commit: a6b7c63798a7bad92264fca643fb2380ae90c937 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Thu Jan 15 20:39:54 2026 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Sat Jan 17 21:23:27 2026 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6b7c637
net-vpn/strongswan: cleanup vulnerable versions
Clean up dev-libs/botan:2 revdeps.
Bug: https://bugs.gentoo.org/965550
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>
 net-vpn/strongswan/Manifest | 4 -
 .../strongswan/files/strongswan-6.0.1-c23.patch | 601 --------------------
 net-vpn/strongswan/metadata.xml | 2 -
 net-vpn/strongswan/strongswan-5.9.13.ebuild | 318 -----------
 net-vpn/strongswan/strongswan-5.9.14-r2.ebuild | 322 -----------
 net-vpn/strongswan/strongswan-5.9.14.ebuild | 318 -----------
 net-vpn/strongswan/strongswan-6.0.1-r1.ebuild | 330 -----------
 net-vpn/strongswan/strongswan-6.0.1-r2.ebuild | 330 -----------
 net-vpn/strongswan/strongswan-6.0.1.ebuild | 326 -----------
 net-vpn/strongswan/strongswan-6.0.2.ebuild | 326 -----------
 10 files changed, 2877 deletions(-)
diff --git a/net-vpn/strongswan/Manifest b/net-vpn/strongswan/Manifest
index 45be0def5251..a0d2bc5355da 100644
--- a/net-vpn/strongswan/Manifest
+++ b/net-vpn/strongswan/Manifest
@@ -1,5 +1 @@
-DIST strongswan-5.9.13.tar.bz2 4825644 BLAKE2B 1d60864a557cf14e84c62d4c04ae64eb24331e2576c157b276cf13691ac2a7f5d1b92925e4c3e6ab51dc1f6f64aeb7c60ffb16309673a9f78a73f652cb24da8c SHA512 a929c1fb2a5e7d3064f6cd0be76703198406dad981f4b345311a004c18aa3c12adcb49eb33705fe4c3c31daf556cef5906d8753f5d9fbff5a27b732f93d8f19f
-DIST strongswan-5.9.14.tar.bz2 4869709 BLAKE2B 8b64903cfa087d42ae0895e7c11a2fcbd9c6a4a4241548d947753e081a4a4e3c5946e5cf4bbd326840e596e51c61554146f007e6882f11c874454b9480f6f7a6 SHA512 e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
-DIST strongswan-6.0.1.tar.bz2 4844260 BLAKE2B 5c751073412ce25dd06400043b8daaa9751052b7f686c46ef7b6fc8e8e4f622dd58e30b1eed634a75174a8032a1ece2c24bf5809689152927539c12e2d25edbf SHA512 86aa89242fd5a5569c3e8b73ea9a2b613be1d1674a4384f05ec7e74669cec2ed0b82c0900f797dd374b4c5a165385a4723dc674b84b28498a835a4c8d42a2eff
-DIST strongswan-6.0.2.tar.bz2 4876066 BLAKE2B 3cfc248831832a9b75da549fcaf490a4a0c33e2f680e04a02d04a035c05215ae0236f1fdcdb4a00b71b5a08d07626e8028959045aff1b77827c21fe7e1fb13ad SHA512 b1ee61b7d0eab40a9fcb5a7e28cfea9050f5f894fa66032edf9511b1e260104870e23fc19329b48be01f03eb491bfc27c9b74838722c80ba0284a48596a68d71
 DIST strongswan-6.0.3.tar.bz2 4877482 BLAKE2B 355dff5de259e545b1bb5e24853dc91148c3d400b1977a2de35271e019dfc236c838ccac4552974a4999e2768900150c432753fc0d422444d4cc34486566e192 SHA512 d085add33b04c908b0dfb9fdcab5c39c68b499e266cd0d5599f9bebf5974a12f0c6197f2e8a4013bf579735a648dfaa20d28dfe4fae32f5bae713d8bb8aa7dab
diff --git a/net-vpn/strongswan/files/strongswan-6.0.1-c23.patch b/net-vpn/strongswan/files/strongswan-6.0.1-c23.patch
deleted file mode 100644
index 18beb801fde3..000000000000
--- a/net-vpn/strongswan/files/strongswan-6.0.1-c23.patch
+++ /dev/null
@@ -1,601 +0,0 @@
-https://bugs.gentoo.org/943833
-https://src.fedoraproject.org/rpms/strongswan/blob/rawhide/f/strongswan-6.0.1-gcc15.patch
-
-From a7b5de569082398a14b7e571498e55d005903aaf Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <[email protected]>
-Date: Fri, 21 Feb 2025 17:18:35 +0100
-Subject: [PATCH] pki: Fix signature of help() to match that of a callback in
- command_t
-
----
- src/pki/command.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/pki/command.c b/src/pki/command.c
-index accec5fe51b..6e6bf041e18 100644
---- a/src/pki/command.c
-+++ b/src/pki/command.c
-@@ -265,7 +265,7 @@ int command_usage(char *error)
- /**
- * Show usage information
- */
--static int help(int c, char *v[])
-+static int help()
- {
- return command_usage(NULL);
- }
----
-
-From 38d89f57f0771d3cc7b2ab70849584685ada2bc0 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <[email protected]>
-Date: Fri, 21 Feb 2025 16:47:34 +0100
-Subject: [PATCH] charon-nm: Use CALLBACK macro for callback job's cancel
- implementation
-
-Casting to this specific function type doesn't work anymore if C23 is
-used as the types mismatch.
----
- src/charon-nm/nm/nm_backend.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
-index aefd3f95688..8ee1785212e 100644
---- a/src/charon-nm/nm/nm_backend.c
-+++ b/src/charon-nm/nm/nm_backend.c
-@@ -78,7 +78,8 @@ static job_requeue_t run(nm_backend_t *this)
- /**
- * Cancel the GLib Main Event Loop
- */
--static bool cancel(nm_backend_t *this)
-+CALLBACK(cancel, bool,
-+ nm_backend_t *this)
- {
- if (this->loop)
- {
-@@ -152,7 +153,7 @@ static bool nm_backend_init()
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
-- NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
-+ NULL, cancel, JOB_PRIO_CRITICAL));
- return TRUE;
- }
-
----
-
-From d5d2568ff0e88d364dadf50b67bf17050763cf98 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <[email protected]>
-Date: Fri, 21 Feb 2025 16:45:57 +0100
-Subject: [PATCH] callback-job: Replace return_false() in constructors with
- dedicated function
-
-Besides being clearer, this fixes issues with GCC 15. The latter uses
-C23 by default, which changes the meaning of function declarations
-without parameters such as
-
- bool return false();
-
-Instead of "this function takes an unknown number of arguments", this
-now equals (void), that is, "this function takes no arguments". So we
-run into incompatible pointer type warnings all over when using such
-functions. They could be cast to (void*) but this seems the cleaner
-solution for this use case.
----
- src/charon-cmd/cmd/cmd_connection.c | 2 +-
- .../jni/libandroidbridge/backend/android_dns_proxy.c | 2 +-
- .../jni/libandroidbridge/backend/android_service.c | 6 +++---
- src/libcharon/network/receiver.c | 2 +-
- src/libcharon/network/sender.c | 2 +-
- .../plugins/bypass_lan/bypass_lan_listener.c | 4 ++--
- .../plugins/eap_radius/eap_radius_accounting.c | 2 +-
- src/libcharon/plugins/eap_radius/eap_radius_plugin.c | 2 +-
- src/libcharon/plugins/ha/ha_ctl.c | 2 +-
- src/libcharon/plugins/ha/ha_dispatcher.c | 2 +-
- src/libcharon/plugins/ha/ha_segments.c | 6 +++---
- .../kernel_libipsec/kernel_libipsec_esp_handler.c | 2 +-
- .../plugins/kernel_libipsec/kernel_libipsec_router.c | 2 +-
- src/libcharon/plugins/smp/smp.c | 4 ++--
- src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c | 2 +-
- src/libcharon/plugins/uci/uci_control.c | 2 +-
- src/libipsec/ipsec_event_relay.c | 2 +-
- src/libipsec/ipsec_processor.c | 4 ++--
- src/libpttls/pt_tls_dispatcher.c | 2 +-
- src/libstrongswan/networking/streams/stream_service.c | 2 +-
- src/libstrongswan/processing/jobs/callback_job.c | 10 +++++++++-
- src/libstrongswan/processing/jobs/callback_job.h | 11 ++++++++++-
- src/libstrongswan/processing/scheduler.c | 3 ++-
- src/libstrongswan/processing/watcher.c | 4 ++--
- src/libtls/tests/suites/test_socket.c | 2 +-
- 25 files changed, 51 insertions(+), 33 deletions(-)
-
-diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 8e8d8236e52..e220e33a62a 100644
---- a/src/charon-cmd/cmd/cmd_connection.c
-+++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -585,7 +585,7 @@ cmd_connection_t *cmd_connection_create()
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio(
- (callback_job_cb_t)initiate, this, NULL,
-- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ callback_job_cancel_thread, JOB_PRIO_CRITICAL));
-
- return &this->public;
- }
-diff --git a/src/libcharon/network/receiver.c 
b/src/libcharon/network/receiver.c
-index e79d5974409..480d1d622d5 100644
---- a/src/libcharon/network/receiver.c
-+++ b/src/libcharon/network/receiver.c
-@@ -737,7 +737,7 @@ receiver_t *receiver_create()
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
-- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
-
- return &this->public;
- }
-diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
-index 4543766d62e..3fcd17f1b63 100644
---- a/src/libcharon/network/sender.c
-+++ b/src/libcharon/network/sender.c
-@@ -216,7 +216,7 @@ sender_t * sender_create()
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets,
-- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
-
- return &this->public;
- }
-diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
-index db7abd8146b..c9aed3666fc 100644
---- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
-+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
-@@ -227,7 +227,7 @@ METHOD(kernel_listener_t, roam, bool,
- {
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
-- NULL, (callback_job_cancel_t)return_false));
-+ NULL, callback_job_cancel_thread));
- return TRUE;
- }
-
-@@ -269,7 +269,7 @@ METHOD(bypass_lan_listener_t, reload_interfaces, void,
- this->mutex->unlock(this->mutex);
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
-- NULL, (callback_job_cancel_t)return_false));
-+ NULL, callback_job_cancel_thread));
- }
-
- METHOD(bypass_lan_listener_t, destroy, void,
-diff --git 
a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
-index f833dc3c0b4..2f29d080764 100644
---- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
-+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
-@@ -706,7 +706,7 @@ static void schedule_interim(private_eap_radius_accounting_t *this,
- (job_t*)callback_job_create_with_prio(
- (callback_job_cb_t)send_interim,
- data, (void*)destroy_interim_data,
-- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
-+ callback_job_cancel_thread, JOB_PRIO_CRITICAL), tv);
- }
- }
-
-diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
-index 5051542615a..55d5e032cea 100644
---- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
-+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
-@@ -445,7 +445,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id)
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio(
- (callback_job_cb_t)delete_all_async, NULL, NULL,
-- (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ callback_job_cancel_thread, JOB_PRIO_CRITICAL));
- }
- else if (id)
- {
-diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
-index 8859bae166b..3d2ac7de84d 100644
---- a/src/libcharon/plugins/ha/ha_ctl.c
-+++ b/src/libcharon/plugins/ha/ha_ctl.c
-@@ -199,6 +199,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo,
-- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
- return &this->public;
- }
-diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
-index 5de26a65a27..83be91ab159 100644
---- 
a/src/libcharon/plugins/ha/ha_dispatcher.c
-+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
-@@ -1184,7 +1184,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
- );
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
-- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
-
- return &this->public;
- }
-diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
-index afb76b39ea2..32d9ee40717 100644
---- a/src/libcharon/plugins/ha/ha_segments.c
-+++ b/src/libcharon/plugins/ha/ha_segments.c
-@@ -316,7 +316,7 @@ static void start_watchdog(private_ha_segments_t *this)
- this->heartbeat_active = TRUE;
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)watchdog, this,
-- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
- }
-
- METHOD(ha_segments_t, handle_status, void,
-@@ -404,7 +404,7 @@ static void start_heartbeat(private_ha_segments_t *this)
- {
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status,
-- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
- }
-
- /**
-@@ -451,7 +451,7 @@ static void start_autobalance(private_ha_segments_t *this)
- DBG1(DBG_CFG, "scheduling HA autobalance every %ds", this->autobalance);
- lib->scheduler->schedule_job(lib->scheduler,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance,
-- this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL),
-+ this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL),
- this->autobalance);
- }
-
-diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c 
b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
-index 095ad67b4b0..c18e266e4d1 100644
---- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
-+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
-@@ -337,7 +337,7 @@ kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create()
- }
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create(send_esp, this, NULL,
-- (callback_job_cancel_t)return_false));
-+ callback_job_cancel_thread));
- return &this->public;
- }
-
-diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
-index 74746e251de..07adc70be3e 100644
---- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
-+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
-@@ -364,7 +364,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create()
- charon->receiver->add_esp_cb(charon->receiver, receiver_esp_cb, NULL);
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
-- NULL, (callback_job_cancel_t)return_false));
-+ NULL, callback_job_cancel_thread));
-
- router = &this->public;
- return &this->public;
-diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
-index 6ca9f13997e..85ff5830bc5 100644
---- a/src/libcharon/plugins/smp/smp.c
-+++ b/src/libcharon/plugins/smp/smp.c
-@@ -710,7 +710,7 @@ static job_requeue_t dispatch(private_smp_t *this)
- fdp = malloc_thing(int);
- *fdp = fd;
- job = callback_job_create((callback_job_cb_t)process, fdp, free,
-- (callback_job_cancel_t)return_false);
-+ callback_job_cancel_thread);
- lib->processor->queue_job(lib->processor, (job_t*)job);
-
- return JOB_REQUEUE_DIRECT;
-@@ -800,7 +800,7 @@ plugin_t *smp_plugin_create()
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
-- NULL, 
(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
-
- return &this->public.plugin;
- }
-diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
-index 30aeb116dec..da317a894d9 100644
---- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
-+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
-@@ -210,7 +210,7 @@ METHOD(tnc_pdp_connections_t, add, void,
- /* schedule timeout checking */
- lib->scheduler->schedule_job_ms(lib->scheduler,
- (job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
-- this, NULL, (callback_job_cancel_t)return_false),
-+ this, NULL, callback_job_cancel_thread),
- this->timeout * 1000);
-
- dbg_nas_user(nas_id, user_name, FALSE, "created");
-diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
-index b033c832c8c..8074005ee57 100644
---- a/src/libcharon/plugins/uci/uci_control.c
-+++ b/src/libcharon/plugins/uci/uci_control.c
-@@ -296,7 +296,7 @@ uci_control_t *uci_control_create()
- {
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)receive,
-- this, NULL, (callback_job_cancel_t)return_false,
-+ this, NULL, callback_job_cancel_thread,
- JOB_PRIO_CRITICAL));
- }
- return &this->public;
-diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
-index 0f10795d168..802146eef21 100644
---- a/src/libipsec/ipsec_event_relay.c
-+++ b/src/libipsec/ipsec_event_relay.c
-@@ -230,7 +230,7 @@ ipsec_event_relay_t *ipsec_event_relay_create()
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create((callback_job_cb_t)handle_events, this,
-- NULL, (callback_job_cancel_t)return_false));
-+ NULL, callback_job_cancel_thread));
-
- return &this->public;
- }
-diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
-index 2572b088089..8549fefe261 100644
---- 
a/src/libipsec/ipsec_processor.c
-+++ b/src/libipsec/ipsec_processor.c
-@@ -336,9 +336,9 @@ ipsec_processor_t *ipsec_processor_create()
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create((callback_job_cb_t)process_inbound, this,
-- NULL, (callback_job_cancel_t)return_false));
-+ NULL, callback_job_cancel_thread));
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create((callback_job_cb_t)process_outbound, this,
-- NULL, (callback_job_cancel_t)return_false));
-+ NULL, callback_job_cancel_thread));
- return &this->public;
- }
-diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
-index a134bee238f..c7e42b277e1 100644
---- a/src/libpttls/pt_tls_dispatcher.c
-+++ b/src/libpttls/pt_tls_dispatcher.c
-@@ -156,7 +156,7 @@ METHOD(pt_tls_dispatcher_t, dispatch, void,
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
- connection, (void*)cleanup,
-- (callback_job_cancel_t)return_false,
-+ callback_job_cancel_thread,
- JOB_PRIO_CRITICAL));
- }
- }
-diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c
-index 5b709a2247d..c85a0664351 100644
---- a/src/libstrongswan/networking/streams/stream_service.c
-+++ b/src/libstrongswan/networking/streams/stream_service.c
-@@ -221,7 +221,7 @@ static bool watch(private_stream_service_t *this, int fd, watcher_event_t event)
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((void*)accept_async, data,
-- (void*)destroy_async_data, (callback_job_cancel_t)return_false,
-+ (void*)destroy_async_data, callback_job_cancel_thread,
- this->prio));
- }
- else
-diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
-index cb2a0aba5b9..3ab40b947c9 100644
---- a/src/libstrongswan/processing/jobs/callback_job.c
-+++ b/src/libstrongswan/processing/jobs/callback_job.c 
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2009-2012 Tobias Brunner
-+ * Copyright (C) 2009-2025 Tobias Brunner
- * Copyright (C) 2007-2011 Martin Willi
- *
- * Copyright (C) secunet Security Networks AG
-@@ -131,3 +131,11 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
- return callback_job_create_with_prio(cb, data, cleanup, cancel,
- JOB_PRIO_MEDIUM);
- }
-+
-+/*
-+ * Described in header
-+ */
-+bool callback_job_cancel_thread(void *data)
-+{
-+ return FALSE;
-+}
-diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
-index 0f1ae212d87..fda86887944 100644
---- a/src/libstrongswan/processing/jobs/callback_job.h
-+++ b/src/libstrongswan/processing/jobs/callback_job.h
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2012 Tobias Brunner
-+ * Copyright (C) 2012-2025 Tobias Brunner
- * Copyright (C) 2007-2011 Martin Willi
- *
- * Copyright (C) secunet Security Networks AG
-@@ -62,6 +62,15 @@ typedef void (*callback_job_cleanup_t)(void *data);
- */
- typedef bool (*callback_job_cancel_t)(void *data);
-
-+/**
-+ * Default implementation of callback_job_cancel_t that simply returns FALSE
-+ * to force cancellation of the thread by the processor.
-+ *
-+ * @param data ignored argument
-+ * @return always returns FALSE
-+ */
-+bool callback_job_cancel_thread(void *data);
-+
- /**
- * Class representing an callback Job. 
- *
-diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
-index c5e5dd83e70..76d98ddff51 100644
---- a/src/libstrongswan/processing/scheduler.c
-+++ b/src/libstrongswan/processing/scheduler.c
-@@ -329,7 +329,8 @@ scheduler_t * scheduler_create()
- this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
-
- job = callback_job_create_with_prio((callback_job_cb_t)schedule, this,
-- NULL, return_false, JOB_PRIO_CRITICAL);
-+ NULL, callback_job_cancel_thread,
-+ JOB_PRIO_CRITICAL);
- lib->processor->queue_job(lib->processor, (job_t*)job);
-
- return &this->public;
-diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
-index 1200d670959..a86ec0910d1 100644
---- a/src/libstrongswan/processing/watcher.c
-+++ b/src/libstrongswan/processing/watcher.c
-@@ -291,7 +291,7 @@ static void notify(private_watcher_t *this, entry_t *entry,
-
- this->jobs->insert_last(this->jobs,
- callback_job_create_with_prio((void*)notify_async, data,
-- (void*)notify_end, (callback_job_cancel_t)return_false,
-+ (void*)notify_end, callback_job_cancel_thread,
- JOB_PRIO_CRITICAL));
- }
-
-@@ -559,7 +559,7 @@ METHOD(watcher_t, add, void,
-
- lib->processor->queue_job(lib->processor,
- (job_t*)callback_job_create_with_prio((void*)watch, this,
-- NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
-+ NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
- }
- else
- {
-diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
-index 91ee58b975f..c17d0a8873e 100644
---- a/src/libtls/tests/suites/test_socket.c
-+++ b/src/libtls/tests/suites/test_socket.c
-@@ -587,7 +587,7 @@ static void start_echo_server(echo_server_config_t *config)
-
- lib->processor->queue_job(lib->processor, (job_t*)
- callback_job_create((void*)serve_echo, config, NULL,
-- (callback_job_cancel_t)return_false));
-+ callback_job_cancel_thread));
- }
-
- /**
----
-
-From 
11978ddd39e800b5f35f721d726e8a4cb7e4ec0f Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <[email protected]>
-Date: Fri, 21 Feb 2025 17:00:44 +0100
-Subject: [PATCH] Cast uses of return_*(), nop() and enumerator_create_empty()
-
-As described in the previous commit, GCC 15 uses C23 by default and that
-changes the meaning of such argument-less function declarations. So
-whenever we assign such a function to a pointer that expects a function
-with arguments it causes an incompatible pointer type warning. We
-could define dedicated functions/callbacks whenever necessary, but this
-seems like the simpler approach for now (especially since most uses of
-these functions have already been cast).
----
- src/charon-nm/nm/nm_handler.c | 2 +-
- src/libcharon/encoding/payloads/encrypted_payload.c | 2 +-
- src/libcharon/plugins/android_dns/android_dns_handler.c | 2 +-
- src/libcharon/plugins/ha/ha_attribute.c | 2 +-
- src/libcharon/plugins/updown/updown_handler.c | 2 +-
- src/libstrongswan/utils/identification.c | 6 +++---
- 6 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
-index d7331ad72f6..39d0190ac9e 100644
---- a/src/charon-nm/nm/nm_handler.c
-+++ b/src/charon-nm/nm/nm_handler.c
-@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create()
- .public = {
- .handler = {
- .handle = _handle,
-- .release = nop,
-+ .release = (void*)nop,
- .create_attribute_enumerator = _create_attribute_enumerator,
- },
- .create_enumerator = _create_enumerator,
-diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
-index 676d00b7a29..4821c6108ed 100644
---- a/src/libcharon/encoding/payloads/encrypted_payload.c
-+++ b/src/libcharon/encoding/payloads/encrypted_payload.c
-@@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create()
- .get_length = _frag_get_length,
- .add_payload = _frag_add_payload,
- .remove_payload = 
(void*)return_null,
-- .generate_payloads = nop,
-+ .generate_payloads = (void*)nop,
- .set_transform = _frag_set_transform,
- .get_transform = _frag_get_transform,
- .encrypt = _frag_encrypt,
-diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
-index 78f4f702aec..14d2ff99aa3 100644
---- a/src/libcharon/plugins/android_dns/android_dns_handler.c
-+++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
-@@ -191,7 +191,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
- VA_ARGS_VGET(args, type, data);
- *type = INTERNAL_IP4_DNS;
- *data = chunk_empty;
-- this->venumerate = return_false;
-+ this->venumerate = (void*)return_false;
- return TRUE;
- }
-
-diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
-index b865a4b829b..103d1a93784 100644
---- a/src/libcharon/plugins/ha/ha_attribute.c
-+++ b/src/libcharon/plugins/ha/ha_attribute.c
-@@ -381,7 +381,7 @@ ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments
- .provider = {
- .acquire_address = _acquire_address,
- .release_address = _release_address,
-- .create_attribute_enumerator = enumerator_create_empty,
-+ .create_attribute_enumerator = (void*)enumerator_create_empty,
- },
- .reserve = _reserve,
- .destroy = _destroy,
-diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
-index 36eb15615a4..3707e1e658c 100644
---- a/src/libcharon/plugins/updown/updown_handler.c
-+++ b/src/libcharon/plugins/updown/updown_handler.c
-@@ -220,7 +220,7 @@ updown_handler_t *updown_handler_create()
- .handler = {
- .handle = _handle,
- .release = _release,
-- .create_attribute_enumerator = enumerator_create_empty,
-+ .create_attribute_enumerator = (void*)enumerator_create_empty,
- },
- .create_dns_enumerator = _create_dns_enumerator,
- .destroy = _destroy,
-diff --git a/src/libstrongswan/utils/identification.c 
b/src/libstrongswan/utils/identifi -100 5229 100 5229 0 0 26091 0 --:--:-- --:--:-- --:--:-- 26145 -cation.c
-index d31955b3806..58a05052dc1 100644
---- a/src/libstrongswan/utils/identification.c
-+++ b/src/libstrongswan/utils/identification.c
-@@ -1625,7 +1625,7 @@ static private_identification_t *identification_create(id_type_t type)
- this->public.hash = _hash_binary;
- this->public.equals = _equals_binary;
- this->public.matches = _matches_any;
-- this->public.contains_wildcards = return_true;
-+ this->public.contains_wildcards = (void*)return_true;
- break;
- case ID_FQDN:
- case ID_RFC822_ADDR:
-@@ -1660,13 +1660,13 @@ static private_identification_t *identification_create(id_type_t type)
- this->public.hash = _hash_binary;
- this->public.equals = _equals_binary;
- this->public.matches = _matches_range;
-- this->public.contains_wildcards = return_false;
-+ this->public.contains_wildcards = (void*)return_false;
- break;
- default:
- this->public.hash = _hash_binary;
- this->public.equals = _equals_binary;
- this->public.matches = _matches_binary;
-- this->public.contains_wildcards = return_false;
-+ this->public.contains_wildcards = (void*)return_false;
- break;
- }
- return this;
----
diff --git a/net-vpn/strongswan/metadata.xml b/net-vpn/strongswan/metadata.xml
index 8d5fa9784967..e887bae78198 100644
--- a/net-vpn/strongswan/metadata.xml
+++ b/net-vpn/strongswan/metadata.xml
@@ -63,9 +63,7 @@
 <flag name="strongswan_plugins_md4">Enable support for the md4 plugin</flag>
 <flag name="strongswan_plugins_md5">Enable support for the md5 plugin</flag>
 <flag name="strongswan_plugins_mgf1">Enable support for the mgf1 plugin</flag>
- <flag name="strongswan_plugins_newhope">Enable plugin that allows key exchange based on post-quantum computer New Hope algorithm</flag>
 <flag name="strongswan_plugins_nonce">Enable support the nonce plugin</flag>
- <flag name="strongswan_plugins_ntru">Enable support for the ntru plugin</flag>
 <flag name="strongswan_plugins_openxpki">Enable OCSP responder accessing OpenXPKI MySQL/MariaDB certificate database</flag>
 <flag name="strongswan_plugins_padlock">Enable support for the padlock plugin</flag>
 <flag name="strongswan_plugins_pem">Enable support for the pem plugin</flag>
diff --git a/net-vpn/strongswan/strongswan-5.9.13.ebuild b/net-vpn/strongswan/strongswan-5.9.13.ebuild
deleted file mode 100644
index 9ff569276908..000000000000
--- a/net-vpn/strongswan/strongswan-5.9.13.ebuild
+++ /dev/null
@@ -1,318 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="8" -inherit linux-info systemd - -DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE" -HOMEPAGE="https://www.strongswan.org/" -SRC_URI="https://download.strongswan.org/${P}.tar.bz2" - -LICENSE="GPL-2 RSA DES" -SLOT="0" -KEYWORDS="amd64 arm ~arm64 ~ppc ~ppc64 ~riscv x86" -IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11" - -STRONGSWAN_PLUGINS_STD="gcm led lookip systime-fix unity vici" -STRONGSWAN_PLUGINS_OPT_DISABLE="kdf" -STRONGSWAN_PLUGINS_OPT="addrblock aesni blowfish bypass-lan ccm chapoly ctr error-notify forecast -ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist -xauth-noauth" -for mod in $STRONGSWAN_PLUGINS_STD; do - IUSE="${IUSE} +strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -COMMON_DEPEND="non-root? ( - acct-user/ipsec - acct-group/ipsec - ) - dev-libs/glib:2 - gmp? ( >=dev-libs/gmp-4.1.5:= ) - gcrypt? ( dev-libs/libgcrypt:= ) - caps? ( sys-libs/libcap ) - curl? ( net-misc/curl ) - ldap? ( net-nds/openldap:= ) - openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] ) - mysql? ( dev-db/mysql-connector-c:= ) - sqlite? ( >=dev-db/sqlite-3.3.1:3 ) - systemd? ( sys-apps/systemd ) - networkmanager? ( net-misc/networkmanager ) - pam? ( sys-libs/pam ) - strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns:= )" - -DEPEND="${COMMON_DEPEND} - virtual/linux-sources - sys-kernel/linux-headers" - -RDEPEND="${COMMON_DEPEND} - virtual/logger - sys-apps/iproute2 - !net-vpn/libreswan - selinux? ( sec-policy/selinux-ipsec )" - -UGID="ipsec" - -pkg_setup() { - linux-info_pkg_setup - - elog "Linux kernel version: ${KV_FULL}" - - if ! 
kernel_is -ge 2 6 16; then - eerror - eerror "This ebuild currently only supports ${PN} with the" - eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16." - eerror - fi - - if kernel_is -lt 2 6 34; then - ewarn - ewarn "IMPORTANT KERNEL NOTES: Please read carefully..." - ewarn - - if kernel_is -lt 2 6 29; then - ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to" - ewarn "include all required IPv6 modules even if you just intend" - ewarn "to run on IPv4 only." - ewarn - ewarn "This has been fixed with kernels >= 2.6.29." - ewarn - fi - - if kernel_is -lt 2 6 33; then - ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards" - ewarn "compliant implementation for SHA-2 HMAC support in ESP and" - ewarn "miss SHA384 and SHA512 HMAC support altogether." - ewarn - ewarn "If you need any of those features, please use kernel >= 2.6.33." - ewarn - fi - - if kernel_is -lt 2 6 34; then - ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only" - ewarn "ESP cipher is only included in kernels >= 2.6.34." - ewarn - ewarn "If you need it, please use kernel >= 2.6.34." - ewarn - fi - fi -} - -src_configure() { - local myconf="" - - if use non-root; then - myconf="${myconf} --with-user=${UGID} --with-group=${UGID}" - fi - - # If a user has already enabled db support, those plugins will - # most likely be desired as well. Besides they don't impose new - # dependencies and come at no cost (except for space). - if use mysql || use sqlite; then - myconf="${myconf} --enable-attr-sql --enable-sql" - fi - - # strongSwan builds and installs static libs by default which are - # useless to the user (and to strongSwan for that matter) because no - # header files or alike get installed... so disabling them is safe. 
- if use pam && use eap; then - myconf="${myconf} --enable-eap-gtc" - else - myconf="${myconf} --disable-eap-gtc" - fi - - for mod in $STRONGSWAN_PLUGINS_STD; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - if ! use strongswan_plugins_${mod}; then - myconf+=" --disable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - econf \ - --disable-static \ - --enable-ikev1 \ - --enable-ikev2 \ - --enable-swanctl \ - --enable-socket-dynamic \ - --enable-cmd \ - $(use_enable curl) \ - $(use_enable constraints) \ - $(use_enable ldap) \ - $(use_enable debug leak-detective) \ - $(use_enable dhcp) \ - $(use_enable eap eap-sim) \ - $(use_enable eap eap-sim-file) \ - $(use_enable eap eap-simaka-sql) \ - $(use_enable eap eap-simaka-pseudonym) \ - $(use_enable eap eap-simaka-reauth) \ - $(use_enable eap eap-identity) \ - $(use_enable eap eap-md5) \ - $(use_enable eap eap-aka) \ - $(use_enable eap eap-aka-3gpp2) \ - $(use_enable eap md4) \ - $(use_enable eap eap-mschapv2) \ - $(use_enable eap eap-radius) \ - $(use_enable eap eap-tls) \ - $(use_enable eap eap-ttls) \ - $(use_enable eap xauth-eap) \ - $(use_enable eap eap-dynamic) \ - $(use_enable farp) \ - $(use_enable gmp) \ - $(use_enable gcrypt) \ - $(use_enable mysql) \ - $(use_enable networkmanager nm) \ - $(use_enable openssl) \ - $(use_enable pam xauth-pam) \ - $(use_enable pkcs11) \ - $(use_enable sqlite) \ - $(use_enable systemd) \ - $(use_with caps capabilities libcap) \ - --with-piddir=/run \ - --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ - ${myconf} -} - -src_install() { - emake DESTDIR="${D}" install - - if ! use systemd; then - rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib." 
- fi - - doinitd "${FILESDIR}"/ipsec - - local dir_ugid - if use non-root; then - fowners ${UGID}:${UGID} \ - /etc/ipsec.conf \ - /etc/strongswan.conf - - dir_ugid="${UGID}" - else - dir_ugid="root" - fi - - diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid} - dodir /etc/ipsec.d \ - /etc/ipsec.d/aacerts \ - /etc/ipsec.d/acerts \ - /etc/ipsec.d/cacerts \ - /etc/ipsec.d/certs \ - /etc/ipsec.d/crls \ - /etc/ipsec.d/ocspcerts \ - /etc/ipsec.d/private \ - /etc/ipsec.d/reqs - - dodoc NEWS README TODO - - # shared libs are used only internally and there are no static libs, - # so it's safe to get rid of the .la files - find "${D}" -name '*.la' -delete || die "Failed to remove .la files." -} - -pkg_preinst() { - has_version "<net-vpn/strongswan-4.3.6-r1" - upgrade_from_leq_4_3_6=$(( !$? )) - - has_version "<net-vpn/strongswan-4.3.6-r1[-caps]" - previous_4_3_6_with_caps=$(( !$? )) -} - -pkg_postinst() { - if ! use openssl && ! use gcrypt; then - elog - elog "${PN} has been compiled without both OpenSSL and libgcrypt support." - elog "Please note that this might effect availability and speed of some" - elog "cryptographic features. You are advised to enable the OpenSSL plugin." - elif ! use openssl; then - elog - elog "${PN} has been compiled without the OpenSSL plugin. This might effect" - elog "availability and speed of some cryptographic features. There will be" - elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21," - elog "25, 26) and ECDSA." - fi - - if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then - chmod 0750 "${ROOT}"/etc/ipsec.d \ - "${ROOT}"/etc/ipsec.d/aacerts \ - "${ROOT}"/etc/ipsec.d/acerts \ - "${ROOT}"/etc/ipsec.d/cacerts \ - "${ROOT}"/etc/ipsec.d/certs \ - "${ROOT}"/etc/ipsec.d/crls \ - "${ROOT}"/etc/ipsec.d/ocspcerts \ - "${ROOT}"/etc/ipsec.d/private \ - "${ROOT}"/etc/ipsec.d/reqs - - ewarn - ewarn "The default permissions for /etc/ipsec.d/* have been tightened for" - ewarn "security reasons. 
Your system installed directories have been" - ewarn "updated accordingly. Please check if necessary." - ewarn - - if [[ $previous_4_3_6_with_caps == 1 ]]; then - if ! use non-root; then - ewarn - ewarn "IMPORTANT: You previously had ${PN} installed without root" - ewarn "privileges because it was implied by the 'caps' USE flag." - ewarn "This has been changed. If you want ${PN} with user privileges," - ewarn "you have to re-emerge it with the 'non-root' USE flag enabled." - ewarn - fi - fi - fi - if ! use caps && ! use non-root; then - ewarn - ewarn "You have decided to run ${PN} with root privileges and built it" - ewarn "without support for POSIX capability dropping. It is generally" - ewarn "strongly suggested that you reconsider- especially if you intend" - ewarn "to run ${PN} as server with a public ip address." - ewarn - ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled." - ewarn - fi - if use non-root; then - elog - elog "${PN} has been installed without superuser privileges (USE=non-root)." - elog "This imposes a few limitations mainly to the daemon 'charon' in" - elog "regards of the use of iptables." - elog - elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges" - elog - elog "Thus if you require to specify a custom updown" - elog "script to charon which requires superuser privileges, you" - elog "can work around this limitation by using sudo to grant the" - elog "user \"ipsec\" the appropriate rights." - elog "For example (the default case):" - elog "/etc/sudoers:" - elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec" - elog "Under the specific connection block in /etc/ipsec.conf:" - elog " leftupdown=\"sudo -E ipsec _updown iptables\"" - elog - fi - elog - elog "Make sure you have _all_ required kernel modules available including" - elog "the appropriate cryptographic algorithms. 
A list is available at:"
- elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
- elog
- elog "The up-to-date manual is available online at:"
- elog " https://wiki.strongswan.org/"
- elog
-}
diff --git a/net-vpn/strongswan/strongswan-5.9.14-r2.ebuild b/net-vpn/strongswan/strongswan-5.9.14-r2.ebuild
deleted file mode 100644
index f1bcf615b235..000000000000
--- a/net-vpn/strongswan/strongswan-5.9.14-r2.ebuild
+++ /dev/null
@@ -1,322 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="8" -inherit linux-info systemd - -DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE" -HOMEPAGE="https://www.strongswan.org/" -SRC_URI="https://download.strongswan.org/${P}.tar.bz2" - -LICENSE="GPL-2 RSA DES" -SLOT="0" -KEYWORDS="amd64 arm ~arm64 ~ppc ~ppc64 ~riscv x86" -IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11" - -STRONGSWAN_PLUGINS_STD="aes cmac curve25519 des dnskey drbg eap-radius fips-prf gcm hmac led lookip md5 nonce pem pgp -pkcs1 pkcs7 pkcs8 pkcs12 pubkey random rc2 revocation sha1 sha2 sshkey systime-fix unity vici x509 xcbc" -STRONGSWAN_PLUGINS_OPT_DISABLE="kdf" -STRONGSWAN_PLUGINS_OPT="acert af-alg agent addrblock aesni botan blowfish bypass-lan -ccm chapoly ctr error-notify forecast files gcm ha ipseckey md4 mgf1 ntru newhope -openxpki padlock rdrand save-keys sha3 soup test-vectors unbound whitelist xauth-noauth" - -for mod in $STRONGSWAN_PLUGINS_STD; do - IUSE="${IUSE} +strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -COMMON_DEPEND="non-root? ( - acct-user/ipsec - acct-group/ipsec - ) - dev-libs/glib:2 - gmp? ( >=dev-libs/gmp-4.1.5:= ) - gcrypt? ( dev-libs/libgcrypt:= ) - caps? ( sys-libs/libcap ) - curl? ( net-misc/curl ) - ldap? ( net-nds/openldap:= ) - openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] ) - mysql? ( dev-db/mysql-connector-c:= ) - sqlite? ( >=dev-db/sqlite-3.3.1:3 ) - systemd? ( sys-apps/systemd ) - networkmanager? ( net-misc/networkmanager ) - pam? ( sys-libs/pam ) - strongswan_plugins_botan? ( dev-libs/botan:2= ) - strongswan_plugins_soup? ( net-libs/libsoup:2.4= ) - strongswan_plugins_unbound? 
( net-dns/unbound:= net-libs/ldns:= )" - -DEPEND="${COMMON_DEPEND} - virtual/linux-sources - sys-kernel/linux-headers" - -RDEPEND="${COMMON_DEPEND} - virtual/logger - sys-apps/iproute2 - !net-vpn/libreswan - selinux? ( sec-policy/selinux-ipsec )" - -UGID="ipsec" - -pkg_setup() { - linux-info_pkg_setup - - elog "Linux kernel version: ${KV_FULL}" - - if ! kernel_is -ge 2 6 16; then - eerror - eerror "This ebuild currently only supports ${PN} with the" - eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16." - eerror - fi - - if kernel_is -lt 2 6 34; then - ewarn - ewarn "IMPORTANT KERNEL NOTES: Please read carefully..." - ewarn - - if kernel_is -lt 2 6 29; then - ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to" - ewarn "include all required IPv6 modules even if you just intend" - ewarn "to run on IPv4 only." - ewarn - ewarn "This has been fixed with kernels >= 2.6.29." - ewarn - fi - - if kernel_is -lt 2 6 33; then - ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards" - ewarn "compliant implementation for SHA-2 HMAC support in ESP and" - ewarn "miss SHA384 and SHA512 HMAC support altogether." - ewarn - ewarn "If you need any of those features, please use kernel >= 2.6.33." - ewarn - fi - - if kernel_is -lt 2 6 34; then - ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only" - ewarn "ESP cipher is only included in kernels >= 2.6.34." - ewarn - ewarn "If you need it, please use kernel >= 2.6.34." - ewarn - fi - fi -} - -src_configure() { - local myconf="" - - if use non-root; then - myconf="${myconf} --with-user=${UGID} --with-group=${UGID}" - fi - - # If a user has already enabled db support, those plugins will - # most likely be desired as well. Besides they don't impose new - # dependencies and come at no cost (except for space). 
- if use mysql || use sqlite; then - myconf="${myconf} --enable-attr-sql --enable-sql" - fi - - # strongSwan builds and installs static libs by default which are - # useless to the user (and to strongSwan for that matter) because no - # header files or alike get installed... so disabling them is safe. - if use pam && use eap; then - myconf="${myconf} --enable-eap-gtc" - else - myconf="${myconf} --disable-eap-gtc" - fi - - for mod in $STRONGSWAN_PLUGINS_STD; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - if ! use strongswan_plugins_${mod}; then - myconf+=" --disable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - econf \ - --disable-static \ - --enable-ikev1 \ - --enable-ikev2 \ - --enable-swanctl \ - --enable-socket-dynamic \ - --enable-cmd \ - $(use_enable curl) \ - $(use_enable constraints) \ - $(use_enable ldap) \ - $(use_enable debug leak-detective) \ - $(use_enable dhcp) \ - $(use_enable eap eap-sim) \ - $(use_enable eap eap-sim-file) \ - $(use_enable eap eap-simaka-sql) \ - $(use_enable eap eap-simaka-pseudonym) \ - $(use_enable eap eap-simaka-reauth) \ - $(use_enable eap eap-identity) \ - $(use_enable eap eap-md5) \ - $(use_enable eap eap-aka) \ - $(use_enable eap eap-aka-3gpp2) \ - $(use_enable eap md4) \ - $(use_enable eap eap-mschapv2) \ - $(use_enable eap eap-radius) \ - $(use_enable eap eap-tls) \ - $(use_enable eap eap-ttls) \ - $(use_enable eap xauth-eap) \ - $(use_enable eap eap-dynamic) \ - $(use_enable farp) \ - $(use_enable gmp) \ - $(use_enable gcrypt) \ - $(use_enable mysql) \ - $(use_enable networkmanager nm) \ - $(use_enable openssl) \ - $(use_enable pam xauth-pam) \ - $(use_enable pkcs11) \ - $(use_enable sqlite) \ - $(use_enable systemd) \ - $(use_with caps capabilities libcap) \ - --with-piddir=/run \ - 
--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ - ${myconf} -} - -src_install() { - emake DESTDIR="${D}" install - - if ! use systemd; then - rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib." - fi - - doinitd "${FILESDIR}"/ipsec - - local dir_ugid - if use non-root; then - fowners ${UGID}:${UGID} \ - /etc/ipsec.conf \ - /etc/strongswan.conf - - dir_ugid="${UGID}" - else - dir_ugid="root" - fi - - diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid} - dodir /etc/ipsec.d \ - /etc/ipsec.d/aacerts \ - /etc/ipsec.d/acerts \ - /etc/ipsec.d/cacerts \ - /etc/ipsec.d/certs \ - /etc/ipsec.d/crls \ - /etc/ipsec.d/ocspcerts \ - /etc/ipsec.d/private \ - /etc/ipsec.d/reqs - - dodoc NEWS README TODO - - # shared libs are used only internally and there are no static libs, - # so it's safe to get rid of the .la files - find "${D}" -name '*.la' -delete || die "Failed to remove .la files." -} - -pkg_preinst() { - has_version "<net-vpn/strongswan-4.3.6-r1" - upgrade_from_leq_4_3_6=$(( !$? )) - - has_version "<net-vpn/strongswan-4.3.6-r1[-caps]" - previous_4_3_6_with_caps=$(( !$? )) -} - -pkg_postinst() { - if ! use openssl && ! use gcrypt; then - elog - elog "${PN} has been compiled without both OpenSSL and libgcrypt support." - elog "Please note that this might effect availability and speed of some" - elog "cryptographic features. You are advised to enable the OpenSSL plugin." - elif ! use openssl; then - elog - elog "${PN} has been compiled without the OpenSSL plugin. This might effect" - elog "availability and speed of some cryptographic features. There will be" - elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21," - elog "25, 26) and ECDSA." 
- fi - - if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then - chmod 0750 "${ROOT}"/etc/ipsec.d \ - "${ROOT}"/etc/ipsec.d/aacerts \ - "${ROOT}"/etc/ipsec.d/acerts \ - "${ROOT}"/etc/ipsec.d/cacerts \ - "${ROOT}"/etc/ipsec.d/certs \ - "${ROOT}"/etc/ipsec.d/crls \ - "${ROOT}"/etc/ipsec.d/ocspcerts \ - "${ROOT}"/etc/ipsec.d/private \ - "${ROOT}"/etc/ipsec.d/reqs - - ewarn - ewarn "The default permissions for /etc/ipsec.d/* have been tightened for" - ewarn "security reasons. Your system installed directories have been" - ewarn "updated accordingly. Please check if necessary." - ewarn - - if [[ $previous_4_3_6_with_caps == 1 ]]; then - if ! use non-root; then - ewarn - ewarn "IMPORTANT: You previously had ${PN} installed without root" - ewarn "privileges because it was implied by the 'caps' USE flag." - ewarn "This has been changed. If you want ${PN} with user privileges," - ewarn "you have to re-emerge it with the 'non-root' USE flag enabled." - ewarn - fi - fi - fi - if ! use caps && ! use non-root; then - ewarn - ewarn "You have decided to run ${PN} with root privileges and built it" - ewarn "without support for POSIX capability dropping. It is generally" - ewarn "strongly suggested that you reconsider- especially if you intend" - ewarn "to run ${PN} as server with a public ip address." - ewarn - ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled." - ewarn - fi - if use non-root; then - elog - elog "${PN} has been installed without superuser privileges (USE=non-root)." - elog "This imposes a few limitations mainly to the daemon 'charon' in" - elog "regards of the use of iptables." - elog - elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges" - elog - elog "Thus if you require to specify a custom updown" - elog "script to charon which requires superuser privileges, you" - elog "can work around this limitation by using sudo to grant the" - elog "user \"ipsec\" the appropriate rights." 
- elog "For example (the default case):"
- elog "/etc/sudoers:"
- elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
- elog "Under the specific connection block in /etc/ipsec.conf:"
- elog " leftupdown=\"sudo -E ipsec _updown iptables\""
- elog
- fi
- elog
- elog "Make sure you have _all_ required kernel modules available including"
- elog "the appropriate cryptographic algorithms. A list is available at:"
- elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
- elog
- elog "The up-to-date manual is available online at:"
- elog " https://wiki.strongswan.org/"
- elog
-}
diff --git a/net-vpn/strongswan/strongswan-5.9.14.ebuild b/net-vpn/strongswan/strongswan-5.9.14.ebuild
deleted file mode 100644
index 9ff569276908..000000000000
--- a/net-vpn/strongswan/strongswan-5.9.14.ebuild
+++ /dev/null
@@ -1,318 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="8" -inherit linux-info systemd - -DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE" -HOMEPAGE="https://www.strongswan.org/" -SRC_URI="https://download.strongswan.org/${P}.tar.bz2" - -LICENSE="GPL-2 RSA DES" -SLOT="0" -KEYWORDS="amd64 arm ~arm64 ~ppc ~ppc64 ~riscv x86" -IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11" - -STRONGSWAN_PLUGINS_STD="gcm led lookip systime-fix unity vici" -STRONGSWAN_PLUGINS_OPT_DISABLE="kdf" -STRONGSWAN_PLUGINS_OPT="addrblock aesni blowfish bypass-lan ccm chapoly ctr error-notify forecast -ha ipseckey newhope ntru padlock rdrand save-keys unbound whitelist -xauth-noauth" -for mod in $STRONGSWAN_PLUGINS_STD; do - IUSE="${IUSE} +strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -COMMON_DEPEND="non-root? ( - acct-user/ipsec - acct-group/ipsec - ) - dev-libs/glib:2 - gmp? ( >=dev-libs/gmp-4.1.5:= ) - gcrypt? ( dev-libs/libgcrypt:= ) - caps? ( sys-libs/libcap ) - curl? ( net-misc/curl ) - ldap? ( net-nds/openldap:= ) - openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] ) - mysql? ( dev-db/mysql-connector-c:= ) - sqlite? ( >=dev-db/sqlite-3.3.1:3 ) - systemd? ( sys-apps/systemd ) - networkmanager? ( net-misc/networkmanager ) - pam? ( sys-libs/pam ) - strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns:= )" - -DEPEND="${COMMON_DEPEND} - virtual/linux-sources - sys-kernel/linux-headers" - -RDEPEND="${COMMON_DEPEND} - virtual/logger - sys-apps/iproute2 - !net-vpn/libreswan - selinux? ( sec-policy/selinux-ipsec )" - -UGID="ipsec" - -pkg_setup() { - linux-info_pkg_setup - - elog "Linux kernel version: ${KV_FULL}" - - if ! 
kernel_is -ge 2 6 16; then - eerror - eerror "This ebuild currently only supports ${PN} with the" - eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16." - eerror - fi - - if kernel_is -lt 2 6 34; then - ewarn - ewarn "IMPORTANT KERNEL NOTES: Please read carefully..." - ewarn - - if kernel_is -lt 2 6 29; then - ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to" - ewarn "include all required IPv6 modules even if you just intend" - ewarn "to run on IPv4 only." - ewarn - ewarn "This has been fixed with kernels >= 2.6.29." - ewarn - fi - - if kernel_is -lt 2 6 33; then - ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards" - ewarn "compliant implementation for SHA-2 HMAC support in ESP and" - ewarn "miss SHA384 and SHA512 HMAC support altogether." - ewarn - ewarn "If you need any of those features, please use kernel >= 2.6.33." - ewarn - fi - - if kernel_is -lt 2 6 34; then - ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only" - ewarn "ESP cipher is only included in kernels >= 2.6.34." - ewarn - ewarn "If you need it, please use kernel >= 2.6.34." - ewarn - fi - fi -} - -src_configure() { - local myconf="" - - if use non-root; then - myconf="${myconf} --with-user=${UGID} --with-group=${UGID}" - fi - - # If a user has already enabled db support, those plugins will - # most likely be desired as well. Besides they don't impose new - # dependencies and come at no cost (except for space). - if use mysql || use sqlite; then - myconf="${myconf} --enable-attr-sql --enable-sql" - fi - - # strongSwan builds and installs static libs by default which are - # useless to the user (and to strongSwan for that matter) because no - # header files or alike get installed... so disabling them is safe. 
- if use pam && use eap; then - myconf="${myconf} --enable-eap-gtc" - else - myconf="${myconf} --disable-eap-gtc" - fi - - for mod in $STRONGSWAN_PLUGINS_STD; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - if ! use strongswan_plugins_${mod}; then - myconf+=" --disable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - econf \ - --disable-static \ - --enable-ikev1 \ - --enable-ikev2 \ - --enable-swanctl \ - --enable-socket-dynamic \ - --enable-cmd \ - $(use_enable curl) \ - $(use_enable constraints) \ - $(use_enable ldap) \ - $(use_enable debug leak-detective) \ - $(use_enable dhcp) \ - $(use_enable eap eap-sim) \ - $(use_enable eap eap-sim-file) \ - $(use_enable eap eap-simaka-sql) \ - $(use_enable eap eap-simaka-pseudonym) \ - $(use_enable eap eap-simaka-reauth) \ - $(use_enable eap eap-identity) \ - $(use_enable eap eap-md5) \ - $(use_enable eap eap-aka) \ - $(use_enable eap eap-aka-3gpp2) \ - $(use_enable eap md4) \ - $(use_enable eap eap-mschapv2) \ - $(use_enable eap eap-radius) \ - $(use_enable eap eap-tls) \ - $(use_enable eap eap-ttls) \ - $(use_enable eap xauth-eap) \ - $(use_enable eap eap-dynamic) \ - $(use_enable farp) \ - $(use_enable gmp) \ - $(use_enable gcrypt) \ - $(use_enable mysql) \ - $(use_enable networkmanager nm) \ - $(use_enable openssl) \ - $(use_enable pam xauth-pam) \ - $(use_enable pkcs11) \ - $(use_enable sqlite) \ - $(use_enable systemd) \ - $(use_with caps capabilities libcap) \ - --with-piddir=/run \ - --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ - ${myconf} -} - -src_install() { - emake DESTDIR="${D}" install - - if ! use systemd; then - rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib." 
- fi - - doinitd "${FILESDIR}"/ipsec - - local dir_ugid - if use non-root; then - fowners ${UGID}:${UGID} \ - /etc/ipsec.conf \ - /etc/strongswan.conf - - dir_ugid="${UGID}" - else - dir_ugid="root" - fi - - diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid} - dodir /etc/ipsec.d \ - /etc/ipsec.d/aacerts \ - /etc/ipsec.d/acerts \ - /etc/ipsec.d/cacerts \ - /etc/ipsec.d/certs \ - /etc/ipsec.d/crls \ - /etc/ipsec.d/ocspcerts \ - /etc/ipsec.d/private \ - /etc/ipsec.d/reqs - - dodoc NEWS README TODO - - # shared libs are used only internally and there are no static libs, - # so it's safe to get rid of the .la files - find "${D}" -name '*.la' -delete || die "Failed to remove .la files." -} - -pkg_preinst() { - has_version "<net-vpn/strongswan-4.3.6-r1" - upgrade_from_leq_4_3_6=$(( !$? )) - - has_version "<net-vpn/strongswan-4.3.6-r1[-caps]" - previous_4_3_6_with_caps=$(( !$? )) -} - -pkg_postinst() { - if ! use openssl && ! use gcrypt; then - elog - elog "${PN} has been compiled without both OpenSSL and libgcrypt support." - elog "Please note that this might effect availability and speed of some" - elog "cryptographic features. You are advised to enable the OpenSSL plugin." - elif ! use openssl; then - elog - elog "${PN} has been compiled without the OpenSSL plugin. This might effect" - elog "availability and speed of some cryptographic features. There will be" - elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21," - elog "25, 26) and ECDSA." - fi - - if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then - chmod 0750 "${ROOT}"/etc/ipsec.d \ - "${ROOT}"/etc/ipsec.d/aacerts \ - "${ROOT}"/etc/ipsec.d/acerts \ - "${ROOT}"/etc/ipsec.d/cacerts \ - "${ROOT}"/etc/ipsec.d/certs \ - "${ROOT}"/etc/ipsec.d/crls \ - "${ROOT}"/etc/ipsec.d/ocspcerts \ - "${ROOT}"/etc/ipsec.d/private \ - "${ROOT}"/etc/ipsec.d/reqs - - ewarn - ewarn "The default permissions for /etc/ipsec.d/* have been tightened for" - ewarn "security reasons. 
Your system installed directories have been" - ewarn "updated accordingly. Please check if necessary." - ewarn - - if [[ $previous_4_3_6_with_caps == 1 ]]; then - if ! use non-root; then - ewarn - ewarn "IMPORTANT: You previously had ${PN} installed without root" - ewarn "privileges because it was implied by the 'caps' USE flag." - ewarn "This has been changed. If you want ${PN} with user privileges," - ewarn "you have to re-emerge it with the 'non-root' USE flag enabled." - ewarn - fi - fi - fi - if ! use caps && ! use non-root; then - ewarn - ewarn "You have decided to run ${PN} with root privileges and built it" - ewarn "without support for POSIX capability dropping. It is generally" - ewarn "strongly suggested that you reconsider- especially if you intend" - ewarn "to run ${PN} as server with a public ip address." - ewarn - ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled." - ewarn - fi - if use non-root; then - elog - elog "${PN} has been installed without superuser privileges (USE=non-root)." - elog "This imposes a few limitations mainly to the daemon 'charon' in" - elog "regards of the use of iptables." - elog - elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges" - elog - elog "Thus if you require to specify a custom updown" - elog "script to charon which requires superuser privileges, you" - elog "can work around this limitation by using sudo to grant the" - elog "user \"ipsec\" the appropriate rights." - elog "For example (the default case):" - elog "/etc/sudoers:" - elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec" - elog "Under the specific connection block in /etc/ipsec.conf:" - elog " leftupdown=\"sudo -E ipsec _updown iptables\"" - elog - fi - elog - elog "Make sure you have _all_ required kernel modules available including" - elog "the appropriate cryptographic algorithms. 
A list is available at:"
- elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
- elog
- elog "The up-to-date manual is available online at:"
- elog " https://wiki.strongswan.org/"
- elog
-}
diff --git a/net-vpn/strongswan/strongswan-6.0.1-r1.ebuild b/net-vpn/strongswan/strongswan-6.0.1-r1.ebuild
deleted file mode 100644
index c23c2cce7067..000000000000
--- a/net-vpn/strongswan/strongswan-6.0.1-r1.ebuild
+++ /dev/null
@@ -1,330 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="8" -inherit linux-info systemd - -DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE" -HOMEPAGE="https://www.strongswan.org/" -SRC_URI="https://download.strongswan.org/${P}.tar.bz2" - -LICENSE="GPL-2 RSA DES" -SLOT="0" -KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~x86" -IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11" - -STRONGSWAN_PLUGINS_STD="aes cmac curve25519 des dnskey drbg eap-radius fips-prf gcm hmac led lookip md5 nonce pem pgp -pkcs1 pkcs7 pkcs8 pkcs12 pubkey random rc2 revocation sha1 sha2 sshkey systime-fix stroke unity vici x509 xcbc" -STRONGSWAN_PLUGINS_OPT_DISABLE="kdf" -STRONGSWAN_PLUGINS_OPT="acert af-alg agent addrblock aesni botan blowfish bypass-lan -ccm chapoly ctr error-notify forecast files gcm ha ipseckey md4 mgf1 ntru newhope -openxpki padlock rdrand save-keys sha3 soup test-vectors unbound whitelist xauth-noauth" - -for mod in $STRONGSWAN_PLUGINS_STD; do - IUSE="${IUSE} +strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -COMMON_DEPEND="non-root? ( - acct-user/ipsec - acct-group/ipsec - ) - dev-libs/glib:2 - gmp? ( >=dev-libs/gmp-4.1.5:= ) - gcrypt? ( dev-libs/libgcrypt:= ) - caps? ( sys-libs/libcap ) - curl? ( net-misc/curl ) - ldap? ( net-nds/openldap:= ) - openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] ) - mysql? ( dev-db/mysql-connector-c:= ) - sqlite? ( >=dev-db/sqlite-3.3.1:3 ) - systemd? ( sys-apps/systemd ) - networkmanager? ( net-misc/networkmanager ) - pam? ( sys-libs/pam ) - strongswan_plugins_botan? ( dev-libs/botan:2= ) - strongswan_plugins_soup? ( net-libs/libsoup:2.4= ) - strongswan_plugins_unbound? 
( net-dns/unbound:= net-libs/ldns:= )" - -DEPEND="${COMMON_DEPEND} - virtual/linux-sources - sys-kernel/linux-headers" - -RDEPEND="${COMMON_DEPEND} - virtual/logger - sys-apps/iproute2 - !net-vpn/libreswan - selinux? ( sec-policy/selinux-ipsec )" - -UGID="ipsec" - -PATCHES=( - "${FILESDIR}"/${PN}-6.0.1-c23.patch -) - -pkg_setup() { - linux-info_pkg_setup - - elog "Linux kernel version: ${KV_FULL}" - - if ! kernel_is -ge 2 6 16; then - eerror - eerror "This ebuild currently only supports ${PN} with the" - eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16." - eerror - fi - - if kernel_is -lt 2 6 34; then - ewarn - ewarn "IMPORTANT KERNEL NOTES: Please read carefully..." - ewarn - - if kernel_is -lt 2 6 29; then - ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to" - ewarn "include all required IPv6 modules even if you just intend" - ewarn "to run on IPv4 only." - ewarn - ewarn "This has been fixed with kernels >= 2.6.29." - ewarn - fi - - if kernel_is -lt 2 6 33; then - ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards" - ewarn "compliant implementation for SHA-2 HMAC support in ESP and" - ewarn "miss SHA384 and SHA512 HMAC support altogether." - ewarn - ewarn "If you need any of those features, please use kernel >= 2.6.33." - ewarn - fi - - if kernel_is -lt 2 6 34; then - ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only" - ewarn "ESP cipher is only included in kernels >= 2.6.34." - ewarn - ewarn "If you need it, please use kernel >= 2.6.34." - ewarn - fi - fi -} - -src_configure() { - local myconf="" - - if use non-root; then - myconf="${myconf} --with-user=${UGID} --with-group=${UGID}" - fi - - # If a user has already enabled db support, those plugins will - # most likely be desired as well. Besides they don't impose new - # dependencies and come at no cost (except for space). 
- if use mysql || use sqlite; then - myconf="${myconf} --enable-attr-sql --enable-sql" - fi - - # strongSwan builds and installs static libs by default which are - # useless to the user (and to strongSwan for that matter) because no - # header files or alike get installed... so disabling them is safe. - if use pam && use eap; then - myconf="${myconf} --enable-eap-gtc" - else - myconf="${myconf} --disable-eap-gtc" - fi - - for mod in $STRONGSWAN_PLUGINS_STD; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - if ! use strongswan_plugins_${mod}; then - myconf+=" --disable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - econf \ - --disable-static \ - --enable-ikev1 \ - --enable-ikev2 \ - --enable-swanctl \ - --enable-socket-dynamic \ - --enable-cmd \ - $(use_enable curl) \ - $(use_enable constraints) \ - $(use_enable ldap) \ - $(use_enable debug leak-detective) \ - $(use_enable dhcp) \ - $(use_enable eap eap-sim) \ - $(use_enable eap eap-sim-file) \ - $(use_enable eap eap-simaka-sql) \ - $(use_enable eap eap-simaka-pseudonym) \ - $(use_enable eap eap-simaka-reauth) \ - $(use_enable eap eap-identity) \ - $(use_enable eap eap-md5) \ - $(use_enable eap eap-aka) \ - $(use_enable eap eap-aka-3gpp2) \ - $(use_enable eap md4) \ - $(use_enable eap eap-mschapv2) \ - $(use_enable eap eap-radius) \ - $(use_enable eap eap-tls) \ - $(use_enable eap eap-ttls) \ - $(use_enable eap xauth-eap) \ - $(use_enable eap eap-dynamic) \ - $(use_enable farp) \ - $(use_enable gmp) \ - $(use_enable gcrypt) \ - $(use_enable mysql) \ - $(use_enable networkmanager nm) \ - $(use_enable openssl) \ - $(use_enable pam xauth-pam) \ - $(use_enable pkcs11) \ - $(use_enable sqlite) \ - $(use_enable systemd) \ - $(use_with caps capabilities libcap) \ - --with-piddir=/run \ - 
--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ - ${myconf} -} - -src_install() { - emake DESTDIR="${D}" install - - if ! use systemd; then - rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib." - fi - - doinitd "${FILESDIR}"/ipsec - - local dir_ugid - if use non-root; then - if [ -f /etc/ipsec.conf ]; then - fowners ${UGID}:${UGID} \ - /etc/ipsec.conf - fi - - fowners ${UGID}:${UGID} \ - /etc/strongswan.conf - - dir_ugid="${UGID}" - else - dir_ugid="root" - fi - - diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid} - dodir /etc/ipsec.d \ - /etc/ipsec.d/aacerts \ - /etc/ipsec.d/acerts \ - /etc/ipsec.d/cacerts \ - /etc/ipsec.d/certs \ - /etc/ipsec.d/crls \ - /etc/ipsec.d/ocspcerts \ - /etc/ipsec.d/private \ - /etc/ipsec.d/reqs - - dodoc NEWS README TODO - - # shared libs are used only internally and there are no static libs, - # so it's safe to get rid of the .la files - find "${D}" -name '*.la' -delete || die "Failed to remove .la files." -} - -pkg_preinst() { - has_version "<net-vpn/strongswan-4.3.6-r1" - upgrade_from_leq_4_3_6=$(( !$? )) - - has_version "<net-vpn/strongswan-4.3.6-r1[-caps]" - previous_4_3_6_with_caps=$(( !$? )) -} - -pkg_postinst() { - if ! use openssl && ! use gcrypt; then - elog - elog "${PN} has been compiled without both OpenSSL and libgcrypt support." - elog "Please note that this might effect availability and speed of some" - elog "cryptographic features. You are advised to enable the OpenSSL plugin." - elif ! use openssl; then - elog - elog "${PN} has been compiled without the OpenSSL plugin. This might effect" - elog "availability and speed of some cryptographic features. There will be" - elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21," - elog "25, 26) and ECDSA." 
- fi - - if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then - chmod 0750 "${ROOT}"/etc/ipsec.d \ - "${ROOT}"/etc/ipsec.d/aacerts \ - "${ROOT}"/etc/ipsec.d/acerts \ - "${ROOT}"/etc/ipsec.d/cacerts \ - "${ROOT}"/etc/ipsec.d/certs \ - "${ROOT}"/etc/ipsec.d/crls \ - "${ROOT}"/etc/ipsec.d/ocspcerts \ - "${ROOT}"/etc/ipsec.d/private \ - "${ROOT}"/etc/ipsec.d/reqs - - ewarn - ewarn "The default permissions for /etc/ipsec.d/* have been tightened for" - ewarn "security reasons. Your system installed directories have been" - ewarn "updated accordingly. Please check if necessary." - ewarn - - if [[ $previous_4_3_6_with_caps == 1 ]]; then - if ! use non-root; then - ewarn - ewarn "IMPORTANT: You previously had ${PN} installed without root" - ewarn "privileges because it was implied by the 'caps' USE flag." - ewarn "This has been changed. If you want ${PN} with user privileges," - ewarn "you have to re-emerge it with the 'non-root' USE flag enabled." - ewarn - fi - fi - fi - if ! use caps && ! use non-root; then - ewarn - ewarn "You have decided to run ${PN} with root privileges and built it" - ewarn "without support for POSIX capability dropping. It is generally" - ewarn "strongly suggested that you reconsider- especially if you intend" - ewarn "to run ${PN} as server with a public ip address." - ewarn - ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled." - ewarn - fi - if use non-root; then - elog - elog "${PN} has been installed without superuser privileges (USE=non-root)." - elog "This imposes a few limitations mainly to the daemon 'charon' in" - elog "regards of the use of iptables." - elog - elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges" - elog - elog "Thus if you require to specify a custom updown" - elog "script to charon which requires superuser privileges, you" - elog "can work around this limitation by using sudo to grant the" - elog "user \"ipsec\" the appropriate rights." 
- elog "For example (the default case):" - elog "/etc/sudoers:" - elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec" - elog "Under the specific connection block in /etc/ipsec.conf:" - elog " leftupdown=\"sudo -E ipsec _updown iptables\"" - elog - fi - elog - elog "Make sure you have _all_ required kernel modules available including" - elog "the appropriate cryptographic algorithms. A list is available at:" - elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules" - elog - elog "The up-to-date manual is available online at:" - elog " https://wiki.strongswan.org/" - elog -} diff --git a/net-vpn/strongswan/strongswan-6.0.1-r2.ebuild b/net-vpn/strongswan/strongswan-6.0.1-r2.ebuild deleted file mode 100644 index 1986e6dc5ab3..000000000000 --- a/net-vpn/strongswan/strongswan-6.0.1-r2.ebuild +++ /dev/null 
@@ -1,330 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="8" -inherit linux-info systemd - -DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE" -HOMEPAGE="https://www.strongswan.org/" -SRC_URI="https://download.strongswan.org/${P}.tar.bz2" - -LICENSE="GPL-2 RSA DES" -SLOT="0" -KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~x86" -IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11" - -STRONGSWAN_PLUGINS_STD="aes cmac curve25519 des dnskey drbg eap-radius fips-prf gcm hmac led lookip md5 nonce pem pgp -pkcs1 pkcs7 pkcs8 pkcs12 pubkey random rc2 revocation sha1 sha2 sshkey systime-fix stroke unity vici x509 xcbc" -STRONGSWAN_PLUGINS_OPT_DISABLE="kdf" -STRONGSWAN_PLUGINS_OPT="acert af-alg agent addrblock aesni botan blowfish bypass-lan -ccm chapoly ctr error-notify forecast files gcm ha ipseckey md4 mgf1 ntru newhope -openxpki padlock rdrand save-keys sha3 soup test-vectors unbound whitelist xauth-noauth" - -for mod in $STRONGSWAN_PLUGINS_STD; do - IUSE="${IUSE} +strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -COMMON_DEPEND="non-root? ( - acct-user/ipsec - acct-group/ipsec - ) - dev-libs/glib:2 - gmp? ( >=dev-libs/gmp-4.1.5:= ) - gcrypt? ( dev-libs/libgcrypt:= ) - caps? ( sys-libs/libcap ) - curl? ( net-misc/curl ) - ldap? ( net-nds/openldap:= ) - openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] ) - mysql? ( dev-db/mysql-connector-c:= ) - sqlite? ( >=dev-db/sqlite-3.3.1:3 ) - systemd? ( sys-apps/systemd ) - networkmanager? ( net-misc/networkmanager ) - pam? ( sys-libs/pam ) - strongswan_plugins_botan? ( dev-libs/botan:2= ) - strongswan_plugins_soup? ( net-libs/libsoup:2.4= ) - strongswan_plugins_unbound? 
( net-dns/unbound:= net-libs/ldns:= )" - -DEPEND="${COMMON_DEPEND} - virtual/linux-sources - sys-kernel/linux-headers" - -RDEPEND="${COMMON_DEPEND} - virtual/logger - sys-apps/iproute2 - !net-vpn/libreswan - selinux? ( sec-policy/selinux-ipsec )" - -UGID="ipsec" - -PATCHES=( - "${FILESDIR}"/${PN}-6.0.1-c23.patch -) - -pkg_setup() { - linux-info_pkg_setup - - elog "Linux kernel version: ${KV_FULL}" - - if ! kernel_is -ge 2 6 16; then - eerror - eerror "This ebuild currently only supports ${PN} with the" - eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16." - eerror - fi - - if kernel_is -lt 2 6 34; then - ewarn - ewarn "IMPORTANT KERNEL NOTES: Please read carefully..." - ewarn - - if kernel_is -lt 2 6 29; then - ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to" - ewarn "include all required IPv6 modules even if you just intend" - ewarn "to run on IPv4 only." - ewarn - ewarn "This has been fixed with kernels >= 2.6.29." - ewarn - fi - - if kernel_is -lt 2 6 33; then - ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards" - ewarn "compliant implementation for SHA-2 HMAC support in ESP and" - ewarn "miss SHA384 and SHA512 HMAC support altogether." - ewarn - ewarn "If you need any of those features, please use kernel >= 2.6.33." - ewarn - fi - - if kernel_is -lt 2 6 34; then - ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only" - ewarn "ESP cipher is only included in kernels >= 2.6.34." - ewarn - ewarn "If you need it, please use kernel >= 2.6.34." - ewarn - fi - fi -} - -src_configure() { - local myconf="" - - if use non-root; then - myconf="${myconf} --with-user=${UGID} --with-group=${UGID}" - fi - - # If a user has already enabled db support, those plugins will - # most likely be desired as well. Besides they don't impose new - # dependencies and come at no cost (except for space). 
- if use mysql || use sqlite; then - myconf="${myconf} --enable-attr-sql --enable-sql" - fi - - # strongSwan builds and installs static libs by default which are - # useless to the user (and to strongSwan for that matter) because no - # header files or alike get installed... so disabling them is safe. - if use pam && use eap; then - myconf="${myconf} --enable-eap-gtc" - else - myconf="${myconf} --disable-eap-gtc" - fi - - for mod in $STRONGSWAN_PLUGINS_STD; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - if ! use strongswan_plugins_${mod}; then - myconf+=" --disable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - econf \ - --disable-static \ - --enable-ikev1 \ - --enable-ikev2 \ - --enable-swanctl \ - --enable-socket-dynamic \ - --enable-cmd \ - $(use_enable curl) \ - $(use_enable constraints) \ - $(use_enable ldap) \ - $(use_enable debug leak-detective) \ - $(use_enable dhcp) \ - $(use_enable eap eap-sim) \ - $(use_enable eap eap-sim-file) \ - $(use_enable eap eap-simaka-sql) \ - $(use_enable eap eap-simaka-pseudonym) \ - $(use_enable eap eap-simaka-reauth) \ - $(use_enable eap eap-identity) \ - $(use_enable eap eap-md5) \ - $(use_enable eap eap-aka) \ - $(use_enable eap eap-aka-3gpp2) \ - $(use_enable eap md4) \ - $(use_enable eap eap-mschapv2) \ - $(use_enable eap eap-radius) \ - $(use_enable eap eap-tls) \ - $(use_enable eap eap-ttls) \ - $(use_enable eap xauth-eap) \ - $(use_enable eap eap-dynamic) \ - $(use_enable farp) \ - $(use_enable gmp) \ - $(use_enable gcrypt) \ - $(use_enable mysql) \ - $(use_enable networkmanager nm) \ - $(use_enable openssl) \ - $(use_enable pam xauth-pam) \ - $(use_enable pkcs11) \ - $(use_enable sqlite) \ - $(use_enable systemd) \ - $(use_with caps capabilities libcap) \ - --with-piddir=/run \ - 
--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ - ${myconf} -} - -src_install() { - emake DESTDIR="${D}" install - - if ! use systemd; then - rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib." - fi - - doinitd "${FILESDIR}"/ipsec - - local dir_ugid - if use non-root && use strongswan_plugins_stroke; then - if [ -f /etc/ipsec.conf ]; then - fowners ${UGID}:${UGID} \ - /etc/ipsec.conf - fi - - fowners ${UGID}:${UGID} \ - /etc/strongswan.conf - - dir_ugid="${UGID}" - else - dir_ugid="root" - fi - - diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid} - dodir /etc/ipsec.d \ - /etc/ipsec.d/aacerts \ - /etc/ipsec.d/acerts \ - /etc/ipsec.d/cacerts \ - /etc/ipsec.d/certs \ - /etc/ipsec.d/crls \ - /etc/ipsec.d/ocspcerts \ - /etc/ipsec.d/private \ - /etc/ipsec.d/reqs - - dodoc NEWS README TODO - - # shared libs are used only internally and there are no static libs, - # so it's safe to get rid of the .la files - find "${D}" -name '*.la' -delete || die "Failed to remove .la files." -} - -pkg_preinst() { - has_version "<net-vpn/strongswan-4.3.6-r1" - upgrade_from_leq_4_3_6=$(( !$? )) - - has_version "<net-vpn/strongswan-4.3.6-r1[-caps]" - previous_4_3_6_with_caps=$(( !$? )) -} - -pkg_postinst() { - if ! use openssl && ! use gcrypt; then - elog - elog "${PN} has been compiled without both OpenSSL and libgcrypt support." - elog "Please note that this might effect availability and speed of some" - elog "cryptographic features. You are advised to enable the OpenSSL plugin." - elif ! use openssl; then - elog - elog "${PN} has been compiled without the OpenSSL plugin. This might effect" - elog "availability and speed of some cryptographic features. There will be" - elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21," - elog "25, 26) and ECDSA." 
- fi - - if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then - chmod 0750 "${ROOT}"/etc/ipsec.d \ - "${ROOT}"/etc/ipsec.d/aacerts \ - "${ROOT}"/etc/ipsec.d/acerts \ - "${ROOT}"/etc/ipsec.d/cacerts \ - "${ROOT}"/etc/ipsec.d/certs \ - "${ROOT}"/etc/ipsec.d/crls \ - "${ROOT}"/etc/ipsec.d/ocspcerts \ - "${ROOT}"/etc/ipsec.d/private \ - "${ROOT}"/etc/ipsec.d/reqs - - ewarn - ewarn "The default permissions for /etc/ipsec.d/* have been tightened for" - ewarn "security reasons. Your system installed directories have been" - ewarn "updated accordingly. Please check if necessary." - ewarn - - if [[ $previous_4_3_6_with_caps == 1 ]]; then - if ! use non-root; then - ewarn - ewarn "IMPORTANT: You previously had ${PN} installed without root" - ewarn "privileges because it was implied by the 'caps' USE flag." - ewarn "This has been changed. If you want ${PN} with user privileges," - ewarn "you have to re-emerge it with the 'non-root' USE flag enabled." - ewarn - fi - fi - fi - if ! use caps && ! use non-root; then - ewarn - ewarn "You have decided to run ${PN} with root privileges and built it" - ewarn "without support for POSIX capability dropping. It is generally" - ewarn "strongly suggested that you reconsider- especially if you intend" - ewarn "to run ${PN} as server with a public ip address." - ewarn - ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled." - ewarn - fi - if use non-root; then - elog - elog "${PN} has been installed without superuser privileges (USE=non-root)." - elog "This imposes a few limitations mainly to the daemon 'charon' in" - elog "regards of the use of iptables." - elog - elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges" - elog - elog "Thus if you require to specify a custom updown" - elog "script to charon which requires superuser privileges, you" - elog "can work around this limitation by using sudo to grant the" - elog "user \"ipsec\" the appropriate rights." 
- elog "For example (the default case):" - elog "/etc/sudoers:" - elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec" - elog "Under the specific connection block in /etc/ipsec.conf:" - elog " leftupdown=\"sudo -E ipsec _updown iptables\"" - elog - fi - elog - elog "Make sure you have _all_ required kernel modules available including" - elog "the appropriate cryptographic algorithms. A list is available at:" - elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules" - elog - elog "The up-to-date manual is available online at:" - elog " https://wiki.strongswan.org/" - elog -} diff --git a/net-vpn/strongswan/strongswan-6.0.1.ebuild b/net-vpn/strongswan/strongswan-6.0.1.ebuild deleted file mode 100644 index 7035e8c77e87..000000000000 --- a/net-vpn/strongswan/strongswan-6.0.1.ebuild +++ /dev/null 
@@ -1,326 +0,0 @@ -# Copyright 1999-2025 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="8" -inherit linux-info systemd - -DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE" -HOMEPAGE="https://www.strongswan.org/" -SRC_URI="https://download.strongswan.org/${P}.tar.bz2" - -LICENSE="GPL-2 RSA DES" -SLOT="0" -KEYWORDS="amd64 arm ~arm64 ~ppc ~ppc64 ~riscv x86" -IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11" - -STRONGSWAN_PLUGINS_STD="aes cmac curve25519 des dnskey drbg eap-radius fips-prf gcm hmac led lookip md5 nonce pem pgp -pkcs1 pkcs7 pkcs8 pkcs12 pubkey random rc2 revocation sha1 sha2 sshkey systime-fix stroke unity vici x509 xcbc" -STRONGSWAN_PLUGINS_OPT_DISABLE="kdf" -STRONGSWAN_PLUGINS_OPT="acert af-alg agent addrblock aesni botan blowfish bypass-lan -ccm chapoly ctr error-notify forecast files gcm ha ipseckey md4 mgf1 ntru newhope -openxpki padlock rdrand save-keys sha3 soup test-vectors unbound whitelist xauth-noauth" - -for mod in $STRONGSWAN_PLUGINS_STD; do - IUSE="${IUSE} +strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -for mod in $STRONGSWAN_PLUGINS_OPT; do - IUSE="${IUSE} strongswan_plugins_${mod}" -done - -COMMON_DEPEND="non-root? ( - acct-user/ipsec - acct-group/ipsec - ) - dev-libs/glib:2 - gmp? ( >=dev-libs/gmp-4.1.5:= ) - gcrypt? ( dev-libs/libgcrypt:= ) - caps? ( sys-libs/libcap ) - curl? ( net-misc/curl ) - ldap? ( net-nds/openldap:= ) - openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] ) - mysql? ( dev-db/mysql-connector-c:= ) - sqlite? ( >=dev-db/sqlite-3.3.1:3 ) - systemd? ( sys-apps/systemd ) - networkmanager? ( net-misc/networkmanager ) - pam? ( sys-libs/pam ) - strongswan_plugins_botan? ( dev-libs/botan:2= ) - strongswan_plugins_soup? ( net-libs/libsoup:2.4= ) - strongswan_plugins_unbound? 
( net-dns/unbound:= net-libs/ldns:= )" - -DEPEND="${COMMON_DEPEND} - virtual/linux-sources - sys-kernel/linux-headers" - -RDEPEND="${COMMON_DEPEND} - virtual/logger - sys-apps/iproute2 - !net-vpn/libreswan - selinux? ( sec-policy/selinux-ipsec )" - -UGID="ipsec" - -pkg_setup() { - linux-info_pkg_setup - - elog "Linux kernel version: ${KV_FULL}" - - if ! kernel_is -ge 2 6 16; then - eerror - eerror "This ebuild currently only supports ${PN} with the" - eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16." - eerror - fi - - if kernel_is -lt 2 6 34; then - ewarn - ewarn "IMPORTANT KERNEL NOTES: Please read carefully..." - ewarn - - if kernel_is -lt 2 6 29; then - ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to" - ewarn "include all required IPv6 modules even if you just intend" - ewarn "to run on IPv4 only." - ewarn - ewarn "This has been fixed with kernels >= 2.6.29." - ewarn - fi - - if kernel_is -lt 2 6 33; then - ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards" - ewarn "compliant implementation for SHA-2 HMAC support in ESP and" - ewarn "miss SHA384 and SHA512 HMAC support altogether." - ewarn - ewarn "If you need any of those features, please use kernel >= 2.6.33." - ewarn - fi - - if kernel_is -lt 2 6 34; then - ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only" - ewarn "ESP cipher is only included in kernels >= 2.6.34." - ewarn - ewarn "If you need it, please use kernel >= 2.6.34." - ewarn - fi - fi -} - -src_configure() { - local myconf="" - - if use non-root; then - myconf="${myconf} --with-user=${UGID} --with-group=${UGID}" - fi - - # If a user has already enabled db support, those plugins will - # most likely be desired as well. Besides they don't impose new - # dependencies and come at no cost (except for space). 
- if use mysql || use sqlite; then - myconf="${myconf} --enable-attr-sql --enable-sql" - fi - - # strongSwan builds and installs static libs by default which are - # useless to the user (and to strongSwan for that matter) because no - # header files or alike get installed... so disabling them is safe. - if use pam && use eap; then - myconf="${myconf} --enable-eap-gtc" - else - myconf="${myconf} --disable-eap-gtc" - fi - - for mod in $STRONGSWAN_PLUGINS_STD; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do - if ! use strongswan_plugins_${mod}; then - myconf+=" --disable-${mod}" - fi - done - - for mod in $STRONGSWAN_PLUGINS_OPT; do - if use strongswan_plugins_${mod}; then - myconf+=" --enable-${mod}" - fi - done - - econf \ - --disable-static \ - --enable-ikev1 \ - --enable-ikev2 \ - --enable-swanctl \ - --enable-socket-dynamic \ - --enable-cmd \ - $(use_enable curl) \ - $(use_enable constraints) \ - $(use_enable ldap) \ - $(use_enable debug leak-detective) \ - $(use_enable dhcp) \ - $(use_enable eap eap-sim) \ - $(use_enable eap eap-sim-file) \ - $(use_enable eap eap-simaka-sql) \ - $(use_enable eap eap-simaka-pseudonym) \ - $(use_enable eap eap-simaka-reauth) \ - $(use_enable eap eap-identity) \ - $(use_enable eap eap-md5) \ - $(use_enable eap eap-aka) \ - $(use_enable eap eap-aka-3gpp2) \ - $(use_enable eap md4) \ - $(use_enable eap eap-mschapv2) \ - $(use_enable eap eap-radius) \ - $(use_enable eap eap-tls) \ - $(use_enable eap eap-ttls) \ - $(use_enable eap xauth-eap) \ - $(use_enable eap eap-dynamic) \ - $(use_enable farp) \ - $(use_enable gmp) \ - $(use_enable gcrypt) \ - $(use_enable mysql) \ - $(use_enable networkmanager nm) \ - $(use_enable openssl) \ - $(use_enable pam xauth-pam) \ - $(use_enable pkcs11) \ - $(use_enable sqlite) \ - $(use_enable systemd) \ - $(use_with caps capabilities libcap) \ - --with-piddir=/run \ - 
--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \ - ${myconf} -} - -src_install() { - emake DESTDIR="${D}" install - - if ! use systemd; then - rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib." - fi - - doinitd "${FILESDIR}"/ipsec - - local dir_ugid - if use non-root; then - if [ -f /etc/ipsec.conf ]; then - fowners ${UGID}:${UGID} \ - /etc/ipsec.conf - fi - - fowners ${UGID}:${UGID} \ - /etc/strongswan.conf - - dir_ugid="${UGID}" - else - dir_ugid="root" - fi - - diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid} - dodir /etc/ipsec.d \ - /etc/ipsec.d/aacerts \ - /etc/ipsec.d/acerts \ - /etc/ipsec.d/cacerts \ - /etc/ipsec.d/certs \ - /etc/ipsec.d/crls \ - /etc/ipsec.d/ocspcerts \ - /etc/ipsec.d/private \ - /etc/ipsec.d/reqs - - dodoc NEWS README TODO - - # shared libs are used only internally and there are no static libs, - # so it's safe to get rid of the .la files - find "${D}" -name '*.la' -delete || die "Failed to remove .la files." -} - -pkg_preinst() { - has_version "<net-vpn/strongswan-4.3.6-r1" - upgrade_from_leq_4_3_6=$(( !$? )) - - has_version "<net-vpn/strongswan-4.3.6-r1[-caps]" - previous_4_3_6_with_caps=$(( !$? )) -} - -pkg_postinst() { - if ! use openssl && ! use gcrypt; then - elog - elog "${PN} has been compiled without both OpenSSL and libgcrypt support." - elog "Please note that this might effect availability and speed of some" - elog "cryptographic features. You are advised to enable the OpenSSL plugin." - elif ! use openssl; then - elog - elog "${PN} has been compiled without the OpenSSL plugin. This might effect" - elog "availability and speed of some cryptographic features. There will be" - elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21," - elog "25, 26) and ECDSA." 
- fi - - if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then - chmod 0750 "${ROOT}"/etc/ipsec.d \ - "${ROOT}"/etc/ipsec.d/aacerts \ - "${ROOT}"/etc/ipsec.d/acerts \ - "${ROOT}"/etc/ipsec.d/cacerts \ - "${ROOT}"/etc/ipsec.d/certs \ - "${ROOT}"/etc/ipsec.d/crls \ - "${ROOT}"/etc/ipsec.d/ocspcerts \ - "${ROOT}"/etc/ipsec.d/private \ - "${ROOT}"/etc/ipsec.d/reqs - - ewarn - ewarn "The default permissions for /etc/ipsec.d/* have been tightened for" - ewarn "security reasons. Your system installed directories have been" - ewarn "updated accordingly. Please check if necessary." - ewarn - - if [[ $previous_4_3_6_with_caps == 1 ]]; then - if ! use non-root; then - ewarn - ewarn "IMPORTANT: You previously had ${PN} installed without root" - ewarn "privileges because it was implied by the 'caps' USE flag." - ewarn "This has been changed. If you want ${PN} with user privileges," - ewarn "you have to re-emerge it with the 'non-root' USE flag enabled." - ewarn - fi - fi - fi - if ! use caps && ! use non-root; then - ewarn - ewarn "You have decided to run ${PN} with root privileges and built it" - ewarn "without support for POSIX capability dropping. It is generally" - ewarn "strongly suggested that you reconsider- especially if you intend" - ewarn "to run ${PN} as server with a public ip address." - ewarn - ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled." - ewarn - fi - if use non-root; then - elog - elog "${PN} has been installed without superuser privileges (USE=non-root)." - elog "This imposes a few limitations mainly to the daemon 'charon' in" - elog "regards of the use of iptables." - elog - elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges" - elog - elog "Thus if you require to specify a custom updown" - elog "script to charon which requires superuser privileges, you" - elog "can work around this limitation by using sudo to grant the" - elog "user \"ipsec\" the appropriate rights." 
- elog "For example (the default case):" - elog "/etc/sudoers:" - elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec" - elog "Under the specific connection block in /etc/ipsec.conf:" - elog " leftupdown=\"sudo -E ipsec _updown iptables\"" - elog - fi - elog - elog "Make sure you have _all_ required kernel modules available including" - elog "the appropriate cryptographic algorithms. A list is available at:" - elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules" - elog - elog "The up-to-date manual is available online at:" - elog " https://wiki.strongswan.org/" - elog -} diff --git a/net-vpn/strongswan/strongswan-6.0.2.ebuild b/net-vpn/strongswan/strongswan-6.0.2.ebuild deleted file mode 100644 index c3320cbe6a17..000000000000 --- a/net-vpn/strongswan/strongswan-6.0.2.ebuild +++ /dev/null 
@@ -1,326 +0,0 @@
-# Copyright 1999-2025 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="8"
-inherit linux-info systemd
-
-DESCRIPTION="IPsec-based VPN solution, supporting IKEv1/IKEv2 and MOBIKE"
-HOMEPAGE="https://www.strongswan.org/"
-SRC_URI="https://download.strongswan.org/${P}.tar.bz2"
-
-LICENSE="GPL-2 RSA DES"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~x86"
-IUSE="+caps curl +constraints debug dhcp eap farp gcrypt +gmp ldap mysql networkmanager +non-root +openssl selinux sqlite systemd pam pkcs11"
-
-STRONGSWAN_PLUGINS_STD="aes cmac curve25519 des dnskey drbg eap-radius fips-prf gcm hmac led lookip md5 nonce pem pgp
-pkcs1 pkcs7 pkcs8 pkcs12 pubkey random rc2 revocation sha1 sha2 sshkey systime-fix stroke unity vici x509 xcbc"
-STRONGSWAN_PLUGINS_OPT_DISABLE="kdf"
-STRONGSWAN_PLUGINS_OPT="acert af-alg agent addrblock aesni botan blowfish bypass-lan
-ccm chapoly ctr error-notify forecast files gcm ha ipseckey md4 mgf1 ntru newhope
-openxpki padlock rdrand save-keys sha3 soup test-vectors unbound whitelist xauth-noauth"
-
-for mod in $STRONGSWAN_PLUGINS_STD; do
- IUSE="${IUSE} +strongswan_plugins_${mod}"
-done
-
-for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do
- IUSE="${IUSE} strongswan_plugins_${mod}"
-done
-
-for mod in $STRONGSWAN_PLUGINS_OPT; do
- IUSE="${IUSE} strongswan_plugins_${mod}"
-done
-
-COMMON_DEPEND="non-root? (
- acct-user/ipsec
- acct-group/ipsec
- )
- dev-libs/glib:2
- gmp? ( >=dev-libs/gmp-4.1.5:= )
- gcrypt? ( dev-libs/libgcrypt:= )
- caps? ( sys-libs/libcap )
- curl? ( net-misc/curl )
- ldap? ( net-nds/openldap:= )
- openssl? ( >=dev-libs/openssl-0.9.8:=[-bindist(-)] )
- mysql? ( dev-db/mysql-connector-c:= )
- sqlite? ( >=dev-db/sqlite-3.3.1:3 )
- systemd? ( sys-apps/systemd )
- networkmanager? ( net-misc/networkmanager )
- pam? ( sys-libs/pam )
- strongswan_plugins_botan? ( dev-libs/botan:2= )
- strongswan_plugins_soup? ( net-libs/libsoup:2.4= )
- strongswan_plugins_unbound? ( net-dns/unbound:= net-libs/ldns:= )"
-
-DEPEND="${COMMON_DEPEND}
- virtual/linux-sources
- sys-kernel/linux-headers"
-
-RDEPEND="${COMMON_DEPEND}
- virtual/logger
- sys-apps/iproute2
- !net-vpn/libreswan
- selinux? ( sec-policy/selinux-ipsec )"
-
-UGID="ipsec"
-
-pkg_setup() {
- linux-info_pkg_setup
-
- elog "Linux kernel version: ${KV_FULL}"
-
- if ! kernel_is -ge 2 6 16; then
- eerror
- eerror "This ebuild currently only supports ${PN} with the"
- eerror "native Linux 2.6 IPsec stack on kernels >= 2.6.16."
- eerror
- fi
-
- if kernel_is -lt 2 6 34; then
- ewarn
- ewarn "IMPORTANT KERNEL NOTES: Please read carefully..."
- ewarn
-
- if kernel_is -lt 2 6 29; then
- ewarn "[ < 2.6.29 ] Due to a missing kernel feature, you have to"
- ewarn "include all required IPv6 modules even if you just intend"
- ewarn "to run on IPv4 only."
- ewarn
- ewarn "This has been fixed with kernels >= 2.6.29."
- ewarn
- fi
-
- if kernel_is -lt 2 6 33; then
- ewarn "[ < 2.6.33 ] Kernels prior to 2.6.33 include a non-standards"
- ewarn "compliant implementation for SHA-2 HMAC support in ESP and"
- ewarn "miss SHA384 and SHA512 HMAC support altogether."
- ewarn
- ewarn "If you need any of those features, please use kernel >= 2.6.33."
- ewarn
- fi
-
- if kernel_is -lt 2 6 34; then
- ewarn "[ < 2.6.34 ] Support for the AES-GMAC authentification-only"
- ewarn "ESP cipher is only included in kernels >= 2.6.34."
- ewarn
- ewarn "If you need it, please use kernel >= 2.6.34."
- ewarn
- fi
- fi
-}
-
-src_configure() {
- local myconf=""
-
- if use non-root; then
- myconf="${myconf} --with-user=${UGID} --with-group=${UGID}"
- fi
-
- # If a user has already enabled db support, those plugins will
- # most likely be desired as well. Besides they don't impose new
- # dependencies and come at no cost (except for space).
- if use mysql || use sqlite; then
- myconf="${myconf} --enable-attr-sql --enable-sql"
- fi
-
- # strongSwan builds and installs static libs by default which are
- # useless to the user (and to strongSwan for that matter) because no
- # header files or alike get installed... so disabling them is safe.
- if use pam && use eap; then
- myconf="${myconf} --enable-eap-gtc"
- else
- myconf="${myconf} --disable-eap-gtc"
- fi
-
- for mod in $STRONGSWAN_PLUGINS_STD; do
- if use strongswan_plugins_${mod}; then
- myconf+=" --enable-${mod}"
- fi
- done
-
- for mod in $STRONGSWAN_PLUGINS_OPT_DISABLE; do
- if ! use strongswan_plugins_${mod}; then
- myconf+=" --disable-${mod}"
- fi
- done
-
- for mod in $STRONGSWAN_PLUGINS_OPT; do
- if use strongswan_plugins_${mod}; then
- myconf+=" --enable-${mod}"
- fi
- done
-
- econf \
- --disable-static \
- --enable-ikev1 \
- --enable-ikev2 \
- --enable-swanctl \
- --enable-socket-dynamic \
- --enable-cmd \
- $(use_enable curl) \
- $(use_enable constraints) \
- $(use_enable ldap) \
- $(use_enable debug leak-detective) \
- $(use_enable dhcp) \
- $(use_enable eap eap-sim) \
- $(use_enable eap eap-sim-file) \
- $(use_enable eap eap-simaka-sql) \
- $(use_enable eap eap-simaka-pseudonym) \
- $(use_enable eap eap-simaka-reauth) \
- $(use_enable eap eap-identity) \
- $(use_enable eap eap-md5) \
- $(use_enable eap eap-aka) \
- $(use_enable eap eap-aka-3gpp2) \
- $(use_enable eap md4) \
- $(use_enable eap eap-mschapv2) \
- $(use_enable eap eap-radius) \
- $(use_enable eap eap-tls) \
- $(use_enable eap eap-ttls) \
- $(use_enable eap xauth-eap) \
- $(use_enable eap eap-dynamic) \
- $(use_enable farp) \
- $(use_enable gmp) \
- $(use_enable gcrypt) \
- $(use_enable mysql) \
- $(use_enable networkmanager nm) \
- $(use_enable openssl) \
- $(use_enable pam xauth-pam) \
- $(use_enable pkcs11) \
- $(use_enable sqlite) \
- $(use_enable systemd) \
- $(use_with caps capabilities libcap) \
- --with-piddir=/run \
- --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
- ${myconf}
-}
-
-src_install() {
- emake DESTDIR="${D}" install
-
- if ! use systemd; then
- rm -rf "${ED}"/lib/systemd || die "Failed removing systemd lib."
- fi
-
- doinitd "${FILESDIR}"/ipsec
-
- local dir_ugid
- if use non-root && use strongswan_plugins_stroke; then
- if [ -f /etc/ipsec.conf ]; then
- fowners ${UGID}:${UGID} \
- /etc/ipsec.conf
- fi
-
- fowners ${UGID}:${UGID} \
- /etc/strongswan.conf
-
- dir_ugid="${UGID}"
- else
- dir_ugid="root"
- fi
-
- diropts -m 0750 -o ${dir_ugid} -g ${dir_ugid}
- dodir /etc/ipsec.d \
- /etc/ipsec.d/aacerts \
- /etc/ipsec.d/acerts \
- /etc/ipsec.d/cacerts \
- /etc/ipsec.d/certs \
- /etc/ipsec.d/crls \
- /etc/ipsec.d/ocspcerts \
- /etc/ipsec.d/private \
- /etc/ipsec.d/reqs
-
- dodoc NEWS README TODO
-
- # shared libs are used only internally and there are no static libs,
- # so it's safe to get rid of the .la files
- find "${D}" -name '*.la' -delete || die "Failed to remove .la files."
-}
-
-pkg_preinst() {
- has_version "<net-vpn/strongswan-4.3.6-r1"
- upgrade_from_leq_4_3_6=$(( !$? ))
-
- has_version "<net-vpn/strongswan-4.3.6-r1[-caps]"
- previous_4_3_6_with_caps=$(( !$? ))
-}
-
-pkg_postinst() {
- if ! use openssl && ! use gcrypt; then
- elog
- elog "${PN} has been compiled without both OpenSSL and libgcrypt support."
- elog "Please note that this might effect availability and speed of some"
- elog "cryptographic features. You are advised to enable the OpenSSL plugin."
- elif ! use openssl; then
- elog
- elog "${PN} has been compiled without the OpenSSL plugin. This might effect"
- elog "availability and speed of some cryptographic features. There will be"
- elog "no support for Elliptic Curve Cryptography (Diffie-Hellman groups 19-21,"
- elog "25, 26) and ECDSA."
- fi
-
- if [[ $upgrade_from_leq_4_3_6 == 1 ]]; then
- chmod 0750 "${ROOT}"/etc/ipsec.d \
- "${ROOT}"/etc/ipsec.d/aacerts \
- "${ROOT}"/etc/ipsec.d/acerts \
- "${ROOT}"/etc/ipsec.d/cacerts \
- "${ROOT}"/etc/ipsec.d/certs \
- "${ROOT}"/etc/ipsec.d/crls \
- "${ROOT}"/etc/ipsec.d/ocspcerts \
- "${ROOT}"/etc/ipsec.d/private \
- "${ROOT}"/etc/ipsec.d/reqs
-
- ewarn
- ewarn "The default permissions for /etc/ipsec.d/* have been tightened for"
- ewarn "security reasons. Your system installed directories have been"
- ewarn "updated accordingly. Please check if necessary."
- ewarn
-
- if [[ $previous_4_3_6_with_caps == 1 ]]; then
- if ! use non-root; then
- ewarn
- ewarn "IMPORTANT: You previously had ${PN} installed without root"
- ewarn "privileges because it was implied by the 'caps' USE flag."
- ewarn "This has been changed. If you want ${PN} with user privileges,"
- ewarn "you have to re-emerge it with the 'non-root' USE flag enabled."
- ewarn
- fi
- fi
- fi
- if ! use caps && ! use non-root; then
- ewarn
- ewarn "You have decided to run ${PN} with root privileges and built it"
- ewarn "without support for POSIX capability dropping. It is generally"
- ewarn "strongly suggested that you reconsider- especially if you intend"
- ewarn "to run ${PN} as server with a public ip address."
- ewarn
- ewarn "You should re-emerge ${PN} with at least the 'caps' USE flag enabled."
- ewarn
- fi
- if use non-root; then
- elog
- elog "${PN} has been installed without superuser privileges (USE=non-root)."
- elog "This imposes a few limitations mainly to the daemon 'charon' in"
- elog "regards of the use of iptables."
- elog
- elog "Please carefully read: http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges"
- elog
- elog "Thus if you require to specify a custom updown"
- elog "script to charon which requires superuser privileges, you"
- elog "can work around this limitation by using sudo to grant the"
- elog "user \"ipsec\" the appropriate rights."
- elog "For example (the default case):"
- elog "/etc/sudoers:"
- elog " ipsec ALL=(ALL) NOPASSWD: SETENV: /usr/sbin/ipsec"
- elog "Under the specific connection block in /etc/ipsec.conf:"
- elog " leftupdown=\"sudo -E ipsec _updown iptables\""
- elog
- fi
- elog
- elog "Make sure you have _all_ required kernel modules available including"
- elog "the appropriate cryptographic algorithms. A list is available at:"
- elog " https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"
- elog
- elog "The up-to-date manual is available online at:"
- elog " https://wiki.strongswan.org/"
- elog
-}
