
Contents of /net-misc/strongswan/strongswan-5.0.1.ebuild



Revision 1.4 - (show annotations) (download)
Sat Feb 2 17:34:50 2013 UTC (6 years, 10 months ago) by gurligebis
Branch: MAIN
CVS Tags: HEAD
Changes since 1.3: +1 -1 lines
FILE REMOVED
Bumping to 5.0.2 and removing old version

(Portage version: 2.2.0_alpha161/cvs/Linux i686, signed Manifest commit with key 15AE484C)

# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-5.0.1.ebuild,v 1.3 2013/01/24 20:48:48 vapier Exp $

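# EAPI 2: install helpers (doinitd, dodir, fowners, ...) do not abort the
# build on failure by themselves, so callers have to check them explicitly.
EAPI=2
inherit eutils linux-info user

DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
# Use HTTPS for the project site and the distfile. Portage still checks the
# downloaded tarball against the Manifest digests, which remain the integrity
# anchor; TLS only protects the transfer itself.
HOMEPAGE="https://www.strongswan.org/"
SRC_URI="https://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA DES"
SLOT="0"
KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
# 'caps', 'non-root' and 'openssl' are enabled by default (leading '+'), so a
# default build drops capabilities and runs under the dedicated account.
IUSE="+caps curl debug dhcp eap farp gcrypt ldap mysql +non-root +openssl sqlite pam"

# Needed both at build time and at run time. The leading blocker keeps this
# package from being installed next to net-misc/openswan.
COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )
	pam? ( sys-libs/pam )"
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2"

# Name of the unprivileged user and group created when USE=non-root is set.
UGID="ipsec"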
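# Report the target kernel version, warn about IPsec features that older
# kernels lack, and create the dedicated account when USE=non-root is set.
# Globals: KV_FULL (read), PN (read), UGID (read)
pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Informational only: nothing here aborts the build on an old kernel.
	if ! kernel_is -ge 2 6 16; then
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
	fi

	if kernel_is -lt 2 6 34; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn

		if kernel_is -lt 2 6 29; then
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		fi

		# Security-relevant: these kernels negotiate SHA-2 HMACs for ESP in a
		# non-standard way, which affects interoperability with other peers.
		if kernel_is -lt 2 6 33; then
			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
			ewarn "miss SHA384 and SHA512 HMAC support altogether."
			ewarn
			ewarn "If you need any of those features, please use kernel >= 2.6.33."
			ewarn
		fi

		# The enclosing test already established a kernel older than 2.6.34,
		# so this note needs no version check of its own.
		ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
		ewarn "ESP cipher is only included in kernels >= 2.6.34."
		ewarn
		ewarn "If you need it, please use kernel >= 2.6.34."
		ewarn
	fi

	if use non-root; then
		# -1 selects the eclass default for uid, shell and home directory;
		# the last argument puts the user into the group of the same name.
		enewgroup "${UGID}"
		enewuser "${UGID}" -1 -1 -1 "${UGID}"
	fi
}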
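# Run econf with the feature switches that follow from the enabled USE flags.
# Globals: UGID (read)
src_configure() {
	# Optional switches are collected in an array so that each one reaches
	# econf as exactly one argument, without relying on word splitting.
	local -a myconf=()

	if use non-root; then
		myconf+=( --with-user="${UGID}" --with-group="${UGID}" )
	fi

	# If a user has already enabled db support, those plugins will
	# most likely be desired as well. Besides they don't impose new
	# dependencies and come at no cost (except for space).
	if use mysql || use sqlite; then
		myconf+=( --enable-attr-sql --enable-sql )
	fi

	# EAP-GTC is built only when both 'pam' and 'eap' are enabled
	# (presumably because the plugin checks credentials through PAM -
	# confirm against upstream) and is switched off explicitly otherwise.
	if use pam && use eap; then
		myconf+=( --enable-eap-gtc )
	else
		myconf+=( --disable-eap-gtc )
	fi

	# strongSwan builds and installs static libs by default which are
	# useless to the user (and to strongSwan for that matter) because no
	# header files or alike get installed... so disabling them is safe.
	#
	# NOTE(review): USE=eap enables every EAP plugin below as one group,
	# including eap-md5, a plain challenge/response method without mutual
	# authentication. Which methods a gateway accepts is then a matter of
	# the connection configuration, not of this build.
	# USE=debug turns on upstream's leak-detective; keep it out of
	# production builds unless it is needed.
	econf \
		--disable-static \
		--enable-ikev1 \
		--enable-ikev2 \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable ldap) \
		$(use_enable debug leak-detective) \
		$(use_enable eap eap-sim) \
		$(use_enable eap eap-sim-file) \
		$(use_enable eap eap-simaka-sql) \
		$(use_enable eap eap-simaka-pseudonym) \
		$(use_enable eap eap-simaka-reauth) \
		$(use_enable eap eap-identity) \
		$(use_enable eap eap-md5) \
		$(use_enable eap eap-aka) \
		$(use_enable eap eap-aka-3gpp2) \
		$(use_enable eap eap-mschapv2) \
		$(use_enable eap eap-radius) \
		$(use_enable openssl) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable sqlite) \
		$(use_enable dhcp) \
		$(use_enable farp) \
		"${myconf[@]}"
}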
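# Install the build into ${D}, add the init script, set ownership of the main
# configuration files, create the /etc/ipsec.d tree with restricted
# permissions and drop the libtool archives.
# Globals: D, FILESDIR, UGID (all read)
src_install() {
	emake DESTDIR="${D}" install || die "Install failed"

	# Under EAPI 2 the install helpers do not die on their own, so each one
	# is checked here the same way dodoc already was. A silent failure would
	# otherwise leave ownership or the key directories different from what
	# the rest of the ebuild assumes.
	doinitd "${FILESDIR}"/ipsec || die "Failed to install init script"

	local dir_ugid
	if use non-root; then
		# NOTE(review): making ${UGID} the owner lets the unprivileged daemon
		# account rewrite its own configuration. If read access is all it
		# needs, root:${UGID} with group read would be the tighter choice -
		# confirm against how the daemons use these files.
		fowners "${UGID}:${UGID}" \
			/etc/ipsec.conf \
			/etc/strongswan.conf \
			|| die "Failed to change owner of configuration files"

		dir_ugid="${UGID}"
	else
		dir_ugid="root"
	fi

	# 0750: no access for "other" to the certificate and private-key
	# directories; owner and group are the daemon account, or root.
	# NOTE(review): /etc/ipsec.secrets is not handled in this function;
	# confirm the owner and mode it receives from the upstream install step.
	diropts -m 0750 -o "${dir_ugid}" -g "${dir_ugid}"
	dodir /etc/ipsec.d \
		/etc/ipsec.d/aacerts \
		/etc/ipsec.d/acerts \
		/etc/ipsec.d/cacerts \
		/etc/ipsec.d/certs \
		/etc/ipsec.d/crls \
		/etc/ipsec.d/ocspcerts \
		/etc/ipsec.d/private \
		/etc/ipsec.d/reqs \
		|| die "Failed to create /etc/ipsec.d directories"

	dodoc NEWS README TODO || die

	# shared libs are used only internally and there are no static libs,
	# so it's safe to get rid of the .la files
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}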
# Remember what is being replaced so that pkg_postinst can react to it.
# Each flag ends up as 1 when has_version matches and as 0 otherwise.
# Globals: upgrade_from_leq_4_3_6 (written), previous_4_3_6_with_caps (written)
pkg_preinst() {
	# Any installed version older than 4.3.6-r1.
	if has_version "<net-misc/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	else
		upgrade_from_leq_4_3_6=0
	fi

	# Same version range, restricted to installs matching the [-caps]
	# USE dependency.
	if has_version "<net-misc/strongswan-4.3.6-r1[-caps]"; then
		previous_4_3_6_with_caps=1
	else
		previous_4_3_6_with_caps=0
	fi
}
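# Print post-install notes: crypto back-end hints, the permission change on
# upgrades from old versions, privilege warnings and pointers to the docs.
# Globals: PN, ROOT, upgrade_from_leq_4_3_6, previous_4_3_6_with_caps (read;
#          the last two are set by pkg_preinst)
pkg_postinst() {
	if ! use openssl && ! use gcrypt; then
		elog
		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
		elog "Please note that this might effect availability and speed of some"
		elog "cryptographic features. You are advised to enable the OpenSSL plugin."
	elif ! use openssl; then
		elog
		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
		elog "availability and speed of some cryptographic features. There will be"
		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
		elog "25, 26) and ECDSA."
	fi

	if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
		# Bring directories created by an older install to the 0750 mode that
		# src_install uses now. Only the mode is changed here, not ownership.
		chmod 0750 "${ROOT}"/etc/ipsec.d \
			"${ROOT}"/etc/ipsec.d/aacerts \
			"${ROOT}"/etc/ipsec.d/acerts \
			"${ROOT}"/etc/ipsec.d/cacerts \
			"${ROOT}"/etc/ipsec.d/certs \
			"${ROOT}"/etc/ipsec.d/crls \
			"${ROOT}"/etc/ipsec.d/ocspcerts \
			"${ROOT}"/etc/ipsec.d/private \
			"${ROOT}"/etc/ipsec.d/reqs

		ewarn
		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
		ewarn "security reasons. Your system installed directories have been"
		ewarn "updated accordingly. Please check if necessary."
		ewarn

		# The old 'caps' flag used to imply running unprivileged; tell users
		# who relied on that and have not enabled 'non-root'.
		if [[ $previous_4_3_6_with_caps == 1 ]] && ! use non-root; then
			ewarn
			ewarn "IMPORTANT: You previously had ${PN} installed without root"
			ewarn "privileges because it was implied by the 'caps' USE flag."
			ewarn "This has been changed. If you want ${PN} with user privileges,"
			ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
			ewarn
		fi
	fi
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi
	if use non-root; then
		# NOTE(review): the text below still talks about a separate 'pluto'
		# daemon; upstream dropped pluto in the 5.0 series, so this wording
		# may be outdated for this version - confirm before reuse.
		elog
		elog "${PN} has been installed without superuser privileges (USE=non-root)."
		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
		elog "but also a few to the IKEv2 daemon 'charon'."
		elog
		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
		elog
		elog "pluto uses a helper script by default to insert/remove routing and"
		elog "policy rules upon connection start/stop which requires superuser"
		elog "privileges. charon in contrast does this internally and can do so"
		elog "even with reduced (user) privileges."
		elog
		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
		elog "script to pluto or charon which requires superuser privileges, you"
		elog "can work around this limitation by using sudo to grant the"
		elog "user \"ipsec\" the appropriate rights."
		elog "For example (the default case):"
		elog "/etc/sudoers:"
		elog " Defaults:ipsec always_set_home,!env_reset"
		elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
		elog "Under the specific connection block in /etc/ipsec.conf:"
		elog " leftupdown=\"sudo ipsec _updown\""
		elog
		# The example rule is wider than the _updown use case it is given
		# for: it covers every subcommand of /usr/sbin/ipsec, needs no
		# password, and !env_reset hands the caller's environment to a root
		# process. That gives back much of what USE=non-root takes away, so
		# say so next to the example instead of leaving it implicit.
		ewarn "Note that the sudoers example above allows the \"ipsec\" user to run"
		ewarn "any 'ipsec' subcommand as root with its own environment kept"
		ewarn "(!env_reset). Restrict the rule as far as your setup allows."
		ewarn
	fi
	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog " http://wiki.strongswan.org/"
	elog
}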
