Merge pull request #863 from danielg4/master

openconnect: separate out vpnc-scripts and import vpnc

net/openconnect/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openconnect
 PKG_VERSION:=7.04
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/
@@ -29,7 +29,7 @@ endef
 define Package/openconnect
   SECTION:=net
   CATEGORY:=Network
-  DEPENDS:=+libxml2 +kmod-tun +resolveip +OPENCONNECT_OPENSSL:libopenssl +OPENCONNECT_GNUTLS:libgnutls +OPENCONNECT_STOKEN:libstoken
+  DEPENDS:=+libxml2 +kmod-tun +resolveip +vpnc-scripts +OPENCONNECT_OPENSSL:libopenssl +OPENCONNECT_GNUTLS:libgnutls +OPENCONNECT_STOKEN:libstoken
   TITLE:=OpenConnect VPN client (Cisco AnyConnect compatible)
   MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
   URL:=http://www.infradead.org/openconnect/
@@ -65,7 +65,6 @@ define Package/openconnect/install
 	$(INSTALL_DIR) $(1)/etc/openconnect/
 	$(INSTALL_DIR) $(1)/lib/netifd/proto
 	$(INSTALL_BIN) ./files/openconnect.sh $(1)/lib/netifd/proto/
-	$(INSTALL_BIN) ./files/vpnc-script $(1)/lib/netifd/
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/openconnect $(1)/usr/sbin/
 	$(INSTALL_BIN) ./files/openconnect-wrapper $(1)/usr/sbin/

net/openconnect/README

@@ -4,6 +4,7 @@ To setup a VPN connection, add the following to /etc/config/network:
 
 config interface 'MYVPN'
         option proto 'openconnect'
+        option interface 'wan'
         option server 'vpn.example.com'
         option port '4443'
         option username 'test'

net/openconnect/files/openconnect.sh

@@ -10,6 +10,9 @@ proto_openconnect_init_config() {
 	proto_config_add_string "serverhash"
 	proto_config_add_string "authgroup"
 	proto_config_add_string "password"
+	proto_config_add_string "token_mode"
+	proto_config_add_string "token_secret"
+	proto_config_add_string "interface"
 	no_device=1
 	available=1
 }
@@ -17,14 +20,14 @@ proto_openconnect_init_config() {
 proto_openconnect_setup() {
 	local config="$1"
 
-	json_get_vars server port username serverhash authgroup password vgroup token_mode token_secret
+	json_get_vars server port username serverhash authgroup password interface token_mode token_secret
 
 	grep -q tun /proc/modules || insmod tun
 
 	logger -t openconnect "initializing..."
 	serv_addr=
 	for ip in $(resolveip -t 10 "$server"); do
-		( proto_add_host_dependency "$config" "$ip" )
+		( proto_add_host_dependency "$config" "$ip" $interface )
 		serv_addr=1
 	done
 	[ -n "$serv_addr" ] || {
@@ -57,7 +60,8 @@ proto_openconnect_setup() {
 	[ -n "$username" ] && append cmdline "-u $username"
 	[ -n "$password" ] && {
 		umask 077
-		pwfile="/var/run/openconnect-$config.passwd"
+		mkdir -p /var/etc
+		pwfile="/var/etc/openconnect-$config.passwd"
 		echo "$password" > "$pwfile"
 		append cmdline "--passwd-on-stdin"
 	}
@@ -78,7 +82,7 @@ proto_openconnect_setup() {
 proto_openconnect_teardown() {
 	local config="$1"
 
-	pwfile="/var/run/openconnect-$config.passwd"
+	pwfile="/var/etc/openconnect-$config.passwd"
 
 	rm -f $pwfile
 	logger -t openconnect "bringing down openconnect"

net/vpnc-scripts/Makefile

@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2006-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=vpnc-scripts
+PKG_VERSION:=20150116
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/vpnc-scripts
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=VPN configuration script for vpnc and OpenConnect
+  MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
+  SUBMENU:=VPN
+endef
+
+define Package/vpnc-scripts/description
+	This package contains the vpnc-script which is used by vpnc
+	and OpenConnect to configure the tunnel interface.
+endef
+
+define Build/Compile
+endef
+
+define Package/vpnc-scripts/install
+	$(INSTALL_DIR) $(1)/lib/netifd
+	$(INSTALL_BIN) ./files/vpnc-script $(1)/lib/netifd/
+endef
+
+$(eval $(call BuildPackage,vpnc-scripts))

net/vpnc/Config.in

@@ -0,0 +1,18 @@
+# vpnc avanced configuration
+
+menu "Configuration"
+	depends on PACKAGE_vpnc
+
+choice
+	prompt "SSL library"
+	default VPNC_GNUTLS
+
+config VPNC_GNUTLS
+	bool "GnuTLS support"
+
+config VPNC_OPENSSL
+	bool "OpenSSL"
+
+endchoice
+
+endmenu

net/vpnc/Makefile

@@ -0,0 +1,94 @@
+#
+# Copyright (C) 2006-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=vpnc
+PKG_REV:=550
+PKG_VERSION:=0.5.3.r$(PKG_REV)
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://svn.unix-ag.uni-kl.de/vpnc/trunk/
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=$(PKG_REV)
+PKG_SOURCE_PROTO:=svn
+
+PKG_MAINTAINER:=Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
+PKG_LICENSE:=VARIOUS
+PKG_LICENSE_FILES:=COPYING
+
+PKG_CONFIG_DEPENDS:= \
+	CONFIG_VPNC_GNUTLS \
+	CONFIG_VPNC_OPENSSL \
+
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/vpnc/config
+	source "$(SOURCE)/Config.in"
+endef
+
+define Package/vpnc
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+libgpg-error +libgcrypt +kmod-tun +VPNC_OPENSSL:libopenssl +VPNC_GNUTLS:libgnutls +vpnc-scripts +resolveip
+  TITLE:=VPN client for Cisco EasyVPN
+  URL:=http://www.unix-ag.uni-kl.de/~massar/vpnc/
+  SUBMENU:=VPN
+endef
+
+define Package/vpnc/description
+	A VPN client compatible with Cisco's EasyVPN equipment.
+
+	Supports IPSec (ESP) with Mode Configuration and Xauth.  Supports only
+	shared-secret IPSec authentication with Xauth, AES (256, 192, 128),
+	3DES, 1DES, MD5, SHA1, DH1/2/5 and IP tunneling.
+endef
+
+define Package/vpnc/conffiles
+/etc/vpnc/default.conf
+endef
+
+ifeq ($(CONFIG_VPNC_OPENSSL),y)
+define Build/Compile
+	$(call Build/Compile/Default, \
+		OFLAGS="$(TARGET_CFLAGS)" \
+		OS="Linux" VERSION="$(PKG_VERSION)" \
+		STAGING_DIR="$(STAGING_DIR)" \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
+		OPENSSL_GPL_VIOLATION=yes PREFIX=/usr \
+		all install \
+	)
+endef
+else
+define Build/Compile
+	$(call Build/Compile/Default, \
+		OFLAGS="$(TARGET_CFLAGS)" \
+		OS="Linux" VERSION="$(PKG_VERSION)" \
+		STAGING_DIR="$(STAGING_DIR)" \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
+		PREFIX=/usr \
+		all install \
+	)
+endef
+endif
+
+define Package/vpnc/install
+	$(INSTALL_DIR) $(1)/lib/netifd/proto
+	$(INSTALL_BIN) ./files/vpnc.sh $(1)/lib/netifd/proto/
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP)	$(PKG_INSTALL_DIR)/usr/sbin/vpnc \
+		$(PKG_INSTALL_DIR)/usr/sbin/vpnc-disconnect \
+		$(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/etc/vpnc
+	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/vpnc/default.conf $(1)/etc/vpnc/
+	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+	$(INSTALL_DATA) ./files/vpnc.upgrade $(1)/lib/upgrade/keep.d/vpnc
+endef
+
+$(eval $(call BuildPackage,vpnc))

net/vpnc/README

@@ -0,0 +1,39 @@
+The vpnc client expects to be configured using the uci interface.
+
+To setup a VPN connection, add the following to /etc/config/network:
+
+config interface 'MYVPN'
+        option proto 'vpnc'
+        option interface 'wan'
+        option server 'vpn.example.com'
+        option username 'test'
+        option password 'secret' # or:
+        option hexpasswd 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
+        option authgroup 'DEFAULT'
+        option passgroup 'groupsecret' # or:
+        option hexpassgroup '52B0BEAF6605C3CE9BE20A0DC0A0F6240A6FF7EA'
+        option domain 'WORKGROUP'
+        option vendor 'cisco' # or 'netscreen'
+        option natt_mode 'natt' # or 'none' or 'force-natt' or 'cisco-udp'
+        option dh_group 'dh2' # or 'dh1' or 'dh5'
+        option pfs 'server' # or 'nopfs' or 'dh1' or 'dh2' or 'dh5'
+        option enable_single_des '0'
+        option enable_no_enc '0' # '1' to enable unencrypted VPN
+        option mtu '0'
+        option local_addr '0.0.0.0'
+        option local_port '500' # '0' to use a random port
+        option udp_port '10000' # '0' to use a random port
+        option dpd_idle '300'
+        option auth_mode 'psk' # or 'hybrid'
+        option target_network '0.0.0.0/0.0.0.0' # network/netmask or CIDR
+
+The additional file(s) are also used:
+/etc/vpnc/ca-vpn-MYVPN.pem: The server's CA certificate (for auth_mode 'hybrid')
+
+After these are setup you can initiate the VPN using "ifup MYVPN", and
+deinitialize it using ifdown. You may also use the luci web interface
+(Network -> Interfaces -> MYVPN Connect).
+
+Note that you need to configure the firewall to allow communication between
+the MYVPN interface and lan.
+

net/vpnc/files/vpnc.sh

@@ -0,0 +1,98 @@
+#!/bin/sh
+. /lib/functions.sh
+. ../netifd-proto.sh
+init_proto "$@"
+
+proto_vpnc_init_config() {
+	proto_config_add_string "server"
+	proto_config_add_string "username"
+	proto_config_add_string "hexpasswd"
+	proto_config_add_string "authgroup"
+	proto_config_add_string "password"
+	proto_config_add_string "token_mode"
+	proto_config_add_string "token_secret"
+	proto_config_add_string "interface"
+	proto_config_add_string "passgroup"
+	proto_config_add_string "hexpassgroup"
+	proto_config_add_string "domain"
+	proto_config_add_string "vendor"
+	proto_config_add_string "natt_mode"
+	proto_config_add_string "dh_group"
+	proto_config_add_string "pfs"
+	proto_config_add_boolean "enable_single_des"
+	proto_config_add_boolean "enable_no_enc"
+	proto_config_add_int "mtu"
+	proto_config_add_string "local_addr"
+	proto_config_add_int "local_port"
+	proto_config_add_int "udp_port"
+	proto_config_add_int "dpd_idle"
+	proto_config_add_string "auth_mode"
+	proto_config_add_string "target_network"
+	no_device=1
+	available=1
+}
+
+proto_vpnc_setup() {
+	local config="$1"
+
+	json_get_vars server username hexpasswd authgroup password token_mode token_secret interface passgroup hexpassgroup domain vendor natt_mode dh_group pfs enable_single_des enable_no_enc mtu local_addr local_port udp_port dpd_idle auth_mode target_network
+
+	grep -q tun /proc/modules || insmod tun
+
+	logger -t vpnc "initializing..."
+	serv_addr=
+	for ip in $(resolveip -t 10 "$server"); do
+		( proto_add_host_dependency "$config" "$ip" $interface )
+		serv_addr=1
+	done
+	[ -n "$serv_addr" ] || {
+		logger -t vpnc "Could not resolve server address: '$server'"
+		sleep 60
+		proto_setup_failed "$config"
+		exit 1
+	}
+
+	mkdir -p /var/etc
+	umask 077
+	pwfile="/var/etc/vpnc-$config.conf"
+	echo "IPSec gateway $server" > "$pwfile"
+	cmdline="--no-detach --pid-file /var/run/vpnc-$config.pid --ifname vpn-$config --non-inter --script /lib/netifd/vpnc-script $pwfile"
+
+	[ -f /etc/vpnc/ca-vpn-$config.pem ] && echo "CA-File /etc/vpnc/ca-vpn-$config.pem" >> "$pwfile"
+	[ -n "$hexpasswd" ] && echo "Xauth obfuscated password $hexpasswd" >> "$pwfile"
+	[ -n "$authgroup" ] && echo "IPSec ID $authgroup" >> "$pwfile"
+	[ -n "$username" ] && echo "Xauth username $username" >> "$pwfile"
+	[ -n "$password" ] && echo "Xauth password $password" >> "$pwfile"
+	[ -n "$passgroup" ] && echo "IPSec secret $passgroup" >> "$pwfile"
+	[ -n "$hexpassgroup" ] && echo "IPSec obfuscated secret $hexpassgroup" >> "$pwfile"
+	[ -n "$domain" ] && echo "Domain $domain" >> "$pwfile"
+	[ -n "$vendor" ] && echo "Vendor $vendor" >> "$pwfile"
+	[ -n "$natt_mode" ] && echo "NAT Traversal Mode $natt_mode" >> "$pwfile"
+	[ -n "$dh_group" ] && echo "IKE DH Group $dh_group" >> "$pwfile"
+	[ -n "$pfs" ] && echo "Perfect Forward Secrecy $pfs" >> "$pwfile"
+	[ "${enable_single_des:-0}" -gt 0 ] && echo "Enable Single DES" >> "$pwfile"
+	[ "${enable_no_enc:-0}" -gt 0 ] && echo "Enable no encryption" >> "$pwfile"
+	[ -n "$mtu" ] && echo "Interface MTU $mtu" >> "$pwfile"
+	[ -n "$local_addr" ] && echo "Local Addr $local_addr" >> "$pwfile"
+	[ -n "$local_port" ] && echo "Local Port $local_port" >> "$pwfile"
+	[ -n "$udp_port" ] && echo "Cisco UDP Encapsulation Port $udp_port" >> "$pwfile"
+	[ -n "$dpd_idle" ] && echo "DPD idle timeout (our side) $dpd_idle" >> "$pwfile"
+	[ -n "$auth_mode" ] && echo "IKE Authmode $auth_mode" >> "$pwfile"
+	[ -n "$target_network" ] && echo "IPSEC target network $target_network" >> "$pwfile"
+
+	proto_export INTERFACE="$config"
+	logger -t vpnc "executing 'vpnc $cmdline'"
+	proto_run_command "$config" /usr/sbin/vpnc $cmdline
+}
+
+proto_vpnc_teardown() {
+	local config="$1"
+
+	pwfile="/var/etc/vpnc-$config.conf"
+
+	rm -f $pwfile
+	logger -t vpnc "bringing down vpnc"
+	proto_kill_command "$config" 2
+}
+
+add_protocol vpnc

net/vpnc/files/vpnc.upgrade

@@ -0,0 +1,2 @@
+/etc/vpnc/ca-vpn-*.pem
+

net/vpnc/patches/001-cross.patch

@@ -0,0 +1,42 @@
+--- a/Makefile
++++ b/Makefile
+@@ -20,7 +20,7 @@
+ # $Id$
+ 
+ DESTDIR=
+-PREFIX=/usr/local
++PREFIX=/usr
+ ETCDIR=/etc/vpnc
+ BINDIR=$(PREFIX)/bin
+ SBINDIR=$(PREFIX)/sbin
+@@ -57,18 +57,15 @@
+ CRYPTO_OBJS = $(addsuffix .o,$(basename $(CRYPTO_SRCS)))
+ BINOBJS = $(addsuffix .o,$(BINS))
+ BINSRCS = $(addsuffix .c,$(BINS))
+-VERSION := $(shell sh mk-version)
+ RELEASE_VERSION := $(shell cat VERSION)
+ 
+ CC ?= gcc
+-CFLAGS ?= -O3 -g
+ CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings
+-CFLAGS +=  $(shell libgcrypt-config --cflags) $(CRYPTO_CFLAGS)
++CFLAGS += -O3 -I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/include $(OFLAGS) $(CRYPTO_CFLAGS)
+ CPPFLAGS += -DVERSION=\"$(VERSION)\"
+-LDFLAGS ?= -g
+-LIBS += $(shell libgcrypt-config --libs) $(CRYPTO_LDADD)
++LIBS += -L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib -lgcrypt -lgpg-error $(CRYPTO_LDADD)
+ 
+-ifeq ($(shell uname -s), SunOS)
++ifeq ($(OS), SunOS)
+ LIBS += -lnsl -lresolv -lsocket
+ endif
+ ifneq (,$(findstring Apple,$(shell $(CC) --version)))
+@@ -82,7 +79,7 @@
+ 	$(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
+ 
+ vpnc.8 : vpnc.8.template makeman.pl vpnc
+-	./makeman.pl
++	touch vpnc.8
+ 
+ cisco-decrypt : cisco-decrypt.o decrypt-utils.o
+ 	$(CC) $(LDFLAGS) -o $@ $^ $(LIBS)