From 4c159159d296e30c59fa780299644d71b2e52d3d Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sat, 30 Jul 2005 21:56:07 +0000 Subject: [PATCH] INCOMPATIBLE: DROP --netsec/-T option, NET_SECURITY macro - the required library is no longer available. svn path=/trunk/; revision=4192 --- INSTALL | 5 ----- NEWS | 4 ++++ conf.c | 6 ------ configure.ac | 20 -------------------- driver.c | 4 ++-- fetchmail-FAQ.html | 17 ----------------- fetchmail-features.html | 3 --- fetchmail.c | 11 ----------- fetchmail.h | 1 - fetchmail.man | 10 ---------- fetchmailconf | 24 +++++++----------------- options.c | 18 ------------------ rcfile_l.l | 1 - rcfile_y.y | 21 +-------------------- sink.c | 6 +++--- socket.c | 26 ++------------------------ socket.h | 4 ++-- 17 files changed, 21 insertions(+), 160 deletions(-) diff --git a/INSTALL b/INSTALL index 54b9f46c..9263e8bb 100644 --- a/INSTALL +++ b/INSTALL @@ -28,11 +28,6 @@ Building in IPv6 support *requires* an up-to-date operating system. Recent Linux versions with glibc 2.1.1 or newer, FreeBSD, Solaris should be fine. -The IPsec code *requires* the inet6-apps kit, which used to be available -from ftp.ipv6.inner.net:/pub/ipv6 (via IPv6) or ftp.inner.net /pub/ipv6 -(via IPv4), but the software has been withdrawn, so we're sorry, no -advanced IPsec support at this time. - If you have trouble with intl or gettext functions, try using the configure option `--with-included-gettext'. diff --git a/NEWS b/NEWS index 388aaede..f7e49721 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,10 @@ SECURITY FIX: This vulnerability is remotely exploitable to inject code run in a root shell. This is tracked under the CVE Name: CAN-2005-2335 +MAJOR INCOMPATIBLE CHANGES: +* Remove support for --netsec/-T options, the required inet6_apps library is no + longer available. Matthias Andree + OTHER CHANGES: * Sunil Shetye's fix to force fetchsizelimit to 1 for APOP and RPOP. (ESR) * PopDel.py removed from contrib at author's request. (ESR) 
diff --git a/conf.c b/conf.c index 083e08a3..d046902b 100644 --- a/conf.c +++ b/conf.c @@ -186,9 +186,6 @@ void dump_config(struct runctl *runp, struct query *querylist) #ifdef INET6_ENABLE "'inet6'," #endif /* INET6_ENABLE */ -#ifdef NET_SECURITY - "'netsec'," -#endif /* NET_SECURITY */ ")\n"); fputs("# Start of configuration initializer\n", stdout); @@ -367,9 +364,6 @@ void dump_config(struct runctl *runp, struct query *querylist) else fputs("'lmtp':FALSE,\n", stdout); -#ifdef INET6_ENABLE - stringdump("netsec", ctl->server.netsec); -#endif /* INET6_ENABLE */ stringdump("preconnect", ctl->preconnect); stringdump("postconnect", ctl->postconnect); numdump("limit", ctl->limit); diff --git a/configure.ac b/configure.ac index 63bb3148..5804dd58 100644 --- a/configure.ac +++ b/configure.ac 
@@ -365,26 +365,6 @@ test "$with_inet6" = "yes" && AC_DEFINE(INET6_ENABLE,1,Define if you want IPv6 s AC_CHECK_FUNCS(inner_connect) -AC_ARG_ENABLE(netsec, - [ --enable-netsec support network security (requires inet6-apps library)], - [ unset ac_cv_lib_inet6_net_security_strtorequest; AC_CHECK_LIB(inet6, net_security_strtorequest,, - [ unset ac_cv_lib_inet6_net_security_strtorequest; - LDFLAGS="$LDFLAGS -L/usr/inet6/lib"; - AC_CHECK_LIB(inet6, net_security_strtorequest,, - [ echo 'configure: cannot find net_security_strtorequest in libinet6, which is required'; - echo ' for network security support. Either it does not exist, or it was'; - echo ' not built with network security support enabled.'; - exit 1]) ]) - unset ac_cv_header_net_security_h; AC_CHECK_HEADER(net/security.h,, - [ unset ac_cv_header_net_security_h; - CPPFLAGS="$CPPFLAGS -I/usr/inet6/include"; - CFLAGS="$CFLAGS -I/usr/inet6/include"; AC_CHECK_HEADER(net/security.h,, - [ echo 'configure: cannot find , which is required'; - echo ' for network security support.'; - exit 1]) ]) ] - [with_netsec=no]) -test "$with_netsec" = "yes" && AC_DEFINE(NET_SECURITY,1,Define if you want network security support compiled in) - # This version of the Kerberos 4 and 5 options addresses the follwing issues: # # * Build correctly under Heimdal kerberos if it is compiled with db2 and diff --git a/driver.c b/driver.c index 647b777e..56fc93f1 100644 --- a/driver.c +++ b/driver.c 
@@ -1078,9 +1078,9 @@ static int do_session( #ifdef INET6_ENABLE if ((mailserver_socket = SockOpen(realhost, ctl->server.service ? ctl->server.service : ( ctl->use_ssl ? ctl->server.base_protocol->sslservice : ctl->server.base_protocol->service ), - ctl->server.netsec, ctl->server.plugin)) == -1) + ctl->server.plugin)) == -1) #else /* INET6_ENABLE */ - if ((mailserver_socket = SockOpen(realhost, port, NULL, ctl->server.plugin)) == -1) + if ((mailserver_socket = SockOpen(realhost, port, ctl->server.plugin)) == -1) #endif /* INET6_ENABLE */ { char errbuf[BUFSIZ]; diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 19065384..163e2b20 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -2044,27 +2044,10 @@ IPsec? IPv6, the "Basic Socket Interface Extensions for IPv6" (RFC 2133).

-

Note that the inet6-apps library is no longer available, so - we're sorry to say that IPsec support is no longer available at this - time. The IPsec information in the next three paragraphs is obsolete - and only included here for historic reasons and no longer - accurate.

To use fetchmail with networking -security (read: IPsec), you -need a system that supports IPsec, the API described in the -"Network Security API for Sockets" -(draft-metz-net-security-api-01.txt), and the inet6-apps kit. This -currently means that you need to have a BSD/OS or NetBSD system -with the NRL IPv6+IPsec software distribution. A Linux IPsec -implementation supporting this API will probably appear in the -coming months.

-

The NRL IPv6+IPsec software distribution can be obtained from: http://web.mit.edu/network/isakmp

-

The inet6-apps kit used to be available from http://ftp.ps.pl/pub/linux/IPv6/inet6-apps/.

-

More information on using IPv6 with Linux can be obtained from:

diff --git a/fetchmail-features.html b/fetchmail-features.html index 95f8db55..0a7af6fc 100644 --- a/fetchmail-features.html +++ b/fetchmail-features.html @@ -146,9 +146,6 @@ for UW IMAP.
  • Support for IPv6
  • -
  • Support for IPSec (using Craig Metz's inet6-apps library – note the -library is no longer available—sorry!).
  • -
  • Support for IMAP with RFC1731-conformant GSSAPI authentication.
  • diff --git a/fetchmail.c b/fetchmail.c index fc3deff4..57b41a61 100644 --- a/fetchmail.c +++ b/fetchmail.c @@ -69,11 +69,6 @@ char *program_name; /* the name to prefix error messages with */ flag configdump; /* dump control blocks for configurator */ char *fetchmailhost; /* either `localhost' or the host's FQDN */ -#ifdef NET_SECURITY -void *request = NULL; -int requestlen = 0; -#endif /* NET_SECURITY */ - static int querystatus; /* status of query */ static int successes; /* count number of successful polls */ static int activecount; /* count number of active entries */ @@ -245,9 +240,6 @@ int main(int argc, char **argv) #ifdef HAVE_PKG_hesiod "+HESIOD" #endif -#ifdef NET_SECURITY - "+NETSEC" -#endif /* NET_SECURITY */ #ifdef HAVE_SOCKS "+SOCKS" #endif /* HAVE_SOCKS */ @@ -848,7 +840,6 @@ static void optmerge(struct query *h2, struct query *h1, int force) FLAG_MERGE(server.protocol); #ifdef INET6_ENABLE FLAG_MERGE(server.service); - FLAG_MERGE(server.netsec); #else /* INET6_ENABLE */ FLAG_MERGE(server.port); #endif /* INET6_ENABLE */ @@ -1549,8 +1540,6 @@ static void dump_params (struct runctl *runp, #ifdef INET6_ENABLE if (ctl->server.service) printf(GT_(" (using service %s)"), ctl->server.service); - if (ctl->server.netsec) - printf(GT_(" (using network security options %s)"), ctl->server.netsec); #else /* INET6_ENABLE */ if (ctl->server.port) printf(GT_(" (using port %d)"), ctl->server.port); diff --git a/fetchmail.h b/fetchmail.h index 74121bd5..e819e7e8 100644 --- a/fetchmail.h +++ b/fetchmail.h @@ -235,7 +235,6 @@ struct hostdata /* shared among all user connections to given server */ int protocol; /* protocol type */ #ifdef INET6_ENABLE char *service; /* IPv6 service name */ - void *netsec; /* IPv6 security request */ #else /* INET6_ENABLE */ int port; /* TCP/IP service port number */ #endif /* INET6_ENABLE */ diff --git a/fetchmail.man b/fetchmail.man index a7e0eba8..c6552b2a 100644 --- a/fetchmail.man +++ b/fetchmail.man 
@@ -862,13 +862,6 @@ capability response. Specify a user option value that looks like `user@domain': the part to the left of the @ will be passed as the username and the part to the right as the NTLM domain. .PP -If you are using IPsec, the -T (--netsec) option can be used to pass -an IP security request to be used when outgoing IP connections are -initialized. You can also do this using the `netsec' server option -in the .fetchmailrc file. In either case, the option value is a -string in the format accepted by the net_security_strtorequest() -function of the inet6_apps library. -.PP You can access SSL encrypted services by specifying the --ssl option. You can also do this using the "ssl" server option in the .fetchmailrc file. With SSL encryption enabled, queries are initiated over a connection @@ -1386,9 +1379,6 @@ T} tracepolls \& \& T{ Add poll tracing information to the Received header T} -netsec \& \& T{ -Pass in IPsec security option request. -T} principal \& \& T{ Set Kerberos principal (only useful with imap and kerberos) T} diff --git a/fetchmailconf b/fetchmailconf index f5cddf6c..36bc99fd 100755 --- a/fetchmailconf +++ b/fetchmailconf @@ -1,10 +1,11 @@ #!/usr/bin/env python # # A GUI configurator for generating fetchmail configuration files. -# by Eric S. Raymond, . +# by Eric S. Raymond, , +# Matthias Andree # Requires Python with Tkinter, and the following OS-dependent services: # posix, posixpath, socket -version = "1.43" +version = "1.44" from Tkinter import * from Dialog import * @@ -92,7 +93,6 @@ class Server: self.monitor = None # IP address and range self.plugin = None # Plugin command for going to server self.plugout = None # Plugin command for going to listener - self.netsec = None # IPV6 security options self.principal = None # Kerberos principal self.esmtpname = None # ESMTP 2554 name self.esmtppassword = None # ESMTP 2554 password 
@@ -120,7 +120,6 @@ class Server: ('plugout', 'String'), ('esmtpname', 'String'), ('esmtppassword', 'String'), - ('netsec', 'String'), ('principal', 'String'), ('tracepolls','Boolean')) @@ -183,15 +182,13 @@ class Server: res = res + " plugin " + `self.plugin` if self.plugout: res = res + " plugout " + `self.plugout` - if self.netsec: - res = res + " netsec " + str(self.netsec) if self.principal: res = res + " principal " + `self.principal` if self.esmtpname: res = res + " esmtpname " + `self.esmtpname` if self.esmtppassword: res = res + " esmtppassword " + `self.esmtppassword` - if self.interface or self.monitor or self.netsec or self.principal or self.plugin or self.plugout: + if self.interface or self.monitor or self.principal or self.plugin or self.plugout: if folded: res = res + "\n" @@ -980,10 +977,6 @@ The sslcertck option enables strict checking of SSL server certificates (and sslcertpath gives trusted certificate directory). With sslfingerprint, you can specify a finger- print the server's key is checked against. - -The `netsec' option will be configurable only if fetchmail -was compiled with IPV6 support. If you need to use it, -you probably know what to do. """} multihelp = { @@ -1157,7 +1150,7 @@ class ServerEdit(Frame, MyWidget): self.server.localdomains, None, None, mdropwin, multihelp) mdropwin.pack(fill=X) - if os_type in ('linux', 'freebsd') or 'netsec' in feature_options: + if os_type in ('linux', 'freebsd'): secwin = Frame(rightwin, relief=RAISED, bd=5) Label(secwin, text="Security").pack(side=TOP) # Don't actually let users set this. KPOP sets it implicitly 
@@ -1169,9 +1162,6 @@ class ServerEdit(Frame, MyWidget): if os_type == 'linux' or os_type == 'freebsd' or 'monitor' in dictmembers: LabeledEntry(secwin, 'Interface to monitor:', self.monitor, leftwidth).pack(side=TOP, fill=X) - if 'netsec' in feature_options or 'netsec' in dictmembers: - LabeledEntry(secwin, 'IPV6 security options:', - self.netsec, leftwidth).pack(side=TOP, fill=X) # Someday this should handle Kerberos 5 too if 'kerberos' in feature_options: LabeledEntry(secwin, 'Principal:', @@ -1921,7 +1911,7 @@ def copy_instance(toclass, fromdict): # conformability checking; they'll still get copied if they are # present in the dictionary. optional = ('interface', 'monitor', - 'netsec', 'esmtpname', 'esmtppassword', + 'esmtpname', 'esmtppassword', 'ssl', 'sslkey', 'sslcert', 'sslproto', 'sslcertck', 'sslcertpath', 'sslfingerprint', 'showdots') class_sig = setdiff(toclass.__dict__.keys(), optional) @@ -2064,7 +2054,7 @@ gUSiYASJpMEHhilJTEnhAlGoQqYAZQ1AiqEMZ0jDGtqQImhwwA13yMMevoQAGvGhEAWHGMOAAAA7 # `Configuration' is the top level of the object tree we're going to mung. # The dictmembers list is used to track the set of fields the dictionary # contains; in particular, we can use it to tell whether things like the - # monitor, interface, netsec, ssl, sslkey, or sslcert fields are present. + # monitor, interface, ssl, sslkey, or sslcert fields are present. dictmembers = [] Fetchmailrc = Configuration() copy_instance(Fetchmailrc, fetchmailrc) diff --git a/options.c b/options.c index d49e1690..6d70bd60 100644 --- a/options.c +++ b/options.c @@ -66,7 +66,6 @@ #define LA_LMTP 42 #define LA_PLUGIN 43 #define LA_PLUGOUT 44 -#define LA_NETSEC 45 #define LA_INTERFACE 46 #define LA_MONITOR 47 #define LA_CONFIGDUMP 48 
@@ -149,10 +148,6 @@ static const struct option longoptions[] = { {"bsmtp", required_argument, (int *) 0, LA_BSMTP }, {"lmtp", no_argument, (int *) 0, LA_LMTP }, -#ifdef INET6_ENABLE - {"netsec", required_argument, (int *) 0, LA_NETSEC }, -#endif /* INET6_ENABLE */ - #ifdef SSL_ENABLE {"ssl", no_argument, (int *) 0, LA_SSL }, {"sslkey", required_argument, (int *) 0, LA_SSLKEY }, @@ -559,16 +554,6 @@ struct query *ctl; /* option record to be initialized */ ctl->listener = LMTP_MODE; break; - case 'T': - case LA_NETSEC: -#ifdef NET_SECURITY - ctl->server.netsec = (void *)optarg; -#else - fprintf(stderr, GT_("fetchmail: network security support is disabled\n")); - errflag++; -#endif /* NET_SECURITY */ - break; - #if (defined(linux) && !defined(INET6_ENABLE)) || defined(__FreeBSD__) case 'I': case LA_INTERFACE: @@ -709,9 +694,6 @@ struct query *ctl; /* option record to be initialized */ P(GT_(" -l, --limit don't fetch messages over given size\n")); P(GT_(" -w, --warnings interval between warning mail notification\n")); -#ifdef NET_SECURITY - P(GT_(" -T, --netsec set IP security request\n")); -#endif /* NET_SECURITY */ P(GT_(" -S, --smtphost set SMTP forwarding host\n")); P(GT_(" --fetchdomains fetch mail for specified domains\n")); P(GT_(" -D, --smtpaddress set SMTP delivery domain to use\n")); diff --git a/rcfile_l.l b/rcfile_l.l index 25e4308b..21f05b4e 100644 --- a/rcfile_l.l +++ b/rcfile_l.l @@ -123,7 +123,6 @@ bsmtp { return BSMTP; } lmtp { return LMTP; } pre(connect)? { return PRECONNECT; } post(connect)? { return POSTCONNECT; } -netsec { return NETSEC; } interface { return INTERFACE; } monitor { return MONITOR; } plugin { return PLUGIN; } diff --git a/rcfile_y.y b/rcfile_y.y index 8ce862dc..cbbf6b07 100644 --- a/rcfile_y.y +++ b/rcfile_y.y @@ -22,10 +22,6 @@ #endif #include -#if NET_SECURITY -#include -#endif /* NET_SECURITY */ - #if defined(__CYGWIN__) #include #endif /* __CYGWIN__ */ 
@@ -69,7 +65,7 @@ extern char * yytext; %token AUTHENTICATE TIMEOUT KPOP SDPS ENVELOPE QVIRTUAL %token USERNAME PASSWORD FOLDER SMTPHOST FETCHDOMAINS MDA BSMTP LMTP %token SMTPADDRESS SMTPNAME SPAMRESPONSE PRECONNECT POSTCONNECT LIMIT WARNINGS -%token NETSEC INTERFACE MONITOR PLUGIN PLUGOUT +%token INTERFACE MONITOR PLUGIN PLUGOUT %token IS HERE THERE TO MAP WILDCARD %token BATCHLIMIT FETCHLIMIT FETCHSIZELIMIT FASTUIDL EXPUNGE PROPERTIES %token SET LOGFILE DAEMON SYSLOG IDFILE INVISIBLE POSTMASTER BOUNCEMAIL @@ -213,21 +209,6 @@ serv_option : AKA alias_list } | QVIRTUAL STRING {current.server.qvirtual=xstrdup($2);} - | NETSEC STRING { -#ifdef NET_SECURITY - void *request; - int requestlen; - - if (net_security_strtorequest($2, &request, &requestlen)) - yyerror(GT_("invalid security request")); - else { - current.server.netsec = xstrdup($2); - free(request); - } -#else - yyerror(GT_("network-security support disabled")); -#endif /* NET_SECURITY */ - } | INTERFACE STRING { #if (defined(linux) && !defined(INET6_ENABLE)) || defined(__FreeBSD__) interface_parse($2, ¤t.server); diff --git a/sink.c b/sink.c index f3d3bce1..7aae42ac 100644 --- a/sink.c +++ b/sink.c @@ -148,7 +148,7 @@ int smtp_open(struct query *ctl) if ((ctl->smtp_socket = UnixOpen(ctl->smtphost))==-1) continue; } else - if ((ctl->smtp_socket = SockOpen(parsed_host,portnum,NULL, + if ((ctl->smtp_socket = SockOpen(parsed_host,portnum, ctl->server.plugout)) == -1) continue; @@ -177,7 +177,7 @@ int smtp_open(struct query *ctl) smtp_close(ctl, 0); /* if opening for ESMTP failed, try SMTP */ - if ((ctl->smtp_socket = SockOpen(parsed_host,portnum,NULL, + if ((ctl->smtp_socket = SockOpen(parsed_host,portnum, ctl->server.plugout)) == -1) continue; 
@@ -304,7 +304,7 @@ static int send_bouncemail(struct query *ctl, struct msgblk *msg, strlcat(daemon_name, fqdn_of_host, sizeof(daemon_name)); /* we need only SMTP for this purpose */ - if ((sock = SockOpen("localhost", SMTP_PORT, NULL, NULL)) == -1) + if ((sock = SockOpen("localhost", SMTP_PORT, NULL)) == -1) return(FALSE); if (SMTP_ok(sock) != SM_OK) diff --git a/socket.c b/socket.c index d6c47adf..576281c2 100644 --- a/socket.c +++ b/socket.c @@ -84,10 +84,6 @@ static int h_errno; #endif /* ndef h_errno */ -#ifdef NET_SECURITY -#include -#endif /* NET_SECURITY */ - #ifdef HAVE_SOCKETPAIR static char *const *parse_plugin(const char *plugin, const char *host, const char *service) { const char **argvec; @@ -267,15 +263,11 @@ int UnixOpen(const char *path) } #ifdef INET6_ENABLE -int SockOpen(const char *host, const char *service, const char *options, +int SockOpen(const char *host, const char *service, const char *plugin) { struct addrinfo *ai, *ai0, req; int i; -#ifdef NET_SECURITY - void *request = NULL; - int requestlen; -#endif /* NET_SECURITY */ #ifdef HAVE_SOCKETPAIR if (plugin) @@ -289,19 +281,6 @@ int SockOpen(const char *host, const char *service, const char *options, return -1; } -#if NET_SECURITY - if (!options) - requestlen = 0; - else - if (net_security_strtorequest((char *)options, &request, &requestlen)) - goto ret; - - i = inner_connect(ai0, request, requestlen, NULL, NULL, "fetchmail", NULL); - if (request) - free(request); - - ret: -#else /* NET_SECURITY */ #ifdef HAVE_INNER_CONNECT i = inner_connect(ai0, NULL, 0, NULL, NULL, "fetchmail", NULL); if (i >= 0) @@ -332,7 +311,6 @@ int SockOpen(const char *host, const char *service, const char *options, } #endif -#endif /* NET_SECURITY */ freeaddrinfo(ai0); 
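Review bot: After the `@@ -289,19 +281,6 @@` hunk, the only remaining body of the INET6 SockOpen() path still calls `inner_connect()` under `#ifdef HAVE_INNER_CONNECT`, and the configure.ac hunk above keeps `AC_CHECK_FUNCS(inner_connect)` while deleting the netsec probe; inner_connect() appears to come from the same withdrawn inet6-apps kit as net_security_strtorequest(), so that branch is most likely unreachable on any system that can still be built, and the plain connect loop under `#else` is what actually runs. Either drop HAVE_INNER_CONNECT in the same sweep, or mark the branch on the `#ifdef HAVE_INNER_CONNECT` line, e.g. `/* inner_connect() is part of inet6-apps, which is no longer distributed; retained only for installs that still have it */`. The enclosing SockOpen() starts before and continues past this hunk, so the surviving error-handling and the freeaddrinfo(ai0) path should be re-read as a whole once the NET_SECURITY block is gone.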
@@ -349,7 +327,7 @@ int SockOpen(const char *host, const char *service, const char *options, #endif #endif /* HAVE_INET_ATON */ -int SockOpen(const char *host, int clientPort, const char *options, +int SockOpen(const char *host, int clientPort, const char *plugin) { int sock = -1; /* pacify -Wall */ diff --git a/socket.h b/socket.h index a0a45bc1..d7c3ad25 100644 --- a/socket.h +++ b/socket.h @@ -9,10 +9,10 @@ /* Create a new client socket; returns (FILE *)NULL on error */ #ifdef INET6_ENABLE -int SockOpen(const char *host, const char *service, const char *options, +int SockOpen(const char *host, const char *service, const char *plugin); #else /* INET6_ENABLE */ -int SockOpen(const char *host, int clientPort, const char *options, +int SockOpen(const char *host, int clientPort, const char *plugin); #endif /* INET6_ENABLE */ -- 2.43.2
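Review bot: The context comment at the top of the socket.h hunk, `/* Create a new client socket; returns (FILE *)NULL on error */`, no longer describes the declarations it sits above: both SockOpen() variants return `int`, and every caller touched in this patch (driver.c, sink.c) tests the result against `-1`. Since the prototypes are being rewritten anyway, change it to `/* Create a new client socket; returns the socket descriptor, or -1 on error */`. The new third parameter name `plugin` is undocumented as well; from the socket.c hunks it looks like the optional external command handed to parse_plugin() under HAVE_SOCKETPAIR, and a one-line note saying that (NULL meaning "connect directly", as send_bouncemail() in sink.c passes) would help the next reader.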