/[gentoo-x86]/net-misc/strongswan/strongswan-5.2.1.ebuild

Contents of /net-misc/strongswan/strongswan-5.2.1.ebuild



Revision 1.2 - (show annotations) (download)
Sun Jan 11 09:02:58 2015 UTC (4 years, 11 months ago) by gurligebis
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +1 -1 lines
FILE REMOVED
Bumping to 5.2.2, which contains the fix for CVE-2014-9221; this 5.2.1 ebuild is removed as part of the bump.

(Portage version: 2.2.15/cvs/Linux x86_64, signed Manifest commit with key 15AE484C)

1 # Copyright 1999-2014 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-5.2.1.ebuild,v 1.1 2014/10/26 13:13:00 gurligebis Exp $
4
# EAPI 5 ebuild.  The inherited eclasses supply the helpers used below:
#   eutils     - epatch_user (src_prepare)
#   linux-info - linux-info_pkg_setup, kernel_is, KV_FULL (pkg_setup)
#   systemd    - systemd_with_unitdir (src_configure)
#   user       - enewgroup/enewuser for the "ipsec" service account (pkg_setup)
EAPI=5
inherit eutils linux-info systemd user
7
DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
# Plain-http fetch: the tarball's integrity rests on the digests recorded in
# the (signed) Manifest, not on the transport.
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA DES"
SLOT="0"
KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"

# Core USE flags.  The security-relevant ones default on: caps (capability
# dropping), non-root (dedicated daemon account), openssl (the backend that
# pkg_postinst says provides ECC) and the constraints plugin.
IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl sqlite pam pkcs11"

# Per-plugin USE flags strongswan_plugins_<name>, turned into --enable-<name>
# by src_configure.  STD plugins default on, OPT plugins default off.
STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
STRONGSWAN_PLUGINS_OPT="blowfish ccm ctr gcm ha ipseckey ntru padlock rdrand unbound whitelist"

for plugin in ${STRONGSWAN_PLUGINS_STD}; do
	IUSE+=" +strongswan_plugins_${plugin}"
done
for plugin in ${STRONGSWAN_PLUGINS_OPT}; do
	IUSE+=" strongswan_plugins_${plugin}"
done
26
# Dependencies shared by build and run time, sorted by USE flag.  The other
# *swan IPsec stacks are blocked (openswan here, libreswan in RDEPEND), which
# presumably avoids collisions on the shared "ipsec" command/config paths.
# openssl[-bindist]: the ECC support pkg_postinst attributes to the OpenSSL
# plugin needs a non-bindist OpenSSL build -- TODO confirm against the openssl
# ebuild's bindist handling.
COMMON_DEPEND="!net-misc/openswan
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	gcrypt? ( dev-libs/libgcrypt:0 )
	gmp? ( >=dev-libs/gmp-4.1.5 )
	ldap? ( net-nds/openldap )
	mysql? ( virtual/mysql )
	networkmanager? ( net-misc/networkmanager )
	openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
	pam? ( sys-libs/pam )
	sqlite? ( >=dev-db/sqlite-3.3.1 )
	strongswan_plugins_unbound? ( net-dns/unbound )"

# Build time only: kernel sources/headers for the kernel IPsec interface
# (see the version checks in pkg_setup).
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"

# Run time only: "ip" (presumably for the routing/policy handling mentioned
# in pkg_postinst), a syslog provider, and the libreswan blocker.
RDEPEND="${COMMON_DEPEND}
	sys-apps/iproute2
	virtual/logger
	!net-misc/libreswan"

# Name of the unprivileged service user and group (USE=non-root).
UGID="ipsec"
48
pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# Kernels older than 2.6.16 are reported as unsupported, but the build is
	# not aborted (presumably so the package can still be built for a kernel
	# other than the running one).
	kernel_is -ge 2 6 16 || {
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
	}

	# Feature gaps of older kernels (IPv6 modules, SHA-2 HMAC, AES-GMAC).
	# The notes are cumulative: a kernel below 2.6.29 receives all three.
	if kernel_is -lt 2 6 34; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn

		kernel_is -lt 2 6 29 && {
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		}

		kernel_is -lt 2 6 33 && {
			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
			ewarn "miss SHA384 and SHA512 HMAC support altogether."
			ewarn
			ewarn "If you need any of those features, please use kernel >= 2.6.33."
			ewarn
		}

		# < 2.6.34 is implied by the enclosing test; no further check needed.
		ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
		ewarn "ESP cipher is only included in kernels >= 2.6.34."
		ewarn
		ewarn "If you need it, please use kernel >= 2.6.34."
		ewarn
	fi

	# Dedicated unprivileged account for the daemon (USE=non-root).  The -1
	# placeholders leave uid, shell and home directory at the user.eclass
	# defaults (presumably a system uid, a nologin shell and no usable home --
	# verify in user.eclass); primary group is ${UGID}.
	if use non-root; then
		enewgroup "${UGID}"
		enewuser "${UGID}" -1 -1 -1 "${UGID}"
	fi
}
97
src_prepare() {
	# No bundled patches; only pick up user patches from /etc/portage/patches
	# (explicit eutils call -- EAPI 5 does not apply them by default).
	epatch_user
}
101
102 src_configure() {
103 local myconf=""
104
105 if use non-root; then
106 myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
107 fi
108
109 # If a user has already enabled db support, those plugins will
110 # most likely be desired as well. Besides they don't impose new
111 # dependencies and come at no cost (except for space).
112 if use mysql || use sqlite; then
113 myconf="${myconf} --enable-attr-sql --enable-sql"
114 fi
115
116 # strongSwan builds and installs static libs by default which are
117 # useless to the user (and to strongSwan for that matter) because no
118 # header files or alike get installed... so disabling them is safe.
119 if use pam && use eap; then
120 myconf="${myconf} --enable-eap-gtc"
121 else
122 myconf="${myconf} --disable-eap-gtc"
123 fi
124
125 for mod in $STRONGSWAN_PLUGINS_STD; do
126 if use strongswan_plugins_${mod}; then
127 myconf+=" --enable-${mod}"
128 fi
129 done
130
131 for mod in $STRONGSWAN_PLUGINS_OPT; do
132 if use strongswan_plugins_${mod}; then
133 myconf+=" --enable-${mod}"
134 fi
135 done
136
137 econf \
138 --disable-static \
139 --enable-ikev1 \
140 --enable-ikev2 \
141 --enable-swanctl \
142 --enable-socket-dynamic \
143 $(use_with caps capabilities libcap) \
144 $(use_enable curl) \
145 $(use_enable constraints) \
146 $(use_enable ldap) \
147 $(use_enable debug leak-detective) \
148 $(use_enable dhcp) \
149 $(use_enable eap eap-sim) \
150 $(use_enable eap eap-sim-file) \
151 $(use_enable eap eap-simaka-sql) \
152 $(use_enable eap eap-simaka-pseudonym) \
153 $(use_enable eap eap-simaka-reauth) \
154 $(use_enable eap eap-identity) \
155 $(use_enable eap eap-md5) \
156 $(use_enable eap eap-aka) \
157 $(use_enable eap eap-aka-3gpp2) \
158 $(use_enable eap md4) \
159 $(use_enable eap eap-mschapv2) \
160 $(use_enable eap eap-radius) \
161 $(use_enable eap eap-tls) \
162 $(use_enable eap xauth-eap) \
163 $(use_enable farp) \
164 $(use_enable gmp) \
165 $(use_enable gcrypt) \
166 $(use_enable mysql) \
167 $(use_enable networkmanager nm) \
168 $(use_enable openssl) \
169 $(use_enable pam xauth-pam) \
170 $(use_enable pkcs11) \
171 $(use_enable sqlite) \
172 "$(systemd_with_unitdir)" \
173 ${myconf}
174 }
175
src_install() {
	emake DESTDIR="${D}" install

	doinitd "${FILESDIR}"/ipsec

	# With USE=non-root the daemon account owns the two main config files and
	# the /etc/ipsec.d tree; otherwise everything stays root-owned.
	# NOTE(review): ownership (instead of read access via the group) lets a
	# compromised daemon rewrite its own configuration and key store; root:ipsec
	# with 0640/0750 would be the tighter choice -- verify the daemon only ever
	# reads these paths before changing it.
	local owner="root"
	if use non-root; then
		fowners "${UGID}:${UGID}" \
			/etc/ipsec.conf \
			/etc/strongswan.conf
		owner="${UGID}"
	fi

	# Credential material (private/, certs/, ...) lives under /etc/ipsec.d,
	# so the tree is created 0750 rather than with the default directory mode.
	local subdirs=(aacerts acerts cacerts certs crls ocspcerts private reqs)
	local sub paths=(/etc/ipsec.d)
	for sub in "${subdirs[@]}"; do
		paths+=("/etc/ipsec.d/${sub}")
	done
	diropts -m 0750 -o "${owner}" -g "${owner}"
	dodir "${paths[@]}"

	dodoc NEWS README TODO || die

	# No static archives are built (--disable-static) and the shared libs are
	# private to strongSwan, so the libtool .la files have no consumer.
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
209
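pkg_preinst() {
	# Both flags are deliberately global: pkg_postinst reads them to decide
	# whether the one-time /etc/ipsec.d permission tightening and the related
	# warnings apply.

	# Upgrading from a version older than 4.3.6-r1?
	if has_version "<net-misc/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	else
		upgrade_from_leq_4_3_6=0
	fi

	# Did that old build have USE=caps?  Back then caps implied running as the
	# unprivileged user (see the pkg_postinst warning), so the test must match
	# builds with the flag *enabled* ("[caps]"); a "[-caps]" test would select
	# exactly the installs the warning does not apply to.
	if has_version "<net-misc/strongswan-4.3.6-r1[caps]"; then
		previous_4_3_6_with_caps=1
	else
		previous_4_3_6_with_caps=0
	fi
}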
217
# pkg_postinst helper: crypto-backend advice.  Per the message text, the
# OpenSSL plugin is what provides ECC (DH groups 19-21, 25, 26, ECDSA).
_strongswan_postinst_crypto() {
	if ! use openssl && ! use gcrypt; then
		elog
		elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
		elog "Please note that this might effect availability and speed of some"
		elog "cryptographic features. You are advised to enable the OpenSSL plugin."
	elif ! use openssl; then
		elog
		elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
		elog "availability and speed of some cryptographic features. There will be"
		elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
		elog "25, 26) and ECDSA."
	fi
}

# pkg_postinst helper: one-time migration for installs older than 4.3.6-r1
# (the flags come from pkg_preinst): tighten the live /etc/ipsec.d tree to
# 0750 and tell users whose old USE=caps build ran unprivileged that this is
# now governed by USE=non-root.
_strongswan_postinst_upgrade() {
	[[ ${upgrade_from_leq_4_3_6} == 1 ]] || return 0

	local sub
	local -a dirs=("${ROOT}"/etc/ipsec.d)
	for sub in aacerts acerts cacerts certs crls ocspcerts private reqs; do
		dirs+=("${ROOT}/etc/ipsec.d/${sub}")
	done
	# Best effort: a missing directory only yields a chmod error, not a die.
	chmod 0750 "${dirs[@]}"

	ewarn
	ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
	ewarn "security reasons. Your system installed directories have been"
	ewarn "updated accordingly. Please check if necessary."
	ewarn

	if [[ ${previous_4_3_6_with_caps} == 1 ]] && ! use non-root; then
		ewarn
		ewarn "IMPORTANT: You previously had ${PN} installed without root"
		ewarn "privileges because it was implied by the 'caps' USE flag."
		ewarn "This has been changed. If you want ${PN} with user privileges,"
		ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
		ewarn
	fi
}

# pkg_postinst helper: privilege-model notes.  Root without capability
# dropping gets a warning; USE=non-root gets the updown/sudo recipe.
_strongswan_postinst_privileges() {
	if ! use caps && ! use non-root; then
		ewarn
		ewarn "You have decided to run ${PN} with root privileges and built it"
		ewarn "without support for POSIX capability dropping. It is generally"
		ewarn "strongly suggested that you reconsider- especially if you intend"
		ewarn "to run ${PN} as server with a public ip address."
		ewarn
		ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
		ewarn
	fi

	use non-root || return 0

	# NOTE(review): the text still describes a separate IKEv1 daemon "pluto";
	# in this 5.x ebuild IKEv1 is just a charon switch (--enable-ikev1 in
	# src_configure), so that part of the advice looks stale.
	# NOTE(review): the suggested sudoers line grants the ipsec account
	# passwordless root for the whole "ipsec" wrapper, with SETENV on top.
	# That is presumably root-equivalent for a compromised daemon (any ipsec
	# subcommand, caller-controlled environment), which largely undoes the
	# isolation USE=non-root is meant to give; a rule limited to the updown
	# script and without SETENV would be preferable -- confirm with upstream's
	# nonRoot documentation before changing the advice.
	elog
	elog "${PN} has been installed without superuser privileges (USE=non-root)."
	elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
	elog "but also a few to the IKEv2 daemon 'charon'."
	elog
	elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
	elog
	elog "pluto uses a helper script by default to insert/remove routing and"
	elog "policy rules upon connection start/stop which requires superuser"
	elog "privileges. charon in contrast does this internally and can do so"
	elog "even with reduced (user) privileges."
	elog
	elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
	elog "script to pluto or charon which requires superuser privileges, you"
	elog "can work around this limitation by using sudo to grant the"
	elog "user \"ipsec\" the appropriate rights."
	elog "For example (the default case):"
	elog "/etc/sudoers:"
	elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
	elog "Under the specific connection block in /etc/ipsec.conf:"
	elog " leftupdown=\"sudo -E ipsec _updown iptables\""
	elog
}

# Post-install messages, in order: crypto backend, legacy-upgrade migration,
# privilege model, and the generic kernel-module/manual pointers.
pkg_postinst() {
	_strongswan_postinst_crypto
	_strongswan_postinst_upgrade
	_strongswan_postinst_privileges

	elog
	elog "Make sure you have _all_ required kernel modules available including"
	elog "the appropriate cryptographic algorithms. A list is available at:"
	elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
	elog
	elog "The up-to-date manual is available online at:"
	elog " http://wiki.strongswan.org/"
	elog
}
