From: Guus Sliepen Date: Sat, 22 Jan 2022 21:56:55 +0000 (+0100) Subject: Enable hardening flags at the end of the configure script. X-Git-Url: https://git.tinc-vpn.org/git/browse?a=commitdiff_plain;h=63106cf58402a3af96640727b499258d0eb529f1;p=tinc Enable hardening flags at the end of the configure script. Unfortunately some of the autoconf checks themselver trigger compiler warnings when hardening is enabled and if -Werror is also enabled. Avoid this by only enabling the hardening flags at the end of the configure script. --- diff --git a/configure.ac b/configure.ac index 0ed205d7..4fa9975d 100644 --- a/configure.ac +++ b/configure.ac @@ -143,34 +143,6 @@ AC_CACHE_SAVE AS_IF([test -d /sw/include], [CPPFLAGS="$CPPFLAGS -I/sw/include"]) AS_IF([test -d /sw/lib], [LIBS="$LIBS -L/sw/lib"]) -dnl Compiler hardening flags -dnl No -fstack-protector-all because it doesn't work on all platforms or architectures. - -AX_CFLAGS_WARN_ALL(CFLAGS) - -AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags])) -AS_IF([test "x$enable_hardening" != "xno"], - [AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"]) - AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"], - AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"])) - case $host_os in - *mingw*) - AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"]) - AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"]) - AX_CHECK_LINK_FLAG([-lssp], [LDFLAGS="$LDFLAGS -lssp"]) - ;; - *) - AX_CHECK_COMPILE_FLAG([-fPIE], [CPPFLAGS="$CPPFLAGS -fPIE"]) - AX_CHECK_LINK_FLAG([-pie], [LDFLAGS="$LDFLAGS -pie"]) - ;; - esac - AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="$LDFLAGS -Wl,-z,relro"]) - AX_CHECK_LINK_FLAG([-Wl,-z,now], [LDFLAGS="$LDFLAGS -Wl,-z,now"]) - AX_CHECK_COMPILE_FLAG([-W -Wextra -pedantic -Wreturn-type -Wold-style-definition -Wmissing-declarations -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wbad-function-cast -Wwrite-strings -fdiagnostics-show-option -fstrict-aliasing -Wmissing-noreturn], - [CPPFLAGS="$CPPFLAGS -W -Wextra -pedantic -Wreturn-type -Wold-style-definition -Wmissing-declarations -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wbad-function-cast -Wwrite-strings -fdiagnostics-show-option -fstrict-aliasing -Wmissing-noreturn"]) - ] -); - dnl Checks for header files. dnl We do this in multiple stages, because unlike Linux all the other operating systems really suck and don't include their own dependencies. @@ -267,6 +239,34 @@ AC_ARG_ENABLE(jumbograms, ] ) +dnl Compiler hardening flags +dnl No -fstack-protector-all because it doesn't work on all platforms or architectures. + +AX_CFLAGS_WARN_ALL(CFLAGS) + +AC_ARG_ENABLE([hardening], AS_HELP_STRING([--disable-hardening], [disable compiler and linker hardening flags])) +AS_IF([test "x$enable_hardening" != "xno"], + [AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2], [CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"]) + AX_CHECK_COMPILE_FLAG([-fwrapv], [CPPFLAGS="$CPPFLAGS -fwrapv"], + AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CPPFLAGS="$CPPFLAGS -fno-strict-overflow"])) + case $host_os in + *mingw*) + AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"]) + AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"]) + AX_CHECK_LINK_FLAG([-lssp], [LDFLAGS="$LDFLAGS -lssp"]) + ;; + *) + AX_CHECK_COMPILE_FLAG([-fPIE], [CPPFLAGS="$CPPFLAGS -fPIE"]) + AX_CHECK_LINK_FLAG([-pie], [LDFLAGS="$LDFLAGS -pie"]) + ;; + esac + AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="$LDFLAGS -Wl,-z,relro"]) + AX_CHECK_LINK_FLAG([-Wl,-z,now], [LDFLAGS="$LDFLAGS -Wl,-z,now"]) + AX_CHECK_COMPILE_FLAG([-W -Wextra -pedantic -Wreturn-type -Wold-style-definition -Wmissing-declarations -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wbad-function-cast -Wwrite-strings -fdiagnostics-show-option -fstrict-aliasing -Wmissing-noreturn], + [CPPFLAGS="$CPPFLAGS -W -Wextra -pedantic -Wreturn-type -Wold-style-definition -Wmissing-declarations -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls -Wbad-function-cast -Wwrite-strings -fdiagnostics-show-option -fstrict-aliasing -Wmissing-noreturn"]) + ] +); + dnl Ensure runstatedir is set if we are using a version of autoconf that does not support it if test "x$runstatedir" = "x"; then AC_SUBST([runstatedir], ['${localstatedir}/run'])