changes/bug11477 0 → 100644 +4 −0 o Minor features: - New --enable-expensive-hardening option to turn on security hardening options that consume nontrivial amounts of CPU and memory. Right now, this includes AddressSanitizer and UbSan. Closes ticket 11477. configure.ac +13 −6 @@ -129,13 +129,13 @@ AC_ARG_ENABLE(gcc-warnings, AC_ARG_ENABLE(gcc-warnings-advisory, AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror])) dnl Adam shostack suggests the following for Windows: dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows dnl This requires that we use gcc and that we add -O2 to the CFLAGS. AC_ARG_ENABLE(gcc-hardening, AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks)) AC_ARG_ENABLE(expensive-hardening, AS_HELP_STRING(--enable-expensive-hardening, enable more expensive compiler hardening; makes Tor slower)) dnl Linker hardening options dnl Currently these options are ELF specific - you can't use this with MacOSX AC_ARG_ENABLE(linker-hardening, @@ -628,6 +628,12 @@ if test x$enable_gcc_hardening != xno; then fi fi if test x$enable_expensive_hardening = xyes ; then TOR_CHECK_CFLAGS([-fsanitize=address]) TOR_CHECK_CFLAGS([-fsanitize=undefined]) TOR_CHECK_CFLAGS([-fno-omit-frame-pointer]) fi if test x$enable_linker_hardening != xno; then TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check") fi
@@ -640,10 +646,11 @@ dnl Now see if we have a -fomit-frame-pointer compiler option. saved_CFLAGS="$CFLAGS" TOR_CHECK_CFLAGS(-fomit-frame-pointer) F_OMIT_FRAME_POINTER='' if test "$saved_CFLAGS" != "$CFLAGS"; then if test x$enable_expensive_hardening != xyes ; then F_OMIT_FRAME_POINTER='-fomit-frame-pointer' else F_OMIT_FRAME_POINTER='' fi fi CFLAGS="$saved_CFLAGS" AC_SUBST(F_OMIT_FRAME_POINTER)
changes/bug11477 0 → 100644 +4 −0 o Minor features: - New --enable-expensive-hardening option to turn on security hardening options that consume nontrivial amounts of CPU and memory. Right now, this includes AddressSanitizer and UbSan. Closes ticket 11477.
configure.ac +13 −6 @@ -129,13 +129,13 @@ AC_ARG_ENABLE(gcc-warnings, AC_ARG_ENABLE(gcc-warnings-advisory, AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror])) dnl Adam shostack suggests the following for Windows: dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows dnl This requires that we use gcc and that we add -O2 to the CFLAGS. AC_ARG_ENABLE(gcc-hardening, AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks)) AC_ARG_ENABLE(expensive-hardening, AS_HELP_STRING(--enable-expensive-hardening, enable more expensive compiler hardening; makes Tor slower)) dnl Linker hardening options dnl Currently these options are ELF specific - you can't use this with MacOSX AC_ARG_ENABLE(linker-hardening, @@ -628,6 +628,12 @@ if test x$enable_gcc_hardening != xno; then fi fi if test x$enable_expensive_hardening = xyes ; then TOR_CHECK_CFLAGS([-fsanitize=address]) TOR_CHECK_CFLAGS([-fsanitize=undefined]) TOR_CHECK_CFLAGS([-fno-omit-frame-pointer]) fi if test x$enable_linker_hardening != xno; then TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check") fi @@ -640,10 +646,11 @@ dnl Now see if we have a -fomit-frame-pointer compiler option. saved_CFLAGS="$CFLAGS" TOR_CHECK_CFLAGS(-fomit-frame-pointer) F_OMIT_FRAME_POINTER='' if test "$saved_CFLAGS" != "$CFLAGS"; then if test x$enable_expensive_hardening != xyes ; then F_OMIT_FRAME_POINTER='-fomit-frame-pointer' else F_OMIT_FRAME_POINTER='' fi fi CFLAGS="$saved_CFLAGS" AC_SUBST(F_OMIT_FRAME_POINTER)
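Review bot: In the new `if test x$enable_expensive_hardening = xyes` block, the build silently loses the sanitizers when the compiler rejects `-fsanitize=address` or `-fsanitize=undefined`. The last hunk detects flag support by comparing `$saved_CFLAGS` with `$CFLAGS` after `TOR_CHECK_CFLAGS`, which suggests the macro just leaves CFLAGS unchanged for an unsupported flag (the macro is defined outside this page, so this is inferred). Someone who explicitly passes --enable-expensive-hardening would then get a binary without the requested checks and no error; a check after the three calls would make that visible, for example `case "$CFLAGS" in *-fsanitize=address*) ;; *) AC_MSG_ERROR([--enable-expensive-hardening was requested but -fsanitize=address is not supported]) ;; esac`. The block would also benefit from a `dnl` comment noting that `-fsanitize=undefined` reports and continues by default, so it detects undefined behaviour rather than stopping it unless a non-recovering mode is enabled as well.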