
Contents of /net-misc/strongswan/strongswan-5.0.4-r1.ebuild



Revision 1.3 - (show annotations) (download)
Thu Aug 1 15:41:58 2013 UTC (6 years, 4 months ago) by gurligebis
Branch: MAIN
CVS Tags: HEAD
Changes since 1.2: +1 -1 lines
FILE REMOVED
Bumping to 5.1.0, to help fix #479396

(Portage version: 2.2.0_alpha190/cvs/Linux i686, signed Manifest commit with key 15AE484C)

# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-5.0.4-r1.ebuild,v 1.2 2013/07/20 14:34:37 pacho Exp $
# Package metadata. The inherited eclasses supply the helpers used further
# down: epatch_user (eutils), kernel_is and KV_FULL (linux-info),
# systemd_with_unitdir (systemd), enewgroup and enewuser (user).
EAPI=5
inherit eutils linux-info systemd user

DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
# NOTE(review): the source tarball is fetched over plain HTTP, so the
# transport gives no integrity guarantee. Authenticity of the distfile rests
# on the digests in the package Manifest.
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA DES"
SLOT="0"
KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
# A leading '+' marks a flag as enabled by default: capability dropping
# (caps), running as a dedicated account (non-root) and the OpenSSL plugin.
IUSE="+caps curl debug dhcp eap farp gcrypt ldap mysql networkmanager +non-root +openssl sqlite pam"

# Libraries needed both at build time and at run time.
# '!net-misc/openswan' is a blocker: the two packages cannot be installed
# side by side.
# openssl[-bindist] requires OpenSSL built without USE=bindist; presumably
# because bindist builds lack algorithms the plugin needs -- confirm.
COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )
	pam? ( sys-libs/pam )"
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2"

# Name of the dedicated user and of the group that USE=non-root creates
# and hands to ./configure.
UGID="ipsec"
# Checks the target kernel, prints version-specific IPsec caveats and, for
# USE=non-root, creates the dedicated account the daemons will run as.
pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Informational only: nothing here calls die, so the merge carries on
	# even on a kernel older than 2.6.16.
	kernel_is -ge 2 6 16 || {
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
	}

	# Every caveat below concerns kernels older than 2.6.34, so newer
	# kernels skip the whole section.
	if kernel_is -lt 2 6 34; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn

		if kernel_is -lt 2 6 29; then
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		fi

		# Relevant when choosing ESP integrity algorithms: SHA-2 based
		# HMACs are not usable in a standards-compliant way before 2.6.33.
		if kernel_is -lt 2 6 33; then
			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
			ewarn "miss SHA384 and SHA512 HMAC support altogether."
			ewarn
			ewarn "If you need any of those features, please use kernel >= 2.6.33."
			ewarn
		fi

		# Same condition as the enclosing test, so this note is always
		# printed once this section is entered.
		if kernel_is -lt 2 6 34; then
			ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
			ewarn "ESP cipher is only included in kernels >= 2.6.34."
			ewarn
			ewarn "If you need it, please use kernel >= 2.6.34."
			ewarn
		fi
	fi

	# Dedicated unprivileged account. The three -1 arguments ask
	# user.eclass for its defaults for UID, shell and home directory; the
	# last argument puts the user into the group created just before.
	if use non-root; then
		enewgroup "${UGID}"
		enewuser "${UGID}" -1 -1 -1 "${UGID}"
	fi
}
# The ebuild carries no patches of its own; this phase only gives locally
# supplied user patches a chance to be applied.
src_prepare() {
	# NOTE(review): whatever epatch_user picks up comes from the local
	# administrator, so a build with user patches is no longer the
	# pristine upstream source.
	epatch_user
}
# Translates USE flags into ./configure switches and runs econf once.
src_configure() {
	# Conditional switches; they are appended after the fixed list below,
	# in the same order as they are collected here.
	local -a myconf=()

	# Have the daemons drop to the dedicated account at run time.
	if use non-root; then
		myconf+=( "--with-user=${UGID}" "--with-group=${UGID}" )
	fi

	# If a user has already enabled db support, those plugins will
	# most likely be desired as well. Besides they don't impose new
	# dependencies and come at no cost (except for space).
	if use mysql || use sqlite; then
		myconf+=( --enable-attr-sql --enable-sql )
	fi

	# EAP-GTC is only built when both PAM and EAP support are requested.
	if use pam && use eap; then
		myconf+=( --enable-eap-gtc )
	else
		myconf+=( --disable-eap-gtc )
	fi

	local -a econf_args=(
		# strongSwan builds and installs static libs by default which are
		# useless to the user (and to strongSwan for that matter) because
		# no header files or alike get installed... so disabling them is
		# safe.
		--disable-static
		--enable-ikev1
		--enable-ikev2
		# POSIX capability dropping through libcap.
		$(use_with caps capabilities libcap)
		$(use_enable curl)
		$(use_enable ldap)
		# USE=debug only toggles the leak-detective.
		$(use_enable debug leak-detective)
		# NOTE(review): the single 'eap' flag builds every method listed
		# here, including EAP-MD5, a challenge/response method without
		# mutual authentication. Which methods a peer is actually offered
		# is decided by the connection configuration, so review that
		# after enabling the flag.
		$(use_enable eap eap-sim)
		$(use_enable eap eap-sim-file)
		$(use_enable eap eap-simaka-sql)
		$(use_enable eap eap-simaka-pseudonym)
		$(use_enable eap eap-simaka-reauth)
		$(use_enable eap eap-identity)
		$(use_enable eap eap-md5)
		$(use_enable eap eap-aka)
		$(use_enable eap eap-aka-3gpp2)
		$(use_enable eap eap-mschapv2)
		$(use_enable eap eap-radius)
		$(use_enable eap eap-tls)
		# Crypto back ends.
		$(use_enable openssl)
		$(use_enable gcrypt)
		# Database back ends.
		$(use_enable mysql)
		$(use_enable sqlite)
		$(use_enable dhcp)
		$(use_enable farp)
		$(use_enable networkmanager nm)
		"$(systemd_with_unitdir)"
		"${myconf[@]}"
	)

	econf "${econf_args[@]}"
}
# Installs the build into the image directory, adds the init script and
# fixes ownership and mode of the configuration files and of the
# /etc/ipsec.d credential tree.
src_install() {
	emake DESTDIR="${D}" install

	doinitd "${FILESDIR}"/ipsec

	# Owner and group of the /etc/ipsec.d tree: root, unless the daemons
	# run as the dedicated account.
	local dir_ugid="root"
	if use non-root; then
		# The unprivileged account becomes owner of both configuration
		# files, which also means it may rewrite them.
		# NOTE(review): /etc/ipsec.secrets is not mentioned in this
		# function; verify its owner and mode separately.
		fowners ${UGID}:${UGID} \
			/etc/ipsec.conf \
			/etc/strongswan.conf

		dir_ugid="${UGID}"
	fi

	# Mode 0750: no access for "other" on any directory of the tree,
	# including private/, which sits next to the certificate directories.
	diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
	dodir /etc/ipsec.d{,/aacerts,/acerts,/cacerts,/certs,/crls,/ocspcerts,/private,/reqs}

	# EAPI 5 helpers already abort on failure; the explicit die is
	# redundant but harmless.
	dodoc NEWS README TODO || die

	# shared libs are used only internally and there are no static libs,
	# so it's safe to get rid of the .la files
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
# Records, in two global variables read by pkg_postinst, what kind of older
# installation is being replaced. Each variable is 1 when has_version
# matches and 0 otherwise.
# Presumably done in this phase because the old version is still the
# installed one here -- confirm.
pkg_preinst() {
	# Upgrading from anything older than 4.3.6-r1?
	if has_version "<net-misc/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	else
		upgrade_from_leq_4_3_6=0
	fi

	# The atom matches such an old version built with the 'caps' flag
	# disabled; pkg_postinst uses it for the privilege-change warning.
	if has_version "<net-misc/strongswan-4.3.6-r1[-caps]"; then
		previous_4_3_6_with_caps=1
	else
		previous_4_3_6_with_caps=0
	fi
}
# Post-merge notices: crypto back-end hints, a one-time permission fix when
# upgrading from versions before 4.3.6-r1, and privilege-related advice.
# Reads the two globals set by pkg_preinst.
pkg_postinst() {
	# Without the OpenSSL plugin some algorithms are missing; the wording
	# depends on whether libgcrypt is available as a fallback.
	if ! use openssl; then
		elog
		if ! use gcrypt; then
			elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
			elog "Please note that this might effect availability and speed of some"
			elog "cryptographic features. You are advised to enable the OpenSSL plugin."
		else
			elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
			elog "availability and speed of some cryptographic features. There will be"
			elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
			elog "25, 26) and ECDSA."
		fi
	fi

	if [[ "${upgrade_from_leq_4_3_6}" == 1 ]]; then
		# Tighten the mode of the already installed credential tree.
		# Only the mode changes, ownership is left alone, and a failing
		# chmod is not fatal because nothing checks its exit status.
		# NOTE(review): chmod follows symbolic links, and with
		# USE=non-root src_install gives this tree to the unprivileged
		# account; confirm the paths are real directories.
		local sub
		local -a ipsec_dirs=( "${ROOT}"/etc/ipsec.d )
		for sub in aacerts acerts cacerts certs crls ocspcerts private reqs; do
			ipsec_dirs+=( "${ROOT}"/etc/ipsec.d/${sub} )
		done
		chmod 0750 "${ipsec_dirs[@]}"

		ewarn
		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
		ewarn "security reasons. Your system installed directories have been"
		ewarn "updated accordingly. Please check if necessary."
		ewarn

		# The message says 'caps' used to imply running without root;
		# warn when the new build has not opted into non-root.
		if [[ "${previous_4_3_6_with_caps}" == 1 ]] && ! use non-root; then
			ewarn
			ewarn "IMPORTANT: You previously had ${PN} installed without root"
			ewarn "privileges because it was implied by the 'caps' USE flag."
			ewarn "This has been changed. If you want ${PN} with user privileges,"
			ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
			ewarn
		fi
	fi

	# Neither hardening option selected: the daemon runs as root with its
	# full capability set.
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi

	# NOTE(review): the text below still talks about the 'pluto' daemon.
	# As far as I know strongSwan 5.x handles IKEv1 in charon and no
	# longer ships pluto, so the wording looks carried over from 4.x --
	# confirm.
	# NOTE(review): the suggested sudoers line lets the "ipsec" account
	# run every /usr/sbin/ipsec subcommand as any user without a
	# password, and SETENV together with 'sudo -E' keeps the caller's
	# environment. That gives back much of the privilege USE=non-root
	# takes away. Prefer a rule limited to the updown helper and without
	# SETENV where the deployment allows it.
	if use non-root; then
		elog
		elog "${PN} has been installed without superuser privileges (USE=non-root)."
		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
		elog "but also a few to the IKEv2 daemon 'charon'."
		elog
		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
		elog
		elog "pluto uses a helper script by default to insert/remove routing and"
		elog "policy rules upon connection start/stop which requires superuser"
		elog "privileges. charon in contrast does this internally and can do so"
		elog "even with reduced (user) privileges."
		elog
		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
		elog "script to pluto or charon which requires superuser privileges, you"
		elog "can work around this limitation by using sudo to grant the"
		elog "user \"ipsec\" the appropriate rights."
		elog "For example (the default case):"
		elog "/etc/sudoers:"
		elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
		elog "Under the specific connection block in /etc/ipsec.conf:"
		elog " leftupdown=\"sudo -E ipsec _updown iptables\""
		elog
	fi

	# Always shown: pointers to the kernel module list and the manual.
	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog " http://wiki.strongswan.org/"
	elog
}
