wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0

"libwolfssl.so: undefined reference to `wc_Sha256Transform'" with --enable-devcrypto=yes #4399

Closed hauke closed 3 years ago

hauke commented 3 years ago

When we set --enable-devcrypto=yes in OpenWrt, libraries linking against libwolfssl 4.8.1 fail; this worked with wolfssl 4.7.0. With --enable-devcrypto=no it works fine.

Linking fails like this:

/home/hauke/openwrt/openwrt/staging_dir/toolchain-arm_cortex-a7+neon-vfpv4_gcc-10.3.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/10.3.0/../../../../arm-openwrt-linux-muslgnueabi/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-arm_cortex-a7+neon-vfpv4_musl_eabi/usr/lib/libwolfssl.so: undefined reference to `wc_Sha256Transform'
collect2: error: ld returned 1 exit status
ninja: build stopped: subcommand failed.

I see the following difference between the working and the broken wolfssl configuration:

--- wolfssl-working.txt 2021-09-14 12:22:22.201246550 +0200
+++ wolfssl-broken.txt  2021-09-14 12:22:08.858077571 +0200
@@ -173,7 +173,7 @@
 --disable-curve25519
 --disable-afalg
 --enable-openvpn
---enable-devcrypto=no
+--enable-devcrypto=yes
 --enable-ocsp
 --enable-ocspstapling
 --enable-ocspstapling2
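Review bot: the -/+ pair on --enable-devcrypto is the only configure argument that changes in this hunk, but both builds still carry every other option (--enable-openvpn and the OCSP flags on the surrounding lines), so the comparison does not show whether devcrypto alone leaves wc_Sha256Transform unresolved or only in combination with another enabled feature. Suggest repeating the build with --enable-devcrypto=yes and the remaining options reduced to the minimum to narrow that down.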
@@ -189,6 +189,7 @@

+---
 Configuration summary for wolfssl version 4.8.1

    * Installation prefix:        /usr
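Review bot: the added line consisting of --- above "Configuration summary" is not a configure option or a feature line, and its only visible effect is the one-line offset in the next hunk header (370 versus 371). Suggest capturing both logs the same way so that the devcrypto lines are the only delta in the comparison.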
@@ -370,7 +371,7 @@
    * Xilinx Hardware Acc.:       no
    * Inline Code:                yes
    * Linux AF_ALG:               no
-   * Linux devcrypto:            no
+   * Linux devcrypto:            yes
    * Crypto callbacks:           no
    * i.MX6 CAAM:                 no

full working configuration:

Configuration summary for wolfssl version 4.8.1

   * Installation prefix:        /usr
   * System type:                openwrt-linux-gnu
   * Host CPU:                   arm
   * C Compiler:                 arm-openwrt-linux-muslgnueabi-gcc
   * C Flags:                    -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=hard -fmacro-prefix-map=/home/hauke/openwrt/openwrt/build_dir/target-arm_cortex-a7+neon-vfpv4_musl_eabi/wolfssl-4.8.1-stable=wolfssl-4.8.1-stable -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -DPIC -fpic -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto    -Wno-pragmas -Wall -Wno-strict-aliasing -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wredundant-decls -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
   * C++ Compiler:               arm-openwrt-linux-muslgnueabi-g++
   * C++ Flags:                  -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=hard -fmacro-prefix-map=/home/hauke/openwrt/openwrt/build_dir/target-arm_cortex-a7+neon-vfpv4_musl_eabi/wolfssl-4.8.1-stable=wolfssl-4.8.1-stable -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -DPIC -fpic -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto 
   * CPP Flags:                  -I/home/hauke/openwrt/openwrt/staging_dir/toolchain-arm_cortex-a7+neon-vfpv4_gcc-10.3.0_musl_eabi/usr/include -I/home/hauke/openwrt/openwrt/staging_dir/toolchain-arm_cortex-a7+neon-vfpv4_gcc-10.3.0_musl_eabi/include/fortify -I/home/hauke/openwrt/openwrt/staging_dir/toolchain-arm_cortex-a7+neon-vfpv4_gcc-10.3.0_musl_eabi/include 
   * CCAS Flags:                 -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -mfloat-abi=hard -fmacro-prefix-map=/home/hauke/openwrt/openwrt/build_dir/target-arm_cortex-a7+neon-vfpv4_musl_eabi/wolfssl-4.8.1-stable=wolfssl-4.8.1-stable -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -DPIC -fpic -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto   
   * LIB Flags:                   -pie -z relro -z now 
   * Debug enabled:              no
   * Coverage enabled:           
   * Warnings as failure:        no
   * make -j:                    no
   * VCS checkout:               no

   Features 
   * FIPS:                       no
   * Single threaded:            yes
   * Filesystem:                 yes
   * OpenSSH Build:              no
   * OpenSSL Extra API:          yes
   * OpenSSL Coexist:            no
   * Old Names:                  yes
   * Max Strength Build:         no
   * Distro Build:               no
   * Reproducible Build:         no
   * fastmath:                   yes
   * Assembly Allowed:           yes
   * sniffer:                    no
   * snifftest:                  no
   * ARC4:                       yes
   * AES:                        yes
   * AES-NI:                     no
   * AES-CBC:                    yes
   * AES-CBC length checks:      no
   * AES-GCM:                    yes
   * AES-CCM:                    yes
   * AES-CTR:                    yes
   * AES-CFB:                    no
   * AES-OFB:                    no
   * DES3:                       yes
   * IDEA:                       no
   * Camellia:                   no
   * NULL Cipher:                no
   * MD2:                        no
   * MD4:                        yes
   * MD5:                        yes
   * RIPEMD:                     no
   * SHA:                        yes
   * SHA-224:                    no
   * SHA-384:                    yes
   * SHA-512:                    yes
   * SHA3:                       no
   * SHAKE256:                   
   * BLAKE2:                     no
   * BLAKE2S:                    no
   * CMAC:                       yes
   * keygen:                     no
   * certgen:                    yes
   * certreq:                    no
   * certext:                    yes
   * certgencache:               no
   * HC-128:                     no
   * RABBIT:                     no
   * CHACHA:                     yes
   * XCHACHA:                    no
   * Hash DRBG:                  yes
   * PWDBASED:                   yes
   * scrypt:                     no
   * wolfCrypt Only:             no
   * HKDF:                       yes
   * X9.63 KDF:                  no
   * MD4:                        yes
   * PSK:                        yes
   * Poly1305:                   yes
   * LEANPSK:                    no
   * LEANTLS:                    no
   * RSA:                        yes
   * RSA-PSS:                    yes
   * DSA:                        yes
   * DH:                         yes
   * DH Default Parameters:      yes
   * ECC:                        yes
   * ECC Custom Curves:          no
   * ECC Minimum Bits:           224
   * CURVE25519:                 no
   * ED25519:                    no
   * CURVE448:                   no
   * ED448:                      no
   * FPECC:                      no
   * ECC_ENCRYPT:                no
   * ECCSI                       no
   * SAKKE                       no
   * ASN:                        yes
   * Anonymous cipher:           yes
   * CODING:                     yes
   * MEMORY:                     yes
   * I/O POOL:                   no
   * wolfSentry:                 no
   * LIGHTY:                     yes
   * HAPROXY:                    no
   * STUNNEL:                    yes
   * Apache httpd:               no
   * NGINX:                      no
   * ASIO:                       no
   * LIBWEBSOCKETS:              no
   * Qt:                         no
   * Qt Unit Testing:            no
   * SIGNAL:                     no
   * ERROR_STRINGS:              yes
   * DTLS:                       no
   * SCTP:                       no
   * Indefinite Length:          no
   * Multicast:                  no
   * SSL v3.0 (Old):             no
   * TLS v1.0 (Old):             yes
   * TLS v1.1 (Old):             yes
   * TLS v1.2:                   yes
   * TLS v1.3:                   yes
   * Post-handshake Auth:        no
   * Early Data:                 no
   * Send State in HRR Cookie:   no
   * OCSP:                       yes
   * OCSP Stapling:              yes
   * OCSP Stapling v2:           yes
   * CRL:                        yes
   * CRL-MONITOR:                no
   * Persistent session cache:   no
   * Persistent cert    cache:   no
   * Atomic User Record Layer:   no
   * Public Key Callbacks:       no
   * NTRU:                       no
   * QSH:                        no
   * Whitewood netRandom:        no
   * Server Name Indication:     yes
   * ALPN:                       yes
   * Maximum Fragment Length:    yes
   * Trusted CA Indication:      yes
   * Truncated HMAC:             yes
   * Supported Elliptic Curves:  yes
   * FFDHE only in client:       no
   * Session Ticket:             yes
   * Extended Master Secret:     yes
   * Renegotiation Indication:   no
   * Secure Renegotiation:       no
   * Fallback SCSV:              no
   * Keying Material Exporter:   no
   * All TLS Extensions:         yes
   * PKCS#7:                     no
   * S/MIME:                     no
   * wolfSSH:                    no
   * wolfTPM:                    no
   * wolfSCEP:                   no
   * Secure Remote Password:     no
   * Small Stack:                no
   * Linux Kernel Module:        no
   * valgrind unit tests:        no
   * LIBZ:                       no
   * Examples:                   no
   * Crypt tests:                no
   * Stack sizes in tests:       no
   * Heap stats in tests:        no
   * User Crypto:                no
   * Fast RSA:                   no
   * Single Precision:           no
   * SP math implementation:     no
   * Async Crypto:               no
   * PKCS#11:                    no
   * PKCS#12:                    yes
   * Cavium Nitrox:              no
   * Cavium Octeon (Sync):       no
   * Intel Quick Assist:         no
   * ARM ASM:                    no
   * AES Key Wrap:               yes
   * Write duplicate:            no
   * Xilinx Hardware Acc.:       no
   * Inline Code:                yes
   * Linux AF_ALG:               no
   * Linux devcrypto:            yes
   * Crypto callbacks:           no
   * i.MX6 CAAM:                 no

This was reported to us by @rmandrad, see https://github.com/openwrt/openwrt/commit/7d92bb0509615550b98e2dc71091073c8258d564

embhorn commented 3 years ago

@SparkiDev Could you please review this report?

peterwillcn commented 3 years ago

Any news?

embhorn commented 3 years ago

Hi @peterwillcn

We'll post an update after this has been reviewed. For priority customer support, please send a message to support@wolfssl.com

JacobBarthelmeh commented 3 years ago

Hi @peterwillcn ,

As an update on this I have reproduced the issue reported using "./configure --enable-devcrypto --enable-opensslextra" when compiling wolfSSL version 4.8.1. A fix is in process, will put a link to the PR when it gets posted.

Regards, Jacob from wolfSSL.

JacobBarthelmeh commented 3 years ago

Looks like it was some missed macro guards around a new feature added in to the compatibility layer. We have a pull request that is under review here https://github.com/wolfSSL/wolfssl/pull/4414. Thanks for the report.
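A build-time check for the failure mode in this thread, as an added example that is not part of the original issue or of wolfSSL's code: by default a shared library links even when it references one of its own functions that was compiled out, and the error only surfaces when something links against it. The symbol prefixes, the function names and the sample `nm -D` output below are constructed assumptions.

```python
import re
import subprocess

# Prefixes the library is expected to define itself (assumption for this example).
OWN_PREFIXES = ("wc_", "wolfSSL_", "wolfCrypt_")

# Constructed `nm -D` output in 32-bit layout; not taken from a real build.
SAMPLE_NM = """\
         U memcpy
         U ioctl
00012a40 T wc_InitSha256
00012b10 T wc_Sha256Update
         U wc_Sha256Transform
0003f1c8 T wolfSSL_EVP_DigestInit
         w __cxa_finalize
"""

# Optional hex address, one-letter symbol type, symbol name.
_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+)?\s*(?P<type>[A-Za-z?])\s+(?P<name>\S+)$")

# nm type letters that mean "referenced but not defined here":
# U = undefined, lowercase w / v = weak reference without a definition.
_UNDEFINED_TYPES = {"U", "w", "v"}


def nm_dynamic(path):
    """Return the dynamic symbol table of a shared object as text (needs binutils nm)."""
    return subprocess.run(["nm", "-D", path], capture_output=True,
                          text=True, check=True).stdout


def self_undefined(nm_text, prefixes=OWN_PREFIXES):
    """Return own-prefix symbols that the library imports but never exports."""
    defined, undefined = set(), set()
    for line in nm_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name = m.group("name").split("@", 1)[0]  # strip symbol version suffix
        (undefined if m.group("type") in _UNDEFINED_TYPES else defined).add(name)
    return sorted(n for n in undefined - defined if n.startswith(prefixes))


if __name__ == "__main__":
    missing = self_undefined(SAMPLE_NM)
    print("own symbols left undefined:", missing)
    raise SystemExit(1 if missing else 0)
```

Against a real build, pass `nm_dynamic("libwolfssl.so")` to `self_undefined()` after the library is linked and fail the package step on a non-empty result.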

peterwillcn commented 3 years ago

Thanks, everybody