crypto: fix native module compilation with FIPS

Prevent OpenSSL's fipsld from being used to link native modules
because this requires the original OpenSSL source to be
available after Node's installation.

Fixes: https://github.com/nodejs/node/issues/3815
PR-URL: https://github.com/nodejs/node/pull/4023
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

diff --git a/.gitignore b/.gitignore
index a3e3a28..5cf2cd0 100644 (file)
--- a/.gitignore
+++ b/.gitignore
@@ -43,6 +43,7 @@ ipch/
 
 /config.mk
 /config.gypi
+/config_fips.gypi
 *-nodegyp*
 /gyp-mac-tool
 /dist-osx

diff --git a/Makefile b/Makefile
index 02619fa..a99b112 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -74,7 +74,7 @@ clean:
 
 distclean:
        -rm -rf out
-       -rm -f config.gypi icu_config.gypi
+       -rm -f config.gypi icu_config.gypi config_fips.gypi
        -rm -f config.mk
        -rm -rf $(NODE_EXE) $(NODE_G_EXE)
        -rm -rf node_modules

diff --git a/configure b/configure
index 56a0376..e30ce5f 100755 (executable)
--- a/configure
+++ b/configure
@@ -782,7 +782,7 @@ def configure_openssl(o):
     o['variables']['openssl_fips'] = options.openssl_fips
     fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
     fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
-    o['make_global_settings'] = [
+    o['make_fips_settings'] = [
       ['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
     ]
   else:
@@ -1104,6 +1104,15 @@ configure_fullystatic(output)
 variables = output['variables']
 del output['variables']
 
+# make_global_settings for special FIPS linking
+# should not be used to compile modules in node-gyp
+config_fips = { 'make_global_settings' : [] }
+if 'make_fips_settings' in output:
+  config_fips['make_global_settings'] = output['make_fips_settings']
+  del output['make_fips_settings']
+  write('config_fips.gypi', do_not_edit +
+        pprint.pformat(config_fips, indent=2) + '\n')
+
 # make_global_settings should be a root level element too
 if 'make_global_settings' in output:
   make_global_settings = output['make_global_settings']

diff --git a/tools/gyp_node.py b/tools/gyp_node.py
index 7b49505..064abe3 100755 (executable)
--- a/tools/gyp_node.py
+++ b/tools/gyp_node.py
@@ -30,10 +30,12 @@ if __name__ == '__main__':
     args.append(os.path.join(node_root, 'node.gyp'))
     common_fn  = os.path.join(node_root, 'common.gypi')
     options_fn = os.path.join(node_root, 'config.gypi')
+    options_fips_fn = os.path.join(node_root, 'config_fips.gypi')
   else:
     args.append(os.path.join(os.path.abspath(node_root), 'node.gyp'))
     common_fn  = os.path.join(os.path.abspath(node_root), 'common.gypi')
     options_fn = os.path.join(os.path.abspath(node_root), 'config.gypi')
+    options_fips_fn = os.path.join(os.path.abspath(node_root), 'config_fips.gypi')
 
   if os.path.exists(common_fn):
     args.extend(['-I', common_fn])
@@ -41,6 +43,9 @@ if __name__ == '__main__':
   if os.path.exists(options_fn):
     args.extend(['-I', options_fn])
 
+  if os.path.exists(options_fips_fn):
+    args.extend(['-I', options_fips_fn])
+
   args.append('--depth=' + node_root)
 
   # There's a bug with windows which doesn't allow this feature.