From 6c21c51c487ec31ceb5b81b536c9516c5f20b5b0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 22 Jan 2002 21:57:53 +1100 Subject: - (djm) autoconf hacking: - We don't support --without-zlib currently, so don't allow it. - Rework cryptographic random number support detection. We now detect whether OpenSSL seeds itself. If it does, then we don't bother with the ssh-rand-helper program. You can force the use of ssh-rand-helper using the --with-rand-helper configure argument - Simplify and clean up ssh-rand-helper configuration --- configure.ac | 306 +++++++++++++++++++++++++++++++---------------------------- 1 file changed, 160 insertions(+), 146 deletions(-) (limited to 'configure.ac') diff --git a/configure.ac b/configure.ac index 0ed1ddddf..9cc7dc97c 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -i# $Id: configure.ac,v 1.10 2002/01/14 08:01:06 djm Exp $ +i# $Id: configure.ac,v 1.11 2002/01/22 10:57:54 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -336,6 +336,9 @@ dnl zlib is required AC_ARG_WITH(zlib, [ --with-zlib=PATH Use zlib in PATH], [ + if test "x$withval" != "xno" ; then + AC_MSG_ERROR([*** zlib is required ***]) + fi if test -d "$withval/lib"; then if test -n "${need_dash_r}"; then LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" @@ -815,6 +818,144 @@ if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") fi + +### Configure cryptographic random number support + +# Check wheter OpenSSL seeds itself +AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) +AC_TRY_RUN( + [ +#include +#include +int main(void) { return(RAND_status() == 1 ? 0 : 1); } + ], + [ + OPENSSL_SEEDS_ITSELF=yes + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + # Default to use of the rand helper if OpenSSL doesn't + # seed itself + USE_RAND_HELPER=yes + ] +) + + +# Do we want to force the use of the rand helper? +AC_ARG_WITH(rand-helper, + [ --with-rand-helper Use subprocess to gather strong randomness ], + [ + if test "x$withval" = "xno" ; then + # Force use of OpenSSL's internal RNG, even if + # the previous test showed it to be unseeded. + if test -z "$OPENSSL_SEEDS_ITSELF" ; then + AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG]) + OPENSSL_SEEDS_ITSELF=yes + USE_RAND_HELPER="" + fi + else + USE_RAND_HELPER=yes + fi + ], +) + +# Which randomness source do we use? +if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then + # OpenSSL only + AC_DEFINE(OPENSSL_PRNG_ONLY) + RAND_MSG="OpenSSL internal ONLY" + INSTALL_SSH_RAND_HELPER="" +elif test ! -z "$OPENSSL_SEEDS_ITSELF" -a ! -z "$USE_RAND_HELPER" ; then + # OpenSSL with fallback to rand helper + RAND_MSG="ssh-rand-helper" + INSTALL_SSH_RAND_HELPER="yes" +fi +AC_SUBST(INSTALL_SSH_RAND_HELPER) + +### Configuration of ssh-rand-helper + +# PRNGD TCP socket +AC_ARG_WITH(prngd-port, + [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT], + [ + if test ! -z "$withval" -a "x$withval" != "xno" ; then + PRNGD_PORT="$withval" + AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) + fi + ] +) + +# PRNGD Unix domain socket +AC_ARG_WITH(prngd-socket, + [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], + [ + if test -z "$withval" ; then + withval="/var/run/egd-pool" + fi + if test "x$withval" != "xno" ; then + if test ! -z "$PRNGD_PORT" ; then + AC_MSG_ERROR(You may not specify both a PRNGD/EGD port and socket) + fi + if ! echo "$withval" | grep -q '^/' ; then + AC_MSG_ERROR(You must specify an absolute path to the entropy socket) + fi + if ! test -r "$withval" ; then + AC_MSG_WARN(Entropy socket is not readable) + fi + PRNGD_SOCKET="$withval" + AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") + fi + ] +) + +# Change default command timeout for hashing entropy source +entropy_timeout=200 +AC_ARG_WITH(entropy-timeout, + [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], + [ + if test "x$withval" != "xno" ; then + entropy_timeout=$withval + fi + ] +) + +AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) + +# These programs are used by the command hashing source to gather entropy +OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) +OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) +OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp) +OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) +OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat) +OSSH_PATH_ENTROPY_PROG(PROG_PS, ps) +OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar) +OSSH_PATH_ENTROPY_PROG(PROG_W, w) +OSSH_PATH_ENTROPY_PROG(PROG_WHO, who) +OSSH_PATH_ENTROPY_PROG(PROG_LAST, last) +OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog) +OSSH_PATH_ENTROPY_PROG(PROG_DF, df) +OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat) +OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) +OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) +OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail) + +# Where does ssh-rand-helper get its randomness from? +INSTALL_SSH_PRNG_CMDS="" +if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then + if test ! -z "$PRNGD_PORT" ; then + RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT" + elif test ! -z "$PRNGD_SOCKET" ; then + RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\"" + else + RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)" + RAND_HELPER_CMDHASH=yes + INSTALL_SSH_PRNG_CMDS="yes" + fi +fi +AC_SUBST(INSTALL_SSH_PRNG_CMDS) + + # Cheap hack to ensure NEWS-OS libraries are arranged right. if test ! -z "$SONY" ; then LIBS="$LIBS -liberty"; @@ -1531,109 +1672,6 @@ AC_CHECK_FILE("/dev/ptc", ) # Options from here on. Some of these are preset by platform above - -# Check for user-specified random device, otherwise check /dev/urandom -AC_ARG_WITH(random, - [ --with-random=FILE read entropy from FILE (default=/dev/urandom)], - [ - if test "x$withval" != "xno" ; then - RANDOM_POOL="$withval"; - if ! echo "$RANDOM_POOL" | grep -q '^/' ; then - AC_MSG_ERROR(You must specify an absolute path to the random device) - fi - if ! test -r "$RANDOM_POOL" ; then - AC_MSG_WARN(Random device is not readable) - fi - AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") - fi - ], - [ - # Check for random device - AC_CHECK_FILE("/dev/urandom", - [ - RANDOM_POOL="/dev/urandom"; - AC_SUBST(RANDOM_POOL) - AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL") - ] - ) - ] -) - -# Check for PRNGD/EGD pool file -AC_ARG_WITH(prngd-port, - [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], - [ - if test ! -z "$withval" -a "x$withval" != "xno" ; then - PRNGD_PORT="$withval" - AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT) - fi - ] -) - -# Check for PRNGD/EGD pool file -AC_ARG_WITH(prngd-socket, - [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], - [ - if test "x$withval" != "xno" ; then - PRNGD_SOCKET="$withval" - if echo "$PRNGD_SOCKET" | grep -q '^/' ; then - AC_MSG_ERROR(You must specify an absolute path to the entropy socket) - fi - if ! test -r "$PRNGD_SOCKET" ; then - AC_MSG_WARN(Entropy socket is not readable) - fi - AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") - fi - ], - [ - # Check for existing socket only if we don't have a random device already - if test -z "$RANDOM_POOL" ; then - AC_MSG_CHECKING(for PRNGD/EGD socket) - # Insert other locations here - for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do - if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then - PRNGD_SOCKET="$sock" - AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") - break; - fi - done - if test ! -z "$PRNGD_SOCKET" ; then - AC_MSG_RESULT($PRNGD_SOCKET) - else - AC_MSG_RESULT(not found) - fi - fi - ] -) - - -# detect pathnames for entropy gathering commands, if we need them -INSTALL_SSH_PRNG_CMDS="" -rm -f prng_commands -if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then - INSTALL_SSH_PRNG_CMDS="yes" -fi -AC_SUBST(INSTALL_SSH_PRNG_CMDS) - -# These programs are used to gather entropy from -OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) -OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) -OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp) -OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig) -OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat) -OSSH_PATH_ENTROPY_PROG(PROG_PS, ps) -OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar) -OSSH_PATH_ENTROPY_PROG(PROG_W, w) -OSSH_PATH_ENTROPY_PROG(PROG_WHO, who) -OSSH_PATH_ENTROPY_PROG(PROG_LAST, last) -OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog) -OSSH_PATH_ENTROPY_PROG(PROG_DF, df) -OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat) -OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime) -OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs) -OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail) - - AC_ARG_WITH(mantype, [ --with-mantype=man|cat|doc Set man page type], [ @@ -1825,12 +1863,13 @@ AC_ARG_WITH(4in6, ) # Whether to enable BSD auth support +BSD_AUTH_MSG=no AC_ARG_WITH(bsd-auth, [ --with-bsd-auth Enable BSD auth support], [ if test "x$withval" != "xno" ; then AC_DEFINE(BSD_AUTH) - bsd_auth=yes + BSD_AUTH_MSG=yes fi ] ) @@ -2097,44 +2136,17 @@ else fi -# Change default command timeout for builtin PRNG -entropy_timeout=200 -AC_ARG_WITH(entropy-timeout, - [ --with-entropy-timeout Specify entropy gathering command timeout (msec)], - [ - if test "x$withval" != "xno" ; then - entropy_timeout=$withval - fi - ] -) -AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout) - - if test ! -z "$blibpath" ; then LDFLAGS="$LDFLAGS -blibpath:$blibpath" AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile]) fi AC_EXEEXT - AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds]) AC_OUTPUT # Print summary of options -if test ! -z "$RANDOM_POOL" ; then - RAND_MSG="Device ($RANDOM_POOL)" -else - if test ! -z "$PRNGD_PORT" ; then - RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)" - elif test ! -z "$PRNGD_SOCKET" ; then - RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)" - else - RAND_MSG="Builtin (timeout $entropy_timeout)" - BUILTIN_RNG=1 - fi -fi - # Someone please show me a better way :) A=`eval echo ${prefix}` ; A=`eval echo ${A}` B=`eval echo ${bindir}` ; B=`eval echo ${B}` @@ -2154,7 +2166,6 @@ echo " Askpass program: $E" echo " Manual pages: $F" echo " PID file: $G" echo " sshd default user PATH: $H" -echo " Random number collection: $RAND_MSG" echo " Manpage format: $MANTYPE" echo " PAM support: ${PAM_MSG}" echo " KerberosIV support: $KRB4_MSG" @@ -2166,9 +2177,10 @@ echo " MD5 password support: $MD5_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" - -if test ! -z "$bsd_auth"; then - echo " BSD Auth support: yes" +echo " BSD Auth support: $BSD_AUTH_MSG" +echo " Random number source: $RAND_MSG" +if test ! -z "$USE_RAND_HELPER" ; then + echo " ssh-rand-helper collects from: $RAND_HELPER_MSG" fi echo "" @@ -2183,22 +2195,24 @@ echo " Libraries: ${LIBS}" echo "" if test "x$PAM_MSG" = "xyes" ; then - echo "PAM is enabled. You may need to install a PAM control file for sshd," - echo "otherwise password authentication may fail. Example PAM control files" - echo "can be found in the contrib/ subdirectory" + echo "PAM is enabled. You may need to install a PAM control file " + echo "for sshd, otherwise password authentication may fail. " + echo "Example PAM control files can be found in the contrib/ " + echo "subdirectory" echo "" fi -if test ! -z "$BUILTIN_RNG" ; then - echo "WARNING: you are using the builtin random number collection service." - echo "Please read WARNING.RNG and request that your OS vendor includes" - echo "/dev/random in future versions of their OS." +if test ! -z "$NO_SFTP"; then + echo "sftp-server will be disabled. Your compiler does not " + echo "support 64bit integers." echo "" fi -if test ! -z "$NO_SFTP"; then - echo "sftp-server will be disabled. Your compiler does not support" - echo "64bit integers." +if test ! -z "$RAND_HELPER_CMDHASH" ; then + echo "WARNING: you are using the builtin random number collection " + echo "service. Please read WARNING.RNG and request that your OS " + echo "vendor includes kernel-based random number collection in " + echo "future versions of your OS." echo "" fi -- cgit v1.2.3