summaryrefslogtreecommitdiff
path: root/debian/rules
blob: c76816404022787f0509ee6e35c1a682cc7f3b12 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
#!/usr/bin/make -f
export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1
#export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs
export DEB_BUILD_MAINT_OPTIONS=hardening=+all

CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
		--enable-ldap --enable-curl \
		--enable-pkcs11 \
		--enable-mediation --enable-medsrv --enable-medcli \
		--enable-openssl --enable-agent \
		--enable-ctr --enable-ccm --enable-gcm --enable-addrblock \
		--enable-eap-radius --enable-eap-identity --enable-eap-md5 \
		--enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
		--enable-eap-tls --enable-eap-ttls --enable-eap-tnc \
		--enable-sql --enable-integrity-test \
		--enable-ha \
		--enable-led --enable-gcrypt \
		--enable-test-vectors \
		--enable-xauth-eap --enable-xauth-pam \
		--enable-attr-sql \
		--enable-rdrand \
		--disable-blowfish --disable-des # BSD-Young license
	#--with-user=strongswan --with-group=nogroup
	#	--enable-kernel-pfkey --enable-kernel-klips \
	# And for --enable-eap-sim we would need the library, which we don't
	# have right now.
	# Don't --enable-cisco-quirks, because some other IPsec implementations
	# (most notably the Phion one) have problems connecting when pluto 
	# sends these Cisco options.

# the padlock plugin only makes sense on i386 
# but it actually doesn't do much, so maybe we don't need it
DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
  CONFIGUREARGS += --enable-padlock
endif

ifeq ($(DEB_BUILD_ARCH_OS),linux)
	# only enable network-manager and capabilities dropping on linux hosts
	# some plugins are linux-only too
	CONFIGUREARGS += --enable-nm \
		--with-capabilities=libcap \
		--enable-farp \
		--enable-dhcp
endif

ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
	# recommended configure line for FreeBSD
	# http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD
	CONFIGUREARGS += --disable-kernel-netlink \
		--enable-kernel-pfkey --enable-kernel-pfroute \
		--with-group=wheel
endif

override_dh_auto_configure:
	dh_auto_configure -- $(CONFIGUREARGS)

override_dh_auto_clean:
	dh_auto_clean
	# after a make clean, no binaries _should_ be left, but ....
	-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm

	# Really clean (#356716)
	# This is a hack: should be better implemented
	rm -f lib/libstrongswan/libstrongswan.a || true
	rm -f lib/libstrongswan/liboswlog.a || true

	# just in case something went wrong
	rm -f $(CURDIR)/debian/ipsec.secrets
	
	# and make sure that template are up-to-date
	debconf-updatepo


override_dh_install:

	# first special cases
ifeq ($(DEB_BUILD_ARCH_OS),linux)
	# handle Linux-only plugins
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-dhcp.so
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-farp.so
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
endif

ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
	# handle FreeBSD-only plugins
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfroute.so
endif

ifeq ($(DEB_BUILD_ARCH_CPU),i386)
	# special handling for padlock, as it is only built on i386
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-padlock.so
endif

	# then install the rest, ignoring the above
	dh_install --fail-missing \
		-X\.la -X\.a \
		-Xmedsrv -Xman3 \
		-Xlibstrongswan-kernel \
		-Xlibstrongswan-dhcp.so \
		-Xlibstrongswan-farp.so \
	 	-Xlibstrongswan-padlock.so

	# add additional files not covered by upstream makefile...
	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
	# also "patch" ipsec.conf to include the debconf-managed file
	echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
	echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
	# and to enable both IKEv1 and IKEv2 by default
	sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
	mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf

	# set permissions on ipsec.secrets
	chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
	chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
	chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/

	# this is handled by update-rc.d
	rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d

	# delete var/lock/subsys and var/run to satisfy lintian
	rm -rf $(CURDIR)/debian/openswan/var/lock
	rm -rf $(CURDIR)/debian/openswan/var/run

	# more lintian cleanups
	find $(CURDIR)/debian/*strongswan*/ -name ".cvsignore" | xargs --no-run-if-empty rm -f
	find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf

override_dh_installinit:
	dh_installinit -n --name=ipsec

override_dh_installchangelogs:
	dh_installchangelogs NEWS

override_dh_strip:
	dh_strip --dbg-package=strongswan-dbg

override_dh_fixperms:
	dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan

override_dh_makeshlibs:
	dh_makeshlibs -n -X usr/lib/ipsec/plugins

override_dh_installlogcheck:
	dh_installlogcheck --name strongswan

%:
	dh $@ --parallel