diff options
author | Neil Horman <nhorman@openssl.org> | 2023-10-23 18:47:13 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-11-01 16:32:26 +0100 |
commit | 796e5f96488643755a18570a4907da78ee46131a (patch) | |
tree | 4d5abf7335a727b9165e6baebbd5cfeeb2f93f14 | |
parent | CI: add Clang 17 (diff) | |
download | openssl-796e5f96488643755a18570a4907da78ee46131a.tar.xz openssl-796e5f96488643755a18570a4907da78ee46131a.zip |
Create a rudimentary symbol scanning script
We would like to be able to log and audit the symbols we use in openssl
so that we might catch when a new platform symbols is referecned
Add such a script (just on unix platforms for now) that gathers the used
symbols not belonging to libcrypto or libssl, and compare it to a prior
known set of used symbols. Error out if a new symbol is found
Add this script to the ci workflow in CI to capture newly
introduced platform symbols
Fixes #22330
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22478)
-rw-r--r-- | .github/workflows/run-checker-ci.yml | 2 | ||||
-rw-r--r-- | .github/workflows/windows.yml | 3 | ||||
-rw-r--r-- | .github/workflows/windows_comp.yml | 3 | ||||
-rwxr-xr-x | util/checkplatformsyms.pl | 84 | ||||
-rw-r--r-- | util/platform_symbols/unix-symbols.txt | 156 | ||||
-rw-r--r-- | util/platform_symbols/windows-symbols.txt | 231 |
6 files changed, 479 insertions, 0 deletions
diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml index 2b7ca84d86..0c961f8ef1 100644 --- a/.github/workflows/run-checker-ci.yml +++ b/.github/workflows/run-checker-ci.yml @@ -54,5 +54,7 @@ jobs: run: | cat /proc/cpuinfo ./util/opensslwrap.sh version -c + - name: Check platform symbol usage + run: ./util/checkplatformsyms.pl ./util/platform_symbols/unix-symbols.txt ./libcrypto.so ./libssl.so - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 8f68450a5f..0d0f24c299 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -58,6 +58,9 @@ jobs: 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f ./apps/openssl.exe version -c + - name: Check platform symbol usage + working-directory: _build + run: perl ../util/checkplatformsyms.pl ../util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll - name: test working-directory: _build run: nmake test VERBOSE_FAILURE=yes TESTS=-test_fuzz* HARNESS_JOBS=4 diff --git a/.github/workflows/windows_comp.yml b/.github/workflows/windows_comp.yml index abcc0ad019..a75451669a 100644 --- a/.github/workflows/windows_comp.yml +++ b/.github/workflows/windows_comp.yml @@ -53,6 +53,9 @@ jobs: 7z.exe x coreinfo/Coreinfo.zip ./Coreinfo64.exe -accepteula -f ./apps/openssl.exe version -c + - name: Check platform symbol usage + run: | + perl ./util/checkplatformsyms.pl ./util/platform_symbols/windows-symbols.txt libcrypto-3-x64.dll ./libssl-3-x64.dll - name: test working-directory: _build run: | diff --git a/util/checkplatformsyms.pl b/util/checkplatformsyms.pl new file mode 100755 index 0000000000..742dd8ea84 --- /dev/null +++ b/util/checkplatformsyms.pl @@ -0,0 +1,84 @@ +#! /usr/bin/env perl +# Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use warnings; +use strict; +use Config; + +my $expectedsyms=$ARGV[0]; + +shift(@ARGV); + +my $objlist; +my $objfilelist = join(" ", @ARGV); +my $expsyms; +my $exps; +my $OBJFH; +my $cmd; + +if ($Config{osname} eq "MSWin32") { + my $currentdll = ""; + $cmd = "dumpbin /imports " . $objfilelist; + my @symlist; + open $expsyms, '<', $expectedsyms or die; + { + local $/; + $exps=<$expsyms>; + } + close($expsyms); + open($OBJFH, "$cmd|") or die "Cannot open process: $!"; + while (<$OBJFH>) + { + chomp; + my $dllfile = $_; + $dllfile =~ s/( +)(.*)(\.dll)(.*)/DLLFILE \2/; + if (index($dllfile, "DLLFILE") >= 0) { + $currentdll = substr($dllfile, 8); + $currentdll =~ s/^\s+|s+$//g; + } + # filter imports from our own library + if ("$currentdll" ne "libcrypto-3-x64") { + my $line = $_; + $line =~ s/ [0-9a-fA-F]{1,2} /SYMBOL /; + if (index($line, "SYMBOL") != -1) { + $line =~ s/.*SYMBOL //; + push(@symlist, $line); + } + } + } + foreach (@symlist) { + if (index($exps, $_) < 0) { + print "Symbol $_ not in the allowed platform symbols list\n"; + exit 1; + } + } + exit 0; + } +else { + $cmd = "objdump -t " . $objfilelist . " | grep UND | grep -v \@OPENSSL"; + $cmd = $cmd . " | awk '{print \$NF}' |"; + $cmd = $cmd . " sed -e\"s/@.*\$//\" | sort | uniq"; + + open $expsyms, '<', $expectedsyms or die; + { + local $/; + $exps=<$expsyms>; + } + close($expsyms); + + open($OBJFH, "$cmd|") or die "Cannot open process: $!"; + while (<$OBJFH>) + { + if (index($exps, $_) < 0) { + print "Symbol $_ not in the allowed platform symbols list\n"; + exit 1; + } + } + close($OBJFH); + exit 0; + } diff --git a/util/platform_symbols/unix-symbols.txt b/util/platform_symbols/unix-symbols.txt new file mode 100644 index 0000000000..2b2fe53672 --- /dev/null +++ b/util/platform_symbols/unix-symbols.txt @@ -0,0 +1,156 @@ +abort +accept +bcmp +bind +calloc +chmod +clearerr +clock_gettime +close +closedir +closelog +connect +__ctype_b_loc +__ctype_tolower_loc +__cxa_atexit +__cxa_finalize +dladdr +dlclose +dlerror +dlopen +dlsym +__errno_location +fclose +fdopen +feof +ferror +fflush +fgets +fileno +fopen +fopen64 +fprintf +fputc +fputs +fread +free +freeaddrinfo +fseek +fstat +ftell +fwrite +gai_strerror +getaddrinfo +getauxval +getcontext +getentropy +getenv +gethostbyname +getnameinfo +getpeername +getpid +getsockname +getsockopt +gettimeofday +__gmon_start__ +gmtime_r +gmtime +ioctl +__isoc99_sscanf +_ITM_deregisterTMCloneTable +_ITM_registerTMCloneTable +listen +_longjmp +lseek +madvise +makecontext +malloc +memchr +memcmp +memcpy +memmove +memset +mktime +mlock +mmap +mprotect +munmap +opendir +openlog +poll +pthread_attr_destroy +pthread_attr_init +pthread_attr_setdetachstate +pthread_cond_broadcast +pthread_cond_destroy +pthread_cond_init +pthread_cond_signal +pthread_cond_timedwait +pthread_cond_wait +pthread_create +pthread_exit +pthread_getspecific +pthread_join +pthread_key_create +pthread_key_delete +pthread_mutex_destroy +pthread_mutex_init +pthread_mutex_lock +pthread_mutex_trylock +pthread_mutex_unlock +pthread_once +pthread_rwlock_destroy +pthread_rwlock_init +pthread_rwlock_rdlock +pthread_rwlock_unlock +pthread_rwlock_wrlock +pthread_self +pthread_setspecific +qsort +readdir +realloc +recvfrom +recvmmsg +secure_getenv +select +sendmmsg +sendto +setbuf +setcontext +_setjmp +setsockopt +shmat +shmdt +shmget +shutdown +sigaction +sleep +socket +sprintf +stderr +stdin +stdout +strcat +strchr +strcmp +strcpy +strcspn +strdup +strlen +strncmp +strncpy +strrchr +strspn +strstr +strtol +strtoul +syscall +sysconf +syslog +tcgetattr +tcsetattr +__timezone +uname +usleep +vfprintf +__xpg_strerror_r diff --git a/util/platform_symbols/windows-symbols.txt b/util/platform_symbols/windows-symbols.txt new file mode 100644 index 0000000000..097741b336 --- /dev/null +++ b/util/platform_symbols/windows-symbols.txt @@ -0,0 +1,231 @@ +CryptGenRandom +RegisterEventSourceW +ReportEventW +CryptAcquireContextW +CryptReleaseContext +DeregisterEventSource +CertFindCertificateInStore +CertFreeCertificateContext +CertOpenSystemStoreW +CertCloseStore +GetUserObjectInformationW +GetProcessWindowStation +MessageBoxW +GetCurrentProcess +ReadConsoleW +ReadConsoleA +SetConsoleMode +GetConsoleMode +CreateSemaphoreA +GetExitCodeThread +WaitForSingleObject +ReleaseSemaphore +GetCurrentProcessId +TryEnterCriticalSection +LeaveCriticalSection +EnterCriticalSection +InitializeCriticalSection +SystemTimeToFileTime +GetSystemTime +TlsFree +TlsSetValue +TlsGetValue +GetSystemTimeAsFileTime +RtlCaptureContext +RtlLookupFunctionEntry +UnhandledExceptionFilter +SetUnhandledExceptionFilter +IsProcessorFeaturePresent +IsDebuggerPresent +GetStartupInfoW +QueryPerformanceCounter +InitializeSListHead +DeleteCriticalSection +TerminateProcess +TlsAlloc +GetCurrentThreadId +AcquireSRWLockShared +AcquireSRWLockExclusive +RtlVirtualUnwind +ConvertFiberToThread +ConvertThreadToFiberEx +SwitchToFiber +DeleteFiber +CreateFiberEx +GetSystemDirectoryA +FreeLibrary +GetProcAddress +LoadLibraryA +FormatMessageA +GetLastError +SetLastError +CloseHandle +LoadLibraryW +GetEnvironmentVariableW +GetStdHandle +GetFileType +WriteFile +GetModuleHandleW +MultiByteToWideChar +WideCharToMultiByte +GetACP +GetModuleHandleExW +GetSystemInfo +VirtualAlloc +VirtualProtect +VirtualFree +VirtualLock +FindClose +FindFirstFileW +FindNextFileW +Sleep +InitializeSRWLock +ReleaseSRWLockExclusive +ReleaseSRWLockShared +__current_exception +__C_specific_handler +wcsstr +__current_exception_context +strstr +strchr +memmove +strrchr +memcmp +memset +memcpy +memchr +__std_type_info_destroy_list +__stdio_common_vsprintf +__stdio_common_vfprintf +__stdio_common_vsscanf +ftell +fseek +fread +_fileno +__stdio_common_vswprintf +_wfopen +fopen +setvbuf +fflush +ferror +feof +clearerr +setbuf +fclose +fputs +__acrt_iob_func +__stdio_common_vsprintf_s +fwrite +fgets +_setmode +strtoul +atoi +strtol +tolower +strspn +strcspn +strncpy +strncmp +strcmp +strcat_s +isspace +_strdup +isdigit +strncpy_s +strcpy_s +_gmtime64_s +__timezone +_mktime64 +_time64 +qsort +malloc +realloc +calloc +free +terminate +signal +_initialize_narrow_environment +_beginthreadex +_endthreadex +_register_onexit_function +strerror_s +_execute_onexit_table +raise +_crt_atexit +_exit +_crt_at_quick_exit +_errno +_cexit +_initterm_e +_configure_narrow_argv +_initialize_onexit_table +_initterm +_seh_filter_dll +_chmod +_stat64i32 +_fstat64i32 +getenv +GetStartupInfoW +RtlLookupFunctionEntry +RtlVirtualUnwind +UnhandledExceptionFilter +GetSystemTime +SystemTimeToFileTime +CloseHandle +InitializeCriticalSection +EnterCriticalSection +LeaveCriticalSection +TryEnterCriticalSection +DeleteCriticalSection +ReleaseSemaphore +WaitForSingleObject +GetCurrentThreadId +SetUnhandledExceptionFilter +GetExitCodeThread +CreateSemaphoreA +SetLastError +GetLastError +GetCurrentProcess +TerminateProcess +IsProcessorFeaturePresent +QueryPerformanceCounter +RtlCaptureContext +GetCurrentProcessId +GetSystemTimeAsFileTime +DisableThreadLibraryCalls +InitializeSListHead +IsDebuggerPresent +GetModuleHandleW +memcpy +memset +__current_exception_context +strchr +memcmp +memchr +strstr +memmove +__std_type_info_destroy_list +__current_exception +__C_specific_handler +_errno +_endthreadex +terminate +_initterm +_initterm_e +_seh_filter_dll +_configure_narrow_argv +_initialize_narrow_environment +_initialize_onexit_table +_register_onexit_function +_execute_onexit_table +_crt_atexit +_crt_at_quick_exit +_cexit +_beginthreadex +_time64 +strncmp +strcmp +qsort +_stat64i32 +atoi +__stdio_common_vsprintf |