diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile
new file mode 100644
index 000000000..fdbf06d48
--- /dev/null
+++ b/net/ipsec-tools/Makefile
@@ -0,0 +1,95 @@
+#
+# Copyright (C) 2006-2011 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=ipsec-tools
+PKG_VERSION:=0.8.1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=@SF/ipsec-tools
+PKG_MD5SUM:=d38b39f291ba2962387c3232e7335dd8
+
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/ipsec-tools
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=VPN
+ DEPENDS:=+libopenssl +kmod-ipsec
+ TITLE:=IPsec management tools
+ URL:=http://ipsec-tools.sourceforge.net/
+endef
+
+CONFIGURE_ARGS += \
+ --enable-shared \
+ --enable-static \
+ --with-kernel-headers="$(LINUX_DIR)/include" \
+ --without-readline \
+ --with-openssl="$(STAGING_DIR)/usr" \
+ --without-libradius \
+ --without-libpam \
+ --enable-dpd \
+ --enable-hybrid \
+ --enable-security-context=no \
+ --enable-natt \
+ --enable-adminport \
+ --enable-frag \
+ $(call autoconf_bool,CONFIG_IPV6,ipv6)
+
+# override CFLAGS holding "-Werror" that break builds on compile warnings
+MAKE_FLAGS+=\
+ CFLAGS="$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)"
+
+define Build/Prepare
+ $(call Build/Prepare/Default)
+ chmod -R u+w $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+ (cd $(PKG_BUILD_DIR); touch \
+ configure.ac \
+ aclocal.m4 \
+ Makefile.in \
+ config.h.in \
+ configure \
+ );
+ $(call Build/Configure/Default)
+ echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h
+endef
+
+define Package/ipsec-tools/install
+ $(INSTALL_DIR) $(1)/etc
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/racoon.conf $(1)/etc/
+ $(SED) 's|@sysconfdir_x@|/etc|g' $(1)/etc/racoon.conf
+ $(INSTALL_DIR) $(1)/etc/racoon
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/psk.txt $(1)/etc/racoon/
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) 
./files/racoon.init $(1)/etc/init.d/racoon
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/
+endef
+
+define Package/ipsec-tools/conffiles
+/etc/racoon.conf
+/etc/racoon/psk.txt
+endef
+
+$(eval $(call BuildPackage,ipsec-tools))
diff --git a/net/ipsec-tools/files/racoon.init b/net/ipsec-tools/files/racoon.init
new file mode 100644
index 000000000..d539b363f
--- /dev/null
+++ b/net/ipsec-tools/files/racoon.init
@@ -0,0 +1,17 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2009-2011 OpenWrt.org
+# Copyright (C) 2011 Artem Makhutov
+
+START=49
+
+SERVICE_USE_PID=1
+
+start() {
+ mkdir -m 0700 -p /var/racoon
+ [ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/ipsec.conf
+ service_start /usr/sbin/racoon -f /etc/racoon.conf
+}
+
+stop() {
+ service_stop /usr/sbin/racoon
+}
diff --git a/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
new file mode 100644
index 000000000..db5b3064d
--- /dev/null
+++ b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
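Review bot: `Package/ipsec-tools/install` copies the upstream sample `psk.txt` verbatim to `/etc/racoon/psk.txt`, so whatever example entries that sample carries become live pre-shared keys on every device shipping this package (and, since the file is a conffile, they survive upgrades). If the sample is not empty, ship an empty key file instead and leave key material to the administrator, e.g. `$(INSTALL_CONF) /dev/null $(1)/etc/racoon/psk.txt` in place of the sample copy; this matters more here because the same commit adds a patch that falls back to a `*` wildcard key. Separately, `PKG_MD5SUM` is the only integrity check on a tarball pulled from the `@SF/` mirror pool; if this build tree supports a SHA-256 `PKG_HASH`, add it alongside, as MD5 is the weakest check the build system will accept.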
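Review bot: In `start()` a failing `setkey -f /etc/ipsec.conf` is silently ignored and racoon is started regardless, so a syntax error in the policy file leaves the device running IKE without the SPD the administrator intended and nothing in the log says why. Make the policy load fail closed: `if [ -f /etc/ipsec.conf ]; then` / `/usr/sbin/setkey -f /etc/ipsec.conf || { logger -t racoon "setkey -f /etc/ipsec.conf failed, not starting racoon"; return 1; }` / `fi`. Note also that `stop()` only stops the daemon; the policies `setkey` loaded at start are not removed, which is fine if fail-closed is the intent but deserves a one-line comment saying so.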
@@ -0,0 +1,24 @@
+--- a/src/racoon/oakley.c
++++ b/src/racoon/oakley.c
+@@ -2424,8 +2424,21 @@ oakley_skeyid(iph1)
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "couldn't find the pskey for %s.\n",
+ saddrwop2str(iph1->remote));
++ }
++ }
++ if (iph1->authstr == NULL) {
++ /*
++ * If we could not locate a psk above try and locate
++ * the default psk, ie, "*".
++ */
++ iph1->authstr = privsep_getpsk("*", 1);
++ if (iph1->authstr == NULL) {
++ plog(LLV_ERROR, LOCATION, iph1->remote,
++ "couldn't find the the default pskey either.\n");
+ goto end;
+ }
++ plog(LLV_NOTIFY, LOCATION, iph1->remote,
++ "Using default PSK.\n");
+ }
+ plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
+ /* should be secret PSK */
diff --git a/net/ipsec-tools/patches/001-no_libfl.patch b/net/ipsec-tools/patches/001-no_libfl.patch
new file mode 100644
index 000000000..b56b596ba
--- /dev/null
+++ b/net/ipsec-tools/patches/001-no_libfl.patch
@@ -0,0 +1,22 @@
+--- a/src/racoon/cftoken.l
++++ b/src/racoon/cftoken.l
+@@ -104,6 +104,8 @@ static struct include_stack {
+ static int incstackp = 0;
+ 
+ static int yy_first_time = 1;
++
++int yywrap(void) { return 1; }
+ %}
+ 
+ /* common seciton */
+--- a/src/setkey/token.l
++++ b/src/setkey/token.l
+@@ -86,6 +86,8 @@
+ #if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
+ #define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+ #endif
++
++int yywrap(void) { return 1; }
+ %}
+ 
+ /* common section */
diff --git a/net/ipsec-tools/patches/002-patch8-utmp.patch b/net/ipsec-tools/patches/002-patch8-utmp.patch
new file mode 100644
index 000000000..16dc9237c
--- /dev/null
+++ b/net/ipsec-tools/patches/002-patch8-utmp.patch
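Review bot: The new fallback hands the `*` key to every peer whose address has no entry in psk.txt, turning a per-peer secret into one that any host on the Internet can request; with aggressive mode the responder's hash is computed from that key before the peer is authenticated, so a `*` entry lets an arbitrary initiator harvest material for offline dictionary attacks, and even in main mode it means any address may attempt PSK authentication. The comment above `privsep_getpsk("*", 1)` should say this plainly, e.g. `/* Wildcard key: every unknown peer gets it. Only safe with a strong key and aggressive mode disabled. */`, and the same caveat belongs next to the shipped psk.txt. The error string has a doubled word: `"couldn't find the default pskey either.\n"`. `oakley_skeyid` starts and ends outside this hunk.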
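Review bot: Defining a global `int yywrap(void)` in each scanner is the heavier way to drop the libfl dependency; `%option noyywrap` in the options section of `cftoken.l` and `token.l` tells flex not to call `yywrap` at all and avoids exporting a non-static symbol from two programs. Unrelated to the code, this file shares its `001-` prefix with `001-ipsec-tools-def-psk.patch`, so the apply order is decided by the rest of the name; the series already skips from 003 to 005, so renumbering this one (for example to `004-`) keeps the quilt order explicit.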
@@ -0,0 +1,72 @@
+--- a/src/racoon/isakmp_cfg.c
++++ b/src/racoon/isakmp_cfg.c
+@@ -38,7 +38,7 @@
+ #include
+ #include
+ 
+-#include
++#include
+ #if defined(__APPLE__) && defined(__MACH__)
+ #include
+ #endif
+@@ -1661,7 +1661,8 @@ isakmp_cfg_accounting_system(port, raddr
+ int inout;
+ {
+ int error = 0;
+- struct utmpx ut;
++ struct utmp ut;
++ char term[UT_LINESIZE];
+ char addr[NI_MAXHOST];
+ 
+ if (usr == NULL || usr[0]=='\0') {
+@@ -1670,34 +1671,37 @@ isakmp_cfg_accounting_system(port, raddr
+ return -1;
+ }
+ 
+- memset(&ut, 0, sizeof ut);
+- gettimeofday((struct timeval *)&ut.ut_tv, NULL);
+- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
++ sprintf(term, TERMSPEC, port);
+ 
+ switch (inout) {
+ case ISAKMP_CFG_LOGIN:
+- ut.ut_type = USER_PROCESS;
+- strncpy(ut.ut_user, usr, sizeof ut.ut_user);
++ strncpy(ut.ut_name, usr, UT_NAMESIZE);
++ ut.ut_name[UT_NAMESIZE - 1] = '\0';
++
++ strncpy(ut.ut_line, term, UT_LINESIZE);
++ ut.ut_line[UT_LINESIZE - 1] = '\0';
+ 
+ GETNAMEINFO_NULL(raddr, addr);
+- strncpy(ut.ut_host, addr, sizeof ut.ut_host);
++ strncpy(ut.ut_host, addr, UT_HOSTSIZE);
++ ut.ut_host[UT_HOSTSIZE - 1] = '\0';
++
++ ut.ut_time = time(NULL);
+ 
+ plog(LLV_INFO, LOCATION, NULL,
+ "Accounting : '%s' logging on '%s' from %s.\n",
+- ut.ut_user, ut.ut_id, addr);
+-
+- pututxline(&ut);
++ ut.ut_name, ut.ut_line, ut.ut_host);
+ 
++ login(&ut);
++
+ break;
+ case ISAKMP_CFG_LOGOUT:
+- ut.ut_type = DEAD_PROCESS;
+ 
+ plog(LLV_INFO, LOCATION, NULL,
+ "Accounting : '%s' unlogging from '%s'.\n",
+- usr, ut.ut_id);
+-
+- pututxline(&ut);
++ usr, term);
+ 
++ logout(term);
++
+ break;
+ default:
+ plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
diff --git a/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
new file mode 100644
index 000000000..443d38d5e
--- /dev/null
+++ b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
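Review bot: `sprintf(term, TERMSPEC, port)` replaces a bounded `snprintf` with an unbounded write into a `UT_LINESIZE` buffer; keep it bounded with `snprintf(term, sizeof term, TERMSPEC, port);`. The `memset(&ut, 0, sizeof ut)` the patch removes has no replacement, so `ut` is now an uninitialized stack struct and every field this function does not assign (on glibc that includes ut_id, ut_exit, ut_session and ut_addr_v6) is written into utmp/wtmp by `login(&ut)` as stack garbage; add `memset(&ut, 0, sizeof ut);` right after the declarations. `login()`/`logout()` come from libutil on glibc, so the link line presumably needs `-lutil` somewhere not shown here. The enclosing `isakmp_cfg_accounting_system` continues past the hunk.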
@@ -0,0 +1,13 @@
+--- a/src/racoon/ipsec_doi.c
++++ b/src/racoon/ipsec_doi.c
+@@ -3582,8 +3582,8 @@ ipsecdoi_checkid1(iph1)
+ iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
+ if (id_b->type != IPSECDOI_ID_IPV4_ADDR
+ && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
+- plog(LLV_ERROR, LOCATION, NULL,
+- "Expecting IP address type in main mode, "
++ plog(LLV_WARNING, LOCATION, NULL,
++ "Expecting IP address type in main mode (RFC2409) , "
+ "but %s.\n", s_ipsecdoi_ident(id_b->type));
+ return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ }
diff --git a/net/ipsec-tools/patches/005-isakmp-fix.patch b/net/ipsec-tools/patches/005-isakmp-fix.patch
new file mode 100644
index 000000000..f7aa3c26c
--- /dev/null
+++ b/net/ipsec-tools/patches/005-isakmp-fix.patch
@@ -0,0 +1,11 @@
+--- a/src/racoon/isakmp.c
++++ b/src/racoon/isakmp.c
+@@ -31,6 +31,8 @@
+ * SUCH DAMAGE.
+ */
+ 
++#define __packed __attribute__((__packed__))
++
+ #include "config.h"
+ 
+ #include
diff --git a/net/ipsec-tools/patches/006-linux-3.7-compat.patch b/net/ipsec-tools/patches/006-linux-3.7-compat.patch
new file mode 100644
index 000000000..46b11ee51
--- /dev/null
+++ b/net/ipsec-tools/patches/006-linux-3.7-compat.patch
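Review bot: This patch only lowers the severity of the rejection (`LLV_ERROR` to `LLV_WARNING`) while the `return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` that follows is untouched, so a non-address ID in main mode with PSK is still refused exactly as before; the whole 13-line patch is visible here, so either the file name promises a behaviour change it does not make or a hunk was lost. If the intent is to accept FQDN IDs from Windows peers, that is a deliberate deviation from the RFC 2409 rule that main-mode PSK peers are identified by address and should be an explicit, ideally configurable, change with a comment at this check rather than a silent one. The new string also carries a stray space before the comma: `"Expecting IP address type in main mode (RFC2409), "`.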
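Review bot: The unconditional `#define __packed` becomes a macro redefinition wherever a system header already provides one (BSD `sys/cdefs.h` does, for instance), which is a warning that `-Werror` turns into an error and a potential conflicting expansion otherwise; guard it with `#ifndef __packed` / `#define __packed __attribute__((__packed__))` / `#endif`. Since it sits before `#include "config.h"`, it also cannot be tied to a configure probe; if other translation units use the same packed structures they presumably need the identical define, so a shared header is the better home.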
@@ -0,0 +1,50 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -74,9 +74,10 @@ case "$host_os" in
+ [ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
+ 
+ AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
+- [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
+- KERNEL_INCLUDE=/usr/src/linux/include ,
+- [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
++ [ AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, ,
++ [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
++ KERNEL_INCLUDE=/usr/src/linux/include ,
++ [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ] )
+ AC_SUBST(KERNEL_INCLUDE)
+ # We need the configure script to run with correct kernel headers.
+ # However we don't want to point to kernel source tree in compile time,
+@@ -643,7 +644,14 @@ AC_EGREP_CPP(yes,
+ #ifdef SADB_X_EXT_NAT_T_TYPE
+ yes
+ #endif
+-], [kernel_natt="yes"])
++], [kernel_natt="yes"], [
++ AC_EGREP_CPP(yes,
++ [#include
++ #ifdef SADB_X_EXT_NAT_T_TYPE
++ yes
++ #endif
++ ], [kernel_natt="yes"])
++])
+ ;;
+ freebsd*|netbsd*)
+ # NetBSD case
+--- a/src/include-glibc/Makefile.am
++++ b/src/include-glibc/Makefile.am
+@@ -1,14 +1,7 @@
+-
+-.includes: ${top_builddir}/config.status
+- ln -snf $(KERNEL_INCLUDE)/linux
+- touch .includes
+-
+-all: .includes
+-
+ EXTRA_DIST = \
+ glibc-bugs.h \
+ net/pfkeyv2.h \
+ netinet/ipsec.h \
+ sys/queue.h
+ 
+-DISTCLEANFILES = .includes linux
++DISTCLEANFILES = linux
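Review bot: The new `AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, , ...)` only records that the uapi copy exists; `KERNEL_INCLUDE` still points at the plain `include` directory and nothing in this hunk adds the `uapi` path to CPPFLAGS, so whether `linux/pfkeyv2.h` resolves at compile time now depends on the toolchain's installed headers (plausible on OpenWrt, but not expressed anywhere here). Combined with dropping the `ln -snf $(KERNEL_INCLUDE)/linux` symlink from `src/include-glibc/Makefile.am`, the configure-time probe and the actual compile may be reading different header sets; a comment at the probe saying that the toolchain headers are authoritative and the uapi check is only a sanity check would make that explicit. `DISTCLEANFILES = linux` is now stale, since nothing left in this Makefile.am creates the `linux` symlink; drop it.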