1 |
yngwin 10/04/02 15:39:54 |
2 |
|
3 |
Modified: metadata.xml ChangeLog |
4 |
Added: strongswan-4.3.6-r2.ebuild |
5 |
Removed: strongswan-4.2.17.ebuild strongswan-4.3.5.ebuild |
6 |
strongswan-4.3.6.ebuild strongswan-4.3.6-r1.ebuild |
7 |
strongswan-4.3.4.ebuild strongswan-4.3.3.ebuild |
8 |
Log: |
9 |
Remove 'nat' useflag as it is misleading and replace it with an |
10 |
appropriate 'nat-transport' flag and warn users about it. Fix dependency on |
11 |
openssl[-bindist] wrt bug #311981. Thanks to Thomas Klute for reporting this. |
12 |
Overhaul of package/useflag descriptions. Drop built_with_use again |
13 |
(deprecated) which I introduced in the latest revision. Addition of several |
14 |
new warnings/logs that will hopefully help the user. Drop old (and |
15 |
unsupported by proxy maintainer) ebuilds. Update metadata.xml. |
16 |
(Portage version: 2.2_rc67/cvs/Linux x86_64) |
17 |
|
18 |
Revision Changes Path |
19 |
1.10 net-misc/strongswan/metadata.xml |
20 |
|
21 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/metadata.xml?rev=1.10&view=markup |
22 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/metadata.xml?rev=1.10&content-type=text/plain |
23 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/metadata.xml?r1=1.9&r2=1.10 |
24 |
|
25 |
Index: metadata.xml |
26 |
=================================================================== |
27 |
RCS file: /var/cvsroot/gentoo-x86/net-misc/strongswan/metadata.xml,v |
28 |
retrieving revision 1.9 |
29 |
retrieving revision 1.10 |
30 |
diff -u -r1.9 -r1.10 |
31 |
--- metadata.xml 16 Mar 2010 18:37:21 -0000 1.9 |
32 |
+++ metadata.xml 2 Apr 2010 15:39:54 -0000 1.10 |
33 |
@@ -2,29 +2,54 @@ |
34 |
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> |
35 |
<pkgmetadata> |
36 |
<herd>no-herd</herd> |
37 |
- <maintainer> |
38 |
- <email>patrick@g.o</email> |
39 |
- <name>Patrick Lauer</name> |
40 |
- </maintainer> |
41 |
- <maintainer> |
42 |
- <email>ua_bugz_gentoo@×××××××××××.de</email> |
43 |
- <name>Matthias Dahl </name> |
44 |
- </maintainer> |
45 |
- |
46 |
+ <maintainer> |
47 |
+ <email>patrick@g.o</email> |
48 |
+ <name>Patrick Lauer</name> |
49 |
+ </maintainer> |
50 |
+ <maintainer> |
51 |
+ <email>ua_bugz_gentoo@×××××××××××.de</email> |
52 |
+ <name>Matthias Dahl</name> |
53 |
+ <description>Proxy Maintainer, CC on all bugs</description> |
54 |
+ </maintainer> |
55 |
<longdescription lang="en"> |
56 |
- strongSwan is an OpenSource IPsec implementation for the Linux |
57 |
- operating system. It is based on the discontinued FreeS/WAN project and |
58 |
- the X.509 patch which we developed over the last three years. In order |
59 |
- to have a stable IPsec platform to base our future extensions of the |
60 |
- X.509 capability on, we decided to lauch the strongSwan project. |
61 |
- </longdescription> |
62 |
+ StrongSwan is direct descendant of the discontinued FreeS/WAN project. |
63 |
+ As an IPsec based VPN solution which is focused on security and ease of |
64 |
+ use, it fully implements the IKEv1/IKEv2 protocols, MOBIKE, NAT-Traversal |
65 |
+ via UDP encapsulation (incl. port floating) and Dead Peer Detection. It |
66 |
+ also fully supports the Linux 2.6 IPsec stack, IPv6, certificates/keys on |
67 |
+ Smartcards and virtual IP address pools. |
68 |
+ </longdescription> |
69 |
<use> |
70 |
- <flag name="cisco">Enable support of Cisco VPN client</flag> |
71 |
- <flag name="nat">Enable NAT traversal with IPsec transport mode</flag> |
72 |
- <flag name="gcrypt">Enable gcrypt support</flag> |
73 |
- <flag name="ikev1">Enable ikev1 protocol</flag> |
74 |
- <flag name="ikev2">Enable ikev2 protocol</flag> |
75 |
- <flag name="openssl">Enable openssl support</flag> |
76 |
- <flag name="non-root">Enable running as non-root</flag> |
77 |
+ <flag name="cisco"> |
78 |
+ Enable support for the Cisco VPN client. |
79 |
+ </flag> |
80 |
+ <flag name="gcrypt"> |
81 |
+ Enable <pkg>dev-libs/libgcrypt</pkg> plugin which provides 3DES, AES, |
82 |
+ Blowfish, Camellia, CAST, DES, Serpent and Twofish ciphers along with |
83 |
+ MD4, MD5 and SHA1/2 hash algorithms, RSA and a software random number |
84 |
+ generator. |
85 |
+ </flag> |
86 |
+ <flag name="nat-transport"> |
87 |
+ Enable potentially insecure NAT traversal for transport mode in IKEv1. |
88 |
+ Only enable if you really need this. |
89 |
+ </flag> |
90 |
+ <flag name="ikev1"> |
91 |
+ Enable IKEv1 protocol (pluto daemon). |
92 |
+ </flag> |
93 |
+ <flag name="ikev2"> |
94 |
+ Enable IKEv2 protocol (charon daemon). |
95 |
+ </flag> |
96 |
+ <flag name="openssl"> |
97 |
+ Enable <pkg>dev-libs/openssl</pkg> plugin which is required for Elliptic |
98 |
+ Curve Cryptography (Diffie-Hellman groups 19-21, 25, 26) and ECDSA. Also |
99 |
+ provides 3DES, AES, Blowfish, Camellia, CAST, DES, IDEA and RC5 ciphers |
100 |
+ along with MD2, MD4, MD5 and SHA1/2 hash algorithms and RSA. |
101 |
+ <pkg>dev-libs/openssl</pkg> has to be compiled with USE="-bindist". |
102 |
+ </flag> |
103 |
+ <flag name="non-root"> |
104 |
+ Force IKEv1/IKEv2 daemons to normal user privileges. This might impose |
105 |
+ some restrictions mainly to the IKEv1 daemon. Disable only if you really |
106 |
+ require superuser privileges. |
107 |
+ </flag> |
108 |
</use> |
109 |
</pkgmetadata> |
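Review bot: The new `nat-transport` description (the `<flag name="nat-transport">` element) tells users the feature is "potentially insecure" but neither says why nor when it is legitimately needed, while the ebuild's pkg_setup warning in this same commit does name the use case. metadata.xml is what flag-browsing tools show, so it should carry at least the same information: `Enable potentially insecure NAT traversal for transport mode in IKEv1. Usually only needed for L2TP/IPsec interoperation with Windows clients; only enable if you really need this.` Nothing on this page states what makes transport-mode NAT-T insecure, so a short justification or a pointer to upstream's documentation would let users judge the trade-off instead of taking the word "insecure" on faith.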
110 |
|
111 |
|
112 |
|
113 |
1.82 net-misc/strongswan/ChangeLog |
114 |
|
115 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.82&view=markup |
116 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.82&content-type=text/plain |
117 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/ChangeLog?r1=1.81&r2=1.82 |
118 |
|
119 |
Index: ChangeLog |
120 |
=================================================================== |
121 |
RCS file: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v |
122 |
retrieving revision 1.81 |
123 |
retrieving revision 1.82 |
124 |
diff -u -r1.81 -r1.82 |
125 |
--- ChangeLog 23 Mar 2010 01:38:58 -0000 1.81 |
126 |
+++ ChangeLog 2 Apr 2010 15:39:54 -0000 1.82 |
127 |
@@ -1,6 +1,20 @@ |
128 |
# ChangeLog for net-misc/strongswan |
129 |
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2 |
130 |
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.81 2010/03/23 01:38:58 yngwin Exp $ |
131 |
+# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.82 2010/04/02 15:39:54 yngwin Exp $ |
132 |
+ |
133 |
+*strongswan-4.3.6-r2 (02 Apr 2010) |
134 |
+ |
135 |
+ 02 Apr 2010; Ben de Groot <yngwin@g.o> -strongswan-4.2.17.ebuild, |
136 |
+ -strongswan-4.3.3.ebuild, -strongswan-4.3.4.ebuild, |
137 |
+ -strongswan-4.3.5.ebuild, -strongswan-4.3.6.ebuild, |
138 |
+ -strongswan-4.3.6-r1.ebuild, +strongswan-4.3.6-r2.ebuild, metadata.xml: |
139 |
+ Remove 'nat' useflag as it is misleading and replace it with an |
140 |
+ appropriate 'nat-transport' flag and warn users about it. Fix dependency on |
141 |
+ openssl[-bindist] wrt bug #311981. Thanks to Thomas Klute for reporting this. |
142 |
+ Overhaul of package/useflag descriptions. Drop built_with_use again |
143 |
+ (deprecated) which I introduced in the latest revision. Addition of several |
144 |
+ new warnings/logs that will hopefully help the user. Drop old (and |
145 |
+ unsupported by proxy maintainer) ebuilds. Update metadata.xml. |
146 |
|
147 |
23 Mar 2010; Ben de Groot <yngwin@g.o> strongswan-4.3.6-r1.ebuild: |
148 |
Fix directory ownership for '+non-root -caps'/'-non-root +caps' |
149 |
|
150 |
|
151 |
|
152 |
1.1 net-misc/strongswan/strongswan-4.3.6-r2.ebuild |
153 |
|
154 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/strongswan-4.3.6-r2.ebuild?rev=1.1&view=markup |
155 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-misc/strongswan/strongswan-4.3.6-r2.ebuild?rev=1.1&content-type=text/plain |
156 |
|
157 |
Index: strongswan-4.3.6-r2.ebuild |
158 |
=================================================================== |
159 |
# Copyright 1999-2010 Gentoo Foundation |
160 |
# Distributed under the terms of the GNU General Public License v2 |
161 |
# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.3.6-r2.ebuild,v 1.1 2010/04/02 15:39:54 yngwin Exp $ |
162 |
|
163 |
# EAPI 2: provides src_configure(), USE dependencies such as [-bindist]
# below, and the use_enable/use_with helpers used in src_configure.
EAPI=2
# eutils supplies enewuser/enewgroup (pkg_setup); linux-info supplies
# linux-info_pkg_setup, kernel_is() and KV_FULL.
inherit eutils linux-info

DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
# NOTE(review): plain http download; integrity of the tarball rests on the
# Portage Manifest digests rather than on the transport.
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
SLOT="0"
KEYWORDS="~amd64 ~ppc ~sparc ~x86"
# Security-relevant defaults: capability dropping (caps), running the
# daemons as an unprivileged user (non-root) and the OpenSSL plugin are
# on; the IKEv1 transport-mode NAT-T flag is deliberately off and warned
# about in pkg_setup when enabled.
IUSE="+caps cisco curl debug gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root +openssl smartcard sqlite"

# openswan ships the same /usr/sbin/ipsec front end, hence the blocker.
# openssl[-bindist]: metadata.xml states the OpenSSL plugin needs an
# openssl built with USE=-bindist (bug #311981) - presumably because the
# ECC/ECDSA support the plugin is meant to provide is absent from bindist
# builds; confirm against the bug.
COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	smartcard? ( dev-libs/opensc )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )"
# Kernel sources/headers are build-time only; presumably what linux-info
# needs for the kernel version checks in pkg_setup.
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2"

# Name of the user AND group the daemons are configured to run as when
# USE=non-root (src_configure); also the owner of the config files and
# the /etc/ipsec.d tree (src_install).
UGID="ipsec"
193 |
|
194 |
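# Sanity-checks the target kernel, warns about opt-in insecure features
# and known kernel interoperability issues, and creates the unprivileged
# account used when USE=non-root. Dies only for unsupported kernels.
pkg_setup() {
	# Populates KV_FULL and lets kernel_is() below query the target kernel.
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Only the native Linux 2.6 IPsec stack is supported by this ebuild.
	if ! kernel_is -ge 2 6 16; then
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
		die "Please install a recent 2.6 kernel."
	fi

	# Transport-mode NAT-T for IKEv1 is off by default (IUSE) and has to be
	# opted into; make sure the user knows why it is discouraged.
	if use nat-transport; then
		ewarn
		ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
		ewarn "protocol. Please double check if you really require this feature"
		ewarn "as it is potentially insecure and usually only required in certain"
		ewarn "situations when interoperating with Windows using L2TP/IPsec."
		ewarn
	fi

	# Kernel interoperability notes. Both apply below 2.6.29; only the
	# SHA-2 HMAC note applies for 2.6.29 <= kernel < 2.6.33, so the outer
	# test alone guards it (the previous revision re-tested -lt 2 6 33 here,
	# which was always true inside this branch).
	if kernel_is -lt 2 6 33; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn

		if kernel_is -lt 2 6 29; then
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		fi

		ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
		ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
		ewarn "miss SHA384 and SHA512 HMAC support altogether."
		ewarn
		ewarn "If you need any of those features, please use kernel >= 2.6.33."
		ewarn
	fi

	# Account passed as --with-user/--with-group in src_configure and used
	# as owner of the configuration files in src_install.
	if use non-root; then
		enewgroup ${UGID}
		enewuser ${UGID} -1 -1 -1 ${UGID}
	fi
}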
244 |
|
245 |
# Translates USE flags into configure switches. Order of the switches is
# kept stable so the configure invocation stays easy to diff.
src_configure() {
	local -a extra_opts=()

	# Build the daemons to run as the dedicated account from pkg_setup.
	if use non-root; then
		extra_opts+=( --with-user=${UGID} --with-group=${UGID} )
	fi

	# Either database backend makes the generic SQL plugins worthwhile as
	# well; they add no dependencies and cost nothing but disk space.
	if use mysql || use sqlite; then
		extra_opts+=( --enable-attr-sql --enable-sql )
	fi

	# strongSwan installs static libraries by default although no headers
	# are shipped, so nothing could ever link against them: drop them.
	econf \
		--disable-static \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable ldap) \
		$(use_enable smartcard) \
		$(use_enable cisco cisco-quirks) \
		$(use_enable debug leak-detective) \
		$(use_enable nat-transport) \
		$(use_enable openssl) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable sqlite) \
		$(use_enable ikev1 pluto) \
		$(use_enable ikev2 charon) \
		"${extra_opts[@]}"
}
279 |
|
280 |
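# Installs the build, the init script and the /etc/ipsec.d tree with
# restrictive ownership/permissions, and drops libtool archives.
src_install() {
	einstall || die "einstall failed"

	doinitd "${FILESDIR}"/ipsec

	# With USE=non-root the daemons read their configuration as ${UGID},
	# so hand the files to that account; otherwise everything stays
	# root-owned and the directory tree below follows suit.
	local dir_ugid="root"
	if use non-root; then
		fowners ${UGID}:${UGID} \
			/etc/ipsec.conf \
			/etc/ipsec.secrets \
			/etc/strongswan.conf
		dir_ugid="${UGID}"
	fi

	# ipsec.secrets holds pre-shared keys and private-key passphrases.
	# Enforce owner-only access here instead of relying on whatever mode
	# upstream's install target happens to set (harmless if it already
	# is 0600).
	fperms 0600 /etc/ipsec.secrets

	# Certificate/key store: owner and its group only, nothing for others.
	diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
	dodir /etc/ipsec.d \
		/etc/ipsec.d/aacerts \
		/etc/ipsec.d/acerts \
		/etc/ipsec.d/cacerts \
		/etc/ipsec.d/certs \
		/etc/ipsec.d/crls \
		/etc/ipsec.d/ocspcerts \
		/etc/ipsec.d/private \
		/etc/ipsec.d/reqs

	dodoc CREDITS NEWS README TODO || die

	# The shared libraries are only used internally and no static libs are
	# built (see src_configure), so the libtool archives serve no purpose.
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}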
314 |
|
315 |
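# Records facts about the version being replaced for pkg_postinst, which
# decides from them which migration warnings to print. has_version()
# returns 0 when a matching package is installed; "$(( !$? ))" turns that
# into a 1/0 flag.
pkg_preinst() {
	# Everything before 4.3.6-r1 (i.e. up to and including 4.3.6) - these
	# presumably shipped /etc/ipsec.d/* with looser permissions, which
	# pkg_postinst tightens.
	has_version "<net-misc/strongswan-4.3.6-r1"
	upgrade_from_leq_4_3_6=$(( !$? ))

	# In those same versions USE=caps implied running as the ipsec user
	# (see the warning text in pkg_postinst). That warning is for users who
	# had caps ENABLED and now build without non-root, so the USE dependency
	# must be [caps]; the previous "[-caps]" matched installs with the flag
	# disabled and fired the warning for exactly the wrong users.
	has_version "<net-misc/strongswan-4.3.6-r1[caps]"
	previous_4_3_6_with_caps=$(( !$? ))
}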
322 |
|
323 |
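# Post-merge advice: crypto plugin coverage, permission migration for
# upgrades from <= 4.3.6, privilege-related warnings and the non-root
# sudo recipe (now with a caveat about what that recipe gives away).
pkg_postinst() {
	# ECC (DH groups 19-21, 25, 26) and ECDSA only come from the OpenSSL
	# plugin, so its absence is worth a note even when gcrypt is present.
	if ! use openssl && ! use gcrypt; then
		elog
		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
		elog "Please note that this might effect availability and speed of some"
		elog "cryptographic features. You are advised to enable the OpenSSL plugin."
	elif ! use openssl; then
		elog
		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
		elog "availability and speed of some cryptographic features. There will be"
		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
		elog "25, 26) and ECDSA."
	fi

	# Flags are set in pkg_preinst. The chmod is needed because the
	# directories already exist on an upgrade and the merge presumably
	# leaves their modes untouched; src_install only covers new installs.
	if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
		chmod 0750 "${ROOT}"/etc/ipsec.d \
			"${ROOT}"/etc/ipsec.d/aacerts \
			"${ROOT}"/etc/ipsec.d/acerts \
			"${ROOT}"/etc/ipsec.d/cacerts \
			"${ROOT}"/etc/ipsec.d/certs \
			"${ROOT}"/etc/ipsec.d/crls \
			"${ROOT}"/etc/ipsec.d/ocspcerts \
			"${ROOT}"/etc/ipsec.d/private \
			"${ROOT}"/etc/ipsec.d/reqs

		ewarn
		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
		ewarn "security reasons. Your system installed directories have been"
		ewarn "updated accordingly. Please check if necessary."
		ewarn

		# Older ebuilds tied dropping to the ipsec user to USE=caps; a user
		# who relied on that and did not set non-root would silently end up
		# running the daemons as root again.
		if [[ $previous_4_3_6_with_caps == 1 ]]; then
			if ! use non-root; then
				ewarn
				ewarn "IMPORTANT: You previously had ${PN} installed without root"
				ewarn "privileges because it was implied by the 'caps' USE flag."
				ewarn "This has been changed. If you want ${PN} with user privileges,"
				ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
				ewarn
			fi
		fi
	fi
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi
	if use non-root; then
		elog
		elog "${PN} has been installed without superuser privileges (USE=non-root)."
		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
		elog "but also a few to the IKEv2 daemon 'charon'."
		elog
		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
		elog
		elog "pluto uses a helper script by default to insert/remove routing and"
		elog "policy rules upon connection start/stop which requires superuser"
		elog "privileges. charon in contrast does this internally and can do so"
		elog "even with reduced (user) privileges."
		elog
		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
		elog "script to pluto or charon which requires superuser privileges, you"
		elog "can work around this limitation by using sudo to grant the"
		elog "user \"ipsec\" the appropriate rights."
		elog "For example (the default case):"
		elog "/etc/sudoers:"
		elog "  Defaults:ipsec always_set_home,!env_reset"
		elog "  ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
		elog "Under the specific connection block in /etc/ipsec.conf:"
		elog "  leftupdown=\"sudo ipsec _updown\""
		elog
		# The recipe above hands the daemon account root via the whole
		# /usr/sbin/ipsec front end, with most of its environment preserved.
		# That is a large part of the privilege separation non-root buys,
		# so say so rather than present the rule as cost-free.
		ewarn "Note that such a sudo rule lets anything running as user \"ipsec\","
		ewarn "including a compromised IKE daemon, run /usr/sbin/ipsec as root with"
		ewarn "most of its environment preserved (!env_reset). This gives back a"
		ewarn "large part of the isolation gained from USE=non-root; restrict the"
		ewarn "rule to the exact command and arguments your setup needs."
		ewarn
	fi
	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog "  http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog "  http://wiki.strongswan.org/"
	elog
}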