mirror of
https://github.com/nodejs/node.git
synced 2024-12-01 16:10:02 +01:00
59afa275ad
A side-effect of https://github.com/nodejs/node-private/pull/82 was to remove support for OPENSSL_CONF, as well as removing the default read of a configuration file on startup. Partly revert this, allowing OPENSSL_CONF to be used to specify a configuration file to read on startup, but do not read a file by default. If the --openssl-config command line option is provided, its value is used, not the OPENSSL_CONF environment variable. Fix: https://github.com/nodejs/node/issues/10938 PR-URL: https://github.com/nodejs/node/pull/11006 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
221 lines
6.5 KiB
JavaScript
221 lines
6.5 KiB
JavaScript
'use strict';
|
|
const common = require('../common');
|
|
const assert = require('assert');
|
|
const spawnSync = require('child_process').spawnSync;
|
|
const path = require('path');
|
|
|
|
if (!common.hasCrypto) {
|
|
common.skip('missing crypto');
|
|
return;
|
|
}
|
|
|
|
const FIPS_ENABLED = 1;
|
|
const FIPS_DISABLED = 0;
|
|
const FIPS_ERROR_STRING = 'Error: Cannot set FIPS mode';
|
|
const OPTION_ERROR_STRING = 'bad option';
|
|
const CNF_FIPS_ON = path.join(common.fixturesDir, 'openssl_fips_enabled.cnf');
|
|
const CNF_FIPS_OFF = path.join(common.fixturesDir, 'openssl_fips_disabled.cnf');
|
|
let num_children_ok = 0;
|
|
|
|
function compiledWithFips() {
|
|
return process.config.variables.openssl_fips ? true : false;
|
|
}
|
|
|
|
function addToEnv(newVar, value) {
|
|
const envCopy = {};
|
|
for (const e in process.env) {
|
|
envCopy[e] = process.env[e];
|
|
}
|
|
envCopy[newVar] = value;
|
|
return envCopy;
|
|
}
|
|
|
|
function testHelper(stream, args, expectedOutput, cmd, env) {
|
|
const fullArgs = args.concat(['-e', 'console.log(' + cmd + ')']);
|
|
const child = spawnSync(process.execPath, fullArgs, {
|
|
cwd: path.dirname(process.execPath),
|
|
env: env
|
|
});
|
|
|
|
console.error('Spawned child [pid:' + child.pid + '] with cmd \'' +
|
|
cmd + '\' expect %j with args \'' + args + '\'' +
|
|
' OPENSSL_CONF=%j', expectedOutput, env.OPENSSL_CONF);
|
|
|
|
function childOk(child) {
|
|
console.error('Child #' + ++num_children_ok +
|
|
' [pid:' + child.pid + '] OK.');
|
|
}
|
|
|
|
function responseHandler(buffer, expectedOutput) {
|
|
const response = buffer.toString();
|
|
assert.notStrictEqual(response.length, 0);
|
|
if (FIPS_ENABLED !== expectedOutput && FIPS_DISABLED !== expectedOutput) {
|
|
// In the case of expected errors just look for a substring.
|
|
assert.ok(response.includes(expectedOutput));
|
|
} else {
|
|
// Normal path where we expect either FIPS enabled or disabled.
|
|
assert.strictEqual(expectedOutput, Number(response));
|
|
}
|
|
childOk(child);
|
|
}
|
|
|
|
responseHandler(child[stream], expectedOutput);
|
|
}
|
|
|
|
// By default FIPS should be off in both FIPS and non-FIPS builds.
|
|
testHelper(
|
|
'stdout',
|
|
[],
|
|
FIPS_DISABLED,
|
|
'require("crypto").fips',
|
|
addToEnv('OPENSSL_CONF', ''));
|
|
|
|
// --enable-fips should turn FIPS mode on
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
['--enable-fips'],
|
|
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
|
'require("crypto").fips',
|
|
process.env);
|
|
|
|
//--force-fips should turn FIPS mode on
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
['--force-fips'],
|
|
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
|
'require("crypto").fips',
|
|
process.env);
|
|
|
|
// OpenSSL config file should be able to turn on FIPS mode
|
|
testHelper(
|
|
'stdout',
|
|
[`--openssl-config=${CNF_FIPS_ON}`],
|
|
compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
|
|
'require("crypto").fips',
|
|
process.env);
|
|
|
|
// OPENSSL_CONF should be able to turn on FIPS mode
|
|
testHelper(
|
|
'stdout',
|
|
[],
|
|
compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
|
|
'require("crypto").fips',
|
|
addToEnv('OPENSSL_CONF', CNF_FIPS_ON));
|
|
|
|
// --openssl-config option should override OPENSSL_CONF
|
|
testHelper(
|
|
'stdout',
|
|
[`--openssl-config=${CNF_FIPS_ON}`],
|
|
compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
|
|
'require("crypto").fips',
|
|
addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
|
|
|
|
testHelper(
|
|
'stdout',
|
|
[`--openssl-config=${CNF_FIPS_OFF}`],
|
|
FIPS_DISABLED,
|
|
'require("crypto").fips',
|
|
addToEnv('OPENSSL_CONF', CNF_FIPS_ON));
|
|
|
|
// --enable-fips should take precedence over OpenSSL config file
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
|
|
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
|
'require("crypto").fips',
|
|
process.env);
|
|
|
|
// OPENSSL_CONF should _not_ make a difference to --enable-fips
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
['--enable-fips'],
|
|
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
|
'require("crypto").fips',
|
|
addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
|
|
|
|
// --force-fips should take precedence over OpenSSL config file
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
|
|
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
|
'require("crypto").fips',
|
|
process.env);
|
|
|
|
// Using OPENSSL_CONF should not make a difference to --force-fips
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
['--force-fips'],
|
|
compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
|
|
'require("crypto").fips',
|
|
addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
|
|
|
|
// setFipsCrypto should be able to turn FIPS mode on
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
[],
|
|
compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
|
|
'(require("crypto").fips = true,' +
|
|
'require("crypto").fips)',
|
|
process.env);
|
|
|
|
// setFipsCrypto should be able to turn FIPS mode on and off
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
[],
|
|
compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
|
|
'(require("crypto").fips = true,' +
|
|
'require("crypto").fips = false,' +
|
|
'require("crypto").fips)',
|
|
process.env);
|
|
|
|
// setFipsCrypto takes precedence over OpenSSL config file, FIPS on
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
[`--openssl-config=${CNF_FIPS_OFF}`],
|
|
compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
|
|
'(require("crypto").fips = true,' +
|
|
'require("crypto").fips)',
|
|
process.env);
|
|
|
|
// setFipsCrypto takes precedence over OpenSSL config file, FIPS off
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
[`--openssl-config=${CNF_FIPS_ON}`],
|
|
compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
|
|
'(require("crypto").fips = false,' +
|
|
'require("crypto").fips)',
|
|
process.env);
|
|
|
|
// --enable-fips does not prevent use of setFipsCrypto API
|
|
testHelper(
|
|
compiledWithFips() ? 'stdout' : 'stderr',
|
|
['--enable-fips'],
|
|
compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
|
|
'(require("crypto").fips = false,' +
|
|
'require("crypto").fips)',
|
|
process.env);
|
|
|
|
// --force-fips prevents use of setFipsCrypto API
|
|
testHelper(
|
|
'stderr',
|
|
['--force-fips'],
|
|
compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
|
|
'require("crypto").fips = false',
|
|
process.env);
|
|
|
|
// --force-fips and --enable-fips order does not matter
|
|
testHelper(
|
|
'stderr',
|
|
['--force-fips', '--enable-fips'],
|
|
compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
|
|
'require("crypto").fips = false',
|
|
process.env);
|
|
|
|
//--enable-fips and --force-fips order does not matter
|
|
testHelper(
|
|
'stderr',
|
|
['--enable-fips', '--force-fips'],
|
|
compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
|
|
'require("crypto").fips = false',
|
|
process.env);
|