Import ipsec-tools ipsec-tools-0_6-20050224

crypto/dist/ipsec-tools/ChangeLog

@@ -1,3 +1,12 @@
+2005-02-24  Emmanuel Dreyfus <manu@netbsd.org>
+
+	* src/racoon/privsep.c: safety check port numbers given by the
+	  unprivilegied instance.
+	* src/libipsec/libpfkey.h: prefer __inline to inline
+	* src/racoon/racoonctl.8: display fixes in racoonctl(8)
+	* src/racoon/{cfparse.y|cftoken.l|localconf.c|localconf.h|privsep.c}
+	  src/racoon/racoon.conf.5: Add chroot capability
+	
 2005-02-23  Emmanuel Dreyfus <manu@netbsd.org>
 
         * configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal

crypto/dist/ipsec-tools/configure.ac

@@ -2,7 +2,7 @@ dnl -*- mode: m4 -*-
 dnl Id: configure.ac,v 1.47.2.2 2005/02/22 23:56:08 manubsd Exp
 
 AC_PREREQ(2.52)
-AC_INIT(ipsec-tools, 0.6-20050223)
+AC_INIT(ipsec-tools, 0.5pre)
 AC_CONFIG_SRCDIR([configure.ac])
 AM_CONFIG_HEADER(config.h)
 

crypto/dist/ipsec-tools/netbsd-import.sh

@@ -0,0 +1,111 @@
+#! /bin/sh
+#
+#	$NetBSD: netbsd-import.sh,v 1.1.1.1 2005/02/24 20:52:27 manu Exp $
+#
+# Copyright (c) 2000-2005 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+# 3. All advertising materials mentioning features or use of this software
+#    must display the following acknowledgement:
+#	This product includes software developed by the NetBSD
+#	Foundation, Inc. and its contributors.
+# 4. Neither the name of The NetBSD Foundation nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+# netbsd-import: prepare ipsec-tools distribution for import 
+# in the NetBSD tree, under src/crypto/dist/ipsec-tools
+# Based on bind2netbsd.
+#
+# Instructions for importing a newer ipsec-tools release:
+#
+#	$ tag=ipsec-tools-0_6-20050224
+#	$ cd /tmp
+#	$ cvs -danoncvs@cvs.sf.net:/cvsroot/ipsec-tools co -r $tag ipsec-tools
+#	$ cd ipsec-tools
+#	$ /usr/src/crypto/dist/ipsec-tools/netbsd-import.sh $tag `pwd` /usr/src
+#	$ cvs -d`whoami`@cvs.netbsd.org:/cvsroot import -m 	\
+#	  "Import ipsec-tools $tag" src/crypto/dist/ipsec-tools \
+#	  IPSEC_TOOLS $tag
+#	$ cd /usr/src/lib/libipsec
+#	$ cvs -d`whoami`@cvs.netbsd.org:/cvsroot commit -m 	\
+#	  "update ipsec-tools version" package_version.h 
+#
+
+test $# -ne 3 && 							\
+    echo "usage: netbsd-import.sh tag ipsec-tools-src netbsdsrc" &&	\
+    exit
+
+SCRIPTNAME=$0
+RELEASE=`echo $1|sed 's/^ipsec-tools-//; s/_/\./'`
+DISTSRC=$2
+NETBSDSRC=$3
+
+### Remove CVS directories and .cvsignore files
+find ${DISTSRC} -type d -name CVS -print | while read d ; do 		\
+    rm -R $d && echo "removed $d" ;					\
+done
+find ${DISTSRC} -type f -name .cvsignore -print | while read f ; do	\
+    rm $f && echo "removed $f" ;					\
+done
+
+### Remove the $'s around RCS tags
+find ${DISTSRC} -type f -print | 				\
+    xargs egrep -l '\$(Id|Created|Header)' | while read f; do
+	sed -e 's/\$\(Id.*\) \$/\1/' \
+	    -e 's/\$\(Created.*\) \$/\1/' \
+	    -e 's/\$\(Header.*\) \$/\1/' \
+	    < $f > /tmp/ipsec1f$$ && mv /tmp/ipsec1f$$ $f && \
+	echo "removed \$RCS tag from $f"
+done
+
+### Add our NetBSD RCS Id
+find ${DISTSRC}  -type f -name '*.[chly]' -print | while read c; do
+	sed 1q < $c | grep -q '\$NetBSD' || (
+echo "/*	\$NetBSD\$	*/" >/tmp/ipsec3n$$
+echo "" >>/tmp/ipsec3n$$
+cat $c  >> /tmp/ipsec3n$$
+mv /tmp/ipsec3n$$ $c && echo "added NetBSD RCS tag to $c"
+	)
+done
+
+find ${DISTSRC} -type f -name '*.[0-9]' -print | while read m; do
+	sed 1q < $m | grep -q '\$NetBSD' || (
+echo ".\\\"	\$NetBSD\$" >/tmp/ipsec2m$$
+echo ".\\\"" >>/tmp/ipsec2m$$
+cat $m >> /tmp/ipsec2m$$
+mv /tmp/ipsec2m$$ $m && echo "added NetBSD RCS tag to $m"
+	)
+done
+
+sed "									\
+    s/^\(#define TOP_PACKAGE_VERSION \).*/\1 \"${RELEASE}\"/;		\
+    s/^\(#define TOP_PACKAGE_STRING \).*/\1 \"ipsec-tools ${RELEASE}\"/;\
+" ${NETBSDSRC}/lib/libipsec/package_version.h > /tmp/ipsec5		
+mv /tmp/ipsec5 ${NETBSDSRC}/lib/libipsec/package_version.h &&		\
+    echo "Updated version in lib/libipsec/package_version.h"
+
+cp ${SCRIPTNAME} ${DISTSRC} && echo "copied ${SCRIPTNAME} to ${DISTSRC}" 
+
+echo "done, don't forget to cvs commit src/lib/libipsec/package_version.h"
+

crypto/dist/ipsec-tools/src/racoon/cfparse.y

@@ -1,6 +1,6 @@
-/*	$NetBSD: cfparse.y,v 1.1.1.2 2005/02/23 14:54:11 manu Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.1.1.3 2005/02/24 20:52:46 manu Exp $	*/
 
-/* Id: cfparse.y,v 1.37 2005/02/11 06:59:01 manubsd Exp */
+/* Id: cfparse.y,v 1.37.2.1 2005/02/24 18:31:55 manubsd Exp */
 
 %{
 /*
@@ -179,7 +179,7 @@ static int fix_lifebyte __P((u_long));
 }
 
 	/* privsep */
-%token PRIVSEP USER GROUP
+%token PRIVSEP USER GROUP CHROOT
 	/* path */
 %token PATH PATHTYPE
 	/* include */
@@ -301,6 +301,7 @@ privsep_stmt
 		}
 		EOS
 	|	GROUP NUMBER { lcconf->gid = $2; } EOS
+	|	CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
 	;
 
 	/* path */

crypto/dist/ipsec-tools/src/racoon/cftoken.l

@@ -1,6 +1,6 @@
-/*	$NetBSD: cftoken.l,v 1.1.1.2 2005/02/23 14:54:12 manu Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.1.1.3 2005/02/24 20:52:47 manu Exp $	*/
 
-/* Id: cftoken.l,v 1.31 2005/02/11 06:59:01 manubsd Exp */
+/* Id: cftoken.l,v 1.31.2.1 2005/02/24 18:31:56 manubsd Exp */
 
 %{
 /*
@@ -154,6 +154,7 @@ hexstring	0x{hexdigit}+
 <S_PRIV>{bcl}		{ return(BOC); }
 <S_PRIV>user		{ YYD; return(USER); }
 <S_PRIV>group		{ YYD; return(GROUP); }
+<S_PRIV>chroot		{ YYD; return(CHROOT); }
 <S_PRIV>{ecl}		{ BEGIN S_INI; return(EOC); }
 
 	/* path */

crypto/dist/ipsec-tools/src/racoon/localconf.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: localconf.c,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $	*/
+/*	$NetBSD: localconf.c,v 1.1.1.3 2005/02/24 20:53:34 manu Exp $	*/
 
 /*	$KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $	*/
 
@@ -104,6 +104,7 @@ setdefault()
 {
 	lcconf->uid = 0;
 	lcconf->gid = 0;
+	lcconf->chroot = NULL;
 	lcconf->autograbaddr = 1;
 	lcconf->port_isakmp = PORT_ISAKMP;
 	lcconf->port_isakmp_natt = PORT_ISAKMP_NATT;

crypto/dist/ipsec-tools/src/racoon/localconf.h

@@ -1,6 +1,6 @@
-/*	$NetBSD: localconf.h,v 1.1.1.2 2005/02/23 14:54:22 manu Exp $	*/
+/*	$NetBSD: localconf.h,v 1.1.1.3 2005/02/24 20:53:34 manu Exp $	*/
 
-/* Id: localconf.h,v 1.9 2005/02/11 06:59:01 manubsd Exp */
+/* Id: localconf.h,v 1.9.2.1 2005/02/24 18:31:56 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -69,6 +69,7 @@ struct localconf {
 
 	uid_t uid;
 	gid_t gid;
+	char *chroot;			/* chroot path */
 	u_int16_t port_isakmp;		/* port for isakmp as default */
 	u_int16_t port_isakmp_natt;	/* port for NAT-T use */
 	u_int16_t port_admin;		/* port for admin */

crypto/dist/ipsec-tools/src/racoon/privsep.c

@@ -1,6 +1,6 @@
-/*	$NetBSD: privsep.c,v 1.1.1.2 2005/02/23 14:54:25 manu Exp $	*/
+/*	$NetBSD: privsep.c,v 1.1.1.3 2005/02/24 20:53:50 manu Exp $	*/
 
-/* Id: privsep.c,v 1.6 2005/02/10 02:02:56 manubsd Exp */
+/* Id: privsep.c,v 1.6.2.2 2005/02/24 18:31:56 manubsd Exp */
 
 /*
  * Copyright (C) 2004 Emmanuel Dreyfus
@@ -69,6 +69,7 @@ static int privsep_sock[2] = { -1, -1 };
 static int privsep_recv(int, struct privsep_com_msg **, size_t *);
 static int privsep_send(int, struct privsep_com_msg *, size_t);
 static int safety_check(struct privsep_com_msg *, int i);
+static int port_check(int);
 static int unsafe_env(char *const *);
 static int unknown_name(int);
 static int unknown_script(int);
@@ -182,10 +183,48 @@ privsep_init(void)
 		break;
 
 	case 0: /* Child: drop privileges */
-		setgid(lcconf->gid);
-		setegid(lcconf->gid);
-		setuid(lcconf->uid);
-		seteuid(lcconf->uid);
+		if (lcconf->chroot != NULL) {
+			if (chdir(lcconf->chroot) != 0) {
+				plog(LLV_ERROR, LOCATION, NULL, 
+				    "Cannot chdir(%s): %s\n", lcconf->chroot, 
+				    strerror(errno));
+				return -1;
+			}
+			if (chroot(lcconf->chroot) != 0) {
+				plog(LLV_ERROR, LOCATION, NULL, 
+				    "Cannot chroot(%s): %s\n", lcconf->chroot, 
+				    strerror(errno));
+				return -1;
+			}
+		}
+
+		if (setgid(lcconf->gid) != 0) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "Cannot setgid(%d): %s\n", lcconf->gid,
+			    strerror(errno));
+			return -1;
+		}
+
+		if (setegid(lcconf->gid) != 0) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "Cannot setegid(%d): %s\n", lcconf->gid,
+			    strerror(errno));
+			return -1;
+		}
+
+		if (setuid(lcconf->uid) != 0) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "Cannot setuid(%d): %s\n", lcconf->uid,
+			    strerror(errno));
+			return -1;
+		}
+
+		if (seteuid(lcconf->uid) != 0) {
+			plog(LLV_ERROR, LOCATION, NULL, 
+			    "Cannot seteuid(%d): %s\n", lcconf->uid,
+			    strerror(errno));
+			return -1;
+		}
 
 		return 0;
 		break;
@@ -462,6 +501,9 @@ privsep_init(void)
 			memcpy(&port, bufs[0], sizeof(port));
 			memcpy(&inout, bufs[1], sizeof(inout));
 
+			if (port_check(port) != 0)
+				break;
+
 			errno = 0;
 			if (isakmp_cfg_accounting_pam(port, inout) != 0) {
 				if (errno == 0)
@@ -491,6 +533,9 @@ privsep_init(void)
 			bufs[2][combuf->bufs.buflen[2] - 1] = '\0';
 			bufs[3][combuf->bufs.buflen[3] - 1] = '\0';
 
+			if (port_check(port) != 0)
+				break;
+
 			errno = 0;
 			if (xauth_login_pam(port, 
 			    raddr, bufs[2], bufs[3]) != 0) {
@@ -510,6 +555,9 @@ privsep_init(void)
 
 			memcpy(&port, bufs[0], sizeof(port));
 
+			if (port_check(port) != 0)
+				break;
+
 			cleanup_pam(port);
 			reply->hdr.ac_errno = 0;
 
@@ -829,6 +877,20 @@ privsep_xauth_login_system(usr, pwd)
 }
 #endif /* ENABLE_HYBRID */
 
+static int
+port_check(port)
+	int port;
+{
+	if ((port < 0) || (port >= isakmp_cfg_config.pool_size)) {
+		plog(LLV_ERROR, LOCATION, NULL, 
+		    "privsep: port %d outsied of allowed range [0,%d]\n",
+		    port, isakmp_cfg_config.pool_size - 1);
+		return -1;
+	}
+
+	return 0;
+}
+
 static int 
 safety_check(msg, index)
 	struct privsep_com_msg *msg;

crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

@@ -1,6 +1,6 @@
-.\"	$NetBSD: racoon.conf.5,v 1.1.1.2 2005/02/23 14:54:26 manu Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.1.1.3 2005/02/24 20:53:56 manu Exp $
 .\"
-.\" Id: racoon.conf.5,v 1.27 2005/02/11 06:59:01 manubsd Exp
+.\" Id: racoon.conf.5,v 1.27.2.1 2005/02/24 18:31:56 manubsd Exp
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
@@ -129,17 +129,39 @@ is one of following:
 .Ss Privilege separation
 .Bl -tag -width Ds -compact
 .It Ic privsep { Ar statements Ic }
-specifies privilege separation parameters.
+specifies privilege separation parameters. When enabled, these enable
+.Xr racoon 8
+to operate with an unprivilegied instance doing most of the work, while
+a privilegied instance take care of performing the following operations 
+as root: reading PSK and private keys, launching hook scripts, and 
+validating passwords against system database or against PAM.
 .Pp
 .Bl -tag -width Ds -compact
 .It Ic user Ar user ;
-The user
+The user the unprivilegied instance of
 .Xr racoon 8 ,
 should switch to. This can be a quoted user name or a numeric UID.
 .It Ic group Ar group ;
-The group
+The group the unprivilegied instance of
 .Xr racoon 8 ,
 should switch to. This can be a quoted group name or a numeric GID.
+.It Ic chroot Ar path ;
+A directory where the unprivilegied instance of 
+.Xr racoon 8
+should 
+.Xr chroot 2
+to. This directory should hold a tree where the following files must be
+reachable:
+.Bl -tag -width Ds -compact
+.It Pa /dev/random
+.It Pa /dev/urandom
+.It The certificates.
+.It The file containing the Xauth banner.
+.El
+.Pp
+The PSK file, the private keys, and the hook scripts are accessed through 
+.Xr racoon 8
+privilegied instance and do not need to be reachable in the chrooted tree.
 .El
 .El
 .Ss Path Specification

crypto/dist/ipsec-tools/src/racoon/racoonctl.8

@@ -1,6 +1,6 @@
-.\"	$NetBSD: racoonctl.8,v 1.1.1.2 2005/02/23 14:54:26 manu Exp $
+.\"	$NetBSD: racoonctl.8,v 1.1.1.3 2005/02/24 20:53:56 manu Exp $
 .\"
-.\" Id: racoonctl.8,v 1.2 2004/11/21 16:46:53 manubsd Exp
+.\" Id: racoonctl.8,v 1.2.4.1 2005/02/24 18:04:42 manubsd Exp
 .\"
 .\" Copyright (C) 2004 Emmanuel Dreyfus
 .\" All rights reserved.
@@ -98,7 +98,10 @@ to increase verbosity.
 .It flush-sa Op isakmp|esp|ah|ipsec
 is used to flush all SA if no SA class is provided, or a class of SA, 
 either ISAKMP SA, IPsec ESP SA, or IPsec AH SA, or all IPsec SA.
-.It establish-sa Oo Fl u Ar username Oc Ar saopts
+.It Xo establish-sa 
+.Oo Fl u Ar username 
+.Oc Ar saopts
+.Xc
 Establish a SA, either a ISAKMP SA, IPsec ESP SA, or IPsec AH SA. The 
 optionnal 
 .Fl u Ar username
@@ -115,7 +118,10 @@ can have the following formats:
 .It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
 {icmp|tcp|udp|any}
 .El
-.It vpn-connect Oo Fl u Ar username Oc Ar vpn_gateway
+.It Xo vpn-connect 
+.Oo Fl u Ar username 
+.Oc Ar vpn_gateway
+.Xc
 This is a particular case of the previous command. It will establish an ISAKMP
 SA with
 .Ar vpn_gateway .
@@ -138,35 +144,26 @@ awaiting and reporting new events.
 .El
 .Pp
 Command shortcuts are available:
-.Bl -tag
-.It rc 
-reload-config
-.It ss 
-show-sa
-.It sc 
-show-schedule
-.It fs 
-flush-sa
-.It ds 
-delete-sa
-.It es 
-establish-sa
-.It vc 
-vpn-connect
-.It vd 
-vpn-disconnect
-.It se
-show-event
+.Bl -tag -width Bl
+.It rc reload-config 
+.It ss show-sa 
+.It sc show-schedule
+.It fs flush-sa
+.It ds delete-sa
+.It es establish-sa
+.It vc vpn-connect
+.It vd vpn-disconnect
+.It se show-event
 .El
 .\"
 .Sh RETURN VALUES
 The command should exit with 0 on success, and non-zero on errors.
 .\"
 .Sh FILES
-.Bl -tag 
-.It Pa /var/racoon/racoon.sock
-.Xr racoon 8 
-control socket.
+.Bl -tag -width Bl
+.It Pa /var/racoon/racoon.sock or Pa /var/run/racoon.sock 
+.Xr racoon 8
+control socket. 
 .El
 .\"
 .Sh SEE ALSO
@@ -176,6 +173,7 @@ control socket.
 Once was 
 .Xr kmpstat 8 
 in the KAME project. It turned into 
-.Xr racoonctl 8 but remained undocumented for a while. 
+.Xr racoonctl 8 
+but remained undocumented for a while. 
 .An Emmanuel Dreyfus Aq manu@netbsd.org
 wrote this man page.