Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 366143 - net-vpn/strongswan ebuild issues/improvements
Summary: net-vpn/strongswan ebuild issues/improvements
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Dennis Eisele
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-05 21:36 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2023-11-24 16:34 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-05 21:36:25 UTC 
Just dropping here a few notes for which I should be providing an ebuild diff at some point, but I'd prefer having some comments about them first:

openssl[-bindist] dependency: as of 4.5.1 there is OPENSSL_NO_EC to disable elliptic curve support, which allows strongswan to be bindist, so I'd suggest something like this:

 - add a bindist USE flag to strongswan
 - require !bindist? ( openssl[bindist] )
 - use bindist && append-cppflags -DOPENSSL_NO_EC

this way EC is only used if -bindist is set, and you can build against openssl[bindist just fine].

USE=smartcard and opensc dependency: this looks mostly bogus; strongswan uses a PKCS#11 provider for sure, but you can use a number of alternative software rather than OpenSC, including Mozilla's NSS. You can see the whole mess in my blog posts on the topic:

http://blog.flameeyes.eu/2011/04/13/smartcards-again
http://blog.flameeyes.eu/2011/04/14/additional-notes-about-the-smartcard-components-diagram
http://blog.flameeyes.eu/2011/04/25/network-security-services-nss-and-pkcs-11
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-06 09:33:14 UTC 
The smartcard comment applies to openswan as well.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-06 09:34:03 UTC 
And I should check better if I'm looking at the latest version of a package next time.
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2011-05-19 08:06:08 UTC 
Wouldn't it be colliding with this?

openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )

Also, how would you suggest changing the smartcard part?
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-27 21:05:35 UTC 
The idea is to replace the openssl[-bindist] requirement so that you can use a binary version of OpenSSL just fine, and at the same time you can build a binary redistributable version of strongswan (that does not require or employ the Elliptic Curve feature).

As for the smartcard issue, I'm not sure. Maybe we could use a virtual/pkcs11 but I'm not really sure if it makes sense; I'd probably just replace smartcard USE flag with pkcs11 to enable/disable the use of PKCS#11 API, USE flag is already common:

/media/repos/portage/yamato/profiles/use.local.desc:app-crypt/tpm-tools:pkcs11 - Build Token data management utilities based on OpenCryptoki's (dev-libs/opencryptoki) PKCS#11 implementation.
/media/repos/portage/yamato/profiles/use.local.desc:net-libs/neon:pkcs11 - Add support for PKCS#11 using dev-libs/pakchois
/media/repos/portage/yamato/profiles/use.local.desc:net-misc/openvpn:pkcs11 - Enable PKCS#11 smartcard support
/media/repos/portage/yamato/profiles/use.local.desc:sys-fs/ecryptfs-utils:pkcs11 - Enable PKCS#11 (Smartcards) key module