1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
#!/usr/bin/make -f
#export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs
export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow
CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-ldap --enable-curl \
--with-capabilities=libcap \
--enable-smartcard --enable-pkcs11 \
--with-default-pkcs11=/usr/lib/$(DEB_HOST_MULTIARCH)/opensc-pkcs11.so \
--enable-mediation --enable-medsrv --enable-medcli \
--enable-openssl --enable-agent \
--enable-ctr --enable-ccm --enable-gcm --enable-addrblock \
--enable-eap-radius --enable-eap-identity --enable-eap-md5 \
--enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
--enable-eap-tls --enable-eap-ttls --enable-eap-tnc \
--enable-sql --enable-integrity-test \
--enable-ha --enable-dhcp --enable-farp \
--enable-led \
--enable-test-vectors --enable-nat-transport \
--enable-nm \
--disable-blowfish --disable-des # BSD-Young license
# --with-user=strongswan --with-group=nogroup \
# --enable-kernel-pfkey --enable-kernel-klips \
# And for --enable-eap-sim we would need the library, which we don't
# have right now.
# Don't --enable-cisco-quirks, because some other IPsec implementations
# (most notably the Phion one) have problems connecting when pluto
# sends these Cisco options.
# the padlock plugin only makes sense on i386
# but it actually doesn't do much, so maybe we don't need it
DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
CONFIGUREARGS += --enable-padlock
endif
override_dh_auto_configure:
dh_auto_configure -- $(CONFIGUREARGS)
override_dh_auto_clean:
dh_auto_clean
# after a make clean, no binaries _should_ be left, but ....
-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm
# Really clean (#356716)
# This is a hack: should be better implemented
rm -f lib/libstrongswan/libstrongswan.a || true
rm -f lib/libstrongswan/liboswlog.a || true
# just in case something went wrong
rm -f $(CURDIR)/debian/ipsec.secrets
# and make sure that template are up-to-date
debconf-updatepo
override_dh_install:
# install files from debian/tmp into proper package dirs
dh_install --fail-missing -X\.la -X\.a -Xmedsrv -Xman3 -Xlibstrongswan-padlock.so
# special handling for padlock, as it is only built on i386
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
install $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-padlock.so* $(CURDIR)/debian/libstrongswan/usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/
endif
# add additional files not covered by upstream makefile...
install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
# also "patch" ipsec.conf to include the debconf-managed file
echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
# and to enable both IKEv1 and IKEv2 by default
sed -r 's/^[ \t]+# *plutostart=(yes|no) */\tplutostart=yes/;s/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
# set permissions on ipsec.secrets
chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/
# this is handled by update-rc.d
rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d
# delete var/lock/subsys and var/run to satisfy lintian
rm -rf $(CURDIR)/debian/openswan/var/lock
rm -rf $(CURDIR)/debian/openswan/var/run
# the logcheck ignore files
install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.paranoid $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.paranoid/strongswan
install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.server/strongswan
install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.workstation/strongswan
install -D --mode=0600 $(CURDIR)/debian/logcheck.violations.ignore $(CURDIR)/debian/libstrongswan/etc/logcheck/violations.ignore.d/strongswan
# more lintian cleanups
find $(CURDIR)/debian/*strongswan*/ -name ".cvsignore" | xargs --no-run-if-empty rm -f
find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf
override_dh_installinit:
dh_installinit -n --name=ipsec
override_dh_installchangelogs:
dh_installchangelogs NEWS
override_dh_strip:
dh_strip --dbg-package=strongswan-dbg
override_dh_fixperms:
dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan
override_dh_makeshlibs:
dh_makeshlibs -n -X usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins
%:
dh $@ --parallel
|