[gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/ - gentoo-commits

From:	Patrick Lauer <patrick@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/
Date:	Sat, 24 Feb 2018 15:17:50
Message-Id:	`1519485457.e7b41c04b284c4bfa14cee9d60777cb39da3d6db.patrick@gentoo`

1

commit:     e7b41c04b284c4bfa14cee9d60777cb39da3d6db

2

Author:     Patrick Lauer <patrick <AT> gentoo <DOT> org>

3

AuthorDate: Sat Feb 24 08:07:05 2018 +0000

4

Commit:     Patrick Lauer <patrick <AT> gentoo <DOT> org>

5

CommitDate: Sat Feb 24 15:17:37 2018 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7b41c04

7

8

net-vpn/strongswan: Bump

9

10

Package-Manager: Portage-2.3.24, Repoman-2.3.6

11

12

 net-vpn/strongswan/Manifest                |   1 +

13

 net-vpn/strongswan/strongswan-5.6.2.ebuild | 303 +++++++++++++++++++++++++++++

14

 2 files changed, 304 insertions(+)

15

16

diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest

17

index b8e0ee71e94..053972a54ef 100644

18

--- a/net-vpn/strongswan/Manifest

19

+++ b/net-vpn/strongswan/Manifest

20

@@ -1,2 +1,3 @@

21

 DIST strongswan-5.5.3.tar.bz2 4768820 BLAKE2B 9f9da6c2ef27cec7f6a07f1cd5a7ecc8a92576fad2a5c6379b93d8a2e9d3b0804fe26dc0bc7b303754ef499ee938549c7cafbdf9a3f8f818d14cf88f613fe0fd SHA512 0b0b25d2102c98cda54300dc8c3c3a49a55e64f7c695dda65a24f2194f19bce0b7aab9e4f7486c243b552f9d1a94867d6a8782ee504aad1c9973809706d599ac

22

 DIST strongswan-5.6.0.tar.bz2 4850722 BLAKE2B edb9f2b277cd8bccf886a824e4b3fb3c06af7510d9e21283fcb8d8ba9cf234f38182fcd1ca0c350b4039945ab10888406986d9a0b8edac24fe09faf0b8967fb2 SHA512 9362069a01c3642e62864d88fdb409a3c7514bf7c92cbe36e552c6a80915119cf5bb91c39592aab2d15b562684a0628a764e4fa7636d3b5fd2ebaf165c0ce649

23

+DIST strongswan-5.6.2.tar.bz2 4977859 BLAKE2B 83943ec95e6b95724e9fc130a09f7c7364147d0ce50528ac8b64452db53516b143e92c7dcb746c0c25aaac9182dda14d55e5c267fbdcd5bb9a63cbf48801274b SHA512 cf2d5cb6c45d991fe0ad8eed4ea8628f95a1871e9728ddf0985aa26e78d1e6da1c92c961772aafd3e55cfcfa84516204a15561389d373f78140f05607b248c52

24

25

diff --git a/net-vpn/strongswan/strongswan-5.6.2.ebuild b/net-vpn/strongswan/strongswan-5.6.2.ebuild

26

new file mode 100644

27

index 00000000000..a4895259f77

28

--- /dev/null

29

+++ b/net-vpn/strongswan/strongswan-5.6.2.ebuild

30

@@ -0,0 +1,303 @@

31

+# Copyright 1999-2018 Gentoo Foundation

32

+# Distributed under the terms of the GNU General Public License v2

33

+

34

+EAPI=5

35

+inherit eutils linux-info systemd user

36

+

37

+DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"

38

+HOMEPAGE="http://www.strongswan.org/"

39

+SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

40

+

41

+LICENSE="GPL-2 RSA DES"

42

+SLOT="0"

43

+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"

44

+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite pam pkcs11"

45

+

46

+STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"

47

+STRONGSWAN_PLUGINS_OPT="blowfish ccm ctr gcm ha ipseckey ntru padlock rdrand unbound whitelist"

48

+for mod in $STRONGSWAN_PLUGINS_STD; do

49

+	IUSE="${IUSE} +strongswan_plugins_${mod}"

50

+done

51

+

52

+for mod in $STRONGSWAN_PLUGINS_OPT; do

53

+	IUSE="${IUSE} strongswan_plugins_${mod}"

54

+done

55

+

56

+COMMON_DEPEND="!net-misc/openswan

57

+	gmp? ( >=dev-libs/gmp-4.1.5:= )

58

+	gcrypt? ( dev-libs/libgcrypt:0 )

59

+	caps? ( sys-libs/libcap )

60

+	curl? ( net-misc/curl )

61

+	ldap? ( net-nds/openldap )

62

+	openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] )

63

+	mysql? ( virtual/mysql )

64

+	sqlite? ( >=dev-db/sqlite-3.3.1 )

65

+	networkmanager? ( net-misc/networkmanager )

66

+	pam? ( sys-libs/pam )

67

+	strongswan_plugins_unbound? ( net-dns/unbound net-libs/ldns )"

68

+DEPEND="${COMMON_DEPEND}

69

+	virtual/linux-sources

70

+	sys-kernel/linux-headers"

71

+RDEPEND="${COMMON_DEPEND}

72

+	virtual/logger

73

+	sys-apps/iproute2

74

+	!net-vpn/libreswan

75

+	selinux? ( sec-policy/selinux-ipsec )"

76

+

77

+UGID="ipsec"

78

+

79

+pkg_setup() {

80

+	linux-info_pkg_setup

81

+	elog "Linux kernel version: ${KV_FULL}"

82

+

83

+	if ! kernel_is -ge 2 6 16; then

84

+		eerror

85

+		eerror "This ebuild currently only supports ${PN} with the"

86

+		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."

87

+		eerror

88

+	fi

89

+

90

+	if kernel_is -lt 2 6 34; then

91

+		ewarn

92

+		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."

93

+		ewarn

94

+

95

+		if kernel_is -lt 2 6 29; then

96

+			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"

97

+			ewarn "include all required IPv6 modules even if you just intend"

98

+			ewarn "to run on IPv4 only."

99

+			ewarn

100

+			ewarn "This has been fixed with kernels >= 2.6.29."

101

+			ewarn

102

+		fi

103

+

104

+		if kernel_is -lt 2 6 33; then

105

+			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"

106

+			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"

107

+			ewarn "miss SHA384 and SHA512 HMAC support altogether."

108

+			ewarn

109

+			ewarn "If you need any of those features, please use kernel >= 2.6.33."

110

+			ewarn

111

+		fi

112

+

113

+		if kernel_is -lt 2 6 34; then

114

+			ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"

115

+			ewarn "ESP cipher is only included in kernels >= 2.6.34."

116

+			ewarn

117

+			ewarn "If you need it, please use kernel >= 2.6.34."

118

+			ewarn

119

+		fi

120

+	fi

121

+

122

+	if use non-root; then

123

+		enewgroup ${UGID}

124

+		enewuser ${UGID} -1 -1 -1 ${UGID}

125

+	fi

126

+}

127

+

128

+src_prepare() {

129

+	epatch_user

130

+}

131

+

132

+src_configure() {

133

+	local myconf=""

134

+

135

+	if use non-root; then

136

+		myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"

137

+	fi

138

+

139

+	# If a user has already enabled db support, those plugins will

140

+	# most likely be desired as well. Besides they don't impose new

141

+	# dependencies and come at no cost (except for space).

142

+	if use mysql || use sqlite; then

143

+		myconf="${myconf} --enable-attr-sql --enable-sql"

144

+	fi

145

+

146

+	# strongSwan builds and installs static libs by default which are

147

+	# useless to the user (and to strongSwan for that matter) because no

148

+	# header files or alike get installed... so disabling them is safe.

149

+	if use pam && use eap; then

150

+		myconf="${myconf} --enable-eap-gtc"

151

+	else

152

+		myconf="${myconf} --disable-eap-gtc"

153

+	fi

154

+

155

+	for mod in $STRONGSWAN_PLUGINS_STD; do

156

+		if use strongswan_plugins_${mod}; then

157

+			myconf+=" --enable-${mod}"

158

+		fi

159

+	done

160

+

161

+	for mod in $STRONGSWAN_PLUGINS_OPT; do

162

+		if use strongswan_plugins_${mod}; then

163

+			myconf+=" --enable-${mod}"

164

+		fi

165

+	done

166

+

167

+	econf \

168

+		--disable-static \

169

+		--enable-ikev1 \

170

+		--enable-ikev2 \

171

+		--enable-swanctl \

172

+		--enable-socket-dynamic \

173

+		$(use_with caps capabilities libcap) \

174

+		$(use_enable curl) \

175

+		$(use_enable constraints) \

176

+		$(use_enable ldap) \

177

+		$(use_enable debug leak-detective) \

178

+		$(use_enable dhcp) \

179

+		$(use_enable eap eap-sim) \

180

+		$(use_enable eap eap-sim-file) \

181

+		$(use_enable eap eap-simaka-sql) \

182

+		$(use_enable eap eap-simaka-pseudonym) \

183

+		$(use_enable eap eap-simaka-reauth) \

184

+		$(use_enable eap eap-identity) \

185

+		$(use_enable eap eap-md5) \

186

+		$(use_enable eap eap-aka) \

187

+		$(use_enable eap eap-aka-3gpp2) \

188

+		$(use_enable eap md4) \

189

+		$(use_enable eap eap-mschapv2) \

190

+		$(use_enable eap eap-radius) \

191

+		$(use_enable eap eap-tls) \

192

+		$(use_enable eap xauth-eap) \

193

+		$(use_enable eap eap-dynamic) \

194

+		$(use_enable farp) \

195

+		$(use_enable gmp) \

196

+		$(use_enable gcrypt) \

197

+		$(use_enable mysql) \

198

+		$(use_enable networkmanager nm) \

199

+		$(use_enable openssl) \

200

+		$(use_enable pam xauth-pam) \

201

+		$(use_enable pkcs11) \

202

+		$(use_enable sqlite) \

203

+		"$(systemd_with_unitdir)" \

204

+		${myconf}

205

+}

206

+

207

+src_install() {

208

+	emake DESTDIR="${D}" install

209

+

210

+	doinitd "${FILESDIR}"/ipsec

211

+

212

+	local dir_ugid

213

+	if use non-root; then

214

+		fowners ${UGID}:${UGID} \

215

+			/etc/ipsec.conf \

216

+			/etc/strongswan.conf

217

+

218

+		dir_ugid="${UGID}"

219

+	else

220

+		dir_ugid="root"

221

+	fi

222

+

223

+	diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}

224

+	dodir /etc/ipsec.d \

225

+		/etc/ipsec.d/aacerts \

226

+		/etc/ipsec.d/acerts \

227

+		/etc/ipsec.d/cacerts \

228

+		/etc/ipsec.d/certs \

229

+		/etc/ipsec.d/crls \

230

+		/etc/ipsec.d/ocspcerts \

231

+		/etc/ipsec.d/private \

232

+		/etc/ipsec.d/reqs

233

+

234

+	dodoc NEWS README TODO || die

235

+

236

+	# shared libs are used only internally and there are no static libs,

237

+	# so it's safe to get rid of the .la files

238

+	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."

239

+}

240

+

241

+pkg_preinst() {

242

+	has_version "<net-vpn/strongswan-4.3.6-r1"

243

+	upgrade_from_leq_4_3_6=$(( !$? ))

244

+

245

+	has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"

246

+	previous_4_3_6_with_caps=$(( !$? ))

247

+}

248

+

249

+pkg_postinst() {

250

+	if ! use openssl && ! use gcrypt; then

251

+		elog

252

+		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."

253

+		elog "Please note that this might effect availability and speed of some"

254

+		elog "cryptographic features. You are advised to enable the OpenSSL plugin."

255

+	elif ! use openssl; then

256

+		elog

257

+		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"

258

+		elog "availability and speed of some cryptographic features. There will be"

259

+		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"

260

+		elog "25, 26) and ECDSA."

261

+	fi

262

+

263

+	if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then

264

+		chmod 0750 "${ROOT}"/etc/ipsec.d \

265

+			"${ROOT}"/etc/ipsec.d/aacerts \

266

+			"${ROOT}"/etc/ipsec.d/acerts \

267

+			"${ROOT}"/etc/ipsec.d/cacerts \

268

+			"${ROOT}"/etc/ipsec.d/certs \

269

+			"${ROOT}"/etc/ipsec.d/crls \

270

+			"${ROOT}"/etc/ipsec.d/ocspcerts \

271

+			"${ROOT}"/etc/ipsec.d/private \

272

+			"${ROOT}"/etc/ipsec.d/reqs

273

+

274

+		ewarn

275

+		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"

276

+		ewarn "security reasons. Your system installed directories have been"

277

+		ewarn "updated accordingly. Please check if necessary."

278

+		ewarn

279

+

280

+		if [[ $previous_4_3_6_with_caps == 1 ]]; then

281

+			if ! use non-root; then

282

+				ewarn

283

+				ewarn "IMPORTANT: You previously had ${PN} installed without root"

284

+				ewarn "privileges because it was implied by the 'caps' USE flag."

285

+				ewarn "This has been changed. If you want ${PN} with user privileges,"

286

+				ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."

287

+				ewarn

288

+			fi

289

+		fi

290

+	fi

291

+	if ! use caps && ! use non-root; then

292

+		ewarn

293

+		ewarn "You have decided to run ${PN} with root privileges and built it"

294

+		ewarn "without support for POSIX capability dropping. It is generally"

295

+		ewarn "strongly suggested that you reconsider- especially if you intend"

296

+		ewarn "to run ${PN} as server with a public ip address."

297

+		ewarn

298

+		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."

299

+		ewarn

300

+	fi

301

+	if use non-root; then

302

+		elog

303

+		elog "${PN} has been installed without superuser privileges (USE=non-root)."

304

+		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"

305

+		elog "but also a few to the IKEv2 daemon 'charon'."

306

+		elog

307

+		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"

308

+		elog

309

+		elog "pluto uses a helper script by default to insert/remove routing and"

310

+		elog "policy rules upon connection start/stop which requires superuser"

311

+		elog "privileges. charon in contrast does this internally and can do so"

312

+		elog "even with reduced (user) privileges."

313

+		elog

314

+		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"

315

+		elog "script to pluto or charon which requires superuser privileges, you"

316

+		elog "can work around this limitation by using sudo to grant the"

317

+		elog "user \"ipsec\" the appropriate rights."

318

+		elog "For example (the default case):"

319

+		elog "/etc/sudoers:"

320

+		elog "  ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"

321

+		elog "Under the specific connection block in /etc/ipsec.conf:"

322

+		elog "  leftupdown=\"sudo -E ipsec _updown iptables\""

323

+		elog

324

+	fi

325

+	elog

326

+	elog "Make sure you have _all_ required kernel modules available including"

327

+	elog "the appropriate cryptographic algorithms. A list is available at:"

328

+	elog "  http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"

329

+	elog

330

+	elog "The up-to-date manual is available online at:"

331

+	elog "  http://wiki.strongswan.org/"

332

+	elog

333

+}

1	commit: e7b41c04b284c4bfa14cee9d60777cb39da3d6db
2	Author: Patrick Lauer <patrick <AT> gentoo <DOT> org>
3	AuthorDate: Sat Feb 24 08:07:05 2018 +0000
4	Commit: Patrick Lauer <patrick <AT> gentoo <DOT> org>
5	CommitDate: Sat Feb 24 15:17:37 2018 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7b41c04
7
8	net-vpn/strongswan: Bump
9
10	Package-Manager: Portage-2.3.24, Repoman-2.3.6
11
12	net-vpn/strongswan/Manifest \| 1 +
13	net-vpn/strongswan/strongswan-5.6.2.ebuild \| 303 +++++++++++++++++++++++++++++
14	2 files changed, 304 insertions(+)
15
16	diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest
17	index b8e0ee71e94..053972a54ef 100644
18	--- a/net-vpn/strongswan/Manifest
19	+++ b/net-vpn/strongswan/Manifest
20	@@ -1,2 +1,3 @@
21	DIST strongswan-5.5.3.tar.bz2 4768820 BLAKE2B 9f9da6c2ef27cec7f6a07f1cd5a7ecc8a92576fad2a5c6379b93d8a2e9d3b0804fe26dc0bc7b303754ef499ee938549c7cafbdf9a3f8f818d14cf88f613fe0fd SHA512 0b0b25d2102c98cda54300dc8c3c3a49a55e64f7c695dda65a24f2194f19bce0b7aab9e4f7486c243b552f9d1a94867d6a8782ee504aad1c9973809706d599ac
22	DIST strongswan-5.6.0.tar.bz2 4850722 BLAKE2B edb9f2b277cd8bccf886a824e4b3fb3c06af7510d9e21283fcb8d8ba9cf234f38182fcd1ca0c350b4039945ab10888406986d9a0b8edac24fe09faf0b8967fb2 SHA512 9362069a01c3642e62864d88fdb409a3c7514bf7c92cbe36e552c6a80915119cf5bb91c39592aab2d15b562684a0628a764e4fa7636d3b5fd2ebaf165c0ce649
23	+DIST strongswan-5.6.2.tar.bz2 4977859 BLAKE2B 83943ec95e6b95724e9fc130a09f7c7364147d0ce50528ac8b64452db53516b143e92c7dcb746c0c25aaac9182dda14d55e5c267fbdcd5bb9a63cbf48801274b SHA512 cf2d5cb6c45d991fe0ad8eed4ea8628f95a1871e9728ddf0985aa26e78d1e6da1c92c961772aafd3e55cfcfa84516204a15561389d373f78140f05607b248c52
24
25	diff --git a/net-vpn/strongswan/strongswan-5.6.2.ebuild b/net-vpn/strongswan/strongswan-5.6.2.ebuild
26	new file mode 100644
27	index 00000000000..a4895259f77
28	--- /dev/null
29	+++ b/net-vpn/strongswan/strongswan-5.6.2.ebuild
30	@@ -0,0 +1,303 @@
31	+# Copyright 1999-2018 Gentoo Foundation
32	+# Distributed under the terms of the GNU General Public License v2
33	+
34	+EAPI=5
35	+inherit eutils linux-info systemd user
36	+
37	+DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
38	+HOMEPAGE="http://www.strongswan.org/"
39	+SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
40	+
41	+LICENSE="GPL-2 RSA DES"
42	+SLOT="0"
43	+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
44	+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite pam pkcs11"
45	+
46	+STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
47	+STRONGSWAN_PLUGINS_OPT="blowfish ccm ctr gcm ha ipseckey ntru padlock rdrand unbound whitelist"
48	+for mod in $STRONGSWAN_PLUGINS_STD; do
49	+ IUSE="${IUSE} +strongswan_plugins_${mod}"
50	+done
51	+
52	+for mod in $STRONGSWAN_PLUGINS_OPT; do
53	+ IUSE="${IUSE} strongswan_plugins_${mod}"
54	+done
55	+
56	+COMMON_DEPEND="!net-misc/openswan
57	+ gmp? ( >=dev-libs/gmp-4.1.5:= )
58	+ gcrypt? ( dev-libs/libgcrypt:0 )
59	+ caps? ( sys-libs/libcap )
60	+ curl? ( net-misc/curl )
61	+ ldap? ( net-nds/openldap )
62	+ openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] )
63	+ mysql? ( virtual/mysql )
64	+ sqlite? ( >=dev-db/sqlite-3.3.1 )
65	+ networkmanager? ( net-misc/networkmanager )
66	+ pam? ( sys-libs/pam )
67	+ strongswan_plugins_unbound? ( net-dns/unbound net-libs/ldns )"
68	+DEPEND="${COMMON_DEPEND}
69	+ virtual/linux-sources
70	+ sys-kernel/linux-headers"
71	+RDEPEND="${COMMON_DEPEND}
72	+ virtual/logger
73	+ sys-apps/iproute2
74	+ !net-vpn/libreswan
75	+ selinux? ( sec-policy/selinux-ipsec )"
76	+
77	+UGID="ipsec"
78	+
79	+pkg_setup() {
80	+ linux-info_pkg_setup
81	+ elog "Linux kernel version: ${KV_FULL}"
82	+
83	+ if ! kernel_is -ge 2 6 16; then
84	+ eerror
85	+ eerror "This ebuild currently only supports ${PN} with the"
86	+ eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
87	+ eerror
88	+ fi
89	+
90	+ if kernel_is -lt 2 6 34; then
91	+ ewarn
92	+ ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
93	+ ewarn
94	+
95	+ if kernel_is -lt 2 6 29; then
96	+ ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
97	+ ewarn "include all required IPv6 modules even if you just intend"
98	+ ewarn "to run on IPv4 only."
99	+ ewarn
100	+ ewarn "This has been fixed with kernels >= 2.6.29."
101	+ ewarn
102	+ fi
103	+
104	+ if kernel_is -lt 2 6 33; then
105	+ ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
106	+ ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
107	+ ewarn "miss SHA384 and SHA512 HMAC support altogether."
108	+ ewarn
109	+ ewarn "If you need any of those features, please use kernel >= 2.6.33."
110	+ ewarn
111	+ fi
112	+
113	+ if kernel_is -lt 2 6 34; then
114	+ ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
115	+ ewarn "ESP cipher is only included in kernels >= 2.6.34."
116	+ ewarn
117	+ ewarn "If you need it, please use kernel >= 2.6.34."
118	+ ewarn
119	+ fi
120	+ fi
121	+
122	+ if use non-root; then
123	+ enewgroup ${UGID}
124	+ enewuser ${UGID} -1 -1 -1 ${UGID}
125	+ fi
126	+}
127	+
128	+src_prepare() {
129	+ epatch_user
130	+}
131	+
132	+src_configure() {
133	+ local myconf=""
134	+
135	+ if use non-root; then
136	+ myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
137	+ fi
138	+
139	+ # If a user has already enabled db support, those plugins will
140	+ # most likely be desired as well. Besides they don't impose new
141	+ # dependencies and come at no cost (except for space).
142	+ if use mysql \|\| use sqlite; then
143	+ myconf="${myconf} --enable-attr-sql --enable-sql"
144	+ fi
145	+
146	+ # strongSwan builds and installs static libs by default which are
147	+ # useless to the user (and to strongSwan for that matter) because no
148	+ # header files or alike get installed... so disabling them is safe.
149	+ if use pam && use eap; then
150	+ myconf="${myconf} --enable-eap-gtc"
151	+ else
152	+ myconf="${myconf} --disable-eap-gtc"
153	+ fi
154	+
155	+ for mod in $STRONGSWAN_PLUGINS_STD; do
156	+ if use strongswan_plugins_${mod}; then
157	+ myconf+=" --enable-${mod}"
158	+ fi
159	+ done
160	+
161	+ for mod in $STRONGSWAN_PLUGINS_OPT; do
162	+ if use strongswan_plugins_${mod}; then
163	+ myconf+=" --enable-${mod}"
164	+ fi
165	+ done
166	+
167	+ econf \
168	+ --disable-static \
169	+ --enable-ikev1 \
170	+ --enable-ikev2 \
171	+ --enable-swanctl \
172	+ --enable-socket-dynamic \
173	+ $(use_with caps capabilities libcap) \
174	+ $(use_enable curl) \
175	+ $(use_enable constraints) \
176	+ $(use_enable ldap) \
177	+ $(use_enable debug leak-detective) \
178	+ $(use_enable dhcp) \
179	+ $(use_enable eap eap-sim) \
180	+ $(use_enable eap eap-sim-file) \
181	+ $(use_enable eap eap-simaka-sql) \
182	+ $(use_enable eap eap-simaka-pseudonym) \
183	+ $(use_enable eap eap-simaka-reauth) \
184	+ $(use_enable eap eap-identity) \
185	+ $(use_enable eap eap-md5) \
186	+ $(use_enable eap eap-aka) \
187	+ $(use_enable eap eap-aka-3gpp2) \
188	+ $(use_enable eap md4) \
189	+ $(use_enable eap eap-mschapv2) \
190	+ $(use_enable eap eap-radius) \
191	+ $(use_enable eap eap-tls) \
192	+ $(use_enable eap xauth-eap) \
193	+ $(use_enable eap eap-dynamic) \
194	+ $(use_enable farp) \
195	+ $(use_enable gmp) \
196	+ $(use_enable gcrypt) \
197	+ $(use_enable mysql) \
198	+ $(use_enable networkmanager nm) \
199	+ $(use_enable openssl) \
200	+ $(use_enable pam xauth-pam) \
201	+ $(use_enable pkcs11) \
202	+ $(use_enable sqlite) \
203	+ "$(systemd_with_unitdir)" \
204	+ ${myconf}
205	+}
206	+
207	+src_install() {
208	+ emake DESTDIR="${D}" install
209	+
210	+ doinitd "${FILESDIR}"/ipsec
211	+
212	+ local dir_ugid
213	+ if use non-root; then
214	+ fowners ${UGID}:${UGID} \
215	+ /etc/ipsec.conf \
216	+ /etc/strongswan.conf
217	+
218	+ dir_ugid="${UGID}"
219	+ else
220	+ dir_ugid="root"
221	+ fi
222	+
223	+ diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
224	+ dodir /etc/ipsec.d \
225	+ /etc/ipsec.d/aacerts \
226	+ /etc/ipsec.d/acerts \
227	+ /etc/ipsec.d/cacerts \
228	+ /etc/ipsec.d/certs \
229	+ /etc/ipsec.d/crls \
230	+ /etc/ipsec.d/ocspcerts \
231	+ /etc/ipsec.d/private \
232	+ /etc/ipsec.d/reqs
233	+
234	+ dodoc NEWS README TODO \|\| die
235	+
236	+ # shared libs are used only internally and there are no static libs,
237	+ # so it's safe to get rid of the .la files
238	+ find "${D}" -name '*.la' -delete \|\| die "Failed to remove .la files."
239	+}
240	+
241	+pkg_preinst() {
242	+ has_version "<net-vpn/strongswan-4.3.6-r1"
243	+ upgrade_from_leq_4_3_6=$(( !$? ))
244	+
245	+ has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
246	+ previous_4_3_6_with_caps=$(( !$? ))
247	+}
248	+
249	+pkg_postinst() {
250	+ if ! use openssl && ! use gcrypt; then
251	+ elog
252	+ elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
253	+ elog "Please note that this might effect availability and speed of some"
254	+ elog "cryptographic features. You are advised to enable the OpenSSL plugin."
255	+ elif ! use openssl; then
256	+ elog
257	+ elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
258	+ elog "availability and speed of some cryptographic features. There will be"
259	+ elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
260	+ elog "25, 26) and ECDSA."
261	+ fi
262	+
263	+ if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
264	+ chmod 0750 "${ROOT}"/etc/ipsec.d \
265	+ "${ROOT}"/etc/ipsec.d/aacerts \
266	+ "${ROOT}"/etc/ipsec.d/acerts \
267	+ "${ROOT}"/etc/ipsec.d/cacerts \
268	+ "${ROOT}"/etc/ipsec.d/certs \
269	+ "${ROOT}"/etc/ipsec.d/crls \
270	+ "${ROOT}"/etc/ipsec.d/ocspcerts \
271	+ "${ROOT}"/etc/ipsec.d/private \
272	+ "${ROOT}"/etc/ipsec.d/reqs
273	+
274	+ ewarn
275	+ ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
276	+ ewarn "security reasons. Your system installed directories have been"
277	+ ewarn "updated accordingly. Please check if necessary."
278	+ ewarn
279	+
280	+ if [[ $previous_4_3_6_with_caps == 1 ]]; then
281	+ if ! use non-root; then
282	+ ewarn
283	+ ewarn "IMPORTANT: You previously had ${PN} installed without root"
284	+ ewarn "privileges because it was implied by the 'caps' USE flag."
285	+ ewarn "This has been changed. If you want ${PN} with user privileges,"
286	+ ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
287	+ ewarn
288	+ fi
289	+ fi
290	+ fi
291	+ if ! use caps && ! use non-root; then
292	+ ewarn
293	+ ewarn "You have decided to run ${PN} with root privileges and built it"
294	+ ewarn "without support for POSIX capability dropping. It is generally"
295	+ ewarn "strongly suggested that you reconsider- especially if you intend"
296	+ ewarn "to run ${PN} as server with a public ip address."
297	+ ewarn
298	+ ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
299	+ ewarn
300	+ fi
301	+ if use non-root; then
302	+ elog
303	+ elog "${PN} has been installed without superuser privileges (USE=non-root)."
304	+ elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
305	+ elog "but also a few to the IKEv2 daemon 'charon'."
306	+ elog
307	+ elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
308	+ elog
309	+ elog "pluto uses a helper script by default to insert/remove routing and"
310	+ elog "policy rules upon connection start/stop which requires superuser"
311	+ elog "privileges. charon in contrast does this internally and can do so"
312	+ elog "even with reduced (user) privileges."
313	+ elog
314	+ elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
315	+ elog "script to pluto or charon which requires superuser privileges, you"
316	+ elog "can work around this limitation by using sudo to grant the"
317	+ elog "user \"ipsec\" the appropriate rights."
318	+ elog "For example (the default case):"
319	+ elog "/etc/sudoers:"
320	+ elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
321	+ elog "Under the specific connection block in /etc/ipsec.conf:"
322	+ elog " leftupdown=\"sudo -E ipsec _updown iptables\""
323	+ elog
324	+ fi
325	+ elog
326	+ elog "Make sure you have _all_ required kernel modules available including"
327	+ elog "the appropriate cryptographic algorithms. A list is available at:"
328	+ elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
329	+ elog
330	+ elog "The up-to-date manual is available online at:"
331	+ elog " http://wiki.strongswan.org/"
332	+ elog
333	+}

Gentoo Archives: gentoo-commits