Build generates PIC even for static library #4
Comments
|
I think the sharp edge here is a wrapper DLL or shared object. For this use case, this could happen:
The user will experience relocation errors when linking their shared object with I think the same could happen if the user built an executable linked against
See Wrapper DLL on the Crypto++ wiki. And see https://www.google.com/search?q=ld+relocation+error+'-fPIC' (and the slew of answers that say "rebuild with -fPIC"). |
|
It is probably worth mentioning...
ASLR was introduced by Microsoft in Windows XP. Utilizing ASLR has been part of the secure coding guide since at least the year 2000. Position independent code has been part of Unix & Linux for years also. It became a recommendation around 2010 for secure coding Unix & Linux. In 2012 Android adopted it. It is very unfortunate CMake does not enable it by default given it has been a standard option for over 10 years. Code that does not use position independent code or ASLR will fail a security audit nowadays. |
|
Hmm… from a hardening point of view it makes sense. Anyway, the only reason I thought it should be removed is that some distros require that archive libs should be built with no -fPIC. I will make a specific test case for using wrapper DLL and a test case for -fPIE executable and document the scenarios clearly in the code if we decide to keep/remove -fPIC/-fPIE. |
This is a remanent from the old cmake file.
For static lib build, and given that we do not use the same intermediary object files for shared and static, the archive library should be built without -fPIC.
The text was updated successfully, but these errors were encountered: