Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/ipsec-tools')
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch16
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ipsec-tools/default.nix51
-rw-r--r--nixpkgs/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch13
3 files changed, 80 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch b/nixpkgs/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch
new file mode 100644
index 000000000000..00c23c6cac14
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch
@@ -0,0 +1,16 @@
+Index: pkg-ipsec-tools/src/racoon/gssapi.c
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/gssapi.c
++++ pkg-ipsec-tools/src/racoon/gssapi.c
+@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
+	gss_name_t princ, canon_princ;
+	OM_uint32 maj_stat, min_stat;
+
++	if (iph1->rmconf == NULL) {
++		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
++		return -1;
++	}
++
+	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
+	if (gps == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
diff --git a/nixpkgs/pkgs/os-specific/linux/ipsec-tools/default.nix b/nixpkgs/pkgs/os-specific/linux/ipsec-tools/default.nix
new file mode 100644
index 000000000000..0aa074b4df8f
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipsec-tools/default.nix
@@ -0,0 +1,51 @@
+{ stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, kerberos, pam }:
+
+# TODO: These tools are supposed to work under NetBSD and FreeBSD as
+# well, so I guess it's not appropriate to place this expression in
+# "os-specific/linux/ipsec-tools". Since I cannot verify that the
+# expression actually builds on those platforms, I'll leave it here for
+# the time being.
+
+stdenv.mkDerivation rec {
+  name = "ipsec-tools-0.8.2";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/ipsec-tools/${name}.tar.bz2";
+    sha256 = "0b9gfbz78k2nj0k7jdlm5kajig628ja9qm0z5yksiwz22s3v7dlf";
+  };
+
+  buildInputs = [ readline openssl flex kerberos pam ];
+
+  patches = [
+    ./dont-create-localstatedir-during-install.patch
+    ./CVE-2015-4047.patch
+    (fetchpatch {
+      url = "https://anonscm.debian.org/cgit/pkg-ipsec-tools/pkg-ipsec-tools.git/plain/debian/patches/CVE-2016-10396.patch?id=62ac12648a4eb7c5ba5dba0f81998d1acf310d8b";
+      sha256 = "1kf7j2pf1blni52z7q41n0yisqb7gvk01lvldr319zaxxg7rm84a";
+    })
+  ];
+
+  # fix build with newer gcc versions
+  preConfigure = ''substituteInPlace configure --replace "-Werror" "" '';
+
+  configureFlags = [
+    "--sysconfdir=/etc --localstatedir=/var"
+    "--with-kernel-headers=${linuxHeaders}/include"
+    "--disable-security-context"
+    "--enable-adminport"
+    "--enable-dpd"
+    "--enable-frag"
+    "--enable-gssapi"
+    "--enable-hybrid"
+    "--enable-natt"
+    "--enable-shared"
+    "--enable-stats"
+  ];
+
+  meta = with stdenv.lib; {
+    homepage = http://ipsec-tools.sourceforge.net/;
+    description = "Port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation";
+    license = licenses.bsd3;
+    platforms = platforms.linux;
+  };
+}
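Review bot: `./CVE-2015-4047.patch` in the `patches` list is carried as a local file with no record of its origin, while the CVE-2016-10396 fix beside it is fetched from a pinned Debian commit and checked against a `sha256`. The `pkg-ipsec-tools` paths inside the local patch suggest it also comes from Debian, so either fetch it with `fetchpatch` in the same way or add a comment above the entry such as `# from Debian pkg-ipsec-tools, debian/patches/<patch name>, commit <commit id>` so the fix can be audited against its source. Separately, `"--sysconfdir=/etc --localstatedir=/var"` is one list element holding two flags, which presumably only works while the builder word-splits the flags. Writing `"--sysconfdir=/etc"` and `"--localstatedir=/var"` as separate elements removes that dependence.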
diff --git a/nixpkgs/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch b/nixpkgs/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch
new file mode 100644
index 000000000000..16b80c36d6a5
--- /dev/null
+++ b/nixpkgs/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch
@@ -0,0 +1,13 @@
+diff -ubr ipsec-tools-0.8.0-orig/src/racoon/Makefile.in ipsec-tools-0.8.0/src/racoon/Makefile.in
+--- ipsec-tools-0.8.0-orig/src/racoon/Makefile.in	2012-10-20 13:01:07.700903316 +0200
++++ ipsec-tools-0.8.0/src/racoon/Makefile.in	2012-10-20 13:01:13.177832616 +0200
+@@ -1085,9 +1085,6 @@
+ 	uninstall-sbinPROGRAMS
+ 
+ 
+-install-exec-local:
+-	${mkinstalldirs} $(DESTDIR)${adminsockdir}
+-
+ # special object rules
+ crypto_openssl_test.o: crypto_openssl.c
+ 	$(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c
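Review bot: This patch file has no header saying why `install-exec-local` is removed, and with `--enable-adminport` set in default.nix the install step then never creates `$(DESTDIR)${adminsockdir}`. Judging by the file name the directory sits under localstatedir, which the build presumably cannot write to, so it has to be created when the service starts instead. A short description at the top of the patch would record that, for example `Do not create ${adminsockdir} at install time; the service must create it at runtime, owned by root and not accessible to other users`. The hunk shows only the tail of the preceding rule and the start of the special object rules, so the rest of Makefile.in is not visible here.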