20

I'm trying to build OpenSSL with -Wa,--noexecstack, but can't find anywhere in its config command-line to provide this flag. I've tried to set CFLAGS, but it appears to ignore that and just use its own.

This is an automated build working off a clean copy of the OpenSSL source, so a one-time hack of the config script isn't really an option.

Is there a way to pass custom flags to OpenSSL's build process?

DNS
  • 37,249
  • 18
  • 95
  • 132
  • 1
    Note that the documentation actually suggests that you do those edits you'd like to avoid - see https://wiki.openssl.org/index.php/Compilation_and_Installation#Modifying_Build_Settings, where they talk about running sed as part of your build. – James Moore May 25 '17 at 17:17

4 Answers4

21

Later to the party, but this seems to be the correct way of doing this.

From the config script help:

$ ./config -h
Usage: config [options]
 -d Add a debug- prefix to machine choice.
 -t Test mode, do not run the Configure perl script.
 -h This help.

Any other text will be passed to the Configure perl script.
See INSTALL for instructions.

So the config script forwards "unexpected" options to the Configure script. Well, lets see what the Configure script has to say about that:

$ ./Configure --help
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]

See the [:flags] part at the end of that long line? There is also a comment inside the file:

# -<xxx> +<xxx> compiler options are passed through

It's not that obvious since it does not follow well known standards but the answer is: just append the options to the end of the config command line.

As a long time has passed since you posted the question, I must add:

  • it may not work for the version of OpenSSL you are working with (mine is OpenSSL 1.0);
  • I felt compelled to post this answer since none of the previous answers solved my problem and it took me a little while to figure out that solution.
freitass
  • 6,542
  • 5
  • 40
  • 44
  • 2
    Turns out this isn't useful. Most of the time you're going to need to _set_ cflags; this just appends them. Doesn't help get rid of bad ones that are there already. – James Moore Dec 16 '16 at 23:05
  • Note that this doesn't work with all types of flags. For example on Windows, there is no way to set "/SUBSYSTEM:CONSOLE,x.xx" and you still have to fall back to [this answer](https://stackoverflow.com/a/16248464/423913). – Claudiu Oct 03 '18 at 09:01
15

The config script ignores CFLAGS, but not CC. So you can specify your compiler and give it the flags at the same time:

export CC="gcc -Wall -DHELLO_WORLD"; ./config

Alternatively, since config auto detects your platform and then runs Configure with preset compiler settings, you can add the compiler flags to your platform configuration. E.g., for my mac, I see this line when I first run config:

Operating system: i386-apple-darwinDarwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386
Configuring for darwin-i386-cc

So if I open Configure, I can search for darwin-i386-cc and add the flags to the presets.

If you're not using a preset configuration, then you'd just pass the flags directly to Configure on the command line and it'll use them.

indiv
  • 17,306
  • 6
  • 61
  • 82
5

Late to the party, but another way of doing this is to make an automated edit to the generated makefile. E.g., to add -DPURIFY to the flags, I first do the regular configure, then:

perl -i~ -plwe 's!^(CFLAG=.*$)!$1 -DPURIFY!' Makefile

Not the most elegant solution, but it works for me.

AnthonyFoiani
  • 504
  • 5
  • 7
0
  1. CC=clang ./config [other args]
  2. CC=gcc ./confug [other args]

etc

Zhang Tab
  • 11
  • 3