dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Test failures on Fedora 40 #4667

Open edewata opened 7 months ago

edewata commented 7 months ago

The following tests failed on Fedora 40:

healthcheck: https://github.com/edewata/pki/actions/runs/7895266030/job/21547519001

OCSP: https://github.com/edewata/pki/actions/runs/7895266016/job/21547517485

healthcheck: https://github.com/edewata/pki/actions/runs/7895266012/job/21547492461

request notification: https://github.com/edewata/pki/actions/runs/7895266006/job/21547523359

edewata commented 7 months ago

https://github.com/edewata/pki/actions/runs/7895266006/job/21547523359

The test for CA with request notification should be fixed by PR https://github.com/dogtagpki/pki/pull/4670.

edewata commented 7 months ago

rpminspect failure: https://github.com/dogtagpki/pki/actions/runs/8057343646/job/22008485308#step:8:4678

abbra commented 7 months ago

The failure with annocheck is that you have fortify level hardcoded:

 git grep FORTIFY
cmake/Modules/DefineCompilerFlags.cmake:        check_c_compiler_flag("-D_FORTIFY_SOURCE=2" WITH_FORTIFY_SOURCE)
cmake/Modules/DefineCompilerFlags.cmake:        if (WITH_FORTIFY_SOURCE)
cmake/Modules/DefineCompilerFlags.cmake:            set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_FORTIFY_SOURCE=2")
cmake/Modules/DefineCompilerFlags.cmake:        endif (WITH_FORTIFY_SOURCE)

Now -D_FORTIFY_SOURCE=3 is expected.

edewata commented 6 months ago

@abbra Thanks. The fortify level is mostly fixed by PR #4687 but rpminspect is still complaining about that on tpsclient: https://github.com/dogtagpki/pki/actions/runs/8253539008/job/22575904372#step:8:5006

abbra commented 6 months ago

I guess some of the linking units were built with older flags? Some of the dependencies, perhaps?

edewata commented 6 months ago

This is how the sources are compiled for tpsclient according to the build log:

cd /root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/tpsclient && /usr/bin/g++ -DHAVE_CONFIG_H -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/tpsclient -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient/src/include -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/apr-1 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -MD -MT base/tools/src/main/native/tpsclient/CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o -MF CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o.d -o CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o -c /root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient/src/main/Buffer.cpp

and this is how they are linked:

/usr/bin/g++ -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -rdynamic CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o CMakeFiles/tpsclient.dir/src/main/NameValueSet.cpp.o CMakeFiles/tpsclient.dir/src/main/Util.cpp.o CMakeFiles/tpsclient.dir/src/main/RA_Msg.cpp.o CMakeFiles/tpsclient.dir/src/main/Memory.cpp.o CMakeFiles/tpsclient.dir/src/main/AuthParams.cpp.o CMakeFiles/tpsclient.dir/src/apdu/APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Unblock_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Create_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Set_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Set_IssuerInfo_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_IssuerInfo_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Create_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/List_Pins_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Initialize_Update_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Version_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Status_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Data_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/External_Authenticate_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Generate_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Generate_Key_ECC_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Read_Buffer_APDU.cpp.o 
CMakeFiles/tpsclient.dir/src/apdu/Read_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Write_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Put_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Select_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Delete_File_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Install_Applet_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Format_Muscle_Applet_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Load_File_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Install_Load_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Lifecycle_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/List_Objects_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Import_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Import_Key_Enc_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/APDU_Response.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Lifecycle_APDU.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Begin_Op_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_End_Op_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Login_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Login_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_SecureId_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_SecureId_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_ASQ_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_ASQ_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_New_Pin_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_New_Pin_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Token_PDU_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Token_PDU_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Status_Update_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Status_Update_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Extended_Login_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Extended_Login_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/tools/raclient/RA_Client.cpp.o CMakeFiles/tpsclient.dir/tools/raclient/RA_Conn.cpp.o 
CMakeFiles/tpsclient.dir/tools/raclient/RA_Token.cpp.o -o tpsclient -Wl,-rpath,:::::::::::::: -lplds4 -lplc4 -lnspr4 -lssl3 -lsmime3 -lnss3 -lnssutil3

This is how the sources are compiled for other tools which do not have the annocheck issue:

cd /root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/setpin && /usr/bin/gcc -DHAVE_CONFIG_H -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/setpin -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/setpin -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include -s -fplugin=annobin -fcf-protection=full -O2 -D_GLIBCXX_ASSERTIONS -fno-lto -D_FORTIFY_SOURCE=3 -Wall -Wextra -Wshadow -Wmissing-prototypes -Wdeclaration-after-statement -Wunused -Wfloat-equal -Wpointer-arith -Wwrite-strings -Werror=format-security -Wmissing-format-attribute -fPIC -fstack-protector-strong -D_LARGEFILE64_SOURCE -MD -MT base/tools/src/main/native/setpin/CMakeFiles/setpin.dir/b64.c.o -MF CMakeFiles/setpin.dir/b64.c.o.d -o CMakeFiles/setpin.dir/b64.c.o -c /root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/setpin/b64.c

and this is how they are linked:

/usr/bin/gcc -s -fplugin=annobin -fcf-protection=full -O2 -D_GLIBCXX_ASSERTIONS -fno-lto -D_FORTIFY_SOURCE=3 -Wall -Wextra -Wshadow -Wmissing-prototypes -Wdeclaration-after-statement -Wunused -Wfloat-equal -Wpointer-arith -Wwrite-strings -Werror=format-security -Wmissing-format-attribute -fPIC -fstack-protector-strong -D_LARGEFILE64_SOURCE -Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -rdynamic CMakeFiles/setpin.dir/b64.c.o CMakeFiles/setpin.dir/options.c.o CMakeFiles/setpin.dir/setpin.c.o CMakeFiles/setpin.dir/setpin_options.c.o -o setpin -lplds4 -lplc4 -lnspr4 -lssl3 -lsmime3 -lnss3 -lnssutil3 -lldap -llber

As you can see, tpsclient is already using -D_FORTIFY_SOURCE=3 and it's only linked to NSS and NSPR libraries which are also used by other tools without any problem.

Does g++ vs. gcc make a difference? Does -U_FORTIFY_SOURCE make a difference?

edewata commented 6 months ago

@fmarco76 fyi

abbra commented 6 months ago

From the gcc documentation:

‘-Wp,OPTION’
     You can use ‘-Wp,OPTION’ to bypass the compiler driver and pass
     OPTION directly through to the preprocessor.  If OPTION contains
     commas, it is split into multiple options at the commas.  However,
     many options are modified, translated or interpreted by the
     compiler driver before being passed to the preprocessor, and ‘-Wp’
     forcibly bypasses this phase.  The preprocessor’s direct interface
     is undocumented and subject to change, so whenever possible you
     should avoid using ‘-Wp’ and let the driver handle the options
     instead.

According to https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level, -D_FORTIFY_SOURCE=3 adds a 'fortify metrics' GCC plugin into the action. -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 bypasses this interface, it seems.

fmarco76 commented 5 months ago

The g++ vs. gcc issue has been fixed with #4714. The remaining problem for rpminspect is the missing -fstack-clash-protection, which should be fixed by #4731.
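
Added example, not part of the thread or of the dogtagpki code base: a small pre-build check that reads a logged compiler command, works out which `_FORTIFY_SOURCE` level is left in effect after the `-U`/`-D` and `-Wp,` options, and reports the hardening flags discussed above when they are absent. Assumptions: the required level and flag list are taken from this thread rather than from annocheck's rule set (annocheck inspects the built binaries, not the command line), macro options are modeled in command-line order, and the sample commands are constructed.

```python
import shlex

# Assumed policy, taken from flags named in this thread (not annocheck's rule set).
REQUIRED_LEVEL = 3
REQUIRED_FLAGS = ("-fstack-protector-strong", "-fstack-clash-protection", "-fcf-protection")

def expand(cmd):
    """Tokenize a logged compiler command; split -Wp,a,b into a and b."""
    return [opt for tok in shlex.split(cmd)
            for opt in (tok[4:].split(",") if tok.startswith("-Wp,") else [tok])]

def fortify_level(cmd):
    """Last _FORTIFY_SOURCE value in effect, or None if undefined.
    Assumption: -D/-U apply in command-line order, -Wp, forms in place."""
    level = None
    for tok in expand(cmd):
        if tok == "-U_FORTIFY_SOURCE":
            level = None
        elif tok == "-D_FORTIFY_SOURCE":
            level = 1  # a bare -DNAME defines NAME as 1
        elif tok.startswith("-D_FORTIFY_SOURCE="):
            value = tok.split("=", 1)[1]
            level = int(value) if value.isdigit() else None
    return level

def audit(cmd):
    """Return a list of findings; an empty list means the command passes."""
    toks, findings = expand(cmd), []
    level = fortify_level(cmd)
    if level != REQUIRED_LEVEL:
        findings.append(f"_FORTIFY_SOURCE={level}, expected {REQUIRED_LEVEL}")
    opt = [t for t in toks if t.startswith("-O")]
    if not opt or opt[-1] == "-O0":
        findings.append("no optimization, so _FORTIFY_SOURCE has no effect")
    findings += [f"missing {f}" for f in REQUIRED_FLAGS if not any(
        t == f or (t.startswith(f + "=") and t != f + "=none") for t in toks)]
    return findings

# Constructed command lines, shortened from the flags quoted in the thread.
HARDENED = ("g++ -O2 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -fstack-protector-strong "
            "-fstack-clash-protection -fcf-protection -c Buffer.cpp")
APPENDED = HARDENED + " -D_FORTIFY_SOURCE=2"  # a hardcoded level added last
NO_CLASH = ("gcc -fcf-protection=full -O2 -D_FORTIFY_SOURCE=3 "
            "-fstack-protector-strong -c b64.c")

if __name__ == "__main__":
    for cmd in (HARDENED, APPENDED, NO_CLASH):
        print(audit(cmd) or "ok", "<-", cmd[:40])
```
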