Node 4.2: Unable to run Node in non-FIPS mode if compiled with FIPS support

[lordjabez]

As currently implemented, when Node is compiled with FIPS support (./configure fips), there is no way to disable engaging FIPS mode during execution. This means that several functions that rely on non-FIPS approved algorithms (e.g. md5 hashing) will fail, as will any code that depends on them (most obviously, npm).

What seems needed to me is a way to explicitly enable or disable FIPS operation each time node is invoked. The way this is done with the openssl CLI is via the OPENSSL_FIPS environment variable.

It is straightforward to add a similar capability to Node. A pull request with a suggested implementation is forthcoming.

[jasnell]

/cc @mhdawson

[mhdawson]

@lordjabez in what cases are you seeing npm fail with FIPS turned on ?

I agree an option to turn on /off would likely be useful @stefanmb

[stefanmb]

@lordjabez @mhdawson

At first look MD5 dependencies in npm are not well justified. I'm trying to fix them.

[lordjabez]

Certainly if npm can be made to run with FIPS mode active, that's a good thing. But in any case I agree with @mhdawson that some form of runtime switch is needed to make a FIPS validated Node practical.

I'm pushing my company pretty hard to move our entire tech stack to Node, and running FIPS validated is a key part of that.

[stefanmb]

Another complication is that the test cases will become much more complex:

(1) Turn on FIPS.
(2) Test crypto, including test failures due to FIPS incompatible crypto.
(3) Turn off FIPS.
(4) Test crypto, include test success with FIPS incompatible crypto.
(5) Repeat a number of times.

[stefanmb]

@lordjabez

I had better luck with npm and FIPS after the following patches:
npm/write-file-atomic#7
npm/unique-slug#1
npm/fs-write-stream-atomic#6

I'll see if I can get them accepted. There is still the issue regarding native modules #3815 which will have to be addressed.

[jelmd]

Not sure, whether this applies to 4.x as well, however, I had to fix v5.0.0 too because it never called FIPS_mode() (and if compiled with -DFIPS_NODE it calls fips_mode_set(1) again and again w/o need, which in turn causes annoying messages)! Anyway, see http://iws.cs.uni-magdeburg.de/~elkner/tmp/node5/ssl.patch and look for 'FIPS_mode()' (2 places) - the major problem.

BTW: I think the major issue here is, that it is assumed, that a FIPS capable lib is always used with FIPS_mode set to 1. This is wrong! Actually one doesn't need a non-FIPS capable OpenSSL lib at all, if the application provides a mechanism, to switch it on on demand (e.g. node --fips), because basically only than the non-FIPS compliant stuff gets switched off.

[mhdawson]

@stefanb I could be wrong but I didn't think you could turn it on/off, more that you have to set it one way or the other before any crypto is used.