diff options
| author | Simone Basso <bassosimone@gmail.com> | 2016-12-09 12:39:37 +0100 |
|---|---|---|
| committer | Simone Basso <bassosimone@gmail.com> | 2016-12-09 12:50:56 +0100 |
| commit | f8a9c71e793975e2d224cb01603bf814320545ab (patch) | |
| tree | f08a25c2940ca6782f69ca0b337aa6d85b221a34 /m4 | |
| parent | b5ebbf6b88b13cbf465fdc7d4101e4aa612f0ef9 (diff) | |
| download | portable-f8a9c71e793975e2d224cb01603bf814320545ab.tar.gz portable-f8a9c71e793975e2d224cb01603bf814320545ab.tar.bz2 portable-f8a9c71e793975e2d224cb01603bf814320545ab.zip | |
configure: fix getentropy() for sierra and ios
This diff changes the logic by which configure detects getentropy() to
ensure that we don't use the system wide getentropy
- with macOS sierra if the deployment target is lower than sierra as
found by tor developers here
https://gitweb.torproject.org/tor.git/commit/?id=https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21c963a9a65bf55024680c8323c8b7175d
- with iOS unconditionally because an app linking libressl compiled with
system wide getentropy has been rejected by the App store as I have
documented here
https://github.com/measurement-kit/measurement-kit/pull/994
I think something similar could also affect clock_gettime judging from
tor's patch, but this diff for now doesn't address that.
I do not have macOS < sierra, so I could only verify that configure was
not picking up system wide getentropy by compiling libressl using
export CFLAGS="-mmacosx-version-min=10.11"
As regards iOS, removing the check for getentropy and recompiling (thus
using libressl builtin getentropy()) was enough to have another iteration
of the app accepted. Otherwise testing should be possible with:
export LDFLAGS=-arch armv7 -miphoneos-version-min=7.1 -isysroot `xcrun --show-sdk-path --sdk iphoneos`
export CPPFLAGS=-arch armv7 -isysroot `xcrun --show-sdk-path --sdk iphoneos`
export CFLAGS=-arch armv7 -miphoneos-version-min=7.1 -isysroot `xcrun --show-sdk-path --sdk iphoneos`
Related ticket: https://github.com/libressl-portable/portable/issues/230
Diffstat (limited to 'm4')
| -rw-r--r-- | m4/check-libc.m4 | 56 |
1 files changed, 55 insertions, 1 deletions
diff --git a/m4/check-libc.m4 b/m4/check-libc.m4 index f2eb3eb..272ebfe 100644 --- a/m4/check-libc.m4 +++ b/m4/check-libc.m4 | |||
| @@ -47,7 +47,61 @@ AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes]) | |||
| 47 | AC_DEFUN([CHECK_CRYPTO_COMPAT], [ | 47 | AC_DEFUN([CHECK_CRYPTO_COMPAT], [ |
| 48 | # Check crypto-related libc functions and syscalls | 48 | # Check crypto-related libc functions and syscalls |
| 49 | AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform]) | 49 | AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform]) |
| 50 | AC_CHECK_FUNCS([explicit_bzero getauxval getentropy]) | 50 | AC_CHECK_FUNCS([explicit_bzero getauxval]) |
| 51 | |||
| 52 | AC_CACHE_CHECK([for getentropy], ac_cv_func_getentropy, [ | ||
| 53 | AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | ||
| 54 | #include <sys/types.h> | ||
| 55 | #include <sys/random.h> | ||
| 56 | |||
| 57 | #ifdef __APPLE__ | ||
| 58 | # include <AvailabilityMacros.h> | ||
| 59 | |||
| 60 | /* | ||
| 61 | * Before macOS 10.12 getentropy() was not available. In 10.12 however it | ||
| 62 | * seems to be not marked for retro-compatibility and thus we cannot cross | ||
| 63 | * compile targeting, e.g., 10.12 unless we disable getentropy(). | ||
| 64 | * | ||
| 65 | * To test, | ||
| 66 | * | ||
| 67 | * export CFLAGS="-mmacosx-version-min=10.11" | ||
| 68 | * ./configure | ||
| 69 | * # ensure that getentropy() is not found | ||
| 70 | * | ||
| 71 | * Based on: https://gitweb.torproject.org/tor.git/commit/?id=https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21c963a9a65bf55024680c8323c8b7175d | ||
| 72 | */ | ||
| 73 | # ifndef MAC_OS_X_VERSION_10_12 | ||
| 74 | # define MAC_OS_X_VERSION_10_12 101200 | ||
| 75 | # endif | ||
| 76 | # if defined(MAC_OS_X_VERSION_MIN_REQUIRED) | ||
| 77 | # if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12 | ||
| 78 | # error "Running on Mac OSX 10.11 or earlier" | ||
| 79 | # endif | ||
| 80 | # endif | ||
| 81 | #endif | ||
| 82 | |||
| 83 | /* | ||
| 84 | * As of iOS 10.1, getentropy() as a system call is defined but is not | ||
| 85 | * declared in sys/random.h and submitting an App that links to getentropy() | ||
| 86 | * leads to the App store rejecting the App because: | ||
| 87 | * | ||
| 88 | * > The app references non-public symbols in $appname: _getentropy | ||
| 89 | * | ||
| 90 | * Disabling the check for getentropy() and thus enabling libressl own | ||
| 91 | * emulation of that fixes the issue. | ||
| 92 | */ | ||
| 93 | #if (defined TARGET_IPHONE_OS || defined TARGET_IPHONE_SIMULATOR) | ||
| 94 | # error "As far as we know, getentropy() is not usable on iOS" | ||
| 95 | #endif | ||
| 96 | ]], [[ | ||
| 97 | char buffer[1024]; | ||
| 98 | (void)getentropy(buffer, sizeof (buffer)); | ||
| 99 | ]])], | ||
| 100 | [ ac_cv_func_getentropy="yes" ], | ||
| 101 | [ ac_cv_func_getentropy="no" | ||
| 102 | ]) | ||
| 103 | ]) | ||
| 104 | |||
| 51 | AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp]) | 105 | AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp]) |
| 52 | AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes]) | 106 | AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes]) |
| 53 | AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes]) | 107 | AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes]) |