Date: Wed, 26 Apr 2006 18:38:12 +0200 (CEST) From: Joerg Pulz <Joerg.Pulz@frm2.tum.de> To: FreeBSD-gnats-submit@FreeBSD.org Cc: Maintainer <vanhu@netasq.com> Subject: ports/96368: security/ipsec-tools: use OPTIONS, extend featureset Message-ID: <200604261638.k3QGcCPQ065188@hades.admin.frm2> Resent-Message-ID: <200604261640.k3QGeFv4067003@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 96368
>Category: ports
>Synopsis: security/ipsec-tools: use OPTIONS, extend featureset
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 26 16:40:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Joerg Pulz
>Release: FreeBSD 6.1-PRERELEASE i386
>Organization:
TU-Munich / ZWE FRM-II
>Environment:
System: FreeBSD hades.admin.frm2 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #11: Wed Feb 22 19:01:44 CET 2006 root@hades.admin.frm2:/usr/obj/usr/src/sys/HADES i386
>Description:
Currently security/ipsec-tools is only configured with a subset of the
available features without the option to enable or disable some of them.
Makefile:
- introduce OPTIONS to enable/disable features
- add more features to the OPTION dialog
- choose reasonable defaults for OPTIONS (disabled patented stuff)
- remove usesless WRKSRC line
- move LDFLAGS to the place where it is necessary
- extend CONFIGURE_ARGS to set the directory for the adminport socket
* Note: racoonctl is useless without adminport enabled
* create the socket dir in post-install
- bump PORTREVISION that users notice the changes
- finally: remove one item from the TODO list on top of the Makefile ;)
pkg-descr:
- shortened by one line to please portlint
pkg-plist:
- slight reorganization
- add create instructions for the adminport socket dir for the
"installing from package" case
- add removal instructions for the adminport socket dir
files/patch-configure:
- add some stuff to detect libiconv when the GSSAPI OPTION is enabled
- iconv is required for GSSAPI but the library is not added to LIBS
in the original configure script
- Why not use USE_AUTOTOOLS and patch configure.ac?
* because the leads to configure running twice which is useless
overhead. I found no way to avoid this so we patch configure.
files/racoon.sh.in:
- add the adminsocket directory to required_dirs
NOTE:
There is no way to tell configure which kerberos to use when the GSSAPI
OPTION is enabled. The configure script will use krb5-config from PATH
which normally is heimdal kerberos from base (/usr/bin/krb5-config).
Regarding to this, there is no special dependency handling for the
various kerberos ports.
I will further investigate this to make it possible to decide which
kerberos version/implementation to use including the necessary dependecy
handling.
Tested on: RELENG_4 i386 (tinderbox)
RELENG_5 i386 (tinderbox)
RELENG_6 i386 (tinderbox)
RELENG_6_1 i386, amd64, sparc64
CURRENT i386 (tinderbox)
>How-To-Repeat:
>Fix:
- apply the patch and add the new files/patch-configure to CVS
--- security_ipsec-tools.diff begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- Makefile 23 Feb 2006 10:38:57 -0000 1.11
+++ Makefile 26 Apr 2006 15:05:27 -0000
@@ -4,15 +4,14 @@
#
# $FreeBSD: ports/security/ipsec-tools/Makefile,v 1.11 2006/02/23 10:38:57 ade Exp $
-# TODO: - configurable --enable-xxx
-# - libipsec issue ?
+# TODO: - libipsec issue ?
# - cleanup...
# - SYSCONFDIR
# - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey
PORTNAME= ipsec-tools
PORTVERSION= 0.6.5
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security net
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ipsec-tools
@@ -26,27 +25,133 @@
USE_OPENSSL= yes
USE_BZIP2= yes
-WRKSRC= ${WRKDIR}/${DISTNAME}
GNU_CONFIGURE= yes
INSTALLS_SHLIB= yes
-LDFLAGS= -L${LOCALBASE}/lib
CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
-CONFIGURE_ARGS= --enable-debug --enable-dpd --enable-natt=kernel \
- --enable-frag --enable-ipv6 --enable-shared \
- --sysconfdir=${PREFIX}/etc/racoon \
+CONFIGURE_ARGS= --enable-shared --sysconfdir=${PREFIX}/etc/racoon \
+ --localstatedir=${STATEDIR:S/\/racoon//} \
--with-pkgversion=freebsd-${PORTVERSION}
+STATEDIR= ${DESTDIR}/var/db/racoon
+SUB_LIST+= STATEDIR=${STATEDIR}
+PLIST_SUB+= STATEDIR=${STATEDIR}
+
+OPTIONS= DEBUG "enable Debug support" on \
+ IPV6 "enable IPV6 support" on \
+ ADMINPORT "enable Admin port" on \
+ STATS "enable Statistics logging function" on \
+ DPD "enable Dead Peer Detection" on \
+ NATT "enable NAT-Traversal" on \
+ FRAG "enable IKE fragmentation payload support" on \
+ HYBRID "enable Hybrid Mode-cfg and Xauth support" on \
+ PAM "enable PAM authentication" on \
+ GSSAPI "enable GSS-API authentication" off \
+ RADIUS "enable Radius authentication" off \
+ SAUNSPEC "enable Unspecified SA mode" off \
+ RC5 "enable RC5 encryption (patented)" off \
+ IDEA "enable IDEA encryption (patented)" off
+
MAN3= ipsec_set_policy.3 ipsec_strerror.3
MAN5= racoon.conf.5
MAN8= racoon.8 racoonctl.8 setkey.8 plainrsa-gen.8
PORTDOCS= *
+.include <bsd.port.pre.mk>
+
+.ifdef(WITH_DEBUG)
+CONFIGURE_ARGS+= --enable-debug
+.else
+CONFIGURE_ARGS+= --disable-debug
+.endif
+
+.ifdef(WITH_IPV6)
+CONFIGURE_ARGS+= --enable-ipv6
+.else
+CONFIGURE_ARGS+= --disable-ipv6
+.endif
+
+.ifdef(WITH_ADMINPORT)
+CONFIGURE_ARGS+= --enable-adminport
+.else
+CONFIGURE_ARGS+= --disable-adminport
+.endif
+
+.ifdef(WITH_STATS)
+CONFIGURE_ARGS+= --enable-stats
+.else
+CONFIGURE_ARGS+= --disable-stats
+.endif
+
+.ifdef(WITH_DPD)
+CONFIGURE_ARGS+= --enable-dpd
+.else
+CONFIGURE_ARGS+= --disable-dpd
+.endif
+
+.ifdef(WITH_NATT)
+CONFIGURE_ARGS+= --enable-natt=kernel
+.else
+CONFIGURE_ARGS+= --disable-natt
+.endif
+
+.ifdef(WITH_FRAG)
+CONFIGURE_ARGS+= --enable-frag
+.else
+CONFIGURE_ARGS+= --disable-frag
+.endif
+
+.ifdef(WITH_HYBRID)
+CONFIGURE_ARGS+= --enable-hybrid
+.else
+CONFIGURE_ARGS+= --disable-hybrid
+.endif
+
+.ifdef(WITH_PAM)
+CONFIGURE_ARGS+= --with-libpam
+.else
+CONFIGURE_ARGS+= --without-libpam
+.endif
+
+.ifdef(WITH_GSSAPI)
+USE_ICONV= yes
+CFLAGS+= -I${LOCALBASE}/include
+LDFLAGS+= -L${LOCALBASE}/lib
+CONFIGURE_ARGS+= --enable-gssapi
+.else
+CONFIGURE_ARGS+= --disable-gssapi
+.endif
+
+.ifdef(WITH_RADIUS)
+CONFIGURE_ARGS+= --with-libradius
+.else
+CONFIGURE_ARGS+= --without-libradius
+.endif
+
+.ifdef(WITH_SAUNSPEC)
+CONFIGURE_ARGS+= --enable-samode-unspec
+.else
+CONFIGURE_ARGS+= --disable-samode-unspec
+.endif
+
+.ifdef(WITH_RC5)
+CONFIGURE_ARGS+= --enable-rc5
+.else
+CONFIGURE_ARGS+= --disable-rc5
+.endif
+
+.ifdef(WITH_IDEA)
+CONFIGURE_ARGS+= --enable-idea
+.else
+CONFIGURE_ARGS+= --disable-idea
+.endif
+
post-install:
@if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \
${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \
${ECHO_MSG} " You must build the kernel if you want to run racoon on the host"; \
fi ;
+ @${MKDIR} ${STATEDIR}
@${MKDIR} ${EXAMPLESDIR}
@${RM} -f ${WRKSRC}/src/racoon/samples/*.in
@${CP} -r ${WRKSRC}/src/racoon/samples/* ${EXAMPLESDIR}
@@ -55,4 +160,4 @@
@${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${DOCSDIR}
.endif
-.include <bsd.port.mk>
+.include <bsd.port.post.mk>
Index: pkg-descr
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-descr,v
retrieving revision 1.2
diff -u -r1.2 pkg-descr
--- pkg-descr 15 Sep 2005 12:11:48 -0000 1.2
+++ pkg-descr 26 Apr 2006 15:05:27 -0000
@@ -4,8 +4,7 @@
This is the IPSec-tools version of racoon.
Enchancements:
-- Support of NAT-T.
-- Support of IKE fragmentation.
+- Support of NAT-T and IKE fragmentation.
- Support of many authentication algorithms.
- Tons of bugfixes.
Index: pkg-plist
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-plist,v
retrieving revision 1.4
diff -u -r1.4 pkg-plist
--- pkg-plist 23 Feb 2006 10:38:57 -0000 1.4
+++ pkg-plist 26 Apr 2006 15:05:27 -0000
@@ -1,4 +1,6 @@
+sbin/plainrsa-gen
sbin/racoon
+sbin/racoonctl
sbin/setkey
include/libipsec/libpfkey.h
include/racoon/admin.h
@@ -24,8 +26,6 @@
lib/libracoon.la
lib/libracoon.so
lib/libracoon.so.0
-sbin/plainrsa-gen
-sbin/racoonctl
%%EXAMPLESDIR%%/psk.txt
%%EXAMPLESDIR%%/psk.txt.sample
%%EXAMPLESDIR%%/racoon.conf
@@ -48,3 +48,5 @@
@dirrm %%EXAMPLESDIR%%/roadwarrior
@dirrm %%EXAMPLESDIR%%
@dirrmtry var/racoon
+@exec mkdir -p %%STATEDIR%%
+@dirrmtry %%STATEDIR%%
Index: files/patch-configure
===================================================================
RCS file: files/patch-configure
diff -N files/patch-configure
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-configure 26 Apr 2006 15:05:27 -0000
@@ -0,0 +1,77 @@
+--- configure.orig Wed Apr 26 15:28:47 2006
++++ configure Wed Apr 26 15:28:56 2006
+@@ -25122,6 +25122,74 @@
+ fi
+
+
++ echo "$as_me:$LINENO: checking for iconv_open in -liconv" >&5
++echo $ECHO_N "checking for iconv_open in -liconv... $ECHO_C" >&6
++if test "${ac_cv_lib_iconv_iconv_open+set}" = set; then
++ echo $ECHO_N "(cached) $ECHO_C" >&6
++else
++ ac_check_lib_save_LIBS=$LIBS
++LIBS="-liconv $LIBS"
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h. */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h. */
++
++/* Override any gcc2 internal prototype to avoid an error. */
++#ifdef __cplusplus
++extern "C"
++#endif
++/* We use char because int might match the return type of a gcc2
++ builtin and then its argument prototype would still apply. */
++char iconv_open ();
++int
++main ()
++{
++iconv_open ();
++ ;
++ return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
++ (eval $ac_link) 2>conftest.er1
++ ac_status=$?
++ grep -v '^ *+' conftest.er1 >conftest.err
++ rm -f conftest.er1
++ cat conftest.err >&5
++ echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); } &&
++ { ac_try='test -z "$ac_c_werror_flag"
++ || test ! -s conftest.err'
++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++ (eval $ac_try) 2>&5
++ ac_status=$?
++ echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); }; } &&
++ { ac_try='test -s conftest$ac_exeext'
++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++ (eval $ac_try) 2>&5
++ ac_status=$?
++ echo "$as_me:$LINENO: \$? = $ac_status" >&5
++ (exit $ac_status); }; }; then
++ ac_cv_lib_iconv_iconv_open=yes
++else
++ echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ac_cv_lib_iconv_iconv_open=no
++fi
++rm -f conftest.err conftest.$ac_objext \
++ conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++echo "$as_me:$LINENO: result: $ac_cv_lib_iconv_iconv_open" >&5
++echo "${ECHO_T}$ac_cv_lib_iconv_iconv_open" >&6
++if test $ac_cv_lib_iconv_iconv_open = yes; then
++ LIBS="$LIBS -liconv"
++fi
++
+ echo "$as_me:$LINENO: checking if iconv second argument needs const" >&5
+ echo $ECHO_N "checking if iconv second argument needs const... $ECHO_C" >&6
+ saved_CFLAGS=$CFLAGS
Index: files/racoon.sh.in
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/files/racoon.sh.in,v
retrieving revision 1.3
diff -u -r1.3 racoon.sh.in
--- files/racoon.sh.in 20 Feb 2006 20:47:39 -0000 1.3
+++ files/racoon.sh.in 26 Apr 2006 15:05:27 -0000
@@ -32,6 +32,7 @@
command="${prefix}/sbin/racoon"
pidfile="/var/run/racoon.pid"
required_files="${prefix}/etc/racoon/racoon.conf"
+required_dirs="%%STATEDIR%%"
stop_postcmd="racoon_poststop"
racoon_poststop() {
--- security_ipsec-tools.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200604261638.k3QGcCPQ065188>