From c214e8847d2a9a0ffb6c842f8bfdc064ff9355c2 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Thu, 8 Sep 2016 21:52:20 +0200
Subject: [PATCH] crypto: don't build hardware engines

Compile out hardware engines. Most are stubs that dynamically load the real driver but that poses a security liability when an attacker is able to create a malicious DLL in one of the default search paths.

PR-URL: https://github.com/nodejs/node-private/pull/70
Reviewed-By: James Snell
Reviewed-By: Fedor Indutny
Reviewed-By: Joao Reis
Reviewed-By: Rod Vagg
---
 deps/openssl/openssl.gypi | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/deps/openssl/openssl.gypi b/deps/openssl/openssl.gypi
index 63286a1a64..a76a955854 100644
--- a/deps/openssl/openssl.gypi
+++ b/deps/openssl/openssl.gypi
@@ -1260,6 +1260,11 @@
 # Microsoft's IIS, which seems to be ignoring whole ClientHello after
 # seeing this extension.
 'OPENSSL_NO_HEARTBEATS',
+
+ # Compile out hardware engines. Most are stubs that dynamically load
+ # the real driver but that poses a security liability when an attacker
+ # is able to create a malicious DLL in one of the default search paths.
+ 'OPENSSL_NO_HW',
 ],
 'openssl_default_defines_win': [
 'MK1MF_BUILD',
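Review bot: The comment added above `'OPENSSL_NO_HW'` states the threat but not the limit of the mitigation, so a later reader may assume all runtime engine loading is gone. As far as I recall of OpenSSL 1.0.x, this define removes only the built-in hardware engine stubs, while the generic `dynamic` engine and engine loading driven by `openssl.cnf` are controlled by other switches; that should be confirmed against the bundled OpenSSL sources. I would append `# Does not cover the generic "dynamic" engine or config-driven engine loading; review those separately.` to the comment. The enclosing defines list starts outside the hunk and appears to be the platform-independent one (the `_win` list follows it), so "DLL" could read "shared library (DLL/.so)". A build check that the resulting binary registers no hardware engines would keep this from silently regressing on an OpenSSL upgrade.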