Package-Manager: Portage-2.3.24, Repoman-2.3.6
1 parent
5eb373a
commit e7b41c0
Showing
2 changed files
with
304 additions
and
0 deletions.
@@ -1,2 +1,3 @@ | ||
DIST strongswan-5.5.3.tar.bz2 4768820 BLAKE2B 9f9da6c2ef27cec7f6a07f1cd5a7ecc8a92576fad2a5c6379b93d8a2e9d3b0804fe26dc0bc7b303754ef499ee938549c7cafbdf9a3f8f818d14cf88f613fe0fd SHA512 0b0b25d2102c98cda54300dc8c3c3a49a55e64f7c695dda65a24f2194f19bce0b7aab9e4f7486c243b552f9d1a94867d6a8782ee504aad1c9973809706d599ac | ||
DIST strongswan-5.6.0.tar.bz2 4850722 BLAKE2B edb9f2b277cd8bccf886a824e4b3fb3c06af7510d9e21283fcb8d8ba9cf234f38182fcd1ca0c350b4039945ab10888406986d9a0b8edac24fe09faf0b8967fb2 SHA512 9362069a01c3642e62864d88fdb409a3c7514bf7c92cbe36e552c6a80915119cf5bb91c39592aab2d15b562684a0628a764e4fa7636d3b5fd2ebaf165c0ce649 | ||
DIST strongswan-5.6.2.tar.bz2 4977859 BLAKE2B 83943ec95e6b95724e9fc130a09f7c7364147d0ce50528ac8b64452db53516b143e92c7dcb746c0c25aaac9182dda14d55e5c267fbdcd5bb9a63cbf48801274b SHA512 cf2d5cb6c45d991fe0ad8eed4ea8628f95a1871e9728ddf0985aa26e78d1e6da1c92c961772aafd3e55cfcfa84516204a15561389d373f78140f05607b248c52 |
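--- /dev/null
+++ b/<EBUILD_PATH_NOT_SHOWN_ON_PAGE>
@@ -0,0 +1,303 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+inherit eutils linux-info systemd user
+
+DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
+HOMEPAGE="http://www.strongswan.org/"
+SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
+
+LICENSE="GPL-2 RSA DES"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite pam pkcs11"
+
+STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
+STRONGSWAN_PLUGINS_OPT="blowfish ccm ctr gcm ha ipseckey ntru padlock rdrand unbound whitelist"
+for mod in $STRONGSWAN_PLUGINS_STD; do
+IUSE="${IUSE} +strongswan_plugins_${mod}"
+done
+
+for mod in $STRONGSWAN_PLUGINS_OPT; do
+IUSE="${IUSE} strongswan_plugins_${mod}"
+done
+
+COMMON_DEPEND="!net-misc/openswan
+gmp? ( >=dev-libs/gmp-4.1.5:= )
+gcrypt? ( dev-libs/libgcrypt:0 )
+caps? ( sys-libs/libcap )
+curl? ( net-misc/curl )
+ldap? ( net-nds/openldap )
+openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] )
+mysql? ( virtual/mysql )
+sqlite? ( >=dev-db/sqlite-3.3.1 )
+networkmanager? ( net-misc/networkmanager )
+pam? ( sys-libs/pam )
+strongswan_plugins_unbound? ( net-dns/unbound net-libs/ldns )"
+DEPEND="${COMMON_DEPEND}
+virtual/linux-sources
+sys-kernel/linux-headers"
+RDEPEND="${COMMON_DEPEND}
+virtual/logger
+sys-apps/iproute2
+!net-vpn/libreswan
+selinux? ( sec-policy/selinux-ipsec )"
+
+UGID="ipsec"
+
+pkg_setup() {
+linux-info_pkg_setup
+elog "Linux kernel version: ${KV_FULL}"
+
+if ! kernel_is -ge 2 6 16; then
+eerror
+eerror "This ebuild currently only supports ${PN} with the"
+eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
+eerror
+fi
+
+if kernel_is -lt 2 6 34; then
+ewarn
+ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
+ewarn
+
+if kernel_is -lt 2 6 29; then
+ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
+ewarn "include all required IPv6 modules even if you just intend"
+ewarn "to run on IPv4 only."
+ewarn
+ewarn "This has been fixed with kernels >= 2.6.29."
+ewarn
+fi
+
+if kernel_is -lt 2 6 33; then
+ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
+ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
+ewarn "miss SHA384 and SHA512 HMAC support altogether."
+ewarn
+ewarn "If you need any of those features, please use kernel >= 2.6.33."
+ewarn
+fi
+
+if kernel_is -lt 2 6 34; then
+ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
+ewarn "ESP cipher is only included in kernels >= 2.6.34."
+ewarn
+ewarn "If you need it, please use kernel >= 2.6.34."
+ewarn
+fi
+fi
+
+if use non-root; then
+enewgroup ${UGID}
+enewuser ${UGID} -1 -1 -1 ${UGID}
+fi
+}
+
+src_prepare() {
+epatch_user
+}
+
+src_configure() {
+local myconf=""
+
+if use non-root; then
+myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
+fi
+
+# If a user has already enabled db support, those plugins will
+# most likely be desired as well. Besides they don't impose new
+# dependencies and come at no cost (except for space).
+if use mysql || use sqlite; then
+myconf="${myconf} --enable-attr-sql --enable-sql"
+fi
+
+# strongSwan builds and installs static libs by default which are
+# useless to the user (and to strongSwan for that matter) because no
+# header files or alike get installed... so disabling them is safe.
+if use pam && use eap; then
+myconf="${myconf} --enable-eap-gtc"
+else
+myconf="${myconf} --disable-eap-gtc"
+fi
+
+for mod in $STRONGSWAN_PLUGINS_STD; do
+if use strongswan_plugins_${mod}; then
+myconf+=" --enable-${mod}"
+fi
+done
+
+for mod in $STRONGSWAN_PLUGINS_OPT; do
+if use strongswan_plugins_${mod}; then
+myconf+=" --enable-${mod}"
+fi
+done
+
+econf \
+--disable-static \
+--enable-ikev1 \
+--enable-ikev2 \
+--enable-swanctl \
+--enable-socket-dynamic \
+$(use_with caps capabilities libcap) \
+$(use_enable curl) \
+$(use_enable constraints) \
+$(use_enable ldap) \
+$(use_enable debug leak-detective) \
+$(use_enable dhcp) \
+$(use_enable eap eap-sim) \
+$(use_enable eap eap-sim-file) \
+$(use_enable eap eap-simaka-sql) \
+$(use_enable eap eap-simaka-pseudonym) \
+$(use_enable eap eap-simaka-reauth) \
+$(use_enable eap eap-identity) \
+$(use_enable eap eap-md5) \
+$(use_enable eap eap-aka) \
+$(use_enable eap eap-aka-3gpp2) \
+$(use_enable eap md4) \
+$(use_enable eap eap-mschapv2) \
+$(use_enable eap eap-radius) \
+$(use_enable eap eap-tls) \
+$(use_enable eap xauth-eap) \
+$(use_enable eap eap-dynamic) \
+$(use_enable farp) \
+$(use_enable gmp) \
+$(use_enable gcrypt) \
+$(use_enable mysql) \
+$(use_enable networkmanager nm) \
+$(use_enable openssl) \
+$(use_enable pam xauth-pam) \
+$(use_enable pkcs11) \
+$(use_enable sqlite) \
+"$(systemd_with_unitdir)" \
+${myconf}
+}
+
+src_install() {
+emake DESTDIR="${D}" install
+
+doinitd "${FILESDIR}"/ipsec
+
+local dir_ugid
+if use non-root; then
+fowners ${UGID}:${UGID} \
+/etc/ipsec.conf \
+/etc/strongswan.conf
+
+dir_ugid="${UGID}"
+else
+dir_ugid="root"
+fi
+
+diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
+dodir /etc/ipsec.d \
+/etc/ipsec.d/aacerts \
+/etc/ipsec.d/acerts \
+/etc/ipsec.d/cacerts \
+/etc/ipsec.d/certs \
+/etc/ipsec.d/crls \
+/etc/ipsec.d/ocspcerts \
+/etc/ipsec.d/private \
+/etc/ipsec.d/reqs
+
+dodoc NEWS README TODO || die
+
+# shared libs are used only internally and there are no static libs,
+# so it's safe to get rid of the .la files
+find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
+}
+
+pkg_preinst() {
+has_version "<net-vpn/strongswan-4.3.6-r1"
+upgrade_from_leq_4_3_6=$(( !$? ))
+
+has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
+previous_4_3_6_with_caps=$(( !$? ))
+}
+
+pkg_postinst() {
+if ! use openssl && ! use gcrypt; then
+elog
+elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
+elog "Please note that this might effect availability and speed of some"
+elog "cryptographic features. You are advised to enable the OpenSSL plugin."
+elif ! use openssl; then
+elog
+elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
+elog "availability and speed of some cryptographic features. There will be"
+elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
+elog "25, 26) and ECDSA."
+fi
+
+if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
+chmod 0750 "${ROOT}"/etc/ipsec.d \
+"${ROOT}"/etc/ipsec.d/aacerts \
+"${ROOT}"/etc/ipsec.d/acerts \
+"${ROOT}"/etc/ipsec.d/cacerts \
+"${ROOT}"/etc/ipsec.d/certs \
+"${ROOT}"/etc/ipsec.d/crls \
+"${ROOT}"/etc/ipsec.d/ocspcerts \
+"${ROOT}"/etc/ipsec.d/private \
+"${ROOT}"/etc/ipsec.d/reqs
+
+ewarn
+ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
+ewarn "security reasons. Your system installed directories have been"
+ewarn "updated accordingly. Please check if necessary."
+ewarn
+
+if [[ $previous_4_3_6_with_caps == 1 ]]; then
+if ! use non-root; then
+ewarn
+ewarn "IMPORTANT: You previously had ${PN} installed without root"
+ewarn "privileges because it was implied by the 'caps' USE flag."
+ewarn "This has been changed. If you want ${PN} with user privileges,"
+ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
+ewarn
+fi
+fi
+fi
+if ! use caps && ! use non-root; then
+ewarn
+ewarn "You have decided to run ${PN} with root privileges and built it"
+ewarn "without support for POSIX capability dropping. It is generally"
+ewarn "strongly suggested that you reconsider- especially if you intend"
+ewarn "to run ${PN} as server with a public ip address."
+ewarn
+ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
+ewarn
+fi
+if use non-root; then
+elog
+elog "${PN} has been installed without superuser privileges (USE=non-root)."
+elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
+elog "but also a few to the IKEv2 daemon 'charon'."
+elog
+elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
+elog
+elog "pluto uses a helper script by default to insert/remove routing and"
+elog "policy rules upon connection start/stop which requires superuser"
+elog "privileges. charon in contrast does this internally and can do so"
+elog "even with reduced (user) privileges."
+elog
+elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
+elog "script to pluto or charon which requires superuser privileges, you"
+elog "can work around this limitation by using sudo to grant the"
+elog "user \"ipsec\" the appropriate rights."
+elog "For example (the default case):"
+elog "/etc/sudoers:"
+elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
+elog "Under the specific connection block in /etc/ipsec.conf:"
+elog " leftupdown=\"sudo -E ipsec _updown iptables\""
+elog
+fi
+elog
+elog "Make sure you have _all_ required kernel modules available including"
+elog "the appropriate cryptographic algorithms. A list is available at:"
+elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
+elog
+elog "The up-to-date manual is available online at:"
+elog " http://wiki.strongswan.org/"
+elog
+}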
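Review bot: The three-line comment in src_configure that begins "strongSwan builds and installs static libs by default ... so disabling them is safe" sits above the `use pam && use eap` conditional but describes `--disable-static`, which is only passed in the `econf` call further down; move it to precede `econf \` and give the eap-gtc toggle its own note, e.g. `# eap-gtc is enabled only with both pam and eap — TODO(review): document why the PAM backend is required here`. The user-facing messages also carry wording slips that every installer will see: "AES-GMAC authentification-only" in pkg_setup should read "authentication-only", and "might effect availability" (twice in pkg_postinst) should read "might affect availability". In EAPI 5 `dodoc` already dies on failure, so `dodoc NEWS README TODO || die` can be shortened to `dodoc NEWS README TODO`. The `! kernel_is -ge 2 6 16` branch in pkg_setup prints `eerror` and then continues; if the IPsec stack is genuinely unsupported below that version the branch should end with `die`, otherwise the message should be reworded as advisory.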