commit cb0e70b16a674921aa9774a253ada8408618c1ab
parent 2a142eb70804f1edb7d4d777aacaf78b2239ea1c
Author: Evgeny Grin (Karlson2k) <k2k@drgrin.dev>
Date: Tue, 31 Mar 2026 05:47:57 +0200
Adjusted hardening flags
Flags were corrected based on recommendations from Red Hat;
OpenSSF Best Practices WG; Quarkslab; Airbus Security Lab.
Diffstat:
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
@@ -1046,6 +1046,8 @@ AS_VAR_IF([enable_compiler_hardening],["yes"],
CFLAGS="${user_CFLAGS}"
MHD_FIND_ADD_CC_CFLAG([CFLAGS_ac],[-fstack-protector-strong],[-fstack-protector-all],[-fstack-protector])
MHD_CHECK_ADD_CC_CFLAGS([-fstack-clash-protection],[CFLAGS_ac])
+ MHD_CHECK_ADD_CC_CFLAGS([-fcf-protection=full -mbranch-protection=standard],[CFLAGS_ac])
+ MHD_CHECK_ADD_CC_CFLAGS([-fno-delete-null-pointer-checks -fno-strict-overflow ],[CFLAGS_ac])
MHD_FIND_ADD_CC_CFLAG([CFLAGS_ac],[-ftrivial-auto-var-init=pattern],[-ftrivial-auto-var-init=zero])
CFLAGS="${CFLAGS_ac} ${user_CFLAGS}"
AS_IF([test "x${enable_static}" = "xyes" && test "x${pic_mode}" != "xyes"],
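Review bot: The two options on the first added line are for different architectures — `-fcf-protection=full` is the x86 CET option and `-mbranch-protection=standard` the AArch64 PAC/BTI option — so on any given host at most one of them can be accepted, which only works if MHD_CHECK_ADD_CC_CFLAGS probes each whitespace-separated flag on its own (the plural name suggests it does, but the macro is not visible in this hunk). If it instead compiles one test program with both flags, neither would ever be added; probing them in two separate calls removes the dependency on that macro detail either way. A comment such as `# x86 CET (-fcf-protection) and AArch64 PAC/BTI (-mbranch-protection); each is expected to fail the probe on the other architecture` would also keep a later reader from reading the rejection in the configure log as a regression. The second added line has a stray trailing space before `]` (`-fno-strict-overflow ]`), which the other calls do not have and which should be dropped for consistency.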
@@ -1093,6 +1095,7 @@ AS_VAR_IF([enable_linker_hardening],["yes"],
LDFLAGS="${user_LDFLAGS}"
MHD_CHECK_ADD_CC_LDFLAG([-Wl,-z,relro],[LDFLAGS_ac],
[MHD_CHECK_ADD_CC_LDFLAG([-Wl,-z,now],[LDFLAGS_ac])])
+ MHD_CHECK_ADD_CC_LDFLAG([-Wl,-z,separate-code],[LDFLAGS_ac])
# Actually should be "noexec" by default, but let's try to enforce it.
MHD_CHECK_ADD_CC_LDFLAG([-Wl,-z,noexecstack],[LDFLAGS_ac])
# W32-specific. Some are enabled by default, but they will be enfored to be sure.
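Review bot: The new `-Wl,-z,separate-code` line is the only hardening linker flag in this block without a comment, while the neighbouring `noexecstack` line explains why it is enforced even though it is usually the default; the same applies here, since GNU ld makes separate-code the default only on some targets (x86 Linux since binutils 2.31, as far as I know) and other linkers may not. I would add `# Default on x86 Linux with recent binutils, but not on all targets/linkers; enforce it to keep code and data in separate pages` above the new line. The probe presumably rejects the flag on linkers that do not understand `-z separate-code`, as for the existing `-z` options, so no functional change is needed.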
@@ -8695,8 +8698,8 @@ AS_IF([test "x${enable_sanitizers}" = "xno"],
AS_VAR_IF([enable_compiler_hardening],["yes"],
[
AS_VAR_IF([enable_sanitizers],["auto"],
- [AC_MSG_ERROR([sanitizers cannot be enabled with compiler hardnening])],
- [AC_MSG_WARN([sanitizers cannot be enabled with compiler hardnening])]
+ [AC_MSG_ERROR([sanitizers cannot be enabled with compiler hardening])],
+ [AC_MSG_WARN([sanitizers cannot be enabled with compiler hardening])]
)
enable_sanitizers="no"
enable_san_address="no"