hey libreswan folks-- i notice that mk/userland-cflags.mk has -fstack-protector-all set inside USERCOMPILE.
However, there are at least two debian unofficial architectures (alpha and hppa) where gcc doesn't have -fstack-protector available.

A couple example builds from those arches:

https://buildd.debian.org/status/fetch.php?pkg=libreswan&arch=alpha&ver=3.19-1&stamp=1485414786&raw=0
https://buildd.debian.org/status/fetch.php?pkg=libreswan&arch=hppa&ver=3.19-2&stamp=1486145521&raw=0

they fail with:

--------
make[5]: Entering directory '/<<PKGBUILDDIR>>/OBJ.linux.parisc64/lib/libswan'
cc -g -O2 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -Wformat -Werror=format-security -I/<<PKGBUILDDIR>>/lib/libcrypto/libsha2 -I/<<PKGBUILDDIR>>/lib/libcrypto/libaes_xcbc -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I. -I/<<PKGBUILDDIR>>/linux/net/ipsec -I/<<PKGBUILDDIR>>/linux/include -I/<<PKGBUILDDIR>> -DPFKEYV2 -I/usr/include/nss -I/usr/include/nspr -I/<<PKGBUILDDIR>>/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -std=gnu99 -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DFORCE_PR_ASSERT -DDNSSEC -DLIBCURL -DLDAP_VER=3 -DHAVE_NM -DUSE_MD5 -DUSE_SHA2 -DUSE_SHA1 -DUSE_AES -DUSE_3DES -DUSE_CAMELLIA -DUSE_SERPENT -DUSE_TWOFISH -DUSE_CAST -DUSE_RIPEMD -DFIPSPRODUCTCHECK=\"/etc/system-fips\" -DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/lib/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" -DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DRETRANSMIT_INTERVAL_DEFAULT="500" -DUSE_FORK=1 -DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT -DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations -Wredundant-decls -Wnested-externs -I/<<PKGBUILDDIR>>/lib/libcrypto/libsha2 -I/<<PKGBUILDDIR>>/lib/libcrypto/libaes_xcbc -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I. -I/<<PKGBUILDDIR>>/linux/net/ipsec -I/<<PKGBUILDDIR>>/linux/include -I/<<PKGBUILDDIR>> -DPFKEYV2 -I/usr/include/nss -I/usr/include/nspr -I/<<PKGBUILDDIR>>/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -std=gnu99 -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DFORCE_PR_ASSERT -DDNSSEC -DLIBCURL -DLDAP_VER=3 -DHAVE_NM -DUSE_MD5 -DUSE_SHA2 -DUSE_SHA1 -DUSE_AES -DUSE_3DES -DUSE_CAMELLIA -DUSE_SERPENT -DUSE_TWOFISH -DUSE_CAST -DUSE_RIPEMD -DFIPSPRODUCTCHECK=\"/etc/system-fips\" -DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" -DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/lib/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" -DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DRETRANSMIT_INTERVAL_DEFAULT="500" -DUSE_FORK=1 -DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT -DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations -Wredundant-decls -Wnested-externs -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include -I/<<PKGBUILDDIR>>/ports/linux/include \
 -MMD -MF ./addrtoa.d \
 -o ./addrtoa.o \
 -c /<<PKGBUILDDIR>>/linux/net/ipsec/addrtoa.c
cc1: error: -fstack-protector not supported for this target [-Werror]
cc1: all warnings being treated as errors
../../../mk/depend.mk:28: recipe for target 'addrtoa.o' failed
make[5]: *** [addrtoa.o] Error 1
--------

It's not going to be the end of the world if libreswan doesn't build on these architectures (i can just mark it as explicitly not for those arches if you prefer), but otoh, it might be nice if we could build there anyway.

Would you consider making the build flag optional somehow, or only enabling it if it's detected to be available? or should i mark libreswan as not for those architectures?

You can detect it with something like:

    printf 'int main() { return 0;}' | gcc -x c -fstack-protector-all -

(note that this will create a.out in the current directory)

--dkg
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
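
The detection idea from the message above, written out as an added example (not part of the original message or of libreswan's build system). The helper names cc_supports_flag and supported_flags are hypothetical. The probe passes -Werror because the build log shows the unsupported flag reported as a warning that fails the build only through -Werror, and it works in a temporary directory so no a.out is left behind.

```shell
#!/bin/sh
# Added example: probe whether a compiler accepts a hardening flag before
# putting it into the build's compile flags.
# cc_supports_flag and supported_flags are hypothetical helper names.

# cc_supports_flag CC FLAG
# Returns 0 if CC compiles and links a trivial program with FLAG, 1 if not.
cc_supports_flag() {
    _cc=$1
    _flag=$2
    # Private temp dir: the probe output never lands in the current directory.
    _dir=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$_dir/probe.c"
    # -Werror turns "not supported for this target" into a hard failure,
    # matching how the real build (which uses -Werror) behaves.
    if "$_cc" -Werror "$_flag" "$_dir/probe.c" -o "$_dir/probe" >/dev/null 2>&1
    then
        _rc=0
    else
        _rc=1
    fi
    rm -rf "$_dir"
    return "$_rc"
}

# supported_flags CC FLAG...
# Prints, space separated, the subset of FLAGs that CC accepts.
supported_flags() {
    _cc=$1
    shift
    _out=
    for _f in "$@"; do
        if cc_supports_flag "$_cc" "$_f"; then
            _out="${_out:+$_out }$_f"
        fi
    done
    printf '%s\n' "$_out"
}

# Usage from a build wrapper (CC defaults to cc):
#   HARDENING=$(supported_flags "${CC:-cc}" -fstack-protector-all)
```

On a target without stack protector support the result is an empty string, so the build proceeds without the flag instead of failing; logging which flags were dropped keeps the loss of hardening visible.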
