[src/trunk]: src/crypto/dist/ipsec-tools Import ipsec-tools ipsec-tools-0_6-2...
details: https://anonhg.NetBSD.org/src/rev/5be7cb8231a4
branches: trunk
changeset: 574234:5be7cb8231a4
user: manu <manu%NetBSD.org@localhost>
date: Thu Feb 24 20:52:25 2005 +0000
description:
Import ipsec-tools ipsec-tools-0_6-20050224
diffstat:
crypto/dist/ipsec-tools/ChangeLog | 9 +
crypto/dist/ipsec-tools/configure.ac | 2 +-
crypto/dist/ipsec-tools/netbsd-import.sh | 111 +++++++++++++++++++++++
crypto/dist/ipsec-tools/src/racoon/cfparse.y | 7 +-
crypto/dist/ipsec-tools/src/racoon/cftoken.l | 5 +-
crypto/dist/ipsec-tools/src/racoon/localconf.c | 3 +-
crypto/dist/ipsec-tools/src/racoon/localconf.h | 5 +-
crypto/dist/ipsec-tools/src/racoon/privsep.c | 74 ++++++++++++++-
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5 | 32 +++++-
crypto/dist/ipsec-tools/src/racoon/racoonctl.8 | 54 +++++-----
10 files changed, 254 insertions(+), 48 deletions(-)
diffs (truncated from 503 to 300 lines):
diff -r d6cc56ef8ecc -r 5be7cb8231a4 crypto/dist/ipsec-tools/ChangeLog
--- a/crypto/dist/ipsec-tools/ChangeLog Thu Feb 24 15:15:27 2005 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog Thu Feb 24 20:52:25 2005 +0000
@@ -1,3 +1,12 @@
+2005-02-24 Emmanuel Dreyfus <manu%netbsd.org@localhost>
+
+ * src/racoon/privsep.c: safety check port numbers given by the
+ unprivilegied instance.
+ * src/libipsec/libpfkey.h: prefer __inline to inline
+ * src/racoon/racoonctl.8: display fixes in racoonctl(8)
+ * src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
+ src/racoon/racoon.conf.5: Add chroot capability
+
2005-02-23 Emmanuel Dreyfus <manu%netbsd.org@localhost>
* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
diff -r d6cc56ef8ecc -r 5be7cb8231a4 crypto/dist/ipsec-tools/configure.ac
--- a/crypto/dist/ipsec-tools/configure.ac Thu Feb 24 15:15:27 2005 +0000
+++ b/crypto/dist/ipsec-tools/configure.ac Thu Feb 24 20:52:25 2005 +0000
@@ -2,7 +2,7 @@
dnl Id: configure.ac,v 1.47.2.2 2005/02/22 23:56:08 manubsd Exp
AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, 0.6-20050223)
+AC_INIT(ipsec-tools, 0.5pre)
AC_CONFIG_SRCDIR([configure.ac])
AM_CONFIG_HEADER(config.h)
diff -r d6cc56ef8ecc -r 5be7cb8231a4 crypto/dist/ipsec-tools/netbsd-import.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/dist/ipsec-tools/netbsd-import.sh Thu Feb 24 20:52:25 2005 +0000
@@ -0,0 +1,111 @@
+#! /bin/sh
+#
+# $NetBSD: netbsd-import.sh,v 1.1.1.1 2005/02/24 20:52:27 manu Exp $
+#
+# Copyright (c) 2000-2005 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+# must display the following acknowledgement:
+# This product includes software developed by the NetBSD
+# Foundation, Inc. and its contributors.
+# 4. Neither the name of The NetBSD Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+# netbsd-import: prepare ipsec-tools distribution for import
+# in the NetBSD tree, under src/crypto/dist/ipsec-tools
+# Based on bind2netbsd.
+#
+# Instructions for importing a newer ipsec-tools release:
+#
+# $ tag=ipsec-tools-0_6-20050224
+# $ cd /tmp
+# $ cvs -danoncvs%cvs.sf.net@localhost:/cvsroot/ipsec-tools co -r $tag ipsec-tools
+# $ cd ipsec-tools
+# $ /usr/src/crypto/dist/ipsec-tools/netbsd-import.sh $tag `pwd` /usr/src
+# $ cvs -d`whoami`@cvs.netbsd.org:/cvsroot import -m \
+# "Import ipsec-tools $tag" src/crypto/dist/ipsec-tools \
+# IPSEC_TOOLS $tag
+# $ cd /usr/src/lib/libipsec
+# $ cvs -d`whoami`@cvs.netbsd.org:/cvsroot commit -m \
+# "update ipsec-tools version" package_version.h
+#
+
+test $# -ne 3 && \
+ echo "usage: netbsd-import.sh tag ipsec-tools-src netbsdsrc" && \
+ exit
+
+SCRIPTNAME=$0
+RELEASE=`echo $1|sed 's/^ipsec-tools-//; s/_/\./'`
+DISTSRC=$2
+NETBSDSRC=$3
+
+### Remove CVS directories and .cvsignore files
+find ${DISTSRC} -type d -name CVS -print | while read d ; do \
+ rm -R $d && echo "removed $d" ; \
+done
+find ${DISTSRC} -type f -name .cvsignore -print | while read f ; do \
+ rm $f && echo "removed $f" ; \
+done
+
+### Remove the $'s around RCS tags
+find ${DISTSRC} -type f -print | \
+ xargs egrep -l '\$(Id|Created|Header)' | while read f; do
+ sed -e 's/\$\(Id.*\) \$/\1/' \
+ -e 's/\$\(Created.*\) \$/\1/' \
+ -e 's/\$\(Header.*\) \$/\1/' \
+ < $f > /tmp/ipsec1f$$ && mv /tmp/ipsec1f$$ $f && \
+ echo "removed \$RCS tag from $f"
+done
+
+### Add our NetBSD RCS Id
+find ${DISTSRC} -type f -name '*.[chly]' -print | while read c; do
+ sed 1q < $c | grep -q '\$NetBSD' || (
+echo "/* \$NetBSD\$ */" >/tmp/ipsec3n$$
+echo "" >>/tmp/ipsec3n$$
+cat $c >> /tmp/ipsec3n$$
+mv /tmp/ipsec3n$$ $c && echo "added NetBSD RCS tag to $c"
+ )
+done
+
+find ${DISTSRC} -type f -name '*.[0-9]' -print | while read m; do
+ sed 1q < $m | grep -q '\$NetBSD' || (
+echo ".\\\" \$NetBSD\$" >/tmp/ipsec2m$$
+echo ".\\\"" >>/tmp/ipsec2m$$
+cat $m >> /tmp/ipsec2m$$
+mv /tmp/ipsec2m$$ $m && echo "added NetBSD RCS tag to $m"
+ )
+done
+
+sed " \
+ s/^\(#define TOP_PACKAGE_VERSION \).*/\1 \"${RELEASE}\"/; \
+ s/^\(#define TOP_PACKAGE_STRING \).*/\1 \"ipsec-tools ${RELEASE}\"/;\
+" ${NETBSDSRC}/lib/libipsec/package_version.h > /tmp/ipsec5
+mv /tmp/ipsec5 ${NETBSDSRC}/lib/libipsec/package_version.h && \
+ echo "Updated version in lib/libipsec/package_version.h"
+
+cp ${SCRIPTNAME} ${DISTSRC} && echo "copied ${SCRIPTNAME} to ${DISTSRC}"
+
+echo "done, don't forget to cvs commit src/lib/libipsec/package_version.h"
+
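Review bot: The scratch files written during the RCS-tag rewrite and the package_version.h rewrite use predictable names under /tmp — `/tmp/ipsec5` has no PID suffix at all, and `/tmp/ipsec1f$$`, `/tmp/ipsec2m$$`, `/tmp/ipsec3n$$` are trivially guessable — so another local user who pre-creates a symlink at one of those names can have the `>` redirection or the following `mv` follow it, clobbering an arbitrary file or planting content in the tree about to be imported. Each site should allocate its temporary with `tmp=$(mktemp /tmp/ipsec.XXXXXX) || exit 1` and use `"$tmp"`, and the loop variables should be quoted (`rm -R "$d"`, `< "$f"`, `cat "$c"`) so a path containing whitespace is not word-split into `rm -R`. Separately, the usage guard `test $# -ne 3 && echo ... && exit` ends with a bare `exit`, which returns echo's status 0, so the documented `cvs import` step that follows cannot tell the script failed; `exit 1` is what is intended.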
diff -r d6cc56ef8ecc -r 5be7cb8231a4 crypto/dist/ipsec-tools/src/racoon/cfparse.y
--- a/crypto/dist/ipsec-tools/src/racoon/cfparse.y Thu Feb 24 15:15:27 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cfparse.y Thu Feb 24 20:52:25 2005 +0000
@@ -1,6 +1,6 @@
-/* $NetBSD: cfparse.y,v 1.1.1.2 2005/02/23 14:54:11 manu Exp $ */
+/* $NetBSD: cfparse.y,v 1.1.1.3 2005/02/24 20:52:46 manu Exp $ */
-/* Id: cfparse.y,v 1.37 2005/02/11 06:59:01 manubsd Exp */
+/* Id: cfparse.y,v 1.37.2.1 2005/02/24 18:31:55 manubsd Exp */
%{
/*
@@ -179,7 +179,7 @@
}
/* privsep */
-%token PRIVSEP USER GROUP
+%token PRIVSEP USER GROUP CHROOT
/* path */
%token PATH PATHTYPE
/* include */
@@ -301,6 +301,7 @@
}
EOS
| GROUP NUMBER { lcconf->gid = $2; } EOS
+ | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
;
/* path */
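Review bot: The new `CHROOT QUOTEDSTRING` action stores `$2->v` directly into `lcconf->chroot`, never releases the `$2` token, and a second `chroot` line in the same block overwrites the earlier pointer without freeing it. The parser's other QUOTEDSTRING actions (the `path` rule is the model) seem to copy the text with `strdup` and then release the token, so the consistent form is `lcconf->chroot = strdup($2->v);` followed by freeing `$2` the way those actions do, with any previous `lcconf->chroot` freed first. The value should also be required to be absolute — e.g. reject it when `$2->v[0] != '/'` — because the consumer added to privsep.c in this same change does `chdir(lcconf->chroot)` and then `chroot(lcconf->chroot)` on the same string, which only names a single directory when the path is absolute. The enclosing privsep statement rule begins above this hunk.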
diff -r d6cc56ef8ecc -r 5be7cb8231a4 crypto/dist/ipsec-tools/src/racoon/cftoken.l
--- a/crypto/dist/ipsec-tools/src/racoon/cftoken.l Thu Feb 24 15:15:27 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/cftoken.l Thu Feb 24 20:52:25 2005 +0000
@@ -1,6 +1,6 @@
-/* $NetBSD: cftoken.l,v 1.1.1.2 2005/02/23 14:54:12 manu Exp $ */
+/* $NetBSD: cftoken.l,v 1.1.1.3 2005/02/24 20:52:47 manu Exp $ */
-/* Id: cftoken.l,v 1.31 2005/02/11 06:59:01 manubsd Exp */
+/* Id: cftoken.l,v 1.31.2.1 2005/02/24 18:31:56 manubsd Exp */
%{
/*
@@ -154,6 +154,7 @@
<S_PRIV>{bcl} { return(BOC); }
<S_PRIV>user { YYD; return(USER); }
<S_PRIV>group { YYD; return(GROUP); }
+<S_PRIV>chroot { YYD; return(CHROOT); }
<S_PRIV>{ecl} { BEGIN S_INI; return(EOC); }
/* path */
diff -r d6cc56ef8ecc -r 5be7cb8231a4 crypto/dist/ipsec-tools/src/racoon/localconf.c
--- a/crypto/dist/ipsec-tools/src/racoon/localconf.c Thu Feb 24 15:15:27 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/localconf.c Thu Feb 24 20:52:25 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: localconf.c,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $ */
+/* $NetBSD: localconf.c,v 1.1.1.3 2005/02/24 20:53:34 manu Exp $ */
/* $KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $ */
@@ -104,6 +104,7 @@
{
lcconf->uid = 0;
lcconf->gid = 0;
+ lcconf->chroot = NULL;
lcconf->autograbaddr = 1;
lcconf->port_isakmp = PORT_ISAKMP;
lcconf->port_isakmp_natt = PORT_ISAKMP_NATT;
diff -r d6cc56ef8ecc -r 5be7cb8231a4 crypto/dist/ipsec-tools/src/racoon/localconf.h
--- a/crypto/dist/ipsec-tools/src/racoon/localconf.h Thu Feb 24 15:15:27 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/localconf.h Thu Feb 24 20:52:25 2005 +0000
@@ -1,6 +1,6 @@
-/* $NetBSD: localconf.h,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $ */
+/* $NetBSD: localconf.h,v 1.1.1.3 2005/02/24 20:53:34 manu Exp $ */
-/* Id: localconf.h,v 1.9 2005/02/11 06:59:01 manubsd Exp */
+/* Id: localconf.h,v 1.9.2.1 2005/02/24 18:31:56 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -69,6 +69,7 @@
uid_t uid;
gid_t gid;
+ char *chroot; /* chroot path */
u_int16_t port_isakmp; /* port for isakmp as default */
u_int16_t port_isakmp_natt; /* port for NAT-T use */
u_int16_t port_admin; /* port for admin */
diff -r d6cc56ef8ecc -r 5be7cb8231a4 crypto/dist/ipsec-tools/src/racoon/privsep.c
--- a/crypto/dist/ipsec-tools/src/racoon/privsep.c Thu Feb 24 15:15:27 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/privsep.c Thu Feb 24 20:52:25 2005 +0000
@@ -1,6 +1,6 @@
-/* $NetBSD: privsep.c,v 1.1.1.2 2005/02/23 14:54:25 manu Exp $ */
+/* $NetBSD: privsep.c,v 1.1.1.3 2005/02/24 20:53:50 manu Exp $ */
-/* Id: privsep.c,v 1.6 2005/02/10 02:02:56 manubsd Exp */
+/* Id: privsep.c,v 1.6.2.2 2005/02/24 18:31:56 manubsd Exp */
/*
* Copyright (C) 2004 Emmanuel Dreyfus
@@ -69,6 +69,7 @@
static int privsep_recv(int, struct privsep_com_msg **, size_t *);
static int privsep_send(int, struct privsep_com_msg *, size_t);
static int safety_check(struct privsep_com_msg *, int i);
+static int port_check(int);
static int unsafe_env(char *const *);
static int unknown_name(int);
static int unknown_script(int);
@@ -182,10 +183,48 @@
break;
case 0: /* Child: drop privileges */
- setgid(lcconf->gid);
- setegid(lcconf->gid);
- setuid(lcconf->uid);
- seteuid(lcconf->uid);
+ if (lcconf->chroot != NULL) {
+ if (chdir(lcconf->chroot) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot chdir(%s): %s\n", lcconf->chroot,
+ strerror(errno));
+ return -1;
+ }
+ if (chroot(lcconf->chroot) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot chroot(%s): %s\n", lcconf->chroot,
+ strerror(errno));
+ return -1;
+ }
+ }
+
+ if (setgid(lcconf->gid) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot setgid(%d): %s\n", lcconf->gid,
+ strerror(errno));
+ return -1;
+ }
+
+ if (setegid(lcconf->gid) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot setegid(%d): %s\n", lcconf->gid,
+ strerror(errno));
+ return -1;
+ }
+
+ if (setuid(lcconf->uid) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot setuid(%d): %s\n", lcconf->uid,
+ strerror(errno));
+ return -1;
+ }
+
+ if (seteuid(lcconf->uid) != 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Cannot seteuid(%d): %s\n", lcconf->uid,
+ strerror(errno));
+ return -1;
+ }