simplify hardening check logic, disable for mingw

Rather than doing separate linker/compiler checks, just build a non-empty program with each so that the compiler will actually try to use the hardening features. Reduce redundancy in the macro calls by just setting the flag that was just tested. Also, disable hardening for mingw, since its trying to use a libssp-0.dll file that I can't find right now. The detected hardening flags break mingw builds currently.
author: Brent Cook <busterb@gmail.com> 2015-01-05 20:14:54 -0600
committer: Brent Cook <bcook@openbsd.org> 2015-01-05 20:23:48 -0600
commit: 303b972d554493e0be1c63061500f730ca88e4a8 (patch)
tree: e4a1b8497034bfd1daad4efa5df2a4c79f6abe16 /configure.ac
parent: 5be407a42427a298cc00241f5d6bf67c9c7fa041 (diff)
download: portable-303b972d554493e0be1c63061500f730ca88e4a8.tar.gz
portable-303b972d554493e0be1c63061500f730ca88e4a8.tar.bz2
portable-303b972d554493e0be1c63061500f730ca88e4a8.zip
1 files changed, 33 insertions, 38 deletions
diff --git a/configure.ac b/configure.ac
index 18321bc..a9f8b6e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -80,58 +80,53 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
 AC_MSG_RESULT([$CLANG])
 AS_IF([test "x$CLANG" == "xyes"], [CLANG_FLAGS=-Qunused-arguments])
-# We want to check for compiler flag support. Prior to clang v5.1, there was no way to make
+# We want to check for compiler flag support. Prior to clang v5.1, there was no
-# clang's "argument unused" warning fatal.  So we invoke the compiler through a
+# way to make clang's "argument unused" warning fatal.  So we invoke the
-# wrapper script that greps for this message.
+# compiler through a wrapper script that greps for this message.
 saved_CC="$CC"
 saved_LD="$LD"
 flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
 CC="$flag_wrap $CC"
 LD="$flag_wrap $LD"
-AC_DEFUN([check_cflag],
-        [AX_CHECK_COMPILE_FLAG([$1], [$2], [$3], [-Werror $4])])
-AC_DEFUN([check_ldflag],
-        [AX_CHECK_LINK_FLAG([$1], [$2], [$3], [-Werror $4])])
 AC_ARG_ENABLE([hardening],
-        [AS_HELP_STRING([--disable-hardening], [Disable options to frustrate memory corruption exploits])],
+        [AS_HELP_STRING([--disable-hardening],
-        [],
+                        [Disable options to frustrate memory corruption exploits])],
-        [enable_hardening=yes])
+        [], [enable_hardening=yes])
-HARDEN_CFLAGS=""
+AC_DEFUN([CHECK_CFLAG],
-HARDEN_LDFLAGS=""
+         [AC_LANG_ASSERT(C)
-AS_IF([test "x$enable_hardening" == "xyes"], [
+          AC_MSG_CHECKING([if $saved_CC supports "$1"])
+          old_cflags="$CFLAGS"
+          CFLAGS=[$1]
+          AC_TRY_LINK([#include <stdio.h>],
+                      [printf("Hello")],
+                      AC_MSG_RESULT([yes])
+                      HARDEN_CFLAGS="$HARDEN_CFLAGS [$1]",
+                      AC_MSG_RESULT([no])
+                      $2
+                      )
+          ])
+AS_IF([test "x$enable_hardening" == "xyes" -a "x$HOST_OS" != "xwin"], [
        # Tell GCC to NOT optimize based on signed arithmetic overflow
-        check_cflag([-fno-strict-overflow], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fno-strict-overflow"])
+        CHECK_CFLAG([-fno-strict-overflow])
        # _FORTIFY_SOURCE replaces builtin functions with safer versions.
-        check_cflag([-D_FORTIFY_SOURCE=2], 
+        CHECK_CFLAG([-D_FORTIFY_SOURCE=2])
-                [HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"])
+        # Use stack-protector-strong if available; if not, fallback to
-        # Use stack-protector-strong if available; if not, fallback to stack-protector-all which
+        # stack-protector-all which is considered to be overkill
-        # is considered to be overkill
+        CHECK_CFLAG([-fstack-protector-strong],
-        check_cflag([-fstack-protector-strong], 
+                CHECK_CFLAG([-fstack-protector-all],
-                [STACK_PROTECT="-fstack-protector-strong"],
+                        AC_MSG_ERROR([compiler does appear to support stack protection
-                check_cflag([-fstack-protector-all],
+                          - use --disable-hardening to override])
-                        [STACK_PROTECT="-fstack-protector-all"],
-                        [AC_MSG_ERROR([compiler does not support stack protection - use --disable-hardening to override if you understand the risks])]
                )
        )
-        check_ldflag([$STACK_PROTECT],
-                [HARDEN_CFLAGS="$HARDEN_CFLAGS $STACK_PROTECT"
-                 check_cflag([-Wstack-protector], [HARDEN_CFLAGS="$HARDEN_CFLAGS -Wstack-protector"],
-                        [], [$STACK_PROTECT])
-                ],
-                [AC_MSG_ERROR([compiler supports stack protection but linker does not])]
-        )
        # Enable read only relocations
-        check_ldflag([-Wl,-z,relro],
+        CHECK_CFLAG([-Wl,-z,relro])
-                [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro"
+        CHECK_CFLAG([-Wl,-z,now])
-        check_ldflag([-Wl,-z,now], [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])])
 ])
 # Restore CC, LD
author	Brent Cook <busterb@gmail.com>	2015-01-05 20:14:54 -0600
committer	Brent Cook <bcook@openbsd.org>	2015-01-05 20:23:48 -0600
commit	303b972d554493e0be1c63061500f730ca88e4a8 (patch)
tree	e4a1b8497034bfd1daad4efa5df2a4c79f6abe16 /configure.ac
parent	5be407a42427a298cc00241f5d6bf67c9c7fa041 (diff)
download	portable-303b972d554493e0be1c63061500f730ca88e4a8.tar.gz portable-303b972d554493e0be1c63061500f730ca88e4a8.tar.bz2 portable-303b972d554493e0be1c63061500f730ca88e4a8.zip

diff --git a/configure.ac b/configure.ac index 18321bc..a9f8b6e 100644 --- a/configure.ac +++ b/configure.ac
@@ -80,58 +80,53 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[
80	AC_MSG_RESULT([$CLANG])	80	AC_MSG_RESULT([$CLANG])
81	AS_IF([test "x$CLANG" == "xyes"], [CLANG_FLAGS=-Qunused-arguments])	81	AS_IF([test "x$CLANG" == "xyes"], [CLANG_FLAGS=-Qunused-arguments])
82		82
83	# We want to check for compiler flag support. Prior to clang v5.1, there was no way to make	83	# We want to check for compiler flag support. Prior to clang v5.1, there was no
84	# clang's "argument unused" warning fatal. So we invoke the compiler through a	84	# way to make clang's "argument unused" warning fatal. So we invoke the
85	# wrapper script that greps for this message.	85	# compiler through a wrapper script that greps for this message.
86	saved_CC="$CC"	86	saved_CC="$CC"
87	saved_LD="$LD"	87	saved_LD="$LD"
88	flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"	88	flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check"
89	CC="$flag_wrap $CC"	89	CC="$flag_wrap $CC"
90	LD="$flag_wrap $LD"	90	LD="$flag_wrap $LD"
91		91
92	AC_DEFUN([check_cflag],
93	[AX_CHECK_COMPILE_FLAG([$1], [$2], [$3], [-Werror $4])])
94	AC_DEFUN([check_ldflag],
95	[AX_CHECK_LINK_FLAG([$1], [$2], [$3], [-Werror $4])])
96
97
98	AC_ARG_ENABLE([hardening],	92	AC_ARG_ENABLE([hardening],
99	[AS_HELP_STRING([--disable-hardening], [Disable options to frustrate memory corruption exploits])],	93	[AS_HELP_STRING([--disable-hardening],
100	[],	94	[Disable options to frustrate memory corruption exploits])],
101	[enable_hardening=yes])	95	[], [enable_hardening=yes])
102		96
103	HARDEN_CFLAGS=""	97	AC_DEFUN([CHECK_CFLAG],
104	HARDEN_LDFLAGS=""	98	[AC_LANG_ASSERT(C)
105	AS_IF([test "x$enable_hardening" == "xyes"], [	99	AC_MSG_CHECKING([if $saved_CC supports "$1"])
		100	old_cflags="$CFLAGS"
		101	CFLAGS=[$1]
		102	AC_TRY_LINK([#include <stdio.h>],
		103	[printf("Hello")],
		104	AC_MSG_RESULT([yes])
		105	HARDEN_CFLAGS="$HARDEN_CFLAGS [$1]",
		106	AC_MSG_RESULT([no])
		107	$2
		108	)
		109	])
		110
		111	AS_IF([test "x$enable_hardening" == "xyes" -a "x$HOST_OS" != "xwin"], [
106	# Tell GCC to NOT optimize based on signed arithmetic overflow	112	# Tell GCC to NOT optimize based on signed arithmetic overflow
107	check_cflag([-fno-strict-overflow], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fno-strict-overflow"])	113	CHECK_CFLAG([-fno-strict-overflow])
108		114
109	# _FORTIFY_SOURCE replaces builtin functions with safer versions.	115	# _FORTIFY_SOURCE replaces builtin functions with safer versions.
110	check_cflag([-D_FORTIFY_SOURCE=2],	116	CHECK_CFLAG([-D_FORTIFY_SOURCE=2])
111	[HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"])	117
112		118	# Use stack-protector-strong if available; if not, fallback to
113	# Use stack-protector-strong if available; if not, fallback to stack-protector-all which	119	# stack-protector-all which is considered to be overkill
114	# is considered to be overkill	120	CHECK_CFLAG([-fstack-protector-strong],
115	check_cflag([-fstack-protector-strong],	121	CHECK_CFLAG([-fstack-protector-all],
116	[STACK_PROTECT="-fstack-protector-strong"],	122	AC_MSG_ERROR([compiler does appear to support stack protection
117	check_cflag([-fstack-protector-all],	123	- use --disable-hardening to override])
118	[STACK_PROTECT="-fstack-protector-all"],
119	[AC_MSG_ERROR([compiler does not support stack protection - use --disable-hardening to override if you understand the risks])]
120	)	124	)
121	)	125	)
122		126
123	check_ldflag([$STACK_PROTECT],
124	[HARDEN_CFLAGS="$HARDEN_CFLAGS $STACK_PROTECT"
125	check_cflag([-Wstack-protector], [HARDEN_CFLAGS="$HARDEN_CFLAGS -Wstack-protector"],
126	[], [$STACK_PROTECT])
127	],
128	[AC_MSG_ERROR([compiler supports stack protection but linker does not])]
129	)
130
131	# Enable read only relocations	127	# Enable read only relocations
132	check_ldflag([-Wl,-z,relro],	128	CHECK_CFLAG([-Wl,-z,relro])
133	[HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro"	129	CHECK_CFLAG([-Wl,-z,now])
134	check_ldflag([-Wl,-z,now], [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])])
135	])	130	])
136		131
137	# Restore CC, LD	132	# Restore CC, LD