diff --git a/Dockerfile b/Dockerfile
index 12b930a..1c55508 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,7 @@ RUN curl -fL https://storage.googleapis.com/buildroot-cache/2018.11.1.tar.gz | t
 WORKDIR /usr/src/buildroot
 COPY conntrack-tools/* /usr/src/buildroot/package/conntrack-tools/
 COPY slirp4netns/* /usr/src/buildroot/package/slirp4netns/
+COPY strongswan/* /usr/src/buildroot/package/strongswan/
 COPY busybox.config /usr/src/buildroot/package/busybox/
 COPY package/Config.in /usr/src/buildroot/package/
 
@@ -43,6 +44,17 @@ RUN cd .. && \ cp buildroot/output/target/sbin/ip bin/ && \ cp buildroot/output/target/sbin/ebtables bin/ && \ cp buildroot/output/target/bin/busybox bin/ + +# strongswan +RUN cd .. && \ + cp buildroot/output/target/usr/sbin/swanctl bin/ && \ + cp buildroot/output/target/usr/libexec/ipsec/charon bin/ + +# save strongswan etc config +RUN cd .. && \ + mkdir etc && \ + cp -rp buildroot/output/target/var/lib/rancher/k3s/agent/* etc/ + RUN cd ../bin && \ for i in addgroup adduser ar arch arp arping ash awk basename blkid bunzip2 bzcat cat chattr chgrp chmod chown chroot chrt chvt cksum clear cmp cp cpio crond crontab cut date dc dd deallocvt delgroup deluser devmem df diff dirname dmesg dnsd dnsdomainname dos2unix du dumpkmap echo egrep eject env ether-wake expr factor fallocate false fbset fdflush fdformat fdisk fgrep flock fold free freeramdisk fsck fsfreeze fstrim fuser getopt getty grep gunzip gzip halt hdparm head hexdump hexedit hostid hostname hwclock i2cdetect i2cdump i2cget i2cset id ifconfig ifdown ifup inetd init insmod install ipaddr ipcrm ipcs iplink ipneigh iproute iprule iptunnel kill killall killall5 klogd last less link linux32 linux64 linuxrc ln loadfont loadkmap logger login logname losetup ls lsattr lsmod lsof lspci lsscsi lsusb lzcat lzma lzopcat makedevs md5sum mdev mesg microcom mkdir mkdosfs mke2fs mkfifo mknod mkpasswd mkswap mktemp modprobe more mount mountpoint mt mv nameif netstat nice nl nohup nproc nsenter nslookup nuke od openvt partprobe passwd paste patch pidof ping pipe_progress pivot_root poweroff printenv printf ps pwd rdate readlink readprofile realpath reboot renice reset resize resume rm rmdir rmmod route run-init run-parts runlevel sed seq setarch setconsole setfattr setkeycodes setlogcons setpriv setserial setsid sh sha1sum sha256sum sha3sum sha512sum shred sleep sort start-stop-daemon strings stty su sulogin svc svok swapoff swapon switch_root sync sysctl syslogd tail tar tc tee telnet test tftp time top touch 
tr traceroute true truncate tty ubirename udhcpc uevent umount uname uniq unix2dos unlink unlzma unlzop unxz unzip uptime usleep uudecode uuencode vconfig vi vlock w watch watchdog wc wget which who whoami xargs xxd xz xzcat yes zcat; do ln -s busybox $i; done && \ for i in iptables iptables-save iptables-restore; do ln -s xtables-multi $i; done && \ diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..27f7bae --- /dev/null +++ b/Vagrantfile 
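Review bot: The `# save strongswan etc config` comment above the second new RUN does not say where the copied tree has to land on the node. strongswan.mk in this same commit configures `--sysconfdir=/var/lib/rancher/k3s/agent/strongswan`, so the binaries copied into `bin/` will only find `strongswan.conf`, `swanctl/` and any secrets file if the consumer restores the tarball's `etc/` under `/var/lib/rancher/k3s/agent`, not under `/etc` as the directory name suggests. I would make the comment explicit: `# save strongswan config tree; built with sysconfdir=/var/lib/rancher/k3s/agent/strongswan, so ./etc must be restored under /var/lib/rancher/k3s/agent, not /etc`. It is also worth noting next to `cp -rp` that the `-p` is deliberate, because it preserves whatever restrictive modes the package install step put on secrets files (presumably strongSwan's usual 0600 on `ipsec.secrets`; confirm against the installed tree), and a later cleanup replacing it with `cp -r` would silently loosen them.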
@@ -0,0 +1,124 @@ +################################################################################ +# +# Vagrantfile +# +################################################################################ + +# Buildroot version to use +# RELEASE='2019.05.1' +RELEASE='2018.11.1' + +### Change here for more memory/cores ### +VM_MEMORY=4096 +VM_CORES=4 + +PROJECT_DIR="/vbox" +ARCH="amd64" + +plugin_installed = false +required_plugins = %w( vagrant-vbguest ) + +required_plugins.each do |plugin| + unless Vagrant.has_plugin?(plugin) + system "vagrant plugin install #{plugin}" + plugin_installed = true + end +end + +if plugin_installed === true + exec "vagrant #{ARGV.join' '}" +end + +Vagrant.configure('2') do |config| + config.vm.box = 'ubuntu/bionic64' + + config.vm.provider :vmware_fusion do |v, override| + v.vmx['memsize'] = VM_MEMORY + v.vmx['numvcpus'] = VM_CORES + end + + config.vm.synced_folder ".", PROJECT_DIR + + config.vm.provider :virtualbox do |v, override| + v.memory = VM_MEMORY + v.cpus = VM_CORES + end + + config.vm.provision 'shell' do |s| + s.inline = 'echo Setting up machine name' + + config.vm.provider :vmware_fusion do |v, override| + v.vmx['displayname'] = "Buildroot #{RELEASE}" + end + + config.vm.provider :virtualbox do |v, override| + v.name = "Buildroot #{RELEASE}" + end + end + + config.vm.provision 'shell', privileged: true, inline: + " + sed -i 's|deb http://us.archive.ubuntu.com/ubuntu/|deb mirror://mirrors.ubuntu.com/mirrors.txt|g' /etc/apt/sources.list + dpkg --add-architecture i386 + apt-get -q update + apt-get purge -q -y snapd lxcfs lxd ubuntu-core-launcher snap-confine + UCF_FORCE_CONFOLD=1 \ + DEBIAN_FRONTEND=noninteractive \ + apt-get -o 'Dpkg::Options::=--force-confdef' -o 'Dpkg::Options::=--force-confold' -qq -y install \ + build-essential \ + libncurses5-dev \ + git \ + bzr \ + cvs \ + mercurial \ + subversion \ + libc6:i386 \ + unzip \ + bc \ + ccache \ + gcc \ + g++ \ + rsync \ + wget \ + curl \ + ca-certificates \ + ncurses-dev \ 
+ python \ + + apt-get -q -y autoremove + apt-get -q -y clean + update-locale LC_ALL=C + " + + config.vm.provision 'shell', privileged: false, inline: + " + echo 'Downloading and extracting buildroot #{RELEASE}' + sudo mkdir -m 777 -p /usr/src/buildroot + curl -sL https://buildroot.org/downloads/buildroot-#{RELEASE}.tar.bz2 | tar xvjf - -C /usr/src/buildroot --strip-components=1 + curl -sL https://storage.googleapis.com/buildroot-cache/#{RELEASE}.tar.gz | tar xvzf - -C /usr/src/buildroot + " + + config.vm.provision 'shell', privileged: false, inline: + " + cd #{PROJECT_DIR} + cp package/Config.in /usr/src/buildroot/package/ + + mkdir -p /usr/src/buildroot/package/conntrack-tools/ + cp conntrack-tools/* /usr/src/buildroot/package/conntrack-tools/ + + mkdir -p /usr/src/buildroot/package/slirp4netns/ + cp slirp4netns/* /usr/src/buildroot/package/slirp4netns/ + + mkdir -p /usr/src/buildroot/package/strongswan/ + cp strongswan/* /usr/src/buildroot/package/strongswan/ + + mkdir -p /usr/src/buildroot/package/busybox/ + cp busybox.config /usr/src/buildroot/package/busybox/ + + cat buildroot/config buildroot/#{ARCH}config >/usr/src/buildroot/.config + + cd /usr/src/buildroot/ + # make oldconfig + " + +end diff --git a/build.sh b/build.sh index 310a1fc..0225761 100755 --- a/build.sh +++ b/build.sh @@ -4,5 +4,5 @@ set -x -e mkdir -p dist for ARCH in amd64 arm arm64; do docker build --build-arg ARCH=${ARCH} -t k3s-root . - docker run -i --rm -v k3s-root-cache:/usr/src/ccache k3s-root tar cf - -C /usr/src ./bin > dist/k3s-root-${ARCH}.tar + docker run -i --rm -v k3s-root-cache:/usr/src/ccache k3s-root tar cf - -C /usr/src ./bin ./etc > dist/k3s-root-${ARCH}.tar done diff --git a/buildroot/config b/buildroot/config index 317f8bd..aed470b 100644 --- a/buildroot/config +++ b/buildroot/config 
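Review bot: The two `curl -sL ... | tar x...` lines in the download provisioner fetch `buildroot-#{RELEASE}.tar.bz2` and the buildroot-cache tarball with no integrity check and without `-f`, so an HTTP error body is silently piped into tar and whatever the server returns becomes the build tree that is then compiled and run. The Dockerfile hunk above already uses `curl -fL` for the same cache tarball; at minimum these should match, `curl -fsSL ...`, and ideally the expected sha256 of the release tarball should sit next to `RELEASE=` and be checked with `sha256sum -c` before extraction (use a labelled placeholder until the value is recorded). `sudo mkdir -m 777 -p /usr/src/buildroot` also makes the whole source tree world-writable for every user on the VM; creating it owned by the provisioning user instead avoids that. The trailing `# make oldconfig` is commented-out recipe text and should either run or be removed with a note saying why it is skipped.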
@@ -77,10 +77,10 @@ BR2_COMPILER_PARANOID_UNSAFE_PATH=y # # Security Hardening Options # - -# -# Stack Smashing Protection needs a toolchain w/ SSP -# +BR2_SSP_NONE=y +# BR2_SSP_REGULAR is not set +# BR2_SSP_STRONG is not set +# BR2_SSP_ALL is not set # # RELocation Read Only (RELRO) needs shared libraries @@ -94,7 +94,7 @@ BR2_COMPILER_PARANOID_UNSAFE_PATH=y # Toolchain # BR2_TOOLCHAIN=y -BR2_TOOLCHAIN_USES_UCLIBC=y +BR2_TOOLCHAIN_USES_MUSL=y BR2_TOOLCHAIN_BUILDROOT=y # BR2_TOOLCHAIN_EXTERNAL is not set @@ -102,13 +102,13 @@ BR2_TOOLCHAIN_BUILDROOT=y # Toolchain Buildroot Options # BR2_TOOLCHAIN_BUILDROOT_VENDOR="buildroot" -BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y +# BR2_TOOLCHAIN_BUILDROOT_UCLIBC is not set # # glibc needs a toolchain w/ dynamic library, kernel headers >= 3.2 # -# BR2_TOOLCHAIN_BUILDROOT_MUSL is not set -BR2_TOOLCHAIN_BUILDROOT_LIBC="uclibc" +BR2_TOOLCHAIN_BUILDROOT_MUSL=y +BR2_TOOLCHAIN_BUILDROOT_LIBC="musl" # # Kernel Header Options @@ -125,21 +125,7 @@ BR2_KERNEL_HEADERS_4_18=y # BR2_KERNEL_HEADERS_CUSTOM_GIT is not set BR2_DEFAULT_KERNEL_HEADERS="4.18.20" BR2_PACKAGE_LINUX_HEADERS=y - -# -# uClibc Options -# -BR2_PACKAGE_UCLIBC=y -BR2_UCLIBC_CONFIG="package/uclibc/uClibc-ng.config" -BR2_UCLIBC_CONFIG_FRAGMENT_FILES="" -BR2_TOOLCHAIN_BUILDROOT_WCHAR=y -# BR2_TOOLCHAIN_BUILDROOT_LOCALE is not set -BR2_PTHREADS_NATIVE=y -# BR2_PTHREADS_NONE is not set -# BR2_PTHREAD_DEBUG is not set -# BR2_TOOLCHAIN_BUILDROOT_USE_SSP is not set -BR2_UCLIBC_INSTALL_UTILS=y -BR2_UCLIBC_TARGET_ARCH="x86_64" +BR2_PACKAGE_MUSL=y # # Binutils Options @@ -181,8 +167,11 @@ BR2_PACKAGE_GDB_NEEDS_CXX11=y # BR2_TOOLCHAIN_SUPPORTS_ALWAYS_LOCKFREE_ATOMIC_INTS=y BR2_USE_WCHAR=y +BR2_ENABLE_LOCALE=y BR2_TOOLCHAIN_HAS_THREADS=y +BR2_TOOLCHAIN_HAS_THREADS_DEBUG=y BR2_TOOLCHAIN_HAS_THREADS_NPTL=y +BR2_TOOLCHAIN_HAS_SSP=y BR2_USE_MMU=y BR2_TARGET_OPTIMIZATION="" BR2_TARGET_LDFLAGS="" 
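Review bot: The first hunk sets `BR2_SSP_NONE=y` while a later hunk in the same file now declares `BR2_TOOLCHAIN_HAS_SSP=y`, so the switch from uClibc to musl made stack protection available and this config explicitly opts out of it. charon parses IKE messages from the network, which is the code most worth building with `-fstack-protector-strong`; I would flip the two lines to `# BR2_SSP_NONE is not set` and `BR2_SSP_STRONG=y` (via menuconfig, since this is a generated Kconfig file), or state in the commit message why it must stay off if a musl/static-link problem was seen in testing. RELRO remains unavailable because the toolchain produces static binaries, as the unchanged comment just below the hunk already says, so SSP is the only one of the hardening options this config can actually use.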
@@ -499,7 +488,10 @@ BR2_PACKAGE_PIGZ=y # # dstat needs a toolchain w/ wchar, threads, dynamic library # -# BR2_PACKAGE_DT is not set + +# +# dt needs a glibc or uClibc toolchain w/ threads +# # # duma needs a toolchain w/ C++, threads, dynamic library @@ -514,10 +506,6 @@ BR2_PACKAGE_PIGZ=y # BR2_PACKAGE_GDB_ARCH_SUPPORTS=y -# -# gdb/gdbserver needs a toolchain w/ threads, threads debug -# - # # gdb/gdbserver >= 8.x needs a toolchain w/ C++, gcc >= 4.8 # @@ -538,7 +526,10 @@ BR2_PACKAGE_KVM_UNIT_TESTS_ARCH_SUPPORTS=y # BR2_PACKAGE_LMBENCH is not set # BR2_PACKAGE_LSOF is not set BR2_PACKAGE_LTP_TESTSUITE_ARCH_SUPPORTS=y -# BR2_PACKAGE_LTP_TESTSUITE is not set + +# +# ltp-testsuite needs a glibc or uClibc toolchain w/ NPTL +# BR2_PACKAGE_LTRACE_ARCH_SUPPORTS=y # @@ -556,10 +547,7 @@ BR2_PACKAGE_LTRACE_ARCH_SUPPORTS=y # BR2_PACKAGE_MCELOG is not set # BR2_PACKAGE_MEMSTAT is not set # BR2_PACKAGE_NETPERF is not set - -# -# netsniff-ng needs a glibc or musl toolchain w/ threads, headers >= 3.0 -# +# BR2_PACKAGE_NETSNIFF_NG is not set # # nmon needs a glibc toolchain @@ -685,7 +673,10 @@ BR2_PACKAGE_FINDUTILS=y # # curlftpfs needs a toolchain w/ wchar, threads, dynamic library # -# BR2_PACKAGE_DAVFS2 is not set + +# +# davfs2 needs a glibc or uClibc toolchain +# # BR2_PACKAGE_DOSFSTOOLS is not set # BR2_PACKAGE_E2FSPROGS is not set # BR2_PACKAGE_E2TOOLS is not set @@ -1906,7 +1897,7 @@ BR2_PACKAGE_WEBKITGTK_ARCH_SUPPORTS_JIT=y # # BR2_PACKAGE_LIBROXML is not set # BR2_PACKAGE_LIBUCL is not set -# BR2_PACKAGE_LIBXML2 is not set +BR2_PACKAGE_LIBXML2=y # # libxml++ needs a toolchain w/ C++, wchar, threads, gcc >= 4.9 @@ -2397,7 +2388,7 @@ BR2_PACKAGE_CLASSPATH_ARCH_SUPPORTS=y # # glm needs a toolchain w/ C++ # -# BR2_PACKAGE_GMP is not set +BR2_PACKAGE_GMP=y # BR2_PACKAGE_GSL is not set # 
@@ -2536,6 +2527,7 @@ BR2_PACKAGE_LLVM_TARGET_ARCH="X86" # msgpack needs a toolchain w/ C++ # # BR2_PACKAGE_MTDEV2TUIO is not set +BR2_PACKAGE_MUSL_COMPAT_HEADERS=y BR2_PACKAGE_OPENBLAS_DEFAULT_TARGET="PRESCOTT" BR2_PACKAGE_OPENBLAS_ARCH_SUPPORTS=y # BR2_PACKAGE_OPENBLAS is not set @@ -2616,7 +2608,6 @@ BR2_PACKAGE_PROTOBUF_ARCH_SUPPORTS=y # BR2_PACKAGE_LIBENCA is not set # BR2_PACKAGE_LIBESTR is not set # BR2_PACKAGE_LIBFRIBIDI is not set -# BR2_PACKAGE_LIBICONV is not set # BR2_PACKAGE_LIBUNISTRING is not set # BR2_PACKAGE_LINENOISE is not set # BR2_PACKAGE_NCURSES is not set @@ -2634,10 +2625,6 @@ BR2_PACKAGE_PROTOBUF_ARCH_SUPPORTS=y # tclap needs a toolchain w/ C++ # -# -# ustr needs a toolchain w/ dynamic library -# - # # Mail # @@ -2758,7 +2745,10 @@ BR2_PACKAGE_QEMU_ARCH_SUPPORTS_TARGET=y # # c-icap needs a toolchain w/ threads and dynamic library # -# BR2_PACKAGE_CAN_UTILS is not set + +# +# can-utils needs a glibc or uClibc toolchain +# # # cannelloni needs a toolchain w/ C++, threads, dynamic library, gcc >= 4.8 @@ -2872,7 +2862,6 @@ BR2_PACKAGE_IFUPDOWN_SCRIPTS=y # # BR2_PACKAGE_IPERF3 is not set BR2_PACKAGE_IPROUTE2=y -# BR2_PACKAGE_IPSEC_TOOLS is not set BR2_PACKAGE_IPSET=y BR2_PACKAGE_IPTABLES=y # BR2_PACKAGE_IPTABLES_BPF_NFSYNPROXY is not set @@ -2937,7 +2926,6 @@ BR2_PACKAGE_IPTABLES=y # mjpg-streamer needs a toolchain w/ threads, headers >= 3.16, dynamic library # # BR2_PACKAGE_MODEM_MANAGER is not set -BR2_PACKAGE_MONGREL2_LIBC_SUPPORTS=y # # mongrel2 needs a uClibc or glibc toolchain w/ C++, threads, dynamic library @@ -3007,7 +2995,10 @@ BR2_PACKAGE_MONGREL2_LIBC_SUPPORTS=y # BR2_PACKAGE_OPENOBEX is not set # BR2_PACKAGE_OPENRESOLV is not set # BR2_PACKAGE_OPENSSH is not set -# BR2_PACKAGE_OPENSWAN is not set + +# +# openswan needs a uClibc or glibc toolchain w/ headers >= 3.4 +# # BR2_PACKAGE_OPENVPN is not set # BR2_PACKAGE_P910ND is not set # BR2_PACKAGE_PHYTOOL is not set 
@@ -3101,6 +3092,23 @@ BR2_PACKAGE_SOCAT=y # # strongswan needs a toolchain w/ threads, dynamic library # +BR2_PACKAGE_STRONGSWAN=y +# BR2_PACKAGE_STRONGSWAN_OPENSSL is not set +# BR2_PACKAGE_STRONGSWAN_GCRYPT is not set +BR2_PACKAGE_STRONGSWAN_GMP=y +BR2_PACKAGE_STRONGSWAN_AF_ALG=y +# BR2_PACKAGE_STRONGSWAN_CURL is not set +BR2_PACKAGE_STRONGSWAN_CHARON=y +BR2_PACKAGE_STRONGSWAN_TNCCS_11=y +BR2_PACKAGE_STRONGSWAN_TNCCS_20=y +BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC=y +BR2_PACKAGE_STRONGSWAN_EAP=y +# BR2_PACKAGE_STRONGSWAN_UNITY is not set +BR2_PACKAGE_STRONGSWAN_STROKE=y +BR2_PACKAGE_STRONGSWAN_PKI=y +# BR2_PACKAGE_STRONGSWAN_SCEP is not set +BR2_PACKAGE_STRONGSWAN_SCRIPTS=y +BR2_PACKAGE_STRONGSWAN_VICI=y # BR2_PACKAGE_STUNNEL is not set # BR2_PACKAGE_TCPDUMP is not set # BR2_PACKAGE_TCPING is not set @@ -3234,7 +3242,10 @@ BR2_PACKAGE_SOCAT=y # Real-Time # BR2_PACKAGE_XENOMAI_ARCH_SUPPORTS=y -# BR2_PACKAGE_XENOMAI is not set + +# +# xenomai needs an glibc or uClibc toolchain w/ threads +# # # Security @@ -3312,10 +3323,7 @@ BR2_PACKAGE_XENOMAI_ARCH_SUPPORTS=y # time needs a toolchain w/ dynamic library # # BR2_PACKAGE_TINI is not set - -# -# tmux needs a toolchain w/ wchar, locale -# +# BR2_PACKAGE_TMUX is not set # BR2_PACKAGE_WHICH is not set # BR2_PACKAGE_XMLSTARLET is not set # BR2_PACKAGE_XXHASH is not set @@ -3340,7 +3348,10 @@ BR2_PACKAGE_AUDIT_ARCH_SUPPORTS=y BR2_PACKAGE_COREUTILS=y # BR2_PACKAGE_CPULOAD is not set # BR2_PACKAGE_DAEMON is not set -# BR2_PACKAGE_DC3DD is not set + +# +# dc3dd needs a glibc or uClibc toolchain w/ threads +# # BR2_PACKAGE_DCRON is not set # @@ -3386,10 +3397,7 @@ BR2_PACKAGE_INITSCRIPTS=y # # kmod needs a toolchain w/ dynamic library # - -# -# kvmtool needs a glibc or musl toolchain -# +# BR2_PACKAGE_KVMTOOL is not set # # libostree needs a uClibc or glibc toolchain w/ threads, dynamic library, wchar diff --git a/strongswan/Config.in b/strongswan/Config.in new file mode 100644 index 0000000..6d51b8c --- /dev/null 
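Review bot: The strongswan block chooses `BR2_PACKAGE_STRONGSWAN_GMP=y` with OpenSSL and gcrypt unset, and turns on all three TNCCS modules plus EAP, but nothing records why this feature set was picked. The backend determines what the agent can negotiate — as far as I know the gmp plugin supplies RSA and MODP Diffie-Hellman only, so elliptic-curve groups and ECDSA are unavailable unless another plugin provides them — and `BR2_PACKAGE_STRONGSWAN_TNCCS_11=y` is what drags in `BR2_PACKAGE_LIBXML2=y` elsewhere in this diff, adding XML parsing of peer-supplied data to the static charon. If k3s only needs plain IKEv2 with PSK or certificates, the TNCCS and EAP symbols can be left `is not set` to shrink the attack surface; otherwise a sentence in the commit message naming the required VPN features would let the next maintainer prune these safely.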
+++ b/strongswan/Config.in 
@@ -0,0 +1,133 @@ +comment "strongswan needs a toolchain w/ threads, dynamic library" + depends on BR2_USE_MMU + depends on BR2_TOOLCHAIN_HAS_ATOMIC + depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS + +menuconfig BR2_PACKAGE_STRONGSWAN + bool "strongswan" + depends on BR2_USE_MMU # fork() + depends on BR2_TOOLCHAIN_HAS_THREADS + depends on BR2_TOOLCHAIN_HAS_ATOMIC +# depends on !BR2_STATIC_LIBS + help + strongSwan is an OpenSource IPsec implementation for the + Linux operating system. It is based on the discontinued + FreeS/WAN project and the X.509 patch. + + The focus is on: + - simplicity of configuration + - strong encryption and authentication methods + - powerful IPsec policies supporting large and complex + VPN networks + + strongSwan provide many plugins. Only a few are presented + here. + + http://www.strongswan.org/ + +if BR2_PACKAGE_STRONGSWAN + +choice + prompt "Cryptographic backend" + default BR2_PACKAGE_STRONGSWAN_GMP + +config BR2_PACKAGE_STRONGSWAN_OPENSSL + bool "OpenSSL" + select BR2_PACKAGE_OPENSSL + +config BR2_PACKAGE_STRONGSWAN_GCRYPT + bool "libgcrypt" + depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS # libgcrypt + select BR2_PACKAGE_LIBGCRYPT + +config BR2_PACKAGE_STRONGSWAN_GMP + bool "GNU MP (libgmp)" + select BR2_PACKAGE_GMP + +endchoice + +config BR2_PACKAGE_STRONGSWAN_AF_ALG + bool "Enable AF_ALG crypto interface to Linux Crypto API" + +config BR2_PACKAGE_STRONGSWAN_CURL + bool "Enable CURL fetcher plugin to fetch files via libcurl" + select BR2_PACKAGE_LIBCURL + +config BR2_PACKAGE_STRONGSWAN_CHARON + bool "Enable the IKEv1/IKEv2 keying daemon charon" + default y + +if BR2_PACKAGE_STRONGSWAN_CHARON + +config BR2_PACKAGE_STRONGSWAN_TNCCS_11 + bool "Enable TNCCS 1.1 protocol module" + select BR2_PACKAGE_LIBXML2 + +config BR2_PACKAGE_STRONGSWAN_TNCCS_20 + bool "Enable TNCCS 2.0 protocol module" + +config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC + bool "Enable dynamic TNCCS protocol discovery module" + +config 
BR2_PACKAGE_STRONGSWAN_EAP + bool "Enable EAP protocols" + help + Enable various EAP protocols: + - mschapv2 + - tls + - ttls + - peap + - sim + - sim-file + - aka + - aka-3gpp2 + - simaka-sql + - simaka-pseudonym + - simaka-reauth + - identity + - md5 + - gtc + - tnc + - dynamic + - radius + +if BR2_PACKAGE_STRONGSWAN_EAP + +config BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC + bool "Enable EAP-SIM smart card backend" + depends on !BR2_STATIC_LIBS # pcsc-lite + select BR2_PACKAGE_PCSC_LITE + +endif + +config BR2_PACKAGE_STRONGSWAN_UNITY + bool "Enables Cisco Unity extension plugin" + +config BR2_PACKAGE_STRONGSWAN_STROKE + bool "Enable charons stroke configuration backend" + default y + +config BR2_PACKAGE_STRONGSWAN_SQL + bool "Enable SQL database configuration backend" + depends on BR2_PACKAGE_SQLITE || BR2_PACKAGE_MYSQL + +endif + +config BR2_PACKAGE_STRONGSWAN_PKI + bool "Enable pki certificate utility" + default y + +config BR2_PACKAGE_STRONGSWAN_SCEP + bool "Enable SCEP client tool" + +config BR2_PACKAGE_STRONGSWAN_SCRIPTS + bool "Enable additional utilities (found in scripts directory)" + default y + depends on BR2_PACKAGE_STRONGSWAN_CHARON + +config BR2_PACKAGE_STRONGSWAN_VICI + bool "Enable vici/swanctl" + default y + depends on BR2_PACKAGE_STRONGSWAN_CHARON + +endif diff --git a/strongswan/strongswan.hash b/strongswan/strongswan.hash new file mode 100644 index 0000000..3e71c61 --- /dev/null +++ b/strongswan/strongswan.hash @@ -0,0 +1,7 @@ +# From http://download.strongswan.org/strongswan-5.8.1.tar.bz2.md5 +md5 5a6b9980cd1ac4fad3c24b55ed960ac9 strongswan-5.8.1.tar.bz2 +# Calculated based on the hash above +sha256 d9af70acea5c054952ad1584916c1bf231b064eb6c8a9791dcb6ae90a769990c strongswan-5.8.1.tar.bz2 +# Locally calculated +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING +sha256 2292e21797754548dccdef9eef6aee7584e552fbd890fa914e1de8d3577d23f0 LICENSE 
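Review bot: The `# depends on !BR2_STATIC_LIBS` line under `menuconfig BR2_PACKAGE_STRONGSWAN` is commented out, but the `comment "strongswan needs a toolchain w/ threads, dynamic library"` at the top of the file still carries `depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS`, so on a static toolchain menuconfig shows the "needs dynamic library" notice right next to a package that is now selectable. Drop the dead `depends on` line, change the notice to `comment "strongswan needs a toolchain w/ threads"` with `depends on !BR2_TOOLCHAIN_HAS_THREADS`, and add a one-line Kconfig comment above the menuconfig such as `# static build is supported here because strongswan.mk configures --enable-monolithic --enable-static`. `BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC` keeps its own `depends on !BR2_STATIC_LIBS # pcsc-lite`, which is still correct and should stay.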
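Review bot: The sha256 for `strongswan-5.8.1.tar.bz2` is annotated `# Calculated based on the hash above`, i.e. it was derived locally from a download whose only upstream-published check is the MD5, so the pinned value proves the tarball has not changed since the author fetched it, not that it matched what upstream released. As far as I recall strongSwan publishes a detached signature next to each release tarball; verifying the archive against that once and then recording the sha256 with a comment like `# Locally calculated after verifying the upstream signature` turns the pin into a real provenance check. Buildroot only enforces the sha256 at build time, so that is the value whose origin matters.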
diff --git a/strongswan/strongswan.mk b/strongswan/strongswan.mk
new file mode 100644
index 0000000..1990c14
--- /dev/null
+++ b/strongswan/strongswan.mk
@@ -0,0 +1,95 @@ +################################################################################ +# +# strongswan +# +################################################################################ + +STRONGSWAN_VERSION = 5.8.1 +STRONGSWAN_SOURCE = strongswan-$(STRONGSWAN_VERSION).tar.bz2 +STRONGSWAN_SITE = http://download.strongswan.org +STRONGSWAN_LICENSE = GPL-2.0+ +STRONGSWAN_LICENSE_FILES = COPYING LICENSE +STRONGSWAN_DEPENDENCIES = host-pkgconf +STRONGSWAN_INSTALL_STAGING = YES +STRONGSWAN_CONF_OPTS += \ + --with-resolv-conf=/etc/resolv.conf \ + --sysconfdir=/var/lib/rancher/k3s/agent/strongswan \ + --enable-monolithic \ + --enable-static \ + --disable-shared \ + --without-lib-prefix \ + --enable-kernel-netlink=yes \ + --enable-socket-default=yes \ + --enable-openssl=$(if $(BR2_PACKAGE_STRONGSWAN_OPENSSL),yes,no) \ + --enable-gcrypt=$(if $(BR2_PACKAGE_STRONGSWAN_GCRYPT),yes,no) \ + --enable-gmp=$(if $(BR2_PACKAGE_STRONGSWAN_GMP),yes,no) \ + --enable-af-alg=$(if $(BR2_PACKAGE_STRONGSWAN_AF_ALG),yes,no) \ + --enable-curl=$(if $(BR2_PACKAGE_STRONGSWAN_CURL),yes,no) \ + --enable-charon=$(if $(BR2_PACKAGE_STRONGSWAN_CHARON),yes,no) \ + --enable-tnccs-11=$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_11),yes,no) \ + --enable-tnccs-20=$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_20),yes,no) \ + --enable-tnccs-dynamic=$(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC),yes,no) \ + --enable-eap-sim-pcsc=$(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC),yes,no) \ + --enable-unity=$(if $(BR2_PACKAGE_STRONGSWAN_UNITY),yes,no) \ + --enable-stroke=$(if $(BR2_PACKAGE_STRONGSWAN_STROKE),yes,no) \ + --enable-sql=$(if $(BR2_PACKAGE_STRONGSWAN_SQL),yes,no) \ + --enable-pki=$(if $(BR2_PACKAGE_STRONGSWAN_PKI),yes,no) \ + --enable-scepclient=$(if $(BR2_PACKAGE_STRONGSWAN_SCEP),yes,no) \ + --enable-scripts=$(if $(BR2_PACKAGE_STRONGSWAN_SCRIPTS),yes,no) \ + --enable-vici=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \ + --enable-swanctl=$(if $(BR2_PACKAGE_STRONGSWAN_VICI),yes,no) \ + --with-ipseclibdir=/usr/lib \ 
+ --with-plugindir=/usr/lib/ipsec/plugins \ + --with-imcvdir=/usr/lib/ipsec/imcvs \ + --with-dev-headers=/usr/include + +# --enable-led \ +# --enable-pkcs11=yes \ + +ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y) +STRONGSWAN_CONF_ENV += LIBS='-latomic' +endif + +ifeq ($(BR2_PACKAGE_STRONGSWAN_EAP),y) +STRONGSWAN_CONF_OPTS += \ + --enable-eap-sim \ + --enable-eap-sim-file \ + --enable-eap-aka \ + --enable-eap-aka-3gpp2 \ + --enable-eap-simaka-sql \ + --enable-eap-simaka-pseudonym \ + --enable-eap-simaka-reauth \ + --enable-eap-identity \ + --enable-eap-md5 \ + --enable-eap-gtc \ + --enable-eap-mschapv2 \ + --enable-eap-tls \ + --enable-eap-ttls \ + --enable-eap-peap \ + --enable-eap-tnc \ + --enable-eap-dynamic \ + --enable-eap-radius +STRONGSWAN_DEPENDENCIES += gmp +endif + +STRONGSWAN_DEPENDENCIES += \ + $(if $(BR2_PACKAGE_STRONGSWAN_OPENSSL),openssl) \ + $(if $(BR2_PACKAGE_STRONGSWAN_GCRYPT),libgcrypt) \ + $(if $(BR2_PACKAGE_STRONGSWAN_GMP),gmp) \ + $(if $(BR2_PACKAGE_STRONGSWAN_CURL),libcurl) \ + $(if $(BR2_PACKAGE_STRONGSWAN_TNCCS_11),libxml2) \ + $(if $(BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC),pcsc-lite) + +ifeq ($(BR2_PACKAGE_STRONGSWAN_SQL),y) +STRONGSWAN_DEPENDENCIES += \ + $(if $(BR2_PACKAGE_SQLITE),sqlite) \ + $(if $(BR2_PACKAGE_MYSQL),mysql) +endif + +# disable connmark/forecast until net/if.h vs. linux/if.h conflict resolved +# problem exist since linux 4.5 header changes +STRONGSWAN_CONF_OPTS += \ + --disable-connmark \ + --disable-forecast + +$(eval $(autotools-package))
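Review bot: `STRONGSWAN_SITE = http://download.strongswan.org` fetches the release over plain HTTP; the sha256 in strongswan.hash catches a tampered archive, but the download then rests entirely on that one locally calculated value, so `STRONGSWAN_SITE = https://download.strongswan.org` is a free improvement. The two commented-out options `# --enable-led \` and `# --enable-pkcs11=yes \` after the CONF_OPTS block are dead make text and should be removed, or turned into an `ifeq` on a Config.in symbol if PKCS#11 support is planned. `--sysconfdir=/var/lib/rancher/k3s/agent/strongswan` is the one k3s-specific deviation from the upstream package and deserves a comment saying so, since the Dockerfile's later `cp -rp .../agent/* etc/` depends on exactly that path.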