tls: Use SHA1 for sessionIdContext in FIPS mode

[stefanmb]

By default, a call to tls.createServer() without a sessionIdContext will use a “MD5 hash value generated from command-line” as per documentation.

In FIPS mode MD5 is not allowed, however createServer is often called without specifying an explicit sessionIdContext. A significant number of test cases and applications break. The simple solution is to to use an allowed hash function. I have chosen SHA1 and truncated the output to 128 bits (which is the hardcoded length required by OpenSSL’s SSL_MAX_SID_CTX_LENGTH).

Note that I have opted to maintain the use of MD5 in non-FIPS mode, and updated the documentation accordingly.

[mscdex]

This should target tls instead of the crypto subsystem.

[stefanmb]

@mscdex I updated the commit message accordingly. Thanks.

[indutny]

Let's use .slice() here, this is what we try to do everywhere else.

[indutny]

I think that in general it may be a good idea to use sha256 on both fips and non-fips node. What do you think?

[mhdawson]

The main concern would be interoperability. Would changing to sha256 for non-FIPs mean that there would be problems inter-operating with with earlier Node.js releases ?

[stefanmb]

@indutny @mhdawson

I don't particularly like this commit. What's fed into the hash function is the process name and arguments. I maintained MD5 for non-FIPS because I was afraid someone somewhere might be serializing (caching) sessions across process lifetimes.

I've looked a bit more into the OpenSSL caching mechanism, specifically:
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_session_cache_mode.html
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_sess_set_get_cb.html

The only place where we provide external callbacks for session management is in node_crypto.cc GetSessionCallback and NewSessionCallback. In turn, these store data using CRYPTO_get_ex_data and CRYPTO_set_ex_data which I believe means the data only live as long as the process.

Therefore, I suggest we don't use a hash at all, and instead simply call crypto.randomBytes(16) once in this file and use the resulting value for the lifetime of a given Node process, in both FIPS and non-FIPS mode.

Edit: We still have to clarify why MD5 was mentioned in the docs, is that just internals leaking into the documentation or did it have some meaning to users?

[jasnell]

@stefanmb ... just a quick note, I see this PR has a few conflicts now, can you please take a moment to rebase and update. Thank you!

[stefanmb]

@jasnell Fixed, thanks!

[stefanmb]

@indutny @shigeki
Any thoughts on my comment above regarding the use of crypto.randomBytes instead of a hash?
(1) Is it okay to provide a randomized session ID for the lifespan of each process invocation, instead of deriving the session ID deterministically from the program arguments? In particular, I'm not sure how this affects the cluster module. It seems execArgv is passed to the child workers in cluster.js.
(2) Is it okay to remove the mention of MD5 from the documentation? Quote:

sessionIdContext: A string containing an opaque identifier for session resumption. If requestCert is true, the default is MD5 hash value generated from command-line. Otherwise, the default is not provided.
From documentation for tls.createServer(options[, secureConnectionListener])

If so, I can update this PR. Thank you for your help and advice!

[indutny]

@stefanmb the idea, originally was to provide the same session context to clustered processes (if I remember it right)

[stefanmb]

@indutny Okay, that's what I started to suspect. It's kind of clunky to do it through argv though. Anyway, perhaps the simplest thing is to move to a truncated SHA1 for both FIPS and non-FIPS. OpenSSL requires 128 bits, so I don't think there's a point in using a bigger hash.

[indutny]

Alright, this makes sense to me.

[indutny]

Hm... Let's use sha1 for both cases, and remove condition?

[stefanmb]

@indutny Okay, changed this to do SHA1 in all cases, the change is now pretty trivial.

[indutny]

@stefanmb I was thinking about it for a bit now, and I think we should handle it this way. Let's split this PR into two commits:

• First with both md5 and sha1 (as you originally did). This commit will be backported as semver-patch
• And the one that removes md5 entirely. This commit is going to be a semver-major

The best way to do it is probably to submit a second PR for the second half. @stefanmb does it sound reasonable?

Thank you very much!

[sneak]

This broke my app:

krs_1 | 
krs_1 | > [email protected] test /var/app
krs_1 | > node ./node_modules/mocha/bin/_mocha
krs_1 | 
krs_1 | _tls_wrap.js:22
krs_1 |   if (process.config.variables.openssl_fips) {
krs_1 |                               ^
krs_1 | 
krs_1 | TypeError: Cannot read property 'openssl_fips' of undefined
krs_1 |   at getDefaultSessionIdContext (_tls_wrap.js:22:31)
krs_1 |   at _tls_wrap.js:17:33
krs_1 |   at NativeModule.compile (node.js:954:5)
krs_1 |   at NativeModule.require (node.js:902:18)
krs_1 |   at tls.js:221:21
krs_1 |   at NativeModule.compile (node.js:954:5)
krs_1 |   at NativeModule.require (node.js:902:18)
krs_1 |   at https.js:3:13
krs_1 |   at NativeModule.compile (node.js:954:5)
krs_1 |   at Function.NativeModule.require (node.js:902:18)
krs_1 |   at Function.Module._load (module.js:298:25)
krs_1 |   at Module.require (module.js:366:17)
krs_1 |   at require (module.js:385:17)
krs_1 |   at Object.<anonymous> (/var/app/node_modules/supertest/node_modules/superagent/node_modules/form-data/lib/form_data.js:5:13)
krs_1 |   at Module._compile (module.js:435:26)
krs_1 |   at Object.Module._extensions..js (module.js:442:10)
krs_1 |   at Module.load (/var/app/node_modules/coffee-script/lib/coffee-script/register.js:45:36)
krs_1 |   at Function.Module._load (module.js:313:12)
krs_1 |   at Module.require (module.js:366:17)
krs_1 |   at require (module.js:385:17)
krs_1 |   at Object.<anonymous> (/var/app/node_modules/supertest/node_modules/superagent/lib/node/index.js:8:16)
krs_1 |   at Module._compile (module.js:435:26)
krs_1 |   at Object.Module._extensions..js (module.js:442:10)
krs_1 |   at Module.load (/var/app/node_modules/coffee-script/lib/coffee-script/register.js:45:36)
krs_1 |   at Function.Module._load (module.js:313:12)
krs_1 |   at Module.require (module.js:366:17)
krs_1 |   at require (module.js:385:17)
krs_1 |   at Object.<anonymous> (/var/app/node_modules/supertest/lib/test.js:5:15)
krs_1 |   at Module._compile (module.js:435:26)
krs_1 |   at Object.Module._extensions..js (module.js:442:10)
krs_1 |   at Module.load (/var/app/node_modules/coffee-script/lib/coffee-script/register.js:45:36)
krs_1 |   at Function.Module._load (module.js:313:12)
krs_1 |   at Module.require (module.js:366:17)
krs_1 |   at require (module.js:385:17)
krs_1 |   at Object.<anonymous> (/var/app/node_modules/supertest/index.js:7:12)
krs_1 |   at Module._compile (module.js:435:26)
krs_1 |   at Object.Module._extensions..js (module.js:442:10)
krs_1 |   at Module.load (/var/app/node_modules/coffee-script/lib/coffee-script/register.js:45:36)
krs_1 |   at Function.Module._load (module.js:313:12)
krs_1 |   at Module.require (module.js:366:17)
krs_1 |   at require (module.js:385:17)
krs_1 |   at Object.<anonymous> (/var/app/node_modules/supertest-as-promised/index.js:3:17)
krs_1 |   at Module._compile (module.js:435:26)
krs_1 |   at Object.Module._extensions..js (module.js:442:10)
krs_1 |   at Module.load (/var/app/node_modules/coffee-script/lib/coffee-script/register.js:45:36)
krs_1 |   at Function.Module._load (module.js:313:12)
krs_1 |   at Module.require (module.js:366:17)
krs_1 |   at require (module.js:385:17)
krs_1 |   at Object.<anonymous> (/var/app/test/app.coffee:3:11)
krs_1 |   at Object.<anonymous> (/var/app/test/app.coffee:2:1)
krs_1 |   at Module._compile (module.js:435:26)
krs_1 |   at Object.loadFile (/var/app/node_modules/coffee-script/lib/coffee-script/register.js:16:19)
krs_1 |   at Module.load (/var/app/node_modules/coffee-script/lib/coffee-script/register.js:45:36)
krs_1 |   at Function.Module._load (module.js:313:12)
krs_1 |   at Module.require (module.js:366:17)
krs_1 |   at require (module.js:385:17)
krs_1 |   at /var/app/node_modules/mocha/lib/mocha.js:219:27
krs_1 |   at Array.forEach (native)
krs_1 |   at Mocha.loadFiles (/var/app/node_modules/mocha/lib/mocha.js:216:14)
krs_1 |   at Mocha.run (/var/app/node_modules/mocha/lib/mocha.js:468:10)
krs_1 |   at Object.<anonymous> (/var/app/node_modules/mocha/bin/_mocha:403:18)
krs_1 |   at Module._compile (module.js:435:26)
krs_1 |   at Object.Module._extensions..js (module.js:442:10)
krs_1 |   at Module.load (module.js:356:32)
krs_1 |   at Function.Module._load (module.js:313:12)
krs_1 |   at Function.Module.runMain (module.js:467:10)
krs_1 |   at startup (node.js:136:18)
krs_1 |   at node.js:963:3
krs_1 | 
krs_1 | npm ERR! Test failed.  See above for more details.

It works on 4.2.3 but fails on 4.2.4. It still fails on 4.4.2 (current) and latest 5.x.

Isn't the point of LTS to not add features and not break compatibility?

[MylesBorins]

@sneak are you 100% there isn't some monkey patching of the process object happening in your app?

The error you are getting is suggesting that process.config.variables does not exist at all.

here is a screen shot of me sanity checking this in v4

Here is v5

[sneak]

I'm not; I have not read every line of the testing framework involved, I'm just letting you know that a test suite that passed on 4.2.3 now no longer runs on 4.2.4.

I thought the point of LTS was to not break stuff and cost people time; why not keep this FIPS stuff to 5.x? I don't know what ill-advised stuff this app or its deps was doing, but I do now know that it doesn't work anymore and that this was the change that broke it.

[sneak]

PS: When posting text snippets, you don't need to push bitmaps, simply wrapping them in triple backticks is sufficient.

[MylesBorins]

/cc @nodejs/crypto @nodejs/lts

fwiw we extensively smoke test LTS, we do occasionally hit edges like this though. Thank you for reporting this, we'll dig in and see what we can find.

[sneak]

FWIW:

  "devDependencies": {
    "chai": "3.5.0",
    "istanbul": "0.4.3",
    "mocha": "2.4.5",
    "supertest": "1.2.0",
    "supertest-as-promised": "3.1.0",
    "sqlite3": "*"
  },
  "dependencies": {
    "argparse": "1.0.2",
    "bitcoinjs-lib": "1.5.6",
    "body-parser": "1.13.2",
    "coffee-script": "1.10.0",
    "express": "4.13.1",
    "js-beautify": "1.5.10",
    "lodash": "^4.0.0",
    "moment": "2.10.6",
    "morgan": "1.6.1",
    "node-jsrender": "1.0.6",
    "nodemailer": "1.4.0",
    "nodemailer-smtp-transport": "1.0.3",
    "pg": "4.4.2",
    "pg-hstore": "2.3.2",
    "prompt-sync": "1.0.0",
    "q": "1.4.1",
    "sequelize": "3.17.0",
    "sequelize-cli": "1.9.1",
    "validator": "4.0.2",
    "winston": "2.2.0"
  }

I bumped the versions of the stuff mentioned in the stack trace to latest, but still no love.

[jasnell]

Yeah, the goal of LTS is to keep things as stable as absolutely possible but regressions do creep in from time to time. To help keep things easier to maintain we'll go ahead and pull certain changes back that appear innocuous but every once in a while we'll hit an edge case that needs to be looked at. For this, a quick existence check on process.config.variables and process.config (just to be safe) should be sufficient. Interested in opening a PR? ;-) Once it's reviewed we can get it landed in master, v5 and v4 so it goes out with the next release runs.

[sneak]

There you go, a PR against 4.x. I haven't tried getting 5.x to work yet, I can do that next.

[sneak]

It looks like the change is exactly the same in 5.x, but master has a different file without any FIPS stuff in it. (I haven't tested the breaking app against master, but can if you need me to.)