Merge pull request #209 from nmeyerhans/ipsec-tools-0.8.2

ipsec-tools: Re-introduce package ipsec-tools and update to v0.8.2

net/ipsec-tools/Makefile

@@ -0,0 +1,99 @@
+#
+# Copyright (C) 2006-2011 OpenWrt.org
+#               2014 Noah Meyerhans <frodo@morgul.net>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=ipsec-tools
+PKG_VERSION:=0.8.2
+PKG_RELEASE:=1
+PKG_MAINTAINER := "Noah Meyerhans <frodo@morgul.net>"
+PKG_LICENSE := BSD-3-Clause
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=@SF/ipsec-tools
+PKG_MD5SUM:=d53ec14a0a3ece64e09e5e34b3350b41
+
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/ipsec-tools
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=VPN
+  DEPENDS:=+libopenssl +kmod-ipsec
+  TITLE:=IPsec management tools
+  URL:=http://ipsec-tools.sourceforge.net/
+  MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
+endef
+
+CONFIGURE_ARGS += \
+	--enable-shared \
+	--enable-static \
+	--with-kernel-headers="$(LINUX_DIR)/include" \
+	--without-readline \
+	--with-openssl="$(STAGING_DIR)/usr" \
+	--without-libradius \
+	--without-libpam \
+	--enable-dpd \
+	--enable-hybrid \
+	--enable-security-context=no \
+	--enable-natt \
+	--enable-adminport \
+	--enable-frag \
+	 $(call autoconf_bool,CONFIG_IPV6,ipv6)
+
+# override CFLAGS holding "-Werror" that break builds on compile warnings
+MAKE_FLAGS+=\
+	CFLAGS="$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS)"
+
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	chmod -R u+w $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+	(cd $(PKG_BUILD_DIR); touch \
+		configure.ac \
+		aclocal.m4 \
+		Makefile.in \
+		config.h.in \
+		configure \
+	);
+	$(call Build/Configure/Default)
+	echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h
+endef
+
+define Package/ipsec-tools/install
+	$(INSTALL_DIR) $(1)/etc
+	$(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/racoon.conf $(1)/etc/
+	$(SED) 's|@sysconfdir_x@|/etc|g' $(1)/etc/racoon.conf
+	$(INSTALL_DIR) $(1)/etc/racoon
+	$(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/psk.txt $(1)/etc/racoon/
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/
+endef
+
+define Package/ipsec-tools/conffiles
+/etc/racoon.conf
+/etc/racoon/psk.txt
+endef
+
+$(eval $(call BuildPackage,ipsec-tools))

net/ipsec-tools/files/racoon.init

@@ -0,0 +1,17 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2009-2011 OpenWrt.org
+# Copyright (C) 2011 Artem Makhutov
+
+START=49
+
+SERVICE_USE_PID=1
+
+start() {
+	mkdir -m 0700 -p /var/racoon
+	[ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/ipsec.conf
+	service_start /usr/sbin/racoon -f /etc/racoon.conf
+}
+
+stop() {
+	service_stop /usr/sbin/racoon
+}

net/ipsec-tools/patches/001-ipsec-tools-def-psk.patch

@@ -0,0 +1,24 @@
+--- a/src/racoon/oakley.c
++++ b/src/racoon/oakley.c
+@@ -2424,8 +2424,21 @@ oakley_skeyid(iph1)
+ 				plog(LLV_ERROR, LOCATION, iph1->remote,
+ 					"couldn't find the pskey for %s.\n",
+ 					saddrwop2str(iph1->remote));
++			}
++		}
++		if (iph1->authstr == NULL) {
++			/*
++			 * If we could not locate a psk above try and locate
++			 * the default psk, ie, "*".
++			 */
++			iph1->authstr = privsep_getpsk("*", 1);
++			if (iph1->authstr == NULL) {
++				plog(LLV_ERROR, LOCATION, iph1->remote,
++					"couldn't find the the default pskey either.\n");
+ 				goto end;
+ 			}
++			plog(LLV_NOTIFY, LOCATION, iph1->remote,
++					"Using default PSK.\n");
+ 		}
+ 		plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
+ 		/* should be secret PSK */

net/ipsec-tools/patches/001-no_libfl.patch

@@ -0,0 +1,22 @@
+--- a/src/racoon/cftoken.l
++++ b/src/racoon/cftoken.l
+@@ -104,6 +104,8 @@ static struct include_stack {
+ static int incstackp = 0;
+ 
+ static int yy_first_time = 1;
++
++int yywrap(void) { return 1; }
+ %}
+ 
+ /* common seciton */
+--- a/src/setkey/token.l
++++ b/src/setkey/token.l
+@@ -86,6 +86,8 @@
+ #if defined(SADB_X_EALG_AES) && ! defined(SADB_X_EALG_AESCBC)
+ #define SADB_X_EALG_AESCBC  SADB_X_EALG_AES
+ #endif
++
++int yywrap(void) { return 1; }
+ %}
+ 
+ /* common section */

net/ipsec-tools/patches/002-patch8-utmp.patch

@@ -0,0 +1,72 @@
+--- a/src/racoon/isakmp_cfg.c
++++ b/src/racoon/isakmp_cfg.c
+@@ -38,7 +38,7 @@
+ #include <sys/socket.h>
+ #include <sys/queue.h>
+ 
+-#include <utmpx.h>
++#include <utmp.h>
+ #if defined(__APPLE__) && defined(__MACH__)
+ #include <util.h>
+ #endif
+@@ -1661,7 +1661,8 @@ isakmp_cfg_accounting_system(port, raddr
+ 	int inout;
+ {
+ 	int error = 0;
+-	struct utmpx ut;
++	struct utmp ut;
++	char term[UT_LINESIZE];
+ 	char addr[NI_MAXHOST];
+ 	
+ 	if (usr == NULL || usr[0]=='\0') {
+@@ -1670,34 +1671,37 @@ isakmp_cfg_accounting_system(port, raddr
+ 		return -1;
+ 	}
+ 
+-	memset(&ut, 0, sizeof ut);
+-	gettimeofday((struct timeval *)&ut.ut_tv, NULL);
+-	snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
++	sprintf(term, TERMSPEC, port);
+ 
+ 	switch (inout) {
+ 	case ISAKMP_CFG_LOGIN:
+-		ut.ut_type = USER_PROCESS;
+-		strncpy(ut.ut_user, usr, sizeof ut.ut_user);
++		strncpy(ut.ut_name, usr, UT_NAMESIZE);
++		ut.ut_name[UT_NAMESIZE - 1] = '\0';
++		
++		strncpy(ut.ut_line, term, UT_LINESIZE);
++		ut.ut_line[UT_LINESIZE - 1] = '\0';
+ 
+ 		GETNAMEINFO_NULL(raddr, addr);
+-		strncpy(ut.ut_host, addr, sizeof ut.ut_host);
++		strncpy(ut.ut_host, addr, UT_HOSTSIZE);
++		ut.ut_host[UT_HOSTSIZE - 1] = '\0';
++
++		ut.ut_time = time(NULL);
+ 
+ 		plog(LLV_INFO, LOCATION, NULL,
+ 			"Accounting : '%s' logging on '%s' from %s.\n",
+-			ut.ut_user, ut.ut_id, addr);
+-
+-		pututxline(&ut);
++			ut.ut_name, ut.ut_line, ut.ut_host);
+ 
++		login(&ut);
++		
+ 		break;
+ 	case ISAKMP_CFG_LOGOUT:	
+-		ut.ut_type = DEAD_PROCESS;
+ 
+ 		plog(LLV_INFO, LOCATION, NULL,
+ 			"Accounting : '%s' unlogging from '%s'.\n",
+-			usr, ut.ut_id);
+-
+-		pututxline(&ut);
++			usr, term);
+ 
++		logout(term);
++		
+ 		break;
+ 	default:
+ 		plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");

net/ipsec-tools/patches/003-microsoft-fqdn-in-main.patch

@@ -0,0 +1,13 @@
+--- a/src/racoon/ipsec_doi.c
++++ b/src/racoon/ipsec_doi.c
+@@ -3582,8 +3582,8 @@ ipsecdoi_checkid1(iph1)
+ 	    iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
+ 		 if (id_b->type != IPSECDOI_ID_IPV4_ADDR
+ 		  && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
+-			plog(LLV_ERROR, LOCATION, NULL,
+-				"Expecting IP address type in main mode, "
++			plog(LLV_WARNING, LOCATION, NULL,
++				"Expecting IP address type in main mode (RFC2409) , "
+ 				"but %s.\n", s_ipsecdoi_ident(id_b->type));
+ 			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
+ 		}

net/ipsec-tools/patches/005-isakmp-fix.patch

@@ -0,0 +1,11 @@
+--- a/src/racoon/isakmp.c
++++ b/src/racoon/isakmp.c
+@@ -31,6 +31,8 @@
+  * SUCH DAMAGE.
+  */
+ 
++#define __packed __attribute__((__packed__))
++
+ #include "config.h"
+ 
+ #include <sys/types.h>

net/ipsec-tools/patches/006-linux-3.7-compat.patch

@@ -0,0 +1,50 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -74,9 +74,10 @@ case "$host_os" in
+ 	    [ KERNEL_INCLUDE="/lib/modules/`uname -r`/build/include" ])
+ 
+     AC_CHECK_HEADER($KERNEL_INCLUDE/linux/pfkeyv2.h, ,
+-	[ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
+-	  KERNEL_INCLUDE=/usr/src/linux/include ,
+-	  [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] )
++	[ AC_CHECK_HEADER($KERNEL_INCLUDE/uapi/linux/pfkeyv2.h, ,
++	  [ AC_CHECK_HEADER(/usr/src/linux/include/linux/pfkeyv2.h,
++	    KERNEL_INCLUDE=/usr/src/linux/include ,
++	    [ AC_MSG_ERROR([Unable to find linux-2.6 kernel headers. Aborting.]) ] ) ] ) ] )
+     AC_SUBST(KERNEL_INCLUDE)
+     # We need the configure script to run with correct kernel headers.
+     # However we don't want to point to kernel source tree in compile time,
+@@ -643,7 +644,14 @@ AC_EGREP_CPP(yes,
+ #ifdef SADB_X_EXT_NAT_T_TYPE
+ yes
+ #endif
+-], [kernel_natt="yes"])
++], [kernel_natt="yes"], [
++  AC_EGREP_CPP(yes,
++  [#include <uapi/linux/pfkeyv2.h>
++  #ifdef SADB_X_EXT_NAT_T_TYPE
++  yes
++  #endif
++  ], [kernel_natt="yes"])
++])
+ 	;;
+ freebsd*|netbsd*)
+ # NetBSD case
+--- a/src/include-glibc/Makefile.am
++++ b/src/include-glibc/Makefile.am
+@@ -1,14 +1,7 @@
+-
+-.includes: ${top_builddir}/config.status
+-	ln -snf $(KERNEL_INCLUDE)/linux
+-	touch .includes
+-
+-all: .includes
+-
+ EXTRA_DIST = \
+   glibc-bugs.h \
+   net/pfkeyv2.h \
+   netinet/ipsec.h \
+   sys/queue.h
+ 
+-DISTCLEANFILES = .includes linux
++DISTCLEANFILES = linux

net/ipsec-tools/patches/force_HAVE_POLICY_FWD

@@ -0,0 +1,14 @@
+diff --git a/configure.ac b/configure.ac
+index 8506245..eca8895 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -724,7 +724,8 @@ case $host in
+ 			],
+ 			[AC_MSG_RESULT(yes)
+ 			 AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],
+-			[AC_MSG_RESULT(no)])
++			[AC_MSG_RESULT(forced)
++			 AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])])
+ 		;;
+ 	*)
+ 		AC_MSG_RESULT(no)