CMake: Add a hardening-check target.

On Windows, add a hardening-check target which checks for DYNAMICBASE and NXCOMPAT using the PowerShell script Get-HardenFlags.ps1. For a Visual Studio solution, run the check by calling: msbuild /m /p:Configuration=RelWithDebInfo hardening-check.vcxproj using the config as appropriate for your build. Otherwise if we find the Debian/Fedora hardening-check script add a target which runs it for each of our executables. Change-Id: I62263e81d155c66e8c8edc751ffab535bf9f3b96 Reviewed-on: https://code.wireshark.org/review/10641 Reviewed-by: Gerald Combs <gerald@wireshark.org>
2015-09-24 10:42:46 -07:00 · 2015-09-24 10:42:46 -07:00 · ff1dbba6ec
parent 44d17c7844
commit ff1dbba6ec
3 changed files with 115 additions and 3 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -2476,6 +2476,33 @@ add_custom_target(test-programs
 )
 set_target_properties(test-programs PROPERTIES FOLDER "Tests")

+if (WIN32)
+	file (TO_NATIVE_PATH ${CMAKE_SOURCE_DIR}/tools/Get-HardenFlags.ps1 _win_harden_flags)
+	add_custom_target(hardening-check
+		COMMAND ${POWERSHELL_COMMAND} "${_win_harden_flags}" "${CMAKE_BINARY_DIR}"
+		DEPENDS ${PROGLIST}
+		COMMENT "Checking binaries for security features"
+	)
+	set_target_properties(hardening-check PROPERTIES FOLDER "Tests")
+else ()
+	find_program(HARDENING_CHECK_EXECUTABLE hardening-check
+		DOC "Path to the hardening-check utility."
+	)
+	if (NOT "${HARDENING_CHECK_EXECUTABLE}" STREQUAL "HARDENING_CHECK_EXECUTABLE-NOTFOUND")
+		foreach(_prog ${PROGLIST})
+			get_target_property(_prog_dir ${_prog} RUNTIME_OUTPUT_DIRECTORY)
+			if (${_prog_dir} STREQUAL "_prog_dir-NOTFOUND")
+				set(_prog_dir "${CMAKE_BINARY_DIR}/run")
+			endif()
+			set(_prog_paths ${_prog_paths} "${_prog_dir}/${_prog}")
+		endforeach()
+		add_custom_target(hardening-check
+			COMMAND ${HARDENING_CHECK_EXECUTABLE} ${_prog_paths}
+			DEPENDS ${PROGLIST}
+			COMMENT "Checking binaries for security features"
+		)
+	endif()
+endif()

 #
 # Editor modelines  -  http://www.wireshark.org/tools/modelines.html
--- a/tools/Get-HardenFlags.ps1
+++ b/tools/Get-HardenFlags.ps1
@ -0,0 +1,84 @@
+#
+# Get-HardenFlags - Checks hardening flags on the binaries.
+#
+# Copyright 2015 Graham Bloice <graham.bloice@trihedral.com>
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs <gerald@wireshark.org>
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+#requires -version 2
+
+# Get-HardenFlags does:
+#   call the dumpbin utility to get the binary header flags
+#   on all the binaries in the distribution, and then filters
+#   for the NXCOMPAT and DYNAMICBASE flags.
+
+<#
+.SYNOPSIS
+Checks the NXCOMPAT and DYNAMICBASE flags on all the binaries.
+
+.DESCRIPTION
+This script downloads and extracts third-party libraries required to compile
+Wireshark.
+
+.PARAMETER BinaryDir
+Specifies the directory where the binaries may be found.
+
+.INPUTS
+-BinaryDir Directory containing the binaries to be checked.
+
+.OUTPUTS
+Any binary that doesn't have the flags is written to the error stream
+
+.EXAMPLE
+C:\PS> .\tools\Get-HardenFlags.ps1 -BinaryDir run\RelWithDebInfo
+#>
+
+Param(
+    [Parameter(Mandatory=$true, Position=0)]
+    [String]
+    $BinaryDir
+)
+
+# CD into the bindir, allows Resolve-Path to work in relative mode.
+Push-Location $BinDir
+
+# Retrieve the list of binaries.  -Filter is quicker than -Include, but can only handle one item
+$Binaries = Get-ChildItem -Path $BinaryDir -Recurse -Include *.exe,*.dll
+
+# Number of "soft" binaries found
+$Count = 0;
+
+# Iterate over the list
+$Binaries | ForEach-Object {
+
+    # Get the flags
+    $flags = dumpbin $_ /HEADERS;
+
+    # Check for the required flags
+    $match = $flags | Select-String -Pattern "NX compatible", "Dynamic base"
+    if ($match.Count -ne 2) {
+
+        # Write-Error outputs error records, we simply want the filename
+        [Console]::Error.WriteLine((Resolve-Path $_ -Relative))
+
+        $Count++
+    }
+}
+
+exit $Count
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@ -132,12 +132,13 @@ EXTRA_DIST = \
 	dftestlib/util.py				\
 	extract_asn1_from_spec.pl			\
 	fix-encoding-args.pl				\
-	fix_pragma_wdocumentation.sh	\
+	fix_pragma_wdocumentation.sh			\
 	fixhf.pl					\
 	ftsanity.py					\
 	fuzz-test.sh					\
 	gen-bugnote					\
-	generate-bacnet-vendors.py	\
+	generate-bacnet-vendors.py			\
+	Get-HardenFlags.ps1				\
 	git-compare-abis.sh				\
 	git-export-release.sh				\
 	html2text.py					\
@ -164,7 +165,7 @@ EXTRA_DIST = \
 	npl/npl.c					\
 	npl/parser.l					\
 	npl/xmem.h					\
-	parse_xml2skinny_dissector.py	\
+	parse_xml2skinny_dissector.py			\
 	pkt-from-core.py				\
 	pre-commit					\
 	process-x11-fields.pl				\