This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

Enabling FIPS-compliant encryption #25463

Closed
nzakas opened this issue May 29, 2015 · 28 comments

@nzakas

nzakas commented May 29, 2015

For many in enterprises, regulations require the use of FIPS-compliant encryption tools. OpenSSL itself is not FIPS compliant, but does have a module that is (http://www.openssl.org/docs/fips/fipsnotes.html). It's possible to hack this into a custom build of Node.js (http://arthur-notes.youramaryllis.com/2014/12/nodejs-fips.html), but it would be nice to have it supported by Node directly (preferably starting with 0.10.x).

Someone had submitted a PR a while back for this: #6380

Is this something that would be considered?

@mhdawson
Member

mhdawson commented Jun 2, 2015

I have had a few internal teams within IBM ask for this as well. @nzakas have you looked into the details of whether simply enabling the FIPS mode in OpenSSL would be enough for consumers to use Node when FIPS compliance is required? If you have researched/thought about this I'd be interested in setting up a time for a conversation.

@nzakas
Author

nzakas commented Jun 3, 2015

Are you talking about calling FIPS_mode_set(1) from somewhere?

@mhdawson
Member

mhdawson commented Jun 3, 2015

No, I meant: is simply having Node use a version of OpenSSL compiled in FIPS mode enough for users that have a FIPS requirement, as there is Node-specific code in the path between the request and the crypto operations that take place?

@mhdawson
Member

mhdawson commented Jun 3, 2015

The other issue might also be if there are any patches in Node which are floated on top of OpenSSL and what that would do to the FIPS cert.

@indutny
Member

indutny commented Jun 3, 2015

Hello!

I have done it in bud:

It should be pretty straightforward to integrate it in node.js/io.js.

The way it works in bud is as follows:

  1. Build the fipscanister thing in some folder.
  2. Supply this folder to configure: ./configure --fips-dir=...
  3. Build everything and enjoy!

There is only a minor nit that will be required for this in node.js, that is not required in bud. It is a patched version of fipsld that wraps premain.c with -x c and -x none, to make sure it works with C++ code.

@indutny
Member

indutny commented Jun 3, 2015

TL;DR: going to port this code right now, expect a PR today or tomorrow.

indutny added a commit to indutny/io.js that referenced this issue Jun 3, 2015
Support building and running with FIPS-compliant OpenSSL. The process is
as follows:

1. Download and verify `openssl-fips-x.x.x.tar.gz` from
   https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`

Fix: nodejs/node-v0.x-archive#25463

@nzakas
Author

nzakas commented Jun 3, 2015

@mhdawson I believe so, I'll get clarification from our security folks. From my discussions with them thus far, it seems to be enough if we can prove Node.js crypto is running against the FIPS-enabled OpenSSL.

indutny added a commit to indutny/io.js that referenced this issue Jun 3, 2015
Support building and running with FIPS-compliant OpenSSL. The process is
as follows:

1. Download and verify `openssl-fips-x.x.x.tar.gz` from
   https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
4. `git apply /path/to/io.js/deps/openssl/fips/fipsld.diff`
5. `make -j && make install`
6. Get into io.js checkout folder
7. `./configure --openssl-fips=/path/to/openssl-fips/out`
8. Build io.js with `make -j`

Fix: nodejs/node-v0.x-archive#25463

@indutny
Member

indutny commented Jun 3, 2015

Yay, a PR for io.js: nodejs/node#1890. I guess it can be easily backported to node.js.

@nzakas
Author

nzakas commented Jun 3, 2015

Just confirmed with our security folks that we must call FIPS_mode_set(1) to be in compliance. I'm going to ask them to chime in directly.

@nc-box

nc-box commented Jun 4, 2015

Going off of the OpenSSL FIPS User Guide, it should call FIPS_mode_set(1) in order to enable FIPS mode. This will begin all the tests and disable algorithms that are not FIPS validated. There's also FIPS_selftest_failed() which will return if the self tests succeeded or not. I couldn't confirm if this is required, but it's useful to call along with FIPS_mode_set.

Additionally, as described above, fipsld is required to properly do the linking and for the integrity tests.

Also I want to point out one important fact listed on pages 42 and 45 of the user guide. Basically NIST standards maintain that the source must be obtained via a "secure installation". You cannot just download the source and validate it using a preinstalled FIPS validated openssl. Their recommendation is to contact OSF and ask for a CD with the source. Page 88 has alternative suggestions on how to validate it but even then no luck using an old OpenSSL version.

@jasnell
Member

jasnell commented Jun 4, 2015

@indutny 👍

@nzakas ... the key question for whether this can be enabled in v0.10 is whether it changes any of the default APIs or behaviors (which I wouldn't expect). The fact that it's put behind a configure flag makes it even better. It shouldn't be too difficult to backport it. @joyent/node-coreteam ... what do you think?

@nzakas .. interested in helping out with a pull request based on @indutny's work? :-)

indutny added a commit to indutny/io.js that referenced this issue Jun 4, 2015
Support building and running with FIPS-compliant OpenSSL. The process is
as follows:

1. Download and verify `openssl-fips-x.x.x.tar.gz` from
   https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`

Fix: nodejs/node-v0.x-archive#25463

@mhdawson
Member

mhdawson commented Jun 4, 2015

@nc-box I think what we'd want is a documented set of steps that would result in a configuration that would meet FIPS requirements. 1) Get CD from X, etc.

@nzakas
Author

nzakas commented Jun 5, 2015

@jasnell interested, yes, but I'm away from my computer for a few weeks (on a tablet right now). If someone else wants to take it, I'd be grateful; if not, I'll follow up when I'm back on a computer.

@nc-box

nc-box commented Jun 6, 2015

@mhdawson At this time, I would suggest referring to the OpenSSL FIPS User Guide (https://openssl.org/docs/fips/UserGuide-2.0.pdf) for details around building a version of OpenSSL that meets the FIPS requirements. The User Guide provides more information and considerations when trying to build and use the FIPS compliant version of OpenSSL.

indutny added a commit to nodejs/node that referenced this issue Jun 10, 2015
Support building and running with FIPS-compliant OpenSSL. The process is
as follows:

1. Download and verify `openssl-fips-x.x.x.tar.gz` from
   https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
   (NOTE: On OS X, you may want to run
    ``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
    build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)

Fix: nodejs/node-v0.x-archive#25463
PR-URL: #1890
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

@arthurtsang

So I was the author of PR #6380. Anyway, this is how we build FIPS-compliant nodejs: http://arthur-notes.youramaryllis.com/2014/12/nodejs-fips.html. One "side" effect after enabling FIPS is that calling any function using md5 will crash. Node would just crash, as the FIPS implementation will exit the application. BTW, it's nice we finally have some discussion of getting FIPS compliance into nodejs. Thanks.

@indutny
Member

indutny commented Jun 30, 2015

@arthurtsang nice one! I think we already landed it in io.js, see the commit above ;)

@ScarletTanager

What is the status of this item? As others have noted, we'd need a Node API call to invoke the FIPS_set_mode(1) library call. I'm also curious about the question @mhdawson asked re: patches on top of OpenSSL (I apologize, but I'm not a Node.js guy, and I'm going based off of https://github.com/joyent/node/wiki/OpenSSL-upgrade-process).

@nzakas
Author

nzakas commented Jul 1, 2015

It's waiting for someone to port @indutny's io.js patch to Node.

@indutny
Member

indutny commented Jul 1, 2015

@nzakas why should it be ported? Technically it is the same project now, we're just merging everything together atm.

@jasnell
Member

jasnell commented Jul 1, 2015

Ok, so the question then becomes: is there a reason to enable FIPS in v0.12? Technically that would qualify as a new feature. The informal policy so far has been to defer new features to the converged repo. Perhaps for v0.12, the best thing to do would be to document how someone could build v0.12 on their own with FIPS enabled but defer actually merging that into core until we're working from the converged repo (or, perhaps, getting it landed in the io.js stream).

@indutny
Member

indutny commented Jul 1, 2015

@jasnell I believe it was already landed in io.js master some time ago.

@nzakas
Author

nzakas commented Jul 1, 2015

At work we are still using 0.10.x, upgrading breaks a lot of the world for us, so was looking for an intermediate solution.

@weagle08

What is the status of this issue in the NodeJS 4.0 release? We are looking to use NodeJS on a project but it requires FIPS compliance.

@indutny
Member

indutny commented Sep 15, 2015

It is already in 4.0

@weagle08

sweet! thanks!

@arash16

arash16 commented Nov 6, 2015

I'm using node-v5.0.0. After enabling FIPS support, as @arthurtsang said before, any usage of md5 will crash; even npm is broken.
I think it would be better to implement md5 inside the crypto module on its own. There are a lot of frameworks depending on md5 for tag/crc generation (e.g. Express.js).

@ScarletTanager

@arash16 What do you mean, "enabling FIPS support?" MD5 is not a FIPS-approved digest algorithm, so if you put OpenSSL into FIPS mode, MD5 is not going to be available to you. In FIPS mode you need to use SHA.
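
An added example (not part of the original thread and not Node.js project code) for two points raised above: confirming the binary is linked against a FIPS build through `process.versions.openssl`, and keeping MD5 requests from reaching OpenSSL when FIPS mode is on. The `FIPS_DIGESTS` allowlist and all function names are hypothetical; `crypto.getFips()` is an API from Node.js 10 and later, not the 4.x/5.x releases discussed here.

```javascript
// Added example, not code from Node.js or from this thread.
const crypto = require('crypto');

// Assumption: an example policy that permits only the SHA-2 family in FIPS mode.
const FIPS_DIGESTS = new Set(['sha224', 'sha256', 'sha384', 'sha512']);

// The check from the commit message: a FIPS build reports e.g. "1.0.2a-fips".
function isFipsBuild(opensslVersion) {
  return /-fips$/.test(opensslVersion);
}

// crypto.getFips() exists in Node.js 10 and later; it is absent from the
// 4.x/5.x releases in the thread, so a missing function is treated as "off".
function fipsEnabled() {
  return typeof crypto.getFips === 'function' && crypto.getFips() === 1;
}

// Reject a non-approved digest with a catchable Error before the request
// reaches OpenSSL, so a stray md5 call cannot take the process down.
function safeHash(name, data, fipsOn = fipsEnabled()) {
  const algo = String(name).toLowerCase();
  if (fipsOn && !FIPS_DIGESTS.has(algo)) {
    throw new Error(`digest "${algo}" is not permitted in FIPS mode`);
  }
  return crypto.createHash(algo).update(data).digest('hex');
}

// ETag built on SHA-256, so the same code path works with FIPS on or off.
function etag(body, fipsOn = fipsEnabled()) {
  const buf = Buffer.from(body);
  const tag = safeHash('sha256', buf, fipsOn).slice(0, 27);
  return `"${buf.length.toString(16)}-${tag}"`;
}

// Startup summary suitable for a log line or a health endpoint.
function fipsReport() {
  const v = process.versions.openssl;
  return { openssl: v, fipsBuild: isFipsBuild(v), fipsMode: fipsEnabled() };
}
```
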

@mhdawson
Member

mhdawson commented Aug 8, 2016

I think at this point this issue can be closed. Support is enabled in 4.x and later, and with the 0.10 and 0.12 end of life within 6 months I don't think it will be backported. Please let me know if you disagree.

@mhdawson mhdawson closed this as completed Aug 8, 2016