author | Christian Grothoff <christian@grothoff.org> | 2019-08-09 10:08:20 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2019-08-09 10:08:20 +0200 |
commit | 316f6ab358269d73e62b340b6cd62597290a498b (patch) | |
tree | c856872f8d39a982e659e2f23e19664b4b9b6020 | |
parent | b84ee1fa41c53c43aa7ed1583c36af5cb7c77a0f (diff) | |
download | libmicrohttpd-316f6ab358269d73e62b340b6cd62597290a498b.tar.gz libmicrohttpd-316f6ab358269d73e62b340b6cd62597290a498b.zip |
add compiler/linker hardening
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | configure.ac | 30 |
2 files changed, 33 insertions, 1 deletions
@@ -1,3 +1,7 @@ | |||
1 | Fri 09 Aug 2019 10:07:27 AM CEST | ||
2 | Copy compiler and linker hardening flags from GNUnet (updating | ||
3 | configure.ac). -CG | ||
4 | |||
1 | Thu 01 Aug 2019 01:23:36 PM CEST | 5 | Thu 01 Aug 2019 01:23:36 PM CEST |
2 | Releasing libmicrohttpd 0.9.66. -CG | 6 | Releasing libmicrohttpd 0.9.66. -CG |
3 | 7 | ||
diff --git a/configure.ac b/configure.ac index 5292798a..086481a2 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -81,6 +81,34 @@ AM_CONDITIONAL([HAVE_PO], [ test "$have_po" = yes ]) | |||
81 | 81 | ||
82 | 82 | ||
83 | 83 | ||
84 | |||
85 | # Adam shostack suggests the following for Windows: | ||
86 | # -D_FORTIFY_SOURCE=2 -fstack-protector-all | ||
87 | AC_ARG_ENABLE(gcc-hardening, | ||
88 | AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks), | ||
89 | [AS_IF([test x$enableval = xyes],[ | ||
90 | CFLAGS="$CFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-all" | ||
91 | CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector" | ||
92 | CFLAGS="$CFLAGS --param ssp-buffer-size=1" | ||
93 | LDFLAGS="$LDFLAGS -pie" | ||
94 | ])]) | ||
95 | |||
96 | # Linker hardening options | ||
97 | # Currently these options are ELF specific - you can't use this with MacOSX | ||
98 | AC_ARG_ENABLE(linker-hardening, | ||
99 | AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups), | ||
100 | [AS_IF([test x$enableval = xyes], | ||
101 | [LDFLAGS="$LDFLAGS -z relro -z now"])]) | ||
102 | |||
103 | |||
104 | AC_ARG_ENABLE(sanitizer, | ||
105 | AS_HELP_STRING(--enable-sanitizer, enable Address Sanitizer and Undefined Behavior Sanitizer), | ||
106 | [AS_IF([test x$enableval = xyes],[ | ||
107 | LDFLAGS="$CFLAGS -fsanitize=address,undefined -fno-omit-frame-pointer" | ||
108 | ])]) | ||
109 | |||
110 | |||
111 | |||
84 | # Workaround for libgcrypt | 112 | # Workaround for libgcrypt |
85 | AS_IF([[test "x$lt_sysroot" != "x" && test "x$SYSROOT" = "x"]], [[SYSROOT="$lt_sysroot"]]) | 113 | AS_IF([[test "x$lt_sysroot" != "x" && test "x$SYSROOT" = "x"]], [[SYSROOT="$lt_sysroot"]]) |
86 | 114 | ||
@@ -790,7 +818,7 @@ AC_INCLUDES_DEFAULT | |||
790 | ] | 818 | ] |
791 | ) | 819 | ) |
792 | 820 | ||
793 | AC_CHECK_MEMBERS([struct sockaddr_in.sin_len, struct sockaddr_in6.sin6_len, | 821 | AC_CHECK_MEMBERS([struct sockaddr_in.sin_len, struct sockaddr_in6.sin6_len, |
794 | struct sockaddr_storage.ss_len], | 822 | struct sockaddr_storage.ss_len], |
795 | [], [], | 823 | [], [], |
796 | [ | 824 | [ |
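Review bot: In the `--enable-sanitizer` branch (new line 107) the assignment reads `LDFLAGS="$CFLAGS -fsanitize=address,undefined -fno-omit-frame-pointer"`, which overwrites LDFLAGS with the compiler flags instead of appending to each variable. As written, CFLAGS never receives `-fsanitize`, so objects are presumably compiled without instrumentation, and any LDFLAGS set earlier, including the `-pie` and `-z relro -z now` added by the two hardening options just above, are discarded when the sanitizer is enabled with them. I would change it to `CFLAGS="$CFLAGS -fsanitize=address,undefined -fno-omit-frame-pointer"` followed by `LDFLAGS="$LDFLAGS -fsanitize=address,undefined"`. Separately, the three `test x$enableval = xyes` checks leave `$enableval` unquoted, and none of the flags is probed against the compiler or linker before being appended, so a toolchain that rejects one of them fails later in the build rather than at the option. A short comment naming the toolchains these options were verified on would help.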