From c0a8ddc163859ec7cbfe42cc163cc0a863b017f4 Mon Sep 17 00:00:00 2001
From: Jim Barlow
Date: Tue, 23 Dec 2014 21:47:03 -0800
Subject: configure.ac: use executable hardening where available

Where available, enable stack smashing protection, fortify source, no-strict-overflow, and read-only relocations.

Many Linux distributions automatically enable most of these options. They are no-brainers. The difference introduced here is in asking for a few more aggressive options.

An option to disable the more aggressive options is provided (--disable-hardening). When set, configure will fall back to the default CFLAGS on the system - in many cases that will still be hardened. There is no point in going further than that.

Options enabled are:

-fstack-protector-strong is a relatively new GCC-4.9 feature that is supposed to give a better balance between performance and protection. -all is considered too aggressive, but was used in Chromium and other security critical systems until -strong became available. Follow their lead and use -strong when possible. clang 6.0 supports -all but not -strong.

_FORTIFY_SOURCE replaces certain unsafe C str* and mem* functions with more robust equivalents when the compiler can determine the length of the buffers involved.

-fno-strict-overflow instructs GCC to not make optimizations based on the assumption that signed arithmetic will wrap around on overflow (e.g. (short)0x7FFF + 1 == 0). This prevents the optimizer from doing some unexpected things. Further improvements should trap signed overflows and reduce the use of signed to refer to naturally unsigned quantities.

I did not set -fPIE (position independent executables). The critical function of Open/LibreSSL is as a library, not an executable.

Tested on Ubuntu Linux 14.04.1 LTS, OS X 10.10.1 with "make check".

The code added to m4/ is GPLv3 but con
Signed-off-by: Jim Barlow --- scripts/wrap-compiler-for-flag-check | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100755 scripts/wrap-compiler-for-flag-check diff --git a/scripts/wrap-compiler-for-flag-check b/scripts/wrap-compiler-for-flag-check new file mode 100755 index 0000000..6fa77f0 --- /dev/null +++ b/scripts/wrap-compiler-for-flag-check @@ -0,0 +1,25 @@ +#!/bin/sh + +# From kmcallister: +# https://github.com/kmcallister/autoharden/blob/efaf5a16612589808c276a11536ea9a47071f74b/scripts/wrap-compiler-for-flag-check + +# There is no way to make clang's "argument unused" warning fatal. So when +# configure checks for supported flags, it runs $CC, $CXX, $LD via this +# wrapper. +# +# Ideally the search string would also include 'clang: ' but this output might +# depend on clang's argv[0]. + +if out=`"$@" 2>&1`; then + echo "$out" + if echo "$out" | grep 'warning: argument unused' >/dev/null; then + echo "$0: found clang warning" + exit 1 + else + exit 0 + fi +else + code=$? + echo "$out" + exit $code +fi -- cgit v1.2.3-55-g6feb
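Review bot: The wrapper collapses the compiler's stderr into stdout (`out=\`"$@" 2>&1\`` followed by `echo "$out"`), so every diagnostic the real compiler wrote to stderr is replayed on stdout instead; anything that inspects the compiler's stderr during the flag probe (autoconf's conftest.err-based -Werror emulation, or a build log that separates the two streams) will see an always-empty stderr while the probe runs. Capture stderr to a temporary file and replay it with `>&2` (grepping that file for 'warning: argument unused'), and replay stdout separately. Two smaller points in the same block: `echo "$out"` is not portable for output that starts with `-n` or contains backslashes, and it prints a spurious empty line when the compiler was silent; `printf '%s' "$out"` avoids both. The diffstat also touches only scripts/wrap-compiler-for-flag-check, while the subject and message describe configure.ac and m4/ changes that are not in this patch; either those hunks are missing or the subject should describe the script alone.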