Adopt the OpenSSF Compiler Options Hardening Guide for C and C++

philippeVerney · philippeVerney · commit 9f7f6a9063bc · 2026-03-16T18:58:48.000+01:00
diff --git a/cmake/cmake-harden.cmake b/cmake/cmake-harden.cmake
@@ -0,0 +1,148 @@
+# Copyright 2025 Holepunch Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Downloaded on 2026-03-16 from https://github.com/holepunchto/cmake-harden/blob/main/cmake-harden.cmake
+# Changelog
+# 2026-03-16
+# add -Wextra
+# add -Wsign-conversion
+# add -Wbidi-chars=any
+# add -U_FORTIFY_SOURCE
+# add -D_FORTIFY_SOURCE=3
+# add -D_GLIBCXX_ASSERTIONS
+# add -fcf-protection=full
+# add -mbranch-protection=standard
+# add -Wl,-z,nodlopen
+# add -Wl,--as-needed
+# add -Wl,--no-copy-dt-needed-entries
+# add fexceptions
+# add fhardened
+
+include_guard()
+
+include(CheckCCompilerFlag)
+include(CheckCXXCompilerFlag)
+
+# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+
+macro(add_hardened_compiler_flags)
+  foreach(flag ${ARGV})
+    if(lang MATCHES "CXX")
+      check_cxx_compiler_flag(${flag} supports_${flag})
+    else()
+      check_c_compiler_flag(${flag} supports_${flag})
+    endif()
+
+    if(supports_${flag})
+      target_compile_options(${target} PRIVATE ${flag})
+    endif()
+  endforeach()
+endmacro()
+
+macro(add_hardened_linker_flags)
+  foreach(flag ${ARGV})
+    target_link_options(${target} PRIVATE ${flag})
+  endforeach()
+endmacro()
+
+macro(harden_posix)
+  add_hardened_compiler_flags(
+    -Wall
+    -Wextra
+    -Wformat
+    -Wformat=2
+    -Wconversion
+    -Wsign-conversion
+    -Wimplicit-fallthrough
+	-Wbidi-chars=any
+    -Werror=format-security
+    -Werror=implicit
+    -Werror=incompatible-pointer-types
+    -Werror=int-conversion
+	-U_FORTIFY_SOURCE
+	-D_FORTIFY_SOURCE=3
+	-D_GLIBCXX_ASSERTIONS
+    -fstrict-flex-arrays=3
+	-fcf-protection=full
+	-mbranch-protection=standard
+    -fno-delete-null-pointer-checks
+    -fno-strict-overflow
+    -fno-strict-aliasing
+    -ftrivial-auto-var-init=zero
+	-fexceptions
+	-fhardened
+  )
+
+  add_hardened_linker_flags(
+    -Wl,-z,nodlopen
+    -Wl,-z,noexecstack
+    -Wl,-z,relro
+    -Wl,-z,now
+	-Wl,--as-needed
+	-Wl,--no-copy-dt-needed-entries
+  )
+
+  if(runtime)
+    add_hardened_compiler_flags(
+      -fstack-clash-protection
+      -fstack-protector-strong
+    )
+  endif()
+endmacro()
+
+macro(harden_clang)
+  harden_posix()
+endmacro()
+
+macro(harden_gcc)
+  harden_posix()
+
+  add_hardened_compiler_flags(
+    -Wtrampolines
+  )
+endmacro()
+
+macro(harden_msvc)
+  message(WARNING "Compiler hardening is not yet supported for MSVC")
+endmacro()
+
+function(harden target)
+  set(option_keywords
+    C
+    CXX
+    RUNTIME
+  )
+
+  cmake_parse_arguments(
+    PARSE_ARGV 1 ARGV "${option_keywords}" "" ""
+  )
+
+  set(runtime ${ARGV_RUNTIME})
+
+  if(ARGV_CXX)
+    set(lang CXX)
+  else()
+    set(lang C)
+  endif()
+
+  set(compiler ${CMAKE_${lang}_COMPILER_ID})
+
+  if(compiler MATCHES "Clang")
+    harden_clang()
+  elseif(compiler MATCHES "GCC")
+    harden_gcc()
+  elseif(compiler MATCHES "MSVC")
+    harden_msvc()
+  endif()
+endfunction()
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -40,15 +40,12 @@ set (EML_PREFIX_2_0 "eml2_0")
 set (EML_PREFIX_2_3 "eml2_3")
 
 # Define the compile options according to the compiler
-target_compile_options(${CPP_LIBRARY_NAME}	PRIVATE
+include(${FESAPI_ROOT_DIR}/cmake/cmake-harden.cmake)
+harden(${CPP_LIBRARY_NAME} CXX RUNTIME)
+target_compile_options(${CPP_LIBRARY_NAME} PRIVATE
 	$<$<CXX_COMPILER_ID:MSVC>:/bigobj>
 	$<$<CXX_COMPILER_ID:MSVC>:/MP>
 	$<$<CXX_COMPILER_ID:MSVC>:/W4>
-	$<$<CXX_COMPILER_ID:GNU>:-Wall>
-	$<$<CXX_COMPILER_ID:GNU>:-Wextra>
-	$<$<CXX_COMPILER_ID:GNU>:-Wcast-qual>
-	$<$<CXX_COMPILER_ID:GNU>:-pedantic>
-	$<$<CXX_COMPILER_ID:CLANG>:-Weverything>
 )
 if (WITH_RESQML2_2)
 	target_compile_definitions(${CPP_LIBRARY_NAME} PUBLIC "-DWITH_RESQML2_2")
