Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: raise error for --enable-fips when no FIPS #38859

Closed
wants to merge 2 commits into from

Conversation

danbev
Copy link
Contributor

@danbev danbev commented May 31, 2021

This commit moves the check for FIPS from the crypto module
initialization to process startup.

The motivation for this is that when OpenSSL is not FIPS enabled and the
command line options --enable-fips, or --force-fips are used, there will
only be an error raised if the crypto module is used. This can be
surprising and we have gotten feedback that users assumed that there
would be an error if these options were specified and FIPS is not
available.


Example output using OpenSSL 1.1.1:

$ ./out/Release/node -p 'crypto.getFips()'
0

$ ./out/Release/node --enable-fips  -p 'crypto.getFips()'
OpenSSL error when trying to enable FIPS:
140252042856384:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported:../deps/openssl/openssl/crypto/o_fips.c:22:

Example output using OpenSSL 3.0:

$ ./out/Release/node -p 'crypto.getFips()'
0

$ ./out/Release/node --enable-fips  -p 'crypto.getFips()'
OpenSSL error when trying to enable FIPS:
00A0462A9F7F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/home/danielbevenius/work/security/openssl_quic-3.0/lib/ossl-modules/fips.so): /home/danielbevenius/work/security/openssl_quic-3.0/lib/ossl-modules/fips.so: cannot open shared object file: No such file or directory
00A0462A9F7F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
00A0462A9F7F0000:error:078C0105:common libcrypto routines:provider_init:init fail:crypto/provider_core.c:657:name=fips

@github-actions github-actions bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels May 31, 2021
@nodejs-github-bot
Copy link
Collaborator

src/crypto/crypto_util.cc Outdated Show resolved Hide resolved
src/crypto/crypto_util.cc Outdated Show resolved Hide resolved
Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@richardlau richardlau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be possible to write a test for this?

@danbev
Copy link
Contributor Author

danbev commented Jun 7, 2021

It should be possible to write a test for this?

That should be possible. Sorry about the late reply (I had to give other tasks priority over this one last week) and I'll take a look at adding a test this week. Thanks

@nodejs-github-bot
Copy link
Collaborator

This commit moves the check for FIPS from the crypto module
initialization to process startup.

The motivation for this is that when OpenSSL is not FIPS enabled and the
command line options --enable-fips, or --force-fips are used, there will
only be an error raised if the crypto module is used. This can be
surprising and we have gotten feedback that users assumed that there
would be an error if these options were specified and FIPS is not
available.
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

danbev added a commit that referenced this pull request Jun 8, 2021
This commit moves the check for FIPS from the crypto module
initialization to process startup.

The motivation for this is that when OpenSSL is not FIPS enabled and the
command line options --enable-fips, or --force-fips are used, there will
only be an error raised if the crypto module is used. This can be
surprising and we have gotten feedback that users assumed that there
would be an error if these options were specified and FIPS is not
available.

PR-URL: #38859
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
@danbev
Copy link
Contributor Author

danbev commented Jun 8, 2021

Landed in 1997aa3.

@danbev danbev closed this Jun 8, 2021
@danbev danbev deleted the enable-fips-raise-error branch June 8, 2021 09:50
targos pushed a commit that referenced this pull request Jun 11, 2021
This commit moves the check for FIPS from the crypto module
initialization to process startup.

The motivation for this is that when OpenSSL is not FIPS enabled and the
command line options --enable-fips, or --force-fips are used, there will
only be an error raised if the crypto module is used. This can be
surprising and we have gotten feedback that users assumed that there
would be an error if these options were specified and FIPS is not
available.

PR-URL: #38859
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
@danielleadams danielleadams mentioned this pull request Jun 14, 2021
@richardlau
Copy link
Member

Doesn't land cleanly on v14.x-staging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants