Bug 1847529 - [RFE] Enable '--enable-fips' option for nodejs
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nodejs-12-module
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Jan Staněk
QA Contact: RHEL CS Apps Subsystem QE
Depends On: 1951620 1951621 1951622 1951623
Reported: 2020-06-16 14:52 UTC by Andrew Mike
Modified: 2024-06-13 22:43 UTC

Last Closed: 2021-08-24 11:37:30 UTC
Type: Bug
Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | nodejs/node/issues/34903 | 0 | None | open | Drop `#ifdef NODE_FIPS_MODE` wherever possible | 2021-02-12 16:29:32 UTC |

Description Andrew Mike 2020-06-16 14:52:26 UTC
1. Proposed title of this feature request: Enable '--enable-fips' option for nodejs
  
3. What is the nature and description of the request?  

Applications built using the Red Hat NodeJS runtime should work on Openshift with FIPS enabled.
    
5. How would the customer like to achieve this? (List the functional requirements here)  
  
nodejs 12 should be built to allow --enable-fips or --force-fips flags. 

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

- nodejs in UBI 8 FIPS Mode should not return an unimplemented error when running with '--enable-fips' or '--force-fips' options.
- nodejs should start and function in an Openshift 4.x environment that is enabled for FIPS.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla? No
  
8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  ASAP
  
9. Is the sales team involved in this request and do they have any additional input?  Sales is not involved.

10. List any affected packages or components.  
  
- nodejs-12.16.1-2.module+el8.2.0+6116+59db3763
- npm-6.13.4-1.12.16.1.2.module+el8.2.0+6116+59db3763

11. Would the customer be able to assist in testing this functionality if implemented? Yes

Comment 3 Vít Ondruch 2020-06-17 14:49:21 UTC
(In reply to Andrew Mike from comment #0)
> - nodejs in UBI 8 FIPS Mode should not return an unimplemented error when
> running with '--enable-fips' or '--force-fips' options.

Andrew, do you think you can get clarification on this? What does "unimplemented error" mean? Trying just simple test cases, this is my experience:

~~~
$ node --enable-fips
node: bad option: --enable-fips

$ node --force-fips
node: bad option: --force-fips
~~~

So where does the "unimplemented error" come from?

> - nodejs should start and function in an Openshift 4.x environment that is
> enabled for FIPS.

I am quite sure it does start and function already. If it does not, then I would appreciate more details.

Just to be clear, if the system is FIPS enabled, it does not matter whether '--enable-fips' or '--force-fips' are used, supported or not. Node.js will use just the FIPS certified functionality provided by the system OpenSSL. You can find more details at https://access.redhat.com/articles/3655361.

Comment 4 Vít Ondruch 2020-06-18 13:59:53 UTC
Also, I wonder what the output of the following command is:

~~~
$ node -p 'crypto.getFips()'
~~~

which should tell us if the FIPS mode is (system wide) enabled, no matter if the `--{enable,force}-fips` flags were used.

Comment 5 Aaron Cohen 2020-06-23 14:49:21 UTC
From the container:

~~~
[kubeadmin@watson-ocp-4-fips-inf ~]$ node -p 'crypto.getFips()'
0

[kubeadmin@watson-ocp-4-fips-inf ~]$ cat /proc/sys/crypto/fips_enabled
0
~~~

From the same worker:

~~~
[core@worker0 ~]$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[core@worker0 ~]$ cat /proc/sys/crypto/fips_enabled
1
~~~

Comment 6 Vít Ondruch 2020-06-24 08:01:15 UTC
Thank you Aaron.

It seems FIPS is not enabled for the container. Could you please double-check that you have followed this guide?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies

Namely, I am interested in a comparison of `cat /etc/system-fips` and `update-crypto-policies --show` on the host and in the container.

Comment 7 Laurie Morse 2020-08-03 16:20:19 UTC
I am trying to get the information you all were asking for and will follow up.

Comment 8 Vít Ondruch 2020-08-24 15:24:43 UTC
Looking into this, I believe that Node.js is unnecessarily providing misleading information, which depends on build configuration, while the system configuration might be different. I have opened this upstream ticket which could help to address this issue:

https://github.com/nodejs/node/issues/34903

Comment 13 Jan Staněk 2021-08-24 11:37:30 UTC
All the trackers are now MODIFIED, and the fix should be shipped in the appropriate release. Closing this as NEXTRELEASE, please follow the individual trackers for future work.

