Commit

crypto: enable FIPS only when configured with it
Do not rely on `OPENSSL_FIPS` in `node_crypto.cc` when building with
shared FIPS-enabled OpenSSL library. Enable FIPS in core only when
configured with `--openssl-fips`.

Fix: #3077
PR-URL: #3153
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
indutny authored and rvagg committed Oct 2, 2015
1 parent 0858c86 commit f055a66
Showing 2 changed files with 5 additions and 2 deletions.
3 changes: 3 additions & 0 deletions node.gyp
Expand Up @@ -228,6 +228,9 @@
'src/tls_wrap.h'
],
'conditions': [
['openssl_fips != ""', {
'defines': [ 'NODE_FIPS_MODE' ],
}],
[ 'node_shared_openssl=="false"', {
'dependencies': [
'./deps/openssl/openssl.gyp:openssl',
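Review bot: The new `['openssl_fips != ""', {` condition introduces the `NODE_FIPS_MODE` define with no comment saying that it is driven by the `--openssl-fips` configure option and that, because it sits outside the `node_shared_openssl=="false"` branch, it applies to bundled and shared OpenSSL builds alike. A one-line comment above the condition would record that intent. Minor style point: the neighbouring entry is written `[ 'node_shared_openssl=="false"', {` with a space after the opening bracket, and matching that keeps the conditions list consistent.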
4 changes: 2 additions & 2 deletions src/node_crypto.cc
Expand Up @@ -5323,13 +5323,13 @@ void InitCryptoOnce() {
CRYPTO_set_locking_callback(crypto_lock_cb);
CRYPTO_THREADID_set_callback(crypto_threadid_cb);

#ifdef OPENSSL_FIPS
#ifdef NODE_FIPS_MODE
if (!FIPS_mode_set(1)) {
int err = ERR_get_error();
fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
UNREACHABLE();
}
#endif // OPENSSL_FIPS
#endif // NODE_FIPS_MODE


// Turn off compression. Saves memory and protects against CRIME attacks.
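Review bot: With the guard switched to `NODE_FIPS_MODE`, the `if (!FIPS_mode_set(1))` failure path is compiled in whenever the build was configured with `--openssl-fips`, whatever the linked OpenSSL headers define, and it still ends in `UNREACHABLE()` after a single `fprintf`. For a shared library that cannot enter FIPS mode this is an expected startup condition rather than an unreachable one, so consider a deliberate exit with a message that names the configure option. Separately, `int err = ERR_get_error();` narrows the `unsigned long` error code that `ERR_error_string` takes; declaring `err` as `unsigned long` avoids the truncation.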