
crypto: Improve control of FIPS mode

Rodrigo Muino Tomonari requested to merge github/fork/stefanmb/fips-switch into master

In Issue https://github.com/nodejs/node/issues/3819 requests were made to support a FIPS OpenSSL build of Node.js running in a non-FIPS mode. In PR https://github.com/nodejs/node/pull/3820 an attempt was made to introduce this feature.

In this PR I've attempted to merge all requests and discussion from https://github.com/nodejs/node/issues/3819 and https://github.com/nodejs/node/pull/3820.

The following features are introduced:

  1. Default to FIPS off even in FIPS builds: FIPS mode now has to be explicitly enabled by command line argument, OpenSSL config file, or JavaScript API call.
  2. Add JS API to check and control FIPS mode: Allow JavaScript applications to check if they are executing in FIPS mode and to enable/disable FIPS mode if applicable.
  3. Add command line arguments to force FIPS on/off: --[disable|enable]-fips have been added, and they will override all other options.
  4. Respect OPENSSL_CONF variable and read the config: OpenSSL provides a standard mechanism for reading a config file from the "OPENSSL_CONF" environment variable. Load this config file, which permits, among other things, control of FIPS mode.
  5. Add testing for new features: Test combinations of features from 1 and 4.

As always, I'm open to any suggestions and improvements, especially if there is a better way to pass global options such as the enable/disable flags (instead of extern C variables).

These features were added as a result of discussion in https://github.com/nodejs/node/issues/3819 and https://github.com/nodejs/node/issues/3820; please refer to them for background information.

Note also that going forward we will need to run regression testing in FIPS builds twice: once with FIPS enabled at runtime, and once with FIPS disabled.
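Because a FIPS build no longer implies FIPS mode (item 1), a service that depends on FIPS has to verify the mode at startup. The following check is an added example, not code from this merge request: it uses `crypto.getFips()` as found in current Node.js releases (the description above does not name the API), and `checkFipsPolicy` and its `requireFips` policy input are hypothetical names.

```javascript
'use strict';
const crypto = require('crypto');

// Reported state: what the runtime says after flags, OPENSSL_CONF and API calls.
// crypto.getFips() returns 1 when FIPS mode is on, 0 otherwise.
function reportedFips() {
  return crypto.getFips() === 1;
}

// Observed state: in FIPS mode OpenSSL refuses MD5, so a successful MD5
// digest shows that non-approved algorithms are still reachable.
function md5Rejected() {
  try {
    crypto.createHash('md5').update('probe').digest();
    return false;
  } catch (err) {
    return true;
  }
}

// requireFips is the deployment's policy (hypothetical input). The probe
// argument defaults to the live runtime and can be injected for testing.
function checkFipsPolicy(requireFips, probe) {
  const state = probe || { reported: reportedFips(), rejected: md5Rejected() };
  const problems = [];
  if (requireFips && !state.reported) {
    problems.push('policy requires FIPS but the runtime reports it off');
  }
  if (requireFips && !state.rejected) {
    problems.push('policy requires FIPS but MD5 is still usable');
  }
  if (!requireFips && state.reported) {
    problems.push('FIPS mode is on but policy expects it off');
  }
  return {
    ok: problems.length === 0,
    reported: state.reported,
    rejected: state.rejected,
    opensslConf: process.env.OPENSSL_CONF || null,
    problems,
  };
}

// Constructed usage: report the live state against a "FIPS off" policy.
console.log(checkFipsPolicy(false));
```

Checking both the reported flag and an actual MD5 attempt catches the case where the mode indicator and the loaded OpenSSL configuration disagree.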
