tls: use process.binding('config') to detect fips mode

When the fips mode check was added sometime in v4 it caused a regression in some edge cases (see https://github.com/nodejs/node/issues/6114) because `process.config` can be overwritten by userland modules. This switches to using the backported process.binding('config') to fix the regression. Fixes: https://github.com/nodejs/node/issues/6114 PR-URL: https://github.com/nodejs/node/pull/7551 Reviewed-By: Myles Borins <myles.borins@gmail.com>
8 years ago · 06327e5eed
2 changed files with 5 additions and 2 deletions
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@ -19,7 +19,7 @@ const defaultSessionIdContext = getDefaultSessionIdContext();
 function getDefaultSessionIdContext() {
  var defaultText = process.argv.join(' ');
  /* SSL_MAX_SID_CTX_LENGTH is 128 bits */
-  if (process.config.variables.openssl_fips) {
+  if (process.binding('config').fipsMode) {
    return crypto.createHash('sha1')
      .update(defaultText)
      .digest('hex').slice(0, 32);
--- a/src/node_config.cc
+++ b/src/node_config.cc
@ -28,7 +28,10 @@ using v8::ReadOnly;
 void InitConfig(Local<Object> target,
                Local<Value> unused,
                Local<Context> context) {
-  // Environment* env = Environment::GetCurrent(context);
+#ifdef NODE_FIPS_MODE
+  Environment* env = Environment::GetCurrent(context);
+  READONLY_BOOLEAN_PROPERTY("fipsMode");
+#endif
 }

 }  // namespace node