diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch
new file mode 100644
index 0000000000..ab1361f6ae
--- /dev/null
+++ b/package/network/services/dropbear/patches/900-configure-hardening.patch
@@ -0,0 +1,56 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+ 
+ if test "$hardenbuild" -eq 1; then
+ AC_MSG_NOTICE(Checking for available hardened build flags:)
+- # relocation flags don't make sense for static builds
+- if test "$STATIC" -ne 1; then
+- # pie
+- DB_TRYADDCFLAGS([-fPIE])
+-
+- OLDLDFLAGS="$LDFLAGS"
+- TESTFLAGS="-Wl,-pie"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [
+- LDFLAGS="$OLDLDFLAGS"
+- TESTFLAGS="-pie"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+- )
+- ]
+- )
+- # readonly elf relocation sections (relro)
+- OLDLDFLAGS="$LDFLAGS"
+- TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+- LDFLAGS="$LDFLAGS $TESTFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+- )
+- fi # non-static
+- # stack protector. -strong is good but only in gcc 4.9 or later
+- OLDCFLAGS="$CFLAGS"
+- TESTFLAGS="-fstack-protector-strong"
+- CFLAGS="$CFLAGS $TESTFLAGS"
+- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [
+- CFLAGS="$OLDCFLAGS"
+- TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+- CFLAGS="$CFLAGS $TESTFLAGS"
+- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+- )
+- ]
+- )
+- # FORTIFY_SOURCE
+- DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
+ 
+ # Spectre v2 mitigations
+ DB_TRYADDCFLAGS([-mfunction-return=thunk])
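Review bot: Dropping the PIE, RELRO, stack-protector and FORTIFY_SOURCE probes means a `--enable-harden` build of dropbear gets nothing but the Spectre v2 flags from this block unless the surrounding build injects those flags itself, and the new patch file carries no description saying that this is the intent. Presumably the OpenWrt toolchain wrapper supplies them from the package hardening options (CONFIG_PKG_SSP / CONFIG_PKG_FORTIFY_SOURCE / CONFIG_PKG_RELRO) and the upstream probes were duplicating or overriding them, but a reader of `900-configure-hardening.patch` cannot tell, and a later change to those options would silently ship an unhardened sshd with no configure-time notice. A patch header above `--- a/configure.ac` should record the rationale, e.g. `PIE/RELRO/SSP/FORTIFY are provided by the OpenWrt toolchain wrapper according to the CONFIG_PKG_* hardening options; dropbear's own probes are removed so they do not duplicate or override the global flags.` Note that `-D_FORTIFY_SOURCE=2` is only redundant when the build sets an equal or stronger level, and `-fstack-protector-strong` only when CONFIG_PKG_SSP is on, so the header should name the assumption. The `if test "$hardenbuild" -eq 1` block continues past the end of the hunk.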