1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
#!/usr/bin/make -f
export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1
#export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs
export DEB_BUILD_MAINT_OPTIONS=hardening=+all
CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
--enable-ldap --enable-curl \
--enable-pkcs11 \
--enable-mediation --enable-medsrv --enable-medcli \
--enable-openssl --enable-agent \
--enable-ctr --enable-ccm --enable-gcm --enable-addrblock \
--enable-eap-radius --enable-eap-identity --enable-eap-md5 \
--enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
--enable-eap-tls --enable-eap-ttls --enable-eap-tnc \
--enable-sql --enable-integrity-test \
--enable-ha \
--enable-led --enable-gcrypt \
--enable-test-vectors \
--enable-xauth-eap --enable-xauth-pam \
--enable-attr-sql \
--disable-blowfish --disable-des # BSD-Young license
#--with-user=strongswan --with-group=nogroup
# --enable-kernel-pfkey --enable-kernel-klips \
# And for --enable-eap-sim we would need the library, which we don't
# have right now.
# Don't --enable-cisco-quirks, because some other IPsec implementations
# (most notably the Phion one) have problems connecting when pluto
# sends these Cisco options.
# the padlock plugin only makes sense on i386
# RdRand only makes sense on i386 and amd64
DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
CONFIGUREARGS += --enable-padlock --enable-rdrand
endif
ifeq ($(DEB_BUILD_ARCH_CPU),amd64)
CONFIGUREARGS += --enable-rdrand
endif
ifeq ($(DEB_BUILD_ARCH_OS),linux)
# only enable network-manager and capabilities dropping on linux hosts
# some plugins are linux-only too
CONFIGUREARGS += --enable-nm \
--with-capabilities=libcap \
--enable-farp \
--enable-dhcp
endif
ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
# recommended configure line for FreeBSD
# http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD
CONFIGUREARGS += --disable-kernel-netlink \
--enable-kernel-pfkey --enable-kernel-pfroute \
--with-group=wheel
endif
override_dh_auto_configure:
dh_auto_configure -- $(CONFIGUREARGS)
override_dh_auto_clean:
dh_auto_clean
# after a make clean, no binaries _should_ be left, but ....
-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm
# Really clean (#356716)
# This is a hack: should be better implemented
rm -f lib/libstrongswan/libstrongswan.a || true
rm -f lib/libstrongswan/liboswlog.a || true
# just in case something went wrong
rm -f $(CURDIR)/debian/ipsec.secrets
# and make sure that template are up-to-date
debconf-updatepo
override_dh_install:
# first special cases
ifeq ($(DEB_BUILD_ARCH_OS),linux)
# handle Linux-only plugins
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-dhcp.so
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-farp.so
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
endif
ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
# handle FreeBSD-only plugins
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfroute.so
endif
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
# special handling for padlock, as it is only built on i386
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-padlock.so
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
endif
ifeq ($(DEB_BUILD_ARCH_CPU), amd64)
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
endif
# then install the rest, ignoring the above
dh_install --fail-missing \
-X\.la -X\.a \
-Xmedsrv -Xman3 \
-Xlibstrongswan-kernel \
-Xlibstrongswan-dhcp.so \
-Xlibstrongswan-farp.so \
-Xlibstrongswan-padlock.so \
-Xlibstrongswan-rdrand.so
# add additional files not covered by upstream makefile...
install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
# also "patch" ipsec.conf to include the debconf-managed file
echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
# and to enable both IKEv1 and IKEv2 by default
sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
# set permissions on ipsec.secrets
chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/
# this is handled by update-rc.d
rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d
# delete var/lock/subsys and var/run to satisfy lintian
rm -rf $(CURDIR)/debian/openswan/var/lock
rm -rf $(CURDIR)/debian/openswan/var/run
# more lintian cleanups
find $(CURDIR)/debian/*strongswan*/ -name ".cvsignore" | xargs --no-run-if-empty rm -f
find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf
override_dh_installinit:
dh_installinit -n --name=ipsec
override_dh_installchangelogs:
dh_installchangelogs NEWS
override_dh_strip:
dh_strip --dbg-package=strongswan-dbg
override_dh_fixperms:
dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan
override_dh_makeshlibs:
dh_makeshlibs -n -X usr/lib/ipsec/plugins
override_dh_installlogcheck:
dh_installlogcheck --name strongswan
%:
dh $@ --parallel --with autoreconf
|