package/network/services/dropbear/patches/900-configure-hardening.patch - T108 - Gitiles

 --- a/configure.ac
 +++ b/configure.ac
 @@ -86,54 +86,6 @@ AC_ARG_ENABLE(harden,

  if test "$hardenbuild" -eq 1; then
  	AC_MSG_NOTICE(Checking for available hardened build flags:)
 -	# relocation flags don't make sense for static builds
 -	if test "$STATIC" -ne 1; then
 -		# pie
 -		DB_TRYADDCFLAGS([-fPIE])
 -
 -		OLDLDFLAGS="$LDFLAGS"
 -		TESTFLAGS="-Wl,-pie"
 -		LDFLAGS="$TESTFLAGS $LDFLAGS"
 -		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
 -			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -			[
 -				LDFLAGS="$OLDLDFLAGS"
 -				TESTFLAGS="-pie"
 -				LDFLAGS="$TESTFLAGS $LDFLAGS"
 -				AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
 -					[AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
 -					)
 -			]
 -			)
 -		# readonly elf relocation sections (relro)
 -		OLDLDFLAGS="$LDFLAGS"
 -		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
 -		LDFLAGS="$TESTFLAGS $LDFLAGS"
 -		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
 -			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
 -			)
 -	fi # non-static
 -	# stack protector. -strong is good but only in gcc 4.9 or later
 -	OLDCFLAGS="$CFLAGS"
 -	TESTFLAGS="-fstack-protector-strong"
 -	CFLAGS="$TESTFLAGS $CFLAGS"
 -	AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
 -	    [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -	    [
 -			CFLAGS="$OLDCFLAGS"
 -			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
 -			CFLAGS="$TESTFLAGS $CFLAGS"
 -			AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
 -			    [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
 -			    )
 -	    ]
 -	    )
 -	# FORTIFY_SOURCE
 -	DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
 -
  	# Spectre v2 mitigations
  	DB_TRYADDCFLAGS([-mfunction-return=thunk])
  	DB_TRYADDCFLAGS([-mindirect-branch=thunk])
	--- a/configure.ac
	+++ b/configure.ac
	@@ -86,54 +86,6 @@ AC_ARG_ENABLE(harden,

	if test "$hardenbuild" -eq 1; then
	AC_MSG_NOTICE(Checking for available hardened build flags:)
	- # relocation flags don't make sense for static builds
	- if test "$STATIC" -ne 1; then
	- # pie
	- DB_TRYADDCFLAGS([-fPIE])
	-
	- OLDLDFLAGS="$LDFLAGS"
	- TESTFLAGS="-Wl,-pie"
	- LDFLAGS="$TESTFLAGS $LDFLAGS"
	- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
	- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
	- [
	- LDFLAGS="$OLDLDFLAGS"
	- TESTFLAGS="-pie"
	- LDFLAGS="$TESTFLAGS $LDFLAGS"
	- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
	- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
	- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
	- )
	- ]
	- )
	- # readonly elf relocation sections (relro)
	- OLDLDFLAGS="$LDFLAGS"
	- TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
	- LDFLAGS="$TESTFLAGS $LDFLAGS"
	- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
	- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
	- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
	- )
	- fi # non-static
	- # stack protector. -strong is good but only in gcc 4.9 or later
	- OLDCFLAGS="$CFLAGS"
	- TESTFLAGS="-fstack-protector-strong"
	- CFLAGS="$TESTFLAGS $CFLAGS"
	- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
	- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
	- [
	- CFLAGS="$OLDCFLAGS"
	- TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
	- CFLAGS="$TESTFLAGS $CFLAGS"
	- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
	- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
	- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
	- )
	- ]
	- )
	- # FORTIFY_SOURCE
	- DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
	-
	# Spectre v2 mitigations
	DB_TRYADDCFLAGS([-mfunction-return=thunk])
	DB_TRYADDCFLAGS([-mindirect-branch=thunk])