diff options
| author | Brent Cook <bcook@openbsd.org> | 2015-02-24 19:39:16 -0600 |
|---|---|---|
| committer | Brent Cook <bcook@openbsd.org> | 2015-02-24 19:39:16 -0600 |
| commit | ab0d3e54a221b8959582459bbd1ff6fd2f08f9f0 (patch) | |
| tree | 9f1b317fa75f852e65d63e3c880418deca1e876b /configure.ac | |
| parent | 347c03d3a02e63775ec6b0c3aa94aef2b41f599d (diff) | |
| download | portable-ab0d3e54a221b8959582459bbd1ff6fd2f08f9f0.tar.gz portable-ab0d3e54a221b8959582459bbd1ff6fd2f08f9f0.tar.bz2 portable-ab0d3e54a221b8959582459bbd1ff6fd2f08f9f0.zip | |
add windows-specific hardening options
This enables DEP and ALSR capabilities. Stack protection is enabled
optionally, there are some extra linking steps required that make it
difficult to enable by default.
Diffstat (limited to 'configure.ac')
| -rw-r--r-- | configure.ac | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/configure.ac b/configure.ac index 9212fb7..81433c8 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -104,6 +104,11 @@ AC_ARG_ENABLE([hardening], | |||
| 104 | [Disable options to frustrate memory corruption exploits])], | 104 | [Disable options to frustrate memory corruption exploits])], |
| 105 | [], [enable_hardening=yes]) | 105 | [], [enable_hardening=yes]) |
| 106 | 106 | ||
| 107 | AC_ARG_ENABLE([windows-ssp], | ||
| 108 | [AS_HELP_STRING([--enable-windows-ssp], | ||
| 109 | [Enable building the stack smashing protection on | ||
| 110 | Windows. This currently distributing libssp-0.dll.])]) | ||
| 111 | |||
| 107 | AC_DEFUN([CHECK_CFLAG], [ | 112 | AC_DEFUN([CHECK_CFLAG], [ |
| 108 | AC_LANG_ASSERT(C) | 113 | AC_LANG_ASSERT(C) |
| 109 | AC_MSG_CHECKING([if $saved_CC supports "$1"]) | 114 | AC_MSG_CHECKING([if $saved_CC supports "$1"]) |
| @@ -148,16 +153,26 @@ AS_IF([test "x$enable_hardening" = "xyes"], [ | |||
| 148 | # Enable read only relocations | 153 | # Enable read only relocations |
| 149 | CHECK_LDFLAG([[-Wl,-z,relro]]) | 154 | CHECK_LDFLAG([[-Wl,-z,relro]]) |
| 150 | CHECK_LDFLAG([[-Wl,-z,now]]) | 155 | CHECK_LDFLAG([[-Wl,-z,now]]) |
| 151 | ]) | ||
| 152 | 156 | ||
| 153 | # Use stack-protector-strong if available; if not, fallback to | 157 | # Windows security flags |
| 154 | # stack-protector-all which is considered to be overkill | 158 | AS_IF([test "x$HOST_OS" = "xwin"], [ |
| 155 | AS_IF([test "x$enable_hardening" = "xyes" -a "x$HOST_OS" != "xwin"], [ | 159 | CHECK_LDFLAG([[-Wl,--nxcompat]]) |
| 156 | CHECK_CFLAG([[-fstack-protector-strong]], | 160 | CHECK_LDFLAG([[-Wl,--dynamicbase]]) |
| 157 | CHECK_CFLAG([[-fstack-protector-all]], | 161 | CHECK_LDFLAG([[-Wl,--high-entropy-va]]) |
| 158 | AC_MSG_WARN([compiler does not appear to support stack protection]) | 162 | ]) |
| 163 | |||
| 164 | # Use stack-protector-strong if available; if not, fallback to | ||
| 165 | # stack-protector-all which is considered to be overkill | ||
| 166 | AS_IF([test "x$enable_windows_ssp" = "xyes" -o "x$HOST_OS" != "xwin"], [ | ||
| 167 | CHECK_CFLAG([[-fstack-protector-strong]], | ||
| 168 | CHECK_CFLAG([[-fstack-protector-all]], | ||
| 169 | AC_MSG_WARN([compiler does not appear to support stack protection]) | ||
| 170 | ) | ||
| 159 | ) | 171 | ) |
| 160 | ) | 172 | AS_IF([test "x$HOST_OS" = "xwin"], [ |
| 173 | AC_SEARCH_LIBS([__stack_chk_guard],[ssp]) | ||
| 174 | ]) | ||
| 175 | ]) | ||
| 161 | ]) | 176 | ]) |
| 162 | 177 | ||
| 163 | 178 | ||