Change PKGSRC_USE_SSP to a quad option. The options are now:

   "no"     Do not pass any stack protection flags (the default)
   "yes"    Pass -fstack-protector
   "strong" Pass -fstack-protector-strong
   "all"    Pass -fstack-protector-all

This allows users to configure the level of stack smashing protection they
require, and ensures consistent behaviour across platforms.  Users running
on NetBSD who previously used the option will need to change "yes" to "all"
to match the previous default configuration for that platform.

While here use _WRAP_EXTRA_ARGS to ensure the flag gets passed regardless
of whether the package honours CFLAGS, and support additional wrappers.

Discussed a while back with khorben, and used in production for the SmartOS
2016Q1 package sets with the "strong" option.

3 files changed, 24 insertions, 10 deletions

diff --git a/mk/bsd.prefs.mk b/mk/bsd.prefs.mk
index bc9a0c1f0fd..55516d1b4db 100644
--- a/mk/bsd.prefs.mk
+++ b/mk/bsd.prefs.mk
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.386 2016/04/17 08:13:09 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.387 2016/06/13 13:26:42 jperkin Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -707,7 +707,7 @@ _PKGSRC_USE_RELRO=	yes
 .endif
 
 _PKGSRC_USE_SSP=	no
-.if (${PKGSRC_USE_SSP:tl} == "yes") && \
+.if (${PKGSRC_USE_SSP:tl} != "no") && \
     (${_OPSYS_SUPPORTS_SSP:Uno} == "yes")
 _PKGSRC_USE_SSP=	yes
 .endif
diff --git a/mk/compiler/gcc.mk b/mk/compiler/gcc.mk
index af93b08d14f..c92441b0a1e 100644
--- a/mk/compiler/gcc.mk
+++ b/mk/compiler/gcc.mk
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.167 2016/04/11 04:22:34 dbj Exp $
+# $NetBSD: gcc.mk,v 1.168 2016/06/13 13:26:42 jperkin Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -346,12 +346,10 @@ _MKPIE_CFLAGS.gcc=	-fPIC
 # XXX for libraries a sink wrapper around gcc is required and used instead
 #_MKPIE_LDFLAGS.gcc=	-pie
 _RELRO_LDFLAGS.gcc=	-Wl,-z,relro -Wl,-z,now
-_SSP_CFLAGS.gcc=	-fstack-protector-all
 .endif
 
 .if ${OPSYS} == "SunOS"
 _FORTIFY_CFLAGS.gcc=	-D_FORTIFY_SOURCE=2
-_SSP_CFLAGS.gcc=	-fstack-protector
 .endif
 
 .if ${_PKGSRC_MKPIE} == "yes"
@@ -372,9 +370,21 @@ _GCC_LDFLAGS+=		${_RELRO_LDFLAGS.gcc}
 CWRAPPERS_APPEND.ld+=	${_RELRO_LDFLAGS.gcc}
 .endif
  
+# The user can choose the level of stack smashing protection.
+.if ${PKGSRC_USE_SSP} == "all"
+_SSP_CFLAGS=		-fstack-protector-all
+.elif ${PKGSRC_USE_SSP} == "strong"
+_SSP_CFLAGS=		-fstack-protector-strong
+.else
+_SSP_CFLAGS=		-fstack-protector
+.endif
+
 .if ${_PKGSRC_USE_SSP} == "yes"
-_GCC_CFLAGS+=		${_SSP_CFLAGS.gcc}
-CWRAPPERS_APPEND.cc+=	${_SSP_CFLAGS.gcc}
+_WRAP_EXTRA_ARGS.CC+=	${_SSP_CFLAGS}
+_WRAP_EXTRA_ARGS.CXX+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.cc+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.cxx+=	${_SSP_CFLAGS}
+CWRAPPERS_APPEND.f77+=	${_SSP_CFLAGS}
 .endif
 
 # GCC has this annoying behaviour where it advocates in a multi-line
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index 568b72a6fa7..4204a2bea30 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -1,4 +1,4 @@
-# $NetBSD: mk.conf,v 1.263 2016/03/11 23:03:31 khorben Exp $
+# $NetBSD: mk.conf,v 1.264 2016/06/13 13:26:42 jperkin Exp $
 #
 
 # This file provides default values for variables that may be overridden
@@ -236,8 +236,12 @@ PKGSRC_USE_RELRO?= no
 # Default: no
 
 PKGSRC_USE_SSP?= no
-# Set this to yes to enable stack-smashing protection (on supported platforms).
-# Possible: yes, no
+# Configure this to enable stack smashing protection (on supported platforms).
+# Possible values:
+#	no:	Do not pass any stack protection flags
+#	yes:	Pass -fstack-protector
+#	strong:	Pass -fstack-protector-strong
+#	all:	Pass -fstack-protector-all
 # Default: no
 
 # The default PREFER_PKGSRC should be empty, but due to historical reasons we have the list below.