-rw-r--r--package/network/services/dropbear/patches/900-configure-hardening.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch
new file mode 100644
index 0000000000..ab1361f6ae
--- /dev/null
+++ b/package/network/services/dropbear/patches/900-configure-hardening.patch
@@ -0,0 +1,56 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+
+ if test "$hardenbuild" -eq 1; then
+ AC_MSG_NOTICE(Checking for available hardened build flags:)
+- # relocation flags don't make sense for static builds
+- if test "$STATIC" -ne 1; then
+- # pie
+- DB_TRYADDCFLAGS([-fPIE])
+-
+- OLDLDFLAGS="$LDFLAGS"
+- TESTFLAGS="-Wl,-pie"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [
+- LDFLAGS="$OLDLDFLAGS"
+- TESTFLAGS="-pie"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+- )
+- ]
+- )
+- # readonly elf relocation sections (relro)
+- OLDLDFLAGS="$LDFLAGS"
+- TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+- )
+- fi # non-static
+- # stack protector. -strong is good but only in gcc 4.9 or later
+- OLDCFLAGS="$CFLAGS"
+- TESTFLAGS="-fstack-protector-strong"
+- CFLAGS="$CFLAGS $TESTFLAGS"
+- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [
+- CFLAGS="$OLDCFLAGS"
+- TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+- CFLAGS="$CFLAGS $TESTFLAGS"
+- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+- )
+- ]
+- )
+- # FORTIFY_SOURCE
+- DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
+
+ # Spectre v2 mitigations
+ DB_TRYADDCFLAGS([-mfunction-return=thunk])
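Review bot: The new patch file carries no description header, so a reader cannot tell why the PIE, RELRO, stack-protector and FORTIFY_SOURCE probes are removed from configure.ac while the Spectre v2 mitigation probe on the last two lines is kept. Presumably the surrounding build system injects equivalent flags through its toolchain CFLAGS/LDFLAGS; if it does not, dropbear is built without these protections, so that assumption should be recorded where the patch is maintained. I would add a header above the `--- a/configure.ac` line such as `Drop dropbear's own hardening-flag probing; PIE, RELRO, stack protector and FORTIFY_SOURCE are expected to come from the build system's toolchain flags so they are applied consistently across packages.` The `if test "$hardenbuild" -eq 1` block in configure.ac continues past the end of this hunk.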