From 426fc64c796a3a9f8c5c64093050c47b771a592b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Tue, 25 Aug 2020 14:04:54 +0200 Subject: [PATCH] Make FIPS related options and functionality always awailable. There is no reason to hide FIPS functionality behind build flags. OpenSSL always provide the information about FIPS availability via `FIPS_mode()` function. This makes the user experience more consistent, because the OpenSSL library is always queried and the `crypto.getFips()` always returns OpenSSL settings. Fixes #34903 --- node.gypi | 3 --- src/node.cc | 6 +++--- src/node_config.cc | 2 -- src/node_crypto.cc | 14 -------------- src/node_options.cc | 2 -- src/node_options.h | 2 -- 6 files changed, 3 insertions(+), 26 deletions(-) diff --git a/node.gypi b/node.gypi index dbe1b05cf546e2..4b3fc5ef45ed20 100644 --- a/node.gypi +++ b/node.gypi @@ -337,9 +337,6 @@ [ 'node_use_openssl=="true"', { 'defines': [ 'HAVE_OPENSSL=1' ], 'conditions': [ - ['openssl_fips != "" or openssl_is_fips=="true"', { - 'defines': [ 'NODE_FIPS_MODE' ], - }], [ 'node_shared_openssl=="false"', { 'dependencies': [ './deps/openssl/openssl.gyp:openssl', diff --git a/src/node.cc b/src/node.cc index d68c6d8d148a38..152386c69fc6c8 100644 --- a/src/node.cc +++ b/src/node.cc @@ -1028,11 +1028,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) { if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs)) crypto::UseExtraCaCerts(extra_ca_certs); } -#ifdef NODE_FIPS_MODE // In the case of FIPS builds we should make sure // the random source is properly initialized first. - OPENSSL_init(); -#endif // NODE_FIPS_MODE + if (FIPS_mode()) { + OPENSSL_init(); + } // V8 on Windows doesn't have a good source of entropy. Seed it from // OpenSSL's pool. V8::SetEntropySource(crypto::EntropySource); diff --git a/src/node_config.cc b/src/node_config.cc index 2d8ad25bbe9c02..176daa88b0fab1 100644 --- a/src/node_config.cc +++ b/src/node_config.cc @@ -42,9 +42,7 @@ static void Initialize(Local target, READONLY_FALSE_PROPERTY(target, "hasOpenSSL"); #endif // HAVE_OPENSSL -#ifdef NODE_FIPS_MODE READONLY_TRUE_PROPERTY(target, "fipsMode"); -#endif #ifdef NODE_HAVE_I18N_SUPPORT diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 05da3af09c63dc..62c4c985493902 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -3611,12 +3611,10 @@ void CipherBase::Init(const char* cipher_type, HandleScope scope(env()->isolate()); MarkPopErrorOnReturn mark_pop_error_on_return; -#ifdef NODE_FIPS_MODE if (FIPS_mode()) { return env()->ThrowError( "crypto.createCipher() is not supported in FIPS mode."); } -#endif // NODE_FIPS_MODE const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type); if (cipher == nullptr) @@ -3802,13 +3800,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len, return false; } -#ifdef NODE_FIPS_MODE // TODO(tniessen) Support CCM decryption in FIPS mode if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) { env()->ThrowError("CCM decryption not supported in FIPS mode"); return false; } -#endif // Tell OpenSSL about the desired length. if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len, @@ -4683,7 +4679,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env, } static inline bool ValidateDSAParameters(EVP_PKEY* key) { -#ifdef NODE_FIPS_MODE /* Validate DSA2 parameters from FIPS 186-4 */ if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) { DSA* dsa = EVP_PKEY_get0_DSA(key); @@ -4699,7 +4694,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) { (L == 2048 && N == 256) || (L == 3072 && N == 256); } -#endif // NODE_FIPS_MODE return true; } @@ -6859,7 +6853,6 @@ void InitCryptoOnce() { settings = nullptr; #endif -#ifdef NODE_FIPS_MODE /* Override FIPS settings in cnf file, if needed. */ unsigned long err = 0; // NOLINT(runtime/int) if (per_process::cli_options->enable_fips_crypto || @@ -6874,8 +6867,6 @@ void InitCryptoOnce() { ERR_error_string(err, nullptr)); UNREACHABLE(); } -#endif // NODE_FIPS_MODE - // Turn off compression. Saves memory and protects against CRIME attacks. // No-op with OPENSSL_NO_COMP builds of OpenSSL. @@ -6920,7 +6911,6 @@ void SetEngine(const FunctionCallbackInfo& args) { } #endif // !OPENSSL_NO_ENGINE -#ifdef NODE_FIPS_MODE void GetFipsCrypto(const FunctionCallbackInfo& args) { args.GetReturnValue().Set(FIPS_mode() ? 1 : 0); } @@ -6938,8 +6928,6 @@ void SetFipsCrypto(const FunctionCallbackInfo& args) { return ThrowCryptoError(env, err); } } -#endif /* NODE_FIPS_MODE */ - void Initialize(Local target, Local unused, @@ -6976,10 +6964,8 @@ void Initialize(Local target, env->SetMethod(target, "setEngine", SetEngine); #endif // !OPENSSL_NO_ENGINE -#ifdef NODE_FIPS_MODE env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto); env->SetMethod(target, "setFipsCrypto", SetFipsCrypto); -#endif env->SetMethod(target, "pbkdf2", PBKDF2); env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA); diff --git a/src/node_options.cc b/src/node_options.cc index d3fdc459de1ee2..a201c6102aa823 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -749,7 +749,6 @@ PerProcessOptionsParser::PerProcessOptionsParser( &PerProcessOptions::ssl_openssl_cert_store); Implies("--use-openssl-ca", "[ssl_openssl_cert_store]"); ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]"); -#if NODE_FIPS_MODE AddOption("--enable-fips", "enable FIPS crypto at startup", &PerProcessOptions::enable_fips_crypto, @@ -758,7 +757,6 @@ PerProcessOptionsParser::PerProcessOptionsParser( "force FIPS crypto (cannot be disabled)", &PerProcessOptions::force_fips_crypto, kAllowedInEnvironment); -#endif #endif AddOption("--use-largepages", "Map the Node.js static code to large pages. Options are " diff --git a/src/node_options.h b/src/node_options.h index 3258d4b3f0df0c..97c59d7985d6c2 100644 --- a/src/node_options.h +++ b/src/node_options.h @@ -237,10 +237,8 @@ class PerProcessOptions : public Options { #endif bool use_openssl_ca = false; bool use_bundled_ca = false; -#if NODE_FIPS_MODE bool enable_fips_crypto = false; bool force_fips_crypto = false; -#endif #endif // Per-process because reports can be triggered outside a known V8 context.