New --enable-expensive-hardening option
It turns on -fsanitize=address and -fsanitize=ubsan if they work. Most relays won't want this. Some clients may. Ticket 11477.
parent
0820031419
commit
64f62881d8
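--- a/changes/bug11477
+++ b/changes/bug11477
@@ -0,0 +1,4 @@
+o Minor features:
+- New --enable-expensive-hardening option to turn on security hardening
+options that consume nontrivial amounts of CPU and memory. Right now,
+this includes AddressSanitizer and UbSan. Closes ticket 11477.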
17
configure.ac
17
configure.ac
@ -129,13 +129,13 @@ AC_ARG_ENABLE(gcc-warnings,
|
|||||||
AC_ARG_ENABLE(gcc-warnings-advisory,
|
AC_ARG_ENABLE(gcc-warnings-advisory,
|
||||||
AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror]))
|
AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror]))
|
||||||
|
|
||||||
dnl Adam shostack suggests the following for Windows:
|
|
||||||
dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
|
|
||||||
dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
|
dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
|
||||||
dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
|
|
||||||
AC_ARG_ENABLE(gcc-hardening,
|
AC_ARG_ENABLE(gcc-hardening,
|
||||||
AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks))
|
AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks))
|
||||||
|
|
||||||
|
AC_ARG_ENABLE(expensive-hardening,
|
||||||
|
AS_HELP_STRING(--enable-expensive-hardening, enable more expensive compiler hardening; makes Tor slower))
|
||||||
|
|
||||||
dnl Linker hardening options
|
dnl Linker hardening options
|
||||||
dnl Currently these options are ELF specific - you can't use this with MacOSX
|
dnl Currently these options are ELF specific - you can't use this with MacOSX
|
||||||
AC_ARG_ENABLE(linker-hardening,
|
AC_ARG_ENABLE(linker-hardening,
|
||||||
@ -628,6 +628,12 @@ if test x$enable_gcc_hardening != xno; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if test x$enable_expensive_hardening = xyes ; then
|
||||||
|
TOR_CHECK_CFLAGS([-fsanitize=address])
|
||||||
|
TOR_CHECK_CFLAGS([-fsanitize=undefined])
|
||||||
|
TOR_CHECK_CFLAGS([-fno-omit-frame-pointer])
|
||||||
|
fi
|
||||||
|
|
||||||
if test x$enable_linker_hardening != xno; then
|
if test x$enable_linker_hardening != xno; then
|
||||||
TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check")
|
TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check")
|
||||||
fi
|
fi
|
||||||
@ -640,10 +646,11 @@ dnl Now see if we have a -fomit-frame-pointer compiler option.
|
|||||||
|
|
||||||
saved_CFLAGS="$CFLAGS"
|
saved_CFLAGS="$CFLAGS"
|
||||||
TOR_CHECK_CFLAGS(-fomit-frame-pointer)
|
TOR_CHECK_CFLAGS(-fomit-frame-pointer)
|
||||||
|
F_OMIT_FRAME_POINTER=''
|
||||||
if test "$saved_CFLAGS" != "$CFLAGS"; then
|
if test "$saved_CFLAGS" != "$CFLAGS"; then
|
||||||
|
if test x$enable_expensive_hardening != xyes ; then
|
||||||
F_OMIT_FRAME_POINTER='-fomit-frame-pointer'
|
F_OMIT_FRAME_POINTER='-fomit-frame-pointer'
|
||||||
else
|
fi
|
||||||
F_OMIT_FRAME_POINTER=''
|
|
||||||
fi
|
fi
|
||||||
CFLAGS="$saved_CFLAGS"
|
CFLAGS="$saved_CFLAGS"
|
||||||
AC_SUBST(F_OMIT_FRAME_POINTER)
|
AC_SUBST(F_OMIT_FRAME_POINTER)
|
||||||
|
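Review bot: When `--enable-expensive-hardening` is given but the compiler rejects `-fsanitize=address` or `-fsanitize=undefined`, the new block in the second configure.ac hunk (`if test x$enable_expensive_hardening = xyes`) appears to continue silently, so an operator who explicitly asked for the sanitizers can end up with a binary that has neither. Assuming TOR_CHECK_CFLAGS appends an accepted flag to CFLAGS (the -fomit-frame-pointer check in the third hunk relies on that), configure can inspect CFLAGS afterwards and warn or fail for each missing flag, as sketched below. TOR_CHECK_CFLAGS is defined outside this page; if it only compiles and does not link, a toolchain without the sanitizer runtime libraries would pass the check and then fail at link time, so a link test is worth confirming. Separately, `-fsanitize=undefined` in its default mode reports and continues rather than aborting, which is worth stating in the help string, or changing if the goal is hardening rather than diagnostics.

```m4
if test x$enable_expensive_hardening = xyes ; then
  # … unchanged: the three TOR_CHECK_CFLAGS calls …
  for flag in -fsanitize=address -fsanitize=undefined; do
    case " $CFLAGS " in
      *" $flag "*) ;;
      *) AC_MSG_WARN([--enable-expensive-hardening: $flag was not accepted by the compiler; building without it]) ;;
    esac
  done
fi
```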