From 88808f0b8906bdc32579c144a2c44401ee97798a Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 19 Aug 2022 12:32:27 +0900
Subject: [PATCH] build: allow GMP to be statically linked
|
Even though we set the custom allocator[1] to zeroize sensitive data,
it can be easily invalidated if the application sets its own custom
allocator. An approach to prevent that is to link against a static
library of GMP, so the use of GMP is privatized and the custom
allocator configuration is not shared with other applications.
|
This patch allows libgnutls to be linked with the static library of
GMP. Note that, to this work libgmp.a needs to be compiled with -fPIC
and libhogweed in Nettle is also linked to the static library of GMP.
|
1. https://gitlab.com/gnutls/gnutls/-/merge_requests/1554
|
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
configure.ac | 14 +++++++++++++-
lib/fips.c | 10 ++++++++++
lib/fipshmac.c | 5 ++++-
lib/global.c | 2 ++
4 files changed, 29 insertions(+), 2 deletions(-)
|
diff --git a/configure.ac b/configure.ac
index 96894b0be3..e4cf5eab81 100644
--- a/configure.ac
+++ b/configure.ac
@@ -742,6 +742,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_update)
LIBS=$save_LIBS
|
# Check sonames of the linked libraries needed for FIPS selftests.
+save_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS $GMP_CFLAGS"
save_LIBS=$LIBS
LIBS="$LIBS $GMP_LIBS"
AC_MSG_CHECKING([gmp soname])
@@ -755,9 +757,14 @@ if test -z "$gmp_so"; then
gmp_so=none
fi
AC_MSG_RESULT($gmp_so)
-AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
+if test "$gmp_so" != none; then
+ AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
+fi
LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
|
+save_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS $NETTLE_CFLAGS"
save_LIBS=$LIBS
LIBS="$LIBS $NETTLE_LIBS"
AC_MSG_CHECKING([nettle soname])
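Review bot: The new `if test "$gmp_so" != none` guard makes any soname-detection failure look like a static GMP build, not only the intended static-link case: `gmp_so=none` at the top of this hunk is the fallback of the `if test -z "$gmp_so"` probe that starts before the hunk, and once GMP_LIBRARY_SONAME is undefined the `#ifdef GMP_LIBRARY_SONAME` blocks in lib/fips.c (check_binary_integrity) and lib/fipshmac.c silently skip the libgmp HMAC check, so a dynamically linked libgmp whose soname the probe failed to read is never verified in FIPS mode. Before this change the define was unconditional, so a bad probe presumably surfaced as a runtime failure on the "none" library name rather than a silent skip. Tying the skip to an explicit configure option the packager must pass would be safer; at minimum the fallback branch should state what it now implies, e.g. `AC_MSG_WARN([gmp soname not found; assuming GMP is statically linked and skipping its FIPS integrity check])`.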
@@ -773,7 +780,11 @@ fi
AC_MSG_RESULT($nettle_so)
AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library])
LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
|
+save_CFLAGS=$CFLAGS
+# <nettle/bignum.h> includes <gmp.h>
+CFLAGS="$CFLAGS $HOGWEED_CFLAGS $GMP_CFLAGS"
save_LIBS=$LIBS
LIBS="$LIBS $HOGWEED_LIBS"
AC_MSG_CHECKING([hogweed soname])
@@ -789,6 +800,7 @@ fi
AC_MSG_RESULT($hogweed_so)
AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library])
LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
|
gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"`
AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library])
diff --git a/lib/fips.c b/lib/fips.c
index 54eb4a37d4..42124ecf4e 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -149,7 +149,11 @@ void _gnutls_fips_mode_reset_zombie(void)
#define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME
#define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME
#define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME
+
+/* GMP can be statically linked. */
+#ifdef GMP_LIBRARY_SONAME
#define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME
+#endif
|
#define HMAC_SIZE 32
#define HMAC_ALGO GNUTLS_MAC_SHA256
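Review bot: The comment `/* GMP can be statically linked. */` above the new `#ifdef GMP_LIBRARY_SONAME` does not tell a reader what the macro's absence means for the integrity check, which is the security-relevant part; the same one-line comment is repeated in lib/fipshmac.c. Something like `/* configure leaves GMP_LIBRARY_SONAME undefined when no shared libgmp soname was found (the static-link case); libgmp then has no HMAC entry of its own and is covered, if at all, only through the HMACs of the libraries it was linked into. */` would state the consequence where the macro is first used. The struct and handler hunks below in this file use the same guard and can refer back to this comment rather than repeat it.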
@@ -168,7 +172,9 @@ typedef struct
struct hmac_entry gnutls;
struct hmac_entry nettle;
struct hmac_entry hogweed;
+#ifdef GMP_LIBRARY_SONAME
struct hmac_entry gmp;
+#endif
} hmac_file;
|
static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size)
@@ -259,8 +265,10 @@ static int handler(void *user, const char *section, const char *name, const char
return lib_handler(&p->nettle, section, name, value);
} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
return lib_handler(&p->hogweed, section, name, value);
+#ifdef GMP_LIBRARY_SONAME
} else if (!strcmp(section, GMP_LIBRARY_NAME)) {
return lib_handler(&p->gmp, section, name, value);
+#endif
} else {
return 0;
}
@@ -408,9 +416,11 @@ static int check_binary_integrity(void)
ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
if (ret < 0)
return ret;
+#ifdef GMP_LIBRARY_SONAME
ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
if (ret < 0)
return ret;
+#endif
|
return 0;
}
diff --git a/lib/fipshmac.c b/lib/fipshmac.c
index b091572bdf..363077f3e2 100644
--- a/lib/fipshmac.c
+++ b/lib/fipshmac.c
@@ -159,10 +159,13 @@ int main(int argc, char **argv)
ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u");
if (ret < 0)
return EXIT_FAILURE;
-
+
+ /* GMP can be statically linked. */
+#ifdef GMP_LIBRARY_SONAME
ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init");
if (ret < 0)
return EXIT_FAILURE;
+#endif
|
return EXIT_SUCCESS;
}
diff --git a/lib/global.c b/lib/global.c
index 1b372c15bd..9f3c7b22bd 100644
--- a/lib/global.c
+++ b/lib/global.c
@@ -548,7 +548,9 @@ static const struct gnutls_library_config_st _gnutls_library_config[] = {
{ "libgnutls-soname", GNUTLS_LIBRARY_SONAME },
{ "libnettle-soname", NETTLE_LIBRARY_SONAME },
{ "libhogweed-soname", HOGWEED_LIBRARY_SONAME },
+#ifdef GMP_LIBRARY_SONAME
{ "libgmp-soname", GMP_LIBRARY_SONAME },
+#endif
{ "hardware-features", HW_FEATURES },
{ "tls-features", TLS_FEATURES },
{ NULL, NULL }
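Review bot: The `libgmp-soname` entry is now omitted from `_gnutls_library_config` whenever GMP_LIBRARY_SONAME is undefined, whereas before this change the same build produced the key with the value "none" (the `gmp_so=none` fallback in configure.ac was passed unconditionally to AC_DEFINE_UNQUOTED). Anything that looks this key up by name therefore sees it vanish instead of a sentinel, which is an observable change to the table's key set. If the keys are meant to be stable, an `#else` branch keeping `{ "libgmp-soname", "none" },` preserves that while still signalling the static-link case; the array continues outside the hunk.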
--
2.37.1