Use hardening-includes for hardening logic (thanks, Kees Cook; closes:

#561887).

3 files changed, 8 insertions, 10 deletions

diff --git a/debian/changelog b/debian/changelog
index 56f4b6f9e..3065481d6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -39,6 +39,8 @@ openssh (1:5.2p1-1) UNRELEASED; urgency=low
     closes: #498684).
   * Don't duplicate backslashes when displaying server banner (thanks,
     Michał Górny; closes: #505378, LP: #425346).
+  * Use hardening-includes for hardening logic (thanks, Kees Cook; closes:
+    #561887).
 
  -- Colin Watson <cjwatson@debian.org>  Thu, 12 Nov 2009 21:31:44 +0000
 
diff --git a/debian/control b/debian/control
index 062a5148e..25df28c5c 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: openssh
 Section: net
 Priority: standard
 Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
-Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.0.1), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sh4 sparc], libkrb5-dev | heimdal-dev
+Build-Depends: libwrap0-dev | libwrap-dev, zlib1g-dev (>= 1:1.2.3-1), libssl-dev (>= 0.9.8-1), libpam0g-dev | libpam-dev, libgtk2.0-dev, libedit-dev, debhelper (>= 7.0.1), sharutils, libselinux1-dev [alpha amd64 arm armeb armel hppa i386 ia64 lpia m68k mips mipsel powerpc ppc64 s390 sh4 sparc], libkrb5-dev | heimdal-dev, hardening-includes
 Standards-Version: 3.7.3
 Uploaders: Colin Watson <cjwatson@debian.org>, Matthew Vernon <matthew@debian.org>
 Vcs-Bzr: http://bzr.debian.org/pkg-ssh/openssh/trunk
diff --git a/debian/rules b/debian/rules
index ff83b852b..0966a2e55 100755
--- a/debian/rules
+++ b/debian/rules
@@ -3,6 +3,8 @@
 # Uncomment this to turn on verbose mode.
 # export DH_VERBOSE=1
 
+include /usr/share/hardening-includes/hardening.make
+
 # This has to be exported to make some magic below work.
 export DH_OPTIONS
 
@@ -44,12 +46,6 @@ ifneq (,$(findstring :$(DEB_HOST_ARCH_OS):,:linux:knetbsd:))
     PIC_CFLAGS := -fPIC
     PIC_LDFLAGS := -fPIC
   endif
-  ifeq (,$(findstring :$(DEB_HOST_ARCH_CPU):,:hppa:m68k:mips:mipsel:))
-    # Use position-independent executables to take advantage of address space
-    # layout randomisation. TODO: This should be done in configure.
-    PIE_CFLAGS := -fPIE
-    PIE_LDFLAGS := -fPIE -pie
-  endif
 endif
 
 # Change the version string to include the Debian version
@@ -100,7 +96,7 @@ confflags += --with-default-path=$(DEFAULT_PATH) --with-superuser-path=$(SUPERUS
 confflags_udeb += --with-default-path=/usr/local/bin:/usr/bin:/bin --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 # Compiler flags.
-cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(PIE_CFLAGS)
+cflags := $(OPTFLAGS) $(PIC_CFLAGS) $(HARDENING_CFLAGS)
 cflags += -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT
 cflags += -DSSH_EXTRAVERSION=\"$(SSH_EXTRAVERSION)\"
 cflags_udeb := -Os
@@ -109,8 +105,8 @@ confflags += --with-cflags='$(cflags)'
 confflags_udeb += --with-cflags='$(cflags_udeb)'
 
 # Linker flags.
-ifneq ($(PIC_LDFLAGS)$(PIE_LDFLAGS),)
-confflags += --with-ldflags='$(strip $(PIC_LDFLAGS) $(PIE_LDFLAGS))'
+ifneq ($(PIC_LDFLAGS)$(HARDENING_LDFLAGS),)
+confflags += --with-ldflags='$(strip $(PIC_LDFLAGS) $(HARDENING_LDFLAGS))'
 endif
 
 build: build-deb build-udeb