libressl: use CFLAGS to avoid exectuable stack

It turns out that libcrypto had an executable stack, because it linked
some objects without a .note.GNU-stack section. Compilers add this
section by default, but the objects produced from .S files did not
contain it. The .S files do include a directive to add the section, but
guarded behind an #ifdef HAVE_GNU_STACK. So define HAVE_GNU_STACK, to
ensure that all objects have a .note.GNU-stack section.
This commit is contained in:
Ruud van Asseldonk 2019-08-21 00:07:38 +02:00
parent c02b4a1cc8
commit fdd78a5387


@ -13,7 +13,15 @@ let
nativeBuildInputs = [ cmake ];
cmakeFlags = [ "-DENABLE_NC=ON" "-DBUILD_SHARED_LIBS=ON" ];
cmakeFlags = [
"-DENABLE_NC=ON"
"-DBUILD_SHARED_LIBS=ON"
# Ensure that the output libraries do not require an executable stack.
# Without this define, assembly files in libcrypto do not include a
# .note.GNU-stack section, and if that section is missing from any object,
# the linker will make the stack executable.
"-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
];
# The autoconf build is broken as of 2.9.1, resulting in the following error:
# libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
@ -23,15 +31,6 @@ let
rm configure
'';
# Ensure that the output libraries do not require an executable stack.
# Without this, libcrypto would be built with the executable stack flag set.
# For GCC the flag is '-z noexecstack'. Clang, which is used on Darwin,
# expects '--noexecstack'. Execstack is an ELF thing, so it is not needed
# on Darwin.
NIX_LDFLAGS = if stdenv.isDarwin
then []
else ["-z" "noexecstack"];
enableParallelBuilding = true;
outputs = [ "bin" "dev" "out" "man" "nc" ];
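Review bot: With the `NIX_LDFLAGS = if stdenv.isDarwin then [] else ["-z" "noexecstack"]` block removed in the second hunk, nothing in the build verifies that every object actually received a .note.GNU-stack section, so a future .S file built without `HAVE_GNU_STACK` would silently reintroduce an executable stack. Consider keeping the linker flag on Linux as a second guard, or adding an installCheckPhase that runs `readelf -lW` on the built libcrypto and libssl and fails if the `GNU_STACK` program header carries the `E` flag. In the first hunk, `"-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"` sets CMAKE_C_FLAGS outright rather than appending, so if the project or another cmakeFlags entry also sets it one of them is lost; a comment such as `# Note: this sets CMAKE_C_FLAGS outright; merge any other C flags into this entry.` would make that assumption explicit. The second hunk's context continues past the end of this view.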