Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Apr 2006 18:38:12 +0200 (CEST)
From:      Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        Maintainer <vanhu@netasq.com>
Subject:   ports/96368: security/ipsec-tools: use OPTIONS, extend featureset
Message-ID:  <200604261638.k3QGcCPQ065188@hades.admin.frm2>
Resent-Message-ID: <200604261640.k3QGeFv4067003@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         96368
>Category:       ports
>Synopsis:       security/ipsec-tools: use OPTIONS, extend featureset
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 26 16:40:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Joerg Pulz
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
TU-Munich / ZWE FRM-II
>Environment:
System: FreeBSD hades.admin.frm2 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #11: Wed Feb 22 19:01:44 CET 2006 root@hades.admin.frm2:/usr/obj/usr/src/sys/HADES i386


	
>Description:
	Currently security/ipsec-tools is only configured with a subset of the
	available features without the option to enable or disable some of them.

	Makefile:
	- introduce OPTIONS to enable/disable features
	- add more features to the OPTION dialog
	- choose reasonable defaults for OPTIONS (disabled patented stuff)
	- remove usesless WRKSRC line
	- move LDFLAGS to the place where it is necessary
	- extend CONFIGURE_ARGS to set the directory for the adminport socket
	  * Note: racoonctl is useless without adminport enabled
	  * create the socket dir in post-install
	- bump PORTREVISION that users notice the changes
	- finally: remove one item from the TODO list on top of the Makefile ;)

	pkg-descr:
	- shortened by one line to please portlint

	pkg-plist:
	- slight reorganization
	- add create instructions for the adminport socket dir for the
	  "installing from package" case
	- add removal instructions for the adminport socket dir

	files/patch-configure:
	- add some stuff to detect libiconv when the GSSAPI OPTION is enabled
	- iconv is required for GSSAPI but the library is not added to LIBS
	  in the original configure script
	- Why not use USE_AUTOTOOLS and patch configure.ac?
	  * because the leads to configure running twice which is useless
	    overhead. I found no way to avoid this so we patch configure.

	files/racoon.sh.in:
	- add the adminsocket directory to required_dirs

	NOTE:
	There is no way to tell configure which kerberos to use when the GSSAPI
	OPTION is enabled. The configure script will use krb5-config from PATH
	which normally is heimdal kerberos from base (/usr/bin/krb5-config).
	Regarding to this, there is no special dependency handling for the
	various kerberos ports.
	I will further investigate this to make it possible to decide which
	kerberos version/implementation to use including the necessary dependecy
	handling.

	Tested on: 	RELENG_4 i386 (tinderbox)
			RELENG_5 i386 (tinderbox)
			RELENG_6 i386 (tinderbox)
			RELENG_6_1 i386, amd64, sparc64
			CURRENT i386 (tinderbox)

>How-To-Repeat:
	
>Fix:

	- apply the patch and add the new files/patch-configure to CVS

--- security_ipsec-tools.diff begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- Makefile	23 Feb 2006 10:38:57 -0000	1.11
+++ Makefile	26 Apr 2006 15:05:27 -0000
@@ -4,15 +4,14 @@
 #
 # $FreeBSD: ports/security/ipsec-tools/Makefile,v 1.11 2006/02/23 10:38:57 ade Exp $
 
-# TODO: - configurable --enable-xxx
-#       - libipsec issue ?
+# TODO: - libipsec issue ?
 #       - cleanup...
 #       - SYSCONFDIR
 #       - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey
 
 PORTNAME=	ipsec-tools
 PORTVERSION=	0.6.5
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security net
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	ipsec-tools
@@ -26,27 +25,133 @@
 USE_OPENSSL=	yes
 USE_BZIP2=	yes
 
-WRKSRC=		${WRKDIR}/${DISTNAME}
 GNU_CONFIGURE=	yes
 INSTALLS_SHLIB=	yes
-LDFLAGS=	-L${LOCALBASE}/lib
 CONFIGURE_TARGET=	--build=${MACHINE_ARCH}-portbld-freebsd${OSREL}
-CONFIGURE_ARGS=	--enable-debug --enable-dpd --enable-natt=kernel \
-		--enable-frag --enable-ipv6 --enable-shared \
-		--sysconfdir=${PREFIX}/etc/racoon \
+CONFIGURE_ARGS=	--enable-shared --sysconfdir=${PREFIX}/etc/racoon \
+		--localstatedir=${STATEDIR:S/\/racoon//} \
 		--with-pkgversion=freebsd-${PORTVERSION}
 
+STATEDIR=	${DESTDIR}/var/db/racoon
+SUB_LIST+=	STATEDIR=${STATEDIR}
+PLIST_SUB+=	STATEDIR=${STATEDIR}
+
+OPTIONS=	DEBUG		"enable Debug support" on \
+		IPV6		"enable IPV6 support" on \
+		ADMINPORT	"enable Admin port" on \
+		STATS		"enable Statistics logging function" on \
+		DPD		"enable Dead Peer Detection" on \
+		NATT		"enable NAT-Traversal" on \
+		FRAG		"enable IKE fragmentation payload support" on \
+		HYBRID		"enable Hybrid Mode-cfg and Xauth support" on \
+		PAM		"enable PAM authentication" on \
+		GSSAPI		"enable GSS-API authentication" off \
+		RADIUS		"enable Radius authentication" off \
+		SAUNSPEC	"enable Unspecified SA mode" off \
+		RC5		"enable RC5 encryption (patented)" off \
+		IDEA		"enable IDEA encryption (patented)" off
+
 MAN3=		ipsec_set_policy.3 ipsec_strerror.3
 MAN5=		racoon.conf.5
 MAN8=		racoon.8 racoonctl.8 setkey.8 plainrsa-gen.8
 
 PORTDOCS=	*
 
+.include <bsd.port.pre.mk>
+
+.ifdef(WITH_DEBUG)
+CONFIGURE_ARGS+=	--enable-debug
+.else
+CONFIGURE_ARGS+=	--disable-debug
+.endif
+
+.ifdef(WITH_IPV6)
+CONFIGURE_ARGS+=	--enable-ipv6
+.else
+CONFIGURE_ARGS+=	--disable-ipv6
+.endif
+
+.ifdef(WITH_ADMINPORT)
+CONFIGURE_ARGS+=	--enable-adminport
+.else
+CONFIGURE_ARGS+=	--disable-adminport
+.endif
+
+.ifdef(WITH_STATS)
+CONFIGURE_ARGS+=	--enable-stats
+.else
+CONFIGURE_ARGS+=	--disable-stats
+.endif
+
+.ifdef(WITH_DPD)
+CONFIGURE_ARGS+=	--enable-dpd
+.else
+CONFIGURE_ARGS+=	--disable-dpd
+.endif
+
+.ifdef(WITH_NATT)
+CONFIGURE_ARGS+=	--enable-natt=kernel
+.else
+CONFIGURE_ARGS+=	--disable-natt
+.endif
+
+.ifdef(WITH_FRAG)
+CONFIGURE_ARGS+=	--enable-frag
+.else
+CONFIGURE_ARGS+=	--disable-frag
+.endif
+
+.ifdef(WITH_HYBRID)
+CONFIGURE_ARGS+=	--enable-hybrid
+.else
+CONFIGURE_ARGS+=	--disable-hybrid
+.endif
+
+.ifdef(WITH_PAM)
+CONFIGURE_ARGS+=	--with-libpam
+.else
+CONFIGURE_ARGS+=	--without-libpam
+.endif
+
+.ifdef(WITH_GSSAPI)
+USE_ICONV=	yes
+CFLAGS+=	-I${LOCALBASE}/include
+LDFLAGS+=	-L${LOCALBASE}/lib
+CONFIGURE_ARGS+=	--enable-gssapi
+.else
+CONFIGURE_ARGS+=	--disable-gssapi
+.endif
+
+.ifdef(WITH_RADIUS)
+CONFIGURE_ARGS+=	--with-libradius
+.else
+CONFIGURE_ARGS+=	--without-libradius
+.endif
+
+.ifdef(WITH_SAUNSPEC)
+CONFIGURE_ARGS+=	--enable-samode-unspec
+.else
+CONFIGURE_ARGS+=	--disable-samode-unspec
+.endif
+
+.ifdef(WITH_RC5)
+CONFIGURE_ARGS+=	--enable-rc5
+.else
+CONFIGURE_ARGS+=	--disable-rc5
+.endif
+
+.ifdef(WITH_IDEA)
+CONFIGURE_ARGS+=	--enable-idea
+.else
+CONFIGURE_ARGS+=	--disable-idea
+.endif
+
 post-install:
 	@if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \
 	    ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \
 	    ${ECHO_MSG} "         You must build the kernel if you want to run racoon on the host"; \
 	fi ;
+	@${MKDIR} ${STATEDIR}
 	@${MKDIR} ${EXAMPLESDIR}
 	@${RM} -f ${WRKSRC}/src/racoon/samples/*.in
 	@${CP} -r ${WRKSRC}/src/racoon/samples/* ${EXAMPLESDIR}
@@ -55,4 +160,4 @@
 	@${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${DOCSDIR}
 .endif
 
-.include <bsd.port.mk>
+.include <bsd.port.post.mk>
Index: pkg-descr
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-descr,v
retrieving revision 1.2
diff -u -r1.2 pkg-descr
--- pkg-descr	15 Sep 2005 12:11:48 -0000	1.2
+++ pkg-descr	26 Apr 2006 15:05:27 -0000
@@ -4,8 +4,7 @@
 This is the IPSec-tools version of racoon.
 
 Enchancements:
-- Support of NAT-T.
-- Support of IKE fragmentation.
+- Support of NAT-T and IKE fragmentation.
 - Support of many authentication algorithms.
 - Tons of bugfixes.
 
Index: pkg-plist
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-plist,v
retrieving revision 1.4
diff -u -r1.4 pkg-plist
--- pkg-plist	23 Feb 2006 10:38:57 -0000	1.4
+++ pkg-plist	26 Apr 2006 15:05:27 -0000
@@ -1,4 +1,6 @@
+sbin/plainrsa-gen
 sbin/racoon
+sbin/racoonctl
 sbin/setkey
 include/libipsec/libpfkey.h
 include/racoon/admin.h
@@ -24,8 +26,6 @@
 lib/libracoon.la
 lib/libracoon.so
 lib/libracoon.so.0
-sbin/plainrsa-gen
-sbin/racoonctl
 %%EXAMPLESDIR%%/psk.txt
 %%EXAMPLESDIR%%/psk.txt.sample
 %%EXAMPLESDIR%%/racoon.conf
@@ -48,3 +48,5 @@
 @dirrm %%EXAMPLESDIR%%/roadwarrior
 @dirrm %%EXAMPLESDIR%%
 @dirrmtry var/racoon
+@exec mkdir -p %%STATEDIR%%
+@dirrmtry %%STATEDIR%%
Index: files/patch-configure
===================================================================
RCS file: files/patch-configure
diff -N files/patch-configure
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-configure	26 Apr 2006 15:05:27 -0000
@@ -0,0 +1,77 @@
+--- configure.orig	Wed Apr 26 15:28:47 2006
++++ configure	Wed Apr 26 15:28:56 2006
+@@ -25122,6 +25122,74 @@
+ fi
+ 
+ 
++	echo "$as_me:$LINENO: checking for iconv_open in -liconv" >&5
++echo $ECHO_N "checking for iconv_open in -liconv... $ECHO_C" >&6
++if test "${ac_cv_lib_iconv_iconv_open+set}" = set; then
++  echo $ECHO_N "(cached) $ECHO_C" >&6
++else
++  ac_check_lib_save_LIBS=$LIBS
++LIBS="-liconv  $LIBS"
++cat >conftest.$ac_ext <<_ACEOF
++/* confdefs.h.  */
++_ACEOF
++cat confdefs.h >>conftest.$ac_ext
++cat >>conftest.$ac_ext <<_ACEOF
++/* end confdefs.h.  */
++
++/* Override any gcc2 internal prototype to avoid an error.  */
++#ifdef __cplusplus
++extern "C"
++#endif
++/* We use char because int might match the return type of a gcc2
++   builtin and then its argument prototype would still apply.  */
++char iconv_open ();
++int
++main ()
++{
++iconv_open ();
++  ;
++  return 0;
++}
++_ACEOF
++rm -f conftest.$ac_objext conftest$ac_exeext
++if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
++  (eval $ac_link) 2>conftest.er1
++  ac_status=$?
++  grep -v '^ *+' conftest.er1 >conftest.err
++  rm -f conftest.er1
++  cat conftest.err >&5
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); } &&
++	 { ac_try='test -z "$ac_c_werror_flag"
++			 || test ! -s conftest.err'
++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; } &&
++	 { ac_try='test -s conftest$ac_exeext'
++  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  echo "$as_me:$LINENO: \$? = $ac_status" >&5
++  (exit $ac_status); }; }; then
++  ac_cv_lib_iconv_iconv_open=yes
++else
++  echo "$as_me: failed program was:" >&5
++sed 's/^/| /' conftest.$ac_ext >&5
++
++ac_cv_lib_iconv_iconv_open=no
++fi
++rm -f conftest.err conftest.$ac_objext \
++      conftest$ac_exeext conftest.$ac_ext
++LIBS=$ac_check_lib_save_LIBS
++fi
++echo "$as_me:$LINENO: result: $ac_cv_lib_iconv_iconv_open" >&5
++echo "${ECHO_T}$ac_cv_lib_iconv_iconv_open" >&6
++if test $ac_cv_lib_iconv_iconv_open = yes; then
++  LIBS="$LIBS -liconv"
++fi
++
+ 	echo "$as_me:$LINENO: checking if iconv second argument needs const" >&5
+ echo $ECHO_N "checking if iconv second argument needs const... $ECHO_C" >&6
+ 	saved_CFLAGS=$CFLAGS
Index: files/racoon.sh.in
===================================================================
RCS file: /home/ncvs/ports/security/ipsec-tools/files/racoon.sh.in,v
retrieving revision 1.3
diff -u -r1.3 racoon.sh.in
--- files/racoon.sh.in	20 Feb 2006 20:47:39 -0000	1.3
+++ files/racoon.sh.in	26 Apr 2006 15:05:27 -0000
@@ -32,6 +32,7 @@
 command="${prefix}/sbin/racoon"
 pidfile="/var/run/racoon.pid"
 required_files="${prefix}/etc/racoon/racoon.conf"
+required_dirs="%%STATEDIR%%"
 stop_postcmd="racoon_poststop"
 
 racoon_poststop() {
--- security_ipsec-tools.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200604261638.k3QGcCPQ065188>