
crypto: enable FIPS only when configured with it

Do not rely on `OPENSSL_FIPS` in `node_crypto.cc` when building with
shared FIPS-enabled OpenSSL library. Enable FIPS in core only when
configured with `--openssl-fips`.

Fix: https://github.com/nodejs/node/issues/3077
PR-URL: https://github.com/nodejs/node/pull/3153
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
v5.x
Fedor Indutny 9 years ago
parent
commit
9bd26e7ffa
  1. 3
      node.gyp
  2. 4
      src/node_crypto.cc

3
node.gyp

@ -228,6 +228,9 @@
'src/tls_wrap.h'
],
'conditions': [
['openssl_fips != ""', {
'defines': [ 'NODE_FIPS_MODE' ],
}],
[ 'node_shared_openssl=="false"', {
'dependencies': [
'./deps/openssl/openssl.gyp:openssl',
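Review bot: The new `openssl_fips != ""` condition sits beside the `node_shared_openssl=="false"` branch rather than inside it, so `NODE_FIPS_MODE` is defined for both bundled and shared OpenSSL builds, and nothing here says what the define does. A short comment above the condition would help, for example `# NODE_FIPS_MODE: InitCryptoOnce() calls FIPS_mode_set(1) at startup and aborts if it fails`. As far as the visible hunks show, a build against a shared FIPS-capable library that omits `--openssl-fips` now starts outside FIPS mode without any message, which is worth stating in the build documentation for operators who relied on the previous behaviour.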

4
src/node_crypto.cc

@ -5323,13 +5323,13 @@ void InitCryptoOnce() {
CRYPTO_set_locking_callback(crypto_lock_cb);
CRYPTO_THREADID_set_callback(crypto_threadid_cb);
#ifdef OPENSSL_FIPS
#ifdef NODE_FIPS_MODE
if (!FIPS_mode_set(1)) {
int err = ERR_get_error();
fprintf(stderr, "openssl fips failed: %s\n", ERR_error_string(err, NULL));
UNREACHABLE();
}
#endif // OPENSSL_FIPS
#endif // NODE_FIPS_MODE
// Turn off compression. Saves memory and protects against CRIME attacks.
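Review bot: With the guard switched to `NODE_FIPS_MODE` alone, a build configured with `--openssl-fips` against OpenSSL headers that lack FIPS support is no longer excluded at compile time; it would presumably surface only at link time or as a `FIPS_mode_set(1)` failure on every start. A build-time check before this block would make the misconfiguration explicit, assuming FIPS-capable headers define `OPENSSL_FIPS` in both bundled and shared builds: `#if defined(NODE_FIPS_MODE) && !defined(OPENSSL_FIPS)` followed by `#error "--openssl-fips requires FIPS-capable OpenSSL headers"` and `#endif`. On the failure path, `ERR_get_error()` returns `unsigned long`, so `int err` should be `unsigned long err` to avoid truncating the code passed to `ERR_error_string`. InitCryptoOnce begins and continues outside the hunk.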
