
From: "Markos Chandras (hwoarang)" <hwoarang@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in net-misc/strongswan: strongswan-4.4.0.ebuild metadata.xml ChangeLog
Date: Mon, 10 May 2010 17:00:58
Message-Id: 20100510170051.E31FD2C59E@corvid.gentoo.org
1 hwoarang 10/05/10 17:00:51
2
3 Modified: metadata.xml ChangeLog
4 Added: strongswan-4.4.0.ebuild
5 Log:
6 Version bump thanks to Matthias Dahl
7 (Portage version: 2.2_rc67/cvs/Linux x86_64)
8
9 Revision Changes Path
10 1.11 net-misc/strongswan/metadata.xml
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/metadata.xml?rev=1.11&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/metadata.xml?rev=1.11&content-type=text/plain
14 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/metadata.xml?r1=1.10&r2=1.11
15
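--- a/net-misc/strongswan/metadata.xml
+++ b/net-misc/strongswan/metadata.xml
@@ -23,15 +23,19 @@
 <flag name="cisco">
 Enable support for the Cisco VPN client.
 </flag>
+ <flag name="dhcp">
+ Enable server support for querying virtual IP addresses for clients
+ from a DHCP server. (IKEv2 only)
+ </flag>
+ <flag name="farp">
+ Enable faking of ARP responses for virtual IP addresses assigned to
+ clients. (IKEv2 only)
+ </flag>
 <flag name="gcrypt">
 Enable <pkg>dev-libs/libgcrypt</pkg> plugin which provides 3DES, AES,
 Blowfish, Camellia, CAST, DES, Serpent and Twofish ciphers along with
- MD4, MD5 and SHA1/2 hash algorithms, RSA and a software random number
- generator.
- </flag>
- <flag name="nat-transport">
- Enable potentially insecure NAT traversal for transport mode in IKEv1.
- Only enable if you really need this.
+ MD4, MD5 and SHA1/2 hash algorithms, RSA and DH groups 1,2,5,14-18 and
+ 22-24(4.4+). Also includes a software random number generator.
 </flag>
 <flag name="ikev1">
 Enable IKEv1 protocol (pluto daemon).
@@ -39,17 +43,22 @@
 <flag name="ikev2">
 Enable IKEv2 protocol (charon daemon).
 </flag>
- <flag name="openssl">
- Enable <pkg>dev-libs/openssl</pkg> plugin which is required for Elliptic
- Curve Cryptography (Diffie-Hellman groups 19-21, 25, 26) and ECDSA. Also
- provides 3DES, AES, Blowfish, Camellia, CAST, DES, IDEA and RC5 ciphers
- along with MD2, MD4, MD5 and SHA1/2 hash algorithms and RSA.
- <pkg>dev-libs/openssl</pkg> has to be compiled with USE="-bindist".
+ <flag name="nat-transport">
+ Enable potentially insecure NAT traversal for transport mode in IKEv1.
+ Only enable if you really need this.
 </flag>
 <flag name="non-root">
 Force IKEv1/IKEv2 daemons to normal user privileges. This might impose
 some restrictions mainly to the IKEv1 daemon. Disable only if you really
 require superuser privileges.
 </flag>
+ <flag name="openssl">
+ Enable <pkg>dev-libs/openssl</pkg> plugin which is required for Elliptic
+ Curve Cryptography (DH groups 19-21,25,26) and ECDSA. Also provides 3DES,
+ AES, Blowfish, Camellia, CAST, DES, IDEA and RC5 ciphers along with MD2,
+ MD4, MD5 and SHA1/2 hash algorithms, RSA and DH groups 1,2,5,14-18 and
+ 22-24(4.4+)
+ <pkg>dev-libs/openssl</pkg> has to be compiled with USE="-bindist".
+ </flag>
 </use>
 </pkgmetadata>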
79
80
81
82 1.83 net-misc/strongswan/ChangeLog
83
84 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.83&view=markup
85 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.83&content-type=text/plain
86 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?r1=1.82&r2=1.83
87
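--- a/net-misc/strongswan/ChangeLog
+++ b/net-misc/strongswan/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for net-misc/strongswan
 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.82 2010/04/02 15:39:54 yngwin Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.83 2010/05/10 17:00:51 hwoarang Exp $
+
+*strongswan-4.4.0 (10 May 2010)
+
+ 10 May 2010; Markos Chandras <hwoarang@g.o>
+ +strongswan-4.4.0.ebuild, metadata.xml:
+ Version bump thanks to Matthias Dahl <ua_bugz_gentoo@×××××××××××.de>
 
 *strongswan-4.3.6-r2 (02 Apr 2010)
 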
110
111
112
113 1.1 net-misc/strongswan/strongswan-4.4.0.ebuild
114
115 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/strongswan-4.4.0.ebuild?rev=1.1&view=markup
116 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/strongswan-4.4.0.ebuild?rev=1.1&content-type=text/plain
117
118 Index: strongswan-4.4.0.ebuild
119 ===================================================================
120 # Copyright 1999-2010 Gentoo Foundation
121 # Distributed under the terms of the GNU General Public License v2
122 # $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.4.0.ebuild,v 1.1 2010/05/10 17:00:51 hwoarang Exp $
123
124 EAPI=2
125 inherit eutils linux-info
126
# Package metadata consumed by Portage.
DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
# ${P} is name-version (here strongswan-4.4.0), matching upstream's release tarball naming.
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
SLOT="0"
KEYWORDS="~amd64 ~ppc ~sparc ~x86"
# A leading '+' marks a flag that is enabled by default: caps, ikev1, ikev2,
# non-root and openssl.  nat-transport stays off by default; pkg_setup warns
# that it is potentially insecure when a user turns it on.  dhcp and farp are
# new in this version (see metadata.xml for their descriptions).
IUSE="+caps cisco curl debug dhcp farp gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root +openssl smartcard sqlite"

# Dependencies shared by DEPEND and RDEPEND.  net-misc/openswan is blocked
# (cannot be installed alongside).  openssl must be built with USE=-bindist,
# as metadata.xml states for the openssl flag.
COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	smartcard? ( dev-libs/opensc )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )"
# Build-time only: kernel sources/headers, presumably for the kernel checks
# done through linux-info in pkg_setup - confirm.
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
# Run-time only: a syslog provider and iproute2.
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2"

# Name used for both the service user and group.  Created in pkg_setup under
# USE=non-root and used as owner of the configuration and /etc/ipsec.d in
# src_install.
UGID="ipsec"
154
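# Pre-build checks.
#
# - Dies unless the running kernel is >= 2.6.16, the native IPsec stack this
#   ebuild is written for.
# - Warns when the user enabled USE=nat-transport (IKEv1 transport-mode NAT
#   traversal, potentially insecure).
# - Lists optional features missing from kernels older than 2.6.34.
# - Creates the unprivileged service user/group under USE=non-root.
#
# Only the kernel version check is fatal; everything else is advisory.
pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	if ! kernel_is -ge 2 6 16; then
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
		die "Please install a recent 2.6 kernel."
	fi

	# nat-transport is off by default (see IUSE); if it was switched on, make
	# sure the user knows what it weakens.
	if use nat-transport; then
		ewarn
		ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
		ewarn "protocol. Please double check if you really require this feature"
		ewarn "as it is potentially insecure and usually only required in certain"
		ewarn "situations when interoperating with Windows using L2TP/IPsec."
		ewarn
	fi

	if kernel_is -lt 2 6 34; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn

		if kernel_is -lt 2 6 29; then
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		fi

		if kernel_is -lt 2 6 33; then
			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
			ewarn "miss SHA384 and SHA512 HMAC support altogether."
			ewarn
			ewarn "If you need any of those features, please use kernel >= 2.6.33."
			ewarn
		fi

		# We are already inside the "< 2.6.34" branch, so the AES-GMAC note
		# applies unconditionally here; the former nested kernel_is -lt 2 6 34
		# test could never be false.
		ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
		ewarn "ESP cipher is only included in kernels >= 2.6.34."
		ewarn
		ewarn "If you need it, please use kernel >= 2.6.34."
		ewarn
	fi

	# Dedicated service account, same name for user and group.  The -1
	# arguments select the eutils defaults (next free uid, non-login shell,
	# default home - see eutils.eclass to confirm).
	if use non-root; then
		enewgroup ${UGID}
		enewuser ${UGID} -1 -1 -1 ${UGID}
	fi
}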
213
# Run configure.
#
# Static libraries are always disabled, the SQL plugins are switched on
# whenever a database backend (mysql/sqlite) is selected, and under
# USE=non-root the service user/group is handed to configure so the daemons
# drop to that account.
src_configure() {
	local -a extra_args=()

	# Make the daemons run as the dedicated account instead of root.
	if use non-root; then
		extra_args+=( --with-user=${UGID} --with-group=${UGID} )
	fi

	# A database backend implies the SQL plugins: they bring no additional
	# dependencies and cost only a little space, so the user most likely
	# wants them as well.
	if use mysql || use sqlite; then
		extra_args+=( --enable-attr-sql --enable-sql )
	fi

	# Upstream builds and installs static libraries by default, but no headers
	# accompany them, so nothing can use them - disabling them is safe.
	# USE=debug maps to strongSwan's leak-detective; USE=nat-transport maps to
	# --enable-nat-transport (potentially insecure, see pkg_setup).
	econf \
		--disable-static \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable ldap) \
		$(use_enable smartcard) \
		$(use_enable cisco cisco-quirks) \
		$(use_enable debug leak-detective) \
		$(use_enable nat-transport) \
		$(use_enable openssl) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable sqlite) \
		$(use_enable ikev1 pluto) \
		$(use_enable ikev2 charon) \
		$(use_enable dhcp) \
		$(use_enable farp) \
		"${extra_args[@]}"
}
250
# Install into ${D}.
#
# Besides the upstream install target this adds the init script, hands the
# main configuration files to the service account under USE=non-root, creates
# the /etc/ipsec.d certificate/key hierarchy with mode 0750, installs the docs
# and strips libtool .la files.
src_install() {
	einstall || die "einstall failed"

	doinitd "${FILESDIR}"/ipsec

	# Owner of the configuration: the service account under USE=non-root,
	# root otherwise.  The three main config files are re-owned only in the
	# non-root case; their modes are whatever the install target produced.
	local cfg_owner=root
	if use non-root; then
		cfg_owner=${UGID}
		fowners ${UGID}:${UGID} \
			/etc/ipsec.conf \
			/etc/ipsec.secrets \
			/etc/strongswan.conf
	fi

	# Certificate and private-key store: 0750, owner and group only.
	local sub
	local -a store_dirs=( /etc/ipsec.d )
	for sub in aacerts acerts cacerts certs crls ocspcerts private reqs; do
		store_dirs+=( /etc/ipsec.d/${sub} )
	done
	diropts -m 0750 -o ${cfg_owner} -g ${cfg_owner}
	dodir "${store_dirs[@]}"

	dodoc CREDITS NEWS README TODO || die

	# The shared libraries are only used internally and no static archives
	# are shipped, so the libtool .la files serve no purpose.
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
285
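# Record, before the merge, what the previously installed version looked like
# so that pkg_postinst can decide which upgrade notes apply.
#
# Both variables are intentionally global (no 'local'): they are read by
# pkg_postinst.  Each holds 1 when the has_version query matched, 0 otherwise
# (has_version returns 0 on a match, hence the negation).
pkg_preinst() {
	# Any strongswan older than 4.3.6-r1 installed?  Those releases shipped
	# /etc/ipsec.d with looser permissions, which pkg_postinst tightens.
	has_version "<net-misc/strongswan-4.3.6-r1"
	upgrade_from_leq_4_3_6=$(( !$? ))

	# Was such an old version built WITH USE=caps?  pkg_postinst warns users
	# whose old build implicitly dropped root privileges via 'caps'.  The
	# previous query used [-caps], which matches builds with caps DISABLED -
	# the opposite of what the variable name and that warning describe.
	has_version "<net-misc/strongswan-4.3.6-r1[caps]"
	previous_4_3_6_with_caps=$(( !$? ))
}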
293
# Post-merge notes for the user.
#
# - Advises enabling a crypto plugin when neither openssl nor gcrypt is set.
# - When upgrading from a release before 4.3.6-r1 (flag set by pkg_preinst),
#   tightens the mode of the live /etc/ipsec.d hierarchy to 0750 and explains
#   the change in privilege handling of the 'caps' flag.
# - Warns when the daemons will run as root without capability dropping.
# - Explains the limitations of USE=non-root and points to the online docs.
pkg_postinst() {
	if ! use openssl; then
		elog
		if use gcrypt; then
			elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
			elog "availability and speed of some cryptographic features. There will be"
			elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
			elog "25, 26) and ECDSA."
		else
			elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
			elog "Please note that this might effect availability and speed of some"
			elog "cryptographic features. You are advised to enable the OpenSSL plugin."
		fi
	fi

	# upgrade_from_leq_4_3_6 / previous_4_3_6_with_caps are globals set by
	# pkg_preinst; both are empty (hence false here) if it did not run.
	if [[ ${upgrade_from_leq_4_3_6} == 1 ]]; then
		# Same directory set src_install creates; fix the modes on the live
		# system since older releases installed them more permissively.
		local sub
		local -a store_dirs=( "${ROOT}"/etc/ipsec.d )
		for sub in aacerts acerts cacerts certs crls ocspcerts private reqs; do
			store_dirs+=( "${ROOT}"/etc/ipsec.d/${sub} )
		done
		chmod 0750 "${store_dirs[@]}"

		ewarn
		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
		ewarn "security reasons. Your system installed directories have been"
		ewarn "updated accordingly. Please check if necessary."
		ewarn

		if [[ ${previous_4_3_6_with_caps} == 1 ]] && ! use non-root; then
			ewarn
			ewarn "IMPORTANT: You previously had ${PN} installed without root"
			ewarn "privileges because it was implied by the 'caps' USE flag."
			ewarn "This has been changed. If you want ${PN} with user privileges,"
			ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
			ewarn
		fi
	fi

	# Root daemons with no capability dropping at all: the least safe setup.
	if ! { use caps || use non-root; }; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi

	# NOTE(review): the sudoers example below lets the 'ipsec' user run the
	# whole /usr/sbin/ipsec wrapper as root, not only the _updown helper;
	# administrators may want to narrow the rule.  Text kept verbatim.
	if use non-root; then
		elog
		elog "${PN} has been installed without superuser privileges (USE=non-root)."
		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
		elog "but also a few to the IKEv2 daemon 'charon'."
		elog
		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
		elog
		elog "pluto uses a helper script by default to insert/remove routing and"
		elog "policy rules upon connection start/stop which requires superuser"
		elog "privileges. charon in contrast does this internally and can do so"
		elog "even with reduced (user) privileges."
		elog
		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
		elog "script to pluto or charon which requires superuser privileges, you"
		elog "can work around this limitation by using sudo to grant the"
		elog "user \"ipsec\" the appropriate rights."
		elog "For example (the default case):"
		elog "/etc/sudoers:"
		elog " Defaults:ipsec always_set_home,!env_reset"
		elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
		elog "Under the specific connection block in /etc/ipsec.conf:"
		elog " leftupdown=\"sudo ipsec _updown\""
		elog
	fi

	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog " http://wiki.strongswan.org/"
	elog
}