Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge remote-tracking branch 'public/bug5210'

Nick Mathewson 13 years ago
parent
9dd4e5a9b0 4717951cfa
commit
62a77f1117
3 changed files with 71 additions and 12 deletions
Split View Show Diff Stats
  1. 42 0
      acinclude.m4
  2. 2 0
      changes/bug5210
  3. 27 12
      configure.in

+ 42 - 0
acinclude.m4
View File 

@@ -42,6 +42,48 @@ AC_DEFUN([TOR_DEFINE_CODEPATH],
 
   AC_SUBST(TOR_LDFLAGS_$2)
 
 ])
 
 
+dnl 1:flags
 
+AC_DEFUN([TOR_CHECK_CFLAGS], [
 
+  AS_VAR_PUSHDEF([VAR],[tor_cv_cflags_$1])
 
+  AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
 
+    tor_saved_CFLAGS="$CFLAGS"
 
+    CFLAGS="$CFLAGS -pedantic -Werror $1"
 
+    AC_TRY_COMPILE([], [return 0;],
 
+                   [AS_VAR_SET(VAR,yes)],
 
+                   [AS_VAR_SET(VAR,no)])
 
+    CFLAGS="$tor_saved_CFLAGS"
 
+  ])
 
+  if test x$VAR = xyes; then
 
+    CFLAGS="$CFLAGS $1"
 
+  fi
 
+  AS_VAR_POPDEF([VAR])
 
+])
 
+
 
+dnl 1:flags
 
+dnl 2:extra ldflags
 
+dnl 3:extra libraries
 
+AC_DEFUN([TOR_CHECK_LDFLAGS], [
 
+  AS_VAR_PUSHDEF([VAR],[tor_cv_ldflags_$1])
 
+  AC_CACHE_CHECK([whether the linker accepts $1], VAR, [
 
+    tor_saved_CFLAGS="$CFLAGS"
 
+    tor_saved_LDFLAGS="$LDFLAGS"
 
+    tor_saved_LIBS="$LIBS"
 
+    CFLAGS="$CFLAGS -pedantic -Werror"
 
+    LDFLAGS="$LDFLAGS $2 $1"
 
+    LIBS="$LIBS $3"
 
+    AC_TRY_LINK([], [return 0;],
 
+                   [AS_VAR_SET(VAR,yes)],
 
+                   [AS_VAR_SET(VAR,no)])
 
+    CFLAGS="$tor_saved_CFLAGS"
 
+    LDFLAGS="$tor_saved_LDFLAGS"
 
+    LIBS="$tor_saved_LIBS"
 
+  ])
 
+  if test x$VAR = xyes; then
 
+    LDFLAGS="$LDFLAGS $1"
 
+  fi
 
+  AS_VAR_POPDEF([VAR])
 
+])
 
+
 
 dnl 1:libname
 
 AC_DEFUN([TOR_WARN_MISSING_LIB], [
 
 h=""

+ 2 - 0
changes/bug5210
View File 

@@ -0,0 +1,2 @@
 
+  o Security fixes:
 
+    - Enable gcc and ld hardening by default. Fixes bug 5210.

+ 27 - 12
configure.in
View File 

@@ -122,21 +122,12 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
 
 dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
 
 dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
 
 AC_ARG_ENABLE(gcc-hardening,
 
-     AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks),
 
-[if test x$enableval = xyes; then
 
-    CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
 
-    CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
 
-    CFLAGS="$CFLAGS --param ssp-buffer-size=1"
 
-    LDFLAGS="$LDFLAGS -pie"
 
-fi])
 
+    AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks))
 
 
 dnl Linker hardening options
 
 dnl Currently these options are ELF specific - you can't use this with MacOSX
 
 AC_ARG_ENABLE(linker-hardening,
 
-        AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups),
 
-[if test x$enableval = xyes; then
 
-    LDFLAGS="$LDFLAGS -z relro -z now"
 
-fi])
 
+    AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups))
 
 
 AC_ARG_ENABLE(local-appdata,
 
    AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
 
@@ -563,8 +554,31 @@ else
 
 fi
 
 AC_SUBST(TOR_ZLIB_LIBS)
 
 
-dnl Make sure to enable support for large off_t if available.
 
+dnl ---------------------------------------------------------------------
 
+dnl Now that we know about our major libraries, we can check for compiler
 
+dnl and linker hardening options.  We need to do this with the libraries known,
 
+dnl since sometimes the linker will like an option but not be willing to
 
+dnl use it with a build of a library.
 
+
 
+all_ldflags_for_check="$TOR_LDFLAGS_zlib $TOR_LDFLAGS_openssl $TOR_LDFLAGS_libevent"
 
+all_libs_for_check="$TOR_ZLIB_LIBS $TOR_LIB_MATH $TOR_LIBEVENT_LIBS $TOR_OPENSSL_LIBS $TOR_LIB_WS32 $TOR_LIB_GDI"
 
+
 
+if test x$enable_gcc_hardening != xno; then
 
+    CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
 
+    TOR_CHECK_CFLAGS(-Qunused-arguments)
 
+    TOR_CHECK_CFLAGS(-fstack-protector-all)
 
+    TOR_CHECK_CFLAGS(-Wstack-protector)
 
+    TOR_CHECK_CFLAGS(-fwrapv)
 
+    TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
 
+    if test "$bwin32" = "false"; then
 
+       TOR_CHECK_CFLAGS(-fPIE)
 
+       TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check")
 
+    fi
 
+fi
 
 
+if test x$enable_linker_hardening != xno; then
 
+    TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check")
 
+fi
 
 
 dnl ------------------------------------------------------
 
 dnl Where do you live, libnatpmp?  And how do we call you?
 
@@ -625,6 +639,7 @@ if test "$upnp" = "true"; then
 
     fi
 
 fi
 
 
+dnl Make sure to enable support for large off_t if available.
 
 AC_SYS_LARGEFILE
 
 
 AC_CHECK_HEADERS(