Gentoo Archives: gentoo-commits

From: "Ben de Groot (yngwin)" <yngwin@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in net-misc/strongswan: metadata.xml ChangeLog strongswan-4.3.6-r2.ebuild strongswan-4.2.17.ebuild strongswan-4.3.5.ebuild strongswan-4.3.6.ebuild strongswan-4.3.6-r1.ebuild strongswan-4.3.4.ebuild strongswan-4.3.3.ebuild
Date: Fri, 02 Apr 2010 15:39:59
Message-Id: E1NxiyQ-00066M-Uh@stork.gentoo.org
yngwin 10/04/02 15:39:54

Modified: metadata.xml ChangeLog
Added: strongswan-4.3.6-r2.ebuild
Removed: strongswan-4.2.17.ebuild strongswan-4.3.5.ebuild
         strongswan-4.3.6.ebuild strongswan-4.3.6-r1.ebuild
         strongswan-4.3.4.ebuild strongswan-4.3.3.ebuild
Log:
Remove 'nat' useflag as it is misleading and replace it with an
appropriate 'nat-transport' flag and warn users about it. Fix dependency on
openssl[-bindist] wrt bug #311981. Thanks to Thomas Klute for reporting this.
Overhaul of package/useflag descriptions. Drop built_with_use again
(deprecated) which I introduced in the latest revision. Addition of several
new warnings/logs that will hopefully help the user. Drop old (and
unsupported by proxy maintainer) ebuilds. Update metadata.xml.
(Portage version: 2.2_rc67/cvs/Linux x86_64)

Revision Changes Path
1.10 net-misc/strongswan/metadata.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/metadata.xml?rev=1.10&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/metadata.xml?rev=1.10&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/metadata.xml?r1=1.9&r2=1.10

25 Index: metadata.xml
26 ===================================================================
27 RCS file: /var/cvsroot/gentoo-x86/net-misc/strongswan/metadata.xml,v
28 retrieving revision 1.9
29 retrieving revision 1.10
30 diff -u -r1.9 -r1.10
31 --- metadata.xml 16 Mar 2010 18:37:21 -0000 1.9
32 +++ metadata.xml 2 Apr 2010 15:39:54 -0000 1.10
33 @@ -2,29 +2,54 @@
34 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
35 <pkgmetadata>
36 <herd>no-herd</herd>
37 - <maintainer>
38 - <email>patrick@g.o</email>
39 - <name>Patrick Lauer</name>
40 - </maintainer>
41 - <maintainer>
42 - <email>ua_bugz_gentoo@×××××××××××.de</email>
43 - <name>Matthias Dahl </name>
44 - </maintainer>
45 -
46 + <maintainer>
47 + <email>patrick@g.o</email>
48 + <name>Patrick Lauer</name>
49 + </maintainer>
50 + <maintainer>
51 + <email>ua_bugz_gentoo@×××××××××××.de</email>
52 + <name>Matthias Dahl</name>
53 + <description>Proxy Maintainer, CC on all bugs</description>
54 + </maintainer>
55 <longdescription lang="en">
56 - strongSwan is an OpenSource IPsec implementation for the Linux
57 - operating system. It is based on the discontinued FreeS/WAN project and
58 - the X.509 patch which we developed over the last three years. In order
59 - to have a stable IPsec platform to base our future extensions of the
60 - X.509 capability on, we decided to lauch the strongSwan project.
61 - </longdescription>
62 + StrongSwan is direct descendant of the discontinued FreeS/WAN project.
63 + As an IPsec based VPN solution which is focused on security and ease of
64 + use, it fully implements the IKEv1/IKEv2 protocols, MOBIKE, NAT-Traversal
65 + via UDP encapsulation (incl. port floating) and Dead Peer Detection. It
66 + also fully supports the Linux 2.6 IPsec stack, IPv6, certificates/keys on
67 + Smartcards and virtual IP address pools.
68 + </longdescription>
69 <use>
70 - <flag name="cisco">Enable support of Cisco VPN client</flag>
71 - <flag name="nat">Enable NAT traversal with IPsec transport mode</flag>
72 - <flag name="gcrypt">Enable gcrypt support</flag>
73 - <flag name="ikev1">Enable ikev1 protocol</flag>
74 - <flag name="ikev2">Enable ikev2 protocol</flag>
75 - <flag name="openssl">Enable openssl support</flag>
76 - <flag name="non-root">Enable running as non-root</flag>
77 + <flag name="cisco">
78 + Enable support for the Cisco VPN client.
79 + </flag>
80 + <flag name="gcrypt">
81 + Enable <pkg>dev-libs/libgcrypt</pkg> plugin which provides 3DES, AES,
82 + Blowfish, Camellia, CAST, DES, Serpent and Twofish ciphers along with
83 + MD4, MD5 and SHA1/2 hash algorithms, RSA and a software random number
84 + generator.
85 + </flag>
86 + <flag name="nat-transport">
87 + Enable potentially insecure NAT traversal for transport mode in IKEv1.
88 + Only enable if you really need this.
89 + </flag>
90 + <flag name="ikev1">
91 + Enable IKEv1 protocol (pluto daemon).
92 + </flag>
93 + <flag name="ikev2">
94 + Enable IKEv2 protocol (charon daemon).
95 + </flag>
96 + <flag name="openssl">
97 + Enable <pkg>dev-libs/openssl</pkg> plugin which is required for Elliptic
98 + Curve Cryptography (Diffie-Hellman groups 19-21, 25, 26) and ECDSA. Also
99 + provides 3DES, AES, Blowfish, Camellia, CAST, DES, IDEA and RC5 ciphers
100 + along with MD2, MD4, MD5 and SHA1/2 hash algorithms and RSA.
101 + <pkg>dev-libs/openssl</pkg> has to be compiled with USE="-bindist".
102 + </flag>
103 + <flag name="non-root">
104 + Force IKEv1/IKEv2 daemons to normal user privileges. This might impose
105 + some restrictions mainly to the IKEv1 daemon. Disable only if you really
106 + require superuser privileges.
107 + </flag>
108 </use>
109 </pkgmetadata>
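Review bot: the `nat` flag is removed outright rather than kept for one revision next to the new `nat-transport` flag, so a user who has `USE=nat` set silently loses transport-mode NAT traversal on upgrade and never sees the new warning, which only fires when `nat-transport` is enabled; the rename deserves a sentence in the ChangeLog entry or an upgrade-path `ewarn`. Minor: the new longdescription opens with "StrongSwan is direct descendant" and wants "a direct descendant".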
110
111
112
113 1.82 net-misc/strongswan/ChangeLog
114
115 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.82&view=markup
116 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.82&content-type=text/plain
117 diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/ChangeLog?r1=1.81&r2=1.82
118
119 Index: ChangeLog
120 ===================================================================
121 RCS file: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v
122 retrieving revision 1.81
123 retrieving revision 1.82
124 diff -u -r1.81 -r1.82
125 --- ChangeLog 23 Mar 2010 01:38:58 -0000 1.81
126 +++ ChangeLog 2 Apr 2010 15:39:54 -0000 1.82
127 @@ -1,6 +1,20 @@
128 # ChangeLog for net-misc/strongswan
129 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
130 -# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.81 2010/03/23 01:38:58 yngwin Exp $
131 +# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.82 2010/04/02 15:39:54 yngwin Exp $
132 +
133 +*strongswan-4.3.6-r2 (02 Apr 2010)
134 +
135 + 02 Apr 2010; Ben de Groot <yngwin@g.o> -strongswan-4.2.17.ebuild,
136 + -strongswan-4.3.3.ebuild, -strongswan-4.3.4.ebuild,
137 + -strongswan-4.3.5.ebuild, -strongswan-4.3.6.ebuild,
138 + -strongswan-4.3.6-r1.ebuild, +strongswan-4.3.6-r2.ebuild, metadata.xml:
139 + Remove 'nat' useflag as it is misleading and replace it with an
140 + appropriate 'nat-transport' flag and warn users about it. Fix dependency on
141 + openssl[-bindist] wrt bug #311981. Thanks to Thomas Klute for reporting this.
142 + Overhaul of package/useflag descriptions. Drop built_with_use again
143 + (deprecated) which I introduced in the latest revision. Addition of several
144 + new warnings/logs that will hopefully help the user. Drop old (and
145 + unsupported by proxy maintainer) ebuilds. Update metadata.xml.
146
147 23 Mar 2010; Ben de Groot <yngwin@g.o> strongswan-4.3.6-r1.ebuild:
148 Fix directory ownership for '+non-root -caps'/'-non-root +caps'



1.1 net-misc/strongswan/strongswan-4.3.6-r2.ebuild

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/strongswan-4.3.6-r2.ebuild?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/strongswan-4.3.6-r2.ebuild?rev=1.1&content-type=text/plain

Index: strongswan-4.3.6-r2.ebuild
===================================================================
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.3.6-r2.ebuild,v 1.1 2010/04/02 15:39:54 yngwin Exp $

EAPI=2
inherit eutils linux-info

DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
SLOT="0"
KEYWORDS="~amd64 ~ppc ~sparc ~x86"
IUSE="+caps cisco curl debug gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root +openssl smartcard sqlite"

COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	smartcard? ( dev-libs/opensc )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )"
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2"

# Unprivileged user and group the daemons run as with USE=non-root
UGID="ipsec"

pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	if ! kernel_is -ge 2 6 16; then
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
		die "Please install a recent 2.6 kernel."
	fi

	if use nat-transport; then
		ewarn
		ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
		ewarn "protocol. Please double check if you really require this feature"
		ewarn "as it is potentially insecure and usually only required in certain"
		ewarn "situations when interoperating with Windows using L2TP/IPsec."
		ewarn
	fi

	if kernel_is -lt 2 6 33; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn

		if kernel_is -lt 2 6 29; then
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		fi

		if kernel_is -lt 2 6 33; then
			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
			ewarn "miss SHA384 and SHA512 HMAC support altogether."
			ewarn
			ewarn "If you need any of those features, please use kernel >= 2.6.33."
			ewarn
		fi
	fi

	if use non-root; then
		enewgroup ${UGID}
		enewuser ${UGID} -1 -1 -1 ${UGID}
	fi
}

src_configure() {
	local myconf=""

	if use non-root; then
		myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
	fi

	# If a user has already enabled db support, those plugins will
	# most likely be desired as well. Besides they don't impose new
	# dependencies and come at no cost (except for space).
	if use mysql || use sqlite; then
		myconf="${myconf} --enable-attr-sql --enable-sql"
	fi

	# strongSwan builds and installs static libs by default which are
	# useless to the user (and to strongSwan for that matter) because no
	# header files or alike get installed... so disabling them is safe.
	econf \
		--disable-static \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable ldap) \
		$(use_enable smartcard) \
		$(use_enable cisco cisco-quirks) \
		$(use_enable debug leak-detective) \
		$(use_enable nat-transport) \
		$(use_enable openssl) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable sqlite) \
		$(use_enable ikev1 pluto) \
		$(use_enable ikev2 charon) \
		${myconf}
}

src_install() {
	einstall || die "einstall failed"

	doinitd "${FILESDIR}"/ipsec

	# Configuration files and the key/certificate directories belong to the
	# daemon user; without USE=non-root that is root.
	local dir_ugid
	if use non-root; then
		fowners ${UGID}:${UGID} \
			/etc/ipsec.conf \
			/etc/ipsec.secrets \
			/etc/strongswan.conf

		dir_ugid="${UGID}"
	else
		dir_ugid="root"
	fi

	diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
	dodir /etc/ipsec.d \
		/etc/ipsec.d/aacerts \
		/etc/ipsec.d/acerts \
		/etc/ipsec.d/cacerts \
		/etc/ipsec.d/certs \
		/etc/ipsec.d/crls \
		/etc/ipsec.d/ocspcerts \
		/etc/ipsec.d/private \
		/etc/ipsec.d/reqs

	dodoc CREDITS NEWS README TODO || die

	# shared libs are used only internally and there are no static libs,
	# so it's safe to get rid of the .la files
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}

pkg_preinst() {
	# Remember what was installed before, for the upgrade notices in
	# pkg_postinst. has_version returns 0 on a match, so $? is flipped
	# into a 1/0 flag.
	has_version "<net-misc/strongswan-4.3.6-r1"
	upgrade_from_leq_4_3_6=$(( !$? ))

	# Earlier versions ran the daemons unprivileged whenever USE=caps was
	# set, so the relevant case is a previous install *with* caps.
	has_version "<net-misc/strongswan-4.3.6-r1[caps]"
	previous_4_3_6_with_caps=$(( !$? ))
}

pkg_postinst() {
	if ! use openssl && ! use gcrypt; then
		elog
		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
		elog "Please note that this might affect availability and speed of some"
		elog "cryptographic features. You are advised to enable the OpenSSL plugin."
	elif ! use openssl; then
		elog
		elog "${PN} has been compiled without the OpenSSL plugin. This might affect"
		elog "availability and speed of some cryptographic features. There will be"
		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
		elog "25, 26) and ECDSA."
	fi

	if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
		chmod 0750 "${ROOT}"/etc/ipsec.d \
			"${ROOT}"/etc/ipsec.d/aacerts \
			"${ROOT}"/etc/ipsec.d/acerts \
			"${ROOT}"/etc/ipsec.d/cacerts \
			"${ROOT}"/etc/ipsec.d/certs \
			"${ROOT}"/etc/ipsec.d/crls \
			"${ROOT}"/etc/ipsec.d/ocspcerts \
			"${ROOT}"/etc/ipsec.d/private \
			"${ROOT}"/etc/ipsec.d/reqs

		ewarn
		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
		ewarn "security reasons. Your system installed directories have been"
		ewarn "updated accordingly. Please check if necessary."
		ewarn

		if [[ $previous_4_3_6_with_caps == 1 ]]; then
			if ! use non-root; then
				ewarn
				ewarn "IMPORTANT: You previously had ${PN} installed without root"
				ewarn "privileges because it was implied by the 'caps' USE flag."
				ewarn "This has been changed. If you want ${PN} with user privileges,"
				ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
				ewarn
			fi
		fi
	fi
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider, especially if you intend"
		ewarn "to run ${PN} as server with a public IP address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi
	if use non-root; then
		elog
		elog "${PN} has been installed without superuser privileges (USE=non-root)."
		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
		elog "but also a few to the IKEv2 daemon 'charon'."
		elog
		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
		elog
		elog "pluto uses a helper script by default to insert/remove routing and"
		elog "policy rules upon connection start/stop which requires superuser"
		elog "privileges. charon in contrast does this internally and can do so"
		elog "even with reduced (user) privileges."
		elog
		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
		elog "script to pluto or charon which requires superuser privileges, you"
		elog "can work around this limitation by using sudo to grant the"
		elog "user \"ipsec\" the appropriate rights."
		elog "For example (the default case):"
		elog "/etc/sudoers:"
		elog " Defaults:ipsec always_set_home,!env_reset"
		elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
		elog "Under the specific connection block in /etc/ipsec.conf:"
		elog " leftupdown=\"sudo ipsec _updown\""
		elog
	fi
	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog " http://wiki.strongswan.org/"
	elog
}
402 elog "the appropriate cryptographic algorithms. A list is available at:"
403 elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
404 elog
405 elog "The up-to-date manual is available online at:"
406 elog " http://wiki.strongswan.org/"
407 elog
408 }