author | Nick Mathewson <nickm@torproject.org> | 2014-04-16 23:06:39 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2014-04-16 23:06:39 -0400 |
commit | 10174b00e7258cc8184e85c37a2a39b04a0df92e (patch) | |
tree | 752cf53b632edbdf9f12c4563a59168515218b8c | |
parent | 973661394abc393e3dfd5b82de86659ecadc72a4 (diff) | |
parent | 64f62881d8578ebf98d35d2731f7e6b51a565a09 (diff) | |
Merge remote-tracking branch 'public/bug11477'
-rw-r--r-- | changes/bug11477 | 4 | ||||
-rw-r--r-- | configure.ac | 19 |
2 files changed, 17 insertions, 6 deletions
diff --git a/changes/bug11477 b/changes/bug11477
new file mode 100644
index 0000000000..44bdba971f
--- /dev/null
+++ b/changes/bug11477
@@ -0,0 +1,4 @@
+ o Minor features:
+ - New --enable-expensive-hardening option to turn on security hardening
+ options that consume nontrivial amounts of CPU and memory. Right now,
+ this includes AddressSanitizer and UbSan. Closes ticket 11477.
diff --git a/configure.ac b/configure.ac
index 6e41041961..1f06755369 100644
--- a/configure.ac
+++ b/configure.ac
@@ -129,13 +129,13 @@ AC_ARG_ENABLE(gcc-warnings,
 AC_ARG_ENABLE(gcc-warnings-advisory,
 AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror]))
 
-dnl Adam shostack suggests the following for Windows:
-dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
 dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
-dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
 AC_ARG_ENABLE(gcc-hardening,
 AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks))
 
+AC_ARG_ENABLE(expensive-hardening,
+ AS_HELP_STRING(--enable-expensive-hardening, enable more expensive compiler hardening; makes Tor slower))
+
 dnl Linker hardening options
 dnl Currently these options are ELF specific - you can't use this with MacOSX
 AC_ARG_ENABLE(linker-hardening,
@@ -628,6 +628,12 @@ if test x$enable_gcc_hardening != xno; then
 fi
 fi
 
+if test x$enable_expensive_hardening = xyes ; then
+ TOR_CHECK_CFLAGS([-fsanitize=address])
+ TOR_CHECK_CFLAGS([-fsanitize=undefined])
+ TOR_CHECK_CFLAGS([-fno-omit-frame-pointer])
+fi
+
 if test x$enable_linker_hardening != xno; then
 TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check")
 fi
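Review bot: In the new `--enable-expensive-hardening` block, a compiler that rejects `-fsanitize=address` or `-fsanitize=undefined` yields a build without the sanitizers and without any diagnostic, even though the user asked for them explicitly. TOR_CHECK_CFLAGS appears to leave CFLAGS untouched when a flag is not accepted (the -fomit-frame-pointer probe later in this file detects support by comparing CFLAGS before and after the call), so the same comparison can be used here to stop configure, or at least warn, when a requested sanitizer is unavailable. The variable names in the sketch are illustrative; the if/fi being changed lies entirely inside the hunk.

```m4
if test x$enable_expensive_hardening = xyes ; then
  tor_pre_asan_CFLAGS="$CFLAGS"
  TOR_CHECK_CFLAGS([-fsanitize=address])
  if test "$tor_pre_asan_CFLAGS" = "$CFLAGS"; then
    AC_MSG_ERROR([--enable-expensive-hardening: compiler does not accept -fsanitize=address])
  fi
  tor_pre_ubsan_CFLAGS="$CFLAGS"
  TOR_CHECK_CFLAGS([-fsanitize=undefined])
  if test "$tor_pre_ubsan_CFLAGS" = "$CFLAGS"; then
    AC_MSG_ERROR([--enable-expensive-hardening: compiler does not accept -fsanitize=undefined])
  fi
  dnl … unchanged: -fno-omit-frame-pointer check and closing fi …
```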
@@ -640,10 +646,11 @@ dnl Now see if we have a -fomit-frame-pointer compiler option.
 
 saved_CFLAGS="$CFLAGS"
 TOR_CHECK_CFLAGS(-fomit-frame-pointer)
+F_OMIT_FRAME_POINTER=''
 if test "$saved_CFLAGS" != "$CFLAGS"; then
- F_OMIT_FRAME_POINTER='-fomit-frame-pointer'
-else
- F_OMIT_FRAME_POINTER=''
+ if test x$enable_expensive_hardening != xyes ; then
+ F_OMIT_FRAME_POINTER='-fomit-frame-pointer'
+ fi
 fi
 CFLAGS="$saved_CFLAGS"
 AC_SUBST(F_OMIT_FRAME_POINTER) |
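Review bot: The new inner `if test x$enable_expensive_hardening != xyes` carries no comment explaining why the sanitizer option suppresses `-fomit-frame-pointer`, and the reason cannot be read off this hunk alone. Presumably F_OMIT_FRAME_POINTER is appended to some targets' flags elsewhere and would override the `-fno-omit-frame-pointer` added in the earlier hunk, leaving sanitizer reports without usable stack traces. I would add above the inner test: `dnl Keep frame pointers under --enable-expensive-hardening so sanitizer reports have usable stack traces.` The condition also has to stay in step with the `= xyes` test in the earlier hunk, so a single shell variable set once and tested in both places would avoid drift.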