Commit df9a15d

Add a check of the OPENSSL_FIPS environment variable around FIPS initialization.
As currently implemented, when Node is compiled with FIPS support (`./configure fips`), there is no way to disable engaging FIPS mode during execution. This means that several functions that rely on non-FIPS approved algorithms (e.g. md5 hashing) will fail, as will any code that depends on them (most obviously, `npm`). What seems needed to me is a way to explicitly enable or disable FIPS operation each time node is invoked. The way this is done with the openssl CLI is via the OPENSSL_FIPS environment variable. This change adds a check to OPENSSL_FIPS where FIPS_mode_set(1) is called (which enables FIPS mode). If Node is not compiled in FIPS mode this call will not even be compiled since it's wrapped with an ifdef. Those who are trying to run Node.js in FIPS mode should be familiar with this variable and using it will be natural.
1 parent 4270e7f commit df9a15d
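The commit message describes gating `FIPS_mode_set(1)` on the OPENSSL_FIPS environment variable. The following is an added example, not Node.js or OpenSSL code, that contrasts a presence-only check (the pattern in this commit, where any value engages FIPS mode) with a value check matching the documented contract that the variable be set to 1. OpenSSL is not linked; `fips_mode_set` is a hypothetical injectable hook standing in for `FIPS_mode_set`, and `InitCrypto`, `Mode` and the two `Fake*` functions are assumptions made for this example so the outcome can be observed without aborting the process.

```cpp
// Added example (not Node.js code): environment-variable gate around a
// FIPS_mode_set()-style call, comparing presence-only and value checks.
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Presence-only check, mirroring the pattern in the commit: any value,
// including "0" or "", requests FIPS mode.
bool FipsRequestedByPresence(const char* value) {
  return value != nullptr;
}

// Value check matching the documented contract ("must be set to 1").
bool FipsRequestedByValue(const char* value) {
  return value != nullptr && std::strcmp(value, "1") == 0;
}

// Observable result of crypto initialization (assumption for this example).
enum class Mode { kNonFips, kFips, kInitFailed };

// Stand-in for the init path. `fips_mode_set` is a hypothetical hook in
// place of OpenSSL's FIPS_mode_set(int); a real build would call OpenSSL.
Mode InitCrypto(const char* env_value, bool (*fips_mode_set)(int)) {
  if (!FipsRequestedByValue(env_value))
    return Mode::kNonFips;           // variable unset or not "1": FIPS off
  if (!fips_mode_set(1)) {
    std::fprintf(stderr, "openssl fips failed\n");
    return Mode::kInitFailed;        // the commit aborts here via UNREACHABLE()
  }
  return Mode::kFips;
}

// Fake hooks so the logic runs without OpenSSL (constructed for this example).
bool FakeFipsOk(int) { return true; }
bool FakeFipsFail(int) { return false; }

int main() {
  // When run stand-alone, reads the real variable from the process environment.
  const char* v = std::getenv("OPENSSL_FIPS");
  Mode m = InitCrypto(v, FakeFipsOk);
  const char* label = (m == Mode::kFips) ? "fips"
                    : (m == Mode::kNonFips) ? "non-fips" : "failed";
  std::printf("OPENSSL_FIPS=%s -> %s\n", v ? v : "(unset)", label);
  return 0;
}
```

Run it with `OPENSSL_FIPS=0 ./a.out` and `OPENSSL_FIPS=1 ./a.out` to see the difference: the presence-only predicate returns true for both, while the value check engages FIPS mode only for `1`.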

2 files changed

+8
-4
lines changed

README.md

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -306,6 +306,8 @@ Instructions:
306306
/usr/local/ssl/fips-2.0
307307
8. Build Node.js with `make -j`
308308
9. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)
309+
10. For FIPS mode to be enabled at runtime, the OPENSSL_FIPS environment
310+
variable must be set to 1.
309311

310312
## Resources for Newcomers
311313
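Review bot: Step 10 says the variable "must be set to 1", but the node_crypto.cc change in this same commit only tests `getenv("OPENSSL_FIPS")` for presence, so `OPENSSL_FIPS=0` or an empty value would also engage FIPS mode. Either document that any value enables it or, better, make the code compare the value against "1" so this wording is accurate. The step should also state what happens on a FIPS build when the variable is unset (Node starts with FIPS mode off), since an operator deploying for compliance needs to know the default is non-enforcing and must verify the mode at startup rather than rely on the build flag alone.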

src/node_crypto.cc

Lines changed: 6 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -5522,10 +5522,12 @@ void InitCryptoOnce() {
55225522
CRYPTO_THREADID_set_callback(crypto_threadid_cb);
55235523

55245524
#ifdef NODE_FIPS_MODE
5525-
if (!FIPS_mode_set(1)) {
5526-
int err = ERR_get_error();
5527-
fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
5528-
UNREACHABLE();
5525+
if (getenv("OPENSSL_FIPS")) {
5526+
if (!FIPS_mode_set(1)) {
5527+
int err = ERR_get_error();
5528+
fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
5529+
UNREACHABLE();
5530+
}
55295531
}
55305532
#endif // NODE_FIPS_MODE
55315533
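Review bot: `if (getenv("OPENSSL_FIPS"))` checks only that the variable exists, not its value, so `OPENSSL_FIPS=0` (or `OPENSSL_FIPS=`) turns FIPS mode on, which contradicts the README text added in this commit ("must be set to 1"). Suggest reading the value and comparing it, e.g. `const char* fips = getenv("OPENSSL_FIPS");` followed by `if (fips != nullptr && strcmp(fips, "1") == 0) {`, and confirming that `<cstdlib>` and `<cstring>` are included in this file. A second point on the same hunk: a FIPS-capable build now silently starts in non-FIPS mode whenever the variable is unset, and nothing in this path logs or exposes that outcome, so a deployment that forgets to set the variable would run every crypto call unrestricted without anyone noticing. Consider emitting a notice to stderr on the non-FIPS branch, or exposing the effective mode at runtime (the README already points users at `process.versions.openssl` for verification) so it can be checked at startup.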
