From 0a111e8f622c7057d538289cfc9bc30ecdbc8135 Mon Sep 17 00:00:00 2001
From: Justin W Smith <103147162+justsmth@users.noreply.github.com>
Date: Fri, 12 Jan 2024 19:28:28 -0500
Subject: [PATCH] Backport: Fix AppleClang 15 FIPS Shared Build (#1224) (#1400)
---
 crypto/fipsmodule/CMakeLists.txt | 8 +++++---
 util/fipstools/inject_hash/inject_hash.go | 17 +++++++++++++----
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/crypto/fipsmodule/CMakeLists.txt b/crypto/fipsmodule/CMakeLists.txt
index b7b453d93c..dab39b774e 100644
--- a/crypto/fipsmodule/CMakeLists.txt
+++ b/crypto/fipsmodule/CMakeLists.txt
@@ -417,17 +417,19 @@ elseif(FIPS_SHARED)
 # generate the output object file where all the code in the __text section
 # and all the read-only data in the __const section are between the
 # respective start and end markers.
+ if (CMAKE_OSX_DEPLOYMENT_TARGET)
+ set(OSX_VERSION_MIN_FLAG "-mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET}")
+ endif()
 add_custom_command(
 OUTPUT fips_apple_start.o
- COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_START -o fips_apple_start.o
+ COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} ${OSX_VERSION_MIN_FLAG} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_START -o fips_apple_start.o
 DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
 )
 add_custom_command(
 OUTPUT fips_apple_end.o
- COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_END -o fips_apple_end.o
+ COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} ${OSX_VERSION_MIN_FLAG} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_END -o fips_apple_end.o
 DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
 )
-
 add_custom_command(
 OUTPUT bcm.o
 COMMAND ${CMAKE_LINKER} -r fips_apple_start.o -force_load $ fips_apple_end.o -keep_private_externs -o bcm.o
diff --git a/util/fipstools/inject_hash/inject_hash.go b/util/fipstools/inject_hash/inject_hash.go
index 3d1d8dc4b4..e4905be6b3 100644
--- a/util/fipstools/inject_hash/inject_hash.go
+++ b/util/fipstools/inject_hash/inject_hash.go
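Review bot: `OSX_VERSION_MIN_FLAG` is assigned only inside the added `if (CMAKE_OSX_DEPLOYMENT_TARGET)` in the crypto/fipsmodule/CMakeLists.txt hunk, so when the deployment target is empty both `COMMAND` lines expand whatever value that name already holds from an enclosing scope or the cache. These two objects are the start and end markers of the FIPS module, so their compile flags should not depend on leftover state; adding `set(OSX_VERSION_MIN_FLAG "")` just before the `if` makes the empty case explicit. Separately, the new flag now directly follows the unquoted `-isysroot ${CMAKE_OSX_SYSROOT}`, and if that variable is ever empty the compiler would presumably consume the version flag as the sysroot path, so `-isysroot` deserves the same kind of guard. The enclosing `elseif(FIPS_SHARED)` branch starts and ends outside the hunk.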
@@ -168,7 +168,6 @@ func doLinux(objectBytes []byte, isStatic bool) ([]byte, []byte, error) { return moduleText, moduleROData, nil } - func doAppleOS(objectBytes []byte) ([]byte, []byte, error) { object, err := macho.NewFile(bytes.NewReader(objectBytes)) @@ -221,6 +220,19 @@ func doAppleOS(objectBytes []byte) ([]byte, []byte, error) { return nil, nil, fmt.Errorf("symbol %q at %x, which is below base of %x\n", symbol.Name, symbol.Value, base) } + // Skip debugging symbols + // + // #define N_STAB 0xe0 /* if any of these bits set, a symbolic debugging entry */ + // + // "Only symbolic debugging entries have some of the N_STAB bits set and if any of these bits are set then it is + // a symbolic debugging entry (a stab). In which case then the values of the n_type field (the entire field) + // are given in " + // + // https://github.com/apple-oss-distributions/xnu/blob/main/EXTERNAL_HEADERS/mach-o/nlist.h + if symbol.Type&0xe0 != 0 { + continue + } + value := symbol.Value - base switch symbol.Name { case "_BORINGSSL_bcm_text_start": @@ -296,8 +308,6 @@ func doAppleOS(objectBytes []byte) ([]byte, []byte, error) { return moduleText, moduleROData, nil } - - func do(outPath, oInput string, arInput string, appleOS bool) error { var objectBytes []byte var isStatic bool @@ -365,7 +375,6 @@ func do(outPath, oInput string, arInput string, appleOS bool) error { return err } - var zeroKey [64]byte mac := hmac.New(sha256.New, zeroKey[:])
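Review bot: The added `symbol.Type&0xe0` filter in the second inject_hash.go hunk (`@@ -221,6 +220,19 @@`) sits after the block that returns the "below base" error, so a debugging entry can still abort hash injection before it is skipped. The guarding condition is outside the hunk, so this is inferred, but if stab entries can carry values below `base` the skip should move above that check. Naming the mask would also help, for example `const machoNStab = 0xe0 // N_STAB mask, mach-o/nlist.h` with `if symbol.Type&machoNStab != 0 { continue }`, so the marker-selection logic that bounds the integrity hash reads without the long quoted comment. The remaining hunks on this line only remove blank lines, and `doAppleOS` starts and ends outside the hunk.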