Test linking for hardening options

Some options depend on correct library support.
Matt Johnston 2022-04-26 22:04:38 +08:00
parent 2e0a16c334
commit 72d8cae7a4
2 changed files with 51 additions and 43 deletions

configure vendored

@ -3204,7 +3204,7 @@ main ()
return 0; return 0;
} }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5
$as_echo "$as_me: Setting $TESTFLAGS" >&6;} $as_echo "$as_me: Setting $TESTFLAGS" >&6;}
else else
@ -3212,7 +3212,8 @@ else
$as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS"
fi fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
} }
{ $as_echo "$as_me:${as_lineno-$LINENO}: Checking if compiler '$CC' supports -fno-strict-overflow" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Checking if compiler '$CC' supports -fno-strict-overflow" >&5
@ -3232,7 +3233,7 @@ main ()
return 0; return 0;
} }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5
$as_echo "$as_me: Setting $TESTFLAGS" >&6;} $as_echo "$as_me: Setting $TESTFLAGS" >&6;}
else else
@ -3240,7 +3241,8 @@ else
$as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS"
fi fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
} }
# needed for various extensions. define early before autoconf tests # needed for various extensions. define early before autoconf tests
@ -3296,7 +3298,7 @@ main ()
return 0; return 0;
} }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5
$as_echo "$as_me: Setting $TESTFLAGS" >&6;} $as_echo "$as_me: Setting $TESTFLAGS" >&6;}
else else
@ -3304,7 +3306,8 @@ else
$as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS"
fi fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
} }
OLDLDFLAGS="$LDFLAGS" OLDLDFLAGS="$LDFLAGS"
@ -3396,7 +3399,7 @@ main ()
return 0; return 0;
} }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5
$as_echo "$as_me: Setting $TESTFLAGS" >&6;} $as_echo "$as_me: Setting $TESTFLAGS" >&6;}
else else
@ -3415,7 +3418,7 @@ main ()
return 0; return 0;
} }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5
$as_echo "$as_me: Setting $TESTFLAGS" >&6;} $as_echo "$as_me: Setting $TESTFLAGS" >&6;}
else else
@ -3423,11 +3426,13 @@ else
$as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDCFLAGS" $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDCFLAGS"
fi fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
fi fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
# FORTIFY_SOURCE # FORTIFY_SOURCE
{ {
OLDFLAGS="$CFLAGS" OLDFLAGS="$CFLAGS"
@ -3444,7 +3449,7 @@ main ()
return 0; return 0;
} }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5
$as_echo "$as_me: Setting $TESTFLAGS" >&6;} $as_echo "$as_me: Setting $TESTFLAGS" >&6;}
else else
@ -3452,7 +3457,8 @@ else
$as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS"
fi fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
} }
# Spectre v2 mitigations # Spectre v2 mitigations
@ -3471,7 +3477,7 @@ main ()
return 0; return 0;
} }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5
$as_echo "$as_me: Setting $TESTFLAGS" >&6;} $as_echo "$as_me: Setting $TESTFLAGS" >&6;}
else else
@ -3479,7 +3485,8 @@ else
$as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS"
fi fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
} }
{ {
OLDFLAGS="$CFLAGS" OLDFLAGS="$CFLAGS"
@ -3496,7 +3503,7 @@ main ()
return 0; return 0;
} }
_ACEOF _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_link "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: Setting $TESTFLAGS" >&5
$as_echo "$as_me: Setting $TESTFLAGS" >&6;} $as_echo "$as_me: Setting $TESTFLAGS" >&6;}
else else
@ -3504,7 +3511,8 @@ else
$as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS" $as_echo "$as_me: Not setting $TESTFLAGS" >&6;}; CFLAGS="$OLDFLAGS"
fi fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
} }
fi fi


@ -23,15 +23,15 @@ AC_PROG_CC
if test -z "$LD" ; then if test -z "$LD" ; then
LD=$CC LD=$CC
fi fi
AC_SUBST(LD) AC_SUBST(LD)
AC_DEFUN(DB_TRYADDCFLAGS, AC_DEFUN(DB_TRYADDCFLAGS,
[{ [{
OLDFLAGS="$CFLAGS" OLDFLAGS="$CFLAGS"
TESTFLAGS="$1" TESTFLAGS="$1"
CFLAGS="$CFLAGS $TESTFLAGS" CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDFLAGS" ] [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDFLAGS" ]
) )
}]) }])
@ -82,14 +82,14 @@ if test "$hardenbuild" -eq 1; then
OLDLDFLAGS="$LDFLAGS" OLDLDFLAGS="$LDFLAGS"
TESTFLAGS="-Wl,-pie" TESTFLAGS="-Wl,-pie"
LDFLAGS="$LDFLAGS $TESTFLAGS" LDFLAGS="$LDFLAGS $TESTFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])], AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Setting $TESTFLAGS])],
[ [
LDFLAGS="$OLDLDFLAGS" LDFLAGS="$OLDLDFLAGS"
TESTFLAGS="-pie" TESTFLAGS="-pie"
LDFLAGS="$LDFLAGS $TESTFLAGS" LDFLAGS="$LDFLAGS $TESTFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])], AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
) )
] ]
@ -98,8 +98,8 @@ if test "$hardenbuild" -eq 1; then
OLDLDFLAGS="$LDFLAGS" OLDLDFLAGS="$LDFLAGS"
TESTFLAGS="-Wl,-z,now -Wl,-z,relro" TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
LDFLAGS="$LDFLAGS $TESTFLAGS" LDFLAGS="$LDFLAGS $TESTFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])], AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
) )
fi # non-static fi # non-static
@ -107,14 +107,14 @@ if test "$hardenbuild" -eq 1; then
OLDCFLAGS="$CFLAGS" OLDCFLAGS="$CFLAGS"
TESTFLAGS="-fstack-protector-strong" TESTFLAGS="-fstack-protector-strong"
CFLAGS="$CFLAGS $TESTFLAGS" CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Setting $TESTFLAGS])],
[ [
CFLAGS="$OLDCFLAGS" CFLAGS="$OLDCFLAGS"
TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4" TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
CFLAGS="$CFLAGS $TESTFLAGS" CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])], [AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ] [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
) )
] ]
@ -174,7 +174,7 @@ case "$host" in
# OpenSSH thinks it's broken. If it isn't, let me know. # OpenSSH thinks it's broken. If it isn't, let me know.
AC_DEFINE(BROKEN_GETADDRINFO,1,Broken getaddrinfo) AC_DEFINE(BROKEN_GETADDRINFO,1,Broken getaddrinfo)
;; ;;
*-*-hpux*) *-*-hpux*)
LIBS="$LIBS -lsec" LIBS="$LIBS -lsec"
# It's probably broken. # It's probably broken.
@ -191,7 +191,7 @@ AC_CHECK_TOOL(STRIP, strip, :)
AC_CHECK_TOOL(INSTALL, install, :) AC_CHECK_TOOL(INSTALL, install, :)
dnl Can't use login() or logout() with uclibc dnl Can't use login() or logout() with uclibc
AC_CHECK_DECL(__UCLIBC__, AC_CHECK_DECL(__UCLIBC__,
[ [
no_loginfunc_check=1 no_loginfunc_check=1
AC_MSG_NOTICE([Using uClibc - login() and logout() probably don't work, so we won't use them.]) AC_MSG_NOTICE([Using uClibc - login() and logout() probably don't work, so we won't use them.])
@ -199,14 +199,14 @@ AC_CHECK_DECL(__UCLIBC__,
dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt
dnl but we don't want link all binaries to -lcrypt, just dropbear server. dnl but we don't want link all binaries to -lcrypt, just dropbear server.
dnl OS X doesn't need -lcrypt dnl OS X doesn't need -lcrypt
AC_CHECK_FUNC(crypt, found_crypt_func=here) AC_CHECK_FUNC(crypt, found_crypt_func=here)
AC_CHECK_LIB(crypt, crypt, AC_CHECK_LIB(crypt, crypt,
[ [
CRYPTLIB="-lcrypt" CRYPTLIB="-lcrypt"
found_crypt_func=here found_crypt_func=here
]) ])
AC_SUBST(CRYPTLIB) AC_SUBST(CRYPTLIB)
if test "t$found_crypt_func" = there; then if test "t$found_crypt_func" = there; then
AC_DEFINE(HAVE_CRYPT, 1, [crypt() function]) AC_DEFINE(HAVE_CRYPT, 1, [crypt() function])
fi fi
@ -568,7 +568,7 @@ AC_ARG_ENABLE(bundled-libtom,
) )
if test $BUNDLED_LIBTOM = 1 ; then if test $BUNDLED_LIBTOM = 1 ; then
AC_DEFINE(BUNDLED_LIBTOM,1,Use bundled libtom) AC_DEFINE(BUNDLED_LIBTOM,1,Use bundled libtom)
fi fi
AC_SUBST(LIBTOM_LIBS) AC_SUBST(LIBTOM_LIBS)
@ -641,7 +641,7 @@ AC_ARG_ENABLE(pututxline,
AC_ARG_WITH(lastlog, AC_ARG_WITH(lastlog,
[ --with-lastlog=FILE|DIR specify lastlog location [common locations]], [ --with-lastlog=FILE|DIR specify lastlog location [common locations]],
[ [
if test "x$withval" = "xno" ; then if test "x$withval" = "xno" ; then
AC_DEFINE(DISABLE_LASTLOG) AC_DEFINE(DISABLE_LASTLOG)
else else
conf_lastlog_location=$withval conf_lastlog_location=$withval
@ -716,7 +716,7 @@ fi
if test -n "$conf_lastlog_location"; then if test -n "$conf_lastlog_location"; then
AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location", lastlog file location) AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location", lastlog file location)
fi fi
dnl utmp detection dnl utmp detection
AC_MSG_CHECKING([if your system defines UTMP_FILE]) AC_MSG_CHECKING([if your system defines UTMP_FILE])
@ -746,7 +746,7 @@ if test -z "$conf_utmp_location"; then
fi fi
if test -n "$conf_utmp_location"; then if test -n "$conf_utmp_location"; then
AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", utmp file location) AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", utmp file location)
fi fi
dnl wtmp detection dnl wtmp detection
AC_MSG_CHECKING([if your system defines WTMP_FILE]) AC_MSG_CHECKING([if your system defines WTMP_FILE])
@ -778,7 +778,7 @@ if test -z "$conf_wtmp_location"; then
fi fi
if test -n "$conf_wtmp_location"; then if test -n "$conf_wtmp_location"; then
AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", wtmp file location) AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", wtmp file location)
fi fi
dnl utmpx detection - I don't know any system so perverse as to require dnl utmpx detection - I don't know any system so perverse as to require
@ -806,7 +806,7 @@ if test -z "$conf_utmpx_location"; then
fi fi
else else
AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", utmpx file location) AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", utmpx file location)
fi fi
dnl wtmpx detection dnl wtmpx detection
AC_MSG_CHECKING([if your system defines WTMPX_FILE]) AC_MSG_CHECKING([if your system defines WTMPX_FILE])
@ -833,7 +833,7 @@ if test -z "$conf_wtmpx_location"; then
fi fi
else else
AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", wtmpx file location) AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", wtmpx file location)
fi fi
# Checks for library functions. # Checks for library functions.
AC_PROG_GCC_TRADITIONAL AC_PROG_GCC_TRADITIONAL
@ -869,7 +869,7 @@ fi
AC_EXEEXT AC_EXEEXT
if test $BUNDLED_LIBTOM = 1 ; then if test $BUNDLED_LIBTOM = 1 ; then
(cd $srcdir; find libtomcrypt -type d) | xargs mkdir -pv (cd $srcdir; find libtomcrypt -type d) | xargs mkdir -pv
LIBTOM_FILES="libtomcrypt/Makefile libtommath/Makefile" LIBTOM_FILES="libtomcrypt/Makefile libtommath/Makefile"
fi fi
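Review bot: The link probes for `-fstack-protector-strong` and its `-fstack-protector --param=ssp-buffer-size=4` fallback (hunk at -107,14), and the one inside `DB_TRYADDCFLAGS` (hunk at -23,15), still build `AC_LANG_PROGRAM([])`, an empty `main` with no local buffer. The compiler may therefore emit no canary check at all, and the link can succeed even when the library support the commit message refers to is missing. Switching to `AC_LINK_IFELSE` helps where the flag itself pulls a library into the link, but to exercise the instrumentation the test body should hold a stack array, for example `AC_LANG_PROGRAM([], [[volatile char buf[64]; buf[0] = 0; return buf[0];]])`. A flag that fails the probe is dropped with only an `AC_MSG_NOTICE`, so an unhardened build looks like a hardened one unless the configure output is read; a closing summary of the hardening flags actually in effect would make that visible. The enclosing `if test "$hardenbuild" -eq 1` block starts and ends outside the visible hunks.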