Skip to content

Commit

Permalink
crypto: fix native module compilation with FIPS
Browse files Browse the repository at this point in the history
Prevent OpenSSL's fipsld from being used to link native modules
because this requires the original OpenSSL source to be
available after Node's installation.

Fixes: #3815
PR-URL: #4023
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
  • Loading branch information
stefanmb authored and rvagg committed Dec 5, 2015
1 parent e8e4e07 commit cfc9764
Show file tree
Hide file tree
Showing 4 changed files with 17 additions and 2 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ ipch/

/config.mk
/config.gypi
/config_fips.gypi
*-nodegyp*
/gyp-mac-tool
/dist-osx
Expand Down
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ clean:

distclean:
-rm -rf out
-rm -f config.gypi icu_config.gypi
-rm -f config.gypi icu_config.gypi config_fips.gypi
-rm -f config.mk
-rm -rf $(NODE_EXE) $(NODE_G_EXE)
-rm -rf node_modules
Expand Down
11 changes: 10 additions & 1 deletion configure
Original file line number Diff line number Diff line change
Expand Up @@ -804,7 +804,7 @@ def configure_openssl(o):
o['variables']['openssl_fips'] = options.openssl_fips
fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
o['make_global_settings'] = [
o['make_fips_settings'] = [
['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
]
else:
Expand Down Expand Up @@ -1126,6 +1126,15 @@ configure_fullystatic(output)
variables = output['variables']
del output['variables']

# make_global_settings for special FIPS linking
# should not be used to compile modules in node-gyp
config_fips = { 'make_global_settings' : [] }
if 'make_fips_settings' in output:
config_fips['make_global_settings'] = output['make_fips_settings']
del output['make_fips_settings']
write('config_fips.gypi', do_not_edit +
pprint.pformat(config_fips, indent=2) + '\n')

# make_global_settings should be a root level element too
if 'make_global_settings' in output:
make_global_settings = output['make_global_settings']
Expand Down
5 changes: 5 additions & 0 deletions tools/gyp_node.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,17 +30,22 @@ def run_gyp(args):
args.append(os.path.join(node_root, 'node.gyp'))
common_fn = os.path.join(node_root, 'common.gypi')
options_fn = os.path.join(node_root, 'config.gypi')
options_fips_fn = os.path.join(node_root, 'config_fips.gypi')
else:
args.append(os.path.join(os.path.abspath(node_root), 'node.gyp'))
common_fn = os.path.join(os.path.abspath(node_root), 'common.gypi')
options_fn = os.path.join(os.path.abspath(node_root), 'config.gypi')
options_fips_fn = os.path.join(os.path.abspath(node_root), 'config_fips.gypi')

if os.path.exists(common_fn):
args.extend(['-I', common_fn])

if os.path.exists(options_fn):
args.extend(['-I', options_fn])

if os.path.exists(options_fips_fn):
args.extend(['-I', options_fips_fn])

args.append('--depth=' + node_root)

# There's a bug with windows which doesn't allow this feature.
Expand Down

0 comments on commit cfc9764

Please sign in to comment.