From 263b1d9a46ea53de9920707c08a583f9bab552fb Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Mon, 18 Apr 2016 21:26:30 -0700
Subject: [PATCH 1/3] doc: note that process.config can and will be changed

PR-URL: https://github.com/nodejs/node/pull/6266
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
---
 doc/api/process.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/api/process.md b/doc/api/process.md
index c7f2567ccf5aff..494a57ffe6be33 100644
--- a/doc/api/process.md
+++ b/doc/api/process.md
@@ -375,6 +375,10 @@ An example of the possible output looks like:
 }
 ```
 
+*Note: the `process.config` property is **not** read-only and there are existing
+modules in the ecosystem that are known to extend, modify, or entirely replace
+the value of `process.config`.*
+
 ## process.connected
 
 * {Boolean} Set to false after `process.disconnect()` is called

From 1ad35c370d3d1faf03d90a845b6061ba2919f67a Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Mon, 18 Apr 2016 21:02:18 -0700
Subject: [PATCH 2/3] src: add process.binding('config')

It turns out that userland likes to override process.config with
their own stuff. If we want to be able to depend on it in any way,
we need our own internal mechanism.

This adds a new private process.binding('config') that is
intended to serve as a container for internal flags and compile
time configs that need to be passed on to the JS layer.

PR-URL: https://github.com/nodejs/node/pull/6266
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
---
 node.gyp           |  1 +
 src/node_config.cc | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 src/node_config.cc

diff --git a/node.gyp b/node.gyp
index 240922d619337f..5058682bff8f8e 100644
--- a/node.gyp
+++ b/node.gyp
@@ -124,6 +124,7 @@
         'src/js_stream.cc',
         'src/node.cc',
         'src/node_buffer.cc',
+        'src/node_config.cc',
         'src/node_constants.cc',
         'src/node_contextify.cc',
         'src/node_file.cc',
diff --git a/src/node_config.cc b/src/node_config.cc
new file mode 100644
index 00000000000000..e50002bc64c202
--- /dev/null
+++ b/src/node_config.cc
@@ -0,0 +1,36 @@
+#include "node.h"
+#include "env.h"
+#include "env-inl.h"
+#include "util.h"
+#include "util-inl.h"
+
+
+namespace node {
+
+using v8::Context;
+using v8::Local;
+using v8::Object;
+using v8::Value;
+using v8::ReadOnly;
+
+// The config binding is used to provide an internal view of compile or runtime
+// config options that are required internally by lib/*.js code. This is an
+// alternative to dropping additional properties onto the process object as
+// has been the practice previously in node.cc.
+
+#define READONLY_BOOLEAN_PROPERTY(str)                                        \
+  do {                                                                        \
+    target->DefineOwnProperty(env->context(),                                 \
+                              OneByteString(env->isolate(), str),             \
+                              True(env->isolate()), ReadOnly).FromJust();     \
+  } while (0)
+
+void InitConfig(Local<Object> target,
+                Local<Value> unused,
+                Local<Context> context) {
+  // Environment* env = Environment::GetCurrent(context);
+}
+
+}  // namespace node
+
+NODE_MODULE_CONTEXT_AWARE_BUILTIN(config, node::InitConfig)

From 544443673190416d9403094a30dd5c50ece73f5a Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Tue, 5 Jul 2016 16:24:35 -0700
Subject: [PATCH 3/3] tls: use process.binding('config') to detect fips mode

When the fips mode check was added sometime in v4 it caused a
regression in some edge cases (see https://github.com/nodejs/node/issues/6114)
because `process.config` can be overwritten by userland modules.
This switches to using the backported process.binding('config') to
fix the regression.

Fixes: https://github.com/nodejs/node/issues/6114
---
 lib/_tls_wrap.js   | 2 +-
 src/node_config.cc | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index c115555ce7a7ff..5c5370e09c19e0 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -19,7 +19,7 @@ const defaultSessionIdContext = getDefaultSessionIdContext();
 function getDefaultSessionIdContext() {
   var defaultText = process.argv.join(' ');
   /* SSL_MAX_SID_CTX_LENGTH is 128 bits */
-  if (process.config.variables.openssl_fips) {
+  if (process.binding('config').fipsMode) {
     return crypto.createHash('sha1')
       .update(defaultText)
       .digest('hex').slice(0, 32);
diff --git a/src/node_config.cc b/src/node_config.cc
index e50002bc64c202..6fe22a4f985dab 100644
--- a/src/node_config.cc
+++ b/src/node_config.cc
@@ -28,7 +28,10 @@ using v8::ReadOnly;
 void InitConfig(Local<Object> target,
                 Local<Value> unused,
                 Local<Context> context) {
-  // Environment* env = Environment::GetCurrent(context);
+#ifdef NODE_FIPS_MODE
+  Environment* env = Environment::GetCurrent(context);
+  READONLY_BOOLEAN_PROPERTY("fipsMode");
+#endif
 }
 
 }  // namespace node