df96e42c51
Added various security options that can be enabled at compile time. These
options include everything that the "hardening-check" script written by Kees
Cook checks for. After this change, the hardening-check script produces the
following output against the fwknopd binary:
$ hardening-check server/.libs/fwknopd
server/.libs/fwknopd:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
One of the compile outputs (for example) that shows the new options is:
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -fstack-protector-all -fPIE -pie -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -MT fko_decode.lo -MD -MP -MF .deps/fko_decode.Tpo -c -o fko_decode.lo fko_decode.c
From the hardening-check man page, here is a description of each of these
options:
NAME
hardening-check - check binaries for security hardening features
SYNOPSIS
Examine a given set of ELF binaries and check for several security
hardening features, failing if they are not all found.
DESCRIPTION
This utility checks a given list of ELF binaries for several security
hardening features that can be compiled into an executable. These
features are:
Position Independent Executable
This indicates that the executable was built in such a way
(PIE) that the "text" section of the program can be relocated
in memory. To take full advantage of this feature, the
executing kernel must support text Address Space Layout
Randomization (ASLR).
Stack Protected
This indicates that the executable was compiled with the
gcc(1) option -fstack-protector. The program will be
resistant to have its stack overflowed.
Fortify Source functions
This indicates that the executable was compiled with
-D_FORTIFY_SOURCE=2 and -O2 or higher. This causes certain
unsafe glibc functions with their safer counterparts (e.g.
strncpy instead of strcpy).
Read-only relocations
This indicates that the executable was build with -Wl,-z,relro
to have ELF markings (RELRO) that ask the runtime linker to
mark any regions of the relocation table as "read-only" if
they were resolved before execution begins. This reduces the
possible areas of memory in a program that can be used by an
attacker that performs a successful memory corruption exploit.
Immediate binding
This indicates that the executable was built with -Wl,-z,now
to have ELF markings (BIND_NOW) that ask the runtime linker to
resolve all relocations before starting program execution.
When combined with RELRO above, this further reduces the
regions of memory available to memory corruption attacks.
592 lines
17 KiB
Plaintext
592 lines
17 KiB
Plaintext
dnl Fwknop AutoConf script...
|
|
dnl =========================
|
|
dnl
|
|
dnl Created by Damien Stuart
|
|
dnl
|
|
dnl Inspiration from RRDtool configure.ac, the AutoConf Archive
|
|
dnl (http://www.nongnu.org/autoconf-archive/), and other examples.
|
|
|
|
dnl Minimum Autoconf version required.
|
|
AC_PREREQ(2.62)
|
|
|
|
dnl Define our name, version and email.
|
|
m4_define(my_package, [fwknop])
|
|
m4_define(my_version, [2.0.0rc3])
|
|
m4_define(my_bug_email, [dstuart@dstuart.org])
|
|
|
|
AC_INIT(my_package, my_version, my_bug_email)
|
|
|
|
AC_CONFIG_AUX_DIR(config)
|
|
|
|
AC_CANONICAL_TARGET
|
|
|
|
AM_INIT_AUTOMAKE([tar-ustar -Wall -Werror foreign])
|
|
|
|
dnl AM_MAINTAINER_MODE
|
|
|
|
AC_CONFIG_HEADERS([config.h])
|
|
|
|
dnl The top of our header
|
|
dnl
|
|
AH_TOP([
|
|
#ifndef FWKNOP_CONFIG_H
|
|
#define FWKNOP_CONFIG_H
|
|
])
|
|
|
|
dnl The bottom of our header file
|
|
dnl
|
|
AH_BOTTOM([
|
|
#endif /* FWKNOP_CONFIG_H */
|
|
])
|
|
|
|
dnl Decide whether or not to build the client
|
|
dnl
|
|
want_client=yes
|
|
AC_ARG_ENABLE([client],
|
|
[AS_HELP_STRING([--disable-client],
|
|
[Do not build the fwknop client @<:@default is to build@:>@])],
|
|
[want_client=$enableval],
|
|
[])
|
|
AM_CONDITIONAL([WANT_CLIENT], [test "$want_client" = yes])
|
|
|
|
dnl Decide whether or not to build the server
|
|
dnl
|
|
want_server=yes
|
|
AC_ARG_ENABLE([server],
|
|
[AS_HELP_STRING([--disable-server],
|
|
[Do not build the fwknop server @<:@default is to build@:>@])],
|
|
[want_server=$enableval],
|
|
[])
|
|
AM_CONDITIONAL([WANT_SERVER], [test "$want_server" = yes])
|
|
|
|
dnl Decide whether or not to enable the digest-cache
|
|
dnl
|
|
want_digest_cache=yes
|
|
AC_ARG_ENABLE([digest-cache],
|
|
[AS_HELP_STRING([--disable-digest-cache],
|
|
[Do not enable the fwknopd digest-cache @<:@default is to build@:>@])],
|
|
[want_digest_cache=$enableval],
|
|
[])
|
|
dnl AM_CONDITIONAL([WANT_DIGEST_CACHE], [test "$want_digest_cache" = yes])
|
|
|
|
dnl Decide whether or not to try to look for gdbm/ndbm (default to just
|
|
dnl use a file-based solution - reduces dependencies)
|
|
dnl
|
|
want_file_cache=yes
|
|
AC_ARG_ENABLE([file-cache],
|
|
[AS_HELP_STRING([--disable-file-cache],
|
|
[Replace file cache with gdbm/ndbm @<:@default on@:>@])],
|
|
[want_file_cache=$enableval],
|
|
[])
|
|
AS_IF([test "$want_file_cache" = yes], [
|
|
AC_DEFINE([USE_FILE_CACHE], [1], [Define this to enable non-gdbm/ndbm digest storing (eliminates gdbm/ndbm dependency).])
|
|
])
|
|
|
|
use_stack_protector=yes
|
|
AC_ARG_ENABLE(stackprotect,
|
|
[ --without-stackprotect Don't use compiler's stack protection], [
|
|
if test "x$withval" = "xno"; then
|
|
use_stack_protector=no
|
|
fi ])
|
|
|
|
use_pie=yes
|
|
AC_ARG_ENABLE(pie,
|
|
[ --without-pie Do not use Position Independent Executables], [
|
|
if test "x$withval" = "xno"; then
|
|
use_pie=no
|
|
fi ])
|
|
|
|
use_fortify_source=yes
|
|
AC_ARG_ENABLE(fortify_source,
|
|
[ --without-fortify-source Do not fortify source functions], [
|
|
if test "x$withval" = "xno"; then
|
|
use_fortify_source=no
|
|
fi ])
|
|
|
|
use_ro_relocations=yes
|
|
AC_ARG_ENABLE(ro_relocations,
|
|
[ --without-ro-relocations Do not use read-only relocation protection], [
|
|
if test "x$withval" = "xno"; then
|
|
use_ro_relocations=no
|
|
fi ])
|
|
|
|
use_immediate_binding=yes
|
|
AC_ARG_ENABLE(immediate_binding,
|
|
[ --without-immediate-binding Do not use immediate binding protection], [
|
|
if test "x$withval" = "xno"; then
|
|
use_immediate_binding=no
|
|
fi ])
|
|
|
|
AC_GNU_SOURCE
|
|
|
|
AC_PROG_CC
|
|
AM_PROG_CC_C_O
|
|
AC_PROG_CPP
|
|
AC_PROG_AWK
|
|
AC_PROG_SED
|
|
AC_PROG_GREP
|
|
AC_PROG_INSTALL
|
|
AC_PROG_LN_S
|
|
AC_PROG_MAKE_SET
|
|
AC_PROG_RANLIB
|
|
AC_PROG_LIBTOOL
|
|
|
|
case "$host" in
|
|
*-*-linux*)
|
|
;;
|
|
*-*-freebsd*)
|
|
if [ test "x$CPPFLAGS" = "x" ] ; then
|
|
CPPFLAGS="-I/usr/local/include -I/usr/local/include/gpgme"
|
|
fi
|
|
if [ test "x$LDFLAGS" = "x" ] ; then
|
|
LDFLAGS="-L/usr/local/lib"
|
|
fi
|
|
;;
|
|
esac
|
|
|
|
# Checks for header files.
|
|
#
|
|
AC_HEADER_STDC
|
|
AC_HEADER_TIME
|
|
AC_HEADER_RESOLV
|
|
|
|
AC_CHECK_HEADERS([arpa/inet.h ctype.h endian.h errno.h locale.h netdb.h net/ethernet.h netinet/in.h stdint.h stdlib.h string.h strings.h sys/byteorder.h sys/endian.h sys/ethernet.h sys/socket.h sys/stat.h sys/time.h sys/wait.h termios.h time.h unistd.h])
|
|
|
|
# Type checks.
|
|
#
|
|
AC_C_CONST
|
|
AC_TYPE_INT8_T
|
|
AC_TYPE_INT16_T
|
|
AC_TYPE_INT32_T
|
|
AC_TYPE_INT64_T
|
|
AC_TYPE_UINT8_T
|
|
AC_TYPE_UINT16_T
|
|
AC_TYPE_UINT32_T
|
|
AC_TYPE_UINT64_T
|
|
AC_TYPE_OFF_T
|
|
AC_TYPE_PID_T
|
|
AC_TYPE_SIZE_T
|
|
AC_TYPE_SSIZE_T
|
|
|
|
AC_CHECK_SIZEOF(unsigned int)
|
|
dnl AC_CHECK_TYPES([uint8_t, uint32_t])
|
|
|
|
AC_C_BIGENDIAN
|
|
|
|
AC_SYS_LARGEFILE
|
|
|
|
# Checks for library functions.
|
|
#
|
|
AC_FUNC_MALLOC
|
|
AC_FUNC_REALLOC
|
|
AC_FUNC_STAT
|
|
|
|
AC_CHECK_FUNCS([bzero gettimeofday memmove memset socket strchr strcspn strdup strncasecmp strndup strrchr strspn])
|
|
|
|
AC_SEARCH_LIBS([socket], [socket])
|
|
AC_SEARCH_LIBS([inet_addr], [nsl])
|
|
|
|
# Check for security features offered by the compiler
|
|
#
|
|
|
|
# From OpenSSH:
|
|
# -fstack-protector-all doesn't always work for some GCC versions
|
|
# and/or platforms, so we test if we can. If it's not supported
|
|
# on a given platform gcc will emit a warning so we use -Werror.
|
|
if test "x$use_stack_protector" = "xyes"; then
|
|
# for t in "-fstack-protector-all" "-fstack-protector" "-fPIE -pie" "-D_FORTIFY_SOURCE=2" "-O2" "-Wl,-z,now"; do
|
|
for t in -fstack-protector-all -fstack-protector; do
|
|
AC_MSG_CHECKING(if $CC supports $t)
|
|
saved_CFLAGS="$CFLAGS"
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
CFLAGS="$CFLAGS $t -Werror"
|
|
LDFLAGS="$LDFLAGS $t -Werror"
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
CFLAGS="$saved_CFLAGS $t"
|
|
LDFLAGS="$saved_LDFLAGS $t"
|
|
AC_MSG_CHECKING(if $t works)
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
break ],
|
|
[ AC_MSG_RESULT(no) ],
|
|
[ AC_MSG_WARN([cross compiling: cannot test])
|
|
break ]
|
|
)
|
|
],
|
|
[ AC_MSG_RESULT(no) ]
|
|
)
|
|
CFLAGS="$saved_CFLAGS"
|
|
LDFLAGS="$saved_LDFLAGS"
|
|
done
|
|
fi
|
|
|
|
if test "x$use_pie" = "xyes"; then
|
|
for t in "-fPIE -pie"; do
|
|
AC_MSG_CHECKING(if $CC supports $t)
|
|
saved_CFLAGS="$CFLAGS"
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
CFLAGS="$CFLAGS $t -Werror"
|
|
LDFLAGS="$LDFLAGS $t -Werror"
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
CFLAGS="$saved_CFLAGS $t"
|
|
LDFLAGS="$saved_LDFLAGS $t"
|
|
AC_MSG_CHECKING(if $t works)
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
break ],
|
|
[ AC_MSG_RESULT(no) ],
|
|
[ AC_MSG_WARN([cross compiling: cannot test])
|
|
break ]
|
|
)
|
|
],
|
|
[ AC_MSG_RESULT(no) ]
|
|
)
|
|
CFLAGS="$saved_CFLAGS"
|
|
LDFLAGS="$saved_LDFLAGS"
|
|
done
|
|
fi
|
|
|
|
if test "x$use_fortify_source" = "xyes"; then
|
|
for t in "-D_FORTIFY_SOURCE=2"; do
|
|
AC_MSG_CHECKING(if $CC supports $t)
|
|
saved_CFLAGS="$CFLAGS"
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
CFLAGS="$CFLAGS $t -Werror"
|
|
LDFLAGS="$LDFLAGS $t -Werror"
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
CFLAGS="$saved_CFLAGS $t"
|
|
LDFLAGS="$saved_LDFLAGS $t"
|
|
AC_MSG_CHECKING(if $t works)
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
break ],
|
|
[ AC_MSG_RESULT(no) ],
|
|
[ AC_MSG_WARN([cross compiling: cannot test])
|
|
break ]
|
|
)
|
|
],
|
|
[ AC_MSG_RESULT(no) ]
|
|
)
|
|
CFLAGS="$saved_CFLAGS"
|
|
LDFLAGS="$saved_LDFLAGS"
|
|
done
|
|
fi
|
|
|
|
if test "x$use_ro_relocations" = "xyes"; then
|
|
for t in "-Wl,-z,relro"; do
|
|
AC_MSG_CHECKING(if $CC supports $t)
|
|
saved_CFLAGS="$CFLAGS"
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
CFLAGS="$CFLAGS $t -Werror"
|
|
LDFLAGS="$LDFLAGS $t -Werror"
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
CFLAGS="$saved_CFLAGS $t"
|
|
LDFLAGS="$saved_LDFLAGS $t"
|
|
AC_MSG_CHECKING(if $t works)
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
break ],
|
|
[ AC_MSG_RESULT(no) ],
|
|
[ AC_MSG_WARN([cross compiling: cannot test])
|
|
break ]
|
|
)
|
|
],
|
|
[ AC_MSG_RESULT(no) ]
|
|
)
|
|
CFLAGS="$saved_CFLAGS"
|
|
LDFLAGS="$saved_LDFLAGS"
|
|
done
|
|
fi
|
|
|
|
if test "x$use_immediate_binding" = "xyes"; then
|
|
for t in "-Wl,-z,now"; do
|
|
AC_MSG_CHECKING(if $CC supports $t)
|
|
saved_CFLAGS="$CFLAGS"
|
|
saved_LDFLAGS="$LDFLAGS"
|
|
CFLAGS="$CFLAGS $t -Werror"
|
|
LDFLAGS="$LDFLAGS $t -Werror"
|
|
AC_LINK_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
CFLAGS="$saved_CFLAGS $t"
|
|
LDFLAGS="$saved_LDFLAGS $t"
|
|
AC_MSG_CHECKING(if $t works)
|
|
AC_RUN_IFELSE(
|
|
[AC_LANG_SOURCE([
|
|
#include <stdio.h>
|
|
int main(void){char x[[256]]; snprintf(x, sizeof(x), "NNN"); return 0;}
|
|
])],
|
|
[ AC_MSG_RESULT(yes)
|
|
break ],
|
|
[ AC_MSG_RESULT(no) ],
|
|
[ AC_MSG_WARN([cross compiling: cannot test])
|
|
break ]
|
|
)
|
|
],
|
|
[ AC_MSG_RESULT(no) ]
|
|
)
|
|
CFLAGS="$saved_CFLAGS"
|
|
LDFLAGS="$saved_LDFLAGS"
|
|
done
|
|
fi
|
|
|
|
# Check for 3rd-party libs
|
|
#
|
|
AC_ARG_WITH([gpgme],
|
|
[AS_HELP_STRING([--with-gpgme],
|
|
[support for gpg encryption using libgpgme @<:@default=check@:>@])],
|
|
[],
|
|
[with_gpgme=check])
|
|
|
|
have_gpgme=yes
|
|
AS_IF([test "x$with_gpgme" != xno],
|
|
[AM_PATH_GPGME([],
|
|
[AC_DEFINE([HAVE_LIBGPGME], [1], [Define if you have libgpgme])],
|
|
[if test "x$with_gpgme" != xcheck; then
|
|
AC_MSG_FAILURE(
|
|
[--with-gpgme was given, but test for gpgme failed])
|
|
else
|
|
have_gpgme=no
|
|
fi
|
|
], [have_gpgme=no])], [have_gpgme=no])
|
|
|
|
dnl Add various common way to sbin dir to the path (just in case)
|
|
APP_PATH=$PATH$PATH_SEPARATOR/sbin$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/usr/local/sbin
|
|
|
|
dnl Check for gpg (not gpg2)
|
|
dnl
|
|
AC_ARG_WITH([gpg],
|
|
[AS_HELP_STRING([--with-gpg=/path/to/gpg],
|
|
[Specify path to the gpg executable that gpgme will use @<:@default=check path@:>@])],
|
|
[
|
|
AS_IF([ test "x$withval" = x -o "x$withval" = xyes -o "x$withval" = xno ],
|
|
[AC_MSG_ERROR([--with-gpg requires an argument specifying a path to gpg])],
|
|
[ GPG_EXE=$withval ]
|
|
)
|
|
],
|
|
[
|
|
AC_PATH_PROG(GPG_EXE, [gpg], [], [$APP_PATH])
|
|
]
|
|
)
|
|
AS_IF([test "x$GPG_EXE" != x],
|
|
[
|
|
AC_DEFINE_UNQUOTED([GPG_EXE], ["$GPG_EXE"], [Path to gpg executable])
|
|
gpg_exe=$GPG_EXE
|
|
], [ gpg_exe="(not found)"]
|
|
)
|
|
|
|
dnl Check for libpcap, gdbm (or ndbm) if we are building the server component
|
|
dnl
|
|
AS_IF([test "$want_server" = yes], [
|
|
# Looking for libpcap
|
|
#
|
|
AC_CHECK_LIB([pcap],[pcap_open_live],
|
|
[ AC_DEFINE([HAVE_LIBPCAP], [1], [Define if you have libpcap]) ],
|
|
[ AC_MSG_ERROR([fwknopd needs libpcap])]
|
|
)
|
|
|
|
AS_IF([test "$want_digest_cache" = yes], [
|
|
use_ndbm=no
|
|
have_digest_cache=yes
|
|
|
|
AS_IF([test "$want_file_cache" = no], [
|
|
|
|
# Looking for gdbm or fallback to ndbm or bail
|
|
#
|
|
AC_CHECK_LIB([gdbm],[gdbm_open],
|
|
[
|
|
AC_DEFINE([HAVE_LIBGDBM], [1], [Define if you have libgdbm])
|
|
],
|
|
[ AC_CHECK_LIB([ndbm],[dbm_open],
|
|
[
|
|
AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm])
|
|
use_ndbm=yes
|
|
],
|
|
[ AC_CHECK_HEADER([ndbm.h],
|
|
[ AC_CHECK_FUNC([dbm_open],
|
|
[ AC_DEFINE([HAVE_LIBNDBM], [1], [Define if you have libndbm])],
|
|
[
|
|
AC_DEFINE([NO_DIGEST_CACHE], [1], [Define this to disable the digest cache for replay detection - not recommended.])
|
|
AC_MSG_WARN([No DBM implementation found. Replay detection will be disabled.])
|
|
have_digest_cache=no
|
|
]
|
|
)]
|
|
)]
|
|
)]
|
|
)]
|
|
)],
|
|
[
|
|
AC_DEFINE([NO_DIGEST_CACHE], [1], [Define this to disable the digest cache for replay detection - not recommended.])
|
|
have_digest_cache=no
|
|
]
|
|
)
|
|
|
|
AM_CONDITIONAL([USE_NDBM], [test x$use_ndbm = xyes])
|
|
AM_CONDITIONAL([CONFIG_FILE_CACHE], [test x$want_file_cache = xyes])
|
|
|
|
dnl Check for iptables
|
|
dnl
|
|
AC_ARG_WITH([iptables],
|
|
[AS_HELP_STRING([--with-iptables=/path/to/iptables],
|
|
[Specify path to the iptables executable @<:@default=check path@:>@])],
|
|
[
|
|
AS_IF([ test "x$withval" = xno ], [],
|
|
AS_IF([ test "x$withval" = x -o "x$withval" = xyes ],
|
|
[AC_MSG_ERROR([--with-iptables requires an argument specifying a path to iptables])],
|
|
[ IPTABLES_EXE=$withval ]
|
|
)
|
|
)
|
|
],
|
|
[
|
|
AC_PATH_PROG(IPTABLES_EXE, [iptables], [], [$APP_PATH])
|
|
]
|
|
)
|
|
|
|
dnl Check for ipfw
|
|
dnl
|
|
AC_ARG_WITH([ipfw],
|
|
[AS_HELP_STRING([--with-ipfw=/path/to/ipfw],
|
|
[Specify path to the ipfw executable @<:@default=check path@:>@])],
|
|
[
|
|
AS_IF([ test "x$withval" = xno ], [],
|
|
AS_IF([ test "x$withval" = x -o "x$withval" = xyes ],
|
|
[AC_MSG_ERROR([--with-ipfw requires an argument specifying a path to ipfw])],
|
|
[ IPFW_EXE=$withval ]
|
|
)
|
|
)
|
|
],
|
|
[
|
|
AC_PATH_PROG(IPFW_EXE, [ipfw], [], [$APP_PATH])
|
|
]
|
|
)
|
|
|
|
dnl Check for ipf (ipfilter)
|
|
dnl
|
|
AC_ARG_WITH([ipf],
|
|
[AS_HELP_STRING([--with-ipf=/path/to/ipf],
|
|
[Specify path to the ipf executable @<:@default=check path@:>@])],
|
|
[
|
|
AS_IF([ test "x$withval" = xno ], [],
|
|
AS_IF([ test "x$withval" = x -o "x$withval" = xyes ],
|
|
[AC_MSG_ERROR([--with-ipfw requires an argument specifying a path to ipfw])],
|
|
[ IPF_EXE=$withval ]
|
|
)
|
|
)
|
|
],
|
|
[
|
|
AC_PATH_PROG(IPF_EXE, [ipf], [], [$APP_PATH])
|
|
]
|
|
)
|
|
|
|
dnl Determine which firewall exe we use (if we have one).
|
|
dnl If iptables was found or specified, it wins, then we fallback to ipfw,
|
|
dnl otherwise we try ipf.
|
|
dnl
|
|
AS_IF([test "x$IPTABLES_EXE" != x], [
|
|
FW_DEF="FW_IPTABLES"
|
|
FIREWALL_TYPE="iptables"
|
|
FIREWALL_EXE=$IPTABLES_EXE
|
|
AC_DEFINE_UNQUOTED([FIREWALL_IPTABLES], [1], [The firewall type: iptables.])
|
|
],[
|
|
AS_IF([test "x$IPFW_EXE" != x], [
|
|
FW_DEF="FW_IPFW"
|
|
FIREWALL_TYPE="ipfw"
|
|
FIREWALL_EXE=$IPFW_EXE
|
|
AC_DEFINE_UNQUOTED([FIREWALL_IPFW], [1], [The firewall type: ipfw.])
|
|
],[ AS_IF([test "x$IPF_EXE" != x], [
|
|
AC_MSG_ERROR([Sorry - ipf was specified or the only one found, however, it is not supported yet.])
|
|
FIREWALL_TYPE="ipf"
|
|
FIREWALL_EXE=$IPF_EXE
|
|
AC_DEFINE_UNQUOTED([FIREWALL_IPF], [1], [The firewall type: ipf.])
|
|
], [AC_MSG_ERROR([No firewall program was found or specified.]) ]
|
|
]
|
|
]
|
|
)))
|
|
|
|
AC_DEFINE_UNQUOTED([FIREWALL_EXE], ["$FIREWALL_EXE"],
|
|
[Path to firewall command executable (it should match the firewall type).])
|
|
|
|
],
|
|
[test "$want_server" = no], [
|
|
use_ndbm=no
|
|
AM_CONDITIONAL([USE_NDBM], [test x$use_ndbm = xno])
|
|
AM_CONDITIONAL([CONFIG_FILE_CACHE], [test x$use_ndbm = xno])
|
|
]
|
|
)
|
|
|
|
AC_CONFIG_FILES([Makefile
|
|
lib/Makefile
|
|
client/Makefile
|
|
server/Makefile
|
|
common/Makefile
|
|
doc/Makefile])
|
|
|
|
AC_OUTPUT
|
|
|
|
if [test "$have_gpgme" = "yes" ]; then
|
|
have_gpgme="$have_gpgme
|
|
Gpgme engine: $GPG_EXE"
|
|
fi
|
|
|
|
echo "
|
|
$PACKAGE_NAME-$PACKAGE_VERSION configuration.
|
|
==========================================================
|
|
Client build: $want_client
|
|
Server build: $want_server
|
|
GPG encryption support: $have_gpgme
|
|
|
|
Installation prefix: $prefix
|
|
"
|
|
if [test "$want_server" = "yes" ]; then
|
|
echo " Server support:
|
|
firewall type: $FIREWALL_TYPE
|
|
firewall program path: $FIREWALL_EXE
|
|
"
|
|
|
|
if [test "$want_digest_cache" = "no" ]; then
|
|
echo " *WARNING*
|
|
The digest-cache functionality is not enabled. This
|
|
could leave the fwknopd server open to replay attacks!
|
|
"
|
|
fi
|
|
fi
|