summaryrefslogtreecommitdiff
path: root/src/pluto
diff options
context:
space:
mode:
Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/Makefile.am4
-rw-r--r--src/pluto/Makefile.in7
-rw-r--r--src/pluto/log.c6
-rw-r--r--src/pluto/plutomain.c38
-rw-r--r--src/pluto/vendor.c8
-rw-r--r--src/pluto/vendor.h6
6 files changed, 42 insertions, 27 deletions
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 156b81018..c28fbf6e0 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -139,3 +139,7 @@ if USE_SMARTCARD
AM_CFLAGS += -DSMARTCARD
endif
+if USE_CAPABILITIES
+ pluto_LDADD += -lcap
+endif
+
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 42017641c..6ea863973 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -60,6 +60,7 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
# This compile option activates smartcard support
@USE_SMARTCARD_TRUE@am__append_9 = -DSMARTCARD
+@USE_CAPABILITIES_TRUE@am__append_10 = -lcap
subdir = src/pluto
DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in TODO
@@ -102,7 +103,7 @@ pluto_OBJECTS = $(am_pluto_OBJECTS)
am__DEPENDENCIES_1 =
pluto_DEPENDENCIES = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
$(LIBCRYPTODIR)/libcrypto.a $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1)
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -239,6 +240,8 @@ localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
@@ -339,7 +342,7 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
$(am__append_8) $(am__append_9)
pluto_LDADD = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
$(LIBCRYPTODIR)/libcrypto.a -lgmp -lresolv -lpthread -ldl \
- $(am__append_5) $(am__append_7)
+ $(am__append_5) $(am__append_7) $(am__append_10)
_pluto_adns_LDADD = \
$(LIBFREESWANDIR)/libfreeswan.a \
-lresolv -ldl
diff --git a/src/pluto/log.c b/src/pluto/log.c
index 0fb5f1d25..b7c1ba8b8 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: log.c 4024 2008-05-29 07:49:47Z andreas $
+ * RCSID $Id: log.c 4246 2008-08-03 18:01:21Z andreas $
*/
#include <stdio.h>
@@ -95,8 +95,8 @@ void
close_peerlog(void)
{
/* exit if the queue has not been initialized */
- if (TAILQ_LAST(&perpeer_list, perpeer) == NULL)
- return;
+ if (perpeer_list.tqh_first == NULL)
+ return;
/* end of queue is given by pointer to "HEAD" */
while (TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list)
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 5662c5c41..a39934f1f 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: plutomain.c 3914 2008-05-08 10:58:04Z martin $
+ * RCSID $Id: plutomain.c 4313 2008-08-29 09:24:14Z martin $
*/
#include <stdio.h>
@@ -29,11 +29,14 @@
#include <resolv.h>
#include <arpa/nameser.h> /* missing from <resolv.h> on old systems */
#include <sys/queue.h>
-#include <linux/capability.h>
#include <sys/prctl.h>
#include <pwd.h>
#include <grp.h>
+#ifdef CAPABILITIES
+#include <sys/capability.h>
+#endif /* CAPABILITIES */
+
#include <freeswan.h>
#include <pfkeyv2.h>
@@ -68,11 +71,6 @@
#include "nat_traversal.h"
#include "virtual.h"
-/* on some distros, a capset() definition is missing */
-#ifdef NO_CAPSET_DEFINED
-extern int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
-#endif /* NO_CAPSET_DEFINED */
-
static void
usage(const char *mess)
{
@@ -236,8 +234,10 @@ main(int argc, char **argv)
bool force_keepalive = FALSE;
char *virtual_private = NULL;
int lockfd;
- struct __user_cap_header_struct hdr;
- struct __user_cap_data_struct data;
+#ifdef CAPABILITIES
+ cap_t caps;
+ int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
+#endif /* CAPABILITIES */
/* handle arguments */
for (;;)
@@ -619,14 +619,6 @@ main(int argc, char **argv)
init_fetch();
/* drop unneeded capabilities and change UID/GID */
-#ifdef _LINUX_CAPABILITY_VERSION_1
- hdr.version = _LINUX_CAPABILITY_VERSION_1;
-#else
- hdr.version = _LINUX_CAPABILITY_VERSION;
-#endif
- hdr.pid = 0;
- data.inheritable = data.effective = data.permitted =
- 1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
prctl(PR_SET_KEEPCAPS, 1);
@@ -656,11 +648,19 @@ main(int argc, char **argv)
}
}
#endif
- if (capset(&hdr, &data))
+
+#ifdef CAPABILITIES
+ caps = cap_init();
+ cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
+ cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
+ cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
+ if (cap_set_proc(caps) != 0)
{
- plog("unable to drop root privileges");
+ plog("unable to drop daemon capabilities");
abort();
}
+ cap_free(caps);
+#endif /* CAPABILITIES */
/* loading X.509 CA certificates */
load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index 3b779ed24..1db4027d1 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.c 4016 2008-05-25 10:35:39Z andreas $
+ * RCSID $Id: vendor.c 4348 2008-09-18 00:42:22Z andreas $
*/
#include <stdlib.h>
@@ -206,7 +206,11 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.2.4")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.2.8")
+ DEC_MD5_VID(STRONGSWAN_4_2_7, "strongSwan 4.2.7")
+ DEC_MD5_VID(STRONGSWAN_4_2_6, "strongSwan 4.2.6")
+ DEC_MD5_VID(STRONGSWAN_4_2_5, "strongSwan 4.2.5")
+ DEC_MD5_VID(STRONGSWAN_4_2_4, "strongSwan 4.2.4")
DEC_MD5_VID(STRONGSWAN_4_2_3, "strongSwan 4.2.3")
DEC_MD5_VID(STRONGSWAN_4_2_2, "strongSwan 4.2.2")
DEC_MD5_VID(STRONGSWAN_4_2_1, "strongSwan 4.2.1")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index c1d8870bc..cf6b68e51 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.h 4016 2008-05-25 10:35:39Z andreas $
+ * RCSID $Id: vendor.h 4348 2008-09-18 00:42:22Z andreas $
*/
#ifndef _VENDOR_H_
@@ -120,6 +120,10 @@ enum known_vendorid {
VID_STRONGSWAN_4_2_1 =101,
VID_STRONGSWAN_4_2_2 =102,
VID_STRONGSWAN_4_2_3 =103,
+ VID_STRONGSWAN_4_2_4 =104,
+ VID_STRONGSWAN_4_2_5 =105,
+ VID_STRONGSWAN_4_2_6 =106,
+ VID_STRONGSWAN_4_2_7 =107,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =151,