[gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/ - gentoo-commits

From:	Conrad Kostecki <conikost@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-vpn/strongswan/
Date:	Tue, 14 Mar 2023 23:14:57
Message-Id:	`1678835521.e946ce4d76ece04b512661469ce5550e1d505ae5.conikost@gentoo`

1

commit:     e946ce4d76ece04b512661469ce5550e1d505ae5

2

Author:     Dennis Eisele <kernlpanic <AT> dennis-eisele <DOT> de>

3

AuthorDate: Sat Mar  4 13:33:08 2023 +0000

4

Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>

5

CommitDate: Tue Mar 14 23:12:01 2023 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e946ce4d

7

8

net-vpn/strongswan: version bump to 5.9.10

9

10

Bug: https://bugs.gentoo.org/899964

11

Signed-off-by: Dennis Eisele <kernlpanic <AT> dennis-eisele.de>

12

Closes: https://github.com/gentoo/gentoo/pull/29924

13

Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

14

15

 net-vpn/strongswan/Manifest                 |   1 +

16

 net-vpn/strongswan/strongswan-5.9.10.ebuild | 318 ++++++++++++++++++++++++++++

17

 2 files changed, 319 insertions(+)

18

19

diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest

20

index f85dfcb0feff..0d022dbe3b3f 100644

21

--- a/net-vpn/strongswan/Manifest

22

+++ b/net-vpn/strongswan/Manifest

23

@@ -1,2 +1,3 @@

24

+DIST strongswan-5.9.10.tar.bz2 4765407 BLAKE2B 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9 SHA512 cf1d4a79ec02ac0502494ce6bfcab7399ddff151e2bc39bd4fbb9562bae7d0c66cf8d1e387b3c36a35e4387d597889fd7519e7bce07d3a7f764b1b73bd8a4667

25

 DIST strongswan-5.9.8.tar.bz2 4747096 BLAKE2B 2a7e346931f909aefa17a7e2f4a2d5b491979dd21519eaffa5d14ac0e54d86207009526aed903bfadbec2d4d449a23077f391106ed9ac02851a081b563c72eb0 SHA512 16d3afc80704f896f3f97addf452b4bb29fc1911c54e980f76ac48bdbe2340ce3bd4e79024848cb7961bbe9ad5458d93389343878ca042af658d51b11219666b

26

 DIST strongswan-5.9.9.tar.bz2 4764675 BLAKE2B 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5 SHA512 7f5d94527193ce7716292f30db75303a0594169647e41e8c9530a7dedd914ad7fecf94885356738fd54d3781a066fa591c621d531923b20780b1fca76ad7bd46

27

28

diff --git a/net-vpn/strongswan/strongswan-5.9.10.ebuild b/net-vpn/strongswan/strongswan-5.9.10.ebuild

29

new file mode 100644

30

index 000000000000..057c1e8f3e05

31

--- /dev/null

32

+++ b/net-vpn/strongswan/strongswan-5.9.10.ebuild

33

@@ -0,0 +1,318 @@

34

+# Copyright 1999-2023 Gentoo Authors

35

+# Distributed under the terms of the GNU General Public License v2

36

+

37

+EAPI="8"

38

+inherit linux-info systemd

39

+

40

+DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"

41

+HOMEPAGE="https://www.strongswan.org/"

42

+SRC_URI="https://download.strongswan.org/${P}.tar.bz2"

43

+

44

+LICENSE="GPL-2 RSA DES"

45

+SLOT="0"

46

+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~x86"

47

+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"

48

+

49

+STRONGSWAN_PLUGINS_STD="gcm led lookip systime-fix unity vici"

50

+STRONGSWAN_PLUGINS_OPT_DISABLE="kdf"

51

+STRONGSWAN_PLUGINS_OPT="addrblock aesni blowfish bypass-lan ccm chapoly ctr error-notify forecast

52

+ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist

53

+xauth-noauth"

54

+for mod in $STRONGSWAN_PLUGINS_STD; do

55

+	IUSE="${IUSE} +strongswan_plugins_${mod}"

56

+done

57

+

58

+for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do

59

+	IUSE="${IUSE} strongswan_plugins_${mod}"

60

+done

61

+

62

+for mod in $STRONGSWAN_PLUGINS_OPT; do

63

+	IUSE="${IUSE} strongswan_plugins_${mod}"

64

+done

65

+

66

+COMMON_DEPEND="non-root? (

67

+		acct-user/ipsec

68

+		acct-group/ipsec

69

+	)

70

+	dev-libs/glib:2

71

+	gmp? ( >=dev-libs/gmp-4.1.5:= )

72

+	gcrypt? ( dev-libs/libgcrypt:= )

73

+	caps? ( sys-libs/libcap )

74

+	curl? ( net-misc/curl )

75

+	ldap? ( net-nds/openldap:= )

76

+	openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] )

77

+	mysql? ( dev-db/mysql-connector-c:= )

78

+	sqlite? ( >=dev-db/sqlite-3.3.1:3 )

79

+	systemd? ( sys-apps/systemd )

80

+	networkmanager? ( net-misc/networkmanager )

81

+	pam? ( sys-libs/pam )

82

+	strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns:= )"

83

+

84

+DEPEND="${COMMON_DEPEND}

85

+	virtual/linux-sources

86

+	sys-kernel/linux-headers"

87

+

88

+RDEPEND="${COMMON_DEPEND}

89

+	virtual/logger

90

+	sys-apps/iproute2

91

+	!net-vpn/libreswan

92

+	selinux? ( sec-policy/selinux-ipsec )"

93

+

94

+UGID="ipsec"

95

+

96

+pkg_setup() {

97

+	linux-info_pkg_setup

98

+

99

+	elog "Linux kernel version: ${KV_FULL}"

100

+

101

+	if ! kernel_is -ge 2 6 16; then

102

+		eerror

103

+		eerror "This ebuild currently only supports ${PN} with the"

104

+		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."

105

+		eerror

106

+	fi

107

+

108

+	if kernel_is -lt 2 6 34; then

109

+		ewarn

110

+		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."

111

+		ewarn

112

+

113

+		if kernel_is -lt 2 6 29; then

114

+			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"

115

+			ewarn "include all required IPv6 modules even if you just intend"

116

+			ewarn "to run on IPv4 only."

117

+			ewarn

118

+			ewarn "This has been fixed with kernels >= 2.6.29."

119

+			ewarn

120

+		fi

121

+

122

+		if kernel_is -lt 2 6 33; then

123

+			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"

124

+			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"

125

+			ewarn "miss SHA384 and SHA512 HMAC support altogether."

126

+			ewarn

127

+			ewarn "If you need any of those features, please use kernel >= 2.6.33."

128

+			ewarn

129

+		fi

130

+

131

+		if kernel_is -lt 2 6 34; then

132

+			ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"

133

+			ewarn "ESP cipher is only included in kernels >= 2.6.34."

134

+			ewarn

135

+			ewarn "If you need it, please use kernel >= 2.6.34."

136

+			ewarn

137

+		fi

138

+	fi

139

+}

140

+

141

+src_configure() {

142

+	local myconf=""

143

+

144

+	if use non-root; then

145

+		myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"

146

+	fi

147

+

148

+	# If a user has already enabled db support, those plugins will

149

+	# most likely be desired as well. Besides they don't impose new

150

+	# dependencies and come at no cost (except for space).

151

+	if use mysql || use sqlite; then

152

+		myconf="${myconf} --enable-attr-sql --enable-sql"

153

+	fi

154

+

155

+	# strongSwan builds and installs static libs by default which are

156

+	# useless to the user (and to strongSwan for that matter) because no

157

+	# header files or alike get installed... so disabling them is safe.

158

+	if use pam && use eap; then

159

+		myconf="${myconf} --enable-eap-gtc"

160

+	else

161

+		myconf="${myconf} --disable-eap-gtc"

162

+	fi

163

+

164

+	for mod in $STRONGSWAN_PLUGINS_STD; do

165

+		if use strongswan_plugins_${mod}; then

166

+			myconf+=" --enable-${mod}"

167

+		fi

168

+	done

169

+

170

+	for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do

171

+		if ! use strongswan_plugins_${mod}; then

172

+			myconf+=" --disable-${mod}"

173

+		fi

174

+	done

175

+

176

+	for mod in $STRONGSWAN_PLUGINS_OPT; do

177

+		if use strongswan_plugins_${mod}; then

178

+			myconf+=" --enable-${mod}"

179

+		fi

180

+	done

181

+

182

+	econf \

183

+		--disable-static \

184

+		--enable-ikev1 \

185

+		--enable-ikev2 \

186

+		--enable-swanctl \

187

+		--enable-socket-dynamic \

188

+		--enable-cmd \

189

+		$(use_enable curl) \

190

+		$(use_enable constraints) \

191

+		$(use_enable ldap) \

192

+		$(use_enable debug leak-detective) \

193

+		$(use_enable dhcp) \

194

+		$(use_enable eap eap-sim) \

195

+		$(use_enable eap eap-sim-file) \

196

+		$(use_enable eap eap-simaka-sql) \

197

+		$(use_enable eap eap-simaka-pseudonym) \

198

+		$(use_enable eap eap-simaka-reauth) \

199

+		$(use_enable eap eap-identity) \

200

+		$(use_enable eap eap-md5) \

201

+		$(use_enable eap eap-aka) \

202

+		$(use_enable eap eap-aka-3gpp2) \

203

+		$(use_enable eap md4) \

204

+		$(use_enable eap eap-mschapv2) \

205

+		$(use_enable eap eap-radius) \

206

+		$(use_enable eap eap-tls) \

207

+		$(use_enable eap eap-ttls) \

208

+		$(use_enable eap xauth-eap) \

209

+		$(use_enable eap eap-dynamic) \

210

+		$(use_enable farp) \

211

+		$(use_enable gmp) \

212

+		$(use_enable gcrypt) \

213

+		$(use_enable mysql) \

214

+		$(use_enable networkmanager nm) \

215

+		$(use_enable openssl) \

216

+		$(use_enable pam xauth-pam) \

217

+		$(use_enable pkcs11) \

218

+		$(use_enable sqlite) \

219

+		$(use_enable systemd) \

220

+		$(use_with caps capabilities libcap) \

221

+		--with-piddir=/run \

222

+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \

223

+		${myconf}

224

+}

225

+

226

+src_install() {

227

+	emake DESTDIR="${D}" install

228

+

229

+	if ! use systemd; then

230

+		rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib."

231

+	fi

232

+

233

+	doinitd "${FILESDIR}"/ipsec

234

+

235

+	local dir_ugid

236

+	if use non-root; then

237

+		fowners ${UGID}:${UGID} \

238

+			/etc/ipsec.conf \

239

+			/etc/strongswan.conf

240

+

241

+		dir_ugid="${UGID}"

242

+	else

243

+		dir_ugid="root"

244

+	fi

245

+

246

+	diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}

247

+	dodir /etc/ipsec.d \

248

+		/etc/ipsec.d/aacerts \

249

+		/etc/ipsec.d/acerts \

250

+		/etc/ipsec.d/cacerts \

251

+		/etc/ipsec.d/certs \

252

+		/etc/ipsec.d/crls \

253

+		/etc/ipsec.d/ocspcerts \

254

+		/etc/ipsec.d/private \

255

+		/etc/ipsec.d/reqs

256

+

257

+	dodoc NEWS README TODO

258

+

259

+	# shared libs are used only internally and there are no static libs,

260

+	# so it's safe to get rid of the .la files

261

+	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."

262

+}

263

+

264

+pkg_preinst() {

265

+	has_version "<net-vpn/strongswan-4.3.6-r1"

266

+	upgrade_from_leq_4_3_6=$(( !$? ))

267

+

268

+	has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"

269

+	previous_4_3_6_with_caps=$(( !$? ))

270

+}

271

+

272

+pkg_postinst() {

273

+	if ! use openssl && ! use gcrypt; then

274

+		elog

275

+		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."

276

+		elog "Please note that this might effect availability and speed of some"

277

+		elog "cryptographic features. You are advised to enable the OpenSSL plugin."

278

+	elif ! use openssl; then

279

+		elog

280

+		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"

281

+		elog "availability and speed of some cryptographic features. There will be"

282

+		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"

283

+		elog "25, 26) and ECDSA."

284

+	fi

285

+

286

+	if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then

287

+		chmod 0750 "${ROOT}"/etc/ipsec.d \

288

+			"${ROOT}"/etc/ipsec.d/aacerts \

289

+			"${ROOT}"/etc/ipsec.d/acerts \

290

+			"${ROOT}"/etc/ipsec.d/cacerts \

291

+			"${ROOT}"/etc/ipsec.d/certs \

292

+			"${ROOT}"/etc/ipsec.d/crls \

293

+			"${ROOT}"/etc/ipsec.d/ocspcerts \

294

+			"${ROOT}"/etc/ipsec.d/private \

295

+			"${ROOT}"/etc/ipsec.d/reqs

296

+

297

+		ewarn

298

+		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"

299

+		ewarn "security reasons. Your system installed directories have been"

300

+		ewarn "updated accordingly. Please check if necessary."

301

+		ewarn

302

+

303

+		if [[ $previous_4_3_6_with_caps == 1 ]]; then

304

+			if ! use non-root; then

305

+				ewarn

306

+				ewarn "IMPORTANT: You previously had ${PN} installed without root"

307

+				ewarn "privileges because it was implied by the 'caps' USE flag."

308

+				ewarn "This has been changed. If you want ${PN} with user privileges,"

309

+				ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."

310

+				ewarn

311

+			fi

312

+		fi

313

+	fi

314

+	if ! use caps && ! use non-root; then

315

+		ewarn

316

+		ewarn "You have decided to run ${PN} with root privileges and built it"

317

+		ewarn "without support for POSIX capability dropping. It is generally"

318

+		ewarn "strongly suggested that you reconsider- especially if you intend"

319

+		ewarn "to run ${PN} as server with a public ip address."

320

+		ewarn

321

+		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."

322

+		ewarn

323

+	fi

324

+	if use non-root; then

325

+		elog

326

+		elog "${PN} has been installed without superuser privileges (USE=non-root)."

327

+		elog "This imposes a few limitations mainly to the daemon 'charon' in"

328

+		elog "regards of the use of iptables."

329

+		elog

330

+		elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges"

331

+		elog

332

+		elog "Thus if you require to specify a custom updown"

333

+		elog "script to charon which requires superuser privileges, you"

334

+		elog "can work around this limitation by using sudo to grant the"

335

+		elog "user \"ipsec\" the appropriate rights."

336

+		elog "For example (the default case):"

337

+		elog "/etc/sudoers:"

338

+		elog "  ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"

339

+		elog "Under the specific connection block in /etc/ipsec.conf:"

340

+		elog "  leftupdown=\"sudo -E ipsec _updown iptables\""

341

+		elog

342

+	fi

343

+	elog

344

+	elog "Make sure you have _all_ required kernel modules available including"

345

+	elog "the appropriate cryptographic algorithms. A list is available at:"

346

+	elog "  https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"

347

+	elog

348

+	elog "The up-to-date manual is available online at:"

349

+	elog "  https://wiki.strongswan.org/"

350

+	elog

351

+}

1	commit: e946ce4d76ece04b512661469ce5550e1d505ae5
2	Author: Dennis Eisele <kernlpanic <AT> dennis-eisele <DOT> de>
3	AuthorDate: Sat Mar 4 13:33:08 2023 +0000
4	Commit: Conrad Kostecki <conikost <AT> gentoo <DOT> org>
5	CommitDate: Tue Mar 14 23:12:01 2023 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e946ce4d
7
8	net-vpn/strongswan: version bump to 5.9.10
9
10	Bug: https://bugs.gentoo.org/899964
11	Signed-off-by: Dennis Eisele <kernlpanic <AT> dennis-eisele.de>
12	Closes: https://github.com/gentoo/gentoo/pull/29924
13	Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>
14
15	net-vpn/strongswan/Manifest \| 1 +
16	net-vpn/strongswan/strongswan-5.9.10.ebuild \| 318 ++++++++++++++++++++++++++++
17	2 files changed, 319 insertions(+)
18
19	diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest
20	index f85dfcb0feff..0d022dbe3b3f 100644
21	--- a/net-vpn/strongswan/Manifest
22	+++ b/net-vpn/strongswan/Manifest
23	@@ -1,2 +1,3 @@
24	+DIST strongswan-5.9.10.tar.bz2 4765407 BLAKE2B 757d55aa0c623356c5d8bf0360df63990ec18294d06f50b6dd475273b75a883354ea8723708e4856a8f0acc4d3237ac6bcf5adc40346fded7051d78375b2bcc9 SHA512 cf1d4a79ec02ac0502494ce6bfcab7399ddff151e2bc39bd4fbb9562bae7d0c66cf8d1e387b3c36a35e4387d597889fd7519e7bce07d3a7f764b1b73bd8a4667
25	DIST strongswan-5.9.8.tar.bz2 4747096 BLAKE2B 2a7e346931f909aefa17a7e2f4a2d5b491979dd21519eaffa5d14ac0e54d86207009526aed903bfadbec2d4d449a23077f391106ed9ac02851a081b563c72eb0 SHA512 16d3afc80704f896f3f97addf452b4bb29fc1911c54e980f76ac48bdbe2340ce3bd4e79024848cb7961bbe9ad5458d93389343878ca042af658d51b11219666b
26	DIST strongswan-5.9.9.tar.bz2 4764675 BLAKE2B 9cbc73192527254a2d20b28295e7583a0d9ec81e4d6eb1b7d78e54b30ba8e5304a33e813145d8a47b2b4319d7b49762cd35cdbdaf1d41161d7746d68d3cef1b5 SHA512 7f5d94527193ce7716292f30db75303a0594169647e41e8c9530a7dedd914ad7fecf94885356738fd54d3781a066fa591c621d531923b20780b1fca76ad7bd46
27
28	diff --git a/net-vpn/strongswan/strongswan-5.9.10.ebuild b/net-vpn/strongswan/strongswan-5.9.10.ebuild
29	new file mode 100644
30	index 000000000000..057c1e8f3e05
31	--- /dev/null
32	+++ b/net-vpn/strongswan/strongswan-5.9.10.ebuild
33	@@ -0,0 +1,318 @@
34	+# Copyright 1999-2023 Gentoo Authors
35	+# Distributed under the terms of the GNU General Public License v2
36	+
37	+EAPI="8"
38	+inherit linux-info systemd
39	+
40	+DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"
41	+HOMEPAGE="https://www.strongswan.org/"
42	+SRC_URI="https://download.strongswan.org/${P}.tar.bz2"
43	+
44	+LICENSE="GPL-2 RSA DES"
45	+SLOT="0"
46	+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~x86"
47	+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"
48	+
49	+STRONGSWAN_PLUGINS_STD="gcm led lookip systime-fix unity vici"
50	+STRONGSWAN_PLUGINS_OPT_DISABLE="kdf"
51	+STRONGSWAN_PLUGINS_OPT="addrblock aesni blowfish bypass-lan ccm chapoly ctr error-notify forecast
52	+ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist
53	+xauth-noauth"
54	+for mod in $STRONGSWAN_PLUGINS_STD; do
55	+ IUSE="${IUSE} +strongswan_plugins_${mod}"
56	+done
57	+
58	+for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do
59	+ IUSE="${IUSE} strongswan_plugins_${mod}"
60	+done
61	+
62	+for mod in $STRONGSWAN_PLUGINS_OPT; do
63	+ IUSE="${IUSE} strongswan_plugins_${mod}"
64	+done
65	+
66	+COMMON_DEPEND="non-root? (
67	+ acct-user/ipsec
68	+ acct-group/ipsec
69	+ )
70	+ dev-libs/glib:2
71	+ gmp? ( >=dev-libs/gmp-4.1.5:= )
72	+ gcrypt? ( dev-libs/libgcrypt:= )
73	+ caps? ( sys-libs/libcap )
74	+ curl? ( net-misc/curl )
75	+ ldap? ( net-nds/openldap:= )
76	+ openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] )
77	+ mysql? ( dev-db/mysql-connector-c:= )
78	+ sqlite? ( >=dev-db/sqlite-3.3.1:3 )
79	+ systemd? ( sys-apps/systemd )
80	+ networkmanager? ( net-misc/networkmanager )
81	+ pam? ( sys-libs/pam )
82	+ strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns:= )"
83	+
84	+DEPEND="${COMMON_DEPEND}
85	+ virtual/linux-sources
86	+ sys-kernel/linux-headers"
87	+
88	+RDEPEND="${COMMON_DEPEND}
89	+ virtual/logger
90	+ sys-apps/iproute2
91	+ !net-vpn/libreswan
92	+ selinux? ( sec-policy/selinux-ipsec )"
93	+
94	+UGID="ipsec"
95	+
96	+pkg_setup() {
97	+ linux-info_pkg_setup
98	+
99	+ elog "Linux kernel version: ${KV_FULL}"
100	+
101	+ if ! kernel_is -ge 2 6 16; then
102	+ eerror
103	+ eerror "This ebuild currently only supports ${PN} with the"
104	+ eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
105	+ eerror
106	+ fi
107	+
108	+ if kernel_is -lt 2 6 34; then
109	+ ewarn
110	+ ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
111	+ ewarn
112	+
113	+ if kernel_is -lt 2 6 29; then
114	+ ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
115	+ ewarn "include all required IPv6 modules even if you just intend"
116	+ ewarn "to run on IPv4 only."
117	+ ewarn
118	+ ewarn "This has been fixed with kernels >= 2.6.29."
119	+ ewarn
120	+ fi
121	+
122	+ if kernel_is -lt 2 6 33; then
123	+ ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
124	+ ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
125	+ ewarn "miss SHA384 and SHA512 HMAC support altogether."
126	+ ewarn
127	+ ewarn "If you need any of those features, please use kernel >= 2.6.33."
128	+ ewarn
129	+ fi
130	+
131	+ if kernel_is -lt 2 6 34; then
132	+ ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
133	+ ewarn "ESP cipher is only included in kernels >= 2.6.34."
134	+ ewarn
135	+ ewarn "If you need it, please use kernel >= 2.6.34."
136	+ ewarn
137	+ fi
138	+ fi
139	+}
140	+
141	+src_configure() {
142	+ local myconf=""
143	+
144	+ if use non-root; then
145	+ myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
146	+ fi
147	+
148	+ # If a user has already enabled db support, those plugins will
149	+ # most likely be desired as well. Besides they don't impose new
150	+ # dependencies and come at no cost (except for space).
151	+ if use mysql \|\| use sqlite; then
152	+ myconf="${myconf} --enable-attr-sql --enable-sql"
153	+ fi
154	+
155	+ # strongSwan builds and installs static libs by default which are
156	+ # useless to the user (and to strongSwan for that matter) because no
157	+ # header files or alike get installed... so disabling them is safe.
158	+ if use pam && use eap; then
159	+ myconf="${myconf} --enable-eap-gtc"
160	+ else
161	+ myconf="${myconf} --disable-eap-gtc"
162	+ fi
163	+
164	+ for mod in $STRONGSWAN_PLUGINS_STD; do
165	+ if use strongswan_plugins_${mod}; then
166	+ myconf+=" --enable-${mod}"
167	+ fi
168	+ done
169	+
170	+ for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do
171	+ if ! use strongswan_plugins_${mod}; then
172	+ myconf+=" --disable-${mod}"
173	+ fi
174	+ done
175	+
176	+ for mod in $STRONGSWAN_PLUGINS_OPT; do
177	+ if use strongswan_plugins_${mod}; then
178	+ myconf+=" --enable-${mod}"
179	+ fi
180	+ done
181	+
182	+ econf \
183	+ --disable-static \
184	+ --enable-ikev1 \
185	+ --enable-ikev2 \
186	+ --enable-swanctl \
187	+ --enable-socket-dynamic \
188	+ --enable-cmd \
189	+ $(use_enable curl) \
190	+ $(use_enable constraints) \
191	+ $(use_enable ldap) \
192	+ $(use_enable debug leak-detective) \
193	+ $(use_enable dhcp) \
194	+ $(use_enable eap eap-sim) \
195	+ $(use_enable eap eap-sim-file) \
196	+ $(use_enable eap eap-simaka-sql) \
197	+ $(use_enable eap eap-simaka-pseudonym) \
198	+ $(use_enable eap eap-simaka-reauth) \
199	+ $(use_enable eap eap-identity) \
200	+ $(use_enable eap eap-md5) \
201	+ $(use_enable eap eap-aka) \
202	+ $(use_enable eap eap-aka-3gpp2) \
203	+ $(use_enable eap md4) \
204	+ $(use_enable eap eap-mschapv2) \
205	+ $(use_enable eap eap-radius) \
206	+ $(use_enable eap eap-tls) \
207	+ $(use_enable eap eap-ttls) \
208	+ $(use_enable eap xauth-eap) \
209	+ $(use_enable eap eap-dynamic) \
210	+ $(use_enable farp) \
211	+ $(use_enable gmp) \
212	+ $(use_enable gcrypt) \
213	+ $(use_enable mysql) \
214	+ $(use_enable networkmanager nm) \
215	+ $(use_enable openssl) \
216	+ $(use_enable pam xauth-pam) \
217	+ $(use_enable pkcs11) \
218	+ $(use_enable sqlite) \
219	+ $(use_enable systemd) \
220	+ $(use_with caps capabilities libcap) \
221	+ --with-piddir=/run \
222	+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
223	+ ${myconf}
224	+}
225	+
226	+src_install() {
227	+ emake DESTDIR="${D}" install
228	+
229	+ if ! use systemd; then
230	+ rm -rf "${ED}"/lib/systemd \|\| die "Failed removing systemd lib."
231	+ fi
232	+
233	+ doinitd "${FILESDIR}"/ipsec
234	+
235	+ local dir_ugid
236	+ if use non-root; then
237	+ fowners ${UGID}:${UGID} \
238	+ /etc/ipsec.conf \
239	+ /etc/strongswan.conf
240	+
241	+ dir_ugid="${UGID}"
242	+ else
243	+ dir_ugid="root"
244	+ fi
245	+
246	+ diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
247	+ dodir /etc/ipsec.d \
248	+ /etc/ipsec.d/aacerts \
249	+ /etc/ipsec.d/acerts \
250	+ /etc/ipsec.d/cacerts \
251	+ /etc/ipsec.d/certs \
252	+ /etc/ipsec.d/crls \
253	+ /etc/ipsec.d/ocspcerts \
254	+ /etc/ipsec.d/private \
255	+ /etc/ipsec.d/reqs
256	+
257	+ dodoc NEWS README TODO
258	+
259	+ # shared libs are used only internally and there are no static libs,
260	+ # so it's safe to get rid of the .la files
261	+ find "${D}" -name '*.la' -delete \|\| die "Failed to remove .la files."
262	+}
263	+
264	+pkg_preinst() {
265	+ has_version "<net-vpn/strongswan-4.3.6-r1"
266	+ upgrade_from_leq_4_3_6=$(( !$? ))
267	+
268	+ has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
269	+ previous_4_3_6_with_caps=$(( !$? ))
270	+}
271	+
272	+pkg_postinst() {
273	+ if ! use openssl && ! use gcrypt; then
274	+ elog
275	+ elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
276	+ elog "Please note that this might effect availability and speed of some"
277	+ elog "cryptographic features. You are advised to enable the OpenSSL plugin."
278	+ elif ! use openssl; then
279	+ elog
280	+ elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
281	+ elog "availability and speed of some cryptographic features. There will be"
282	+ elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
283	+ elog "25, 26) and ECDSA."
284	+ fi
285	+
286	+ if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
287	+ chmod 0750 "${ROOT}"/etc/ipsec.d \
288	+ "${ROOT}"/etc/ipsec.d/aacerts \
289	+ "${ROOT}"/etc/ipsec.d/acerts \
290	+ "${ROOT}"/etc/ipsec.d/cacerts \
291	+ "${ROOT}"/etc/ipsec.d/certs \
292	+ "${ROOT}"/etc/ipsec.d/crls \
293	+ "${ROOT}"/etc/ipsec.d/ocspcerts \
294	+ "${ROOT}"/etc/ipsec.d/private \
295	+ "${ROOT}"/etc/ipsec.d/reqs
296	+
297	+ ewarn
298	+ ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
299	+ ewarn "security reasons. Your system installed directories have been"
300	+ ewarn "updated accordingly. Please check if necessary."
301	+ ewarn
302	+
303	+ if [[ $previous_4_3_6_with_caps == 1 ]]; then
304	+ if ! use non-root; then
305	+ ewarn
306	+ ewarn "IMPORTANT: You previously had ${PN} installed without root"
307	+ ewarn "privileges because it was implied by the 'caps' USE flag."
308	+ ewarn "This has been changed. If you want ${PN} with user privileges,"
309	+ ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
310	+ ewarn
311	+ fi
312	+ fi
313	+ fi
314	+ if ! use caps && ! use non-root; then
315	+ ewarn
316	+ ewarn "You have decided to run ${PN} with root privileges and built it"
317	+ ewarn "without support for POSIX capability dropping. It is generally"
318	+ ewarn "strongly suggested that you reconsider- especially if you intend"
319	+ ewarn "to run ${PN} as server with a public ip address."
320	+ ewarn
321	+ ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
322	+ ewarn
323	+ fi
324	+ if use non-root; then
325	+ elog
326	+ elog "${PN} has been installed without superuser privileges (USE=non-root)."
327	+ elog "This imposes a few limitations mainly to the daemon 'charon' in"
328	+ elog "regards of the use of iptables."
329	+ elog
330	+ elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges"
331	+ elog
332	+ elog "Thus if you require to specify a custom updown"
333	+ elog "script to charon which requires superuser privileges, you"
334	+ elog "can work around this limitation by using sudo to grant the"
335	+ elog "user \"ipsec\" the appropriate rights."
336	+ elog "For example (the default case):"
337	+ elog "/etc/sudoers:"
338	+ elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
339	+ elog "Under the specific connection block in /etc/ipsec.conf:"
340	+ elog " leftupdown=\"sudo -E ipsec _updown iptables\""
341	+ elog
342	+ fi
343	+ elog
344	+ elog "Make sure you have _all_ required kernel modules available including"
345	+ elog "the appropriate cryptographic algorithms. A list is available at:"
346	+ elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
347	+ elog
348	+ elog "The up-to-date manual is available online at:"
349	+ elog " https://wiki.strongswan.org/"
350	+ elog
351	+}

Gentoo Archives: gentoo-commits