| author | Brent Cook <bcook@openbsd.org> | 2015-02-24 19:39:16 -0600 |
|---|---|---|
| committer | Brent Cook <bcook@openbsd.org> | 2015-02-24 19:39:16 -0600 |
| commit | ab0d3e54a221b8959582459bbd1ff6fd2f08f9f0 (patch) | |
| tree | 9f1b317fa75f852e65d63e3c880418deca1e876b | |
| parent | 347c03d3a02e63775ec6b0c3aa94aef2b41f599d (diff) | |
add windows-specific hardening options
This enables DEP and ASLR capabilities. Stack protection is enabled
optionally; there are some extra linking steps required that make it
difficult to enable by default.
| -rw-r--r-- | configure.ac | 31 |
1 files changed, 23 insertions, 8 deletions
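--- a/configure.ac
+++ b/configure.ac
@@ -104,6 +104,11 @@ AC_ARG_ENABLE([hardening],
 [Disable options to frustrate memory corruption exploits])],
 [], [enable_hardening=yes])
 
+AC_ARG_ENABLE([windows-ssp],
+[AS_HELP_STRING([--enable-windows-ssp],
+[Enable building the stack smashing protection on
+Windows. This currently distributing libssp-0.dll.])])
+
 AC_DEFUN([CHECK_CFLAG], [
 AC_LANG_ASSERT(C)
 AC_MSG_CHECKING([if $saved_CC supports "$1"])
@@ -148,16 +153,26 @@ AS_IF([test "x$enable_hardening" = "xyes"], [
 # Enable read only relocations
 CHECK_LDFLAG([[-Wl,-z,relro]])
 CHECK_LDFLAG([[-Wl,-z,now]])
-])
 
-# Use stack-protector-strong if available; if not, fallback to
-# stack-protector-all which is considered to be overkill
-AS_IF([test "x$enable_hardening" = "xyes" -a "x$HOST_OS" != "xwin"], [
-CHECK_CFLAG([[-fstack-protector-strong]],
-CHECK_CFLAG([[-fstack-protector-all]],
-AC_MSG_WARN([compiler does not appear to support stack protection])
+# Windows security flags
+AS_IF([test "x$HOST_OS" = "xwin"], [
+CHECK_LDFLAG([[-Wl,--nxcompat]])
+CHECK_LDFLAG([[-Wl,--dynamicbase]])
+CHECK_LDFLAG([[-Wl,--high-entropy-va]])
+])
+
+# Use stack-protector-strong if available; if not, fallback to
+# stack-protector-all which is considered to be overkill
+AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [
+CHECK_CFLAG([[-fstack-protector-strong]],
+CHECK_CFLAG([[-fstack-protector-all]],
+AC_MSG_WARN([compiler does not appear to support stack protection])
+)
 )
-)
+AS_IF([test "x$HOST_OS" = "xwin"], [
+AC_SEARCH_LIBS([__stack_chk_guard],[ssp])
+])
+])
 ])
 
 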
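Review bot: The `AC_SEARCH_LIBS([__stack_chk_guard],[ssp])` call at the end of the stack-protector block has no action-if-not-found, so a Windows build configured with `--enable-windows-ssp` on a toolchain without libssp appears to pass configure and would presumably fail only later, at link time. Because the protection was requested explicitly, stopping in configure is clearer: `AC_SEARCH_LIBS([__stack_chk_guard],[ssp],[],[AC_MSG_ERROR([--enable-windows-ssp requires libssp])])`. For the same reason, the `AC_MSG_WARN` fallback when neither stack-protector flag is accepted may deserve to be an error on that path. The help string added in the first hunk reads `This currently distributing libssp-0.dll`, which looks like it is missing the word "requires". The enclosing `enable_hardening` AS_IF opens above this hunk, and the page has lost indentation, so the nesting described here is inferred from the bracket balance.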
