From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 19 Aug 2022 12:32:27 +0900
Subject: [PATCH] build: allow GMP to be statically linked
Even though we set the custom allocator[1] to zeroize sensitive data,
it can be easily invalidated if the application sets its own custom
allocator. An approach to prevent that is to link against a static
library of GMP, so the use of GMP is privatized and the custom
allocator configuration is not shared with other applications.
This patch allows libgnutls to be linked with the static library of
GMP. Note that, for this to work, libgmp.a needs to be compiled with -fPIC
and libhogweed in Nettle is also linked to the static library of GMP.
1. https://gitlab.com/gnutls/gnutls/-/merge_requests/1554
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
diff --color -ruNp a/configure.ac b/configure.ac
--- a/configure.ac 2022-12-15 11:06:16.782726043 +0100
+++ b/configure.ac 2022-12-15 11:08:35.603451427 +0100
@@ -744,6 +744,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_up
LIBS=$save_LIBS
# Check sonames of the linked libraries needed for FIPS selftests.
+save_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS $GMP_CFLAGS"
save_LIBS=$LIBS
LIBS="$LIBS $GMP_LIBS"
AC_MSG_CHECKING([gmp soname])
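Review bot: The save/restore of CFLAGS around a soname probe is written out by hand here and again in the hunks at -757, -775 and -791, each time next to an identical save/restore of LIBS, so four places now have to be kept in step. A small m4 helper that takes the probe body plus the CFLAGS/LIBS additions (or simply wrapping each probe in a shell subshell so nothing needs restoring) would remove the duplication and the risk of a missing restore later. The probe body that uses these CFLAGS continues below the hunk.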
@@ -757,9 +759,14 @@ if test -z "$gmp_so"; then
gmp_so=none
fi
AC_MSG_RESULT($gmp_so)
-AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
+if test "$gmp_so" != none; then
+ AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
+fi
LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
+save_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS $NETTLE_CFLAGS"
save_LIBS=$LIBS
LIBS="$LIBS $NETTLE_LIBS"
AC_MSG_CHECKING([nettle soname])
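Review bot: Leaving GMP_LIBRARY_SONAME undefined whenever `$gmp_so` is `none` treats every failed soname probe as "GMP is statically linked", so a probe that fails for an unrelated reason (the probe itself is above the hunk, only its `none` fallback is visible here) silently drops libgmp from the FIPS integrity check instead of stopping configure. At minimum the branch should say so in the configure output, e.g. `else AC_MSG_WARN([gmp soname not found; assuming GMP is linked statically and excluding it from the FIPS integrity check])`. An explicit configure option for static GMP (name to be chosen) would be more robust than inferring it from the probe result, and the commit message's prerequisites (libgmp.a built with -fPIC, libhogweed linked against the same static GMP) belong next to that option rather than only in the commit log.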
@@ -775,7 +782,11 @@ fi
AC_MSG_RESULT($nettle_so)
AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library])
LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
+save_CFLAGS=$CFLAGS
+# <nettle/bignum.h> includes <gmp.h>
+CFLAGS="$CFLAGS $HOGWEED_CFLAGS $GMP_CFLAGS"
save_LIBS=$LIBS
LIBS="$LIBS $HOGWEED_LIBS"
AC_MSG_CHECKING([hogweed soname])
@@ -791,6 +802,7 @@ fi
AC_MSG_RESULT($hogweed_so)
AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library])
LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"`
AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library])
diff --color -ruNp a/lib/fips.c b/lib/fips.c
--- a/lib/fips.c 2022-12-15 11:06:16.868727731 +0100
+++ b/lib/fips.c 2022-12-15 11:12:42.744303409 +0100
@@ -155,7 +155,11 @@ void _gnutls_fips_mode_reset_zombie(void
#define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME
#define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME
#define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME
+
+/* GMP can be statically linked */
+#ifdef GMP_LIBRARY_SONAME
#define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME
+#endif
#define HMAC_SIZE 32
#define HMAC_ALGO GNUTLS_MAC_SHA256
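Review bot: The new comment above the `#ifdef` only says that GMP can be statically linked; it should state what that means for the integrity check, because every other `#ifdef GMP_LIBRARY_SONAME` in this file (the hmac_file and lib_paths fields, handler, callback, load_lib_paths and check_binary_integrity) hangs off this single definition. Suggest `/* GMP_LIBRARY_SONAME is left undefined by configure when GMP is linked statically; there is then no separate libgmp to locate or HMAC-check */`. Whether the statically linked GMP code is then covered by the libgnutls/libhogweed HMACs follows from the commit message, not from anything visible here, so confirm that before stating it in the comment.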
@@ -173,7 +177,9 @@ struct hmac_file
struct hmac_entry gnutls;
struct hmac_entry nettle;
struct hmac_entry hogweed;
+#ifdef GMP_LIBRARY_SONAME
struct hmac_entry gmp;
+#endif
};
struct lib_paths
@@ -181,7 +187,9 @@ struct lib_paths
char gnutls[GNUTLS_PATH_MAX];
char nettle[GNUTLS_PATH_MAX];
char hogweed[GNUTLS_PATH_MAX];
+#ifdef GMP_LIBRARY_SONAME
char gmp[GNUTLS_PATH_MAX];
+#endif
};
/*
@@ -245,8 +253,10 @@ static int handler(void *user, const cha
return lib_handler(&p->nettle, section, name, value);
} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
return lib_handler(&p->hogweed, section, name, value);
+#ifdef GMP_LIBRARY_SONAME
} else if (!strcmp(section, GMP_LIBRARY_NAME)) {
return lib_handler(&p->gmp, section, name, value);
+#endif
} else {
return 0;
}
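Review bot: With GMP_LIBRARY_SONAME undefined, a libgmp section in an .hmac file now falls through to the final `else { return 0; }`; if that 0 is the ini parser's error signal (the handler contract is not visible in this hunk), a hash file generated for a dynamically linked build makes the integrity check of a static-GMP build fail rather than being ignored. That may be the intended strictness, but it should be stated on the else branch, e.g. `/* unknown section, including libgmp on a static-GMP build: reject the file */`, and in the build documentation next to the static-linking prerequisites. The same `#ifdef` spliced into an if/else chain appears in the callback hunk at -389 and in lib/fipshmac.c; it is valid C, but the brace-less `else if` in callback is easy to break on the next edit, so braces there would be cheap insurance. The handler's start lies above the hunk.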
@@ -389,8 +399,10 @@ static int callback(struct dl_phdr_info
_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+#ifdef GMP_LIBRARY_SONAME
else if (!strcmp(soname, GMP_LIBRARY_SONAME))
_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
+#endif
return 0;
}
@@ -411,10 +423,12 @@ static int load_lib_paths(struct lib_pat
_gnutls_debug_log("Hogweed library path was not found\n");
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
}
+#ifdef GMP_LIBRARY_SONAME
if (paths->gmp[0] == '\0') {
_gnutls_debug_log("Gmp library path was not found\n");
return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
}
+#endif
return GNUTLS_E_SUCCESS;
}
@@ -467,9 +481,11 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
if (ret < 0)
return ret;
+#ifdef GMP_LIBRARY_SONAME
ret = check_lib_hmac(&hmac.gmp, paths.gmp);
if (ret < 0)
return ret;
+#endif
return 0;
}
diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c
--- a/lib/fipshmac.c 2022-12-15 11:06:16.785726102 +0100
+++ b/lib/fipshmac.c 2022-12-15 11:13:34.533320156 +0100
@@ -107,8 +107,10 @@ static int callback(struct dl_phdr_info
return print_lib(path, soname);
if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
return print_lib(path, soname);
+#ifdef GMP_LIBRARY_SONAME
if (!strcmp(soname, GMP_LIBRARY_SONAME))
return print_lib(path, soname);
+#endif
return 0;
}
diff --color -ruNp a/lib/global.c b/lib/global.c
--- a/lib/global.c 2022-12-15 11:06:16.061711888 +0100
+++ b/lib/global.c 2022-12-15 11:08:35.604451446 +0100
@@ -540,7 +540,9 @@ static const struct gnutls_library_confi
{ "libgnutls-soname", GNUTLS_LIBRARY_SONAME },
{ "libnettle-soname", NETTLE_LIBRARY_SONAME },
{ "libhogweed-soname", HOGWEED_LIBRARY_SONAME },
+#ifdef GMP_LIBRARY_SONAME
{ "libgmp-soname", GMP_LIBRARY_SONAME },
+#endif
{ "hardware-features", HW_FEATURES },
{ "tls-features", TLS_FEATURES },
{ NULL, NULL }
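Review bot: Removing the `libgmp-soname` entry outright changes the shape of the library-config table: a consumer that looks the key up by name now gets "absent" on a static-GMP build, which is indistinguishable from an older library that never exported the key. Keeping the key with an explicit marker under an `#else`, e.g. `#else` / `{ "libgmp-soname", "none" },` (value to be agreed), keeps the table stable and tells callers that GMP is built in; the table's consumers are outside this hunk, so check which behaviour they rely on. Either way the change to the public configuration output belongs in NEWS.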