- (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]

[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms.
author: Damien Miller <djm@mindrot.org> 2011-05-05 13:48:37 +1000
committer: Damien Miller <djm@mindrot.org> 2011-05-05 13:48:37 +1000
commit: f22019bdbfb986daf24428a9d37f9fe9bb3ff7ad (patch)
tree: e23aa2864fccb6f4097d962aa14f9d78ca02a929 /configure.ac
parent: 68790fedef210e03e36534b111e2f27b858170b4 (diff)
1 files changed, 75 insertions, 174 deletions
diff --git a/configure.ac b/configure.ac
index c8d90ea0..573c0971 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.471 2011/01/26 20:38:58 tim Exp $
+# $Id: configure.ac,v 1.472 2011/05/05 03:48:37 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.471 $)
+AC_REVISION($Revision: 1.472 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -2299,113 +2299,15 @@ AC_RUN_IFELSE(
 	],
 	[
 		AC_MSG_RESULT([no])
-		# Default to use of the rand helper if OpenSSL doesn't
-		# seed itself
-		USE_RAND_HELPER=yes
 	],
 	[
 		AC_MSG_WARN([cross compiling: assuming yes])
-		# This is safe, since all recent OpenSSL versions will
-		# complain at runtime if not seeded correctly.
+		# This is safe, since we will fatal() at runtime if
+		# OpenSSL is not seeded correctly.
 		OPENSSL_SEEDS_ITSELF=yes
 	]
 )
 
-# Check for PAM libs
-PAM_MSG="no"
-AC_ARG_WITH([pam],
-	[  --with-pam              Enable PAM support ],
-	[
-		if test "x$withval" != "xno" ; then
-			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
-			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
-				AC_MSG_ERROR([PAM headers not found])
-			fi
-
-			saved_LIBS="$LIBS"
-			AC_CHECK_LIB([dl], [dlopen], , )
-			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
-			AC_CHECK_FUNCS([pam_getenvlist])
-			AC_CHECK_FUNCS([pam_putenv])
-			LIBS="$saved_LIBS"
-
-			PAM_MSG="yes"
-
-			SSHDLIBS="$SSHDLIBS -lpam"
-			AC_DEFINE([USE_PAM], [1],
-				[Define if you want to enable PAM support])
-
-			if test $ac_cv_lib_dl_dlopen = yes; then
-				case "$LIBS" in
-				*-ldl*)
-					# libdl already in LIBS
-					;;
-				*)
-					SSHDLIBS="$SSHDLIBS -ldl"
-					;;
-				esac
-			fi
-		fi
-	]
-)
-
-# Check for older PAM
-if test "x$PAM_MSG" = "xyes" ; then
-	# Check PAM strerror arguments (old PAM)
-	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
-	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-#include <stdlib.h>
-#if defined(HAVE_SECURITY_PAM_APPL_H)
-#include <security/pam_appl.h>
-#elif defined (HAVE_PAM_PAM_APPL_H)
-#include <pam/pam_appl.h>
-#endif
-		]], [[
-(void)pam_strerror((pam_handle_t *)NULL, -1);
-		]])], [AC_MSG_RESULT([no])], [
-			AC_DEFINE([HAVE_OLD_PAM], [1],
-				[Define if you have an old version of PAM
-				which takes only one argument to pam_strerror])
-			AC_MSG_RESULT([yes])
-			PAM_MSG="yes (old library)"
-		
-	])
-fi
-
-# Do we want to force the use of the rand helper?
-AC_ARG_WITH([rand-helper],
-	[  --with-rand-helper      Use subprocess to gather strong randomness ],
-	[
-		if test "x$withval" = "xno" ; then
-			# Force use of OpenSSL's internal RNG, even if
-			# the previous test showed it to be unseeded.
-			if test -z "$OPENSSL_SEEDS_ITSELF" ; then
-				AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG])
-				OPENSSL_SEEDS_ITSELF=yes
-				USE_RAND_HELPER=""
-			fi
-		else
-			USE_RAND_HELPER=yes
-		fi
-	],
-)
-
-# Which randomness source do we use?
-if test ! -z "$OPENSSL_SEEDS_ITSELF" && test -z "$USE_RAND_HELPER" ; then
-	# OpenSSL only
-	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
-		[Define if you want OpenSSL's internally seeded PRNG only])
-	RAND_MSG="OpenSSL internal ONLY"
-	INSTALL_SSH_RAND_HELPER=""
-elif test ! -z "$USE_RAND_HELPER" ; then
-	# install rand helper
-	RAND_MSG="ssh-rand-helper"
-	INSTALL_SSH_RAND_HELPER="yes"
-fi
-AC_SUBST([INSTALL_SSH_RAND_HELPER])
-
-### Configuration of ssh-rand-helper
-
 # PRNGD TCP socket
 AC_ARG_WITH([prngd-port],
 	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
@@ -2460,7 +2362,7 @@ AC_ARG_WITH([prngd-socket],
 	],
 	[
 		# Check for existing socket only if we don't have a random device already
-		if test "$USE_RAND_HELPER" = yes ; then
+		if test "x$OPENSSL_SEEDS_ITSELF" != "xyes" ; then
 			AC_MSG_CHECKING([for PRNGD/EGD socket])
 			# Insert other locations here
 			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
@@ -2479,19 +2381,79 @@ AC_ARG_WITH([prngd-socket],
 	]
 )
 
-# Change default command timeout for hashing entropy source
-entropy_timeout=200
-AC_ARG_WITH([entropy-timeout],
-	[  --with-entropy-timeout  Specify entropy gathering command timeout (msec)],
+# Which randomness source do we use?
+if test ! -z "$PRNGD_PORT" ; then
+	RAND_MSG="PRNGd port $PRNGD_PORT"
+elif test ! -z "$PRNGD_SOCKET" ; then
+	RAND_MSG="PRNGd socket $PRNGD_SOCKET"
+elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
+	AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
+		[Define if you want OpenSSL's internally seeded PRNG only])
+	RAND_MSG="OpenSSL internal ONLY"
+else
+	AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
+fi
+
+# Check for PAM libs
+PAM_MSG="no"
+AC_ARG_WITH([pam],
+	[  --with-pam              Enable PAM support ],
 	[
-		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-		    test "x${withval}" != "xyes"; then
-			entropy_timeout=$withval
+		if test "x$withval" != "xno" ; then
+			if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \
+			   test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then
+				AC_MSG_ERROR([PAM headers not found])
+			fi
+
+			saved_LIBS="$LIBS"
+			AC_CHECK_LIB([dl], [dlopen], , )
+			AC_CHECK_LIB([pam], [pam_set_item], , [AC_MSG_ERROR([*** libpam missing])])
+			AC_CHECK_FUNCS([pam_getenvlist])
+			AC_CHECK_FUNCS([pam_putenv])
+			LIBS="$saved_LIBS"
+
+			PAM_MSG="yes"
+
+			SSHDLIBS="$SSHDLIBS -lpam"
+			AC_DEFINE([USE_PAM], [1],
+				[Define if you want to enable PAM support])
+
+			if test $ac_cv_lib_dl_dlopen = yes; then
+				case "$LIBS" in
+				*-ldl*)
+					# libdl already in LIBS
+					;;
+				*)
+					SSHDLIBS="$SSHDLIBS -ldl"
+					;;
+				esac
+			fi
 		fi
 	]
 )
-AC_DEFINE_UNQUOTED([ENTROPY_TIMEOUT_MSEC], [$entropy_timeout],
-	[Builtin PRNG command timeout])
+
+# Check for older PAM
+if test "x$PAM_MSG" = "xyes" ; then
+	# Check PAM strerror arguments (old PAM)
+	AC_MSG_CHECKING([whether pam_strerror takes only one argument])
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdlib.h>
+#if defined(HAVE_SECURITY_PAM_APPL_H)
+#include <security/pam_appl.h>
+#elif defined (HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
+		]], [[
+(void)pam_strerror((pam_handle_t *)NULL, -1);
+		]])], [AC_MSG_RESULT([no])], [
+			AC_DEFINE([HAVE_OLD_PAM], [1],
+				[Define if you have an old version of PAM
+				which takes only one argument to pam_strerror])
+			AC_MSG_RESULT([yes])
+			PAM_MSG="yes (old library)"
+		
+	])
+fi
 
 SSH_PRIVSEP_USER=sshd
 AC_ARG_WITH([privsep-user],
@@ -2507,56 +2469,6 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
 	[non-privileged user for privilege separation])
 AC_SUBST([SSH_PRIVSEP_USER])
 
-# We do this little dance with the search path to insure
-# that programs that we select for use by installed programs
-# (which may be run by the super-user) come from trusted
-# locations before they come from the user's private area.
-# This should help avoid accidentally configuring some
-# random version of a program in someone's personal bin.
-
-OPATH=$PATH
-PATH=/bin:/usr/bin
-test -h /bin 2> /dev/null && PATH=/usr/bin
-test -d /sbin && PATH=$PATH:/sbin
-test -d /usr/sbin && PATH=$PATH:/usr/sbin
-PATH=$PATH:/etc:$OPATH
-
-# These programs are used by the command hashing source to gather entropy
-OSSH_PATH_ENTROPY_PROG([PROG_LS], [ls])
-OSSH_PATH_ENTROPY_PROG([PROG_NETSTAT], [netstat])
-OSSH_PATH_ENTROPY_PROG([PROG_ARP], [arp])
-OSSH_PATH_ENTROPY_PROG([PROG_IFCONFIG], [ifconfig])
-OSSH_PATH_ENTROPY_PROG([PROG_JSTAT], [jstat])
-OSSH_PATH_ENTROPY_PROG([PROG_PS], [ps])
-OSSH_PATH_ENTROPY_PROG([PROG_SAR], [sar])
-OSSH_PATH_ENTROPY_PROG([PROG_W], [w])
-OSSH_PATH_ENTROPY_PROG([PROG_WHO], [who])
-OSSH_PATH_ENTROPY_PROG([PROG_LAST], [last])
-OSSH_PATH_ENTROPY_PROG([PROG_LASTLOG], [lastlog])
-OSSH_PATH_ENTROPY_PROG([PROG_DF], [df])
-OSSH_PATH_ENTROPY_PROG([PROG_VMSTAT], [vmstat])
-OSSH_PATH_ENTROPY_PROG([PROG_UPTIME], [uptime])
-OSSH_PATH_ENTROPY_PROG([PROG_IPCS], [ipcs])
-OSSH_PATH_ENTROPY_PROG([PROG_TAIL], [tail])
-# restore PATH
-PATH=$OPATH
-
-# Where does ssh-rand-helper get its randomness from?
-INSTALL_SSH_PRNG_CMDS=""
-if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then
-	if test ! -z "$PRNGD_PORT" ; then
-		RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT"
-	elif test ! -z "$PRNGD_SOCKET" ; then
-		RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\""
-	else
-		RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)"
-		RAND_HELPER_CMDHASH=yes
-		INSTALL_SSH_PRNG_CMDS="yes"
-	fi
-fi
-AC_SUBST([INSTALL_SSH_PRNG_CMDS])
-
-
 # Cheap hack to ensure NEWS-OS libraries are arranged right.
 if test ! -z "$SONY" ; then
   LIBS="$LIBS -liberty";
@@ -4157,7 +4069,7 @@ AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6])
 AC_EXEEXT
 AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
 	openbsd-compat/Makefile openbsd-compat/regress/Makefile \
-	ssh_prng_cmds survey.sh])
+	survey.sh])
 AC_OUTPUT
 
 # Print summary of options
@@ -4212,9 +4124,6 @@ echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
-if test ! -z "$USE_RAND_HELPER" ; then
-echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
-fi
 
 echo ""
 
@@ -4246,14 +4155,6 @@ if test "x$PAM_MSG" = "xyes" ; then
 	echo ""
 fi
 
-if test ! -z "$RAND_HELPER_CMDHASH" ; then
-	echo "WARNING: you are using the builtin random number collection "
-	echo "service. Please read WARNING.RNG and request that your OS "
-	echo "vendor includes kernel-based random number collection in "
-	echo "future versions of your OS."
-	echo ""
-fi
-
 if test ! -z "$NO_PEERCHECK" ; then
 	echo "WARNING: the operating system that you are using does not"
 	echo "appear to support getpeereid(), getpeerucred() or the"
author	Damien Miller <djm@mindrot.org>	2011-05-05 13:48:37 +1000
committer	Damien Miller <djm@mindrot.org>	2011-05-05 13:48:37 +1000
commit	f22019bdbfb986daf24428a9d37f9fe9bb3ff7ad (patch)
tree	e23aa2864fccb6f4097d962aa14f9d78ca02a929 /configure.ac
parent	68790fedef210e03e36534b111e2f27b858170b4 (diff)