net-vpn/libreswan: backport XFRM detection patch

Backport upstream patch for XFRM detection that was failing on some kernels due to lack of (optional) XFRM_STAT. Signed-off-by: Hans de Graaff <graaff@gentoo.org> Package-Manager: Portage-2.3.66, Repoman-2.3.11
author: Hans de Graaff <graaff@gentoo.org> 2019-06-10 08:39:06 +0200
committer: Hans de Graaff <graaff@gentoo.org> 2019-06-10 09:26:17 +0200
commit: fd812d0ff2a598722bffe33af224ab8eb3b19e97 (patch)
tree: 54ae886b0fb54ebb0f6f15edd01d638c75912b6c /net-vpn/libreswan
parent: dev-lang/mono: re-apply minimal libgdiplus common, keep old keywrods (diff)
download: gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.tar.gz
gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.tar.bz2
gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.zip
3 files changed, 340 insertions, 0 deletions
diff --git a/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch b/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch
new file mode 100644
index 000000000000..69786bba99f0
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch
@@ -0,0 +1,23 @@
+From 8c3ba6a5f73ae64aa5171252f54c15d65c9930db Mon Sep 17 00:00:00 2001
+From: Tuomo Soini <tis@foobar.fi>
+Date: Fri, 24 May 2019 19:19:12 +0300
+Subject: [PATCH] barf: fix syntax error caused by removing pfkey checks
+
+Fixes problem introduced in beccfe9f7a40816a9ec663e4076ff051bf4c91cb
+---
+ programs/barf/barf.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index fce05994cf..9cb92ffc58 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -170,6 +170,8 @@ if test -r /proc/net/ipsec_tncfg
+ then
+ 	cat /proc/net/ipsec_tncfg
+ fi
++if test -r /proc/net/xfrm_stat
++then
+ _________________________ ip-xfrm-state
+ 	ip xfrm state
+ _________________________ ip-xfrm-policy
diff --git a/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch b/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch
new file mode 100644
index 000000000000..7cda675af776
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch
@@ -0,0 +1,200 @@
+From 716f4b712724c6698469563e531dea3667507ceb Mon Sep 17 00:00:00 2001
+From: Paul Wouters <pwouters@redhat.com>
+Date: Tue, 28 May 2019 00:24:30 -0400
+Subject: [PATCH] programs: Change to use /proc/sys/net/core/xfrm_acq_expires
+ to detect XFRM
+
+Apparently, not all kernels with XFRM support also enable support for
+CONFIG_XFRM_STATISTICS, causing XFRM auto-detection to fail.
+
+This affected openwrt and also some other distribution/custom kernels.
+---
+ programs/_realsetup.bsd/_realsetup.in   | 2 +-
+ programs/_stackmanager/_stackmanager.in | 2 +-
+ programs/barf/barf.in                   | 6 +++---
+ programs/eroute/eroute.c                | 2 +-
+ programs/ipsec/ipsec.in                 | 2 +-
+ programs/look/look.in                   | 2 +-
+ programs/pluto/kernel.c                 | 2 +-
+ programs/setup/setup.in                 | 2 +-
+ programs/spi/spi.c                      | 2 +-
+ programs/spigrp/spigrp.c                | 2 +-
+ programs/tncfg/tncfg.c                  | 2 +-
+ programs/verify/verify.in               | 2 +-
+ 12 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/programs/_realsetup.bsd/_realsetup.in b/programs/_realsetup.bsd/_realsetup.in
+index 91cca98ac8..4a783772f6 100755
+--- a/programs/_realsetup.bsd/_realsetup.in
++++ b/programs/_realsetup.bsd/_realsetup.in
+@@ -28,7 +28,7 @@ plutoctl=/var/run/pluto/pluto.ctl
+ subsyslock=/var/lock/subsys/ipsec
+ lock=/var/run/pluto/ipsec_setup.pid
+ 
+-xfrm_stat=/proc/net/xfrm_stat
++xfrm_stat=/proc/sys/net/core/xfrm_acq_expires
+ 
+ # defaults for "config setup" items
+ IPSECuniqueids=${IPSECuniqueids:-yes}
+diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in
+index 4d41c5ad51..21616a31c9 100644
+--- a/programs/_stackmanager/_stackmanager.in
++++ b/programs/_stackmanager/_stackmanager.in
+@@ -29,7 +29,7 @@ eval $(ASAN_OPTIONS=detect_leaks=0 ipsec addconn  --configsetup | grep -v "#" |
+ test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
+ MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@"
+ 
+-xfrm_stat=/proc/net/xfrm_stat
++xfrm_stat=/proc/sys/net/core/xfrm_acq_expires
+ klipsstack=/proc/net/ipsec/version
+ action="${1}"
+ 
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index 17f830d4a3..15eb252f11 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -174,14 +174,13 @@ _________________________ /proc/net/ipsec_tncfg
+ if test -r /proc/net/ipsec_tncfg
+ then
+     cat /proc/net/ipsec_tncfg
+ fi
+-if test -r /proc/net/xfrm_stat
+-then
++if [ -r /proc/sys/net/core/xfrm_acq_expires ]; then
+ _________________________ ip-xfrm-state
+     ip xfrm state
+ _________________________ ip-xfrm-policy
+     ip xfrm policy
+-_________________________ ip-xfrm-stats
++_________________________ cat-proc-net-xfrm_stat
+     cat /proc/net/xfrm_stat
+ fi
+ _________________________ ip-l2tp-tunnel
+@@ -283,9 +283,8 @@ _________________________ /proc/net/ipsec_version
+ if test -r /proc/net/ipsec_version
+ then
+     cat /proc/net/ipsec_version
+ else
+-    if test -r /proc/net/xfrm_stat
+-    then
++    if [ -r /proc/sys/net/core/xfrm_acq_expires ]; then
+ 	echo "NETKEY (`uname -r`) support detected "
+     else
+ 	echo "no KLIPS or NETKEY support detected"
+diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c
+index c33234c194..6f058d9232 100644
+--- a/programs/eroute/eroute.c
++++ b/programs/eroute/eroute.c
+@@ -495,7 +495,7 @@ int main(int argc, char **argv)
+ 	if (argcount == 1) {
+ 		struct stat sts;
+ 
+-		if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++		if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ 			fprintf(stderr,
+ 				"%s: NETKEY does not support eroute table.\n",
+ 				progname);
+diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
+index 401a596628..06bec21632 100755
+--- a/programs/ipsec/ipsec.in
++++ b/programs/ipsec/ipsec.in
+@@ -61,7 +61,7 @@ fixversion() {
+ 	stack=" (klips)"
+ 	kv="$(awk '{print $NF}' /proc/net/ipsec_version)"
+     else
+-	if [ -f /proc/net/xfrm_stat ]; then
++	if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then
+ 	    stack=" (netkey)"
+ 	    kv="${version}"
+ 	else
+diff --git a/programs/look/look.in b/programs/look/look.in
+index bb55e8eda2..192856c630 100755
+--- a/programs/look/look.in
++++ b/programs/look/look.in
+@@ -72,7 +72,7 @@ if [ -f /proc/net/ipsec_spi ]; then
+ fi
+ 
+ # xfrm
+-if [ -f /proc/net/xfrm_stat ]; then
++if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then
+     echo "XFRM state:"
+     ip xfrm state
+     echo "XFRM policy:"
+diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
+index 39b1e32389..5c71c04af3 100644
+--- a/programs/pluto/kernel.c
++++ b/programs/pluto/kernel.c
+@@ -2666,7 +2666,7 @@ void init_kernel(void)
+ 	switch (kern_interface) {
+ #if defined(NETKEY_SUPPORT)
+ 	case USE_NETKEY:
+-		if (stat("/proc/net/xfrm_stat", &buf) != 0) {
++		if (stat("/proc/sys/net/core/xfrm_acq_expires", &buf) != 0) {
+ 			libreswan_log("No XFRM kernel interface detected");
+ 			exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
+ 		}
+diff --git a/programs/setup/setup.in b/programs/setup/setup.in
+index 8c28b0e157..1933089459 100755
+--- a/programs/setup/setup.in
++++ b/programs/setup/setup.in
+@@ -110,7 +110,7 @@ case "$1" in
+ 
+ 	# If stack is non-modular, we want to force clean too
+ 	[ -f /proc/net/pf_key ] && ipsec eroute --clear
+-	[ -f /proc/net/xfrm_stat ] && ip xfrm state flush && ip xfrm policy flush
++	[ -f /proc/sys/net/core/xfrm_acq_expires ] && ip xfrm state flush && ip xfrm policy flush
+ 
+ 	# Cleaning up backup resolv.conf
+ 	if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
+diff --git a/programs/spi/spi.c b/programs/spi/spi.c
+index c45fe6a517..742898a86f 100644
+--- a/programs/spi/spi.c
++++ b/programs/spi/spi.c
+@@ -1135,7 +1135,7 @@ int main(int argc, char *argv[])
+ 			progname);
+ 	}
+ 
+-	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++	if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ 		fprintf(stderr,
+ 			"%s: XFRM does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
+ 			progname);
+diff --git a/programs/spigrp/spigrp.c b/programs/spigrp/spigrp.c
+index 79d6c50e5e..fe0942325d 100644
+--- a/programs/spigrp/spigrp.c
++++ b/programs/spigrp/spigrp.c
+@@ -151,7 +151,7 @@ int main(int argc, char **argv)
+ 	if (debug)
+ 		fprintf(stdout, "...After check for --label option.\n");
+ 
+-	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++	if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ 		fprintf(stderr,
+ 			"%s: XFRM does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n",
+ 			progname);
+diff --git a/programs/tncfg/tncfg.c b/programs/tncfg/tncfg.c
+index 55de83b1ef..5a9f2e9aee 100644
+--- a/programs/tncfg/tncfg.c
++++ b/programs/tncfg/tncfg.c
+@@ -259,7 +259,7 @@ int main(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++	if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ 		fprintf(stderr,
+ 			"%s: XFRM does not support virtual interfaces.\n",
+ 			progname);
+diff --git a/programs/verify/verify.in b/programs/verify/verify.in
+index 9321631931..81ae1d32fe 100755
+--- a/programs/verify/verify.in
++++ b/programs/verify/verify.in
+@@ -223,7 +223,7 @@ def installstartcheck():
+ 		print_result("FAIL","FAILED")
+ 
+ 	printfun("Checking for IPsec support in kernel")
+-	if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/net/xfrm_stat"):
++	if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/sys/net/core/xfrm_acq_expires"):
+ 		print_result("FAIL","FAILED")
+ 		if "no kernel code presently loaded" in output:
+ 			print("\n The ipsec service should be started before running 'ipsec verify'\n")
diff --git a/net-vpn/libreswan/libreswan-3.28-r1.ebuild b/net-vpn/libreswan/libreswan-3.28-r1.ebuild
new file mode 100644
index 000000000000..ee813e6e8443
--- /dev/null
+++ b/net-vpn/libreswan/libreswan-3.28-r1.ebuild
@@ -0,0 +1,117 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs
+
+SRC_URI="https://download.libreswan.org/${P}.tar.gz"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
+HOMEPAGE="https://libreswan.org/"
+
+LICENSE="GPL-2 BSD-4 RSA DES"
+SLOT="0"
+IUSE="caps curl dnssec ldap pam seccomp selinux systemd test"
+
+DEPEND="
+	dev-libs/gmp:0=
+	dev-libs/libevent:0=
+	dev-libs/nspr
+	>=dev-libs/nss-3.42
+	caps? ( sys-libs/libcap-ng )
+	curl? ( net-misc/curl )
+	dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns )
+	ldap? ( net-nds/openldap )
+	pam? ( sys-libs/pam )
+	seccomp? ( sys-libs/libseccomp )
+	selinux? ( sys-libs/libselinux )
+	systemd? ( sys-apps/systemd:0= )
+"
+BDEPEND="
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/xmlto
+	dev-libs/nss
+	sys-devel/bison
+	sys-devel/flex
+	virtual/pkgconfig
+	test? ( dev-python/setproctitle )
+"
+RDEPEND="${DEPEND}
+	dev-libs/nss[utils(+)]
+	sys-apps/iproute2
+	!net-misc/openswan
+	!net-vpn/strongswan
+	selinux? ( sec-policy/selinux-ipsec )
+"
+
+usetf() {
+	usex "$1" true false
+}
+
+src_prepare() {
+	eapply "${FILESDIR}/${P}-barf-syntax.patch"
+	eapply -l "${FILESDIR}/${P}-xfrm-detection.patch"
+
+	sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
+	sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
+	default
+}
+
+src_configure() {
+	tc-export AR CC
+	export INC_USRLOCAL=/usr
+	export INC_MANDIR=share/man
+	export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
+	export FINALDOCDIR=/usr/share/doc/${PF}/html
+	export INITSYSTEM=openrc
+	export INC_RCDIRS=
+	export INC_RCDEFAULT=/etc/init.d
+	export USERCOMPILE=
+	export USERLINK=
+	export USE_DNSSEC=$(usetf dnssec)
+	export USE_LABELED_IPSEC=$(usetf selinux)
+	export USE_LIBCAP_NG=$(usetf caps)
+	export USE_LIBCURL=$(usetf curl)
+	export USE_LINUX_AUDIT=$(usetf selinux)
+	export USE_LDAP=$(usetf ldap)
+	export USE_SECCOMP=$(usetf seccomp)
+	export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
+	export SD_WATCHDOGSEC=$(usex systemd 200 0)
+	export USE_XAUTHPAM=$(usetf pam)
+	export DEBUG_CFLAGS=
+	export OPTIMIZE_CFLAGS=
+	export WERROR_CFLAGS=
+}
+
+src_compile() {
+	emake all
+	emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" all
+}
+
+src_test() {
+	: # integration tests only that require set of kvms to be set up
+}
+
+src_install() {
+	default
+	emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" DESTDIR="${D}" install
+
+	echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets
+	fperms 0600 /etc/ipsec.secrets
+
+	dodoc -r docs
+
+	find "${D}" -type d -empty -delete || die
+}
+
+pkg_postinst() {
+	local IPSEC_CONFDIR=${ROOT%/}/etc/ipsec.d
+	if [[ ! -f ${IPSEC_CONFDIR}/cert8.db && ! -f ${IPSEC_CONFDIR}/cert9.db ]] ; then
+		ebegin "Setting up NSS database in ${IPSEC_CONFDIR} with empty password"
+		certutil -N -d "${IPSEC_CONFDIR}" --empty-password
+		eend $?
+		einfo "To set a password: certutil -W -d sql:${IPSEC_CONFDIR}"
+	fi
+}
author	Hans de Graaff <graaff@gentoo.org>	2019-06-10 08:39:06 +0200
committer	Hans de Graaff <graaff@gentoo.org>	2019-06-10 09:26:17 +0200
commit	fd812d0ff2a598722bffe33af224ab8eb3b19e97 (patch)
tree	54ae886b0fb54ebb0f6f15edd01d638c75912b6c /net-vpn/libreswan
parent	dev-lang/mono: re-apply minimal libgdiplus common, keep old keywrods (diff)
download	gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.tar.gz gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.tar.bz2 gentoo-fd812d0ff2a598722bffe33af224ab8eb3b19e97.zip