Various tweaks of build machinery and OpenSSL version support and test fixes

.github/workflows/build.yml

@@ -39,8 +39,8 @@ jobs:
           # sudo apt-get update
           # sudo apt-get install -y >/dev/null libssl-dev build-essential # not needed
           make -f Makefile_v1
-          make -f Makefile_v1 clean
-          make -f Makefile_v1 build_no_tls
+          make -f Makefile_v1 clean_all
+          USE_LIBCMP=1 STATIC_LIBCMP=1 make -f Makefile_v1 build_no_tls
           make -C libsecutils -f Makefile_v1 clean_config
           SKIP_pod2markdown=1 make -f Makefile_v1 doc_this
           SKIP_pod2markdown=1 DESTDIR=tmp make -f Makefile_v1 install
@@ -55,7 +55,7 @@ jobs:
           # would need access to azure.archive.ubuntu.com:
           # sudo apt-get update
           # sudo apt-get install -y >/dev/null libssl-dev build-essential # not needed
-          make -f Makefile_v1 build_prereq test_all
+          USE_LIBCMP=1 make -f Makefile_v1 build test_all
 
   doc_deb:
     runs-on: ubuntu-latest

.github/workflows/quality_check_sonarcloud.yml

@@ -31,7 +31,8 @@ jobs:
           make
       - name: test-coverage
         run: |
-          make -f Makefile_v1 test_Mock
+          USE_LIBCMP=1 make -f Makefile_v1 clean_all build
+          USE_LIBCMP=1 make -f Makefile_v1 test_Mock
           find . -name *.gcno -exec gcov {} \;
       - name: Run sonar-scanner
         env:

CMakeLists.txt

@@ -23,34 +23,37 @@ if(NOT("$ENV{OPENSSL_DIR}" STREQUAL ""))
   else()
     set(OPENSSL_LIB $ENV{OPENSSL_DIR})
   endif()
-  set(OpenSSL_INCLUDE_DIRS $ENV{OPENSSL_DIR}/include)
+  set(OPENSSL_INCLUDE_DIR $ENV{OPENSSL_DIR}/include)
   set(OPENSSL_LIBRARIES ${OPENSSL_LIB}/libssl${CMAKE_SHARED_LIBRARY_SUFFIX}
                         ${OPENSSL_LIB}/libcrypto${CMAKE_SHARED_LIBRARY_SUFFIX})
-  add_definitions(-isystem ${OpenSSL_INCLUDE_DIRS})
   if($ENV{OPENSSL_DIR} MATCHES "3\\.0")
     set(OPENSSL_VERSION 3.0)
   elseif($ENV{OPENSSL_DIR} MATCHES "3\\.1")
     set(OPENSSL_VERSION 3.1)
   elseif($ENV{OPENSSL_DIR} MATCHES "3\\.2")
     set(OPENSSL_VERSION 3.2)
+  elseif($ENV{OPENSSL_DIR} MATCHES "3\\.3")
+    set(OPENSSL_VERSION 3.3)
   elseif($ENV{OPENSSL_DIR} MATCHES "3\\.")
     set(OPENSSL_VERSION 3)
   elseif($ENV{OPENSSL_DIR} MATCHES "1\\.1\\.1")
     set(OPENSSL_VERSION 1.1.1)
+  elseif($ENV{OPENSSL_DIR} MATCHES "1\\.1")
+    set(OPENSSL_VERSION 1.1)
   elseif($ENV{OPENSSL_DIR} MATCHES "prepare")
-    set(OPENSSL_VERSION 3.2)
+    set(OPENSSL_VERSION 3.3)
   else()
-    set(OPENSSL_VERSION 1.1.1)
+    set(OPENSSL_VERSION 3.0)
   endif()
   message(STATUS "assuming OpenSSL version " ${OPENSSL_VERSION})
 else()
   find_package(OpenSSL REQUIRED)
   message(STATUS "using OpenSSL package, with version " ${OPENSSL_VERSION})
-  add_definitions(-isystem /usr/include)
 endif()
 
 if(DEFINED ENV{USE_LIBCMP} OR "${OPENSSL_VERSION}" LESS "3")
   set(USE_LIBCMP 1)
+  message(STATUS "using libcmp")
 endif()
 
 set(SRC_DIR ${PROJECT_SOURCE_DIR}/src)
@@ -64,16 +67,13 @@ include_directories(
   ${PROJECT_SOURCE_DIR}/libsecutils/include
 )
 if(DEFINED USE_LIBCMP)
-  include_directories(
-    ${CMPOSSL_INC_DIR}
-    ${CMPOSSL_INC_DIR}/cmp
-    ${CMAKE_SYSROOT}/usr/include/cmp
-    # does not work for OpenSSL 3.0+:
-    # add_definitions(-isystem ${CMPOSSL_INC_DIR}/cmp)
-    # add_definitions(-isystem ${CMAKE_SYSROOT}/usr/include/cmp)
-    )
+  include_directories(SYSTEM ${CMPOSSL_INC_DIR}/cmp)
+  include_directories(SYSTEM ${CMAKE_SYSROOT}/usr/include/cmp)
 endif()
 
+# must not add the system OpenSSL include dir before ${CMPOSSL_INC_DIR}/cmp etc.
+include_directories(SYSTEM ${OPENSSL_INCLUDE_DIR})
+
 configure_file(${INC_DIR}/genericCMPClient_config.h.in ${INC_DIR}/genericCMPClient_config.h)
 
 # help CPackDeb please dpkg-shlibdeps
@@ -104,6 +104,7 @@ if(DEFINED USE_LIBCMP)
     cmp
   )
 endif()
+# important: place libcmp before libcrypto such that its contents are preferred
 target_link_libraries(cmpClient
   ${OPENSSL_LIBRARIES}
 )
@@ -113,41 +114,51 @@ if(DEFINED ENV{SECUTILS_USE_UTA})
   )
 endif()
 if(DEFINED ENV{SECUTILS_NO_TLS})
-  add_definitions(-DSECUTILS_NO_TLS=1)
+  add_compile_definitions(SECUTILS_NO_TLS=1)
 endif()
 
-if(CMAKE_BUILD_TYPE MATCHES Release OR DEFINED ENV{NDEBUG})
-  message(STATUS "build mode: Release")
-  add_definitions(-DNDEBUG=1 -O2)
+if(DEFINED ENV{NDEBUG} OR NOT CMAKE_BUILD_TYPE MATCHES Debug)
+  set(CMAKE_BUILD_TYPE Release
+      CACHE STRING "Choose the type of build." FORCE)
+  add_compile_options(-O2)
+  add_compile_definitions(NDEBUG=1)
 else()
-  message(STATUS "build mode: Debug")
-  add_definitions(-g -O0)
+  set(CMAKE_BUILD_TYPE Debug
+      CACHE STRING "Choose the type of build." FORCE)
+  add_compile_options(-g -O0)
 
   set(DEBUG_FLAGS "-fsanitize=address,undefined -fno-sanitize-recover=all") # must use quotes on MacOSX
-  add_definitions(${DEBUG_FLAGS})
+  add_compile_options(${DEBUG_FLAGS})
   link_libraries(${DEBUG_FLAGS})
   #set(CMAKE_SHARED_LINKER_FLAGS "-fsanitize=address,undefined -fno-sanitize-recover=all") # workarund for link_libraries() ignored on MacOSX
 
   if(NOT APPLE)
     set(COVERAGE_FLAGS --coverage -fprofile-arcs)
-    add_definitions(${COVERAGE_FLAGS})
+    add_compile_options(${COVERAGE_FLAGS})
     link_libraries(${COVERAGE_FLAGS})
     target_link_libraries(${LIBGENCMP_NAME} ${COVERAGE_FLAGS})
   endif()
 endif()
-
-add_definitions(-DDEBUG_UNUSED)
-add_definitions(-DPEDANTIC -pedantic)
-add_definitions(-Wall -Wextra -Wmissing-prototypes -Wstrict-prototypes
-  -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef)
-
+message(STATUS "build mode: ${CMAKE_BUILD_TYPE}")
+
+add_compile_definitions(DEBUG_UNUSED)
+add_compile_definitions(PEDANTIC)
+add_compile_options(-pedantic -Werror)
+add_compile_options(
+  -Wall -Woverflow -Wextra -Wmissing-prototypes -Wstrict-prototypes -Wswitch
+  -Wsign-compare -Wformat -Wtype-limits -Wundef -Wconversion -Wunused-parameter)
+# because of libsecutils:
+add_compile_options(-Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow)
+
+# TODO maybe clean up code and re-enable property
 # set_property(TARGET ${LIBGENCMP_NAME} PROPERTY C_STANDARD 90)
 # set_property(TARGET cmpClient PROPERTY C_STANDARD 90)
 
-target_link_libraries(${LIBGENCMP_NAME} ${OPENSSL_LIBRARIES} secutils) # needed for clang/MacOSX
 if(DEFINED USE_LIBCMP)
   target_link_libraries(${LIBGENCMP_NAME} cmp) # needed for clang/MacOSX
 endif()
+# important: place libcmp before libcrypto such that its contents are preferred
+target_link_libraries(${LIBGENCMP_NAME} ${OPENSSL_LIBRARIES} secutils) # needed for clang/MacOSX
 
 set(INC_PUBLIC_HDRS
   ${INC_DIR}/genericCMPClient.h

Makefile_src

@@ -6,6 +6,7 @@
 # BIN_DIR defines where the CLI application shall be placed, unless it is empty or unset.
 # Optional LIBCMP_INC defines the directory of the libcmp header files, must be non-empty if and only if libcmp is used (USE_LIBCMP).
 # All these paths may be absolute or relative to the dir containing this Makefile.
+# With USE_LIBCMP, setting STATIC_LIBCMP leads to static linking with libcmp.a .
 # Optional DEBUG_FLAGS may set to prepend to local CFLAGS and LDFLAGS (default see below).
 # OSSL_VERSION_QUIRKS maybe be needed to provide for setting OpenSSL compilation version quirks.
 
@@ -36,10 +37,11 @@ else
     ifeq ($(shell uname -s),Darwin)
         OS=MacOS
         DLL=.dylib
-        SONAME=install_name
+        # see https://www.fullstaq.com/knowledge-hub/blogs/an-alternative-to-macos-dyld-library-path
+        SONAME=install_name,@rpath/
     else # assuming Linux
         DLL=.so
-        SONAME=soname
+        SONAME=soname,
     endif
 endif
 
@@ -89,8 +91,15 @@ ifdef NDEBUG
 else
     DEBUG_FLAGS ?= -g -O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all # not every compiler(version) supports -Og
 endif
-override CFLAGS += $(DEBUG_FLAGS) -std=gnu90 -fstack-protector -fno-omit-frame-pointer
-override CFLAGS += -Wall -Woverflow -Wconversion -Wextra -Wunused-parameter -Werror #-DPEDANTIC -pedantic -Wno-declaration-after-statement
+override CFLAGS += $(DEBUG_FLAGS) -fstack-protector -fno-omit-frame-pointer
+# override CFLAGS += -std=gnu90  # TODO maybe clean up code and re-enable flag
+override CFLAGS += \
+  -Wall -Woverflow -Wextra -Wswitch -Wmissing-prototypes -Wstrict-prototypes \
+  -Wformat -Wformat-security -Wtype-limits -Wundef -Wconversion \
+  -Wsign-compare -Wpointer-arith -Wunused-parameter -Wshadow \
+  -pedantic -DPEDANTIC -Werror
+override CFLAGS +=-Wno-c99-extensions -Wno-language-extension-token -Wno-declaration-after-statement \
+  -Wno-sign-conversion -Wno-shorten-64-to-32 -Wno-shadow # due to libsecutils
 ifeq ($(LPATH),)
    override CFLAGS += -I$(SECUTILS_DIR)/include
 endif
@@ -112,34 +121,47 @@ override CFLAGS += -I$(PREFIX)include # for genericCMPClient.h
 override CFLAGS += $(OSSL_VERSION_QUIRKS)
 
 ifneq ($(LIBCMP_INC),)
-    override LIBS += -lcmp
-endif
-# placing libcmp before libcrypto such that its contents are preferred
-override LIBS += -lcrypto
-ifdef SECUTILS_USE_UTA
-    override LIBS += -luta
+    ifneq ($(STATIC_LIBCMP),)
+        LIBCMP = $(LIBCMP_DIR)/libcmp.a
+    else
+        override LIBS += -lcmp
+    endif
 endif
+# important: place libcmp before libcrypto such that its contents are preferred
+
+override LIBS += -lsecutils
 ifdef SECUTILS_NO_TLS
     override CFLAGS += -DSECUTILS_NO_TLS=1
 else
     override LIBS += -lssl
 endif
-override LIBS += -lsecutils
+override LIBS += -lcrypto
+ifdef SECUTILS_USE_UTA
+    override LIBS += -luta
+endif
 
 override LDFLAGS += $(DEBUG_FLAGS) # needed for -fsanitize=...
 ifeq ($(LPATH),)
     override LDFLAGS += -L $(PREFIX)$(OUT_DIR)
     ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging
-        override LDFLAGS += -Wl,-rpath $(OUT_DIR) -Wl,-rpath $(LIBCMP_DIR) -Wl,-rpath $(SECUTILS_DIR)
-        # override LDFLAGS += -Wl,-rpath $(OUT_DIR)/../../../.. -Wl,-rpath $(OUT_DIR)/../../../../$(LIBCMP_DIR) -Wl,-rpath $(OUT_DIR)/../../../../$(SECUTILS_DIR) # for CLI-based tests
+        # ifeq ($(PREFIX),)
+        # TODO maybe better use absolute path here, as done by CMake
+        override LDFLAGS += -Wl,-rpath,$(OUT_DIR) -Wl,-rpath,$(LIBCMP_DIR) -Wl,-rpath,$(SECUTILS_DIR)
+        # endif
+        override LDFLAGS += -Wl,-rpath,$(OUT_DIR)/../../../.. -Wl,-rpath,$(OUT_DIR)/../../../../$(LIBCMP_DIR) -Wl,-rpath,$(OUT_DIR)/../../../../$(SECUTILS_DIR) # for CLI-based tests
     endif
     override LDFLAGS += -L $(LIBCMP_DIR) -L $(SECUTILS_DIR)
     ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging
-        override LDFLAGS += -Wl,-rpath $(LIBCMP_DIR_) -Wl,-rpath $(SECUTILS_DIR_)
+      ifneq ($(PREFIX),)
+        override LDFLAGS += -Wl,-rpath,$(LIBCMP_DIR_) -Wl,-rpath,$(SECUTILS_DIR_)
+      endif
     endif
     override LDFLAGS += -L $(OPENSSL_LIB) -L $(OPENSSL)
     ifeq ($(DEB_TARGET_ARCH),) # not during Debian packaging
-        override LDFLAGS += -Wl,-rpath $(OPENSSL_RPATH_LIB) -Wl,-rpath $(OPENSSL_RPATH)
+        override LDFLAGS += -Wl,-rpath,$(OPENSSL_RPATH_LIB)
+	ifneq ($(OPENSSL_RPATH_LIB),$(OPENSSL_RPATH))
+        override LDFLAGS += -Wl,-rpath,$(OPENSSL_RPATH)
+        endif
     endif
 else
     override LDFLAGS += -L $(LPATH)
@@ -192,14 +214,14 @@ $(OBJS): %$(OBJ): %.c # | $(SECUTILS_LIB) # $(PREFIX)$(OUT_DIR)/libcmp$(DLL)
 #%$(OBJ): %.c
 #	$(CC) $(CFLAGS) -o "$@" "$<"
 
-$(OUT_DIR)/$(OUTLIBV): src/genericCMPClient$(OBJ)
-	$(CC) $^ $(LDFLAGS) $(LIBS) -shared -o $@ -Wl,-$(SONAME),$(OUTLIBV)
+$(OUT_DIR)/$(OUTLIBV): src/genericCMPClient$(OBJ) $(LIBCMP)
+	$(CC) $^ $(LDFLAGS) $(LIBS) -shared -o $@ -Wl,-$(SONAME)$(OUTLIBV)
 
 $(OUT_DIR)/$(OUTLIB): $(OUT_DIR)/$(OUTLIBV)
 	ln -sf $(OUTLIBV) $(OUT_DIR)/$(OUTLIB)
 
 $(CMPCLIENT): src/cmpClient$(OBJ) $(OUT_DIR)/$(OUTLIB)
-	$(CC) $(LDFLAGS) $< $(LIBS) -lgencmp -o $@
+	$(CC) $(LDFLAGS) $< -lgencmp $(LIBS) -o $@
 
 .PHONY: all archive
 all: build archive

Makefile_tests

@@ -47,7 +47,7 @@ LWCMPRA_JAR ?= $(LWCMPRA_JAR) # was: ./LightweightCmpRa.jar
 LWCMPRA_RUN = java -jar $(LWCMPRA_JAR)
 # may insert before -jar: -Dorg.slf4j.simpleLogger.log.com.siemens.pki.cmpracomponent.msgprocessing.CmpRaImplementation=trace
 CMPCAMOCK_JAR ?= ./CmpCaMock.jar # TODO: $(LWCMPRA_DIR)/target/??
-CMPCAMOCK_RUN = java -jar $(CMPCAMOCK_JAR)
+CMPCAMOCK_RUN = java -jar $(CMPCAMOCK_JAR)# -verbose:class
 
 .phony: tests_LwCmp
 tests_LwCmp:
@@ -61,7 +61,7 @@ start_LwCmp: $(CMPRACOMP_JAR) $(LWCMPRA_JAR)
 	@ #mkdir test/Upstream test/Downstream 2>/dev/null || true
 	@$(LWCMPRA_RUN) config/tests.yml &
 	@echo starting CmpCaMock
-	@$(CMPCAMOCK_RUN) . http://localhost:7000/ca credentials/ENROLL_Keystore.p12 credentials/CMP_CA_Keystore.p12 &
+	@CLASSPATH=CmpCaMock_lib $(CMPCAMOCK_RUN) . http://localhost:7000/ca credentials/ENROLL_Keystore.p12 credentials/CMP_CA_Keystore.p12 &
 	@sleep 2
 stop_LwCmp:
 	@PID=`ps aux|grep "$(LWCMPRA_RUN)"   | grep -v grep | awk '{ print $$2 }'` && \
@@ -72,8 +72,9 @@ stop_LwCmp:
 # conformance ##################################################################
 
 GENERATE_OPERATIONAL=$(OPENSSL) x509 -in creds/operational.crt -x509toreq -signkey creds/operational.pem -out creds/operational.csr -passin pass:12345 2>/dev/null
-CMPCLNT = LD_LIBRARY_PATH=. $(CMPCLIENT) -section CmpRa,
-CMPOSSL = $(OPENSSL) cmp -config config/demo.cnf -section CmpRa,
+BASIC_ARGS = -verbosity 3 -path /lra -section CmpRa,
+CMPCLNT = LD_LIBRARY_PATH=. $(CMPCLIENT)         $(BASIC_ARGS)
+CMPOSSL = $(OPENSSL) cmp -config config/demo.cnf $(BASIC_ARGS)
 .phony: test_conformance_openssl test_conformance_cmpclient test_conformance
 test_conformance_openssl:   start_LwCmp conformance_openssl   stop_LwCmp
 test_conformance_cmpclient: start_LwCmp conformance_cmpclient stop_LwCmp
@@ -88,13 +89,13 @@ conformance_openssl: newkey
 conformance_cmpclient:
 	@CMPCL="$(CMPCLNT)" $(MAKE) -f Makefile_tests conformance
 conformance: $(CMPCLIENT)
-	$(CMPCL)imprint            -verbosity 3
-	$(CMPCL)bootstrap          -verbosity 3
+	$(CMPCL)imprint
+	$(CMPCL)bootstrap
 	@$(GENERATE_OPERATIONAL)
-	$(CMPCL)pkcs10             -verbosity 3
-	$(CMPCL)update -path /lra  -verbosity 3
-	$(CMPCL)revoke -path /lra  -verbosity 3
-	@ # $(CMPCL)bootstrap      -verbosity 3 -server localhost:6003/delayedlra
+	$(CMPCL)pkcs10 # when using openssl, requires at least version 3.3(-dev)
+	$(CMPCL)update
+	$(CMPCL)revoke
+	@ # $(CMPCL)bootstrap $(BASIC_ARGS) -server localhost:6003/delayedlra
 
 # cli ##########################################################################
 
@@ -124,16 +125,19 @@ test_cli: $(CMPCLIENT)
 .phony: test_Mock
 test_Mock:
 	$(MAKE) -f Makefile_tests test_cli OPENSSL_CMP_SERVER=Mock OPENSSL=$(OPENSSL) \
-	|| (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.1\|3\.0")
+	|| (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.0\|1\.1")
 # with OpenSSL 1.1 and 3.0, these Mock genm command test cases fail: 'genm certReqTemplate' 'genm caCerts'
+# with OpenSSL 1.1, Mock enrollment test 'out_trusted accept issuing ca cert ...' fails likely due to -partial_chain not being respected
+# Better use these extended tests only with builds with USE_LIBCMP and OpenSSL >= 3.0.
 
 # LwCmp ########################################################################
 
 .phony: test_LwCmp
 test_LwCmp:
 	$(MAKE) -f Makefile_tests test_cli OPENSSL_CMP_SERVER=LwCmp OPENSSL=$(OPENSSL) \
-	|| (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.1\|3\.0")
+	|| (($(OPENSSL) version; echo $(OPENSSL_VERSION)) | grep -e "1\.0\|1\.1")
 # with OpenSSL 1.1 and 3.0, most LwCmp genm command test cases fail
+# Better use these extended tests only with builds with USE_LIBCMP and OpenSSL >= 3.0.
 
 # clean ########################################################################