Backport: Fix AppleClang 15 FIPS Shared Build (#1224) (#1400)

aws · Jan 13, 2024 · 0a111e8 · 0a111e8
1 parent fc24116
commit 0a111e8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/crypto/fipsmodule/CMakeLists.txt b/crypto/fipsmodule/CMakeLists.txt
@@ -417,17 +417,19 @@ elseif(FIPS_SHARED)
     # generate the output object file where all the code in the __text section
     # and all the read-only data in the __const section are between the
     # respective start and end markers.
+    if (CMAKE_OSX_DEPLOYMENT_TARGET)
+      set(OSX_VERSION_MIN_FLAG "-mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET}")
+    endif()
     add_custom_command(
       OUTPUT fips_apple_start.o
-      COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_START -o fips_apple_start.o
+      COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} ${OSX_VERSION_MIN_FLAG} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_START -o fips_apple_start.o
       DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
     )
     add_custom_command(
       OUTPUT fips_apple_end.o
-      COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_END -o fips_apple_end.o
+      COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} ${OSX_VERSION_MIN_FLAG} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_END -o fips_apple_end.o
       DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
     )
-
     add_custom_command(
       OUTPUT bcm.o
       COMMAND ${CMAKE_LINKER} -r fips_apple_start.o -force_load $<TARGET_FILE:bcm_library> fips_apple_end.o -keep_private_externs -o bcm.o

diff --git a/util/fipstools/inject_hash/inject_hash.go b/util/fipstools/inject_hash/inject_hash.go
@@ -168,7 +168,6 @@ func doLinux(objectBytes []byte, isStatic bool) ([]byte, []byte, error) {
 	return moduleText, moduleROData, nil
 }
 
-
 func doAppleOS(objectBytes []byte) ([]byte, []byte, error) {
 
 	object, err := macho.NewFile(bytes.NewReader(objectBytes))
@@ -221,6 +220,19 @@ func doAppleOS(objectBytes []byte) ([]byte, []byte, error) {
 			return nil, nil, fmt.Errorf("symbol %q at %x, which is below base of %x\n", symbol.Name, symbol.Value, base)
 		}
 
+		// Skip debugging symbols
+		//
+		// #define	N_STAB	0xe0  /* if any of these bits set, a symbolic debugging entry */
+		//
+		// "Only symbolic debugging entries have some of the N_STAB bits set and if any of these bits are set then it is
+		// a symbolic debugging entry (a stab).  In which case then the values of the n_type field (the entire field)
+		// are given in <mach-o/stab.h>"
+		//
+		// https://github.com/apple-oss-distributions/xnu/blob/main/EXTERNAL_HEADERS/mach-o/nlist.h
+		if symbol.Type&0xe0 != 0 {
+			continue
+		}
+
 		value := symbol.Value - base
 		switch symbol.Name {
 		case "_BORINGSSL_bcm_text_start":
@@ -296,8 +308,6 @@ func doAppleOS(objectBytes []byte) ([]byte, []byte, error) {
 	return moduleText, moduleROData, nil
 }
 
-
-
 func do(outPath, oInput string, arInput string, appleOS bool) error {
 	var objectBytes []byte
 	var isStatic bool
@@ -365,7 +375,6 @@ func do(outPath, oInput string, arInput string, appleOS bool) error {
 		return err
 	}
 
-
 	var zeroKey [64]byte
 	mac := hmac.New(sha256.New, zeroKey[:])