From 98b9009b24588639bd6416fa2545e4ad0dbbfff3 Mon Sep 17 00:00:00 2001
From: William Metcalf
Date: Wed, 11 Nov 2009 15:22:49 -0600
Subject: [PATCH] added --enable-gccprotect to optionally detect and enable compile time protections
---
configure.in | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/configure.in b/configure.in
index ce0bec36e5..1177dea1fd 100644
--- a/configure.in
+++ b/configure.in
@@ -55,7 +55,64 @@ AC_INIT(configure.in)
AC_FUNC_REALLOC
AC_CHECK_FUNCS([gettimeofday memset strcasecmp strchr strdup strerror strncasecmp strtol strtoul])
+#Enable support for gcc compile time security options. There is no great way to do detection of valid cflags that I have found
+#AX_CFLAGS_GCC_OPTION don't seem to do a better job than the code below and are a pain because of extra m4 files etc.
+#These flags seem to be supported on CentOS 5+, Ubuntu 8.04+, and FedoreCore 11+
+#Options are taken from https://wiki.ubuntu.com/CompilerFlags
+ AC_ARG_ENABLE(gccprotect,
+ [ --enable-gccprotect Detect and use gcc hardening options],
+ [ enable_gccprotect=yes
+ ])
+ if test "$enable_gccprotect" = "yes"; then
+ #buffer overflow protection
+ AC_MSG_CHECKING(for -fstack-protector)
+ TMPCFLAGS="${CFLAGS}"
+ CFLAGS="${CFLAGS} -fstack-protector"
+ AC_TRY_LINK(,,SECCFLAGS="${SECCFLAGS} -fstack-protector"
+ AC_MSG_RESULT(yes),
+ AC_MSG_RESULT(no))
+ CFLAGS="${TMPCFLAGS}"
+
+ #compile-time best-practices errors for certain libc functions, provides checks of buffer lengths and memory regions
+ AC_MSG_CHECKING(for -D_FORTIFY_SOURCE=2)
+ TMPCFLAGS="${CFLAGS}"
+ CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+ AC_TRY_COMPILE(,,SECCFLAGS="${SECCFLAGS} -D_FORTIFY_SOURCE=2"
+ AC_MSG_RESULT(yes),
+ AC_MSG_RESULT(no))
+ CFLAGS="${TMPCFLAGS}"
+
+ #compile-time warnings about misuse of format strings
+ AC_MSG_CHECKING(for -Wformat -Wformat-security)
+ TMPCFLAGS="${CFLAGS}"
+ CFLAGS="${CFLAGS} -Wformat -Wformat-security"
+ AC_TRY_COMPILE(,,SECCFLAGS="${SECCFLAGS} -Wformat -Wformat-security"
+ AC_MSG_RESULT(yes),
+ AC_MSG_RESULT(no))
+ CFLAGS="${TMPCFLAGS}"
+
+ #provides a read-only relocation table area in the final ELF
+ AC_MSG_CHECKING(for -z relro)
+ TMPLDFLAGS="${LDFLAGS}"
+ LDFLAGS="${LDFLAGS} -z relro"
+ AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z relro"
+ AC_MSG_RESULT(yes),
+ AC_MSG_RESULT(no))
+ LDFLAGS="${TMPLDFLAGS}"
+
+ #forces all relocations to be resolved at run-time
+ AC_MSG_CHECKING(for -z now)
+ TMPLDFLAGS="${LDFLAGS}"
+ LDFLAGS="${LDFLAGS} -z now"
+ AC_TRY_LINK(,,SECLDFLAGS="${SECLDFLAGS} -z now"
+ AC_MSG_RESULT(yes),
+ AC_MSG_RESULT(no))
+ LDFLAGS="${TMPLDFLAGS}"
+
+ CFLAGS="${CFLAGS} ${SECCFLAGS}"
+ LDFLAGS="${LDFLAGS} ${SECLDFLAGS}"
+ fi
#libpcre
AC_ARG_WITH(libpcre_includes,
[ --with-libpcre-includes=DIR libpcre include directory],
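Review bot: The `AC_ARG_ENABLE` action near the top of the hunk ignores `$enableval`, so `--disable-gccprotect` also sets `enable_gccprotect=yes` and switches the hardening flags on instead of off; `[ enable_gccprotect="$enableval" ]` gives the option its conventional enable/disable behaviour. The `-D_FORTIFY_SOURCE=2` probe is an `AC_TRY_COMPILE` of an empty program, which a plain preprocessor define effectively cannot fail, so it always reports yes even though fortification only takes effect when glibc's fortified headers are compiled with optimisation enabled; a comment such as `#no-op at -O0: needs -O1 or higher and a glibc with fortified headers` would stop the next reader from taking the yes as proof the binary is fortified. The flag set omits PIE (`-fPIE`/`-pie`), without which `-z relro -z now` harden the GOT while the executable itself still loads at a fixed address; if full ASLR for the daemon is the goal, a matching `AC_TRY_LINK` probe for PIE would complete the set. The five probe bodies are copies of the same save/append/try/restore sequence differing only in the flag and target variable, which a small m4 helper taking those two arguments would reduce to one line each.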