import nettle-3.4.1-2.el8

2020-11-03 06:49:06 -05:00 · 2020-11-03 06:49:06 -05:00 · d41e1e8915
commit d41e1e8915
parent 9c76acbb74
2 changed files with 216 additions and 1 deletions
--- a/SOURCES/nettle-3.4.1-enable-intel-cet.patch
+++ b/SOURCES/nettle-3.4.1-enable-intel-cet.patch
@ -0,0 +1,210 @@
 diff --git a/asm.m4 b/asm.m4
 index 8da47201..59d64098 100644
 --- a/asm.m4
 +++ b/asm.m4
@@ -32,7 +32,7 @@ define(<GMP_NUMB_BITS>,<>)dnl
 define(<PROLOGUE>,
 <.globl C_NAME($1)
 DECLARE_FUNC(C_NAME($1))
 -C_NAME($1):>)
 +C_NAME($1): ASM_X86_ENDBR>)
 define(<EPILOGUE>,
 <ifelse(ELF_STYLE,yes,
 --- a/config.m4.in	2018-12-04 21:56:06.000000000 +0100
 +++ b/config.m4.in	2020-05-15 11:25:42.350465132 +0200
@@ -7,6 +7,9 @@
 define(<ALIGN_LOG>, <@ASM_ALIGN_LOG@>)dnl
 define(<W64_ABI>, <@W64_ABI@>)dnl
 define(<RODATA>, <@ASM_RODATA@>)dnl
 +define(<ASM_X86_ENDBR>,<@ASM_X86_ENDBR@>)dnl
 +define(<ASM_X86_MARK_CET_ALIGN>,<@ASM_X86_MARK_CET_ALIGN@>)dnl
 divert(1)
 +@ASM_X86_MARK_CET@
 @ASM_MARK_NOEXEC_STACK@
 divert
 --- a/configure.ac	2018-12-04 21:56:06.000000000 +0100
 +++ b/configure.ac	2020-05-15 11:46:39.152373137 +0200
@@ -787,6 +787,68 @@
   ASM_ALIGN_LOG="$nettle_cv_asm_align_log"
 fi
 +dnl  Define
 +dnl  1. ASM_X86_ENDBR for endbr32/endbr64.
 +dnl  2. ASM_X86_MARK_CET to add a .note.gnu.property section to mark
 +dnl  Intel CET support if needed.
 +dnl  3. ASM_X86_MARK_CET_ALIGN to align ASM_X86_MARK_CET.
 +AC_CACHE_CHECK([if Intel CET is enabled],
 +  [nettle_cv_asm_x86_intel_cet],
 +  [AC_TRY_COMPILE([
 +#ifndef __CET__
 +#error Intel CET is not enabled
 +#endif
 +  ], [],
 +  [nettle_cv_asm_x86_intel_cet=yes],
 +  [nettle_cv_asm_x86_intel_cet=no])])
 +if test "$nettle_cv_asm_x86_intel_cet" = yes; then
 +  case $ABI in
 +  32|standard)
 +    ASM_X86_ENDBR=endbr32
 +    ASM_X86_MARK_CET_ALIGN=2
 +    ;;
 +  64)
 +    ASM_X86_ENDBR=endbr64
 +    ASM_X86_MARK_CET_ALIGN=3
 +    ;;
 +  x32)
 +    ASM_X86_ENDBR=endbr64
 +    ASM_X86_MARK_CET_ALIGN=2
 +    ;;
 +  esac
 +  AC_CACHE_CHECK([if .note.gnu.property section is needed],
 +    [nettle_cv_asm_x86_gnu_property],
 +    [AC_TRY_COMPILE([
 +#if !defined __ELF__ || !defined __CET__
 +#error GNU property is not needed
 +#endif
 +    ], [],
 +    [nettle_cv_asm_x86_gnu_property=yes],
 +    [nettle_cv_asm_x86_gnu_property=no])])
 +else
 +  nettle_cv_asm_x86_gnu_property=no
 +fi
 +if test "$nettle_cv_asm_x86_gnu_property" = yes; then
 +  ASM_X86_MARK_CET='
 +	.pushsection ".note.gnu.property", "a"
 +	.p2align ASM_X86_MARK_CET_ALIGN
 +	.long 1f - 0f
 +	.long 4f - 1f
 +	.long 5
 +0:
 +	.asciz "GNU"
 +1:
 +	.p2align ASM_X86_MARK_CET_ALIGN
 +	.long 0xc0000002
 +	.long 3f - 2f
 +2:
 +	.long 3
 +3:
 +	.p2align ASM_X86_MARK_CET_ALIGN
 +4:
 +	.popsection'
 +fi
 +
 AC_SUBST(ASM_SYMBOL_PREFIX)
 AC_SUBST(ASM_ELF_STYLE)
 AC_SUBST(ASM_COFF_STYLE)
@@ -796,6 +858,9 @@
 AC_SUBST(ASM_ALIGN_LOG)
 AC_SUBST(W64_ABI)
 AC_SUBST(EMULATOR)
 +AC_SUBST(ASM_X86_ENDBR)
 +AC_SUBST(ASM_X86_MARK_CET)
 +AC_SUBST(ASM_X86_MARK_CET_ALIGN)
 AC_SUBST(LIBNETTLE_MAJOR)
 AC_SUBST(LIBNETTLE_MINOR)
 diff --git a/testsuite/.test-rules.make b/testsuite/.test-rules.make
 index 922a2c7f..9de8f412 100644
 --- a/testsuite/.test-rules.make
 +++ b/testsuite/.test-rules.make
@@ -178,6 +178,9 @@ xts-test$(EXEEXT): xts-test.$(OBJEXT)
 pbkdf2-test$(EXEEXT): pbkdf2-test.$(OBJEXT)
 	$(LINK) pbkdf2-test.$(OBJEXT) $(TEST_OBJS) -o pbkdf2-test$(EXEEXT)
 +x86-ibt-test$(EXEEXT): x86-ibt-test.$(OBJEXT)
 +	$(LINK) x86-ibt-test.$(OBJEXT) $(TEST_OBJS) -o x86-ibt-test$(EXEEXT)
 +
 sexp-test$(EXEEXT): sexp-test.$(OBJEXT)
 	$(LINK) sexp-test.$(OBJEXT) $(TEST_OBJS) -o sexp-test$(EXEEXT)
 --- a/testsuite/Makefile.in	2018-12-04 21:56:06.000000000 +0100
 +++ b/testsuite/Makefile.in	2020-05-15 11:21:15.673321598 +0200
@@ -31,7 +31,8 @@
 		    hmac-test.c umac-test.c \
 		    meta-hash-test.c meta-cipher-test.c\
 		    meta-aead-test.c meta-armor-test.c \
 -		    buffer-test.c yarrow-test.c pbkdf2-test.c
 +		    buffer-test.c yarrow-test.c pbkdf2-test.c \
 +		    x86-ibt-test.c
 TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \
 		     rsa2sexp-test.c sexp2rsa-test.c \
 diff --git a/testsuite/x86-ibt-test.c b/testsuite/x86-ibt-test.c
 new file mode 100644
 index 00000000..1f3d1d67
 --- /dev/null
 +++ b/testsuite/x86-ibt-test.c
@@ -0,0 +1,69 @@
 +#include "testutils.h"
 +#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__)) \
 +    && defined(__CET__) && defined(__linux__)
 +#include <signal.h>
 +
 +static void
 +segfault_handler(int signo)
 +{
 +  exit(0);
 +}
 +
 +static void
 +ibt_violation(void)
 +{
 +#ifdef __i386__
 +  unsigned int reg;
 +  asm volatile("lea 1f, %0\n\t"
 +	       "jmp *%0\n"
 +	       "1:" : "=r" (reg));
 +#else
 +  unsigned long long reg;
 +  asm volatile("lea 1f(%%rip), %0\n\t"
 +	       "jmp *%0\n"
 +	       "1:" : "=r" (reg));
 +#endif
 +}
 +
 +#ifdef __i386__
 +static unsigned int
 +_get_ssp(void)
 +{
 +  unsigned int ssp;
 +  asm volatile("xor %0, %0\n\trdsspd %0" : "=r" (ssp));
 +  return ssp;
 +}
 +#else
 +static unsigned long long
 +_get_ssp(void)
 +{
 +  unsigned long long ssp;
 +  asm volatile("xor %0, %0\n\trdsspq %0" : "=r" (ssp));
 +  return ssp;
 +}
 +#endif
 +
 +void
 +test_main(void)
 +{
 +   /* NB: This test should trigger SIGSEGV on CET platforms.  _get_ssp
 +      returns the address of shadow stack pointer.  If the address of
 +      shadow stack pointer is 0, SHSTK is disabled and we assume that
 +      IBT is also disabled.  */
 +  if (_get_ssp() == 0)
 +    {
 +      ibt_violation();
 +      SKIP();
 +    }
 +
 +  signal(SIGSEGV, segfault_handler);
 +  ibt_violation();
 +  FAIL();
 +}
 +#else
 +void
 +test_main(void)
 +{
 +  SKIP();
 +}
 +#endif
 -- 
 2.25.4
--- a/SPECS/nettle.spec
+++ b/SPECS/nettle.spec
@ -2,7 +2,7 @@
 Name:           nettle
 Version:        3.4.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A low-level cryptographic library
 Group:          Development/Libraries
@ -12,6 +12,7 @@ Source0:	%{name}-%{version}-hobbled.tar.xz
 #Source0:        http://www.lysator.liu.se/~nisse/archive/%{name}-%{version}.tar.gz
 Patch0:		nettle-3.3-remove-ecc-testsuite.patch
 Patch1:		nettle-3.4-annocheck.patch
 Patch2:		nettle-3.4.1-enable-intel-cet.patch
 BuildRequires:  gcc
 BuildRequires:  gmp-devel, m4
@ -52,6 +53,7 @@ sed 's/ecc-192.c//g' -i Makefile.in
 sed 's/ecc-224.c//g' -i Makefile.in
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %build
 autoreconf -ifv
@ -124,6 +126,9 @@ fi
 %changelog
 * Fri May 15 2020 Anderson Sasaki <ansasaki@redhat.com> - 3.4.1-2
 - Enable Intel CET support (#1737542)
 * Tue Dec 11 2018 Daiki Ueno <dueno@redhat.com> - 3.4.1-1
 - New upstream release