Relinking's goal is to reduce gadget discovery.
There are two reasons we do this:
- The existance of many small stub functions that might be reached with
the wrong parameters to act upon data structures incorrectly
- polymorphic gadget availability on variable-sized instruction architectures
Random relinking makes the offsets to those things less discoverable.
But these two librares you propose are than the others we relink, and
have far fewer gadgets to begin with.
I don't see a positive value:cost tradeoff here, where cost is "time during
boot, and potential for fragility in case of relink failure".
So these libraries are simply not in the same scope as libcrypto, libc,
sshd, and the kernel. For those pieces, the boot-time investment is
worth it. I only really consider one more program worth investing in
relinking: httpd, but haven't done so yet.
Job Snijders <j...@openbsd.org> wrote:
> Hi all,
>
> Would it be worth it to reorder libssl & libtls at boot?
>
> Kind regards,
>
> Job
>
> Index: etc/rc
> ===================================================================
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.571
> diff -u -p -r1.571 rc
> --- etc/rc 26 Apr 2023 14:28:09 -0000 1.571
> +++ etc/rc 17 Jun 2023 05:18:46 -0000
> @@ -199,7 +199,7 @@ reorder_libs() {
> done
>
> # Only choose the latest version of the libraries.
> - for _liba in $_relink/usr/lib/lib{c,crypto}; do
> + for _liba in $_relink/usr/lib/lib{c,crypto,ssl,tls}; do
> _libas="$_libas $(ls $_liba.so.+([0-9.]).a | sort -rV | head
> -1)"
> done
>
> Index: lib/libssl/Makefile
> ===================================================================
> RCS file: /cvs/src/lib/libssl/Makefile,v
> retrieving revision 1.79
> diff -u -p -r1.79 Makefile
> --- lib/libssl/Makefile 5 May 2023 21:23:02 -0000 1.79
> +++ lib/libssl/Makefile 17 Jun 2023 05:18:46 -0000
> @@ -10,6 +10,7 @@ PC_FILES=openssl.pc libssl.pc
> CLEANFILES=${PC_FILES} ${VERSION_SCRIPT}
>
> LIB= ssl
> +LIBREBUILD=y
>
> CFLAGS+= -Wall -Wundef
> .if ${COMPILER_VERSION:L} == "clang"
> Index: lib/libtls/Makefile
> ===================================================================
> RCS file: /cvs/src/lib/libtls/Makefile,v
> retrieving revision 1.38
> diff -u -p -r1.38 Makefile
> --- lib/libtls/Makefile 5 May 2023 21:23:02 -0000 1.38
> +++ lib/libtls/Makefile 17 Jun 2023 05:18:46 -0000
> @@ -16,6 +16,7 @@ CLEANFILES= ${VERSION_SCRIPT}
> WARNINGS= Yes
>
> LIB= tls
> +LIBREBUILD=y
>
> DPADD= ${LIBCRYPTO} ${LIBSSL}
>
> Index: distrib/sets/lists/base/mi
> ===================================================================
> RCS file: /cvs/src/distrib/sets/lists/base/mi,v
> retrieving revision 1.1099
> diff -u -p -r1.1099 mi
> --- distrib/sets/lists/base/mi 10 Jun 2023 15:16:43 -0000 1.1099
> +++ distrib/sets/lists/base/mi 17 Jun 2023 05:18:50 -0000
> @@ -3009,6 +3009,8 @@
> ./usr/share/relink/usr/lib
> ./usr/share/relink/usr/lib/libc.so.97.0.a
> ./usr/share/relink/usr/lib/libcrypto.so.51.0.a
> +./usr/share/relink/usr/lib/libssl.so.54.0
> +./usr/share/relink/usr/lib/libtls.so.27.0
> ./usr/share/relink/usr/libexec
> ./usr/share/relink/usr/libexec/ld.so.a
> ./usr/share/relink/usr/sbin
>
