[mbedtls] Upgrade mbedTLS to version 3.4.0

This commit introduces the following changes along with the upgrade of mbedTLS to version 3.4.0: * updating the sonames of mbedTLS-produced libs; * aligning all Gramine patches to conform with the new coding style of mbedTLS; * explicitly specifying the Gramine-provided secure zeroization function `erase_memory()` and updating it to a more performant version to cope with the updated `mbedtls_platform_zeroize()` detection logic; * dropping `MBEDTLS_SHA224_C` in the mbedTLS config which is now made independent from `MBEDTLS_SHA256_C` (it is actually not used in Gramine but was required to be present together with `MBEDTLS_SHA256_C` in the previous mbedTLS versions). Signed-off-by: Kailun Qin <kailun.qin@intel.com>
gramineproject · Apr 4, 2023 · ea047eb · ea047eb
1 parent b748897
commit ea047eb
Show file tree

Hide file tree

Showing 11 changed files with 121 additions and 114 deletions.
diff --git a/common/include/api.h b/common/include/api.h
@@ -400,15 +400,6 @@ extern const char* const* sys_errlist_internal;
 #define TIME_NS_IN_US 1000ul
 #define TIME_NS_IN_S (TIME_NS_IN_US * TIME_US_IN_S)
 
-/* Scrub sensitive memory bufs (memset can be optimized away and memset_s is not available in PAL).
- * FIXME: This implementation is inefficient (and used in perf-critical functions).
- * TODO:  Is this really needed? Intel SGX SDK uses similar function as "defense in depth". */
-static inline void erase_memory(void* buffer, size_t size) {
-    volatile unsigned char* p = buffer;
-    while (size--)
-        *p++ = 0;
-}
-
 #ifdef __x86_64__
 static inline bool __range_not_ok(uintptr_t addr, size_t size) {
     addr += size;
@@ -431,6 +422,14 @@ static inline bool access_ok(const volatile void* addr, size_t size) {
     return !__range_not_ok((uintptr_t)addr, size);
 }
 
+/* Scrub sensitive memory bufs (memset can be optimized away and memset_s is not available in PAL).
+ * NOTE: optimizer runs only on C code and intermediate representations while assembly is
+ * copy-pasted literally into the final assembly source which gets compiled into the binary, so
+ * we're safe against being optimized away. */
+static inline void erase_memory(void* buffer, size_t size) {
+    __asm__ volatile("rep stosb" : "+D"(buffer), "+c"(size) : "a"(0) : "cc", "memory");
+}
+
 #else
 #error "Unsupported architecture"
 #endif /* __x86_64__ */

diff --git a/common/src/crypto/adapters/mbedtls_adapter.c b/common/src/crypto/adapters/mbedtls_adapter.c
@@ -506,3 +506,14 @@ int lib_HKDF_SHA256(const uint8_t* input_key, size_t input_key_size, const uint8
                            input_key_size, info, info_size, output_key, output_key_size);
     return mbedtls_to_pal_error(ret);
 }
+
+/* mbedTLS library will use this implementation to zeroize a block of memory, see
+ * https://github.com/Mbed-TLS/mbedtls/blob/v3.4.0/include/mbedtls/mbedtls_config.h#L3890.
+ * We explicitly specify this to skip mbedTLS's auto detection of the presence of a platform secure
+ * memset at the compiling stage, which can lead to errors at the linking stage. See
+ * https://github.com/Mbed-TLS/mbedtls/blob/v3.4.0/library/platform_util.c#L110-L127 for details. */
+void mbedtls_platform_zeroize(void* buf, size_t len) {
+    assert(len == 0 || buf != NULL);
+
+    erase_memory(buf, len);
+}
diff --git a/meson.build b/meson.build
@@ -228,7 +228,7 @@ tomlc99_src = tomlc99_proj.get_variable('tomlc99_src')
 
 uthash_dep = subproject('uthash-2.1.0').get_variable('uthash_dep')
 
-mbedtls_proj = subproject('mbedtls-mbedtls-3.3.0')
+mbedtls_proj = subproject('mbedtls-mbedtls-3.4.0')
 mbedtls_static_dep = mbedtls_proj.get_variable('mbedtls_static_dep')
 mbedtls_pal_dep = mbedtls_proj.get_variable('mbedtls_pal_dep')
 

diff --git a/subprojects/mbedtls-mbedtls-3.3.0.wrap b/subprojects/mbedtls-mbedtls-3.3.0.wrap
diff --git a/subprojects/mbedtls-mbedtls-3.4.0.wrap b/subprojects/mbedtls-mbedtls-3.4.0.wrap
@@ -0,0 +1,11 @@
+[wrap-file]
+directory = mbedtls-mbedtls-3.4.0
+source_url = https://github.com/ARMmbed/mbedtls/archive/mbedtls-3.4.0.tar.gz
+source_fallback_url = https://packages.gramineproject.io/distfiles/mbedtls-3.4.0.tar.gz
+source_filename = mbedtls-3.4.0.tar.gz
+source_hash = a5dac98592b1ac2232de0aed8f4ee62dffaa99e843e6f41dca2958095c737afd
+
+patch_directory = mbedtls
+
+# this unpacks the sources to `mbedtls-mbedtls-3.4.0/mbedtls-mbedtls-3.4.0`
+lead_directory_missing = true
diff --git a/subprojects/packagefiles/curl-7.84.0/meson.build b/subprojects/packagefiles/curl-7.84.0/meson.build
@@ -13,7 +13,7 @@ curl = custom_target('curl',
         meson.build_root() / 'subprojects',
     ],
 
-    depends: subproject('mbedtls-mbedtls-3.3.0').get_variable('mbedtls_curl_libs'),
+    depends: subproject('mbedtls-mbedtls-3.4.0').get_variable('mbedtls_curl_libs'),
     output: curl_libs_output,
 )
 

diff --git a/subprojects/packagefiles/mbedtls/enforce-aes-ni.patch b/subprojects/packagefiles/mbedtls/enforce-aes-ni.patch
@@ -1,34 +1,35 @@
 diff --git a/library/aes.c b/library/aes.c
-index 319d9bb67e89fa7a62ce3f2e14aa1552b7c91a12..2725b7bb8cfc5cd2f593050454a6d2b23866834d 100644
+index 69da5828ac619ed837559df5c54b6bb1e11076b0..ca54bfa0b086c495d47a7cba9b256ec9cae4ae16 100644
 --- a/library/aes.c
 +++ b/library/aes.c
-@@ -543,6 +543,8 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
- #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
-         return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) );
-+    else
-+        return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED );
+@@ -582,6 +582,9 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
+     if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+         return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits);
+     }
++    else {
++        return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
++    }
  #endif
 
-     for( i = 0; i < ( keybits >> 5 ); i++ )
-@@ -654,6 +656,11 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
-                            (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr );
+ #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
+@@ -687,6 +690,10 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
+                                   (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr);
          goto exit;
      }
-+    else
-+    {
++    else {
 +        ret = MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
 +        goto exit;
 +    }
  #endif
 
-     SK = cty.buf + cty.rk_offset + cty.nr * 4;
-@@ -947,6 +954,8 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
- #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
-     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
-         return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
-+    else
-+        return( MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED );
+ #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
+@@ -1013,6 +1020,9 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
+     if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
+         return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
+     }
++    else {
++        return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
++    }
  #endif
 
- #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+ #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
diff --git a/subprojects/packagefiles/mbedtls/fcntl.patch b/subprojects/packagefiles/mbedtls/fcntl.patch
@@ -9,41 +9,41 @@
 # TODO: remove this patch after we drop Ubuntu 18.04 support
 
 diff --git a/library/net_sockets.c b/library/net_sockets.c
-index 17a9e4a5760bb19270af584f9acc861c2f9ab4c7..b02b4c99f15c4881876bf8a061748056f1161b86 100644
+index e63d08b15dda887e3a62528f43505b64b7bbc99f..b37f26e60d2b0546c1b8a29276caaa7a6d5cbe0e 100644
 --- a/library/net_sockets.c
 +++ b/library/net_sockets.c
-@@ -92,6 +92,7 @@ static int wsa_init_done = 0;
+@@ -88,6 +88,7 @@ static int wsa_init_done = 0;
  #include <fcntl.h>
  #include <netdb.h>
  #include <errno.h>
 +#include <sys/syscall.h>
 
- #define IS_EINTR( ret ) ( ( ret ) == EINTR )
+ #define IS_EINTR(ret) ((ret) == EINTR)
 
-@@ -313,7 +314,7 @@ static int net_would_block( const mbedtls_net_context *ctx )
+@@ -309,7 +310,7 @@ static int net_would_block(const mbedtls_net_context *ctx)
      /*
       * Never return 'WOULD BLOCK' on a blocking socket
       */
--    if( ( fcntl( ctx->fd, F_GETFL ) & O_NONBLOCK ) != O_NONBLOCK )
-+    if( ( syscall( SYS_fcntl, ctx->fd, F_GETFL ) & O_NONBLOCK ) != O_NONBLOCK )
-     {
+-    if ((fcntl(ctx->fd, F_GETFL) & O_NONBLOCK) != O_NONBLOCK) {
++    if ((syscall(SYS_fcntl, ctx->fd, F_GETFL) & O_NONBLOCK) != O_NONBLOCK) {
          errno = err;
-         return( 0 );
-@@ -462,7 +463,7 @@ int mbedtls_net_set_block( mbedtls_net_context *ctx )
+         return 0;
+     }
+@@ -447,7 +448,7 @@ int mbedtls_net_set_block(mbedtls_net_context *ctx)
      u_long n = 0;
-     return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
+     return ioctlsocket(ctx->fd, FIONBIO, &n);
  #else
--    return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) & ~O_NONBLOCK ) );
-+    return( syscall( SYS_fcntl, ctx->fd, F_SETFL, syscall(SYS_fcntl, ctx->fd, F_GETFL ) & ~O_NONBLOCK ) );
+-    return fcntl(ctx->fd, F_SETFL, fcntl(ctx->fd, F_GETFL) & ~O_NONBLOCK);
++    return syscall(SYS_fcntl, ctx->fd, F_SETFL, syscall(SYS_fcntl, ctx->fd, F_GETFL) & ~O_NONBLOCK);
  #endif
  }
 
-@@ -473,7 +474,7 @@ int mbedtls_net_set_nonblock( mbedtls_net_context *ctx )
+@@ -458,7 +459,7 @@ int mbedtls_net_set_nonblock(mbedtls_net_context *ctx)
      u_long n = 1;
-     return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
+     return ioctlsocket(ctx->fd, FIONBIO, &n);
  #else
--    return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) | O_NONBLOCK ) );
-+    return( syscall( SYS_fcntl, ctx->fd, F_SETFL, syscall( SYS_fcntl, ctx->fd, F_GETFL ) | O_NONBLOCK ) );
+-    return fcntl(ctx->fd, F_SETFL, fcntl(ctx->fd, F_GETFL) | O_NONBLOCK);
++    return syscall(SYS_fcntl, ctx->fd, F_SETFL, syscall(SYS_fcntl, ctx->fd, F_GETFL) | O_NONBLOCK);
  #endif
  }
 
diff --git a/subprojects/packagefiles/mbedtls/gramine.patch b/subprojects/packagefiles/mbedtls/gramine.patch
@@ -2,44 +2,41 @@
 # progress via issue https://github.com/ARMmbed/mbedtls/issues/3141.
 
 diff --git a/library/ssl_tls.c b/library/ssl_tls.c
-index 9bb9dc23cde94a23bb71a2d421410a7cea039816..6e7926a99220e79935396cbc2b7d3f22720bf906 100644
+index a6129da397d0b404c3aaa5b7bc9984ede5e49732..b82e90008e7c7d09f23b9c32fc3caa361fb55ac6 100644
 --- a/library/ssl_tls.c
 +++ b/library/ssl_tls.c
-@@ -4250,12 +4250,14 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
-         MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending outgoing data" ) );
-         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+@@ -4400,11 +4400,13 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
+         MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
+         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
      }
 +#if 0
      /* Protocol must be DTLS, not TLS */
-     if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
-     {
-         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only DTLS is supported" ) );
-         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+     if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
+         MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
+         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
      }
 +#endif
      /* Version must be 1.2 */
-     if( ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2 )
-     {
-@@ -4401,6 +4403,16 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
+     if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
+         MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
+@@ -4538,6 +4540,14 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
      }
  #endif /* MBEDTLS_SSL_ALPN */
 
-+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
-+    {
++    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM) {
 +        used += 8;
-+        if( used <= buf_len )
-+        {
-+            memcpy( p, ssl->in_ctr, 8 );
++        if (used <= buf_len) {
++            memcpy(p, ssl->in_ctr, 8);
 +            p += 8;
 +        }
 +    }
 +
      /*
       * Done
       */
-@@ -4411,7 +4423,19 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
+@@ -4549,7 +4559,19 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
 
-     MBEDTLS_SSL_DEBUG_BUF( 4, "saved context", buf, used );
+     MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
 
 +#if 0
 +    /* At the moment of fork (when we call this function to serialize the TLS
@@ -50,62 +47,61 @@ index 9bb9dc23cde94a23bb71a2d421410a7cea039816..6e7926a99220e79935396cbc2b7d3f22
 +     * be continued to be used.
 +     * Currently we are relying on the application to be "sane" and not use
 +     * the same endpoint in two different processes. */
-     return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
+     return mbedtls_ssl_session_reset_int(ssl, 0);
 +#else
-+    return( 0 );
++    return 0;
 +#endif
  }
 
  /*
-@@ -4449,7 +4473,10 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
+@@ -4586,7 +4608,10 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
       * We can't check that the config matches the initial one, but we can at
       * least check it matches the requirements for serializing.
       */
 +#if 0
-     if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
+     if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
 +#else
-+    if(
++    if (
          ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
          ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 ||
  #if defined(MBEDTLS_SSL_RENEGOTIATION)
-@@ -4459,6 +4486,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
-     {
-         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+@@ -4595,6 +4620,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
+         0) {
+         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
      }
 +#endif
 
-     MBEDTLS_SSL_DEBUG_BUF( 4, "context to load", buf, len );
+     MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
 
-@@ -4670,6 +4698,15 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
+@@ -4819,6 +4845,14 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
      ssl->in_epoch = 1;
  #endif
 
-+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
-+    {
-+        if( (size_t)( end - p ) < 8 )
-+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
++    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM) {
++        if ((size_t) (end - p) < 8)
++            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
 +
-+        memcpy( ssl->in_ctr, p, 8 );
++        memcpy(ssl->in_ctr, p, 8);
 +        p += 8;
 +    }
 +
      /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
       * which we don't want - otherwise we'd end up freeing the wrong transform
       * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
 diff --git a/library/Makefile b/library/Makefile
-index dd16d061588321952a74944a9a0e17427cd7544e..680b67b52cfe4acf686e77eb83ddfc58bcfac05e 100644
+index 160aa6be5397f4cb5702504b9e2c8ee97f15a011..8c63260b2d021f55174cd5b476ac9e72898b0677 100644
 --- a/library/Makefile
 +++ b/library/Makefile
 @@ -51,6 +51,8 @@ SOEXT_TLS?=so.19
- SOEXT_X509?=so.4
- SOEXT_CRYPTO?=so.13
+ SOEXT_X509?=so.5
+ SOEXT_CRYPTO?=so.14
 
 +SUFFIX ?=
 +
  # Set AR_DASH= (empty string) to use an ar implementation that does not accept
  # the - prefix for command line options (e.g. llvm-ar)
  AR_DASH ?= -
-@@ -199,10 +201,11 @@ else
+@@ -201,10 +203,11 @@ else
  all: shared static
  endif
 
@@ -119,7 +115,7 @@ index dd16d061588321952a74944a9a0e17427cd7544e..680b67b52cfe4acf686e77eb83ddfc58
 
  # Windows builds under Mingw can fail if make tries to create archives in the same
  # directory at the same time - see https://bugs.launchpad.net/gcc-arm-embedded/+bug/1848002.
-@@ -213,7 +216,7 @@ libmbedx509.a: | libmbedcrypto.a
+@@ -215,7 +218,7 @@ libmbedx509.a: | libmbedcrypto.a
  endif
 
  # tls
@@ -128,7 +124,7 @@ index dd16d061588321952a74944a9a0e17427cd7544e..680b67b52cfe4acf686e77eb83ddfc58
  	echo "  AR    $@"
  	$(AR) $(ARFLAGS) $@ $(OBJS_TLS)
  ifdef APPLE_BUILD
-@@ -223,12 +226,12 @@ ifneq ($(APPLE_BUILD),0)
+@@ -225,12 +228,12 @@ ifneq ($(APPLE_BUILD),0)
  endif
  endif
 
@@ -144,7 +140,7 @@ index dd16d061588321952a74944a9a0e17427cd7544e..680b67b52cfe4acf686e77eb83ddfc58
  	echo "  LN    $@ -> $<"
  	ln -sf $< $@
  endif
-@@ -242,7 +245,7 @@ libmbedtls.dll: $(OBJS_TLS) libmbedx509.dll
+@@ -244,7 +247,7 @@ libmbedtls.dll: $(OBJS_TLS) libmbedx509.dll
  	$(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_TLS) -lws2_32 -lwinmm -lgdi32 -L. -lmbedx509 -lmbedcrypto -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
 
  # x509
@@ -153,7 +149,7 @@ index dd16d061588321952a74944a9a0e17427cd7544e..680b67b52cfe4acf686e77eb83ddfc58
  	echo "  AR    $@"
  	$(AR) $(ARFLAGS) $@ $(OBJS_X509)
  ifdef APPLE_BUILD
-@@ -252,12 +255,12 @@ ifneq ($(APPLE_BUILD),0)
+@@ -254,12 +257,12 @@ ifneq ($(APPLE_BUILD),0)
  endif
  endif
 
@@ -169,7 +165,7 @@ index dd16d061588321952a74944a9a0e17427cd7544e..680b67b52cfe4acf686e77eb83ddfc58
  	echo "  LN    $@ -> $<"
  	ln -sf $< $@
  endif
-@@ -271,7 +274,7 @@ libmbedx509.dll: $(OBJS_X509) libmbedcrypto.dll
+@@ -273,7 +276,7 @@ libmbedx509.dll: $(OBJS_X509) libmbedcrypto.dll
  	$(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_X509) -lws2_32 -lwinmm -lgdi32 -L. -lmbedcrypto -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS)
 
  # crypto
@@ -178,7 +174,7 @@ index dd16d061588321952a74944a9a0e17427cd7544e..680b67b52cfe4acf686e77eb83ddfc58
  	echo "  AR    $@"
  	$(AR) $(ARFLAGS) $@ $(OBJS_CRYPTO)
  ifdef APPLE_BUILD
-@@ -281,12 +284,12 @@ ifneq ($(APPLE_BUILD),0)
+@@ -283,12 +286,12 @@ ifneq ($(APPLE_BUILD),0)
  endif
  endif