| field | value | date |
|---|---|---|
| author | Jim Barlow <jim@purplerock.ca> | 2014-12-23 21:47:03 -0800 |
| committer | Jim Barlow <jim@purplerock.ca> | 2014-12-23 21:47:03 -0800 |
| commit | c0a8ddc163859ec7cbfe42cc163cc0a863b017f4 (patch) | |
| tree | 8c7c045a8169f17153a035b9956f0e94c5b29520 | |
| parent | a6c072343a8d0beb232b3dc71cf0f5db81fa6629 (diff) | |
| download | portable-c0a8ddc163859ec7cbfe42cc163cc0a863b017f4.tar.gz, portable-c0a8ddc163859ec7cbfe42cc163cc0a863b017f4.tar.bz2, portable-c0a8ddc163859ec7cbfe42cc163cc0a863b017f4.zip | |
configure.ac: use executable hardening where available
Where available, enable stack smashing protection, fortify source,
no-strict-overflow, and read only relocations.
Many Linux distributions automatically enable most of these options.
They are no-brainers. The difference introduced here is in asking for a
few more aggressive options. An option to disable the more aggressive
options is provided (--disable-hardening). When set, configure will fall
back to the default CFLAGS on the system - in many cases that will still
be hardened. There is no point in going further than that.
Options enabled are:
-fstack-protector-strong is a relatively new GCC-4.9 feature that is
supposed to give a better balance between performance and protection.
-all is considered too aggressive, but was used in Chromium and other
security critical systems until -strong became available. Follow their
lead and use -strong when possible. clang 6.0 supports -all but not
-strong.
_FORTIFY_SOURCE replaces certain unsafe C str* and mem* functions with
more robust equivalents when the compiler can determine the length of
the buffers involved.
-fno-strict-overflow instructs GCC to not make optimizations based on
the assumption that signed arithmetic will wrap around on overflow (e.g.
(short)0x7FFF + 1 == 0). This prevents the optimizer from doing some
unexpected things. Further improvements should trap signed overflows and
reduce the use of signed to refer to naturally unsigned quantities.
I did not set -fPIE (position independent executables). The critical
function of Open/LibreSSL is as a library, not an executable.
Tested on Ubuntu Linux 14.04.1 LTS, OS X 10.10.1 with "make check".
The code added to m4/ is GPLv3 but con
Signed-off-by: Jim Barlow <jim@purplerock.ca>
-rwxr-xr-x | scripts/wrap-compiler-for-flag-check | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/scripts/wrap-compiler-for-flag-check b/scripts/wrap-compiler-for-flag-check new file mode 100755 index 0000000..6fa77f0 --- /dev/null +++ b/scripts/wrap-compiler-for-flag-check | |||
@@ -0,0 +1,25 @@ | |||
1 | #!/bin/sh | ||
2 | |||
3 | # From kmcallister: | ||
4 | # https://github.com/kmcallister/autoharden/blob/efaf5a16612589808c276a11536ea9a47071f74b/scripts/wrap-compiler-for-flag-check | ||
5 | |||
6 | # There is no way to make clang's "argument unused" warning fatal. So when | ||
7 | # configure checks for supported flags, it runs $CC, $CXX, $LD via this | ||
8 | # wrapper. | ||
9 | # | ||
10 | # Ideally the search string would also include 'clang: ' but this output might | ||
11 | # depend on clang's argv[0]. | ||
12 | |||
13 | if out=`"$@" 2>&1`; then | ||
14 | echo "$out" | ||
15 | if echo "$out" | grep 'warning: argument unused' >/dev/null; then | ||
16 | echo "$0: found clang warning" | ||
17 | exit 1 | ||
18 | else | ||
19 | exit 0 | ||
20 | fi | ||
21 | else | ||
22 | code=$? | ||
23 | echo "$out" | ||
24 | exit $code | ||
25 | fi | ||
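Review bot: the success branch (lines 14-20) echoes `$out` unconditionally, so a compiler that printed nothing still emits an empty line, and because line 13 merged stderr into stdout with `2>&1`, any genuine warnings are forwarded on stdout rather than stderr, which loses the stream distinction in config.log. Guard it with `[ -n "$out" ] && echo "$out"`, and consider printing the matching line alongside `$0: found clang warning` on line 16 so a rejected flag can be identified from config.log without re-running the check by hand.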