crypto: only try to set FIPS mode if different

Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
nodejs · Sep 26, 2017 · 0919dff · 0919dff
1 parent 7d55b81
commit 0919dff
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -6021,11 +6021,14 @@ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
 void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
  Environment* env = Environment::GetCurrent(args);
 #ifdef NODE_FIPS_MODE
- bool mode = args[0]->BooleanValue();
+ const bool enabled = FIPS_mode();
+ const bool enable = args[0]->BooleanValue();
+ if (enable == enabled)
+ return; // No action needed.
  if (force_fips_crypto) {
  return env->ThrowError(
  "Cannot set FIPS mode, it was forced with --force-fips at startup.");
- } else if (!FIPS_mode_set(mode)) {
+ } else if (!FIPS_mode_set(enable)) {
  unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
  return ThrowCryptoError(env, err);
  }

diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
@@ -212,6 +212,15 @@ testHelper(
  'require("crypto").fips = false',
  process.env);
 
+// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--force-fips'],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ '(require("crypto").fips = true,' +
+ 'require("crypto").fips)',
+ process.env);
+
 // --force-fips and --enable-fips order does not matter
 testHelper(
  'stderr',