From effdca8b10319f18611be8d76cf1f6e7170c6d66 Mon Sep 17 00:00:00 2001
From: Michael Dawson
Date: Mon, 6 Feb 2023 15:50:46 -0500
Subject: [PATCH] crypto: don't assume FIPS is disabled by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For binaries that use --shared-openssl FIPs may be enabled by default by the system. Allow --force-fips and --enable-fips to be specified in these cases.

Signed-off-by: Michael Dawson
PR-URL: https://github.com/nodejs/node/pull/46532
Reviewed-By: Richard Lau
Reviewed-By: James M Snell
Reviewed-By: Colin Ihrig
Reviewed-By: Tobias Nießen
---
 src/crypto/crypto_util.cc | 3 ++-
 test/parallel/test-crypto-fips.js | 18 +++++++++++-------
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 8ead5fcbb55afb..247067a9908717 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -120,7 +120,8 @@ bool ProcessFipsOptions() {
 return EVP_default_properties_enable_fips(nullptr, 1) &&
 EVP_default_properties_is_fips_enabled(nullptr);
 #else
-return FIPS_mode() == 0 && FIPS_mode_set(1);
+if (FIPS_mode() == 0) return FIPS_mode_set(1);
+
 #endif
 }
 return true;
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
index cc3e4eed79d80f..06f0948ea63d8f 100644
--- a/test/parallel/test-crypto-fips.js
+++ b/test/parallel/test-crypto-fips.js
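Review bot: The second added line of the crypto_util.cc hunk is an empty `+` line, which leaves a stray blank line between the new `if` and `#endif` that the OpenSSL 3 branch just above does not have; drop it. The new early return also deserves a why-comment, because the fall-through to `return true;` now deliberately accepts a FIPS mode that the system switched on before Node.js started, and a reader of the 1.1.1 branch alone cannot see that intent: `// FIPS may already be on (e.g. --shared-openssl against a FIPS-configured system OpenSSL); only enable it here when it is still off.` ProcessFipsOptions and the `if` whose body this is both begin before the hunk, so the option check guarding this path is not visible here.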
@@ -77,13 +77,17 @@ testHelper(
 'process.versions',
 process.env);
 
-// By default FIPS should be off in both FIPS and non-FIPS builds.
-testHelper(
-'stdout',
-[],
-FIPS_DISABLED,
-'require("crypto").getFips()',
-{ ...process.env, 'OPENSSL_CONF': ' ' });
+// By default FIPS should be off in both FIPS and non-FIPS builds
+// unless Node.js was configured using --shared-openssl in
+// which case it may be enabled by the system.
+if (!sharedOpenSSL()) {
+testHelper(
+'stdout',
+[],
+FIPS_DISABLED,
+'require("crypto").getFips()',
+{ ...process.env, 'OPENSSL_CONF': ' ' });
+}
 
 // This should succeed for both FIPS and non-FIPS builds in combination with
 // OpenSSL 1.1.1 or OpenSSL 3.0
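Review bot: Wrapping the default-state check in `if (!sharedOpenSSL())` makes shared-OpenSSL builds skip the assertion silently, so a regression in what `getFips()` reports by default on such a build would no longer be caught and nothing in the test output would show the coverage gap. Consider an `else` branch that records the skip, e.g. `} else { common.printSkipMessage('default FIPS state is decided by the system OpenSSL'); }`, assuming this file loads `../common` as Node.js tests normally do; `sharedOpenSSL()` itself is defined outside the hunk, so whether it reflects the configure flag or a runtime probe cannot be confirmed from here. The new comment could also say what a reader should expect instead of 0 on those builds, e.g. `// ... in which case getFips() reflects the system configuration rather than 0.`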