1 (edited by carlo 2020-06-18 13:26:14)

Topic: --enable-distro and options.h

If wolfssl packages included with distributions should be configured with --enable-distro and subsequently don't have options.h installed,
then the user can't #include options.h, right?

But when I don't, I get the following warning:

```
In file included from /usr/local/include/wolfssl/ssl.h:33:
/usr/local/include/wolfssl/wolfcrypt/settings.h:2124:14: warning: "For timing resistance / side-channel attack prevention consider using harden options" [-W#warnings]
            #warning "For timing resistance / side-channel attack prevention consider using harden options"
```

Does this mean that the (default) configuration used for distros is not hardened?
Or is something worse wrong?


Re: --enable-distro and options.h

Hi carlo,

That's a great question. I am going to ask our Distro maintainer Felix to comment on this.

The equivalent option you should use is "--enable-all". This will have all the same "distro" features, but enables all features and generates a `wolfssl/options.h` you can use.

Thanks,
David Garske, wolfSSL


Re: --enable-distro and options.h

Hi David & carlo,

Debian ships 'options.h' for cyassl and wolfssl. You can see the file list here: https://packages.debian.org/sid/amd64/l … v/filelist.

Kind regards
Felix Lechner


4 (edited by carlo 2020-06-19 12:11:30)

Re: --enable-distro and options.h

I also had a discussion on freenode with fellow Arch Linux users and the consensus was that it was "utter nonsense" not to install options.h.
That is, --enable-distro can be explained as "this is what all distributions should use in order to have a consistent configuration of wolfssl on all Linux platforms", but then options.h should still be installed. Not installing options.h just seems wrong.

There is this single remark that I found concerning the matter:
In `wolfssl/include.am`,

```
# For distro build don't install options.h.
# It depends on the architecture and conflicts with Multi-Arch.
if BUILD_DISTRO
noinst_HEADERS+=         wolfssl/options.h
else
nobase_include_HEADERS+= wolfssl/options.h
endif
```

Apparently we have a different options.h for each architecture.

I found a package on Ubuntu that does this: libssl.

This installs for i386 and amd64 architectures the same headers, except for one:

```
sean:~>dpkg -L libssl-dev:i386 | grep opensslconf.h
/usr/include/i386-linux-gnu/openssl/opensslconf.h
sean:~>dpkg -L libssl-dev:amd64 | grep opensslconf.h
/usr/include/x86_64-linux-gnu/openssl/opensslconf.h
```

The rest of the headers in both cases are installed in `/usr/include/openssl`.

They also install their own respective `*.pc` files in `/usr/lib/i386-linux-gnu/pkgconfig`
and `/usr/lib/x86_64-linux-gnu/pkgconfig`.

This is how Multi-Arch works. While /usr/lib and /usr/include are the normal directories, depending on the current architecture that is being compiled for, /usr/lib/<arch> and /usr/include/<arch> are also searched.

[The "main" <arch> path can be printed with `gcc -print-multiarch`.

Note that on Arch Linux that prints nothing, because there is no /usr/lib/x86_64-linux-gnu on Arch (which basically only supports 64-bit).]


So, correct me if I'm wrong but I will now assume that distributions are responsible for installing options.h themselves, in the right place - as opposed to not installing it at all.

PS So it seems that Debian is doing this wrong.

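An added example, not part of any post in this thread and not wolfSSL project code: a shell check for the situation discussed above, which looks for `wolfssl/options.h` in the include directories the thread mentions (including the Multi-Arch one) and reports which harden macros it fails to define. The function names are hypothetical, the macro list is the set that wolfSSL's `--enable-harden` configure option defines, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not wolfSSL code. Function names are hypothetical.
# Macros set by wolfSSL's --enable-harden configure option.
HARDEN_MACROS="TFM_TIMING_RESISTANT ECC_TIMING_RESISTANT WC_RSA_BLINDING"

# Print the first wolfssl/options.h on the compiler's include path.
# $1 = root prefix ("" for the live system), $2 = multiarch triplet or "".
find_options_h() {
    root=$1 triplet=$2
    for dir in "$root/usr/local/include" \
               ${triplet:+"$root/usr/include/$triplet"} \
               "$root/usr/include"; do
        if [ -f "$dir/wolfssl/options.h" ]; then
            printf '%s\n' "$dir/wolfssl/options.h"
            return 0
        fi
    done
    return 1
}

# Print the harden macros that the given options.h does not #define.
missing_harden_macros() {
    file=$1 missing=""
    for m in $HARDEN_MACROS; do
        grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$m([[:space:]]|\$)" "$file" \
            || missing="$missing $m"
    done
    printf '%s\n' "${missing# }"
}

# Exit status: 0 hardened, 1 macros missing, 2 options.h not installed.
check_wolfssl_headers() {
    hdr=$(find_options_h "$1" "$2") || { echo "wolfssl/options.h not installed"; return 2; }
    miss=$(missing_harden_macros "$hdr")
    if [ -n "$miss" ]; then echo "$hdr: not defined: $miss"; return 1; fi
    echo "$hdr: harden macros defined"
}

# Constructed sample: multiarch-style install whose options.h lacks one macro.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/include/x86_64-linux-gnu/wolfssl"
    printf '#undef  %s\n#define %s\n' ECC_TIMING_RESISTANT ECC_TIMING_RESISTANT \
        WC_RSA_BLINDING WC_RSA_BLINDING > "$d/usr/include/x86_64-linux-gnu/wolfssl/options.h"
    printf '%s\n' "$d"
}

sample=$(make_sample_root)
check_wolfssl_headers "$sample" x86_64-linux-gnu || true
rm -rf "$sample"
```

To check an installed system instead of the sample tree, call `check_wolfssl_headers "" "$(gcc -print-multiarch)"`.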