Creating OpenSSL binaries with Control flow guard enabled fails with multiple test failure #22554

Open
aniljadaun opened this issue Oct 30, 2023 · 7 comments
Labels
branch: master Merge to master branch help wanted triaged: feature The issue/pr requests/adds a feature

Comments

@aniljadaun

aniljadaun commented Oct 30, 2023

I am trying to create a non-shared fips enabled build with control flow guard enabled:

Command used:

```
perl Configure VC-WIN64A enable-fips enable-capieng --prefix=D:\opensslBuild\x64\dll --openssldir=D:\opensslBuild\openssldir no-shared CFLAGS=/guard:cf LDFLAGS=/guard:cf LIB_CFLAGS=/guard:cf
```

This is failing with multiple test failures.

Without using `CFLAGS=/guard:cf LDFLAGS=/guard:cf LIB_CFLAGS=/guard:cf`, the build is successfully created.

@aniljadaun aniljadaun added the issue: question The issue was opened to ask a question label Oct 30, 2023
@t8m t8m added branch: master Merge to master branch help wanted triaged: feature The issue/pr requests/adds a feature and removed issue: question The issue was opened to ask a question labels Oct 30, 2023
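
One way to confirm that a binary linked by a build like the one above carries the Control Flow Guard marker (an added example, not part of the original post or of the OpenSSL project): it reads the GUARD_CF bit (0x4000) from the `DllCharacteristics` field of the PE optional header. The names `guard_cf_enabled` and `make_sample_pe` are hypothetical, and the sample header is constructed; the bit only shows that the image was linked as CFG-aware.

```python
import struct

IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000  # set when linking with /guard:cf
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # DllCharacteristics offset in the optional header (PE32 and PE32+)


def guard_cf_enabled(image: bytes) -> bool:
    """Return True if the PE image's DllCharacteristics has GUARD_CF set."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    if len(image) < opt + DLLCHAR_OFFSET + 2:
        raise ValueError("image truncated before DllCharacteristics")
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    if opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)
    return bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF)


def make_sample_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32+ header (not a loadable image) for demonstration."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # paths to built .exe/.dll files
        with open(path, "rb") as fh:
            state = "enabled" if guard_cf_enabled(fh.read()) else "NOT enabled"
        print(f"{path}: /guard:cf {state}")
```
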
@paulidale
Contributor

Try adding no-asm to the command line. The assembly implementations don't include support for this feature which I suspect is the problem.

The downside is that a build with no-asm is slower.

@aniljadaun
Author

Hi @paulidale

Is it possible to get the CFG enabled build without impacting performance and also please confirm if using no-asm wouldn't impact fips compliance?

@paulidale
Contributor

It would be possible but it would require a community member (i.e. you) to submit patches for the assembler implementations so that they supported CFG.

Using no-asm does not impact FIPS compliance. All of our platforms are tested both with and without the assembler implementations.

@aniljadaun
Author

aniljadaun commented Oct 31, 2023

Thanks @paulidale.

Update: Not working :(

@nhorman
Contributor

nhorman commented Oct 31, 2023

#22387
That issue sounds like it might be related

If you turn off /guard:cf, does the problem go away? If so, can you re-enable /guard:cf and provide debugger output regarding the locations of the failures? It will require you identifying a specific failing test case, and running it manually under the VC debugger

@FdaSilvaYY
Contributor

Windows guard:cf / masm / SEH are kind of recurring themes around assembly code in the project:
#1592
#8109
#22387
#21522 (comment)

HTH

@nhorman
Contributor

nhorman commented Dec 6, 2023

FYI, the connection just occurred to me (thanks to a post in openssl-security). This is effectively the Windows version of #22896

Please check there for all the thorny details.

I'm tinkering with fixes now, but it's likely going to be some time, as all the options I've come up with thus far require significant ABI changes.

Chocobo1 added a commit to Chocobo1/qBittorrent that referenced this issue Mar 2, 2024
OpenSSL isn't compatible with `/guard:cf` flag so we omit it for now.
Related: openssl/openssl#22554

Closes qbittorrent#20479.
Chocobo1 added a commit to qbittorrent/qBittorrent that referenced this issue Mar 3, 2024
OpenSSL isn't compatible with `/guard:cf` flag so we omit it for now.
Related: openssl/openssl#22554

Closes #20479.
PR #20487.
Chocobo1 added a commit to Chocobo1/qBittorrent that referenced this issue Mar 26, 2024
OpenSSL isn't compatible with `/guard:cf` flag so we omit it for now.
Related: openssl/openssl#22554

Closes qbittorrent#20479.
Chocobo1 added a commit to Chocobo1/qBittorrent that referenced this issue Mar 26, 2024
OpenSSL isn't compatible with `/guard:cf` flag so we omit it for now.
Related: openssl/openssl#22554

Closes qbittorrent#20479.
PR qbittorrent#20487.
Chocobo1 added a commit to qbittorrent/qBittorrent that referenced this issue Mar 28, 2024
OpenSSL isn't compatible with `/guard:cf` flag so we omit it for now.
Related: openssl/openssl#22554

Closes #20479.
PR #20487.
Projects
Status: In progress