crypto: enable FIPS only when configured with it

Do not rely on `OPENSSL_FIPS` in `node_crypto.cc` when building with shared FIPS-enabled OpenSSL library. Enable FIPS in core only when configured with `--openssl-fips`. Fix: https://github.com/nodejs/node/issues/3077 PR-URL: https://github.com/nodejs/node/pull/3153 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
9 years ago · 9bd26e7ffa
2 changed files with 5 additions and 2 deletions
--- a/node.gyp
+++ b/node.gyp
@ -228,6 +228,9 @@
            'src/tls_wrap.h'
          ],
          'conditions': [
+            ['openssl_fips != ""', {
+              'defines': [ 'NODE_FIPS_MODE' ],
+            }],
            [ 'node_shared_openssl=="false"', {
              'dependencies': [
                './deps/openssl/openssl.gyp:openssl',
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@ -5323,13 +5323,13 @@ void InitCryptoOnce() {
  CRYPTO_set_locking_callback(crypto_lock_cb);
  CRYPTO_THREADID_set_callback(crypto_threadid_cb);

-#ifdef OPENSSL_FIPS
+#ifdef NODE_FIPS_MODE
  if (!FIPS_mode_set(1)) {
    int err = ERR_get_error();
    fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
    UNREACHABLE();
  }
-#endif  // OPENSSL_FIPS
+#endif  // NODE_FIPS_MODE


  // Turn off compression. Saves memory and protects against CRIME attacks.