Try to manually test for whether the compiler hardening flags work
Also, make the check for whether they're on by default work; there's no need to mess around with this "$enableval" silliness.
parent
62f3121a3d
commit
e36cd01633
2 changed files with 50 additions and 15 deletions
34
acinclude.m4
34
acinclude.m4
|
@ -41,6 +41,40 @@ AC_DEFUN([TOR_DEFINE_CODEPATH],
|
|||
AC_SUBST(TOR_LDFLAGS_$2)
|
||||
])
|
||||
|
||||
dnl 1:flags
|
||||
AC_DEFUN([TOR_CHECK_CFLAGS], [
|
||||
AS_VAR_PUSHDEF([VAR],[tor_cv_cflags_$1])
|
||||
AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
|
||||
tor_saved_CFLAGS="$CFLAGS"
|
||||
CFLAGS="$CFLAGS $1"
|
||||
AC_TRY_COMPILE([], [return 0;],
|
||||
[AS_VAR_SET(VAR,yes)],
|
||||
[AS_VAR_SET(VAR,no)])
|
||||
CFLAGS="$tor_saved_CFLAGS"
|
||||
])
|
||||
if test x$VAR = xyes; then
|
||||
CFLAGS="$CFLAGS $1"
|
||||
fi
|
||||
AS_VAR_POPDEF([VAR])
|
||||
])
|
||||
|
||||
dnl 1:flags
|
||||
AC_DEFUN([TOR_CHECK_LDFLAGS], [
|
||||
AS_VAR_PUSHDEF([VAR],[tor_cv_ldflags_$1])
|
||||
AC_CACHE_CHECK([whether the linker accepts $1], VAR, [
|
||||
tor_saved_LDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS $1"
|
||||
AC_TRY_LINK([], [return 0;],
|
||||
[AS_VAR_SET(VAR,yes)],
|
||||
[AS_VAR_SET(VAR,no)])
|
||||
LDFLAGS="$tor_saved_LDFLAGS"
|
||||
])
|
||||
if test x$VAR = xyes; then
|
||||
LDFLAGS="$LDFLAGS $1"
|
||||
fi
|
||||
AS_VAR_POPDEF([VAR])
|
||||
])
|
||||
|
||||
dnl 1:libname
|
||||
AC_DEFUN([TOR_WARN_MISSING_LIB], [
|
||||
h=""
|
||||
|
|
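Review bot: TOR_CHECK_CFLAGS probes each flag with AC_TRY_COMPILE only, so a flag that compiles but needs support at link time is still appended to CFLAGS. `-fstack-protector-all` is the likely case: on toolchains where the stack-protector symbols live in a separate library, the failure would surface only when tor itself is linked. Using a link probe in the CFLAGS macro as well, `AC_TRY_LINK([], [return 0;], [AS_VAR_SET(VAR,yes)], [AS_VAR_SET(VAR,no)])`, would catch that. A rejected hardening flag is also dropped with nothing more than the `checking whether … no` line, so an `AC_MSG_WARN` in the `no` case would keep an unhardened build from going unnoticed. Both macros should carry a `dnl` comment saying that they modify CFLAGS/LDFLAGS as a side effect and that the result is cached per flag string.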
31
configure.in
31
configure.in
|
@ -122,25 +122,12 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
|
|||
dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
|
||||
dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
|
||||
AC_ARG_ENABLE(gcc-hardening,
|
||||
AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks),
|
||||
[],
|
||||
[enableval=yes;])
|
||||
[if test x$enableval = xyes; then
|
||||
CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
|
||||
CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
|
||||
CFLAGS="$CFLAGS --param ssp-buffer-size=1"
|
||||
LDFLAGS="$LDFLAGS -pie"
|
||||
fi]
|
||||
AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks))
|
||||
|
||||
dnl Linker hardening options
|
||||
dnl Currently these options are ELF specific - you can't use this with MacOSX
|
||||
AC_ARG_ENABLE(linker-hardening,
|
||||
AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups),
|
||||
[],
|
||||
[enableval=yes;])
|
||||
AC_CHECK_HEADER([elf.h], [if test x$enableval = xyes; then
|
||||
LDFLAGS="$LDFLAGS -z relro -z now"
|
||||
fi])
|
||||
AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups))
|
||||
|
||||
AC_ARG_ENABLE(local-appdata,
|
||||
AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
|
||||
|
@ -184,6 +171,20 @@ AM_CONDITIONAL(NAT_PMP, test x$natpmp = xtrue)
|
|||
AM_CONDITIONAL(MINIUPNPC, test x$upnp = xtrue)
|
||||
AM_PROG_CC_C_O
|
||||
|
||||
if test x$enable_gcc_hardening != xno; then
|
||||
CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
|
||||
TOR_CHECK_CFLAGS(-fstack-protector-all)
|
||||
TOR_CHECK_CFLAGS(-Wstack-protector)
|
||||
TOR_CHECK_CFLAGS(-fwrapv)
|
||||
TOR_CHECK_CFLAGS(-fPIE)
|
||||
TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
|
||||
TOR_CHECK_LDFLAGS(-pie)
|
||||
fi
|
||||
|
||||
if test x$enable_linker_hardening != xno; then
|
||||
TOR_CHECK_LDFLAGS(-z relro -z now)
|
||||
fi
|
||||
|
||||
ifdef([AC_C_FLEXIBLE_ARRAY_MEMBER], [
|
||||
AC_C_FLEXIBLE_ARRAY_MEMBER
|
||||
], [
|
||||
|
|
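Review bot: `TOR_CHECK_CFLAGS(-fPIE)` and `TOR_CHECK_LDFLAGS(-pie)` in the gcc-hardening block are probed and applied independently, so the build can end up with only one of the pair. `-pie` with objects not built as `-fPIE` can fail at link time or need text relocations, and `-fPIE` without `-pie` does not give a position-independent executable. The two should be added together or not at all, which needs the macros to report their result rather than append directly. Separately, `CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"` is added without any probe, although the comment above the option says it depends on gcc and `-O2`. A `dnl` note beside it should say that the define has no effect when the user's CFLAGS lack optimisation.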