From cb9022d74e1f902c14b4378221727cfefe8b37c4 Mon Sep 17 00:00:00 2001
From: Sean McGrail <549813+skmcgrail@users.noreply.github.com>
Date: Mon, 9 Oct 2023 12:17:50 -0700
Subject: [PATCH] Fix AppleClang 15 FIPS Shared Build (#1224)
---
 crypto/fipsmodule/CMakeLists.txt | 4 ++--
 util/fipstools/inject_hash/inject_hash.go | 17 +++++++++++++----
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/crypto/fipsmodule/CMakeLists.txt b/crypto/fipsmodule/CMakeLists.txt
index a52e5e9a8b..db325bc60c 100644
--- a/crypto/fipsmodule/CMakeLists.txt
+++ b/crypto/fipsmodule/CMakeLists.txt
@@ -460,12 +460,12 @@ elseif(FIPS_SHARED)
 # respective start and end markers.
 add_custom_command(
 OUTPUT fips_apple_start.o
- COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_START -o fips_apple_start.o
+ COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_START -o fips_apple_start.o
 DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
 )
 add_custom_command(
 OUTPUT fips_apple_end.o
- COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_END -o fips_apple_end.o
+ COMMAND ${CMAKE_C_COMPILER} -arch ${CMAKE_SYSTEM_PROCESSOR} -isysroot ${CMAKE_OSX_SYSROOT} -mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET} -c ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c -DAWSLC_FIPS_SHARED_END -o fips_apple_end.o
 DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fips_shared_library_marker.c
 )
diff --git a/util/fipstools/inject_hash/inject_hash.go b/util/fipstools/inject_hash/inject_hash.go
index 85e201f53b..0d1e15732d 100644
--- a/util/fipstools/inject_hash/inject_hash.go
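Review bot: Both added `-mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET}` arguments expand to a bare `-mmacosx-version-min=` when CMAKE_OSX_DEPLOYMENT_TARGET is empty, which can happen when neither the cache variable nor the MACOSX_DEPLOYMENT_TARGET environment variable is set; the compiler is then likely to reject the marker compile. Nothing visible in this hunk guarantees the variable is populated. I would build the flag conditionally and pass the resulting variable in both custom commands: `if(CMAKE_OSX_DEPLOYMENT_TARGET)`, `set(FIPS_APPLE_MIN_VERSION_FLAG "-mmacosx-version-min=${CMAKE_OSX_DEPLOYMENT_TARGET}")`, `endif()`. These two objects delimit the region covered by the FIPS integrity hash, so a one-line comment saying that they must be compiled for the same deployment target as the rest of the module would also help the next reader.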
+++ b/util/fipstools/inject_hash/inject_hash.go
@@ -168,7 +168,6 @@ func doLinux(objectBytes []byte, isStatic bool) ([]byte, []byte, error) {
 return moduleText, moduleROData, nil
 }
-
 func doAppleOS(objectBytes []byte) ([]byte, []byte, error) {
 object, err := macho.NewFile(bytes.NewReader(objectBytes))
@@ -221,6 +220,19 @@ func doAppleOS(objectBytes []byte) ([]byte, []byte, error) {
 return nil, nil, fmt.Errorf("symbol %q at %x, which is below base of %x\n", symbol.Name, symbol.Value, base)
 }
+ // Skip debugging symbols
+ //
+ // #define N_STAB 0xe0 /* if any of these bits set, a symbolic debugging entry */
+ //
+ // "Only symbolic debugging entries have some of the N_STAB bits set and if any of these bits are set then it is
+ // a symbolic debugging entry (a stab). In which case then the values of the n_type field (the entire field)
+ // are given in "
+ //
+ // https://github.com/apple-oss-distributions/xnu/blob/main/EXTERNAL_HEADERS/mach-o/nlist.h
+ if symbol.Type&0xe0 != 0 {
+ continue
+ }
+
 value := symbol.Value - base
 switch symbol.Name {
 case "_BORINGSSL_bcm_text_start":
@@ -296,8 +308,6 @@ func doAppleOS(objectBytes []byte) ([]byte, []byte, error) {
 return moduleText, moduleROData, nil
 }
-
-
 func do(outPath, oInput string, arInput string, appleOS bool) error {
 var objectBytes []byte
 var isStatic bool
@@ -365,7 +375,6 @@ func do(outPath, oInput string, arInput string, appleOS bool) error {
 return err
 }
-
 var zeroKey [64]byte
 mac := hmac.New(sha256.New, zeroKey[:])
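Review bot: In the doAppleOS hunk at -221, the new stab filter `if symbol.Type&0xe0 != 0 { continue }` runs after the `symbol.Value < base` check, so a debugging entry whose value lies below the section base still aborts the tool with the "below base" error instead of being skipped. Stab entries do not describe the module boundaries that the `switch symbol.Name` below records for the integrity hash, so the filter would be safer as the first test in the loop body, before any use of `symbol.Value`. The loop header and any earlier section filtering are outside this hunk, so the exact position needs confirming against the full function. The mask would also read better as a named constant, e.g. `const machoNStab = 0xe0 // N_STAB in mach-o/nlist.h`, with the check written as `symbol.Type&machoNStab != 0`.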