Compare revisions

Matt Johnston · Matt Johnston · Matt Johnston · Matt Johnston · Matt Johnston · 57690891
--- a/configure.ac
+++ b/configure.ac
@@ -19,6 +19,7 @@ if test -z "$LD" ; then
 fi
 AC_SUBST(LD)	
+# set compile flags prior to other tests
 if test -z "$OLDCFLAGS" && test "$GCC" = "yes"; then
 	AC_MSG_NOTICE(No \$CFLAGS set... using "-Os -W -Wall" for GCC)
 	CFLAGS="-Os -W -Wall -Wno-pointer-sign"
@@ -29,12 +30,78 @@ OLDCFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS -fno-strict-overflow"
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
    [AC_MSG_RESULT(yes)], 
-    [
+    [AC_MSG_RESULT(no); CFLAGS="$OLDCFLAGS" ]
-        AC_MSG_RESULT(no)
-        CFLAGS=$OLDCFLAGS
-    ]
    )
+hardenbuild=1
+AC_ARG_ENABLE(harden,
+	[  --disable-harden          Don't set hardened build flags],
+	[
+		if test "x$enableval" = "xno"; then
+			hardenbuild=0
+			AC_MSG_NOTICE(Disabling hardened build flags)
+		fi
+	], [])
+if test "$hardenbuild" -eq 1; then
+	AC_MSG_NOTICE(Checking for available hardened build flags:)
+	# pie
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-fPIE"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+	    )
+	OLDLDFLAGS="$LDFLAGS"
+	TESTFLAGS="-Wl,-pie"
+	LDFLAGS="$LDFLAGS $TESTFLAGS"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+		[
+			LDFLAGS="$OLDLDFLAGS"
+			TESTFLAGS="-pie"
+			LDFLAGS="$LDFLAGS $TESTFLAGS"
+			AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+				[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+				[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+				)
+		]
+	    )
+	# readonly elf relocation sections (relro)
+	OLDLDFLAGS="$LDFLAGS"
+	TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+	LDFLAGS="$LDFLAGS $TESTFLAGS"
+	AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+	    )
+	# stack protector. -strong is good but only in gcc 4.9 or later
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-fstack-protector-strong"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [
+			CFLAGS="$OLDCFLAGS"
+			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+			CFLAGS="$CFLAGS $TESTFLAGS"
+			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+			    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+			    )
+	    ]
+	    )
+	# FORTIFY_SOURCE
+	OLDCFLAGS="$CFLAGS"
+	TESTFLAGS="-D_FORTIFY_SOURCE=2"
+	CFLAGS="$CFLAGS $TESTFLAGS"
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+	    )
+fi
 # large file support is useful for scp
 AC_SYS_LARGEFILE
@@ -233,7 +300,11 @@ AC_ARG_ENABLE(shadow,
 # Checks for header files.
 AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h netinet/in_systm.h sys/uio.h])
+AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h \
+	string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h \
+	pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h \
+	utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h \
+	pam/pam_appl.h netinet/in_systm.h sys/uio.h linux/pkt_sched.h])
 # Checks for typedefs, structures, and compiler characteristics.
 AC_C_CONST

--- a/dss.c
+++ b/dss.c
@@ -61,16 +61,14 @@ int buf_get_dss_pub_key(buffer* buf, dropbear_dss_key *key) {
 		goto out;
 	}
-	if (mp_count_bits(key->p) < DSS_P_BITS) {
+	if (mp_count_bits(key->p) != DSS_P_BITS) {
 		dropbear_log(LOG_WARNING, "Bad DSS p");
-		TRACE(("leave buf_get_dss_pub_key: short key"))
 		ret = DROPBEAR_FAILURE;
 		goto out;
 	}
-	if (mp_count_bits(key->q) < DSS_Q_BITS) {
+	if (mp_count_bits(key->q) != DSS_Q_BITS) {
 		dropbear_log(LOG_WARNING, "Bad DSS q");
-		TRACE(("leave buf_get_dss_pub_key: short key"))
 		ret = DROPBEAR_FAILURE;
 		goto out;
 	}

--- a/includes.h
+++ b/includes.h
@@ -156,7 +156,7 @@ typedef unsigned int u_int32_t;
 typedef u_int32_t uint32_t;
 #endif /* HAVE_UINT32_T */
-#ifdef SO_PRIORITY
+#ifdef HAVE_LINUX_PKT_SCHED_H
 #include <linux/types.h>
 #include <linux/pkt_sched.h>
 #endif

--- a/netio.c
+++ b/netio.c
@@ -306,7 +306,7 @@ void set_sock_priority(int sock, enum dropbear_prio prio) {
 #ifdef IPTOS_LOWDELAY
 	int iptos_val = 0;
 #endif
-#ifdef SO_PRIORITY
+#ifdef HAVE_LINUX_PKT_SCHED_H
 	int so_prio_val = 0;
 #endif
@@ -333,7 +333,7 @@ void set_sock_priority(int sock, enum dropbear_prio prio) {
 	}
 #endif
-#ifdef SO_PRIORITY
+#ifdef HAVE_LINUX_PKT_SCHED_H
 	if (prio == DROPBEAR_PRIO_LOWDELAY) {
 		so_prio_val = TC_PRIO_INTERACTIVE;
 	} else if (prio == DROPBEAR_PRIO_BULK) {

--- a/svr-authpam.c
+++ b/svr-authpam.c
@@ -224,6 +224,12 @@ void svr_auth_pam() {
 		goto cleanup;
 	}
+	if ((rc = pam_set_item(pamHandlep, PAM_RHOST, svr_ses.remotehost)) != PAM_SUCCESS) {
+		dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s",
+				rc, pam_strerror(pamHandlep, rc));
+		goto cleanup;
+	}
 #ifdef HAVE_PAM_FAIL_DELAY
 	/* We have our own random delay code already, disable PAM's */
 	(void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
No results found