search

Yubico / libfido2

Provides library functionality for FIDO2, including communication with a device over USB or NFC.
Other
598 stars 152 forks source link

cmake check HAVE_STACK_PROTECTOR_ALL is broken #443

Closed glaubitz closed 3 years ago

glaubitz commented 3 years ago

libfido2 currently fails to build on Debian alpha, hppa and ia64 because the check for HAVE_STACK_PROTECTOR_ALL is broken.

Despite the host compiler not supporting the flag -fstack-protector, the test still succeeds and libfido2 will try to build with -fstack-protector which fails since the flag causes a warning which is treated like an error due to -Werror:

-- The C compiler identification is GNU 11.2.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Performing Test HAVE_SHORTEN_64_TO_32
-- Performing Test HAVE_SHORTEN_64_TO_32 - Failed
-- Performing Test HAVE_STACK_PROTECTOR_ALL
-- Performing Test HAVE_STACK_PROTECTOR_ALL - Success

and

cd /<<PKGBUILDDIR>>/obj-alpha-linux-gnu/src && /usr/bin/cc -DHAVE_CBOR_H -DHAVE_CLOCK_GETTIME -DHAVE_DEV_URANDOM -DHAVE_ENDIAN_H -DHAVE_ERR_H -DHAVE_EXPLICIT_BZERO -DHAVE_GETLINE -DHAVE_GETOPT -DHAVE_GETPAGESIZE -DHAVE_GETRANDOM -DHAVE_OPENSSLV_H -DHAVE_SIGACTION -DHAVE_SIGNAL_H -DHAVE_SYSCONF -DHAVE_SYS_RANDOM_H -DHAVE_UNISTD_H -DSIGNAL_EXAMPLE -DTLS=__thread -D_FIDO_INTERNAL -D_FIDO_MAJOR=1 -D_FIDO_MINOR=8 -D_FIDO_PATCH=0 -Dfido2_shared_EXPORTS -I/<<PKGBUILDDIR>>/src -D_POSIX_C_SOURCE=200809L -D_BSD_SOURCE -D_GNU_SOURCE -D_DEFAULT_SOURCE -std=c99 -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -specs=/usr/share/dpkg/pie-compile.specs -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Wall -Wextra -Werror -Wshadow -Wcast-qual -Wwrite-strings -Wmissing-prototypes -Wbad-function-cast -pedantic -pedantic-errors -fstack-protector-all -Wno-unused-result -Wconversion -Wsign-conversion -o CMakeFiles/fido2_shared.dir/aes256.c.o -c /<<PKGBUILDDIR>>/src/aes256.c
cd /<<PKGBUILDDIR>>/obj-alpha-linux-gnu/src && /usr/bin/cc -DHAVE_CBOR_H -DHAVE_CLOCK_GETTIME -DHAVE_DEV_URANDOM -DHAVE_ENDIAN_H -DHAVE_ERR_H -DHAVE_EXPLICIT_BZERO -DHAVE_GETLINE -DHAVE_GETOPT -DHAVE_GETPAGESIZE -DHAVE_GETRANDOM -DHAVE_OPENSSLV_H -DHAVE_SIGACTION -DHAVE_SIGNAL_H -DHAVE_SYSCONF -DHAVE_SYS_RANDOM_H -DHAVE_UNISTD_H -DSIGNAL_EXAMPLE -DTLS=__thread -D_FIDO_INTERNAL -D_FIDO_MAJOR=1 -D_FIDO_MINOR=8 -D_FIDO_PATCH=0 -I/<<PKGBUILDDIR>>/src -D_POSIX_C_SOURCE=200809L -D_BSD_SOURCE -D_GNU_SOURCE -D_DEFAULT_SOURCE -std=c99 -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -specs=/usr/share/dpkg/pie-compile.specs -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Wall -Wextra -Werror -Wshadow -Wcast-qual -Wwrite-strings -Wmissing-prototypes -Wbad-function-cast -pedantic -pedantic-errors -fstack-protector-all -Wno-unused-result -Wconversion -Wsign-conversion -o CMakeFiles/fido2.dir/aes256.c.o -c /<<PKGBUILDDIR>>/src/aes256.c
cc1: error: ‘-fstack-protector’ not supported for this target [-Werror]
cc1: error: ‘-fstack-protector’ not supported for this target [-Werror]
cc1: all warnings being treated as errors
cc1: all warnings being treated as errors
make[3]: *** [src/CMakeFiles/fido2_shared.dir/build.make:85: src/CMakeFiles/fido2_shared.dir/aes256.c.o] Error 1
make[3]: Leaving directory '/<<PKGBUILDDIR>>/obj-alpha-linux-gnu'
make[2]: *** [CMakeFiles/Makefile2:229: src/CMakeFiles/fido2_shared.dir/all] Error 2
make[2]: *** Waiting for unfinished jobs....
make[3]: *** [src/CMakeFiles/fido2.dir/build.make:85: src/CMakeFiles/fido2.dir/aes256.c.o] Error 1
make[3]: *** Waiting for unfinished jobs....
[  0%] Building C object src/CMakeFiles/fido2.dir/assert.c.o
cd /<<PKGBUILDDIR>>/obj-alpha-linux-gnu/src && /usr/bin/cc -DHAVE_CBOR_H -DHAVE_CLOCK_GETTIME -DHAVE_DEV_URANDOM -DHAVE_ENDIAN_H -DHAVE_ERR_H -DHAVE_EXPLICIT_BZERO -DHAVE_GETLINE -DHAVE_GETOPT -DHAVE_GETPAGESIZE -DHAVE_GETRANDOM -DHAVE_OPENSSLV_H -DHAVE_SIGACTION -DHAVE_SIGNAL_H -DHAVE_SYSCONF -DHAVE_SYS_RANDOM_H -DHAVE_UNISTD_H -DSIGNAL_EXAMPLE -DTLS=__thread -D_FIDO_INTERNAL -D_FIDO_MAJOR=1 -D_FIDO_MINOR=8 -D_FIDO_PATCH=0 -I/<<PKGBUILDDIR>>/src -D_POSIX_C_SOURCE=200809L -D_BSD_SOURCE -D_GNU_SOURCE -D_DEFAULT_SOURCE -std=c99 -g -O2 -ffile-prefix-map=/<<PKGBUILDDIR>>=. -specs=/usr/share/dpkg/pie-compile.specs -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Wall -Wextra -Werror -Wshadow -Wcast-qual -Wwrite-strings -Wmissing-prototypes -Wbad-function-cast -pedantic -pedantic-errors -fstack-protector-all -Wno-unused-result -Wconversion -Wsign-conversion -o CMakeFiles/fido2.dir/assert.c.o -c /<<PKGBUILDDIR>>/src/assert.c
cc1: error: ‘-fstack-protector’ not supported for this target [-Werror]
cc1: all warnings being treated as errors

The check HAVE_STACK_PROTECTOR_ALL should most likely be performed with -Werror turned on.

Full log here: https://buildd.debian.org/status/fetch.php?pkg=libfido2&arch=alpha&ver=1.8.0-1&stamp=1629096735&raw=0

jrtc27 commented 3 years ago

FWIW this also breaks compiling for CHERI/Arm's Morello, where the stack protector is rendered obsolete and so we turn the flag into a no-op that warns about it being obsolete. For #437 I just patched out the relevant lines locally as it wasn't relevant (my motivation for that PR was that FreeBSD has recently imported libfido2 into the base system, and so we need it to build and work downstream in the CheriBSD fork, but FreeBSD doesn't use upstream build systems for imported code, it wires it up to its own Makefiles).

LDVG commented 3 years ago

Resolved via #444.