aboutsummaryrefslogtreecommitdiff
path: root/configure.ac (follow)
Commit message (Collapse)AuthorAgeFilesLines
* enable libtls by defaultBrent Cook2015-03-191-5/+1
| | | | | | | | The API/ABI for the LibreSSL 2.1.x series is now fixed, so we can safely enable libtls it by default. This is useful for new OpenNTPD and OpenSMTPD releases as well. ok deraadt@ beck@ sthen@
* update __STRICT_ALIGNMENT checkBrent Cook2015-03-081-3/+7
|
* specify -static-libgcc for mingw buildsBrent Cook2015-03-081-1/+2
| | | | Avoid external external dependencies on 32-bit windows builds.
* avoid doubling user-specified cflagsBrent Cook2015-03-071-2/+2
|
* separate the BSWAP check from the actionBrent Cook2015-03-011-14/+17
| | | | checks need to be unconditional with autoconf
* check if the BSWAP assembly for ARM works before buildingBrent Cook2015-03-011-0/+8
|
* add windows-specific hardening optionsBrent Cook2015-02-241-8/+23
| | | | | | This enables DEP and ALSR capabilities. Stack protection is enabled optionally, there are some extra linking steps required that make it difficult to enable by default.
* remove openat requirement for building certhashBrent Cook2015-02-231-2/+2
|
* add missing line continuationBrent Cook2015-02-191-1/+1
|
* disable system issetugid on OS X since it is not fork-safeBrent Cook2015-02-171-0/+5
| | | | | Noticed while testing similar code for AIX. ok beck@
* add strsep fallback for libtlsBrent Cook2015-02-141-1/+2
|
* conditionally build certhash into openssl(1)Brent Cook2015-02-141-0/+2
| | | | | For now, look for openat and symlink. We may switch to just needing symlink later.
* add NetBSD shims for arc4randomBrent Cook2015-01-211-1/+8
| | | | | | The current NetBSD release, 6.1.5, fails to reseed arc4random fork. Work around it by providing arc4random/getentropy shims. Revisit when NetBSD 7 is available.
* catch GCC versions that only warn on unused flagsBrent Cook2015-01-061-3/+3
| | | | | Noticed while building with GCC 4.2 with HP-UX. Switching the ERROR to a WARN for a first release while we continue to survey the field.
* remove bash-style comparisons from testsBrent Cook2015-01-061-3/+3
|
* Add support for HP-UXkinichiro2015-01-061-0/+6
| | | | | | | | | | tested on: HP-UX 11.31 ia64, gcc 4.7.1(HP AllianceOne version) gcc 4.2.3(http://hpux.connect.org.uk) HP C/aC++ HP-UX defaults to use LP32 and it treats long as 32 bit (= 4 bytes). This build forces LP64 for treating long as 64 bit.
* quoting and ensure old_*flags are restored before the 'else'Brent Cook2015-01-051-8/+10
|
* preserve CFLAGS between hardening checks, enable mingwBrent Cook2015-01-051-26/+46
| | | | | | Allow hardening CFLAGS for mingw that do not cause link-time failures. Add proper quoting on flags for commas Check LDFLAGS for linker-only flags.
* simplify hardening check logic, disable for mingwBrent Cook2015-01-051-38/+33
| | | | | | | | | | | Rather than doing separate linker/compiler checks, just build a non-empty program with each so that the compiler will actually try to use the hardening features. Reduce redundancy in the macro calls by just setting the flag that was just tested. Also, disable hardening for mingw, since its trying to use a libssp-0.dll file that I can't find right now. The detected hardening flags break mingw builds currently.
* Change comments to remark on script not being needed for clang >= 5.1Jim Barlow2015-01-011-1/+1
|
* Fix typo causing output of clang test to read "CLANG" instead of yes/noJim Barlow2014-12-311-1/+1
|
* Merge recent upstream changes with compiler hardeningJim Barlow2014-12-301-4/+19
|\ | | | | | | | | Conflicts: configure.ac
| * enable __STRICT_ALIGNMENT on sparcBrent Cook2014-12-271-0/+6
| |
| * do not mark GNU_STACK WX in ELFs generated from assemblyBrent Cook2014-12-221-1/+12
| | | | | | | | | | | | | | | | | | | | | | | | When generating ELF objects from assembly, gcc and clang mark the GNU_STACK program headers as RWX by default. This is a security issue, so we make sure it is marked only RW. This modifies Anthony G. Basile's original patch for Linux to set .note.GNU-stack whenever the assembler supports it. It is surprising that any modern toolchain would enable an executable stack without an explicit request. The number of programs that need an executable stack is surely much smaller than the number of programs that include assembly.
* | configure.ac: use executable hardening where availableJim Barlow2014-12-231-0/+62
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Where available, enable stack smashing protection, fortify source, no-strict-overflow, and read only relocations. Many Linux distributions automatically enable most of these options. They are no brainers. The difference introduced here is in asking for a few more aggressive options. An option to disable the more aggressive options is provided (--disable-hardening). When set, configure will fall back to the default CFLAGS on the system - in many cases that will still be hardened. There is no point in going further than that. Options enabled are: -fstack-protector-strong is a relatively new GCC-4.9 feature that is supposed to give a better balance between performance and protection. -all is considered too aggressive, but was used in Chromium and other security critical systems until -strong became available. Follow their lead and use -strong when possible. clang 6.0 supports -all but not -strong. _FORTIFY_SOURCE replaces certain unsafe C str* and mem* functions with more robust equivalents when the compiler can determine the length of the buffers involved. -fno-strict-overflow instructs GCC to not make optimizations based on the assumption that signed arithmetic will wrap around on overflow (e.g. (short)0x7FFF + 1 == 0). This prevents the optimizer from doing some unexpected things. Further improvements should trap signed overflows and reduce the use of signed to refer to naturally unsigned quantities. I did not set -fPIE (position independent executables). The critical function of Open/LibreSSL is as a library, not an executable. Tested on Ubuntu Linux 14.04.1 LTS, OS X 10.10.1 with "make check". Signed-off-by: Jim Barlow <jim@purplerock.ca>
* | configure.ac: Modify clang check to save result to a variableJim Barlow2014-12-231-10/+14
|/ | | | | ...and leave a note that -Qunused-arguments is being applied to CFLAGS not LDFLAGS, probably in error.
* allow Windows DLLs to be builtBrent Cook2014-12-141-1/+1
| | | | based on a patch from Jan Engelhardt
* Enable optimized crypto operations for x86_64Brent Cook2014-12-071-16/+29
| | | | | | | | | | | | | | This adds initial support for assembly crypto acceleration on x86_64 for ELF (Linux, *BSD, Solaris) and Mach-O (OS-X) systems. The build method is a little different than OpenSSL and OpenBSD. All the .s files are generated ahead of time when the tarball is generated, so there are no complicated makefile rules at configure/build time. This also means the builds are faster and perl is not required on the build system. Thanks to Wouter Clarie for providing the initial cleanup and patch that this is based on.
* read all library versions directly from filesBrent Cook2014-12-061-0/+4
| | | | | | This makes building and testing easier because the library Makefile.am files are use directly rather than as templates. Thanks to Wouter Clarie for the idea.
* add support for building libtlsBrent Cook2014-12-061-1/+7
| | | | | | | | Use './configure --enable-libtls' to build the library and install the associated manpages. Note that the API and ABI of this library may change still, though feedback is welcome. ok deraadt@ jsing@ tedu@
* add minimal poll(2) implementation for WindowsBrent Cook2014-12-031-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This provides sufficient functionality to run openssl(1) from a Windows console. This is based on the original select-based version from from songdongsheng@live.cn. Changes: * use nfds_t directly for iterating the fds. * add WSAGetLastError -> errno mappings * handle POLLHUP and the OOB data cases for revents * handle sparse arrays of fds correctly * KNF style updates * teach poll how to handle file handles as well as sockets This handles the socket/non-socket issue by alternating a loop between WaitForMultipleObjects for non-sockets and and select for sockets. One would think this would be terrible for performance, but as of this writing, poll consumes about 6% of the time doing a bulk transfer between a Linux box and 'openssl.exe s_server'. I tried to implement this all in terms of WaitForMultipleObjects with a select 'poll' at the end to get extra specific socket status. However, the cost of setting up an event handle for each socket, setting the WSAEventSelect attributes, and cleaning them up reliably was pretty high. Since the event handle associated with a socket is also global, creating a new one cancels the previous one or can be disabled externally. In addition, the 'FD_WRITE' status of a socket event handle does not behave in an expected fashion, being triggered by an edge on a write event rather than being level triggered. Another fun horror story is how stdin in windows might be a console, it might be a pipe, it might be something else. If these all worked in the same way, it would be great. But, since a console-stdin can also signal on a mouse or window event, it means we can easily get stuck in a blocking read (you can't make stdin non-blocking) if the non-character events are not filtered out. So, poll does that too. See here for various additional horror stories: http://www.postgresql.org/message-id/4351.1336927207@sss.pgh.pa.us
* Update win32 build definesBrent Cook2014-12-031-1/+2
|
* Quiet clang warnings about unused arguments in general.Brent Cook2014-11-031-1/+13
| | | | | Check if we are using clang, rather than simply if we are on OS X. Note: recent LLVM releases do not seem to need this anyway.
* make 'autoreconf' work from dist tarballBrent Cook2014-11-031-1/+1
| | | | We need to include VERSION for it to run.
* override native arc4random_buf on FreeBSDBrent Cook2014-11-031-1/+6
| | | | | | | | | | | | | | | | The FreeBSD-native arc4random_buf implementation falls back to weak sources of entropy if the sysctl fails. Remove these dangerous fallbacks by overriding locally. Unfortunately, pthread_atfork() is broken on FreeBSD (at least 9 and 10) if a program does not link to -lthr. Callbacks registered with pthread_atfork() simply fail silently. So, it is not always possible to detect a PID wraparound. I wish we could do better. This improves arc4random_buf's safety compared to the native FreeBSD implementation. Tested on FreeBSD 9 and 10. ok beck@ deraadt@
* override native arc4random_buf on OS XBrent Cook2014-11-031-0/+4
| | | | | | | | While the native OS X implementation is fork-safe, it does not seed safely, as of the latest released OS X libc sources, version 997.90.3. It only uses weak sources of entropy if accessing /dev/urandom fails. ok beck@ deraadt@
* Improve and simplify function and header detection logic.Brent Cook2014-10-301-76/+21
| | | | | | | | | Simplify autoconf checks by using AC_CHECK_FUNCS/HEADERS. Clarify some ambiguous dependencies around strnlen/strndup. Unconditionally enable pidwraptest for all arc4random implementations. Remove HAVE_VASPRINTF conditional, since asprintf requires vasprintf. ok @doug
* use the correct HOST_OS for the Windows buildBrent Cook2014-10-301-1/+1
| | | | ok doug@
* set various glibc flags that also are useful with mingwBrent Cook2014-10-221-1/+2
| | | | for example, asprintf/vasprintf are unmasked with _GNU_SOURCE in mingw
* include a proper check for memmem when configuring unit testsBrent Cook2014-10-221-0/+5
| | | | This allows the proper compatibility header definition to be exposed.
* ensure compatibility with posix shellBrent Cook2014-08-181-1/+1
| | | | remove bash comparison, thanks kinichiro
* add --disable-asm flag for disabling inline asmBrent Cook2014-08-171-0/+4
| | | | | Surprisingly (or not), a lot of OpenSSL's inline assembly actually makes things slower with a relatively modern compiler (read, gcc >= 4.x).
* allow inline asmBrent Cook2014-08-161-1/+1
| | | | use default of -std=gnu99 for it to be recognized
* set _DEFAULT_SOURCE on linux hostsBrent Cook2014-08-161-1/+1
| | | | this is the replacement for _BSD_SOURCE on newer glibc's
* remove configure.am.tpl, pull in VERSION directlyBrent Cook2014-08-121-0/+184
| | | | from wouter@
* source library version from a common place, speed man buildsBrent Cook2014-07-121-99/+0
| | | | | | | grab library version from VERSION file build manpages only on changes ok beck@
* remove unconditional -WerrorBrent Cook2014-07-111-1/+1
| | | | | | Allow warnings to be reported without failing the entire build. ok beck@
* link -lrt on linux for glibc < 2.17 compatibilityBrent Cook2014-07-111-0/+1
| | | | ok beck@
* prefer symlinks rather than hardlinks for manpagesBrent Cook2014-07-111-1/+0
| | | | ok beck@
* put CPP defines in CPPFLAGSBrent Cook2014-07-111-1/+1
|