Limit some of the hardening tests to compilers that define __GNUC__.

This should avoid false positives on other compilers.

configure

@@ -31317,7 +31317,7 @@ then :
 fi
 
 
-if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes" -a -n "$GCC"; then
+if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes"; then
     { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -static-libgcc" >&5
 printf %s "checking whether C compiler accepts -static-libgcc... " >&6; }
 if test ${ax_cv_check_cflags___static_libgcc+y}
@@ -32930,7 +32930,7 @@ printf "%s\n" "$sudo_cv_use_fortify_source" >&6; }
 	    CPPFLAGS="$O_CPPFLAGS"
 	fi
 
-				if test "$enable_ssp" != "no"; then
+				if test -n "$GCC" -a "$enable_ssp" != "no"; then
 	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for compiler stack protector support" >&5
 printf %s "checking for compiler stack protector support... " >&6; }
 if test ${sudo_cv_var_stack_protector+y}
@@ -33048,19 +33048,20 @@ printf "%s\n" "$sudo_cv_var_stack_protector" >&6; }
 	# machine-specific code does not support it.  We use a test program
 	# with a large stack allocation to try to cause the compiler to
 	# insert the stack clash protection code, or fail if not supported.
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler supports -fstack-clash-protection" >&5
+	if test -n "$GCC"; then
+	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler supports -fstack-clash-protection" >&5
 printf %s "checking whether C compiler supports -fstack-clash-protection... " >&6; }
 if test ${sudo_cv_check_cflags___fstack_clash_protection+y}
 then :
   printf %s "(cached) " >&6
 else case e in #(
   e)
-		_CFLAGS="$CFLAGS"
+		    _CFLAGS="$CFLAGS"
-		CFLAGS="$CFLAGS -fstack-clash-protection"
+		    CFLAGS="$CFLAGS -fstack-clash-protection"
-		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+		    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-		    int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; }
+			int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; }
 
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"
@@ -33071,15 +33072,15 @@ else case e in #(
 esac
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
-		CFLAGS="$_CFLAGS"
+		    CFLAGS="$_CFLAGS"
 
-	 ;;
+	     ;;
 esac
 fi
 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_check_cflags___fstack_clash_protection" >&5
 printf "%s\n" "$sudo_cv_check_cflags___fstack_clash_protection" >&6; }
-	if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
+	    if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
-	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-clash-protection" >&5
+		{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-clash-protection" >&5
 printf %s "checking whether the linker accepts -fstack-clash-protection... " >&6; }
 if test ${ax_cv_check_ldflags___fstack_clash_protection+y}
 then :
@@ -33190,10 +33191,10 @@ else case e in #(
 esac
 fi
 
-	fi
+	    fi
 
-	# Check for control-flow transfer instrumentation (Intel CET).
+	    # Check for control-flow transfer instrumentation (Intel CET).
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5
+	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fcf-protection" >&5
 printf %s "checking whether C compiler accepts -fcf-protection... " >&6; }
 if test ${ax_cv_check_cflags___fcf_protection+y}
 then :
@@ -33229,7 +33230,7 @@ printf "%s\n" "$ax_cv_check_cflags___fcf_protection" >&6; }
 if test "x$ax_cv_check_cflags___fcf_protection" = xyes
 then :
 
-	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5
+		{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fcf-protection" >&5
 printf %s "checking whether the linker accepts -fcf-protection... " >&6; }
 if test ${ax_cv_check_ldflags___fcf_protection+y}
 then :
@@ -33346,6 +33347,7 @@ else case e in #(
 esac
 fi
 
+	fi
 
 	# Linker-specific hardening flags.
 	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5

configure.ac

@@ -4024,7 +4024,7 @@ dnl If compiler supports the -static-libgcc flag use it unless we have
 dnl GNU ld (which can avoid linking in libgcc when it is not needed).
 dnl This test relies on AC_LANG_WERROR
 dnl
-if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes" -a -n "$GCC"; then
+if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes"; then
     AX_CHECK_COMPILE_FLAG([-static-libgcc], [AX_APPEND_FLAG([-Wc,-static-libgcc], [LT_LDFLAGS])])
 fi
 

m4/hardening.m4

@@ -30,7 +30,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
 	dnl
 	dnl The following tests rely on AC_LANG_WERROR.
 	dnl
-	if test "$enable_ssp" != "no"; then
+	if test -n "$GCC" -a "$enable_ssp" != "no"; then
 	    AC_CACHE_CHECK([for compiler stack protector support],
 		[sudo_cv_var_stack_protector],
 		[
@@ -86,32 +86,34 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
 	# machine-specific code does not support it.  We use a test program
 	# with a large stack allocation to try to cause the compiler to
 	# insert the stack clash protection code, or fail if not supported.
-	AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
+	if test -n "$GCC"; then
-	    [sudo_cv_check_cflags___fstack_clash_protection],
+	    AC_CACHE_CHECK([whether C compiler supports -fstack-clash-protection],
-	    [
+		[sudo_cv_check_cflags___fstack_clash_protection],
-		_CFLAGS="$CFLAGS"
+		[
-		CFLAGS="$CFLAGS -fstack-clash-protection"
+		    _CFLAGS="$CFLAGS"
-		AC_COMPILE_IFELSE([
+		    CFLAGS="$CFLAGS -fstack-clash-protection"
-		    AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; }]])
+		    AC_COMPILE_IFELSE([
-		], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
+			AC_LANG_SOURCE([[int main(int argc, char *argv[]) { char buf[16384], *src = argv[0], *dst = buf; while ((*dst++ = *src++) != '\0') { continue; } return buf[argc]; }]])
-		CFLAGS="$_CFLAGS"
+		    ], [sudo_cv_check_cflags___fstack_clash_protection=yes], [sudo_cv_check_cflags___fstack_clash_protection=no])
-	    ]
+		    CFLAGS="$_CFLAGS"
-	)
+		]
-	if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
+	    )
-	    AX_CHECK_LINK_FLAG([-fstack-clash-protection], [
+	    if test X"$sudo_cv_check_cflags___fstack_clash_protection" = X"yes"; then
-		AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
+		AX_CHECK_LINK_FLAG([-fstack-clash-protection], [
-		AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
+		    AX_APPEND_FLAG([-fstack-clash-protection], [HARDENING_CFLAGS])
+		    AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [HARDENING_LDFLAGS])
+		])
+	    fi
+
+	    # Check for control-flow transfer instrumentation (Intel CET).
+	    AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+		AX_CHECK_LINK_FLAG([-fcf-protection], [
+		    AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
+		    AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+		])
 	    ])
 	fi
 
-	# Check for control-flow transfer instrumentation (Intel CET).
-	AX_CHECK_COMPILE_FLAG([-fcf-protection], [
-	    AX_CHECK_LINK_FLAG([-fcf-protection], [
-		AX_APPEND_FLAG([-fcf-protection], [HARDENING_CFLAGS])
-		AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
-	    ])
-	])
-
 	# Linker-specific hardening flags.
 	AX_CHECK_LINK_FLAG([-Wl,-z,relro], [AX_APPEND_FLAG([-Wl,-z,relro], [HARDENING_LDFLAGS])])
 	AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now], [HARDENING_LDFLAGS])])