From 47d040dd779a2b4ecb0df517f1658feef2497947 Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Wed, 9 Jan 2019 11:54:08 +0100 Subject: [PATCH] build: introduce --openssl-is-fips flag This commit introduces a new configuration flag named --openssl-is-fips which is intended to be used when linking against an OpenSSL library that is FIPS compatible. The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8) comes with OpenSSL 1.1.1 and includes FIPS support, and we would like to be able to dynamically link against this version and also have FIPS features enabled in node, like would be done when statically linking and using the --openssl-fips flag. The suggestion here is to introduce a new flag: $ ./configure --help ... --openssl-is-fips specifies that the shared OpenSSL version is FIPS compatible This flag could be used in combination with the shared-openssl flag: $ ./configure --shared-openssl ---openssl-is-fips This will enable FIPS support in node and the runtime flags will be availalbe to enable FIPS (--enable-fips, --force-fips). PR-URL: https://github.com/nodejs/node/pull/25412 Reviewed-By: Sam Roberts Reviewed-By: Anna Henningsen --- configure.py | 6 ++++++ node.gypi | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/configure.py b/configure.py index 3ac700c86c3482..232806170a0c3b 100755 --- a/configure.py +++ b/configure.py @@ -173,6 +173,11 @@ dest='openssl_fips', help='Build OpenSSL using FIPS canister .o file in supplied folder') +parser.add_option('--openssl-is-fips', + action='store_true', + dest='openssl_is_fips', + help='specifies that the OpenSSL library is FIPS compatible') + parser.add_option('--openssl-use-def-ca-store', action='store_true', dest='use_openssl_ca_store', 
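Review bot: The help string for `--openssl-is-fips` does not say that the flag is only meaningful together with `--shared-openssl`, nor that it is an assertion by the person building rather than something configure checks. The commit message's own wording ("the shared OpenSSL version") is closer to the intent than the text that landed. Since the flag decides whether FIPS code paths are compiled in, I would spell this out, e.g. `help='assert that the OpenSSL library linked via --shared-openssl is FIPS capable (not verified by configure)')`. The "not verified" part is based on the visible hunks only, so confirm it against the rest of configure.py.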
@@ -1190,6 +1195,7 @@ def configure_openssl(o): variables = o['variables'] variables['node_use_openssl'] = b(not options.without_ssl) variables['node_shared_openssl'] = b(options.shared_openssl) + variables['openssl_is_fips'] = b(options.openssl_is_fips) variables['openssl_fips'] = '' if options.openssl_no_asm: diff --git a/node.gypi b/node.gypi index 13886faf80985f..689138c15b5705 100644 --- a/node.gypi +++ b/node.gypi @@ -319,7 +319,7 @@ [ 'node_use_openssl=="true"', { 'defines': [ 'HAVE_OPENSSL=1' ], 'conditions': [ - ['openssl_fips != ""', { + ['openssl_fips != "" or openssl_is_fips=="true"', { 'defines': [ 'NODE_FIPS_MODE' ], }], [ 'node_shared_openssl=="false"', {
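Review bot: `variables['openssl_is_fips']` is set unconditionally in configure_openssl, so `--openssl-is-fips` given without `--shared-openssl` still defines NODE_FIPS_MODE through the new `or openssl_is_fips=="true"` condition in the node.gypi hunk, this time against the bundled OpenSSL. Nothing in the visible hunks rejects that combination or probes the library, so a build can expose `--enable-fips`/`--force-fips` when the linked library may not provide FIPS. A guard ahead of the assignment would fail the build early instead: `if options.openssl_is_fips and not options.shared_openssl: error('--openssl-is-fips is only available with --shared-openssl')`. configure_openssl starts above this hunk and continues below it, so check that no such validation already exists further down.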