[tor-commits] [tor/master] Try to manually test for whether the compiler hardening flags work

nickm at torproject.org nickm at torproject.org
Wed Jun 13 15:37:11 UTC 2012


commit e36cd016337f26188f572e0bd511a4f8b72c07dc
Author: Nick Mathewson <nickm at torproject.org>
Date:   Fri May 11 15:08:16 2012 -0400

    Try to manually test for whether the compiler hardening flags work
    
    Also, make the check for whether they're on by default work; there's
    no need to mess around with this "$enableval" silliness.
---
 acinclude.m4 |   34 ++++++++++++++++++++++++++++++++++
 configure.in |   31 ++++++++++++++++---------------
 2 files changed, 50 insertions(+), 15 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4
index ccfecff..c482e37 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -41,6 +41,40 @@ AC_DEFUN([TOR_DEFINE_CODEPATH],
   AC_SUBST(TOR_LDFLAGS_$2)
 ])
 
+dnl 1:flags
+AC_DEFUN([TOR_CHECK_CFLAGS], [
+  AS_VAR_PUSHDEF([VAR],[tor_cv_cflags_$1])
+  AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
+    tor_saved_CFLAGS="$CFLAGS"
+    CFLAGS="$CFLAGS $1"
+    AC_TRY_COMPILE([], [return 0;],
+                   [AS_VAR_SET(VAR,yes)],
+                   [AS_VAR_SET(VAR,no)])
+    CFLAGS="$tor_saved_CFLAGS"
+  ])
+  if test x$VAR = xyes; then
+    CFLAGS="$CFLAGS $1"
+  fi
+  AS_VAR_POPDEF([VAR])
+])
+
+dnl 1:flags
+AC_DEFUN([TOR_CHECK_LDFLAGS], [
+  AS_VAR_PUSHDEF([VAR],[tor_cv_ldflags_$1])
+  AC_CACHE_CHECK([whether the linker accepts $1], VAR, [
+    tor_saved_LDFLAGS="$LDFLAGS"
+    LDFLAGS="$LDFLAGS $1"
+    AC_TRY_LINK([], [return 0;],
+                   [AS_VAR_SET(VAR,yes)],
+                   [AS_VAR_SET(VAR,no)])
+    LDFLAGS="$tor_saved_LDFLAGS"
+  ])
+  if test x$VAR = xyes; then
+    LDFLAGS="$LDFLAGS $1"
+  fi
+  AS_VAR_POPDEF([VAR])
+])
+
 dnl 1:libname
 AC_DEFUN([TOR_WARN_MISSING_LIB], [
 h=""
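Review bot: The probe in TOR_CHECK_CFLAGS only compiles `return 0;`, so it can report `yes` for a flag the build cannot actually use. A compiler that merely warns about an unrecognised option still passes, and `-fstack-protector-all` can compile cleanly yet fail at link time on platforms that lack the stack-protector runtime. Switching the probe to `AC_TRY_LINK([], [return 0;], ...)` would catch the second case, and adding `-Werror` to the temporary `CFLAGS="$CFLAGS $1"` inside the cache check (not to the final CFLAGS) would catch the first. A `dnl` line stating that both macros append $1 to CFLAGS or LDFLAGS on success would also help, since `dnl 1:flags` does not mention that side effect.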
diff --git a/configure.in b/configure.in
index 4a3ed0e..d894c73 100644
--- a/configure.in
+++ b/configure.in
@@ -122,25 +122,12 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
 dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
 dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
 AC_ARG_ENABLE(gcc-hardening,
-    AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks),
-    [],
-    [enableval=yes;])
-[if test x$enableval = xyes; then
-    CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
-    CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
-    CFLAGS="$CFLAGS --param ssp-buffer-size=1"
-    LDFLAGS="$LDFLAGS -pie"
-fi]
+    AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks))
 
 dnl Linker hardening options
 dnl Currently these options are ELF specific - you can't use this with MacOSX
 AC_ARG_ENABLE(linker-hardening,
-    AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups),
-    [],
-    [enableval=yes;])
-AC_CHECK_HEADER([elf.h], [if test x$enableval = xyes; then
-    LDFLAGS="$LDFLAGS -z relro -z now"
-fi])
+    AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups))
 
 AC_ARG_ENABLE(local-appdata,
    AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
@@ -184,6 +171,20 @@ AM_CONDITIONAL(NAT_PMP, test x$natpmp = xtrue)
 AM_CONDITIONAL(MINIUPNPC, test x$upnp = xtrue)
 AM_PROG_CC_C_O
 
+if test x$enable_gcc_hardening != xno; then
+    CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
+    TOR_CHECK_CFLAGS(-fstack-protector-all)
+    TOR_CHECK_CFLAGS(-Wstack-protector)
+    TOR_CHECK_CFLAGS(-fwrapv)
+    TOR_CHECK_CFLAGS(-fPIE)
+    TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
+    TOR_CHECK_LDFLAGS(-pie)
+fi
+
+if test x$enable_linker_hardening != xno; then
+    TOR_CHECK_LDFLAGS(-z relro -z now)
+fi
+
 ifdef([AC_C_FLEXIBLE_ARRAY_MEMBER], [
 AC_C_FLEXIBLE_ARRAY_MEMBER
 ], [
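Review bot: With hardening on by default, a flag that fails its probe is dropped with nothing more than a `no` in the configure output, so a build can lose stack protection, PIE or RELRO unnoticed. Consider an `AC_MSG_WARN` in the failure path of TOR_CHECK_CFLAGS and TOR_CHECK_LDFLAGS, or a line in the configure summary listing which hardening flags were accepted. `-fPIE` and `-pie` are also probed independently, and accepting only one of them probably does not yield a position-independent executable, so they are worth accepting or rejecting as a pair. `-D_FORTIFY_SOURCE=2` is still added without any probe, and the comment above the option says it needs gcc and `-O2` to have effect; as a preprocessor define it would sit more naturally in CPPFLAGS.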




