-
Notifications
You must be signed in to change notification settings - Fork 30.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: only try to set FIPS mode if different #12210
Conversation
const bool enabled = FIPS_mode(); | ||
const bool enable = args[0]->BooleanValue(); | ||
if (enable == enabled) | ||
return; // No action needed. | ||
if (force_fips_crypto) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given this change, should we also only throw if attempting to turn FIPS off when force_fips_crypto
is on? Turning it on should likely just non-op
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jasnell if force_fips_crypto
is on, then FIPS_mode()
should already be enabled right? So doesn't the if (enable == enabled)
branch already cover that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good point. ok
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs tests (marking so this doesn't land without them).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@gibfahn would you be so kind and add some tests for this? |
Ping @gibfahn |
167bde0
to
e93588b
Compare
Closing due to long inactivity. @gibfahn please reopen if you still want to pursue this. |
e93588b
to
dadc0ea
Compare
Note to self, if a PR is closed, don't push to the branch before reopening the PR. If you do it's undoable as long as you force-push back to the commit hash the branch pointed to when the PR was closed. |
Added a test to confirm that enabling fips when PTAL. |
['--force-fips'], | ||
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, | ||
'(require("crypto").fips = true,' + | ||
'require("crypto").fips)', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I personally would use a single line for this argument as all other arguments are also on a single line but that is just taste and does not have to be addressed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I copied this from a test further up. There are a few things I'd change about this test file, but I thought I'd try to keep this diff clean.
@richardlau does this LGTY now? |
CI: https://ci.nodejs.org/job/node-test-commit/12618/ @nodejs/crypto I'd appreciate a quick look if you have time. |
CI has these failures (I think all unrelated):
|
dadc0ea
to
6f1c8c8
Compare
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: nodejs#12210 Fixes: nodejs#11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
6f1c8c8
to
0919dff
Compare
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: nodejs/node#12210 Fixes: nodejs/node#11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
@gibfahn I've backported to v6.x, can you test this out once the r.c. drops |
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a no-op, not an error. PR-URL: #12210 Fixes: #11849 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Turning FIPS mode on (or off) when it's already on (or off) should be a
no-op, not an error.
Fixes: #11849
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesAffected core subsystem(s)
crypto (FIPS)
Patch shamelessly stolen from @bnoordhuis here. PR'd to remind myself to test this properly.