author | Damien Miller <djm@mindrot.org> | 2014-01-22 21:30:12 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-01-22 21:30:12 +1100 |
commit | 5c2ff5e31f57d303ebb414d84a934c02728fa568 (patch) | |
tree | b1c8a8a1d6eee29847c3de5d7ebe00f79f44db93 | |
parent | 852472a54b8a0dc3e53786b313baaa86850a4273 (diff) |
- (djm) [configure.ac aclocal.m4] More tests to detect fallout from
platform hardening options: include some long long int arithmetic
to detect missing support functions for -ftrapv in libgcc and
equivalents, actually test linking when -ftrapv is supplied and
set either both -pie/-fPIE or neither. feedback and ok dtucker@
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | aclocal.m4 | 45 | ||||
-rw-r--r-- | configure.ac | 23 |
3 files changed, 67 insertions, 6 deletions
@@ -4,6 +4,11 @@ hack surprises us by providing a setproctitle in libc; ok dtucker
 - (djm) [configure.ac] Unless specifically requested, only attempt to build Position Independent Executables on gcc >= 4.x; ok dtucker
+ - (djm) [configure.ac aclocal.m4] More tests to detect fallout from
+ platform hardening options: include some long long int arithmatic
+ to detect missing support functions for -ftrapv in libgcc and
+ equivalents, actually test linking when -ftrapv is supplied and
+ set either both -pie/-fPIE or neither. feedback and ok dtucker@
 20140121
 - (dtucker) [configure.ac] Make PIE a configure-time option which defaults
@@ -1,4 +1,4 @@
-dnl $Id: aclocal.m4,v 1.12 2014/01/21 02:10:27 djm Exp $
+dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@@ -21,7 +21,45 @@ int main(int argc, char **argv) {
 int i = 123 * argc, j = 456 + argc, k = 789 - argc;
 float l = i * 2.1;
 double m = l / 0.5;
- printf("%d %d %d %f %f\n", i, j, k, l, m);
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
+ exit(0);
+}
+ ]])],
+ [
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+ AC_MSG_RESULT([no])
+ CFLAGS="$saved_CFLAGS"
+else
+ AC_MSG_RESULT([yes])
+ CFLAGS="$saved_CFLAGS $_define_flag"
+fi],
+ [ AC_MSG_RESULT([no])
+ CFLAGS="$saved_CFLAGS" ]
+ )
+}])
+
+dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
+dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
+dnl 'check_flag'.
+AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
+ AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $WERROR $1"
+ _define_flag="$2"
+ test "x$_define_flag" = "x" && _define_flag="$1"
+ AC_LINK_IFELSE([AC_LANG_SOURCE([[
+#include <stdlib.h>
+#include <stdio.h>
+int main(int argc, char **argv) {
+ /* Some math to catch -ftrapv problems in the toolchain */
+ int i = 123 * argc, j = 456 + argc, k = 789 - argc;
+ float l = i * 2.1;
+ double m = l / 0.5;
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
 exit(0);
 }
 ]])],
@@ -57,7 +95,8 @@ int main(int argc, char **argv) {
 int i = 123 * argc, j = 456 + argc, k = 789 - argc;
 float l = i * 2.1;
 double m = l / 0.5;
- printf("%d %d %d %f %f\n", i, j, k, l, m);
+ long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
+ printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
 exit(0);
 }
 ]])],
diff --git a/configure.ac b/configure.ac
index b738f4e6..12d62e29 100644
--- a/configure.ac
+++ b/configure.ac
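Review bot: In aclocal.m4, the `dnl` header on the new OSSH_CHECK_CFLAG_LINK macro is copied from the compile-only macro and still says only that $CC accepts the flag, although the body uses AC_LINK_IFELSE and the link step is the reason the macro exists. Suggest `dnl Check that $CC accepts a flag 'check_flag' and that a test program built with it links.` as the second line of that header. It is also worth a `dnl` line stating that the test program is linked but never run, so a `yes` shows that the -ftrapv support routines resolve, not that an overflow actually traps at run time.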
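Review bot: In aclocal.m4, the conftest program edited by the hunk at -57 now exists in three copies that look identical in the visible lines (the macro edited at -21, the new OSSH_CHECK_CFLAG_LINK, and this one), and this commit had to make the same two-line change to each existing copy. Defining the program text once, for example with `m4_define`, and expanding it inside each `AC_LANG_SOURCE` would keep the hardening checks from drifting apart the next time the arithmetic is extended. The macro this hunk belongs to starts and ends outside the hunk, so its name is not visible here.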
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.557 2014/01/22 05:31:18 djm Exp $
+# $Id: configure.ac,v 1.558 2014/01/22 10:30:13 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.557 $)
+AC_REVISION($Revision: 1.558 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
@@ -164,10 +164,15 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then
 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
 if test "x$use_toolchain_hardening" = "x1"; then
- OSSH_CHECK_CFLAG_COMPILE([-ftrapv])
 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
+ # NB. -ftrapv expects certain support functions to be present in
+ # the compiler library (libgcc or similar) to detect integer operations
+ # that can overflow. We must check that the result of enabling it
+ # actually links. The test program compiled/linked includes a number
+ # of integer operations that should exercise this.
+ OSSH_CHECK_CFLAG_LINK([-ftrapv])
 fi
 AC_MSG_CHECKING([gcc version])
 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
@@ -1594,8 +1599,20 @@ if test "x$use_pie" == "xauto"; then
 )
 fi
 if test "x$use_pie" != "xno"; then
+ SAVED_CFLAGS="$CFLAGS"
+ SAVED_LDFLAGS="$LDFLAGS"
 OSSH_CHECK_CFLAG_COMPILE([-fPIE])
 OSSH_CHECK_LDFLAG_LINK([-pie])
+ # We use both -fPIE and -pie or neither.
+ AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
+ if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \
+ echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ CFLAGS="$SAVED_CFLAGS"
+ LDFLAGS="$SAVED_LDFLAGS"
+ fi
 fi
 dnl Checks for library functions. Please keep in alphabetical order
|
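Review bot: In configure.ac, the new `else` branch of the "both -fPIE and -pie" check (hunk at -1594) restores CFLAGS and LDFLAGS and prints only `no`, so a build for which PIE was requested falls back to non-PIE binaries with nothing but one line in the configure output to show it. Whether `use_pie` can still tell an explicit request from the auto-detected default at this point is not visible in the hunk. If it can, the explicit case is better failed than downgraded, e.g. `AC_MSG_ERROR([PIE requested but -fPIE and -pie are not both supported])`; otherwise an `AC_MSG_WARN` with the same text in that branch would at least make the lost hardening stand out.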