* [gentoo-commits] repo/gentoo:master commit in: net-vpn/libreswan/files/, net-vpn/libreswan/
@ 2018-02-16 8:59 Hans de Graaff
From: Hans de Graaff @ 2018-02-16 8:59 UTC (permalink / raw
To: gentoo-commits
commit: 7dd4310aac4f0a15fa98a4bdbb379d7d4882ce97
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Fri Feb 16 08:59:16 2018 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Fri Feb 16 08:59:35 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7dd4310a
net-vpn/libreswan: fix glibc/kernel incompatibility, bug 647198
Apply upstream patch to support newer glibc and kernel combinations.
Not applied upstream yet because they also need to support old
distributions. This patch works with current stable glibc 2.25.
Closes: https://bugs.gentoo.org/647198
Package-Manager: Portage-2.3.19, Repoman-2.3.6
.../files/libreswan-3.23-modern-kernels.patch | 15 +++
net-vpn/libreswan/libreswan-3.23-r1.ebuild | 114 +++++++++++++++++++++
2 files changed, 129 insertions(+)
diff --git a/net-vpn/libreswan/files/libreswan-3.23-modern-kernels.patch b/net-vpn/libreswan/files/libreswan-3.23-modern-kernels.patch
new file mode 100644
index 00000000000..5dedfeb34c7
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.23-modern-kernels.patch
@@ -0,0 +1,15 @@
+diff --git a/programs/pluto/kernel_netlink.c
+b/programs/pluto/kernel_netlink.c
+index 8cec3a2..a2500f4 100644
+--- a/programs/pluto/kernel_netlink.c
++++ b/programs/pluto/kernel_netlink.c
+@@ -51,8 +51,8 @@
+ #include <linux/if_addr.h>
+ #include <linux/if_link.h>
+
+-#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
+ #include "linux/xfrm.h" /* local (if configured) or system copy */
++#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
+
+ #include "libreswan/pfkeyv2.h"
+ #include "libreswan/pfkey.h"
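Review bot: The comment carried along with the moved include now contradicts the code: after this patch `libreswan.h` is included after `linux/xfrm.h`, yet the added line still reads `/* before xfrm.h otherwise break on F22 */`. Since the include order is the whole fix, the comment should state the new constraint, for example `#include "libreswan.h" /* after xfrm.h: needed with newer glibc/kernel header combinations, Gentoo bug 647198 */`. The `diff --git` header inside the patch file is also split over two lines; tools that key on the `---`/`+++` lines will presumably cope, but rejoining it keeps the file well-formed.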
diff --git a/net-vpn/libreswan/libreswan-3.23-r1.ebuild b/net-vpn/libreswan/libreswan-3.23-r1.ebuild
new file mode 100644
index 00000000000..3a6e2002c93
--- /dev/null
+++ b/net-vpn/libreswan/libreswan-3.23-r1.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit systemd toolchain-funcs
+
+SRC_URI="https://download.libreswan.org/${P}.tar.gz"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
+HOMEPAGE="https://libreswan.org/"
+
+LICENSE="GPL-2 BSD-4 RSA DES"
+SLOT="0"
+IUSE="caps curl dnssec ldap pam seccomp selinux systemd test"
+
+COMMON_DEPEND="
+ dev-libs/gmp:0=
+ dev-libs/libevent:0=
+ dev-libs/nspr
+ caps? ( sys-libs/libcap-ng )
+ curl? ( net-misc/curl )
+ dnssec? ( net-dns/unbound net-libs/ldns )
+ ldap? ( net-nds/openldap )
+ pam? ( sys-libs/pam )
+ seccomp? ( sys-libs/libseccomp )
+ selinux? ( sys-libs/libselinux )
+ systemd? ( sys-apps/systemd:0= )
+"
+DEPEND="${COMMON_DEPEND}
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/xmlto
+ dev-libs/nss
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig
+ test? ( dev-python/setproctitle )
+"
+RDEPEND="${COMMON_DEPEND}
+ dev-libs/nss[utils(+)]
+ sys-apps/iproute2
+ !net-misc/openswan
+ !net-vpn/strongswan
+ selinux? ( sec-policy/selinux-ipsec )
+"
+
+PATCHES=( "${FILESDIR}/${P}-modern-kernels.patch" )
+
+usetf() {
+ usex "$1" true false
+}
+
+src_prepare() {
+ sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
+ sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
+ default
+}
+
+src_configure() {
+ tc-export AR CC
+ export INC_USRLOCAL=/usr
+ export INC_MANDIR=share/man
+ export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
+ export FINALDOCDIR=/usr/share/doc/${PF}/html
+ export INITSYSTEM=openrc
+ export INC_RCDIRS=
+ export INC_RCDEFAULT=/etc/init.d
+ export USERCOMPILE=
+ export USERLINK=
+ export USE_DNSSEC=$(usetf dnssec)
+ export USE_LABELED_IPSEC=$(usetf selinux)
+ export USE_LIBCAP_NG=$(usetf caps)
+ export USE_LIBCURL=$(usetf curl)
+ export USE_LINUX_AUDIT=$(usetf selinux)
+ export USE_LDAP=$(usetf ldap)
+ export USE_SECCOMP=$(usetf seccomp)
+ export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
+ export SD_WATCHDOGSEC=$(usex systemd 200 0)
+ export USE_XAUTHPAM=$(usetf pam)
+ export DEBUG_CFLAGS=
+ export OPTIMIZE_CFLAGS=
+ export WERROR_CFLAGS=
+}
+
+src_compile() {
+ emake all
+ emake -C initsystems INITSYSTEM=systemd UNITDIR="$(systemd_get_systemunitdir)" all
+}
+
+src_test() {
+ : # integration tests only that require set of kvms to be set up
+}
+
+src_install() {
+ default
+ emake -C initsystems INITSYSTEM=systemd UNITDIR="$(systemd_get_systemunitdir)" DESTDIR="${D}" install
+
+ echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets
+ fperms 0600 /etc/ipsec.secrets
+
+ dodoc -r docs
+
+ find "${D}" -type d -empty -delete || die
+}
+
+pkg_postinst() {
+ local IPSEC_CONFDIR=${ROOT%/}/etc/ipsec.d
+ if [[ ! -f ${IPSEC_CONFDIR}/cert8.db ]]; then
+ ebegin "Setting up NSS database in ${IPSEC_CONFDIR}"
+ certutil -N -d "${IPSEC_CONFDIR}" -f <(echo)
+ eend $?
+ fi
+}
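Review bot: `pkg_postinst` creates the NSS database that will hold the IPsec keys and certificates with an empty password (`-f <(echo)` hands certutil a blank line), and the only message is "Setting up NSS database in ...", so the administrator is never told the store is unprotected. Say so in the `ebegin` text and follow `eend $?` with a hint such as `einfo "To set a password: certutil -W -d ${IPSEC_CONFDIR}"`. Without a password the key material is protected only by the file modes under `${IPSEC_CONFDIR}`, which this ebuild leaves to upstream's install rules (the only `fperms` call is on `/etc/ipsec.secrets`).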
* [gentoo-commits] repo/gentoo:master commit in: net-vpn/libreswan/files/, net-vpn/libreswan/
@ 2018-07-22 19:38 Hans de Graaff
From: Hans de Graaff @ 2018-07-22 19:38 UTC (permalink / raw
To: gentoo-commits
commit: 2d707becfb19a25cabc2c1af3e08a464b5c1345e
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sun Jul 22 19:38:16 2018 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Jul 22 19:38:34 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d707bec
net-vpn/libreswan: fix compilation with -curl
Backports an upstream bug fix.
Closes: https://bugs.gentoo.org/661814
Package-Manager: Portage-2.3.40, Repoman-2.3.9
.../libreswan/files/libreswan-3.25-no-curl.patch | 25 ++++++++++++++++++++++
net-vpn/libreswan/libreswan-3.25.ebuild | 2 ++
2 files changed, 27 insertions(+)
diff --git a/net-vpn/libreswan/files/libreswan-3.25-no-curl.patch b/net-vpn/libreswan/files/libreswan-3.25-no-curl.patch
new file mode 100644
index 00000000000..f23e2f7f227
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.25-no-curl.patch
@@ -0,0 +1,25 @@
+From 903f953b271c35f33790bb7ba98b17acfdecede6 Mon Sep 17 00:00:00 2001
+From: Paul Wouters <pwouters@redhat.com>
+Date: Sun, 22 Jul 2018 11:37:04 -0700
+Subject: [PATCH] building: only call check_crls() if LIBCURL support is
+ compiled in
+
+Noted by Daniel M. Weeks
+---
+ programs/pluto/timer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/programs/pluto/timer.c b/programs/pluto/timer.c
+index b8a465a91b..4e82e634ea 100644
+--- a/programs/pluto/timer.c
++++ b/programs/pluto/timer.c
+@@ -432,7 +432,9 @@ static void timer_event_cb(evutil_socket_t fd UNUSED, const short event UNUSED,
+ break;
+
+ case EVENT_CHECK_CRLS:
++#ifdef LIBCURL
+ check_crls();
++#endif
+ break;
+
+ case EVENT_v2_RELEASE_WHACK:
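Review bot: With `LIBCURL` undefined the `EVENT_CHECK_CRLS` case becomes an empty `break`, so the periodic CRL check is dropped silently on `USE=-curl` builds. If `check_crls()` is also compiled for LDAP-only builds (not visible in this hunk), the guard would need to be `#if defined(LIBCURL) || defined(LIBLDAP)` to keep CRL refresh working there. Either way a comment on the guard, e.g. `/* no CRL fetcher compiled in: the periodic check is a no-op */`, would tell the reader that revocation data is not refreshed in this configuration. `timer_event_cb` starts and ends outside the hunk.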
diff --git a/net-vpn/libreswan/libreswan-3.25.ebuild b/net-vpn/libreswan/libreswan-3.25.ebuild
index b71d536ae10..ef9392525b5 100644
--- a/net-vpn/libreswan/libreswan-3.25.ebuild
+++ b/net-vpn/libreswan/libreswan-3.25.ebuild
@@ -50,6 +50,8 @@ usetf() {
}
src_prepare() {
+ eapply "${FILESDIR}/${P}-no-curl.patch"
+
sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
default
* [gentoo-commits] repo/gentoo:master commit in: net-vpn/libreswan/files/, net-vpn/libreswan/
@ 2019-06-10 7:31 Hans de Graaff
From: Hans de Graaff @ 2019-06-10 7:31 UTC (permalink / raw
To: gentoo-commits
commit: fd812d0ff2a598722bffe33af224ab8eb3b19e97
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 10 06:39:06 2019 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Mon Jun 10 07:26:17 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd812d0f
net-vpn/libreswan: backport XFRM detection patch
Backport upstream patch for XFRM detection that was
failing on some kernels due to lack of (optional) XFRM_STAT.
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
Package-Manager: Portage-2.3.66, Repoman-2.3.11
.../files/libreswan-3.28-barf-syntax.patch | 23 +++
.../files/libreswan-3.28-xfrm-detection.patch | 200 +++++++++++++++++++++
net-vpn/libreswan/libreswan-3.28-r1.ebuild | 117 ++++++++++++
3 files changed, 340 insertions(+)
diff --git a/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch b/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch
new file mode 100644
index 00000000000..69786bba99f
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch
@@ -0,0 +1,23 @@
+From 8c3ba6a5f73ae64aa5171252f54c15d65c9930db Mon Sep 17 00:00:00 2001
+From: Tuomo Soini <tis@foobar.fi>
+Date: Fri, 24 May 2019 19:19:12 +0300
+Subject: [PATCH] barf: fix syntax error caused by removing pfkey checks
+
+Fixes problem introduced in beccfe9f7a40816a9ec663e4076ff051bf4c91cb
+---
+ programs/barf/barf.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index fce05994cf..9cb92ffc58 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -170,6 +170,8 @@ if test -r /proc/net/ipsec_tncfg
+ then
+ cat /proc/net/ipsec_tncfg
+ fi
++if test -r /proc/net/xfrm_stat
++then
+ _________________________ ip-xfrm-state
+ ip xfrm state
+ _________________________ ip-xfrm-policy
diff --git a/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch b/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch
new file mode 100644
index 00000000000..7cda675af77
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch
@@ -0,0 +1,200 @@
+From 716f4b712724c6698469563e531dea3667507ceb Mon Sep 17 00:00:00 2001
+From: Paul Wouters <pwouters@redhat.com>
+Date: Tue, 28 May 2019 00:24:30 -0400
+Subject: [PATCH] programs: Change to use /proc/sys/net/core/xfrm_acq_expires
+ to detect XFRM
+
+Apparently, not all kernels with XFRM support also enable support for
+CONFIG_XFRM_STATISTICS, causing XFRM auto-detection to fail.
+
+This affected openwrt and also some other distribution/custom kernels.
+---
+ programs/_realsetup.bsd/_realsetup.in | 2 +-
+ programs/_stackmanager/_stackmanager.in | 2 +-
+ programs/barf/barf.in | 6 +++---
+ programs/eroute/eroute.c | 2 +-
+ programs/ipsec/ipsec.in | 2 +-
+ programs/look/look.in | 2 +-
+ programs/pluto/kernel.c | 2 +-
+ programs/setup/setup.in | 2 +-
+ programs/spi/spi.c | 2 +-
+ programs/spigrp/spigrp.c | 2 +-
+ programs/tncfg/tncfg.c | 2 +-
+ programs/verify/verify.in | 2 +-
+ 12 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/programs/_realsetup.bsd/_realsetup.in b/programs/_realsetup.bsd/_realsetup.in
+index 91cca98ac8..4a783772f6 100755
+--- a/programs/_realsetup.bsd/_realsetup.in
++++ b/programs/_realsetup.bsd/_realsetup.in
+@@ -28,7 +28,7 @@ plutoctl=/var/run/pluto/pluto.ctl
+ subsyslock=/var/lock/subsys/ipsec
+ lock=/var/run/pluto/ipsec_setup.pid
+
+-xfrm_stat=/proc/net/xfrm_stat
++xfrm_stat=/proc/sys/net/core/xfrm_acq_expires
+
+ # defaults for "config setup" items
+ IPSECuniqueids=${IPSECuniqueids:-yes}
+diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in
+index 4d41c5ad51..21616a31c9 100644
+--- a/programs/_stackmanager/_stackmanager.in
++++ b/programs/_stackmanager/_stackmanager.in
+@@ -29,7 +29,7 @@ eval $(ASAN_OPTIONS=detect_leaks=0 ipsec addconn --configsetup | grep -v "#" |
+ test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
+ MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@"
+
+-xfrm_stat=/proc/net/xfrm_stat
++xfrm_stat=/proc/sys/net/core/xfrm_acq_expires
+ klipsstack=/proc/net/ipsec/version
+ action="${1}"
+
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index 17f830d4a3..15eb252f11 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -174,14 +174,13 @@ _________________________ /proc/net/ipsec_tncfg
+ if test -r /proc/net/ipsec_tncfg
+ then
+ cat /proc/net/ipsec_tncfg
+ fi
+-if test -r /proc/net/xfrm_stat
+-then
++if [ -r /proc/sys/net/core/xfrm_acq_expires ]; then
+ _________________________ ip-xfrm-state
+ ip xfrm state
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
+-_________________________ ip-xfrm-stats
++_________________________ cat-proc-net-xfrm_stat
+ cat /proc/net/xfrm_stat
+ fi
+ _________________________ ip-l2tp-tunnel
+@@ -283,9 +283,8 @@ _________________________ /proc/net/ipsec_version
+ if test -r /proc/net/ipsec_version
+ then
+ cat /proc/net/ipsec_version
+ else
+- if test -r /proc/net/xfrm_stat
+- then
++ if [ -r /proc/sys/net/core/xfrm_acq_expires ]; then
+ echo "NETKEY (`uname -r`) support detected "
+ else
+ echo "no KLIPS or NETKEY support detected"
+diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c
+index c33234c194..6f058d9232 100644
+--- a/programs/eroute/eroute.c
++++ b/programs/eroute/eroute.c
+@@ -495,7 +495,7 @@ int main(int argc, char **argv)
+ if (argcount == 1) {
+ struct stat sts;
+
+- if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ fprintf(stderr,
+ "%s: NETKEY does not support eroute table.\n",
+ progname);
+diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
+index 401a596628..06bec21632 100755
+--- a/programs/ipsec/ipsec.in
++++ b/programs/ipsec/ipsec.in
+@@ -61,7 +61,7 @@ fixversion() {
+ stack=" (klips)"
+ kv="$(awk '{print $NF}' /proc/net/ipsec_version)"
+ else
+- if [ -f /proc/net/xfrm_stat ]; then
++ if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then
+ stack=" (netkey)"
+ kv="${version}"
+ else
+diff --git a/programs/look/look.in b/programs/look/look.in
+index bb55e8eda2..192856c630 100755
+--- a/programs/look/look.in
++++ b/programs/look/look.in
+@@ -72,7 +72,7 @@ if [ -f /proc/net/ipsec_spi ]; then
+ fi
+
+ # xfrm
+-if [ -f /proc/net/xfrm_stat ]; then
++if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then
+ echo "XFRM state:"
+ ip xfrm state
+ echo "XFRM policy:"
+diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
+index 39b1e32389..5c71c04af3 100644
+--- a/programs/pluto/kernel.c
++++ b/programs/pluto/kernel.c
+@@ -2666,7 +2666,7 @@ void init_kernel(void)
+ switch (kern_interface) {
+ #if defined(NETKEY_SUPPORT)
+ case USE_NETKEY:
+- if (stat("/proc/net/xfrm_stat", &buf) != 0) {
++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &buf) != 0) {
+ libreswan_log("No XFRM kernel interface detected");
+ exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
+ }
+diff --git a/programs/setup/setup.in b/programs/setup/setup.in
+index 8c28b0e157..1933089459 100755
+--- a/programs/setup/setup.in
++++ b/programs/setup/setup.in
+@@ -110,7 +110,7 @@ case "$1" in
+
+ # If stack is non-modular, we want to force clean too
+ [ -f /proc/net/pf_key ] && ipsec eroute --clear
+- [ -f /proc/net/xfrm_stat ] && ip xfrm state flush && ip xfrm policy flush
++ [ -f /proc/sys/net/core/xfrm_acq_expires ] && ip xfrm state flush && ip xfrm policy flush
+
+ # Cleaning up backup resolv.conf
+ if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
+diff --git a/programs/spi/spi.c b/programs/spi/spi.c
+index c45fe6a517..742898a86f 100644
+--- a/programs/spi/spi.c
++++ b/programs/spi/spi.c
+@@ -1135,7 +1135,7 @@ int main(int argc, char *argv[])
+ progname);
+ }
+
+- if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ fprintf(stderr,
+ "%s: XFRM does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
+ progname);
+diff --git a/programs/spigrp/spigrp.c b/programs/spigrp/spigrp.c
+index 79d6c50e5e..fe0942325d 100644
+--- a/programs/spigrp/spigrp.c
++++ b/programs/spigrp/spigrp.c
+@@ -151,7 +151,7 @@ int main(int argc, char **argv)
+ if (debug)
+ fprintf(stdout, "...After check for --label option.\n");
+
+- if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ fprintf(stderr,
+ "%s: XFRM does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n",
+ progname);
+diff --git a/programs/tncfg/tncfg.c b/programs/tncfg/tncfg.c
+index 55de83b1ef..5a9f2e9aee 100644
+--- a/programs/tncfg/tncfg.c
++++ b/programs/tncfg/tncfg.c
+@@ -259,7 +259,7 @@ int main(int argc, char *argv[])
+ }
+ }
+
+- if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++ if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ fprintf(stderr,
+ "%s: XFRM does not support virtual interfaces.\n",
+ progname);
+diff --git a/programs/verify/verify.in b/programs/verify/verify.in
+index 9321631931..81ae1d32fe 100755
+--- a/programs/verify/verify.in
++++ b/programs/verify/verify.in
+@@ -223,7 +223,7 @@ def installstartcheck():
+ print_result("FAIL","FAILED")
+
+ printfun("Checking for IPsec support in kernel")
+- if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/net/xfrm_stat"):
++ if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/sys/net/core/xfrm_acq_expires"):
+ print_result("FAIL","FAILED")
+ if "no kernel code presently loaded" in output:
+ print("\n The ipsec service should be started before running 'ipsec verify'\n")
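Review bot: In the first `programs/barf/barf.in` hunk the guard now tests `/proc/sys/net/core/xfrm_acq_expires`, but the block it protects still runs `cat /proc/net/xfrm_stat` unconditionally, and that is the very file that is absent on the kernels without CONFIG_XFRM_STATISTICS this patch is meant to support. Guard that one command on its own, e.g. `[ -r /proc/net/xfrm_stat ] && cat /proc/net/xfrm_stat`. In `_realsetup.in` and `_stackmanager.in` the shell variable is still named `xfrm_stat` although it no longer points at that file; a one-line comment such as `# presence of this sysctl is used to detect XFRM; it is not the statistics file` would stop someone from changing the path back.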
diff --git a/net-vpn/libreswan/libreswan-3.28-r1.ebuild b/net-vpn/libreswan/libreswan-3.28-r1.ebuild
new file mode 100644
index 00000000000..ee813e6e844
--- /dev/null
+++ b/net-vpn/libreswan/libreswan-3.28-r1.ebuild
@@ -0,0 +1,117 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs
+
+SRC_URI="https://download.libreswan.org/${P}.tar.gz"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
+HOMEPAGE="https://libreswan.org/"
+
+LICENSE="GPL-2 BSD-4 RSA DES"
+SLOT="0"
+IUSE="caps curl dnssec ldap pam seccomp selinux systemd test"
+
+DEPEND="
+ dev-libs/gmp:0=
+ dev-libs/libevent:0=
+ dev-libs/nspr
+ >=dev-libs/nss-3.42
+ caps? ( sys-libs/libcap-ng )
+ curl? ( net-misc/curl )
+ dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns )
+ ldap? ( net-nds/openldap )
+ pam? ( sys-libs/pam )
+ seccomp? ( sys-libs/libseccomp )
+ selinux? ( sys-libs/libselinux )
+ systemd? ( sys-apps/systemd:0= )
+"
+BDEPEND="
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/xmlto
+ dev-libs/nss
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig
+ test? ( dev-python/setproctitle )
+"
+RDEPEND="${DEPEND}
+ dev-libs/nss[utils(+)]
+ sys-apps/iproute2
+ !net-misc/openswan
+ !net-vpn/strongswan
+ selinux? ( sec-policy/selinux-ipsec )
+"
+
+usetf() {
+ usex "$1" true false
+}
+
+src_prepare() {
+ eapply "${FILESDIR}/${P}-barf-syntax.patch"
+ eapply -l "${FILESDIR}/${P}-xfrm-detection.patch"
+
+ sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
+ sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
+ default
+}
+
+src_configure() {
+ tc-export AR CC
+ export INC_USRLOCAL=/usr
+ export INC_MANDIR=share/man
+ export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
+ export FINALDOCDIR=/usr/share/doc/${PF}/html
+ export INITSYSTEM=openrc
+ export INC_RCDIRS=
+ export INC_RCDEFAULT=/etc/init.d
+ export USERCOMPILE=
+ export USERLINK=
+ export USE_DNSSEC=$(usetf dnssec)
+ export USE_LABELED_IPSEC=$(usetf selinux)
+ export USE_LIBCAP_NG=$(usetf caps)
+ export USE_LIBCURL=$(usetf curl)
+ export USE_LINUX_AUDIT=$(usetf selinux)
+ export USE_LDAP=$(usetf ldap)
+ export USE_SECCOMP=$(usetf seccomp)
+ export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
+ export SD_WATCHDOGSEC=$(usex systemd 200 0)
+ export USE_XAUTHPAM=$(usetf pam)
+ export DEBUG_CFLAGS=
+ export OPTIMIZE_CFLAGS=
+ export WERROR_CFLAGS=
+}
+
+src_compile() {
+ emake all
+ emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" all
+}
+
+src_test() {
+ : # integration tests only that require set of kvms to be set up
+}
+
+src_install() {
+ default
+ emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" DESTDIR="${D}" install
+
+ echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets
+ fperms 0600 /etc/ipsec.secrets
+
+ dodoc -r docs
+
+ find "${D}" -type d -empty -delete || die
+}
+
+pkg_postinst() {
+ local IPSEC_CONFDIR=${ROOT%/}/etc/ipsec.d
+ if [[ ! -f ${IPSEC_CONFDIR}/cert8.db && ! -f ${IPSEC_CONFDIR}/cert9.db ]] ; then
+ ebegin "Setting up NSS database in ${IPSEC_CONFDIR} with empty password"
+ certutil -N -d "${IPSEC_CONFDIR}" --empty-password
+ eend $?
+ einfo "To set a password: certutil -W -d sql:${IPSEC_CONFDIR}"
+ fi
+}
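Review bot: `src_configure` exports `USERCOMPILE=` and `USERLINK=` as empty strings, which replaces whatever defaults upstream's makefiles assign to those variables; if those defaults carry hardening options (not visible on this page), the network-facing IKE daemon is built without them unless the toolchain profile supplies equivalents. A comment stating why they are cleared would settle the question, for instance `# cleared so only the user's CFLAGS/LDFLAGS apply; hardening is expected from the toolchain defaults`. The same two lines appear in the 3.23-r1 and 3.32-r1 ebuilds on this page.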
* [gentoo-commits] repo/gentoo:master commit in: net-vpn/libreswan/files/, net-vpn/libreswan/
@ 2020-06-27 6:17 Hans de Graaff
From: Hans de Graaff @ 2020-06-27 6:17 UTC (permalink / raw
To: gentoo-commits
commit: f089a9dbc70325b82be293afe46bf2c9a7c3e9e8
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat Jun 27 06:15:13 2020 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sat Jun 27 06:15:30 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f089a9db
net-vpn/libreswan: backport NSS compat patch
Backport a patch for compatibility with newer NSS versions.
Closes: https://bugs.gentoo.org/721686
Package-Manager: Portage-2.3.99, Repoman-2.3.23
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
.../files/libreswan-3.32-nss-compat.patch | 23 ++++
net-vpn/libreswan/libreswan-3.32-r1.ebuild | 117 +++++++++++++++++++++
2 files changed, 140 insertions(+)
diff --git a/net-vpn/libreswan/files/libreswan-3.32-nss-compat.patch b/net-vpn/libreswan/files/libreswan-3.32-nss-compat.patch
new file mode 100644
index 00000000000..09f71a9f907
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.32-nss-compat.patch
@@ -0,0 +1,23 @@
+Add compatibility setting for NSS
+
+https://github.com/libreswan/libreswan/commit/65a497959a0e1ca615341109eaad5e75723839d6
+
+We patch a different file because a later commit moved the setting to this file.
+
+diff --git a/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c b/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+index 93a027089a..571913cc1e 100644
+--- a/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
++++ b/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+@@ -16,6 +16,12 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+
++/*
++ * Special advise from Bob Relyea - needs to go before any nss include
++ *
++ */
++#define NSS_PKCS11_2_0_COMPAT 1
++
+ #include "lswlog.h"
+ #include "lswnss.h"
+ #include "prmem.h"
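Review bot: The added comment does not say what `NSS_PKCS11_2_0_COMPAT` does or why it has to precede the NSS headers, so a later reshuffle of the includes could silently undo it. Presumably it keeps the older PKCS#11 2.x parameter-structure layout that this GCM code fills in when building against newer NSS; if that is the reason, put it in the comment, e.g. `/* keep the PKCS#11 2.x GCM parameter layout with newer NSS; must be defined before any NSS header is included */`. The define only covers this translation unit, so any other file that passes the same structures to NSS (none visible here) would need it as well.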
diff --git a/net-vpn/libreswan/libreswan-3.32-r1.ebuild b/net-vpn/libreswan/libreswan-3.32-r1.ebuild
new file mode 100644
index 00000000000..594a265b467
--- /dev/null
+++ b/net-vpn/libreswan/libreswan-3.32-r1.ebuild
@@ -0,0 +1,117 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs
+
+SRC_URI="https://download.libreswan.org/${P}.tar.gz"
+KEYWORDS="~amd64 ~arm ~ppc ~x86"
+
+DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
+HOMEPAGE="https://libreswan.org/"
+
+LICENSE="GPL-2 BSD-4 RSA DES"
+SLOT="0"
+IUSE="caps curl dnssec ldap pam seccomp selinux systemd test"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ dev-libs/gmp:0=
+ dev-libs/libevent:0=
+ dev-libs/nspr
+ >=dev-libs/nss-3.42
+ >=sys-kernel/linux-headers-4.19
+ caps? ( sys-libs/libcap-ng )
+ curl? ( net-misc/curl )
+ dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns )
+ ldap? ( net-nds/openldap )
+ pam? ( sys-libs/pam )
+ seccomp? ( sys-libs/libseccomp )
+ selinux? ( sys-libs/libselinux )
+ systemd? ( sys-apps/systemd:0= )
+"
+BDEPEND="
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/xmlto
+ dev-libs/nss
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig
+ test? ( dev-python/setproctitle )
+"
+RDEPEND="${DEPEND}
+ dev-libs/nss[utils(+)]
+ sys-apps/iproute2
+ !net-vpn/strongswan
+ selinux? ( sec-policy/selinux-ipsec )
+"
+
+usetf() {
+ usex "$1" true false
+}
+
+PATCHES=( "${FILESDIR}/${PN}-3.30-ip-path.patch" "${FILESDIR}/${P}-nss-compat.patch" )
+
+src_prepare() {
+ sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
+ sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
+ default
+}
+
+src_configure() {
+ tc-export AR CC
+ export INC_USRLOCAL=/usr
+ export INC_MANDIR=share/man
+ export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
+ export FINALDOCDIR=/usr/share/doc/${PF}/html
+ export INITSYSTEM=openrc
+ export INC_RCDIRS=
+ export INC_RCDEFAULT=/etc/init.d
+ export USERCOMPILE=
+ export USERLINK=
+ export USE_DNSSEC=$(usetf dnssec)
+ export USE_LABELED_IPSEC=$(usetf selinux)
+ export USE_LIBCAP_NG=$(usetf caps)
+ export USE_LIBCURL=$(usetf curl)
+ export USE_LINUX_AUDIT=$(usetf selinux)
+ export USE_LDAP=$(usetf ldap)
+ export USE_SECCOMP=$(usetf seccomp)
+ export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
+ export SD_WATCHDOGSEC=$(usex systemd 200 0)
+ export USE_XAUTHPAM=$(usetf pam)
+ export DEBUG_CFLAGS=
+ export OPTIMIZE_CFLAGS=
+ export WERROR_CFLAGS=
+}
+
+src_compile() {
+ emake all
+ emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" all
+}
+
+src_test() {
+ : # integration tests only that require set of kvms to be set up
+}
+
+src_install() {
+ default
+ emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" DESTDIR="${D}" install
+
+ echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets
+ fperms 0600 /etc/ipsec.secrets
+
+ dodoc -r docs
+
+ find "${D}" -type d -empty -delete || die
+}
+
+pkg_postinst() {
+ local IPSEC_CONFDIR=${ROOT}/etc/ipsec.d
+ if [[ ! -f ${IPSEC_CONFDIR}/cert8.db && ! -f ${IPSEC_CONFDIR}/cert9.db ]] ; then
+ ebegin "Setting up NSS database in ${IPSEC_CONFDIR} with empty password"
+ certutil -N -d "${IPSEC_CONFDIR}" --empty-password
+ eend $?
+ einfo "To set a password: certutil -W -d sql:${IPSEC_CONFDIR}"
+ fi
+}
* [gentoo-commits] repo/gentoo:master commit in: net-vpn/libreswan/files/, net-vpn/libreswan/
@ 2024-11-11 9:30 Hans de Graaff
From: Hans de Graaff @ 2024-11-11 9:30 UTC (permalink / raw
To: gentoo-commits
commit: 14b24fe29d3814b63fb22a6faa25d3109eface9d
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 11 09:25:03 2024 +0000
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Mon Nov 11 09:29:48 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14b24fe2
net-vpn/libreswan: fix building without curl
Backport upstream patch to allow building without curl support.
Closes: https://bugs.gentoo.org/941388
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>
.../files/libreswan-5.1-without-libcurl.patch | 72 +++++++++++
net-vpn/libreswan/libreswan-5.1-r1.ebuild | 137 +++++++++++++++++++++
2 files changed, 209 insertions(+)
diff --git a/net-vpn/libreswan/files/libreswan-5.1-without-libcurl.patch b/net-vpn/libreswan/files/libreswan-5.1-without-libcurl.patch
new file mode 100644
index 000000000000..e83683324e83
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-5.1-without-libcurl.patch
@@ -0,0 +1,72 @@
+From 9f0336036caa92eb5f82841d200027c95991fd13 Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Mon, 14 Oct 2024 11:09:17 -0400
+Subject: [PATCH] building: fix USE_LIBCURL=false
+
+close #1845 Libreswan 5.1 no longer compiles without libcurl support
+---
+ programs/pluto/fetch.c | 13 ++++---------
+ programs/pluto/rcv_whack.c | 2 --
+ 2 files changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/programs/pluto/fetch.c b/programs/pluto/fetch.c
+index 299b7ff405..9bc60b9801 100644
+--- a/programs/pluto/fetch.c
++++ b/programs/pluto/fetch.c
+@@ -19,8 +19,6 @@
+ *
+ */
+
+-#if defined(LIBCURL) || defined(LIBLDAP) /* essentially whole body of file */
+-
+ #include <pthread.h> /* Must be the first include file */
+ #include <stdlib.h>
+ #include <errno.h>
+@@ -30,7 +28,6 @@
+ #include <cert.h>
+ #include <certdb.h>
+
+-
+ #include "constants.h"
+ #include "defs.h"
+ #include "log.h"
+@@ -153,9 +150,11 @@ static err_t fetch_curl(const char *url, chunk_t *blob, struct logger *logger)
+
+ #else /* LIBCURL */
+
+-static err_t fetch_curl(const char *url UNUSED,
+- chunk_t *blob UNUSED)
++static err_t fetch_curl(const char *url,
++ chunk_t *blob,
++ struct logger *logger)
+ {
++ ldbg(logger, "%s() ignoring %s %p", __func__, url, blob->ptr);
+ return "not compiled with libcurl support";
+ }
+
+@@ -578,7 +577,3 @@ void free_crl_fetch(void)
+ }
+ #endif
+ }
+-
+-#else /* defined(LIBCURL) || defined(LIBLDAP) */
+-/* we'll just ignore for now - this is all going away anyway */
+-#endif
+diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c
+index 7959e9ec1f..a7f811f319 100644
+--- a/programs/pluto/rcv_whack.c
++++ b/programs/pluto/rcv_whack.c
+@@ -522,13 +522,11 @@ static void whack_process(const struct whack_message *const m, struct show *s)
+ dbg_whack(s, "purgeocsp: stop:");
+ }
+
+-#if defined(LIBCURL) || defined(LIBLDAP)
+ if (m->whack_fetchcrls) {
+ dbg_whack(s, "fetchcrls: start:");
+ whack_fetchcrls(s);
+ dbg_whack(s, "fetchcrls: stop:");
+ }
+-#endif
+
+ if (m->whack_rereadcerts) {
+ dbg_whack(s, "rereadcerts: start:");
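Review bot: The non-libcurl `fetch_curl()` stub in `programs/pluto/fetch.c` reports the attempt only through `ldbg()`, i.e. at debug level, before returning "not compiled with libcurl support". With the fetch code and the `whack_fetchcrls` branch now compiled unconditionally, a `USE=-curl` build accepts CRL fetch requests that can never succeed for HTTP distribution points; whether the operator notices depends on how the caller logs the returned `err_t`, which is outside these hunks. A comment on the stub, e.g. `/* built without libcurl: CRLs are never fetched over HTTP, the caller must report this error */`, would make the consequence for revocation checking explicit.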
diff --git a/net-vpn/libreswan/libreswan-5.1-r1.ebuild b/net-vpn/libreswan/libreswan-5.1-r1.ebuild
new file mode 100644
index 000000000000..1e8b49a3595c
--- /dev/null
+++ b/net-vpn/libreswan/libreswan-5.1-r1.ebuild
@@ -0,0 +1,137 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit systemd flag-o-matic toolchain-funcs tmpfiles
+
+DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
+HOMEPAGE="https://libreswan.org/"
+SRC_URI="https://download.libreswan.org/${P}.tar.gz"
+
+LICENSE="GPL-2 BSD-4 RSA DES"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~x86"
+IUSE="caps curl dnssec +ikev1 ldap networkmanager pam seccomp selinux systemd test"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ dev-libs/gmp:0=
+ dev-libs/libevent:0=
+ dev-libs/nspr
+ >=dev-libs/nss-3.42
+ >=sys-kernel/linux-headers-4.19
+ virtual/libcrypt:=
+ caps? ( sys-libs/libcap-ng )
+ curl? ( net-misc/curl )
+ dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns:= net-dns/dnssec-root )
+ ldap? ( net-nds/openldap:= )
+ pam? ( sys-libs/pam )
+ seccomp? ( sys-libs/libseccomp )
+ selinux? ( sys-libs/libselinux )
+ systemd? ( sys-apps/systemd:0= )
+"
+BDEPEND="
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/xmlto
+ dev-libs/nss
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig
+ test? ( dev-python/setproctitle )
+"
+RDEPEND="${DEPEND}
+ dev-libs/nss[utils(+)]
+ sys-apps/iproute2
+ !net-vpn/strongswan
+ selinux? ( sec-policy/selinux-ipsec )
+"
+DEPEND+=" elibc_musl? ( sys-libs/queue-standalone )"
+
+PATCHES=( "${FILESDIR}/${P}-without-libcurl.patch" )
+
+usetf() {
+ usex "$1" true false
+}
+
+src_prepare() {
+ sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
+ sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
+ default
+}
+
+src_configure() {
+ tc-export AR CC
+
+ use elibc_musl && append-cflags -DGLIBC_KERN_FLIP_HEADERS
+
+ export PREFIX=/usr
+ export DEFAULT_DNSSEC_ROOTKEY_FILE=/etc/dnssec/icannbundle.pem
+ export EXAMPLE_IPSEC_SYSCONFDIR=/usr/share/doc/${PF}
+ export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
+ export INITSYSTEM=$(usex systemd systemd openrc)
+ export INITDDIRS=
+ export INITDDIR_DEFAULT=/etc/init.d
+ export USERCOMPILE=${CFLAGS}
+ export USERLINK=${LDFLAGS}
+ export USE_DNSSEC=$(usetf dnssec)
+ export USE_IKEV1=$(usetf ikev1)
+ export USE_LABELED_IPSEC=$(usetf selinux)
+ export USE_LIBCAP_NG=$(usetf caps)
+ export USE_LIBCURL=$(usetf curl)
+ export USE_LINUX_AUDIT=$(usetf selinux)
+ export USE_LDAP=$(usetf ldap)
+ export USE_NM=$(usetf networkmanager)
+ export USE_SECCOMP=$(usetf seccomp)
+ export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
+ export SD_WATCHDOGSEC=$(usex systemd 200 0)
+ export USE_AUTHPAM=$(usetf pam)
+ export DEBUG_CFLAGS=
+ export OPTIMIZE_CFLAGS=
+ export WERROR_CFLAGS=
+}
+
+src_compile() {
+ emake all
+ emake -C initsystems \
+ INITSYSTEM=systemd \
+ SYSTEMUNITDIR="$(systemd_get_systemunitdir)" \
+ SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" \
+ all
+}
+
+src_test() {
+ : # integration tests only that require set of kvms to be set up
+}
+
+src_install() {
+ default
+ emake -C initsystems \
+ INITSYSTEM=systemd \
+ SYSTEMUNITDIR="$(systemd_get_systemunitdir)" \
+ SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" \
+ DESTDIR="${D}" \
+ install
+
+ echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets
+ fperms 0600 /etc/ipsec.secrets
+
+ keepdir /var/lib/ipsec/nss
+ fperms 0700 /var/lib/ipsec/nss
+
+ dodoc -r docs
+
+ find "${D}" -type d -empty -delete || die
+}
+
+pkg_postinst() {
+ tmpfiles_process libreswan.conf
+
+ local IPSEC_CONFDIR=${ROOT}/var/lib/ipsec/nss
+ if [[ ! -f ${IPSEC_CONFDIR}/cert8.db && ! -f ${IPSEC_CONFDIR}/cert9.db ]] ; then
+ ebegin "Setting up NSS database in ${IPSEC_CONFDIR} with empty password"
+ certutil -N -d "${IPSEC_CONFDIR}" --empty-password
+ eend $?
+ einfo "To set a password: certutil -W -d sql:${IPSEC_CONFDIR}"
+ fi
+}
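Review bot: `pkg_postinst` only looks for an NSS database under `${ROOT}/var/lib/ipsec/nss`, so on a system upgraded from an ebuild that kept it in `/etc/ipsec.d` (as the 3.x ebuilds on this page do) a new, empty, password-less database is created and the existing keys and certificates are left behind without any message. Unless upstream's install or tmpfiles step migrates the old store (not visible here), add a warning before the `certutil -N` call, e.g. `[[ -f ${ROOT}/etc/ipsec.d/cert9.db ]] && ewarn "NSS database found in /etc/ipsec.d; move it to /var/lib/ipsec/nss"`. That also keeps an unused copy of private key material from lingering unnoticed in the old location.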