Test failures on Fedora 40

[edewata]

The following tests failed on Fedora 40:

healthcheck:
https://github.com/edewata/pki/actions/runs/7895266030/job/21547519001

OCSP:
https://github.com/edewata/pki/actions/runs/7895266016/job/21547517485

healthcheck:
https://github.com/edewata/pki/actions/runs/7895266012/job/21547492461

request notification:
https://github.com/edewata/pki/actions/runs/7895266006/job/21547523359

[edewata]

https://github.com/edewata/pki/actions/runs/7895266006/job/21547523359

The test for CA with request notification should be fixed by PR #4670.

[edewata]

rpminspect failure:
https://github.com/dogtagpki/pki/actions/runs/8057343646/job/22008485308#step:8:4678

[abbra]

The failure with annocheck is that you have fortify level hardcoded:

 git grep FORTIFY
cmake/Modules/DefineCompilerFlags.cmake:        check_c_compiler_flag("-D_FORTIFY_SOURCE=2" WITH_FORTIFY_SOURCE)
cmake/Modules/DefineCompilerFlags.cmake:        if (WITH_FORTIFY_SOURCE)
cmake/Modules/DefineCompilerFlags.cmake:            set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_FORTIFY_SOURCE=2")
cmake/Modules/DefineCompilerFlags.cmake:        endif (WITH_FORTIFY_SOURCE)

Now -D_FORTIFY_SOURCE=3 is expected.

[edewata]

@abbra Thanks. The fortify level is mostly fixed by PR #4687 but rpminspect is still complaining about that on tpsclient:
https://github.com/dogtagpki/pki/actions/runs/8253539008/job/22575904372#step:8:5006

[abbra]

I guess some of the linking units were built with older flags? Some of the dependencies, perhaps?

[edewata]

This is how the sources are compiled for tpsclient according to the build log:

cd /root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/tpsclient && /usr/bin/g++ -DHAVE_CONFIG_H -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/tpsclient -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient/src/include -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/apr-1 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -MD -MT base/tools/src/main/native/tpsclient/CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o -MF CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o.d -o CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o -c /root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/tpsclient/src/main/Buffer.cpp

and this is how they are linked:

/usr/bin/g++ -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -rdynamic CMakeFiles/tpsclient.dir/src/main/Buffer.cpp.o CMakeFiles/tpsclient.dir/src/main/NameValueSet.cpp.o CMakeFiles/tpsclient.dir/src/main/Util.cpp.o CMakeFiles/tpsclient.dir/src/main/RA_Msg.cpp.o CMakeFiles/tpsclient.dir/src/main/Memory.cpp.o CMakeFiles/tpsclient.dir/src/main/AuthParams.cpp.o CMakeFiles/tpsclient.dir/src/apdu/APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Unblock_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Create_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Set_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Set_IssuerInfo_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_IssuerInfo_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Create_Pin_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/List_Pins_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Initialize_Update_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Version_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Status_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Data_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/External_Authenticate_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Generate_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Generate_Key_ECC_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Read_Buffer_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Read_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Write_Object_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Put_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Select_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Delete_File_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Install_Applet_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Format_Muscle_Applet_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Load_File_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Install_Load_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Lifecycle_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/List_Objects_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Import_Key_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Import_Key_Enc_APDU.cpp.o CMakeFiles/tpsclient.dir/src/apdu/APDU_Response.cpp.o CMakeFiles/tpsclient.dir/src/apdu/Get_Lifecycle_APDU.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Begin_Op_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_End_Op_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Login_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Login_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_SecureId_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_SecureId_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_ASQ_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_ASQ_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_New_Pin_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_New_Pin_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Token_PDU_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Token_PDU_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Status_Update_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Status_Update_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Extended_Login_Request_Msg.cpp.o CMakeFiles/tpsclient.dir/src/msg/RA_Extended_Login_Response_Msg.cpp.o CMakeFiles/tpsclient.dir/tools/raclient/RA_Client.cpp.o CMakeFiles/tpsclient.dir/tools/raclient/RA_Conn.cpp.o CMakeFiles/tpsclient.dir/tools/raclient/RA_Token.cpp.o -o tpsclient -Wl,-rpath,:::::::::::::: -lplds4 -lplc4 -lnspr4 -lssl3 -lsmime3 -lnss3 -lnssutil3

This is how the sources are compiled for other tools which do not have annocheck issue:

cd /root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/setpin && /usr/bin/gcc -DHAVE_CONFIG_H -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build/base/tools/src/main/native/setpin -I/root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/setpin -I/root/pki/build/BUILD/pki-11.6.0-alpha1/redhat-linux-build -I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include -s -fplugin=annobin -fcf-protection=full -O2 -D_GLIBCXX_ASSERTIONS -fno-lto -D_FORTIFY_SOURCE=3 -Wall -Wextra -Wshadow -Wmissing-prototypes -Wdeclaration-after-statement -Wunused -Wfloat-equal -Wpointer-arith -Wwrite-strings -Werror=format-security -Wmissing-format-attribute -fPIC -fstack-protector-strong -D_LARGEFILE64_SOURCE -MD -MT base/tools/src/main/native/setpin/CMakeFiles/setpin.dir/b64.c.o -MF CMakeFiles/setpin.dir/b64.c.o.d -o CMakeFiles/setpin.dir/b64.c.o -c /root/pki/build/BUILD/pki-11.6.0-alpha1/base/tools/src/main/native/setpin/b64.c

and this is how they are linked:

/usr/bin/gcc -s -fplugin=annobin -fcf-protection=full -O2 -D_GLIBCXX_ASSERTIONS -fno-lto -D_FORTIFY_SOURCE=3 -Wall -Wextra -Wshadow -Wmissing-prototypes -Wdeclaration-after-statement -Wunused -Wfloat-equal -Wpointer-arith -Wwrite-strings -Werror=format-security -Wmissing-format-attribute -fPIC -fstack-protector-strong -D_LARGEFILE64_SOURCE -Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -rdynamic CMakeFiles/setpin.dir/b64.c.o CMakeFiles/setpin.dir/options.c.o CMakeFiles/setpin.dir/setpin.c.o CMakeFiles/setpin.dir/setpin_options.c.o -o setpin -lplds4 -lplc4 -lnspr4 -lssl3 -lsmime3 -lnss3 -lnssutil3 -lldap -llber

As you can see, tpsclient is already using -D_FORTIFY_SOURCE=3 and it's only linked to NSS and NSPR libraries which are also used by other tools without any problem.

Does g++ vs. gcc make a difference? Does -U_FORTIFY_SOURCE make a difference?

[edewata]

@fmarco76 fyi

[abbra]

From the gcc documentation:

‘-Wp,OPTION’
     You can use ‘-Wp,OPTION’ to bypass the compiler driver and pass
     OPTION directly through to the preprocessor.  If OPTION contains
     commas, it is split into multiple options at the commas.  However,
     many options are modified, translated or interpreted by the
     compiler driver before being passed to the preprocessor, and ‘-Wp’
     forcibly bypasses this phase.  The preprocessor’s direct interface
     is undocumented and subject to change, so whenever possible you
     should avoid using ‘-Wp’ and let the driver handle the options
     instead.

According to https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level, -D_FORTIFY_SOURCE=3 adds a 'fortify metrics' GCC plugin into the action. -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 bypasses this interface, it seems.

[fmarco76]

g++/ vs. gcc issue has been fixed with #4714. The remaining problem for rpminspect is the missing -fstack-clash-protection which should be fixed by #4731