
Contents of /net-misc/strongswan/strongswan-5.1.3.ebuild



Revision 1.8 - (show annotations) (download)
Sat Jun 6 16:11:32 2015 UTC (4 years, 6 months ago) by gurligebis
Branch: MAIN
CVS Tags: HEAD
Changes since 1.7: +1 -1 lines
FILE REMOVED
Removing old version, wrt. bug #536226

(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 15AE484C)

1 # Copyright 1999-2014 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-5.1.3.ebuild,v 1.7 2014/05/10 14:00:53 ago Exp $
4
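# Ebuild API level; selects which Portage helper semantics apply to this file.
EAPI=5
# eclasses supplying the helpers used below: epatch_user (eutils),
# linux-info_pkg_setup / kernel_is (linux-info), systemd_with_unitdir
# (systemd) and enewgroup / enewuser (user).
inherit eutils linux-info systemd user

DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
# Upstream is reachable over HTTPS. Portage still checks the tarball against
# the Manifest digests; TLS additionally protects the transfer itself from
# tampering and observation on the network path.
HOMEPAGE="https://www.strongswan.org/"
SRC_URI="https://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA DES"
SLOT="0"
KEYWORDS="amd64 arm ppc ~ppc64 x86"
# Flags prefixed with '+' are enabled by default. Note that 'caps' and
# 'non-root' are the two privilege-reduction knobs; pkg_postinst warns when
# both are switched off.
IUSE="+caps curl +constraints debug dhcp eap farp gcrypt ldap mysql networkmanager +non-root +openssl sqlite pam"

# Needed both at build time and at run time. The leading '!' entry is a
# blocker: openswan must not be installed alongside this package.
COMMON_DEPEND="!net-misc/openswan
	>=dev-libs/gmp-4.1.5
	gcrypt? ( dev-libs/libgcrypt:0 )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )
	networkmanager? ( net-misc/networkmanager )
	pam? ( sys-libs/pam )"
# Build-only additions: kernel sources and headers (pkg_setup inspects the
# kernel version through linux-info).
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
# Run-time additions, plus a second blocker against libreswan.
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2
	!net-misc/libreswan"

# Name used for both the unprivileged user and its group when USE=non-root.
UGID="ipsec"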
37
pkg_setup() {
	# Let linux-info work out the kernel version first; KV_FULL and the
	# kernel_is tests below rely on it.
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Anything older than 2.6.16 is reported as unsupported. There is no
	# 'die' here, so this is a message only and the build carries on.
	kernel_is -ge 2 6 16 || {
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
	}

	# Kernels below 2.6.34 get a banner followed by one paragraph per
	# missing or non-conforming kernel IPsec feature.
	if kernel_is -lt 2 6 34; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn

		# IPv6 modules are required even for IPv4-only setups.
		if kernel_is -lt 2 6 29; then
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		fi

		# SHA-2 HMAC in ESP: non-standard on these kernels, and SHA384/SHA512
		# HMAC are absent, which limits the integrity algorithms peers can
		# agree on.
		if kernel_is -lt 2 6 33; then
			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
			ewarn "miss SHA384 and SHA512 HMAC support altogether."
			ewarn
			ewarn "If you need any of those features, please use kernel >= 2.6.33."
			ewarn
		fi

		# Same test as the enclosing block, so this paragraph is always
		# printed once the banner above has been shown.
		if kernel_is -lt 2 6 34; then
			ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
			ewarn "ESP cipher is only included in kernels >= 2.6.34."
			ewarn
			ewarn "If you need it, please use kernel >= 2.6.34."
			ewarn
		fi
	fi

	# USE=non-root: create the dedicated group and user the daemon will run
	# as. The three -1 arguments leave enewuser's optional settings at their
	# defaults; the last argument puts the user into the ${UGID} group.
	if use non-root; then
		enewgroup "${UGID}"
		enewuser "${UGID}" -1 -1 -1 "${UGID}"
	fi
}
86
src_prepare() {
	# This version applies no patches of its own. The single hook is
	# epatch_user from eutils, which applies patches the local administrator
	# has placed for this package (conventionally under /etc/portage/patches).
	# Those patches end up in a network-facing daemon, so they deserve the
	# same review as any other source change.
	epatch_user
}
90
src_configure() {
	# Conditional ./configure switches, collected as separate words and
	# appended after the fixed argument list.
	local -a extra_args=()

	# USE=non-root: have the daemon drop to the dedicated user and group.
	if use non-root; then
		extra_args+=( "--with-user=${UGID}" "--with-group=${UGID}" )
	fi

	# If a user has already enabled db support, those plugins will
	# most likely be desired as well. Besides they don't impose new
	# dependencies and come at no cost (except for space).
	if use mysql || use sqlite; then
		extra_args+=( --enable-attr-sql --enable-sql )
	fi

	# eap-gtc is only built when both 'pam' and 'eap' are set; in every
	# other combination it is switched off explicitly.
	if use pam && use eap; then
		extra_args+=( --enable-eap-gtc )
	else
		extra_args+=( --disable-eap-gtc )
	fi

	# --disable-static: strongSwan builds and installs static libs by
	# default which are useless to the user (and to strongSwan for that
	# matter) because no header files or alike get installed... so disabling
	# them is safe.
	#
	# USE=eap switches on the whole EAP plugin family at once, including
	# eap-md5 and eap-mschapv2, which are weak when used on their own.
	# Building a plugin only makes it available; review which methods the
	# deployed connection configuration actually accepts.
	econf \
		--disable-static \
		--enable-ikev1 \
		--enable-ikev2 \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable constraints) \
		$(use_enable ldap) \
		$(use_enable debug leak-detective) \
		$(use_enable eap eap-sim) \
		$(use_enable eap eap-sim-file) \
		$(use_enable eap eap-simaka-sql) \
		$(use_enable eap eap-simaka-pseudonym) \
		$(use_enable eap eap-simaka-reauth) \
		$(use_enable eap eap-identity) \
		$(use_enable eap eap-md5) \
		$(use_enable eap eap-aka) \
		$(use_enable eap eap-aka-3gpp2) \
		$(use_enable eap eap-mschapv2) \
		$(use_enable eap eap-radius) \
		$(use_enable eap eap-tls) \
		$(use_enable openssl) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable sqlite) \
		$(use_enable dhcp) \
		$(use_enable farp) \
		$(use_enable networkmanager nm) \
		"$(systemd_with_unitdir)" \
		"${extra_args[@]}"
}
144
src_install() {
	# Stage upstream's install into the image directory.
	emake DESTDIR="${D}" install

	# OpenRC init script shipped in the ebuild's files/ directory.
	doinitd "${FILESDIR}"/ipsec

	# Owner of the /etc/ipsec.d tree: root unless the daemon runs as its own
	# account, in which case that account also takes over the two main
	# configuration files.
	# NOTE(review): with USE=non-root the daemon account can therefore
	# rewrite its own configuration. /etc/ipsec.secrets is not touched here;
	# its owner and mode are whatever 'make install' produced. Confirm the
	# non-root daemon can read it and nobody else can.
	local dir_ugid="root"
	if use non-root; then
		fowners "${UGID}:${UGID}" \
			/etc/ipsec.conf \
			/etc/strongswan.conf

		dir_ugid="${UGID}"
	fi

	# Credential directories (ipsec.d/private is where strongSwan looks for
	# private keys) are created 0750: owner and group only, no world access.
	local -a ipsec_dirs=(
		/etc/ipsec.d
		/etc/ipsec.d/aacerts
		/etc/ipsec.d/acerts
		/etc/ipsec.d/cacerts
		/etc/ipsec.d/certs
		/etc/ipsec.d/crls
		/etc/ipsec.d/ocspcerts
		/etc/ipsec.d/private
		/etc/ipsec.d/reqs
	)
	diropts -m 0750 -o "${dir_ugid}" -g "${dir_ugid}"
	dodir "${ipsec_dirs[@]}"

	dodoc NEWS README TODO || die

	# shared libs are used only internally and there are no static libs,
	# so it's safe to get rid of the .la files
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
178
pkg_preinst() {
	# Record, before the new files are merged, what is installed right now.
	# Both flags are deliberately global (no 'local'): pkg_postinst reads
	# them to decide whether directory permissions need tightening and
	# whether the caps/non-root notice applies. Each ends up as 1 or 0.

	# 1 when the installed version is older than 4.3.6-r1.
	if has_version "<net-misc/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	else
		upgrade_from_leq_4_3_6=0
	fi

	# 1 when the query for such an old version with the [-caps] USE
	# dependency succeeds.
	# NOTE(review): the variable name says "with caps" while the atom asks
	# for -caps; confirm which of the two is intended.
	if has_version "<net-misc/strongswan-4.3.6-r1[-caps]"; then
		previous_4_3_6_with_caps=1
	else
		previous_4_3_6_with_caps=0
	fi
}
186
pkg_postinst() {
	# Crypto backend notice: only relevant when the OpenSSL plugin is off.
	# Without libgcrypt either, the broader message is shown; with libgcrypt
	# present, the message names what is lost (ECC DH groups and ECDSA).
	if ! use openssl; then
		if ! use gcrypt; then
			elog
			elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
			elog "Please note that this might effect availability and speed of some"
			elog "cryptographic features. You are advised to enable the OpenSSL plugin."
		else
			elog
			elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
			elog "availability and speed of some cryptographic features. There will be"
			elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
			elog "25, 26) and ECDSA."
		fi
	fi

	# Upgrade from a version older than 4.3.6-r1 (flag set in pkg_preinst):
	# bring the existing credential directories on the live filesystem down
	# to 0750, matching what src_install creates for fresh installs.
	if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
		local sub
		local -a tightened=( "${ROOT}/etc/ipsec.d" )
		for sub in aacerts acerts cacerts certs crls ocspcerts private reqs; do
			tightened+=( "${ROOT}/etc/ipsec.d/${sub}" )
		done
		# Only the mode is changed; ownership is left as it was.
		chmod 0750 "${tightened[@]}"

		ewarn
		ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
		ewarn "security reasons. Your system installed directories have been"
		ewarn "updated accordingly. Please check if necessary."
		ewarn

		# Shown when pkg_preinst set the second flag and the new build is
		# not USE=non-root: the message tells the administrator that 'caps'
		# no longer implies running without root.
		if [[ $previous_4_3_6_with_caps == 1 ]] && ! use non-root; then
			ewarn
			ewarn "IMPORTANT: You previously had ${PN} installed without root"
			ewarn "privileges because it was implied by the 'caps' USE flag."
			ewarn "This has been changed. If you want ${PN} with user privileges,"
			ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
			ewarn
		fi
	fi

	# Neither privilege-reduction option is active: the daemon keeps full
	# root for its whole lifetime, so any flaw in its network-facing code
	# runs with full privileges.
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi

	# USE=non-root guidance.
	# NOTE(review): the sudoers example below combines NOPASSWD and SETENV
	# with 'sudo -E', i.e. the "ipsec" account may run /usr/sbin/ipsec as
	# root with an environment of its own choosing, and under USE=non-root
	# that account also owns /etc/ipsec.conf (see fowners in src_install).
	# That gives much of root's authority back to the account the flag was
	# meant to confine; administrators should scope the rule as narrowly as
	# their updown script allows.
	# NOTE(review): the text still talks about the 'pluto' daemon; it looks
	# carried over from 4.x ebuilds. Confirm whether this version still
	# installs pluto.
	if use non-root; then
		elog
		elog "${PN} has been installed without superuser privileges (USE=non-root)."
		elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
		elog "but also a few to the IKEv2 daemon 'charon'."
		elog
		elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
		elog
		elog "pluto uses a helper script by default to insert/remove routing and"
		elog "policy rules upon connection start/stop which requires superuser"
		elog "privileges. charon in contrast does this internally and can do so"
		elog "even with reduced (user) privileges."
		elog
		elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
		elog "script to pluto or charon which requires superuser privileges, you"
		elog "can work around this limitation by using sudo to grant the"
		elog "user \"ipsec\" the appropriate rights."
		elog "For example (the default case):"
		elog "/etc/sudoers:"
		elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
		elog "Under the specific connection block in /etc/ipsec.conf:"
		elog " leftupdown=\"sudo -E ipsec _updown iptables\""
		elog
	fi

	# Always shown: pointers to the kernel module list and the online manual.
	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog " http://wiki.strongswan.org/"
	elog
}
