diff options
| author | Jim Barlow <jim@purplerock.ca> | 2014-12-23 05:24:24 -0800 |
|---|---|---|
| committer | Jim Barlow <jim@purplerock.ca> | 2014-12-23 05:24:24 -0800 |
| commit | a6c072343a8d0beb232b3dc71cf0f5db81fa6629 (patch) | |
| tree | 2356dc497f100b2e82dbc2846079a8b9f72ecfa7 /configure.ac | |
| parent | 164f684eb8e4ebe31d0f9d0603dc25533fa43c5b (diff) | |
| download | portable-a6c072343a8d0beb232b3dc71cf0f5db81fa6629.tar.gz portable-a6c072343a8d0beb232b3dc71cf0f5db81fa6629.tar.bz2 portable-a6c072343a8d0beb232b3dc71cf0f5db81fa6629.zip | |
configure.ac: use executable hardening where available
Where available, enable stack smashing protection, fortify source,
no-strict-overflow, and read only relocations.
Many Linux distributions automatically enable most of these options.
They are no brainers. The difference introduced here is in asking for a
few more aggressive options. An option to disable the more aggressive
options is provided (--disable-hardening). When set, configure will fall
back to the default CFLAGS on the system - in many cases that will still
be hardened. There is no point in going further than that.
Options enabled are:
-fstack-protector-strong is a relatively new GCC-4.9 feature that is
supposed to give a better balance between performance and protection.
-all is considered too aggressive, but was used in Chromium and other
security critical systems until -strong became available. Follow their
lead and use -strong when possible. clang 6.0 supports -all but not
-strong.
_FORTIFY_SOURCE replaces certain unsafe C str* and mem* functions with
more robust equivalents when the compiler can determine the length of
the buffers involved.
-fno-strict-overflow instructs GCC to not make optimizations based on
the assumption that signed arithmetic will wrap around on overflow (e.g.
(short)0x7FFF + 1 == 0). This prevents the optimizer from doing some
unexpected things. Further improvements should trap signed overflows and
reduce the use of signed to refer to naturally unsigned quantities.
I did not set -fPIE (position independent executables). The critical
function of Open/LibreSSL is as a library, not an executable.
Tested on Ubuntu Linux 14.04.1 LTS, OS X 10.10.1 with "make check".
Signed-off-by: Jim Barlow <jim@purplerock.ca>
Diffstat (limited to 'configure.ac')
| -rw-r--r-- | configure.ac | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac index 9174a64..3d93d12 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -74,6 +74,68 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[ | |||
| 74 | ) | 74 | ) |
| 75 | AC_MSG_RESULT([CLANG]) | 75 | AC_MSG_RESULT([CLANG]) |
| 76 | 76 | ||
| 77 | # We want to check for compiler flag support, but there is no way to make | ||
| 78 | # clang's "argument unused" warning fatal. So we invoke the compiler through a | ||
| 79 | # wrapper script that greps for this message. | ||
| 80 | saved_CC="$CC" | ||
| 81 | saved_LD="$LD" | ||
| 82 | flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check" | ||
| 83 | CC="$flag_wrap $CC" | ||
| 84 | LD="$flag_wrap $LD" | ||
| 85 | |||
| 86 | AC_DEFUN([check_cflag], | ||
| 87 | [AX_CHECK_COMPILE_FLAG([$1], [$2], [$3], [-Werror $4])]) | ||
| 88 | AC_DEFUN([check_ldflag], | ||
| 89 | [AX_CHECK_LINK_FLAG([$1], [$2], [$3], [-Werror $4])]) | ||
| 90 | |||
| 91 | |||
| 92 | AC_ARG_ENABLE([hardening], | ||
| 93 | [AS_HELP_STRING([--disable-hardening], [Disable options to frustrate memory corruption exploits])], | ||
| 94 | [], | ||
| 95 | [enable_hardening=yes]) | ||
| 96 | |||
| 97 | HARDEN_CFLAGS="" | ||
| 98 | HARDEN_LDFLAGS="" | ||
| 99 | AS_IF([test "x$enable_hardening" == "xyes"], [ | ||
| 100 | # Tell GCC to NOT optimize based on signed arithmetic overflow | ||
| 101 | check_cflag([-fno-strict-overflow], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fno-strict-overflow"]) | ||
| 102 | |||
| 103 | # _FORTIFY_SOURCE replaces builtin functions with safer versions. | ||
| 104 | check_cflag([-D_FORTIFY_SOURCE=2], | ||
| 105 | [HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"]) | ||
| 106 | |||
| 107 | # Use stack-protector-strong if available; if not, fallback to stack-protector-all which | ||
| 108 | # is considered to be overkill | ||
| 109 | check_cflag([-fstack-protector-strong], | ||
| 110 | [STACK_PROTECT="-fstack-protector-strong"], | ||
| 111 | check_cflag([-fstack-protector-all], | ||
| 112 | [STACK_PROTECT="-fstack-protector-all"], | ||
| 113 | [AC_MSG_ERROR([compiler does not support stack protection - use --disable-hardening to override if you understand the risks])] | ||
| 114 | ) | ||
| 115 | ) | ||
| 116 | |||
| 117 | check_ldflag([$STACK_PROTECT], | ||
| 118 | [HARDEN_CFLAGS="$HARDEN_CFLAGS $STACK_PROTECT" | ||
| 119 | check_cflag([-Wstack-protector], [HARDEN_CFLAGS="$HARDEN_CFLAGS -Wstack-protector"], | ||
| 120 | [], [$STACK_PROTECT]) | ||
| 121 | ], | ||
| 122 | [AC_MSG_ERROR([compiler supports stack protection but linker does not])] | ||
| 123 | ) | ||
| 124 | |||
| 125 | # Enable read only relocations | ||
| 126 | check_ldflag([-Wl,-z,relro], | ||
| 127 | [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro" | ||
| 128 | check_ldflag([-Wl,-z,now], [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])]) | ||
| 129 | ]) | ||
| 130 | |||
| 131 | # Restore CC, LD | ||
| 132 | CC="$saved_CC" | ||
| 133 | LD="$saved_LD" | ||
| 134 | |||
| 135 | CFLAGS="$CFLAGS $HARDEN_CFLAGS" | ||
| 136 | LDFLAGS="$LDFLAGS $HARDEN_LDFLAGS" | ||
| 137 | |||
| 138 | # Removing the dependency on -Wno-pointer-sign should be a goal | ||
| 77 | save_cflags="$CFLAGS" | 139 | save_cflags="$CFLAGS" |
| 78 | CFLAGS=-Wno-pointer-sign | 140 | CFLAGS=-Wno-pointer-sign |
| 79 | AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign]) | 141 | AC_MSG_CHECKING([whether CC supports -Wno-pointer-sign]) |