BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixpkgs-suyu/pkgs/development/libraries/libressl/default.nix
Ruud van Asseldonk 8b6a9202e7 libressl: build libcrypto with noexecstack 
For some reasons, libcrypto would be built with the executable stack
flag set. I found out about this when Nginx failed to load the shared
library, because I was running it with MemoryDenyWriteExecute=true,
which does not permit executable stacks.

I am not sure why the stack ends up executable; the other shared
libraries which are part of LibreSSL do not have this flag set. You can
verify this with 'execstack -q'. Non-executable stacks should be the
default, and from checking some other files, that does appear to be the
case. The LibreSSL sources do not contain the string "execstack", so
I am not sure what causes the default to be overridden.

Adding '-z noexecstack' to the linker flags makes the linker unset the
flag. Now my Nginx can load the library, and so far I have not run into
other issues.
2019-08-10 22:21:57 +02:00

63 lines
1.8 KiB
Nix
Raw Blame History

{ stdenv, fetchurl, lib, cmake }:
let
generic = { version, sha256 }: stdenv.mkDerivation rec {
name = "libressl-${version}";
inherit version;
src = fetchurl {
url = "mirror://openbsd/LibreSSL/${name}.tar.gz";
inherit sha256;
};
nativeBuildInputs = [ cmake ];
cmakeFlags = [ "-DENABLE_NC=ON" "-DBUILD_SHARED_LIBS=ON" ];
# The autoconf build is broken as of 2.9.1, resulting in the following error:
# libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
# Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
# removing ./configure pre-config.
preConfigure = ''
rm configure
'';
# Ensure that the output libraries do not require an executable stack.
# Without this, libcrypto would be built with the executable stack flag set.
NIX_LDFLAGS = ["-z" "noexecstack"];
enableParallelBuilding = true;
outputs = [ "bin" "dev" "out" "man" "nc" ];
postFixup = ''
moveToOutput "bin/nc" "$nc"
moveToOutput "bin/openssl" "$bin"
moveToOutput "bin/ocspcheck" "$bin"
moveToOutput "share/man/man1/nc.1${lib.optionalString (dontGzipMan==null) ".gz"}" "$nc"
'';
dontGzipMan = if stdenv.isDarwin then true else null; # not sure what's wrong
meta = with lib; {
description = "Free TLS/SSL implementation";
homepage = "https://www.libressl.org";
license = with licenses; [ publicDomain bsdOriginal bsd0 bsd3 gpl3 isc openssl ];
platforms = platforms.all;
maintainers = with maintainers; [ thoughtpolice fpletz globin ];
};
};
in {
libressl_2_8 = generic {
version = "2.8.3";
sha256 = "0xw4z4z6m7lyf1r4m2w2w1k7as791c04ygnfk4d7d0ki0h9hnr4v";
};
libressl_2_9 = generic {
version = "2.9.2";
sha256 = "1m6mz515dcbrbnyz8hrpdfjzdmj1c15vbgnqxdxb89g3z9kq3iy4";
};
}
Reference in a new issue View git blame Copy permalink