Bug 177651 - New port: security/openiked OpenBSD's IKEv2 daemon
Summary: New port: security/openiked OpenBSD's IKEv2 daemon
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2013-04-05 11:20 UTC by Michael Cardell Widerkrantz
Modified: 2014-08-24 18:21 UTC
Description Michael Cardell Widerkrantz 2013-04-05 11:20:00 UTC
A port of OpenBSD's IKEv2 daemon iked to FreeBSD. The shar archive is included
as the Fix. iked needs a separate user and group, so please apply the following
patch to /usr/ports/UIDs and GIDs as well:

--- UIDs~       2013-04-04 13:35:18.000000000 +0200
+++ UIDs        2013-04-04 13:35:18.000000000 +0200
@@ -258,4 +258,5 @@
 ossecm:*:967:966::0:0:OSSEC mail
 user:/usr/local/ossec-hids:/usr/sbin/nologin
 ossecr:*:968:966::0:0:OSSEC rem
 user:/usr/local/ossec-hids:/usr/sbin/nologin
 kippo:*:969:969::0:0:kippo user:/nonexistent:/usr/sbin/nologin
+_iked:*:970:970::0:0:iked privsep user:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged
 user:/nonexistent:/usr/sbin/nologin
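Review bot: the context lines for ossecm, ossecr and nobody are shown wrapped across two lines here ("OSSEC mail" / "user:/usr/local/ossec-hids:/usr/sbin/nologin"), so the hunk as displayed will not apply with patch(1) to a UIDs file whose entries are single lines; the header's `-258,4 +258,5` counts four context entries, so the wrapping is a display artefact rather than part of the submitted patch, but anyone copying the hunk from this page needs to rejoin those lines first. The added `_iked` entry itself is consistent: UID 970 follows kippo's 969, the primary GID is 970, and the home directory and shell are /nonexistent and /usr/sbin/nologin, as expected for a privilege-separation account.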

--- GIDs~       2013-04-04 13:35:31.000000000 +0200
+++ GIDs        2013-04-04 13:35:31.000000000 +0200
@@ -250,5 +250,6 @@
 elasticsearch:*:965:
 ossec:*:966:
 kippo:*:969:
+_iked:*:970:
 nogroup:*:65533:
 nobody:*:65534:
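Review bot: `_iked:*:970:` matches the primary GID 970 in the UIDs hunk and the `USERS=_iked` / `GROUPS=_iked` lines in the Makefile, which is what the ports framework needs to create the account at install time. The one thing to confirm before commit is that 970 is still unused in both files when this lands, since the surrounding entries show ids being handed out sequentially and another port may claim it in the meantime.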

Fix: See attachment.

Attachment: openiked-20130404.shar
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	openiked
#	openiked/files
#	openiked/files/iked.in
#	openiked/pkg-message
#	openiked/pkg-descr
#	openiked/distinfo
#	openiked/Makefile
#
echo c - openiked
mkdir -p openiked > /dev/null 2>&1
echo c - openiked/files
mkdir -p openiked/files > /dev/null 2>&1
echo x - openiked/files/iked.in
sed 's/^X//' >openiked/files/iked.in << '9cbff9a61a068575bee3d679960bba57'
X#!/bin/sh
X
X# $FreeBSD$
X#
X# PROVIDE: iked
X# REQUIRE: LOGIN cleanvar
X# KEYWORD: shutdown
X
X. /etc/rc.subr
X
Xname="iked"
Xkeygen_cmd="iked_keygen"
Xpexp="iked:.*parent.*"
Xrcvar=iked_enable
Xextra_commands="keygen reload"
X
Xiked_enable=${iked_enable:-"NO"}		# Disable by default
Xiked_create_dirs=${iked_create_dirs:-"NO"}	# Create $required_dirs
X#iked_flags=""				# Flags to iked program
X
Xcommand="%%PREFIX%%/sbin/${name}"
Xpidfile="/var/run/${name}.pid"
X
Xstart_precmd="${name}_prestart"
Xstop_postcmd="${name}_cleanup"
X
Xsocketfile="/var/run/${name}.sock"
Xrequired_files="%%PREFIX%%/etc/${name}.conf"
Xrequired_dirs="/var/run"
X
Xuser_reseed()
X{
X	(
X	timeout=300	# Seconds to wait for the user to type entropy
X	seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
X	if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then
X		warn "Setting entropy source to blocking mode."
X		echo "===================================================="
X		echo "Type a full screenful of random junk to unblock"
X		echo "it and remember to finish with <enter>. This will"
X		echo "timeout in ${timeout} seconds, but waiting for"
X		echo "the timeout without typing junk may make the"
X		echo "entropy source deliver predictable output."
X		echo ""
X		echo "Just hit <enter> for fast+insecure startup."
X		echo "===================================================="
X		sysctl kern.random.sys.seeded=0 2>/dev/null
X		read -t ${timeout} junk
X		echo "${junk}" `sysctl -a` `date` > /dev/random
X	fi
X	)
X}
X
Xiked_keygen()
X{
X	umask 022
X
X	# Can't do anything if openssl is not installed
X	[ -x /usr/bin/openssl ] || {
X		warn "/usr/bin/openssl does not exist."
X		return 1
X	}
X
X	if [ ! -f ${privkey} ]
X	then
X		echo "Generating private key"
X		openssl genrsa -out ${privkey} 2048
X		# "[ $? ]" tests a non-empty string and is always true; test the status.
X		if [ $? -eq 0 ]
X		then
X			chmod 600 ${privkey}
X			echo "Copying public key from private key."
X			openssl rsa -out ${pubkey} -in ${privkey} -pubout
X		else
X			echo "Generation of private key failed!"
X			return 1
X		fi
X	else
X		echo "Private key ${privkey} exists."
X	fi
X
X	if [ ! -f ${pubkey} ]
X	then
X		echo "Copying public key from private key."
X		openssl rsa -out ${pubkey} -in ${privkey} -pubout
X	else
X		echo "Public key ${pubkey} exists."
X	fi
X}
X
Xiked_cleanup()
X{
X	/bin/rm -f ${pidfile}
X	/bin/rm -f ${socketfile}
X}
X
Xiked_prestart()
X{
X	iked_cleanup
X
X	if checkyesno "${name}_create_dirs"; then
X		/bin/mkdir -p $required_dirs
X	fi
X
X	if [ ! -f ${privkey} -o ! -f ${pubkey} ]
X	then
X		user_reseed
X		run_rc_command keygen
X	fi
X}
X
Xload_rc_config $name
Xprivkey=%%PREFIX%%/etc/iked/private/local.key
Xpubkey=%%PREFIX%%/etc/iked/local.pub
X
X# iked's privsep parent does not write a pidfile, so locate it by process
X# title (${pexp}) after a successful start only; doing this after every
X# command would leave an empty pidfile behind after stop or status.
Xiked_poststart()
X{
X	pgrep -f "${pexp}" > ${pidfile}
X}
Xstart_postcmd="${name}_poststart"
X
Xrun_rc_command "$1"
9cbff9a61a068575bee3d679960bba57
echo x - openiked/pkg-message
sed 's/^X//' >openiked/pkg-message << '6aa22e636d263d972d47611b9a9d7773'
XPlease note: Openiked is experimental. Don't trust it for production
Xnetworks.
6aa22e636d263d972d47611b9a9d7773
echo x - openiked/pkg-descr
sed 's/^X//' >openiked/pkg-descr << 'bf719d1d40bccd4f602fd5c06fe3c8fe'
XOpeniked is the portable version of OpenBSD's iked.
X
XOpeniked speaks the IKEv2 protocol, which is used to establish security
Xassociations with other hosts.
X
XPlease observe: The Openiked project has not made any official
Xreleases yet. This is an experimental port.
X
XKnown issues:
X- Does not support NAT-traversal.
X
XWWW: http://openiked.org/
bf719d1d40bccd4f602fd5c06fe3c8fe
echo x - openiked/distinfo
sed 's/^X//' >openiked/distinfo << 'a57e20e772c96a7980ad44aea16f4b51'
XSHA256 (openiked-20130312.tar.bz2) = 57fbcb7448a995c219fa4843c55e63aec3e7db20d298235c79bf348c7d7e377a
XSIZE (openiked-20130312.tar.bz2) = 153074
a57e20e772c96a7980ad44aea16f4b51
echo x - openiked/Makefile
sed 's/^X//' >openiked/Makefile << '7c64873fed3cf374baaaab9813cbb043'
X# Created by: Michael Cardell Widerkrantz <mc@hack.org>
X# $FreeBSD$
X
XPORTNAME=	openiked
XPORTVERSION=	20130312
XCATEGORIES=	security
XMASTER_SITES=	http://hack.org/mc/projects/openiked/
X
XMAINTAINER=	mc@hack.org
XCOMMENT=	Openiked IKEv2 daemon
X
XLICENSE=	ISCL
X
XLIB_DEPENDS=	ssl.8:${PORTSDIR}/security/openssl \
X		event:${PORTSDIR}/devel/libevent
X
XIS_INTERACTIVE=	yes
XUSERS=		_iked
XGROUPS=		_iked
X
XCONFLICTS=	racoon2-[0-9]* strongswan-[0-9]*
X
XUSE_RC_SUBR=	iked
XUSE_OPENSSL=	yes
XUSE_BZIP2=	yes
XUSE_AUTOTOOLS=	autoconf automake libtool
XAUTOMAKE_ARGS=	--foreign --add-missing --copy
XGNU_CONFIGURE=	yes
XUSE_LDCONFIG=	yes
X
XCONFIGURE_ARGS=	--with-libevent-dir=${PREFIX} --with-ssl-dir=${PREFIX}
X
XOPTIONS_DEFINE=	DEBUG PAM BSD
XOPTIONS_DEFAULT=
XDEBUG_DESC=	Build main code with debugging symbols and disable privsep
XPAM_DESC=	Enable PAM auth support
XBSD_DESC=	Enable BSD auth support
X
XMAN5=		iked.conf.5
XMAN8=		iked.8 ikectl.8
XPLIST_FILES=	sbin/iked sbin/ikectl
X
X.include <bsd.port.pre.mk>
X
Xpre-configure:
X	cd ${WRKSRC} && ./bootstrap
X
X.if ${PORT_OPTIONS:MDEBUG}
XCONFIGURE_ARGS+=	--with-debug
X.endif
X
X.if ${PORT_OPTIONS:MPAM}
XCONFIGURE_ARGS+=	--with-pam
X.endif
X
X.if ${PORT_OPTIONS:MBSD}
XCONFIGURE_ARGS+=	--with-bsd-auth
X.endif
X
Xpost-install:
X	@if ! ${SYSCTL} -a | ${GREP} -q ipsec; then \
X		${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \
X		${ECHO_MSG} "         You must rebuild the kernel with IPsec support if you want to run openiked on this host"; \
X	fi
X
X.include <bsd.port.post.mk>
7c64873fed3cf374baaaab9813cbb043
exit
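The UIDs/GIDs patch at the top of the description has to agree with the `USERS=` and `GROUPS=` lines in the port's Makefile: the ports framework looks the names up in /usr/ports/UIDs and /usr/ports/GIDs, the account's primary GID must be the group's GID, and neither id may already be taken. The following POSIX shell script is an added example, not part of the submission, that performs that consistency check over constructed copies of the two files (the `_iked` entry from the patch plus two deliberately broken accounts); the function name `check_port_user` and the sample entries are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the openiked PR: check that a ports USERS/GROUPS
# account has consistent entries in the UIDs and GIDs files.  The sample files
# at the bottom are constructed for this demonstration.

# check_port_user NAME UIDS_FILE GIDS_FILE
# Prints one line per problem and returns 0 only when every check passes.
check_port_user() {
	name=$1 uids=$2 gids=$3 rc=0

	# UIDs format: name:*:uid:gid:class:change:expire:gecos:home:shell (10 fields)
	count=$(grep -c "^${name}:" "$uids" || true)
	if [ "$count" -eq 0 ]; then
		echo "ERROR: ${name} missing from UIDs"
		return 1
	fi
	[ "$count" -eq 1 ] || { echo "ERROR: ${name} listed ${count} times in UIDs"; rc=1; }

	# Pull field count, uid, primary gid and shell from the first matching line.
	set -- $(awk -F: -v n="$name" '$1 == n { print NF, $3, $4, $10; exit }' "$uids")
	nf=$1 uid=$2 ugid=$3 shell=$4
	[ "$nf" -eq 10 ] || { echo "ERROR: UIDs line for ${name} has ${nf} fields, expected 10"; rc=1; }

	# The numeric UID must not be shared with another account.
	dup=$(awk -F: -v n="$name" -v u="$uid" '$3 == u && $1 != n { print $1 }' "$uids")
	[ -z "$dup" ] || { echo "ERROR: UID ${uid} already used by ${dup}"; rc=1; }

	# GIDs format: name:*:gid:  The group must exist and match the primary GID.
	gid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$gids")
	if [ -z "$gid" ]; then
		echo "ERROR: ${name} missing from GIDs"; rc=1
	elif [ "$gid" != "$ugid" ]; then
		echo "ERROR: ${name} has primary GID ${ugid} in UIDs but group ${name} is ${gid} in GIDs"; rc=1
	fi
	gdup=$(awk -F: -v n="$name" -v g="$ugid" '$3 == g && $1 != n { print $1 }' "$gids")
	[ -z "$gdup" ] || { echo "ERROR: GID ${ugid} already used by group ${gdup}"; rc=1; }

	# A privsep daemon account must not have a login shell.
	[ "$shell" = "/usr/sbin/nologin" ] || { echo "ERROR: ${name} has login shell '${shell}'"; rc=1; }

	[ "$rc" -eq 0 ] && echo "OK: ${name} uid=${uid} gid=${gid}"
	return "$rc"
}

# Constructed sample files: the _iked entry from the patch, its kippo
# neighbour, and two deliberately broken accounts to exercise the checks.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/UIDs" <<'EOF'
# name:*:uid:gid::0:0:gecos:home:shell
kippo:*:969:969::0:0:kippo user:/nonexistent:/usr/sbin/nologin
_iked:*:970:970::0:0:iked privsep user:/nonexistent:/usr/sbin/nologin
_bad:*:971:971::0:0:no group and a login shell:/nonexistent:/bin/sh
_wrapped:*:972:972::0:0:line cut short
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
EOF
cat > "$tmp/GIDs" <<'EOF'
kippo:*:969:
_iked:*:970:
_wrapped:*:972:
nogroup:*:65533:
nobody:*:65534:
EOF

for u in _iked _bad _wrapped; do
	check_port_user "$u" "$tmp/UIDs" "$tmp/GIDs" || echo "  -> ${u} rejected"
done
```

The `_wrapped` case is the shape a UIDs line takes when a hunk is pasted from a page that has broken its long lines, as the context lines in the patch above are rendered here; the field-count check catches it before the ports framework tries to create an account from it.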
Comment 1 Emanuel Haupt freebsd_committer freebsd_triage 2013-05-18 19:57:35 UTC
Responsible Changed
From-To: freebsd-ports-bugs->ehaupt

I will take care of it.
Comment 2 Emanuel Haupt freebsd_committer freebsd_triage 2013-05-27 13:26:05 UTC
Responsible Changed
From-To: ehaupt->freebsd-ports-bugs

Back to the pool.
Comment 3 John Marino freebsd_committer freebsd_triage 2014-08-07 13:54:57 UTC
Hi, if you are still interested in having this port in FreeBSD, it needs to be reworked to support stage.  
See http://lists.freebsd.org/pipermail/freebsd-ports-announce/2014-May/000080.html


Additionally, you need to provide some sort of quality assurance.    
In order of preference, we are looking for:

1) "poudriere testport" or "poudriere bulk -t" logs
2) Redports or tinderbox logs

Please provide an updated shar file and attach a test log.  Alternatively, please indicate if you are no longer interested in having this software in the Ports Collection and that we can close the PR.

Thanks!
Comment 4 John Marino freebsd_committer freebsd_triage 2014-08-24 18:21:33 UTC
I apologize, but I'm going to close all "new port" PRs older than 1 July 2013 that have had no activity, even if it is through no fault of the submitter.  If you are still interested in getting the port into the tree, please provide an updated shar and some build verification (poudriere logs, redports logs, or Porter's Handbook[1]).  If you do that, we'll fast-track the port into the tree.  I'm sorry about this.

[1] "make check-plist" followed by "make stage-qa" output (https://www.freebsd.org/doc/en/books/porters-handbook/porting-testing.html)