#!/usr/bin/make -f export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 #export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs export DEB_BUILD_MAINT_OPTIONS=hardening=+all CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ --enable-ldap --enable-curl \ --enable-pkcs11 \ --enable-mediation --enable-medsrv --enable-medcli \ --enable-openssl --enable-agent \ --enable-ctr --enable-ccm --enable-gcm --enable-addrblock \ --enable-eap-radius --enable-eap-identity --enable-eap-md5 \ --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \ --enable-eap-tls --enable-eap-ttls --enable-eap-tnc \ --enable-ha \ --enable-led --enable-gcrypt \ --enable-test-vectors \ --enable-xauth-eap --enable-xauth-pam \ --enable-cmd \ --enable-certexpire \ --enable-lookip \ --enable-error-notify \ --enable-unity \ --disable-blowfish --disable-des # BSD-Young license #--with-user=strongswan --with-group=nogroup # --enable-kernel-pfkey --enable-kernel-klips \ # And for --enable-eap-sim we would need the library, which we don't # have right now. # Don't --enable-cisco-quirks, because some other IPsec implementations # (most notably the Phion one) have problems connecting when pluto # sends these Cisco options. # the padlock plugin only makes sense on i386 # RdRand only makes sense on i386 and amd64 DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU) ifeq ($(DEB_BUILD_ARCH_CPU),i386) CONFIGUREARGS += --enable-padlock --enable-rdrand endif ifeq ($(DEB_BUILD_ARCH_CPU),amd64) CONFIGUREARGS += --enable-rdrand endif ifeq ($(DEB_BUILD_ARCH_OS),linux) # only enable network-manager and capabilities dropping on linux hosts # some plugins are linux-only too CONFIGUREARGS += --enable-nm \ --with-capabilities=libcap \ --enable-farp \ --enable-dhcp \ --enable-af-alg endif ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd) # recommended configure line for FreeBSD # http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD CONFIGUREARGS += --disable-kernel-netlink \ --enable-kernel-pfkey --enable-kernel-pfroute \ --with-group=wheel endif override_dh_auto_configure: dh_auto_configure -- $(CONFIGUREARGS) override_dh_auto_clean: dh_auto_clean # after a make clean, no binaries _should_ be left, but .... -find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm # Really clean (#356716) # This is a hack: should be better implemented rm -f lib/libstrongswan/libstrongswan.a || true rm -f lib/libstrongswan/liboswlog.a || true # just in case something went wrong rm -f $(CURDIR)/debian/ipsec.secrets # and make sure that template are up-to-date debconf-updatepo override_dh_install: # first special cases ifeq ($(DEB_BUILD_ARCH_OS),linux) # handle Linux-only plugins dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-dhcp.so dh_install -p libcharon-extra-plugins usr/share/strongswan/templates/config/plugins/dhcp.conf dh_install -p libcharon-extra-plugins etc/strongswan.d/charon/dhcp.conf dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-farp.so dh_install -p libcharon-extra-plugins usr/share/strongswan/templates/config/plugins/farp.conf dh_install -p libcharon-extra-plugins etc/strongswan.d/charon/farp.conf dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so dh_install -p libstrongswan usr/share/strongswan/templates/config/plugins/kernel-netlink.conf dh_install -p libstrongswan etc/strongswan.d/charon/kernel-netlink.conf dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-af-alg.so dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/af-alg.conf dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/af-alg.conf endif ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd) # handle FreeBSD-only plugins dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so dh_install -p libstrongswan usr/share/strongswan/templates/config/plugins/kernel-pfkey.conf dh_install -p libstrongswan etc/strongswan.d/charon/kernel-pfkey.conf dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfroute.so dh_install -p libstrongswan usr/share/strongswan/templates/config/plugins/kernel-pfroute.conf dh_install -p libstrongswan etc/strongswan.d/charon/kernel-pfroute.conf endif ifeq ($(DEB_BUILD_ARCH_CPU),i386) # special handling for padlock, as it is only built on i386 dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-padlock.so dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/padlock.conf dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/padlock.conf dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/rdrand.conf dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/rdrand.conf endif ifeq ($(DEB_BUILD_ARCH_CPU), amd64) dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/rdrand.conf dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/rdrand.conf endif # then install the rest, ignoring the above dh_install --fail-missing \ -X\.la -X\.a \ -Xmedsrv -Xman3 \ -Xlibstrongswan-kernel- -X kernel- \ -Xlibstrongswan-dhcp.so -X dhcp.conf \ -Xlibstrongswan-farp.so -X farp.conf \ -Xlibstrongswan-padlock.so -X padlock.conf \ -Xlibstrongswan-rdrand.so -X rdrand.conf \ -Xlibstrongswan-af-alg.so -X af-alg.conf # add additional files not covered by upstream makefile... install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets # also "patch" ipsec.conf to include the debconf-managed file echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf # and to enable both IKEv1 and IKEv2 by default sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf # set permissions on ipsec.secrets chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/ chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/ # this is handled by update-rc.d rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d # delete var/lock/subsys and var/run to satisfy lintian rm -rf $(CURDIR)/debian/openswan/var/lock rm -rf $(CURDIR)/debian/openswan/var/run # more lintian cleanups find $(CURDIR)/debian/*strongswan*/ -name ".cvsignore" | xargs --no-run-if-empty rm -f find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf override_dh_installinit: dh_installinit -n --name=ipsec override_dh_installchangelogs: dh_installchangelogs NEWS override_dh_strip: dh_strip --dbg-package=strongswan-dbg override_dh_fixperms: dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan override_dh_makeshlibs: dh_makeshlibs -n -X usr/lib/ipsec/plugins override_dh_installlogcheck: dh_installlogcheck --name strongswan %: dh $@ --parallel --with autoreconf