Skip to content

Commit

Permalink
crypto: don't assume FIPS is disabled by default
Browse files Browse the repository at this point in the history
For binaries that use --shared-openssl FIPs may be enabled
by default by the system. Allow --force-fips and --enable-fips
to be specified in these cases.

Signed-off-by: Michael Dawson <mdawson@devrus.com>

PR-URL: #46532
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
  • Loading branch information
mhdawson authored and danielleadams committed Apr 3, 2023
1 parent f8d0291 commit effdca8
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 8 deletions.
3 changes: 2 additions & 1 deletion src/crypto/crypto_util.cc
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,8 @@ bool ProcessFipsOptions() {
return EVP_default_properties_enable_fips(nullptr, 1) &&
EVP_default_properties_is_fips_enabled(nullptr);
#else
return FIPS_mode() == 0 && FIPS_mode_set(1);
if (FIPS_mode() == 0) return FIPS_mode_set(1);

#endif
}
return true;
Expand Down
18 changes: 11 additions & 7 deletions test/parallel/test-crypto-fips.js
Original file line number Diff line number Diff line change
Expand Up @@ -77,13 +77,17 @@ testHelper(
'process.versions',
process.env);

// By default FIPS should be off in both FIPS and non-FIPS builds.
testHelper(
'stdout',
[],
FIPS_DISABLED,
'require("crypto").getFips()',
{ ...process.env, 'OPENSSL_CONF': ' ' });
// By default FIPS should be off in both FIPS and non-FIPS builds
// unless Node.js was configured using --shared-openssl in
// which case it may be enabled by the system.
if (!sharedOpenSSL()) {
testHelper(
'stdout',
[],
FIPS_DISABLED,
'require("crypto").getFips()',
{ ...process.env, 'OPENSSL_CONF': ' ' });
}

// This should succeed for both FIPS and non-FIPS builds in combination with
// OpenSSL 1.1.1 or OpenSSL 3.0
Expand Down

0 comments on commit effdca8

Please sign in to comment.