svn commit: r425847 - in head: . security security/openiked security/openiked/files

Marcel Moolenaar marcel at FreeBSD.org
Thu Nov 10 16:14:05 UTC 2016


Author: marcel (src committer)
Date: Thu Nov 10 16:14:03 2016
New Revision: 425847
URL: https://svnweb.freebsd.org/changeset/ports/425847

Log:
  Add OpenIKED, version 1.0
  
  This is OpenBSD's OpenIKED with fixes and improvements and additional
  features.
  
  Original author:	Reyk Floeter <reyk at openbsd.org>
  Author:			Marcel Moolenaar <marcel at brkt.com>
  Reviewed by:		mat@
  Approved by:		mat@
  Obtained from:		https://github.com/xcllnt/openiked
  Sponsored by:		Bracket Computing, Inc.
  Differential Revision:	https://reviews.freebsd.org/D8417

Added:
  head/security/openiked/
  head/security/openiked/Makefile   (contents, props changed)
  head/security/openiked/distinfo   (contents, props changed)
  head/security/openiked/files/
  head/security/openiked/files/iked.in   (contents, props changed)
  head/security/openiked/pkg-descr   (contents, props changed)
  head/security/openiked/pkg-plist   (contents, props changed)
Modified:
  head/GIDs
  head/UIDs
  head/security/Makefile

Modified: head/GIDs
==============================================================================
--- head/GIDs	Thu Nov 10 14:22:57 2016	(r425846)
+++ head/GIDs	Thu Nov 10 16:14:03 2016	(r425847)
@@ -104,7 +104,7 @@ nocat:*:159:
 _ypldap:*:160:
 solr:*:161:
 octoprint:*:162:
-# free: 163
+_iked:*:163:
 # free: 164
 # free: 165
 # free: 166

Modified: head/UIDs
==============================================================================
--- head/UIDs	Thu Nov 10 14:22:57 2016	(r425846)
+++ head/UIDs	Thu Nov 10 16:14:03 2016	(r425847)
@@ -109,7 +109,7 @@ nocat:*:159:159::0:0:NoCat Daemon:/libex
 _ypldap:*:160:160::0:0:YP Ldap unprivileged user:/var/empty:/usr/sbin/nologin
 solr:*:161:161::0:0:Apache Solr System:/var/db/solr:/usr/sbin/nologin
 octoprint:*:162:162::0:0:OctoPrint Daemon:/usr/local/octoprint:/usr/sbin/nologin
-# free: 163
+_iked:*:163:163::0:0:IKEv2 Daemon:/var/empty:/usr/sbin/nologin
 # free: 164
 # free: 165
 # free: 166

Modified: head/security/Makefile
==============================================================================
--- head/security/Makefile	Thu Nov 10 14:22:57 2016	(r425846)
+++ head/security/Makefile	Thu Nov 10 16:14:03 2016	(r425847)
@@ -417,6 +417,7 @@
     SUBDIR += openconnect
     SUBDIR += opencryptoki
     SUBDIR += openct
+    SUBDIR += openiked
     SUBDIR += opensaml2
     SUBDIR += opensc
     SUBDIR += openscep

Added: head/security/openiked/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openiked/Makefile	Thu Nov 10 16:14:03 2016	(r425847)
@@ -0,0 +1,32 @@
+# $FreeBSD$
+
+PORTNAME=	openiked
+PORTVERSION=	1.0
+CATEGORIES=	security net ipv6
+
+MAINTAINER=	marcel at FreeBSD.org
+COMMENT=	IKEv2 daemon
+
+LICENSE=	ISCL
+
+LIB_DEPENDS=	libevent.so:devel/libevent2
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	xcllnt
+
+USE_RC_SUBR=	iked
+USERS=		_iked
+GROUPS=		_iked
+
+USES=           autoreconf libtool ssl
+GNU_CONFIGURE=	yes
+INSTALL_TARGET=	install-strip
+CONFIGURE_ARGS=	--with-libevent-dir=${PREFIX}
+
+post-install:
+	${MV} ${STAGEDIR}/etc/ssl/ikeca.cnf \
+	    ${STAGEDIR}${PREFIX}/etc/ikeca.cnf.sample
+	${MV} ${STAGEDIR}${PREFIX}/etc/iked.conf \
+	    ${STAGEDIR}${PREFIX}/etc/iked.conf.sample
+
+.include <bsd.port.mk>
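Review bot: The `USES=           autoreconf libtool ssl` line aligns its value with spaces while every other assignment in this Makefile aligns with a tab; it should read `USES=		autoreconf libtool ssl` so the file stays consistent with `GNU_CONFIGURE=` and its neighbours. The first `${MV}` in `post-install` reads the CA template from `${STAGEDIR}/etc/ssl/ikeca.cnf`, a path outside `${PREFIX}`, which presumably mirrors where the upstream install rule puts it; a one-line comment such as `# upstream installs ikeca.cnf under /etc/ssl; relocate it under PREFIX` would keep the next maintainer from reading it as a typo. If that move leaves an empty `${STAGEDIR}/etc/ssl` directory behind, stage QA may report it as an orphan, which is worth confirming on a test build.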

Added: head/security/openiked/distinfo
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openiked/distinfo	Thu Nov 10 16:14:03 2016	(r425847)
@@ -0,0 +1,3 @@
+TIMESTAMP = 1477960722
+SHA256 (xcllnt-openiked-1.0_GH0.tar.gz) = 675835edb34ebbfa096eb5e16014ec3a3ba25a3b9468ca7fa063ebaf81e3cb02
+SIZE (xcllnt-openiked-1.0_GH0.tar.gz) = 224063

Added: head/security/openiked/files/iked.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openiked/files/iked.in	Thu Nov 10 16:14:03 2016	(r425847)
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# $FreeBSD$
+#
+# PROVIDE: iked
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add these lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# iked_enable (bool):	Set to NO by default.
+#			Set it to YES to enable iked.
+# iked_ramdisk (bool):	Set to NO by default. See below.
+#
+# When iked_ramdisk is set to YES, the rc.d script will make sure
+# all directories exist, but will not generate a key pair if none
+# exists.  The daemon is not started when the key pair no config
+# files are missing.  It is assumed the ramdisk is not populated
+# completely.  When iked_ramdisk is NO, key pairs are created as
+# needed and thr daemon is started unconditionally.
+
+. /etc/rc.subr
+
+name=iked
+desc="IKEv2 daemon"
+rcvar=iked_enable
+
+load_rc_config $name
+
+: ${iked_enable:=NO}
+: ${iked_ramdisk=NO}
+
+command=%%PREFIX%%/sbin/iked
+start_precmd=iked_precmd
+
+iked_config=%%PREFIX%%/etc/iked.conf
+iked_rootdir=%%PREFIX%%/etc/iked
+iked_privkey=${iked_rootdir}/private/local.key
+iked_pubkey=${iked_rootdir}/local.pub
+
+iked_precmd()
+{
+
+	if checkyesno iked_ramdisk; then
+		# Make sure we have our directory hierarchy.
+		for D in ca certs crls export private pubkeys \
+		    pubkeys/fqdn pubkeys/ipv4 pubkeys/ipv6 pubkeys/ufqdn; do
+			mkdir -p %%PREFIX%%/etc/iked/$D
+		done
+		chmod 700 %%PREFIX%%/etc/iked/private
+	else
+		# Create a key pair if not already present.
+		if test ! -f $iked_privkey; then
+			/usr/bin/openssl genrsa -out $iked_privkey 2048
+			/bin/chmod 600 $iked_privkey
+			/usr/bin/openssl rsa -out $iked_pubkey \
+			    -in $iked_privkey -pubout
+		fi
+	fi
+
+	# We must have a private key and a configuration file.
+	# Don't start iked when those are missing.
+	if test ! \( -f $iked_privkey -a -f $iked_config \); then
+		# Be quiet about it; it must be intentional.
+		exit 1
+	fi
+}
+
+run_rc_command "$1"
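Review bot: The key generation in `iked_precmd` writes `$iked_privkey` with the caller's default umask and only afterwards runs `/bin/chmod 600`, so the file briefly exists with broader permissions; generating it under a restrictive umask closes that window, e.g. `( umask 077; /usr/bin/openssl genrsa -out "$iked_privkey" 2048 )` in place of the genrsa line, keeping the chmod as a second line of defence. The exposure is limited only when `${iked_rootdir}/private` already exists with mode 700, which the ramdisk branch ensures but the else branch assumes (presumably from the package's `@dir(,,700)` entry), so a `mkdir -p` with `chmod 700` before the key is generated would make that branch self-sufficient. The default `: ${iked_ramdisk=NO}` uses `=` where `: ${iked_enable:=NO}` directly above uses `:=`, so an empty-but-set `iked_ramdisk` is passed to `checkyesno` unchanged. The header comment also carries two typos: `when the key pair no config files are missing` should read `when the key pair or config files are missing`, and `thr daemon` should be `the daemon`.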

Added: head/security/openiked/pkg-descr
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openiked/pkg-descr	Thu Nov 10 16:14:03 2016	(r425847)
@@ -0,0 +1,9 @@
+OpenIKED is a lean Internet Key Exchange (IKEv2) daemon which performs
+mutual authentication and which establishes and maintains IPsec VPN
+flows and security associations (SAs) between the two peers.
+
+This version of OpenIKED is derived from OpenIKED's iked, but changed
+to support transport mode IPSec and lazy creation of associations,
+among many other improvements.
+
+WWW: https://github.com/xcllnt/openiked

Added: head/security/openiked/pkg-plist
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openiked/pkg-plist	Thu Nov 10 16:14:03 2016	(r425847)
@@ -0,0 +1,15 @@
+ at sample etc/ikeca.cnf.sample
+ at sample etc/iked.conf.sample
+man/man5/iked.conf.5.gz
+man/man8/ikectl.8.gz
+man/man8/iked.8.gz
+sbin/ikectl
+sbin/iked
+ at dir etc/iked/ca
+ at dir etc/iked/certs
+ at dir etc/iked/crls
+ at dir(,,700) etc/iked/private
+ at dir etc/iked/pubkeys/fqdn
+ at dir etc/iked/pubkeys/ipv4
+ at dir etc/iked/pubkeys/ipv6
+ at dir etc/iked/pubkeys/ufqdn

