From 19b4e355a6a9e67d06f8167867e6266e4005114c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lo=C3=AFc=20Gomez?= Date: Wed, 31 Jan 2024 22:27:45 +0900 Subject: [PATCH] Move strict gcc compilation flags to configure.ac to avoid breaking incompatible environments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Move gcc hardening/warning/advanced warnings flags to configure.ac to avoid breaking incompatible environments - Use -Warith-conversion only with gcc 10 and later - Keep -Wundef -Wpedantic enabled globally Signed-off-by: Loïc Gomez --- configure.ac | 68 +++++++++++++++++++++++++++++++++++++++++++++++++ src/Makefile.am | 7 +---- 2 files changed, 69 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index 02c3915..b274b0d 100644 --- a/configure.ac +++ b/configure.ac @@ -94,6 +94,74 @@ if test "$ap_cv_cc_pie" = "yes"; then enable_pie=yes fi + +AC_CACHE_CHECK([whether $CC accepts hardening flags], [ap_cv_cc_hardening], [ + save_CFLAGS=$CFLAGS + save_LDFLAGS=$LDFLAGS + CFLAGS="$CFLAGS -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code" + AC_RUN_IFELSE([AC_LANG_SOURCE([[static int foo[30000]; int main () { return 0; }]])], + [ap_cv_cc_hardening=yes], + [ap_cv_cc_hardening=no], + [ap_cv_cc_hardening=yes] + ) + CFLAGS=$save_CFLAGS +]) +if test "$ap_cv_cc_hardening" = "yes"; then + CFLAGS="$CFLAGS -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code" + enable_cc_hardening=yes +fi + +AC_CACHE_CHECK([whether $CC accepts some warning flags], [ap_cv_cc_warnings], [ + save_CFLAGS=$CFLAGS + save_LDFLAGS=$LDFLAGS + CFLAGS="$CFLAGS -Wformat-overflow=2 -Wformat-truncation=2 -Wtrampolines -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wstringop-overflow=4 -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wstack-usage=1000000 -Wcast-align=strict" + AC_RUN_IFELSE([AC_LANG_SOURCE([[static int foo[30000]; int main () { return 0; }]])], + [ap_cv_cc_warnings=yes], + [ap_cv_cc_warnings=no], + [ap_cv_cc_warnings=yes] + ) + CFLAGS=$save_CFLAGS +]) +if test "$ap_cv_cc_warnings" = "yes"; then + CFLAGS="$CFLAGS -Wformat-overflow=2 -Wformat-truncation=2 -Wtrampolines -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wstringop-overflow=4 -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wstack-usage=1000000 -Wcast-align=strict" + enable_cc_warnings=yes +fi + +AC_CACHE_CHECK([whether $CC accepts some supplementary warning flags], [ap_cv_cc_warnings2], [ + save_CFLAGS=$CFLAGS + save_LDFLAGS=$LDFLAGS + CFLAGS="$CFLAGS -Wformat=2 -Wformat-security -Wnull-dereference -Wstack-protector -Walloca -Wvla -Wcast-qual -Wconversion -Wshadow -Wstrict-overflow=4 -Wstrict-prototypes -Wswitch-default -Wswitch-enum" + AC_RUN_IFELSE([AC_LANG_SOURCE([[static int foo[30000]; int main () { return 0; }]])], + [ap_cv_cc_warnings2=yes], + [ap_cv_cc_warnings2=no], + [ap_cv_cc_warnings2=yes] + ) + CFLAGS=$save_CFLAGS +]) +if test "$ap_cv_cc_warnings2" = "yes"; then + CFLAGS="$CFLAGS -Wformat=2 -Wformat-security -Wnull-dereference -Wstack-protector -Walloca -Wvla -Wcast-qual -Wconversion -Wshadow -Wstrict-overflow=4 -Wstrict-prototypes -Wswitch-default -Wswitch-enum" + enable_cc_warnings2=yes +fi + + + +AC_CACHE_CHECK([whether $CC accepts -Warith-conversion flag], [ap_cv_cc_warith], [ + save_CFLAGS=$CFLAGS + save_LDFLAGS=$LDFLAGS + CFLAGS="$CFLAGS -Warith-conversion" + AC_RUN_IFELSE([AC_LANG_SOURCE([[static int foo[30000]; int main () { return 0; }]])], + [ap_cv_cc_warith=yes], + [ap_cv_cc_warith=no], + [ap_cv_cc_warith=yes] + ) + CFLAGS=$save_CFLAGS +]) +if test "$ap_cv_cc_warith" = "yes"; then + CFLAGS="$CFLAGS -Warith-conversion" + enable_warith_conversion=yes +fi + + PKG_CHECK_MODULES([CHECK], [check >= 0.9.6], [enable_tests=yes], [enable_tests=no]) AM_CONDITIONAL([COND_WANT_TESTS], [test "$enable_tests" = yes]) diff --git a/src/Makefile.am b/src/Makefile.am index 57b8992..4e03bc4 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -36,9 +36,4 @@ bipmkpw_LDADD = libbip.a libbiplex.a $(OPENSSL_LIBS) AM_YFLAGS= -d BUILT_SOURCES = conf.c conf.h lex.c -AM_CFLAGS=-Wall -Wextra -Werror \ - -O2 \ - -D_FORTIFY_SOURCE=2 \ - -fstack-protector-strong -fstack-clash-protection \ - -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,-z,separate-code \ - -Wpedantic -Wformat=2 -Wformat-overflow=2 -Wformat-truncation=2 -Wformat-security -Wnull-dereference -Wstack-protector -Wtrampolines -Walloca -Wvla -Warray-bounds=2 -Wimplicit-fallthrough=3 -Wtraditional-conversion -Wshift-overflow=2 -Wcast-qual -Wstringop-overflow=4 -Wconversion -Warith-conversion -Wlogical-op -Wduplicated-cond -Wduplicated-branches -Wformat-signedness -Wshadow -Wstrict-overflow=4 -Wundef -Wstrict-prototypes -Wswitch-default -Wswitch-enum -Wstack-usage=1000000 -Wcast-align=strict +AM_CFLAGS=-Wall -Wextra -Werror -Wundef -Wpedantic