Add compile-time hardening flags, and enable by default.

AlCutter · AlCutter · commit d8fdbcf6101d · 2015-09-08T11:28:03.000+01:00
diff --git a/.travis.yml b/.travis.yml
@@ -24,7 +24,7 @@ before_install:
  - wget https://github.com/ellzey/libevhtp/archive/1.2.10.zip -O /tmp/libevhtp-1.2.10.zip
  - unzip -d /tmp/ /tmp/libevhtp-1.2.10.zip
  - mkdir /tmp/libevhtp-1.2.10/build
- - pushd /tmp/libevhtp-1.2.10/build && cmake -DEVHTP_DISABLE_REGEX:STRING=ON .. && sudo make install; popd
+ - pushd /tmp/libevhtp-1.2.10/build && cmake -DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS="-fPIC" .. && sudo make install; popd
  - sudo pip install -r python/requirements.txt
  - sudo ln -s protobuf-java.jar /usr/share/java/protobuf.jar
  - mkdir -p $GOPATH/src/github.com/google
diff --git a/configure.ac b/configure.ac
@@ -7,6 +7,9 @@ AC_CONFIG_MACRO_DIRS([m4])
 AM_SILENT_RULES([yes])
 AC_LANG([C++])
 
+AC_ARG_ENABLE(hardening,
+              AS_HELP_STRING([--disable-hardening], [Use C++ compiler flags which produce a hardened binary]))
+
 GMOCK_DIR="${GMOCK_DIR=/usr/src/gmock}"
 AC_ARG_VAR([GMOCK_DIR], [directory containing Google Mock])
 GTEST_DIR="${GTEST_DIR="$GMOCK_DIR/gtest"}"
@@ -25,6 +28,25 @@ AC_CHECK_PROGS([ANT], [ant])
 
 PKG_CHECK_MODULES([json_c], [json-c])
 
+if test "x${enable_hardening}" != "xno"; then
+  common_harden_copts="-fstack-protector-all -fPIE -Wa,--noexecstack -Wformat -Wformat-security"
+  clang_harden_copts="-Qunused-arguments $common_harden_copts"
+  gcc_harden_copts="$common_harden_copts"
+  AS_CASE([$CXX],
+          [clang++], [AS_VAR_APPEND([CXXFLAGS], [" $clang_harden_copts"])],
+          [g++], [AS_VAR_APPEND([CXXFLAGS], [" $gcc_harden_copts"])],
+          [AC_MSG_FAILURE([Hardening enabled, but we don't have hardening flags for C++ compiler $CXX])])
+  AS_CASE([$CC],
+          [clang], [AS_VAR_APPEND([CFLAGS], [" $clang_harden_copts"])],
+          [gcc], [AS_VAR_APPEND([CFLAGS], [" $gcc_harden_copts"])],
+          [AC_MSG_FAILURE(["Hardening enabled, but we don't have hardening flags for C compiler $CC"])])
+  AS_VAR_APPEND([CPPFLAGS], [" -D_FORTIFY_SOURCE=2"])
+  AS_VAR_APPEND([LDFLAGS], [" -pie -Wl,-z,relro,-z,now"])
+  AC_DEFINE([ENABLE_HARDENING], [], [Hardening enabled.])
+else
+  AC_MSG_WARN([NOT building hardened binaries])
+fi
+
 # Checks for header files.
 AC_HEADER_RESOLV
 AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netinet/in.h stddef.h stdint.h stdlib.h string.h sys/socket.h sys/time.h unistd.h leveldb/filter_policy.h])
diff --git a/cpp/util/init.cc b/cpp/util/init.cc
@@ -10,6 +10,7 @@
 #include <unistd.h>
 
 #include "log/ct_extensions.h"
+#include "config.h"
 #include "version.h"
 
 using std::string;
@@ -36,6 +37,11 @@ void InitCT(int* argc, char** argv[]) {
   cert_trans::LoadCtExtensions();
 
   LOG(INFO) << "Build version: " << google::VersionString();
+#ifdef ENABLE_HARDENING
+  LOG(INFO) << "Binary built with hardening enabled.";
+#else
+  LOG(WARNING) << "Binary built with hardening DISABLED.";
+#endif
 }
 
 
