-
-
Notifications
You must be signed in to change notification settings - Fork 35.5k
Expand file tree
/
Copy pathtest-crypto-ciphers-hashes-fips-cache.js
More file actions
74 lines (59 loc) Β· 2.49 KB
/
test-crypto-ciphers-hashes-fips-cache.js
File metadata and controls
74 lines (59 loc) Β· 2.49 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
// Flags: --expose-internals
'use strict';
// Verify that getCiphers() and getHashes() reflect the current FIPS state
// rather than returning a stale cached snapshot from before setFips() was
// called. Regression test for https://github.com/nodejs/node/issues/62982.
const common = require('../common');
if (!common.hasCrypto)
common.skip('missing crypto');
const { internalBinding } = require('internal/test/binding');
const { testFipsCrypto } = internalBinding('crypto');
if (!testFipsCrypto())
common.skip('FIPS not supported in this build');
const assert = require('assert');
const { getCiphers, getHashes, setFips, getFips } = require('crypto');
const initialFips = getFips();
// Ensure FIPS is off so we can capture the full algorithm lists as a baseline,
// regardless of whether the system has FIPS on by default.
if (initialFips)
setFips(false);
const ciphersWithoutFips = getCiphers();
const hashesWithoutFips = getHashes();
assert.ok(ciphersWithoutFips.length > 0, 'expected at least one cipher');
assert.ok(hashesWithoutFips.length > 0, 'expected at least one hash');
// Switch to FIPS mode; the lists must be re-derived, not served from cache.
setFips(true);
assert.strictEqual(getFips(), 1);
const ciphersWithFips = getCiphers();
const hashesWithFips = getHashes();
// FIPS mode restricts the visible algorithm set β the lists must shrink
// (or at minimum differ; some platforms expose only FIPS algorithms by
// default, but in that case the full list can't be larger than the FIPS one).
assert.ok(
ciphersWithFips.length <= ciphersWithoutFips.length,
`Expected FIPS cipher list (${ciphersWithFips.length}) to be no larger ` +
`than the full list (${ciphersWithoutFips.length})`
);
assert.ok(
hashesWithFips.length <= hashesWithoutFips.length,
`Expected FIPS hash list (${hashesWithFips.length}) to be no larger ` +
`than the full list (${hashesWithoutFips.length})`
);
// Every FIPS-mode algorithm must also appear in the non-FIPS list.
for (const cipher of ciphersWithFips) {
assert.ok(
ciphersWithoutFips.includes(cipher),
`FIPS cipher '${cipher}' missing from the non-FIPS list`
);
}
for (const hash of hashesWithFips) {
assert.ok(
hashesWithoutFips.includes(hash),
`FIPS hash '${hash}' missing from the non-FIPS list`
);
}
// Turn FIPS back off; the cache must be evicted so the full lists come back.
setFips(false);
assert.strictEqual(getFips(), 0);
assert.deepStrictEqual(getCiphers(), ciphersWithoutFips);
assert.deepStrictEqual(getHashes(), hashesWithoutFips);