author | Nick Mathewson <nickm@torproject.org> | 2012-05-11 15:08:16 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2012-05-11 15:08:16 -0400 |
commit | e36cd016337f26188f572e0bd511a4f8b72c07dc (patch) | |
tree | 6abd9705c4b1922b3b62940ee73b3315239a8776 | |
parent | 62f3121a3d209fb4f826988d53b1aac93842502c (diff) | |
Try to manually test for whether the compiler hardening flags work
Also, make the check for whether they're on by default work; there's
no need to mess around with this "$enableval" silliness.
-rw-r--r-- | acinclude.m4 | 34 | ||||
-rw-r--r-- | configure.in | 31 |
2 files changed, 50 insertions, 15 deletions
diff --git a/acinclude.m4 b/acinclude.m4
index ccfecff28d..c482e37546 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -41,6 +41,40 @@ AC_DEFUN([TOR_DEFINE_CODEPATH],
 AC_SUBST(TOR_LDFLAGS_$2)
 ])

+dnl 1:flags
+AC_DEFUN([TOR_CHECK_CFLAGS], [
+ AS_VAR_PUSHDEF([VAR],[tor_cv_cflags_$1])
+ AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
+ tor_saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $1"
+ AC_TRY_COMPILE([], [return 0;],
+ [AS_VAR_SET(VAR,yes)],
+ [AS_VAR_SET(VAR,no)])
+ CFLAGS="$tor_saved_CFLAGS"
+ ])
+ if test x$VAR = xyes; then
+ CFLAGS="$CFLAGS $1"
+ fi
+ AS_VAR_POPDEF([VAR])
+])
+
+dnl 1:flags
+AC_DEFUN([TOR_CHECK_LDFLAGS], [
+ AS_VAR_PUSHDEF([VAR],[tor_cv_ldflags_$1])
+ AC_CACHE_CHECK([whether the linker accepts $1], VAR, [
+ tor_saved_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $1"
+ AC_TRY_LINK([], [return 0;],
+ [AS_VAR_SET(VAR,yes)],
+ [AS_VAR_SET(VAR,no)])
+ LDFLAGS="$tor_saved_LDFLAGS"
+ ])
+ if test x$VAR = xyes; then
+ LDFLAGS="$LDFLAGS $1"
+ fi
+ AS_VAR_POPDEF([VAR])
+])
+
 dnl 1:libname
 AC_DEFUN([TOR_WARN_MISSING_LIB], [
 h=""
diff --git a/configure.in b/configure.in
index 4a3ed0e6c3..d894c73df8 100644
--- a/configure.in
+++ b/configure.in
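Review bot: The probe in TOR_CHECK_CFLAGS only compiles an empty `return 0;` body, so it can answer yes for a hardening flag that does not actually take effect. A compiler that merely warns about an unrecognised option still exits successfully, and `-fstack-protector-all` can compile yet fail at link time on a platform without the stack-protector runtime. Making the probe strict and link-based would catch both cases, e.g. `CFLAGS="$CFLAGS -Werror $1"` inside the cache check and `AC_TRY_LINK` in place of `AC_TRY_COMPILE`. TOR_CHECK_LDFLAGS has the same weakness if the linker only warns about a `-z` keyword it ignores; that case would need a stricter test than exit status alone.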
@@ -122,25 +122,12 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
 dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
 dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
 AC_ARG_ENABLE(gcc-hardening,
- AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks),
- [],
- [enableval=yes;])
-[if test x$enableval = xyes; then
- CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
- CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
- CFLAGS="$CFLAGS --param ssp-buffer-size=1"
- LDFLAGS="$LDFLAGS -pie"
-fi]
+ AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks))

 dnl Linker hardening options
 dnl Currently these options are ELF specific - you can't use this with MacOSX
 AC_ARG_ENABLE(linker-hardening,
- AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups),
- [],
- [enableval=yes;])
-AC_CHECK_HEADER([elf.h], [if test x$enableval = xyes; then
- LDFLAGS="$LDFLAGS -z relro -z now"
-fi])
+ AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups))

 AC_ARG_ENABLE(local-appdata,
 AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
@@ -184,6 +171,20 @@ AM_CONDITIONAL(NAT_PMP, test x$natpmp = xtrue)
 AM_CONDITIONAL(MINIUPNPC, test x$upnp = xtrue)
 AM_PROG_CC_C_O

+if test x$enable_gcc_hardening != xno; then
+ CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
+ TOR_CHECK_CFLAGS(-fstack-protector-all)
+ TOR_CHECK_CFLAGS(-Wstack-protector)
+ TOR_CHECK_CFLAGS(-fwrapv)
+ TOR_CHECK_CFLAGS(-fPIE)
+ TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
+ TOR_CHECK_LDFLAGS(-pie)
+fi
+
+if test x$enable_linker_hardening != xno; then
+ TOR_CHECK_LDFLAGS(-z relro -z now)
+fi
+
 ifdef([AC_C_FLEXIBLE_ARRAY_MEMBER], [
 AC_C_FLEXIBLE_ARRAY_MEMBER
 ], [ |
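Review bot: In the added gcc-hardening block of the second hunk, `-fPIE` and `-pie` are probed and applied independently, so a toolchain that accepts only one of them ends up with CFLAGS and LDFLAGS that disagree. The two belong together, for instance by running `TOR_CHECK_LDFLAGS(-pie)` only when the `-fPIE` probe answered yes. `-D_FORTIFY_SOURCE=2` is appended without any probe, and the comment above the option already notes it depends on `-O2` being in CFLAGS, which nothing here verifies. Because hardening is on by default, a run in which the probes fail still finishes with nothing more than `checking ... no` lines. An `AC_MSG_WARN` listing the hardening flags that were dropped would make a silently unhardened build visible.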