|
1b10e48a
|
2016-07-19T12:11:28
|
|
Fix typo in USE_BUILTIN_ARC4RANDOM check
Solaris 11 recently introduced a builtin arc4random in libc which fails the tests in "make check". Found USE_BUILTIN_ARC4RANDOM, but could not get it to work. Apparently, there is a typo in the configure logic rendering USE_BUILTIN_ARC4RANDOM ineffective.
|
|
466e389d
|
2016-04-24T03:29:14
|
|
check linker flags before checking for functions
|
|
d4d040c1
|
2016-02-15T13:39:06
|
|
add things to minimize diffs with OpenNTPD-portable
|
|
35e669fd
|
2016-01-03T20:47:20
|
|
whitelist NetBSD 7.0 native arc4random(3) implementation.
NetBSD 7 improves arc4random(3) over earlier versions by adding fork
detection, stronger assertions on seed failure.
|
|
d0009039
|
2016-01-03T19:08:20
|
|
enable nc on AIX
|
|
53cd105d
|
2015-12-27T22:12:35
|
|
update check for b64_ntop
typo spotted by Jonas 'Sortie' Termansen
|
|
4db1ad67
|
2015-12-07T08:24:41
|
|
installing nc(1) should imply building, even if not whitelisted
|
|
7a82b7c0
|
2015-11-23T02:07:23
|
|
build nc on solaris and cygwin
|
|
24b5a96a
|
2015-10-23T16:19:07
|
|
whitelist nc on other BSDs
|
|
a45e38e9
|
2015-10-17T22:57:59
|
|
disable some tests with 32-bit time_t systems
Also disable use of _mkgmtime, it does not produce correct results.
|
|
4298ac93
|
2015-10-14T23:53:52
|
|
include timegm fallback
|
|
ff52e6f4
|
2015-10-12T15:34:03
|
|
check for pledge(2)
|
|
442cc6f1
|
2015-10-07T08:55:05
|
|
add tame(2) check
|
|
a7f031ba
|
2015-10-01T07:40:26
|
|
add b64_ntop checking and fallback for nc(1)
|
|
497a47c5
|
2015-09-30T08:00:49
|
|
remove incorrect comment
We actually want to only start extending CFLAGS after calling AC_PROG_CC
so we get the default autoconf value (usually just -O2).
|
|
8c90be2a
|
2015-09-13T11:56:41
|
|
allow nc to build on linux and os x
|
|
a787f964
|
2015-09-12T10:51:11
|
|
restrict nc to openbsd builds for now
|
|
9aa4e1d9
|
2015-08-04T19:08:42
|
|
disable strict aliasing on HP-UX C/aC++ compiler
to disable strict aliasing on HP-UX C/aC++, `+Otype_safety=off` is right.
`+Otype_safety=strong` forces ANSI aliasing.
|
|
5d8a1cf7
|
2014-07-10T22:06:10
|
|
add initial CMake and Visual Studio build support
This moves the compatibility include files from include to
include/compat so we can use the awful MS C compiler
<../include/> trick to emulate the GNU #include_next extension.
This also removes a few old compat files we do not need anymore.
|
|
b9291fac
|
2015-07-16T11:34:07
|
|
disable strict aliasing on AIX xlc and HP-UX aC++ compilers
|
|
c1a162d8
|
2015-07-15T20:24:05
|
|
disable strict aliasing by default, noticed by miod@
|
|
54545427
|
2015-06-29T22:51:40
|
|
add check for inet_pton, nudge minimum win32 compat to 0x0501
|
|
b091d236
|
2015-06-13T22:26:58
|
|
fix libtool 2.4.2 stack-protector flag handling
Teach libtool 2.4.2 how to pass -fstack-protector* to the linker so
libssp is properly linked in on some toolchains. See upstream patch:
https://github.com/instantinfrastructure/poky-daisy/blob/master/meta/recipes-devtools/libtool/libtool/respect-fstack-protector.patch
Thanks to kinichiro inoguchi
|
|
04a8eca5
|
2015-06-11T08:47:12
|
|
always check if ssp needs to be linked
|
|
edfc5690
|
2015-05-02T11:13:41
|
|
fix definition of DISABLE_AS_EXECUTABLE_STACK
|
|
d3771a41
|
2015-05-01T07:18:12
|
|
refactor configure into separate m4 macros
this allows for some reusability with libtls
|
|
303b972d
|
2015-01-05T20:14:54
|
|
simplify hardening check logic, disable for mingw
Rather than doing separate linker/compiler checks, just build a
non-empty program with each so that the compiler will actually try to
use the hardening features. Reduce redundancy in the macro calls by just
setting the flag that was just tested.
Also, disable hardening for mingw, since it's trying to use a
libssp-0.dll file that I can't find right now. The detected hardening
flags break mingw builds currently.
|
|
a6c07234
|
2014-12-23T05:24:24
|
|
configure.ac: use executable hardening where available
Where available, enable stack smashing protection, fortify source,
no-strict-overflow, and read only relocations.

Many Linux distributions automatically enable most of these options.
They are no brainers. The difference introduced here is in asking for a
few more aggressive options. An option to disable the more aggressive
options is provided (--disable-hardening). When set, configure will fall
back to the default CFLAGS on the system - in many cases that will still
be hardened. There is no point in going further than that.

Options enabled are:

-fstack-protector-strong is a relatively new GCC-4.9 feature that is
supposed to give a better balance between performance and protection.
-all is considered too aggressive, but was used in Chromium and other
security critical systems until -strong became available. Follow their
lead and use -strong when possible. clang 6.0 supports -all but not
-strong.

_FORTIFY_SOURCE replaces certain unsafe C str* and mem* functions with
more robust equivalents when the compiler can determine the length of
the buffers involved.

-fno-strict-overflow instructs GCC to not make optimizations based on
the assumption that signed arithmetic will wrap around on overflow (e.g.
(short)0x7FFF + 1 == 0). This prevents the optimizer from doing some
unexpected things. Further improvements should trap signed overflows and
reduce the use of signed to refer to naturally unsigned quantities.

I did not set -fPIE (position independent executables). The critical
function of Open/LibreSSL is as a library, not an executable.

Tested on Ubuntu Linux 14.04.1 LTS, OS X 10.10.1 with "make check".

Signed-off-by: Jim Barlow <jim@purplerock.ca>
|
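The probing approach described in commits 303b972d and a6c07234 (build a non-empty program with each flag, prefer -strong over -all), sketched as an added shell example; it is not the project's configure.ac or m4 code. The function names, the test program, and the exact spellings `-O2 -D_FORTIFY_SOURCE=2` and `-Wl,-z,relro` are assumptions of this example.

```shell
#!/bin/sh
# Added example: probe hardening flags by compiling AND linking a non-empty
# program, so a flag that is parsed but cannot be linked (e.g. a missing
# libssp) is rejected instead of breaking the real build later.

# probe_flag CC FLAG -> exit status 0 if CC builds the test program with FLAG.
probe_flag() {
    pf_cc=$1 pf_flag=$2
    pf_dir=$(mktemp -d) || return 1
    # Non-empty body with a stack buffer so the protector has work to do.
    cat > "$pf_dir/t.c" <<'EOF'
#include <string.h>
int main(int argc, char **argv) {
    char buf[16];
    strncpy(buf, argv[0], sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return (int)strlen(buf) > 64 + argc;
}
EOF
    # -Werror turns "unknown option" warnings into hard failures.
    # $pf_flag is left unquoted on purpose: one candidate may hold two words.
    "$pf_cc" -Werror $pf_flag -o "$pf_dir/t" "$pf_dir/t.c" >/dev/null 2>&1
    pf_rc=$?
    rm -rf "$pf_dir"
    return $pf_rc
}

# select_hardening_flags CC -> prints the accepted flags on one line.
select_hardening_flags() {
    sh_cc=$1 sh_out=
    # Prefer -strong; fall back to -all when -strong is not supported.
    for sh_f in -fstack-protector-strong -fstack-protector-all; do
        if probe_flag "$sh_cc" "$sh_f"; then sh_out=$sh_f; break; fi
    done
    # Remaining options are independent: keep each one that builds.
    for sh_f in "-O2 -D_FORTIFY_SOURCE=2" -fno-strict-overflow -Wl,-z,relro; do
        if probe_flag "$sh_cc" "$sh_f"; then sh_out="$sh_out${sh_out:+ }$sh_f"; fi
    done
    printf '%s\n' "$sh_out"
}

# Report what the local toolchain accepts (empty line if no compiler found).
select_hardening_flags "${CC:-cc}"
```

A toolchain that accepts -all but not -strong, or that has no relro support in its linker, simply yields a shorter list rather than a failed build.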