package/ipsec-tools: drop package

Extract from http://ipsec-tools.sourceforge.net: "The development of ipsec-tools has been ABANDONED. ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!" Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2026-01-05 14:09:53 +03:00 · 2020-11-13 23:44:08 +01:00
parent 32455cb735
commit a3f58a74e0
11 changed files with 9 additions and 1653 deletions
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -144,6 +144,15 @@ endif
 ###############################################################################
 comment "Legacy options removed in 2021.02"
 config BR2_PACKAGE_IPSEC_TOOLS
 	bool "ipsec-tools package was removed"
 	select BR2_LEGACY
 	help
 	  This package has been removed as it has security issues and
 	  has been abandoned since 2014.
 comment "Legacy options removed in 2020.11"
 config BR2_PACKAGE_OPENCV
--- a/package/Config.in
+++ b/package/Config.in
@@ -2112,7 +2112,6 @@ menu "Networking applications"
 	source "package/iperf/Config.in"
 	source "package/iperf3/Config.in"
 	source "package/iproute2/Config.in"
 	source "package/ipsec-tools/Config.in"
 	source "package/ipset/Config.in"
 	source "package/iptables/Config.in"
 	source "package/iptraf-ng/Config.in"
--- a/package/ipsec-tools/0001-susv3-legacy.patch
+++ b/package/ipsec-tools/0001-susv3-legacy.patch
@@ -1,35 +0,0 @@
 Replaces sysv3 legacy functions with modern equivalents.
 Signed-off-by: Julien Boibessot <julien.boibessot@armadeus.com>
 Index: ipsec-tools-0.7.3/src/racoon/pfkey.c
 ===================================================================
 --- ipsec-tools-0.7.3.orig/src/racoon/pfkey.c	2010-07-12 14:46:52.000000000 +0200
 +++ ipsec-tools-0.7.3/src/racoon/pfkey.c	2010-07-12 15:01:39.000000000 +0200
@@ -3008,12 +3008,12 @@
 				struct sockaddr *paddr;
 				paddr = (struct sockaddr *)(xisr + 1);
 -				bcopy(paddr, &(*p_isr)->saidx.src,
 +				memmove(&(*p_isr)->saidx.src, paddr,
 					sysdep_sa_len(paddr));
 				paddr = (struct sockaddr *)((caddr_t)paddr
 							+ sysdep_sa_len(paddr));
 -				bcopy(paddr, &(*p_isr)->saidx.dst,
 +				memmove(&(*p_isr)->saidx.dst, paddr,
 					sysdep_sa_len(paddr));
 			}
 Index: ipsec-tools-0.7.3/src/racoon/racoonctl.c
 ===================================================================
 --- ipsec-tools-0.7.3.orig/src/racoon/racoonctl.c	2010-07-12 14:49:51.000000000 +0200
 +++ ipsec-tools-0.7.3/src/racoon/racoonctl.c	2010-07-12 15:00:52.000000000 +0200
@@ -785,7 +785,7 @@
 		errx(1, "cannot read source address");
 	/* We get "ip[port]" strip the port */
 -	if ((idx = index(srcaddr, '[')) == NULL) 
 +	if ((idx = strchr(srcaddr, '[')) == NULL)
 		errx(1, "unexpected source address format");
 	*idx = '\0';
--- a/package/ipsec-tools/0002-configure-automake.patch
+++ b/package/ipsec-tools/0002-configure-automake.patch
@@ -1,21 +0,0 @@
 Needed to fix broken autoreconf
 Downloaded from
 https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/automake-options/
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 Index: pkg-ipsec-tools/configure.ac
 ===================================================================
 --- pkg-ipsec-tools.orig/configure.ac	2014-06-28 17:25:22.000000000 +0200
 +++ pkg-ipsec-tools/configure.ac	2014-06-28 17:28:13.818373322 +0200
@@ -6,7 +6,8 @@ AC_INIT(ipsec-tools, 0.8.2)
 AC_CONFIG_SRCDIR([configure.ac])
 AC_CONFIG_HEADERS(config.h)
 -AM_INIT_AUTOMAKE(dist-bzip2)
 +AC_CONFIG_MACRO_DIR([.])
 +AM_INIT_AUTOMAKE([dist-bzip2 foreign serial-tests])
 AC_ENABLE_SHARED(no)
--- a/package/ipsec-tools/0003-Don-t-link-against-libfl.patch
+++ b/package/ipsec-tools/0003-Don-t-link-against-libfl.patch
@@ -1,92 +0,0 @@
 From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
 From: Paul Barker <paul@paulbarker.me.uk>
 Date: Wed, 5 Mar 2014 13:39:14 +0000
 Subject: [PATCH] Don't link against libfl
 We can remove all references to yywrap by adding "%option noyywrap" statements
 to each flex source file that doesn't override yywrap. After this, we no longer
 need to link against libfl and so no longer get errors about undefined
 references to yylex.
 Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
 Upstream-status: Submitted 2014-03-11
    see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
 Downloaded from
 http://cgit.openembedded.org/meta-openembedded/tree/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 ---
 src/libipsec/Makefile.am | 1 -
 src/racoon/Makefile.am   | 2 +-
 src/racoon/cftoken.l     | 2 ++
 src/setkey/Makefile.am   | 1 -
 src/setkey/token.l       | 2 ++
 5 files changed, 5 insertions(+), 3 deletions(-)
 diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
 index 6a4e3b3..df1e106 100644
 --- a/src/libipsec/Makefile.am
 +++ b/src/libipsec/Makefile.am
@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
 # version is current:revision:age.
 # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
 libipsec_la_LDFLAGS = -version-info 0:1:0
 -libipsec_la_LIBADD = $(LEXLIB)
 noinst_HEADERS = ipsec_strerror.h
 diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
 index dbaded9..0662957 100644
 --- a/src/racoon/Makefile.am
 +++ b/src/racoon/Makefile.am
@@ -38,7 +38,7 @@ racoon_SOURCES = \
 	cftoken.l cfparse.y prsa_tok.l prsa_par.y 
 EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
 	isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
 -racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
 +racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
 	 $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
 racoon_DEPENDENCIES = \
 	$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
 diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
 index 490242c..1701922 100644
 --- a/src/racoon/cftoken.l
 +++ b/src/racoon/cftoken.l
@@ -106,6 +106,8 @@ static int incstackp = 0;
 static int yy_first_time = 1;
 %}
 +%option noyywrap
 +
 /* common seciton */
 nl		\n
 ws		[ \t]+
 diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
 index 746c1f1..389e6cf 100644
 --- a/src/setkey/Makefile.am
 +++ b/src/setkey/Makefile.am
@@ -13,7 +13,6 @@ setkey_SOURCES = \
 setkey_LDFLAGS = ../libipsec/libipsec.la
 setkey_DEPENDENCIES = ../libipsec/libipsec.la
 -setkey_LDADD = $(LEXLIB)
 noinst_HEADERS = vchar.h extern.h
 man8_MANS = setkey.8
 diff --git a/src/setkey/token.l b/src/setkey/token.l
 index ad3d843..eb23b76 100644
 --- a/src/setkey/token.l
 +++ b/src/setkey/token.l
@@ -88,6 +88,8 @@
 #endif
 %}
 +%option noyywrap
 +
 /* common section */
 nl		\n
 ws		[ \t]+
 -- 
 1.9.0
--- a/package/ipsec-tools/0004-CVE-2015-4047.patch
+++ b/package/ipsec-tools/0004-CVE-2015-4047.patch
@@ -1,26 +0,0 @@
 ipsec-tools: CVE-2015-4047: null pointer dereference crash in racoon
 See: https://bugs.gentoo.org/show_bug.cgi?id=550118
 Downloaded from
 https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch
 See also
 https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/bug785778-null-pointer-deref.patch/
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 --- ./src/racoon/gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
 +++ ./src/racoon/gssapi.c    19 May 2015 15:16:00 -0000      1.6
@@ -192,6 +192,11 @@
 	gss_name_t princ, canon_princ;
 	OM_uint32 maj_stat, min_stat;
 +	if (iph1->rmconf == NULL) {
 +		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
 +		return -1;
 +	}
 +
 	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
 	if (gps == NULL) {
 		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
--- a/package/ipsec-tools/0005-CVE-2016-10396.patch
+++ b/package/ipsec-tools/0005-CVE-2016-10396.patch
@@ -1,208 +0,0 @@
 Fix CVE-2016-10396
 Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
 Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
 Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
 Downloaded from
 https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/010-CVE-2016-10396.patch
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
 ===================================================================
 --- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c
 +++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
@@ -1,4 +1,4 @@
 -/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
 +/*	$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $	*/
 /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
 }
 +static int 
 +isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
 +{
 +	struct isakmp_frag_item *pitem = NULL;
 +	struct isakmp_frag_item *citem = iph1->frag_chain;
 +
 +	/* no frag yet, just insert at beginning of list */
 +	if (iph1->frag_chain == NULL) {
 +		iph1->frag_chain = item;
 +		return 0;
 +	}
 +
 +	do {
 +		/* duplicate fragment number, abort (CVE-2016-10396) */
 +		if (citem->frag_num == item->frag_num)
 +			return -1;
 +
 +		/* need to insert before current item */
 +		if (citem->frag_num > item->frag_num) {
 +			if (pitem != NULL)
 +				pitem->frag_next = item;
 +			else
 +				/* insert at the beginning of the list  */
 +				iph1->frag_chain = item;
 +			item->frag_next = citem;
 +			return 0;
 +		}
 +
 +		pitem = citem;
 +		citem = citem->frag_next;
 +	} while (citem != NULL);
 +
 +	/* we reached the end of the list, insert */
 +	pitem->frag_next = item;
 +	return 0;
 +}
 +
 int 
 isakmp_frag_extract(iph1, msg)
 	struct ph1handle *iph1;
@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
 	item->frag_next = NULL;
 	item->frag_packet = buf;
 -	/* Look for the last frag while inserting the new item in the chain */
 -	if (item->frag_last)
 -		last_frag = item->frag_num;
 +	/* Check for the last frag before inserting the new item in the chain */
 +	if (item->frag_last) {
 +		/* if we have the last fragment, indices must match */
 +		if (iph1->frag_last_index != 0 &&
 +		    item->frag_last != iph1->frag_last_index) {
 +			plog(LLV_ERROR, LOCATION, NULL,
 +			     "Repeated last fragment index mismatch\n");
 +			racoon_free(item);
 +			vfree(buf);
 +			return -1;
 +		}
 -	if (iph1->frag_chain == NULL) {
 -		iph1->frag_chain = item;
 -	} else {
 -		struct isakmp_frag_item *current;
 +		last_frag = iph1->frag_last_index = item->frag_num;
 +	}
 -		current = iph1->frag_chain;
 -		while (current->frag_next) {
 -			if (current->frag_last)
 -				last_frag = item->frag_num;
 -			current = current->frag_next;
 -		}
 -		current->frag_next = item;
 +	/* insert fragment into chain */
 +	if (isakmp_frag_insert(iph1, item) == -1) {
 +		plog(LLV_ERROR, LOCATION, NULL,
 +		    "Repeated fragment index mismatch\n");
 +		racoon_free(item);
 +		vfree(buf);
 +		return -1;
 	}
 -	/* If we saw the last frag, check if the chain is complete */
 +	/* If we saw the last frag, check if the chain is complete
 +	 * we have a sorted list now, so just walk through */
 	if (last_frag != 0) {
 +		item = iph1->frag_chain;
 		for (i = 1; i <= last_frag; i++) {
 -			item = iph1->frag_chain;
 -			do {
 -				if (item->frag_num == i)
 -					break;
 -				item = item->frag_next;
 -			} while (item != NULL);
 -
 +			if (item->frag_num != i)
 +				break;
 +			item = item->frag_next;
 			if (item == NULL) /* Not found */
 				break;
 		}
 -		if (item != NULL) /* It is complete */
 +		if (i > last_frag) /* It is complete */
 			return 1;
 	}
@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
 	}
 	data = buf->v;
 +	item = iph1->frag_chain;
 	for (i = 1; i <= frag_count; i++) {
 -		item = iph1->frag_chain;
 -		do {
 -			if (item->frag_num == i)
 -				break;
 -			item = item->frag_next;
 -		} while (item != NULL);
 -
 -		if (item == NULL) {
 +		if (item->frag_num != i) {
 			plog(LLV_ERROR, LOCATION, NULL, 
 			    "Missing fragment #%d\n", i);
 			vfree(buf);
@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
 		}
 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
 		data += item->frag_packet->l;
 +		item = item->frag_next;
 	}
 out:
 Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
 ===================================================================
 --- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c
 +++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
 +	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 Index: ipsec-tools-0.8.2/src/racoon/isakmp.c
 ===================================================================
 --- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c
 +++ ipsec-tools-0.8.2/src/racoon/isakmp.c
@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
 		iph1->frag = 1;
 	else
 		iph1->frag = 0;
 +	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;
@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et
 #endif
 #ifdef ENABLE_FRAG
 	iph1->frag = 0;
 +	iph1->frag_last_index = 0;
 	iph1->frag_chain = NULL;
 #endif
 	iph1->approval = NULL;
 Index: ipsec-tools-0.8.2/src/racoon/handler.h
 ===================================================================
 --- ipsec-tools-0.8.2.orig/src/racoon/handler.h
 +++ ipsec-tools-0.8.2/src/racoon/handler.h
@@ -1,4 +1,4 @@
 -/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
 +/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/
 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
@@ -141,6 +141,7 @@ struct ph1handle {
 #endif
 #ifdef ENABLE_FRAG
 	int frag;			/* IKE phase 1 fragmentation */
 +	int frag_last_index;
 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
 #endif
--- a/package/ipsec-tools/0006-openssl-1.1.patch
+++ b/package/ipsec-tools/0006-openssl-1.1.patch
--- a/package/ipsec-tools/Config.in
+++ b/package/ipsec-tools/Config.in
@@ -1,75 +0,0 @@
 config BR2_PACKAGE_IPSEC_TOOLS
 	bool "ipsec-tools"
 	depends on BR2_USE_MMU # fork()
 	depends on !BR2_TOOLCHAIN_USES_MUSL # Use __P() macro all over the tree
 	select BR2_PACKAGE_OPENSSL
 	select BR2_PACKAGE_FLEX
 	help
 	  This package is required to support IPSec for Linux 2.6+
 	  http://ipsec-tools.sourceforge.net/
 if BR2_PACKAGE_IPSEC_TOOLS
 config BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT
 	bool "Enable racoonctl(8)"
 	default y
 	help
 	  Lets racoon to listen to racoon admin port, which is to
 	  be contacted by racoonctl(8).
 config BR2_PACKAGE_IPSEC_TOOLS_NATT
 	bool "Enable NAT-Traversal"
 	help
 	  This needs kernel support, which is available on Linux. On
 	  NetBSD, NAT-Traversal kernel support has not been integrated
 	  yet, you can get it from here:
 	  http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff If you
 	  live in a country where software patents are legal, using
 	  NAT-Traversal might infringe a patent.
 config BR2_PACKAGE_IPSEC_TOOLS_FRAG
 	bool "Enable IKE fragmentation"
 	help
 	  Enable IKE fragmentation, which is a workaround for
 	  broken routers that drop fragmented packets
 config BR2_PACKAGE_IPSEC_TOOLS_DPD
 	bool "Enable DPD (Dead Peer Detection)"
 	help
 	  Enable dead peer detection support
 config BR2_PACKAGE_IPSEC_TOOLS_STATS
 	bool "Enable statistics logging function"
 	default y
 config BR2_PACKAGE_IPSEC_TOOLS_READLINE
 	bool "Enable readline input support"
 	select BR2_PACKAGE_READLINE
 config BR2_PACKAGE_IPSEC_TOOLS_HYBRID
 	bool "Enable hybrid, both mode-cfg and xauth support"
 	help
 	  Hybrid mode is required for successful interoperability
 	  (e.g. Cisco VPN Client).
 choice
 	prompt "Security context"
 	default BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE
 	help
 	  Selects whether or not to enable security context support.
 config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE
 	bool "Disable security context support"
 config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_ENABLE
 	bool "Enable SELinux security context support"
 config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_KERNEL
 	bool "Enable kernel security context"
 endchoice
 endif
--- a/package/ipsec-tools/ipsec-tools.hash
+++ b/package/ipsec-tools/ipsec-tools.hash
@@ -1,6 +0,0 @@
 # From http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.2/
 md5	d53ec14a0a3ece64e09e5e34b3350b41	ipsec-tools-0.8.2.tar.bz2
 sha1	7d92cae9fde59fb4f125636698c43b0a3df3d0f0	ipsec-tools-0.8.2.tar.bz2
 # Locally calculated
 sha256	3f4af4aef0b2599928bee9875935b8fad8449ddbb98ea7da74c20c3dff5cdef7  src/setkey/setkey.c
--- a/package/ipsec-tools/ipsec-tools.mk
+++ b/package/ipsec-tools/ipsec-tools.mk
@@ -1,85 +0,0 @@
 ################################################################################
 #
 # ipsec-tools
 #
 ################################################################################
 IPSEC_TOOLS_VERSION = 0.8.2
 IPSEC_TOOLS_SOURCE = ipsec-tools-$(IPSEC_TOOLS_VERSION).tar.bz2
 IPSEC_TOOLS_SITE = http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/$(IPSEC_TOOLS_VERSION)
 IPSEC_TOOLS_LICENSE = BSD-3-Clause
 IPSEC_TOOLS_LICENSE_FILES = src/setkey/setkey.c
 IPSEC_TOOLS_INSTALL_STAGING = YES
 IPSEC_TOOLS_MAKE = $(MAKE1)
 IPSEC_TOOLS_DEPENDENCIES = openssl flex host-pkgconf host-flex host-bison
 # we patch configure.ac
 IPSEC_TOOLS_AUTORECONF = YES
 # 0004-CVE-2015-4047.patch
 IPSEC_TOOLS_IGNORE_CVES += CVE-2015-4047
 # 0005-CVE-2016-10396.patch
 IPSEC_TOOLS_IGNORE_CVES += CVE-2016-10396
 # configure hardcodes -Werror, so override CFLAGS on make invocation
 IPSEC_TOOLS_MAKE_OPTS = CFLAGS='$(TARGET_CFLAGS)'
 IPSEC_TOOLS_CONF_ENV = LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
 IPSEC_TOOLS_CONF_OPTS = \
 	  --without-libpam \
 	  --disable-gssapi \
 	  --with-kernel-headers=$(STAGING_DIR)/usr/include
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-adminport
 else
 IPSEC_TOOLS_CONF_OPTS += --disable-adminport
 endif
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_NATT),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-natt
 else
 IPSEC_TOOLS_CONF_OPTS += --disable-natt
 endif
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_FRAG),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-frag
 else
 IPSEC_TOOLS_CONF_OPTS += --disable-frag
 endif
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_DPD),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-dpd
 else
 IPSEC_TOOLS_CONF_OPTS += --disable-dpd
 endif
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_STATS),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-stats
 else
 IPSEC_TOOLS_CONF_OPTS += --disable-stats
 endif
 ifneq ($(BR2_PACKAGE_IPSEC_TOOLS_READLINE),y)
 IPSEC_TOOLS_CONF_OPTS += --without-readline
 else
 IPSEC_TOOLS_DEPENDENCIES += readline
 endif
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_HYBRID),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-hybrid
 else
 IPSEC_TOOLS_CONF_OPTS += --disable-hybrid
 endif
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-security-context=no
 endif
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_ENABLE),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-security-context=yes
 endif
 ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_KERNEL),y)
 IPSEC_TOOLS_CONF_OPTS += --enable-security-context=kernel
 endif
 $(eval $(autotools-package))