[openssl-users] Openssl Build Error- module unsafe for SAFESEH image/Unable to generate SAFESEH image

Jakob Bohm jb-openssl at wisemo.com
Thu Oct 18 14:24:59 UTC 2018


SAFESEH requires any code that sets up Win32/i386 SEH handlers
to include special assembler directives to add the handler code
address to a special list which the linker then puts in the
compiled program for the Windows runtime (NTDLL.DLL etc.) to
check to make sure it is only calling back to your real handler
and not to one added by a buffer overflow attack on your process.

For C/C++ code, the compiler uses only handlers in the C runtime,
each of which already includes those directives.  But for Assembler
source code (such as the optimized assembler modules in OpenSSL),
there is no way to automatically detect if the code sets up any
unofficial SEH handlers.  So instead, the linker looks for a special
flag placed in the .obj files to indicate that the programmer
indicated that they did whatever was necessary (which may be nothing
if the modules don't set up their own SEH handlers).

For MASM (recent versions), this means passing "/safeseh" on the
assembler command line and adding the .SAFESEH directive for any
SEH handlers defined in the .asm file:

HandlerEntrypointSymbol PROC NEAR
   ; Example "nothing handled" Handler:
   XOR EAX,EAX
   INC EAX
   RETN 10h
HandlerEntrypointSymbol ENDP
.SAFESEH HandlerEntrypointSymbol

Note that this only applies to the file that implements the
handler, not the files that push its address on the stack.

I haven't checked, but I don't think any of the OpenSSL .asm files
for Win32/i386 actually implement any handlers, so just the command
line switch is probably enough, but someone from the OpenSSL team
needs to confirm this.

On 18/10/2018 14:34, sakdev wrote:
> Thanks for the reply, Michael.
>
> I am sure I gave 32-bit build only. "BuildWinLibs.bat vs2015 x32d clean"
> This is the comment I gave for build. Here "x32r" means 32-bit release
> build.
>
> Here is the error code (text).
>
>
>          rc /fo"tmp32dll/MSVC14.0\libeay32.res" /d CRYPTO ms\version32.rc
> Microsoft (R) Windows (R) Resource Compiler Version 10.0.10011.16384
> Copyright (C) Microsoft Corporation.  All rights reserved.
>
>          link /nologo /subsystem:console /opt:ref /safeseh /debug /dll
> /out:out32
> dll/MSVC14.0\libeay32.dll /def:ms/LIBEAY32.def
> @C:\Users\SAKTHI~1\AppData\Local\
> Temp\nm973D.tmp
> x86cpuid.obj : error LNK2026: module unsafe for SAFESEH image.
> md5-586.obj : error LNK2026: module unsafe for SAFESEH image.
> sha1-586.obj : error LNK2026: module unsafe for SAFESEH image.
> sha256-586.obj : error LNK2026: module unsafe for SAFESEH image.
> sha512-586.obj : error LNK2026: module unsafe for SAFESEH image.
> rmd-586.obj : error LNK2026: module unsafe for SAFESEH image.
> bf-586.obj : error LNK2026: module unsafe for SAFESEH image.
> cast-586.obj : error LNK2026: module unsafe for SAFESEH image.
> aes-586.obj : error LNK2026: module unsafe for SAFESEH image.
> vpaes-x86.obj : error LNK2026: module unsafe for SAFESEH image.
> aesni-x86.obj : error LNK2026: module unsafe for SAFESEH image.
> cmll-x86.obj : error LNK2026: module unsafe for SAFESEH image.
> ghash-x86.obj : error LNK2026: module unsafe for SAFESEH image.
> bn-586.obj : error LNK2026: module unsafe for SAFESEH image.
> co-586.obj : error LNK2026: module unsafe for SAFESEH image.
> x86-mont.obj : error LNK2026: module unsafe for SAFESEH image.
> x86-gf2m.obj : error LNK2026: module unsafe for SAFESEH image.
> wp-mmx.obj : error LNK2026: module unsafe for SAFESEH image.
>     Creating library out32dll/MSVC14.0\libeay32.lib and object
> out32dll/MSVC14.0\
> libeay32.exp
> out32dll/MSVC14.0\libeay32.dll : fatal error LNK1281: Unable to generate
> SAFESEH
>   image.
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio
> 14.0
> \VC\BIN\link.EXE"' : return code '0x501'
> Stop.
>
> "nmake -f .\ms\ntdll_WIN32_REL.mak install"
>
> Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
> Copyright (C) Microsoft Corporation.  All rights reserved.
>
>          perl .\util\copy-if-different.pl ".\crypto\opensslconf.h"
> "inc32\openssl
> \opensslconf.h"
> NOT copying: ./crypto/opensslconf.h to inc32/openssl/opensslconf.h
>          link /nologo /subsystem:console /opt:ref /safeseh /debug /dll
> /out:out32
> dll/MSVC14.0\libeay32.dll /def:ms/LIBEAY32.def
> @C:\Users\SAKTHI~1\AppData\Local\
> Temp\nmA0DE.tmp
> x86cpuid.obj : error LNK2026: module unsafe for SAFESEH image.
> md5-586.obj : error LNK2026: module unsafe for SAFESEH image.
> sha1-586.obj : error LNK2026: module unsafe for SAFESEH image.
> sha256-586.obj : error LNK2026: module unsafe for SAFESEH image.
> sha512-586.obj : error LNK2026: module unsafe for SAFESEH image.
> rmd-586.obj : error LNK2026: module unsafe for SAFESEH image.
> bf-586.obj : error LNK2026: module unsafe for SAFESEH image.
> cast-586.obj : error LNK2026: module unsafe for SAFESEH image.
> aes-586.obj : error LNK2026: module unsafe for SAFESEH image.
> vpaes-x86.obj : error LNK2026: module unsafe for SAFESEH image.
> aesni-x86.obj : error LNK2026: module unsafe for SAFESEH image.
> cmll-x86.obj : error LNK2026: module unsafe for SAFESEH image.
> ghash-x86.obj : error LNK2026: module unsafe for SAFESEH image.
> bn-586.obj : error LNK2026: module unsafe for SAFESEH image.
> co-586.obj : error LNK2026: module unsafe for SAFESEH image.
> x86-mont.obj : error LNK2026: module unsafe for SAFESEH image.
> x86-gf2m.obj : error LNK2026: module unsafe for SAFESEH image.
> wp-mmx.obj : error LNK2026: module unsafe for SAFESEH image.
>     Creating library out32dll/MSVC14.0\libeay32.lib and object
> out32dll/MSVC14.0\
> libeay32.exp
> out32dll/MSVC14.0\libeay32.dll : fatal error LNK1281: Unable to generate
> SAFESEH
>   image.
> NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio
> 14.0
> \VC\BIN\link.EXE"' : return code '0x501'
> Stop.
>
>
> "COMPLETED."
>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
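
Added example (not part of the original message, and not OpenSSL or Microsoft code): a build-time check for the per-object flag the message describes. In the PE/COFF format that flag is the absolute symbol @feat.00 with bit 0 set; the function names and the sample objects below are constructed for illustration.

```python
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SYM_ABSOLUTE = -1
HDR = "<HHIIIHH"   # 20-byte COFF file header
SYM = "<8sIhHBB"   # 18-byte COFF symbol table record
SYM_SIZE = struct.calcsize(SYM)


def obj_is_safeseh(data: bytes) -> bool:
    """True if an i386 COFF object carries @feat.00 with bit 0 set,
    i.e. the marker whose absence produces LNK2026 under /safeseh."""
    machine, _nsec, _ts, symtab, nsyms, _opt, _flags = struct.unpack_from(HDR, data, 0)
    if machine != IMAGE_FILE_MACHINE_I386:
        raise ValueError("SAFESEH only applies to 32-bit x86 objects")
    if symtab + nsyms * SYM_SIZE > len(data):
        raise ValueError("truncated symbol table")
    i = 0
    while i < nsyms:
        name, value, section, _type, _cls, naux = struct.unpack_from(
            SYM, data, symtab + i * SYM_SIZE)
        if name == b"@feat.00" and section == IMAGE_SYM_ABSOLUTE:
            return bool(value & 1)
        i += 1 + naux  # auxiliary records follow the symbol they describe
    return False       # no marker at all: the linker treats the module as unsafe


def build_sample_obj(feat_value=None) -> bytes:
    """Constructed minimal object: one undefined external symbol, plus an
    optional @feat.00 record. Not a real OpenSSL module."""
    syms = [struct.pack(SYM, b"_memcpy", 0, 0, 0x20, 2, 0)]
    if feat_value is not None:
        syms.append(struct.pack(SYM, b"@feat.00", feat_value, IMAGE_SYM_ABSOLUTE, 0, 3, 0))
    header = struct.pack(HDR, IMAGE_FILE_MACHINE_I386, 0, 0, 20, len(syms), 0, 0)
    return header + b"".join(syms) + struct.pack("<I", 4)  # empty string table


if __name__ == "__main__":
    # Usage: python check_safeseh.py tmp32dll\*.obj
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            state = "safe" if obj_is_safeseh(fh.read()) else "UNSAFE for SAFESEH"
        print(f"{path}: {state}")
```

Run over the object directory before the link step, it lists the same modules the linker would reject with LNK2026.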


