diff options
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | Makefile.in | 7 | ||||
-rw-r--r-- | acconfig.h | 8 | ||||
-rw-r--r-- | configure.ac | 306 | ||||
-rw-r--r-- | entropy.c | 15 |
5 files changed, 191 insertions, 156 deletions
@@ -1,3 +1,12 @@ | |||
1 | 20020122 | ||
2 | - (djm) autoconf hacking: | ||
3 | - We don't support --without-zlib currently, so don't allow it. | ||
4 | - Rework cryptographic random number support detection. We now detect | ||
5 | whether OpenSSL seeds itself. If it does, then we don't bother with | ||
6 | the ssh-rand-helper program. You can force the use of ssh-rand-helper | ||
7 | using the --with-rand-helper configure argument | ||
8 | - Simplify and clean up ssh-rand-helper configuration | ||
9 | |||
1 | 20020121 | 10 | 20020121 |
2 | - (djm) Rework ssh-rand-helper: | 11 | - (djm) Rework ssh-rand-helper: |
3 | - Reduce quantity of ifdef code, in preparation for ssh_rand_conf | 12 | - Reduce quantity of ifdef code, in preparation for ssh_rand_conf |
@@ -7144,4 +7153,4 @@ | |||
7144 | - Wrote replacements for strlcpy and mkdtemp | 7153 | - Wrote replacements for strlcpy and mkdtemp |
7145 | - Released 1.0pre1 | 7154 | - Released 1.0pre1 |
7146 | 7155 | ||
7147 | $Id: ChangeLog,v 1.1721 2002/01/21 12:44:12 djm Exp $ | 7156 | $Id: ChangeLog,v 1.1722 2002/01/22 10:57:53 djm Exp $ |
diff --git a/Makefile.in b/Makefile.in index 287b5ab1b..58bf424b5 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -1,4 +1,4 @@ | |||
1 | # $Id: Makefile.in,v 1.192 2001/12/25 04:32:58 stevesk Exp $ | 1 | # $Id: Makefile.in,v 1.193 2002/01/22 10:57:54 djm Exp $ |
2 | 2 | ||
3 | prefix=@prefix@ | 3 | prefix=@prefix@ |
4 | exec_prefix=@exec_prefix@ | 4 | exec_prefix=@exec_prefix@ |
@@ -42,6 +42,7 @@ EXEEXT=@EXEEXT@ | |||
42 | SSH_MODE= @SSHMODE@ | 42 | SSH_MODE= @SSHMODE@ |
43 | 43 | ||
44 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ | 44 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ |
45 | INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ | ||
45 | 46 | ||
46 | @NO_SFTP@SFTP_PROGS=sftp-server$(EXEEXT) sftp$(EXEEXT) | 47 | @NO_SFTP@SFTP_PROGS=sftp-server$(EXEEXT) sftp$(EXEEXT) |
47 | 48 | ||
@@ -201,7 +202,9 @@ install-files: scard-install | |||
201 | $(INSTALL) -m 0755 -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen | 202 | $(INSTALL) -m 0755 -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen |
202 | $(INSTALL) -m 0755 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan | 203 | $(INSTALL) -m 0755 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan |
203 | $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd | 204 | $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd |
204 | $(INSTALL) -m 0755 -s ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper | 205 | if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \ |
206 | $(INSTALL) -m 0755 -s ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ | ||
207 | fi | ||
205 | @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp | 208 | @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp |
206 | @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) | 209 | @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) |
207 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | 210 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |
diff --git a/acconfig.h b/acconfig.h index 766a92687..caf30149f 100644 --- a/acconfig.h +++ b/acconfig.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: acconfig.h,v 1.120 2001/12/07 17:20:48 mouring Exp $ */ | 1 | /* $Id: acconfig.h,v 1.121 2002/01/22 10:57:54 djm Exp $ */ |
2 | 2 | ||
3 | #ifndef _CONFIG_H | 3 | #ifndef _CONFIG_H |
4 | #define _CONFIG_H | 4 | #define _CONFIG_H |
@@ -86,9 +86,6 @@ | |||
86 | /* Define if you want IRIX kernel jobs */ | 86 | /* Define if you want IRIX kernel jobs */ |
87 | #undef WITH_IRIX_JOBS | 87 | #undef WITH_IRIX_JOBS |
88 | 88 | ||
89 | /* Location of random number pool */ | ||
90 | #undef RANDOM_POOL | ||
91 | |||
92 | /* Location of PRNGD/EGD random number socket */ | 89 | /* Location of PRNGD/EGD random number socket */ |
93 | #undef PRNGD_SOCKET | 90 | #undef PRNGD_SOCKET |
94 | 91 | ||
@@ -326,6 +323,9 @@ | |||
326 | /* Define if you want smartcard support */ | 323 | /* Define if you want smartcard support */ |
327 | #undef SMARTCARD | 324 | #undef SMARTCARD |
328 | 325 | ||
326 | /* Define if you want to use OpenSSL's internally seeded PRNG only */ | ||
327 | #undef OPENSSL_PRNG_ONLY | ||
328 | |||
329 | @BOTTOM@ | 329 | @BOTTOM@ |
330 | 330 | ||
331 | /* ******************* Shouldn't need to edit below this line ************** */ | 331 | /* ******************* Shouldn't need to edit below this line ************** */ |
diff --git a/configure.ac b/configure.ac index 0ed1ddddf..9cc7dc97c 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -1,4 +1,4 @@ | |||
1 | i# $Id: configure.ac,v 1.10 2002/01/14 08:01:06 djm Exp $ | 1 | i# $Id: configure.ac,v 1.11 2002/01/22 10:57:54 djm Exp $ |
2 | 2 | ||
3 | AC_INIT | 3 | AC_INIT |
4 | AC_CONFIG_SRCDIR([ssh.c]) | 4 | AC_CONFIG_SRCDIR([ssh.c]) |
@@ -336,6 +336,9 @@ dnl zlib is required | |||
336 | AC_ARG_WITH(zlib, | 336 | AC_ARG_WITH(zlib, |
337 | [ --with-zlib=PATH Use zlib in PATH], | 337 | [ --with-zlib=PATH Use zlib in PATH], |
338 | [ | 338 | [ |
339 | if test "x$withval" != "xno" ; then | ||
340 | AC_MSG_ERROR([*** zlib is required ***]) | ||
341 | fi | ||
339 | if test -d "$withval/lib"; then | 342 | if test -d "$withval/lib"; then |
340 | if test -n "${need_dash_r}"; then | 343 | if test -n "${need_dash_r}"; then |
341 | LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" | 344 | LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" |
@@ -815,6 +818,144 @@ if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then | |||
815 | AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") | 818 | AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") |
816 | fi | 819 | fi |
817 | 820 | ||
821 | |||
822 | ### Configure cryptographic random number support | ||
823 | |||
824 | # Check wheter OpenSSL seeds itself | ||
825 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) | ||
826 | AC_TRY_RUN( | ||
827 | [ | ||
828 | #include <string.h> | ||
829 | #include <openssl/rand.h> | ||
830 | int main(void) { return(RAND_status() == 1 ? 0 : 1); } | ||
831 | ], | ||
832 | [ | ||
833 | OPENSSL_SEEDS_ITSELF=yes | ||
834 | AC_MSG_RESULT(yes) | ||
835 | ], | ||
836 | [ | ||
837 | AC_MSG_RESULT(no) | ||
838 | # Default to use of the rand helper if OpenSSL doesn't | ||
839 | # seed itself | ||
840 | USE_RAND_HELPER=yes | ||
841 | ] | ||
842 | ) | ||
843 | |||
844 | |||
845 | # Do we want to force the use of the rand helper? | ||
846 | AC_ARG_WITH(rand-helper, | ||
847 | [ --with-rand-helper Use subprocess to gather strong randomness ], | ||
848 | [ | ||
849 | if test "x$withval" = "xno" ; then | ||
850 | # Force use of OpenSSL's internal RNG, even if | ||
851 | # the previous test showed it to be unseeded. | ||
852 | if test -z "$OPENSSL_SEEDS_ITSELF" ; then | ||
853 | AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG]) | ||
854 | OPENSSL_SEEDS_ITSELF=yes | ||
855 | USE_RAND_HELPER="" | ||
856 | fi | ||
857 | else | ||
858 | USE_RAND_HELPER=yes | ||
859 | fi | ||
860 | ], | ||
861 | ) | ||
862 | |||
863 | # Which randomness source do we use? | ||
864 | if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then | ||
865 | # OpenSSL only | ||
866 | AC_DEFINE(OPENSSL_PRNG_ONLY) | ||
867 | RAND_MSG="OpenSSL internal ONLY" | ||
868 | INSTALL_SSH_RAND_HELPER="" | ||
869 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" -a ! -z "$USE_RAND_HELPER" ; then | ||
870 | # OpenSSL with fallback to rand helper | ||
871 | RAND_MSG="ssh-rand-helper" | ||
872 | INSTALL_SSH_RAND_HELPER="yes" | ||
873 | fi | ||
874 | AC_SUBST(INSTALL_SSH_RAND_HELPER) | ||
875 | |||
876 | ### Configuration of ssh-rand-helper | ||
877 | |||
878 | # PRNGD TCP socket | ||
879 | AC_ARG_WITH(prngd-port, | ||
880 | [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT], | ||
881 | [ | ||
882 | if test ! -z "$withval" -a "x$withval" != "xno" ; then | ||
883 | PRNGD_PORT="$withval" | ||
884 | AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) | ||
885 | fi | ||
886 | ] | ||
887 | ) | ||
888 | |||
889 | # PRNGD Unix domain socket | ||
890 | AC_ARG_WITH(prngd-socket, | ||
891 | [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], | ||
892 | [ | ||
893 | if test -z "$withval" ; then | ||
894 | withval="/var/run/egd-pool" | ||
895 | fi | ||
896 | if test "x$withval" != "xno" ; then | ||
897 | if test ! -z "$PRNGD_PORT" ; then | ||
898 | AC_MSG_ERROR(You may not specify both a PRNGD/EGD port and socket) | ||
899 | fi | ||
900 | if ! echo "$withval" | grep -q '^/' ; then | ||
901 | AC_MSG_ERROR(You must specify an absolute path to the entropy socket) | ||
902 | fi | ||
903 | if ! test -r "$withval" ; then | ||
904 | AC_MSG_WARN(Entropy socket is not readable) | ||
905 | fi | ||
906 | PRNGD_SOCKET="$withval" | ||
907 | AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") | ||
908 | fi | ||
909 | ] | ||
910 | ) | ||
911 | |||
912 | # Change default command timeout for hashing entropy source | ||
913 | entropy_timeout=200 | ||
914 | AC_ARG_WITH(entropy-timeout, | ||
915 | [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], | ||
916 | [ | ||
917 | if test "x$withval" != "xno" ; then | ||
918 | entropy_timeout=$withval | ||
919 | fi | ||
920 | ] | ||
921 | ) | ||
922 | |||
923 | AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) | ||
924 | |||
925 | # These programs are used by the command hashing source to gather entropy | ||
926 | OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) | ||
927 | OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) | ||
928 | OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp) | ||
929 | OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) | ||
930 | OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat) | ||
931 | OSSH_PATH_ENTROPY_PROG(PROG_PS, ps) | ||
932 | OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar) | ||
933 | OSSH_PATH_ENTROPY_PROG(PROG_W, w) | ||
934 | OSSH_PATH_ENTROPY_PROG(PROG_WHO, who) | ||
935 | OSSH_PATH_ENTROPY_PROG(PROG_LAST, last) | ||
936 | OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog) | ||
937 | OSSH_PATH_ENTROPY_PROG(PROG_DF, df) | ||
938 | OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat) | ||
939 | OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) | ||
940 | OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) | ||
941 | OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail) | ||
942 | |||
943 | # Where does ssh-rand-helper get its randomness from? | ||
944 | INSTALL_SSH_PRNG_CMDS="" | ||
945 | if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then | ||
946 | if test ! -z "$PRNGD_PORT" ; then | ||
947 | RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT" | ||
948 | elif test ! -z "$PRNGD_SOCKET" ; then | ||
949 | RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\"" | ||
950 | else | ||
951 | RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)" | ||
952 | RAND_HELPER_CMDHASH=yes | ||
953 | INSTALL_SSH_PRNG_CMDS="yes" | ||
954 | fi | ||
955 | fi | ||
956 | AC_SUBST(INSTALL_SSH_PRNG_CMDS) | ||
957 | |||
958 | |||
818 | # Cheap hack to ensure NEWS-OS libraries are arranged right. | 959 | # Cheap hack to ensure NEWS-OS libraries are arranged right. |
819 | if test ! -z "$SONY" ; then | 960 | if test ! -z "$SONY" ; then |
820 | LIBS="$LIBS -liberty"; | 961 | LIBS="$LIBS -liberty"; |
@@ -1531,109 +1672,6 @@ AC_CHECK_FILE("/dev/ptc", | |||
1531 | ) | 1672 | ) |
1532 | 1673 | ||
1533 | # Options from here on. Some of these are preset by platform above | 1674 | # Options from here on. Some of these are preset by platform above |
1534 | |||
1535 | # Check for user-specified random device, otherwise check /dev/urandom | ||
1536 | AC_ARG_WITH(random, | ||
1537 | [ --with-random=FILE read entropy from FILE (default=/dev/urandom)], | ||
1538 | [ | ||
1539 | if test "x$withval" != "xno" ; then | ||
1540 | RANDOM_POOL="$withval"; | ||
1541 | if ! echo "$RANDOM_POOL" | grep -q '^/' ; then | ||
1542 | AC_MSG_ERROR(You must specify an absolute path to the random device) | ||
1543 | fi | ||
1544 | if ! test -r "$RANDOM_POOL" ; then | ||
1545 | AC_MSG_WARN(Random device is not readable) | ||
1546 | fi | ||
1547 | AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") | ||
1548 | fi | ||
1549 | ], | ||
1550 | [ | ||
1551 | # Check for random device | ||
1552 | AC_CHECK_FILE("/dev/urandom", | ||
1553 | [ | ||
1554 | RANDOM_POOL="/dev/urandom"; | ||
1555 | AC_SUBST(RANDOM_POOL) | ||
1556 | AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") | ||
1557 | ] | ||
1558 | ) | ||
1559 | ] | ||
1560 | ) | ||
1561 | |||
1562 | # Check for PRNGD/EGD pool file | ||
1563 | AC_ARG_WITH(prngd-port, | ||
1564 | [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], | ||
1565 | [ | ||
1566 | if test ! -z "$withval" -a "x$withval" != "xno" ; then | ||
1567 | PRNGD_PORT="$withval" | ||
1568 | AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) | ||
1569 | fi | ||
1570 | ] | ||
1571 | ) | ||
1572 | |||
1573 | # Check for PRNGD/EGD pool file | ||
1574 | AC_ARG_WITH(prngd-socket, | ||
1575 | [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], | ||
1576 | [ | ||
1577 | if test "x$withval" != "xno" ; then | ||
1578 | PRNGD_SOCKET="$withval" | ||
1579 | if echo "$PRNGD_SOCKET" | grep -q '^/' ; then | ||
1580 | AC_MSG_ERROR(You must specify an absolute path to the entropy socket) | ||
1581 | fi | ||
1582 | if ! test -r "$PRNGD_SOCKET" ; then | ||
1583 | AC_MSG_WARN(Entropy socket is not readable) | ||
1584 | fi | ||
1585 | AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") | ||
1586 | fi | ||
1587 | ], | ||
1588 | [ | ||
1589 | # Check for existing socket only if we don't have a random device already | ||
1590 | if test -z "$RANDOM_POOL" ; then | ||
1591 | AC_MSG_CHECKING(for PRNGD/EGD socket) | ||
1592 | # Insert other locations here | ||
1593 | for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do | ||
1594 | if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then | ||
1595 | PRNGD_SOCKET="$sock" | ||
1596 | AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") | ||
1597 | break; | ||
1598 | fi | ||
1599 | done | ||
1600 | if test ! -z "$PRNGD_SOCKET" ; then | ||
1601 | AC_MSG_RESULT($PRNGD_SOCKET) | ||
1602 | else | ||
1603 | AC_MSG_RESULT(not found) | ||
1604 | fi | ||
1605 | fi | ||
1606 | ] | ||
1607 | ) | ||
1608 | |||
1609 | |||
1610 | # detect pathnames for entropy gathering commands, if we need them | ||
1611 | INSTALL_SSH_PRNG_CMDS="" | ||
1612 | rm -f prng_commands | ||
1613 | if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then | ||
1614 | INSTALL_SSH_PRNG_CMDS="yes" | ||
1615 | fi | ||
1616 | AC_SUBST(INSTALL_SSH_PRNG_CMDS) | ||
1617 | |||
1618 | # These programs are used to gather entropy from | ||
1619 | OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) | ||
1620 | OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) | ||
1621 | OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp) | ||
1622 | OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) | ||
1623 | OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat) | ||
1624 | OSSH_PATH_ENTROPY_PROG(PROG_PS, ps) | ||
1625 | OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar) | ||
1626 | OSSH_PATH_ENTROPY_PROG(PROG_W, w) | ||
1627 | OSSH_PATH_ENTROPY_PROG(PROG_WHO, who) | ||
1628 | OSSH_PATH_ENTROPY_PROG(PROG_LAST, last) | ||
1629 | OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog) | ||
1630 | OSSH_PATH_ENTROPY_PROG(PROG_DF, df) | ||
1631 | OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat) | ||
1632 | OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) | ||
1633 | OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) | ||
1634 | OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail) | ||
1635 | |||
1636 | |||
1637 | AC_ARG_WITH(mantype, | 1675 | AC_ARG_WITH(mantype, |
1638 | [ --with-mantype=man|cat|doc Set man page type], | 1676 | [ --with-mantype=man|cat|doc Set man page type], |
1639 | [ | 1677 | [ |
@@ -1825,12 +1863,13 @@ AC_ARG_WITH(4in6, | |||
1825 | ) | 1863 | ) |
1826 | 1864 | ||
1827 | # Whether to enable BSD auth support | 1865 | # Whether to enable BSD auth support |
1866 | BSD_AUTH_MSG=no | ||
1828 | AC_ARG_WITH(bsd-auth, | 1867 | AC_ARG_WITH(bsd-auth, |
1829 | [ --with-bsd-auth Enable BSD auth support], | 1868 | [ --with-bsd-auth Enable BSD auth support], |
1830 | [ | 1869 | [ |
1831 | if test "x$withval" != "xno" ; then | 1870 | if test "x$withval" != "xno" ; then |
1832 | AC_DEFINE(BSD_AUTH) | 1871 | AC_DEFINE(BSD_AUTH) |
1833 | bsd_auth=yes | 1872 | BSD_AUTH_MSG=yes |
1834 | fi | 1873 | fi |
1835 | ] | 1874 | ] |
1836 | ) | 1875 | ) |
@@ -2097,44 +2136,17 @@ else | |||
2097 | fi | 2136 | fi |
2098 | 2137 | ||
2099 | 2138 | ||
2100 | # Change default command timeout for builtin PRNG | ||
2101 | entropy_timeout=200 | ||
2102 | AC_ARG_WITH(entropy-timeout, | ||
2103 | [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], | ||
2104 | [ | ||
2105 | if test "x$withval" != "xno" ; then | ||
2106 | entropy_timeout=$withval | ||
2107 | fi | ||
2108 | ] | ||
2109 | ) | ||
2110 | AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) | ||
2111 | |||
2112 | |||
2113 | if test ! -z "$blibpath" ; then | 2139 | if test ! -z "$blibpath" ; then |
2114 | LDFLAGS="$LDFLAGS -blibpath:$blibpath" | 2140 | LDFLAGS="$LDFLAGS -blibpath:$blibpath" |
2115 | AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile]) | 2141 | AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile]) |
2116 | fi | 2142 | fi |
2117 | 2143 | ||
2118 | AC_EXEEXT | 2144 | AC_EXEEXT |
2119 | |||
2120 | AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds]) | 2145 | AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds]) |
2121 | AC_OUTPUT | 2146 | AC_OUTPUT |
2122 | 2147 | ||
2123 | # Print summary of options | 2148 | # Print summary of options |
2124 | 2149 | ||
2125 | if test ! -z "$RANDOM_POOL" ; then | ||
2126 | RAND_MSG="Device ($RANDOM_POOL)" | ||
2127 | else | ||
2128 | if test ! -z "$PRNGD_PORT" ; then | ||
2129 | RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)" | ||
2130 | elif test ! -z "$PRNGD_SOCKET" ; then | ||
2131 | RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)" | ||
2132 | else | ||
2133 | RAND_MSG="Builtin (timeout $entropy_timeout)" | ||
2134 | BUILTIN_RNG=1 | ||
2135 | fi | ||
2136 | fi | ||
2137 | |||
2138 | # Someone please show me a better way :) | 2150 | # Someone please show me a better way :) |
2139 | A=`eval echo ${prefix}` ; A=`eval echo ${A}` | 2151 | A=`eval echo ${prefix}` ; A=`eval echo ${A}` |
2140 | B=`eval echo ${bindir}` ; B=`eval echo ${B}` | 2152 | B=`eval echo ${bindir}` ; B=`eval echo ${B}` |
@@ -2154,7 +2166,6 @@ echo " Askpass program: $E" | |||
2154 | echo " Manual pages: $F" | 2166 | echo " Manual pages: $F" |
2155 | echo " PID file: $G" | 2167 | echo " PID file: $G" |
2156 | echo " sshd default user PATH: $H" | 2168 | echo " sshd default user PATH: $H" |
2157 | echo " Random number collection: $RAND_MSG" | ||
2158 | echo " Manpage format: $MANTYPE" | 2169 | echo " Manpage format: $MANTYPE" |
2159 | echo " PAM support: ${PAM_MSG}" | 2170 | echo " PAM support: ${PAM_MSG}" |
2160 | echo " KerberosIV support: $KRB4_MSG" | 2171 | echo " KerberosIV support: $KRB4_MSG" |
@@ -2166,9 +2177,10 @@ echo " MD5 password support: $MD5_MSG" | |||
2166 | echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" | 2177 | echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" |
2167 | echo " Use IPv4 by default hack: $IPV4_HACK_MSG" | 2178 | echo " Use IPv4 by default hack: $IPV4_HACK_MSG" |
2168 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | 2179 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
2169 | 2180 | echo " BSD Auth support: $BSD_AUTH_MSG" | |
2170 | if test ! -z "$bsd_auth"; then | 2181 | echo " Random number source: $RAND_MSG" |
2171 | echo " BSD Auth support: yes" | 2182 | if test ! -z "$USE_RAND_HELPER" ; then |
2183 | echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" | ||
2172 | fi | 2184 | fi |
2173 | 2185 | ||
2174 | echo "" | 2186 | echo "" |
@@ -2183,22 +2195,24 @@ echo " Libraries: ${LIBS}" | |||
2183 | echo "" | 2195 | echo "" |
2184 | 2196 | ||
2185 | if test "x$PAM_MSG" = "xyes" ; then | 2197 | if test "x$PAM_MSG" = "xyes" ; then |
2186 | echo "PAM is enabled. You may need to install a PAM control file for sshd," | 2198 | echo "PAM is enabled. You may need to install a PAM control file " |
2187 | echo "otherwise password authentication may fail. Example PAM control files" | 2199 | echo "for sshd, otherwise password authentication may fail. " |
2188 | echo "can be found in the contrib/ subdirectory" | 2200 | echo "Example PAM control files can be found in the contrib/ " |
2201 | echo "subdirectory" | ||
2189 | echo "" | 2202 | echo "" |
2190 | fi | 2203 | fi |
2191 | 2204 | ||
2192 | if test ! -z "$BUILTIN_RNG" ; then | 2205 | if test ! -z "$NO_SFTP"; then |
2193 | echo "WARNING: you are using the builtin random number collection service." | 2206 | echo "sftp-server will be disabled. Your compiler does not " |
2194 | echo "Please read WARNING.RNG and request that your OS vendor includes" | 2207 | echo "support 64bit integers." |
2195 | echo "/dev/random in future versions of their OS." | ||
2196 | echo "" | 2208 | echo "" |
2197 | fi | 2209 | fi |
2198 | 2210 | ||
2199 | if test ! -z "$NO_SFTP"; then | 2211 | if test ! -z "$RAND_HELPER_CMDHASH" ; then |
2200 | echo "sftp-server will be disabled. Your compiler does not support" | 2212 | echo "WARNING: you are using the builtin random number collection " |
2201 | echo "64bit integers." | 2213 | echo "service. Please read WARNING.RNG and request that your OS " |
2214 | echo "vendor includes kernel-based random number collection in " | ||
2215 | echo "future versions of your OS." | ||
2202 | echo "" | 2216 | echo "" |
2203 | fi | 2217 | fi |
2204 | 2218 | ||
@@ -45,15 +45,17 @@ | |||
45 | * XXX: we should tell the child how many bytes we need. | 45 | * XXX: we should tell the child how many bytes we need. |
46 | */ | 46 | */ |
47 | 47 | ||
48 | #define RANDOM_SEED_SIZE 48 | 48 | RCSID("$Id: entropy.c,v 1.40 2002/01/22 10:57:54 djm Exp $"); |
49 | |||
50 | RCSID("$Id: entropy.c,v 1.39 2001/12/23 14:41:48 djm Exp $"); | ||
51 | 49 | ||
50 | #ifndef OPENSSL_PRNG_ONLY | ||
51 | #define RANDOM_SEED_SIZE 48 | ||
52 | static uid_t original_uid, original_euid; | 52 | static uid_t original_uid, original_euid; |
53 | #endif | ||
53 | 54 | ||
54 | void | 55 | void |
55 | seed_rng(void) | 56 | seed_rng(void) |
56 | { | 57 | { |
58 | #ifndef OPENSSL_PRNG_ONLY | ||
57 | int devnull; | 59 | int devnull; |
58 | int p[2]; | 60 | int p[2]; |
59 | pid_t pid; | 61 | pid_t pid; |
@@ -121,6 +123,10 @@ seed_rng(void) | |||
121 | 123 | ||
122 | RAND_add(buf, sizeof(buf), sizeof(buf)); | 124 | RAND_add(buf, sizeof(buf), sizeof(buf)); |
123 | memset(buf, '\0', sizeof(buf)); | 125 | memset(buf, '\0', sizeof(buf)); |
126 | |||
127 | #endif /* OPENSSL_PRNG_ONLY */ | ||
128 | if (RAND_status() != 1) | ||
129 | fatal("PRNG is not seeded"); | ||
124 | } | 130 | } |
125 | 131 | ||
126 | void | 132 | void |
@@ -134,8 +140,11 @@ init_rng(void) | |||
134 | fatal("OpenSSL version mismatch. Built against %lx, you " | 140 | fatal("OpenSSL version mismatch. Built against %lx, you " |
135 | "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); | 141 | "have %lx", OPENSSL_VERSION_NUMBER, SSLeay()); |
136 | 142 | ||
143 | #ifndef OPENSSL_PRNG_ONLY | ||
137 | if ((original_uid = getuid()) == -1) | 144 | if ((original_uid = getuid()) == -1) |
138 | fatal("getuid: %s", strerror(errno)); | 145 | fatal("getuid: %s", strerror(errno)); |
139 | if ((original_euid = geteuid()) == -1) | 146 | if ((original_euid = geteuid()) == -1) |
140 | fatal("geteuid: %s", strerror(errno)); | 147 | fatal("geteuid: %s", strerror(errno)); |
148 | #endif | ||
141 | } | 149 | } |
150 | |||