diff options
Diffstat (limited to 'pkgs/tools/networking')
21 files changed, 44 insertions, 102 deletions
diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 38839c4b6acd..d262f7fc9e0c 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; + hardeningEnable = [ "pie" ]; + configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" ]; diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 778cfc3b5ed6..91232b4ffa74 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; + hardeningDisable = [ "fortify" ]; + installPhase = '' mkdir -pv $out/bin cp dhcpdump $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 63720faf7078..b05f4e8e80ee 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; + hardeningEnable = [ "pie" ]; + postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt ''; diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 623b42d6fc1b..a9f2419b1368 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix @@ -1,20 +1,19 @@ -{ stdenv, fetchurl, tcl }: +{ stdenv, fetchFromGitHub, tcl }: stdenv.mkDerivation rec { name = "eggdrop-${version}"; - version = "1.6.21"; + version = "1.6.21-nix1"; - src = fetchurl { - url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz"; - sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs"; + src = fetchFromGitHub { + owner = "eggheads"; + repo = "eggdrop"; + rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331"; + sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5"; }; buildInputs = [ tcl ]; - patches = [ - # https://github.com/eggheads/eggdrop/issues/123 - ./b34a33255f56bbd2317c26da12d702796d67ed50.patch - ]; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 33d8ee2fd636..13f8cedc673d 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; description = "Tool to measure IP bandwidth using UDP or TCP"; diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix deleted file mode 100644 index 5d788af1682e..000000000000 --- a/pkgs/tools/networking/lsh/default.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam -, nettools, lsof, procps }: - -stdenv.mkDerivation rec { - name = "lsh-2.0.4"; - src = fetchurl { - url = "mirror://gnu/lsh/${name}.tar.gz"; - sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091"; - }; - - patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ]; - - preConfigure = '' - # Patch `lsh-make-seed' so that it can gather enough entropy. - sed -i "src/lsh-make-seed.c" \ - -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ; - s|/usr/bin/netstat|${nettools}/bin/netstat|g ; - s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ; - s|/bin/vmstat|${procps}/bin/vmstat|g ; - s|/bin/ps|${procps}/bin/sp|g ; - s|/usr/bin/w|${procps}/bin/w|g ; - s|/usr/bin/df|$(type -P df)|g ; - s|/usr/bin/ipcs|$(type -P ipcs)|g ; - s|/usr/bin/uptime|$(type -P uptime)|g" - - # Skip the `configure' script that checks whether /dev/ptmx & co. work as - # expected, because it relies on impurities (for instance, /dev/pts may - # be unavailable in chroots.) - export lsh_cv_sys_unix98_ptys=yes - ''; - - NIX_CFLAGS_COMPILE = "-std=gnu90"; - - buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ]; - - meta = { - description = "GPL'd implementation of the SSH protocol"; - - longDescription = '' - lsh is a free implementation (in the GNU sense) of the ssh - version 2 protocol, currently being standardised by the IETF - SECSH working group. - ''; - - homepage = http://www.lysator.liu.se/~nisse/lsh/; - license = stdenv.lib.licenses.gpl2Plus; - - maintainers = [ ]; - platforms = [ "x86_64-linux" ]; - }; -} diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch deleted file mode 100644 index 9dd81de3fbc1..000000000000 --- a/pkgs/tools/networking/lsh/lshd-no-root-login.patch +++ /dev/null @@ -1,16 +0,0 @@ -Correctly handle the `--no-root-login' option. - ---- lsh-2.0.4/src/lshd.c 2006-05-01 13:47:44.000000000 +0200 -+++ lsh-2.0.4/src/lshd.c 2009-09-08 12:20:36.000000000 +0200 -@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str - self->allow_root = 1; - break; - -+ case OPT_NO_ROOT_LOGIN: -+ self->allow_root = 0; -+ break; -+ - case OPT_KERBEROS_PASSWD: - self->pw_helper = PATH_KERBEROS_HELPER; - break; - diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch deleted file mode 100644 index 6a6156855c51..000000000000 --- a/pkgs/tools/networking/lsh/pam-service-name.patch +++ /dev/null @@ -1,14 +0,0 @@ -Tell `lsh-pam-checkpw', the PAM password helper program, to use a more -descriptive service name. - ---- lsh-2.0.4/src/lsh-pam-checkpw.c 2003-02-16 22:30:10.000000000 +0100 -+++ lsh-2.0.4/src/lsh-pam-checkpw.c 2008-11-28 16:16:58.000000000 +0100 -@@ -38,7 +38,7 @@ - #include <security/pam_appl.h> - - #define PWD_MAXLEN 1024 --#define SERVICE_NAME "other" -+#define SERVICE_NAME "lshd" - #define TIMEOUT 600 - - static int diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index cbca408f0842..140d58e3163e 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; + hardeningDisable = [ "format" ]; + patches = [ ./path-to-cat.patch ./no-gets.patch ]; configureFlags = "--with-path-sendmail=${sendmailPath}"; diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 0f75bd44d69b..7a1eac59eeae 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,10 +9,12 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Mini PXE server"; maintainers = [ maintainers.raskin ]; platforms = ["x86_64-linux"]; license = stdenv.lib.licenses.free; }; -} \ No newline at end of file +} diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 0e7c23fd3a6c..b2242fe54546 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; + hardeningEnable = [ "pie" ]; + postInstall = '' rm -rf $out/share/doc ''; diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 50fde6a77944..c1f78c911a1a 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }: +{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }: with stdenv.lib; @@ -15,13 +15,11 @@ in stdenv.mkDerivation { sha256 = "0kwl8hv3nydd34xp1489jpjdj4bmknfl9xrgynij0vf5qx29xv7m"; }; - buildInputs = [ openssl automake autoconf ppp ]; + buildInputs = [ openssl ppp autoreconfHook ]; - preConfigure = '' - aclocal - autoconf - automake --add-missing + hardeningDisable = [ "format" ]; + preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" ''; diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 64b9fe98278b..064745f88558 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -73,6 +73,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningEnable = [ "pie" ]; + postInstall = '' # Install ssh-copy-id, it's very useful. cp contrib/ssh-copy-id $out/bin/ diff --git a/pkgs/tools/networking/quicktun/default.nix b/pkgs/tools/networking/quicktun/default.nix index f07cfe4d0724..ed559f5d5c9f 100644 --- a/pkgs/tools/networking/quicktun/default.nix +++ b/pkgs/tools/networking/quicktun/default.nix @@ -11,8 +11,6 @@ stdenv.mkDerivation rec { sha256 = "0m7gvlgs1mhyw3c8s2dg05j7r7hz8kjpb0sk245m61ir9dmwlf8i"; }; - CFLAGS = "-fPIE -fPIC -pie -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"; - buildInputs = [ libsodium ]; phases = [ "unpackPhase" "buildPhase" "installPhase" ]; diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 84db01dc4ba1..fc4ca793199d 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; + hardeningEnable = [ "pie" ]; + meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; description = "IPv6 Router Advertisement Daemon"; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index f57af20739d6..36c6a2deead0 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; + hardeningEnable = [ "pie" ]; + meta = { description = "A utility for bidirectional data transfer between two independent data channels"; homepage = http://www.dest-unreach.org/socat/; diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix index e8b56ed7d966..48e3c5625832 100644 --- a/pkgs/tools/networking/stunnel/default.nix +++ b/pkgs/tools/networking/stunnel/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "stunnel-${version}"; - version = "5.29"; + version = "5.31"; src = fetchurl { url = "http://www.stunnel.org/downloads/${name}.tar.gz"; - sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423"; + sha256 = "1dz0p85ha78vxc2hjhrkr4xf8w3q8r177bqdrgm26v6wncdbfim7"; }; buildInputs = [ openssl ]; diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 9827b62c6c4a..3a5117653c83 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ncurses]; meta = { diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index d10e645dc874..1c8829a07b27 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx"; }; - buildInputs = [libevent]; + buildInputs = [ libevent ]; preConfigure = '' sed -i 's|libevent.a|libevent.so|' configure @@ -22,6 +22,8 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; + hardeningDisable = [ "format" ]; + meta = { description = "Lightweight userspace bandwidth shaper"; license = stdenv.lib.licenses.bsd3; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index e2c83bcb975c..69b3e633f379 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; + hardeningDisable = [ "format" ]; + buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index 72a31262e26f..81d43fa501cf 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://vde.sourceforge.net/; description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network"; |