Skip to content

Commit

Permalink
crypto: only try to set FIPS mode if different
Browse files Browse the repository at this point in the history
Turning FIPS mode on (or off) when it's already on (or off) should be a
no-op, not an error.

PR-URL: #12210
Fixes: #11849
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: James M Snell <[email protected]>
  • Loading branch information
gibfahn authored and MylesBorins committed Sep 29, 2017
1 parent 5992a31 commit 997ccdd
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 2 deletions.
7 changes: 5 additions & 2 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -6060,11 +6060,14 @@ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
#ifdef NODE_FIPS_MODE
bool mode = args[0]->BooleanValue();
const bool enabled = FIPS_mode();
const bool enable = args[0]->BooleanValue();
if (enable == enabled)
return; // No action needed.
if (force_fips_crypto) {
return env->ThrowError(
"Cannot set FIPS mode, it was forced with --force-fips at startup.");
} else if (!FIPS_mode_set(mode)) {
} else if (!FIPS_mode_set(enable)) {
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
return ThrowCryptoError(env, err);
}
Expand Down
9 changes: 9 additions & 0 deletions test/parallel/test-crypto-fips.js
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,15 @@ testHelper(
'require("crypto").fips = false',
process.env);

// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
testHelper(
compiledWithFips() ? 'stdout' : 'stderr',
['--force-fips'],
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
'(require("crypto").fips = true,' +
'require("crypto").fips)',
process.env);

// --force-fips and --enable-fips order does not matter
testHelper(
'stderr',
Expand Down

0 comments on commit 997ccdd

Please sign in to comment.