libressl: use CFLAGS to avoid exectuable stack
It turns out that libcrypto had an executable stack, because it linked some objects without a .note.GNU-stack section. Compilers add this section by default, but the objects produced from .S files did not contain it. The .S files do include a directive to add the section, but guarded behind an #ifdef HAVE_GNU_STACK. So define HAVE_GNU_STACK, to ensure that all objects have a .note.GNU-stack section.
parent
c02b4a1cc8
commit
fdd78a5387
@ -13,7 +13,15 @@ let
|
||||
|
||||
nativeBuildInputs = [ cmake ];
|
||||
|
||||
cmakeFlags = [ "-DENABLE_NC=ON" "-DBUILD_SHARED_LIBS=ON" ];
|
||||
cmakeFlags = [
|
||||
"-DENABLE_NC=ON"
|
||||
"-DBUILD_SHARED_LIBS=ON"
|
||||
# Ensure that the output libraries do not require an executable stack.
|
||||
# Without this define, assembly files in libcrypto do not include a
|
||||
# .note.GNU-stack section, and if that section is missing from any object,
|
||||
# the linker will make the stack executable.
|
||||
"-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK"
|
||||
];
|
||||
|
||||
# The autoconf build is broken as of 2.9.1, resulting in the following error:
|
||||
# libressl-2.9.1/tls/.libs/libtls.a', needed by 'handshake_table'.
|
||||
@ -23,15 +31,6 @@ let
|
||||
rm configure
|
||||
'';
|
||||
|
||||
# Ensure that the output libraries do not require an executable stack.
|
||||
# Without this, libcrypto would be built with the executable stack flag set.
|
||||
# For GCC the flag is '-z noexecstack'. Clang, which is used on Darwin,
|
||||
# expects '--noexecstack'. Execstack is an ELF thing, so it is not needed
|
||||
# on Darwin.
|
||||
NIX_LDFLAGS = if stdenv.isDarwin
|
||||
then []
|
||||
else ["-z" "noexecstack"];
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
outputs = [ "bin" "dev" "out" "man" "nc" ];
|
||||
|
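Review bot: Nothing in the derivation checks that the built libraries actually come out without an executable stack, and this section drops the linker-level `-z noexecstack` in `NIX_LDFLAGS` in favour of a single define in `cmakeFlags`. The define only helps if every assembly source is compiled with the C flags and honours `HAVE_GNU_STACK`; whether that holds for all of them is not visible here, and the commit message describes exactly this kind of silent regression. I would add an install check that runs `readelf -lW` on the installed shared libraries and fails when the `GNU_STACK` segment is flagged `RWE`, so a later LibreSSL update cannot reintroduce the problem unnoticed. The removed code was also a deliberate no-op on Darwin, while `-DCMAKE_C_FLAGS=-DHAVE_GNU_STACK` is now passed on every platform, which presumably needs a Darwin build to confirm. The enclosing `let` expression starts and ends outside the visible hunks.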