commit a791f32a4dff71aaf03f086723572d7f98e2ac12 Author: Anthony G. Basile <blueness@gentoo.org> Date: Sun Jan 11 17:13:35 2015 +0000 configure.ac: avoid tests which have both -pie and -static Building and linking with both -pie and -static is not supported for some toolchain combinations (eg. glibc or binutil's gold). Yet this combination is hit if the check for gcc hardening is done before AC_PROG_LIBTOOL and AC_ENABLE_STATIC. We avoid the issue by moving the gcc hardening check to after AC_PROG_LIBTOOL and friends. See: https://sourceware.org/bugzilla/show_bug.cgi?id=17826 https://sourceware.org/bugzilla/show_bug.cgi?id=16428 https://bugs.gentoo.org/show_bug.cgi?id=533862 Signed-off-by: Anthony G. Basile <blueness@gentoo.org> Signed-off-by: David Goulet <dgoulet@ev0ke.net> --- configure.ac | 46 ++++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/configure.ac b/configure.ac index 3eb9060..f4aadfb 100644 --- a/configure.ac +++ b/configure.ac @@ -144,24 +144,6 @@ AC_SUBST(TESTLDFLAGS) # Version information for libtorsocks TORSOCKSLDFLAGS="$LDFLAGS -version-info 1:0:0" -# Check for the gcc hardening flags. -AX_CHECK_COMPILE_FLAG([-fPIE],[CFLAGS="$CFLAGS -fPIE"],[],[]) -AX_CHECK_COMPILE_FLAG([-fwrapv],[CFLAGS="$CFLAGS -fwrapv"],[],[]) -AX_CHECK_COMPILE_FLAG([--param ssp-buffer-size=1], - [CFLAGS="$CFLAGS --param ssp-buffer-size=1"],[],[]) -AX_CHECK_COMPILE_FLAG([-fstack-protector-all], - [CFLAGS="$CFLAGS -fstack-protector-all"],[],[] -) -AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], - [CFLAGS="$CFLAGS -fno-strict-overflow"],[],[] -) - -dnl Add hardening linker flags -AX_CHECK_LINK_FLAG([-pie],[LDFLAGS="$LDFLAGS -pie"],[],[]) -AX_CHECK_LINK_FLAG([-z relro],[LDFLAGS="$LDFLAGS -z relro"],[],[]) -AX_CHECK_LINK_FLAG([-z now],[LDFLAGS="$LDFLAGS -z now"],[],[]) -LDFLAGS="$LDFLAGS -D_FORTIFY_SOURCE=2" - dnl Linker checks for Mac OSX, which uses DYLD_INSERT_LIBRARIES dnl instead of LD_PRELOAD case "$host_os" in @@ -255,6 +237,34 @@ AC_ENABLE_STATIC DEFAULT_INCLUDES="-I\$(top_srcdir) -I\$(top_builddir) -I\$(top_builddir)/src -I\$(top_builddir)/include -include config.h" AC_SUBST(DEFAULT_INCLUDES) +############################################################################## +# 9. Test and add hardening flags +############################################################################## + +# Check for the gcc hardening flags. +AX_CHECK_COMPILE_FLAG([-fPIE],[CFLAGS="$CFLAGS -fPIE"],[],[]) +AX_CHECK_COMPILE_FLAG([-fwrapv],[CFLAGS="$CFLAGS -fwrapv"],[],[]) +AX_CHECK_COMPILE_FLAG([--param ssp-buffer-size=1], + [CFLAGS="$CFLAGS --param ssp-buffer-size=1"],[],[]) +AX_CHECK_COMPILE_FLAG([-fstack-protector-all], + [CFLAGS="$CFLAGS -fstack-protector-all"],[],[] +) +AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], + [CFLAGS="$CFLAGS -fno-strict-overflow"],[],[] +) + +dnl Add hardening linker flags +AX_CHECK_LINK_FLAG([-pie],[LDFLAGS="$LDFLAGS -pie"],[],[]) +AX_CHECK_LINK_FLAG([-z relro],[LDFLAGS="$LDFLAGS -z relro"],[],[]) +AX_CHECK_LINK_FLAG([-z now],[LDFLAGS="$LDFLAGS -z now"],[],[]) + +dnl Add glibc hardening +CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" + +############################################################################## +# 10. Finish up +############################################################################## + AC_CONFIG_FILES([ Makefile extras/Makefile