From 62ea3ccd2705b7e95016c646b260fa05fbd62c28 Mon Sep 17 00:00:00 2001
From: Rajeev Ranjan
Date: Tue, 15 Oct 2024 13:39:54 +0200
Subject: [PATCH 01/10] remove REQUIRED from find_package for OpenSSL as it occasionally fails.
---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index eba5dad..b39719e 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -30,7 +30,7 @@ endif()
 if(DEFINED ENV{OPENSSL_LIB})
 set(OPENSSL_LIB $ENV{OPENSSL_LIB})
 endif()
-find_package(OpenSSL QUIET REQUIRED COMPONENTS SSL Crypto)
+find_package(OpenSSL QUIET COMPONENTS SSL Crypto) # We do not use REQUIRED, as it occasionally fails. Warning can likely be ignored.
 if("$ENV{OPENSSL_DIR}" STREQUAL "" OR NOT DEFINED ENV{OPENSSL_LIB})
 message(STATUS "using OpenSSL package, with version ${OPENSSL_VERSION}")
 endif()
From 5349c6b0f2545dc77ee30decab4363f009391d48 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 18 Oct 2024 19:57:35 +0200
Subject: [PATCH 02/10] Makefile_v1: add -Werror only if NDEBUG is defined
---
 Makefile_v1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile_v1 b/Makefile_v1
index fe9e8c9..c201642 100644
--- a/Makefile_v1
+++ b/Makefile_v1
@@ -74,7 +74,7 @@ endif
 ifdef NDEBUG
 DEBUG_FLAGS ?= -O2
- override DEBUG_FLAGS += -DNDEBUG=1
+ override DEBUG_FLAGS += -DNDEBUG=1 -Werror
 else
 DEBUG_FLAGS ?= -g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all # not every compiler(version) supports -Og
 endif
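Review bot: With `QUIET` kept and `REQUIRED` dropped, a failed OpenSSL lookup in this `find_package` call now passes silently: the following `message(STATUS ...)` lines print empty values and the failure only surfaces later at compile or link time, possibly against whatever headers the compiler finds by default. For a library whose purpose is crypto and TLS handling, the configure step should stop when the intended OpenSSL is not found, e.g. `if(NOT OPENSSL_FOUND)` / `message(FATAL_ERROR "OpenSSL not found; set OPENSSL_DIR")` / `endif()` right after the call. The trailing comment should also name the failure it works around instead of saying the warning can likely be ignored. PATCH 05/10 later in this series reinstates `REQUIRED`.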
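Review bot: `-Werror` is moved into the `ifdef NDEBUG` branch, so it now applies to release builds only and the default debug/sanitizer build no longer fails on warnings; the second hunk of this patch removes it from the unconditional `CFLAGS` line. The comment added to src/CMakeLists.txt in PATCH 06/10 states the opposite ("enabled only for development and CI using Makefile_v1 without NDEBUG"), so either the flag belongs in the `else` branch or that comment and this commit subject need to agree. If the release placement is intended, a line such as `# -Werror only in release mode: <reason>` above the `override` would record why.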
@@ -84,8 +84,8 @@ override CFLAGS += $(DEBUG_FLAGS) \
 -Wsign-compare -Wpointer-arith -Wunused-parameter
 # TODO clean up code and re-enable warnings instead:
 override CFLAGS += -Wno-conversion -Wno-sign-conversion \
- -Wno-shadow -Wno-declaration-after-statement -Wno-vla
-override CFLAGS += -pedantic -DPEDANTIC -Werror
+ -Wno-shadow -Wno-declaration-after-statement -Wno-vla -Wno-gnu-folding-constant
+override CFLAGS += -pedantic -DPEDANTIC
 ################################################################################
 # Obligatory flags
From 7215ac31038f59471c0d868274356f73bbca4019 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 18 Oct 2024 19:58:27 +0200
Subject: [PATCH 03/10] src/CMakeLists.txt,README.md: add support for clang version 19.1.1 (adding -Wno-gnu-folding-constant)
---
 README.md | 12 ++++++------
 src/CMakeLists.txt | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index b6426a1..fd3fea7 100644
--- a/README.md
+++ b/README.md
@@ -48,15 +48,15 @@ also on a virtual machine or the Windows Subsystem for Linux ([WSL](https://docs
 and with MacOS.
 The following network and development tools are needed or recommended.
-* Git (for getting the software, tested with versions 2.7.2, 2.11.0, 2.20, 2.30.2, 2.39.2)
-* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested with versions 3.18.4, 3.26.3, 3.27.7)
-* GNU make (tested with versions 3.81, 4.1, 4.2.1, 4.3)
-* GNU C compiler (gcc, tested with versions 5.4.0, 7.3.0, 8.3.0, 10.0.1, 10.2.1)
- or clang (tested with version 14.0.3 and 17.0.3)
+* Git (for getting the software, tested versions include 2.7.2, 2.11.0, 2.20, 2.30.2, 2.39.2, 2.47.0)
+* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.26.3, 3.27.7)
+* GNU make (tested versions include 3.81, 4.1, 4.2.1, 4.3)
+* GNU C compiler (gcc, tested versions include 5.4.0, 7.3.0, 8.3.0, 10.0.1, 10.2.1, 12.2.0)
+ or clang (tested versions include 14.0.3, 17.0.3, 19.1.1)
 The following OSS components are used.
 * OpenSSL development edition, at least version 1.1.1. Tested, among others,
- with 1.0.2u, 1.1.0f, 1.1.0g, 1.1.1d, 1.1.1i, 1.1.1l, and 3.0.0.
+ with 1.0.2u, 1.1.0f, 1.1.0g, 1.1.1d, 1.1.1i, 1.1.1l, 3.0, 3.1, 3.2, 3.3, 3.4.
**Warning:** OpenSSL 1.1.1 (on Mint 19) contains a bug where used cipher suite (level 3) is empty (1.1.1d on Buster works correctly) * optionally: [github.com/siemens/libuta](https://github.com/siemens/libuta) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index efa4b46..99192d1 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -7,7 +7,7 @@ target_compile_options(secutils_compilation_options INTERFACE # TODO clean up code and re-enable warnings instead: -Wno-conversion -Wno-sign-conversion -Wno-c99-extensions - -Wno-shadow -Wno-declaration-after-statement -Wno-vla + -Wno-shadow -Wno-declaration-after-statement -Wno-vla -Wno-gnu-folding-constant ) target_compile_definitions(secutils_compilation_options INTERFACE PEDANTIC) From e5338a4e5020b36e9c60a88b526c1548367f3ed6 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 19 Oct 2024 16:41:58 +0200 Subject: [PATCH 04/10] Makefile_v1: clean target: avoid errors trying to remove files not (anymore) existing --- Makefile_v1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile_v1 b/Makefile_v1 index c201642..5709d7a 100644 --- a/Makefile_v1 +++ b/Makefile_v1 @@ -296,8 +296,8 @@ clean_all: clean clean_deb -not -path ./src/libsecutils/security-utilities_libraryConfig.cmake \ -not -path ./src/util/security-utilities_icvutilConfig.cmake \ -not -path ./coverage/Makefile \ - | xargs rm - find . -name CMakeFiles | xargs rm -r + | xargs rm 2>/dev/null || true + find . -name CMakeFiles | xargs rm -r 2>/dev/null || true rm -f install_manifest*.txt rm -fr doc refman.pdf CMakeDoxyfile.in Doxyfile.security-utilities_doxygen Doxyfile.doc *.gcov reports rm -fr _CPack_Packages Makefile CMakeCache.txt From 7e41b10b86d4209e6e8af5a37e38d872eebe6b48 Mon Sep 17 00:00:00 2001 
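Review bot: Appending `2>/dev/null || true` to both `xargs rm` pipelines hides every failure of `rm` (permission errors, paths that are not what was expected), not only the empty-input case the commit targets. `find ... | xargs rm` also splits on whitespace, so a path containing a space is passed to `rm` as several arguments. Letting find do the deletion avoids both: `find . -name CMakeFiles -prune -exec rm -rf {} +` for the second command and `-exec rm -f {} +` in place of `| xargs rm` for the first. The first find command starts above the hunk, so its full filter list is not visible here.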
From: "Dr. David von Oheimb"
Date: Sat, 19 Oct 2024 16:49:36 +0200
Subject: [PATCH 05/10] CMakeLists.txt,REAME.md: improve use and diagnostics of OpenSSL package detection
---
 CMakeLists.txt | 42 +++++++++++++++++++++++++++++-------------
 README.md | 22 +++++++++++++++-------
 2 files changed, 44 insertions(+), 20 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b39719e..9d25263 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -21,21 +21,32 @@ elseif(NOT CMAKE_BUILD_TYPE)
 endif()
 message(STATUS "Build mode: ${CMAKE_BUILD_TYPE}")
-# https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
-if(NOT "$ENV{OPENSSL_DIR}" STREQUAL "")
- set(OPENSSL_ROOT_DIR $ENV{OPENSSL_DIR})
- set(OPENSSL_INCLUDE_DIR "$ENV{OPENSSL_DIR}/include")
- set(OPENSSL_LIB $ENV{OPENSSL_DIR})
+set(OPENSSL_COMPONENTS REQUIRED COMPONENTS Crypto SSL) # TODO SSL should not be needed if SECUTILS_NO_TLS
+# improved from https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html
+if(NOT DEFINED OPENSSL_ROOT_DIR AND NOT "$ENV{OPENSSL_DIR}" STREQUAL "")
+ get_filename_component(OPENSSL_ROOT_DIR "$ENV{OPENSSL_DIR}" ABSOLUTE)
+ set(OPENSSL_INCLUDE_DIR "${OPENSSL_ROOT_DIR}/include")
 endif()
-if(DEFINED ENV{OPENSSL_LIB})
- set(OPENSSL_LIB $ENV{OPENSSL_LIB})
+if(NOT DEFINED OPENSSL_FOUND) # not already done by superordinate module
+ if(DEFINED OPENSSL_ROOT_DIR)
+ find_package(OpenSSL HINTS "${OPENSSL_ROOT_DIR}" NO_DEFAULT_PATH ${OPENSSL_COMPONENTS})
+ else()
+ find_package(OpenSSL ${OPENSSL_COMPONENTS})
+ endif()
+ STRING(REGEX REPLACE "/?/libcrypto\..*" "" OPENSSL_LIB "${OPENSSL_CRYPTO_LIBRARY}")
 endif()
-find_package(OpenSSL QUIET COMPONENTS SSL Crypto) # We do not use REQUIRED, as it occasionally fails. Warning can likely be ignored.
-if("$ENV{OPENSSL_DIR}" STREQUAL "" OR NOT DEFINED ENV{OPENSSL_LIB})
- message(STATUS "using OpenSSL package, with version ${OPENSSL_VERSION}")
+message(STATUS "using OpenSSL version ${OPENSSL_VERSION}")
+message(STATUS "using OpenSSL inc dir ${OPENSSL_INCLUDE_DIR}")
+STRING(REGEX REPLACE ";.*" "" OPENSSL_INCLUDE_DIR "${OPENSSL_INCLUDE_DIR}")
+if(NOT EXISTS "${OPENSSL_INCLUDE_DIR}/openssl")
+ message(FATAL_ERROR "OpenSSL include directory does not exist: ${OPENSSL_INCLUDE_DIR}/openssl")
 endif()
-message(STATUS "using OpenSSL hdrs from ${OPENSSL_INCLUDE_DIR}")
-if(NOT "${OPENSSL_LIB}" STREQUAL "")
+if(NOT DEFINED OPENSSL_LIB_SET AND NOT "$ENV{OPENSSL_LIB}" STREQUAL "")
+ set(OPENSSL_LIB_SET 1)
+ get_filename_component(OPENSSL_LIB "$ENV{OPENSSL_LIB}" ABSOLUTE)
+ if(NOT EXISTS "${OPENSSL_LIB}")
+ message(FATAL_ERROR "directory OPENSSL_LIB does not exist: ${OPENSSL_LIB}")
+ endif()
 if(TARGET OpenSSL::Crypto)
 set(OPENSSL_CRYPTO_LIBRARY "${OPENSSL_LIB}/libcrypto${CMAKE_SHARED_LIBRARY_SUFFIX}")
 set_target_properties(OpenSSL::Crypto PROPERTIES IMPORTED_LOCATION ${OPENSSL_CRYPTO_LIBRARY})
@@ -44,8 +55,13 @@ if(NOT "${OPENSSL_LIB}" STREQUAL "")
 set(OPENSSL_SSL_LIBRARY "${OPENSSL_LIB}/libssl${CMAKE_SHARED_LIBRARY_SUFFIX}")
 set_target_properties(OpenSSL::SSL PROPERTIES IMPORTED_LOCATION ${OPENSSL_SSL_LIBRARY})
 endif()
+ # set(OPENSSL_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY} ${OPENSSL_SSL_LIBRARY})
+endif()
+message(STATUS "using OpenSSL lib dir ${OPENSSL_LIB}")
+message(STATUS "using OpenSSL library ${OPENSSL_CRYPTO_LIBRARY}, ${OPENSSL_SSL_LIBRARY}")
+if(NOT EXISTS "${OPENSSL_CRYPTO_LIBRARY}")
+ message(FATAL_ERROR "OpenSSL crypto library file does not exist: ${OPENSSL_CRYPTO_LIBRARY}")
 endif()
-message(STATUS "using OpenSSL libraries ${OPENSSL_CRYPTO_LIBRARY}, ${OPENSSL_SSL_LIBRARY}")
 option(SECURITY_UTILITIES_USE_UTA "Use UTA API" OFF)
 option(SECURITY_UTILITIES_USE_ICV "Use configuration ICV" OFF)
diff --git a/README.md b/README.md
index fd3fea7..3c0b307 100644
--- a/README.md
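Review bot: In `STRING(REGEX REPLACE "/?/libcrypto\..*" ...)` the `\.` is consumed by CMake's quoted-argument escaping and reaches the regex engine as a bare `.`, so the pattern matches any character after `libcrypto`. Deriving the directory without a regex is simpler and exact: `get_filename_component(OPENSSL_LIB "${OPENSSL_CRYPTO_LIBRARY}" DIRECTORY)`. The `USERS` pattern added in PATCH 08/10 (`"^(\w:)?\\Users\\"`) has the same escaping problem, and CMake's regex syntax has no `\w` class. Separately, when `OPENSSL_LIB` comes from the environment, the imported library locations are replaced without any check that they belong to the same OpenSSL version as `OPENSSL_INCLUDE_DIR`; a header/library mismatch would go unnoticed at configure time.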
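Review bot: Only `OPENSSL_CRYPTO_LIBRARY` is tested with `EXISTS`, although `SSL` is a required component and `OPENSSL_SSL_LIBRARY` is rewritten from `OPENSSL_LIB` in the context lines just above. A wrong `OPENSSL_LIB` that happens to contain libcrypto but not libssl would pass configuration and fail only at link time. Add the matching check, `if(NOT EXISTS "${OPENSSL_SSL_LIBRARY}")` / `message(FATAL_ERROR "OpenSSL ssl library file does not exist: ${OPENSSL_SSL_LIBRARY}")` / `endif()`, skipped when TLS is disabled. The enclosing `if(... OPENSSL_LIB ...)` block starts in the previous hunk.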
+++ b/README.md @@ -49,7 +49,7 @@ and with MacOS. The following network and development tools are needed or recommended. * Git (for getting the software, tested versions include 2.7.2, 2.11.0, 2.20, 2.30.2, 2.39.2, 2.47.0) -* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.26.3, 3.27.7) +* CMake (for using [`CMakeLists.txt`](CMakeLists.txt), tested versions include 3.18.4, 3.26.3, 3.27.7, 3.30.5) * GNU make (tested versions include 3.81, 4.1, 4.2.1, 4.3) * GNU C compiler (gcc, tested versions include 5.4.0, 7.3.0, 8.3.0, 10.0.1, 10.2.1, 12.2.0) or clang (tested versions include 14.0.3, 17.0.3, 19.1.1) @@ -75,15 +75,22 @@ including the C header files needed for development (as provided by, e.g., the Debian/Ubuntu package `libssl-dev`). By default any OpenSSL installation available on the system is used. -Set the optional environment variable `OPENSSL_DIR` to specify the -absolute (or relative to `../`) path of the OpenSSL installation to use, e.g.: + +It is recommended to set the optional environment variable `OPENSSL_DIR` to specify +the absolute or relative path of the OpenSSL installation or local build directory to use, e.g., ``` export OPENSSL_DIR=/usr/local ``` -In case its libraries are in a different location, set also `OPENSSL_LIB`, e.g.: +or some heuristics will try to detect the location. +This must point to the location in the file system from which the subdirectory `include/openssl` +is directly accessible (using this relative path name).\ +When used with CMake, `$OPENSSL_DIR/OpenSSLConfig.cmake` must exist. + +In case the OpenSSL libraries are in an unusual location, set also `OPENSSL_LIB`, e.g., ``` -export OPENSSL_LIB=$OPENSSL_DIR/lib +export OPENSSL_LIB=/lib/aarch64-linux-gnu ``` +Otherwise some heuristics will try to detect the location. Use of the UTA library can be enabled by setting the environment variable `SECUTILS_USE_UTA`. 
@@ -99,8 +106,9 @@ for instance as follows: ``` cmake . ``` -When using CMake, `cmake` must be (re-)run -after setting or unsetting environment variables. +After modifying (i.e., setting or unsetting) relevant environment variables, +it is recommended to remove `CMakeCache.txt` and re-run CMake. + By default, CMake builds are in Release mode. This may also be enforced by defining the environment variable `NDEBUG`. For switching to Debug mode, use `cmake` with `-DCMAKE_BUILD_TYPE=Debug`. From ca4e520a150d7239b2f8df9aaa4f40f63b990823 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 19 Oct 2024 16:49:43 +0200 Subject: [PATCH 06/10] src/CMakeLists.txt: remove -Werror. It is enabled only for development and CI, using Makefile_v1 without NDEBUG --- src/CMakeLists.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 99192d1..0d333aa 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -3,7 +3,8 @@ target_compile_options(secutils_compilation_options INTERFACE -Wall -Woverflow -Wextra -Wswitch -Wmissing-prototypes -Wstrict-prototypes -Wformat -Wformat-security -Wtype-limits -Wundef -Wsign-compare -Wpointer-arith -Wunused-parameter - -pedantic -Werror + -pedantic + # -Werror is enabled only for development and CI using Makefile_v1 without NDEBUG # TODO clean up code and re-enable warnings instead: -Wno-conversion -Wno-sign-conversion -Wno-c99-extensions From f03a07a76f6446b69ec5e997a2bb67a75b35c173 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 19 Oct 2024 21:22:38 +0200 Subject: [PATCH 07/10] Makefile_v1,README.md: major update with improved diagnostics --- Makefile_v1 | 145 ++++++++++++++++++++++++++++++++++++++++++---------- README.md | 5 +- 2 files changed, 122 insertions(+), 28 deletions(-) diff --git a/Makefile_v1 b/Makefile_v1 index 5709d7a..f46a1a0 100644 --- a/Makefile_v1 +++ b/Makefile_v1 
@@ -12,13 +12,20 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-# Optional OPENSSL_DIR defines absolute or relative (to ../) path to OpenSSL installation
-# Optional OPENSSL_LIB defines where to find the OpenSSL library installation (default: OPENSSL_DIR/lib).
+# Optional OPENSSL_DIR defines where to find the OpenSSL installation
+# with header files at include/openssl (default: will try, e.g., /usr).
+# Optional OPENSSL_LIB defines where to find the OpenSSL libraries
+# (default: will try, e.g., OPENSSL_DIR/lib).
 # Optional CFLAGS and LDFLAGS are appended by local settings.
 # Optional DEBUG_FLAGS may set to prepend to local CFLAGS and LDFLAGS (default see below).
 # Builds are done in release mode if optional NDEBUG is defined.
-# Optional OUT_DIR defines absolute or relative (to ./) path where to place the library.
+# Optional OUT_DIR defines where to place the resulting library (default: '.').
 # Optional DESTDIR defines a prefix for the installation target directories.
+# All paths may be absolute or relative to the directory containing this Makefile.
+
+SHELL=bash # This is needed for supporting extended file name globbing
+
+# variables ####################################################################
 ROOTFS ?= $(DESTDIR)$(prefix)
@@ -31,39 +38,87 @@ VERSION=2.0 # PACKAGENAME=libsecutils # DIRNAME=$(PACKAGENAME)-$(VERSION) -SHELL=bash # This is needed for supporting extended file name globbing - -ifeq ($(OS),Windows_NT) +# https://stackoverflow.com/questions/714100/os-detecting-makefile +ifeq ($(OS),Windows_NT) # strange but apparently this string is used also for all later versions + # so far, we do not support Windows, but trying to continue anyway + override OS=Windows + USERS='^([[:alpha:]]:)?\\Users\\' EXE=.exe DLL=.dll + SONAME= + LDD=TODO OBJ=.obj LIB=bin else EXE= OBJ=.o LIB=lib + override OS = $(shell sh -c 'uname 2>/dev/null || echo Unknown') + USERS='^/(home|Users)/' ifeq ($(shell uname -s),Darwin) - OS=MacOS + override OS=MacOS DLL=.dylib SONAME=install_name,@rpath/ - else # assuming Linux + LDD=otool -l + else # assuming other Unix-like DLL=.so SONAME=soname, + LDD=ldd endif endif -ifeq ($(OPENSSL_DIR),) - OPENSSL_DIR=$(ROOTFS)/usr +ifneq ($(filter-out doc install uninstall clean clean_config clean_all clean_uta clean_deb,$(MAKECMDGOALS)),) +ifeq ($(OPENSSL_DIR),) # for convenience, use heuristics to determine OPENSSL_DIR + ifeq ($(OS),MacOS) + SYSTEM_INCLUDE_OPENSSL=/opt/homebrew/include/openssl # usually symlink + else # TODO for Windows + SYSTEM_INCLUDE_OPENSSL=/usr/include/openssl + endif + OPENSSL_INCLUDE_DIR = $(realpath $(SYSTEM_INCLUDE_OPENSSL)) + override OPENSSL_DIR = $(realpath $(OPENSSL_INCLUDE_DIR)/../..) 
endif -ifeq ($(shell echo $(OPENSSL_DIR) | grep "^/"),) -# $(OPENSSL_DIR) is relative path, assumed relative to ../ - OPENSSL=../$(OPENSSL_DIR) - OPENSSL_LIB ?= ../$(OPENSSL_DIR) -else -# $(OPENSSL_DIR) is absolute path - OPENSSL=$(OPENSSL_DIR) - OPENSSL_LIB ?= $(OPENSSL_DIR) +ifneq ($(OPENSSL_DIR),) # due to the above, always true + LIB_NAME_PATTERN=libcrypto*$(DLL)* + ifeq ($(realpath $(OPENSSL_DIR)),) + $(error OPENSSL_DIR appears to be an invalid path: $(OPENSSL_DIR)) + endif + override OPENSSL_DIR := $(realpath $(OPENSSL_DIR)) + + ifeq ($(OPENSSL_LIB),) # for convenience, use heuristics to determine OPENSSL_LIB + override OPENSSL_LIB = $(OPENSSL_DIR)/$(LIB) + ifeq ($(wildcard $(OPENSSL_LIB)/$(LIB_NAME_PATTERN)),) + $(warning Warning: cannot find OpenSSL libraries at determined location $(OPENSSL_LIB), now trying $(OPENSSL_DIR)) + override OPENSSL_LIB = $(OPENSSL_DIR) + ifeq ($(wildcard $(OPENSSL_LIB)/$(LIB_NAME_PATTERN)),) + ifeq ($(OS),Linux) + ifeq ($(shell echo $(OPENSSL_DIR) | grep -E '^/(home|Users)'),) + override OPENSSL_LIB = $(wildcard /lib/*linux-gnu*) + $(warning Warning: cannot find OpenSSL libraries at $(OPENSSL_DIR), now trying $(OPENSSL_LIB)) + endif + endif + endif + endif + else + ifeq ($(wildcard $(OPENSSL_LIB)/$(LIB_NAME_PATTERN)),) + # $(warning Warning: cannot find OpenSSL libraries at given OPENSSL_LIB $(OPENSSL_LIB), now trying OPENSSL_DIR) + override OPENSSL_LIB = $(OPENSSL_DIR) + endif + endif + # ifeq ($(findstring $(USERS),$(OPENSSL_FULL_DIR)),) + # $(warning [DEBUG] OPENSSL_DIR is assumed to be an installation directory) + # else + # $(warning [DEBUG] OPENSSL_DIR is assumed to be a local build directory) + # endif + ifeq ($(wildcard $(OPENSSL_LIB)/$(LIB_NAME_PATTERN)),) + $(error Error: cannot find OpenSSL library $(LIB_NAME_PATTERN) at $(OPENSSL_LIB)/) + endif + override OPENSSL_LIB := $(realpath $(OPENSSL_LIB)) +endif +ifeq ($(wildcard $(OPENSSL_DIR)/include/openssl),) + $(error cannot find directory 
'$(OPENSSL_DIR)/include/openssl', check OPENSSL_DIR variable) endif +endif # neq ($(filter-out doc install uninstall clean clean_config clean_all clean_uta clean_deb,$(MAKECMDGOALS)),) + ################################################################################ # Basic definitions targeted at debugging @@ -73,10 +128,10 @@ endif ################################################################################ ifdef NDEBUG - DEBUG_FLAGS ?= -O2 + override DEBUG_FLAGS ?= -O2 override DEBUG_FLAGS += -DNDEBUG=1 -Werror else - DEBUG_FLAGS ?= -g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all # not every compiler(version) supports -Og + override DEBUG_FLAGS ?= -g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all # not every compiler(version) supports -Og endif override CFLAGS += $(DEBUG_FLAGS) \ -Wall -Woverflow -Wextra -Wswitch -Wmissing-prototypes -Wstrict-prototypes \ @@ -94,7 +149,7 @@ override CFLAGS += -pedantic -DPEDANTIC ################################################################################ CC ?= gcc -OUTLIB_=libsecutils +override OUTLIB_= libsecutils OUTLIB=$(OUTLIB_)$(DLL) ifeq ($(OS),MacOS) OUTLIBV=$(OUTLIB_).$(VERSION)$(DLL) @@ -109,7 +164,7 @@ DEST_DOC=$(DEST_PRE)/share/doc/libsecutils-dev OUTBIN=icvutil$(EXE) DEST_BIN=$(DEST_PRE)/bin LOCAL_CFLAGS= -fPIC # -std=gnu90 TODO clean up code and re-enable flag -override CFLAGS += -isystem $(OPENSSL)/include# # # use of -isystem is critical for selecting wanted OpenSSL version +override CFLAGS += -isystem $(OPENSSL_DIR)/include# # use of -isystem is critical for selecting wanted OpenSSL version override CFLAGS += -Isrc/libsecutils/include override CFLAGS += -Isrc/libsecutils/include/secutils ifneq ($(SECUTILS_USE_UTA),) 
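Review bot: In the Linux fallback, `override OPENSSL_LIB = $(wildcard /lib/*linux-gnu*)` can expand to several directories on a multiarch system, and the later `$(wildcard $(OPENSSL_LIB)/$(LIB_NAME_PATTERN))`, `$(realpath ...)`, `-L $(OPENSSL_LIB)` and `-Wl,-rpath,$(OPENSSL_LIB)` all treat the value as a single path. Pick the directory that actually holds the library, e.g. `override OPENSSL_LIB = $(patsubst %/,%,$(dir $(firstword $(wildcard /lib/*linux-gnu*/$(LIB_NAME_PATTERN)))))`. The `grep -E '^/(home|Users)'` test in the same block duplicates `$(USERS)` and passes `$(OPENSSL_DIR)` to the shell unquoted; using `$(USERS)` with a quoted argument would keep the two checks in step.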
@@ -120,12 +175,9 @@ ifneq ($(SECUTILS_USE_ICV),) endif override LDFLAGS += $(DEBUG_FLAGS) # needed for -fsanitize=... -override LDFLAGS += -L $(OPENSSL_LIB) -L $(OPENSSL) +override LDFLAGS += -L $(OPENSSL_LIB) ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging override LDFLAGS += -Wl,-rpath,$(OPENSSL_LIB) - ifneq ($(OPENSSL_LIB),$(OPENSSL)) - override LDFLAGS += -Wl,-rpath,$(OPENSSL) - endif endif ifneq ($(SECUTILS_USE_UTA),) override LDFLAGS += -luta @@ -167,12 +219,22 @@ OBJS := $(patsubst %.c,$(BUILDDIR)/%$(OBJ),$(notdir $(wildcard src/libsecutils/s # Targets ################################################################################ +# building ##################################################################### + # Phony (non-file) targets .PHONY: all doc util build build_only build_all clean clean_config clean_all clean_uta install uninstall deb clean_deb coverage # Default target all: build_all doc +$(OUT_DIR): + @mkdir -p $(OUT_DIR) + +ifneq ($(findstring build_only,$(MAKECMDGOALS)),) + $(info Build info: source directory is $(PWD)) + $(info detected OpenSSL base directory $(OPENSSL_DIR)) + $(info detected OpenSSL lib directory $(OPENSSL_LIB)) +endif build_only: $(OUT_DIR)/$(OUTLIB) build: @@ -212,7 +274,7 @@ endif $(OUT_DIR)/$(OUTLIBV): $(OBJS) $(CC) $(OBJS) $(LDFLAGS) -shared -o $@ -Wl,-$(SONAME)$(OUTLIBV) -$(OUT_DIR)/$(OUTLIB): $(OUT_DIR)/$(OUTLIBV) +$(OUT_DIR)/$(OUTLIB): $(OUT_DIR)/$(OUTLIBV) fix_build_lib ln -sf $(OUTLIBV) $(OUT_DIR)/$(OUTLIB) # Individual object targets; also provide dependencies on header files of the project (not on system headers) 
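Review bot: After this hunk `-Wl,-rpath,$(OPENSSL_LIB)` remains the only run-path entry, and `OPENSSL_LIB` may now resolve to a local OpenSSL build tree under a home directory (the case `fix_build_lib` is written for). A library built that way and then installed would look for libcrypto/libssl in a user-writable location. It seems worth a comment on the rpath line, for example `# rpath points at the build-time OpenSSL; do not install artifacts built against a non-system OPENSSL_LIB`, or restricting the rpath to non-install builds. Whether `install` relinks is not visible in this hunk.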
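Review bot: `fix_build_lib` is declared `.PHONY` in the next hunk, and as a normal prerequisite of `$(OUT_DIR)/$(OUTLIB)` it makes that target out of date on every run, so the `ln -sf` recipe and anything depending on the symlink are redone each time. An order-only prerequisite keeps the ordering without forcing rebuilds: `$(OUT_DIR)/$(OUTLIB): $(OUT_DIR)/$(OUTLIBV) | fix_build_lib`.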
@@ -232,6 +294,23 @@ $(BUILDDIR): # (directories are flagged as changed on every object build) $(OBJS): | $(BUILDDIR) +# workaround for using local OpenSSL builds by default expecting that +# its dynamic libs have been installed in ./$(LIB) when using the libs +# see for binaries that dynamically link to OpenSSL the output of $(LDD) +.PHONY: fix_build_lib +fix_build_lib: +ifneq ($(shell echo $(realpath $(OPENSSL_LIB)) | grep -E $(USERS)),) + ifeq ($(OPENSSL_LIB),$(OPENSSL_DIR)) + @cd "$(OPENSSL_DIR)"; if [ ! -e $(LIB) ]; then ln -s . $(LIB); fi + @ # alternative would be to use, e.g., + @ # install_name_tool -change $(OPENSSL_DIR)/lib/libcrypto.3.dylib $(OPENSSL_DIR)/libcrypto.3.dylib + endif +endif + @true # prevent warning "Nothing to be done for `fix_build_lib'." + + +# Debian packaging ############################################################# + deb: debuild -e OPENSSL_DIR="$(OPENSSL_DIR)" -e OPENSSL_LIB="$(OPENSSL_LIB)" \ --preserve-envvar SECUTILS_NO_TLS \ @@ -248,6 +327,9 @@ clean_deb: rm -fr _CPack_Packages changelog.gz rm -f libsecutils*.{deb,tar.gz,zip} + +# installation ################################################################# + # installation target - append ROOTFS= to install into virtual root # filesystem install: # doc/html $(OUT_DIR)/$(OUTLIB) $(OUT_DIR)/$(OUTBIN) @@ -277,6 +359,9 @@ uninstall: rm -f $(DEST_BIN)/$(OUTBIN) rm -rf $(DEST_DOC)/doc/html + +# cleaning ##################################################################### + clean_uta: rm -fr $(BUILDDIR)/uta_api$(OBJ) $(BUILDDIR)/files_icv$(OBJ) \ $(BUILDDIR)/files_dv$(OBJ) \ 
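Review bot: In the `fix_build_lib` recipe, `cd "$(OPENSSL_DIR)"; if [ ! -e $(LIB) ]; then ln -s . $(LIB); fi` continues after a failed `cd`, in which case the `lib -> .` link is created in the current (source) directory instead. Chain the steps: `@cd "$(OPENSSL_DIR)" && { [ -e $(LIB) ] || ln -s . $(LIB); }`. The recipe also modifies a directory outside the project silently because of the leading `@`; printing one line when the link is created would make that side effect visible. The `$(shell echo $(realpath $(OPENSSL_LIB)) | grep -E $(USERS))` condition passes the path to the shell unquoted, so a path with spaces or shell metacharacters is not handled.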
@@ -302,6 +387,9 @@ clean_all: clean clean_deb rm -fr doc refman.pdf CMakeDoxyfile.in Doxyfile.security-utilities_doxygen Doxyfile.doc *.gcov reports rm -fr _CPack_Packages Makefile CMakeCache.txt + +# documentation ################################################################ + doc: $(SECUTILS_CONFIG) doc/html refman.pdf doc/html: Doxyfile $(wildcard src/libsecutils/include/*/*.h src/libsecutils/include/*/*/*.h) @@ -312,5 +400,8 @@ refman.pdf: doc/html @# for producing doc/latex/*, comment out in Doxyfile: GENERATE_LATEX = NO @# $(MAKE) -C -f Makefile_v1 doc/latex && cp -a doc/latex/refman.pdf . # requires latex + +# others ####################################################################### + coverage: clean $(MAKE) -f Makefile_v1 COMPILE_TYPE=code_coverage diff --git a/README.md b/README.md index 3c0b307..3a04055 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# libsecutils +# libSecUtils @@ -92,6 +92,9 @@ export OPENSSL_LIB=/lib/aarch64-linux-gnu ``` Otherwise some heuristics will try to detect the location. +For all environment variables specifying a directory, relative paths such as `.` +are interpreted relative to the libSecUtils source directory. + Use of the UTA library can be enabled by setting the environment variable `SECUTILS_USE_UTA`. From db2d0415e83aab33a492b539e1e5eb834117a57e Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Mon, 21 Oct 2024 21:56:02 +0200 Subject: [PATCH 08/10] CMakeLists.txt: add workaround for using non-installed OpenSSL builds with default libdir --- CMakeLists.txt | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 9d25263..a3a00e8 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -63,6 +63,22 @@ if(NOT EXISTS "${OPENSSL_CRYPTO_LIBRARY}")
 message(FATAL_ERROR "OpenSSL crypto library file does not exist: ${OPENSSL_CRYPTO_LIBRARY}")
 endif()
+# Workaround for local OpenSSL builds by default expecting that their
+# dynamic libs have been installed in ./${LIB}.
+# See for binaries dynamically linked to OpenSSL the output of 'ldd '
+if(CMAKE_SYSTEM_NAME MATCHES "Windows")
+ set(USERS "^(\w:)?\\Users\\")
+ set(LIB "bin")
+else()
+ set(USERS "^/(home|Users)/")
+ set(LIB "lib")
+endif()
+string(REGEX MATCH ${USERS} MATCHED "${OPENSSL_LIB}")
+if(NOT "${MATCHED}" STREQUAL "" AND NOT EXISTS "${OPENSSL_LIB}/${LIB}")
+ execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink "." "${OPENSSL_LIB}/${LIB}")
+ # since CMake 3.13, this works also for Windows
+endif()
+
 option(SECURITY_UTILITIES_USE_UTA "Use UTA API" OFF)
 option(SECURITY_UTILITIES_USE_ICV "Use configuration ICV" OFF)
 option(SECURITY_UTILITIES_NO_TLS "Do not use TLS" OFF)
From 9dc942487712ad04306ef72405221d0f1d0900d2 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 22 Nov 2024 17:16:27 +0100
Subject: [PATCH 09/10] README.md: require at least OpenSSL version 3.0
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 3a04055..d3305fa 100644
--- a/README.md
+++ b/README.md
@@ -55,9 +55,9 @@ The following network and development tools are needed or recommended.
 or clang (tested versions include 14.0.3, 17.0.3, 19.1.1)
 The following OSS components are used.
-* OpenSSL development edition, at least version 1.1.1. Tested, among others,
- with 1.0.2u, 1.1.0f, 1.1.0g, 1.1.1d, 1.1.1i, 1.1.1l, 3.0, 3.1, 3.2, 3.3, 3.4.
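Review bot: The symlink is created whenever `OPENSSL_LIB` lies under a home directory and has no `${LIB}` entry, whereas the Makefile_v1 counterpart (`fix_build_lib`, PATCH 07/10) additionally requires `OPENSSL_LIB` to equal `OPENSSL_DIR`; with an OpenSSL installed under a home prefix this would add `lib/lib -> .` inside its library directory. The `execute_process` result is not checked and nothing is logged, so the configure step writes outside the build tree without trace and a failure is ignored. Suggested: add `RESULT_VARIABLE symlink_rc` to the call, report it with `message(WARNING ...)` when non-zero, and restrict the condition to the local-build case. `string(REGEX MATCH ${USERS} ...)` should quote `"${USERS}"`.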
- **Warning:** OpenSSL 1.1.1 (on Mint 19) contains a bug where used cipher suite (level 3) is empty (1.1.1d on Buster works correctly)
+* OpenSSL development edition, at least version 3.0. Tested, among others,
+ with 3.0, 3.1, 3.2, 3.3, 3.4.
+
 * optionally: [github.com/siemens/libuta](https://github.com/siemens/libuta)
From 63ec0e4e6b286e6ccc498c0f2f37d1ab2d71b036 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 22 Nov 2024 17:17:15 +0100
Subject: [PATCH 10/10] files.c: remove incompatible #define OSSL_DEPRECATEDIN_3_1
---
 src/libsecutils/src/storage/files.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/libsecutils/src/storage/files.c b/src/libsecutils/src/storage/files.c
index bc336b3..fe80a06 100644
--- a/src/libsecutils/src/storage/files.c
+++ b/src/libsecutils/src/storage/files.c
@@ -1,20 +1,20 @@
-/**
+/**
 * @file files.c
-*
+*
 * @brief Private key, certificate, CSR (PKCS#10), and CRL file handling
 *
 * @copyright Copyright (c) Siemens Mobility GmbH, 2021
 *
 * @author David von Oheimb
 *
-* This work is licensed under the terms of the Apache Software License
+* This work is licensed under the terms of the Apache Software License
 * 2.0. See the COPYING file in the top-level directory.
 *
 * SPDX-License-Identifier: Apache-2.0
 */
 #define OPENSSL_NO_RC4 /* prevent errors on undeclared FORMAT_MSBLOB and FORMAT_PVK */
-#define OSSL_DEPRECATEDIN_3_1
+//#define OSSL_DEPRECATEDIN_3_1
 #include
 #include
 #ifndef OPENSSL_NO_ENGINE
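Review bot: The define is left behind as `//#define OSSL_DEPRECATEDIN_3_1`; delete the line rather than comment it out, or keep a `/* ... */` comment that says why it must not be defined, since the file otherwise uses block comments and is built with `-pedantic`. With the macro no longer blanked, any use of functions OpenSSL marks deprecated since 3.1 in this file will produce deprecation warnings, which become errors under the `-Werror` that Makefile_v1 adds for NDEBUG builds; the rest of files.c is outside the hunk, so whether such calls exist cannot be checked here. The other three changed lines in the header comment appear to be whitespace-only.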