From beca25ab9e3da79c733f644963d4fc8fd2ad5d29 Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Sun, 18 Jun 2017 14:15:00 +0200 Subject: [PATCH] test: skip fips tests using OpenSSL config file The motivation for this commit is that we are building Node with --shared-openssl and in our case the system OpenSSL version supports FIPS. The tests in test-crypto-fips that toggle fips mode on/off using the config file option might succeed and return 1 instead of an error being thrown from OpenSSL (which is what happens for a default build but the error is not processed/displayed in any way at the moment): openssl config failed: error:060B10A7:digital envelope routines:ALG_MODULE_INIT:fips mode not supported Note that this only concerns the test that use the configuration file option which is different from when calling the fips setter as the handling of the configuration file is handled by OpenSSL, so it is not possible for us to try to call the fips setter as that would throw an error ("Error: Cannot set FIPS mode in a non-FIPS build."). The suggestion is to skips these tests when --shared-openssl is used. PR-URL: https://github.com/nodejs/node/pull/13786 Reviewed-By: Michael Dawson Reviewed-By: James M Snell --- test/parallel/test-crypto-fips.js | 64 ++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 23 deletions(-) diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js index b5d89593b923d2..6dffbe3e1352b3 100644 --- a/test/parallel/test-crypto-fips.js +++ b/test/parallel/test-crypto-fips.js @@ -21,6 +21,10 @@ function compiledWithFips() { return process.config.variables.openssl_fips ? true : false; } +function sharedOpenSSL() { + return process.config.variables.node_shared_openssl; +} + function addToEnv(newVar, value) { const envCopy = {}; for (const e in process.env) { @@ -85,29 +89,43 @@ testHelper( 'require("crypto").fips', process.env); -// OpenSSL config file should be able to turn on FIPS mode -testHelper( - 'stdout', - [`--openssl-config=${CNF_FIPS_ON}`], - compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, - 'require("crypto").fips', - process.env); - -// OPENSSL_CONF should be able to turn on FIPS mode -testHelper( - 'stdout', - [], - compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, - 'require("crypto").fips', - addToEnv('OPENSSL_CONF', CNF_FIPS_ON)); - -// --openssl-config option should override OPENSSL_CONF -testHelper( - 'stdout', - [`--openssl-config=${CNF_FIPS_ON}`], - compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, - 'require("crypto").fips', - addToEnv('OPENSSL_CONF', CNF_FIPS_OFF)); +// If Node was configured using --shared-openssl fips support might be +// available depending on how OpenSSL was built. If fips support is +// available the tests that toggle the fips_mode on/off using the config +// file option will succeed and return 1 instead of 0. +// +// Note that this case is different from when calling the fips setter as the +// configuration file is handled by OpenSSL, so it is not possible for us +// to try to call the fips setter, to try to detect this situation, as +// that would throw an error: +// ("Error: Cannot set FIPS mode in a non-FIPS build."). +// Due to this uncertanty the following tests are skipped when configured +// with --shared-openssl. +if (!sharedOpenSSL()) { + // OpenSSL config file should be able to turn on FIPS mode + testHelper( + 'stdout', + [`--openssl-config=${CNF_FIPS_ON}`], + compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").fips', + process.env); + + // OPENSSL_CONF should be able to turn on FIPS mode + testHelper( + 'stdout', + [], + compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").fips', + addToEnv('OPENSSL_CONF', CNF_FIPS_ON)); + + // --openssl-config option should override OPENSSL_CONF + testHelper( + 'stdout', + [`--openssl-config=${CNF_FIPS_ON}`], + compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").fips', + addToEnv('OPENSSL_CONF', CNF_FIPS_OFF)); +} testHelper( 'stdout',