diff --git a/CMakeLists.txt b/CMakeLists.txt
index 83c6d885ae1..0f1aa85cef1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -371,9 +371,6 @@ endif()
 option(UA_DEBUG_DUMP_PKGS "Dump every package received by the server as hexdump format" OFF)
 mark_as_advanced(UA_DEBUG_DUMP_PKGS)
-option(UA_ENABLE_HARDENING "Enable Hardening measures (e.g. Stack-Protectors and Fortify)" ON)
-mark_as_advanced(UA_ENABLE_HARDENING)
-
 if(CMAKE_VERSION VERSION_GREATER 3.6)
 set(UA_ENABLE_STATIC_ANALYZER "OFF" CACHE STRING "Enable installed static analyzer during build process (off/minimal/reduced/full)")
 mark_as_advanced(UA_ENABLE_STATIC_ANALYZER)
@@ -597,16 +594,6 @@ if((CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID STREQUAL "Clang") AND
 endif()
 if(NOT MINGW AND NOT UA_BUILD_OSS_FUZZ)
- if(UA_ENABLE_HARDENING)
- check_add_cc_flag("-fstack-protector-strong") # more performant stack protector, available since gcc 4.9
- check_add_cc_flag("-fstack-clash-protection") # increased reliability of stack overflow detection, available since gcc 8
- # future use (control flow integrity protection)
- if(NOT ${CMAKE_SYSTEM_NAME} MATCHES "OpenBSD")
- check_add_cc_flag("-mcet")
- check_add_cc_flag("-fcf-protection")
- endif()
- endif()
-
 # IPO requires too much memory for unit tests
 # GCC docu recommends to compile all files with the same options, therefore ignore it completely
 if(NOT UA_BUILD_UNIT_TESTS AND NOT DEFINED CMAKE_INTERPROCEDURAL_OPTIMIZATION)
@@ -639,10 +626,6 @@ if((CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID STREQUAL "Clang") AND
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SANITIZER_FLAGS}")
 endif()
- if(NOT MINGW AND UA_ENABLE_HARDENING AND ((CMAKE_BUILD_TYPE STREQUAL "Release") OR (CMAKE_BUILD_TYPE STREQUAL "RelWithDebInfo")))
- check_add_cc_flag("-D_FORTIFY_SOURCE=2") # run-time buffer overflow detection (needs at least -O1)
- endif()
-
 # Strip release builds
 if(CMAKE_BUILD_TYPE STREQUAL "MinSizeRel" OR CMAKE_BUILD_TYPE STREQUAL "Release")
 check_add_cc_flag("-ffunction-sections")
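Review bot: A default build no longer receives stack-protector, stack-clash, control-flow or `_FORTIFY_SOURCE` flags from this file once the `if(UA_ENABLE_HARDENING)` block (hunk `@@ -597,16 +594,6 @@`) and the `-D_FORTIFY_SOURCE=2` check (hunk `@@ -639,10 +626,6 @@`) are removed, and nothing in the visible lines tells integrators that supplying them is now their job. The option defaulted to ON, so unless the flags are re-added somewhere outside these hunks, release binaries of this server library presumably depend on whatever the toolchain or distribution enables by default. I would leave a comment where the option was declared, e.g. `# Hardening flags (-fstack-protector-strong, -D_FORTIFY_SOURCE=2, ...) are not set here; pass them via CMAKE_C_FLAGS or a toolchain file.`, and mention the removal in the changelog. Build scripts that still pass `-DUA_ENABLE_HARDENING=ON` will only get CMake's unused-variable warning, which is easy to miss. The enclosing `if(...)` blocks of both hunks begin and end outside the visible lines.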
diff --git a/arch/zephyr/Kconfig b/arch/zephyr/Kconfig
index 3d486d5bfb4..b3c9cbf774f 100644
--- a/arch/zephyr/Kconfig
+++ b/arch/zephyr/Kconfig
@@ -175,11 +175,6 @@ config OPEN62541_DEBUG_DUMP_PKGS
 default n
 help
 Dump every package received by the server as hexdump format
-config OPEN62541_ENABLE_HARDENING
- bool "Enable hardening"
- default y
- help
- Enable Hardening measures (e.g. Stack-Protectors and Fortify)
 config OPEN62541_DEBUG_FILE_LINE_INFO
 bool "Enable debug file line info"
 default n
diff --git a/arch/zephyr/zephyr.cmake b/arch/zephyr/zephyr.cmake
index bdb4a1216ff..34fa8a8aa85 100644
--- a/arch/zephyr/zephyr.cmake
+++ b/arch/zephyr/zephyr.cmake
@@ -48,7 +48,6 @@ if(CONFIG_OPEN62541)
 open62541_translate_zephyr_param_option(UA_FILE_NS0_BLACKLIST CONFIG_OPEN62541_FILE_NS0_BLACKLIST)
 open62541_translate_zephyr_bool_option(UA_ENABLE_DISCOVERY_SEMAPHORE CONFIG_OPEN62541_ENABLE_DISCOVERY_SEMAPHORE)
 open62541_translate_zephyr_bool_option(UA_DEBUG_DUMP_PKGS CONFIG_OPEN62541_DEBUG_DUMP_PKGS)
- open62541_translate_zephyr_bool_option(UA_ENABLE_HARDENING CONFIG_OPEN62541_ENABLE_HARDENING)
 open62541_translate_zephyr_bool_option(UA_DEBUG_FILE_LINE_INFO CONFIG_OPEN62541_DEBUG_FILE_LINE_INFO)
 open62541_translate_zephyr_param_option(UA_MULTITHREADING CONFIG_OPEN62541_MULTITHREADING)
 open62541_translate_zephyr_param_option(UA_NAMESPACE_ZERO CONFIG_OPEN62541_NAMESPACE_ZERO)
diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index 29b54ac076e..21584a4df00 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -15,8 +15,6 @@ WORKDIR /opt/open62541/build
 RUN cmake -DBUILD_SHARED_LIBS=ON \
 -DCMAKE_BUILD_TYPE=Release \
 -DUA_BUILD_EXAMPLES=ON \
- # Hardening needs to be disabled, otherwise the docker build takes too long and travis fails
- -DUA_ENABLE_HARDENING=OFF \
 -DUA_ENABLE_ENCRYPTION=MBEDTLS \
 -DUA_ENABLE_SUBSCRIPTIONS=ON \
 -DUA_ENABLE_SUBSCRIPTIONS_EVENTS=ON \