From 0df26c1c2b30a44adc06f9c93650a6f2e31475c0 Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Sat, 10 Mar 2012 22:19:43 +0100 Subject: [PATCH] First working version. Also add tests. --- Build.PL | 1 + MANIFEST | 21 +++ bin/blhc | 293 ++++++++++++++++++++++++++++++++++++++++++ t/logs/bad | 11 ++ t/logs/bad-cflags | 8 ++ t/logs/bad-cppflags | 4 + t/logs/bad-ldflags | 4 + t/logs/bad-library | 3 + t/logs/bad-multiline | 21 +++ t/logs/c++ | 11 ++ t/logs/cc | 4 + t/logs/debian | 1 + t/logs/empty | 0 t/logs/g++ | 11 ++ t/logs/good | 14 ++ t/logs/good-all | 4 + t/logs/good-bindnow | 4 + t/logs/good-library | 4 + t/logs/good-multiline | 26 ++++ t/logs/good-pie | 4 + t/logs/libtool | 15 +++ t/tests.t | 281 ++++++++++++++++++++++++++++++++++++++++ 22 files changed, 745 insertions(+) create mode 100644 t/logs/bad create mode 100644 t/logs/bad-cflags create mode 100644 t/logs/bad-cppflags create mode 100644 t/logs/bad-ldflags create mode 100644 t/logs/bad-library create mode 100644 t/logs/bad-multiline create mode 100644 t/logs/c++ create mode 100644 t/logs/cc create mode 100644 t/logs/debian create mode 100644 t/logs/empty create mode 100644 t/logs/g++ create mode 100644 t/logs/good create mode 100644 t/logs/good-all create mode 100644 t/logs/good-bindnow create mode 100644 t/logs/good-library create mode 100644 t/logs/good-multiline create mode 100644 t/logs/good-pie create mode 100644 t/logs/libtool create mode 100644 t/tests.t diff --git a/Build.PL b/Build.PL index d49b069..f229a0f 100644 --- a/Build.PL +++ b/Build.PL @@ -31,6 +31,7 @@ my $build = Module::Build->new( # Bundled with perl. 'Getopt::Long' => 0, 'Pod::Usage' => 0, + 'Term::ANSIColor' => 0, }, ); $build->create_build_script; diff --git a/MANIFEST b/MANIFEST index dcd5742..51ed4bc 100644 --- a/MANIFEST +++ b/MANIFEST 
@@ -2,3 +2,24 @@ bin/blhc
 Build.PL
 COPYING
 MANIFEST This list of files
+META.json
+META.yml
+t/logs/bad
+t/logs/bad-cflags
+t/logs/bad-cppflags
+t/logs/bad-ldflags
+t/logs/bad-library
+t/logs/bad-multiline
+t/logs/c++
+t/logs/cc
+t/logs/debian
+t/logs/empty
+t/logs/g++
+t/logs/good
+t/logs/good-all
+t/logs/good-bindnow
+t/logs/good-library
+t/logs/good-multiline
+t/logs/good-pie
+t/logs/libtool
+t/tests.t
diff --git a/bin/blhc b/bin/blhc
index c4aefd2..73548dc 100755
--- a/bin/blhc
+++ b/bin/blhc
@@ -22,16 +22,147 @@ use strict; use warnings; use Getopt::Long (); +use Term::ANSIColor (); our $VERSION = '0.01'; +# FUNCTIONS + +sub error_flags { + my ($message, $missing_flags_ref, $flag_renames_ref, $line) = @_; + + # Rename flags if requested. + my @missing_flags = map { + (exists $flag_renames_ref->{$_}) + ? $flag_renames_ref->{$_} + : $_ + } @{$missing_flags_ref}; + + my $flags = join ' ', @missing_flags; + printf "%s (%s)%s %s", + error_color($message, 'red'), $flags, error_color(':', 'yellow'), + $line; +} +sub error_color { + my ($message, $color) = @_; + + # Use colors when writing to a terminal. + if (-t STDOUT) { + return Term::ANSIColor::colored($message, $color); + } else { + return $message; + } +} + +sub any_flags_used { + my ($line, @flags) = @_; + + foreach my $flag (@flags) { + return 1 if $line =~ /\s$flag(\s|\\|$)/; + } + + return 0; +} +sub all_flags_used { + my ($line, $missing_flags_ref, @flags) = @_; + + my @missing_flags = (); + foreach my $flag (@flags) { + if ($line !~ /\s$flag(\s|\\|$)/) { + push @missing_flags, $flag; + } + } + + if (scalar @missing_flags == 0) { + return 1; + } + + @{$missing_flags_ref} = @missing_flags; + return 0; +} + +# Modifies $missing_flags_ref array. +sub pic_pie_conflict { + my ($line, $pie, $missing_flags_ref, @flags_pie) = @_; + + return 0 if not $pie; + return 0 if not any_flags_used($line, ('-fPIC')); + + my %flags = map { $_ => 1 } @flags_pie; + + # Remove all PIE flags from @missing_flags as they are not required with + # -fPIC. + my @result = grep { + not exists $flags{$_} + } @{$missing_flags_ref}; + @{$missing_flags_ref} = @result; + + # We got a conflict when no flags are left, thus only PIE flags were + # missing. If other flags were missing abort because the conflict is not + # the problem. + return scalar @result == 0; +} + + +# CONSTANTS/VARIABLES + +# Regex to catch (GCC) compiler warnings. +my $warning_regex = qr/^(.+?):([0-9]+):[0-9]+: warning: (.+?) 
\[(.+?)\]$/; + +# Expected hardening flags. All flags are used as regexps. +my @cflags = ( + '-g', + '-O2', + '-fstack-protector', + '--param=ssp-buffer-size=4', + '-Wformat', + '-Wformat-security', + '-Werror=format-security', +); +my @cflags_pie = ( + '-fPIE', +); +my @cppflags = ( + '-D_FORTIFY_SOURCE=2', +); +my @ldflags = ( + '-Wl,(-z,)?relro', +); +my @ldflags_pie = ( + '-fPIE', + '-pie', +); +my @ldflags_bindnow = ( + '-Wl,(-z,)?now', +); +# All (hardening) flags. +my @flags = (@cflags, @cflags_pie, + @cppflags, + @ldflags, @ldflags_pie, @ldflags_bindnow); +# Renaming rules for the output so the regex parts are not visible. +my %flag_renames = ( + '-Wl,(-z,)?relro' => '-Wl,-z,relro', + '-Wl,(-z,)?now' => '-Wl,-z,now', +); + + +# MAIN + +# Additional hardening options. +my $pie = 0; +my $bindnow = 0; + # Parse command line arguments. +my $option_all = 0; my $option_help = 0; my $option_version = 0; if (not Getopt::Long::GetOptions( 'help|h|?' => \$option_help, 'version' => \$option_version, + 'pie' => \$pie, + 'bindnow' => \$bindnow, + 'all' => \$option_all, )) { require Pod::Usage; Pod::Usage::pod2usage(2); @@ -59,6 +190,122 @@ along with this program. If not, see . exit 0; } +if ($option_all) { + $pie = 1; + $bindnow = 1; +} + +# Final exit code. +my $exit = 0; + +# Input lines, contain only the lines with compiler commands. +my @input = (); + +my $continuation = 0; +while (my $line = <>) { + # Ignore compiler warnings for now. + next if $line =~ /$warning_regex/; + + # One line may contain multiple commands (";"). Treat each one as single + # line. + my @line = split /(? [-h -? --help] +B [--pie] [--bindnow] [--all] + --help available options --version version number and license + --pie force +pie check + --bindnow force +bindbow check + --all force +all (+pie, +bindnow) check =head1 DESCRIPTION 
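Review bot: `all_flags_used` and `any_flags_used` only test that each expected flag appears somewhere on the command line, so a command that also carries a later overriding option such as `-fno-stack-protector`, `-O0` or `-U_FORTIFY_SOURCE` is still reported as hardened. For a hardening checker that is a false negative which should be either closed or at least documented. As a minimum, add a comment above `all_flags_used` along the lines of `# Presence check only: overriding flags later on the line (-fno-stack-protector, -U_FORTIFY_SOURCE, -O0) are not detected.` Closing the gap would need a list of negating flags checked alongside the expected ones, which this hunk does not define.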
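Review bot: `while (my $line = <>)` reads the files named in `@ARGV` through Perl's magic two-argument open, so an argument that begins with `>` or ends with `|` is treated as an open mode or a command rather than as a file name. If blhc is ever run over build logs whose names are not controlled by the caller (for example via a shell glob in a download directory), it is safer to open each argument explicitly with `open my $fh, '<', $file or die "$file: $!";` and read from `$fh`, falling back to STDIN when no file is given. The remainder of the loop body is not visible on this page, so how `$line` is processed afterwards could not be checked.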
@@ -90,6 +342,47 @@ Print available options. Print version number and license. +=item B<--pie> + +Force check for all +pie hardening flags. By default it's auto detected. + +=item B<--bindnow> + +Force check for all +bindnow hardening flags. By default it's auto detected. + +=item B<--all> + +Force check for all +all (+pie, +bindnow) hardening flags. By default it's +auto detected. + +=back + +Auto detection only works if at least one command uses the required hardening +flag (e.g. -fPIE). Then it's required for all other commands as well. + +=head1 EXIT STATUS + +The exit status is a "bit mask", each listed status is ORed when the error +condition occurs to get the result. + +=over 8 + +=item B<0> + +Success. + +=item B<1> + +No compiler commands were found. + +=item B<2> + +Invalid arguments/options given to blhc. + +=item B<4> + +Missing hardening flags. + =back =head1 AUTHOR diff --git a/t/logs/bad b/t/logs/bad new file mode 100644 index 0000000..c4184d8 --- /dev/null +++ b/t/logs/bad @@ -0,0 +1,11 @@ +configure: running /bin/bash ./configure ... 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,defs -Wl,--as-needed' ... + +checking for gcc... gcc +checking whether gcc accepts -g... yes +checking for gcc option to accept ISO C89... none needed +checking dependency style of gcc... gcc3 + +gcc -g -O2 -c test-a.c +gcc -g -O2 -c test-b.c +gcc -g -O2 -c test-c.c +gcc -o test test-a.o test-b.o test-c.o -ltest diff --git a/t/logs/bad-cflags b/t/logs/bad-cflags new file mode 100644 index 0000000..3f47182 --- /dev/null +++ b/t/logs/bad-cflags 
@@ -0,0 +1,8 @@
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+
+# Compiling and linking in one step must also check CFLAGS/CPPFLAGS.
+gcc -Wl,-z,relro -o test test.c -ltest
+gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest
diff --git a/t/logs/bad-cppflags b/t/logs/bad-cppflags
new file mode 100644
index 0000000..ff128e6
--- /dev/null
+++ b/t/logs/bad-cppflags
@@ -0,0 +1,4 @@
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-c.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
diff --git a/t/logs/bad-ldflags b/t/logs/bad-ldflags
new file mode 100644
index 0000000..9296f4c
--- /dev/null
+++ b/t/logs/bad-ldflags
@@ -0,0 +1,4 @@
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -o test test-a.o test-b.o test-c.o -ltest
diff --git a/t/logs/bad-library b/t/logs/bad-library
new file mode 100644
index 0000000..32765c3
--- /dev/null
+++ b/t/logs/bad-library
@@ -0,0 +1,3 @@
+gcc -D_FORTIFY_SOURCE=2 -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.o
+gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,relro -Wl,--as-needed -o libtest.so
+gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,--as-needed -o libtest.so
diff --git a/t/logs/bad-multiline b/t/logs/bad-multiline
new file mode 100644
index 0000000..490690a
--- /dev/null
+++ b/t/logs/bad-multiline
@@ -0,0 +1,21 @@
+# Command over multiple lines.
+gcc \
+ -g -O2 -fstack-protector\
+ --param=ssp-buffer-size=4 -Wformat-security\
+-Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security\
+-D_FORTIFY_SOURCE=2\
+-c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o\
+ -ltest
+
+# Multiple commands in a single line.
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c; gcc -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -D_FORTIFY_SOURCE=2 -c test-a.c ; gcc -Wformat-security -Werror=format-security -c test-b.c
+gcc -g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c;\
+gcc -O2 -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c ; \
+gcc -D_FORTIFY_SOURCE=2 -fstack-protector -c test-b.c
+# Escaped ";" - not really useful, just to check it works.
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security \; -Werror=format-security -D_FORTIFY_SOURCE=1 -c test-a.c
diff --git a/t/logs/c++ b/t/logs/c++
new file mode 100644
index 0000000..21e9a29
--- /dev/null
+++ b/t/logs/c++
@@ -0,0 +1,11 @@
+checking for c++... c++
+checking whether we are using the GNU C++ compiler... yes
+checking whether c++ accepts -g... yes
+checking dependency style of c++... none
+
+c++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.cpp
+c++ -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.cpp
+c++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.cpp
+c++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.cc
+test-d.cc:47:11: warning: unused variable 'test' [-Wunused-variable]
+c++ -Wl,-z,defs -o test test-a.o test-b.o test-c.o test-d.o -ltest
diff --git a/t/logs/cc b/t/logs/cc
new file mode 100644
index 0000000..ddacd82
--- /dev/null
+++ b/t/logs/cc
@@ -0,0 +1,4 @@
+cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+cc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c
+cc -Wl,-z,defs -o test test-a.o test-b.o test-c.o -ltest
diff --git a/t/logs/debian b/t/logs/debian
new file mode 100644
index 0000000..9a03ba6
--- /dev/null
+++ b/t/logs/debian
@@ -0,0 +1 @@
+dh_auto_configure -- CFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security" CPPFLAGS="-D_FORTIFY_SOURCE=2" CXXFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security" LDFLAGS="-Wl,-z,relro -Wl,-z,defs -Wl,--as-needed" ...
diff --git a/t/logs/empty b/t/logs/empty
new file mode 100644
index 0000000..e69de29
diff --git a/t/logs/g++ b/t/logs/g++
new file mode 100644
index 0000000..636839a
--- /dev/null
+++ b/t/logs/g++
@@ -0,0 +1,11 @@
+checking for g++... g++
+checking whether we are using the GNU C++ compiler... yes
+checking whether g++ accepts -g... yes
+checking dependency style of g++... gcc3
+
+g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.cpp
+g++ -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.cpp
+g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.cpp
+g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.cc
+test-d.cc:47:11: warning: unused variable 'test' [-Wunused-variable]
+g++ -Wl,-z,defs -o test test-a.o test-b.o test-c.o test-d.o -ltest
diff --git a/t/logs/good b/t/logs/good
new file mode 100644
index 0000000..c5a6d0e
--- /dev/null
+++ b/t/logs/good
@@ -0,0 +1,14 @@
+configure: running /bin/bash ./configure ... 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,defs -Wl,--as-needed' ...
+
+checking whether gcc accepts -g... yes
+checking for gcc option to accept ISO C89... none needed
+checking dependency style of gcc... gcc3
+
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+
+# Compiling and linking in one step must also check CFLAGS/CPPFLAGS.
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -o test test.c -ltest
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest
diff --git a/t/logs/good-all b/t/logs/good-all
new file mode 100644
index 0000000..84aca21
--- /dev/null
+++ b/t/logs/good-all
@@ -0,0 +1,4 @@
+gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -fPIE -pie -Wl,-z,relro -Wl,-z,now -o test test-a.o test-b.o test-c.o -ltest
diff --git a/t/logs/good-bindnow b/t/logs/good-bindnow
new file mode 100644
index 0000000..eaa168d
--- /dev/null
+++ b/t/logs/good-bindnow
@@ -0,0 +1,4 @@
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -Wl,-z,relro -Wl,-z,now -o test test-a.o test-b.o test-c.o -ltest
diff --git a/t/logs/good-library b/t/logs/good-library
new file mode 100644
index 0000000..c160a8a
--- /dev/null
+++ b/t/logs/good-library
@@ -0,0 +1,4 @@
+# -fPIC and -fPIE conflict with each other and -fPIE is not necessary for
+# libraries.
+gcc -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.o
+gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,relro -Wl,now -Wl,--as-needed -o libtest.so
diff --git a/t/logs/good-multiline b/t/logs/good-multiline
new file mode 100644
index 0000000..cc4a90c
--- /dev/null
+++ b/t/logs/good-multiline
@@ -0,0 +1,26 @@
+# Command over multiple lines.
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 \
+\
+-Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc \
+ -g -O2 \
+-fstack-protector --param=ssp-buffer-size=4 -Wformat \
+-Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c\
+ test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc \
+ -Wl,-z,relro \
+-o \
+ test \
+ test-a.o test-b.o test-c.o \
+-ltest
+
+# Multiple commands in a single line.
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c; gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c ; gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c;\
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c ; \
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+# Escaped ";" - not really useful, just to check it works.
+gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security \; -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
diff --git a/t/logs/good-pie b/t/logs/good-pie
new file mode 100644
index 0000000..fb12870
--- /dev/null
+++ b/t/logs/good-pie
@@ -0,0 +1,4 @@
+gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+gcc -fPIE -pie -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
diff --git a/t/logs/libtool b/t/logs/libtool
new file mode 100644
index 0000000..cde74f9
--- /dev/null
+++ b/t/logs/libtool
@@ -0,0 +1,15 @@
+libtool: link: g++ -shared test-a.o test-b.o test-b.o test-c.o -O2 -pie -Wl,relro -Wl,now -o test.so
+libtool: link: g++ -shared test-a.o test-b.o test-b.o test-c.o -O2 -Wl,relro -o test.so
+
+libtool: link: gcc -Wl,-z -Wl,relro -o test test.o
+/bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.o
+/bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.o
+ /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.o
+
+# Just to be sure, libtool won't do this. Note the test.c.
+/bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.c
+
+libtool: install: /usr/bin/install -c ...
+/bin/bash ../../libtool --mode=install /usr/bin/install -c ...
+ /bin/bash ../../libtool --mode=install /usr/bin/install -c ...
+ /bin/bash ../../../libtool --mode=install /usr/bin/install -c ...
diff --git a/t/tests.t b/t/tests.t
new file mode 100644
index 0000000..cc23802
--- /dev/null
+++ b/t/tests.t
@@ -0,0 +1,281 @@ +# Tests for blhc. +# +# Copyright (C) 2012 Simon Ruderich +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + + +use strict; +use warnings; + +use Test::More tests => 66; + + +sub is_blhc { + my ($file, $options, $exit, $expected) = @_; + + my $output = `./bin/blhc $options ./t/logs/$file 2>&1`; + + if ($options) { + $options = ' '. $options; + } + is $? >> 8, $exit, "$file$options (exit code)"; + is $output, $expected, "$file$options (output)"; +} + + +# Usage. + +is_blhc 'empty', '--invalid', 2, + "Unknown option: invalid +Usage: + blhc [-h -? --help] + + blhc [--pie] [--bindnow] [--all] + + --help available options + --version version number and license + --pie force +pie check + --bindnow force +bindbow check + --all force +all (+pie, +bindnow) check + +"; + + +# No compiler commands found. + +is_blhc 'empty', '', 1, + "No compiler commands!\n"; + + +# Correct build logs. + +is_blhc 'good', '', 0, + ''; +is_blhc 'good-pie', '', 0, + ''; +is_blhc 'good-pie', '--pie', 0, + ''; +is_blhc 'good-bindnow', '', 0, + ''; +is_blhc 'good-bindnow', '--bindnow', 0, + ''; +is_blhc 'good-all', '', 0, + ''; +is_blhc 'good-all', '--all', 0, + ''; +is_blhc 'good-all', '--pie --bindnow', 0, + ''; + +is_blhc 'good-multiline', '', 0, + ''; +is_blhc 'good-library', '--all', 0, + ''; + + +# Build logs with missing flags. 
+ +is_blhc 'bad', '', 4, + "CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-a.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-a.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-b.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-b.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-c.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-c.c +LDFLAGS missing (-Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.o -ltest +"; +is_blhc 'bad', '--pie', 4, + "CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-a.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-a.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-b.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-b.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-c.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-c.c +LDFLAGS missing (-Wl,-z,relro -fPIE -pie): gcc -o test test-a.o test-b.o test-c.o -ltest +"; +is_blhc 'bad', '--bindnow', 4, + "CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-a.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-a.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -g -O2 -c test-b.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-b.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security 
-Werror=format-security): gcc -g -O2 -c test-c.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-c.c +LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.o -ltest +"; +is_blhc 'bad', '--pie --bindnow', 4, + "CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-a.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-a.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-b.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-b.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-c.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-c.c +LDFLAGS missing (-Wl,-z,relro -fPIE -pie -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.o -ltest +"; +is_blhc 'bad', '--all', 4, + "CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-a.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-a.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-b.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-b.c +CFLAGS missing (-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -g -O2 -c test-c.c +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -c test-c.c +LDFLAGS missing (-Wl,-z,relro -fPIE -pie -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.o -ltest +"; + +is_blhc 'bad-cflags', '', 4, + "CFLAGS missing (-Wformat): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c +CFLAGS missing (--param=ssp-buffer-size=4): gcc -g -O2 -fstack-protector 
-Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c +CFLAGS missing (-Werror=format-security): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -Wl,-z,relro -o test test.c -ltest +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -Wl,-z,relro -o test test.c -ltest +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +"; +is_blhc 'bad-cflags', '--pie', 4, + "CFLAGS missing (-Wformat -fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c +CFLAGS missing (--param=ssp-buffer-size=4 -fPIE): gcc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c +CFLAGS missing (-Werror=format-security -fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c +LDFLAGS missing (-fPIE -pie): gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -Wl,-z,relro -o test test.c -ltest +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -Wl,-z,relro -o test test.c -ltest +LDFLAGS missing (-fPIE -pie): gcc -Wl,-z,relro -o test test.c -ltest +CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest +"; +is_blhc 'bad-cflags', 
'--bindnow', 4,
+ "CFLAGS missing (-Wformat): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+CFLAGS missing (--param=ssp-buffer-size=4): gcc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+CFLAGS missing (-Werror=format-security): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c
+LDFLAGS missing (-Wl,-z,now): gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -Wl,-z,relro -o test test.c -ltest
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -Wl,-z,relro -o test test.c -ltest
+LDFLAGS missing (-Wl,-z,now): gcc -Wl,-z,relro -o test test.c -ltest
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest
+LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest
+";
+is_blhc 'bad-cflags', '--pie --bindnow', 4,
+ "CFLAGS missing (-Wformat -fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+CFLAGS missing (--param=ssp-buffer-size=4 -fPIE): gcc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+CFLAGS missing (-Werror=format-security -fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c
+LDFLAGS missing (-fPIE -pie -Wl,-z,now): gcc -Wl,-z,relro -o test test-a.o test-b.o test-c.o -ltest
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): gcc -Wl,-z,relro -o test test.c -ltest
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -Wl,-z,relro -o test test.c -ltest
+LDFLAGS missing (-fPIE -pie -Wl,-z,now): gcc -Wl,-z,relro -o test test.c -ltest
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest
+LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC -Wl,-z,relro -o test.so test.c -ltest
+";
+
+is_blhc 'bad-cppflags', '', 4,
+ "CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-b.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-c.c
+";
+
+is_blhc 'bad-ldflags', '', 4,
+ "LDFLAGS missing (-Wl,-z,relro): gcc -o test test-a.o test-b.o test-c.o -ltest
+";
+is_blhc 'bad-ldflags', '--pie', 4,
+ "CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+LDFLAGS missing (-Wl,-z,relro -fPIE -pie): gcc -o test test-a.o test-b.o test-c.o -ltest
+";
+is_blhc 'bad-ldflags', '--bindnow', 4,
+ "LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.o -ltest
+";
+is_blhc 'bad-ldflags', '--pie --bindnow', 4,
+ "CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+CFLAGS missing (-fPIE): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-c.c
+LDFLAGS missing (-Wl,-z,relro -fPIE -pie -Wl,-z,now): gcc -o test test-a.o test-b.o test-c.o -ltest
+";
+
+is_blhc 'bad-multiline', '', 4,
+ "CFLAGS missing (-Wformat): gcc \\ -g -O2 -fstack-protector\\ --param=ssp-buffer-size=4 -Wformat-security\\ -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+CFLAGS missing (--param=ssp-buffer-size=4): gcc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security\\ -D_FORTIFY_SOURCE=2\\ -c test-b.c
+CFLAGS missing (-Werror=format-security): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -D_FORTIFY_SOURCE=2 -c test-b.c
+CFLAGS missing (-Wformat-security -Werror=format-security): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -D_FORTIFY_SOURCE=2 -c test-a.c
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat): gcc -Wformat-security -Werror=format-security -c test-b.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -Wformat-security -Werror=format-security -c test-b.c
+CFLAGS missing (-O2): gcc -g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c
+CFLAGS missing (-g -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -O2 -D_FORTIFY_SOURCE=2 -c test-b.c
+CFLAGS missing (-fstack-protector): gcc -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -c test-a.c
+CFLAGS missing (-g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security): gcc -D_FORTIFY_SOURCE=2 -fstack-protector -c test-b.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security \\; -Werror=format-security -D_FORTIFY_SOURCE=1 -c test-a.c
+";
+
+is_blhc 'bad-library', '--all', 4,
+ "CFLAGS missing (-fstack-protector): gcc -D_FORTIFY_SOURCE=2 -g -O2 --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security test.c -fPIC -DPIC -o libtest.o
+LDFLAGS missing (-Wl,-z,now): gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,relro -Wl,--as-needed -o libtest.so
+LDFLAGS missing (-Wl,-z,relro -Wl,-z,now): gcc -shared -fPIC -DPIC libtest.o -lpthread -O2 -Wl,--as-needed -o libtest.so
+";
+
+
+# cc
+
+is_blhc 'cc', '--pie --bindnow', 4,
+ "CFLAGS missing (-Wformat -fPIE): cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.c
+CFLAGS missing (--param=ssp-buffer-size=4 -fPIE): cc -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.c
+CFLAGS missing (-Werror=format-security -fPIE): cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.c
+LDFLAGS missing (-Wl,-z,relro -fPIE -pie -Wl,-z,now): cc -Wl,-z,defs -o test test-a.o test-b.o test-c.o -ltest
+";
+
+
+# debian
+
+is_blhc 'debian', '--all', 1,
+ "No compiler commands!
+";
+
+
+# c++
+
+is_blhc 'c++', '--pie --bindnow', 4,
+ "CFLAGS missing (-Wformat -fPIE): c++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.cpp
+CFLAGS missing (--param=ssp-buffer-size=4 -fPIE): c++ -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.cpp
+CFLAGS missing (-Werror=format-security -fPIE): c++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.cpp
+CFLAGS missing (-fPIE): c++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.cc
+LDFLAGS missing (-Wl,-z,relro -fPIE -pie -Wl,-z,now): c++ -Wl,-z,defs -o test test-a.o test-b.o test-c.o test-d.o -ltest
+";
+
+
+# g++
+
+is_blhc 'g++', '--pie --bindnow', 4,
+ "CFLAGS missing (-Wformat -fPIE): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-a.cpp
+CFLAGS missing (--param=ssp-buffer-size=4 -fPIE): g++ -g -O2 -fstack-protector -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-b.cpp
+CFLAGS missing (-Werror=format-security -fPIE): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -c test-c.cpp
+CFLAGS missing (-fPIE): g++ -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -c test-d.cc
+LDFLAGS missing (-Wl,-z,relro -fPIE -pie -Wl,-z,now): g++ -Wl,-z,defs -o test test-a.o test-b.o test-c.o test-d.o -ltest
+";
+
+
+# libtool
+
+is_blhc 'libtool', '--bindnow', 4,
+ "LDFLAGS missing (-fPIE): libtool: link: g++ -shared test-a.o test-b.o test-b.o test-c.o -O2 -pie -Wl,relro -Wl,now -o test.so
+LDFLAGS missing (-fPIE -pie -Wl,-z,now): libtool: link: g++ -shared test-a.o test-b.o test-b.o test-c.o -O2 -Wl,relro -o test.so
+LDFLAGS missing (-fPIE -pie -Wl,-z,now): libtool: link: gcc -Wl,-z -Wl,relro -o test test.o
+LDFLAGS missing (-fPIE -pie -Wl,-z,now): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.o
+LDFLAGS missing (-fPIE -pie -Wl,-z,now): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.o
+LDFLAGS missing (-fPIE -pie -Wl,-z,now): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.o
+CFLAGS missing (-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -fPIE): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.c
+CPPFLAGS missing (-D_FORTIFY_SOURCE=2): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.c
+LDFLAGS missing (-fPIE -pie -Wl,-z,now): /bin/bash ../libtool --tag=CC --mode=link gcc -Wl,-z,relro -o test.so test.c
+";
-- 2.43.2