From 7c7f5159fcc71d915dfcc5f97ab18d5f8912f1b5 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>

Date: Tue, 25 Aug 2020 14:04:54 +0200

Subject: [PATCH] crypto: make FIPS related options always awailable

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

There is no reason to hide FIPS functionality behind build flags.

OpenSSL always provide the information about FIPS availability via

`FIPS_mode()` function.

This makes the user experience more consistent, because the OpenSSL

library is always queried and the `crypto.getFips()` always returns

OpenSSL settings.

Fixes #34903

PR-URL: https://github.com/nodejs/node/pull/36341

Reviewed-By: Anna Henningsen <anna@addaleax.net>

Reviewed-By: Michael Dawson <midawson@redhat.com>

Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>

Signed-off-by: Jan Staněk <jstanek@redhat.com>

Signed-off-by: rpm-build <rpm-build>

---

 doc/api/cli.md                                |  8 +--

 lib/crypto.js                                 | 22 ++----

 node.gypi                                     |  3 -

 src/node.cc                                   |  6 +-

 src/node_config.cc                            |  2 -

 src/node_crypto.cc                            | 45 +++++++-----

 src/node_options.cc                           |  2 -

 src/node_options.h                            |  2 -

 test/parallel/test-cli-node-print-help.js     |  7 +-

 test/parallel/test-crypto-fips.js             | 71 +++++++++----------

 ...rocess-env-allowed-flags-are-documented.js | 11 +--

 11 files changed, 74 insertions(+), 105 deletions(-)

diff --git a/doc/api/cli.md b/doc/api/cli.md

index a8ef339..c41bd49 100644

--- a/doc/api/cli.md

+++ b/doc/api/cli.md

@@ -182,8 +182,8 @@ code from strings throw an exception instead. This does not affect the Node.js

 added: v6.0.0

 -->

-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with

-`./configure --openssl-fips`.)

+Enable FIPS-compliant crypto at startup. (Requires Node.js to be built

+against FIPS-compatible OpenSSL.)

 ### `--enable-source-maps`

@@ -543,8 +543,8 @@ added: v6.9.0

 -->

 Load an OpenSSL configuration file on startup. Among other uses, this can be

-used to enable FIPS-compliant crypto if Node.js is built with

-`./configure --openssl-fips`.

+used to enable FIPS-compliant crypto if Node.js is built

+against FIPS-enabled OpenSSL.

 ### `--pending-deprecation`

diff --git a/lib/crypto.js b/lib/crypto.js

index a41b02d..5c15ab3 100644

--- a/lib/crypto.js

+++ b/lib/crypto.js

@@ -37,12 +37,10 @@ assertCrypto();

 const {

   ERR_CRYPTO_FIPS_FORCED,

-  ERR_CRYPTO_FIPS_UNAVAILABLE

 } = require('internal/errors').codes;

 const constants = internalBinding('constants').crypto;

 const { getOptionValue } = require('internal/options');

 const pendingDeprecation = getOptionValue('--pending-deprecation');

-const { fipsMode } = internalBinding('config');

 const fipsForced = getOptionValue('--force-fips');

 const {

   getFipsCrypto,

@@ -193,10 +191,8 @@ module.exports = {

   sign: signOneShot,

   setEngine,

   timingSafeEqual,

-  getFips: !fipsMode ? getFipsDisabled :

-    fipsForced ? getFipsForced : getFipsCrypto,

-  setFips: !fipsMode ? setFipsDisabled :

-    fipsForced ? setFipsForced : setFipsCrypto,

+  getFips: fipsForced ? getFipsForced : getFipsCrypto,

+  setFips: fipsForced ? setFipsForced : setFipsCrypto,

   verify: verifyOneShot,

   // Classes

@@ -215,19 +211,11 @@ module.exports = {

   Verify

 };

-function setFipsDisabled() {

-  throw new ERR_CRYPTO_FIPS_UNAVAILABLE();

-}

-

 function setFipsForced(val) {

   if (val) return;

   throw new ERR_CRYPTO_FIPS_FORCED();

 }

-function getFipsDisabled() {

-  return 0;

-}

-

 function getFipsForced() {

   return 1;

 }

@@ -249,10 +237,8 @@ ObjectDefineProperties(module.exports, {

   },

   // crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()

   fips: {

-    get: !fipsMode ? getFipsDisabled :

-      fipsForced ? getFipsForced : getFipsCrypto,

-    set: !fipsMode ? setFipsDisabled :

-      fipsForced ? setFipsForced : setFipsCrypto

+    get: fipsForced ? getFipsForced : getFipsCrypto,

+    set: fipsForced ? setFipsForced : setFipsCrypto

   },

   DEFAULT_ENCODING: {

     enumerable: false,

diff --git a/node.gypi b/node.gypi

index 070f212..45f6a9f 100644

--- a/node.gypi

+++ b/node.gypi

@@ -319,9 +319,6 @@

     [ 'node_use_openssl=="true"', {

       'defines': [ 'HAVE_OPENSSL=1' ],

       'conditions': [

-        ['openssl_fips != "" or openssl_is_fips=="true"', {

-          'defines': [ 'NODE_FIPS_MODE' ],

-        }],

         [ 'node_shared_openssl=="false"', {

           'dependencies': [

             './deps/openssl/openssl.gyp:openssl',

diff --git a/src/node.cc b/src/node.cc

index 905afd8..c04d199 100644

--- a/src/node.cc

+++ b/src/node.cc

@@ -1035,11 +1035,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {

     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))

       crypto::UseExtraCaCerts(extra_ca_certs);

   }

-#ifdef NODE_FIPS_MODE

   // In the case of FIPS builds we should make sure

   // the random source is properly initialized first.

-  OPENSSL_init();

-#endif  // NODE_FIPS_MODE

+  if (FIPS_mode()) {

+    OPENSSL_init();

+  }

   // V8 on Windows doesn't have a good source of entropy. Seed it from

   // OpenSSL's pool.

   V8::SetEntropySource(crypto::EntropySource);

diff --git a/src/node_config.cc b/src/node_config.cc

index 6ee3164..e229eee 100644

--- a/src/node_config.cc

+++ b/src/node_config.cc

@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,

   READONLY_FALSE_PROPERTY(target, "hasOpenSSL");

 #endif  // HAVE_OPENSSL

-#ifdef NODE_FIPS_MODE

   READONLY_TRUE_PROPERTY(target, "fipsMode");

-#endif

 #ifdef NODE_HAVE_I18N_SUPPORT

diff --git a/src/node_crypto.cc b/src/node_crypto.cc

index 31e8276..721c9d1 100644

--- a/src/node_crypto.cc

+++ b/src/node_crypto.cc

@@ -51,6 +51,11 @@

 #include <openssl/hmac.h>

 #include <openssl/rand.h>

 #include <openssl/pkcs12.h>

+// The FIPS-related functions are only available

+// when the OpenSSL itself was compiled with FIPS support.

+#ifdef OPENSSL_FIPS

+#include <openssl/fips.h>

+#endif // OPENSSL_FIPS

 #include <cerrno>

 #include <climits>  // INT_MAX

@@ -101,6 +106,7 @@ using v8::String;

 using v8::Uint32;

 using v8::Uint8Array;

 using v8::Undefined;

+using v8::TryCatch;

 using v8::Value;

 #ifdef OPENSSL_NO_OCB

@@ -3706,12 +3712,10 @@ void CipherBase::Init(const char* cipher_type,

   HandleScope scope(env()->isolate());

   MarkPopErrorOnReturn mark_pop_error_on_return;

-#ifdef NODE_FIPS_MODE

   if (FIPS_mode()) {

     return env()->ThrowError(

         "crypto.createCipher() is not supported in FIPS mode.");

   }

-#endif  // NODE_FIPS_MODE

   const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);

   if (cipher == nullptr)

@@ -3897,13 +3901,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,

       return false;

     }

-#ifdef NODE_FIPS_MODE

     // TODO(tniessen) Support CCM decryption in FIPS mode

     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {

       env()->ThrowError("CCM decryption not supported in FIPS mode");

       return false;

     }

-#endif

     // Tell OpenSSL about the desired length.

     if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,

@@ -4778,7 +4780,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,

 }

 static inline bool ValidateDSAParameters(EVP_PKEY* key) {

-#ifdef NODE_FIPS_MODE

   /* Validate DSA2 parameters from FIPS 186-4 */

   if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {

     DSA* dsa = EVP_PKEY_get0_DSA(key);

@@ -4794,7 +4795,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {

            (L == 2048 && N == 256) ||

            (L == 3072 && N == 256);

   }

-#endif  // NODE_FIPS_MODE

   return true;

 }

@@ -7032,7 +7032,6 @@ void InitCryptoOnce() {

   settings = nullptr;

 #endif

-#ifdef NODE_FIPS_MODE

   /* Override FIPS settings in cnf file, if needed. */

   unsigned long err = 0;  // NOLINT(runtime/int)

   if (per_process::cli_options->enable_fips_crypto ||

@@ -7042,12 +7041,10 @@ void InitCryptoOnce() {

     }

   }

   if (0 != err) {

-    fprintf(stderr,

-            "openssl fips failed: %s\n",

-            ERR_error_string(err, nullptr));

-    UNREACHABLE();

+      auto* isolate = Isolate::GetCurrent();

+      auto* env = Environment::GetCurrent(isolate);

+      return ThrowCryptoError(env, err);

   }

-#endif  // NODE_FIPS_MODE

   // Turn off compression. Saves memory and protects against CRIME attacks.

@@ -7093,7 +7090,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {

 }

 #endif  // !OPENSSL_NO_ENGINE

-#ifdef NODE_FIPS_MODE

 void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {

   args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);

 }

@@ -7111,7 +7107,16 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {

     return ThrowCryptoError(env, err);

   }

 }

-#endif /* NODE_FIPS_MODE */

+

+void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {

+#ifdef OPENSSL_FIPS

+  const auto enabled = FIPS_selftest() ? 1 : 0;

+#else  // OPENSSL_FIPS

+  const auto enabled = 0;

+#endif  // OPENSSL_FIPS

+

+  args.GetReturnValue().Set(enabled);

+}

 namespace {

 // SecureBuffer uses openssl to allocate a Uint8Array using

@@ -7147,10 +7152,17 @@ void Initialize(Local<Object> target,

                 Local<Value> unused,

                 Local<Context> context,

                 void* priv) {

+  Environment* env = Environment::GetCurrent(context);

+

   static uv_once_t init_once = UV_ONCE_INIT;

+  TryCatch try_catch{env->isolate()};

   uv_once(&init_once, InitCryptoOnce);

-  Environment* env = Environment::GetCurrent(context);

+  if (try_catch.HasCaught() && !try_catch.HasTerminated()) {

+    try_catch.ReThrow();

+    return;

+  }

+

   SecureContext::Initialize(env, target);

   target->Set(env->context(),

             FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),

@@ -7179,10 +7191,9 @@ void Initialize(Local<Object> target,

   env->SetMethod(target, "setEngine", SetEngine);

 #endif  // !OPENSSL_NO_ENGINE

-#ifdef NODE_FIPS_MODE

   env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);

   env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);

-#endif

+  env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);

   env->SetMethod(target, "pbkdf2", PBKDF2);

   env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);

diff --git a/src/node_options.cc b/src/node_options.cc

index 0102329..1ad44f4 100644

--- a/src/node_options.cc

+++ b/src/node_options.cc

@@ -753,7 +753,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(

             &PerProcessOptions::ssl_openssl_cert_store);

   Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");

   ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");

-#if NODE_FIPS_MODE

   AddOption("--enable-fips",

             "enable FIPS crypto at startup",

             &PerProcessOptions::enable_fips_crypto,

@@ -762,7 +761,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(

             "force FIPS crypto (cannot be disabled)",

             &PerProcessOptions::force_fips_crypto,

             kAllowedInEnvironment);

-#endif

 #endif

   AddOption("--use-largepages",

             "Map the Node.js static code to large pages. Options are "

diff --git a/src/node_options.h b/src/node_options.h

index 58a21e0..f22b254 100644

--- a/src/node_options.h

+++ b/src/node_options.h

@@ -243,10 +243,8 @@ class PerProcessOptions : public Options {

 #endif

   bool use_openssl_ca = false;

   bool use_bundled_ca = false;

-#if NODE_FIPS_MODE

   bool enable_fips_crypto = false;

   bool force_fips_crypto = false;

-#endif

 #endif

   // Per-process because reports can be triggered outside a known V8 context.

diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js

index ab8cd10..7e7c77f 100644

--- a/test/parallel/test-cli-node-print-help.js

+++ b/test/parallel/test-cli-node-print-help.js

@@ -8,8 +8,6 @@ const common = require('../common');

 const assert = require('assert');

 const { exec } = require('child_process');

-const { internalBinding } = require('internal/test/binding');

-const { fipsMode } = internalBinding('config');

 let stdOut;

@@ -28,9 +26,8 @@ function validateNodePrintHelp() {

   const cliHelpOptions = [

     { compileConstant: HAVE_OPENSSL,

       flags: [ '--openssl-config=...', '--tls-cipher-list=...',

-               '--use-bundled-ca', '--use-openssl-ca' ] },

-    { compileConstant: fipsMode,

-      flags: [ '--enable-fips', '--force-fips' ] },

+               '--use-bundled-ca', '--use-openssl-ca',

+               '--enable-fips', '--force-fips' ] },

     { compileConstant: NODE_HAVE_I18N_SUPPORT,

       flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },

     { compileConstant: HAVE_INSPECTOR,

diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js

index eae3134..a1ed645 100644

--- a/test/parallel/test-crypto-fips.js

+++ b/test/parallel/test-crypto-fips.js

@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;

 const path = require('path');

 const fixtures = require('../common/fixtures');

 const { internalBinding } = require('internal/test/binding');

-const { fipsMode } = internalBinding('config');

+const { testFipsCrypto } = internalBinding('crypto');

 const FIPS_ENABLED = 1;

 const FIPS_DISABLED = 0;

-const FIPS_ERROR_STRING =

-  'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +

-  'non-FIPS build.';

 const FIPS_ERROR_STRING2 =

   'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +

   '--force-fips at startup.';

-const OPTION_ERROR_STRING = 'bad option';

+const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';

 const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');

 const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');

 let num_children_ok = 0;

-function compiledWithFips() {

-  return fipsMode ? true : false;

-}

-

 function sharedOpenSSL() {

   return process.config.variables.node_shared_openssl;

 }

@@ -75,17 +68,17 @@ testHelper(

 // --enable-fips should turn FIPS mode on

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   ['--enable-fips'],

-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").getFips()',

   process.env);

 // --force-fips should turn FIPS mode on

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   ['--force-fips'],

-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").getFips()',

   process.env);

@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {

   testHelper(

     'stdout',

     [`--openssl-config=${CNF_FIPS_ON}`],

-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,

+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,

     'require("crypto").getFips()',

     process.env);

@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {

   testHelper(

     'stdout',

     [],

-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,

+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,

     'require("crypto").getFips()',

     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));

@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {

   testHelper(

     'stdout',

     [`--openssl-config=${CNF_FIPS_ON}`],

-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,

+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,

     'require("crypto").getFips()',

     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));

 }

@@ -136,50 +129,50 @@ testHelper(

 // --enable-fips should take precedence over OpenSSL config file

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],

-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").getFips()',

   process.env);

 // OPENSSL_CONF should _not_ make a difference to --enable-fips

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   ['--enable-fips'],

-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").getFips()',

   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));

 // --force-fips should take precedence over OpenSSL config file

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],

-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").getFips()',

   process.env);

 // Using OPENSSL_CONF should not make a difference to --force-fips

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   ['--force-fips'],

-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").getFips()',

   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));

 // setFipsCrypto should be able to turn FIPS mode on

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   [],

-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   '(require("crypto").setFips(true),' +

   'require("crypto").getFips())',

   process.env);

 // setFipsCrypto should be able to turn FIPS mode on and off

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   [],

-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,

+  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   '(require("crypto").setFips(true),' +

   'require("crypto").setFips(false),' +

   'require("crypto").getFips())',

@@ -187,27 +180,27 @@ testHelper(

 // setFipsCrypto takes precedence over OpenSSL config file, FIPS on

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   [`--openssl-config=${CNF_FIPS_OFF}`],

-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   '(require("crypto").setFips(true),' +

   'require("crypto").getFips())',

   process.env);

 // setFipsCrypto takes precedence over OpenSSL config file, FIPS off

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  'stdout',

   [`--openssl-config=${CNF_FIPS_ON}`],

-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,

+  FIPS_DISABLED,

   '(require("crypto").setFips(false),' +

   'require("crypto").getFips())',

   process.env);

 // --enable-fips does not prevent use of setFipsCrypto API

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   ['--enable-fips'],

-  compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   '(require("crypto").setFips(false),' +

   'require("crypto").getFips())',

   process.env);

@@ -216,15 +209,15 @@ testHelper(

 testHelper(

   'stderr',

   ['--force-fips'],

-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").setFips(false)',

   process.env);

 // --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)

 testHelper(

-  compiledWithFips() ? 'stdout' : 'stderr',

+  testFipsCrypto() ? 'stdout' : 'stderr',

   ['--force-fips'],

-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,

   '(require("crypto").setFips(true),' +

   'require("crypto").getFips())',

   process.env);

@@ -233,7 +226,7 @@ testHelper(

 testHelper(

   'stderr',

   ['--force-fips', '--enable-fips'],

-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").setFips(false)',

   process.env);

@@ -241,6 +234,6 @@ testHelper(

 testHelper(

   'stderr',

   ['--enable-fips', '--force-fips'],

-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,

+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,

   'require("crypto").setFips(false)',

   process.env);

diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js

index 1c91444..1d1605d 100644

--- a/test/parallel/test-process-env-allowed-flags-are-documented.js

+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js

@@ -45,17 +45,8 @@ const conditionalOpts = [

     include: common.hasCrypto,

     filter: (opt) => {

       return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',

-              '--use-openssl-ca' ].includes(opt);

+              '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);

     }

-  }, {

-    // We are using openssl_is_fips from the configuration because it could be

-    // the case that OpenSSL is FIPS compatible but fips has not been enabled

-    // (starting node with --enable-fips). If we use common.hasFipsCrypto

-    // that would only tells us if fips has been enabled, but in this case we

-    // want to check options which will be available regardless of whether fips

-    // is enabled at runtime or not.

-    include: process.config.variables.openssl_is_fips,

-    filter: (opt) => opt.includes('-fips')

   }, {

     include: common.hasIntl,

     filter: (opt) => opt === '--icu-data-dir'

-- 

2.31.1