Fix build with gcc-2.95 (tested on sparc, simh-vax was too slow).

Remove some useless linux-specific code which tried to modify the routing table by running "/bin/ip". Because this code has no error checking and failed silently, no one noticed it. Noticed it now because it didn't compile with gcc-2.95. Don't install useless documentation. Install useful notes on protocol insecurity instead. Tweak the man page a little. Dunno if anyone is still using Bezeq ADSL modems that need the --quirks option, but move the information here just in case. Clean up MESSAGE; don't shout at everybody about security holes in a particular kind of modem that's almost 10 years old. ok naddy@
2009-03-08 21:57:24 +00:00 · 2009-03-08 21:57:24 +00:00 · 652a2e6714
commit 652a2e6714
parent 1bfb4a027a
9 changed files with 182 additions and 45 deletions
--- a/net/pptp/Makefile
+++ b/net/pptp/Makefile
@ -1,15 +1,16 @@
-# $OpenBSD: Makefile,v 1.19 2008/11/11 16:23:26 naddy Exp $
+# $OpenBSD: Makefile,v 1.20 2009/03/08 21:57:24 stsp Exp $
 # $NetBSD: Makefile,v 1.1.1.1 2000/04/10 01:14:01 jtk Exp $

 COMMENT=	PPTP client package for Microsoft VPN servers

 DISTNAME=	pptp-1.7.2
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=	net
 MASTER_SITES= 	${MASTER_SITE_SOURCEFORGE:=pptpclient/}

 HOMEPAGE=	http://pptpclient.sf.net

-MAINTAINER=	Stefan Sperling <stsp@stsp.name>
+MAINTAINER=	Stefan Sperling <stsp@openbsd.org>

 # GPL
 PERMIT_PACKAGE_CDROM=   Yes
@ -23,19 +24,14 @@ NO_REGRESS=	Yes
 MAKE_ENV+=	PPPD=/usr/sbin/ppp
 CFLAGS+=	-DUSER_PPP

-DIRS=	Documentation
-
 post-patch:
 	@cd ${WRKSRC}; sed -e s,PREFIX,${PREFIX}, < \
 		${FILESDIR}/pptp_8 > pptp.8
-	@perl -pi -e "s,PREFIX,${PREFIX}," ${WRKSRC}/USING

 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/pptp ${PREFIX}/sbin
 	${INSTALL_MAN} ${WRKSRC}/pptp.8 ${PREFIX}/man/man8
 	${INSTALL_DATA_DIR} ${PREFIX}/share/doc/pptp
-	${INSTALL_DATA} ${WRKSRC}/USING ${PREFIX}/share/doc/pptp/
-	@cd ${WRKSRC} && \
-	    tar cf - ${DIRS} | (cd ${PREFIX}/share/doc/pptp && tar -xf -)
+	${INSTALL_DATA} ${WRKSRC}/PROTOCOL-SECURITY ${PREFIX}/share/doc/pptp/

 .include <bsd.port.mk>
--- a/net/pptp/files/pptp_8
+++ b/net/pptp/files/pptp_8
@ -1,4 +1,4 @@
-.\" $OpenBSD: pptp_8,v 1.6 2007/10/23 22:13:38 naddy Exp $
+.\" $OpenBSD: pptp_8,v 1.7 2009/03/08 21:57:24 stsp Exp $
 .\" Manual page for pptp-1.1.0
 .\" Information gleaned from USING file in the distribution
 .\" SH section heading
@ -42,6 +42,8 @@ to negotiate the connection with MS-CHAP authentication.
 Because
 .Nm
 uses GRE, the net.inet.gre.allow sysctl needs to be enabled.
+.Nm
+will automatically try to enable this sysctl on startup.
 .Pp
 The
 .Ar hostname
@ -67,12 +69,14 @@ to remote host as phone number.
 .It Fl -nolaunchpppd 
 Do not launch a ppp daemon, for use as a ppp daemon pty.
 .It Fl -quirks Ar quirk
-Work around a buggy PPTP implementation.
-The only currently recognised value is
-.Ar BEZEQ_ISRAEL .
-See the file
-.Pa PREFIX/share/doc/pptp/USING
-for details.
+Some ADSL providers and some ADSL hardware are buggy or not conforming
+to the RFC, and require special handling.  To this end,
+.Nm
+supports a 'quirks' mechanism.
+Currently, only '--quirks BEZEQ_ISRAEL' is defined, for connecting to
+Bezeq (the Israeli phone company) ADSL service.
+Only some of the equipment used by Bezeq needs this option, but even
+the equipment that does not need it works fine with it.
 .It Fl -debug
 Run in foreground (for debugging with gdb).
 .It Fl -sync
@ -101,7 +105,9 @@ Bind to specified IP address instead of wildcard.
 Sets the debugging level (0=low, 1=default, 2=high).
 .Sh EXAMPLES
 .Ss PPTP on a stand-alone VPN client
-This example assumes that you want to use pptp to connect
+This example assumes that you want to use
+.Nm
+to connect
 to a VPN and use the VPN connection as your default route.
 Let us assume that the VPN server was called vpn-gateway.net.
 .Pp
@ -148,7 +154,7 @@ host route to the VPN gateway. For example:
 .Bd -literal
 	#!/bin/sh
        gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'`
-        route add -host vpn-gateway.net ${gw}
+        /sbin/route add -host vpn-gateway.net ${gw}
 .Ed
 .Pp
 Call the script from
@ -237,7 +243,7 @@ For example:
 .Bd -literal
 	#!/bin/sh
        gw=`netstat -rn -f inet | grep ^default | awk '{print $2};'`
-        route add -host vpn-gateway.net ${gw}
+        /sbin/route add -host vpn-gateway.net ${gw}
 .Ed
 .Pp
 Call the script from
@ -312,19 +318,20 @@ file in /var/run/tunX.pid, where X is the number of the tun device used.
 .Pa /var/run/pptp/<ip-address>
 is created as a socket.  It is used for communicating with an existing
 PPTP call manager for a given remote server host.
+.Sh CAVEATS
+The PPTP protocol is insecure.
 .Sh SEE ALSO
 .Xr ppp 8 ,
 .Xr gre 4 ,
 .Xr pf 4 ,
 .Xr pf.conf 5 ,
-.Pa PREFIX/share/doc/pptp/USING .
+.Pa PREFIX/share/doc/pptp/PROTOCOL-SECURITY .
 .Sh HISTORY
 This man page appeared first in 
 .Nx
 \'s pptp package.
 .Sh AUTHORS
-.An Stefan Sperling Aq stsp@stsp.name
-(detailed option description, EXAMPLES section),
+.An Stefan Sperling Aq stsp@openbsd.org
 .An C. Scott Ananian Aq cananian@alumni.princeton.edu ,
 .An John Kohl Aq jtk@NetBSD.org 
 (patches and original man page).
--- a/net/pptp/patches/patch-Makefile
+++ b/net/pptp/patches/patch-Makefile
@ -1,6 +1,6 @@
-$OpenBSD: patch-Makefile,v 1.6 2008/11/11 16:23:26 naddy Exp $
--- Makefile.orig	Wed May 14 08:33:55 2008
-+++ Makefile	Sat Sep 20 17:44:51 2008
+$OpenBSD: patch-Makefile,v 1.7 2009/03/08 21:57:24 stsp Exp $
+--- Makefile.orig	Wed May 14 07:33:55 2008
+++ Makefile	Fri Mar  6 15:45:41 2009
@@ -4,19 +4,19 @@ RELEASE=
 
 #################################################################
@ -24,3 +24,12 @@ $OpenBSD: patch-Makefile,v 1.6 2008/11/11 16:23:26 naddy Exp $
 LIBS	= -lutil
 # Solaris 10
 # LIBS	= -lnsl -lsocket -lresolv
+@@ -29,7 +29,7 @@ PPTP_BIN = pptp
+ PPTP_OBJS = pptp.o pptp_gre.o ppp_fcs.o \
+             pptp_ctrl.o dirutil.o vector.o \
+ 	    inststr.o util.o version.o test.o \
+-	    pptp_quirks.o orckit_quirks.o pqueue.o pptp_callmgr.o routing.o \
+	    pptp_quirks.o orckit_quirks.o pqueue.o pptp_callmgr.o \
+ 	    pptp_compat.o
+ 
+ PPTP_DEPS = pptp_callmgr.h pptp_gre.h ppp_fcs.h util.h test.h \
--- a/net/pptp/patches/patch-inststr_c
+++ b/net/pptp/patches/patch-inststr_c
@ -1,6 +1,6 @@
-$OpenBSD: patch-inststr_c,v 1.2 2007/10/23 22:13:38 naddy Exp $
--- inststr.c.orig	Mon Feb 13 04:07:42 2006
-+++ inststr.c	Tue Sep 18 07:24:08 2007
+$OpenBSD: patch-inststr_c,v 1.3 2009/03/08 21:57:24 stsp Exp $
+--- inststr.c.orig	Wed May 14 07:33:55 2008
+++ inststr.c	Thu Mar  5 23:07:12 2009
@@ -20,7 +20,7 @@ inststr(int argc, char **argv, char **environ, char *s
 
         for (ptr = argv[0]; *ptr; *(ptr++) = '\0');
@ -10,3 +10,14 @@ $OpenBSD: patch-inststr_c,v 1.2 2007/10/23 22:13:38 naddy Exp $
     } else
     {
         /* Stolen from the source to perl 4.036 (assigning to $0) */
+@@ -31,8 +31,9 @@ inststr(int argc, char **argv, char **environ, char *s
+         /* than lower numbered elements.                          */
+         char *ptr, *ptr2;
+         int count;
+        int aligned;
+         UL mask = ~(UL)(PTRSIZE == 4 ? 3 : PTRSIZE == 8 ? 7 : PTRSIZE == 16 ? 15 : 0);
+-        int aligned = (mask < ~(UL)0) && (((UL)(argv[0]) & mask) == (UL)(argv[0]));
+        aligned = (mask < ~(UL)0) && (((UL)(argv[0]) & mask) == (UL)(argv[0]));
+         ptr = argv[0] + strlen(argv[0]);
+         if (argv[argc - 1] >= argv[1]) {
+             /* argv pointers in ascending memory order */
--- a/net/pptp/patches/patch-pptp_c
+++ b/net/pptp/patches/patch-pptp_c
@ -0,0 +1,33 @@
+$OpenBSD: patch-pptp_c,v 1.1 2009/03/08 21:57:24 stsp Exp $
+--- pptp.c.orig	Thu Mar  5 22:54:51 2009
+++ pptp.c	Thu Mar  5 22:56:53 2009
+@@ -193,6 +193,7 @@ int main(int argc, char **argv, char **envp)
+                           * '\0' */
+     char * volatile phonenr = NULL;
+     volatile int launchpppd = 1, debug = 0;
+    char *tty_name;
+ 
+     while(1){ 
+         /* structure with all recognised options for pptp */
+@@ -391,7 +392,7 @@ int main(int argc, char **argv, char **envp)
+         file2fd("/dev/null", "wb", STDERR_FILENO);
+     }
+ 
+-    char *tty_name = ttyname(tty_fd);
+    tty_name = ttyname(tty_fd);
+     snprintf(buf, sizeof(buf), "pptp: GRE-to-PPP gateway on %s",
+               tty_name ? tty_name : "(null)");
+ #ifdef PR_SET_NAME
+@@ -494,9 +495,11 @@ void launch_callmgr(struct in_addr inetaddr, char *pho
+ {
+       char *my_argv[3] = { argv[0], inet_ntoa(inetaddr), phonenr };
+       char buf[128];
+-      snprintf(buf, sizeof(buf), "pptp: call manager for %s", my_argv[1]);
+ #ifdef PR_SET_NAME
+       int rc;
+#endif
+      snprintf(buf, sizeof(buf), "pptp: call manager for %s", my_argv[1]);
+#ifdef PR_SET_NAME
+       rc = prctl(PR_SET_NAME, "pptpcm", 0, 0, 0);
+       if (rc != 0) perror("prctl");
+ #else
--- a/net/pptp/patches/patch-pptp_callmgr_c
+++ b/net/pptp/patches/patch-pptp_callmgr_c
@ -0,0 +1,12 @@
+$OpenBSD: patch-pptp_callmgr_c,v 1.1 2009/03/08 21:57:24 stsp Exp $
+--- pptp_callmgr.c.orig	Fri Mar  6 15:44:54 2009
+++ pptp_callmgr.c	Fri Mar  6 15:45:00 2009
+@@ -120,8 +120,6 @@ int callmgr_main(int argc, char **argv, char **envp)
+     phonenr = argc == 3 ? argv[2] : NULL;
+     if (inet_aton(argv[1], &inetaddr) == 0)
+         fatal("Invalid IP address: %s", argv[1]);
+-    routing_init(inet_ntoa(inetaddr));
+-    routing_start();
+     /* Step 1: Open sockets. */
+     if ((inet_sock = open_inetsock(inetaddr)) < 0)
+         fatal("Could not open control connection to %s", argv[1]);
--- a/net/pptp/patches/patch-routing_c
+++ b/net/pptp/patches/patch-routing_c
@ -0,0 +1,83 @@
+$OpenBSD: patch-routing_c,v 1.1 2009/03/08 21:57:24 stsp Exp $
+--- routing.c.orig	Fri Mar  6 15:31:31 2009
+++ routing.c	Fri Mar  6 15:43:43 2009
+@@ -1,79 +0,0 @@
+-/*
+-    routing.c, manipulating routing table for PPTP Client
+-    Copyright (C) 2006  James Cameron <quozl@us.netrek.org>
+-
+-    This program is free software; you can redistribute it and/or modify
+-    it under the terms of the GNU General Public License as published by
+-    the Free Software Foundation; either version 2 of the License, or
+-    (at your option) any later version.
+-
+-    This program is distributed in the hope that it will be useful,
+-    but WITHOUT ANY WARRANTY; without even the implied warranty of
+-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-    GNU General Public License for more details.
+-
+-    You should have received a copy of the GNU General Public License
+-    along with this program; if not, write to the Free Software
+-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+-
+-*/
+-
+-#include <sys/types.h>
+-#include <unistd.h>
+-#include <stdio.h>
+-#include <string.h>
+-#include "routing.h"
+-
+-/* route to the server */
+-char *route;
+-
+-/*
+-
+-Design discussion.
+-
+-The primary task of this module is to add a host route to the PPTP
+-server so that the kernel continues to deliver PPTP control and data
+-connection packets to the server despite the new PPP interface that is
+-created.  The flag --no-host-route is to disable this (not yet implemented).
+-
+-A secondary task may be to implement all-to-tunnel routing if the
+-appropriate flag is specified on the command line.  The flag
+---route-all is to implement this (not yet implemented).
+-
+-Caveat.
+-
+-It is not possible from the "ip route" command to determine if a host
+-route already exists, so it isn't practical to put the routing table
+-back exactly as it was.
+-
+-We have a choice of either leaving our route lying around, or
+-destroying a route that the user had pre-arranged.  Both are
+-unfortunate.  The flag --remove-host-route is to remove the route
+-regardless (not yet implemented).
+-
+-*/
+-
+-void routing_init(char *ip) {
+-  char buf[256];
+-  snprintf(buf, 255, "/bin/ip route get %s", ip);
+-  FILE *p = popen(buf, "r");
+-  fgets(buf, 255, p);
+-  /* TODO: check for failure of fgets */
+-  route = strdup(buf);
+-  pclose(p);
+-  /* TODO: check for failure of command */
+-}
+-
+-void routing_start() {
+-  char buf[256];
+-  snprintf(buf, 255, "/bin/ip route replace %s", route);
+-  FILE *p = popen(buf, "r");
+-  pclose(p);
+-}
+-
+-void routing_end() {
+-  char buf[256];
+-  snprintf(buf, 255, "/bin/ip route delete %s", route);
+-  FILE *p = popen(buf, "r");
+-  pclose(p);
+-}
--- a/net/pptp/pkg/MESSAGE
+++ b/net/pptp/pkg/MESSAGE
@ -1,12 +1,2 @@
-You will need to allow gre traffic for pptp to work:
-	sysctl net.inet.gre.allow=1
-pptp will automatically try to set this sysctl before opening a gre socket.
-
-See http://www.schneier.com/pptp-faq.html for a list of security flaws.
-==========================================================================
-ATTENTION:
-Alcatel ADSL modems contain default logins with easily computed passwords.
-See http://security.sdsc.edu/self-help/alcatel/ for more information.
-==========================================================================
-You may want to use TCP/IP packet filter rules to prevent unauthorized 
-access to your modem (from internal net or spoofed/bounced TCP/IP packets).
+PPTP IS NOT SECURE, see ${LOCALBASE}/share/doc/pptp/PROTOCOL-SECURITY
+and http://www.schneier.com/pptp.html for more information.
--- a/net/pptp/pkg/PLIST
+++ b/net/pptp/pkg/PLIST
@ -1,9 +1,5 @@
-@comment $OpenBSD: PLIST,v 1.7 2008/11/11 16:23:26 naddy Exp $
+@comment $OpenBSD: PLIST,v 1.8 2009/03/08 21:57:24 stsp Exp $
@man man/man8/pptp.8
@bin sbin/pptp
 share/doc/pptp/
-share/doc/pptp/Documentation/
-share/doc/pptp/Documentation/DESIGN.CALLMGR
-share/doc/pptp/Documentation/DESIGN.PPTP
-share/doc/pptp/Documentation/PORTING
-share/doc/pptp/USING
+share/doc/pptp/PROTOCOL-SECURITY