From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail-lj1-x242.google.com ([2a00:1450:4864:20::242]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1icnXG-0001Db-Us for ptxdist@pengutronix.de; Thu, 05 Dec 2019 10:34:59 +0100 Received: by mail-lj1-x242.google.com with SMTP id u17so2751407lja.4 for ; Thu, 05 Dec 2019 01:34:58 -0800 (PST) From: Lars Pedersen Date: Thu, 5 Dec 2019 10:34:26 +0100 Message-Id: <20191205093426.62635-1-lapeddk@gmail.com> In-Reply-To: <20191118124538.223808-1-lapeddk@gmail.com> References: <20191118124538.223808-1-lapeddk@gmail.com> MIME-Version: 1.0 Subject: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1 List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Lars Pedersen Add swanctl support which replaces the old starter, ipsec and stroke backend. In this patch swanctl requires systemd. https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd Option to enable strongswan service if systemd is used. Option to set sysconfdir. Default /etc. Signed-off-by: Lars Pedersen --- v2: - Install_lib and plugins installed like before - Set rpath to /usr/lib/plugins - Add license_files field rules/strongswan.in | 25 ++++++++++-- rules/strongswan.make | 91 ++++++++++++++++++++++++++++--------------- 2 files changed, 81 insertions(+), 35 deletions(-) diff --git a/rules/strongswan.in b/rules/strongswan.in index d0e660c57..5bcef7d8d 100644 --- a/rules/strongswan.in +++ b/rules/strongswan.in 
@@ -48,10 +48,27 @@ config STRONGSWAN_AFALG config STRONGSWAN_SYSTEMD_UNIT bool - default y - # uses old systemd-daemon / libsystemd-journal libs - depends on BROKEN depends on INITMETHOD_SYSTEMD - prompt "install systemd service file" + prompt "install systemd unit file" + +config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE + bool + depends on STRONGSWAN_SYSTEMD_UNIT + prompt "Enable strongswan unit file" + +config STRONGSWAN_SWANCTL + bool + depends on STRONGSWAN_SYSTEMD_UNIT + prompt "Use swanctl for configuration" + help + Swanctl is a new, portable command line utility to configure, + control and monitor the IKE daemon charon using the vici interface. + +config STRONGSWAN_SYSCONF_DIR + string + prompt "Sysconf directory" + default "/etc" + help + Override default /etc sysconf directory for strongswan. endif diff --git a/rules/strongswan.make b/rules/strongswan.make index 90db7bef7..e5ecac591 100644 --- a/rules/strongswan.make +++ b/rules/strongswan.make @@ -15,14 +15,17 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan # # Paths and names # -STRONGSWAN_VERSION := 5.6.1 -STRONGSWAN_MD5 := cb2241f1b96c524cd15b1c0f50ed9a27 +STRONGSWAN_VERSION := 5.8.1 +STRONGSWAN_MD5 := 5a6b9980cd1ac4fad3c24b55ed960ac9 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION) STRONGSWAN_SUFFIX := tar.bz2 STRONGSWAN_URL := https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX) STRONGSWAN_SOURCE := $(SRCDIR)/$(STRONGSWAN).$(STRONGSWAN_SUFFIX) STRONGSWAN_DIR := $(BUILDDIR)/$(STRONGSWAN) STRONGSWAN_LICENSE := GPL +STRONGSWAN_LICENSE_FILES := \ + file://LICENSE;md5=7744b64eaadabebdfd17e8a5ae6c9855 \ + file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 # ---------------------------------------------------------------------------- # Prepare @@ -36,6 +39,7 @@ STRONGSWAN_CONF_OPT := \ --$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \ --disable-bliss \ --disable-blowfish \ + --disable-botan \ --disable-ccm \ --disable-chapoly \ --enable-cmac \ 
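Review bot: In rules/strongswan.in, `STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE` has no help text, and the help for `STRONGSWAN_SYSCONF_DIR` does not say what form the value must take, although rules/strongswan.make passes it to `--sysconfdir` and concatenates it directly into install paths. I would add help to the first, e.g. `Create the multi-user.target.wants link so the IKE daemon is started at boot.`, and extend the second with `Must be an absolute path without a trailing slash; the key and certificate directories are created below it.` Because the private-key directories end up under this path, the help could also say that it should live somewhere only root can write.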
@@ -54,6 +58,7 @@ STRONGSWAN_CONF_OPT := \ --enable-nonce \ --disable-ntru \ --$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \ + --disable-wolfssl \ --disable-padlock \ --enable-random \ --disable-rc2 \ @@ -126,11 +131,11 @@ STRONGSWAN_CONF_OPT := \ --enable-socket-default \ --disable-socket-dynamic \ --disable-socket-win \ - --enable-stroke \ + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-stroke \ --disable-smp \ --disable-sql \ --disable-uci \ - --disable-vici \ + --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-vici \ --disable-android-dns \ --enable-attr \ --disable-attr-sql \ @@ -147,8 +152,6 @@ STRONGSWAN_CONF_OPT := \ --disable-imv-os \ --disable-imc-attestation \ --disable-imv-attestation \ - --disable-imc-swid \ - --disable-imv-swid \ --disable-imc-swima \ --disable-imv-swima \ --disable-imc-hcd \ @@ -174,14 +177,14 @@ STRONGSWAN_CONF_OPT := \ --disable-load-tester \ --disable-lookip \ --disable-radattr \ + --disable-save-keys \ --disable-systime-fix \ --disable-test-vectors \ --enable-updown \ --disable-aikgen \ - --enable-charon \ + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon \ --disable-cmd \ --disable-conftest \ - --disable-dumm \ --disable-fast \ --disable-fuzzing \ --disable-libipsec \ @@ -190,11 +193,10 @@ STRONGSWAN_CONF_OPT := \ --disable-medsrv \ --disable-nm \ --enable-pki \ - --enable-scepclient \ + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-scepclient \ --enable-scripts \ --disable-svc \ --$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \ - --disable-swanctl \ --disable-tkm \ --disable-bfd-backtraces \ --disable-dbghelp-backtraces \ 
@@ -220,8 +222,12 @@ STRONGSWAN_CONF_OPT := \ --disable-defaults \ --enable-dependency-tracking \ --enable-shared \ + --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl \ --with-ipseclibdir=/usr/lib \ - --with-systemdsystemunitdir=/usr/lib/systemd/system + --with-systemdsystemunitdir=/usr/lib/systemd/system \ + --sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR) + +STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins # ---------------------------------------------------------------------------- # Target-Install @@ -251,12 +257,17 @@ STRONGSWAN_PLUGINS := \ libstrongswan-sha1.so \ libstrongswan-sha2.so \ libstrongswan-socket-default.so \ - libstrongswan-stroke.so \ libstrongswan-updown.so \ libstrongswan-x509.so \ libstrongswan-xauth-generic.so \ libstrongswan-xcbc.so +ifdef PTXCONF_STRONGSWAN_SWANCTL + STRONGSWAN_PLUGINS += libstrongswan-vici.so +else + STRONGSWAN_PLUGINS += libstrongswan-stroke.so +endif + ifdef PTXCONF_STRONGSWAN_LIBCURL STRONGSWAN_PLUGINS += libstrongswan-curl.so endif @@ -267,6 +278,7 @@ ifdef PTXCONF_STRONGSWAN_AFALG STRONGSWAN_PLUGINS += libstrongswan-af-alg.so endif + $(STATEDIR)/strongswan.targetinstall: @$(call targetinfo) 
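Review bot: `--sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)` uses the Kconfig string as-is; string symbols normally reach make with their double quotes still attached, and an empty value would yield a bare `--sysconfdir=`. If that holds here, strip the quotes once into a package variable and reuse it in targetinstall, where the same symbol is concatenated into paths, e.g. `STRONGSWAN_SYSCONFDIR := $(call remove_quotes,$(PTXCONF_STRONGSWAN_SYSCONF_DIR))`. `STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins` also deserves a one-line comment naming which binaries need the plugin directory on their run-time search path, since an rpath widens where the loader looks for libraries in every object linked with it.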
@@ -276,34 +288,51 @@ $(STATEDIR)/strongswan.targetinstall: @$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz ") @$(call install_fixup, strongswan,DESCRIPTION,missing) - @$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf) - - @$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec) +ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE + @$(call install_link, strongswan, ../strongswan.service, \ + /usr/lib/systemd/system/multi-user.target.wants/strongswan.service) +endif - @$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec) + @$(call install_tree, strongswan, 0, 0, -, /usr/bin) + @$(call install_tree, strongswan, 0, 0, -, /usr/libexec) + @$(call install_tree, strongswan, 0, 0, -, /usr/sbin) @$(call install_lib, strongswan, 0, 0, 0644, libcharon) @$(call install_lib, strongswan, 0, 0, 0644, libstrongswan) @$(foreach plugin, $(STRONGSWAN_PLUGINS), \ - $(call install_copy, strongswan, 0, 0, 0644, -, \ - /usr/lib/plugins/$(plugin));) + $(call install_copy, strongswan, 0, 0, 0644, -, \ + /usr/lib/plugins/$(plugin));) -ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT - @$(call install_alternative, strongswan, 0, 0, 0644, \ - /usr/lib/systemd/system/strongswan.service) - @$(call install_link, strongswan, ../strongswan.service, \ - /usr/lib/systemd/system/multi-user.target.wants/strongswan.service) + @$(call install_alternative, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf) + +ifdef PTXCONF_STRONGSWAN_SWANCTL + @$(call install_lib, strongswan, 0, 0, 0644, libvici) + @$(call install_tree, strongswan, 0, 0, -, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.d) + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss) + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d) + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa) + @$(call install_copy, strongswan, 0, 0, 750, 
$(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12) + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8) + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private) + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey) + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa) + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509) + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa) + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac) + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca) + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl) + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp) endif - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts) - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts) - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts) - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs) - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls) - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts) - @$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private) - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs) + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts) + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts) + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts) + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs) + @$(call install_copy, 
strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls) + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts) + @$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private) + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs) @$(call install_finish, strongswan) -- 2.23.0 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de
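Review bot: The `multi-user.target.wants/strongswan.service` link is still created, but this hunk drops the only line that installed `/usr/lib/systemd/system/strongswan.service`, and the new `install_tree` calls cover just `/usr/bin`, `/usr/libexec` and `/usr/sbin`, so unless the unit is installed in the part of the targetinstall rule outside this hunk the link dangles and the IKE daemon never starts at boot. Keep an install line under `ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT`, e.g. `@$(call install_copy, strongswan, 0, 0, 0644, -, /usr/lib/systemd/system/strongswan.service)`. The swanctl directories use `750`/`755` while the rest of the rule writes four-digit modes; `0750` and `0755` would match, and a short comment that `private`, `rsa`, `ecdsa`, `pkcs8`, `pkcs12` and `bliss` hold key material and must stay closed to other users would protect those modes from later cleanup. The `ipsec.d` directories are still created unconditionally with `0644`/`0600`, which gives a directory no search bit, and they look unused once swanctl switches stroke off, so they could move into an `else` branch. Replacing the single `/usr/sbin/ipsec` copy with whole-directory `install_tree` calls also ships every binary the build happens to place there; an explicit list keeps the image's attack surface reviewable.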