additional compiler hardening flags
Darren Tucker
dtucker at zip.com.au
Fri Mar 22 16:08:15 EST 2013
Hi all.
Any reason not to turn these on if the system supports them? They're
cheap but not free (a bit under 1% slower to run the complete regress
suite in a completely unscientific test).
They're based on info from these places:
https://wiki.ubuntu.com/ToolChain/CompilerFlags
http://wiki.debian.org/Hardening
http://www.gentoo.org/proj/en/hardened/gnu-stack.xml
and I've attempted to take the ones that make sense for openssh.
From my reading, -fPIE should be sufficient since we're not building a
shared library, however having -fPIC too does not seem to hurt.
Things in those pages that I don't think are needed:
-Wa,--noexecstack (don't have any assembler sources).
--param=ssp-buffer-size=4 (superseded by -fstack-protector-all)
Tests/comments/corrections welcome.
Index: Makefile.in
===================================================================
RCS file: /home/dtucker/openssh/cvs/openssh/Makefile.in,v
retrieving revision 1.336
diff -u -p -r1.336 Makefile.in
--- Makefile.in 7 Mar 2013 15:37:13 -0000 1.336
+++ Makefile.in 22 Mar 2013 02:42:20 -0000
@@ -383,7 +383,7 @@ uninstall:
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
- $(CC) $(CPPFLAGS) -o $@ $? \
+ $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $? \
$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
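Review bot: The modpipe rule now compiles with $(CFLAGS), but the posting does not say why. If the reason is that LDFLAGS can now carry -pie, so this object must be built with the matching -fPIE from CFLAGS, state that in the change description so the dependency between this line and the configure.ac additions is not lost.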
Index: aclocal.m4
===================================================================
RCS file: /home/dtucker/openssh/cvs/openssh/aclocal.m4,v
retrieving revision 1.8
diff -u -p -r1.8 aclocal.m4
--- aclocal.m4 20 May 2011 01:45:25 -0000 1.8
+++ aclocal.m4 22 Mar 2013 02:42:20 -0000
@@ -21,6 +21,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
)
}])
+dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
+dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
+dnl 'check_flag'.
+AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
+ AC_MSG_CHECKING([if $LD supports $1])
+ saved_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $1"
+ _define_flag="$2"
+ test "x$_define_flag" = "x" && _define_flag="$1"
+ AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
+ [ AC_MSG_RESULT([yes])
+ LDFLAGS="$saved_LDFLAGS $_define_flag"],
+ [ AC_MSG_RESULT([no])
+ LDFLAGS="$saved_LDFLAGS" ]
+ )
+}])
dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
dnl Does AC_EGREP_HEADER on 'header' for the string 'field'
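Review bot: The dnl header documents OSSH_CHECK_CFLAG_LINK while the AC_DEFUN directly below defines OSSH_CHECK_LDFLAG_LINK; the comment should use the defined name. The AC_MSG_CHECKING text says "$LD", but AC_LINK_IFELSE links through the compiler driver with $LDFLAGS, so the message would be more accurate naming $CC (and $LD may be empty at this point). The yes branch also only requires that the link succeeds, so a linker that prints a warning for an unknown -z keyword and carries on would be recorded as supporting it; consider treating linker warnings as failure in this test.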
Index: configure.ac
===================================================================
RCS file: /home/dtucker/openssh/cvs/openssh/configure.ac,v
retrieving revision 1.519
diff -u -p -r1.519 configure.ac
--- configure.ac 22 Mar 2013 01:49:15 -0000 1.519
+++ configure.ac 22 Mar 2013 04:45:37 -0000
@@ -138,6 +138,13 @@ if test "$GCC" = "yes" || test "$GCC" =
OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
+ OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
+ OSSH_CHECK_CFLAG_COMPILE([-fPIC])
+ OSSH_CHECK_CFLAG_COMPILE([-fPIE])
+ OSSH_CHECK_LDFLAG_LINK([-pie])
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
+ OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
AC_MSG_CHECKING([gcc version])
GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
case $GCC_VER in
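Review bot: -fPIE and -pie are probed independently, so a platform where one check passes and the other fails ends up with a mismatched pair (position-independent objects linked as an ordinary executable, or -pie applied to objects built without -fPIE). Make the -pie link test conditional on the -fPIE compile test succeeding and drop both if either fails. Adding -fPIC as well as -fPIE is redundant by the posting's own reading, so one of the two lines can go. -ftrapv also deserves a sentence in the description, since it changes run-time behaviour on signed overflow rather than only adding a mitigation.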
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
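An added example, not part of the original post or of OpenSSH: a Python check, read from the ELF headers, of whether the four link-time flags the patch probes for (-pie, -Wl,-z,relro, -Wl,-z,now, -Wl,-z,noexecstack) took effect in a built binary. `hardening_report` and `build_sample` are hypothetical names, the parser assumes a 64-bit little-endian ELF, and the sample images are constructed.

```python
import struct

# ELF constants (gABI and GNU extensions)
ET_DYN, PF_X = 3, 0x1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_report(elf: bytes) -> dict:
    """Report which of -pie, -z relro, -z now, -z noexecstack left a mark
    in a 64-bit little-endian ELF image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF")
    hdr = struct.unpack_from("<HHIQQQIHHHHHH", elf, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    # ET_DYN is also used by shared libraries; for an executable it means PIE.
    rep = {"pie": e_type == ET_DYN, "relro": False,
           "bind_now": False, "noexecstack": False}
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, base)
        if p_type == PT_GNU_RELRO:
            rep["relro"] = True
        elif p_type == PT_GNU_STACK:
            # A missing PT_GNU_STACK header is reported as not hardened.
            rep["noexecstack"] = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW
                        or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    rep["bind_now"] = True
    return rep

def build_sample(e_type, stack_flags, dyn_entries, relro=True):
    """Constructed input: ELF header, program headers and .dynamic only."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in [*dyn_entries, (DT_NULL, 0)])
    segs = [(PT_GNU_STACK, stack_flags, 0, 0)]
    if relro:
        segs.append((PT_GNU_RELRO, 4, 0, 0))
    segs.append((PT_DYNAMIC, 6, 64 + 56 * (len(segs) + 1), len(dyn)))
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, size, size, 8)
                     for t, f, off, size in segs)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    return ehdr + phdrs + dyn
```

A result with `relro` true and `bind_now` false is partial RELRO: the lazily bound part of the GOT stays writable. -ftrapv and -D_FORTIFY_SOURCE=2 leave no header field and are not covered by this check.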