Commit
wip: crypto: Keep FIPS provider loaded
Loading the FIPS provider presumably disables a lot of non-FIPS compliant
algorithms; disabling it right afterwards may leave OpenSSL in a
non-usable state (i.e. no RNG algorithm available).
khardix committed Jul 28, 2023
1 parent b3ecb23 commit 9fbb55f
Showing 2 changed files with 2 additions and 2 deletions.
1 change: 0 additions & 1 deletion src/crypto/crypto_util.cc
Expand Up @@ -125,7 +125,6 @@ bool ProcessFipsOptions() {
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr)
return false;
OSSL_PROVIDER_unload(fips_provider);

return EVP_default_properties_enable_fips(nullptr, 1) &&
EVP_default_properties_is_fips_enabled(nullptr);
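Review bot: with the `OSSL_PROVIDER_unload(fips_provider);` call dropped from `ProcessFipsOptions()`, the failure path of the final `return` leaves the FIPS provider loaded while the function reports false. If `EVP_default_properties_enable_fips(nullptr, 1)` or `EVP_default_properties_is_fips_enabled(nullptr)` fails, the caller sees FIPS setup as failed but the provider stays loaded; consider unloading it on that path. The local `fips_provider` handle is also discarded on return, so nothing can unload it later, and a short comment stating that the provider is intentionally kept for the process lifetime would make that explicit. Since the commit message only says the unload "presumably" breaks the RNG, a test that exercises the RNG after this function returns would confirm the rationale.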
3 changes: 2 additions & 1 deletion src/node.cc
Expand Up @@ -1070,7 +1070,8 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,
if (!crypto::CSPRNG(nullptr, 0).is_ok()) {
// XXX: ERR_GET_REASON does not return something that is
// useful as an exit code at all.
result->exit_code_ = ERR_GET_REASON(ERR_peek_error());
result->exit_code_ =
static_cast<ExitCode>(ERR_GET_REASON(ERR_peek_error()));
result->early_return_ = true;
result->errors_.emplace_back(
"OpenSSL error when trying to seed CSPRNG:\n" +
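Review bot: the `static_cast<ExitCode>(ERR_GET_REASON(ERR_peek_error()))` assignment makes the conversion explicit but keeps the problem the `XXX` comment directly above it describes: an OpenSSL reason code is not a meaningful exit code, and after the cast it may not correspond to any value `ExitCode` defines. Consider assigning a fixed `ExitCode` value here, since the message pushed to `result->errors_` already identifies the OpenSSL failure. This change is also not mentioned in the commit message, which only covers keeping the FIPS provider loaded; it would be easier to review as its own commit or with a line in the message explaining it.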

0 comments on commit 9fbb55f