Ticket 48350 - configure.ac add options for debbuging and security analysis / hardening.

https://fedorahosted.org/389/ticket/48350

Bug Description:  Improve options for debugging and gcc security options.

Fix Description:
* We add -g3 to --enable-debug
* Add a new option, --enable-gcc-security that enables a number of strict
   protections. These options are to match the options in rpm-build so that we
   can test like-for-like options.
* Add a new option, --enable-asan. This enables GCC's address sanitization
   checker. This is NOT for production, but for development and debugging.

Author: wibrown

Thanks: [email protected], for putting me onto GCC's address sanitization,
 and for discussing secure development in general.

Review by: mreynolds, nhosoi (Thanks!)

Makefile.am

@@ -11,6 +11,8 @@ QUOTE := $(NULLSTRING)"# a double quote"
 BUILDNUM := $(shell perl $(srcdir)/buildnum.pl)
 NQBUILDNUM := $(subst \,,$(subst $(QUOTE),,$(BUILDNUM)))
 DEBUG_DEFINES = @debug_defs@
+GCCSEC_DEFINES = @gccsec_defs@
+ASAN_DEFINES = @asan_defs@
 # the -U undefines these symbols - should use the corresponding DS_ ones instead - see configure.ac
 DS_DEFINES = -DBUILD_NUM=$(BUILDNUM) -DVENDOR="\"$(vendor)\"" -DBRAND="\"$(brand)\"" -DCAPBRAND="\"$(capbrand)\"" \
 	-UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT
@@ -38,13 +40,14 @@ PATH_DEFINES = -DLOCALSTATEDIR="\"$(localstatedir)\"" -DSYSCONFDIR="\"$(sysconfd
 	-DDATADIR="\"$(datadir)\"" -DDOCDIR="\"$(docdir)\"" \
 	-DSBINDIR="\"$(sbindir)\"" -DPLUGINDIR="\"$(serverplugindir)\"" -DTEMPLATEDIR="\"$(sampledatadir)\""
 
-AM_CPPFLAGS = $(DEBUG_DEFINES) $(DS_DEFINES) $(DS_INCLUDES) $(PATH_DEFINES)
+AM_CPPFLAGS = $(DEBUG_DEFINES) $(GCCSEC_DEFINES) $(ASAN_DEFINES) $(DS_DEFINES) $(DS_INCLUDES) $(PATH_DEFINES)
 PLUGIN_CPPFLAGS = $(AM_CPPFLAGS) @openldap_inc@ @ldapsdk_inc@ @nss_inc@ @nspr_inc@
 # We need to make sure that libpthread is linked before libc on HP-UX.
 if HPUX
 AM_LDFLAGS = -lpthread
-#else
+else
 #AM_LDFLAGS = -Wl,-z,defs
+AM_LDFLAGS = $(ASAN_DEFINES)
 endif
 
 #------------------------

Makefile.in

@@ -1370,6 +1370,7 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
+asan_defs = @asan_defs@
 bindir = @bindir@
 brand = @brand@
 build = @build@
@@ -1398,6 +1399,7 @@ defaultuser = @defaultuser@
 docdir = @docdir@
 dvidir = @dvidir@
 exec_prefix = @exec_prefix@
+gccsec_defs = @gccsec_defs@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -1506,6 +1508,8 @@ QUOTE := $(NULLSTRING)"# a double quote"
 BUILDNUM := $(shell perl $(srcdir)/buildnum.pl)
 NQBUILDNUM := $(subst \,,$(subst $(QUOTE),,$(BUILDNUM)))
 DEBUG_DEFINES = @debug_defs@
+GCCSEC_DEFINES = @gccsec_defs@
+ASAN_DEFINES = @asan_defs@
 # the -U undefines these symbols - should use the corresponding DS_ ones instead - see configure.ac
 DS_DEFINES = -DBUILD_NUM=$(BUILDNUM) -DVENDOR="\"$(vendor)\"" -DBRAND="\"$(brand)\"" -DCAPBRAND="\"$(capbrand)\"" \
 	-UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT
@@ -1531,12 +1535,12 @@ PATH_DEFINES = -DLOCALSTATEDIR="\"$(localstatedir)\"" -DSYSCONFDIR="\"$(sysconfd
 	-DDATADIR="\"$(datadir)\"" -DDOCDIR="\"$(docdir)\"" \
 	-DSBINDIR="\"$(sbindir)\"" -DPLUGINDIR="\"$(serverplugindir)\"" -DTEMPLATEDIR="\"$(sampledatadir)\""
 
-AM_CPPFLAGS = $(DEBUG_DEFINES) $(DS_DEFINES) $(DS_INCLUDES) $(PATH_DEFINES)
+AM_CPPFLAGS = $(DEBUG_DEFINES) $(GCCSEC_DEFINES) $(ASAN_DEFINES) $(DS_DEFINES) $(DS_INCLUDES) $(PATH_DEFINES)
 PLUGIN_CPPFLAGS = $(AM_CPPFLAGS) @openldap_inc@ @ldapsdk_inc@ @nss_inc@ @nspr_inc@
+#AM_LDFLAGS = -Wl,-z,defs
+@HPUX_FALSE@AM_LDFLAGS = $(ASAN_DEFINES)
 # We need to make sure that libpthread is linked before libc on HP-UX.
 @HPUX_TRUE@AM_LDFLAGS = -lpthread
-#else
-#AM_LDFLAGS = -Wl,-z,defs
 
 #------------------------
 # Linker Flags

aclocal.m4

@@ -329,6 +329,43 @@ AC_PREREQ([2.50])dnl
 am_aux_dir=`cd $ac_aux_dir && pwd`
 ])
 
+# AM_COND_IF                                            -*- Autoconf -*-
+
+# Copyright (C) 2008-2013 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# _AM_COND_IF
+# _AM_COND_ELSE
+# _AM_COND_ENDIF
+# --------------
+# These macros are only used for tracing.
+m4_define([_AM_COND_IF])
+m4_define([_AM_COND_ELSE])
+m4_define([_AM_COND_ENDIF])
+
+# AM_COND_IF(COND, [IF-TRUE], [IF-FALSE])
+# ---------------------------------------
+# If the shell condition COND is true, execute IF-TRUE, otherwise execute
+# IF-FALSE.  Allow automake to learn about conditional instantiating macros
+# (the AC_CONFIG_FOOS).
+AC_DEFUN([AM_COND_IF],
+[m4_ifndef([_AM_COND_VALUE_$1],
+	   [m4_fatal([$0: no such condition "$1"])])dnl
+_AM_COND_IF([$1])dnl
+if test -z "$$1_TRUE"; then :
+  m4_n([$2])[]dnl
+m4_ifval([$3],
+[_AM_COND_ELSE([$1])dnl
+else
+  $3
+])dnl
+_AM_COND_ENDIF([$1])dnl
+fi[]dnl
+])
+
 # AM_CONDITIONAL                                            -*- Autoconf -*-
 
 # Copyright (C) 1997-2013 Free Software Foundation, Inc.

configure

@@ -763,6 +763,10 @@ enable_pam_passthru_FALSE
 enable_pam_passthru_TRUE
 BUNDLE_FALSE
 BUNDLE_TRUE
+gccsec_defs
+RPM_HARDEND_CC_FALSE
+RPM_HARDEND_CC_TRUE
+asan_defs
 debug_defs
 LIBOBJS
 CXXCPP
@@ -909,6 +913,8 @@ with_gnu_ld
 with_sysroot
 enable_libtool_lock
 enable_debug
+enable_asan
+enable_gcc_security
 enable_bundle
 enable_pam_passthru
 enable_dna
@@ -1619,6 +1625,8 @@ Optional Features:
                           optimize for fast installation [default=yes]
   --disable-libtool-lock  avoid locking (might break parallel builds)
   --enable-debug          Enable debug features (default: no)
+  --enable-asan           Enable gcc address sanitizer options (default: no)
+  --enable-gcc-security   Enable gcc secure compilation options (default: no)
   --enable-bundle         Enable bundled dependencies (default: no)
   --enable-pam-passthru   enable the PAM passthrough auth plugin (default:
                           yes)
@@ -17677,7 +17685,7 @@ if test "${enable_debug+set}" = set; then :
   enableval=$enable_debug;
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-  debug_defs="-DDEBUG -DMCC_DEBUG"
+  debug_defs="-g3 -DDEBUG -DMCC_DEBUG"
 
 else
 
@@ -17689,6 +17697,57 @@ fi
 
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --enable-asan" >&5
+$as_echo_n "checking for --enable-asan... " >&6; }
+# Check whether --enable-asan was given.
+if test "${enable_asan+set}" = set; then :
+  enableval=$enable_asan;
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+  asan_defs="-fsanitize=address -fno-omit-frame-pointer"
+
+else
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+  asan_defs=""
+
+fi
+
+
+
+ if test -f /usr/lib/rpm/redhat/redhat-hardened-cc1; then
+  RPM_HARDEND_CC_TRUE=
+  RPM_HARDEND_CC_FALSE='#'
+else
+  RPM_HARDEND_CC_TRUE='#'
+  RPM_HARDEND_CC_FALSE=
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --enable-gcc-security" >&5
+$as_echo_n "checking for --enable-gcc-security... " >&6; }
+# Check whether --enable-gcc-security was given.
+if test "${enable_gcc_security+set}" = set; then :
+  enableval=$enable_gcc_security;
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+  if test -z "$RPM_HARDEND_CC_TRUE"; then :
+   gccsec_defs="-Wall -Wp,-D_FORITY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 "
+else
+   gccsec_defs="-Wall -Wp,-D_FORITY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches"
+
+fi
+
+else
+
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+  gccsec_defs=""
+
+fi
+
+
+
 # Used for legacy style packaging where we bundle all of the dependencies.
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --enable-bundle" >&5
 $as_echo_n "checking for --enable-bundle... " >&6; }
@@ -21560,6 +21619,10 @@ if test -z "${am__fastdepCCAS_TRUE}" && test -z "${am__fastdepCCAS_FALSE}"; then
   as_fn_error $? "conditional \"am__fastdepCCAS\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${RPM_HARDEND_CC_TRUE}" && test -z "${RPM_HARDEND_CC_FALSE}"; then
+  as_fn_error $? "conditional \"RPM_HARDEND_CC\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${BUNDLE_TRUE}" && test -z "${BUNDLE_FALSE}"; then
   as_fn_error $? "conditional \"BUNDLE\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5

configure.ac

@@ -69,7 +69,7 @@ AC_MSG_CHECKING(for --enable-debug)
 AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug], [Enable debug features (default: no)]),
 [
   AC_MSG_RESULT(yes)
-  debug_defs="-DDEBUG -DMCC_DEBUG"
+  debug_defs="-g3 -DDEBUG -DMCC_DEBUG"
 ],
 [
   AC_MSG_RESULT(no)
@@ -77,6 +77,34 @@ AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug], [Enable debug features (de
 ])
 AC_SUBST([debug_defs])
 
+AC_MSG_CHECKING(for --enable-asan)
+AC_ARG_ENABLE(asan, AS_HELP_STRING([--enable-asan], [Enable gcc address sanitizer options (default: no)]),
+[
+  AC_MSG_RESULT(yes)
+  asan_defs="-fsanitize=address -fno-omit-frame-pointer"
+],
+[
+  AC_MSG_RESULT(no)
+  asan_defs=""
+])
+AC_SUBST([asan_defs])
+
+AM_CONDITIONAL([RPM_HARDEND_CC], [test -f /usr/lib/rpm/redhat/redhat-hardened-cc1])
+AC_MSG_CHECKING(for --enable-gcc-security)
+AC_ARG_ENABLE(gcc-security, AS_HELP_STRING([--enable-gcc-security], [Enable gcc secure compilation options (default: no)]),
+[
+  AC_MSG_RESULT(yes)
+  AM_COND_IF([RPM_HARDEND_CC],
+  [ gccsec_defs="-Wall -Wp,-D_FORITY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 " ],
+  [ gccsec_defs="-Wall -Wp,-D_FORITY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches" ]
+  )
+],
+[
+  AC_MSG_RESULT(no)
+  gccsec_defs=""
+])
+AC_SUBST([gccsec_defs])
+
 # Used for legacy style packaging where we bundle all of the dependencies.
 AC_MSG_CHECKING(for --enable-bundle)
 AC_ARG_ENABLE(bundle, AS_HELP_STRING([--enable-bundle], [Enable bundled dependencies (default: no)]),