test: move crypto related common utilities in common/crypto

test/addons/openssl-providers/providers.cjs

@@ -1,11 +1,14 @@
 'use strict';
 
 const common = require('../../common');
-if (!common.hasCrypto)
+if (!common.hasCrypto) {
   common.skip('missing crypto');
+}
+const { hasOpenSSL3 } = require('../../common/crypto');
 
-if (!common.hasOpenSSL3)
+if (!hasOpenSSL3) {
   common.skip('this test requires OpenSSL 3.x');
+}
 const assert = require('node:assert');
 const { createHash, getCiphers, getHashes } = require('node:crypto');
 const { debuglog } = require('node:util');

test/benchmark/test-benchmark-crypto.js

@@ -5,8 +5,11 @@ const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
 
-if (common.hasFipsCrypto)
+const { getFips } = require('crypto');
+
+if (getFips()) {
   common.skip('some benchmarks are FIPS-incompatible');
+}
 
 const runBenchmark = require('../common/benchmark');
 

test/common/README.md

@@ -226,17 +226,6 @@ The TTY file descriptor is assumed to be capable of being writable.
 
 Indicates whether OpenSSL is available.
 
-### `hasFipsCrypto`
-
-* [\<boolean>][<boolean>]
-
-Indicates that Node.js has been linked with a FIPS compatible OpenSSL library,
-and that FIPS as been enabled using `--enable-fips`.
-
-To only detect if the OpenSSL library is FIPS compatible, regardless if it has
-been enabled or not, then `process.config.variables.openssl_is_fips` can be
-used to determine that situation.
-
 ### `hasIntl`
 
 * [\<boolean>][<boolean>]
@@ -417,12 +406,6 @@ Returns `true` if the exit code `exitCode` and/or signal name `signal` represent
 the exit code and/or signal name of a node process that aborted, `false`
 otherwise.
 
-### `opensslCli`
-
-* [\<boolean>][<boolean>]
-
-Indicates whether 'opensslCli' is supported.
-
 ### `platformTimeout(ms)`
 
 * `ms` [\<number>][<number>] | [\<bigint>][<bigint>]

test/common/crypto.js

@@ -1,8 +1,9 @@
 'use strict';
 
 const common = require('../common');
-if (!common.hasCrypto)
+if (!common.hasCrypto) {
   common.skip('missing crypto');
+}
 
 const assert = require('assert');
 const crypto = require('crypto');
@@ -98,6 +99,27 @@ const pkcs8EncExp = getRegExpForPEM('ENCRYPTED PRIVATE KEY');
 const sec1Exp = getRegExpForPEM('EC PRIVATE KEY');
 const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
 
+// Synthesize OPENSSL_VERSION_NUMBER format with the layout 0xMNN00PPSL
+const opensslVersionNumber = (major = 0, minor = 0, patch = 0) => {
+  assert(major >= 0 && major <= 0xf);
+  assert(minor >= 0 && minor <= 0xff);
+  assert(patch >= 0 && patch <= 0xff);
+  return (major << 28) | (minor << 20) | (patch << 4);
+};
+
+let OPENSSL_VERSION_NUMBER;
+const hasOpenSSL = (major = 0, minor = 0, patch = 0) => {
+  if (!common.hasCrypto) return false;
+  if (OPENSSL_VERSION_NUMBER === undefined) {
+    const regexp = /(?<m>\d+)\.(?<n>\d+)\.(?<p>\d+)/;
+    const { m, n, p } = process.versions.openssl.match(regexp).groups;
+    OPENSSL_VERSION_NUMBER = opensslVersionNumber(m, n, p);
+  }
+  return OPENSSL_VERSION_NUMBER >= opensslVersionNumber(major, minor, patch);
+};
+
+let opensslCli = null;
+
 module.exports = {
   modp2buf,
   assertApproximateSize,
@@ -111,4 +133,32 @@ module.exports = {
   pkcs8EncExp,  // used once
   sec1Exp,
   sec1EncExp,
+  hasOpenSSL,
+  get hasOpenSSL3() {
+    return hasOpenSSL(3);
+  },
+  // opensslCli defined lazily to reduce overhead of spawnSync
+  get opensslCli() {
+    if (opensslCli !== null) return opensslCli;
+
+    if (process.config.variables.node_shared_openssl) {
+      // Use external command
+      opensslCli = 'openssl';
+    } else {
+      const path = require('path');
+      // Use command built from sources included in Node.js repository
+      opensslCli = path.join(path.dirname(process.execPath), 'openssl-cli');
+    }
+
+    if (exports.isWindows) opensslCli += '.exe';
+
+    const { spawnSync } = require('child_process');
+
+    const opensslCmd = spawnSync(opensslCli, ['version']);
+    if (opensslCmd.status !== 0 || opensslCmd.error !== undefined) {
+      // OpenSSL command cannot be executed
+      opensslCli = false;
+    }
+    return opensslCli;
+  },
 };

test/common/index.js

@@ -19,7 +19,6 @@
 // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 // USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-/* eslint-disable node-core/crypto-check */
 'use strict';
 const process = global.process;  // Some tests tamper with the process global.
 
@@ -57,25 +56,6 @@ const noop = () => {};
 const hasCrypto = Boolean(process.versions.openssl) &&
                   !process.env.NODE_SKIP_CRYPTO;
 
-// Synthesize OPENSSL_VERSION_NUMBER format with the layout 0xMNN00PPSL
-const opensslVersionNumber = (major = 0, minor = 0, patch = 0) => {
-  assert(major >= 0 && major <= 0xf);
-  assert(minor >= 0 && minor <= 0xff);
-  assert(patch >= 0 && patch <= 0xff);
-  return (major << 28) | (minor << 20) | (patch << 4);
-};
-
-let OPENSSL_VERSION_NUMBER;
-const hasOpenSSL = (major = 0, minor = 0, patch = 0) => {
-  if (!hasCrypto) return false;
-  if (OPENSSL_VERSION_NUMBER === undefined) {
-    const regexp = /(?<m>\d+)\.(?<n>\d+)\.(?<p>\d+)/;
-    const { m, n, p } = process.versions.openssl.match(regexp).groups;
-    OPENSSL_VERSION_NUMBER = opensslVersionNumber(m, n, p);
-  }
-  return OPENSSL_VERSION_NUMBER >= opensslVersionNumber(major, minor, patch);
-};
-
 const hasQuic = hasCrypto && !!process.config.variables.openssl_quic;
 
 function parseTestFlags(filename = process.argv[1]) {
@@ -220,7 +200,6 @@ if (process.env.NODE_TEST_WITH_ASYNC_HOOKS) {
   }).enable();
 }
 
-let opensslCli = null;
 let inFreeBSDJail = null;
 let localhostIPv4 = null;
 
@@ -985,7 +964,6 @@ const common = {
   getTTYfd,
   hasIntl,
   hasCrypto,
-  hasOpenSSL,
   hasQuic,
   hasMultiLocalhost,
   invalidArgTypeHelper,
@@ -1027,10 +1005,6 @@ const common = {
     return require('os').totalmem() > 0x70000000; /* 1.75 Gb */
   },
 
-  get hasFipsCrypto() {
-    return hasCrypto && require('crypto').getFips();
-  },
-
   get hasIPv6() {
     const iFaces = require('os').networkInterfaces();
     let re;
@@ -1047,10 +1021,6 @@ const common = {
     });
   },
 
-  get hasOpenSSL3() {
-    return hasOpenSSL(3);
-  },
-
   get inFreeBSDJail() {
     if (inFreeBSDJail !== null) return inFreeBSDJail;
 
@@ -1100,28 +1070,6 @@ const common = {
     return localhostIPv4;
   },
 
-  // opensslCli defined lazily to reduce overhead of spawnSync
-  get opensslCli() {
-    if (opensslCli !== null) return opensslCli;
-
-    if (process.config.variables.node_shared_openssl) {
-      // Use external command
-      opensslCli = 'openssl';
-    } else {
-      // Use command built from sources included in Node.js repository
-      opensslCli = path.join(path.dirname(process.execPath), 'openssl-cli');
-    }
-
-    if (exports.isWindows) opensslCli += '.exe';
-
-    const opensslCmd = spawnSync(opensslCli, ['version']);
-    if (opensslCmd.status !== 0 || opensslCmd.error !== undefined) {
-      // OpenSSL command cannot be executed
-      opensslCli = false;
-    }
-    return opensslCli;
-  },
-
   get PORT() {
     if (+process.env.TEST_PARALLEL) {
       throw new Error('common.PORT cannot be used in a parallelized test');

test/common/index.mjs

@@ -41,7 +41,6 @@ const {
   mustNotMutateObjectDeep,
   mustSucceed,
   nodeProcessAborted,
-  opensslCli,
   parseTestFlags,
   PIPE,
   platformTimeout,
@@ -97,7 +96,6 @@ export {
   mustNotMutateObjectDeep,
   mustSucceed,
   nodeProcessAborted,
-  opensslCli,
   parseTestFlags,
   PIPE,
   platformTimeout,

test/parallel/test-cli-node-options.js

@@ -12,6 +12,7 @@ const { Worker } = require('worker_threads');
 
 const fixtures = require('../common/fixtures');
 const tmpdir = require('../common/tmpdir');
+const { hasOpenSSL3 } = require('../common/crypto');
 tmpdir.refresh();
 
 const printA = path.relative(tmpdir.path, fixtures.path('printA.js'));
@@ -64,7 +65,7 @@ if (common.isLinux) {
 if (common.hasCrypto) {
   expectNoWorker('--use-openssl-ca', 'B\n');
   expectNoWorker('--use-bundled-ca', 'B\n');
-  if (!common.hasOpenSSL3)
+  if (!hasOpenSSL3)
     expectNoWorker('--openssl-config=_ossl_cfg', 'B\n');
 }
 

test/parallel/test-crypto-authenticated.js

@@ -21,13 +21,17 @@
 // Flags: --no-warnings
 'use strict';
 const common = require('../common');
-if (!common.hasCrypto)
+if (!common.hasCrypto) {
   common.skip('missing crypto');
+}
 
 const assert = require('assert');
 const crypto = require('crypto');
 const { inspect } = require('util');
 const fixtures = require('../common/fixtures');
+const { hasOpenSSL3 } = require('../common/crypto');
+
+const isFipsEnabled = crypto.getFips();
 
 //
 // Test authenticated encryption modes.
@@ -53,7 +57,7 @@ for (const test of TEST_CASES) {
     continue;
   }
 
-  if (common.hasFipsCrypto && test.iv.length < 24) {
+  if (isFipsEnabled && test.iv.length < 24) {
     common.printSkipMessage('IV len < 12 bytes unsupported in FIPS mode');
     continue;
   }
@@ -95,7 +99,7 @@ for (const test of TEST_CASES) {
   }
 
   {
-    if (isCCM && common.hasFipsCrypto) {
+    if (isCCM && isFipsEnabled) {
       assert.throws(() => {
         crypto.createDecipheriv(test.algo,
                                 Buffer.from(test.key, 'hex'),
@@ -286,7 +290,7 @@ for (const test of TEST_CASES) {
                             });
     }, errMessages.authTagLength);
 
-    if (!common.hasFipsCrypto) {
+    if (!isFipsEnabled) {
       assert.throws(() => {
         crypto.createDecipheriv('aes-256-ccm',
                                 'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
@@ -312,7 +316,7 @@ for (const test of TEST_CASES) {
     });
 
     // CCM decryption and create(De|C)ipher are unsupported in FIPS mode.
-    if (!common.hasFipsCrypto) {
+    if (!isFipsEnabled) {
       assert.throws(() => {
         crypto.createDecipheriv(`aes-256-${mode}`,
                                 'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
@@ -388,7 +392,7 @@ for (const test of TEST_CASES) {
     cipher.setAAD(Buffer.from('0123456789', 'hex'));
   }, /options\.plaintextLength required for CCM mode with AAD/);
 
-  if (!common.hasFipsCrypto) {
+  if (!isFipsEnabled) {
     assert.throws(() => {
       const cipher = crypto.createDecipheriv('aes-256-ccm',
                                              'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
@@ -403,7 +407,7 @@ for (const test of TEST_CASES) {
 
 // Test that final() throws in CCM mode when no authentication tag is provided.
 {
-  if (!common.hasFipsCrypto) {
+  if (!isFipsEnabled) {
     const key = Buffer.from('1ed2233fa2223ef5d7df08546049406c', 'hex');
     const iv = Buffer.from('7305220bca40d4c90e1791e9', 'hex');
     const ct = Buffer.from('8beba09d4d4d861f957d51c0794f4abf8030848e', 'hex');
@@ -562,7 +566,7 @@ for (const test of TEST_CASES) {
   ]) {
     assert.throws(() => {
       cipher.final();
-    }, common.hasOpenSSL3 ? {
+    }, hasOpenSSL3 ? {
       code: 'ERR_OSSL_TAG_NOT_SET'
     } : {
       message: /Unsupported state/

test/parallel/test-crypto-cipheriv-decipheriv.js

@@ -5,6 +5,8 @@ if (!common.hasCrypto)
 
 const assert = require('assert');
 const crypto = require('crypto');
+const { hasOpenSSL3 } = require('../common/crypto');
+const isFipsEnabled = crypto.getFips();
 
 function testCipher1(key, iv) {
   // Test encryption and decryption with explicit key and iv
@@ -150,7 +152,7 @@ testCipher1(Buffer.from('0123456789abcd0123456789'), '12345678');
 testCipher1(Buffer.from('0123456789abcd0123456789'), Buffer.from('12345678'));
 testCipher2(Buffer.from('0123456789abcd0123456789'), Buffer.from('12345678'));
 
-if (!common.hasFipsCrypto) {
+if (!isFipsEnabled) {
   testCipher3(Buffer.from('000102030405060708090A0B0C0D0E0F', 'hex'),
               Buffer.from('A6A6A6A6A6A6A6A6', 'hex'));
 }
@@ -193,10 +195,10 @@ assert.throws(
   errMessage);
 
 // But all other IV lengths should be accepted.
-const minIvLength = common.hasOpenSSL3 ? 8 : 1;
-const maxIvLength = common.hasOpenSSL3 ? 64 : 256;
+const minIvLength = hasOpenSSL3 ? 8 : 1;
+const maxIvLength = hasOpenSSL3 ? 64 : 256;
 for (let n = minIvLength; n < maxIvLength; n += 1) {
-  if (common.hasFipsCrypto && n < 12) continue;
+  if (isFipsEnabled && n < 12) continue;
   crypto.createCipheriv('aes-128-gcm', Buffer.alloc(16), Buffer.alloc(n));
 }