From 521e63529c42513c06a8caa27ef22e93a63e9c38 Mon Sep 17 00:00:00 2001
From: Matt Johnston
Date: Sat, 24 Jun 2017 00:42:20 +0800
Subject: set hardened compiler/linker flags by default

---
 configure.ac | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 63 insertions(+), 4 deletions(-)

(limited to 'configure.ac')

diff --git a/configure.ac b/configure.ac
index 6f55c71..5d792df 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,6 +19,7 @@ if test -z "$LD" ; then
 fi
 AC_SUBST(LD)
 
+# set compile flags prior to other tests
 if test -z "$OLDCFLAGS" && test "$GCC" = "yes"; then
 	AC_MSG_NOTICE(No \$CFLAGS set... using "-Os -W -Wall" for GCC)
 	CFLAGS="-Os -W -Wall -Wno-pointer-sign"
@@ -29,12 +30,70 @@ OLDCFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS -fno-strict-overflow"
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
 	[AC_MSG_RESULT(yes)],
-	[
-	AC_MSG_RESULT(no)
-	CFLAGS=$OLDCFLAGS
-	]
+	[AC_MSG_RESULT(no); CFLAGS="$OLDCFLAGS" ]
 	)
 
+hardenbuild=1
+AC_ARG_ENABLE(harden,
+	[  --disable-harden        Don't set hardened build flags],
+	[
+		if test "x$enableval" = "xno"; then
+			hardenbuild=0
+			AC_MSG_NOTICE(Disabling hardened build flags)
+		fi
+	], [])
+
+if test "$hardenbuild" -eq 1; then
+	AC_MSG_NOTICE(Checking for available hardened build flags:)
+	# pie
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-fPIE"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+		[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+		[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+		)
+	OLDLDFLAGS="$LDFLAGS"
+	TESTFLAGS="-Wl,-pie"
+	LDFLAGS="$LDFLAGS $TESTFLAGS"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+		[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+		[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+		)
+	# readonly elf relocation sections (relro)
+	OLDLDFLAGS="$LDFLAGS"
+	TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+	LDFLAGS="$LDFLAGS $TESTFLAGS"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+		[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+		[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+		)
+	# stack protector. -strong is good but only in gcc 4.9 or later
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-fstack-protector-strong"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+		[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+		[
+		CFLAGS="$OLDCFLAGS"
+		TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+		CFLAGS="$CFLAGS $TESTFLAGS"
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+			)
+		]
+		)
+	# FORTIFY_SOURCE
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-D_FORTIFY_SOURCE=2"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+		[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+		[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+		)
+fi
+
 # large file support is useful for scp
 AC_SYS_LARGEFILE
 
-- 
cgit v1.2.3
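Review bot: The two stack-protector probes (`-fstack-protector-strong` and the `-fstack-protector --param=ssp-buffer-size=4` fallback) use AC_COMPILE_IFELSE on an empty AC_LANG_PROGRAM, which only shows that the compiler accepts the option; a toolchain that accepts it but lacks the `__stack_chk_fail`/libssp runtime will pass the probe and then break at link time, and an empty main gives the compiler nothing to instrument, so even a link probe would not reference the canary symbols. Changing both probes to `AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <string.h>]], [[char buf[64]; strcpy(buf, "x"); return buf[0];]])],` exercises the canary path end to end before the flag is committed to CFLAGS. The `-D_FORTIFY_SOURCE=2` probe has the same shape and cannot fail at all, since any compiler accepts a preprocessor define, so it is added even when user-supplied CFLAGS carry `-O0` and glibc will only warn that fortification is inactive; that is better recorded than fixed, e.g. `# -D_FORTIFY_SOURCE only takes effect with optimisation and glibc-style headers; the compile test cannot detect either`. Passing `-Wl,-pie` rather than `-pie` hands the option straight to ld, so the gcc driver does not know a PIE is being built and may still select the non-PIC startup files; it seems likely the probe then either rejects the flag (silently losing PIE) or produces an executable with text relocations, so `TESTFLAGS="-pie"` would be worth trying first.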