crypto: don't assume FIPS is disabled by default

For binaries that use --shared-openssl FIPs may be enabled
by default by the system. Allow --force-fips and --enable-fips
to be specified in these cases.

Signed-off-by: Michael Dawson <[email protected]>

PR-URL: #46532
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>

Author: mhdawson

src/crypto/crypto_util.cc

@@ -120,7 +120,8 @@ bool ProcessFipsOptions() {
     return EVP_default_properties_enable_fips(nullptr, 1) &&
            EVP_default_properties_is_fips_enabled(nullptr);
 #else
-    return FIPS_mode() == 0 && FIPS_mode_set(1);
+    if (FIPS_mode() == 0) return FIPS_mode_set(1);
+
 #endif
   }
   return true;

test/parallel/test-crypto-fips.js

@@ -77,13 +77,17 @@ testHelper(
   'process.versions',
   process.env);
 
-// By default FIPS should be off in both FIPS and non-FIPS builds.
-testHelper(
-  'stdout',
-  [],
-  FIPS_DISABLED,
-  'require("crypto").getFips()',
-  { ...process.env, 'OPENSSL_CONF': ' ' });
+// By default FIPS should be off in both FIPS and non-FIPS builds
+// unless Node.js was configured using --shared-openssl in
+// which case it may be enabled by the system.
+if (!sharedOpenSSL()) {
+  testHelper(
+    'stdout',
+    [],
+    FIPS_DISABLED,
+    'require("crypto").getFips()',
+    { ...process.env, 'OPENSSL_CONF': ' ' });
+}
 
 // This should succeed for both FIPS and non-FIPS builds in combination with
 // OpenSSL 1.1.1 or OpenSSL 3.0