diff options
author | Hans de Graaff <graaff@gentoo.org> | 2019-06-10 08:39:06 +0200 |
---|---|---|
committer | Hans de Graaff <graaff@gentoo.org> | 2019-06-10 09:26:17 +0200 |
commit | fd812d0ff2a598722bffe33af224ab8eb3b19e97 (patch) | |
tree | 54ae886b0fb54ebb0f6f15edd01d638c75912b6c /net-vpn | |
parent | dev-lang/mono: re-apply minimal libgdiplus common, keep old keywrods (diff) | |
download | gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.tar.gz gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.tar.bz2 gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.zip |
net-vpn/libreswan: backport XFRM detection patch
Backport upstream patch for XFRM detection that was
failing on some kernels due to lack of (optional) XFRM_STAT.
Signed-off-by: Hans de Graaff <graaff@gentoo.org>
Package-Manager: Portage-2.3.66, Repoman-2.3.11
Diffstat (limited to 'net-vpn')
-rw-r--r-- | net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch | 23 | ||||
-rw-r--r-- | net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch | 200 | ||||
-rw-r--r-- | net-vpn/libreswan/libreswan-3.28-r1.ebuild | 117 |
3 files changed, 340 insertions, 0 deletions
diff --git a/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch b/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch new file mode 100644 index 000000000000..69786bba99f0 --- /dev/null +++ b/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch @@ -0,0 +1,23 @@ +From 8c3ba6a5f73ae64aa5171252f54c15d65c9930db Mon Sep 17 00:00:00 2001 +From: Tuomo Soini <tis@foobar.fi> +Date: Fri, 24 May 2019 19:19:12 +0300 +Subject: [PATCH] barf: fix syntax error caused by removing pfkey checks + +Fixes problem introduced in beccfe9f7a40816a9ec663e4076ff051bf4c91cb +--- + programs/barf/barf.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/programs/barf/barf.in b/programs/barf/barf.in +index fce05994cf..9cb92ffc58 100755 +--- a/programs/barf/barf.in ++++ b/programs/barf/barf.in +@@ -170,6 +170,8 @@ if test -r /proc/net/ipsec_tncfg + then + cat /proc/net/ipsec_tncfg + fi ++if test -r /proc/net/xfrm_stat ++then + _________________________ ip-xfrm-state + ip xfrm state + _________________________ ip-xfrm-policy diff --git a/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch b/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch new file mode 100644 index 000000000000..7cda675af776 --- /dev/null +++ b/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch @@ -0,0 +1,200 @@ +From 716f4b712724c6698469563e531dea3667507ceb Mon Sep 17 00:00:00 2001 +From: Paul Wouters <pwouters@redhat.com> +Date: Tue, 28 May 2019 00:24:30 -0400 +Subject: [PATCH] programs: Change to use /proc/sys/net/core/xfrm_acq_expires + to detect XFRM + +Apparently, not all kernels with XFRM support also enable support for +CONFIG_XFRM_STATISTICS, causing XFRM auto-detection to fail. + +This affected openwrt and also some other distribution/custom kernels. +--- + programs/_realsetup.bsd/_realsetup.in | 2 +- + programs/_stackmanager/_stackmanager.in | 2 +- + programs/barf/barf.in | 6 +++--- + programs/eroute/eroute.c | 2 +- + programs/ipsec/ipsec.in | 2 +- + programs/look/look.in | 2 +- + programs/pluto/kernel.c | 2 +- + programs/setup/setup.in | 2 +- + programs/spi/spi.c | 2 +- + programs/spigrp/spigrp.c | 2 +- + programs/tncfg/tncfg.c | 2 +- + programs/verify/verify.in | 2 +- + 12 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/programs/_realsetup.bsd/_realsetup.in b/programs/_realsetup.bsd/_realsetup.in +index 91cca98ac8..4a783772f6 100755 +--- a/programs/_realsetup.bsd/_realsetup.in ++++ b/programs/_realsetup.bsd/_realsetup.in +@@ -28,7 +28,7 @@ plutoctl=/var/run/pluto/pluto.ctl + subsyslock=/var/lock/subsys/ipsec + lock=/var/run/pluto/ipsec_setup.pid + +-xfrm_stat=/proc/net/xfrm_stat ++xfrm_stat=/proc/sys/net/core/xfrm_acq_expires + + # defaults for "config setup" items + IPSECuniqueids=${IPSECuniqueids:-yes} +diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in +index 4d41c5ad51..21616a31c9 100644 +--- a/programs/_stackmanager/_stackmanager.in ++++ b/programs/_stackmanager/_stackmanager.in +@@ -29,7 +29,7 @@ eval $(ASAN_OPTIONS=detect_leaks=0 ipsec addconn --configsetup | grep -v "#" | + test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x + MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@" + +-xfrm_stat=/proc/net/xfrm_stat ++xfrm_stat=/proc/sys/net/core/xfrm_acq_expires + klipsstack=/proc/net/ipsec/version + action="${1}" + +diff --git a/programs/barf/barf.in b/programs/barf/barf.in +index 17f830d4a3..15eb252f11 100755 +--- a/programs/barf/barf.in ++++ b/programs/barf/barf.in +@@ -174,14 +174,13 @@ _________________________ /proc/net/ipsec_tncfg + if test -r /proc/net/ipsec_tncfg + then + cat /proc/net/ipsec_tncfg + fi +-if test -r /proc/net/xfrm_stat +-then ++if [ -r /proc/sys/net/core/xfrm_acq_expires ]; then + _________________________ ip-xfrm-state + ip xfrm state + _________________________ ip-xfrm-policy + ip xfrm policy +-_________________________ ip-xfrm-stats ++_________________________ cat-proc-net-xfrm_stat + cat /proc/net/xfrm_stat + fi + _________________________ ip-l2tp-tunnel +@@ -283,9 +283,8 @@ _________________________ /proc/net/ipsec_version + if test -r /proc/net/ipsec_version + then + cat /proc/net/ipsec_version + else +- if test -r /proc/net/xfrm_stat +- then ++ if [ -r /proc/sys/net/core/xfrm_acq_expires ]; then + echo "NETKEY (`uname -r`) support detected " + else + echo "no KLIPS or NETKEY support detected" +diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c +index c33234c194..6f058d9232 100644 +--- a/programs/eroute/eroute.c ++++ b/programs/eroute/eroute.c +@@ -495,7 +495,7 @@ int main(int argc, char **argv) + if (argcount == 1) { + struct stat sts; + +- if (stat("/proc/net/xfrm_stat", &sts) == 0) { ++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) { + fprintf(stderr, + "%s: NETKEY does not support eroute table.\n", + progname); +diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in +index 401a596628..06bec21632 100755 +--- a/programs/ipsec/ipsec.in ++++ b/programs/ipsec/ipsec.in +@@ -61,7 +61,7 @@ fixversion() { + stack=" (klips)" + kv="$(awk '{print $NF}' /proc/net/ipsec_version)" + else +- if [ -f /proc/net/xfrm_stat ]; then ++ if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then + stack=" (netkey)" + kv="${version}" + else +diff --git a/programs/look/look.in b/programs/look/look.in +index bb55e8eda2..192856c630 100755 +--- a/programs/look/look.in ++++ b/programs/look/look.in +@@ -72,7 +72,7 @@ if [ -f /proc/net/ipsec_spi ]; then + fi + + # xfrm +-if [ -f /proc/net/xfrm_stat ]; then ++if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then + echo "XFRM state:" + ip xfrm state + echo "XFRM policy:" +diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c +index 39b1e32389..5c71c04af3 100644 +--- a/programs/pluto/kernel.c ++++ b/programs/pluto/kernel.c +@@ -2666,7 +2666,7 @@ void init_kernel(void) + switch (kern_interface) { + #if defined(NETKEY_SUPPORT) + case USE_NETKEY: +- if (stat("/proc/net/xfrm_stat", &buf) != 0) { ++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &buf) != 0) { + libreswan_log("No XFRM kernel interface detected"); + exit_pluto(PLUTO_EXIT_KERNEL_FAIL); + } +diff --git a/programs/setup/setup.in b/programs/setup/setup.in +index 8c28b0e157..1933089459 100755 +--- a/programs/setup/setup.in ++++ b/programs/setup/setup.in +@@ -110,7 +110,7 @@ case "$1" in + + # If stack is non-modular, we want to force clean too + [ -f /proc/net/pf_key ] && ipsec eroute --clear +- [ -f /proc/net/xfrm_stat ] && ip xfrm state flush && ip xfrm policy flush ++ [ -f /proc/sys/net/core/xfrm_acq_expires ] && ip xfrm state flush && ip xfrm policy flush + + # Cleaning up backup resolv.conf + if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then +diff --git a/programs/spi/spi.c b/programs/spi/spi.c +index c45fe6a517..742898a86f 100644 +--- a/programs/spi/spi.c ++++ b/programs/spi/spi.c +@@ -1135,7 +1135,7 @@ int main(int argc, char *argv[]) + progname); + } + +- if (stat("/proc/net/xfrm_stat", &sts) == 0) { ++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) { + fprintf(stderr, + "%s: XFRM does not use the ipsec spi command. Use 'ip xfrm' instead.\n", + progname); +diff --git a/programs/spigrp/spigrp.c b/programs/spigrp/spigrp.c +index 79d6c50e5e..fe0942325d 100644 +--- a/programs/spigrp/spigrp.c ++++ b/programs/spigrp/spigrp.c +@@ -151,7 +151,7 @@ int main(int argc, char **argv) + if (debug) + fprintf(stdout, "...After check for --label option.\n"); + +- if (stat("/proc/net/xfrm_stat", &sts) == 0) { ++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) { + fprintf(stderr, + "%s: XFRM does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n", + progname); +diff --git a/programs/tncfg/tncfg.c b/programs/tncfg/tncfg.c +index 55de83b1ef..5a9f2e9aee 100644 +--- a/programs/tncfg/tncfg.c ++++ b/programs/tncfg/tncfg.c +@@ -259,7 +259,7 @@ int main(int argc, char *argv[]) + } + } + +- if (stat("/proc/net/xfrm_stat", &sts) == 0) { ++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) { + fprintf(stderr, + "%s: XFRM does not support virtual interfaces.\n", + progname); +diff --git a/programs/verify/verify.in b/programs/verify/verify.in +index 9321631931..81ae1d32fe 100755 +--- a/programs/verify/verify.in ++++ b/programs/verify/verify.in +@@ -223,7 +223,7 @@ def installstartcheck(): + print_result("FAIL","FAILED") + + printfun("Checking for IPsec support in kernel") +- if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/net/xfrm_stat"): ++ if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/sys/net/core/xfrm_acq_expires"): + print_result("FAIL","FAILED") + if "no kernel code presently loaded" in output: + print("\n The ipsec service should be started before running 'ipsec verify'\n") diff --git a/net-vpn/libreswan/libreswan-3.28-r1.ebuild b/net-vpn/libreswan/libreswan-3.28-r1.ebuild new file mode 100644 index 000000000000..ee813e6e8443 --- /dev/null +++ b/net-vpn/libreswan/libreswan-3.28-r1.ebuild @@ -0,0 +1,117 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit systemd toolchain-funcs + +SRC_URI="https://download.libreswan.org/${P}.tar.gz" +KEYWORDS="~amd64 ~ppc ~x86" + +DESCRIPTION="IPsec implementation for Linux, fork of Openswan" +HOMEPAGE="https://libreswan.org/" + +LICENSE="GPL-2 BSD-4 RSA DES" +SLOT="0" +IUSE="caps curl dnssec ldap pam seccomp selinux systemd test" + +DEPEND=" + dev-libs/gmp:0= + dev-libs/libevent:0= + dev-libs/nspr + >=dev-libs/nss-3.42 + caps? ( sys-libs/libcap-ng ) + curl? ( net-misc/curl ) + dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns ) + ldap? ( net-nds/openldap ) + pam? ( sys-libs/pam ) + seccomp? ( sys-libs/libseccomp ) + selinux? ( sys-libs/libselinux ) + systemd? ( sys-apps/systemd:0= ) +" +BDEPEND=" + app-text/docbook-xml-dtd:4.1.2 + app-text/xmlto + dev-libs/nss + sys-devel/bison + sys-devel/flex + virtual/pkgconfig + test? ( dev-python/setproctitle ) +" +RDEPEND="${DEPEND} + dev-libs/nss[utils(+)] + sys-apps/iproute2 + !net-misc/openswan + !net-vpn/strongswan + selinux? ( sec-policy/selinux-ipsec ) +" + +usetf() { + usex "$1" true false +} + +src_prepare() { + eapply "${FILESDIR}/${P}-barf-syntax.patch" + eapply -l "${FILESDIR}/${P}-xfrm-detection.patch" + + sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die + sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die + default +} + +src_configure() { + tc-export AR CC + export INC_USRLOCAL=/usr + export INC_MANDIR=share/man + export FINALEXAMPLECONFDIR=/usr/share/doc/${PF} + export FINALDOCDIR=/usr/share/doc/${PF}/html + export INITSYSTEM=openrc + export INC_RCDIRS= + export INC_RCDEFAULT=/etc/init.d + export USERCOMPILE= + export USERLINK= + export USE_DNSSEC=$(usetf dnssec) + export USE_LABELED_IPSEC=$(usetf selinux) + export USE_LIBCAP_NG=$(usetf caps) + export USE_LIBCURL=$(usetf curl) + export USE_LINUX_AUDIT=$(usetf selinux) + export USE_LDAP=$(usetf ldap) + export USE_SECCOMP=$(usetf seccomp) + export USE_SYSTEMD_WATCHDOG=$(usetf systemd) + export SD_WATCHDOGSEC=$(usex systemd 200 0) + export USE_XAUTHPAM=$(usetf pam) + export DEBUG_CFLAGS= + export OPTIMIZE_CFLAGS= + export WERROR_CFLAGS= +} + +src_compile() { + emake all + emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" all +} + +src_test() { + : # integration tests only that require set of kvms to be set up +} + +src_install() { + default + emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" DESTDIR="${D}" install + + echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets + fperms 0600 /etc/ipsec.secrets + + dodoc -r docs + + find "${D}" -type d -empty -delete || die +} + +pkg_postinst() { + local IPSEC_CONFDIR=${ROOT%/}/etc/ipsec.d + if [[ ! -f ${IPSEC_CONFDIR}/cert8.db && ! -f ${IPSEC_CONFDIR}/cert9.db ]] ; then + ebegin "Setting up NSS database in ${IPSEC_CONFDIR} with empty password" + certutil -N -d "${IPSEC_CONFDIR}" --empty-password + eend $? + einfo "To set a password: certutil -W -d sql:${IPSEC_CONFDIR}" + fi +} |