Skip to content

test/parallel/test-crypto-fips.js fails if node is built with --shared-openssl and --openssl-is-fips #42827

New issue
New issue
Closed
Closed
test/parallel/test-crypto-fips.js fails if node is built with --shared-openssl and --openssl-is-fips#42827
@batrla

Description

@batrla
batrla
opened on Apr 22, 2022

Version

v18.0.0

Platform

Solaris 11.4

Subsystem

crypto FIPS

What steps will reproduce the bug?

  1. configure 'node' with shared OpenSSL 3.0 using following flags: ./configure --shared-openssl --openssl-is-fips ...
  2. run make
  3. run tests, test-crypto-fips.js fails

How often does it reproduce? Is there a required condition?

always reproduces

What is the expected behavior?

test/parallel/test-crypto-fips.js test PASSes

What do you see instead?

test/parallel/test-crypto-fips.js test FAILs

Additional information

The root cause is that if shared OpenSSL 3 is linked dynamically to node, then ./configure.py does not define OPENSSL_FIPS macro, which normally tells a test to expect FIPS is working. Since OPENSSL_FIPS is not defined, test expects FIPS is not working and is surprised when it actually works.

The problem starts here:

node/configure.py

Line 1538 in eeb27c2

if options.openssl_is_fips and not options.shared_openssl: 

  if options.openssl_is_fips and not options.shared_openssl:

# even if --openssl-is-fips is passed, passing --shared-openssl causes the condition is not satisfied

    o['defines'] += ['OPENSSL_FIPS']

# as result, no -DOPENSSL_FIPS is passed

    variables['node_fipsinstall'] = b(True)

# node_fipsinstall is not needed, since OpenSSL 3 uses providers, there's no need to recompile OpenSSL library.

Because -DOPENSSL_FIPS is not defined in compilation process, following code in TestFipsCrypto() reduces to return false:

node/src/crypto/crypto_util.cc

Line 243 in eeb27c2

void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {

Finally test/parallel/test-crypto-fips.js calls TestFipsCrypto() and learns that FIPS should not be working. Test starts node in FIPS mode and is surprised that it works. Test reports failure.

Following patch makes the pass (all other tests pass too):

--- node-18.0.0.orig/configure.py       2022-04-18 04:29:22.000000000 +0000
+++ node-18.0.0/configure.py    2022-04-22 19:10:52.510174797 +0000
@@ -1535,8 +1535,10 @@
   if options.openssl_no_asm and options.shared_openssl:
     error('--openssl-no-asm is incompatible with --shared-openssl')
 
-  if options.openssl_is_fips and not options.shared_openssl:
+  if options.openssl_is_fips:
     o['defines'] += ['OPENSSL_FIPS']
+
+  if options.openssl_is_fips and not options.shared_openssl:
     variables['node_fipsinstall'] = b(True)
 
   if options.shared_openssl:

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions