src: cleanup some obsolete includes in crypto_util

Author: jasnell

deps/ncrypto/ncrypto.cc

@@ -113,7 +113,6 @@ DataPointer DataPointer::Alloc(size_t len) {
 
 DataPointer DataPointer::SecureAlloc(size_t len) {
 #ifndef OPENSSL_IS_BORINGSSL
-  printf("... %zu\n", len);
   auto ptr = OPENSSL_secure_zalloc(len);
   if (ptr == nullptr) return {};
   return DataPointer(ptr, len, true);
@@ -236,7 +235,8 @@ bool setFipsEnabled(bool enable, CryptoErrorList* errors) {
   if (isFipsEnabled() == enable) return true;
   ClearErrorOnReturn clearErrorOnReturn(errors);
 #if OPENSSL_VERSION_MAJOR >= 3
-  return EVP_default_properties_enable_fips(nullptr, enable ? 1 : 0) == 1;
+  return EVP_default_properties_enable_fips(nullptr, enable ? 1 : 0) == 1 &&
+         EVP_default_properties_is_fips_enabled(nullptr);
 #else
   return FIPS_mode_set(enable ? 1 : 0) == 1;
 #endif
@@ -249,18 +249,17 @@ bool testFipsEnabled() {
   if (OSSL_PROVIDER_available(nullptr, "fips")) {
     fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
   }
-  const auto enabled = fips_provider == nullptr                 ? 0
-                       : OSSL_PROVIDER_self_test(fips_provider) ? 1
-                                                                : 0;
+  if (fips_provider == nullptr) return false;
+  int result = OSSL_PROVIDER_self_test(fips_provider);
+  OSSL_PROVIDER_unload(fips_provider);
+  return result;
 #else
 #ifdef OPENSSL_FIPS
-  const auto enabled = FIPS_selftest() ? 1 : 0;
+  return FIPS_selftest();
 #else  // OPENSSL_FIPS
-  const auto enabled = 0;
+  return false;
 #endif  // OPENSSL_FIPS
 #endif
-
-  return enabled;
 }
 
 // ============================================================================

src/crypto/crypto_hkdf.cc

@@ -118,7 +118,7 @@ bool HKDFTraits::DeriveBits(
                           params.length);
   if (!dp) return false;
 
-  DCHECK(!data.isSecure());
+  DCHECK(!dp.isSecure());
   *out = ByteSource::Allocated(dp.release());
   return true;
 }

src/crypto/crypto_util.cc

@@ -22,8 +22,6 @@
 #include "openssl/provider.h"
 #endif
 
-#include <openssl/rand.h>
-
 namespace node {
 
 using ncrypto::BignumPointer;
@@ -85,8 +83,14 @@ bool ProcessFipsOptions() {
   /* Override FIPS settings in configuration file, if needed. */
   if (per_process::cli_options->enable_fips_crypto ||
       per_process::cli_options->force_fips_crypto) {
+#if OPENSSL_VERSION_MAJOR >= 3
     if (!ncrypto::testFipsEnabled()) return false;
-    return ncrypto::setFipsEnabled(true, nullptr) && ncrypto::isFipsEnabled();
+    return ncrypto::setFipsEnabled(true, nullptr);
+#else
+    // TODO(@jasnell): Remove this ifdef branch when openssl 1.1.1 is
+    // no longer supported.
+    if (FIPS_mode() == 0) return FIPS_mode_set(1);
+#endif
   }
   return true;
 }

src/crypto/crypto_util.h

@@ -14,21 +14,6 @@
 
 #include "ncrypto.h"
 
-#include <openssl/dsa.h>
-#include <openssl/ec.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/hmac.h>
-#include <openssl/kdf.h>
-#include <openssl/rsa.h>
-#include <openssl/ssl.h>
-
-// The FIPS-related functions are only available
-// when the OpenSSL itself was compiled with FIPS support.
-#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_MAJOR < 3
-#  include <openssl/fips.h>
-#endif  // OPENSSL_FIPS
-
 #include <algorithm>
 #include <climits>
 #include <cstdio>
@@ -37,9 +22,7 @@
 #include <string>
 #include <vector>
 
-namespace node {
-
-namespace crypto {
+namespace node::crypto {
 // Currently known sizes of commonly used OpenSSL struct sizes.
 // OpenSSL considers it's various structs to be opaque and the
 // sizes may change from one version of OpenSSL to another, so
@@ -606,9 +589,7 @@ namespace Util {
 void Initialize(Environment* env, v8::Local<v8::Object> target);
 void RegisterExternalReferences(ExternalReferenceRegistry* registry);
 }  // namespace Util
-
-}  // namespace crypto
-}  // namespace node
+}  // namespace node::crypto
 
 #endif  // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
 #endif  // SRC_CRYPTO_CRYPTO_UTIL_H_