deps: update OpenSSL build config to support compression

Author: pimterry

deps/openssl/config/Makefile

@@ -21,11 +21,17 @@ CC = gcc
 FAKE_GCC = ../config/fake_gcc.pl
 
 CONFIGURE = ./Configure
-# no-comp: against CRIME attack
 # no-shared: openssl-cli needs static link
 # no-afalgeng: old Linux kernel < 4.0 does not support it
 # enable-ssl-trace: cause the optional SSL_trace API to be built
-COPTS =  no-comp no-shared no-afalgeng enable-ssl-trace enable-fips
+# zlib/brotli/zstd: enable compression libraries for TLS certificate
+#   compression (RFC 8879). Record compression remains disabled at runtime
+#   via SSL_OP_NO_COMPRESSION and sk_SSL_COMP_zero() in crypto_util.cc.
+#   Include paths point to Node's bundled deps (relative to openssl/).
+COPTS =  no-shared no-afalgeng enable-ssl-trace enable-fips \
+         zlib --with-zlib-include=../../zlib \
+         enable-brotli --with-brotli-include=../../brotli/c/include \
+         enable-zstd --with-zstd-include=../../zstd/lib
 
 # disable platform check in Configure
 NO_WARN_ENV = CONFIGURE_CHECKER_WARN=1

deps/openssl/config/generate_gypi.pl

@@ -285,6 +285,21 @@
 $target{'lib_cppflags'} =~ s/-D//g;
 my @lib_cppflags = split(/ /, $target{'lib_cppflags'});
 
+# Strip library flags for deps provided via GYP dependencies.
+# zlib, brotli, and zstd are bundled in deps/ with proper GYP targets,
+# so we must not link against system shared libraries.
+$target{ex_libs} =~ s/-l(?:z|brotlienc|brotlidec|brotlicommon|zstd)\b//g;
+$target{ex_libs} =~ s/\s+/ /g;
+$target{ex_libs} =~ s/^\s+|\s+$//g;
+
+# Filter out bare ZLIB/BROTLI/ZSTD defines added by Configure for compression
+# support. These are internal to OpenSSL and clash with identifiers in
+# Node.js source (e.g. ZLIB in async_wrap.h) when propagated via
+# direct_dependent_settings. They are kept in the main defines for OpenSSL's
+# own compilation but excluded from the exported defines.
+my @config_defines_exported = grep { $_ !~ /^(?:ZLIB|BROTLI|ZSTD)$/ } @{$config{defines}};
+my @target_defines_exported = grep { $_ !~ /^(?:ZLIB|BROTLI|ZSTD)$/ } @{$target{defines}};
+
 my @cflags = ();
 push(@cflags, @{$config{'cflags'}});
 push(@cflags, @{$config{'CFLAGS'}});
@@ -315,6 +330,8 @@
         arch => \$arch,
         lib_cppflags => \@lib_cppflags,
         is_win => \$is_win,
+        config_defines_exported => \@config_defines_exported,
+        target_defines_exported => \@target_defines_exported,
     });
 
 open(GYPI, "> ./archs/$arch/$asm/openssl.gypi");

deps/openssl/config/openssl.gypi.tmpl

@@ -26,6 +26,22 @@ foreach $src (@libcrypto_srcs) {
     }
     foreach $define (@{$config{lib_defines}}) {
   $OUT .= "      '$define',\n";
+} -%%    ],
+    'openssl_defines_exported_%%-$arch-%%': [
+%%- foreach $define (@config_defines_exported) {
+      $OUT .= "      '$define',\n";
+    }
+    foreach $define (@lib_cppflags) {
+      $OUT .= "      '$define',\n";
+    }
+    foreach $define (@target_defines_exported) {
+      $OUT .= "      '$define',\n";
+    }
+    foreach $define (@{lib_defines}) {
+      $OUT .= "      '$define',\n";
+    }
+    foreach $define (@{$config{lib_defines}}) {
+  $OUT .= "      '$define',\n";
 } -%%    ],
     'openssl_cflags_%%-$arch-%%': [
 %%- foreach $cflag (@cflags) {
@@ -50,6 +66,6 @@ foreach $src (@libcrypto_srcs) {
   'sources': ['<@(openssl_sources)', '<@(openssl_sources_%%-$arch-%%)'],
   'direct_dependent_settings': {
     'include_dirs': ['./include', '.'],
-    'defines': ['<@(openssl_defines_%%-$arch-%%)'],
+    'defines': ['<@(openssl_defines_exported_%%-$arch-%%)'],
   },
 }

deps/openssl/openssl.gyp

@@ -19,6 +19,11 @@
     {
       'target_name': 'openssl',
       'type': '<(library)',
+      'dependencies': [
+        '../zlib/zlib.gyp:zlib',
+        '../brotli/brotli.gyp:brotli',
+        '../zstd/zstd.gyp:zstd',
+      ],
       'includes': ['./openssl_common.gypi'],
       'defines': [
         # Compile out hardware engines.  Most are stubs that dynamically load

deps/openssl/openssl.gypi

@@ -1254,9 +1254,6 @@
       # for reducing the overall entropy.
       'PURIFY',
 
-      # Compression is not used and considered insecure (CRIME.)
-      'OPENSSL_NO_COMP',
-
       # SSLv3 is susceptible to downgrade attacks (POODLE.)
       'OPENSSL_NO_SSL3',
 

test/addons/openssl-client-cert-engine/binding.gyp

@@ -13,10 +13,8 @@
           'sources': [ 'testengine.cc' ],
           'product_extension': 'engine',
           'include_dirs': ['../../../deps/openssl/openssl/include'],
-          'link_settings': {
-            'libraries': [
-              '../../../../out/<(PRODUCT_DIR)/<(openssl_product)'
-            ]
+          'xcode_settings': {
+            'OTHER_LDFLAGS': ['-undefined', 'dynamic_lookup'],
           },
         }],
       ]

test/addons/openssl-key-engine/binding.gyp

@@ -13,10 +13,8 @@
           'sources': [ 'testkeyengine.cc' ],
           'product_extension': 'engine',
           'include_dirs': ['../../../deps/openssl/openssl/include'],
-          'link_settings': {
-            'libraries': [
-              '../../../../out/<(PRODUCT_DIR)/<(openssl_product)'
-            ]
+          'xcode_settings': {
+            'OTHER_LDFLAGS': ['-undefined', 'dynamic_lookup'],
           },
         }],
       ]

test/addons/openssl-test-engine/binding.gyp

@@ -17,11 +17,7 @@
             ['OS=="mac"', {
               'xcode_settings': {
                 'OTHER_CFLAGS': ['-Wno-deprecated-declarations'],
-              },
-              'link_settings': {
-                'libraries': [
-                  '../../../../out/<(PRODUCT_DIR)/<(openssl_product)'
-                ]
+                'OTHER_LDFLAGS': ['-undefined', 'dynamic_lookup'],
               },
             }],
             ['OS=="linux"', {