debian/0000755000000000000000000000000012255622167007176 5ustar debian/racoon.lintian-overrides0000644000000000000000000000021411766214464014037 0ustar racoon: possible-gpl-code-linked-with-openssl racoon binary: init.d-script-missing-dependency-on-remote_fs etc/init.d/racoon: required-stop debian/postinst0000644000000000000000000000164211766214464011012 0ustar #! /bin/sh # postinst script for ipsec-tools # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package # case "$1" in configure) ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/racoon.init0000644000000000000000000000753111766214464011355 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: racoon # Required-Start: $remote_fs setkey # Required-Stop: # Should-Start: $portmap # Should-Stop: $portmap # Default-Start: S # Default-Stop: 0 1 6 # X-Stop-After: sendsigs # Short-Description: start the ipsec key exchange server ### END INIT INFO # # Written by Miquel van Smoorenburg . # Modified for Debian GNU/Linux # by Ian Murdock . # Modified from /etc/init.d/skeleton # by Matthew Grant # PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin TOOL=/usr/sbin/racoon-tool DAEMON=/usr/sbin/racoon NAME=racoon DESC="IKE (ISAKMP/Oakley) server" DEF_CFG="/etc/default/racoon" PID_FILE="/var/run/racoon.pid" PROC_FILE="/proc/net/pfkey" test -f $TOOL || exit 0 test -f $DAEMON || exit 0 CONFIG_MODE="direct" RACOON_ARGS="" [ -f "$DEF_CFG" ] && . $DEF_CFG if [ ! 
-d /var/run/racoon ]; then mkdir -p /var/run/racoon fi check_kernel () { local MOD_DIR=/lib/modules/`uname -r` local FOUT [ -f "$PROC_FILE" ] && return 0 [ ! -d "$MOD_DIR" ] && return 1 FOUT=`find $MOD_DIR -name "*af_key*"` [ -z "$FOUT" ] && return 1 return 0 } if [ "$(uname -s)" = "Linux" ] && ! check_kernel ; then echo "racoon - IKE keying daemon will not be started as $PROC_FILE is not" 1>&2 echo " available or a suitable 2.6 (or 2.4 with IPSEC backport)" 1>&2 echo " kernel with af_key.[k]o module installed." 1>&2 exit 0 fi if [ "$(uname -s)" = "GNU/kFreeBSD" ]; then result=0 setkey -DP >/dev/null || result=$? if [ $result -ne 0 ]; then echo "racoon - IKE keying daemon will not be started as this kFreeBSD kernel" 1>&2 echo "is not compiled with support for IPsec." 1>&2 exit 0; fi fi . /lib/init/vars.sh . /lib/lsb/init-functions do_start () { start-stop-daemon --start --quiet --pidfile $PID_FILE --exec $DAEMON --test > /dev/null \ || return 1 start-stop-daemon --start --quiet --exec ${DAEMON} -- ${RACOON_ARGS} \ || return 2 } do_stop () { start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PID_FILE --name $NAME RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON [ "$?" = 2 ] && return 2 rm -f $PID_FILE /var/run/racoon/racoon.sock return "$RETVAL" } case $CONFIG_MODE in racoon-tool) # /usr/sbin/racoon-tool command complies with Debian Policy so just do this: # NB the following makes lintian happy case "$1" in start|stop|reload|force-reload|restart) $TOOL $* ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) $TOOL $* ;; esac ;; *) case "$1" in start) [ "$VERBOSE" != no ] && log_begin_msg "Starting $DESC" "$NAME" do_start case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; stop) [ "$VERBOSE" != no ] && log_begin_msg "Stopping $DESC" "$NAME" do_stop case "$?" 
in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; reload) racoonctl reload-config ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; restart|force-reload) log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in 0|1) do_start case "$?" in 0) log_end_msg 0 ;; 1) log_end_msg 1 ;; # Old process is still running *) log_end_msg 1 ;; # Failed to start esac ;; *) log_end_msg 1 ;; esac ;; *) log_success_msg "Usage: $0 {start|stop|status|reload|force-reload|restart}" >&2 exit 1 esac ;; esac exit 0 debian/racoon-tool.conf.50000644000000000000000000002331611766214464012454 0ustar .TH RACOON-TOOL.CONF 5 .SH NAME racoon-tool.conf \- configuration file for .BR racoon-tool (8). .SH "DESCRIPTION" This manual page documents briefly the .BR racoon-tool.conf (5) , configuration file format. .PP Please consult the .BR racoon.conf (5) man-page first to better understand what is written about here. .SH SYNTAX The .BR racoon-tool.conf (5) file is laid out in sections. .PP Comments are delimited on the left by `#', and can be on a line by themselves, or at the end of a line. .PP The possible sections are .I global, .I connection, and .I peer. The possible templates are .I spdadd, .I spdadd_transport_ip4, .I spdadd_transport_ip6, .I spdinit, .I sadinit, .I sadadd, .I remote, .I sainfo, and .I racooninit. .PP Sections start with .I section: and then continue with their properties (name terminated by `:' then value), and templates ALWAYS have to have each line started with .I template: Sections and templates can be named, with the name occurring in parenthesis between the last character of their type and the final colon. .SH SECTIONS The possible sections are: .TP .BR global: Contains global parameters for the generated .BR racoon.conf (5), and global settings used by .BR racoon-tool (8). 
Available settings are: .I path_pre_shared_key, .I path_certificate, .I path_racoon_conf, .I privsep, .I privsep_chroot, .I privsep_user, .I privsep_group, .I racoon_command, .I racoon_pid_file, .I log, .I listen[[0-9a-z]], and .I complex_bundle. Apart from .I racoon_command, and .I racoon_pid_file, the settings map across to the similarly named options in .BR racoon.conf (5). The items .I privsep, .I privsep_chroot, .I privsep_user, .I privsep_group, are related to the .I privsep section in .BR racoon.conf(5) .I Privsep is a boolean option to turn on privilege separation. The default is to chroot to '/', as quite a bit of setup is required in the chroot directory; note that a chroot of '/' gives no filesystem confinement, so the separation then comes only from the switch to .I privsep_user and .I privsep_group. The .I listen directive is a bit different from the man-page and takes multiple .I {ip-address} [[port]] statements by attaching an index `0-9',`a-z' in square brackets immediately before the colon. .TP .BR connection( "%default|%anonymous|[-_a-z0-9]+" ): Connection as described by the complementary SPD entries. Creates `sainfo' sections in the generated .BR racoon.conf (5), and associated SPD entries. Directives and values are basically one for one with the relevant entries in .BR racoon.conf (5). .I Spdadd: can be used to override the template automatically selected. The templates that are automatically selected depending on connection .I mode and IPv4 or IPv6 addressing are .BR spdadd, .BR spdadd_transport_ip4, and .BR spdadd_transport_ip6. The supplied default transport mode templates do not encrypt ICMP as this can easily result in SPD policy difficulties. Boolean parameters .I auto_ah_on_esp, always_ah_on_esp can be used to add AH encapsulation to the `esp' mode transform supplied by the default .BR spdadd templates. The IKE phase 2 identifier type can be set with the .I id_type option, either `address' or `subnet'. Compression can be added to the default transforms by using the .I compression boolean. Multiple SPD rule pairs can be entered in place of the pair supplied by the default spdadd templates. 
They are signified by adding an index made up from the characters (case-insensitive) in the regular expression `[-_0-9a-z]+' to the .I src_port, and/or .I dst_port entries, within square brackets immediately before the colon. Only one port needs to be defined, with the other defaulting to `[any]'. Additional properties for the rule pair can be given by .I encap, and .I policy entries, with the appropriate index entry in square brackets before the colon. Please note that on the FreeBSD kernel ( .BR ipsec (4) ) nested ipsec policy transforms are not supported, and that ipcomp is buggy. The `%default' VPN connection fills in entries in other specified connections, unless they are otherwise defined within the specific connection. The `%anonymous' connection is there for a passive VPN server. .TP .BR peer( "%default|%anonymous|[a-f0-9:\.]+" ): Defines the phase 1 attributes associated with a peer. This creates `remote' entries in the generated .BR racoon.conf (5). Directives and values are basically one for one with the relevant entries in .BR racoon.conf (5). Different proposals are signified by adding an index `0-9', `a-z', or made up from characters (case-insensitive) in the regular expression `[-_0-9a-z]+' to the .I encryption_algorithm, .I hash_algorithm, .I dh_group, and .I authentication_method entries, within square brackets immediately before the colon. The `%default' peer fills in entries in other specified peers, unless they are otherwise defined within the specific peer. The `%anonymous' peer is there for a passive VPN server. .SH TEMPLATES Templates are described briefly here. You will have to look inside the .BR racoon-tool (8) perl script to see exactly what you can do. .TP .BR spdinit: Portion that can be used to initialise the SPD. Uses setkey syntax. See .BR setkey (8). .TP .BR sadinit: Portion that can be used to initialise the SAD. Uses setkey syntax. See .BR setkey (8). 
.TP .BR spdadd(%default|[-_a-z0-9]+): Template for adding SPD entries. Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in .BR setkey (8). The built in template is named `%default'. .TP .BR spdadd_transport_ip4(%transport_ip4_default|[-_a-z0-9]+): Template for adding SPD entries for IPv4 when transport .I mode is desired. Different templates can be used, but have to be selected with the .I spdadd connection property. Keys for replacement are of the form `___setkey_name___', with names found in .BR setkey (8). The built in template is named `%transport_ip4_default'. .TP .BR spdadd_transport_ip6(%transport_ip6_default|[-_a-z0-9]+): Template for adding SPD entries for IPv6 when transport .I mode is desired. Different templates can be used, but have to be selected with the .I spdadd connection property. Keys for replacement are of the form `___setkey_name___', with names found in .BR setkey (8). The built in template is named `%transport_ip6_default'. .TP .BR sadadd(%default|[-_a-z0-9]+): Template for adding SAD entries. Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in .BR setkey (8). The built in template is named `%default'. .TP .BR remote(%default|[-_a-z0-9]+): Template for adding 'remote' entries to the generated .BR racoon.conf(5). Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in .BR setkey (8). The built in template is named `%default'. .TP .BR sainfo(%default|[-_a-z0-9]+): Template for adding 'sainfo' entries to the generated .BR racoon.conf (5). Different templates can be used. Keys for replacement are of the form `___setkey_name___', with names found in .BR setkey (8). The built in template is named `%default'. .TP .BR racooninit: Template for adding your own section to the start of the generated .BR racoon.conf (5). 
.SH "EXAMPLES" Example of a simple configuration using PSK authentication. .PP .nf # # Configuration file for racoon-tool # # See racoon-tool.conf(5) for details # # # Simple PSK - authentication defaults to pre_shared_key # connection(bacckdoor-doormat): src_range: 192.168.223.1/32 dst_range: 192.168.200.0/24 src_ip: 172.31.1.1 dst_ip: 10.0.0.1 admin_status: enabled compression: no lifetime: time 20 min authentication_algorithm: hmac_sha1 encryption_algorithm: 3des peer(10.0.0.1): verify_cert: on passive: off verify_identifier: off lifetime: time 60 min hash_algorithm[0]: sha1 encryption_algorithm[0]: 3des .fi .PP Example of a complex configuration with multple networks betweenthe same endpoints, as well as use of `%default' for common settings. .PP .nf # # Configuration file for racoon-tool # global: log: notify # default settings to save typing peer(%default): certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key my_identifier: fqdn blurke.bar.com lifetime: time 60 min verify_identifier: on verify_cert: on hash_algorithm[0]: sha1 encryption_algorithm[0]: 3des authentication_method[0]: rsasig connection(%default): authentication_algorithm: hmac_sha1 encryption_algorithm: 3des src_ip: 172.31.1.1 lifetime: time 20 min # Connection to work peer(10.0.0.1): peers_identifier: fqdn blue.sky.com connection(blurke-blue-sky-work): src_range: 192.168.203.1/32 dst_range: 172.16.0.0/24 dst_ip: 10.0.0.1 admin_status: enabled # Connection to telehoused servers connection(blurke-mail): src_range: 192.168.203.0/24 dst_range: 172.20.1.1 dst_ip: 10.100.0.1 encryption_algorithm: blowfish compression: on admin_status: yes peer(10.100.0.1): peers_identifier: fqdn mail.bar.com connection(blurke-web1): src_range: 192.168.203.0/24 dst_range: 172.20.1.23 dst_ip: 10.100.0.1 encryption_algorithm: blowfish admin_status: yes connection(blurke-web2): src_range: 192.168.203.0/24 dst_range: 172.20.1.24 dst_ip: 10.100.0.1 encryption_algorithm: blowfish admin_status: yes # Test connection to 
Free S/WAN connection(blurke-freeswan): src_range: 192.168.203.0/24 dst_range: 172.17.100.0/24 dst_ip: 172.30.1.1 admin_status: yes peer(172.30.1.1): peers_identifier: fqdn banshee .fi .SH "FILES" .TP .I /etc/racoon/racoon-tool.conf (configuration header file) .TP .I /etc/racoon/racoon-tool.conf.d/*.conf optional portions. The file(s) that this man page describes. .TP .I /var/lib/racoon/racoon.conf The generated racoon.conf. .SH "SEE ALSO" .BR racoon.conf (5), .BR racoon-tool (8), .BR racoon (8), .BR setkey (8), .BR ipsec(4) on FreeBSD. .SH BUGS This man page is by no means complete. .SH AUTHOR This manual page was written by Matthew Grant for the Debian GNU/Linux system (but may be used by others). debian/racoon.templates0000644000000000000000000000233212000505265012362 0ustar # These templates have been reviewed by the debian-l10n-english # team # # If modifications/additions/rewording are needed, please ask # debian-l10n-english@lists.debian.org for advice. # # Even minor modifications require translation updates and such # changes should be coordinated with translators and reviewers. Template: racoon/config_mode Type: select __Choices: direct, racoon-tool Default: direct _Description: Configuration mode for racoon IKE daemon: Racoon can be configured either directly, by editing /etc/racoon/racoon.conf, or using the racoon-tool administrative front end. . Use of the "direct" method is strongly recommended if you want to use all the racoon examples on the Net, and if you want to use the full racoon feature set. You will have to directly edit /etc/racoon/racoon.conf and possibly manually set up the Security Policy Database via setkey. . Racoon-tool has been updated for racoon 0.8.0, and is for use in basic configuration setups. It gives the benefit of managing the SPD along with the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/X509 auth, and basic "anonymous" VPN server are supported. . 
More information is available in /usr/share/doc/racoon/README.Debian. debian/racoon-tool.80000644000000000000000000000646111766214464011535 0ustar .TH RACOON-TOOL 8 .\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection .\" other parms are allowed: see man(7), man(1) .SH NAME racoon-tool \- program to manage the .BR racoon (8) IPSEC IKE daemon. .SH SYNOPSIS .B racoon-tool .I "[-h] reload|restart|force-reload|start|stop" .br .B racoon-tool .I "[-h] sadflush|spdflush|saddump|spddump" .br .B racoon-tool .I "[-h] vpndown|vdown|vpnup|vup connection-name|all" .br .B racoon-tool .I "[-h] vpnreload|vreload connection-name|all" .br .B racoon-tool .I "[-h] vpnlist|vlist [connection-name|all]" .br .B racoon-tool .I "[-h] vpnmenu|vmenu [connection-name-regexp]" .br .B racoon-tool .I "[-h] racoonstart|racoonstop|rstart|rstop" .br .SH "DESCRIPTION" This manual page documents briefly the .BR racoon-tool command. .BR racoon-tool (8) is a perl script that can be used to control the .BR racoon (8) IKE daemon and the SPD database within the kernel via the .BR setkey (8) command. Various operations that it can do are described below. .PP You can also optionally choose not to use it via reconfiguring the .I racoon package using .BR dpkg-reconfigure (8). .SH OPTIONS A summary of options is included below. .TP .B \-h Show summary of options. .SH COMMANDS .TP .B start Start .BR racoon (8), loading any needed modules, configuring the SPD, and generating a configuration from .I /etc/racoon/racoon-tool.conf (head) and following up with .I *.conf files from .I /etc/racoon/racoon-tool.conf.d/. .TP .B stop Stop .BR racoon (8) unloading any crypto/IPSEC modules, flushing the SAD and SPD. .TP .B reload Regenerate the configuration from .I /etc/racoon/racoon-tool.conf, and .I /etc/racoon/racoon-tool.conf.d/, (the same sources as .I start ), .I HUP .BR racoon (8) and reinitialise the SPD and SAD. .TP .B restart|force-reload Perform a .I stop followed by a .I start .TP .B sadflush Flush the SAD via .BR setkey (8). 
.TP .B spdflush Flush the SPD via .BR setkey (8). .TP .B saddump|dump Dump the SAD to screen via .BR setkey (8), paginating via your pager. .TP .B spddump Dump the SPD to screen via .BR setkey (8), paginating via your pager. .TP .BR "vpnup|vup" " connection-name|all" Bring up the VPN connection(s). .TP .BR "vpndown|vdown" " connection-name|all" Take down the VPN connection(s). .TP .BR "vpnreload|vreload" " connection-name|all" Reload the VPN connection(s). .TP .BR "vpnlist|vlist" " [connection-name|all]" List the known VPN connections in .I /etc/racoon/racoon-tool.conf, etc. Can be used by a script or administrator to see if a VPN connection exists. .TP .BR "vpnmenu|vmenu" " [connection-name-regexp]" Start the VPN menu management mode. This displays the SPD, and you can shut down VPNs from here. Later on, support will be added for checking status and reloading the chosen connection. .TP .B racoonstart|rstart Start only the .BR racoon (8) daemon. .TP .B racoonstop|rstop Stop only the .BR racoon (8) daemon. .SH "FILES" .TP .I /etc/racoon/racoon-tool.conf \- configuration file (head). .TP .I /etc/racoon/racoon-tool.conf.d \- configuration file segment directory read after the above. .TP .I /var/lib/racoon/racoon.conf \- generated racoon.conf .SH "SEE ALSO" .BR racoon (8), .BR racoon.conf (5), .BR setkey (8), .BR racoon-tool.conf (5). .SH AUTHOR This manual page was written by Matthew Grant , for the Debian GNU/Linux system (but may be used by others). 
\" LocalWords: RACOON debian/racoon-tool.conf0000644000000000000000000000216211766214464012305 0ustar # # Configuration file for racoon-tool # # See racoon-tool.conf(5) for details # global: # How to control the syslog level log: notify # Turn this on for extra security (privilege separation, see racoon.conf(5)). # Not enabled by default because the listen and path settings then only # take effect on a restart, not on a reload privsep: no # # Example of multiple networks to one endpoint # #connection(bacckdoor-doormat): # src_range: 192.168.223.1/32 # dst_range: 192.168.200.0/24 # src_ip: 172.31.1.1 # dst_ip: 10.0.0.1 # admin_status: enabled # compression: no # lifetime: time 20 min # authentication_algorithm: hmac_sha1,hmac_md5 # encryption_algorithm: aes,3des #connection(backdoor-outhouse): # src_range: 192.168.223.0/24 # dst_range: 10.255.255.254 # src_ip: 172.31.1.1 # dst_ip: 10.0.0.1 # admin_status: no # lifetime: time 20 min # authentication_algorithm: hmac_sha1 # encryption_algorithm: 3des #peer(10.0.0.1): # verify_cert: on # passive: off # verify_identifier: off # lifetime: time 60 min # hash_algorithm[0]: sha1 # encryption_algorithm[0]: 3des ## my_identifier: fqdn backdoor.foo.bar ## peers_identifier: fqdn garden-path.foo.bar ## certificate_type: x509 bLaH.pem PrIv.pem debian/copyright0000644000000000000000000002526211766214463011132 0ustar This is the Debian packaged version of ipsec-tools. Sources for this package can be found at its homepage at http://ipsec-tools.sourceforge.net/ . The code is copyright 1995, 1996, 1997, 1998, and 1999 by the WIDE Project and licensed under the BSD license. Copyright (c) The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The GSSAPI code is copyright 2000 Wasabi Systems, Inc and lincensed under the following license: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Wasabi Systems for Zembu Labs, Inc. http://www.zembu.com/ 4. The name of Wasabi Systems, Inc. 
may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The racoon-tool perl script is: Copyright Matthew Grant 2004-2012, Catalyst IT Ltd 2004, Voyager Internet Ltd 2012. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. On Debian GNU/Linux systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL-2'. A copy of the GNU General Public License is also available at . You may also obtain it by writing to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. The OpenSSL License is: Copyright (c) 1998-2004 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson The upstream sources were obtained from http://www.openssl.org/ LICENSE ISSUES ============== The OpenSSL toolkit stays under a dual license, i.e. 
both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. OpenSSL License --------------- /* ==================================================================== * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. 
Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). 
* * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ debian/ipsec-tools.symbols0000644000000000000000000000550711766214464013063 0ustar libipsec.so.0 ipsec-tools #MINVER# __ipsec_errcode@Base 0.7.3 __ipsec_set_strerror@Base 0.7.3 __libipsec_create_buffer@Base 0.7.3 __libipsec_delete_buffer@Base 0.7.3 __libipsec_flex_debug@Base 0.7.3 __libipsec_flush_buffer@Base 0.7.3 __libipsec_scan_buffer@Base 0.7.3 __libipsec_scan_bytes@Base 0.7.3 __libipsec_scan_string@Base 0.7.3 __libipsec_switch_to_buffer@Base 0.7.3 __libipsecalloc@Base 0.7.3 __libipsecchar@Base 0.7.3 __libipsecerror@Base 0.7.3 __libipsecfree@Base 0.7.3 __libipsecget_debug@Base 0.7.3 __libipsecget_in@Base 0.7.3 __libipsecget_leng@Base 0.7.3 __libipsecget_lineno@Base 0.7.3 __libipsecget_out@Base 0.7.3 __libipsecget_text@Base 0.7.3 __libipsecin@Base 0.7.3 __libipsecleng@Base 0.7.3 __libipseclex@Base 0.7.3 __libipseclex_destroy@Base 0.7.3 __libipseclineno@Base 0.7.3 __libipseclval@Base 0.7.3 __libipsecnerrs@Base 0.7.3 __libipsecout@Base 0.7.3 __libipsecparse@Base 0.7.3 __libipsecpop_buffer_state@Base 0.7.3 __libipsecpush_buffer_state@Base 0.7.3 __libipsecrealloc@Base 0.7.3 __libipsecrestart@Base 0.7.3 __libipsecset_debug@Base 0.7.3 __libipsecset_in@Base 0.7.3 __libipsecset_lineno@Base 0.7.3 
__libipsecset_out@Base 0.7.3 __libipsectext@Base 0.7.3 __policy__strbuffer__free__@Base 0.7.3 __policy__strbuffer__init__@Base 0.7.3 ipsec_bindump@Base 0.7.3 ipsec_check_keylen2@Base 0.7.3 ipsec_check_keylen@Base 0.7.3 ipsec_dump_policy@Base 0.7.3 ipsec_dump_policy_withports@Base 0.7.3 ipsec_get_keylen@Base 0.7.3 ipsec_get_policylen@Base 0.7.3 ipsec_hexdump@Base 0.7.3 ipsec_set_policy@Base 0.7.3 ipsec_strerror@Base 0.7.3 kdebug_sadb@Base 0.7.3 libipsec_opt@Base 0.7.3 pfkey_align@Base 0.7.3 pfkey_check@Base 0.7.3 pfkey_close@Base 0.7.3 pfkey_get_softrate@Base 0.7.3 pfkey_open@Base 0.7.3 pfkey_recv@Base 0.7.3 pfkey_recv_register@Base 0.7.3 pfkey_sadump@Base 0.7.3 pfkey_sadump_withports@Base 0.7.3 pfkey_send@Base 0.7.3 pfkey_send_add2@Base 0.7.3 pfkey_send_add@Base 0.7.3 pfkey_send_add_nat@Base 0.7.3 pfkey_send_delete@Base 0.7.3 pfkey_send_delete_all@Base 0.7.3 pfkey_send_dump@Base 0.7.3 pfkey_send_flush@Base 0.7.3 pfkey_send_get@Base 0.7.3 pfkey_send_getspi@Base 0.7.3 pfkey_send_getspi_nat@Base 0.8.0 pfkey_send_migrate@Base 0.7.3 pfkey_send_promisc_toggle@Base 0.7.3 pfkey_send_register@Base 0.7.3 pfkey_send_spdadd2@Base 0.7.3 pfkey_send_spdadd@Base 0.7.3 pfkey_send_spddelete2@Base 0.7.3 pfkey_send_spddelete@Base 0.7.3 pfkey_send_spddump@Base 0.7.3 pfkey_send_spdflush@Base 0.7.3 pfkey_send_spdget@Base 0.7.3 pfkey_send_spdsetidx@Base 0.7.3 pfkey_send_spdupdate2@Base 0.7.3 pfkey_send_spdupdate@Base 0.7.3 pfkey_send_update2@Base 0.7.3 pfkey_send_update@Base 0.7.3 pfkey_send_update_nat@Base 0.7.3 pfkey_set_buffer_size@Base 0.8.0 pfkey_set_softrate@Base 0.7.3 pfkey_set_supported@Base 0.7.3 pfkey_spdump@Base 0.7.3 pfkey_spdump_withports@Base 0.7.3 debian/racoon.postinst0000644000000000000000000000610011766214464012264 0ustar #! 
/bin/sh # postinst script for racoon # # see: dh_installdeb(1) set -e update_param() { eval old=\"'$'$1\" eval new=\"'$'new_$1\" if test "$old" = "$new"; then return fi if test -z "$old"; then grep -Eq "^ *$1=" "$INITCONFFILE" || echo "$1=" \ >> "$INITCONFFILE" fi sed -e "s/^ *$1=.*/$1=\"$new\"/" < $INITCONFFILE > $INITCONFFILE.$$ mv -f $INITCONFFILE.$$ $INITCONFFILE } # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package # case "$1" in configure) if [ -L /etc/rc2.d/S20racoon ]; then # remove this old entry, we'll add correct one below update-rc.d -f racoon remove > /dev/null || exit 0 fi if ! getent passwd racoon >/dev/null; then adduser --quiet --system --group --no-create-home --home /var/lib/racoon --shell /bin/false racoon fi ;; abort-upgrade|abort-remove|abort-deconfigure) exit 0 ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # Handle debconf . /usr/share/debconf/confmodule INITCONFFILE=/etc/default/racoon # We generate several files during the postinst, and we don't want # them to be readable only by root. umask 022 # Generate configuration file if it does not exist, using default values. [ -r "${INITCONFFILE}" ] || { echo Generating ${INITCONFFILE}... >&2 cat >${INITCONFFILE} <<'EOFMAGICNUMBER1234' # Defaults for racoon initscript # sourced by /etc/init.d/racoon # installed at /etc/default/racoon by the maintainer scripts # # This is a POSIX shell fragment # # Which configuration mode shall we use for racoon? # Should be either "direct" (edit racoon.conf by hand) # or "racoon-tool" (use this tool to do it). # Unknown values are treated as if "direct" was given. 
CONFIG_MODE="" # Arguments to pass to racoon (ignored when config mode is racoon-tool) RACOON_ARGS="" EOFMAGICNUMBER1234 } # ------------------------- Debconf questions start --------------------- db_get racoon/config_mode || true new_CONFIG_MODE="${RET}" update_param CONFIG_MODE db_stop # ------------------------- Debconf questions end --------------------- # Fix psk.txt permissions [ -f /etc/racoon/psk.txt ] && chmod 0600 /etc/racoon/psk.txt #DEBHELPER# exit 0 debian/changelog0000644000000000000000000014301212255622167011051 0ustar ipsec-tools (1:0.8.0-14ubuntu4) trusty; urgency=medium * Update aclocal.m4 and configure for ppc64el. -- Matthias Klose Sun, 22 Dec 2013 18:38:26 +0100 ipsec-tools (1:0.8.0-14ubuntu3) saucy; urgency=low * Update config.{guess,sub} for AArch64. -- Matthias Klose Wed, 09 Oct 2013 21:38:28 +0200 ipsec-tools (1:0.8.0-14ubuntu2) raring; urgency=low * Fix build failure with GCC 4.8. -- Matthias Klose Tue, 26 Feb 2013 10:00:37 +0100 ipsec-tools (1:0.8.0-14ubuntu1) raring; urgency=low * Resynchronise with Debian. Remaining changes: - Depend on lsb-base. * Make racoon depend on lsb-base too. -- Colin Watson Mon, 03 Dec 2012 17:58:06 +0000 ipsec-tools (1:0.8.0-14) unstable; urgency=low * Debconf templates and debian/control reviewed by the debian-l10n- english team as part of the Smith review project. Kudos to Christian Perrier for organising this. Closes: #677713 * [Debconf translation updates] * Russian (Yuri Kozlov). Closes: #679732 * Italian (Luca Monducci). Closes: #679743 * Slovak (Ivan Masár). Closes: #679808 * Danish (Joe Hansen). Closes: #680068 * Portuguese (Américo Monteiro). Closes: #680131 * German (Erik Pfannenstein). Closes: #680295 * French (Jean-Christope GARNIER). Closes: #680270 * Czech (Miroslav Kure). Closes: #680471 * Polish (Michał Kułach). Closes: #680526 * Swedish (Martin Bagge / brother). Closes: #680560 * Spanish (Javier Fernández-Sanguino). Last in the gate. Added by Maintainer. 
Closes: #681400 -- Matthew Grant Sun, 15 Jul 2012 21:13:32 +1200 ipsec-tools (1:0.8.0-13) unstable; urgency=low * Set CFLAGS _FORTIFY_SOURCE=2 cf 0 (Closes: #679481) * Make peer_sertfile dnssec DNSSEC validate on linux (Closes: #679483) -- Matthew Grant Fri, 29 Jun 2012 22:22:51 +1200 ipsec-tools (1:0.8.0-12) unstable; urgency=low * racoon - add adduser dependency (Closes: #677572) * Fix racoon debconf template. -- Matthew Grant Fri, 15 Jun 2012 11:33:48 +1200 ipsec-tools (1:0.8.0-11) unstable; urgency=low * Update racoon-tool to 0.1.5 to fix proposal bug and add privsep support. * Make racoon init return 0 when already started (Closes: #666913) * Remove set -e from racoon init (Closes: #666912) * Update debconf and README.Debian re X509 and racoon-tool. * Update package format to 3.9.3 -- Matthew Grant Wed, 13 Jun 2012 16:39:18 +1200 ipsec-tools (1:0.8.0-10) unstable; urgency=low * Correctly close bugs related to Debian GNU/kfreebsd build failures. Bugs #617859 and #639970 reopened. (Closes: #619687, #643570) -- Matthew Grant Sun, 16 Oct 2011 11:43:09 +1300 ipsec-tools (1:0.8.0-9ubuntu2) quantal; urgency=low * Rebuild for new armel compiler default of ARMv5t. -- Colin Watson Wed, 03 Oct 2012 09:27:21 +0100 ipsec-tools (1:0.8.0-9ubuntu1) precise; urgency=low * Merge from Debian unstable (LP: #881097). Remaining changes: - debian/control: Depend on lsb-base - debian/rules: switch -U_FORTIFY_SOURCE for -D_FORTIFY_SOURCE=0 * Dropped changes: - Modify configure.ac to not convert -RXYZ to -Wl,-RXYZ, and regenerate configure (Applied in debian via configure-pass-Wl-with-R.patch) - debian/{racoon.init, ipsec-tools.setkey.init}: Re-write LSB init script (Fixed in Debian) -- Adam Gandelman Mon, 24 Oct 2011 12:08:24 -0700 ipsec-tools (1:0.8.0-9) unstable; urgency=low * Apply new patchs which enable GNU/kfreebsd build. Thanks to Mats Erik Andersson. 
(Closes: #617859, #639970) * Put removing of config.log at end of dh_clean to stop file changed problems during git-buildpackage * Fix lots of minor lintian warnings. * LSB-fy init scripts. (Closes: #629828) * Fix spelling error in racoon.conf.5 manpage. * Fix typo in libipsec_strerror.h (Closes: #642926) * Updated racoon-tool.conf.5 manpage, minor regexps. * New racoon-tool, Multi relation SPD code. * debian/control: Add Vcs-* stanzas. -- Matthew Grant Sat, 08 Oct 2011 16:30:22 +1300 ipsec-tools (1:0.8.0-8) unstable; urgency=low * Revert racoon-tool default SPD level to unique for compatibility and individual VPN reload speed. -- Matthew Grant Wed, 28 Sep 2011 12:12:12 +1300 ipsec-tools (1:0.8.0-7) unstable; urgency=low * Temporarily fix gcc-4.6 build on most architectures. Need to contact upstream about proper use of autoconf and configure.ac for gcc-4.6 support as autoconf for this package appears to be brittle. -- Matthew Grant Wed, 28 Sep 2011 10:09:20 +1300 ipsec-tools (1:0.8.0-6) unstable; urgency=low * Remove Requires-Stop $remotefs from init script. (Closes: #643006) -- Matthew Grant Tue, 27 Sep 2011 07:51:09 +1300 ipsec-tools (1:0.8.0-5.1) unstable; urgency=low * Minor version to kick over reprepro -- Matthew Grant Mon, 26 Sep 2011 10:58:05 +1300 ipsec-tools (1:0.8.0-5) unstable; urgency=low * Fix required-stop $remotefs with lintian override as otherwise causes dependency boot order loops with sendsigs. * Add racoon-tool match code for udp port 500 traffic. -- Matthew Grant Mon, 26 Sep 2011 10:52:50 +1300 ipsec-tools (1:0.8.0-4.1) unstable; urgency=low * Update racoon-tool transport mode to ignore dup port 500 <-> 500 traffic. -- Matthew Grant Mon, 26 Sep 2011 10:19:19 +1300 ipsec-tools (1:0.8.0-4) unstable; urgency=low * New Maintainer. Have conferred with Stefan Bauer. * Changed to gcc-4.5 only as 4.6 does not support -R flag that ipsec-tools requires. (Closes: #625184) * Marked automake, autoconf, and autoheader as Build-Conflicts. 
* Added updated racoon-tool.pl and associated manpages. -- Matthew Grant Sun, 25 Sep 2011 17:41:02 +1300 ipsec-tools (1:0.8.0-3ubuntu1) oneiric; urgency=low * Merge from debian unstable (LP: #787114), remaining changes: - debian/control: Depend on lsb-base * Dropped patches, applied upstream: - debian/patches/fix-address-already-in-use.patch - fix-several-formating-errors-in-setkey-manpage.patch * debian/rules: switch -U_FORTIFY_SOURCE for -D_FORTIFY_SOURCE=0, bc the latter breaks in oneiric, claiming _FORTIFY_SOURCE is redefined. * Modify configure.ac to not convert -RXYZ to -Wl,-RXYZ, and regenerate configure. * debian/ipsec-tools.setkey.init: Re-write LSB init script * debian/racoon.init: LSB init script -- Serge Hallyn Mon, 06 Jun 2011 08:06:28 -0500 ipsec-tools (1:0.8.0-3) unstable; urgency=low * Apply patch from Mats Erik Andersson to fix build problems on *BSD This patch also addresses nat-t related issues for this arch -- Stefan Bauer Fri, 25 Mar 2011 12:29:19 +0100 ipsec-tools (1:0.8.0-2) unstable; urgency=low * Skip dependency on libssl-dev and move back to libssl-dev (>= 0.9.6) to provide an update to unstable. 
This will temporary remove the support for camellia encryption algorithm until libssl-dev 1.x enters unstable * Adjust racoon-init-script (Closes: #619151) * Apply patch to fix build problems on *BSD Thanks to Mats Erik Andersson -- Stefan Bauer Wed, 23 Mar 2011 11:44:33 +0100 ipsec-tools (1:0.8.0-1) experimental; urgency=low * New upstream release o Fix authentication method ambiguity with kerberos and xauth o RFC2253 compliant escaping of asn1dn identifiers (Cyrus Rahman) o Local address code rewrite to speed things up o Improved MIPv6 support (Arnaud Ebalard) o ISAKMP SA (phase1) rekeying o Improved scheduler (faster algorithm, support monotonic clock) o Handle RESPONDER-LIFETIME in quick mode o Handle INITIAL-CONTACT in from main mode too o Rewritten event handling framework for admin port o Ability to initiate IPsec SA through admin port o NAT-T Original Address handling (transport mode NAT-T support) o clean NAT-T - PFkey support o support for multiple anonymous remoteconfs o Remove various obsolete configuration options o A lot of other bug fixes, performance improvements and clean ups * Remove patches as they are now part of upstream release -- Stefan Bauer Mon, 21 Mar 2011 10:52:37 +0100 ipsec-tools (1:0.7.3-18) experimental; urgency=low * Lower the log level for racoon to notify to keep syslog clear * Reupload because build dir was tainted * Skip --enable-xauth on build, as this is covered by --enable-hybrid -- Stefan Bauer Fri, 11 Mar 2011 09:16:43 +0100 ipsec-tools (1:0.7.3-16) experimental; urgency=low * Adjust racoon init-script to handle the start with kFreeBSD kernel as well. 
Thanks to Mats Erik Andersson (Closes: #613726) * Enable --with-libldap at build time -- Stefan Bauer Mon, 28 Feb 2011 13:21:18 +0100 ipsec-tools (1:0.7.3-15) experimental; urgency=low * Fix build problems on *bsd (Closes: #612676) * Include configuration example to tunnel with OpenBSD (Closes: #612448) Thanks to Mats Erik Andersson -- Stefan Bauer Thu, 10 Feb 2011 11:11:53 +0100 ipsec-tools (1:0.7.3-14) experimental; urgency=low * Fix build problems on *bsd * Include converter for plainrsa to pem file format (Closes: #612021) -- Stefan Bauer Sat, 05 Feb 2011 11:56:25 +0100 ipsec-tools (1:0.7.3-13) experimental; urgency=low * Switch to dpkg-source 3.0 (quilt) format * Fix typo in README-file * Bump Standards to 3.9.1 * Include /usr/share/common-licenses/BSD in packages copyright file as base-files might drop the licenses in future versions * Added support for camellia encryption algorithm * Ship /etc/ipsec-tools.d/ with the package (Closes: #598426) -- Stefan Bauer Wed, 26 Jan 2011 15:26:30 +0100 ipsec-tools (1:0.7.3-12ubuntu1) natty; urgency=low [ Lorenzo De Liso ] * Merge from debian unstable (LP: #681427), remaining changes: - debian/control: Depend on lsb-base - debian/ipsec-tools.setket.init: LSB init script. - debian/patches/fix-address-already-in-use.patch: Fix address already in use. (LP: #332606) * Dropped changes: - debian/{control,rules}: add and enable hardening build for PIE (Debian bug 542731): fixed in debian - src/racoon/ipsec_doi.c: Patched to fix segfault when using ipv6 addresses in sainfo section of racoon.conf. Thanks to Fredrik Ljunggren. (LP: #374185): fixed upstream [ Alessio Treglia ] * Refresh Lorenzo's patch in order to make it apply cleanly, add patch header as per DEP-3 spec. * Refresh fix-several-formating-errors-in-setkey-manpage.patch. 
-- Lorenzo De Liso Wed, 24 Nov 2010 22:37:15 +0100 ipsec-tools (1:0.7.3-12) unstable; urgency=low * Extend racoon init-script to start after setkey (Closes: #599529) This fix is to allow dependency based boot sequence as it is the default in squeeze. Thanks to Sebastian Bernhart for assistance. -- Stefan Bauer Sun, 10 Oct 2010 21:16:49 +0200 ipsec-tools (1:0.7.3-9) unstable; urgency=low * Delay the check of setkey-configuration files to speed up processing Idea taken from Mats Erik Andersson (Closes: #588490) * Include upstream patch to support iPhone OS with L2TP over IPsec and main mode with pre-shared keys as this is the only supported method by the iPhone OS. Patch supplied by John Keith Hohm -- Stefan Bauer Thu, 12 Aug 2010 12:45:24 +0200 ipsec-tools (1:0.7.3-8ubuntu1) maverick; urgency=low * Merge from debian/unstable: + debian/control: - Set Ubuntu maintainer address - Depend on lsb-base + debian/ipsec-tools.setket.init: LSB init script. + debian/{control,rules}: add and enable hardening build for PIE (Debian bug 542731) + src/racoon/ipsec_doi.c: Patched to fix segfault when using ipv6 addresses in sainfo section of racoon.conf. Thanks to Fredrik Ljunggren. (LP: #374185) + src/racoon/isakmp.c: Fix address already in use. (LP: #332606) -- Chuck Short Fri, 02 Jul 2010 13:06:26 -0400 ipsec-tools (1:0.7.3-8) unstable; urgency=low * Moved the private libs to /usr/lib/ipsec-tools to follow 10.2 of Debian Policy (Closes: #507072) -- Stefan Bauer Tue, 01 Jun 2010 22:12:18 +0200 ipsec-tools (1:0.7.3-7) unstable; urgency=low * Conflict with virtual package ike-server to avoid conflicts with other ike-implementations (#583334) * Include Danish debconf translation (Closes: #583969) -- Stefan Bauer Tue, 01 Jun 2010 12:05:15 +0200 ipsec-tools (1:0.7.3-6ubuntu1) maverick; urgency=low * Merge from debian unstable. Remaining changes: + debian/control: - Set Ubuntu maintainer address - Depend on lsb-base + debian/ipsec-tools.setket.init: LSB init script. 
+ debian/{control,rules}: add and enable hardening build for PIE (Debian bug 542731) + src/racoon/ipsec_doi.c: Patched to fix segfault when using ipv6 addresses in sainfo section of racoon.conf. Thanks to Fredrik Ljunggren. (LP: #374185) + src/racoon/isakmp.c: Fix address already in use. (LP: #332606) -- Chuck Short Wed, 05 May 2010 02:26:50 +0100 ipsec-tools (1:0.7.3-6) unstable; urgency=low * Applied patch from Martin Fuzzey to fix failed to bind to address bug when using the phase1-up.sh script. Ubuntu Bug # 332606 -- Stefan Bauer Mon, 12 Apr 2010 16:42:02 +0200 ipsec-tools (1:0.7.3-5) unstable; urgency=low * Extented setkey init-script to be able to load setkey configurations from /etc/ipsec-tools.d/*.conf files (Closes: #519862) Patch supplied by Shane R. Spencer * Mention undocumented feature esp-udp in setkey manpage (Closes: #550697) * Document lack of tcp-md5 support for setkey on linux (Closes: #389286) -- Stefan Bauer Mon, 22 Mar 2010 10:36:28 +0100 ipsec-tools (1:0.7.3-4) unstable; urgency=low * Restart at the end of upgrade process to keep the connection in case of maintenance over ipsec (Closes: #307721) -- Stefan Bauer Wed, 17 Mar 2010 12:14:27 +0100 ipsec-tools (1:0.7.3-3) unstable; urgency=low * Modified the racoon and ipsec-tool maintainer scripts to not flush the kernel SA/SD database on remove of racoon * Keep the kernel SA/SD entries on upgrade as well -- Stefan Bauer Fri, 26 Feb 2010 16:15:32 +0100 ipsec-tools (1:0.7.3-2) unstable; urgency=low * Modify racoon startscript to not restart on reload (Closes: #529001) * Applied patch to support cast128-cbc algorithm - patch supplied by Hiroyuki YAMAMORI (Closes: #242723) * Build with hardening options enabled (Closes: #542731) Patch supplied by Kees Cook * Fix typo in FAQ (Closes: #561980) * Flush SA/SD kernel-database on purge/remove (Closes: #569949) -- Stefan Bauer Tue, 23 Feb 2010 20:39:02 +0100 ipsec-tools (1:0.7.3-1) unstable; urgency=low * New Maintainer (Closes: #565362) * Acknowledge NMU 
changes * New upstream release * Fixed a NAT-T flag check * Some code cleanups/compilation fixes with recent gcc * Fix a remote crash and a memory leak * Fix memory leak in x509 certificate validation * Fix a potential DoS in oakley_do_decrypt() * Check fgets return value in setkey to make gcc happy * Backport S.P.Zeidler's fix to IPv6 address related stack smashing * Bump Standards to 3.8.4 * Added {misc:Depends} for binary packages * Bump debhelper to 7.0.50~ to keep backports dependency * Fix typo in manpage * Stop racoon on runlevel 0 and 6 too * Get rid of dh_clean -k in favor of dh_prep -- Stefan Bauer Mon, 22 Feb 2010 15:46:03 +0100 ipsec-tools (1:0.7.1-1.6ubuntu1) lucid; urgency=low * Merge from debian testing. Remaining changes: - debian/control: - Set Ubuntu maintainer address. - Depend on lsb-base - debian/ipsec-tools.setkey.init: LSB init script. - Enable build with hardened options: - src/setkey/setkey.c: stop scanning stdin if fgets fails. - debian/{control,rules}: add and enable hardened build for PIE (Debian bug 542731). - src/racoon/ipsec_doi.c: Patched to fix segfault when using ipv6 addresses in sainfo section of racoon.conf. Thanks to Fredrik Ljunggren. (LP: #374185) - src/racoon/isakmp.c: Fix address already in use. (LP: #332606) -- Chuck Short Sun, 03 Jan 2010 17:58:13 +0000 ipsec-tools (1:0.7.1-1.6) unstable; urgency=low * Non-maintainer upload. * Avoid strict aliasing checking, fix FTBFS w/ GCC 4.4 and up; patch by peter green. (Closes: #530527) -- Stefano Zacchiroli Fri, 25 Dec 2009 19:21:49 +0100 ipsec-tools (1:0.7.1-1.5ubuntu4) karmic; urgency=low * src/racoon/isakmp.c: Fix address already in use. (LP: #332606) -- Chuck Short Tue, 15 Sep 2009 08:39:41 -0400 ipsec-tools (1:0.7.1-1.5ubuntu3) karmic; urgency=low * src/racoon/ipsec_doi.c: Patched to fix segfault when using ipv6 addresses in sainfo section of racoon.conf. Thanks to Fredrik Ljunggren. 
(LP: #374185) -- Chuck Short Wed, 09 Sep 2009 13:11:32 -0400 ipsec-tools (1:0.7.1-1.5ubuntu2) karmic; urgency=low * debian/{control,rules}: add and enable hardened build for PIE (Debian bug 542731). -- Kees Cook Thu, 20 Aug 2009 17:56:30 -0700 ipsec-tools (1:0.7.1-1.5ubuntu1) karmic; urgency=low * Merge from debian unstable, remaining changes: - debian/control: - Set Ubuntu maintainer address. - Depend on lsb-base. - debian/ipsec-tools.setkey.init: LSB init script. - debian/rules: build with -fno-strict-aliasing, required with gcc 4.4. - Enable build with hardened options: - src/setkey/setkey.c: stop scanning stdin if fgets fails. * Dropped - src/libipsec/policy_token.c: don't check return code of fwrite. -- Jamie Strandboge Fri, 24 Jul 2009 13:24:17 -0500 ipsec-tools (1:0.7.1-1.5) unstable; urgency=high * Non-maintainer upload by the Security Team. * Fix multiple memory leaks in NAT traversal and RSA authentication code of racoon leading to DoS because (CVE-2009-1632; Closes: #528933). -- Nico Golde Tue, 19 May 2009 13:26:14 +0200 ipsec-tools (1:0.7.1-1.4) unstable; urgency=high * Non-maintainer upload by the Security Team. * Fix possible denial of service via a fragment without any payload (all item lengths = 0) which triggers a null ptr dereference (Closes: #527634). -- Nico Golde Wed, 13 May 2009 13:24:22 +0200 ipsec-tools (1:0.7.1-1.3) unstable; urgency=low * Non-maintainer upload * Racoon should depend on at least the current version of ipsec-tools (Closes: #507071) -- Evan Broder Sat, 13 Dec 2008 15:40:55 -0500 ipsec-tools (1:0.7.1-1.2) unstable; urgency=high * Non-maintainer upload by the Security Team. * Apply upstream patch to remove orphaned phase 1 handles that were initiated remotely if an invalid first exchange was received which may lead to a denial of service attack (CVE-2008-3652; Closes: #501026). -- Nico Golde Tue, 07 Oct 2008 14:22:25 +0200 ipsec-tools (1:0.7.1-1.1) unstable; urgency=low * Non-maintainer upload. 
* Fix pending l10n issues * Debconf translations: - Russian. Closes: #484325 - Japanese. Closes: #494054 - Italian. Closes: #496117 - Finnish. Closes: #496236 -- Christian Perrier Wed, 27 Aug 2008 08:49:00 +0200 ipsec-tools (1:0.7.1-1) unstable; urgency=low * New upstream release * Apply debconf Swedish translation (closes: #491769) -- Ganesan Rajagopal Sun, 27 Jul 2008 15:51:17 +0530 ipsec-tools (1:0.7-2.1ubuntu3) karmic; urgency=low * debian/rules: build with -fno-strict-aliasing, required with gcc 4.4. -- Steve Langasek Tue, 21 Jul 2009 18:33:13 +0000 ipsec-tools (1:0.7-2.1ubuntu2) karmic; urgency=low * No-change rebuild against libkrb5-3. -- Steve Langasek Tue, 21 Jul 2009 08:26:53 +0000 ipsec-tools (1:0.7-2.1ubuntu1) intrepid; urgency=low * Merge from debian unstable, remaining changes: - debian/control: - Set Ubuntu maintainer address. - Depend on lsb-base. - debian/ipsec-tools.setkey.init: - LSB init script. * Dropped: - debian/ipsec-tools.setkey.init: - restart method: stop then start. - Use {} instead of () in usage (bash_completion). - debian/racoon.init: - Create /var/run/racoon. - Use {} instead of () in usage (bash_completion). * Bug fixed by this merge: - fix XAuth with U-FQDN (LP: #234166). * Enable build with hardened options: - src/libipsec/policy_token.c: don't check return code of fwrite. - src/setkey/setkey.c: stop scanning stdin if fgets fails. -- Mathias Gug Wed, 18 Jun 2008 17:34:55 -0400 ipsec-tools (1:0.7-2.1) unstable; urgency=low * Non-maintainer upload to fix pending l10n issues. * Debconf translations: - German. Closes: #479257 - French. Closes: #477771 - Galician. Closes: #480984 - Spanish. Closes: #482343 - Vietnamese. Closes: #482363 - Czech. Closes: #482429 - Basque. Closes: #482847 - Portuguese. Closes: #482892 - Dutch. Closes: #483006 - Brazilian Portuguese. 
Closes: #483684 * [Lintian] Remove useless debian/preinst script -- Christian Perrier Sat, 10 May 2008 19:36:28 +0200 ipsec-tools (1:0.7-2) unstable; urgency=low * Really apply patch from Ubuntu to racoon.init for bash completion (closes: #453031). * Fix module loading bug with hyphen in kernel version (closes: 376934). -- Ganesan Rajagopal Tue, 22 Apr 2008 14:40:39 +0530 ipsec-tools (1:0.7-1) unstable; urgency=low * New upstream release (closes: #448056). * Thanks Peter Eisentraut and Jérémy Bobbio for NMUs. * Apply patch from Ubuntu to racoon.init to create /var/run/racoon if it doesn't already exist (closes: #453029). * Apply patch from Ubuntu to racoon.init for bash completion (closes: #453031). * Fix bad config location in README.Debian (closes: #412674). * Remove unneeded Build-Depends on libreadline5-dev. * Add Build-Depends on chrpath and remove rpath lintian warnings. * Fix racoon-tool bug which causes racoon to fail to start (closes: #470736). * Update Standards-Version to 3.7.3 (no packaging changes required). -- Ganesan Rajagopal Tue, 22 Apr 2008 14:37:51 +0530 ipsec-tools (1:0.6.7-1.2) unstable; urgency=low * Non-maintainer upload * Remove all configuration files on purge (closes: #298496) * Remove PID file and socket file on daemon stop (closes: #298496) * Corrected restart logic in setkey init script (closes: #460324) * Added LSB-formatted dependency info in init.d scripts (closes: #458488) * Fixed watch file (closes: #449659) -- Peter Eisentraut Tue, 18 Mar 2008 01:24:48 +0100 ipsec-tools (1:0.6.7-1.1ubuntu1) hardy; urgency=low * Merge from debian unstable, remaining changes: - debian/control: - Set Ubuntu maintainer address. - Depend on lsb-base. - debian/ipsec-tools.setkey.init: - LSB init script. - restart method: stop then start. - Use {} instead of () in usage (bash_completion). - debian/racoon.init: - Create /var/run/racoon. - Use {} instead of () in usage (bash_completion). 
* Dropped: - src/racoon/isakmp_inf.c: upstream fix for unecrypted ISAKMP packets. - src/racoon/grabmyaddr.c: Define IFA_RTA and #include . -- Mathias Gug Mon, 26 Nov 2007 11:57:18 -0500 ipsec-tools (1:0.6.7-1.1) unstable; urgency=low * Non-maintainer upload. * Fix null pointer checks in: (Closes: #362213) * GETNAMEINFO and GETNAMEINFO_NULL in src/racoon/var.h, * certtest() in src/racoon/eaytest.c. * Fix debian-rules-ignores-make-clean-error lintian warning. -- Jérémy Bobbio Sat, 29 Sep 2007 14:37:50 +0200 ipsec-tools (1:0.6.7-1) unstable; urgency=low * New upstream release (closes: #429711) * Thanks Dann Frazier and Christian Perrier for NMUs. * Fixed bug in parsing for DNSSEC. Patch from Marc Dequènes (closes: #321159). * Included Galician translation provided by Jacobo Tarrio for debconf templates (closes: #412867). * Included Dutch translation proivded by cobaco (aka Bart Cornelis) (closes: #413885). * Fix racoon-tool bug setting lifetime when the setting pfs_group=none. Patch by Pallai Roland (closes: #406684). * Re-ran automake/autoconf because of a bug in libtool versions older than 1.5.20 which insists on checking for a C++ compiler though racoon doesn't require it. -- Ganesan Rajagopal Sat, 30 Jun 2007 19:31:39 +0530 ipsec-tools (1:0.6.6-3.2) unstable; urgency=low * Non-maintainer upload * Fix remote DoS condition that makes it possible for remote attackers to crash a tunnel. See CVE-2007-1841 (closes: #423252) * Fix typo in initscript (s/force_reload/force-reload). Patch from Robie Basak (closes: #380103) * setkey does not honor both -FP and -F in a single run, split into separate calls. Patch from Benjamin Sonntag (closes: #403511) -- dann frazier Tue, 19 Jun 2007 11:26:58 -0600 ipsec-tools (1:0.6.6-3.1ubuntu3) gutsy; urgency=low * fix racoon.init to work with bash_completion (LP: #88153) -- Patrick Hetu Tue, 10 Jul 2007 10:59:25 -0400 ipsec-tools (1:0.6.6-3.1ubuntu2) gutsy; urgency=low * Fix compilation errors with GCC-4.2. 
-- Matthias Klose Tue, 29 May 2007 09:05:02 +0200 ipsec-tools (1:0.6.6-3.1ubuntu1) gutsy; urgency=low * Merge from debian unstable, remaining changes: - src/racoon/isakmp_inf.c: upstream fix for unecrypted ISAKMP packets. - src/racoon/grabmyaddr.c: Define IFA_RTA and #include . - debian/control: Set Ubuntu maintainer address. - LSB init script. - debian/racoon.init: Create /var/run/racoon. -- Kees Cook Tue, 08 May 2007 05:29:33 -0700 ipsec-tools (1:0.6.6-3.1) unstable; urgency=low * Non-maintainer upload to fix pending l10n issues. * Debconf translations: - Russian. Closes: #373925 - German. Closes: #401468 - Japanese. Closes: #402623 - Spanish. Closes: #403484 * Fix typos in the debconf templates and unfuzzy translations Closes: #397187 -- Christian Perrier Sun, 4 Feb 2007 19:34:49 +0100 ipsec-tools (1:0.6.6-3ubuntu3) feisty; urgency=low * SECURITY UPDATE: remote ipsec tunnel disruption. * src/racoon/isakmp_inf.c: upstream fix for unecrypted ISAKMP packets causing tunnels to be disconnected. * References CVE-2007-1841 -- Kees Cook Wed, 4 Apr 2007 13:46:40 -0700 ipsec-tools (1:0.6.6-3ubuntu2) feisty; urgency=low * Rebuild for changes in the amd64 toolchain. * Set Ubuntu maintainer address. -- Matthias Klose Mon, 5 Mar 2007 01:19:03 +0000 ipsec-tools (1:0.6.6-3ubuntu1) feisty; urgency=low * Merge from debian unstable. - LSB init script. - debian/racoon.init: Create /var/run/racoon. * src/racoon/grabmyaddr.c: Define IFA_RTA and #include . -- Martin Pitt Fri, 3 Nov 2006 10:15:57 +0100 ipsec-tools (1:0.6.6-3) unstable; urgency=low * Remove old rc*.d symlinks to fix existing installations. -- Ganesan Rajagopal Wed, 19 Jul 2006 19:59:57 +0530 ipsec-tools (1:0.6.6-2) unstable; urgency=low * Fix typo in enabling PAM. * Include russian translation. * Don't flush keys on reboot/shutdown (closes: #340740). * Start racoon in rcS.d to help VPN configurations (closes: #372665). 
-- Ganesan Rajagopal Wed, 19 Jul 2006 17:10:15 +0530 ipsec-tools (1:0.6.6-1ubuntu1) edgy; urgency=low * Merge from Debian. Only changes left: - LSB init script. - debian/racoon.init: Create /var/run/racoon. -- Martin Pitt Fri, 30 Jun 2006 10:21:40 +0200 ipsec-tools (1:0.6.6-1) unstable; urgency=low * New upstream release. * Added debconf-updatepo in clean target (closes: #372910). * Compiled with PAM support (closes: #299806, #371053). * Fixed typo in racoon.templates and corresponding po files. * Updated Brazilian Portugese, Vietnamese, Swedish, French and Czech translations for debconf templates (closes: #370148, #369409). -- Ganesan Rajagopal Thu, 15 Jun 2006 17:47:58 +0530 ipsec-tools (1:0.6.5-6) unstable; urgency=low * Fix regex in racoon-tool.conf man page (closes: #352157). * Switch to "/sbin/modprobe" instead of "/sbin/insmod" for module loading in racoon-tool (closes: #298286). * Apply patch by Teddy Hogeborn to fix as1dn handling by racoon-tool (closes: #296259). * Apply patch by Kristjan Räts to make sure racoon is configured before it's started (closes: #304573). * Officially deprecate racoon-tool and cleanup debconf template (closes: #338216). * Update Standards-Version to 3.7.2 (no packaging changes required). -- Ganesan Rajagopal Mon, 29 May 2006 15:43:05 +0530 ipsec-tools (1:0.6.5-5) unstable; urgency=low * Fix "dereferencing type-punned...." gcc-4.1 FTBFS bug (closes: #361334). * Include updated French translation (closes: #338642). * Include swedish debconf translation (closes: #330569). * Fix racoon-tool tool braindead shutdown delay (closes: #332814). -- Ganesan Rajagopal Wed, 17 May 2006 17:03:11 +0530 ipsec-tools (1:0.6.5-4ubuntu1) dapper; urgency=low * Synchronize to Debian to bring in new upstream version. - UVF exception approved by Matt Zimmerman. - New version repairs racoon for road warrior setup (which broke in earlier Dapper versions, but worked fine in Breezy). 
Closes: LP#40386 -- Martin Pitt Tue, 9 May 2006 11:33:01 +0200 ipsec-tools (1:0.6.5-4) unstable; urgency=low * Fixed FTBFS on another source file on 64-bit platforms. (closes: #359092). * Include samples directory in package. -- Ganesan Rajagopal Thu, 30 Mar 2006 14:30:45 +0530 ipsec-tools (1:0.6.5-3) unstable; urgency=low * Fixed FTBFS on 64-bit platforms (closes: #359092). -- Ganesan Rajagopal Mon, 27 Mar 2006 17:41:45 +0530 ipsec-tools (1:0.6.5-2) unstable; urgency=low * Enable GSSAPI/Kerberos 5 support (closes: #352040). -- Ganesan Rajagopal Sun, 26 Mar 2006 09:48:51 +0530 ipsec-tools (1:0.6.5-1) unstable; urgency=low * New upstream release. * Don't rerun bootstrap because upstream libtool problem is fixed. -- Ganesan Rajagopal Tue, 7 Feb 2006 13:40:27 +0530 ipsec-tools (1:0.6.4-1ubuntu2) dapper; urgency=low * Create /var/run/racoon in the init script. -- Scott James Remnant Wed, 19 Apr 2006 14:26:13 +0100 ipsec-tools (1:0.6.4-1ubuntu1) dapper; urgency=low * Resynchronise with Debian. -- Martin Pitt Tue, 7 Feb 2006 11:45:50 +0100 ipsec-tools (1:0.6.4-1) unstable; urgency=low * New upstream release. * Apply racoon-tool patch to use modprobe instead of insmod (closes: #320087). * Rerun bootstrap because upstream libtool appears to be broken (configure breaks if g++ is not installed). -- Ganesan Rajagopal Tue, 24 Jan 2006 10:20:11 +0530 ipsec-tools (1:0.6.3-1) unstable; urgency=low * New upstream release with fix for CVE-2005-3732 (closes: #340584). -- Ganesan Rajagopal Mon, 28 Nov 2005 11:58:31 +0530 ipsec-tools (1:0.6.2-2ubuntu2) dapper; urgency=low * Rebuild against openssl 0.9.8. -- Martin Pitt Mon, 30 Jan 2006 10:48:21 +0000 ipsec-tools (1:0.6.2-2ubuntu1) dapper; urgency=low * Resynchronise with Debian. -- Tollef Fog Heen Fri, 11 Nov 2005 09:59:03 +0100 ipsec-tools (1:0.6.2-2) unstable; urgency=low * Fix build breakage with OpenSSL 0.9.8 (closes: #334669). 
-- Ganesan Rajagopal Mon, 31 Oct 2005 11:19:53 +0530 ipsec-tools (1:0.6.2-1) unstable; urgency=low * New upstream release. * Update FSF address in copyright. * Remove bashism in postinst. -- Ganesan Rajagopal Tue, 18 Oct 2005 10:30:53 +0530 ipsec-tools (1:0.6.1-1) unstable; urgency=low * New upstream release -- Ganesan Rajagopal Sun, 21 Aug 2005 13:24:15 +0530 ipsec-tools (1:0.6-2) unstable; urgency=low * Add debconf-2.0 as an alternate for debconf dependency. * Updated standards version. * Fixed racoonctl breakage (closes: #320535). -- Ganesan Rajagopal Sat, 13 Aug 2005 09:27:43 +0530 ipsec-tools (1:0.6-1ubuntu1) breezy; urgency=low * LSB init scripts. -- LaMont Jones Wed, 28 Sep 2005 18:33:52 -0600 ipsec-tools (1:0.6-1) unstable; urgency=low * New upstream release. * Include Vietnamese translation for debconf template (closes: #312031). * Include Japanese translation for debconf template (closes: #309732). * Registering /etc/init.d/setkey in rcS.d before ifupdown (closes: #303451). -- Ganesan Rajagopal Wed, 29 Jun 2005 10:16:54 +0530 ipsec-tools (1:0.5.2-1) unstable; urgency=high * New upstream release. This release fixes ph2handle unlink bug (closes: #307233). * Urgency high because of fix for security problem with single DES. * Applied patch from Richard Lucassen to pass options to racoon via /etc/default/racoon file. -- Ganesan Rajagopal Wed, 4 May 2005 13:46:45 +0530 ipsec-tools (1:0.5.1-2) unstable; urgency=low * Disabled readline support because it introduces a bug in setkey and confuses a lot of people (closes: #303573). * Added Build-Conflicts for bison++ (closes: #305974). -- Ganesan Rajagopal Mon, 2 May 2005 10:18:04 +0530 ipsec-tools (1:0.5.1-1) unstable; urgency=low * New upstream release (closes: #305310). * Removed --enabled-stats while building (closes: #300718). * Removed --enable-ipv6 while build; this enables IPv6 automatically. (closes: #304000). 
-- Ganesan Rajagopal Tue, 19 Apr 2005 15:47:29 +0530 ipsec-tools (1:0.5-5) unstable; urgency=high * Fix ISAKMP Header Parsing DoS bug (closes: #299716). * Quote URL in README.Debian to avoid confusion (closes: #297179). -- Ganesan Rajagopal Wed, 16 Mar 2005 09:31:30 +0530 ipsec-tools (1:0.5-4) unstable; urgency=low * Fix typo in ipsec-tools.setkey.init (closes: #296912). -- Ganesan Rajagopal Sat, 26 Feb 2005 11:39:19 +0530 ipsec-tools (1:0.5-3) unstable; urgency=low * Renamed ipsec.conf to ipsec-tools.conf to avoid conflict with openswan (closes: #296079). * Fix bug in quotes handling for peers_certfile (closes: #296105). -- Ganesan Rajagopal Sun, 20 Feb 2005 21:51:41 +0530 ipsec-tools (1:0.5-2) unstable; urgency=low * Fix compile warnings to avoid build failures on 64-bit platforms. -- Ganesan Rajagopal Sat, 19 Feb 2005 10:03:27 +0530 ipsec-tools (1:0.5-1) unstable; urgency=low * New upstream stable release. * Forced to introduce epoch because I misunderstood how comparing version strings works (0.4999 > 0.5). I can't believe I screwed up this one :-(. * Added initscript to run setkey on boot (closes: #276970). * Renamed racoon.init.d to racoon.init as per dh_installinit documentation. * Added note in README.Debian that racoon-tool may lag behind in features. * Included racoon.conf samples directory. * Added note in sample racoon.conf that it will not be used if racoon-tool is used. -- Ganesan Rajagopal Fri, 18 Feb 2005 11:00:23 +0530 ipsec-tools (0.4999pre0.5rc2-3) unstable; urgency=low * Added libssl-dev to build-deps (closes: #295263). * Updated racoon-tool.pl to handle certtype for peers_certfile (closes: #295035). * Escape quote ('"') characters in racoon-tool.pl to prevent messing up syntax highlighting in emacs. -- Ganesan Rajagopal Thu, 17 Feb 2005 14:34:06 +0530 ipsec-tools (0.4999pre0.5rc2-2) unstable; urgency=low * Applied patch to support SPD levels and NAT traversl from Lockenvitz Jan EXT (closes: #277285). 
* Included debconf template Czech translation by Miroslav Kure (closes: #294779). -- Ganesan Rajagopal Mon, 14 Feb 2005 18:27:14 +0530 ipsec-tools (0.4999pre0.5rc2-1) unstable; urgency=low * New upstream release. * Redone packaging using debhelper. * Upstream supports Linux fwd policy (closes: #292850). * Source address patch applied upstream (closes: #289604). * Enabled NATT support (closes: #238795). * Removed empty racoon.conf (closes: #255124). * Fixed paths in man pages (closes: #276854). -- Ganesan Rajagopal Tue, 1 Feb 2005 13:55:37 +0530 ipsec-tools (0.3.3-7) unstable; urgency=low * Fixed fix memory leak in crypto_openssl.c (closes: #292732). * French translation already included (closes: #245583). * Brazilian portugese translation already included (closes: #262550). * We don't include a debbugs URL anymore (closes: #220089). -- Ganesan Rajagopal Tue, 1 Feb 2005 13:48:22 +0530 ipsec-tools (0.3.3-6) unstable; urgency=low * Taking over as maintainer from Matthew Grant with his approval. -- Ganesan Rajagopal Mon, 31 Jan 2005 20:52:43 +0530 ipsec-tools (0.3.3-5) unstable; urgency=low * Removed unneeded dependency on ed from control file, which I forgot to do. -- Matthew Grant Sat, 18 Dec 2004 16:14:10 +1300 ipsec-tools (0.3.3-4) unstable; urgency=medium * Didn't properly fix Bug #285103. This upload fixes it by adjusting the config scripts. Priority set to medium to make sure that the 3 RC bugs get cleared promptly from testing version. Removed use of ed as this tool is only used in racoon.postint, and is not needed by any package essential to run a firewall. -- Matthew Grant Sat, 18 Dec 2004 11:46:36 +1300 ipsec-tools (0.3.3-3) unstable; urgency=low * Fix use of 'find' in debian/rules. Thanks to Christian Ospelkaus for patch. (closes: #285788) * Fix use of $? after another command execution in if statement at line 2161 of racoon-tool. Thanks to shonorio@alpargatas.com.br for analysis. 
(closes: #285549) * debian/racoon.init.d: In stop target, pass option --name instead of --exec to start-stop-daemon to make sure old versions of the daemon are properly stopped even if a new version is already on disk. (closes: #285117) (Daniel Kobras ) * debian/racoon.{config,postinst}: Seed debconf settings from configuration file, and take care to preserve manual changes. (closes: #285103) (Daniel Kobras ) * debian/control: Add ed to racoon's dependencies as it is used in the postinst script. (Daniel Kobras ) -- Matthew Grant Thu, 16 Dec 2004 22:29:48 +1300 ipsec-tools (0.3.3-2) unstable; urgency=medium * Fix spelling mistake for 'available' in racoon init script. (closes: #249288) * Fixed URL in README.certificate (closes: #252513) * Fixed gzipping of under sized files (closes: #279739) * Added french debconf translation for racoon (closes: #245251) * Added pt_BR.po Brazilian Portuguese translation for raccon debconf (closes #262550) * Added German de.po for raccon debconf (closes: #263055) * Applied patch from Wilfried Weissmann who forwarded a fix for "initial_contact" spelling error (closes: #280837) * Fixed racoon-tool address type parsing bug. Fix forwarded by Kolja Waschk (closes: #269934) * Fixed racoon-tool port parsing bug with port numbers more than 3 chars. Patch from Jeremy Jackson (closes: #260875) * Fixed parsing of file paths delimited by optional double quotes. (closes: #257350) -- Matthew Grant Fri, 26 Nov 2004 08:34:17 +1300 ipsec-tools (0.3.3-1) unstable; urgency=high * Security upload. Updated to vesion 0.3.3 which fixes a "authentication bug in KAME's racoon" in eay_check_x509cert() (Bugtraq http://seclists.org/lists/bugtraq/2004/Jun/0219.html) (closes: #254663). * Fix for "racooninit" in racoon-tool.conf. Applied patch submitted by Teddy Hogeborn . (closes: #249222) * Stopped patching racoon.conf.5 manpage as the "Japlish" fix is now in the source tree. 
-- Matthew Grant Thu, 17 Jun 2004 09:05:50 +1200 ipsec-tools (0.3.1-4) unstable; urgency=low * Fixed autoconf more so that it only gets called by maintainer. This is to fix the woody backport support. -- Matthew Grant Thu, 22 Apr 2004 15:55:45 +1200 ipsec-tools (0.3.1-3) unstable; urgency=high * Security upload. Correct urgency so that it will be accepted into testing in 2 days because version in testing suffers from CAN-2004-0403 and CAN-2004-0155. * New upstrem release. Fixes remote DoS in racoon (CAN-2004-0403) (closes: #244182). Repeated for sake of BTS. -- Matthew Grant Thu, 22 Apr 2004 10:42:49 +1200 ipsec-tools (0.3.1-2) unstable; urgency=high * Security upload. Correct urgency so that it will be accepted into testing in 2 days because version in testing suffers from CAN-2004-0403 and CAN-2004-0155. * New upstrem release. Fixes remote DoS in racoon (CAN-2004-0403) (closes: #244182). Repeated for sake of BTS. -- Matthew Grant Thu, 22 Apr 2004 10:00:58 +1200 ipsec-tools (0.3.1-1) unstable; urgency=high (Fixes remote DoS CAN-2004-0403) * New upstrem release. Fixes remote DoS in racoon (CAN-2004-0403) (closes: #244182) * Enable shared libraries for libipsec - had been turned off upstream. * Removed support for GNU readline as there is definitely a licensing conflist, and it breadks the stdin processing of setkey which is needed for racoon-tool. * rpm building Makefile was causing a lot of grief by recursively calling toplevel makefile. Removed from configure.ac * Removed autoconf from build targets as rebuilding Makefile.in makes debian/rules clean target non-idempotent. * Security release, set urgency to high. -- Matthew Grant Thu, 22 Apr 2004 08:42:28 +1200 ipsec-tools (0.2.5-2) unstable; urgency=low * New upstream release. Fixes the the X509 security authentication bug. (CAN-2004-0155) Closes: #242327 * Finally worked out autoconf so that it is dependable. Package needs to use 2 DIFFERENT versions of autoconf so that it works! 
* Fixed some 'Japlish' in the racoon.conf.5 manpage. Closes: #235456 -- Matthew Grant Wed, 7 Apr 2004 16:05:34 +1200 ipsec-tools (0.2.5-1) unstable; urgency=low * Botched upload due to Ctrl-C-ing dupload... -- Matthew Grant Wed, 7 Apr 2004 13:18:03 +1200 ipsec-tools (0.2.4-3) unstable; urgency=low * Fixed start and stop being in the wrong order in legacy init.d target. Closes: #198755 * Rearranged racoon maintainer scripts starting and stopping of daemon. Dropped testing of kernel in postinst - test in init script is enough. Closes: #233642 * Reorganised the debconf screens as there was too many of them. Closes: #240056. Removal of one of the screens - Closes: #240010 * Installed a README.Debian in the racoon package, describing most things needed to get racoon starting properly. * Replaced racoon.conf with a far simpler one to make sure racoon has a good chance of starting properly. Closes: #209226 * Made sure packaged is autoconfed correctly. This was causing trouble when building with set CC, CPP and CFLAGS in environment. Closes: #229614 * Set racoon and ipsec-tools priorities to optional, shouldn't be extra. Closes: #212985 -- Matthew Grant Sun, 28 Mar 2004 23:19:16 +1200 ipsec-tools (0.2.4-2) unstable; urgency=low * Fix problem with do_patch do_unpatch not having execute bits set on dpkg-source -x causing build failures. Closes: Bug#239668 * Forgot to mention that upgrade to upstream does this: Closes: Bug#216650 * Upstream release also Closes: Bug#233642 Closes: Bug#231006, Bug#224960 * This build also Closes: Bug#230269, lintian checks found it! -- Matthew Grant Thu, 25 Mar 2004 22:32:34 +1200 ipsec-tools (0.2.4-1) unstable; urgency=low * Upload takes over maintainership of ipsec-tools. I have already emailed Wichert Akkerman , and he has said this is good and OK. * Converted templates to po-debconf. * Built support into debian/rules, templates and control files to allow easy building on woody as well as unstable. 
* Rebuilt autoconf and libtool using latest versions in sid. This should fix ARM compilation problems. * Ported to sid. * Included patches and portablilty in debian/rules to make building on either tons easier. -- Matthew Grant Wed, 24 Mar 2004 08:41:14 +1200 ipsec-tools (0.2.4-0.mag.4) unstable; urgency=low * Set up a quick and dirty patching scheme so that all changes are in debian directory. Make source tree easier to maintain. * Make a test build. -- Matthew Grant Mon, 22 Mar 2004 02:40:53 +0000 ipsec-tools (0.2.4-0.mag.3) unstable; urgency=low * Made it generate a .diff file. -- Matthew Grant Mon, 22 Mar 2004 01:51:20 +0000 ipsec-tools (0.2.4-0.mag.2) unstable; urgency=low * Added manpages for racoon-tool(8) and racoon-tool.conf(5) * Updated copyright file etc. * Fixed a lot of problems lintian detected. -- Matthew Grant Sun, 21 Mar 2004 21:01:07 +0000 ipsec-tools (0.2.4-0.mag.1) unstable; urgency=low * Fix install so that racoon goes into /usr/sbin. * Fix restart operation of racoon init script. * Set up debconf to either select racoon-tool or use direct editing of the configuration. Default to direct configuration mode. * Fix dependency generation for racoon package. * Fix racoon init scripts and posinst script to detect if a suitable kernel is installed. -- Matthew Grant Wed, 17 Mar 2004 00:34:24 +0000 ipsec-tools (0.2.4-0.mag.0) unstable; urgency=low * Updated to new upstream release. -- Matthew Grant Tue, 2 Mar 2004 03:05:17 +0000 ipsec-tools (0.2.2-8) unstable; urgency=low * Give libtool and auto* the deserved kick in the pants and upgrade them to newer versions which do not break on ARM. Closes: Bug#221553 -- Wichert Akkerman Wed, 19 Nov 2003 13:42:19 +0100 ipsec-tools (0.2.2-7) unstable; urgency=low * Tell configure that our kernel includes are in /usr/include. 
Closes: Bug#221380 * Stop using debian email address in changelog as well -- Wichert Akkerman Tue, 18 Nov 2003 11:13:48 +0100 ipsec-tools (0.2.2-6) unstable; urgency=low * Build using the new linux-kernel-headers package * Split out racoon into its own package -- Wichert Akkerman Fri, 14 Nov 2003 00:09:21 +0100 ipsec-tools (0.2.2-5) unstable; urgency=low * Update kernel headers so DES and 3DES work again with current kernels. -- Wichert Akkerman Mon, 23 Jun 2003 14:01:40 +0200 ipsec-tools (0.2.2-4) unstable; urgency=low * Fix logic error in init script which prevented racoon from being started * Update link to the PKIX certificate documentation * Use invoke-rc.d. Note that whoever decided its --query option should return 104 on an obvious success case should be shot. * Include GSSAPI copyright. Closes: Bug#192281 -- Wichert Akkerman Wed, 14 May 2003 11:21:47 +0200 ipsec-tools (0.2.2-3) unstable; urgency=low * Add libssl-dev Build-Depend. Closes: Bug#186750 * Add a Standards-Version. Closes: Bug#186748 * Update config.{guess,sub} to version from autotools-dev 20030110.1. Closes: Bug#186587 * Don't abort if make distclean fails. 
Closes: Bug#186751 -- Wichert Akkerman Sat, 29 Mar 2003 18:16:01 +0100 ipsec-tools (0.2.2-2) unstable; urgency=low * Add a real description and copyright * Install all racoon documentation * Install conffiles * Fix permissions, compress manpages * Properly restart and stop racoon on upgrade and removal -- Wichert Akkerman Sat, 22 Mar 2003 18:42:03 +0100 ipsec-tools (0.2.2-1) unstable; urgency=low * First trivial packaging -- Wichert Akkerman Sat, 15 Mar 2003 11:53:05 +0100 debian/racoon.docs0000644000000000000000000000010111766214464011324 0ustar NEWS README src/racoon/doc/FAQ src/racoon/doc/README.certificate debian/ipsec-tools.setkey.init0000644000000000000000000000235511766214464013637 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: setkey # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: S # Default-Stop: # Short-Description: option to manually manipulate the IPsec SA/SP database ### END INIT INFO PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin SETKEY=/usr/sbin/setkey SETKEY_CONF=/etc/ipsec-tools.conf SETKEY_CONF_DIR=/etc/ipsec-tools.d NAME=setkey RUN_SETKEY="yes" if [ -f /etc/default/setkey ] ; then . /etc/default/setkey fi test -x $SETKEY -a -f $SETKEY_CONF || exit 0 if [ $RUN_SETKEY != "yes" ] ; then exit 0 fi set -e . /lib/lsb/init-functions case "$1" in start) log_begin_msg "Loading IPsec SA/SP database: " err=0 for file in $SETKEY_CONF $SETKEY_CONF_DIR/*.conf ; do if [ -r "$file" ] ; then # Insert a manual newline until lsb-base amends its code. echo log_progress_msg " - ${file}" $SETKEY -f $file || err=1 fi done log_end_msg $err ;; stop) log_begin_msg "Flushing IPsec SA/SP database: " err=0 $SETKEY -F || err=1 $SETKEY -FP || err=1 log_end_msg $err ;; restart|force-reload) $0 stop $0 start echo "done." 
;; *) N=/etc/init.d/$NAME log_success_msg "Usage: $N {start|stop|restart|force-reload}" >&2 exit 1 ;; esac exit 0 debian/racoon.files0000644000000000000000000000015511766214464011507 0ustar ipsec-tools_0.4999pre5-20041206cvs_i386.deb net optional racoon_0.4999pre5-20041206cvs_i386.deb net optional debian/ipsec-tools.dirs0000644000000000000000000000002211766214464012317 0ustar etc/ipsec-tools.d debian/racoon.README.Debian0000644000000000000000000001000711766214464012520 0ustar Debian README for racoon ------------------------ This package requires a 2.6 kernel with IPSEC available, or a 2.4 kernel with the new IPSEC backport as in the latest 2.4 kernel source in sid and sarge. Please note that the af_key (PF_KEY) and xfrm_user modules must be loaded unless statically compiled into the kernel, so that the /proc/net/pfkey file is available for setkey and racoon; the racoon init script checks for af_key and refuses to start without it. If a suitable kernel is not installed, or /proc/net/pfkey is not available, racoon will fail to start properly. You will also have to make sure all required kernel encryption and xfrm modules are loaded, or that they are statically linked, if using 'direct' debconf configuration. racoon-tool ----------- racoon-tool is back. It is a management script that simplifies looking after setkey SPD rules, and basic racoon.conf on a connection oriented basis. It now functions in transport mode and tunnel mode, with anonymous VPN service, and supports PSK/X509 authentication and IPv6. It should also function on the FreeBSD kernel. Note that racoon-tool is Debian specific and upstream doesn't like it; it does not have all the features available through racoon.conf(5). If you want the latest racoon features and advanced functionality, use /etc/racoon/racoon.conf directly. X509 Certificates ----------------- You will need to place the PEM certificate, PEM private key and the CA cert and CA CRL in /etc/racoon/certs. Racoon requires the CRL file for X509 certificate verification. 
Hash names for the CRL and the CA cert will have to be set up in the directory with: # ln -s ca-cacert.pem `openssl x509 -hash -noout -in ca-cacert.pem`.0 # ln -s ca-crl.pem `openssl x509 -hash -noout -in ca-cacert.pem`.r0 Note that the CRL symlink has to use the hash of the CA cert (the issuer), not a hash of the CRL file itself. The certificates must also have the SubjectAltName X509v3 extension set, of type DNS name, carrying the machine's DNS ID. Peer/remote my_identifier and peers_identifier must be set to the DNS IDs given in SubjectAltName, and peer/remote verify_identifier and verify_cert must both be turned on: verify_cert makes racoon check the peer's certificate against the CA cert and CRL, and verify_identifier makes it check that the ID the peer claims in IKE matches that certificate. Without both checks the certificate does not actually bind the peer's identity. Peer/remote authentication_method must be set to rsasig. See README.certificate for further details. The CA CRL, CA cert and all other certificates should be installed with owner/group root:root, permissions 644: # chmod 644 *cert.pem *crl.pem # chown root:root *cert.pem *crl.pem and keys, which must never be group- or world-readable: # chmod 600 *key.pem # chown root:root *key.pem This is important if you want to use privilege separation. After this is done, configure the key and cert with the certificate_type x509 racoon.conf or certificate_type: racoon-tool.conf statements. iPhone OS Support -------------------- The iPhone OS has a strange set of VPN features. Using L2TP over IPsec it only supports main mode with pre-shared keys (no certificates). Since L2TP provides the per-user authentication we want to use a single pre-shared key for all VPN users, but this is hard to do with ipsec-tools since racoon only supports pskey lookup by address when identity protection is used and we do not know the address of the client in advance. There is now support for a wildcard match in psk.txt. Simply specify * in the id-field of psk.txt to match any client. Keep in mind that all clients then share this one key and it is the only IPsec-layer secret: anyone who learns it can complete IKE phase 1 with the server, and per-user access control rests entirely on the L2TP authentication. Keep psk.txt readable by root only. 
Plainrsa to PEM file format converter --------------------------------------- You'll find a perl script, plainrsa-convert, in /usr/share/doc/racoon/examples that converts RSA public keys between the PEM format used by OpenBSD's isakmpd/ipsecctl and the "plainrsa" format racoon uses. Further information can be found here: http://www.mail-archive.com/misc@openbsd.org/msg59741.html Keep in mind that this script requires the packages libparse-recdescent-perl and libcrypt-openssl-rsa-perl. Further Information ------------------- Further information about the Linux KAME/racoon IPSEC can be found at http://ipsec-tools.sourceforge.net, and a HOWTO can be found at "http://www.ipsec-howto.org/t1.html". -- Stefan Bauer , Thu, 12 Aug 2010 13:16:11 +0200 -- Ganesan Rajagopal , Mon, 21 Apr 2008 13:47:57 +0530 -- Matthew Grant , Wed, 13 Jun 2012 15:51:29 +1200 debian/examples/0000755000000000000000000000000011766214463011016 5ustar debian/examples/tunnel-openbsd-to-debian-example.txt0000644000000000000000000000552611766214463020015 0ustar This text presents the possibly simplest use case of an IPsec/Racoon tunnel between a GNU/Linux system and an OpenBSD system, using RSA signatures and automatic keying. Observe that Racoon and Isakmpd/ipsecctl are still using IKEv1. As of OpenBSD 4.8 there is also the new Iked for IKEv2, but this is not considered here. An essential fact to keep in mind is that Racoon expects RSA public keys in the "plainrsa" format, whereas ipsecctl/isakmpd use PEM-encoded keys. As of recently, the Debian packaging contains a tool for conversion between the formats, so the following example is readily deployed. The GNU/Linux side needs two files, one containing policies and the other outlining associations. Practical tests indicate that Racoon parses the following pair into a passive end point of a tunnel. 
First off is the policy setting: #!/usr/sbin/setkey -f # flush; spdflush; spdadd 192.168.0.33 192.168.0.25 any -P out ipsec esp/tunnel/192.168.0.33-192.168.0.25/require; spdadd 192.168.0.25 192.168.0.33 any -P in ipsec esp/tunnel/192.168.0.25-192.168.0.33/require; Next the association proposals, which are tailored to a minimal default setting at the OpenBSD end point. Note that dh_group/pfs_group modp1024 and hash_algorithm sha1 are chosen only to match that OpenBSD default; where both ends allow it, prefer a larger DH group and a SHA-2 hash. #!/usr/sbin/racoon -f # # Address of this GNU/Linux system # # 192.168.0.33 # # Required "plainrsa" encoded RSA-keys: # # /etc/racoon/privkeys/192.168.0.33 # /etc/racoon/pubkeys/192.168.0.25 # remote 192.168.0.25 { exchange_mode main; certificate_type plain_rsa "/etc/racoon/privkeys/192.168.0.33"; peers_certfile plain_rsa "/etc/racoon/pubkeys/192.168.0.25"; proposal { # Default main mode in OpenBSD authentication_method rsasig; dh_group modp1024; encryption_algorithm aes; hash_algorithm sha1; } } sainfo address 192.168.0.33 any address 192.168.0.25 any { pfs_group modp1024; # Default quick mode in OpenBSD encryption_algorithm aes; authentication_algorithm hmac_sha256; compression_algorithm deflate; } sainfo address 192.168.0.25 any address 192.168.0.33 any { pfs_group modp1024; # Default quick mode in OpenBSD encryption_algorithm aes; authentication_algorithm hmac_sha256; compression_algorithm deflate; } Finally the setting at the OpenBSD side: Only one file, but "isakmpd -K" is required before the call to ipsecctl. #!/sbin/ipsecctl -f # # Required PEM-encoded RSA-keys: # # /etc/isakmpd/private/local.key # /etc/isakmpd/pubkeys/ipv4/192.168.0.33 # # Address of this OpenBSD system: # # 192.168.0.25 # # Activation: # # # isakmpd -K # # ipsecctl -f this_file ike esp from 192.168.0.25 to 192.168.0.33 peer 192.168.0.33 ike esp from 192.168.0.33 to 192.168.0.25 peer 192.168.0.33 debian/examples/plainrsa-convert0000644000000000000000000000275411766214463014240 0ustar #!/usr/bin/perl -w # Convert public keys from and to the format used by Racoon. # Written and placed in the public domain by Andreas Voegele. 
use strict; use Parse::RecDescent; use Crypt::OpenSSL::RSA; use MIME::Base64; sub pem2rfc { my $key = shift; my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($key); my ($n, $e) = $rsa_pub->get_key_parameters(); my $eb = $e->to_bin(); return encode_base64(pack("C", length($eb)) . $eb . $n->to_bin(), ''); } sub rfc2pem { my $key = shift; my $decoded = decode_base64($key); my $len = unpack("C", substr($decoded, 0, 1)); my $e = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1, $len)); my $n = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1 + $len)); my $rsa_pub = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e); return $rsa_pub->get_public_key_x509_string(); } my $grammar = q { input: item(s) item: pempubkey | rfcpubkey | other pempubkey: m{-----BEGIN PUBLIC KEY-----.*?-----END PUBLIC KEY-----}s { print ": PUB 0s" . ::pem2rfc($item[1]), "\n"; } rfcpubkey: addr(0..2) ':' 'PUB' m{0s[A-Za-z0-9+/=]+} { print ::rfc2pem(substr($item[4], 2)); } addr: ( ipv4addr | ipv6addr ) prefix(?) | 'any' ipv4addr: /(?:\\d{1,3}\\.){3}\\d{1,3}/ ipv6addr: /[[:xdigit:]:]*:[[:xdigit:]:]*:[[:xdigit:]:]*/ prefix: m{/\d{1,3}} other: /.*/ }; my $parser = new Parse::RecDescent($grammar); undef $/; my $input = <>; $parser->input($input); debian/ipsec-tools.setkey.default0000644000000000000000000000011011766214464014303 0ustar # Set to "no" to disable loading ipsec.conf on startup # RUN_SETKEY=yes debian/racoon.postrm0000644000000000000000000000053511766214464011733 0ustar #! /bin/sh # postrm script for racoon # # see: dh_installdeb(1) set -e if [ "$1" = purge ]; then rm -f /etc/default/racoon if which deluser >/dev/null 2>&1; then deluser --quiet --system racoon > /dev/null || true fi if which delgroup >/dev/null 2>&1; then delgroup --quiet --system racoon > /dev/null || true fi fi #DEBHELPER# exit 0 debian/ipsec-tools.postinst0000644000000000000000000000177311766214464013257 0ustar #! 
/bin/sh # postinst script for ipsec-tools # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package # case "$1" in configure) if [ -L /etc/rc2.d/S20setkey -o -L /etc/rc0.d/K37setkey ]; then # remove this old entry, we'll add correct one below update-rc.d -f setkey remove > /dev/null || exit 0 fi ;; abort-upgrade|abort-remove|abort-deconfigure) exit 0 ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 debian/racoon.dirs0000644000000000000000000000012411766214464011342 0ustar usr/sbin usr/lib etc/racoon/certs etc/racoon/scripts etc/racoon/racoon-tool.conf.d debian/racoon.install0000644000000000000000000000144511766214464012056 0ustar usr/lib/ipsec-tools/libracoon.so.0 usr/lib/ipsec-tools/libracoon.so.0.0.0 usr/include/libipsec/libpfkey.h usr/include/racoon/admin.h usr/include/racoon/evt.h usr/include/racoon/gcmalloc.h usr/include/racoon/ipsec_doi.h usr/include/racoon/isakmp.h usr/include/racoon/isakmp_cfg.h usr/include/racoon/isakmp_unity.h usr/include/racoon/isakmp_var.h usr/include/racoon/isakmp_xauth.h usr/include/racoon/misc.h usr/include/racoon/racoonctl.h usr/include/racoon/schedule.h usr/include/racoon/sockmisc.h usr/include/racoon/var.h usr/include/racoon/vmbuf.h usr/sbin/plainrsa-gen usr/sbin/racoon usr/sbin/racoonctl usr/share/man/man3/ipsec_set_policy.3 usr/share/man/man3/ipsec_strerror.3 usr/share/man/man5/racoon.conf.5 usr/share/man/man8/plainrsa-gen.8 usr/share/man/man8/racoon.8 usr/share/man/man8/racoonctl.8 debian/po/0000755000000000000000000000000012000504450007572 5ustar debian/po/pl.po0000644000000000000000000000605012000504522010546 0ustar # Translation of ipsec-tools debconf templates to Polish. 
# Copyright (C) 2012 # This file is distributed under the same license as the ipsec-tools package. # # Michał Kułach , 2012. msgid "" msgstr "" "Project-Id-Version: ipsec-tools\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-06 16:53+0200\n" "Last-Translator: Michał Kułach \n" "Language-Team: Polish \n" "Language: pl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 " "|| n%100>=20) ? 1 : 2);\n" "X-Generator: Lokalize 1.4\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "bezpośrednia" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Tryb konfiguracji do demona IKE racoon:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoon może zostać skonfigurowane bezpośrednio, za pomocą edycji pliku /etc/" "racoon/racoon.conf lub używając interfejsu administracyjnego racoon-tool." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "Użycie metody bezpośredniej jest zalecane, jeśli chce się używać wszystkich " "przykładów racoon z sieci i aby wykorzystać pełne możliwości racoon. 
" "Konieczne będzie bezpośrednie edytowanie pliku /etc/racoon/racoon.conf i " "prawdopodobnie ręczna konfiguracja Security Policy Database za pomocą setkey." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Racoon-tool zostało zaktualizowane do racoon w wersji 0.8.0 i przydaje się w " "prostych konfiguracjach. Daje zaletę zarządzania SPD razem z IKE, które " "oferuje strongSwan. Obsługiwane są: IPv6, tryb transport/tunel (ESP/AH), " "autoryzacja PSK/X509 i prosty serwer \"anonimowy\" VPN." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Więcej informacji znajduje się w pliku /usr/share/doc/racoon/README.Debian." debian/po/pt.po0000644000000000000000000000612612000504522010562 0ustar # translation of ipsec-tools debconf to Portuguese # Portuguese translation of ipsec-tools debconf messages. # This file is distributed under the same license as the ipsec-tools package. # # Manuel Padilha , 2006. # Américo Monteiro , 2008, 2012. msgid "" msgstr "" "Project-Id-Version: ipsec-tools 1:0.8.0-13\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-03 21:58+0100\n" "Last-Translator: Américo Monteiro \n" "Language-Team: Portuguese \n" "Language: pt\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.4\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "directo" #. Type: select #. 
Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Modo de configuração para o daemon racoon IKE:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "O racoon pode ser configurado ou directamente, ao editar /etc/racoon/racoon." "conf, ou usando o front-end administrativo racoon-tool." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "O uso do método \"directo\" é fortemente recomendado se você deseja usar " "todos os exemplos do racoon da Net, e se deseja usar o conjunto total de " "funcionalidades do racoon. Você terá que editar directamente /etc/racoon/" "racoon.conf e possivelmente ter que definir manualmente a Base de Dados de " "Políticas de Segurança via setkey." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "O racoon-tool foi actualizado para o racoon 0.8.0, e é usado para definir " "configurações básicas. Oferece o benefício de gerir o SPD juntamente com a " "IKE que o strongSwan oferece. São suportados IPv6, modo de transporte/" "túnel (ESP/AH), autenticação PSK/X509, e servidor VPN \"anónimo\" básico." #. 
Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Mais informações estão disponíveis em /usr/share/doc/racoon/README.Debian." debian/po/sv.po0000644000000000000000000001156212000504522010567 0ustar # Translation of ipsec-tools debconf template to Swedish # Copyright (C) 2012 Martin Bagge # This file is distributed under the same license as the ipsec-tools package. # # Martin Bagge , 2012 msgid "" msgstr "" "Project-Id-Version: ipsec-tools 1:0.6.1-1\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-06 20:55+0100\n" "Last-Translator: Martin Bagge / brother \n" "Language-Team: Swedish \n" "Language: sv\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Swedish\n" "X-Poedit-Country: Sweden\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "direkt" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Konfigurationsläge för IKE-demonen racoon:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoon kan konfigureras genom att direkt redigera /etc/racoon/racoon.conf " "eller genom att använda administrationsverktyget racoon-tool." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. 
You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "Användning av metoden \"direkt\" rekommenderas starkt om du vill använda alla " "racoon-exempel på nätet och om du vill använda alla racoons möjligheter. Du " "behöver då redigera /etc/racoon/racoon.conf manuellt och eventuellt manuellt " "sätta upp Security Policy Database (SPD) via \"setkey\"." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Racoon-tool har uppdaterats för racoon 0.8.0 och kan användas för enklare " "installationer. Det drar nytta av hanteringen av SPD tillsammans med IKE " "som strongSwan erbjuder. IPv6, transport-/tunnel-läge (ESP/AH), PSK-/X509-" "autentisering och enkel \"anonym\" VPN-server stöds." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Ytterligare information finns att läsa i /usr/share/doc/racoon/README.Debian." #~ msgid "Please select the racoon configuration mode." #~ msgstr "Välj konfigurationsläget för racoon IKE daemon." #~ msgid "Racoon can now be configured two ways." #~ msgstr "Racoon kan konfigureras på två sätt." #~ msgid "" #~ "The traditional one (direct), which is for direct editing of /etc/racoon/" #~ "racoon.conf and setup of the SPD using setkey via a shell script written " #~ "by the systems administrator. You will have to make sure that the kernel " #~ "has all required modules loaded or the racoon daemon can exit with a " #~ "'failed to parse configuration file' error." 
#~ msgstr "" #~ "Den traditionella metoden (direkt) som är för att direkt göra ändringar " #~ "i /etc/racoon/racoon.conf och sätta upp SPD med setkey via shellskript " #~ "(skrivet av systemadministratören). Du måste kontrollera att kerneln har " #~ "alla nödvändiga moduler laddade annars kommer racoon daemonen att " #~ "avslutas med ett 'failed to parse configuration file' fel." #~ msgid "" #~ "The new one is the racoon-tool administration front end which configures " #~ "both, as well as handling module loading and can handle most common " #~ "setups. Please read /usr/share/doc/racoon/README.Debian for more " #~ "details." #~ msgstr "" #~ "Det nya är racoon-tools administrationsgränssnitt som konfigurerar dem " #~ "båda och som även hanterar laddning av moduler och kan även hantera de " #~ "flesta allmänna inställningar. Vänligen läs /usr/share/doc/racoon/README." #~ "Debian för mer information." #~ msgid "" #~ "Would you like to use the new racoon-tool program to configure VPNs, or " #~ "the direct editing of /etc/racoon/racoon.conf?" #~ msgstr "" #~ "Vill du använda det nya programmet racoon-tool för att konfigurera VPN " #~ "eller direkt ändra /etc/racoon/racoon.conf manuellt?" #~ msgid "Please select from either 'direct' or 'racoon-tool'." #~ msgstr "Välj mellan antingen 'direkt' eller 'racoon-tool'." debian/po/pt_BR.po0000644000000000000000000000576112000504522011151 0ustar # ipsec-tools Brazilian Portuguese translation # Copyright (C) 2006 ipsec-tools's COPYRIGHT HOLDER # This file is distributed under the same license as the ipsec-tools package. # André Luís Lopes , 2006. # Eder L. Marques (frolic) , 2008. # msgid "" msgstr "" "Project-Id-Version: ipsec-tools 1:0.7-2.1\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2008-05-26 11:23-0300\n" "Last-Translator: Eder L. 
Marques (frolic) \n" "Language-Team: Brazilian Portuguese \n" "Language: pt_BR\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "pt_BR utf-8\n" "X-Generator: KBabel 1.11.4\n" "Plural-Forms: nplurals=2; plural=(n > 1);\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "direta" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "Configuration mode for racoon IKE daemon." msgid "Configuration mode for racoon IKE daemon:" msgstr "Modo de configuração para o daemon IKE racoon." #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "" #| "Racoon can be configured two ways, either by directly editing /etc/racoon/" #| "racoon.conf or using the racoon-tool administrative front end. racoon-" #| "tool is now deprecated and is only available for backward compatibility. " #| "New installations should always use the \"direct\" method." msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "O racoon pode ser configurado de duas maneiras, tanto editando diretamente o " "arquivo /etc/racoon/racoon.conf ou usando a interface administrativa racoon-" "tool. O racoon-tool está obsoleto agora e está disponível somente para " "compatibilidade com versões anteriores. Novas instalações deveriam sempre " "utilizar o método \"direto\"." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" #. Type: select #. 
Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" debian/po/eu.po0000644000000000000000000000545312000504522010552 0ustar # translation of xd-ipsec-tools-eu.po to Euskara # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # # xabier bilbao , 2008. # Piarres Beobide , 2008. msgid "" msgstr "" "Project-Id-Version: xd-ipsec-tools-eu\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2008-05-24 23:47+0200\n" "Last-Translator: Piarres Beobide \n" "Language-Team: Euskara \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "zuzena" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool bidez" #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "Configuration mode for racoon IKE daemon." msgid "Configuration mode for racoon IKE daemon:" msgstr "Racoon IKE deabrua konfiguratzeko modua:" #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "" #| "Racoon can be configured two ways, either by directly editing /etc/racoon/" #| "racoon.conf or using the racoon-tool administrative front end. racoon-" #| "tool is now deprecated and is only available for backward compatibility. 
" #| "New installations should always use the \"direct\" method." msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Bi era daude Racoon konfiguratzeko: /etc/racoon/racoon.conf zuzenean " "editatuz, edo racoon-tool administrazio interfazea erabiliz. Racoon-tool " "zaharkitua geratu da, eta atzeranzko bateragarritasunagatik soilik dago " "eskura. Instalazio berrietan erabili beti \"zuzena\" modua." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" debian/po/nl.po0000644000000000000000000000541312000504522010546 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. 
# msgid "" msgstr "" "Project-Id-Version: ipsec-tools\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2008-05-26 15:23+0100\n" "Last-Translator: Bart Cornelis \n" "Language-Team: debian-l10n-dutch \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Dutch\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "direct" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "Configuration mode for racoon IKE daemon." msgid "Configuration mode for racoon IKE daemon:" msgstr "Configuratiemodus voor de racoon IKE-achtergronddienst." #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "" #| "Racoon can be configured two ways, either by directly editing /etc/racoon/" #| "racoon.conf or using the racoon-tool administrative front end. racoon-" #| "tool is now deprecated and is only available for backward compatibility. " #| "New installations should always use the \"direct\" method." msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoon kan ingesteld worden door of het configuratiebestand /etc/racoon/" "racoon.conf direct aan te passen, of via het racoon-tool administratieve " "programma. Racoon-tool is verouderd en enkel beschikbaar voor teruggaande " "compatibiliteit. Nieuwe installaties dienen de 'direct'-methode te gebruiken." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. 
You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" debian/po/sk.po0000644000000000000000000000564712000504522010563 0ustar # Slovak translation of ipsec-tools debconf templates. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the ipsec-tools package. # Ivan Masár , 2012. # msgid "" msgstr "" "Project-Id-Version: ipsec-tools\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-01 19:15+0100\n" "Last-Translator: Ivan Masár \n" "Language-Team: Slovak \n" "Language: sk\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "priamo" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Režim konfigurácie démona IKE racoon:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoon je možné nakonfigurovať buď priamo, úpravou /etc/racoon/racoon.conf " "alebo použitím správcovského rozhrania racoon-tool." 
#. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "Dôrazne sa odporúča použiť spôsob „priamo“ ak chcete používať všetky príklady " "racoon z internetu a ak chcete používať kompletnú sadu vlastností racoon. " "Budete musieť priamo upraviť /etc/racoon/racoon.conf a možno aj nastaviť " "Databázu bezpečnostných politík prostredníctvom setkey." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Racoon-tool bol aktualizovaný na racoon 0.8.0 a slúži na " "nastavenie základných konfigurácií. Jeho výhodou je správa SPD spolu s IKE, " "ktorý ponúka strongSwan. Podporované je IPv6, režim transport/tunel (ESP/" "AH), overenie totožnosti PSK/X509 a základný „anonymný“ VPN server." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Ďalšie informácie sú dostupné v súbore /usr/share/doc/racoon/README.Debian." debian/po/it.po0000644000000000000000000000563012000504522010552 0ustar # Italian (it) translation of debconf templates for ipsec-tools # This file is distributed under the same license as the ipsec-tools package. # Luca Monducci , 2008-2012. 
# msgid "" msgstr "" "Project-Id-Version: ipsec-tools 1:0.8.0\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-01 11:24+0200\n" "Last-Translator: Luca Monducci \n" "Language-Team: Italian \n" "Language: it\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "diretto" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Modalità di configurazione del demone IKE racoon:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoon può essere configurato direttamente, andando a modificare /etc/racoon/" "racoon.conf, oppure usando l'interfaccia d'amministrazione racoon-tool." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "L'uso del metodo \"diretto\" è fortemente raccomandato se si vogliono usare " "tutti gli esempi disponibili in rete e se si vogliono usare tutte le " "funzionalità di racoon. Sarà necessario modificare direttamente /etc/racoon/" "racoon.conf e probabilmente impostare manualmente il Security Policy " "Database con setkey." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. 
It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Racoon-tool è stato aggiornato per racoon 0.8.0 e può essere usato per fare " "delle configurazioni di base. Ha il pregio di gestire il SPD con IKE offerto " "da strongSwan. Supporta IPv6, la modalità trasporto/tunnel (ESP/AH), " "l'autenticazione PSK/X509 e server VPN \"anonimi\" di base." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Maggiori informazioni sono disponibili in /usr/share/doc/racoon/README." "Debian." debian/po/es.po0000644000000000000000000001355712000504602010553 0ustar # ipsec-tools po-debconf translation to Spanish # Copyright (C) 2005 Software in the Public Interest # This file is distributed under the same license as the ipsec-tools package. # # Changes: # - Initial translation # César Gómez Martín # - Translation update # Javier Fernández-Sanguino # # Traductores, si no conoce el formato PO, merece la pena leer la # documentación de gettext, especialmente las secciones dedicadas a este # formato, por ejemplo ejecutando: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # Equipo de traducción al español, por favor, lean antes de traducir # los siguientes documentos: # # - El proyecto de traducción de Debian al español # http://www.debian.org/intl/spanish/ # especialmente las notas de traducción en # http://www.debian.org/intl/spanish/notas # # - La guía de traducción de po's de debconf: # /usr/share/doc/po-debconf/README-trans # o http://www.debian.org/intl/l10n/po-debconf/README-trans # msgid "" msgstr "" "Project-Id-Version: ipsec-tools 1:0.6.6-3\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-12 23:06+0200\n" "Last-Translator: Javier 
Fernández-Sanguino \n" "Language-Team: Debian l10n spanish \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Spanish\n" "X-Poedit-Country: SPAIN\n" "X-Poedit-SourceCharset: utf-8\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "directo" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Modo de configuración para el demonio IKE de racoon:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "Se puede configurar racoon de dos formas distintas: editando directamente el fichero «/etc/racoon/racoon.conf» o utilizando la interfaz de administración «racoon-tool»." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "Se recomienda encarecidamente el método «direct» si quiere utilizar todos los ejemplos de racoon disponibles en la red, y si desea utilizar el conjunto completo de funcionalidades. Tendrá que editar directamente «/etc/racoon/racoon.conf» y seguramente deba configurar manualmente la Base de datos de la Política de Seguridad con «setkey»." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. 
IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "Se ha actualizado «racoon-tool» para la versión 0.8.0 de racoon y se ha de utilizar para conjuntos de configuración básicos. Esta herramienta tiene como beneficio la gestión de SPD junto con el IKE que ofrece strongSwan. También incluye soporte para las funcionalidades de IPv6, modo de transporte/túnel (ESP/AH), autenticación PSK/X509, y un servidor VPN «anónimo» básico." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "Tiene más información disponible en «/usr/share/doc/racoon/README.Debian»." #~ msgid "Racoon can now be configured two ways." #~ msgstr "Racoon puede configurarse de dos formas." #~ msgid "" #~ "The traditional one (direct), which is for direct editing of /etc/racoon/" #~ "racoon.conf and setup of the SPD using setkey via a shell script written " #~ "by the systems administrator. You will have to make sure that the kernel " #~ "has all required modules loaded or the racoon daemon can exit with a " #~ "'failed to parse configuration file' error." #~ msgstr "" #~ "El modo tradicional (directo), que se usa para la edición directa de /etc/" #~ "racoon/racoon.conf y para la instalación de SPD usando setkey a través de " #~ "un shell script escrito por el administrador del sistema. Tendrá que " #~ "asegurarse de que el núcleo tiene cargados todos los módulos requeridos o " #~ "el demonio racoon finalizará con el mensaje de error «fallo al " #~ "analizar el fichero de configuración»." #~ msgid "" #~ "The new one is the racoon-tool administration front end which configures " #~ "both, as well as handling module loading and can handle most common " #~ "setups. Please read /usr/share/doc/racoon/README.Debian for more " #~ "details." 
#~ msgstr "" #~ "El nuevo modo es el administrador de racoon-tool que configura ambos, " #~ "también gestiona la carga de módulos y puede gestionar la mayoría de " #~ "instalaciones habituales. Por favor, lea /usr/share/doc/racoon/README." #~ "Debian para más detalles." #~ msgid "" #~ "Would you like to use the new racoon-tool program to configure VPNs, or " #~ "the direct editing of /etc/racoon/racoon.conf?" #~ msgstr "" #~ "¿Le gustaría utilizar el administrador racoon-tool para configurar VPNs " #~ "(Redes privadas virtuales) o prefiere la edición directa de «/etc/racoon/" #~ "racoon.conf»?" #~ msgid "Please select from either 'direct' or 'racoon-tool'." #~ msgstr "Por favor, seleccione «direct» o «racoon-tool»." debian/po/POTFILES.in0000644000000000000000000000005312000504522011345 0ustar [type: gettext/rfc822deb] racoon.templates debian/po/vi.po0000644000000000000000000000565612000504522010564 0ustar # Vietnamese Translation for ipsec-tools. # Copyright © 2008 Free Software Foundation, Inc. # Clytie Siddall , 2005-2008. # msgid "" msgstr "" "Project-Id-Version: ipsec-tools 1:0.7-2.1\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2008-05-22 14:29+0930\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" "Language: vi\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" "X-Generator: LocFactoryEditor 1.7b3\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "trực tiếp" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "Configuration mode for racoon IKE daemon." msgid "Configuration mode for racoon IKE daemon:" msgstr "Chế độ cấu hình cho trình nền IKE racoon." #. Type: select #. 
Description #: ../racoon.templates:2002 #, fuzzy #| msgid "" #| "Racoon can be configured two ways, either by directly editing /etc/racoon/" #| "racoon.conf or using the racoon-tool administrative front end. racoon-" #| "tool is now deprecated and is only available for backward compatibility. " #| "New installations should always use the \"direct\" method." msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Trình racoon có thể được cấu hình bằng hai cách khác nhau, hoặc bằng cách " "hiệu chỉnh trực tiếp tập tin cấu hình « /etc/init.d/racoon.conf », hoặc bằng " "cách sử dụng tiền tiêu quản trị racoon-tool. Tùy nhiên, racoon-tool lúc bây " "giờ bị phản đối và công bố chỉ để tương thích ngược. Việc cài đặt mới lúc " "nào cũng nên dùng phương pháp « trực tiếp »." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" debian/po/ru.po0000644000000000000000000000730512000504522010565 0ustar # translation of ipsec-tools_1:0.7-2.1_ru.po to Russian # Russian translation of ipsec-tools_1:0.6.5-6.po. 
# This file is distributed under the same license as the ipsec-tools package. # # # Aleksandr Bouksha , 2006.A , 2006. # Yuri Kozlov , 2008, 2012. msgid "" msgstr "" "Project-Id-Version: ipsec-tools 1:0.8.0-13\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-01 11:38+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" "Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.2\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "вручную" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Способ настройки службы racoon IKE:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Службу racoon можно настраивать двумя способами: правкой /etc/racoon/racoon." "conf вручную и при помощи управляющей оболочки racoon-tool." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "Если вы хотите использовать все примеры racoon для Net, или задействовать " "все возможности racoon, то настоятельно рекомендуется использовать «ручной» " "способ. 
Для этого отредактируйте файл /etc/racoon/racoon.conf и, возможно, " "вручную настройте базу данных политики безопасности через setkey." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Программа Racoon-tool была обновлена в racoon 0.8.0, ей можно пользоваться " "для создания несложных конфигураций. Вместе с IKE, которую предлагает " "strongSwan, она удобна в управлении SPD. Поддерживается настройка IPv6, " "режим пересылки/туннелирования (ESP/AH), аутентификация PSK/X509 и базовый " "«анонимный» сервер VPN." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Дополнительную информацию можно найти в файле /usr/share/doc/racoon/README." "Debian." debian/po/gl.po0000644000000000000000000000533212000504522010537 0ustar # Galician translation of ipsec-tools's debconf templates # This file is distributed under the same license as the ipsec-tools package. # Jacobo Tarrio , 2007, 2008. # msgid "" msgstr "" "Project-Id-Version: ipsec-tools\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2008-05-13 00:54+0100\n" "Last-Translator: Jacobo Tarrio \n" "Language-Team: Galician \n" "Language: gl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "directo" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. 
Description #: ../racoon.templates:2002 #, fuzzy #| msgid "Configuration mode for racoon IKE daemon." msgid "Configuration mode for racoon IKE daemon:" msgstr "Modo de configuración para o servizo IKE racoon." #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "" #| "Racoon can be configured two ways, either by directly editing /etc/racoon/" #| "racoon.conf or using the racoon-tool administrative front end. racoon-" #| "tool is now deprecated and is only available for backward compatibility. " #| "New installations should always use the \"direct\" method." msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Pódese configurar racoon de dous xeitos: editando /etc/racoon/racoon.conf " "directamente, ou empregando a interface administrativa racoon-tool. racoon-" "tool está obsoleto e só está dispoñible para compatibilidade con versións " "anteriores. As instalacións novas deberían empregar só o método \"directo\"." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." 
msgstr "" debian/po/fi.po0000644000000000000000000000513112000504522010530 0ustar msgid "" msgstr "" "Project-Id-Version: ipsec-tools\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: \n" "Last-Translator: Esko Arajärvi \n" "Language-Team: Finnish \n" "Language: fi\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Finnish\n" "X-Poedit-Country: FINLAND\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "suora" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "Configuration mode for racoon IKE daemon." msgid "Configuration mode for racoon IKE daemon:" msgstr "Racoon IKE -taustaohjelman asetustapa:" #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "" #| "Racoon can be configured two ways, either by directly editing /etc/racoon/" #| "racoon.conf or using the racoon-tool administrative front end. racoon-" #| "tool is now deprecated and is only available for backward compatibility. " #| "New installations should always use the \"direct\" method." msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoonin asetukset voidaan tehdä joko muokkaamalla suoraan tiedostoa /etc/" "racoon/racoon.conf tai käyttämällä ylläpitokäyttöliittymää racoon-tool. " "racoon-tool on nyt vanhentunut ja käytettävissä vain aiempien versioiden " "yhteensopivuuden varmistamiseksi. Uusissa asennuksissa tulisi aina käyttää " "”suoraa” tapaa." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. 
You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" debian/po/ja.po0000644000000000000000000001223012000504522010522 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # msgid "" msgstr "" "Project-Id-Version: ipsec-tools 1:0.7.1-1\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2008-08-06 20:05+0900\n" "Last-Translator: Hideki Yamane (Debian-JP) \n" "Language-Team: Japanese \n" "Language: ja\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "直接" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 #, fuzzy #| msgid "Configuration mode for racoon IKE daemon." msgid "Configuration mode for racoon IKE daemon:" msgstr "racoon IKE デーモンの設定方法" #. Type: select #. 
Description #: ../racoon.templates:2002 #, fuzzy #| msgid "" #| "Racoon can be configured two ways, either by directly editing /etc/racoon/" #| "racoon.conf or using the racoon-tool administrative front end. racoon-" #| "tool is now deprecated and is only available for backward compatibility. " #| "New installations should always use the \"direct\" method." msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "racoon は、/etc/racoon/racoon.conf を直接編集する、もしくは racoon-tool 管理" "フロントエンドを利用するという、2 つの方法のどちらを使っても設定可能です。" "racoon-tool はすでに廃止される予定になっており、後方互換性のためにのみ残され" "ています。新規インストールでは必ず「直接」設定してください。" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" #~ msgid "Please select the racoon configuration mode." #~ msgstr "racoon IKE デーモンの設定方法を選択してください。" #~ msgid "Racoon can now be configured two ways." #~ msgstr "racoon は 2 つの方法で設定可能です。" #~ msgid "" #~ "The traditional one (direct), which is for direct editing of /etc/racoon/" #~ "racoon.conf and setup of the SPD using setkey via a shell script written " #~ "by the systems administrator. 
You will have to make sure that the kernel " #~ "has all required modules loaded or the racoon daemon can exit with a " #~ "'failed to parse configuration file' error." #~ msgstr "" #~ "従来の方法 (直接) では、/etc/racoon/racoon.conf を直接編集し、管理者によっ" #~ "て書かれたシェルスクリプトによる setkey を用いて SPD を設定します。カーネ" #~ "ルに必要な全てのモジュールが読み込まれていなければ、racoon デーモンは '設" #~ "定ファイルの解析エラー' で終了します。" #~ msgid "" #~ "The new one is the racoon-tool administration front end which configures " #~ "both, as well as handling module loading and can handle most common " #~ "setups. Please read /usr/share/doc/racoon/README.Debian for more " #~ "details." #~ msgstr "" #~ "新しい方法は、racoon-tool 管理フロントエンドでは、モジュールのロードと、一" #~ "般的なセットアップの両方が行えます。より詳細な情報については、/usr/share/" #~ "doc/racoon/README.Debian を読んでください。" #~ msgid "" #~ "Would you like to use the new racoon-tool program to configure VPNs, or " #~ "the direct editing of /etc/racoon/racoon.conf?" #~ msgstr "" #~ "VPN の設定に新しい racoon-tool プログラムを利用しますか?もしくは、直接 /" #~ "etc/racoon/racoon.conf を編集しますか?" #~ msgid "Please select from either 'direct' or 'racoon-tool'." #~ msgstr "'直接' もしくは 'racoon-tool' のいづれかを選択してください" debian/po/templates.pot0000644000000000000000000000372212000504522012320 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: ipsec-tools\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "" #. Type: select #. 
Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" debian/po/de.po0000644000000000000000000000671612000504522010534 0ustar # translation of ipsec-tools_1:0.7-2_de.po to German # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans# # Developers do not need to manually edit POT or PO files. # Erik Schanze , 2004-2008. # Erik Pfannenstein , 2012. 
msgid "" msgstr "" "Project-Id-Version: ipsec-tools_1:0.8.0-13_de\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-02 21:46+0200\n" "Last-Translator: Erik Pfannenstein \n" "Language-Team: de \n" "Language: de\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" "X-Generator: Virtaal 0.7.1\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "direkt" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "Racoon-Tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Art der Einrichtung des Racoon-IKE-Daemons:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoon kann entweder direkt durch Bearbeitung von /etc/racoon/racoon.conf " "oder über die administrative Oberfläche von Racoon-Tool konfiguriert werden." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "Die Verwendung der »direkten« Methode wird dringend empfohlen, wenn Sie die " "vielen Racoon-Beispiele aus dem Netz verwenden und alle Fähigkeiten von " "Racoon ausreizen wollen. Sie werden /etc/racoon/racoon.conf direkt " "bearbeiten und möglicherweise die Sicherheitsrichtlinien-Datenbank (Security " "Policy Database) via Setkey per Hand aufsetzen müssen." #. Type: select #. 
Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Racoon-Tool wurde für Racoon 0.8.0 auf den neuesten Stand gebracht und ist " "für die Verwendung in Basiskonfigurationen. Es hat den Vorzug, die SPD " "zusammen mit dem von strongSwan angebotenen IKE zu verwalten. IPv6, " "Transport/Tunnel-Modus (ESP/AH), PSK/X509-Authentifizierung und einfacher " "»anonymer« VPN-Server werden unterstützt." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Weitere Informationen finden Sie in /usr/share/doc/racoon/README.Debian." debian/po/cs.po0000644000000000000000000000615512000504522010546 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # msgid "" msgstr "" "Project-Id-Version: ipsec-tools\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-06 08:25+0200\n" "Last-Translator: Miroslav Kure \n" "Language-Team: Czech \n" "Language: cs\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "přímo" #. Type: select #. 
Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Způsob nastavení racoon IKE daemona:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "racoon můžete nastavit buď přímou úpravou souboru /etc/racoon/racoon.conf, " "nebo použitím administračního rozhraní racoon-tool." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "„Přímý“ způsob se doporučuje v případě, že chcete využít všechny příklady z " "Internetu, nebo pokud chcete využít racoon naplno. Budete ovšem muset " "upravovat /etc/racoon/racoon.conf ručně a možná také ručně pomocí setkey " "nastavit Security Policy Database (SPD)." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Racoon-tool byl aktualizován pro racoon verze 0.8.0 a slouží pro základní " "nastavení. Výhodou je, že umí spravovat SPD i IKE ze strongSwanu. Podporuje " "IPv6, transportní/tunelovací režim (ESP/AH), autentizaci PSK/X509 a základní " "„anonymní“ VPN server." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." 
msgstr "Více informací naleznete v /usr/share/doc/racoon/README.Debian." debian/po/fr.po0000644000000000000000000000663012000504522010546 0ustar # Translation of iodine debconf templates to French # Copyright (C) Sylvain Archenault # This file is distributed under the same license as the iodine package. # # Jean-Luc Coulon (f5ibh)" # Christian Perrier # et Denis Barbier # # Sylvain Archenault , 2005. # Christian Perrier , 2012. msgid "" msgstr "" "Project-Id-Version: fr\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-04 12:02-0600\n" "Last-Translator: Christian Perrier \n" "Language-Team: French \n" "Language: fr\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n > 1);\n" "X-Generator: Lokalize 1.4\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "Modification directe" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "Utilisation de racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Mode de configuration pour le démon IKE racoon :" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoon peut être configuré de deux façons, soit en modifiant directement le " "fichier /etc/racoon/racoon.conf, soit en utilisant l'outil d'administration " "racoon-tool." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. 
You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "Il est recommandé d'utiliser la méthode « directe » afin de pouvoir " "bénéficier des exemples d'utilisation de Racoon disponibles sur l'Internet " "et pour utiliser toutes les fonctionnalités de Racoon. Vous devrez alors " "modifier /etc/racoon/racoon.conf et éventuellement créer la base de données " "de politiques de sécurité avec setkey." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Racoon-tool a été mis à jour pour Racoon 0.8.0 et permet de créer des " "configurations de base. Il a l'avantage de gérer la base de données de " "politiques de sécurité en même temps que le protocole d'échange de clés " "(IKE) fourni par strongSwan. Il gère IPv6, le mode transport/tunnel (ESP/" "AH), l'authentification à clé pré-partagée PSK/X509 et un VPN « anonyme » " "simple." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Plus d'informations sont disponibles dans le fichier /usr/share/doc/racoon/" "README.Debian." debian/po/da.po0000644000000000000000000000570512000504522010525 0ustar # Danish translation ipsec-tools. # Copyright (C) 2010 ipsec-tools & nedenstående oversættere. # This file is distributed under the same license as the ipsec-tools package. # Joe Hansen , 2010, 2012. 
# msgid "" msgstr "" "Project-Id-Version: ipsec-tools\n" "Report-Msgid-Bugs-To: ipsec-tools@packages.debian.org\n" "POT-Creation-Date: 2012-06-30 16:16+0200\n" "PO-Revision-Date: 2012-07-03 17:30+01:00\n" "Last-Translator: Joe Hansen \n" "Language-Team: Danish \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "direct" msgstr "direkte" #. Type: select #. Choices #: ../racoon.templates:2001 msgid "racoon-tool" msgstr "racoon-tool" #. Type: select #. Description #: ../racoon.templates:2002 msgid "Configuration mode for racoon IKE daemon:" msgstr "Konfigurationstilstand for racoon IKE-dæmon:" #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon can be configured either directly, by editing /etc/racoon/racoon." "conf, or using the racoon-tool administrative front end." msgstr "" "Racoon kan konfigureres enten direkte, ved redigering af /etc/racoon/racoon." "conf, eller med brug af den administrative brugerflade til racoon-tool." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Use of the \"direct\" method is strongly recommended if you want to use all " "the racoon examples on the Net, and if you want to use the full racoon " "feature set. You will have to directly edit /etc/racoon/racoon.conf and " "possibly manually set up the Security Policy Database via setkey." msgstr "" "Brug af metoden »direkte« anbefales, hvis du ønsker at bruge alle " "racooneksemplerne på nettet, og hvis du ønsker at bruge det fulde " "funktionssæt for racoon. Du skal direkte redigere /etc/racoon/racoon.conf og " "muligvis manuelt opsætte Security Policy Database (database for " "sikkerhedspolitik) via setkey." #. Type: select #. Description #: ../racoon.templates:2002 msgid "" "Racoon-tool has been updated for racoon 0.8.0, and is for use in basic " "configuration setups. 
It gives the benefit of managing the SPD along with " "the IKE that strongSwan offers. IPv6, transport/tunnel mode (ESP/AH), PSK/" "X509 auth, and basic \"anonymous\" VPN server are supported." msgstr "" "Racoon-tool er blevet opdateret for racoon 0.8.0, og skal bruges i de " "grundlæggende konfigurationsopsætninger. Værktøjer giver mulighed for at " "håndtere SPD'en sammen med IKE'en som strongSwan tilbyder. IPv6, transport/" "tunnel tilstand (ESP/AH), PSK/X509 auth og grundlæggende »anonym« VPN-server " "er understøttet." #. Type: select #. Description #: ../racoon.templates:2002 msgid "More information is available in /usr/share/doc/racoon/README.Debian." msgstr "" "Yderligere information er tilgængelig i /usr/share/doc/racoon/README.Debian." debian/compat0000644000000000000000000000000211766214463010376 0ustar 7 debian/ipsec-tools.conf0000644000000000000000000000073111766214463012311 0ustar #!/usr/sbin/setkey -f # NOTE: Do not use this file if you use racoon with racoon-tool # utility. racoon-tool will setup SAs and SPDs automatically using # /etc/racoon/racoon-tool.conf configuration. # ## Flush the SAD and SPD # # flush; # spdflush; ## Some sample SPDs for use racoon # # spdadd 10.10.100.1 10.10.100.2 any -P out ipsec # esp/transport//require; # # spdadd 10.10.100.2 10.10.100.1 any -P in ipsec # esp/transport//require; # debian/racoon.config0000644000000000000000000000073011766214464011651 0ustar #!/bin/sh set -e CONFFILE=/etc/default/racoon # Source debconf library. . /usr/share/debconf/confmodule CONFIG_MODE="" if test -e "$CONFFILE"; then . "$CONFFILE" # Guard against admin writing silly things into the # config file... if test "$CONFIG_MODE" != "racoon-tool"; then db_set racoon/config_mode "direct" else db_set racoon/config_mode "racoon-tool" fi fi # Setup and select the configuration mode db_input high racoon/config_mode || true db_go debian/postrm0000644000000000000000000000163211766214464010452 0ustar #! 
/bin/sh # postrm script for ipsec-tools # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' overwrit>r> # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *) echo "postrm called with unknown argument \`$1'" >&2 exit 1 esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/racoon-tool.pl0000644000000000000000000022333411766214464012001 0ustar #!/usr/bin/perl -w # # Script for configuring linux 2.6.x IPSEC # # Copyright 2004 Matthew Grant, Catalyst IT Ltd, GPL2 # # Loads and unloads all modules needed for IPSEC # Writes configuration files for racoon # Administers SPD in kernel using setkey program # Basically imitates Free S/WAN without all the kludgy garbage... 
# We are only dealing with IP addresses use integer; sub mod_ls (); sub mod_load ($); sub mod_unload ($); sub usage (); sub mod_start(); sub mod_stop(); sub sad_flush(); sub spd_flush(); sub parse_config(); sub ipsec_start(); sub ipsec_stop(); sub ipsec_load(); sub spd_show(); sub sad_show(); sub parse_spd(\@\%); sub conn_dump_list(); sub peer_dump_list(); sub global_dump_list(); sub spd_dump_list(\@\%); sub prog_warn($$;$); sub prog_die($;$); sub match_spd_connection(\@\%); sub conn_down_handle($); sub conn_down (\@\%$;$$); sub conn_list($); sub log_backend(); sub conn_up_handle($); sub conn_menu($); sub racoon_write_config($$); sub racoon_configure(;$); sub prop_get_indexes (\%); sub prop_store_index (\%$); sub conn_reload_handle($); sub check_if_running (); sub racoon_start(); sub racoon_stop(); sub basename($$); sub dirname($); sub openlog($$$); sub syslog($$); if ($^O =~ /linux/i ) { $proc_modules = "/proc/modules"; $kver = `uname -r`; chomp $kver; $modpath = "/lib/modules/" . $kver; $modpath_ipsec = "$modpath/kernel/net/ipv4"; $modpath_ipsec6 = "$modpath/kernel/net/ipv6"; $modpath_xfrm = "$modpath/kernel/net/xfrm"; $modpath_key = "$modpath/kernel/net/key"; $modpath_crypto = "$modpath/kernel/crypto"; $modpath_zlib = "$modpath/kernel/lib/zlib_deflate"; $modext = ( $kver =~ /^2\.6\.|^3\./ ? 
".ko" : ".o" ); $proc_ipv4 = "/proc/sys/net/ipv4"; $proc_ipv6 = "/proc/sys/net/ipv6"; } # endif linux if ($^O =~ /linux|gnukfreebsd/i) { $setkey_cmd = "/usr/sbin/setkey"; $confdir = "/etc/racoon"; $vardir = "/var/lib/racoon"; $conffile = "${confdir}/racoon-tool.conf"; $conffiledir = "${confdir}/racoon-tool.conf.d"; $racoon_cmd = "/usr/sbin/racoon"; $less_cmd = "/usr/bin/less"; $more_cmd = "/bin/more"; } elsif ($^O =~ /freebsd/i) { $setkey_cmd = "/usr/local/sbin/setkey"; $confdir = "/usr/local/etc/racoon"; $vardir = "/var/db/racoon"; $conffile = "${confdir}/racoon-tool.conf"; $conffiledir = "${confdir}/racoon-tool.conf.d"; $racoon_cmd = "/usr/local/sbin/racoon"; $less_cmd = "/usr/bin/less"; $more_cmd = "/usr/bin/more"; } elsif ($^O =~ /netbsd/i) { # This set of paths is a guess, and needs confirmation $setkey_cmd = "/usr/sbin/setkey"; $confdir = "/etc/racoon"; $vardir = "/var/db/racoon"; $conffile = "${confdir}/racoon-tool.conf"; $conffiledir = "${confdir}/racoon-tool.conf.d"; $racoon_cmd = "/usr/sbin/racoon"; $less_cmd = "/usr/bin/less"; $more_cmd = "/usr/bin/more"; } else { prog_die("unsupported platform - '$^O'."); } # Some OS kernels need time for their SAD and SPD to settle. $quiesce = 0; if ($^O =~ /freebsd/i) { $quiesce = 1; # seconds } $pager_cmd = ( -x $less_cmd ? $less_cmd : $more_cmd ); @pager_flags = ( -x $less_cmd ? ( '-MMXEi' ): ()); # Handle BSD and SYSV ps... $ps_cmd = ($^O =~ /bsd/i ? "ps axc" : "ps -e"); $psf_cmd = ($^O =~ /bsd/i ? 
"ps axw" : "ps -eo pid,cmd"); %fmt = ( 'normal' => 1, 'brief' => 2, 'comma' => 3 ); $global_format = $fmt{'normal'}; local $proc_id = $$; $progname = basename($0, ""); $racoon_kill_delay = 25; # seconds # global settings hash my $global_proplist = 'path_pre_shared_key|path_certificate|path_script|path_racoon_conf|privsep|privsep_chroot|privsep_user|privsep_group|racoon_command|racoon_pid_file|log|listen\[[-_0-9a-z]+\]|complex_bundle'; my %global = ( 'path_pre_shared_key' => "$confdir/psk.txt", 'path_certificate' => "$confdir/certs", 'path_script' => "$confdir/scripts", 'path_racoon_conf' => "${vardir}/racoon.conf", 'privsep' => "off", 'privsep_chroot' => "/", 'privsep_user' => "racoon", 'privsep_group' => "racoon", 'racoon_command' => "${racoon_cmd} -f ___path_racoon_conf___", 'racoon_pid_file' => "/var/run/racoon.pid", ); # Peer related stuff my $peer_proplist = 'exchange_mode|encryption_algorithm\[[-_0-9a-z]+\]|hash_algorithm\[[-_0-9a-z]+\]|dh_group\[[-_0-9a-z]+\]|authentication_method\[[-_0-9a-z]+\]|remote_template|lifetime|verify_identifier|verify_cert|passive|generate_policy|my_identifier|peers_identifier|certificate_type|peers_certfile|support_mip6|send_cr|send_cert|initial_contact|proposal_check|nat_traversal|nonce_size'; my %peer_list = ( '%default' => { 'exchange_mode' => 'main', 'encryption_algorithm[0]' => '3des', 'hash_algorithm[0]' => 'sha1', 'dh_group[0]' => 'modp1024', 'authentication_method[0]' => 'pre_shared_key', 'remote_template' => '%default', # Initialised because proposal 0 is present 'pindexes' => [0] }, '%anonymous' => { 'passive' => 'on', 'generate_policy' => 'on' } ); # Connection related stuff my $conn_proplist = 
'src_range|dst_range|src_ip|dst_ip|src_port\[[-_0-9a-z]+\]|dst_port\[[-_0-9a-z]+\]|upperspec|encap|encap\[[-_0-9a-z]+\]|mode|level|level\[[-_0-9a-z]+\]|admin_status|spdadd_template|sadadd_template|sainfo_template|pfs_group|lifetime|encryption_algorithm|authentication_algorithm|compression|id_type|auto_ah_on_esp|always_ah_on_esp|policy|policy\[[-_0-9a-z]+\]';
# Properties every connection section must carry (checked by
# conn_check_required(), defined elsewhere in the file).
my @conn_required_props = ( 'src_ip', 'dst_ip');
# Connection defaults.  The '%default' entry is the base every connection
# inherits from; '%anonymous' is the catch-all responder entry and is
# disabled unless the configuration turns it on.
# NOTE(review): the phase 2 defaults below are the weakest values the
# syntax table in %prop_syntaxhash allows (modp1024 for PFS, hmac_md5 in
# the authentication list, 3des in the encryption list); a deployment
# should set these explicitly per connection.
# NOTE(review): 'policy' appears twice in the '%default' literal with the
# same value; the second occurrence wins, harmlessly.
my %connection_list = (
    '%default' => {
        'admin_status' => 'disabled',
        'upperspec' => 'any',
        'encap' => 'esp',
        'level' => 'unique',
        'policy' => 'ipsec',
        'spdadd_template' => '%default',
        'sadadd_template' => '%default',
        'sainfo_template' => '%default',
        'pfs_group' => 'modp1024',
        'encryption_algorithm' => 'aes,3des',
        'authentication_algorithm' => 'hmac_sha1,hmac_md5',
        'id_type' => 'address',
        'auto_ah_on_esp' => 'off',
        'always_ah_on_esp' => 'off',
        'policy' => 'ipsec'
    },
    '%anonymous' => { 'admin_status' => 'disabled' }
);
# Maps section -> property -> syntax type.  The type name is the key into
# %prop_syntaxhash (used for error messages) and, presumably, into
# check_property_syntax() which is defined elsewhere in the file.
my %prop_typehash = (
    'connection' => {
        'src_range' => 'range',
        'dst_range' => 'range',
        'src_ip' => 'ip',
        'dst_ip' => 'ip',
        'src_port' => 'port',
        'dst_port' => 'port',
        'upperspec' => 'upperspec',
        'encap' => 'encap',
        'level' => 'level',
        'mode' => 'mode',
        'admin_status' => 'boolean',
        'spdadd_template' => 'template_name',
        'sadadd_template' => 'template_name',
        'sainfo_template' => 'template_name',
        'pfs_group' => 'pfs_group',
        'lifetime' => 'lifetime',
        'encryption_algorithm' => 'phase2_encryption',
        'authentication_algorithm' => 'phase2_auth_algorithm',
        'compression' => 'boolean',
        'id_type' => 'id_type',
        'auto_ah_on_esp' => 'boolean',
        'always_ah_on_esp' => 'boolean',
        'policy' => 'policy',
    },
    'peer' => {
        'exchange_mode' => 'phase1_exchange_mode',
        'encryption_algorithm' => 'phase1_encryption',
        'hash_algorithm' => 'hash_algorithm',
        'dh_group' => 'dh_group',
        'authentication_method' => 'phase1_auth_method',
        'remote_template' => 'template_name',
        'lifetime' => 'lifetime',
        'verify_identifier' => 'switch',
        'verify_cert' => 'switch',
        'passive' => 'switch',
        'generate_policy' => 'switch',
        'initial_contact' => 'switch',
        'send_cr' => 'switch',
        'send_cert' => 'switch',
        'support_mip6' => 'switch',
        'my_identifier' => 'identifier',
        'peers_identifier' => 'identifier',
        'certificate_type' => 'certificate',
        'peers_certfile' => 'peers_certfile',
        'nonce_size' => 'nonce_size',
        'proposal_check' => 'proposal_check',
        'nat_traversal' => 'nat_traversal'
    },
    'global' => {
        'racoon_command' => 'shell_command',
        'racoon_pid_file' => 'path_generated_file',
        'path_pre_shared_key' => 'path_conf_file',
        'path_racoon_conf' => 'path_generated_file',
        'path_certificate' => 'path_certificate',
        'path_script' => 'path_script',
        'privsep' => 'boolean',
        'privsep_chroot' => 'path_chroot_dir',
        'privsep_user' => 'user',
        'privsep_group' => 'group',
        'log' => 'log',
        'listen' => 'listen',
        'complex_bundle' => 'switch'
    }
);
# Human-readable syntax for each type, used by error_getmsg().
# TODO(review): the key 'uppserspec' is misspelt; %prop_typehash maps the
# upperspec property to the type 'upperspec', so the lookup for it in
# error_getmsg() finds no entry.
my %prop_syntaxhash = (
    'range' => '{ip-address|ip-address/masklen|ip-address[port]|ip-address/masklen[port]}',
    'ip' => '{ip-address} - IPv4 or IPv6',
    'port' => '{[any]|[port]} - any or port number, []s required',
    'uppserspec' => '{protocol} - number or from /etc/protocols or any or icmp6',
    'encap' => '{ah|esp}',
    'mode' => '{tunnel|transport}',
    'boolean' => '{enabled|disabled|true|false|yes|no|up|down|on|off|0|1}',
    'template_name' => '{template-name} - can be %default or ^[-a-zA-Z0-9_]+',
    'level' => '{default|use|require|unique}',
    'phase1_exchange_mode' => '{main|aggressive|base}',
    'phase1_encryption' => '{des|3des|blowfish|cast128|aes|camellia}',
    'hash_algorithm' => '{md5|sha1|sha256|sha384|sha512}',
    'dh_group' => '{modp768|modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|1|2|5|14|15|16|17|18}',
    'pfs_group' => '{none|modp768|modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|1|2|5|14|15|16|17|18}',
    'phase1_auth_method' => '{pre_shared_key|rsasig}',
    'switch' => '{on|off}',
    'lifetime' => '{time} {integer} {hour|hours|min|mins|minutes|sec|secs|seconds}',
    'phase2_encryption' => '{des|3des|des_iv64|des_iv32|rc5|rc4|idea|3idea|cast128|blowfish|null_enc|twofish|rijndael|aes|camellia}',
    'phase2_auth_algorithm' => '{des|3des|des_iv64|des_iv32|hmac_md5|hmac_sha1|hmac_sha256|hmac_sha384|hmac_sha512|non_auth}',
    'identifier' => '{address [ip-address]|fqdn dns-name|user_fqdn user@dns-name|keyid file-name|asn1dn [asn1-name]}',
    'certificate' => '{x509 cert-file privkey-file}',
    'peers_certfile' => '{x509 cert-file|plain_rsa cert-file|dnssec}',
    'path_conf_file' => '{full-path-file-name}',
    'shell_command' => '{shell-command}',
    'path_generated_file' => '{full-path-file-name}',
    'path_certificate' => '{full-path-dir}',
    'path_script' => '{full-path-dir}',
    'log' => '{notify|debug|debug2}',
    'listen' => '{ip-address} [[port]]',
    'proposal_check' => '{obey|strict|claim|exact}',
    'nat_traversal' => '{on|off|force}',
    'nonce_size' => '{number} - between 8 and 256',
    'id_type' => '{address|subnet} - ID type of ISAKMP Phase II identifier',
    'policy' => '{discard|ipsec|none} - SPD policy',
    'path_chroot_dir' => '{full-path-chroot-dir} - racoon privsep chroot dir',
    'user' => '{system-user} - racoon privsep user',
    'group' => '{system-group} - racoon privsep group',
);
# Accepted spellings of a boolean property and their truth value.
my %bool_val = (
    'enabled' => 1, 'disabled' => 0,
    'true' => 1, 'false' => 0,
    'yes' => 1, 'no' => 0,
    'up' => 1, 'down' => 0,
    'on' => 1, 'off' => 0,
    '0' => 0, '1' =>1
);
# Default templates for spdadd and sadadd defined here.  Placeholders of
# the form ___name___ are replaced with connection/global property values
# by the racoon_fill_* functions below; the templates can be overridden
# from the configuration file (SPDADD(...):, SADADD(...):, ...).
my $sadadd_default = "";
my $spdadd_default = <<'EOF';
spdadd ___src_range___ ___dst_range___ ___upperspec___ -P out ipsec ___encap___/___mode___/___src_ip___-___dst_ip___/___level___;
spdadd ___dst_range___ ___src_range___ ___upperspec___ -P in ipsec ___encap___/___mode___/___dst_ip___-___src_ip___/___level___;
EOF
# Used when the connection's policy is not 'ipsec' (discard/none).
my $spdadd_alternate_policy = <<'EOF';
spdadd ___src_range___ ___dst_range___ ___upperspec___ -P out ___policy___;
spdadd ___dst_range___ ___src_range___ ___upperspec___ -P in ___policy___;
EOF
# Extra protocol bundles appended to the policy string (ipcomp, AH-on-ESP).
%spdadd_addons = (
    'ipcomp_in' => ' ipcomp/___mode___/___dst_ip___-___src_ip___/use',
    'ipcomp_out' => ' ipcomp/___mode___/___src_ip___-___dst_ip___/use',
    'ah_in' => ' ah/transport/___dst_ip___-___src_ip___/___level___',
    'ah_out' => ' ah/transport/___src_ip___-___dst_ip___/___level___'
);
# allow the following icmp control traffic
# - echo reply (0)
# - destination unreachable (3)
# - source quench (4)
# - echo request (8)
# - time exceeded (11)
# NOTE(review): these headers exempt all ICMP/ICMPv6 between the two
# subnets from IPsec ('-P ... none' at priority 1), not only the listed
# types; the transport-mode defaults below are built on top of them.
my $spdadd_ip4_header = << 'EOF';
spdadd ___src_subnet___ ___dst_subnet___ icmp -P out priority 1 none;
spdadd ___dst_subnet___ ___src_subnet___ icmp -P in priority 1 none;
EOF
my $spdadd_ip6_header = << 'EOF';
spdadd ___src_subnet___ ___dst_subnet___ icmp6 -P out priority 1 none;
spdadd ___dst_subnet___ ___src_subnet___ icmp6 -P in priority 1 none;
EOF
my $spdadd_transport_ip4_default = "$spdadd_ip4_header" . "$spdadd_default";
my $spdadd_transport_ip6_default = "$spdadd_ip6_header" . "$spdadd_default";
# Head of the generated racoon.conf; racoon_fill_init() appends the
# optional global items from %init_addons after the 'path certificate'
# line, one 'isakmp' line per listen[n] property, and the privsep block
# when the global privsep property is true.
my $racoon_init_default = <<"EOF";
path script ___path_script___;
path pre_shared_key ___path_pre_shared_key___;
path certificate ___path_certificate___;
EOF
%init_addons = (
    'log' => 'log ___log___;',
    'listen' => "listen {\n\tstrict_address;\n}",
    'isakmp' => 'isakmp ___listen___;',
    'complex_bundle' => 'complex_bundle ___complex_bundle___;'
);
my $racoon_privsep = <<'EOF';
privsep {
	chroot ___privsep_chroot___;
	user ___privsep_user___;
	group ___privsep_group___;
}
EOF
# Phase 1 'remote' clause; racoon_fill_remote() inserts the optional
# items from %remote_addons and one proposal block per proposal index
# directly after the opening 'remote ... {' line.
my $remote_default = <<'EOF';
remote ___dst_ip___ {
	exchange_mode ___exchange_mode___;
}
EOF
my $remote_proposal = <<'EOF';
	proposal {
		encryption_algorithm ___encryption_algorithm___;
		hash_algorithm ___hash_algorithm___;
		authentication_method ___authentication_method___;
		dh_group ___dh_group___;
	}
EOF
%remote_addons = (
    'verify_identifier' => 'verify_identifier ___verify_identifier___;',
    'verify_cert' => 'verify_cert ___verify_cert___;',
    'passive' => 'passive ___passive___;',
    'generate_policy' => 'generate_policy ___generate_policy___;',
    'my_identifier' => 'my_identifier ___my_identifier___;',
    'peers_identifier' => 'peers_identifier ___peers_identifier___;',
    'peers_certfile' => 'peers_certfile ___peers_certfile___;',
    'certificate_type' => 'certificate_type ___certificate_type___;',
    'lifetime' => 'lifetime ___lifetime___;',
    'initial_contact' => 'initial_contact ___initial_contact___;',
    'send_cr' => 'send_cr ___send_cr___;',
    'send_cert' => 'send_cert ___send_cert___;',
    'support_mip6' => 'support_mip6 ___support_mip6___;',
    'nonce_size' => 'nonce_size ___nonce_size___;',
    'proposal_check' => 'proposal_check ___proposal_check___;',
    'nat_traversal' => 'nat_traversal ___nat_traversal___;'
);
# Phase 2 'sainfo' clause; racoon_fill_sainfo() inserts the items from
# %sainfo_addons directly after the 'sainfo ...' line.  ___local_id___ and
# ___remote_id___ are not connection properties from the configuration;
# presumably conn_fillin_defaults() derives them - verify against that code.
my $sainfo_default = <<'EOF';
sainfo ___id_type___ ___local_id___ ___upperspec___ ___id_type___ ___remote_id___ ___upperspec___ {
	encryption_algorithm ___encryption_algorithm___;
	authentication_algorithm ___authentication_algorithm___;
	compression_algorithm deflate;
}
EOF
%sainfo_addons = (
    'pfs_group' => 'pfs_group ___pfs_group___;',
    'lifetime' => 'lifetime ___lifetime___;'
);
# Kernel modules handled by mod_start()/mod_stop()/mod_ls() (defined
# elsewhere in the file).
@modules = ();
@modules_ipsec = ('ah4', 'esp4', 'ipcomp');
@modules_ipsec6 = ('ah6', 'esp6', 'ipcomp6');
# Make stdout and stderr unbuffered
select STDERR; $| = 1;
select STDOUT; $| = 1;
# Make sure we are running as root.  Everything below (setkey, signalling
# racoon, writing racoon.conf) relies on this.
if ( $> != 0 ) {
    print STDERR "$progname: must be root to run this.\n";
    exit 1;
}
# 'Open' syslog
openlog ($progname, 'pid', 'daemon');
# Handle logging backend if '-l' switch given
log_backend ();
# See if we are already running...
check_if_running();
mod_ls();
# Read the configuration before the command verb is dispatched, so that
# every command sees the same %global/%connection_list/%peer_list.
parse_config();
# Command verbs that take one optional operand (connection name or 'all').
$have_1arg = "vpndown|vpnup|vpnreload|vpnlist|vpnmenu|vdown|vup|vreload|vlist|vmenu";
# Process command line...
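# Command verbs are case-insensitive: lower-case them once here.
foreach my $i ( 0..$#ARGV ) { $ARGV[$i] = lc $ARGV[$i]; }
# Dispatch.  Operand count is checked first: verbs listed in $have_1arg
# take at most one operand, every other verb takes none.  Most handlers
# exit() themselves; the ones that return fall out to 'exit 0'.
SWITCH: {
    !defined $ARGV[0] && do { usage (); exit 1; };
    $ARGV[0] =~ /^(${have_1arg})$/ && @ARGV > 2 && do { usage (); exit 1; };
    $ARGV[0] !~ /^(${have_1arg})$/ && @ARGV > 1 && do { usage (); exit 1; };
    $ARGV[0] =~ /^start$/ && do { ipsec_start (); last SWITCH; };
    $ARGV[0] =~ /^stop$/ && do { ipsec_stop (); last SWITCH; };
    $ARGV[0] =~ /^reload$/ && do { ipsec_load (); last SWITCH; };
    # @modules is cleared between stop and start so that mod_start() runs
    # again from an empty module list.
    $ARGV[0] =~ /^(restart|force-reload)$/ && do { ipsec_stop (); @modules = (); ipsec_start (); last SWITCH; };
    # Show the SAD
    $ARGV[0] =~ /^(sadshow|saddump|dump)$/ && do { sad_show (); last SWITCH; };
    # Show the SPD
    $ARGV[0] =~ /^(spdshow|spddump)$/ && do { spd_show (); last SWITCH; };
    # Flush the SAD
    $ARGV[0] =~ /^(sadflush|flush)$/ && do {
        print "Flushing SAD...\n";
        sad_flush ();
        print "SAD flushed.\n";
        prog_warn 'info', "manually flushed SAD";
        last SWITCH;
    };
    # Flush the SPD
    $ARGV[0] =~ /^spdflush$/ && do {
        print "Flushing SPD...\n";
        spd_flush ();
        print "SPD flushed.\n";
        prog_warn 'info', "manually flushed SPD";
        last SWITCH;
    };
    # Per-connection verbs; $ARGV[1] is the connection name, 'all', or undef.
    $ARGV[0] =~ /^(vpndown|vdown)$/ && do { conn_down_handle ($ARGV[1]); last SWITCH; };
    $ARGV[0] =~ /^(vpnmenu|vmenu)$/ && do { conn_menu ($ARGV[1]); last SWITCH; };
    $ARGV[0] =~ /^(vpnup|vup)$/ && do { conn_up_handle ($ARGV[1]); last SWITCH; };
    $ARGV[0] =~ /^(vpnreload|vreload)$/ && do { conn_reload_handle ($ARGV[1]); last SWITCH; };
    $ARGV[0] =~ /^(vpnlist|vlist)$/ && do { conn_list ($ARGV[1]); last SWITCH; };
    # Daemon-only verbs: leave the SPD/SAD alone.
    $ARGV[0] =~ /^(racoonstart|rstart)$/ && do { racoon_start(); last SWITCH; };
    $ARGV[0] =~ /^(racoonstop|rstop)$/ && do { racoon_stop(); last SWITCH; };
    usage ();
    exit 1;
};
exit 0;

# Functions start here

# Print the command synopsis to stderr.  Does not exit; callers do.
sub usage () {
    print STDERR "\n";
    print STDERR " Usage: $progname [-h] sadflush|spdflush|saddump|spddump\n";
    print STDERR " |reload|restart|force-reload|start|stop\n";
    print STDERR " $progname [-h] vpndown|vdown|vpnup|vup\n";
    print STDERR " |vpnreload|vreload connection-name|all\n";
    print STDERR " $progname [-h] vpnlist|vlist [connection-name|all]\n";
    print STDERR " $progname [-h] vpnmenu|vmenu\n";
    print STDERR " $progname [-h] racoonstart|racoonstop|rstart|rstop\n";
    print STDERR "\n";
};

# basename($name, $ext): last path component of $name with the suffix
# $ext removed.  $ext is interpolated into a regex, so it is a pattern,
# not a literal ('' removes nothing).
sub basename ($$) {
    my $name = shift;
    my $ext = shift;
    $name =~ s/^.*\/(.*)$/$1/;
    $name =~ s/^(.*)${ext}$/$1/;
    return $name;
}

# dirname($name): $name with its last path component removed; '/' maps
# to itself, and a name without a slash is returned unchanged.
sub dirname ($) {
    my $name = shift;
    if ( $name eq '/' ) { return $name; }
    $name =~ s/^(.*)\/(.*)$/$1/;
    return $name;
}

# openlog($ident, $logopt, $facility): record the syslog identity in %log
# and locate the logger(1) binary used by syslog() below.
# Fix: the original tested /usr/bin/logger, fell back to /bin/logger and
# then never re-tested it (the 'elsif' on the same variable was
# unreachable); now the fallback is checked and we die if neither exists.
sub openlog ($$$) {
    $log{'ident'} = shift;
    $log{'logopt'} = shift;
    $log{'facility'} = shift;
    my $logger = "/usr/bin/logger";
    if ( ! -x $logger ) {
        $logger = "/bin/logger";
        if ( ! -x $logger ) {
            die "$progname: cannot run $logger.\n";
        }
    }
    $log{'logger'} = $logger;
}

# syslog($priority, $msg): hand one message to logger(1).  The list form
# of system() is used, so $msg is passed as a single argument and never
# seen by a shell.
sub syslog ($$) {
    my $priority = shift;
    my $msg = shift;
    system("$log{'logger'}", '-p', "$log{'facility'}.${priority}",
           '-t', "$log{'ident'}\[${proc_id}\]", "$msg");
}

# Exit 2 if another instance of this program (by name, excluding our own
# pid) shows up in the output of $ps_cmd.
sub check_if_running () {
    my @pids = ();
    my @procs = grep /\b${progname}$/, (grep ! /^\s*${proc_id}\b/, `$ps_cmd`);
    foreach (@procs) {
        my @fields = split;
        if (!$fields[0]) { next; }
        push @pids, $fields[0];
    }
    if (@pids) {
        print STDERR "$progname: process(es) @pids are already running.\n";
        exit 2;
    }
}

# Return the pid(s) of racoon: the contents of the configured pid file
# when it exists, otherwise every pid whose command in $psf_cmd output
# starts with the racoon executable named in racoon_command.
# NOTE(review): the pid file is trusted as-is; a stale file yields pids
# that may belong to an unrelated process and the ps fallback is not
# consulted in that case.  The filehandle read on the original page had
# been stripped by the listing ('@pids = ( )'); it is restored here.
sub racoon_get_pids () {
    my @pids = ();
    my $cmd = '';
    my $pid_file = $global{'racoon_pid_file'};
    $cmd = $global{'racoon_command'};
    # First word of the command line is the executable.
    if ( $cmd =~ m/^(\S+).*$/ ) { $cmd = $1; }
    if ( -f $pid_file ) {
        if ( ! open PID, "$pid_file" ) {
            prog_die "cannot open $pid_file - $!";
        }
        @pids = <PID>;
        close PID;
        chomp @pids;
    } elsif ( scalar(@pids = grep m#${cmd}[\s\n]#s, (split /^/m, `$psf_cmd`)) ) {
        # Reduce each matching ps line to its leading pid.
        for (@pids) { s/^\s*([0-9]+)\s+.*$/$1/; }
    }
    return @pids;
}

# Replace every ___name___ placeholder in $stuff with the matching
# %global value (case-insensitive); keys such as listen[0] are escaped
# before being used as a pattern.
sub racoon_fill_command ($) {
    my $stuff = shift;
    foreach my $key (keys %global) {
        my $key_reg = $key;
        $key_reg =~ s/\[/\\[/g;
        $key_reg =~ s/\]/\\]/g;
        $stuff =~ s/___${key_reg}___/$global{"$key"}/img;
    }
    return $stuff;
}

# Start racoon with the configured racoon_command.  Exits 10 if a racoon
# pid is already alive, dies if no pid is found afterwards.
# NOTE(review): the command string is run through the shell by
# system(); it comes from the root-owned configuration (see the character
# whitelist in parse_config()), which is why that is acceptable here.
sub racoon_start () {
    my $running;
    my @pids = ();
    print "Starting IKE (ISAKMP/Oakley) server: ";
    # see if it is already running
    @pids = racoon_get_pids();
    if ( $running = kill ( '0', @pids ) ) {
        prog_warn 'warning', "racoon already running - exiting.", $fmt{'brief'};
        exit 10;
    }
    # Start it.
    my $stuff = racoon_fill_command ($global{'racoon_command'});
    system "$stuff";
    # See if it started
    @pids = racoon_get_pids();
    $running = @pids;
    if ( ! $running ) {
        prog_die "racoon did not start.";
    }
    print "racoon.\n";
    prog_warn 'info', "racoon started.";
}

# Stop racoon: SIGTERM, wait up to $racoon_kill_delay seconds, then
# SIGKILL whatever is still alive.
# Fix: SIGKILL is now sent only when a pid is still alive after the wait;
# the original sent it unconditionally, which races with pid reuse once
# racoon has already exited.
sub racoon_stop () {
    my @pids = ();
    my $running;
    print "Stopping IKE (ISAKMP/Oakley) server: ";
    # Find PIDs to use
    @pids = racoon_get_pids();
    # see if it is running
    $running = kill ('0', @pids );
    if ( ! $running ) {
        print "not found running.\n";
        return;
    }
    # kill -15 it
    $running = kill ( 'TERM', @pids );
    my $delay = $racoon_kill_delay;
    # Check if any still running; loop back to wait up to $racoon_kill_delay secs
    while ( ($running = kill ( '0', @pids )) && $delay) {
        sleep 1;
        $delay--;
    }
    # kill -9 whatever survived the grace period
    kill ( 'KILL', @pids ) if $running;
    print "racoon.\n";
    prog_warn 'info', "racoon stopped.";
}

# racoon_configure([$format]): regenerate racoon.conf from the kernel SPD
# and the configuration, flush the SAD and SIGHUP racoon.
# Returns 1 on success, 0 when racoon is not running, -1 when racoon was
# running before the HUP and is gone afterwards.
# NOTE(review): sad_flush() runs on every reconfigure, so all existing
# SAs (every established tunnel) are dropped and must renegotiate.
sub racoon_configure (;$) {
    my $format = shift;
    my @pids;
    my $running = 0;
    # Prepare new config file
    racoon_write_config ($global{'path_racoon_conf'}, $format);
    # HUP racoon to reconfigure it
    @pids = racoon_get_pids();
    $running = @pids;
    sad_flush();
    kill ( 'HUP', @pids );
    @pids = racoon_get_pids();
    if ($running && @pids < 1 ) {
        prog_warn 'err', "reconfiguring racoon failed - racoon died, check system logs.", $format;
        return -1;
    } elsif ( ! $running && @pids < 1) {
        prog_warn 'warning', "racoon not running.", $format;
        return 0;
    }
    return 1;
}

# racoon_fill_remote($peer): render the 'remote' clause for $peer from
# its remote_template.  With the %default template the optional items in
# %remote_addons and one proposal block per proposal index are inserted
# after the 'remote ... {' line; then every peer property is substituted
# for its ___name___ placeholder.  '%anonymous' renders as
# 'remote anonymous'.
sub racoon_fill_remote ($) {
    my $peer = shift;
    my $stuff;
    my $hndl = $peer_list{$peer};
    my $template = $hndl->{'remote_template'};
    $stuff = $remote{$template};
    if ( $template eq '%default' ) {
        foreach my $property ( keys %remote_addons ) {
            if (defined $hndl->{"$property"}) {
                $stuff =~ s/^(\s*remote.*{\s*)$/${1}\n\t${remote_addons{"$property"}}/m;
            }
        }
        my $pindexes = $hndl->{'pindexes'};
        foreach my $ind ( @$pindexes ) {
            my $to_add = $remote_proposal;
            # Point the proposal's placeholders at the indexed properties.
            $to_add =~ s/___(\S+)___/___$1\[$ind\]___/gm;
            $stuff =~ s/^(\s*remote.*{\s*)$/${1}\n${to_add}/m
        }
    }
    foreach my $key (keys %$hndl) {
        my $key_reg = $key;
        $key_reg =~ s/\[/\\[/g;
        $key_reg =~ s/\]/\\]/g;
        $stuff =~ s/___${key_reg}___/$$hndl{"$key"}/img;
    }
    if ($peer eq '%anonymous' && $template eq '%default' ) {
        $stuff =~ s/(remote\s+)\%anonymous/remote anonymous/
    }
    return $stuff;
}

# racoon_fill_sainfo($connection): render the 'sainfo' clause for
# $connection from its sainfo_template.  With the %default template the
# %sainfo_addons items are inserted after the 'sainfo' line (pfs_group is
# skipped when set to 'none'); then every connection property is
# substituted for its placeholder.  '%anonymous' renders as
# 'sainfo anonymous'.
# Fix: property keys are now quoted (\Q..\E) when used as a pattern, as
# racoon_fill_remote() already does, so indexed keys such as src_port[0]
# are matched literally rather than as a character class.
sub racoon_fill_sainfo ($) {
    my $connection = shift;
    my $stuff;
    my $hndl = $connection_list{$connection};
    my $template = $hndl->{'sainfo_template'};
    $stuff = $sainfo{$template};
    if ( $template eq '%default' ) {
        foreach my $property ( keys %sainfo_addons ) {
            next if $property eq "pfs_group"
                && defined $hndl->{'pfs_group'} && $hndl->{'pfs_group'} eq 'none';
            if ( defined $hndl->{"$property"} ) {
                $stuff =~ s/^(\s*sainfo.*)$/${1}\n\t${sainfo_addons{"$property"}}/m;
            }
        }
    }
    foreach my $key (keys %$hndl) {
        $stuff =~ s/___\Q${key}\E___/$$hndl{$key}/img;
    }
    if ($connection eq '%anonymous' && $template eq '%default' ) {
        $stuff =~ s/sainfo.*{/sainfo anonymous {/
    }
    return $stuff;
}

# Render the global head of racoon.conf from $racoon_init: each %global
# key that has an entry in %init_addons is inserted after the
# 'path certificate' line, one 'isakmp' line per listen[n] index is
# inserted inside the 'listen {' block, the privsep block is appended when
# the privsep property is true, and finally all ___name___ placeholders
# are substituted from %global.
# NOTE(review): with several listen[n] keys the 'listen' addon is inserted
# once per key (each insert replaces only the first match), so the
# generated file may hold more than one listen block - verify the output.
sub racoon_fill_init () {
    my $stuff = $racoon_init;
    foreach my $key ( keys %global ) {
        # Strip an index suffix so listen[0] selects the 'listen' addon.
        $key =~ s/^(\S+)\[[-0-9_a-z]+\]$/$1/i;
        if ( defined $init_addons{"$key"} ) {
            $stuff =~ s/^(\s*path certificate.*)$/${1}\n${init_addons{"$key"}}/m;
        }
    }
    my @indexes = prop_get_indexes ( %global );
    foreach my $ind ( @indexes ) {
        my $to_add = $init_addons{'isakmp'};
        $to_add =~ s/___(\S+)___/___$1\[$ind\]___/gm;
        $stuff =~ s/^(\s*listen.*{\s*)$/${1}\n\t${to_add}/m
    }
    if ( $bool_val{ $global{'privsep'} } != 0 ) {
        $stuff = $stuff . $racoon_privsep;
    }
    foreach my $key (keys %global) {
        my $key_reg = $key;
        $key_reg =~ s/\[/\\[/g;
        $key_reg =~ s/\]/\\]/g;
        $stuff =~ s/___${key_reg}___/$global{"$key"}/img;
    }
    return $stuff;
}

# racoon_write_config($file, $format): write a complete racoon.conf to
# $file.  Only connections that currently have entries in the kernel SPD
# (parse_spd()) get remote/sainfo clauses; one remote clause per distinct
# dst_ip and one sainfo clause per distinct local_id/remote_id pair.  The
# anonymous connection is emitted only when enabled and both its
# connection and peer entries are marked live.  $format is passed on to
# prog_die for message formatting.
# Fix: the hostname read from /bin/hostname is chomped so the comment
# header no longer contains an embedded newline.
# NOTE(review): the file is created with the process umask; the generated
# content references the pre-shared-key file by path and does not include
# its contents.
sub racoon_write_config ($$) {
    my $file = shift;
    my $format = shift;
    my @spd_list;
    my %conn_spd_hash;
    my @remote_done = ();
    my @sainfo_done = ();
    parse_spd (@spd_list, %conn_spd_hash);
    open (RCF, ">$file") or prog_die "can't open $file - $!", $format;
    # Pretty print comments...
    my $hostname = `/bin/hostname`;
    chomp $hostname;
    my $date = scalar localtime;
    print RCF <<"EOF";
#
# Racoon configuration for $hostname
# Generated on $date by $progname
#
EOF
    # Print out the racoon header
    print RCF "#\n# Global items\n#\n";
    my $stuff = racoon_fill_init();
    print RCF $stuff;
    foreach my $connection ( keys %conn_spd_hash ) {
        my $stuff = '';
        my $hndl = $connection_list{$connection};
        print RCF "#\n# Connection $connection\n#\n";
        # print remote clauses needed...
        my $dst_ip = $hndl->{'dst_ip'};
        if ( ! grep { $dst_ip eq $_ } @remote_done ) {
            push @remote_done, $dst_ip;
            $stuff = racoon_fill_remote($dst_ip);
            print RCF $stuff;
        }
        my $id_string = $hndl->{'local_id'} . '_' . $hndl->{'remote_id'};
        if ( grep { $id_string eq $_ } @sainfo_done) {
            print RCF "# using sainfo above here\n\n";
            next;
        }
        push @sainfo_done, $id_string;
        # print sainfo clauses needed...
        $stuff = racoon_fill_sainfo($connection);
        print RCF $stuff;
    }
    # Handle anonymous connection
    my $hndl = $connection_list{'%anonymous'};
    my $phndl = $peer_list{'%anonymous'};
    if ( defined $hndl && $hndl
         && defined $hndl->{'admin_status'} && $bool_val{"$hndl->{'admin_status'}"} != 0
         && $hndl->{'makelive'} != 0
         && defined $phndl && $phndl && $phndl->{'makelive'} != 0 ) {
        my $stuff = '';
        print RCF "#\n# Anonymous connection section\n#\n";
        $stuff = racoon_fill_remote('%anonymous');
        print RCF $stuff;
        $stuff = racoon_fill_sainfo('%anonymous');
        print RCF $stuff;
    }
    close RCF;
}

# When '-l' is among the arguments, act as a logging back end: relay each
# line read from standard input to the log as "setkey said: ..." and exit
# with 1 if anything was read, 0 otherwise.  Without '-l' this returns
# and normal processing continues.
# NOTE(review): the filehandle read had been stripped from the listing
# ('while ( )'); STDIN is the handle consistent with the '-l' usage.
sub log_backend () {
    foreach my $arg ( @ARGV ) {
        next if $arg ne '-l';
        my $error = 0;
        while ( <STDIN> ) {
            chomp;
            prog_warn 0, "setkey said: $_";
            $error = 1;
        }
        exit $error;
    }
}

# List all connections
# conn_list($pattern): print the configured connection names matching
# $pattern (undef or 'all' means every one, '%default' is never listed)
# through $pager_cmd.  Exits 1 when nothing matched, 0 otherwise.
# $pattern is used as a regular expression, so it selects by substring.
sub conn_list ($) {
    my $connection = shift;
    if ( ! defined $connection || $connection eq 'all' ) {
        $connection = '.*';
    }
    my @conns = grep /${connection}/, keys(%connection_list);
    @conns = grep !/^%default$/, @conns;
    open( PAGER, '|-' ) || exec ("$pager_cmd", @pager_flags);
    foreach my $conn ( @conns ) {
        print PAGER "$conn\n";
    }
    close PAGER or die "$progname: conn_list () - $pager_cmd failed - exit code " . ($? >> 8) . "\n";
    exit ( scalar(@conns) == 0 );
}

# Connection up
# conn_up_handle($connection): load one connection ('all': flush SPD and
# SAD and load everything) into the SPD and reconfigure racoon.  Exits 1
# on any failure, 0 on success; never returns.
sub conn_up_handle ($) {
    my $connection = shift;
    if (! defined $connection ) {
        usage ();
        exit 1;
    }
    if ( $connection eq 'all' ) {
        # Flush SPD and SAD
        ipsec_flush ();
        # Load the SPD
        spd_load();
        # Do dee racoon...
        exit 1 if racoon_configure() < 0;
        exit 0;
    }
    print "Starting VPN $connection...";
    # spd_load() return codes: 0 unknown, -1 syntax error, -2 already loaded
    if ((my $ret = spd_load($connection)) <= 0 ) {
        print "not found in configuration\n" if $ret == 0;
        print "syntax problem in configuration.\n" if $ret == -1;
        print "already in SPD.\n" if $ret == -2;
        exit 1;
    }
    # Do dee racoon...
    exit 1 if racoon_configure($fmt{'brief'}) < 0;
    print "done.\n";
    prog_warn 'info', "$connection started.";
    exit 0;
}

# Connection down
# conn_down_handle($connection): remove one connection ('all': flush SPD
# and SAD) from the SPD and reconfigure racoon.  Exits 1 when the name is
# not configured, 0 otherwise; never returns.
sub conn_down_handle ($) {
    my $connection = shift;
    my @spd_list;
    my %conn_spd_hash;
    if ( ! defined $connection ) {
        usage ();
        exit 1;
    }
    if ( $connection eq 'all' ) {
        # Flush SPD and SAD
        ipsec_flush ();
        # Do dee racoon...
        exit 1 if racoon_configure() < 0;
        exit 0;
    }
    print "Shutting down VPN $connection...";
    if ( ! grep /^${connection}$/, keys %connection_list) {
        print "not found in configuration.\n";
        exit 1;
    }
    # Read SPD list from kernel...
    parse_spd(@spd_list, %conn_spd_hash);
    if ( ! conn_down (@spd_list, %conn_spd_hash, $connection, 1) ) {
        print "not found in SPD.\n";
        exit 0;
    }
    print "done.\n";
    prog_warn 'info', "$connection shutdown.";
    exit 0
}

# conn_reload_handle($connection): take one connection down without
# touching racoon, load it again, then reconfigure racoon once.  'all'
# delegates to ipsec_load().  Never returns.
sub conn_reload_handle ($) {
    my $connection = shift;
    my @spd_list;
    my %conn_spd_hash;
    if ( ! defined $connection ) {
        usage ();
        exit 1;
    }
    if ( $connection eq 'all' ) {
        ipsec_load();
        exit 0;
    }
    print "Reloading VPN $connection...";
    if ( ! grep /^${connection}$/, keys %connection_list) {
        print "not found in configuration.\n";
        exit 1;
    }
    # Read SPD list from kernel...
    parse_spd(@spd_list, %conn_spd_hash);
    # Final argument suppresses the racoon reconfigure; it is done below.
    if ( ! conn_down (@spd_list, %conn_spd_hash, $connection, 1, 1) ) {
        print "not found in SPD, ";
    }
    if ((my $ret = spd_load($connection)) <= 0 ) {
        print "not found in configuration.\n" if $ret == 0;
        print "syntax problem in configuration.\n" if $ret == -1;
        print "already in SPD.\n" if $ret == -2;
        exit 1;
    }
    # Do dee racoon...
    exit 1 if racoon_configure($fmt{'brief'}) < 0;
    print "done.\n";
    prog_warn 'info', "$connection reloaded.";
    exit 0;
}

# Column header for the interactive SPD menu (4 lines).
sub spd_show_header () {
    print "Number Connection Name UpperSpec DirN\n";
    print " src_range\n";
    print " dst_range\n";
    print " policy\n";
}

# One SPD entry for the menu (4 lines): index, connection name if the
# entry was matched to one, upperspec, direction, then the selectors.
sub spd_show_entry ($) {
    my $entry = shift;
    my $conn_name;
    if (defined $$entry{'connection'}) {
        $conn_name = $$entry{'connection'};
    } else {
        $conn_name = '';
    }
    printf " %3.1d %-50s %-9s %-3s\n", $$entry{'index'}, $conn_name,
        $$entry{'upperspec'}, $$entry{'direction'};
    print " $$entry{'src_range'}\n";
    print " $$entry{'dst_range'}\n";
    print " $$entry{'policy'}\n";
}

# Menu prompt (2 lines).
sub spd_show_footer () {
    print "\n";
    print "Press for more, or enter number or VPN-name > ";
}

# conn_menu($term): interactive paged view of the kernel SPD, filtered by
# the regex $term against connection name and selectors.  An empty line
# pages forward, 'q' exits, and an entry number or connection name takes
# that connection down via conn_down().
# Fixes: 'my @deleted = ... if ...' (undefined behaviour in Perl) is split
# into declaration and conditional assignment; the loop index is lexical;
# the page size is an integer and at least 1, so a tiny or unknown
# terminal size can no longer produce a fractional index or a modulus by
# zero; paging stops at the end of the filtered list (@spd) rather than
# the unfiltered one.
# NOTE(review): the keypress read had been stripped from the listing
# ('while ( my $chars = )'); STDIN is restored here.
sub conn_menu ($) {
    my $term = shift;
    my @spd_list;
    my %conn_spd_hash;
    # Initialise the SPD data structure
    parse_spd(@spd_list, %conn_spd_hash);
    # Reverse dirN for better human recognition so that it is in config file order
    @spd_list = reverse @spd_list;
    my $pos = 0;
    my ($rows, $cols);
    my $do_fill = 0;
    $term = '.*' if ! defined $term;
    my @spd = grep {
        ( defined $$_{'connection'} && $$_{'connection'} =~ m/${term}/ )
        || $$_{'src_range'} =~ m/${term}/
        || $$_{'dst_range'} =~ m/${term}/
    } @spd_list;
    if ( ! @spd ) {
        print "No SPD entries found.\n";
        return;
    }
    REDRAW: while ($pos < @spd) {
        # get terminal size; header is 4 lines, footer 2, each entry 4
        ($rows, $cols) = split ' ', `stty size`;
        $rows = 0 if ! defined $rows;
        my $ntoshow = int(($rows - 7) / 4);
        $ntoshow = 1 if $ntoshow < 1;
        my $fill = $rows % $ntoshow;
        if ( ($pos +$ntoshow) > @spd) {
            $fill += 4*($pos + $ntoshow - @spd);
        }
        # display SPD list
        if ( $do_fill ) {
            foreach (0..$fill) { print "\n" };
        }
        $do_fill = 1;
        spd_show_header ();
        for (my $i = $pos; $i < ($pos + $ntoshow) && $i < @spd; $i++) {
            spd_show_entry ($spd[$i]);
        }
        spd_show_footer ();
        # wait for keypress
        while ( my $chars = <STDIN> ) {
            last if $chars =~ /^$/;
            $chars = lc $chars;
            exit 0 if $chars =~ /^q$/;
            chomp $chars;
            # Only names/numbers from the configured character set reach
            # conn_down(), where the name is interpolated into a regex.
            my @deleted = ();
            @deleted = conn_down(@spd_list, %conn_spd_hash, $chars)
                if $chars =~ /^[-0-9a-z_]+$/;
            if (! @deleted) {
                print "$chars does not exist or cannot be deleted.\n";
            } else {
                foreach my $i ( @deleted ) {
                    @spd = grep { $i != $$_{'index'} } @spd;
                    $pos -= 1 if $pos > 0;
                }
            }
            if ( ! @spd ) {
                print "No selected SPD entries left.\n";
                last REDRAW;
            }
            sleep 2;
            next REDRAW;
        }
        $pos += $ntoshow;
    }
}

# conn_down(\@spd_list, \%conn_spd_hash, $spd [, $conn_force [, $no_racoon]])
# Delete SPD entries through setkey.  $spd is a connection name, or an
# SPD index unless $conn_force is set; for an index that carries a
# connection name the whole connection is deleted.  Unless $no_racoon is
# set, racoon is reconfigured afterwards.  Returns the list of deleted
# SPD indexes (empty when nothing matched).
# NOTE(review): an index whose entry has no connection name deletes
# nothing and returns empty; the menu reports it as "cannot be deleted".
# This keeps the original behaviour, with the goto replaced by if/else
# and $connection made lexical (it was an undeclared global).
sub conn_down (\@\%$;$$) {
    my $spd_list = shift;
    my $conn_spd_hash = shift;
    my $spd = shift;
    my $conn_force = shift;
    my $no_racoon = shift;
    my @ret = ();
    my @spd_to_del = ();
    if ( $conn_force || $spd !~ m/^[0-9]+$/ ) {
        # Deal with a connection name
        @spd_to_del = keys %$conn_spd_hash;
        return @ret if @spd_to_del <= 0;
        return @ret if ! grep /^$spd$/, keys %$conn_spd_hash;
        @spd_to_del = @{ $conn_spd_hash->{$spd} };
        return @ret if @spd_to_del <= 0;
    } else {
        # Handle a connection number
        # Check that it exists
        return @ret if ! grep { $$_{'index'} == $spd } @$spd_list;
        # Follow up any connection name and add that one's entries
        my ($spdentry) = grep { $$_{'index'} == $spd } @$spd_list;
        if ( defined $$spdentry{'connection'} ) {
            my $connection = $$spdentry{'connection'};
            if ( @{ $conn_spd_hash->{$connection} } > 0 ) {
                push @spd_to_del, @{ $conn_spd_hash->{$connection} };
            }
        }
    }
    # Delete entries from SPD; setkey is exec'd directly (no shell).
    open( SETKEY, '|-') || exec ("$setkey_cmd", '-f', '/dev/stdin');
    foreach my $spdnum ( @spd_to_del ) {
        my ($spdentry) = grep { $$_{'index'} == $spdnum } @$spd_list;
        print SETKEY <<"EOF";
spddelete -n $$spdentry{'src_range'} $$spdentry{'dst_range'} $$spdentry{'upperspec'} -P $$spdentry{'direction'};
EOF
        push @ret, $spdnum;
    }
    close SETKEY or prog_die ("conn_down() - setkey connection deletion failed - exit code ". ($? >> 8) );
    sleep($quiesce) if ($quiesce > 0);
    # Deal with racoon
    if ( ! $no_racoon ) {
        racoon_configure();
    }
    return @ret;
}

# Process warning message
# prog_warn($level, $msg [, $format]): print $msg according to $format
# (%fmt: normal -> "$progname: msg" on stderr, brief -> msg on stdout,
# comma -> msg without trailing dot plus ", " on stdout) unless $level is
# 'info', then always send it to the log.  A false $level means
# 'warning'; a false $format means $global_format.
sub prog_warn($$;$) {
    my $level = shift;
    my $msg = shift;
    my $format = shift;
    $format = $global_format if ! $format;
    $level = 'warning' if ! $level;
    $msg =~ s/\t/ /g;
    if ( $level ne 'info' ) {
        if ( $format == $fmt{'normal'} ) {
            print STDERR "$progname: $msg\n"
        } elsif ( $format == $fmt{'brief'} ) {
            print STDOUT "${msg}\n";
        } elsif ( $format == $fmt{'comma'} ) {
            $msg =~ s/\.$//;
            print STDOUT "${msg}, ";
        }
    }
    # Kept from the original: '%' is doubled before logging.  syslog()
    # above passes the message as a plain argument to logger(1), so this
    # only matters if that back end changes to a printf-style call.
    $msg =~ s/%/%%/g;
    syslog ($level, "$msg");
}

# prog_die($msg [, $format]): report $msg at level 'err' and exit 255.
sub prog_die($;$) {
    my $msg = shift;
    my $format = shift;
    prog_warn 'err', $msg, $format;
    exit 255;
}

# Dump read in SPD list (debugging aid: prints every entry's fields and
# the connection -> indexes map).
sub spd_dump_list (\@\%) {
    my $spd_list = shift;
    my $conn_spd_hash = shift;
    for my $spd ( @$spd_list ) {
        print "{ ";
        for my $val ( keys %$spd ) {
            print "$val=$spd->{$val} ";
        }
        print "}\n";
    }
    for my $conn ( keys(%$conn_spd_hash) ) {
        print "$conn: @{ $conn_spd_hash->{$conn} }\n";
    }
}

# Parse SPD to produce SPD list
# parse_spd(\@spd_list, \%conn_spd_hash): run "$setkey_cmd -PD" and fill
# @spd_list with one hash per policy (src_range, dst_range, upperspec,
# direction, policy), then let match_spd_connection() attach connection
# names and build %conn_spd_hash.  Each policy is two lines of setkey
# output: the selector line, then the "in|out|fwd ... ipsec|none|discard"
# line.
# Fix: the direction/policy line is now checked to have matched; the
# original pushed the entry with whatever $1/$3 were left from the
# previous policy.  Unparsed lines are reported and skipped.
# NOTE(review): the filehandle read had been stripped from the listing
# ('while (my $line = )'); SETKEY is restored here.
sub parse_spd (\@\%) {
    my $spd_list = shift;
    my $conn_spd_hash = shift;
    my $src_range;
    my $dst_range;
    my $upperspec;
    my $direction;
    my $policy;
    my $onespd_flag = 0;
    @$spd_list = ();
    # setkey is exec'd directly (no shell).
    open (SETKEY, '-|') || exec ($setkey_cmd, '-PD');
    while (my $line = <SETKEY>) {
        if ( $line =~ m/^\s*([0-9a-fny\.\:\/\[\]]+)\s+([0-9a-fny\.\:\/\[\]]+)\s+([-0-9a-z]+)\s*$/ ){
            $src_range = $1;
            $dst_range = $2;
            $upperspec = $3;
            # For Linux
            $upperspec = 'any' if ($upperspec eq '255');
            $onespd_flag = 1
        } elsif ($onespd_flag > 0) {
            $onespd_flag = 0;
            if ( $line =~ m/^\s*(in|out|fwd)\s+(prio)?.*\s?(ipsec|none|discard)\s*$/ ) {
                $direction = $1;
                $policy = $3;
            } else {
                my $bad = $line;
                chomp $bad;
                prog_warn 0, "parse_spd() - unrecognised SPD policy line: $bad";
                next;
            }
            push @$spd_list, {
                'src_range', $src_range,
                'dst_range', $dst_range,
                'upperspec', $upperspec,
                'direction', $direction,
                'policy', $policy
            };
        }
    }
    close (SETKEY) or prog_die "parse_spd() - can't parse SPD - exit code " . ($? >> 8);
    # match the SPD policies to configuration data.
    match_spd_connection (@$spd_list, %$conn_spd_hash);
}

# spd_ranges_match($spd, $src, $dst): true when SPD entry $spd carries the
# selectors $src/$dst in the orientation implied by its direction: 'out'
# matches src->dst, 'in' and 'fwd' match the reverse.  Extracted from
# match_spd_connection(), where the same three-way test was repeated.
sub spd_ranges_match {
    my ($spd, $src, $dst) = @_;
    my $dir = $spd->{'direction'};
    return 1 if $dir eq 'out'
        && $spd->{'src_range'} eq $src && $spd->{'dst_range'} eq $dst;
    return 1 if ($dir eq 'in' || $dir eq 'fwd')
        && $spd->{'dst_range'} eq $src && $spd->{'src_range'} eq $dst;
    return 0;
}

# match_spd_connection(\@spd_list, \%conn_spd_hash): number each SPD
# entry ('index' = position in @spd_list) and, for every configured
# connection with src_ip and dst_ip, tag entries whose selectors match
# the connection's ranges (indexed src_range[n]/dst_range[n], the plain
# src_range/dst_range, or the src_subnet/dst_subnet pair for the
# none/discard bypass policies).  %conn_spd_hash maps connection name to
# the list of matching indexes.
sub match_spd_connection (\@\%) {
    my $spd_list = shift;
    my $conn_spd_hash = shift;
    my $index = 0;
    %$conn_spd_hash = ();
    foreach my $spd ( @$spd_list ) {
        $spd->{'index'} = $index;
        # Loop over connection list to find connection name
        foreach my $connection ( keys %connection_list ) {
            next if "$connection" eq '%default';
            next if ! defined $connection_list{$connection}{'src_ip'};
            next if ! defined $connection_list{$connection}{'dst_ip'};
            # Quick handle - read only
            my $chndl = $connection_list{$connection};
            # Below covers ipsec and none
            my $pindexes = $chndl->{'pindexes'};
            foreach my $ind (@$pindexes) {
                if ( $spd->{'upperspec'} eq $chndl->{'upperspec'}
                     && spd_ranges_match($spd, $chndl->{"src_range[${ind}]"}, $chndl->{"dst_range[${ind}]"}) ) {
                    $spd->{'connection'} = $connection;
                    push @{ $conn_spd_hash->{$connection} }, $index;
                }
            }
            # Match for non-multi SPD connections, and for the subnet
            # bypass entries (policy none/discard, any upperspec).
            if ( ( $spd->{'upperspec'} eq $chndl->{'upperspec'}
                   && spd_ranges_match($spd, $chndl->{'src_range'}, $chndl->{'dst_range'}) )
                 || ( $spd->{'policy'} =~ m/^(none|discard)$/
                      && spd_ranges_match($spd, $chndl->{'src_subnet'}, $chndl->{'dst_subnet'}) ) ) {
                $spd->{'connection'} = $connection;
                push @{ $conn_spd_hash->{$connection} }, $index;
            }
        }
        $index ++;
    }
}

# start: modules, clean SPD/SAD, load policies, start racoon.
sub ipsec_start () {
    mod_start ();
    ipsec_flush ();
    ipsec_load ();
    racoon_start();
}

# stop: reverse order of ipsec_start().
sub ipsec_stop () {
    racoon_stop();
    ipsec_flush ();
    mod_stop ();
}

# load: run the SAD/SPD init templates, load every enabled connection
# and reconfigure racoon.  Exits 1 if racoon died on reconfigure;
# returns 1 otherwise.
sub ipsec_load () {
    print "Loading SAD and SPD...\n";
    sad_init ();
    spd_init ();
    spd_load();
    print "SAD and SPD loaded.\n";
    prog_warn 'info', "loaded SAD and SPD.";
    print "Configuring racoon...";
    exit 1 if racoon_configure($fmt{'brief'}) < 0;
    print "done.\n";
    prog_warn 'info', "configured racoon.";
    return 1;
}

# flush: drop every SA and every policy from the kernel.
sub ipsec_flush () {
    print "Flushing SAD and SPD...\n";
    # Flush the SAD
    sad_flush ();
    # Flush the SPD
    spd_flush ();
    print "SAD and SPD flushed.\n";
    prog_warn 'info', "flushed SAD and SPD.";
}

# Read configuration
# parse_config(): read $conffile followed by the *.conf files in
# $conffiledir, filling %spdadd/%sadadd/%remote/%sainfo (templates),
# $sadinit/$spdinit/$racoon_init, %connection_list, %peer_list and
# %global; then apply the built-in template defaults and call the
# fillin/check helpers defined elsewhere in the file.  Later files and
# later lines override earlier ones.
# Fixes: the conf.d filter used 'not A or B', which admitted every
# directory entry except . and .. (editor backups, *.dpkg-* copies and
# the like were parsed as live configuration); it now admits only names
# ending in .conf, sorted so the override order is deterministic.  The
# line counter is reset per file so messages name the right line.  The
# unrecognised-global-tag messages interpolated the undefined scalar
# $global and began with " - "; they now read "global - ...".
# NOTE(review): the character whitelist below is the only filter applied
# to values before they are expanded into setkey input, racoon.conf and
# (racoon_command) a shell command line; ';', '(' and ')' pass it, so the
# configuration files must stay writable by root only.
sub parse_config () {
    my $line = 0;
    my $barf = 0;
    my $section = "";
    my $connection = "";
    my $peer = "";
    my @conffiles = ();
    if (-e "$conffiledir") {
        opendir(CONFDIR, $conffiledir) || prog_die "can't open $conffiledir - $!";
        @conffiles = sort grep { !/^\.{1,2}\z/ && /^.*\.conf$/ } readdir(CONFDIR);
        @conffiles = map { $conffiledir . '/' . $_ } @conffiles;
        closedir CONFDIR;
    }
    unshift @conffiles, $conffile;
    CF: for my $cf (@conffiles) {
        # next CF if ( not -r $cf );
        $line = 0;
        open(CONF, "< $cf") || prog_die "can't open $cf - $!";
        LINE: while (<CONF>) {
            $line +=1;
            # Deal with blank lines
            if ( m/^\s*$/) { next LINE; }
            # Comments
            if ( m/^[ \t]*#.*$/ ) { next LINE; }
            # Comments at the end of lines
            if ( m/^([^#]*)#.*$/ ) { $_ = $1; }
            chomp;
            # Character whitelist: anything else is reported and skipped.
            if (! m/^[-\"{}()\[\]_;\%\@\w\s.:\/=]+$/) {
                prog_warn 0, "bad data in $cf, line $line:";
                prog_warn 0, $_;
                # $barf = 1;
                next LINE;
            }
            # Template lines: each TAG(name): line appends to that template.
            if ( m/^\s*SPDADD\((\%default|[-_a-z0-9]+)\):([\S \t]*)$/i ) {
                $spdadd{"$1"} .= $2 . "\n";
                next LINE;
            } elsif ( m/^\s*SPDADD_TRANSPORT_IP4\((\%transport_ip4_default|[-_a-z0-9]+)\):([\S \t]*)$/i ) {
                $spdadd{"$1"} .= $2 . "\n";
                next LINE;
            } elsif ( m/^\s*SPDADD_TRANSPORT_IP6\((\%transport_ip6_default|[-_a-z0-9]+)\):([\S \t]*)$/i ) {
                $spdadd{"$1"} .= $2 . "\n";
                next LINE;
            } elsif ( m/^\s*SADADD\((\%default|[-_a-z0-9]+)\):([\S \t]*)$/i ) {
                $sadadd{"$1"} .= $2 . "\n";
                next LINE;
            } elsif ( m/^\s*REMOTE\((\%default|[-_a-z0-9]+)\):([\S \t]*)$/i ) {
                $remote{"$1"} .= $2 . "\n";
                next LINE;
            } elsif ( m/^\s*SAINFO\((\%default|[-_a-z0-9]+)\):([\S \t]*)$/i ) {
                $sainfo{"$1"} .= $2 . "\n";
                next LINE;
            } elsif ( m/^\s*SADINIT:([\S \t]*)$/i ) {
                $sadinit .= $1 . "\n";
                next LINE;
            } elsif ( m/^\s*SPDINIT:([\S \t]*)$/i ) {
                $spdinit .= $1 . "\n";
                next LINE;
            } elsif ( m/^\s*RACOONINIT:([\S \t]*)$/i ) {
                $racoon_init .= $1 . "\n";
                next LINE;
            # Section headers
            } elsif ( m/^\s*CONNECTION\((\%default|\%anonymous|[-_a-z0-9]+)\):\s*$/i ) {
                $section = 'connection';
                $connection = lc $1;
                # Make place holder so that error message gets generated
                $connection_list{$connection}{'makelive'} = 0;
                next LINE;
            } elsif ( m/^\s*PEER\((\%default|\%anonymous|[a-f0-9:\.]+)\):\s*$/i ) {
                $peer = lc $1;
                if ( $peer ne '%default' && $peer ne '%anonymous' && ! ip_check_syntax ($peer)) {
                    prog_warn 0, "unrecognised tag in $cf, line $line:";
                    prog_warn 0, "$_";
                    prog_warn 0, "invalid peer name - $peer";
                    next LINE;
                }
                $section = 'peer';
                # Make place holder so that error message gets generated
                $peer_list{$peer}{'makelive'} = 0;
                next LINE;
            } elsif ( m/^\s*GLOBAL:\s*$/i ) {
                $section = 'global';
                next LINE;
            # Properties within the current section
            } elsif ( $section eq 'connection' && m/^\s*($conn_proplist):\s*(.+)\s*$/i ) {
                my $property = lc $1;
                my $value = $2;
                $value =~ s/^(.*\S)\s*$/$1/;
                if ( ! check_property_syntax($section, $property, $value) ) {
                    prog_warn 0, "$connection - unrecognised connection property syntax.";
                    prog_warn 0, "$connection - file $cf, line $line:";
                    prog_warn 0, error_getmsg($section, $property);
                    prog_warn 0, $_;
                    $connection_list{$connection}{'syntax_error'} = 1;
                    next LINE;
                }
                $value = value_lc($section, $property, $value);
                # Keep list of spd indexes for ordering
                prop_store_index(%{ $connection_list{$connection} }, $property);
                $connection_list{$connection}{$property} = $value;
            } elsif ( $section eq 'connection' ) {
                prog_warn 0, "$connection - unrecognised tag in $cf, line $line:";
                prog_warn 0, $_;
                prog_warn 0, "$connection - allowed tags are $conn_proplist";
                $connection_list{$connection}{'syntax_error'} = 1;
                next LINE;
            } elsif ( $section eq 'peer' && m/^\s*($peer_proplist):\s*(.+)\s*$/i ) {
                my $property = lc $1;
                my $value = $2;
                $value =~ s/^(.*\S)\s*$/$1/;
                if ( ! check_property_syntax($section, $property, $value) ) {
                    prog_warn 0, "$peer - unrecognised peer property syntax or unreadable file(s).";
                    prog_warn 0, "$peer - file $cf, line $line:";
                    prog_warn 0, error_getmsg($section, $property);
                    prog_warn 0, $_;
                    $peer_list{$peer}{'syntax_error'} = 1;
                    next LINE;
                }
                # Keep list of proposal indexes for ordering
                prop_store_index(%{ $peer_list{$peer} }, $property);
                # Peer values keep their case (identifiers, file names):
                # $value = value_lc($section, $property, $value);
                $peer_list{$peer}{$property} = $value;
            } elsif ( $section eq 'peer' ) {
                prog_warn 0, "$peer - unrecognised tag in $cf, line $line:";
                prog_warn 0, $_;
                prog_warn 0, "$peer - allowed tags are $peer_proplist";
                $peer_list{$peer}{'syntax_error'} = 1;
                next LINE;
            } elsif ( $section eq 'global' && m /^\s*($global_proplist):\s*(.+)\s*$/i ) {
                my $property = lc $1;
                my $value = $2;
                $value =~ s/^(.*\S)\s*$/$1/;
                if (! check_property_syntax($section, $property, $value)) {
                    prog_warn 0, "global - unrecognised global property syntax, non existent user/group or unreadable file(s).";
                    prog_warn 0, "global - file $cf, line $line:";
                    prog_warn 0, error_getmsg($section, $property);
                    prog_warn 0, $_;
                    prog_warn 0, "global - allowed tags are $global_proplist";
                    $global{'deadly_error'} = 1;
                    next LINE;
                }
                $value = value_lc($section, $property, $value);
                $global{$property} = $value;
            } elsif ( $section eq 'global' ) {
                # NOTE(review): unlike the bad-syntax case above this does not
                # set 'deadly_error'; kept as in the original.
                prog_warn 0, "global - unrecognised tag in $cf, line $line:";
                prog_warn 0, $_;
                prog_warn 0, "global - allowed tags are $global_proplist";
            } else {
                prog_warn 0, "unrecognised tag in $cf, line $line:";
                prog_warn 0, $_;
                next LINE;
            }
        }
        close (CONF);
    }
    if ( $barf ) {
        exit 1;
    }
    # apply defaults
    $spdadd{'%default'} = $spdadd_default if ( ! defined $spdadd{'%default'} );
    $spdadd{'%transport_ip4_default'} = $spdadd_transport_ip4_default if ( ! defined $spdadd{'%transport_ip4_default'} );
    $spdadd{'%transport_ip6_default'} = $spdadd_transport_ip6_default if ( ! defined $spdadd{'%transport_ip6_default'} );
    $sadadd{'%default'} = $sadadd_default if ( !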
defined $sadadd{'%default'} ); $remote{'%default'} = $remote_default if ( ! defined $remote{'%default'} ); $sainfo{'%default'} = $sainfo_default if ( ! defined $sainfo{'%default'} ); $racoon_init = $racoon_init_default if ( ! defined $racoon_init ); global_fillin_defaults(); conn_fillin_defaults(); peer_fillin_defaults(); peer_check_required(); conn_check_required(); global_check_required(); }; # Lower case value function sub value_lc ($$$) { my $section = shift; my $property = shift; my $value = shift; my $ptype = get_proptype($section, $property); if ( $ptype eq 'path_conf_file' ) { $value = $value; } elsif ( $ptype eq 'path_generated_file' ) { $value = $value; } elsif ( $ptype eq 'path_chroot_dir' ) { $value = $value; } elsif ( $ptype eq 'user' ) { $value = $value; } elsif ( $ptype eq 'group' ) { $value = $value; } elsif ( $ptype eq 'shell_command' ) { $value = $value; } elsif ( $ptype eq 'path_certificate' ) { $value = $value; } elsif ( $ptype eq 'certificate' ) { if ( $value =~ m/^\s*x509\s+(\S+)\s+(\S+)\s*$/i ) { $value = "x509 $1 $2"; } } elsif ( $ptype =~ 'peers_certfile' ) { if ( $value =~ m/^\s*dnssec\s*$/i ) { $value = "dnssec"; } elsif ( $value =~ m/^\s*(plain_rsa|x509)\s+(\S+)\s*$/i ) { $value = "$1 $2"; } } elsif ( $ptype eq 'identity' ) { if ( $value =~ m/^\s*keyid\s+(\S+)\s*$/i ) { $value = "keyid $1" } } else { $value = lc $value; } return $value; } # Error mesage lookups sub error_getmsg ($$) { my $section = shift; my $property = shift; my $ptype = get_proptype($section, $property); return "$property only takes $prop_syntaxhash{$ptype}"; } #Fill in global defaults sub global_fillin_defaults () { foreach $prop ('path_pre_shared_key', 'path_certificate', 'path_script', 'privsep_chroot', 'privsep_user', 'privsep_group' ) { if ( defined $global{$prop} && $global{$prop} =~ m/^"?(\S+)"?$/i ) { $global{$prop} = "\"${1}\""; } } foreach $prop ('path_racoon_conf', 'racoon_command', 'racoon_pid_file') { if ( defined $global{$prop} && $global{$prop} =~ 
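m/^"(\S+)"$/i ) {
            $global{$prop} = "${1}";
        }
    }
}

# Abort the run when the GLOBAL: section carried an unrecoverable
# property error (the parser sets 'deadly_error' when a global property
# failed check_property_syntax).  Exits with status 10.
sub global_check_required () {
    if ( $global{'deadly_error'} ) {
        prog_warn 'err', "deadly error in global configuration - exiting.";
        exit 10;
    }
}

# Check the syntax of an IP address literal.
#
# Returns 1 for a dotted-quad IPv4 address whose four octets are each in
# 0-255, or for a colon-separated IPv6 literal whose groups are each at
# most four hex digits.  The IPv6 pattern insists on a leading hex group,
# so forms that start with '::' (e.g. '::1') do not match here; the
# 'range' check special-cases a bare '::' itself.  Returns 0 otherwise.
sub ip_check_syntax ($) {
    my $ip = shift;
    if ( $ip =~ m/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/ ) {
        return 1 if ( $1 >=0 && $1 <= 255 && $2 >= 0 && $2 <= 255 && $3 >= 0 && $3 <= 255 && $4 >= 0 && $4 <= 255 );
    } elsif ( $ip =~ m/^[0-9a-f]{1,4}:[0-9a-f:]*:[0-9a-f]{0,4}$/i ) {
        my @dbytes = split /:/, $ip;
        my $valid = 1;
        foreach my $v ( @dbytes ) {
            # Empty groups come from '::'; every other group must be
            # 1-4 hex digits.  The former extra clause
            # '&& $v < 0 && $v > 0xffff' could never be true, so
            # over-long groups were silently accepted.
            if ( $v ne '' && $v !~ m/^[0-9a-f]{1,4}$/i ) {
                $valid = 0;
            }
        }
        return 1 if $valid;
    }
    return 0;
}

# Look up the syntax type of a property.  An index suffix such as
# 'src_port[1]' is stripped first so indexed properties share the type
# of their base name.  Returns the %prop_typehash entry for the
# section/property pair, or undef when there is none.
sub get_proptype($$) {
    my $section = shift;
    my $property = shift;
    my $ptype;
    if ( $property =~ m/^(.*)\[[-_0-9a-z]+\]$/ ) {
        $property = $1;
    }
    $ptype = $prop_typehash{$section}{$property};
    return $ptype;
}

# Validate a property value against its syntax type.
#
# Arguments: section name, property name, value (the parser has already
# trimmed trailing whitespace).  Returns 1 when the value is acceptable
# and 0 otherwise; a match failure in any branch falls through to the
# final 'return 0', and several branches emit a prog_warn saying why
# the value was rejected.  Matching is case-insensitive; the parser
# normalises accepted values with value_lc afterwards where it wants to.
sub check_property_syntax ($$$) {
    my $section = shift;
    my $property = shift;
    my $value = shift;
    my ($protoname, $protoaliases, $protonumber);
    my $ptype;
    $ptype = get_proptype($section,$property);
    if ( $ptype eq 'boolean' ) {
        $value =~ m/^(enabled|disabled|true|false|up|down|on|off|yes|no|0|1)$/i && return 1;
    } elsif ( $ptype eq 'id_type' ) {
        $value =~ m/^(address|subnet)$/i && return 1;
    } elsif ( $ptype eq 'encap' ) {
        $value =~ m/^(ah|esp)$/i && return 1;
    } elsif ( $ptype eq 'mode' ) {
        $value =~ m/^(transport|tunnel)$/i && return 1;
    } elsif ( $ptype eq 'template_name' ) {
        $value =~ m/^(%default|[-a-z0-9_]+)$/i && return 1;
    } elsif ( $ptype eq 'phase1_exchange_mode' ) {
        $value =~ m/^((main|aggressive|base),? 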
?){1,3}$/i && return 1; } elsif ( $ptype eq 'phase1_encryption' ) { $value =~ m/^(des|3des|blowfish|cast128|aes|camellia)$/i && return 1; } elsif ( $ptype eq 'hash_algorithm' ) { $value =~ m/^(md5|sha1|sha256|sha384|sha512)$/i && return 1; } elsif ( $ptype eq 'phase1_auth_method' ) { $value =~ m/^(pre_shared_key|rsasig)$/i && return 1; } elsif ( $ptype eq 'switch' ) { $value =~ m/^(on|off)$/i && return 1; } elsif ( $ptype eq 'lifetime' ) { $value =~ m/^time\s+[0-9]+\s+(hour|hours|min|mins|minutes|sec|secs|seconds)$/i && return 1; } elsif ( $ptype eq 'phase2_encryption' ) { $value =~ m/^((des|3des|des_iv64|des_iv32|rc5|rc4|idea|3idea|cast128|blowfish|null_enc|twofish|rijndael|aes|camellia),? ?)+$/i && return 1; } elsif ( $ptype eq 'phase2_auth_algorithm' ) { $value =~ m/^((des|3des|des_iv64|des_iv32|hmac_md5|hmac_sha1|hmac_sha256|hmac_sha384|hmac_sha512|non_auth),? ?)+$/i && return 1; } elsif ( $ptype eq 'dh_group' ) { $value =~ m/^(modp768|modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|1|2|5|14|15|16|17|18)$/i && return 1; } elsif ( $ptype eq 'pfs_group' ) { $value =~ m/^(none|modp768|modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192|1|2|5|14|15|16|17|18)$/i && return 1; } elsif ( $ptype eq 'level') { $value =~ m/^(default|use|require|unique)$/i && return 1; } elsif ( $ptype eq 'log') { $value =~ m/^(notify|debug|debug2)$/i && return 1; } elsif ( $ptype eq 'proposal_check' ) { $value =~ m/^(obey|strict|claim|exact)$/i && return 1; } elsif ( $ptype eq 'nat_traversal' ) { $value =~ m/^(on|off|force)$/i && return 1; } elsif ( $ptype eq 'policy' ) { $value =~ m/^(discard|ipsec|none)$/i && return 1; } elsif ( $ptype =~ 'nonce_size' ) { $value =~ m/^[0-9]{1,3}$/ && $value >= 8 && $value <= 256 && return 1; } elsif ( $ptype eq 'listen' ) { if ( $value =~ m/^[0-9a-f:\.]+$/i ) { return ip_check_syntax( $value ); } if ( $value =~ m/^([0-9a-f:\.]+)\s+\[([0-9]{1,5})\]$/i ) { my $ip = $1; my $port = $2; return 0 if ! 
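ip_check_syntax ( $ip );
            return 0 if $port !~ m/^[0-9]{1,5}$/;
            return 1;
        }
        return 0;
    } elsif ( $ptype eq 'shell_command' ) {
        # The first word must be an executable file; the pattern also
        # requires at least one whitespace-separated argument after it,
        # so a bare command name is rejected.  The arguments themselves
        # are not inspected.
        if ( $value =~ m/^"?([\S]+)\s+.*"?$/i ) {
            if ( ! -x $1 ) {
                prog_warn 'err', "$property - cannot execute $1";
                return 0;
            }
            return 1;
        }
        return 0;
    } elsif ( $ptype =~ m/^(group|user)$/ ){
        # Only plain account names are accepted.  global_fillin_defaults
        # later wraps these values in double quotes for the generated
        # configuration, so a name containing quotes, whitespace or
        # other punctuation is rejected here before the NSS lookup.
        # (This branch used to 'return 1' for a malformed name, which
        # accepted it without ever checking that the account exists.)
        if ( $value !~ m/^[-_0-9a-zA-Z]+$/i ) {
            return 0;
        }
        # getgrnam/getpwnam in scalar context yield the gid/uid, which
        # may legitimately be 0, or undef when the name is unknown.
        if ( $ptype eq 'group' && defined getgrnam($value) ) {
            return 1;
        }
        if ( $ptype eq 'user' && defined getpwnam($value) ) {
            return 1;
        }
        return 0;
    } elsif ( $ptype eq 'path_conf_file' ) {
        if ( $value =~ m/^\"?([^\"\s]+)\"?$/i ) {
            if ( ! -r $1 ) {
                prog_warn 0, "$property - cannot read file $1";
                return 0;
            }
            return 1;
        }
        return 0;
    } elsif ( $ptype =~ m/^(path_generated_file|path_chroot_dir)$/ ) {
        # Only the parent directory is checked (it must exist and be
        # readable); the path itself is presumably created later.
        if ( $value =~ m/^\"?([^\"\s]+)\"?$/i ) {
            my $dir = dirname($1);
            if ( ! defined $dir || $dir eq '' ) {
                prog_warn 0, "$property - directory does not exist";
                return 0;
            }
            if ( ! -r $dir ) {
                prog_warn 0, "$property - cannot access directory $dir";
                return 0;
            }
            return 1;
        }
        return 0;
    } elsif ( $ptype eq 'path_certificate' ) {
        if ( $value =~ m/^\"?([^\"\s]+)\"?$/i ) {
            if ( ! -r $1 ) {
                prog_warn 0, "$property - cannot read directory $1";
                return 0;
            }
            return 1;
        }
        return 0;
    } elsif ( $ptype eq 'peers_certfile' ){
        # TODO - do we need do something extra for plain_rsa?
        $value =~ m/^(dnssec|plain_rsa)$/i && return 1;
        # An x509 file name is resolved under the global path_certificate
        # as parsed so far; if the GLOBAL: section has not been read yet
        # that prefix is empty and the lookup happens against '/'.
        if ( $value =~ m/^x509\s+\"?([^\"\s]+)\"?\s*$/i ) {
            if (-r "$global{'path_certificate'}/$1") {
                return 1;
            } else {
                prog_warn 0, "$property - cannot read $global{'path_certificate'}/$1";
                return 0;
            }
        }
        return 0;
    } elsif ( $ptype eq 'certificate' ) {
        # 'x509 <certfile> <keyfile>': both files must be readable under
        # the global path_certificate (same caveat as peers_certfile).
        if ( $value =~ m/^x509\s+\"?([^\"\s]+)\"?\s+\"?([^\"\s]+)\"?\s*$/i ) {
            if ( ! -r "$global{'path_certificate'}/$1" ) {
                prog_warn 0, "$property - cannot read $global{'path_certificate'}/$1";
                return 0;
            }
            if ( ! 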
-r "$global{'path_certificate'}/$2" ) { prog_warn 0, "$property - cannot read $global{'path_certificate'}/$2"; return 0; } return 1; } return 0; } elsif ( $ptype eq 'identifier' ) { if ( $value =~ m/^address\s*$/i ) { return 1; } if ( $value =~ m/^address\s+([0-9a-f:\.]+)\s*$/i ) { local $ip = $1; return ip_check_syntax($ip); } if ( $value =~ m/^fqdn\s+"?([-a-z0-9\._]+)"?\s*$/i ) { return 1; } if ( $value =~ m/^user_fqdn\s+"?([-a-z0-9\.\@_]+)"?\s*$/i ) { return 1; } if ( $value =~ m/^asn1dn\s+"?([-a-z0-9\.\@_\s\\\/='\[\]]+)"?\s*$/i ) { return 1; } if ( $value =~ m/^asn1dn\s*$/i ) { return 1; } if ( $value =~ m/^keyid\s+\"?(\/[^\"\s]+)\"?$/i ) { if ( -r $1 ) { return 1; } else { prog_warn 0, "$property - cannot read $1"; return 0; } } return 0; } elsif ( $ptype eq 'upperspec' ) { if ( ($protoname, $protoaliases, $protonumber ) = getprotobyname $value ) { return 1; } $value =~ m/^(any|icmp6)$/i && return 1; if ( $value =~ m/^icmp6[ \t]+([0-9]{1,3})$/i ) { return 1 if ( $1 >= 0 && $1 <= 255 ); } if ( $value =~ m/^icmp6[ \t]+([0-9]{1,3}),([0-9]{1,3})$/i ) { return 1 if ( $1 >= 0 && $1 <= 255 && $2 >= 0 && $2 <= 255 ); } if ( $value =~ m/[0-9]{1,5}/ && $value > 0 && $value <= 65535 ) { return 1; } return 0 } elsif ( $ptype eq 'ip' ) { return ip_check_syntax($value); } elsif ( $ptype eq 'port' ) { my $port; if ( $port = getservbyname ($value, '' )) { return 1; } if ($value =~ m/^\[?(any|[0-9]{1,5})\]?$/i ) { $port = $1; } else { return 0; } if ( $port ne 'any' ) { return 0 if ( $port < 0 || $port > 65535 ); } return 1; } elsif ( $ptype eq 'range' ) { my $valid = 1; my ($ip, $mask, $port, $type); # make sure we have only 1 slash; return 0 if $value =~ m/^.*\/.*\/.*$/; # Split range into address, mask and port if ( $value !~ m/^.*\[(any|[0-9]{1,5})\]$/i ) { $value .= "[any]"; } if ( $value =~ m/^(.*)\/([0-9]{1,5})\[(any|[0-9]{1,5})\]$/i ) { $ip = $1; $mask = $2; $port = $3; } elsif ( $value =~ m/^(.*)\[(any|[0-9]{1,5})\]$/i ) { $ip = $1; $mask = 255; $port = $2; } elsif ( 
$value =~ m/^(.*)$/i ) { $ip = $1; $mask = 255; $port = 'any'; } else { return 0; } # Work out type of IP address if ( $ip =~ m/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/ ) { $type = 'ipv4'; } elsif ( $ip =~ m/^::$|^[0-9a-f]{1,4}:[0-9a-f:]*:[0-9a-f]{0,4}$/i ) { $type = 'ipv6'; } else { return 0; } # Check IP address if ( ! ip_check_syntax($ip) && $ip ne '::' ) { $valid = 0; } # Check mask if ( $mask != 255 ) { if ( $type eq 'ipv4') { $valid = 0 if ( $mask < 0 || $mask > 32 ); } else { $valid = 0 if ( $mask < 0 || $mask > 128 ); } } # Check port if ( $port ne 'any' ) { $valid = 0 if ( $port < 0 || $port > 65535 ); } return $valid; } else { return 0; } return 0; } # Check for required parameters for activation sub conn_check_required () { foreach my $connection ( keys %connection_list ) { my $makelive = 1; my $chndl = $connection_list{$connection}; next if $connection eq '%default'; if ( $connection ne '%anonymous' ) { foreach my $property ( @conn_required_props ) { $makelive = 0 if ! defined $chndl->{$property}; } # Check that address families of src_range and dst_range match my $src_range_iptype = $chndl->{'src_range_iptype'}; my $dst_range_iptype = $chndl->{'dst_range_iptype'}; if ($src_range_iptype ne $dst_range_iptype) { prog_warn 0, "$connection - src_range '${src_range_iptype}' does not match dst_range '${dst_range_iptype}'."; $makelive = 0; } # Check that address families of dst_ip and src_ip match my $src_ip_iptype = $chndl->{'src_ip_iptype'}; my $dst_ip_iptype = $chndl->{'dst_ip_iptype'}; if ($src_ip_iptype ne $dst_ip_iptype) { prog_warn 0, "$connection - src_ip '${src_ip_iptype}' does not match dst_ip '${dst_ip_iptype}'."; $makelive = 0; } # check peer my $dst_ip = $chndl->{'dst_ip'}; if ( ! defined $dst_ip || ! defined $peer_list{$dst_ip} || ! defined $peer_list{$dst_ip}{'makelive'} || $peer_list{$dst_ip}{'makelive'} == 0 ) { $makelive = 0; } } $makelive = 0 if ( $chndl->{'syntax_error'} ); if (! 
$makelive) { prog_warn 0, "$connection - required parameters missing, peer missing or syntax error."; prog_warn 0, "$connection - not activating."; $chndl->{'makelive'} = 0; next; } $chndl->{'makelive'} = 1; } } # Translate /etc/services name to port sub getportnum($) { my $port = shift; my $value; if ($port =~ m/^(any|\[any\])$/ ) { return $port; } if ($value = getservbyname( $port, '')){ return $value; } return $port; } # Fill in default missing parameters sub conn_fillin_defaults () { foreach my $connection ( keys %connection_list ) { next if $connection eq '%default'; my $chndl = $connection_list{$connection}; foreach my $property ( keys %{ $connection_list{'%default'} } ) { if ( ! defined $chndl->{$property} ) { $chndl->{$property} = $connection_list{'%default'}{$property}; } } next if ! defined $chndl->{'src_ip'}; next if ! defined $chndl->{'dst_ip'}; # Set up default values for range and ID if they do not exist already foreach my $p ( 'src', 'dst' ) { if ( ! defined $chndl->{"${p}_range"} ) { $chndl->{"${p}_range"} = $chndl->{"${p}_ip"}; } if ( $chndl->{"${p}_range"} !~ m/^.*\[(any|[0-9]{1,5})\]$/ ) { $chndl->{"${p}_range"} .= "[any]"; } # Remove full length netmasks to avoid confusing things... if ($chndl->{"${p}_range"} =~ m/^[0-9]{1,3}\./) { $chndl->{"${p}_range"} =~ s/\/32//; $chndl->{"${p}_range_iptype"} = 'ip4'; } elsif ($chndl->{"${p}_range"} =~ m/^([0-9a-f]{1,4}:|::)/) { $chndl->{"${p}_range"} =~ s/\/128//; $chndl->{"${p}_range_iptype"} = 'ip6'; } # Record IP types if dst_ip and src_ip if ($chndl->{"${p}_ip"} =~ m/^[0-9]{1,3}\./) { $chndl->{"${p}_ip_iptype"} = 'ip4'; } elsif ($chndl->{"${p}_ip"} =~ m/^([0-9a-f]{1,4}:|::)/) { $chndl->{"${p}_ip_iptype"} = 'ip6'; } } # Work out IDs for use with racoon configuration # Remove any port information as racoon sees it as duplicate sainfo... 
my $local_id = $chndl->{'src_range'}; $local_id =~ m/^(\S+)(\[(any|[0-9]{1,5}|[-0-9a-z]+)\])$/; my $src_port = $2; $local_id = $1; $chndl->{'local_id'} = $local_id; $chndl->{'src_subnet'} = $local_id; $chndl->{'src_port'} = getportnum($src_port); my $remote_id = $chndl->{'dst_range'}; $remote_id =~ m/^(\S+)(\[(any|[0-9]{1,5}|[-0-9a-z]+)\])$/; my $dst_port = $2; $remote_id = $1; $chndl->{'remote_id'} = $remote_id; $chndl->{'dst_subnet'} = $remote_id; $chndl->{'dst_port'} = getportnum($dst_port); # Set the mode appropriately if not already set if ( !defined $chndl->{'mode'} ) { if ( $chndl->{'src_range'} eq $chndl->{'src_ip'} . "[any]" && $chndl->{'dst_range'} eq $chndl->{'dst_ip'} . "[any]" ) { $chndl->{'mode'} = 'transport'; } else { $chndl->{'mode'} = 'tunnel'; } } # Deal with SPD port rules my $pindexes = $chndl->{'pindexes'} ; # Work out if this is a multi SPD connection if ( ! scalar(@$pindexes)) { $chndl->{'multi_spd'} = 0; next; } $chndl->{'multi_spd'} = 1; foreach my $ind ( @$pindexes ) { # fill in missing ports, and add missing '[]'s foreach my $p ( 'src', 'dst' ) { my $pname = "${p}_port" . "[${ind}]"; $chndl->{$pname} = '[any]' if ( ! defined $chndl->{$pname} ); $chndl->{$pname} = getportnum($chndl->{$pname}); $chndl->{$pname} =~ s/^(any|[0-9]{1,5})$/[${1}]/; $chndl->{"${p}_range[${ind}]"} = $chndl->{"${p}_subnet"} . $chndl->{"${p}_port[${ind}]"}; } foreach my $p ( 'level', 'encap', 'policy' ) { my $pname = "${p}" . "[${ind}]"; $chndl->{$pname} = $chndl->{$p} if ( ! defined $chndl->{$pname} ); } } } } sub prop_get_indexes (\%) { my $hndl = shift; my %tmp; my @keys = keys %$hndl; @keys = grep /^.*\[[-_0-9a-z]+\]$/, @keys; map { s/^.*\[([-_0-9a-z]+)\]$/$1/; } @keys; $tmp{$_} = 1 foreach (@keys); @keys = reverse (sort (keys (%tmp))); return @keys; } sub prop_store_index (\%$) { my $hndl = shift; my $property = shift; if ( ! 
defined $hndl->{'pindexes'} ) { $hndl->{'pindexes'} = []; } if ($property =~ m/^\S+\[([-_0-9a-z]+)\]$/) { $pindex = $1; return if ( grep { $_ eq $pindex} @{ $hndl->{'pindexes'}}); push @{ $hndl->{'pindexes'} }, $pindex; } } sub peer_fillin_defaults () { # Copy default to defined peers my $dhndl = $peer_list{'%default'}; foreach my $peer ( keys %peer_list ) { next if $peer eq '%default'; my $phndl = $peer_list{$peer}; foreach my $property ( keys %{ $dhndl } ) { if ( ! defined $phndl->{$property} ) { $phndl->{$property} = $dhndl->{$property}; } prop_store_index(%{ $phndl }, $property) } } foreach my $peer ( keys %peer_list ) { my $phndl = $peer_list{$peer}; # Fill in all proposals... my $pindexes = $phndl->{'pindexes'}; foreach my $property ( grep { $_ = $1 if /^(.*)\[[-_0-9a-z]+\]$/; } keys %$dhndl ) { foreach my $ind ( @$pindexes ) { next if $peer eq '%default' && $ind == 0; my $name = "$property" . '[' . "$ind" . "]"; my $dname = "$property" . '[0]'; if ( ! defined $phndl->{"$name"} ) { $phndl->{"$name"} = $dhndl->{"$dname"} } } } } # If a peer does not exist, create it from %default my @peers = keys %peer_list; foreach my $connection ( keys %connection_list ) { next if $connection eq '%default'; my $conn_hndl = $connection_list{$connection}; next if ! defined $conn_hndl->{'dst_ip'}; my $ip_addr = $conn_hndl->{'dst_ip'}; next if grep { $ip_addr eq $_ } @peers; foreach my $element ( keys %{ $peer_list{'%default'} } ) { $peer_list{$ip_addr}{$element} = $peer_list{'%default'}{$element}; } } # fill in dst_ip property if not already done... foreach my $peer ( keys %peer_list ) { next if $peer eq '%default'; $peer_list{$peer}{'dst_ip'} = $peer; } # Fix up missing " ... foreach my $peer ( keys %peer_list ) { my $phndl = $peer_list{$peer}; foreach my $prop ( 'my_identifier', 'peers_identifier', 'certificate_type', 'peers_certfile') { my $ptype = get_proptype('peer', "$prop"); next if ! 
defined $phndl->{"$prop"}; my $value = $phndl->{"$prop"}; if ( $ptype eq 'peers_certfile' ){ next if $value =~ m/^dnssec$/i; if ( $value =~ m/^(x509|plain_rsa)\s+\"?(\S+)\"?\s*$/i ) { $phndl->{"$prop"} = "$1" . ' "' . "$2" . '"'; } } elsif ( $ptype eq 'certificate' ) { if ( $value =~ m/^x509\s+\"?(\S+)\"?\s+\"?(\S+)\"?\s*$/ ) { $phndl->{"$prop"} = "x509 " . '"' . $1 . '" "' . $2 . '"'; } } elsif ( $ptype eq 'identifier' ) { next if $value =~ m/^address\s*$/i; next if $value =~ m/^asn1dn\s*$/i; if ( $value =~ m/^address\s+([0-9a-f:\.]+)\s*$/i ) { $phndl->{"$prop"} = "address $1"; } if ( $value =~ m/^fqdn\s+"?([-a-z0-9\._]+)"?\s*$/i ) { $phndl->{"$prop"} = "fqdn " . '"' . $1 . '"'; } if ( $value =~ m/^user_fqdn\s+"?([-a-z0-9\.\@_]+)"?\s*$/i ) { $phndl->{"$prop"} = "user_fqdn " . '"' . $1 . '"'; } if ( $value =~ m/^asn1dn\s+"?([-a-z0-9\.\@_\s\\\/='\[\]]+)"?\s*$/i ) { $phndl->{"$prop"} = "asn1dn " . '"' . $1 . '"'; } if ( $value =~ m/^keyid\s+"?(\/\S+)"?$/i ) { $phndl->{"$prop"} = "keyid " . '"' . $1 . '"'; } } } } } sub peer_check_required () { # For now, every peer has required values... PEER: foreach my $peer ( keys %peer_list ) { my $makelive = 1; next PEER if $peer eq '%default'; $makelive = 0 if ( $peer_list{$peer}{'syntax_error'} ); if (! 
$makelive) { prog_warn 0, "$peer - required parameters missing or syntax error."; prog_warn 0, "$peer - not activating."; $peer_list{$peer}{'makelive'} = 0; next PEER; } $peer_list{$peer}{'makelive'} = 1; } } # print connection output sub global_dump_list () { print "global: "; foreach my $prop ( keys %global ) { print "$prop=$global{$prop} "; } print "\n"; } sub peer_dump_list () { foreach my $peer ( keys %peer_list ) { print "$peer: "; foreach my $property ( keys %{ $peer_list{$peer} } ) { print "$property=$peer_list{$peer}{$property} "; } print "\n"; } } sub conn_dump_list () { foreach my $connection ( keys %connection_list ) { print "$connection: "; foreach my $property ( keys %{ $connection_list{$connection} } ) { print "$property=$connection_list{$connection}{$property} "; } print "\n"; } } # setup the kernel sub setkey_start () { # Flush and reinit kernel sadspd_reset(); # Load all peers } sub setkey_stop () { # Flush kernel spd_flush(); sad_flush(); } # Reset SAD and SPD sub spd_reset () { spd_flush (); spd_init (); } sub sad_reset () { sad_flush (); sad_init (); } # Fill in spdadd command sub spd_fill_add ($) { my $connection = shift; my $stuff; my $hndl = $connection_list{$connection}; $stuff = $spdadd{$$hndl{'spdadd_template'}}; # We only do interesting things on %default templates if ($hndl->{'spdadd_template'} eq '%default') { my $pindexes = $hndl->{'pindexes'}; my $multi_spd = scalar( @$pindexes ); if ($multi_spd > 0) { if ($hndl->{'src_range_iptype'} eq 'ip4') { $stuff = $spdadd_ip4_header; } elsif ($hndl->{'src_range_iptype'} eq 'ip6') { $stuff = $spdadd_ip6_header; } # Build multi SPD template foreach my $ind ( @$pindexes ) { my $to_add; my $pname = "policy[${ind}]"; if ($hndl->{$pname} eq 'ipsec') { $to_add = $spdadd_default; } else { $to_add = $spdadd_alternate_policy; } $to_add =~ s/___(encap|level|policy|src_range|dst_range)___/___$1\[$ind\]___/gm; $stuff .= $to_add; } } else { # Original non-multi SPD template action # Use transport template 
if needed if ($hndl->{'mode'} eq 'transport' && $hndl->{'upperspec'} eq 'any' && $hndl->{'src_range'} =~ m/^.*\[any\]$/ && $hndl->{'dst_range'} =~ m/^.*\[any\]$/) { if ($hndl->{'src_range_iptype'} eq 'ip4') { $stuff = $spdadd{'%transport_ip4_default'}; } elsif ($hndl->{'src_range_iptype'} eq 'ip6') { $stuff = $spdadd{'%transport_ip6_default'}; } } } # # Do fill in AH header if asked for. if ($hndl->{'encap'} eq 'esp' && ($hndl->{'mode'} eq 'transport' && $bool_val{"$hndl->{'auto_ah_on_esp'}"} != 0 || $bool_val{"$hndl->{'always_ah_on_esp'}"} != 0)) { $stuff =~ s/^(\s*spdadd.*out ipsec\s*\n.*);$/${1}\n${spdadd_addons{'ah_out'}};/mg; $stuff =~ s/^(\s*spdadd.*in ipsec\s*\n.*);$/${1}\n${spdadd_addons{'ah_in'}};/mg; } # # Do fill in values for compression if (defined $hndl->{'compression'} && $bool_val{"$hndl->{'compression'}"} != 0) { $stuff =~ s/^(\s*spdadd.*out ipsec\s*)$/${1}\n${spdadd_addons{'ipcomp_out'}}/mg; $stuff =~ s/^(\s*spdadd.*in ipsec\s*)$/${1}\n${spdadd_addons{'ipcomp_in'}}/mg; } } foreach my $key (keys %$hndl) { my $key_reg = $key; $key_reg =~ s/\[/\\[/g; $key_reg =~ s/\]/\\]/g; $stuff =~ s/___${key_reg}___/$$hndl{"$key"}/img; } # # spd priority only supported on Linux kernels if (($^O !~ /linux/i) && ($hndl->{'spdadd_template'} eq '%default') ) { $stuff =~ s/^(\s*spdadd.*(in|out))\s+prio.*(ipsec|discard;|none;)$/${1} ${3}/mg; } return $stuff; } # Load the SPD sub spd_load (;$) { my $conn = shift; my $setkey_buffer = ''; my @conns = (); my @spd_list; my %conn_spd_hash; parse_spd(@spd_list, %conn_spd_hash); if ( defined $conn ) { return 0 if ( ! grep /^${conn}$/, (keys %connection_list) ); return -1 if ( ! 
$connection_list{$conn}{'makelive'} ); return -2 if ( grep /^${conn}$/, keys %conn_spd_hash ); @conns = ( $conn ); } else { @conns = keys %connection_list; } open ( SETKEY, '|-' ) || exec ("$setkey_cmd -f /dev/stdin 2>&1 | $0 -l" ); for my $connection ( @conns ) { next if $connection eq '%default'; next if $connection eq '%anonymous'; next if grep /^${connection}$/, keys %conn_spd_hash; my $hndl = $connection_list{$connection}; next if ! $$hndl{'makelive'}; next if ! $bool_val{$$hndl{'admin_status'}}; my $stuff = spd_fill_add ($connection); $setkey_buffer .= $stuff. "\n"; print SETKEY <<"EOF"; $stuff EOF } close SETKEY; my $err = $?; if ( $err ) { my $i = 1; foreach my $line ( split /^/m, $setkey_buffer ) { chomp $line; prog_warn 0, "setkey input: $i $line"; $i++; } prog_die "loading SPD failed - exit code " . ($err >> 8); } sleep($quiesce) if ($quiesce > 0); return 1; } # Initialise the SPD sub spd_init() { open ( SETKEY, '|-' ) || exec ($setkey_cmd, '-f', '/dev/stdin'); $spdinit = '' if ! defined $spdinit; print SETKEY <<"EOF"; spdflush; $spdinit EOF close SETKEY or prog_die "initialising SPD failed - exit code " . ($? >> 8); sleep($quiesce) if ($quiesce > 0); return 1; } # Initialise the SAD sub sad_init() { open ( SETKEY, '|-' ) || exec ($setkey_cmd, '-f', '/dev/stdin'); $sadinit = '' if ! defined $sadinit; print SETKEY <<"EOF"; $sadinit EOF close SETKEY or prog_die "initialising SPD failed - exit code " . ($? 
>> 8); sleep($quiesce) if ($quiesce > 0); return 1; } # Flush the SAD sub sad_flush () { setkey_flush('SAD'); } # Flush the SPD sub spd_flush() { setkey_flush('SPD'); } sub setkey_flush ($) { my $table = shift; my $cleanret = 0; my $arg = ""; if ( $table =~ /SAD/ ) { $arg = ""; } elsif ( $table =~ /SPD/ ) { $arg = "-P"; } else { prog_die "setkey_flush() - wrong arg $table"; } open ( SETKEY, '-|' ) || exec ("$setkey_cmd $arg -F 2>&1"); while ( ) { if ( m/pfkey_open: Address family not supported by protocol/ ) { $cleanret = 1; next; } chomp; prog_warn 0, "setkey said: $_"; # print "$_\n"; } close SETKEY; prog_die ("flushing $table failed - exit code " . ($? >> 8)) if ( $? && ! $cleanret); sleep($quiesce) if ($quiesce > 0); return 0 } sub spd_show () { setkey_show('SPD'); } sub sad_show () { setkey_show('SAD'); } sub setkey_show ($) { my $table = shift; my $cleanret = 0; my $arg = ""; if ( $table =~ /SAD/ ) { $arg = ""; } elsif ( $table =~ /SPD/ ) { $arg = "-P"; } else { prog_die "setkey_show() - wrong arg $table"; } system ("$setkey_cmd $arg -D | $pager_cmd @pager_flags"); return 0 } sub mod_start () { # Only do this if on linux return 0 if ($^O !~ /linux/i); print "Loading IPSEC/crypto modules...\n"; # Load cryptographic modules mod_start_crypto (); # Load xfrm and af_key mod_load "$modpath_xfrm/xfrm_user${modext}"; mod_load "$modpath_key/af_key${modext}"; # Load IPv4 IPSEC mod_start_ipsec (); # Load IPv6 IPSEC mod_start_ipsec6 (); print "IPSEC/crypto modules loaded.\n"; prog_warn 'info', "loaded IPSEC/crypto modules."; return 0; } sub mod_stop () { # Only do this if on linux return 0 if ($^O !~ /linux/i); print "Unloading IPSEC/crypto modules...\n"; # Unload crypto modules mod_stop_crypto (); # Unload xfrm and af_key mod_unload "$modpath_xfrm/xfrm_user${modext}"; mod_unload "$modpath_key/af_key${modext}"; # Unload IPv4 IPSEC mod_stop_ipsec (); # Unload IPv6 IPSEC mod_stop_ipsec6 (); print "IPSEC/crypto modules unloaded.\n"; prog_warn 'info', "unloaded IPSEC/crypto 
modules"; return 0; } sub mod_start_ipsec6 () { return 0 if ! -d $proc_ipv6; for my $mod ( @modules_ipsec6 ) { mod_load "${modpath_ipsec6}/${mod}${modext}"; } return 0; } sub mod_stop_ipsec6 () { for my $mod ( @modules_ipsec6 ) { mod_unload $mod; } return 0; } sub mod_start_ipsec () { return 0 if ! -d $proc_ipv4; for my $mod ( @modules_ipsec ) { mod_load "${modpath_ipsec}/${mod}${modext}"; } return 0; } sub mod_stop_ipsec () { for my $mod ( @modules_ipsec ) { mod_unload $mod; } return 0; } sub mod_start_crypto () { local @modfiles; return 0 if ( ! -d $modpath_crypto ); # Load zlib_deflate if present mod_load "$modpath_zlib/zlib_deflate${modext}"; opendir DIR, $modpath_crypto or prog_die "$modpath_crypto - $!"; @modfiles = grep /${modext}$/, readdir DIR; closedir DIR; for my $mod ( @modfiles ) { next if ( $mod =~ /tcrypt${modext}$/ ); mod_load "$modpath_crypto/$mod"; } return 0 } sub mod_stop_crypto () { local @modfiles; return 0 if ( ! -d $modpath_crypto ); opendir DIR, $modpath_crypto or prog_die "$modpath_crypto - $!"; @modfiles = grep /${modext}$/, readdir DIR; closedir DIR; for my $mod ( @modfiles ) { mod_unload $mod; } # Unload zlib_deflate if present mod_unload "$modpath_zlib/zlib_deflate${modext}"; return 0 } sub mod_load ($) { local $modtoload = shift; local $modname; # Check that kernel supports modules return 1 if ( ! -f $proc_modules ); return 1 if ( ! -f $modtoload ); return 1 if ( ! -f "/sbin/modprobe" ); $modname = basename("$modtoload", "$modext"); if ( ! grep /^${modname}$/, @modules ) { system ( "/sbin/modprobe $modname" ); } return 0 } sub mod_unload ($) { my $modname = shift; $modname = basename("$modname", "$modext"); if ( ! grep /^${modname}$/, @modules ) { return 0; } system ( "/sbin/modprobe -r $modname > /dev/null 2>&1" ); return 0; } sub mod_ls () { local $module; # Only do this if on linux return 0 if ($^O !~ /linux/i); if (@modules > 0) { return 0 } # Check that kernel supports modules if ( ! 
-f $proc_modules ) { return 1; } open MOD, "<$proc_modules"; while ($module = ) { chomp $module; next if ($module =~ /^Module\s+Size/); $module =~ s/^([a-zA-Z0-9_\-]+)\s+.*$/$1/; push @modules, $module; } close MOD; return 0; } debian/patches/0000755000000000000000000000000012255622143010617 5ustar debian/patches/modify-makefile-to-let-initscript-create-var-run-directory.patch0000644000000000000000000000121511766214464025135 0ustar By default through the upstream script the raccon directory /var/run/racoon gets created. As the content in /var/run/* could get lost due to a reboot, this patch gets rid of that creation and let the initscript handle this. --- ipsec-tools-0.7.3.orig/src/racoon/Makefile.in 2010-02-22 23:09:40.000000000 +0100 +++ ipsec-tools-0.7.3/src/racoon/Makefile.in 2010-02-22 23:10:09.000000000 +0100 @@ -972,9 +972,6 @@ uninstall-sbinPROGRAMS -install-exec-local: - ${mkinstalldirs} $(DESTDIR)${adminsockdir} - # special object rules crypto_openssl_test.o: crypto_openssl.c $(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c debian/patches/make-peer_certfile-dnssec-validate-dnssec0000644000000000000000000000255111773300602020606 0ustar Index: ipsec-tools/src/racoon/getcertsbyname.c =================================================================== --- ipsec-tools.orig/src/racoon/getcertsbyname.c 2012-06-29 22:19:52.569078120 +1200 +++ ipsec-tools/src/racoon/getcertsbyname.c 2012-06-29 22:20:44.599749858 +1200 @@ -213,6 +213,8 @@ char hostbuf[1024]; /* XXX */ int qtype, qclass, keytag, algorithm; struct certinfo head, *cur; + struct __res_state *_resp = &_res; + u_long _res_options = 0; int error = -1; /* initialize res */ @@ -222,6 +224,12 @@ cur = &head; /* get CERT RR */ + /* Bit bang _res libc resolver global, we are single threaded */ + if ((_resp->options & RES_INIT) == 0 && res_init() == -1) { + goto end; + } + _res_options = _resp->options; + _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); buflen = 512; do { 
@@ -241,6 +249,8 @@ goto end; } while (buflen < anslen); + /* Undo resolver options */ + _resp->options = _res_options; #ifdef DNSSEC_DEBUG printf("get a DNS packet len=%d\n", anslen); @@ -253,6 +263,15 @@ qdcount = ntohs(hp->qdcount); ancount = ntohs(hp->ancount); + /* Check if DNS server has validated answer or not */ + if (hp->ad == 0 && hp->aa==0) { +#ifdef DNSSEC_DEBUG + printf("answer is not authenticated.\n"); +#endif + h_errno = NO_RECOVERY; + goto end; + } + /* question section */ if (qdcount != 1) { #ifdef DNSSEC_DEBUG debian/patches/Fix-spelling-error-racoon.conf.5.patch0000644000000000000000000000160011766214464017704 0ustar Description: Spelling error Amend a common mis-spelling. Author: Matthew Grant Last-Update: 2011-10-03 Index: ipsec-tools/src/racoon/racoon.conf.5 =================================================================== --- ipsec-tools.orig/src/racoon/racoon.conf.5 2011-10-03 19:43:47.778635363 +1300 +++ ipsec-tools/src/racoon/racoon.conf.5 2011-10-03 20:41:04.878434600 +1300 @@ -521,7 +521,7 @@ specification should correspond to RFC 2253; in particular, commas and certain other characters - .Ic ,=+\*[Lt]\*[Gt]#; -- may be included in a name by preceeding them with a backslash "\e", and +- may be included in a name by preceding them with a backslash "\e", and arbitrary characters may be inserted in a name with the "\enn" escape, where nn is the hex representation of the ascii value of the desired character. Alternative acceptable peer identifiers may be specified by repeating the debian/patches/config-updates.diff0000644000000000000000000012704512255622143014372 0ustar Index: b/config.guess =================================================================== --- a/config.guess +++ b/config.guess 
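Review bot: The authentication test added in the `@@ -253,6 +263,15 @@` hunk, `if (hp->ad == 0 && hp->aa==0)`, accepts any reply that carries the AA bit, but AA only says the responder is authoritative for the zone and is trivially present in a forged or unvalidated response; only the AD bit from a trusted validating resolver indicates that DNSSEC validation happened. If the intent is to require a validated answer, the condition should be `if (hp->ad == 0) {`, with a comment noting that AD is only meaningful when the path to the validating resolver is itself trusted (e.g. a local validator), which this code cannot verify. In the `@@ -241,6 +249,8 @@` hunk the resolver options are restored only after the do/while completes; the `goto end` on failure inside the loop leaves `RES_USE_EDNS0|RES_USE_DNSSEC` set in the process-wide `_res` for every later lookup, so the restore would be safer placed at the `end:` label. The enclosing function starts and ends outside these hunks.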
@@ -1,14 +1,12 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 -# Free Software Foundation, Inc. +# Copyright 1992-2013 Free Software Foundation, Inc. -timestamp='2009-12-30' +timestamp='2013-06-10' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or +# the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but 
@@ -17,26 +15,22 @@ # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - - -# Originally written by Per Bothner. Please send patches (context -# diff format) to and include a ChangeLog -# entry. +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). # -# This script attempts to guess a canonical system name similar to -# config.sub. If it succeeds, it prints the system name on stdout, and -# exits with 0. Otherwise, it exits with 1. +# Originally written by Per Bothner. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD +# +# Please send patches with a ChangeLog entry to config-patches@gnu.org. + me=`echo "$0" | sed -e 's,.*/,,'` @@ -56,9 +50,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free -Software Foundation, Inc. +Copyright 1992-2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -140,12 +132,33 @@ UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown +case "${UNAME_SYSTEM}" in +Linux|GNU|GNU/*) + # If the system lacks a compiler, then just pick glibc. + # We could probably try harder. + LIBC=gnu + + eval $set_cc_for_build + cat <<-EOF > $dummy.c + #include + #if defined(__UCLIBC__) + LIBC=uclibc + #elif defined(__dietlibc__) + LIBC=dietlibc + #else + LIBC=gnu + #endif + EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` + ;; +esac + # Note: order is significant - the case branches are not exclusive. case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward @@ -181,7 +194,7 @@ fi ;; *) - os=netbsd + os=netbsd ;; esac # The OS release @@ -202,6 +215,10 @@ # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} @@ -224,7 +241,7 @@ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) - UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on 
@@ -270,7 +287,10 @@ # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - exit ;; + # Reset EXIT trap before exiting to avoid spurious non-zero exit code. + exitcode=$? + trap '' 0 + exit $exitcode ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead @@ -296,12 +316,12 @@ echo s390-ibm-zvmoe exit ;; *:OS400:*:*) - echo powerpc-ibm-os400 + echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; - arm:riscos:*:*|arm:RISCOS:*:*) + arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) @@ -395,23 +415,23 @@ # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} - exit ;; + exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} - exit ;; + echo m68k-milan-mint${UNAME_RELEASE} + exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} - exit ;; + echo m68k-hades-mint${UNAME_RELEASE} + exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} - exit ;; + echo m68k-unknown-mint${UNAME_RELEASE} + exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; 
@@ -481,8 +501,8 @@ echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) - # DG/UX returns AViiON for all architectures - UNAME_PROCESSOR=`/usr/bin/uname -p` + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ @@ -495,7 +515,7 @@ else echo i586-dg-dgux${UNAME_RELEASE} fi - exit ;; + exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; @@ -552,7 +572,7 @@ echo rs6000-ibm-aix3.2 fi exit ;; - *:AIX:*:[456]) + *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 
@@ -595,52 +615,52 @@ 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` - sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 - 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 + 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH="hppa2.0n" ;; + 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 - esac ;; - esac + esac ;; + esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + sed 's/^ //' << EOF >$dummy.c + + #define _HPUX_SOURCE + #include + #include - #define _HPUX_SOURCE - #include - #include - - int main () - { - #if defined(_SC_KERNEL_BITS) - long bits = sysconf(_SC_KERNEL_BITS); - #endif - long cpu = sysconf (_SC_CPU_VERSION); - - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1"); break; - case CPU_PA_RISC2_0: - #if defined(_SC_KERNEL_BITS) - switch (bits) - { - case 64: puts ("hppa2.0w"); break; - case 32: puts ("hppa2.0n"); break; - default: puts ("hppa2.0"); break; - } break; - #else /* !defined(_SC_KERNEL_BITS) */ - puts ("hppa2.0"); break; - #endif - default: puts ("hppa1.0"); break; - } - exit (0); - } + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + 
default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa @@ -731,22 +751,22 @@ exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd - exit ;; + exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi - exit ;; + exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd - exit ;; + exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd - exit ;; + exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd - exit ;; + exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; 
@@ -770,14 +790,14 @@ exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` - echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit ;; + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` - echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} 
@@ -789,30 +809,35 @@ echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) - case ${UNAME_MACHINE} in - pc98) - echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=`/usr/bin/uname -p` + case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; + *:MINGW64*:*) + echo ${UNAME_MACHINE}-pc-mingw64 + exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; + i*:MSYS*:*) + echo ${UNAME_MACHINE}-pc-msys + exit ;; i*:windows32*:*) - # uname -m includes "-pc" on this system. - echo ${UNAME_MACHINE}-mingw32 + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) - case ${UNAME_MACHINE} in + case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; 
@@ -849,15 +874,22 @@ exit ;; *:GNU:*:*) # the GNU system - echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; + aarch64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; 
@@ -867,52 +899,56 @@ EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; - esac + esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi - echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} + if test "$?" = 0 ; then LIBC="gnulibc1" ; fi + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + arc:Linux:*:* | arceb:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} else - echo ${UNAME_MACHINE}-unknown-linux-gnueabi + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi + else + echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf + fi fi exit ;; avr32*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; cris:Linux:*:*) - echo cris-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; crisv32:Linux:*:*) - echo crisv32-axis-linux-gnu + echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; frv:Linux:*:*) - echo frv-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + hexagon:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:Linux:*:*) - LIBC=gnu - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #ifdef __dietlibc__ - LIBC=dietlibc - #endif -EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` - echo "${UNAME_MACHINE}-pc-linux-${LIBC}" + echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m32r*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m68*:Linux:*:*) - echo 
${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build 
@@ -931,51 +967,63 @@ #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; + or1k:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; or32:Linux:*:*) - echo or32-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) - echo sparc-unknown-linux-gnu + echo sparc-unknown-linux-${LIBC} exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-gnu + echo hppa64-unknown-linux-${LIBC} exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in - PA7*) echo hppa1.1-unknown-linux-gnu ;; - PA8*) echo hppa2.0-unknown-linux-gnu ;; - *) echo hppa-unknown-linux-gnu ;; + PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; + PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; + *) echo hppa-unknown-linux-${LIBC} ;; esac exit ;; ppc64:Linux:*:*) - echo powerpc64-unknown-linux-gnu + echo powerpc64-unknown-linux-${LIBC} exit ;; ppc:Linux:*:*) - echo powerpc-unknown-linux-gnu + echo powerpc-unknown-linux-${LIBC} + exit ;; + ppc64le:Linux:*:*) + echo powerpc64le-unknown-linux-${LIBC} + exit ;; + ppcle:Linux:*:*) + echo powerpcle-unknown-linux-${LIBC} exit ;; s390:Linux:*:* | s390x:Linux:*:*) - echo ${UNAME_MACHINE}-ibm-linux + echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sh*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + tile*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; vax:Linux:*:*) - echo ${UNAME_MACHINE}-dec-linux-gnu + echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; 
x86_64:Linux:*:*) - echo x86_64-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-gnu + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. @@ -984,11 +1032,11 @@ echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) - # Unixware is an offshoot of SVR4, but it has its own version - # number series starting with 2... - # I am not positive that other SVR4 systems won't match this, + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. - # Use sysv4.2uw... so that sysv4* matches it. + # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) @@ -1020,7 +1068,7 @@ fi exit ;; i*86:*:5:[678]*) - # UnixWare 7.x, OpenUNIX and OpenServer 6. + # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; @@ -1048,13 +1096,13 @@ exit ;; pc:*:*:*) # Left here for compatibility: - # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i586. + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. echo i586-pc-msdosdjgpp - exit ;; + exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; 
@@ -1089,8 +1137,8 @@ /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4; exit; } ;; + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ @@ -1133,10 +1181,10 @@ echo ns32k-sni-sysv fi exit ;; - PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort - # says - echo i586-unisys-sysv4 - exit ;; + PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm @@ -1162,11 +1210,11 @@ exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} + echo mips-nec-sysv${UNAME_RELEASE} else - echo mips-unknown-sysv${UNAME_RELEASE} + echo mips-unknown-sysv${UNAME_RELEASE} fi - exit ;; + exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; @@ -1179,6 +1227,9 @@ BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; + x86_64:Haiku:*:*) + echo x86_64-unknown-haiku + exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; 
@@ -1205,19 +1256,21 @@ exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown - case $UNAME_PROCESSOR in - i386) - eval $set_cc_for_build - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then - if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - UNAME_PROCESSOR="x86_64" - fi - fi ;; - unknown) UNAME_PROCESSOR=powerpc ;; - esac + eval $set_cc_for_build + if test "$UNAME_PROCESSOR" = unknown ; then + UNAME_PROCESSOR=powerpc + fi + if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi + fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) @@ -1231,7 +1284,10 @@ *:QNX:*:4*) echo i386-pc-qnx exit ;; - NSE-?:NONSTOP_KERNEL:*:*) + NEO-?:NONSTOP_KERNEL:*:*) + echo neo-tandem-nsk${UNAME_RELEASE} + exit ;; + NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) @@ -1276,13 +1332,13 @@ echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) - echo mips-sei-seiux${UNAME_RELEASE} + echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) - UNAME_MACHINE=`(uname -p) 2>/dev/null` + UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; 
@@ -1300,11 +1356,11 @@ i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; esac -#echo '(No uname command or uname output not recognized.)' 1>&2 -#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 - eval $set_cc_for_build cat >$dummy.c < printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 - "4" + "4" #else - "" + "" #endif - ); exit (0); + ); exit (0); #endif #endif Index: b/config.sub =================================================================== --- a/config.sub +++ b/config.sub 
@@ -1,38 +1,31 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 -# Free Software Foundation, Inc. - -timestamp='2010-01-22' - -# This file is (in principle) common to ALL GNU software. -# The presence of a machine in this file suggests that SOME GNU software -# can handle that machine. It does not imply ALL GNU software can. -# -# This file is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or +# Copyright 1992-2013 Free Software Foundation, Inc. + +timestamp='2013-08-10' + +# This file is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA -# 02110-1301, USA. +# along with this program; if not, see . 
# # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). -# Please send patches to . Submit a context -# diff and a properly formatted GNU ChangeLog entry. +# Please send patches with a ChangeLog entry to config-patches@gnu.org. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. @@ -75,9 +68,7 @@ version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, -2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free -Software Foundation, Inc. +Copyright 1992-2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -124,13 +115,18 @@ # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in - nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \ - uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \ + nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ + linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ + knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; + android-linux) + os=-linux-android + basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown + ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] @@ -153,12 +149,12 @@ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -microblaze) + -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; - -bluegene*) - os=-cnk + -bluegene*) + os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= @@ -174,10 +170,10 @@ os=-chorusos basic_machine=$1 ;; - -chorusrdb) - os=-chorusrdb + -chorusrdb) + os=-chorusrdb basic_machine=$1 - ;; + ;; -hiux*) os=-hiuxwe2 ;; @@ -222,6 +218,12 @@ -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; + -lynx*178) + os=-lynxos178 + ;; + -lynx*5) + os=-lynxos5 + ;; -lynx*) os=-lynxos ;; 
@@ -246,20 +248,27 @@ # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ + | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ - | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ + | arc | arceb \ + | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ + | avr | avr32 \ + | be32 | be64 \ | bfin \ - | c4x | clipper \ + | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ + | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ + | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | mcore | mep | metag \ + | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ 
@@ -277,34 +286,45 @@ | mipsisa64r2 | mipsisa64r2el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ + | mipsr5900 | mipsr5900el \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ - | nios | nios2 \ + | nds32 | nds32le | nds32be \ + | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ - | or32 \ + | open8 \ + | or1k | or32 \ | pdp10 | pdp11 | pj | pjl \ - | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ + | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ - | rx \ + | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ - | spu | strongarm \ - | tahoe | thumb | tic4x | tic80 | tron \ + | spu \ + | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ - | v850 | v850e \ + | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ - | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ + | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; - m6811 | m68hc11 | m6812 | m68hc12 | picochip) - # Motorola 68HC11/12. + c54x) + basic_machine=tic54x-unknown + ;; + c55x) + basic_machine=tic55x-unknown + ;; + c6x) + basic_machine=tic6x-unknown + ;; + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) basic_machine=$basic_machine-unknown os=-none ;; @@ -314,6 +334,21 @@ basic_machine=mt-unknown ;; + strongarm | thumb | xscale) + basic_machine=arm-unknown + ;; + xgate) + basic_machine=$basic_machine-unknown + os=-none + ;; + xscaleeb) + basic_machine=armeb-unknown + ;; + + xscaleel) + basic_machine=armel-unknown + ;; + # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. 
@@ -328,25 +363,30 @@ # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ + | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ + | be32-* | be64-* \ | bfin-* | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ - | clipper-* | craynv-* | cydra-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* \ + | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ + | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ + | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ + | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ 
@@ -364,30 +404,34 @@ | mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ + | mipsr5900-* | mipsr5900el-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ - | nios-* | nios2-* \ + | nds32-* | nds32le-* | nds32be-* \ + | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ + | open8-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ - | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ + | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ - | romp-* | rs6000-* | rx-* \ + | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ - | tahoe-* | thumb-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ + | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tile-* | tilegx-* \ + | tile*-* \ | tron-* \ | ubicom32-* \ - | v850-* | v850e-* | vax-* \ + | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ + | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ + | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) @@ -412,7 +456,7 @@ basic_machine=a29k-amd os=-udi ;; - abacus) + abacus) basic_machine=abacus-unknown ;; adobe68k) 
@@ -482,11 +526,20 @@ basic_machine=powerpc-ibm os=-cnk ;; + c54x-*) + basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + c55x-*) + basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + c6x-*) + basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; c90) basic_machine=c90-cray os=-unicos ;; - cegcc) + cegcc) basic_machine=arm-unknown os=-cegcc ;; @@ -518,7 +571,7 @@ basic_machine=craynv-cray os=-unicosmp ;; - cr16) + cr16 | cr16-*) basic_machine=cr16-unknown os=-elf ;; @@ -676,7 +729,6 @@ i370-ibm* | ibm*) basic_machine=i370-ibm ;; -# I'm not sure what "Sysv32" means. Should this be sysv3.2? i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 @@ -734,11 +786,15 @@ basic_machine=ns32k-utek os=-sysv ;; - microblaze) + microblaze*) basic_machine=microblaze-xilinx ;; + mingw64) + basic_machine=x86_64-pc + os=-mingw64 + ;; mingw32) - basic_machine=i386-pc + basic_machine=i686-pc os=-mingw32 ;; mingw32ce) @@ -773,10 +829,18 @@ ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; + msys) + basic_machine=i686-pc + os=-msys + ;; mvs) basic_machine=i370-ibm os=-mvs ;; + nacl) + basic_machine=le32-unknown + os=-nacl + ;; ncr3000) basic_machine=i486-ncr os=-sysv4 @@ -841,6 +905,12 @@ np1) basic_machine=np1-gould ;; + neo-tandem) + basic_machine=neo-tandem + ;; + nse-tandem) + basic_machine=nse-tandem + ;; nsr-tandem) basic_machine=nsr-tandem ;; @@ -923,9 +993,10 @@ ;; power) basic_machine=power-ibm ;; - ppc) basic_machine=powerpc-unknown + ppc | ppcbe) basic_machine=powerpc-unknown ;; - ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ppc-* | ppcbe-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown @@ -950,7 +1021,11 @@ basic_machine=i586-unknown os=-pw32 ;; - rdos) + rdos | rdos64) + basic_machine=x86_64-pc + os=-rdos + ;; + rdos32) basic_machine=i386-pc os=-rdos ;; 
@@ -1019,6 +1094,9 @@ basic_machine=i860-stratus os=-sysv4 ;; + strongarm-* | thumb-*) + basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; sun2) basic_machine=m68000-sun ;; @@ -1075,25 +1153,8 @@ basic_machine=t90-cray os=-unicos ;; - tic54x | c54x*) - basic_machine=tic54x-unknown - os=-coff - ;; - tic55x | c55x*) - basic_machine=tic55x-unknown - os=-coff - ;; - tic6x | c6x*) - basic_machine=tic6x-unknown - os=-coff - ;; - # This must be matched before tile*. - tilegx*) - basic_machine=tilegx-unknown - os=-linux-gnu - ;; tile*) - basic_machine=tile-unknown + basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) @@ -1163,6 +1224,9 @@ xps | xps100) basic_machine=xps100-honeywell ;; + xscale-* | xscalee[bl]-*) + basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` + ;; ymp) basic_machine=ymp-cray os=-unicos @@ -1260,11 +1324,11 @@ if [ x"$os" != x"" ] then case $os in - # First match some system type aliases - # that might get confused with valid system types. + # First match some system type aliases + # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. - -auroraux) - os=-auroraux + -auroraux) + os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` 
@@ -1288,20 +1352,21 @@ -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ - | -sym* | -kopensolaris* \ + | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ - | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \ + | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ + | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ @@ -1348,7 +1413,7 @@ -opened*) os=-openedition ;; - -os400*) + -os400*) os=-os400 ;; -wince*) @@ -1397,7 +1462,7 @@ -sinix*) os=-sysv4 ;; - -tpf*) + -tpf*) os=-tpf ;; -triton*) @@ -1433,17 +1498,14 @@ -aros*) os=-aros ;; - -kaos*) - os=-kaos - ;; -zvmoe) os=-zvmoe ;; -dicos*) os=-dicos ;; - -nacl*) - ;; + -nacl*) + ;; -none) ;; *) @@ -1466,10 +1528,10 @@ # system, and we'll never get to this point. case $basic_machine in - score-*) + score-*) os=-elf ;; - spu-*) + spu-*) os=-elf ;; *-acorn) 
@@ -1481,8 +1543,23 @@ arm*-semi) os=-aout ;; - c4x-* | tic4x-*) - os=-coff + c4x-* | tic4x-*) + os=-coff + ;; + c8051-*) + os=-elf + ;; + hexagon-*) + os=-elf + ;; + tic54x-*) + os=-coff + ;; + tic55x-*) + os=-coff + ;; + tic6x-*) + os=-coff ;; # This must come before the *-dec entry. pdp10-*) @@ -1502,14 +1579,11 @@ ;; m68000-sun) os=-sunos3 - # This also exists in the configure program, but was not the - # default. - # os=-sunos4 ;; m68*-cisco) os=-aout ;; - mep-*) + mep-*) os=-elf ;; mips*-cisco) @@ -1518,6 +1592,9 @@ mips*-*) os=-elf ;; + or1k-*) + os=-elf + ;; or32-*) os=-coff ;; @@ -1536,7 +1613,7 @@ *-ibm) os=-aix ;; - *-knuth) + *-knuth) os=-mmixware ;; *-wec) Index: b/configure =================================================================== --- a/configure +++ b/configure @@ -6865,7 +6865,10 @@ x86_64-*linux*) LD="${LD-ld} -m elf_i386" ;; - ppc64-*linux*|powerpc64-*linux*) + powerpc64le-*) + LD="${LD-ld} -m elf32lppclinux" + ;; + powerpc64-*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) @@ -6884,7 +6887,10 @@ x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - ppc*-*linux*|powerpc*-*linux*) + powerpcle-*) + LD="${LD-ld} -m elf64lppc" + ;; + powerpc-*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) Index: b/aclocal.m4 =================================================================== --- a/aclocal.m4 +++ b/aclocal.m4 @@ -1296,7 +1296,10 @@ x86_64-*linux*) LD="${LD-ld} -m elf_i386" ;; - ppc64-*linux*|powerpc64-*linux*) + powerpc64le-*) + LD="${LD-ld} -m elf32lppclinux" + ;; + powerpc64-*) LD="${LD-ld} -m elf32ppclinux" ;; s390x-*linux*) 
@@ -1315,7 +1318,10 @@ x86_64-*linux*) LD="${LD-ld} -m elf_x86_64" ;; - ppc*-*linux*|powerpc*-*linux*) + powerpcle-*) + LD="${LD-ld} -m elf64lppc" + ;; + powerpc-*) LD="${LD-ld} -m elf64ppc" ;; s390*-*linux*|s390*-*tpf*) debian/patches/patch-to-support-cast128-cbc-algorithm.patch0000644000000000000000000000120611766214464020775 0ustar This patch adds support for cast128-cbc algorithm patch supplied by Hiroyuki YAMAMORI --- ipsec-tools-0.7.3.orig/src/include-glibc/net/pfkeyv2.h 2010-02-24 21:06:06.000000000 +0100 +++ ipsec-tools-0.7.3/src/include-glibc/net/pfkeyv2.h 2010-02-24 21:06:30.000000000 +0100 @@ -18,7 +18,7 @@ #define SADB_X_AALG_SHA 250 /* private allocations - based on RFC2407/IANA assignment */ -#define SADB_X_EALG_CAST128CBC 5 /* SADB_X_EALG_CASTCBC? == 6 */ +#define SADB_X_EALG_CAST128CBC SADB_X_EALG_CASTCBC #define SADB_X_EALG_RIJNDAELCBC SADB_X_EALG_AESCBC #define SADB_X_EALG_AES SADB_X_EALG_AESCBC debian/patches/support-iphone-os-main-mode-with-psk.patch0000644000000000000000000000204211766214464020672 0ustar The iPhone OS has a strange set of VPN features. Using L2TP over IPsec it only supports main mode with pre-shared keys (no certificates). Since L2TP provides the per-user authentication we want to use a single pre-shared key for all VPN users, but this is hard to do with ipsec-tools since racoon only supports pskey lookup by address when identity protection is used and we do not know the address of the client in advance. The attached patch adds a wildcard match to the psk.txt reading code, specifying an id of * will match any client. (John Keith Hohm ) --- ipsec-tools-0.7.3.orig/src/racoon/localconf.c 2010-08-12 12:52:27.000000000 +0200 +++ ipsec-tools-0.7.3/src/racoon/localconf.c 2010-08-12 12:55:01.000000000 +0200 
@@ -211,7 +211,8 @@ if (*p == '\0') continue; /* no 2nd parameter */ p--; - if (strncmp(buf, str, len) == 0 && buf[len] == '\0') { + if (strncmp(buf, "*", 2) == 0 || + (strncmp(buf, str, len) == 0 && buf[len] == '\0')) { p++; keylen = 0; for (q = p; *q != '\0' && *q != '\n'; q++) debian/patches/gcc-4.8.diff0000644000000000000000000000054412113074654012520 0ustar Index: b/src/racoon/ipsec_doi.c =================================================================== --- a/src/racoon/ipsec_doi.c +++ b/src/racoon/ipsec_doi.c @@ -1183,7 +1183,7 @@ "failed to get buffer.\n"); goto bad; } - memset(pair, 0, sizeof(pair)); + memset(pair, 0, sizeof(*pair)); bp = (caddr_t)(sab + 1); tlen = sa->l - sizeof(*sab); debian/patches/ipsec-str_error-spelling.patch0000644000000000000000000000153511766214464016612 0ustar Description: Trivial spelling error Code comment has a mis-spelled word. Author: Matthew Grant Last-Update: 2011-10-03 Index: ipsec-tools/src/libipsec/ipsec_strerror.h =================================================================== --- ipsec-tools.orig/src/libipsec/ipsec_strerror.h 2011-10-03 19:43:47.000000000 +1300 +++ ipsec-tools/src/libipsec/ipsec_strerror.h 2011-10-03 20:58:43.672162611 +1300 
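Review bot: The new wildcard test is evaluated before the exact-identifier comparison on every psk.txt line, so a line whose identifier is exactly `*` placed above a more specific entry will shadow that entry if the lookup stops at the first match; the enclosing function starts and ends outside the hunk, so the return is not visible here and this should be confirmed. `strncmp(buf, "*", 2) == 0` compares the `*` and its terminator, which is just `strcmp(buf, "*") == 0` written less directly; the simpler form reads as an exact match, which is what is intended. A comment on the new condition would make the contract explicit, e.g. `/* "*" is a wildcard identifier and matches any peer; one shared secret then covers every such peer */`. Since the patch header delegates per-user authentication to L2TP, that dependency belongs in the shipped psk.txt sample or the racoon.conf(5) text rather than only in the patch description.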
@@ -54,7 +54,7 @@ #define EIPSEC_INVAL_KEYLEN 14 /*invalid key length*/ #define EIPSEC_INVAL_FAMILY 15 /*invalid address family*/ #define EIPSEC_INVAL_PREFIXLEN 16 /*SPI range violation*/ -#define EIPSEC_INVAL_DIR 17 /*Invalid direciton*/ +#define EIPSEC_INVAL_DIR 17 /*Invalid direction*/ #define EIPSEC_INVAL_SPI 18 /*invalid prefixlen*/ #define EIPSEC_NO_PROTO 19 /*no protocol specified*/ #define EIPSEC_NO_ALGS 20 /*No algorithm specified*/ debian/patches/configure-pass-Wl-with-R.patch0000644000000000000000000000313611766214464016331 0ustar Description: Always pass -Wl,-Rxyz rather than just -Rxyz gcc used to return 0 on unknown flags, but now returns an error. So test compilations fail because we are passing -R/lib. Author: Serge Hallyn Origin: serge.hallyn@ubuntu.com Forwarded: no Last-Update: 2011-06-08 --- ipsec-tools-0.8.0.orig/configure +++ ipsec-tools-0.8.0/configure @@ -13076,7 +13076,7 @@ fi as_fn_error $? "ICONV libs or includes not found. Aborting." "$LINENO" 5 fi fi - LIBS="$LIBS -L$libiconv_dir/lib -R$libiconv_dir/lib -liconv" + LIBS="$LIBS -L$libiconv_dir/lib -Wl,-R$libiconv_dir/lib -liconv" for ac_func in iconv_open do : ac_fn_c_check_func "$LINENO" "iconv_open" "ac_cv_func_iconv_open" @@ -13333,7 +13333,7 @@ fi $as_echo "#define HAVE_LIBRADIUS /**/" >>confdefs.h - LIBS="$LIBS -L$libradius_dir/lib -R$libradius_dir/lib -lradius" + LIBS="$LIBS -L$libradius_dir/lib -Wl,-R$libradius_dir/lib -lradius" for ac_func in rad_create_request do : ac_fn_c_check_func "$LINENO" "rad_create_request" "ac_cv_func_rad_create_request" @@ -13536,7 +13536,7 @@ fi $as_echo "#define HAVE_LIBPAM /**/" >>confdefs.h - LIBS="$LIBS -L$libpam_dir/lib -R$libpam_dir/lib -lpam" + LIBS="$LIBS -L$libpam_dir/lib -Wl,-R$libpam_dir/lib -lpam" for ac_func in pam_start do : ac_fn_c_check_func "$LINENO" "pam_start" "ac_cv_func_pam_start" 
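Review bot: In the gcc-4.8.diff hunk for ipsec_doi.c, `sizeof(*pair)` is only the right length if the allocation just above the hunk sizes the buffer as a single `*pair` element; that allocation line is outside the hunk, so the two sizes should be checked against each other rather than assumed to agree. The old `sizeof(pair)` presumably zeroed only a pointer's width (the `goto bad` on "failed to get buffer" suggests `pair` is a freshly allocated pointer), which is why the compiler warned. If the buffer comes from a calloc-style allocator the memset is redundant in either form and could be dropped with a one-line comment saying the allocator already zeroes it. The enclosing function begins and ends outside the hunk.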
@@ -13739,7 +13739,7 @@ fi $as_echo "#define HAVE_LIBLDAP /**/" >>confdefs.h - LIBS="$LIBS -L$libldap_dir/lib -R$libldap_dir/lib -lldap" + LIBS="$LIBS -L$libldap_dir/lib -Wl,-R$libldap_dir/lib -lldap" saved_CFLAGS=$CFLAGS CFLAGS="$CFLAGS -Wall -Werror" debian/patches/move-private-libraries-to-subfolder.patch0000644000000000000000000000100211766214464020635 0ustar this patch is setting the rpath in ltmain.sh to move the private libraries afterwards in a subfolder under /usr/lib/ to follow the recommendations of debian policy 10.2 --- ipsec-tools-0.8.0-orig/ltmain.sh 2011-03-21 11:29:31.000000000 +0100 +++ ipsec-tools-0.8.0/ltmain.sh 2011-03-21 11:35:07.000000000 +0100 @@ -4057,7 +4057,7 @@ finalize_command=$nonopt compile_rpath= - finalize_rpath= + finalize_rpath=/usr/lib/ipsec-tools compile_shlibpath= finalize_shlibpath= convenience= debian/patches/FTBFS2_kfreebsd.patch0000644000000000000000000001267011766214464014452 0ustar this patch addresses build problems on kfreebsd diff -Naurp ipsec-tools-0.8.0.orig/configure ipsec-tools-0.8.0/configure --- ipsec-tools-0.8.0.orig/configure 2011-03-18 14:27:41.000000000 +0100 +++ ipsec-tools-0.8.0/configure 2011-03-21 15:43:06.000000000 +0100 @@ -11550,6 +11550,9 @@ case $host in ;; +*kfreebsd*) + LIBS="$LIBS -lresolv" + ;; *darwin*) LIBS="$LIBS -lresolv" ;; @@ -14100,6 +14103,7 @@ $as_echo_n "checking for advanced API su #define INET6 #endif #include +#define __USE_GNU 1 /* GNU/kFreeBSD */ #include int main () 
@@ -14266,7 +14270,7 @@ fi rm -f conftest* ;; -freebsd*|netbsd*) +freebsd*|kfreebsd*|netbsd*) # NetBSD case # Same check for FreeBSD ac_fn_c_check_member "$LINENO" "struct sadb_x_nat_t_type" "sadb_x_nat_t_type_len" "ac_cv_member_struct_sadb_x_nat_t_type_sadb_x_nat_t_type_len" " diff -Naurp ipsec-tools-0.8.0.orig/src/libipsec/key_debug.c ipsec-tools-0.8.0/src/libipsec/key_debug.c --- ipsec-tools-0.8.0.orig/src/libipsec/key_debug.c 2008-12-05 07:02:20.000000000 +0100 +++ ipsec-tools-0.8.0/src/libipsec/key_debug.c 2011-03-21 14:48:08.000000000 +0100 @@ -790,7 +790,7 @@ kdebug_mbufhdr(m) m->m_pkthdr.len, m->m_pkthdr.rcvif); } -#ifdef __FreeBSD__ +#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) if (m->m_flags & M_EXT) { printf(" m_ext{ ext_buf:%p ext_free:%p " "ext_size:%u ext_ref:%p }\n", diff -Naurp ipsec-tools-0.8.0.orig/src/libipsec/policy_token.c ipsec-tools-0.8.0/src/libipsec/policy_token.c --- ipsec-tools-0.8.0.orig/src/libipsec/policy_token.c 2011-03-18 14:28:03.000000000 +0100 +++ ipsec-tools-0.8.0/src/libipsec/policy_token.c 2011-03-21 14:48:08.000000000 +0100 @@ -625,7 +625,7 @@ char *__libipsectext; #include "libpfkey.h" #if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__) && \ -!defined(__APPLE__) && !defined(__MACH__) +!defined(__APPLE__) && !defined(__MACH__) && !defined(__FreeBSD_kernel__) #include "y.tab.h" #else #include "policy_parse.h" diff -Naurp ipsec-tools-0.8.0.orig/src/libipsec/policy_token.l ipsec-tools-0.8.0/src/libipsec/policy_token.l --- ipsec-tools-0.8.0.orig/src/libipsec/policy_token.l 2007-07-18 14:07:50.000000000 +0200 +++ ipsec-tools-0.8.0/src/libipsec/policy_token.l 2011-03-21 14:48:08.000000000 +0100 
@@ -52,7 +52,7 @@ #include "libpfkey.h" #if !defined(__NetBSD__) && !defined(__FreeBSD__) && !defined(__linux__) && \ -!defined(__APPLE__) && !defined(__MACH__) +!defined(__APPLE__) && !defined(__MACH__) && !defined(__FreeBSD_kernel__) #include "y.tab.h" #else #include "policy_parse.h" diff -Naurp ipsec-tools-0.8.0.orig/src/racoon/isakmp.c ipsec-tools-0.8.0/src/racoon/isakmp.c --- ipsec-tools-0.8.0.orig/src/racoon/isakmp.c 2011-03-15 14:20:14.000000000 +0100 +++ ipsec-tools-0.8.0/src/racoon/isakmp.c 2011-03-21 14:48:08.000000000 +0100 @@ -122,12 +122,15 @@ # endif # endif /* __linux__ */ # if defined(__NetBSD__) || defined(__FreeBSD__) || \ - (defined(__APPLE__) && defined(__MACH__)) + (defined(__APPLE__) && defined(__MACH__)) || defined(__FreeBSD_kernel__) +# define __FAVOR_BSD /* GNU/kFreeBSD */ # include # include # include # include -# define SOL_UDP IPPROTO_UDP +# ifndef SOL_UDP +# define SOL_UDP IPPROTO_UDP +# endif # endif /* __NetBSD__ / __FreeBSD__ */ static int nostate1 __P((struct ph1handle *, vchar_t *)); diff -Naurp ipsec-tools-0.8.0.orig/src/racoon/nattraversal.c ipsec-tools-0.8.0/src/racoon/nattraversal.c --- ipsec-tools-0.8.0.orig/src/racoon/nattraversal.c 2011-03-14 18:18:13.000000000 +0100 +++ ipsec-tools-0.8.0/src/racoon/nattraversal.c 2011-03-21 14:48:08.000000000 +0100 @@ -38,7 +38,7 @@ #ifdef __linux__ #include #endif -#if defined(__NetBSD__) || defined (__FreeBSD__) +#if defined(__NetBSD__) || defined (__FreeBSD__) || defined(__FreeBSD_kernel__) #include #endif diff -Naurp ipsec-tools-0.8.0.orig/src/racoon/pfkey.c ipsec-tools-0.8.0/src/racoon/pfkey.c --- ipsec-tools-0.8.0.orig/src/racoon/pfkey.c 2011-03-15 14:20:14.000000000 +0100 +++ ipsec-tools-0.8.0/src/racoon/pfkey.c 2011-03-21 14:48:08.000000000 +0100 
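Review bot: In the isakmp.c hunk, `# define __FAVOR_BSD` is introduced around line 125, after the file's earlier include block; a feature macro of this kind only takes effect if it is defined before the first inclusion of the header it governs, so if that header is already pulled in directly or transitively above this point on GNU/kFreeBSD the define is a no-op and the BSD-style layout the following code expects is not selected. The header names in the four `# include` lines below it are lost in this rendering, so this needs confirming against the include order at the top of the file, which is outside the hunk. The closing comment `# endif /* __NetBSD__ / __FreeBSD__ */` now also covers the Apple and `__FreeBSD_kernel__` cases; `/* __NetBSD__ / __FreeBSD__ / __APPLE__ / __FreeBSD_kernel__ */` keeps it accurate. Guarding `SOL_UDP` with `#ifndef` is the right change where the platform headers already define it.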
@@ -50,7 +50,7 @@ # include # endif # if defined(__NetBSD__) || defined(__FreeBSD__) || \ - (defined(__APPLE__) && defined(__MACH__)) + (defined(__APPLE__) && defined(__MACH__)) || defined(__FreeBSD_kernel__) # include # endif #endif diff -Naurp ipsec-tools-0.8.0.orig/src/setkey/token.c ipsec-tools-0.8.0/src/setkey/token.c --- ipsec-tools-0.8.0.orig/src/setkey/token.c 2011-03-18 14:28:03.000000000 +0100 +++ ipsec-tools-0.8.0/src/setkey/token.c 2011-03-21 14:48:08.000000000 +0100 @@ -1051,7 +1051,7 @@ char *yytext; #include "vchar.h" #if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || \ -(defined(__APPLE__) && defined(__MACH__)) +(defined(__APPLE__) && defined(__MACH__)) || defined(__FreeBSD_kernel__) #include "parse.h" #else #include "y.tab.h" diff -Naurp ipsec-tools-0.8.0.orig/src/setkey/token.l ipsec-tools-0.8.0/src/setkey/token.l --- ipsec-tools-0.8.0.orig/src/setkey/token.l 2010-06-04 15:06:03.000000000 +0200 +++ ipsec-tools-0.8.0/src/setkey/token.l 2011-03-21 14:48:08.000000000 +0100 @@ -53,7 +53,7 @@ #include "vchar.h" #if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__linux__) || \ -(defined(__APPLE__) && defined(__MACH__)) +(defined(__APPLE__) && defined(__MACH__)) || defined(__FreeBSD_kernel__) #include "parse.h" #else #include "y.tab.h" debian/patches/0001-extend-setkey.8-manpage-esp-udp-tcp-md5.patch0000644000000000000000000000131411766214464021415 0ustar Patch to document esp-udp algo for setkey as well as lack of tcp-md5 support for linux systems --- ipsec-tools-0.7.3.orig/src/setkey/setkey.8 2010-03-23 13:02:39.000000000 +0100 +++ ipsec-tools-0.7.3/src/setkey/setkey.8 2010-03-23 13:03:52.000000000 +0100 @@ -293,6 +293,8 @@ ESP based on rfc2406 .It Li esp-old ESP based on rfc1827 +.It Li esp-udp +ESP-UDP based on rfc3948 .It Li ah AH based on rfc2402 .It Li ah-old 
@@ -735,7 +737,7 @@ ah-old: 128bit ICV (no document) aes-xcbc-mac 128 ah: 96bit ICV (RFC3566) 128 ah-old: 128bit ICV (no document) -tcp-md5 8 to 640 tcp: rfc2385 +tcp-md5 8 to 640 tcp: rfc2385 (tcp-md5 support only on BSD) .Ed .Pp These encryption algorithms can be used as debian/patches/series0000644000000000000000000000067412225330240012032 0ustar make-peer_certfile-dnssec-validate-dnssec ipsec-str_error-spelling.patch Fix-spelling-error-racoon.conf.5.patch 0001-extend-setkey.8-manpage-esp-udp-tcp-md5.patch modify-makefile-to-let-initscript-create-var-run-directory.patch move-private-libraries-to-subfolder.patch FTBFS2_kfreebsd.patch patch-to-support-cast128-cbc-algorithm.patch support-iphone-os-main-mode-with-psk.patch configure-pass-Wl-with-R.patch gcc-4.8.diff config-updates.diff debian/racoon.symbols0000644000000000000000000000164011766214464012075 0ustar libracoon.so.0 racoon #MINVER# _plog@Base 0.7.3 bit2str@Base 0.7.3 close_on_exec@Base 0.8.0 cmpsaddr@Base 0.8.0 com_init@Base 0.7.3 com_recv@Base 0.7.3 com_send@Base 0.7.3 debug_location@Base 0.7.3 dupsaddr@Base 0.7.3 extract_port@Base 0.7.3 get_port_ptr@Base 0.7.3 get_sockaddr@Base 0.7.3 getfsize@Base 0.7.3 getlocaladdr@Base 0.7.3 loglevel@Base 0.7.3 mask_sockaddr@Base 0.7.3 naddr_score@Base 0.7.3 naddrwop2str@Base 0.7.3 naddrwop2str_fromto@Base 0.7.3 newsaddr@Base 0.7.3 niflags@Base 0.7.3 plogdump@Base 0.7.3 racoon_hexdump@Base 0.7.3 racoonctl_interface@Base 0.7.3 racoonctl_interface_major@Base 0.7.3 recvfromto@Base 0.7.3 saddr2str@Base 0.7.3 saddr2str_fromto@Base 0.7.3 saddrwop2str@Base 0.7.3 sendfromto@Base 0.7.3 set_port@Base 0.7.3 setsockopt_bypass@Base 0.7.3 str2saddr@Base 0.7.3 timedelta@Base 0.7.3 vdup@Base 0.7.3 vfree@Base 0.7.3 vmalloc@Base 0.7.3 vrealloc@Base 0.7.3 debian/control0000644000000000000000000000252312057163643010602 0ustar Source: ipsec-tools Section: net Priority: extra Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Matthew Grant Build-Depends: debhelper (>=7.0.50~), flex, 
bison, libkrb5-dev, libssl-dev (>= 0.9.6), libpam0g-dev, po-debconf, chrpath, hardening-wrapper, libldap2-dev Standards-Version: 3.9.3 Vcs-Git: git://anonscm.debian.org/collab-maint/ipsec-tools.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/ipsec-tools.git Homepage: http://ipsec-tools.sourceforge.net/ Package: ipsec-tools Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base (>= 3.0-6) Description: IPsec utilities IPsec (Internet Protocol security) offers end-to-end security for network traffic at the IP layer. . This package is a Linux port of the utilities from the KAME IPsec implementation on BSD. Package: racoon Architecture: any Provides: ike-server Conflicts: ike-server Depends: ${misc:Depends}, ${shlibs:Depends}, ipsec-tools (= ${binary:Version}), debconf (>= 0.2.26) | debconf-2.0, adduser, lsb-base (>= 3.0-6), ${perl:Depends} Description: IPsec Internet Key Exchange daemon IPsec (Internet Protocol security) offers end-to-end security for network traffic at the IP layer. . This package is a Linux port of the IKE server from the KAME IPsec implementation on BSD. debian/ipsec-tools.copyright0000644000000000000000000002334511766214463013402 0ustar This is the Debian packaged version of ipsec-tools. Sources for this package can be found at its homepage at http://ipsec-tools.sourceforge.net/ . The code is copyright 1995, 1996, 1997, 1998, and 1999 by the WIDE Project and licensed under the BSD license. Copyright (c) The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The GSSAPI code is copyright 2000 Wasabi Systems, Inc and lincensed under the following license: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Wasabi Systems for Zembu Labs, Inc. http://www.zembu.com/ 4. The name of Wasabi Systems, Inc. 
may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The OpenSSL License is: Copyright (c) 1998-2004 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson The upstream sources were obtained from http://www.openssl.org/ LICENSE ISSUES ============== The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. OpenSSL License --------------- /* ==================================================================== * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. 
Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. 
* ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] 
*/ debian/ipsec-tools.lintian-overrides0000644000000000000000000000011111766214464015013 0ustar ipsec-tools: unusual-interpreter etc/ipsec-tools.conf #!/usr/sbin/setkey debian/ipsec-tools.install0000644000000000000000000000016411766214464013033 0ustar usr/sbin/setkey usr/share/man/man8/setkey.8 usr/lib/ipsec-tools/libipsec.so.0 usr/lib/ipsec-tools/libipsec.so.0.0.1 debian/rules0000755000000000000000000000532511773213615010261 0ustar #!/usr/bin/make -f export DEB_BUILD_HARDENING=1 export DH_OPTIONS # These are used for cross-compiling and for saving the configure script DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) CFLAGS = -Wall -g -fno-strict-aliasing -isystem /usr/include -D_FORTIFY_SOURCE=2 ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) CFLAGS += -O0 else CFLAGS += -O2 endif #NAT-T=--enable-natt # #ifeq '$(DEB_HOST_ARCH)' 'kfreebsd-amd64' #NAT-T= #endif #ifeq '$(DEB_HOST_ARCH)' 'kfreebsd-i386' #NAT-T= #endif %: dh $@ patch: quilt push -a unpatch: quilt pop -a override_dh_auto_configure: CFLAGS="$(CFLAGS)" ./configure --verbose \ --host=$(DEB_HOST_GNU_TYPE) \ --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr \ --sysconfdir=/etc/racoon \ --libdir=/usr/lib/ipsec-tools \ --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info \ --localstatedir=/var/run \ --enable-shared \ --disable-static \ --enable-frag \ --enable-gssapi \ --enable-hybrid \ --with-libldap \ --enable-dpd \ --enable-adminport \ --with-kernel-headers=/usr/include \ --with-libpam \ --without-readline \ --disable-security-context \ --enable-natt override_dh_clean: dh_testdir dh_auto_clean dh_clean # Remove this after make clean as it upsets git-buildpackage # make clean will invoke configure!! 
- rm -f config.log override_dh_install: chrpath -r /usr/lib/ipsec-tools debian/tmp/usr/lib/ipsec-tools/*.so.0.* \ debian/tmp/usr/sbin/* dh_install mkdir -p debian/racoon/var/lib/racoon install -m 755 -o root -g root debian/racoon-tool.pl \ debian/racoon/usr/sbin/racoon-tool install -D -m 600 -o root -g root src/racoon/samples/psk.txt.sample \ debian/racoon/etc/racoon/psk.txt install -m 644 -o root -g root debian/racoon-tool.conf \ debian/racoon/etc/racoon install -m 644 -o root -g root debian/racoon.conf \ debian/racoon/etc/racoon/racoon.conf mkdir -p debian/ipsec-tools/etc install -m 755 -o root -g root debian/ipsec-tools.conf \ debian/ipsec-tools/etc/ipsec-tools.conf override_dh_installchangelogs: dh_installchangelogs ChangeLog override_dh_installexamples: dh_installexamples -pracoon -X.in src/racoon/samples dh_installexamples override_dh_installinit: dh_installinit -R -pracoon -- start 40 S . stop 07 0 1 6 . dh_installinit -R -pipsec-tools --name=setkey --no-start -- start 14 S . override_dh_installman: dh_installman dh_installman -pracoon debian/racoon-tool.8 debian/racoon-tool.conf.5 override_dh_makeshlibs: dh_makeshlibs -n debian/source/0000755000000000000000000000000011766214464010501 5ustar debian/source/format0000644000000000000000000000001411766214464011707 0ustar 3.0 (quilt) debian/racoon.examples0000644000000000000000000000012611766214464012221 0ustar debian/examples/plainrsa-convert debian/examples/tunnel-openbsd-to-debian-example.txt debian/ipsec-tools.README.Debian0000644000000000000000000000025611766214463013504 0ustar Debian README for ipsec-tools ------------------------ The setkey init-script now provides a way to use setkey statements from different files in /etc/ipsec-tools.d/*.conf debian/racoon.conf0000644000000000000000000000215611766214464011335 0ustar # # NOTE: This file will not be used if you use racoon-tool(8) to manage your # IPsec connections. 
racoon-tool will process racoon-tool.conf(5) and # generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead # of this file. # # Simple racoon.conf # # # Please look in /usr/share/doc/racoon/examples for # examples that come with the source. # # Please read racoon.conf(5) for details, and also read setkey(8). # # # Also read the Linux IPSEC Howto up at # http://www.ipsec-howto.org/t1.html # log notify; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; # NOTE: the commented-out example below uses algorithms that are weak by current # standards (3des, sha1, hmac_md5, modp768, modp1024); for a live configuration # prefer aes, sha256 and modp2048 or stronger. Aggressive mode combined with # pre_shared_key exposes the PSK to offline guessing, so prefer main mode only. #remote 172.31.1.1 { # exchange_mode main,aggressive; # proposal { # encryption_algorithm 3des; # hash_algorithm sha1; # authentication_method pre_shared_key; # dh_group modp1024; # } # generate_policy off; #} # #sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any { # pfs_group modp768; # encryption_algorithm 3des; # authentication_algorithm hmac_md5; # compression_algorithm deflate; #} debian/watch0000644000000000000000000000012311766214464010226 0ustar version=3 http://sf.net/ipsec-tools/ipsec-tools-([0-9.]+)\.tar\.gz debian uupdate
