[Swan-dev] libreswan FTBFS on hppa and alpha due to lack of -fstack-protector

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 3 23:44:26 UTC 2017


hey libreswan folks--

i notice that mk/userland-cflags.mk has -fstack-protector-all set inside
USERCOMPILE.

However, there are at least two debian unofficial architectures (alpha
and hppa) where gcc doesn't have -fstack-protector available.

A couple example builds from those arches:

https://buildd.debian.org/status/fetch.php?pkg=libreswan&arch=alpha&ver=3.19-1&stamp=1485414786&raw=0
https://buildd.debian.org/status/fetch.php?pkg=libreswan&arch=hppa&ver=3.19-2&stamp=1486145521&raw=0

they fail with:

--------
make[5]: Entering directory '/<<PKGBUILDDIR>>/OBJ.linux.parisc64/lib/libswan'
cc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -Wformat -Werror=format-security -I/<<PKGBUILDDIR>>/lib/libcrypto/libsha2 -I/<<PKGBUILDDIR>>/lib/libcrypto/libaes_xcbc -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I. -I/<<PKGBUILDDIR>>/linux/net/ipsec -I/<<PKGBUILDDIR>>/linux/include -I/<<PKGBUILDDIR>> -DPFKEYV2  -I/usr/include/nss -I/usr/include/nspr -I/<<PKGBUILDDIR>>/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -std=gnu99  -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DFORCE_PR_ASSERT -DDNSSEC -DLIBCURL -DLDAP_VER=3 -DHAVE_NM -DUSE_MD5 -DUSE_SHA2 -DUSE_SHA1 -DUSE_AES -DUSE_3DES -DUSE_CAMELLIA -DUSE_SERPENT -DUSE_TWOFISH -DUSE_CAST -DUSE_RIPEMD -DFIPSPRODUCTCHECK=\"/etc/system-fips\" -DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/lib/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" -DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DRETRANSMIT_INTERVAL_DEFAULT="500" -DUSE_FORK=1 -DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT -DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations -Wredundant-decls -Wnested-externs  -I/<<PKGBUILDDIR>>/lib/libcrypto/libsha2 -I/<<PKGBUILDDIR>>/lib/libcrypto/libaes_xcbc -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I. 
-I/<<PKGBUILDDIR>>/linux/net/ipsec -I/<<PKGBUILDDIR>>/linux/include -I/<<PKGBUILDDIR>> -DPFKEYV2  -I/usr/include/nss -I/usr/include/nspr -I/<<PKGBUILDDIR>>/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -std=gnu99  -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DFORCE_PR_ASSERT -DDNSSEC -DLIBCURL -DLDAP_VER=3 -DHAVE_NM -DUSE_MD5 -DUSE_SHA2 -DUSE_SHA1 -DUSE_AES -DUSE_3DES -DUSE_CAMELLIA -DUSE_SERPENT -DUSE_TWOFISH -DUSE_CAST -DUSE_RIPEMD -DFIPSPRODUCTCHECK=\"/etc/system-fips\" -DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/lib/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" -DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DRETRANSMIT_INTERVAL_DEFAULT="500" -DUSE_FORK=1 -DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT -DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations -Wredundant-decls -Wnested-externs  -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include  \
	-MMD -MF ./addrtoa.d \
	-o ./addrtoa.o \
	-c /<<PKGBUILDDIR>>/linux/net/ipsec/addrtoa.c
cc1: error: -fstack-protector not supported for this target [-Werror]
cc1: all warnings being treated as errors
../../../mk/depend.mk:28: recipe for target 'addrtoa.o' failed
make[5]: *** [addrtoa.o] Error 1
--------

It's not going to be the end of the world if libreswan doesn't build on
these architectures (i can just mark it as explicitly not for those
arches if you prefer), but otoh, it might be nice if we could build
there anyway.

Would you consider making the build flag optional somehow, or only
enabling it if it's detected to be available?  or should i mark
libreswan as not for those architectures?

You can detect it with something like:

   printf 'int main() { return 0;}' | gcc -x c -fstack-protector-all - 

(note that this will create a.out in the current directory)

      --dkg
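
One way to do the detection suggested in the message above, as an added example that is not part of the original post or of libreswan's build system: the probe links a trivial program inside a temporary directory (so no a.out is left behind) with -Werror, then reports the strongest stack-protector variant the compiler accepts. The function names, the STACK_PROTECTOR_FLAG variable and the candidate order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: probe the compiler before putting a hardening flag in CFLAGS.
# Function and variable names are hypothetical, not libreswan's.

# cc_supports_flag FLAG
# Returns 0 if ${CC:-cc} compiles and links a trivial program with FLAG.
# -Werror is passed because the build log above shows the unsupported flag is
# reported as a warning that the build's -Werror turns into a failure.
cc_supports_flag() {
    flag=$1
    tmpdir=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$tmpdir/probe.c"
    rc=0
    # CC is left unquoted on purpose so values like "gcc -m32" still work.
    ${CC:-cc} -Werror "$flag" "$tmpdir/probe.c" -o "$tmpdir/probe" \
        >/dev/null 2>&1 || rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

# first_supported_flag FLAG...
# Prints the first candidate the compiler accepts and returns 0;
# prints nothing and returns 1 if none is accepted.
first_supported_flag() {
    for candidate in "$@"; do
        if cc_supports_flag "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Widest coverage first. On a target whose gcc rejects the option, as in the
# alpha and hppa builds above, the result is empty and the build can
# continue without the flag instead of failing.
STACK_PROTECTOR_FLAG=$(first_supported_flag \
    -fstack-protector-all -fstack-protector-strong -fstack-protector || true)
echo "STACK_PROTECTOR_FLAG=$STACK_PROTECTOR_FLAG"
```

A build that falls back to an empty value should log that fact, so that a package built without stack protection is visible in the build output rather than silent.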