Revision 1.3 - (show annotations) (download)
Fri Nov 4 20:53:59 2011 UTC (8 years, 1 month ago) by gurligebis
Branch: MAIN
CVS Tags: HEAD
Changes since 1.2: +1 -1 lines
FILE REMOVED
Bumping to 4.6.0 and adding ~arm keyword

(Portage version: 2.2.0_alpha72/cvs/Linux i686)

# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.5.3.ebuild,v 1.2 2011/08/05 08:16:55 gurligebis Exp $

EAPI=2
inherit eutils linux-info

DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
# Cleartext download: the tarball's integrity is expected to come from the
# repository Manifest digests rather than from the transport, so those must
# be kept current whenever this URI changes.
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
SLOT="0"
KEYWORDS="~amd64 ~ppc ~sparc ~x86"

# '+' marks the default-on flags. 'caps' and 'non-root' are the two privilege
# reduction knobs (pkg_postinst warns when both are off); 'nat-transport'
# enables the IKEv1 feature pkg_setup flags as potentially insecure.
IUSE="+caps cisco curl debug dhcp eap farp gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root +openssl smartcard sqlite"
16
# Dependencies shared by build and run time. The leading blocker keeps
# openswan from being installed alongside this package. The openssl plugin
# is what provides the EC groups and ECDSA named in pkg_postinst; the
# [-bindist] requirement presumably demands an OpenSSL build that has not
# had that code stripped — confirm against the openssl ebuild.
COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	smartcard? ( dev-libs/opensc )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )"

# Run time only: a syslog implementation and iproute2, which the routing
# and policy manipulation described in pkg_postinst relies on.
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2"

# Build time only: kernel sources/headers, needed because pkg_setup inspects
# the kernel version via linux-info.
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"

# Unprivileged account (user and group share the name) the daemons run as
# under USE=non-root; used by pkg_setup, src_configure and src_install.
UGID="ipsec"
35
# Version-dependent caveats for kernels older than 2.6.34. Only called from
# pkg_setup after that bound has been established, so the 2.6.34 note needs
# no re-check of its own here.
_strongswan_kernel_notes() {
	ewarn
	ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
	ewarn

	if kernel_is -lt 2 6 29; then
		ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
		ewarn "include all required IPv6 modules even if you just intend"
		ewarn "to run on IPv4 only."
		ewarn
		ewarn "This has been fixed with kernels >= 2.6.29."
		ewarn
	fi

	# SHA-2 HMAC for ESP: pre-2.6.33 kernels get it wrong and lack the
	# 384/512 variants entirely.
	if kernel_is -lt 2 6 33; then
		ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
		ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
		ewarn "miss SHA384 and SHA512 HMAC support altogether."
		ewarn
		ewarn "If you need any of those features, please use kernel >= 2.6.33."
		ewarn
	fi

	ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
	ewarn "ESP cipher is only included in kernels >= 2.6.34."
	ewarn
	ewarn "If you need it, please use kernel >= 2.6.34."
	ewarn
}

# Sanity-check the running kernel, warn about risky USE choices and create
# the unprivileged service account when the daemons are to drop root.
pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Hard floor: only the native 2.6 IPsec stack is supported.
	if ! kernel_is -ge 2 6 16; then
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
		die "Please install a recent 2.6 kernel."
	fi

	# IKEv1 transport-mode NAT traversal is described by the warning itself
	# as potentially insecure and normally only needed for Windows L2TP/IPsec
	# peers; keep it loud so nobody leaves the flag on by accident.
	if use nat-transport; then
		ewarn
		ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
		ewarn "protocol. Please double check if you really require this feature"
		ewarn "as it is potentially insecure and usually only required in certain"
		ewarn "situations when interoperating with Windows using L2TP/IPsec."
		ewarn
	fi

	if kernel_is -lt 2 6 34; then
		_strongswan_kernel_notes
	fi

	# Service account for USE=non-root: src_configure passes the same name
	# via --with-user/--with-group and src_install chowns the config to it.
	if use non-root; then
		enewgroup "${UGID}"
		enewuser "${UGID}" -1 -1 -1 "${UGID}"
	fi
}
94
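# Assemble and run ./configure. USE-dependent switches that are not a plain
# use_enable/use_with are collected in an array so every switch reaches
# econf as exactly one word, instead of relying on word-splitting of an
# unquoted string.
src_configure() {
	local -a myconf=()

	if use non-root; then
		# Account created in pkg_setup; the daemons are built to run as it.
		myconf+=( "--with-user=${UGID}" "--with-group=${UGID}" )
	fi

	# If a user has already enabled db support, those plugins will
	# most likely be desired as well. Besides they don't impose new
	# dependencies and come at no cost (except for space).
	if use mysql || use sqlite; then
		myconf+=( --enable-attr-sql --enable-sql )
	fi

	# strongSwan builds and installs static libs by default which are
	# useless to the user (and to strongSwan for that matter) because no
	# header files or alike get installed... so disabling them is safe.
	#
	# The $(use_*) substitutions stay unquoted on purpose: each expands to a
	# single --enable-/--disable-/--with-/--without- word. Note that one USE
	# flag gates every EAP method, including the legacy MD5 and GTC ones;
	# a finer split would let users leave those off.
	econf \
		--disable-static \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable ldap) \
		$(use_enable smartcard) \
		$(use_enable cisco cisco-quirks) \
		$(use_enable debug leak-detective) \
		$(use_enable eap eap-sim) \
		$(use_enable eap eap-sim-file) \
		$(use_enable eap eap-simaka-sql) \
		$(use_enable eap eap-simaka-pseudonym) \
		$(use_enable eap eap-simaka-reauth) \
		$(use_enable eap eap-identity) \
		$(use_enable eap eap-md5) \
		$(use_enable eap eap-gtc) \
		$(use_enable eap eap-aka) \
		$(use_enable eap eap-aka-3gpp2) \
		$(use_enable eap eap-mschapv2) \
		$(use_enable eap eap-radius) \
		$(use_enable nat-transport) \
		$(use_enable openssl) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable sqlite) \
		$(use_enable ikev1 pluto) \
		$(use_enable ikev2 charon) \
		$(use_enable dhcp) \
		$(use_enable farp) \
		"${myconf[@]}"
}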
143
# Install the build, the init script and the certificate directory tree,
# with ownership and modes that depend on whether the daemons drop root.
src_install() {
	emake DESTDIR="${D}" install || die "Install failed"

	doinitd "${FILESDIR}"/ipsec

	# Owner/group for /etc/ipsec.d: the service account under USE=non-root,
	# root otherwise.
	local owner="root"
	if use non-root; then
		owner="${UGID}"
		# NOTE(review): this gives the daemon's own account *ownership* of
		# its configuration and of ipsec.secrets, i.e. write access to both,
		# where read access is presumably all it needs; root:ipsec with a
		# group-readable mode would be the tighter choice. The mode of
		# ipsec.secrets itself is whatever `make install` set — not visible
		# here, worth confirming.
		fowners "${UGID}:${UGID}" \
			/etc/ipsec.conf \
			/etc/ipsec.secrets \
			/etc/strongswan.conf
	fi

	# /etc/ipsec.d holds certificates, CRLs and (under private/) keys;
	# 0750 keeps other local users out of the whole tree.
	local -a ipsec_subdirs=( aacerts acerts cacerts certs crls ocspcerts private reqs )
	diropts -m 0750 -o "${owner}" -g "${owner}"
	dodir /etc/ipsec.d "${ipsec_subdirs[@]/#//etc/ipsec.d/}"

	dodoc CREDITS NEWS README TODO || die

	# No headers are installed and nothing outside the package links against
	# these libraries, so the libtool archives are dead weight.
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
178
# Record, before the new files land, what was installed previously. The two
# globals are relied upon to survive into pkg_postinst, which keys its
# upgrade warnings on them.
pkg_preinst() {
	# 1 when a version older than 4.3.6-r1 is installed, 0 otherwise.
	if has_version "<net-misc/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	else
		upgrade_from_leq_4_3_6=0
	fi

	# NOTE(review): "[-caps]" matches an installed version built with USE=caps
	# *disabled*, yet the variable name and the pkg_postinst warning keyed on
	# it (about privileges "implied by the 'caps' USE flag") read as if it
	# meant caps *enabled*. Confirm against the 4.3.6 ebuild before changing.
	if has_version "<net-misc/strongswan-4.3.6-r1[-caps]"; then
		previous_4_3_6_with_caps=1
	else
		previous_4_3_6_with_caps=0
	fi
}
186
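# Post-install advice. Reads upgrade_from_leq_4_3_6 and
# previous_4_3_6_with_caps, which pkg_preinst sets, and tightens the mode of
# an existing /etc/ipsec.d tree when coming from an older version.
pkg_postinst() {
	# Crypto backend advice: without the openssl plugin there is no ECDH
	# or ECDSA (the message names the affected groups).
	if ! use openssl && ! use gcrypt; then
		elog
		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
		elog "Please note that this might affect availability and speed of some"
		elog "cryptographic features. You are advised to enable the OpenSSL plugin."
	elif ! use openssl; then
		elog
		elog "${PN} has been compiled without the OpenSSL plugin. This might affect"
		elog "availability and speed of some cryptographic features. There will be"
		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
		elog "25, 26) and ECDSA."
	fi

	# Older versions installed /etc/ipsec.d with a looser default mode; since
	# private/ holds keys, fix the live tree too, not only freshly created
	# directories (src_install already uses 0750 for those).
	if [[ ${upgrade_from_leq_4_3_6} == 1 ]]; then
		chmod 0750 "${ROOT}"/etc/ipsec.d \
			"${ROOT}"/etc/ipsec.d/aacerts \
			"${ROOT}"/etc/ipsec.d/acerts \
			"${ROOT}"/etc/ipsec.d/cacerts \
			"${ROOT}"/etc/ipsec.d/certs \
			"${ROOT}"/etc/ipsec.d/crls \
			"${ROOT}"/etc/ipsec.d/ocspcerts \
			"${ROOT}"/etc/ipsec.d/private \
			"${ROOT}"/etc/ipsec.d/reqs

		ewarn
		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
		ewarn "security reasons. Your system installed directories have been"
		ewarn "updated accordingly. Please check if necessary."
		ewarn

		# Privilege dropping used to ride on USE=caps; it is now USE=non-root.
		if [[ ${previous_4_3_6_with_caps} == 1 ]] && ! use non-root; then
			ewarn
			ewarn "IMPORTANT: You previously had ${PN} installed without root"
			ewarn "privileges because it was implied by the 'caps' USE flag."
			ewarn "This has been changed. If you want ${PN} with user privileges,"
			ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
			ewarn
		fi
	fi

	# Neither privilege-reduction mechanism enabled: a daemon listening on a
	# public address running as full root with no capability dropping.
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi

	if use non-root; then
		elog
		elog "${PN} has been installed without superuser privileges (USE=non-root)."
		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
		elog "but also a few to the IKEv2 daemon 'charon'."
		elog
		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
		elog
		elog "pluto uses a helper script by default to insert/remove routing and"
		elog "policy rules upon connection start/stop which requires superuser"
		elog "privileges. charon in contrast does this internally and can do so"
		elog "even with reduced (user) privileges."
		elog
		# The sudoers example is deliberately narrow: one subcommand (_updown),
		# as root only. An unrestricted rule for /usr/sbin/ipsec would hand
		# the service account every ipsec subcommand as root and undo the
		# point of USE=non-root.
		# NOTE(review): !env_reset is kept because the updown script presumably
		# takes its parameters from the daemon's environment — confirm; it does
		# mean the ipsec user can pass arbitrary variables to a root process.
		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
		elog "script to pluto or charon which requires superuser privileges, you"
		elog "can work around this limitation by using sudo to grant the"
		elog "user \"ipsec\" the appropriate rights."
		elog "For example (the default case):"
		elog "/etc/sudoers:"
		elog " Defaults:ipsec always_set_home,!env_reset"
		elog " ipsec ALL=(root) NOPASSWD: /usr/sbin/ipsec _updown"
		elog "Limit the rule to the _updown command as shown: allowing any"
		elog "argument to /usr/sbin/ipsec would let the ipsec user run every"
		elog "ipsec subcommand as root and defeat the purpose of USE=non-root."
		elog "Under the specific connection block in /etc/ipsec.conf:"
		elog " leftupdown=\"sudo ipsec _updown\""
		elog
	fi
	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog " http://wiki.strongswan.org/"
	elog
}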
