authorNick Mathewson <nickm@torproject.org>2012-06-11 11:00:48 -0400
committerNick Mathewson <nickm@torproject.org>2012-06-11 11:21:04 -0400
commitebaaa4834f803015e68d348f330fcef88de34a92 (patch)
tree4460e3130ed9851d6d35919395b686d654e0fd17
parente6dbe693b7fd90a495b98ec790205ff4ac56fea9 (diff)
downloadtor-ebaaa4834f803015e68d348f330fcef88de34a92.tar.gz
tor-ebaaa4834f803015e68d348f330fcef88de34a92.zip
Make our compiler-hardening checks robust against MinGW
First, specify -Werror when we are testing each option; if it causes a warning to appear, we shouldn't be adding it. Second, do not attempt to add these options until after we have found the libraries we want. Previously, I would hit a bug where the linker hardening options worked fine when we weren't linking anything, but failed completely once we added openssl or libevent.
-rw-r--r--acinclude.m412
-rw-r--r--configure.in39
2 files changed, 33 insertions, 18 deletions
diff --git a/acinclude.m4 b/acinclude.m4
index c5037fa35d..5e09c960fe 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -46,7 +46,7 @@ AC_DEFUN([TOR_CHECK_CFLAGS], [
AS_VAR_PUSHDEF([VAR],[tor_cv_cflags_$1])
AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
tor_saved_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -pedantic $1"
+ CFLAGS="$CFLAGS -pedantic -Werror $1"
AC_TRY_COMPILE([], [return 0;],
[AS_VAR_SET(VAR,yes)],
[AS_VAR_SET(VAR,no)])
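Review bot: With `-Werror` in the probe's CFLAGS, a warning that has nothing to do with `$1` (from `-pedantic`, or from flags the user already put in `$CFLAGS`) now makes the test answer "no", and the hardening flag is then left out of the build. As far as this hunk shows, the only trace is the "no" in configure's check output; the rest of TOR_CHECK_CFLAGS lies outside the hunk. The same applies to the `-pedantic -Werror` line added to TOR_CHECK_LDFLAGS in the next hunk. I would add a comment above the assignment, `dnl -Werror: a flag that only draws a warning counts as unsupported; any other warning from $CFLAGS also yields "no"`, and consider an `AC_MSG_WARN` in the caller when a requested hardening flag is rejected.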
@@ -59,15 +59,23 @@ AC_DEFUN([TOR_CHECK_CFLAGS], [
])
dnl 1:flags
+dnl 2:extra ldflags
+dnl 3:extra libraries
AC_DEFUN([TOR_CHECK_LDFLAGS], [
AS_VAR_PUSHDEF([VAR],[tor_cv_ldflags_$1])
AC_CACHE_CHECK([whether the linker accepts $1], VAR, [
+ tor_saved_CFLAGS="$CFLAGS"
tor_saved_LDFLAGS="$LDFLAGS"
- LDFLAGS="$LDFLAGS -pedantic $1"
+ tor_saved_LIBS="$LIBS"
+ CFLAGS="$CFLAGS -pedantic -Werror"
+ LDFLAGS="$LDFLAGS $2 $1"
+ LIBS="$LIBS $3"
AC_TRY_LINK([], [return 0;],
[AS_VAR_SET(VAR,yes)],
[AS_VAR_SET(VAR,no)])
+ CFLAGS="$tor_saved_CFLAGS"
LDFLAGS="$tor_saved_LDFLAGS"
+ LIBS="$tor_saved_LIBS"
])
if test x$VAR = xyes; then
LDFLAGS="$LDFLAGS $1"
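Review bot: The new `dnl 2:` and `dnl 3:` comments do not say that these arguments are used only while the link test runs; the visible code restores `LDFLAGS` and `LIBS` afterwards and appends only `$1`. Something like `dnl 2:extra ldflags, used for the link test only` and `dnl 3:extra libraries, used for the link test only` would make that clear. The cache variable is still `tor_cv_ldflags_$1`, so a result kept in a configure cache file would not reflect a later change in `$2` or `$3`, which could leave a hardening flag wrongly accepted or wrongly dropped; that deserves a comment as well. The macro's closing lines are outside this hunk.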
diff --git a/configure.in b/configure.in
index 3e645753ee..7167ca9366 100644
--- a/configure.in
+++ b/configure.in
@@ -171,21 +171,6 @@ AM_CONDITIONAL(NAT_PMP, test x$natpmp = xtrue)
AM_CONDITIONAL(MINIUPNPC, test x$upnp = xtrue)
AM_PROG_CC_C_O
-if test x$enable_gcc_hardening != xno; then
- CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
- TOR_CHECK_CFLAGS(-Qunused-arguments)
- TOR_CHECK_CFLAGS(-fstack-protector-all)
- TOR_CHECK_CFLAGS(-Wstack-protector)
- TOR_CHECK_CFLAGS(-fwrapv)
- TOR_CHECK_CFLAGS(-fPIE)
- TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
- TOR_CHECK_LDFLAGS(-pie)
-fi
-
-if test x$enable_linker_hardening != xno; then
- TOR_CHECK_LDFLAGS(-z relro -z now)
-fi
-
ifdef([AC_C_FLEXIBLE_ARRAY_MEMBER], [
AC_C_FLEXIBLE_ARRAY_MEMBER
], [
@@ -566,8 +551,29 @@ else
fi
AC_SUBST(TOR_ZLIB_LIBS)
-dnl Make sure to enable support for large off_t if available.
+dnl ---------------------------------------------------------------------
+dnl Now that we know about our major libraries, we can check for compiler
+dnl and linker hardening options. We need to do this with the libraries known,
+dnl since sometimes the linker will like an option but not be willing to
+dnl use it with a build of a library.
+all_ldflags_for_check="$TOR_LDFLAGS_zlib $TOR_LDFLAGS_openssl $TOR_LDFLAGS_libevent"
+all_libs_for_check="$TOR_ZLIB_LIBS $TOR_LIB_MATH $TOR_LIBEVENT_LIBS $TOR_OPENSSL_LIBS $TOR_LIB_WS32 $TOR_LIB_GDI"
+
+if test x$enable_gcc_hardening != xno; then
+ CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
+ TOR_CHECK_CFLAGS(-Qunused-arguments)
+ TOR_CHECK_CFLAGS(-fstack-protector-all)
+ TOR_CHECK_CFLAGS(-Wstack-protector)
+ TOR_CHECK_CFLAGS(-fwrapv)
+ TOR_CHECK_CFLAGS(-fPIE)
+ TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
+ TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check")
+fi
+
+if test x$enable_linker_hardening != xno; then
+ TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check")
+fi
dnl ------------------------------------------------------
dnl Where do you live, libnatpmp? And how do we call you?
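Review bot: The double quotes around `"$all_ldflags_for_check"` and `"$all_libs_for_check"` are passed through m4 literally and land inside the macro's own quoted assignment, giving `LDFLAGS="$LDFLAGS "$all_ldflags_for_check" -pie"`. That works only because the shell does not field-split the value of an assignment. Passing the arguments m4-quoted is easier to read and does not rely on that: `TOR_CHECK_LDFLAGS(-pie, [$all_ldflags_for_check], [$all_libs_for_check])`, and likewise for the `-z relro -z now` call.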
@@ -609,6 +615,7 @@ if test "$upnp" = "true"; then
[/usr/lib/])
fi
+dnl Make sure to enable support for large off_t if available.
AC_SYS_LARGEFILE
AC_CHECK_HEADERS(