From df9a15d08e6bf28bf2b407af895c5b7d48cc44e1 Mon Sep 17 00:00:00 2001 From: Judson Neer Date: Fri, 13 Nov 2015 20:50:47 -0800 Subject: [PATCH] Add a check of the OPENSSL_FIPS environment variable around FIPS initialization. As currently implemented, when Node is compiled with FIPS support (`./configure fips`), there is no way to disable engaging FIPS mode during execution. This means that several functions that rely on non-FIPS approved algorithms (e.g. md5 hashing) will fail, as will any code that depends on them (most obviously, `npm`). What seems needed to me is a way to explicitly enable or disable FIPS operation each time node is invoked. The way this is done with the openssl CLI is via the OPENSSL_FIPS environment variable. This change adds a check to OPENSSL_FIPS where FIPS_mode_set(1) is called (which enables FIPS mode). If Node is not compiled in FIPS mode this call will not even be compiled since it's wrapped with an ifdef. Those who are trying to run Node.js in FIPS mode should be familiar with this variable and using it will be natural. --- README.md | 2 ++ src/node_crypto.cc | 10 ++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3c14da04398185..ceb70b38c0510e 100644 --- a/README.md +++ b/README.md @@ -306,6 +306,8 @@ Instructions: /usr/local/ssl/fips-2.0 8. Build Node.js with `make -j` 9. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`) +10. For FIPS mode to be enabled at runtime, the OPENSSL_FIPS environment + variable must be set to 1. ## Resources for Newcomers diff --git a/src/node_crypto.cc b/src/node_crypto.cc index f0569eb354ac5e..4fb4325c8f21ae 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc 
@@ -5522,10 +5522,12 @@ void InitCryptoOnce() { CRYPTO_THREADID_set_callback(crypto_threadid_cb); #ifdef NODE_FIPS_MODE - if (!FIPS_mode_set(1)) { - int err = ERR_get_error(); - fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL)); - UNREACHABLE(); + if (getenv("OPENSSL_FIPS")) { + if (!FIPS_mode_set(1)) { + int err = ERR_get_error(); + fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL)); + UNREACHABLE(); + } } #endif // NODE_FIPS_MODE
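Review bot: the new condition in the `InitCryptoOnce()` hunk, `if (getenv("OPENSSL_FIPS"))`, tests only whether the variable exists, so `OPENSSL_FIPS=0` or an empty value still enables FIPS mode, which contradicts the README line added in this same patch ("must be set to 1"). Suggest reading the value and comparing it, e.g. `const char* fips = getenv("OPENSSL_FIPS");` followed by `if (fips != nullptr && strcmp(fips, "1") == 0) {`, so the runtime behaviour matches the documented contract. A second point worth stating in the commit message: before this change a `NODE_FIPS_MODE` build either entered FIPS mode or aborted via `UNREACHABLE()`; after it, the same binary silently runs with the non-FIPS default whenever the variable is unset, so operators who relied on the build flag alone as the guarantee now need a startup-time check (for example, that `FIPS_mode()` is on) or a log line saying which mode was engaged.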
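Review bot: step 10 added to the README says the variable "must be set to 1", but the code hunk in `src/node_crypto.cc` enables FIPS mode on mere presence of `OPENSSL_FIPS`, whatever its value. Either the README wording should say "must be set (to any value)" or the code should check for `1`; keeping the two in agreement matters here because an operator who exports `OPENSSL_FIPS=0` to disable FIPS would get the opposite of what the documentation implies. It would also help to state in this step that an unset variable leaves a FIPS-capable build in non-FIPS mode, since that is the new default introduced by this patch.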