diff --git a/changes/compileTimeHardening b/changes/compileTimeHardening
new file mode 100644
index 0000000000..9e90dd2147
--- /dev/null
+++ b/changes/compileTimeHardening
@@ -0,0 +1,12 @@
+Add two new configure flags:
+ --enable-gcc-hardening
+ This turns on gcc compile time hardening options. It ensures that
+ signed ints have defined behavior (-fwrapv), -D_FORTIFY_SOURCE=2 is
+ enabled (requiring -O2), stack smashing protection with canaries
+ (-fstack-protector-all), ASLR protection if supported by the kernel
+ (-fPIE, -pie). Additional security related warnings are enabled.
+ Verified as working on Mac OS X and Debian Lenny.
+
+ --enable-linker-hardening
+ This turns on ELF specific hardening features (relro, now). This does
+ not work with Mac OS X or any other non-ELF binary format.
diff --git a/configure.in b/configure.in
index 10e509d3c5..07b3ff423b 100644
--- a/configure.in
+++ b/configure.in
@@ -90,6 +90,27 @@ AC_ARG_ENABLE(gcc-warnings,
 AC_ARG_ENABLE(gcc-warnings-advisory,
 AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror]))
+dnl Adam shostack suggests the following for Windows:
+dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
+dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
+dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
+AC_ARG_ENABLE(gcc-hardening,
+ AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks),
+[if test x$enableval = xyes; then
+ CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
+ CFLAGS+=" -fwrapv -fPIE -Wstack-protector -Wformat -Wformat-security"
+ CFLAGS+=" -Wpointer-sign"
+ LDFLAGS+=" -pie"
+fi])
+
+dnl Linker hardening options
+dnl Currently these options are ELF specific - you can't use this with MacOSX
+AC_ARG_ENABLE(linker-hardening,
+ AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups),
+[if test x$enableval = xyes; then
+ LDFLAGS+=" -z relro -z now"
+fi])
+
 AC_ARG_ENABLE(local-appdata,
 AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
 if test "$enable_local_appdata" = "yes"; then
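Review bot: The `CFLAGS+=` and `LDFLAGS+=` appends in both new AC_ARG_ENABLE bodies are a bash extension; the generated configure runs under /bin/sh, and a POSIX shell such as dash does not parse `NAME+=value` as an assignment, so those lines would be executed as a (missing) command and every flag after the first `CFLAGS="$CFLAGS ..."` line would be dropped without configure failing. That leaves a build that reports itself hardened but carries only `-D_FORTIFY_SOURCE=2 -fstack-protector-all`, with no `-fPIE`/`-pie` and no relro/now. Use the portable form the first line already uses: `CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector -Wformat -Wformat-security -Wpointer-sign"`, `LDFLAGS="$LDFLAGS -pie"`, and `LDFLAGS="$LDFLAGS -z relro -z now"`. The dnl comment states that _FORTIFY_SOURCE=2 needs -O2, yet the hunk neither adds nor checks for optimization, so a configure run with unoptimized CFLAGS presumably gets no fortification at all (glibc only warns); either append `-O2` in the same branch or make the flag conditional on it.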