From 3c931abeb7e9bbf744cde83fbaaf3bb011107834 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Fri, 19 Aug 2022 12:32:27 +0900
Subject: [PATCH] build: allow GMP to be statically linked

Even though we set the custom allocator[1] to zeroize sensitive data, it can be easily invalidated if the application sets its own custom allocator. An approach to prevent that is to link against a static library of GMP, so the use of GMP is privatized and the custom allocator configuration is not shared with other applications.

This patch allows libgnutls to be linked with the static library of GMP. Note that, to this work libgmp.a needs to be compiled with -fPIC and libhogweed in Nettle is also linked to the static library of GMP.

1. https://gitlab.com/gnutls/gnutls/-/merge_requests/1554

Signed-off-by: Daiki Ueno
---
 configure.ac   | 14 +++++++++++++-
 lib/fips.c     | 18 +++++++++++++++++-
 lib/fipshmac.c |  2 ++
 lib/global.c   |  2 ++
 4 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index f81d93edc0..b38583c554 100644
--- a/configure.ac
+++ b/configure.ac
@@ -786,6 +786,8 @@ LIBS=$save_LIBS
 AM_CONDITIONAL([NEED_SIV_GCM], [test "$ac_cv_func_nettle_siv_gcm_encrypt_message" != yes])
 
 # Check sonames of the linked libraries needed for FIPS selftests.
+save_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS $GMP_CFLAGS"
 save_LIBS=$LIBS
 LIBS="$LIBS $GMP_LIBS"
 AC_MSG_CHECKING([gmp soname])
@@ -799,9 +801,14 @@ if test -z "$gmp_so"; then
   gmp_so=none
 fi
 AC_MSG_RESULT($gmp_so)
-AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
+if test "$gmp_so" != none; then
+  AC_DEFINE_UNQUOTED([GMP_LIBRARY_SONAME], ["$gmp_so"], [The soname of gmp library])
+fi
 LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
 
+save_CFLAGS=$CFLAGS
+CFLAGS="$CFLAGS $NETTLE_CFLAGS"
 save_LIBS=$LIBS
 LIBS="$LIBS $NETTLE_LIBS"
 AC_MSG_CHECKING([nettle soname])
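Review bot: `if test "$gmp_so" != none; then` in the second configure.ac hunk turns a failed soname probe into the static-GMP configuration: GMP_LIBRARY_SONAME stays undefined and, per the lib/fips.c hunks of this same patch, the GMP entry drops out of the FIPS HMAC file and the integrity check. The probe itself is outside the hunk, so it cannot be seen here whether `none` can also result from a probe that fails for an unrelated reason (wrong GMP_CFLAGS, cross-compilation), in which case a shared libgmp would go unverified at runtime without any build-time signal. An `AC_MSG_WARN` where `gmp_so=none` is assigned, or an explicit configure switch for the static case instead of inferring it from a failed lookup, would keep that failure loud. At minimum a comment above the new `if`, `# no soname means GMP is assumed statically linked: no FIPS integrity entry is generated for it`, should document the inference.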
@@ -817,7 +824,11 @@ fi
 AC_MSG_RESULT($nettle_so)
 AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library])
 LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
 
+save_CFLAGS=$CFLAGS
+# includes
+CFLAGS="$CFLAGS $HOGWEED_CFLAGS $GMP_CFLAGS"
 save_LIBS=$LIBS
 LIBS="$LIBS $HOGWEED_LIBS"
 AC_MSG_CHECKING([hogweed soname])
@@ -833,6 +844,7 @@ fi
 AC_MSG_RESULT($hogweed_so)
 AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library])
 LIBS=$save_LIBS
+CFLAGS=$save_CFLAGS
 
 gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"`
 AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library])
diff --git a/lib/fips.c b/lib/fips.c
index e337221267..c1859709da 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -157,7 +157,11 @@ void _gnutls_fips_mode_reset_zombie(void)
 #define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME
 #define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME
 #define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME
+
+/* GMP can be statically linked. */
+#ifdef GMP_LIBRARY_SONAME
 #define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME
+#endif
 
 #define HMAC_SIZE 32
 #define HMAC_ALGO GNUTLS_MAC_SHA256
@@ -173,14 +177,18 @@ struct hmac_file {
 	struct hmac_entry gnutls;
 	struct hmac_entry nettle;
 	struct hmac_entry hogweed;
+#ifdef GMP_LIBRARY_SONAME
 	struct hmac_entry gmp;
+#endif
 };
 
 struct lib_paths {
 	char gnutls[GNUTLS_PATH_MAX];
 	char nettle[GNUTLS_PATH_MAX];
 	char hogweed[GNUTLS_PATH_MAX];
+#ifdef GMP_LIBRARY_SONAME
 	char gmp[GNUTLS_PATH_MAX];
+#endif
 };
 
 /*
@@ -244,8 +252,10 @@ static int handler(void *user, const char *section, const char *name,
 		return lib_handler(&p->nettle, section, name, value);
 	} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
 		return lib_handler(&p->hogweed, section, name, value);
+#ifdef GMP_LIBRARY_SONAME
 	} else if (!strcmp(section, GMP_LIBRARY_NAME)) {
 		return lib_handler(&p->gmp, section, name, value);
+#endif
 	} else {
 		return 0;
 	}
@@ -393,8 +403,10 @@ static int callback(struct dl_phdr_info *info, size_t size, void *data)
 		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
 	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
 		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+#ifdef GMP_LIBRARY_SONAME
 	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
 		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
+#endif
 
 	return 0;
 }
@@ -415,10 +427,12 @@ static int load_lib_paths(struct lib_paths *paths)
 		_gnutls_debug_log("Hogweed library path was not found\n");
 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
 	}
+#ifdef GMP_LIBRARY_SONAME
 	if (paths->gmp[0] == '\0') {
 		_gnutls_debug_log("Gmp library path was not found\n");
 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
 	}
+#endif
 
 	return GNUTLS_E_SUCCESS;
 }
@@ -471,9 +485,11 @@ static int check_binary_integrity(void)
 	ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
 	if (ret < 0)
 		return ret;
-	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+#ifdef GMP_LIBRARY_SONAME
+	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
 	if (ret < 0)
 		return ret;
+#endif
 
 	return 0;
 }
diff --git a/lib/fipshmac.c b/lib/fipshmac.c
index 51f38f18e5..6a4883a131 100644
--- a/lib/fipshmac.c
+++ b/lib/fipshmac.c
@@ -107,8 +107,10 @@ static int callback(struct dl_phdr_info *info, size_t size, void *data)
 		return print_lib(path, soname);
 	if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
 		return print_lib(path, soname);
+#ifdef GMP_LIBRARY_SONAME
 	if (!strcmp(soname, GMP_LIBRARY_SONAME))
 		return print_lib(path, soname);
+#endif
 
 	return 0;
 }
diff --git a/lib/global.c b/lib/global.c
index 924ec945de..c197fd0e5f 100644
--- a/lib/global.c
+++ b/lib/global.c
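Review bot: The added line in the check_binary_integrity hunk calls `check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init")`, while the hogweed call three lines above uses the two-argument form `check_lib_hmac(&hmac.hogweed, paths.hogweed)`, and neither a variable `file` nor a three-parameter check_lib_hmac appears anywhere in the visible context; unless both exist outside the hunk, the default shared-GMP build, which is exactly the case where GMP_LIBRARY_SONAME is defined, will not compile. The line being removed already had the consistent form, so the replacement should be `ret = check_lib_hmac(&hmac.gmp, paths.gmp);` inside the new `#ifdef`, which also keeps GMP's HMAC verified via the same path-based lookup as the other libraries. The function's opening and the declarations of `hmac` and `paths` are outside the hunk, so this reads as a rebase leftover rather than an intended API change; a comment on the `#endif` side, `/* static GMP is covered by the libgnutls HMAC above */`, would document why the entry may be absent.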
@@ -564,7 +564,9 @@ static const struct gnutls_library_config_st _gnutls_library_config[] = {
 	{ "libgnutls-soname", GNUTLS_LIBRARY_SONAME },
 	{ "libnettle-soname", NETTLE_LIBRARY_SONAME },
 	{ "libhogweed-soname", HOGWEED_LIBRARY_SONAME },
+#ifdef GMP_LIBRARY_SONAME
 	{ "libgmp-soname", GMP_LIBRARY_SONAME },
+#endif
 	{ "hardware-features", HW_FEATURES },
 	{ "tls-features", TLS_FEATURES },
 	{ "default-system-config", SYSTEM_PRIORITY_FILE },
-- 
2.41.0
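Review bot: With GMP linked statically the `libgmp-soname` row vanishes from _gnutls_library_config entirely rather than reporting an empty value, so any consumer that walks this table expecting a fixed set of keys now gets a miss for that key; a short comment above the new `#ifdef`, `/* omitted when GMP is linked statically (no GMP_LIBRARY_SONAME from configure) */`, would make the absence deliberate and point readers at where the decision is made. The array's declaration and terminator lie outside the hunk.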