
Bug 366143

Summary: net-vpn/strongswan ebuild issues/improvements
Product: Gentoo Linux
Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: Current packages
Assignee: Dennis Eisele <kernlpanic>
Status: CONFIRMED
Severity: normal
CC: kuraga333, mrness, patrick, proxy-maint, rndxelement, tobias.pal, ua_gentoo_bugzilla
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-05 21:36:25 UTC
Just dropping here a few notes for which I should be providing an ebuild diff at some point, but I'd prefer having some comments about them first:

openssl[-bindist] dependency: as of 4.5.1 there is OPENSSL_NO_EC to disable elliptic curve support, which allows strongswan to be bindist, so I'd suggest something like this:

 - add a bindist USE flag to strongswan
 - require !bindist? ( openssl[bindist] )
 - use bindist && append-cppflags -DOPENSSL_NO_EC

this way EC is only used if -bindist is set, and you can build against openssl[bindist] just fine.

USE=smartcard and opensc dependency: this looks mostly bogus; strongswan uses a PKCS#11 provider for sure, but you can use a number of alternative software rather than OpenSC, including Mozilla's NSS. You can see the whole mess in my blog posts on the topic:

http://blog.flameeyes.eu/2011/04/13/smartcards-again
http://blog.flameeyes.eu/2011/04/14/additional-notes-about-the-smartcard-components-diagram
http://blog.flameeyes.eu/2011/04/25/network-security-services-nss-and-pkcs-11
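A sketch of how the three points above could look in the ebuild, added here as an illustration and not taken from the real net-vpn/strongswan ebuild. It assumes the ebuild already has a USE=openssl flag, inherits flag-o-matic for append-cppflags and passes --enable-openssl to configure; the !bindist branch depends on openssl[-bindist], which is what "EC is only used if -bindist is set" requires, since a strongswan built without EC can link against either flavour of OpenSSL.

```ebuild
# Added illustration, not the real net-vpn/strongswan ebuild.
# Assumed: USE=openssl already exists, flag-o-matic is available,
# and the >=0.9.8 bound is the one from the existing dependency.
EAPI=4

inherit flag-o-matic

IUSE="bindist openssl"

# USE=bindist: strongswan is built without elliptic curves and can be
# linked against any OpenSSL, including one built with USE=bindist.
# USE=-bindist: the EC code is compiled in, so OpenSSL itself must
# still provide EC, i.e. it must be built with USE=-bindist.
DEPEND="
	openssl? (
		>=dev-libs/openssl-0.9.8
		!bindist? ( >=dev-libs/openssl-0.9.8[-bindist] )
	)
"
RDEPEND="${DEPEND}"

src_configure() {
	# Defining OPENSSL_NO_EC on the command line makes the OpenSSL
	# headers hide the EC API, so strongswan's EC code paths are left
	# out of the binary regardless of how OpenSSL was built.
	if use bindist && use openssl; then
		append-cppflags -DOPENSSL_NO_EC
	fi

	econf $(use_enable openssl)
}
```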
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-06 09:33:14 UTC
The smartcard comment applies to openswan as well.

Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-06 09:34:03 UTC
And I should check better if I'm looking at the latest version of a package next time.

Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2011-05-19 08:06:08 UTC
Wouldn't it be colliding with this?

openssl? ( >=dev-libs/openssl-0.9.8[-bindist] )

Also, how would you suggest changing the smartcard part?

Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-05-27 21:05:35 UTC
The idea is to replace the openssl[-bindist] requirement so that you can use a binary version of OpenSSL just fine, and at the same time you can build a binary redistributable version of strongswan (that does not require or employ the Elliptic Curve feature).

As for the smartcard issue, I'm not sure. Maybe we could use a virtual/pkcs11, but I'm not really sure if it makes sense; I'd probably just replace the smartcard USE flag with pkcs11 to enable/disable the use of the PKCS#11 API. The USE flag is already common:

/media/repos/portage/yamato/profiles/use.local.desc:app-crypt/tpm-tools:pkcs11 - Build Token data management utilities based on OpenCryptoki's (dev-libs/opencryptoki) PKCS#11 implementation.
/media/repos/portage/yamato/profiles/use.local.desc:net-libs/neon:pkcs11 - Add support for PKCS#11 using dev-libs/pakchois
/media/repos/portage/yamato/profiles/use.local.desc:net-misc/openvpn:pkcs11 - Enable PKCS#11 smartcard support
/media/repos/portage/yamato/profiles/use.local.desc:sys-fs/ecryptfs-utils:pkcs11 - Enable PKCS#11 (Smartcards) key module