^~~~~~~
eaytest.c: In function ‘rsa_verify_with_pubkey’:
eaytest.c:106:41: error: dereferencing pointer to incomplete type ‘EVP_PKEY’ {aka ‘struct evp_pkey_st’}
   error = eay_check_rsasign(src, sig, evp->pkey.rsa);
                                          ^~
make[4]: *** [Makefile:937: eaytest.o] Error 1

-------------------------------------------------------------------
This is an unstable amd64 chroot image at a tinderbox (==build bot)
name: 17.0-developer_20181229-151642
-------------------------------------------------------------------
Please see the tracker bug for details.

gcc-config -l:
 [1] x86_64-pc-linux-gnu-7.3.1
 [2] x86_64-pc-linux-gnu-8.2.0 *

Available Python interpreters, in order of preference:
  [1] python3.6
  [2] python2.7 (fallback)

Available Ruby profiles:
  [1] ruby24 (with Rubygems)
  [2] ruby25 (with Rubygems)
  [3] ruby26 (with Rubygems) *

Available Rust versions:
  [1] rust-1.31.1 *

java-config:
The following VMs are available for generation-2:
*) IcedTea JDK 3.9.0 [icedtea-bin-8]
Available Java Virtual Machines:
[1] icedtea-bin-8 system-vm

emerge -qpvO net-vpn/ipsec-tools
[ebuild N ] net-vpn/ipsec-tools-0.8.2-r5 USE="ipv6 ldap pam readline -hybrid -idea -kerberos -libressl -nat -rc5 (-selinux) -stats"
Created attachment 559724 [details] emerge-info.txt
Created attachment 559726 [details] emerge-history.txt
Created attachment 559728 [details] environment
Created attachment 559730 [details] etc.portage.tbz2
Created attachment 559732 [details] logs.tbz2
Created attachment 559734 [details] net-vpn:ipsec-tools-0.8.2-r5:20190103-220156.log
Created attachment 559736 [details] temp.tbz2
Same, ipsec-tools-0.8.2-r5 is not compatible with OpenSSL 1.1.x. I found a patch which was mailed to the mostly-dead ipsec-tools mailing list and also picked up by the openwrt folks, it compiles successfully, although I did not test more than racoon -h / racoon -V afterwards. Will attach to this bug.
Created attachment 561902 [details, diff] Add openssl-1.1.x support to ipsec-tools

Cherry-picked from https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/015-openssl-1.1.patch
That patch looks huge. @blueness, can we pick it up, considering openwrt seem to use it too?
Given the stern warning on the ipsec HOMEPAGE I think this package should be masked for removal: http://ipsec-tools.sourceforge.net/
The SF homepage has been abandoned; NetBSD is the new upstream for this package, see: https://github.com/NetBSD/src/blob/trunk/crypto/dist/ipsec-tools/README

Debian also maintains its own fork, which synchronizes with NetBSD changes, but contains a few extra local patches: https://salsa.debian.org/debian/ipsec-tools

And yes, this package is in active use.
*** Bug 696926 has been marked as a duplicate of this bug. ***
(In reply to Maciej S. Szmigiero from comment #12)
> SF homepage have been abandoned, NetBSD is the new upstream for this package,
> see: https://github.com/NetBSD/src/blob/trunk/crypto/dist/ipsec-tools/README
>
> Debian also maintains its own fork, which synchronizes with NetBSD changes,
> but contains few extra local patches:
> https://salsa.debian.org/debian/ipsec-tools
>
> And yes, this package is in active use.

I just tried the debian build and it's looking for the linux 2.6 kernel headers. Even the debian version is very old.
(In reply to Anthony Basile from comment #14)
> (In reply to Maciej S. Szmigiero from comment #12)
> > SF homepage have been abandoned, NetBSD is the new upstream for this package,
> > see: https://github.com/NetBSD/src/blob/trunk/crypto/dist/ipsec-tools/README
> >
> > Debian also maintains its own fork, which synchronizes with NetBSD changes,
> > but contains few extra local patches:
> > https://salsa.debian.org/debian/ipsec-tools
> >
> > And yes, this package is in active use.
>
> I just tried the debian build and its looking for the linux 2.6 kernel
> headers. Even the debian version is very old.

The latest ipsec-tools with the above patch works fine with linux-headers-4.14.x and kernel-4.14.x. The patch applies fine if placed into /etc/portage/patches/…
Hmm, I have actually submitted a few patches to this package to NetBSD in February and no one has responded yet.

The upstream (NetBSD) code doesn't even currently build on Linux and frees an uninitialized pointer on an error path, so the quality of this package's maintenance is also a bit questionable.

That's why I'm starting to lean towards Hans' position that this package should simply be removed.

The possible replacements are probably net-vpn/libreswan and net-vpn/strongswan.
(In reply to Maciej S. Szmigiero from comment #16)
> Hmm, I have actually submitted few patches to this package to NetBSD in
> February
> and no one has responded yet.
>
> The upstream (NetBSD) code doesn't even currently build on Linux and frees an
> uninitialized pointer on an error path so the quality of this package
> maintenance
> is also a bit questionable.
>
> That's why I start to lean towards Hans position that this package should
> simply
> be removed.
>
> The possible replacements are probably net-vpn/libreswan and
> net-vpn/strongswan.

It works fine here with ipsec or ipsec & l2tp. It builds with all tests and without errors. Tested with macOS & iOS clients. Performance is perfect, reliable and rock solid.
*** Bug 697626 has been marked as a duplicate of this bug. ***
(In reply to cilly from comment #17)
> (In reply to Maciej S. Szmigiero from comment #16)
> > Hmm, I have actually submitted few patches to this package to NetBSD in
> > February
> > and no one has responded yet.
> >
> > The upstream (NetBSD) code doesn't even currently build on Linux and frees an
> > uninitialized pointer on an error path so the quality of this package
> > maintenance
> > is also a bit questionable.
> >
> > That's why I start to lean towards Hans position that this package should
> > simply
> > be removed.
> >
> > The possible replacements are probably net-vpn/libreswan and
> > net-vpn/strongswan.
>
> It works fine here with ipsec or ipsec & l2tp. It builds with all tests and
> without errors. Tested with macOS & iOS clients. Performance is perfect,
> reliable and rock solid.

cilly, do you mind preparing for me an ebuild and patch here? I'm not sure what you did, but if it works and is secure, then that's good enough for me.
(In reply to Anthony Basile from comment #19)
> (In reply to cilly from comment #17)
>
> cilly, do you mind preparing for me a ebuild and patch here. I'm not sure
> what you did, but if it works and is secure, then that's good enough for me.

What I did: I added the above patch:
https://674460.bugs.gentoo.org/attachment.cgi?id=561902
to userpatches /etc/patches/<ipsectoolspath>.

So simply adding a line like:
eapply "${FILESDIR}"/${PN}-<above_patchname>.patch
would do it. Name the patch accordingly:
eapply "${FILESDIR}"/${PN}-add-openssl-1.1.x-support.patch
and place it into files. Then try my attached ebuild.
Created attachment 592830 [details] ebuild for ipsec-tools
Created attachment 592832 [details, diff] diff of ebuild
(In reply to cilly from comment #22)
> Created attachment 592832 [details, diff]
> diff of ebuild

Thanks cilly. I've just tested and pushed. Let me know if there are any issues and reopen this bug if there are.