[gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/ - gentoo-commits

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/
Date:	Wed, 17 Oct 2018 10:05:43
Message-Id:	`1539770709.cd0b22894f6e7e2efaee62316991816f2a459040.whissi@gentoo`

1

commit:     cd0b22894f6e7e2efaee62316991816f2a459040

2

Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

3

AuthorDate: Wed Oct 17 10:03:47 2018 +0000

4

Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

5

CommitDate: Wed Oct 17 10:05:09 2018 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd0b2289

7

8

net-vpn/strongswan: bump to v5.7.1

9

10

Closes: https://bugs.gentoo.org/667696

11

Closes: https://bugs.gentoo.org/666014

12

Package-Manager: Portage-2.3.51, Repoman-2.3.11

13

Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

14

15

 net-vpn/strongswan/Manifest                |   1 +

16

 net-vpn/strongswan/strongswan-5.7.1.ebuild | 303 +++++++++++++++++++++++++++++

17

 2 files changed, 304 insertions(+)

18

19

diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest

20

index b0bda31db3f..dbe0b5b6b3d 100644

21

--- a/net-vpn/strongswan/Manifest

22

+++ b/net-vpn/strongswan/Manifest

23

@@ -2,3 +2,4 @@ DIST strongswan-5.5.3.tar.bz2 4768820 BLAKE2B 9f9da6c2ef27cec7f6a07f1cd5a7ecc8a9

24

 DIST strongswan-5.6.0.tar.bz2 4850722 BLAKE2B edb9f2b277cd8bccf886a824e4b3fb3c06af7510d9e21283fcb8d8ba9cf234f38182fcd1ca0c350b4039945ab10888406986d9a0b8edac24fe09faf0b8967fb2 SHA512 9362069a01c3642e62864d88fdb409a3c7514bf7c92cbe36e552c6a80915119cf5bb91c39592aab2d15b562684a0628a764e4fa7636d3b5fd2ebaf165c0ce649

25

 DIST strongswan-5.6.2.tar.bz2 4977859 BLAKE2B 83943ec95e6b95724e9fc130a09f7c7364147d0ce50528ac8b64452db53516b143e92c7dcb746c0c25aaac9182dda14d55e5c267fbdcd5bb9a63cbf48801274b SHA512 cf2d5cb6c45d991fe0ad8eed4ea8628f95a1871e9728ddf0985aa26e78d1e6da1c92c961772aafd3e55cfcfa84516204a15561389d373f78140f05607b248c52

26

 DIST strongswan-5.6.3.tar.bz2 4961579 BLAKE2B 177d9ca9a730c8ccb3293c9f1c1397429879177aef60c90a3561fffed64cd4fe18cdf1c74bd52956c576e061ce33935b7dc34864576edeac7d4824841b0ee3e0 SHA512 080402640952b1a08e95bfe9c7f33c6a7dd01ac401b5e7e2e78257c0f2bf0a4d6078141232ac62abfacef892c493f6824948b3165d54d72b4e436ed564fd2609

27

+DIST strongswan-5.7.1.tar.bz2 4967533 BLAKE2B e438d1b44a997eb0e012586b18604bd35ac6f53cce1c34ff89192a760bbd0d6a9aaa7b90b389ff1a5e7c6d2356ff5cc74b40daad1d6579fa5026f4878489bf66 SHA512 43102814434bee7c27a5956be59099cc4ffb9bb5b0d6382ce4c6a80d1d82ed6639f698f5f5544b9ca563554a344638c953525b0e2d39bc6b71b19055c80e07fc

28

29

diff --git a/net-vpn/strongswan/strongswan-5.7.1.ebuild b/net-vpn/strongswan/strongswan-5.7.1.ebuild

30

new file mode 100644

31

index 00000000000..17e1233b4cd

32

--- /dev/null

33

+++ b/net-vpn/strongswan/strongswan-5.7.1.ebuild

34

@@ -0,0 +1,303 @@

35

+# Copyright 1999-2018 Gentoo Authors

36

+# Distributed under the terms of the GNU General Public License v2

37

+

38

+EAPI="7"

39

+inherit linux-info systemd user

40

+

41

+DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"

42

+HOMEPAGE="https://www.strongswan.org/"

43

+SRC_URI="https://download.strongswan.org/${P}.tar.bz2"

44

+

45

+LICENSE="GPL-2 RSA DES"

46

+SLOT="0"

47

+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"

48

+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"

49

+

50

+STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"

51

+STRONGSWAN_PLUGINS_OPT="aesni blowfish ccm chapoly ctr forecast gcm ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist"

52

+for mod in $STRONGSWAN_PLUGINS_STD; do

53

+	IUSE="${IUSE} +strongswan_plugins_${mod}"

54

+done

55

+

56

+for mod in $STRONGSWAN_PLUGINS_OPT; do

57

+	IUSE="${IUSE} strongswan_plugins_${mod}"

58

+done

59

+

60

+COMMON_DEPEND="!net-misc/openswan

61

+	gmp? ( >=dev-libs/gmp-4.1.5:= )

62

+	gcrypt? ( dev-libs/libgcrypt:0 )

63

+	caps? ( sys-libs/libcap )

64

+	curl? ( net-misc/curl )

65

+	ldap? ( net-nds/openldap )

66

+	openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] )

67

+	mysql? ( dev-db/mysql-connector-c:= )

68

+	sqlite? ( >=dev-db/sqlite-3.3.1 )

69

+	systemd? ( sys-apps/systemd )

70

+	networkmanager? ( net-misc/networkmanager )

71

+	pam? ( sys-libs/pam )

72

+	strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns )"

73

+DEPEND="${COMMON_DEPEND}

74

+	virtual/linux-sources

75

+	sys-kernel/linux-headers"

76

+RDEPEND="${COMMON_DEPEND}

77

+	virtual/logger

78

+	sys-apps/iproute2

79

+	!net-vpn/libreswan

80

+	selinux? ( sec-policy/selinux-ipsec )"

81

+

82

+UGID="ipsec"

83

+

84

+pkg_setup() {

85

+	linux-info_pkg_setup

86

+

87

+	elog "Linux kernel version: ${KV_FULL}"

88

+

89

+	if ! kernel_is -ge 2 6 16; then

90

+		eerror

91

+		eerror "This ebuild currently only supports ${PN} with the"

92

+		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."

93

+		eerror

94

+	fi

95

+

96

+	if kernel_is -lt 2 6 34; then

97

+		ewarn

98

+		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."

99

+		ewarn

100

+

101

+		if kernel_is -lt 2 6 29; then

102

+			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"

103

+			ewarn "include all required IPv6 modules even if you just intend"

104

+			ewarn "to run on IPv4 only."

105

+			ewarn

106

+			ewarn "This has been fixed with kernels >= 2.6.29."

107

+			ewarn

108

+		fi

109

+

110

+		if kernel_is -lt 2 6 33; then

111

+			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"

112

+			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"

113

+			ewarn "miss SHA384 and SHA512 HMAC support altogether."

114

+			ewarn

115

+			ewarn "If you need any of those features, please use kernel >= 2.6.33."

116

+			ewarn

117

+		fi

118

+

119

+		if kernel_is -lt 2 6 34; then

120

+			ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"

121

+			ewarn "ESP cipher is only included in kernels >= 2.6.34."

122

+			ewarn

123

+			ewarn "If you need it, please use kernel >= 2.6.34."

124

+			ewarn

125

+		fi

126

+	fi

127

+

128

+	if use non-root; then

129

+		enewgroup ${UGID}

130

+		enewuser ${UGID} -1 -1 -1 ${UGID}

131

+	fi

132

+}

133

+

134

+src_configure() {

135

+	local myconf=""

136

+

137

+	if use non-root; then

138

+		myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"

139

+	fi

140

+

141

+	# If a user has already enabled db support, those plugins will

142

+	# most likely be desired as well. Besides they don't impose new

143

+	# dependencies and come at no cost (except for space).

144

+	if use mysql || use sqlite; then

145

+		myconf="${myconf} --enable-attr-sql --enable-sql"

146

+	fi

147

+

148

+	# strongSwan builds and installs static libs by default which are

149

+	# useless to the user (and to strongSwan for that matter) because no

150

+	# header files or alike get installed... so disabling them is safe.

151

+	if use pam && use eap; then

152

+		myconf="${myconf} --enable-eap-gtc"

153

+	else

154

+		myconf="${myconf} --disable-eap-gtc"

155

+	fi

156

+

157

+	for mod in $STRONGSWAN_PLUGINS_STD; do

158

+		if use strongswan_plugins_${mod}; then

159

+			myconf+=" --enable-${mod}"

160

+		fi

161

+	done

162

+

163

+	for mod in $STRONGSWAN_PLUGINS_OPT; do

164

+		if use strongswan_plugins_${mod}; then

165

+			myconf+=" --enable-${mod}"

166

+		fi

167

+	done

168

+

169

+	econf \

170

+		--disable-static \

171

+		--enable-ikev1 \

172

+		--enable-ikev2 \

173

+		--enable-swanctl \

174

+		--enable-socket-dynamic \

175

+		$(use_enable curl) \

176

+		$(use_enable constraints) \

177

+		$(use_enable ldap) \

178

+		$(use_enable debug leak-detective) \

179

+		$(use_enable dhcp) \

180

+		$(use_enable eap eap-sim) \

181

+		$(use_enable eap eap-sim-file) \

182

+		$(use_enable eap eap-simaka-sql) \

183

+		$(use_enable eap eap-simaka-pseudonym) \

184

+		$(use_enable eap eap-simaka-reauth) \

185

+		$(use_enable eap eap-identity) \

186

+		$(use_enable eap eap-md5) \

187

+		$(use_enable eap eap-aka) \

188

+		$(use_enable eap eap-aka-3gpp2) \

189

+		$(use_enable eap md4) \

190

+		$(use_enable eap eap-mschapv2) \

191

+		$(use_enable eap eap-radius) \

192

+		$(use_enable eap eap-tls) \

193

+		$(use_enable eap eap-ttls) \

194

+		$(use_enable eap xauth-eap) \

195

+		$(use_enable eap eap-dynamic) \

196

+		$(use_enable farp) \

197

+		$(use_enable gmp) \

198

+		$(use_enable gcrypt) \

199

+		$(use_enable mysql) \

200

+		$(use_enable networkmanager nm) \

201

+		$(use_enable openssl) \

202

+		$(use_enable pam xauth-pam) \

203

+		$(use_enable pkcs11) \

204

+		$(use_enable sqlite) \

205

+		$(use_enable systemd) \

206

+		$(use_with caps capabilities libcap) \

207

+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \

208

+		${myconf}

209

+}

210

+

211

+src_install() {

212

+	emake DESTDIR="${D}" install

213

+

214

+	doinitd "${FILESDIR}"/ipsec

215

+

216

+	local dir_ugid

217

+	if use non-root; then

218

+		fowners ${UGID}:${UGID} \

219

+			/etc/ipsec.conf \

220

+			/etc/strongswan.conf

221

+

222

+		dir_ugid="${UGID}"

223

+	else

224

+		dir_ugid="root"

225

+	fi

226

+

227

+	diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}

228

+	dodir /etc/ipsec.d \

229

+		/etc/ipsec.d/aacerts \

230

+		/etc/ipsec.d/acerts \

231

+		/etc/ipsec.d/cacerts \

232

+		/etc/ipsec.d/certs \

233

+		/etc/ipsec.d/crls \

234

+		/etc/ipsec.d/ocspcerts \

235

+		/etc/ipsec.d/private \

236

+		/etc/ipsec.d/reqs

237

+

238

+	dodoc NEWS README TODO || die

239

+

240

+	# shared libs are used only internally and there are no static libs,

241

+	# so it's safe to get rid of the .la files

242

+	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."

243

+}

244

+

245

+pkg_preinst() {

246

+	has_version "<net-vpn/strongswan-4.3.6-r1"

247

+	upgrade_from_leq_4_3_6=$(( !$? ))

248

+

249

+	has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"

250

+	previous_4_3_6_with_caps=$(( !$? ))

251

+}

252

+

253

+pkg_postinst() {

254

+	if ! use openssl && ! use gcrypt; then

255

+		elog

256

+		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."

257

+		elog "Please note that this might effect availability and speed of some"

258

+		elog "cryptographic features. You are advised to enable the OpenSSL plugin."

259

+	elif ! use openssl; then

260

+		elog

261

+		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"

262

+		elog "availability and speed of some cryptographic features. There will be"

263

+		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"

264

+		elog "25, 26) and ECDSA."

265

+	fi

266

+

267

+	if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then

268

+		chmod 0750 "${ROOT}"/etc/ipsec.d \

269

+			"${ROOT}"/etc/ipsec.d/aacerts \

270

+			"${ROOT}"/etc/ipsec.d/acerts \

271

+			"${ROOT}"/etc/ipsec.d/cacerts \

272

+			"${ROOT}"/etc/ipsec.d/certs \

273

+			"${ROOT}"/etc/ipsec.d/crls \

274

+			"${ROOT}"/etc/ipsec.d/ocspcerts \

275

+			"${ROOT}"/etc/ipsec.d/private \

276

+			"${ROOT}"/etc/ipsec.d/reqs

277

+

278

+		ewarn

279

+		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"

280

+		ewarn "security reasons. Your system installed directories have been"

281

+		ewarn "updated accordingly. Please check if necessary."

282

+		ewarn

283

+

284

+		if [[ $previous_4_3_6_with_caps == 1 ]]; then

285

+			if ! use non-root; then

286

+				ewarn

287

+				ewarn "IMPORTANT: You previously had ${PN} installed without root"

288

+				ewarn "privileges because it was implied by the 'caps' USE flag."

289

+				ewarn "This has been changed. If you want ${PN} with user privileges,"

290

+				ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."

291

+				ewarn

292

+			fi

293

+		fi

294

+	fi

295

+	if ! use caps && ! use non-root; then

296

+		ewarn

297

+		ewarn "You have decided to run ${PN} with root privileges and built it"

298

+		ewarn "without support for POSIX capability dropping. It is generally"

299

+		ewarn "strongly suggested that you reconsider- especially if you intend"

300

+		ewarn "to run ${PN} as server with a public ip address."

301

+		ewarn

302

+		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."

303

+		ewarn

304

+	fi

305

+	if use non-root; then

306

+		elog

307

+		elog "${PN} has been installed without superuser privileges (USE=non-root)."

308

+		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"

309

+		elog "but also a few to the IKEv2 daemon 'charon'."

310

+		elog

311

+		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"

312

+		elog

313

+		elog "pluto uses a helper script by default to insert/remove routing and"

314

+		elog "policy rules upon connection start/stop which requires superuser"

315

+		elog "privileges. charon in contrast does this internally and can do so"

316

+		elog "even with reduced (user) privileges."

317

+		elog

318

+		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"

319

+		elog "script to pluto or charon which requires superuser privileges, you"

320

+		elog "can work around this limitation by using sudo to grant the"

321

+		elog "user \"ipsec\" the appropriate rights."

322

+		elog "For example (the default case):"

323

+		elog "/etc/sudoers:"

324

+		elog "  ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"

325

+		elog "Under the specific connection block in /etc/ipsec.conf:"

326

+		elog "  leftupdown=\"sudo -E ipsec _updown iptables\""

327

+		elog

328

+	fi

329

+	elog

330

+	elog "Make sure you have _all_ required kernel modules available including"

331

+	elog "the appropriate cryptographic algorithms. A list is available at:"

332

+	elog "  http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"

333

+	elog

334

+	elog "The up-to-date manual is available online at:"

335

+	elog "  http://wiki.strongswan.org/"

336

+	elog

337

+}

1	commit: cd0b22894f6e7e2efaee62316991816f2a459040
2	Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3	AuthorDate: Wed Oct 17 10:03:47 2018 +0000
4	Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5	CommitDate: Wed Oct 17 10:05:09 2018 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd0b2289
7
8	net-vpn/strongswan: bump to v5.7.1
9
10	Closes: https://bugs.gentoo.org/667696
11	Closes: https://bugs.gentoo.org/666014
12	Package-Manager: Portage-2.3.51, Repoman-2.3.11
13	Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
14
15	net-vpn/strongswan/Manifest \| 1 +
16	net-vpn/strongswan/strongswan-5.7.1.ebuild \| 303 +++++++++++++++++++++++++++++
17	2 files changed, 304 insertions(+)
18
19	diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest
20	index b0bda31db3f..dbe0b5b6b3d 100644
21	--- a/net-vpn/strongswan/Manifest
22	+++ b/net-vpn/strongswan/Manifest
23	@@ -2,3 +2,4 @@ DIST strongswan-5.5.3.tar.bz2 4768820 BLAKE2B 9f9da6c2ef27cec7f6a07f1cd5a7ecc8a9
24	DIST strongswan-5.6.0.tar.bz2 4850722 BLAKE2B edb9f2b277cd8bccf886a824e4b3fb3c06af7510d9e21283fcb8d8ba9cf234f38182fcd1ca0c350b4039945ab10888406986d9a0b8edac24fe09faf0b8967fb2 SHA512 9362069a01c3642e62864d88fdb409a3c7514bf7c92cbe36e552c6a80915119cf5bb91c39592aab2d15b562684a0628a764e4fa7636d3b5fd2ebaf165c0ce649
25	DIST strongswan-5.6.2.tar.bz2 4977859 BLAKE2B 83943ec95e6b95724e9fc130a09f7c7364147d0ce50528ac8b64452db53516b143e92c7dcb746c0c25aaac9182dda14d55e5c267fbdcd5bb9a63cbf48801274b SHA512 cf2d5cb6c45d991fe0ad8eed4ea8628f95a1871e9728ddf0985aa26e78d1e6da1c92c961772aafd3e55cfcfa84516204a15561389d373f78140f05607b248c52
26	DIST strongswan-5.6.3.tar.bz2 4961579 BLAKE2B 177d9ca9a730c8ccb3293c9f1c1397429879177aef60c90a3561fffed64cd4fe18cdf1c74bd52956c576e061ce33935b7dc34864576edeac7d4824841b0ee3e0 SHA512 080402640952b1a08e95bfe9c7f33c6a7dd01ac401b5e7e2e78257c0f2bf0a4d6078141232ac62abfacef892c493f6824948b3165d54d72b4e436ed564fd2609
27	+DIST strongswan-5.7.1.tar.bz2 4967533 BLAKE2B e438d1b44a997eb0e012586b18604bd35ac6f53cce1c34ff89192a760bbd0d6a9aaa7b90b389ff1a5e7c6d2356ff5cc74b40daad1d6579fa5026f4878489bf66 SHA512 43102814434bee7c27a5956be59099cc4ffb9bb5b0d6382ce4c6a80d1d82ed6639f698f5f5544b9ca563554a344638c953525b0e2d39bc6b71b19055c80e07fc
28
29	diff --git a/net-vpn/strongswan/strongswan-5.7.1.ebuild b/net-vpn/strongswan/strongswan-5.7.1.ebuild
30	new file mode 100644
31	index 00000000000..17e1233b4cd
32	--- /dev/null
33	+++ b/net-vpn/strongswan/strongswan-5.7.1.ebuild
34	@@ -0,0 +1,303 @@
35	+# Copyright 1999-2018 Gentoo Authors
36	+# Distributed under the terms of the GNU General Public License v2
37	+
38	+EAPI="7"
39	+inherit linux-info systemd user
40	+
41	+DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"
42	+HOMEPAGE="https://www.strongswan.org/"
43	+SRC_URI="https://download.strongswan.org/${P}.tar.bz2"
44	+
45	+LICENSE="GPL-2 RSA DES"
46	+SLOT="0"
47	+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
48	+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"
49	+
50	+STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
51	+STRONGSWAN_PLUGINS_OPT="aesni blowfish ccm chapoly ctr forecast gcm ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist"
52	+for mod in $STRONGSWAN_PLUGINS_STD; do
53	+ IUSE="${IUSE} +strongswan_plugins_${mod}"
54	+done
55	+
56	+for mod in $STRONGSWAN_PLUGINS_OPT; do
57	+ IUSE="${IUSE} strongswan_plugins_${mod}"
58	+done
59	+
60	+COMMON_DEPEND="!net-misc/openswan
61	+ gmp? ( >=dev-libs/gmp-4.1.5:= )
62	+ gcrypt? ( dev-libs/libgcrypt:0 )
63	+ caps? ( sys-libs/libcap )
64	+ curl? ( net-misc/curl )
65	+ ldap? ( net-nds/openldap )
66	+ openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] )
67	+ mysql? ( dev-db/mysql-connector-c:= )
68	+ sqlite? ( >=dev-db/sqlite-3.3.1 )
69	+ systemd? ( sys-apps/systemd )
70	+ networkmanager? ( net-misc/networkmanager )
71	+ pam? ( sys-libs/pam )
72	+ strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns )"
73	+DEPEND="${COMMON_DEPEND}
74	+ virtual/linux-sources
75	+ sys-kernel/linux-headers"
76	+RDEPEND="${COMMON_DEPEND}
77	+ virtual/logger
78	+ sys-apps/iproute2
79	+ !net-vpn/libreswan
80	+ selinux? ( sec-policy/selinux-ipsec )"
81	+
82	+UGID="ipsec"
83	+
84	+pkg_setup() {
85	+ linux-info_pkg_setup
86	+
87	+ elog "Linux kernel version: ${KV_FULL}"
88	+
89	+ if ! kernel_is -ge 2 6 16; then
90	+ eerror
91	+ eerror "This ebuild currently only supports ${PN} with the"
92	+ eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
93	+ eerror
94	+ fi
95	+
96	+ if kernel_is -lt 2 6 34; then
97	+ ewarn
98	+ ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
99	+ ewarn
100	+
101	+ if kernel_is -lt 2 6 29; then
102	+ ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
103	+ ewarn "include all required IPv6 modules even if you just intend"
104	+ ewarn "to run on IPv4 only."
105	+ ewarn
106	+ ewarn "This has been fixed with kernels >= 2.6.29."
107	+ ewarn
108	+ fi
109	+
110	+ if kernel_is -lt 2 6 33; then
111	+ ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
112	+ ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
113	+ ewarn "miss SHA384 and SHA512 HMAC support altogether."
114	+ ewarn
115	+ ewarn "If you need any of those features, please use kernel >= 2.6.33."
116	+ ewarn
117	+ fi
118	+
119	+ if kernel_is -lt 2 6 34; then
120	+ ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
121	+ ewarn "ESP cipher is only included in kernels >= 2.6.34."
122	+ ewarn
123	+ ewarn "If you need it, please use kernel >= 2.6.34."
124	+ ewarn
125	+ fi
126	+ fi
127	+
128	+ if use non-root; then
129	+ enewgroup ${UGID}
130	+ enewuser ${UGID} -1 -1 -1 ${UGID}
131	+ fi
132	+}
133	+
134	+src_configure() {
135	+ local myconf=""
136	+
137	+ if use non-root; then
138	+ myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
139	+ fi
140	+
141	+ # If a user has already enabled db support, those plugins will
142	+ # most likely be desired as well. Besides they don't impose new
143	+ # dependencies and come at no cost (except for space).
144	+ if use mysql \|\| use sqlite; then
145	+ myconf="${myconf} --enable-attr-sql --enable-sql"
146	+ fi
147	+
148	+ # strongSwan builds and installs static libs by default which are
149	+ # useless to the user (and to strongSwan for that matter) because no
150	+ # header files or alike get installed... so disabling them is safe.
151	+ if use pam && use eap; then
152	+ myconf="${myconf} --enable-eap-gtc"
153	+ else
154	+ myconf="${myconf} --disable-eap-gtc"
155	+ fi
156	+
157	+ for mod in $STRONGSWAN_PLUGINS_STD; do
158	+ if use strongswan_plugins_${mod}; then
159	+ myconf+=" --enable-${mod}"
160	+ fi
161	+ done
162	+
163	+ for mod in $STRONGSWAN_PLUGINS_OPT; do
164	+ if use strongswan_plugins_${mod}; then
165	+ myconf+=" --enable-${mod}"
166	+ fi
167	+ done
168	+
169	+ econf \
170	+ --disable-static \
171	+ --enable-ikev1 \
172	+ --enable-ikev2 \
173	+ --enable-swanctl \
174	+ --enable-socket-dynamic \
175	+ $(use_enable curl) \
176	+ $(use_enable constraints) \
177	+ $(use_enable ldap) \
178	+ $(use_enable debug leak-detective) \
179	+ $(use_enable dhcp) \
180	+ $(use_enable eap eap-sim) \
181	+ $(use_enable eap eap-sim-file) \
182	+ $(use_enable eap eap-simaka-sql) \
183	+ $(use_enable eap eap-simaka-pseudonym) \
184	+ $(use_enable eap eap-simaka-reauth) \
185	+ $(use_enable eap eap-identity) \
186	+ $(use_enable eap eap-md5) \
187	+ $(use_enable eap eap-aka) \
188	+ $(use_enable eap eap-aka-3gpp2) \
189	+ $(use_enable eap md4) \
190	+ $(use_enable eap eap-mschapv2) \
191	+ $(use_enable eap eap-radius) \
192	+ $(use_enable eap eap-tls) \
193	+ $(use_enable eap eap-ttls) \
194	+ $(use_enable eap xauth-eap) \
195	+ $(use_enable eap eap-dynamic) \
196	+ $(use_enable farp) \
197	+ $(use_enable gmp) \
198	+ $(use_enable gcrypt) \
199	+ $(use_enable mysql) \
200	+ $(use_enable networkmanager nm) \
201	+ $(use_enable openssl) \
202	+ $(use_enable pam xauth-pam) \
203	+ $(use_enable pkcs11) \
204	+ $(use_enable sqlite) \
205	+ $(use_enable systemd) \
206	+ $(use_with caps capabilities libcap) \
207	+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
208	+ ${myconf}
209	+}
210	+
211	+src_install() {
212	+ emake DESTDIR="${D}" install
213	+
214	+ doinitd "${FILESDIR}"/ipsec
215	+
216	+ local dir_ugid
217	+ if use non-root; then
218	+ fowners ${UGID}:${UGID} \
219	+ /etc/ipsec.conf \
220	+ /etc/strongswan.conf
221	+
222	+ dir_ugid="${UGID}"
223	+ else
224	+ dir_ugid="root"
225	+ fi
226	+
227	+ diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
228	+ dodir /etc/ipsec.d \
229	+ /etc/ipsec.d/aacerts \
230	+ /etc/ipsec.d/acerts \
231	+ /etc/ipsec.d/cacerts \
232	+ /etc/ipsec.d/certs \
233	+ /etc/ipsec.d/crls \
234	+ /etc/ipsec.d/ocspcerts \
235	+ /etc/ipsec.d/private \
236	+ /etc/ipsec.d/reqs
237	+
238	+ dodoc NEWS README TODO \|\| die
239	+
240	+ # shared libs are used only internally and there are no static libs,
241	+ # so it's safe to get rid of the .la files
242	+ find "${D}" -name '*.la' -delete \|\| die "Failed to remove .la files."
243	+}
244	+
245	+pkg_preinst() {
246	+ has_version "<net-vpn/strongswan-4.3.6-r1"
247	+ upgrade_from_leq_4_3_6=$(( !$? ))
248	+
249	+ has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
250	+ previous_4_3_6_with_caps=$(( !$? ))
251	+}
252	+
253	+pkg_postinst() {
254	+ if ! use openssl && ! use gcrypt; then
255	+ elog
256	+ elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
257	+ elog "Please note that this might effect availability and speed of some"
258	+ elog "cryptographic features. You are advised to enable the OpenSSL plugin."
259	+ elif ! use openssl; then
260	+ elog
261	+ elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
262	+ elog "availability and speed of some cryptographic features. There will be"
263	+ elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
264	+ elog "25, 26) and ECDSA."
265	+ fi
266	+
267	+ if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
268	+ chmod 0750 "${ROOT}"/etc/ipsec.d \
269	+ "${ROOT}"/etc/ipsec.d/aacerts \
270	+ "${ROOT}"/etc/ipsec.d/acerts \
271	+ "${ROOT}"/etc/ipsec.d/cacerts \
272	+ "${ROOT}"/etc/ipsec.d/certs \
273	+ "${ROOT}"/etc/ipsec.d/crls \
274	+ "${ROOT}"/etc/ipsec.d/ocspcerts \
275	+ "${ROOT}"/etc/ipsec.d/private \
276	+ "${ROOT}"/etc/ipsec.d/reqs
277	+
278	+ ewarn
279	+ ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
280	+ ewarn "security reasons. Your system installed directories have been"
281	+ ewarn "updated accordingly. Please check if necessary."
282	+ ewarn
283	+
284	+ if [[ $previous_4_3_6_with_caps == 1 ]]; then
285	+ if ! use non-root; then
286	+ ewarn
287	+ ewarn "IMPORTANT: You previously had ${PN} installed without root"
288	+ ewarn "privileges because it was implied by the 'caps' USE flag."
289	+ ewarn "This has been changed. If you want ${PN} with user privileges,"
290	+ ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
291	+ ewarn
292	+ fi
293	+ fi
294	+ fi
295	+ if ! use caps && ! use non-root; then
296	+ ewarn
297	+ ewarn "You have decided to run ${PN} with root privileges and built it"
298	+ ewarn "without support for POSIX capability dropping. It is generally"
299	+ ewarn "strongly suggested that you reconsider- especially if you intend"
300	+ ewarn "to run ${PN} as server with a public ip address."
301	+ ewarn
302	+ ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
303	+ ewarn
304	+ fi
305	+ if use non-root; then
306	+ elog
307	+ elog "${PN} has been installed without superuser privileges (USE=non-root)."
308	+ elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
309	+ elog "but also a few to the IKEv2 daemon 'charon'."
310	+ elog
311	+ elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
312	+ elog
313	+ elog "pluto uses a helper script by default to insert/remove routing and"
314	+ elog "policy rules upon connection start/stop which requires superuser"
315	+ elog "privileges. charon in contrast does this internally and can do so"
316	+ elog "even with reduced (user) privileges."
317	+ elog
318	+ elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
319	+ elog "script to pluto or charon which requires superuser privileges, you"
320	+ elog "can work around this limitation by using sudo to grant the"
321	+ elog "user \"ipsec\" the appropriate rights."
322	+ elog "For example (the default case):"
323	+ elog "/etc/sudoers:"
324	+ elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
325	+ elog "Under the specific connection block in /etc/ipsec.conf:"
326	+ elog " leftupdown=\"sudo -E ipsec _updown iptables\""
327	+ elog
328	+ fi
329	+ elog
330	+ elog "Make sure you have _all_ required kernel modules available including"
331	+ elog "the appropriate cryptographic algorithms. A list is available at:"
332	+ elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
333	+ elog
334	+ elog "The up-to-date manual is available online at:"
335	+ elog " http://wiki.strongswan.org/"
336	+ elog
337	+}

Gentoo Archives: gentoo-commits