crypto: don't assume FIPS is disabled by default

mhdawson · danielleadams · commit effdca8b1031 · 2023-04-03T07:49:38.000-04:00
For binaries that use --shared-openssl FIPs may be enabled by default by the system. Allow --force-fips and --enable-fips to be specified in these cases. Signed-off-by: Michael Dawson <mdawson@devrus.com> PR-URL: #46532 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
@@ -120,7 +120,8 @@ bool ProcessFipsOptions() {
     return EVP_default_properties_enable_fips(nullptr, 1) &&
            EVP_default_properties_is_fips_enabled(nullptr);
 #else
-    return FIPS_mode() == 0 && FIPS_mode_set(1);
+    if (FIPS_mode() == 0) return FIPS_mode_set(1);
+
 #endif
   }
   return true;
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
@@ -77,13 +77,17 @@ testHelper(
   'process.versions',
   process.env);
 
-// By default FIPS should be off in both FIPS and non-FIPS builds.
-testHelper(
-  'stdout',
-  [],
-  FIPS_DISABLED,
-  'require("crypto").getFips()',
-  { ...process.env, 'OPENSSL_CONF': ' ' });
+// By default FIPS should be off in both FIPS and non-FIPS builds
+// unless Node.js was configured using --shared-openssl in
+// which case it may be enabled by the system.
+if (!sharedOpenSSL()) {
+  testHelper(
+    'stdout',
+    [],
+    FIPS_DISABLED,
+    'require("crypto").getFips()',
+    { ...process.env, 'OPENSSL_CONF': ' ' });
+}
 
 // This should succeed for both FIPS and non-FIPS builds in combination with
 // OpenSSL 1.1.1 or OpenSSL 3.0
