use -fstack-protector-strong when available

With gcc-4.9, a new -fstack-protector-strong flag is available that is
between -fstack-protector (pretty weak) and -fstack-protector-all (pretty
strong) that provides good trade-offs between overhead but still providing
good coverage.  Update the places in glibc that use ssp to use this flag
when it's available.

This also kills off the indirection of hardcoding the flag name in the
Makefiles and adding it based on a have-ssp boolean.  Instead, the build
always expands the $(stack-protector) variable to the best ssp setting.
This makes the build logic a bit simpler and allows people to easily set
to a diff flag like:
	make stack-protector=-fstack-protector-all

ChangeLog

@@ -1,3 +1,15 @@
+2015-10-19  Mike Frysinger  <vapier@gentoo.org>
+
+	* config.make.in (have-ssp): Delete.
+	(stack-protector): New variable.
+	* configure.ac: Delete libc_cv_ssp export.  Add libc_cv_ssp_strong
+	cache test for -fstack-protector-strong.  Export stack_protector to
+	the best ssp flag.
+	* configure: Regenerated.
+	* login/Makefile (pt_chown-cflags): Always add $(stack-protector).
+	* nscd/Makefile (CFLAGS-nscd): Likewise.
+	* resolv/Makefile (CFLAGS-libresolv): Likewise.
+
 2015-10-16  H.J. Lu  <hongjiu.lu@intel.com>
 
 	[BZ #19122]

config.make.in

@@ -56,7 +56,7 @@ old-glibc-headers = @old_glibc_headers@
 unwind-find-fde = @libc_cv_gcc_unwind_find_fde@
 have-forced-unwind = @libc_cv_forced_unwind@
 have-fpie = @libc_cv_fpie@
-have-ssp = @libc_cv_ssp@
+stack-protector = @stack_protector@
 have-selinux = @have_selinux@
 have-libaudit = @have_libaudit@
 have-libcap = @have_libcap@

configure

@@ -621,7 +621,7 @@ LIBGD
 libc_cv_cc_loop_to_function
 libc_cv_cc_submachine
 libc_cv_cc_nofma
-libc_cv_ssp
+stack_protector
 fno_unit_at_a_time
 libc_cv_output_format
 libc_cv_hashstyle
@@ -6050,6 +6050,33 @@ fi
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp" >&5
 $as_echo "$libc_cv_ssp" >&6; }
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -fstack-protector-strong" >&5
+$as_echo_n "checking for -fstack-protector-strong... " >&6; }
+if ${libc_cv_ssp_strong+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -Werror -fstack-protector-strong -xc /dev/null -S -o /dev/null'
+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+  (eval $ac_try) 2>&5
+  ac_status=$?
+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }; }; then :
+  libc_cv_ssp_strong=yes
+else
+  libc_cv_ssp_strong=no
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_ssp_strong" >&5
+$as_echo "$libc_cv_ssp_strong" >&6; }
+
+stack_protector=
+if test "$libc_cv_ssp_strong" = "yes"; then
+  stack_protector="-fstack-protector-strong"
+elif test "$libc_cv_ssp" = "yes"; then
+  stack_protector="-fstack-protector"
+fi
+
 
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc puts quotes around section names" >&5
 $as_echo_n "checking whether cc puts quotes around section names... " >&6; }

configure.ac

@@ -1503,7 +1503,20 @@ LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector],
 		   [libc_cv_ssp=yes],
 		   [libc_cv_ssp=no])
 ])
-AC_SUBST(libc_cv_ssp)
+
+AC_CACHE_CHECK(for -fstack-protector-strong, libc_cv_ssp_strong, [dnl
+LIBC_TRY_CC_OPTION([$CFLAGS $CPPFLAGS -Werror -fstack-protector-strong],
+		   [libc_cv_ssp_strong=yes],
+		   [libc_cv_ssp_strong=no])
+])
+
+stack_protector=
+if test "$libc_cv_ssp_strong" = "yes"; then
+  stack_protector="-fstack-protector-strong"
+elif test "$libc_cv_ssp" = "yes"; then
+  stack_protector="-fstack-protector"
+fi
+AC_SUBST(stack_protector)
 
 AC_CACHE_CHECK(whether cc puts quotes around section names,
 	       libc_cv_have_section_quotes,

login/Makefile

@@ -58,9 +58,7 @@ CFLAGS-getpt.c = -fexceptions
 ifeq (yesyes,$(have-fpie)$(build-shared))
 pt_chown-cflags += $(pie-ccflag)
 endif
-ifeq (yes,$(have-ssp))
+pt_chown-cflags += $(stack-protector)
-pt_chown-cflags += -fstack-protector
-endif
 ifeq (yes,$(have-libcap))
 libcap = -lcap
 endif

nscd/Makefile

@@ -84,9 +84,7 @@ CPPFLAGS-nscd += -D_FORTIFY_SOURCE=2
 ifeq (yesyes,$(have-fpie)$(build-shared))
 CFLAGS-nscd += $(pie-ccflag)
 endif
-ifeq (yes,$(have-ssp))
+CFLAGS-nscd += $(stack-protector)
-CFLAGS-nscd += -fstack-protector
-endif
 
 ifeq (yesyes,$(have-fpie)$(build-shared))
 LDFLAGS-nscd = -Wl,-z,now

resolv/Makefile

@@ -90,9 +90,7 @@ CPPFLAGS += -Dgethostbyname=res_gethostbyname \
 	    -Dgetnetbyname=res_getnetbyname \
 	    -Dgetnetbyaddr=res_getnetbyaddr
 
-ifeq (yes,$(have-ssp))
+CFLAGS-libresolv += $(stack-protector)
-CFLAGS-libresolv += -fstack-protector
-endif
 CFLAGS-res_hconf.c = -fexceptions
 
 # The BIND code elicits some harmless warnings.