github.com/nodejs/node.git
author Rod Vagg <rod@vagg.org> 2016-09-27 15:33:58 +0300
committer Rod Vagg <rod@vagg.org> 2016-09-27 16:38:24 +0300
commit 03f4920d6a8b4ac1d990f7659f2815075c8c896b
tree f7a3600ada5171d6dcf6e475f78394ec2e78c1f7
parent fc259c7dc489b82b166e58053fba86ed7707e0ae
crypto: don't build hardware engines

Compile out hardware engines. `ENGINE_load_builtin_engines()` is not called in v0.10 so this does not represent a known security vulnerability.

Backport of https://github.com/nodejs/node-private/pull/58

PR-URL: https://github.com/nodejs/node-private/pull/68
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

-rw-r--r-- deps/openssl/openssl.gyp | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp
index 58feb474453..462111d5322 100644
--- a/deps/openssl/openssl.gyp
+++ b/deps/openssl/openssl.gyp
@@ -1099,6 +1099,11 @@
# Microsoft's IIS, which seems to be ignoring whole ClientHello after
# seeing this extension.
'OPENSSL_NO_HEARTBEATS',
+
+ # Compile out hardware engines. Most are stubs that dynamically load
+ # the real driver but that poses a security liability when an attacker
+ # is able to create a malicious DLL in one of the default search paths.
+ 'OPENSSL_NO_HW',
],
'direct_dependent_settings': {
'defines': [
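
Review bot: 'OPENSSL_NO_HW' is added only to the target's own 'defines' list; the 'direct_dependent_settings' 'defines' list that opens in the trailing context is not touched, and the diffstat shows these five insertions as the whole patch. Targets that depend on this one will therefore include the OpenSSL headers without the macro. If dependents need to see the same configuration the library was built with, add the define there as well; if keeping it local is intentional, say so in the comment. The comment could also say "shared library" rather than "DLL" if the concern is not specific to Windows, and it would help to name `ENGINE_load_builtin_engines()`, which the commit message mentions, so a later reader knows which call the define is guarding against.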