crypto: only try to set FIPS mode if different

Turning FIPS mode on (or off) when it's already on (or off) should be a
no-op, not an error.

PR-URL: #12210
Fixes: #11849
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
gibfahn committed Apr 4, 2017
1 parent 7d55b81 commit 0919dff489652595e59b44b7d11114bb402d760b
Showing with 14 additions and 2 deletions.
  1. +5 −2 src/node_crypto.cc
  2. +9 −0 test/parallel/test-crypto-fips.js
@@ -6021,11 +6021,14 @@ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);
#ifdef NODE_FIPS_MODE
bool mode = args[0]->BooleanValue();
const bool enabled = FIPS_mode();
const bool enable = args[0]->BooleanValue();
if (enable == enabled)
return; // No action needed.
if (force_fips_crypto) {
return env->ThrowError(
"Cannot set FIPS mode, it was forced with --force-fips at startup.");
} else if (!FIPS_mode_set(mode)) {
} else if (!FIPS_mode_set(enable)) {
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
return ThrowCryptoError(env, err);
}
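Review bot: the early return at `if (enable == enabled)` sits above the `force_fips_crypto` check, so with --force-fips a call that requests the mode already in effect now returns silently, while a call that would change the mode still throws. That ordering matches the commit message, but nothing in the function records it as intentional. A one-line comment at the early return saying it deliberately precedes the --force-fips check would stop a later reorder from bringing the error back, and the user-facing description of `crypto.fips` should mention that a redundant set is a no-op even when FIPS was forced at startup.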
@@ -212,6 +212,15 @@ testHelper(
'require("crypto").fips = false',
process.env);
// --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
testHelper(
compiledWithFips() ? 'stdout' : 'stderr',
['--force-fips'],
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
'(require("crypto").fips = true,' +
'require("crypto").fips)',
process.env);
// --force-fips and --enable-fips order does not matter
testHelper(
'stderr',
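Review bot: the added case covers only one direction, `require("crypto").fips = true` under --force-fips, while the commit message promises that turning FIPS off when it is already off is also a no-op. This hunk adds nothing for that path, nor for a redundant enable under --enable-fips, where `force_fips_crypto` is not involved. If the existing cases in this file do not already assert those, add a case that sets `fips = false` with no FIPS flag and checks that no error is raised, so both branches of `enable == enabled` are exercised.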
