Add new compiler hardening flags.

Add -fzero-call-used-regs and -ftrivial-auto-var-init to the list of
compiler hardening flags that configure checks for.  These are supported
by clang and gcc, and make ROP gadgets less useful and mitigate
stack-based infoleaks respectively.  ok djm@

diff --git a/configure.ac b/configure.ac
index 413913a7c72edb3487783b67cf875c0b53a463c8..821a75ba17cd1a84ba1eb18fafefc187f9e6a53d 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -190,6 +190,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
        # actually links. The test program compiled/linked includes a number
        # of integer operations that should exercise this.
        OSSH_CHECK_CFLAG_LINK([-ftrapv])
+       OSSH_CHECK_CFLAG_COMPILE([-fzero-call-used-regs=all])
+       OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
     fi
        AC_MSG_CHECKING([gcc version])
        GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`