From fe149bbb3689c3ed83eddfec46c9a54e86308cb9 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 31 Mar 2022 09:20:37 +0800 Subject: strongswan: 5.9.4 -> 5.9.5 * Backport a patch to fix the segfault with swanctl: $ /usr/sbin/charon-systemd & $ /usr/sbin/swanctl --load-all --noprompt no files found matching '/etc/swanctl/conf.d/*.conf' no authorities found, 0 unloaded no pools found, 0 unloaded no connections found, 0 unloaded Segmentation fault * Drop fix-funtion-parameter.patch and 0001-memory.h-Include-stdint.h-for-uintptr_t.patch as the issues have been fixed upstream. Signed-off-by: Yi Zhao Signed-off-by: Khem Raj --- ...1-memory.h-Include-stdint.h-for-uintptr_t.patch | 22 --- .../0001-openssl-Don-t-unload-providers.patch | 92 ++++++++++ .../strongswan/files/fix-funtion-parameter.patch | 99 ----------- .../recipes-support/strongswan/strongswan_5.9.4.bb | 187 --------------------- .../recipes-support/strongswan/strongswan_5.9.5.bb | 186 ++++++++++++++++++++ 5 files changed, 278 insertions(+), 308 deletions(-) delete mode 100644 meta-networking/recipes-support/strongswan/files/0001-memory.h-Include-stdint.h-for-uintptr_t.patch create mode 100644 meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch delete mode 100644 meta-networking/recipes-support/strongswan/files/fix-funtion-parameter.patch delete mode 100644 meta-networking/recipes-support/strongswan/strongswan_5.9.4.bb create mode 100644 meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb diff --git a/meta-networking/recipes-support/strongswan/files/0001-memory.h-Include-stdint.h-for-uintptr_t.patch b/meta-networking/recipes-support/strongswan/files/0001-memory.h-Include-stdint.h-for-uintptr_t.patch deleted file mode 100644 index 2d17507b17..0000000000 --- a/meta-networking/recipes-support/strongswan/files/0001-memory.h-Include-stdint.h-for-uintptr_t.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 33a53dc13fd924949a582109b45fedd8d0bed59b Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Tue, 27 Jun 2017 07:42:11 -0700 -Subject: [PATCH] memory.h: Include stdint.h for uintptr_t - -Signed-off-by: Khem Raj - ---- - src/libstrongswan/utils/utils/memory.h | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/src/libstrongswan/utils/utils/memory.h -+++ b/src/libstrongswan/utils/utils/memory.h -@@ -26,6 +26,8 @@ - #include - #endif - -+#include -+ - /** - * Helper function that compares two binary blobs for equality - */ diff --git a/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch b/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch new file mode 100644 index 0000000000..7da48cd2cf --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/0001-openssl-Don-t-unload-providers.patch @@ -0,0 +1,92 @@ +From 3eecd40cec6415fc033f8d9141ab652047e71524 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Wed, 23 Feb 2022 17:29:02 +0100 +Subject: [PATCH] openssl: Don't unload providers + +There is a conflict between atexit() handlers registered by OpenSSL and +some executables (e.g. swanctl or pki) to deinitialize libstrongswan. +Because plugins are usually loaded after atexit() has been called, the +handler registered by OpenSSL will run before our handler. So when the +latter destroys the plugins it's a bad idea to try to access any OpenSSL +objects as they might already be invalid. + +Fixes: f556fce16b60 ("openssl: Load "legacy" provider in OpenSSL 3 for algorithms like MD4, DES etc.") +Closes strongswan/strongswan#921 + +Upstream-Status: Backport +[https://github.com/strongswan/strongswan/commit/3eecd40cec6415fc033f8d9141ab652047e71524] + +Signed-off-by: Yi Zhao +--- + .../plugins/openssl/openssl_plugin.c | 27 +++---------------- + 1 file changed, 3 insertions(+), 24 deletions(-) + +diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c +index 6b4923649..1491d5cf8 100644 +--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c ++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c +@@ -16,7 +16,6 @@ + + #include + #include +-#include + #include + #include + #include +@@ -74,13 +73,6 @@ struct private_openssl_plugin_t { + * public functions + */ + openssl_plugin_t public; +- +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- /** +- * Loaded providers +- */ +- array_t *providers; +-#endif + }; + + /** +@@ -887,15 +879,6 @@ METHOD(plugin_t, get_features, int, + METHOD(plugin_t, destroy, void, + private_openssl_plugin_t *this) + { +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- OSSL_PROVIDER *provider; +- while (array_remove(this->providers, ARRAY_TAIL, &provider)) +- { +- OSSL_PROVIDER_unload(provider); +- } +- array_destroy(this->providers); +-#endif /* OPENSSL_VERSION_NUMBER */ +- + /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we + * can't call it as we couldn't re-initialize the library (as required by the + * unit tests and the Android app) */ +@@ -1009,20 +992,16 @@ plugin_t *openssl_plugin_create() + DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider"); + return NULL; + } +- array_insert_create(&this->providers, ARRAY_TAIL, fips); + /* explicitly load the base provider containing encoding functions */ +- array_insert_create(&this->providers, ARRAY_TAIL, +- OSSL_PROVIDER_load(NULL, "base")); ++ OSSL_PROVIDER_load(NULL, "base"); + } + else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy", + TRUE, lib->ns)) + { + /* load the legacy provider for algorithms like MD4, DES, BF etc. */ +- array_insert_create(&this->providers, ARRAY_TAIL, +- OSSL_PROVIDER_load(NULL, "legacy")); ++ OSSL_PROVIDER_load(NULL, "legacy"); + /* explicitly load the default provider, as mentioned by crypto(7) */ +- array_insert_create(&this->providers, ARRAY_TAIL, +- OSSL_PROVIDER_load(NULL, "default")); ++ OSSL_PROVIDER_load(NULL, "default"); + } + ossl_provider_names_t data = {}; + OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/fix-funtion-parameter.patch b/meta-networking/recipes-support/strongswan/files/fix-funtion-parameter.patch deleted file mode 100644 index 5945507bf1..0000000000 --- a/meta-networking/recipes-support/strongswan/files/fix-funtion-parameter.patch +++ /dev/null @@ -1,99 +0,0 @@ -From 9f97479373f3fceedc471074b81486d77a49618d Mon Sep 17 00:00:00 2001 -From: "Roy.Li" -Date: Tue, 4 Mar 2014 14:38:42 +0800 -Subject: [PATCH] fix the function parameter - -Upstream-Status: Pending - -Original openssl_diffie_hellman_create has three parameters, but -it is reassigned a function pointer which has one parameter, and -is called with one parameter, which will lead to segment fault -on PPC, Now we simply correct the number of parameters. - - #0 0x484d4aa0 in __GI_raise (sig=6) - at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 - #1 0x484d9930 in __GI_abort () at abort.c:91 - #2 0x10002064 in segv_handler (signal=11) at charon.c:224 - #3 - #4 0x48d89630 in openssl_diffie_hellman_create (group=MODP_1024_BIT, g=..., - p=) - at openssl_diffie_hellman.c:143 - #5 0x482c54f8 in create_dh (this=0x11ac6e68, group=MODP_1024_BIT) - at crypto/crypto_factory.c:358 - #6 0x48375884 in create_dh (this=, group=) - at sa/keymat.c:132 - #7 0x483843b8 in process_payloads (this=0x51400a78, message=) - at sa/tasks/ike_init.c:200 - #8 0x483844d0 in process_r (this=0x51400a78, message=0x51500778) - at sa/tasks/ike_init.c:319 - #9 0x48374c9c in process_request (message=0x51500778, this=0x51400d20) - at sa/task_manager.c:870 - #10 process_message (this=0x51400d20, msg=0x51500778) at - sa/task_manager.c:925 - #11 0x4836c378 in process_message (this=0x514005f0, message=0x51500778) - at sa/ike_sa.c:1317 - #12 0x48362270 in execute (this=0x515008d0) - at processing/jobs/process_message_job.c:74 - -Signed-off-by: Roy.Li - ---- - src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 8 +++++++- - src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h | 4 +++- - src/libstrongswan/plugins/openssl/openssl_plugin.c | 1 + - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c -index 8e9c118..a73b038 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c -+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c -@@ -192,7 +192,7 @@ METHOD(diffie_hellman_t, destroy, void, - /* - * Described in header. - */ --openssl_diffie_hellman_t *openssl_diffie_hellman_create( -+openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom( - diffie_hellman_group_t group, ...) - { - private_openssl_diffie_hellman_t *this; -@@ -255,5 +255,11 @@ openssl_diffie_hellman_t *openssl_diffie_hellman_create( - DBG2(DBG_LIB, "size of DH secret exponent: %d bits", BN_num_bits(privkey)); - return &this->public; - } -+openssl_diffie_hellman_t *openssl_diffie_hellman_create( diffie_hellman_group_t group) -+{ -+ chunk_t g; -+ chunk_t p; -+ openssl_diffie_hellman_create_custom(group, g, p); -+} - - #endif /* OPENSSL_NO_DH */ -diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h -index 5de5520..22586e0 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h -+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.h -@@ -43,8 +43,10 @@ struct openssl_diffie_hellman_t { - * @param ... expects generator and prime as chunk_t if MODP_CUSTOM - * @return openssl_diffie_hellman_t object, NULL if not supported - */ --openssl_diffie_hellman_t *openssl_diffie_hellman_create( -+openssl_diffie_hellman_t *openssl_diffie_hellman_create_custom( - diffie_hellman_group_t group, ...); -+openssl_diffie_hellman_t *openssl_diffie_hellman_create( -+ diffie_hellman_group_t group); - - #endif /** OPENSSL_DIFFIE_HELLMAN_H_ @}*/ - -diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c -index 8b0a7c5..114d575 100644 ---- a/src/libstrongswan/plugins/openssl/openssl_plugin.c -+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c -@@ -609,6 +609,7 @@ METHOD(plugin_t, get_features, int, - PLUGIN_PROVIDE(DH, MODP_1024_BIT), - PLUGIN_PROVIDE(DH, MODP_1024_160), - PLUGIN_PROVIDE(DH, MODP_768_BIT), -+ PLUGIN_REGISTER(DH, openssl_diffie_hellman_create_custom), - PLUGIN_PROVIDE(DH, MODP_CUSTOM), - #endif - #ifndef OPENSSL_NO_RSA diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.4.bb deleted file mode 100644 index babfe17d29..0000000000 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.4.bb +++ /dev/null @@ -1,187 +0,0 @@ -DESCRIPTION = "strongSwan is an OpenSource IPsec implementation for the \ -Linux operating system." -SUMMARY = "strongSwan is an OpenSource IPsec implementation" -HOMEPAGE = "http://www.strongswan.org" -SECTION = "net" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -DEPENDS = "flex-native flex bison-native" -DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" - -SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ - file://fix-funtion-parameter.patch \ - file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \ - " - -SRC_URI[sha256sum] = "45fdf1a4c2af086d8ff5b76fd7b21d3b6f0890f365f83bf4c9a75dda26887518" - -UPSTREAM_CHECK_REGEX = "strongswan-(?P\d+(\.\d+)+)\.tar" - -EXTRA_OECONF = " \ - --without-lib-prefix \ - --with-dev-headers=${includedir}/strongswan \ -" - -EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}" - -PACKAGECONFIG ?= "curl gmp openssl sqlite3 swanctl curve25519\ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-charon', 'charon', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'tpm2', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imc imc-hcd imc-os imc-scanner imc-attestation', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imv imv-hcd imv-os imv-scanner imv-attestation', '', d)} \ -" - -PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,,${PN}-plugin-aesni" -PACKAGECONFIG[bfd] = "--enable-bfd-backtraces,--disable-bfd-backtraces,binutils" -PACKAGECONFIG[charon] = "--enable-charon,--disable-charon," -PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,${PN}-plugin-curl" -PACKAGECONFIG[eap-identity] = "--enable-eap-identity,--disable-eap-identity,,${PN}-plugin-eap-identity" -PACKAGECONFIG[eap-mschapv2] = "--enable-eap-mschapv2,--disable-eap-mschapv2,,${PN}-plugin-eap-mschapv2" -PACKAGECONFIG[gmp] = "--enable-gmp,--disable-gmp,gmp,${PN}-plugin-gmp" -PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap,${PN}-plugin-ldap" -PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,${PN}-plugin-mysql" -PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,${PN}-plugin-openssl" -PACKAGECONFIG[scep] = "--enable-scepclient,--disable-scepclient," -PACKAGECONFIG[soup] = "--enable-soup,--disable-soup,libsoup-2.4,${PN}-plugin-soup" -PACKAGECONFIG[sqlite3] = "--enable-sqlite,--disable-sqlite,sqlite3,${PN}-plugin-sqlite" -PACKAGECONFIG[stroke] = "--enable-stroke,--disable-stroke,,${PN}-plugin-stroke" -PACKAGECONFIG[swanctl] = "--enable-swanctl,--disable-swanctl,,libgcc" -PACKAGECONFIG[curve25519] = "--enable-curve25519,--disable-curve25519,, ${PN}-plugin-curve25519" - -# requires swanctl -PACKAGECONFIG[systemd-charon] = "--enable-systemd,--disable-systemd,systemd," - -# tpm needs meta-tpm layer -PACKAGECONFIG[tpm2] = "--enable-tpm,--disable-tpm,,${PN}-plugin-tpm" - - -# integraty configuration needs meta-integraty -#imc -PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,, ${PN}-plugin-tnc-imc ${PN}-plugin-tnc-tnccs" -PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,," -PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,," -PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,," -PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,," -PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima, json-c," -PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,," - -#imv set -PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,, ${PN}-plugin-tnc-imv ${PN}-plugin-tnc-tnccs" -PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,," -PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,," -PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,," -PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,," -PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima, json-c," -PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,," - -PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap, libxml2, ${PN}-plugin-tnc-ifmap" -PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,, ${PN}-plugin-tnc-pdp" - -PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2, ${PN}-plugin-tnccs-11" -PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,, ${PN}-plugin-tnccs-20" -PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,,${PN}-plugin-tnccs-dynamic" - -inherit autotools systemd pkgconfig - -RRECOMMENDS:${PN} = "kernel-module-ah4 \ - kernel-module-esp4 \ - kernel-module-xfrm-user \ - " - -FILES:${PN} += "${libdir}/ipsec/lib*${SOLIBS}" -FILES:${PN}-dbg += "${bindir}/.debug ${sbindir}/.debug ${libdir}/ipsec/.debug ${libexecdir}/ipsec/.debug" -FILES:${PN}-dev += "${libdir}/ipsec/lib*${SOLIBSDEV} ${libdir}/ipsec/*.la ${libdir}/ipsec/include/config.h" -FILES:${PN}-staticdev += "${libdir}/ipsec/*.a" - -CONFFILES:${PN} = "${sysconfdir}/*.conf ${sysconfdir}/ipsec.d/*.conf ${sysconfdir}/strongswan.d/*.conf" - -PACKAGES += "${PN}-plugins" -ALLOW_EMPTY:${PN}-plugins = "1" - -PACKAGE_BEFORE_PN = "${PN}-imcvs ${PN}-imcvs-dbg" -ALLOW_EMPTY:${PN}-imcvs = "1" - -FILES:${PN}-imcvs = "${libdir}/ipsec/imcvs/*.so" -FILES:${PN}-imcvs-dbg += "${libdir}/ipsec/imcvs/.debug" - -PACKAGES_DYNAMIC += "^${PN}-plugin-.*$" -NOAUTOPACKAGEDEBUG = "1" - -python split_strongswan_plugins () { - sysconfdir = d.expand('${sysconfdir}/strongswan.d/charon') - libdir = d.expand('${libdir}/ipsec/plugins') - dbglibdir = os.path.join(libdir, '.debug') - - def add_plugin_conf(f, pkg, file_regex, output_pattern, modulename): - dvar = d.getVar('PKGD') - oldfiles = d.getVar('CONFFILES:' + pkg) - newfile = '/' + os.path.relpath(f, dvar) - - if not oldfiles: - d.setVar('CONFFILES:' + pkg, newfile) - else: - d.setVar('CONFFILES:' + pkg, oldfiles + " " + newfile) - - split_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True) - do_split_packages(d, sysconfdir, r'(.*)\.conf', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True, hook=add_plugin_conf) - - split_dbg_packages = do_split_packages(d, dbglibdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s-dbg', 'strongSwan %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg') - split_dev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.la', '${PN}-plugin-%s-dev', 'strongSwan %s plugin - Development files', prepend=True, extra_depends='${PN}-dev') - split_staticdev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.a', '${PN}-plugin-%s-staticdev', 'strongSwan %s plugin - Development files (Static Libraries)', prepend=True, extra_depends='${PN}-staticdev') - - if split_packages: - pn = d.getVar('PN') - d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages)) - d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages)) - d.appendVar('RRECOMMENDS:' + pn + '-dev', ' ' + ' '.join(split_dev_packages)) - d.appendVar('RRECOMMENDS:' + pn + '-staticdev', ' ' + ' '.join(split_staticdev_packages)) -} - -PACKAGESPLITFUNCS:prepend = "split_strongswan_plugins " - -# Install some default plugins based on default strongSwan ./configure options -# See https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist -RDEPENDS:${PN} += "\ - ${PN}-plugin-aes \ - ${PN}-plugin-attr \ - ${PN}-plugin-cmac \ - ${PN}-plugin-constraints \ - ${PN}-plugin-des \ - ${PN}-plugin-dnskey \ - ${PN}-plugin-hmac \ - ${PN}-plugin-kernel-netlink \ - ${PN}-plugin-md5 \ - ${PN}-plugin-nonce \ - ${PN}-plugin-pem \ - ${PN}-plugin-pgp \ - ${PN}-plugin-pkcs1 \ - ${PN}-plugin-pkcs7 \ - ${PN}-plugin-pkcs8 \ - ${PN}-plugin-pkcs12 \ - ${PN}-plugin-pubkey \ - ${PN}-plugin-random \ - ${PN}-plugin-rc2 \ - ${PN}-plugin-resolve \ - ${PN}-plugin-revocation \ - ${PN}-plugin-sha1 \ - ${PN}-plugin-sha2 \ - ${PN}-plugin-socket-default \ - ${PN}-plugin-sshkey \ - ${PN}-plugin-updown \ - ${PN}-plugin-vici \ - ${PN}-plugin-x509 \ - ${PN}-plugin-xauth-generic \ - ${PN}-plugin-xcbc \ - " - -RPROVIDES:${PN} += "${PN}-systemd" -RREPLACES:${PN} += "${PN}-systemd" -RCONFLICTS:${PN} += "${PN}-systemd" - -# The deprecated legacy 'strongswan-starter' service should only be used when charon and -# stroke are enabled. When swanctl is in use, 'strongswan.service' is needed. -# See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd -SYSTEMD_SERVICE:${PN} = " \ - ${@bb.utils.contains('PACKAGECONFIG', 'swanctl', '${BPN}.service', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'charon', '${BPN}-starter.service', '', d)} \ -" diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb new file mode 100644 index 0000000000..cfb7b41fa4 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.5.bb @@ -0,0 +1,186 @@ +DESCRIPTION = "strongSwan is an OpenSource IPsec implementation for the \ +Linux operating system." +SUMMARY = "strongSwan is an OpenSource IPsec implementation" +HOMEPAGE = "http://www.strongswan.org" +SECTION = "net" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" +DEPENDS = "flex-native flex bison-native" +DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" + +SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ + file://0001-openssl-Don-t-unload-providers.patch \ + " + +SRC_URI[sha256sum] = "983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd" + +UPSTREAM_CHECK_REGEX = "strongswan-(?P\d+(\.\d+)+)\.tar" + +EXTRA_OECONF = " \ + --without-lib-prefix \ + --with-dev-headers=${includedir}/strongswan \ +" + +EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}" + +PACKAGECONFIG ?= "curl gmp openssl sqlite3 swanctl curve25519\ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-charon', 'charon', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'tpm2', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imc imc-hcd imc-os imc-scanner imc-attestation', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imv imv-hcd imv-os imv-scanner imv-attestation', '', d)} \ +" + +PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,,${PN}-plugin-aesni" +PACKAGECONFIG[bfd] = "--enable-bfd-backtraces,--disable-bfd-backtraces,binutils" +PACKAGECONFIG[charon] = "--enable-charon,--disable-charon," +PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,${PN}-plugin-curl" +PACKAGECONFIG[eap-identity] = "--enable-eap-identity,--disable-eap-identity,,${PN}-plugin-eap-identity" +PACKAGECONFIG[eap-mschapv2] = "--enable-eap-mschapv2,--disable-eap-mschapv2,,${PN}-plugin-eap-mschapv2" +PACKAGECONFIG[gmp] = "--enable-gmp,--disable-gmp,gmp,${PN}-plugin-gmp" +PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap,${PN}-plugin-ldap" +PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,${PN}-plugin-mysql" +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,${PN}-plugin-openssl" +PACKAGECONFIG[scep] = "--enable-scepclient,--disable-scepclient," +PACKAGECONFIG[soup] = "--enable-soup,--disable-soup,libsoup-2.4,${PN}-plugin-soup" +PACKAGECONFIG[sqlite3] = "--enable-sqlite,--disable-sqlite,sqlite3,${PN}-plugin-sqlite" +PACKAGECONFIG[stroke] = "--enable-stroke,--disable-stroke,,${PN}-plugin-stroke" +PACKAGECONFIG[swanctl] = "--enable-swanctl,--disable-swanctl,,libgcc" +PACKAGECONFIG[curve25519] = "--enable-curve25519,--disable-curve25519,, ${PN}-plugin-curve25519" + +# requires swanctl +PACKAGECONFIG[systemd-charon] = "--enable-systemd,--disable-systemd,systemd," + +# tpm needs meta-tpm layer +PACKAGECONFIG[tpm2] = "--enable-tpm,--disable-tpm,,${PN}-plugin-tpm" + + +# integraty configuration needs meta-integraty +#imc +PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,, ${PN}-plugin-tnc-imc ${PN}-plugin-tnc-tnccs" +PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,," +PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,," +PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,," +PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,," +PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima, json-c," +PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,," + +#imv set +PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,, ${PN}-plugin-tnc-imv ${PN}-plugin-tnc-tnccs" +PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,," +PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,," +PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,," +PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,," +PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima, json-c," +PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,," + +PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap, libxml2, ${PN}-plugin-tnc-ifmap" +PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,, ${PN}-plugin-tnc-pdp" + +PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2, ${PN}-plugin-tnccs-11" +PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,, ${PN}-plugin-tnccs-20" +PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,,${PN}-plugin-tnccs-dynamic" + +inherit autotools systemd pkgconfig + +RRECOMMENDS:${PN} = "kernel-module-ah4 \ + kernel-module-esp4 \ + kernel-module-xfrm-user \ + " + +FILES:${PN} += "${libdir}/ipsec/lib*${SOLIBS}" +FILES:${PN}-dbg += "${bindir}/.debug ${sbindir}/.debug ${libdir}/ipsec/.debug ${libexecdir}/ipsec/.debug" +FILES:${PN}-dev += "${libdir}/ipsec/lib*${SOLIBSDEV} ${libdir}/ipsec/*.la ${libdir}/ipsec/include/config.h" +FILES:${PN}-staticdev += "${libdir}/ipsec/*.a" + +CONFFILES:${PN} = "${sysconfdir}/*.conf ${sysconfdir}/ipsec.d/*.conf ${sysconfdir}/strongswan.d/*.conf" + +PACKAGES += "${PN}-plugins" +ALLOW_EMPTY:${PN}-plugins = "1" + +PACKAGE_BEFORE_PN = "${PN}-imcvs ${PN}-imcvs-dbg" +ALLOW_EMPTY:${PN}-imcvs = "1" + +FILES:${PN}-imcvs = "${libdir}/ipsec/imcvs/*.so" +FILES:${PN}-imcvs-dbg += "${libdir}/ipsec/imcvs/.debug" + +PACKAGES_DYNAMIC += "^${PN}-plugin-.*$" +NOAUTOPACKAGEDEBUG = "1" + +python split_strongswan_plugins () { + sysconfdir = d.expand('${sysconfdir}/strongswan.d/charon') + libdir = d.expand('${libdir}/ipsec/plugins') + dbglibdir = os.path.join(libdir, '.debug') + + def add_plugin_conf(f, pkg, file_regex, output_pattern, modulename): + dvar = d.getVar('PKGD') + oldfiles = d.getVar('CONFFILES:' + pkg) + newfile = '/' + os.path.relpath(f, dvar) + + if not oldfiles: + d.setVar('CONFFILES:' + pkg, newfile) + else: + d.setVar('CONFFILES:' + pkg, oldfiles + " " + newfile) + + split_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True) + do_split_packages(d, sysconfdir, r'(.*)\.conf', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True, hook=add_plugin_conf) + + split_dbg_packages = do_split_packages(d, dbglibdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s-dbg', 'strongSwan %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg') + split_dev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.la', '${PN}-plugin-%s-dev', 'strongSwan %s plugin - Development files', prepend=True, extra_depends='${PN}-dev') + split_staticdev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.a', '${PN}-plugin-%s-staticdev', 'strongSwan %s plugin - Development files (Static Libraries)', prepend=True, extra_depends='${PN}-staticdev') + + if split_packages: + pn = d.getVar('PN') + d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages)) + d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages)) + d.appendVar('RRECOMMENDS:' + pn + '-dev', ' ' + ' '.join(split_dev_packages)) + d.appendVar('RRECOMMENDS:' + pn + '-staticdev', ' ' + ' '.join(split_staticdev_packages)) +} + +PACKAGESPLITFUNCS:prepend = "split_strongswan_plugins " + +# Install some default plugins based on default strongSwan ./configure options +# See https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist +RDEPENDS:${PN} += "\ + ${PN}-plugin-aes \ + ${PN}-plugin-attr \ + ${PN}-plugin-cmac \ + ${PN}-plugin-constraints \ + ${PN}-plugin-des \ + ${PN}-plugin-dnskey \ + ${PN}-plugin-hmac \ + ${PN}-plugin-kernel-netlink \ + ${PN}-plugin-md5 \ + ${PN}-plugin-nonce \ + ${PN}-plugin-pem \ + ${PN}-plugin-pgp \ + ${PN}-plugin-pkcs1 \ + ${PN}-plugin-pkcs7 \ + ${PN}-plugin-pkcs8 \ + ${PN}-plugin-pkcs12 \ + ${PN}-plugin-pubkey \ + ${PN}-plugin-random \ + ${PN}-plugin-rc2 \ + ${PN}-plugin-resolve \ + ${PN}-plugin-revocation \ + ${PN}-plugin-sha1 \ + ${PN}-plugin-sha2 \ + ${PN}-plugin-socket-default \ + ${PN}-plugin-sshkey \ + ${PN}-plugin-updown \ + ${PN}-plugin-vici \ + ${PN}-plugin-x509 \ + ${PN}-plugin-xauth-generic \ + ${PN}-plugin-xcbc \ + " + +RPROVIDES:${PN} += "${PN}-systemd" +RREPLACES:${PN} += "${PN}-systemd" +RCONFLICTS:${PN} += "${PN}-systemd" + +# The deprecated legacy 'strongswan-starter' service should only be used when charon and +# stroke are enabled. When swanctl is in use, 'strongswan.service' is needed. +# See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd +SYSTEMD_SERVICE:${PN} = " \ + ${@bb.utils.contains('PACKAGECONFIG', 'swanctl', '${BPN}.service', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'charon', '${BPN}-starter.service', '', d)} \ +" -- cgit 1.2.3-korg