3 files changed, 252 insertions, 49 deletions
diff --git a/contrib/devtools/check-deps.sh b/contrib/devtools/check-deps.sh
new file mode 100755
index 0000000000..9d2eebe14d
--- /dev/null
+++ b/contrib/devtools/check-deps.sh
@@ -0,0 +1,203 @@
+#!/usr/bin/env bash
+
+export LC_ALL=C
+set -Eeuo pipefail
+
+# Declare paths to libraries
+declare -A LIBS
+LIBS[cli]="libbitcoin_cli.a"
+LIBS[common]="libbitcoin_common.a"
+LIBS[consensus]="libbitcoin_consensus.a"
+LIBS[crypto]="crypto/.libs/libbitcoin_crypto_base.a crypto/.libs/libbitcoin_crypto_x86_shani.a crypto/.libs/libbitcoin_crypto_sse41.a crypto/.libs/libbitcoin_crypto_avx2.a"
+LIBS[node]="libbitcoin_node.a"
+LIBS[util]="libbitcoin_util.a"
+LIBS[wallet]="libbitcoin_wallet.a"
+LIBS[wallet_tool]="libbitcoin_wallet_tool.a"
+
+# Declare allowed dependencies "X Y" where X is allowed to depend on Y. This
+# list is taken from doc/design/libraries.md.
+ALLOWED_DEPENDENCIES=(
+    "cli common"
+    "cli util"
+    "common consensus"
+    "common crypto"
+    "common util"
+    "consensus crypto"
+    "node common"
+    "node consensus"
+    "node crypto"
+    "node kernel"
+    "node util"
+    "util crypto"
+    "wallet common"
+    "wallet crypto"
+    "wallet util"
+    "wallet_tool util"
+    "wallet_tool wallet"
+)
+
+# Add minor dependencies omitted from doc/design/libraries.md to keep the
+# dependency diagram simple.
+ALLOWED_DEPENDENCIES+=(
+    "wallet consensus"
+    "wallet_tool common"
+    "wallet_tool crypto"
+)
+
+# Declare list of known errors that should be suppressed.
+declare -A SUPPRESS
+# init.cpp file currently calls Berkeley DB sanity check function on startup, so
+# there is an undocumented dependency of the node library on the wallet library.
+SUPPRESS["libbitcoin_node_a-init.o libbitcoin_wallet_a-bdb.o _ZN6wallet27BerkeleyDatabaseSanityCheckEv"]=1
+# init/common.cpp file calls InitError and InitWarning from interface_ui which
+# is currently part of the node library. interface_ui should just be part of the
+# common library instead, and is moved in
+# https://github.com/bitcoin/bitcoin/issues/10102
+SUPPRESS["libbitcoin_common_a-common.o libbitcoin_node_a-interface_ui.o _Z11InitWarningRK13bilingual_str"]=1
+SUPPRESS["libbitcoin_common_a-common.o libbitcoin_node_a-interface_ui.o _Z9InitErrorRK13bilingual_str"]=1
+# rpc/external_signer.cpp adds defines node RPC methods but is built as part of the
+# common library. It should be moved to the node library instead.
+SUPPRESS["libbitcoin_common_a-external_signer.o libbitcoin_node_a-server.o _ZN9CRPCTable13appendCommandERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEPK11CRPCCommand"]=1
+
+usage() {
+   echo "Usage: $(basename "${BASH_SOURCE[0]}") [BUILD_DIR]"
+}
+
+# Output makefile targets, converting library .a paths to libtool .la targets
+lib_targets() {
+  for lib in "${!LIBS[@]}"; do
+      for lib_path in ${LIBS[$lib]}; do
+          # shellcheck disable=SC2001
+          sed 's:/.libs/\(.*\)\.a$:/\1.la:g' <<<"$lib_path"
+      done
+  done
+}
+
+# Extract symbol names and object names and write to text files
+extract_symbols() {
+    local temp_dir="$1"
+    for lib in "${!LIBS[@]}"; do
+        for lib_path in ${LIBS[$lib]}; do
+            nm -o "$lib_path" | grep ' T ' | awk '{print $3, $1}' >> "${temp_dir}/${lib}_exports.txt"
+            nm -o "$lib_path" | grep ' U ' | awk '{print $3, $1}' >> "${temp_dir}/${lib}_imports.txt"
+            awk '{print $1}' "${temp_dir}/${lib}_exports.txt" | sort -u > "${temp_dir}/${lib}_exported_symbols.txt"
+            awk '{print $1}' "${temp_dir}/${lib}_imports.txt" | sort -u > "${temp_dir}/${lib}_imported_symbols.txt"
+        done
+    done
+}
+
+# Lookup object name(s) corresponding to symbol name in text file
+obj_names() {
+    local symbol="$1"
+    local txt_file="$2"
+    sed -n "s/^$symbol [^:]\\+:\\([^:]\\+\\):[^:]*\$/\\1/p" "$txt_file" | sort -u
+}
+
+# Iterate through libraries and find disallowed dependencies
+check_libraries() {
+    local temp_dir="$1"
+    local result=0
+    for src in "${!LIBS[@]}"; do
+        for dst in "${!LIBS[@]}"; do
+            if [ "$src" != "$dst" ] && ! is_allowed "$src" "$dst"; then
+                if ! check_disallowed "$src" "$dst" "$temp_dir"; then
+                    result=1
+                fi
+            fi
+        done
+    done
+    check_not_suppressed
+    return $result
+}
+
+# Return whether src library is allowed to depend on dst.
+is_allowed() {
+    local src="$1"
+    local dst="$2"
+    for allowed in "${ALLOWED_DEPENDENCIES[@]}"; do
+        if [ "$src $dst" = "$allowed" ]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+# Return whether src library imports any symbols from dst, assuming src is not
+# allowed to depend on dst.
+check_disallowed() {
+    local src="$1"
+    local dst="$2"
+    local temp_dir="$3"
+    local result=0
+
+    # Loop over symbol names exported by dst and imported by src
+    while read symbol; do
+        local dst_obj
+        dst_obj=$(obj_names "$symbol" "${temp_dir}/${dst}_exports.txt")
+        while read src_obj; do
+            if ! check_suppress "$src_obj" "$dst_obj" "$symbol"; then
+                echo "Error: $src_obj depends on $dst_obj symbol '$(c++filt "$symbol")', can suppess with:"
+                echo "    SUPPRESS[\"$src_obj $dst_obj $symbol\"]=1"
+                result=1
+            fi
+        done < <(obj_names "$symbol" "${temp_dir}/${src}_imports.txt")
+    done < <(comm -12 "${temp_dir}/${dst}_exported_symbols.txt" "${temp_dir}/${src}_imported_symbols.txt")
+    return $result
+}
+
+# Declare array to track errors which were suppressed.
+declare -A SUPPRESSED
+
+# Return whether error should be suppressed and record suppresssion in
+# SUPPRESSED array.
+check_suppress() {
+    local src_obj="$1"
+    local dst_obj="$2"
+    local symbol="$3"
+    for suppress in "${!SUPPRESS[@]}"; do
+        read suppress_src suppress_dst suppress_pattern <<<"$suppress"
+        if [[ "$src_obj" == "$suppress_src" && "$dst_obj" == "$suppress_dst" && "$symbol" =~ $suppress_pattern ]]; then
+            SUPPRESSED["$suppress"]=1
+            return 0
+        fi
+    done
+    return 1
+}
+
+# Warn about error which were supposed to be suppress, but were not encountered.
+check_not_suppressed() {
+    for suppress in "${!SUPPRESS[@]}"; do
+        if [[ ! -v SUPPRESSED[$suppress] ]]; then
+            echo >&2 "Warning: suppression '$suppress' was ignored, consider deleting."
+        fi
+    done
+}
+
+# Check arguments.
+if [ "$#" = 0 ]; then
+    BUILD_DIR="$(dirname "${BASH_SOURCE[0]}")/../../src"
+elif [ "$#" = 1 ]; then
+    BUILD_DIR="$1"
+else
+    echo >&2 "Error: wrong number of arguments."
+    usage >&2
+    exit 1
+fi
+if [ ! -f "$BUILD_DIR/Makefile" ]; then
+    echo >&2 "Error: directory '$BUILD_DIR' does not contain a makefile, please specify path to build directory for library targets."
+    usage >&2
+    exit 1
+fi
+
+# Build libraries and run checks.
+cd "$BUILD_DIR"
+# shellcheck disable=SC2046
+make -j"$(nproc)" $(lib_targets)
+TEMP_DIR="$(mktemp -d)"
+extract_symbols "$TEMP_DIR"
+if check_libraries "$TEMP_DIR"; then
+    echo "Success! No unexpected dependencies were detected."
+else
+    echo >&2 "Error: Unexpected dependencies were detected. Check previous output."
+fi
+rm -r "$TEMP_DIR"
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index b3e73bb2b9..c4e6bc81e1 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -14,31 +14,31 @@ import sys
 
 import lief
 
-# Debian 10 (Buster) EOL: 2024. https://wiki.debian.org/LTS
+# Debian 11 (Bullseye) EOL: 2026. https://wiki.debian.org/LTS
 #
-# - libgcc version 8.3.0 (https://packages.debian.org/search?suite=buster&arch=any&searchon=names&keywords=libgcc1)
-# - libc version 2.28 (https://packages.debian.org/search?suite=buster&arch=any&searchon=names&keywords=libc6)
+# - libgcc version 10.2.1 (https://packages.debian.org/bullseye/libgcc-s1)
+# - libc version 2.31 (https://packages.debian.org/source/bullseye/glibc)
 #
-# Ubuntu 18.04 (Bionic) EOL: 2028. https://wiki.ubuntu.com/ReleaseTeam
+# Ubuntu 20.04 (Focal) EOL: 2030. https://wiki.ubuntu.com/ReleaseTeam
 #
-# - libgcc version 8.4.0 (https://packages.ubuntu.com/bionic/libgcc1)
-# - libc version 2.27 (https://packages.ubuntu.com/bionic/libc6)
+# - libgcc version 10.5.0 (https://packages.ubuntu.com/focal/libgcc1)
+# - libc version 2.31 (https://packages.ubuntu.com/focal/libc6)
 #
-# CentOS Stream 8 EOL: 2024. https://wiki.centos.org/About/Product
+# CentOS Stream 9 EOL: 2027. https://www.centos.org/cl-vs-cs/#end-of-life
 #
-# - libgcc version 8.5.0 (http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/)
-# - libc version 2.28 (http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/)
+# - libgcc version 12.2.1 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/)
+# - libc version 2.34 (https://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/)
 #
 # See https://gcc.gnu.org/onlinedocs/libstdc++/manual/abi.html for more info.
 
 MAX_VERSIONS = {
 'GCC':       (4,3,0),
 'GLIBC': {
-    lief.ELF.ARCH.x86_64: (2,27),
-    lief.ELF.ARCH.ARM:    (2,27),
-    lief.ELF.ARCH.AARCH64:(2,27),
-    lief.ELF.ARCH.PPC64:  (2,27),
-    lief.ELF.ARCH.RISCV:  (2,27),
+    lief.ELF.ARCH.x86_64: (2,31),
+    lief.ELF.ARCH.ARM:    (2,31),
+    lief.ELF.ARCH.AARCH64:(2,31),
+    lief.ELF.ARCH.PPC64:  (2,31),
+    lief.ELF.ARCH.RISCV:  (2,31),
 },
 'LIBATOMIC': (1,0),
 'V':         (0,5,0),  # xkb (bitcoin-qt only)
@@ -212,6 +212,11 @@ def check_exported_symbols(binary) -> bool:
         ok = False
     return ok
 
+def check_RUNPATH(binary) -> bool:
+    assert binary.get(lief.ELF.DYNAMIC_TAGS.RUNPATH) is None
+    assert binary.get(lief.ELF.DYNAMIC_TAGS.RPATH) is None
+    return True
+
 def check_ELF_libraries(binary) -> bool:
     ok: bool = True
     for library in binary.libraries:
@@ -239,8 +244,8 @@ def check_MACHO_sdk(binary) -> bool:
         return True
     return False
 
-def check_MACHO_ld64(binary) -> bool:
-    if binary.build_version.tools[0].version == [711, 0, 0]:
+def check_MACHO_lld(binary) -> bool:
+    if binary.build_version.tools[0].version == [18, 1, 6]:
         return True
     return False
 
@@ -277,12 +282,13 @@ lief.EXE_FORMATS.ELF: [
     ('LIBRARY_DEPENDENCIES', check_ELF_libraries),
     ('INTERPRETER_NAME', check_ELF_interpreter),
     ('ABI', check_ELF_ABI),
+    ('RUNPATH', check_RUNPATH),
 ],
 lief.EXE_FORMATS.MACHO: [
     ('DYNAMIC_LIBRARIES', check_MACHO_libraries),
     ('MIN_OS', check_MACHO_min_os),
     ('SDK', check_MACHO_sdk),
-    ('LD64', check_MACHO_ld64),
+    ('LLD', check_MACHO_lld),
 ],
 lief.EXE_FORMATS.PE: [
     ('DYNAMIC_LIBRARIES', check_PE_libraries),
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index 51bca4627e..7bfd4d98da 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -59,32 +59,32 @@ class TestSecurityChecks(unittest.TestCase):
         arch = get_arch(cc, source, executable)
 
         if arch == lief.ARCHITECTURES.X86:
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
-                    (1, executable+': failed PIE NX RELRO Canary CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
-                    (1, executable+': failed PIE RELRO Canary CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+                    (1, executable+': failed PIE NX RELRO CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed PIE RELRO CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+                    (1, executable+': failed PIE RELRO CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed RELRO CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
                     (1, executable+': failed separate_code CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code', '-fcf-protection=full']),
                     (0, ''))
         else:
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
-                    (1, executable+': failed PIE NX RELRO Canary'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
-                    (1, executable+': failed PIE RELRO Canary'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+                    (1, executable+': failed PIE NX RELRO'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
+                    (1, executable+': failed PIE RELRO'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed PIE RELRO'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-znorelro','-pie','-fPIE', '-Wl,-z,separate-code']),
                     (1, executable+': failed RELRO'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,noseparate-code']),
                     (1, executable+': failed separate_code'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-fstack-protector-all','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-znoexecstack','-Wl,-zrelro','-Wl,-z,now','-pie','-fPIE', '-Wl,-z,separate-code']),
                     (0, ''))
 
         clean_files(source, executable)
@@ -120,21 +120,15 @@ class TestSecurityChecks(unittest.TestCase):
         arch = get_arch(cc, source, executable)
 
         if arch == lief.ARCHITECTURES.X86:
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-no_fixup_chains']),
-                (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE NX CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector', '-Wl,-fixup_chains']),
-                (1, executable+': failed NOUNDEFS Canary PIE NX CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all', '-Wl,-fixup_chains']),
-                (1, executable+': failed NOUNDEFS PIE NX CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
-                (1, executable+': failed NOUNDEFS PIE CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
-                (1, executable+': failed PIE CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-Wl,-fixup_chains']),
-                (1, executable+': failed PIE CONTROL_FLOW'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
-                (1, executable+': failed PIE'))
-            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-no_fixup_chains']),
+                (1, executable+': failed NOUNDEFS Canary FIXUP_CHAINS PIE CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector', '-Wl,-fixup_chains']),
+                (1, executable+': failed NOUNDEFS Canary CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all', '-Wl,-fixup_chains']),
+                (1, executable+': failed NOUNDEFS CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-Wl,-fixup_chains']),
+                (1, executable+': failed CONTROL_FLOW'))
+            self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all', '-fcf-protection=full', '-Wl,-fixup_chains']),
                 (0, ''))
         else:
             # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks