authorDamien Miller <djm@mindrot.org>2014-01-22 21:30:12 +1100
committerDamien Miller <djm@mindrot.org>2014-01-22 21:30:12 +1100
commit5c2ff5e31f57d303ebb414d84a934c02728fa568 (patch)
treeb1c8a8a1d6eee29847c3de5d7ebe00f79f44db93
parent852472a54b8a0dc3e53786b313baaa86850a4273 (diff)
- (djm) [configure.ac aclocal.m4] More tests to detect fallout from
platform hardening options: include some long long int arithmatic to detect missing support functions for -ftrapv in libgcc and equivalents, actually test linking when -ftrapv is supplied and set either both -pie/-fPIE or neither. feedback and ok dtucker@
-rw-r--r--ChangeLog5
-rw-r--r--aclocal.m445
-rw-r--r--configure.ac23
3 files changed, 67 insertions, 6 deletions
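--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
  hack surprises us by providing a setproctitle in libc; ok dtucker
  - (djm) [configure.ac] Unless specifically requested, only attempt
  to build Position Independent Executables on gcc >= 4.x; ok dtucker
+ - (djm) [configure.ac aclocal.m4] More tests to detect fallout from
+ platform hardening options: include some long long int arithmatic
+ to detect missing support functions for -ftrapv in libgcc and
+ equivalents, actually test linking when -ftrapv is supplied and
+ set either both -pie/-fPIE or neither. feedback and ok dtucker@
 
 20140121
  - (dtucker) [configure.ac] Make PIE a configure-time option which defaults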
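--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-dnl $Id: aclocal.m4,v 1.12 2014/01/21 02:10:27 djm Exp $
+dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@@ -21,7 +21,45 @@ int main(int argc, char **argv) {
  int i = 123 * argc, j = 456 + argc, k = 789 - argc;
  float l = i * 2.1;
  double m = l / 0.5;
- printf("%d %d %d %f %f\n", i, j, k, l, m);
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ exit(0);
+}
+ ]])],
+ [
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+ AC_MSG_RESULT([no])
+ CFLAGS="$saved_CFLAGS"
+else
+ AC_MSG_RESULT([yes])
+ CFLAGS="$saved_CFLAGS $_define_flag"
+fi],
+ [ AC_MSG_RESULT([no])
+ CFLAGS="$saved_CFLAGS" ]
+ )
+}])
+
+dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
+dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
+dnl 'check_flag'.
+AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
+ AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $WERROR $1"
+ _define_flag="$2"
+ test "x$_define_flag" = "x" && _define_flag="$1"
+ AC_LINK_IFELSE([AC_LANG_SOURCE([[
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+ /* Some math to catch -ftrapv problems in the toolchain */
+ int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+ float l = i * 2.1;
+ double m = l / 0.5;
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
  exit(0);
 }
  ]])],
@@ -57,7 +95,8 @@ int main(int argc, char **argv) {
  int i = 123 * argc, j = 456 + argc, k = 789 - argc;
  float l = i * 2.1;
  double m = l / 0.5;
- printf("%d %d %d %f %f\n", i, j, k, l, m);
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
  exit(0);
 }
  ]])],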
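Review bot: The header comment on the new OSSH_CHECK_CFLAG_LINK macro (new lines 43-46) is copied from OSSH_CHECK_CFLAG_COMPILE and only says the flag must be accepted by $CC, so it does not tell a reader that this variant also requires the test program to link. I would reword its first sentence to `dnl Check that $CC accepts a flag 'check_flag' and that a program built with it links.` and leave the rest as is. The same test program now appears three times in this file and has to be edited in step, as this commit does; defining it once in a shared m4 macro would keep the copies from drifting. A successful link shows that the -ftrapv support functions resolve, not that an overflow actually traps at run time, which is worth saying in the comment. The macro's result handling lies outside the hunk.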
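--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.557 2014/01/22 05:31:18 djm Exp $
+# $Id: configure.ac,v 1.558 2014/01/22 10:30:13 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.557 $)
+AC_REVISION($Revision: 1.558 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -164,10 +164,15 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
  OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
  OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
  if test "x$use_toolchain_hardening" = "x1"; then
- OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
  OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
  OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
  OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
+ # NB. -ftrapv expects certain support functions to be present in
+ # the compiler library (libgcc or similar) to detect integer operations
+ # that can overflow. We must check that the result of enabling it
+ # actually links. The test program compiled/linked includes a number
+ # of integer operations that should exercise this.
+ OSSH_CHECK_CFLAG_LINK([-ftrapv])
  fi
  AC_MSG_CHECKING([gcc version])
  GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
@@ -1594,8 +1599,20 @@ if test "x$use_pie" == "xauto"; then
 )
 fi
 if test "x$use_pie" != "xno"; then
+ SAVED_CFLAGS="$CFLAGS"
+ SAVED_LDFLAGS="$LDFLAGS"
  OSSH_CHECK_CFLAG_COMPILE([-fPIE])
  OSSH_CHECK_LDFLAG_LINK([-pie])
+ # We use both -fPIE and -pie or neither.
+ AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
+ if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \
+ echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ CFLAGS="$SAVED_CFLAGS"
+ LDFLAGS="$SAVED_LDFLAGS"
+ fi
 fi
 
 dnl Checks for library functions. Please keep in alphabetical order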
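Review bot: In the last hunk, when only one of -fPIE and -pie is accepted, the new else branch (new lines 1611-1614) restores both flag sets and configure carries on, so a build that asked for PIE ends up non-PIE with nothing more than a `no` in the configure output. The guard `test "x$use_pie" != "xno"` covers an explicit request as well as the auto case. If the two can still be told apart at this point (the auto block above is only partly visible, and I am assuming an explicit request leaves use_pie set to yes), the else branch should fail hard for the explicit case, e.g. `test "x$use_pie" = "xyes" && AC_MSG_ERROR([PIE requested but -fPIE and -pie are not both supported])`. The grep patterns `' -fPIE'` and `' -pie'` are also open at the end, so a longer flag that merely starts with the same text would satisfy them.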