On Tue, Jun 23, 2026 at 05:14:48PM +0800, Chris Billington wrote:
> Theo Buehler wrote:
> > On Tue, Jun 23, 2026 at 04:35:55PM +0800, Chris Billington wrote:
> > > When trying to produce a port for deltachat-rpc-server 2.53.0, I stumbled on
> > > a problem with the aws_lc_rs crate which is used for TLS.
> > 
> > If you want to keep using aws-lc, this is the approach existing ports
> > use.
> > 
> > # aws-lc-sys has constants in .text
> > # https://github.com/awslabs/s2n-bignum/pull/242
> > .if ${MACHINE_ARCH} == "amd64"
> > USE_NOEXECONLY =        Yes
> > .endif
> > 
> > The PR has been merged but it still needs to trickle into the ecosystem.
> > 
> > > The port builds two executables deltachat-rpc-server and deltachat-repl
> > > which reliably crash when making a TLS connection:
> > > 
> > > Thread 2 "tokio-rt-worker" received signal SIGSEGV, Segmentation fault.
> > > 0x... in aws_lc_0_41_0_curve25519_x25519base ()
> > > 
> > > I suspect this is similar to the exec-only violations which were encountered
> > > with the ring-0.16 crate, where key algorithms making use of
> > > assembly-language code are attempting to read from an executable-only
> > > region, /usr/local mounted with wxallowed. This led to the making of the
> > > security/rust-ring port maintained by tb@.
> > 
> > Yes. It's the same issue. It will eventually fix itself but needs some
> > more patience. Since aws-lc is much faster evolving than ring, an analog
> > to rust-ring is something I'd like to avoid.
> > 
> > > I managed to patch deltachat-rpc-server to use ring-0.17 instead of
> > > aws_lc_rs, and this now connects reliably with TLS. I will continue to test.
> > 
> > That's the other option. I think using USE_NOEXECONLY for amd64 is the
> > approach with less friction for now.
> > 
> Thanks!
> 
> I couldn't find any Rust ports using USE_NOEXECONLY. Maybe I am grepping
> incorrectly?

Here are the ones that use the specific hack mentioned above:

devel/codex
devel/uv
devel/zizmor
lang/deno
lang/gleam
net/krill
sysutils/rustic

> What would be the preferable approach for a deltachat-rpc-server port? The
> patch to use ring is quite minimal: a one-liner to Cargo.toml and 5
> replacements to substitute ring for aws-lc_rs features in two Deltachat
> source files.

It's your call, really. I think both are fine. Setting USE_NOEXECONLY
is probably slightly less friction, and since rustls now defaults to
aws-lc, that's probably a bit better tested in the ecosystem.
Not having USE_NOEXECONLY is of course a plus.
