Add buildroot 2018-02

buildroot/package/ipsec-tools/0001-susv3-legacy.patch

@@ -0,0 +1,35 @@
+Replaces sysv3 legacy functions with modern equivalents.
+
+Signed-off-by: Julien Boibessot <julien.boibessot@armadeus.com>
+Index: ipsec-tools-0.7.3/src/racoon/pfkey.c
+===================================================================
+--- ipsec-tools-0.7.3.orig/src/racoon/pfkey.c	2010-07-12 14:46:52.000000000 +0200
++++ ipsec-tools-0.7.3/src/racoon/pfkey.c	2010-07-12 15:01:39.000000000 +0200
+@@ -3008,12 +3008,12 @@
+ 				struct sockaddr *paddr;
+ 
+ 				paddr = (struct sockaddr *)(xisr + 1);
+-				bcopy(paddr, &(*p_isr)->saidx.src,
++				memmove(&(*p_isr)->saidx.src, paddr,
+ 					sysdep_sa_len(paddr));
+ 
+ 				paddr = (struct sockaddr *)((caddr_t)paddr
+ 							+ sysdep_sa_len(paddr));
+-				bcopy(paddr, &(*p_isr)->saidx.dst,
++				memmove(&(*p_isr)->saidx.dst, paddr,
+ 					sysdep_sa_len(paddr));
+ 			}
+ 
+Index: ipsec-tools-0.7.3/src/racoon/racoonctl.c
+===================================================================
+--- ipsec-tools-0.7.3.orig/src/racoon/racoonctl.c	2010-07-12 14:49:51.000000000 +0200
++++ ipsec-tools-0.7.3/src/racoon/racoonctl.c	2010-07-12 15:00:52.000000000 +0200
+@@ -785,7 +785,7 @@
+ 		errx(1, "cannot read source address");
+ 
+ 	/* We get "ip[port]" strip the port */
+-	if ((idx = index(srcaddr, '[')) == NULL) 
++	if ((idx = strchr(srcaddr, '[')) == NULL)
+ 		errx(1, "unexpected source address format");
+ 	*idx = '\0';
+ 

buildroot/package/ipsec-tools/0002-configure-automake.patch

@@ -0,0 +1,21 @@
+Needed to fix broken autoreconf
+
+Downloaded from
+https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/automake-options/
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+Index: pkg-ipsec-tools/configure.ac
+===================================================================
+--- pkg-ipsec-tools.orig/configure.ac	2014-06-28 17:25:22.000000000 +0200
++++ pkg-ipsec-tools/configure.ac	2014-06-28 17:28:13.818373322 +0200
+@@ -6,7 +6,8 @@ AC_INIT(ipsec-tools, 0.8.2)
+ AC_CONFIG_SRCDIR([configure.ac])
+ AC_CONFIG_HEADERS(config.h)
+ 
+-AM_INIT_AUTOMAKE(dist-bzip2)
++AC_CONFIG_MACRO_DIR([.])
++AM_INIT_AUTOMAKE([dist-bzip2 foreign serial-tests])
+ 
+ AC_ENABLE_SHARED(no)
+ 

buildroot/package/ipsec-tools/0003-Don-t-link-against-libfl.patch

@@ -0,0 +1,92 @@
+From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Wed, 5 Mar 2014 13:39:14 +0000
+Subject: [PATCH] Don't link against libfl
+
+We can remove all references to yywrap by adding "%option noyywrap" statements
+to each flex source file that doesn't override yywrap. After this, we no longer
+need to link against libfl and so no longer get errors about undefined
+references to yylex.
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Upstream-status: Submitted 2014-03-11
+    see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
+
+Downloaded from
+http://cgit.openembedded.org/meta-openembedded/tree/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ src/libipsec/Makefile.am | 1 -
+ src/racoon/Makefile.am   | 2 +-
+ src/racoon/cftoken.l     | 2 ++
+ src/setkey/Makefile.am   | 1 -
+ src/setkey/token.l       | 2 ++
+ 5 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
+index 6a4e3b3..df1e106 100644
+--- a/src/libipsec/Makefile.am
++++ b/src/libipsec/Makefile.am
+@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
+ # version is current:revision:age.
+ # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
+ libipsec_la_LDFLAGS = -version-info 0:1:0
+-libipsec_la_LIBADD = $(LEXLIB)
+ 
+ noinst_HEADERS = ipsec_strerror.h
+ 
+diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
+index dbaded9..0662957 100644
+--- a/src/racoon/Makefile.am
++++ b/src/racoon/Makefile.am
+@@ -38,7 +38,7 @@ racoon_SOURCES = \
+ 	cftoken.l cfparse.y prsa_tok.l prsa_par.y 
+ EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
+ 	isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
+-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
++racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
+ 	 $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
+ racoon_DEPENDENCIES = \
+ 	$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
+diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
+index 490242c..1701922 100644
+--- a/src/racoon/cftoken.l
++++ b/src/racoon/cftoken.l
+@@ -106,6 +106,8 @@ static int incstackp = 0;
+ static int yy_first_time = 1;
+ %}
+ 
++%option noyywrap
++
+ /* common seciton */
+ nl		\n
+ ws		[ \t]+
+diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
+index 746c1f1..389e6cf 100644
+--- a/src/setkey/Makefile.am
++++ b/src/setkey/Makefile.am
+@@ -13,7 +13,6 @@ setkey_SOURCES = \
+ 
+ setkey_LDFLAGS = ../libipsec/libipsec.la
+ setkey_DEPENDENCIES = ../libipsec/libipsec.la
+-setkey_LDADD = $(LEXLIB)
+ 
+ noinst_HEADERS = vchar.h extern.h
+ man8_MANS = setkey.8
+diff --git a/src/setkey/token.l b/src/setkey/token.l
+index ad3d843..eb23b76 100644
+--- a/src/setkey/token.l
++++ b/src/setkey/token.l
+@@ -88,6 +88,8 @@
+ #endif
+ %}
+ 
++%option noyywrap
++
+ /* common section */
+ nl		\n
+ ws		[ \t]+
+-- 
+1.9.0
+

buildroot/package/ipsec-tools/0004-CVE-2015-4047.patch

@@ -0,0 +1,26 @@
+ipsec-tools: CVE-2015-4047: null pointer dereference crash in racoon
+
+See: https://bugs.gentoo.org/show_bug.cgi?id=550118
+
+Downloaded from
+https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch
+
+See also
+https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/bug785778-null-pointer-deref.patch/
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+--- ./src/racoon/gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
++++ ./src/racoon/gssapi.c    19 May 2015 15:16:00 -0000      1.6
+@@ -192,6 +192,11 @@
+	gss_name_t princ, canon_princ;
+	OM_uint32 maj_stat, min_stat;
+ 
++	if (iph1->rmconf == NULL) {
++		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
++		return -1;
++	}
++
+	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
+	if (gps == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");

buildroot/package/ipsec-tools/Config.in

@@ -0,0 +1,75 @@
+config BR2_PACKAGE_IPSEC_TOOLS
+	bool "ipsec-tools"
+	depends on BR2_USE_MMU # fork()
+	depends on !BR2_TOOLCHAIN_USES_MUSL # Use __P() macro all over the tree
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_FLEX
+	help
+	  This package is required to support IPSec for Linux 2.6+
+
+	  http://ipsec-tools.sourceforge.net/
+
+if BR2_PACKAGE_IPSEC_TOOLS
+
+config BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT
+	bool "Enable racoonctl(8)"
+	default y
+	help
+	  Lets racoon to listen to racoon admin port, which is to
+	  be contacted by racoonctl(8).
+
+config BR2_PACKAGE_IPSEC_TOOLS_NATT
+	bool "Enable NAT-Traversal"
+	help
+	  This needs kernel support, which is available on Linux. On
+	  NetBSD, NAT-Traversal kernel support has not been integrated
+	  yet, you can get it from here:
+
+	  http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff If you
+
+	  live in a country where software patents are legal, using
+	  NAT-Traversal might infringe a patent.
+
+config BR2_PACKAGE_IPSEC_TOOLS_FRAG
+	bool "Enable IKE fragmentation"
+	help
+	  Enable IKE fragmentation, which is a workaround for
+	  broken routers that drop fragmented packets
+
+config BR2_PACKAGE_IPSEC_TOOLS_DPD
+	bool "Enable DPD (Dead Peer Detection)"
+	help
+	  Enable dead peer detection support
+
+config BR2_PACKAGE_IPSEC_TOOLS_STATS
+	bool "Enable statistics logging function"
+	default y
+
+config BR2_PACKAGE_IPSEC_TOOLS_READLINE
+	bool "Enable readline input support"
+	select BR2_PACKAGE_READLINE
+
+config BR2_PACKAGE_IPSEC_TOOLS_HYBRID
+	bool "Enable hybrid, both mode-cfg and xauth support"
+	help
+	  Hybrid mode is required for successful interoperability
+	  (e.g. Cisco VPN Client).
+
+choice
+	prompt "Security context"
+	default BR2_PACKAGE_IPSEC_SECCTX_DISABLE
+	help
+	  Selects whether or not to enable security context support.
+
+config BR2_PACKAGE_IPSEC_SECCTX_DISABLE
+	bool "Disable security context support"
+
+config BR2_PACKAGE_IPSEC_SECCTX_ENABLE
+	bool "Enable SELinux security context support"
+
+config BR2_PACKAGE_IPSEC_SECCTX_KERNEL
+	bool "Enable kernel security context"
+
+endchoice
+
+endif

buildroot/package/ipsec-tools/ipsec-tools.hash

@@ -0,0 +1,3 @@
+# From http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.2/
+md5	d53ec14a0a3ece64e09e5e34b3350b41	ipsec-tools-0.8.2.tar.bz2
+sha1	7d92cae9fde59fb4f125636698c43b0a3df3d0f0	ipsec-tools-0.8.2.tar.bz2

buildroot/package/ipsec-tools/ipsec-tools.mk

@@ -0,0 +1,81 @@
+################################################################################
+#
+# ipsec-tools
+#
+################################################################################
+
+IPSEC_TOOLS_VERSION = 0.8.2
+IPSEC_TOOLS_SOURCE = ipsec-tools-$(IPSEC_TOOLS_VERSION).tar.bz2
+IPSEC_TOOLS_SITE = http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/$(IPSEC_TOOLS_VERSION)
+IPSEC_TOOLS_INSTALL_STAGING = YES
+IPSEC_TOOLS_MAKE = $(MAKE1)
+IPSEC_TOOLS_DEPENDENCIES = openssl flex host-flex
+# we patch configure.ac
+IPSEC_TOOLS_AUTORECONF = YES
+
+# configure hardcodes -Werror, so override CFLAGS on make invocation
+IPSEC_TOOLS_MAKE_OPTS = CFLAGS='$(TARGET_CFLAGS)'
+
+# openssl uses zlib, so we need to explicitly link with it when static
+ifeq ($(BR2_STATIC_LIBS),y)
+IPSEC_TOOLS_CONF_ENV += LIBS=-lz
+endif
+
+IPSEC_TOOLS_CONF_OPTS = \
+	  --without-libpam \
+	  --disable-gssapi \
+	  --with-kernel-headers=$(STAGING_DIR)/usr/include
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-adminport
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-adminport
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_NATT),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-natt
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-natt
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_FRAG),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-frag
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-frag
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_DPD),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-dpd
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-dpd
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_STATS),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-stats
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-stats
+endif
+
+ifneq ($(BR2_PACKAGE_IPSEC_TOOLS_READLINE),y)
+IPSEC_TOOLS_CONF_OPTS += --without-readline
+else
+IPSEC_TOOLS_DEPENDENCIES += readline
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_HYBRID),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-hybrid
+else
+IPSEC_TOOLS_CONF_OPTS += --disable-hybrid
+endif
+
+ifeq ($(BR2_PACKAGE_IPSEC_SECCTX_DISABLE),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-security-context=no
+endif
+ifeq ($(BR2_PACKAGE_IPSEC_SECCTX_ENABLE),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-security-context=yes
+endif
+ifeq ($(BR2_PACKAGE_IPSEC_SECCTX_KERNEL),y)
+IPSEC_TOOLS_CONF_OPTS += --enable-security-context=kernel
+endif
+
+$(eval $(autotools-package))