Commit Graph

56 Commits

Author SHA1 Message Date
tls 4147a3c54a Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry.  RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros.  Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp iteself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default.  Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
2007-05-28 12:06:17 +00:00
christos 00201e88c3 PR/36069: Huang Yushuo: racoon can't work with pam_group
We need -lutil for login_getpwclass
2007-03-24 02:08:45 +00:00
manu 3c09e24ba2 Add the dependendy on libutil 2006-09-29 05:06:34 +00:00
manu d542f7adc2 Fix build 2006-09-16 06:19:50 +00:00
manu ba5b97f363 Fix ipsec-tools build after recent import 2006-09-09 17:52:01 +00:00
christos 65710e59db adjust to the new openssl 2005-11-26 02:32:32 +00:00
christos 192c2eccf6 Add -lcrypt where -lcrypto is specified. 2005-03-09 03:11:22 +00:00
he 8e8728c45c Introduce PAM_STATIC_LDADD and PAM_STATIC_DPADD. When compiling
with MKPIC=no, possibly because the target does not support shared
libraries, these include libraries required to resolve all symbols
which end up referenced from PAM-using applications.  The libraries
presently required are -lcrypt, -lrpcsvc and -lutil.

Add use of these variables which are currently set up to use PAM,
so that they compile when MKPIC=no.

Also, in the telnetd case, reorder the order of the libraries, so
that libtelnet.a comes before -ltermcap and -lutil, again to fix
link error when MKPIC=no.

Discussed with thorpej and christos.
2005-03-04 20:41:08 +00:00
he b404dc79be Move -lcrypto to the end of the library list, so that this links
without undefined entry points for non-shlib platforms such as sun2.
2005-02-26 11:31:48 +00:00
manu be15b99c92 Define SADB_X_EALG_AESCBC=SADB_X_EALG_AES, as we define SADB_X_EALG_AES
in <net/pfkeyv2.h> while ipsec-tools uses SADB_X_EALG_AESCBC in the code.
2005-02-24 13:45:08 +00:00
manu 3eda198fd5 Install racoon administrative socket in /var/run instead of /var/racoon 2005-02-23 14:44:41 +00:00
manu 32f1c835de Don't make racoonctl.8 here, it's already done in src/usr.sbin/racoonctl 2005-02-20 10:44:15 +00:00
manu f232e7a4c6 Add missing racoonctl(8), build with libradius 2005-02-20 01:17:41 +00:00
thorpej 33f19ef5cf Additional cleanup pass. 2005-02-19 17:05:02 +00:00
thorpej 354f2a1004 Switch to ipsec-tools for libipsec, setkey, and racoon. From
Emmanuel Dreyfus, with some small changes by me.
2005-02-19 16:55:02 +00:00
lukem 7157011597 Only compile in IPv6 support if ${USE_INET6} != "no"
MKINET6 is for providing IPv6 infrastructure.
USE_INET6 is for compiling IPv6 support into the programs (needs MKINET6).
2005-01-10 02:58:58 +00:00
junyoung d4277bb7d5 Add -fno-strict-aliasing to CFLAGS to avoid gcc warning
"dereferencing type-punned pointer will break strict-aliasing rules"
which occurs when compiling crypto_openssl.c with -O[23s].
This should be gone once a new release of kame with a fix applied
is imported.
2004-08-05 17:13:54 +00:00
itojun 166adfa9e5 sync w/ 20040617. 2004-06-17 03:42:55 +00:00
lukem b817247988 Use MKPRIVATELIB=yes instead of providing an empty libinstall:: target and
setting NOLINT, NOPIC, NOPROFILE (etc)
2004-05-23 02:24:50 +00:00
itojun 26cf1d701e do not compile in print-isakmp.c, as src/dist/tcpdump contains ancient version
which could be vulnerable to attacks.
2004-04-12 04:01:27 +00:00
itojun b4a3a9e6c1 properly validate phase 1 signature.
http://www.vuxml.org/freebsd/d8769838-8814-11d8-90d1-0020ed76ef5a.html
2004-04-12 03:34:05 +00:00
he 1a3822fca0 Wait for libpfkey to build before descending into racoon, as the
latter depends on the existence of the result of the former.
Fixes parallel build problem.
2004-04-09 22:23:14 +00:00
itojun a69a0241a1 bump date 2004-01-16 02:28:42 +00:00
itojun bde9df6596 bump version string 2004-01-14 09:21:41 +00:00
lukem 6672bff7fc rework how cfparse.y is generated 2003-10-19 06:09:17 +00:00
itojun d9c46578d1 update racoon to 2003/8/26 version. mostly minor bugfixes. 2003-08-26 03:31:50 +00:00
itojun c7d6ddcd4d racoon sha2.c is not compatible with openssl 0.9.7, drop support 2003-07-24 14:22:01 +00:00
itojun 18a884bc94 oops, forgot to bump version string 2003-07-22 08:46:03 +00:00
itojun 03eefe2ecf sync w/ latest racoon 2003-07-12 09:02:24 +00:00
itojun e1425434e7 no need for __ss_len define any longer 2003-07-04 05:21:26 +00:00
itojun 9f803f2b20 evp.h better fit under cert support 2003-07-04 05:20:45 +00:00
itojun 8172c901e4 support idea/rc5 if they are available. add missing #define.
VS: ----------------------------------------------------------------------
2003-07-04 05:17:25 +00:00
fvdl 03adc171d1 Don't explicitly add -Wall -Werror -g to CFLAGS, the .mk infrastructure
already takes care of this, and this makes NOGCCERROR builds fail.
2002-11-24 21:54:38 +00:00
itojun a426f44395 sync w/ kame source from 2002/11/20.
- plug some memory leaks
- correct phase 2 proposal reqid handling
- check for fd_set overrun
2002-11-20 03:35:57 +00:00
lukem c52b93f508 minor makefile delint 2002-09-18 13:31:52 +00:00
lukem 17d72c8a6b use NETBSDSRCDIR as appropriate 2002-09-18 03:54:26 +00:00
lukem ed401558f2 Implement MKDYNAMICROOT, which currently defaults to "no", but will
be changed in the future to "yes".

If MKDYNAMICROOT == "no", there is no change from existing behaviour
of a static /bin and /sbin (and a few programs in elsewhere).

If MKDYNAMICROOT == "yes", the following changes occur:
    in <bsd.own.mk>:
	SHLIBDIR?=     /lib
	SHLINKDIR?=	/lib
    in various Makefiles, the following entry is DISABLED.
	LDSTATIC?=-static
This results in all programs (except those "standalone" programs built
in sys/arch/*/stand) are linked dynamically, the shared linker is moved
from /usr/libexec to /lib (with a compat symlink), and the shared
libraries used by /bin and /sbin programs are moved from /usr/lib to
/lib (with compat symlinks).
2002-08-27 14:46:11 +00:00
itojun c68a2428ba correct handling of "unique" policy. bump version to 20020507
(corresponds to filename in ftp://ftp.kame.net/pub/kame).
2002-05-13 02:10:34 +00:00
itojun cd1e16de59 upgrade to KAME racoon as of 2002/4/26.
file descriptor leak fix.
null encryption algorithm key length fix (should use 0).
couple of null-pointer reference fixes.
set port # to 500 in ID payload (possible interop issue - spec is unclear).
correctly match address pair on informational exchange
2002-04-26 02:25:13 +00:00
thorpej 9c33b55e7c Split the notion of building Hesiod, Kerberos, S/key, and YP
infrastructure and using that infrastructure in programs.

	* MKHESIOD, MKKERBEROS, MKSKEY, and MKYP control building
	  of the infratsructure (libraries, support programs, etc.)

	* USE_HESIOD, USE_KERBEROS, USE_SKEY, and USE_YP control
	  building of support for using the corresponding API
	  in various libraries/programs that can use it.

As discussed on tech-toolchain.
2002-03-22 18:10:19 +00:00
tv 8e6f7afb5b MKfoo=no -> NOfoo 2001-12-12 01:48:43 +00:00
tv 29fb1f6827 Unravel the include spaghetti here:
- make a copy of cfparse.y called "y.tab.y" because "cfparse.h" is not
  actually the yacc generated header file (duh?)
- include the tcpdump directory with -I *after* racoon's source, else
  tcpdump's headers will be picked up unexpectedly
- include . *before* racoon's source so as to make the generated files
  first on the list
2001-10-19 23:59:56 +00:00
veego 0a9ac47f7c CLEANFILES has to come before the include of <bsd.prog.mk>. 2001-10-05 23:42:11 +00:00
itojun ee42f09d5b upgrade to KAME 2001/8/31. 2001-08-31 10:36:08 +00:00
itojun 4acce1d060 include version number into binary to help diagnosis 2001-08-02 15:27:21 +00:00
itojun 366bd307b0 sync with 2001/8/2 KAME racoon/libipsec. 2001-08-02 12:15:00 +00:00
enami ab05795faa Fix tcpdump path. 2001-06-27 05:17:32 +00:00
itojun 94cdb4e17c copy config hint docs to /usr/share. 2001-04-01 23:47:45 +00:00
thorpej 4576721e6c Add some glue to let us easily use Boehm-GC to track down
memory leaks.  Requires some (not yet committed) changes to
the racoon sources.
2001-03-30 06:38:25 +00:00
itojun 96863758b7 remove WARNS=0. from enami 2001-02-22 03:11:24 +00:00