authorRiccardo Spagni <ric@spagni.net>2018-01-10 11:53:26 +0100
committerRiccardo Spagni <ric@spagni.net>2018-01-10 11:53:26 +0100
commitd08aee7a7eae23aaf35c1f129faa5a70d2f5510f (patch)
tree900362d33e020797fa6b2b7bafc87e9a39172b10 /CMakeLists.txt
parentMerge pull request #2990 (diff)
parentAdd misc hardening flags to the cmake machinery (diff)
downloadmonero-d08aee7a7eae23aaf35c1f129faa5a70d2f5510f.tar.xz
Merge pull request #2993
776b44f1 Add misc hardening flags to the cmake machinery (moneromooo-monero)
Diffstat (limited to 'CMakeLists.txt')
-rw-r--r--CMakeLists.txt90
1 files changed, 83 insertions, 7 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4d451f8ad..5b7d1bf77 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -27,6 +27,13 @@
# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
+list(INSERT CMAKE_MODULE_PATH 0
+ "${CMAKE_SOURCE_DIR}/cmake")
+include(CheckCCompilerFlag)
+include(CheckCXXCompilerFlag)
+include(CheckLinkerFlag)
+include(CheckLibraryExists)
+
if (IOS)
INCLUDE(CmakeLists_IOS.txt)
endif()
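Review bot: `include(CheckLinkerFlag)` has no comment saying where that module comes from; the `list(INSERT CMAKE_MODULE_PATH 0 ...)` just above suggests it is the project's own file under `cmake/`, which this page's diffstat (limited to CMakeLists.txt) does not show. CMake 3.18 and later ship a built-in module of the same name whose macro takes a language argument first, so the two-argument calls elsewhere in this commit depend on the project copy being found first. I would add `# CheckLinkerFlag: project module in cmake/, two-argument form` above the include. I would also consider `${CMAKE_CURRENT_LIST_DIR}/cmake` in place of `${CMAKE_SOURCE_DIR}/cmake`, so the path still resolves when this tree is built as a subdirectory of another project.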
@@ -48,6 +55,31 @@ function (die msg)
message(FATAL_ERROR "${BoldRed}${msg}${ColourReset}")
endfunction ()
+function (add_c_flag_if_supported flag var)
+ string(REPLACE "-" "_" supported ${flag}_c)
+ check_c_compiler_flag(${flag} ${supported})
+ if(${${supported}})
+ set(${var} "${${var}} ${flag}" PARENT_SCOPE)
+ endif()
+endfunction()
+
+function (add_cxx_flag_if_supported flag var)
+ string(REPLACE "-" "_" supported ${flag}_cxx)
+ check_cxx_compiler_flag(${flag} ${supported})
+ if(${${supported}})
+ set(${var} "${${var}} ${flag}" PARENT_SCOPE)
+ endif()
+endfunction()
+
+function (add_linker_flag_if_supported flag var)
+ string(REPLACE "-" "_" supported ${flag}_ld)
+ string(REPLACE "," "_" supported ${flag}_ld)
+ check_linker_flag(${flag} ${supported})
+ if(${${supported}})
+ set(${var} "${${var}} ${flag}" PARENT_SCOPE)
+ endif()
+endfunction()
+
if(NOT CMAKE_BUILD_TYPE)
set(CMAKE_BUILD_TYPE Release CACHE STRING "Build type" FORCE)
message(STATUS "Setting default build type: ${CMAKE_BUILD_TYPE}")
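Review bot: In `add_linker_flag_if_supported` the second `string(REPLACE ...)` reads `${flag}_ld` again, so it overwrites the result of the first call and the `-` characters stay in the result-variable name; it should chain on the previous output, `string(REPLACE "," "_" supported ${supported})`. All three helpers also test `if(${${supported}})`, which expands the cached result into the condition and relies on an empty expansion being false; `if(${supported})` tests the variable by name and reads more plainly. A short comment above each helper would help, stating that `var` names a space-separated flag string that is appended to in the caller's scope, since two later call sites pass a `*_SUPPORTED` name there. The trailing `if(NOT CMAKE_BUILD_TYPE)` block continues outside the hunk.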
@@ -210,11 +242,11 @@ endif()
if (BUILD_SHARED_LIBS)
message(STATUS "Building internal libraries with position independent code")
- set(PIC_FLAG "-fPIC")
add_definitions("-DBUILD_SHARED_LIBS")
else()
message(STATUS "Building internal libraries as static")
endif()
+set(PIC_FLAG "-fPIC")
if(MINGW)
string(REGEX MATCH "^[^/]:/[^/]*" msys2_install_path "${CMAKE_C_COMPILER}")
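Review bot: With `set(PIC_FLAG "-fPIC")` now unconditional, the status message "Building internal libraries with position independent code" in the `BUILD_SHARED_LIBS` branch no longer describes a difference between the two branches, and nothing says why static builds need PIC. Presumably it is there so that objects can be linked into the `-pie` executables this commit introduces; a comment such as `# all objects must be position independent so executables can be linked with -pie` would record that. The flag is also set regardless of compiler and platform, so it is worth confirming that Windows toolchains accept it without a warning, or using `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` and letting CMake pick the spelling. The `if(MINGW)` block continues outside the hunk.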
@@ -474,6 +506,52 @@ else()
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-strict-aliasing")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-strict-aliasing")
+ # if those don't work for your compiler, single it out where appropriate
+ if(CMAKE_BUILD_TYPE STREQUAL "Release")
+ set(C_SECURITY_FLAGS "${C_SECURITY_FLAGS} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1")
+ set(CXX_SECURITY_FLAGS "${CXX_SECURITY_FLAGS} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1")
+ endif()
+
+ # warnings
+ add_c_flag_if_supported(-Wformat C_SECURITY_FLAGS)
+ add_cxx_flag_if_supported(-Wformat CXX_SECURITY_FLAGS)
+ add_c_flag_if_supported(-Wformat-security C_SECURITY_FLAGS)
+ add_cxx_flag_if_supported(-Wformat-security CXX_SECURITY_FLAGS)
+
+ # -fstack-protector
+ add_c_flag_if_supported(-fstack-protector C_SECURITY_FLAGS)
+ add_cxx_flag_if_supported(-fstack-protector CXX_SECURITY_FLAGS)
+ add_c_flag_if_supported(-fstack-protector-strong C_SECURITY_FLAGS)
+ add_cxx_flag_if_supported(-fstack-protector-strong CXX_SECURITY_FLAGS)
+
+ # linker
+ if (NOT WIN32)
+ # Windows binaries die on startup with PIE
+ add_linker_flag_if_supported(-pie LD_SECURITY_FLAGS)
+ endif()
+ add_linker_flag_if_supported(-Wl,-z,relro LD_SECURITY_FLAGS)
+ add_linker_flag_if_supported(-Wl,-z,now LD_SECURITY_FLAGS)
+ add_linker_flag_if_supported(-Wl,-z,noexecstack noexecstack_SUPPORTED)
+ if (noexecstack_SUPPORTED)
+ set(LD_SECURITY_FLAGS "${LD_SECURITY_FLAGS} -Wl,-z,noexecstack")
+ set(LD_RAW_FLAGS ${LD_RAW_FLAGS} -z noexecstack)
+ endif()
+ add_linker_flag_if_supported(-Wl,-z,noexecheap noexecheap_SUPPORTED)
+ if (noexecheap_SUPPORTED)
+ set(LD_SECURITY_FLAGS "${LD_SECURITY_FLAGS} -Wl,-z,noexecheap")
+ set(LD_RAW_FLAGS ${LD_RAW_FLAGS} -z noexecheap)
+ endif()
+
+ # some windows linker bits
+ if (WIN32)
+ add_linker_flag_if_supported(-Wl,--dynamicbase LD_SECURITY_FLAGS)
+ add_linker_flag_if_supported(-Wl,--nxcompat LD_SECURITY_FLAGS)
+ endif()
+
+ message(STATUS "Using C security hardening flags: ${C_SECURITY_FLAGS}")
+ message(STATUS "Using C++ security hardening flags: ${CXX_SECURITY_FLAGS}")
+ message(STATUS "Using linker security hardening flags: ${LD_SECURITY_FLAGS}")
+
option(NO_AES "Explicitly disable AES support" ${NO_AES})
if(NO_AES)
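Review bot: `_FORTIFY_SOURCE` is added only when `CMAKE_BUILD_TYPE` is exactly `Release`, so other optimized configurations such as `RelWithDebInfo` or `MinSizeRel` are built without it; if that is not intended, the guard could be `if(CMAKE_BUILD_TYPE MATCHES "^(Release|RelWithDebInfo|MinSizeRel)$")`. A comment stating why level 1 is used rather than 2 would help whoever revisits this. Separately, the `noexecstack_SUPPORTED` and `noexecheap_SUPPORTED` calls pass those names as the helper's output variable, so on success they hold the flag string rather than a boolean. The following `if()` works only because a non-empty flag string is not a false constant, which deserves a comment like `# helper stores the flag text in *_SUPPORTED; any non-empty value means supported`. The enclosing `else()` branch starts and ends outside the hunk.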
@@ -502,8 +580,9 @@ else()
message(STATUS "AES support disabled")
endif()
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_FLAG} ${WARNINGS} ${C_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG}")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_CPP_FLAG} ${WARNINGS} ${CXX_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG}")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_FLAG} ${WARNINGS} ${C_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG} ${C_SECURITY_FLAGS}")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_CPP_FLAG} ${WARNINGS} ${CXX_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG} ${CXX_SECURITY_FLAGS}")
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${LD_SECURITY_FLAGS}")
# With GCC 6.1.1 the compiled binary malfunctions due to aliasing. Until that
# is fixed in the code (Issue #847), force compiler to be conservative.
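Review bot: `${LD_SECURITY_FLAGS}` is appended only to `CMAKE_EXE_LINKER_FLAGS`, so when `BUILD_SHARED_LIBS` is on the shared libraries are linked without `-z relro`, `-z now` or `-z noexecstack`. Those three apply to shared objects as well, while `-pie` does not. I would collect `-pie` in a separate variable used for executables only and append the remaining flags to `CMAKE_SHARED_LINKER_FLAGS` too. The enclosing `else()` branch starts and ends outside the hunk.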
@@ -590,6 +669,7 @@ else()
if(ANDROID AND NOT BUILD_GUI_DEPS STREQUAL "ON" OR IOS)
#From Android 5: "only position independent executables (PIE) are supported"
message(STATUS "Enabling PIE executable")
+ set(PIC_FLAG "")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIE")
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_CXX_FLAGS} -fPIE -pie")
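Review bot: The existing `set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_CXX_FLAGS} -fPIE -pie")` at the end of this hunk assigns rather than appends, so on Android and iOS it appears to discard the `${LD_SECURITY_FLAGS}` that this commit adds to `CMAKE_EXE_LINKER_FLAGS` earlier in the file (the hunk headers place that line before this one). If the hardening linker flags are meant to apply here, the line should keep the previous value, e.g. `set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${CMAKE_CXX_FLAGS} -fPIE -pie")`. The new `set(PIC_FLAG "")` likewise comes after `${PIC_FLAG}` has been expanded into `CMAKE_C_FLAGS` and `CMAKE_CXX_FLAGS`, so unless `PIC_FLAG` is read again below, `-fPIC` stays on the command line next to `-fPIE`; a comment naming the later consumer would make the intent clear. The `if(ANDROID ...)` block continues outside the hunk.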
@@ -782,11 +862,7 @@ option(BUILD_GUI_DEPS "Build GUI dependencies." OFF)
option(INSTALL_VENDORED_LIBUNBOUND "Install libunbound binary built from source vendored with this repo." OFF)
-include(CheckCCompilerFlag)
-
CHECK_C_COMPILER_FLAG(-std=c11 HAVE_C11)
-include(CheckLibraryExists)
-
check_library_exists(c memset_s "string.h" HAVE_MEMSET_S)
check_library_exists(c explicit_bzero "strings.h" HAVE_EXPLICIT_BZERO)