additional compiler hardening flags
Darren Tucker
dtucker at zip.com.au
Thu Apr 18 21:44:28 EST 2013
On Thu, Apr 18, 2013 at 08:13:26PM +1000, Darren Tucker wrote:
> On Thu, Apr 18, 2013 at 11:29:55AM +0200, Corinna Vinschen wrote:
> > Sounds good to me, but wouldn't it be simpler to add -Werror by default
> > in OSSH_CHECK_CFLAG_COMPILE and OSSH_CHECK_CFLAG_LINK?
>
> I considered that, but I was concerned it may mis-detect some of the other
> options for compilers that aren't gcc, but identify themselves as such
> enough that configure thinks they are and sets $GCC (eg clang, intelcc).
> I guess we could check for -Werror too before using it.
Like so.
Index: Makefile.in
===================================================================
RCS file: /var/cvs/openssh/Makefile.in,v
retrieving revision 1.337
diff -u -p -r1.337 Makefile.in
--- Makefile.in 22 Mar 2013 17:14:33 -0000 1.337
+++ Makefile.in 18 Apr 2013 11:41:27 -0000
@@ -385,7 +385,7 @@ regress/modpipe$(EXEEXT): $(srcdir)/regr
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
- $(CC) $(CPPFLAGS) -o $@ $? \
+ $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $? \
$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
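Review bot: The rewritten compile line still passes `$?` as its input list, and make expands that to only the prerequisites that are newer than the target. If this rule has any prerequisite besides the modpipe source (the rule header is cut off in the hunk, so that is not visible here), a rebuild triggered by the other prerequisite would run the compiler without the source file, or with the wrong inputs. Spelling out the source path on the command line avoids depending on which prerequisite happened to change.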
Index: aclocal.m4
===================================================================
RCS file: /var/cvs/openssh/aclocal.m4,v
retrieving revision 1.8
diff -u -p -r1.8 aclocal.m4
--- aclocal.m4 20 May 2011 01:45:25 -0000 1.8
+++ aclocal.m4 18 Apr 2013 11:41:27 -0000
@@ -10,7 +10,7 @@ dnl 'check_flag'.
AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
AC_MSG_CHECKING([if $CC supports $1])
saved_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS $1"
+ CFLAGS="$CFLAGS $WERROR $1"
_define_flag="$2"
test "x$_define_flag" = "x" && _define_flag="$1"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
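Review bot: OSSH_CHECK_CFLAG_COMPILE now reads a shell variable, `$WERROR`, that the macro neither sets nor documents; it is assigned by the probe this patch adds to configure.ac. If the macro is ever expanded before that probe runs, `$WERROR` is empty and the test quietly goes back to accepting flags the compiler only warns about. I would add a line to the macro's dnl header such as `dnl Uses $WERROR, set by configure.ac, so that a flag the compiler merely warns about is rejected.` The macro body continues past the end of this hunk.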
@@ -21,6 +21,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
)
}])
+dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
+dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
+dnl 'check_flag'.
+AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
+ AC_MSG_CHECKING([if $LD supports $1])
+ saved_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $WERROR $1"
+ _define_flag="$2"
+ test "x$_define_flag" = "x" && _define_flag="$1"
+ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
+ [ AC_MSG_RESULT([yes])
+ LDFLAGS="$saved_LDFLAGS $_define_flag"],
+ [ AC_MSG_RESULT([no])
+ LDFLAGS="$saved_LDFLAGS" ]
+ )
+}])
dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
dnl Does AC_EGREP_HEADER on 'header' for the string 'field'
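Review bot: Putting `$WERROR` into LDFLAGS in OSSH_CHECK_LDFLAG_LINK makes compiler warnings fatal but, as far as I can tell, not linker warnings, so a linker that warns about an unknown `-z` keyword and carries on would still yield `yes`, and the build would record a mitigation it does not have. Where the linker supports one, a fatal-warnings option for the link test (GNU ld has `-Wl,--fatal-warnings`), probed the same way as -Werror, would close that gap; inspecting the program headers of a built binary with `readelf -l` is the independent confirmation. Separately, the dnl header calls the macro OSSH_CHECK_CFLAG_LINK while the definition is OSSH_CHECK_LDFLAG_LINK, and the message names `$LD` although AC_LINK_IFELSE links through the compiler driver; `AC_MSG_CHECKING([if $CC supports linker flag $1])` would be more accurate.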
Index: configure.ac
===================================================================
RCS file: /var/cvs/openssh/configure.ac,v
retrieving revision 1.520
diff -u -p -r1.520 configure.ac
--- configure.ac 18 Apr 2013 11:36:20 -0000 1.520
+++ configure.ac 18 Apr 2013 11:41:27 -0000
@@ -121,12 +121,31 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [ha
#include <linux/prctl.h>
])
use_stack_protector=1
+use_toolchain_hardening=1
AC_ARG_WITH([stackprotect],
[ --without-stackprotect Don't use compiler's stack protection], [
if test "x$withval" = "xno"; then
use_stack_protector=0
fi ])
+AC_ARG_WITH([hardening],
+ [ --without-hardening Don't use toolchain hardening flags], [
+ if test "x$withval" = "xno"; then
+ use_stack_protector=0
+ use_toolchain_hardening=0
+ fi ])
+# We use -Werror for the tests only so that we catch warnings like "this is
+# on by default" for things like -fPIE.
+AC_MSG_CHECKING([if $CC supports -Werror])
+saved_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -Werror"
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
+ [ AC_MSG_RESULT([yes])
+ WERROR="-Werror"],
+ [ AC_MSG_RESULT([no])
+ WERROR="" ]
+)
+CFLAGS="$saved_CFLAGS"
if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
OSSH_CHECK_CFLAG_COMPILE([-Wall])
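Review bot: `--without-hardening` also clears `use_stack_protector` (the added `use_stack_protector=0` in the AC_ARG_WITH([hardening]) block), but its help string only says "Don't use toolchain hardening flags". Because the hardening block is evaluated after the stackprotect one, `--with-stackprotect --without-hardening` still ends with the stack protector off, and nothing in configure's output says so. I would state it in the help text, e.g. `--without-hardening  Don't use toolchain hardening flags (implies --without-stackprotect)`, or drop the `use_stack_protector=0` line so the two options stay independent.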
@@ -139,6 +158,14 @@ if test "$GCC" = "yes" || test "$GCC" =
OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
+ if test "x$use_toolchain_hardening" = "x1"; then
+ OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
+ OSSH_CHECK_CFLAG_COMPILE([-fPIE])
+ OSSH_CHECK_LDFLAG_LINK([-pie])
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
+ fi
AC_MSG_CHECKING([gcc version])
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
case $GCC_VER in
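Review bot: `-fPIE` and `-pie` are probed independently, so a toolchain that accepts only one of them can end up with a mismatched pair: `-pie` in LDFLAGS with objects that were not compiled position-independent, or `-fPIE` objects linked into a fixed-address executable that gains nothing from ASLR for the main image. Gating the link flag on the compile flag keeps them together, for example `case " $CFLAGS " in *" -fPIE "*) OSSH_CHECK_LDFLAG_LINK([-pie]) ;; esac`. `-ftrapv` differs in kind from the other flags here, since it changes runtime behaviour by aborting on signed overflow; a comment noting that availability trade-off for a long-running daemon would help whoever revisits this list. The enclosing `if test "$GCC"` block starts and ends outside this hunk.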
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.