author | Daniel Bevenius <daniel.bevenius@gmail.com> | 2021-05-31 07:08:01 +0300 |
---|---|---|
committer | Daniel Bevenius <daniel.bevenius@gmail.com> | 2021-06-08 12:42:00 +0300 |
commit | 1997aa3b4073d1cfdf589c0656cfb286cbf8cea8 (patch) | |
tree | a483a71f2258ff7fc429a256e626e947b284e6b6 /test | |
parent | 911ff342553a78f162bc30f53237a5a80c757b8c (diff) |
src,test: raise error for --enable-fips when no FIPS
This commit moves the check for FIPS from the crypto module
initialization to process startup.
The motivation for this is that when OpenSSL is not FIPS enabled and the
command line options --enable-fips, or --force-fips are used, there will
only be an error raised if the crypto module is used. This can be
surprising and we have gotten feedback that users assumed that there
would be an error if these options were specified and FIPS is not
available.
PR-URL: https://github.com/nodejs/node/pull/38859
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <rlau@redhat.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/parallel/test-crypto-fips.js | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
index b6e70b62be6..ba8a1ba653e 100644
--- a/test/parallel/test-crypto-fips.js
+++ b/test/parallel/test-crypto-fips.js
@@ -17,6 +17,7 @@ const FIPS_ERROR_STRING2 =
 'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
 '--force-fips at startup.';
 const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
+const FIPS_ENABLE_ERROR_STRING = 'OpenSSL error when trying to enable FIPS:';
 const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
 const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
@@ -49,8 +50,10 @@ function testHelper(stream, args, expectedOutput, cmd, env) {
 // In the case of expected errors just look for a substring.
 assert.ok(response.includes(expectedOutput));
 } else {
- // Normal path where we expect either FIPS enabled or disabled.
- assert.strictEqual(Number(response), expectedOutput);
+ const getFipsValue = Number(response);
+ if (!Number.isNaN(getFipsValue))
+ // Normal path where we expect either FIPS enabled or disabled.
+ assert.strictEqual(getFipsValue, expectedOutput);
 }
 childOk(child);
 }
@@ -58,6 +61,22 @@ function testHelper(stream, args, expectedOutput, cmd, env) {
 responseHandler(child[stream], expectedOutput);
 }
+// --enable-fips should raise an error if OpenSSL is not FIPS enabled.
+testHelper(
+ testFipsCrypto() ? 'stdout' : 'stderr',
+ ['--enable-fips'],
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_ENABLE_ERROR_STRING,
+ 'process.versions',
+ process.env);
+
+// --force-fips should raise an error if OpenSSL is not FIPS enabled.
+testHelper(
+ testFipsCrypto() ? 'stdout' : 'stderr',
+ ['--force-fips'],
+ testFipsCrypto() ? FIPS_ENABLED : FIPS_ENABLE_ERROR_STRING,
+ 'process.versions',
+ process.env);
+
 // By default FIPS should be off in both FIPS and non-FIPS builds.
 testHelper(
 'stdout', |
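Review bot: The new `if (!Number.isNaN(getFipsValue))` guard in the `else` branch lets any non-numeric child output pass without an assertion, so unexpected output on the numeric path is no longer caught. The two calls added in the last hunk rely on this: they run `process.versions` with `FIPS_ENABLED` as the expected value, so on a FIPS-capable build they appear to assert nothing about the FIPS state. Keeping the check strict with `assert.ok(!Number.isNaN(getFipsValue), 'non-numeric output');` before the `strictEqual`, and giving the new calls a command that prints the mode such as `'require("crypto").getFips()'`, would restore the coverage. If the guard stays, brace its body, because a comment now sits between the condition and its statement, and name the value with a noun such as `fipsValue`. `testHelper` starts and ends outside this hunk.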
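Review bot: On a build without FIPS these two calls only look for the `FIPS_ENABLE_ERROR_STRING` prefix on stderr; nothing visible in the diff asserts that the child exited with a non-zero status, which is the behaviour the commit is meant to guarantee. As far as the shown lines go, a child that printed the message and then carried on without FIPS would still pass, so an exit-code assertion in `testHelper` (most of its body is outside this diff) would close that fail-open gap. The two blocks differ only in the flag, so wrapping one call in `for (const flag of ['--enable-fips', '--force-fips'])` would keep them in step and evaluate `testFipsCrypto()` in one place.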