Skip to content

Commit

Permalink
crypto: only try to set FIPS mode if different
Browse files Browse the repository at this point in the history
Turning FIPS mode on (or off) when it's already on (or off) should be a
no-op, not an error.

PR-URL: nodejs/node#12210
Fixes: nodejs/node#11849
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
gibfahn authored and addaleax committed Sep 30, 2017
1 parent ed53097 commit 1949e4d
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 2 deletions.
7 changes: 5 additions & 2 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -6037,11 +6037,14 @@ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
#ifdef NODE_FIPS_MODE
bool mode = args[0]->BooleanValue();
const bool enabled = FIPS_mode();
const bool enable = args[0]->BooleanValue();
if (enable == enabled)
return; // No action needed.
if (force_fips_crypto) {
return env->ThrowError(
"Cannot set FIPS mode, it was forced with --force-fips at startup.");
} else if (!FIPS_mode_set(mode)) {
} else if (!FIPS_mode_set(enable)) {
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
return ThrowCryptoError(env, err);
}
Expand Down
9 changes: 9 additions & 0 deletions test/parallel/test-crypto-fips.js
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,15 @@ testHelper(
'require("crypto").fips = false',
process.env);

// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
testHelper(
compiledWithFips() ? 'stdout' : 'stderr',
['--force-fips'],
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
'(require("crypto").fips = true,' +
'require("crypto").fips)',
process.env);

// --force-fips and --enable-fips order does not matter
testHelper(
'stderr',
Expand Down

0 comments on commit 1949e4d

Please sign in to comment.