authorKonstantin Demin <rockdrilla@gmail.com>2019-03-25 21:40:59 +0300
committerHans Dedecker <dedeckeh@gmail.com>2019-03-25 22:25:33 +0100
commit9c3bfd0906398e9f508c4207bfb16b697e2f47be (patch)
tree9640b3490b85cb0de99aaeece2cd5a8698514b3b
parenta1099edf32cac9e35b6635f81d356ed20d46a534 (diff)
dropbear: fix hardening flags during configure
compiler complains about messed up CFLAGS in build log: <command-line>: warning: "_FORTIFY_SOURCE" redefined <command-line>: note: this is the location of the previous definition and then linker fails: mips-openwrt-linux-musl-gcc [...] -o dropbearmulti [...] collect2: fatal error: ld terminated with signal 11 [Segmentation fault] compilation terminated. /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans0.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans1.ltrans.o: relocation R_MIPS_HI16 against `ses' can not be used when making a shared object; recompile with -fPIC /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans2.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550 [...] /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550 make[3]: *** [Makefile:198: dropbearmulti] Error 1 make[3]: *** Deleting file 'dropbearmulti' make[3]: Leaving directory '/build_dir/target-mips_24kc_musl/dropbear-2018.76' make[2]: *** [Makefile:158: /build_dir/target-mips_24kc_musl/dropbear-2018.76/.built] Error 2 make[2]: Leaving directory '/package/network/services/dropbear' This FTBFS issue was caused by hardening flags set up by dropbear's configure script. By default, Dropbear offers hardening via CFLAGS and LDFLAGS, but this may break or confuse OpenWrt settings. 
Remove most of Dropbear's hardening settings in favour of a precise build, but preserve Spectre v2 mitigations: * -mfunction-return=thunk * -mindirect-branch=thunk Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
-rw-r--r--package/network/services/dropbear/patches/900-configure-hardening.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch
new file mode 100644
index 0000000000..ab1361f6ae
--- /dev/null
+++ b/package/network/services/dropbear/patches/900-configure-hardening.patch
@@ -0,0 +1,56 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+
+ if test "$hardenbuild" -eq 1; then
+ AC_MSG_NOTICE(Checking for available hardened build flags:)
+- # relocation flags don't make sense for static builds
+- if test "$STATIC" -ne 1; then
+- # pie
+- DB_TRYADDCFLAGS([-fPIE])
+-
+- OLDLDFLAGS="$LDFLAGS"
+- TESTFLAGS="-Wl,-pie"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [
+- LDFLAGS="$OLDLDFLAGS"
+- TESTFLAGS="-pie"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+- )
+- ]
+- )
+- # readonly elf relocation sections (relro)
+- OLDLDFLAGS="$LDFLAGS"
+- TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+- )
+- fi # non-static
+- # stack protector. -strong is good but only in gcc 4.9 or later
+- OLDCFLAGS="$CFLAGS"
+- TESTFLAGS="-fstack-protector-strong"
+- CFLAGS="$CFLAGS $TESTFLAGS"
+- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [
+- CFLAGS="$OLDCFLAGS"
+- TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+- CFLAGS="$CFLAGS $TESTFLAGS"
+- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+- )
+- ]
+- )
+- # FORTIFY_SOURCE
+- DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
+
+ # Spectre v2 mitigations
+ DB_TRYADDCFLAGS([-mfunction-return=thunk])
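Review bot: With the PIE, RELRO/`-z now`, stack-protector and `_FORTIFY_SOURCE` probes removed from `configure.ac`, dropbear's hardening depends entirely on what the OpenWrt build configuration injects through CFLAGS/LDFLAGS, and nothing in the patch records or checks that. For a network-facing SSH daemon, a build profile that leaves one of those global options off would presumably produce a binary without that protection, where upstream's configure would have tried to add it. The patch file has no header, so I would add one, e.g. `Drop configure-time PIE/RELRO/SSP/FORTIFY probes; these flags must come from the OpenWrt hardening options via TARGET_CFLAGS/TARGET_LDFLAGS.` It is also worth confirming on at least one target that the resulting `dropbearmulti` still carries the expected protections (for example with `readelf -d` and `readelf -l`). The remaining `hardenbuild` block continues past the end of this hunk.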