Skip to content

Commit

Permalink
crypto: don't assume FIPS is disabled by default
Browse files Browse the repository at this point in the history
For binaries that use --shared-openssl FIPs may be enabled
by default by the system. Allow --force-fips and --enable-fips
to be specified in these cases.

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: #46532
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
  • Loading branch information
mhdawson authored and MylesBorins committed Feb 18, 2023
1 parent 9a5a274 commit c67dcc9
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 8 deletions.
3 changes: 2 additions & 1 deletion src/crypto/crypto_util.cc
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,8 @@ bool ProcessFipsOptions() {
return EVP_default_properties_enable_fips(nullptr, 1) &&
EVP_default_properties_is_fips_enabled(nullptr);
#else
return FIPS_mode() == 0 && FIPS_mode_set(1);
if (FIPS_mode() == 0) return FIPS_mode_set(1);

#endif
}
return true;
Expand Down
18 changes: 11 additions & 7 deletions test/parallel/test-crypto-fips.js
Original file line number Diff line number Diff line change
Expand Up @@ -77,13 +77,17 @@ testHelper(
'process.versions',
process.env);

// By default FIPS should be off in both FIPS and non-FIPS builds.
testHelper(
'stdout',
[],
FIPS_DISABLED,
'require("crypto").getFips()',
{ ...process.env, 'OPENSSL_CONF': ' ' });
// By default FIPS should be off in both FIPS and non-FIPS builds
// unless Node.js was configured using --shared-openssl in
// which case it may be enabled by the system.
if (!sharedOpenSSL()) {
testHelper(
'stdout',
[],
FIPS_DISABLED,
'require("crypto").getFips()',
{ ...process.env, 'OPENSSL_CONF': ' ' });
}

// Toggling fips with setFips should not be allowed from a worker thread
testHelper(
Expand Down

0 comments on commit c67dcc9

Please sign in to comment.