
From: "Bjarke Istrup Pedersen (gurligebis)" <gurligebis@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in net-misc/strongswan: ChangeLog strongswan-4.6.4.ebuild strongswan-4.6.3.ebuild
Date: Thu, 31 May 2012 16:31:04
Message-Id: 20120531163053.EB2D42004B@flycatcher.gentoo.org
1 gurligebis 12/05/31 16:30:53
2
3 Modified: ChangeLog
4 Added: strongswan-4.6.4.ebuild
5 Removed: strongswan-4.6.3.ebuild
6 Log:
7 Bumping to 4.6.4
8
9 (Portage version: 2.2.0_alpha108/cvs/Linux i686)
10
11 Revision Changes Path
12 1.95 net-misc/strongswan/ChangeLog
13
14 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.95&view=markup
15 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.95&content-type=text/plain
16 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?r1=1.94&r2=1.95
17
18 Index: ChangeLog
19 ===================================================================
20 RCS file: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v
21 retrieving revision 1.94
22 retrieving revision 1.95
23 diff -u -r1.94 -r1.95
24 --- ChangeLog 1 May 2012 14:05:18 -0000 1.94
25 +++ ChangeLog 31 May 2012 16:30:53 -0000 1.95
26 @@ -1,6 +1,12 @@
27 # ChangeLog for net-misc/strongswan
28 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
29 -# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.94 2012/05/01 14:05:18 gurligebis Exp $
30 +# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.95 2012/05/31 16:30:53 gurligebis Exp $
31 +
32 +*strongswan-4.6.4 (31 May 2012)
33 +
34 + 31 May 2012; <gurligebis@g.o> -strongswan-4.6.3.ebuild,
35 + +strongswan-4.6.4.ebuild:
36 + Bumping to 4.6.4
37
38 *strongswan-4.6.3 (01 May 2012)
39
40
41
42
43 1.1 net-misc/strongswan/strongswan-4.6.4.ebuild
44
45 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/strongswan-4.6.4.ebuild?rev=1.1&view=markup
46 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/strongswan-4.6.4.ebuild?rev=1.1&content-type=text/plain
47
48 Index: strongswan-4.6.4.ebuild
49 ===================================================================
50 # Copyright 1999-2012 Gentoo Foundation
51 # Distributed under the terms of the GNU General Public License v2
52 # $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.6.4.ebuild,v 1.1 2012/05/31 16:30:53 gurligebis Exp $
53
54 EAPI=2
55 inherit eutils linux-info
56
57 DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
58 HOMEPAGE="http://www.strongswan.org/"
59 SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
60
61 LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
62 SLOT="0"
63 KEYWORDS="~arm ~amd64 ~ppc ~sparc ~x86"
64 IUSE="+caps cisco curl debug dhcp eap farp gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root +openssl smartcard sqlite"
65
66 COMMON_DEPEND="!net-misc/openswan
67 >=dev-libs/gmp-4.1.5
68 gcrypt? ( dev-libs/libgcrypt )
69 caps? ( sys-libs/libcap )
70 curl? ( net-misc/curl )
71 ldap? ( net-nds/openldap )
72 smartcard? ( dev-libs/opensc )
73 openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
74 mysql? ( virtual/mysql )
75 sqlite? ( >=dev-db/sqlite-3.3.1 )"
76 DEPEND="${COMMON_DEPEND}
77 virtual/linux-sources
78 sys-kernel/linux-headers"
79 RDEPEND="${COMMON_DEPEND}
80 virtual/logger
81 sys-apps/iproute2"
82
83 UGID="ipsec"
84
85 pkg_setup() {
86 linux-info_pkg_setup
87 elog "Linux kernel version: ${KV_FULL}"
88
89 if ! kernel_is -ge 2 6 16; then
90 eerror
91 eerror "This ebuild currently only supports ${PN} with the"
92 eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
93 eerror
94 die "Please install a recent 2.6 kernel."
95 fi
96
97 if use nat-transport; then
98 ewarn
99 ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
100 ewarn "protocol. Please double check if you really require this feature"
101 ewarn "as it is potentially insecure and usually only required in certain"
102 ewarn "situations when interoperating with Windows using L2TP/IPsec."
103 ewarn
104 fi
105
106 if kernel_is -lt 2 6 34; then
107 ewarn
108 ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
109 ewarn
110
111 if kernel_is -lt 2 6 29; then
112 ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
113 ewarn "include all required IPv6 modules even if you just intend"
114 ewarn "to run on IPv4 only."
115 ewarn
116 ewarn "This has been fixed with kernels >= 2.6.29."
117 ewarn
118 fi
119
120 if kernel_is -lt 2 6 33; then
121 ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
122 ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
123 ewarn "miss SHA384 and SHA512 HMAC support altogether."
124 ewarn
125 ewarn "If you need any of those features, please use kernel >= 2.6.33."
126 ewarn
127 fi
128
129 if kernel_is -lt 2 6 34; then
130 ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
131 ewarn "ESP cipher is only included in kernels >= 2.6.34."
132 ewarn
133 ewarn "If you need it, please use kernel >= 2.6.34."
134 ewarn
135 fi
136 fi
137
138 if use non-root; then
139 enewgroup ${UGID}
140 enewuser ${UGID} -1 -1 -1 ${UGID}
141 fi
142 }
143
144 src_configure() {
145 local myconf=""
146
147 if use non-root; then
148 myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
149 fi
150
151 # If a user has already enabled db support, those plugins will
152 # most likely be desired as well. Besides they don't impose new
153 # dependencies and come at no cost (except for space).
154 if use mysql || use sqlite; then
155 myconf="${myconf} --enable-attr-sql --enable-sql"
156 fi
157
158 # strongSwan builds and installs static libs by default which are
159 # useless to the user (and to strongSwan for that matter) because no
160 # header files or alike get installed... so disabling them is safe.
161 econf \
162 --disable-static \
163 $(use_with caps capabilities libcap) \
164 $(use_enable curl) \
165 $(use_enable ldap) \
166 $(use_enable smartcard) \
167 $(use_enable cisco cisco-quirks) \
168 $(use_enable debug leak-detective) \
169 $(use_enable eap eap-sim) \
170 $(use_enable eap eap-sim-file) \
171 $(use_enable eap eap-simaka-sql) \
172 $(use_enable eap eap-simaka-pseudonym) \
173 $(use_enable eap eap-simaka-reauth) \
174 $(use_enable eap eap-identity) \
175 $(use_enable eap eap-md5) \
176 $(use_enable eap eap-gtc) \
177 $(use_enable eap eap-aka) \
178 $(use_enable eap eap-aka-3gpp2) \
179 $(use_enable eap eap-mschapv2) \
180 $(use_enable eap eap-radius) \
181 $(use_enable nat-transport) \
182 $(use_enable openssl) \
183 $(use_enable gcrypt) \
184 $(use_enable mysql) \
185 $(use_enable sqlite) \
186 $(use_enable ikev1 pluto) \
187 $(use_enable ikev2 charon) \
188 $(use_enable dhcp) \
189 $(use_enable farp) \
190 ${myconf}
191 }
192
193 src_install() {
194 emake DESTDIR="${D}" install || die "Install failed"
195
196 doinitd "${FILESDIR}"/ipsec
197
198 local dir_ugid
199 if use non-root; then
200 fowners ${UGID}:${UGID} \
201 /etc/ipsec.conf \
202 /etc/ipsec.secrets \
203 /etc/strongswan.conf
204
205 dir_ugid="${UGID}"
206 else
207 dir_ugid="root"
208 fi
209
210 diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
211 dodir /etc/ipsec.d \
212 /etc/ipsec.d/aacerts \
213 /etc/ipsec.d/acerts \
214 /etc/ipsec.d/cacerts \
215 /etc/ipsec.d/certs \
216 /etc/ipsec.d/crls \
217 /etc/ipsec.d/ocspcerts \
218 /etc/ipsec.d/private \
219 /etc/ipsec.d/reqs
220
221 dodoc CREDITS NEWS README TODO || die
222
223 # shared libs are used only internally and there are no static libs,
224 # so it's safe to get rid of the .la files
225 find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
226 }
227
228 pkg_preinst() {
229 has_version "<net-misc/strongswan-4.3.6-r1"
230 upgrade_from_leq_4_3_6=$(( !$? ))
231
232 has_version "<net-misc/strongswan-4.3.6-r1[-caps]"
233 previous_4_3_6_with_caps=$(( !$? ))
234 }
235
236 pkg_postinst() {
237 if ! use openssl && ! use gcrypt; then
238 elog
239 elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
240 elog "Please note that this might effect availability and speed of some"
241 elog "cryptographic features. You are advised to enable the OpenSSL plugin."
242 elif ! use openssl; then
243 elog
244 elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
245 elog "availability and speed of some cryptographic features. There will be"
246 elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
247 elog "25, 26) and ECDSA."
248 fi
249
250 if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
251 chmod 0750 "${ROOT}"/etc/ipsec.d \
252 "${ROOT}"/etc/ipsec.d/aacerts \
253 "${ROOT}"/etc/ipsec.d/acerts \
254 "${ROOT}"/etc/ipsec.d/cacerts \
255 "${ROOT}"/etc/ipsec.d/certs \
256 "${ROOT}"/etc/ipsec.d/crls \
257 "${ROOT}"/etc/ipsec.d/ocspcerts \
258 "${ROOT}"/etc/ipsec.d/private \
259 "${ROOT}"/etc/ipsec.d/reqs
260
261 ewarn
262 ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
263 ewarn "security reasons. Your system installed directories have been"
264 ewarn "updated accordingly. Please check if necessary."
265 ewarn
266
267 if [[ $previous_4_3_6_with_caps == 1 ]]; then
268 if ! use non-root; then
269 ewarn
270 ewarn "IMPORTANT: You previously had ${PN} installed without root"
271 ewarn "privileges because it was implied by the 'caps' USE flag."
272 ewarn "This has been changed. If you want ${PN} with user privileges,"
273 ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
274 ewarn
275 fi
276 fi
277 fi
278 if ! use caps && ! use non-root; then
279 ewarn
280 ewarn "You have decided to run ${PN} with root privileges and built it"
281 ewarn "without support for POSIX capability dropping. It is generally"
282 ewarn "strongly suggested that you reconsider- especially if you intend"
283 ewarn "to run ${PN} as server with a public ip address."
284 ewarn
285 ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
286 ewarn
287 fi
288 if use non-root; then
289 elog
290 elog "${PN} has been installed without superuser privileges (USE=non-root)."
291 elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
292 elog "but also a few to the IKEv2 daemon 'charon'."
293 elog
294 elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
295 elog
296 elog "pluto uses a helper script by default to insert/remove routing and"
297 elog "policy rules upon connection start/stop which requires superuser"
298 elog "privileges. charon in contrast does this internally and can do so"
299 elog "even with reduced (user) privileges."
300 elog
301 elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
302 elog "script to pluto or charon which requires superuser privileges, you"
303 elog "can work around this limitation by using sudo to grant the"
304 elog "user \"ipsec\" the appropriate rights."
305 elog "For example (the default case):"
306 elog "/etc/sudoers:"
307 elog " Defaults:ipsec always_set_home,!env_reset"
308 elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
309 elog "Under the specific connection block in /etc/ipsec.conf:"
310 elog " leftupdown=\"sudo ipsec _updown\""
311 elog
312 fi
313 elog
314 elog "Make sure you have _all_ required kernel modules available including"
315 elog "the appropriate cryptographic algorithms. A list is available at:"
316 elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
317 elog
318 elog "The up-to-date manual is available online at:"
319 elog " http://wiki.strongswan.org/"
320 elog
321 }
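Review bot: The sudoers example that pkg_postinst prints under `use non-root` gives the `ipsec` account passwordless sudo as any target user for every `/usr/sbin/ipsec` subcommand, and `!env_reset` passes the caller's environment through. A compromise of the unprivileged daemon is then close to a root compromise, so most of the privilege separation the `non-root` flag advertises is lost. The example could be narrowed to what the updown hook needs: `ipsec ALL=(root) NOPASSWD: /usr/sbin/ipsec _updown`, with `Defaults:ipsec env_keep += "PLUTO_*"` in place of `!env_reset`, since the updown script takes its input from PLUTO_* variables. Separately, src_install changes the owner of /etc/ipsec.secrets with `fowners` but never sets its mode. If upstream's install step does not already restrict the file (not visible here), an explicit `fperms 0640 /etc/ipsec.secrets` would make that independent of upstream.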