authorBen de Groot <yngwin@gentoo.org>2010-04-02 15:39:54 +0000
committerBen de Groot <yngwin@gentoo.org>2010-04-02 15:39:54 +0000
commit4120165b8247632956846cf9142c63d7556122d6 (patch)
tree0f0bc650d49547f56a9f281c98431bc908ba97a7 /net-misc
parentStable for HPPA (bug #309395). (diff)
Remove 'nat' useflag as it is misleading and replace it with an
appropriate 'nat-transport' flag and warn users about it. Fix dependency on openssl[-bindist] wrt bug #311981. Thanks to Thomas Klute for reporting this. Overhaul of package/useflag descriptions. Drop built_with_use again (deprecated) which I introduced in the latest revision. Addition of several new warnings/logs that will hopefully help the user. Drop old (and unsupported by proxy maintainer) ebuilds. Update metadata.xml. Package-Manager: portage-2.2_rc67/cvs/Linux x86_64
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/strongswan/ChangeLog16
-rw-r--r--net-misc/strongswan/Manifest15
-rw-r--r--net-misc/strongswan/metadata.xml69
-rw-r--r--net-misc/strongswan/strongswan-4.2.17.ebuild103
-rw-r--r--net-misc/strongswan/strongswan-4.3.3.ebuild102
-rw-r--r--net-misc/strongswan/strongswan-4.3.4.ebuild128
-rw-r--r--net-misc/strongswan/strongswan-4.3.5.ebuild128
-rw-r--r--net-misc/strongswan/strongswan-4.3.6-r2.ebuild (renamed from net-misc/strongswan/strongswan-4.3.6-r1.ebuild)107
-rw-r--r--net-misc/strongswan/strongswan-4.3.6.ebuild128
9 files changed, 136 insertions, 660 deletions
diff --git a/net-misc/strongswan/ChangeLog b/net-misc/strongswan/ChangeLog
index 22fae27f996d..2463938935ba 100644
--- a/net-misc/strongswan/ChangeLog
+++ b/net-misc/strongswan/ChangeLog
@@ -1,6 +1,20 @@
# ChangeLog for net-misc/strongswan
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.81 2010/03/23 01:38:58 yngwin Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/ChangeLog,v 1.82 2010/04/02 15:39:54 yngwin Exp $
+
+*strongswan-4.3.6-r2 (02 Apr 2010)
+
+ 02 Apr 2010; Ben de Groot <yngwin@gentoo.org> -strongswan-4.2.17.ebuild,
+ -strongswan-4.3.3.ebuild, -strongswan-4.3.4.ebuild,
+ -strongswan-4.3.5.ebuild, -strongswan-4.3.6.ebuild,
+ -strongswan-4.3.6-r1.ebuild, +strongswan-4.3.6-r2.ebuild, metadata.xml:
+ Remove 'nat' useflag as it is misleading and replace it with an
+ appropriate 'nat-transport' flag and warn users about it. Fix dependency on
+ openssl[-bindist] wrt bug #311981. Thanks to Thomas Klute for reporting this.
+ Overhaul of package/useflag descriptions. Drop built_with_use again
+ (deprecated) which I introduced in the latest revision. Addition of several
+ new warnings/logs that will hopefully help the user. Drop old (and
+ unsupported by proxy maintainer) ebuilds. Update metadata.xml.
23 Mar 2010; Ben de Groot <yngwin@gentoo.org> strongswan-4.3.6-r1.ebuild:
Fix directory ownership for '+non-root -caps'/'-non-root +caps'
diff --git a/net-misc/strongswan/Manifest b/net-misc/strongswan/Manifest
index 885f9d3ab25a..1391d2f5fccb 100644
--- a/net-misc/strongswan/Manifest
+++ b/net-misc/strongswan/Manifest
@@ -1,16 +1,7 @@
AUX ipsec 445 RMD160 9240cf2699984634fae9b0f45c813742fd05e047 SHA1 efcc1bedfbeae8a5b85f85e4926472edbca37be0 SHA256 5ba492de6d612d7def1cb7ceacadf8397e50f8433b91c4f2f09bf216eed34da6
AUX strongswan-4.2.7-install.patch 1070 RMD160 fa5815d1de4d4bba5674832def181f139a66ae7e SHA1 4adc2f9e704553dabf744667d74d8c6ed6ae9c59 SHA256 0ea8ba27ba6ad5a4f90ad4f233fd05ec431dccdb1c08b794e2f7ee72ea4fc87a
AUX strongswan-4.3.3-install.patch 1070 RMD160 1a9e97eba9e7e9bd4718f601754b62a7e31c48cc SHA1 eaffc515f9373513ada676799d78413aa96411cf SHA256 60d440ff105efbd45c0a11d8df3a5b2f3b733b04b91239c6d70f19b4988e31b7
-DIST strongswan-4.2.17.tar.bz2 2734072 RMD160 83237b06b8b9dcfe4338a626439749eb1c08ef02 SHA1 1d18c889f94ac6b42ea0a5aa52e3e1eb7339ff0a SHA256 cbda6e8431b4b68acb2f3cf3ce75d1aa251557bf25d82c616307cb48a82eb731
-DIST strongswan-4.3.3.tar.bz2 2666862 RMD160 cf85ffff83c51ab9f9f5a6794397ec4de3a2e527 SHA1 935c822084b332a269821edf1e4a951132f962b2 SHA256 24717a99b0af34059aad2c9ffceaaa02efedab0050278605e493cb489c5f3c73
-DIST strongswan-4.3.4.tar.bz2 2680982 RMD160 4478c6860119400fe478a8fce1a985943a023c0c SHA1 4c3bd24d286c340dc43e8ff8f1f6147b35dc2767 SHA256 6073c244232f2e741233533fd4a13498421398174757c5e42a51afa4bf16600c
-DIST strongswan-4.3.5.tar.bz2 2700284 RMD160 440dba766d6200445ddd0003eb7a7f6ac337b3a3 SHA1 7dc9f39f8bcd30e264225383f069e34ba829c1da SHA256 12b5d4a62dac7ecbc5afa0eb706a8d30d62f8e9dfd552d038b43db962cc7febb
DIST strongswan-4.3.6.tar.bz2 2831944 RMD160 9cef4ba83e19c17693d09a512e91cdadee1e3beb SHA1 f38c237047f9d81d1af6277eb27f94101188d3bb SHA256 39a311c62f4f2474faf239c0edf6518a14a953b9c2092bbfa473cd34dcb8f5e7
-EBUILD strongswan-4.2.17.ebuild 2812 RMD160 29491eb031f13c780eacc38f3231d0bb476f9cbc SHA1 07d1fbb57fc2aed75a28cf5195ae799f040e4f28 SHA256 ba9672f320e7c8d8bdbf9f861522c3434006d301f45e83bb1f7b27526bc3d17d
-EBUILD strongswan-4.3.3.ebuild 2750 RMD160 50ea7a0e30dcf598f889a1365db8ec7805cec856 SHA1 9e98e2eb6bb26b1927d7ad4ff789fc04935e997c SHA256 f6fb07f907578eea9028368659a776248eabdba3869ebd04a8f4b08b9f0a809a
-EBUILD strongswan-4.3.4.ebuild 3765 RMD160 1f94475dc6ecc8e30be2457d85a671ee6027cced SHA1 14ac5ce3c1babece2969537eab4259c371912c19 SHA256 307caf1edb75110743a3bf56619271d9493f755fcaeb817cb599d31246a5edb1
-EBUILD strongswan-4.3.5.ebuild 3759 RMD160 473a22ef91a31529f646cc5d5249957c1bdf71d2 SHA1 a424e03d679785c229e3714d8166792eb50531be SHA256 36e27c266d192aeb54d404b84bf609e4faa9825733617a2a3734ec14c1d70b60
-EBUILD strongswan-4.3.6-r1.ebuild 6652 RMD160 4f9cc2557597596d63f682b59f4314c3c5c66f1d SHA1 9fb1ea9912a1ff15066ca3651658323fb63e5b3e SHA256 c8ddd25f7838cf9c94642d8cc9f12ae1eef92d956bc0a55b1be399bb743e9cbf
-EBUILD strongswan-4.3.6.ebuild 3759 RMD160 c6a07a383cd5ad553a539f4794c88ed167ae5415 SHA1 67427e4382b8c68a2ee272630b801ec3e13f0ce7 SHA256 182fe06c642242c6048815c86ebfe77c1574746bffd429714bbabff263ae6951
-MISC ChangeLog 14519 RMD160 dac1cda38bceb46068792803baf87a26e1c7bd75 SHA1 eded413fe3812e9e88232eb078e3e75d68b50c7e SHA256 890f8b85d2e2dc1783a60dfdbbdf9a6fd8f4d146279703b35f85a477b455e27c
-MISC metadata.xml 1276 RMD160 0fb9ce53d85de2cbd5b640f77c7742ceb19bec11 SHA1 961790fed6e1189c26671b8ce1aef2e2d0328699 SHA256 2a4b623e516b5e9d820dbc53e3c7bc1b76946d7a20deb2fca21f5a92e2e0679c
+EBUILD strongswan-4.3.6-r2.ebuild 8080 RMD160 5d68a2e39afa9f07a1e210bedab85fa13ec0e3a3 SHA1 4742eaf5a16d526cb1d177a1cb1f6542623769bb SHA256 ea51bbbcb297ea87bf0b4e595376ecc106eaa25a14677339718440fd002f8b9a
+MISC ChangeLog 15319 RMD160 eaae4bebf0e91dc56cad4e4ac8501aa7a5acbb60 SHA1 3f4c6cdd239d6635ae28e491f9e4c1f518ff69d9 SHA256 77842ef21bdc219cf214ed3dd38e0261e5cd6b05fe194c90841039cf46446218
+MISC metadata.xml 2269 RMD160 15cf1b61232531d9351307f2e0f8ec607ab31bb0 SHA1 f55ee9f60427d617f60ed87893adab0f1668cd78 SHA256 a8ba00d38f0b70e35b2d195388cb4e4ea2dc04f002055150fca49fa6f80b0be9
diff --git a/net-misc/strongswan/metadata.xml b/net-misc/strongswan/metadata.xml
index 572b05153ec4..6953e6b7177e 100644
--- a/net-misc/strongswan/metadata.xml
+++ b/net-misc/strongswan/metadata.xml
@@ -2,29 +2,54 @@
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<herd>no-herd</herd>
- <maintainer>
- <email>patrick@gentoo.org</email>
- <name>Patrick Lauer</name>
- </maintainer>
- <maintainer>
- <email>ua_bugz_gentoo@mortal-soul.de</email>
- <name>Matthias Dahl </name>
- </maintainer>
-
+ <maintainer>
+ <email>patrick@gentoo.org</email>
+ <name>Patrick Lauer</name>
+ </maintainer>
+ <maintainer>
+ <email>ua_bugz_gentoo@mortal-soul.de</email>
+ <name>Matthias Dahl</name>
+ <description>Proxy Maintainer, CC on all bugs</description>
+ </maintainer>
<longdescription lang="en">
- strongSwan is an OpenSource IPsec implementation for the Linux
- operating system. It is based on the discontinued FreeS/WAN project and
- the X.509 patch which we developed over the last three years. In order
- to have a stable IPsec platform to base our future extensions of the
- X.509 capability on, we decided to lauch the strongSwan project.
- </longdescription>
+ StrongSwan is direct descendant of the discontinued FreeS/WAN project.
+ As an IPsec based VPN solution which is focused on security and ease of
+ use, it fully implements the IKEv1/IKEv2 protocols, MOBIKE, NAT-Traversal
+ via UDP encapsulation (incl. port floating) and Dead Peer Detection. It
+ also fully supports the Linux 2.6 IPsec stack, IPv6, certificates/keys on
+ Smartcards and virtual IP address pools.
+ </longdescription>
<use>
- <flag name="cisco">Enable support of Cisco VPN client</flag>
- <flag name="nat">Enable NAT traversal with IPsec transport mode</flag>
- <flag name="gcrypt">Enable gcrypt support</flag>
- <flag name="ikev1">Enable ikev1 protocol</flag>
- <flag name="ikev2">Enable ikev2 protocol</flag>
- <flag name="openssl">Enable openssl support</flag>
- <flag name="non-root">Enable running as non-root</flag>
+ <flag name="cisco">
+ Enable support for the Cisco VPN client.
+ </flag>
+ <flag name="gcrypt">
+ Enable <pkg>dev-libs/libgcrypt</pkg> plugin which provides 3DES, AES,
+ Blowfish, Camellia, CAST, DES, Serpent and Twofish ciphers along with
+ MD4, MD5 and SHA1/2 hash algorithms, RSA and a software random number
+ generator.
+ </flag>
+ <flag name="nat-transport">
+ Enable potentially insecure NAT traversal for transport mode in IKEv1.
+ Only enable if you really need this.
+ </flag>
+ <flag name="ikev1">
+ Enable IKEv1 protocol (pluto daemon).
+ </flag>
+ <flag name="ikev2">
+ Enable IKEv2 protocol (charon daemon).
+ </flag>
+ <flag name="openssl">
+ Enable <pkg>dev-libs/openssl</pkg> plugin which is required for Elliptic
+ Curve Cryptography (Diffie-Hellman groups 19-21, 25, 26) and ECDSA. Also
+ provides 3DES, AES, Blowfish, Camellia, CAST, DES, IDEA and RC5 ciphers
+ along with MD2, MD4, MD5 and SHA1/2 hash algorithms and RSA.
+ <pkg>dev-libs/openssl</pkg> has to be compiled with USE="-bindist".
+ </flag>
+ <flag name="non-root">
+ Force IKEv1/IKEv2 daemons to normal user privileges. This might impose
+ some restrictions mainly to the IKEv1 daemon. Disable only if you really
+ require superuser privileges.
+ </flag>
</use>
</pkgmetadata>
diff --git a/net-misc/strongswan/strongswan-4.2.17.ebuild b/net-misc/strongswan/strongswan-4.2.17.ebuild
deleted file mode 100644
index 9ca651fd9a73..000000000000
--- a/net-misc/strongswan/strongswan-4.2.17.ebuild
+++ /dev/null
@@ -1,103 +0,0 @@
-# Copyright 1999-2009 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.2.17.ebuild,v 1.1 2009/07/29 08:33:36 wschlich Exp $
-
-EAPI=2
-inherit eutils linux-info autotools
-
-UGID="ipsec"
-
-DESCRIPTION="Open Source implementation of IPsec for the Linux operating system."
-HOMEPAGE="http://www.strongswan.org/"
-SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
-
-LICENSE="GPL-2 RSA-MD2 RSA-MD5 RSA-PKCS11 DES"
-SLOT="0"
-KEYWORDS="~ppc ~sparc ~x86 ~amd64"
-IUSE="caps cisco curl debug ldap nat smartcard static xml"
-
-COMMON_DEPEND="!net-misc/openswan
- dev-libs/gmp
- caps? ( sys-libs/libcap )
- curl? ( net-misc/curl )
- ldap? ( net-nds/openldap )
- smartcard? ( dev-libs/opensc )
- xml? ( dev-libs/libxml2 )"
-DEPEND="${COMMON_DEPEND}
- virtual/linux-sources
- sys-kernel/linux-headers"
-RDEPEND="${COMMON_DEPEND}
- virtual/logger
- sys-apps/iproute2"
-
-src_prepare() {
- sed -i -e 's/getline/getline_own/g' src/libfreeswan/optionsfrom.c
-
- epatch "${FILESDIR}"/${PN}-4.2.7-install.patch
- eautoreconf
-}
-
-pkg_setup() {
- linux-info_pkg_setup
-
- einfo "Linux kernel is version ${KV_FULL}"
-
- if kernel_is 2 6; then
- einfo "This ebuild will set ${P} to use 2.6 native IPsec (KAME)."
- else
- eerror "Sorry, no support for your kernel version ${KV_FULL}."
- die "Install an IPsec enabled 2.6 kernel."
- fi
-
- # change to an unprivileged user by default
- enewgroup ${UGID}
- enewuser ${UGID} -1 -1 -1 ${UGID}
-}
-
-src_configure() {
- local myconf=""
-
- # change to an unprivileged user by default
- myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
- # strongswan enables both by default; switch to the user's wish
- if use static; then
- myconf="${myconf} --enable-static --disable-shared"
- else
- myconf="${myconf} --disable-static --enable-shared"
- fi
-
- # TODO: Review new configure options such as networkmanager
- econf \
- $(use_with caps capabilities libcap) \
- $(use_enable curl) \
- $(use_enable ldap) \
- $(use_enable xml smp) \
- $(use_enable smartcard) \
- $(use_enable cisco cisco-quirks) \
- $(use_enable debug leak-detective) \
- $(use_enable nat nat-transport) \
- ${myconf} \
- || die "econf failed"
-}
-
-src_install() {
- einstall || die "einstall failed."
-
- doinitd "${FILESDIR}"/ipsec
-
- fowners ipsec:ipsec /etc/ipsec.conf
-}
-
-pkg_postinst() {
- echo
- einfo "For your own security we install strongSwan without superuser"
- einfo "privileges. If you use iptables, you might want to change that"
- einfo "setting. See http://wiki.strongswan.org/wiki/nonRoot for more"
- einfo "information."
- # TODO: Should we recommend this sudoers line to users?
- # %ipsec ALL = NOPASSWD: /sbin/iptables
- echo
- einfo "The up-to-date configuration manual is available online at"
- einfo "http://www.strongswan.org/docs/readme42.htm"
- echo
-}
diff --git a/net-misc/strongswan/strongswan-4.3.3.ebuild b/net-misc/strongswan/strongswan-4.3.3.ebuild
deleted file mode 100644
index bb22fd34d29c..000000000000
--- a/net-misc/strongswan/strongswan-4.3.3.ebuild
+++ /dev/null
@@ -1,102 +0,0 @@
-# Copyright 1999-2010 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.3.3.ebuild,v 1.2 2010/02/27 22:43:10 ulm Exp $
-
-EAPI=2
-inherit eutils linux-info autotools
-
-UGID="ipsec"
-
-DESCRIPTION="Open Source implementation of IPsec for the Linux operating system."
-HOMEPAGE="http://www.strongswan.org/"
-SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
-
-LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
-SLOT="0"
-KEYWORDS="~ppc ~sparc ~x86 ~amd64"
-IUSE="caps cisco curl debug ldap nat smartcard static xml"
-
-COMMON_DEPEND="!net-misc/openswan
- dev-libs/gmp
- dev-libs/libgcrypt
- caps? ( sys-libs/libcap )
- curl? ( net-misc/curl )
- ldap? ( net-nds/openldap )
- smartcard? ( dev-libs/opensc )
- xml? ( dev-libs/libxml2 )"
-DEPEND="${COMMON_DEPEND}
- virtual/linux-sources
- sys-kernel/linux-headers"
-RDEPEND="${COMMON_DEPEND}
- virtual/logger
- sys-apps/iproute2"
-
-src_prepare() {
- epatch "${FILESDIR}"/${PN}-4.3.3-install.patch
- eautoreconf
-}
-
-pkg_setup() {
- linux-info_pkg_setup
-
- einfo "Linux kernel is version ${KV_FULL}"
-
- if kernel_is 2 6; then
- einfo "This ebuild will set ${P} to use 2.6 native IPsec (KAME)."
- else
- eerror "Sorry, no support for your kernel version ${KV_FULL}."
- die "Install an IPsec enabled 2.6 kernel."
- fi
-
- # change to an unprivileged user by default
- enewgroup ${UGID}
- enewuser ${UGID} -1 -1 -1 ${UGID}
-}
-
-src_configure() {
- local myconf=""
-
- # change to an unprivileged user by default
- myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
- # strongswan enables both by default; switch to the user's wish
- if use static; then
- myconf="${myconf} --enable-static --disable-shared"
- else
- myconf="${myconf} --disable-static --enable-shared"
- fi
-
- # TODO: Review new configure options such as networkmanager
- econf \
- $(use_with caps capabilities libcap) \
- $(use_enable curl) \
- $(use_enable ldap) \
- $(use_enable xml smp) \
- $(use_enable smartcard) \
- $(use_enable cisco cisco-quirks) \
- $(use_enable debug leak-detective) \
- $(use_enable nat nat-transport) \
- ${myconf} \
- || die "econf failed"
-}
-
-src_install() {
- einstall || die "einstall failed."
-
- doinitd "${FILESDIR}"/ipsec
-
- fowners ipsec:ipsec /etc/ipsec.conf
-}
-
-pkg_postinst() {
- echo
- einfo "For your own security we install strongSwan without superuser"
- einfo "privileges. If you use iptables, you might want to change that"
- einfo "setting. See http://wiki.strongswan.org/wiki/nonRoot for more"
- einfo "information."
- # TODO: Should we recommend this sudoers line to users?
- # %ipsec ALL = NOPASSWD: /sbin/iptables
- echo
- einfo "The up-to-date configuration manual is available online at"
- einfo "http://www.strongswan.org/docs/readme42.htm"
- echo
-}
diff --git a/net-misc/strongswan/strongswan-4.3.4.ebuild b/net-misc/strongswan/strongswan-4.3.4.ebuild
deleted file mode 100644
index 6c9386ecf075..000000000000
--- a/net-misc/strongswan/strongswan-4.3.4.ebuild
+++ /dev/null
@@ -1,128 +0,0 @@
-# Copyright 1999-2010 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.3.4.ebuild,v 1.2 2010/02/27 22:43:10 ulm Exp $
-
-EAPI=2
-inherit eutils linux-info autotools
-
-UGID="ipsec"
-
-DESCRIPTION="Open Source implementation of IPsec for the Linux operating system."
-HOMEPAGE="http://www.strongswan.org/"
-SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
-
-LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
-SLOT="0"
-KEYWORDS="~ppc ~sparc ~x86 ~amd64"
-IUSE="caps cisco curl debug ldap nat smartcard static xml"
-
-COMMON_DEPEND="!net-misc/openswan
- dev-libs/gmp
- dev-libs/libgcrypt
- caps? ( sys-libs/libcap )
- curl? ( net-misc/curl )
- ldap? ( net-nds/openldap )
- smartcard? ( dev-libs/opensc )
- xml? ( dev-libs/libxml2 )"
-DEPEND="${COMMON_DEPEND}
- virtual/linux-sources
- sys-kernel/linux-headers"
-RDEPEND="${COMMON_DEPEND}
- virtual/logger
- sys-apps/iproute2"
-
-src_prepare() {
- epatch "${FILESDIR}"/${PN}-4.3.3-install.patch
- eautoreconf
-}
-
-pkg_setup() {
- linux-info_pkg_setup
-
- elog "Linux kernel is version ${KV_FULL}"
-
- if kernel_is 2 6; then
- elog "This ebuild will set ${P} to use 2.6 native IPsec (KAME)."
- else
- eerror "Sorry, no support for your kernel version ${KV_FULL}."
- die "Install an IPsec enabled 2.6 kernel."
- fi
-
- if use caps; then
- # change to an unprivileged user if libcaps support is requested
- enewgroup ${UGID}
- enewuser ${UGID} -1 -1 -1 ${UGID}
- fi
-}
-
-src_configure() {
- local myconf=""
-
- if use caps; then
- # change to an unprivileged user if libcaps support is requested
- myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
- fi
-
- # strongswan enables both by default; switch to the user's wish
- if use static; then
- myconf="${myconf} --enable-static --disable-shared"
- else
- myconf="${myconf} --disable-static --enable-shared"
- fi
-
- # TODO: Review new configure options such as networkmanager
- econf \
- $(use_with caps capabilities libcap) \
- $(use_enable curl) \
- $(use_enable ldap) \
- $(use_enable xml smp) \
- $(use_enable smartcard) \
- $(use_enable cisco cisco-quirks) \
- $(use_enable debug leak-detective) \
- $(use_enable nat nat-transport) \
- ${myconf} \
- || die "econf failed"
-}
-
-src_install() {
- einstall || die "einstall failed."
-
- doinitd "${FILESDIR}"/ipsec
-
- if use caps; then
- fowners ipsec:ipsec /etc/ipsec.conf
- fi
-}
-
-pkg_postinst() {
- if use caps; then
- echo
- elog "strongSwan has been installed without superuser privileges as"
- elog "requested (USE=caps). There are certain restrictions and"
- elog "issues regarding non-root operation, so please have a look at:"
- elog " http://wiki.strongswan.org/wiki/nonRoot"
- echo
- elog "Please be aware that with dropped privileges most leftupdown and"
- elog "rightupdown scripts will no longer run if they require root privileges."
- elog "You might want to use sudo to allow the user \"ipsec\" to run"
- elog "the ipsec helper script (/usr/sbin/ipsec) as root."
- elog "Example for /etc/sudoers:"
- elog " Defaults:ipsec always_set_home,!env_reset"
- elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
- elog "Example for a connection block in /etc/ipsec.conf:"
- elog " leftupdown=\"sudo ipsec _updown\""
- echo
-# elog "And please do not forget to add CAP_NET_ADMIN capabilities to"
-# elog "your charon and pluto binaries each time you emerge this ebuild."
-# echo
-# elog "setcap -v cap_net_admin=ep /usr/libexec/ipsec/pluto"
-# elog "setcap -v cap_net_admin=ep /usr/libexec/ipsec/charon"
-# echo
-# elog "For more information reagrding POSIX capabilities support please"
-# elog "have a look at http://www.friedhoff.org/posixfilecaps.html"
-# echo
- fi
- elog "The up-to-date manual is available online at:"
- elog " http://wiki.strongswan.org/"
- echo
-}
diff --git a/net-misc/strongswan/strongswan-4.3.5.ebuild b/net-misc/strongswan/strongswan-4.3.5.ebuild
deleted file mode 100644
index 446bfb7bdc67..000000000000
--- a/net-misc/strongswan/strongswan-4.3.5.ebuild
+++ /dev/null
@@ -1,128 +0,0 @@
-# Copyright 1999-2010 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.3.5.ebuild,v 1.2 2010/02/27 22:43:10 ulm Exp $
-
-EAPI=2
-inherit eutils linux-info
-
-UGID="ipsec"
-
-DESCRIPTION="Open Source implementation of IPsec for the Linux operating system."
-HOMEPAGE="http://www.strongswan.org/"
-SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
-
-LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
-SLOT="0"
-KEYWORDS="~ppc ~sparc ~x86 ~amd64"
-IUSE="caps cisco curl debug ldap nat smartcard static xml"
-
-COMMON_DEPEND="!net-misc/openswan
- dev-libs/gmp
- dev-libs/libgcrypt
- caps? ( sys-libs/libcap )
- curl? ( net-misc/curl )
- ldap? ( net-nds/openldap )
- smartcard? ( dev-libs/opensc )
- xml? ( dev-libs/libxml2 )"
-DEPEND="${COMMON_DEPEND}
- virtual/linux-sources
- sys-kernel/linux-headers"
-RDEPEND="${COMMON_DEPEND}
- virtual/logger
- sys-apps/iproute2"
-
-#src_prepare() {
-# epatch "${FILESDIR}"/${PN}-4.3.3-install.patch
-# eautoreconf
-#}
-
-pkg_setup() {
- linux-info_pkg_setup
-
- elog "Linux kernel is version ${KV_FULL}"
-
- if kernel_is 2 6; then
- elog "This ebuild will set ${P} to use 2.6 native IPsec (KAME)."
- else
- eerror "Sorry, no support for your kernel version ${KV_FULL}."
- die "Install an IPsec enabled 2.6 kernel."
- fi
-
- if use caps; then
- # change to an unprivileged user if libcaps support is requested
- enewgroup ${UGID}
- enewuser ${UGID} -1 -1 -1 ${UGID}
- fi
-}
-
-src_configure() {
- local myconf=""
-
- if use caps; then
- # change to an unprivileged user if libcaps support is requested
- myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
- fi
-
- # strongswan enables both by default; switch to the user's wish
- if use static; then
- myconf="${myconf} --enable-static --disable-shared"
- else
- myconf="${myconf} --disable-static --enable-shared"
- fi
-
- # TODO: Review new configure options such as networkmanager
- econf \
- $(use_with caps capabilities libcap) \
- $(use_enable curl) \
- $(use_enable ldap) \
- $(use_enable xml smp) \
- $(use_enable smartcard) \
- $(use_enable cisco cisco-quirks) \
- $(use_enable debug leak-detective) \
- $(use_enable nat nat-transport) \
- ${myconf} \
- || die "econf failed"
-}
-
-src_install() {
- einstall || die "einstall failed."
-
- doinitd "${FILESDIR}"/ipsec
-
- if use caps; then
- fowners ipsec:ipsec /etc/ipsec.conf
- fi
-}
-
-pkg_postinst() {
- if use caps; then
- echo
- elog "strongSwan has been installed without superuser privileges as"
- elog "requested (USE=caps). There are certain restrictions and"
- elog "issues regarding non-root operation, so please have a look at:"
- elog " http://wiki.strongswan.org/wiki/nonRoot"
- echo
- elog "Please be aware that with dropped privileges most leftupdown and"
- elog "rightupdown scripts will no longer run if they require root privileges."
- elog "You might want to use sudo to allow the user \"ipsec\" to run"
- elog "the ipsec helper script (/usr/sbin/ipsec) as root."
- elog "Example for /etc/sudoers:"
- elog " Defaults:ipsec always_set_home,!env_reset"
- elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
- elog "Example for a connection block in /etc/ipsec.conf:"
- elog " leftupdown=\"sudo ipsec _updown\""
- echo
-# elog "And please do not forget to add CAP_NET_ADMIN capabilities to"
-# elog "your charon and pluto binaries each time you emerge this ebuild."
-# echo
-# elog "setcap -v cap_net_admin=ep /usr/libexec/ipsec/pluto"
-# elog "setcap -v cap_net_admin=ep /usr/libexec/ipsec/charon"
-# echo
-# elog "For more information reagrding POSIX capabilities support please"
-# elog "have a look at http://www.friedhoff.org/posixfilecaps.html"
-# echo
- fi
- elog "The up-to-date manual is available online at:"
- elog " http://wiki.strongswan.org/"
- echo
-}
diff --git a/net-misc/strongswan/strongswan-4.3.6-r1.ebuild b/net-misc/strongswan/strongswan-4.3.6-r2.ebuild
index ee8ad6571487..fbde055efb76 100644
--- a/net-misc/strongswan/strongswan-4.3.6-r1.ebuild
+++ b/net-misc/strongswan/strongswan-4.3.6-r2.ebuild
@@ -1,28 +1,27 @@
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.3.6-r1.ebuild,v 1.3 2010/03/23 01:38:58 yngwin Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.3.6-r2.ebuild,v 1.1 2010/04/02 15:39:54 yngwin Exp $
EAPI=2
-
inherit eutils linux-info
-DESCRIPTION="Open Source IPsec based VPN solution with a strong focus on security. Fully supports IKEv1/IKEv2, MOBIKE and the Linux 2.6 IPsec stack."
+DESCRIPTION="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
HOMEPAGE="http://www.strongswan.org/"
SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
SLOT="0"
-KEYWORDS="~ppc ~sparc ~x86 ~amd64"
-IUSE="+caps cisco curl debug gcrypt ldap +ikev1 +ikev2 mysql nat +non-root +openssl smartcard sqlite"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE="+caps cisco curl debug gcrypt ldap +ikev1 +ikev2 mysql nat-transport +non-root +openssl smartcard sqlite"
COMMON_DEPEND="!net-misc/openswan
- dev-libs/gmp
+ >=dev-libs/gmp-4.1.5
gcrypt? ( dev-libs/libgcrypt )
caps? ( sys-libs/libcap )
curl? ( net-misc/curl )
ldap? ( net-nds/openldap )
smartcard? ( dev-libs/opensc )
- openssl? ( >=dev-libs/openssl-0.9.8 )
+ openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )
mysql? ( virtual/mysql )
sqlite? ( >=dev-db/sqlite-3.3.1 )"
DEPEND="${COMMON_DEPEND}
@@ -38,16 +37,47 @@ pkg_setup() {
linux-info_pkg_setup
elog "Linux kernel version: ${KV_FULL}"
- if kernel_is 2 6; then
- elog "Using native Linux 2.6 IPsec stack."
- else
+ if ! kernel_is -ge 2 6 16; then
eerror
eerror "This ebuild currently only supports ${PN} with the"
- eerror "native Linux 2.6 IPsec stack."
+ eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
eerror
die "Please install a recent 2.6 kernel."
fi
+ if use nat-transport; then
+ ewarn
+ ewarn "You have enabled NAT Traversal for transport mode with the IKEv1"
+ ewarn "protocol. Please double check if you really require this feature"
+ ewarn "as it is potentially insecure and usually only required in certain"
+ ewarn "situations when interoperating with Windows using L2TP/IPsec."
+ ewarn
+ fi
+
+ if kernel_is -lt 2 6 33; then
+ ewarn
+ ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
+ ewarn
+
+ if kernel_is -lt 2 6 29; then
+ ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
+ ewarn "include all required IPv6 modules even if you just intend"
+ ewarn "to run on IPv4 only."
+ ewarn
+ ewarn "This has been fixed with kernels >= 2.6.29."
+ ewarn
+ fi
+
+ if kernel_is -lt 2 6 33; then
+ ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
+ ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
+ ewarn "miss SHA384 and SHA512 HMAC support altogether."
+ ewarn
+ ewarn "If you need any of those features, please use kernel >= 2.6.33."
+ ewarn
+ fi
+ fi
+
if use non-root; then
enewgroup ${UGID}
enewuser ${UGID} -1 -1 -1 ${UGID}
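Review bot: The inner `if kernel_is -lt 2 6 33; then` around the SHA-2 HMAC warning repeats the condition of the enclosing `if kernel_is -lt 2 6 33; then`, so it is always true when reached; its `ewarn` lines could sit directly in the outer block after the `< 2.6.29` branch. A comment above the outer block would also help, e.g. `# kernel_is tests the kernel tree located by linux-info_pkg_setup; this may differ from the kernel the host actually boots`. These warnings and the `>= 2.6.16` gate presumably describe the configured sources rather than the running kernel, which is worth confirming against linux-info.eclass. pkg_setup starts and ends outside this hunk.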
@@ -79,15 +109,14 @@ src_configure() {
$(use_enable smartcard) \
$(use_enable cisco cisco-quirks) \
$(use_enable debug leak-detective) \
- $(use_enable nat nat-transport) \
+ $(use_enable nat-transport) \
$(use_enable openssl) \
$(use_enable gcrypt) \
$(use_enable mysql) \
$(use_enable sqlite) \
$(use_enable ikev1 pluto) \
$(use_enable ikev2 charon) \
- ${myconf} \
- || die "econf failed"
+ ${myconf}
}
src_install() {
@@ -118,7 +147,7 @@ src_install() {
/etc/ipsec.d/private \
/etc/ipsec.d/reqs
- dodoc CREDITS NEWS README TODO
+ dodoc CREDITS NEWS README TODO || die
# shared libs are used only internally and there are no static libs,
# so it's safe to get rid of the .la files
@@ -127,25 +156,27 @@ src_install() {
pkg_preinst() {
has_version "<net-misc/strongswan-4.3.6-r1"
- upgrade_from_leq_4_3_6=$?
- if [[ $upgrade_from_leq_4_3_6 == 0 ]]; then
- built_with_use net-misc/strongswan caps
- previous_4_3_6_with_caps=$?
- fi
+ upgrade_from_leq_4_3_6=$(( !$? ))
+
+ has_version "<net-misc/strongswan-4.3.6-r1[-caps]"
+ previous_4_3_6_with_caps=$(( !$? ))
}
pkg_postinst() {
- if ! use openssl ; then
+ if ! use openssl && ! use gcrypt; then
elog
- elog "${PN} has been compiled without OpenSSL support."
- elog "Please note that (among other things), support for"
- elog "ECDSA authentification and several ECP Diffie-Hellman groups"
- elog "is missing."
- elog "If you require any of the above functionality, please re-emerge"
- elog "with the \"openssl\" USE flag enabled."
+ elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
+ elog "Please note that this might effect availability and speed of some"
+ elog "cryptographic features. You are advised to enable the OpenSSL plugin."
+ elif ! use openssl; then
elog
+ elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
+ elog "availability and speed of some cryptographic features. There will be"
+ elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
+ elog "25, 26) and ECDSA."
fi
- if [[ $upgrade_from_leq_4_3_6 == 0 ]]; then
+
+ if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
chmod 0750 "${ROOT}"/etc/ipsec.d \
"${ROOT}"/etc/ipsec.d/aacerts \
"${ROOT}"/etc/ipsec.d/acerts \
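Review bot: The new `has_version "<net-misc/strongswan-4.3.6-r1[-caps]"` in pkg_preinst looks inverted: a `[-caps]` USE dependency matches an installed package built with caps disabled, so `previous_4_3_6_with_caps=$(( !$? ))` becomes 1 for users who did not have caps. The check `[[ $previous_4_3_6_with_caps == 1 ]]` in the next hunk then shows the "previously installed without root privileges" warning to the wrong group and hides it from users whose daemon silently moves from the ipsec user to root. Using `[caps]` keeps the variable's meaning: `has_version "<net-misc/strongswan-4.3.6-r1[caps]"`. Separately, both new elog messages in this hunk say "might effect" where "might affect" is meant. pkg_postinst continues outside the hunk.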
@@ -162,12 +193,12 @@ pkg_postinst() {
ewarn "updated accordingly. Please check if necessary."
ewarn
- if [[ $previous_4_3_6_with_caps == 0 ]]; then
+ if [[ $previous_4_3_6_with_caps == 1 ]]; then
if ! use non-root; then
ewarn
ewarn "IMPORTANT: You previously had ${PN} installed without root"
- ewarn "priviledges because it was implied by the 'caps' USE flag."
- ewarn "This has been changed. If you want ${PN} with user priviledges,"
+ ewarn "privileges because it was implied by the 'caps' USE flag."
+ ewarn "This has been changed. If you want ${PN} with user privileges,"
ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
ewarn
fi
@@ -175,7 +206,7 @@ pkg_postinst() {
fi
if ! use caps && ! use non-root; then
ewarn
- ewarn "You have decided to run ${PN} with root priviledges and built it"
+ ewarn "You have decided to run ${PN} with root privileges and built it"
ewarn "without support for POSIX capability dropping. It is generally"
ewarn "strongly suggested that you reconsider- especially if you intend"
ewarn "to run ${PN} as server with a public ip address."
@@ -185,7 +216,7 @@ pkg_postinst() {
fi
if use non-root; then
elog
- elog "${PN} has been installed without superuser priviledges (USE=non-root)."
+ elog "${PN} has been installed without superuser privileges (USE=non-root)."
elog "This imposes several limitations mainly to the IKEv1 daemon 'pluto'"
elog "but also a few to the IKEv2 daemon 'charon'."
elog
@@ -193,11 +224,11 @@ pkg_postinst() {
elog
elog "pluto uses a helper script by default to insert/remove routing and"
elog "policy rules upon connection start/stop which requires superuser"
- elog "priviledges. charon in contrast does this internally and can do so"
- elog "even with reduced (user) priviledges."
+ elog "privileges. charon in contrast does this internally and can do so"
+ elog "even with reduced (user) privileges."
elog
elog "Thus if you require IKEv1 (pluto) or need to specify a custom updown"
- elog "script to pluto or charon which requires superuser priviledges, you"
+ elog "script to pluto or charon which requires superuser privileges, you"
elog "can work around this limitation by using sudo to grant the"
elog "user \"ipsec\" the appropriate rights."
elog "For example (the default case):"
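Review bot: The sudo workaround introduced by `elog "can work around this limitation by using sudo to grant the"` does not say how narrow the grant should be, and the example it leads into lies outside this hunk. If that example is still the one in the removed 4.3.6 ebuild (`Defaults:ipsec always_set_home,!env_reset` with `NOPASSWD: /usr/sbin/ipsec`), the daemon user can run the whole ipsec front-end as root with its own environment, which largely cancels the benefit of USE=non-root. I would limit the rule to the updown call, e.g. `ipsec ALL=(root) NOPASSWD: /usr/sbin/ipsec _updown`, and replace `!env_reset` with an `env_keep` list of only the variables the updown script reads.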
@@ -209,6 +240,10 @@ pkg_postinst() {
elog
fi
elog
+ elog "Make sure you have _all_ required kernel modules available including"
+ elog "the appropriate cryptographic algorithms. A list is available at:"
+ elog " http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
+ elog
elog "The up-to-date manual is available online at:"
elog " http://wiki.strongswan.org/"
elog
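Review bot: The added `elog "Make sure you have _all_ required kernel modules available including"` leaves the check entirely to the user after the merge, when a missing IPsec or cipher module typically only shows up as a connection that fails to establish. If this ebuild inherits linux-info as the removed 4.3.6 ebuild did, listing the needed options in `CONFIG_CHECK` with the non-fatal `~` prefix would report missing ones against the kernel configuration at build time. Both wiki links are plain `http://`; if the site serves HTTPS, using it keeps the module list from being altered in transit. pkg_postinst continues outside this hunk.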
diff --git a/net-misc/strongswan/strongswan-4.3.6.ebuild b/net-misc/strongswan/strongswan-4.3.6.ebuild
deleted file mode 100644
index 244ce85cd096..000000000000
--- a/net-misc/strongswan/strongswan-4.3.6.ebuild
+++ /dev/null
@@ -1,128 +0,0 @@
-# Copyright 1999-2010 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/strongswan/strongswan-4.3.6.ebuild,v 1.2 2010/02/27 22:43:10 ulm Exp $
-
-EAPI=2
-inherit eutils linux-info
-
-UGID="ipsec"
-
-DESCRIPTION="Open Source implementation of IPsec for the Linux operating system."
-HOMEPAGE="http://www.strongswan.org/"
-SRC_URI="http://download.strongswan.org/${P}.tar.bz2"
-
-LICENSE="GPL-2 RSA-MD5 RSA-PKCS11 DES"
-SLOT="0"
-KEYWORDS="~ppc ~sparc ~x86 ~amd64"
-IUSE="caps cisco curl debug ldap nat smartcard static xml"
-
-COMMON_DEPEND="!net-misc/openswan
- dev-libs/gmp
- dev-libs/libgcrypt
- caps? ( sys-libs/libcap )
- curl? ( net-misc/curl )
- ldap? ( net-nds/openldap )
- smartcard? ( dev-libs/opensc )
- xml? ( dev-libs/libxml2 )"
-DEPEND="${COMMON_DEPEND}
- virtual/linux-sources
- sys-kernel/linux-headers"
-RDEPEND="${COMMON_DEPEND}
- virtual/logger
- sys-apps/iproute2"
-
-#src_prepare() {
-# epatch "${FILESDIR}"/${PN}-4.3.3-install.patch
-# eautoreconf
-#}
-
-pkg_setup() {
- linux-info_pkg_setup
-
- elog "Linux kernel is version ${KV_FULL}"
-
- if kernel_is 2 6; then
- elog "This ebuild will set ${P} to use 2.6 native IPsec (KAME)."
- else
- eerror "Sorry, no support for your kernel version ${KV_FULL}."
- die "Install an IPsec enabled 2.6 kernel."
- fi
-
- if use caps; then
- # change to an unprivileged user if libcaps support is requested
- enewgroup ${UGID}
- enewuser ${UGID} -1 -1 -1 ${UGID}
- fi
-}
-
-src_configure() {
- local myconf=""
-
- if use caps; then
- # change to an unprivileged user if libcaps support is requested
- myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
- fi
-
- # strongswan enables both by default; switch to the user's wish
- if use static; then
- myconf="${myconf} --enable-static --disable-shared"
- else
- myconf="${myconf} --disable-static --enable-shared"
- fi
-
- # TODO: Review new configure options such as networkmanager
- econf \
- $(use_with caps capabilities libcap) \
- $(use_enable curl) \
- $(use_enable ldap) \
- $(use_enable xml smp) \
- $(use_enable smartcard) \
- $(use_enable cisco cisco-quirks) \
- $(use_enable debug leak-detective) \
- $(use_enable nat nat-transport) \
- ${myconf} \
- || die "econf failed"
-}
-
-src_install() {
- einstall || die "einstall failed."
-
- doinitd "${FILESDIR}"/ipsec
-
- if use caps; then
- fowners ipsec:ipsec /etc/ipsec.conf
- fi
-}
-
-pkg_postinst() {
- if use caps; then
- echo
- elog "strongSwan has been installed without superuser privileges as"
- elog "requested (USE=caps). There are certain restrictions and"
- elog "issues regarding non-root operation, so please have a look at:"
- elog " http://wiki.strongswan.org/wiki/nonRoot"
- echo
- elog "Please be aware that with dropped privileges most leftupdown and"
- elog "rightupdown scripts will no longer run if they require root privileges."
- elog "You might want to use sudo to allow the user \"ipsec\" to run"
- elog "the ipsec helper script (/usr/sbin/ipsec) as root."
- elog "Example for /etc/sudoers:"
- elog " Defaults:ipsec always_set_home,!env_reset"
- elog " ipsec ALL=(ALL) NOPASSWD: /usr/sbin/ipsec"
- elog "Example for a connection block in /etc/ipsec.conf:"
- elog " leftupdown=\"sudo ipsec _updown\""
- echo
-# elog "And please do not forget to add CAP_NET_ADMIN capabilities to"
-# elog "your charon and pluto binaries each time you emerge this ebuild."
-# echo
-# elog "setcap -v cap_net_admin=ep /usr/libexec/ipsec/pluto"
-# elog "setcap -v cap_net_admin=ep /usr/libexec/ipsec/charon"
-# echo
-# elog "For more information reagrding POSIX capabilities support please"
-# elog "have a look at http://www.friedhoff.org/posixfilecaps.html"
-# echo
- fi
- elog "The up-to-date manual is available online at:"
- elog " http://wiki.strongswan.org/"
- echo
-}