From c788b0e2c9cf164fdbc85de5e605308d45bb5b31 Mon Sep 17 00:00:00 2001
From: Gibson Fahnestock
Date: Tue, 4 Apr 2017 15:36:15 +0100
Subject: [PATCH] crypto: only try to set FIPS mode if different

Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error.

PR-URL: https://github.com/nodejs/node/pull/12210
Fixes: https://github.com/nodejs/node/issues/11849
Reviewed-By: Richard Lau
Reviewed-By: Michael Dawson
Reviewed-By: Ruben Bridgewater
Reviewed-By: James M Snell
---
 src/node_crypto.cc | 7 +++++--
 test/parallel/test-crypto-fips.js | 9 +++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 573d3b8ed6d1c5..9f4ac37448b328 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -6134,11 +6134,14 @@ void GetFipsCrypto(const FunctionCallbackInfo& args) {
 void SetFipsCrypto(const FunctionCallbackInfo& args) {
 Environment* env = Environment::GetCurrent(args);
 #ifdef NODE_FIPS_MODE
- bool mode = args[0]->BooleanValue();
+ const bool enabled = FIPS_mode();
+ const bool enable = args[0]->BooleanValue();
+ if (enable == enabled)
+ return; // No action needed.
 if (force_fips_crypto) {
 return env->ThrowError(
 "Cannot set FIPS mode, it was forced with --force-fips at startup.");
- } else if (!FIPS_mode_set(mode)) {
+ } else if (!FIPS_mode_set(enable)) {
 unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
 return ThrowCryptoError(env, err);
 }
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
index 7f3ac9e26baefb..36a542b7b04f52 100644
--- a/test/parallel/test-crypto-fips.js
+++ b/test/parallel/test-crypto-fips.js
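Review bot: In SetFipsCrypto (src/node_crypto.cc) the early return `if (enable == enabled) return;` sits ahead of the `force_fips_crypto` check, and nothing in the hunk records that this ordering is deliberate. Under --force-fips a request to enable becomes a silent no-op, while a request to disable still reaches the throw, provided `FIPS_mode()` reports on whenever the flag was given, which the hunk does not show. That property is what keeps a forced FIPS mode from being switched off at runtime, so it deserves a comment in place of `// No action needed.`, for example `// Already in the requested mode. A disable request under --force-fips differs from the current mode, so it still throws below.` The names `enabled` and `enable` differ by one letter inside a security guard; `current` and `requested` would be harder to misread. The function body continues outside the hunk (the `#else` branch is not visible).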
@@ -209,6 +209,15 @@ testHelper(
 'require("crypto").fips = false',
 process.env);
 
+// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--force-fips'],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ '(require("crypto").fips = true,' +
+ 'require("crypto").fips)',
+ process.env);
+
 // --force-fips and --enable-fips order does not matter
 testHelper(
 'stderr',
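Review bot: The added case exercises only the forced path, so the no-op this commit introduces for an ordinary process (setting `fips` to the value it already has without --force-fips) has no assertion in this hunk; a case elsewhere in the file may already cover it. Because that path decides whether `FIPS_mode_set` is skipped, a regression there would not be caught by the new test. A companion case run with `--enable-fips` is sketched below; its expected values mirror the --force-fips case and should be checked against the file's existing --enable-fips cases.

```javascript
// Setting fips to its current value without --force-fips is also a no-op
testHelper(
  compiledWithFips() ? 'stdout' : 'stderr',
  ['--enable-fips'],
  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
  '(require("crypto").fips = true,' +
  'require("crypto").fips)',
  process.env);
```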