Bug#656861: Please enabled hardened build flags

[Simon Ruderich]

reopen 656861
thanks

Dear Maintainer,

The hardening flags are missing for the polarssl library. For
more hardening information please have a look at [1], [2] and
[3].

The attached patches fix the issue
(polarssl-use-dpkg-buildflags.patch should be applied first). The
second enables a verbose build for polarssl - otherwise missing
flags are not detected.

To check if all flags were correctly enabled you can use
`hardening-check` from the hardening-includes package and check
the build log (for example with blhc [4]) (hardening-check
doesn't catch everything):

    $ hardening-check /usr/bin/pdnssec /usr/bin/zone2sql /usr/bin/pdns_control 
/usr/sbin/pdns_server ...
    /usr/bin/pdnssec:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/zone2sql:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/bin/pdns_control:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    /usr/sbin/pdns_server:
     Position Independent Executable: no, normal executable!
     Stack protected: yes
     Fortify Source functions: yes (some protected functions found)
     Read-only relocations: yes
     Immediate binding: no not found!
    ...

(Position Independent Executable and Immediate binding is not
enabled by default.)

Use find -type f \( -executable -o -name \*.so\* \) -exec
hardening-check {} + on the build result to check all files.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
[4]: http://ruderich.org/simon/blhc/
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Description: Use build flags from environment (dpkg-buildflags).
 Necessary for hardening flags.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-05-11

Index: pdns-3.0/pdns/ext/polarssl/library/Makefile
===================================================================
--- pdns-3.0.orig/pdns/ext/polarssl/library/Makefile	2012-05-11 13:01:01.000000000 +0200
+++ pdns-3.0/pdns/ext/polarssl/library/Makefile	2012-05-11 13:01:03.000000000 +0200
@@ -2,7 +2,10 @@
 # Also see "include/polarssl/config.h"
 
 CFLAGS	= -I../include -D_FILE_OFFSET_BITS=64 -Wall -Wdeclaration-after-statement
-OFLAGS	= -O
+#OFLAGS	= -O
+CFLAGS  += $(shell dpkg-buildflags --get CFLAGS)
+CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS)
+LDFLAGS  = $(shell dpkg-buildflags --get LDFLAGS)
 
 # MicroBlaze specific options:
 # CFLAGS += -mno-xl-soft-mul -mxl-barrel-shift
@@ -43,15 +46,15 @@
 
 libpolarssl.so: libpolarssl.a
 	echo "  LD    $@"
-	$(CC) -shared -Wl,-soname,$@ -o $@ $(OBJS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname,$@ -o $@ $(OBJS)
 
 libpolarssl.dylib: libpolarssl.a
 	echo "  LD    $@"
-	$(CC) -dynamiclib -o $@ $(OBJS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -dynamiclib -o $@ $(OBJS)
 
 .c.o:
 	echo "  CC    $<"
-	$(CC) $(CFLAGS) $(OFLAGS) -c $<
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(OFLAGS) -c $<
 
 clean:
 	rm -f *.o libpolarssl.*

Description: Display compiler commands when compiling.
 Necessary to detect missing (hardening) flags.
 .
 The echo lines were removed to prevent false positives when checking the
 build log.
Author: Simon Ruderich <si...@ruderich.org>
Last-Update: 2012-05-11

Index: pdns-3.0/pdns/ext/polarssl/library/Makefile
===================================================================
--- pdns-3.0.orig/pdns/ext/polarssl/library/Makefile	2012-05-11 13:01:03.000000000 +0200
+++ pdns-3.0/pdns/ext/polarssl/library/Makefile	2012-05-11 13:01:06.000000000 +0200
@@ -30,8 +30,6 @@
 	timing.o	x509parse.o	xtea.o		\
 	camellia.o
 
-.SILENT:
-
 all: static
 
 static: libpolarssl.a
@@ -39,21 +37,16 @@
 shared: libpolarssl.$(DLEXT)
 
 libpolarssl.a: $(OBJS)
-	echo "  AR    $@"
 	ar r $@ $(OBJS)
-	echo "  RL    $@"
 	ranlib $@
 
 libpolarssl.so: libpolarssl.a
-	echo "  LD    $@"
 	$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname,$@ -o $@ $(OBJS)
 
 libpolarssl.dylib: libpolarssl.a
-	echo "  LD    $@"
 	$(CC) $(CFLAGS) $(LDFLAGS) -dynamiclib -o $@ $(OBJS)
 
 .c.o:
-	echo "  CC    $<"
 	$(CC) $(CPPFLAGS) $(CFLAGS) $(OFLAGS) -c $<
 
 clean:

signature.asc
Description: Digital signature