The default strongswan.conf loads plugins via
strongswan.d/charon/*.conf files.

Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
---
 rules/strongswan.make | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 99f2fae74..07a7ade73 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -312,7 +312,6 @@ endif

 ifdef PTXCONF_STRONGSWAN_SWANCTL
 @$(call install_lib, strongswan, 0, 0, 0644, libvici)
- @$(call install_tree, strongswan, 0, 0, -, /etc/strongswan.d)
 @$(call install_alternative, strongswan, 0, 0, 0644, /etc/swanctl/swanctl.conf)
 @$(call install_copy, strongswan, 0, 0, 0750, /etc/swanctl/bliss)
 @$(call install_copy, strongswan, 0, 0, 0750, /etc/swanctl/ecdsa)
@@ -329,6 +328,7 @@ ifdef PTXCONF_STRONGSWAN_SWANCTL
 @$(call install_copy, strongswan, 0, 0, 0755, /etc/swanctl/x509ocsp)
 endif

+ @$(call install_tree, strongswan, 0, 0, -, /etc/strongswan.d)
 @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
 @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
 @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
--
2.38.1
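Review bot: The relocated `install_tree` line in the `@@ -329,6 +328,7 @@` hunk passes `-` as its mode argument, which, as far as I know, makes ptxdist take the file modes from the package's install directory instead of pinning them. After the move /etc/strongswan.d is installed in every configuration, and plugin snippets under it may end up holding credentials, while the neighbouring /etc/swanctl directories are pinned to 0750; it is worth checking the resulting modes in the image and pinning them if they are wider than intended. A one-line comment above the call would also record why it sits outside the ifdef, for example `# strongswan.conf includes strongswan.d/charon/*.conf, with or without swanctl`. The enclosing targetinstall recipe starts and ends outside the hunk.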
Configure options:

* scepclient deprecated and removed
* Disabled AddressSanitizer (--disable-asan)
* New --with-python-sys-prefix unspecified for GNU default values
* New --with-python_prefix unspecified for GNU default values
* New --with-python_exec_prefix unspecified for GNU default values
* Disabled extended compiler warnings (--disable-warnings) because of
compile error: (OSELAS.Toolchain-2021.07.0)

cmac.c: In function 'derive_key':
cmac.c:236:36: error: writing 1 byte into a region of size 0
[-Werror=stringop-overflow=]
236 | rb.ptr[rb.len - 1] = 0x87;
| ~~~~~~~~~~~~~~~~~~~^~~~~~
cc1: all warnings being treated as errors

Plugins:

* Fixed missing plugin targetinstall of libstrongswan-acert.so
* Enabled mgf1 since swanctl and starting strongswan gave following
error:

plugin 'mgf1': failed to load - mgf1_plugin_create not found and no
plugin file available

Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
---
 rules/strongswan.make | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/rules/strongswan.make b/rules/strongswan.make
index 07a7ade73..f8e8236a5 100644
--- a/rules/strongswan.make
+++ b/rules/strongswan.make
@@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
 #
 # Paths and names
 #
-STRONGSWAN_VERSION := 5.9.6
-STRONGSWAN_MD5 := 0eeb13eda09fb34e9ab5e2bfcfab1211
+STRONGSWAN_VERSION := 5.9.8
+STRONGSWAN_MD5 := f46b0d3e7aed88824650d0721c887443
 STRONGSWAN := strongswan-$(STRONGSWAN_VERSION)
 STRONGSWAN_SUFFIX := tar.bz2
 STRONGSWAN_URL := https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
@@ -54,7 +54,7 @@ STRONGSWAN_CONF_OPT := \
 --enable-hmac \
 --disable-md4 \
 --disable-md5 \
- --disable-mgf1 \
+ --enable-mgf1 \
 --disable-newhope \
 --enable-nonce \
 --disable-ntru \
@@ -194,7 +194,6 @@ STRONGSWAN_CONF_OPT := \
 --disable-medsrv \
 --disable-nm \
 --enable-pki \
- --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-scepclient \
 --enable-scripts \
 --disable-svc \
 --$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
@@ -224,6 +223,8 @@ STRONGSWAN_CONF_OPT := \
 --enable-kdf \
 --enable-dependency-tracking \
 --enable-shared \
+ --disable-warnings \
+ --disable-asan \
 --$(call ptx/endis, PTXCONF_GLOBAL_SELINUX)-selinux \
 --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl \
 --with-ipseclibdir=/usr/lib \
@@ -236,6 +237,7 @@ STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins
 # ----------------------------------------------------------------------------

 STRONGSWAN_PLUGINS := \
+ libstrongswan-acert.so \
 libstrongswan-aes.so \
 libstrongswan-attr.so \
 libstrongswan-cmac.so \
@@ -247,6 +249,7 @@ STRONGSWAN_PLUGINS := \
 libstrongswan-hmac.so \
 libstrongswan-kdf.so \
 libstrongswan-kernel-netlink.so \
+ libstrongswan-mgf1.so \
 libstrongswan-nonce.so \
 libstrongswan-pem.so \
 libstrongswan-pgp.so \
--
2.38.1
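Review bot: `--disable-warnings` in the `@@ -224,6 +223,8 @@` hunk switches off the extended warnings and `-Werror` for the whole package in order to get past one diagnostic, the `-Werror=stringop-overflow=` report at cmac.c:236 quoted in the commit message. The rest of the package's code then builds without those checks under this toolchain, and nothing in the rule file records why. A narrower workaround would keep the warnings and demote only that one, for example `STRONGSWAN_CFLAGS := -Wno-error=stringop-overflow` next to the existing `STRONGSWAN_LDFLAGS` (assuming ptxdist passes a per-package CFLAGS variable through, which should be confirmed); the cmac.c report is also worth raising upstream rather than assuming it is a false positive. Either way, a comment above `STRONGSWAN_CONF_OPT` naming the toolchain and the diagnostic would help, since the assignment starts outside the hunk and its backslash-continued lines cannot carry comments.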
On Mon, Dec 05, 2022 at 09:56:44AM +0100, Lars Pedersen wrote: > Configure options: > > * scepclient deprecated and removed > * Disabled AddressSanitizer (--disable-asan) > * New --with-python-sys-prefix unspecified for GNU default values > * New --with-python_prefix unspecified for GNU default values > * New --with-python_exec_prefix unspecified for GNU default values > * Disabled extended compiler warnings (--disable-warnings) because of > compile error: (OSELAS.Toolchain-2021.07.0) > > cmac.c: In function 'derive_key': > cmac.c:236:36: error: writing 1 byte into a region of size 0 > [-Werror=stringop-overflow=] > 236 | rb.ptr[rb.len - 1] = 0x87; > | ~~~~~~~~~~~~~~~~~~~^~~~~~ > cc1: all warnings being treated as errors > > Plugins: > > * Fixed missing plugin targetinstall of libstrongswan-acert.so > * Enabled mgf1 since swanctl and starting strongswan gave following > error: > > plugin 'mgf1': failed to load - mgf1_plugin_create not found and no > plugin file available My sanity checker complains that /usr/bin/pki (installed by this package) uses libtls.so.0 which is not in the rootfs. That's also provided by this package, so it needs to be installed as well (or don't install pki, I have no idea it it's needed). Michael > Signed-off-by: Lars Pedersen <lapeddk@gmail.com> > --- > rules/strongswan.make | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/rules/strongswan.make b/rules/strongswan.make > index 07a7ade73..f8e8236a5 100644 > --- a/rules/strongswan.make > +++ b/rules/strongswan.make > @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan > # > # Paths and names > # > -STRONGSWAN_VERSION := 5.9.6 > -STRONGSWAN_MD5 := 0eeb13eda09fb34e9ab5e2bfcfab1211 > +STRONGSWAN_VERSION := 5.9.8 > +STRONGSWAN_MD5 := f46b0d3e7aed88824650d0721c887443 > STRONGSWAN := strongswan-$(STRONGSWAN_VERSION) > STRONGSWAN_SUFFIX := tar.bz2 > STRONGSWAN_URL := https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX) 
> @@ -54,7 +54,7 @@ STRONGSWAN_CONF_OPT := \ > --enable-hmac \ > --disable-md4 \ > --disable-md5 \ > - --disable-mgf1 \ > + --enable-mgf1 \ > --disable-newhope \ > --enable-nonce \ > --disable-ntru \ > @@ -194,7 +194,6 @@ STRONGSWAN_CONF_OPT := \ > --disable-medsrv \ > --disable-nm \ > --enable-pki \ > - --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-scepclient \ > --enable-scripts \ > --disable-svc \ > --$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \ > @@ -224,6 +223,8 @@ STRONGSWAN_CONF_OPT := \ > --enable-kdf \ > --enable-dependency-tracking \ > --enable-shared \ > + --disable-warnings \ > + --disable-asan \ > --$(call ptx/endis, PTXCONF_GLOBAL_SELINUX)-selinux \ > --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl \ > --with-ipseclibdir=/usr/lib \ > @@ -236,6 +237,7 @@ STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins > # ---------------------------------------------------------------------------- > > STRONGSWAN_PLUGINS := \ > + libstrongswan-acert.so \ > libstrongswan-aes.so \ > libstrongswan-attr.so \ > libstrongswan-cmac.so \ > @@ -247,6 +249,7 @@ STRONGSWAN_PLUGINS := \ > libstrongswan-hmac.so \ > libstrongswan-kdf.so \ > libstrongswan-kernel-netlink.so \ > + libstrongswan-mgf1.so \ > libstrongswan-nonce.so \ > libstrongswan-pem.so \ > libstrongswan-pgp.so \ > -- > 2.38.1 > > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Thanks, applied as 4b88e91e28e84a77e55237b1c3f2053de9fa8869.
Michael
[sent from post-receive hook]
On Thu, 15 Dec 2022 08:34:52 +0100, Lars Pedersen <lapeddk@gmail.com> wrote:
> The default strongswan.conf loads plugins via
> strongswan.d/charon/*.conf files.
>
> Signed-off-by: Lars Pedersen <lapeddk@gmail.com>
> Message-Id: <20221205085644.221422-1-lapeddk@gmail.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>
> diff --git a/rules/strongswan.make b/rules/strongswan.make
> index 99f2fae74143..07a7ade73748 100644
> --- a/rules/strongswan.make
> +++ b/rules/strongswan.make
> @@ -312,7 +312,6 @@ endif
>
> ifdef PTXCONF_STRONGSWAN_SWANCTL
> @$(call install_lib, strongswan, 0, 0, 0644, libvici)
> - @$(call install_tree, strongswan, 0, 0, -, /etc/strongswan.d)
> @$(call install_alternative, strongswan, 0, 0, 0644, /etc/swanctl/swanctl.conf)
> @$(call install_copy, strongswan, 0, 0, 0750, /etc/swanctl/bliss)
> @$(call install_copy, strongswan, 0, 0, 0750, /etc/swanctl/ecdsa)
> @@ -329,6 +328,7 @@ ifdef PTXCONF_STRONGSWAN_SWANCTL
> @$(call install_copy, strongswan, 0, 0, 0755, /etc/swanctl/x509ocsp)
> endif
>
> + @$(call install_tree, strongswan, 0, 0, -, /etc/strongswan.d)
> @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
> @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
> @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)