Merge pull request #156787 from helsinki-systems/drop/racoon

nixos/modules/module-list.nix

@@ -852,7 +852,6 @@
   ./services/networking/quassel.nix
   ./services/networking/quorum.nix
   ./services/networking/quicktun.nix
-  ./services/networking/racoon.nix
   ./services/networking/radicale.nix
   ./services/networking/radvd.nix
   ./services/networking/rdnssd.nix

nixos/modules/rename.nix

@@ -80,6 +80,9 @@ with lib;
       libinput and synaptics.
     '')
     (mkRemovedOptionModule [ "virtualisation" "rkt" ] "The rkt module has been removed, it was archived by upstream")
+    (mkRemovedOptionModule [ "services" "racoon" ] ''
+      The racoon module has been removed, because the software project was abandoned upstream.
+    '')
 
     # Do NOT add any option renames here, see top of the file
   ];

nixos/modules/services/networking/racoon.nix

@@ -1,45 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.racoon;
-in {
-  options.services.racoon = {
-    enable = mkEnableOption "racoon";
-
-    config = mkOption {
-      description = "Contents of racoon configuration file.";
-      default = "";
-      type = types.str;
-    };
-
-    configPath = mkOption {
-      description = "Location of racoon config if config is not provided.";
-      default = "/etc/racoon/racoon.conf";
-      type = types.path;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    systemd.services.racoon = {
-      description = "Racoon Daemon";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      serviceConfig = {
-        ExecStart = "${pkgs.ipsecTools}/bin/racoon -f ${
-          if (cfg.config != "") then pkgs.writeText "racoon.conf" cfg.config
-          else cfg.configPath
-        }";
-        ExecReload = "${pkgs.ipsecTools}/bin/racoonctl reload-config";
-        PIDFile = "/run/racoon.pid";
-        Type = "forking";
-        Restart = "always";
-      };
-      preStart = ''
-        rm /run/racoon.pid || true
-        mkdir -p /var/racoon
-      '';
-    };
-  };
-}

nixos/modules/virtualisation/openvswitch.nix

@@ -36,17 +36,6 @@ in {
         Open vSwitch package to use.
       '';
     };
-
-    ipsec = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to start racoon service for openvswitch.
-        Supported only if openvswitch version is less than 2.6.0.
-        Use <literal>virtualisation.vswitch.package = pkgs.openvswitch-lts</literal>
-        for a version that supports ipsec over GRE.
-      '';
-    };
   };
 
   config = mkIf cfg.enable (let
@@ -65,7 +54,7 @@ in {
       installPhase = "mkdir -p $out";
     };
 
-  in (mkMerge [{
+  in {
     environment.systemPackages = [ cfg.package ];
     boot.kernelModules = [ "tun" "openvswitch" ];
 
@@ -142,48 +131,14 @@ in {
       };
     };
 
-  }
-  (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) {
-    environment.systemPackages = [ pkgs.ipsecTools ];
+  });
 
-    services.racoon.enable = true;
-    services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
-
-    networking.firewall.extraCommands = ''
-      iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1
-      iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
-    '';
-
-    systemd.services.ovs-monitor-ipsec = {
-      description = "Open_vSwitch Ipsec Daemon";
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "ovsdb.service" ];
-      before = [ "vswitchd.service" "racoon.service" ];
-      environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";
-      serviceConfig = {
-        ExecStart = ''
-          ${cfg.package}/bin/ovs-monitor-ipsec \
-            --root-prefix ${runDir}/ipsec \
-            --pidfile /run/openvswitch/ovs-monitor-ipsec.pid \
-            --monitor --detach \
-            unix:/run/openvswitch/db.sock
-        '';
-        PIDFile = "/run/openvswitch/ovs-monitor-ipsec.pid";
-        # Use service type 'forking' to correctly determine when ovs-monitor-ipsec is ready.
-        Type = "forking";
-      };
-
-      preStart = ''
-        rm -r ${runDir}/ipsec/etc/racoon/certs || true
-        mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/}
-        ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey
-        ln -fs ${pkgs.writeScript "racoon-restart" ''
-        #!${pkgs.runtimeShell}
-        /run/current-system/sw/bin/systemctl $1 racoon
-        ''} ${runDir}/ipsec/etc/init.d/racoon
-      '';
-    };
-  })]));
+  imports = [
+    (mkRemovedOptionModule [ "virtualisation" "vswitch" "ipsec" ] ''
+      OpenVSwitch IPSec functionality has been removed, because it depended on racoon,
+      which was removed from nixpkgs, because it was abanoded upstream.
+    '')
+  ];
 
   meta.maintainers = with maintainers; [ netixx ];
 

pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch

@@ -1,16 +0,0 @@
-Index: pkg-ipsec-tools/src/racoon/gssapi.c
-===================================================================
---- pkg-ipsec-tools.orig/src/racoon/gssapi.c
-+++ pkg-ipsec-tools/src/racoon/gssapi.c
-@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
-	gss_name_t princ, canon_princ;
-	OM_uint32 maj_stat, min_stat;
-
-+	if (iph1->rmconf == NULL) {
-+		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+		return -1;
-+	}
-+
-	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
-	if (gps == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");

pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch

@@ -1,193 +0,0 @@
-From: Antoine_Beaupre <anarcat@orangeseeds.org>
-Acked-by: Jiri Bohac <jbohac@suse.cz>
-Subject: PR/51682: Avoid DoS with fragment out of order insertion; keep fragments sorted in the list.
-References: bsc#1047443, CVE-2016-10396
-
-
-
-Index: a/src/racoon/handler.h
-===================================================================
---- a/src/racoon/handler.h.orig	2018-01-26 18:05:21.114764376 +0100
-+++ a/src/racoon/handler.h	2018-01-26 18:05:33.986741103 +0100
-@@ -141,6 +141,7 @@ struct ph1handle {
- #endif
- #ifdef ENABLE_FRAG
- 	int frag;			/* IKE phase 1 fragmentation */
-+	int frag_last_index;
- 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
- #endif
- 
-Index: a/src/racoon/isakmp.c
-===================================================================
---- a/src/racoon/isakmp.c.orig	2018-01-26 18:05:21.118764369 +0100
-+++ a/src/racoon/isakmp.c	2018-01-26 18:05:33.986741103 +0100
-@@ -1069,6 +1069,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
- 		iph1->frag = 1;
- 	else
- 		iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 	iph1->approval = NULL;
-@@ -1173,6 +1174,7 @@ isakmp_ph1begin_r(msg, remote, local, et
- #endif
- #ifdef ENABLE_FRAG
- 	iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 	iph1->approval = NULL;
-Index: a/src/racoon/isakmp_frag.c
-===================================================================
---- a/src/racoon/isakmp_frag.c.orig	2018-01-26 18:05:21.118764369 +0100
-+++ a/src/racoon/isakmp_frag.c	2018-01-26 18:05:33.986741103 +0100
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
- 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
- }
- 
-+static int 
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
-+{
-+	struct isakmp_frag_item *pitem = NULL;
-+	struct isakmp_frag_item *citem = iph1->frag_chain;
-+
-+	/* no frag yet, just insert at beginning of list */
-+	if (iph1->frag_chain == NULL) {
-+		iph1->frag_chain = item;
-+		return 0;
-+	}
-+
-+	do {
-+		/* duplicate fragment number, abort (CVE-2016-10396) */
-+		if (citem->frag_num == item->frag_num)
-+			return -1;
-+
-+		/* need to insert before current item */
-+		if (citem->frag_num > item->frag_num) {
-+			if (pitem != NULL)
-+				pitem->frag_next = item;
-+			else
-+				/* insert at the beginning of the list  */
-+				iph1->frag_chain = item;
-+			item->frag_next = citem;
-+			return 0;
-+		}
-+
-+		pitem = citem;
-+		citem = citem->frag_next;
-+	} while (citem != NULL);
-+
-+	/* we reached the end of the list, insert */
-+	pitem->frag_next = item;
-+	return 0;
-+}
-+
- int 
- isakmp_frag_extract(iph1, msg)
- 	struct ph1handle *iph1;
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
- 	item->frag_next = NULL;
- 	item->frag_packet = buf;
- 
--	/* Look for the last frag while inserting the new item in the chain */
--	if (item->frag_last)
--		last_frag = item->frag_num;
-+	/* Check for the last frag before inserting the new item in the chain */
-+	if (item->frag_last) {
-+		/* if we have the last fragment, indices must match */
-+		if (iph1->frag_last_index != 0 &&
-+		    item->frag_last != iph1->frag_last_index) {
-+			plog(LLV_ERROR, LOCATION, NULL,
-+			     "Repeated last fragment index mismatch\n");
-+			racoon_free(item);
-+			vfree(buf);
-+			return -1;
-+		}
- 
--	if (iph1->frag_chain == NULL) {
--		iph1->frag_chain = item;
--	} else {
--		struct isakmp_frag_item *current;
-+		last_frag = iph1->frag_last_index = item->frag_num;
-+	}
- 
--		current = iph1->frag_chain;
--		while (current->frag_next) {
--			if (current->frag_last)
--				last_frag = item->frag_num;
--			current = current->frag_next;
--		}
--		current->frag_next = item;
-+	/* insert fragment into chain */
-+	if (isakmp_frag_insert(iph1, item) == -1) {
-+		plog(LLV_ERROR, LOCATION, NULL,
-+		    "Repeated fragment index mismatch\n");
-+		racoon_free(item);
-+		vfree(buf);
-+		return -1;
- 	}
- 
--	/* If we saw the last frag, check if the chain is complete */
-+	/* If we saw the last frag, check if the chain is complete
-+	 * we have a sorted list now, so just walk through */
- 	if (last_frag != 0) {
-+		item = iph1->frag_chain;
- 		for (i = 1; i <= last_frag; i++) {
--			item = iph1->frag_chain;
--			do {
--				if (item->frag_num == i)
--					break;
--				item = item->frag_next;
--			} while (item != NULL);
--
-+			if (item->frag_num != i)
-+				break;
-+			item = item->frag_next;
- 			if (item == NULL) /* Not found */
- 				break;
- 		}
- 
--		if (item != NULL) /* It is complete */
-+		if (i > last_frag) /* It is complete */
- 			return 1;
- 	}
- 		
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
- 	}
- 	data = buf->v;
- 
-+	item = iph1->frag_chain;
- 	for (i = 1; i <= frag_count; i++) {
--		item = iph1->frag_chain;
--		do {
--			if (item->frag_num == i)
--				break;
--			item = item->frag_next;
--		} while (item != NULL);
--
--		if (item == NULL) {
-+		if (item->frag_num != i) {
- 			plog(LLV_ERROR, LOCATION, NULL, 
- 			    "Missing fragment #%d\n", i);
- 			vfree(buf);
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
- 		}
- 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
- 		data += item->frag_packet->l;
-+		item = item->frag_next;
- 	}
- 
- out:
-
-
-diff -u -p -r1.50 -r1.51
---- a/src/racoon/isakmp_inf.c	2013/04/12 09:53:10	1.50
-+++ a/src/racoon/isakmp_inf.c	2017/01/24 19:23:56	1.51
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
- #endif
- #ifdef ENABLE_FRAG
- 	iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 

pkgs/os-specific/linux/ipsec-tools/default.nix

@@ -1,49 +0,0 @@
-{ lib, stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, libkrb5, pam }:
-
-# TODO: These tools are supposed to work under NetBSD and FreeBSD as
-# well, so I guess it's not appropriate to place this expression in
-# "os-specific/linux/ipsec-tools". Since I cannot verify that the
-# expression actually builds on those platforms, I'll leave it here for
-# the time being.
-
-stdenv.mkDerivation rec {
-  pname = "ipsec-tools";
-  version = "0.8.2";
-
-  src = fetchurl {
-    url = "mirror://sourceforge/ipsec-tools/ipsec-tools-${version}.tar.bz2";
-    sha256 = "0b9gfbz78k2nj0k7jdlm5kajig628ja9qm0z5yksiwz22s3v7dlf";
-  };
-
-  buildInputs = [ readline openssl flex libkrb5 pam ];
-
-  patches = [
-    ./dont-create-localstatedir-during-install.patch
-    ./CVE-2015-4047.patch
-    ./CVE-2016-10396.patch
-  ];
-
-  # fix build with newer gcc versions
-  preConfigure = ''substituteInPlace configure --replace "-Werror" "" '';
-
-  configureFlags = [
-    "--sysconfdir=/etc --localstatedir=/var"
-    "--with-kernel-headers=${linuxHeaders}/include"
-    "--disable-security-context"
-    "--enable-adminport"
-    "--enable-dpd"
-    "--enable-frag"
-    "--enable-gssapi"
-    "--enable-hybrid"
-    "--enable-natt"
-    "--enable-shared"
-    "--enable-stats"
-  ];
-
-  meta = with lib; {
-    homepage = "http://ipsec-tools.sourceforge.net/";
-    description = "Port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation";
-    license = licenses.bsd3;
-    platforms = platforms.linux;
-  };
-}

pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch

@@ -1,13 +0,0 @@
-diff -ubr ipsec-tools-0.8.0-orig/src/racoon/Makefile.in ipsec-tools-0.8.0/src/racoon/Makefile.in
---- ipsec-tools-0.8.0-orig/src/racoon/Makefile.in	2012-10-20 13:01:07.700903316 +0200
-+++ ipsec-tools-0.8.0/src/racoon/Makefile.in	2012-10-20 13:01:13.177832616 +0200
-@@ -1085,9 +1085,6 @@
- 	uninstall-sbinPROGRAMS
- 
- 
--install-exec-local:
--	${mkinstalldirs} $(DESTDIR)${adminsockdir}
--
- # special object rules
- crypto_openssl_test.o: crypto_openssl.c
- 	$(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c

pkgs/top-level/aliases.nix

@@ -413,6 +413,7 @@ mapAliases ({
   inotifyTools = inotify-tools;
   inter-ui = inter; # added 2021-03-27
   iproute = iproute2; # moved from top-level 2021-03-14
+  ipsecTools = throw "ipsecTools has benn removed, because it was no longer maintained upstream"; # added 2021-12-15
   i-score = throw "i-score has been removed: abandoned upstream."; # added 2020-11-21
   jack2Full = jack2; # moved from top-level 2021-03-14
   jamomacore = throw "jamomacore has been removed: abandoned upstream."; # added 2020-11-21

pkgs/top-level/all-packages.nix

@@ -8641,11 +8641,6 @@ with pkgs;
 
   pngout = callPackage ../tools/graphics/pngout { };
 
-  ipsecTools = callPackage ../os-specific/linux/ipsec-tools {
-    flex = flex_2_5_35;
-    openssl = openssl_1_0_2;
-  };
-
   patch = gnupatch;
 
   patchage = callPackage ../applications/audio/patchage { };