gentoo resync : 16.06.2019

8 files changed, 461 insertions, 2 deletions

diff --git a/net-vpn/Manifest.gz b/net-vpn/Manifest.gz
index a18d13b2ccba..f0170ef3c7d1 100644
--- a/net-vpn/Manifest.gz
+++ b/net-vpn/Manifest.gz
diff --git a/net-vpn/libreswan/Manifest b/net-vpn/libreswan/Manifest
index c94ccf7ca756..934c8fb9c46e 100644
--- a/net-vpn/libreswan/Manifest
+++ b/net-vpn/libreswan/Manifest
@@ -1,6 +1,11 @@
+AUX libreswan-3.28-barf-syntax.patch 732 BLAKE2B 1d98339ca0b63ad4dfd7c14e01464e21f7101de9c551b9aff64d58066a6a44528a5d664e4a900f0ca671146a5c550f37f440a8c731fc4f636fae2210b2a86317 SHA512 a20386e9d8e63b7824ebce5d48b0247e453937e00a8704f5b22c40da57e72ae81c2bbf511a9fdef99671ce0afc64d8faeb27a4533182d840779efccc726c4702
+AUX libreswan-3.28-xfrm-detection.patch 7504 BLAKE2B f02c79dedfef07b8ae06b5d5106639095f4a74506ffc0d1f06e8c8b70d447a94adfac1f8ae0c90257d22aabb401e5444dc94aae790df3b7c8cc303d58b08d12d SHA512 27b333a1481f58f1e7b38729c46eb13e51c4d7faeddfffe5eb632da30d5ef134ac81cca4a761e18912dcdfe71761a5e30cfc78939353fb74cb875a6516f9a3a1
 DIST libreswan-3.27.tar.gz 3720103 BLAKE2B 51ee792cd3fb8330a9cfee0b1a27e48c9a8c8fd3346e8c06fe0a911c813c400ef62d68b1d06bb849695aad5f4d5a496dc444b2543aa9ffbc59d373081c0b85e5 SHA512 b92ecfd08b9d19dc801032176eff3dd07f625223d4f0dd07ff10f639644573430a55f7aebfcc8b9d2424e194ca9d06b17ad5a13dad5dc6f659d19bc5d32520f5
 DIST libreswan-3.28.tar.gz 3842828 BLAKE2B 7e78f3c6d1d6a22a64f1316bb63366823ce763a3eb236e2cd64dc7f3fa9a84caff7a31cb65a6583521280e5ee84ac220c1770d230ba0b7098a1582613751c456 SHA512 aeb3ea723f2ca10098f2626172166cddea59b3bc084f0fefc823fd784d8986b12adc5a5b0965f2c7ecdfff5ac8029a922b8357debf79ff43605783d80e144983
+DIST libreswan-3.29.tar.gz 3848730 BLAKE2B 32dc839186fb511534a4959014082f8efe27708da7bc09dc5977532ffc7ea0ccdc92407932b3c3166f14b9ff85933e9a3f76325bbe620e09a5fa5a5c496d1f44 SHA512 4b4d91204d8b1724e0a9ad3ed55fc232c9a526211c3b47b6cc33fd160feb72538ef1661becca250bde815b9d7b75709bf16c7b372476605557b47c785cdf2535
 EBUILD libreswan-3.27-r1.ebuild 2939 BLAKE2B bbceef07aaefbf8323a2342bf8479ae47ef9824581095d065a5d61ffc9e3c6434f8217b88221c421f2d1f377cf8f50c3e31661b7627abbc81a51ad7e2fc9a759 SHA512 6de7bbf1962589cfd1b4cdb4d9b3db2fec2d997a5e7c46dbfd35330521a3c42915adf36a6214736da5173f851fd3f659f89d23782a197d72a5d33be29e42b093
 EBUILD libreswan-3.27.ebuild 2811 BLAKE2B 04ac4dc887783fcadd8aaa444ec59c71b9221b4f968d6ab13305866d26f5025208c806307b63874607de8617ad64e69fce54b7a08d3e958b20e5331531048f94 SHA512 e3b7a8b50f17f426cdab73fc237ef555e8d0d89d06546a60d0c38d01001620e9b03ec4e8e933aa587561019057aa71ee80250b8c3ae6aac502a93e5c6a5cd77b
+EBUILD libreswan-3.28-r1.ebuild 3131 BLAKE2B f767654d1f1559f19eee212bc8d014341ce626578b6a6e50390867d0fc30b40a415643c3026b0da77275528b67b5a48ca8708f8a4c21f0542ed1cffc9ea191e7 SHA512 091be1b1c399bd0e215eb162c0bbc4e670624847f0b5c3ca91536c1539a7e269cd58ecdf9f99e1cebc2b3ed6fc64a2ce2f5b5191d88adb26197c8470399cff9e
 EBUILD libreswan-3.28.ebuild 3034 BLAKE2B a6090d25ece09914c2e19fd9053723da4194ade3fa81672bd76298ef9b384d03afe8d34d70d8ba4a49c8e8a381e57df7bab1fd81fc7ad8af0db94fca3bcec6ca SHA512 301339b30907e081873f2170308d5f1baa96bea8ae3a216209d78f26aece50dd8c6d4959bdb1ac0b1c8705180ee35298258ad900108160b8b14e6b3730f82760
+EBUILD libreswan-3.29.ebuild 3034 BLAKE2B a6090d25ece09914c2e19fd9053723da4194ade3fa81672bd76298ef9b384d03afe8d34d70d8ba4a49c8e8a381e57df7bab1fd81fc7ad8af0db94fca3bcec6ca SHA512 301339b30907e081873f2170308d5f1baa96bea8ae3a216209d78f26aece50dd8c6d4959bdb1ac0b1c8705180ee35298258ad900108160b8b14e6b3730f82760
 MISC metadata.xml 319 BLAKE2B 6bae0756e29efeb1cf77d60f7e38fe62ffa5f24c3745e07900e6ef5f65194c50f6a479d97fdcc24804ccdcfefd9707b12f08dffe613fcf798afc421826de36e4 SHA512 924161f15c0f7a9666a6d7a422b45da679190e1a0f2859b997ddd753cbf49df9da337e5420040210736f76fa712dca3ec8862480f62bd321de71e74bee7c0865
diff --git a/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch b/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch
new file mode 100644
index 000000000000..69786bba99f0
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.28-barf-syntax.patch
@@ -0,0 +1,23 @@
+From 8c3ba6a5f73ae64aa5171252f54c15d65c9930db Mon Sep 17 00:00:00 2001
+From: Tuomo Soini <tis@foobar.fi>
+Date: Fri, 24 May 2019 19:19:12 +0300
+Subject: [PATCH] barf: fix syntax error caused by removing pfkey checks
+
+Fixes problem introduced in beccfe9f7a40816a9ec663e4076ff051bf4c91cb
+---
+ programs/barf/barf.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index fce05994cf..9cb92ffc58 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -170,6 +170,8 @@ if test -r /proc/net/ipsec_tncfg
+ then
+ 	cat /proc/net/ipsec_tncfg
+ fi
++if test -r /proc/net/xfrm_stat
++then
+ _________________________ ip-xfrm-state
+ 	ip xfrm state
+ _________________________ ip-xfrm-policy
diff --git a/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch b/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch
new file mode 100644
index 000000000000..7cda675af776
--- /dev/null
+++ b/net-vpn/libreswan/files/libreswan-3.28-xfrm-detection.patch
@@ -0,0 +1,200 @@
+From 716f4b712724c6698469563e531dea3667507ceb Mon Sep 17 00:00:00 2001
+From: Paul Wouters <pwouters@redhat.com>
+Date: Tue, 28 May 2019 00:24:30 -0400
+Subject: [PATCH] programs: Change to use /proc/sys/net/core/xfrm_acq_expires
+ to detect XFRM
+
+Apparently, not all kernels with XFRM support also enable support for
+CONFIG_XFRM_STATISTICS, causing XFRM auto-detection to fail.
+
+This affected openwrt and also some other distribution/custom kernels.
+---
+ programs/_realsetup.bsd/_realsetup.in   | 2 +-
+ programs/_stackmanager/_stackmanager.in | 2 +-
+ programs/barf/barf.in                   | 6 +++---
+ programs/eroute/eroute.c                | 2 +-
+ programs/ipsec/ipsec.in                 | 2 +-
+ programs/look/look.in                   | 2 +-
+ programs/pluto/kernel.c                 | 2 +-
+ programs/setup/setup.in                 | 2 +-
+ programs/spi/spi.c                      | 2 +-
+ programs/spigrp/spigrp.c                | 2 +-
+ programs/tncfg/tncfg.c                  | 2 +-
+ programs/verify/verify.in               | 2 +-
+ 12 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/programs/_realsetup.bsd/_realsetup.in b/programs/_realsetup.bsd/_realsetup.in
+index 91cca98ac8..4a783772f6 100755
+--- a/programs/_realsetup.bsd/_realsetup.in
++++ b/programs/_realsetup.bsd/_realsetup.in
+@@ -28,7 +28,7 @@ plutoctl=/var/run/pluto/pluto.ctl
+ subsyslock=/var/lock/subsys/ipsec
+ lock=/var/run/pluto/ipsec_setup.pid
+ 
+-xfrm_stat=/proc/net/xfrm_stat
++xfrm_stat=/proc/sys/net/core/xfrm_acq_expires
+ 
+ # defaults for "config setup" items
+ IPSECuniqueids=${IPSECuniqueids:-yes}
+diff --git a/programs/_stackmanager/_stackmanager.in b/programs/_stackmanager/_stackmanager.in
+index 4d41c5ad51..21616a31c9 100644
+--- a/programs/_stackmanager/_stackmanager.in
++++ b/programs/_stackmanager/_stackmanager.in
+@@ -29,7 +29,7 @@ eval $(ASAN_OPTIONS=detect_leaks=0 ipsec addconn  --configsetup | grep -v "#" |
+ test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
+ MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@"
+ 
+-xfrm_stat=/proc/net/xfrm_stat
++xfrm_stat=/proc/sys/net/core/xfrm_acq_expires
+ klipsstack=/proc/net/ipsec/version
+ action="${1}"
+ 
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index 17f830d4a3..15eb252f11 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -174,14 +174,13 @@ _________________________ /proc/net/ipsec_tncfg
+ if test -r /proc/net/ipsec_tncfg
+ then
+     cat /proc/net/ipsec_tncfg
+ fi
+-if test -r /proc/net/xfrm_stat
+-then
++if [ -r /proc/sys/net/core/xfrm_acq_expires ]; then
+ _________________________ ip-xfrm-state
+     ip xfrm state
+ _________________________ ip-xfrm-policy
+     ip xfrm policy
+-_________________________ ip-xfrm-stats
++_________________________ cat-proc-net-xfrm_stat
+     cat /proc/net/xfrm_stat
+ fi
+ _________________________ ip-l2tp-tunnel
+@@ -283,9 +283,8 @@ _________________________ /proc/net/ipsec_version
+ if test -r /proc/net/ipsec_version
+ then
+     cat /proc/net/ipsec_version
+ else
+-    if test -r /proc/net/xfrm_stat
+-    then
++    if [ -r /proc/sys/net/core/xfrm_acq_expires ]; then
+ 	echo "NETKEY (`uname -r`) support detected "
+     else
+ 	echo "no KLIPS or NETKEY support detected"
+diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c
+index c33234c194..6f058d9232 100644
+--- a/programs/eroute/eroute.c
++++ b/programs/eroute/eroute.c
+@@ -495,7 +495,7 @@ int main(int argc, char **argv)
+ 	if (argcount == 1) {
+ 		struct stat sts;
+ 
+-		if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++		if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ 			fprintf(stderr,
+ 				"%s: NETKEY does not support eroute table.\n",
+ 				progname);
+diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
+index 401a596628..06bec21632 100755
+--- a/programs/ipsec/ipsec.in
++++ b/programs/ipsec/ipsec.in
+@@ -61,7 +61,7 @@ fixversion() {
+ 	stack=" (klips)"
+ 	kv="$(awk '{print $NF}' /proc/net/ipsec_version)"
+     else
+-	if [ -f /proc/net/xfrm_stat ]; then
++	if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then
+ 	    stack=" (netkey)"
+ 	    kv="${version}"
+ 	else
+diff --git a/programs/look/look.in b/programs/look/look.in
+index bb55e8eda2..192856c630 100755
+--- a/programs/look/look.in
++++ b/programs/look/look.in
+@@ -72,7 +72,7 @@ if [ -f /proc/net/ipsec_spi ]; then
+ fi
+ 
+ # xfrm
+-if [ -f /proc/net/xfrm_stat ]; then
++if [ -f /proc/sys/net/core/xfrm_acq_expires ]; then
+     echo "XFRM state:"
+     ip xfrm state
+     echo "XFRM policy:"
+diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
+index 39b1e32389..5c71c04af3 100644
+--- a/programs/pluto/kernel.c
++++ b/programs/pluto/kernel.c
+@@ -2666,7 +2666,7 @@ void init_kernel(void)
+ 	switch (kern_interface) {
+ #if defined(NETKEY_SUPPORT)
+ 	case USE_NETKEY:
+-		if (stat("/proc/net/xfrm_stat", &buf) != 0) {
++		if (stat("/proc/sys/net/core/xfrm_acq_expires", &buf) != 0) {
+ 			libreswan_log("No XFRM kernel interface detected");
+ 			exit_pluto(PLUTO_EXIT_KERNEL_FAIL);
+ 		}
+diff --git a/programs/setup/setup.in b/programs/setup/setup.in
+index 8c28b0e157..1933089459 100755
+--- a/programs/setup/setup.in
++++ b/programs/setup/setup.in
+@@ -110,7 +110,7 @@ case "$1" in
+ 
+ 	# If stack is non-modular, we want to force clean too
+ 	[ -f /proc/net/pf_key ] && ipsec eroute --clear
+-	[ -f /proc/net/xfrm_stat ] && ip xfrm state flush && ip xfrm policy flush
++	[ -f /proc/sys/net/core/xfrm_acq_expires ] && ip xfrm state flush && ip xfrm policy flush
+ 
+ 	# Cleaning up backup resolv.conf
+ 	if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
+diff --git a/programs/spi/spi.c b/programs/spi/spi.c
+index c45fe6a517..742898a86f 100644
+--- a/programs/spi/spi.c
++++ b/programs/spi/spi.c
+@@ -1135,7 +1135,7 @@ int main(int argc, char *argv[])
+ 			progname);
+ 	}
+ 
+-	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++	if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ 		fprintf(stderr,
+ 			"%s: XFRM does not use the ipsec spi command. Use 'ip xfrm' instead.\n",
+ 			progname);
+diff --git a/programs/spigrp/spigrp.c b/programs/spigrp/spigrp.c
+index 79d6c50e5e..fe0942325d 100644
+--- a/programs/spigrp/spigrp.c
++++ b/programs/spigrp/spigrp.c
+@@ -151,7 +151,7 @@ int main(int argc, char **argv)
+ 	if (debug)
+ 		fprintf(stdout, "...After check for --label option.\n");
+ 
+-	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++	if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ 		fprintf(stderr,
+ 			"%s: XFRM does not use the ipsec spigrp command. Use 'ip xfrm' instead.\n",
+ 			progname);
+diff --git a/programs/tncfg/tncfg.c b/programs/tncfg/tncfg.c
+index 55de83b1ef..5a9f2e9aee 100644
+--- a/programs/tncfg/tncfg.c
++++ b/programs/tncfg/tncfg.c
+@@ -259,7 +259,7 @@ int main(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	if (stat("/proc/net/xfrm_stat", &sts) == 0) {
++	if (stat("/proc/sys/net/core/xfrm_acq_expires", &sts) == 0) {
+ 		fprintf(stderr,
+ 			"%s: XFRM does not support virtual interfaces.\n",
+ 			progname);
+diff --git a/programs/verify/verify.in b/programs/verify/verify.in
+index 9321631931..81ae1d32fe 100755
+--- a/programs/verify/verify.in
++++ b/programs/verify/verify.in
+@@ -223,7 +223,7 @@ def installstartcheck():
+ 		print_result("FAIL","FAILED")
+ 
+ 	printfun("Checking for IPsec support in kernel")
+-	if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/net/xfrm_stat"):
++	if not os.path.isfile("/proc/net/ipsec_eroute") and not os.path.isfile("/proc/sys/net/core/xfrm_acq_expires"):
+ 		print_result("FAIL","FAILED")
+ 		if "no kernel code presently loaded" in output:
+ 			print("\n The ipsec service should be started before running 'ipsec verify'\n")
diff --git a/net-vpn/libreswan/libreswan-3.28-r1.ebuild b/net-vpn/libreswan/libreswan-3.28-r1.ebuild
new file mode 100644
index 000000000000..ee813e6e8443
--- /dev/null
+++ b/net-vpn/libreswan/libreswan-3.28-r1.ebuild
@@ -0,0 +1,117 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs
+
+SRC_URI="https://download.libreswan.org/${P}.tar.gz"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
+HOMEPAGE="https://libreswan.org/"
+
+LICENSE="GPL-2 BSD-4 RSA DES"
+SLOT="0"
+IUSE="caps curl dnssec ldap pam seccomp selinux systemd test"
+
+DEPEND="
+	dev-libs/gmp:0=
+	dev-libs/libevent:0=
+	dev-libs/nspr
+	>=dev-libs/nss-3.42
+	caps? ( sys-libs/libcap-ng )
+	curl? ( net-misc/curl )
+	dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns )
+	ldap? ( net-nds/openldap )
+	pam? ( sys-libs/pam )
+	seccomp? ( sys-libs/libseccomp )
+	selinux? ( sys-libs/libselinux )
+	systemd? ( sys-apps/systemd:0= )
+"
+BDEPEND="
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/xmlto
+	dev-libs/nss
+	sys-devel/bison
+	sys-devel/flex
+	virtual/pkgconfig
+	test? ( dev-python/setproctitle )
+"
+RDEPEND="${DEPEND}
+	dev-libs/nss[utils(+)]
+	sys-apps/iproute2
+	!net-misc/openswan
+	!net-vpn/strongswan
+	selinux? ( sec-policy/selinux-ipsec )
+"
+
+usetf() {
+	usex "$1" true false
+}
+
+src_prepare() {
+	eapply "${FILESDIR}/${P}-barf-syntax.patch"
+	eapply -l "${FILESDIR}/${P}-xfrm-detection.patch"
+
+	sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
+	sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
+	default
+}
+
+src_configure() {
+	tc-export AR CC
+	export INC_USRLOCAL=/usr
+	export INC_MANDIR=share/man
+	export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
+	export FINALDOCDIR=/usr/share/doc/${PF}/html
+	export INITSYSTEM=openrc
+	export INC_RCDIRS=
+	export INC_RCDEFAULT=/etc/init.d
+	export USERCOMPILE=
+	export USERLINK=
+	export USE_DNSSEC=$(usetf dnssec)
+	export USE_LABELED_IPSEC=$(usetf selinux)
+	export USE_LIBCAP_NG=$(usetf caps)
+	export USE_LIBCURL=$(usetf curl)
+	export USE_LINUX_AUDIT=$(usetf selinux)
+	export USE_LDAP=$(usetf ldap)
+	export USE_SECCOMP=$(usetf seccomp)
+	export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
+	export SD_WATCHDOGSEC=$(usex systemd 200 0)
+	export USE_XAUTHPAM=$(usetf pam)
+	export DEBUG_CFLAGS=
+	export OPTIMIZE_CFLAGS=
+	export WERROR_CFLAGS=
+}
+
+src_compile() {
+	emake all
+	emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" all
+}
+
+src_test() {
+	: # integration tests only that require set of kvms to be set up
+}
+
+src_install() {
+	default
+	emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" DESTDIR="${D}" install
+
+	echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets
+	fperms 0600 /etc/ipsec.secrets
+
+	dodoc -r docs
+
+	find "${D}" -type d -empty -delete || die
+}
+
+pkg_postinst() {
+	local IPSEC_CONFDIR=${ROOT%/}/etc/ipsec.d
+	if [[ ! -f ${IPSEC_CONFDIR}/cert8.db && ! -f ${IPSEC_CONFDIR}/cert9.db ]] ; then
+		ebegin "Setting up NSS database in ${IPSEC_CONFDIR} with empty password"
+		certutil -N -d "${IPSEC_CONFDIR}" --empty-password
+		eend $?
+		einfo "To set a password: certutil -W -d sql:${IPSEC_CONFDIR}"
+	fi
+}
diff --git a/net-vpn/libreswan/libreswan-3.29.ebuild b/net-vpn/libreswan/libreswan-3.29.ebuild
new file mode 100644
index 000000000000..6a7f68a383b7
--- /dev/null
+++ b/net-vpn/libreswan/libreswan-3.29.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd toolchain-funcs
+
+SRC_URI="https://download.libreswan.org/${P}.tar.gz"
+KEYWORDS="~amd64 ~ppc ~x86"
+
+DESCRIPTION="IPsec implementation for Linux, fork of Openswan"
+HOMEPAGE="https://libreswan.org/"
+
+LICENSE="GPL-2 BSD-4 RSA DES"
+SLOT="0"
+IUSE="caps curl dnssec ldap pam seccomp selinux systemd test"
+
+DEPEND="
+	dev-libs/gmp:0=
+	dev-libs/libevent:0=
+	dev-libs/nspr
+	>=dev-libs/nss-3.42
+	caps? ( sys-libs/libcap-ng )
+	curl? ( net-misc/curl )
+	dnssec? ( >=net-dns/unbound-1.9.1-r1:= net-libs/ldns )
+	ldap? ( net-nds/openldap )
+	pam? ( sys-libs/pam )
+	seccomp? ( sys-libs/libseccomp )
+	selinux? ( sys-libs/libselinux )
+	systemd? ( sys-apps/systemd:0= )
+"
+BDEPEND="
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/xmlto
+	dev-libs/nss
+	sys-devel/bison
+	sys-devel/flex
+	virtual/pkgconfig
+	test? ( dev-python/setproctitle )
+"
+RDEPEND="${DEPEND}
+	dev-libs/nss[utils(+)]
+	sys-apps/iproute2
+	!net-misc/openswan
+	!net-vpn/strongswan
+	selinux? ( sec-policy/selinux-ipsec )
+"
+
+usetf() {
+	usex "$1" true false
+}
+
+src_prepare() {
+	sed -i -e 's:/sbin/runscript:/sbin/openrc-run:' initsystems/openrc/ipsec.init.in || die
+	sed -i -e '/^install/ s/postcheck//' -e '/^doinstall/ s/oldinitdcheck//' initsystems/systemd/Makefile || die
+	default
+}
+
+src_configure() {
+	tc-export AR CC
+	export INC_USRLOCAL=/usr
+	export INC_MANDIR=share/man
+	export FINALEXAMPLECONFDIR=/usr/share/doc/${PF}
+	export FINALDOCDIR=/usr/share/doc/${PF}/html
+	export INITSYSTEM=openrc
+	export INC_RCDIRS=
+	export INC_RCDEFAULT=/etc/init.d
+	export USERCOMPILE=
+	export USERLINK=
+	export USE_DNSSEC=$(usetf dnssec)
+	export USE_LABELED_IPSEC=$(usetf selinux)
+	export USE_LIBCAP_NG=$(usetf caps)
+	export USE_LIBCURL=$(usetf curl)
+	export USE_LINUX_AUDIT=$(usetf selinux)
+	export USE_LDAP=$(usetf ldap)
+	export USE_SECCOMP=$(usetf seccomp)
+	export USE_SYSTEMD_WATCHDOG=$(usetf systemd)
+	export SD_WATCHDOGSEC=$(usex systemd 200 0)
+	export USE_XAUTHPAM=$(usetf pam)
+	export DEBUG_CFLAGS=
+	export OPTIMIZE_CFLAGS=
+	export WERROR_CFLAGS=
+}
+
+src_compile() {
+	emake all
+	emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" all
+}
+
+src_test() {
+	: # integration tests only that require set of kvms to be set up
+}
+
+src_install() {
+	default
+	emake -C initsystems INITSYSTEM=systemd SYSTEMUNITDIR="$(systemd_get_systemunitdir)" SYSTEMTMPFILESDIR="/usr/lib/tmpfiles.d" DESTDIR="${D}" install
+
+	echo "include /etc/ipsec.d/*.secrets" > "${D}"/etc/ipsec.secrets
+	fperms 0600 /etc/ipsec.secrets
+
+	dodoc -r docs
+
+	find "${D}" -type d -empty -delete || die
+}
+
+pkg_postinst() {
+	local IPSEC_CONFDIR=${ROOT%/}/etc/ipsec.d
+	if [[ ! -f ${IPSEC_CONFDIR}/cert8.db && ! -f ${IPSEC_CONFDIR}/cert9.db ]] ; then
+		ebegin "Setting up NSS database in ${IPSEC_CONFDIR} with empty password"
+		certutil -N -d "${IPSEC_CONFDIR}" --empty-password
+		eend $?
+		einfo "To set a password: certutil -W -d sql:${IPSEC_CONFDIR}"
+	fi
+}
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
index c544304759c4..622b9fce2985 100644
--- a/net-vpn/tor/Manifest
+++ b/net-vpn/tor/Manifest
@@ -5,7 +5,7 @@ AUX tor.confd 44 BLAKE2B 70df86a361c7b735283c5699e4d8d8a054a84629c749adb4dc57c19
 AUX tor.initd-r8 953 BLAKE2B 7af04f23c95b7edd90bfb6989741973cb63a846ad8a34be9a07e347308523caad1a1e0255e5597bdfb818257ab6db03da0f07622707ff60c62926f91d9d7d6e8 SHA512 4b690a721311a310131041ab962c571f1898f884f55fedf91b842e5190ce58399cccf59d34b4716d5dc15df4183f994d84c7c39f8458cb5f5da870ddc2db1730
 AUX torrc-r1 140 BLAKE2B 4b7e0795c09e737c5dda014c2b87811757bb8d68d581ece49f5002a2c42ee29c64899c635daf27b3465194a73ca5fd21a3a7ca655682fa5f5ffc7f4b2360b125 SHA512 6e3c481b34f2cb6f48bf87fe10565daded00415cc233332d43e18206d46eb7b32f92c55035584b5992e7a056e79e862124a573a9724f7762f76d4c4f0824de82
 DIST tor-0.4.0.5.tar.gz 7203877 BLAKE2B e03710038615a5b9baf327933917c369bb3fabd4df6dd9f16053a0b72bcf20219e956e74258d0e39ae297d406035a89fab017d2e28c795f5d713c3933ad7cd29 SHA512 f6bccc52aaa436a501077b0891ecd3a9779f288b3b15fd76fa2c612e60aba04763b5951f55b2357e6271797b2f924bee9a6d2c1ee20419daa02d9d38ec68510b
-DIST tor-0.4.1.1-alpha.tar.gz 7350019 BLAKE2B 5e5022f9a150d87955b438e8afeef053bdc4196b87c891016a2ecc43d44b0a2a271ef4088cb16d539d2ccfaedc8e73c7d663e9878cf7a10af0d368c5a4512409 SHA512 d8fc5c124de8127a1b06081fb45e6cb0e1d2b77dc2cc4677370317961869f82282483b717fadd932f1d86ae32291ba51f61421c89005703c9625237cb84d2e8e
+DIST tor-0.4.1.2-alpha.tar.gz 7355589 BLAKE2B cbc564624298f810266e785f81ed443ad1a2f44c565a6203f91382648f82954b5547bdc98c8bda358d4ce4423d5ffba53aba28a5ba461288a09e441192d7c748 SHA512 e138f836bc40f16a405e08024168176ed3eafdc26eca06f2a5e31b856e299e1ea04d84fea71a48bd9d79572fad060462d3bd2d4151c6009d04b14848d99102f6
 EBUILD tor-0.4.0.5.ebuild 2232 BLAKE2B fed112e92aa7b11f4646ea94db9fea5ef81a80dd57a4b95990d906142991ee8f4b900601a011246ff6e707069c255555195041929c97e753d16a16bc8d820719 SHA512 44a4958239f006307178121e4cb49f79ca2063561dc593af840456895eaa4f7d272592a1a3658645b29fe9e82a71e73a731eccbc7cab0ebbbfe37b41068f1c1b
-EBUILD tor-0.4.1.1_alpha.ebuild 2237 BLAKE2B c4b181a5383703dd236901b8a7c6f7af27caa9f2e2cc8824bed97e17fa7dde3eed93ef1e341b9d34197040c4d25a6eb6d2d009115f936539da447464747fbc01 SHA512 347aac4e1fdd00208a2949c42804110b0d4c10b499d8d85c5b97cadf54577b966f76bb90d38ab5c732a29ae533024b6207d1508d5ec166f2b1f650d58bde7498
+EBUILD tor-0.4.1.2_alpha.ebuild 2237 BLAKE2B c4b181a5383703dd236901b8a7c6f7af27caa9f2e2cc8824bed97e17fa7dde3eed93ef1e341b9d34197040c4d25a6eb6d2d009115f936539da447464747fbc01 SHA512 347aac4e1fdd00208a2949c42804110b0d4c10b499d8d85c5b97cadf54577b966f76bb90d38ab5c732a29ae533024b6207d1508d5ec166f2b1f650d58bde7498
 MISC metadata.xml 502 BLAKE2B 62cfa9bebca4f57461228105fc7433ba9d56494197768549f6dc62ec048654918bfc04958c321239b5f223c5d263415b346168ab30c6ea3cc78a5b0bef93f08f SHA512 70b258fd1bab0a13d24e20ccff51ba8b0b1f3a526986a0140c5d2344c781f257ff0f7b60cb6a193b6727faf21d7a4ce96071b9b09373fd9636ed2f01ee1f2000
diff --git a/net-vpn/tor/tor-0.4.1.1_alpha.ebuild b/net-vpn/tor/tor-0.4.1.2_alpha.ebuild
index 5260bac68c8c..5260bac68c8c 100644
--- a/net-vpn/tor/tor-0.4.1.1_alpha.ebuild
+++ b/net-vpn/tor/tor-0.4.1.2_alpha.ebuild