# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://aws.amazon.com/apache2.0
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.
#
# Thread and system libraries to link, selected by PLATFORM. PLATFORM is not
# assigned in this file and is expected to be defined before it is read.
ifeq ($(PLATFORM),Darwin)
LIBS = -lc -pthread
else ifeq ($(PLATFORM),FreeBSD)
LIBS = -lthr
else ifeq ($(PLATFORM),NetBSD)
LIBS = -pthread
else ifeq ($(PLATFORM),OpenBSD)
LIBS = -pthread -lkvm
else
# Every other PLATFORM value, including an empty one, gets this set.
LIBS = -pthread -ldl -lrt
endif
# libcrypto is linked by bare name; no -L search path is added here.
# NOTE(review): which libcrypto the linker actually picks up is presumably
# decided by flags set elsewhere - confirm it matches the LIBCRYPTO_ROOT headers.
CRYPTO_LIBS = -lcrypto
# Prefix the toolchain with CROSS_COMPILE. CC and CXX are frozen here with :=,
# so an empty CROSS_COMPILE leaves them as they were.
CC := $(CROSS_COMPILE)$(CC)
CXX := $(CROSS_COMPILE)$(CXX)
AR = $(CROSS_COMPILE)ar
RANLIB = $(CROSS_COMPILE)ranlib
# Default LLVM tool names carry a 3.9 version suffix; ?= lets the caller
# substitute other binaries.
CLANG ?= clang-3.9
LLVMLINK ?= llvm-link-3.9
# Recursively expanded, so the globs run against the current directory each
# time the variable is used.
SOURCES = $(wildcard *.c *.h)
# Backup files, build outputs and coverage data that the decruft target removes.
CRUFT = $(wildcard *.c~ *.h~ *.c.BAK *.h.BAK *.o *.a *.so *.dylib *.bc *.gcov *.gcda *.gcno *.info *.profraw *.tmp)
# Formatter command: `indent` if it reports itself as GNU, else `gindent` if
# that does, else `true` so that formatting becomes a no-op. The shell probe
# runs on every expansion because the variable is defined with `=`.
INDENT = $(shell (if indent --version 2>&1 | grep GNU > /dev/null; then echo indent ; elif gindent --version 2>&1 | grep GNU > /dev/null; then echo gindent; else echo true ; fi ))
# Pick the C standard, and whether -Wcast-qual is enabled, from S2N_LIBCRYPTO.
# BoringSSL is a C11 library and has less strict compiler flags than s2n. All other libcryptos use the default c99 flags
ifeq ($(S2N_LIBCRYPTO), boringssl)
DEFAULT_CFLAGS = -std=c11
else ifeq ($(S2N_LIBCRYPTO), awslc)
# AWS-LC is a BoringSSL derivative and has fixed the c11 issues but not all -Wcast-qual warnings
DEFAULT_CFLAGS = -std=c99
else ifeq ($(S2N_LIBCRYPTO), awslc-fips)
# AWS-LC is a BoringSSL derivative and has fixed the c11 issues but not all -Wcast-qual warnings
DEFAULT_CFLAGS = -std=c99
else
DEFAULT_CFLAGS = -std=c99 -Wcast-qual
endif
# Common warning, include-path and hardening flags. Warnings are fatal
# (-Werror). Hardening-related entries: -fPIC, -Wformat-security,
# -D_FORTIFY_SOURCE=2 (paired with -O2), and -fvisibility=hidden together with
# -DS2N_EXPORTS. Headers are taken from $(LIBCRYPTO_ROOT)/include/, $(S2N_ROOT)/api/
# and $(S2N_ROOT); neither root is assigned in this file.
# NOTE(review): glibc applies its _FORTIFY_SOURCE checks only when optimization
# is on, so builds that append -O0 later (S2N_GDB) presumably run without them
# - confirm.
DEFAULT_CFLAGS += -pedantic -Wall -Werror -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized \
-Wshadow -Wcast-align -Wwrite-strings -fPIC -Wno-missing-braces\
-D_POSIX_C_SOURCE=200809L -O2 -I$(LIBCRYPTO_ROOT)/include/ \
-I$(S2N_ROOT)/api/ -I$(S2N_ROOT) -Wno-deprecated-declarations -Wno-unknown-pragmas -Wformat-security \
-D_FORTIFY_SOURCE=2 -fgnu89-inline -fvisibility=hidden -DS2N_EXPORTS
# gcov-style instrumentation, applied further down when S2N_COVERAGE is true.
COVERAGE_CFLAGS = -fprofile-arcs -ftest-coverage
COVERAGE_LDFLAGS = --coverage
# Linker hardening: read-only relocations (relro), immediate binding (now) and
# a non-executable stack (noexecstack). This is a plain `=`, so it replaces any
# LDFLAGS set earlier in the makefiles or in the environment, while a
# command-line LDFLAGS=... replaces these flags entirely.
LDFLAGS = -z relro -z now -z noexecstack
# Fuzzing instrumentation: trace-pc-guard coverage plus the address, undefined
# behaviour and leak sanitizers.
FUZZ_CFLAGS = -fsanitize-coverage=trace-pc-guard -fsanitize=address,undefined,leak
# Define FUZZ_COVERAGE - to be used for generating coverage reports on fuzz tests
# !!! NOT COMPATIBLE WITH S2N_COVERAGE !!!
# The nesting below enforces that: S2N_COVERAGE is only looked at when
# FUZZ_COVERAGE is not "true".
ifeq ($(FUZZ_COVERAGE), true)
FUZZ_CFLAGS += -fprofile-instr-generate -fcoverage-mapping
else
ifeq ($(S2N_COVERAGE), true)
DEFAULT_CFLAGS += ${COVERAGE_CFLAGS}
# The coverage link flag is carried in LIBS rather than LDFLAGS.
LIBS += ${COVERAGE_LDFLAGS}
endif
endif
# Any non-empty FUZZ_TIMEOUT_SEC compiles the code with S2N_FUZZ_TESTING=1.
ifdef FUZZ_TIMEOUT_SEC
DEFAULT_CFLAGS += -DS2N_FUZZ_TESTING=1
endif
# Add a flag to disable stack protector for alternative libcs without
# libssp.
# Stack protection is on unless NO_STACK_PROTECTOR is exactly 1; a build that
# sets it is compiled without -fstack-protector-all.
ifneq ($(NO_STACK_PROTECTOR), 1)
DEFAULT_CFLAGS += -Wstack-protector -fstack-protector-all
endif
ifeq ($(NO_INLINE), 1)
DEFAULT_CFLAGS += -fno-inline
endif
# Define S2N_TEST_IN_FIPS_MODE - to be used for testing when present.
ifdef S2N_TEST_IN_FIPS_MODE
DEFAULT_CFLAGS += -DS2N_TEST_IN_FIPS_MODE
endif
# Don't compile PQ related source code
ifdef S2N_NO_PQ
DEFAULT_CFLAGS += -DS2N_NO_PQ
endif
# Append the defaults to whatever CFLAGS the caller supplied. If CFLAGS is
# still recursively expanded at this point, flags added to DEFAULT_CFLAGS later
# in this file are picked up as well.
CFLAGS += ${DEFAULT_CFLAGS}
# Optional compiler pin: when GCC_VERSION is set to anything other than NONE,
# build with gcc-<GCC_VERSION> and enable warnings that newer GCC releases
# support. The CC assignment replaces the CROSS_COMPILE-prefixed value computed
# earlier in this file.
# NOTE(review): GCC_VERSION is pasted unquoted into shell commands that run
# while the makefile is parsed, so it must come from trusted build
# configuration. A value that is not a plain integer makes `test` fail, and the
# extra flags are then simply not added.
ifdef GCC_VERSION
ifneq ("$(GCC_VERSION)","NONE")
CC=gcc-$(GCC_VERSION)
# Make doesn't support greater than checks, this uses `test` to compare values, then `echo $$?` to return the value of test's
# exit code and finally uses the built in make `ifeq` to check if it was true and then adds the extra flag.
ifeq ($(shell test $(GCC_VERSION) -gt 7; echo $$?), 0)
CFLAGS += -Wimplicit-fallthrough
endif
# From version 10 on, also run GCC's static analyzer.
ifeq ($(shell test $(GCC_VERSION) -ge 10; echo $$?), 0)
CFLAGS += -fanalyzer
endif
endif
endif
# Flags for readable stack traces: full debug info, frame pointers kept, and
# sibling-call optimization disabled.
DEBUG_CFLAGS = -g3 -ggdb -fno-omit-frame-pointer -fno-optimize-sibling-calls
# AddressSanitizer build: instruments the code, links with gold, defines
# S2N_ADDRESS_SANITIZER=1 and adds the debug flags.
ifdef S2N_ADDRESS_SANITIZER
CFLAGS += -fsanitize=address -fuse-ld=gold -DS2N_ADDRESS_SANITIZER=1 ${DEBUG_CFLAGS}
endif
# S2N_GDB implies S2N_DEBUG (handled just below) and appends -O0 after the
# default -O2 already in CFLAGS.
# NOTE(review): with -O0 the _FORTIFY_SOURCE=2 define from the default flags
# presumably has no effect - treat these as debug-only builds.
ifdef S2N_GDB
S2N_DEBUG = 1
CFLAGS += -O0
endif
ifdef S2N_DEBUG
CFLAGS += ${DEBUG_CFLAGS}
endif
# Prepare CPPFLAGS by stripping out the unsupported options
# CPPFLAGS starts as CFLAGS; the := assignments below freeze it, so flags
# appended to CFLAGS or DEFAULT_CFLAGS after this point are not included unless
# they are also added to CPPFLAGS explicitly.
# NOTE(review): the options removed are C-only, so CPPFLAGS is presumably what
# gets passed to the C++ compiler - confirm against the rules that use it.
CPPFLAGS = ${CFLAGS}
CPPFLAGS:=$(filter-out -Wimplicit,${CPPFLAGS})
CPPFLAGS:=$(filter-out -std=c99,${CPPFLAGS})
CPPFLAGS:=$(filter-out -fgnu89-inline,${CPPFLAGS})
# Prints more information when running tests
# This is appended after CPPFLAGS was frozen above, so -DS2N_TEST_DEBUG does
# not appear in CPPFLAGS.
ifdef S2N_TEST_DEBUG
DEFAULT_CFLAGS += -DS2N_TEST_DEBUG
endif
# Marker file recording that a fuzzing (clang) build has been configured.
# NOTE(review): COVERAGE_DIR is not assigned in this file; if it is empty the
# path becomes /use-llvm-gcov.tmp - confirm every includer defines it.
LLVM_GCOV_MARKER_FILE=${COVERAGE_DIR}/use-llvm-gcov.tmp
# S2N_UNSAFE_FUZZING_MODE=1 switches the build to a fuzzing configuration:
# clang, sanitizer and debug flags, and no symbol-visibility restriction.
ifeq ($(S2N_UNSAFE_FUZZING_MODE),1)
# Override compiler to clang if fuzzing, since gcc does not support as many sanitizer flags as clang
# This replaces both the CROSS_COMPILE prefix and any GCC_VERSION selection.
CC=clang
# Create a marker file so that later invocations of make can pick the right COV_TOOL by default
# The touch runs while the makefile is parsed, so it happens on every
# invocation with this mode enabled, dry runs included.
$(shell touch "${LLVM_GCOV_MARKER_FILE}")
# Turn on debugging and fuzzing flags when S2N_UNSAFE_FUZZING_MODE is enabled to give detailed stack traces in case
# an error occurs while fuzzing.
# DEFAULT_CFLAGS was already appended to CFLAGS earlier in this file, so its
# flags appear twice; the second copy's -O2 follows any -O0 added by S2N_GDB.
CFLAGS += ${DEFAULT_CFLAGS} ${DEBUG_CFLAGS} ${FUZZ_CFLAGS}
# Filter out the visibility settings if we are fuzzing
# The := assignments freeze CFLAGS, DEFAULT_CFLAGS and CPPFLAGS. From here on,
# flags appended to DEFAULT_CFLAGS no longer flow into CFLAGS in this mode.
# NOTE(review): presumably the visibility flags are dropped so fuzz harnesses
# can link against internal symbols - objects built this way should not ship.
CFLAGS := $(filter-out -fvisibility=hidden,$(CFLAGS))
CFLAGS := $(filter-out -DS2N_EXPORTS,$(CFLAGS))
DEFAULT_CFLAGS := $(filter-out -fvisibility=hidden,$(DEFAULT_CFLAGS))
DEFAULT_CFLAGS := $(filter-out -DS2N_EXPORTS,$(DEFAULT_CFLAGS))
CPPFLAGS := $(filter-out -fvisibility=hidden,$(CPPFLAGS))
CPPFLAGS := $(filter-out -DS2N_EXPORTS,$(CPPFLAGS))
endif
# Disable strict-prototypes check in clang
# Triggered whenever the string "clang" occurs anywhere in CC.
ifneq '' '$(findstring clang,$(CC))'
CFLAGS += -Wno-strict-prototypes
DEFAULT_CFLAGS += -Wno-strict-prototypes
CPPFLAGS += -Wno-strict-prototypes
endif
# If COV_TOOL isn't set, pick a default COV_TOOL depending on if the LLVM Marker File was created.
# The marker persists between runs: once a fuzzing build has created it, later
# invocations default to llvm-gcov.sh until the file is removed. When the
# marker is absent, COV_TOOL stays undefined here.
ifndef COV_TOOL
ifneq ("$(wildcard $(LLVM_GCOV_MARKER_FILE))","")
COV_TOOL=llvm-gcov.sh
endif
endif
# Install locations (used for testing). Each one is a ?= default, so a value
# already supplied by the caller is kept; the derived directories follow
# whatever prefix / exec_prefix end up being.
prefix      ?= /usr/local
exec_prefix ?= ${prefix}
bindir      ?= ${exec_prefix}/bin
libdir      ?= ${exec_prefix}/lib64
includedir  ?= ${exec_prefix}/include
# try_compile(source): compile $(1) with the current $(CC) and $(CFLAGS) and
# expand to the compiler's exit status (0 on success). The object is written to
# tmp.o in the current directory and removed afterwards; all compiler output is
# discarded.
# NOTE(review): every kind of failure - a missing header, a wrong
# LIBCRYPTO_ROOT, a warning promoted by -Werror, or no working compiler at all
# - looks the same as "feature not available", and the matching -D is left out
# without a diagnostic. Some of the macros below presumably gate
# security-relevant code paths; confirm that release builds check the probe
# results they depend on.
# NOTE(review): tmp.o is a fixed name, so an existing tmp.o in this directory
# is overwritten and deleted, and two makes running in the same directory can
# race on it.
try_compile = $(shell $(CC) $(CFLAGS) -c -o tmp.o $(1) > /dev/null 2>&1; echo $$?; rm tmp.o > /dev/null 2>&1)
# Each probe below is evaluated once, while the makefile is parsed (:=), and
# adds its macro to DEFAULT_CFLAGS only when the probe source compiled.
# Determine if execinfo.h is available
TRY_COMPILE_EXECINFO := $(call try_compile,$(S2N_ROOT)/tests/features/execinfo.c)
ifeq ($(TRY_COMPILE_EXECINFO), 0)
DEFAULT_CFLAGS += -DS2N_STACKTRACE
endif
# Determine if cpuid.h is available
TRY_COMPILE_CPUID := $(call try_compile,$(S2N_ROOT)/tests/features/cpuid.c)
ifeq ($(TRY_COMPILE_CPUID), 0)
DEFAULT_CFLAGS += -DS2N_CPUID_AVAILABLE
endif
# Determine if features.h is available
TRY_COMPILE_FEATURES := $(call try_compile,$(S2N_ROOT)/tests/features/features.c)
ifeq ($(TRY_COMPILE_FEATURES), 0)
DEFAULT_CFLAGS += -DS2N_FEATURES_AVAILABLE
endif
# Determine if __attribute__((fallthrough)) is available
TRY_COMPILE_FALL_THROUGH := $(call try_compile,$(S2N_ROOT)/tests/features/fallthrough.c)
ifeq ($(TRY_COMPILE_FALL_THROUGH), 0)
DEFAULT_CFLAGS += -DS2N_FALL_THROUGH_SUPPORTED
endif
# Determine if __restrict__ is available
TRY_COMPILE__RESTRICT__ := $(call try_compile,$(S2N_ROOT)/tests/features/__restrict__.c)
ifeq ($(TRY_COMPILE__RESTRICT__), 0)
DEFAULT_CFLAGS += -DS2N___RESTRICT__SUPPORTED
endif
# Determine if EVP_md5_sha1 is available
TRY_EVP_MD5_SHA1_HASH := $(call try_compile,$(S2N_ROOT)/tests/features/evp_md5_sha1.c)
ifeq ($(TRY_EVP_MD5_SHA1_HASH), 0)
DEFAULT_CFLAGS += -DS2N_LIBCRYPTO_SUPPORTS_EVP_MD5_SHA1_HASH
endif
# Determine if EVP_RC4 is available
TRY_EVP_RC4 := $(call try_compile,$(S2N_ROOT)/tests/features/evp_rc4.c)
ifeq ($(TRY_EVP_RC4), 0)
DEFAULT_CFLAGS += -DS2N_LIBCRYPTO_SUPPORTS_EVP_RC4
endif
# Determine if EVP_MD_CTX_set_pkey_ctx is available
TRY_EVP_MD_CTX_SET_PKEY_CTX := $(call try_compile,$(S2N_ROOT)/tests/features/evp_md_ctx_set_pkey_ctx.c)
ifeq ($(TRY_EVP_MD_CTX_SET_PKEY_CTX), 0)
DEFAULT_CFLAGS += -DS2N_LIBCRYPTO_SUPPORTS_EVP_MD_CTX_SET_PKEY_CTX
endif
# Determine if the Kyber 512 KEM API is available in libcrypto
TRY_LIBCRYPTO_SUPPORTS_KYBER512 := $(call try_compile,$(S2N_ROOT)/tests/features/evp_kem_kyber_512.c)
ifeq ($(TRY_LIBCRYPTO_SUPPORTS_KYBER512), 0)
DEFAULT_CFLAGS += -DS2N_LIBCRYPTO_SUPPORTS_KYBER512
endif
# Determine if madvise() is available
TRY_COMPILE_MADVISE := $(call try_compile,$(S2N_ROOT)/tests/features/madvise.c)
ifeq ($(TRY_COMPILE_MADVISE), 0)
DEFAULT_CFLAGS += -DS2N_MADVISE_SUPPORTED
endif
# Determine if minherit() is available
TRY_COMPILE_MINHERIT:= $(call try_compile,$(S2N_ROOT)/tests/features/minherit.c)
ifeq ($(TRY_COMPILE_MINHERIT), 0)
DEFAULT_CFLAGS += -DS2N_MINHERIT_SUPPORTED
endif
# Determine if clone() is available
TRY_COMPILE_CLONE := $(call try_compile,$(S2N_ROOT)/tests/features/clone.c)
ifeq ($(TRY_COMPILE_CLONE), 0)
DEFAULT_CFLAGS += -DS2N_CLONE_SUPPORTED
endif
# Determine if kTLS is available
TRY_COMPILE_KTLS := $(call try_compile,$(S2N_ROOT)/tests/features/ktls.c)
ifeq ($(TRY_COMPILE_KTLS), 0)
DEFAULT_CFLAGS += -DS2N_PLATFORM_SUPPORTS_KTLS
endif
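# Flags for compiling C sources to LLVM bitcode: the project defaults plus
# -emit-llvm, compile-only, debug info and -O1.
CFLAGS_LLVM = ${DEFAULT_CFLAGS} -emit-llvm -c -g -O1

# Build $(BITCODE_DIR)<name>.bc from <name>.c with $(CLANG).
# The recipe line must start with a hard tab; without it make stops with a
# "missing separator" error.
# NOTE(review): the target pattern joins BITCODE_DIR and the stem with no
# separator, so BITCODE_DIR presumably ends in '/' or is empty - confirm in
# the including makefile.
$(BITCODE_DIR)%.bc: %.c
	$(CLANG) $(CFLAGS_LLVM) -o $@ $<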
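# Options passed to GNU indent. -npro makes indent ignore any .indent.pro
# profile, so formatting does not depend on the developer's own settings.
INDENTOPTS = -npro -kr -i4 -ts4 -nut -sob -l180 -ss -ncs -cp1

# Reformat every *.c and *.h file in the current directory in place.
# ${INDENT} falls back to `true` when no GNU indent is installed, which turns
# this target into a no-op. The file name is quoted so that shell glob
# characters in a name are not expanded a second time.
.PHONY : indentsource
indentsource:
	( for source in ${SOURCES} ; do ${INDENT} ${INDENTOPTS} "$$source"; done )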
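# Capture coverage data from the current directory into ./coverage.info.
# --gcov-tool is passed only when COV_TOOL is non-empty: with an empty value
# the option would swallow the following --output as its argument.
.PHONY : lcov
lcov:
	lcov --capture --directory . $(if $(strip $(COV_TOOL)),--gcov-tool $(COV_TOOL)) --output ./coverage.info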
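# Delete the backup, object, library and coverage files matched by CRUFT in the
# current directory. The `--` ends option parsing, so a file whose name starts
# with '-' is removed as a file rather than read as an option to rm.
.PHONY : decruft
decruft:
	$(RM) -- ${CRUFT}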