
From: "Bjarke Istrup Pedersen (gurligebis)" <gurligebis@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in net-misc/strongswan: ChangeLog strongswan-5.2.0.ebuild
Date: Thu, 10 Jul 2014 08:16:17
Message-Id: 20140710081613.E8F872004E@flycatcher.gentoo.org
1 gurligebis 14/07/10 08:16:13
2
3 Modified: ChangeLog
4 Added: strongswan-5.2.0.ebuild
5 Log:
6 Bumping to 5.2.0
7
8 (Portage version: 2.2.10/cvs/Linux i686, signed Manifest commit with key 15AE484C)
9
10 Revision Changes Path
11 1.144 net-misc/strongswan/ChangeLog
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.144&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?rev=1.144&content-type=text/plain
15 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/ChangeLog?r1=1.143&r2=1.144
16
17 Index: ChangeLog
18 ===================================================================
19 RCS file: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v
20 retrieving revision 1.143
21 retrieving revision 1.144
22 diff -u -r1.143 -r1.144
23 --- ChangeLog 10 May 2014 15:22:51 -0000 1.143
24 +++ ChangeLog 10 Jul 2014 08:16:13 -0000 1.144
25 @@ -1,6 +1,11 @@
26 # ChangeLog for net-misc/strongswan
27 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
28 -# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.143 2014/05/10 15:22:51 gurligebis Exp $
29 +# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.144 2014/07/10 08:16:13 gurligebis Exp $
30 +
31 +*strongswan-5.2.0 (10 Jul 2014)
32 +
33 + 10 Jul 2014; <gurligebis@g.o> +strongswan-5.2.0.ebuild:
34 + Bumping to 5.2.0
35
36 10 May 2014; <gurligebis@g.o> -strongswan-5.1.1.ebuild:
37 Removing old version, with known issues, fixing bug #507722 and #509832
38
39
40
41 1.1 net-misc/strongswan/strongswan-5.2.0.ebuild
42
43 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/strongswan-5.2.0.ebuild?rev=1.1&view=markup
44 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-misc/strongswan/strongswan-5.2.0.ebuild?rev=1.1&content-type=text/plain
45
46 Index: strongswan-5.2.0.ebuild
47 ===================================================================
48 # Copyright 1999-2014 Gentoo Foundation
49 # Distributed under the terms of the GNU General Public License v2
50 # $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-5.2.0.ebuild,v 1.1 2014/07/10 08:16:13 gurligebis Exp $
51
# Ebuild API level; the use_enable/use_with/doinitd helpers used below
# are what this version provides.
EAPI=5
# eutils: epatch_user (src_prepare); linux-info: kernel_is/KV_FULL
# (pkg_setup); systemd: systemd_with_unitdir (src_configure);
# user: enewgroup/enewuser (pkg_setup).
inherit eutils linux-info systemd user

DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
# Fetched over plain http: the tarball's integrity rests on the digests in
# the (signed) Manifest that Portage verifies, not on the transport.
# NOTE(review): switch to https if the download host serves it -- confirm.
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA DES"
SLOT="0"
KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
# caps and non-root default to on, so the daemon drops privileges unless
# the user opts out; pkg_postinst warns when both are disabled.
IUSE="+caps curl +constraints debug dhcp eap farp gcrypt ldap mysql networkmanager +non-root +openssl sqlite pam"

# openswan is blocked here and libreswan in RDEPEND -- presumably because
# they install the same /usr/sbin/ipsec and /etc/ipsec.* paths (confirm).
# openssl[-bindist]: pkg_postinst states that ECC (DH groups 19-21, 25, 26,
# ECDSA) is only available through the OpenSSL plugin; presumably the
# bindist-built openssl lacks that EC code -- confirm.
COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt:0 )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )
	networkmanager? ( net-misc/networkmanager )
	pam? ( sys-libs/pam )"
# Kernel sources/headers are needed at build time only (linux-info checks).
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2
	!net-misc/libreswan"

# Name of the unprivileged user *and* group the daemon runs under with
# USE=non-root; created in pkg_setup, passed to configure in
# src_configure and used for file/directory ownership in src_install.
UGID="ipsec"
84
# Emit the IPsec feature warnings that apply to kernels older than 2.6.34.
# Only meaningful when the caller has already established kernel < 2.6.34.
_strongswan_old_kernel_notes() {
	ewarn
	ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
	ewarn

	if kernel_is -lt 2 6 29; then
		ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
		ewarn "include all required IPv6 modules even if you just intend"
		ewarn "to run on IPv4 only."
		ewarn
		ewarn "This has been fixed with kernels >= 2.6.29."
		ewarn
	fi

	if kernel_is -lt 2 6 33; then
		ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
		ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
		ewarn "miss SHA384 and SHA512 HMAC support altogether."
		ewarn
		ewarn "If you need any of those features, please use kernel >= 2.6.33."
		ewarn
	fi

	# The caller only gets here for kernels < 2.6.34, so this note always
	# applies; no need to ask kernel_is again.
	ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
	ewarn "ESP cipher is only included in kernels >= 2.6.34."
	ewarn
	ewarn "If you need it, please use kernel >= 2.6.34."
	ewarn
}

# Check the running/configured kernel against what this ebuild supports
# and, with USE=non-root, make sure the daemon account exists before
# src_install hands files over to it.
pkg_setup() {
	# Populates KV_FULL and makes kernel_is usable (linux-info eclass).
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Only the native 2.6.16+ IPsec stack is supported. This is reported
	# as an error but deliberately does not die, so the merge continues.
	if ! kernel_is -ge 2 6 16; then
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
	fi

	if kernel_is -lt 2 6 34; then
		_strongswan_old_kernel_notes
	fi

	# -1 for uid/shell/home: let user.eclass pick (no login shell).
	if use non-root; then
		enewgroup "${UGID}"
		enewuser "${UGID}" -1 -1 -1 "${UGID}"
	fi
}
133
# No distribution patches for this version: only apply whatever the
# administrator dropped into /etc/portage/patches (eutils epatch_user).
src_prepare() {
	epatch_user
}
137
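# Run configure. USE-derived options are collected in an array so each
# one reaches econf as its own argument, instead of relying on unquoted
# word splitting of a whitespace-joined string.
src_configure() {
	local -a myconf=()

	# Tell the daemon which account to drop to (created in pkg_setup).
	if use non-root; then
		myconf+=( --with-user="${UGID}" --with-group="${UGID}" )
	fi

	# If a user has already enabled db support, those plugins will
	# most likely be desired as well. Besides they don't impose new
	# dependencies and come at no cost (except for space).
	if use mysql || use sqlite; then
		myconf+=( --enable-attr-sql --enable-sql )
	fi

	# EAP-GTC is gated on both pam and eap (presumably the GTC backend
	# verifies passwords through PAM -- confirm); explicitly disable it
	# otherwise so configure's own default cannot pull it in.
	if use pam && use eap; then
		myconf+=( --enable-eap-gtc )
	else
		myconf+=( --disable-eap-gtc )
	fi

	# strongSwan builds and installs static libs by default which are
	# useless to the user (and to strongSwan for that matter) because no
	# header files or alike get installed... so disabling them is safe.
	# Both IKE versions are always built; 'eap' turns on the whole set of
	# EAP methods at once, and 'debug' enables the leak-detective
	# instrumentation rather than a debug build.
	econf \
		--disable-static \
		--enable-ikev1 \
		--enable-ikev2 \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable constraints) \
		$(use_enable ldap) \
		$(use_enable debug leak-detective) \
		$(use_enable eap eap-sim) \
		$(use_enable eap eap-sim-file) \
		$(use_enable eap eap-simaka-sql) \
		$(use_enable eap eap-simaka-pseudonym) \
		$(use_enable eap eap-simaka-reauth) \
		$(use_enable eap eap-identity) \
		$(use_enable eap eap-md5) \
		$(use_enable eap eap-aka) \
		$(use_enable eap eap-aka-3gpp2) \
		$(use_enable eap eap-mschapv2) \
		$(use_enable eap eap-radius) \
		$(use_enable eap eap-tls) \
		$(use_enable openssl) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable sqlite) \
		$(use_enable dhcp) \
		$(use_enable farp) \
		$(use_enable networkmanager nm) \
		"$(systemd_with_unitdir)" \
		"${myconf[@]}"
}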
191
# Install the build, the init script and the /etc/ipsec.d tree, handing
# ownership to the daemon account when USE=non-root.
src_install() {
	emake DESTDIR="${D}" install

	doinitd "${FILESDIR}"/ipsec

	# Owner of the /etc/ipsec.d tree: the daemon account with non-root,
	# root otherwise.
	local dir_ugid="root"
	if use non-root; then
		dir_ugid="${UGID}"
		# The daemon needs to read its main config files as the
		# unprivileged user. NOTE(review): /etc/ipsec.secrets is not
		# touched here; whether a non-root charon can read it depends on
		# the mode upstream's install uses -- confirm.
		fowners "${UGID}:${UGID}" \
			/etc/ipsec.conf \
			/etc/strongswan.conf
	fi

	# 0750: only the owner and the daemon's group may traverse the cert
	# and key directories (private/ holds the host's private keys).
	local -a ipsec_dirs=(
		/etc/ipsec.d
		/etc/ipsec.d/aacerts
		/etc/ipsec.d/acerts
		/etc/ipsec.d/cacerts
		/etc/ipsec.d/certs
		/etc/ipsec.d/crls
		/etc/ipsec.d/ocspcerts
		/etc/ipsec.d/private
		/etc/ipsec.d/reqs
	)
	diropts -m 0750 -o "${dir_ugid}" -g "${dir_ugid}"
	dodir "${ipsec_dirs[@]}"

	dodoc NEWS README TODO || die

	# shared libs are used only internally and there are no static libs,
	# so it's safe to get rid of the .la files
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
225
# Before the new files land, record whether we are upgrading from a
# version older than 4.3.6-r1 (and whether that build had USE=caps
# disabled) so pkg_postinst can migrate permissions and warn. Both
# variables are intentionally global: pkg_postinst reads them.
pkg_preinst() {
	upgrade_from_leq_4_3_6=0
	previous_4_3_6_with_caps=0

	if has_version "<net-misc/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	fi

	# NOTE(review): this asks for an installed build with caps *disabled*
	# ([-caps]), yet the pkg_postinst warning keyed on it talks about a
	# build that had caps (and thus ran non-root). Confirm the intended
	# polarity of this query.
	if has_version "<net-misc/strongswan-4.3.6-r1[-caps]"; then
		previous_4_3_6_with_caps=1
	fi
}
233
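# Advise on the crypto backend choice: per the text below, ECC is only
# available through the OpenSSL plugin.
_strongswan_crypto_notes() {
	if ! use openssl && ! use gcrypt; then
		elog
		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
		elog "Please note that this might effect availability and speed of some"
		elog "cryptographic features. You are advised to enable the OpenSSL plugin."
	elif ! use openssl; then
		elog
		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
		elog "availability and speed of some cryptographic features. There will be"
		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
		elog "25, 26) and ECDSA."
	fi
}

# Migration from a version older than 4.3.6-r1 (detected in pkg_preinst):
# tighten the live /etc/ipsec.d tree to the 0750 that src_install now
# creates, and warn about the old caps-implies-non-root behaviour.
_strongswan_upgrade_from_4_3_6() {
	# Same directory set that src_install creates; keep the two in sync.
	local -a ipsec_dirs=(
		"${ROOT}"/etc/ipsec.d
		"${ROOT}"/etc/ipsec.d/aacerts
		"${ROOT}"/etc/ipsec.d/acerts
		"${ROOT}"/etc/ipsec.d/cacerts
		"${ROOT}"/etc/ipsec.d/certs
		"${ROOT}"/etc/ipsec.d/crls
		"${ROOT}"/etc/ipsec.d/ocspcerts
		"${ROOT}"/etc/ipsec.d/private
		"${ROOT}"/etc/ipsec.d/reqs
	)
	# Mode only; ownership is not touched. Not fatal on purpose: a
	# missing directory here must not abort an already completed merge.
	chmod 0750 "${ipsec_dirs[@]}"

	ewarn
	ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
	ewarn "security reasons. Your system installed directories have been"
	ewarn "updated accordingly. Please check if necessary."
	ewarn

	if [[ ${previous_4_3_6_with_caps} == 1 ]] && ! use non-root; then
		ewarn
		ewarn "IMPORTANT: You previously had ${PN} installed without root"
		ewarn "privileges because it was implied by the 'caps' USE flag."
		ewarn "This has been changed. If you want ${PN} with user privileges,"
		ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
		ewarn
	fi
}

# Explain the limits of USE=non-root and the sudo-based workaround.
_strongswan_nonroot_notes() {
	elog
	elog "${PN} has been installed without superuser privileges (USE=non-root)."
	# NOTE(review): this text still describes a separate IKEv1 daemon
	# 'pluto'. src_configure enables both IKE versions in one build
	# (--enable-ikev1/--enable-ikev2); confirm a pluto binary still ships
	# with 5.2.0 before relying on these instructions.
	elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
	elog "but also a few to the IKEv2 daemon 'charon'."
	elog
	elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
	elog
	elog "pluto uses a helper script by default to insert/remove routing and"
	elog "policy rules upon connection start/stop which requires superuser"
	elog "privileges. charon in contrast does this internally and can do so"
	elog "even with reduced (user) privileges."
	elog
	elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
	elog "script to pluto or charon which requires superuser privileges, you"
	elog "can work around this limitation by using sudo to grant the"
	elog "user \"ipsec\" the appropriate rights."
	elog "For example (the default case):"
	elog "/etc/sudoers:"
	# NOTE(review): this rule lets the ipsec account run /usr/sbin/ipsec
	# as root with arbitrary arguments and a caller-chosen environment
	# (SETENV), which is effectively full root for that account. Worth
	# pointing users at a rule restricted to the exact subcommand.
	elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
	elog "Under the specific connection block in /etc/ipsec.conf:"
	elog " leftupdown=\"sudo -E ipsec _updown iptables\""
	elog
}

# Post-merge advice: crypto backend, permission migration from old
# versions, privilege-related warnings, and pointers to the wiki.
pkg_postinst() {
	_strongswan_crypto_notes

	# Set by pkg_preinst; unset (hence not "1") on a fresh install.
	if [[ ${upgrade_from_leq_4_3_6} == 1 ]]; then
		_strongswan_upgrade_from_4_3_6
	fi

	# Root daemon without capability dropping is the riskiest setup.
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi

	if use non-root; then
		_strongswan_nonroot_notes
	fi

	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog " http://wiki.strongswan.org/"
	elog
}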