aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2019-08-09 10:08:20 +0200
committerChristian Grothoff <christian@grothoff.org>2019-08-09 10:08:20 +0200
commit316f6ab358269d73e62b340b6cd62597290a498b (patch)
treec856872f8d39a982e659e2f23e19664b4b9b6020
parentb84ee1fa41c53c43aa7ed1583c36af5cb7c77a0f (diff)
downloadlibmicrohttpd-316f6ab358269d73e62b340b6cd62597290a498b.tar.gz
libmicrohttpd-316f6ab358269d73e62b340b6cd62597290a498b.zip
add compiler/linker hardnening
-rw-r--r--ChangeLog4
-rw-r--r--configure.ac30
2 files changed, 33 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 92161c6f..01889a7e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
1Fri 09 Aug 2019 10:07:27 AM CEST
2 Copy compiler and linker hardening flags from GNUnet (updating
3 configure.ac). -CG
4
1Thu 01 Aug 2019 01:23:36 PM CEST 5Thu 01 Aug 2019 01:23:36 PM CEST
2 Releasing libmicrohttpd 0.9.66. -CG 6 Releasing libmicrohttpd 0.9.66. -CG
3 7
diff --git a/configure.ac b/configure.ac
index 5292798a..086481a2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -81,6 +81,34 @@ AM_CONDITIONAL([HAVE_PO], [ test "$have_po" = yes ])
81 81
82 82
83 83
84
85# Adam shostack suggests the following for Windows:
86# -D_FORTIFY_SOURCE=2 -fstack-protector-all
87AC_ARG_ENABLE(gcc-hardening,
88 AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks),
89[AS_IF([test x$enableval = xyes],[
90 CFLAGS="$CFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-all"
91 CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
92 CFLAGS="$CFLAGS --param ssp-buffer-size=1"
93 LDFLAGS="$LDFLAGS -pie"
94 ])])
95
96# Linker hardening options
97# Currently these options are ELF specific - you can't use this with MacOSX
98AC_ARG_ENABLE(linker-hardening,
99 AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups),
100[AS_IF([test x$enableval = xyes],
101 [LDFLAGS="$LDFLAGS -z relro -z now"])])
102
103
104AC_ARG_ENABLE(sanitizer,
105 AS_HELP_STRING(--enable-sanitizer, enable Address Sanitizer and Undefined Behavior Sanitizer),
106[AS_IF([test x$enableval = xyes],[
107 LDFLAGS="$CFLAGS -fsanitize=address,undefined -fno-omit-frame-pointer"
108 ])])
109
110
111
84# Workaround for libgcrypt 112# Workaround for libgcrypt
85AS_IF([[test "x$lt_sysroot" != "x" && test "x$SYSROOT" = "x"]], [[SYSROOT="$lt_sysroot"]]) 113AS_IF([[test "x$lt_sysroot" != "x" && test "x$SYSROOT" = "x"]], [[SYSROOT="$lt_sysroot"]])
86 114
@@ -790,7 +818,7 @@ AC_INCLUDES_DEFAULT
790 ] 818 ]
791) 819)
792 820
793AC_CHECK_MEMBERS([struct sockaddr_in.sin_len, struct sockaddr_in6.sin6_len, 821AC_CHECK_MEMBERS([struct sockaddr_in.sin_len, struct sockaddr_in6.sin6_len,
794 struct sockaddr_storage.ss_len], 822 struct sockaddr_storage.ss_len],
795 [], [], 823 [], [],
796 [ 824 [