Adopt the OpenSSF Compiler Options Hardening Guide for C and C++

Author: philippeVerney

cmake/cmake-harden.cmake

@@ -0,0 +1,153 @@
+# Copyright 2025 Holepunch Inc
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Downloaded on 2026-03-16 from https://github.com/holepunchto/cmake-harden/blob/main/cmake-harden.cmake
+# Changelog
+# 2026-03-16
+# add -Wextra
+# add -Wsign-conversion
+# add -Wbidi-chars=any
+# add -U_FORTIFY_SOURCE
+# add -D_FORTIFY_SOURCE=3
+# add -D_GLIBCXX_ASSERTIONS
+# add -fcf-protection=full
+# add -mbranch-protection=standard
+# add -Wl,-z,nodlopen
+# add -Wl,--as-needed
+# add -Wl,--no-copy-dt-needed-entries
+# add fexceptions
+# add fhardened
+# rename GCC compiler to GNU compiler to apply to gcc and g++
+# Check Linker Flag and use LINKER: prefix
+
+cmake_minimum_required(VERSION 3.19)
+
+include_guard()
+
+include(CheckCompilerFlag)
+include(CheckLinkerFlag)
+
+# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
+
+macro(add_hardened_compiler_flags)
+  foreach(flag ${ARGV})
+    check_compiler_flag(${lang} ${flag} supports_${flag})
+
+    if(supports_${flag})
+      target_compile_options(${target} PRIVATE ${flag})
+    endif()
+  endforeach()
+endmacro()
+
+macro(add_hardened_linker_flags)
+  foreach(flag ${ARGV})
+    check_linker_flag(${lang} LINKER:${flag} supports_${flag})
+  
+    if(supports_${flag})
+      target_link_options(${target} PRIVATE LINKER:${flag})
+    endif()
+  endforeach()
+endmacro()
+
+macro(harden_posix)
+  add_hardened_compiler_flags(
+    -Wall
+    -Wextra
+    -Wformat
+    -Wformat=2
+    -Wconversion
+    -Wsign-conversion
+    -Wimplicit-fallthrough
+	-Wbidi-chars=any
+    -Werror=format-security
+    -Werror=implicit
+    -Werror=incompatible-pointer-types
+    -Werror=int-conversion
+	-U_FORTIFY_SOURCE
+	-D_FORTIFY_SOURCE=3
+	-D_GLIBCXX_ASSERTIONS
+    -fstrict-flex-arrays=3
+	-fcf-protection=full
+	-mbranch-protection=standard
+    -fno-delete-null-pointer-checks
+    -fno-strict-overflow
+    -fno-strict-aliasing
+    -ftrivial-auto-var-init=zero
+	-fexceptions
+	-fhardened
+  )
+
+  # The SHARED and MODULE library targets have by default position independent code enabled : https://cmake.org/cmake/help/latest/variable/CMAKE_POSITION_INDEPENDENT_CODE.html
+  add_hardened_linker_flags(
+    -z,nodlopen
+    -z,noexecstack
+    -z,relro
+    -z,now
+    --as-needed
+    --no-copy-dt-needed-entries
+  )
+
+  if(runtime)
+    add_hardened_compiler_flags(
+      -fstack-clash-protection
+      -fstack-protector-strong
+    )
+  endif()
+endmacro()
+
+macro(harden_clang)
+  harden_posix()
+endmacro()
+
+macro(harden_gnu)
+  harden_posix()
+
+  add_hardened_compiler_flags(
+    -Wtrampolines
+  )
+endmacro()
+
+macro(harden_msvc)
+  message(WARNING "Compiler hardening is not yet supported for MSVC")
+endmacro()
+
+function(harden target)
+  set(option_keywords
+    C
+    CXX
+    RUNTIME
+  )
+
+  cmake_parse_arguments(
+    PARSE_ARGV 1 ARGV "${option_keywords}" "" ""
+  )
+
+  set(runtime ${ARGV_RUNTIME})
+
+  if(ARGV_CXX)
+    set(lang CXX)
+  else()
+    set(lang C)
+  endif()
+
+  set(compiler ${CMAKE_${lang}_COMPILER_ID})
+
+  if(compiler MATCHES "Clang")
+    harden_clang()
+  elseif(compiler MATCHES "GNU")
+    harden_gnu()
+  elseif(compiler MATCHES "MSVC")
+    harden_msvc()
+  endif()
+endfunction()

java/CMakeLists.txt

@@ -6,6 +6,13 @@ find_package(JNI REQUIRED)
 find_package(Java REQUIRED)
 include(UseJava)
 
+## Need to enable dlopen
+get_target_property(old_link_options ${CPP_LIBRARY_NAME} LINK_OPTIONS)
+if(old)
+    string(REPLACE "-Wl,-z,nodlopen" "" new_link_options "${old_link_options}")
+    set_target_properties(${CPP_LIBRARY_NAME} PROPERTIES LINK_OPTIONS "${new_link_options}")
+endif()
+
 set(SWIG_LINKED_TO_RELEASE ON CACHE BOOL "Is your SWIG generated library linked to the release or debug version of FesapiCpp ?")
 
 message("Generating SWIG Java files...")

python/CMakeLists.txt

@@ -3,6 +3,13 @@
 find_package(SWIG 3.0 REQUIRED)
 find_package(Python3 REQUIRED)
 
+## Need to enable dlopen
+get_target_property(old_link_options ${CPP_LIBRARY_NAME} LINK_OPTIONS)
+if(old)
+    string(REPLACE "-Wl,-z,nodlopen" "" new_link_options "${old_link_options}")
+    set_target_properties(${CPP_LIBRARY_NAME} PROPERTIES LINK_OPTIONS "${new_link_options}")
+endif()
+
 set (Fesapi_PYTHON_VERSION ${Fesapi_VERSION_MAJOR}.${Fesapi_VERSION_MINOR}.${Fesapi_VERSION_PATCH})
 
 set(SWIG_LINKED_TO_RELEASE ON CACHE BOOL "Is your SWIG generated library linked to the release or debug version of FesapiCpp ?")

src/CMakeLists.txt

@@ -40,15 +40,12 @@ set (EML_PREFIX_2_0 "eml2_0")
 set (EML_PREFIX_2_3 "eml2_3")
 
 # Define the compile options according to the compiler
-target_compile_options(${CPP_LIBRARY_NAME}	PRIVATE
+include(${FESAPI_ROOT_DIR}/cmake/cmake-harden.cmake)
+harden(${CPP_LIBRARY_NAME} CXX RUNTIME)
+target_compile_options(${CPP_LIBRARY_NAME} PRIVATE
 	$<$<CXX_COMPILER_ID:MSVC>:/bigobj>
 	$<$<CXX_COMPILER_ID:MSVC>:/MP>
 	$<$<CXX_COMPILER_ID:MSVC>:/W4>
-	$<$<CXX_COMPILER_ID:GNU>:-Wall>
-	$<$<CXX_COMPILER_ID:GNU>:-Wextra>
-	$<$<CXX_COMPILER_ID:GNU>:-Wcast-qual>
-	$<$<CXX_COMPILER_ID:GNU>:-pedantic>
-	$<$<CXX_COMPILER_ID:CLANG>:-Weverything>
 )
 if (WITH_RESQML2_2)
 	target_compile_definitions(${CPP_LIBRARY_NAME} PUBLIC "-DWITH_RESQML2_2")