security/ipsec-tools: Moved man to share/man

Approved by:    portmgr (blanket)

security/ipsec-tools: fix build with openssl from ports

*/*: Update WWW to use HTTPS for sourceforge.net projects

Homepage link is permanent redirected to its HTTPS counterpart

Mk/**ldap.mk: Convert USE_LDAP to USES=ldap

Convert the USE_LDAP=yes to USES=ldap and adds the following features:

- Adds the argument USES=ldap:server to add openldap2{4|5|6}-server as
  RUN_DEPENDS
- Adds the argument USES=ldap<version> and replaces WANT_OPENLDAP_VER
- Adds OPENLDAP versions in bsd.default-versions.mk
- Adds USE_OPENLDAP/WANT_OPENLDAP_VER in Mk/bsd.sanity.mk
- Changes consumers to use the features

Reviewed by:	delphij
Approved by:	portmgr
Differential Revision: https://reviews.freebsd.org/D38233

Remove WWW entries moved into port Makefiles

Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.

This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.

Approved by:		portmgr (tcberner)

Add WWW entries to port Makefiles

It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

security: remove 'Created by' lines

A big Thank You to the original contributors of these ports:

  *  <ports@c0decafe.net>
  *  Aaron Dalton <aaron@FreeBSD.org>
  *  Adam Weinberger <adamw@FreeBSD.org>
  *  Ade Lovett <ade@FreeBSD.org>
  *  Aldis Berjoza <aldis@bsdroot.lv>
  *  Alex Dupre <ale@FreeBSD.org>
  *  Alex Kapranoff <kappa@rambler-co.ru>
  *  Alex Samorukov <samm@freebsd.org>
  *  Alexander Botero-Lowry <alex@foxybanana.com>
  *  Alexander Kriventsov <avk@vl.ru>
  *  Alexander Leidinger <netchild@FreeBSD.org>

all: drop support for EOL FreeBSD 12.2

- Mk/bsd.port.mk: bump minimal FreeBSD version to 12.3,
  update an example
- sysutils/lsof: drop support for ancient FreeBSD releases.
- multimedia/ustreamer: remove inline patch for 12.2
- x11/wayland-logout: remove support for FreeBSD < 12.3
- sysutils/bhyve+: remove support for FreeBSD 12.2
- databases/clickhouse: remove support for FreeBSD 12.2
- databases/mariadb106-server: remove support for FreeBSD 12.2
- devel/cvsd: no need to test for FreeBSD >=5 anymore
- devel/imake: no need to support a.out anymore
- japanese/kterm: no need to support FreeBSD <= 9
- math/igraph: remove support for FreeBSD 12.2
- net/onedrive: remove support for FreeBSD 12.2
- security/ipsec-tools: no need to test for FreeBSD >= 11
- emulators/rpcs3: Revert "emulators/rpcs3: unbreak on FreeBSD 12.2 after
49f593b2f77f"

Reviewed by:	brnrd, fluffy, jbeich, ler, yuri, x11 (zeising)
Approved by:	portmgr (implicit)
Differential Revision:	https://reviews.freebsd.org/D34523

*/*: Remove redundant '-[0-9]*' from CONFLICTS

The conflict checks compare the patterns first against the package
names without version (as reported by "pkg query "%n"), then - if
there was no match - agsinst the full package names including the
version (as reported by "pkg query "%n-%v").

Many CONFLICTS definitions used patterns like "bash-[0-9]*" to filter
for the bash package in any version. But that pattern is functionally
identical with just "bash".

Approved by:	portmgr (blanket)

cleanup: drop support for EOL FreeBSD 11.X

Search criteria used:
- 11.4
- OSREL*
- OSVER*
- *_FreeBSD_11

Input from:
- adridg: devel/qca-legacy
- jbeich: _WITH_DPRINTF, _WITH_GETLINE, GNU bfd workarounds
- sunpoet: security/p5-*OpenSSL*

Reviewed by:	doceng, kde, multimedia, perl, python, ruby, rust
Differential Revision: https://reviews.freebsd.org/D32008
Test Plan: make index

security/ipsec-tools: Add CPE information

Approved by:	portmgr (blanket)

security/ipsec-tools: make upgrade less painful

Partially revert r516983 to make upgrade from old versions
less painful. For example, upgrade path from 9.3 via 10.4
then to 11.0 and later should not break due to non-existing
required module ipsec.ko.

all: Remove all other $FreeBSD keywords.

Remove # $FreeBSD$ from Makefiles.

security/ipsec-tool: minor port cleanup

Remove non-existing configure options --enable-debug and --with-pkgversion.
Remove option NATTF that changed --enable-natt=yes to --enable-natt=kernel
that is exactly same for FreeBSD releases since 8.0-RELEASE.

Update devel/automake to 1.16.2.

mail/bogofilter security/ipsec-tools:
Patch Makefile.in instead of Makefile.am so automake is not required.

PR:		245599
Approved by:	portmgr (antoine)
Exp-run by:	antoine

Clean up support for FreeBSD 11.2.

While here, modernize some comments in Mk/bsd.*.mk.

Note that graphics/drm-fbsd11.2-kmod is not renamed yet, this was somewhat
under discussion.

Submitted by:	rene
Reviewed by:	antoine, jbeich, mat, zeising
Differential Revision:	https://reviews.freebsd.org/D21974

security/ipsec-tools: unbreak racoon_create_dirs

Specifying required_dirs and creating it at prestart stage does not work
because required_dirs is checked before running prestart these days.
So it fails to start for mfs-based /var even if racoon_create_dirs=YES

Unbreak this by replacing "required_dirs" and "mkdir -p"
in the racoon_prestart with "install -d" that returns error in case
of failure and does nothing if the directory already exists.

Reported by:	Cybil Courraud <freebsd@cyb.fr>

security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config

Wilcard patch exposures existing bug where agressive tunnels using ip addresses
for identification were not matching the entry in the PSK file,
due to the identifier not being cast to a 'xxx.xxx.xxx.xxx' notation.

PR:		203308
Submitted by:	andywhite@gmail.com (based on)

security/ipsec-tools: autoload ipsec.ko if possible

Check for IPSEC support in kernel and auto-load ipsec.ko
if needed while starting racoon except of 11.0-RELEASE
that had not IPSEC as a module.

security/ipsec-tools: small correction NATT patch

This change fixes rare case for "site to site" IPSec tunnel mode
when remote peer is behind NAT and has its own LAN behind.
Now this works too (previously NATT worked only for single host behind NAT).

Fix build on 12-stable when using OpenSSL from port.

PR:		232169
Submitted by:	Michael Grimm <trashcan@ellael.org>

security/ipsec-tools: Only append to BUILD_DEPENDS after bsd.port.pre.mk

Fix openssl 1.1.1 breakage

PR:		232169
Submitted by:	Walter Schwarzenfeld <w.schwarzenfeld@utanet.at>
Obtained from:	https://bugs.archlinux.org/task/59734

security/ipsec-tools: make binary package more useful

- enable options ADMINPORT and WCPSKEY by default;
- polish NATT_DESC a bit as we have releases past 11.0-STABLE;
- bump PORTREVISION.

security/ipsec-tools: add support for multiple if_ipsec(4) interfaces

- added patch introducing racoon compatibility with multiple
  if_ipsec(4) interfaces (*);
- MAINTAINER reset due to nearly 3 years maintainer inactivity;
- bump PORTREVISION.

Submitted by:	ae (*)
Approved by:	vanhu (implicitly)

Fix phase 1 initiation in the racoon daemon after base system change r285204

PR:		192774, 222065
Submitted by:	Andreas Longwitz <longwitz@incore.de>
Approved by:	VANHULLEBUS Yvan (maintainer, implicitly)

security/ipsec-tools: fix CVE-2016-10396

The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable
computational-complexity attack when parsing and storing ISAKMP fragments.
The implementation permits a remote attacker to exhaust computational
resources on the remote endpoint by repeatedly sending ISAKMP fragment
packets in a particular order such that the worst-case computational
complexity is realized in the algorithm utilized to determine
if reassembly of the fragments can take place.

The fix obtained from NetBSD CVS head with a command:

cvs diff -D 2017-01-24 -D 2017-09-01 \
	src/racoon/handler.h \
	src/racoon/isakmp.c \
	src/racoon/isakmp_frag.c \
	src/racoon/isakmp_inf.c

While here, add LICENSE.

PR:		225066
Approved by:	VANHULLEBUS Yvan (maintainer timeout, 3 months)
Obtained from:	NetBSD
MFH:		2018Q1
Security:	CVE-2016-10396

This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation
defined in RFC3948.

The natt.diff patch contains the following changes:
* added support for SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY
messages;
* used NAT address instead of original for SAs created by racoon;
* NAT-T keep-alives now sends only by NATed host.

Tested with 11.0-STABLE after projects/ipsec merge.

PR:		217131
Submitted by:	Andrey V. Elsukov
Approved by:	VANHULLEBUS Yvan (maintainer timeout, 2 months), vsevolod (mentor)

Remove all USE_OPENSSL occurrences.

Sponsored by:	Absolight

${RM} already has -f.

PR:		213570
Submitted by:	mat
Exp-run by:	antoine
Sponsored by:	Absolight

- Switch to options helpers
- Drop 8.x support

Approved by:	portmgr blanket

Update ipsec-tools with a patch from NetBSD to fix a memory leak.

PR:		200334 (reported in)
Submitted by:	brd
Approved by:	bdrewery (mentor, portmgr)
MFH:		2015Q2

security/ipsec-tools: 0.8.1 -> 0.8.2

From ChangeLog:
- Fix admin port establish-sa for tunnel mode SAs (Alexander Sbitnev)
- Fix source port selection regression from version 0.8.1
- Various logging improvements
- Additional compliance and build fixes

From submitter:
- extra patch to adding wildcard psk option

PR:		196930
Submitted by:	Harald Schmalzbauer <bugzilla.freebsd@omnilan.de>,
		Ed Schouten <ed@80368.nl>
Approved by:	vanhu (maintainer)

Simplify plist
Modernize a bit

net/openldap24-*:
- Convert to USES=libtool and bump dependent ports
- Avoid USE_AUTOTOOLS
- Don't use PTHREAD_LIBS
- Use MAKE_CMD

databases/glom:
- Drop :keepla
- Add INSTALL_TARGET=install-strip

databases/libgda4* databases/libgda5*:
- Convert to USES=libtool and bump dependent ports
- USES=tar:xz
- Use INSTALL_TARGET=install-strip
- Use @sample

- Drop .la files, no dependees require them

Approved by:	portmgr blanket

When linking a library libA with a library libB using libtool, if libB.la
exists, libtool will add all libraries libB.la refers to (dependency_libs
field) to the linker command line and store them in the dependency_libs
field of libA.la.  So everything that subsequently links with libA will also
link to these extra libraries.  This causes too much overlinking.

This commit modifies Mk/Uses/libtool.mk so it empties the dependency_libs
field in .la libraries during staging.  However, because .la libraries have
very limited use when dependency_libs is empty it makes sense to completely
remove them during staging.

So with this commit USES=libtool is modified to remove .la libraries and a
new form (USES=libtool:keepla) is introduced in case they need to be kept
(dependency_libs is still emptied).

Restore vanhu as maintainer: bounce was due to mail configuration error.

Reset vanhu@netasq.com: email bounces.

Fix build with clang 3.4

Remove CFLAGS unsupported by ancient gcc and just remove -Werror to have the
code build with clang

Reported by:	olgeni

Fix build with clang,
Convert to USES=libtool
Strip binaries

security/ipsec-tools: update to 0.8.1

- Update to 0.8.1 [1]
- Allow staging [1]
- Remove FreeBSD < 8.x message

PR:		ports/182758 [1]
Submitted by:	Kurt Jaeger <fbsd-ports opsec.eu>

Add NO_STAGE all over the place in preparation for the staging support (cat:
security)

- Fix a typo in PORT_OPTIONS conversion
- Create configuration directory we try to remove on uninstall

- Convert USE_ICONV=yes to USES=iconv
- Change USE_GNOME=pkgconfig|gnomehack to USES=pathfix|pkgconfig and
  USE_GETTEXT=yes to USES=gettext while here

Convert vanhu@ ports to new options framework
Removed optionnal dependency on the deprecated py-visual for net/scapy

Approved by:	maintainer (vanhu)

Move the rc.d scripts of the form *.sh.in to *.in

Where necessary add $FreeBSD$ to the file

No PORTREVISION bump necessary because this is a no-op

Apply utmp patch from ${FILESDIR} (not files) if OSVERSION <  900007

Spotted by: Jason Hellenthal <jhell at DataIX.net>
Approved by:    crees,rene (mentors,implicit)

In the rc.d scripts, change assignments to rcvar to use the
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().

In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.

Fix the rc.d script to avoid unconditional code execution,
and various other cleanups.

- Fix startup script rc.d/racoon.
- Bump portrevision.

PR:             ports/148605
Submitted by:   John Hein <jhein@symmetricom.com>
Approved by:    maho (mentor) and vanhu@netasq.com (maintainer)

- update to 0.8.0

PR:             ports/155883
Submitted by:   vanhu (maintainer)

Sync to new bsd.autotools.mk

Begin the process of deprecating sysutils/rc_subr by
s#. %%RC_SUBR%%#. /etc/rc.subr#

- Mark BROKEN on HEAD: fails to build with new utmpx

Reported by:    pointyhat

- Update to 0.7.3

PR:             137966
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

-Repocopy devel/libtool15 -> libtool22 and libltdl15 -> libltdl22.
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.

It has been tested with GNOME2, XFCE4, KDE3, KDE4 and other many wm/desktop
and applications in the runtime.

With help:      marcus and kwm
Pointyhat-exp:  a few times by pav
Tested by:      pgollucci, "Romain Tartière" <romain@blogreen.org>, and
                a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by:    marcus
Approved by:    portmgr

Fix a few "bad example" problems in the rc.d scripts that have been
propogated by copy and paste.

1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).

No PORTREVISION bumps because all of these changes are noops.

- Update to 0.7.2. This release fixes a remote DoS bug with IKE
  fragmentation reassembly.

PR:             ports/133922
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

Update CONFIGURE_ARGS for how we pass CONFIGURE_TARGET to configure script.
Specifically, newer autoconf (> 2.13) has different semantic of the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantic may be removed in later autoconf releases.

To workaround this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.

To solve this issue, under the fact that some ports still have
configure script generated by the old autoconf, we use runtime detection
in the do-configure target so that the proper argument can be used.

Changes to Mk/*:
 - Add runtime detection magic in bsd.port.mk

Add an WITH_LDAP option
enable hybrid, xauth and mode-cfg per default

PR:             125748
Submitted by:   Matthew Grooms
Approved by:    vanhu (maintainer)

- Update to 0.7.1

PR:             ports/125957
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

Fix build on 7.x when RC5 support is enabled.

PR:             103084, 122187
Submitted by:   Dmitry A Grigorovich
Approved by:    maintainer

- Fix: Have the racoon startup script [optionally] create its required dirs.

PR:             ports/117128
Submitted by:   John Hein <jhein@timing.com>
Approved by:    VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

Remove always-false/true conditions based on OSVERSION 500000

Update to 0.7

PR:             115978
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com>

- Remove the DESTDIR modifications from individual ports as we have a new,
  fully chrooted DESTDIR, which does not need such any more.

Sponsored by:   Google Summer of Code 2007
Approved by:    portmgr (pav)

- Revert changes to patch-configure. It was slipped in when committing
  fix for gcc 4.x

Noticed by:   sat
Approved by:  maintainer (implicit)

- Fix build with gcc 4.x
- While I'm here, remove extra empty line in distinfo

PR:            ports/113383
Submitted by:  rafan
Approved by:   VANHULLEBUS Yvan <yvan.vanhullebus at netasq.com> (maintainer)

- Version 0.6.7 of ipsec-tools is out, which fixes an easy to exploit
  Denial of Service (CVE-2007-1841).

PR:             ports/111319
Submitted by:   maintainer (VANHULLEBUS Yvan)
Security:       CVE-2007-1841

Use libtool port instead of included version to avoid objformat a.out botch

- An option to force NATT functionality
- Sneak in master sites beautification and use_ldconfig
  while I'm here

PR:             ports/105488
Submitted by:   bz
Approved by:    VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com> (maintainer)

- There should be only one site in the WWW line and kame is obsolete anyway

- Add patch for people having trouble compiling OpenSSL bits

PR:             ports/97442
Submitted by:   Dmitry Andrianov <dimas@dataart.com>
Approved by:    VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com> (maintainer)

- Update to 0.6.6

PR:             ports/98902
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

Makefile:
- introduce OPTIONS to enable/disable features
- add more features to the OPTION dialog
- choose reasonable defaults for OPTIONS (disabled patented stuff)
- remove usesless WRKSRC line
- move LDFLAGS to the place where it is necessary
- extend CONFIGURE_ARGS to set the directory for the adminport socket
  * Note: racoonctl is useless without adminport enabled
  * create the socket dir in post-install
- bump PORTREVISION that users notice the changes
- finally: remove one item from the TODO list on top of the Makefile ;)

pkg-descr:
- shortened by one line to please portlint

Conversion to a single libtool environment.

Approved by:    portmgr (kris)

Remove the FreeBSD KEYWORD from all rc.d scripts where it appears.
We have not checked for this KEYWORD for a long time now, so this
is a complete noop, and thus no PORTREVISION bump. Removing it at
this point is mostly for pedantic reasons, and partly to avoid
perpetuating this anachronism by copy and paste to future scripts.

- Update to 0.6.5

Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)
PR:             ports/92838

Change facility from daemon to security, because daemon.info goes to
devnull by default

PR:             ports/91047
Submitted by:   PR: Brian Candler <B.Candler@pobox.com>, patch: VANHULLEBUS Yvan
<vanhu@netasq.com> (maintainer)
Approved by:    garga (mentor)

Replace ugly "@unexec rmdir %D... 2>/dev/null || true" with @dirrmtry

Approved by:    krion@
PR:             ports/88711 (related)

ports/security/ipsec-tools enables itself at startup

        ports/security/ipsec-tools rc.d script defaults to 'enabled'

        It also installs its own versions of setkey and libipsec.so
        which seems redundant as they are part of the base system
        and should be used in preference.

Submitted by:   Vivek Khera <vivek@khera.org>
PR:             ports/91317

Update to 0.6.4

PR:             90326
Submitted by:   maintainer

- Change the location of racoon configuration files to /usr/local/etc/racoon,
  bringing it in line with the old security/racoon port and the handbook [1]
- Make use of USE_RC_SUBR instead of home-grown substitution and install
- Prevent installation of some intermediate sample configuration files

PR:             ports/89273 [1]
Submitted by:   Angelo Turetta <aturetta@bestunion.it> [1]
Approved by:    VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

- Update to 0.6.3. It fixes some crashes,
  including potential DoS in aggressive mode.
- Add SHA256

PR:             ports/89365
Submitted by:   ANHULLEBUS Yvan (maintainer)

Mass-conversion to the USE_AUTOTOOLS New World Order.  The code present
in bsd.autotools.mk essentially makes this a no-op given that all the
old variables set a USE_AUTOTOOLS_COMPAT variable, which is parsed in
exactly the same way as USE_AUTOTOOLS itself.

Moreover, USE_AUTOTOOLS has already been extensively tested by the GNOME
team -- all GNOME 2.12.x ports use it.

Preliminary documentation can be found at:
        http://people.FreeBSD.org/~ade/autotools.txt

which is in the process of being SGMLized before introduction into the
Porters Handbook.

Light blue touch-paper.  Run.

Update to 0.6.2

PR:             88042
Submitted by:   VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com> (maintainer)

Update to 0.6.1

Submitted by:   Yvan Vanhullebus (maintainer)

Add IPSec tools port - the new "official" version of racoon,
is the only one which is maintained and have lots of new features.

PR:             85544
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com>
Approved by:    perky (mentor)