From 8b6a9202e7fb543d948efc20ff478d362665b945 Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Sat, 10 Aug 2019 22:07:59 +0200 Subject: libressl: build libcrypto with noexecstack For some reasons, libcrypto would be built with the executable stack flag set. I found out about this when Nginx failed to load the shared library, because I was running it with MemoryDenyWriteExecute=true, which does not permit executable stacks. I am not sure why the stack ends up executable; the other shared libraries which are part of LibreSSL do not have this flag set. You can verify this with 'execstack -q'. Non-executable stacks should be the default, and from checking some other files, that does appear to be the case. The LibreSSL sources do not contain the string "execstack", so I am not sure what causes the default to be overridden. Adding '-z noexecstack' to the linker flags makes the linker unset the flag. Now my Nginx can load the library, and so far I have not run into other issues. --- pkgs/development/libraries/libressl/default.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'pkgs/development') diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix index d710c41a97c..34262b89cd1 100644 --- a/pkgs/development/libraries/libressl/default.nix +++ b/pkgs/development/libraries/libressl/default.nix @@ -23,6 +23,10 @@ let rm configure ''; + # Ensure that the output libraries do not require an executable stack. + # Without this, libcrypto would be built with the executable stack flag set. + NIX_LDFLAGS = ["-z" "noexecstack"]; + enableParallelBuilding = true; outputs = [ "bin" "dev" "out" "man" "nc" ]; -- cgit 1.4.1 From b3c613b9aaa32a6315f5a10fcf56f5b58e0cd405 Mon Sep 17 00:00:00 2001 
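Review bot: `-z noexecstack` in the new `NIX_LDFLAGS` line overrides the linker's decision instead of correcting its input, so it hides which libcrypto object is missing a `.note.GNU-stack` marker — the commit message itself says the cause is unknown. If an object genuinely needed an executable stack, this flag would produce a library marked non-executable that fails at runtime rather than a link-time signal, so the offending object(s) should be located (for example by checking each `.o` in the build tree with `readelf -S` for a missing `.note.GNU-stack` section) and the fix applied there. Until that is done, the comment should state what is actually known rather than `Without this, libcrypto would be built with the executable stack flag set.`, e.g. `# Some libcrypto object lacks a .note.GNU-stack marker, so GNU ld marks the stack executable; force it off until that object is found.` The enclosing `let` attribute set starts and ends outside the hunk.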
From: Ruud van Asseldonk Date: Sun, 11 Aug 2019 20:34:57 +0200 Subject: libressl: fix noexecstack on Darwin The flags to disable executable stacks are different for Clang and GCC, and Clang is used on Darwin. --- pkgs/development/libraries/libressl/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'pkgs/development') diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix index 34262b89cd1..32b58c736fb 100644 --- a/pkgs/development/libraries/libressl/default.nix +++ b/pkgs/development/libraries/libressl/default.nix @@ -25,7 +25,10 @@ let # Ensure that the output libraries do not require an executable stack. # Without this, libcrypto would be built with the executable stack flag set. - NIX_LDFLAGS = ["-z" "noexecstack"]; + # For Clang, the flag is '--noexecstack', for GCC it is '-z noexecstack'. + NIX_LDFLAGS = if stdenv.isDarwin + then ["--noexecstack"] + else ["-z" "noexecstack"]; enableParallelBuilding = true; -- cgit 1.4.1 From c02b4a1cc8c718d4e6a1ef5fbb547388bb4636df Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Tue, 13 Aug 2019 22:20:16 +0200 Subject: libressl: do not set noexecstack on Darwin at all It is not needed on Darwin. [1] Thanks Matthew for explaining this. [1]: https://github.com/NixOS/nixpkgs/pull/66454#issuecomment-520970986 --- pkgs/development/libraries/libressl/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'pkgs/development') diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix index 32b58c736fb..f30ead30b3b 100644 --- a/pkgs/development/libraries/libressl/default.nix +++ b/pkgs/development/libraries/libressl/default.nix 
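Review bot: `--noexecstack` in the Darwin branch of `NIX_LDFLAGS` is, as far as I know, the GNU assembler's spelling of this option rather than one ld64 accepts, and these flags reach the linker, so unless this was verified on a Darwin build it is likely to fail there with an unknown-option error. The comment also attributes the difference to the compiler, but `-z noexecstack` is a GNU ld/lld option that clang accepts on Linux as well; the relevant distinction is ELF versus Mach-O, and Mach-O has no stack-executable program-header flag to clear. I would drop the Darwin branch and write `NIX_LDFLAGS = stdenv.lib.optionals (!stdenv.isDarwin) ["-z" "noexecstack"];` with the comment `# PT_GNU_STACK is an ELF concept; there is nothing to pass on Darwin (Mach-O).` The enclosing `let` attribute set starts and ends outside the hunk.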
@@ -25,9 +25,11 @@ let # Ensure that the output libraries do not require an executable stack. # Without this, libcrypto would be built with the executable stack flag set. - # For Clang, the flag is '--noexecstack', for GCC it is '-z noexecstack'. + # For GCC the flag is '-z noexecstack'. Clang, which is used on Darwin, + # expects '--noexecstack'. Execstack is an ELF thing, so it is not needed + # on Darwin. NIX_LDFLAGS = if stdenv.isDarwin - then ["--noexecstack"] + then [] else ["-z" "noexecstack"]; enableParallelBuilding = true; -- cgit 1.4.1 From fdd78a53878be5421aeb76295d6f98b7994d4b04 Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Wed, 21 Aug 2019 00:07:38 +0200 Subject: libressl: use CFLAGS to avoid exectuable stack It turns out that libcrypto had an exectuable stack, because it linked some objects without a .note.GNU-stack section. Compilers add this section by default, but the objects produced from .S files did not contain it. The .S files do include a directive to add the section, but guarded behind an #ifdef HAVE_GNU_STACK. So define HAVE_GNU_STACK, to ensure that all objects have a .note.GNU-stack section. --- pkgs/development/libraries/libressl/default.nix | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'pkgs/development') diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix index f30ead30b3b..29b28e85f86 100644 --- a/pkgs/development/libraries/libressl/default.nix +++ b/pkgs/development/libraries/libressl/default.nix 
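Review bot: The retained comment line `Clang, which is used on Darwin, expects '--noexecstack'` is misleading now that the Darwin branch passes nothing: that spelling is the GNU assembler option, and the compiler is not what decides the flag — `-z noexecstack` is a GNU ld/lld option that clang also accepts on Linux. I would reduce the comment to `# PT_GNU_STACK is an ELF concept; Mach-O (Darwin) has no equivalent, so pass nothing there.` As a point of style, `if stdenv.isDarwin then [] else [...]` reads more idiomatically as `stdenv.lib.optionals (!stdenv.isDarwin) ["-z" "noexecstack"]`. The enclosing `let` attribute set starts and ends outside the hunk.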
@@ -13,7 +13,15 @@ let nativeBuildInputs = [ cmake ]; - cmakeFlags = [ "-DENABLE_NC=ON" "-DBUILD_SHARED_LIBS=ON" ]; + cmakeFlags = [ + "-DENABLE_NC=ON" + "-DBUILD_SHARED_LIBS=ON" + # Ensure that the output libraries do not require an executable stack. + # Without this define, assembly files in libcrypto do not include a + # .note.GNU-stack section, and if that section is missing from any object, + # the linker will make the stack executable. + "-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK" + ]; # The autoconf build is broken as of 2.9.1, resulting in the following error: # libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'. @@ -23,15 +31,6 @@ let rm configure ''; - # Ensure that the output libraries do not require an executable stack. - # Without this, libcrypto would be built with the executable stack flag set. - # For GCC the flag is '-z noexecstack'. Clang, which is used on Darwin, - # expects '--noexecstack'. Execstack is an ELF thing, so it is not needed - # on Darwin. - NIX_LDFLAGS = if stdenv.isDarwin - then [] - else ["-z" "noexecstack"]; - enableParallelBuilding = true; outputs = [ "bin" "dev" "out" "man" "nc" ]; -- cgit 1.4.1
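Review bot: `-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK` fixes the cause, but nothing in the derivation asserts the outcome, and the series shows this was only discovered by accident when nginx refused to load the library; a later upstream change (for example compiling the `.S` files through `enable_language(ASM)` with `CMAKE_ASM_FLAGS`) or a change to how the cmake hook supplies `CMAKE_C_FLAGS` could reintroduce the executable stack silently. I would add a `postFixup` step on Linux that fails the build when any installed libcrypto object still carries an executable `PT_GNU_STACK`, as sketched below; it assumes `readelf` is on the build PATH and that the libraries land in `$out/lib`, both worth confirming against this package. Overriding `CMAKE_C_FLAGS` from the command line should not interfere with the wrapper's own hardening flags, which are injected outside CMake, but that too is an inference rather than something the hunk shows. The second hunk is a pure removal of the earlier `NIX_LDFLAGS` workaround and needs no note.
```nix
  # Fail the build if libcrypto still requires an executable stack, so a
  # change to the flags or to upstream's assembly cannot reintroduce it
  # unnoticed. (Assumes readelf is on PATH and the libraries are in $out/lib.)
  postFixup = stdenv.lib.optionalString stdenv.isLinux ''
    for lib in "$out"/lib/libcrypto*.so*; do
      if readelf -lW "$lib" | grep -q 'GNU_STACK.*RWE'; then
        echo "$lib has an executable stack" >&2
        exit 1
      fi
    done
  '';
```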