author | Andrew Savchenko <bircoph@gmail.com> | 2010-11-10 19:08:01 +0300 |
---|---|---|
committer | Andrew Savchenko <bircoph@gmail.com> | 2010-11-10 19:08:01 +0300 |
commit | b61ee9528908ab302bfb17afb3e96cc30889d441 (patch) | |
tree | d7f4923f9a3aa00127ab5ac025ddb441bfa87399 /net-dialup/openl2tp | |
parent | openl2tpd: new config example (diff) | |
download | bircoph-b61ee9528908ab302bfb17afb3e96cc30889d441.tar.gz bircoph-b61ee9528908ab302bfb17afb3e96cc30889d441.tar.bz2 bircoph-b61ee9528908ab302bfb17afb3e96cc30889d441.zip |
openl2tpd: fix pppd auth args
Apply upstream patch to fix ppp auth args passing.
Diffstat (limited to 'net-dialup/openl2tp')
-rw-r--r-- | net-dialup/openl2tp/ChangeLog | 4 | ||||
-rw-r--r-- | net-dialup/openl2tp/Manifest | 4 | ||||
-rw-r--r-- | net-dialup/openl2tp/files/openl2tp-1.7-ppp_auth_args.patch | 108 | ||||
-rw-r--r-- | net-dialup/openl2tp/openl2tp-1.7-r1.ebuild | 150 |
4 files changed, 265 insertions, 1 deletions
diff --git a/net-dialup/openl2tp/ChangeLog b/net-dialup/openl2tp/ChangeLog index 97cdcec..7e10cf4 100644 --- a/net-dialup/openl2tp/ChangeLog +++ b/net-dialup/openl2tp/ChangeLog @@ -3,6 +3,10 @@ # $Header: $ 10 Nov 2010; Andrew Savchenko <bircoph@gmail.com> + +files/openl2tp-1.7-ppp_auth_args.patch: + Apply upstream patch to fix ppp auth args passing. + + 10 Nov 2010; Andrew Savchenko <bircoph@gmail.com> files/openl2tpd.conf.sample: Update sample config file with more reliable and practically verified defaults. diff --git a/net-dialup/openl2tp/Manifest b/net-dialup/openl2tp/Manifest index 3f32bbe..8e45f00 100644 --- a/net-dialup/openl2tp/Manifest +++ b/net-dialup/openl2tp/Manifest 
@@ -1,12 +1,14 @@ AUX openl2tp-1.7-l2tpconfig.patch 621 RMD160 ca821f3336fcc35336e2bd857ac92700d1e37c5e SHA1 e116771492724db3543e5cfb35bd88b4812aeebe SHA256 f7176518baad226d276006fa3d0c877b5ebab982266ffaef954f6d72dcf1bb8a AUX openl2tp-1.7-ldflags.patch 2318 RMD160 32b38b8dbf8b0e29855b6571f261ca6c42c762ce SHA1 33667dc4204ab6047654329118a8fad8e43ae4f4 SHA256 786a1178aaa774e75a9b1a2c76a9a9b18bb62791ba4e66d0edac4442b9f460ab AUX openl2tp-1.7-man.patch 1345 RMD160 4103470fbaaebba1cfa232aaaf2a042b77e61e7f SHA1 4f1a05616a3f4faf4cc75ff5e2a64e4329cf1d15 SHA256 6752ee913ca7fae689408da9bc1148dd302cc5a97a18c7c0b9280d12e9f933c3 +AUX openl2tp-1.7-ppp_auth_args.patch 5002 RMD160 60e6edece7c3a1e9b6d7568b2756f8d5baab720d SHA1 8bc053573075e80dc039dc4fa81b9cfb5db5fd64 SHA256 fc8e52d9bd35c9d4224f7fd46fa19ffe03f27f0f9d5404d1f9d913c1069d5ffd AUX openl2tp-1.7-pppd.patch 847 RMD160 734323993b668fe510ebbde78c1d04f2224be208 SHA1 731aaddf60cfc6cd9162221fb2ade4307e49fe3c SHA256 0a2c32f5f14ed6376557c810010afa2a29f88fc7445afc6fc03b5abea0b25482 AUX openl2tp-1.7-werror.patch 1602 RMD160 77c73e8d5bb89e1d1288e79db80339f0b42eeae8 SHA1 c4915b6f30dc43881a51d4ce5b8d61519429b18f SHA256 259d0291bfa64d4b33c77f2bf534006202259d4ec1105af8a9d1d857eebca1a7 AUX openl2tpd.conf.sample 681 RMD160 c36361ea26c675263d90673933c32e1cd5664f38 SHA1 fe9022987dc009794b92577e58d2cf25b1e23f43 SHA256 333d2f4b4babf2a408d7ea7602871712d8a8337d9cd1bf885bc1b6e49b34528f AUX openl2tpd.confd 627 RMD160 c98ef7bdcca067cab855b43f4c28d7db5651dbee SHA1 ab72ca17e0f3b1d8839bc1a644c11f160529bc9d SHA256 9bea610cf2614bdd6c2f371987f98f8c9b854dd8332d33647505c895ae9a7314 AUX openl2tpd.initd 1408 RMD160 38cbf38472df1a1493bc2be0cf8c55b17c8f1510 SHA1 76891770505f8927b1df0ead0648f3b5861e5da7 SHA256 946a0e8b7341e2d346b9b4814a3b1ed8519ee9b6db9bf0e91f7c7cabbf1f2c48 DIST openl2tp-1.7.tar.gz 501698 RMD160 5a85297060338fc24230582fc3674638d1778634 SHA1 f79e5229b8501664e98bac8229a6d8547b43467b SHA256 
f6ae19e19340144ba28c31c55f4667fb180b61ee76ccef2bf63fa62f297ca9da +EBUILD openl2tp-1.7-r1.ebuild 4199 RMD160 0ded02ee0bacd2cb4066cd2e94098ca9478fcd92 SHA1 72ce525c15515501d1c42713c2d5f7d56e3e9293 SHA256 d5bb3d35647cd46088dc0e38510456bcd5c7d49b901953fbdd870e07a7d40a99 EBUILD openl2tp-1.7.ebuild 4023 RMD160 2cda1a5a433446f75057727a5152660fa07b8144 SHA1 367b57a117e106d4eefb657450ca1788c88a9b6b SHA256 ff06cb9413037def2eb2f81e63bb31d92827ca643c2f8e3d460e1d198610eda8 -MISC ChangeLog 492 RMD160 0579561c6002ed9fa1a221ef0eb24b929c0f03a3 SHA1 2cd3a8b8f6f26c2038acdf291d2e5b576be19c38 SHA256 c3ae85d0321019c32b6c59e4b6f1115cfe84d9aaae0644e0a9ec1c8829e6d22c +MISC ChangeLog 641 RMD160 d948c5d67f65389c3000e043132fff182434bd88 SHA1 22eb2d934c05b77ac61381c380882dbd8bb15d3c SHA256 5080caad454250c8b8fd5f1575fcbaa5783d91a505ff8f947151ea530a497a65 MISC metadata.xml 762 RMD160 416cd2087fe041e02046f07bb6c1677908542c37 SHA1 302dc937814f7d4c32ad16c0300020794f519c0e SHA256 e765957111816f91553fd3db2fef165babdd02ee82d923da6f5b455b684afd72 diff --git a/net-dialup/openl2tp/files/openl2tp-1.7-ppp_auth_args.patch b/net-dialup/openl2tp/files/openl2tp-1.7-ppp_auth_args.patch new file mode 100644 index 0000000..fd2e683 --- /dev/null +++ b/net-dialup/openl2tp/files/openl2tp-1.7-ppp_auth_args.patch 
@@ -0,0 +1,108 @@ +In ppp_unix_params_to_argv (ppp_unix.c:168) when the refuse-* +arguments to pppd are determined, only the value of flags2 is +considered. However, in l 2tp_parse_ppp_profile_arg +(l2tp_config.c:3273) where the values are parsed, the flags2 field is +used only to indicate that the field value for the opt ion has been +set. This has the effect that if a user sets auth_mschapv2=ye s in +openl2tpd.conf refuse-mschapv2 will be passed to pppd (since L2TP_API_ +PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAPV2 is set in flags2, but the +auth_refuse _mschapv2 field is set to 0). I have attached a patch +which corrects this behavior to consider the value of the field when +determining whether to add the argument to pppd. (kevinoid@users.sf.net) + +--- openl2tp-1.7.orig/plugins/ppp_unix.c 2008-08-05 10:33:49.000000000 -0600 ++++ openl2tp-1.7/plugins/ppp_unix.c 2010-04-04 14:25:34.964151271 -0600 +@@ -285,19 +285,24 @@ + } + + /* ppp auth options */ +- if (params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP) { ++ if ((params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP) && ++ params->auth_refuse_eap) { + argv[arg++] = "refuse-eap"; + } +- if (params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAPV2) { ++ if ((params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAPV2) && ++ params->auth_refuse_mschapv2) { + argv[arg++] = "refuse-mschap-v2"; + } +- if (params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAP) { ++ if ((params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAP) && ++ params->auth_refuse_mschap) { + argv[arg++] = "refuse-mschap"; + } +- if (params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP) { ++ if ((params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP) && ++ params->auth_refuse_chap) { + argv[arg++] = "refuse-chap"; + } +- if (params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP) { ++ if ((params->flags2 & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP) && ++ params->auth_refuse_pap) { + argv[arg++] = 
"refuse-pap"; + } + +@@ -313,25 +318,53 @@ + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAP | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP); +- if (auth_flags == (L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP | ++ if ((auth_flags & ~L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP) == ++ (L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAPV2 | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAP | +- L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP)) { ++ L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP) && ++ params->auth_refuse_eap && ++ params->auth_refuse_mschapv2 && ++ params->auth_refuse_mschap && ++ params->auth_refuse_chap && ++ (!(auth_flags & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP) || ++ !params->auth_refuse_pap)) { + argv[arg++] = "require-pap"; +- } else if (auth_flags == (L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP | ++ } else if ((auth_flags & ~L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP) == ++ (L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAPV2 | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAP | +- L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP)) { ++ L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP) && ++ params->auth_refuse_eap && ++ params->auth_refuse_mschapv2 && ++ params->auth_refuse_mschap && ++ params->auth_refuse_pap && ++ (!(auth_flags & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP) || ++ !params->auth_refuse_chap)) { + argv[arg++] = "require-chap"; +- } else if (auth_flags == (L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP | ++ } else if ((auth_flags & ~L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAP) == ++ (L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAPV2 | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP | +- L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP)) { ++ L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP) && ++ params->auth_refuse_eap && ++ params->auth_refuse_mschapv2 && ++ params->auth_refuse_chap && ++ params->auth_refuse_pap && 
++ (!(auth_flags & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAP) || ++ !params->auth_refuse_mschap)) { + argv[arg++] = "require-mschap"; +- } else if (auth_flags == (L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP | ++ } else if ((auth_flags & ~L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAPV2) == ++ (L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_EAP | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAP | + L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_CHAP | +- L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP)) { ++ L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_PAP) && ++ params->auth_refuse_eap && ++ params->auth_refuse_mschap && ++ params->auth_refuse_chap && ++ params->auth_refuse_pap && ++ (!(auth_flags & L2TP_API_PPP_PROFILE_FLAG_AUTH_REFUSE_MSCHAPV2) || ++ !params->auth_refuse_mschapv2)) { + argv[arg++] = "require-mschap-v2"; + } + + + diff --git a/net-dialup/openl2tp/openl2tp-1.7-r1.ebuild b/net-dialup/openl2tp/openl2tp-1.7-r1.ebuild new file mode 100644 index 0000000..c33b3ea --- /dev/null +++ b/net-dialup/openl2tp/openl2tp-1.7-r1.ebuild 
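Review bot: The corrected refuse-* and require-* tests in the bundled ppp_unix.c patch carry no comment saying why both `params->flags2` and the matching `params->auth_refuse_*` field are checked, although that pairing is the whole fix. Going by the patch description, the flags2 bit only records that the option was set and the field holds its value, so above `/* ppp auth options */` I would add `/* flags2 bit: option was set in the profile; auth_refuse_<x>: its value. Refuse only when both are true. */`. The same pair is then written out by hand in five refuse-* tests and four require-* branches; a small static helper taking the flag and the field would make it easier to audit that no branch drops a term, since a slip here silently changes which authentication methods pppd is told to refuse or require. The enclosing function (ppp_unix_params_to_argv, per the description) begins and ends outside the two inner hunks.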
@@ -0,0 +1,150 @@ +# Copyright 1999-2010 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: $ + +EAPI=3 + +inherit eutils linux-info + +DESCRIPTION="Userspace tools for kernel L2TP implementation." +HOMEPAGE="http://openl2tp.sourceforge.net" +SRC_URI="mirror://sourceforge/openl2tp/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="doc +client pppd rpc server -stats" + +CDEPEND="net-dialup/ppp + sys-libs/readline + " +DEPEND="${CDEPEND} + sys-devel/bison + sys-devel/flex + " +RDEPEND="${CDEPEND} + rpc? ( || ( + net-nds/rpcbind + net-nds/portmap + ) )" + +CONFIG_CHECK="~PPPOL2TP" + +pkg_setup() { + # check for sane USE flags + if ! use server && ! use client; then + eerror + eerror "You have disabled both server and client parts!" + eerror "At least one of them must be enabled. ;)" + eerror + die "bad USE flags" + fi + # kernel requirements + linux-info_pkg_setup + if kernel_is -lt 2 6 23; then + eerror + eerror "Your kernel is too old. At least 2.6.23 is required to work with this program." 
+ eerror + die "kernel is too old" + fi +} + +src_prepare() { + # disable -Werror, as warnings may occur on different CFLAGS + epatch "${FILESDIR}/${P}-werror.patch" + # use system LDFLAGS + epatch "${FILESDIR}/${P}-ldflags.patch" + # let ebuild to control pppd plugins support + epatch "${FILESDIR}/${P}-pppd.patch" + # do not gzip man pages, let portage to compress them + epatch "${FILESDIR}/${P}-man.patch" + # install l2tpconfig to /usr/sbin with 0700 permissions + # to make it at least a bit more secure + epatch "${FILESDIR}/${P}-l2tpconfig.patch" + # apply upstream patch for pppd auth args fix: + # ftp://ftp.openl2tp.org/releases/openl2tp-1.7/openl2tp-fix_ppp_auth_args.patch + epatch "${FILESDIR}/${P}-ppp_auth_args.patch" +} + +src_configure() { + myconf="" # not local, should be used at src_compile() + + use client || myconf+="L2TP_FEATURE_LAC_SUPPORT=n \ + L2TP_FEATURE_LAIC_SUPPORT=n \ + L2TP_FEATURE_LAOC_SUPPORT=n " + + use server || myconf+="L2TP_FEATURE_LNS_SUPPORT=n \ + L2TP_FEATURE_LNIC_SUPPORT=n \ + L2TP_FEATURE_LNOC_SUPPORT=n " + + use rpc || myconf+="L2TP_FEATURE_RPC_MANAGEMENT=n " + + use stats && myconf+="L2TP_FEATURE_LOCAL_STAT_FILE=y " + + # pppd plugin is only needed for pppd < 2.4.5 + unset PPPD_SUBDIR + if use pppd; then + export PPPD_VERSION=$( gawk '{ + if ($2=="VERSION") { + gsub("\"","",$3); + print $3 + } + }' /usr/include/pppd/patchlevel.h ) || die "gawk failed" + einfo "Building for pppd version $PPPD_VERSION" + + # convert version to comparable format + local ver=$( echo $PPPD_VERSION | gawk -F "." 
'{ + print lshift($1,16) + lshift($2,8) + $3 + }' ) + if [[ $ver -lt $(( (2<<16) + (4<<8) + 5)) ]]; then + export PPPD_SUBDIR="pppd" + else + ewarn + ewarn "openl2tp plugins are already integrated in >=net-dialup/ppp-2.4.5" + fi + fi +} + +src_compile() { + # upstream use OPT_CFLAGS for optimizations + export OPT_CFLAGS=${CFLAGS} + emake ${myconf} || die "emake failed" +} + +src_install() { + emake ${myconf} DESTDIR="${D}" install || die "emake install failed" + dodoc CHANGES INSTALL README + + if use doc; then + dodoc doc/*.txt "${FILESDIR}"/openl2tpd.conf.sample + newdoc plugins/README README.plugins + use pppd && newdoc pppd/README README.pppd + docinto ipsec + dodoc ipsec/* + fi + + newinitd "${FILESDIR}"/openl2tpd.initd openl2tpd + # init.d script is quite different for RPC and non-RPC versions. + use rpc || sed -i s/userpc=\"yes\"/userpc=\"no\"/ "${D}/etc/init.d/openl2tpd" || die "sed failed" + newconfd "${FILESDIR}"/openl2tpd.confd openl2tpd +} + +pkg_postinst() { + if use rpc; then + ewarn + ewarn "RPC control does not provide any auth checks for control connection." + ewarn "By default localhost only is allowed and l2tpconfig is installed" + ewarn "accessible only by root, but local users may install or compile binary" + ewarn "on they own if not prohibited by system administrator." + ewarn + ewarn "Therefore DO NOT USE RPC IN INSECURE ENVIRONMENTS!" + else + ewarn + ewarn "Without RPC support you won't be able to use l2tpconfig." + fi + if use stats; then + ewarn + ewarn "To enable status files openl2tpd must be started with -S option." + ewarn "Upstream warns about runtime overhead with status files enabled." + fi +} |
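Review bot: In src_configure the `|| die "gawk failed"` after `export PPPD_VERSION=$( gawk ... )` can never fire, because the status tested is that of `export`, not of the command substitution; `local ver=$( ... )` masks its pipeline the same way. If /usr/include/pppd/patchlevel.h is missing or has no VERSION line, PPPD_VERSION ends up empty and the later `-lt` test presumably compares 0, so the build would quietly take the `PPPD_SUBDIR="pppd"` branch instead of stopping. Assign first and export afterwards: `PPPD_VERSION=$(gawk '...' /usr/include/pppd/patchlevel.h) || die "gawk failed"`, then `[[ -n ${PPPD_VERSION} ]] || die "cannot determine pppd version"`, then `export PPPD_VERSION`.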