move more extra packages from ./trunk to ./packages
authorNicolas Thill <nico@openwrt.org>
Wed, 20 Aug 2008 22:00:41 +0000 (22:00 +0000)
committerNicolas Thill <nico@openwrt.org>
Wed, 20 Aug 2008 22:00:41 +0000 (22:00 +0000)
SVN-Revision: 12359

53 files changed:
libs/gmp/Makefile [new file with mode: 0644]
libs/keynote/Makefile [new file with mode: 0644]
libs/keynote/patches/001-build.patch [new file with mode: 0644]
libs/keynote/patches/002-cross_compile.patch [new file with mode: 0644]
net/aodv-uu/Makefile [new file with mode: 0644]
net/aodv-uu/files/aodv-uu.modules [new file with mode: 0644]
net/aodv-uu/patches/001-normalize.patch [new file with mode: 0644]
net/aodv-uu/patches/002-linux_2.6.19_ip_route_me_harder_change.patch [new file with mode: 0644]
net/aodv-uu/patches/003-linux_2.6.19_security_netlink_recv_change.patch [new file with mode: 0644]
net/aodv-uu/patches/004-linux_2.6.19_includes.patch [new file with mode: 0644]
net/aodv-uu/patches/005-linux_2.6.22_skbuff.patch [new file with mode: 0644]
net/ipsec-tools/Makefile [new file with mode: 0644]
net/ipsec-tools/patches/001-no_libfl.patch [new file with mode: 0644]
net/ipsec-tools/patches/002-configure_cppflags_typo.patch [new file with mode: 0644]
net/ipsec-tools/patches/003-linux_2.6.19_rtnetlink_changes.diff [new file with mode: 0644]
net/isakmpd/Makefile [new file with mode: 0644]
net/isakmpd/patches/010-debian_3.patch [new file with mode: 0644]
net/isakmpd/patches/020-standardize.patch [new file with mode: 0644]
net/isakmpd/patches/030-openssl_hashes.patch [new file with mode: 0644]
net/isakmpd/patches/040-security_fix.patch [new file with mode: 0644]
net/isakmpd/patches/050-ar_cross.patch [new file with mode: 0644]
net/openswan/Makefile [new file with mode: 0644]
net/openswan/files/ipsec.init [new file with mode: 0755]
net/openswan/patches/110-scripts.patch [new file with mode: 0644]
net/openswan/patches/120-use_dev_urandom.patch [new file with mode: 0644]
net/shfs/Makefile [new file with mode: 0644]
net/shfs/patches/100-kmod_build.patch [new file with mode: 0644]
net/shfs/patches/101-shfs_0.35_2.6.18_dentry.patch [new file with mode: 0644]
net/shfs/patches/102-shfs_0.35_clean_inode_clear.patch [new file with mode: 0644]
net/shfs/patches/103-shfs_0.35_gcc4.patch [new file with mode: 0644]
net/shfs/patches/104-shfs_0.35_inode_and_fs.patch [new file with mode: 0644]
net/shfs/patches/105-space_chars.patch [new file with mode: 0644]
net/shfs/patches/106-uidgid32.patch [new file with mode: 0644]
net/shfs/patches/107-df.patch [new file with mode: 0644]
net/shfs/patches/108-no_update_mtab.patch [new file with mode: 0644]
net/shfs/patches/109-linux_2.6.22.patch [new file with mode: 0644]
net/strongswan/Makefile [new file with mode: 0644]
net/strongswan/files/ipsec.button [new file with mode: 0644]
net/strongswan/files/ipsec.conf [new file with mode: 0644]
net/strongswan/files/ipsec.config [new file with mode: 0644]
net/strongswan/files/ipsec.cron [new file with mode: 0644]
net/strongswan/files/ipsec.iface [new file with mode: 0644]
net/strongswan/files/ipsec.init [new file with mode: 0644]
net/strongswan/patches/100-ar-fixes.patch [new file with mode: 0644]
net/strongswan/patches/110-make-ipsec.patch [new file with mode: 0644]
net/strongswan/patches/120-make-pluto.patch [new file with mode: 0644]
net/strongswan/patches/130-make-starter.patch [new file with mode: 0644]
net/strongswan/patches/200-wakeup-showstatus.patch [new file with mode: 0644]
net/strongswan/patches/210-updown.patch [new file with mode: 0644]
net/strongswan/patches/300-openwrt.patch [new file with mode: 0644]
net/strongswan/patches/310-make-ipsec-alg.patch [new file with mode: 0644]
net/strongswan/patches/320-no-modprobe.patch [new file with mode: 0644]
net/strongswan/patches/350-make-programs.patch [new file with mode: 0644]

diff --git a/libs/gmp/Makefile b/libs/gmp/Makefile
new file mode 100644 (file)
index 0000000..59a826b
--- /dev/null
@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2006-2008 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gmp
+PKG_VERSION:=4.2.2
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=@GNU/gmp
+PKG_MD5SUM:=7ce52531644e6d12f16911b7e3151f3f
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libgmp
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=GNU multiprecision arithmetic library
+  URL:=http://gmplib.org/
+endef
+
+define Package/libgmp/description
+       GMP is a free library for arbitrary precision arithmetic, operating on
+       signed integers, rational numbers, and floating point numbers.
+endef
+
+TARGET_CFLAGS += $(FPIC)
+CONFIGURE_VARS += CC="$(TARGET_CROSS)gcc"
+CONFIGURE_ARGS += \
+       --enable-shared \
+       --enable-static \
+
+define Build/Compile
+       $(call Build/Compile/Default, \
+               DESTDIR="$(PKG_INSTALL_DIR)" \
+               CC="$(TARGET_CC)" \
+               all install \
+       )
+endef
+
+define Build/InstallDev
+       mkdir -p $(1)/usr/include
+       $(CP) $(PKG_INSTALL_DIR)/usr/include/gmp* $(1)/usr/include/
+       mkdir -p $(1)/usr/lib
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/libgmp.{a,so*} $(1)/usr/lib/
+endef
+
+define Package/libgmp/install
+       $(INSTALL_DIR) $(1)/usr/lib
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/libgmp.so.* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libgmp))
diff --git a/libs/keynote/Makefile b/libs/keynote/Makefile
new file mode 100644 (file)
index 0000000..5b27257
--- /dev/null
@@ -0,0 +1,55 @@
+# 
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=keynote
+PKG_VERSION:=2.3
+PKG_RELEASE:=2
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://downloads.openwrt.org/sources/
+PKG_MD5SUM:=b569066ac2ba1356c2112b118a7d74d0
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/keynote
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=@LINUX_2_6 +libopenssl
+  TITLE:=Simple and flexible trust-management system
+  URL:=http://www1.cs.columbia.edu/~angelos/keynote.html
+endef
+
+define Package/keynote/description
+ KeyNote is a simple and flexible trust-management system designed to work 
+ well for a variety of large- and small- scale Internet-based applications.
+ It provides a single, unified language for both local policies and 
+ credentials.
+endef
+
+CONFIGURE_ARGS += \
+       --enable-static \
+       --enable-shared
+
+MAKE_FLAGS += \
+       CFLAGS="$(TARGET_CFLAGS)"
+
+define Build/InstallDev
+       mkdir -p $(1)/usr/include/keynote
+       $(CP) $(PKG_BUILD_DIR)/{assertion,header,keynote,signature}.h $(1)/usr/include/keynote/
+       mkdir -p $(1)/usr/lib
+       $(CP) $(PKG_BUILD_DIR)/libkeynote.a $(1)/usr/lib/
+endef
+
+define Package/keynote/install
+       $(INSTALL_DIR) $(1)/usr/sbin
+       $(INSTALL_BIN) $(PKG_BUILD_DIR)/keynote $(1)/usr/sbin/
+endef
+
+$(eval $(call BuildPackage,keynote))
diff --git a/libs/keynote/patches/001-build.patch b/libs/keynote/patches/001-build.patch
new file mode 100644 (file)
index 0000000..88db372
--- /dev/null
@@ -0,0 +1,345 @@
+Index: keynote-2.3/configure.in
+===================================================================
+--- keynote-2.3.orig/configure.in      2007-06-04 13:22:41.284579072 +0200
++++ keynote-2.3/configure.in   2007-06-04 13:22:41.389563112 +0200
+@@ -21,19 +21,13 @@
+ AC_PATH_PROG(ECHO, echo, /bin/echo)
+ AC_PATH_PROG(SED, sed, /usr/bin/sed)
+-dnl Checks for libraries.
+-LIBS="-L/usr/lib -L/usr/local/lib -L/usr/ssl/lib -L/usr/openssl/lib\
+- -L/usr/local/ssl/lib -L/usr/local/openssl/lib -L/usr/pkg/lib -L/pkg/lib"
+-
+ AC_CHECK_LIB(m, floor, LIBS="$LIBS -lm")
+ AC_CHECK_LIB(rsaref, RSAPrivateDecrypt, LIBS="$LIBS -lrsaref")
+ AC_CHECK_LIB(crypto, i2a_ASN1_STRING, LIBS="$LIBS -lcrypto")
+ AC_CHECK_LIB(RSAglue, RSA_ref_private_encrypt, LIBS="$LIBS -lRSAglue")
+ dnl Checks for header files.
+-CPPFLAGS="-I/usr/include -I/usr/local/include -I/usr/ssl/include\
+- -I/usr/local/ssl/include -I/usr/openssl/include -I/usr/pkg/include\
+- -I/usr/local/openssl/include -I/pkg/include"
++CPPFLAGS="-I/usr/include/openssl"
+ AC_HEADER_STDC
+ AC_HEADER_TIME
+Index: keynote-2.3/keynote-keygen.c
+===================================================================
+--- keynote-2.3.orig/keynote-keygen.c  2007-06-04 13:22:41.290578160 +0200
++++ keynote-2.3/keynote-keygen.c       2007-06-04 13:22:41.389563112 +0200
+@@ -161,7 +161,7 @@
+     if (strlen(algname) + 2 > prlen)
+     {
+       fprintf(stderr, "Parameter ``print-length'' should be larger "
+-              "than the length of AlgorithmName (%d)\n", strlen(algname));
++              "than the length of AlgorithmName (%lu)\n", strlen(algname));
+       exit(-1);
+     }
+Index: keynote-2.3/keynote.l
+===================================================================
+--- keynote-2.3.orig/keynote.l 2007-06-04 13:22:41.295577400 +0200
++++ keynote-2.3/keynote.l      2007-06-04 13:22:41.390562960 +0200
+@@ -61,7 +61,8 @@
+ static struct lex_list *keynote_lex_list = (struct lex_list *) NULL;
+ static int    keynote_max_lex_list = 32;
+ static int    keynote_lex_counter = 0;
+-static int    first_tok = 0;
++extern int    first_tok;
++int    first_tok = 0;
+ %}
+ digit         [0-9]
+ specnumber      [1-9][0-9]*
+@@ -766,7 +767,7 @@
+     if (0)
+     {
+       yyunput(0, NULL);
+-      yy_flex_realloc(0, NULL);
++      yy_flex_realloc(NULL, 0);
+     }
+     return en;
+Index: keynote-2.3/keynote-ver.l
+===================================================================
+--- keynote-2.3.orig/keynote-ver.l     2007-06-04 13:22:41.301576488 +0200
++++ keynote-2.3/keynote-ver.l  2007-06-04 13:22:41.390562960 +0200
+@@ -267,7 +267,7 @@
+     if (0)
+     {
+       yyunput(0, NULL);
+-      yy_flex_realloc(0, NULL);
++      yy_flex_realloc(NULL, 0);
+     }
+ }
+Index: keynote-2.3/keynote-ver.y
+===================================================================
+--- keynote-2.3.orig/keynote-ver.y     2007-06-04 13:22:41.306575728 +0200
++++ keynote-2.3/keynote-ver.y  2007-06-04 13:22:41.390562960 +0200
+@@ -49,7 +49,7 @@
+                                return keynote_errno;
+                                free($1);
+                              }
+-
++              ;
+ expr: VSTRING EQ STRING      { int i = kn_add_action(sessid, $1, $3, 0);
+                                if (i != 0)
+@@ -64,6 +64,7 @@
+                              free($1);
+                              free($3);
+                              } expr 
++              ;
+ %%
+ void
+ kverror(char *s)
+Index: keynote-2.3/keynote.y
+===================================================================
+--- keynote-2.3.orig/keynote.y 2007-06-04 13:22:41.311574968 +0200
++++ keynote-2.3/keynote.y      2007-06-04 13:22:41.391562808 +0200
+@@ -73,8 +73,7 @@
+ %}
+ %%
+-grammarswitch: LOCINI { keynote_exceptionflag = keynote_donteval = 0; }
+-                localinit
++grammarswitch: LOCINI { keynote_exceptionflag = keynote_donteval = 0; } localinit
+              | ACTSTR { keynote_exceptionflag = keynote_donteval = 0; } program
+            | KEYPRE { keynote_exceptionflag = keynote_donteval = 0; }
+                 keypredicate
+@@ -91,17 +90,17 @@
+                         STRING { keynote_lex_remove($3);
+                                keynote_privkey = $3;
+                              }
+-    
++              ;
+ keypredicate: /* Nothing */   { keynote_returnvalue = 0;
+                                 return 0; 
+                               }
+        | notemptykeypredicate { keynote_returnvalue = $1;
+                               return 0;
+                               }
+-
++              ;
+ notemptykeypredicate:  key     { $$ = $1; }
+                            | keyexp  { $$ = $1; }
+-
++              ;
+ keyexp: notemptykeypredicate AND { if (($1 == 0) && !keynote_justrecord)
+                                      keynote_donteval = 1;
+                                  } notemptykeypredicate 
+@@ -138,7 +137,7 @@
+                           else
+                             $$ = 0;
+                         }  /* K-th */
+-
++                      ;
+ keylist: key
+           { /* Don't do anything if we're just recording */ 
+               if (!keynote_justrecord && !keynote_donteval)
+@@ -155,7 +154,7 @@
+             keylistcount++;
+             }
+-
++              ;
+ key: str        {
+                  if (keynote_donteval)
+                    $$ = 0;
+@@ -193,10 +192,10 @@
+                        }
+                  }
+                  }
+-
++              ;
+ localinit: /* Nothing */
+          | localconstants
+-
++              ;
+ localconstants: VARIABLE EQQ STRING 
+         {
+             int i;
+@@ -265,12 +264,12 @@
+           if (i != RESULT_TRUE)
+             return -1;
+         } localconstants
+-
++              ;
+ program: prog { 
+               keynote_returnvalue = $1;
+               return 0;
+             }
+-
++              ;
+ prog:   /* Nada */ { $$ = 0; }
+        | notemptyprog {
+                         /* 
+@@ -285,7 +284,7 @@
+                     else
+                       $$ = $4;
+                     } 
+-
++              ;
+ notemptyprog: expr HINT afterhint
+               {
+               if (checkexception($1))
+@@ -300,7 +299,7 @@
+               else
+                 $$ = 0;
+             }
+-
++              ;
+ afterhint: str {  if (keynote_exceptionflag || keynote_donteval)
+                   $$ = 0;
+                 else
+@@ -315,7 +314,7 @@
+                 }
+                 }
+          | OPENBLOCK prog CLOSEBLOCK { $$ = $2; }
+-
++              ;
+ expr:     OPENPAREN expr CLOSEPAREN   { $$ = $2; }
+       | expr AND { if ($1 == 0)
+@@ -334,19 +333,19 @@
+       | stringexp                     { $$ = $1; }
+         | TRUE                                { $$ = 1; }
+         | FALSE                               { $$ = 0; }
+-
++              ;
+ numexp:         numex LT numex { $$ = $1 < $3; }
+       | numex GT numex { $$ = $1 > $3; }
+       | numex EQ numex { $$ = $1 == $3; }
+       | numex LE numex { $$ = $1 <= $3; }
+       | numex GE numex { $$ = $1 >= $3; }
+       | numex NE numex { $$ = $1 != $3; }
+-
++              ;
+ floatexp: floatex LT floatex { $$ = $1 < $3; }
+       | floatex GT floatex { $$ = $1 > $3; }
+       | floatex LE floatex { $$ = $1 <= $3; }
+       | floatex GE floatex { $$ = $1 >= $3; }
+-
++              ;
+ numex:          numex PLUS numex  { $$ = $1 + $3; }
+       | numex MINUS numex { $$ = $1 - $3; }
+       | numex MULT numex  { $$ = $1 * $3; }
+@@ -384,7 +383,7 @@
+                                             free($2);
+                                         }
+                                       }
+-
++              ;
+ floatex:  floatex PLUS floatex        { $$ = ($1 + $3); }
+       | floatex MINUS floatex         { $$ = ($1 - $3); }
+       | floatex MULT floatex          { $$ = ($1 * $3); }
+@@ -418,7 +417,7 @@
+                                             free($2);
+                                         }
+                                       }
+-
++              ;
+ stringexp: str EQ str {
+                         if (keynote_exceptionflag || keynote_donteval)
+                         $$ = 0;
+@@ -529,9 +528,9 @@
+                     if (i == 0)
+                     {
+ #if !defined(HAVE_SNPRINTF)
+-                        sprintf(grp, "%d", preg.re_nsub);
++                        sprintf(grp, "%d", (int)preg.re_nsub);
+ #else /* !HAVE_SNPRINTF */
+-                        snprintf(grp, 3, "%d", preg.re_nsub);
++                        snprintf(grp, 3, "%d", (int)preg.re_nsub);
+ #endif /* !HAVE_SNPRINTF */
+                         if (keynote_env_add("_0", grp, &keynote_temp_list,
+                                             1, 0) != RESULT_TRUE)
+@@ -579,7 +578,7 @@
+                 }
+             }
+           }
+-
++              ;
+ str: str DOTT str    {  if (keynote_exceptionflag || keynote_donteval)
+                         $$ = (char *) NULL;
+                       else
+@@ -605,7 +604,7 @@
+                       }
+                     }
+       | strnotconcat { $$ = $1; }
+-
++              ;
+ strnotconcat: STRING                  { $$ = $1; }
+         | OPENPAREN str CLOSEPAREN    { $$ = $2; }
+         | VARIABLE      {  if (keynote_exceptionflag || keynote_donteval)
+@@ -660,6 +659,7 @@
+                                 return -1;
+                           }
+                        }
++              ;
+ %%
+ /*
+Index: keynote-2.3/Makefile.in
+===================================================================
+--- keynote-2.3.orig/Makefile.in       2007-06-04 13:22:41.317574056 +0200
++++ keynote-2.3/Makefile.in    2007-06-04 13:22:41.391562808 +0200
+@@ -41,7 +41,8 @@
+ YACCFLAGS = -d -p kn -b k
+ LEXFLAGS2 = -Pkv -s -i
+ LEXFLAGS = -Cr -Pkn -s -i
+-CFLAGS = -O2 -Wall # -g
++CFLAGS = -O2 -Wall -fno-strict-aliasing # -g
++LDFLAGS = @LDFLAGS@
+ RMFLAGS2 = -rf
+ RMFLAGS = -f
+ NROFFFLAGS = -mandoc
+@@ -83,7 +84,7 @@
+       $(RANLIB) $(TARGET)
+ $(TARGET2): $(TARGET) $(OBJS2)
+-      $(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS)
++      $(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LDFLAGS) $(LIBS)
+ k.tab.c: keynote.y header.h keynote.h assertion.h config.h
+       $(YACC) $(YACCFLAGS) keynote.y
+Index: keynote-2.3/signature.c
+===================================================================
+--- keynote-2.3.orig/signature.c       2007-06-04 13:22:41.323573144 +0200
++++ keynote-2.3/signature.c    2007-06-04 13:22:41.392562656 +0200
+@@ -515,7 +515,7 @@
+       kk = dc->dec_key;
+       if (keytype == KEYNOTE_PRIVATE_KEY)
+       {
+-          if (d2i_DSAPrivateKey((DSA **) &kk, &decoded, len) == (DSA *) NULL)
++          if (d2i_DSAPrivateKey((DSA **) &kk, (const unsigned char **) &decoded, len) == (DSA *) NULL)
+           {
+               if (ptr != (unsigned char *) NULL)
+                 free(ptr);
+@@ -526,7 +526,7 @@
+       }
+       else
+       {
+-          if (d2i_DSAPublicKey((DSA **) &kk, &decoded, len) == (DSA *) NULL)
++          if (d2i_DSAPublicKey((DSA **) &kk, (const unsigned char **) &decoded, len) == (DSA *) NULL)
+           {
+               if (ptr != (unsigned char *) NULL)
+                 free(ptr);
+@@ -556,7 +556,7 @@
+         kk = dc->dec_key;
+         if (keytype == KEYNOTE_PRIVATE_KEY)
+         {
+-            if (d2i_RSAPrivateKey((RSA **) &kk, &decoded, len) == (RSA *) NULL)
++            if (d2i_RSAPrivateKey((RSA **) &kk, (const unsigned char **) &decoded, len) == (RSA *) NULL)
+             {
+                 if (ptr != (unsigned char *) NULL)
+                   free(ptr);
+@@ -567,7 +567,7 @@
+         }
+         else
+         {
+-            if (d2i_RSAPublicKey((RSA **) &kk, &decoded, len) == (RSA *) NULL)
++            if (d2i_RSAPublicKey((RSA **) &kk, (const unsigned char **) &decoded, len) == (RSA *) NULL)
+             {
+                 if (ptr != (unsigned char *) NULL)
+                   free(ptr);
diff --git a/libs/keynote/patches/002-cross_compile.patch b/libs/keynote/patches/002-cross_compile.patch
new file mode 100644 (file)
index 0000000..050efbd
--- /dev/null
@@ -0,0 +1,588 @@
+Index: keynote-2.3/configure
+===================================================================
+--- keynote-2.3.orig/configure 2007-06-04 13:22:41.259582872 +0200
++++ keynote-2.3/configure      2007-06-04 13:22:41.658522224 +0200
+@@ -889,52 +889,10 @@
+ done
+ test -n "$YACC" || YACC="yacc"
+-for ac_prog in openssl ssleay
+-do
+-# Extract the first word of "$ac_prog", so it can be a program name with args.
+-set dummy $ac_prog; ac_word=$2
+-echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:898: checking for $ac_word" >&5
+-if eval "test \"`echo '$''{'ac_cv_path_SSLEAY'+set}'`\" = set"; then
+-  echo $ac_n "(cached) $ac_c" 1>&6
+-else
+-  case "$SSLEAY" in
+-  /*)
+-  ac_cv_path_SSLEAY="$SSLEAY" # Let the user override the test with a path.
+-  ;;
+-  ?:/*)                        
+-  ac_cv_path_SSLEAY="$SSLEAY" # Let the user override the test with a dos path.
+-  ;;
+-  *)
+-  IFS="${IFS=         }"; ac_save_ifs="$IFS"; IFS=":"
+-  ac_dummy="\
+-               $PATH:/usr/local/bin:/usr/local/ssl/sbin:/usr/local/ssl/bin:/usr/ssl/bin:/usr/ssl/sbin:/usr/sbin:/usr/openssl/bin:/usr/openssl/bin:/usr/local/openssl/bin:/usr/local/openssl/sbin"
+-  for ac_dir in $ac_dummy; do 
+-    test -z "$ac_dir" && ac_dir=.
+-    if test -f $ac_dir/$ac_word; then
+-      ac_cv_path_SSLEAY="$ac_dir/$ac_word"
+-      break
+-    fi
+-  done
+-  IFS="$ac_save_ifs"
+-  ;;
+-esac
+-fi
+-SSLEAY="$ac_cv_path_SSLEAY"
+-if test -n "$SSLEAY"; then
+-  echo "$ac_t""$SSLEAY" 1>&6
+-else
+-  echo "$ac_t""no" 1>&6
+-fi
+-
+-test -n "$SSLEAY" && break
+-done
+-test -n "$SSLEAY" || SSLEAY="/usr/local/bin/ssleay"
+-
+ # Extract the first word of "rm", so it can be a program name with args.
+ set dummy rm; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:938: checking for $ac_word" >&5
++echo "configure:896: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_RM'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -970,7 +928,7 @@
+ # Extract the first word of "ar", so it can be a program name with args.
+ set dummy ar; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:974: checking for $ac_word" >&5
++echo "configure:932: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1006,7 +964,7 @@
+ # Extract the first word of "nroff", so it can be a program name with args.
+ set dummy nroff; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:1010: checking for $ac_word" >&5
++echo "configure:968: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_NROFF'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1042,7 +1000,7 @@
+ # Extract the first word of "tar", so it can be a program name with args.
+ set dummy tar; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:1046: checking for $ac_word" >&5
++echo "configure:1004: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_TAR'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1078,7 +1036,7 @@
+ # Extract the first word of "true", so it can be a program name with args.
+ set dummy true; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:1082: checking for $ac_word" >&5
++echo "configure:1040: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_TRUE'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1114,7 +1072,7 @@
+ # Extract the first word of "mkdir", so it can be a program name with args.
+ set dummy mkdir; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:1118: checking for $ac_word" >&5
++echo "configure:1076: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_MKDIR'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1150,7 +1108,7 @@
+ # Extract the first word of "tr", so it can be a program name with args.
+ set dummy tr; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:1154: checking for $ac_word" >&5
++echo "configure:1112: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_TR'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1186,7 +1144,7 @@
+ # Extract the first word of "echo", so it can be a program name with args.
+ set dummy echo; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:1190: checking for $ac_word" >&5
++echo "configure:1148: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_ECHO'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1222,7 +1180,7 @@
+ # Extract the first word of "sed", so it can be a program name with args.
+ set dummy sed; ac_word=$2
+ echo $ac_n "checking for $ac_word""... $ac_c" 1>&6
+-echo "configure:1226: checking for $ac_word" >&5
++echo "configure:1184: checking for $ac_word" >&5
+ if eval "test \"`echo '$''{'ac_cv_path_SED'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+@@ -1256,11 +1214,8 @@
+ fi
+-LIBS="-L/usr/lib -L/usr/local/lib -L/usr/ssl/lib -L/usr/openssl/lib\
+- -L/usr/local/ssl/lib -L/usr/local/openssl/lib -L/usr/pkg/lib -L/pkg/lib"
+-
+ echo $ac_n "checking for floor in -lm""... $ac_c" 1>&6
+-echo "configure:1264: checking for floor in -lm" >&5
++echo "configure:1219: checking for floor in -lm" >&5
+ ac_lib_var=`echo m'_'floor | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -1268,7 +1223,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lm  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 1272 "configure"
++#line 1227 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -1279,7 +1234,7 @@
+ floor()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:1283: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:1238: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -1300,7 +1255,7 @@
+ fi
+ echo $ac_n "checking for RSAPrivateDecrypt in -lrsaref""... $ac_c" 1>&6
+-echo "configure:1304: checking for RSAPrivateDecrypt in -lrsaref" >&5
++echo "configure:1259: checking for RSAPrivateDecrypt in -lrsaref" >&5
+ ac_lib_var=`echo rsaref'_'RSAPrivateDecrypt | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -1308,7 +1263,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lrsaref  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 1312 "configure"
++#line 1267 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -1319,7 +1274,7 @@
+ RSAPrivateDecrypt()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:1323: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:1278: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -1340,7 +1295,7 @@
+ fi
+ echo $ac_n "checking for i2a_ASN1_STRING in -lcrypto""... $ac_c" 1>&6
+-echo "configure:1344: checking for i2a_ASN1_STRING in -lcrypto" >&5
++echo "configure:1299: checking for i2a_ASN1_STRING in -lcrypto" >&5
+ ac_lib_var=`echo crypto'_'i2a_ASN1_STRING | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -1348,7 +1303,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lcrypto  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 1352 "configure"
++#line 1307 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -1359,7 +1314,7 @@
+ i2a_ASN1_STRING()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:1363: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:1318: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -1380,7 +1335,7 @@
+ fi
+ echo $ac_n "checking for RSA_ref_private_encrypt in -lRSAglue""... $ac_c" 1>&6
+-echo "configure:1384: checking for RSA_ref_private_encrypt in -lRSAglue" >&5
++echo "configure:1339: checking for RSA_ref_private_encrypt in -lRSAglue" >&5
+ ac_lib_var=`echo RSAglue'_'RSA_ref_private_encrypt | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+@@ -1388,7 +1343,7 @@
+   ac_save_LIBS="$LIBS"
+ LIBS="-lRSAglue  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+-#line 1392 "configure"
++#line 1347 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+@@ -1399,7 +1354,7 @@
+ RSA_ref_private_encrypt()
+ ; return 0; }
+ EOF
+-if { (eval echo configure:1403: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:1358: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+@@ -1420,12 +1375,9 @@
+ fi
+-CPPFLAGS="-I/usr/include -I/usr/local/include -I/usr/ssl/include\
+- -I/usr/local/ssl/include -I/usr/openssl/include -I/usr/pkg/include\
+- -I/usr/local/openssl/include -I/pkg/include"
+ echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6
+-echo "configure:1429: checking how to run the C preprocessor" >&5
++echo "configure:1381: checking how to run the C preprocessor" >&5
+ # On Suns, sometimes $CPP names a directory.
+ if test -n "$CPP" && test -d "$CPP"; then
+   CPP=
+@@ -1440,13 +1392,13 @@
+   # On the NeXT, cc -E runs the code through the compiler's parser,
+   # not just through cpp.
+   cat > conftest.$ac_ext <<EOF
+-#line 1444 "configure"
++#line 1396 "configure"
+ #include "confdefs.h"
+ #include <assert.h>
+ Syntax Error
+ EOF
+ ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+-{ (eval echo configure:1450: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++{ (eval echo configure:1402: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
+   :
+@@ -1457,13 +1409,13 @@
+   rm -rf conftest*
+   CPP="${CC-cc} -E -traditional-cpp"
+   cat > conftest.$ac_ext <<EOF
+-#line 1461 "configure"
++#line 1413 "configure"
+ #include "confdefs.h"
+ #include <assert.h>
+ Syntax Error
+ EOF
+ ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+-{ (eval echo configure:1467: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++{ (eval echo configure:1419: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
+   :
+@@ -1474,13 +1426,13 @@
+   rm -rf conftest*
+   CPP="${CC-cc} -nologo -E"
+   cat > conftest.$ac_ext <<EOF
+-#line 1478 "configure"
++#line 1430 "configure"
+ #include "confdefs.h"
+ #include <assert.h>
+ Syntax Error
+ EOF
+ ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+-{ (eval echo configure:1484: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++{ (eval echo configure:1436: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
+   :
+@@ -1505,12 +1457,12 @@
+ echo "$ac_t""$CPP" 1>&6
+ echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6
+-echo "configure:1509: checking for ANSI C header files" >&5
++echo "configure:1461: checking for ANSI C header files" >&5
+ if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1514 "configure"
++#line 1466 "configure"
+ #include "confdefs.h"
+ #include <stdlib.h>
+ #include <stdarg.h>
+@@ -1518,7 +1470,7 @@
+ #include <float.h>
+ EOF
+ ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+-{ (eval echo configure:1522: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++{ (eval echo configure:1474: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
+   rm -rf conftest*
+@@ -1535,7 +1487,7 @@
+ if test $ac_cv_header_stdc = yes; then
+   # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+ cat > conftest.$ac_ext <<EOF
+-#line 1539 "configure"
++#line 1491 "configure"
+ #include "confdefs.h"
+ #include <string.h>
+ EOF
+@@ -1553,7 +1505,7 @@
+ if test $ac_cv_header_stdc = yes; then
+   # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+ cat > conftest.$ac_ext <<EOF
+-#line 1557 "configure"
++#line 1509 "configure"
+ #include "confdefs.h"
+ #include <stdlib.h>
+ EOF
+@@ -1574,7 +1526,7 @@
+   :
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1578 "configure"
++#line 1530 "configure"
+ #include "confdefs.h"
+ #include <ctype.h>
+ #define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+@@ -1585,7 +1537,7 @@
+ exit (0); }
+ EOF
+-if { (eval echo configure:1589: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
++if { (eval echo configure:1541: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+ then
+   :
+ else
+@@ -1609,12 +1561,12 @@
+ fi
+ echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6
+-echo "configure:1613: checking whether time.h and sys/time.h may both be included" >&5
++echo "configure:1565: checking whether time.h and sys/time.h may both be included" >&5
+ if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1618 "configure"
++#line 1570 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #include <sys/time.h>
+@@ -1623,7 +1575,7 @@
+ struct tm *tp;
+ ; return 0; }
+ EOF
+-if { (eval echo configure:1627: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:1579: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_header_time=yes
+ else
+@@ -1647,17 +1599,17 @@
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:1651: checking for $ac_hdr" >&5
++echo "configure:1603: checking for $ac_hdr" >&5
+ if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1656 "configure"
++#line 1608 "configure"
+ #include "confdefs.h"
+ #include <$ac_hdr>
+ EOF
+ ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+-{ (eval echo configure:1661: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++{ (eval echo configure:1613: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
+   rm -rf conftest*
+@@ -1687,17 +1639,17 @@
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+-echo "configure:1691: checking for $ac_hdr" >&5
++echo "configure:1643: checking for $ac_hdr" >&5
+ if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1696 "configure"
++#line 1648 "configure"
+ #include "confdefs.h"
+ #include <$ac_hdr>
+ EOF
+ ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"
+-{ (eval echo configure:1701: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
++{ (eval echo configure:1653: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }
+ ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"`
+ if test -z "$ac_err"; then
+   rm -rf conftest*
+@@ -1726,12 +1678,12 @@
+ echo $ac_n "checking for working const""... $ac_c" 1>&6
+-echo "configure:1730: checking for working const" >&5
++echo "configure:1682: checking for working const" >&5
+ if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1735 "configure"
++#line 1687 "configure"
+ #include "confdefs.h"
+ int main() {
+@@ -1780,7 +1732,7 @@
+ ; return 0; }
+ EOF
+-if { (eval echo configure:1784: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
++if { (eval echo configure:1736: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
+   rm -rf conftest*
+   ac_cv_c_const=yes
+ else
+@@ -1801,12 +1753,12 @@
+ fi
+ echo $ac_n "checking for u_int""... $ac_c" 1>&6
+-echo "configure:1805: checking for u_int" >&5
++echo "configure:1757: checking for u_int" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_u_int'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1810 "configure"
++#line 1762 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -1834,12 +1786,12 @@
+ fi
+ echo $ac_n "checking for u_char""... $ac_c" 1>&6
+-echo "configure:1838: checking for u_char" >&5
++echo "configure:1790: checking for u_char" >&5
+ if eval "test \"`echo '$''{'ac_cv_type_u_char'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1843 "configure"
++#line 1795 "configure"
+ #include "confdefs.h"
+ #include <sys/types.h>
+ #if STDC_HEADERS
+@@ -1870,12 +1822,12 @@
+ for ac_func in regcomp open close read _open _close _read strchr memcpy
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:1874: checking for $ac_func" >&5
++echo "configure:1826: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1879 "configure"
++#line 1831 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -1898,7 +1850,7 @@
+ ; return 0; }
+ EOF
+-if { (eval echo configure:1902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:1854: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -1925,12 +1877,12 @@
+ for ac_func in strcasecmp strncasecmp stricmp strnicmp snprintf __b64_ntop
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:1929: checking for $ac_func" >&5
++echo "configure:1881: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1934 "configure"
++#line 1886 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -1953,7 +1905,7 @@
+ ; return 0; }
+ EOF
+-if { (eval echo configure:1957: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:1909: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -1980,12 +1932,12 @@
+ for ac_func in getopt
+ do
+ echo $ac_n "checking for $ac_func""... $ac_c" 1>&6
+-echo "configure:1984: checking for $ac_func" >&5
++echo "configure:1936: checking for $ac_func" >&5
+ if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   cat > conftest.$ac_ext <<EOF
+-#line 1989 "configure"
++#line 1941 "configure"
+ #include "confdefs.h"
+ /* System header to define __stub macros and hopefully few prototypes,
+     which can conflict with char $ac_func(); below.  */
+@@ -2008,7 +1960,7 @@
+ ; return 0; }
+ EOF
+-if { (eval echo configure:2012: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
++if { (eval echo configure:1964: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+   rm -rf conftest*
+   eval "ac_cv_func_$ac_func=yes"
+ else
+@@ -2172,7 +2124,6 @@
+ s%@CC@%$CC%g
+ s%@RANLIB@%$RANLIB%g
+ s%@YACC@%$YACC%g
+-s%@SSLEAY@%$SSLEAY%g
+ s%@RM@%$RM%g
+ s%@AR@%$AR%g
+ s%@NROFF@%$NROFF%g
+Index: keynote-2.3/configure.in
+===================================================================
+--- keynote-2.3.orig/configure.in      2007-06-04 13:22:41.389563112 +0200
++++ keynote-2.3/configure.in   2007-06-04 13:22:41.658522224 +0200
+@@ -9,8 +9,8 @@
+ AC_PROG_CC
+ AC_PROG_RANLIB
+ AC_PROG_YACC
+-AC_PATH_PROGS(SSLEAY, openssl ssleay, /usr/local/bin/ssleay, \
+-               $PATH:/usr/local/bin:/usr/local/ssl/sbin:/usr/local/ssl/bin:/usr/ssl/bin:/usr/ssl/sbin:/usr/sbin:/usr/openssl/bin:/usr/openssl/bin:/usr/local/openssl/bin:/usr/local/openssl/sbin)
++dnl AC_PATH_PROGS(SSLEAY, openssl ssleay, /usr/local/bin/ssleay, \
++dnl                $PATH:/usr/local/bin:/usr/local/ssl/sbin:/usr/local/ssl/bin:/usr/ssl/bin:/usr/ssl/sbin:/usr/sbin:/usr/openssl/bin:/usr/openssl/bin:/usr/local/openssl/bin:/usr/local/openssl/sbin)
+ AC_PATH_PROG(RM, rm, /bin/rm)
+ AC_PATH_PROG(AR, ar, /usr/bin/ar)
+ AC_PATH_PROG(NROFF, nroff, /usr/bin/nroff)
+@@ -27,7 +27,7 @@
+ AC_CHECK_LIB(RSAglue, RSA_ref_private_encrypt, LIBS="$LIBS -lRSAglue")
+ dnl Checks for header files.
+-CPPFLAGS="-I/usr/include/openssl"
++dnl CPPFLAGS="-I/usr/include/openssl"
+ AC_HEADER_STDC
+ AC_HEADER_TIME
diff --git a/net/aodv-uu/Makefile b/net/aodv-uu/Makefile
new file mode 100644 (file)
index 0000000..9f55194
--- /dev/null
@@ -0,0 +1,105 @@
+#
+# Copyright (C) 2006-2008 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=aodv-uu
+PKG_VERSION:=0.9.3
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://core.it.uu.se/core/files/
+PKG_MD5SUM:=05460543054449cb4b170252a7168c65
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/aodv-uu/Default
+  TITLE:=Ad-hoc On-demand Distance Vector Routing
+  DEPENDS:=@BROKEN
+  URL:=http://core.it.uu.se/core/index.php/AODV-UU
+endef
+
+define Package/aodv-uu/Default/description
+ AODV is the Ad-hoc On-demand Distance Vector routing protocol
+ implementation created at Uppsala University.
+endef
+
+define Package/aodv-uu
+$(call Package/aodv-uu/Default)
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE+= (daemon)
+endef
+
+define Package/aodv-uu/description
+$(call Package/aodv-uu/Default/description)
+ This package contains the AODV userland daemon.
+endef
+
+define KernelPackage/aodv-uu
+$(call Package/aodv-uu/Default)
+  TITLE+= (kernel module)
+  FILES:=$(PKG_BUILD_DIR)/lnx/kaodv.$(LINUX_KMOD_SUFFIX)
+  SUBMENU:=Network Support
+  AUTOLOAD:=$(call AutoLoad,80,$(shell cat ./files/aodv-uu.modules))
+endef
+
+define KernelPackage/aodv-uu/description
+$(call Package/aodv-uu/Default/description)
+ This package contains the AODV kernel module.
+endef
+
+ifeq ($(CONFIG_LINUX_2_6),y)
+  define Build/Compile/linux26
+       $(MAKE) -C $(LINUX_DIR) \
+               ARCH="$(LINUX_KARCH)" \
+               CROSS_COMPILE="$(TARGET_CROSS)" \
+               PATCHLEVEL="$(LINUX_VERSION)" \
+               KERNDIR="$(LINUX_DIR)" \
+               SUBDIRS="$(PKG_BUILD_DIR)/lnx" \
+                modules
+  endef
+else
+  # We assume 2.4 builds are only for brcm-2.4 yet
+  define Build/Compile/linux24-brcm
+       $(call Build/Compile/Default,\
+               KERNEL_DIR="$(LINUX_DIR)" \
+               KCC="$(TARGET_CC)" \
+               CFLAGS="$(TARGET_CFLAGS)" \
+               kaodv-mips \
+       )
+       cp $(PKG_BUILD_DIR)/lnx/kaodv-mips.$(LINUX_KMOD_SUFFIX) $(PKG_BUILD_DIR)/lnx/kaodv.$(LINUX_KMOD_SUFFIX)
+  endef
+endif
+
+define Build/Compile
+       $(call Build/Compile/linux26)
+       $(call Build/Compile/linux24-brcm)
+       $(call Build/Compile/Default,\
+               KERNEL_DIR="$(LINUX_DIR)" \
+               KCC="$(TARGET_CC)" \
+               CFLAGS="$(TARGET_CFLAGS)" \
+               aodvd \
+       )
+endef
+
+define Package/aodv-uu/install
+       $(INSTALL_DIR) $(1)/usr/sbin
+       $(INSTALL_BIN) $(PKG_BUILD_DIR)/aodvd $(1)/usr/sbin
+endef
+
+define Package/kmod-aodv-uu/install
+       $(INSTALL_DIR) $(1)/etc/modules.d
+       $(INSTALL_DATA) ./files/aodv-uu.modules $(1)/etc/modules.d/80-aodv-uu
+       $(INSTALL_DIR) $(1)/lib/modules/$(LINUX_VERSION)
+       $(CP) $(PKG_BUILD_DIR)/lnx/kaodv.$(LINUX_KMOD_SUFFIX) $(1)/lib/modules/$(LINUX_VERSION)/
+endef
+
+$(eval $(call BuildPackage,aodv-uu))
+$(eval $(call KernelPackage,aodv-uu))
diff --git a/net/aodv-uu/files/aodv-uu.modules b/net/aodv-uu/files/aodv-uu.modules
new file mode 100644 (file)
index 0000000..809c4da
--- /dev/null
@@ -0,0 +1 @@
+kaodv
diff --git a/net/aodv-uu/patches/001-normalize.patch b/net/aodv-uu/patches/001-normalize.patch
new file mode 100644 (file)
index 0000000..bdc6fda
--- /dev/null
@@ -0,0 +1,64 @@
+Index: aodv-uu-0.9.3/lnx/Makefile
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/Makefile    2007-06-04 13:22:19.859836128 +0200
++++ aodv-uu-0.9.3/lnx/Makefile 2007-06-04 13:22:19.932825032 +0200
+@@ -30,7 +30,7 @@
+ KCFLAGS=-Wall -Wno-strict-aliasing -O2 $(KDEFS) $(KINC) $(XDEFS)
+ KCFLAGS_ARM=-Wall -O2 -D__KERNEL__ -DMODULE -nostdinc $(shell $(ARM_CC) -print-search-dirs | sed -ne 's/install: \(.*\)/-I \1include/gp') -I$(KERNEL_INC)
+ KCFLAGS_MIPS=-Wall -mips2 -O2 -fno-pic -mno-abicalls -mlong-calls -G0 -msoft-float -D__KERNEL__ -DMODULE -nostdinc $(shell $(MIPS_CC) -print-search-dirs | sed -ne 's/install: \(.*\)/-I \1include/gp') -I$(KERNEL_INC) $(XDEFS)
+-
++endif
+ .PHONY: clean clean-2.4 clean-2.6 indent default
+ # Check for kernel version
+@@ -89,5 +89,3 @@
+       etags *.c *.h
+ indent:
+       indent -kr -i8 -ts8 -sob -l80 -ss -ncs *.c *.h 
+-endif
+-
+Index: aodv-uu-0.9.3/Makefile
+===================================================================
+--- aodv-uu-0.9.3.orig/Makefile        2007-06-04 13:22:19.866835064 +0200
++++ aodv-uu-0.9.3/Makefile     2007-06-04 13:22:19.932825032 +0200
+@@ -87,7 +87,7 @@
+ mips: aodvd-mips kaodv-mips
+ endian.h:
+-      $(CC) $(CFLAGS) -o endian endian.c
++      gcc -o endian endian.c
+       ./endian > endian.h
+ $(OBJS): %.o: %.c Makefile
+@@ -143,19 +143,18 @@
+       @makedepend -Y./ -- $(DEFS) -- $(SRC) &>/dev/null
+       @makedepend -a -Y./ -- $(KDEFS) kaodv.c &>/dev/null
+-install: default
+-      install -s -m 755 aodvd /usr/sbin/aodvd
+-      @if [ ! -d /lib/modules/$(KERNEL)/aodv ]; then \
+-              mkdir /lib/modules/$(KERNEL)/aodv; \
+-      fi
+-
+-      @echo "Installing kernel module in /lib/modules/$(KERNEL)/aodv/";
+-      @if [ -f ./kaodv.ko ]; then \
+-              install -m 644 kaodv.ko /lib/modules/$(KERNEL)/aodv/kaodv.ko; \
+-      else \
+-              install -m 644 kaodv.o /lib/modules/$(KERNEL)/aodv/kaodv.o; \
+-      fi
+-      /sbin/depmod -a
++install: install-aodvd install-kaodv
++
++install-aodvd:
++      @echo "Installing aodv in $(DESTDIR)/usr/sbin";
++      install -d -m0755 $(DESTDIR)/usr/sbin/
++      install -m0755 aodvd $(DESTDIR)/usr/sbin/aodvd
++
++install-kaodv:
++      @echo "Installing kernel module in $(DESTDIR)/lib/modules/$(KERNEL)/";
++      install -d -m0644 $(DESTDIR)/lib/modules/$(KERNEL)/
++      install -m 644 lnx/kaodv.$(KMOD_SUFFIX) $(DESTDIR)/lib/modules/$(KERNEL)/kaodv.$(KMOD_SUFFIX);
++
+ uninstall:
+       rm -f /usr/sbin/aodvd
+       rm -rf /lib/modules/$(KERNEL)/aodv
diff --git a/net/aodv-uu/patches/002-linux_2.6.19_ip_route_me_harder_change.patch b/net/aodv-uu/patches/002-linux_2.6.19_ip_route_me_harder_change.patch
new file mode 100644 (file)
index 0000000..638de87
--- /dev/null
@@ -0,0 +1,49 @@
+Index: aodv-uu-0.9.3/lnx/kaodv-mod.c
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-mod.c 2007-06-04 13:22:19.830840536 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-mod.c      2007-06-04 13:22:20.130794936 +0200
+@@ -19,7 +19,7 @@
+  * Author: Erik Nordström, <erik.nordstrom@it.uu.se>
+  * 
+  *****************************************************************************/
+-#include <linux/config.h>
++#include <linux/autoconf.h>
+ #include <linux/version.h>
+ #ifdef KERNEL26
+@@ -258,7 +258,11 @@
+                       if (!(*skb))
+                               return NF_STOLEN;
+                       
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19)
++                      ip_route_me_harder(skb, RTN_UNSPEC);
++#else
+                       ip_route_me_harder(skb);
++#endif
+               }
+               break;
+       case NF_IP_POST_ROUTING:
+Index: aodv-uu-0.9.3/lnx/kaodv-queue.c
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-queue.c       2007-06-04 13:22:19.837839472 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-queue.c    2007-06-04 13:22:20.130794936 +0200
+@@ -29,6 +29,7 @@
+ #include <linux/spinlock.h>
+ #include <linux/sysctl.h>
+ #include <linux/proc_fs.h>
++#include <linux/version.h>
+ #include <net/sock.h>
+ #include <net/route.h>
+ #include <net/icmp.h>
+@@ -246,7 +247,11 @@
+                               if (!entry->skb)
+                                       goto next;
+                       }
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19)
++                      ip_route_me_harder(&entry->skb, RTN_UNSPEC);
++#else
+                       ip_route_me_harder(&entry->skb);
++#endif
+                       pkts++;
diff --git a/net/aodv-uu/patches/003-linux_2.6.19_security_netlink_recv_change.patch b/net/aodv-uu/patches/003-linux_2.6.19_security_netlink_recv_change.patch
new file mode 100644 (file)
index 0000000..53d9064
--- /dev/null
@@ -0,0 +1,16 @@
+Index: aodv-uu-0.9.3/lnx/kaodv-netlink.c
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-netlink.c     2007-06-04 13:22:19.810843576 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-netlink.c  2007-06-04 13:22:20.326765144 +0200
+@@ -284,7 +284,11 @@
+ /*            RCV_SKB_FAIL(-EINVAL); */
+ #ifdef KERNEL26
++# if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19)     
++      if (security_netlink_recv(skb, CAP_NET_ADMIN))
++# else        
+       if (security_netlink_recv(skb))
++# endif
+               RCV_SKB_FAIL(-EPERM);
+ #endif
+       //write_lock_bh(&queue_lock);
diff --git a/net/aodv-uu/patches/004-linux_2.6.19_includes.patch b/net/aodv-uu/patches/004-linux_2.6.19_includes.patch
new file mode 100644 (file)
index 0000000..8dc1adf
--- /dev/null
@@ -0,0 +1,28 @@
+Index: aodv-uu-0.9.3/main.c
+===================================================================
+--- aodv-uu-0.9.3.orig/main.c  2007-06-04 13:22:19.782847832 +0200
++++ aodv-uu-0.9.3/main.c       2007-06-04 13:22:20.513736720 +0200
+@@ -26,6 +26,8 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/stat.h>
++#include <linux/types.h>
++#include <linux/if.h>
+ #include <linux/sockios.h>
+ #include <linux/wireless.h>
+ #include <getopt.h>
+Index: aodv-uu-0.9.3/nl.c
+===================================================================
+--- aodv-uu-0.9.3.orig/nl.c    2007-06-04 13:22:19.789846768 +0200
++++ aodv-uu-0.9.3/nl.c 2007-06-04 13:22:20.513736720 +0200
+@@ -33,6 +33,10 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <linux/rtnetlink.h>
++#include <linux/version.h>
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19)
++#include <linux/if_addr.h>
++#endif
+ #include "defs.h"
+ #include "lnx/kaodv-netlink.h"
diff --git a/net/aodv-uu/patches/005-linux_2.6.22_skbuff.patch b/net/aodv-uu/patches/005-linux_2.6.22_skbuff.patch
new file mode 100644 (file)
index 0000000..0831c5f
--- /dev/null
@@ -0,0 +1,164 @@
+Index: aodv-uu-0.9.3/lnx/kaodv-compat.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ aodv-uu-0.9.3/lnx/kaodv-compat.h   2007-06-17 02:49:46.844217144 +0200
+@@ -0,0 +1,15 @@
++#ifndef __KAODV_COMPAT_H
++#define __KAODV_COMPAT_H
++
++#include <linux/version.h>
++#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22)
++
++#define ip_hdr(_skb) (_skb)->nh.iph
++#define skb_reset_network_header(_skb) do { \
++              _skb->nh.iph = (struct iphdr *)_skb->data; \
++      } while (0);
++
++
++#endif /* LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22) */
++
++#endif
+Index: aodv-uu-0.9.3/lnx/kaodv-ipenc.c
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-ipenc.c       2007-06-17 02:31:56.448941960 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-ipenc.c    2007-06-17 02:45:50.420159064 +0200
+@@ -64,7 +64,7 @@
+     if (skb->sk != NULL)
+       skb_set_owner_w(nskb, skb->sk);
+-    iph = skb->nh.iph;
++    iph = ip_hdr(skb);
+     skb_put(nskb, sizeof(struct min_ipenc_hdr));
+     
+@@ -78,7 +78,8 @@
+     skb = nskb;
+     
+     /* Update pointers */
+-    iph = skb->nh.iph = (struct iphdr *)skb->data;
++      skb_reset_network_header(skb);
++    iph = (struct iphdr *)skb->data;
+     ipe = (struct min_ipenc_hdr *)(skb->data + (iph->ihl << 2));
+     
+@@ -99,8 +100,8 @@
+     ip_send_check(iph);
+-    if (skb->nh.iph->id == 0)
+-      ip_select_ident(skb->nh.iph, skb->dst, NULL);
++    if (ip_hdr(skb)->id == 0)
++      ip_select_ident(ip_hdr(skb), skb->dst, NULL);
+         
+     return skb;
+ }
+@@ -108,9 +109,7 @@
+ struct sk_buff *ip_pkt_decapsulate(struct sk_buff *skb)
+ {
+     struct min_ipenc_hdr *ipe;
+-    /* skb->nh.iph is probably not set yet */
+-    struct iphdr *iph = skb->nh.iph;
+-
++    struct iphdr *iph = ip_hdr(skb);
+     ipe = (struct min_ipenc_hdr *)((char *)iph + (iph->ihl << 2));
+@@ -123,8 +122,9 @@
+           skb->len - (iph->ihl << 2) - sizeof(struct min_ipenc_hdr));
+     
+     skb_trim(skb, skb->len - sizeof(struct min_ipenc_hdr));
+-    
+-    skb->nh.iph = iph = (struct iphdr *)skb->data;
++
++      skb_reset_network_header(skb);
++    iph = (struct iphdr *)skb->data;
+     iph->tot_len = htons((ntohs(iph->tot_len) - sizeof(struct min_ipenc_hdr))); 
+     ip_send_check(iph);
+Index: aodv-uu-0.9.3/lnx/kaodv-ipenc.h
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-ipenc.h       2007-06-17 02:44:13.881835120 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-ipenc.h    2007-06-17 02:44:16.549429584 +0200
+@@ -27,6 +27,7 @@
+ #include <linux/ip.h>
+ #include <linux/skbuff.h>
+ #include <asm/byteorder.h>
++#include "kaodv-compat.h"
+ #define IPPROTO_MIPE 55
+Index: aodv-uu-0.9.3/lnx/kaodv-mod.c
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-mod.c 2007-06-17 02:43:33.776931992 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-mod.c      2007-06-17 02:43:39.008136728 +0200
+@@ -120,7 +120,7 @@
+                              const struct net_device *out,
+                              int (*okfn) (struct sk_buff *))
+ {
+-      struct iphdr *iph = (*skb)->nh.iph;
++      struct iphdr *iph = ip_hdr(*skb);
+       struct expl_entry e;
+       struct in_addr ifaddr, bcaddr;
+       int res = 0;
+@@ -188,7 +188,7 @@
+               if (is_gateway && iph->protocol == IPPROTO_MIPE &&
+                   iph->daddr == ifaddr.s_addr) {
+                       ip_pkt_decapsulate(*skb);
+-                      iph = (*skb)->nh.iph;
++                      iph = ip_hdr(*skb);
+                       return NF_ACCEPT;
+               }
+               /* Ignore packets generated locally or that are for this
+Index: aodv-uu-0.9.3/lnx/kaodv-mod.h
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-mod.h 2007-06-17 02:44:32.498005032 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-mod.h      2007-06-17 02:44:34.662675952 +0200
+@@ -5,6 +5,7 @@
+ #include <linux/inetdevice.h>
+ #include <linux/list.h>
+ #include <linux/spinlock.h>
++#include "kaodv-compat.h"
+ /* Interface information */
+ struct if_info {
+Index: aodv-uu-0.9.3/lnx/kaodv-queue.c
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-queue.c       2007-06-17 02:45:01.513593992 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-queue.c    2007-06-17 02:45:11.534070648 +0200
+@@ -152,7 +152,7 @@
+ {
+       int status = -EINVAL;
+       struct kaodv_queue_entry *entry;
+-      struct iphdr *iph = skb->nh.iph;
++      struct iphdr *iph = ip_hdr(skb);
+       entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
+Index: aodv-uu-0.9.3/lnx/kaodv-queue.h
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-queue.h       2007-06-17 02:44:50.537262648 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-queue.h    2007-06-17 02:44:53.629792512 +0200
+@@ -21,6 +21,7 @@
+  *****************************************************************************/
+ #ifndef _KAODV_QUEUE_H
+ #define _KAODV_QUEUE_H
++#include "kaodv-compat.h"
+ #define KAODV_QUEUE_DROP 1
+ #define KAODV_QUEUE_SEND 2
+Index: aodv-uu-0.9.3/lnx/kaodv-netlink.c
+===================================================================
+--- aodv-uu-0.9.3.orig/lnx/kaodv-netlink.c     2007-06-17 02:47:48.927143264 +0200
++++ aodv-uu-0.9.3/lnx/kaodv-netlink.c  2007-06-17 02:49:11.604574384 +0200
+@@ -338,8 +338,10 @@
+       netlink_register_notifier(&kaodv_nl_notifier);
+ #if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,14))
+       kaodvnl = netlink_kernel_create(NETLINK_AODV, kaodv_netlink_rcv_sk);
+-#else
++#elif (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,22))
+       kaodvnl = netlink_kernel_create(NETLINK_AODV, AODVGRP_MAX, kaodv_netlink_rcv_sk, THIS_MODULE);
++#else
++      kaodvnl = netlink_kernel_create(NETLINK_AODV, AODVGRP_MAX, kaodv_netlink_rcv_sk, NULL, THIS_MODULE);
+ #endif
+       if (kaodvnl == NULL) {
+               printk(KERN_ERR "kaodv_netlink: failed to create netlink socket\n");
diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile
new file mode 100644 (file)
index 0000000..0f24ae1
--- /dev/null
@@ -0,0 +1,86 @@
+# 
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=ipsec-tools
+PKG_VERSION:=0.7
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=@SF/ipsec-tools
+PKG_MD5SUM:=c0a586924edde35264ecfe94ad1c261f
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/ipsec-tools
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=@LINUX_2_6 +libopenssl
+  TITLE:=IPsec management tools
+  URL:=http://ipsec-tools.sourceforge.net/
+endef
+
+CONFIGURE_ARGS += \
+       --enable-shared \
+       --enable-static \
+       --with-kernel-headers="$(LINUX_DIR)/include" \
+       --without-readline \
+       --with-openssl="$(STAGING_DIR)/usr" \
+       --without-libradius \
+       --without-libpam \
+       --enable-dpd \
+       --enable-hybrid \
+       --enable-security-context=no \
+       --enable-natt \
+       --enable-adminport \
+       --enable-ipv6
+
+define Build/Configure
+       (cd $(PKG_BUILD_DIR); touch \
+               configure.ac \
+               aclocal.m4 \
+               Makefile.in \
+               config.h.in \
+               configure \
+       );
+       $(call Build/Configure/Default)
+       echo "#undef HAVE_SHADOW_H" >> $(PKG_BUILD_DIR)/config.h
+endef
+
+# override CFLAGS holding "-Werror" that break builds on compile warnings
+define Build/Compile
+       $(MAKE) -C $(PKG_BUILD_DIR) \
+               DESTDIR="$(PKG_INSTALL_DIR)" \
+               CFLAGS="$(TARGET_CFLAGS)" \
+               all install
+endef
+
+define Package/ipsec-tools/install
+       $(INSTALL_DIR) $(1)/etc
+       $(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/racoon.conf $(1)/etc/
+       $(SED) 's|@sysconfdir_x@|/etc|g' $(1)/etc/racoon.conf
+       $(INSTALL_DIR) $(1)/etc/racoon
+       $(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/psk.txt $(1)/etc/racoon/
+       $(INSTALL_DIR) $(1)/usr/lib
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/
+       $(INSTALL_DIR) $(1)/usr/sbin
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/plainrsa-gen $(1)/usr/sbin/
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoon $(1)/usr/sbin/
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/racoonctl $(1)/usr/sbin/
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/setkey $(1)/usr/sbin/
+endef
+
+define Package/ipsec-tools/conffiles
+/etc/racoon.conf
+/etc/racoon/psk.txt
+endef
+
+$(eval $(call BuildPackage,ipsec-tools))
diff --git a/net/ipsec-tools/patches/001-no_libfl.patch b/net/ipsec-tools/patches/001-no_libfl.patch
new file mode 100644 (file)
index 0000000..8abc9a0
--- /dev/null
@@ -0,0 +1,26 @@
+Index: ipsec-tools-0.6.6/src/racoon/cftoken.l
+===================================================================
+--- ipsec-tools-0.6.6.orig/src/racoon/cftoken.l        2007-06-04 13:22:36.567296208 +0200
++++ ipsec-tools-0.6.6/src/racoon/cftoken.l     2007-06-04 13:22:36.646284200 +0200
+@@ -105,6 +105,8 @@
+ static int incstackp = 0;
+ static int yy_first_time = 1;
++
++int yywrap(void) { return 1; }
+ %}
+ /* common seciton */
+Index: ipsec-tools-0.6.6/src/setkey/token.l
+===================================================================
+--- ipsec-tools-0.6.6.orig/src/setkey/token.l  2007-06-04 13:22:36.575294992 +0200
++++ ipsec-tools-0.6.6/src/setkey/token.l       2007-06-04 13:22:36.646284200 +0200
+@@ -84,6 +84,8 @@
+ #ifndef SADB_X_EALG_AESCTR
+ #define SADB_X_EALG_AESCTR    (-1)
+ #endif
++
++int yywrap(void) { return 1; }
+ %}
+ /* common section */
diff --git a/net/ipsec-tools/patches/002-configure_cppflags_typo.patch b/net/ipsec-tools/patches/002-configure_cppflags_typo.patch
new file mode 100644 (file)
index 0000000..407c67e
--- /dev/null
@@ -0,0 +1,26 @@
+Index: ipsec-tools-0.6.6/configure.ac
+===================================================================
+--- ipsec-tools-0.6.6.orig/configure.ac        2007-06-04 13:22:36.540300312 +0200
++++ ipsec-tools-0.6.6/configure.ac     2007-06-04 13:22:36.841254560 +0200
+@@ -183,7 +183,7 @@
+ if test "x$crypto_dir" != "x"; then
+       LIBS="$LIBS -L${crypto_dir}/lib"
+-      CPPFLAGS="-I${crypto_dir}/include $CPPLAGS"
++      CPPFLAGS="-I${crypto_dir}/include $CPPFLAGS"
+ fi
+ AC_MSG_CHECKING(openssl version)
+Index: ipsec-tools-0.6.6/configure
+===================================================================
+--- ipsec-tools-0.6.6.orig/configure   2007-06-04 13:22:36.547299248 +0200
++++ ipsec-tools-0.6.6/configure        2007-06-04 13:22:36.850253192 +0200
+@@ -23687,7 +23687,7 @@
+ if test "x$crypto_dir" != "x"; then
+       LIBS="$LIBS -L${crypto_dir}/lib"
+-      CPPFLAGS="-I${crypto_dir}/include $CPPLAGS"
++      CPPFLAGS="-I${crypto_dir}/include $CPPFLAGS"
+ fi
+ echo "$as_me:$LINENO: checking openssl version" >&5
+ echo $ECHO_N "checking openssl version... $ECHO_C" >&6
diff --git a/net/ipsec-tools/patches/003-linux_2.6.19_rtnetlink_changes.diff b/net/ipsec-tools/patches/003-linux_2.6.19_rtnetlink_changes.diff
new file mode 100644 (file)
index 0000000..52d092e
--- /dev/null
@@ -0,0 +1,22 @@
+Index: ipsec-tools-0.6.6/src/racoon/grabmyaddr.c
+===================================================================
+--- ipsec-tools-0.6.6.orig/src/racoon/grabmyaddr.c     2007-06-04 13:22:36.521303200 +0200
++++ ipsec-tools-0.6.6/src/racoon/grabmyaddr.c  2007-06-04 13:22:37.064220664 +0200
+@@ -77,10 +77,17 @@
+ #ifdef __linux__
+ #include <linux/types.h>
+ #include <linux/rtnetlink.h>
++#include <linux/version.h>
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19)
++# include <linux/if_addr.h>
++#endif
+ #ifndef HAVE_GETIFADDRS
+ #define HAVE_GETIFADDRS
+ #define NEED_LINUX_GETIFADDRS
+ #endif
++#ifndef IFA_RTA
++# define IFA_RTA(r)  ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg))))
++#endif
+ #endif
+ #ifndef HAVE_GETIFADDRS
diff --git a/net/isakmpd/Makefile b/net/isakmpd/Makefile
new file mode 100644 (file)
index 0000000..4214fdb
--- /dev/null
@@ -0,0 +1,51 @@
+# 
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=isakmpd
+PKG_VERSION:=20041012
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).orig.tar.gz
+PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/i/isakmpd/
+PKG_MD5SUM:=e6d25a9e232fb186e1a48dc06453bd57
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION).orig
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+define Package/isakmpd
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=@LINUX_2_6 +libopenssl +keynote +libgmp
+  TITLE:=IPsec management tools
+  URL:=http://isakmpd.sourceforge.net/
+endef
+
+define Build/Compile
+       CFLAGS="$(TARGET_CFLAGS)" \
+       $(MAKE) -C $(PKG_BUILD_DIR) \
+               $(TARGET_CONFIGURE_OPTS) \
+               LINUX_DIR="$(LINUX_DIR)" \
+               EXTRA_CPPFLAGS="$(TARGET_CPPFLAGS) -I$(STAGING_DIR)/usr/include/openssl -I$(STAGING_DIR)/usr/include/keynote" \
+               EXTRA_LDFLAGS="$(TARGET_LDFLAGS)"
+
+       $(MAKE) -C $(PKG_BUILD_DIR) \
+               DESTDIR="$(PKG_INSTALL_DIR)" \
+               INSTALL="install -c" \
+               install-bin
+endef
+
+define Package/isakmpd/install
+       $(INSTALL_DIR) $(1)/usr/sbin
+       $(CP) $(PKG_INSTALL_DIR)/* $(1)/
+endef
+
+$(eval $(call BuildPackage,isakmpd))
diff --git a/net/isakmpd/patches/010-debian_3.patch b/net/isakmpd/patches/010-debian_3.patch
new file mode 100644 (file)
index 0000000..0f50cf9
--- /dev/null
@@ -0,0 +1,1753 @@
+Index: isakmpd-20041012.orig/dpd.c
+===================================================================
+--- isakmpd-20041012.orig.orig/dpd.c   2007-06-04 13:22:39.088912864 +0200
++++ isakmpd-20041012.orig/dpd.c        2007-06-04 13:22:39.282883376 +0200
+@@ -26,6 +26,7 @@
+ #include <sys/types.h>
+ #include <stdlib.h>
++#include <memory.h>
+ #include "sysdep.h"
+@@ -174,6 +175,7 @@
+               }
+               break;
+       default:
++      ;
+       }
+       /* Mark handled.  */
+@@ -223,6 +225,7 @@
+                   dpd_check_event, sa, &tv);
+               break;
+       default:
++      ;
+       }
+       if (!sa->dpd_event) 
+               log_print("dpd_timer_reset: timer_add_event failed");
+Index: isakmpd-20041012.orig/ipsec.c
+===================================================================
+--- isakmpd-20041012.orig.orig/ipsec.c 2007-06-04 13:22:39.093912104 +0200
++++ isakmpd-20041012.orig/ipsec.c      2007-06-04 13:22:39.283883224 +0200
+@@ -1020,6 +1020,52 @@
+       }
+ }
++/*
++ * deal with a NOTIFY of INVALID_SPI
++ */
++static void
++ipsec_invalid_spi (struct message *msg, struct payload *p)
++{
++  struct sockaddr *dst;
++  int invspisz, off;
++  u_int32_t spi;
++  u_int16_t totsiz;
++  u_int8_t spisz;
++
++  /* Any notification that make us do something should be protected */
++  if(!TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]))
++    {
++      LOG_DBG ((LOG_SA, 40,
++                     "ipsec_invalid_spi: missing HASH payload in INVALID_SPI"
++                     " notification"));
++      return;
++    }
++
++  /*
++   * get the invalid spi out of the variable sized notification data
++   * field, which is after the variable sized SPI field [which specifies
++   * the receiving entity's phase-1 SPI, not the invalid spi]
++   */
++  totsiz = GET_ISAKMP_GEN_LENGTH (p->p);
++  spisz = GET_ISAKMP_NOTIFY_SPI_SZ (p->p);
++  off = ISAKMP_NOTIFY_SPI_OFF + spisz;
++  invspisz = totsiz - off;
++
++  if (invspisz != sizeof spi)
++    {
++      LOG_DBG ((LOG_SA, 40,
++             "ipsec_invalid_spi: SPI size %d in INVALID_SPI "
++             "payload unsupported", spisz));
++       return;
++    }
++  memcpy (&spi, p->p + off, sizeof spi);
++
++  msg->transport->vtbl->get_dst (msg->transport, &dst);
++
++  /* delete matching SPI's from this peer */
++  ipsec_delete_spi_list (dst, 0, (u_int8_t *)&spi, 1, "INVALID_SPI");
++}
++
+ static int
+ ipsec_responder(struct message *msg)
+ {
+@@ -1205,7 +1251,9 @@
+                       return dv != IPSEC_ENCAP_TUNNEL
+                           && dv != IPSEC_ENCAP_TRANSPORT
+                           && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL
+-                          && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT;
++                          && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT
++                          && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT
++                          && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT;
+ #else
+                       return dv < IPSEC_ENCAP_TUNNEL
+                           || dv > IPSEC_ENCAP_TRANSPORT;
+@@ -1837,7 +1885,7 @@
+ ipsec_get_id(char *section, int *id, struct sockaddr **addr,
+     struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port)
+ {
+-      char    *type, *address, *netmask;
++    char      *type, *address, *netmask;
+       type = conf_get_str(section, "ID-type");
+       if (!type) {
+Index: isakmpd-20041012.orig/GNUmakefile
+===================================================================
+--- isakmpd-20041012.orig.orig/GNUmakefile     2007-06-04 13:22:39.099911192 +0200
++++ isakmpd-20041012.orig/GNUmakefile  2007-06-04 13:22:39.283883224 +0200
+@@ -40,12 +40,12 @@
+ # integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec.
+ # darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5
+ # and later with native IPSec support.
+-OS=           openbsd
++#OS=          openbsd
+ #OS=          netbsd
+ #OS=          freebsd
+ #OS=          freeswan
+ #OS=          darwin
+-#OS=          linux
++OS=           linux
+ .CURDIR:=     $(shell pwd)
+ VPATH=                ${.CURDIR}/sysdep/${OS}
+@@ -55,9 +55,10 @@
+ ifndef BINDIR
+ BINDIR=               /sbin
+ endif
+-ifndef LDSTATIC
+-LDSTATIC=     -static
+-endif
++
++#ifndef LDSTATIC
++#LDSTATIC=    -static
++#endif
+ SRCS=         app.c attribute.c cert.c connection.c \
+               constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \
+@@ -131,11 +132,14 @@
+ ifneq ($(findstring install,$(MAKECMDGOALS)),install)
+ # Skip 'regress' until the regress/ structure has gmake makefiles for it.
+ #SUBDIR:=     regress
+-SUBDIR:=
++#SUBDIR:=     apps/certpatch
+ mksubdirs:
+       $(foreach DIR, ${SUBDIR}, \
+-              cd ${DIR}; ${MAKE} ${MAKEFLAGS} CFLAGS="${CFLAGS}" \
+-                      MKDEP="${MKDEP}" ${MAKECMDGOALS})
++              cd ${.CURDIR}/${DIR}; ${MAKE} ${MAKECMDGOALS};)
++              
++#     $(foreach DIR, ${SUBDIR}, \
++#             cd ${DIR}; ${MAKE} CFLAGS="${CFLAGS}" \
++#                     MKDEP="${MKDEP}" ${MAKECMDGOALS})
+ else
+ mksubdirs:
+ endif
+@@ -173,7 +177,7 @@
+ endif
+ SRCS+=                ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \
+-              $(ISAKMP_CFG)
++                      $(ISAKMP_CFG) ${DPD} ${NAT_TRAVERSAL}
+ CFLAGS+=      ${IPSEC_CFLAGS}
+ LDADD+=               ${DESLIB}
+ DPADD+=               ${DESLIBDEP}
+Index: isakmpd-20041012.orig/exchange.h
+===================================================================
+--- isakmpd-20041012.orig.orig/exchange.h      2007-06-04 13:22:39.104910432 +0200
++++ isakmpd-20041012.orig/exchange.h   2007-06-04 13:22:39.283883224 +0200
+@@ -221,6 +221,8 @@
+ #define EXCHANGE_FLAG_NAT_T_ENABLE    0x10    /* We are doing NAT-T.  */
+ #define EXCHANGE_FLAG_NAT_T_KEEPALIVE 0x20    /* We are the NAT:ed peer.  */
+ #define EXCHANGE_FLAG_DPD_CAP_PEER    0x40    /* Peer is DPD capable.  */
++#define EXCHANGE_FLAG_NAT_T_RFC               0x0080  /* Peer does RFC NAT-T. */
++#define EXCHANGE_FLAG_NAT_T_DRAFT     0x0100  /* Peer does draft NAT-T.*/
+ extern int      exchange_add_certs(struct message *);
+ extern void     exchange_finalize(struct message *);
+Index: isakmpd-20041012.orig/log.c
+===================================================================
+--- isakmpd-20041012.orig.orig/log.c   2007-06-04 13:22:39.110909520 +0200
++++ isakmpd-20041012.orig/log.c        2007-06-04 13:22:39.284883072 +0200
+@@ -79,7 +79,6 @@
+ struct packhdr {
+       struct pcap_pkthdr pcap;/* pcap file packet header */
+-      u_int32_t sa_family;    /* address family */
+       union {
+               struct ip       ip4;    /* IPv4 header (w/o options) */
+               struct ip6_hdr  ip6;    /* IPv6 header */
+@@ -97,7 +96,7 @@
+ static u_int8_t *packet_buf = NULL;
+ static int      udp_cksum(struct packhdr *, const struct udphdr *,
+-    u_int16_t *);
++    u_int16_t *, int);
+ static u_int16_t in_cksum(const u_int16_t *, int);
+ #endif                                /* USE_DEBUG */
+@@ -539,11 +538,9 @@
+       udp.uh_ulen = htons(datalen);
+       /* ip */
+-      hdr.sa_family = htonl(src->sa_family);
+       switch (src->sa_family) {
+       default:
+               /* Assume IPv4. XXX Can 'default' ever happen here?  */
+-              hdr.sa_family = htonl(AF_INET);
+               hdr.ip.ip4.ip_src.s_addr = 0x02020202;
+               hdr.ip.ip4.ip_dst.s_addr = 0x01010101;
+               /* The rest of the setup is common to AF_INET.  */
+@@ -584,9 +581,7 @@
+       }
+       /* Calculate UDP checksum.  */
+-      udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf);
+-      hdrlen += sizeof hdr.sa_family;
+-
++      udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, src->sa_family);
+       /* pcap file packet header */
+       gettimeofday(&tv, 0);
+       hdr.pcap.ts.tv_sec = tv.tv_sec;
+@@ -610,7 +605,7 @@
+ /* Copied from tcpdump/print-udp.c, mostly rewritten.  */
+ static int
+-udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
++udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d, int af)
+ {
+       struct ip       *ip4;
+       struct ip6_hdr  *ip6;
+@@ -639,7 +634,7 @@
+       /* Setup pseudoheader.  */
+       memset(phu.pa, 0, sizeof phu);
+-      switch (ntohl(hdr->sa_family)) {
++      switch (af) {
+       case AF_INET:
+               ip4 = &hdr->ip.ip4;
+               memcpy(&phu.ip4p.src, &ip4->ip_src, sizeof(struct in_addr));
+@@ -664,7 +659,7 @@
+       /* IPv6 wants a 0xFFFF checksum "on error", not 0x0.  */
+       if (tlen < 0)
+-              return (ntohl(hdr->sa_family) == AF_INET ? 0 : 0xFFFF);
++              return (af == AF_INET ? 0 : 0xFFFF);
+       sum = 0;
+       for (i = 0; i < hdrlen; i += 2)
+Index: isakmpd-20041012.orig/nat_traversal.c
+===================================================================
+--- isakmpd-20041012.orig.orig/nat_traversal.c 2007-06-04 13:22:39.115908760 +0200
++++ isakmpd-20041012.orig/nat_traversal.c      2007-06-04 13:22:39.284883072 +0200
+@@ -1,4 +1,4 @@
+-/*    $OpenBSD: nat_traversal.c,v 1.7 2004/08/08 19:11:06 deraadt Exp $       */
++/*    $OpenBSD: nat_traversal.c,v 1.17 2006/06/14 14:03:33 hshoexer Exp $     */
+ /*
+  * Copyright (c) 2004 Håkan Olsson.  All rights reserved.
+@@ -48,40 +48,40 @@
+ #include "util.h"
+ #include "virtual.h"
++int   disable_nat_t = 0;
++
+ /*
+- * XXX According to draft-ietf-ipsec-nat-t-ike-07.txt, the NAT-T
+- * capability of the other peer is determined by a particular vendor ID
+- * sent as the first message. This vendor ID string is supposed to be a
+- * MD5 hash of "RFC XXXX", where XXXX is the future RFC number.
++ * NAT-T capability of the other peer is determined by a particular vendor
++ * ID sent in the first message. This vendor ID string is supposed to be a
++ * MD5 hash of "RFC 3947".
+  *
+  * These seem to be the "well" known variants of this string in use by
+  * products today.
+  */
+-static const char *isakmp_nat_t_cap_text[] = {
+-      "draft-ietf-ipsec-nat-t-ike-00",        /* V1 (XXX: may be obsolete) */
+-      "draft-ietf-ipsec-nat-t-ike-02\n",      /* V2 */
+-      "draft-ietf-ipsec-nat-t-ike-03",        /* V3 */
+-#ifdef notyet
+-      "RFC XXXX",
+-#endif
++
++static struct nat_t_cap isakmp_nat_t_cap[] = {
++      { VID_DRAFT_V2_N, EXCHANGE_FLAG_NAT_T_DRAFT,
++        "draft-ietf-ipsec-nat-t-ike-02\n", NULL, 0 },
++      { VID_DRAFT_V3, EXCHANGE_FLAG_NAT_T_DRAFT,
++        "draft-ietf-ipsec-nat-t-ike-03", NULL, 0 },
++      { VID_RFC3947, EXCHANGE_FLAG_NAT_T_RFC,
++        "RFC 3947", NULL, 0 },
+ };
++#define NUMNATTCAP    (sizeof isakmp_nat_t_cap / sizeof isakmp_nat_t_cap[0])
++
+ /* In seconds. Recommended in draft-ietf-ipsec-udp-encaps-09.  */
+ #define NAT_T_KEEPALIVE_INTERVAL      20
+-/* The MD5 hashes of the above strings is put in this array.  */
+-static char   **nat_t_hashes;
+-static size_t   nat_t_hashsize;
+-
+ static int    nat_t_setup_hashes(void);
+-static int    nat_t_add_vendor_payload(struct message *, char *);
++static int    nat_t_add_vendor_payload(struct message *, struct nat_t_cap *);
+ static int    nat_t_add_nat_d(struct message *, struct sockaddr *);
+ static int    nat_t_match_nat_d_payload(struct message *, struct sockaddr *);
+ void
+ nat_t_init(void)
+ {
+-      nat_t_hashes = (char **)NULL;
++      nat_t_setup_hashes();
+ }
+ /* Generate the NAT-T capability marker hashes. Executed only once.  */
+@@ -89,7 +89,7 @@
+ nat_t_setup_hashes(void)
+ {
+       struct hash *hash;
+-      int n = sizeof isakmp_nat_t_cap_text / sizeof isakmp_nat_t_cap_text[0];
++      int n = NUMNATTCAP;
+       int i;
+       /* The draft says to use MD5.  */
+@@ -100,56 +100,49 @@
+                   "could not find MD5 hash structure!");
+               return -1;
+       }
+-      nat_t_hashsize = hash->hashsize;
+-      /* Allocate one more than is necessary, i.e NULL terminated.  */
+-      nat_t_hashes = (char **)calloc((size_t)(n + 1), sizeof(char *));
+-      if (!nat_t_hashes) {
+-              log_error("nat_t_setup_hashes: calloc (%lu,%lu) failed",
+-                  (unsigned long)n, (unsigned long)sizeof(char *));
+-              return -1;
+-      }
+-
+-      /* Populate with hashes.  */
++      /* Populate isakmp_nat_t_cap with hashes.  */
+       for (i = 0; i < n; i++) {
+-              nat_t_hashes[i] = (char *)malloc(nat_t_hashsize);
+-              if (!nat_t_hashes[i]) {
++              isakmp_nat_t_cap[i].hashsize = hash->hashsize;
++              isakmp_nat_t_cap[i].hash = (char *)malloc(hash->hashsize);
++              if (!isakmp_nat_t_cap[i].hash) {
+                       log_error("nat_t_setup_hashes: malloc (%lu) failed",
+-                          (unsigned long)nat_t_hashsize);
++                          (unsigned long)hash->hashsize);
+                       goto errout;
+               }
+               hash->Init(hash->ctx);
+               hash->Update(hash->ctx,
+-                  (unsigned char *)isakmp_nat_t_cap_text[i],
+-                  strlen(isakmp_nat_t_cap_text[i]));
+-              hash->Final(nat_t_hashes[i], hash->ctx);
++                  (unsigned char *)isakmp_nat_t_cap[i].text,
++                  strlen(isakmp_nat_t_cap[i].text));
++              hash->Final(isakmp_nat_t_cap[i].hash, hash->ctx);
+               LOG_DBG((LOG_EXCHANGE, 50, "nat_t_setup_hashes: "
+-                  "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap_text[i],
+-                  (unsigned long)nat_t_hashsize));
++                  "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap[i].text,
++                  (unsigned long)hash->hashsize));
+               LOG_DBG_BUF((LOG_EXCHANGE, 50, "nat_t_setup_hashes",
+-                  nat_t_hashes[i], nat_t_hashsize));
++                  isakmp_nat_t_cap[i].hash, hash->hashsize));
+       }
+       return 0;
+-  errout:
++errout:
+       for (i = 0; i < n; i++)
+-              if (nat_t_hashes[i])
+-                      free(nat_t_hashes[i]);
+-      free(nat_t_hashes);
+-      nat_t_hashes = NULL;
++              if (isakmp_nat_t_cap[i].hash)
++                      free(isakmp_nat_t_cap[i].hash);
+       return -1;
+ }
+ /* Add one NAT-T VENDOR payload.  */
+ static int
+-nat_t_add_vendor_payload(struct message *msg, char *hash)
++nat_t_add_vendor_payload(struct message *msg, struct nat_t_cap *cap)
+ {
+-      size_t   buflen = nat_t_hashsize + ISAKMP_GEN_SZ;
++      size_t    buflen = cap->hashsize + ISAKMP_GEN_SZ;
+       u_int8_t *buf;
++      if (disable_nat_t)
++              return 0;
++
+       buf = malloc(buflen);
+       if (!buf) {
+               log_error("nat_t_add_vendor_payload: malloc (%lu) failed",
+@@ -158,12 +151,11 @@
+       }
+       SET_ISAKMP_GEN_LENGTH(buf, buflen);
+-      memcpy(buf + ISAKMP_VENDOR_ID_OFF, hash, nat_t_hashsize);
++      memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize);
+       if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) {
+               free(buf);
+               return -1;
+       }
+-
+       return 0;
+ }
+@@ -171,16 +163,14 @@
+ int
+ nat_t_add_vendor_payloads(struct message *msg)
+ {
+-      int i = 0;
++      int i;
+-      if (!nat_t_hashes)
+-              if (nat_t_setup_hashes())
+-                      return 0;  /* XXX should this be an error?  */
++      if (disable_nat_t)
++              return 0;
+-      while (nat_t_hashes[i])
+-              if (nat_t_add_vendor_payload(msg, nat_t_hashes[i++]))
++      for (i = 0; i < NUMNATTCAP; i++)
++              if (nat_t_add_vendor_payload(msg, &isakmp_nat_t_cap[i]))
+                       return -1;
+-
+       return 0;
+ }
+@@ -192,36 +182,31 @@
+ {
+       u_int8_t *pbuf = p->p;
+       size_t    vlen;
+-      int       i = 0;
++      int       i;
+-      /* Already checked? */
+-      if (p->flags & PL_MARK ||
+-          msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
++      if (disable_nat_t)
+               return;
+-      if (!nat_t_hashes)
+-              if (nat_t_setup_hashes())
+-                      return;
+-
+       vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ;
+-      if (vlen != nat_t_hashsize) {
+-              LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
+-                  "bad size %lu != %lu", (unsigned long)vlen,
+-                  (unsigned long)nat_t_hashsize));
+-              return;
+-      }
+-      while (nat_t_hashes[i])
+-              if (memcmp(nat_t_hashes[i++], pbuf + ISAKMP_GEN_SZ,
++      for (i = 0; i < NUMNATTCAP; i++) {
++              if (vlen != isakmp_nat_t_cap[i].hashsize) {
++                      LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
++                          "bad size %lu != %lu", (unsigned long)vlen,
++                          (unsigned long)isakmp_nat_t_cap[i].hashsize));
++                      continue;
++              }
++              if (memcmp(isakmp_nat_t_cap[i].hash, pbuf + ISAKMP_GEN_SZ,
+                   vlen) == 0) {
+                       /* This peer is NAT-T capable.  */
+                       msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER;
++                      msg->exchange->flags |= isakmp_nat_t_cap[i].flags;
+                       LOG_DBG((LOG_EXCHANGE, 10,
+                           "nat_t_check_vendor_payload: "
+                           "NAT-T capable peer detected"));
+                       p->flags |= PL_MARK;
+-                      return;
+               }
++      }
+       return;
+ }
+@@ -233,10 +218,8 @@
+ {
+       struct ipsec_exch *ie = (struct ipsec_exch *)msg->exchange->data;
+       struct hash      *hash;
+-      struct prf       *prf;
+       u_int8_t         *res;
+       in_port_t         port;
+-      int               prf_type = PRF_HMAC; /* XXX */
+       hash = hash_get(ie->hash->type);
+       if (hash == NULL) {
+@@ -244,31 +227,25 @@
+               return NULL;
+       }
+-      prf = prf_alloc(prf_type, hash->type, msg->exchange->cookies,
+-          ISAKMP_HDR_COOKIES_LEN);
+-      if(!prf) {
+-              log_print("nat_t_generate_nat_d_hash: prf_alloc failed");
+-              return NULL;
+-      }
++      *hashlen = hash->hashsize;
+-      *hashlen = prf->blocksize;
+       res = (u_int8_t *)malloc((unsigned long)*hashlen);
+       if (!res) {
+               log_print("nat_t_generate_nat_d_hash: malloc (%lu) failed",
+                   (unsigned long)*hashlen);
+-              prf_free(prf);
+               *hashlen = 0;
+               return NULL;
+       }
+       port = sockaddr_port(sa);
+-      memset(res, 0, *hashlen);
+-
+-      prf->Update(prf->prfctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
+-      prf->Update(prf->prfctx, (unsigned char *)&port, sizeof port);
+-      prf->Final(res, prf->prfctx);
+-      prf_free (prf);
++      bzero(res, *hashlen);
++      hash->Init(hash->ctx);
++      hash->Update(hash->ctx, msg->exchange->cookies,
++          sizeof msg->exchange->cookies);
++      hash->Update(hash->ctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
++      hash->Update(hash->ctx, (unsigned char *)&port, sizeof port);
++      hash->Final(res, hash->ctx);
+       return res;
+ }
+@@ -276,6 +253,7 @@
+ static int
+ nat_t_add_nat_d(struct message *msg, struct sockaddr *sa)
+ {
++      int       ret;
+       u_int8_t *hbuf, *buf;
+       size_t    hbuflen, buflen;
+@@ -298,11 +276,19 @@
+       memcpy(buf + ISAKMP_NAT_D_DATA_OFF, hbuf, hbuflen);
+       free(hbuf);
+-      if (message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf, buflen, 1)) {
++      if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_RFC)
++              ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf,
++                  buflen, 1);
++      else if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT)
++              ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT,
++                  buf, buflen, 1);
++      else
++              ret = -1;
++              
++      if (ret) {
+               free(buf);
+               return -1;
+       }
+-
+       return 0;
+ }
+@@ -312,14 +298,14 @@
+ {
+       struct sockaddr *sa;
+-      msg->transport->vtbl->get_src(msg->transport, &sa);
++      /* Remote address first. */
++      msg->transport->vtbl->get_dst(msg->transport, &sa);
+       if (nat_t_add_nat_d(msg, sa))
+               return -1;
+-      msg->transport->vtbl->get_dst(msg->transport, &sa);
++      msg->transport->vtbl->get_src(msg->transport, &sa);
+       if (nat_t_add_nat_d(msg, sa))
+               return -1;
+-
+       return 0;
+ }
+@@ -336,8 +322,8 @@
+        * If there are no NAT-D payloads in the message, return "found"
+        * as this will avoid NAT-T (see nat_t_exchange_check_nat_d()).
+        */
+-      p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D);
+-      if (!p)
++      if ((p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT)) == NULL &&
++          (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D)) == NULL)
+               return 1;
+       hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen);
+Index: isakmpd-20041012.orig/udp_encap.c
+===================================================================
+--- isakmpd-20041012.orig.orig/udp_encap.c     2007-06-04 13:22:39.121907848 +0200
++++ isakmpd-20041012.orig/udp_encap.c  2007-06-04 13:22:39.284883072 +0200
+@@ -61,6 +61,11 @@
+ #define UDP_SIZE 65536
++#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
++#include <linux/socket.h>
++#include <linux/udp.h>
++#endif
++
+ /* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do.  */
+ #ifndef SO_REUSEPORT
+ #define SO_REUSEPORT SO_REUSEADDR
+@@ -134,6 +139,18 @@
+       if (sysdep_cleartext(s, laddr->sa_family) == -1)
+               goto err;
++#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
++    {
++#ifndef SOL_UDP
++#define SOL_UDP 17
++#endif
++        int option = UDP_ENCAP_ESPINUDP;
++        if(setsockopt(s, SOL_UDP, UDP_ENCAP, &option,
++                      sizeof (option)) < 0)
++            goto err;
++    }
++#endif
++
+       /* Wildcard address ?  */
+       switch (laddr->sa_family) {
+       case AF_INET:
+Index: isakmpd-20041012.orig/apps/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/apps/Makefile   2007-06-04 13:22:39.126907088 +0200
++++ isakmpd-20041012.orig/apps/Makefile        2007-06-04 13:22:39.285882920 +0200
+@@ -31,4 +31,4 @@
+ SUBDIR= certpatch
+-.include <bsd.subdir.mk>
++#.include <bsd.subdir.mk>
+Index: isakmpd-20041012.orig/apps/certpatch/GNUmakefile
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ isakmpd-20041012.orig/apps/certpatch/GNUmakefile   2007-06-04 13:22:39.285882920 +0200
+@@ -0,0 +1,55 @@
++#     $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
++#     $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
++
++#
++# Copyright (c) 1999 Niels Provos.  All rights reserved.
++# Copyright (c) 2001 Niklas Hallqvist.  All rights reserved.
++#
++# Redistribution and use in source and binary forms, with or without
++# modification, are permitted provided that the following conditions
++# are met:
++# 1. Redistributions of source code must retain the above copyright
++#    notice, this list of conditions and the following disclaimer.
++# 2. Redistributions in binary form must reproduce the above copyright
++#    notice, this list of conditions and the following disclaimer in the
++#    documentation and/or other materials provided with the distribution.
++#
++# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++#
++
++#
++# This code was written under funding by Ericsson Radio Systems.
++#
++
++PROG=         certpatch
++SRCS=         certpatch.c
++BINDIR?=      /usr/sbin
++TOPSRC=               ${.CURDIR}../..
++TOPOBJ!=      cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
++OS=                   linux
++FEATURES!=    awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
++.PATH:                ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
++CFLAGS+=      -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
++LDFLAGS+=     -lcrypto -lssl -lgmp
++MAN=          certpatch.8
++
++CFLAGS+=      -DMP_FLAVOUR=MP_FLAVOUR_GMP
++LDADD+=               -lgmp
++DPADD+=               ${LIBGMP}
++
++# Override LIBSYSDEPDIR definition from Makefile.sysdep
++LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep
++
++all:  ${PROG}
++
++clean:        
++      rm -f ${PROG}
+Index: isakmpd-20041012.orig/pf_key_v2.c
+===================================================================
+--- isakmpd-20041012.orig.orig/pf_key_v2.c     2007-06-04 13:22:39.137905416 +0200
++++ isakmpd-20041012.orig/pf_key_v2.c  2007-06-04 13:22:39.287882616 +0200
+@@ -1055,6 +1055,10 @@
+ #endif
+ #if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
+       struct sadb_x_udpencap udpencap;
++#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
++      struct sadb_x_nat_t_type nat_t_type;
++      struct sadb_x_nat_t_port nat_t_sport;
++      struct sadb_x_nat_t_port nat_t_dport;
+ #endif
+ #ifdef USE_DEBUG
+       char           *addr_str;
+@@ -1273,10 +1277,15 @@
+               log_print("pf_key_v2_set_spi: invalid proto %d", proto->proto);
+               goto cleanup;
+       }
+-      if (incoming)
++      if (incoming) {
+               sa->transport->vtbl->get_src(sa->transport, &dst);
+-      else
++              sa->transport->vtbl->get_dst(sa->transport, &src);
++      }
++      else {
+               sa->transport->vtbl->get_dst(sa->transport, &dst);
++              sa->transport->vtbl->get_src(sa->transport, &src);
++      }
++
+ #ifdef KAME
+       msg.sadb_msg_seq = (incoming ?
+           pf_key_v2_seq_by_sa(proto->spi[incoming], sizeof ssa.sadb_sa_spi,
+@@ -1319,12 +1328,13 @@
+       ssa.sadb_sa_flags = 0;
+ #ifdef SADB_X_SAFLAGS_TUNNEL
+       if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ||
+-          iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
++          iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
++          iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
+               ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL;
+ #endif
+-#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
+       if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) {
++#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
+               memset(&udpencap, 0, sizeof udpencap);
+               ssa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
+               udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
+@@ -1334,8 +1344,40 @@
+               if (pf_key_v2_msg_add(update, (struct sadb_ext *)&udpencap, 0)
+                   == -1)
+                       goto cleanup;
+-      }
++#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
++#ifndef UDP_ENCAP_ESPINUDP
++#define UDP_ENCAP_ESPINUDP    2
++#endif
++              memset(&nat_t_type, 0, sizeof nat_t_type);
++              memset(&nat_t_sport, 0, sizeof nat_t_sport);
++              memset(&nat_t_dport, 0, sizeof nat_t_dport);
++
++              /* type = draft-udp-encap-06 */
++              nat_t_type.sadb_x_nat_t_type_len = sizeof nat_t_type / PF_KEY_V2_CHUNK;
++              nat_t_type.sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
++              nat_t_type.sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
++              if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_type, 0) == -1)
++                      goto cleanup;
++
++              /* source port */
++              nat_t_sport.sadb_x_nat_t_port_len = sizeof nat_t_sport / 
++                                                         PF_KEY_V2_CHUNK;
++              nat_t_sport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
++              nat_t_sport.sadb_x_nat_t_port_port = sockaddr_port(src);
++              if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_sport, 0) == -1)
++                      goto cleanup;
++
++              /* destination port */
++              nat_t_dport.sadb_x_nat_t_port_len = sizeof nat_t_dport / 
++                                                         PF_KEY_V2_CHUNK;
++              nat_t_dport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
++              nat_t_dport.sadb_x_nat_t_port_port = sockaddr_port(dst);
++              if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_dport, 0) == -1)
++                      goto cleanup;
++
++              /* original address (transport mode checksum missing info) goes here */
+ #endif
++    }
+       if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa, 0) == -1)
+               goto cleanup;
+@@ -1395,10 +1437,6 @@
+       /*
+        * Setup the ADDRESS extensions.
+          */
+-      if (incoming)
+-              sa->transport->vtbl->get_dst(sa->transport, &src);
+-      else
+-              sa->transport->vtbl->get_src(sa->transport, &src);
+       len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src));
+       addr = calloc(1, len);
+       if (!addr)
+@@ -2167,7 +2205,7 @@
+               pf_key_v2_msg_free(ret);
+       return -1;
+-#elif defined (SADB_X_SPDADD) && defined (SADB_X_SPDDELETE)
++#elif defined (SADB_X_SPDUPDATE) && defined (SADB_X_SPDDELETE)
+       struct sadb_msg msg;
+       struct sadb_x_policy *policy = 0;
+       struct sadb_x_ipsecrequest *ipsecrequest;
+@@ -2181,7 +2219,7 @@
+       struct sockaddr_in *ip4_sa;
+       struct sockaddr_in6 *ip6_sa;
+-      msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDADD;
++      msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDUPDATE;
+       msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
+       msg.sadb_msg_seq = 0;
+       flow = pf_key_v2_msg_new(&msg, 0);
+Index: isakmpd-20041012.orig/isakmp_num.cst
+===================================================================
+--- isakmpd-20041012.orig.orig/isakmp_num.cst  2007-06-04 13:22:39.143904504 +0200
++++ isakmpd-20041012.orig/isakmp_num.cst       2007-06-04 13:22:39.287882616 +0200
+@@ -57,15 +57,18 @@
+   KD                          17      # RFC 3547, Key Download
+   SEQ                         18      # RFC 3547, Sequence Number
+   POP                         19      # RFC 3547, Proof of possession
+-  RESERVED_MIN                        20
++  NAT_D                               20      # RFC 3947, NAT Discovery payload
++  NAT_OA                      21      # RFC 3947, NAT Original Address payload
++  RESERVED_MIN                        22
+   RESERVED_MAX                        127
+   PRIVATE_MIN                 128
+ # XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify
+ # XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC
+ # XXX 3547 as seen above.
+-  NAT_D                               130     # NAT Discovery payload
+-  NAT_OA                      131     # NAT Original Address payload
++  NAT_D_DRAFT                 130     # NAT Discovery payload
++  NAT_OA_DRAFT                        131     # NAT Original Address payload
+   PRIVATE_MAX                 255
++  MAX                         255
+ .
+ # ISAKMP exchange types.
+Index: isakmpd-20041012.orig/ipsec_num.cst
+===================================================================
+--- isakmpd-20041012.orig.orig/ipsec_num.cst   2007-06-04 13:22:39.149903592 +0200
++++ isakmpd-20041012.orig/ipsec_num.cst        2007-06-04 13:22:39.287882616 +0200
+@@ -62,10 +62,10 @@
+ IPSEC_ENCAP
+   TUNNEL                              1
+   TRANSPORT                           2
+-  FUTURE_UDP_ENCAP_TUNNEL             3       # XXX Not yet assigned
+-  FUTURE_UDP_ENCAP_TRANSPORT          4       # XXX Not yet assigned
+-  UDP_ENCAP_TUNNEL                    61443   # draft-ietf-ipsec-nat-t-ike
+-  UDP_ENCAP_TRANSPORT                 61443   # draft-ietf-ipsec-nat-t-ike
++  UDP_ENCAP_TUNNEL                    3
++  UDP_ENCAP_TRANSPORT                 4
++  UDP_ENCAP_TUNNEL_DRAFT              61443   # draft-ietf-ipsec-nat-t-ike
++  UDP_ENCAP_TRANSPORT_DRAFT           61443   # draft-ietf-ipsec-nat-t-ike
+ .
+ # IPSEC authentication algorithm.
+Index: isakmpd-20041012.orig/nat_traversal.h
+===================================================================
+--- isakmpd-20041012.orig.orig/nat_traversal.h 2007-06-04 13:22:39.154902832 +0200
++++ isakmpd-20041012.orig/nat_traversal.h      2007-06-04 13:22:39.287882616 +0200
+@@ -1,4 +1,4 @@
+-/*    $OpenBSD: nat_traversal.h,v 1.2 2004/06/21 23:27:10 ho Exp $    */
++/*    $OpenBSD: nat_traversal.h,v 1.4 2005/07/25 15:03:47 hshoexer Exp $      */
+ /*
+  * Copyright (c) 2004 Håkan Olsson.  All rights reserved.
+@@ -27,6 +27,24 @@
+ #ifndef _NAT_TRAVERSAL_H_
+ #define _NAT_TRAVERSAL_H_
++#define VID_DRAFT_V2  0
++#define VID_DRAFT_V2_N        1
++#define VID_DRAFT_V3  2
++#define VID_RFC3947   3
++
++struct nat_t_cap {
++      int              id;
++      u_int32_t        flags;
++      const char      *text;
++      char            *hash;
++      size_t           hashsize;
++};
++
++/*
++ * Set if -T is given on the command line to disable NAT-T support.
++ */
++extern int    disable_nat_t;
++
+ void  nat_t_init(void);
+ int   nat_t_add_vendor_payloads(struct message *);
+ void  nat_t_check_vendor_payload(struct message *, struct payload *);
+Index: isakmpd-20041012.orig/message.c
+===================================================================
+--- isakmpd-20041012.orig.orig/message.c       2007-06-04 13:22:39.160901920 +0200
++++ isakmpd-20041012.orig/message.c    2007-06-04 13:22:39.288882464 +0200
+@@ -112,6 +112,7 @@
+       message_validate_hash, message_validate_sig, message_validate_nonce,
+       message_validate_notify, message_validate_delete,
+       message_validate_vendor, message_validate_attribute,
++      message_validate_nat_d, message_validate_nat_oa,
+       message_validate_nat_d, message_validate_nat_oa
+ };
+@@ -120,7 +121,7 @@
+       isakmp_id_fld, isakmp_cert_fld, isakmp_certreq_fld, isakmp_hash_fld,
+       isakmp_sig_fld, isakmp_nonce_fld, isakmp_notify_fld, isakmp_delete_fld,
+       isakmp_vendor_fld, isakmp_attribute_fld, isakmp_nat_d_fld,
+-      isakmp_nat_oa_fld
++      isakmp_nat_oa_fld, isakmp_nat_d_fld, isakmp_nat_oa_fld
+ };
+ /*
+@@ -138,7 +139,8 @@
+       ISAKMP_PAYLOAD_SAK, ISAKMP_PAYLOAD_SAT, ISAKMP_PAYLOAD_KD,
+       ISAKMP_PAYLOAD_SEQ, ISAKMP_PAYLOAD_POP
+ #endif
+-      ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA
++      ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA, 
++      ISAKMP_PAYLOAD_NAT_D_DRAFT, ISAKMP_PAYLOAD_NAT_OA_DRAFT
+ };
+ static u_int8_t payload_map[256];
+@@ -347,8 +349,8 @@
+               }
+               /* Ignore most private payloads.  */
+               if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN &&
+-                  next != ISAKMP_PAYLOAD_NAT_D &&
+-                  next != ISAKMP_PAYLOAD_NAT_OA) {
++                  next != ISAKMP_PAYLOAD_NAT_D_DRAFT &&
++                  next != ISAKMP_PAYLOAD_NAT_OA_DRAFT) {
+                       LOG_DBG((LOG_MESSAGE, 30, "message_parse_payloads: "
+                           "private next payload type %s in payload of "
+                           "type %d ignored",
+@@ -460,8 +462,10 @@
+               return ISAKMP_ATTRIBUTE_SZ;
+ #if defined (USE_NAT_TRAVERSAL)
+       case ISAKMP_PAYLOAD_NAT_D:
++      case ISAKMP_PAYLOAD_NAT_D_DRAFT:
+               return ISAKMP_NAT_D_SZ;
+       case ISAKMP_PAYLOAD_NAT_OA:
++      case ISAKMP_PAYLOAD_NAT_OA_DRAFT:
+               return ISAKMP_NAT_OA_SZ;
+ #endif
+       /* Not yet supported and any other unknown payloads. */
+Index: isakmpd-20041012.orig/policy.c
+===================================================================
+--- isakmpd-20041012.orig.orig/policy.c        2007-06-04 13:22:39.165901160 +0200
++++ isakmpd-20041012.orig/policy.c     2007-06-04 13:22:39.289882312 +0200
+@@ -511,7 +511,10 @@
+                                                       break;
+                                               }
+ #if defined (USE_NAT_TRAVERSAL)
+-                                      else if (decode_16(value) == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
++                                      else if (decode_16(value) ==
++                                          IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
++                                          decode_16(value) ==
++                                          IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
+                                               switch (proto->proto) {
+                                               case IPSEC_PROTO_IPSEC_AH:
+                                                       ah_encapsulation = "udp-encap-tunnel";
+@@ -1932,7 +1935,7 @@
+ void
+ policy_init(void)
+ {
+-      char           *ptr, *policy_file;
++      char           *ptr, *policy_file, *use_keynote;
+       char          **asserts;
+       size_t          sz, len;
+       int             fd, i;
+@@ -1940,10 +1943,11 @@
+       LOG_DBG((LOG_POLICY, 30, "policy_init: initializing"));
+       /* Do we want to use the policy modules?  */
+-      if (ignore_policy ||
+-          strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
+-              return;
+-
++      use_keynote = conf_get_str("General", "Use-Keynote");
++      if (ignore_policy || 
++              (use_keynote && strncmp("yes", use_keynote, 3)))
++               return;
++ 
+       /* Get policy file from configuration.  */
+       policy_file = conf_get_str("General", "Policy-file");
+       if (!policy_file)
+Index: isakmpd-20041012.orig/ike_phase_1.c
+===================================================================
+--- isakmpd-20041012.orig.orig/ike_phase_1.c   2007-06-04 13:22:39.170900400 +0200
++++ isakmpd-20041012.orig/ike_phase_1.c        2007-06-04 13:22:39.290882160 +0200
+@@ -1040,9 +1040,9 @@
+               /* Compare expected/desired and received remote ID */
+               if (bcmp(rid, payload->p + ISAKMP_ID_DATA_OFF, sz)) {
+-                      free(rid);
+                       log_print("ike_phase_1_recv_ID: "
+-                          "received remote ID other than expected %s", p);
++                          "received remote ID other than expected %s - %s", p, payload->p);
++                      free(rid);
+                       return -1;
+               }
+               free(rid);
+Index: isakmpd-20041012.orig/x509.c
+===================================================================
+--- isakmpd-20041012.orig.orig/x509.c  2007-06-04 13:22:39.176899488 +0200
++++ isakmpd-20041012.orig/x509.c       2007-06-04 13:22:39.290882160 +0200
+@@ -910,7 +910,11 @@
+       X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
+ #if OPENSSL_VERSION_NUMBER >= 0x00907000L
+       /* XXX See comment in x509_read_crls_from_dir.  */
++#if OPENSSL_VERSION_NUMBER >= 0x00908000L
++      if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
++#else
+       if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
++#endif
+               X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
+               X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
+       }
+Index: isakmpd-20041012.orig/sysdep/linux/sysdep.c
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/linux/sysdep.c   2007-06-04 13:22:39.182898576 +0200
++++ isakmpd-20041012.orig/sysdep/linux/sysdep.c        2007-06-04 13:22:39.291882008 +0200
+@@ -169,22 +169,22 @@
+     return 0;
+   if (!(af == AF_INET || af == AF_INET6))
+-    {
++    { 
+       log_print ("sysdep_cleartext: unsupported protocol family %d", af);
+       return -1;
+     }
+   if (setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
+-                af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
+-                &pol_in, sizeof pol_in) < 0 ||
++          af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
++          &pol_in, sizeof pol_in) < 0 ||
+       setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
+-                af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
+-                &pol_out, sizeof pol_out) < 0)
+-    {
++          af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
++          &pol_out, sizeof pol_out) < 0)
++    { 
+       log_error ("sysdep_cleartext: "
+-               "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
+-               "failed", fd, af == AF_INET ? "" : "V6",
+-               af == AF_INET ? "" : "V6");
++         "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
++         "failed", fd, af == AF_INET ? "" : "V6",
++         af == AF_INET ? "" : "V6");
+       return -1;
+     }
+   return 0;
+Index: isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/linux/GNUmakefile.sysdep 2007-06-04 13:22:39.187897816 +0200
++++ isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep      2007-06-04 13:22:39.291882008 +0200
+@@ -33,13 +33,13 @@
+ LDADD+=               -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
+ DPADD+=               ${LIBGMP} ${LIBSYSDEP}
+-CFLAGS+=      -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
+-              -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP \
+-              -I/usr/src/linux/include -I${.CURDIR}/sysdep/common \
++CFLAGS+=      -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
++              -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \
++              -I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \
+               -I/usr/include/openssl
+ FEATURES=     debug tripledes blowfish cast ec aggressive x509 policy
+-FEATURES+=    des aes
++FEATURES+=    dpd nat_traversal isakmp_cfg des aes
+ IPSEC_SRCS=   pf_key_v2.c
+ IPSEC_CFLAGS= -DUSE_PF_KEY_V2
+@@ -51,7 +51,7 @@
+ # hack libsysdep.a dependenc
+ ${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
+       cd ${LIBSYSDEPDIR} && \
+-              ${MAKE} --no-print-directory ${MAKEFLAGS} \
++              ${MAKE} --no-print-directory \
+                       CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
+ ifeq ($(findstring clean,$(MAKECMDGOALS)),clean)
+Index: isakmpd-20041012.orig/sysdep/linux/include/bitstring.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ isakmpd-20041012.orig/sysdep/linux/include/bitstring.h     2007-06-04 13:22:39.291882008 +0200
+@@ -0,0 +1,132 @@
++/*    $OpenBSD: bitstring.h,v 1.4 2002/06/19 02:50:10 millert Exp $   */
++/*    $NetBSD: bitstring.h,v 1.5 1997/05/14 15:49:55 pk Exp $ */
++
++/*
++ * Copyright (c) 1989, 1993
++ *    The Regents of the University of California.  All rights reserved.
++ *
++ * This code is derived from software contributed to Berkeley by
++ * Paul Vixie.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ *    must display the following acknowledgement:
++ *    This product includes software developed by the University of
++ *    California, Berkeley and its contributors.
++ * 4. Neither the name of the University nor the names of its contributors
++ *    may be used to endorse or promote products derived from this software
++ *    without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ *    @(#)bitstring.h 8.1 (Berkeley) 7/19/93
++ */
++
++#ifndef _BITSTRING_H_
++#define       _BITSTRING_H_
++
++/* modified for SV/AT and bitstring bugfix by M.R.Murphy, 11oct91
++ * bitstr_size changed gratuitously, but shorter
++ * bit_alloc   spelling error fixed
++ * the following were efficient, but didn't work, they've been made to
++ * work, but are no longer as efficient :-)
++ * bit_nclear, bit_nset, bit_ffc, bit_ffs
++ */
++typedef       unsigned char bitstr_t;
++
++/* internal macros */
++                              /* byte of the bitstring bit is in */
++#define       _bit_byte(bit) \
++      ((bit) >> 3)
++
++                              /* mask for the bit within its byte */
++#define       _bit_mask(bit) \
++      (1 << ((bit)&0x7))
++
++/* external macros */
++                              /* bytes in a bitstring of nbits bits */
++#define       bitstr_size(nbits) \
++      (((nbits) + 7) >> 3)
++
++                              /* allocate a bitstring */
++#define       bit_alloc(nbits) \
++      (bitstr_t *)calloc((size_t)bitstr_size(nbits), sizeof(bitstr_t))
++
++                              /* allocate a bitstring on the stack */
++#define       bit_decl(name, nbits) \
++      ((name)[bitstr_size(nbits)])
++
++                              /* is bit N of bitstring name set? */
++#define       bit_test(name, bit) \
++      ((name)[_bit_byte(bit)] & _bit_mask(bit))
++
++                              /* set bit N of bitstring name */
++#define       bit_set(name, bit) \
++      ((name)[_bit_byte(bit)] |= _bit_mask(bit))
++
++                              /* clear bit N of bitstring name */
++#define       bit_clear(name, bit) \
++      ((name)[_bit_byte(bit)] &= ~_bit_mask(bit))
++
++                              /* clear bits start ... stop in bitstring */
++#define       bit_nclear(name, start, stop) do { \
++      register bitstr_t *_name = name; \
++      register int _start = start, _stop = stop; \
++      while (_start <= _stop) { \
++              bit_clear(_name, _start); \
++              _start++; \
++              } \
++} while(0)
++
++                              /* set bits start ... stop in bitstring */
++#define       bit_nset(name, start, stop) do { \
++      register bitstr_t *_name = name; \
++      register int _start = start, _stop = stop; \
++      while (_start <= _stop) { \
++              bit_set(_name, _start); \
++              _start++; \
++              } \
++} while(0)
++
++                              /* find first bit clear in name */
++#define       bit_ffc(name, nbits, value) do { \
++      register bitstr_t *_name = name; \
++      register int _bit, _nbits = nbits, _value = -1; \
++      for (_bit = 0; _bit < _nbits; ++_bit) \
++              if (!bit_test(_name, _bit)) { \
++                      _value = _bit; \
++                      break; \
++              } \
++      *(value) = _value; \
++} while(0)
++
++                              /* find first bit set in name */
++#define       bit_ffs(name, nbits, value) do { \
++      register bitstr_t *_name = name; \
++      register int _bit, _nbits = nbits, _value = -1; \
++      for (_bit = 0; _bit < _nbits; ++_bit) \
++              if (bit_test(_name, _bit)) { \
++                      _value = _bit; \
++                      break; \
++              } \
++      *(value) = _value; \
++} while(0)
++
++#endif /* !_BITSTRING_H_ */
+Index: isakmpd-20041012.orig/sysdep/linux/include/sys/queue.h
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ isakmpd-20041012.orig/sysdep/linux/include/sys/queue.h     2007-06-04 13:22:39.292881856 +0200
+@@ -0,0 +1,453 @@
++/*
++ * Copyright (c) 1991, 1993
++ *    The Regents of the University of California.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. All advertising materials mentioning features or use of this software
++ *    must display the following acknowledgement:
++ *    This product includes software developed by the University of
++ *    California, Berkeley and its contributors.
++ * 4. Neither the name of the University nor the names of its contributors
++ *    may be used to endorse or promote products derived from this software
++ *    without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ *
++ *    @(#)queue.h     8.5 (Berkeley) 8/20/94
++ * $FreeBSD: src/sys/sys/queue.h,v 1.45 2001/12/11 11:49:58 sheldonh Exp $
++ */
++
++#ifndef _SYS_QUEUE_H_
++#define       _SYS_QUEUE_H_
++
++//#include <machine/ansi.h>   /* for __offsetof */
++
++/*
++ * This file defines four types of data structures: singly-linked lists,
++ * singly-linked tail queues, lists and tail queues.
++ *
++ * A singly-linked list is headed by a single forward pointer. The elements
++ * are singly linked for minimum space and pointer manipulation overhead at
++ * the expense of O(n) removal for arbitrary elements. New elements can be
++ * added to the list after an existing element or at the head of the list.
++ * Elements being removed from the head of the list should use the explicit
++ * macro for this purpose for optimum efficiency. A singly-linked list may
++ * only be traversed in the forward direction.  Singly-linked lists are ideal
++ * for applications with large datasets and few or no removals or for
++ * implementing a LIFO queue.
++ *
++ * A singly-linked tail queue is headed by a pair of pointers, one to the
++ * head of the list and the other to the tail of the list. The elements are
++ * singly linked for minimum space and pointer manipulation overhead at the
++ * expense of O(n) removal for arbitrary elements. New elements can be added
++ * to the list after an existing element, at the head of the list, or at the
++ * end of the list. Elements being removed from the head of the tail queue
++ * should use the explicit macro for this purpose for optimum efficiency.
++ * A singly-linked tail queue may only be traversed in the forward direction.
++ * Singly-linked tail queues are ideal for applications with large datasets
++ * and few or no removals or for implementing a FIFO queue.
++ *
++ * A list is headed by a single forward pointer (or an array of forward
++ * pointers for a hash table header). The elements are doubly linked
++ * so that an arbitrary element can be removed without a need to
++ * traverse the list. New elements can be added to the list before
++ * or after an existing element or at the head of the list. A list
++ * may only be traversed in the forward direction.
++ *
++ * A tail queue is headed by a pair of pointers, one to the head of the
++ * list and the other to the tail of the list. The elements are doubly
++ * linked so that an arbitrary element can be removed without a need to
++ * traverse the list. New elements can be added to the list before or
++ * after an existing element, at the head of the list, or at the end of
++ * the list. A tail queue may be traversed in either direction.
++ *
++ * For details on the use of these macros, see the queue(3) manual page.
++ *
++ *
++ *                    SLIST   LIST    STAILQ  TAILQ
++ * _HEAD              +       +       +       +
++ * _HEAD_INITIALIZER  +       +       +       +
++ * _ENTRY             +       +       +       +
++ * _INIT              +       +       +       +
++ * _EMPTY             +       +       +       +
++ * _FIRST             +       +       +       +
++ * _NEXT              +       +       +       +
++ * _PREV              -       -       -       +
++ * _LAST              -       -       +       +
++ * _FOREACH           +       +       +       +
++ * _FOREACH_REVERSE   -       -       -       +
++ * _INSERT_HEAD               +       +       +       +
++ * _INSERT_BEFORE     -       +       -       +
++ * _INSERT_AFTER      +       +       +       +
++ * _INSERT_TAIL               -       -       +       +
++ * _REMOVE_HEAD               +       -       +       -
++ * _REMOVE            +       +       +       +
++ *
++ */
++
++/*
++ * Singly-linked List declarations.
++ */
++#define       SLIST_HEAD(name, type)                                          \
++struct name {                                                         \
++      struct type *slh_first; /* first element */                     \
++}
++
++#define       SLIST_HEAD_INITIALIZER(head)                                    \
++      { NULL }
++ 
++#define       SLIST_ENTRY(type)                                               \
++struct {                                                              \
++      struct type *sle_next;  /* next element */                      \
++}
++ 
++/*
++ * Singly-linked List functions.
++ */
++#define       SLIST_EMPTY(head)       ((head)->slh_first == NULL)
++
++#define       SLIST_FIRST(head)       ((head)->slh_first)
++
++#define       SLIST_FOREACH(var, head, field)                                 \
++      for ((var) = SLIST_FIRST((head));                               \
++          (var);                                                      \
++          (var) = SLIST_NEXT((var), field))
++
++#define       SLIST_INIT(head) do {                                           \
++      SLIST_FIRST((head)) = NULL;                                     \
++} while (0)
++
++#define       SLIST_INSERT_AFTER(slistelm, elm, field) do {                   \
++      SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field);       \
++      SLIST_NEXT((slistelm), field) = (elm);                          \
++} while (0)
++
++#define       SLIST_INSERT_HEAD(head, elm, field) do {                        \
++      SLIST_NEXT((elm), field) = SLIST_FIRST((head));                 \
++      SLIST_FIRST((head)) = (elm);                                    \
++} while (0)
++
++#define       SLIST_NEXT(elm, field)  ((elm)->field.sle_next)
++
++#define       SLIST_REMOVE(head, elm, type, field) do {                       \
++      if (SLIST_FIRST((head)) == (elm)) {                             \
++              SLIST_REMOVE_HEAD((head), field);                       \
++      }                                                               \
++      else {                                                          \
++              struct type *curelm = SLIST_FIRST((head));              \
++              while (SLIST_NEXT(curelm, field) != (elm))              \
++                      curelm = SLIST_NEXT(curelm, field);             \
++              SLIST_NEXT(curelm, field) =                             \
++                  SLIST_NEXT(SLIST_NEXT(curelm, field), field);       \
++      }                                                               \
++} while (0)
++
++#define       SLIST_REMOVE_HEAD(head, field) do {                             \
++      SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field);   \
++} while (0)
++
++/*
++ * Singly-linked Tail queue declarations.
++ */
++#define       STAILQ_HEAD(name, type)                                         \
++struct name {                                                         \
++      struct type *stqh_first;/* first element */                     \
++      struct type **stqh_last;/* addr of last next element */         \
++}
++
++#define       STAILQ_HEAD_INITIALIZER(head)                                   \
++      { NULL, &(head).stqh_first }
++
++#define       STAILQ_ENTRY(type)                                              \
++struct {                                                              \
++      struct type *stqe_next; /* next element */                      \
++}
++
++/*
++ * Singly-linked Tail queue functions.
++ */
++#define       STAILQ_EMPTY(head)      ((head)->stqh_first == NULL)
++
++#define       STAILQ_FIRST(head)      ((head)->stqh_first)
++
++#define       STAILQ_FOREACH(var, head, field)                                \
++      for((var) = STAILQ_FIRST((head));                               \
++         (var);                                                       \
++         (var) = STAILQ_NEXT((var), field))
++
++#define       STAILQ_INIT(head) do {                                          \
++      STAILQ_FIRST((head)) = NULL;                                    \
++      (head)->stqh_last = &STAILQ_FIRST((head));                      \
++} while (0)
++
++#define       STAILQ_INSERT_AFTER(head, tqelm, elm, field) do {               \
++      if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\
++              (head)->stqh_last = &STAILQ_NEXT((elm), field);         \
++      STAILQ_NEXT((tqelm), field) = (elm);                            \
++} while (0)
++
++#define       STAILQ_INSERT_HEAD(head, elm, field) do {                       \
++      if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL) \
++              (head)->stqh_last = &STAILQ_NEXT((elm), field);         \
++      STAILQ_FIRST((head)) = (elm);                                   \
++} while (0)
++
++#define       STAILQ_INSERT_TAIL(head, elm, field) do {                       \
++      STAILQ_NEXT((elm), field) = NULL;                               \
++      *(head)->stqh_last = (elm);                                     \
++      (head)->stqh_last = &STAILQ_NEXT((elm), field);                 \
++} while (0)
++
++#define       STAILQ_LAST(head, type, field)                                  \
++      (STAILQ_EMPTY(head) ?                                           \
++              NULL :                                                  \
++              ((struct type *)                                        \
++              ((char *)((head)->stqh_last) - __offsetof(struct type, field))))
++
++#define       STAILQ_NEXT(elm, field) ((elm)->field.stqe_next)
++
++#define       STAILQ_REMOVE(head, elm, type, field) do {                      \
++      if (STAILQ_FIRST((head)) == (elm)) {                            \
++              STAILQ_REMOVE_HEAD(head, field);                        \
++      }                                                               \
++      else {                                                          \
++              struct type *curelm = STAILQ_FIRST((head));             \
++              while (STAILQ_NEXT(curelm, field) != (elm))             \
++                      curelm = STAILQ_NEXT(curelm, field);            \
++              if ((STAILQ_NEXT(curelm, field) =                       \
++                   STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\
++                      (head)->stqh_last = &STAILQ_NEXT((curelm), field);\
++      }                                                               \
++} while (0)
++
++#define       STAILQ_REMOVE_HEAD(head, field) do {                            \
++      if ((STAILQ_FIRST((head)) =                                     \
++           STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL)         \
++              (head)->stqh_last = &STAILQ_FIRST((head));              \
++} while (0)
++
++#define       STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do {                 \
++      if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL) \
++              (head)->stqh_last = &STAILQ_FIRST((head));              \
++} while (0)
++
++/*
++ * List declarations.
++ */
++#define       LIST_HEAD(name, type)                                           \
++struct name {                                                         \
++      struct type *lh_first;  /* first element */                     \
++}
++
++#define       LIST_HEAD_INITIALIZER(head)                                     \
++      { NULL }
++
++#define       LIST_ENTRY(type)                                                \
++struct {                                                              \
++      struct type *le_next;   /* next element */                      \
++      struct type **le_prev;  /* address of previous next element */  \
++}
++
++/*
++ * List functions.
++ */
++
++#define       LIST_EMPTY(head)        ((head)->lh_first == NULL)
++
++#define       LIST_FIRST(head)        ((head)->lh_first)
++
++#define       LIST_FOREACH(var, head, field)                                  \
++      for ((var) = LIST_FIRST((head));                                \
++          (var);                                                      \
++          (var) = LIST_NEXT((var), field))
++
++#define       LIST_INIT(head) do {                                            \
++      LIST_FIRST((head)) = NULL;                                      \
++} while (0)
++
++#define       LIST_INSERT_AFTER(listelm, elm, field) do {                     \
++      if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\
++              LIST_NEXT((listelm), field)->field.le_prev =            \
++                  &LIST_NEXT((elm), field);                           \
++      LIST_NEXT((listelm), field) = (elm);                            \
++      (elm)->field.le_prev = &LIST_NEXT((listelm), field);            \
++} while (0)
++
++#define       LIST_INSERT_BEFORE(listelm, elm, field) do {                    \
++      (elm)->field.le_prev = (listelm)->field.le_prev;                \
++      LIST_NEXT((elm), field) = (listelm);                            \
++      *(listelm)->field.le_prev = (elm);                              \
++      (listelm)->field.le_prev = &LIST_NEXT((elm), field);            \
++} while (0)
++
++#define       LIST_INSERT_HEAD(head, elm, field) do {                         \
++      if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL)     \
++              LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\
++      LIST_FIRST((head)) = (elm);                                     \
++      (elm)->field.le_prev = &LIST_FIRST((head));                     \
++} while (0)
++
++#define       LIST_NEXT(elm, field)   ((elm)->field.le_next)
++
++#define       LIST_REMOVE(elm, field) do {                                    \
++      if (LIST_NEXT((elm), field) != NULL)                            \
++              LIST_NEXT((elm), field)->field.le_prev =                \
++                  (elm)->field.le_prev;                               \
++      *(elm)->field.le_prev = LIST_NEXT((elm), field);                \
++} while (0)
++
++/*
++ * Tail queue declarations.
++ */
++#define       TAILQ_HEAD(name, type)                                          \
++struct name {                                                         \
++      struct type *tqh_first; /* first element */                     \
++      struct type **tqh_last; /* addr of last next element */         \
++}
++
++#define       TAILQ_HEAD_INITIALIZER(head)                                    \
++      { NULL, &(head).tqh_first }
++
++#define       TAILQ_ENTRY(type)                                               \
++struct {                                                              \
++      struct type *tqe_next;  /* next element */                      \
++      struct type **tqe_prev; /* address of previous next element */  \
++}
++
++/*
++ * Tail queue functions.
++ */
++#define       TAILQ_EMPTY(head)       ((head)->tqh_first == NULL)
++
++#define       TAILQ_FIRST(head)       ((head)->tqh_first)
++
++#define       TAILQ_FOREACH(var, head, field)                                 \
++      for ((var) = TAILQ_FIRST((head));                               \
++          (var);                                                      \
++          (var) = TAILQ_NEXT((var), field))
++
++#define       TAILQ_FOREACH_REVERSE(var, head, headname, field)               \
++      for ((var) = TAILQ_LAST((head), headname);                      \
++          (var);                                                      \
++          (var) = TAILQ_PREV((var), headname, field))
++
++#define       TAILQ_INIT(head) do {                                           \
++      TAILQ_FIRST((head)) = NULL;                                     \
++      (head)->tqh_last = &TAILQ_FIRST((head));                        \
++} while (0)
++
++#define       TAILQ_INSERT_AFTER(head, listelm, elm, field) do {              \
++      if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\
++              TAILQ_NEXT((elm), field)->field.tqe_prev =              \
++                  &TAILQ_NEXT((elm), field);                          \
++      else                                                            \
++              (head)->tqh_last = &TAILQ_NEXT((elm), field);           \
++      TAILQ_NEXT((listelm), field) = (elm);                           \
++      (elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field);          \
++} while (0)
++
++#define       TAILQ_INSERT_BEFORE(listelm, elm, field) do {                   \
++      (elm)->field.tqe_prev = (listelm)->field.tqe_prev;              \
++      TAILQ_NEXT((elm), field) = (listelm);                           \
++      *(listelm)->field.tqe_prev = (elm);                             \
++      (listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field);          \
++} while (0)
++
++#define       TAILQ_INSERT_HEAD(head, elm, field) do {                        \
++      if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL)   \
++              TAILQ_FIRST((head))->field.tqe_prev =                   \
++                  &TAILQ_NEXT((elm), field);                          \
++      else                                                            \
++              (head)->tqh_last = &TAILQ_NEXT((elm), field);           \
++      TAILQ_FIRST((head)) = (elm);                                    \
++      (elm)->field.tqe_prev = &TAILQ_FIRST((head));                   \
++} while (0)
++
++#define       TAILQ_INSERT_TAIL(head, elm, field) do {                        \
++      TAILQ_NEXT((elm), field) = NULL;                                \
++      (elm)->field.tqe_prev = (head)->tqh_last;                       \
++      *(head)->tqh_last = (elm);                                      \
++      (head)->tqh_last = &TAILQ_NEXT((elm), field);                   \
++} while (0)
++
++#define       TAILQ_LAST(head, headname)                                      \
++      (*(((struct headname *)((head)->tqh_last))->tqh_last))
++
++#define       TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
++
++#define       TAILQ_PREV(elm, headname, field)                                \
++      (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
++
++#define       TAILQ_REMOVE(head, elm, field) do {                             \
++      if ((TAILQ_NEXT((elm), field)) != NULL)                         \
++              TAILQ_NEXT((elm), field)->field.tqe_prev =              \
++                  (elm)->field.tqe_prev;                              \
++      else                                                            \
++              (head)->tqh_last = (elm)->field.tqe_prev;               \
++      *(elm)->field.tqe_prev = TAILQ_NEXT((elm), field);              \
++} while (0)
++
++
++#ifdef _KERNEL
++
++/*
++ * XXX insque() and remque() are an old way of handling certain queues.
++ * They bogusly assumes that all queue heads look alike.
++ */
++
++struct quehead {
++      struct quehead *qh_link;
++      struct quehead *qh_rlink;
++};
++
++#ifdef        __GNUC__
++
++static __inline void
++insque(void *a, void *b)
++{
++      struct quehead *element = (struct quehead *)a,
++               *head = (struct quehead *)b;
++
++      element->qh_link = head->qh_link;
++      element->qh_rlink = head;
++      head->qh_link = element;
++      element->qh_link->qh_rlink = element;
++}
++
++static __inline void
++remque(void *a)
++{
++      struct quehead *element = (struct quehead *)a;
++
++      element->qh_link->qh_rlink = element->qh_rlink;
++      element->qh_rlink->qh_link = element->qh_link;
++      element->qh_rlink = 0;
++}
++
++#else /* !__GNUC__ */
++
++void  insque __P((void *a, void *b));
++void  remque __P((void *a));
++
++#endif /* __GNUC__ */
++
++#endif /* _KERNEL */
++
++#endif /* !_SYS_QUEUE_H_ */
+Index: isakmpd-20041012.orig/sysdep/common/pcap.h
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/common/pcap.h    2007-06-04 13:22:39.203895384 +0200
++++ isakmpd-20041012.orig/sysdep/common/pcap.h 2007-06-04 13:22:39.292881856 +0200
+@@ -55,8 +55,13 @@
+       u_int32_t linktype;     /* data link type (DLT_*) */
+ };
++struct pcap_timeval {
++      int32_t tv_sec;         /* seconds */
++      int32_t tv_usec;        /* microseconds */
++};
++
+ struct pcap_pkthdr {
+-      struct timeval ts;      /* time stamp */
++      struct pcap_timeval ts; /* time stamp */
+       u_int32_t caplen;       /* length of portion present */
+       u_int32_t len;          /* length this packet (off wire) */
+ };
+Index: isakmpd-20041012.orig/sysdep/common/libsysdep/arc4random.c
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/common/libsysdep/arc4random.c    2007-06-04 13:22:39.211894168 +0200
++++ isakmpd-20041012.orig/sysdep/common/libsysdep/arc4random.c 2007-06-04 13:22:39.292881856 +0200
+@@ -78,7 +78,7 @@
+ static void
+ arc4_stir(struct arc4_stream *as)
+ {
+-      int     fd;
++      int     fd, i;
+       struct {
+               struct timeval tv;
+               u_int8_t rnd[128 - sizeof(struct timeval)];
+Index: isakmpd-20041012.orig/x509v3.cnf
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ isakmpd-20041012.orig/x509v3.cnf   2007-06-04 13:22:39.293881704 +0200
+@@ -0,0 +1,26 @@
++# default settings
++CERTPATHLEN             = 1
++CERTUSAGE               = digitalSignature,keyCertSign
++CERTIP                  = 0.0.0.0
++CERTFQDN                = nohost.nodomain
++
++# This section should be referenced when building an x509v3 CA
++# Certificate.
++# The default path length and the key usage can be overriden
++# modified by setting the CERTPATHLEN and CERTUSAGE environment 
++# variables.
++[x509v3_CA]
++basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
++keyUsage=$ENV::CERTUSAGE
++
++# This section should be referenced to add an IP Address
++# as an alternate subject name, needed by isakmpd
++# The address must be provided in the CERTIP environment variable
++[x509v3_IPAddr]
++subjectAltName=IP:$ENV::CERTIP
++
++# This section should be referenced to add a FQDN hostname
++# as an alternate subject name, needed by isakmpd
++# The address must be provided in the CERTFQDN environment variable
++[x509v3_FQDN]
++subjectAltName=DNS:$ENV::CERTFQDN
diff --git a/net/isakmpd/patches/020-standardize.patch b/net/isakmpd/patches/020-standardize.patch
new file mode 100644 (file)
index 0000000..435782b
--- /dev/null
@@ -0,0 +1,154 @@
+Index: isakmpd-20041012.orig/GNUmakefile
+===================================================================
+--- isakmpd-20041012.orig.orig/GNUmakefile     2007-06-04 13:22:39.283883224 +0200
++++ isakmpd-20041012.orig/GNUmakefile  2007-06-04 13:22:39.722816496 +0200
+@@ -168,7 +168,6 @@
+ X509=         x509.c
+ CFLAGS+=      -DUSE_LIBCRYPTO
+ LDADD+=               -lcrypto
+-DPADD+=               ${LIBCRYPTO}
+ endif
+ ifdef USE_RAWKEY
+@@ -242,3 +241,16 @@
+ realcleandepend:
+       rm -f .depend tags
++
++# Install rules
++install: install-bin install-man
++
++install-bin: isakmpd
++      -mkdir -p $(DESTDIR)$(BINDIR)
++      $(INSTALL) $(INSTALL_OPTS) -m 755 isakmpd $(DESTDIR)$(BINDIR)
++
++install-man:
++      -mkdir -p $(DESTDIR)$(MANDIR)/man8
++      $(INSTALL) $(INSTALL_OPTS) -m 444 isakmpd.8 $(DESTDIR)$(MANDIR)/man8
++      -mkdir -p $(DESTDIR)$(MANDIR)/man5
++      $(INSTALL) $(INSTALL_OPTS) -m 444 isakmpd.conf.5 isakmpd.policy.5 $(DESTDIR)$(MANDIR)/man5
+Index: isakmpd-20041012.orig/samples/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/samples/Makefile        2007-06-04 13:22:39.015923960 +0200
++++ isakmpd-20041012.orig/samples/Makefile     2007-06-04 13:22:39.722816496 +0200
+@@ -26,7 +26,7 @@
+ #
+ FILES=                VPN-* policy singlehost-*
+-TARGETDIR=    /usr/share/ipsec/isakmpd
++TARGETDIR=    /usr/share/isakmpd/samples
+ # The mkdir below is for installation on OpenBSD pre 2.7
+ install:
+Index: isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/linux/GNUmakefile.sysdep 2007-06-04 13:22:39.291882008 +0200
++++ isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep      2007-06-04 13:22:39.722816496 +0200
+@@ -25,18 +25,18 @@
+ # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ #
+-LIBGMP:=      /usr/lib/libgmp.a
+-LIBCRYPTO:=   /usr/lib/libcrypto.a
++LIBGMP:=
++LIBCRYPTO:=   -lcrypto
+ LIBSYSDEPDIR:=        ${.CURDIR}/sysdep/common/libsysdep
+ LIBSYSDEP:=   ${LIBSYSDEPDIR}/libsysdep.a
+-LDADD+=               -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
++LDADD+=               $(EXTRA_LDFLAGS) -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
+ DPADD+=               ${LIBGMP} ${LIBSYSDEP}
+ CFLAGS+=      -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
+               -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \
+               -I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \
+-              -I/usr/include/openssl
++              $(EXTRA_CPPFLAGS)
+ FEATURES=     debug tripledes blowfish cast ec aggressive x509 policy
+ FEATURES+=    dpd nat_traversal isakmp_cfg des aes
+Index: isakmpd-20041012.orig/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/Makefile        2007-06-04 13:22:39.028921984 +0200
++++ isakmpd-20041012.orig/Makefile     2007-06-04 13:22:39.723816344 +0200
+@@ -147,7 +147,6 @@
+ .ifdef USE_LIBCRYPTO
+ CFLAGS+=      -DUSE_LIBCRYPTO
+ LDADD+=               -lcrypto
+-DPADD+=               ${LIBCRYPTO}
+ .endif
+ .ifdef USE_LIBDES
+Index: isakmpd-20041012.orig/apps/certpatch/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/apps/certpatch/Makefile 2007-06-04 13:22:39.035920920 +0200
++++ isakmpd-20041012.orig/apps/certpatch/Makefile      2007-06-04 13:22:39.723816344 +0200
+@@ -40,7 +40,6 @@
+ .PATH:                ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
+ CFLAGS+=      -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
+ LDADD+=               -lcrypto
+-DPADD+=               ${LIBCRYPTO}
+ MAN=          certpatch.8
+ .if ${FEATURES:Mgmp} == "gmp"
+Index: isakmpd-20041012.orig/regress/crypto/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/regress/crypto/Makefile 2007-06-04 13:22:39.041920008 +0200
++++ isakmpd-20041012.orig/regress/crypto/Makefile      2007-06-04 13:22:39.723816344 +0200
+@@ -13,7 +13,7 @@
+               -DUSE_TRIPLEDES -DUSE_CAST -DUSE_BLOWFISH -DUSE_DES \
+               -DUSE_AES
+ LDADD+=               -lcrypto -ldes
+-DPADD+=               ${LIBCRYPTO} ${LIBDES}
++DPADD+=               ${LIBDES}
+ NOMAN=
+ DEBUG=                -g
+Index: isakmpd-20041012.orig/regress/dh/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/regress/dh/Makefile     2007-06-04 13:22:39.048918944 +0200
++++ isakmpd-20041012.orig/regress/dh/Makefile  2007-06-04 13:22:39.726815888 +0200
+@@ -15,7 +15,6 @@
+               -DUSE_EC
+ NOMAN=
+ LDADD+=               -lcrypto
+-DPADD+=               ${LIBCRYPTO}
+ DEBUG=                -g
+ .if ${FEATURES:Mgmp} == "gmp"
+Index: isakmpd-20041012.orig/regress/group/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/regress/group/Makefile  2007-06-04 13:22:39.054918032 +0200
++++ isakmpd-20041012.orig/regress/group/Makefile       2007-06-04 13:22:39.727815736 +0200
+@@ -15,7 +15,6 @@
+               -DUSE_EC
+ NOMAN=
+ LDADD+=               -lcrypto
+-DPADD+=               ${LIBCRYPTO}
+ DEBUG=                -g
+ .if ${FEATURES:Mgmp} == "gmp"
+Index: isakmpd-20041012.orig/regress/rsakeygen/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/regress/rsakeygen/Makefile      2007-06-04 13:22:39.060917120 +0200
++++ isakmpd-20041012.orig/regress/rsakeygen/Makefile   2007-06-04 13:22:39.727815736 +0200
+@@ -62,7 +62,6 @@
+ .ifdef USE_LIBCRYPTO
+ CFLAGS+=      -DUSE_LIBCRYPTO
+ LDADD+=               -lcrypto
+-DPADD+=               ${LIBCRYPTO}
+ .endif
+ .if !defined (HAVE_DLOPEN) && !defined (USE_LIBCRYPTO)
+Index: isakmpd-20041012.orig/regress/x509/Makefile
+===================================================================
+--- isakmpd-20041012.orig.orig/regress/x509/Makefile   2007-06-04 13:22:39.068915904 +0200
++++ isakmpd-20041012.orig/regress/x509/Makefile        2007-06-04 13:22:39.727815736 +0200
+@@ -78,7 +78,6 @@
+ X509=         x509.c
+ CFLAGS+=      -DUSE_LIBCRYPTO
+ LDADD+=               -lcrypto ${LIBLWRES}
+-DPADD+=               ${LIBCRYPTO}
+ .endif
+ .if !defined (HAVE_DLOPEN) && !defined (USE_LIBCRYPTO) || !defined (USE_KEYNOTE)
diff --git a/net/isakmpd/patches/030-openssl_hashes.patch b/net/isakmpd/patches/030-openssl_hashes.patch
new file mode 100644 (file)
index 0000000..f50afc5
--- /dev/null
@@ -0,0 +1,161 @@
+Index: isakmpd-20041012.orig/GNUmakefile
+===================================================================
+--- isakmpd-20041012.orig.orig/GNUmakefile     2007-06-04 13:22:39.722816496 +0200
++++ isakmpd-20041012.orig/GNUmakefile  2007-06-04 13:22:40.000774240 +0200
+@@ -76,13 +76,14 @@
+               isakmp_fld.c isakmp_fld.h
+ MAN=          isakmpd.8 isakmpd.conf.5 isakmpd.policy.5
+-CFLAGS+=      -O2 ${DEBUG} -Wall -DNEED_SYSDEP_APP \
++CFLAGS+=      ${DEBUG} -Wall -DNEED_SYSDEP_APP \
+               -I${.CURDIR} -I${.CURDIR}/sysdep/${OS} -I. \
+ # Different debugging & profiling suggestions
+ # Include symbolic debugging info
+ DEBUG=                -g
++CFLAGS+=      -g
+ # Do execution time profiles
+ #CFLAGS+=     -pg
+@@ -175,6 +176,14 @@
+ CFLAGS+=        -DUSE_RAWKEY
+ endif
++ifdef USE_OPENSSL_MD5
++CFLAGS+=      -DUSE_OPENSSL_MD5
++endif
++
++ifdef USE_OPENSSL_SHA1
++CFLAGS+=      -DUSE_OPENSSL_SHA1
++endif
++
+ SRCS+=                ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \
+                       $(ISAKMP_CFG) ${DPD} ${NAT_TRAVERSAL}
+ CFLAGS+=      ${IPSEC_CFLAGS}
+Index: isakmpd-20041012.orig/sysdep/common/libsysdep/GNUmakefile
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/common/libsysdep/GNUmakefile     2007-06-04 13:22:38.959932472 +0200
++++ isakmpd-20041012.orig/sysdep/common/libsysdep/GNUmakefile  2007-06-04 13:22:40.000774240 +0200
+@@ -31,10 +31,18 @@
+ .CURDIR:=     $(shell pwd)
+ LIB=          sysdep
+-SRCS=         arc4random.c blowfish.c cast.c md5.c sha1.c strlcat.c strlcpy.c
++SRCS=         arc4random.c blowfish.c cast.c strlcat.c strlcpy.c
+ NOMAN=
+ CFLAGS+=      -I${.CURDIR}/.. -I/usr/include/machine
++ifeq (,$(findstring USE_OPENSSL_MD5,$(CFLAGS)))
++SRCS+=md5.c
++endif
++
++ifeq (,$(findstring USE_OPENSSL_SHA1,$(CFLAGS)))
++SRCS+=sha1.c
++endif
++
+ lib${LIB}.a: ${SRCS:%.c=%.o}
+       ar cq $@ ${SRCS:%.c=%.o}
+Index: isakmpd-20041012.orig/sysdep/common/libsysdep/md5.c
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/common/libsysdep/md5.c   2007-06-04 13:22:38.964931712 +0200
++++ isakmpd-20041012.orig/sysdep/common/libsysdep/md5.c        2007-06-04 13:22:40.000774240 +0200
+@@ -5,6 +5,8 @@
+  * changes to accommodate it in the kernel by ji.
+  */
++#ifndef USE_OPENSSL_MD5
++
+ /* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
+  */
+@@ -390,3 +392,4 @@
+ #endif
+ #endif
++#endif /* USE_OPENSSL_MD5 */
+Index: isakmpd-20041012.orig/sysdep/common/libsysdep/sha1.c
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/common/libsysdep/sha1.c  2007-06-04 13:22:38.970930800 +0200
++++ isakmpd-20041012.orig/sysdep/common/libsysdep/sha1.c       2007-06-04 13:22:40.001774088 +0200
+@@ -1,5 +1,7 @@
+ /*    $OpenBSD: sha1.c,v 1.2 2001/01/28 22:38:48 niklas Exp $ */
++#ifndef USE_OPENSSL_SHA1
++
+ /*
+ SHA-1 in C
+ By Steve Reid <steve@edmweb.com>
+@@ -171,3 +173,5 @@
+     SHA1Transform(context->state, context->buffer);
+ #endif
+ }
++
++#endif /* USE_OPENSSL_SHA1 */
+Index: isakmpd-20041012.orig/sysdep/common/md5.h
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/common/md5.h     2007-06-04 13:22:38.976929888 +0200
++++ isakmpd-20041012.orig/sysdep/common/md5.h  2007-06-04 13:22:40.001774088 +0200
+@@ -1,5 +1,15 @@
+ /*    $OpenBSD: md5.h,v 1.2 2001/01/28 22:38:47 niklas Exp $  */
++#ifdef USE_OPENSSL_MD5
++
++#include <openssl/md5.h>
++
++#define MD5Init               MD5_Init
++#define       MD5Update       MD5_Update
++#define       MD5Final        MD5_Final
++
++#else /* USE_OPENSSL_MD5 */
++
+ /* GLOBAL.H - RSAREF types and constants
+  */
+@@ -71,3 +81,5 @@
+ void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
+ #define _MD5_H_
++
++#endif        /* USE_OPENSSL_MD5 */
+Index: isakmpd-20041012.orig/sysdep/common/sha1.h
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/common/sha1.h    2007-06-04 13:22:38.982928976 +0200
++++ isakmpd-20041012.orig/sysdep/common/sha1.h 2007-06-04 13:22:40.001774088 +0200
+@@ -1,5 +1,16 @@
+ /*    $OpenBSD: sha1.h,v 1.2 2001/01/28 22:38:47 niklas Exp $ */
++#ifdef USE_OPENSSL_SHA1
++
++#include <openssl/sha.h>
++
++typedef SHA_CTX SHA1_CTX;
++#define       SHA1Init        SHA1_Init
++#define       SHA1Update      SHA1_Update
++#define       SHA1Final       SHA1_Final
++
++#else /* USE_OPENSSL_SHA1 */
++
+ /*
+ SHA-1 in C
+ By Steve Reid <steve@edmweb.com>
+@@ -16,3 +27,5 @@
+ void SHA1Init(SHA1_CTX* context);
+ void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int len);
+ void SHA1Final(unsigned char digest[20], SHA1_CTX* context);
++
++#endif        /* USE_OPENSSL_SHA1 */
+Index: isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/linux/GNUmakefile.sysdep 2007-06-04 13:22:39.722816496 +0200
++++ isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep      2007-06-04 13:22:40.001774088 +0200
+@@ -47,6 +47,8 @@
+ USE_LIBCRYPO= defined
+ HAVE_DLOPEN=  defined
+ USE_KEYNOTE=  defined
++USE_OPENSSL_MD5=      defined
++USE_OPENSSL_SHA1=     defined
+ # hack libsysdep.a dependenc
+ ${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
diff --git a/net/isakmpd/patches/040-security_fix.patch b/net/isakmpd/patches/040-security_fix.patch
new file mode 100644 (file)
index 0000000..d70a722
--- /dev/null
@@ -0,0 +1,18 @@
+Index: isakmpd-20041012.orig/ipsec.c
+===================================================================
+--- isakmpd-20041012.orig.orig/ipsec.c 2007-06-04 13:22:39.283883224 +0200
++++ isakmpd-20041012.orig/ipsec.c      2007-06-04 13:22:40.247736696 +0200
+@@ -2176,9 +2176,10 @@
+ {
+       struct ipsec_proto *iproto = proto->data;
+-      if (proto->sa->phase == 2 && section)
+-              iproto->replay_window = conf_get_num(section, "ReplayWindow",
+-                  DEFAULT_REPLAY_WINDOW);
++      if (proto->sa->phase == 2)
++              iproto->replay_window = section ? conf_get_num(section,
++                  "ReplayWindow", DEFAULT_REPLAY_WINDOW) :
++                  DEFAULT_REPLAY_WINDOW;
+ }
+ /*
diff --git a/net/isakmpd/patches/050-ar_cross.patch b/net/isakmpd/patches/050-ar_cross.patch
new file mode 100644 (file)
index 0000000..2bac048
--- /dev/null
@@ -0,0 +1,13 @@
+Index: isakmpd-20041012.orig/sysdep/common/libsysdep/GNUmakefile
+===================================================================
+--- isakmpd-20041012.orig.orig/sysdep/common/libsysdep/GNUmakefile     2007-06-04 13:22:40.000774240 +0200
++++ isakmpd-20041012.orig/sysdep/common/libsysdep/GNUmakefile  2007-06-04 13:22:40.431708728 +0200
+@@ -44,7 +44,7 @@
+ endif
+ lib${LIB}.a: ${SRCS:%.c=%.o}
+-      ar cq $@ ${SRCS:%.c=%.o}
++      $(AR) cq $@ ${SRCS:%.c=%.o}
+ clean:
+       rm -f lib${LIB}.a ${SRCS:%.c=%.o}
diff --git a/net/openswan/Makefile b/net/openswan/Makefile
new file mode 100644 (file)
index 0000000..6b6821d
--- /dev/null
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2006-2008 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=openswan
+PKG_VERSION:=2.4.10
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://www.openswan.org/download
+PKG_MD5SUM:=2b36785342c74d524d8d86bde89a445f
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/openswan/Default
+  TITLE:=Openswan
+  URL:=http://www.openswan.org/
+  DEPENDS:=@BROKEN
+endef
+
+define Package/openswan/Default/description
+ Openswan is an IPsec implementation for Linux.
+endef
+
+define Package/openswan
+$(call Package/openswan/Default)
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS+= +kmod-openswan +libgmp +ip
+  TITLE+= (daemon)
+  URL:=http://www.openswan.org/
+endef
+
+define Package/openswan/description
+$(call Package/openswan/Default/description)
+ This package contains the Openswan user-land daemon.
+endef
+
+define KernelPackage/openswan
+$(call Package/openswan/Default)
+  SUBMENU:=Network Support
+  TITLE+= (kernel module)
+  FILES:=$(PKG_BUILD_DIR)/modobj*/ipsec.$(LINUX_KMOD_SUFFIX)
+endef
+
+define KernelPackage/openswan/description
+$(call Package/openswan/Default/description)
+ This package contains the Openswan kernel module.
+endef
+
+TARGET_CPPFLAGS = \
+       -I$(STAGING_DIR)/usr/include \
+       -I$(LINUX_DIR)/include
+
+TARGET_LDFLAGS = \
+       -L$(STAGING_DIR)/usr/lib
+
+OPENSWAN_MAKE := $(MAKE) -C $(PKG_BUILD_DIR) \
+       $(TARGET_CONFIGURE_OPTS) \
+       LINUX_RELEASE="$(LINUX_RELEASE)" \
+       KERNELSRC="$(LINUX_DIR)" \
+       ARCH="$(LINUX_KARCH)" \
+       CROSS_COMPILE="$(TARGET_CROSS)" \
+       USERCOMPILE="$(TARGET_CFLAGS) -I$(PKG_BUILD_DIR)/linux/include $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS)" \
+       IPSECDIR="/usr/lib/ipsec" \
+       INC_USRLOCAL="/usr" \
+       INC_RCDEFAULT="/etc/init.d" \
+       MODPROBE="/sbin/insmod" \
+       LDFLAGS="$(TARGET_LDFLAGS)" \
+       DESTDIR="$(PKG_INSTALL_DIR)"
+
+define Build/Compile
+       $(OPENSWAN_MAKE) \
+               programs module install
+endef
+
+define Package/openswan/install
+       $(CP) $(PKG_INSTALL_DIR)/* $(1)
+       $(INSTALL_DIR) $(1)/etc/init.d
+       $(CP) ./files/ipsec.init $(1)/etc/init.d/ipsec
+       rm -rf $(1)/usr/share
+       rm -rf $(1)/usr/man
+       rm -rf $(1)/var
+       rm -rf $(1)/etc/rc.d
+       find $(1) -name \*.old | xargs rm -rf
+endef
+
+$(eval $(call BuildPackage,openswan))
+$(eval $(call KernelPackage,openswan))
diff --git a/net/openswan/files/ipsec.init b/net/openswan/files/ipsec.init
new file mode 100755 (executable)
index 0000000..33c4163
--- /dev/null
@@ -0,0 +1,158 @@
+#!/bin/sh /etc/rc.common
+# IPsec startup and shutdown script
+# Copyright (C) 1998, 1999, 2001  Henry Spencer.
+# Copyright (C) 2002              Michael Richardson <mcr@freeswan.org>
+# Copyright (C) 2006              OpenWrt.org
+# 
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+# 
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: setup.in,v 1.122.6.1 2005/07/25 19:17:03 ken Exp $
+#
+# ipsec         init.d script for starting and stopping
+#               the IPsec security subsystem (KLIPS and Pluto).
+#
+# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
+# and is also accessible as "ipsec setup" (the preferred route for human
+# invocation).
+#
+# The startup and shutdown times are a difficult compromise (in particular,
+# it is almost impossible to reconcile them with the insanely early/late
+# times of NFS filesystem startup/shutdown).  Startup is after startup of
+# syslog and pcmcia support; shutdown is just before shutdown of syslog.
+#
+# chkconfig: 2345 47 76
+# description: IPsec provides encrypted and authenticated communications; \
+# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+
+START=60
+script_init() {
+       me='ipsec setup'                # for messages
+
+       # where the private directory and the config files are
+       IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
+       IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
+       IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
+       IPSEC_CONFS="${IPSEC_CONFS-/etc}"
+
+       if test " $IPSEC_DIR" = " "     # if we were not called by the ipsec command
+       then
+           # we must establish a suitable PATH ourselves
+           PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
+           export PATH
+
+           IPSEC_DIR="$IPSEC_LIBDIR"
+           export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
+       fi
+
+       # Check that the ipsec command is available.
+       found=
+       for dir in `echo $PATH | tr ':' ' '`
+       do
+               if test -f $dir/ipsec -a -x $dir/ipsec
+               then
+                       found=yes
+                       break                   # NOTE BREAK OUT
+               fi
+       done
+       if ! test "$found"
+       then
+               echo "cannot find ipsec command -- \`$1' aborted" |
+                       logger -s -p daemon.error -t ipsec_setup
+               exit 1
+       fi
+
+       # Pick up IPsec configuration (until we have done this, successfully, we
+       # do not know where errors should go, hence the explicit "daemon.error"s.)
+       # Note the "--export", which exports the variables created.
+       eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
+
+       if test " $IPSEC_confreadstatus" != " "
+       then
+           case $1 in 
+           stop|--stop|_autostop) 
+               echo "$IPSEC_confreadstatus -- \`$1' may not work" |
+                       logger -s -p daemon.error -t ipsec_setup;;
+
+           *) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
+                   logger -s -p daemon.error -t ipsec_setup;
+               exit 1;;
+           esac
+       fi
+
+       IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
+       export IPSEC_confreadsection
+
+       IPSECsyslog=${IPSECsyslog-daemon.error}
+       export IPSECsyslog
+
+       # misc setup
+       umask 022
+
+       mkdir -p /var/run/pluto
+}
+
+script_command() {
+       if [ "${USER}" != "root" ]
+       then
+               echo "permission denied (must be superuser)" |
+                       logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
+               exit 1
+       fi
+       # make sure all required directories exist
+       if [ ! -d /var/run/pluto ]
+       then
+               mkdir -p /var/run/pluto
+       fi
+       if [ ! -d /var/lock/subsys ]
+       then
+               mkdir -p /var/lock/subsys
+       fi
+       tmp=/var/run/pluto/ipsec_setup.st
+       outtmp=/var/run/pluto/ipsec_setup.out
+       (
+               ipsec _realsetup $1
+               echo "$?" >$tmp
+       ) > ${outtmp} 2>&1
+       st=$?
+       if test -f $tmp
+       then
+               st=`cat $tmp`
+               rm -f $tmp
+       fi
+       if [ -f ${outtmp} ]; then
+               cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
+               rm -f ${outtmp}
+       fi
+}
+
+
+start() {
+       script_init start "$@"
+       script_command start "$@"
+}
+
+stop() {
+       script_init stop "$@"
+       script_command stop "$@"
+}
+
+restart() {
+       script_init stop "$@"
+       script_command stop "$@"
+       script_command start "$@"
+}
+
+status() {
+       script_init status "$@"
+       ipsec _realsetup status
+}
+EXTRA_COMMANDS=status
+EXTRA_HELP="   status  Show the status of the service"
diff --git a/net/openswan/patches/110-scripts.patch b/net/openswan/patches/110-scripts.patch
new file mode 100644 (file)
index 0000000..d605cea
--- /dev/null
@@ -0,0 +1,33 @@
+diff -urN openswan.old/programs/loggerfix openswan.dev/programs/loggerfix
+--- openswan.old/programs/loggerfix    1970-01-01 01:00:00.000000000 +0100
++++ openswan.dev/programs/loggerfix    2006-10-08 20:41:08.000000000 +0200
+@@ -0,0 +1,5 @@
++#!/bin/sh
++# use filename instead of /dev/null to log, but dont log to flash or ram
++# pref. log to nfs mount
++echo "$*" >> /dev/null
++exit 0
+diff -urN openswan.old/programs/_plutorun/_plutorun.in openswan.dev/programs/_plutorun/_plutorun.in
+--- openswan.old/programs/_plutorun/_plutorun.in       2006-10-08 20:43:21.000000000 +0200
++++ openswan.dev/programs/_plutorun/_plutorun.in       2006-10-08 20:41:08.000000000 +0200
+@@ -147,7 +147,7 @@
+                       exit 1
+               fi
+       else
+-              if test ! -w "`dirname $stderrlog`"
++              if test ! -w "`echo $stderrlog | sed -r 's/(^.*\/)(.*$)/\1/'`"
+               then
+                       echo Cannot write to directory to create \"$stderrlog\".
+                       exit 1
+diff -urN openswan.old/programs/_realsetup/_realsetup.in openswan.dev/programs/_realsetup/_realsetup.in
+--- openswan.old/programs/_realsetup/_realsetup.in     2006-10-08 20:43:21.000000000 +0200
++++ openswan.dev/programs/_realsetup/_realsetup.in     2006-10-08 20:41:08.000000000 +0200
+@@ -232,7 +232,7 @@
+       # misc pre-Pluto setup
+-      perform test -d `dirname $subsyslock` "&&" touch $subsyslock
++      perform test -d `echo $subsyslock | sed -r 's/(^.*\/)(.*$)/\1/'` "&&" touch $subsyslock "&&" rm -f $subsyslock
+       if test " $IPSECforwardcontrol" = " yes"
+       then
diff --git a/net/openswan/patches/120-use_dev_urandom.patch b/net/openswan/patches/120-use_dev_urandom.patch
new file mode 100644 (file)
index 0000000..6bbcbf1
--- /dev/null
@@ -0,0 +1,39 @@
+Index: openswan-2.4.8/programs/ranbits/ranbits.c
+===================================================================
+--- openswan-2.4.8.orig/programs/ranbits/ranbits.c     2007-06-04 13:22:49.835279168 +0200
++++ openswan-2.4.8/programs/ranbits/ranbits.c  2007-06-04 13:22:51.648003592 +0200
+@@ -29,7 +29,7 @@
+ #include <openswan.h>
+ #ifndef DEVICE
+-#define       DEVICE  "/dev/random"
++#define       DEVICE  "/dev/urandom"
+ #endif
+ #ifndef QDEVICE
+ #define       QDEVICE "/dev/urandom"
+Index: openswan-2.4.8/programs/rsasigkey/rsasigkey.c
+===================================================================
+--- openswan-2.4.8.orig/programs/rsasigkey/rsasigkey.c 2007-06-04 13:22:49.842278104 +0200
++++ openswan-2.4.8/programs/rsasigkey/rsasigkey.c      2007-06-04 13:22:51.649003440 +0200
+@@ -31,7 +31,7 @@
+ #include <gmp.h>
+ #ifndef DEVICE
+-#define       DEVICE  "/dev/random"
++#define       DEVICE  "/dev/urandom"
+ #endif
+ #ifndef MAXBITS
+ #define       MAXBITS 20000
+Index: openswan-2.4.8/programs/starter/files.h
+===================================================================
+--- openswan-2.4.8.orig/programs/starter/files.h       2007-06-04 13:22:49.850276888 +0200
++++ openswan-2.4.8/programs/starter/files.h    2007-06-04 13:22:51.649003440 +0200
+@@ -36,7 +36,7 @@
+ #define MY_PID_FILE     "/var/run/pluto/ipsec-starter.pid"
+-#define DEV_RANDOM      "/dev/random"
++#define DEV_RANDOM      "/dev/urandom"
+ #define DEV_URANDOM     "/dev/urandom"
+ #define PROC_IPSECVERSION   "/proc/net/ipsec_version"
diff --git a/net/shfs/Makefile b/net/shfs/Makefile
new file mode 100644 (file)
index 0000000..fd50721
--- /dev/null
@@ -0,0 +1,89 @@
+# 
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=shfs
+PKG_VERSION:=0.35
+PKG_RELEASE:=2
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=@SF/shfs
+PKG_MD5SUM:=016f49d71bc32eee2b5d11fc1600cfbe
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/shfs/Default
+  TITLE:=ShFS
+  URL:=http://shfs.sourceforge.net/
+endef
+
+define Package/shfs/Default/description
+ ShFS is a simple and easy to use Linux kernel module which allows you to 
+ mount remote filesystems using a plain shell (SSH) connection. When using 
+ ShFS, you can access all remote files just like the local ones, only the 
+ access is governed through the transport security of SSH.
+endef
+
+define KernelPackage/shfs
+$(call Package/shfs/Default)
+  TITLE+= (kernel module)
+  DEPENDS:=@LINUX_2_4
+  FILES:=$(PKG_INSTALL_DIR)/lib/modules/$(LINUX_VERSION)/kernel/fs/shfs/shfs.$(LINUX_KMOD_SUFFIX)
+  SUBMENU:=Filesystems
+  AUTOLOAD:=$(call AutoLoad,40,shfs)
+endef
+
+define KernelPackage/shfs/description
+$(call Package/shfs/Default/description)
+ This package contains the ShFS kernel module.
+endef
+
+define Package/shfs-utils
+$(call Package/shfs/Default)
+  SECTION:=utils
+  CATEGORY:=Utilities
+  DEPENDS+=+kmod-shfs
+  TITLE+= (utilities)
+endef
+
+define Package/shfs-utils/description
+$(call Package/shfs/Default/description)
+ This package contains the ShFS utilities.
+endef
+
+define Build/Compile
+       $(MAKE) -C $(PKG_BUILD_DIR) \
+               ARCH="$(LINUX_KARCH)" \
+               CROSS_COMPILE="$(TARGET_CROSS)" \
+               OFLAGS="$(TARGET_CFLAGS)" \
+               CC="$(TARGET_CC)" \
+               LINKER="$(TARGET_CC)" \
+               KERNEL="$(LINUX_VERSION)" \
+               KERNEL_SOURCES="$(LINUX_DIR)" \
+               ROOT="$(PKG_INSTALL_DIR)" \
+               module module-install
+       $(MAKE) -C $(PKG_BUILD_DIR) \
+               OFLAGS="$(TARGET_CFLAGS)" \
+               CC="$(TARGET_CC)" \
+               LINKER="$(TARGET_CC)" \
+               KERNEL_SOURCES="$(LINUX_DIR)" \
+               ROOT="$(PKG_INSTALL_DIR)" \
+               utils utils-install
+endef
+
+define Package/shfs-utils/install
+       $(INSTALL_DIR) $(1)/usr/bin
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/shfs{,u}mount $(1)/usr/bin/
+       $(INSTALL_DIR) $(1)/sbin
+       ln -sf /usr/bin/shfsmount $(1)/sbin/mount.shfs
+endef
+
+$(eval $(call KernelPackage,shfs))
+$(eval $(call BuildPackage,shfs-utils))
diff --git a/net/shfs/patches/100-kmod_build.patch b/net/shfs/patches/100-kmod_build.patch
new file mode 100644 (file)
index 0000000..16f198c
--- /dev/null
@@ -0,0 +1,100 @@
+Index: shfs-0.35/shfs/Linux-2.4/Makefile
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.4/Makefile     2007-06-04 13:22:58.143016200 +0200
++++ shfs-0.35/shfs/Linux-2.4/Makefile  2007-06-04 13:22:58.209006168 +0200
+@@ -1,3 +1,13 @@
++#
++# the original Makefile was trashed and replaced by this one
++# The main reason is that loadable modules should be built with
++# the same compile flags the kernel was built with, so we'd better
++# let the kernel tree build the module for us, like that :
++#
++#   make -C $(KERNEL_DIR) SUBDIRS="$(shell pwd)" modules
++#   make -C $(KERNEL_DIR) SUBDIRS="$(shell pwd)" modules_install
++#
++
+ ifndef KERNEL
+ KERNEL=$(shell uname -r)
+ endif
+@@ -10,67 +20,29 @@
+ KERNEL_SOURCES=${MODULESDIR}/build
+ endif
+-ifeq (${MODVERSIONS},detect)
+-  ifeq ($(shell test -e ${KERNEL_SOURCES}/include/linux/modversions.h; echo $$?),0)
+-    MODVERSIONS=yes
+-  endif
+-endif
+-
+-ifeq (${MODVERSIONS},yes)
+-MVER=-DMODVERSIONS -DEXPORT_SYMTAB
+-endif
+-
+-LINVER=linux-${KERNEL}
+-
+-ALL_TARGETS := shfs.o
+-
+-SEARCHDIRS := -I- -I. -I${KERNEL_SOURCES}/include #-I/usr/src/linux/include/
++all: all-y
+-CC     := gcc
+-CFLAGS  = -O2 -fomit-frame-pointer -fno-strict-aliasing -pipe -Wall ${SEARCHDIRS} -DMODULE ${MVER} -D__KERNEL__ -DLINUX
+-LINKER    := ld
+-LDFLAGS    = -r
+-LOADLIBES := 
++O_TARGET := shfs.o
+-all: ${ALL_TARGETS}
++shfs-objs := dcache.o dir.o fcache.o file.o inode.o ioctl.o proc.o shell.o symlink.o
+-%.o: %.c $(wildcard *.h)
+-      ${CC} ${CFLAGS} -c $< -o $@
++obj-y := $(shfs-objs) 
++obj-m := $(O_TARGET)
+-shfs.o: dcache.o dir.o fcache.o file.o inode.o ioctl.o proc.o shell.o symlink.o
+-      ${LINKER} ${LDFLAGS} -o $@ ${filter-out %.a %.so, $^} ${LOADLIBES}
+-
+-tidy:
+-      ${RM} core dcache.o dir.o fcache.o file.o inode.o ioctl.o proc.o shell.o symlink.o
+-
+-clean: tidy patch-clean
+-      ${RM} shfs.o
++-include $(TOPDIR)/Rules.make
++all-y:
++      make -C ${KERNEL_SOURCES} TOPDIR="${KERNEL_SOURCES}" SUBDIRS="$(shell pwd)" modules
++      
+ install: shfs.o
+       rm -f ${MODULESDIR}/kernel/fs/shfs/shfs.o
+       install -m644 -b -D shfs.o ${MODULESDIR}/kernel/fs/shfs/shfs.o
+-      if [ -x /sbin/depmod -a "${ROOT}" = "/" ]; then /sbin/depmod -aq; fi
+ uninstall:
+       rm -rf ${MODULESDIR}/kernel/fs/shfs
+-      if [ -x /sbin/depmod -a "${ROOT}" = "/" ]; then /sbin/depmod -aq; fi
+-patch:
+-      rm -rf ${LINVER} ${LINVER}.orig; mkdir ${LINVER};
+-      for i in Documentation fs/shfs include/linux; do \
+-        mkdir -p ${LINVER}/$$i; \
+-      done
+-      cp ${KERNEL_SOURCES}/Documentation/Configure.help ${LINVER}/Documentation
+-      cp ${KERNEL_SOURCES}/fs/{Makefile,Config.in} ${LINVER}/fs
+-      cp -r ${LINVER} ${LINVER}.orig
+-      cp ../../Changelog *.c shfs_debug.h proc.h ${LINVER}/fs/shfs/
+-      cp shfs.h shfs_fs* ${LINVER}/include/linux/
+-      (cd ${LINVER}; patch -p1 <../kernel-config.diff)
+-      find . -type f -name "*.orig" -print | xargs rm -f
+-      diff -urN ${LINVER}.orig ${LINVER} >${LINVER}.diff; true
+-
+-patch-clean:
+-      rm -rf ${LINVER} ${LINVER}.orig;
+-      rm -f ${LINVER}.diff
+-      
+-.PHONY : all tidy clean install uninstall patch patch-clean
++clean:
++      rm -f core *.o *.a *.s
++
++shfs.o: $(shfs-objs)
++
diff --git a/net/shfs/patches/101-shfs_0.35_2.6.18_dentry.patch b/net/shfs/patches/101-shfs_0.35_2.6.18_dentry.patch
new file mode 100644 (file)
index 0000000..e7754b0
--- /dev/null
@@ -0,0 +1,166 @@
+Index: shfs-0.35/shfs/Linux-2.6/inode.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/inode.c      2007-06-04 13:22:58.091024104 +0200
++++ shfs-0.35/shfs/Linux-2.6/inode.c   2007-06-04 13:22:58.397977440 +0200
+@@ -337,12 +337,21 @@
+       return -EINVAL;
+ }
++#ifdef NEW_VFS_DENTRY_API
++static int
++shfs_get_sb(struct file_system_type *fs_type,
++          int flags, const char *dev_name, void *data, struct vfsmount *mnt)
++{
++      return get_sb_nodev(fs_type, flags, data, shfs_read_super, mnt);
++}
++#else
+ static struct super_block *
+ shfs_get_sb(struct file_system_type *fs_type,
+           int flags, const char *dev_name, void *data)
+ {
+       return get_sb_nodev(fs_type, flags, data, shfs_read_super);
+ }
++#endif
+ static struct file_system_type sh_fs_type = {
+       .owner          = THIS_MODULE,
+Index: shfs-0.35/shfs/Linux-2.6/file.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/file.c       2007-06-04 13:22:58.096023344 +0200
++++ shfs-0.35/shfs/Linux-2.6/file.c    2007-06-04 13:22:58.397977440 +0200
+@@ -199,7 +199,7 @@
+ }
+ static int
+-shfs_file_flush(struct file *f)
++do_file_flush(struct file *f)
+ {
+       struct dentry *dentry = f->f_dentry;
+       struct shfs_sb_info *info = info_from_dentry(dentry);
+@@ -222,6 +222,16 @@
+ }
+ static int
++#ifdef FLUSH_HAS_LOCK_OWNER
++shfs_file_flush(struct file *f, fl_owner_t id)
++#else
++shfs_file_flush(struct file *f)
++#endif
++{
++      return do_file_flush(f);
++}
++
++static int
+ shfs_file_release(struct inode *inode, struct file *f)
+ {
+       struct dentry *dentry = f->f_dentry;
+@@ -311,7 +321,7 @@
+       DEBUG("\n");
+       written = generic_file_write(f, buf, count, offset);
+       if (written > 0) {
+-              result = shfs_file_flush(f);
++              result = do_file_flush(f);
+               written = result < 0 ? result: written;
+       }
+       
+Index: shfs-0.35/shfs/Linux-2.6/proc.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/proc.c       2007-06-04 13:22:58.102022432 +0200
++++ shfs-0.35/shfs/Linux-2.6/proc.c    2007-06-04 13:22:58.398977288 +0200
+@@ -570,6 +570,16 @@
+       return result;
+ }
++#ifdef NEW_VFS_DENTRY_API
++int
++shfs_statfs(struct dentry *dentry, struct kstatfs *attr)
++{
++      struct shfs_sb_info *info = info_from_sb(dentry->d_sb);
++
++      DEBUG("\n");
++      return info->fops.statfs(info, attr);
++}
++#else
+ int
+ shfs_statfs(struct super_block *sb, struct kstatfs *attr)
+ {
+@@ -578,4 +588,5 @@
+       DEBUG("\n");
+       return info->fops.statfs(info, attr);
+ }
++#endif
+Index: shfs-0.35/shfs/Linux-2.6/shfs_fs.h
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/shfs_fs.h    2007-06-04 13:22:58.107021672 +0200
++++ shfs-0.35/shfs/Linux-2.6/shfs_fs.h 2007-06-04 13:22:58.398977288 +0200
+@@ -9,6 +9,12 @@
+ #include <linux/ioctl.h>
+ #include <linux/pagemap.h>
++#include <linux/version.h>
++
++#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,17)
++#define NEW_VFS_DENTRY_API
++#define FLUSH_HAS_LOCK_OWNER
++#endif
+ #define SHFS_MAX_AGE(info)    (((info)->ttl * HZ) / 1000)
+ #define SOCKBUF_SIZE          (SHFS_PATH_MAX * 10)
+@@ -101,7 +107,12 @@
+ void set_garbage(struct shfs_sb_info *info, int write, int count);
+ int get_name(struct dentry *d, char *name);
+ int shfs_notify_change(struct dentry *dentry, struct iattr *attr);
++
++#ifdef NEW_VFS_DENTRY_API
++int shfs_statfs(struct dentry *dentry, struct kstatfs *attr);
++#else
+ int shfs_statfs(struct super_block *sb, struct kstatfs *attr);
++#endif
+       
+ /* shfs/inode.c */
+ void shfs_set_inode_attr(struct inode *inode, struct shfs_fattr *fattr);
+Index: shfs-0.35/shfs/Linux-2.6/symlink.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/symlink.c    2007-06-04 13:22:58.113020760 +0200
++++ shfs-0.35/shfs/Linux-2.6/symlink.c 2007-06-04 13:22:58.398977288 +0200
+@@ -41,7 +41,7 @@
+       return result;
+ }
+-static int
++static void *
+ shfs_follow_link(struct dentry *dentry, struct nameidata *nd)
+ {
+       struct shfs_sb_info *info = info_from_dentry(dentry);
+@@ -61,7 +61,7 @@
+       DEBUG("%s\n", real_name);
+       result = vfs_follow_link(nd, real_name);
+ error:
+-      return result;
++      return NULL;
+ }
+ struct inode_operations shfs_symlink_inode_operations = {
+Index: shfs-0.35/shfs/Linux-2.6/dcache.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/dcache.c     2007-06-04 13:22:58.121019544 +0200
++++ shfs-0.35/shfs/Linux-2.6/dcache.c  2007-06-04 13:22:58.398977288 +0200
+@@ -68,7 +68,7 @@
+       spin_lock(&dcache_lock);
+       next = parent->d_subdirs.next;
+       while (next != &parent->d_subdirs) {
+-              dentry = list_entry(next, struct dentry, d_child);
++              dentry = list_entry(next, struct dentry, d_u.d_child);
+               dentry->d_fsdata = NULL;
+               shfs_age_dentry(info, dentry);
+               next = next->next;
+@@ -101,7 +101,7 @@
+       spin_lock(&dcache_lock);
+       next = parent->d_subdirs.next;
+       while (next != &parent->d_subdirs) {
+-              dent = list_entry(next, struct dentry, d_child);
++              dent = list_entry(next, struct dentry, d_u.d_child);
+               if ((unsigned long)dent->d_fsdata == fpos) {
+                       if (dent->d_inode)
+                               dget_locked(dent);
diff --git a/net/shfs/patches/102-shfs_0.35_clean_inode_clear.patch b/net/shfs/patches/102-shfs_0.35_clean_inode_clear.patch
new file mode 100644 (file)
index 0000000..f12fc96
--- /dev/null
@@ -0,0 +1,22 @@
+Index: shfs-0.35/shfs/Linux-2.6/inode.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/inode.c      2007-06-04 13:22:58.397977440 +0200
++++ shfs-0.35/shfs/Linux-2.6/inode.c   2007-06-04 13:22:58.637940960 +0200
+@@ -8,6 +8,7 @@
+ #include <linux/modversions.h>
+ #endif
++#include <linux/version.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/init.h>
+@@ -118,6 +119,9 @@
+       }
+       KMEM_FREE("inode", inode_cache, i);
+ out:
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,13))
++   truncate_inode_pages(&inode->i_data, 0);
++#endif
+       clear_inode(inode);
+ }
diff --git a/net/shfs/patches/103-shfs_0.35_gcc4.patch b/net/shfs/patches/103-shfs_0.35_gcc4.patch
new file mode 100644 (file)
index 0000000..e4c1388
--- /dev/null
@@ -0,0 +1,25 @@
+Index: shfs-0.35/shfs/Linux-2.6/dir.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/dir.c        2007-06-04 13:22:58.041031704 +0200
++++ shfs-0.35/shfs/Linux-2.6/dir.c     2007-06-04 13:22:58.822912840 +0200
+@@ -19,6 +19,8 @@
+ #include "shfs_debug.h"
+ #include "proc.h"
++static struct dentry_operations shfs_dentry_operations;
++      
+ static int
+ shfs_dir_open(struct inode *inode, struct file *filp)
+ {
+Index: shfs-0.35/shfs/Linux-2.6/shfs_fs.h
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/shfs_fs.h    2007-06-04 13:22:58.398977288 +0200
++++ shfs-0.35/shfs/Linux-2.6/shfs_fs.h 2007-06-04 13:22:58.823912688 +0200
+@@ -56,7 +56,6 @@
+ #define ROUND_TO_MINS(x) do { (x).tv_sec = ((x).tv_sec / 60) * 60; (x).tv_nsec = 0; } while (0)
+ /* shfs/dir.c */
+-extern struct dentry_operations shfs_dentry_operations;
+ extern struct file_operations shfs_dir_operations;
+ extern struct inode_operations shfs_dir_inode_operations;
+ extern void shfs_new_dentry(struct dentry *dentry);
diff --git a/net/shfs/patches/104-shfs_0.35_inode_and_fs.patch b/net/shfs/patches/104-shfs_0.35_inode_and_fs.patch
new file mode 100644 (file)
index 0000000..0953e6b
--- /dev/null
@@ -0,0 +1,377 @@
+Index: shfs-0.35/shfs/Linux-2.6/fcache.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/fcache.c     2007-06-04 13:22:57.997038392 +0200
++++ shfs-0.35/shfs/Linux-2.6/fcache.c  2007-06-04 13:22:59.019882896 +0200
+@@ -100,7 +100,11 @@
+               VERBOSE("dir in file cache?\n");
+               return -EINVAL;
+       }
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      p = (struct shfs_inode_info *)inode->i_private;
++#else
+       p = (struct shfs_inode_info *)inode->u.generic_ip;
++#endif
+       if (!p) {
+               VERBOSE("inode without info\n");
+               return -EINVAL;
+@@ -127,7 +131,11 @@
+               VERBOSE("dir in file cache?\n");
+               return -EINVAL;
+       }
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      p = (struct shfs_inode_info *)inode->i_private;
++#else
+       p = (struct shfs_inode_info *)inode->u.generic_ip;
++#endif
+       if (!p) {
+               VERBOSE("inode without info\n");
+               return -EINVAL;
+@@ -160,7 +168,11 @@
+       if (result == 0) {
+               struct shfs_inode_info *p;
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++              p = (struct shfs_inode_info *)f->f_dentry->d_inode->i_private;
++#else
+               p = (struct shfs_inode_info *)f->f_dentry->d_inode->u.generic_ip;
++#endif
+               if (!p) {
+                       VERBOSE("inode without info\n");
+                       return -EINVAL;
+@@ -184,7 +196,11 @@
+               return -EINVAL;
+       }
+       DEBUG("ino: %lu\n", inode->i_ino);
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      p = (struct shfs_inode_info *)inode->i_private;
++#else
+       p = (struct shfs_inode_info *)inode->u.generic_ip;
++#endif
+       if (!p) {
+               VERBOSE("inode without info\n");
+               return -EINVAL;
+@@ -226,7 +242,11 @@
+               VERBOSE("dir in file cache?\n");
+               return -EINVAL;
+       }
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      p = (struct shfs_inode_info *)inode->i_private;
++#else
+       p = (struct shfs_inode_info *)inode->u.generic_ip;
++#endif
+       if (!p) {
+               VERBOSE("inode without info\n");
+               return -EINVAL;
+@@ -327,7 +347,11 @@
+               VERBOSE("dir in file cache?\n");
+               return -EINVAL;
+       }
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      p = (struct shfs_inode_info *)inode->i_private;
++#else
+       p = (struct shfs_inode_info *)inode->u.generic_ip;
++#endif
+       if (!p) {
+               VERBOSE("inode without info\n");
+               return -EINVAL;
+Index: shfs-0.35/shfs/Linux-2.6/inode.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/inode.c      2007-06-04 13:22:58.637940960 +0200
++++ shfs-0.35/shfs/Linux-2.6/inode.c   2007-06-04 13:22:59.020882744 +0200
+@@ -36,7 +36,11 @@
+ shfs_set_inode_attr(struct inode *inode, struct shfs_fattr *fattr)
+ {
+       struct shfs_sb_info *info = info_from_inode(inode);
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      struct shfs_inode_info *i = inode->i_private;
++#else
+       struct shfs_inode_info *i = inode->u.generic_ip;
++#endif
+       struct timespec last_time = inode->i_mtime;
+       loff_t last_size = inode->i_size;
+@@ -53,7 +57,9 @@
+       inode->i_ctime  = fattr->f_ctime;
+       inode->i_atime  = fattr->f_atime;
+       inode->i_mtime  = fattr->f_mtime;
++#ifdef STRUCT_INODE_HAS_I_BLKSIZE
+       inode->i_blksize= fattr->f_blksize;
++#endif
+       inode->i_blocks = fattr->f_blocks;
+       inode->i_size   = fattr->f_size;
+@@ -76,7 +82,11 @@
+       if (!inode)
+               return NULL;
+       inode->i_ino = fattr->f_ino;
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      i = inode->i_private = (struct shfs_inode_info *)KMEM_ALLOC("inode", inode_cache, GFP_KERNEL);
++#else
+       i = inode->u.generic_ip = (struct shfs_inode_info *)KMEM_ALLOC("inode", inode_cache, GFP_KERNEL);
++#endif
+       if (!i)
+               return NULL;
+       i->cache = NULL;
+@@ -108,7 +118,11 @@
+       struct shfs_inode_info *i;
+       DEBUG("ino: %lu\n", inode->i_ino);
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      i = (struct shfs_inode_info *)inode->i_private;
++#else
+       i = (struct shfs_inode_info *)inode->u.generic_ip;
++#endif
+       if (!i) {
+               VERBOSE("invalid inode\n");
+               goto out;
+@@ -176,7 +190,11 @@
+ {
+       struct shfs_sb_info *info = info_from_dentry(dentry);
+       struct inode *inode = dentry->d_inode;
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      struct shfs_inode_info *i = (struct shfs_inode_info *)inode->i_private;
++#else
+       struct shfs_inode_info *i = (struct shfs_inode_info *)inode->u.generic_ip;
++#endif
+       int result;
+         DEBUG("%s\n", dentry->d_name.name);
+Index: shfs-0.35/shfs/Linux-2.6/dir.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/dir.c        2007-06-04 13:22:58.822912840 +0200
++++ shfs-0.35/shfs/Linux-2.6/dir.c     2007-06-04 13:22:59.020882744 +0200
+@@ -302,8 +302,13 @@
+       
+       shfs_invalid_dir_cache(dir);
+       result = shfs_instantiate(dentry);
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      if (forced_write && dentry->d_inode && dentry->d_inode->i_private)
++              ((struct shfs_inode_info *)dentry->d_inode->i_private)->unset_write_on_close = 1;
++#else
+       if (forced_write && dentry->d_inode && dentry->d_inode->u.generic_ip)
+               ((struct shfs_inode_info *)dentry->d_inode->u.generic_ip)->unset_write_on_close = 1;
++#endif
+       return result;
+ }
+Index: shfs-0.35/shfs/Linux-2.6/file.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/file.c       2007-06-04 13:22:58.397977440 +0200
++++ shfs-0.35/shfs/Linux-2.6/file.c    2007-06-04 13:22:59.020882744 +0200
+@@ -90,7 +90,11 @@
+       struct dentry *dentry = f->f_dentry;
+       struct shfs_sb_info *info = info_from_dentry(dentry);
+       struct inode *inode = p->mapping->host;
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      struct shfs_inode_info *i = (struct shfs_inode_info *)inode->i_private;
++#else
+       struct shfs_inode_info *i = (struct shfs_inode_info *)inode->u.generic_ip;
++#endif
+       char *buffer = kmap(p) + offset;
+       int written = 0, result;
+       unsigned count = to - offset;
+@@ -252,8 +256,13 @@
+               }
+       }
+       /* if file was forced to be writeable, change attrs back on close */
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      if (dentry->d_inode && dentry->d_inode->i_private) {
++              if  (((struct shfs_inode_info *)dentry->d_inode->i_private)->unset_write_on_close) {
++#else
+       if (dentry->d_inode && dentry->d_inode->u.generic_ip) {
+               if  (((struct shfs_inode_info *)dentry->d_inode->u.generic_ip)->unset_write_on_close) {
++#endif
+                       char name[SHFS_PATH_MAX];
+                       if (get_name(dentry, name) < 0)
+@@ -302,7 +311,8 @@
+               goto error;
+       }
+       if (result != 0) {
+-              copy_to_user(buf, (char *)page, result);
++              if (copy_to_user(buf, (char *)page, result))
++                      goto error;
+               *ppos += result;
+       }
+ error:
+@@ -315,11 +325,15 @@
+ static ssize_t 
+ shfs_slow_write(struct file *f, const char *buf, size_t count, loff_t *offset)
+ {
+-      int written = 0;
++      ssize_t written = 0;
+       int result;
+       
+       DEBUG("\n");
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      written = do_sync_write(f, buf, count, offset);
++#else
+       written = generic_file_write(f, buf, count, offset);
++#endif
+       if (written > 0) {
+               result = do_file_flush(f);
+               written = result < 0 ? result: written;
+@@ -330,14 +344,23 @@
+ struct file_operations shfs_file_operations = {
+       .llseek         = generic_file_llseek,
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      .read           = do_sync_read,
++      .write          = do_sync_write,
++#else
+       .read           = generic_file_read,
+       .write          = generic_file_write,
++#endif
+       .ioctl          = shfs_ioctl,
+       .mmap           = generic_file_mmap,
+       .open           = shfs_file_open,
+       .flush          = shfs_file_flush,
+       .release        = shfs_file_release,
+       .fsync          = shfs_file_sync,
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      .aio_read       = generic_file_aio_read,
++      .aio_write      = generic_file_aio_write,
++#endif
+ };
+ struct file_operations shfs_slow_operations = {
+Index: shfs-0.35/shfs/Linux-2.6/proc.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/proc.c       2007-06-04 13:22:58.398977288 +0200
++++ shfs-0.35/shfs/Linux-2.6/proc.c    2007-06-04 13:22:59.021882592 +0200
+@@ -149,7 +149,12 @@
+ {
+       struct file *f = info->sock;
+       mm_segment_t fs;
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      ssize_t result = 0;
++      loff_t begin;
++#else
+       int c, result = 0;
++#endif
+       unsigned long flags, sigpipe;
+       sigset_t old_set;
+@@ -161,7 +166,9 @@
+                       return result;
+       }
+       
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19))
+       c = count;
++#endif
+       fs = get_fs();
+       set_fs(get_ds());
+@@ -173,6 +180,16 @@
+       SIGRECALC;
+       SIGUNLOCK(flags);
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      begin = f->f_pos;
++      result = do_sync_write(f, buffer, count, &f->f_pos);
++
++      if (result < 0) {
++              DEBUG("error: %d\n", result);
++              fput(f);
++              info->sock = NULL;
++      }
++#else
+       do {
+               struct iovec vec[1];
+@@ -190,6 +207,7 @@
+               buffer += result;
+               c -= result;
+       } while (c > 0);
++#endif
+       SIGLOCK(flags);
+       if (result == -EPIPE && !sigpipe) {
+@@ -204,7 +222,11 @@
+       DEBUG(">%d\n", result);
+       if (result < 0)
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++              set_garbage(info, 1, count - (f->f_pos - begin));
++#else
+               set_garbage(info, 1, c);
++#endif
+       else
+               result = count;
+       return result;
+@@ -222,6 +244,9 @@
+       int c, result = 0;
+       unsigned long flags, sigpipe;
+       sigset_t old_set;
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      loff_t begin;
++#endif
+       if (!f)
+               return -EIO;
+@@ -256,6 +281,20 @@
+       fs = get_fs();
+       set_fs(get_ds());
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++      begin = f->f_pos;
++      result = do_sync_read(f, buffer, c, &f->f_pos);
++
++      if (!result) {
++              /* peer has closed socket */
++              result = -EIO;
++      }
++      if (result < 0) {
++              DEBUG("error: %d\n", result);
++              fput(f);
++              info->sock = NULL;
++      }
++#else
+       do {
+               struct iovec vec[1];
+@@ -277,6 +316,7 @@
+               buffer += result;
+               c -= result;
+       } while (c > 0);
++#endif
+       SIGLOCK(flags);
+       if (result == -EPIPE && !sigpipe) {
+@@ -291,7 +331,11 @@
+       
+       DEBUG("<%d\n", result);
+       if (result < 0)
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++              set_garbage(info, 0, count - (f->f_pos - begin));
++#else
+               set_garbage(info, 0, c);
++#endif
+       else
+               result = count;
+       return result;
+@@ -316,8 +360,10 @@
+                       return result;
+       }
+       while (1) {
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(2,6,19))
+               struct iovec vec[1];
++#endif
+               nl = memchr(BUFFER, '\n', LEN);
+               if (nl) {
+                       *nl = '\0';
+@@ -348,9 +394,13 @@
+               fs = get_fs();
+               set_fs(get_ds());
++#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19))
++              result = do_sync_read(f, BUFFER+LEN, c, &f->f_pos);
++#else
+               vec[0].iov_base = BUFFER+LEN;
+               vec[0].iov_len = c;
+               result = f->f_op->readv(f, (const struct iovec *)&vec, 1, &f->f_pos);
++#endif
+               SIGLOCK(flags);
+               if (result == -EPIPE && !sigpipe) {
+                       sigdelset(&current->pending.signal, SIGPIPE);
diff --git a/net/shfs/patches/105-space_chars.patch b/net/shfs/patches/105-space_chars.patch
new file mode 100644 (file)
index 0000000..03ad832
--- /dev/null
@@ -0,0 +1,70 @@
+Index: shfs-0.35/shfs/Linux-2.4/shell.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.4/shell.c      2007-06-04 13:22:57.970042496 +0200
++++ shfs-0.35/shfs/Linux-2.4/shell.c   2007-06-04 13:22:59.249847936 +0200
+@@ -213,6 +213,7 @@
+       int c = 0;
+       int is_space = 1;
+       int device = 0;
++      char *start = s;
+       while (*s) {
+               if (c == DIR_COLS)
+@@ -227,17 +228,20 @@
+                                               s++;
+                               }
+                               *s = '\0';
++                              start = s+1;
+                               is_space = 1;
++                      } else {
++                              if (c != DIR_NAME)
++                                      start = s+1;
+                       }
+               } else {
+                       if (is_space) {
+                               /* (b)lock/(c)haracter device hack */
+-                              col[c++] = s;
++                              col[c++] = start;
+                               is_space = 0;
+                               if ((c-1 == DIR_PERM) && ((*s == 'b')||(*s == 'c'))) {
+                                       device = 1;
+                               }
+-
+                       }
+               }
+               s++;
+Index: shfs-0.35/shfs/Linux-2.6/shell.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/shell.c      2007-06-04 13:22:57.977041432 +0200
++++ shfs-0.35/shfs/Linux-2.6/shell.c   2007-06-04 13:22:59.249847936 +0200
+@@ -225,6 +225,7 @@
+       int c = 0;
+       int is_space = 1;
+       int device = 0;
++      char *start = s;
+       while (*s) {
+               if (c == DIR_COLS)
+@@ -239,17 +240,20 @@
+                                               s++;
+                               }
+                               *s = '\0';
++                              start = s+1;
+                               is_space = 1;
++                      } else {
++                              if (c != DIR_NAME)
++                                      start = s+1;
+                       }
+               } else {
+                       if (is_space) {
+                               /* (b)lock/(c)haracter device hack */
+-                              col[c++] = s;
++                              col[c++] = start;
+                               is_space = 0;
+                               if ((c-1 == DIR_PERM) && ((*s == 'b')||(*s == 'c'))) {
+                                       device = 1;
+                               }
+-
+                       }
+               }
+               s++;
diff --git a/net/shfs/patches/106-uidgid32.patch b/net/shfs/patches/106-uidgid32.patch
new file mode 100644 (file)
index 0000000..60510a2
--- /dev/null
@@ -0,0 +1,38 @@
+Index: shfs-0.35/shfs/Linux-2.4/shfs_fs_sb.h
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.4/shfs_fs_sb.h 2007-06-04 13:22:57.941046904 +0200
++++ shfs-0.35/shfs/Linux-2.4/shfs_fs_sb.h      2007-06-04 13:22:59.448817688 +0200
+@@ -38,10 +38,10 @@
+       struct shfs_fileops fops;
+       int version;
+       int ttl;
+-      __kernel_uid_t uid;
+-      __kernel_gid_t gid;
+-      __kernel_mode_t root_mode;
+-      __kernel_mode_t fmask;
++      uid_t uid;
++      gid_t gid;
++      mode_t root_mode;
++      mode_t fmask;
+       char mount_point[SHFS_PATH_MAX];
+       struct semaphore sock_sem;      /* next 4 vars are guarded */
+       struct file *sock;
+Index: shfs-0.35/shfs/Linux-2.6/shfs_fs_sb.h
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/shfs_fs_sb.h 2007-06-04 13:22:57.949045688 +0200
++++ shfs-0.35/shfs/Linux-2.6/shfs_fs_sb.h      2007-06-04 13:22:59.449817536 +0200
+@@ -38,10 +38,10 @@
+       struct shfs_fileops fops;
+       int version;
+       int ttl;
+-      __kernel_uid_t uid;
+-      __kernel_gid_t gid;
+-      __kernel_mode_t root_mode;
+-      __kernel_mode_t fmask;
++      uid_t uid;
++      gid_t gid;
++      mode_t root_mode;
++      mode_t fmask;
+       char mount_point[SHFS_PATH_MAX];
+       struct semaphore sock_sem;      /* next 4 vars are guarded */
+       struct file *sock;
diff --git a/net/shfs/patches/107-df.patch b/net/shfs/patches/107-df.patch
new file mode 100644 (file)
index 0000000..ca2c9d0
--- /dev/null
@@ -0,0 +1,38 @@
+Index: shfs-0.35/shfs/Linux-2.4/shell.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.4/shell.c      2007-06-04 13:22:59.249847936 +0200
++++ shfs-0.35/shfs/Linux-2.4/shell.c   2007-06-04 13:22:59.643788048 +0200
+@@ -961,11 +961,11 @@
+       s = info->sockbuf;
+       if ((p = strsep(&s, " ")))
+-              attr->f_blocks = simple_strtoull(p, NULL, 10);
++              attr->f_blocks = simple_strtoull(p, NULL, 10) >> 2;
+       if ((p = strsep(&s, " ")))
+-              attr->f_bfree = attr->f_blocks - simple_strtoull(p, NULL, 10);
++              attr->f_bfree = attr->f_blocks - (simple_strtoull(p, NULL, 10) >> 2);
+       if ((p = strsep(&s, " ")))
+-              attr->f_bavail = simple_strtoull(p, NULL, 10);
++              attr->f_bavail = simple_strtoull(p, NULL, 10) >> 2;
+       result = sock_readln(info, info->sockbuf, SOCKBUF_SIZE);
+       if (result < 0)
+Index: shfs-0.35/shfs/Linux-2.6/shell.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/shell.c      2007-06-04 13:22:59.249847936 +0200
++++ shfs-0.35/shfs/Linux-2.6/shell.c   2007-06-04 13:22:59.643788048 +0200
+@@ -974,11 +974,11 @@
+       s = info->sockbuf;
+       if ((p = strsep(&s, " ")))
+-              attr->f_blocks = simple_strtoull(p, NULL, 10);
++              attr->f_blocks = simple_strtoull(p, NULL, 10) >> 2;
+       if ((p = strsep(&s, " ")))
+-              attr->f_bfree = attr->f_blocks - simple_strtoull(p, NULL, 10);
++              attr->f_bfree = attr->f_blocks - (simple_strtoull(p, NULL, 10) >> 2);
+       if ((p = strsep(&s, " ")))
+-              attr->f_bavail = simple_strtoull(p, NULL, 10);
++              attr->f_bavail = simple_strtoull(p, NULL, 10) >> 2;
+       result = sock_readln(info, info->sockbuf, SOCKBUF_SIZE);
+       if (result < 0)
diff --git a/net/shfs/patches/108-no_update_mtab.patch b/net/shfs/patches/108-no_update_mtab.patch
new file mode 100644 (file)
index 0000000..9b4a9ae
--- /dev/null
@@ -0,0 +1,28 @@
+Index: shfs-0.35/shfsmount/shfsmount.c
+===================================================================
+--- shfs-0.35.orig/shfsmount/shfsmount.c       2007-06-04 13:22:57.883055720 +0200
++++ shfs-0.35/shfsmount/shfsmount.c    2007-06-04 13:22:59.838758408 +0200
+@@ -74,7 +74,7 @@
+ static int have_uid = 0;
+ /* do not update /etc/mtab */
+-static int nomtab = 0;
++static int nomtab = 1;
+ /* preserve owner of files */
+ static int preserve = 0;
+Index: shfs-0.35/shfsmount/shfsumount.c
+===================================================================
+--- shfs-0.35.orig/shfsmount/shfsumount.c      2007-06-04 13:22:57.890054656 +0200
++++ shfs-0.35/shfsmount/shfsumount.c   2007-06-04 13:22:59.838758408 +0200
+@@ -67,10 +67,6 @@
+       FILE *new_mtab;
+       struct mntent *ment;
+-        if ((fd = open(MOUNTED"~", O_RDWR|O_CREAT|O_EXCL, 0600)) == -1) {
+-                fprintf(stderr, "Can't get "MOUNTED"~ lock file");
+-                return 0;
+-        }
+         close(fd);
+         if ((mtab = setmntent(MOUNTED, "r")) == NULL) {
+                 fprintf(stderr, "Can't open " MOUNTED ": %s\n", strerror(errno));
diff --git a/net/shfs/patches/109-linux_2.6.22.patch b/net/shfs/patches/109-linux_2.6.22.patch
new file mode 100644 (file)
index 0000000..c91e052
--- /dev/null
@@ -0,0 +1,26 @@
+Index: shfs-0.35/shfs/Linux-2.6/dir.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/dir.c        2007-06-17 04:08:32.449815896 +0200
++++ shfs-0.35/shfs/Linux-2.6/dir.c     2007-06-17 04:08:41.766399560 +0200
+@@ -13,6 +13,7 @@
+ #include <asm/uaccess.h>
+ #include <linux/smp_lock.h>
+ #include <linux/stat.h>
++#include <linux/jiffies.h>
+ #include "shfs_fs.h"
+ #include "shfs_fs_i.h"
+Index: shfs-0.35/shfs/Linux-2.6/inode.c
+===================================================================
+--- shfs-0.35.orig/shfs/Linux-2.6/inode.c      2007-06-17 04:09:01.961329464 +0200
++++ shfs-0.35/shfs/Linux-2.6/inode.c   2007-06-17 04:13:08.501849608 +0200
+@@ -15,6 +15,9 @@
+ #include <asm/uaccess.h>
+ #include <linux/file.h>
+ #include <linux/smp_lock.h>
++#include <linux/jiffies.h>
++#include <linux/sched.h>
++#include <asm/current.h>
+ #include "shfs_fs.h"
+ #include "shfs_fs_sb.h"
diff --git a/net/strongswan/Makefile b/net/strongswan/Makefile
new file mode 100644 (file)
index 0000000..65a77be
--- /dev/null
@@ -0,0 +1,98 @@
+# 
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=strongswan
+PKG_VERSION:=2.8.2
+PKG_RELEASE:=2
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://download.strongswan.org/
+PKG_MD5SUM:=57427f5b48123851a73b10d78dd4f8d6
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/strongswan/Default
+  TITLE:=strongSwan
+  DEPENDS:=@LINUX_2_4
+  URL:=http://www.strongswan.org/
+endef
+
+define Package/strongswan/Default/description
+ strongSwan is an IPsec implementation for Linux.
+endef
+
+define Package/strongswan
+$(call Package/strongswan/Default)
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+kmod-strongswan +libgmp @LINUX_2_4
+  TITLE+= (daemon)
+endef
+
+define Package/strongswan/description
+$(call Package/strongswan/Default/description)
+ This package contains the strongSwan user-land daemon.
+endef
+
+define KernelPackage/strongswan
+$(call Package/strongswan/Default)
+  SUBMENU:=Network Support
+  TITLE+= (kernel module)
+  DEPENDS:=@LINUX_2_4
+  FILES:=$(PKG_BUILD_DIR)/linux/net/ipsec/ipsec.$(LINUX_KMOD_SUFFIX)
+  AUTOLOAD:=$(call AutoLoad,50,ipsec)
+endef
+
+define KernelPackage/strongswan/description
+$(call Package/strongswan/Default/description)
+ This package contains the strongSwan kernel module.
+endef
+
+PKG_MAKE_OPTS:= \
+               LINUX_RELEASE="$(LINUX_RELEASE)" \
+               KERNELSRC="$(LINUX_DIR)" \
+               ARCH="$(LINUX_KARCH)" \
+               CROSS_COMPILE="$(TARGET_CROSS)" \
+               USERCOMPILE="$(TARGET_CFLAGS) -I./linux/include $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS)" \
+               IPSECDIR="/usr/lib/ipsec" \
+               INC_USRLOCAL="/usr" \
+
+define Build/Compile
+       $(MAKE) -C $(PKG_BUILD_DIR) \
+               $(TARGET_CONFIGURE_OPTS) \
+               $(PKG_MAKE_OPTS) \
+               LDFLAGS="$(TARGET_LDFLAGS)" \
+               DESTDIR="$(PKG_INSTALL_DIR)" \
+               programs module install
+endef
+
+define Package/strongswan/install
+       $(CP) $(PKG_INSTALL_DIR)/* $(1)
+       $(INSTALL_DIR) $(1)/etc/init.d
+       $(INSTALL_DIR) $(1)/etc/config
+       $(INSTALL_DIR) $(1)/etc/cron.tick
+       $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+       $(INSTALL_DIR) $(1)/etc/hotplug.d/button
+       $(INSTALL_BIN) ./files/ipsec.init   $(1)/etc/init.d/ipsec
+       $(INSTALL_BIN) ./files/ipsec.cron   $(1)/etc/cron.tick/ipsec-wakeup
+       $(INSTALL_BIN) ./files/ipsec.iface  $(1)/etc/hotplug.d/iface/65-ipsec
+       $(INSTALL_BIN) ./files/ipsec.button $(1)/etc/hotplug.d/button/65-ipsec
+       $(INSTALL_DATA) ./files/ipsec.config $(1)/etc/config/ipsec
+       $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
+       rm -rf $(1)/usr/share
+       rm -rf $(1)/usr/man
+       rm -rf $(1)/var
+       rm -rf $(1)/etc/rc.d
+       find $(1) -name \*.old | xargs rm -rf
+endef
+
+$(eval $(call BuildPackage,strongswan))
+$(eval $(call KernelPackage,strongswan))
diff --git a/net/strongswan/files/ipsec.button b/net/strongswan/files/ipsec.button
new file mode 100644 (file)
index 0000000..9bd9023
--- /dev/null
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# snarf the code that loads the config values
+# since we also load the functions, might as well save the shell calls
+. /etc/init.d/ipsec
+
+[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit
+
+if [ ! -e /var/run/pluto.pid ] ; then
+
+       [ "$ACTION" = "pressed" ] && start
+       
+else
+
+       if   [ "$ACTION" = "pressed"  ] ; then
+       
+               stop 
+               
+       elif [ "$ACTION" = "released" ] ; then
+
+               while [ -e /var/run/pluto.pid ] ; do
+                       sleep 1
+               done
+
+               while ps auxww | grep ipsec | grep -v grep ; do
+                       sleep 1
+               done
+
+               start
+               
+       fi
+       
+fi
+
diff --git a/net/strongswan/files/ipsec.conf b/net/strongswan/files/ipsec.conf
new file mode 100644 (file)
index 0000000..8f59008
--- /dev/null
@@ -0,0 +1,34 @@
+
+version 2.0
+
+config setup
+        interfaces=%defaultroute
+        nat_traversal=yes              # required on both ends
+        uniqueids=yes                  # makes sense on client, not server
+        hidetos=no
+
+conn %default
+        authby=rsasig
+        keyingtries=3
+        keyexchange=ike
+        left=%defaultroute
+        leftrsasigkey=%cert
+        rightrsasigkey=%cert
+        dpdtimeout=30                  # keepalive must arrive within
+        dpddelay=5                     # secs before keepalives start
+        compress=no                    # breaks double nat installations
+        pfs=yes
+
+conn sample
+        leftca=%same
+        leftcert=my.certificate.crt
+        leftsourceip=192.168.10.1
+        leftsubnet=192.168.10.0/24
+        right=my.vpn.concentrator.net.
+        rightca=%same
+        rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, E=root@concentrator.net"
+        rightsourceip=192.168.11.1
+        rightsubnet=192.168.11.0/24
+        dpdaction=hold
+        auto=start
+
diff --git a/net/strongswan/files/ipsec.config b/net/strongswan/files/ipsec.config
new file mode 100644 (file)
index 0000000..b4865e4
--- /dev/null
@@ -0,0 +1,21 @@
+
+# Configure button/light behavior here.
+config device
+       option reset_button     ses
+       option status_start     ses_orange
+       option status_valid     ses_white
+
+# iptables setup for traffic to/from this host
+config filter
+       option rule_in          input_rule
+       option dest_in          ACCEPT
+       option rule_out         output_rule
+       option dest_out         ACCEPT
+
+# iptables setup for traffic to/from another host
+config forward
+       option rule_in          forwarding_rule
+       option dest_in          forwarding_vpn_in
+       option rule_out         forwarding_rule
+       option dest_out         forwarding_vpn_out
+
diff --git a/net/strongswan/files/ipsec.cron b/net/strongswan/files/ipsec.cron
new file mode 100644 (file)
index 0000000..d8c7dcc
--- /dev/null
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/sbin/ipsec wakeup
diff --git a/net/strongswan/files/ipsec.iface b/net/strongswan/files/ipsec.iface
new file mode 100644 (file)
index 0000000..0716bf7
--- /dev/null
@@ -0,0 +1,8 @@
+NAME=ipsec
+CTLFILE="/var/run/pluto.ctl"
+
+[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit
+
+[ -e "$CTLFILE" ] || exit
+
+/etc/init.d/ipsec update
diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init
new file mode 100644 (file)
index 0000000..4e8b8a2
--- /dev/null
@@ -0,0 +1,101 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+
+config_cb() {
+       local cfg="$CONFIG_SECTION"
+       local cfgt
+       config_get cfgt "$cfg" TYPE
+
+       case "$cfgt" in
+               device)
+                       config_get IPSEC_RESET_BUTTON           $cfg reset_button
+                       config_get IPSEC_STATUS_LED_START       $cfg status_start
+                       config_get IPSEC_STATUS_LED_VALID       $cfg status_valid
+                       ;;
+               filter)
+                       config_get IPSEC_UPDOWN_RULE_IN         $cfg rule_in
+                       config_get IPSEC_UPDOWN_DEST_IN         $cfg dest_in
+                       config_get IPSEC_UPDOWN_RULE_OUT        $cfg rule_out
+                       config_get IPSEC_UPDOWN_DEST_OUT        $cfg dest_out
+                       ;;
+               forward)
+                       config_get IPSEC_UPDOWN_FWD_RULE_IN     $cfg rule_in
+                       config_get IPSEC_UPDOWN_FWD_DEST_IN     $cfg dest_in
+                       config_get IPSEC_UPDOWN_FWD_RULE_OUT    $cfg rule_out
+                       config_get IPSEC_UPDOWN_FWD_DEST_OUT    $cfg dest_out
+                       ;;
+               *)
+                       ;;
+       esac
+}
+
+config_load ipsec
+
+export IPSEC_RESET_BUTTON
+export IPSEC_STATUS_LED_START
+export IPSEC_STATUS_LED_VALID
+
+export IPSEC_UPDOWN_RULE_IN
+export IPSEC_UPDOWN_DEST_IN
+export IPSEC_UPDOWN_RULE_OUT
+export IPSEC_UPDOWN_DEST_OUT
+
+export IPSEC_UPDOWN_FWD_RULE_IN
+export IPSEC_UPDOWN_FWD_DEST_IN
+export IPSEC_UPDOWN_FWD_RULE_OUT
+export IPSEC_UPDOWN_FWD_DEST_OUT
+
+
+start() {
+
+       [ -f /etc/ipsec.conf      ] || exit
+       [ -e /var/run/starter.pid ] && exit
+
+       /usr/sbin/ipsec _showstatus start
+       
+       # stuff the dnsmasq cache in case dns is on our own subnet
+       for peer in `grep left= /etc/ipsec.conf | \
+                               cut -f 1 -d% | cut -f 2 -d=` ; do
+               ping -c 1 $peer > /dev/null 2>&1
+       done
+       
+       /usr/sbin/ipsec start || exit
+       
+       # work around broken routing behavior:
+       # a route to the local wan segment will appear
+       # the need was removed in the patched _updown script
+
+       while ! route -n | grep -q ipsec ; do sleep 1 ; done
+
+       defint=`route -n | awk '/^0.0.0.0/{print $8}'`
+       defnet=`route -n | grep $defint | awk  '!/^0.0.0.0/{print $1}'`
+       dnmask=`route -n | grep $defint | awk  '!/^0.0.0.0/{print $3}'`
+       tundev=`route -n | grep $defnet | awk '/ipsec/{print $8}'`
+       
+       route del -net $defnet netmask $dnmask dev $tundev
+}
+
+
+stop() {
+
+       /usr/sbin/ipsec stop 2> /dev/null
+
+       # wait until the shutdown actually happens
+       while [ -e /var/run/starter.pid ] ; do
+               if [ -d /proc/`cat /var/run/starter.pid` ] ; then
+                       sleep 1
+               else
+                       rm /var/run/starter.pid
+               fi
+       done
+
+       # kill any lingering processes
+       while ps auxww | grep -q ipsec | grep -v init.d; do
+               kill `ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}'` 2> /dev/null
+               sleep 1
+       done
+
+       ipsec _showstatus stop
+}
+
diff --git a/net/strongswan/patches/100-ar-fixes.patch b/net/strongswan/patches/100-ar-fixes.patch
new file mode 100644 (file)
index 0000000..2e9d780
--- /dev/null
@@ -0,0 +1,81 @@
+Index: strongswan-2.8.2/lib/libcrypto/libaes/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/lib/libcrypto/libaes/Makefile        2007-06-04 13:23:04.777007680 +0200
++++ strongswan-2.8.2/lib/libcrypto/libaes/Makefile     2007-06-04 13:23:04.873992936 +0200
+@@ -25,10 +25,8 @@
+ $(BLIB): $(LIBOBJ)
+       /bin/rm -f $(BLIB)
+-      ar cr $(BLIB) $(LIBOBJ)
+-      -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+-      else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+-      else exit 0; fi; fi
++      $(AR) cr $(BLIB) $(LIBOBJ)
++      $(RANLIB) $(BLIB)
+ testx: test_main_mac.o $(BLIB)
+       $(CC) -o $@ $^ 
+Index: strongswan-2.8.2/lib/libcrypto/libblowfish/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/lib/libcrypto/libblowfish/Makefile   2007-06-04 13:23:04.783006768 +0200
++++ strongswan-2.8.2/lib/libcrypto/libblowfish/Makefile        2007-06-04 13:23:04.873992936 +0200
+@@ -58,7 +58,7 @@
+ lib:  $(LIB)
+ $(LIB):       $(LIBOBJ)
+-      $(AR) $(LIB) $(LIBOBJ)
++      $(AR) -r $(LIB) $(LIBOBJ)
+       $(RANLIB) $(LIB)
+ # elf
+Index: strongswan-2.8.2/lib/libcrypto/libserpent/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/lib/libcrypto/libserpent/Makefile    2007-06-04 13:23:04.790005704 +0200
++++ strongswan-2.8.2/lib/libcrypto/libserpent/Makefile 2007-06-04 13:23:04.873992936 +0200
+@@ -8,10 +8,8 @@
+ $(BLIB): $(LIBOBJ)
+       /bin/rm -f $(BLIB)
+-      ar cr $(BLIB) $(LIBOBJ)
+-      -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+-      else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+-      else exit 0; fi; fi
++      $(AR) cr $(BLIB) $(LIBOBJ)
++      $(RANLIB) $(BLIB)
+ test: test_main.o $(BLIB)
+       $(CC) -o $@ $^ 
+Index: strongswan-2.8.2/lib/libcrypto/libsha2/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/lib/libcrypto/libsha2/Makefile       2007-06-04 13:23:04.796004792 +0200
++++ strongswan-2.8.2/lib/libcrypto/libsha2/Makefile    2007-06-04 13:23:04.874992784 +0200
+@@ -9,10 +9,8 @@
+ $(BLIB): $(LIBOBJ)
+       /bin/rm -f $(BLIB)
+-      ar cr $(BLIB) $(LIBOBJ)
+-      -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+-      else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+-      else exit 0; fi; fi
++      $(AR) cr $(BLIB) $(LIBOBJ)
++      $(RANLIB) $(BLIB)
+ test: test_main.o $(BLIB)
+       $(CC) -o $@ $^ 
+Index: strongswan-2.8.2/lib/libcrypto/libtwofish/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/lib/libcrypto/libtwofish/Makefile    2007-06-04 13:23:04.804003576 +0200
++++ strongswan-2.8.2/lib/libcrypto/libtwofish/Makefile 2007-06-04 13:23:04.874992784 +0200
+@@ -9,10 +9,8 @@
+ $(BLIB): $(LIBOBJ)
+       /bin/rm -f $(BLIB)
+-      ar cr $(BLIB) $(LIBOBJ)
+-      -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+-      else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+-      else exit 0; fi; fi
++      $(AR) cr $(BLIB) $(LIBOBJ)
++      $(RANLIB) $(BLIB)
+ test: test_main.o $(BLIB)
+       $(CC) -o $@ $^ 
diff --git a/net/strongswan/patches/110-make-ipsec.patch b/net/strongswan/patches/110-make-ipsec.patch
new file mode 100644 (file)
index 0000000..0d2a4e6
--- /dev/null
@@ -0,0 +1,11 @@
+Index: strongswan-2.8.2/programs/ipsec/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/programs/ipsec/Makefile      2007-06-04 13:23:04.756010872 +0200
++++ strongswan-2.8.2/programs/ipsec/Makefile   2007-06-04 13:23:05.227939128 +0200
+@@ -24,5 +24,5 @@
+ include ../Makefile.program
+ install:: ipsec
+-      @$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
++      @$(INSTALL) $(INSTBINFLAGS) -D ipsec $(RCDIR)/ipsec
diff --git a/net/strongswan/patches/120-make-pluto.patch b/net/strongswan/patches/120-make-pluto.patch
new file mode 100644 (file)
index 0000000..e0dd813
--- /dev/null
@@ -0,0 +1,13 @@
+Index: strongswan-2.8.2/programs/pluto/alg/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/programs/pluto/alg/Makefile  2007-06-04 13:23:04.734014216 +0200
++++ strongswan-2.8.2/programs/pluto/alg/Makefile       2007-06-04 13:23:05.416910400 +0200
+@@ -20,7 +20,7 @@
+ include Config.ike_alg
+ LIBCRYPTO:=../../../lib/libcrypto
+-ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I-  -I ../../../linux/include -I $(LIBCRYPTO)
++ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I-  -I ../../../linux/include -I $(LIBCRYPTO) $(USERCOMPILE)
+ LIBALG := libalg.o
+ all : $(LIBALG)
diff --git a/net/strongswan/patches/130-make-starter.patch b/net/strongswan/patches/130-make-starter.patch
new file mode 100644 (file)
index 0000000..93888ab
--- /dev/null
@@ -0,0 +1,21 @@
+Index: strongswan-2.8.2/programs/starter/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/programs/starter/Makefile    2007-06-04 13:23:04.711017712 +0200
++++ strongswan-2.8.2/programs/starter/Makefile 2007-06-04 13:23:06.227787128 +0200
+@@ -16,7 +16,6 @@
+ FREESWANSRCDIR?=$(shell cd ../..; pwd)
+ include ${FREESWANSRCDIR}/Makefile.inc
+-LD=$(CC)
+ RM=rm
+ LEX=flex
+ BISON=bison
+@@ -59,7 +58,7 @@
+ all:  starter
+ starter:      $(OBJS) $(FREESWANLIB)
+-              $(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
++              $(CC) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
+ lex.yy.c:     parser.tab.c parser.l parser.y parser.h
+               $(LEX) parser.l
diff --git a/net/strongswan/patches/200-wakeup-showstatus.patch b/net/strongswan/patches/200-wakeup-showstatus.patch
new file mode 100644 (file)
index 0000000..731f83c
--- /dev/null
@@ -0,0 +1,234 @@
+Index: strongswan-2.8.2/programs/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/programs/Makefile    2007-06-04 13:23:04.661025312 +0200
++++ strongswan-2.8.2/programs/Makefile 2007-06-04 13:23:06.414758704 +0200
+@@ -22,7 +22,7 @@
+ SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+ SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+ SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient
++SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq
+Index: strongswan-2.8.2/programs/_showstatus/Makefile
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ strongswan-2.8.2/programs/_showstatus/Makefile     2007-06-04 13:23:06.414758704 +0200
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002  Michael Richardson      <mcr@freeswan.org>
++# 
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++# 
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=_showstatus
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+Index: strongswan-2.8.2/programs/_showstatus/_showstatus.8
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.8        2007-06-04 13:23:06.414758704 +0200
+@@ -0,0 +1,23 @@
++.TH _showstatus 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: _showstatus.8
++.\"
++.SH NAME
++ipsec _showstatus \- give state feedback via led or other method
++.SH SYNOPSIS
++.I _showstatus
++is invoked by _updown to trigger led's, or other distribution
++or platform specific behavior. Presently, the SES button is
++supported as a status light on OpenWRT platforms. The button
++is configurable by environment variable:
++-B IPSEC_STATUS_LED_START
++defaults to ses_orange, and
++-B IPSEC_STATUS_LED_VALID
++defaults to ses_white.
++.SH "SEE ALSO"
++ipsec(8), ipsec_updown(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+Index: strongswan-2.8.2/programs/_showstatus/_showstatus.in
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.in       2007-06-04 13:23:06.414758704 +0200
+@@ -0,0 +1,70 @@
++#! /bin/sh
++#
++# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
++# 
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++# 
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: _showstatus.in
++
++
++LED_START=$IPSEC_STATUS_LED_START
++LED_VALID=$IPSEC_STATUS_LED_VALID
++
++[ -z "$LED_START" ] && LED_START="ses_orange"
++[ -z "$LED_VALID" ] && LED_VALID="ses_white"
++
++
++setled() {
++      led=$1
++      st=$2
++
++      [ -n "$led" -a -n "$st" ] || return
++      
++      if [ -w "/proc/diag/led/$led" ] ; then
++              echo "$st" > "/proc/diag/led/$led"
++      fi
++
++      # integrate other led control methods here
++
++}
++
++
++case "$1" in
++      'start')
++              [ -n "$LED_VALID" ] && setled "$LED_START" 1
++              [ -z "$LED_VALID" ] && setled "$LED_START" f
++              setled "$LED_VALID" 0
++              ;;
++      'stop')
++              setled "$LED_START" 0
++              setled "$LED_VALID" 0
++              ;;
++      'valid')
++              setled "$LED_VALID" 1
++              ;;
++      'invalid')
++              setled "$LED_VALID" 0
++              ;;
++      'up')
++              [ -n "$LED_VALID" ] && setled "$LED_START" 0
++              [ -z "$LED_VALID" ] && setled "$LED_START" 1
++              setled "$LED_VALID" 1
++              ;;
++      'down')
++              [ -n "$LED_VALID" ] && setled "$LED_START" 1
++              [ -z "$LED_VALID" ] && setled "$LED_START" f
++              setled "$LED_VALID" f
++              ;;
++      *)
++              echo "$0: unknown status $status" >&2
++              ;;
++esac
++
+Index: strongswan-2.8.2/programs/wakeup/Makefile
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ strongswan-2.8.2/programs/wakeup/Makefile  2007-06-04 13:23:06.415758552 +0200
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002  Michael Richardson      <mcr@freeswan.org>
++# 
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++# 
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=wakeup
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+Index: strongswan-2.8.2/programs/wakeup/wakeup.8
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ strongswan-2.8.2/programs/wakeup/wakeup.8  2007-06-04 13:23:06.415758552 +0200
+@@ -0,0 +1,16 @@
++.TH wakeup 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: wakeup.8
++.\"
++.SH NAME
++ipsec wakeup \- stalled and down connection detection
++.SH SYNOPSIS
++.I wakeup
++is invoked by cron and checks ipsec status, whacking as necessary.
++.SH "SEE ALSO"
++ipsec(8), ipsec_whack(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+Index: strongswan-2.8.2/programs/wakeup/wakeup.in
+===================================================================
+--- /dev/null  1970-01-01 00:00:00.000000000 +0000
++++ strongswan-2.8.2/programs/wakeup/wakeup.in 2007-06-04 13:23:06.415758552 +0200
+@@ -0,0 +1,38 @@
++#! /bin/sh
++# wakeup script
++#
++# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
++# 
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++# 
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
++#
++
++# only applicable when ipsec is running
++[ -e /var/run/pluto.pid ] || exit
++
++# loop through any erouted tunnels in the HOLD state
++for f in  `ipsec status | awk '/erouted HOLD/{ print $2 }' | cut -f1 -d\: | cut -f2 -d\"` ; do
++
++        # only whack if no pending events at all exists
++        ipsec status | grep STATE | grep -q $f ||
++                ipsec whack --name $f --initiate --asynchronous
++
++done
++
++# loop through any tunnels that don't quite exist
++for f in `ipsec status | awk '/prospective erouted/{ print $2 }' | cut -f1 -d: | grep -v \# | cut -f2 -d\"` ; do
++
++        ipsec status | grep STATE_QUICK | grep -q $f || {
++                ipsec status | grep STATE_MAIN | grep -q $f && ipsec down $f
++                ipsec up $f
++        }
++
++done
++
diff --git a/net/strongswan/patches/210-updown.patch b/net/strongswan/patches/210-updown.patch
new file mode 100644 (file)
index 0000000..d546625
--- /dev/null
@@ -0,0 +1,662 @@
+Index: strongswan-2.8.2/programs/_updown/_updown.8
+===================================================================
+--- strongswan-2.8.2.orig/programs/_updown/_updown.8   2007-06-04 13:23:04.632029720 +0200
++++ strongswan-2.8.2/programs/_updown/_updown.8        2007-06-04 13:23:06.656721920 +0200
+@@ -8,8 +8,23 @@
+ .I _updown
+ is invoked by pluto when it has brought up a new connection. This script
+ is used to insert the appropriate routing entries for IPsec operation.
+-It can also be used to insert and delete dynamic iptables firewall rules.
+-The interface to the script is documented in the pluto man page.
++It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
++By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
++tables. Most distributions will want to change that to provide more
++flexibility in their firewall configuration.
++The script looks for the environment variables
++.B IPSEC_UPDOWN_RULE_IN
++for the iptables table it should insert into,
++.B IPSEC_UPDOWN_DEST_IN
++for where the rule should -j jump to,
++.B IPSEC_UPDOWN_RULE_OUT
++.B IPSEC_UPDOWN_DEST_OUT
++for the same on outgoing packets, and
++.B IPSEC_UPDOWN_FWD_RULE_IN
++.B IPSEC_UPDOWN_FWD_DEST_IN
++.B IPSEC_UPDOWN_FWD_RULE_OUT
++.B IPSEC_UPDOWN_FWD_DEST_OUT
++respectively for packets being forwarded to/from the local networks.
+ .SH "SEE ALSO"
+ ipsec(8), ipsec_pluto(8).
+ .SH HISTORY
+Index: strongswan-2.8.2/programs/_updown/_updown.in
+===================================================================
+--- strongswan-2.8.2.orig/programs/_updown/_updown.in  2007-06-04 13:23:04.642028200 +0200
++++ strongswan-2.8.2/programs/_updown/_updown.in       2007-06-04 13:23:06.657721768 +0200
+@@ -5,6 +5,7 @@
+ # Copyright (C) 2003-2004 Tuomo Soini
+ # Copyright (C) 2002-2004 Michael Richardson
+ # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
++# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
+ # 
+ # This program is free software; you can redistribute it and/or modify it
+ # under the terms of the GNU General Public License as published by the
+@@ -118,20 +119,61 @@
+ #              restricted on the peer side.
+ #
+-# uncomment to log VPN connections
+-VPN_LOGGING=1
+-#
++# set to /bin/true to silence log messages
++LOGGER=logger
++
+ # tag put in front of each log entry:
+ TAG=vpn
+-#
++
+ # syslog facility and priority used:
+-FAC_PRIO=local0.notice
+-#
+-# to create a special vpn logging file, put the following line into
+-# the syslog configuration file /etc/syslog.conf:
+-#
+-# local0.notice                   -/var/log/vpn
+-#
++FAC_PRIO=authpriv.info
++
++
++# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
++if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
++      IPSEC_POLICY_IN=""
++      IPSEC_POLICY_OUT=""
++else
++      IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
++      IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
++      IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
++fi
++
++# are there port numbers?
++if [ "$PLUTO_MY_PORT" != 0 ] ; then
++      S_MY_PORT="--sport $PLUTO_MY_PORT"
++      D_MY_PORT="--dport $PLUTO_MY_PORT"
++fi
++
++if [ "$PLUTO_PEER_PORT" != 0 ] ; then
++      S_PEER_PORT="--sport $PLUTO_PEER_PORT"
++      D_PEER_PORT="--dport $PLUTO_PEER_PORT"
++fi
++
++# import firewall behavior
++IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
++IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
++IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
++IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
++
++# import forwarding behavior
++FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
++FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
++FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
++FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
++
++# default firewall behavior
++[ -z "$IPT_RULE_IN"  ] && IPT_RULE_IN=INPUT
++[ -z "$IPT_DEST_IN"  ] && IPT_DEST_IN=ACCEPT
++[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
++[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
++
++# default forwarding behavior
++[ -z "$FWD_RULE_IN"  ] && FWD_RULE_IN=FORWARD
++[ -z "$FWD_DEST_IN"  ] && FWD_DEST_IN=ACCEPT
++[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
++[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
++
+ # check interface version
+ case "$PLUTO_VERSION" in
+@@ -150,8 +192,6 @@
+ case "$1:$*" in
+ ':')                  # no parameters
+       ;;
+-iptables:iptables)    # due to (left/right)firewall; for default script only
+-      ;;
+ custom:*)             # custom parameters (see above CAUTION comment)
+       ;;
+ *)    echo "$0: unknown parameters \`$*'" >&2
+@@ -159,345 +199,307 @@
+       ;;
+ esac
++
+ # utility functions for route manipulation
+ # Meddling with this stuff should not be necessary and requires great care.
++
+ uproute() {
+       doroute add
+       ip route flush cache
+ }
++
+ downroute() {
+       doroute delete
+       ip route flush cache
+ }
++upfirewall() {
++      in_rule=$1
++      in_dest=$2
++      out_rule=$3
++      out_dest=$4
++
++      [ -n "$in_rule" -a -n "$in_dest" ] &&           \
++      iptables -I $in_rule 1                          \
++              -i $PLUTO_INTERFACE                     \
++              -p $PLUTO_MY_PROTOCOL                   \
++              -s $PLUTO_PEER_CLIENT   $S_PEER_PORT    \
++              -d $PLUTO_MY_CLIENT     $D_MY_PORT      \
++              $IPSEC_POLICY_IN                        \
++              -j $in_dest
++
++      [ -n "$out_rule" -a -n "$out_dest" ] &&         \
++      iptables -I $out_rule 1                         \
++              -o $PLUTO_INTERFACE                     \
++              -p $PLUTO_PEER_PROTOCOL                 \
++              -s $PLUTO_MY_CLIENT     $S_MY_PORT      \
++              -d $PLUTO_PEER_CLIENT   $D_PEER_PORT    \
++              $IPSEC_POLICY_OUT                       \
++              -j $out_dest
++
++}
++
++downfirewall() {
++      in_rule=$1
++      in_dest=$2
++      out_rule=$3
++      out_dest=$4
++
++      [ -n "$in_rule" -a -n "$in_dest" ] &&           \
++      iptables -D $in_rule                            \
++              -i $PLUTO_INTERFACE                     \
++              -p $PLUTO_MY_PROTOCOL                   \
++              -s $PLUTO_PEER_CLIENT   $S_PEER_PORT    \
++              -d $PLUTO_MY_CLIENT     $D_MY_PORT      \
++              $IPSEC_POLICY_IN                        \
++              -j $in_dest
++
++      [ -n "$out_rule" -a -n "$out_dest" ] &&         \
++      iptables -D $out_rule                           \
++              -o $PLUTO_INTERFACE                     \
++              -p $PLUTO_PEER_PROTOCOL                 \
++              -s $PLUTO_MY_CLIENT     $S_MY_PORT      \
++              -d $PLUTO_PEER_CLIENT   $D_PEER_PORT    \
++              $IPSEC_POLICY_OUT                       \
++              -j $out_dest
++
++}
++
+ addsource() {
+       st=0
+-      if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+-      then
++
++      if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
++
+           it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+           oops="`eval $it 2>&1`"
+           st=$?
+-          if test " $oops" = " " -a " $st" != " 0"
+-          then
++
++          if [ " $oops"  = " " -a " $st" != " 0" ] ; then
+               oops="silent error, exit status $st"
+           fi
+-          if test " $oops" != " " -o " $st" != " 0"
+-          then
++
++          if [ " $oops" != " " -o " $st" != " 0" ] ; then
+               echo "$0: addsource \`$it' failed ($oops)" >&2
+           fi
+       fi
++
+       return $st
+ }
+ doroute() {
+       st=0
+       parms="$PLUTO_PEER_CLIENT"
++      parms2="dev $PLUTO_INTERFACE"
+-      parms2=
+-      if [ -n "$PLUTO_NEXT_HOP" ]
+-      then
+-         parms2="via $PLUTO_NEXT_HOP"
+-      fi
+-      parms2="$parms2 dev $PLUTO_INTERFACE"
+-
+-      if [ -z "$PLUTO_MY_SOURCEIP" ]
+-      then
+-          if [ -f /etc/sysconfig/defaultsource ]
+-          then
+-              . /etc/sysconfig/defaultsource
+-          fi
++      if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
+-          if [ -f /etc/conf.d/defaultsource ]
+-          then
+-              . /etc/conf.d/defaultsource
+-          fi
++              [ -f /etc/sysconfig/defaultsource ] && \
++                      . /etc/sysconfig/defaultsource
++
++              [ -f /etc/conf.d/defaultsource ] && \
++                      . /etc/conf.d/defaultsource
++
++              [ -n "$DEFAULTSOURCE" ] && \
++                      PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+-          if [ -n "$DEFAULTSOURCE" ]
+-          then
+-              PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+-          fi
+         fi
+       parms3=
+-      if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
+-      then
++      if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
+           addsource
+           parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
+       fi
+-      case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+-      "0.0.0.0/0.0.0.0")
++      if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++                                              "0.0.0.0/0.0.0.0" ] ; then
+               # opportunistic encryption work around
+               # need to provide route that eclipses default, without 
+               # replacing it.
+-              it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+-                      ip route $1 128.0.0.0/1 $parms2 $parms3"
+-              ;;
+-      *)      it="ip route $1 $parms $parms2 $parms3"
+-              ;;
+-      esac
++              it="ip route $1   0.0.0.0/1 $parms2 $parms3 &&
++                  ip route $1 128.0.0.0/1 $parms2 $parms3"
++      else
++              it="ip route $1 $parms $parms2 $parms3"
++      fi
++
+       oops="`eval $it 2>&1`"
+       st=$?
+-      if test " $oops" = " " -a " $st" != " 0"
+-      then
+-          oops="silent error, exit status $st"
+-      fi
+-      if test " $oops" != " " -o " $st" != " 0"
+-      then
+-          echo "$0: doroute \`$it' failed ($oops)" >&2
++
++      if [ " $oops" = " " -a " $st" != " 0" ] ; then
++              oops="silent error, exit status $st"
+       fi
++
++      if [ " $oops" != " " -o " $st" != " 0" ] ; then
++              echo "$0: doroute \`$it' failed ($oops)" >&2
++      fi
++
+       return $st
+ }
+- 
+-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
+-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+-then
+-      IPSEC_POLICY_IN=""
+-      IPSEC_POLICY_OUT=""
+-else
+-      IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+-      IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+-      IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+-fi
+-# are there port numbers?
+-if [ "$PLUTO_MY_PORT" != 0 ]
+-then
+-      S_MY_PORT="--sport $PLUTO_MY_PORT"
+-      D_MY_PORT="--dport $PLUTO_MY_PORT"
+-fi
+-if [ "$PLUTO_PEER_PORT" != 0 ]
+-then
+-      S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+-      D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+-fi
++dologentry() {
++      action=$1
++
++      if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
++              rem="$PLUTO_PEER"
++      else
++              rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
++      fi
++
++      if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
++              loc="$PLUTO_ME"
++      else
++              loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
++      fi
++
++      $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
++}
++
+ # the big choice
++
+ case "$PLUTO_VERB:$1" in
+ prepare-host:*|prepare-client:*)
+       # delete possibly-existing route (preliminary to adding a route)
+-      case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+-      "0.0.0.0/0.0.0.0")
+-              # need to provide route that eclipses default, without 
++
++      if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++                                              "0.0.0.0/0.0.0.0" ] ; then
++              # need to remove the route that eclipses default, without 
+               # replacing it.
+-              parms1="0.0.0.0/1"
+-              parms2="128.0.0.0/1"
+-              it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+-              oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+-              ;;
+-      *)
+-              parms="$PLUTO_PEER_CLIENT"
+-              it="ip route delete $parms 2>&1"
+-              oops="`ip route delete $parms 2>&1`"
+-              ;;
+-      esac
+-      status="$?"
+-      if test " $oops" = " " -a " $status" != " 0"
+-      then
+-              oops="silent error, exit status $status"
++              it="( ip route delete   0.0.0.0/1 ;
++                    ip route delete 128.0.0.0/1 )"
++      else
++              it="ip route delete $PLUTO_PEER_CLIENT"
++      fi
++
++      oops="`$it 2>&1`"
++      st="$?"
++
++      if [ " $oops" = " " -a " $st" != " 0" ] ; then
++              oops="silent error, exit status $st"
+       fi
++
+       case "$oops" in
+       *'RTNETLINK answers: No such process'*) 
+               # This is what route (currently -- not documented!) gives
+               # for "could not find such a route".
+               oops=
+-              status=0
++              st=0
+               ;;
+       esac
+-      if test " $oops" != " " -o " $status" != " 0"
+-      then
++
++      if [ " $oops" != " " -o " $st" != " 0" ] ; then
+               echo "$0: \`$it' failed ($oops)" >&2
+       fi
+-      exit $status
++
++      exit $st
++
+       ;;
+ route-host:*|route-client:*)
+       # connection to me or my client subnet being routed
++
++      ipsec _showstatus valid
+       uproute
++
+       ;;
+ unroute-host:*|unroute-client:*)
+       # connection to me or my client subnet being unrouted
++
++      ipsec _showstatus invalid
+       downroute
++
+       ;;
+-up-host:)
++up-host:*)
+       # connection to me coming up
+-      # If you are doing a custom version, firewall commands go here.
++
++      ipsec _showstatus up
++      upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++      dologentry "VPN-UP"
++
+       ;;
+-down-host:)
++down-host:*)
+       # connection to me going down
+-      # If you are doing a custom version, firewall commands go here.
+-      ;;
+-up-client:)
+-      # connection to my client subnet coming up
+-      # If you are doing a custom version, firewall commands go here.
+-      ;;
+-down-client:)
+-      # connection to my client subnet going down
+-      # If you are doing a custom version, firewall commands go here.
++
++      ipsec _showstatus down
++      downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++      dologentry "VPN-DN"
++
+       ;;
+-up-host:iptables)
+-      # connection to me, with (left/right)firewall=yes, coming up
+-      # This is used only by the default updown script, not by your custom
+-      # ones, so do not mess with it; see CAUTION comment up at top.
+-      iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-          -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-          -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-      iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-          -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+-          -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+-      #
+-      # log IPsec host connection setup
+-      if [ $VPN_LOGGING ]
+-      then
+-        if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+-        then
+-          logger -t $TAG -p $FAC_PRIO \
+-            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+-        else
+-          logger -t $TAG -p $FAC_PRIO \
+-            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+-        fi
+-      fi      
+-      ;;
+-down-host:iptables)
+-      # connection to me, with (left/right)firewall=yes, going down
+-      # This is used only by the default updown script, not by your custom
+-      # ones, so do not mess with it; see CAUTION comment up at top.
+-      iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-          -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-          -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-      iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-          -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+-          -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+-      #
+-      # log IPsec host connection teardown
+-      if [ $VPN_LOGGING ]
+-      then
+-        if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+-        then
+-          logger -t $TAG -p $FAC_PRIO -- \
+-            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+-        else
+-          logger -t $TAG -p $FAC_PRIO -- \
+-          "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+-        fi
+-      fi
+-      ;;
+-up-client:iptables)
+-      # connection to client subnet, with (left/right)firewall=yes, coming up
+-      # This is used only by the default updown script, not by your custom
+-      # ones, so do not mess with it; see CAUTION comment up at top.
+-      if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+-      then
+-        iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+-            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+-               $IPSEC_POLICY_OUT -j ACCEPT
+-        iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+-               $IPSEC_POLICY_IN -j ACCEPT
++up-client:*)
++      # connection to client subnet coming up
++
++      ipsec _showstatus up
++
++      if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++           "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++              upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+       fi
+-      #
++
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+-      if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+-      then
+-        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+-               $IPSEC_POLICY_IN -j ACCEPT
+-        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+-            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+-               $IPSEC_POLICY_OUT -j ACCEPT
+-      fi
+-      #
+-      # log IPsec client connection setup
+-      if [ $VPN_LOGGING ]
+-      then
+-        if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+-        then
+-          logger -t $TAG -p $FAC_PRIO \
+-            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-        else
+-          logger -t $TAG -p $FAC_PRIO \
+-            "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-        fi
+-      fi
+-      ;;
+-down-client:iptables)
+-      # connection to client subnet, with (left/right)firewall=yes, going down
+-      # This is used only by the default updown script, not by your custom
+-      # ones, so do not mess with it; see CAUTION comment up at top.
+-      if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+-      then
+-        iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+-            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+-               $IPSEC_POLICY_OUT -j ACCEPT
+-        iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+-               $IPSEC_POLICY_IN -j ACCEPT
++      if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++              upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++      fi
++
++      dologentry "VPN-UP"
++
++      ;;
++down-client:*)
++      # connection to client subnet going down
++
++      ipsec _showstatus down
++
++      if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++           "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++              downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+       fi
+-      #
++
+       # a virtual IP requires an INPUT and OUTPUT rule on the host
+       # or sometimes host access via the internal IP is needed
+-      if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+-      then
+-        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-            -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-            -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+-               $IPSEC_POLICY_IN -j ACCEPT
+-        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-            -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+-            -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+-               $IPSEC_POLICY_OUT -j ACCEPT
+-      fi
+-      #
+-      # log IPsec client connection teardown
+-      if [ $VPN_LOGGING ]
+-      then
+-        if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+-        then
+-          logger -t $TAG -p $FAC_PRIO -- \
+-            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-        else
+-          logger -t $TAG -p $FAC_PRIO -- \
+-            "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-        fi
++      if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++              downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+       fi
++
++      dologentry "VPN-DN"
++
+       ;;
+-#
+-# IPv6
+-#
+ prepare-host-v6:*|prepare-client-v6:*)
++
+       ;;
+ route-host-v6:*|route-client-v6:*)
+       # connection to me or my client subnet being routed
++
+       #uproute_v6
++
+       ;;
+ unroute-host-v6:*|unroute-client-v6:*)
+       # connection to me or my client subnet being unrouted
++
+       #downroute_v6
++
+       ;;
+ up-host-v6:*)
+       # connection to me coming up
+       # If you are doing a custom version, firewall commands go here.
++
+       ;;
+ down-host-v6:*)
+       # connection to me going down
+       # If you are doing a custom version, firewall commands go here.
++
+       ;;
+ up-client-v6:)
+       # connection to my client subnet coming up
+       # If you are doing a custom version, firewall commands go here.
++
+       ;;
+ down-client-v6:)
+       # connection to my client subnet going down
+       # If you are doing a custom version, firewall commands go here.
++
+       ;;
+-*)    echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
++*)
++      echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+       exit 1
++
+       ;;
+ esac
++
diff --git a/net/strongswan/patches/300-openwrt.patch b/net/strongswan/patches/300-openwrt.patch
new file mode 100644 (file)
index 0000000..e249a8d
--- /dev/null
@@ -0,0 +1,26 @@
+Index: strongswan-2.8.2/Makefile.inc
+===================================================================
+--- strongswan-2.8.2.orig/Makefile.inc 2007-06-04 13:23:04.604033976 +0200
++++ strongswan-2.8.2/Makefile.inc      2007-06-04 13:23:06.855691672 +0200
+@@ -123,7 +123,7 @@
+ # With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
+ # INC_RCDIRS directories has been pre-created under DESTDIR.
+ INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
+-INC_RCDEFAULT=/etc/rc.d/init.d
++INC_RCDEFAULT=/etc/init.d
+ # RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
+ # will finally be (so utils/Makefile can create a symlink in BINDIR to the
+Index: strongswan-2.8.2/programs/showhostkey/showhostkey.in
+===================================================================
+--- strongswan-2.8.2.orig/programs/showhostkey/showhostkey.in  2007-06-04 13:23:04.612032760 +0200
++++ strongswan-2.8.2/programs/showhostkey/showhostkey.in       2007-06-04 13:23:06.855691672 +0200
+@@ -62,7 +62,7 @@
+       exit 1
+ fi
+-host="`hostname --fqdn`"
++host="`cat /proc/sys/kernel/hostname`"
+ awk ' BEGIN {
+               inkey = 0
diff --git a/net/strongswan/patches/310-make-ipsec-alg.patch b/net/strongswan/patches/310-make-ipsec-alg.patch
new file mode 100644 (file)
index 0000000..d5fad3d
--- /dev/null
@@ -0,0 +1,19 @@
+Index: strongswan-2.8.2/linux/net/ipsec/alg/Makefile.alg_cryptoapi
+===================================================================
+--- strongswan-2.8.2.orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi   2007-06-04 13:23:04.583037168 +0200
++++ strongswan-2.8.2/linux/net/ipsec/alg/Makefile.alg_cryptoapi        2007-06-04 13:23:07.053661576 +0200
+@@ -1,10 +1,10 @@
+ MOD_CRYPTOAPI := ipsec_cryptoapi.o
+ ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
+-ALG_MODULES += $(MOD_CRYPTOAPI)
+-obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
+-static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
+-alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
++#ALG_MODULES += $(MOD_CRYPTOAPI)
++#obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
++#static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
++#alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+ else
+ $(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
+ endif
diff --git a/net/strongswan/patches/320-no-modprobe.patch b/net/strongswan/patches/320-no-modprobe.patch
new file mode 100644 (file)
index 0000000..d8c3648
--- /dev/null
@@ -0,0 +1,108 @@
+Index: strongswan-2.8.2/programs/starter/klips.c
+===================================================================
+--- strongswan-2.8.2.orig/programs/starter/klips.c     2007-06-04 13:23:04.544043096 +0200
++++ strongswan-2.8.2/programs/starter/klips.c  2007-06-04 13:23:07.238633456 +0200
+@@ -44,7 +44,7 @@
+           unsetenv("MODPATH");
+           unsetenv("MODULECONF");
+           system("depmod -a >/dev/null 2>&1");
+-          system("modprobe -qv ipsec");
++          system("insmod -qv ipsec");
+       }
+       if (stat(PROC_IPSECVERSION, &stb) == 0)
+       {
+@@ -62,11 +62,11 @@
+     /* make sure that all available crypto algorithms are loaded */
+     if (stat(PROC_MODULES, &stb) == 0)
+     {
+-      system("modprobe -qv ipsec_aes");
+-      system("modprobe -qv ipsec_serpent");
+-      system("modprobe -qv ipsec_twofish");
+-      system("modprobe -qv ipsec_blowfish");
+-      system("modprobe -qv ipsec_sha2");
++      system("insmod -qv ipsec_aes");
++      system("insmod -qv ipsec_serpent");
++      system("insmod -qv ipsec_twofish");
++      system("insmod -qv ipsec_blowfish");
++      system("insmod -qv ipsec_sha2");
+     }
+     starter_klips_clear();
+Index: strongswan-2.8.2/programs/starter/netkey.c
+===================================================================
+--- strongswan-2.8.2.orig/programs/starter/netkey.c    2007-06-04 13:23:04.551042032 +0200
++++ strongswan-2.8.2/programs/starter/netkey.c 2007-06-04 13:23:07.238633456 +0200
+@@ -36,7 +36,7 @@
+       /* af_key module makes the netkey proc interface visible */
+       if (stat(PROC_MODULES, &stb) == 0)
+       {
+-          system("modprobe -qv af_key");
++          system("insmod -qv af_key");
+       }
+       /* now test again */
+@@ -52,11 +52,11 @@
+     /* make sure that all required IPsec modules are loaded */
+     if (stat(PROC_MODULES, &stb) == 0)
+     {
+-      system("modprobe -qv ah4");
+-      system("modprobe -qv esp4");
+-      system("modprobe -qv ipcomp");
+-      system("modprobe -qv xfrm4_tunnel");
+-      system("modprobe -qv xfrm_user");
++      system("insmod -qv ah4");
++      system("insmod -qv esp4");
++      system("insmod -qv ipcomp");
++      system("insmod -qv xfrm4_tunnel");
++      system("insmod -qv xfrm_user");
+     }
+     DBG(DBG_CONTROL,
+Index: strongswan-2.8.2/programs/_startklips/_startklips.in
+===================================================================
+--- strongswan-2.8.2.orig/programs/_startklips/_startklips.in  2007-06-04 13:23:04.560040664 +0200
++++ strongswan-2.8.2/programs/_startklips/_startklips.in       2007-06-04 13:23:07.238633456 +0200
+@@ -249,7 +249,7 @@
+ if test ! -f $ipsecversion && test ! -f $netkey
+ then
+-      modprobe -v af_key
++      insmod -v af_key
+ fi
+ if test -f $netkey
+@@ -257,11 +257,11 @@
+       klips=false
+       if test -f $modules
+       then
+-              modprobe -qv ah4
+-              modprobe -qv esp4
+-              modprobe -qv ipcomp
+-              modprobe -qv xfrm4_tunnel
+-              modprobe -qv xfrm_user
++              insmod -qv ah4
++              insmod -qv esp4
++              insmod -qv ipcomp
++              insmod -qv xfrm4_tunnel
++              insmod -qv xfrm_user
+       fi
+ fi
+@@ -272,7 +272,7 @@
+                 setmodule
+                 unset MODPATH MODULECONF        # no user overrides!
+                 depmod -a >/dev/null 2>&1
+-                modprobe -v ipsec
++                insmod -v ipsec
+         fi
+         if test ! -f $ipsecversion
+         then
+@@ -288,7 +288,7 @@
+       do
+               if test -f $moduleinstplace/alg/ipsec_$alg.o
+               then
+-                      modprobe ipsec_$alg
++                      insmod ipsec_$alg
+               fi
+       done
+ fi
diff --git a/net/strongswan/patches/350-make-programs.patch b/net/strongswan/patches/350-make-programs.patch
new file mode 100644 (file)
index 0000000..aba9577
--- /dev/null
@@ -0,0 +1,21 @@
+Index: strongswan-2.8.2/programs/Makefile
+===================================================================
+--- strongswan-2.8.2.orig/programs/Makefile    2007-06-04 13:23:06.414758704 +0200
++++ strongswan-2.8.2/programs/Makefile 2007-06-04 13:23:07.444602144 +0200
+@@ -17,12 +17,10 @@
+ FREESWANSRCDIR=..
+ include ${FREESWANSRCDIR}/Makefile.inc
+-SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto 
+-SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
+-SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+-SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+-SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
++SUBDIRS=_copyright _updown _showstatus wakeup examples
++SUBDIRS+=barf calcgoo eroute ikeping klipsdebug look mailkey manual
++SUBDIRS+=openac pf_key pluto proc ranbits rsasigkey scepclient secrets
++SUBDIRS+=showdefaults showhostkey spi spigrp starter tncfg ipsec
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq