
From: Florian Schmaus <flow@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/
Date: Sun, 02 Jan 2022 14:15:56
Message-Id: 1641132930.7b2be9c86d3a38312e787a30291c46e30b2da3bb.flow@gentoo
1 commit: 7b2be9c86d3a38312e787a30291c46e30b2da3bb
2 Author: Philipp Rösner <rndxelement <AT> protonmail <DOT> com>
3 AuthorDate: Wed Dec 29 22:46:06 2021 +0000
4 Commit: Florian Schmaus <flow <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 2 14:15:30 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b2be9c8
7
8 net-vpn/strongswan: bump to 5.9.4
9
10 Added an ebuild for strongswan-5.9.4 written against EAPI 8.
11
12 Bug: https://bugs.gentoo.org/818841
13 Package-Manager: Portage-3.0.30, Repoman-3.0.3
14 Signed-off-by: Philipp Roesner <rndxelement <AT> protonmail.com>
15 Signed-off-by: Florian Schmaus <flow <AT> gentoo.org>
16
17 net-vpn/strongswan/Manifest | 1 +
18 net-vpn/strongswan/strongswan-5.9.4.ebuild | 308 +++++++++++++++++++++++++++++
19 2 files changed, 309 insertions(+)
20
21 diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest
22 index 928680f8c8db..20a3b02a5249 100644
23 --- a/net-vpn/strongswan/Manifest
24 +++ b/net-vpn/strongswan/Manifest
25 @@ -1 +1,2 @@
26 DIST strongswan-5.9.2.tar.bz2 4607281 BLAKE2B 84f5457bc970f49c9bc99d0ef41182d815e39b8a88be349ad0a78b531a983d3b3919d5c9f3b97793b0b2569f2c6b151cc3b5d9b145a8bfd663db6f79d8ff3dd6 SHA512 dca30b9be7847e0af59d1526c2e38d440b6729055cb3f0f0637d50d7381df465c7b59e79662efe63870a7a5a44eef696c02231274d2764f9e3c430ce2fd694f6
27 +DIST strongswan-5.9.4.tar.bz2 4651000 BLAKE2B 071a0a0a144b369a7e4069d92340cecca9eef0c004949d91993c8f1cc0f39f7868749020d6e135fa59d5899d146f39172f87eb32a26ad788cb8a4c160597e328 SHA512 796356c1d5c1ad410f0ed944ab4a131076d26f120ec6fa57796fe4060b0741201199625883ddc9ebd8a7ad299495f073cec76a6780ebd8f375605aae16750cf3
28
29 diff --git a/net-vpn/strongswan/strongswan-5.9.4.ebuild b/net-vpn/strongswan/strongswan-5.9.4.ebuild
30 new file mode 100644
31 index 000000000000..133424376b55
32 --- /dev/null
33 +++ b/net-vpn/strongswan/strongswan-5.9.4.ebuild
34 @@ -0,0 +1,308 @@
35 +# Copyright 1999-2021 Gentoo Authors
36 +# Distributed under the terms of the GNU General Public License v2
37 +
38 +EAPI="8"
39 +inherit linux-info systemd
40 +
41 +DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"
42 +HOMEPAGE="https://www.strongswan.org/"
43 +SRC_URI="https://download.strongswan.org/${P}.tar.bz2"
44 +
45 +LICENSE="GPL-2 RSA DES"
46 +SLOT="0"
47 +KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86"
48 +IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"
49 +
50 +STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
51 +STRONGSWAN_PLUGINS_OPT="aesni blowfish bypass-lan ccm chapoly ctr forecast gcm ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist"
52 +for mod in $STRONGSWAN_PLUGINS_STD; do
53 + IUSE="${IUSE} +strongswan_plugins_${mod}"
54 +done
55 +
56 +for mod in $STRONGSWAN_PLUGINS_OPT; do
57 + IUSE="${IUSE} strongswan_plugins_${mod}"
58 +done
59 +
60 +COMMON_DEPEND="non-root? (
61 + acct-user/ipsec
62 + acct-group/ipsec
63 + )
64 + gmp? ( >=dev-libs/gmp-4.1.5:= )
65 + gcrypt? ( dev-libs/libgcrypt:0 )
66 + caps? ( sys-libs/libcap )
67 + curl? ( net-misc/curl )
68 + ldap? ( net-nds/openldap )
69 + openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] )
70 + mysql? ( dev-db/mysql-connector-c:= )
71 + sqlite? ( >=dev-db/sqlite-3.3.1 )
72 + systemd? ( sys-apps/systemd )
73 + networkmanager? ( net-misc/networkmanager )
74 + pam? ( sys-libs/pam )
75 + strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns )"
76 +
77 +DEPEND="${COMMON_DEPEND}
78 + virtual/linux-sources
79 + sys-kernel/linux-headers"
80 +
81 +RDEPEND="${COMMON_DEPEND}
82 + virtual/logger
83 + sys-apps/iproute2
84 + !net-vpn/libreswan
85 + selinux? ( sec-policy/selinux-ipsec )"
86 +
87 +UGID="ipsec"
88 +
89 +pkg_setup() {
90 + linux-info_pkg_setup
91 +
92 + elog "Linux kernel version: ${KV_FULL}"
93 +
94 + if ! kernel_is -ge 2 6 16; then
95 + eerror
96 + eerror "This ebuild currently only supports ${PN} with the"
97 + eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
98 + eerror
99 + fi
100 +
101 + if kernel_is -lt 2 6 34; then
102 + ewarn
103 + ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
104 + ewarn
105 +
106 + if kernel_is -lt 2 6 29; then
107 + ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
108 + ewarn "include all required IPv6 modules even if you just intend"
109 + ewarn "to run on IPv4 only."
110 + ewarn
111 + ewarn "This has been fixed with kernels >= 2.6.29."
112 + ewarn
113 + fi
114 +
115 + if kernel_is -lt 2 6 33; then
116 + ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
117 + ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
118 + ewarn "miss SHA384 and SHA512 HMAC support altogether."
119 + ewarn
120 + ewarn "If you need any of those features, please use kernel >= 2.6.33."
121 + ewarn
122 + fi
123 +
124 + if kernel_is -lt 2 6 34; then
125 + ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
126 + ewarn "ESP cipher is only included in kernels >= 2.6.34."
127 + ewarn
128 + ewarn "If you need it, please use kernel >= 2.6.34."
129 + ewarn
130 + fi
131 + fi
132 +}
133 +
134 +src_configure() {
135 + local myconf=""
136 +
137 + if use non-root; then
138 + myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
139 + fi
140 +
141 + # If a user has already enabled db support, those plugins will
142 + # most likely be desired as well. Besides they don't impose new
143 + # dependencies and come at no cost (except for space).
144 + if use mysql || use sqlite; then
145 + myconf="${myconf} --enable-attr-sql --enable-sql"
146 + fi
147 +
148 + # strongSwan builds and installs static libs by default which are
149 + # useless to the user (and to strongSwan for that matter) because no
150 + # header files or alike get installed... so disabling them is safe.
151 + if use pam && use eap; then
152 + myconf="${myconf} --enable-eap-gtc"
153 + else
154 + myconf="${myconf} --disable-eap-gtc"
155 + fi
156 +
157 + for mod in $STRONGSWAN_PLUGINS_STD; do
158 + if use strongswan_plugins_${mod}; then
159 + myconf+=" --enable-${mod}"
160 + fi
161 + done
162 +
163 + for mod in $STRONGSWAN_PLUGINS_OPT; do
164 + if use strongswan_plugins_${mod}; then
165 + myconf+=" --enable-${mod}"
166 + fi
167 + done
168 +
169 + econf \
170 + --disable-static \
171 + --enable-ikev1 \
172 + --enable-ikev2 \
173 + --enable-swanctl \
174 + --enable-socket-dynamic \
175 + $(use_enable curl) \
176 + $(use_enable constraints) \
177 + $(use_enable ldap) \
178 + $(use_enable debug leak-detective) \
179 + $(use_enable dhcp) \
180 + $(use_enable eap eap-sim) \
181 + $(use_enable eap eap-sim-file) \
182 + $(use_enable eap eap-simaka-sql) \
183 + $(use_enable eap eap-simaka-pseudonym) \
184 + $(use_enable eap eap-simaka-reauth) \
185 + $(use_enable eap eap-identity) \
186 + $(use_enable eap eap-md5) \
187 + $(use_enable eap eap-aka) \
188 + $(use_enable eap eap-aka-3gpp2) \
189 + $(use_enable eap md4) \
190 + $(use_enable eap eap-mschapv2) \
191 + $(use_enable eap eap-radius) \
192 + $(use_enable eap eap-tls) \
193 + $(use_enable eap eap-ttls) \
194 + $(use_enable eap xauth-eap) \
195 + $(use_enable eap eap-dynamic) \
196 + $(use_enable farp) \
197 + $(use_enable gmp) \
198 + $(use_enable gcrypt) \
199 + $(use_enable mysql) \
200 + $(use_enable networkmanager nm) \
201 + $(use_enable openssl) \
202 + $(use_enable pam xauth-pam) \
203 + $(use_enable pkcs11) \
204 + $(use_enable sqlite) \
205 + $(use_enable systemd) \
206 + $(use_with caps capabilities libcap) \
207 + --with-piddir=/run \
208 + --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
209 + ${myconf}
210 +}
211 +
212 +src_install() {
213 + emake DESTDIR="${D}" install
214 +
215 + if ! use systemd; then
216 + rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib."
217 + fi
218 +
219 + doinitd "${FILESDIR}"/ipsec
220 +
221 + local dir_ugid
222 + if use non-root; then
223 + fowners ${UGID}:${UGID} \
224 + /etc/ipsec.conf \
225 + /etc/strongswan.conf
226 +
227 + dir_ugid="${UGID}"
228 + else
229 + dir_ugid="root"
230 + fi
231 +
232 + diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
233 + dodir /etc/ipsec.d \
234 + /etc/ipsec.d/aacerts \
235 + /etc/ipsec.d/acerts \
236 + /etc/ipsec.d/cacerts \
237 + /etc/ipsec.d/certs \
238 + /etc/ipsec.d/crls \
239 + /etc/ipsec.d/ocspcerts \
240 + /etc/ipsec.d/private \
241 + /etc/ipsec.d/reqs
242 +
243 + dodoc NEWS README TODO
244 +
245 + # shared libs are used only internally and there are no static libs,
246 + # so it's safe to get rid of the .la files
247 + find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
248 +}
249 +
250 +pkg_preinst() {
251 + has_version "<net-vpn/strongswan-4.3.6-r1"
252 + upgrade_from_leq_4_3_6=$(( !$? ))
253 +
254 + has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
255 + previous_4_3_6_with_caps=$(( !$? ))
256 +}
257 +
258 +pkg_postinst() {
259 + if ! use openssl && ! use gcrypt; then
260 + elog
261 + elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
262 + elog "Please note that this might effect availability and speed of some"
263 + elog "cryptographic features. You are advised to enable the OpenSSL plugin."
264 + elif ! use openssl; then
265 + elog
266 + elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
267 + elog "availability and speed of some cryptographic features. There will be"
268 + elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
269 + elog "25, 26) and ECDSA."
270 + fi
271 +
272 + if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
273 + chmod 0750 "${ROOT}"/etc/ipsec.d \
274 + "${ROOT}"/etc/ipsec.d/aacerts \
275 + "${ROOT}"/etc/ipsec.d/acerts \
276 + "${ROOT}"/etc/ipsec.d/cacerts \
277 + "${ROOT}"/etc/ipsec.d/certs \
278 + "${ROOT}"/etc/ipsec.d/crls \
279 + "${ROOT}"/etc/ipsec.d/ocspcerts \
280 + "${ROOT}"/etc/ipsec.d/private \
281 + "${ROOT}"/etc/ipsec.d/reqs
282 +
283 + ewarn
284 + ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
285 + ewarn "security reasons. Your system installed directories have been"
286 + ewarn "updated accordingly. Please check if necessary."
287 + ewarn
288 +
289 + if [[ $previous_4_3_6_with_caps == 1 ]]; then
290 + if ! use non-root; then
291 + ewarn
292 + ewarn "IMPORTANT: You previously had ${PN} installed without root"
293 + ewarn "privileges because it was implied by the 'caps' USE flag."
294 + ewarn "This has been changed. If you want ${PN} with user privileges,"
295 + ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
296 + ewarn
297 + fi
298 + fi
299 + fi
300 + if ! use caps && ! use non-root; then
301 + ewarn
302 + ewarn "You have decided to run ${PN} with root privileges and built it"
303 + ewarn "without support for POSIX capability dropping. It is generally"
304 + ewarn "strongly suggested that you reconsider- especially if you intend"
305 + ewarn "to run ${PN} as server with a public ip address."
306 + ewarn
307 + ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
308 + ewarn
309 + fi
310 + if use non-root; then
311 + elog
312 + elog "${PN} has been installed without superuser privileges (USE=non-root)."
313 + elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
314 + elog "but also a few to the IKEv2 daemon 'charon'."
315 + elog
316 + elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
317 + elog
318 + elog "pluto uses a helper script by default to insert/remove routing and"
319 + elog "policy rules upon connection start/stop which requires superuser"
320 + elog "privileges. charon in contrast does this internally and can do so"
321 + elog "even with reduced (user) privileges."
322 + elog
323 + elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
324 + elog "script to pluto or charon which requires superuser privileges, you"
325 + elog "can work around this limitation by using sudo to grant the"
326 + elog "user \"ipsec\" the appropriate rights."
327 + elog "For example (the default case):"
328 + elog "/etc/sudoers:"
329 + elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
330 + elog "Under the specific connection block in /etc/ipsec.conf:"
331 + elog " leftupdown=\"sudo -E ipsec _updown iptables\""
332 + elog
333 + fi
334 + elog
335 + elog "Make sure you have _all_ required kernel modules available including"
336 + elog "the appropriate cryptographic algorithms. A list is available at:"
337 + elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
338 + elog
339 + elog "The up-to-date manual is available online at:"
340 + elog " https://wiki.strongswan.org/"
341 + elog
342 +}
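Review bot: With USE=non-root, src_install hands ownership of /etc/ipsec.conf and /etc/strongswan.conf to the ipsec service account (`fowners ${UGID}:${UGID}`), which makes the daemon's own configuration writable by the account it runs as, so a compromised charon could for example alter which plugins or credential paths are loaded on the next restart. If the intent is only that the unprivileged daemon can read them (that appears to be the motivation, though the ebuild does not state it), root ownership with group read is the least-privilege form: `fowners root:${UGID} /etc/ipsec.conf /etc/strongswan.conf` followed by `fperms 0640 /etc/ipsec.conf /etc/strongswan.conf`; the same consideration applies to the `diropts -o ${dir_ugid} -g ${dir_ugid}` directories, in particular /etc/ipsec.d/private, which the service account should not need to own in order to read. Separately, the non-root elog block in pkg_postinst still describes an "IKEv1 daemon 'pluto'" with its own updown helper, which does not match a build that enables IKEv1 inside charon (`--enable-ikev1`), so that text should be rewritten or dropped rather than steer administrators toward a blanket `ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec` sudoers rule they may not need.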