diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 573d3b8ed6d1c5..9f4ac37448b328 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -6134,11 +6134,14 @@ void GetFipsCrypto(const FunctionCallbackInfo& args) {
 void SetFipsCrypto(const FunctionCallbackInfo& args) {
 Environment* env = Environment::GetCurrent(args);
 #ifdef NODE_FIPS_MODE
- bool mode = args[0]->BooleanValue();
+ const bool enabled = FIPS_mode();
+ const bool enable = args[0]->BooleanValue();
+ if (enable == enabled)
+ return; // No action needed.
 if (force_fips_crypto) {
 return env->ThrowError(
 "Cannot set FIPS mode, it was forced with --force-fips at startup.");
- } else if (!FIPS_mode_set(mode)) {
+ } else if (!FIPS_mode_set(enable)) {
 unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
 return ThrowCryptoError(env, err);
 }
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
index 7f3ac9e26baefb..36a542b7b04f52 100644
--- a/test/parallel/test-crypto-fips.js
+++ b/test/parallel/test-crypto-fips.js
@@ -209,6 +209,15 @@ testHelper(
 'require("crypto").fips = false',
 process.env);
 
+// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--force-fips'],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ '(require("crypto").fips = true,' +
+ 'require("crypto").fips)',
+ process.env);
+
 // --force-fips and --enable-fips order does not matter
 testHelper(
 'stderr',
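Review bot: The new early return `if (enable == enabled) return;` sits ahead of the `force_fips_crypto` guard, so the rule that a forced FIPS mode cannot be switched off now rests on `FIPS_mode()` reporting enabled whenever `--force-fips` was given. If the two ever disagree, `crypto.fips = false` would return silently where it used to throw. A comment on the early return would make that dependency explicit, for example `// With --force-fips, FIPS_mode() is expected to be on, so a disable request still reaches the throw below.` The names `enabled` and `enable` differ by one letter and are compared on the very next line; `currently_enabled` and `requested` would be harder to misread. The body of SetFipsCrypto continues past the end of this hunk.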
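Review bot: The comment on the new case, `// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)`, does not state what is being asserted, namely that assigning `true` under `--force-fips` no longer throws and the getter still reports FIPS as on; `// --force-fips: crypto.fips = true must not throw and FIPS stays on` reads more directly. The case also exercises only one of the two no-op paths the source change introduces. A companion case assigning `false` while FIPS is already off would pin the other early return, unless the file already covers it outside this hunk. The surrounding testHelper calls start and end outside the hunk.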