src: fix FIPS init error handling · nodejs/node@d99d657

@@ -23,13 +23,16 @@ const FIPS_ENABLE_ERROR_STRING = 'OpenSSL error when trying to enable FIPS:';

2323const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');2424const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');252526+const kNoFailure = 0;27+const kGenericUserError = 1;28+2629let num_children_ok = 0;27302831function sharedOpenSSL() {2932return process.config.variables.node_shared_openssl;3033}313432-function testHelper(stream, args, expectedOutput, cmd, env) {35+function testHelper(stream, args, expectedStatus, expectedOutput, cmd, env) {3336const fullArgs = args.concat(['-e', `console.log(${cmd})`]);3437const child = spawnSync(process.execPath, fullArgs, {3538cwd: path.dirname(process.execPath),

@@ -56,6 +59,7 @@ function testHelper(stream, args, expectedOutput, cmd, env) {

5659// Normal path where we expect either FIPS enabled or disabled.5760assert.strictEqual(getFipsValue, expectedOutput);5861}62+assert.strictEqual(child.status, expectedStatus);5963childOk(child);6064}6165

@@ -66,6 +70,7 @@ function testHelper(stream, args, expectedOutput, cmd, env) {

6670testHelper(6771testFipsCrypto() ? 'stdout' : 'stderr',6872['--enable-fips'],73+testFipsCrypto() ? kNoFailure : kGenericUserError,6974testFipsCrypto() ? FIPS_ENABLED : FIPS_ENABLE_ERROR_STRING,7075'process.versions',7176process.env);

@@ -74,6 +79,7 @@ testHelper(

7479testHelper(7580testFipsCrypto() ? 'stdout' : 'stderr',7681['--force-fips'],82+testFipsCrypto() ? kNoFailure : kGenericUserError,7783testFipsCrypto() ? FIPS_ENABLED : FIPS_ENABLE_ERROR_STRING,7884'process.versions',7985process.env);

@@ -85,6 +91,7 @@ if (!sharedOpenSSL()) {

8591testHelper(8692'stdout',8793[],94+kNoFailure,8895FIPS_DISABLED,8996'require("crypto").getFips()',9097{ ...process.env, 'OPENSSL_CONF': ' ' });

@@ -94,6 +101,7 @@ if (!sharedOpenSSL()) {

94101testHelper(95102'stderr',96103[],104+kGenericUserError,97105'Calling crypto.setFips() is not supported in workers',98106'new worker_threads.Worker(\'require("crypto").setFips(true);\', { eval: true })',99107process.env);

@@ -120,6 +128,7 @@ if (!sharedOpenSSL() && !hasOpenSSL3) {

120128testHelper(121129'stdout',122130[`--openssl-config=${CNF_FIPS_ON}`],131+kNoFailure,123132testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,124133'require("crypto").getFips()',125134process.env);

@@ -128,6 +137,7 @@ if (!sharedOpenSSL() && !hasOpenSSL3) {

128137testHelper(129138'stdout',130139[],140+kNoFailure,131141testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,132142'require("crypto").getFips()',133143Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));

@@ -136,6 +146,7 @@ if (!sharedOpenSSL() && !hasOpenSSL3) {

136146testHelper(137147'stdout',138148[`--openssl-config=${CNF_FIPS_ON}`],149+kNoFailure,139150testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,140151'require("crypto").getFips()',141152Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));

@@ -149,6 +160,7 @@ if (!hasOpenSSL3) {

149160testHelper(150161'stdout',151162[`--openssl-config=${CNF_FIPS_OFF}`],163+kNoFailure,152164FIPS_DISABLED,153165'require("crypto").getFips()',154166Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));

@@ -157,20 +169,23 @@ if (!hasOpenSSL3) {

157169testHelper(158170testFipsCrypto() ? 'stdout' : 'stderr',159171['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],172+testFipsCrypto() ? kNoFailure : kGenericUserError,160173testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,161174'require("crypto").getFips()',162175process.env);163176// --force-fips should take precedence over OpenSSL config file164177testHelper(165178testFipsCrypto() ? 'stdout' : 'stderr',166179['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],180+testFipsCrypto() ? kNoFailure : kGenericUserError,167181testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,168182'require("crypto").getFips()',169183process.env);170184// --enable-fips should turn FIPS mode on171185testHelper(172186testFipsCrypto() ? 'stdout' : 'stderr',173187['--enable-fips'],188+testFipsCrypto() ? kNoFailure : kGenericUserError,174189testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,175190'require("crypto").getFips()',176191process.env);

@@ -179,6 +194,7 @@ if (!hasOpenSSL3) {

179194testHelper(180195testFipsCrypto() ? 'stdout' : 'stderr',181196['--force-fips'],197+testFipsCrypto() ? kNoFailure : kGenericUserError,182198testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,183199'require("crypto").getFips()',184200process.env);

@@ -187,6 +203,7 @@ if (!hasOpenSSL3) {

187203testHelper(188204testFipsCrypto() ? 'stdout' : 'stderr',189205['--enable-fips'],206+testFipsCrypto() ? kNoFailure : kGenericUserError,190207testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,191208'require("crypto").getFips()',192209Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));

@@ -195,6 +212,7 @@ if (!hasOpenSSL3) {

195212testHelper(196213testFipsCrypto() ? 'stdout' : 'stderr',197214['--force-fips'],215+testFipsCrypto() ? kNoFailure : kGenericUserError,198216testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,199217'require("crypto").getFips()',200218Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));

@@ -203,6 +221,7 @@ if (!hasOpenSSL3) {

203221testHelper(204222testFipsCrypto() ? 'stdout' : 'stderr',205223[],224+testFipsCrypto() ? kNoFailure : kGenericUserError,206225testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,207226'(require("crypto").setFips(true),' +208227'require("crypto").getFips())',

@@ -212,6 +231,7 @@ if (!hasOpenSSL3) {

212231testHelper(213232testFipsCrypto() ? 'stdout' : 'stderr',214233[],234+testFipsCrypto() ? kNoFailure : kGenericUserError,215235testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,216236'(require("crypto").setFips(true),' +217237'require("crypto").setFips(false),' +

@@ -222,6 +242,7 @@ if (!hasOpenSSL3) {

222242testHelper(223243testFipsCrypto() ? 'stdout' : 'stderr',224244[`--openssl-config=${CNF_FIPS_OFF}`],245+testFipsCrypto() ? kNoFailure : kGenericUserError,225246testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,226247'(require("crypto").setFips(true),' +227248'require("crypto").getFips())',

@@ -231,6 +252,7 @@ if (!hasOpenSSL3) {

231252testHelper(232253'stdout',233254[`--openssl-config=${CNF_FIPS_ON}`],255+kNoFailure,234256FIPS_DISABLED,235257'(require("crypto").setFips(false),' +236258'require("crypto").getFips())',

@@ -240,6 +262,7 @@ if (!hasOpenSSL3) {

240262testHelper(241263testFipsCrypto() ? 'stdout' : 'stderr',242264['--enable-fips'],265+testFipsCrypto() ? kNoFailure : kGenericUserError,243266testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,244267'(require("crypto").setFips(false),' +245268'require("crypto").getFips())',

@@ -249,6 +272,7 @@ if (!hasOpenSSL3) {

249272testHelper(250273'stderr',251274['--force-fips'],275+kGenericUserError,252276testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,253277'require("crypto").setFips(false)',254278process.env);

@@ -257,6 +281,7 @@ if (!hasOpenSSL3) {

257281testHelper(258282testFipsCrypto() ? 'stdout' : 'stderr',259283['--force-fips'],284+testFipsCrypto() ? kNoFailure : kGenericUserError,260285testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,261286'(require("crypto").setFips(true),' +262287'require("crypto").getFips())',

@@ -266,6 +291,7 @@ if (!hasOpenSSL3) {

266291testHelper(267292'stderr',268293['--force-fips', '--enable-fips'],294+kGenericUserError,269295testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,270296'require("crypto").setFips(false)',271297process.env);

@@ -274,6 +300,7 @@ if (!hasOpenSSL3) {

274300testHelper(275301'stderr',276302['--enable-fips', '--force-fips'],303+kGenericUserError,277304testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,278305'require("crypto").setFips(false)',279306process.env);