build: add default compiler hardening flags via --enable-hardening

Enable security hardening by default in configure.ac:
- Warning flags: -Wshadow, -Wformat=2, -Wstrict-prototypes, etc.
- Error promotions: -Werror=implicit-function-declaration,
  -Werror=return-type, -Werror=format-security, etc.
- Runtime: -D_FORTIFY_SOURCE=2, -fstack-protector-strong
- Platform-detected: -fstack-clash-protection, -fPIE/-pie (Linux)
- Linker: -Wl,-z,relro,-z,now (Linux only)

Fix two real bugs found by -Werror=incompatible-pointer-types:
- util.c rtrim(): char *trim -> const char *trim
- util.c ltrim(): char *trim -> const char *trim

Disable with --disable-hardening for debugging builds.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

Author: somethingwithproof

configure.ac

@@ -98,6 +98,71 @@ AC_ARG_ENABLE(warnings,
   AC_MSG_RESULT(no)
 )
 
+# Security hardening flags (enabled by default)
+AC_MSG_CHECKING([whether to enable security hardening])
+AC_ARG_ENABLE(hardening,
+  [  --disable-hardening     Disable security hardening compiler flags (default: enabled)],
+  [ ENABLED_HARDENING=$enableval ],
+  [ ENABLED_HARDENING=yes ]
+)
+if test "$ENABLED_HARDENING" = "yes"; then
+  AC_MSG_RESULT([yes])
+
+  # Warning flags that catch real bugs
+  CFLAGS="$CFLAGS -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wwrite-strings"
+  CFLAGS="$CFLAGS -Wstrict-prototypes -Wmissing-prototypes"
+  CFLAGS="$CFLAGS -Wformat=2 -Wformat-security"
+  CFLAGS="$CFLAGS -Wno-unused-parameter"
+
+  # Promote dangerous patterns to errors; catches implicit declarations and
+  # type mismatches that are UB in C99 and silently wrong in practice.
+  CFLAGS="$CFLAGS -Werror=implicit-function-declaration"
+  CFLAGS="$CFLAGS -Werror=implicit-int"
+  CFLAGS="$CFLAGS -Werror=incompatible-pointer-types"
+  CFLAGS="$CFLAGS -Werror=int-conversion"
+  CFLAGS="$CFLAGS -Werror=return-type"
+  CFLAGS="$CFLAGS -Werror=format-security"
+
+  # Runtime protection: buffer overflow detection and stack canaries
+  CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
+  CFLAGS="$CFLAGS -fstack-protector-strong"
+
+  # Stack clash protection (GCC 8+ / Clang 11+); probe pages on large
+  # stack allocations to prevent stack-to-heap collisions.
+  save_CFLAGS="$CFLAGS"
+  CFLAGS="$CFLAGS -fstack-clash-protection -Werror"
+  AC_MSG_CHECKING([whether $CC supports -fstack-clash-protection])
+  AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
+    [AC_MSG_RESULT([yes])
+     CFLAGS="$save_CFLAGS -fstack-clash-protection"],
+    [AC_MSG_RESULT([no])
+     CFLAGS="$save_CFLAGS"])
+
+  # Position-independent code for ASLR; hardened distros expect -pie binaries.
+  save_CFLAGS="$CFLAGS"
+  save_LDFLAGS="$LDFLAGS"
+  CFLAGS="$CFLAGS -fPIE -Werror"
+  LDFLAGS="$LDFLAGS -pie"
+  AC_MSG_CHECKING([whether $CC supports -fPIE -pie])
+  AC_LINK_IFELSE([AC_LANG_PROGRAM()],
+    [AC_MSG_RESULT([yes])
+     CFLAGS="$save_CFLAGS -fPIE"
+     LDFLAGS="$save_LDFLAGS -pie"],
+    [AC_MSG_RESULT([no])
+     CFLAGS="$save_CFLAGS"
+     LDFLAGS="$save_LDFLAGS"])
+
+  # Linker hardening: RELRO makes the GOT read-only after startup; BIND_NOW
+  # forces all symbol resolution at load time, closing lazy-binding exploits.
+  case $host_os in
+    linux*)
+      LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+      ;;
+  esac
+else
+  AC_MSG_RESULT([no])
+fi
+
 AC_PATH_PROG(HELP2MAN, help2man, false // No help2man //)
 AC_CHECK_PROG([HELP2MAN], [help2man], [help2man])
 AM_CONDITIONAL([HAVE_HELP2MAN], [test x$HELP2MAN = xhelp2man])