Move hardening checks to m4/hardening.m4

MANIFEST

@@ -425,6 +425,7 @@ m4/ax_check_link_flag.m4
 m4/ax_func_getaddrinfo.m4
 m4/ax_func_snprintf.m4
 m4/ax_prog_cc_for_build.m4
+m4/hardening.m4
 m4/libtool.m4
 m4/ltoptions.m4
 m4/ltsugar.m4

aclocal.m4

@@ -18,6 +18,7 @@ m4_include([m4/ax_check_link_flag.m4])
 m4_include([m4/ax_func_getaddrinfo.m4])
 m4_include([m4/ax_func_snprintf.m4])
 m4_include([m4/ax_prog_cc_for_build.m4])
+m4_include([m4/hardening.m4])
 m4_include([m4/libtool.m4])
 m4_include([m4/ltoptions.m4])
 m4_include([m4/ltsugar.m4])

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72a for sudo 1.9.12p1.
+# Generated by GNU Autoconf 2.72a.69-9c123-dirty for sudo 1.9.12p1.
 #
 # Report bugs to <https://bugzilla.sudo.ws/>.
 #
@@ -1992,7 +1992,7 @@ test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
 sudo configure 1.9.12p1
-generated by GNU Autoconf 2.72a
+generated by GNU Autoconf 2.72a.69-9c123-dirty
 
 Copyright (C) 2022 Free Software Foundation, Inc.
 This configure script is free software; the Free Software Foundation
@@ -2670,7 +2670,7 @@ This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
 It was created by sudo $as_me 1.9.12p1, which was
-generated by GNU Autoconf 2.72a.  Invocation command line was
+generated by GNU Autoconf 2.72a.69-9c123-dirty.  Invocation command line was
 
   $ $0$ac_configure_args_raw
 
@@ -31432,104 +31432,6 @@ EOF
 fi
 
 
-if test "$enable_hardening" != "no"; then
-    O_CPPFLAGS="$CPPFLAGS"
-
-if test ${CPPFLAGS+y}
-then :
-
-  case " $CPPFLAGS " in #(
-  *" -D_FORTIFY_SOURCE=2 "*) :
-    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -D_FORTIFY_SOURCE=2"; } >&5
-  (: CPPFLAGS already contains -D_FORTIFY_SOURCE=2) 2>&5
-  ac_status=$?
-  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; } ;; #(
-  *) :
-
-     as_fn_append CPPFLAGS " -D_FORTIFY_SOURCE=2"
-     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
-  (: CPPFLAGS="$CPPFLAGS") 2>&5
-  ac_status=$?
-  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-     ;;
-esac
-
-else case e in #(
-  e)
-  CPPFLAGS=-D_FORTIFY_SOURCE=2
-  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
-  (: CPPFLAGS="$CPPFLAGS") 2>&5
-  ac_status=$?
-  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }
-   ;;
-esac
-fi
-
-    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether _FORTIFY_SOURCE may be specified" >&5
-printf %s "checking whether _FORTIFY_SOURCE may be specified... " >&6; }
-if test ${sudo_cv_use_fortify_source+y}
-then :
-  printf %s "(cached) " >&6
-else case e in #(
-  e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-
-int
-main (void)
-{
-char buf[4]; (void)sprintf(buf, "%s", "foo");
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"
-then :
-  sudo_cv_use_fortify_source=yes
-else case e in #(
-  e) sudo_cv_use_fortify_source=no
-	     ;;
-esac
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.beam \
-    conftest$ac_exeext conftest.$ac_ext
-
-	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-int
-main (void)
-{
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"
-then :
-  sudo_cv_use_fortify_source=yes
-else case e in #(
-  e) sudo_cv_use_fortify_source=no
-	     ;;
-esac
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.beam \
-    conftest$ac_exeext conftest.$ac_ext
-
-     ;;
-esac
-fi
-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_use_fortify_source" >&5
-printf "%s\n" "$sudo_cv_use_fortify_source" >&6; }
-    if test "$sudo_cv_use_fortify_source" != yes; then
-	CPPFLAGS="$O_CPPFLAGS"
-    fi
-fi
-
 
 ac_c_werror_flag=yes
 
@@ -33042,7 +32944,109 @@ fi
     esac
 fi
 
-if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then
+
+    if test "$enable_hardening" != "no"; then
+	#
+	# Attempt to use _FORTIFY_SOURCE with sprintf.  If the headers support
+	# it but libc does not, __sprintf_chk should be an undefined symbol.
+	#
+	O_CPPFLAGS="$CPPFLAGS"
+
+if test ${CPPFLAGS+y}
+then :
+
+  case " $CPPFLAGS " in #(
+  *" -D_FORTIFY_SOURCE=2 "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -D_FORTIFY_SOURCE=2"; } >&5
+  (: CPPFLAGS already contains -D_FORTIFY_SOURCE=2) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " -D_FORTIFY_SOURCE=2"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else case e in #(
+  e)
+  CPPFLAGS=-D_FORTIFY_SOURCE=2
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+   ;;
+esac
+fi
+
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether _FORTIFY_SOURCE may be specified" >&5
+printf %s "checking whether _FORTIFY_SOURCE may be specified... " >&6; }
+if test ${sudo_cv_use_fortify_source+y}
+then :
+  printf %s "(cached) " >&6
+else case e in #(
+  e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+
+int
+main (void)
+{
+char buf[4]; (void)sprintf(buf, "%s", "foo");
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+  sudo_cv_use_fortify_source=yes
+else case e in #(
+  e) sudo_cv_use_fortify_source=no
+		 ;;
+esac
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+    conftest$ac_exeext conftest.$ac_ext
+
+	    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main (void)
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+  sudo_cv_use_fortify_source=yes
+else case e in #(
+  e) sudo_cv_use_fortify_source=no
+		 ;;
+esac
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+    conftest$ac_exeext conftest.$ac_ext
+
+	 ;;
+esac
+fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_use_fortify_source" >&5
+printf "%s\n" "$sudo_cv_use_fortify_source" >&6; }
+	if test "$sudo_cv_use_fortify_source" != yes; then
+	    CPPFLAGS="$O_CPPFLAGS"
+	fi
+
+				if test "$enable_ssp" != "no"; then
 	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for compiler stack protector support" >&5
 printf %s "checking for compiler stack protector support... " >&6; }
 if test ${sudo_cv_var_stack_protector+y}
@@ -33050,9 +33054,10 @@ then :
   printf %s "(cached) " >&6
 else case e in #(
   e)
-	    # Avoid CFLAGS since the compiler might optimize away our test.
+		    # Avoid CFLAGS since the compiler might optimize away our
-	    # We don't want CPPFLAGS or LIBS to interfere with the test but
+		    # test.  We don't want CPPFLAGS or LIBS to interfere with
-	    # keep LDFLAGS as it may have an rpath needed to find the ssp lib.
+		    # the test but keep LDFLAGS as it may have an rpath needed
+		    # to find the ssp lib.
 		    _CPPFLAGS="$CPPFLAGS"
 		    _CFLAGS="$CFLAGS"
 		    _LDFLAGS="$LDFLAGS"
@@ -33154,7 +33159,7 @@ printf "%s\n" "$sudo_cv_var_stack_protector" >&6; }
 		HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector"
 	    fi
 	fi
-if test "$enable_hardening" != "no"; then
+
 	# The gcc front-end may accept -fstack-clash-protection even if the
 	# machine-specific code does not support it.  We use a test program
 	# with a large stack allocation to try to cause the compiler to
@@ -33260,6 +33265,7 @@ fi
 
 	fi
 
+	# Check for control-flow transfer instrumentation (Intel CET).
 	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5
 printf %s "checking whether C compiler accepts -fcf-protection... " >&6; }
 if test ${ax_cv_check_cflags___fcf_protection+y}
@@ -33413,6 +33419,8 @@ else case e in #(
 esac
 fi
 
+
+	# Linker-specific hardening flags.
 	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
 printf %s "checking whether the linker accepts -Wl,-z,relro... " >&6; }
 if test ${ax_cv_check_ldflags___Wl__z_relro+y}
@@ -33450,21 +33458,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_relro" >&6; }
 if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes
 then :
 
-if test ${LDFLAGS+y}
+if test ${HARDENING_LDFLAGS+y}
 then :
 
-  case " $LDFLAGS " in #(
+  case " $HARDENING_LDFLAGS " in #(
   *" -Wl,-z,relro "*) :
-    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,relro"; } >&5
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,relro"; } >&5
-  (: LDFLAGS already contains -Wl,-z,relro) 2>&5
+  (: HARDENING_LDFLAGS already contains -Wl,-z,relro) 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; } ;; #(
   *) :
 
-     as_fn_append LDFLAGS " -Wl,-z,relro"
+     as_fn_append HARDENING_LDFLAGS " -Wl,-z,relro"
-     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
-  (: LDFLAGS="$LDFLAGS") 2>&5
+  (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
@@ -33473,9 +33481,9 @@ esac
 
 else case e in #(
   e)
-  LDFLAGS=-Wl,-z,relro
+  HARDENING_LDFLAGS=-Wl,-z,relro
-  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
-  (: LDFLAGS="$LDFLAGS") 2>&5
+  (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
@@ -33525,21 +33533,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_now" >&6; }
 if test x"$ax_cv_check_ldflags___Wl__z_now" = xyes
 then :
 
-if test ${LDFLAGS+y}
+if test ${HARDENING_LDFLAGS+y}
 then :
 
-  case " $LDFLAGS " in #(
+  case " $HARDENING_LDFLAGS " in #(
   *" -Wl,-z,now "*) :
-    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,now"; } >&5
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,now"; } >&5
-  (: LDFLAGS already contains -Wl,-z,now) 2>&5
+  (: HARDENING_LDFLAGS already contains -Wl,-z,now) 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; } ;; #(
   *) :
 
-     as_fn_append LDFLAGS " -Wl,-z,now"
+     as_fn_append HARDENING_LDFLAGS " -Wl,-z,now"
-     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
-  (: LDFLAGS="$LDFLAGS") 2>&5
+  (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
@@ -33548,9 +33556,9 @@ esac
 
 else case e in #(
   e)
-  LDFLAGS=-Wl,-z,now
+  HARDENING_LDFLAGS=-Wl,-z,now
-  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
-  (: LDFLAGS="$LDFLAGS") 2>&5
+  (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
@@ -33600,21 +33608,21 @@ printf "%s\n" "$ax_cv_check_ldflags___Wl__z_noexecstack" >&6; }
 if test x"$ax_cv_check_ldflags___Wl__z_noexecstack" = xyes
 then :
 
-if test ${LDFLAGS+y}
+if test ${HARDENING_LDFLAGS+y}
 then :
 
-  case " $LDFLAGS " in #(
+  case " $HARDENING_LDFLAGS " in #(
   *" -Wl,-z,noexecstack "*) :
-    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS already contains -Wl,-z,noexecstack"; } >&5
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS already contains -Wl,-z,noexecstack"; } >&5
-  (: LDFLAGS already contains -Wl,-z,noexecstack) 2>&5
+  (: HARDENING_LDFLAGS already contains -Wl,-z,noexecstack) 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; } ;; #(
   *) :
 
-     as_fn_append LDFLAGS " -Wl,-z,noexecstack"
+     as_fn_append HARDENING_LDFLAGS " -Wl,-z,noexecstack"
-     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
-  (: LDFLAGS="$LDFLAGS") 2>&5
+  (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
@@ -33623,9 +33631,9 @@ esac
 
 else case e in #(
   e)
-  LDFLAGS=-Wl,-z,noexecstack
+  HARDENING_LDFLAGS=-Wl,-z,noexecstack
-  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LDFLAGS=\"\$LDFLAGS\""; } >&5
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : HARDENING_LDFLAGS=\"\$HARDENING_LDFLAGS\""; } >&5
-  (: LDFLAGS="$LDFLAGS") 2>&5
+  (: HARDENING_LDFLAGS="$HARDENING_LDFLAGS") 2>&5
   ac_status=$?
   printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
   test $ac_status = 0; }
@@ -34960,7 +34968,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # values after options handling.
 ac_log="
 This file was extended by sudo $as_me 1.9.12p1, which was
-generated by GNU Autoconf 2.72a.  Invocation command line was
+generated by GNU Autoconf 2.72a.69-9c123-dirty.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
   CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -35028,7 +35036,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
 sudo config.status 1.9.12p1
-configured by $0, generated by GNU Autoconf 2.72a,
+configured by $0, generated by GNU Autoconf 2.72a.69-9c123-dirty,
   with options \\"\$ac_cs_config\\"
 
 Copyright (C) 2022 Free Software Foundation, Inc.

configure.ac

@@ -4533,35 +4533,6 @@ SUDO_VARDIR
 SUDO_IO_LOGDIR
 SUDO_TZDIR
 
-dnl
-dnl Attempt to use _FORTIFY_SOURCE with sprintf.  If the headers support
-dnl it but libc does not, __sprintf_chk should be an undefined symbol.
-dnl
-if test "$enable_hardening" != "no"; then
-    O_CPPFLAGS="$CPPFLAGS"
-    AX_APPEND_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS])
-    AC_CACHE_CHECK([whether _FORTIFY_SOURCE may be specified],
-	[sudo_cv_use_fortify_source],
-	[AC_LINK_IFELSE([
-		AC_LANG_PROGRAM(
-		    [[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]]
-		)],
-		[sudo_cv_use_fortify_source=yes],
-		[sudo_cv_use_fortify_source=no]
-	    )
-	]
-	[AC_LINK_IFELSE(
-	    [AC_LANG_PROGRAM([[]], [[]])],
-		[sudo_cv_use_fortify_source=yes],
-		[sudo_cv_use_fortify_source=no]
-	    )
-	]
-    )
-    if test "$sudo_cv_use_fortify_source" != yes; then
-	CPPFLAGS="$O_CPPFLAGS"
-    fi
-fi
-
 dnl
 dnl Turn warnings into errors.
 dnl All compiler/loader tests after this point will fail if
@@ -4844,91 +4815,7 @@ if test "$enable_pie" != "yes"; then
     esac
 fi
 
-dnl
+SUDO_CHECK_HARDENING
-dnl Check for -fstack-protector and -z relro support
-dnl This test relies on AC_LANG_WERROR
-dnl
-if test "$enable_hardening" != "no" && test "$enable_ssp" != "no"; then
-    AC_CACHE_CHECK([for compiler stack protector support],
-	[sudo_cv_var_stack_protector],
-	[
-	    # Avoid CFLAGS since the compiler might optimize away our test.
-	    # We don't want CPPFLAGS or LIBS to interfere with the test but
-	    # keep LDFLAGS as it may have an rpath needed to find the ssp lib.
-	    _CPPFLAGS="$CPPFLAGS"
-	    _CFLAGS="$CFLAGS"
-	    _LDFLAGS="$LDFLAGS"
-	    _LIBS="$LIBS"
-	    CPPFLAGS=
-	    LIBS=
-
-	    sudo_cv_var_stack_protector="-fstack-protector-strong"
-	    CFLAGS="$sudo_cv_var_stack_protector"
-	    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
-	    AC_LINK_IFELSE([
-		AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
-		[[char buf[1024]; buf[1023] = '\0';]])
-	    ], [], [
-		sudo_cv_var_stack_protector="-fstack-protector-all"
-		CFLAGS="$sudo_cv_var_stack_protector"
-		LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
-		AC_LINK_IFELSE([
-		    AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
-		    [[char buf[1024]; buf[1023] = '\0';]])
-		], [], [
-		    sudo_cv_var_stack_protector="-fstack-protector"
-		    CFLAGS="$sudo_cv_var_stack_protector"
-		    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
-		    AC_LINK_IFELSE([
-			AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
-			[[char buf[1024]; buf[1023] = '\0';]])
-		    ], [], [
-			sudo_cv_var_stack_protector=no
-		    ])
-		])
-	    ])
-	    CPPFLAGS="$_CPPFLAGS"
-	    CFLAGS="$_CFLAGS"
-	    LDFLAGS="$_LDFLAGS"
-	    LIBS="$_LIBS"
-	]
-    )
-    if test X"$sudo_cv_var_stack_protector" != X"no"; then
-	HARDENING_CFLAGS="$sudo_cv_var_stack_protector"
-	HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector"
-    fi
-fi
-if test "$enable_hardening" != "no"; then
-    # The gcc front-end may accept -fstack-clash-protection even if the
-    # machine-specific code does not support it.  We use a test program
-    # with a large stack allocation to try to cause the compiler to
-    # insert the stack clash protection code, or fail if not supported.
-    AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
-	[sudo_cv_check_cflags___fstack_clash_protection],
-	[
-	    _CFLAGS="$CFLAGS"
-	    CFLAGS="$CFLAGS -fstack-clash-protection"
-	    AC_COMPILE_IFELSE([
-		AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }]])
-	    ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
-	    CFLAGS="$_CFLAGS"
-	]
-    )
-    if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
-	AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
-	AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
-    fi
-
-    AX_CHECK_COMPILE_FLAG([-fcf-protection], [
-	AX_CHECK_LINK_FLAG([-fcf-protection], [
-	    AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
-	    AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
-	])
-    ])
-    AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [LDFLAGS])])
-    AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [LDFLAGS])])
-    AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [AX_APPEND_FLAG([-Wl,-z,noexecstack], [LDFLAGS])])
-fi
 
 dnl
 dnl Use passwd auth module?

m4/hardening.m4

@@ -0,0 +1,117 @@
+AC_DEFUN([SUDO_CHECK_HARDENING], [
+    if test "$enable_hardening" != "no"; then
+	#
+	# Attempt to use _FORTIFY_SOURCE with sprintf.  If the headers support
+	# it but libc does not, __sprintf_chk should be an undefined symbol.
+	#
+	O_CPPFLAGS="$CPPFLAGS"
+	AX_APPEND_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS])
+	AC_CACHE_CHECK([whether _FORTIFY_SOURCE may be specified],
+	    [sudo_cv_use_fortify_source],
+	    [AC_LINK_IFELSE([
+		    AC_LANG_PROGRAM(
+			[[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]]
+		    )],
+		    [sudo_cv_use_fortify_source=yes],
+		    [sudo_cv_use_fortify_source=no]
+		)
+	    ]
+	    [AC_LINK_IFELSE(
+		[AC_LANG_PROGRAM([[]], [[]])],
+		    [sudo_cv_use_fortify_source=yes],
+		    [sudo_cv_use_fortify_source=no]
+		)
+	    ]
+	)
+	if test "$sudo_cv_use_fortify_source" != yes; then
+	    CPPFLAGS="$O_CPPFLAGS"
+	fi
+
+	dnl
+	dnl The following tests rely on AC_LANG_WERROR.
+	dnl
+	if test "$enable_ssp" != "no"; then
+	    AC_CACHE_CHECK([for compiler stack protector support],
+		[sudo_cv_var_stack_protector],
+		[
+		    # Avoid CFLAGS since the compiler might optimize away our
+		    # test.  We don't want CPPFLAGS or LIBS to interfere with
+		    # the test but keep LDFLAGS as it may have an rpath needed
+		    # to find the ssp lib.
+		    _CPPFLAGS="$CPPFLAGS"
+		    _CFLAGS="$CFLAGS"
+		    _LDFLAGS="$LDFLAGS"
+		    _LIBS="$LIBS"
+		    CPPFLAGS=
+		    LIBS=
+
+		    sudo_cv_var_stack_protector="-fstack-protector-strong"
+		    CFLAGS="$sudo_cv_var_stack_protector"
+		    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+		    AC_LINK_IFELSE([
+			AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+			[[char buf[1024]; buf[1023] = '\0';]])
+		    ], [], [
+			sudo_cv_var_stack_protector="-fstack-protector-all"
+			CFLAGS="$sudo_cv_var_stack_protector"
+			LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+			AC_LINK_IFELSE([
+			    AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+			    [[char buf[1024]; buf[1023] = '\0';]])
+			], [], [
+			    sudo_cv_var_stack_protector="-fstack-protector"
+			    CFLAGS="$sudo_cv_var_stack_protector"
+			    LDFLAGS="$_LDFLAGS $sudo_cv_var_stack_protector"
+			    AC_LINK_IFELSE([
+				AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT],
+				[[char buf[1024]; buf[1023] = '\0';]])
+			    ], [], [
+				sudo_cv_var_stack_protector=no
+			    ])
+			])
+		    ])
+		    CPPFLAGS="$_CPPFLAGS"
+		    CFLAGS="$_CFLAGS"
+		    LDFLAGS="$_LDFLAGS"
+		    LIBS="$_LIBS"
+		]
+	    )
+	    if test X"$sudo_cv_var_stack_protector" != X"no"; then
+		HARDENING_CFLAGS="$sudo_cv_var_stack_protector"
+		HARDENING_LDFLAGS="-Wc,$sudo_cv_var_stack_protector"
+	    fi
+	fi
+
+	# The gcc front-end may accept -fstack-clash-protection even if the
+	# machine-specific code does not support it.  We use a test program
+	# with a large stack allocation to try to cause the compiler to
+	# insert the stack clash protection code, or fail if not supported.
+	AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
+	    [sudo_cv_check_cflags___fstack_clash_protection],
+	    [
+		_CFLAGS="$CFLAGS"
+		CFLAGS="$CFLAGS -fstack-clash-protection"
+		AC_COMPILE_IFELSE([
+		    AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0'); return buf[argc]; }]])
+		], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
+		CFLAGS="$_CFLAGS"
+	    ]
+	)
+	if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
+	    AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
+	    AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
+	fi
+
+	# Check for control-flow transfer instrumentation (Intel CET).
+	AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+	    AX_CHECK_LINK_FLAG([-fcf-protection], [
+		AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
+		AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+	    ])
+	])
+
+	# Linker-specific hardening flags.
+	AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [HARDENING_LDFLAGS])])
+	AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [HARDENING_LDFLAGS])])
+	AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [AX_APPEND_FLAG([-Wl,-z,noexecstack], [HARDENING_LDFLAGS])])
+    fi])