diff --git a/pkgs/by-name/st/strongswan_6/ext_auth-path.patch b/pkgs/by-name/st/strongswan_6/ext_auth-path.patch
new file mode 100644
index 00000000000000..397537ad8d84aa
--- /dev/null
+++ b/pkgs/by-name/st/strongswan_6/ext_auth-path.patch
@@ -0,0 +1,13 @@
+Index: strongswan-5.2.1/src/libcharon/plugins/ext_auth/ext_auth_listener.c
+===================================================================
+--- strongswan-5.2.1.orig/src/libcharon/plugins/ext_auth/ext_auth_listener.c
++++ strongswan-5.2.1/src/libcharon/plugins/ext_auth/ext_auth_listener.c
+@@ -101,6 +101,8 @@ METHOD(listener_t, authorize, bool,
+
+ *success = FALSE;
+
++ push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
++
+ push_env(envp, countof(envp), "IKE_UNIQUE_ID=%u",
+ ike_sa->get_unique_id(ike_sa));
+ push_env(envp, countof(envp), "IKE_NAME=%s",
diff --git a/pkgs/by-name/st/strongswan_6/firewall_defaults.patch b/pkgs/by-name/st/strongswan_6/firewall_defaults.patch
new file mode 100644
index 00000000000000..12c446c8c9aace
--- /dev/null
+++ b/pkgs/by-name/st/strongswan_6/firewall_defaults.patch
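Review bot: `getenv("PATH")` on the added `push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));` line is handed straight to a `%s` conversion, and it returns NULL whenever charon is started with PATH unset (an empty service environment, for example); that is undefined behaviour for the formatter, and on glibc it yields a literal `PATH=(null)` in the script's environment, so the ext-auth script then runs with a bogus search path. Guard it: `char *path = getenv("PATH"); if (path) { push_env(envp, countof(envp), "PATH=%s", path); }`. The same unguarded call is added to updown_listener.c in updown-path.patch and needs the same treatment. The enclosing `authorize` method starts before and continues after the hunk.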
@@ -0,0 +1,32 @@
+Index: strongswan-5.2.1/src/starter/confread.c
+===================================================================
+--- strongswan-5.2.1.orig/src/starter/confread.c
++++ strongswan-5.2.1/src/starter/confread.c
+@@ -43,7 +43,7 @@
+ static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
+ static const char esp_defaults[] = "aes128-sha1,3des-sha1";
+
+-static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
++static const char firewall_defaults[] = IPSEC_SBINDIR "/" IPSEC_SCRIPT " _updown iptables";
+
+ /**
+ * Provided by GPERF
+Index: strongswan-5.2.1/src/starter/Makefile.am
+===================================================================
+--- strongswan-5.2.1.orig/src/starter/Makefile.am
++++ strongswan-5.2.1/src/starter/Makefile.am
+@@ -18,10 +18,12 @@ AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/starter \
+ -I$(top_srcdir)/src/stroke \
+- -DIPSEC_DIR=\"${ipsecdir}\" \
++ -DIPSEC_BINDIR=\"${bindir}\" \
+ -DIPSEC_CONFDIR=\"${sysconfdir}\" \
+- -DIPSEC_PIDDIR=\"${piddir}\" \
++ -DIPSEC_DIR=\"${ipsecdir}\" \
+ -DIPSEC_EAPDIR=\"${eapdir}\" \
++ -DIPSEC_PIDDIR=\"${piddir}\" \
++ -DIPSEC_SBINDIR=\"${sbindir}\" \
+ -DIPSEC_SCRIPT=\"${ipsec_script}\" \
+ -DDEV_RANDOM=\"${random_device}\" \
+ -DDEV_URANDOM=\"${urandom_device}\" \
diff --git a/pkgs/by-name/st/strongswan_6/package.nix b/pkgs/by-name/st/strongswan_6/package.nix
new file mode 100644
index 00000000000000..53775ab725f8bb
--- /dev/null
+++ b/pkgs/by-name/st/strongswan_6/package.nix
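Review bot: The Makefile.am hunk adds `-DIPSEC_BINDIR=\"${bindir}\"` but the confread.c hunk only consumes `IPSEC_SBINDIR`; if nothing else in the tree reads `IPSEC_BINDIR`, drop that line so the patch stays minimal. The patch file also carries no description, and its `Index:`/`---`/`+++` paths still name strongswan-5.2.1 while package.nix builds 6.0.0, so a reader cannot tell its purpose or whether it was re-verified against the new release without applying it. Add a short paragraph above the first `Index:` line stating that the default `firewall_defaults` command is made an absolute `IPSEC_SBINDIR` path instead of a bare `IPSEC_SCRIPT` name (presumably resolved via PATH otherwise), and refresh the paths; `patch` and `git apply` ignore leading prose. The same stale 5.2.1 paths appear in ext_auth-path.patch and updown-path.patch.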
@@ -0,0 +1,189 @@
+{
+ lib,
+ stdenv,
+ fetchFromGitHub,
+ autoreconfHook,
+ pkg-config,
+ bison,
+ flex,
+ curl,
+ perl,
+ gperf,
+ openssl,
+ pcsclite,
+ networkmanager,
+ openresolv,
+ glib,
+ systemd,
+ libxml2,
+ pam,
+ iptables,
+ trousers,
+ sqlite,
+ unbound,
+ ldns,
+ gmp,
+ enableNetworkManager ? true,
+ enableTNC ? true,
+}:
+let
+ features =
+ rec {
+ nm = enableNetworkManager;
+ cmd = true;
+ stroke = true;
+ swanctl = true;
+ systemd = stdenv.hostPlatform.isLinux;
+
+ openssl = true;
+
+ farp = stdenv.hostPlatform.isLinux;
+ dhcp = stdenv.hostPlatform.isLinux;
+ af-alg = stdenv.hostPlatform.isLinux;
+ resolve = stdenv.hostPlatform.isLinux;
+ scripts = stdenv.hostPlatform.isLinux;
+ connmark = stdenv.hostPlatform.isLinux;
+ forecast = stdenv.hostPlatform.isLinux;
+ kernel-netlink = stdenv.hostPlatform.isLinux;
+
+ aesni = stdenv.hostPlatform.isx86_64;
+ rdrand = stdenv.hostPlatform.isx86_64;
+ padlock = stdenv.hostPlatform.system == "i686-linux";
+
+ kernel-pfkey = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD;
+ kernel-pfroute = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD;
+ kernel-libipsec = stdenv.hostPlatform.isUnix;
+
+ keychain = stdenv.hostPlatform.isDarwin;
+ osx-attr = stdenv.hostPlatform.isDarwin;
+
+ ml = true;
+ curl = true;
+ acert = true;
+ pkcs11 = true;
+ dnscert = true;
+ unbound = true;
+ chapoly = true;
+ ext-auth = true;
+ socket-dynamic = true;
+
+ eap-sim = true;
+ eap-sim-file = true;
+ eap-sim-pcsc = true;
+ eap-simaka-pseudonym = true;
+ eap-simaka-reauth = true;
+ eap-identity = true;
+ eap-md5 = true;
+ eap-gtc = true;
+ eap-aka = true;
+ eap-aka-3gpp = true;
+ eap-aka-3gpp2 = true;
+ eap-mschapv2 = true;
+ eap-tls = true;
+ eap-peap = true;
+ eap-radius = true;
+
+ xauth-eap = true;
+ xauth-pam = stdenv.hostPlatform.isLinux;
+ xauth-noauth = true;
+
+ gmp = eap-aka-3gpp2;
+ }
+ // lib.optionalAttrs enableTNC {
+ eap-tnc = true;
+ eap-ttls = true;
+ eap-dynamic = true;
+
+ tnccs-20 = true;
+
+ tnc-imc = true;
+ tnc-imv = true;
+ tnc-ifmap = true;
+
+ imc-os = true;
+ imv-os = true;
+ imc-attestation = true;
+ imv-attestation = true;
+
+ aikgen = true;
+ tss-trousers = true;
+
+ sqlite = true;
+ };
+in
+stdenv.mkDerivation rec {
+ pname = "strongswan";
+ version = "6.0.0";
+
+ src = fetchFromGitHub {
+ owner = "strongswan";
+ repo = "strongswan";
+ rev = "refs/tags/${version}";
+ hash = "sha256-SOl5MXSnmfMo1/LTFuT1P+rQf3Wn9kdxUtUgRxrN9VM=";
+ };
+
+ patches = [
+ ./ext_auth-path.patch
+ ./firewall_defaults.patch
+ ./updown-path.patch
+ ];
+
+ nativeBuildInputs = [
+ autoreconfHook
+ pkg-config
+ bison
+ flex
+ perl
+ gperf
+ ];
+
+ buildInputs =
+ lib.optional (features.gmp or false) gmp
+ ++ lib.optional (features.eap-sim-pcsc or false) pcsclite
+ ++ lib.optional (features.openssl or false) openssl
+ ++ lib.optional (features.curl or false) curl
+ ++ lib.optional (features.systemd or false) systemd
+ ++ lib.optional (features.tnc-ifmap or false) libxml2
+ ++ lib.optional (features.xauth-pam or false) pam
+ ++ lib.optional (features.forecast or false || features.connmark or false) iptables
+ ++ lib.optional (features.tss-trousers or false) trousers
+ ++ lib.optional (features.sqlite or false) sqlite
+ ++ lib.optionals (features.unbound or false) [
+ unbound
+ ldns
+ ]
+ ++ lib.optionals (features.nm or false) [
+ networkmanager
+ glib
+ ];
+
+ configureFlags = (lib.mapAttrsToList (lib.flip lib.enableFeature)) features ++ [
+ "--sysconfdir=/etc"
+ (lib.withFeatureAs (features.nm or false) "nm-ca-dir" "/etc/ssl/certs")
+ (lib.withFeatureAs (features.systemd or false
+ ) "systemdsystemunitdir" "${placeholder "out"}/etc/systemd/system")
+ ];
+
+ installFlags = [
+ "sysconfdir=${placeholder "out"}/etc"
+ ];
+
+ enableParallelBuilding = true;
+
+ dontPatchELF = true;
+
+ postPatch = lib.optionalString features.resolve ''
+ substituteInPlace src/libcharon/plugins/resolve/resolve_handler.c \
+ --replace-fail "/sbin/resolvconf" "${openresolv}/sbin/resolvconf"
+'';
+
+ meta = {
+ description = "OpenSource IPsec-based VPN solution";
+ homepage = "https://www.strongswan.org/";
+ changelog = "https://github.com/strongswan/strongswan/blob/${src.rev}/ChangeLog";
+ license = lib.licenses.gpl2Plus;
+ maintainers = with lib.maintainers; [ nickcao ];
+ mainProgram = "swanctl";
+ platforms = lib.platforms.unix;
+ };
+}
diff --git a/pkgs/by-name/st/strongswan_6/updown-path.patch b/pkgs/by-name/st/strongswan_6/updown-path.patch
new file mode 100644
index 00000000000000..f01da7d7bce644
--- /dev/null
+++ b/pkgs/by-name/st/strongswan_6/updown-path.patch
@@ -0,0 +1,26 @@
+Index: strongswan-5.2.1/src/_updown/_updown.in
+===================================================================
+--- strongswan-5.2.1.orig/src/_updown/_updown.in
++++ strongswan-5.2.1/src/_updown/_updown.in
+@@ -125,7 +125,7 @@
+ #
+
+ # define a minimum PATH environment in case it is not set
+-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
++PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin}"
+ export PATH
+
+ # uncomment to log VPN connections
+Index: strongswan-5.2.1/src/libcharon/plugins/updown/updown_listener.c
+===================================================================
+--- strongswan-5.2.1.orig/src/libcharon/plugins/updown/updown_listener.c
++++ strongswan-5.2.1/src/libcharon/plugins/updown/updown_listener.c
+@@ -240,6 +240,8 @@ static void invoke_once(private_updown_l
+ process_t *process;
+ char *envp[128] = {};
+
++ push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
++
+ me = ike_sa->get_my_host(ike_sa);
+ other = ike_sa->get_other_host(ike_sa);
+
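Review bot: `dontPatchELF = true;` in package.nix is set with no explanation, so a maintainer cannot tell which fixup problem it avoids or whether it still applies to 6.0.0; add a comment above it, `# TODO(review): state why the patchelf fixup is skipped for this build`, with the real reason filled in. `postPatch` reads `features.resolve` directly while every other lookup in the file uses `features.<name> or false`; `resolve` is always defined in the `rec` set so this works, but one consistent form keeps the intent clear. `gmp = eap-aka-3gpp2;` ties the gmp plugin to that single EAP method, which is not obvious from the name and deserves a one-line comment such as `# gmp is only needed as the eap-aka-3gpp2 backend`.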
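Review bot: The replacement `PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin}"` in `_updown.in` drops `@sbindir@` from the fallback, so when the daemon exports no PATH the script can no longer find binaries installed to sbindir, which the old line guaranteed; if leaving the store path out of the script is the intent (likely, but not stated), say so in a header paragraph at the top of the patch file, otherwise append `:@sbindir@` to the fallback. With PATH set, the script now inherits it unchanged instead of a fixed minimum, so which `iptables` and `ip` binaries get executed is decided entirely by the environment of the service that starts charon; that is worth a sentence in the same header so operators know the unit's PATH is security-relevant. `invoke_once` in the second hunk starts before and continues after the hunk.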