From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from dude02.hi.pengutronix.de ([2001:67c:670:100:1d::28] helo=dude02.lab.pengutronix.de) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1ictJy-00088m-LO for ptxdist@pengutronix.de; Thu, 05 Dec 2019 16:45:38 +0100 Received: from mol by dude02.lab.pengutronix.de with local (Exim 4.92) (envelope-from ) id 1ictJy-0002r6-Cp for ptxdist@pengutronix.de; Thu, 05 Dec 2019 16:45:38 +0100 Date: Thu, 5 Dec 2019 16:45:38 +0100 From: Michael Olbrich Message-ID: <20191205154538.GK14948@pengutronix.de> References: <20191118124538.223808-1-lapeddk@gmail.com> <20191205093426.62635-1-lapeddk@gmail.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20191205093426.62635-1-lapeddk@gmail.com> Subject: Re: [ptxdist] [PATCH v2] strongswan: Version bump 5.6.1 -> 5.8.1 List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de On Thu, Dec 05, 2019 at 10:34:26AM +0100, Lars Pedersen wrote: > Add swanctl support which replaces the old starter, ipsec and stroke > backend. In this patch swanctl requires systemd. > https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd > > Option to enable strongswan service if systemd is used. > > Option to set sysconfdir. Default /etc. > > Signed-off-by: Lars Pedersen > --- > v2: > - Install_lib and plugins installed like before > - Set rpath to /usr/lib/plugins > - Add license_files field > > rules/strongswan.in | 25 ++++++++++-- > rules/strongswan.make | 91 ++++++++++++++++++++++++++++--------------- > 2 files changed, 81 insertions(+), 35 deletions(-) > > diff --git a/rules/strongswan.in b/rules/strongswan.in > index d0e660c57..5bcef7d8d 100644 
> --- a/rules/strongswan.in
> +++ b/rules/strongswan.in
> @@ -48,10 +48,27 @@ config STRONGSWAN_AFALG
>
> config STRONGSWAN_SYSTEMD_UNIT
> bool
> - default y
keep the default.
> - # uses old systemd-daemon / libsystemd-journal libs
> - depends on BROKEN
> depends on INITMETHOD_SYSTEMD
> - prompt "install systemd service file"
> + prompt "install systemd unit file"
Why change this? It's a service.
> +
> +config STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
> + bool
> + depends on STRONGSWAN_SYSTEMD_UNIT
> + prompt "Enable strongswan unit file"
No, why install the unit but not enable it?
> +
> +config STRONGSWAN_SWANCTL
> + bool
> + depends on STRONGSWAN_SYSTEMD_UNIT
Why the dependency?
> + prompt "Use swanctl for configuration"
> + help
> + Swanctl is a new, portable command line utility to configure,
> + control and monitor the IKE daemon charon using the vici interface.
> +
> +config STRONGSWAN_SYSCONF_DIR
> + string
> + prompt "Sysconf directory"
> + default "/etc"
> + help
> + Override default /etc sysconf directory for strongswan.
No. I don't want something like this configurable in PTXdist upstream. If you need to move this elsewhere, then there are other ways to do this. E.g. create /dev/null links[1] for all the config files in projectroot/ and create a symlink for /etc/ipsec.d that points to your directory. [1] https://www.ptxdist.org/doc/ref_manual.html#install-alternative
> endif
> diff --git a/rules/strongswan.make b/rules/strongswan.make
> index 90db7bef7..e5ecac591 100644
> --- a/rules/strongswan.make
> +++ b/rules/strongswan.make
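Review bot: The help text for STRONGSWAN_SWANCTL explains what swanctl is but not what selecting it removes: the make rule turns the same symbol into --disable-stroke and --disable-charon, so the `ipsec` command and the stroke-style configuration under ipsec.d stop working and everything moves to swanctl.conf and the swanctl/ directories. A user flipping the option in menuconfig only finds that out at runtime. Suggest adding a sentence to the help along the lines of `Selecting this replaces the stroke backend (ipsec.conf, ipsec.d and the ipsec command) with swanctl.conf and the swanctl/ directories.`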
> @@ -15,14 +15,17 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
> #
> # Paths and names
> #
> -STRONGSWAN_VERSION := 5.6.1
> -STRONGSWAN_MD5 := cb2241f1b96c524cd15b1c0f50ed9a27
> +STRONGSWAN_VERSION := 5.8.1
> +STRONGSWAN_MD5 := 5a6b9980cd1ac4fad3c24b55ed960ac9
> STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
> STRONGSWAN_SUFFIX := tar.bz2
> STRONGSWAN_URL := https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
> STRONGSWAN_SOURCE := $(SRCDIR)/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
> STRONGSWAN_DIR := $(BUILDDIR)/$(STRONGSWAN)
> STRONGSWAN_LICENSE := GPL
> +STRONGSWAN_LICENSE_FILES := \
> + file://LICENSE;md5=7744b64eaadabebdfd17e8a5ae6c9855 \
> + file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263
>
> # ----------------------------------------------------------------------------
> # Prepare
> @@ -36,6 +39,7 @@ STRONGSWAN_CONF_OPT := \
> --$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
> --disable-bliss \
> --disable-blowfish \
> + --disable-botan \
> --disable-ccm \
> --disable-chapoly \
> --enable-cmac \
> @@ -54,6 +58,7 @@ STRONGSWAN_CONF_OPT := \
> --enable-nonce \
> --disable-ntru \
> --$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
> + --disable-wolfssl \
> --disable-padlock \
> --enable-random \
> --disable-rc2 \
> @@ -126,11 +131,11 @@ STRONGSWAN_CONF_OPT := \
> --enable-socket-default \
> --disable-socket-dynamic \
> --disable-socket-win \
> - --enable-stroke \
> + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-stroke \
> --disable-smp \
> --disable-sql \
> --disable-uci \
> - --disable-vici \
> + --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-vici \
> --disable-android-dns \
> --enable-attr \
> --disable-attr-sql \
> @@ -147,8 +152,6 @@ STRONGSWAN_CONF_OPT := \
> --disable-imv-os \
> --disable-imc-attestation \
> --disable-imv-attestation \
> - --disable-imc-swid \
> - --disable-imv-swid \
> --disable-imc-swima \
> --disable-imv-swima \
> --disable-imc-hcd \
> @@ -174,14 +177,14 @@ STRONGSWAN_CONF_OPT := \
> --disable-load-tester \
> --disable-lookip \
> --disable-radattr \
> + --disable-save-keys \
> --disable-systime-fix \
> --disable-test-vectors \
> --enable-updown \
> --disable-aikgen \
> - --enable-charon \
> + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon \
> --disable-cmd \
> --disable-conftest \
> - --disable-dumm \
> --disable-fast \
> --disable-fuzzing \
> --disable-libipsec \
> @@ -190,11 +193,10 @@ STRONGSWAN_CONF_OPT := \
> --disable-medsrv \
> --disable-nm \
> --enable-pki \
> - --enable-scepclient \
> + --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-scepclient \
> --enable-scripts \
> --disable-svc \
> --$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
> - --disable-swanctl \
> --disable-tkm \
> --disable-bfd-backtraces \
> --disable-dbghelp-backtraces \
> @@ -220,8 +222,12 @@ STRONGSWAN_CONF_OPT := \
> --disable-defaults \
> --enable-dependency-tracking \
> --enable-shared \
> + --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl \
> --with-ipseclibdir=/usr/lib \
> - --with-systemdsystemunitdir=/usr/lib/systemd/system
> + --with-systemdsystemunitdir=/usr/lib/systemd/system \
> + --sysconfdir=$(PTXCONF_STRONGSWAN_SYSCONF_DIR)
> +
> +STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins
>
> # ----------------------------------------------------------------------------
> # Target-Install
> @@ -251,12 +257,17 @@ STRONGSWAN_PLUGINS := \
> libstrongswan-sha1.so \
> libstrongswan-sha2.so \
> libstrongswan-socket-default.so \
> - libstrongswan-stroke.so \
> libstrongswan-updown.so \
> libstrongswan-x509.so \
> libstrongswan-xauth-generic.so \
> libstrongswan-xcbc.so
>
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> + STRONGSWAN_PLUGINS += libstrongswan-vici.so
> +else
> + STRONGSWAN_PLUGINS += libstrongswan-stroke.so
> +endif
> +
> ifdef PTXCONF_STRONGSWAN_LIBCURL
> STRONGSWAN_PLUGINS += libstrongswan-curl.so
> endif
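Review bot: `--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon` switches the classic charon daemon off whenever swanctl is selected, and nothing in the rule says what then provides an IKE daemon at all; from the `--$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd` line in the next hunk it looks like charon-systemd is relied on, which only holds as long as the Kconfig dependency on STRONGSWAN_SYSTEMD_UNIT stays in place. That coupling is invisible here and a later relaxation of the dependency would silently produce a build with no daemon. A comment above the line would make it reviewable, e.g. `# swanctl mode: the classic charon is replaced by charon-systemd (--enable-systemd)`; the `-scepclient` line in the next hunk follows the same pattern and should say why it is tied to swanctl, since scepclient does not depend on the stroke backend. STRONGSWAN_CONF_OPT starts before this hunk and continues past it.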
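Review bot: `STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins` bakes a run-time library search path into every strongSwan binary and library without saying which dependency needs it; as far as I can tell libstrongswan loads its plugins by full path from the directory configured via `--with-ipseclibdir`, so the dynamic loader's search path is not involved, and libvici and the core libraries are installed to /usr/lib, which is searched by default. The cover letter only says "Set rpath to /usr/lib/plugins", not why, and the path is duplicated by hand instead of being derived from the ipseclibdir above. If the rpath is really required, add a comment naming the library that is otherwise not found (`# rpath: <which library and why>`); if it was only added to work around a link-time error, that error is better fixed in the configure options.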
> @@ -267,6 +278,7 @@ ifdef PTXCONF_STRONGSWAN_AFALG
> STRONGSWAN_PLUGINS += libstrongswan-af-alg.so
> endif
>
> +
> $(STATEDIR)/strongswan.targetinstall:
> @$(call targetinfo)
>
> @@ -276,34 +288,51 @@ $(STATEDIR)/strongswan.targetinstall:
> @$(call install_fixup, strongswan,AUTHOR,"Christoph Fritz ")
> @$(call install_fixup, strongswan,DESCRIPTION,missing)
>
> - @$(call install_alternative, strongswan, 0, 0, 0644, /etc/strongswan.conf)
> -
> - @$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
> +ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT_ENABLE_SERVICE
> + @$(call install_link, strongswan, ../strongswan.service, \
> + /usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
> +endif
>
> - @$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
> + @$(call install_tree, strongswan, 0, 0, -, /usr/bin)
> + @$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
> + @$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
>
> @$(call install_lib, strongswan, 0, 0, 0644, libcharon)
> @$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
>
> @$(foreach plugin, $(STRONGSWAN_PLUGINS), \
> - $(call install_copy, strongswan, 0, 0, 0644, -, \
> - /usr/lib/plugins/$(plugin));)
> + $(call install_copy, strongswan, 0, 0, 0644, -, \
> + /usr/lib/plugins/$(plugin));)
Keep the indention.
>
> -ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
> - @$(call install_alternative, strongswan, 0, 0, 0644, \
> - /usr/lib/systemd/system/strongswan.service)
This looks wrong. It looks like strongswan.service is not installed any more.
> - @$(call install_link, strongswan, ../strongswan.service, \
> - /usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
> + @$(call install_alternative, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.conf)
> +
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> + @$(call install_lib, strongswan, 0, 0, 0644, libvici)
> + @$(call install_tree, strongswan, 0, 0, -, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/strongswan.d)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/bliss)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/conf.d)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/ecdsa)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs12)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pkcs8)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/private)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/pubkey)
> + @$(call install_copy, strongswan, 0, 0, 750, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/rsa)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509aa)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ac)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ca)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509crl)
> + @$(call install_copy, strongswan, 0, 0, 755, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/swanctl/x509ocsp)
> endif
>
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
> - @$(call install_copy,
strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/certs)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/crls)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/ocspcerts)
> - @$(call install_copy, strongswan, 0, 0, 0600, /etc/ipsec.d/private)
> - @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/reqs)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/aacerts)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/acerts)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/cacerts)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/certs)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/crls)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/ocspcerts)
> + @$(call install_copy, strongswan, 0, 0, 0600, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/private)
> + @$(call install_copy, strongswan, 0, 0, 0644, $(PTXCONF_STRONGSWAN_SYSCONF_DIR)/ipsec.d/reqs)
see above.
Michael
>
> @$(call install_finish, strongswan)
>
> --
> 2.23.0
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
>
-- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
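Review bot: Replacing the explicit `/usr/sbin/ipsec` copy with `install_tree` on `/usr/bin`, `/usr/libexec` and `/usr/sbin` ships every program the configure flags happen to enable (pki, scepclient, the --enable-scripts helpers, whatever a future version adds) without the rule naming any of them, so the installed footprint of a VPN daemon is no longer reviewable from the rule; copy the individual binaries by name, or keep `install_tree` only for `/usr/libexec/ipsec` as before. The `ipsec.d/*` directories at the end are still created unconditionally although, as far as I can tell, only the stroke backend reads them, so they belong in the `else` branch of the `ifdef PTXCONF_STRONGSWAN_SWANCTL` block rather than next to the swanctl directories. The new swanctl lines use `750`/`755` where the rest of the rule writes four-digit modes; `0750`/`0755` keeps the style consistent. The targetinstall recipe starts in the previous hunk and is closed by `install_finish` here.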