[rfc] add MK_TELNET_SSL as a build option

Adrian Chadd-2
Hi,

The wifi builds have a need for building telnet/telnetd without
ssl/kerberos in order to meet size constraints and to allow them to be
crunch'ed.

I'd like to add the following patch to -HEAD, minus the comments in
libtelnet that are currently a reminder to me of what needs to be
turned into function pointers so things link correctly.

I'd appreciate feedback here as it does involve adding a new MK, and I
really dislike it. :(

adrian@lucy-11i386:~/work/freebsd/head-embedded-2/src % cat /tmp/diff
Index: contrib/telnet/libtelnet/misc-proto.h
===================================================================
--- contrib/telnet/libtelnet/misc-proto.h       (revision 284291)
+++ contrib/telnet/libtelnet/misc-proto.h       (working copy)
@@ -71,6 +71,11 @@
 /*
  * These functions are imported from the application
  */
+/*
+ * XXX TODO: turn into a function set that's passed in
+ * from telnet/telnetd main().  That way it can be
+ * built via crunchgen.
+ */
 int net_write(unsigned char *, int);
 void net_encrypt(void);
 int telnet_spin(void);
Index: lib/libtelnet/Makefile
===================================================================
--- lib/libtelnet/Makefile      (revision 284291)
+++ lib/libtelnet/Makefile      (working copy)
@@ -15,7 +15,7 @@

 WARNS?=                2

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
 SRCS+=         encrypt.c auth.c enc_des.c sra.c pk.c
 CFLAGS+=       -DENCRYPTION -DAUTHENTICATION -DSRA
 .endif
Index: libexec/telnetd/Makefile
===================================================================
--- libexec/telnetd/Makefile    (revision 284291)
+++ libexec/telnetd/Makefile    (working copy)
@@ -31,7 +31,7 @@

 LIBADD=                telnet util ncursesw

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
 SRCS+=         authenc.c
 CFLAGS+=       -DAUTHENTICATION -DENCRYPTION
 LIBADD+=       mp crypto pam
adrian@lucy-11i386:~/work/freebsd/head-embedded-2/src % more /tmp/diff
Index: contrib/telnet/libtelnet/misc-proto.h
===================================================================
--- contrib/telnet/libtelnet/misc-proto.h       (revision 284291)
+++ contrib/telnet/libtelnet/misc-proto.h       (working copy)
@@ -71,6 +71,11 @@
 /*
  * These functions are imported from the application
  */
+/*
+ * XXX TODO: turn into a function set that's passed in
+ * from telnet/telnetd main().  That way it can be
+ * built via crunchgen.
+ */
 int net_write(unsigned char *, int);
 void net_encrypt(void);
 int telnet_spin(void);
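
Review bot: the added XXX TODO block in misc-proto.h sits as a second comment stacked directly under the existing "These functions are imported from the application" comment and should not go in as is. Either leave it out of the commit, or fold one sentence into the existing comment that names which of the prototypes that follow (net_write, net_encrypt, telnet_spin) are meant to move into the passed-in function set.
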
Index: lib/libtelnet/Makefile
===================================================================
--- lib/libtelnet/Makefile      (revision 284291)
+++ lib/libtelnet/Makefile      (working copy)
@@ -15,7 +15,7 @@

 WARNS?=                2

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
 SRCS+=         encrypt.c auth.c enc_des.c sra.c pk.c
 CFLAGS+=       -DENCRYPTION -DAUTHENTICATION -DSRA
 .endif
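
Review bot: with MK_TELNET_SSL off, the changed condition in lib/libtelnet/Makefile drops encrypt.c, auth.c, enc_des.c, sra.c and pk.c together with -DENCRYPTION -DAUTHENTICATION -DSRA, so the knob removes telnet's authentication and encryption code as a whole, not only an SSL dependency; the knob name or its description should say that plainly. The `${MK_OPENSSL} != "no"` half of the test is also redundant, because the src.opts.mk hunks in this patch force MK_TELNET_SSL to no whenever MK_OPENSSL is no.
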
Index: libexec/telnetd/Makefile
===================================================================
--- libexec/telnetd/Makefile    (revision 284291)
+++ libexec/telnetd/Makefile    (working copy)
@@ -31,7 +31,7 @@

 LIBADD=                telnet util ncursesw

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
 SRCS+=         authenc.c
 CFLAGS+=       -DAUTHENTICATION -DENCRYPTION
 LIBADD+=       mp crypto pam
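
Review bot: pam sits on the same conditional LIBADD line as mp and crypto in libexec/telnetd/Makefile, so on the visible lines a telnetd built with MK_TELNET_SSL=no is also no longer linked against libpam. If that is intended, say so in the option description; if not, move pam out of the conditional. The test can be reduced to `${MK_TELNET_SSL} != "no"` here as well.
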
Index: share/mk/src.opts.mk
===================================================================
--- share/mk/src.opts.mk        (revision 284291)
+++ share/mk/src.opts.mk        (working copy)
@@ -161,6 +161,7 @@
     TCP_WRAPPERS \
     TCSH \
     TELNET \
+    TELNET_SSL \
     TESTS \
     TEXTPROC \
     TFTP \
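
Review bot: TELNET_SSL is added to an option list in share/mk/src.opts.mk, but no file in this patch describes the new knob. Add the matching description file under tools/build/options/ so src.conf(5) can be regenerated, and state in the commit message whether the option defaults to yes or no, since the hunk context does not show which list this is.
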
@@ -290,6 +291,7 @@

 .if ${MK_CRYPT} == "no"
 MK_OPENSSL:=   no
+MK_TELNET_SSL:=        no
 MK_OPENSSH:=   no
 MK_KERBEROS:=  no
 .endif
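
Review bot: the `MK_TELNET_SSL:= no` added inside the `.if ${MK_CRYPT} == "no"` block is redundant. That block already sets MK_OPENSSL to no, and the `.if ${MK_OPENSSL} == "no"` block changed by the next hunk then sets MK_TELNET_SSL to no; keep the assignment in one place only.
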
@@ -312,6 +314,7 @@
 .endif

 .if ${MK_OPENSSL} == "no"
+MK_TELNET_SSL:=        no
 MK_OPENSSH:=   no
 MK_KERBEROS:=  no
 .endif
Index: tools/bsdbox/Makefile
===================================================================
--- tools/bsdbox/Makefile       (revision 284291)
+++ tools/bsdbox/Makefile       (working copy)
@@ -100,7 +100,7 @@
 .include "Makefile.kld"
 # telnet/telnetd are too broken to include as a crunchgen'ed binary,
 # thanks to some of the horrible layering violations going on.
-# .include "Makefile.telnetd"
+.include "Makefile.telnetd"
 .include "Makefile.fs"

 CRUNCH_LIBS+= -lcrypto -lssl -lz
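
Review bot: the include of Makefile.telnetd in tools/bsdbox/Makefile is enabled, but the two comment lines above it still say telnet/telnetd are "too broken to include as a crunchgen'ed binary"; update or remove that comment in the same change. The context line `CRUNCH_LIBS+= -lcrypto -lssl -lz` is untouched, so check whether the crunched binary still needs libcrypto and libssl once telnet no longer uses them, given that the stated goal is size.
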
Index: tools/bsdbox/Makefile.telnetd
===================================================================
--- tools/bsdbox/Makefile.telnetd       (revision 284291)
+++ tools/bsdbox/Makefile.telnetd       (working copy)
@@ -1,4 +1,4 @@
-# Build telnetd
+# Build telnet/telnetd
 # Question - why is telnetds objects ending up in the srcdir? -adrian

 # This won't work yet - because telnetd relies on libtelnet.a which includes
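
Review bot: the context comment beginning "This won't work yet - because telnetd relies on libtelnet.a" stays in tools/bsdbox/Makefile.telnetd under the updated header line while the rest of the patch turns this file on. Rewrite it to describe the remaining limitation, or delete it if the limitation no longer applies.
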
@@ -8,7 +8,8 @@

 # $FreeBSD$

+CRUNCH_BUILDOPTS_telnetd=      MK_KERBEROS_SUPPORT=no
 CRUNCH_PROGS_libexec+= telnetd
 CRUNCH_PROGS_usr.bin+= telnet
-CRUNCH_LIBS+=          -lkrb5 -lhx509 -lasn1 -lcom_err -lroken -ltelnetd
-# CRUNCH_BUILDOPTS_telnetd=    MK_KERBEROS_SUPPORT=no
+#CRUNCH_LIBS+=         -lkrb5 -lhx509 -lasn1 -lcom_err -lroken
+CRUNCH_LIBS+=          ../../lib/libtelnet/libtelnet.a
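
Review bot: `CRUNCH_BUILDOPTS_telnetd= MK_KERBEROS_SUPPORT=no` does not pass MK_TELNET_SSL=no, and there is no CRUNCH_BUILDOPTS line for telnet even though telnet is added to CRUNCH_PROGS_usr.bin, so nothing in this file actually selects the new knob for the crunched programs. Also drop the commented-out `#CRUNCH_LIBS+=` line rather than committing it, and avoid the hard-coded relative path `../../lib/libtelnet/libtelnet.a`, which depends on the directory the build runs from.
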
Index: usr.bin/telnet/Makefile
===================================================================
--- usr.bin/telnet/Makefile     (revision 284291)
+++ usr.bin/telnet/Makefile     (working copy)
@@ -30,7 +30,7 @@
 CFLAGS+=       -DHAS_CGETENT
 .endif

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
 SRCS+=         authenc.c
 CFLAGS+=       -DENCRYPTION -DAUTHENTICATION -DIPSEC
 LIBADD+=       mp crypto ipsec pam
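
Review bot: in usr.bin/telnet/Makefile the conditional also carries -DIPSEC and the ipsec entry in LIBADD, so setting MK_TELNET_SSL=no silently removes IPsec support from telnet along with authentication and encryption. Either split IPSEC out of this block or document that side effect in the option description. The `${MK_OPENSSL} != "no"` test is redundant here too.
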
adrian@lucy-11i386:~/work/freebsd/head-embedded-2/src %
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "[hidden email]"

Re: [rfc] add MK_TELNET_SSL as a build option

Enji Cooper
On Jun 13, 2015, at 15:40, Adrian Chadd <[hidden email]> wrote:

> Hi,
>
> The wifi builds have a need for building telnet/telnetd without
> ssl/kerberos in order to meet size constraints and to allow them to be
> crunch’ed.

...

> ===================================================================
> --- contrib/telnet/libtelnet/misc-proto.h       (revision 284291)
> +++ contrib/telnet/libtelnet/misc-proto.h       (working copy)
> @@ -71,6 +71,11 @@
> /*
>  * These functions are imported from the application
>  */
> +/*
> + * XXX TODO: turn into a function set that's passed in
> + * from telnet/telnetd main().  That way it can be
> + * built via crunchgen.
> + */
What’s the story behind the TODO?

> ===================================================================
> --- lib/libtelnet/Makefile      (revision 284291)
> +++ lib/libtelnet/Makefile      (working copy)
> @@ -15,7 +15,7 @@
>
> WARNS?=                2
>
> -.if ${MK_OPENSSL} != "no"
> +.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != “no"

Please reduce this to ${MK_TELNET_SSL} != "no" (here and elsewhere). ${MK_OPENSSL} == "no" already handles setting this knob in src.opts.mk, so there’s no reason why you need to check both knobs.
Thanks!


Re: [rfc] add MK_TELNET_SSL as a build option

Adrian Chadd-2
The telnet library requires those routines to be defined by the
application, but when doing crunchgen style binaries that doesn't work
- two sets of each of those symbols are defined and things don't link.

The solution here is to create a struct with function pointers that
the application registers at startup time, rather than having the
library link /into/ the application.



-adrian
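
The registration approach described in the message above, as an added sketch that is not code from the patch or from FreeBSD: the names `telnet_app_ops`, `telnet_register_ops` and `lib_send` are hypothetical, and only the three callback prototypes are taken from misc-proto.h as quoted in the patch.

```c
#include <stddef.h>

/* Hypothetical ops table; members mirror the prototypes in misc-proto.h. */
struct telnet_app_ops {
	int  (*net_write)(unsigned char *, int);
	void (*net_encrypt)(void);
	int  (*telnet_spin)(void);
};

/* ---- library side (stand-in for libtelnet) ---- */
static const struct telnet_app_ops *app_ops;

/* Hypothetical registration call, made once from each program's main(). */
int telnet_register_ops(const struct telnet_app_ops *ops)
{
	if (ops == NULL || ops->net_write == NULL ||
	    ops->net_encrypt == NULL || ops->telnet_spin == NULL)
		return -1;	/* refuse a partial table */
	app_ops = ops;
	return 0;
}

/* Library routine that previously called the global net_write(). */
int lib_send(unsigned char *buf, int len)
{
	if (app_ops == NULL)
		return -1;	/* nothing registered: fail instead of crashing */
	return app_ops->net_write(buf, len);
}

/* ---- application side: both programs linked into one binary ---- */
static int client_len, server_len;	/* bytes "sent" by each program */

static int client_net_write(unsigned char *b, int n) { (void)b; client_len += n; return n; }
static int server_net_write(unsigned char *b, int n) { (void)b; server_len += n; return n; }
static void noop_encrypt(void) { }	/* stands in for a build without ENCRYPTION */
static int noop_spin(void) { return 0; }

/* Callbacks are static, so telnet and telnetd export no clashing symbols. */
const struct telnet_app_ops telnet_ops  = { client_net_write, noop_encrypt, noop_spin };
const struct telnet_app_ops telnetd_ops = { server_net_write, noop_encrypt, noop_spin };

int client_bytes(void) { return client_len; }
int server_bytes(void) { return server_len; }

int main(void)
{
	unsigned char msg[] = "login: ";	/* constructed sample data */
	if (telnet_register_ops(&telnetd_ops) != 0)
		return 1;
	return lib_send(msg, (int)sizeof(msg) - 1) == 7 ? 0 : 1;
}
```
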

Re: [rfc] add MK_TELNET_SSL as a build option

Warner Losh
In reply to this post by Adrian Chadd-2

> On Jun 13, 2015, at 4:40 PM, Adrian Chadd <[hidden email]> wrote:
> I'd appreciate feedback here as it does involve adding a new MK, and I
> really dislike it. :(

Me too. However, in this case it seems necessary. You need to have a system
with SSL, but without SSL telnet. Perhaps, though, you don’t really need telnet
at all on these boxes?

> -.if ${MK_OPENSSL} != "no"
> +.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != “no”
...
> -.if ${MK_OPENSSL} != "no"
> +.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != “no"
etc

If MK_OPENSSL is “no”, then MK_TELNET_SSL is necessarily no.
Reduce this to just testing for that.

> .if ${MK_CRYPT} == "no"
> MK_OPENSSL:=   no
> +MK_TELNET_SSL:=        no
> MK_OPENSSH:=   no
> MK_KERBEROS:=  no

The last two (now three) are redundant because they are handled
below with the OPENSSL dependency.

> .endif
> @@ -312,6 +314,7 @@
> .endif
>
> .if ${MK_OPENSSL} == "no"
> +MK_TELNET_SSL:=        no
> MK_OPENSSH:=   no
> MK_KERBEROS:=  no
> .endif

here...

Warner


Re: [rfc] add MK_TELNET_SSL as a build option

Adrian Chadd-2
On 15 June 2015 at 09:04, Warner Losh <[hidden email]> wrote:
>
>> On Jun 13, 2015, at 4:40 PM, Adrian Chadd <[hidden email]> wrote:
>> I'd appreciate feedback here as it does involve adding a new MK, and I
>> really dislike it. :(
>
> Me too. However, in this case it seems necessary. You need to have a system
> with SSL, but without SSL telnet. Perhaps, though, you don’t really need telnet
> at all on these boxes?

Well, we need telnet/telnetd on them right until we can build dropbear
as part of the base system or base package system to go into the
image.
Until then, it's telnet/telnetd.



-a

Re: [rfc] add MK_TELNET_SSL as a build option

Poul-Henning Kamp
In reply to this post by Warner Losh
--------
In message <[hidden email]>, Warner Losh writes:

>> On Jun 13, 2015, at 4:40 PM, Adrian Chadd <[hidden email]> wrote:
>> I'd appreciate feedback here as it does involve adding a new MK, and I
>> really dislike it. :(

This reminds me:

   Somebody should really adopt src/tools/tools/build_option_survey

and run it periodically so people can find out the space cost of
the various build options.

Here is a very old output to show what it produces:

        http://phk/misc/build_options_stable_8_210741/


--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
[hidden email]         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Re: [rfc] add MK_TELNET_SSL as a build option

Benjamin Kaduk-4
In reply to this post by Adrian Chadd-2
On Sat, 13 Jun 2015, Adrian Chadd wrote:

> Hi,
>
> The wifi builds have a need for building telnet/telnetd without
> ssl/kerberos in order to meet size constraints and to allow them to be
> crunch'ed.

Something of a tangent, but the kerberos support in telnet is limited to
single-DES, i.e., breakable for $50 or so.  I, for one, would be fine
seeing it just get removed entirely.  (I have no data about telnet/ssl.)

-Ben