FS#12434 - PAX and OpenSSL (libcrypto.so)
Attached to Project:
Arch Linux
Opened by Cristian C. (ckristi) - Saturday, 13 December 2008, 00:49 GMT
Last edited by Pierre Schmitz (Pierre) - Sunday, 28 December 2008, 20:14 GMT
Details
Description:
OpenSSL does not play well with security enhanced kernels (PaX/grsecurity).

Additional info:
* openssl-0.9.8i-2

Steps to reproduce:
I applied the PaX patch to my custom kernel empowering Arch Linux. And I had the surprise that OpenSSL (libcrypto.so to be more precise) requested an executable stack to run. After 2 days of "playing" around with PaX-specific tools (user-level apps like paxctl/chpax) and reconfigurations at the kernel level... I found a simple solution to this problem on a Debian or Debian-related forum (can't remember the link). The solution was to compile openssl using "-Wa,--noexecstack" on the config line. So, I patched the PKGBUILD for openssl to do this, and now everything is working fine. Do you think you can enable this patch for future builds of the openssl package? I'll attach the diff from the original PKGBUILD.
Closed by Pierre Schmitz (Pierre)
Sunday, 28 December 2008, 20:14 GMT
Reason for closing: Implemented
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
The Gentoo page on this (http://www.gentoo.org/proj/en/hardened/gnu-stack.xml) states: "If an assembler source contains no GNU-stack note, the system by default assumes that an executable stack may be required. However, usually if there's no GNU-stack note, this is simply because the author didn't include one, rather than the code actually needing an executable stack."
As it works on other systems, I would assume that the assembler parts don't contain the GNU-stack note and don't require an executable stack.
The as assembler program will incorrectly mark libcrypto.so as needing an executable stack, if OpenSSL is built with its assembly code. The following command adds an assembler option to mark the library correctly:
find crypto/ -name Makefile -exec \
sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i.orig {} \;
Also, there's 5 years of testing on Fedora (http://lwn.net/Articles/211328/):
* Tue Sep 30 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-22
- add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged
as not needing executable stacks
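To verify the rebuilt library, here is an added example (not from this report or the openssl package) that reads an ELF file's PT_GNU_STACK program header, the same entry readelf -lW shows as GNU_STACK, and reports whether the file demands an executable stack; the default path and the make_elf64 helper are constructed for illustration.

```python
"""Report the PT_GNU_STACK marking of an ELF file.  PaX/grsecurity and the
kernel use this header to decide whether a library needs an executable
stack; assembler objects built without -Wa,--noexecstack leave it set to
RWX (or absent, which is treated the same way)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def gnu_stack_status(data: bytes) -> str:
    """Return 'exec', 'noexec' or 'missing' for the PT_GNU_STACK header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"   # EI_DATA:  1 = little, 2 = big
    if is64:  # e_phoff at 32, e_phentsize/e_phnum at 54 in the ELF64 header
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:     # e_phoff at 28, e_phentsize/e_phnum at 42 in the ELF32 header
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags follows p_type on ELF64; it sits at offset 24 on ELF32
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        return "exec" if p_flags & PF_X else "noexec"
    return "missing"  # no GNU-stack note: executable stack assumed by default


def make_elf64(stack_flags=None) -> bytes:
    """Constructed minimal ELF64 image with one optional PT_GNU_STACK header."""
    phdrs = b""
    if stack_flags is not None:
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs) // 56, 0, 0, 0)
    return ehdr + phdrs


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/libcrypto.so"  # assumed path
    with open(path, "rb") as f:
        print(path, gnu_stack_status(f.read()))
```

A correctly built libcrypto.so prints "noexec"; "exec" or "missing" means the assembler modules were still tagged as needing an executable stack.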
I'll put a new openssl package into [testing].
As I use wpa2, my wireless connection depends on openssl, so I'll complain in time if there are any problems. ;-)
I've tested the new 0.9.8i-3 and it has been working flawlessly so far. Thanks much.