
Contents of /net-misc/strongswan/strongswan-5.1.1.ebuild



Revision 1.8 - (show annotations) (download)
Sat May 10 15:22:51 2014 UTC (5 years, 7 months ago) by gurligebis
Branch: MAIN
CVS Tags: HEAD
Changes since 1.7: +1 -1 lines
FILE REMOVED
Removing old version, with known issues, fixing bug #507722 and #509832

(Portage version: 2.2.10/cvs/Linux i686, signed Manifest commit with key 15AE484C)

1 # Copyright 1999-2014 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-5.1.1.ebuild,v 1.7 2014/03/01 22:21:33 mgorny Exp $
4
5 EAPI=5
6 inherit eutils linux-info systemd user
7
8 DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
9 HOMEPAGE="http://www.strongswan.org/"
10 SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
11
12 LICENSE="GPL-2 RSA DES"
13 SLOT="0"
14 KEYWORDS="amd64 arm ppc ~ppc64 x86"
15 IUSE="+caps curl debug dhcp eap farp gcrypt ldap mysql networkmanager +non-root +openssl sqlite pam"
16
17 COMMON_DEPEND="!net-misc/openswan
18 >=dev-libs/gmp-4.1.5
19 gcrypt? ( dev-libs/libgcrypt:0 )
20 caps? ( sys-libs/libcap )
21 curl? ( net-misc/curl )
22 ldap? ( net-nds/openldap )
23 openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
24 mysql? ( virtual/mysql )
25 sqlite? ( >=dev-db/sqlite-3.3.1 )
26 networkmanager? ( net-misc/networkmanager )
27 pam? ( sys-libs/pam )"
28 DEPEND="${COMMON_DEPEND}
29 virtual/linux-sources
30 sys-kernel/linux-headers"
31 RDEPEND="${COMMON_DEPEND}
32 virtual/logger
33 sys-apps/iproute2
34 !net-misc/libreswan"
35
36 UGID="ipsec"
37
# Pre-build checks: report the target kernel, print advisories about IPsec
# features missing from older kernels, and create the dedicated account and
# group when USE=non-root is set.
pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Reported only: nothing here aborts the build on a kernel below 2.6.16.
	kernel_is -ge 2 6 16 || {
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
	}

	# Everything in this branch is advisory text for kernels older than 2.6.34.
	if kernel_is -lt 2 6 34; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn

		kernel_is -lt 2 6 29 && {
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		}

		# Affects interoperability of SHA-2 based ESP integrity protection.
		kernel_is -lt 2 6 33 && {
			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
			ewarn "miss SHA384 and SHA512 HMAC support altogether."
			ewarn
			ewarn "If you need any of those features, please use kernel >= 2.6.33."
			ewarn
		}

		kernel_is -lt 2 6 34 && {
			ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
			ewarn "ESP cipher is only included in kernels >= 2.6.34."
			ewarn
			ewarn "If you need it, please use kernel >= 2.6.34."
			ewarn
		}
	fi

	# Dedicated group and user for the daemons; each -1 asks the eclass for
	# its default uid, shell and home directory.
	if use non-root; then
		enewgroup "${UGID}"
		enewuser "${UGID}" -1 -1 -1 "${UGID}"
	fi
}
86
# Source preparation: the only step is applying locally supplied user patches.
# A build that picked up such patches no longer corresponds to the upstream
# tarball alone, which matters when auditing what was actually installed.
src_prepare() {
	epatch_user
}
90
# Translate the USE flags into ./configure switches and hand them to econf.
src_configure() {
	# Switches that do not map one-to-one onto a USE flag; passed last.
	local -a extra_flags=()

	# USE=non-root: name the account and group the daemons are built to run under.
	if use non-root; then
		extra_flags+=( --with-user=${UGID} --with-group=${UGID} )
	fi

	# If a user has already enabled db support, those plugins will
	# most likely be desired as well. Besides they don't impose new
	# dependencies and come at no cost (except for space).
	if use mysql || use sqlite; then
		extra_flags+=( --enable-attr-sql --enable-sql )
	fi

	# EAP-GTC is built only when both PAM and EAP support were requested.
	if use pam && use eap; then
		extra_flags+=( --enable-eap-gtc )
	else
		extra_flags+=( --disable-eap-gtc )
	fi

	# USE=eap switches every plugin in this list on or off together. That
	# includes eap-md5, a challenge/response method without mutual
	# authentication, so the methods actually offered to peers should be
	# narrowed in the connection configuration rather than left to the build.
	local -a eap_flags=()
	local plugin
	for plugin in \
		eap-sim eap-sim-file eap-simaka-sql eap-simaka-pseudonym \
		eap-simaka-reauth eap-identity eap-md5 eap-aka eap-aka-3gpp2 \
		eap-mschapv2 eap-radius eap-tls
	do
		eap_flags+=( $(use_enable eap "${plugin}") )
	done

	# strongSwan builds and installs static libs by default which are
	# useless to the user (and to strongSwan for that matter) because no
	# header files or alike get installed... so --disable-static is safe.
	econf \
		--disable-static \
		--enable-ikev1 \
		--enable-ikev2 \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable ldap) \
		$(use_enable debug leak-detective) \
		"${eap_flags[@]}" \
		$(use_enable openssl) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable sqlite) \
		$(use_enable dhcp) \
		$(use_enable farp) \
		$(use_enable networkmanager nm) \
		"$(systemd_with_unitdir)" \
		"${extra_flags[@]}"
}
143
# Install into the image directory, add the init script, and create the
# /etc/ipsec.d tree with restrictive ownership and mode.
src_install() {
	emake DESTDIR="${D}" install

	doinitd "${FILESDIR}"/ipsec

	# Owner and group of the /etc/ipsec.d tree: root unless USE=non-root.
	local dir_ugid="root"
	if use non-root; then
		# NOTE(review): the daemon account becomes the owner of both
		# configuration files, so a process running as that account can
		# rewrite them -- confirm this is intended rather than read-only access.
		fowners ${UGID}:${UGID} \
			/etc/ipsec.conf \
			/etc/strongswan.conf

		dir_ugid="${UGID}"
	fi

	# Mode 0750 leaves the certificate and private-key directories without
	# any access for accounts outside the owning user and group.
	diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
	dodir /etc/ipsec.d{,/aacerts,/acerts,/cacerts,/certs,/crls,/ocspcerts,/private,/reqs}

	dodoc NEWS README TODO || die

	# shared libs are used only internally and there are no static libs,
	# so it's safe to get rid of the .la files
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
177
# Record, before the new files are merged, what kind of older installation is
# being replaced. Both results are stored as 1/0 in global variables.
pkg_preinst() {
	# 1 when a version older than 4.3.6-r1 is currently installed.
	if has_version "<net-misc/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	else
		upgrade_from_leq_4_3_6=0
	fi

	# NOTE(review): the [-caps] USE dependency matches an older install built
	# with caps disabled, while the variable name suggests an install that had
	# caps enabled -- confirm which one is meant.
	if has_version "<net-misc/strongswan-4.3.6-r1[-caps]"; then
		previous_4_3_6_with_caps=1
	else
		previous_4_3_6_with_caps=0
	fi
}
185
186 pkg_postinst() {
187 if ! use openssl && ! use gcrypt; then
188 elog
189 elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
190 elog "Please note that this might effect availability and speed of some"
191 elog "cryptographic features. You are advised to enable the OpenSSL plugin."
192 elif ! use openssl; then
193 elog
194 elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
195 elog "availability and speed of some cryptographic features. There will be"
196 elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
197 elog "25, 26) and ECDSA."
198 fi
199
200 if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
201 chmod 0750 "${ROOT}"/etc/ipsec.d \
202 "${ROOT}"/etc/ipsec.d/aacerts \
203 "${ROOT}"/etc/ipsec.d/acerts \
204 "${ROOT}"/etc/ipsec.d/cacerts \
205 "${ROOT}"/etc/ipsec.d/certs \
206 "${ROOT}"/etc/ipsec.d/crls \
207 "${ROOT}"/etc/ipsec.d/ocspcerts \
208 "${ROOT}"/etc/ipsec.d/private \
209 "${ROOT}"/etc/ipsec.d/reqs
210
211 ewarn
212 ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
213 ewarn "security reasons. Your system installed directories have been"
214 ewarn "updated accordingly. Please check if necessary."
215 ewarn
216
217 if [[ $previous_4_3_6_with_caps == 1 ]]; then
218 if ! use non-root; then
219 ewarn
220 ewarn "IMPORTANT: You previously had ${PN} installed without root"
221 ewarn "privileges because it was implied by the 'caps' USE flag."
222 ewarn "This has been changed. If you want ${PN} with user privileges,"
223 ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
224 ewarn
225 fi
226 fi
227 fi
228 if ! use caps && ! use non-root; then
229 ewarn
230 ewarn "You have decided to run ${PN} with root privileges and built it"
231 ewarn "without support for POSIX capability dropping. It is generally"
232 ewarn "strongly suggested that you reconsider- especially if you intend"
233 ewarn "to run ${PN} as server with a public ip address."
234 ewarn
235 ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
236 ewarn
237 fi
238 if use non-root; then
239 elog
240 elog "${PN} has been installed without superuser privileges (USE=non-root)."
241 elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
242 elog "but also a few to the IKEv2 daemon 'charon'."
243 elog
244 elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
245 elog
246 elog "pluto uses a helper script by default to insert/remove routing and"
247 elog "policy rules upon connection start/stop which requires superuser"
248 elog "privileges. charon in contrast does this internally and can do so"
249 elog "even with reduced (user) privileges."
250 elog
251 elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
252 elog "script to pluto or charon which requires superuser privileges, you"
253 elog "can work around this limitation by using sudo to grant the"
254 elog "user \"ipsec\" the appropriate rights."
255 elog "For example (the default case):"
256 elog "/etc/sudoers:"
257 elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
258 elog "Under the specific connection block in /etc/ipsec.conf:"
259 elog " leftupdown=\"sudo -E ipsec _updown iptables\""
260 elog
261 fi
262 elog
263 elog "Make sure you have _all_ required kernel modules available including"
264 elog "the appropriate cryptographic algorithms. A list is available at:"
265 elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
266 elog
267 elog "The up-to-date manual is available online at:"
268 elog " http://wiki.strongswan.org/"
269 elog
270 }
