How can one provide custom compiler/linker flags for OpenSSL?

Question

I'm trying to build OpenSSL with -Wa,--noexecstack, but can't find anywhere in its config command-line to provide this flag. I've tried to set CFLAGS, but it appears to ignore that and just use its own.

This is an automated build working off a clean copy of the OpenSSL source, so a one-time hack of the config script isn't really an option.

Is there a way to pass custom flags to OpenSSL's build process?

Answer 1

Later to the party, but this seems to be the correct way of doing this.

From the config script help:

$ ./config -h
Usage: config [options]
 -d Add a debug- prefix to machine choice.
 -t Test mode, do not run the Configure perl script.
 -h This help.

Any other text will be passed to the Configure perl script.
See INSTALL for instructions.

So the config script forwards "unexpected" options to the Configure script. Well, lets see what the Configure script has to say about that:

$ ./Configure --help
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]

See the [:flags] part at the end of that long line? There is also a comment inside the file:

# -<xxx> +<xxx> compiler options are passed through

It's not that obvious since it does not follow well known standards but the answer is: just append the options to the end of the config command line.

As a long time has passed since you posted the question, I must add:

• it may not work for the version of OpenSSL you are working with (mine is OpenSSL 1.0);
• I felt compelled to post this answer since none of the previous answers solved my problem and it took me a little while to figure out that solution.

Answer 2

The config script ignores CFLAGS, but not CC. So you can specify your compiler and give it the flags at the same time:

export CC="gcc -Wall -DHELLO_WORLD"; ./config

Alternatively, since config auto detects your platform and then runs Configure with preset compiler settings, you can add the compiler flags to your platform configuration. E.g., for my mac, I see this line when I first run config:

Operating system: i386-apple-darwinDarwin Kernel Version 10.8.0: Tue Jun 7 16:33:36 PDT 2011; root:xnu-1504.15.3~1/RELEASE_I386
Configuring for darwin-i386-cc

So if I open Configure, I can search for darwin-i386-cc and add the flags to the presets.

If you're not using a preset configuration, then you'd just pass the flags directly to Configure on the command line and it'll use them.