Date:      Fri, 05 Apr 2013 12:14:35 +0200
From:      Michael Cardell Widerkrantz <mc@hack.org>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/177651: New port: security/openiked OpenBSD's IKEv2 daemon
Message-ID:  <868v4xuvw4.fsf@totoro.hack.org>
Resent-Message-ID: <201304051020.r35AK07s028074@freefall.freebsd.org>


>Number:         177651
>Category:       ports
>Synopsis:       New port: security/openiked OpenBSD's IKEv2 daemon
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 05 10:20:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Michael Cardell Widerkrantz
>Release:        
>Organization:
>Environment:

>Description:
A port of OpenBSD's IKEv2 daemon iked to FreeBSD. The shar archive is included
as the Fix. iked needs a separate user and group, so please apply the following
patch to /usr/ports/UIDs and /usr/ports/GIDs as well:

--- UIDs~       2013-04-04 13:35:18.000000000 +0200
+++ UIDs        2013-04-04 13:35:18.000000000 +0200
@@ -258,4 +258,5 @@
 ossecm:*:967:966::0:0:OSSEC mail
 user:/usr/local/ossec-hids:/usr/sbin/nologin
 ossecr:*:968:966::0:0:OSSEC rem
 user:/usr/local/ossec-hids:/usr/sbin/nologin
 kippo:*:969:969::0:0:kippo user:/nonexistent:/usr/sbin/nologin
+_iked:*:970:970::0:0:iked privsep user:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged
 user:/nonexistent:/usr/sbin/nologin

--- GIDs~       2013-04-04 13:35:31.000000000 +0200
+++ GIDs        2013-04-04 13:35:31.000000000 +0200
@@ -250,5 +250,6 @@
 elasticsearch:*:965:
 ossec:*:966:
 kippo:*:969:
+_iked:*:970:
 nogroup:*:65533:
 nobody:*:65534:

>How-To-Repeat:
>Fix:

See attachment.

--=-=-=
Content-Type: text/plain
Content-Disposition: attachment; filename=openiked-20130404.shar
Content-Description: shar archive

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	openiked
#	openiked/files
#	openiked/files/iked.in
#	openiked/pkg-message
#	openiked/pkg-descr
#	openiked/distinfo
#	openiked/Makefile
#
echo c - openiked
mkdir -p openiked > /dev/null 2>&1
echo c - openiked/files
mkdir -p openiked/files > /dev/null 2>&1
echo x - openiked/files/iked.in
sed 's/^X//' >openiked/files/iked.in << '9cbff9a61a068575bee3d679960bba57'
X#!/bin/sh
X
X# $FreeBSD$
X#
X# PROVIDE: iked
X# REQUIRE: LOGIN cleanvar
X# KEYWORD: shutdown
X
X. /etc/rc.subr
X
Xname="iked"
Xkeygen_cmd="iked_keygen"
Xpexp="iked:.*parent.*"
Xrcvar=iked_enable
Xextra_commands="keygen reload"
X
Xiked_enable=${iked_enable:-"NO"}		# Disable by default
Xiked_create_dirs=${iked_create_dirs:-"NO"}	# Create $required_dirs
X#iked_flags=""				# Flags to iked program
X
Xcommand="%%PREFIX%%/sbin/${name}"
Xpidfile="/var/run/${name}.pid"
X
Xstart_precmd="${name}_prestart"
Xstop_postcmd="${name}_cleanup"
X
Xsocketfile="/var/run//${name}.sock"
Xrequired_files="%%PREFIX%%/etc/${name}.conf"
Xrequired_dirs="/var/run"
X
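Xuser_reseed()
X{
X	# Everything runs in a subshell so the helper variables below do
X	# not leak into the rc environment.
X	(
X	# Seconds to wait for the operator.  Nothing in this script set
X	# it before, so "read -t ${timeout} junk" expanded to
X	# "read -t junk" and never waited at all.
X	timeout=${timeout:-300}
X	seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
X	# Only act when the sysctl exists and reports an unseeded pool.
X	if [ "x${seeded}" != "x" ] && [ "${seeded}" -eq 0 ] ; then
X		warn "Setting entropy source to blocking mode."
X		echo "===================================================="
X		echo "Type a full screenful of random junk to unblock"
X		echo "it and remember to finish with <enter>. This will"
X		echo "timeout in ${timeout} seconds, but waiting for"
X		echo "the timeout without typing junk may make the"
X		echo "entropy source deliver predictable output."
X		echo ""
X		echo "Just hit <enter> for fast+insecure startup."
X		echo "===================================================="
X		sysctl kern.random.sys.seeded=0 2>/dev/null
X		read -t ${timeout} junk
X		# Feed whatever was typed, plus some system state, to the pool.
X		echo "${junk}" `sysctl -a` `date` > /dev/random
X	fi
X	)
X}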
X
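Xiked_keygen()
X{
X	# Default umask for the public key; the private key is created
X	# under a stricter umask below.
X	umask 022
X
X	# Can't do anything if openssl is not installed
X	[ -x /usr/bin/openssl ] || {
X		warn "/usr/bin/openssl does not exist."
X		return 1
X	}
X
X	# NOTE(review): assumes the directory holding ${privkey} already
X	# exists (expected to come from the port install) -- confirm.
X	if [ ! -f "${privkey}" ]
X	then
X		echo "Generating private key"
X		# Generate in a subshell with umask 077 so the key file is
X		# never world-readable, not even in the window between genrsa
X		# writing it and the chmod below.  The old test "[ $? ]" was
X		# always true (a non-empty string), so a failed genrsa still
X		# went on to the public-key step; test the exit status itself.
X		if ( umask 077 && openssl genrsa -out "${privkey}" 2048 )
X		then
X			chmod 600 "${privkey}"
X			echo "Copying public key from private key."
X			openssl rsa -out "${pubkey}" -in "${privkey}" -pubout
X		else
X			echo "Generation of private key failed!"
X			# No private key means nothing to derive the public
X			# key from; stop instead of falling through.
X			return 1
X		fi
X	else
X		echo Private key ${privkey} exists.
X	fi
X
X	if [ ! -f "${pubkey}" ]
X	then
X		echo "Copying public key from private key."
X		openssl rsa -out "${pubkey}" -in "${privkey}" -pubout
X	else
X		echo Public key ${pubkey} exists.
X	fi
X}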
X
Xiked_cleanup()
X{
X	# Remove the runtime files left behind by a previous iked run:
X	# the pidfile written by this script and the control socket.
X	/bin/rm -f "${pidfile}" "${socketfile}"
X}
X
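Xiked_prestart()
X{
X	# Clear leftovers (pidfile, socket) from a previous run.
X	iked_cleanup
X
X	if checkyesno "${name}_create_dirs"; then
X		# NOTE(review): rc.subr may already verify required_dirs
X		# before this precmd runs, in which case this never helps
X		# -- confirm against the installed rc.subr.
X		/bin/mkdir -p ${required_dirs}
X	fi
X
X	# First start: create the host keypair.  Abort the start when
X	# generation fails; previously the result was ignored and iked
X	# was launched without a key.
X	if [ ! -f "${privkey}" -o ! -f "${pubkey}" ]
X	then
X		user_reseed
X		run_rc_command keygen || return 1
X	fi
X}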
X
Xload_rc_config $name
Xprivkey=%%PREFIX%%/etc/iked/private/local.key
Xpubkey=%%PREFIX%%/etc/iked/local.pub
X
Xrun_rc_command "$1"
Xpgrep -f 'iked:.*parent.*' > ${pidfile}
9cbff9a61a068575bee3d679960bba57
echo x - openiked/pkg-message
sed 's/^X//' >openiked/pkg-message << '6aa22e636d263d972d47611b9a9d7773'
XPlease note: Openiked is experimental. Don't trust it for production
Xnetworks.
6aa22e636d263d972d47611b9a9d7773
echo x - openiked/pkg-descr
sed 's/^X//' >openiked/pkg-descr << 'bf719d1d40bccd4f602fd5c06fe3c8fe'
XOpeniked is the portable version of OpenBSD's iked.
X
XOpeniked speaks the IKEv2 protocol, which is used to establish security
Xassociations with other hosts.
X
XPlease observe: The Openiked project has not made any official
Xreleases yet. This is an experimental port.
X
XKnown issues:
X- Does not support NAT-traversal.
X
XWWW: http://openiked.org/
bf719d1d40bccd4f602fd5c06fe3c8fe
echo x - openiked/distinfo
sed 's/^X//' >openiked/distinfo << 'a57e20e772c96a7980ad44aea16f4b51'
XSHA256 (openiked-20130312.tar.bz2) = 57fbcb7448a995c219fa4843c55e63aec3e7db20d298235c79bf348c7d7e377a
XSIZE (openiked-20130312.tar.bz2) = 153074
a57e20e772c96a7980ad44aea16f4b51
echo x - openiked/Makefile
sed 's/^X//' >openiked/Makefile << '7c64873fed3cf374baaaab9813cbb043'
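X# Created by: Michael Cardell Widerkrantz <mc@hack.org>
X# $FreeBSD$
X
XPORTNAME=	openiked
XPORTVERSION=	20130312
XCATEGORIES=	security
XMASTER_SITES=	http://hack.org/mc/projects/openiked/
X
XMAINTAINER=	mc@hack.org
XCOMMENT=	Openiked IKEv2 daemon
X
XLICENSE=	ISCL
X
XLIB_DEPENDS=	ssl.8:${PORTSDIR}/security/openssl \
X		event:${PORTSDIR}/devel/libevent
X
X# NOTE(review): nothing in this Makefile prompts during the build;
X# IS_INTERACTIVE excludes the port from BATCH/package builds, so
X# confirm it is really needed.
XIS_INTERACTIVE=	yes
X# Unprivileged user/group for iked's privilege-separated children.
XUSERS=		_iked
XGROUPS=		_iked
X
XCONFLICTS=	racoon2-[0-9]* strongswan-[0-9]*
X
XUSE_RC_SUBR=	iked
XUSE_OPENSSL=	yes
XUSE_BZIP2=	yes
XUSE_AUTOTOOLS=	autoconf automake libtool
XAUTOMAKE_ARGS=	--foreign --add-missing --copy
XGNU_CONFIGURE=	yes
XUSE_LDCONFIG=	yes
X
XCONFIGURE_ARGS=	--with-libevent-dir=${PREFIX} --with-ssl-dir=${PREFIX}
X
XOPTIONS_DEFINE=	DEBUG BSD
XOPTIONS_DEFAULT=
XDEBUG_DESC=	Build main code with debugging symbols and disable privsep
X# NOTE(review): BSD auth is an OpenBSD facility; confirm this option
X# actually builds on FreeBSD before exposing it.
XBSD_DESC=	Enable BSD auth support
X
XMAN5=		iked.conf.5
XMAN8=		iked.8 ikectl.8
XPLIST_FILES=	sbin/iked sbin/ikectl
X
X.include <bsd.port.pre.mk>
X
X# Regenerate the autotools files with the distribution's bootstrap
X# script.  ${WRKSRC} defaults to ${WRKDIR}/${PORTNAME}-${PORTVERSION},
X# so this is the same directory as before but honours an override.
X# "&&" stops a failed cd from running ./bootstrap in the wrong place.
Xpre-configure:
X	cd ${WRKSRC} && ./bootstrap
X
X.if ${PORT_OPTIONS:MDEBUG}
XCONFIGURE_ARGS+=	--with-debug
X.endif
X
X# PAM is not listed in OPTIONS_DEFINE, so this block cannot currently
X# be selected; left in place pending a decision on exposing it.
X.if ${PORT_OPTIONS:MPAM}
XCONFIGURE_ARGS+=	--with-pam
X.endif
X
X.if ${PORT_OPTIONS:MBSD}
XCONFIGURE_ARGS+=	--with-bsd-auth
X.endif
X
X# Warn when the running kernel exposes no IPsec sysctls.  The whole
X# conditional has to be a single recipe line: make may hand each line
X# to a separate shell, so the old unescaped multi-line
X# "if ... then ... fi" did not survive to install time.
Xpost-install:
X	@if ! ${SYSCTL} -a | ${GREP} -q ipsec; then \
X		${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \
X		${ECHO_MSG} "         You must build the kernel if you want to run openiked on the host"; \
X	fi
X
X.include <bsd.port.post.mk>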
7c64873fed3cf374baaaab9813cbb043
exit


--=-=-=--
>Release-Note:
>Audit-Trail:
>Unformatted:
 --=-=-=
 Content-Type: text/plain
 


