Diffstat (limited to 'package/network/services/dropbear/patches/900-configure-hardening.patch')
| -rw-r--r-- | package/network/services/dropbear/patches/900-configure-hardening.patch | 35 |
1 files changed, 18 insertions, 17 deletions
diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch index ab1361f6ae8..5dc84849bef 100644 --- a/package/network/services/dropbear/patches/900-configure-hardening.patch +++ b/package/network/services/dropbear/patches/900-configure-hardening.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden, +@@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden, if test "$hardenbuild" -eq 1; then AC_MSG_NOTICE(Checking for available hardened build flags:) @@ -11,15 +11,15 @@ - - OLDLDFLAGS="$LDFLAGS" - TESTFLAGS="-Wl,-pie" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- LDFLAGS="$TESTFLAGS $LDFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [ - LDFLAGS="$OLDLDFLAGS" - TESTFLAGS="-pie" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- LDFLAGS="$TESTFLAGS $LDFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] - ) - ] 
@@ -27,30 +27,31 @@ - # readonly elf relocation sections (relro) - OLDLDFLAGS="$LDFLAGS" - TESTFLAGS="-Wl,-z,now -Wl,-z,relro" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- LDFLAGS="$TESTFLAGS $LDFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] - ) - fi # non-static - # stack protector. -strong is good but only in gcc 4.9 or later - OLDCFLAGS="$CFLAGS" - TESTFLAGS="-fstack-protector-strong" -- CFLAGS="$CFLAGS $TESTFLAGS" -- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- CFLAGS="$TESTFLAGS $CFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [ - CFLAGS="$OLDCFLAGS" - TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4" -- CFLAGS="$CFLAGS $TESTFLAGS" -- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- CFLAGS="$TESTFLAGS $CFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ] - ) - ] - ) - # FORTIFY_SOURCE - DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2]) - +- # Spectre v2 mitigations DB_TRYADDCFLAGS([-mfunction-return=thunk]) + DB_TRYADDCFLAGS([-mindirect-branch=thunk]) |
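Review bot: As far as the collapsed hunk can be read, the refreshed patch now also deletes the `# Spectre v2 mitigations` comment while keeping the two `DB_TRYADDCFLAGS` thunk probes as context, so the patched configure.ac would retain those probes with nothing saying what they are for. Keeping that comment as a context line instead of a removed one would avoid this. Separately, the patch file starts directly at `--- a/configure.ac` with no description, although it strips configure's probes for PIE, `-z now`/`-z relro`, the stack protector and `_FORTIFY_SOURCE`. A short header would help, for example `Drop configure's own hardening probes; these flags are supplied by the package build system` (presumably the intent, to be confirmed). Because nothing visible here shows where the replacement flags come from, it is worth checking the built dropbear binary for PIE, full RELRO and stack protection after this refresh.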
