author | marcel <marcel@FreeBSD.org> | 2016-11-11 00:14:03 +0800 |
---|---|---|
committer | marcel <marcel@FreeBSD.org> | 2016-11-11 00:14:03 +0800 |
commit | 6b99b0fbe1759a16bae4f1af8e65d6d000d31925 (patch) | |
tree | e5a0bbf955550578ed7625736171367ba1b156f5 /security | |
parent | ebecb69fb7e1546c70ca82eb379c22fb1d9bad3c (diff) | |
Add OpenIKED, version 1.0
This is OpenBSD's OpenIKED with fixes and improvements and additional
features.
Original author: Reyk Floeter <reyk@openbsd.org>
Author: Marcel Moolenaar <marcel@brkt.com>
Reviewed by: mat@
Approved by: mat@
Obtained from: https://github.com/xcllnt/openiked
Sponsored by: Bracket Computing, Inc.
Differential Revision: https://reviews.freebsd.org/D8417
Diffstat (limited to 'security')
-rw-r--r-- | security/Makefile | 1 | ||||
-rw-r--r-- | security/openiked/Makefile | 32 | ||||
-rw-r--r-- | security/openiked/distinfo | 3 | ||||
-rw-r--r-- | security/openiked/files/iked.in | 70 | ||||
-rw-r--r-- | security/openiked/pkg-descr | 9 | ||||
-rw-r--r-- | security/openiked/pkg-plist | 15 |
6 files changed, 130 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index 07e62cd2ff6..fcec5417fc8 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -417,6 +417,7 @@
 SUBDIR += openconnect
 SUBDIR += opencryptoki
 SUBDIR += openct
+ SUBDIR += openiked
 SUBDIR += opensaml2
 SUBDIR += opensc
 SUBDIR += openscep
diff --git a/security/openiked/Makefile b/security/openiked/Makefile
new file mode 100644
index 00000000000..3bfdb5e864f
--- /dev/null
+++ b/security/openiked/Makefile
@@ -0,0 +1,32 @@
+# $FreeBSD$
+
+PORTNAME= openiked
+PORTVERSION= 1.0
+CATEGORIES= security net ipv6
+
+MAINTAINER= marcel@FreeBSD.org
+COMMENT= IKEv2 daemon
+
+LICENSE= ISCL
+
+LIB_DEPENDS= libevent.so:devel/libevent2
+
+USE_GITHUB= yes
+GH_ACCOUNT= xcllnt
+
+USE_RC_SUBR= iked
+USERS= _iked
+GROUPS= _iked
+
+USES= autoreconf libtool ssl
+GNU_CONFIGURE= yes
+INSTALL_TARGET= install-strip
+CONFIGURE_ARGS= --with-libevent-dir=${PREFIX}
+
+post-install:
+ ${MV} ${STAGEDIR}/etc/ssl/ikeca.cnf \
+ ${STAGEDIR}${PREFIX}/etc/ikeca.cnf.sample
+ ${MV} ${STAGEDIR}${PREFIX}/etc/iked.conf \
+ ${STAGEDIR}${PREFIX}/etc/iked.conf.sample
+
+.include <bsd.port.mk>
diff --git a/security/openiked/distinfo b/security/openiked/distinfo
new file mode 100644
index 00000000000..6b902454ca5
--- /dev/null
+++ b/security/openiked/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1477960722
+SHA256 (xcllnt-openiked-1.0_GH0.tar.gz) = 675835edb34ebbfa096eb5e16014ec3a3ba25a3b9468ca7fa063ebaf81e3cb02
+SIZE (xcllnt-openiked-1.0_GH0.tar.gz) = 224063
diff --git a/security/openiked/files/iked.in b/security/openiked/files/iked.in
new file mode 100644
index 00000000000..3cf2e5efe1c
--- /dev/null
+++ b/security/openiked/files/iked.in
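Review bot: The post-install target in security/openiked/Makefile moves a file out of `${STAGEDIR}/etc/ssl`, which suggests upstream's install step writes outside `${PREFIX}`, and nothing on the hunk says why; a one-line comment above the target would spare the next maintainer a trip through the upstream build system: `# upstream installs ikeca.cnf under /etc/ssl and iked.conf as a live config; relocate both under ${PREFIX}/etc as @sample files`. The two `${MV}` lines also assume the files exist at exactly those paths, so an upstream change to the install layout surfaces only as a stage-time failure, which is arguably the intended behaviour but worth stating in that comment.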
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# $FreeBSD$
+#
+# PROVIDE: iked
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add these lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# iked_enable (bool): Set to NO by default.
+# Set it to YES to enable iked.
+# iked_ramdisk (bool): Set to NO by default. See below.
+#
+# When iked_ramdisk is set to YES, the rc.d script will make sure
+# all directories exist, but will not generate a key pair if none
+# exists. The daemon is not started when the key pair no config
+# files are missing. It is assumed the ramdisk is not populated
+# completely. When iked_ramdisk is NO, key pairs are created as
+# needed and thr daemon is started unconditionally.
+
+. /etc/rc.subr
+
+name=iked
+desc="IKEv2 daemon"
+rcvar=iked_enable
+
+load_rc_config $name
+
+: ${iked_enable:=NO}
+: ${iked_ramdisk=NO}
+
+command=%%PREFIX%%/sbin/iked
+start_precmd=iked_precmd
+
+iked_config=%%PREFIX%%/etc/iked.conf
+iked_rootdir=%%PREFIX%%/etc/iked
+iked_privkey=${iked_rootdir}/private/local.key
+iked_pubkey=${iked_rootdir}/local.pub
+
+iked_precmd()
+{
+
+ if checkyesno iked_ramdisk; then
+ # Make sure we have our directory hierarchy.
+ for D in ca certs crls export private pubkeys \
+ pubkeys/fqdn pubkeys/ipv4 pubkeys/ipv6 pubkeys/ufqdn; do
+ mkdir -p %%PREFIX%%/etc/iked/$D
+ done
+ chmod 700 %%PREFIX%%/etc/iked/private
+ else
+ # Create a key pair if not already present.
+ if test ! -f $iked_privkey; then
+ /usr/bin/openssl genrsa -out $iked_privkey 2048
+ /bin/chmod 600 $iked_privkey
+ /usr/bin/openssl rsa -out $iked_pubkey \
+ -in $iked_privkey -pubout
+ fi
+ fi
+
+ # We must have a private key and a configuration file.
+ # Don't start iked when those are missing.
+ if test ! \( -f $iked_privkey -a -f $iked_config \); then
+ # Be quiet about it; it must be intentional.
+ exit 1
+ fi
+}
+
+run_rc_command "$1"
diff --git a/security/openiked/pkg-descr b/security/openiked/pkg-descr
new file mode 100644
index 00000000000..f924268459b
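Review bot: In iked_precmd the private key is written by `/usr/bin/openssl genrsa -out $iked_privkey 2048` under whatever umask the caller has and is only tightened afterwards by `/bin/chmod 600`, so with a permissive umask the key is briefly readable by other local users; generating it under a restrictive umask closes that window, e.g. `( umask 077; /usr/bin/openssl genrsa -out $iked_privkey 2048 )`, with the chmod kept as a belt-and-braces step. The two defaults are also spelled differently, `: ${iked_enable:=NO}` versus `: ${iked_ramdisk=NO}`, so an rc.conf that sets `iked_ramdisk=""` leaves it empty and `checkyesno` warns instead of quietly treating it as NO; `: ${iked_ramdisk:=NO}` matches the line above it. The header comment has two slips a reader will trip over, `when the key pair no config files are missing` and `thr daemon`, which should read `when the key pair or the config file is missing` and `the daemon`.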
--- /dev/null
+++ b/security/openiked/pkg-descr
@@ -0,0 +1,9 @@
+OpenIKED is a lean Internet Key Exchange (IKEv2) daemon which performs
+mutual authentication and which establishes and maintains IPsec VPN
+flows and security associations (SAs) between the two peers.
+
+This version of OpenIKED is derived from OpenIKED's iked, but changed
+to support transport mode IPSec and lazy creation of associations,
+among many other improvements.
+
+WWW: https://github.com/xcllnt/openiked
diff --git a/security/openiked/pkg-plist b/security/openiked/pkg-plist
new file mode 100644
index 00000000000..42f2b0a0ba3
--- /dev/null
+++ b/security/openiked/pkg-plist
@@ -0,0 +1,15 @@
+@sample etc/ikeca.cnf.sample
+@sample etc/iked.conf.sample
+man/man5/iked.conf.5.gz
+man/man8/ikectl.8.gz
+man/man8/iked.8.gz
+sbin/ikectl
+sbin/iked
+@dir etc/iked/ca
+@dir etc/iked/certs
+@dir etc/iked/crls
+@dir(,,700) etc/iked/private
+@dir etc/iked/pubkeys/fqdn
+@dir etc/iked/pubkeys/ipv4
+@dir etc/iked/pubkeys/ipv6
+@dir etc/iked/pubkeys/ufqdn
|
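Review bot: `@sample etc/iked.conf.sample` in pkg-plist installs the live `etc/iked.conf` with the default file mode, while an iked.conf can hold pre-shared keys in clear text; if the `@sample` keyword accepts the same owner/group/mode attributes that `@dir(,,700) etc/iked/private` uses a few lines below, `@sample(,,600) etc/iked.conf.sample` would keep the copied config unreadable to other local users. The rc script in files/iked.in only tests for the file's existence and the daemon is started as root, so a tighter mode costs nothing at runtime.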