Open edewata opened 7 months ago
https://github.com/edewata/pki/actions/runs/7895266006/job/21547523359
The test for CA with request notification should be fixed by PR https://github.com/dogtagpki/pki/pull/4670.
The failure with annocheck is that you have fortify level hardcoded:
git grep FORTIFY
cmake/Modules/DefineCompilerFlags.cmake: check_c_compiler_flag("-D_FORTIFY_SOURCE=2" WITH_FORTIFY_SOURCE)
cmake/Modules/DefineCompilerFlags.cmake: if (WITH_FORTIFY_SOURCE)
cmake/Modules/DefineCompilerFlags.cmake: set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_FORTIFY_SOURCE=2")
cmake/Modules/DefineCompilerFlags.cmake: endif (WITH_FORTIFY_SOURCE)
Now -D_FORTIFY_SOURCE=3
is expected.
@abbra Thanks. The fortify level is mostly fixed by PR #4687 but rpminspect
is still complaining about that on tpsclient
:
https://github.com/dogtagpki/pki/actions/runs/8253539008/job/22575904372#step:8:5006
I guess some of the linking units were built with older flags? Some of the dependencies, perhaps?
This is how the sources are compiled for tpsclient
according to the build log:
cd /root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/tpsclient && /usr/bin/g++ -DHAVE_CONFIG_H -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/tpsclient -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient/src/include -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/apr-1 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -MD -MT base/tools/src/main/native/tpsclient/CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o -MF CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o.d -o CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o -c /root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient/src/main/Buffer.cpp
and this is how they are linked:
/usr/bin/g++ -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -rdynamic CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o CMakeFiles/tpsclient.dir/src/main/NameValueSet.cpp.o CMakeFiles/tpsclient.dir/src/main/Util.cpp.o CMakeFiles/tpsclient.dir/src/main/RA_Msg.cpp.o CMakeFiles/tpsclient.dir/src/main/Memory.cpp.o CMakeFiles/tpsclient.dir/src/main/AuthParams.cpp.o CMakeFiles/tpsclient.dir/src/apdu/APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Unblock_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Create_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Set_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Set_IssuerInfo_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_IssuerInfo_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Create_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/List_Pins_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Initialize_Update_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Version_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Status_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Data_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/External_Authenticate_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Generate_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Generate_Key_ECC_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Read_Buffer_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Read_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Write_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Put_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Select_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Delete_File_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Install_Applet_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Format_Muscle_Applet_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Load_File_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Install_Load_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Lifecycle_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/List_Objects_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Import_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Import_Key_Enc_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/APDU_Response.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Lifecycle_APDU.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Begin_Op_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_End_Op_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Login_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Login_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_SecureId_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_SecureId_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_ASQ_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_ASQ_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_New_Pin_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_New_Pin_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Token_PDU_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Token_PDU_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Status_Update_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Status_Update_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Extended_Login_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Extended_Login_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/tools/raclient/RA_Client.cpp.o CMakeFiles/tpsclient.dir/tools/raclient/RA_Conn.cpp.o CMakeFiles/tpsclient.dir/tools/raclient/RA_Token.cpp.o -o tpsclient -Wl,-rpath,:::::::::::::: -lplds4 -lplc4 -lnspr4 -lssl3 -lsmime3 -lnss3 -lnssutil3
This is how the sources are compiled for other tools which do not have annocheck
issue:
cd /root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/setpin && /usr/bin/gcc -DHAVE_CONFIG_H -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/setpin -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/setpin -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include -s -fplugin=annobin -fcf-protection=full -O2 -D_GLIBCXX_ASSERTIONS -fno-lto -D_FORTIFY_SOURCE=3 -Wall -Wextra -Wshadow -Wmissing-prototypes -Wdeclaration-after-statement -Wunused -Wfloat-equal -Wpointer-arith -Wwrite-strings -Werror=format-security -Wmissing-format-attribute -fPIC -fstack-protector-strong -D_LARGEFILE64_SOURCE -MD -MT base/tools/src/main/native/setpin/CMakeFiles/setpin.dir/b64.c.o -MF CMakeFiles/setpin.dir/b64.c.o.d -o CMakeFiles/setpin.dir/b64.c.o -c /root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/setpin/b64.c
and this is how they are linked:
/usr/bin/gcc -s -fplugin=annobin -fcf-protection=full -O2 -D_GLIBCXX_ASSERTIONS -fno-lto -D_FORTIFY_SOURCE=3 -Wall -Wextra -Wshadow -Wmissing-prototypes -Wdeclaration-after-statement -Wunused -Wfloat-equal -Wpointer-arith -Wwrite-strings -Werror=format-security -Wmissing-format-attribute -fPIC -fstack-protector-strong -D_LARGEFILE64_SOURCE -Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -rdynamic CMakeFiles/setpin.dir/b64.c.o CMakeFiles/setpin.dir/options.c.o CMakeFiles/setpin.dir/setpin.c.o CMakeFiles/setpin.dir/setpin_options.c.o -o setpin -lplds4 -lplc4 -lnspr4 -lssl3 -lsmime3 -lnss3 -lnssutil3 -lldap -llber
As you can see, tpsclient
is already using -D_FORTIFY_SOURCE=3
and it's only linked to NSS and NSPR libraries which are also used by other tools without any problem.
Does g++
vs. gcc
make a difference? Does -U_FORTIFY_SOURCE
make a difference?
@fmarco76 fyi
From the gcc documentation:
‘-Wp,OPTION’
You can use ‘-Wp,OPTION’ to bypass the compiler driver and pass
OPTION directly through to the preprocessor. If OPTION contains
commas, it is split into multiple options at the commas. However,
many options are modified, translated or interpreted by the
compiler driver before being passed to the preprocessor, and ‘-Wp’
forcibly bypasses this phase. The preprocessor’s direct interface
is undocumented and subject to change, so whenever possible you
should avoid using ‘-Wp’ and let the driver handle the options
instead.
According to https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level, -D_FORTIFY_SOURCE=3
adds a 'fortify metrics' GCC plugin into the action. -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3
bypasses this interface, it seems.
g++/ vs. gcc issue has been fixed with #4714. The remaining problem for rpminspect is the missing -fstack-clash-protection
which should be fixed by #4731
The following tests failed on Fedora 40:
healthcheck: https://github.com/edewata/pki/actions/runs/7895266030/job/21547519001
OCSP: https://github.com/edewata/pki/actions/runs/7895266016/job/21547517485
healthcheck: https://github.com/edewata/pki/actions/runs/7895266012/job/21547492461
request notification: https://github.com/edewata/pki/actions/runs/7895266006/job/21547523359