Discussion:
[rfc] add MK_TELNET_SSL as a build option
Adrian Chadd
2015-06-13 22:40:09 UTC
Hi,

The wifi builds have a need for building telnet/telnetd without
ssl/kerberos in order to meet size constraints and to allow them to be
crunch'ed.

I'd like to add the following patch to -HEAD, minus the comments in
libtelnet that are currently a reminder to me of what needs to be
turned into function pointers so things link correctly.

I'd appreciate feedback here as it does involve adding a new MK, and I
really dislike it. :(

***@lucy-11i386:~/work/freebsd/head-embedded-2/src % cat /tmp/diff
Index: contrib/telnet/libtelnet/misc-proto.h
===================================================================
--- contrib/telnet/libtelnet/misc-proto.h (revision 284291)
+++ contrib/telnet/libtelnet/misc-proto.h (working copy)
@@ -71,6 +71,11 @@
/*
* These functions are imported from the application
*/
+/*
+ * XXX TODO: turn into a function set that's passed in
+ * from telnet/telnetd main(). That way it can be
+ * built via crunchgen.
+ */
int net_write(unsigned char *, int);
void net_encrypt(void);
int telnet_spin(void);
Index: lib/libtelnet/Makefile
===================================================================
--- lib/libtelnet/Makefile (revision 284291)
+++ lib/libtelnet/Makefile (working copy)
@@ -15,7 +15,7 @@

WARNS?= 2

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
SRCS+= encrypt.c auth.c enc_des.c sra.c pk.c
CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DSRA
.endif
Index: libexec/telnetd/Makefile
===================================================================
--- libexec/telnetd/Makefile (revision 284291)
+++ libexec/telnetd/Makefile (working copy)
@@ -31,7 +31,7 @@

LIBADD= telnet util ncursesw

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
SRCS+= authenc.c
CFLAGS+= -DAUTHENTICATION -DENCRYPTION
LIBADD+= mp crypto pam
***@lucy-11i386:~/work/freebsd/head-embedded-2/src % more /tmp/diff
Index: contrib/telnet/libtelnet/misc-proto.h
===================================================================
--- contrib/telnet/libtelnet/misc-proto.h (revision 284291)
+++ contrib/telnet/libtelnet/misc-proto.h (working copy)
@@ -71,6 +71,11 @@
/*
* These functions are imported from the application
*/
+/*
+ * XXX TODO: turn into a function set that's passed in
+ * from telnet/telnetd main(). That way it can be
+ * built via crunchgen.
+ */
int net_write(unsigned char *, int);
void net_encrypt(void);
int telnet_spin(void);
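Review bot: the XXX TODO added above the net_write()/net_encrypt()/telnet_spin() prototypes says what should change but not what goes wrong today, and it is a personal reminder placed in a contrib/ header. Drop it from the commit, or if it stays, state the failure it refers to in one line so the comment is useful to someone other than its author.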
Index: lib/libtelnet/Makefile
===================================================================
--- lib/libtelnet/Makefile (revision 284291)
+++ lib/libtelnet/Makefile (working copy)
@@ -15,7 +15,7 @@

WARNS?= 2

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
SRCS+= encrypt.c auth.c enc_des.c sra.c pk.c
CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DSRA
.endif
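Review bot: the ${MK_OPENSSL} != "no" half of the new condition is redundant, because the src.opts.mk part of this patch forces MK_TELNET_SSL to no whenever MK_OPENSSL is no. Test ${MK_TELNET_SSL} != "no" alone so the dependency is expressed in one place; the same applies to the telnetd and telnet Makefiles.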
Index: libexec/telnetd/Makefile
===================================================================
--- libexec/telnetd/Makefile (revision 284291)
+++ libexec/telnetd/Makefile (working copy)
@@ -31,7 +31,7 @@

LIBADD= telnet util ncursesw

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
SRCS+= authenc.c
CFLAGS+= -DAUTHENTICATION -DENCRYPTION
LIBADD+= mp crypto pam
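Review bot: the option name understates what this conditional gates. With MK_TELNET_SSL off, telnetd loses authenc.c, both -DAUTHENTICATION and -DENCRYPTION, and the mp, crypto and pam libraries, so the knob controls the daemon's authentication and encryption support as a whole. Pick a name that reflects that, or spell it out wherever the option is described.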
Index: share/mk/src.opts.mk
===================================================================
--- share/mk/src.opts.mk (revision 284291)
+++ share/mk/src.opts.mk (working copy)
@@ -161,6 +161,7 @@
TCP_WRAPPERS \
TCSH \
TELNET \
+ TELNET_SSL \
TESTS \
TEXTPROC \
TFTP \
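Review bot: TELNET_SSL is added to the option list with no accompanying description anywhere in the patch, so someone setting the resulting WITH_/WITHOUT_ variable has nothing telling them what it removes or that it depends on OPENSSL. Add the option's documentation in the same change.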
@@ -290,6 +291,7 @@

.if ${MK_CRYPT} == "no"
MK_OPENSSL:= no
+MK_TELNET_SSL:= no
MK_OPENSSH:= no
MK_KERBEROS:= no
.endif
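Review bot: MK_TELNET_SSL:= no in the MK_CRYPT block duplicates the assignment this patch also adds under MK_OPENSSL == "no" further down, since this block sets MK_OPENSSL to no first. Leave the new line out here and rely on the later block, provided it is evaluated after this one, so the dependency is declared once.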
@@ -312,6 +314,7 @@
.endif

.if ${MK_OPENSSL} == "no"
+MK_TELNET_SSL:= no
MK_OPENSSH:= no
MK_KERBEROS:= no
.endif
Index: tools/bsdbox/Makefile
===================================================================
--- tools/bsdbox/Makefile (revision 284291)
+++ tools/bsdbox/Makefile (working copy)
@@ -100,7 +100,7 @@
.include "Makefile.kld"
# telnet/telnetd are too broken to include as a crunchgen'ed binary,
# thanks to some of the horrible layering violations going on.
-# .include "Makefile.telnetd"
+.include "Makefile.telnetd"
.include "Makefile.fs"

CRUNCH_LIBS+= -lcrypto -lssl -lz
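Review bot: the include is re-enabled, but the two comment lines directly above it still say telnet/telnetd are too broken to include as a crunchgen'ed binary. Update or delete that comment in the same change. Also confirm whether the unchanged CRUNCH_LIBS+= -lcrypto -lssl -lz below is still wanted by the other crunched programs, given that the aim is a telnet build without SSL.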
Index: tools/bsdbox/Makefile.telnetd
===================================================================
--- tools/bsdbox/Makefile.telnetd (revision 284291)
+++ tools/bsdbox/Makefile.telnetd (working copy)
@@ -1,4 +1,4 @@
-# Build telnetd
+# Build telnet/telnetd
# Question - why is telnetds objects ending up in the srcdir? -adrian

# This won't work yet - because telnetd relies on libtelnet.a which includes
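Review bot: the first comment line is updated to "telnet/telnetd", but the context line beginning "This won't work yet - because telnetd relies on libtelnet.a" is left in place even though this file is now included from tools/bsdbox/Makefile. Rewrite that paragraph to describe the current state, or remove it.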
@@ -8,7 +8,8 @@

# $FreeBSD$

+CRUNCH_BUILDOPTS_telnetd= MK_KERBEROS_SUPPORT=no
CRUNCH_PROGS_libexec+= telnetd
CRUNCH_PROGS_usr.bin+= telnet
-CRUNCH_LIBS+= -lkrb5 -lhx509 -lasn1 -lcom_err -lroken -ltelnetd
-# CRUNCH_BUILDOPTS_telnetd= MK_KERBEROS_SUPPORT=no
+#CRUNCH_LIBS+= -lkrb5 -lhx509 -lasn1 -lcom_err -lroken
+CRUNCH_LIBS+= ../../lib/libtelnet/libtelnet.a
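Review bot: CRUNCH_BUILDOPTS_telnetd passes only MK_KERBEROS_SUPPORT=no; nothing in this file sets MK_TELNET_SSL=no, and there is no CRUNCH_BUILDOPTS line for telnet at all, so the crunched build does not visibly use the knob the rest of the patch introduces. Add it for both programs if that is the intent. The commented-out -lkrb5 line should be deleted rather than kept as a comment, and ../../lib/libtelnet/libtelnet.a is a relative path that depends on the directory the build runs from.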
Index: usr.bin/telnet/Makefile
===================================================================
--- usr.bin/telnet/Makefile (revision 284291)
+++ usr.bin/telnet/Makefile (working copy)
@@ -30,7 +30,7 @@
CFLAGS+= -DHAS_CGETENT
.endif

-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != "no"
SRCS+= authenc.c
CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DIPSEC
LIBADD+= mp crypto ipsec pam
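Review bot: -DIPSEC and the ipsec library sit inside the block that is now gated on MK_TELNET_SSL, so turning the knob off also drops the client's IPsec support, which the option name gives no hint of. Move the IPSEC define and library out of this conditional, or document the coupling.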
***@lucy-11i386:~/work/freebsd/head-embedded-2/src %
Garrett Cooper
2015-06-13 22:46:31 UTC
Post by Adrian Chadd
Hi,
The wifi builds have a need for building telnet/telnetd without
ssl/kerberos in order to meet size constraints and to allow them to be
crunch’ed.
...
Post by Adrian Chadd
===================================================================
--- contrib/telnet/libtelnet/misc-proto.h (revision 284291)
+++ contrib/telnet/libtelnet/misc-proto.h (working copy)
@@ -71,6 +71,11 @@
/*
* These functions are imported from the application
*/
+/*
+ * XXX TODO: turn into a function set that's passed in
+ * from telnet/telnetd main(). That way it can be
+ * built via crunchgen.
+ */
What’s the story behind the TODO?
Post by Adrian Chadd
===================================================================
--- lib/libtelnet/Makefile (revision 284291)
+++ lib/libtelnet/Makefile (working copy)
@@ -15,7 +15,7 @@
WARNS?= 2
-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != “no"
Please reduce this to ${MK_TELNET_SSL} != "no" (here and elsewhere). ${MK_OPENSSL} == "no" already handles setting this knob in src.opts.mk, so there’s no reason why you need to check both knobs.
Thanks!
Adrian Chadd
2015-06-13 23:34:16 UTC
The telnet library requires those routines to be defined by the
application, but when doing crunchgen style binaries that doesn't work
- two sets of each of those symbols are defined and things don't link.

The solution here is to create a struct with function pointers that
the application registers at startup time, rather than having the
library link /into/ the application.



-adrian
Warner Losh
2015-06-15 16:04:51 UTC
Post by Adrian Chadd
I'd appreciate feedback here as it does involve adding a new MK, and I
really dislike it. :(
Me too. However, in this case it seems necessary. You need to have a system
with SSL, but without SSL telnet. Perhaps, though, you don’t really need telnet
at all on these boxes?
Post by Adrian Chadd
-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != “no”
...
Post by Adrian Chadd
-.if ${MK_OPENSSL} != "no"
+.if ${MK_OPENSSL} != "no" && ${MK_TELNET_SSL} != “no"
etc

If MK_OPENSSL is “no”, then MK_TELNET_SSL is necessarily no.
Reduce this to just testing for that.
Post by Adrian Chadd
.if ${MK_CRYPT} == "no"
MK_OPENSSL:= no
+MK_TELNET_SSL:= no
MK_OPENSSH:= no
MK_KERBEROS:= no
The last two (now three) are redundant because they are handled
below with the OPENSSL dependency.
Post by Adrian Chadd
.endif
@@ -312,6 +314,7 @@
.endif
.if ${MK_OPENSSL} == "no"
+MK_TELNET_SSL:= no
MK_OPENSSH:= no
MK_KERBEROS:= no
.endif
here...

Warner
Adrian Chadd
2015-06-15 16:19:06 UTC
Post by Warner Losh
Post by Adrian Chadd
I'd appreciate feedback here as it does involve adding a new MK, and I
really dislike it. :(
Me too. However, in this case it seems necessary. You need to have a system
with SSL, but without SSL telnet. Perhaps, though, you don’t really need telnet
at all on these boxes?
Well, we need telnet/telnetd on them right until we can build dropbear
as part of the base system or base package system to go into the
image.
Until then, it's telnet/telnetd.



-a
Poul-Henning Kamp
2015-06-15 16:36:01 UTC
--------
Post by Adrian Chadd
I'd appreciate feedback here as it does involve adding a new MK, and I
really dislike it. :(
This reminds me:

Somebody should really adopt src/tools/tools/build_option_survey

and run it periodically so people can find out the space cost of
the various build options.

Here is a very old output to show what it produces:

http://phk/misc/build_options_stable_8_210741/
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
***@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Benjamin Kaduk
2015-06-21 19:37:23 UTC
Post by Adrian Chadd
Hi,
The wifi builds have a need for building telnet/telnetd without
ssl/kerberos in order to meet size constraints and to allow them to be
crunch'ed.
Something of a tangent, but the kerberos support in telnet is limited to
single-DES, i.e., breakable for $50 or so. I, for one, would be fine
seeing it just get removed entirely. (I have no data about telnet/ssl.)

-Ben
