Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 40 |
1 files changed, 33 insertions, 7 deletions
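--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.547 2013/12/19 00:00:12 dtucker Exp $
+# $Id: configure.ac,v 1.548 2014/01/16 22:53:24 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.547 $)
+AC_REVISION($Revision: 1.548 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -121,18 +121,35 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
 #include <linux/prctl.h>
 ])
 use_stack_protector=1
+use_toolchain_hardening=1
 AC_ARG_WITH([stackprotect],
 [ --without-stackprotect Don't use compiler's stack protection], [
 if test "x$withval" = "xno"; then
 use_stack_protector=0
 fi ])
+AC_ARG_WITH([hardening],
+[ --without-hardening Don't use toolchain hardening flags], [
+if test "x$withval" = "xno"; then
+use_stack_protector=0
+use_toolchain_hardening=0
+fi ])
 
+# We use -Werror for the tests only so that we catch warnings like "this is
+# on by default" for things like -fPIE.
+AC_MSG_CHECKING([if $CC supports -Werror])
+saved_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS -Werror"
+AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
+[ AC_MSG_RESULT([yes])
+WERROR="-Werror"],
+[ AC_MSG_RESULT([no])
+WERROR="" ]
+)
+CFLAGS="$saved_CFLAGS"
 
 if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
-OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments -Werror],
-[-Qunused-arguments])
-OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option -Werror],
-[-Wno-unknown-warning-option])
+OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
+OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
 OSSH_CHECK_CFLAG_COMPILE([-Wall])
 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
@@ -143,6 +160,14 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
+if test "x$use_toolchain_hardening" = "x1"; then
+OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
+OSSH_CHECK_CFLAG_COMPILE([-fPIE])
+OSSH_CHECK_LDFLAG_LINK([-pie])
+OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
+OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
+OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
+fi
 AC_MSG_CHECKING([gcc version])
 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
 case $GCC_VER in
@@ -169,7 +194,8 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 # and/or platforms, so we test if we can. If it's not supported
 # on a given platform gcc will emit a warning so we use -Werror.
 if test "x$use_stack_protector" = "x1"; then
-for t in -fstack-protector-all -fstack-protector; do
+for t in -fstack-protector-strong -fstack-protector-all \
+-fstack-protector; do
 AC_MSG_CHECKING([if $CC supports $t])
 saved_CFLAGS="$CFLAGS"
 saved_LDFLAGS="$LDFLAGS"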
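Review bot: In the new `use_toolchain_hardening` block, `-fPIE` and `-pie` are probed by two independent checks, so a toolchain that accepts only one of them ends up with half of the pair: objects compiled `-fPIE` but linked as a fixed-address executable (no base-address randomisation for the main image), or `-pie` applied to non-PIE objects, which can fail at link time or leave text relocations. Assuming each macro appends its flag on success (their definitions are not in this diff), the pair should be kept or dropped together, as sketched below. Separately, the `--without-hardening` help text should say that it also clears `use_stack_protector`, since `--with-stackprotect` cannot turn it back on afterwards.

```m4
	if test "x$use_toolchain_hardening" = "x1"; then
		OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
		# Keep -fPIE and -pie only as a pair: one without the other
		# gives either a non-PIE executable or a broken link.
		pie_saved_CFLAGS="$CFLAGS"
		pie_saved_LDFLAGS="$LDFLAGS"
		OSSH_CHECK_CFLAG_COMPILE([-fPIE])
		OSSH_CHECK_LDFLAG_LINK([-pie])
		case "$CFLAGS" in *-fPIE*) ;; *) LDFLAGS="$pie_saved_LDFLAGS" ;; esac
		case "$LDFLAGS" in *-pie*) ;; *) CFLAGS="$pie_saved_CFLAGS" ;; esac
		# … unchanged: -Wl,-z,relro / -Wl,-z,now / -Wl,-z,noexecstack link checks …
```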