strongswan_6: init at 6.0.0

pkgs/by-name/st/strongswan_6/ext_auth-path.patch

@@ -0,0 +1,13 @@
+Index: strongswan-5.2.1/src/libcharon/plugins/ext_auth/ext_auth_listener.c
+===================================================================
+--- strongswan-5.2.1.orig/src/libcharon/plugins/ext_auth/ext_auth_listener.c
++++ strongswan-5.2.1/src/libcharon/plugins/ext_auth/ext_auth_listener.c
+@@ -101,6 +101,8 @@ METHOD(listener_t, authorize, bool,
+
+ 		*success = FALSE;
+
++		push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
++
+ 		push_env(envp, countof(envp), "IKE_UNIQUE_ID=%u",
+ 				 ike_sa->get_unique_id(ike_sa));
+ 		push_env(envp, countof(envp), "IKE_NAME=%s",

pkgs/by-name/st/strongswan_6/firewall_defaults.patch

@@ -0,0 +1,32 @@
+Index: strongswan-5.2.1/src/starter/confread.c
+===================================================================
+--- strongswan-5.2.1.orig/src/starter/confread.c
++++ strongswan-5.2.1/src/starter/confread.c
+@@ -43,7 +43,7 @@
+ static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
+ static const char esp_defaults[] = "aes128-sha1,3des-sha1";
+
+-static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
++static const char firewall_defaults[] = IPSEC_SBINDIR "/" IPSEC_SCRIPT " _updown iptables";
+
+ /**
+  * Provided by GPERF
+Index: strongswan-5.2.1/src/starter/Makefile.am
+===================================================================
+--- strongswan-5.2.1.orig/src/starter/Makefile.am
++++ strongswan-5.2.1/src/starter/Makefile.am
+@@ -18,10 +18,12 @@ AM_CPPFLAGS = \
+ 	-I$(top_srcdir)/src/libhydra \
+ 	-I$(top_srcdir)/src/starter \
+ 	-I$(top_srcdir)/src/stroke \
+-	-DIPSEC_DIR=\"${ipsecdir}\" \
++	-DIPSEC_BINDIR=\"${bindir}\" \
+ 	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
+-	-DIPSEC_PIDDIR=\"${piddir}\" \
++	-DIPSEC_DIR=\"${ipsecdir}\" \
+ 	-DIPSEC_EAPDIR=\"${eapdir}\" \
++	-DIPSEC_PIDDIR=\"${piddir}\" \
++	-DIPSEC_SBINDIR=\"${sbindir}\" \
+ 	-DIPSEC_SCRIPT=\"${ipsec_script}\" \
+ 	-DDEV_RANDOM=\"${random_device}\" \
+ 	-DDEV_URANDOM=\"${urandom_device}\" \

pkgs/by-name/st/strongswan_6/package.nix

@@ -0,0 +1,189 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  autoreconfHook,
+  pkg-config,
+  bison,
+  flex,
+  curl,
+  perl,
+  gperf,
+  openssl,
+  pcsclite,
+  networkmanager,
+  openresolv,
+  glib,
+  systemd,
+  libxml2,
+  pam,
+  iptables,
+  trousers,
+  sqlite,
+  unbound,
+  ldns,
+  gmp,
+  enableNetworkManager ? false,
+  enableTNC ? false,
+}:
+let
+  features =
+    rec {
+      nm = enableNetworkManager;
+      cmd = true;
+      stroke = true;
+      swanctl = true;
+      systemd = stdenv.hostPlatform.isLinux;
+
+      openssl = true;
+
+      farp = stdenv.hostPlatform.isLinux;
+      dhcp = stdenv.hostPlatform.isLinux;
+      af-alg = stdenv.hostPlatform.isLinux;
+      resolve = stdenv.hostPlatform.isLinux;
+      scripts = stdenv.hostPlatform.isLinux;
+      connmark = stdenv.hostPlatform.isLinux;
+      forecast = stdenv.hostPlatform.isLinux;
+      kernel-netlink = stdenv.hostPlatform.isLinux;
+
+      aesni = stdenv.hostPlatform.isx86_64;
+      rdrand = stdenv.hostPlatform.isx86_64;
+      padlock = stdenv.hostPlatform.system == "i686-linux";
+
+      kernel-pfkey = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD;
+      kernel-pfroute = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD;
+      kernel-libipsec = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD;
+
+      keychain = stdenv.hostPlatform.isDarwin;
+      osx-attr = stdenv.hostPlatform.isDarwin;
+
+      ml = true;
+      curl = true;
+      acert = true;
+      pkcs11 = true;
+      dnscert = true;
+      unbound = true;
+      chapoly = true;
+      ext-auth = true;
+      socket-dynamic = true;
+
+      eap-sim = true;
+      eap-sim-file = true;
+      eap-sim-pcsc = true;
+      eap-simaka-pseudonym = true;
+      eap-simaka-reauth = true;
+      eap-identity = true;
+      eap-md5 = true;
+      eap-gtc = true;
+      eap-aka = true;
+      eap-aka-3gpp = true;
+      eap-aka-3gpp2 = true;
+      eap-mschapv2 = true;
+      eap-tls = true;
+      eap-peap = true;
+      eap-radius = true;
+
+      xauth-eap = true;
+      xauth-pam = stdenv.hostPlatform.isLinux;
+      xauth-noauth = true;
+
+      gmp = eap-aka-3gpp2;
+    }
+    // lib.optionalAttrs enableTNC {
+      eap-tnc = true;
+      eap-ttls = true;
+      eap-dynamic = true;
+
+      tnccs-20 = true;
+
+      tnc-imc = true;
+      tnc-imv = true;
+      tnc-ifmap = true;
+
+      imc-os = true;
+      imv-os = true;
+      imc-attestation = true;
+      imv-attestation = true;
+
+      aikgen = true;
+      tss-trousers = true;
+
+      sqlite = true;
+    };
+in
+stdenv.mkDerivation rec {
+  pname = "strongswan";
+  version = "6.0.0";
+
+  src = fetchFromGitHub {
+    owner = "strongswan";
+    repo = "strongswan";
+    rev = "refs/tags/${version}";
+    hash = "sha256-SOl5MXSnmfMo1/LTFuT1P+rQf3Wn9kdxUtUgRxrN9VM=";
+  };
+
+  patches = [
+    ./ext_auth-path.patch
+    ./firewall_defaults.patch
+    ./updown-path.patch
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    bison
+    flex
+    perl
+    gperf
+  ];
+
+  buildInputs =
+    lib.optional (features.gmp or false) gmp
+    ++ lib.optional (features.eap-sim-pcsc or false) pcsclite
+    ++ lib.optional (features.openssl or false) openssl
+    ++ lib.optional (features.curl or false) curl
+    ++ lib.optional (features.systemd or false) systemd
+    ++ lib.optional (features.tnc-ifmap or false) libxml2
+    ++ lib.optional (features.xauth-pam or false) pam
+    ++ lib.optional (features.forecast or false || features.connmark or false) iptables
+    ++ lib.optional (features.tss-trousers or false) trousers
+    ++ lib.optional (features.sqlite or false) sqlite
+    ++ lib.optionals (features.unbound or false) [
+      unbound
+      ldns
+    ]
+    ++ lib.optionals (features.nm or false) [
+      networkmanager
+      glib
+    ];
+
+  configureFlags = (lib.mapAttrsToList (lib.flip lib.enableFeature)) features ++ [
+    "--sysconfdir=/etc"
+    (lib.withFeatureAs (features.nm or false) "nm-ca-dir" "/etc/ssl/certs")
+    (lib.withFeatureAs (features.systemd or false
+    ) "systemdsystemunitdir" "${placeholder "out"}/etc/systemd/system")
+  ];
+
+  installFlags = [
+    "sysconfdir=${placeholder "out"}/etc"
+  ];
+
+  enableParallelBuilding = true;
+
+  dontPatchELF = true;
+
+  postPatch = lib.optionalString features.resolve ''
+    substituteInPlace src/libcharon/plugins/resolve/resolve_handler.c \
+      --replace-fail "/sbin/resolvconf" "${openresolv}/sbin/resolvconf"
+  '';
+
+  meta = {
+    description = "OpenSource IPsec-based VPN solution";
+    homepage = "https://www.strongswan.org/";
+    changelog = "https://github.com/strongswan/strongswan/blob/${src.rev}/ChangeLog";
+    license = lib.licenses.gpl2Plus;
+    maintainers = with lib.maintainers; [ nickcao ];
+    mainProgram = "swanctl";
+    platforms = lib.platforms.unix;
+  };
+}

pkgs/by-name/st/strongswan_6/updown-path.patch

@@ -0,0 +1,26 @@
+Index: strongswan-5.2.1/src/_updown/_updown.in
+===================================================================
+--- strongswan-5.2.1.orig/src/_updown/_updown.in
++++ strongswan-5.2.1/src/_updown/_updown.in
+@@ -125,7 +125,7 @@
+ #
+
+ # define a minimum PATH environment in case it is not set
+-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
++PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin}"
+ export PATH
+
+ # uncomment to log VPN connections
+Index: strongswan-5.2.1/src/libcharon/plugins/updown/updown_listener.c
+===================================================================
+--- strongswan-5.2.1.orig/src/libcharon/plugins/updown/updown_listener.c
++++ strongswan-5.2.1/src/libcharon/plugins/updown/updown_listener.c
+@@ -240,6 +240,8 @@ static void invoke_once(private_updown_l
+ 	process_t *process;
+ 	char *envp[128] = {};
+
++	push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
++
+ 	me = ike_sa->get_my_host(ike_sa);
+ 	other = ike_sa->get_other_host(ike_sa);
+