Compile FIPS 140 integrity check only when building shared library #23
Closed
ueno wants to merge 2 commits into smuellerDD:master from
When leancrypto is compiled as a static library with
-Ddefault_library=static, it fails with:
```
../internal/src/fips_integrity_checker_elf.c:77:10: fatal error: fips_integrity_checker_values.h: No such file or directory
77 | #include "fips_integrity_checker_values.h"
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Given the FIPS 140 integrity check only works with shared library, as
it utilizes the ELF sections, this adds an extra check on
build_shared to avoid the compilation error.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Contributor
Author
Not sure about the CI failures; all tests with `-Ddefault_library=shared/static/both` succeed on my environment (Fedora 41).
Owner
On Monday, 17 March 2025, 08:57:01 Central European Standard Time, Daiki Ueno wrote:

Hi Daiki,

> ueno left a comment (smuellerDD/leancrypto#23)
>
> Not sure about the CI failures; all tests with
> `-Ddefault_library=shared/static/both` succeed on my environment (Fedora
> 41).

I fixed the failures with the last patch. It is a bummer that this patch is
needed.

Daiki, do you happen to have an idea why the constructors are not executed
when compiling the library statically?

Ciao
Stephan
Contributor
Author
Thank you for merging and fixing the issue with constructor :-)

Afaik constructors are run by a dynamic linker, after determining the correct order of initialization/finalization, so there is no way to ensure that with static libraries: https://www.akkadia.org/drepper/dsohowto.pdf#page=12
Owner
On Tuesday, 18 March 2025, 13:54:46 CET, Daiki Ueno wrote:

Hi Daiki,

> ueno left a comment (smuellerDD/leancrypto#23)
>
> Thank you for merging and fixing the issue with constructor :-)
>
> > Daiki, do you happen to have an idea why the constructors are not executed
> > when compiling the library statically?
>
> Afaik constructors are run by a dynamic linker, after determining the
> correct order of initialization/finalization, so there is no way to ensure
> that with static libraries:
> https://www.akkadia.org/drepper/dsohowto.pdf#page=12

Right, but I thought when the static library is finally linked into the
executable, the constructor functions are initialized.

That said, Daiki, may I suggest adding an lc_init(0) call to GnuTLS? Otherwise
you will not run the accelerated implementations for hashes.

Ciao
Stephan
Contributor
Author
Thank you; I've filed https://gitlab.com/gnutls/gnutls/-/merge_requests/1942
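
The pattern behind the `lc_init(0)` suggestion in the thread, as an added example that is not leancrypto or GnuTLS code: the library keeps a safe generic default, treats its constructor as a convenience only, and exposes an idempotent explicit initialiser for callers. All `demo_*` names and the FNV-1a stand-in hash are assumptions; `DEMO_USE_CONSTRUCTOR` is left undefined to mimic the static build in which the constructor did not run.

```c
/* Added illustration: every demo_* name is hypothetical, not leancrypto API. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

typedef uint32_t (*digest_fn)(const uint8_t *msg, size_t len);

/* Portable FNV-1a, standing in for a generic C hash implementation. */
static uint32_t digest_generic(const uint8_t *msg, size_t len)
{
	uint32_t h = 2166136261u;
	for (size_t i = 0; i < len; i++)
		h = (h ^ msg[i]) * 16777619u;
	return h;
}

/* Stand-in for an accelerated variant: same output, separate entry point. */
static uint32_t digest_accel(const uint8_t *msg, size_t len) { return digest_generic(msg, len); }

/* Safe default: hashing works even if no initialisation code ever runs. */
static _Atomic(digest_fn) active = digest_generic;
static atomic_flag init_started = ATOMIC_FLAG_INIT;
static atomic_int init_runs;

/* Explicit, idempotent initialiser: only the first call selects a backend. */
int demo_init(unsigned int flags)
{
	(void)flags;
	if (atomic_flag_test_and_set(&init_started))
		return 0; /* repeat call: nothing left to do */
	atomic_fetch_add(&init_runs, 1);
	atomic_store(&active, digest_accel); /* a real library would probe the CPU here */
	return 0;
}

#ifdef DEMO_USE_CONSTRUCTOR /* left undefined: mimics a constructor that never ran */
__attribute__((constructor)) static void demo_ctor(void) { demo_init(0); }
#endif

int demo_is_accelerated(void) { return atomic_load(&active) == digest_accel; }
int demo_init_runs(void) { return atomic_load(&init_runs); }
uint32_t demo_digest(const uint8_t *m, size_t n) { return (atomic_load(&active))(m, n); }

int main(void)
{
	demo_init(0);
	demo_init(0); /* second call must be a no-op */
	return (demo_is_accelerated() && demo_init_runs() == 1) ? 0 : 1;
}
```

Building with `-DDEMO_USE_CONSTRUCTOR` enables the constructor path; the explicit call then becomes a harmless no-op.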
When leancrypto is compiled as a static library with
-Ddefault_library=static, it fails with:

Given the FIPS 140 integrity check only works with shared library, as
it utilizes the ELF sections, this adds an extra check on
build_shared to avoid the compilation error.
Originally spotted by GnuTLS CI at: https://gitlab.com/dueno/gnutls/-/jobs/9425635915#L509