Compiling SSLProxy statically (including cross compiling arm64 from chroot)

[GhostNaix]

I'm leaving this here in case someone wants to compile SSLProxy and have it statically linked (IOT Pentesting or portability).

Prerequisites:

• Systemd based linux (both host and target).
• The target must have the same glibc library version as the system you are building sslproxy on (due to an issue with glibc we cannot build a truely static binary).
• This guide is targeted to Debian based Linux distros but I'm sure you can adapt it to other Linux distros with some effort although success is not guaranteed.

⚠️Regarding Bug reports⚠️

After discovering this I have not had time to thoroughly test the static build of SSLProxy against all situations thus I advise some due diligence before posting an issue. You may have notice the following warnings when building statically.

/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libcrypto.a(libcrypto-lib-dso_dlfcn.o): in function `dlfcn_globallookup':
(.text+0x1f): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: sys.o: in function `sys_privdrop':
/home/naix/SSLproxy/src/sys.c:150:(.text+0x233): warning: Using 'endgrent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libsystemd.a(src_basic_user-util.c.o): in function `get_group_creds':
/home/naix/systemd-255.4/build/../src/basic/user-util.c:371:(.text+0x1172): warning: Using 'getgrgid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: sys.o: in function `sys_group_str':
/home/naix/SSLproxy/src/sys.c:385:(.text+0xb73): warning: Using 'getgrgid_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: sys.o: in function `sys_privdrop':
/home/naix/SSLproxy/src/sys.c:86:(.text+0x174): warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libdbus-1.a(libdbus_1_la-dbus-sysdeps-unix.o): in function `fill_user_info':
(.text+0x320): warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: sys.o: in function `sys_privdrop':
/home/naix/SSLproxy/src/sys.c:105:(.text+0x1c3): warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libcrypto.a(libcrypto-lib-bio_addr.o): in function `BIO_lookup_ex':
(.text+0xdbc): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libnet.a(libnet_resolve.o): in function `libnet_addr2name4':
(.text+0xc2): warning: Using 'gethostbyaddr' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libnet.a(libnet_resolve.o): in function `libnet_name2addr4':
(.text+0x32c): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libnet.a(libnet_resolve.o): in function `libnet_name2addr6':
(.text+0x546): warning: Using 'gethostbyname2' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libpcap.a(nametoaddr.o): in function `pcap_nametonetaddr':
(.text+0xfb): warning: Using 'getnetbyname_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libevent.a(evutil.o): in function `evutil_getaddrinfo_common_':
(.text+0x1b84): warning: Using 'getprotobynumber' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libnl-3.a(libnl_3_la-utils.o): in function `nl_str2ip_proto':
(.text+0x1530): warning: Using 'getprotobyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libpcap.a(nametoaddr.o): in function `pcap_nametoproto':
(.text+0x4c9): warning: Using 'getprotobyname_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: sys.o: in function `sys_privdrop':
/home/naix/SSLproxy/src/sys.c:147:(.text+0x229): warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /home/naix/SSLproxy/src/sys.c:95:(.text+0x19f): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libdbus-1.a(libdbus_1_la-dbus-sysdeps-unix.o): in function `fill_user_info':
(.text+0x233): warning: Using 'getpwnam_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libsystemd.a(src_basic_user-util.c.o): in function `get_user_creds':
/home/naix/systemd-255.4/build/../src/basic/user-util.c:268:(.text+0xdb3): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: sys.o: in function `sys_user_str':
/home/naix/SSLproxy/src/sys.c:332:(.text+0x9d3): warning: Using 'getpwuid_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/13/../../../x86_64-linux-gnu/libevent.a(evutil.o): in function `evutil_getaddrinfo_common_':
(.text+0x1d0f): warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

Which leads me to believe that some functionality may break during runtime (even if you've adhered to the prequisites above), If you do encounter a bug, an error or unexpected behaviour, please attempt to replicate it on a dynamic build first to verify that it's caused by statically building SSLProxy before posting an issue. I believe it is imperative that when encountering a bug you should assume that due to static linking unless you find evidence otherwise.

Building statically linked SSLProxy on x86-64 systems

Installing and Standard SSLProxy dependencies (Used for both Dynamic and Static linking)
This step is self explanatory, we need this packages whether we are building SSLProxy statically or dynamically, at the time of writing this these packages come with both dynamic and static libraries, but that could change in the future.

1. Update the repository
   sudo apt update
2. Install the dependencies required for building SSLproxy
   sudo apt install -y libevent-dev libpcap-dev libnet-dev libsqlite3-dev libssl-dev libcap-dev

Building Systemd libraries statically
So, most linux distros for whatever reason don't include a static version of systemd library so we will need to build it ourselves.

1. Install the build dependencies for systemd
   sudo apt build-dep -y systemd
2. Get the Systemd source code for your distro (This will be downloaded to the current working directory)
   sudo apt-get source systemd
3. (Optional) remove unnecessary files
   rm systemd_*
4. Change the current working directory to the source code
   cd systemd-*
5. Setup the Build Directory
   meson setup build/
6. Reconfigure Build to build libraries statically
   meson configure --default-library static --strip -Dstatic-libsystemd=pic -Dstatic-libudev=pic build/
7. Build the Systemd
   ninja -C build/
8. Install Systemd libraries only (We are not going to use the built in meson command to install, we don't want to break our current systemd install or bork something down the line)

install -d /usr/lib/x86_64-linux-gnu/
sudo install build/libsystemd.a /usr/lib/x86_64-linux-gnu/
sudo install build/libudev.a /usr/lib/x86_64-linux-gnu/

Compiling SSLProxy
At this point we would have all the dependencies to build SSLProxy Statically (I will assume that you are still using the same terminal window which it's working directory is in the systemd source code folder)

1. (Optional) Leave the Systemd source code folder
   cd ..
2. Download SSLProxy source code
   git clone https://github.com/sonertari/SSLproxy.git
3. Change working directory to the SSLProxy source code folder
   cd SSLProxy
4. Explicit specify libcap in the build
   sed -i 's/LIBS+= $(PKG_LIBS)/LIBS+= $(PKG_LIBS) -lcap/g' Mk/main.mk
5. Build SSLProxy
   PCFLAGS='-static' CFLAGS='-static' LDFLAGS='-static' make -j$(nproc)
6. (Optional) Check if it's correctly statically compiled
   file -s src/sslproxy
   Should return something like this (Build ID would differ)
   src/sslproxy: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=587018efc21d9a8ecc6fb9da459ef4cb71292e11, for GNU/Linux 3.2.0, with debug_info, not stripped
7. (Optional) Strip debugging information
   strip -s src/sslproxy

Cross Compiling statically linked SSLProxy on x86-64 systems for arm64 Systems

Now there is a method to cross-compile a statically linked SSLProxy targeted for arm64 from an x86-64 system, however I recommend a Debian Chroot as it needs to install arm64 libraries and some of them refuses to live with x86-64 libraries on the same system.

Additional prerequisites

• Setting up Debian Chroot (Refer to the paragraph above for explanation)

Making the Chroot
We need to make the chroot environment to safely install the required arm64 packages required to build SSLProxy.

1. Update your repository
   sudo apt update
2. Install debootstrap
   sudo apt install debootstrap
3. Make the Chroot (You may pick the debian release of you choice i.e trixie, bookworm, etc. You may also change to the install directory for the purposes of this guide I will be installing it to /Debian_chroot)
   sudo debootstrap --arch=amd64 bookworm /Debian_chroot
   or
   sudo debootstrap --arch=amd64 <Release codename of your choice> <Directory of you choice>
4. Add Sources to your chroot

echo "deb http://deb.debian.org/debian bookworm main non-free-firmware"  | sudo tee "/Debian_chroot/etc/apt/sources.list"
echo "deb http://deb.debian.org/debian bookworm-updates main non-free-firmware" | sudo tee -a "/Debian_chroot/etc/apt/sources.list"
echo "deb-src http://deb.debian.org/debian bookworm main non-free-firmware" | sudo tee -a "/Debian_chroot/etc/apt/sources.list"
echo "deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware" | sudo tee -a "/Debian_chroot/etc/apt/sources.list"

or

echo "deb http://deb.debian.org/debian <Release codename of your choice> main non-free-firmware"  | sudo tee "/Debian_chroot/etc/apt/sources.list"
echo "deb http://deb.debian.org/debian <Release codename of your choice>-updates main non-free-firmware" | sudo tee -a "/Debian_chroot/etc/apt/sources.list"
echo "deb-src http://deb.debian.org/debian <Release codename of your choice> main non-free-firmware" | sudo tee -a "/Debian_chroot/etc/apt/sources.list"
echo "deb-src http://deb.debian.org/debian <Release codename of your choice>-updates main non-free-firmware" | sudo tee -a "/Debian_chroot/etc/apt/sources.list"

Dropping into your Chroot Shell
At this point your chroot environment should be setup however we need to drop into the chroot shell which is covered in this section.
A word of warning, Some linux distros break when chrooting as shown below and is only solvable via a reboot amke sure you are ready to reboot after building.

1. Mounting the Chroot system file systems

sudo mount -t proc /proc "/Debian_chroot/proc"
sudo mount --rbind /sys "/Debian_chroot/sys"
sudo mount --rbind /dev "/Debian_chroot/dev"

or

sudo mount -t proc /proc "<Directory of you choice>/proc"
sudo mount --rbind /sys "<Directory of you choice>/sys"
sudo mount --rbind /dev "<Directory of you choice>/dev"

2. Dropping into the chroot shell

chroot "/Debian_chroot" "/bin/bash"
or
chroot "<Directory of you choice>" "/bin/bash"

Configuring the chroot
At this point I am assuming you are in the chroot shell, commands executed in this shell should not affect your main system.

1. Add the Arm64/aarch64 architecture packages
   dpkg --add-architecture arm64
2. Update the repository
   apt update
3. Install Arm64 compilers and git
   apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu git

Installing and Standard SSLProxy dependencies (Used for both Dynamic and Static linking)
This step is self explanatory, we need this packages whether we are building SSLProxy statically or dynamically, at the time of writing this these packages come with both dynamic and static libraries, but that could change in the future.

1. Install the dependencies required for building SSLproxy

apt install -y libpcap-dev libsqlite3-dev libssl-dev libcap-dev
apt install -y libevent-dev:arm64 libpcap-dev:arm64 libnet-dev:arm64 libsqlite3-dev:arm64 libssl-dev:arm64 libcap-dev:arm64

(Optional) Changing to a suitable Working Directroy
By default when you drop into a chroot shell you will be at the root of the file system (/) which is not ideal for building so we will change our working directory to /usr/src however you may change to whatever directroy you desire or fancy,or even create directories dedicated to this and adapt the guide.
cd usr/src

Building Systemd libraries statically for arm64

1. Install the build dependencies for systemd arm64
   apt build-dep --host-architecture arm64 systemd
2. Get the Systemd source code for your distro (This will be downloaded to the current working directory)
   apt-get source systemd
3. (Optional) remove unnecessary files
   rm systemd_*
4. Change the current working directory to the source code
   cd systemd-*
5. Create the Systemd Cross Build configuration (Use whatever text editor you fancy for this guide I'm gonna use nano)
   nano "Systemd-cross.ini"
   and paste the following

[binaries]
c = 'aarch64-linux-gnu-gcc'
cpp = 'aarch64-linux-gnu-g++'
ld = 'aarch64-linux-gnu-ld'
ar = 'aarch64-linux-gnu-ar'
strip = 'aarch64-linux-gnu-strip'
pkgconfig = 'aarch64-linux-gnu-pkg-config'

[build_machine]
system = 'linux'
cpu_family = 'x86_64'
cpu = 'x86_64'
endian = 'little'

[host_machine]
system = 'linux'
cpu_family = 'arm'
cpu = 'aarch64'
endian = 'little'

[built-in options]
c_args = []
cpp_args = []

Save the file and proceed.

6. Setup the Build Directory with Cross compile configuration
   meson setup build/ --cross-file Systemd-cross.ini
7. Reconfigure Build to build libraries statically
   meson configure --default-library static --strip -Dstatic-libsystemd=pic -Dstatic-libudev=pic build/
8. Build the Systemd
   ninja -C build/
9. Install Systemd libraries only (We are not going to use the built in meson command to install, we don't want to break our current systemd install or bork something down the line)

install -d /usr/lib/aarch64-linux-gnu/
install build-arm64/libsystemd.a /usr/lib/aarch64-linux-gnu/
install build-arm64/libsystemd.a /usr/lib/aarch64-linux-gnu/

Compiling SSLProxy
At this point we would have all the dependencies to build SSLProxy Statically (I will assume that you are still using the same terminal window which it's working directory is in the systemd source code folder)

1. (Optional) Leave the Systemd source code folder
   cd ..
2. Download SSLProxy source code
   git clone https://github.com/sonertari/SSLproxy.git
3. Change working directory to the SSLProxy source code folder
   cd SSLProxy
4. Explicit specify libcap in the build
   sed -i 's/LIBS+= $(PKG_LIBS)/LIBS+= $(PKG_LIBS) -lcap/g' Mk/main.mk
5. Build SSLProxy
   CC='aarch64-linux-gnu-gcc' PCFLAGS='--static' CFLAGS='-static' LDFLAGS='-static' make -j$(nproc)
6. (Optional) Strip debugging information
   aarch64-linux-gnu-strip -s src/sslproxy