From 4f1484f1336e1556c70e11d6662d0bf297289d3f Mon Sep 17 00:00:00 2001
From: Fred Morcos
Date: Fri, 13 Oct 2023 10:17:26 +0200
Subject: [PATCH] Meson: Hardening - Control Flow Protection
---
 meson/hardening/control-flow/meson.build | 10 ++++++++++
 meson/hardening/meson.build | 1 +
 meson_options.txt | 1 +
 3 files changed, 12 insertions(+)
 create mode 100644 meson/hardening/control-flow/meson.build
diff --git a/meson/hardening/control-flow/meson.build b/meson/hardening/control-flow/meson.build
new file mode 100644
index 0000000000..0c1ed36722
--- /dev/null
+++ b/meson/hardening/control-flow/meson.build
@@ -0,0 +1,10 @@
+opt_cf = get_option('hardening-experimental-cf')
+
+support_cf_prot = opt_cf != 'disabled' and cxx.has_argument('-fcf-protection=' + opt_cf)
+if support_cf_prot
+ add_project_arguments('-fcf-protection=' + opt_cf, language: ['c', 'cpp'])
+elif opt_cf != 'disabled'
+ error('Control Flow Protection was explicitly requested but is not supported by the compiler')
+endif
+
+summary('Control Flow Protection', support_cf_prot, bool_yn: true, section: 'Hardening')
diff --git a/meson/hardening/meson.build b/meson/hardening/meson.build
index 18d7161532..05df75533b 100644
--- a/meson/hardening/meson.build
+++ b/meson/hardening/meson.build
@@ -30,3 +30,4 @@ if opt_hardening.enabled() or opt_hardening.auto()
 endif
 subdir('fortify-source') # Fortify Source
+subdir('control-flow') # Control Flow Protection
diff --git a/meson_options.txt b/meson_options.txt
index dc5d0edb96..12f3e0d6d2 100644
--- a/meson_options.txt
+++ b/meson_options.txt
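Review bot: The `summary(...)` line in the new control-flow/meson.build reports YES for every accepted value, including `check`. As I read the GCC documentation, `check` only verifies at LTO link time that objects agree on their `-fcf-protection` setting and adds no instrumentation, so a build could advertise Control Flow Protection without having any. Reporting the selected mode would make this visible, e.g. `summary('Control Flow Protection', support_cf_prot ? opt_cf : 'no', section: 'Hardening')`; alternatively drop `check` from the choices added in meson_options.txt. The probe also uses only `cxx.has_argument(...)` while the flag is added for both `c` and `cpp`, so a separately configured C compiler, if the project uses one, is never checked.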
@@ -1,5 +1,6 @@
 option('lua', type: 'combo', choices: ['auto', 'luajit', 'lua'], value: 'auto', description: 'Lua implementation to use')
 option('hardening', type: 'feature', value: 'auto', description: 'Compiler security checks')
+option('hardening-experimental-cf', type: 'combo', choices: ['disabled', 'full', 'branch', 'return', 'check'], value: 'disabled', description: 'Control Flow hardening')
 option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level')
 option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG')
 option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
-- 2.47.2
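Review bot: The description `'Control Flow hardening'` on the new `hardening-experimental-cf` option gives no hint which compiler flag the values feed or that the feature is off by default and experimental. A packager cannot tell `branch` from `return` without reading meson/hardening/control-flow/meson.build. I would spell it out, e.g. `description: 'Control Flow hardening: value passed to -fcf-protection= (experimental, disabled by default)'`.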