* configure.ac: New option --enable-noexecstack.

* Makefile.am (ASFLAGS): Renamed to AM_CCASFLAGS and added the
variable for non exectubale stack options.  Adapted users.

8 files changed, 49 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index ae97753ec..fb886e968 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2005-03-11  Werner Koch  <[email protected]>
+
+	* configure.ac: New option --enable-noexecstack. 
+
 2005-02-16  Werner Koch  <[email protected]>
 
 	Released 1.4.1rc2.
diff --git a/NEWS b/NEWS
index cb23aa9d4..193c77d6a 100644
--- a/NEWS
+++ b/NEWS
@@ -53,6 +53,8 @@ Noteworthy changes in version 1.4.1
     * The "fetch" command of --card-edit now retrieves the key using
       the default keyserver if no URL has been stored on the card.
 
+    * New configure option --enable-noexecstack.
+
 
 Noteworthy changes in version 1.4.0 (2004-12-16)
 ------------------------------------------------
diff --git a/README b/README
index 4798caf1f..3af6a3fda 100644
--- a/README
+++ b/README
@@ -607,6 +607,10 @@
                     This prevents access to certain files and won't
                     allow import or export of secret keys. 
 
+     --enable-noexecstack
+                    Pass option --noexecstack to as.  Works only when
+                    using gcc.
+
      --disable-gnupg-iconv
                     If iconv is available it is used to convert
                     between utf-8 and the system character set.  This
diff --git a/configure.ac b/configure.ac
index 3dbfbede2..54cb51212 100644
--- a/configure.ac
+++ b/configure.ac
@@ -102,6 +102,18 @@ if test "$use_m_guard" = yes ; then
     AC_DEFINE(M_GUARD,1,[Define to use the (obsolete) malloc guarding feature])
 fi
 
+# We don't have a test to check whetyer as(1) knows about the
+# non executable stackioption.  Thus we provide an option to enable
+# it.
+AC_MSG_CHECKING([whether non excutable stack support is requested])
+AC_ARG_ENABLE(noexecstack,
+              AC_HELP_STRING([--enable-noexecstack],
+                             [enable non executable stack support (gcc only)]),
+              noexecstack_support=$enableval, noexecstack_support=no)
+AC_MSG_RESULT($noexecstack_support)
+
+# SELinux support includes tracking of sensitive files to avoid
+# leaking their contents through processing these files by gpg itself
 AC_MSG_CHECKING([whether SELinux support is requested])
 AC_ARG_ENABLE(selinux-support,
               AC_HELP_STRING([--enable-selinux-support],
@@ -109,6 +121,7 @@ AC_ARG_ENABLE(selinux-support,
               selinux_support=$enableval, selinux_support=no)
 AC_MSG_RESULT($selinux_support)
 
+
 AC_MSG_CHECKING([whether OpenPGP card support is requested])
 AC_ARG_ENABLE(card-support,
               AC_HELP_STRING([--disable-card-support],
@@ -1234,14 +1247,26 @@ esac
 AC_SUBST(NETLIBS)
 AC_SUBST(W32LIBS)
 
+# Special options used fith gcc.
 if test "$GCC" = yes; then
+    # Note that it is okay to use CFLAGS here because this are just
+    # warning options and the user should have a chance of overriding
+    #them.
     if test "$USE_MAINTAINER_MODE" = "yes"; then
         CFLAGS="$CFLAGS -Wall -Wcast-align -Wshadow -Wstrict-prototypes"
         CFLAGS="$CFLAGS -Wformat-nonliteral"
     else
         CFLAGS="$CFLAGS -Wall"
     fi
+
+    # Non exec stack hack.  Fixme: Write a test to check whether as
+    # can cope with it and use the enable-noexecstack option only to
+    # disable it in case it is required on sime platforms.
+    if test "$noexecstack_support" = yes; then
+        NOEXECSTACK_FLAGS="-Wa,--noexecstack"
+    fi
 fi
+AC_SUBST(NOEXECSTACK_FLAGS)
 
 
 if test "$print_egd_warning" = yes; then
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 7b003b1ff..c9fc5b034 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,5 +1,7 @@
 2005-03-07  Werner Koch  <[email protected]>
 
+	* gpg.sgml (comment): Add note to keep the comment short.
+
 	* DETAILS: Document new status codes.
 
 2005-02-15  Werner Koch  <[email protected]>
diff --git a/doc/gpg.sgml b/doc/gpg.sgml
index 03a7eb841..805f4f885 100644
--- a/doc/gpg.sgml
+++ b/doc/gpg.sgml
@@ -1769,6 +1769,10 @@ Use &ParmString; as a comment string in clear text signatures and
 ASCII armored messages or keys (see --armor).  The default behavior is
 not to use a comment string.  --comment may be repeated multiple times
 to get multiple comment strings.  --no-comments removes all comments.
+It is a good idea to keep the length of a single comment below 60
+characters to avoid problems with mail programs wrapping such lines.
+Note, that those comment lines, like all other header lines, are not
+protected by the signature.
 </para></listitem></varlistentry>
 
 
diff --git a/mpi/ChangeLog b/mpi/ChangeLog
index 20175f961..00e0e3e6a 100644
--- a/mpi/ChangeLog
+++ b/mpi/ChangeLog
@@ -1,3 +1,8 @@
+2005-03-11  Werner Koch  <[email protected]>
+
+	* Makefile.am (ASFLAGS): Renamed to AM_CCASFLAGS and added the
+	variable for non exectubale stack options.  Adapted users.
+
 2004-12-20  Werner Koch  <[email protected]>
 
 	* mpicoder.c (mpi_read_from_buffer): Don't abort in case of an
diff --git a/mpi/Makefile.am b/mpi/Makefile.am
index 798a4d1dd..35135c24d 100644
--- a/mpi/Makefile.am
+++ b/mpi/Makefile.am
@@ -20,8 +20,8 @@
 
 
 INCLUDES = -I.. -I$(top_srcdir)/include
-AM_CFLAGS = @MPI_OPT_FLAGS@
-ASFLAGS = @MPI_SFLAGS@
+AM_CFLAGS = $(MPI_OPT_FLAGS)
+AM_CCASFLAGS = $(NOEXECSTACK_FLAGS) $(MPI_SFLAGS)
 
 EXTRA_DIST = config.links
 DISTCLEANFILES = mpi-asm-defs.h \
@@ -73,7 +73,7 @@ libmpi_a_LIBADD = $(common_asm_objects) @MPI_EXTRA_ASM_OBJS@
 # work and add one to cpp .S files
 .S.o:
 	 $(CPP) $(INCLUDES) $(DEFS) $< | grep -v '^#' > _$*.s
-	 $(COMPILE) $(ASFLAGS) -c _$*.s
+	 $(COMPILE) $(AM_CCASFLAGS) -c _$*.s
 	 mv -f _$*.o $*.o
 
 .S.lo: