crypto: Improve control of FIPS mode #5181
Conversation
@mhdawson @indutny @shigeki @jasnell @lordjabez @ScarletTanager This PR should include suggestions from all of you, any comments are greatly appreciated. Thanks! |
Maybe defining a getter/setter simply called |
Added semver-major tag since it changes default behaviour |
@@ -645,6 +647,13 @@ exports.getCurves = function() { | |||
return filterDuplicates(getCurves()); | |||
}; | |||
|
|||
exports.hasFipsCrypto = function() { |
indutny
Feb 10, 2016
Member
Nit: function hasFipsCrypto
Nit: function hasFipsCrypto
return hasFipsCrypto(); | ||
}; | ||
|
||
exports.setFipsCrypto = function(mode) { |
indutny
Feb 10, 2016
Member
Ditto.
Ditto.
#endif | ||
#if NODE_FIPS_MODE | ||
} else if (strcmp(arg, "--disable-fips") == 0) { | ||
disable_fips_crypto = true; |
indutny
Feb 10, 2016
Member
Nit: indent.
Nit: indent.
} else if (strcmp(arg, "--disable-fips") == 0) { | ||
disable_fips_crypto = true; | ||
} else if (strcmp(arg, "--enable-fips") == 0) { | ||
enable_fips_crypto = true; |
indutny
Feb 10, 2016
Member
Ditto.
Ditto.
bool mode = args[0]->BooleanValue(); | ||
if (disable_fips_crypto) { | ||
return env->ThrowError( | ||
"Cannot set FIPS mode, it was forced with --disable-fips at startup."); |
indutny
Feb 10, 2016
Member
Nit: indent, does make cpplint
pass?
Nit: indent, does make cpplint
pass?
stefanmb
Feb 10, 2016
Author
Contributor
Sadly yes, reports 0 errors found. I'll fix all this stuff.
Sadly yes, reports 0 errors found. I'll fix all this stuff.
indutny
Feb 10, 2016
Member
Yikes, too bad for it. Thank you! 👍
Yikes, too bad for it. Thank you!
"Cannot set FIPS mode, it was forced with --disable-fips at startup."); | ||
} else if (enable_fips_crypto) { | ||
return env->ThrowError( | ||
"Cannot set FIPS mode, it was forced with --enable-fips at startup."); |
indutny
Feb 10, 2016
Member
Ditto.
Ditto.
@@ -93,7 +93,7 @@ for (var i in TEST_CASES) { | |||
|
|||
(function() { | |||
if (!test.password) return; | |||
if (common.hasFipsCrypto) { | |||
if (crypto.hasFipsCrypto()) { |
indutny
Feb 10, 2016
Member
Let's make common.hasFipsCrypto
a getter instead, should save us from fixing all tests and make them compatible to older node.js versions.
Let's make common.hasFipsCrypto
a getter instead, should save us from fixing all tests and make them compatible to older node.js versions.
} | ||
|
||
function getResponse(data) | ||
{ |
indutny
Feb 10, 2016
Member
Nit: style, please put brace on the previous line. Does it pass make lint
?
Nit: style, please put brace on the previous line. Does it pass make lint
?
stefanmb
Feb 10, 2016
Author
Contributor
It does :( I'll resolve the style problems.
It does :( I'll resolve the style problems.
const FIPS_DISABLED = 0; | ||
const FIPS_ERROR_STRING = 'Error: Cannot set FIPS mode'; | ||
const OPTION_ERROR_STRING = 'bad option'; | ||
const CNF_FIPS_ON = common.fixturesDir + '/openssl_fips_enabled.cnf'; |
indutny
Feb 10, 2016
Member
Nit: Let's use path.join()
here.
Nit: Let's use path.join()
here.
|
||
function getResponse(data) | ||
{ | ||
return data.toString().replace('\n', '').replace('>', '').trim(); |
indutny
Feb 10, 2016
Member
.replace(/\n|>/g, '').trim()
?
.replace(/\n|>/g, '').trim()
?
} | ||
|
||
function childOk(child) { | ||
console.log('Child ' + ++num_children_ok + '/' + num_children_spawned + |
indutny
Feb 10, 2016
Member
It should be either console.error
or nothing at all. Doesn't play well with TAP output.
It should be either console.error
or nothing at all. Doesn't play well with TAP output.
env: env | ||
}); | ||
|
||
console.log('Spawned child [pid:' + child.pid + '] with cmd ' + |
indutny
Feb 10, 2016
Member
Ditto.
Ditto.
child.stdin.setEncoding('utf-8'); | ||
child.stdout.on('data', function(data) { | ||
// Prompt and newline may occur in undefined order. | ||
const response = getResponse(data); |
indutny
Feb 10, 2016
Member
Perhaps it should wait until end
event to accumulate all data? I'm afraid of the situation where stdout
could be chunked.
Perhaps it should wait until end
event to accumulate all data? I'm afraid of the situation where stdout
could be chunked.
indutny
Feb 10, 2016
Member
Also, this way it will be possible able to share lots of code between fips and non-fips branches in this function.
Also, this way it will be possible able to share lots of code between fips and non-fips branches in this function.
const response = getResponse(data); | ||
if (response.length > 0) { | ||
assert.notEqual(-1, response.indexOf(string)); | ||
childOk(child); |
indutny
Feb 10, 2016
Member
Possibly this will be called several times as mentioned above.
Possibly this will be called several times as mentioned above.
This is a great change, and addresses all my concerns. Thanks! |
Overall I have really good impression from the PR. Thank you for your work! |
In terms of the command line options I'm wondering about the case were we want it enabled by default but then the application can turn on/off. I also wonder about the need to prevent an app from turning it on. Maybe the following would make sense ? --enable-fips - enables FIPs, overrides setting in openssl file |
@mscdex I've switched to using a "crypto.fips" property as you suggested, thanks! |
@mhdawson @indutny I've updated this PR to resolve issues encountered while attempting to setup the CI:
|
LTGM to latest changes, and successful test run in both fiips/non-fips enabled in updated test here: https://ci.nodejs.org/job/node-test-commit-linux-fips-dawson/ Will sync landing this and updating the test job. One last regular CI run so that we have a current one: https://ci.nodejs.org/job/node-test-pull-request/1752/ |
CI run is green, landing |
Default to FIPS off even in FIPS builds. Add JS API to check and control FIPS mode. Add command line arguments to force FIPS on/off. Respect OPENSSL_CONF variable and read the config. Add testing for new features. Fixes: #3819 PR-URL: #5181 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-by: Michael Dawson <michael_dawson@ca.ibm.com>
Landed as 7c48cb5 Updated fits test, CI run here to validate test is updated ok: https://ci.nodejs.org/job/node-test-commit/2345/ |
CI all good closing |
The following significant (semver-major) changes have been made since the previous Node v5.0.0 release. * Buffer * New Buffer constructors have been added [#4682](#4682) * Previously deprecated Buffer APIs are removed [#5048](#5048), [#4594](#4594) * Improved error handling [#4514](#4514) * Cluster * Worker emitted as first argument in 'message' event [#5361](#5361). * Crypto * Improved error handling [#3100](#3100), [#5611](#5611) * Simplified Certificate class bindings [#5382](#5382) * Improved control over FIPS mode [#5181](#5181) * pbkdf2 digest overloading is deprecated [#4047](#4047) * Dependencies * Reintroduce shared c-ares build support [#5775](#5775). * V8 updated to 5.0.71.31 [#6111](#6111). * DNS * Add resolvePtr API to query plain DNS PTR records [#4921](#4921). * Domains * Clear stack when no error handler [#4659](#4659). * File System * The `fs.realpath()` and `fs.realpathSync()` methods have been updated to use a more efficient libuv implementation. This change includes the removal of the `cache` argument and the method can throw new errors [#3594](#3594) * FS apis can now accept and return paths as Buffers [#5616](#5616). * Error handling and type checking improvements [#5616](#5616), [#5590](#5590), [#4518](#4518), [#3917](#3917). * fs.read's string interface is deprecated [#4525](#4525) * HTTP * 'clientError' can now be used to return custom errors from an HTTP server [#4557](#4557). * Modules * Current directory is now prioritized for local lookups [#5689](#5689) * Symbolic links are preserved when requiring modules [#5950](#5950) * Net * DNS hints no longer implicitly set [#6021](#6021). * Improved error handling and type checking [#5981](#5981), [#5733](#5733), [#2904](#2904) * Path * Improved type checking [#5348](#5348). * Process * Introduce process warnings API [#4782](#4782). * Throw exception when non-function passed to nextTick [#3860](#3860). * Readline * Emit key info unconditionally [#6024](#6024) * REPL * Assignment to `_` will emit a warning. [#5535](#5535) * Timers * Fail early when callback is not a function [#4362](#4362) * TLS * Rename 'clientError' to 'tlsClientError' [#4557](#4557) * SHA1 used for sessionIdContext [#3866](#3866) * TTY * Previously deprecated setRawMode wrapper is removed [#2528](#2528). * Util * Changes to Error object formatting [#4582](#4582). * Windows * Windows XP and Vista are no longer supported [#5167](#5167), [#5167](#5167).
The following significant (semver-major) changes have been made since the previous Node v5.0.0 release. * Buffer * New Buffer constructors have been added [#4682](#4682) * Previously deprecated Buffer APIs are removed [#5048](#5048), [#4594](#4594) * Improved error handling [#4514](#4514) * Cluster * Worker emitted as first argument in 'message' event [#5361](#5361). * Crypto * Improved error handling [#3100](#3100), [#5611](#5611) * Simplified Certificate class bindings [#5382](#5382) * Improved control over FIPS mode [#5181](#5181) * pbkdf2 digest overloading is deprecated [#4047](#4047) * Dependencies * Reintroduce shared c-ares build support [#5775](#5775). * V8 updated to 5.0.71.31 [#6111](#6111). * DNS * Add resolvePtr API to query plain DNS PTR records [#4921](#4921). * Domains * Clear stack when no error handler [#4659](#4659). * File System * The `fs.realpath()` and `fs.realpathSync()` methods have been updated to use a more efficient libuv implementation. This change includes the removal of the `cache` argument and the method can throw new errors [#3594](#3594) * FS apis can now accept and return paths as Buffers [#5616](#5616). * Error handling and type checking improvements [#5616](#5616), [#5590](#5590), [#4518](#4518), [#3917](#3917). * fs.read's string interface is deprecated [#4525](#4525) * HTTP * 'clientError' can now be used to return custom errors from an HTTP server [#4557](#4557). * Modules * Current directory is now prioritized for local lookups [#5689](#5689) * Symbolic links are preserved when requiring modules [#5950](#5950) * Net * DNS hints no longer implicitly set [#6021](#6021). * Improved error handling and type checking [#5981](#5981), [#5733](#5733), [#2904](#2904) * Path * Improved type checking [#5348](#5348). * Process * Introduce process warnings API [#4782](#4782). * Throw exception when non-function passed to nextTick [#3860](#3860). * Readline * Emit key info unconditionally [#6024](#6024) * REPL * Assignment to `_` will emit a warning. [#5535](#5535) * Timers * Fail early when callback is not a function [#4362](#4362) * TLS * Rename 'clientError' to 'tlsClientError' [#4557](#4557) * SHA1 used for sessionIdContext [#3866](#3866) * TTY * Previously deprecated setRawMode wrapper is removed [#2528](#2528). * Util * Changes to Error object formatting [#4582](#4582). * Windows * Windows XP and Vista are no longer supported [#5167](#5167), [#5167](#5167).
The following significant (semver-major) changes have been made since the previous Node v5.0.0 release. * Buffer * New Buffer constructors have been added [#4682](#4682) * Previously deprecated Buffer APIs are removed [#5048](#5048), [#4594](#4594) * Improved error handling [#4514](#4514) * Cluster * Worker emitted as first argument in 'message' event [#5361](#5361). * Crypto * Improved error handling [#3100](#3100), [#5611](#5611) * Simplified Certificate class bindings [#5382](#5382) * Improved control over FIPS mode [#5181](#5181) * pbkdf2 digest overloading is deprecated [#4047](#4047) * Dependencies * Reintroduce shared c-ares build support [#5775](#5775). * V8 updated to 5.0.71.31 [#6111](#6111). * DNS * Add resolvePtr API to query plain DNS PTR records [#4921](#4921). * Domains * Clear stack when no error handler [#4659](#4659). * File System * The `fs.realpath()` and `fs.realpathSync()` methods have been updated to use a more efficient libuv implementation. This change includes the removal of the `cache` argument and the method can throw new errors [#3594](#3594) * FS apis can now accept and return paths as Buffers [#5616](#5616). * Error handling and type checking improvements [#5616](#5616), [#5590](#5590), [#4518](#4518), [#3917](#3917). * fs.read's string interface is deprecated [#4525](#4525) * HTTP * 'clientError' can now be used to return custom errors from an HTTP server [#4557](#4557). * Modules * Current directory is now prioritized for local lookups [#5689](#5689) * Symbolic links are preserved when requiring modules [#5950](#5950) * Net * DNS hints no longer implicitly set [#6021](#6021). * Improved error handling and type checking [#5981](#5981), [#5733](#5733), [#2904](#2904) * OS X * MACOSX_DEPLOYMENT_TARGET has been bumped up to 10.7 [#6402](#6402). * Path * Improved type checking [#5348](#5348). * Process * Introduce process warnings API [#4782](#4782). * Throw exception when non-function passed to nextTick [#3860](#3860). * Readline * Emit key info unconditionally [#6024](#6024) * REPL * Assignment to `_` will emit a warning. [#5535](#5535) * Timers * Fail early when callback is not a function [#4362](#4362) * TLS * Rename 'clientError' to 'tlsClientError' [#4557](#4557) * SHA1 used for sessionIdContext [#3866](#3866) * TTY * Previously deprecated setRawMode wrapper is removed [#2528](#2528). * Util * Changes to Error object formatting [#4582](#4582). * Windows * Windows XP and Vista are no longer supported [#5167](#5167), [#5167](#5167).
The following significant (semver-major) changes have been made since the previous Node v5.0.0 release. * Buffer * New Buffer constructors have been added [#4682](#4682) * Previously deprecated Buffer APIs are removed [#5048](#5048), [#4594](#4594) * Improved error handling [#4514](#4514) * Cluster * Worker emitted as first argument in 'message' event [#5361](#5361). * Crypto * Improved error handling [#3100](#3100), [#5611](#5611) * Simplified Certificate class bindings [#5382](#5382) * Improved control over FIPS mode [#5181](#5181) * pbkdf2 digest overloading is deprecated [#4047](#4047) * Dependencies * Reintroduce shared c-ares build support [#5775](#5775). * V8 updated to 5.0.71.31 [#6111](#6111). * DNS * Add resolvePtr API to query plain DNS PTR records [#4921](#4921). * Domains * Clear stack when no error handler [#4659](#4659). * File System * The `fs.realpath()` and `fs.realpathSync()` methods have been updated to use a more efficient libuv implementation. This change includes the removal of the `cache` argument and the method can throw new errors [#3594](#3594) * FS apis can now accept and return paths as Buffers [#5616](#5616). * Error handling and type checking improvements [#5616](#5616), [#5590](#5590), [#4518](#4518), [#3917](#3917). * fs.read's string interface is deprecated [#4525](#4525) * HTTP * 'clientError' can now be used to return custom errors from an HTTP server [#4557](#4557). * Modules * Current directory is now prioritized for local lookups [#5689](#5689) * Symbolic links are preserved when requiring modules [#5950](#5950) * Net * DNS hints no longer implicitly set [#6021](#6021). * Improved error handling and type checking [#5981](#5981), [#5733](#5733), [#2904](#2904) * OS X * MACOSX_DEPLOYMENT_TARGET has been bumped up to 10.7 [#6402](#6402). * Path * Improved type checking [#5348](#5348). * Process * Introduce process warnings API [#4782](#4782). * Throw exception when non-function passed to nextTick [#3860](#3860). * Readline * Emit key info unconditionally [#6024](#6024) * REPL * Assignment to `_` will emit a warning. [#5535](#5535) * Timers * Fail early when callback is not a function [#4362](#4362) * TLS * Rename 'clientError' to 'tlsClientError' [#4557](#4557) * SHA1 used for sessionIdContext [#3866](#3866) * TTY * Previously deprecated setRawMode wrapper is removed [#2528](#2528). * Util * Changes to Error object formatting [#4582](#4582). * Windows * Windows XP and Vista are no longer supported [#5167](#5167), [#5167](#5167).
The following significant (semver-major) changes have been made since the previous Node v5.0.0 release. * Buffer * New Buffer constructors have been added [#4682](#4682) * Previously deprecated Buffer APIs are removed [#5048](#5048), [#4594](#4594) * Improved error handling [#4514](#4514) * Cluster * Worker emitted as first argument in 'message' event [#5361](#5361). * Crypto * Improved error handling [#3100](#3100), [#5611](#5611) * Simplified Certificate class bindings [#5382](#5382) * Improved control over FIPS mode [#5181](#5181) * pbkdf2 digest overloading is deprecated [#4047](#4047) * Dependencies * Reintroduce shared c-ares build support [#5775](#5775). * V8 updated to 5.0.71.31 [#6111](#6111). * DNS * Add resolvePtr API to query plain DNS PTR records [#4921](#4921). * Domains * Clear stack when no error handler [#4659](#4659). * File System * The `fs.realpath()` and `fs.realpathSync()` methods have been updated to use a more efficient libuv implementation. This change includes the removal of the `cache` argument and the method can throw new errors [#3594](#3594) * FS apis can now accept and return paths as Buffers [#5616](#5616). * Error handling and type checking improvements [#5616](#5616), [#5590](#5590), [#4518](#4518), [#3917](#3917). * fs.read's string interface is deprecated [#4525](#4525) * HTTP * 'clientError' can now be used to return custom errors from an HTTP server [#4557](#4557). * Modules * Current directory is now prioritized for local lookups [#5689](#5689) * Symbolic links are preserved when requiring modules [#5950](#5950) * Net * DNS hints no longer implicitly set [#6021](#6021). * Improved error handling and type checking [#5981](#5981), [#5733](#5733), [#2904](#2904) * OS X * MACOSX_DEPLOYMENT_TARGET has been bumped up to 10.7 [#6402](#6402). * Path * Improved type checking [#5348](#5348). * Process * Introduce process warnings API [#4782](#4782). * Throw exception when non-function passed to nextTick [#3860](#3860). * Readline * Emit key info unconditionally [#6024](#6024) * REPL * Assignment to `_` will emit a warning. [#5535](#5535) * Timers * Fail early when callback is not a function [#4362](#4362) * TLS * Rename 'clientError' to 'tlsClientError' [#4557](#4557) * SHA1 used for sessionIdContext [#3866](#3866) * TTY * Previously deprecated setRawMode wrapper is removed [#2528](#2528). * Util * Changes to Error object formatting [#4582](#4582). * Windows * Windows XP and Vista are no longer supported [#5167](#5167), [#5167](#5167).
In Issue #3819 requests were made to support a FIPS OpenSSL build of Node.js running in a non-FIPS mode. In PR #3820 an attempt was made to introduce this feature.
In this PR I've attempted to merge all requests and discussion from #3819 and #3820.
The following features are introduced:
As always, I'm open to any suggestions and improvements, especially if there is a better way to pass global options such as the enable/disable flags (instead of extern C variables).
These features were added as a result of discussion in #3819 and #3820, please refer to them for background information.
Note also that going forward we will need to run regression testing in FIPS builds twice: once with FIPS enabled at runtime, and once with FIPS disabled.