commit:     6ed9a78958599e7c391c30988d3a6bbf3e3f54ea
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sat Aug 11 07:38:35 2018 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Aug 11 07:38:35 2018 +0000
URL:        https://gitweb.gentoo.org/proj/musl.git/commit/?id=6ed9a789

net-vpn: initial commit

Package-Manager: Portage-2.3.40, Repoman-2.3.9
RepoMan-Options: --force

 net-vpn/ipsec-tools/Manifest                       |   1 +
 .../files/ipsec-tools-0.8.0-sysctl.patch           |  22 ++
 .../files/ipsec-tools-CVE-2015-4047.patch          |  16 ++
 .../ipsec-tools/files/ipsec-tools-def-psk.patch    |  25 ++
 .../files/ipsec-tools-include-vendoridh.patch      |  11 +
 .../ipsec-tools/files/ipsec-tools-remove__P.patch  | 137 ++++++++++
 net-vpn/ipsec-tools/files/ipsec-tools.conf         |  26 ++
 net-vpn/ipsec-tools/files/ipsec-tools.service      |  12 +
 net-vpn/ipsec-tools/files/psk.txt                  |  10 +
 net-vpn/ipsec-tools/files/racoon.conf              |  33 +++
 net-vpn/ipsec-tools/files/racoon.conf.d-r2         |  29 +++
 net-vpn/ipsec-tools/files/racoon.init.d-r3         |  57 +++++
 net-vpn/ipsec-tools/files/racoon.pam.d             |   4 +
 net-vpn/ipsec-tools/files/racoon.service           |  11 +
 net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild    | 285 +++++++++++++++++++++
 net-vpn/ipsec-tools/metadata.xml                   |  17 ++
 16 files changed, 696 insertions(+)

diff --git a/net-vpn/ipsec-tools/Manifest b/net-vpn/ipsec-tools/Manifest
new file mode 100644
index 0000000..e78840e
--- /dev/null
+++ b/net-vpn/ipsec-tools/Manifest
@@ -0,0 +1 @@
+DIST ipsec-tools-0.8.2.tar.bz2 866465 BLAKE2B 
cf8c9175d96326fc5c74e6b1921bc66911256e289e6fe9cef77f26c197546902be3ebd5696af39c749a2abaac3f42010c9e2a281fd208122cd59222044b9dd4c
 SHA512 
2b7d0efa908d3a699be7ef8b2b126a3809956cb7add50e8efb1cfdfc2d9b70c39ef517379cb9a4fad9e5f0c25937e98535b06c32bd3e729f5129da4ab133e30f

diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch 
b/net-vpn/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch
new file mode 100644
index 0000000..5c69bbb
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch
@@ -0,0 +1,22 @@
+https://bugs.gentoo.org/425770
+
+--- a/src/racoon/pfkey.c
++++ b/src/racoon/pfkey.c
+@@ -59,7 +59,6 @@
+ #include <sys/param.h>
+ #include <sys/socket.h>
+ #include <sys/queue.h>
+-#include <sys/sysctl.h>
+ 
+ #include <net/route.h>
+ #include <net/pfkeyv2.h>
+--- a/src/setkey/setkey.c
++++ b/src/setkey/setkey.c
+@@ -40,7 +40,6 @@
+ #include <sys/socket.h>
+ #include <sys/time.h>
+ #include <sys/stat.h>
+-#include <sys/sysctl.h>
+ #include <err.h>
+ #include <netinet/in.h>
+ #include <net/pfkeyv2.h>

diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch 
b/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch
new file mode 100644
index 0000000..58f72e1
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch
@@ -0,0 +1,16 @@
+See: https://bugs.gentoo.org/show_bug.cgi?id=550118
+
+--- ./src/racoon/gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
++++ ./src/racoon/gssapi.c    19 May 2015 15:16:00 -0000      1.6
+@@ -192,6 +192,11 @@
+       gss_name_t princ, canon_princ;
+       OM_uint32 maj_stat, min_stat;
+ 
++      if (iph1->rmconf == NULL) {
++              plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
++              return -1;
++      }
++
+       gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
+       if (gps == NULL) {
+               plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");

diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-def-psk.patch 
b/net-vpn/ipsec-tools/files/ipsec-tools-def-psk.patch
new file mode 100644
index 0000000..f351860
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/ipsec-tools-def-psk.patch
@@ -0,0 +1,25 @@
+diff -brau ipsec-tools-0.7.3.o/src/racoon/oakley.c 
ipsec-tools-0.7.3/src/racoon/oakley.c
+--- ipsec-tools-0.7.3.o/src/racoon/oakley.c    2009-08-13 11:18:45.000000000 
+0200
++++ ipsec-tools-0.7.3/src/racoon/oakley.c      2011-06-06 09:36:11.000000000 
+0200
+@@ -2498,8 +2498,21 @@
+                               plog(LLV_ERROR, LOCATION, iph1->remote,
+                                       "couldn't find the pskey for %s.\n",
+                                       saddrwop2str(iph1->remote));
++                      }
++              }
++              if (iph1->authstr == NULL) {
++                      /*
++                       * If we could not locate a psk above try and locate
++                       * the default psk, ie, "*".
++                       */
++                      iph1->authstr = privsep_getpsk("*", 1);
++                      if (iph1->authstr == NULL) {
++                              plog(LLV_ERROR, LOCATION, iph1->remote,
++                                      "couldn't find the the default pskey 
either.\n");
+                               goto end;
+                       }
++                      plog(LLV_NOTIFY, LOCATION, iph1->remote,
++                                      "Using default PSK.\n");
+               }
+               plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
+               /* should be secret PSK */
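Review bot: The `couldn't find the pskey for %s.` message that now precedes the default lookup is still logged at LLV_ERROR, so a peer that is then authenticated through the `*` entry produces an ERROR line followed by a NOTIFY line for one successful exchange, and anything that alerts on racoon ERROR output will fire on a normal login. Since the hard failure has moved into the new `couldn't find the the default pskey either.` branch, the first message belongs at a lower level, e.g. `plog(LLV_WARNING, LOCATION, iph1->remote, "couldn't find the pskey for %s, trying default.\n", saddrwop2str(iph1->remote));`. That new error string also doubles `the the`. The fallback has no configuration switch, so any psk.txt containing a `*` line hands one secret to every peer without an entry of its own; a one-line comment next to `privsep_getpsk("*", 1)` saying so would tell readers that this patch widens who can authenticate. The enclosing function starts and ends outside the hunk.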

diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-include-vendoridh.patch 
b/net-vpn/ipsec-tools/files/ipsec-tools-include-vendoridh.patch
new file mode 100644
index 0000000..2e22c82
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/ipsec-tools-include-vendoridh.patch
@@ -0,0 +1,11 @@
+diff -Naur ipsec-tools-0.8.0.orig//src/racoon/ipsec_doi.c 
ipsec-tools-0.8.0/src/racoon/ipsec_doi.c
+--- ipsec-tools-0.8.0.orig//src/racoon/ipsec_doi.c     2012-02-28 
13:42:24.000000000 -0500
++++ ipsec-tools-0.8.0/src/racoon/ipsec_doi.c   2012-02-28 13:41:22.000000000 
-0500
+@@ -87,6 +87,7 @@
+ #ifdef HAVE_GSSAPI
+ #include <iconv.h>
+ #include "gssapi.h"
++#include "vendorid.h"
+ #ifdef HAVE_ICONV_2ND_CONST
+ #define __iconv_const const
+ #else

diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-remove__P.patch 
b/net-vpn/ipsec-tools/files/ipsec-tools-remove__P.patch
new file mode 100644
index 0000000..a0a44f5
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/ipsec-tools-remove__P.patch
@@ -0,0 +1,137 @@
+diff -Naur ipsec-tools-0.8.2.orig/src/libipsec/ipsec_strerror.h 
ipsec-tools-0.8.2/src/libipsec/ipsec_strerror.h
+--- ipsec-tools-0.8.2.orig/src/libipsec/ipsec_strerror.h       2006-09-09 
16:22:09.000000000 +0000
++++ ipsec-tools-0.8.2/src/libipsec/ipsec_strerror.h    2018-08-11 
06:56:43.378265279 +0000
+@@ -34,6 +34,8 @@
+ #ifndef _IPSEC_STRERROR_H
+ #define _IPSEC_STRERROR_H
+ 
++#define __P(protos) protos
++
+ extern int __ipsec_errcode;
+ extern void __ipsec_set_strerror __P((const char *));
+ 
+diff -Naur ipsec-tools-0.8.2.orig/src/libipsec/libpfkey.h 
ipsec-tools-0.8.2/src/libipsec/libpfkey.h
+--- ipsec-tools-0.8.2.orig/src/libipsec/libpfkey.h     2012-08-23 
11:10:45.000000000 +0000
++++ ipsec-tools-0.8.2/src/libipsec/libpfkey.h  2018-08-11 06:58:44.102604340 
+0000
+@@ -44,6 +44,8 @@
+ #define PRIORITY_OFFSET_POSITIVE_MAX  0x3fffffff
+ #define PRIORITY_OFFSET_NEGATIVE_MAX  0x40000000
+ 
++#define __P(protos) protos
++
+ struct sadb_msg;
+ extern void pfkey_sadump __P((struct sadb_msg *));
+ extern void pfkey_sadump_withports __P((struct sadb_msg *));
+diff -Naur ipsec-tools-0.8.2.orig/src/racoon/gnuc.h 
ipsec-tools-0.8.2/src/racoon/gnuc.h
+--- ipsec-tools-0.8.2.orig/src/racoon/gnuc.h   2006-09-09 16:22:09.000000000 
+0000
++++ ipsec-tools-0.8.2/src/racoon/gnuc.h        2018-08-11 06:54:00.543203861 
+0000
+@@ -3,14 +3,7 @@
+ /* Id: gnuc.h,v 1.4 2004/11/18 15:14:44 ludvigm Exp */
+ 
+ /* Define __P() macro, if necessary */
+-#undef __P
+-#ifndef __P
+-#if __STDC__
+ #define __P(protos) protos
+-#else
+-#define __P(protos) ()
+-#endif
+-#endif
+ 
+ /* inline foo */
+ #ifdef __GNUC__
+diff -Naur ipsec-tools-0.8.2.orig/src/racoon/logger.h 
ipsec-tools-0.8.2/src/racoon/logger.h
+--- ipsec-tools-0.8.2.orig/src/racoon/logger.h 2006-09-09 16:22:09.000000000 
+0000
++++ ipsec-tools-0.8.2/src/racoon/logger.h      2018-08-11 07:04:12.320653159 
+0000
+@@ -42,6 +42,8 @@
+       char *fname;
+ };
+ 
++#define __P(protos) protos
++
+ extern struct log *log_open __P((size_t, char *));
+ extern void log_add __P((struct log *, char *));
+ extern int log_print __P((struct log *, char *));
+diff -Naur ipsec-tools-0.8.2.orig/src/racoon/misc.h 
ipsec-tools-0.8.2/src/racoon/misc.h
+--- ipsec-tools-0.8.2.orig/src/racoon/misc.h   2008-07-15 00:47:09.000000000 
+0000
++++ ipsec-tools-0.8.2/src/racoon/misc.h        2018-08-11 07:01:29.029603601 
+0000
+@@ -42,6 +42,8 @@
+ #define LOCATION        debug_location(__FILE__, __LINE__, NULL)
+ #endif
+ 
++#define __P(protos) protos
++
+ extern int racoon_hexdump __P((void *, size_t));
+ extern char *bit2str __P((int, int));
+ extern void *get_newbuf __P((void *, size_t));
+diff -Naur ipsec-tools-0.8.2.orig/src/racoon/missing/crypto/sha2/sha2.h 
ipsec-tools-0.8.2/src/racoon/missing/crypto/sha2/sha2.h
+--- ipsec-tools-0.8.2.orig/src/racoon/missing/crypto/sha2/sha2.h       
2006-09-09 16:22:36.000000000 +0000
++++ ipsec-tools-0.8.2/src/racoon/missing/crypto/sha2/sha2.h    2018-08-11 
07:04:57.967269426 +0000
+@@ -119,6 +119,8 @@
+ 
+ /*** SHA-256/384/512 Function Prototypes ******************************/
+ 
++#define __P(protos) protos
++
+ #ifndef HAVE_SHA2_IN_SHA_H
+ void SHA256_Init __P((SHA256_CTX *));
+ void SHA256_Update __P((SHA256_CTX*, const u_int8_t*, size_t));
+diff -Naur ipsec-tools-0.8.2.orig/src/racoon/netdb_dnssec.h 
ipsec-tools-0.8.2/src/racoon/netdb_dnssec.h
+--- ipsec-tools-0.8.2.orig/src/racoon/netdb_dnssec.h   2006-09-09 
16:22:09.000000000 +0000
++++ ipsec-tools-0.8.2/src/racoon/netdb_dnssec.h        2018-08-11 
07:06:07.145172460 +0000
+@@ -68,6 +68,8 @@
+       struct certinfo *ci_next;       /* next structure */
+ };
+ 
++#define __P(protos) protos
++
+ extern void freecertinfo __P((struct certinfo *));
+ extern int getcertsbyname __P((char *, struct certinfo **));
+ 
+diff -Naur ipsec-tools-0.8.2.orig/src/racoon/plog.h 
ipsec-tools-0.8.2/src/racoon/plog.h
+--- ipsec-tools-0.8.2.orig/src/racoon/plog.h   2007-10-02 09:47:40.000000000 
+0000
++++ ipsec-tools-0.8.2/src/racoon/plog.h        2018-08-11 07:06:55.163716961 
+0000
+@@ -63,6 +63,8 @@
+ extern int f_foreground;
+ extern int print_location;
+ 
++#define __P(protos) protos
++
+ struct sockaddr;
+ #define plog(pri, ...) \
+       do { \
+diff -Naur ipsec-tools-0.8.2.orig/src/racoon/str2val.h 
ipsec-tools-0.8.2/src/racoon/str2val.h
+--- ipsec-tools-0.8.2.orig/src/racoon/str2val.h        2006-09-09 
16:22:10.000000000 +0000
++++ ipsec-tools-0.8.2/src/racoon/str2val.h     2018-08-11 07:05:31.530252028 
+0000
+@@ -34,6 +34,8 @@
+ #ifndef _STR2VAL_H
+ #define _STR2VAL_H
+ 
++#define __P(protos) protos
++
+ extern caddr_t val2str __P((const char *, size_t));
+ extern char *str2val __P((const char *, int, size_t *));
+ 
+diff -Naur ipsec-tools-0.8.2.orig/src/racoon/vmbuf.h 
ipsec-tools-0.8.2/src/racoon/vmbuf.h
+--- ipsec-tools-0.8.2.orig/src/racoon/vmbuf.h  2006-09-09 16:22:10.000000000 
+0000
++++ ipsec-tools-0.8.2/src/racoon/vmbuf.h       2018-08-11 07:03:41.489587802 
+0000
+@@ -65,6 +65,8 @@
+ #define vfree   vmbuf_free
+ #endif
+ 
++#define __P(protos) protos
++
+ extern vchar_t *vmalloc __P((size_t));
+ extern vchar_t *vrealloc __P((vchar_t *, size_t));
+ extern void vfree __P((vchar_t *));
+diff -Naur ipsec-tools-0.8.2.orig/src/setkey/extern.h 
ipsec-tools-0.8.2/src/setkey/extern.h
+--- ipsec-tools-0.8.2.orig/src/setkey/extern.h 2009-03-06 11:45:03.000000000 
+0000
++++ ipsec-tools-0.8.2/src/setkey/extern.h      2018-08-11 06:59:26.933305604 
+0000
+@@ -1,6 +1,6 @@
+ /*    $NetBSD: extern.h,v 1.5 2009/03/06 11:45:03 tteras Exp $        */
+ 
+-
++#define __P(protos) protos
+ 
+ void parse_init __P((void));
+ int parse __P((FILE **));
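Review bot: The `#define __P(protos) protos` added to each header is unconditional, and the gnuc.h hunk also removes the `#undef __P` / `#ifndef __P` guard that previously reconciled it with the libc's own definition. C11 6.10.3 permits a redefinition only when the parameter spelling and replacement list are identical, so on a libc whose sys/cdefs.h already defines `__P` with a differently named parameter (I believe glibc spells it `__P(args) args`) every one of these headers now yields a macro-redefinition diagnostic; wrapping each copy in `#ifndef __P` / `#define __P(protos) protos` / `#endif` keeps the musl build working without that noise. The same define is repeated in eleven headers (ipsec_strerror.h, libpfkey.h, gnuc.h, logger.h, misc.h, sha2.h, netdb_dnssec.h, plog.h, str2val.h, vmbuf.h, extern.h); one guarded definition in a small shared header included from each would be easier to keep consistent. `__P` is a reserved identifier, but that is upstream's name and not something this patch can change.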

diff --git a/net-vpn/ipsec-tools/files/ipsec-tools.conf 
b/net-vpn/ipsec-tools/files/ipsec-tools.conf
new file mode 100644
index 0000000..bfff04a
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/ipsec-tools.conf
@@ -0,0 +1,26 @@
+#!/usr/sbin/setkey -f
+#
+# THIS IS A SAMPLE FILE!
+#
+# This is a sample file to test Gentoo's ipsec-tools out of the box.
+# Do not use it in production.  See: http://www.ipsec-howto.org/
+#
+flush;
+spdflush;
+
+#
+# Uncomment the following if you want to do manual keying, ie, you want to run 
IPsec without racoon.
+# Do not switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+#add 192.168.3.25 192.168.3.21 ah 0x200 -A hmac-md5 
0xc0291ff014dccdd03874d9e8e4cdf3e6;
+#add 192.168.3.21 192.168.3.25 ah 0x300 -A hmac-md5 
0x96358c90783bbfa3d7b196ceabe0536b;
+#add 192.168.3.25 192.168.3.21 esp 0x201 -E 3des-cbc 
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
+#add 192.168.3.21 192.168.3.25 esp 0x301 -E 3des-cbc 
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
+
+#
+# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+#spdadd 192.168.3.21 192.168.3.25 any -P out ipsec esp/transport//require 
ah/transport//require;
+#spdadd 192.168.3.25 192.168.3.21 any -P in  ipsec esp/transport//require 
ah/transport//require;
+spdadd 192.168.3.25 192.168.3.21 any -P out ipsec esp/transport//require 
ah/transport//require;
+spdadd 192.168.3.21 192.168.3.25 any -P in  ipsec esp/transport//require 
ah/transport//require;
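Review bot: The two uncommented `spdadd ... -P out/in ipsec esp/transport//require ah/transport//require;` lines at the end of the file are live policy, and the ebuild in this commit installs the file verbatim as /etc/ipsec-tools.conf where both ipsec-tools.service and the racoon init script load it, so a host that enables either with the sample untouched gets `require` policies for 192.168.3.21/25 and drops traffic to those addresses until an SA exists. The `THIS IS A SAMPLE FILE!` header does not say that; I would ship these two lines commented out like the ones above them, or at least add a comment before them such as `# The two policies below are active as soon as this file is loaded; change the addresses or comment them out.`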

diff --git a/net-vpn/ipsec-tools/files/ipsec-tools.service 
b/net-vpn/ipsec-tools/files/ipsec-tools.service
new file mode 100644
index 0000000..0341aa7
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/ipsec-tools.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Load IPSec Security Policy Database
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/sbin/setkey -k -f /etc/ipsec-tools.conf
+ExecStop=/usr/sbin/setkey -F -P ; /usr/sbin/setkey -F
+
+[Install]
+WantedBy=multi-user.target

diff --git a/net-vpn/ipsec-tools/files/psk.txt 
b/net-vpn/ipsec-tools/files/psk.txt
new file mode 100644
index 0000000..97f5180
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/psk.txt
@@ -0,0 +1,10 @@
+# THIS IS A SAMPLE FILE!
+#
+# This is a sample file to test Gentoo's ipsec-tools out of the box.
+# Do not use it in production.  See: http://www.ipsec-howto.org/
+#
+# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+# Peer IP/FQDN Secret
+# 192.168.3.25 sample
+192.168.3.21   sample
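Review bot: The `# Peer IP/FQDN Secret` header documents per-peer entries only, but with ipsec-tools-def-psk.patch applied by this same commit racoon falls back to an entry whose peer field is `*` whenever no peer-specific line matches, so a `*` line gives one secret to every peer that is not listed. That is worth stating in the sample, since it is installed as /etc/racoon/psk.txt and is the file administrators edit; a line next to the column header such as `# A line whose peer is "*" is a default secret used for ANY peer not listed here; leave it out unless that is intended.` would do.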

diff --git a/net-vpn/ipsec-tools/files/racoon.conf 
b/net-vpn/ipsec-tools/files/racoon.conf
new file mode 100644
index 0000000..2e9206d
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/racoon.conf
@@ -0,0 +1,33 @@
+# THIS IS A SAMPLE FILE!
+#
+# This is a sample file to test Gentoo's ipsec-tools out of the box.
+# Do not use it in production.  See: http://www.ipsec-howto.org/
+#
+path pre_shared_key "/etc/racoon/psk.txt";
+
+#
+# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+#remote 192.168.3.25
+remote 192.168.3.21
+{
+       exchange_mode main;
+       proposal {
+               encryption_algorithm 3des;
+               hash_algorithm md5;
+               authentication_method pre_shared_key;
+               dh_group modp1024;
+       }
+}
+
+#
+# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer
+#
+#sainfo address 192.168.3.21 any address 192.168.3.25 any
+sainfo address 192.168.3.25 any address 192.168.3.21 any
+{
+       pfs_group modp768;
+       encryption_algorithm 3des;
+       authentication_algorithm hmac_md5;
+       compression_algorithm deflate;
+}
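Review bot: The sample's `pfs_group modp768`, `hash_algorithm md5`, `encryption_algorithm 3des` and `dh_group modp1024` are legacy parameters, and because this file is installed as /etc/racoon/racoon.conf it is the template administrators edit in place. The `Do not use it in production` header reads as a remark about the addresses and the PSK, not about the algorithm choices; a comment above the proposal block, e.g. `# 3des/md5/modp768/modp1024 are kept only for interop with old peers; prefer aes, sha256 and modp2048 or larger.`, would make that explicit.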

diff --git a/net-vpn/ipsec-tools/files/racoon.conf.d-r2 
b/net-vpn/ipsec-tools/files/racoon.conf.d-r2
new file mode 100644
index 0000000..cbb0480
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/racoon.conf.d-r2
@@ -0,0 +1,29 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Config file for /etc/init.d/racoon
+
+# See the man page or run `racoon --help` for valid command-line options
+# RACOON_OPTS="-d"
+
+RACOON_CONF="/etc/racoon/racoon.conf"
+RACOON_PSK_FILE="/etc/racoon/psk.txt"
+
+# The amount of time in ms for start-stop-daemon to wait before a timeout
+# Racoon can sometimes be slow.  We'll wait 1 sec.  Bug #435398.
+
+RACOON_WAIT="1000"
+
+# The setkey config file.  Don't name it ipsec.conf as this clashes
+# with strongswan.  We'll follow debian's naming.  Bug #436144.
+
+SETKEY_CONF="/etc/ipsec-tools.conf"
+
+# Comment or remove the following if you don't want the policy tables
+# to be flushed when racoon is stopped.
+
+RACOON_RESET_TABLES="true"
+
+# If you need to set custom options to the setkey command when loading rules, 
use this
+# more info in the setkey mangage (example below sets kernel mode instead of 
RFC mode):
+#SETKEY_OPTS="-k"
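Review bot: The last comment block misspells "man page" as `mangage` and its two sentences run together across the wrapped lines (`... when loading rules, use this` / `more info in the setkey mangage ...`). Suggested wording: `# If you need custom options for the setkey command when loading rules, set them here;` / `# see the setkey man page for details (the example below selects kernel mode instead of RFC mode):`.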

diff --git a/net-vpn/ipsec-tools/files/racoon.init.d-r3 
b/net-vpn/ipsec-tools/files/racoon.init.d-r3
new file mode 100644
index 0000000..61a3769
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/racoon.init.d-r3
@@ -0,0 +1,57 @@
+#!/sbin/openrc-run
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+       before netmount
+       use net
+}
+
+checkconfig() {
+       if [ ! -e ${SETKEY_CONF} ] ; then
+               eerror "You need to configure setkey before starting racoon."
+               return 1
+       fi
+       if [ ! -e ${RACOON_CONF} ] ; then
+               eerror "You need a configuration file to start racoon."
+               return 1
+       fi
+       if [ ! -z ${RACOON_PSK_FILE} ] ; then
+               if [ ! -f ${RACOON_PSK_FILE} ] ; then
+                       eerror "PSK file not found as specified."
+                       eerror "Set RACOON_PSK_FILE in /etc/conf.d/racoon."
+                       return 1
+               fi
+               case "`ls -Lldn ${RACOON_PSK_FILE}`" in
+                       -r--------*)
+                               ;;
+                       *)
+                               eerror "Your defined PSK file should be mode 
400 for security!"
+                               return 1
+                               ;;
+               esac
+       fi
+}
+
+command=/usr/sbin/racoon
+command_args="-f ${RACOON_CONF} ${RACOON_OPTS}"
+pidfile=/var/run/racoon.pid
+start_stop_daemon_args="--wait ${RACOON_WAIT}"
+
+start_pre() {
+       checkconfig || return 1
+       einfo "Loading ipsec policies from ${SETKEY_CONF}."
+       /usr/sbin/setkey ${SETKEY_OPTS} -f ${SETKEY_CONF}
+       if [ $? -eq 1 ] ; then
+               eerror "Error while loading ipsec policies"
+       fi
+}
+
+stop_post() {
+       if [ -n "${RACOON_RESET_TABLES}" ]; then
+               ebegin "Flushing policy entries"
+               /usr/sbin/setkey -F
+               /usr/sbin/setkey -FP
+               eend $?
+       fi
+}
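Review bot: In `start_pre` the setkey result is tested with `if [ $? -eq 1 ]`, which misses every other non-zero exit status, and even the matched case only prints `eerror` and then lets start_pre return 0, so racoon starts with whatever part of the SPD was loaded; if starting without policies is not intended, `/usr/sbin/setkey ${SETKEY_OPTS} -f "${SETKEY_CONF}" || { eerror "Error while loading ipsec policies"; return 1; }` fails the start instead. `checkconfig` uses `${SETKEY_CONF}`, `${RACOON_CONF}` and `${RACOON_PSK_FILE}` unquoted inside `[ ]`, so an empty SETKEY_CONF turns `[ ! -e ${SETKEY_CONF} ]` into `[ ! -e ]`, which is false and lets the check pass without a file; quoting them, e.g. `if [ ! -e "${SETKEY_CONF}" ] ; then`, makes an empty value fail as intended. The `ls -Lldn` pattern `-r--------*` checks only the mode of the PSK file; since `-n` already prints the numeric owner, the case could also require uid 0 so a 0400 file owned by another user is not accepted.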

diff --git a/net-vpn/ipsec-tools/files/racoon.pam.d 
b/net-vpn/ipsec-tools/files/racoon.pam.d
new file mode 100644
index 0000000..b801aaa
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/racoon.pam.d
@@ -0,0 +1,4 @@
+auth       include     system-remote-login
+account    include     system-remote-login
+password   include     system-remote-login
+session           include      system-remote-login

diff --git a/net-vpn/ipsec-tools/files/racoon.service 
b/net-vpn/ipsec-tools/files/racoon.service
new file mode 100644
index 0000000..df7f1bb
--- /dev/null
+++ b/net-vpn/ipsec-tools/files/racoon.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Racoon IKEv1 key management daemon for IPSEC
+After=syslog.target network.target
+Requires=ipsec-tools.service
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/racoon -f /etc/racoon/racoon.conf
+
+[Install]
+WantedBy=multi-user.target
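Review bot: `Requires=ipsec-tools.service` pulls the SPD loader in but does not order racoon after it, so the daemon can be started before /etc/ipsec-tools.conf has been loaded; add `After=ipsec-tools.service` next to the existing After= line so the policies exist when racoon comes up. `Type=forking` is used without `PIDFile=`, leaving systemd to guess the main process; the OpenRC script in this commit uses `/var/run/racoon.pid`, and `PIDFile=/var/run/racoon.pid` lets systemd track and stop the right process. `syslog.target` in the After= line has been obsolete for a long time and can be dropped.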

diff --git a/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild 
b/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild
new file mode 100644
index 0000000..6470e21
--- /dev/null
+++ b/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r5.ebuild
@@ -0,0 +1,285 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic autotools linux-info pam systemd
+
+DESCRIPTION="A port of KAME's IPsec utilities to the Linux-2.6 IPsec 
implementation"
+HOMEPAGE="http://ipsec-tools.sourceforge.net/";
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~ia64 ~mips ppc ppc64 x86"
+IUSE="hybrid idea ipv6 kerberos ldap libressl nat pam rc5 readline selinux 
stats"
+
+CDEPEND="
+       !libressl? ( dev-libs/openssl:0 )
+       libressl? ( dev-libs/libressl )
+       kerberos? ( virtual/krb5 )
+       ldap? ( net-nds/openldap )
+       pam? ( sys-libs/pam )
+       readline? ( sys-libs/readline:0= )
+       selinux? ( sys-libs/libselinux )"
+
+DEPEND="${CDEPEND}
+       >=sys-kernel/linux-headers-2.6.30"
+
+RDEPEND="${CDEPEND}
+       selinux? ( sec-policy/selinux-ipsec )
+"
+
+pkg_preinst() {
+       if has_version "<${CATEGORY}/${PN}-0.8.0-r5" ; then
+               ewarn
+               ewarn 
"\033[1;33m**************************************************\033[00m"
+               ewarn
+               if ! has_version "net-vpn/strongswan" &&
+                       ! has_version "net-misc/openswan" &&
+                       ! has_version "net-vpn/libreswan"; then
+                       ewarn "We found an earlier version of ${PN} installed."
+                       ewarn "As of ${PN}-0.8.0-r5, the old configuration 
file,"
+                       ewarn "ipsec.conf, has been changed to ipsec-tools.conf 
to avoid"
+                       ewarn "a conflict with net-vpn/strongswan; bug #436144. 
 We will"
+                       ewarn "rename this file for you with this upgrade.  
However, if"
+                       ewarn "you later downgrade, you'll have to rename the 
file to"
+                       ewarn "its orignal manually or change 
/etc/conf.d/racoon to point"
+                       ewarn "to the new file."
+
+                       if [[ -f /etc/ipsec.conf && ! -f /etc/ipsec-tools.conf 
]] ; then
+                               mv /etc/ipsec.conf /etc/ipsec-tools.conf
+                       else
+                               ewarn
+                               ewarn "Oops!  I can't move ipsec.conf to 
ipsec-tools.conf!"
+                               ewarn "Either the former doesn't exist or the 
later does and"
+                               ewarn "I won't clobber it.  Please fix this 
situation manually."
+                       fi
+               else
+                       ewarn "You had both an earlier version of ${PN} and"
+                       ewarn "net-vpn/strongswan installed.  I can't tell 
whether"
+                       ewarn "the configuration file, ipsec.conf, belongs to 
one"
+                       ewarn "package or the other due to a file conflict; bug 
#436144."
+                       ewarn "The current version of ${PN} uses 
ipsec-tools.conf"
+                       ewarn "as its configuration file, as will future 
versions."
+                       ewarn "Please fix this situation manually."
+               fi
+               ewarn
+               ewarn 
"\033[1;33m**************************************************\033[00m"
+               ewarn
+       fi
+}
+
+pkg_setup() {
+       linux-info_pkg_setup
+
+       get_version
+
+       if linux_config_exists && kernel_is -ge 2 6 19; then
+               ewarn
+               ewarn 
"\033[1;33m**************************************************\033[00m"
+               ewarn
+               ewarn "Checking kernel configuration in /usr/src/linux or"
+               ewarn "or /proc/config.gz for compatibility with ${PN}."
+               ewarn "Here are the potential problems:"
+               ewarn
+
+               local nothing="1"
+
+               # Check options for all flavors of IPSec
+               local msg=""
+               for i in XFRM_USER NET_KEY; do
+                       if ! linux_chkconfig_present ${i}; then
+                               msg="${msg} ${i}"
+                       fi
+               done
+               if [[ ! -z "$msg" ]]; then
+                       nothing="0"
+                       ewarn
+                       ewarn "ALL IPSec may fail. CHECK:"
+                       ewarn "${msg}"
+               fi
+
+               # Check unencrypted IPSec
+               if ! linux_chkconfig_present CRYPTO_NULL; then
+                       nothing="0"
+                       ewarn
+                       ewarn "Unencrypted IPSec may fail. CHECK:"
+                       ewarn " CRYPTO_NULL"
+               fi
+
+               # Check IPv4 IPSec
+               msg=""
+               for i in \
+                       INET_IPCOMP INET_AH INET_ESP \
+                       INET_XFRM_MODE_TRANSPORT \
+                       INET_XFRM_MODE_TUNNEL \
+                       INET_XFRM_MODE_BEET
+               do
+                       if ! linux_chkconfig_present ${i}; then
+                               msg="${msg} ${i}"
+                       fi
+               done
+               if [[ ! -z "$msg" ]]; then
+                       nothing="0"
+                       ewarn
+                       ewarn "IPv4 IPSec may fail. CHECK:"
+                       ewarn "${msg}"
+               fi
+
+               # Check IPv6 IPSec
+               if use ipv6; then
+                       msg=""
+                       for i in INET6_IPCOMP INET6_AH INET6_ESP \
+                               INET6_XFRM_MODE_TRANSPORT \
+                               INET6_XFRM_MODE_TUNNEL \
+                               INET6_XFRM_MODE_BEET
+                       do
+                               if ! linux_chkconfig_present ${i}; then
+                                       msg="${msg} ${i}"
+                               fi
+                       done
+                       if [[ ! -z "$msg" ]]; then
+                       nothing="0"
+                               ewarn
+                               ewarn "IPv6 IPSec may fail. CHECK:"
+                               ewarn "${msg}"
+                       fi
+               fi
+
+               # Check IPSec behind NAT
+               if use nat; then
+                       if ! linux_chkconfig_present NETFILTER_XT_MATCH_POLICY; 
then
+                               nothing="0"
+                               ewarn
+                               ewarn "IPSec behind NAT may fail.  CHECK:"
+                               ewarn " NETFILTER_XT_MATCH_POLICY"
+                       fi
+               fi
+
+               if [[ $nothing == "1" ]]; then
+                       ewarn "NO PROBLEMS FOUND"
+               fi
+
+               ewarn
+               ewarn "WARNING: If your *configured* and *running* kernel"
+               ewarn "differ either now or in the future, then these checks"
+               ewarn "may lead to misleading results."
+               ewarn
+               ewarn 
"\033[1;33m**************************************************\033[00m"
+               ewarn
+       else
+               eerror
+               eerror 
"\033[1;31m**************************************************\033[00m"
+               eerror "Make sure that your *running* kernel is/will be 
>=2.6.19."
+               eerror "Building ${PN} now, assuming that you know what you're 
doing."
+               eerror 
"\033[1;31m**************************************************\033[00m"
+               eerror
+       fi
+}
+
+src_prepare() {
+       # fix for bug #124813
+       sed -i 's:-Werror::g' "${S}"/configure.ac || die
+       # fix for building with gcc-4.6
+       sed -i 's: -R: -Wl,-R:' "${S}"/configure.ac || die
+
+       eapply "${FILESDIR}/${PN}-def-psk.patch"
+       eapply "${FILESDIR}/${PN}-include-vendoridh.patch"
+       eapply "${FILESDIR}"/${PN}-0.8.0-sysctl.patch #425770
+       eapply "${FILESDIR}"/${PN}-CVE-2015-4047.patch
+
+       # musl fixes
+       eapply "${FILESDIR}"/${PN}-remove__P.patch
+
+       AT_M4DIR="${S}" eautoreconf
+
+       eapply_user
+}
+
+src_configure() {
+       #--with-{libiconv,libradius} lead to "Broken getaddrinfo()"
+       #--enable-samode-unspec is not supported in linux
+       local myconf
+       myconf="--with-kernel-headers=/usr/include \
+                       --enable-adminport \
+                       --enable-dependency-tracking \
+                       --enable-dpd \
+                       --enable-frag \
+                       --without-libiconv \
+                       --without-libradius \
+                       --disable-samode-unspec \
+                       $(use_enable idea) \
+                       $(use_enable ipv6) \
+                       $(use_enable kerberos gssapi) \
+                       $(use_with ldap libldap) \
+                       $(use_enable nat natt) \
+                       $(use_with pam libpam) \
+                       $(use_enable rc5) \
+                       $(use_with readline) \
+                       $(use_enable selinux security-context) \
+                       $(use_enable stats)"
+
+       use nat && myconf="${myconf} --enable-natt-versions=yes"
+
+       # enable mode-cfg and xauth support
+       if use pam; then
+               myconf="${myconf} --enable-hybrid"
+       else
+               myconf="${myconf} $(use_enable hybrid)"
+       fi
+
+       econf ${myconf}
+}
+
+src_install() {
+       emake DESTDIR="${D}" install
+       keepdir /var/lib/racoon
+       newconfd "${FILESDIR}"/racoon.conf.d-r2 racoon
+       newinitd "${FILESDIR}"/racoon.init.d-r3 racoon
+       systemd_dounit "${FILESDIR}/ipsec-tools.service"
+       systemd_dounit "${FILESDIR}/racoon.service"
+       use pam && newpamd "${FILESDIR}"/racoon.pam.d racoon
+
+       insinto /etc
+       doins "${FILESDIR}"/ipsec-tools.conf
+       insinto /etc/racoon
+       doins "${FILESDIR}"/racoon.conf
+       doins "${FILESDIR}"/psk.txt
+       chmod 400 "${D}"/etc/racoon/psk.txt
+
+       dodoc ChangeLog README NEWS
+       dodoc -r src/racoon/samples
+       dodoc -r src/racoon/doc
+       docinto samples
+       newdoc src/setkey/sample.cf ipsec-tools.conf
+}
+
+pkg_postinst() {
+       if use nat; then
+               elog
+               elog "You have enabled the nat traversal functionnality."
+               elog "Nat versions wich are enabled by default are 00,02,rfc"
+               elog "you can find those drafts in the CVS repository:"
+               elog "cvs -d anon...@anoncvs.netbsd.org:/cvsroot co ipsec-tools"
+               elog
+               elog "If you feel brave enough and you know what you are"
+               elog "doing, you can consider emerging this ebuild with"
+               elog "EXTRA_ECONF=\"--enable-natt-versions=08,07,06\""
+               elog
+       fi
+
+       if use ldap; then
+               elog
+               elog "You have enabled ldap support with {$PN}."
+               elog "The man page does NOT contain any information on it yet."
+               elog "Consider using a more recent version or CVS."
+               elog
+       fi
+
+       elog
+       elog "Please have a look in /usr/share/doc/${P} and visit"
+       elog "http://www.netbsd.org/Documentation/network/ipsec/";
+       elog "to find more information on how to configure this tool."
+       elog
+}
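Review bot: `chmod 400 "${D}"/etc/racoon/psk.txt` in src_install is unchecked and bypasses the ebuild helper; `fperms 400 /etc/racoon/psk.txt` dies on failure, and since the PSK file is the one secret this package installs, a failed chmod should not pass silently. In pkg_postinst the ldap message uses `{$PN}`, which expands to the package name wrapped in literal braces; it should be `${PN}`. In src_prepare, `eapply_user` is called after `eautoreconf`, so a user patch touching configure.ac is not picked up by the reconf; move it above the `AT_M4DIR="${S}" eautoreconf` line. pkg_preinst renames `/etc/ipsec.conf` on the live root; with EAPI 6 both paths should be prefixed with `${EROOT}` so the rename also works for ROOT= installs.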

diff --git a/net-vpn/ipsec-tools/metadata.xml b/net-vpn/ipsec-tools/metadata.xml
new file mode 100644
index 0000000..b9c2c83
--- /dev/null
+++ b/net-vpn/ipsec-tools/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";>
+<pkgmetadata>
+       <maintainer type="person">
+               <email>bluen...@gentoo.org</email>
+       </maintainer>
+       <use>
+               <flag name="hybrid">Makes available both mode-cfg and xauth 
support</flag>
+               <flag name="idea">Enable support for the IDEA algorithm</flag>
+               <flag name="nat">Enable NAT-Traversal</flag>
+               <flag name="rc5">Enable support for the patented RC5 
algorithm</flag>
+               <flag name="stats">Enable statistics reporting</flag>
+       </use>
+       <upstream>
+               <remote-id type="sourceforge">ipsec-tools</remote-id>
+       </upstream>
+</pkgmetadata>
