From: Lars Pedersen <lapeddk@gmail.com>
To: ptxdist@pengutronix.de
Cc: Lars Pedersen <lapeddk@gmail.com>
Subject: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
Date: Tue, 19 Nov 2019 13:49:37 +0100	[thread overview]
Message-ID: <20191119124937.274447-1-lapeddk@gmail.com> (raw)
In-Reply-To: <20191118124538.223808-1-lapeddk@gmail.com>

Add swanctl support which replaces the old starter, ipsec and stroke
backend. In this patch swanctl requires systemd.
https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd

Use install_glob to install all compiled plugins.

Option to enable strongswan service if systemd is used.

Option to set sysconfdir. Default /etc.

Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
---
v2: Add the missing tree install of the strongswan.d directory in the sysconf dir.
 rules/strongswan.in   |  25 ++++++--
 rules/strongswan.make | 130 ++++++++++++++++++------------------------
 2 files changed, 77 insertions(+), 78 deletions(-)

diff --git a/rules/strongswan.in b/rules/strongswan.in
index d0e660c57..651fd86a6 100644
--- a/rules/strongswan.in
+++ b/rules/strongswan.in
@@ -48,10 +48,27 @@ config STRONGSWAN_AFALG
 
 config STRONGSWAN_SYSTEMD_UNIT
 	bool
-	default y
-	# uses old systemd-daemon / libsystemd-journal libs
-	depends on BROKEN
 	depends on INITMETHOD_SYSTEMD
-	prompt "install systemd service file"
+	prompt "install systemd unit file"
+
+config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
+	bool
+	depends on STRONGSWAN_SYSTEMD_UNIT
+	prompt "Enable strongswan unit file"
+
+config STRONGSWAN_SWANCTL
+	bool
+	depends on STRONGSWAN_SYSTEMD_UNIT
+	prompt "Use swanctl for configuration"
+	help
+		Swanctl is a new, portable command line utility to configure,
+		control and monitor the IKE daemon charon using the vici interface.
+
+config STRONGSWAN_SYSCONF_DIR
+	string
+	prompt "Sysconf directory"
+	default "/etc"
+	help
+		Override default /etc sysconf directory for strongswan.
 
 endif
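Review bot: `STRONGSWAN_SYSCONF_DIR` is a free-form string with no stated constraint, and this same patch passes it unchecked to `--sysconfdir=` and to every `install_copy`/`install_alternative` destination in rules/strongswan.make. An empty or relative value would place `strongswan.conf` and the private-key directories (`swanctl/private`, `ipsec.d/private`) somewhere nobody intended, for example directly under `/`. At minimum the help text should state the contract, e.g. `Absolute path without trailing slash; must not be empty. Private keys and credentials are installed below this directory.`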
diff --git a/rules/strongswan.make b/rules/strongswan.make
index 90db7bef7..c0116e286 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION	:= 5.6.1
-STRONGSWAN_MD5		:= cb2241f1b96c524cd15b1c0f50ed9a27
+STRONGSWAN_VERSION	:= 5.8.1
+STRONGSWAN_MD5		:= 5a6b9980cd1ac4fad3c24b55ed960ac9
 STRONGSWAN		:= strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX	:= tar.bz2
 STRONGSWAN_URL		:= https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
@@ -36,6 +36,7 @@ STRONGSWAN_CONF_OPT	:= \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
 	--disable-bliss \
 	--disable-blowfish \
+	--disable-botan \
 	--disable-ccm \
 	--disable-chapoly \
 	--enable-cmac \
@@ -54,6 +55,7 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-nonce \
 	--disable-ntru \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
+	--disable-wolfssl \
 	--disable-padlock \
 	--enable-random \
 	--disable-rc2 \
@@ -126,11 +128,9 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-socket-default \
 	--disable-socket-dynamic \
 	--disable-socket-win \
-	--enable-stroke \
 	--disable-smp \
 	--disable-sql \
 	--disable-uci \
-	--disable-vici \
 	--disable-android-dns \
 	--enable-attr \
 	--disable-attr-sql \
@@ -147,8 +147,6 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-imv-os \
 	--disable-imc-attestation \
 	--disable-imv-attestation \
-	--disable-imc-swid \
-	--disable-imv-swid \
 	--disable-imc-swima \
 	--disable-imv-swima \
 	--disable-imc-hcd \
@@ -174,14 +172,13 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-load-tester \
 	--disable-lookip \
 	--disable-radattr \
+	--disable-save-keys \
 	--disable-systime-fix \
 	--disable-test-vectors \
 	--enable-updown \
 	--disable-aikgen \
-	--enable-charon \
 	--disable-cmd \
 	--disable-conftest \
-	--disable-dumm \
 	--disable-fast \
 	--disable-fuzzing \
 	--disable-libipsec \
@@ -190,11 +187,9 @@ STRONGSWAN_CONF_OPT	:= \
 	--disable-medsrv \
 	--disable-nm \
 	--enable-pki \
-	--enable-scepclient \
 	--enable-scripts \
 	--disable-svc \
 	--$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
-	--disable-swanctl \
 	--disable-tkm \
 	--disable-bfd-backtraces \
 	--disable-dbghelp-backtraces \
@@ -221,52 +216,29 @@ STRONGSWAN_CONF_OPT	:= \
 	--enable-dependency-tracking \
 	--enable-shared \
 	--with-ipseclibdir=/usr/lib \
-	--with-systemdsystemunitdir=/usr/lib/systemd/system
+	--with-systemdsystemunitdir=/usr/lib/systemd/system \
+	--sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)
+
+ifdef PTXCONF_STRONGSWAN_SWANCTL
+	STRONGSWAN_CONF_OPT += \
+		--enable-swanctl \
+		--disable-charon \
+		--disable-stroke \
+		--enable-vici \
+		--disable-scepclient
+else
+	STRONGSWAN_CONF_OPT += \
+		--disable-swanctl \
+		--enable-charon \
+		--enable-stroke \
+		--disable-vici \
+		--enable-scepclient
+endif
 
 # ----------------------------------------------------------------------------
 # Target-Install
 # ----------------------------------------------------------------------------
 
-STRONGSWAN_PLUGINS := \
-	libstrongswan-aes.so \
-	libstrongswan-attr.so \
-	libstrongswan-cmac.so \
-	libstrongswan-constraints.so \
-	libstrongswan-dnskey.so \
-	libstrongswan-fips-prf.so \
-	libstrongswan-gcm.so \
-	libstrongswan-gmp.so \
-	libstrongswan-hmac.so \
-	libstrongswan-kernel-netlink.so \
-	libstrongswan-nonce.so \
-	libstrongswan-pem.so \
-	libstrongswan-pgp.so \
-	libstrongswan-pkcs1.so \
-	libstrongswan-pkcs7.so \
-	libstrongswan-pkcs8.so \
-	libstrongswan-pubkey.so \
-	libstrongswan-random.so \
-	libstrongswan-resolve.so \
-	libstrongswan-revocation.so \
-	libstrongswan-sha1.so \
-	libstrongswan-sha2.so \
-	libstrongswan-socket-default.so \
-	libstrongswan-stroke.so \
-	libstrongswan-updown.so \
-	libstrongswan-x509.so \
-	libstrongswan-xauth-generic.so \
-	libstrongswan-xcbc.so
-
-ifdef PTXCONF_STRONGSWAN_LIBCURL
-	STRONGSWAN_PLUGINS += libstrongswan-curl.so
-endif
-ifdef PTXCONF_STRONGSWAN_OPENSSL
-	STRONGSWAN_PLUGINS += libstrongswan-openssl.so
-endif
-ifdef PTXCONF_STRONGSWAN_AFALG
-	STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
-endif
-
 $(STATEDIR)/strongswan.targetinstall:
 	@$(call targetinfo)
 
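Review bot: The `ifdef PTXCONF_STRONGSWAN_SWANCTL` block appended after `STRONGSWAN_CONF_OPT` takes five switches (swanctl, charon, stroke, vici, scepclient) out of the main list and spells each one twice, which departs from the style of the rest of the list, where conditional switches are written inline with `ptx/endis`. Leaving them in their original positions as `--$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl` and `--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon` (vici likewise with `ptx/endis`, stroke and scepclient with `ptx/disen`) keeps a single list that can be audited for what the daemon is built with. The `STRONGSWAN_CONF_OPT` assignment itself begins above this hunk.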
@@ -276,34 +248,44 @@ $(STATEDIR)/strongswan.targetinstall:
 	@$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz <chf@fritzc.com>")
 	@$(call install_fixup, strongswan,DESCRIPTION,missing)
 
-	@$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf)
-
-	@$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
-
-	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
+ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
+	@$(call install_link, strongswan, ../strongswan.service, \
+		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
+endif
 
-	@$(call install_lib, strongswan, 0, 0, 0644, libcharon)
-	@$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/bin)
+	@$(call install_glob, strongswan, 0, 0, -, /usr/lib,,*.la)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
+	@$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
 
-	@$(foreach plugin, $(STRONGSWAN_PLUGINS), \
-		$(call install_copy, strongswan, 0, 0, 0644, -, \
-			/usr/lib/plugins/$(plugin));)
+	@$(call install_alternative, strongswan, 0, 0, 0644,  $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf)
 
-ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
-	@$(call install_alternative, strongswan, 0, 0, 0644, \
-		/usr/lib/systemd/system/strongswan.service)
-	@$(call install_link, strongswan, ../strongswan.service, \
-		/usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
+ifdef PTXCONF_STRONGSWAN_SWANCTL
+	@$(call install_tree, strongswan, 0, 0, -, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.d)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey)
+	@$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl)
+	@$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp)
 endif
 
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts)
-	@$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private)
-	@$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts)
+	@$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private)
+	@$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs)
 
 	@$(call install_finish, strongswan)
 
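Review bot: `install_glob, strongswan, 0, 0, -, /usr/lib,,*.la` together with the three `install_tree` calls replaces the explicit `STRONGSWAN_PLUGINS` list and the per-file `install_copy` lines, so the target image now receives every plugin and helper binary the build happens to produce rather than a reviewed set. For a VPN daemon that leaves `STRONGSWAN_CONF_OPT` as the only control over what ships, and a plugin that a later version bump enables by default would reach the target without any change to this recipe. I would add a comment above the glob that says so, e.g. `# ships everything configure built; every plugin must be listed explicitly in STRONGSWAN_CONF_OPT`. The new swanctl directories also use modes `750`/`755` while the `ipsec.d` lines below them keep `0644`/`0600`; a consistent four-digit form (`0750`, `0755`) would read better. The recipe begins above this hunk.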
-- 
2.23.0

