From 5117da79253c79ad49158d3419e8d87fb1d5ef03 Mon Sep 17 00:00:00 2001
From: Noah Meyerhans
Date: Fri, 15 Aug 2014 22:01:52 -0700
Subject: [PATCH 1/4] net/ipsec-tools: Import net/ipsec-tools from oldpackages

Signed-off-by: Noah Meyerhans
---
 net/ipsec-tools/Makefile | 95 +++++++++++++++++++
 net/ipsec-tools/files/racoon.init | 17 ++++
 .../patches/001-ipsec-tools-def-psk.patch | 24 +++++
 net/ipsec-tools/patches/001-no_libfl.patch | 22 +++++
 net/ipsec-tools/patches/002-patch8-utmp.patch | 72 ++++++++++++++
 .../patches/003-microsoft-fqdn-in-main.patch | 13 +++
 net/ipsec-tools/patches/005-isakmp-fix.patch | 11 +++
 .../patches/006-linux-3.7-compat.patch | 50 ++++++++++
 8 files changed, 304 insertions(+)
 create mode 100644 net/ipsec-tools/Makefile
 create mode 100644 net/ipsec-tools/files/racoon.init
 create mode 100644 net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch
 create mode 100644 net/ipsec-tools/patches/001-no_libfl.patch
 create mode 100644 net/ipsec-tools/patches/002-patch8-utmp.patch
 create mode 100644 net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch
 create mode 100644 net/ipsec-tools/patches/005-isakmp-fix.patch
 create mode 100644 net/ipsec-tools/patches/006-linux-3.7-compat.patch

diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile
new file mode 100644
index 000000000..fdbf06d48
--- /dev/null
+++ b/net/ipsec-tools/Makefile
@@ -0,0 +1,95 @@ +# +# Copyright (C) 2006-2011 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk +include $(INCLUDE_DIR)/kernel.mk + +PKG_NAME:=ipsec-tools +PKG_VERSION:=0.8.1 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 +PKG_SOURCE_URL:=@SF/ipsec-tools +PKG_MD5SUM:=d38b39f291ba2962387c3232e7335dd8 + +PKG_BUILD_PARALLEL:=1 +PKG_INSTALL:=1 + +PKG_FIXUP:=autoreconf + +include $(INCLUDE_DIR)/package.mk + +define Package/ipsec-tools + SECTION:=net + CATEGORY:=Network + SUBMENU:=VPN + DEPENDS:=+libopenssl +kmod-ipsec + TITLE:=IPsec management tools + URL:=http://ipsec-tools.sourceforge.net/ +endef + +CONFIGURE_ARGS += \ + --enable-shared \ + --enable-static \ + --with-kernel-headers="$(LINUX_DIR)/include" \ + --without-readline \ + --with-openssl="$(STAGING_DIR)/usr" \ + --without-libradius \ + --without-libpam \ + --enable-dpd \ + --enable-hybrid \ + --enable-security-context=no \ + --enable-natt \ + --enable-adminport \ + --enable-frag \ + $(call autoconf_bool,CONFIG_IPV6,ipv6) + +# override CFLAGS holding "-Werror" that break builds on compile warnings +MAKE_FLAGS+=\ + CFLAGS="$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)" + +define Build/Prepare + $(call Build/Prepare/Default) + chmod -R u+w $(PKG_BUILD_DIR) +endef + +define Build/Configure + (cd $(PKG_BUILD_DIR); touch \ + configure.ac \ + aclocal.m4 \ + Makefile.in \ + config.h.in \ + configure \ + ); + $(call Build/Configure/Default) + echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h +endef + +define Package/ipsec-tools/install + $(INSTALL_DIR) $(1)/etc + $(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/racoon.conf $(1)/etc/ + $(SED) 's|@sysconfdir_x@|/etc|g' $(1)/etc/racoon.conf + $(INSTALL_DIR) $(1)/etc/racoon + $(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/psk.txt $(1)/etc/racoon/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) 
./files/racoon.init $(1)/etc/init.d/racoon + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/ +endef + +define Package/ipsec-tools/conffiles +/etc/racoon.conf +/etc/racoon/psk.txt +endef + +$(eval $(call BuildPackage,ipsec-tools)) diff --git a/net/ipsec-tools/files/racoon.init b/net/ipsec-tools/files/racoon.init new file mode 100644 index 000000000..d539b363f --- /dev/null +++ b/net/ipsec-tools/files/racoon.init @@ -0,0 +1,17 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2009-2011 OpenWrt.org +# Copyright (C) 2011 Artem Makhutov + +START=49 + +SERVICE_USE_PID=1 + +start() { + mkdir -m 0700 -p /var/racoon + [ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/ipsec.conf + service_start /usr/sbin/racoon -f /etc/racoon.conf +} + +stop() { + service_stop /usr/sbin/racoon +} diff --git a/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch new file mode 100644 index 000000000..db5b3064d --- /dev/null +++ b/net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch 
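Review bot: `Package/ipsec-tools/install` copies upstream's `src/racoon/samples/racoon.conf` and `src/racoon/samples/psk.txt` to `/etc/racoon.conf` and `/etc/racoon/psk.txt` as the live configuration, and the racoon.init added in the same commit starts racoon with `-f /etc/racoon.conf`. If the sample psk.txt carries upstream's example keys (its content is not visible here), a fresh install would accept publicly known pre-shared keys until the administrator edits the file; installing an empty or fully commented-out psk.txt from `./files/` would avoid that. Separately, `PKG_MD5SUM` is the only integrity check on the tarball fetched from `@SF/ipsec-tools`, and MD5 is not collision-resistant, so a stronger digest is worth using if the build system accepts one.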
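Review bot: In `start()` the exit status of `/usr/sbin/setkey -f /etc/ipsec.conf` is discarded, so racoon is started even when the SPD policies failed to load, and traffic that was meant to require IPsec may then be sent without it. Failing the start would be safer, e.g. `if [ -f /etc/ipsec.conf ]; then /usr/sbin/setkey -f /etc/ipsec.conf || return 1; fi`. Also, `mkdir -m 0700 -p /var/racoon` only applies the mode when it creates the directory, so a pre-existing `/var/racoon` keeps whatever permissions it had; a `chmod 0700 /var/racoon` after it would make the intent hold. `stop()` leaves the policies and SAs loaded by setkey in place, and a comment saying whether that is intended would help.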
@@ -0,0 +1,24 @@ +--- a/src/racoon/oakley.c ++++ b/src/racoon/oakley.c +@@ -2424,8 +2424,21 @@ oakley_skeyid(iph1) + plog(LLV_ERROR, LOCATION, iph1->remote, + "couldn't find the pskey for %s.\n", + saddrwop2str(iph1->remote)); ++ } ++ } ++ if (iph1->authstr == NULL) { ++ /* ++ * If we could not locate a psk above try and locate ++ * the default psk, ie, "*". ++ */ ++ iph1->authstr = privsep_getpsk("*", 1); ++ if (iph1->authstr == NULL) { ++ plog(LLV_ERROR, LOCATION, iph1->remote, ++ "couldn't find the the default pskey either.\n"); + goto end; + } ++ plog(LLV_NOTIFY, LOCATION, iph1->remote, ++ "Using default PSK.\n"); + } + plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n"); + /* should be secret PSK */ diff --git a/net/ipsec-tools/patches/001-no_libfl.patch b/net/ipsec-tools/patches/001-no_libfl.patch new file mode 100644 index 000000000..b56b596ba --- /dev/null +++ b/net/ipsec-tools/patches/001-no_libfl.patch @@ -0,0 +1,22 @@ +--- a/src/racoon/cftoken.l ++++ b/src/racoon/cftoken.l +@@ -104,6 +104,8 @@ static struct include_stack { + static int incstackp = 0; + + static int yy_first_time = 1; ++ ++int yywrap(void) { return 1; } + %} + + /* common seciton */ +--- a/src/setkey/token.l ++++ b/src/setkey/token.l +@@ -86,6 +86,8 @@ + #if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC) + #define SADB_X_EALG_AESCBC SADB_X_EALG_AES + #endif ++ ++int yywrap(void) { return 1; } + %} + + /* common section */ diff --git a/net/ipsec-tools/patches/002-patch8-utmp.patch b/net/ipsec-tools/patches/002-patch8-utmp.patch new file mode 100644 index 000000000..16dc9237c --- /dev/null +++ b/net/ipsec-tools/patches/002-patch8-utmp.patch 
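Review bot: The fallback to `privsep_getpsk("*", 1)` in `oakley_skeyid` means every peer without its own entry in the PSK file is authenticated with one shared key, so the key no longer identifies the peer and a single leak exposes all such peers. The fallback is unconditional once a `*` entry exists; gating it behind an explicit configuration option, and documenting it next to the shipped psk.txt, would make it opt-in. The existing `plog(LLV_ERROR, ...)` with "couldn't find the pskey for %s." still fires before the fallback is tried, so a negotiation that then succeeds with the default key leaves an error entry; it should be demoted or emitted only when the fallback also fails. The new message contains a typo, `the the`. The body of oakley_skeyid starts and ends outside the hunk.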
@@ -0,0 +1,72 @@ +--- a/src/racoon/isakmp_cfg.c ++++ b/src/racoon/isakmp_cfg.c +@@ -38,7 +38,7 @@ + #include + #include + +-#include ++#include + #if defined(__APPLE__) && defined(__MACH__) + #include + #endif +@@ -1661,7 +1661,8 @@ isakmp_cfg_accounting_system(port, raddr + int inout; + { + int error = 0; +- struct utmpx ut; ++ struct utmp ut; ++ char term[UT_LINESIZE]; + char addr[NI_MAXHOST]; + + if (usr == NULL || usr[0]=='\0') { +@@ -1670,34 +1671,37 @@ isakmp_cfg_accounting_system(port, raddr + return -1; + } + +- memset(&ut, 0, sizeof ut); +- gettimeofday((struct timeval *)&ut.ut_tv, NULL); +- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port); ++ sprintf(term, TERMSPEC, port); + + switch (inout) { + case ISAKMP_CFG_LOGIN: +- ut.ut_type = USER_PROCESS; +- strncpy(ut.ut_user, usr, sizeof ut.ut_user); ++ strncpy(ut.ut_name, usr, UT_NAMESIZE); ++ ut.ut_name[UT_NAMESIZE - 1] = '\0'; ++ ++ strncpy(ut.ut_line, term, UT_LINESIZE); ++ ut.ut_line[UT_LINESIZE - 1] = '\0'; + + GETNAMEINFO_NULL(raddr, addr); +- strncpy(ut.ut_host, addr, sizeof ut.ut_host); ++ strncpy(ut.ut_host, addr, UT_HOSTSIZE); ++ ut.ut_host[UT_HOSTSIZE - 1] = '\0'; ++ ++ ut.ut_time = time(NULL); + + plog(LLV_INFO, LOCATION, NULL, + "Accounting : '%s' logging on '%s' from %s.\n", +- ut.ut_user, ut.ut_id, addr); +- +- pututxline(&ut); ++ ut.ut_name, ut.ut_line, ut.ut_host); + ++ login(&ut); ++ + break; + case ISAKMP_CFG_LOGOUT: +- ut.ut_type = DEAD_PROCESS; + + plog(LLV_INFO, LOCATION, NULL, + "Accounting : '%s' unlogging from '%s'.\n", +- usr, ut.ut_id); +- +- pututxline(&ut); ++ usr, term); + ++ logout(term); ++ + break; + default: + plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n"); diff --git a/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch new file mode 100644 index 000000000..443d38d5e --- /dev/null +++ b/net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch 
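Review bot: In `isakmp_cfg_accounting_system` the patch drops `memset(&ut, 0, sizeof ut);`, so `struct utmp ut` reaches `login(&ut)` with every field other than ut_name, ut_line, ut_host and ut_time holding uninitialized stack bytes, which can end up in the utmp/wtmp records. It also replaces the bounded `snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port)` with `sprintf(term, TERMSPEC, port)` into `char term[UT_LINESIZE]`; TERMSPEC is defined outside the hunk, so the bound cannot be confirmed from here. Keep `memset(&ut, 0, sizeof ut);` before the switch and use `snprintf(term, sizeof term, TERMSPEC, port);`. The function starts and ends outside the hunk.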
@@ -0,0 +1,13 @@ +--- a/src/racoon/ipsec_doi.c ++++ b/src/racoon/ipsec_doi.c +@@ -3582,8 +3582,8 @@ ipsecdoi_checkid1(iph1) + iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) { + if (id_b->type != IPSECDOI_ID_IPV4_ADDR + && id_b->type != IPSECDOI_ID_IPV6_ADDR) { +- plog(LLV_ERROR, LOCATION, NULL, +- "Expecting IP address type in main mode, " ++ plog(LLV_WARNING, LOCATION, NULL, ++ "Expecting IP address type in main mode (RFC2409) , " + "but %s.\n", s_ipsecdoi_ident(id_b->type)); + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } diff --git a/net/ipsec-tools/patches/005-isakmp-fix.patch b/net/ipsec-tools/patches/005-isakmp-fix.patch new file mode 100644 index 000000000..f7aa3c26c --- /dev/null +++ b/net/ipsec-tools/patches/005-isakmp-fix.patch @@ -0,0 +1,11 @@ +--- a/src/racoon/isakmp.c ++++ b/src/racoon/isakmp.c +@@ -31,6 +31,8 @@ + * SUCH DAMAGE. + */ + ++#define __packed __attribute__((__packed__)) ++ + #include "config.h" + + #include diff --git a/net/ipsec-tools/patches/006-linux-3.7-compat.patch b/net/ipsec-tools/patches/006-linux-3.7-compat.patch new file mode 100644 index 000000000..46b11ee51 --- /dev/null +++ b/net/ipsec-tools/patches/006-linux-3.7-compat.patch 
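Review bot: A rejected phase 1 identity in `ipsecdoi_checkid1` is now logged at `LLV_WARNING` instead of `LLV_ERROR`, while the code still returns `ISAKMP_NTYPE_INVALID_ID_INFORMATION`, so alerting that keys on error-level racoon messages will stop seeing these failed negotiations. The patch name (`003-microsoft-fqdn-in-main`) suggests a behavior change that the visible hunk does not make; a short header comment in the patch file stating that only the log severity changes, and why, would prevent that misreading. The message text also gained a stray space before the comma in `(RFC2409) , `. The function continues outside the hunk.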
@@ -0,0 +1,50 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -74,9 +74,10 @@ case "$host_os" in + [ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ]) + + AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, , +- [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h, +- KERNEL_INCLUDE=/usr/src/linux/include , +- [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ++ [ AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, , ++ [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h, ++ KERNEL_INCLUDE=/usr/src/linux/include , ++ [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ] ) + AC_SUBST(KERNEL_INCLUDE) + # We need the configure script to run with correct kernel headers. + # However we don't want to point to kernel source tree in compile time, +@@ -643,7 +644,14 @@ AC_EGREP_CPP(yes, + #ifdef SADB_X_EXT_NAT_T_TYPE + yes + #endif +-], [kernel_natt="yes"]) ++], [kernel_natt="yes"], [ ++ AC_EGREP_CPP(yes, ++ [#include ++ #ifdef SADB_X_EXT_NAT_T_TYPE ++ yes ++ #endif ++ ], [kernel_natt="yes"]) ++]) + ;; + freebsd*|netbsd*) + # NetBSD case +--- a/src/include-glibc/Makefile.am ++++ b/src/include-glibc/Makefile.am +@@ -1,14 +1,7 @@ +- +-.includes: ${top_builddir}/config.status +- ln -snf $(KERNEL_INCLUDE)/linux +- touch .includes +- +-all: .includes +- + EXTRA_DIST = \ + glibc-bugs.h \ + net/pfkeyv2.h \ + netinet/ipsec.h \ + sys/queue.h + +-DISTCLEANFILES = .includes linux ++DISTCLEANFILES = linux From 5639066c121ba14ed7f4a07d93d3fab140b21f6a Mon Sep 17 00:00:00 2001 From: Noah Meyerhans Date: Fri, 15 Aug 2014 22:02:16 -0700 Subject: [PATCH 2/4] net/ipsec-tools: Update ipsec-tools to 0.8.2 Signed-off-by: Noah Meyerhans --- net/ipsec-tools/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile index fdbf06d48..fbb81cec8 100644 --- a/net/ipsec-tools/Makefile +++ b/net/ipsec-tools/Makefile 
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=ipsec-tools -PKG_VERSION:=0.8.1 +PKG_VERSION:=0.8.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@SF/ipsec-tools -PKG_MD5SUM:=d38b39f291ba2962387c3232e7335dd8 +PKG_MD5SUM:=d53ec14a0a3ece64e09e5e34b3350b41 PKG_BUILD_PARALLEL:=1 PKG_INSTALL:=1 From cc919289a37e66687144dbf5fdb9398a7465e5bc Mon Sep 17 00:00:00 2001 From: Noah Meyerhans Date: Fri, 15 Aug 2014 22:02:24 -0700 Subject: [PATCH 3/4] net/ipsec-tools: Update configure.ac to force HAVE_POLICY_FWD=true, which is appropriate on Linux but not properly detected in the openwrt build currently. Signed-off-by: Noah Meyerhans --- net/ipsec-tools/patches/force_HAVE_POLICY_FWD | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 net/ipsec-tools/patches/force_HAVE_POLICY_FWD diff --git a/net/ipsec-tools/patches/force_HAVE_POLICY_FWD b/net/ipsec-tools/patches/force_HAVE_POLICY_FWD new file mode 100644 index 000000000..24e64458b --- /dev/null +++ b/net/ipsec-tools/patches/force_HAVE_POLICY_FWD @@ -0,0 +1,14 @@ +diff --git a/configure.ac b/configure.ac +index 8506245..eca8895 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -724,7 +724,8 @@ case $host in + ], + [AC_MSG_RESULT(yes) + AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])], +- [AC_MSG_RESULT(no)]) ++ [AC_MSG_RESULT(forced) ++ AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])]) + ;; + *) + AC_MSG_RESULT(no) From da797a7ee1a1d8354a06180931ad3793079d194a Mon Sep 17 00:00:00 2001 From: Noah Meyerhans Date: Sat, 16 Aug 2014 09:52:35 -0700 Subject: [PATCH 4/4] net/ipsec-tools: Update some makefile definitions per https://github.com/openwrt/packages/blob/master/CONTRIBUTING.md to list me as maintainer. Signed-off-by: Noah Meyerhans --- net/ipsec-tools/Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile index fbb81cec8..4131cff4b 100644 
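Review bot: Both outcomes of the forward-policy check in `configure.ac` now run `AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])`, so the probe no longer decides anything and the detection failure mentioned in the commit message stays hidden rather than fixed. Defining the macro once outside the check, with a comment explaining why detection is bypassed for this build, would be clearer than duplicating the `AC_DEFINE` in the failure branch. The file is named `force_HAVE_POLICY_FWD`, without the `NNN-` prefix and `.patch` suffix the other files under `patches/` use, so it is worth confirming that the build applies it, and in the intended order relative to `006-linux-3.7-compat.patch`, which edits the same file. The enclosing `case $host in` block starts and ends outside the hunk.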
--- a/net/ipsec-tools/Makefile +++ b/net/ipsec-tools/Makefile @@ -1,5 +1,6 @@ # # Copyright (C) 2006-2011 OpenWrt.org +# 2014 Noah Meyerhans # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -11,6 +12,8 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=ipsec-tools PKG_VERSION:=0.8.2 PKG_RELEASE:=1 +PKG_MAINTAINER := "Noah Meyerhans " +PKG_LICENSE := BSD-3-Clause PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@SF/ipsec-tools @@ -30,6 +33,7 @@ define Package/ipsec-tools DEPENDS:=+libopenssl +kmod-ipsec TITLE:=IPsec management tools URL:=http://ipsec-tools.sourceforge.net/ + MAINTAINER:=Noah Meyerhans endef CONFIGURE_ARGS += \