diff options
author | Brent Cook <busterb@gmail.com> | 2015-01-05 20:14:54 -0600 |
---|---|---|
committer | Brent Cook <bcook@openbsd.org> | 2015-01-05 20:23:48 -0600 |
commit | 303b972d554493e0be1c63061500f730ca88e4a8 (patch) | |
tree | e4a1b8497034bfd1daad4efa5df2a4c79f6abe16 /configure.ac | |
parent | 5be407a42427a298cc00241f5d6bf67c9c7fa041 (diff) | |
download | portable-303b972d554493e0be1c63061500f730ca88e4a8.tar.gz portable-303b972d554493e0be1c63061500f730ca88e4a8.tar.bz2 portable-303b972d554493e0be1c63061500f730ca88e4a8.zip |
simplify hardening check logic, disable for mingw
Rather than doing separate linker/compiler checks, just build a
non-empty program with each so that the compiler will actually try to
use the hardening features. Reduce redundancy in the macro calls by just
setting the flag that was just tested.
Also, disable hardening for mingw, since its trying to use a
libssp-0.dll file that I can't find right now. The detected hardening
flags break mingw builds currently.
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 71 |
1 files changed, 33 insertions, 38 deletions
diff --git a/configure.ac b/configure.ac index 18321bc..a9f8b6e 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -80,58 +80,53 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [[ | |||
80 | AC_MSG_RESULT([$CLANG]) | 80 | AC_MSG_RESULT([$CLANG]) |
81 | AS_IF([test "x$CLANG" == "xyes"], [CLANG_FLAGS=-Qunused-arguments]) | 81 | AS_IF([test "x$CLANG" == "xyes"], [CLANG_FLAGS=-Qunused-arguments]) |
82 | 82 | ||
83 | # We want to check for compiler flag support. Prior to clang v5.1, there was no way to make | 83 | # We want to check for compiler flag support. Prior to clang v5.1, there was no |
84 | # clang's "argument unused" warning fatal. So we invoke the compiler through a | 84 | # way to make clang's "argument unused" warning fatal. So we invoke the |
85 | # wrapper script that greps for this message. | 85 | # compiler through a wrapper script that greps for this message. |
86 | saved_CC="$CC" | 86 | saved_CC="$CC" |
87 | saved_LD="$LD" | 87 | saved_LD="$LD" |
88 | flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check" | 88 | flag_wrap="$srcdir/scripts/wrap-compiler-for-flag-check" |
89 | CC="$flag_wrap $CC" | 89 | CC="$flag_wrap $CC" |
90 | LD="$flag_wrap $LD" | 90 | LD="$flag_wrap $LD" |
91 | 91 | ||
92 | AC_DEFUN([check_cflag], | ||
93 | [AX_CHECK_COMPILE_FLAG([$1], [$2], [$3], [-Werror $4])]) | ||
94 | AC_DEFUN([check_ldflag], | ||
95 | [AX_CHECK_LINK_FLAG([$1], [$2], [$3], [-Werror $4])]) | ||
96 | |||
97 | |||
98 | AC_ARG_ENABLE([hardening], | 92 | AC_ARG_ENABLE([hardening], |
99 | [AS_HELP_STRING([--disable-hardening], [Disable options to frustrate memory corruption exploits])], | 93 | [AS_HELP_STRING([--disable-hardening], |
100 | [], | 94 | [Disable options to frustrate memory corruption exploits])], |
101 | [enable_hardening=yes]) | 95 | [], [enable_hardening=yes]) |
102 | 96 | ||
103 | HARDEN_CFLAGS="" | 97 | AC_DEFUN([CHECK_CFLAG], |
104 | HARDEN_LDFLAGS="" | 98 | [AC_LANG_ASSERT(C) |
105 | AS_IF([test "x$enable_hardening" == "xyes"], [ | 99 | AC_MSG_CHECKING([if $saved_CC supports "$1"]) |
100 | old_cflags="$CFLAGS" | ||
101 | CFLAGS=[$1] | ||
102 | AC_TRY_LINK([#include <stdio.h>], | ||
103 | [printf("Hello")], | ||
104 | AC_MSG_RESULT([yes]) | ||
105 | HARDEN_CFLAGS="$HARDEN_CFLAGS [$1]", | ||
106 | AC_MSG_RESULT([no]) | ||
107 | $2 | ||
108 | ) | ||
109 | ]) | ||
110 | |||
111 | AS_IF([test "x$enable_hardening" == "xyes" -a "x$HOST_OS" != "xwin"], [ | ||
106 | # Tell GCC to NOT optimize based on signed arithmetic overflow | 112 | # Tell GCC to NOT optimize based on signed arithmetic overflow |
107 | check_cflag([-fno-strict-overflow], [HARDEN_CFLAGS="$HARDEN_CFLAGS -fno-strict-overflow"]) | 113 | CHECK_CFLAG([-fno-strict-overflow]) |
108 | 114 | ||
109 | # _FORTIFY_SOURCE replaces builtin functions with safer versions. | 115 | # _FORTIFY_SOURCE replaces builtin functions with safer versions. |
110 | check_cflag([-D_FORTIFY_SOURCE=2], | 116 | CHECK_CFLAG([-D_FORTIFY_SOURCE=2]) |
111 | [HARDEN_CFLAGS="$HARDEN_CFLAGS -D_FORTIFY_SOURCE=2"]) | 117 | |
112 | 118 | # Use stack-protector-strong if available; if not, fallback to | |
113 | # Use stack-protector-strong if available; if not, fallback to stack-protector-all which | 119 | # stack-protector-all which is considered to be overkill |
114 | # is considered to be overkill | 120 | CHECK_CFLAG([-fstack-protector-strong], |
115 | check_cflag([-fstack-protector-strong], | 121 | CHECK_CFLAG([-fstack-protector-all], |
116 | [STACK_PROTECT="-fstack-protector-strong"], | 122 | AC_MSG_ERROR([compiler does appear to support stack protection |
117 | check_cflag([-fstack-protector-all], | 123 | - use --disable-hardening to override]) |
118 | [STACK_PROTECT="-fstack-protector-all"], | ||
119 | [AC_MSG_ERROR([compiler does not support stack protection - use --disable-hardening to override if you understand the risks])] | ||
120 | ) | 124 | ) |
121 | ) | 125 | ) |
122 | 126 | ||
123 | check_ldflag([$STACK_PROTECT], | ||
124 | [HARDEN_CFLAGS="$HARDEN_CFLAGS $STACK_PROTECT" | ||
125 | check_cflag([-Wstack-protector], [HARDEN_CFLAGS="$HARDEN_CFLAGS -Wstack-protector"], | ||
126 | [], [$STACK_PROTECT]) | ||
127 | ], | ||
128 | [AC_MSG_ERROR([compiler supports stack protection but linker does not])] | ||
129 | ) | ||
130 | |||
131 | # Enable read only relocations | 127 | # Enable read only relocations |
132 | check_ldflag([-Wl,-z,relro], | 128 | CHECK_CFLAG([-Wl,-z,relro]) |
133 | [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,relro" | 129 | CHECK_CFLAG([-Wl,-z,now]) |
134 | check_ldflag([-Wl,-z,now], [HARDEN_LDFLAGS="$HARDEN_LDFLAGS -Wl,-z,now"])]) | ||
135 | ]) | 130 | ]) |
136 | 131 | ||
137 | # Restore CC, LD | 132 | # Restore CC, LD |