autotools/Makefiles: enable reproducible build by default for FIPS, and add -DHAVE_REPRODUCIBLE_BUILD to AM_CFLAGS;

refactor the HAVE_WC_INTROSPECTION mechanism to pass build params via $output_objdir/.build_params rather than abusing autotools config.h to pass them;

add support for EXTRA_CFLAGS on the make command line;

in FIPS builds, exclude pkcallbacks from --enable-all;

linuxkm: move test.o out of PIE container (uses function pointers as operands).
Daniel Pouzzner
2021-08-27 23:03:14 -05:00
parent f1c1f76851
commit 947a0d6a2f
5 changed files with 66 additions and 42 deletions


@@ -24,6 +24,9 @@ noinst_DATA =
SUBDIRS_OPT = SUBDIRS_OPT =
DIST_SUBDIRS_OPT = DIST_SUBDIRS_OPT =
# allow supplementary or override flags to be passed at make time:
AM_CFLAGS += $(EXTRA_CFLAGS)
#includes additional rules from aminclude.am #includes additional rules from aminclude.am
@INC_AMINCLUDE@ @INC_AMINCLUDE@
DISTCLEANFILES+= aminclude.am DISTCLEANFILES+= aminclude.am
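Review bot: `-D` flags supplied only at make time reach the compiler through the added `AM_CFLAGS += $(EXTRA_CFLAGS)`, but they are not recorded in the generated user options header, because the `for option in ... $EXTRA_CFLAGS` loop that writes `$OPTION_FILE` runs once at configure time. An application compiled against that header can then disagree with the library about feature macros. I would extend the comment above the line to say so, for example `# note: -D flags given only at make time are not written to the generated options header; pass feature defines to configure instead.`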


@@ -35,6 +35,8 @@ AC_CONFIG_HEADERS([config.h:config.in])
LT_PREREQ([2.4.2]) LT_PREREQ([2.4.2])
LT_INIT([disable-static win32-dll]) LT_INIT([disable-static win32-dll])
AC_ARG_VAR(EXTRA_CFLAGS, [Extra CFLAGS to add to autoconf-computed arg list. Can also supply directly to make.])
#shared library versioning #shared library versioning
WOLFSSL_LIBRARY_VERSION=29:1:5 WOLFSSL_LIBRARY_VERSION=29:1:5
# | | | # | | |
@@ -82,31 +84,6 @@ else
REPRODUCIBLE_BUILD_DEFAULT=no REPRODUCIBLE_BUILD_DEFAULT=no
fi fi
# For reproducible build, gate out from the build anything that might
# introduce semantically frivolous jitter, maximizing chance of
# identical object files.
AC_ARG_ENABLE([reproducible-build],
[AS_HELP_STRING([--enable-reproducible-build],[Enable maximally reproducible build (default: disabled)])],
[ ENABLED_REPRODUCIBLE_BUILD=$enableval ],
[ ENABLED_REPRODUCIBLE_BUILD=$REPRODUCIBLE_BUILD_DEFAULT ]
)
# Test ar for the "U" or "D" options. Should be checked before the libtool macros.
xxx_ar_flags=$(ar --help 2>&1)
if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes"
then
AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[AR_FLAGS="Dcr"])
else
AS_CASE([$xxx_ar_flags],[*'use actual timestamps and uids/gids'*],[AR_FLAGS="Ucru"])
fi
xxx_ranlib_flags=$(ranlib --help 2>&1)
if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes"
then
AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[RANLIB="ranlib -D"])
else
AS_CASE([$xxx_ranlib_flags],[*'Use actual symbol map timestamp'*],[RANLIB="ranlib -U"])
fi
AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h]) AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h])
AC_CHECK_LIB([network],[socket]) AC_CHECK_LIB([network],[socket])
@@ -161,6 +138,11 @@ DEBUG_CFLAGS="-g -DDEBUG -DDEBUG_WOLFSSL"
LIB_ADD= LIB_ADD=
LIB_STATIC_ADD= LIB_STATIC_ADD=
if test "$output_objdir" = ""
then
output_objdir=.
fi
# Thread local storage # Thread local storage
AX_TLS([thread_ls_on=yes],[thread_ls_on=no]) AX_TLS([thread_ls_on=yes],[thread_ls_on=no])
AS_IF([test "x$thread_ls_on" = "xyes"],[AM_CFLAGS="$AM_CFLAGS -DHAVE_THREAD_LS"]) AS_IF([test "x$thread_ls_on" = "xyes"],[AM_CFLAGS="$AM_CFLAGS -DHAVE_THREAD_LS"])
@@ -223,6 +205,11 @@ AC_ARG_ENABLE([fips],
[ENABLED_FIPS=$enableval], [ENABLED_FIPS=$enableval],
[ENABLED_FIPS="no"]) [ENABLED_FIPS="no"])
if test "$ENABLED_FIPS" != "no"
then
REPRODUCIBLE_BUILD_DEFAULT=yes
fi
# The FIPS options are: # The FIPS options are:
# v5 - FIPS 140-3 (wolfCrypt v5.0.0) # v5 - FIPS 140-3 (wolfCrypt v5.0.0)
# v3 - FIPS Ready # v3 - FIPS Ready
@@ -280,6 +267,30 @@ AC_ARG_ENABLE([fips-3],
[ENABLED_FIPS_140_3="no"]) [ENABLED_FIPS_140_3="no"])
AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v5"]) AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v5"])
# For reproducible build, gate out from the build anything that might
# introduce semantically frivolous jitter, maximizing chance of
# identical object files.
AC_ARG_ENABLE([reproducible-build],
[AS_HELP_STRING([--enable-reproducible-build],[Enable maximally reproducible build (default: disabled)])],
[ ENABLED_REPRODUCIBLE_BUILD=$enableval ],
[ ENABLED_REPRODUCIBLE_BUILD=$REPRODUCIBLE_BUILD_DEFAULT ]
)
# Test ar for the "U" or "D" options. Should be checked before the libtool macros.
xxx_ar_flags=$(ar --help 2>&1)
xxx_ranlib_flags=$(ranlib --help 2>&1)
if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_REPRODUCIBLE_BUILD"
AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[AR_FLAGS="Dcr"])
AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[RANLIB="ranlib -D"])
else
AS_CASE([$xxx_ar_flags],[*'use actual timestamps and uids/gids'*],[AR_FLAGS="Ucru"])
AS_CASE([$xxx_ranlib_flags],[*'Use actual symbol map timestamp'*],[RANLIB="ranlib -U"])
fi
# Linux Kernel Module # Linux Kernel Module
AC_ARG_ENABLE([linuxkm], AC_ARG_ENABLE([linuxkm],
[AS_HELP_STRING([--enable-linuxkm],[Enable Linux Kernel Module (default: disabled)])], [AS_HELP_STRING([--enable-linuxkm],[Enable Linux Kernel Module (default: disabled)])],
@@ -327,6 +338,7 @@ if test "x$ENABLED_LINUXKM" = "xyes"
then then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM"
ENABLED_NO_LIBRARY=yes ENABLED_NO_LIBRARY=yes
output_objdir="$(realpath "$output_objdir")/linuxkm"
if test "$KERNEL_ROOT" = ""; then if test "$KERNEL_ROOT" = ""; then
AC_PATH_DEFAULT_KERNEL_SOURCE AC_PATH_DEFAULT_KERNEL_SOURCE
@@ -415,7 +427,6 @@ then
test "$enable_savesession" = "" && enable_savesession=yes test "$enable_savesession" = "" && enable_savesession=yes
test "$enable_savecert" = "" && enable_savecert=yes test "$enable_savecert" = "" && enable_savecert=yes
test "$enable_atomicuser" = "" && enable_atomicuser=yes test "$enable_atomicuser" = "" && enable_atomicuser=yes
test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes
test "$enable_aesgcm" = "" && enable_aesgcm=yes test "$enable_aesgcm" = "" && enable_aesgcm=yes
test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes
test "$enable_aesccm" = "" && enable_aesccm=yes test "$enable_aesccm" = "" && enable_aesccm=yes
@@ -509,6 +520,8 @@ then
fi fi
# S/MIME support requires PKCS7, which requires no FIPS. # S/MIME support requires PKCS7, which requires no FIPS.
test "$enable_smime" = "" && enable_smime=yes test "$enable_smime" = "" && enable_smime=yes
# JNI uses pkcallbacks.
test "$enable_jni" = "" && enable_jni=yes
fi fi
test "$enable_opensslextra" = "" && enable_opensslextra=yes test "$enable_opensslextra" = "" && enable_opensslextra=yes
test "$enable_opensslall" = "" && enable_opensslall=yes test "$enable_opensslall" = "" && enable_opensslall=yes
@@ -527,6 +540,7 @@ then
if test "$ENABLED_FIPS" = "no" if test "$ENABLED_FIPS" = "no"
then then
test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes
test "$enable_xchacha" = "" && enable_xchacha=yes test "$enable_xchacha" = "" && enable_xchacha=yes
test "$enable_scep" = "" && enable_scep=yes test "$enable_scep" = "" && enable_scep=yes
test "$enable_pkcs7" = "" && enable_pkcs7=yes test "$enable_pkcs7" = "" && enable_pkcs7=yes
@@ -579,7 +593,6 @@ AC_ARG_ENABLE([all-crypto],
if test "$ENABLED_ALL_CRYPT" = "yes" if test "$ENABLED_ALL_CRYPT" = "yes"
then then
test "$enable_atomicuser" = "" && enable_atomicuser=yes test "$enable_atomicuser" = "" && enable_atomicuser=yes
test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes
test "$enable_aesgcm" = "" && enable_aesgcm=yes test "$enable_aesgcm" = "" && enable_aesgcm=yes
test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes
test "$enable_aesccm" = "" && enable_aesccm=yes test "$enable_aesccm" = "" && enable_aesccm=yes
@@ -652,6 +665,7 @@ then
if test "$ENABLED_FIPS" = "no" if test "$ENABLED_FIPS" = "no"
then then
test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes
test "$enable_xchacha" = "" && enable_xchacha=yes test "$enable_xchacha" = "" && enable_xchacha=yes
test "$enable_pkcs7" = "" && enable_pkcs7=yes test "$enable_pkcs7" = "" && enable_pkcs7=yes
if test "$ENABLED_32BIT" != "yes" if test "$ENABLED_32BIT" != "yes"
@@ -7183,11 +7197,12 @@ AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"])
AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"]) AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"])
AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"]) AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"])
if test "$ax_enable_debug" = "yes" || if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" &&
(test "$ax_enable_debug" = "yes" ||
test "$ENABLED_STACKSIZE" != "no" || test "$ENABLED_STACKSIZE" != "no" ||
(test "$ENABLED_LEANTLS" = "no" && (test "$ENABLED_LEANTLS" = "no" &&
test "$ENABLED_LEANPSK" = "no" && test "$ENABLED_LEANPSK" = "no" &&
test "$ENABLED_LOWRESOURCE" = "no") test "$ENABLED_LOWRESOURCE" = "no"))
then then
AM_CFLAGS="$AM_CFLAGS -DHAVE_WC_INTROSPECTION" AM_CFLAGS="$AM_CFLAGS -DHAVE_WC_INTROSPECTION"
fi fi
@@ -7238,6 +7253,14 @@ else
make clean >/dev/null make clean >/dev/null
fi fi
if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes"
then
echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" > ${output_objdir}/.build_params &&
echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> ${output_objdir}/.build_params ||
AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.])
AM_CFLAGS="-include ${output_objdir}/.build_params $AM_CFLAGS"
fi
# generate user options header # generate user options header
AC_MSG_NOTICE([---]) AC_MSG_NOTICE([---])
AC_MSG_NOTICE([Generating user options header...]) AC_MSG_NOTICE([Generating user options header...])
@@ -7264,7 +7287,7 @@ echo "extern \"C\" {" >> $OPTION_FILE
echo "#endif" >> $OPTION_FILE echo "#endif" >> $OPTION_FILE
echo "" >> $OPTION_FILE echo "" >> $OPTION_FILE
for option in $CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS; do for option in $CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS $EXTRA_CFLAGS; do
defonly=`echo $option | sed 's/^-D//'` defonly=`echo $option | sed 's/^-D//'`
if test "$defonly" != "$option" if test "$defonly" != "$option"
then then
@@ -7570,14 +7593,6 @@ echo "---"
fi # $silent != yes fi # $silent != yes
if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes"
then
echo >> config.h
echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" >> config.h
echo >> config.h
echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\"" >> config.h
fi
################################################################################ ################################################################################
# Show warnings at bottom so they are noticed # Show warnings at bottom so they are noticed
################################################################################ ################################################################################
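Review bot: The FIPS default added right after `AC_ARG_ENABLE([fips]` (`if test "$ENABLED_FIPS" != "no"` ... `REPRODUCIBLE_BUILD_DEFAULT=yes`) is evaluated before the `--enable-fips-3` handling, whose `AS_IF` sets `ENABLED_FIPS="yes"` only later. As far as the visible hunks show, a build configured with `--enable-fips-3` alone reaches `AC_ARG_ENABLE([reproducible-build]` with the default still `no`, so it keeps `HAVE_WC_INTROSPECTION` and the `.build_params` embedding that the commit message says FIPS builds should drop by default. Placing the test immediately before that macro covers both paths: `test "$ENABLED_FIPS" != "no" && REPRODUCIBLE_BUILD_DEFAULT=yes`. The help text `(default: disabled)` should then mention the FIPS default as well. The code between the two hunks is not shown, so confirm this against the full file.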


@@ -33,7 +33,7 @@ ifndef SRC_TOP
SRC_TOP=$(shell dirname $(MODULE_TOP)) SRC_TOP=$(shell dirname $(MODULE_TOP))
endif endif
WOLFSSL_CFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -Wno-declaration-after-statement -Wno-redundant-decls WOLFSSL_CFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -Wno-declaration-after-statement -Wno-redundant-decls -DLIBWOLFSSL_GLOBAL_EXTRA_CFLAGS="\" $(KERNEL_EXTRA_CFLAGS)\""
ifdef KERNEL_EXTRA_CFLAGS ifdef KERNEL_EXTRA_CFLAGS
WOLFSSL_CFLAGS += $(KERNEL_EXTRA_CFLAGS) WOLFSSL_CFLAGS += $(KERNEL_EXTRA_CFLAGS)
endif endif
@@ -49,7 +49,7 @@ else
endif endif
ifeq "$(ENABLED_LINUXKM_PIE)" "yes" ifeq "$(ENABLED_LINUXKM_PIE)" "yes"
WOLFCRYPT_PIE_FILES := linuxkm/pie_first.o $(filter wolfcrypt/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o linuxkm/pie_last.o WOLFCRYPT_PIE_FILES := linuxkm/pie_first.o $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o linuxkm/pie_last.o
WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES)) WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES))
endif endif
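Review bot: The new `-DLIBWOLFSSL_GLOBAL_EXTRA_CFLAGS="\" $(KERNEL_EXTRA_CFLAGS)\""` on the `WOLFSSL_CFLAGS` line pastes the make variable verbatim into a shell-quoted C string literal. A value that itself contains a double quote or backslash, such as a string-valued `-D`, ends the quoting early and produces a broken compile line or a different macro than intended. The same construction appears with `$(EXTRA_CFLAGS)` on `src_libwolfssl_la_CFLAGS` in the next file section. The `.build_params` writer in the configure script embeds `$ac_configure_args` and the flag variables unescaped in the same way. At minimum, document the restriction next to the assignment, for example `# KERNEL_EXTRA_CFLAGS is embedded verbatim in a C string literal below: it must not contain double quotes or backslashes.`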


@@ -50,7 +50,7 @@ endif
src_libwolfssl_la_SOURCES = src_libwolfssl_la_SOURCES =
src_libwolfssl_la_LDFLAGS = ${AM_LDFLAGS} -no-undefined -version-info ${WOLFSSL_LIBRARY_VERSION} src_libwolfssl_la_LDFLAGS = ${AM_LDFLAGS} -no-undefined -version-info ${WOLFSSL_LIBRARY_VERSION}
src_libwolfssl_la_LIBADD = $(LIBM) $(LIB_ADD) $(LIB_STATIC_ADD) src_libwolfssl_la_LIBADD = $(LIBM) $(LIB_ADD) $(LIB_STATIC_ADD)
src_libwolfssl_la_CFLAGS = -DBUILDING_WOLFSSL $(AM_CFLAGS) src_libwolfssl_la_CFLAGS = -DBUILDING_WOLFSSL $(AM_CFLAGS) -DLIBWOLFSSL_GLOBAL_EXTRA_CFLAGS="\" $(EXTRA_CFLAGS)\""
src_libwolfssl_la_CPPFLAGS = -DBUILDING_WOLFSSL $(AM_CPPFLAGS) src_libwolfssl_la_CPPFLAGS = -DBUILDING_WOLFSSL $(AM_CPPFLAGS)
# install the packaged IPP libraries # install the packaged IPP libraries


@@ -109,6 +109,12 @@ decouple library dependencies with standard string, memory and so on.
#endif #endif
#endif #endif
/* helpers for stringifying the expanded value of a macro argument rather
* than its literal text:
*/
#define STRINGIFY_L2(str) #str
#define STRINGIFY(str) STRINGIFY_L2(str)
/* try to set SIZEOF_LONG or SIZEOF_LONG_LONG if user didn't */ /* try to set SIZEOF_LONG or SIZEOF_LONG_LONG if user didn't */
#if defined(_MSC_VER) || defined(HAVE_LIMITS_H) #if defined(_MSC_VER) || defined(HAVE_LIMITS_H)
/* make sure both SIZEOF_LONG_LONG and SIZEOF_LONG are set, /* make sure both SIZEOF_LONG_LONG and SIZEOF_LONG are set,
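Review bot: The added `STRINGIFY` and `STRINGIFY_L2` are unprefixed and unguarded, which risks a name clash if this header is installed and included by applications (not confirmable from the hunk). Many code bases define their own `STRINGIFY`, and a differing definition gives a redefinition diagnostic or silently changes which expansion is used. A library-prefixed name would avoid the collision, for example one using the `WC_` prefix seen elsewhere in this commit. Alternatively wrap the pair in a guard: `#ifndef STRINGIFY` / `#define STRINGIFY_L2(str) #str` / `#define STRINGIFY(str) STRINGIFY_L2(str)` / `#endif`.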