
  1. # Copyright 1999-2016 Gentoo Foundation
  2. # Distributed under the terms of the GNU General Public License v2
  3. EAPI=5
  4. inherit eutils linux-info systemd user
DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
# Plain-http fetch: tarball integrity rests on the Manifest digests Portage
# verifies, not on transport security.
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"

LICENSE="GPL-2 RSA DES"
SLOT="0"
KEYWORDS="amd64 arm ppc ~ppc64 x86"

# 'caps' (POSIX capability dropping) and 'non-root' (run as the service
# account) are on by default; pkg_postinst warns loudly when both are off.
IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite pam pkcs11"

# Plugins exposed as strongswan_plugins_<name> flags: the STD list is on by
# default, the OPT list is off. src_configure walks the same two lists.
STRONGSWAN_PLUGINS_STD="led lookip systime-fix unity vici"
STRONGSWAN_PLUGINS_OPT="blowfish ccm ctr gcm ha ipseckey ntru padlock rdrand unbound whitelist"
for mod in ${STRONGSWAN_PLUGINS_STD}; do
	IUSE+=" +strongswan_plugins_${mod}"
done
for mod in ${STRONGSWAN_PLUGINS_OPT}; do
	IUSE+=" strongswan_plugins_${mod}"
done

# Blockers on the other *swan implementations (they presumably collide on
# the 'ipsec' command and init script). The openssl plugin needs an OpenSSL
# built without bindist; the pkg_postinst message lists what that plugin
# contributes (ECC groups, ECDSA).
COMMON_DEPEND="!net-misc/openswan
	gmp? ( >=dev-libs/gmp-4.1.5:= )
	gcrypt? ( dev-libs/libgcrypt:0 )
	caps? ( sys-libs/libcap )
	curl? ( net-misc/curl )
	ldap? ( net-nds/openldap )
	openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist] )
	mysql? ( virtual/mysql )
	sqlite? ( >=dev-db/sqlite-3.3.1 )
	networkmanager? ( net-misc/networkmanager )
	pam? ( sys-libs/pam )
	strongswan_plugins_unbound? ( net-dns/unbound )"
DEPEND="${COMMON_DEPEND}
	virtual/linux-sources
	sys-kernel/linux-headers"
RDEPEND="${COMMON_DEPEND}
	virtual/logger
	sys-apps/iproute2
	!net-vpn/libreswan
	selinux? ( sec-policy/selinux-ipsec )"

# Unprivileged user/group the daemon runs under when USE=non-root.
UGID="ipsec"
pkg_setup() {
	linux-info_pkg_setup
	elog "Linux kernel version: ${KV_FULL}"

	# NOTE(review): this only reports; the phase does not die on an old
	# kernel, so the build continues regardless of the check.
	if ! kernel_is -ge 2 6 16; then
		eerror
		eerror "This ebuild currently only supports ${PN} with the"
		eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
		eerror
	fi

	# Feature caveats for older kernels. Everything below sits inside the
	# '< 2.6.34' guard, so the AES-GMAC note needs no second check.
	if kernel_is -lt 2 6 34; then
		ewarn
		ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
		ewarn
		if kernel_is -lt 2 6 29; then
			ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
			ewarn "include all required IPv6 modules even if you just intend"
			ewarn "to run on IPv4 only."
			ewarn
			ewarn "This has been fixed with kernels >= 2.6.29."
			ewarn
		fi
		if kernel_is -lt 2 6 33; then
			ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
			ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
			ewarn "miss SHA384 and SHA512 HMAC support altogether."
			ewarn
			ewarn "If you need any of those features, please use kernel >= 2.6.33."
			ewarn
		fi
		ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
		ewarn "ESP cipher is only included in kernels >= 2.6.34."
		ewarn
		ewarn "If you need it, please use kernel >= 2.6.34."
		ewarn
	fi

	# Create the service account up front so src_install can hand the
	# configuration tree to it. Per user.eclass, -1 takes the eclass
	# defaults (next free uid, a nologin shell, no home directory); the
	# last argument is the primary group — confirm against the eclass.
	if use non-root; then
		enewgroup ${UGID}
		enewuser ${UGID} -1 -1 -1 ${UGID}
	fi
}
src_prepare() {
	# No ebuild-specific patches; only apply user patches from
	# /etc/portage/patches (eutils epatch_user).
	epatch_user
}
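src_configure() {
	# Collect the conditional configure switches in an array so each
	# option is exactly one argument; the previous string-joined form
	# relied on unquoted word-splitting at the econf call.
	local -a myconf=()

	# Run the daemon under the unprivileged account created in pkg_setup.
	if use non-root; then
		myconf+=( "--with-user=${UGID}" "--with-group=${UGID}" )
	fi

	# If a user has already enabled db support, those plugins will
	# most likely be desired as well. Besides they don't impose new
	# dependencies and come at no cost (except for space).
	if use mysql || use sqlite; then
		myconf+=( --enable-attr-sql --enable-sql )
	fi

	# eap-gtc is tied to both flags and explicitly disabled otherwise.
	if use pam && use eap; then
		myconf+=( --enable-eap-gtc )
	else
		myconf+=( --disable-eap-gtc )
	fi

	# Plugin flags map 1:1 onto --enable-<plugin>; STD list first, then OPT,
	# matching the order the flags are declared in IUSE.
	local mod
	for mod in ${STRONGSWAN_PLUGINS_STD} ${STRONGSWAN_PLUGINS_OPT}; do
		if use strongswan_plugins_${mod}; then
			myconf+=( "--enable-${mod}" )
		fi
	done

	# strongSwan builds and installs static libs by default which are
	# useless to the user (and to strongSwan for that matter) because no
	# header files or alike get installed... so disabling them is safe.
	#
	# NOTE(review): IKEv1 is always built, and USE=eap pulls in the legacy
	# eap-md5 and md4 code alongside eap-tls/eap-aka; md4 is presumably
	# required by eap-mschapv2. Worth a glance for deployments that only
	# want IKEv2 with certificate-based EAP.
	econf \
		--disable-static \
		--enable-ikev1 \
		--enable-ikev2 \
		--enable-swanctl \
		--enable-socket-dynamic \
		$(use_with caps capabilities libcap) \
		$(use_enable curl) \
		$(use_enable constraints) \
		$(use_enable ldap) \
		$(use_enable debug leak-detective) \
		$(use_enable dhcp) \
		$(use_enable eap eap-sim) \
		$(use_enable eap eap-sim-file) \
		$(use_enable eap eap-simaka-sql) \
		$(use_enable eap eap-simaka-pseudonym) \
		$(use_enable eap eap-simaka-reauth) \
		$(use_enable eap eap-identity) \
		$(use_enable eap eap-md5) \
		$(use_enable eap eap-aka) \
		$(use_enable eap eap-aka-3gpp2) \
		$(use_enable eap md4) \
		$(use_enable eap eap-mschapv2) \
		$(use_enable eap eap-radius) \
		$(use_enable eap eap-tls) \
		$(use_enable eap xauth-eap) \
		$(use_enable farp) \
		$(use_enable gmp) \
		$(use_enable gcrypt) \
		$(use_enable mysql) \
		$(use_enable networkmanager nm) \
		$(use_enable openssl) \
		$(use_enable pam xauth-pam) \
		$(use_enable pkcs11) \
		$(use_enable sqlite) \
		"$(systemd_with_unitdir)" \
		"${myconf[@]}"
}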
src_install() {
	emake DESTDIR="${D}" install
	doinitd "${FILESDIR}"/ipsec

	# Owner of the configuration tree: the service account when the
	# daemon is unprivileged, root otherwise.
	local owner="root"
	if use non-root; then
		# NOTE(review): handing the daemon account ownership of its own
		# config files lets a compromised charon rewrite them; root-owned,
		# group-readable files would be tighter if read access suffices.
		# Verify against the nonRoot guide linked from pkg_postinst.
		fowners ${UGID}:${UGID} /etc/ipsec.conf /etc/strongswan.conf
		owner="${UGID}"
	fi

	# /etc/ipsec.d and its subdirectories (private keys included) are kept
	# off-limits to other users. diropts applies to every later dodir in
	# this phase; none follows here.
	diropts -m 0750 -o "${owner}" -g "${owner}"
	local sub
	local -a tree=( /etc/ipsec.d )
	for sub in aacerts acerts cacerts certs crls ocspcerts private reqs; do
		tree+=( "/etc/ipsec.d/${sub}" )
	done
	dodir "${tree[@]}"

	dodoc NEWS README TODO || die

	# shared libs are used only internally and there are no static libs,
	# so it's safe to get rid of the .la files
	find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
}
pkg_preinst() {
	# Record, as 0/1 globals for pkg_postinst, whether we are upgrading
	# from a version that predates the tightened /etc/ipsec.d modes and
	# the caps/non-root split.
	if has_version "<net-vpn/strongswan-4.3.6-r1"; then
		upgrade_from_leq_4_3_6=1
	else
		upgrade_from_leq_4_3_6=0
	fi

	# NOTE(review): the atom matches an old install built with USE=-caps,
	# yet the variable (and the pkg_postinst warning it triggers) talks
	# about a previous build *with* caps. One of the two looks inverted;
	# left untouched since it only affects upgrade messaging from <4.3.6-r1.
	if has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"; then
		previous_4_3_6_with_caps=1
	else
		previous_4_3_6_with_caps=0
	fi
}
  186. pkg_postinst() {
  187. if ! use openssl && ! use gcrypt; then
  188. elog
  189. elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
  190. elog "Please note that this might effect availability and speed of some"
  191. elog "cryptographic features. You are advised to enable the OpenSSL plugin."
  192. elif ! use openssl; then
  193. elog
  194. elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
  195. elog "availability and speed of some cryptographic features. There will be"
  196. elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
  197. elog "25, 26) and ECDSA."
  198. fi
  199. if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
  200. chmod 0750 "${ROOT}"/etc/ipsec.d \
  201. "${ROOT}"/etc/ipsec.d/aacerts \
  202. "${ROOT}"/etc/ipsec.d/acerts \
  203. "${ROOT}"/etc/ipsec.d/cacerts \
  204. "${ROOT}"/etc/ipsec.d/certs \
  205. "${ROOT}"/etc/ipsec.d/crls \
  206. "${ROOT}"/etc/ipsec.d/ocspcerts \
  207. "${ROOT}"/etc/ipsec.d/private \
  208. "${ROOT}"/etc/ipsec.d/reqs
  209. ewarn
  210. ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
  211. ewarn "security reasons. Your system installed directories have been"
  212. ewarn "updated accordingly. Please check if necessary."
  213. ewarn
  214. if [[ $previous_4_3_6_with_caps == 1 ]]; then
  215. if ! use non-root; then
  216. ewarn
  217. ewarn "IMPORTANT: You previously had ${PN} installed without root"
  218. ewarn "privileges because it was implied by the 'caps' USE flag."
  219. ewarn "This has been changed. If you want ${PN} with user privileges,"
  220. ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
  221. ewarn
  222. fi
  223. fi
  224. fi
  225. if ! use caps && ! use non-root; then
  226. ewarn
  227. ewarn "You have decided to run ${PN} with root privileges and built it"
  228. ewarn "without support for POSIX capability dropping. It is generally"
  229. ewarn "strongly suggested that you reconsider- especially if you intend"
  230. ewarn "to run ${PN} as server with a public ip address."
  231. ewarn
  232. ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
  233. ewarn
  234. fi
  235. if use non-root; then
  236. elog
  237. elog "${PN} has been installed without superuser privileges (USE=non-root)."
  238. elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
  239. elog "but also a few to the IKEv2 daemon 'charon'."
  240. elog
  241. elog "Please carefully read: http://wiki.strongswan.org/wiki/nonRoot"
  242. elog
  243. elog "pluto uses a helper script by default to insert/remove routing and"
  244. elog "policy rules upon connection start/stop which requires superuser"
  245. elog "privileges. charon in contrast does this internally and can do so"
  246. elog "even with reduced (user) privileges."
  247. elog
  248. elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
  249. elog "script to pluto or charon which requires superuser privileges, you"
  250. elog "can work around this limitation by using sudo to grant the"
  251. elog "user \"ipsec\" the appropriate rights."
  252. elog "For example (the default case):"
  253. elog "/etc/sudoers:"
  254. elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
  255. elog "Under the specific connection block in /etc/ipsec.conf:"
  256. elog " leftupdown=\"sudo -E ipsec _updown iptables\""
  257. elog
  258. fi
  259. elog
  260. elog "Make sure you have _all_ required kernel modules available including"
  261. elog "the appropriate cryptographic algorithms. A list is available at:"
  262. elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
  263. elog
  264. elog "The up-to-date manual is available online at:"
  265. elog " http://wiki.strongswan.org/"
  266. elog
  267. }