mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 13:53:31 +01:00
Make our compiler-hardening checks robust against MinGW
First, specify -Werror when we are testing each option; if it causes a warning to appear, we shouldn't be adding it. Second, do not attempt to add these options until after we have found the libraries we want. Previously, I would hit a bug where the linker hardening options worked fine when we weren't linking anything, but failed completely once we added openssl or libevent.
parent
e6dbe693b7
commit
ebaaa4834f
12
acinclude.m4
12
acinclude.m4
@ -46,7 +46,7 @@ AC_DEFUN([TOR_CHECK_CFLAGS], [
|
||||
AS_VAR_PUSHDEF([VAR],[tor_cv_cflags_$1])
|
||||
AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
|
||||
tor_saved_CFLAGS="$CFLAGS"
|
||||
CFLAGS="$CFLAGS -pedantic $1"
|
||||
CFLAGS="$CFLAGS -pedantic -Werror $1"
|
||||
AC_TRY_COMPILE([], [return 0;],
|
||||
[AS_VAR_SET(VAR,yes)],
|
||||
[AS_VAR_SET(VAR,no)])
|
||||
@ -59,15 +59,23 @@ AC_DEFUN([TOR_CHECK_CFLAGS], [
|
||||
])
|
||||
|
||||
dnl 1:flags
|
||||
dnl 2:extra ldflags
|
||||
dnl 3:extra libraries
|
||||
AC_DEFUN([TOR_CHECK_LDFLAGS], [
|
||||
AS_VAR_PUSHDEF([VAR],[tor_cv_ldflags_$1])
|
||||
AC_CACHE_CHECK([whether the linker accepts $1], VAR, [
|
||||
tor_saved_CFLAGS="$CFLAGS"
|
||||
tor_saved_LDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS -pedantic $1"
|
||||
tor_saved_LIBS="$LIBS"
|
||||
CFLAGS="$CFLAGS -pedantic -Werror"
|
||||
LDFLAGS="$LDFLAGS $2 $1"
|
||||
LIBS="$LIBS $3"
|
||||
AC_TRY_LINK([], [return 0;],
|
||||
[AS_VAR_SET(VAR,yes)],
|
||||
[AS_VAR_SET(VAR,no)])
|
||||
CFLAGS="$tor_saved_CFLAGS"
|
||||
LDFLAGS="$tor_saved_LDFLAGS"
|
||||
LIBS="$tor_saved_LIBS"
|
||||
])
|
||||
if test x$VAR = xyes; then
|
||||
LDFLAGS="$LDFLAGS $1"
|
||||
|
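Review bot: In TOR_CHECK_LDFLAGS the new `CFLAGS="$CFLAGS -pedantic -Werror"` only promotes compiler diagnostics to errors, so a linker that prints a warning and ignores `$1` (an unsupported `-z` keyword, for instance) would presumably still pass AC_TRY_LINK, and the hardening flag would be recorded as accepted without taking effect. Where the linker supports it, consider making linker warnings fatal for the duration of the test only, e.g. `LDFLAGS="$LDFLAGS $2 -Wl,--fatal-warnings $1"`, with that option probed separately first. Separately, the cache variable is still keyed on `$1` alone (`tor_cv_ldflags_$1`) although the verdict now depends on `$2` and `$3`, so a reused config.cache can return a result obtained with different libraries. The macro body continues past the end of this hunk.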
39
configure.in
39
configure.in
@ -171,21 +171,6 @@ AM_CONDITIONAL(NAT_PMP, test x$natpmp = xtrue)
|
||||
AM_CONDITIONAL(MINIUPNPC, test x$upnp = xtrue)
|
||||
AM_PROG_CC_C_O
|
||||
|
||||
if test x$enable_gcc_hardening != xno; then
|
||||
CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
|
||||
TOR_CHECK_CFLAGS(-Qunused-arguments)
|
||||
TOR_CHECK_CFLAGS(-fstack-protector-all)
|
||||
TOR_CHECK_CFLAGS(-Wstack-protector)
|
||||
TOR_CHECK_CFLAGS(-fwrapv)
|
||||
TOR_CHECK_CFLAGS(-fPIE)
|
||||
TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
|
||||
TOR_CHECK_LDFLAGS(-pie)
|
||||
fi
|
||||
|
||||
if test x$enable_linker_hardening != xno; then
|
||||
TOR_CHECK_LDFLAGS(-z relro -z now)
|
||||
fi
|
||||
|
||||
ifdef([AC_C_FLEXIBLE_ARRAY_MEMBER], [
|
||||
AC_C_FLEXIBLE_ARRAY_MEMBER
|
||||
], [
|
||||
@ -566,8 +551,29 @@ else
|
||||
fi
|
||||
AC_SUBST(TOR_ZLIB_LIBS)
|
||||
|
||||
dnl Make sure to enable support for large off_t if available.
|
||||
dnl ---------------------------------------------------------------------
|
||||
dnl Now that we know about our major libraries, we can check for compiler
|
||||
dnl and linker hardening options. We need to do this with the libraries known,
|
||||
dnl since sometimes the linker will like an option but not be willing to
|
||||
dnl use it with a build of a library.
|
||||
|
||||
all_ldflags_for_check="$TOR_LDFLAGS_zlib $TOR_LDFLAGS_openssl $TOR_LDFLAGS_libevent"
|
||||
all_libs_for_check="$TOR_ZLIB_LIBS $TOR_LIB_MATH $TOR_LIBEVENT_LIBS $TOR_OPENSSL_LIBS $TOR_LIB_WS32 $TOR_LIB_GDI"
|
||||
|
||||
if test x$enable_gcc_hardening != xno; then
|
||||
CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
|
||||
TOR_CHECK_CFLAGS(-Qunused-arguments)
|
||||
TOR_CHECK_CFLAGS(-fstack-protector-all)
|
||||
TOR_CHECK_CFLAGS(-Wstack-protector)
|
||||
TOR_CHECK_CFLAGS(-fwrapv)
|
||||
TOR_CHECK_CFLAGS(-fPIE)
|
||||
TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
|
||||
TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check")
|
||||
fi
|
||||
|
||||
if test x$enable_linker_hardening != xno; then
|
||||
TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check")
|
||||
fi
|
||||
|
||||
dnl ------------------------------------------------------
|
||||
dnl Where do you live, libnatpmp? And how do we call you?
|
||||
@ -609,6 +615,7 @@ if test "$upnp" = "true"; then
|
||||
[/usr/lib/])
|
||||
fi
|
||||
|
||||
dnl Make sure to enable support for large off_t if available.
|
||||
AC_SYS_LARGEFILE
|
||||
|
||||
AC_CHECK_HEADERS(
|
||||
|
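Review bot: Passing `"$all_ldflags_for_check"` and `"$all_libs_for_check"` to TOR_CHECK_LDFLAGS for `-pie` and `-z relro -z now` makes a link failure caused by the libraries themselves indistinguishable from the linker rejecting the flag; in both cases the build would continue without the hardening option. A baseline AC_TRY_LINK with the same libraries and no hardening flag, run once before these two blocks, would separate the cases, and if it fails configure should stop with AC_MSG_ERROR rather than drop the flags. Since hardening is active unless `enable_gcc_hardening` or `enable_linker_hardening` is `no`, it is also worth emitting `AC_MSG_WARN([hardening option rejected; building without it])` when a check answers no, so packagers notice the downgrade. How the macro reports a rejected flag is not visible from this file.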