Security hardening: Expose Build flags for Position Independed Execution (PIE)
authorCraig Lorentzen <crlorentzen@gmail.com>
Mon, 1 Apr 2024 15:49:44 +0000 (11:49 -0400)
committerTomas Mraz <tomas@openssl.org>
Mon, 6 May 2024 08:56:17 +0000 (10:56 +0200)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22596)

.github/workflows/run-checker-merge.yml
CHANGES.md
Configurations/00-base-templates.conf
Configure
INSTALL.md

index e5746d75bdf8c2618f3cb5cff540756135fa0d88..8a1da0c2f2a5bcfb63381d1acb35497ef45e9007 100644 (file)
@@ -35,6 +35,7 @@ jobs:
           no-ts,
           enable-weak-ssl-ciphers,
           enable-zlib,
+          enable-pie,
         ]
     runs-on: ubuntu-latest
     steps:
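Review bot: Adding `enable-pie` to the matrix only proves that the option configures and compiles; it does not verify that the resulting `openssl` program is actually position-independent, which is the whole security property the option claims. A cheap check after the build (the steps of this job are outside the hunk, so I cannot see whether one exists) would be `readelf -h apps/openssl | grep -q 'Type:.*DYN'` on the Linux runner, failing the job if the binary is still `EXEC`. Without that, a target or toolchain that silently drops `-pie` would go unnoticed.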
index 21fd185444d77b6a047779451fa67804f075ec48..1258a44b5239ef6a75e9b2bda15bf1e754a78017 100644 (file)
@@ -59,6 +59,13 @@ OpenSSL 3.4
 
    *Damian Hobson-Garcia*
 
+ * Added support to build Position Independent Executables (PIE). Configuration
+   option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
+   support Address Space Layout Randomization (ASLR) in the openssl executable,
+   removes reliance on external toolchain configurations.
+
+   *Craig Lorentzen*
+
 OpenSSL 3.3
 -----------
 
index 55da5ec56c20045483c575402964e18a742ade6c..a9ccb0ced8792f6cbc3642164556d905fe65da2d 100644 (file)
@@ -76,6 +76,22 @@ my %targets=(
         AR              => "ar",
         ARFLAGS         => "qc",
         CC              => "cc",
+        bin_cflags      =>
+            sub {
+                my @flags = ();
+                if (!defined($disabled{pie})) {
+                    push(@flags, "-fPIE");
+                }
+                return join(" ", @flags);
+            },
+        bin_lflags      =>
+            sub {
+                my @flags = ();
+                if (!defined($disabled{pie})) {
+                    push(@flags, "-pie");
+                }
+                return join(" ", @flags);
+            },
         lflags          =>
             sub {
                 my @libs = ();
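Review bot: `-fPIE` and `-pie` are gcc/clang/GNU-ld spellings, but they are added to the base template that every target inherits, so a target whose compiler or linker rejects them will fail to build the `openssl` program as soon as `enable-pie` is given; nothing in the hunk says that such targets must override `bin_cflags` and `bin_lflags` together (overriding only one leaves either a non-PIE link or a non-PIE compile, both of which lose ASLR for the binary). The new keys also deserve a one-line statement of scope, because a reader may assume `enable-pie` hardens libcrypto/libssl as well, whereas `bin_*` presumably only reaches program targets and the libraries stay under the separate `pic` option. I would add above `bin_cflags`: `# Opt-in PIE for programs only (Configure 'enable-pie'); -fPIE/-pie are GNU-style flags, so targets with other toolchains must override both bin_cflags and bin_lflags.` The enclosing `%targets` hash and the `lflags` sub below continue outside the hunk.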
index cef9e8c3e6662ea73eac2cfd81a47490090bc853..f7fc016c8cab2030dd95a6e043ed7477d56eddab 100755 (executable)
--- a/Configure
+++ b/Configure
@@ -492,6 +492,7 @@ my @disablables = (
     "ocsp",
     "padlockeng",
     "pic",
+    "pie",
     "pinshared",
     "poly1305",
     "posix-io",
@@ -584,6 +585,7 @@ our %disabled = ( # "what"         => "comment"
                   "external-tests"      => "default",
                   "fuzz-afl"            => "default",
                   "fuzz-libfuzzer"      => "default",
+                  "pie"                 => "default",
                   "ktls"                => "default",
                   "md2"                 => "default",
                   "msan"                => "default",
@@ -943,6 +945,10 @@ while (@argvcopy)
                         {
                         delete $disabled{"brotli"};
                         }
+                elsif ($1 eq "pie")
+                        {
+                        delete $disabled{"pie"};
+                        }
                 elsif ($1 eq "zstd-dynamic")
                         {
                         delete $disabled{"zstd"};
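Review bot: The added `elsif ($1 eq "pie") { delete $disabled{"pie"}; }` looks redundant with the generic enable handling: the neighbouring branches exist because the option name differs from the feature they enable (`brotli-dynamic` also enables `brotli`, `zstd-dynamic` also enables `zstd`), whereas for `enable-pie` the captured `$1` is already `"pie"`, so the generic `delete $disabled{$1}` that I believe follows this chain (outside the hunk) would remove the same key. If that is the case the branch should be dropped; if it is kept for some reason, a comment such as `# enable-pie needs no cascade; handled here only for symmetry` should say why. The enclosing option-parsing loop starts and ends outside the hunk.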
index b486ee1556a2526d6d263e726cc053ad4374c302..a34de9bbf8c9e522327da85862c8bdb9d262c0db 100644 (file)
@@ -870,6 +870,10 @@ As synonym for `no-padlockeng`.  Deprecated and should not be used.
 
 Don't build with support for Position Independent Code.
 
+### enable-pie
+
+Build with support for Position Independent Execution.
+
 ### no-pinshared
 
 Don't pin the shared libraries.