On Mon, Jan 13, 2020 at 01:55:12PM +0100, Lars Pedersen wrote:
> Add swanctl support which replaces the old starter, ipsec and stroke
> backend. Swanctl is only tested with systemd.
> https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
> 
> Signed-off-by: Lars Pedersen <lape...@gmail.com>
> ---
> v3:
> - Removed unnecessary configuration options
> - Install/enable strongswan systemd service if systemd is used
> - Use install_alternative for conf.d folder and swanctl.conf
> - Enabling swanctl installs default folder structure like fedora
> 
> v2:
> - Install_lib and plugins installed like before
> - Set rpath to /usr/lib/plugins
> - Add license_files field
> 
>  rules/strongswan.in   |  9 +++++--
>  rules/strongswan.make | 59 +++++++++++++++++++++++++++++++++----------
>  2 files changed, 52 insertions(+), 16 deletions(-)
> 
> diff --git a/rules/strongswan.in b/rules/strongswan.in
> index d0e660c57..8b1adff65 100644
> --- a/rules/strongswan.in
> +++ b/rules/strongswan.in
> @@ -49,9 +49,14 @@ config STRONGSWAN_AFALG
>  config STRONGSWAN_SYSTEMD_UNIT
>       bool
>       default y
> -     # uses old systemd-daemon / libsystemd-journal libs
> -     depends on BROKEN
>       depends on INITMETHOD_SYSTEMD
>       prompt "install systemd service file"
>  
> +config STRONGSWAN_SWANCTL
> +     bool
> +     prompt "Use swanctl for configuration"
> +     help
> +       Swanctl is a new, portable command line utility to configure,
> +       control and monitor the IKE daemon charon using the vici interface.
> +
>  endif
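Review bot: STRONGSWAN_SWANCTL can be selected without STRONGSWAN_SYSTEMD_UNIT, yet rules/strongswan.make in this patch turns off the classic daemon whenever it is set (`--$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon`) and builds the systemd variant only from STRONGSWAN_SYSTEMD_UNIT. On a non-systemd init method that combination appears to leave the image with swanctl but no IKE daemon for it to talk to. Since the description says swanctl is only tested with systemd, the new entry could state that in Kconfig by adding `depends on STRONGSWAN_SYSTEMD_UNIT` under `bool`.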
> diff --git a/rules/strongswan.make b/rules/strongswan.make
> index 90db7bef7..1bf78b2b0 100644
> --- a/rules/strongswan.make
> +++ b/rules/strongswan.make
> @@ -15,14 +15,17 @@ PACKAGES-$(PTXCONF_STRONGSWAN) += strongswan
>  #
>  # Paths and names
>  #
> -STRONGSWAN_VERSION   := 5.6.1
> -STRONGSWAN_MD5               := cb2241f1b96c524cd15b1c0f50ed9a27
> +STRONGSWAN_VERSION   := 5.8.2
> +STRONGSWAN_MD5               := d94eac2caed51b0cc776e5887b10bace
>  STRONGSWAN           := strongswan-$(STRONGSWAN_VERSION)
>  STRONGSWAN_SUFFIX    := tar.bz2
>  STRONGSWAN_URL               := 
> https://download.strongswan.org/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
>  STRONGSWAN_SOURCE    := $(SRCDIR)/$(STRONGSWAN).$(STRONGSWAN_SUFFIX)
>  STRONGSWAN_DIR               := $(BUILDDIR)/$(STRONGSWAN)
>  STRONGSWAN_LICENSE   := GPL
> +STRONGSWAN_LICENSE_FILES     := \
> +     file://LICENSE;md5=7744b64eaadabebdfd17e8a5ae6c9855 \
> +     file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263
>  
>  # 
> ----------------------------------------------------------------------------
>  # Prepare
> @@ -36,11 +39,13 @@ STRONGSWAN_CONF_OPT       := \
>       --$(call ptx/endis, PTXCONF_STRONGSWAN_AFALG)-af-alg \
>       --disable-bliss \
>       --disable-blowfish \
> +     --disable-botan \
>       --disable-ccm \
>       --disable-chapoly \
>       --enable-cmac \
>       --disable-ctr \
>       --disable-des \
> +     --disable-drbg \
>       --enable-fips-prf \
>       --enable-gcm \
>       --disable-gcrypt \
> @@ -54,6 +59,7 @@ STRONGSWAN_CONF_OPT := \
>       --enable-nonce \
>       --disable-ntru \
>       --$(call ptx/endis, PTXCONF_STRONGSWAN_OPENSSL)-openssl \
> +     --disable-wolfssl \
>       --disable-padlock \
>       --enable-random \
>       --disable-rc2 \
> @@ -126,11 +132,11 @@ STRONGSWAN_CONF_OPT     := \
>       --enable-socket-default \
>       --disable-socket-dynamic \
>       --disable-socket-win \
> -     --enable-stroke \
> +     --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-stroke \
>       --disable-smp \
>       --disable-sql \
>       --disable-uci \
> -     --disable-vici \
> +     --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-vici \
>       --disable-android-dns \
>       --enable-attr \
>       --disable-attr-sql \
> @@ -147,8 +153,6 @@ STRONGSWAN_CONF_OPT       := \
>       --disable-imv-os \
>       --disable-imc-attestation \
>       --disable-imv-attestation \
> -     --disable-imc-swid \
> -     --disable-imv-swid \
>       --disable-imc-swima \
>       --disable-imv-swima \
>       --disable-imc-hcd \
> @@ -174,14 +178,14 @@ STRONGSWAN_CONF_OPT     := \
>       --disable-load-tester \
>       --disable-lookip \
>       --disable-radattr \
> +     --disable-save-keys \
>       --disable-systime-fix \
>       --disable-test-vectors \
>       --enable-updown \
>       --disable-aikgen \
> -     --enable-charon \
> +     --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-charon \
>       --disable-cmd \
>       --disable-conftest \
> -     --disable-dumm \
>       --disable-fast \
>       --disable-fuzzing \
>       --disable-libipsec \
> @@ -190,11 +194,10 @@ STRONGSWAN_CONF_OPT     := \
>       --disable-medsrv \
>       --disable-nm \
>       --enable-pki \
> -     --enable-scepclient \
> +     --$(call ptx/disen, PTXCONF_STRONGSWAN_SWANCTL)-scepclient \
>       --enable-scripts \
>       --disable-svc \
>       --$(call ptx/endis, PTXCONF_STRONGSWAN_SYSTEMD_UNIT)-systemd \
> -     --disable-swanctl \
>       --disable-tkm \
>       --disable-bfd-backtraces \
>       --disable-dbghelp-backtraces \
> @@ -220,9 +223,12 @@ STRONGSWAN_CONF_OPT      := \
>       --disable-defaults \
>       --enable-dependency-tracking \
>       --enable-shared \
> +     --$(call ptx/endis, PTXCONF_STRONGSWAN_SWANCTL)-swanctl \
>       --with-ipseclibdir=/usr/lib \
>       --with-systemdsystemunitdir=/usr/lib/systemd/system
>  
> +STRONGSWAN_LDFLAGS   := -Wl,-rpath,/usr/lib/plugins
> +
>  # 
> ----------------------------------------------------------------------------
>  # Target-Install
>  # 
> ----------------------------------------------------------------------------
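Review bot: The new `STRONGSWAN_LDFLAGS := -Wl,-rpath,/usr/lib/plugins` line has no comment saying which binary or library fails to resolve without it; the changelog only records "Set rpath to /usr/lib/plugins". An rpath entry is consulted by the loader for every dependency of the objects linked with it, so the line should name the reason and the requirement on the directory, for example `# rpath: <binary> links against <library> in /usr/lib/plugins; directory must stay root-owned and not group/world-writable` (placeholders to be filled in by the author). If only one object needs it, passing the flag to that object alone would be narrower than the package-wide LDFLAGS, though whether the build allows that is not visible here.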
> @@ -251,12 +257,17 @@ STRONGSWAN_PLUGINS := \
>       libstrongswan-sha1.so \
>       libstrongswan-sha2.so \
>       libstrongswan-socket-default.so \
> -     libstrongswan-stroke.so \
>       libstrongswan-updown.so \
>       libstrongswan-x509.so \
>       libstrongswan-xauth-generic.so \
>       libstrongswan-xcbc.so
>  
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> +     STRONGSWAN_PLUGINS += libstrongswan-vici.so
> +else
> +     STRONGSWAN_PLUGINS += libstrongswan-stroke.so
> +endif
> +
>  ifdef PTXCONF_STRONGSWAN_LIBCURL
>       STRONGSWAN_PLUGINS += libstrongswan-curl.so
>  endif
> @@ -278,9 +289,9 @@ $(STATEDIR)/strongswan.targetinstall:
>  
>       @$(call install_alternative, strongswan, 0, 0, 0644, 
> /etc/strongswan.conf)
>  
> -     @$(call install_copy, strongswan, 0, 0, 0755, -, /usr/sbin/ipsec)
> -
> -     @$(call install_tree, strongswan, 0, 0, -, /usr/libexec/ipsec)
> +     @$(call install_tree, strongswan, 0, 0, -, /usr/bin)
> +     @$(call install_tree, strongswan, 0, 0, -, /usr/libexec)
> +     @$(call install_tree, strongswan, 0, 0, -, /usr/sbin)
>  
>       @$(call install_lib, strongswan, 0, 0, 0644, libcharon)
>       @$(call install_lib, strongswan, 0, 0, 0644, libstrongswan)
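Review bot: The three new `install_tree` lines copy everything the build placed under `/usr/bin`, `/usr/libexec` and `/usr/sbin`, with modes taken from the build (`-`), where the old recipe named `/usr/sbin/ipsec` with an explicit 0755. The set of executables on the target now follows the configure options instead of a reviewed list, so a later `--enable-*` change adds binaries to the image without touching this recipe. A short comment listing what is expected in each tree, or explicit `install_copy` lines for the swanctl and non-swanctl cases, would keep the installed set auditable. The targetinstall recipe begins and continues outside this hunk.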
> @@ -296,6 +307,26 @@ ifdef PTXCONF_STRONGSWAN_SYSTEMD_UNIT
>               
> /usr/lib/systemd/system/multi-user.target.wants/strongswan.service)
>  endif
>  
> +ifdef PTXCONF_STRONGSWAN_SWANCTL
> +     @$(call install_lib, strongswan, 0, 0, 0644, libvici)
> +     @$(call install_tree, strongswan, 0, 0, -, /etc/strongswan.d)
> +     @$(call install_alternative, strongswan, 0, 0, 0644, 
> /etc/swanctl/swanctl.conf)
> +     @$(call install_alternative, strongswan, 0, 0, 750, /etc/swanctl/conf.d)

/etc/swanctl/conf.d does not exist here. From the naming, I expect this to
be a directory to extend swanctl.conf. If that is the case, then just
remove this here.
If someone needs this instead of overwriting swanctl.conf, then an
auxiliary package can be used.

I can do a local fixup, if this is ok with you. No need to resend.

Michael

> +     @$(call install_copy, strongswan, 0, 0, 750, /etc/swanctl/bliss)
> +     @$(call install_copy, strongswan, 0, 0, 750, /etc/swanctl/ecdsa)
> +     @$(call install_copy, strongswan, 0, 0, 750, /etc/swanctl/pkcs12)
> +     @$(call install_copy, strongswan, 0, 0, 750, /etc/swanctl/pkcs8)
> +     @$(call install_copy, strongswan, 0, 0, 750, /etc/swanctl/private)
> +     @$(call install_copy, strongswan, 0, 0, 755, /etc/swanctl/pubkey)
> +     @$(call install_copy, strongswan, 0, 0, 750, /etc/swanctl/rsa)
> +     @$(call install_copy, strongswan, 0, 0, 755, /etc/swanctl/x509)
> +     @$(call install_copy, strongswan, 0, 0, 755, /etc/swanctl/x509aa)
> +     @$(call install_copy, strongswan, 0, 0, 755, /etc/swanctl/x509ac)
> +     @$(call install_copy, strongswan, 0, 0, 755, /etc/swanctl/x509ca)
> +     @$(call install_copy, strongswan, 0, 0, 755, /etc/swanctl/x509crl)
> +     @$(call install_copy, strongswan, 0, 0, 755, /etc/swanctl/x509ocsp)
> +endif
> +
>       @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/aacerts)
>       @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/acerts)
>       @$(call install_copy, strongswan, 0, 0, 0644, /etc/ipsec.d/cacerts)
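Review bot: `/etc/swanctl/swanctl.conf` is installed world-readable (0644), although swanctl.conf can carry a `secrets` section with pre-shared keys and EAP/XAuth passwords, and the key directories beside it get 750. Installing it as `@$(call install_alternative, strongswan, 0, 0, 0640, /etc/swanctl/swanctl.conf)` keeps inline credentials away from unprivileged users on the target. The new modes are also written `750`/`755`, where the rest of the recipe uses a leading zero (`0644`); `0750`/`0755` would be consistent. The targetinstall recipe starts and ends outside this hunk.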
> -- 
> 2.24.1
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
