nodejs / node

Node.js JavaScript runtime ✨🐢🚀✨
https://nodejs.org

Include FIPS Module by Default #47076

Closed elliot-huffman closed 1 year ago

elliot-huffman commented 1 year ago

What is the problem this feature will solve?

Reduce the amount of time and money required to become FIPS validated/certified.

What is the feature you are proposing to solve the problem?

With the integration of OpenSSL 3.x in the Node.JS core (https://nodejs.org/en/blog/release/v17.0.0), the cryptographic system that powers Node.JS is now certified out of the box for FIPS (https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/ and https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/), which reduces the amount of investment necessary to demonstrate that the framework is FIPS.

I propose that the build process for Node.JS be modified so that it includes the FIPS module by default. As it is now, when the module is included in the build, the end user is still responsible for enabling FIPS mode by using the crypto.setFips object. This allows for devs to not have to use FIPS mode if they don't want to and if they do want to, it will save them tremendous investment and months of validation/certification testing their code every release they make.

I have personally heard some quotes of north of $100,000 per certification when building from source. This would reduce that number dramatically. I have heard some orgs offering to do the paperwork for solutions that have been pre-certified for $10k or less. This represents 90% cost savings to devs/orgs (not including the time and build infra costs needed to build from source) that are able to take advantage of the build that comes with the module built in.

What alternatives have you considered?

Doing it the hard way, building from source :-(

elliot-huffman commented 1 year ago

The issue is similar to #37072 but updated for the times and what is now needed for the capability set forth by that request.

bnoordhuis commented 1 year ago

FIPS validation usually lags severely behind openssl release. That's a problem.

Another problem is that FIPS builds are severely restricted compared to regular openssl builds. The majority of node users isn't going to appreciate that.

In good news: I'll take care of your FIPS build for the low, low price of $80k. :-)

richardlau commented 1 year ago

I suspect the chances of us doing so will be slim. It will be of no use to downstream packagers (Linux distros) as they tend to link to their system OpenSSL and get/enable FIPS that way. Another problem is that even if we included the compiled FIPS module, you (as the user) would still need to run openssl fipsinstall on it.

> I have personally heard some quotes of north of $100,000 per certification when building from source. This would reduce that number dramatically. I have heard some orgs offering to do the paperwork for solutions that have been pre-certified for $10k or less. This represents 90% cost savings to devs/orgs (not including the time and build infra costs needed to build from source) that are able to take advantage of the build that comes with the module built in.

Right, but I don't see Node.js being in a position to certify the FIPS module on your behalf. If we ever did ship a compiled FIPS module, we would not make any claims about its certification status. I suspect, for example, that building OpenSSL via gyp (as we do for Node.js) would be questionably incompatible with the OpenSSL FIPS 140-2 Security Policy.
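The `openssl fipsinstall` step mentioned above is the part a shipped `fips.so` would not remove. As an added example that is not from the Node.js project or from anyone in this thread: the FIPS provider is a shared object whose integrity MAC must be computed on the target machine and written to a config fragment, and that fragment then has to be pulled in by the OpenSSL config Node.js is started with. The paths below are assumptions for illustration; the section names follow the layout OpenSSL documents for the FIPS provider.

```ini
# /etc/ssl/openssl-fips.cnf  (assumed path; added example, not from the issue)
#
# 1. Install the module on the machine that will run it; this writes
#    [fips_sect] with the module's MAC into the fragment included below:
#      openssl fipsinstall -module /usr/local/lib/ossl-modules/fips.so \
#                          -out /etc/ssl/fipsmodule.cnf
# 2. Start Node.js with this config and FIPS enabled:
#      node --openssl-config=/etc/ssl/openssl-fips.cnf --enable-fips app.js
#
# Node.js reads the nodejs_conf section by default and openssl_conf only
# with --openssl-shared-config, so point both at the same init section.
config_diagnostics = 1
openssl_conf = openssl_init
nodejs_conf = openssl_init

.include /etc/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
```

The MAC recorded by `fipsinstall` is tied to the exact `fips.so` bytes and path, which is why a pre-built module still needs this per-installation step and why the installed file, not just the compiled module, is what a FIPS security policy is concerned with.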

mhdawson commented 1 year ago

+1 to what @richardlau has said. I've not looked recently at the requirements but in past versions of OpenSSL there were requirements on how the parts that provided the FIPS crypto had to be built, requirements on making sure the source was obtained directly from the right place and additional requirements on ensuring the provenance throughout the process. The project worked to make it possible to build in that way but is/was not set up to ensure those requirements are met. Building binaries that meet all of the requirements and being comfortable that they are met correctly is not something I think the project can/should take on.

elliot-huffman commented 1 year ago

Fair enough, thanks for the info :-) I'll look into doing my own build process :-( Sounds like the way to go.