depends: add NO_HARDEN option

Add an option that when passed, will disable hardening options, and pass `--disable-hardening` through to configure. Due to the way we link libssp for Windows builds, they now fail (after #27118), if building with depends, and configuring with --disable-hardening. See: https://github.com/bitcoin/bitcoin/pull/27118#issuecomment-1492606272. This change would add a depends opiton such that, if someone wants to build with, for windows, without hardening, they can do so. This may also be useful when building for debugging.
2 years ago · 436df1e826
parent 369d4c03b7
commit 436df1e826
5 changed files with 18 additions and 4 deletions
--- a/depends/Makefile
+++ b/depends/Makefile
@ -45,6 +45,7 @@ NO_USDT ?=
 NO_NATPMP ?=
 MULTIPROCESS ?=
 LTO ?=
+NO_HARDEN ?=
 FALLBACK_DOWNLOAD_PATH ?= https://bitcoincore.org/depends-sources

 C_STANDARD ?= c11
@ -146,8 +147,8 @@ include packages/packages.mk
 #     2. Before including packages/*.mk (excluding packages/packages.mk), since
 #        they rely on the build_id variables
 #
-build_id:=$(shell env CC='$(build_CC)' C_STANDARD='$(C_STANDARD)' CXX='$(build_CXX)' CXX_STANDARD='$(CXX_STANDARD)' AR='$(build_AR)' RANLIB='$(build_RANLIB)' STRIP='$(build_STRIP)' SHA256SUM='$(build_SHA256SUM)' DEBUG='$(DEBUG)' LTO='$(LTO)' ./gen_id '$(BUILD_ID_SALT)' 'GUIX_ENVIRONMENT=$(realpath $(GUIX_ENVIRONMENT))')
-$(host_arch)_$(host_os)_id:=$(shell env CC='$(host_CC)' C_STANDARD='$(C_STANDARD)' CXX='$(host_CXX)' CXX_STANDARD='$(CXX_STANDARD)' AR='$(host_AR)' RANLIB='$(host_RANLIB)' STRIP='$(host_STRIP)' SHA256SUM='$(build_SHA256SUM)' DEBUG='$(DEBUG)' LTO='$(LTO)' ./gen_id '$(HOST_ID_SALT)' 'GUIX_ENVIRONMENT=$(realpath $(GUIX_ENVIRONMENT))')
+build_id:=$(shell env CC='$(build_CC)' C_STANDARD='$(C_STANDARD)' CXX='$(build_CXX)' CXX_STANDARD='$(CXX_STANDARD)' AR='$(build_AR)' RANLIB='$(build_RANLIB)' STRIP='$(build_STRIP)' SHA256SUM='$(build_SHA256SUM)' DEBUG='$(DEBUG)' LTO='$(LTO)' NO_HARDEN='$(NO_HARDEN)' ./gen_id '$(BUILD_ID_SALT)' 'GUIX_ENVIRONMENT=$(realpath $(GUIX_ENVIRONMENT))')
+$(host_arch)_$(host_os)_id:=$(shell env CC='$(host_CC)' C_STANDARD='$(C_STANDARD)' CXX='$(host_CXX)' CXX_STANDARD='$(CXX_STANDARD)' AR='$(host_AR)' RANLIB='$(host_RANLIB)' STRIP='$(host_STRIP)' SHA256SUM='$(build_SHA256SUM)' DEBUG='$(DEBUG)' LTO='$(LTO)' NO_HARDEN='$(NO_HARDEN)' ./gen_id '$(HOST_ID_SALT)' 'GUIX_ENVIRONMENT=$(realpath $(GUIX_ENVIRONMENT))')

 boost_packages_$(NO_BOOST) = $(boost_packages)

@ -253,6 +254,7 @@ $(host_prefix)/share/config.site : config.site.in $(host_prefix)/.stamp_$(final_
            -e 's|@no_natpmp@|$(NO_NATPMP)|' \
            -e 's|@multiprocess@|$(MULTIPROCESS)|' \
            -e 's|@lto@|$(LTO)|' \
+            -e 's|@no_harden@|$(NO_HARDEN)|' \
            -e 's|@debug@|$(DEBUG)|' \
            $< > $@
 	touch $@
--- a/depends/README.md
+++ b/depends/README.md
@ -123,6 +123,7 @@ The following can be set when running make: `make FOO=bar`
  resides in the `depends` directory, and the log file is printed out automatically in case
  of build error. After successful build log files are moved along with package archives
 - `LTO`: Use LTO when building packages.
+- `NO_HARDEN=1`: Don't use hardening options when building packages

 If some packages are not built, for example `make NO_WALLET=1`, the appropriate
 options will be passed to bitcoin's configure. In this case, `--disable-wallet`.
--- a/depends/config.site.in
+++ b/depends/config.site.in
@ -82,6 +82,10 @@ if test -z "$enable_lto" && test -n "@lto@"; then
  enable_lto=yes
 fi

+if test -z "$enable_hardening" && test -n "@no_harden@"; then
+  enable_hardening=no
+fi
+
 PKG_CONFIG="$(which pkg-config) --static"

 PKG_CONFIG_PATH="${depends_prefix}/share/pkgconfig:${depends_prefix}/lib/pkgconfig"
--- a/depends/gen_id
+++ b/depends/gen_id
@ -2,7 +2,7 @@

 # Usage: env [ CC=... ] [ C_STANDARD=...] [ CXX=... ] [CXX_STANDARD=...] \
 #            [ AR=... ] [ RANLIB=... ] [ STRIP=... ] [ DEBUG=... ] \
-#            [ LTO=... ] ./build-id [ID_SALT]...
+#            [ LTO=... ] [ NO_HARDEN=... ] ./build-id [ID_SALT]...
 #
 # Prints to stdout a SHA256 hash representing the current toolset, used by
 # depends/Makefile as a build id for caching purposes (detecting when the
@ -70,6 +70,10 @@
    echo "LTO=${LTO}"
    echo "END LTO"

+    echo "BEGIN NO_HARDEN"
+    echo "NO_HARDEN=${NO_HARDEN}"
+    echo "END NO_HARDEN"
+
    echo "END ALL"
 ) | if [ -n "$DEBUG" ] && command -v tee > /dev/null 2>&1; then
        # When debugging and `tee` is available, output the preimage to stderr
--- a/depends/packages/libevent.mk
+++ b/depends/packages/libevent.mk
@ -16,8 +16,11 @@ define $(package)_set_vars
  $(package)_config_opts_netbsd=--with-pic
  $(package)_config_opts_openbsd=--with-pic
  $(package)_config_opts_android=--with-pic
-  $(package)_cppflags+=-D_FORTIFY_SOURCE=3
  $(package)_cppflags_mingw32=-D_WIN32_WINNT=0x0601
+
+  ifeq ($(NO_HARDEN),)
+  $(package)_cppflags+=-D_FORTIFY_SOURCE=3
+  endif
 endef

 define $(package)_preprocess_cmds