/[gentoo-x86]/net-misc/strongswan/strongswan-4.5.0-r1.ebuild

Contents of /net-misc/strongswan/strongswan-4.5.0-r1.ebuild



Revision 1.2 - (show annotations) (download)
Sat Feb 12 16:08:59 2011 UTC (8 years, 9 months ago) by gurligebis
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +1 -1 lines
FILE REMOVED
Bumping to 4.5.1 and removing old version

(Portage version: 2.2.0_alpha23/cvs/Linux i686)

1 # Copyright 1999-2011 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.5.0-r1.ebuild,v 1.1 2011/01/18 21:31:18 gurligebis Exp $
4
EAPI=2
# eutils: epatch (src_prepare), enewgroup/enewuser (pkg_setup)
# linux-info: linux-info_pkg_setup, kernel_is, KV_FULL (pkg_setup)
inherit eutils linux-info

DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
SLOT="0"
KEYWORDS="~amd64 ~ppc ~sparc ~x86"
# Leading '+' marks flags enabled by default. 'caps' and 'non-root' decide
# how much privilege the daemons keep (see src_configure/pkg_postinst);
# 'nat-transport' triggers an explicit warning in pkg_setup.
IUSE="+caps cisco curl debug dhcp eap farp gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root +openssl smartcard sqlite"

# '!net-misc/openswan' blocks a concurrent openswan install (both ship
# /usr/sbin/ipsec). openssl must be built without bindist ([-bindist]);
# pkg_postinst notes that ECC/ECDSA are only available via the OpenSSL plugin.
COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	smartcard? ( dev-libs/opensc )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )"
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2"

# Name of the unprivileged user *and* group the daemons run as when
# USE=non-root: created in pkg_setup, passed as --with-user/--with-group in
# src_configure, and used as owner of the config files in src_install.
UGID="ipsec"
35
#######################################
# Emit the per-version kernel caveats for kernels older than 2.6.34.
# Split out of pkg_setup so the hard requirement check stays readable.
# Globals:   none written; relies on kernel_is from linux-info
# Outputs:   ewarn lines
#######################################
_strongswan_kernel_notes() {
	ewarn
	ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
	ewarn

	if kernel_is -lt 2 6 29; then
		ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
		ewarn "include all required IPv6 modules even if you just intend"
		ewarn "to run on IPv4 only."
		ewarn
		ewarn "This has been fixed with kernels >= 2.6.29."
		ewarn
	fi

	if kernel_is -lt 2 6 33; then
		ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
		ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
		ewarn "miss SHA384 and SHA512 HMAC support altogether."
		ewarn
		ewarn "If you need any of those features, please use kernel >= 2.6.33."
		ewarn
	fi

	# Always true when reached from pkg_setup; kept so each note is
	# self-contained and guarded by its own version bound.
	if kernel_is -lt 2 6 34; then
		ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
		ewarn "ESP cipher is only included in kernels >= 2.6.34."
		ewarn
		ewarn "If you need it, please use kernel >= 2.6.34."
		ewarn
	fi
}

#######################################
# Pre-build checks: kernel version gate, feature warnings and creation of
# the unprivileged service account.
# Globals:   KV_FULL (read, set by linux-info_pkg_setup), UGID (read)
# Returns:   dies on kernels older than 2.6.16
#######################################
pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Hard requirement: only the native 2.6 IPsec stack is supported.
	if ! kernel_is -ge 2 6 16; then
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
		die "Please install a recent 2.6 kernel."
	fi

	# Opt-in feature with a known weakness; surface it before the build.
	if use nat-transport; then
		ewarn
		ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
		ewarn "protocol. Please double check if you really require this feature"
		ewarn "as it is potentially insecure and usually only required in certain"
		ewarn "situations when interoperating with Windows using L2TP/IPsec."
		ewarn
	fi

	if kernel_is -lt 2 6 34; then
		_strongswan_kernel_notes
	fi

	# Service account used for privilege dropping (USE=non-root only).
	if use non-root; then
		enewgroup "${UGID}"
		enewuser "${UGID}" -1 -1 -1 "${UGID}"
	fi
}
94
#######################################
# Apply the distribution patch; by its name it addresses a segfault in the
# dhcp plugin (contents not visible here).
# Globals:   FILESDIR (read)
#######################################
src_prepare() {
	epatch "${FILESDIR}"/strongswan-4.5.0-dhcp_segfault.patch
}
98
99 src_configure() {
100 local myconf=""
101
102 if use non-root; then
103 myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
104 fi
105
106 # If a user has already enabled db support, those plugins will
107 # most likely be desired as well. Besides they don't impose new
108 # dependencies and come at no cost (except for space).
109 if use mysql || use sqlite; then
110 myconf="${myconf} --enable-attr-sql --enable-sql"
111 fi
112
113 # strongSwan builds and installs static libs by default which are
114 # useless to the user (and to strongSwan for that matter) because no
115 # header files or alike get installed... so disabling them is safe.
116 econf \
117 --disable-static \
118 $(use_with caps capabilities libcap) \
119 $(use_enable curl) \
120 $(use_enable ldap) \
121 $(use_enable smartcard) \
122 $(use_enable cisco cisco-quirks) \
123 $(use_enable debug leak-detective) \
124 $(use_enable eap eap-sim) \
125 $(use_enable eap eap-sim-file) \
126 $(use_enable eap eap-simaka-sql) \
127 $(use_enable eap eap-simaka-pseudonym) \
128 $(use_enable eap eap-simaka-reauth) \
129 $(use_enable eap eap-identity) \
130 $(use_enable eap eap-md5) \
131 $(use_enable eap eap-gtc) \
132 $(use_enable eap eap-aka) \
133 $(use_enable eap eap-aka-3gpp2) \
134 $(use_enable eap eap-mschapv2) \
135 $(use_enable eap eap-radius) \
136 $(use_enable nat-transport) \
137 $(use_enable openssl) \
138 $(use_enable gcrypt) \
139 $(use_enable mysql) \
140 $(use_enable sqlite) \
141 $(use_enable ikev1 pluto) \
142 $(use_enable ikev2 charon) \
143 $(use_enable dhcp) \
144 $(use_enable farp) \
145 ${myconf}
146 }
147
#######################################
# Install the package, the init script, and the /etc/ipsec.d tree with
# restrictive ownership and permissions.
# Globals:   UGID, FILESDIR, D (read)
# Returns:   dies on install, dodoc or .la cleanup failure
#######################################
src_install() {
	einstall || die "einstall failed"

	doinitd "${FILESDIR}"/ipsec

	# Owner of the config files and the certificate/key directories: the
	# service user when USE=non-root, root otherwise.
	local dir_ugid=root
	if use non-root; then
		fowners "${UGID}:${UGID}" \
			/etc/ipsec.conf \
			/etc/ipsec.secrets \
			/etc/strongswan.conf
		dir_ugid=${UGID}
	fi

	local -a ipsec_dirs=(
		/etc/ipsec.d
		/etc/ipsec.d/aacerts
		/etc/ipsec.d/acerts
		/etc/ipsec.d/cacerts
		/etc/ipsec.d/certs
		/etc/ipsec.d/crls
		/etc/ipsec.d/ocspcerts
		/etc/ipsec.d/private
		/etc/ipsec.d/reqs
	)
	# 0750: no access for "other" — /etc/ipsec.d/private holds key material.
	diropts -m 0750 -o "${dir_ugid}" -g "${dir_ugid}"
	dodir "${ipsec_dirs[@]}"

	dodoc CREDITS NEWS README TODO || die

	# shared libs are used only internally and there are no static libs,
	# so it's safe to get rid of the .la files
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
182
#######################################
# Record, before the merge replaces the old version, which variant was
# installed so pkg_postinst can act on it afterwards.
# Globals:   upgrade_from_leq_4_3_6, previous_4_3_6_with_caps (written;
#            deliberately not 'local' because pkg_postinst reads them)
#######################################
pkg_preinst() {
	# 1 when a version below 4.3.6-r1 is currently installed, 0 otherwise.
	if has_version "<net-misc/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	else
		upgrade_from_leq_4_3_6=0
	fi

	# NOTE(review): the atom's [-caps] matches an installed version built
	# with the caps flag *disabled*, while the variable name and the
	# pkg_postinst warning it gates read as if a caps-enabled install is
	# meant — confirm the intended USE dependency.
	if has_version "<net-misc/strongswan-4.3.6-r1[-caps]"; then
		previous_4_3_6_with_caps=1
	else
		previous_4_3_6_with_caps=0
	fi
}
190
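#######################################
# Post-merge messages and the one-off permission fix-up when upgrading from
# a version older than 4.3.6-r1.
# Globals:   upgrade_from_leq_4_3_6, previous_4_3_6_with_caps (read, set in
#            pkg_preinst), ROOT, PN (read)
# Outputs:   elog/ewarn lines
#######################################
pkg_postinst() {
	if ! use openssl && ! use gcrypt; then
		elog
		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
		elog "Please note that this might effect availability and speed of some"
		elog "cryptographic features. You are advised to enable the OpenSSL plugin."
	elif ! use openssl; then
		elog
		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
		elog "availability and speed of some cryptographic features. There will be"
		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
		elog "25, 26) and ECDSA."
	fi

	if [[ ${upgrade_from_leq_4_3_6} == 1 ]]; then
		# Same directory set src_install creates; older versions left them
		# world-accessible, so tighten the live copies under ROOT as well.
		local sub
		local -a ipsec_dirs=( "${ROOT}"/etc/ipsec.d )
		for sub in aacerts acerts cacerts certs crls ocspcerts private reqs; do
			ipsec_dirs+=( "${ROOT}"/etc/ipsec.d/"${sub}" )
		done

		# Only claim the directories were updated if chmod actually succeeded
		# (e.g. a directory the admin removed makes chmod return non-zero);
		# otherwise tell the admin to check by hand instead of reassuring them.
		if chmod 0750 "${ipsec_dirs[@]}"; then
			ewarn
			ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
			ewarn "security reasons. Your system installed directories have been"
			ewarn "updated accordingly. Please check if necessary."
			ewarn
		else
			ewarn
			ewarn "Failed to tighten the permissions of some /etc/ipsec.d/* directories"
			ewarn "to 0750. Please check and fix them manually (see the error above)."
			ewarn
		fi

		if [[ ${previous_4_3_6_with_caps} == 1 ]]; then
			if ! use non-root; then
				ewarn
				ewarn "IMPORTANT: You previously had ${PN} installed without root"
				ewarn "privileges because it was implied by the 'caps' USE flag."
				ewarn "This has been changed. If you want ${PN} with user privileges,"
				ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
				ewarn
			fi
		fi
	fi
	# Neither capability dropping nor an unprivileged user: the daemons keep
	# full root for their whole lifetime.
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi
	if use non-root; then
		elog
		elog "${PN} has been installed without superuser privileges (USE=non-root)."
		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
		elog "but also a few to the IKEv2 daemon 'charon'."
		elog
		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
		elog
		elog "pluto uses a helper script by default to insert/remove routing and"
		elog "policy rules upon connection start/stop which requires superuser"
		elog "privileges. charon in contrast does this internally and can do so"
		elog "even with reduced (user) privileges."
		elog
		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
		elog "script to pluto or charon which requires superuser privileges, you"
		elog "can work around this limitation by using sudo to grant the"
		elog "user \"ipsec\" the appropriate rights."
		elog "For example (the default case):"
		elog "/etc/sudoers:"
		elog "  Defaults:ipsec always_set_home,!env_reset"
		elog "  ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
		elog "Under the specific connection block in /etc/ipsec.conf:"
		elog "  leftupdown=\"sudo ipsec _updown\""
		elog
	fi
	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog "  http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog "  http://wiki.strongswan.org/"
	elog
}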
