From 2b9e429a242d8899c77281b6c2387b63534b8d82 Mon Sep 17 00:00:00 2001 From: Wang Mingyu Date: Wed, 16 Jul 2025 14:41:01 +0800 Subject: strongswan: upgrade 6.0.1 -> 6.0.2 0001-pki-Fix-signature-of-help-to-match-that-of-a-callbac.patch 0002-callback-job-Replace-return_false-in-constructors-wi.patch 0003-Cast-uses-of-return_-nop-and-enumerator_create_empty.patch removed since they're included in 6.0.2 Changelog: ============= - Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+). - Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+). - POSIX regular expressions can be used to match remote identities. - Switching configs based on EAP-Identities is supported. Setting 'remote.eap_id' now always initiates an EAP-Identity exchange. - On Linux, sequence numbers from acquires are used when installing SAs. This allows handling narrowing properly. - During rekeying, the narrowed traffic selectors are now proposed instead of the configured ones. - The default AH/ESP proposals contain all supported key exchange methods plus 'none' to make PFS optional and accept proposals of older peers. - GRO for ESP in enabled for NAT-T UDP sockets, which can improve performance if the esp4|6_offload modules are loaded. - charon-nm sets the VPN connection as persistent, preventing NetworkManager from tearing down the connection if the network connectivity changes. - ML-KEM is supported via OpenSSL 3.5+. - The wolfssl plugin is now compatible to wolfSSL's FIPS module. - The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported anymore. - The long defunct uci plugin has been removed. - Log messages by watcher_t are now logged in a separate log group ('wch'). Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj --- ...nature-of-help-to-match-that-of-a-callbac.patch | 25 --- ...b-Replace-return_false-in-constructors-wi.patch | 90 ---------- ...f-return_-nop-and-enumerator_create_empty.patch | 118 ------------- .../recipes-support/strongswan/strongswan_6.0.1.bb | 196 --------------------- .../recipes-support/strongswan/strongswan_6.0.2.bb | 191 ++++++++++++++++++++ 5 files changed, 191 insertions(+), 429 deletions(-) delete mode 100644 meta-networking/recipes-support/strongswan/strongswan/0001-pki-Fix-signature-of-help-to-match-that-of-a-callbac.patch delete mode 100644 meta-networking/recipes-support/strongswan/strongswan/0002-callback-job-Replace-return_false-in-constructors-wi.patch delete mode 100644 meta-networking/recipes-support/strongswan/strongswan/0003-Cast-uses-of-return_-nop-and-enumerator_create_empty.patch delete mode 100644 meta-networking/recipes-support/strongswan/strongswan_6.0.1.bb create mode 100644 meta-networking/recipes-support/strongswan/strongswan_6.0.2.bb diff --git a/meta-networking/recipes-support/strongswan/strongswan/0001-pki-Fix-signature-of-help-to-match-that-of-a-callbac.patch b/meta-networking/recipes-support/strongswan/strongswan/0001-pki-Fix-signature-of-help-to-match-that-of-a-callbac.patch deleted file mode 100644 index 92c848f095..0000000000 --- a/meta-networking/recipes-support/strongswan/strongswan/0001-pki-Fix-signature-of-help-to-match-that-of-a-callbac.patch +++ /dev/null @@ -1,25 +0,0 @@ -From a7b5de569082398a14b7e571498e55d005903aaf Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 21 Feb 2025 17:18:35 +0100 -Subject: [PATCH] pki: Fix signature of help() to match that of a callback in - command_t - -Upstream-Status: Backport [a7b5de5 pki: Fix signature of help() to match that of a callback in command_t] -Signed-off-by: mark.yang ---- - src/pki/command.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pki/command.c b/src/pki/command.c -index accec5fe5..6e6bf041e 100644 ---- a/src/pki/command.c -+++ b/src/pki/command.c -@@ -265,7 +265,7 @@ int command_usage(char *error) - /** - * Show usage information - */ --static int help(int c, char *v[]) -+static int help() - { - return command_usage(NULL); - } diff --git a/meta-networking/recipes-support/strongswan/strongswan/0002-callback-job-Replace-return_false-in-constructors-wi.patch b/meta-networking/recipes-support/strongswan/strongswan/0002-callback-job-Replace-return_false-in-constructors-wi.patch deleted file mode 100644 index 09451206ca..0000000000 --- a/meta-networking/recipes-support/strongswan/strongswan/0002-callback-job-Replace-return_false-in-constructors-wi.patch +++ /dev/null @@ -1,90 +0,0 @@ -From d5d2568ff0e88d364dadf50b67bf17050763cf98 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 21 Feb 2025 16:45:57 +0100 -Subject: [PATCH] callback-job: Replace return_false() in constructors with - dedicated function - -Besides being clearer, this fixes issues with GCC 15. The latter uses -C23 by default, which changes the meaning of function declarations -without parameters such as - - bool return false(); - -Instead of "this function takes an unknown number of arguments", this -now equals (void), that is, "this function takes no arguments". So we -run into incompatible pointer type warnings all over when using such -functions. They could be cast to (void*) but this seems the cleaner -solution for this use case. - -Upstream-Status: Backport [d5d2568 callback-job: Replace return_false() in constructors with dedicated function] -Signed-off-by: mark.yang ---- - src/libstrongswan/processing/jobs/callback_job.c | 10 +++++++++- - src/libstrongswan/processing/jobs/callback_job.h | 11 ++++++++++- - src/libstrongswan/processing/scheduler.c | 3 ++- - 3 files changed, 21 insertions(+), 3 deletions(-) - -diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c -index cb2a0aba5..3ab40b947 100644 ---- a/src/libstrongswan/processing/jobs/callback_job.c -+++ b/src/libstrongswan/processing/jobs/callback_job.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2009-2012 Tobias Brunner -+ * Copyright (C) 2009-2025 Tobias Brunner - * Copyright (C) 2007-2011 Martin Willi - * - * Copyright (C) secunet Security Networks AG -@@ -131,3 +131,11 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data, - return callback_job_create_with_prio(cb, data, cleanup, cancel, - JOB_PRIO_MEDIUM); - } -+ -+/* -+ * Described in header -+ */ -+bool callback_job_cancel_thread(void *data) -+{ -+ return FALSE; -+} -diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h -index 0f1ae212d..fda868879 100644 ---- a/src/libstrongswan/processing/jobs/callback_job.h -+++ b/src/libstrongswan/processing/jobs/callback_job.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2012 Tobias Brunner -+ * Copyright (C) 2012-2025 Tobias Brunner - * Copyright (C) 2007-2011 Martin Willi - * - * Copyright (C) secunet Security Networks AG -@@ -62,6 +62,15 @@ typedef void (*callback_job_cleanup_t)(void *data); - */ - typedef bool (*callback_job_cancel_t)(void *data); - -+/** -+ * Default implementation of callback_job_cancel_t that simply returns FALSE -+ * to force cancellation of the thread by the processor. -+ * -+ * @param data ignored argument -+ * @return always returns FALSE -+ */ -+bool callback_job_cancel_thread(void *data); -+ - /** - * Class representing an callback Job. - * -diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c -index c5e5dd83e..76d98ddff 100644 ---- a/src/libstrongswan/processing/scheduler.c -+++ b/src/libstrongswan/processing/scheduler.c -@@ -329,7 +329,8 @@ scheduler_t * scheduler_create() - this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*)); - - job = callback_job_create_with_prio((callback_job_cb_t)schedule, this, -- NULL, return_false, JOB_PRIO_CRITICAL); -+ NULL, callback_job_cancel_thread, -+ JOB_PRIO_CRITICAL); - lib->processor->queue_job(lib->processor, (job_t*)job); - - return &this->public; diff --git a/meta-networking/recipes-support/strongswan/strongswan/0003-Cast-uses-of-return_-nop-and-enumerator_create_empty.patch b/meta-networking/recipes-support/strongswan/strongswan/0003-Cast-uses-of-return_-nop-and-enumerator_create_empty.patch deleted file mode 100644 index 6c2a77105a..0000000000 --- a/meta-networking/recipes-support/strongswan/strongswan/0003-Cast-uses-of-return_-nop-and-enumerator_create_empty.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 11978ddd39e800b5f35f721d726e8a4cb7e4ec0f Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 21 Feb 2025 17:00:44 +0100 -Subject: [PATCH] Cast uses of return_*(), nop() and enumerator_create_empty() - -As described in the previous commit, GCC 15 uses C23 by default and that -changes the meaning of such argument-less function declarations. So -whenever we assign such a function to a pointer that expects a function -with arguments it causes an incompatible pointer type warning. We -could define dedicated functions/callbacks whenever necessary, but this -seems like the simpler approach for now (especially since most uses of -these functions have already been cast). - -Upstream-Status: Backport [11978dd Cast uses of return_*(), nop() and enumerator_create_empty()] -Signed-off-by: mark.yang ---- - src/charon-nm/nm/nm_handler.c | 2 +- - src/libcharon/encoding/payloads/encrypted_payload.c | 2 +- - src/libcharon/plugins/android_dns/android_dns_handler.c | 2 +- - src/libcharon/plugins/ha/ha_attribute.c | 2 +- - src/libcharon/plugins/updown/updown_handler.c | 2 +- - src/libstrongswan/utils/identification.c | 6 +++--- - 6 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c -index d7331ad72..39d0190ac 100644 ---- a/src/charon-nm/nm/nm_handler.c -+++ b/src/charon-nm/nm/nm_handler.c -@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create() - .public = { - .handler = { - .handle = _handle, -- .release = nop, -+ .release = (void*)nop, - .create_attribute_enumerator = _create_attribute_enumerator, - }, - .create_enumerator = _create_enumerator, -diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c -index 676d00b7a..4821c6108 100644 ---- a/src/libcharon/encoding/payloads/encrypted_payload.c -+++ b/src/libcharon/encoding/payloads/encrypted_payload.c -@@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create() - .get_length = _frag_get_length, - .add_payload = _frag_add_payload, - .remove_payload = (void*)return_null, -- .generate_payloads = nop, -+ .generate_payloads = (void*)nop, - .set_transform = _frag_set_transform, - .get_transform = _frag_get_transform, - .encrypt = _frag_encrypt, -diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c -index 78f4f702a..14d2ff99a 100644 ---- a/src/libcharon/plugins/android_dns/android_dns_handler.c -+++ b/src/libcharon/plugins/android_dns/android_dns_handler.c -@@ -191,7 +191,7 @@ METHOD(enumerator_t, enumerate_dns, bool, - VA_ARGS_VGET(args, type, data); - *type = INTERNAL_IP4_DNS; - *data = chunk_empty; -- this->venumerate = return_false; -+ this->venumerate = (void*)return_false; - return TRUE; - } - -diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c -index b865a4b82..103d1a937 100644 ---- a/src/libcharon/plugins/ha/ha_attribute.c -+++ b/src/libcharon/plugins/ha/ha_attribute.c -@@ -381,7 +381,7 @@ ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments - .provider = { - .acquire_address = _acquire_address, - .release_address = _release_address, -- .create_attribute_enumerator = enumerator_create_empty, -+ .create_attribute_enumerator = (void*)enumerator_create_empty, - }, - .reserve = _reserve, - .destroy = _destroy, -diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c -index 36eb15615..3707e1e65 100644 ---- a/src/libcharon/plugins/updown/updown_handler.c -+++ b/src/libcharon/plugins/updown/updown_handler.c -@@ -220,7 +220,7 @@ updown_handler_t *updown_handler_create() - .handler = { - .handle = _handle, - .release = _release, -- .create_attribute_enumerator = enumerator_create_empty, -+ .create_attribute_enumerator = (void*)enumerator_create_empty, - }, - .create_dns_enumerator = _create_dns_enumerator, - .destroy = _destroy, -diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c -index d31955b38..58a05052d 100644 ---- a/src/libstrongswan/utils/identification.c -+++ b/src/libstrongswan/utils/identification.c -@@ -1625,7 +1625,7 @@ static private_identification_t *identification_create(id_type_t type) - this->public.hash = _hash_binary; - this->public.equals = _equals_binary; - this->public.matches = _matches_any; -- this->public.contains_wildcards = return_true; -+ this->public.contains_wildcards = (void*)return_true; - break; - case ID_FQDN: - case ID_RFC822_ADDR: -@@ -1660,13 +1660,13 @@ static private_identification_t *identification_create(id_type_t type) - this->public.hash = _hash_binary; - this->public.equals = _equals_binary; - this->public.matches = _matches_range; -- this->public.contains_wildcards = return_false; -+ this->public.contains_wildcards = (void*)return_false; - break; - default: - this->public.hash = _hash_binary; - this->public.equals = _equals_binary; - this->public.matches = _matches_binary; -- this->public.contains_wildcards = return_false; -+ this->public.contains_wildcards = (void*)return_false; - break; - } - return this; diff --git a/meta-networking/recipes-support/strongswan/strongswan_6.0.1.bb b/meta-networking/recipes-support/strongswan/strongswan_6.0.1.bb deleted file mode 100644 index 771470f695..0000000000 --- a/meta-networking/recipes-support/strongswan/strongswan_6.0.1.bb +++ /dev/null @@ -1,196 +0,0 @@ -DESCRIPTION = "strongSwan is an OpenSource IPsec implementation for the \ -Linux operating system." -SUMMARY = "strongSwan is an OpenSource IPsec implementation" -HOMEPAGE = "http://www.strongswan.org" -SECTION = "net" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -DEPENDS = "flex-native flex bison-native" -DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" - -SRC_URI = " \ - https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ - file://0001-pki-Fix-signature-of-help-to-match-that-of-a-callbac.patch \ - file://0002-callback-job-Replace-return_false-in-constructors-wi.patch \ - file://0003-Cast-uses-of-return_-nop-and-enumerator_create_empty.patch \ - " - -SRC_URI[sha256sum] = "212368cbc674fed31f3292210303fff06da8b90acad2d1387375ed855e6879c4" - -UPSTREAM_CHECK_REGEX = "strongswan-(?P\d+(\.\d+)+)\.tar" - -EXTRA_OECONF = " \ - --without-lib-prefix \ - --with-dev-headers=${includedir}/strongswan \ -" - -EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}" - -PACKAGECONFIG ?= "curl openssl sqlite3 swanctl \ - ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-charon', 'charon', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'tpm2', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imc imc-hcd imc-os imc-scanner imc-attestation', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imv imv-hcd imv-os imv-scanner imv-attestation', '', d)} \ -" - -PACKAGECONFIG[aes] = "--enable-aes,--disable-aes,,${PN}-plugin-aes" -PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,,${PN}-plugin-aesni" -PACKAGECONFIG[bfd] = "--enable-bfd-backtraces,--disable-bfd-backtraces,binutils" -PACKAGECONFIG[charon] = "--enable-charon,--disable-charon," -PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,${PN}-plugin-curl" -PACKAGECONFIG[des] = "--enable-des,--disable-des,,${PN}-plugin-des" -PACKAGECONFIG[eap-identity] = "--enable-eap-identity,--disable-eap-identity,,${PN}-plugin-eap-identity" -PACKAGECONFIG[eap-mschapv2] = "--enable-eap-mschapv2,--disable-eap-mschapv2,,${PN}-plugin-eap-mschapv2" -PACKAGECONFIG[fips-prf] = "--enable-fips-prf,--disable-fips-prf,,${PN}-plugin-fips-prf" -PACKAGECONFIG[gmp] = "--enable-gmp,--disable-gmp,gmp,${PN}-plugin-gmp" -PACKAGECONFIG[hmac] = "--enable-hmac,--disable-hmac,,${PN}-plugin-hmac" -PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap,${PN}-plugin-ldap" -PACKAGECONFIG[md5] = "--enable-md5,--disable-md5,,${PN}-plugin-md5" -PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,${PN}-plugin-mysql" -PACKAGECONFIG[nm] = "--enable-nm,--disable-nm,networkmanager,${PN}-nm" -PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,${PN}-plugin-openssl" -PACKAGECONFIG[pkcs12] = "--enable-pkcs12,--disable-pkcs12,,${PN}-plugin-pkcs12" -PACKAGECONFIG[rc2] = "--enable-rc2,--disable-rc2,,${PN}-plugin-rc2" -PACKAGECONFIG[sha1] = "--enable-sha1,--disable-sha1,,${PN}-plugin-sha1" -PACKAGECONFIG[sha2] = "--enable-sha2,--disable-sha2,,${PN}-plugin-sha2" -PACKAGECONFIG[soup] = "--enable-soup,--disable-soup,libsoup-2.4,${PN}-plugin-soup" -PACKAGECONFIG[sqlite3] = "--enable-sqlite,--disable-sqlite,sqlite3,${PN}-plugin-sqlite" -PACKAGECONFIG[stroke] = "--enable-stroke,--disable-stroke,,${PN}-plugin-stroke" -PACKAGECONFIG[swanctl] = "--enable-swanctl,--disable-swanctl,,libgcc" -PACKAGECONFIG[curve25519] = "--enable-curve25519,--disable-curve25519,, ${PN}-plugin-curve25519" - -# requires swanctl -PACKAGECONFIG[systemd-charon] = "--enable-systemd,--disable-systemd,systemd," - -# tpm needs meta-tpm layer -PACKAGECONFIG[tpm2] = "--enable-tpm,--disable-tpm,,${PN}-plugin-tpm" - - -# integraty configuration needs meta-integraty -#imc -PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,, ${PN}-plugin-tnc-imc ${PN}-plugin-tnc-tnccs" -PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,," -PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,," -PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,," -PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,," -PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima, json-c," -PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,," - -#imv set -PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,, ${PN}-plugin-tnc-imv ${PN}-plugin-tnc-tnccs" -PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,," -PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,," -PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,," -PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,," -PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima, json-c," -PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,," - -PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap, libxml2, ${PN}-plugin-tnc-ifmap" -PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,, ${PN}-plugin-tnc-pdp" - -PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2, ${PN}-plugin-tnccs-11" -PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,, ${PN}-plugin-tnccs-20" -PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,,${PN}-plugin-tnccs-dynamic" - -inherit autotools systemd pkgconfig - -RRECOMMENDS:${PN} = "kernel-module-ah4 \ - kernel-module-esp4 \ - kernel-module-xfrm-user \ - " - -FILES:${PN} += "${libdir}/ipsec/lib*${SOLIBS}" -FILES:${PN}-dbg += "${bindir}/.debug ${sbindir}/.debug ${libdir}/ipsec/.debug ${libexecdir}/ipsec/.debug" -FILES:${PN}-dev += "${libdir}/ipsec/lib*${SOLIBSDEV} ${libdir}/ipsec/*.la ${libdir}/ipsec/include/config.h" -FILES:${PN}-staticdev += "${libdir}/ipsec/*.a" - -CONFFILES:${PN} = "${sysconfdir}/*.conf ${sysconfdir}/ipsec.d/*.conf ${sysconfdir}/strongswan.d/*.conf" - -PACKAGES += "${PN}-plugins" -ALLOW_EMPTY:${PN}-plugins = "1" - -PACKAGE_BEFORE_PN = "${PN}-imcvs ${PN}-imcvs-dbg" -ALLOW_EMPTY:${PN}-imcvs = "1" - -FILES:${PN}-imcvs = "${libdir}/ipsec/imcvs/*.so" -FILES:${PN}-imcvs-dbg += "${libdir}/ipsec/imcvs/.debug" - -PACKAGES =+ "${PN}-nm ${PN}-nm-dbg" -FILES:${PN}-nm = "${libexecdir}/ipsec/charon-nm ${datadir}/dbus-1/system.d/nm-strongswan-service.conf" -FILES:${PN}-nm-dbg = "${libexecdir}/ipsec/.debug/charon-nm" - -PACKAGES_DYNAMIC += "^${PN}-plugin-.*$" -NOAUTOPACKAGEDEBUG = "1" - -python split_strongswan_plugins () { - sysconfdir = d.expand('${sysconfdir}/strongswan.d/charon') - libdir = d.expand('${libdir}/ipsec/plugins') - dbglibdir = os.path.join(libdir, '.debug') - - def add_plugin_conf(f, pkg, file_regex, output_pattern, modulename): - dvar = d.getVar('PKGD') - oldfiles = d.getVar('CONFFILES:' + pkg) - newfile = '/' + os.path.relpath(f, dvar) - - if not oldfiles: - d.setVar('CONFFILES:' + pkg, newfile) - else: - d.setVar('CONFFILES:' + pkg, oldfiles + " " + newfile) - - split_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True) - do_split_packages(d, sysconfdir, r'(.*)\.conf', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True, hook=add_plugin_conf) - - split_dbg_packages = do_split_packages(d, dbglibdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s-dbg', 'strongSwan %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg') - split_dev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.la', '${PN}-plugin-%s-dev', 'strongSwan %s plugin - Development files', prepend=True, extra_depends='${PN}-dev') - split_staticdev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.a', '${PN}-plugin-%s-staticdev', 'strongSwan %s plugin - Development files (Static Libraries)', prepend=True, extra_depends='${PN}-staticdev') - - if split_packages: - pn = d.getVar('PN') - d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages)) - d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages)) - d.appendVar('RRECOMMENDS:' + pn + '-dev', ' ' + ' '.join(split_dev_packages)) - d.appendVar('RRECOMMENDS:' + pn + '-staticdev', ' ' + ' '.join(split_staticdev_packages)) -} - -PACKAGESPLITFUNCS:prepend = "split_strongswan_plugins " - -# Install some default plugins based on default strongSwan ./configure options -# See https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist -RDEPENDS:${PN} += "\ - ${PN}-plugin-attr \ - ${PN}-plugin-cmac \ - ${PN}-plugin-constraints \ - ${PN}-plugin-dnskey \ - ${PN}-plugin-drbg \ - ${PN}-plugin-kdf \ - ${PN}-plugin-kernel-netlink \ - ${PN}-plugin-nonce \ - ${PN}-plugin-pem \ - ${PN}-plugin-pgp \ - ${PN}-plugin-pkcs1 \ - ${PN}-plugin-pkcs7 \ - ${PN}-plugin-pkcs8 \ - ${PN}-plugin-pubkey \ - ${PN}-plugin-random \ - ${PN}-plugin-resolve \ - ${PN}-plugin-revocation \ - ${PN}-plugin-socket-default \ - ${PN}-plugin-sshkey \ - ${PN}-plugin-updown \ - ${PN}-plugin-vici \ - ${PN}-plugin-x509 \ - ${PN}-plugin-xauth-generic \ - ${PN}-plugin-xcbc \ - " - -RPROVIDES:${PN} += "${PN}-systemd" -RREPLACES:${PN} += "${PN}-systemd" -RCONFLICTS:${PN} += "${PN}-systemd" - -# The deprecated legacy 'strongswan-starter' service should only be used when charon and -# stroke are enabled. When swanctl is in use, 'strongswan.service' is needed. -# See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd -SYSTEMD_SERVICE:${PN} = " \ - ${@bb.utils.contains('PACKAGECONFIG', 'swanctl', '${BPN}.service', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'charon', '${BPN}-starter.service', '', d)} \ -" diff --git a/meta-networking/recipes-support/strongswan/strongswan_6.0.2.bb b/meta-networking/recipes-support/strongswan/strongswan_6.0.2.bb new file mode 100644 index 0000000000..aa4524ab3e --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan_6.0.2.bb @@ -0,0 +1,191 @@ +DESCRIPTION = "strongSwan is an OpenSource IPsec implementation for the \ +Linux operating system." +SUMMARY = "strongSwan is an OpenSource IPsec implementation" +HOMEPAGE = "http://www.strongswan.org" +SECTION = "net" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" +DEPENDS = "flex-native flex bison-native" +DEPENDS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', ' tpm2-tss', '', d)}" + +SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2" + +SRC_URI[sha256sum] = "b8bfc897b84001fd810a281918d6c9ce37503cae0f41b39c43d4aba0201277cf" + +UPSTREAM_CHECK_REGEX = "strongswan-(?P\d+(\.\d+)+)\.tar" + +EXTRA_OECONF = " \ + --without-lib-prefix \ + --with-dev-headers=${includedir}/strongswan \ +" + +EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}" + +PACKAGECONFIG ?= "curl openssl sqlite3 swanctl \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-charon', 'charon', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'tpm2', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imc imc-hcd imc-os imc-scanner imc-attestation', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imv imv-hcd imv-os imv-scanner imv-attestation', '', d)} \ +" + +PACKAGECONFIG[aes] = "--enable-aes,--disable-aes,,${PN}-plugin-aes" +PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,,${PN}-plugin-aesni" +PACKAGECONFIG[bfd] = "--enable-bfd-backtraces,--disable-bfd-backtraces,binutils" +PACKAGECONFIG[charon] = "--enable-charon,--disable-charon," +PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,${PN}-plugin-curl" +PACKAGECONFIG[des] = "--enable-des,--disable-des,,${PN}-plugin-des" +PACKAGECONFIG[eap-identity] = "--enable-eap-identity,--disable-eap-identity,,${PN}-plugin-eap-identity" +PACKAGECONFIG[eap-mschapv2] = "--enable-eap-mschapv2,--disable-eap-mschapv2,,${PN}-plugin-eap-mschapv2" +PACKAGECONFIG[fips-prf] = "--enable-fips-prf,--disable-fips-prf,,${PN}-plugin-fips-prf" +PACKAGECONFIG[gmp] = "--enable-gmp,--disable-gmp,gmp,${PN}-plugin-gmp" +PACKAGECONFIG[hmac] = "--enable-hmac,--disable-hmac,,${PN}-plugin-hmac" +PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap,${PN}-plugin-ldap" +PACKAGECONFIG[md5] = "--enable-md5,--disable-md5,,${PN}-plugin-md5" +PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,${PN}-plugin-mysql" +PACKAGECONFIG[nm] = "--enable-nm,--disable-nm,networkmanager,${PN}-nm" +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,${PN}-plugin-openssl" +PACKAGECONFIG[pkcs12] = "--enable-pkcs12,--disable-pkcs12,,${PN}-plugin-pkcs12" +PACKAGECONFIG[rc2] = "--enable-rc2,--disable-rc2,,${PN}-plugin-rc2" +PACKAGECONFIG[sha1] = "--enable-sha1,--disable-sha1,,${PN}-plugin-sha1" +PACKAGECONFIG[sha2] = "--enable-sha2,--disable-sha2,,${PN}-plugin-sha2" +PACKAGECONFIG[soup] = "--enable-soup,--disable-soup,libsoup-2.4,${PN}-plugin-soup" +PACKAGECONFIG[sqlite3] = "--enable-sqlite,--disable-sqlite,sqlite3,${PN}-plugin-sqlite" +PACKAGECONFIG[stroke] = "--enable-stroke,--disable-stroke,,${PN}-plugin-stroke" +PACKAGECONFIG[swanctl] = "--enable-swanctl,--disable-swanctl,,libgcc" +PACKAGECONFIG[curve25519] = "--enable-curve25519,--disable-curve25519,, ${PN}-plugin-curve25519" + +# requires swanctl +PACKAGECONFIG[systemd-charon] = "--enable-systemd,--disable-systemd,systemd," + +# tpm needs meta-tpm layer +PACKAGECONFIG[tpm2] = "--enable-tpm,--disable-tpm,,${PN}-plugin-tpm" + + +# integraty configuration needs meta-integraty +#imc +PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,, ${PN}-plugin-tnc-imc ${PN}-plugin-tnc-tnccs" +PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,," +PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,," +PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,," +PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,," +PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima, json-c," +PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,," + +#imv set +PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,, ${PN}-plugin-tnc-imv ${PN}-plugin-tnc-tnccs" +PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,," +PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,," +PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,," +PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,," +PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima, json-c," +PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,," + +PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap, libxml2, ${PN}-plugin-tnc-ifmap" +PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,, ${PN}-plugin-tnc-pdp" + +PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2, ${PN}-plugin-tnccs-11" +PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,, ${PN}-plugin-tnccs-20" +PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,,${PN}-plugin-tnccs-dynamic" + +inherit autotools systemd pkgconfig + +RRECOMMENDS:${PN} = "kernel-module-ah4 \ + kernel-module-esp4 \ + kernel-module-xfrm-user \ + " + +FILES:${PN} += "${libdir}/ipsec/lib*${SOLIBS}" +FILES:${PN}-dbg += "${bindir}/.debug ${sbindir}/.debug ${libdir}/ipsec/.debug ${libexecdir}/ipsec/.debug" +FILES:${PN}-dev += "${libdir}/ipsec/lib*${SOLIBSDEV} ${libdir}/ipsec/*.la ${libdir}/ipsec/include/config.h" +FILES:${PN}-staticdev += "${libdir}/ipsec/*.a" + +CONFFILES:${PN} = "${sysconfdir}/*.conf ${sysconfdir}/ipsec.d/*.conf ${sysconfdir}/strongswan.d/*.conf" + +PACKAGES += "${PN}-plugins" +ALLOW_EMPTY:${PN}-plugins = "1" + +PACKAGE_BEFORE_PN = "${PN}-imcvs ${PN}-imcvs-dbg" +ALLOW_EMPTY:${PN}-imcvs = "1" + +FILES:${PN}-imcvs = "${libdir}/ipsec/imcvs/*.so" +FILES:${PN}-imcvs-dbg += "${libdir}/ipsec/imcvs/.debug" + +PACKAGES =+ "${PN}-nm ${PN}-nm-dbg" +FILES:${PN}-nm = "${libexecdir}/ipsec/charon-nm ${datadir}/dbus-1/system.d/nm-strongswan-service.conf" +FILES:${PN}-nm-dbg = "${libexecdir}/ipsec/.debug/charon-nm" + +PACKAGES_DYNAMIC += "^${PN}-plugin-.*$" +NOAUTOPACKAGEDEBUG = "1" + +python split_strongswan_plugins () { + sysconfdir = d.expand('${sysconfdir}/strongswan.d/charon') + libdir = d.expand('${libdir}/ipsec/plugins') + dbglibdir = os.path.join(libdir, '.debug') + + def add_plugin_conf(f, pkg, file_regex, output_pattern, modulename): + dvar = d.getVar('PKGD') + oldfiles = d.getVar('CONFFILES:' + pkg) + newfile = '/' + os.path.relpath(f, dvar) + + if not oldfiles: + d.setVar('CONFFILES:' + pkg, newfile) + else: + d.setVar('CONFFILES:' + pkg, oldfiles + " " + newfile) + + split_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True) + do_split_packages(d, sysconfdir, r'(.*)\.conf', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True, hook=add_plugin_conf) + + split_dbg_packages = do_split_packages(d, dbglibdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s-dbg', 'strongSwan %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg') + split_dev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.la', '${PN}-plugin-%s-dev', 'strongSwan %s plugin - Development files', prepend=True, extra_depends='${PN}-dev') + split_staticdev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.a', '${PN}-plugin-%s-staticdev', 'strongSwan %s plugin - Development files (Static Libraries)', prepend=True, extra_depends='${PN}-staticdev') + + if split_packages: + pn = d.getVar('PN') + d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages)) + d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages)) + d.appendVar('RRECOMMENDS:' + pn + '-dev', ' ' + ' '.join(split_dev_packages)) + d.appendVar('RRECOMMENDS:' + pn + '-staticdev', ' ' + ' '.join(split_staticdev_packages)) +} + +PACKAGESPLITFUNCS:prepend = "split_strongswan_plugins " + +# Install some default plugins based on default strongSwan ./configure options +# See https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist +RDEPENDS:${PN} += "\ + ${PN}-plugin-attr \ + ${PN}-plugin-cmac \ + ${PN}-plugin-constraints \ + ${PN}-plugin-dnskey \ + ${PN}-plugin-drbg \ + ${PN}-plugin-kdf \ + ${PN}-plugin-kernel-netlink \ + ${PN}-plugin-nonce \ + ${PN}-plugin-pem \ + ${PN}-plugin-pgp \ + ${PN}-plugin-pkcs1 \ + ${PN}-plugin-pkcs7 \ + ${PN}-plugin-pkcs8 \ + ${PN}-plugin-pubkey \ + ${PN}-plugin-random \ + ${PN}-plugin-resolve \ + ${PN}-plugin-revocation \ + ${PN}-plugin-socket-default \ + ${PN}-plugin-sshkey \ + ${PN}-plugin-updown \ + ${PN}-plugin-vici \ + ${PN}-plugin-x509 \ + ${PN}-plugin-xauth-generic \ + ${PN}-plugin-xcbc \ + " + +RPROVIDES:${PN} += "${PN}-systemd" +RREPLACES:${PN} += "${PN}-systemd" +RCONFLICTS:${PN} += "${PN}-systemd" + +# The deprecated legacy 'strongswan-starter' service should only be used when charon and +# stroke are enabled. When swanctl is in use, 'strongswan.service' is needed. +# See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd +SYSTEMD_SERVICE:${PN} = " \ + ${@bb.utils.contains('PACKAGECONFIG', 'swanctl', '${BPN}.service', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'charon', '${BPN}-starter.service', '', d)} \ +" -- cgit v1.2.3-54-g00ecf