commit: ee8b389b8cabe9cbe8fcc0360f2062708974297d |
Author: Jakov Smolić <jsmolic <AT> gentoo <DOT> org> |
AuthorDate: Tue Sep 28 14:29:14 2021 +0000 |
Commit: Jakov Smolić <jsmolic <AT> gentoo <DOT> org> |
CommitDate: Tue Sep 28 14:29:14 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee8b389b |
|
net-vpn/ipsec-tools: Remove last-rited package |
|
Signed-off-by: Jakov Smolić <jsmolic <AT> gentoo.org> |
|
net-vpn/ipsec-tools/Manifest | 2 - |
.../files/ipsec-tools-0.8.0-sysctl.patch | 22 -- |
.../files/ipsec-tools-CVE-2015-4047.patch | 16 -- |
.../files/ipsec-tools-CVE-2016-10396.patch | 201 --------------- |
.../ipsec-tools/files/ipsec-tools-def-psk.patch | 25 -- |
.../files/ipsec-tools-include-vendoridh.patch | 11 - |
net-vpn/ipsec-tools/files/ipsec-tools.conf | 26 -- |
net-vpn/ipsec-tools/files/ipsec-tools.service | 12 - |
net-vpn/ipsec-tools/files/psk.txt | 10 - |
net-vpn/ipsec-tools/files/racoon.conf | 33 --- |
net-vpn/ipsec-tools/files/racoon.conf.d-r2 | 29 --- |
net-vpn/ipsec-tools/files/racoon.init.d-r3 | 57 ----- |
net-vpn/ipsec-tools/files/racoon.pam.d | 4 - |
net-vpn/ipsec-tools/files/racoon.service | 11 - |
net-vpn/ipsec-tools/ipsec-tools-0.8.2-r8.ebuild | 284 --------------------- |
net-vpn/ipsec-tools/metadata.xml | 17 -- |
profiles/package.mask | 4 - |
17 files changed, 764 deletions(-) |
|
31 |
diff --git a/net-vpn/ipsec-tools/Manifest b/net-vpn/ipsec-tools/Manifest |
32 |
deleted file mode 100644 |
33 |
index 2490dbc0ab0..00000000000 |
34 |
--- a/net-vpn/ipsec-tools/Manifest |
35 |
+++ /dev/null |
36 |
@@ -1,2 +0,0 @@ |
37 |
-DIST ipsec-tools-0.8.2.tar.bz2 866465 BLAKE2B cf8c9175d96326fc5c74e6b1921bc66911256e289e6fe9cef77f26c197546902be3ebd5696af39c749a2abaac3f42010c9e2a281fd208122cd59222044b9dd4c SHA512 2b7d0efa908d3a699be7ef8b2b126a3809956cb7add50e8efb1cfdfc2d9b70c39ef517379cb9a4fad9e5f0c25937e98535b06c32bd3e729f5129da4ab133e30f |
38 |
-DIST ipsec-tools-add-openssl-1.1.x-support.patch 32066 BLAKE2B b8380408c90bb93f0b95938de2efc61c80d727ae61a1417134583a8c74055fcfe1f7f75893f1f701b0f301a16d8b4d14f1b8a09d1e81d238821bcc122dfe183f SHA512 f2bd85f1c51226da6fc50d3473129e4c2e3c0e46107337f8d676029b7072b98bf164b6813a16de7dd4481f80038453b55a5ff56e7f5ec08ab07641034258e778 |
39 |
|
40 |
diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch b/net-vpn/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch |
41 |
deleted file mode 100644 |
42 |
index 5c69bbb2fa6..00000000000 |
43 |
--- a/net-vpn/ipsec-tools/files/ipsec-tools-0.8.0-sysctl.patch |
44 |
+++ /dev/null |
45 |
@@ -1,22 +0,0 @@ |
46 |
-https://bugs.gentoo.org/425770 |
47 |
- |
48 |
---- a/src/racoon/pfkey.c |
49 |
-+++ b/src/racoon/pfkey.c |
50 |
-@@ -59,7 +59,6 @@ |
51 |
- #include <sys/param.h> |
52 |
- #include <sys/socket.h> |
53 |
- #include <sys/queue.h> |
54 |
--#include <sys/sysctl.h> |
55 |
- |
56 |
- #include <net/route.h> |
57 |
- #include <net/pfkeyv2.h> |
58 |
---- a/src/setkey/setkey.c |
59 |
-+++ b/src/setkey/setkey.c |
60 |
-@@ -40,7 +40,6 @@ |
61 |
- #include <sys/socket.h> |
62 |
- #include <sys/time.h> |
63 |
- #include <sys/stat.h> |
64 |
--#include <sys/sysctl.h> |
65 |
- #include <err.h> |
66 |
- #include <netinet/in.h> |
67 |
- #include <net/pfkeyv2.h> |
68 |
|
69 |
diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch b/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch |
70 |
deleted file mode 100644 |
71 |
index 58f72e109c4..00000000000 |
72 |
--- a/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2015-4047.patch |
73 |
+++ /dev/null |
74 |
@@ -1,16 +0,0 @@ |
75 |
-See: https://bugs.gentoo.org/show_bug.cgi?id=550118 |
76 |
- |
77 |
---- ./src/racoon/gssapi.c 9 Sep 2006 16:22:09 -0000 1.4 |
78 |
-+++ ./src/racoon/gssapi.c 19 May 2015 15:16:00 -0000 1.6 |
79 |
-@@ -192,6 +192,11 @@ |
80 |
- gss_name_t princ, canon_princ; |
81 |
- OM_uint32 maj_stat, min_stat; |
82 |
- |
83 |
-+ if (iph1->rmconf == NULL) { |
84 |
-+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n"); |
85 |
-+ return -1; |
86 |
-+ } |
87 |
-+ |
88 |
- gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state)); |
89 |
- if (gps == NULL) { |
90 |
- plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n"); |
91 |
|
92 |
diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2016-10396.patch b/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2016-10396.patch |
93 |
deleted file mode 100644 |
94 |
index e123007bb59..00000000000 |
95 |
--- a/net-vpn/ipsec-tools/files/ipsec-tools-CVE-2016-10396.patch |
96 |
+++ /dev/null |
97 |
@@ -1,201 +0,0 @@ |
98 |
-Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 |
99 |
-Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 |
100 |
-Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 |
101 |
- |
102 |
-Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c |
103 |
-=================================================================== |
104 |
---- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c |
105 |
-+++ pkg-ipsec-tools/src/racoon/isakmp_frag.c |
106 |
-@@ -1,4 +1,4 @@ |
107 |
--/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ |
108 |
-+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */ |
109 |
- |
110 |
- /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ |
111 |
- |
112 |
-@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) |
113 |
- return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); |
114 |
- } |
115 |
- |
116 |
-+static int |
117 |
-+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) |
118 |
-+{ |
119 |
-+ struct isakmp_frag_item *pitem = NULL; |
120 |
-+ struct isakmp_frag_item *citem = iph1->frag_chain; |
121 |
-+ |
122 |
-+ /* no frag yet, just insert at beginning of list */ |
123 |
-+ if (iph1->frag_chain == NULL) { |
124 |
-+ iph1->frag_chain = item; |
125 |
-+ return 0; |
126 |
-+ } |
127 |
-+ |
128 |
-+ do { |
129 |
-+ /* duplicate fragment number, abort (CVE-2016-10396) */ |
130 |
-+ if (citem->frag_num == item->frag_num) |
131 |
-+ return -1; |
132 |
-+ |
133 |
-+ /* need to insert before current item */ |
134 |
-+ if (citem->frag_num > item->frag_num) { |
135 |
-+ if (pitem != NULL) |
136 |
-+ pitem->frag_next = item; |
137 |
-+ else |
138 |
-+ /* insert at the beginning of the list */ |
139 |
-+ iph1->frag_chain = item; |
140 |
-+ item->frag_next = citem; |
141 |
-+ return 0; |
142 |
-+ } |
143 |
-+ |
144 |
-+ pitem = citem; |
145 |
-+ citem = citem->frag_next; |
146 |
-+ } while (citem != NULL); |
147 |
-+ |
148 |
-+ /* we reached the end of the list, insert */ |
149 |
-+ pitem->frag_next = item; |
150 |
-+ return 0; |
151 |
-+} |
152 |
-+ |
153 |
- int |
154 |
- isakmp_frag_extract(iph1, msg) |
155 |
- struct ph1handle *iph1; |
156 |
-@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) |
157 |
- item->frag_next = NULL; |
158 |
- item->frag_packet = buf; |
159 |
- |
160 |
-- /* Look for the last frag while inserting the new item in the chain */ |
161 |
-- if (item->frag_last) |
162 |
-- last_frag = item->frag_num; |
163 |
-+ /* Check for the last frag before inserting the new item in the chain */ |
164 |
-+ if (item->frag_last) { |
165 |
-+ /* if we have the last fragment, indices must match */ |
166 |
-+ if (iph1->frag_last_index != 0 && |
167 |
-+ item->frag_last != iph1->frag_last_index) { |
168 |
-+ plog(LLV_ERROR, LOCATION, NULL, |
169 |
-+ "Repeated last fragment index mismatch\n"); |
170 |
-+ racoon_free(item); |
171 |
-+ vfree(buf); |
172 |
-+ return -1; |
173 |
-+ } |
174 |
- |
175 |
-- if (iph1->frag_chain == NULL) { |
176 |
-- iph1->frag_chain = item; |
177 |
-- } else { |
178 |
-- struct isakmp_frag_item *current; |
179 |
-+ last_frag = iph1->frag_last_index = item->frag_num; |
180 |
-+ } |
181 |
- |
182 |
-- current = iph1->frag_chain; |
183 |
-- while (current->frag_next) { |
184 |
-- if (current->frag_last) |
185 |
-- last_frag = item->frag_num; |
186 |
-- current = current->frag_next; |
187 |
-- } |
188 |
-- current->frag_next = item; |
189 |
-+ /* insert fragment into chain */ |
190 |
-+ if (isakmp_frag_insert(iph1, item) == -1) { |
191 |
-+ plog(LLV_ERROR, LOCATION, NULL, |
192 |
-+ "Repeated fragment index mismatch\n"); |
193 |
-+ racoon_free(item); |
194 |
-+ vfree(buf); |
195 |
-+ return -1; |
196 |
- } |
197 |
- |
198 |
-- /* If we saw the last frag, check if the chain is complete */ |
199 |
-+ /* If we saw the last frag, check if the chain is complete |
200 |
-+ * we have a sorted list now, so just walk through */ |
201 |
- if (last_frag != 0) { |
202 |
-+ item = iph1->frag_chain; |
203 |
- for (i = 1; i <= last_frag; i++) { |
204 |
-- item = iph1->frag_chain; |
205 |
-- do { |
206 |
-- if (item->frag_num == i) |
207 |
-- break; |
208 |
-- item = item->frag_next; |
209 |
-- } while (item != NULL); |
210 |
-- |
211 |
-+ if (item->frag_num != i) |
212 |
-+ break; |
213 |
-+ item = item->frag_next; |
214 |
- if (item == NULL) /* Not found */ |
215 |
- break; |
216 |
- } |
217 |
- |
218 |
-- if (item != NULL) /* It is complete */ |
219 |
-+ if (i > last_frag) /* It is complete */ |
220 |
- return 1; |
221 |
- } |
222 |
- |
223 |
-@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) |
224 |
- } |
225 |
- data = buf->v; |
226 |
- |
227 |
-+ item = iph1->frag_chain; |
228 |
- for (i = 1; i <= frag_count; i++) { |
229 |
-- item = iph1->frag_chain; |
230 |
-- do { |
231 |
-- if (item->frag_num == i) |
232 |
-- break; |
233 |
-- item = item->frag_next; |
234 |
-- } while (item != NULL); |
235 |
-- |
236 |
-- if (item == NULL) { |
237 |
-+ if (item->frag_num != i) { |
238 |
- plog(LLV_ERROR, LOCATION, NULL, |
239 |
- "Missing fragment #%d\n", i); |
240 |
- vfree(buf); |
241 |
-@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) |
242 |
- } |
243 |
- memcpy(data, item->frag_packet->v, item->frag_packet->l); |
244 |
- data += item->frag_packet->l; |
245 |
-+ item = item->frag_next; |
246 |
- } |
247 |
- |
248 |
- out: |
249 |
-Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c |
250 |
-=================================================================== |
251 |
---- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c |
252 |
-+++ pkg-ipsec-tools/src/racoon/isakmp_inf.c |
253 |
-@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca |
254 |
- #endif |
255 |
- #ifdef ENABLE_FRAG |
256 |
- iph1->frag = 0; |
257 |
-+ iph1->frag_last_index = 0; |
258 |
- iph1->frag_chain = NULL; |
259 |
- #endif |
260 |
- |
261 |
-Index: pkg-ipsec-tools/src/racoon/isakmp.c |
262 |
-=================================================================== |
263 |
---- pkg-ipsec-tools.orig/src/racoon/isakmp.c |
264 |
-+++ pkg-ipsec-tools/src/racoon/isakmp.c |
265 |
-@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local) |
266 |
- iph1->frag = 1; |
267 |
- else |
268 |
- iph1->frag = 0; |
269 |
-+ iph1->frag_last_index = 0; |
270 |
- iph1->frag_chain = NULL; |
271 |
- #endif |
272 |
- iph1->approval = NULL; |
273 |
-@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et |
274 |
- #endif |
275 |
- #ifdef ENABLE_FRAG |
276 |
- iph1->frag = 0; |
277 |
-+ iph1->frag_last_index = 0; |
278 |
- iph1->frag_chain = NULL; |
279 |
- #endif |
280 |
- iph1->approval = NULL; |
281 |
-Index: pkg-ipsec-tools/src/racoon/handler.h |
282 |
-=================================================================== |
283 |
---- pkg-ipsec-tools.orig/src/racoon/handler.h |
284 |
-+++ pkg-ipsec-tools/src/racoon/handler.h |
285 |
-@@ -1,4 +1,4 @@ |
286 |
--/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */ |
287 |
-+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */ |
288 |
- |
289 |
- /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */ |
290 |
- |
291 |
-@@ -141,6 +141,7 @@ struct ph1handle { |
292 |
- #endif |
293 |
- #ifdef ENABLE_FRAG |
294 |
- int frag; /* IKE phase 1 fragmentation */ |
295 |
-+ int frag_last_index; |
296 |
- struct isakmp_frag_item *frag_chain; /* Received fragments */ |
297 |
- #endif |
298 |
- |
299 |
|
300 |
diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-def-psk.patch b/net-vpn/ipsec-tools/files/ipsec-tools-def-psk.patch |
301 |
deleted file mode 100644 |
302 |
index f351860a84e..00000000000 |
303 |
--- a/net-vpn/ipsec-tools/files/ipsec-tools-def-psk.patch |
304 |
+++ /dev/null |
305 |
@@ -1,25 +0,0 @@ |
306 |
-diff -brau ipsec-tools-0.7.3.o/src/racoon/oakley.c ipsec-tools-0.7.3/src/racoon/oakley.c |
307 |
---- ipsec-tools-0.7.3.o/src/racoon/oakley.c 2009-08-13 11:18:45.000000000 +0200 |
308 |
-+++ ipsec-tools-0.7.3/src/racoon/oakley.c 2011-06-06 09:36:11.000000000 +0200 |
309 |
-@@ -2498,8 +2498,21 @@ |
310 |
- plog(LLV_ERROR, LOCATION, iph1->remote, |
311 |
- "couldn't find the pskey for %s.\n", |
312 |
- saddrwop2str(iph1->remote)); |
313 |
-+ } |
314 |
-+ } |
315 |
-+ if (iph1->authstr == NULL) { |
316 |
-+ /* |
317 |
-+ * If we could not locate a psk above try and locate |
318 |
-+ * the default psk, ie, "*". |
319 |
-+ */ |
320 |
-+ iph1->authstr = privsep_getpsk("*", 1); |
321 |
-+ if (iph1->authstr == NULL) { |
322 |
-+ plog(LLV_ERROR, LOCATION, iph1->remote, |
323 |
-+ "couldn't find the the default pskey either.\n"); |
324 |
- goto end; |
325 |
- } |
326 |
-+ plog(LLV_NOTIFY, LOCATION, iph1->remote, |
327 |
-+ "Using default PSK.\n"); |
328 |
- } |
329 |
- plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n"); |
330 |
- /* should be secret PSK */ |
331 |
|
332 |
diff --git a/net-vpn/ipsec-tools/files/ipsec-tools-include-vendoridh.patch b/net-vpn/ipsec-tools/files/ipsec-tools-include-vendoridh.patch |
333 |
deleted file mode 100644 |
334 |
index 2e22c82db47..00000000000 |
335 |
--- a/net-vpn/ipsec-tools/files/ipsec-tools-include-vendoridh.patch |
336 |
+++ /dev/null |
337 |
@@ -1,11 +0,0 @@ |
338 |
-diff -Naur ipsec-tools-0.8.0.orig//src/racoon/ipsec_doi.c ipsec-tools-0.8.0/src/racoon/ipsec_doi.c |
339 |
---- ipsec-tools-0.8.0.orig//src/racoon/ipsec_doi.c 2012-02-28 13:42:24.000000000 -0500 |
340 |
-+++ ipsec-tools-0.8.0/src/racoon/ipsec_doi.c 2012-02-28 13:41:22.000000000 -0500 |
341 |
-@@ -87,6 +87,7 @@ |
342 |
- #ifdef HAVE_GSSAPI |
343 |
- #include <iconv.h> |
344 |
- #include "gssapi.h" |
345 |
-+#include "vendorid.h" |
346 |
- #ifdef HAVE_ICONV_2ND_CONST |
347 |
- #define __iconv_const const |
348 |
- #else |
349 |
|
350 |
diff --git a/net-vpn/ipsec-tools/files/ipsec-tools.conf b/net-vpn/ipsec-tools/files/ipsec-tools.conf |
351 |
deleted file mode 100644 |
352 |
index bfff04af069..00000000000 |
353 |
--- a/net-vpn/ipsec-tools/files/ipsec-tools.conf |
354 |
+++ /dev/null |
355 |
@@ -1,26 +0,0 @@ |
356 |
-#!/usr/sbin/setkey -f |
357 |
-# |
358 |
-# THIS IS A SAMPLE FILE! |
359 |
-# |
360 |
-# This is a sample file to test Gentoo's ipsec-tools out of the box. |
361 |
-# Do not use it in production. See: http://www.ipsec-howto.org/ |
362 |
-# |
363 |
-flush; |
364 |
-spdflush; |
365 |
- |
366 |
-# |
367 |
-# Uncomment the following if you want to do manual keying, ie, you want to run IPsec without racoon. |
368 |
-# Do not switch 192.168.3.21 <-> 192.168.3.25 on the peer |
369 |
-# |
370 |
-#add 192.168.3.25 192.168.3.21 ah 0x200 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6; |
371 |
-#add 192.168.3.21 192.168.3.25 ah 0x300 -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b; |
372 |
-#add 192.168.3.25 192.168.3.21 esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831; |
373 |
-#add 192.168.3.21 192.168.3.25 esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df; |
374 |
- |
375 |
-# |
376 |
-# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer |
377 |
-# |
378 |
-#spdadd 192.168.3.21 192.168.3.25 any -P out ipsec esp/transport//require ah/transport//require; |
379 |
-#spdadd 192.168.3.25 192.168.3.21 any -P in ipsec esp/transport//require ah/transport//require; |
380 |
-spdadd 192.168.3.25 192.168.3.21 any -P out ipsec esp/transport//require ah/transport//require; |
381 |
-spdadd 192.168.3.21 192.168.3.25 any -P in ipsec esp/transport//require ah/transport//require; |
382 |
|
383 |
diff --git a/net-vpn/ipsec-tools/files/ipsec-tools.service b/net-vpn/ipsec-tools/files/ipsec-tools.service |
384 |
deleted file mode 100644 |
385 |
index 0341aa7e4ed..00000000000 |
386 |
--- a/net-vpn/ipsec-tools/files/ipsec-tools.service |
387 |
+++ /dev/null |
388 |
@@ -1,12 +0,0 @@ |
389 |
-[Unit] |
390 |
-Description=Load IPSec Security Policy Database |
391 |
-After=syslog.target network.target |
392 |
- |
393 |
-[Service] |
394 |
-Type=oneshot |
395 |
-RemainAfterExit=true |
396 |
-ExecStart=/usr/sbin/setkey -k -f /etc/ipsec-tools.conf |
397 |
-ExecStop=/usr/sbin/setkey -F -P ; /usr/sbin/setkey -F |
398 |
- |
399 |
-[Install] |
400 |
-WantedBy=multi-user.target |
401 |
|
402 |
diff --git a/net-vpn/ipsec-tools/files/psk.txt b/net-vpn/ipsec-tools/files/psk.txt |
403 |
deleted file mode 100644 |
404 |
index 97f5180f5ae..00000000000 |
405 |
--- a/net-vpn/ipsec-tools/files/psk.txt |
406 |
+++ /dev/null |
407 |
@@ -1,10 +0,0 @@ |
408 |
-# THIS IS A SAMPLE FILE! |
409 |
-# |
410 |
-# This is a sample file to test Gentoo's ipsec-tools out of the box. |
411 |
-# Do not use it in production. See: http://www.ipsec-howto.org/ |
412 |
-# |
413 |
-# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer |
414 |
-# |
415 |
-# Peer IP/FQDN Secret |
416 |
-# 192.168.3.25 sample |
417 |
-192.168.3.21 sample |
418 |
|
419 |
diff --git a/net-vpn/ipsec-tools/files/racoon.conf b/net-vpn/ipsec-tools/files/racoon.conf |
420 |
deleted file mode 100644 |
421 |
index 2e9206db950..00000000000 |
422 |
--- a/net-vpn/ipsec-tools/files/racoon.conf |
423 |
+++ /dev/null |
424 |
@@ -1,33 +0,0 @@ |
425 |
-# THIS IS A SAMPLE FILE! |
426 |
-# |
427 |
-# This is a sample file to test Gentoo's ipsec-tools out of the box. |
428 |
-# Do not use it in production. See: http://www.ipsec-howto.org/ |
429 |
-# |
430 |
-path pre_shared_key "/etc/racoon/psk.txt"; |
431 |
- |
432 |
-# |
433 |
-# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer |
434 |
-# |
435 |
-#remote 192.168.3.25 |
436 |
-remote 192.168.3.21 |
437 |
-{ |
438 |
- exchange_mode main; |
439 |
- proposal { |
440 |
- encryption_algorithm 3des; |
441 |
- hash_algorithm md5; |
442 |
- authentication_method pre_shared_key; |
443 |
- dh_group modp1024; |
444 |
- } |
445 |
-} |
446 |
- |
447 |
-# |
448 |
-# Make sure to switch 192.168.3.21 <-> 192.168.3.25 on the peer |
449 |
-# |
450 |
-#sainfo address 192.168.3.21 any address 192.168.3.25 any |
451 |
-sainfo address 192.168.3.25 any address 192.168.3.21 any |
452 |
-{ |
453 |
- pfs_group modp768; |
454 |
- encryption_algorithm 3des; |
455 |
- authentication_algorithm hmac_md5; |
456 |
- compression_algorithm deflate; |
457 |
-} |
458 |
|
459 |
diff --git a/net-vpn/ipsec-tools/files/racoon.conf.d-r2 b/net-vpn/ipsec-tools/files/racoon.conf.d-r2 |
460 |
deleted file mode 100644 |
461 |
index c592d358496..00000000000 |
462 |
--- a/net-vpn/ipsec-tools/files/racoon.conf.d-r2 |
463 |
+++ /dev/null |
464 |
@@ -1,29 +0,0 @@ |
465 |
-# Copyright 1999-2014 Gentoo Foundation |
466 |
-# Distributed under the terms of the GNU General Public License v2 |
467 |
- |
468 |
-# Config file for /etc/init.d/racoon |
469 |
- |
470 |
-# See the man page or run `racoon --help` for valid command-line options |
471 |
-# RACOON_OPTS="-d" |
472 |
- |
473 |
-RACOON_CONF="/etc/racoon/racoon.conf" |
474 |
-RACOON_PSK_FILE="/etc/racoon/psk.txt" |
475 |
- |
476 |
-# The amount of time in ms for start-stop-daemon to wait before a timeout |
477 |
-# Racoon can sometimes be slow. We'll wait 1 sec. Bug #435398. |
478 |
- |
479 |
-RACOON_WAIT="1000" |
480 |
- |
481 |
-# The setkey config file. Don't name it ipsec.conf as this clashes |
482 |
-# with strongswan. We'll follow debian's naming. Bug #436144. |
483 |
- |
484 |
-SETKEY_CONF="/etc/ipsec-tools.conf" |
485 |
- |
486 |
-# Comment or remove the following if you don't want the policy tables |
487 |
-# to be flushed when racoon is stopped. |
488 |
- |
489 |
-RACOON_RESET_TABLES="true" |
490 |
- |
491 |
-# If you need to set custom options to the setkey command when loading rules, use this |
492 |
-# more info in the setkey mangage (example below sets kernel mode instead of RFC mode): |
493 |
-#SETKEY_OPTS="-k" |
494 |
|
495 |
diff --git a/net-vpn/ipsec-tools/files/racoon.init.d-r3 b/net-vpn/ipsec-tools/files/racoon.init.d-r3 |
496 |
deleted file mode 100644 |
497 |
index 66e10bb84d4..00000000000 |
498 |
--- a/net-vpn/ipsec-tools/files/racoon.init.d-r3 |
499 |
+++ /dev/null |
500 |
@@ -1,57 +0,0 @@ |
501 |
-#!/sbin/openrc-run |
502 |
-# Copyright 1999-2014 Gentoo Foundation |
503 |
-# Distributed under the terms of the GNU General Public License v2 |
504 |
- |
505 |
-depend() { |
506 |
- before netmount |
507 |
- use net |
508 |
-} |
509 |
- |
510 |
-checkconfig() { |
511 |
- if [ ! -e ${SETKEY_CONF} ] ; then |
512 |
- eerror "You need to configure setkey before starting racoon." |
513 |
- return 1 |
514 |
- fi |
515 |
- if [ ! -e ${RACOON_CONF} ] ; then |
516 |
- eerror "You need a configuration file to start racoon." |
517 |
- return 1 |
518 |
- fi |
519 |
- if [ ! -z ${RACOON_PSK_FILE} ] ; then |
520 |
- if [ ! -f ${RACOON_PSK_FILE} ] ; then |
521 |
- eerror "PSK file not found as specified." |
522 |
- eerror "Set RACOON_PSK_FILE in /etc/conf.d/racoon." |
523 |
- return 1 |
524 |
- fi |
525 |
- case "`ls -Lldn ${RACOON_PSK_FILE}`" in |
526 |
- -r--------*) |
527 |
- ;; |
528 |
- *) |
529 |
- eerror "Your defined PSK file should be mode 400 for security!" |
530 |
- return 1 |
531 |
- ;; |
532 |
- esac |
533 |
- fi |
534 |
-} |
535 |
- |
536 |
-command=/usr/sbin/racoon |
537 |
-command_args="-f ${RACOON_CONF} ${RACOON_OPTS}" |
538 |
-pidfile=/var/run/racoon.pid |
539 |
-start_stop_daemon_args="--wait ${RACOON_WAIT}" |
540 |
- |
541 |
-start_pre() { |
542 |
- checkconfig || return 1 |
543 |
- einfo "Loading ipsec policies from ${SETKEY_CONF}." |
544 |
- /usr/sbin/setkey ${SETKEY_OPTS} -f ${SETKEY_CONF} |
545 |
- if [ $? -eq 1 ] ; then |
546 |
- eerror "Error while loading ipsec policies" |
547 |
- fi |
548 |
-} |
549 |
- |
550 |
-stop_post() { |
551 |
- if [ -n "${RACOON_RESET_TABLES}" ]; then |
552 |
- ebegin "Flushing policy entries" |
553 |
- /usr/sbin/setkey -F |
554 |
- /usr/sbin/setkey -FP |
555 |
- eend $? |
556 |
- fi |
557 |
-} |
558 |
|
559 |
diff --git a/net-vpn/ipsec-tools/files/racoon.pam.d b/net-vpn/ipsec-tools/files/racoon.pam.d |
560 |
deleted file mode 100644 |
561 |
index b801aaafa0f..00000000000 |
562 |
--- a/net-vpn/ipsec-tools/files/racoon.pam.d |
563 |
+++ /dev/null |
564 |
@@ -1,4 +0,0 @@ |
565 |
-auth include system-remote-login |
566 |
-account include system-remote-login |
567 |
-password include system-remote-login |
568 |
-session include system-remote-login |
569 |
|
570 |
diff --git a/net-vpn/ipsec-tools/files/racoon.service b/net-vpn/ipsec-tools/files/racoon.service |
571 |
deleted file mode 100644 |
572 |
index df7f1bb8f8c..00000000000 |
573 |
--- a/net-vpn/ipsec-tools/files/racoon.service |
574 |
+++ /dev/null |
575 |
@@ -1,11 +0,0 @@ |
576 |
-[Unit] |
577 |
-Description=Racoon IKEv1 key management daemon for IPSEC |
578 |
-After=syslog.target network.target |
579 |
-Requires=ipsec-tools.service |
580 |
- |
581 |
-[Service] |
582 |
-Type=forking |
583 |
-ExecStart=/usr/sbin/racoon -f /etc/racoon/racoon.conf |
584 |
- |
585 |
-[Install] |
586 |
-WantedBy=multi-user.target |
587 |
|
588 |
diff --git a/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r8.ebuild b/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r8.ebuild |
589 |
deleted file mode 100644 |
590 |
index f5bcdfcd4ab..00000000000 |
591 |
--- a/net-vpn/ipsec-tools/ipsec-tools-0.8.2-r8.ebuild |
592 |
+++ /dev/null |
593 |
@@ -1,284 +0,0 @@ |
594 |
-# Copyright 1999-2021 Gentoo Authors |
595 |
-# Distributed under the terms of the GNU General Public License v2 |
596 |
- |
597 |
-EAPI="6" |
598 |
- |
599 |
-inherit flag-o-matic autotools linux-info pam systemd |
600 |
- |
601 |
-DESCRIPTION="A port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation" |
602 |
-HOMEPAGE="http://ipsec-tools.sourceforge.net/" |
603 |
-SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2 |
604 |
- https://dev.gentoo.org/~juippis/distfiles/tmp/ipsec-tools-add-openssl-1.1.x-support.patch" |
605 |
- |
606 |
-LICENSE="BSD GPL-2" |
607 |
-SLOT="0" |
608 |
-KEYWORDS="amd64 arm ~ia64 ~mips ppc ppc64 x86" |
609 |
-IUSE="hybrid idea ipv6 kerberos ldap nat pam rc5 readline selinux stats" |
610 |
- |
611 |
-CDEPEND=" |
612 |
- dev-libs/openssl:0= |
613 |
- virtual/libcrypt:= |
614 |
- kerberos? ( virtual/krb5 ) |
615 |
- ldap? ( net-nds/openldap ) |
616 |
- pam? ( sys-libs/pam ) |
617 |
- readline? ( sys-libs/readline:0= ) |
618 |
- selinux? ( sys-libs/libselinux )" |
619 |
- |
620 |
-DEPEND="${CDEPEND} |
621 |
- >=sys-kernel/linux-headers-2.6.30" |
622 |
- |
623 |
-RDEPEND="${CDEPEND} |
624 |
- selinux? ( sec-policy/selinux-ipsec ) |
625 |
-" |
626 |
- |
627 |
-pkg_preinst() { |
628 |
- if has_version "<${CATEGORY}/${PN}-0.8.0-r5" ; then |
629 |
- ewarn |
630 |
- ewarn "\033[1;33m**************************************************\033[00m" |
631 |
- ewarn |
632 |
- if ! has_version "net-vpn/strongswan" && |
633 |
- ! has_version "net-misc/openswan" && |
634 |
- ! has_version "net-vpn/libreswan"; then |
635 |
- ewarn "We found an earlier version of ${PN} installed." |
636 |
- ewarn "As of ${PN}-0.8.0-r5, the old configuration file," |
637 |
- ewarn "ipsec.conf, has been changed to ipsec-tools.conf to avoid" |
638 |
- ewarn "a conflict with net-vpn/strongswan; bug #436144. We will" |
639 |
- ewarn "rename this file for you with this upgrade. However, if" |
640 |
- ewarn "you later downgrade, you'll have to rename the file to" |
641 |
- ewarn "its orignal manually or change /etc/conf.d/racoon to point" |
642 |
- ewarn "to the new file." |
643 |
- |
644 |
- if [[ -f /etc/ipsec.conf && ! -f /etc/ipsec-tools.conf ]] ; then |
645 |
- mv /etc/ipsec.conf /etc/ipsec-tools.conf |
646 |
- else |
647 |
- ewarn |
648 |
- ewarn "Oops! I can't move ipsec.conf to ipsec-tools.conf!" |
649 |
- ewarn "Either the former doesn't exist or the later does and" |
650 |
- ewarn "I won't clobber it. Please fix this situation manually." |
651 |
- fi |
652 |
- else |
653 |
- ewarn "You had both an earlier version of ${PN} and" |
654 |
- ewarn "net-vpn/strongswan installed. I can't tell whether" |
655 |
- ewarn "the configuration file, ipsec.conf, belongs to one" |
656 |
- ewarn "package or the other due to a file conflict; bug #436144." |
657 |
- ewarn "The current version of ${PN} uses ipsec-tools.conf" |
658 |
- ewarn "as its configuration file, as will future versions." |
659 |
- ewarn "Please fix this situation manually." |
660 |
- fi |
661 |
- ewarn |
662 |
- ewarn "\033[1;33m**************************************************\033[00m" |
663 |
- ewarn |
664 |
- fi |
665 |
-} |
666 |
- |
667 |
-pkg_setup() { |
668 |
- linux-info_pkg_setup |
669 |
- |
670 |
- get_version |
671 |
- |
672 |
- if linux_config_exists && kernel_is -ge 2 6 19; then |
673 |
- ewarn |
674 |
- ewarn "\033[1;33m**************************************************\033[00m" |
675 |
- ewarn |
676 |
- ewarn "Checking kernel configuration in /usr/src/linux or" |
677 |
- ewarn "or /proc/config.gz for compatibility with ${PN}." |
678 |
- ewarn "Here are the potential problems:" |
679 |
- ewarn |
680 |
- |
681 |
- local nothing="1" |
682 |
- |
683 |
- # Check options for all flavors of IPSec |
684 |
- local msg="" |
685 |
- for i in XFRM_USER NET_KEY; do |
686 |
- if ! linux_chkconfig_present ${i}; then |
687 |
- msg="${msg} ${i}" |
688 |
- fi |
689 |
- done |
690 |
- if [[ ! -z "$msg" ]]; then |
691 |
- nothing="0" |
692 |
- ewarn |
693 |
- ewarn "ALL IPSec may fail. CHECK:" |
694 |
- ewarn "${msg}" |
695 |
- fi |
696 |
- |
697 |
- # Check unencrypted IPSec |
698 |
- if ! linux_chkconfig_present CRYPTO_NULL; then |
699 |
- nothing="0" |
700 |
- ewarn |
701 |
- ewarn "Unencrypted IPSec may fail. CHECK:" |
702 |
- ewarn " CRYPTO_NULL" |
703 |
- fi |
704 |
- |
705 |
- # Check IPv4 IPSec |
706 |
- msg="" |
707 |
- for i in \ |
708 |
- INET_IPCOMP INET_AH INET_ESP \ |
709 |
- INET_XFRM_MODE_TRANSPORT \ |
710 |
- INET_XFRM_MODE_TUNNEL \ |
711 |
- INET_XFRM_MODE_BEET |
712 |
- do |
713 |
- if ! linux_chkconfig_present ${i}; then |
714 |
- msg="${msg} ${i}" |
715 |
- fi |
716 |
- done |
717 |
- if [[ ! -z "$msg" ]]; then |
718 |
- nothing="0" |
719 |
- ewarn |
720 |
- ewarn "IPv4 IPSec may fail. CHECK:" |
721 |
- ewarn "${msg}" |
722 |
- fi |
723 |
- |
724 |
- # Check IPv6 IPSec |
725 |
- if use ipv6; then |
726 |
- msg="" |
727 |
- for i in INET6_IPCOMP INET6_AH INET6_ESP \ |
728 |
- INET6_XFRM_MODE_TRANSPORT \ |
729 |
- INET6_XFRM_MODE_TUNNEL \ |
730 |
- INET6_XFRM_MODE_BEET |
731 |
- do |
732 |
- if ! linux_chkconfig_present ${i}; then |
733 |
- msg="${msg} ${i}" |
734 |
- fi |
735 |
- done |
736 |
- if [[ ! -z "$msg" ]]; then |
737 |
- nothing="0" |
738 |
- ewarn |
739 |
- ewarn "IPv6 IPSec may fail. CHECK:" |
740 |
- ewarn "${msg}" |
741 |
- fi |
742 |
- fi |
743 |
- |
744 |
- # Check IPSec behind NAT |
745 |
- if use nat; then |
746 |
- if ! linux_chkconfig_present NETFILTER_XT_MATCH_POLICY; then |
747 |
- nothing="0" |
748 |
- ewarn |
749 |
- ewarn "IPSec behind NAT may fail. CHECK:" |
750 |
- ewarn " NETFILTER_XT_MATCH_POLICY" |
751 |
- fi |
752 |
- fi |
753 |
- |
754 |
- if [[ $nothing == "1" ]]; then |
755 |
- ewarn "NO PROBLEMS FOUND" |
756 |
- fi |
757 |
- |
758 |
- ewarn |
759 |
- ewarn "WARNING: If your *configured* and *running* kernel" |
760 |
- ewarn "differ either now or in the future, then these checks" |
761 |
- ewarn "may lead to misleading results." |
762 |
- ewarn |
763 |
- ewarn "\033[1;33m**************************************************\033[00m" |
764 |
- ewarn |
765 |
- else |
766 |
- eerror |
767 |
- eerror "\033[1;31m**************************************************\033[00m" |
768 |
- eerror "Make sure that your *running* kernel is/will be >=2.6.19." |
769 |
- eerror "Building ${PN} now, assuming that you know what you're doing." |
770 |
- eerror "\033[1;31m**************************************************\033[00m" |
771 |
- eerror |
772 |
- fi |
773 |
-} |
774 |
- |
775 |
-src_prepare() { |
776 |
- # fix for bug #124813 |
777 |
- sed -i 's:-Werror::g' "${S}"/configure.ac || die |
778 |
- # fix for building with gcc-4.6 |
779 |
- sed -i 's: -R: -Wl,-R:' "${S}"/configure.ac || die |
780 |
- |
781 |
- eapply "${FILESDIR}/${PN}-def-psk.patch" |
782 |
- eapply "${FILESDIR}/${PN}-include-vendoridh.patch" |
783 |
- eapply "${FILESDIR}"/${PN}-0.8.0-sysctl.patch #425770 |
784 |
- eapply "${FILESDIR}"/${PN}-CVE-2015-4047.patch |
785 |
- eapply "${DISTDIR}"/${PN}-add-openssl-1.1.x-support.patch |
786 |
- eapply "${FILESDIR}"/${PN}-CVE-2016-10396.patch |
787 |
- AT_M4DIR="${S}" eautoreconf |
788 |
- |
789 |
- eapply_user |
790 |
-} |
791 |
- |
792 |
-src_configure() { |
793 |
- #--with-{libiconv,libradius} lead to "Broken getaddrinfo()" |
794 |
- #--enable-samode-unspec is not supported in linux |
795 |
- local myconf |
796 |
- myconf="--with-kernel-headers=/usr/include \ |
797 |
- --enable-adminport \ |
798 |
- --enable-dependency-tracking \ |
799 |
- --enable-dpd \ |
800 |
- --enable-frag \ |
801 |
- --without-libiconv \ |
802 |
- --without-libradius \ |
803 |
- --disable-samode-unspec \ |
804 |
- $(use_enable idea) \ |
805 |
- $(use_enable ipv6) \ |
806 |
- $(use_enable kerberos gssapi) \ |
807 |
- $(use_with ldap libldap) \ |
808 |
- $(use_enable nat natt) \ |
809 |
- $(use_with pam libpam) \ |
810 |
- $(use_enable rc5) \ |
811 |
- $(use_with readline) \ |
812 |
- $(use_enable selinux security-context) \ |
813 |
- $(use_enable stats)" |
814 |
- |
815 |
- use nat && myconf="${myconf} --enable-natt-versions=yes" |
816 |
- |
817 |
- # enable mode-cfg and xauth support |
818 |
- if use pam; then |
819 |
- myconf="${myconf} --enable-hybrid" |
820 |
- else |
821 |
- myconf="${myconf} $(use_enable hybrid)" |
822 |
- fi |
823 |
- |
824 |
- econf ${myconf} |
825 |
-} |
826 |
- |
827 |
-src_install() { |
828 |
- emake DESTDIR="${D}" install |
829 |
- keepdir /var/lib/racoon |
830 |
- newconfd "${FILESDIR}"/racoon.conf.d-r2 racoon |
831 |
- newinitd "${FILESDIR}"/racoon.init.d-r3 racoon |
832 |
- systemd_dounit "${FILESDIR}/ipsec-tools.service" |
833 |
- systemd_dounit "${FILESDIR}/racoon.service" |
834 |
- use pam && newpamd "${FILESDIR}"/racoon.pam.d racoon |
835 |
- |
836 |
- insinto /etc |
837 |
- doins "${FILESDIR}"/ipsec-tools.conf |
838 |
- insinto /etc/racoon |
839 |
- doins "${FILESDIR}"/racoon.conf |
840 |
- doins "${FILESDIR}"/psk.txt |
841 |
- chmod 400 "${D}"/etc/racoon/psk.txt |
842 |
- |
843 |
- dodoc ChangeLog README NEWS |
844 |
- dodoc -r src/racoon/samples |
845 |
- dodoc -r src/racoon/doc |
846 |
- docinto samples |
847 |
- newdoc src/setkey/sample.cf ipsec-tools.conf |
848 |
-} |
849 |
- |
850 |
-pkg_postinst() { |
851 |
- if use nat; then |
852 |
- elog |
853 |
- elog "You have enabled the nat traversal functionnality." |
854 |
- elog "Nat versions wich are enabled by default are 00,02,rfc" |
855 |
- elog "you can find those drafts in the CVS repository:" |
856 |
- elog "cvs -d anoncvs@××××××××××××××.org:/cvsroot co ipsec-tools" |
857 |
- elog |
858 |
- elog "If you feel brave enough and you know what you are" |
859 |
- elog "doing, you can consider emerging this ebuild with" |
860 |
- elog "EXTRA_ECONF=\"--enable-natt-versions=08,07,06\"" |
861 |
- elog |
862 |
- fi |
863 |
- |
864 |
- if use ldap; then |
865 |
- elog |
866 |
- elog "You have enabled ldap support with ${PN}." |
867 |
- elog "The man page does NOT contain any information on it yet." |
868 |
- elog "Consider using a more recent version or CVS." |
869 |
- elog |
870 |
- fi |
871 |
- |
872 |
- elog |
873 |
- elog "Please have a look in /usr/share/doc/${P} and visit" |
874 |
- elog "http://www.netbsd.org/Documentation/network/ipsec/" |
875 |
- elog "to find more information on how to configure this tool." |
876 |
- elog |
877 |
-} |
878 |
|
879 |
diff --git a/net-vpn/ipsec-tools/metadata.xml b/net-vpn/ipsec-tools/metadata.xml |
880 |
deleted file mode 100644 |
881 |
index ebfe94eecee..00000000000 |
882 |
--- a/net-vpn/ipsec-tools/metadata.xml |
883 |
+++ /dev/null |
884 |
@@ -1,17 +0,0 @@ |
885 |
-<?xml version="1.0" encoding="UTF-8"?> |
886 |
-<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> |
887 |
-<pkgmetadata> |
888 |
- <maintainer type="person"> |
889 |
- <email>blueness@g.o</email> |
890 |
- </maintainer> |
891 |
- <use> |
892 |
- <flag name="hybrid">Makes available both mode-cfg and xauth support</flag> |
893 |
- <flag name="idea">Enable support for the IDEA algorithm</flag> |
894 |
- <flag name="nat">Enable NAT-Traversal</flag> |
895 |
- <flag name="rc5">Enable support for the patented RC5 algorithm</flag> |
896 |
- <flag name="stats">Enable statistics reporting</flag> |
897 |
- </use> |
898 |
- <upstream> |
899 |
- <remote-id type="sourceforge">ipsec-tools</remote-id> |
900 |
- </upstream> |
901 |
-</pkgmetadata> |
902 |
|
903 |
diff --git a/profiles/package.mask b/profiles/package.mask |
904 |
index 4e9189e86f1..ce047751e24 100644 |
905 |
--- a/profiles/package.mask |
906 |
+++ b/profiles/package.mask |
907 |
@@ -257,10 +257,6 @@ games-puzzle/gnudoku |
908 |
# and accept a more unstable release. |
909 |
>=www-client/chromium-96 |
910 |
|
911 |
-# Anthony G. Basile <blueness@g.o> (2021-08-27) |
912 |
-# Masked for removal in 30 days. Deprecated upstream. |
913 |
-net-vpn/ipsec-tools |
914 |
- |
915 |
# Bernard Cafarelli <voyageur@g.o> (2021-08-26) |
916 |
# Preparing for final 5.0.0 release |
917 |
>=app-text/tesseract-5.0.0_beta |