From 947a0d6a2f9a7cc8e54dd646fa4e42e0ef0f1f0f Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 27 Aug 2021 23:03:14 -0500 Subject: [PATCH] autotools/Makefiles: enable reproducible build by default for FIPS, and add -DHAVE_REPRODUCIBLE_BUILD to AM_CFLAGS; refactor the HAVE_WC_INTROSPECTION mechanism to pass build params via $output_objdir/.build_params rather than abusing autotools config.h to pass them; add support for EXTRA_CFLAGS on the make command line; in FIPS builds, exclude pkcallbacks from --enable-all; linuxkm: move test.o out of PIE container (uses function pointers as operands). --- Makefile.am | 3 ++ configure.ac | 91 +++++++++++++++++++++++---------------- linuxkm/Makefile | 4 +- src/include.am | 2 +- wolfssl/wolfcrypt/types.h | 8 +++- 5 files changed, 66 insertions(+), 42 deletions(-) diff --git a/Makefile.am b/Makefile.am index 2fefc9cae..71d7ae651 100644 --- a/Makefile.am +++ b/Makefile.am @@ -24,6 +24,9 @@ noinst_DATA = SUBDIRS_OPT = DIST_SUBDIRS_OPT = +# allow supplementary or override flags to be passed at make time: +AM_CFLAGS += $(EXTRA_CFLAGS) + #includes additional rules from aminclude.am @INC_AMINCLUDE@ DISTCLEANFILES+= aminclude.am diff --git a/configure.ac b/configure.ac index e6797abe5..f4655ba6b 100644 --- a/configure.ac +++ b/configure.ac @@ -35,6 +35,8 @@ AC_CONFIG_HEADERS([config.h:config.in]) LT_PREREQ([2.4.2]) LT_INIT([disable-static win32-dll]) +AC_ARG_VAR(EXTRA_CFLAGS, [Extra CFLAGS to add to autoconf-computed arg list. Can also supply directly to make.]) + #shared library versioning WOLFSSL_LIBRARY_VERSION=29:1:5 # | | | @@ -82,31 +84,6 @@ else REPRODUCIBLE_BUILD_DEFAULT=no fi -# For reproducible build, gate out from the build anything that might -# introduce semantically frivolous jitter, maximizing chance of -# identical object files. -AC_ARG_ENABLE([reproducible-build], - [AS_HELP_STRING([--enable-reproducible-build],[Enable maximally reproducible build (default: disabled)])], - [ ENABLED_REPRODUCIBLE_BUILD=$enableval ], - [ ENABLED_REPRODUCIBLE_BUILD=$REPRODUCIBLE_BUILD_DEFAULT ] - ) - -# Test ar for the "U" or "D" options. Should be checked before the libtool macros. -xxx_ar_flags=$(ar --help 2>&1) -if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes" -then - AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[AR_FLAGS="Dcr"]) -else - AS_CASE([$xxx_ar_flags],[*'use actual timestamps and uids/gids'*],[AR_FLAGS="Ucru"]) -fi -xxx_ranlib_flags=$(ranlib --help 2>&1) -if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes" -then - AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[RANLIB="ranlib -D"]) -else - AS_CASE([$xxx_ranlib_flags],[*'Use actual symbol map timestamp'*],[RANLIB="ranlib -U"]) -fi - AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h]) AC_CHECK_LIB([network],[socket]) @@ -161,6 +138,11 @@ DEBUG_CFLAGS="-g -DDEBUG -DDEBUG_WOLFSSL" LIB_ADD= LIB_STATIC_ADD= +if test "$output_objdir" = "" +then + output_objdir=. +fi + # Thread local storage AX_TLS([thread_ls_on=yes],[thread_ls_on=no]) AS_IF([test "x$thread_ls_on" = "xyes"],[AM_CFLAGS="$AM_CFLAGS -DHAVE_THREAD_LS"]) @@ -223,6 +205,11 @@ AC_ARG_ENABLE([fips], [ENABLED_FIPS=$enableval], [ENABLED_FIPS="no"]) +if test "$ENABLED_FIPS" != "no" +then + REPRODUCIBLE_BUILD_DEFAULT=yes +fi + # The FIPS options are: # v5 - FIPS 140-3 (wolfCrypt v5.0.0) # v3 - FIPS Ready @@ -280,6 +267,30 @@ AC_ARG_ENABLE([fips-3], [ENABLED_FIPS_140_3="no"]) AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v5"]) + +# For reproducible build, gate out from the build anything that might +# introduce semantically frivolous jitter, maximizing chance of +# identical object files. +AC_ARG_ENABLE([reproducible-build], + [AS_HELP_STRING([--enable-reproducible-build],[Enable maximally reproducible build (default: disabled)])], + [ ENABLED_REPRODUCIBLE_BUILD=$enableval ], + [ ENABLED_REPRODUCIBLE_BUILD=$REPRODUCIBLE_BUILD_DEFAULT ] + ) + +# Test ar for the "U" or "D" options. Should be checked before the libtool macros. +xxx_ar_flags=$(ar --help 2>&1) +xxx_ranlib_flags=$(ranlib --help 2>&1) +if test "$ENABLED_REPRODUCIBLE_BUILD" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_REPRODUCIBLE_BUILD" + AS_CASE([$xxx_ar_flags],[*'use zero for timestamps and uids/gids'*],[AR_FLAGS="Dcr"]) + AS_CASE([$xxx_ranlib_flags],[*'Use zero for symbol map timestamp'*],[RANLIB="ranlib -D"]) +else + AS_CASE([$xxx_ar_flags],[*'use actual timestamps and uids/gids'*],[AR_FLAGS="Ucru"]) + AS_CASE([$xxx_ranlib_flags],[*'Use actual symbol map timestamp'*],[RANLIB="ranlib -U"]) +fi + + # Linux Kernel Module AC_ARG_ENABLE([linuxkm], [AS_HELP_STRING([--enable-linuxkm],[Enable Linux Kernel Module (default: disabled)])], @@ -327,6 +338,7 @@ if test "x$ENABLED_LINUXKM" = "xyes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM" ENABLED_NO_LIBRARY=yes + output_objdir="$(realpath "$output_objdir")/linuxkm" if test "$KERNEL_ROOT" = ""; then AC_PATH_DEFAULT_KERNEL_SOURCE @@ -415,7 +427,6 @@ then test "$enable_savesession" = "" && enable_savesession=yes test "$enable_savecert" = "" && enable_savecert=yes test "$enable_atomicuser" = "" && enable_atomicuser=yes - test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes test "$enable_aesgcm" = "" && enable_aesgcm=yes test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes test "$enable_aesccm" = "" && enable_aesccm=yes @@ -509,6 +520,8 @@ then fi # S/MIME support requires PKCS7, which requires no FIPS. test "$enable_smime" = "" && enable_smime=yes + # JNI uses pkcallbacks. + test "$enable_jni" = "" && enable_jni=yes fi test "$enable_opensslextra" = "" && enable_opensslextra=yes test "$enable_opensslall" = "" && enable_opensslall=yes @@ -527,6 +540,7 @@ then if test "$ENABLED_FIPS" = "no" then + test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes test "$enable_xchacha" = "" && enable_xchacha=yes test "$enable_scep" = "" && enable_scep=yes test "$enable_pkcs7" = "" && enable_pkcs7=yes @@ -579,7 +593,6 @@ AC_ARG_ENABLE([all-crypto], if test "$ENABLED_ALL_CRYPT" = "yes" then test "$enable_atomicuser" = "" && enable_atomicuser=yes - test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes test "$enable_aesgcm" = "" && enable_aesgcm=yes test "$enable_aesgcm_stream" = "" && enable_aesgcm_stream=yes test "$enable_aesccm" = "" && enable_aesccm=yes @@ -652,6 +665,7 @@ then if test "$ENABLED_FIPS" = "no" then + test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes test "$enable_xchacha" = "" && enable_xchacha=yes test "$enable_pkcs7" = "" && enable_pkcs7=yes if test "$ENABLED_32BIT" != "yes" @@ -7183,11 +7197,12 @@ AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"]) AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"]) AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"]) -if test "$ax_enable_debug" = "yes" || +if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" && + (test "$ax_enable_debug" = "yes" || test "$ENABLED_STACKSIZE" != "no" || (test "$ENABLED_LEANTLS" = "no" && test "$ENABLED_LEANPSK" = "no" && - test "$ENABLED_LOWRESOURCE" = "no") + test "$ENABLED_LOWRESOURCE" = "no")) then AM_CFLAGS="$AM_CFLAGS -DHAVE_WC_INTROSPECTION" fi @@ -7238,6 +7253,14 @@ else make clean >/dev/null fi +if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" +then + echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" > ${output_objdir}/.build_params && + echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> ${output_objdir}/.build_params || + AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.]) + AM_CFLAGS="-include ${output_objdir}/.build_params $AM_CFLAGS" +fi + # generate user options header AC_MSG_NOTICE([---]) AC_MSG_NOTICE([Generating user options header...]) @@ -7264,7 +7287,7 @@ echo "extern \"C\" {" >> $OPTION_FILE echo "#endif" >> $OPTION_FILE echo "" >> $OPTION_FILE -for option in $CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS; do +for option in $CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS $EXTRA_CFLAGS; do defonly=`echo $option | sed 's/^-D//'` if test "$defonly" != "$option" then @@ -7570,14 +7593,6 @@ echo "---" fi # $silent != yes -if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" -then - echo >> config.h - echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" >> config.h - echo >> config.h - echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\"" >> config.h -fi - ################################################################################ # Show warnings at bottom so they are noticed ################################################################################ diff --git a/linuxkm/Makefile b/linuxkm/Makefile index 091ee5bf6..17e3131a9 100644 --- a/linuxkm/Makefile +++ b/linuxkm/Makefile @@ -33,7 +33,7 @@ ifndef SRC_TOP SRC_TOP=$(shell dirname $(MODULE_TOP)) endif -WOLFSSL_CFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -Wno-declaration-after-statement -Wno-redundant-decls +WOLFSSL_CFLAGS=-DHAVE_CONFIG_H -I$(SRC_TOP) -DBUILDING_WOLFSSL $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -Wno-declaration-after-statement -Wno-redundant-decls -DLIBWOLFSSL_GLOBAL_EXTRA_CFLAGS="\" $(KERNEL_EXTRA_CFLAGS)\"" ifdef KERNEL_EXTRA_CFLAGS WOLFSSL_CFLAGS += $(KERNEL_EXTRA_CFLAGS) endif @@ -49,7 +49,7 @@ else endif ifeq "$(ENABLED_LINUXKM_PIE)" "yes" - WOLFCRYPT_PIE_FILES := linuxkm/pie_first.o $(filter wolfcrypt/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o linuxkm/pie_last.o + WOLFCRYPT_PIE_FILES := linuxkm/pie_first.o $(filter wolfcrypt/src/%,$(WOLFSSL_OBJ_FILES)) linuxkm/pie_redirect_table.o linuxkm/pie_last.o WOLFSSL_OBJ_FILES := $(WOLFCRYPT_PIE_FILES) $(filter-out $(WOLFCRYPT_PIE_FILES),$(WOLFSSL_OBJ_FILES)) endif diff --git a/src/include.am b/src/include.am index 4bf074469..d1b1faecd 100644 --- a/src/include.am +++ b/src/include.am @@ -50,7 +50,7 @@ endif src_libwolfssl_la_SOURCES = src_libwolfssl_la_LDFLAGS = ${AM_LDFLAGS} -no-undefined -version-info ${WOLFSSL_LIBRARY_VERSION} src_libwolfssl_la_LIBADD = $(LIBM) $(LIB_ADD) $(LIB_STATIC_ADD) -src_libwolfssl_la_CFLAGS = -DBUILDING_WOLFSSL $(AM_CFLAGS) +src_libwolfssl_la_CFLAGS = -DBUILDING_WOLFSSL $(AM_CFLAGS) -DLIBWOLFSSL_GLOBAL_EXTRA_CFLAGS="\" $(EXTRA_CFLAGS)\"" src_libwolfssl_la_CPPFLAGS = -DBUILDING_WOLFSSL $(AM_CPPFLAGS) # install the packaged IPP libraries diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index f8736290e..5832b41c0 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -109,9 +109,15 @@ decouple library dependencies with standard string, memory and so on. #endif #endif + /* helpers for stringifying the expanded value of a macro argument rather + * than its literal text: + */ + #define STRINGIFY_L2(str) #str + #define STRINGIFY(str) STRINGIFY_L2(str) + /* try to set SIZEOF_LONG or SIZEOF_LONG_LONG if user didn't */ #if defined(_MSC_VER) || defined(HAVE_LIMITS_H) - /* make sure both SIZEOF_LONG_LONG and SIZEOF_LONG are set, + /* make sure both SIZEOF_LONG_LONG and SIZEOF_LONG are set, * otherwise causes issues with CTC_SETTINGS */ #if !defined(SIZEOF_LONG_LONG) || !defined(SIZEOF_LONG) #include