chore(NODE-4266): improve error message for SCRAM-SHA-1 in FIPS mode (#3258)

addaleax · web-flow · commit c496c25a9386 · 2022-05-23T16:59:22.000+02:00
No tests because the Node.js driver CI doesn’t have a FIPS setup.
MONGOSH-1232 will add integration tests for this message.
diff --git a/src/cmap/auth/scram.ts b/src/cmap/auth/scram.ts
@@ -261,7 +261,17 @@ function passwordDigest(username: string, password: string) {
     throw new MongoInvalidArgumentError('Password cannot be empty');
   }
 
-  const md5 = crypto.createHash('md5');
+  let md5: crypto.Hash;
+  try {
+    md5 = crypto.createHash('md5');
+  } catch (err) {
+    if (crypto.getFips()) {
+      // This error is (slightly) more helpful than what comes from OpenSSL directly, e.g.
+      // 'Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS'
+      throw new Error('Auth mechanism SCRAM-SHA-1 is not supported in FIPS mode');
+    }
+    throw err;
+  }
   md5.update(`${username}:mongo:${password}`, 'utf8');
   return md5.digest('hex');
 }
