From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1
Date: Thu, 5 Dec 2019 16:45:38 +0100
Message-ID: <20191205154538.GK14948@pengutronix.de>
In-Reply-To: <20191205093426.62635-1-lapeddk@gmail.com>
On Thu, Dec 05, 2019 at 10:34:26AM +0100, Lars Pedersen wrote:
> Add swanctl support which replaces the old starter, ipsec and stroke
> backend. In this patch swanctl requires systemd.
> https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
>
> Option to enable strongswan service if systemd is used.
>
> Option to set sysconfdir. Default /etc.
>
> Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
> ---
> v2:
> - Install_lib and plugins installed like before
> - Set rpath to /usr/lib/plugins
> - Add license_files field
>
> rules/strongswan.in | 25 ++++++++++--
> rules/strongswan.make | 91 ++++++++++++++++++++++++++++---------------
> 2 files changed, 81 insertions(+), 35 deletions(-)
>
> diff --git a/rules/strongswan.in b/rules/strongswan.in
> index d0e660c57..5bcef7d8d 100644
> --- a/rules/strongswan.in
> +++ b/rules/strongswan.in
> @@ -48,10 +48,27 @@ config STRONGSWAN_AFALG
>
> config STRONGSWAN_SYSTEMD_UNIT
> bool
> - default y
Keep the default.
> - # uses old systemd-daemon / libsystemd-journal libs
> - depends on BROKEN
> depends on INITMETHOD_SYSTEMD
> - prompt "install systemd service file"
> + prompt "install systemd unit file"
Why change this? It's a service.
> +
> +config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
> + bool
> + depends on STRONGSWAN_SYSTEMD_UNIT
> + prompt "Enable strongswan unit file"
No, why install the unit but not enable it?
> +
> +config STRONGSWAN_SWANCTL
> + bool
> + depends on STRONGSWAN_SYSTEMD_UNIT
Why the dependency?
> + prompt "Use swanctl for configuration"
> + help
> + Swanctl is a new, portable command line utility to configure,
> + control and monitor the IKE daemon charon using the vici interface.
> +
> +config STRONGSWAN_SYSCONF_DIR
> + string
> + prompt "Sysconf directory"
> + default "/etc"
> + help
> + Override default /etc sysconf directory for strongswan.
No. I don't want something like this configurable in PTXdist upstream.
If you need to move this elsewhere, then there are other ways to do this.
E.g. create /dev/null links[1] for all the config files in projectroot/ and
create a symlink for /etc/ipsec.d that points to your directory.
[1] https://www.ptxdist.org/doc/ref_manual.html#install-alternative
> endif
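Review bot: dropping `depends on BROKEN` together with its comment `# uses old systemd-daemon / libsystemd-journal libs` is what makes the systemd unit selectable again, yet neither the hunk nor the commit message says what changed; presumably the new version no longer links against those split libraries, and the commit message should state that. The help text of STRONGSWAN_SWANCTL should also carry the information the commit message already has: selecting it replaces the stroke backend and the `ipsec` command line tool, so existing ipsec.conf based setups stop working.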
> diff --git a/rules/strongswan.make b/rules/strongswan.make
> index 90db7bef7..e5ecac591 100644
> --- a/rules/strongswan.make
> +++ b/rules/strongswan.make
> @@ -15,14 +15,17 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
> #
> # Paths and names
> #
> -STRONGSWAN_VERSION := 5.6.1
> -STRONGSWAN_MD5 := cb2241f1b96c524cd15b1c0f50ed9a27
> +STRONGSWAN_VERSION := 5.8.1
> +STRONGSWAN_MD5 := 5a6b9980cd1ac4fad3c24b55ed960ac9
> STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
> STRONGSWAN_SUFFIX := tar.bz2
> STRONGSWAN_URL := https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
> STRONGSWAN_SOURCE := $(SRCDIR)/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
> STRONGSWAN_DIR := $(BUILDDIR)/$(STRONGSWAN)
> STRONGSWAN_LICENSE := GPL
> +STRONGSWAN_LICENSE_FILES := \
> + file://LICENSE;md5=7744b64eaadabebdfd17e8a5ae6c9855 \
> + file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263
>
> # ----------------------------------------------------------------------------
> # Prepare
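Review bot: with STRONGSWAN_LICENSE_FILES now listed explicitly, `STRONGSWAN_LICENSE := GPL` two lines above is left too vague; name the version (the COPYING text referenced here is the GPL-2.0 license, and strongswan is distributed as GPL-2.0-or-later). The new STRONGSWAN_MD5 should be cross-checked against the signature published alongside the tarball rather than taken from the download alone.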
> @@ -36,6 +39,7 @@ STRONGSWAN_CONF_OPT := \
> --$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
> --disable-bliss \
> --disable-blowfish \
> + --disable-botan \
> --disable-ccm \
> --disable-chapoly \
> --enable-cmac \
> @@ -54,6 +58,7 @@ STRONGSWAN_CONF_OPT := \
> --enable-nonce \
> --disable-ntru \
> --$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
> + --disable-wolfssl \
> --disable-padlock \
> --enable-random \
> --disable-rc2 \
> @@ -126,11 +131,11 @@ STRONGSWAN_CONF_OPT := \
> --enable-socket-default \
> --disable-socket-dynamic \
> --disable-socket-win \
> - --enable-stroke \
> + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-stroke \
> --disable-smp \
> --disable-sql \
> --disable-uci \
> - --disable-vici \
> + --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-vici \
> --disable-android-dns \
> --enable-attr \
> --disable-attr-sql \
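Review bot: turning `--enable-stroke` into `--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-stroke` makes the stroke and vici backends mutually exclusive, although charon can load both plugins at the same time; an image migrating from ipsec.conf to swanctl.conf may want both during a transition. If exclusivity is intended, say so in the commit message and in the Kconfig help.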
> @@ -147,8 +152,6 @@ STRONGSWAN_CONF_OPT := \
> --disable-imv-os \
> --disable-imc-attestation \
> --disable-imv-attestation \
> - --disable-imc-swid \
> - --disable-imv-swid \
> --disable-imc-swima \
> --disable-imv-swima \
> --disable-imc-hcd \
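Review bot: the removed `--disable-imc-swid` / `--disable-imv-swid` lines presumably correspond to configure options that no longer exist in 5.8.1 (the swima pair directly below supersedes them); list removed options in the commit message so the deletion is not mistaken for enabling them. The same applies to the removed `--disable-dumm` further down.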
> @@ -174,14 +177,14 @@ STRONGSWAN_CONF_OPT := \
> --disable-load-tester \
> --disable-lookip \
> --disable-radattr \
> + --disable-save-keys \
> --disable-systime-fix \
> --disable-test-vectors \
> --enable-updown \
> --disable-aikgen \
> - --enable-charon \
> + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon \
> --disable-cmd \
> --disable-conftest \
> - --disable-dumm \
> --disable-fast \
> --disable-fuzzing \
> --disable-libipsec \
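Review bot: `--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon` drops the plain charon daemon whenever swanctl is selected, which only works because the systemd build provides charon-systemd instead; that is the hidden reason for the Kconfig dependency on STRONGSWAN_SYSTEMD_UNIT and should be spelled out in the commit message, or charon should stay enabled so that swanctl over vici also works without systemd. `--disable-save-keys` is right to add explicitly: that plugin writes IKE and ESP keys to files and has no place in a production image.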
> @@ -190,11 +193,10 @@ STRONGSWAN_CONF_OPT := \
> --disable-medsrv \
> --disable-nm \
> --enable-pki \
> - --enable-scepclient \
> + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-scepclient \
> --enable-scripts \
> --disable-svc \
> --$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
> - --disable-swanctl \
> --disable-tkm \
> --disable-bfd-backtraces \
> --disable-dbghelp-backtraces \
> @@ -220,8 +222,12 @@ STRONGSWAN_CONF_OPT := \
> --disable-defaults \
> --enable-dependency-tracking \
> --enable-shared \
> + --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl \
> --with-ipseclibdir=/usr/lib \
> - --with-systemdsystemunitdir=/usr/lib/systemd/system
> + --with-systemdsystemunitdir=/usr/lib/systemd/system \
> + --sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)
> +
> +STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins
>
> # ----------------------------------------------------------------------------
> # Target-Install
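Review bot: `STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins` needs a justification in the commit message. Charon opens its plugins by absolute path from ipseclibdir, so an rpath does not influence plugin loading; it only affects how DT_NEEDED libraries are resolved, and baking a fixed search path into every binary and library of the package is a questionable trade-off. If a plugin fails to load without it, fix the underlying link problem instead. `--sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)` follows the Kconfig option rejected above.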
> @@ -251,12 +257,17 @@ STRONGSWAN_PLUGINS := \
> libstrongswan-sha1.so \
> libstrongswan-sha2.so \
> libstrongswan-socket-default.so \
> - libstrongswan-stroke.so \
> libstrongswan-updown.so \
> libstrongswan-x509.so \
> libstrongswan-xauth-generic.so \
> libstrongswan-xcbc.so
>
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> + STRONGSWAN_PLUGINS += libstrongswan-vici.so
> +else
> + STRONGSWAN_PLUGINS += libstrongswan-stroke.so
> +endif
> +
> ifdef PTXCONF_STRONGSWAN_LIBCURL
> STRONGSWAN_PLUGINS += libstrongswan-curl.so
> endif
> @@ -267,6 +278,7 @@ ifdef PTXCONF_STRONGSWAN_AFALG
> STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
> endif
>
> +
> $(STATEDIR)/strongswan.targetinstall:
> @$(call targetinfo)
>
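Review bot: this hunk only adds a second blank line before `$(STATEDIR)/strongswan.targetinstall:`; drop it.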
> @@ -276,34 +288,51 @@ $(STATEDIR)/strongswan.targetinstall:
> @$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz <chf@fritzc.com>")
> @$(call install_fixup, strongswan,DESCRIPTION,missing)
>
> - @$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf)
> -
> - @$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
> +ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
> + @$(call install_link, strongswan, ../strongswan.service, \
> + /usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
> +endif
>
> - @$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
> + @$(call install_tree, strongswan, 0, 0, -, /usr/bin)
> + @$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
> + @$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
>
> @$(call install_lib, strongswan, 0, 0, 0644, libcharon)
> @$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
>
> @$(foreach plugin, $(STRONGSWAN_PLUGINS), \
> - $(call install_copy, strongswan, 0, 0, 0644, -, \
> - /usr/lib/plugins/$(plugin));)
> + $(call install_copy, strongswan, 0, 0, 0644, -, \
> + /usr/lib/plugins/$(plugin));)
Keep the indentation.
>
> -ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
> - @$(call install_alternative, strongswan, 0, 0, 0644, \
> - /usr/lib/systemd/system/strongswan.service)
This looks wrong. It looks like strongswan.service is not installed any
more.
> - @$(call install_link, strongswan, ../strongswan.service, \
> - /usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
> + @$(call install_alternative, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf)
> +
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> + @$(call install_lib, strongswan, 0, 0, 0644, libvici)
> + @$(call install_tree, strongswan, 0, 0, -, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.d)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp)
> endif
>
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts)
> - @$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts)
> + @$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs)
See above.
Michael
>
> @$(call install_finish, strongswan)
>
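Review bot: `install_tree` on /usr/bin, /usr/libexec and /usr/sbin replaces the targeted installs of /usr/sbin/ipsec and /usr/libexec/ipsec with everything the package puts into those directories, so the set of installed tools now silently depends on the configure options instead of being listed; install the binaries explicitly (swanctl, charon-systemd or the ipsec wrapper) as before. Further, the `multi-user.target.wants` link is added under `ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE` while the `install_alternative` for strongswan.service is removed, so the link would dangle; and the modes `750`/`755` for the swanctl directories should be written `0750`/`0755` like the other calls in this rule.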
> --
> 2.23.0
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
>
--
Pengutronix e.K.
Steuerwalder Str. 21 | http://www.pengutronix.de/
31137 Hildesheim, Germany | Phone: +49-5121-206917-0
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555
Thread overview: 8+ messages
2019-11-18 12:45 [ptxdist] [PATCH] " Lars Pedersen
2019-11-19 12:49 ` [ptxdist] [PATCH v2] " Lars Pedersen
2019-11-19 14:56 ` Bruno Thomsen
2019-11-25 6:53 ` Michael Olbrich
2019-11-26 10:21 ` Lars Pedersen
2019-11-28 16:21 ` Michael Olbrich
2019-12-05 9:34 ` Lars Pedersen
2019-12-05 15:45 ` Michael Olbrich [this message]