test/parallel/test-crypto-fips.js fails if node is built with --shared-openssl and --openssl-is-fips
Version
v18.0.0
Platform
Solaris 11.4
Subsystem
crypto FIPS
What steps will reproduce the bug?
- configure 'node' with shared OpenSSL 3.0 using the following flags:
  ./configure --shared-openssl --openssl-is-fips ...
- run make
- run tests; test-crypto-fips.js fails
How often does it reproduce? Is there a required condition?
always reproduces
What is the expected behavior?
test/parallel/test-crypto-fips.js test PASSes
What do you see instead?
test/parallel/test-crypto-fips.js test FAILs
Additional information
The root cause is that if shared OpenSSL 3 is linked dynamically to node, then ./configure.py does not define the OPENSSL_FIPS macro, which normally tells a test to expect FIPS is working. Since OPENSSL_FIPS is not defined, the test expects FIPS is not working and is surprised when it actually works.
The problem starts here: https://github.com/nodejs/node/blob/eeb27c2e0aecbf418635a8c4b7c4529385798c63/configure.py#L1538
if options.openssl_is_fips and not options.shared_openssl:
  # even if --openssl-is-fips is passed, passing --shared-openssl means the condition is not satisfied
  o['defines'] += ['OPENSSL_FIPS']
  # as a result, no -DOPENSSL_FIPS is passed
  variables['node_fipsinstall'] = b(True)
  # node_fipsinstall is not needed: since OpenSSL 3 uses providers, there's no need to recompile the OpenSSL library.
Because -DOPENSSL_FIPS is not defined in the compilation process, the following code in TestFipsCrypto() reduces to return false:
https://github.com/nodejs/node/blob/eeb27c2e0aecbf418635a8c4b7c4529385798c63/src/crypto/crypto_util.cc#L243
Finally, test/parallel/test-crypto-fips.js calls TestFipsCrypto() and learns that FIPS should not be working. The test starts node in FIPS mode and is surprised that it works. The test reports failure.
The following patch makes the test pass (all other tests pass too):
--- node-18.0.0.orig/configure.py 2022-04-18 04:29:22.000000000 +0000
+++ node-18.0.0/configure.py 2022-04-22 19:10:52.510174797 +0000
@@ -1535,8 +1535,10 @@
if options.openssl_no_asm and options.shared_openssl:
error('--openssl-no-asm is incompatible with --shared-openssl')
- if options.openssl_is_fips and not options.shared_openssl:
+ if options.openssl_is_fips:
o['defines'] += ['OPENSSL_FIPS']
+
+ if options.openssl_is_fips and not options.shared_openssl:
variables['node_fipsinstall'] = b(True)
if options.shared_openssl:
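Review bot: the two added conditions, `if options.openssl_is_fips:` and `if options.openssl_is_fips and not options.shared_openssl:`, test the same flag twice and carry no comment saying why `node_fipsinstall` stays limited to the non-shared build. Nesting an `if not options.shared_openssl:` check under the first condition, with a one-line comment that a shared OpenSSL 3 provides FIPS through its own provider so no fipsinstall step is wanted, would make the intent explicit. The hunk also adds no check that the shared library is actually FIPS-capable, so OPENSSL_FIPS is now defined on the strength of the flag alone; that is worth stating in a comment next to the define.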
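The root cause described in this report, traced through a small Python model for all four flag combinations (an added example, not code from configure.py or from the reporter). The function names are hypothetical, and two assumptions are marked in the comments: that TestFipsCrypto() reports success once OPENSSL_FIPS is defined, and that --openssl-is-fips truthfully describes the linked library.

```python
from itertools import product


def configure_openssl(openssl_is_fips, shared_openssl, patched):
    """Model of the quoted configure.py lines: returns (defines, node_fipsinstall)."""
    defines, fipsinstall = [], False
    if patched:
        # Logic from the proposed patch: the define no longer depends on linkage.
        if openssl_is_fips:
            defines.append('OPENSSL_FIPS')
        if openssl_is_fips and not shared_openssl:
            fipsinstall = True
    else:
        # Original logic: --shared-openssl suppresses both settings.
        if openssl_is_fips and not shared_openssl:
            defines.append('OPENSSL_FIPS')
            fipsinstall = True
    return defines, fipsinstall


def expected_by_test(defines):
    # Per the report, without -DOPENSSL_FIPS TestFipsCrypto() reduces to
    # "return false". Assumption: with the macro defined it reports success.
    return 'OPENSSL_FIPS' in defines


def fips_works_at_runtime(openssl_is_fips):
    # Assumption: the flag truthfully describes the OpenSSL being linked.
    return openssl_is_fips


def mismatches(patched):
    """Flag combinations where test-crypto-fips.js would be 'surprised'."""
    bad = []
    for fips, shared in product([False, True], repeat=2):
        defines, _ = configure_openssl(fips, shared, patched)
        if expected_by_test(defines) != fips_works_at_runtime(fips):
            bad.append((fips, shared))
    return bad


if __name__ == '__main__':
    print('original:', mismatches(patched=False))
    print('patched: ', mismatches(patched=True))
```
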