This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

Node FIPS support/npm #10629

Closed
mhdawson opened this issue Nov 30, 2015 · 9 comments

@mhdawson

Support for building Node in a FIPS capable mode was added a while back.

More recently effort has gone into making sure the test suite can run/pass when Node is built in FIPS capable mode. See nodejs/node#3760 opened by @stefanmb for more details.

Tests are now running in the CI in FIPS capable mode as part of the regression tests (see here: https://ci.nodejs.org/job/node-test-commit-linux-fips/).

As part of this work (as raised by @lordjabez), along with other issues, it has been discovered that npm does not work when FIPS is built in FIPS capable mode (some discussion is in nodejs/node#3760).

The issue seems to be that MD5 is used by some sub-modules to generate unique values. MD5 is disallowed in FIPS mode. Looking at the cases where MD5 is being used, it does not look like it needs to be MD5, only that it was an easy way to generate a semi-unique value. PRs have been opened to change to different algorithms. The dependent modules look to be owned by people who are part of the npm organization, which is why I'm opening the issue here. The modules are:

I'm opening this issue to explain the importance of pulling these changes in and to provide a place where any necessary discussion can take place.

@mhdawson
Author

@zkat is this something you can help out with?

@othiym23
Contributor

othiym23 commented Dec 2, 2015

I've landed npm/fs-write-stream-atomic@dfaac1b, which takes care of that. @iarna, can you either merge npm/write-file-atomic#7 and npm/unique-slug#1 and put out new versions of those, or move them into the npm organization so I can fix them? If we can get those out tomorrow, we can have a FIPS-compliant npm@3.5.1.

@mhdawson
Author

mhdawson commented Dec 2, 2015

Were you also planning to put them into the 2.X line?

@othiym23
Contributor

othiym23 commented Dec 2, 2015

Yes. For now, npm LTS is taking dependency upgrades as a matter of course.

othiym23 added a commit that referenced this issue Dec 3, 2015

Don't need to use MD5 (which interferes with using npm with a
FIPS-compliant Node.js binary), and murmur is faster anyway.

Fixes: #10629
Credit: @othiym23

othiym23 added a commit that referenced this issue Dec 3, 2015

Use `unique-slug@2.0.0`, which uses a murmur hash to generate its unique
slugs, allowing `unique-filename` to be used with a FIPS-compliant
Node.js binary.

Fixes: #10629
Credit: @iarna
Reviewed-By: @othiym23

othiym23 added a commit that referenced this issue Dec 4, 2015

othiym23 added a commit that referenced this issue Dec 4, 2015

Don't need to use MD5 (which interferes with using npm with a
FIPS-compliant Node.js binary), and murmur is faster anyway.

Fixes: #10629
Credit: @othiym23

@othiym23
Contributor

othiym23 commented Dec 4, 2015

The close came from the relevant commits landing on master (which will be npm@3.5.2), and I'm in the process of releasing npm@2.14.14, which has the same changes, so both npm@2 and npm@3 will work with FIPS-restricted builds of Node.js once their respective versions have become latest.

@mhdawson
Author

mhdawson commented Dec 4, 2015

Stefan mentioned that npm/fs-write-stream-atomic@dfaac1b landed but not the other 2.

@mhdawson
Author

mhdawson commented Dec 4, 2015

Hmm, looking at a few, I think it looks like there were commits, so I'll follow up with Stefan.

@stefanmb

stefanmb commented Dec 4, 2015

@mhdawson Looks like the relevant changes have actually made it in, for reference:

npm/fs-write-stream-atomic@dfaac1b
npm/unique-slug@f1cd16d
npm/write-file-atomic@22dd875

I believe this issue is fixed. Thanks @mhdawson and @othiym23 for your help!

@othiym23
Contributor

othiym23 commented Dec 4, 2015

Yes, as far as I know the only thing in the npm dependency tree that uses MD5 at this point is request, and npm never uses the functionality in request that would cause it to execute that code. npm@3.5.2 and higher should work fine with FIPS Node.js builds.
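
One way to audit a dependency tree for the MD5 use this thread discusses, as an added example that is not code from npm or from any participant: a heuristic scan for literal `createHash('md5')` calls in JavaScript sources. The package names `slug-old` and `slug-new` and the sample files are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Matches createHash('md5') with any quote style. Literal-only heuristic:
// an algorithm name passed through a variable is not detected.
const MD5_CALL = /createHash\(\s*['"`]md5['"`]\s*\)/i;

// Recursively scan `root` for JS files; return one finding per matching line.
function findMd5Calls(root) {
  const findings = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) continue; // avoid link cycles
      if (entry.isDirectory()) { walk(full); continue; }
      if (!entry.isFile() || !/\.(c|m)?js$/.test(entry.name)) continue;
      fs.readFileSync(full, 'utf8').split(/\r?\n/).forEach((text, i) => {
        if (MD5_CALL.test(text)) {
          findings.push({ file: path.relative(root, full), line: i + 1, text: text.trim() });
        }
      });
    }
  };
  walk(root);
  return findings.sort((a, b) => a.file.localeCompare(b.file) || a.line - b.line);
}

// Constructed sample tree (hypothetical packages) so the scan runs offline.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'fips-audit-'));
  const files = {
    'node_modules/slug-old/index.js':
      "var crypto = require('crypto')\nmodule.exports = function (s) {\n" +
      "  return crypto.createHash('md5').update(s).digest('hex')\n}\n",
    'node_modules/slug-new/index.js':
      "module.exports = function (s) {\n" +
      "  return require('crypto').createHash('sha256').update(s).digest('hex')\n}\n",
    'node_modules/slug-old/README.md': "Uses createHash('md5') internally.\n",
  };
  for (const [rel, body] of Object.entries(files)) {
    const full = path.join(root, rel);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, body);
  }
  return root;
}

console.log(findMd5Calls(buildSampleTree()));
```

A hit only shows that the call exists in the source; whether that code path is ever executed, as with the `request` case mentioned above, still has to be checked by hand or by running the test suite on a FIPS build.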
