package/ipsec-tools: drop package

Extract from http://ipsec-tools.sourceforge.net: "The development of ipsec-tools has been ABANDONED. ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative!" Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 23:44:08 +01:00 · 2020-11-13 23:44:08 +01:00 · a3f58a74e0
commit a3f58a74e0
parent 32455cb735
11 changed files with 9 additions and 1653 deletions
--- a/Config.in.legacy
+++ b/Config.in.legacy
@ -144,6 +144,15 @@ endif

 ###############################################################################

+comment "Legacy options removed in 2021.02"
+
+config BR2_PACKAGE_IPSEC_TOOLS
+	bool "ipsec-tools package was removed"
+	select BR2_LEGACY
+	help
+	  This package has been removed as it has security issues and
+	  has been abandoned since 2014.
+
 comment "Legacy options removed in 2020.11"

 config BR2_PACKAGE_OPENCV
--- a/package/Config.in
+++ b/package/Config.in
@ -2112,7 +2112,6 @@ menu "Networking applications"
 	source "package/iperf/Config.in"
 	source "package/iperf3/Config.in"
 	source "package/iproute2/Config.in"
-	source "package/ipsec-tools/Config.in"
 	source "package/ipset/Config.in"
 	source "package/iptables/Config.in"
 	source "package/iptraf-ng/Config.in"
--- a/package/ipsec-tools/0001-susv3-legacy.patch
+++ b/package/ipsec-tools/0001-susv3-legacy.patch
@ -1,35 +0,0 @@
-Replaces sysv3 legacy functions with modern equivalents.
-
-Signed-off-by: Julien Boibessot <julien.boibessot@armadeus.com>
-Index: ipsec-tools-0.7.3/src/racoon/pfkey.c
-===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/pfkey.c	2010-07-12 14:46:52.000000000 +0200
-+++ ipsec-tools-0.7.3/src/racoon/pfkey.c	2010-07-12 15:01:39.000000000 +0200
-@@ -3008,12 +3008,12 @@
- 				struct sockaddr *paddr;
- 
- 				paddr = (struct sockaddr *)(xisr + 1);
-				bcopy(paddr, &(*p_isr)->saidx.src,
-+				memmove(&(*p_isr)->saidx.src, paddr,
- 					sysdep_sa_len(paddr));
- 
- 				paddr = (struct sockaddr *)((caddr_t)paddr
- 							+ sysdep_sa_len(paddr));
-				bcopy(paddr, &(*p_isr)->saidx.dst,
-+				memmove(&(*p_isr)->saidx.dst, paddr,
- 					sysdep_sa_len(paddr));
- 			}
- 
-Index: ipsec-tools-0.7.3/src/racoon/racoonctl.c
-===================================================================
--- ipsec-tools-0.7.3.orig/src/racoon/racoonctl.c	2010-07-12 14:49:51.000000000 +0200
-+++ ipsec-tools-0.7.3/src/racoon/racoonctl.c	2010-07-12 15:00:52.000000000 +0200
-@@ -785,7 +785,7 @@
- 		errx(1, "cannot read source address");
- 
- 	/* We get "ip[port]" strip the port */
-	if ((idx = index(srcaddr, '[')) == NULL) 
-+	if ((idx = strchr(srcaddr, '[')) == NULL)
- 		errx(1, "unexpected source address format");
- 	*idx = '\0';
- 
--- a/package/ipsec-tools/0002-configure-automake.patch
+++ b/package/ipsec-tools/0002-configure-automake.patch
@ -1,21 +0,0 @@
-Needed to fix broken autoreconf
-
-Downloaded from
-https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/automake-options/
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-
-Index: pkg-ipsec-tools/configure.ac
-===================================================================
--- pkg-ipsec-tools.orig/configure.ac	2014-06-28 17:25:22.000000000 +0200
-+++ pkg-ipsec-tools/configure.ac	2014-06-28 17:28:13.818373322 +0200
-@@ -6,7 +6,8 @@ AC_INIT(ipsec-tools, 0.8.2)
- AC_CONFIG_SRCDIR([configure.ac])
- AC_CONFIG_HEADERS(config.h)
- 
-AM_INIT_AUTOMAKE(dist-bzip2)
-+AC_CONFIG_MACRO_DIR([.])
-+AM_INIT_AUTOMAKE([dist-bzip2 foreign serial-tests])
- 
- AC_ENABLE_SHARED(no)
- 
--- a/package/ipsec-tools/0003-Don-t-link-against-libfl.patch
+++ b/package/ipsec-tools/0003-Don-t-link-against-libfl.patch
@ -1,92 +0,0 @@
-From e48b9097dce7bc2bfbb9e9c542124d3b5cebab39 Mon Sep 17 00:00:00 2001
-From: Paul Barker <paul@paulbarker.me.uk>
-Date: Wed, 5 Mar 2014 13:39:14 +0000
-Subject: [PATCH] Don't link against libfl
-
-We can remove all references to yywrap by adding "%option noyywrap" statements
-to each flex source file that doesn't override yywrap. After this, we no longer
-need to link against libfl and so no longer get errors about undefined
-references to yylex.
-
-Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
-Upstream-status: Submitted 2014-03-11
-    see http://sourceforge.net/p/ipsec-tools/mailman/ipsec-tools-devel/thread/CANyK_8ewmxGA3vBVJW6s1APXPmxPR%2BDFWZ61EL8pCt288aKQ6w%40mail.gmail.com/#msg32088797
-
-Downloaded from
-http://cgit.openembedded.org/meta-openembedded/tree/meta-networking/recipes-support/ipsec-tools/ipsec-tools/0002-Don-t-link-against-libfl.patch
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
- src/libipsec/Makefile.am | 1 -
- src/racoon/Makefile.am   | 2 +-
- src/racoon/cftoken.l     | 2 ++
- src/setkey/Makefile.am   | 1 -
- src/setkey/token.l       | 2 ++
- 5 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
-index 6a4e3b3..df1e106 100644
--- a/src/libipsec/Makefile.am
-+++ b/src/libipsec/Makefile.am
-@@ -26,7 +26,6 @@ libipsec_la_SOURCES = \
- # version is current:revision:age.
- # See: http://www.gnu.org/manual/libtool-1.4.2/html_chapter/libtool_6.html#SEC32
- libipsec_la_LDFLAGS = -version-info 0:1:0
-libipsec_la_LIBADD = $(LEXLIB)
- 
- noinst_HEADERS = ipsec_strerror.h
- 
-diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
-index dbaded9..0662957 100644
--- a/src/racoon/Makefile.am
-+++ b/src/racoon/Makefile.am
-@@ -38,7 +38,7 @@ racoon_SOURCES = \
- 	cftoken.l cfparse.y prsa_tok.l prsa_par.y 
- EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
- 	isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
-+racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) \
- 	 $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
- racoon_DEPENDENCIES = \
- 	$(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
-diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
-index 490242c..1701922 100644
--- a/src/racoon/cftoken.l
-+++ b/src/racoon/cftoken.l
-@@ -106,6 +106,8 @@ static int incstackp = 0;
- static int yy_first_time = 1;
- %}
- 
-+%option noyywrap
-+
- /* common seciton */
- nl		\n
- ws		[ \t]+
-diff --git a/src/setkey/Makefile.am b/src/setkey/Makefile.am
-index 746c1f1..389e6cf 100644
--- a/src/setkey/Makefile.am
-+++ b/src/setkey/Makefile.am
-@@ -13,7 +13,6 @@ setkey_SOURCES = \
- 
- setkey_LDFLAGS = ../libipsec/libipsec.la
- setkey_DEPENDENCIES = ../libipsec/libipsec.la
-setkey_LDADD = $(LEXLIB)
- 
- noinst_HEADERS = vchar.h extern.h
- man8_MANS = setkey.8
-diff --git a/src/setkey/token.l b/src/setkey/token.l
-index ad3d843..eb23b76 100644
--- a/src/setkey/token.l
-+++ b/src/setkey/token.l
-@@ -88,6 +88,8 @@
- #endif
- %}
- 
-+%option noyywrap
-+
- /* common section */
- nl		\n
- ws		[ \t]+
-- 
-1.9.0
-
--- a/package/ipsec-tools/0004-CVE-2015-4047.patch
+++ b/package/ipsec-tools/0004-CVE-2015-4047.patch
@ -1,26 +0,0 @@
-ipsec-tools: CVE-2015-4047: null pointer dereference crash in racoon
-
-See: https://bugs.gentoo.org/show_bug.cgi?id=550118
-
-Downloaded from
-https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch
-
-See also
-https://sources.debian.net/src/ipsec-tools/1:0.8.2%2B20140711-8/debian/patches/bug785778-null-pointer-deref.patch/
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-
--- ./src/racoon/gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
-+++ ./src/racoon/gssapi.c    19 May 2015 15:16:00 -0000      1.6
-@@ -192,6 +192,11 @@
-	gss_name_t princ, canon_princ;
-	OM_uint32 maj_stat, min_stat;
- 
-+	if (iph1->rmconf == NULL) {
-+		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+		return -1;
-+	}
-+
-	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
-	if (gps == NULL) {
-		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
--- a/package/ipsec-tools/0005-CVE-2016-10396.patch
+++ b/package/ipsec-tools/0005-CVE-2016-10396.patch
@ -1,208 +0,0 @@
-Fix CVE-2016-10396
-
-Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
-Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
-Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
-
-Downloaded from
-https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/010-CVE-2016-10396.patch
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/isakmp_frag.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_frag.c
-@@ -1,4 +1,4 @@
-/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
-+/*	$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $	*/
- 
- /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
- 
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
- 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
- }
- 
-+static int 
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
-+{
-+	struct isakmp_frag_item *pitem = NULL;
-+	struct isakmp_frag_item *citem = iph1->frag_chain;
-+
-+	/* no frag yet, just insert at beginning of list */
-+	if (iph1->frag_chain == NULL) {
-+		iph1->frag_chain = item;
-+		return 0;
-+	}
-+
-+	do {
-+		/* duplicate fragment number, abort (CVE-2016-10396) */
-+		if (citem->frag_num == item->frag_num)
-+			return -1;
-+
-+		/* need to insert before current item */
-+		if (citem->frag_num > item->frag_num) {
-+			if (pitem != NULL)
-+				pitem->frag_next = item;
-+			else
-+				/* insert at the beginning of the list  */
-+				iph1->frag_chain = item;
-+			item->frag_next = citem;
-+			return 0;
-+		}
-+
-+		pitem = citem;
-+		citem = citem->frag_next;
-+	} while (citem != NULL);
-+
-+	/* we reached the end of the list, insert */
-+	pitem->frag_next = item;
-+	return 0;
-+}
-+
- int 
- isakmp_frag_extract(iph1, msg)
- 	struct ph1handle *iph1;
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
- 	item->frag_next = NULL;
- 	item->frag_packet = buf;
- 
-	/* Look for the last frag while inserting the new item in the chain */
-	if (item->frag_last)
-		last_frag = item->frag_num;
-+	/* Check for the last frag before inserting the new item in the chain */
-+	if (item->frag_last) {
-+		/* if we have the last fragment, indices must match */
-+		if (iph1->frag_last_index != 0 &&
-+		    item->frag_last != iph1->frag_last_index) {
-+			plog(LLV_ERROR, LOCATION, NULL,
-+			     "Repeated last fragment index mismatch\n");
-+			racoon_free(item);
-+			vfree(buf);
-+			return -1;
-+		}
- 
-	if (iph1->frag_chain == NULL) {
-		iph1->frag_chain = item;
-	} else {
-		struct isakmp_frag_item *current;
-+		last_frag = iph1->frag_last_index = item->frag_num;
-+	}
- 
-		current = iph1->frag_chain;
-		while (current->frag_next) {
-			if (current->frag_last)
-				last_frag = item->frag_num;
-			current = current->frag_next;
-		}
-		current->frag_next = item;
-+	/* insert fragment into chain */
-+	if (isakmp_frag_insert(iph1, item) == -1) {
-+		plog(LLV_ERROR, LOCATION, NULL,
-+		    "Repeated fragment index mismatch\n");
-+		racoon_free(item);
-+		vfree(buf);
-+		return -1;
- 	}
- 
-	/* If we saw the last frag, check if the chain is complete */
-+	/* If we saw the last frag, check if the chain is complete
-+	 * we have a sorted list now, so just walk through */
- 	if (last_frag != 0) {
-+		item = iph1->frag_chain;
- 		for (i = 1; i <= last_frag; i++) {
-			item = iph1->frag_chain;
-			do {
-				if (item->frag_num == i)
-					break;
-				item = item->frag_next;
-			} while (item != NULL);
-
-+			if (item->frag_num != i)
-+				break;
-+			item = item->frag_next;
- 			if (item == NULL) /* Not found */
- 				break;
- 		}
- 
-		if (item != NULL) /* It is complete */
-+		if (i > last_frag) /* It is complete */
- 			return 1;
- 	}
- 		
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
- 	}
- 	data = buf->v;
- 
-+	item = iph1->frag_chain;
- 	for (i = 1; i <= frag_count; i++) {
-		item = iph1->frag_chain;
-		do {
-			if (item->frag_num == i)
-				break;
-			item = item->frag_next;
-		} while (item != NULL);
-
-		if (item == NULL) {
-+		if (item->frag_num != i) {
- 			plog(LLV_ERROR, LOCATION, NULL, 
- 			    "Missing fragment #%d\n", i);
- 			vfree(buf);
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
- 		}
- 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
- 		data += item->frag_packet->l;
-+		item = item->frag_next;
- 	}
- 
- out:
-Index: ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/isakmp_inf.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_inf.c
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
- #endif
- #ifdef ENABLE_FRAG
- 	iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 
-Index: ipsec-tools-0.8.2/src/racoon/isakmp.c
-===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/isakmp.c
-+++ ipsec-tools-0.8.2/src/racoon/isakmp.c
-@@ -1071,6 +1071,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
- 		iph1->frag = 1;
- 	else
- 		iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 	iph1->approval = NULL;
-@@ -1175,6 +1176,7 @@ isakmp_ph1begin_r(msg, remote, local, et
- #endif
- #ifdef ENABLE_FRAG
- 	iph1->frag = 0;
-+	iph1->frag_last_index = 0;
- 	iph1->frag_chain = NULL;
- #endif
- 	iph1->approval = NULL;
-Index: ipsec-tools-0.8.2/src/racoon/handler.h
-===================================================================
--- ipsec-tools-0.8.2.orig/src/racoon/handler.h
-+++ ipsec-tools-0.8.2/src/racoon/handler.h
-@@ -1,4 +1,4 @@
-/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
-+/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/
- 
- /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
- 
-@@ -141,6 +141,7 @@ struct ph1handle {
- #endif
- #ifdef ENABLE_FRAG
- 	int frag;			/* IKE phase 1 fragmentation */
-+	int frag_last_index;
- 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
- #endif
- 
--- a/package/ipsec-tools/0006-openssl-1.1.patch
+++ b/package/ipsec-tools/0006-openssl-1.1.patch
--- a/package/ipsec-tools/Config.in
+++ b/package/ipsec-tools/Config.in
@ -1,75 +0,0 @@
-config BR2_PACKAGE_IPSEC_TOOLS
-	bool "ipsec-tools"
-	depends on BR2_USE_MMU # fork()
-	depends on !BR2_TOOLCHAIN_USES_MUSL # Use __P() macro all over the tree
-	select BR2_PACKAGE_OPENSSL
-	select BR2_PACKAGE_FLEX
-	help
-	  This package is required to support IPSec for Linux 2.6+
-
-	  http://ipsec-tools.sourceforge.net/
-
-if BR2_PACKAGE_IPSEC_TOOLS
-
-config BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT
-	bool "Enable racoonctl(8)"
-	default y
-	help
-	  Lets racoon to listen to racoon admin port, which is to
-	  be contacted by racoonctl(8).
-
-config BR2_PACKAGE_IPSEC_TOOLS_NATT
-	bool "Enable NAT-Traversal"
-	help
-	  This needs kernel support, which is available on Linux. On
-	  NetBSD, NAT-Traversal kernel support has not been integrated
-	  yet, you can get it from here:
-
-	  http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff If you
-
-	  live in a country where software patents are legal, using
-	  NAT-Traversal might infringe a patent.
-
-config BR2_PACKAGE_IPSEC_TOOLS_FRAG
-	bool "Enable IKE fragmentation"
-	help
-	  Enable IKE fragmentation, which is a workaround for
-	  broken routers that drop fragmented packets
-
-config BR2_PACKAGE_IPSEC_TOOLS_DPD
-	bool "Enable DPD (Dead Peer Detection)"
-	help
-	  Enable dead peer detection support
-
-config BR2_PACKAGE_IPSEC_TOOLS_STATS
-	bool "Enable statistics logging function"
-	default y
-
-config BR2_PACKAGE_IPSEC_TOOLS_READLINE
-	bool "Enable readline input support"
-	select BR2_PACKAGE_READLINE
-
-config BR2_PACKAGE_IPSEC_TOOLS_HYBRID
-	bool "Enable hybrid, both mode-cfg and xauth support"
-	help
-	  Hybrid mode is required for successful interoperability
-	  (e.g. Cisco VPN Client).
-
-choice
-	prompt "Security context"
-	default BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE
-	help
-	  Selects whether or not to enable security context support.
-
-config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE
-	bool "Disable security context support"
-
-config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_ENABLE
-	bool "Enable SELinux security context support"
-
-config BR2_PACKAGE_IPSEC_TOOLS_SECCTX_KERNEL
-	bool "Enable kernel security context"
-
-endchoice
-
-endif
--- a/package/ipsec-tools/ipsec-tools.hash
+++ b/package/ipsec-tools/ipsec-tools.hash
@ -1,6 +0,0 @@
-# From http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.2/
-md5	d53ec14a0a3ece64e09e5e34b3350b41	ipsec-tools-0.8.2.tar.bz2
-sha1	7d92cae9fde59fb4f125636698c43b0a3df3d0f0	ipsec-tools-0.8.2.tar.bz2
-
-# Locally calculated
-sha256	3f4af4aef0b2599928bee9875935b8fad8449ddbb98ea7da74c20c3dff5cdef7  src/setkey/setkey.c
--- a/package/ipsec-tools/ipsec-tools.mk
+++ b/package/ipsec-tools/ipsec-tools.mk
@ -1,85 +0,0 @@
-################################################################################
-#
-# ipsec-tools
-#
-################################################################################
-
-IPSEC_TOOLS_VERSION = 0.8.2
-IPSEC_TOOLS_SOURCE = ipsec-tools-$(IPSEC_TOOLS_VERSION).tar.bz2
-IPSEC_TOOLS_SITE = http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/$(IPSEC_TOOLS_VERSION)
-IPSEC_TOOLS_LICENSE = BSD-3-Clause
-IPSEC_TOOLS_LICENSE_FILES = src/setkey/setkey.c
-IPSEC_TOOLS_INSTALL_STAGING = YES
-IPSEC_TOOLS_MAKE = $(MAKE1)
-IPSEC_TOOLS_DEPENDENCIES = openssl flex host-pkgconf host-flex host-bison
-# we patch configure.ac
-IPSEC_TOOLS_AUTORECONF = YES
-
-# 0004-CVE-2015-4047.patch
-IPSEC_TOOLS_IGNORE_CVES += CVE-2015-4047
-# 0005-CVE-2016-10396.patch
-IPSEC_TOOLS_IGNORE_CVES += CVE-2016-10396
-
-# configure hardcodes -Werror, so override CFLAGS on make invocation
-IPSEC_TOOLS_MAKE_OPTS = CFLAGS='$(TARGET_CFLAGS)'
-
-IPSEC_TOOLS_CONF_ENV = LIBS=`$(PKG_CONFIG_HOST_BINARY) --libs openssl`
-
-IPSEC_TOOLS_CONF_OPTS = \
-	  --without-libpam \
-	  --disable-gssapi \
-	  --with-kernel-headers=$(STAGING_DIR)/usr/include
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_ADMINPORT),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-adminport
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-adminport
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_NATT),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-natt
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-natt
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_FRAG),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-frag
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-frag
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_DPD),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-dpd
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-dpd
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_STATS),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-stats
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-stats
-endif
-
-ifneq ($(BR2_PACKAGE_IPSEC_TOOLS_READLINE),y)
-IPSEC_TOOLS_CONF_OPTS += --without-readline
-else
-IPSEC_TOOLS_DEPENDENCIES += readline
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_HYBRID),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-hybrid
-else
-IPSEC_TOOLS_CONF_OPTS += --disable-hybrid
-endif
-
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_DISABLE),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-security-context=no
-endif
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_ENABLE),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-security-context=yes
-endif
-ifeq ($(BR2_PACKAGE_IPSEC_TOOLS_SECCTX_KERNEL),y)
-IPSEC_TOOLS_CONF_OPTS += --enable-security-context=kernel
-endif
-
-$(eval $(autotools-package))