From 72d8cae7a4c295cabca2dd0fbe14f134762dc90a Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 26 Apr 2022 22:04:38 +0800 Subject: [PATCH] Test linking for hardening options Some options depend on correct library support. --- configure | 40 ++++++++++++++++++++++---------------- configure.ac | 54 ++++++++++++++++++++++++++-------------------------- 2 files changed, 51 insertions(+), 43 deletions(-) diff --git a/configure b/configure index 837471498..088a4bd42 100755 --- a/configure +++ b/configure @@ -3204,7 +3204,7 @@ main () return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 $as_echo "$as_me: Setting $TESTFLAGS" >&6;} else @@ -3212,7 +3212,8 @@ else $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext } { $as_echo "$as_me:${as_lineno-$LINENO}: Checking if compiler '$CC' supports -fno-strict-overflow" >&5 @@ -3232,7 +3233,7 @@ main () return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 $as_echo "$as_me: Setting $TESTFLAGS" >&6;} else @@ -3240,7 +3241,8 @@ else $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext } # needed for various extensions. define early before autoconf tests @@ -3296,7 +3298,7 @@ main () return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 $as_echo "$as_me: Setting $TESTFLAGS" >&6;} else 
@@ -3304,7 +3306,8 @@ else $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext } OLDLDFLAGS="$LDFLAGS" @@ -3396,7 +3399,7 @@ main () return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 $as_echo "$as_me: Setting $TESTFLAGS" >&6;} else @@ -3415,7 +3418,7 @@ main () return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 $as_echo "$as_me: Setting $TESTFLAGS" >&6;} else @@ -3423,11 +3426,13 @@ else $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDCFLAGS" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext # FORTIFY_SOURCE { OLDFLAGS="$CFLAGS" @@ -3444,7 +3449,7 @@ main () return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 $as_echo "$as_me: Setting $TESTFLAGS" >&6;} else @@ -3452,7 +3457,8 @@ else $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext } # Spectre v2 mitigations @@ -3471,7 +3477,7 @@ main () return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 $as_echo "$as_me: Setting $TESTFLAGS" >&6;} else 
@@ -3479,7 +3485,8 @@ else $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext } { OLDFLAGS="$CFLAGS" @@ -3496,7 +3503,7 @@ main () return 0; } _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 $as_echo "$as_me: Setting $TESTFLAGS" >&6;} else @@ -3504,7 +3511,8 @@ else $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext } fi diff --git a/configure.ac b/configure.ac index 6a194797a..f4f74de76 100644 --- a/configure.ac +++ b/configure.ac @@ -23,15 +23,15 @@ AC_PROG_CC if test -z "$LD" ; then LD=$CC fi -AC_SUBST(LD) +AC_SUBST(LD) -AC_DEFUN(DB_TRYADDCFLAGS, +AC_DEFUN(DB_TRYADDCFLAGS, [{ OLDFLAGS="$CFLAGS" TESTFLAGS="$1" CFLAGS="$CFLAGS $TESTFLAGS" - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], + AC_LINK_IFELSE([AC_LANG_PROGRAM([])], + [AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDFLAGS" ] ) }]) @@ -82,14 +82,14 @@ if test "$hardenbuild" -eq 1; then OLDLDFLAGS="$LDFLAGS" TESTFLAGS="-Wl,-pie" LDFLAGS="$LDFLAGS $TESTFLAGS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], + AC_LINK_IFELSE([AC_LANG_PROGRAM([])], + [AC_MSG_NOTICE([Setting $TESTFLAGS])], [ LDFLAGS="$OLDLDFLAGS" TESTFLAGS="-pie" LDFLAGS="$LDFLAGS $TESTFLAGS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], + AC_LINK_IFELSE([AC_LANG_PROGRAM([])], + [AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] ) ] 
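Review bot: Linking `AC_LANG_PROGRAM([])` in `DB_TRYADDCFLAGS` (configure.ac, `@@ -23,15`) may still not exercise the library support these flags depend on. An empty `main` has no stack buffer and calls no libc function, so the compiler is unlikely to emit a reference to the stack-protector or fortify runtime symbols, and the link can succeed on a toolchain that lacks them. The same applies to the `-fstack-protector-strong` and `-fstack-protector --param=ssp-buffer-size=4` tests in the later `hardenbuild` hunk (`@@ -107,14`), and presumably to the FORTIFY_SOURCE check visible in the generated configure. A body that forces instrumentation would make the test meaningful, for example `AC_LANG_PROGRAM([[#include <stdio.h>]], [[char buf[256]; snprintf(buf, sizeof(buf), "x"); return buf[0] != 'x';]])`. It is worth confirming at the default optimisation level that the buffer is not folded away.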
@@ -98,8 +98,8 @@ if test "$hardenbuild" -eq 1; then OLDLDFLAGS="$LDFLAGS" TESTFLAGS="-Wl,-z,now -Wl,-z,relro" LDFLAGS="$LDFLAGS $TESTFLAGS" - AC_LINK_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], + AC_LINK_IFELSE([AC_LANG_PROGRAM([])], + [AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] ) fi # non-static @@ -107,14 +107,14 @@ if test "$hardenbuild" -eq 1; then OLDCFLAGS="$CFLAGS" TESTFLAGS="-fstack-protector-strong" CFLAGS="$CFLAGS $TESTFLAGS" - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], + AC_LINK_IFELSE([AC_LANG_PROGRAM([])], + [AC_MSG_NOTICE([Setting $TESTFLAGS])], [ CFLAGS="$OLDCFLAGS" TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4" CFLAGS="$CFLAGS $TESTFLAGS" - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], - [AC_MSG_NOTICE([Setting $TESTFLAGS])], + AC_LINK_IFELSE([AC_LANG_PROGRAM([])], + [AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ] ) ] @@ -174,7 +174,7 @@ case "$host" in # OpenSSH thinks it's broken. If it isn't, let me know. AC_DEFINE(BROKEN_GETADDRINFO,1,Broken getaddrinfo) ;; - + *-*-hpux*) LIBS="$LIBS -lsec" # It's probably broken. @@ -191,7 +191,7 @@ AC_CHECK_TOOL(STRIP, strip, :) AC_CHECK_TOOL(INSTALL, install, :) dnl Can't use login() or logout() with uclibc -AC_CHECK_DECL(__UCLIBC__, +AC_CHECK_DECL(__UCLIBC__, [ no_loginfunc_check=1 AC_MSG_NOTICE([Using uClibc - login() and logout() probably don't work, so we won't use them.]) 
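Review bot: In the stack-protector hunk of configure.ac (`@@ -107,14`), a link failure drops both `-fstack-protector-strong` and the `--param=ssp-buffer-size=4` fallback, and the only trace is `AC_MSG_NOTICE([Not setting $TESTFLAGS])`, which names only the fallback flags. The link test is stricter than the compile test it replaces, so a build with missing library support is now more likely to end up with no stack protection and nothing but a notice line in the configure output. The final fallback branch could use `AC_MSG_WARN([Not setting $TESTFLAGS])` so packagers notice that a hardening option was lost. A `dnl` comment above the test saying that linking is required because the flag needs runtime library support would also keep a later edit from reverting it to `AC_COMPILE_IFELSE`. The enclosing `if test "$hardenbuild" -eq 1` block starts and ends outside the hunk.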
@@ -199,14 +199,14 @@ AC_CHECK_DECL(__UCLIBC__, dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt dnl but we don't want link all binaries to -lcrypt, just dropbear server. -dnl OS X doesn't need -lcrypt +dnl OS X doesn't need -lcrypt AC_CHECK_FUNC(crypt, found_crypt_func=here) -AC_CHECK_LIB(crypt, crypt, +AC_CHECK_LIB(crypt, crypt, [ CRYPTLIB="-lcrypt" found_crypt_func=here ]) -AC_SUBST(CRYPTLIB) +AC_SUBST(CRYPTLIB) if test "t$found_crypt_func" = there; then AC_DEFINE(HAVE_CRYPT, 1, [crypt() function]) fi @@ -568,7 +568,7 @@ AC_ARG_ENABLE(bundled-libtom, ) if test $BUNDLED_LIBTOM = 1 ; then - AC_DEFINE(BUNDLED_LIBTOM,1,Use bundled libtom) + AC_DEFINE(BUNDLED_LIBTOM,1,Use bundled libtom) fi AC_SUBST(LIBTOM_LIBS) @@ -641,7 +641,7 @@ AC_ARG_ENABLE(pututxline, AC_ARG_WITH(lastlog, [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], [ - if test "x$withval" = "xno" ; then + if test "x$withval" = "xno" ; then AC_DEFINE(DISABLE_LASTLOG) else conf_lastlog_location=$withval @@ -716,7 +716,7 @@ fi if test -n "$conf_lastlog_location"; then AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location", lastlog file location) -fi +fi dnl utmp detection AC_MSG_CHECKING([if your system defines UTMP_FILE]) @@ -746,7 +746,7 @@ if test -z "$conf_utmp_location"; then fi if test -n "$conf_utmp_location"; then AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", utmp file location) -fi +fi dnl wtmp detection AC_MSG_CHECKING([if your system defines WTMP_FILE]) @@ -778,7 +778,7 @@ if test -z "$conf_wtmp_location"; then fi if test -n "$conf_wtmp_location"; then AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", wtmp file location) -fi +fi dnl utmpx detection - I don't know any system so perverse as to require 
@@ -806,7 +806,7 @@ if test -z "$conf_utmpx_location"; then fi else AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", utmpx file location) -fi +fi dnl wtmpx detection AC_MSG_CHECKING([if your system defines WTMPX_FILE]) @@ -833,7 +833,7 @@ if test -z "$conf_wtmpx_location"; then fi else AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", wtmpx file location) -fi +fi # Checks for library functions. AC_PROG_GCC_TRADITIONAL @@ -869,7 +869,7 @@ fi AC_EXEEXT if test $BUNDLED_LIBTOM = 1 ; then -(cd $srcdir; find libtomcrypt -type d) | xargs mkdir -pv +(cd $srcdir; find libtomcrypt -type d) | xargs mkdir -pv LIBTOM_FILES="libtomcrypt/Makefile libtommath/Makefile" fi