# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

# systemd: systemd_get_systemunitdir; flag-o-matic: append-cflags;
# toolchain-funcs: tc-export; tmpfiles: tmpfiles_process (pkg_postinst).
inherit systemd flag-o-matic toolchain-funcs tmpfiles

DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
HOMEPAGE="https://libreswan.org/"
SRC_URI="https://download.libreswan.org/${P}.tar.gz"

LICENSE="GPL-2 BSD-4 RSA DES"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~x86"
# ikev1 is on by default; selinux drives both labeled IPsec and Linux audit
# support in src_configure.
IUSE="caps curl dnssec +ikev1 ldap networkmanager pam seccomp selinux systemd test"
# Skip the test phase unless USE=test (src_test is a no-op regardless).
RESTRICT="!test? ( test )"

DEPEND="
	dev-libs/gmp:0=
	dev-libs/libevent:0=
	dev-libs/nspr
	>=dev-libs/nss-3.42
	>=sys-kernel/linux-headers-4.19
	virtual/libcrypt:=
	caps? ( sys-libs/libcap-ng )
	curl? ( net-misc/curl )
	dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns:= net-dns/dnssec-root )
	ldap? ( net-nds/openldap:= )
	pam? ( sys-libs/pam )
	seccomp? ( sys-libs/libseccomp )
	selinux? ( sys-libs/libselinux )
	systemd? ( sys-apps/systemd:0= )
"
# Build-host tools: xmlto/docbook for the man pages, bison/flex for the parsers.
BDEPEND="
	app-text/docbook-xml-dtd:4.1.2
	app-text/xmlto
	dev-libs/nss
	sys-devel/bison
	sys-devel/flex
	virtual/pkgconfig
	test? ( dev-python/setproctitle )
"
# Runtime additionally needs the NSS CLI tools (certutil is run from
# pkg_postinst) and iproute2; strongswan is blocked, presumably because
# both packages install conflicting files.
RDEPEND="${DEPEND}
	dev-libs/nss[utils(+)]
	sys-apps/iproute2
	!net-vpn/strongswan
	selinux? ( sec-policy/selinux-ipsec )
"
# Appended after RDEPEND was derived from DEPEND, so this stays build-time only.
DEPEND+=" elibc_musl? ( sys-libs/queue-standalone )"

# Print "true" or "false" depending on whether USE flag $1 is enabled.
# The upstream build system reads its USE_* knobs as literal true/false.
usetf() {
	local flag=$1
	usex "${flag}" true false
}

# Adjust upstream's init-system files before the default patch/prepare step.
src_prepare() {
	# Gentoo's OpenRC interpreter is /sbin/openrc-run, not the old runscript name.
	sed -e 's:/sbin/runscript:/sbin/openrc-run:' -i initsystems/openrc/ipsec.init.in || die

	# Drop the postcheck/oldinitdcheck hooks from upstream's systemd install
	# target; they are not wanted when installing into ${D}.
	local -a strip_checks=(
		-e '/^install/ s/postcheck//'
		-e '/^doinstall/ s/oldinitdcheck//'
	)
	sed "${strip_checks[@]}" -i initsystems/systemd/Makefile || die

	default
}

# Upstream has no ./configure; its make reads everything from the environment.
# The knobs are exported (not passed as emake arguments) so that both
# src_compile and src_install see the same configuration.
src_configure() {
	# Put the configured toolchain's AR/CC into the environment for make.
	tc-export AR CC

	# Presumably avoids glibc/kernel header clashes on musl — TODO confirm upstream meaning.
	use elibc_musl && append-cflags -DGLIBC_KERN_FLIP_HEADERS

	export PREFIX=/usr
	export DEFAULT_DNSSEC_ROOTKEY_FILE=/etc/dnssec/icannbundle.pem
	# Sample configuration goes to the doc dir rather than /etc.
	export EXAMPLE_IPSEC_SYSCONFDIR=/usr/share/doc/${PF}
	export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
	export INITSYSTEM=$(usex systemd systemd openrc)
	export INITDDIRS=
	export INITDDIR_DEFAULT=/etc/init.d
	# User CFLAGS/LDFLAGS (after append-cflags above) are what upstream appends.
	export USERCOMPILE=${CFLAGS}
	export USERLINK=${LDFLAGS}
	export USE_DNSSEC=$(usetf dnssec)
	export USE_IKEV1=$(usetf ikev1)
	# Both labeled IPsec and Linux audit are keyed off USE=selinux.
	export USE_LABELED_IPSEC=$(usetf selinux)
	export USE_LIBCAP_NG=$(usetf caps)
	export USE_LIBCURL=$(usetf curl)
	export USE_LINUX_AUDIT=$(usetf selinux)
	export USE_LDAP=$(usetf ldap)
	export USE_NM=$(usetf networkmanager)
	export USE_SECCOMP=$(usetf seccomp)
	export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
	# Watchdog interval in seconds; 0 disables it without systemd.
	export SD_WATCHDOGSEC=$(usex systemd 200 0)
	export USE_AUTHPAM=$(usetf pam)
	# Clear upstream's own debug/optimisation/-Werror additions so the user's
	# CFLAGS govern and a new compiler warning cannot break the build.
	export DEBUG_CFLAGS=
	export OPTIMIZE_CFLAGS=
	export WERROR_CFLAGS=
}

# Build the daemon/tools, then the systemd units and tmpfiles fragment.
src_compile() {
	emake all

	# INITSYSTEM=systemd is forced here regardless of USE=systemd (overriding the
	# value exported in src_configure), so the unit files are always generated.
	local -a initsystems_opts=(
		INITSYSTEM=systemd
		SYSTEMUNITDIR="$(systemd_get_systemunitdir)"
		SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d"
	)
	emake -C initsystems "${initsystems_opts[@]}" all
}

# Upstream's test suite consists only of integration tests that need a set of
# KVM guests, so there is nothing runnable in the build sandbox.
src_test() {
	return 0
}

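# Install via upstream's make, then the systemd pieces, secrets file and NSS dir.
src_install() {
	default

	# Same initsystems invocation as src_compile, now with DESTDIR so the unit
	# files and tmpfiles fragment land in the image.
	emake -C initsystems \
		INITSYSTEM=systemd \
		SYSTEMUNITDIR="$(systemd_get_systemunitdir)" \
		SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" \
		DESTDIR="${D}" \
		install

	# Pre-shared keys live in drop-in files under /etc/ipsec.d; the top-level
	# file only includes them and is root-only (0600) since it can hold secrets.
	# A failed redirect (missing directory, full disk) must not go unnoticed.
	echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets || die "failed to write /etc/ipsec.secrets"
	fperms 0600 /etc/ipsec.secrets

	# NSS certificate/key database directory (populated by pkg_postinst),
	# readable only by root.
	keepdir /var/lib/ipsec/nss
	fperms 0700 /var/lib/ipsec/nss

	dodoc -r docs

	# Prune empty directories left by upstream's install target; the keepdir
	# above placed a .keep file, so the NSS directory survives this.
	find "${D}" -type d -empty -delete || die
}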

# Create runtime dirs from the tmpfiles fragment and initialise the NSS
# database on first install.
pkg_postinst() {
	tmpfiles_process libreswan.conf

	local nssdir=${ROOT}/var/lib/ipsec/nss

	# Initialise only once: an existing database (cert8.db, legacy dbm format,
	# or cert9.db, sql format) is left alone so keys survive upgrades.
	if [[ -f ${nssdir}/cert8.db || -f ${nssdir}/cert9.db ]] ; then
		return 0
	fi

	# An empty password lets the daemon open the DB non-interactively; the
	# directory itself is 0700 (src_install).
	ebegin "Setting up NSS database in ${nssdir} with empty password"
	certutil -N -d "${nssdir}" --empty-password
	eend $?
	einfo "To set a password: certutil -W -d sql:${nssdir}"
}