security/libreswan: New port: IPsec and IKE based firewall

security/Makefile

@@ -310,6 +310,7 @@
     SUBDIR += libpwstor
     SUBDIR += libressl
     SUBDIR += libressl-devel
+    SUBDIR += libreswan
     SUBDIR += libretls
     SUBDIR += libscep
     SUBDIR += libscrypt

security/libreswan/Makefile

@@ -0,0 +1,45 @@
+PORTNAME=	libreswan
+DISTVERSION=	4.4
+CATEGORIES=	security
+MASTER_SITES=	https://download.libreswan.org/
+
+PATCH_SITES=	https://github.com/${PORTNAME}/${PORTNAME}/commit/
+PATCHFILES=	e43bc147e1342df55f51df06ef886749111d2cff.patch:-p1 # fix for https://github.com/libreswan/libreswan/issues/448
+PATCHFILES+=	607237df81c9896743f9b2cb91faab01e4d1c3fc.patch:-p1 # BSD patches: https://github.com/libreswan/libreswan/commit/607237df81c9896743f9b2cb91faab01e4d1c3fc
+
+MAINTAINER=	yuri@FreeBSD.org
+COMMENT=	IPsec and IKE based firewall
+
+LICENSE=	GPLv2
+LICENSE_FILE=	${WRKSRC}/COPYING
+
+LIB_DEPENDS=	libcurl.so:ftp/curl \
+		libevent.so:devel/libevent \
+		libldns.so:dns/ldns \
+		libnspr4.so:devel/nspr \
+		libnss3.so:security/nss \
+		libunbound.so:dns/unbound
+
+USES=		bison gmake pkgconfig python
+
+CFLAGS+=	-I${WRKSRC}/include/unbound
+LDFLAGS+=	-lcrypt
+
+MAKE_ARGS=	PKG_BASE=${LOCALBASE} \
+		NSS_CFLAGS="`pkg-config --cflags nss`" NSPR_LDFLAGS="`pkg-config --libs nss`" \
+		USE_PTHREAD_SETSCHEDPRIO=false \
+		WERROR_CFLAGS=""  \
+		PYTHON_BINARY=${PYTHON_CMD}
+
+OPTIONS_DEFINE=	DOCS
+
+post-configure:
+	@cd ${WRKSRC}/mk/defaults && \
+		${RLN} netbsd.mk freebsd.mk
+
+post-install:
+.for f in _import_crl addconn algparse cavp dncheck ecdsasigkey enumcheck hunkcheck ipcheck jambufcheck keyidcheck pluto readwriteconf rsasigkey showhostkey timecheck whack
+	@${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/ipsec/${f}
+.endfor
+
+.include <bsd.port.mk>

security/libreswan/distinfo

@@ -0,0 +1,7 @@
+TIMESTAMP = 1621641154
+SHA256 (libreswan-4.4.tar.gz) = 5f3f0a20d7097f20108bc93ba1255a778d8ffb8692d05f86383978c03c394976
+SIZE (libreswan-4.4.tar.gz) = 3503201
+SHA256 (e43bc147e1342df55f51df06ef886749111d2cff.patch) = d3f168c32501ee2de41b51a747921765c3d2bef555656c098041696f29e14806
+SIZE (e43bc147e1342df55f51df06ef886749111d2cff.patch) = 1279
+SHA256 (607237df81c9896743f9b2cb91faab01e4d1c3fc.patch) = 8a5c42b5b0c405a67fc4b178da10a9734e34fc44cb6f6c02ce63d8dd45e11253
+SIZE (607237df81c9896743f9b2cb91faab01e4d1c3fc.patch) = 14059

security/libreswan/files/patch-include_fd.h

@@ -0,0 +1,10 @@
+--- include/fd.h.orig	2021-05-21 21:31:28 UTC
++++ include/fd.h
+@@ -26,6 +26,7 @@
+
+ #include <stdbool.h>
+ #include <stdlib.h>		/* for ssize_t */
++#include <sys/types.h>
+
+ #include "where.h"
+

security/libreswan/files/patch-lib_libipsecconf_confread.c

@@ -0,0 +1,10 @@
+--- lib/libipsecconf/confread.c.orig	2021-05-21 21:27:40 UTC
++++ lib/libipsecconf/confread.c
+@@ -33,6 +33,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <assert.h>
++#include <sys/socket.h>
+
+ #include "lswalloc.h"
+ #include "ip_address.h"

security/libreswan/files/patch-lib_libipsecconf_keywords.c

@@ -0,0 +1,10 @@
+--- lib/libipsecconf/keywords.c.orig	2021-05-21 21:28:14 UTC
++++ lib/libipsecconf/keywords.c
+@@ -28,6 +28,7 @@
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <limits.h>
++#include <sys/socket.h>
+
+ #include <libreswan.h>
+ #include "constants.h"

security/libreswan/files/patch-lib_libswan_addrtypeof.c

@@ -0,0 +1,10 @@
+--- lib/libswan/addrtypeof.c.orig	2021-05-21 18:49:29 UTC
++++ lib/libswan/addrtypeof.c
+@@ -14,6 +14,7 @@
+  */
+
+ #include <string.h>
++#include <sys/socket.h>
+
+ #include "ip_address.h"
+ #include "ip_info.h"

security/libreswan/files/patch-lib_libswan_initaddr.c

@@ -0,0 +1,10 @@
+--- lib/libswan/initaddr.c.orig	2021-04-22 15:24:33 UTC
++++ lib/libswan/initaddr.c
+@@ -16,6 +16,7 @@
+  */
+
+ #include <string.h>
++#include <sys/socket.h>
+
+ #include "ip_info.h"
+ #include "ip_address.h"

security/libreswan/files/patch-lib_libswan_ip__address.c

@@ -0,0 +1,11 @@
+--- lib/libswan/ip_address.c.orig	2021-05-21 18:51:10 UTC
++++ lib/libswan/ip_address.c
+@@ -16,6 +16,8 @@
+  * License for more details.
+  */
+
++#include <sys/socket.h>
++
+ #include "jambuf.h"
+ #include "ip_address.h"
+ #include "lswlog.h"		/* for dbg() */

security/libreswan/files/patch-lib_libswan_ip__encap.c

@@ -0,0 +1,10 @@
+--- lib/libswan/ip_encap.c.orig	2021-05-21 18:52:58 UTC
++++ lib/libswan/ip_encap.c
+@@ -19,6 +19,7 @@
+ #ifdef linux
+ #  include <linux/udp.h>		/* for TCP_ENCAP_ESPINTCP and UDP_ENCAP_ESPINUDP */
+ #else
++#  include <sys/types.h>
+ #  include <netinet/udp.h>		/* for UDP_ENCAP_ESPINUDP aka NAT */
+ #endif
+

security/libreswan/files/patch-lib_libswan_ip__endpoint.c

@@ -0,0 +1,11 @@
+--- lib/libswan/ip_endpoint.c.orig	2021-05-21 18:53:45 UTC
++++ lib/libswan/ip_endpoint.c
+@@ -14,6 +14,8 @@
+  *
+  */
+
++#include <sys/socket.h>
++
+ #include "jambuf.h"
+ #include "ip_endpoint.h"
+ #include "constants.h"		/* for memeq() */

security/libreswan/files/patch-lib_libswan_ip__info.c

@@ -0,0 +1,11 @@
+--- lib/libswan/ip_info.c.orig	2021-05-21 18:51:44 UTC
++++ lib/libswan/ip_info.c
+@@ -17,6 +17,8 @@
+  * for more details.
+  */
+
++#include <sys/socket.h>
++
+ #include "ietf_constants.h"
+ #include "ip_info.h"
+ #include "passert.h"

security/libreswan/files/patch-lib_libswan_ttoaddress.c

@@ -0,0 +1,10 @@
+--- lib/libswan/ttoaddress.c.orig	2021-05-21 18:49:01 UTC
++++ lib/libswan/ttoaddress.c
+@@ -18,6 +18,7 @@
+
+ #include <string.h>
+ #include <netdb.h>		/* for gethostbyname2() */
++#include <sys/socket.h>
+
+ #include "ip_address.h"
+ #include "ip_info.h"

security/libreswan/files/patch-programs_pluto_kernel__bsdkame.c

@@ -0,0 +1,13 @@
+--- programs/pluto/kernel_bsdkame.c.orig	2021-05-21 21:30:08 UTC
++++ programs/pluto/kernel_bsdkame.c
+@@ -24,6 +24,10 @@
+ #include <string.h>
+ #include <unistd.h>
+
++#if defined(__FreeBSD__)
++#include <sys/queue.h>
++#endif
++
+ #include <sys/select.h>
+ #include <sys/time.h>
+ #include <sys/socket.h>

security/libreswan/files/patch-programs_pluto_packet.c

@@ -0,0 +1,10 @@
+--- programs/pluto/packet.c.orig	2021-05-21 23:54:59 UTC
++++ programs/pluto/packet.c
+@@ -22,6 +22,7 @@
+ #include <stddef.h>
+ #include <netinet/in.h>
+ #include <string.h>
++#include <sys/socket.h>
+
+ #include "constants.h"
+ #include "lswalloc.h"

security/libreswan/pkg-descr

@@ -0,0 +1,6 @@
+Libreswan is a free software implementation of the most widely supported and
+standardized VPN protocol using "IPsec" and the Internet Key Exchange ("IKE").
+These standards are produced and maintained by the Internet Engineering Task
+Force ("IETF").
+
+WWW: https://libreswan.org/

security/libreswan/pkg-plist

@@ -0,0 +1,45 @@
+/etc/pam.d/pluto
+etc/ipsec.conf
+etc/ipsec.d/policies/block
+etc/ipsec.d/policies/clear
+etc/ipsec.d/policies/clear-or-private
+etc/ipsec.d/policies/portexcludes.conf
+etc/ipsec.d/policies/private
+etc/ipsec.d/policies/private-or-clear
+etc/ipsec.secrets
+etc/logrotate.d/libreswan
+libexec/ipsec/_import_crl
+libexec/ipsec/_plutorun
+libexec/ipsec/_realsetup
+libexec/ipsec/_secretcensor
+libexec/ipsec/_stackmanager
+libexec/ipsec/_unbound-hook
+libexec/ipsec/_updown
+libexec/ipsec/_updown.bsdkame
+libexec/ipsec/addconn
+libexec/ipsec/algparse
+libexec/ipsec/auto
+libexec/ipsec/barf
+libexec/ipsec/cavp
+libexec/ipsec/dncheck
+libexec/ipsec/ecdsasigkey
+libexec/ipsec/enumcheck
+libexec/ipsec/hunkcheck
+libexec/ipsec/ipcheck
+libexec/ipsec/jambufcheck
+libexec/ipsec/keyidcheck
+libexec/ipsec/letsencrypt
+libexec/ipsec/look
+libexec/ipsec/newhostkey
+libexec/ipsec/pluto
+libexec/ipsec/readwriteconf
+libexec/ipsec/rsasigkey
+libexec/ipsec/setup
+libexec/ipsec/show
+libexec/ipsec/showhostkey
+libexec/ipsec/timecheck
+libexec/ipsec/verify
+libexec/ipsec/whack
+sbin/ipsec
+%%PORTDOCS%%%%DOCSDIR%%/ipsec.conf-sample
+%%PORTDOCS%%%%DOCSDIR%%/ipsec.secrets-sample