Merge pull request #5054 from lucize/libreswan

libreswan: add libreswan 3.27

net/libreswan/Makefile

@@ -0,0 +1,125 @@
+#
+# Copyright (C) 2019 Lucian Cristian <lucian.cristian@gmail.com>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libreswan
+PKG_VERSION:=3.27
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://download.libreswan.org/
+PKG_HASH:=ead07dd701116094b483dc57e54e2a5ee9a06d3982bb142260bcbf3d1faf7b82
+
+PKG_LICENSE:=GPL-2.0
+PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
+
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+define Package/libreswan/Default
+  TITLE:=Libreswan
+  URL:=https://libreswan.org/
+endef
+
+define Package/libreswan/Default/description
+ Libreswan is a free software implementation of the most widely supported and
+ standardized VPN protocol based on ("IPsec") and the Internet Key Exchange
+ ("IKE"). These standards are produced and maintained by the Internet
+ Engineering Task Force ("IETF").
+endef
+
+define Package/libreswan
+$(call Package/libreswan/Default)
+  SUBMENU:=VPN
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:= +kmod-libreswan +libnss +librt +libevent2 +libevent2-pthreads \
+	    +ip-full
+  PROVIDES:=openswan
+  CONFLICTS:=strongswan
+  TITLE+= IPsec Server
+endef
+
+define Package/libreswan/description
+$(call Package/libreswan/Default/description)
+ Libreswan is a free software implementation of the most widely supported and
+ standardized VPN protocol based on ("IPsec") and the Internet Key Exchange
+ ("IKE"). These standards are produced and maintained by the Internet
+ Engineering Task Force ("IETF").
+endef
+
+define KernelPackage/libreswan
+$(call Package/libreswan/Default)
+  SUBMENU:=Network Support
+  TITLE+= (kernel module)
+  FILES:=$(PKG_BUILD_DIR)/modobj*/ipsec.$(LINUX_KMOD_SUFFIX)
+  DEPENDS:= +kmod-crypto-authenc +kmod-crypto-hash +kmod-ipt-ipsec +iptables-mod-ipsec \
+	    +kmod-ipsec +kmod-ipsec4 +kmod-crypto-rng +IPV6:kmod-ipsec6
+endef
+
+define KernelPackage/libreswan/description
+$(call Package/libreswan/Default/description)
+ This package contains the Libreswan kernel module.
+endef
+
+define Package/libreswan/conffiles
+/etc/ipsec.d
+/etc/ipsec.conf
+/etc/ipsec.secrets
+endef
+
+TARGET_CFLAGS+= -Wno-error=format-nonliteral
+MAKE_FLAGS+= \
+    WERROR_CFLAGS=" " \
+    USE_DNSSEC=false \
+    USE_LINUX_AUDIT=false \
+    USE_LABELED_IPSEC=false \
+    USE_NM=false \
+    USE_LIBCURL=false \
+    USE_GLIBC_KERN_FLIP_HEADERS=true \
+    USE_XAUTHPAM=false \
+    USE_FIPSCHECK=false \
+    USE_LIBCAP_NG=false \
+    USE_SYSTEMD_WATCHDOG=false \
+    INC_USRLOCAL="/usr" \
+    FINALRUNDIR="/var/run/pluto" \
+    KERNELSRC="$(LINUX_DIR)"
+
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	$(SED) 's,include $$$$(top_srcdir)/mk/manpages.mk,,g' \
+            $(PKG_BUILD_DIR)/mk/program.mk
+endef
+
+define Build/Compile
+	$(call Build/Compile/Default,base)
+	$(call Build/Compile/Default,module)
+endef
+
+define Package/libreswan/install
+	$(INSTALL_DIR) \
+	 $(1)/etc/init.d \
+	 $(1)/etc/ipsec.d/policies \
+	 $(1)/usr/libexec/ipsec \
+	 $(1)/usr/sbin
+
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec  \
+	    $(1)/usr/sbin/ipsec
+	$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
+	$(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
+	$(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \
+	     $(1)/etc/ipsec.d/policies/
+	$(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \
+	    $(1)/usr/libexec/ipsec/
+endef
+
+$(eval $(call BuildPackage,libreswan))
+$(eval $(call KernelPackage,libreswan))

net/libreswan/files/ipsec.conf

@@ -0,0 +1,46 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+#
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
+
+config setup
+        # Normally, pluto logs via syslog.
+        #logfile=/var/log/pluto.log
+        #
+        # Do not enable debug options to debug configuration issues!
+        #
+        # plutodebug="control parsing"
+        # plutodebug="all crypt"
+        plutodebug=none
+        #
+        # NAT-TRAVERSAL support
+        # exclude networks used on server side by adding %v4:!a.b.c.0/24
+        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
+        # using 25/8 as "private" address space on their wireless networks.
+        # This range has never been announced via BGP (at least up to 2015)
+        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
+
+# if it exists, include system wide crypto-policy defaults
+# include /etc/crypto-policies/back-ends/libreswan.config
+
+# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
+
+conn L2TP-PSK-NAT
+    rightsubnet=vhost:%priv
+    also=L2TP-PSK-noNAT
+
+conn L2TP-PSK-noNAT
+    authby=secret
+    pfs=no
+    auto=add
+    keyingtries=8
+    ikelifetime=8h
+    keylife=1h
+    type=transport
+    left=A.B.C.D
+    leftprotoport=17/1701
+    right=%any
+    rightprotoport=17/%any
+
+include /etc/ipsec.d/*.conf

net/libreswan/files/ipsec.init

@@ -0,0 +1,207 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=10
+
+#USE_PROCD=1
+
+. $IPKG_INSTROOT/lib/functions.sh
+
+EXTRA_COMMANDS=status
+EXTRA_HELP="	status	Show the status of the service"
+
+# Check that networking is up.
+[ "${NETWORKING}" = "no" ] && exit 6
+
+if [ $(id -u) -ne 0 ]; then
+    echo "permission denied (must be superuser)" | \
+	logger -s -p daemon.error -t ipsec_setup 2>&1
+    exit 4
+fi
+
+# where the private directory and the config files are
+IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
+IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
+IPSEC_CONF="${IPSEC_CONF-/etc/ipsec.conf}"
+unset PLUTO_OPTIONS
+
+rundir=/var/run/pluto
+plutopid=${rundir}/pluto.pid
+plutoctl=${rundir}/pluto.ctl
+lockdir=/var/lock
+lockfile=${lockdir}/ipsec
+ipsecversion=/proc/net/ipsec_version
+kamepfkey=/proc/net/pfkey
+
+# /etc/resolv.conf related paths
+LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
+ORIG_RESOLV_CONF=/etc/resolv.conf
+
+# misc setup
+umask 022
+
+# standardize PATH, and export it for everything else's benefit
+PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
+export PATH
+
+mkdir -p ${rundir}
+chmod 700 ${rundir}
+
+verify_config() {
+	[ -f ${IPSEC_CONF} ] || exit 6
+	config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1)
+	RETVAL=$?
+	if [ ${RETVAL} -gt 0 ]; then
+		echo "Configuration error - the following error occurred:"
+		echo ${config_error}
+		echo "IKE daemon status was not modified"
+		exit ${RETVAL}
+	fi
+}
+
+start() {
+	echo -n "Starting pluto IKE daemon for IPsec: "
+	ipsec _stackmanager start
+	# pluto searches the current directory, so this is required for making it selinux compliant
+	cd /
+	# Create nss db or convert from old format to new sql format
+	ipsec --checknss
+	# Enable nflog if configured
+	ipsec --checknflog > /dev/null
+	# This script will enter an endless loop to ensure pluto restarts on crash
+	ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} & [ -d ${lockdir} ] || mkdir -p ${lockdir}
+	touch ${lockfile}
+	# Because _plutorun starts pluto at background we need to make sure pluto is started
+	# before we know if start was successful or not
+	for waitsec in 1 2 3 4 5; do
+	    if status >/dev/null; then
+		RETVAL=0
+		break
+		else
+		echo -n "."
+		sleep 1
+		RETVAL=1
+	    fi
+	done
+	if [ ${RETVAL} -ge 1 ]; then
+	    rm -f ${lockfile}
+	fi
+	echo
+	return ${RETVAL}
+}
+
+stop() {
+    if [ -e ${plutoctl} ]; then
+	echo "Shutting down pluto IKE daemon"
+	ipsec whack --shutdown 2>/dev/null
+	# don't use seq, might not exist on embedded
+	for waitsec in 1 2 3 4 5 6 7 8 9 10; do
+	    if [ -s ${plutopid} ]; then
+		echo -n "."
+		sleep 1
+	    else
+		break
+	    fi
+	done
+	echo
+	rm -f ${plutoctl} # we won't be using this anymore
+    fi
+    if [ -s ${plutopid} ]; then
+	# pluto did not die peacefully
+	pid=$(cat ${plutopid})
+	if [ -d /proc/${pid} ]; then
+	    kill -TERM ${pid}
+	    RETVAL=$?
+	    sleep 5;
+	    if [ -d /proc/${pid} ]; then
+		kill -KILL ${pid}
+		RETVAL=$?
+	    fi
+	    if [ ${RETVAL} -ne 0 ]; then
+		echo "Kill failed - removing orphaned ${plutopid}"
+	    fi
+	else
+	    echo "Removing orphaned ${plutopid}"
+	fi
+	rm -f ${plutopid}
+    fi
+
+    ipsec _stackmanager stop
+    ipsec --stopnflog > /dev/null
+
+    # cleaning up backup resolv.conf
+    if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
+	if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then
+	    cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF}
+	fi
+	rm -f  ${LIBRESWAN_RESOLV_CONF}
+    fi
+
+    rm -f ${lockfile}
+    return ${RETVAL}
+}
+
+restart() {
+    verify_config
+    stop
+    start
+    return $?
+}
+
+status() {
+    local RC
+    if [ -f ${plutopid} ]; then
+	if [ -r ${plutopid} ]; then
+	    pid=$(cat ${plutopid})
+	    if [ -n "$pid" -a -d /proc/${pid} ]; then
+		RC=0    # running
+	    else
+		RC=1    # not running but pid exists
+	    fi
+	else
+	    RC=4        # insufficient privileges
+	fi
+    fi
+    if [ -z "${RC}" ]; then
+	if [ -f ${lockfile} ]; then
+	    RC=2
+	else
+	    RC=3
+	fi
+    fi
+    case "${RC}" in
+	0)
+	    echo "ipsec: pluto (pid ${pid}) is running..."
+	    return 0
+	    ;;
+	1)
+	    echo "ipsec: pluto dead but pid file exits"
+	    return 1
+	    ;;
+	2)
+	    echo "ipsec: pluto dead but subsys locked"
+	    return 2
+	    ;;
+	4)
+	    echo "ipsec: pluto status unknown due to insufficient privileges."
+	    return 4
+	    ;;
+    esac
+    echo "ipsec: pluto is stopped"
+    return 3
+}
+
+condrestart() {
+    verify_config
+    RETVAL=$?
+    if [ -f ${lockfile} ]; then
+	restart
+	RETVAL=$?
+    fi
+    return ${RETVAL}
+}
+
+version() {
+    ipsec version
+    return $?
+}

net/libreswan/files/ipsec.secrets

@@ -0,0 +1,17 @@
+# This file holds shared secrets (PSK) and XAUTH user passwords used for
+# authentication.  See pluto(8) manpage or the libreswan website.
+
+# Unlike older openswan, this file does NOT contain any X.509 related
+# information such as private key :RSA statements as these now reside
+# in the NSS database. See:
+#
+# https://libreswan.org/wiki/Using_NSS_with_libreswan
+# https://libreswan.org/wiki/Migrating_from_Openswan
+#
+# The preferred method for adding secrets is to create a new file in
+# the /etc/ipsec.d/ directory, so it will be included via the include
+# line below
+
+#A.B.C.D %any : PSK "SsEeCcRrEeTt"
+
+include /etc/ipsec.d/*.secrets