author | Nick Mathewson <nickm@torproject.org> | 2012-06-11 11:00:48 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2012-06-11 11:21:04 -0400 |
commit | ebaaa4834f803015e68d348f330fcef88de34a92 (patch) | |
tree | 4460e3130ed9851d6d35919395b686d654e0fd17 | |
parent | e6dbe693b7fd90a495b98ec790205ff4ac56fea9 (diff) | |
download | tor-ebaaa4834f803015e68d348f330fcef88de34a92.tar.gz tor-ebaaa4834f803015e68d348f330fcef88de34a92.zip |
Make our compiler-hardening checks robust against MinGW
First, specify -Werror when we are testing each option; if it causes
a warning to appear, we shouldn't be adding it.
Second, do not attempt to add these options until after we have
found the libraries we want. Previously, I would hit a bug where
the linker hardening options worked fine when we weren't linking
anything, but failed completely once we added openssl or libevent.
-rw-r--r-- | acinclude.m4 | 12 | ||||
-rw-r--r-- | configure.in | 39 |
2 files changed, 33 insertions, 18 deletions
diff --git a/acinclude.m4 b/acinclude.m4 index c5037fa35d..5e09c960fe 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -46,7 +46,7 @@ AC_DEFUN([TOR_CHECK_CFLAGS], [ AS_VAR_PUSHDEF([VAR],[tor_cv_cflags_$1]) AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [ tor_saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS -pedantic $1" + CFLAGS="$CFLAGS -pedantic -Werror $1" AC_TRY_COMPILE([], [return 0;], [AS_VAR_SET(VAR,yes)], [AS_VAR_SET(VAR,no)]) @@ -59,15 +59,23 @@ AC_DEFUN([TOR_CHECK_CFLAGS], [ ]) dnl 1:flags +dnl 2:extra ldflags +dnl 3:extra libraries AC_DEFUN([TOR_CHECK_LDFLAGS], [ AS_VAR_PUSHDEF([VAR],[tor_cv_ldflags_$1]) AC_CACHE_CHECK([whether the linker accepts $1], VAR, [ + tor_saved_CFLAGS="$CFLAGS" tor_saved_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS -pedantic $1" + tor_saved_LIBS="$LIBS" + CFLAGS="$CFLAGS -pedantic -Werror" + LDFLAGS="$LDFLAGS $2 $1" + LIBS="$LIBS $3" AC_TRY_LINK([], [return 0;], [AS_VAR_SET(VAR,yes)], [AS_VAR_SET(VAR,no)]) + CFLAGS="$tor_saved_CFLAGS" LDFLAGS="$tor_saved_LDFLAGS" + LIBS="$tor_saved_LIBS" ]) if test x$VAR = xyes; then LDFLAGS="$LDFLAGS $1" diff --git a/configure.in b/configure.in index 3e645753ee..7167ca9366 100644 --- a/configure.in +++ b/configure.in @@ -171,21 +171,6 @@ AM_CONDITIONAL(NAT_PMP, test x$natpmp = xtrue) AM_CONDITIONAL(MINIUPNPC, test x$upnp = xtrue) AM_PROG_CC_C_O -if test x$enable_gcc_hardening != xno; then - CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2" - TOR_CHECK_CFLAGS(-Qunused-arguments) - TOR_CHECK_CFLAGS(-fstack-protector-all) - TOR_CHECK_CFLAGS(-Wstack-protector) - TOR_CHECK_CFLAGS(-fwrapv) - TOR_CHECK_CFLAGS(-fPIE) - TOR_CHECK_CFLAGS(--param ssp-buffer-size=1) - TOR_CHECK_LDFLAGS(-pie) -fi - -if test x$enable_linker_hardening != xno; then - TOR_CHECK_LDFLAGS(-z relro -z now) -fi - ifdef([AC_C_FLEXIBLE_ARRAY_MEMBER], [ AC_C_FLEXIBLE_ARRAY_MEMBER ], [ 
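Review bot: In TOR_CHECK_CFLAGS (acinclude.m4, hunk at -46,7) the probe line `CFLAGS="$CFLAGS -pedantic -Werror $1"` now makes any warning from the test program fatal, not only a warning caused by `$1`. If some toolchain warns on the bare `return 0;` test program under `-pedantic -Werror`, every option would be reported as unsupported and the hardening flags would be dropped without any message; I cannot tell from the hunk whether that happens on a supported compiler, so it is worth confirming. I would run one baseline probe with the same CFLAGS and no extra flag before the per-flag checks, and emit an `AC_MSG_WARN` if that baseline fails. A short comment above the assignment would also help, for example `dnl -Werror: a flag that only draws a warning must count as rejected`. The macro starts above this hunk and ends below it.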
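Review bot: In TOR_CHECK_LDFLAGS (acinclude.m4, hunk at -59,15) `-Werror` is added to CFLAGS only, which presumably makes compiler-driver diagnostics fatal but not warnings printed by the linker itself. A linker that warns about `-z relro -z now` and then ignores it would still let `AC_TRY_LINK` succeed, so the flag would be recorded as accepted although the binary is not hardened. Where the linker supports it, the probe could make linker warnings fatal too, for example `LDFLAGS="$LDFLAGS $2 -Wl,--fatal-warnings $1"` on GNU ld, restored afterwards like the other saved variables. Separately, the cache variable `tor_cv_ldflags_$1` is keyed on the flag alone, so a cached answer does not reflect different `$2`/`$3` values. The macro body continues past the end of this hunk.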
@@ -566,8 +551,29 @@ else fi AC_SUBST(TOR_ZLIB_LIBS) -dnl Make sure to enable support for large off_t if available. +dnl --------------------------------------------------------------------- +dnl Now that we know about our major libraries, we can check for compiler +dnl and linker hardening options. We need to do this with the libraries known, +dnl since sometimes the linker will like an option but not be willing to +dnl use it with a build of a library. +all_ldflags_for_check="$TOR_LDFLAGS_zlib $TOR_LDFLAGS_openssl $TOR_LDFLAGS_libevent" +all_libs_for_check="$TOR_ZLIB_LIBS $TOR_LIB_MATH $TOR_LIBEVENT_LIBS $TOR_OPENSSL_LIBS $TOR_LIB_WS32 $TOR_LIB_GDI" + +if test x$enable_gcc_hardening != xno; then + CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2" + TOR_CHECK_CFLAGS(-Qunused-arguments) + TOR_CHECK_CFLAGS(-fstack-protector-all) + TOR_CHECK_CFLAGS(-Wstack-protector) + TOR_CHECK_CFLAGS(-fwrapv) + TOR_CHECK_CFLAGS(-fPIE) + TOR_CHECK_CFLAGS(--param ssp-buffer-size=1) + TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check") +fi + +if test x$enable_linker_hardening != xno; then + TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check") +fi dnl ------------------------------------------------------ dnl Where do you live, libnatpmp? And how do we call you? @@ -609,6 +615,7 @@ if test "$upnp" = "true"; then [/usr/lib/]) fi +dnl Make sure to enable support for large off_t if available. AC_SYS_LARGEFILE AC_CHECK_HEADERS( |
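Review bot: The new calls such as `TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check")` pass literal shell double quotes as macro arguments, and the macro pastes `$2` and `$3` inside already-quoted assignments like `LDFLAGS="$LDFLAGS $2 $1"`, so the quotes close and reopen mid-string. That works only because shell assignments are not word-split; m4 quoting is the clearer form, `TOR_CHECK_LDFLAGS(-pie, [$all_ldflags_for_check], [$all_libs_for_check])`. Also, if `-fPIE` is accepted and `-pie` is then rejected with the libraries present, configure appears to continue silently with a non-PIE executable, even though this block runs unless hardening is explicitly set to `no`; an `AC_MSG_WARN` for each rejected hardening flag would make the downgrade visible in the configure output. Finally, `$TOR_LIB_MATH`, `$TOR_LIB_WS32` and `$TOR_LIB_GDI` must already be set at this point in configure.in, which the hunk does not show.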