From 75efb42b7d6a377b1aac05b67dc2b715034a55fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?=
Date: Wed, 26 Jul 2023 13:07:21 +0200
Subject: [PATCH 1/2] src: report if CSPRNG fails to seed properly

In some cases, the CSPRNG may fail to seed properly, which currently results in assertion failure and core dump. This change will turn the behavior in a better-debuggable error report.
---
 src/node.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/node.cc b/src/node.cc
index 7ca3e14ee06c3a..679956f03826c2 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -1067,7 +1067,17 @@ InitializeOncePerProcessInternal(const std::vector& args,
 }
 // Ensure CSPRNG is properly seeded.
- CHECK(crypto::CSPRNG(nullptr, 0).is_ok());
+ if (!crypto::CSPRNG(nullptr, 0).is_ok()) {
+ // XXX: ERR_GET_REASON does not return something that is
+ // useful as an exit code at all.
+ result->exit_code_ =
+ static_cast(ERR_GET_REASON(ERR_peek_error()));
+ result->early_return_ = true;
+ result->errors_.emplace_back(
+ "OpenSSL error when trying to seed CSPRNG:\n" +
+ GetOpenSSLErrorString());
+ return result;
+ }
 V8::SetEntropySource([](unsigned char* buffer, size_t length) {
 // V8 falls back to very weak entropy when this function fails
From 137735c452e32b8b2179f7bd017012d745a1e22b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?=
Date: Tue, 15 Aug 2023 16:09:47 +0200
Subject: [PATCH 2/2] src: warn about FIPS options used with shared OpenSSL

Related: https://github.com/nodejs/node/pull/48950
---
 node.gypi | 7 ++++++-
 src/node.cc | 8 ++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/node.gypi b/node.gypi
index 9138317c62c7cd..e1e6b48b4e9a74 100644
--- a/node.gypi
+++ b/node.gypi
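Review bot: In the CSPRNG hunk of src/node.cc (PATCH 1/2), the exit code is derived from `ERR_GET_REASON(ERR_peek_error())`, which is 0 when the OpenSSL error queue is empty, so a seeding failure could end the process with a success status. A value above 255 would also be truncated by most platforms. The failure path should use a fixed non-zero exit code, or fall back to one when the derived value is 0, and the XXX comment could record why: `// ERR_peek_error() is 0 on an empty queue; a seeding failure must never exit with status 0.` The early `return result` sits before `V8::SetEntropySource`, so startup stops before the weak-entropy fallback mentioned in the context line, presumably as long as the caller honours `early_return_`, which is not visible here. The enclosing function starts and ends outside the hunk.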
@@ -350,7 +350,10 @@
 'defines': [ 'HAVE_OPENSSL=1' ],
 'conditions': [
 [ 'node_shared_openssl=="false"', {
- 'defines': [ 'OPENSSL_API_COMPAT=0x10100000L', ],
+ 'defines': [
+ 'OPENSSL_API_COMPAT=0x10100000L',
+ 'NODE_OPENSSL_IS_SHARED=0',
+ ],
 'dependencies': [
 './deps/openssl/openssl.gyp:openssl',
@@ -392,6 +395,8 @@
 ],
 }],
 ]
+ }, {
+ 'defines': [ 'NODE_OPENSSL_IS_SHARED=1', ]
 }],
 [ 'openssl_quic=="true" and node_shared_ngtcp2=="false"', {
 'dependencies': [ './deps/ngtcp2/ngtcp2.gyp:ngtcp2' ]
diff --git a/src/node.cc b/src/node.cc
index 679956f03826c2..7db6a923ddb42e 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -1054,6 +1054,14 @@ InitializeOncePerProcessInternal(const std::vector& args,
 OPENSSL_init();
 }
 #endif
+#if NODE_OPENSSL_IS_SHARED
+ if (per_process::cli_options->enable_fips_crypto ||
+ per_process::cli_options->force_fips_crypto) {
+ result->errors_.emplace_back(
+ "Warning: FIPS options are not supported with shared OpenSSL library!"
+ );
+ }
+#endif // NODE_OPENSSL_IS_SHARED
 if (!crypto::ProcessFipsOptions()) {
 // XXX: ERR_GET_REASON does not return something that is
 // useful as an exit code at all.
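Review bot: In the src/node.cc hunk of PATCH 2/2, the FIPS warning is appended to `result->errors_` without setting `early_return_`, so it is only shown if the caller prints `errors_` on the non-failing path, which this hunk does not show. That matters because someone setting `force_fips_crypto` against a shared OpenSSL would otherwise get no sign that the mode is unsupported. If `crypto::ProcessFipsOptions()` then fails, the same list holds both the warning and the fatal message, so a comment should state the intent: `// Non-fatal: startup continues; errors_ only carries the warning to the caller.` `#if NODE_OPENSSL_IS_SHARED` also evaluates to 0 without complaint in any build where node.gypi leaves the macro undefined, so `#if defined(NODE_OPENSSL_IS_SHARED) && NODE_OPENSSL_IS_SHARED` would make that case explicit. The enclosing function continues outside the hunk.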