Fix for _FORTIFY_SOURCE

.github/workflows/tests.yml

@@ -611,8 +611,10 @@ jobs:
       fail-fast: false
       matrix:
         os: [ ubuntu-latest, macos-latest ]
+        cflags:
+          - '-O3'
     env:
-      CFLAGS: '-O3'
+      CFLAGS: ${{ matrix.cflags }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -623,3 +625,28 @@ jobs:
         run: cargo test -p aws-lc-rs --all-targets
       - name: Run tests w/ FIPS
         run: cargo test -p aws-lc-rs --all-targets --features fips
+
+  hardened-environment:
+    if: github.repository_owner == 'aws'
+    name: Hardened environment
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+        cflags:
+          - '-O2 -fhardened'
+        gcc_version:
+          - 14
+    env:
+      CC: gcc-${{ matrix.gcc_version }}
+      CXX: g++-${{ matrix.gcc_version }}
+      CFLAGS: ${{ matrix.cflags }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Run tests
+        run: cargo test -p aws-lc-rs --all-targets

aws-lc-sys/builder/cc_builder.rs

@@ -375,7 +375,8 @@ impl CcBuilder {
 
         let compiler = if let Some(original_cflags) = optional_env_target("CFLAGS") {
             let mut new_cflags = original_cflags.clone();
-            new_cflags.push_str(" -O0");
+            // The `_FORTIFY_SOURCE` macro often requires optimizations to also be enabled, so unset it.
+            new_cflags.push_str(" -O0 -Wp,-U_FORTIFY_SOURCE");
             set_env_for_target("CFLAGS", &new_cflags);
             // cc-rs currently prioritizes flags provided by CFLAGS over the flags provided by the build script.
             // The environment variables used by the compiler are set when `get_compiler` is called.