
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/
Date: Sun, 03 May 2020 19:02:00
Message-Id: 1588532468.6eae691e064bd7f51443476331368d92d73e7742.whissi@gentoo
1 commit: 6eae691e064bd7f51443476331368d92d73e7742
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Sun May 3 18:41:07 2020 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Sun May 3 19:01:08 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eae691e
7
8 net-vpn/strongswan: bump to v5.8.4
9
10 Closes: https://bugs.gentoo.org/716910
11 Package-Manager: Portage-2.3.99, Repoman-2.3.22
12 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
13
14 net-vpn/strongswan/Manifest | 1 +
15 net-vpn/strongswan/strongswan-5.8.4.ebuild | 308 +++++++++++++++++++++++++++++
16 2 files changed, 309 insertions(+)
17
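diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest
index ea091b71387..ce8f7438ae4 100644
--- a/net-vpn/strongswan/Manifest
+++ b/net-vpn/strongswan/Manifest
@@ -1,2 +1,3 @@
 DIST strongswan-5.8.1.tar.bz2 4517921 BLAKE2B 07a82309515a054b267a063fc0e2f49fd03d16b221b1ee26a33c8d367df140797320e1ef7007a39074e40c472022d941656b3ae93d2eb860152cdc5a5d3dbc8a SHA512 630d24643b3d61e931bb25cdd083ad3c55f92fe41f3fcd3198012eee486fb3b1a16dc3f80936162afb7da9e471d45d92b7d183a00153a558babb2a79e5f6813f
 DIST strongswan-5.8.2.tar.bz2 4533402 BLAKE2B edbfa8dbe1ac00c140cfe9e906ac7aa1b6f3ddfd528dec84e7b1799e5ecdd0f6114679168ebcff9185c8abae78b46dfc43ddc4dabecd44f720285bd175d7a249 SHA512 423e7924acfe8a03ad7d4359ae9086fd516798fcf5eb948a27b52ea719f4d8954b83ea30ce94191ea1647616611df8a1215cb4d5c7ec48676624df6c41853e1d
+DIST strongswan-5.8.4.tar.bz2 4546240 BLAKE2B f58f53a17c02924a3ad75bfadd5956f62098c41468ec5fe8d51bf0f0465c8936d8ca846a41a0b6ff6ac24ccd2229e726d3ea2b48904abf5743bbe766e5f5f81c SHA512 15e866b0d6cc4ea94f17856b519d926ae08c15d3b62f675f62685d0722ca8fa26b46afb1ad1c866e9d5f347d77a747f57d0c6d7f6bd57762f37d7798f9e28103
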
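diff --git a/net-vpn/strongswan/strongswan-5.8.4.ebuild b/net-vpn/strongswan/strongswan-5.8.4.ebuild
new file mode 100644
index 00000000000..aa83509c3d2
--- /dev/null
+++ b/net-vpn/strongswan/strongswan-5.8.4.ebuild
@@ -0,0 +1,308 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+inherit linux-info systemd user
+
+DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"
+HOMEPAGE="https://www.strongswan.org/"
+SRC_URI="https://download.strongswan.org/${P}.tar.bz2"
+
+LICENSE="GPL-2 RSA DES"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"
+
+STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
+STRONGSWAN_PLUGINS_OPT="aesni blowfish ccm chapoly ctr forecast gcm ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist"
+for mod in $STRONGSWAN_PLUGINS_STD; do
+ IUSE="${IUSE} +strongswan_plugins_${mod}"
+done
+
+for mod in $STRONGSWAN_PLUGINS_OPT; do
+ IUSE="${IUSE} strongswan_plugins_${mod}"
+done
+
+COMMON_DEPEND="!net-misc/openswan
+ gmp? ( >=dev-libs/gmp-4.1.5:= )
+ gcrypt? ( dev-libs/libgcrypt:0 )
+ caps? ( sys-libs/libcap )
+ curl? ( net-misc/curl )
+ ldap? ( net-nds/openldap )
+ openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] )
+ mysql? ( dev-db/mysql-connector-c:= )
+ sqlite? ( >=dev-db/sqlite-3.3.1 )
+ systemd? ( sys-apps/systemd )
+ networkmanager? ( net-misc/networkmanager )
+ pam? ( sys-libs/pam )
+ strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns )"
+DEPEND="${COMMON_DEPEND}
+ virtual/linux-sources
+ sys-kernel/linux-headers"
+RDEPEND="${COMMON_DEPEND}
+ virtual/logger
+ sys-apps/iproute2
+ !net-vpn/libreswan
+ selinux? ( sec-policy/selinux-ipsec )"
+
+UGID="ipsec"
+
+pkg_setup() {
+ linux-info_pkg_setup
+
+ elog "Linux kernel version: ${KV_FULL}"
+
+ if ! kernel_is -ge 2 6 16; then
+ eerror
+ eerror "This ebuild currently only supports ${PN} with the"
+ eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
+ eerror
+ fi
+
+ if kernel_is -lt 2 6 34; then
+ ewarn
+ ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
+ ewarn
+
+ if kernel_is -lt 2 6 29; then
+ ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
+ ewarn "include all required IPv6 modules even if you just intend"
+ ewarn "to run on IPv4 only."
+ ewarn
+ ewarn "This has been fixed with kernels >= 2.6.29."
+ ewarn
+ fi
+
+ if kernel_is -lt 2 6 33; then
+ ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
+ ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
+ ewarn "miss SHA384 and SHA512 HMAC support altogether."
+ ewarn
+ ewarn "If you need any of those features, please use kernel >= 2.6.33."
+ ewarn
+ fi
+
+ if kernel_is -lt 2 6 34; then
+ ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
+ ewarn "ESP cipher is only included in kernels >= 2.6.34."
+ ewarn
+ ewarn "If you need it, please use kernel >= 2.6.34."
+ ewarn
+ fi
+ fi
+
+ if use non-root; then
+ enewgroup ${UGID}
+ enewuser ${UGID} -1 -1 -1 ${UGID}
+ fi
+}
+
+src_configure() {
+ local myconf=""
+
+ if use non-root; then
+ myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
+ fi
+
+ # If a user has already enabled db support, those plugins will
+ # most likely be desired as well. Besides they don't impose new
+ # dependencies and come at no cost (except for space).
+ if use mysql || use sqlite; then
+ myconf="${myconf} --enable-attr-sql --enable-sql"
+ fi
+
+ # strongSwan builds and installs static libs by default which are
+ # useless to the user (and to strongSwan for that matter) because no
+ # header files or alike get installed... so disabling them is safe.
+ if use pam && use eap; then
+ myconf="${myconf} --enable-eap-gtc"
+ else
+ myconf="${myconf} --disable-eap-gtc"
+ fi
+
+ for mod in $STRONGSWAN_PLUGINS_STD; do
+ if use strongswan_plugins_${mod}; then
+ myconf+=" --enable-${mod}"
+ fi
+ done
+
+ for mod in $STRONGSWAN_PLUGINS_OPT; do
+ if use strongswan_plugins_${mod}; then
+ myconf+=" --enable-${mod}"
+ fi
+ done
+
+ econf \
+ --disable-static \
+ --enable-ikev1 \
+ --enable-ikev2 \
+ --enable-swanctl \
+ --enable-socket-dynamic \
+ $(use_enable curl) \
+ $(use_enable constraints) \
+ $(use_enable ldap) \
+ $(use_enable debug leak-detective) \
+ $(use_enable dhcp) \
+ $(use_enable eap eap-sim) \
+ $(use_enable eap eap-sim-file) \
+ $(use_enable eap eap-simaka-sql) \
+ $(use_enable eap eap-simaka-pseudonym) \
+ $(use_enable eap eap-simaka-reauth) \
+ $(use_enable eap eap-identity) \
+ $(use_enable eap eap-md5) \
+ $(use_enable eap eap-aka) \
+ $(use_enable eap eap-aka-3gpp2) \
+ $(use_enable eap md4) \
+ $(use_enable eap eap-mschapv2) \
+ $(use_enable eap eap-radius) \
+ $(use_enable eap eap-tls) \
+ $(use_enable eap eap-ttls) \
+ $(use_enable eap xauth-eap) \
+ $(use_enable eap eap-dynamic) \
+ $(use_enable farp) \
+ $(use_enable gmp) \
+ $(use_enable gcrypt) \
+ $(use_enable mysql) \
+ $(use_enable networkmanager nm) \
+ $(use_enable openssl) \
+ $(use_enable pam xauth-pam) \
+ $(use_enable pkcs11) \
+ $(use_enable sqlite) \
+ $(use_enable systemd) \
+ $(use_with caps capabilities libcap) \
+ --with-piddir=/run \
+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+ ${myconf}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ if ! use systemd; then
+ rm -rf "${ED}"/lib/systemd || die
+ fi
+
+ doinitd "${FILESDIR}"/ipsec
+
+ local dir_ugid
+ if use non-root; then
+ fowners ${UGID}:${UGID} \
+ /etc/ipsec.conf \
+ /etc/strongswan.conf
+
+ dir_ugid="${UGID}"
+ else
+ dir_ugid="root"
+ fi
+
+ diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
+ dodir /etc/ipsec.d \
+ /etc/ipsec.d/aacerts \
+ /etc/ipsec.d/acerts \
+ /etc/ipsec.d/cacerts \
+ /etc/ipsec.d/certs \
+ /etc/ipsec.d/crls \
+ /etc/ipsec.d/ocspcerts \
+ /etc/ipsec.d/private \
+ /etc/ipsec.d/reqs
+
+ dodoc NEWS README TODO
+
+ # shared libs are used only internally and there are no static libs,
+ # so it's safe to get rid of the .la files
+ find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
+}
+
+pkg_preinst() {
+ has_version "<net-vpn/strongswan-4.3.6-r1"
+ upgrade_from_leq_4_3_6=$(( !$? ))
+
+ has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
+ previous_4_3_6_with_caps=$(( !$? ))
+}
+
+pkg_postinst() {
+ if ! use openssl && ! use gcrypt; then
+ elog
+ elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
+ elog "Please note that this might effect availability and speed of some"
+ elog "cryptographic features. You are advised to enable the OpenSSL plugin."
+ elif ! use openssl; then
+ elog
+ elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
+ elog "availability and speed of some cryptographic features. There will be"
+ elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
+ elog "25, 26) and ECDSA."
+ fi
+
+ if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
+ chmod 0750 "${ROOT}"/etc/ipsec.d \
+ "${ROOT}"/etc/ipsec.d/aacerts \
+ "${ROOT}"/etc/ipsec.d/acerts \
+ "${ROOT}"/etc/ipsec.d/cacerts \
+ "${ROOT}"/etc/ipsec.d/certs \
+ "${ROOT}"/etc/ipsec.d/crls \
+ "${ROOT}"/etc/ipsec.d/ocspcerts \
+ "${ROOT}"/etc/ipsec.d/private \
+ "${ROOT}"/etc/ipsec.d/reqs
+
+ ewarn
+ ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
+ ewarn "security reasons. Your system installed directories have been"
+ ewarn "updated accordingly. Please check if necessary."
+ ewarn
+
+ if [[ $previous_4_3_6_with_caps == 1 ]]; then
+ if ! use non-root; then
+ ewarn
+ ewarn "IMPORTANT: You previously had ${PN} installed without root"
+ ewarn "privileges because it was implied by the 'caps' USE flag."
+ ewarn "This has been changed. If you want ${PN} with user privileges,"
+ ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
+ ewarn
+ fi
+ fi
+ fi
+ if ! use caps && ! use non-root; then
+ ewarn
+ ewarn "You have decided to run ${PN} with root privileges and built it"
+ ewarn "without support for POSIX capability dropping. It is generally"
+ ewarn "strongly suggested that you reconsider- especially if you intend"
+ ewarn "to run ${PN} as server with a public ip address."
+ ewarn
+ ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
+ ewarn
+ fi
+ if use non-root; then
+ elog
+ elog "${PN} has been installed without superuser privileges (USE=non-root)."
+ elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
+ elog "but also a few to the IKEv2 daemon 'charon'."
+ elog
+ elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
+ elog
+ elog "pluto uses a helper script by default to insert/remove routing and"
+ elog "policy rules upon connection start/stop which requires superuser"
+ elog "privileges. charon in contrast does this internally and can do so"
+ elog "even with reduced (user) privileges."
+ elog
+ elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
+ elog "script to pluto or charon which requires superuser privileges, you"
+ elog "can work around this limitation by using sudo to grant the"
+ elog "user \"ipsec\" the appropriate rights."
+ elog "For example (the default case):"
+ elog "/etc/sudoers:"
+ elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
+ elog "Under the specific connection block in /etc/ipsec.conf:"
+ elog " leftupdown=\"sudo -E ipsec _updown iptables\""
+ elog
+ fi
+ elog
+ elog "Make sure you have _all_ required kernel modules available including"
+ elog "the appropriate cryptographic algorithms. A list is available at:"
+ elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
+ elog
+ elog "The up-to-date manual is available online at:"
+ elog " http://wiki.strongswan.org/"
+ elog
+}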
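Review bot: The `chmod 0750` chain in pkg_postinst (gutter lines 271–279) has no error check, so a failure on any of the /etc/ipsec.d directories — including /etc/ipsec.d/private, the one the tightening is meant to protect — is silently ignored while the ewarn that follows still tells the user the directories "have been updated accordingly". Since die is not appropriate in pkg_postinst, append a warning to the chain, e.g. `"${ROOT}"/etc/ipsec.d/reqs || ewarn "Failed to tighten permissions on ${ROOT}/etc/ipsec.d; please check them manually"`, so the user is told when the stated hardening did not happen. The same unchecked pattern appears in pkg_setup (gutter lines 87–92), where the eerror block for kernels older than 2.6.16 does not abort and the build simply continues; a `die "${PN} requires a kernel >= 2.6.16"` after the eerror lines would make the stated requirement effective.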