commit: f089a9dbc70325b82be293afe46bf2c9a7c3e9e8 |
Author: Hans de Graaff <graaff <AT> gentoo <DOT> org> |
AuthorDate: Sat Jun 27 06:15:13 2020 +0000 |
Commit: Hans de Graaff <graaff <AT> gentoo <DOT> org> |
CommitDate: Sat Jun 27 06:15:30 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f089a9db |
|
net-vpn/libreswan: backport NSS compat patch |
|
Backport a patch for compatibility with newer NSS versions. |
|
Closes: https://bugs.gentoo.org/721686 |
Package-Manager: Portage-2.3.99, Repoman-2.3.23 |
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org> |
|
.../files/libreswan-3.32-nss-compat.patch | 23 ++++ |
net-vpn/libreswan/libreswan-3.32-r1.ebuild | 117 +++++++++++++++++++++ |
2 files changed, 140 insertions(+) |
|
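--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.32-nss-compat.patch
@@ -0,0 +1,23 @@
+Add compatibility setting for NSS
+
+https://github.com/libreswan/libreswan/commit/65a497959a0e1ca615341109eaad5e75723839d6
+
+We patch a different file because a later commit moved the setting to this file.
+
+diff --git a/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c b/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+index 93a027089a..571913cc1e 100644
+--- a/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
++++ b/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+@@ -16,6 +16,12 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+
++/*
++ * Special advise from Bob Relyea - needs to go before any nss include
++ *
++ */
++#define NSS_PKCS11_2_0_COMPAT 1
++
+ #include "lswlog.h"
+ #include "lswnss.h"
+ #include "prmem.h"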
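Review bot: The comment added above `#define NSS_PKCS11_2_0_COMPAT 1` only credits the advice and does not say what the macro protects against, so whoever bumps the package next cannot tell whether the patch is still needed. As far as I know the macro makes newer NSS headers keep the older PKCS #11 parameter struct layouts, which would matter for the AES-GCM parameters this file passes to NSS; please confirm against the upstream commit and state it in the patch header, for example `Keeps the older PKCS #11 struct layouts when building against newer NSS; drop once the ebuild moves to a release that already carries the upstream commit.` The define affects only this one translation unit, so it is worth checking that no other 3.32 source file fills the same structs after including the NSS headers without it.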
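--- /dev/null
+++ b/net-vpn/libreswan/libreswan-3.32-r1.ebuild
@@ -0,0 +1,117 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs
+
+SRC_URI="https://download.libreswan.org/${P}.tar.gz"
+KEYWORDS="~amd64 ~arm ~ppc ~x86"
+
+DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
+HOMEPAGE="https://libreswan.org/"
+
+LICENSE="GPL-2 BSD-4 RSA DES"
+SLOT="0"
+IUSE="caps curl dnssec ldap pam seccomp selinux systemd test"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+ dev-libs/gmp:0=
+ dev-libs/libevent:0=
+ dev-libs/nspr
+ >=dev-libs/nss-3.42
+ >=sys-kernel/linux-headers-4.19
+ caps? ( sys-libs/libcap-ng )
+ curl? ( net-misc/curl )
+ dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns )
+ ldap? ( net-nds/openldap )
+ pam? ( sys-libs/pam )
+ seccomp? ( sys-libs/libseccomp )
+ selinux? ( sys-libs/libselinux )
+ systemd? ( sys-apps/systemd:0= )
+"
+BDEPEND="
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/xmlto
+ dev-libs/nss
+ sys-devel/bison
+ sys-devel/flex
+ virtual/pkgconfig
+ test? ( dev-python/setproctitle )
+"
+RDEPEND="${DEPEND}
+ dev-libs/nss[utils(+)]
+ sys-apps/iproute2
+ !net-vpn/strongswan
+ selinux? ( sec-policy/selinux-ipsec )
+"
+
+usetf() {
+ usex "$1" true false
+}
+
+PATCHES=( "${FILESDIR}/${PN}-3.30-ip-path.patch" "${FILESDIR}/${P}-nss-compat.patch" )
+
+src_prepare() {
+ sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
+ sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
+ default
+}
+
+src_configure() {
+ tc-export AR CC
+ export INC_USRLOCAL=/usr
+ export INC_MANDIR=share/man
+ export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
+ export FINALDOCDIR=/usr/share/doc/${PF}/html
+ export INITSYSTEM=openrc
+ export INC_RCDIRS=
+ export INC_RCDEFAULT=/etc/init.d
+ export USERCOMPILE=
+ export USERLINK=
+ export USE_DNSSEC=$(usetf dnssec)
+ export USE_LABELED_IPSEC=$(usetf selinux)
+ export USE_LIBCAP_NG=$(usetf caps)
+ export USE_LIBCURL=$(usetf curl)
+ export USE_LINUX_AUDIT=$(usetf selinux)
+ export USE_LDAP=$(usetf ldap)
+ export USE_SECCOMP=$(usetf seccomp)
+ export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
+ export SD_WATCHDOGSEC=$(usex systemd 200 0)
+ export USE_XAUTHPAM=$(usetf pam)
+ export DEBUG_CFLAGS=
+ export OPTIMIZE_CFLAGS=
+ export WERROR_CFLAGS=
+}
+
+src_compile() {
+ emake all
+ emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" all
+}
+
+src_test() {
+ : # integration tests only that require set of kvms to be set up
+}
+
+src_install() {
+ default
+ emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" DESTDIR="${D}" install
+
+ echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets
+ fperms 0600 /etc/ipsec.secrets
+
+ dodoc -r docs
+
+ find "${D}" -type d -empty -delete || die
+}
+
+pkg_postinst() {
+ local IPSEC_CONFDIR=${ROOT}/etc/ipsec.d
+ if [[ ! -f ${IPSEC_CONFDIR}/cert8.db && ! -f ${IPSEC_CONFDIR}/cert9.db ]] ; then
+ ebegin "Setting up NSS database in ${IPSEC_CONFDIR} with empty password"
+ certutil -N -d "${IPSEC_CONFDIR}" --empty-password
+ eend $?
+ einfo "To set a password: certutil -W -d sql:${IPSEC_CONFDIR}"
+ fi
+}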
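Review bot: In `pkg_postinst` the NSS database in `${IPSEC_CONFDIR}` is created with `--empty-password` and the only notice is an `einfo` line, so anything later stored in it is protected by file permissions alone unless the admin happens to read the merge log. I would raise the notice to `ewarn`, e.g. `ewarn "NSS database in ${IPSEC_CONFDIR} has an empty password; set one with: certutil -W -d sql:${IPSEC_CONFDIR}"`. The creation call passes `-d "${IPSEC_CONFDIR}"` while the hint uses the `sql:` prefix; using `-d "sql:${IPSEC_CONFDIR}"` in both keeps them pointing at the same database format regardless of the NSS default. Separately, in `src_install` the `echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets` redirect has no `|| die`, unlike the `sed` and `find` calls around it.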