Date: Wed, 26 Apr 2006 18:38:12 +0200 (CEST)
From: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Maintainer <vanhu@netasq.com>
Subject: ports/96368: security/ipsec-tools: use OPTIONS, extend featureset
Message-ID: <200604261638.k3QGcCPQ065188@hades.admin.frm2>
Resent-Message-ID: <200604261640.k3QGeFv4067003@freefall.freebsd.org>
>Number: 96368
>Category: ports
>Synopsis: security/ipsec-tools: use OPTIONS, extend featureset
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 26 16:40:15 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Joerg Pulz
>Release: FreeBSD 6.1-PRERELEASE i386
>Organization:
TU-Munich / ZWE FRM-II
>Environment:
System: FreeBSD hades.admin.frm2 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #11: Wed Feb 22 19:01:44 CET 2006 root@hades.admin.frm2:/usr/obj/usr/src/sys/HADES i386
>Description:
Currently security/ipsec-tools is only configured with a subset of the available features, without the option to enable or disable some of them.

Makefile:
- introduce OPTIONS to enable/disable features
- add more features to the OPTION dialog
- choose reasonable defaults for OPTIONS (disabled patented stuff)
- remove useless WRKSRC line
- move LDFLAGS to the place where it is necessary
- extend CONFIGURE_ARGS to set the directory for the adminport socket
  * Note: racoonctl is useless without adminport enabled
  * create the socket dir in post-install
- bump PORTREVISION so that users notice the changes
- finally: remove one item from the TODO list on top of the Makefile ;)

pkg-descr:
- shortened by one line to please portlint

pkg-plist:
- slight reorganization
- add create instructions for the adminport socket dir for the "installing from package" case
- add removal instructions for the adminport socket dir

files/patch-configure:
- add some stuff to detect libiconv when the GSSAPI OPTION is enabled
- iconv is required for GSSAPI, but the library is not added to LIBS in the original configure script
- Why not use USE_AUTOTOOLS and patch configure.ac?
  * because that leads to configure running twice, which is useless overhead. I found no way to avoid this, so we patch configure.
files/racoon.sh.in:
- add the adminsocket directory to required_dirs

NOTE: There is no way to tell configure which kerberos to use when the GSSAPI OPTION is enabled. The configure script will use krb5-config from PATH, which normally is heimdal kerberos from base (/usr/bin/krb5-config). Regarding this, there is no special dependency handling for the various kerberos ports. I will further investigate this to make it possible to decide which kerberos version/implementation to use, including the necessary dependency handling.

Tested on:
RELENG_4 i386 (tinderbox)
RELENG_5 i386 (tinderbox)
RELENG_6 i386 (tinderbox)
RELENG_6_1 i386, amd64, sparc64
CURRENT i386 (tinderbox)
>How-To-Repeat:
>Fix:
- apply the patch and add the new files/patch-configure to CVS

--- security_ipsec-tools.diff begins here --- Index: Makefile =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/Makefile,v retrieving revision 1.11 diff -u -r1.11 Makefile --- Makefile 23 Feb 2006 10:38:57 -0000 1.11 +++ Makefile 26 Apr 2006 15:05:27 -0000 @@ -4,15 +4,14 @@ # # $FreeBSD: ports/security/ipsec-tools/Makefile,v 1.11 2006/02/23 10:38:57 ade Exp $ -# TODO: - configurable --enable-xxx -# - libipsec issue ? +# TODO: - libipsec issue ? # - cleanup... # - SYSCONFDIR # - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey PORTNAME= ipsec-tools PORTVERSION= 0.6.5 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security net MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ipsec-tools 
@@ -26,27 +25,133 @@ USE_OPENSSL= yes USE_BZIP2= yes -WRKSRC= ${WRKDIR}/${DISTNAME} GNU_CONFIGURE= yes INSTALLS_SHLIB= yes -LDFLAGS= -L${LOCALBASE}/lib CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL} -CONFIGURE_ARGS= --enable-debug --enable-dpd --enable-natt=kernel \ - --enable-frag --enable-ipv6 --enable-shared \ - --sysconfdir=${PREFIX}/etc/racoon \ +CONFIGURE_ARGS= --enable-shared --sysconfdir=${PREFIX}/etc/racoon \ + --localstatedir=${STATEDIR:S/\/racoon//} \ --with-pkgversion=freebsd-${PORTVERSION} +STATEDIR= ${DESTDIR}/var/db/racoon +SUB_LIST+= STATEDIR=${STATEDIR} +PLIST_SUB+= STATEDIR=${STATEDIR} + +OPTIONS= DEBUG "enable Debug support" on \ + IPV6 "enable IPV6 support" on \ + ADMINPORT "enable Admin port" on \ + STATS "enable Statistics logging function" on \ + DPD "enable Dead Peer Detection" on \ + NATT "enable NAT-Traversal" on \ + FRAG "enable IKE fragmentation payload support" on \ + HYBRID "enable Hybrid Mode-cfg and Xauth support" on \ + PAM "enable PAM authentication" on \ + GSSAPI "enable GSS-API authentication" off \ + RADIUS "enable Radius authentication" off \ + SAUNSPEC "enable Unspecified SA mode" off \ + RC5 "enable RC5 encryption (patented)" off \ + IDEA "enable IDEA encryption (patented)" off + MAN3= ipsec_set_policy.3 ipsec_strerror.3 MAN5= racoon.conf.5 MAN8= racoon.8 racoonctl.8 setkey.8 plainrsa-gen.8 PORTDOCS= * +.include <bsd.port.pre.mk> + +.ifdef(WITH_DEBUG) +CONFIGURE_ARGS+= --enable-debug +.else +CONFIGURE_ARGS+= --disable-debug +.endif + +.ifdef(WITH_IPV6) +CONFIGURE_ARGS+= --enable-ipv6 +.else +CONFIGURE_ARGS+= --disable-ipv6 +.endif + +.ifdef(WITH_ADMINPORT) +CONFIGURE_ARGS+= --enable-adminport +.else +CONFIGURE_ARGS+= --disable-adminport +.endif + +.ifdef(WITH_STATS) +CONFIGURE_ARGS+= --enable-stats +.else +CONFIGURE_ARGS+= --disable-stats +.endif + +.ifdef(WITH_DPD) +CONFIGURE_ARGS+= --enable-dpd +.else +CONFIGURE_ARGS+= --disable-dpd +.endif + +.ifdef(WITH_NATT) +CONFIGURE_ARGS+= --enable-natt=kernel 
+.else +CONFIGURE_ARGS+= --disable-natt +.endif + +.ifdef(WITH_FRAG) +CONFIGURE_ARGS+= --enable-frag +.else +CONFIGURE_ARGS+= --disable-frag +.endif + +.ifdef(WITH_HYBRID) +CONFIGURE_ARGS+= --enable-hybrid +.else +CONFIGURE_ARGS+= --disable-hybrid +.endif + +.ifdef(WITH_PAM) +CONFIGURE_ARGS+= --with-libpam +.else +CONFIGURE_ARGS+= --without-libpam +.endif + +.ifdef(WITH_GSSAPI) +USE_ICONV= yes +CFLAGS+= -I${LOCALBASE}/include +LDFLAGS+= -L${LOCALBASE}/lib +CONFIGURE_ARGS+= --enable-gssapi +.else +CONFIGURE_ARGS+= --disable-gssapi +.endif + +.ifdef(WITH_RADIUS) +CONFIGURE_ARGS+= --with-libradius +.else +CONFIGURE_ARGS+= --without-libradius +.endif + +.ifdef(WITH_SAUNSPEC) +CONFIGURE_ARGS+= --enable-samode-unspec +.else +CONFIGURE_ARGS+= --disable-samode-unspec +.endif + +.ifdef(WITH_RC5) +CONFIGURE_ARGS+= --enable-rc5 +.else +CONFIGURE_ARGS+= --disable-rc5 +.endif + +.ifdef(WITH_IDEA) +CONFIGURE_ARGS+= --enable-idea +.else +CONFIGURE_ARGS+= --disable-idea +.endif + post-install: @if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \ ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \ ${ECHO_MSG} " You must build the kernel if you want to run racoon on the host"; \ fi ; + @${MKDIR} ${STATEDIR} @${MKDIR} ${EXAMPLESDIR} @${RM} -f ${WRKSRC}/src/racoon/samples/*.in @${CP} -r ${WRKSRC}/src/racoon/samples/* ${EXAMPLESDIR} @@ -55,4 +160,4 @@ @${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${DOCSDIR} .endif -.include <bsd.port.mk> +.include <bsd.port.post.mk> Index: pkg-descr =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-descr,v retrieving revision 1.2 diff -u -r1.2 pkg-descr --- pkg-descr 15 Sep 2005 12:11:48 -0000 1.2 +++ pkg-descr 26 Apr 2006 15:05:27 -0000 
@@ -4,8 +4,7 @@ This is the IPSec-tools version of racoon. Enchancements: -- Support of NAT-T. -- Support of IKE fragmentation. +- Support of NAT-T and IKE fragmentation. - Support of many authentication algorithms. - Tons of bugfixes. Index: pkg-plist =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/pkg-plist,v retrieving revision 1.4 diff -u -r1.4 pkg-plist --- pkg-plist 23 Feb 2006 10:38:57 -0000 1.4 +++ pkg-plist 26 Apr 2006 15:05:27 -0000 @@ -1,4 +1,6 @@ +sbin/plainrsa-gen sbin/racoon +sbin/racoonctl sbin/setkey include/libipsec/libpfkey.h include/racoon/admin.h @@ -24,8 +26,6 @@ lib/libracoon.la lib/libracoon.so lib/libracoon.so.0 -sbin/plainrsa-gen -sbin/racoonctl %%EXAMPLESDIR%%/psk.txt %%EXAMPLESDIR%%/psk.txt.sample %%EXAMPLESDIR%%/racoon.conf @@ -48,3 +48,5 @@ @dirrm %%EXAMPLESDIR%%/roadwarrior @dirrm %%EXAMPLESDIR%% @dirrmtry var/racoon +@exec mkdir -p %%STATEDIR%% +@dirrmtry %%STATEDIR%% Index: files/patch-configure =================================================================== RCS file: files/patch-configure diff -N files/patch-configure --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-configure 26 Apr 2006 15:05:27 -0000 
@@ -0,0 +1,77 @@ +--- configure.orig Wed Apr 26 15:28:47 2006 ++++ configure Wed Apr 26 15:28:56 2006 +@@ -25122,6 +25122,74 @@ + fi + + ++ echo "$as_me:$LINENO: checking for iconv_open in -liconv" >&5 ++echo $ECHO_N "checking for iconv_open in -liconv... $ECHO_C" >&6 ++if test "${ac_cv_lib_iconv_iconv_open+set}" = set; then ++ echo $ECHO_N "(cached) $ECHO_C" >&6 ++else ++ ac_check_lib_save_LIBS=$LIBS ++LIBS="-liconv $LIBS" ++cat >conftest.$ac_ext <<_ACEOF ++/* confdefs.h. */ ++_ACEOF ++cat confdefs.h >>conftest.$ac_ext ++cat >>conftest.$ac_ext <<_ACEOF ++/* end confdefs.h. */ ++ ++/* Override any gcc2 internal prototype to avoid an error. */ ++#ifdef __cplusplus ++extern "C" ++#endif ++/* We use char because int might match the return type of a gcc2 ++ builtin and then its argument prototype would still apply. */ ++char iconv_open (); ++int ++main () ++{ ++iconv_open (); ++ ; ++ return 0; ++} ++_ACEOF ++rm -f conftest.$ac_objext conftest$ac_exeext ++if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 ++ (eval $ac_link) 2>conftest.er1 ++ ac_status=$? ++ grep -v '^ *+' conftest.er1 >conftest.err ++ rm -f conftest.er1 ++ cat conftest.err >&5 ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); } && ++ { ac_try='test -z "$ac_c_werror_flag" ++ || test ! -s conftest.err' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? = $ac_status" >&5 ++ (exit $ac_status); }; } && ++ { ac_try='test -s conftest$ac_exeext' ++ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 ++ (exit $ac_status); }; }; then ++ ac_cv_lib_iconv_iconv_open=yes ++else ++ echo "$as_me: failed program was:" >&5 ++sed 's/^/| /' conftest.$ac_ext >&5 ++ ++ac_cv_lib_iconv_iconv_open=no ++fi ++rm -f conftest.err conftest.$ac_objext \ ++ conftest$ac_exeext conftest.$ac_ext ++LIBS=$ac_check_lib_save_LIBS ++fi ++echo "$as_me:$LINENO: result: $ac_cv_lib_iconv_iconv_open" >&5 ++echo "${ECHO_T}$ac_cv_lib_iconv_iconv_open" >&6 ++if test $ac_cv_lib_iconv_iconv_open = yes; then ++ LIBS="$LIBS -liconv" ++fi ++ + echo "$as_me:$LINENO: checking if iconv second argument needs const" >&5 + echo $ECHO_N "checking if iconv second argument needs const... $ECHO_C" >&6 + saved_CFLAGS=$CFLAGS Index: files/racoon.sh.in =================================================================== RCS file: /home/ncvs/ports/security/ipsec-tools/files/racoon.sh.in,v retrieving revision 1.3 diff -u -r1.3 racoon.sh.in --- files/racoon.sh.in 20 Feb 2006 20:47:39 -0000 1.3 +++ files/racoon.sh.in 26 Apr 2006 15:05:27 -0000 @@ -32,6 +32,7 @@ command="${prefix}/sbin/racoon" pidfile="/var/run/racoon.pid" required_files="${prefix}/etc/racoon/racoon.conf" +required_dirs="%%STATEDIR%%" stop_postcmd="racoon_poststop" racoon_poststop() { --- security_ipsec-tools.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
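Review bot: in the Makefile hunk @@ -26,27 +25,133 @@, `STATEDIR= ${DESTDIR}/var/db/racoon` is fed both to configure (`--localstatedir=${STATEDIR:S/\/racoon//}`) and to `PLIST_SUB`/`SUB_LIST`, so any non-empty DESTDIR gets compiled into racoon's adminport socket path and written into the plist and the rc script; define `STATEDIR= /var/db/racoon` and prepend `${DESTDIR}` only in the post-install `@${MKDIR}` line. In the same hunk, that `@${MKDIR} ${STATEDIR}` creates the socket directory with whatever mode the build umask yields; because the admin socket in it is the control channel racoonctl uses to drive the daemon, the intended owner and mode of the directory should be set explicitly in post-install rather than left to umask. As a style point, the ports tree spells these tests `.if defined(WITH_DEBUG)` rather than `.ifdef(WITH_DEBUG)`.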
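Review bot: in the pkg-descr hunk @@ -4,8 +4,7 @@, the unchanged context line `Enchancements:` is misspelled; since the file is being edited anyway to please portlint, change it to `Enhancements:` in the same hunk.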
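Review bot: the new files/patch-configure (hunk @@ -0,0 +1,77 @@) hand-inserts an AC_CHECK_LIB(iconv, iconv_open) expansion into the generated configure at line 25122, but nothing in the file says so; add a comment at its top (or next to `USE_ICONV= yes` in the Makefile) recording that configure rather than configure.ac is patched to avoid the double configure run described in the PR text, and that the check must be regenerated, not dropped, when the upstream configure changes and the hunk's line numbers no longer apply. Note also that the appended `LIBS="$LIBS -liconv"` only links when the preceding test succeeds, which in turn needs the `-L${LOCALBASE}/lib` that the Makefile adds only under WITH_GSSAPI, so the patch is harmless when that option is off but silently useless if LDFLAGS are ever moved back out of that branch.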