mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-09-20 04:12:13 +02:00
Merge remote-tracking branch 'public/bug5210'
This commit is contained in:
Nick Mathewson
commit
62a77f1117
42
acinclude.m4
42
acinclude.m4
@ -42,6 +42,48 @@ AC_DEFUN([TOR_DEFINE_CODEPATH],
|
|||||||
AC_SUBST(TOR_LDFLAGS_$2)
|
AC_SUBST(TOR_LDFLAGS_$2)
|
||||||
])
|
])
|
||||||
|
|
||||||
|
dnl 1:flags
|
||||||
|
AC_DEFUN([TOR_CHECK_CFLAGS], [
|
||||||
|
AS_VAR_PUSHDEF([VAR],[tor_cv_cflags_$1])
|
||||||
|
AC_CACHE_CHECK([whether the compiler accepts $1], VAR, [
|
||||||
|
tor_saved_CFLAGS="$CFLAGS"
|
||||||
|
CFLAGS="$CFLAGS -pedantic -Werror $1"
|
||||||
|
AC_TRY_COMPILE([], [return 0;],
|
||||||
|
[AS_VAR_SET(VAR,yes)],
|
||||||
|
[AS_VAR_SET(VAR,no)])
|
||||||
|
CFLAGS="$tor_saved_CFLAGS"
|
||||||
|
])
|
||||||
|
if test x$VAR = xyes; then
|
||||||
|
CFLAGS="$CFLAGS $1"
|
||||||
|
fi
|
||||||
|
AS_VAR_POPDEF([VAR])
|
||||||
|
])
|
||||||
|
|
||||||
|
dnl 1:flags
|
||||||
|
dnl 2:extra ldflags
|
||||||
|
dnl 3:extra libraries
|
||||||
|
AC_DEFUN([TOR_CHECK_LDFLAGS], [
|
||||||
|
AS_VAR_PUSHDEF([VAR],[tor_cv_ldflags_$1])
|
||||||
|
AC_CACHE_CHECK([whether the linker accepts $1], VAR, [
|
||||||
|
tor_saved_CFLAGS="$CFLAGS"
|
||||||
|
tor_saved_LDFLAGS="$LDFLAGS"
|
||||||
|
tor_saved_LIBS="$LIBS"
|
||||||
|
CFLAGS="$CFLAGS -pedantic -Werror"
|
||||||
|
LDFLAGS="$LDFLAGS $2 $1"
|
||||||
|
LIBS="$LIBS $3"
|
||||||
|
AC_TRY_LINK([], [return 0;],
|
||||||
|
[AS_VAR_SET(VAR,yes)],
|
||||||
|
[AS_VAR_SET(VAR,no)])
|
||||||
|
CFLAGS="$tor_saved_CFLAGS"
|
||||||
|
LDFLAGS="$tor_saved_LDFLAGS"
|
||||||
|
LIBS="$tor_saved_LIBS"
|
||||||
|
])
|
||||||
|
if test x$VAR = xyes; then
|
||||||
|
LDFLAGS="$LDFLAGS $1"
|
||||||
|
fi
|
||||||
|
AS_VAR_POPDEF([VAR])
|
||||||
|
])
|
||||||
|
|
||||||
dnl 1:libname
|
dnl 1:libname
|
||||||
AC_DEFUN([TOR_WARN_MISSING_LIB], [
|
AC_DEFUN([TOR_WARN_MISSING_LIB], [
|
||||||
h=""
|
h=""
|
||||||
|
|||||||
2
changes/bug5210
Normal file
2
changes/bug5210
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
o Security fixes:
|
||||||
|
- Enable gcc and ld hardening by default. Fixes bug 5210.
|
||||||
39
configure.in
39
configure.in
@ -122,21 +122,12 @@ dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all
|
|||||||
dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
|
dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows
|
||||||
dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
|
dnl This requires that we use gcc and that we add -O2 to the CFLAGS.
|
||||||
AC_ARG_ENABLE(gcc-hardening,
|
AC_ARG_ENABLE(gcc-hardening,
|
||||||
AS_HELP_STRING(--enable-gcc-hardening, enable compiler security checks),
|
AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks))
|
||||||
[if test x$enableval = xyes; then
|
|
||||||
CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all"
|
|
||||||
CFLAGS="$CFLAGS -fwrapv -fPIE -Wstack-protector"
|
|
||||||
CFLAGS="$CFLAGS --param ssp-buffer-size=1"
|
|
||||||
LDFLAGS="$LDFLAGS -pie"
|
|
||||||
fi])
|
|
||||||
|
|
||||||
dnl Linker hardening options
|
dnl Linker hardening options
|
||||||
dnl Currently these options are ELF specific - you can't use this with MacOSX
|
dnl Currently these options are ELF specific - you can't use this with MacOSX
|
||||||
AC_ARG_ENABLE(linker-hardening,
|
AC_ARG_ENABLE(linker-hardening,
|
||||||
AS_HELP_STRING(--enable-linker-hardening, enable linker security fixups),
|
AS_HELP_STRING(--disable-linker-hardening, disable linker security fixups))
|
||||||
[if test x$enableval = xyes; then
|
|
||||||
LDFLAGS="$LDFLAGS -z relro -z now"
|
|
||||||
fi])
|
|
||||||
|
|
||||||
AC_ARG_ENABLE(local-appdata,
|
AC_ARG_ENABLE(local-appdata,
|
||||||
AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
|
AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
|
||||||
@ -563,8 +554,31 @@ else
|
|||||||
fi
|
fi
|
||||||
AC_SUBST(TOR_ZLIB_LIBS)
|
AC_SUBST(TOR_ZLIB_LIBS)
|
||||||
|
|
||||||
dnl Make sure to enable support for large off_t if available.
|
dnl ---------------------------------------------------------------------
|
||||||
|
dnl Now that we know about our major libraries, we can check for compiler
|
||||||
|
dnl and linker hardening options. We need to do this with the libraries known,
|
||||||
|
dnl since sometimes the linker will like an option but not be willing to
|
||||||
|
dnl use it with a build of a library.
|
||||||
|
|
||||||
|
all_ldflags_for_check="$TOR_LDFLAGS_zlib $TOR_LDFLAGS_openssl $TOR_LDFLAGS_libevent"
|
||||||
|
all_libs_for_check="$TOR_ZLIB_LIBS $TOR_LIB_MATH $TOR_LIBEVENT_LIBS $TOR_OPENSSL_LIBS $TOR_LIB_WS32 $TOR_LIB_GDI"
|
||||||
|
|
||||||
|
if test x$enable_gcc_hardening != xno; then
|
||||||
|
CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
|
||||||
|
TOR_CHECK_CFLAGS(-Qunused-arguments)
|
||||||
|
TOR_CHECK_CFLAGS(-fstack-protector-all)
|
||||||
|
TOR_CHECK_CFLAGS(-Wstack-protector)
|
||||||
|
TOR_CHECK_CFLAGS(-fwrapv)
|
||||||
|
TOR_CHECK_CFLAGS(--param ssp-buffer-size=1)
|
||||||
|
if test "$bwin32" = "false"; then
|
||||||
|
TOR_CHECK_CFLAGS(-fPIE)
|
||||||
|
TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check")
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if test x$enable_linker_hardening != xno; then
|
||||||
|
TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check")
|
||||||
|
fi
|
||||||
|
|
||||||
dnl ------------------------------------------------------
|
dnl ------------------------------------------------------
|
||||||
dnl Where do you live, libnatpmp? And how do we call you?
|
dnl Where do you live, libnatpmp? And how do we call you?
|
||||||
@ -625,6 +639,7 @@ if test "$upnp" = "true"; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
dnl Make sure to enable support for large off_t if available.
|
||||||
AC_SYS_LARGEFILE
|
AC_SYS_LARGEFILE
|
||||||
|
|
||||||
AC_CHECK_HEADERS(
|
AC_CHECK_HEADERS(
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user