From: nico
Date: Sat, 17 Apr 2010 23:44:49 +0000 (+0000)
Subject: [packages] add strongswan4 (closes: #2538)
X-Git-Url: http://207.154.207.93/?a=commitdiff_plain;h=2b2f59ec379dd8c53850b12e06d0a817f9164b2e;p=packages.git

[packages] add strongswan4 (closes: #2538)

git-svn-id: svn://svn.openwrt.org/openwrt/packages@20965 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
diff --git a/net/strongswan4/Config.in b/net/strongswan4/Config.in
new file mode 100644
index 000000000..f0f7dbf14
--- /dev/null
+++ b/net/strongswan4/Config.in
@@ -0,0 +1,40 @@
+menu "Configuration"
+ depends on PACKAGE_strongswan4
+
+# --enable-cisco-quirks
+config STRONGSWAN4_ENABLE_CISCO_QUIRKS
+ bool
+ prompt "Enable support of Cisco VPN client"
+ default y
+
+# --enable-nat-transport
+config STRONGSWAN4_ENABLE_NAT_TRANSPORT
+ bool
+ prompt "Enable NAT traversal with IPsec transport mode in"
+ default y
+
+# --with-random-device
+config STRONGSWAN4_DEVICE_RANDOM
+ string
+ prompt "Set the device to read real random data from"
+ default "/dev/random"
+
+# --with-urandom-device
+config STRONGSWAN4_DEVICE_URANDOM
+ string
+ prompt "Set the device to read pseudo random data from"
+ default "/dev/urandom"
+
+# --with-routing-table
+config STRONGSWAN4_ROUTING_TABLE
+ string
+ prompt "Set the IPsec routing table ID"
+ default "220"
+
+# --with-routing-table-prio
+config STRONGSWAN4_ROUTING_TABLE_PRIO
+ string
+ prompt "Set the IPsec routing table priority"
+ default "220"
+
+endmenu
diff --git a/net/strongswan4/Makefile b/net/strongswan4/Makefile
new file mode 100644
index 000000000..8cb2d5028
--- /dev/null
+++ b/net/strongswan4/Makefile
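Review bot: The prompt for STRONGSWAN4_ENABLE_NAT_TRANSPORT is cut off mid-sentence (`"Enable NAT traversal with IPsec transport mode in"`), so the menu shows a dangling word; suggest `prompt "Enable NAT traversal with IPsec transport mode"`. The comment above each symbol naming the configure flag it maps to is helpful; the two routing-table entries would benefit from one more word each, since both default to "220" but one is a table id and the other an `ip rule` priority, and a reader could otherwise assume they must match.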
@@ -0,0 +1,395 @@
+#
+# Copyright (C) 2010 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=strongswan
+PKG_VERSION:=4.3.6
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://download.strongswan.org/
+PKG_MD5SUM:=e071f46b6c463ce76900758734e6143e
+
+PKG_BUILD_DEPENDS:= \
+ clearsilver \
+ fcgi \
+
+PKG_FIXUP:=libtool
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+
+define Package/strongswan4/Default
+ SECTION:=net
+ CATEGORY:=Network
+ TITLE:=StrongSwan
+ URL:=http://www.strongswan.org/
+endef
+
+define Package/strongswan4/description/Default
+ StrongSwan is an OpenSource IPsec implementation for the Linux
+ operating system.
+endef
+
+
+define Package/strongswan4
+$(call Package/strongswan4/Default)
+ DEPENDS:= +libpthread +ip \
+ +kmod-ipsec +kmod-ipsec4 \
+ +kmod-ipt-ipsec +iptables-mod-ipsec
+ MENU:=1
+endef
+
+define Package/strongswan4/config
+ source "$(SOURCE)/Config.in"
+endef
+
+define Package/strongswan4/description
+$(call Package/strongswan4/description/Default)
+ .
+ This package contains shared libraries and scripts.
+endef
+
+
+define Package/strongswan4-full
+$(call Package/strongswan4/Default)
+ TITLE+= (full)
+ DEPENDS:= strongswan4 \
+ +strongswan4-app-charon \
+ +strongswan4-app-pluto \
+ +strongswan4-mod-aes \
+ +strongswan4-mod-agent \
+ +strongswan4-mod-attr \
+ +strongswan4-mod-attr-sql \
+ +strongswan4-mod-blowfish \
+ +strongswan4-mod-curl \
+ +strongswan4-mod-des \
+ +strongswan4-mod-dnskey \
+ +strongswan4-mod-eap-md5 \
+ +strongswan4-mod-eap-mschapv2 \
+ +strongswan4-mod-eap-radius \
+ +strongswan4-mod-fips-prf \
+ +strongswan4-mod-gcrypt \
+ +strongswan4-mod-gmp \
+ +strongswan4-mod-hmac \
+ +strongswan4-mod-kernel-klips \
+ +strongswan4-mod-kernel-netlink \
+ +strongswan4-mod-kernel-pfkey \
+ +strongswan4-mod-ldap \
+ +strongswan4-mod-load-tester \
+ +strongswan4-mod-md5 \
+ +strongswan4-mod-medcli \
+ +strongswan4-mod-medsrv \
+ +strongswan4-mod-mysql \
+ +strongswan4-mod-padlock \
+ +strongswan4-mod-pem \
+ +strongswan4-mod-pgp \
+ +strongswan4-mod-pkcs1 \
+ +strongswan4-mod-pubkey \
+ +strongswan4-mod-random \
+ +strongswan4-mod-resolve \
+ +strongswan4-mod-sha1 \
+ +strongswan4-mod-sha2 \
+ +strongswan4-mod-smp \
+ +strongswan4-mod-sql \
+ +strongswan4-mod-sqlite \
+ +strongswan4-mod-stroke \
+ +strongswan4-mod-uci \
+ +strongswan4-mod-updown \
+ +strongswan4-mod-x509 \
+ +strongswan4-mod-xcbc \
+ +strongswan4-utils
+endef
+
+define Package/strongswan4-full/description
+$(call Package/strongswan4/description/Default)
+ .
+ This meta-package contains only dependencies for a complete setup.
+endef
+
+
+define Package/strongswan4-minimal
+$(call Package/strongswan4/Default)
+ TITLE+= (minimal)
+ DEPENDS:= strongswan4 \
+ +strongswan4-app-charon \
+ +strongswan4-mod-aes \
+ +strongswan4-mod-gmp \
+ +strongswan4-mod-hmac \
+ +strongswan4-mod-pubkey \
+ +strongswan4-mod-random \
+ +strongswan4-mod-sha1 \
+ +strongswan4-mod-stroke \
+ +strongswan4-mod-updown \
+ +strongswan4-mod-x509 \
+ +strongswan4-mod-xcbc
+endef
+
+define Package/strongswan4-minimal/description
+$(call Package/strongswan4/description/Default)
+ .
+ This meta-package contains only dependencies for a minimal setup.
+endef
+
+
+define Package/strongswan4-app-charon
+$(call Package/strongswan4/Default)
+ TITLE+= IKEv2 keying daemon
+ DEPENDS:= strongswan4
+endef
+
+define Package/strongswan4-app-charon/description
+$(call Package/strongswan4/description/Default)
+ .
+ This package contains charon, an IKEv2 keying daemon.
+endef
+
+
+define Package/strongswan4-app-pluto
+$(call Package/strongswan4/Default)
+ TITLE+= IKEv1 keying daemon
+ DEPENDS:= strongswan4
+endef
+
+define Package/strongswan4-app-pluto/description
+$(call Package/strongswan4/description/Default)
+ .
+ This package contains pluto, an IKEv1 keying daemon.
+endef
+
+
+define Package/strongswan4-utils
+$(call Package/strongswan4/Default)
+ TITLE+= utilities
+ DEPENDS:= strongswan4
+endef
+
+define Package/strongswan4-utils/description
+$(call Package/strongswan4/description/Default)
+ .
+ This package contains the openac, pki & scepclient utilities.
+endef
+
+
+# 1. Name
+# 2. Title
+# 3. Depends
+define BuildPlugin
+ define Package/strongswan4-mod-$(1)
+ $$(call Package/strongswan4/Default)
+ TITLE:= StronSwan $(2) plugin
+ DEPENDS:= strongswan4 $(3)
+ endef
+
+ define Package/strongswan4-mod-$(1)/install
+ $(INSTALL_DIR) $$(1)/usr/lib/ipsec/plugins
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-$(1).so \
+ $$(1)/usr/lib/ipsec/plugins/ ;
+ $(call Plugin/$(1)/install,$$(1))
+ endef
+
+ $$(eval $$(call BuildPackage,strongswan4-mod-$(1)))
+endef
+
+
+# 1. Name
+define ConfigurePlugin
+$(if $(CONFIG_PACKAGE_strongswan4-mod-$(1)),--enable-$(1),--disable-$(1))
+endef
+
+
+CONFIGURE_ARGS+= \
+ $(if $(CONFIG_STRONGSWAN4_ENABLE_CISCO_QUIRKS),--enable-cisco-quirks,--disable-cisco-quirks) \
+ $(if $(CONFIG_STRONGSWAN4_ENABLE_NAT_TRANSPORT),--enable-nat-transport,--disable-nat-transport) \
+ --disable-scripts \
+ --disable-static \
+ $(if $(CONFIG_PACKAGE_strongswan4-utils),--enable-tools,--disable-tools) \
+ --with-random-device="$(call qstrip,$(CONFIG_STRONGSWAN4_DEVICE_RANDOM))" \
+ --with-urandom-device="$(call qstrip,$(CONFIG_STRONGSWAN4_DEVICE_RANDOM))" \
+ --with-routing-table="$(call qstrip,$(CONFIG_STRONGSWAN4_ROUTING_TABLE))" \
+ --with-routing-table-prio="$(call qstrip,$(CONFIG_STRONGSWAN4_ROUTING_TABLE_PRIO))" \
+ $(call ConfigurePlugin,aes) \
+ $(call ConfigurePlugin,agent) \
+ $(call ConfigurePlugin,attr) \
+ $(call ConfigurePlugin,attr-sql) \
+ $(call ConfigurePlugin,blowfish) \
+ $(call ConfigurePlugin,curl) \
+ $(call ConfigurePlugin,des) \
+ $(call ConfigurePlugin,dnskey) \
+ $(call ConfigurePlugin,eap-md5) \
+ $(call ConfigurePlugin,eap-mschapv2) \
+ $(call ConfigurePlugin,eap-radius) \
+ $(call ConfigurePlugin,fips-prf) \
+ $(call ConfigurePlugin,gcrypt) \
+ $(call ConfigurePlugin,gmp) \
+ $(call ConfigurePlugin,hmac) \
+ $(call ConfigurePlugin,kernel-klips) \
+ $(call ConfigurePlugin,kernel-netlink) \
+ $(call ConfigurePlugin,kernel-pfkey) \
+ $(call ConfigurePlugin,ldap) \
+ $(call ConfigurePlugin,load-tester) \
+ $(call ConfigurePlugin,md5) \
+ $(call ConfigurePlugin,medcli) \
+ $(call ConfigurePlugin,medsrv) \
+ $(call ConfigurePlugin,mysql) \
+ $(call ConfigurePlugin,padlock) \
+ $(call ConfigurePlugin,pem) \
+ $(call ConfigurePlugin,pgp) \
+ $(call ConfigurePlugin,pkcs1) \
+ $(call ConfigurePlugin,pubkey) \
+ $(call ConfigurePlugin,random) \
+ $(call ConfigurePlugin,resolve) \
+ $(call ConfigurePlugin,sha1) \
+ $(call ConfigurePlugin,sha2) \
+ $(call ConfigurePlugin,smp) \
+ $(call ConfigurePlugin,sql) \
+ $(call ConfigurePlugin,sqlite) \
+ $(call ConfigurePlugin,stroke) \
+ $(call ConfigurePlugin,uci) \
+ $(call ConfigurePlugin,updown) \
+ $(call ConfigurePlugin,x509) \
+ $(call ConfigurePlugin,xcbc) \
+ #$(call ConfigurePlugin,openssl,OpenSSL,openssl,,+libopenssl))
+
+EXTRA_CPPFLAGS+= -I$(STAGING_DIR)/usr/include/ClearSilver
+
+EXTRA_LDFLAGS+= -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
+
+
+define Package/strongswan4/conffiles
+/etc/ipsec.conf
+/etc/ipsec.secrets
+/etc/strongswan.conf
+endef
+
+define Package/strongswan4/install
+ $(INSTALL_DIR) $(1)/etc
+ $(CP) -R $(PKG_INSTALL_DIR)/etc/ipsec.d $(1)/etc/
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libstrongswan.so.* $(1)/usr/lib/
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/lib/ipsec
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/_copyright \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/starter \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/whack \
+ $(1)/usr/lib/ipsec/
+ $(INSTALL_CONF) \
+ ./files/ipsec.conf \
+ ./files/ipsec.secrets \
+ ./files/strongswan.conf \
+ $(1)/etc/
+endef
+
+
+define Package/strongswan4-full/install
+ true
+endef
+
+
+define Package/strongswan4-minimal/install
+ true
+endef
+
+
+define Package/strongswan4-app-charon/install
+ $(INSTALL_DIR) $(1)/usr/lib/ipsec
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/charon \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/stroke \
+ $(1)/usr/lib/ipsec/
+endef
+
+
+define Package/strongswan4-app-pluto/install
+ $(INSTALL_DIR) $(1)/usr/lib/ipsec
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/pluto \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/_pluto_adns \
+ $(1)/usr/lib/ipsec/
+endef
+
+
+define Package/strongswan4-utils/install
+ $(INSTALL_DIR) $(1)/usr/lib/ipsec
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/openac \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/pki \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/scepclient \
+ $(1)/usr/lib/ipsec/
+endef
+
+
+define Plugin/attr-sql/install
+ $(INSTALL_DIR) $(1)/usr/lib/ipsec
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/pool \
+ $(1)/usr/lib/ipsec/
+endef
+
+define Plugin/updown/install
+ $(INSTALL_DIR) $(1)/usr/lib/ipsec
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/_updown \
+ $(PKG_INSTALL_DIR)/usr/lib/ipsec/_updown_espmark \
+ $(1)/usr/lib/ipsec/
+endef
+
+
+$(eval $(call BuildPackage,strongswan4))
+$(eval $(call BuildPackage,strongswan4-full))
+$(eval $(call BuildPackage,strongswan4-minimal))
+$(eval $(call BuildPackage,strongswan4-app-charon))
+$(eval $(call BuildPackage,strongswan4-app-pluto))
+$(eval $(call BuildPackage,strongswan4-utils))
+
+$(eval $(call BuildPlugin,aes,AES crypto,))
+$(eval $(call BuildPlugin,agent,SSH agent signing,))
+$(eval $(call BuildPlugin,attr,File-based config attr,))
+$(eval $(call BuildPlugin,attr-sql,SQL-based config attrib,+strongswan4-mod-sql))
+$(eval $(call BuildPlugin,blowfish,Blowfish crypto,))
+$(eval $(call BuildPlugin,curl,cURL,+libcurl))
+$(eval $(call BuildPlugin,des,DES crypto,))
+$(eval $(call BuildPlugin,dnskey,DNS RR key decoding,))
+$(eval $(call BuildPlugin,eap-md5,MD5 EAP (CHAP) auth,))
+$(eval $(call BuildPlugin,eap-mschapv2,MS-CHAPv2 EAP auth,))
+$(eval $(call BuildPlugin,eap-radius,RADIUS proxy auth,))
+$(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,))
+$(eval $(call BuildPlugin,gcrypt,libgcrypt,+libgcrypt))
+$(eval $(call BuildPlugin,gmp,libgmp,+libgmp))
+$(eval $(call BuildPlugin,hmac,HMAC crypto,))
+$(eval $(call BuildPlugin,kernel-klips,KLIPS kernel interface,))
+$(eval $(call BuildPlugin,kernel-netlink,netlink kernel interface,))
+$(eval $(call BuildPlugin,kernel-pfkey,PK_KEY kernel interface,))
+$(eval $(call BuildPlugin,ldap,LDAP,+libopenldap))
+$(eval $(call BuildPlugin,load-tester,load testing,))
+$(eval $(call BuildPlugin,md5,MD5 crypto,))
+$(eval $(call BuildPlugin,medcli,mediation client configuration database,))
+$(eval $(call BuildPlugin,medsrv,mediation server configuration database,))
+$(eval $(call BuildPlugin,mysql,MySQL database interface,+strongswan4-mod-sql +libmysqlclient))
+$(eval $(call BuildPlugin,padlock,VIA PadLock crypto,))
+$(eval $(call BuildPlugin,pem,PEM decoding,))
+$(eval $(call BuildPlugin,pgp,PGP key decoding,))
+$(eval $(call BuildPlugin,pkcs1,PKCS1 key decoding,))
+$(eval $(call BuildPlugin,pubkey,raw public key,))
+$(eval $(call BuildPlugin,random,RNG,))
+$(eval $(call BuildPlugin,resolve,DNS resolver,))
+$(eval $(call BuildPlugin,sha1,SHA1 crypto,))
+$(eval $(call BuildPlugin,sha2,SHA2 crypto,))
+$(eval $(call BuildPlugin,smp,SMP configuration and control interface,+libxml2))
+$(eval $(call BuildPlugin,sql,SQL database interface,))
+$(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan4-mod-sql +libsqlite3))
+$(eval $(call BuildPlugin,stroke,Stroke,))
+$(eval $(call BuildPlugin,uci,UCI config interface,+libuci))
+$(eval $(call BuildPlugin,updown,updown firewall,))
+$(eval $(call BuildPlugin,x509,x509 certificate,))
+$(eval $(call BuildPlugin,xcbc,xcbc crypto,))
+#$(eval $(call BuildPlugin,openssl,OpenSSL,+libopenssl))
diff --git a/net/strongswan4/files/ipsec.conf b/net/strongswan4/files/ipsec.conf
new file mode 100644
index 000000000..8c16d9dfd
--- /dev/null
+++ b/net/strongswan4/files/ipsec.conf
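Review bot: `--with-urandom-device` is fed `CONFIG_STRONGSWAN4_DEVICE_RANDOM` instead of `CONFIG_STRONGSWAN4_DEVICE_URANDOM`, so the `STRONGSWAN4_DEVICE_URANDOM` symbol added in Config.in is never used and both devices resolve to the random-device setting — by default `/dev/random`, which can block a keying daemon on an entropy-starved router. The fix is one line: `--with-urandom-device="$(call qstrip,$(CONFIG_STRONGSWAN4_DEVICE_URANDOM))" \`. Two cosmetic slips in the same file: `TITLE:= StronSwan $(2) plugin` in BuildPlugin should read `StrongSwan`, and the kernel-pfkey title says `PK_KEY` where the interface is `PF_KEY`. `PKG_MD5SUM` pins the source tarball with MD5 alone, which was the feed's convention at the time but is not collision resistant; a stronger digest is worth adding once the build system's package infrastructure supports one.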
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn example
+ left=%defaultroute
+ leftsubnet=192.168.1.0/24
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/net/strongswan4/files/ipsec.secrets b/net/strongswan4/files/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/net/strongswan4/files/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/net/strongswan4/files/strongswan.conf b/net/strongswan4/files/strongswan.conf
new file mode 100644
index 000000000..c9493ffd4
--- /dev/null
+++ b/net/strongswan4/files/strongswan.conf
@@ -0,0 +1,18 @@
+# strongswan.conf - strongSwan configuration file
+
+charon {
+
+ # number of worker threads in charon
+ threads = 4
+
+ # plugins to load in charon
+ load = aes gmp hmac pubkey random sha1 x509 xcbc stroke
+
+}
+
+libstrongswan {
+
+ # set to no, the DH exponent size is optimized
+ # dh_exponent_ansi_x9_42 = no
+
+}
diff --git a/net/strongswan4/patches/201-no-modprobe.patch b/net/strongswan4/patches/201-no-modprobe.patch
new file mode 100644
index 000000000..bba3bb6ca
--- /dev/null
+++ b/net/strongswan4/patches/201-no-modprobe.patch
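Review bot: `conn example` ships with `auto=add`, `right=%any` and the inherited `authby=secret`, while the `ipsec.secrets` added in the same commit holds only a comment line, so a freshly installed device loads a connection whose only credential source is an empty file and which can never authenticate anyone. Shipping the sample with `auto=ignore`, plus a comment such as `# add a PSK line for this conn to /etc/ipsec.secrets before setting auto=add`, keeps it as documentation without the starter loading an unconfigured connection. `leftfirewall=yes` also relies on the updown plugin being installed; the -minimal and -full meta-packages in this commit pull it in, but a one-line comment saying so would help anyone installing strongswan4-app-charon on its own.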
@@ -0,0 +1,28 @@
+--- a/src/starter/netkey.c
++++ b/src/starter/netkey.c
+@@ -34,7 +34,7 @@ starter_netkey_init(void)
+ /* af_key module makes the netkey proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- ignore_result(system("modprobe -qv af_key"));
++ ignore_result(system("insmod -qv af_key"));
+ }
+
+ /* now test again */
+@@ -50,11 +50,11 @@ starter_netkey_init(void)
+ /* make sure that all required IPsec modules are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- ignore_result(system("modprobe -qv ah4"));
+- ignore_result(system("modprobe -qv esp4"));
+- ignore_result(system("modprobe -qv ipcomp"));
+- ignore_result(system("modprobe -qv xfrm4_tunnel"));
+- ignore_result(system("modprobe -qv xfrm_user"));
++ ignore_result(system("insmod -qv ah4"));
++ ignore_result(system("insmod -qv esp4"));
++ ignore_result(system("insmod -qv ipcomp"));
++ ignore_result(system("insmod -qv xfrm4_tunnel"));
++ ignore_result(system("insmod -qv xfrm_user"));
+ }
+
+ DBG(DBG_CONTROL,
diff --git a/net/strongswan4/patches/202-clone.patch b/net/strongswan4/patches/202-clone.patch
new file mode 100644
index 000000000..fdcd0e483
--- /dev/null
+++ b/net/strongswan4/patches/202-clone.patch
@@ -0,0 +1,20 @@
+--- a/src/libstrongswan/utils/identification.c
++++ b/src/libstrongswan/utils/identification.c
+@@ -798,7 +798,7 @@ int identification_printf_hook(char *dst
+ return print_in_hook(dst, len, "%*s", spec->width, buf);
+ }
+
+-METHOD(identification_t, clone, identification_t*,
++METHOD(identification_t, clone_, identification_t*,
+ private_identification_t *this)
+ {
+ private_identification_t *clone = malloc_thing(private_identification_t);
+@@ -830,7 +830,7 @@ static private_identification_t *identif
+ .get_encoding = _get_encoding,
+ .get_type = _get_type,
+ .create_part_enumerator = _create_part_enumerator,
+- .clone = _clone,
++ .clone = _clone_,
+ .destroy = _destroy,
+ },
+ .type = type,
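Review bot: The swapped-in `insmod -qv <module>` keeps the `system()` call with a bare module name, and whether the busybox `insmod` on the target accepts `-q`/`-v` and resolves a name given without a path cannot be confirmed from the hunk — if it does not, each of the six calls prints an error every time the starter runs. Since the Makefile in this commit already depends on kmod-ipsec and kmod-ipsec4, which OpenWrt autoloads at boot, the simpler patch is to drop the `system()` calls in both hunks altogether (a root daemon spawning a shell through `$PATH` for no effect) rather than keep them with a different tool. starter_netkey_init starts and ends outside the hunk.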
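Review bot: The patch renames the `clone` method to `clone_` without saying why; the patch file has no header text and the commit message only says the package is added. Presumably the symbol `METHOD()` generates for `clone` collides with the C library's `clone()` on this toolchain — that should be confirmed and recorded in a line above the `---` header, e.g. `rename the identification_t clone method: the generated symbol clashes with libc's clone()`, so the patch can be dropped once upstream changes the name. Both identification_printf_hook and the constructor in the second hunk continue outside the hunk.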
diff --git a/net/strongswan4/patches/203-uci.patch b/net/strongswan4/patches/203-uci.patch
new file mode 100644
index 000000000..353d90f1b
--- /dev/null
+++ b/net/strongswan4/patches/203-uci.patch
@@ -0,0 +1,20 @@
+--- a/src/charon/plugins/uci/uci_parser.c
++++ b/src/charon/plugins/uci/uci_parser.c
+@@ -80,7 +80,7 @@ static bool section_enumerator_enumerate
+ if (uci_lookup(this->ctx, &element, this->package,
+ this->current->name, "name") == UCI_OK)
+ { /* use "name" attribute as config name if available ... */
+- *value = uci_to_option(element)->value;
++ *value = uci_to_option(element)->v.string;
+ }
+ else
+ { /* ... or the section name becomes config name */
+@@ -95,7 +95,7 @@ static bool section_enumerator_enumerate
+ if (value && uci_lookup(this->ctx, &element, this->package,
+ this->current->name, this->keywords[i]) == UCI_OK)
+ {
+- *value = uci_to_option(element)->value;
++ *value = uci_to_option(element)->v.string;
+ }
+ }
+ va_end(args);
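Review bot: Both replacements read `uci_to_option(element)->v.string` without checking that the option is a string option; `v` is a union in libuci, and for a list option (`UCI_TYPE_LIST`) the same bytes hold the list head, so `*value` would become a pointer into a `struct uci_list` rather than a C string, and the config parser would then read it as one. Each lookup should only take the value when the type matches, e.g. `if (uci_lookup(...) == UCI_OK && uci_to_option(element)->type == UCI_TYPE_STRING)`, at both sites in this hunk; the older `->value` API this patch replaces presumably had no list case, which would explain why the original code does not check. section_enumerator_enumerate starts and ends outside the hunk.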