crypto: fix native module compilation with FIPS

stefanmb · rvagg · commit cfc97641eed5 · 2015-12-05T17:42:52.000+11:00
Prevent OpenSSL's fipsld from being used to link native modules because this requires the original OpenSSL source to be available after Node's installation. Fixes: #3815 PR-URL: #4023 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
diff --git a/.gitignore b/.gitignore
@@ -44,6 +44,7 @@ ipch/
 
 /config.mk
 /config.gypi
+/config_fips.gypi
 *-nodegyp*
 /gyp-mac-tool
 /dist-osx
diff --git a/Makefile b/Makefile
@@ -74,7 +74,7 @@ clean:
 
 distclean:
 	-rm -rf out
-	-rm -f config.gypi icu_config.gypi
+	-rm -f config.gypi icu_config.gypi config_fips.gypi
 	-rm -f config.mk
 	-rm -rf $(NODE_EXE) $(NODE_G_EXE)
 	-rm -rf node_modules
diff --git a/configure b/configure
@@ -804,7 +804,7 @@ def configure_openssl(o):
     o['variables']['openssl_fips'] = options.openssl_fips
     fips_dir = os.path.join(root_dir, 'deps', 'openssl', 'fips')
     fips_ld = os.path.abspath(os.path.join(fips_dir, 'fipsld'))
-    o['make_global_settings'] = [
+    o['make_fips_settings'] = [
       ['LINK', fips_ld + ' <(openssl_fips)/bin/fipsld'],
     ]
   else:
@@ -1126,6 +1126,15 @@ configure_fullystatic(output)
 variables = output['variables']
 del output['variables']
 
+# make_global_settings for special FIPS linking
+# should not be used to compile modules in node-gyp
+config_fips = { 'make_global_settings' : [] }
+if 'make_fips_settings' in output:
+  config_fips['make_global_settings'] = output['make_fips_settings']
+  del output['make_fips_settings']
+  write('config_fips.gypi', do_not_edit +
+        pprint.pformat(config_fips, indent=2) + '\n')
+
 # make_global_settings should be a root level element too
 if 'make_global_settings' in output:
   make_global_settings = output['make_global_settings']
diff --git a/tools/gyp_node.py b/tools/gyp_node.py
@@ -30,17 +30,22 @@ def run_gyp(args):
     args.append(os.path.join(node_root, 'node.gyp'))
     common_fn  = os.path.join(node_root, 'common.gypi')
     options_fn = os.path.join(node_root, 'config.gypi')
+    options_fips_fn = os.path.join(node_root, 'config_fips.gypi')
   else:
     args.append(os.path.join(os.path.abspath(node_root), 'node.gyp'))
     common_fn  = os.path.join(os.path.abspath(node_root), 'common.gypi')
     options_fn = os.path.join(os.path.abspath(node_root), 'config.gypi')
+    options_fips_fn = os.path.join(os.path.abspath(node_root), 'config_fips.gypi')
 
   if os.path.exists(common_fn):
     args.extend(['-I', common_fn])
 
   if os.path.exists(options_fn):
     args.extend(['-I', options_fn])
 
+  if os.path.exists(options_fips_fn):
+    args.extend(['-I', options_fips_fn])
+
   args.append('--depth=' + node_root)
 
   # There's a bug with windows which doesn't allow this feature.
