diff --git a/node.gypi b/node.gypi
index 9138317c62c7cd..e1e6b48b4e9a74 100644
--- a/node.gypi
+++ b/node.gypi
@@ -350,7 +350,10 @@
 'defines': [ 'HAVE_OPENSSL=1' ],
 'conditions': [
 [ 'node_shared_openssl=="false"', {
- 'defines': [ 'OPENSSL_API_COMPAT=0x10100000L', ],
+ 'defines': [
+ 'OPENSSL_API_COMPAT=0x10100000L',
+ 'NODE_OPENSSL_IS_SHARED=0',
+ ],
 'dependencies': [
 './deps/openssl/openssl.gyp:openssl',
@@ -392,6 +395,8 @@
 ],
 }],
 ]
+ }, {
+ 'defines': [ 'NODE_OPENSSL_IS_SHARED=1', ]
 }],
 [ 'openssl_quic=="true" and node_shared_ngtcp2=="false"', {
 'dependencies': [ './deps/ngtcp2/ngtcp2.gyp:ngtcp2' ]
diff --git a/src/node.cc b/src/node.cc
index 7ca3e14ee06c3a..7db6a923ddb42e 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -1054,6 +1054,14 @@ InitializeOncePerProcessInternal(const std::vector& args,
 OPENSSL_init();
 }
 #endif
+#if NODE_OPENSSL_IS_SHARED
+ if (per_process::cli_options->enable_fips_crypto ||
+ per_process::cli_options->force_fips_crypto) {
+ result->errors_.emplace_back(
+ "Warning: FIPS options are not supported with shared OpenSSL library!"
+ );
+ }
+#endif // NODE_OPENSSL_IS_SHARED
 if (!crypto::ProcessFipsOptions()) {
 // XXX: ERR_GET_REASON does not return something that is
 // useful as an exit code at all.
@@ -1067,7 +1075,17 @@ InitializeOncePerProcessInternal(const std::vector& args,
 }
 // Ensure CSPRNG is properly seeded.
- CHECK(crypto::CSPRNG(nullptr, 0).is_ok());
+ if (!crypto::CSPRNG(nullptr, 0).is_ok()) {
+ // XXX: ERR_GET_REASON does not return something that is
+ // useful as an exit code at all.
+ result->exit_code_ =
+ static_cast(ERR_GET_REASON(ERR_peek_error()));
+ result->early_return_ = true;
+ result->errors_.emplace_back(
+ "OpenSSL error when trying to seed CSPRNG:\n" +
+ GetOpenSSLErrorString());
+ return result;
+ }
 V8::SetEntropySource([](unsigned char* buffer, size_t length) {
 // V8 falls back to very weak entropy when this function fails
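Review bot: The new `#if NODE_OPENSSL_IS_SHARED` block in the first src/node.cc hunk records a string in `result->errors_` but sets neither `early_return_` nor `exit_code_`, so startup continues into `crypto::ProcessFipsOptions()` even when `force_fips_crypto` is set. An operator who depends on FIPS mode being enforced cannot tell from this code whether the process ends up FIPS-enabled or silently runs without it. Whether `errors_` is even printed when there is no early return is not visible in the hunk. If continuing is intended, say so in a comment such as `// Not fatal: ProcessFipsOptions() below still decides whether FIPS mode can be enabled.`; otherwise consider failing closed for `force_fips_crypto`. The enclosing function starts and ends outside the hunk.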
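Review bot: In the CSPRNG failure branch of the last src/node.cc hunk, `ERR_GET_REASON(ERR_peek_error())` evaluates to 0 when the OpenSSL error queue is empty, so a seeding failure that queues no error would set `early_return_` with an exit code of 0 and the process would report success. The copied `XXX` comment already admits that the reason code is not a meaningful exit status. A fixed non-zero fallback keeps the failure visible to supervisors and CI, for example `if (result->exit_code_ == 0) result->exit_code_ = 1;`, with the literal adjusted to whatever type `exit_code_` has. The identical pattern in the `ProcessFipsOptions()` branch above is pre-existing context and would benefit from the same guard. The function body continues outside the hunk.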