diff options
Diffstat (limited to '')
| -rw-r--r-- | VERSION | 2 | ||||
| -rw-r--r-- | import.sh | 2 | ||||
| -rw-r--r-- | m4/ax_add_fortify_source.m4 | 80 | ||||
| -rw-r--r-- | m4/ax_check_compile_flag.m4 | 53 | ||||
| -rw-r--r-- | m4/check-hardening-options.m4 | 2 |
5 files changed, 137 insertions, 2 deletions
diff --git a/VERSION b/VERSION index 252fb77..667b8b1 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -3.2.0 +3.2.1 diff --git a/import.sh b/import.sh index 1c95070..5da49ba 100644 --- a/import.sh +++ b/import.sh @@ -30,6 +30,8 @@ tar -x -f "${input}" --strip-components 1 \ 'libressl-*/include/compat/win32netcompat.h' \ 'libressl-*/include/tls.h' \ 'libressl-*/libtls.pc.in' \ + 'libressl-*/m4/ax_add_fortify_source.m4' \ + 'libressl-*/m4/ax_check_compile_flag.m4' \ 'libressl-*/m4/check-hardening-options.m4' \ 'libressl-*/m4/check-libc.m4' \ 'libressl-*/m4/check-os-options.m4' \ diff --git a/m4/ax_add_fortify_source.m4 b/m4/ax_add_fortify_source.m4 new file mode 100644 index 0000000..7e15312 --- /dev/null +++ b/m4/ax_add_fortify_source.m4 @@ -0,0 +1,80 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_add_fortify_source.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_ADD_FORTIFY_SOURCE +# +# DESCRIPTION +# +# Check whether -D_FORTIFY_SOURCE=2 can be added to CPPFLAGS without macro +# redefinition warnings, other cpp warnings or linker. Some distributions +# (such as Gentoo Linux) enable _FORTIFY_SOURCE globally in their +# compilers, leading to unnecessary warnings in the form of +# +# <command-line>:0:0: error: "_FORTIFY_SOURCE" redefined [-Werror] +# <built-in>: note: this is the location of the previous definition +# +# which is a problem if -Werror is enabled. This macro checks whether +# _FORTIFY_SOURCE is already defined, and if not, adds -D_FORTIFY_SOURCE=2 +# to CPPFLAGS. +# +# Newer mingw-w64 msys2 package comes with a bug in +# headers-git-7.0.0.5546.d200317d-1. It broke -D_FORTIFY_SOURCE support, +# and would need -lssp or -fstack-protector. See +# https://github.com/msys2/MINGW-packages/issues/5803. Try to actually +# link it. +# +# LICENSE +# +# Copyright (c) 2017 David Seifert <soap@gentoo.org> +# Copyright (c) 2019 Reini Urban <rurban@cpan.org> +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 4 + +AC_DEFUN([AX_ADD_FORTIFY_SOURCE],[ + ac_save_cflags=$CFLAGS + ac_cwerror_flag=yes + AX_CHECK_COMPILE_FLAG([-Werror],[CFLAGS="$CFLAGS -Werror"]) + AC_MSG_CHECKING([whether to add -D_FORTIFY_SOURCE=2 to CPPFLAGS]) + AC_LINK_IFELSE([ + AC_LANG_PROGRAM([], + [[ + #ifndef _FORTIFY_SOURCE + return 0; + #else + this_is_an_error; + #endif + ]] + )], + AC_LINK_IFELSE([ + AC_LANG_SOURCE([[ + #define _FORTIFY_SOURCE 2 + #include <string.h> + int main() { + char *s = " "; + strcpy(s, "x"); + return strlen(s)-1; + } + ]] + )], + [ + AC_MSG_RESULT([yes]) + CFLAGS=$ac_save_cflags + CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2" + ], [ + AC_MSG_RESULT([no]) + CFLAGS=$ac_save_cflags + ], + ), + [ + AC_MSG_RESULT([no]) + CFLAGS=$ac_save_cflags + ]) +]) diff --git a/m4/ax_check_compile_flag.m4 b/m4/ax_check_compile_flag.m4 new file mode 100644 index 0000000..bd753b3 --- /dev/null +++ b/m4/ax_check_compile_flag.m4 @@ -0,0 +1,53 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT]) +# +# DESCRIPTION +# +# Check whether the given FLAG works with the current language's compiler +# or gives an error. (Warnings, however, are ignored) +# +# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on +# success/failure. +# +# If EXTRA-FLAGS is defined, it is added to the current language's default +# flags (e.g. CFLAGS) when the check is done. The check is thus made with +# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to +# force the compiler to issue an error when a bad flag is given. +# +# INPUT gives an alternative input source to AC_COMPILE_IFELSE. +# +# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this +# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de> +# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com> +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 6 + +AC_DEFUN([AX_CHECK_COMPILE_FLAG], +[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl +AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [ + ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS + _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1" + AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])], + [AS_VAR_SET(CACHEVAR,[yes])], + [AS_VAR_SET(CACHEVAR,[no])]) + _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags]) +AS_VAR_IF(CACHEVAR,yes, + [m4_default([$2], :)], + [m4_default([$3], :)]) +AS_VAR_POPDEF([CACHEVAR])dnl +])dnl AX_CHECK_COMPILE_FLAGS diff --git a/m4/check-hardening-options.m4 b/m4/check-hardening-options.m4 index 3ffdb1a..869f00b 100644 --- a/m4/check-hardening-options.m4 +++ b/m4/check-hardening-options.m4 @@ -73,7 +73,7 @@ AC_DEFUN([CHECK_C_HARDENING_OPTIONS], [ CHECK_CFLAG([[-fno-strict-overflow]]) # _FORTIFY_SOURCE replaces builtin functions with safer versions. - CHECK_CFLAG([[-D_FORTIFY_SOURCE=2]]) + AX_ADD_FORTIFY_SOURCE # Enable read only relocations CHECK_LDFLAG([[-Wl,-z,relro]]) |