[gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/ - gentoo-commits

From:	Florian Schmaus <flow@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/
Date:	Fri, 06 May 2022 10:05:02
Message-Id:	`1651831492.6267dad0302a290cb09e84ffa62f023343362a9b.flow@gentoo`

1

commit:     6267dad0302a290cb09e84ffa62f023343362a9b

2

Author:     Philipp Rösner <rndxelement <AT> protonmail <DOT> com>

3

AuthorDate: Wed May  4 20:50:30 2022 +0000

4

Commit:     Florian Schmaus <flow <AT> gentoo <DOT> org>

5

CommitDate: Fri May  6 10:04:52 2022 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6267dad0

7

8

net-vpn/strongswan: add 5.9.6

9

10

Add support for the plugins addrblock, error-notify, kdf and prf-plus.

11

12

Signed-off-by: Philipp Rösner <rndxelement <AT> protonmail.com>

13

Closes: https://github.com/gentoo/gentoo/pull/25329

14

Signed-off-by: Florian Schmaus <flow <AT> gentoo.org>

15

16

 net-vpn/strongswan/Manifest                |   1 +

17

 net-vpn/strongswan/metadata.xml            |   4 +

18

 net-vpn/strongswan/strongswan-5.9.6.ebuild | 306 +++++++++++++++++++++++++++++

19

 3 files changed, 311 insertions(+)

20

21

diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest

22

index 45ddfeb7608e..5bf87feeb4b9 100644

23

--- a/net-vpn/strongswan/Manifest

24

+++ b/net-vpn/strongswan/Manifest

25

@@ -1,3 +1,4 @@

26

 DIST strongswan-5.9.2.tar.bz2 4607281 BLAKE2B 84f5457bc970f49c9bc99d0ef41182d815e39b8a88be349ad0a78b531a983d3b3919d5c9f3b97793b0b2569f2c6b151cc3b5d9b145a8bfd663db6f79d8ff3dd6 SHA512 dca30b9be7847e0af59d1526c2e38d440b6729055cb3f0f0637d50d7381df465c7b59e79662efe63870a7a5a44eef696c02231274d2764f9e3c430ce2fd694f6

27

 DIST strongswan-5.9.4.tar.bz2 4651000 BLAKE2B 071a0a0a144b369a7e4069d92340cecca9eef0c004949d91993c8f1cc0f39f7868749020d6e135fa59d5899d146f39172f87eb32a26ad788cb8a4c160597e328 SHA512 796356c1d5c1ad410f0ed944ab4a131076d26f120ec6fa57796fe4060b0741201199625883ddc9ebd8a7ad299495f073cec76a6780ebd8f375605aae16750cf3

28

 DIST strongswan-5.9.5.tar.bz2 4722123 BLAKE2B 8b3adc44d5f5eb3824845ce9eda75e7b75f0f7394fbe84f827f4a8177e5299ca7170103ee6cd76e1e18aef85d7f124a43a505ceaf41ec4ed575eb214ebb6af21 SHA512 3b11c4edb1ffccf0ea5b8b843acfe2eb18dcd3857fc2818b8481c4febe7959261e1b2804c3af29068319df469fa0b784682d3ba4d49a3eb580841ff3c34e33a1

29

+DIST strongswan-5.9.6.tar.bz2 4750894 BLAKE2B 4021a10611e66f9e2e4e432bdfb9de0f94d27ba1be1b7d4e4b8bf3cd797c123658993e60eb3d49c424b479558e9581bb069a345a70f55850d1faf5abaa401246 SHA512 8efb7a55b074485b874e941e42462e97a404b4f84e2f90ed18ef66274731b22d167a571f6fd028dccc1f199f2e591c82616d0a832a5084e1981c6b867fe5bb6a

30

31

diff --git a/net-vpn/strongswan/metadata.xml b/net-vpn/strongswan/metadata.xml

32

index 0198dd1c8ac4..895902c71494 100644

33

--- a/net-vpn/strongswan/metadata.xml

34

+++ b/net-vpn/strongswan/metadata.xml

35

@@ -30,6 +30,7 @@

36

 		<flag name="non-root">Force IKEv1/IKEv2 daemons to normal user privileges. This might impose some restrictions mainly to the IKEv1 daemon. Disable only if you really require superuser privileges.</flag>

37

 		<flag name="openssl">Enable <pkg>dev-libs/openssl</pkg> plugin which is required for Elliptic Curve Cryptography (DH groups 19-21,25,26) and ECDSA. Also provides 3DES, AES, Blowfish, Camellia, CAST, DES, IDEA and RC5 ciphers along with MD2, MD4, MD5 and SHA1/2 hash algorithms, RSA and DH groups 1,2,5,14-18 and 22-24(4.4+) <pkg>dev-libs/openssl</pkg> has to be compiled with USE="-bindist".</flag>

38

 		<flag name="pkcs11">Enable pkcs11 support</flag>

39

+		<flag name="strongswan_plugins_addrblock">Enable support for the addrblock crypto plugin</flag>

40

 		<flag name="strongswan_plugins_aesni">Enable support for Intel AES-NI crypto plugin</flag>

41

 		<flag name="strongswan_plugins_bypass-lan">Enable support for the bypass-lan plugin</flag>

42

 		<flag name="strongswan_plugins_chapoly">Enable ChaCha20/Poly1305 AEAD implementation and ChaCha20 XOF plugin</flag>

43

@@ -42,12 +43,15 @@

44

 		<flag name="strongswan_plugins_blowfish">Enable support for the blowfish plugin</flag>

45

 		<flag name="strongswan_plugins_ccm">Enable support for the ccm plugin</flag>

46

 		<flag name="strongswan_plugins_ctr">Enable support for the ctr plugin</flag>

47

+		<flag name="strongswan_plugins_error-notify">Enable support for the error-notify plugin</flag>

48

 		<flag name="strongswan_plugins_gcm">Enable support for the gcm plugin</flag>

49

 		<flag name="strongswan_plugins_ha">Enable support for the ha plugin</flag>

50

 		<flag name="strongswan_plugins_ipseckey">Enable support for the ipseckey plugin</flag>

51

+		<flag name="strongswan_plugins_kdf">Enable support for the kdf plugin</flag>

52

 		<flag name="strongswan_plugins_newhope">Enable plugin that allows key exchange based on post-quantum computer New Hope algorithm</flag>

53

 		<flag name="strongswan_plugins_ntru">Enable support for the ntru plugin</flag>

54

 		<flag name="strongswan_plugins_padlock">Enable support for the padlock plugin</flag>

55

+		<flag name="strongswan_plugins_prf-plus">Enable support for the prf-plus plugin</flag>

56

 		<flag name="strongswan_plugins_rdrand">Enable support for the rdrand plugin</flag>

57

 		<flag name="strongswan_plugins_save-keys">Enable plugin that saves IKE and/or ESP keys to files compatible with Wireshark (for debugging)</flag>

58

 		<flag name="strongswan_plugins_unbound">Enable support for the unbound plugin</flag>

59

60

diff --git a/net-vpn/strongswan/strongswan-5.9.6.ebuild b/net-vpn/strongswan/strongswan-5.9.6.ebuild

61

new file mode 100644

62

index 000000000000..62c1b708ab44

63

--- /dev/null

64

+++ b/net-vpn/strongswan/strongswan-5.9.6.ebuild

65

@@ -0,0 +1,306 @@

66

+# Copyright 1999-2022 Gentoo Authors

67

+# Distributed under the terms of the GNU General Public License v2

68

+

69

+EAPI="8"

70

+inherit linux-info systemd

71

+

72

+DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"

73

+HOMEPAGE="https://www.strongswan.org/"

74

+SRC_URI="https://download.strongswan.org/${P}.tar.bz2"

75

+

76

+LICENSE="GPL-2 RSA DES"

77

+SLOT="0"

78

+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86"

79

+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"

80

+

81

+STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"

82

+STRONGSWAN_PLUGINS_OPT="addrblock aesni blowfish bypass-lan ccm chapoly ctr error-notify forecast gcm

83

+ha ipseckey kdf newhope ntru padlock prf-plus rdrand save-keys unbound whitelist

84

+xauth-noauth"

85

+for mod in $STRONGSWAN_PLUGINS_STD; do

86

+	IUSE="${IUSE} +strongswan_plugins_${mod}"

87

+done

88

+

89

+for mod in $STRONGSWAN_PLUGINS_OPT; do

90

+	IUSE="${IUSE} strongswan_plugins_${mod}"

91

+done

92

+

93

+COMMON_DEPEND="non-root? (

94

+		acct-user/ipsec

95

+		acct-group/ipsec

96

+	)

97

+	gmp? ( >=dev-libs/gmp-4.1.5:= )

98

+	gcrypt? ( dev-libs/libgcrypt:= )

99

+	caps? ( sys-libs/libcap )

100

+	curl? ( net-misc/curl )

101

+	ldap? ( net-nds/openldap:= )

102

+	openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] )

103

+	mysql? ( dev-db/mysql-connector-c:= )

104

+	sqlite? ( >=dev-db/sqlite-3.3.1 )

105

+	systemd? ( sys-apps/systemd )

106

+	networkmanager? ( net-misc/networkmanager )

107

+	pam? ( sys-libs/pam )

108

+	strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns )"

109

+

110

+DEPEND="${COMMON_DEPEND}

111

+	virtual/linux-sources

112

+	sys-kernel/linux-headers"

113

+

114

+RDEPEND="${COMMON_DEPEND}

115

+	virtual/logger

116

+	sys-apps/iproute2

117

+	!net-vpn/libreswan

118

+	selinux? ( sec-policy/selinux-ipsec )"

119

+

120

+UGID="ipsec"

121

+

122

+pkg_setup() {

123

+	linux-info_pkg_setup

124

+

125

+	elog "Linux kernel version: ${KV_FULL}"

126

+

127

+	if ! kernel_is -ge 2 6 16; then

128

+		eerror

129

+		eerror "This ebuild currently only supports ${PN} with the"

130

+		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."

131

+		eerror

132

+	fi

133

+

134

+	if kernel_is -lt 2 6 34; then

135

+		ewarn

136

+		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."

137

+		ewarn

138

+

139

+		if kernel_is -lt 2 6 29; then

140

+			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"

141

+			ewarn "include all required IPv6 modules even if you just intend"

142

+			ewarn "to run on IPv4 only."

143

+			ewarn

144

+			ewarn "This has been fixed with kernels >= 2.6.29."

145

+			ewarn

146

+		fi

147

+

148

+		if kernel_is -lt 2 6 33; then

149

+			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"

150

+			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"

151

+			ewarn "miss SHA384 and SHA512 HMAC support altogether."

152

+			ewarn

153

+			ewarn "If you need any of those features, please use kernel >= 2.6.33."

154

+			ewarn

155

+		fi

156

+

157

+		if kernel_is -lt 2 6 34; then

158

+			ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"

159

+			ewarn "ESP cipher is only included in kernels >= 2.6.34."

160

+			ewarn

161

+			ewarn "If you need it, please use kernel >= 2.6.34."

162

+			ewarn

163

+		fi

164

+	fi

165

+}

166

+

167

+src_configure() {

168

+	local myconf=""

169

+

170

+	if use non-root; then

171

+		myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"

172

+	fi

173

+

174

+	# If a user has already enabled db support, those plugins will

175

+	# most likely be desired as well. Besides they don't impose new

176

+	# dependencies and come at no cost (except for space).

177

+	if use mysql || use sqlite; then

178

+		myconf="${myconf} --enable-attr-sql --enable-sql"

179

+	fi

180

+

181

+	# strongSwan builds and installs static libs by default which are

182

+	# useless to the user (and to strongSwan for that matter) because no

183

+	# header files or alike get installed... so disabling them is safe.

184

+	if use pam && use eap; then

185

+		myconf="${myconf} --enable-eap-gtc"

186

+	else

187

+		myconf="${myconf} --disable-eap-gtc"

188

+	fi

189

+

190

+	for mod in $STRONGSWAN_PLUGINS_STD; do

191

+		if use strongswan_plugins_${mod}; then

192

+			myconf+=" --enable-${mod}"

193

+		fi

194

+	done

195

+

196

+	for mod in $STRONGSWAN_PLUGINS_OPT; do

197

+		if use strongswan_plugins_${mod}; then

198

+			myconf+=" --enable-${mod}"

199

+		fi

200

+	done

201

+

202

+	econf \

203

+		--disable-static \

204

+		--enable-ikev1 \

205

+		--enable-ikev2 \

206

+		--enable-swanctl \

207

+		--enable-socket-dynamic \

208

+		--enable-cmd \

209

+		$(use_enable curl) \

210

+		$(use_enable constraints) \

211

+		$(use_enable ldap) \

212

+		$(use_enable debug leak-detective) \

213

+		$(use_enable dhcp) \

214

+		$(use_enable eap eap-sim) \

215

+		$(use_enable eap eap-sim-file) \

216

+		$(use_enable eap eap-simaka-sql) \

217

+		$(use_enable eap eap-simaka-pseudonym) \

218

+		$(use_enable eap eap-simaka-reauth) \

219

+		$(use_enable eap eap-identity) \

220

+		$(use_enable eap eap-md5) \

221

+		$(use_enable eap eap-aka) \

222

+		$(use_enable eap eap-aka-3gpp2) \

223

+		$(use_enable eap md4) \

224

+		$(use_enable eap eap-mschapv2) \

225

+		$(use_enable eap eap-radius) \

226

+		$(use_enable eap eap-tls) \

227

+		$(use_enable eap eap-ttls) \

228

+		$(use_enable eap xauth-eap) \

229

+		$(use_enable eap eap-dynamic) \

230

+		$(use_enable farp) \

231

+		$(use_enable gmp) \

232

+		$(use_enable gcrypt) \

233

+		$(use_enable mysql) \

234

+		$(use_enable networkmanager nm) \

235

+		$(use_enable openssl) \

236

+		$(use_enable pam xauth-pam) \

237

+		$(use_enable pkcs11) \

238

+		$(use_enable sqlite) \

239

+		$(use_enable systemd) \

240

+		$(use_with caps capabilities libcap) \

241

+		--with-piddir=/run \

242

+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \

243

+		${myconf}

244

+}

245

+

246

+src_install() {

247

+	emake DESTDIR="${D}" install

248

+

249

+	if ! use systemd; then

250

+		rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib."

251

+	fi

252

+

253

+	doinitd "${FILESDIR}"/ipsec

254

+

255

+	local dir_ugid

256

+	if use non-root; then

257

+		fowners ${UGID}:${UGID} \

258

+			/etc/ipsec.conf \

259

+			/etc/strongswan.conf

260

+

261

+		dir_ugid="${UGID}"

262

+	else

263

+		dir_ugid="root"

264

+	fi

265

+

266

+	diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}

267

+	dodir /etc/ipsec.d \

268

+		/etc/ipsec.d/aacerts \

269

+		/etc/ipsec.d/acerts \

270

+		/etc/ipsec.d/cacerts \

271

+		/etc/ipsec.d/certs \

272

+		/etc/ipsec.d/crls \

273

+		/etc/ipsec.d/ocspcerts \

274

+		/etc/ipsec.d/private \

275

+		/etc/ipsec.d/reqs

276

+

277

+	dodoc NEWS README TODO

278

+

279

+	# shared libs are used only internally and there are no static libs,

280

+	# so it's safe to get rid of the .la files

281

+	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."

282

+}

283

+

284

+pkg_preinst() {

285

+	has_version "<net-vpn/strongswan-4.3.6-r1"

286

+	upgrade_from_leq_4_3_6=$(( !$? ))

287

+

288

+	has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"

289

+	previous_4_3_6_with_caps=$(( !$? ))

290

+}

291

+

292

+pkg_postinst() {

293

+	if ! use openssl && ! use gcrypt; then

294

+		elog

295

+		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."

296

+		elog "Please note that this might effect availability and speed of some"

297

+		elog "cryptographic features. You are advised to enable the OpenSSL plugin."

298

+	elif ! use openssl; then

299

+		elog

300

+		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"

301

+		elog "availability and speed of some cryptographic features. There will be"

302

+		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"

303

+		elog "25, 26) and ECDSA."

304

+	fi

305

+

306

+	if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then

307

+		chmod 0750 "${ROOT}"/etc/ipsec.d \

308

+			"${ROOT}"/etc/ipsec.d/aacerts \

309

+			"${ROOT}"/etc/ipsec.d/acerts \

310

+			"${ROOT}"/etc/ipsec.d/cacerts \

311

+			"${ROOT}"/etc/ipsec.d/certs \

312

+			"${ROOT}"/etc/ipsec.d/crls \

313

+			"${ROOT}"/etc/ipsec.d/ocspcerts \

314

+			"${ROOT}"/etc/ipsec.d/private \

315

+			"${ROOT}"/etc/ipsec.d/reqs

316

+

317

+		ewarn

318

+		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"

319

+		ewarn "security reasons. Your system installed directories have been"

320

+		ewarn "updated accordingly. Please check if necessary."

321

+		ewarn

322

+

323

+		if [[ $previous_4_3_6_with_caps == 1 ]]; then

324

+			if ! use non-root; then

325

+				ewarn

326

+				ewarn "IMPORTANT: You previously had ${PN} installed without root"

327

+				ewarn "privileges because it was implied by the 'caps' USE flag."

328

+				ewarn "This has been changed. If you want ${PN} with user privileges,"

329

+				ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."

330

+				ewarn

331

+			fi

332

+		fi

333

+	fi

334

+	if ! use caps && ! use non-root; then

335

+		ewarn

336

+		ewarn "You have decided to run ${PN} with root privileges and built it"

337

+		ewarn "without support for POSIX capability dropping. It is generally"

338

+		ewarn "strongly suggested that you reconsider- especially if you intend"

339

+		ewarn "to run ${PN} as server with a public ip address."

340

+		ewarn

341

+		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."

342

+		ewarn

343

+	fi

344

+	if use non-root; then

345

+		elog

346

+		elog "${PN} has been installed without superuser privileges (USE=non-root)."

347

+		elog "This imposes a few limitations mainly to the daemon 'charon' in"

348

+		elog "regards of the use of iptables."

349

+		elog

350

+		elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges"

351

+		elog

352

+		elog "Thus if you require to specify a custom updown"

353

+		elog "script to charon which requires superuser privileges, you"

354

+		elog "can work around this limitation by using sudo to grant the"

355

+		elog "user \"ipsec\" the appropriate rights."

356

+		elog "For example (the default case):"

357

+		elog "/etc/sudoers:"

358

+		elog "  ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"

359

+		elog "Under the specific connection block in /etc/ipsec.conf:"

360

+		elog "  leftupdown=\"sudo -E ipsec _updown iptables\""

361

+		elog

362

+	fi

363

+	elog

364

+	elog "Make sure you have _all_ required kernel modules available including"

365

+	elog "the appropriate cryptographic algorithms. A list is available at:"

366

+	elog "  https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"

367

+	elog

368

+	elog "The up-to-date manual is available online at:"

369

+	elog "  https://wiki.strongswan.org/"

370

+	elog

371

+}

1	commit: 6267dad0302a290cb09e84ffa62f023343362a9b
2	Author: Philipp Rösner <rndxelement <AT> protonmail <DOT> com>
3	AuthorDate: Wed May 4 20:50:30 2022 +0000
4	Commit: Florian Schmaus <flow <AT> gentoo <DOT> org>
5	CommitDate: Fri May 6 10:04:52 2022 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6267dad0
7
8	net-vpn/strongswan: add 5.9.6
9
10	Add support for the plugins addrblock, error-notify, kdf and prf-plus.
11
12	Signed-off-by: Philipp Rösner <rndxelement <AT> protonmail.com>
13	Closes: https://github.com/gentoo/gentoo/pull/25329
14	Signed-off-by: Florian Schmaus <flow <AT> gentoo.org>
15
16	net-vpn/strongswan/Manifest \| 1 +
17	net-vpn/strongswan/metadata.xml \| 4 +
18	net-vpn/strongswan/strongswan-5.9.6.ebuild \| 306 +++++++++++++++++++++++++++++
19	3 files changed, 311 insertions(+)
20
21	diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest
22	index 45ddfeb7608e..5bf87feeb4b9 100644
23	--- a/net-vpn/strongswan/Manifest
24	+++ b/net-vpn/strongswan/Manifest
25	@@ -1,3 +1,4 @@
26	DIST strongswan-5.9.2.tar.bz2 4607281 BLAKE2B 84f5457bc970f49c9bc99d0ef41182d815e39b8a88be349ad0a78b531a983d3b3919d5c9f3b97793b0b2569f2c6b151cc3b5d9b145a8bfd663db6f79d8ff3dd6 SHA512 dca30b9be7847e0af59d1526c2e38d440b6729055cb3f0f0637d50d7381df465c7b59e79662efe63870a7a5a44eef696c02231274d2764f9e3c430ce2fd694f6
27	DIST strongswan-5.9.4.tar.bz2 4651000 BLAKE2B 071a0a0a144b369a7e4069d92340cecca9eef0c004949d91993c8f1cc0f39f7868749020d6e135fa59d5899d146f39172f87eb32a26ad788cb8a4c160597e328 SHA512 796356c1d5c1ad410f0ed944ab4a131076d26f120ec6fa57796fe4060b0741201199625883ddc9ebd8a7ad299495f073cec76a6780ebd8f375605aae16750cf3
28	DIST strongswan-5.9.5.tar.bz2 4722123 BLAKE2B 8b3adc44d5f5eb3824845ce9eda75e7b75f0f7394fbe84f827f4a8177e5299ca7170103ee6cd76e1e18aef85d7f124a43a505ceaf41ec4ed575eb214ebb6af21 SHA512 3b11c4edb1ffccf0ea5b8b843acfe2eb18dcd3857fc2818b8481c4febe7959261e1b2804c3af29068319df469fa0b784682d3ba4d49a3eb580841ff3c34e33a1
29	+DIST strongswan-5.9.6.tar.bz2 4750894 BLAKE2B 4021a10611e66f9e2e4e432bdfb9de0f94d27ba1be1b7d4e4b8bf3cd797c123658993e60eb3d49c424b479558e9581bb069a345a70f55850d1faf5abaa401246 SHA512 8efb7a55b074485b874e941e42462e97a404b4f84e2f90ed18ef66274731b22d167a571f6fd028dccc1f199f2e591c82616d0a832a5084e1981c6b867fe5bb6a
30
31	diff --git a/net-vpn/strongswan/metadata.xml b/net-vpn/strongswan/metadata.xml
32	index 0198dd1c8ac4..895902c71494 100644
33	--- a/net-vpn/strongswan/metadata.xml
34	+++ b/net-vpn/strongswan/metadata.xml
35	@@ -30,6 +30,7 @@
36	<flag name="non-root">Force IKEv1/IKEv2 daemons to normal user privileges. This might impose some restrictions mainly to the IKEv1 daemon. Disable only if you really require superuser privileges.</flag>
37	<flag name="openssl">Enable <pkg>dev-libs/openssl</pkg> plugin which is required for Elliptic Curve Cryptography (DH groups 19-21,25,26) and ECDSA. Also provides 3DES, AES, Blowfish, Camellia, CAST, DES, IDEA and RC5 ciphers along with MD2, MD4, MD5 and SHA1/2 hash algorithms, RSA and DH groups 1,2,5,14-18 and 22-24(4.4+) <pkg>dev-libs/openssl</pkg> has to be compiled with USE="-bindist".</flag>
38	<flag name="pkcs11">Enable pkcs11 support</flag>
39	+ <flag name="strongswan_plugins_addrblock">Enable support for the addrblock crypto plugin</flag>
40	<flag name="strongswan_plugins_aesni">Enable support for Intel AES-NI crypto plugin</flag>
41	<flag name="strongswan_plugins_bypass-lan">Enable support for the bypass-lan plugin</flag>
42	<flag name="strongswan_plugins_chapoly">Enable ChaCha20/Poly1305 AEAD implementation and ChaCha20 XOF plugin</flag>
43	@@ -42,12 +43,15 @@
44	<flag name="strongswan_plugins_blowfish">Enable support for the blowfish plugin</flag>
45	<flag name="strongswan_plugins_ccm">Enable support for the ccm plugin</flag>
46	<flag name="strongswan_plugins_ctr">Enable support for the ctr plugin</flag>
47	+ <flag name="strongswan_plugins_error-notify">Enable support for the error-notify plugin</flag>
48	<flag name="strongswan_plugins_gcm">Enable support for the gcm plugin</flag>
49	<flag name="strongswan_plugins_ha">Enable support for the ha plugin</flag>
50	<flag name="strongswan_plugins_ipseckey">Enable support for the ipseckey plugin</flag>
51	+ <flag name="strongswan_plugins_kdf">Enable support for the kdf plugin</flag>
52	<flag name="strongswan_plugins_newhope">Enable plugin that allows key exchange based on post-quantum computer New Hope algorithm</flag>
53	<flag name="strongswan_plugins_ntru">Enable support for the ntru plugin</flag>
54	<flag name="strongswan_plugins_padlock">Enable support for the padlock plugin</flag>
55	+ <flag name="strongswan_plugins_prf-plus">Enable support for the prf-plus plugin</flag>
56	<flag name="strongswan_plugins_rdrand">Enable support for the rdrand plugin</flag>
57	<flag name="strongswan_plugins_save-keys">Enable plugin that saves IKE and/or ESP keys to files compatible with Wireshark (for debugging)</flag>
58	<flag name="strongswan_plugins_unbound">Enable support for the unbound plugin</flag>
59
60	diff --git a/net-vpn/strongswan/strongswan-5.9.6.ebuild b/net-vpn/strongswan/strongswan-5.9.6.ebuild
61	new file mode 100644
62	index 000000000000..62c1b708ab44
63	--- /dev/null
64	+++ b/net-vpn/strongswan/strongswan-5.9.6.ebuild
65	@@ -0,0 +1,306 @@
66	+# Copyright 1999-2022 Gentoo Authors
67	+# Distributed under the terms of the GNU General Public License v2
68	+
69	+EAPI="8"
70	+inherit linux-info systemd
71	+
72	+DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"
73	+HOMEPAGE="https://www.strongswan.org/"
74	+SRC_URI="https://download.strongswan.org/${P}.tar.bz2"
75	+
76	+LICENSE="GPL-2 RSA DES"
77	+SLOT="0"
78	+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~x86"
79	+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"
80	+
81	+STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
82	+STRONGSWAN_PLUGINS_OPT="addrblock aesni blowfish bypass-lan ccm chapoly ctr error-notify forecast gcm
83	+ha ipseckey kdf newhope ntru padlock prf-plus rdrand save-keys unbound whitelist
84	+xauth-noauth"
85	+for mod in $STRONGSWAN_PLUGINS_STD; do
86	+ IUSE="${IUSE} +strongswan_plugins_${mod}"
87	+done
88	+
89	+for mod in $STRONGSWAN_PLUGINS_OPT; do
90	+ IUSE="${IUSE} strongswan_plugins_${mod}"
91	+done
92	+
93	+COMMON_DEPEND="non-root? (
94	+ acct-user/ipsec
95	+ acct-group/ipsec
96	+ )
97	+ gmp? ( >=dev-libs/gmp-4.1.5:= )
98	+ gcrypt? ( dev-libs/libgcrypt:= )
99	+ caps? ( sys-libs/libcap )
100	+ curl? ( net-misc/curl )
101	+ ldap? ( net-nds/openldap:= )
102	+ openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] )
103	+ mysql? ( dev-db/mysql-connector-c:= )
104	+ sqlite? ( >=dev-db/sqlite-3.3.1 )
105	+ systemd? ( sys-apps/systemd )
106	+ networkmanager? ( net-misc/networkmanager )
107	+ pam? ( sys-libs/pam )
108	+ strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns )"
109	+
110	+DEPEND="${COMMON_DEPEND}
111	+ virtual/linux-sources
112	+ sys-kernel/linux-headers"
113	+
114	+RDEPEND="${COMMON_DEPEND}
115	+ virtual/logger
116	+ sys-apps/iproute2
117	+ !net-vpn/libreswan
118	+ selinux? ( sec-policy/selinux-ipsec )"
119	+
120	+UGID="ipsec"
121	+
122	+pkg_setup() {
123	+ linux-info_pkg_setup
124	+
125	+ elog "Linux kernel version: ${KV_FULL}"
126	+
127	+ if ! kernel_is -ge 2 6 16; then
128	+ eerror
129	+ eerror "This ebuild currently only supports ${PN} with the"
130	+ eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
131	+ eerror
132	+ fi
133	+
134	+ if kernel_is -lt 2 6 34; then
135	+ ewarn
136	+ ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
137	+ ewarn
138	+
139	+ if kernel_is -lt 2 6 29; then
140	+ ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
141	+ ewarn "include all required IPv6 modules even if you just intend"
142	+ ewarn "to run on IPv4 only."
143	+ ewarn
144	+ ewarn "This has been fixed with kernels >= 2.6.29."
145	+ ewarn
146	+ fi
147	+
148	+ if kernel_is -lt 2 6 33; then
149	+ ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
150	+ ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
151	+ ewarn "miss SHA384 and SHA512 HMAC support altogether."
152	+ ewarn
153	+ ewarn "If you need any of those features, please use kernel >= 2.6.33."
154	+ ewarn
155	+ fi
156	+
157	+ if kernel_is -lt 2 6 34; then
158	+ ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
159	+ ewarn "ESP cipher is only included in kernels >= 2.6.34."
160	+ ewarn
161	+ ewarn "If you need it, please use kernel >= 2.6.34."
162	+ ewarn
163	+ fi
164	+ fi
165	+}
166	+
167	+src_configure() {
168	+ local myconf=""
169	+
170	+ if use non-root; then
171	+ myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
172	+ fi
173	+
174	+ # If a user has already enabled db support, those plugins will
175	+ # most likely be desired as well. Besides they don't impose new
176	+ # dependencies and come at no cost (except for space).
177	+ if use mysql \|\| use sqlite; then
178	+ myconf="${myconf} --enable-attr-sql --enable-sql"
179	+ fi
180	+
181	+ # strongSwan builds and installs static libs by default which are
182	+ # useless to the user (and to strongSwan for that matter) because no
183	+ # header files or alike get installed... so disabling them is safe.
184	+ if use pam && use eap; then
185	+ myconf="${myconf} --enable-eap-gtc"
186	+ else
187	+ myconf="${myconf} --disable-eap-gtc"
188	+ fi
189	+
190	+ for mod in $STRONGSWAN_PLUGINS_STD; do
191	+ if use strongswan_plugins_${mod}; then
192	+ myconf+=" --enable-${mod}"
193	+ fi
194	+ done
195	+
196	+ for mod in $STRONGSWAN_PLUGINS_OPT; do
197	+ if use strongswan_plugins_${mod}; then
198	+ myconf+=" --enable-${mod}"
199	+ fi
200	+ done
201	+
202	+ econf \
203	+ --disable-static \
204	+ --enable-ikev1 \
205	+ --enable-ikev2 \
206	+ --enable-swanctl \
207	+ --enable-socket-dynamic \
208	+ --enable-cmd \
209	+ $(use_enable curl) \
210	+ $(use_enable constraints) \
211	+ $(use_enable ldap) \
212	+ $(use_enable debug leak-detective) \
213	+ $(use_enable dhcp) \
214	+ $(use_enable eap eap-sim) \
215	+ $(use_enable eap eap-sim-file) \
216	+ $(use_enable eap eap-simaka-sql) \
217	+ $(use_enable eap eap-simaka-pseudonym) \
218	+ $(use_enable eap eap-simaka-reauth) \
219	+ $(use_enable eap eap-identity) \
220	+ $(use_enable eap eap-md5) \
221	+ $(use_enable eap eap-aka) \
222	+ $(use_enable eap eap-aka-3gpp2) \
223	+ $(use_enable eap md4) \
224	+ $(use_enable eap eap-mschapv2) \
225	+ $(use_enable eap eap-radius) \
226	+ $(use_enable eap eap-tls) \
227	+ $(use_enable eap eap-ttls) \
228	+ $(use_enable eap xauth-eap) \
229	+ $(use_enable eap eap-dynamic) \
230	+ $(use_enable farp) \
231	+ $(use_enable gmp) \
232	+ $(use_enable gcrypt) \
233	+ $(use_enable mysql) \
234	+ $(use_enable networkmanager nm) \
235	+ $(use_enable openssl) \
236	+ $(use_enable pam xauth-pam) \
237	+ $(use_enable pkcs11) \
238	+ $(use_enable sqlite) \
239	+ $(use_enable systemd) \
240	+ $(use_with caps capabilities libcap) \
241	+ --with-piddir=/run \
242	+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
243	+ ${myconf}
244	+}
245	+
246	+src_install() {
247	+ emake DESTDIR="${D}" install
248	+
249	+ if ! use systemd; then
250	+ rm -rf "${ED}"/lib/systemd \|\| die "Failed removing systemd lib."
251	+ fi
252	+
253	+ doinitd "${FILESDIR}"/ipsec
254	+
255	+ local dir_ugid
256	+ if use non-root; then
257	+ fowners ${UGID}:${UGID} \
258	+ /etc/ipsec.conf \
259	+ /etc/strongswan.conf
260	+
261	+ dir_ugid="${UGID}"
262	+ else
263	+ dir_ugid="root"
264	+ fi
265	+
266	+ diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
267	+ dodir /etc/ipsec.d \
268	+ /etc/ipsec.d/aacerts \
269	+ /etc/ipsec.d/acerts \
270	+ /etc/ipsec.d/cacerts \
271	+ /etc/ipsec.d/certs \
272	+ /etc/ipsec.d/crls \
273	+ /etc/ipsec.d/ocspcerts \
274	+ /etc/ipsec.d/private \
275	+ /etc/ipsec.d/reqs
276	+
277	+ dodoc NEWS README TODO
278	+
279	+ # shared libs are used only internally and there are no static libs,
280	+ # so it's safe to get rid of the .la files
281	+ find "${D}" -name '*.la' -delete \|\| die "Failed to remove .la files."
282	+}
283	+
284	+pkg_preinst() {
285	+ has_version "<net-vpn/strongswan-4.3.6-r1"
286	+ upgrade_from_leq_4_3_6=$(( !$? ))
287	+
288	+ has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
289	+ previous_4_3_6_with_caps=$(( !$? ))
290	+}
291	+
292	+pkg_postinst() {
293	+ if ! use openssl && ! use gcrypt; then
294	+ elog
295	+ elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
296	+ elog "Please note that this might effect availability and speed of some"
297	+ elog "cryptographic features. You are advised to enable the OpenSSL plugin."
298	+ elif ! use openssl; then
299	+ elog
300	+ elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
301	+ elog "availability and speed of some cryptographic features. There will be"
302	+ elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
303	+ elog "25, 26) and ECDSA."
304	+ fi
305	+
306	+ if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
307	+ chmod 0750 "${ROOT}"/etc/ipsec.d \
308	+ "${ROOT}"/etc/ipsec.d/aacerts \
309	+ "${ROOT}"/etc/ipsec.d/acerts \
310	+ "${ROOT}"/etc/ipsec.d/cacerts \
311	+ "${ROOT}"/etc/ipsec.d/certs \
312	+ "${ROOT}"/etc/ipsec.d/crls \
313	+ "${ROOT}"/etc/ipsec.d/ocspcerts \
314	+ "${ROOT}"/etc/ipsec.d/private \
315	+ "${ROOT}"/etc/ipsec.d/reqs
316	+
317	+ ewarn
318	+ ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
319	+ ewarn "security reasons. Your system installed directories have been"
320	+ ewarn "updated accordingly. Please check if necessary."
321	+ ewarn
322	+
323	+ if [[ $previous_4_3_6_with_caps == 1 ]]; then
324	+ if ! use non-root; then
325	+ ewarn
326	+ ewarn "IMPORTANT: You previously had ${PN} installed without root"
327	+ ewarn "privileges because it was implied by the 'caps' USE flag."
328	+ ewarn "This has been changed. If you want ${PN} with user privileges,"
329	+ ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
330	+ ewarn
331	+ fi
332	+ fi
333	+ fi
334	+ if ! use caps && ! use non-root; then
335	+ ewarn
336	+ ewarn "You have decided to run ${PN} with root privileges and built it"
337	+ ewarn "without support for POSIX capability dropping. It is generally"
338	+ ewarn "strongly suggested that you reconsider- especially if you intend"
339	+ ewarn "to run ${PN} as server with a public ip address."
340	+ ewarn
341	+ ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
342	+ ewarn
343	+ fi
344	+ if use non-root; then
345	+ elog
346	+ elog "${PN} has been installed without superuser privileges (USE=non-root)."
347	+ elog "This imposes a few limitations mainly to the daemon 'charon' in"
348	+ elog "regards of the use of iptables."
349	+ elog
350	+ elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges"
351	+ elog
352	+ elog "Thus if you require to specify a custom updown"
353	+ elog "script to charon which requires superuser privileges, you"
354	+ elog "can work around this limitation by using sudo to grant the"
355	+ elog "user \"ipsec\" the appropriate rights."
356	+ elog "For example (the default case):"
357	+ elog "/etc/sudoers:"
358	+ elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
359	+ elog "Under the specific connection block in /etc/ipsec.conf:"
360	+ elog " leftupdown=\"sudo -E ipsec _updown iptables\""
361	+ elog
362	+ fi
363	+ elog
364	+ elog "Make sure you have _all_ required kernel modules available including"
365	+ elog "the appropriate cryptographic algorithms. A list is available at:"
366	+ elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
367	+ elog
368	+ elog "The up-to-date manual is available online at:"
369	+ elog " https://wiki.strongswan.org/"
370	+ elog
371	+}

Gentoo Archives: gentoo-commits