summaryrefslogtreecommitdiff
path: root/debian/rules
blob: d2d7702f9b527b13ed5003dca7461aafccacc365 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
#!/usr/bin/make -f
# Sample debian/rules that uses debhelper.
# GNU copyright 1997 to 1999 by Joey Hess.

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

export DH_OPTIONS

# this is a security-critical package, set all the options we can
export DEB_BUILD_HARDENING=1

CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
		--libexecdir=/usr/lib \
		--enable-http --enable-ldap \
		--enable-nonblocking --enable-thread \
		--enable-smartcard --enable-cisco-quirks \
		--with-default-pkcs11=/usr/lib/opensc-pkcs11.so \
		--enable-xml \
		--enable-p2p --enable-manager \
		--enable-openssl
	# Could enable --enable-nat-transport, but this is actually insecure,
	# so don't!
	# And for --enable-eap-sim we would need the library, which we don't
	# have right now.

DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)

#the padlock plugin only makes sense on i386 
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
  CONFIGUREARGS += --enable-padlock
endif


configure: configure-stamp
configure-stamp: patch
	dh_testdir
	# Add here commands to configure the package.
	./configure $(CONFIGUREARGS)

	touch configure-stamp

patch:
	dh_testdir
	dpatch apply-all

unpatch:
	dpatch deapply-all

build: build-stamp
build-stamp: configure-stamp
	$(MAKE)

	touch build-stamp

clean: unpatch
	dh_testdir
	dh_testroot
	rm -f build-stamp configure-stamp

	-$(MAKE) clean
	#-$(MAKE) -C programs/fswcert/ clean
	# after a make clean, no binaries _should_ be left, but ....
	-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm
	-find $(CURDIR)/lib/libcrypto -name "*.a" | xargs --no-run-if-empty rm

	# Really clean (#356716)
	# This is a hack: should be better implemented
	rm -f lib/libstrongswan/libstrongswan.a || true
	rm -f lib/libstrongswan/liboswlog.a || true

	# just in case something went wrong
	rm -f $(CURDIR)/debian/ipsec.secrets
	
	# and make sure that template are up-to-date
	debconf-updatepo

	dh_clean

install-strongswan: DH_OPTIONS=-a
install-strongswan: build-stamp
	dh_testdir
	dh_testroot
	dh_installdirs

	# Add here commands to install the package into debian/tmp.
	$(MAKE) install DESTDIR=$(CURDIR)/debian/strongswan
	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan/etc/ipsec.secrets
	# also "patch" ipsec.conf to include the debconf-managed file
	echo >> $(CURDIR)/debian/strongswan/etc/ipsec.conf
	echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan/etc/ipsec.conf
	# and to enable both IKEv1 and IKEv2 by default
	sed -r 's/^[ \t]+# *plutostart=(yes|no) */\tplutostart=yes/;s/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan/etc/ipsec.conf > $(CURDIR)/debian/strongswan/etc/ipsec.conf.tmp
	mv $(CURDIR)/debian/strongswan/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan/etc/ipsec.conf

	# this is handled by update-rc.d
	rm -rf $(CURDIR)/debian/strongswan/etc/rc?.d

	dh_installdocs -pstrongswan -n
	# change the paths in the installed doc files (but only in regular 
	# files, not in links to the outside of the build tree !)
	# TODO: check if we still need this
	( cd $(CURDIR)/debian/strongswan/; \
	  for f in `grep "/usr/local/" --recursive --files-with-match *`; \
	  do \
		if [ -f $$f -a ! -L $$f ]; then \
		    cp $$f $$f.old; \
 		    sed 's/\/usr\/local\//\/usr\//' $$f.old > $$f; \
		    rm $$f.old; \
		fi; \
	  done )

	# the logcheck ignore files
	install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.paranoid $(CURDIR)/debian/strongswan/etc/logcheck/ignore.d.paranoid/strongswan
	install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/strongswan/etc/logcheck/ignore.d.server/strongswan
	install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/strongswan/etc/logcheck/ignore.d.workstation/strongswan
	install -D --mode=0600 $(CURDIR)/debian/logcheck.violations.ignore $(CURDIR)/debian/strongswan/etc/logcheck/violations.ignore.d/strongswan

	# set permissions on ipsec.secrets
	chmod 600 $(CURDIR)/debian/strongswan/etc/ipsec.secrets
	#chmod 644 $(CURDIR)/debian/strongswan/etc/ipsec.conf
	chmod 700 -R $(CURDIR)/debian/strongswan/etc/ipsec.d/private/
	# don't know why they come with +x set by default...
	#chmod 644 $(CURDIR)/debian/strongswan/etc/ipsec.d/policies/*
	#chmod 644 $(CURDIR)/debian/strongswan/etc/ipsec.d/examples/*

	# more lintian cleanups
	find $(CURDIR)/debian/strongswan -name ".cvsignore" | xargs --no-run-if-empty rm -f
	find $(CURDIR)/debian/strongswan -name "/.svn/" | xargs --no-run-if-empty rm -rf

	# and lintian overrides
	install --mode=0644 $(CURDIR)/debian/strongswan.lintian-overrides $(CURDIR)/debian/strongswan/usr/share/lintian/overrides/strongswan

binary-common:
	dh_testdir
	dh_testroot
	dh_installinit --name=ipsec
	dh_installdebconf
	dh_installchangelogs NEWS
	dh_link
	dh_strip
	dh_compress
	dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d
	dh_makeshlibs
	dh_installdeb
	dh_shlibdeps
	dh_gencontrol
	dh_md5sums
	dh_builddeb

# Build architecture-independent files here.
binary-indep: 
	$(MAKE) -f debian/rules binary-common DH_OPTIONS=-i

# Build architecture-dependent files here.
binary-arch: install-strongswan
	$(MAKE) -f debian/rules binary-common DH_OPTIONS=-a

# Any other binary targets build just one binary package at a time.
binary-%: build-stamp install-strongswan
	make -f debian/rules binary-common DH_OPTIONS=-p$*

binary: binary-indep binary-arch
.PHONY: clean binary-indep binary-arch