From cfc97641eed586685bd689fcf65c2944c7f0db51 Mon Sep 17 00:00:00 2001 From: Stefan Budeanu Date: Tue, 24 Nov 2015 19:17:49 -0500 Subject: [PATCH] crypto: fix native module compilation with FIPS Prevent OpenSSL's fipsld from being used to link native modules because this requires the original OpenSSL source to be available after Node's installation. Fixes: https://github.com/nodejs/node/issues/3815 PR-URL: https://github.com/nodejs/node/pull/4023 Reviewed-By: Fedor Indutny Reviewed-By: Michael Dawson Reviewed-By: Shigeki Ohtsu --- .gitignore | 1 + Makefile | 2 +- configure | 11 ++++++++++- tools/gyp_node.py | 5 +++++ 4 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 2e6f583bf732b4..931bf8c024dc3b 100644 --- a/.gitignore +++ b/.gitignore @@ -44,6 +44,7 @@ ipch/ /config.mk /config.gypi +/config_fips.gypi *-nodegyp* /gyp-mac-tool /dist-osx diff --git a/Makefile b/Makefile index 02619fac98ddd7..a99b112508c448 100644 --- a/Makefile +++ b/Makefile @@ -74,7 +74,7 @@ clean: distclean: -rm -rf out - -rm -f config.gypi icu_config.gypi + -rm -f config.gypi icu_config.gypi config_fips.gypi -rm -f config.mk -rm -rf $(NODE_EXE) $(NODE_G_EXE) -rm -rf node_modules diff --git a/configure b/configure index 51673e3fa96a0e..45d401b7485ad8 100755 --- a/configure +++ b/configure @@ -804,7 +804,7 @@ def configure_openssl(o): o['variables']['openssl_fips'] = options.openssl_fips fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips') fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld')) - o['make_global_settings'] = [ + o['make_fips_settings'] = [ ['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'], ] else: @@ -1126,6 +1126,15 @@ configure_fullystatic(output) variables = output['variables'] del output['variables'] +# make_global_settings for special FIPS linking +# should not be used to compile modules in node-gyp +config_fips = { 'make_global_settings' : [] } +if 'make_fips_settings' in output: + config_fips['make_global_settings'] = output['make_fips_settings'] + del output['make_fips_settings'] + write('config_fips.gypi', do_not_edit + + pprint.pformat(config_fips, indent=2) + '\n') + # make_global_settings should be a root level element too if 'make_global_settings' in output: make_global_settings = output['make_global_settings'] diff --git a/tools/gyp_node.py b/tools/gyp_node.py index 7b495055c180c8..064abe30aa209c 100755 --- a/tools/gyp_node.py +++ b/tools/gyp_node.py @@ -30,10 +30,12 @@ def run_gyp(args): args.append(os.path.join(node_root, 'node.gyp')) common_fn = os.path.join(node_root, 'common.gypi') options_fn = os.path.join(node_root, 'config.gypi') + options_fips_fn = os.path.join(node_root, 'config_fips.gypi') else: args.append(os.path.join(os.path.abspath(node_root), 'node.gyp')) common_fn = os.path.join(os.path.abspath(node_root), 'common.gypi') options_fn = os.path.join(os.path.abspath(node_root), 'config.gypi') + options_fips_fn = os.path.join(os.path.abspath(node_root), 'config_fips.gypi') if os.path.exists(common_fn): args.extend(['-I', common_fn]) @@ -41,6 +43,9 @@ def run_gyp(args): if os.path.exists(options_fn): args.extend(['-I', options_fn]) + if os.path.exists(options_fips_fn): + args.extend(['-I', options_fips_fn]) + args.append('--depth=' + node_root) # There's a bug with windows which doesn't allow this feature.