
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/
Date: Tue, 24 Dec 2019 15:07:30
Message-Id: 1577200039.8ba3b86125f41e4ad28d8fcc7cbd6c50bb59e3e8.whissi@gentoo
1 commit: 8ba3b86125f41e4ad28d8fcc7cbd6c50bb59e3e8
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Tue Dec 24 15:04:21 2019 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Tue Dec 24 15:07:19 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ba3b861
7
8 net-vpn/strongswan: bump to v5.8.2
9
10 Package-Manager: Portage-2.3.82, Repoman-2.3.20
11 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
12
13 net-vpn/strongswan/Manifest | 1 +
14 net-vpn/strongswan/strongswan-5.8.2.ebuild | 308 +++++++++++++++++++++++++++++
15 2 files changed, 309 insertions(+)
16
17 diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest
18 index bfe47d0734f..ea091b71387 100644
19 --- a/net-vpn/strongswan/Manifest
20 +++ b/net-vpn/strongswan/Manifest
21 @@ -1 +1,2 @@
22 DIST strongswan-5.8.1.tar.bz2 4517921 BLAKE2B 07a82309515a054b267a063fc0e2f49fd03d16b221b1ee26a33c8d367df140797320e1ef7007a39074e40c472022d941656b3ae93d2eb860152cdc5a5d3dbc8a SHA512 630d24643b3d61e931bb25cdd083ad3c55f92fe41f3fcd3198012eee486fb3b1a16dc3f80936162afb7da9e471d45d92b7d183a00153a558babb2a79e5f6813f
23 +DIST strongswan-5.8.2.tar.bz2 4533402 BLAKE2B edbfa8dbe1ac00c140cfe9e906ac7aa1b6f3ddfd528dec84e7b1799e5ecdd0f6114679168ebcff9185c8abae78b46dfc43ddc4dabecd44f720285bd175d7a249 SHA512 423e7924acfe8a03ad7d4359ae9086fd516798fcf5eb948a27b52ea719f4d8954b83ea30ce94191ea1647616611df8a1215cb4d5c7ec48676624df6c41853e1d
24
25 diff --git a/net-vpn/strongswan/strongswan-5.8.2.ebuild b/net-vpn/strongswan/strongswan-5.8.2.ebuild
26 new file mode 100644
27 index 00000000000..2ab3a0ed5d3
28 --- /dev/null
29 +++ b/net-vpn/strongswan/strongswan-5.8.2.ebuild
30 @@ -0,0 +1,308 @@
31 +# Copyright 1999-2019 Gentoo Authors
32 +# Distributed under the terms of the GNU General Public License v2
33 +
34 +EAPI="7"
35 +inherit linux-info systemd user
36 +
37 +DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"
38 +HOMEPAGE="https://www.strongswan.org/"
39 +SRC_URI="https://download.strongswan.org/${P}.tar.bz2"
40 +
41 +LICENSE="GPL-2 RSA DES"
42 +SLOT="0"
43 +KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
44 +IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"
45 +
46 +STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
47 +STRONGSWAN_PLUGINS_OPT="aesni blowfish ccm chapoly ctr forecast gcm ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist"
48 +for mod in $STRONGSWAN_PLUGINS_STD; do
49 + IUSE="${IUSE} +strongswan_plugins_${mod}"
50 +done
51 +
52 +for mod in $STRONGSWAN_PLUGINS_OPT; do
53 + IUSE="${IUSE} strongswan_plugins_${mod}"
54 +done
55 +
56 +COMMON_DEPEND="!net-misc/openswan
57 + gmp? ( >=dev-libs/gmp-4.1.5:= )
58 + gcrypt? ( dev-libs/libgcrypt:0 )
59 + caps? ( sys-libs/libcap )
60 + curl? ( net-misc/curl )
61 + ldap? ( net-nds/openldap )
62 + openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] )
63 + mysql? ( dev-db/mysql-connector-c:= )
64 + sqlite? ( >=dev-db/sqlite-3.3.1 )
65 + systemd? ( sys-apps/systemd )
66 + networkmanager? ( net-misc/networkmanager )
67 + pam? ( sys-libs/pam )
68 + strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns )"
69 +DEPEND="${COMMON_DEPEND}
70 + virtual/linux-sources
71 + sys-kernel/linux-headers"
72 +RDEPEND="${COMMON_DEPEND}
73 + virtual/logger
74 + sys-apps/iproute2
75 + !net-vpn/libreswan
76 + selinux? ( sec-policy/selinux-ipsec )"
77 +
78 +UGID="ipsec"
79 +
80 +pkg_setup() {
81 + linux-info_pkg_setup
82 +
83 + elog "Linux kernel version: ${KV_FULL}"
84 +
85 + if ! kernel_is -ge 2 6 16; then
86 + eerror
87 + eerror "This ebuild currently only supports ${PN} with the"
88 + eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
89 + eerror
90 + fi
91 +
92 + if kernel_is -lt 2 6 34; then
93 + ewarn
94 + ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
95 + ewarn
96 +
97 + if kernel_is -lt 2 6 29; then
98 + ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
99 + ewarn "include all required IPv6 modules even if you just intend"
100 + ewarn "to run on IPv4 only."
101 + ewarn
102 + ewarn "This has been fixed with kernels >= 2.6.29."
103 + ewarn
104 + fi
105 +
106 + if kernel_is -lt 2 6 33; then
107 + ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
108 + ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
109 + ewarn "miss SHA384 and SHA512 HMAC support altogether."
110 + ewarn
111 + ewarn "If you need any of those features, please use kernel >= 2.6.33."
112 + ewarn
113 + fi
114 +
115 + if kernel_is -lt 2 6 34; then
116 + ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
117 + ewarn "ESP cipher is only included in kernels >= 2.6.34."
118 + ewarn
119 + ewarn "If you need it, please use kernel >= 2.6.34."
120 + ewarn
121 + fi
122 + fi
123 +
124 + if use non-root; then
125 + enewgroup ${UGID}
126 + enewuser ${UGID} -1 -1 -1 ${UGID}
127 + fi
128 +}
129 +
130 +src_configure() {
131 + local myconf=""
132 +
133 + if use non-root; then
134 + myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
135 + fi
136 +
137 + # If a user has already enabled db support, those plugins will
138 + # most likely be desired as well. Besides they don't impose new
139 + # dependencies and come at no cost (except for space).
140 + if use mysql || use sqlite; then
141 + myconf="${myconf} --enable-attr-sql --enable-sql"
142 + fi
143 +
144 + # strongSwan builds and installs static libs by default which are
145 + # useless to the user (and to strongSwan for that matter) because no
146 + # header files or alike get installed... so disabling them is safe.
147 + if use pam && use eap; then
148 + myconf="${myconf} --enable-eap-gtc"
149 + else
150 + myconf="${myconf} --disable-eap-gtc"
151 + fi
152 +
153 + for mod in $STRONGSWAN_PLUGINS_STD; do
154 + if use strongswan_plugins_${mod}; then
155 + myconf+=" --enable-${mod}"
156 + fi
157 + done
158 +
159 + for mod in $STRONGSWAN_PLUGINS_OPT; do
160 + if use strongswan_plugins_${mod}; then
161 + myconf+=" --enable-${mod}"
162 + fi
163 + done
164 +
165 + econf \
166 + --disable-static \
167 + --enable-ikev1 \
168 + --enable-ikev2 \
169 + --enable-swanctl \
170 + --enable-socket-dynamic \
171 + $(use_enable curl) \
172 + $(use_enable constraints) \
173 + $(use_enable ldap) \
174 + $(use_enable debug leak-detective) \
175 + $(use_enable dhcp) \
176 + $(use_enable eap eap-sim) \
177 + $(use_enable eap eap-sim-file) \
178 + $(use_enable eap eap-simaka-sql) \
179 + $(use_enable eap eap-simaka-pseudonym) \
180 + $(use_enable eap eap-simaka-reauth) \
181 + $(use_enable eap eap-identity) \
182 + $(use_enable eap eap-md5) \
183 + $(use_enable eap eap-aka) \
184 + $(use_enable eap eap-aka-3gpp2) \
185 + $(use_enable eap md4) \
186 + $(use_enable eap eap-mschapv2) \
187 + $(use_enable eap eap-radius) \
188 + $(use_enable eap eap-tls) \
189 + $(use_enable eap eap-ttls) \
190 + $(use_enable eap xauth-eap) \
191 + $(use_enable eap eap-dynamic) \
192 + $(use_enable farp) \
193 + $(use_enable gmp) \
194 + $(use_enable gcrypt) \
195 + $(use_enable mysql) \
196 + $(use_enable networkmanager nm) \
197 + $(use_enable openssl) \
198 + $(use_enable pam xauth-pam) \
199 + $(use_enable pkcs11) \
200 + $(use_enable sqlite) \
201 + $(use_enable systemd) \
202 + $(use_with caps capabilities libcap) \
203 + --with-piddir=/run \
204 + --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
205 + ${myconf}
206 +}
207 +
208 +src_install() {
209 + emake DESTDIR="${D}" install
210 +
211 + if ! use systemd; then
212 + rm -rf "${ED}"/lib/systemd || die
213 + fi
214 +
215 + doinitd "${FILESDIR}"/ipsec
216 +
217 + local dir_ugid
218 + if use non-root; then
219 + fowners ${UGID}:${UGID} \
220 + /etc/ipsec.conf \
221 + /etc/strongswan.conf
222 +
223 + dir_ugid="${UGID}"
224 + else
225 + dir_ugid="root"
226 + fi
227 +
228 + diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
229 + dodir /etc/ipsec.d \
230 + /etc/ipsec.d/aacerts \
231 + /etc/ipsec.d/acerts \
232 + /etc/ipsec.d/cacerts \
233 + /etc/ipsec.d/certs \
234 + /etc/ipsec.d/crls \
235 + /etc/ipsec.d/ocspcerts \
236 + /etc/ipsec.d/private \
237 + /etc/ipsec.d/reqs
238 +
239 + dodoc NEWS README TODO
240 +
241 + # shared libs are used only internally and there are no static libs,
242 + # so it's safe to get rid of the .la files
243 + find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
244 +}
245 +
246 +pkg_preinst() {
247 + has_version "<net-vpn/strongswan-4.3.6-r1"
248 + upgrade_from_leq_4_3_6=$(( !$? ))
249 +
250 + has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
251 + previous_4_3_6_with_caps=$(( !$? ))
252 +}
253 +
254 +pkg_postinst() {
255 + if ! use openssl && ! use gcrypt; then
256 + elog
257 + elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
258 + elog "Please note that this might effect availability and speed of some"
259 + elog "cryptographic features. You are advised to enable the OpenSSL plugin."
260 + elif ! use openssl; then
261 + elog
262 + elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
263 + elog "availability and speed of some cryptographic features. There will be"
264 + elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
265 + elog "25, 26) and ECDSA."
266 + fi
267 +
268 + if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
269 + chmod 0750 "${ROOT}"/etc/ipsec.d \
270 + "${ROOT}"/etc/ipsec.d/aacerts \
271 + "${ROOT}"/etc/ipsec.d/acerts \
272 + "${ROOT}"/etc/ipsec.d/cacerts \
273 + "${ROOT}"/etc/ipsec.d/certs \
274 + "${ROOT}"/etc/ipsec.d/crls \
275 + "${ROOT}"/etc/ipsec.d/ocspcerts \
276 + "${ROOT}"/etc/ipsec.d/private \
277 + "${ROOT}"/etc/ipsec.d/reqs
278 +
279 + ewarn
280 + ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
281 + ewarn "security reasons. Your system installed directories have been"
282 + ewarn "updated accordingly. Please check if necessary."
283 + ewarn
284 +
285 + if [[ $previous_4_3_6_with_caps == 1 ]]; then
286 + if ! use non-root; then
287 + ewarn
288 + ewarn "IMPORTANT: You previously had ${PN} installed without root"
289 + ewarn "privileges because it was implied by the 'caps' USE flag."
290 + ewarn "This has been changed. If you want ${PN} with user privileges,"
291 + ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
292 + ewarn
293 + fi
294 + fi
295 + fi
296 + if ! use caps && ! use non-root; then
297 + ewarn
298 + ewarn "You have decided to run ${PN} with root privileges and built it"
299 + ewarn "without support for POSIX capability dropping. It is generally"
300 + ewarn "strongly suggested that you reconsider- especially if you intend"
301 + ewarn "to run ${PN} as server with a public ip address."
302 + ewarn
303 + ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
304 + ewarn
305 + fi
306 + if use non-root; then
307 + elog
308 + elog "${PN} has been installed without superuser privileges (USE=non-root)."
309 + elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
310 + elog "but also a few to the IKEv2 daemon 'charon'."
311 + elog
312 + elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
313 + elog
314 + elog "pluto uses a helper script by default to insert/remove routing and"
315 + elog "policy rules upon connection start/stop which requires superuser"
316 + elog "privileges. charon in contrast does this internally and can do so"
317 + elog "even with reduced (user) privileges."
318 + elog
319 + elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
320 + elog "script to pluto or charon which requires superuser privileges, you"
321 + elog "can work around this limitation by using sudo to grant the"
322 + elog "user \"ipsec\" the appropriate rights."
323 + elog "For example (the default case):"
324 + elog "/etc/sudoers:"
325 + elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
326 + elog "Under the specific connection block in /etc/ipsec.conf:"
327 + elog " leftupdown=\"sudo -E ipsec _updown iptables\""
328 + elog
329 + fi
330 + elog
331 + elog "Make sure you have _all_ required kernel modules available including"
332 + elog "the appropriate cryptographic algorithms. A list is available at:"
333 + elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
334 + elog
335 + elog "The up-to-date manual is available online at:"
336 + elog " http://wiki.strongswan.org/"
337 + elog
338 +}
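Review bot: The USE=non-root notice in pkg_postinst (the elog block under `if use non-root; then`) still describes an IKEv1 daemon 'pluto' and a pluto-specific `leftupdown="sudo -E ipsec _updown iptables"` workaround, but this ebuild configures a single charon with `--enable-ikev1 --enable-ikev2`, and pluto has not shipped with strongSwan since the 5.0 series as far as I recall, so the paragraph is stale for 5.8.2. The same text walks users through granting the `ipsec` account `NOPASSWD: SETENV:` sudo rights to work around a daemon they no longer run, which widens that account's privileges for no benefit; suggest dropping the pluto paragraphs and keeping only the pointer to the nonRoot wiki page (ideally as an https URL, like the other links in the block). Separately, the `enewgroup`/`enewuser` calls in pkg_setup depend on the `user` eclass, which the tree has been moving away from in favour of acct-user/acct-group packages (GLEP 81); worth noting in a comment if the migration is deferred. The `chmod 0750` chain in pkg_postinst also runs unchecked; since dying there is inappropriate, `|| ewarn "Failed to tighten /etc/ipsec.d permissions"` would at least surface a failure.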