
Node 18 reads openssl.cnf from /home/iojs/build/... upon startup on MacOS

Medium
Node.js
Reported by mhdawson

Vulnerability Details

Technical details and impact analysis

Cryptographic Issues - Generic
**Summary:** Similar to https://hackerone.com/reports/1623175 it looks like in Node 18 and later, when it starts it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf on MacOS, which ordinarily doesn't exist. This is even after the fix for Linux. The attack would be an attacker with access to a shared MacOS host with a self-chosen username (iojs) being able to affect the OpenSSL configuration of other users. I believe the iojs home directory is something configured within the Node.js build/CI pipeline, as opposed to something internal to OpenSSL.

**Description:**

## Steps To Reproduce:

From inspection of the code, look at the path specified in:
https://github.com/nodejs/node/blob/7f9cd60eef6fad245baed9896ec6376b693e089a/deps/openssl/openssl.gyp#L24

'openssl_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl',

and unlike other platforms, this is not overridden on MacOS in "/deps/openssl/openssl_common.gypi".

This is a similar problem to what was fixed for Linux in https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#attempt-to-read-openssl-cnf-from-home-iojs-build-upon-startup-medium-cve-2022-32222

## Impact:

The openssl.cnf file is being read as part of OpenSSL's initialization; this is used to configure Node.js.

## Supporting Material/References:

This is the suggested fix (also includes removing existing compiler warnings about duplicate OPENSSL definitions):

diff --git a/deps/openssl/openssl.gyp b/deps/openssl/openssl.gyp 2 index 7b1278044e..861bbc5844 100644 3 --- a/deps/openssl/openssl.gyp 4 +++ b/deps/openssl/openssl.gyp 5
@@ -7,21 +7,17 @@ 6 'conditions': [ 7 ['OS == "win"', { 8 'obj_dir_abs': '<(PRODUCT_DIR_ABS)/obj', 9 - 'openssl_dir': '<(PRODUCT_DIR_ABS)/obj/lib', 10 }], 11 ['GENERATOR == "ninja"', { 12 'obj_dir_abs': '<(PRODUCT_DIR_ABS)/obj', 13 'modules_dir': '<(PRODUCT_DIR_ABS)/obj/lib/openssl-modules', 14 - 'openssl_dir': '<(PRODUCT_DIR_ABS)/obj/lib', 15 }, { 16 'obj_dir_abs%': '<(PRODUCT_DIR_ABS)/obj.target', 17 'modules_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl/lib/openssl-modules', 18 - 'openssl_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl', 19 }], 20 ['OS=="mac"', { 21 'obj_dir_abs%': '<(PRODUCT_DIR_ABS)/obj.target', 22 'modules_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl/lib/openssl-modules', 23 - 'openssl_dir': '<(PRODUCT_DIR_ABS)/obj.target/deps/openssl', 24 }], 25 ], 26 }, 27 @@ -57,7 +53,6 @@ 28 ['node_shared_openssl=="false"', { 29 'defines': [ 30 'MODULESDIR="<(modules_dir)"', 31 - 'OPENSSLDIR="<(openssl_dir)"', 32 ] 33 }], 34 ], 35 diff --git a/deps/openssl/openssl_common.gypi b/deps/openssl/openssl_common.gypi 36 index d4e39e8416..256eb7d180 100644 37 --- a/deps/openssl/openssl_common.gypi 38 +++ b/deps/openssl/openssl_common.gypi 39 @@ -49,6 +49,7 @@ 40 'WARNING_CFLAGS': ['-Wno-missing-field-initializers'] 41 }, 42 'defines': [ 43 + 'OPENSSLDIR="/System/Library/OpenSSL/"', 44 'ENGINESDIR="/dev/null"', 45 ], 46 }, 'OS=="solaris"', {

## Impact

The openssl.cnf file contains security configuration information for OpenSSL. It's possible that changing things like default ciphers could affect the security of an application using it.
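Review bot: the first openssl.gyp hunk (@@ -7,21 +7,17 @@) removes 'openssl_dir' from every branch of the conditions list (win, ninja, the non-ninja default and mac), yet the only replacement visible in this patch is the mac-only 'OPENSSLDIR="/System/Library/OpenSSL/"' define in openssl_common.gypi. Before merging, confirm that the Windows, Linux and other non-mac builds still obtain an OPENSSLDIR from somewhere else (the report says Linux was fixed separately, but that fix is not in these hunks); otherwise those platforms silently switch from the build-tree path to whatever OpenSSL's own default is. A one-line comment beside the removed entries saying where OPENSSLDIR is now set per platform would keep a future contributor from re-adding the build-tree value.

Review bot: in the openssl_common.gypi hunk (@@ -49,6 +49,7 @@) the added define carries a trailing slash, '/System/Library/OpenSSL/', while OpenSSL itself appends "/openssl.cnf" to OPENSSLDIR, giving a double slash; harmless on macOS but inconsistent with the neighbouring defines, so drop it. The more important gap is documentation: the adjacent 'ENGINESDIR="/dev/null"' line shows the project already uses a sentinel that can never be populated, so a comment should state whether the intent here is to honour a system-managed config under /System/Library/OpenSSL if one exists, or only to move the lookup out of any user-creatable path (in which case a /dev/null-style sentinel would be the more conservative choice).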
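As an added check (not code from the report or from the Node.js project): a small Node script that, given the OPENSSLDIR baked into a build, says which openssl.cnf the bundled OpenSSL will try to read at startup and whether that path sits in a user-creatable location such as the /home/iojs build tree above. The binary-scanning helper, its regular expressions and the marker lists are my assumptions, not anything OpenSSL or Node.js exposes.

```javascript
// Added audit helper (not from the report or the Node.js project): given the
// OPENSSLDIR a Node build was compiled with, work out which openssl.cnf the
// bundled OpenSSL will look for at startup and whether that location sits in a
// place an unprivileged local user could create, as in the /home/iojs case.

// Prefixes under which an ordinary account owns the tree (Linux and macOS).
const USER_HOME_ROOTS = ['/home/', '/Users/'];
// Fragments that betray a CI build tree baked into a shipped binary; taken
// from the openssl.gyp snippets in the report.
const BUILD_TREE_MARKERS = ['/out/Release/', '/obj.target/', '/obj/lib'];

function classifyOpenSslDir(opensslDir) {
  // OpenSSL forms the default config path as OPENSSLDIR + "/openssl.cnf".
  const dir = opensslDir.trim().replace(/\/+$/, '');
  const cnf = `${dir}/openssl.cnf`;
  const findings = [];
  const homeRoot = USER_HOME_ROOTS.find((r) => dir.startsWith(r));
  if (homeRoot) {
    const user = dir.slice(homeRoot.length).split('/')[0];
    findings.push(`lives under the home directory of user "${user}"; ` +
      `whoever holds that account can create ${cnf}`);
  }
  if (BUILD_TREE_MARKERS.some((m) => dir.includes(m))) {
    findings.push('is a build-tree path that normally does not exist on ' +
      'end-user machines, so nothing stops it being created');
  }
  return { opensslCnf: cnf, risky: findings.length > 0, findings };
}

// Heuristic (assumption, not an OpenSSL API): the compile-time OPENSSLDIR is
// embedded in the binary as a NUL-terminated C string, so pull out printable
// runs that look like an OpenSSL directory. A clean build may yield nothing.
function findOpenSslDirStrings(image) {
  const hits = new Set();
  for (const m of image.toString('latin1').matchAll(/\/[\x20-\x7e]{8,}/g)) {
    const s = m[0];
    if (s.endsWith('/deps/openssl') || /\/openssl\/?$/i.test(s)) hits.add(s);
  }
  return [...hits];
}

// Usage: node audit-openssldir.js "$(command -v node)"
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const image = require('fs').readFileSync(process.argv[2]);
  for (const dir of findOpenSslDirStrings(image)) {
    const r = classifyOpenSslDir(dir);
    console.log(`${r.opensslCnf}: ${r.risky ? r.findings.join('; ') : 'ok'}`);
  }
}
```

Point it at a Node 18 binary built before the fix and the /home/iojs path above is reported with both findings; a binary carrying only the /System/Library/OpenSSL define reports "ok".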

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Cryptographic Issues - Generic