diff -cr stunnel-3.8/common.h stunnel-3.8.prng/common.h *** stunnel-3.8/common.h Thu Feb 24 03:35:00 2000 --- stunnel-3.8.prng/common.h Sat Jun 10 01:18:09 2000 *************** *** 126,131 **** --- 126,135 ---- /* Length of strings (including the terminating '\0' character) */ #define STRLEN 1024 + /* How many bytes of random input to read from files for PRNG */ + /* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */ + #define RANDOM_BYTES 64 + /* Safe copy for strings declarated as char[STRLEN] */ #define safecopy(dst, src) \ (dst[STRLEN-1]='\0', strncpy((dst), (src), STRLEN-1)) *************** *** 153,158 **** --- 157,165 ---- char *protocol; char *setuid_user; char *setgid_group; + char *egd_sock; /* entropy gathering daemon socket */ + char *rand_file; /* file with random data */ + int random_bytes; /* how many random bytes to read */ } server_options; /* Prototypes for stunnel.c */ diff -cr stunnel-3.8/configure stunnel-3.8.prng/configure *** stunnel-3.8/configure Thu Feb 24 03:28:45 2000 --- stunnel-3.8.prng/configure Sat Jun 10 01:18:09 2000 *************** *** 12,17 **** --- 12,19 ---- ac_default_prefix=/usr/local # Any additions from configure.in: ac_help="$ac_help + --with-egd-socket=FILE Entropy Gathering Daemon socket pathname" + ac_help="$ac_help --with-random=FILE read randomness from FILE (default=/dev/urandom)" ac_help="$ac_help --with-ssl=DIR location of installed SSL libraries/include files" *************** *** 552,558 **** fi echo $ac_n "checking host system type""... $ac_c" 1>&6 ! echo "configure:556: checking host system type" >&5 host_alias=$host case "$host_alias" in --- 554,560 ---- fi echo $ac_n "checking host system type""... $ac_c" 1>&6 ! echo "configure:558: checking host system type" >&5 host_alias=$host case "$host_alias" in *************** *** 575,581 **** # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 ! 
echo "configure:579: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else --- 577,583 ---- # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 ! echo "configure:581: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else *************** *** 605,611 **** # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 ! echo "configure:609: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else --- 607,613 ---- # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 ! echo "configure:611: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else *************** *** 656,662 **** # Extract the first word of "cl", so it can be a program name with args. set dummy cl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 ! echo "configure:660: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else --- 658,664 ---- # Extract the first word of "cl", so it can be a program name with args. set dummy cl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 ! echo "configure:662: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else *************** *** 688,694 **** fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 ! 
echo "configure:692: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ac_ext=c # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. --- 690,696 ---- fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 ! echo "configure:694: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ac_ext=c # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. *************** *** 699,710 **** cat > conftest.$ac_ext << EOF ! #line 703 "configure" #include "confdefs.h" main(){return(0);} EOF ! if { (eval echo configure:708: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cc_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then --- 701,712 ---- cat > conftest.$ac_ext << EOF ! #line 705 "configure" #include "confdefs.h" main(){return(0);} EOF ! if { (eval echo configure:710: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cc_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then *************** *** 730,741 **** { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 ! echo "configure:734: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 cross_compiling=$ac_cv_prog_cc_cross echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 ! 
echo "configure:739: checking whether we are using GNU C" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else --- 732,743 ---- { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 ! echo "configure:736: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 cross_compiling=$ac_cv_prog_cc_cross echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 ! echo "configure:741: checking whether we are using GNU C" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else *************** *** 744,750 **** yes; #endif EOF ! if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:748: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gcc=yes else ac_cv_prog_gcc=no --- 746,752 ---- yes; #endif EOF ! if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:750: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gcc=yes else ac_cv_prog_gcc=no *************** *** 763,769 **** ac_save_CFLAGS="$CFLAGS" CFLAGS= echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 ! echo "configure:767: checking whether ${CC-cc} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else --- 765,771 ---- ac_save_CFLAGS="$CFLAGS" CFLAGS= echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 ! 
echo "configure:769: checking whether ${CC-cc} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else *************** *** 807,813 **** # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 ! echo "configure:811: checking for a BSD compatible install" >&5 if test -z "$INSTALL"; then if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 --- 809,815 ---- # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 ! echo "configure:813: checking for a BSD compatible install" >&5 if test -z "$INSTALL"; then if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 *************** *** 860,866 **** test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6 ! echo "configure:864: checking whether ${MAKE-make} sets \${MAKE}" >&5 set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 --- 862,868 ---- test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6 ! echo "configure:866: checking whether ${MAKE-make} sets \${MAKE}" >&5 set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 *************** *** 894,909 **** EOF # Check whether --with-random or --without-random was given. 
if test "${with_random+set}" = set; then withval="$with_random" ! RANDOM_OPT="-rand $withval" else ac_safe=`echo ""/dev/urandom"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/urandom"""... $ac_c" 1>&6 ! echo "configure:907: checking for "/dev/urandom"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else --- 896,925 ---- EOF + # Check whether --with-egd-socket or --without-egd-socket was given. + if test "${with_egd_socket+set}" = set; then + withval="$with_egd_socket" + EGD_SOCKET="$withval" + + fi + + if test -n "$EGD_SOCKET" ; then + cat >> confdefs.h <&6 ! echo "configure:923: checking for "/dev/urandom"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else *************** *** 933,938 **** --- 949,960 ---- fi + if test -n "$RANDOM_FILE" ; then + cat >> confdefs.h <&6 ! echo "configure:957: checking for SSL directory" >&5 # Check whether --with-ssl or --without-ssl was given. if test "${with_ssl+set}" = set; then withval="$with_ssl" --- 975,981 ---- } echo $ac_n "checking for SSL directory""... $ac_c" 1>&6 ! echo "configure:979: checking for SSL directory" >&5 # Check whether --with-ssl or --without-ssl was given. if test "${with_ssl+set}" = set; then withval="$with_ssl" *************** *** 993,999 **** echo $ac_n "checking for gethostbyname in -lnsl""... $ac_c" 1>&6 ! echo "configure:997: checking for gethostbyname in -lnsl" >&5 ac_lib_var=`echo nsl'_'gethostbyname | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 --- 1015,1021 ---- echo $ac_n "checking for gethostbyname in -lnsl""... $ac_c" 1>&6 ! 
echo "configure:1019: checking for gethostbyname in -lnsl" >&5 ac_lib_var=`echo nsl'_'gethostbyname | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 *************** *** 1001,1007 **** ac_save_LIBS="$LIBS" LIBS="-lnsl $LIBS" cat > conftest.$ac_ext < conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else --- 1034,1040 ---- gethostbyname() ; return 0; } EOF ! if { (eval echo configure:1038: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else *************** *** 1040,1046 **** fi echo $ac_n "checking for socket in -lsocket""... $ac_c" 1>&6 ! echo "configure:1044: checking for socket in -lsocket" >&5 ac_lib_var=`echo socket'_'socket | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 --- 1062,1068 ---- fi echo $ac_n "checking for socket in -lsocket""... $ac_c" 1>&6 ! echo "configure:1066: checking for socket in -lsocket" >&5 ac_lib_var=`echo socket'_'socket | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 *************** *** 1048,1054 **** ac_save_LIBS="$LIBS" LIBS="-lsocket $LIBS" cat > conftest.$ac_ext < conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else --- 1081,1087 ---- socket() ; return 0; } EOF ! if { (eval echo configure:1085: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else *************** *** 1087,1093 **** fi echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6 ! 
echo "configure:1091: checking for pthread_create in -lpthread" >&5 ac_lib_var=`echo pthread'_'pthread_create | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 --- 1109,1115 ---- fi echo $ac_n "checking for pthread_create in -lpthread""... $ac_c" 1>&6 ! echo "configure:1113: checking for pthread_create in -lpthread" >&5 ac_lib_var=`echo pthread'_'pthread_create | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 *************** *** 1095,1101 **** ac_save_LIBS="$LIBS" LIBS="-lpthread $LIBS" cat > conftest.$ac_ext < conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else --- 1128,1134 ---- pthread_create() ; return 0; } EOF ! if { (eval echo configure:1132: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else *************** *** 1134,1140 **** fi echo $ac_n "checking for pthread_create in -lc_r""... $ac_c" 1>&6 ! echo "configure:1138: checking for pthread_create in -lc_r" >&5 ac_lib_var=`echo c_r'_'pthread_create | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 --- 1156,1162 ---- fi echo $ac_n "checking for pthread_create in -lc_r""... $ac_c" 1>&6 ! echo "configure:1160: checking for pthread_create in -lc_r" >&5 ac_lib_var=`echo c_r'_'pthread_create | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 *************** *** 1142,1148 **** ac_save_LIBS="$LIBS" LIBS="-lc_r $LIBS" cat > conftest.$ac_ext < conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else --- 1175,1181 ---- pthread_create() ; return 0; } EOF ! 
if { (eval echo configure:1179: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else *************** *** 1181,1187 **** fi echo $ac_n "checking for openpty in -lutil""... $ac_c" 1>&6 ! echo "configure:1185: checking for openpty in -lutil" >&5 ac_lib_var=`echo util'_'openpty | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 --- 1203,1209 ---- fi echo $ac_n "checking for openpty in -lutil""... $ac_c" 1>&6 ! echo "configure:1207: checking for openpty in -lutil" >&5 ac_lib_var=`echo util'_'openpty | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 *************** *** 1189,1195 **** ac_save_LIBS="$LIBS" LIBS="-lutil $LIBS" cat > conftest.$ac_ext < conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else --- 1222,1228 ---- openpty() ; return 0; } EOF ! if { (eval echo configure:1226: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else *************** *** 1229,1246 **** echo $ac_n "checking for hosts_access in -lwrap""... $ac_c" 1>&6 ! echo "configure:1233: checking for hosts_access in -lwrap" >&5 saved_LIBS="$LIBS" LIBS="-lwrap $saved_LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6; cat >> confdefs.h <<\EOF #define HAVE_LIBWRAP 1 --- 1251,1268 ---- echo $ac_n "checking for hosts_access in -lwrap""... $ac_c" 1>&6 ! 
echo "configure:1255: checking for hosts_access in -lwrap" >&5 saved_LIBS="$LIBS" LIBS="-lwrap $saved_LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6; cat >> confdefs.h <<\EOF #define HAVE_LIBWRAP 1 *************** *** 1258,1275 **** LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto" echo $ac_n "checking for RSAref library""... $ac_c" 1>&6 ! echo "configure:1262: checking for RSAref library" >&5 saved_LIBS="$LIBS" LIBS="$saved_LIBS -lRSAglue -lrsaref" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6; else --- 1280,1297 ---- LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto" echo $ac_n "checking for RSAref library""... $ac_c" 1>&6 ! echo "configure:1284: checking for RSAref library" >&5 saved_LIBS="$LIBS" LIBS="$saved_LIBS -lRSAglue -lrsaref" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6; else *************** *** 1283,1289 **** ac_safe=`echo ""/dev/ptmx"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptmx"""... $ac_c" 1>&6 ! echo "configure:1287: checking for "/dev/ptmx"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else --- 1305,1311 ---- ac_safe=`echo ""/dev/ptmx"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptmx"""... $ac_c" 1>&6 ! echo "configure:1309: checking for "/dev/ptmx"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else *************** *** 1311,1317 **** ac_safe=`echo ""/dev/ptc"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptc"""... $ac_c" 1>&6 ! 
echo "configure:1315: checking for "/dev/ptc"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else --- 1333,1339 ---- ac_safe=`echo ""/dev/ptc"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptc"""... $ac_c" 1>&6 ! echo "configure:1337: checking for "/dev/ptc"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else *************** *** 1341,1347 **** # AC_HEADER_STDC # AC_HEADER_SYS_WAIT echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 ! echo "configure:1345: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= --- 1363,1369 ---- # AC_HEADER_STDC # AC_HEADER_SYS_WAIT echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 ! echo "configure:1367: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= *************** *** 1356,1368 **** # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ! { (eval echo configure:1366: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : --- 1378,1390 ---- # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ! 
{ (eval echo configure:1388: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : *************** *** 1373,1385 **** rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ! { (eval echo configure:1383: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : --- 1395,1407 ---- rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ! { (eval echo configure:1405: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : *************** *** 1390,1402 **** rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ! { (eval echo configure:1400: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : --- 1412,1424 ---- rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ! { (eval echo configure:1422: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : *************** *** 1424,1440 **** do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 ! echo "configure:1428: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ! 
{ (eval echo configure:1438: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* --- 1446,1462 ---- do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 ! echo "configure:1450: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ! { (eval echo configure:1460: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* *************** *** 1471,1482 **** for ac_func in getopt snprintf vsnprintf openpty _getpty do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 ! echo "configure:1475: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&6 ! echo "configure:1497: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else --- 1521,1527 ---- ; return 0; } EOF ! if { (eval echo configure:1525: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else diff -cr stunnel-3.8/configure.in stunnel-3.8.prng/configure.in *** stunnel-3.8/configure.in Tue Feb 22 05:19:04 2000 --- stunnel-3.8.prng/configure.in Sat Jun 10 01:18:09 2000 *************** *** 12,21 **** AC_SUBST(VERSION) AC_DEFINE_UNQUOTED(VERSION, "$VERSION") dnl Check for user-specified random device AC_ARG_WITH(random, [ --with-random=FILE read randomness from FILE (default=/dev/urandom)], ! 
[ RANDOM_OPT="-rand $withval" ], [ dnl Check for random device AC_CHECK_FILE("/dev/urandom", --- 12,29 ---- AC_SUBST(VERSION) AC_DEFINE_UNQUOTED(VERSION, "$VERSION") + AC_ARG_WITH(egd-socket, + [ --with-egd-socket=FILE Entropy Gathering Daemon socket pathname], + [ EGD_SOCKET="$withval" ] + ) + if test -n "$EGD_SOCKET" ; then + AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET") + fi + dnl Check for user-specified random device AC_ARG_WITH(random, [ --with-random=FILE read randomness from FILE (default=/dev/urandom)], ! [ RANDOM_OPT="-rand $withval"; RANDOM_FILE="$withval" ], [ dnl Check for random device AC_CHECK_FILE("/dev/urandom", *************** *** 26,31 **** --- 34,42 ---- ) ] ) + if test -n "$RANDOM_FILE" ; then + AC_DEFINE_UNQUOTED(RANDOM_FILE, "$RANDOM_FILE") + fi checkssldir() { : if test -d "$1/certs"; then diff -cr stunnel-3.8/ssl.c stunnel-3.8.prng/ssl.c *** stunnel-3.8/ssl.c Fri Feb 18 07:26:48 2000 --- stunnel-3.8.prng/ssl.c Sat Jun 10 01:21:52 2000 *************** *** 52,57 **** --- 52,58 ---- #include #include #include + #include #else #include #include *************** *** 119,124 **** --- 120,128 ---- void context_init(); void context_free(); void client(int); + int prng_seeded(int); + int add_rand_file(char *); + void initialize_prng(); static int transfer(SSL *, int); #ifndef NO_RSA static RSA *tmp_rsa_cb(SSL *, int, int); *************** *** 147,158 **** --- 151,268 ---- /* const allowed here */ #endif + + /* shortcut to determine if sufficient entropy for PRNG is present */ + int prng_seeded( int bytes ) { + #if SSLEAY_VERSION_NUMBER >= 0x0090581fL + if ( RAND_status() ) { + log(LOG_INFO, "Sufficient entropy in PRNG"); + #else + if ( bytes > options.random_bytes ) { + log(LOG_INFO, "Sufficient entropy in PRNG assumed"); + #endif + return(1); + } + + return(0); /* assume we don't have enough */ + } + + int add_rand_file( char *filename ) { + int bytes; + struct stat sb; + + if ( stat(filename, &sb) !=0 ) { + log(LOG_INFO, "No file %s for random 
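Review bot: The new `--with-egd-socket` help line does not tell the person running configure that the value is only honoured when stunnel is built against OpenSSL 0.9.5a or later; ssl.c in this same patch compiles the RAND_egd calls only under `SSLEAY_VERSION_NUMBER >= 0x0090581fL`, and the man page hunk says as much for `-E`, so an older build silently ignores the configured socket. Suggest `--with-egd-socket=FILE Entropy Gathering Daemon socket pathname (needs OpenSSL 0.9.5a or later)`. A smaller point: `AC_DEFINE_UNQUOTED(EGD_SOCKET, "$EGD_SOCKET")` and the matching RANDOM_FILE define embed the path in a C string literal with no escaping, so a value containing `"` or `\` breaks the compile rather than being rejected by configure; the existing `--with-random` handling already had that property, so this is a comment-worthy limitation rather than a regression.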
data", filename); + return(0); + } + + if ( (bytes = RAND_load_file(filename, options.random_bytes)) ) { + log(LOG_DEBUG, "Snagged %d random bytes from %s", bytes, filename); + return(bytes); + } else { + log(LOG_INFO, "Unable to retrieve any random data from %s", filename); + return(0); + } + } + + + void initialize_prng( void ) { + int bytes,totbytes=0; + char filename[STRLEN]; + bytes=1; /* avoid warning when not compiling egd */ + + totbytes += add_rand_file( "/dev/urandom" ); + if ( prng_seeded(totbytes) ) { return; } + + + #ifdef USE_WIN32 + RAND_screen(); + if ( prng_seeded(totbytes) ) { + log(LOG_DEBUG, "Seeded PRNG with RAND_screen"); + return; + } else { + log(LOG_DEBUG, "RAND_screen failed to sufficiently seed PRNG"); + } + #else + + #if SSLEAY_VERSION_NUMBER >= 0x0090581fL + if ( options.egd_sock ) { + if ( (bytes=RAND_egd(options.egd_sock)) == -1 ) { + log(LOG_WARNING, "EGD Socket %s failed", options.egd_sock); + bytes=0; + } else { + log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s", + bytes, options.egd_sock); + return; /* openssl always gets what it needs or fails */ + } + } + if ( prng_seeded(totbytes) ) { return; } + #ifdef EGD_SOCKET + if ( (bytes=RAND_egd( EGD_SOCKET )) == -1 ) { + log(LOG_WARNING, "EGD Socket %s failed", EGD_SOCKET); + } else { + log(LOG_DEBUG, "Snagged %d random bytes from EGD Socket %s", + bytes, EGD_SOCKET); + return; /* openssl always gets what it needs or fails */ + } + #endif /* EGD_SOCKET */ + + #endif /* OpenSSL-0.9.5a */ + #endif /* USE_WIN32 */ + + /* If they specify a rand file on the command line */ + if ( options.rand_file ) { + totbytes += add_rand_file(options.rand_file); + if ( prng_seeded(totbytes) ) { return; } + } + + /* try $RANDFILE or $HOME/.rnd as appropriate */ + if ( RAND_file_name(filename, STRLEN) ) { + filename[STRLEN-1]='\0'; + totbytes += add_rand_file(filename); + if ( prng_seeded(totbytes) ) { return; } + } + + /* Random file specified during configure */ + #ifdef RANDOM_FILE + totbytes 
+= add_rand_file( RANDOM_FILE ); + if ( prng_seeded(totbytes) ) { return; } + #endif + + + + log(LOG_WARNING, "PRNG may not have been seeded with enough random bytes"); + + } + void context_init() /* init SSL */ { #ifndef NO_DH static DH *dh=NULL; BIO *bio=NULL; #endif /* NO_DH */ + + initialize_prng(); SSLeay_add_ssl_algorithms(); SSL_load_error_strings(); diff -cr stunnel-3.8/stunnel.8.in stunnel-3.8.prng/stunnel.8.in *** stunnel-3.8/stunnel.8.in Tue Feb 15 09:13:15 2000 --- stunnel-3.8.prng/stunnel.8.in Sat Jun 10 01:18:09 2000 *************** *** 4,15 **** .SH SYNOPSIS .B stunnel [-T] [-p pemfile] [-v level] [-a directory] ! [-t timeout] [-u username] [-n protocol] [-d [ip:]port [-f]] [ -l program | -r [ip:]port | -L program [-- args] ] .PP .B stunnel {-c} [-p pemfile] [-v level] [-a directory] ! [-t timeout] [-u username] [-n protocol] -r [ip:]port [ -d [ip:]port [-f] | -l program | -L program [-- args] ] .SH DESCRIPTION The \fBstunnel\fR program is designed to work as \fISSL\fR encryption wrapper --- 4,17 ---- .SH SYNOPSIS .B stunnel [-T] [-p pemfile] [-v level] [-a directory] ! [-t timeout] [-u username] [-n protocol] ! [-C ciphers] [-B bytes] [-R filename] [-E socket] [-d [ip:]port [-f]] [ -l program | -r [ip:]port | -L program [-- args] ] .PP .B stunnel {-c} [-p pemfile] [-v level] [-a directory] ! [-t timeout] [-u username] [-n protocol] ! [-C ciphers] [-B bytes] [-R filename] [-E socket] -r [ip:]port [ -d [ip:]port [-f] | -l program | -L program [-- args] ] .SH DESCRIPTION The \fBstunnel\fR program is designed to work as \fISSL\fR encryption wrapper *************** *** 71,76 **** --- 73,100 ---- Negotiate SSL with specified protocol .RS currenty supported: smtp + .RE + .PP + .B -C ciphers + .RS + List of ciphers to allow + .RE + .PP + .B -E socket + .RS + Entropy Gathering Daemon socket to use to feed OpenSSL random number + generator. 
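Review bot: initialize_prng ends by logging `PRNG may not have been seeded with enough random bytes` and then returning normally, so on OpenSSL builds older than 0.9.5a, where prng_seeded has no RAND_status() and only counts bytes, context_init goes on to build the SSL context from a PRNG the code itself just judged under-seeded; for a daemon whose whole job is the TLS layer that should be a hard failure, e.g. `log(LOG_ERR, "PRNG not seeded, refusing to start"); exit(1);`, with warning-only behaviour as an explicit opt-in if anyone needs it. Two smaller points in the same hunk: prng_seeded's fallback test `bytes > options.random_bytes` can never be satisfied by a single source, because add_rand_file reads at most `options.random_bytes` bytes via RAND_load_file, so the first /dev/urandom read always falls through to the other sources and `>=` is what the comment and the RANDOM_BYTES rationale in common.h intend; and the `$RANDFILE`/`$HOME/.rnd` file located with RAND_file_name is read but never refreshed with RAND_write_file, so a host with no /dev/urandom and no EGD presumably re-seeds from the same bytes on every start. The brace that each `#if` arm of prng_seeded opens and the single `}` after `#endif` closes is correct but easy to misread, and deserves a one-line comment such as `/* both arms open the if-block closed below */`.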
(Available only if compiled with OpenSSL 0.9.5a or higher) + .RE + .PP + .B -R filename + .RS + File containing random input. The ssl library + will use data from this file to seed the random number generator. + .RE + .PP + .B -B bytes + .RS + Number of bytes of data to read from the file specified with the -R flag .RE .PP .B -d [ip:]port diff -cr stunnel-3.8/stunnel.c stunnel-3.8.prng/stunnel.c *** stunnel-3.8/stunnel.c Thu Feb 24 03:32:27 2000 --- stunnel-3.8.prng/stunnel.c Sat Jun 10 01:18:09 2000 *************** *** 36,41 **** --- 36,48 ---- /* Must be included before sys/stat.h for Ultrix */ #include /* u_short, u_long */ + /* Needed so we know which version of OpenSSL we're using */ + #ifdef HAVE_OPENSSL + #include + #else + #include + #endif + /* General headers */ #include #include /* errno */ *************** *** 49,54 **** --- 56,62 ---- #define Win32_Winsock #include + static struct WSAData wsa_state; #else /* defined USE_WIN32 */ *************** *** 216,223 **** options.protocol=NULL; options.setuid_user=NULL; options.setgid_group=NULL; opterr=0; ! while ((c = getopt(argc, argv, "a:cp:v:d:fTl:L:r:s:g:t:u:n:hC:D:V")) != EOF) switch (c) { case 'a': safecopy(options.clientdir, optarg); --- 224,234 ---- options.protocol=NULL; options.setuid_user=NULL; options.setgid_group=NULL; + options.egd_sock=NULL; + options.rand_file=NULL; + options.random_bytes=RANDOM_BYTES; opterr=0; ! while ((c = getopt(argc, argv, "a:cp:v:d:fTl:L:r:s:g:t:u:n:hC:D:E:R:B:V")) != EOF) switch (c) { case 'a': safecopy(options.clientdir, optarg); *************** *** 264,269 **** --- 275,294 ---- case 'T': options.option|=OPT_TRANSPARENT; break; + case 'R': + options.rand_file=optarg; + break; + case 'B': + options.random_bytes=atoi(optarg); + break; + case 'E': + #if SSLEAY_VERSION_NUMBER >= 0x0090581fL + options.egd_sock=optarg; + #else + log(LOG_ERR, "-E is only supported when compiled with OpenSSL 0.9.5a or later"); + /* exit(1) ??? 
*/ + #endif + break; case 'L': options.option |= OPT_PTY; case 'l': *************** *** 876,894 **** "\nstunnel [-T] [-p pemfile] [-v level] [-a directory]" "\n\t[-t timeout] [-u username] [-n protocol]" #ifndef USE_WIN32 ! "\n\t[-d [ip:]port [-f]]" "\n\t[ -l program | -r [ip:]port | -L program [-- args] ]" ! #else ! "\n\t-d [ip:]port -r [ip:]port" ! #endif ! "\nstunnel {-c} [-p pemfile] [-v level] [-a directory]" "\n\t[-t timeout] [-u username] [-n protocol]" #ifndef USE_WIN32 ! "\n\t-r [ip:]port" ! "\n\t[ -d [ip:]port [-f] | -l program | -L program [-- args] ]" ! #else ! "\n\t-r [ip:]port -d [ip:]port" #endif "\n\n -c\t\tclient mode (remote service uses SSL)" "\n\t\tdefault: server mode" "\n -T\t\ttransparent proxy mode (on hosts that support it)" --- 901,931 ---- "\nstunnel [-T] [-p pemfile] [-v level] [-a directory]" "\n\t[-t timeout] [-u username] [-n protocol]" #ifndef USE_WIN32 ! "\n\t[-d [ip:]port [-f]] [-C ciphers]" ! "\n\t[-R randfile] [-B bytes]" ! #if SSLEAY_VERSION_NUMBER >= 0x0090581fL ! " [-E egd_socket]" ! #endif /* OpenSSL-0.9.5a */ "\n\t[ -l program | -r [ip:]port | -L program [-- args] ]" ! #else /* USE_WIN32 */ ! "\n\t-d [ip:]port -r [ip:]port [-C ciphers]" ! "\n\t[-R randfile] [-B bytes]" ! #endif /* USE_WIN32 */ ! ! "\n\nstunnel {-c} [-p pemfile] [-v level] [-a directory]" "\n\t[-t timeout] [-u username] [-n protocol]" #ifndef USE_WIN32 ! "\n\t-r [ip:]port [-C ciphers]" ! "\n\t[-R randfile] [-B bytes]" ! #if SSLEAY_VERSION_NUMBER >= 0x0090581fL ! 
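Review bot: `options.random_bytes=atoi(optarg)` in the new `case 'B'` accepts any value, and the count goes straight into RAND_load_file in ssl.c's add_rand_file; a zero or unparsable value makes every seed read return 0 bytes, so the new startup seeding silently does nothing, and if I recall RAND_load_file's contract correctly a negative count means "read to end of file", which never arrives on /dev/urandom, so `-B -1` would hang stunnel at startup. Reject non-positive counts at parse time: `if ((options.random_bytes=atoi(optarg)) <= 0) { log(LOG_ERR, "-B requires a positive byte count"); exit(1); }`. The `-E` branch on older OpenSSL should also take the `exit(1)` its comment contemplates rather than logging and continuing: the operator explicitly asked for an entropy source, and running on with weaker seeding than they configured is exactly the silent downgrade this patch sets out to prevent. The getopt switch these cases belong to begins and ends outside the hunk.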
" [-E egd_socket]" #endif + "\n\t[ -d [ip:]port [-f] | -l program | -L program [-- args] ]" + #else /* USE_WIN32 */ + "\n\t-r [ip:]port -d [ip:]port [-C ciphers]" + "\n\t[-R randfile] [-B bytes]" + #endif /* USE_WIN32 */ + "\n\n -c\t\tclient mode (remote service uses SSL)" "\n\t\tdefault: server mode" "\n -T\t\ttransparent proxy mode (on hosts that support it)" *************** *** 921,926 **** --- 958,974 ---- " (ip defaults to INADDR_LOOPBACK)" "\n -h\t\tprint this help screen" "\n -C list\tset permitted SSL ciphers" + #if SSLEAY_VERSION_NUMBER >= 0x0090581fL + "\n -E socket\tpath to Entropy Gathering Daemon socket" + #ifdef EGD_SOCKET + "\n\t\t" EGD_SOCKET " is used when this option is not specified." + #endif + #endif + "\n -R file\tpath to file with random seed data" + #ifdef RANDOM_FILE + "\n\t\t" RANDOM_FILE " is used when this option is not specified." + #endif + "\n -B bytes\thow many bytes of data to use from random seed file" "\n -D level\tdebug level (0-7) default: 5" "\n -V\t\tprint stunnel version\n"); exit(1);
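Review bot: The new `-B bytes` help line says the count applies to the `random seed file`, but in ssl.c's initialize_prng the same `options.random_bytes` bounds every RAND_load_file call: /dev/urandom, the `-R` file, `$RANDFILE`/`$HOME/.rnd`, and the configure-time RANDOM_FILE. Operators reading the help text would not expect a small `-B` to starve the /dev/urandom read that runs first; suggest `"\n -B bytes\tbytes to read from each random seed source (default " ... ")"` or simply `"\n -B bytes\thow many bytes to read from each random seed source (default 64)"`, 64 being RANDOM_BYTES from common.h. The man page hunk has the same wording gap for `-B`. The usage() function this string literal belongs to begins outside the hunk.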