1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
|
#!/usr/bin/make -f
# Sample debian/rules that uses debhelper.
# GNU copyright 1997 to 1999 by Joey Hess.
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
# This is the debhelper compatability version to use.
export DH_COMPAT=3
export DH_OPTIONS
ifeq (,$(wildcard /usr/bin/po2debconf))
PO2DEBCONF := no
MINDEBCONFVER := 0.5
else
PO2DEBCONF := yes
MINDEBCONFVER := 1.2.0
endif
configure: configure-stamp
configure-stamp:
dh_testdir
# Add here commands to configure the package.
touch configure-stamp
patch-stamp:
dh_testdir
# apply the x509 patches
-echo "Applying the x509 patches"
if [ ! -e "patch-x509-stamp" ] && \
[ -e $(wildcard $(CURDIR)/debian/x509-*-freeswan-*/freeswan.diff) ]; \
then \
patch -p1 < "$(wildcard $(CURDIR)/debian/x509-*-freeswan-*/freeswan.diff)" || exit 1 ; \
touch patch-x509-stamp ; \
fi
# Hack, hack, hack !
rm -f debian/pre-build-patches/00-notify_delete-freeswan-1.98b-020724_with_freeswan-alg.diff
# and all other patches that are pre-build
-echo "Applying all pre-build patches"
if [ ! -e "patch-pre-build.stamp" ]; then \
for f in `ls $(CURDIR)/debian/pre-build-patches/*.diff | sort`; do \
echo "Applying patch $$f"; \
patch -p1 < $$f || exit 1; \
done ; \
touch patch-pre-build.stamp; \
fi
# and replace all calls of 'awk' by 'gawk'
-echo "Replacing all calls of awk by gawk"
if [ ! -e "patch-awk-to-gawk.stamp" ]; then \
for f in `grep "awk " --recursive --files-with-match programs/*`; \
do \
cp $$f $$f.awk-to-gawk.save; \
sed 's/awk /gawk /' $$f.awk-to-gawk.save > $$f; \
done ; \
touch patch-awk-to-gawk.stamp; \
fi
touch patch-stamp
unpatch:
-mv $(CURDIR)/programs/pluto/Makefile.before-edit $(CURDIR)/programs/pluto/Makefile
# undo the replacement of all calls of 'awk' by 'gawk'
-echo "Undoing the replacement of awk by gawk"
if [ -e "patch-awk-to-gawk.stamp" ]; then \
for f in `find $(CURDIR) -name "*.awk-to-gawk.save"`; \
do \
sh -c "oldf=\`expr $$f : '\(.*\)\.awk-to-gawk.save'\`; \
echo \"Restoring \$$oldf\"; \
mv $$f \$$oldf" ; \
done ; \
rm -f patch-awk-to-gawk.stamp; \
fi
# remove the pre-build patches
-echo "Removing the pre-build patches"
if [ -e "patch-pre-build.stamp" ]; then \
for f in `ls $(CURDIR)/debian/pre-build-patches/*.diff | sort -r`; do \
echo "Removing patch $$f" || exit 1; \
patch -R -p1 < $$f; \
done ; \
rm -f patch-pre-build.stamp; \
fi
# remove the x509 patches
-echo "Removing the x509 patches"
if [ -e "patch-x509-stamp" ]; then \
patch -p1 -R < "$(wildcard $(CURDIR)/debian/x509-*-freeswan-*/freeswan.diff)" || exit 1 ; \
rm -f patch-x509-stamp ; \
fi
rm -f patch-stamp
# I know that this isn't really correct according to Debian standards -
# the package should be built here. However, when we build it _before_
# installing the binary-indep (kernel-patch-*) packages, it will need to
# be built again for installing the binary-dep (freeswan) package. The
# reason is that the patch-ext applied patches MUST be applied for build
# but MUST NOT be applied for install-kernel-patch-freeswan.
# Thus I am opting for build speed instead of standard build procedure.
build: build-stamp
build-stamp: patch-stamp
# create a dummy ipsec.secrets file before building the package so
# that no RSA keys are created during the build process
# (a package should not include a RSA key, it should produce the key
# on demand, e.g. in the postinst script)
touch $(CURDIR)/debian/ipsec.secrets
# enable additional features in the pluto Makefile (provided by the
# X.509 patch)
cp $(CURDIR)/programs/pluto/Makefile $(CURDIR)/programs/pluto/Makefile.before-edit
cat $(CURDIR)/programs/pluto/Makefile.before-edit |\
sed 's/#LDAP_VERSION=3/LDAP_VERSION=3/' |\
sed 's/#LIBCURL=1/LIBCURL=1/' |\
sed 's/#SMARTCARD=1/SMARTCARD=1/' >\
$(CURDIR)/programs/pluto/Makefile
$(MAKE) programs INC_USRLOCAL=/usr \
FINALBINDIR=/usr/lib/ipsec \
FINALLIBEXECDIR=/usr/lib/ipsec \
PUBDIR=/usr/sbin \
MANTREE=/usr/share/man \
CONFDIR=$(CURDIR)/debian
# remove the temporary file, it will be created during install
rm -f $(CURDIR)/debian/ipsec.secrets
#/usr/bin/docbook-to-man debian/freeswan.sgml > freeswan.1
# here we re-generate the upstream HTML documentation
$(MAKE) -C doc/ index.html
# also generate the fswcert tool
$(MAKE) -C debian/fswcert/
touch build-stamp
clean: unpatch
dh_testdir
dh_testroot
rm -f build-stamp configure-stamp
-$(MAKE) clean
-$(MAKE) -C debian/fswcert/ clean
# after a make clean, no binaries _should_ be left, but ....
-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm
-find $(CURDIR)/lib/libcrypto -name "*.a" | xargs --no-run-if-empty rm
-$(MAKE) -f debian/rules unpatch
# also clean up the temp dir
rm -rf $(CURDIR)/debian/freeswan-modules-source-build
# just in case something went wrong
rm -f $(CURDIR)/debian/ipsec.secrets
dh_clean
ifeq ($(PO2DEBCONF),yes)
# Hack for woody compatibility. This makes sure that the
# debian/templates file shipped in the source package doesn't
# specify encodings, which woody's debconf can't handle. If building
# on a system with po-debconf installed (conveniently debhelper (>=
# 4.1.16) depends on it), the binary-arch target will generate a
# better version for sarge.
echo 1 > debian/po/output
po2debconf debian/freeswan.templates.master > debian/freeswan.templates
rm -f debian/po/output
endif
install-freeswan: DH_OPTIONS=-a
# This should depend on "build" of we were completely standards-compliant.
install-freeswan: build-stamp
dh_testdir
dh_testroot
dh_installdirs
# Add here commands to install the package into debian/tmp.
$(MAKE) install INC_USRLOCAL=/usr \
FINALBINDIR=/usr/lib/ipsec \
FINALLIBEXECDIR=/usr/lib/ipsec \
PUBDIR=$(CURDIR)/debian/freeswan/usr/sbin \
MANTREE=$(CURDIR)/debian/freeswan/usr/share/man \
DESTDIR=$(CURDIR)/debian/freeswan
rm -rf $(CURDIR)/debian/freeswan/usr/local
install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/freeswan/etc/ipsec.secrets
install $(CURDIR)/debian/mkx509cert.sh $(CURDIR)/debian/freeswan/usr/lib/ipsec/mkx509cert
# install the fswcert tool
install $(CURDIR)/debian/fswcert/fswcert $(CURDIR)/debian/freeswan/usr/bin
# patch the setup script to check for availability of kernel support
#patch -p1 $(CURDIR)/debian/freeswan/etc/init.d/ipsec < debian/pre-install-patches/init.d-add-kernelsupport-check.diff
# patch the init.d script to not call 'depmod -a'
#patch -p1 $(CURDIR)/debian/freeswan/usr/lib/ipsec/_startklips < debian/pre-install-patches/init.d-remove-depmod.diff
rm -f $(CURDIR)/debian/freeswan/etc/init.d/ipsec?*
rm -f $(CURDIR)/debian/freeswan/usr/lib/ipsec/_startklips?*
# this is handled by update-rc.d
rm -rf $(CURDIR)/debian/freeswan/etc/rc?.d
dh_installdocs -pfreeswan -n
# change the paths in the installed doc files (but only in regular
# files, not in links to the outside of the build tree !)
( cd $(CURDIR)/debian/freeswan/; \
for f in `grep "/usr/local/" --recursive --files-with-match *`; \
do \
if [ -f $$f -a ! -L $$f ]; then \
cp $$f $$f.old; \
sed 's/\/usr\/local\//\/usr\//' $$f.old > $$f; \
rm $$f.old; \
fi; \
done )
# the logcheck ignore files
install --mode=0600 $(CURDIR)/debian/logcheck.ignore.paranoid $(CURDIR)/debian/freeswan/etc/logcheck/ignore.d.paranoid/freeswan
install --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/freeswan/etc/logcheck/ignore.d.server/freeswan
install --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/freeswan/etc/logcheck/ignore.d.workstation/freeswan
install --mode=0600 $(CURDIR)/debian/logcheck.violations.ignore $(CURDIR)/debian/freeswan/etc/logcheck/violations.ignore.d/freeswan
# additional docs from the crypto-ext patches (and NAT-T)
-dh_installdocs -pfreeswan -n $(CURDIR)/README.ipsec_alg \
$(CURDIR)/CHANGES.ipsec_alg
-dh_installdocs -pfreeswan -n $(CURDIR)/README.NAT-Traversal
# additional docs from the x509 patch
-dh_installdocs -pfreeswan -n $(CURDIR)/README.x509 \
$(CURDIR)/README.selectors
-install --mode=644 $(CURDIR)/debian/x509-*-freeswan-*/CHANGES \
$(CURDIR)/debian/freeswan/usr/share/doc/freeswan/CHANGES.x509
# but remove the doc/src dir, which just duplicates the HTML files
rm -r $(CURDIR)/debian/freeswan/usr/share/doc/freeswan/doc/src
# if we don't have the crypto-ext patches, this can fail
-dh_installexamples debian/crypto-ext-patches/*.conf \
debian/x509-*-freeswan-*/ipsec.secrets.template
# set permissions on ipsec.secrets (only for freeswan package)
chmod 600 $(CURDIR)/debian/freeswan/etc/ipsec.secrets
chmod 644 $(CURDIR)/debian/freeswan/etc/ipsec.conf
# this also only works with the X.509 patch applied
-chmod 700 -R $(CURDIR)/debian/freeswan/etc/ipsec.d/private/
# more lintian cleanups
find $(CURDIR)/debian/freeswan -name ".cvsignore" | xargs --no-run-if-empty rm
install-freeswan-module-source: DH_OPTIONS=-i
install-freeswan-module-source: PKGDIR=$(CURDIR)/debian/freeswan-modules-source
install-freeswan-module-source: BUILDDIR=$(CURDIR)/debian/freeswan-modules-source-build
install-freeswan-module-source: patch-stamp
dh_testdir
dh_testroot
dh_installdirs
mkdir -p "$(BUILDDIR)/modules/freeswan"
mkdir -p "$(BUILDDIR)/modules/freeswan/lib"
mkdir -p "$(BUILDDIR)/modules/freeswan/debian"
cp -r Makefile.inc Makefile.ver linux/ \
"$(BUILDDIR)/modules/freeswan"
# if we don't have the crypto-ext patches, this can fail
-cp -r lib/libcrypto \
"$(BUILDDIR)/modules/freeswan/lib/"
-find "$(BUILDDIR)/modules/freeswan/lib/" -name "*.o" | xargs --no-run-if-empty rm
install --mode=644 debian/freeswan-modules-source.kernel-config "$(BUILDDIR)/modules/freeswan/config-all.h"
install --mode=755 debian/freeswan-modules-source.rules "$(BUILDDIR)/modules/freeswan/debian/rules"
install --mode=644 debian/freeswan-modules-source.control.in "$(BUILDDIR)/modules/freeswan/debian/control.in"
install --mode=644 debian/changelog "$(BUILDDIR)/modules/freeswan/debian/"
tar -C $(BUILDDIR) -c modules/ | gzip -9 > \
"$(PKGDIR)/usr/src/freeswan-modules.tar.gz"
dh_installdocs -pfreeswan-modules-source -n
# more lintian cleanups
find $(CURDIR)/debian/freeswan-modules-source -name ".cvsignore" | xargs --no-run-if-empty rm
install-kernel-patch-freeswan: DH_OPTIONS=-i
install-kernel-patch-freeswan: PKGDIR=$(CURDIR)/debian/kernel-patch-freeswan
install-kernel-patch-freeswan: patch-stamp
dh_testdir
dh_testroot
dh_installdirs
# some of this has been taken from Tommi Virtanen's package
install --mode=0755 debian/kernel-patch-freeswan.apply \
"$(PKGDIR)/usr/src/kernel-patches/all/apply/freeswan"
install --mode=0755 debian/kernel-patch-freeswan.unpatch \
"$(PKGDIR)/usr/src/kernel-patches/all/unpatch/freeswan"
install --mode=0755 packaging/utils/patcher \
"$(PKGDIR)/usr/src/kernel-patches/all/freeswan"
cp -r Makefile Makefile.inc Makefile.ver lib/ linux/ packaging/ "$(PKGDIR)/usr/src/kernel-patches/all/freeswan"
# also don't generate the out.kpatch file under /usr/src/....
sed 's/>>out.kpatch//' \
"$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile" \
> "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile.tmp"
mv "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile.tmp" \
"$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile"
sed 's/>out.kpatch//' \
"$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile" \
> "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile.tmp"
mv "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile.tmp" \
"$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile"
sed 's/rm -f out.kpatch//' \
"$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile" \
> "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile.tmp"
mv "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile.tmp" \
"$(PKGDIR)/usr/src/kernel-patches/all/freeswan/Makefile"
chmod u=rwX,go=rX "$(PKGDIR)/usr/src/kernel-patches/all/freeswan"
# remove extra junk not needed on linux / that lintian would complain about
find "$(PKGDIR)/usr/src/kernel-patches/all/freeswan" \
-name '*.o' -print0 | xargs --no-run-if-empty -0 rm -f
find "$(PKGDIR)/usr/src/kernel-patches/all/freeswan" \
-name '*.a' -print0 | xargs --no-run-if-empty -0 rm -f
rm -r "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/lib/libfreeswan/"
rm -r "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/lib/libdes/"
rm -r "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/lib/liblwres/"
rm -f "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/lib/COPYING.LIB"
rm -f "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/lib/README"
rm -r "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/packaging/linus"
rm -r "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/packaging/ipkg"
rm -r "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/packaging/makefiles"
rm -r "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/packaging/redhat"
find "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/linux/crypto/ciphers/des/asm/" \
-name '*.pl' -print0 | xargs --no-run-if-empty -0 \
perl -pi -e 's{^#!/usr/local/bin/perl}{#!/usr/bin/perl}g'
# if we don't have the crypto-ext patches, this can fail
-find "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/lib/libcrypto/" \
-name '*.pl' -print0 | xargs --no-run-if-empty -0 \
perl -pi -e 's{^#!/usr/local/bin/perl}{#!/usr/bin/perl}g'
find "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/linux/crypto/ciphers/des/asm/" \
-name '*.pl' -print0 | xargs --no-run-if-empty -0 chmod a+x
# if we don't have the crypto-ext patches, this can fail
-find "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/lib/libcrypto/" \
-name '*.pl' -print0 | xargs --no-run-if-empty -0 chmod a+x
# if we don't have the crypto-ext patches, this can fail
-find "$(PKGDIR)/usr/src/kernel-patches/all/freeswan/linux/net/ipsec/alg/scripts/" \
-name '*.sh' -print0 | xargs --no-run-if-empty -0 chmod a+x
chmod -R u=rwX,go=rX "$(PKGDIR)/usr/src/kernel-patches/all/freeswan"
dh_installdocs -pkernel-patch-freeswan -n
# more lintian cleanups
find $(PKGDIR) -name ".cvsignore" | xargs --no-run-if-empty rm
binary-common:
dh_testdir
dh_testroot
dh_installdebconf
# dh_installinit
# dh_installmanpages
dh_installchangelogs CHANGES
dh_link
dh_strip
dh_compress
dh_fixperms -X etc/ipsec.conf -X etc/ipsec.secrets -X etc/ipsec.d
# dh_makeshlibs
dh_installdeb
dh_shlibdeps
ifeq ($(PO2DEBCONF),yes)
po2debconf -e utf8 debian/freeswan.templates.master > debian/freeswan.templates
endif
dh_gencontrol -- -V'debconf-depends=debconf (>= $(MINDEBCONFVER))'
dh_md5sums
dh_builddeb
# Build architecture-independent files here.
binary-indep: install-freeswan-module-source install-kernel-patch-freeswan
$(MAKE) -f debian/rules DH_OPTIONS=-i binary-common
# Build architecture-dependent files here.
binary-arch: install-freeswan
$(MAKE) -f debian/rules DH_OPTIONS=-a binary-common
# Any other binary targets build just one binary package at a time.
#binary-%: build install
# make -f debian/rules binary-common DH_OPTIONS=-p$*
binary: binary-indep binary-arch
#.PHONY: clean binary-indep binary-arch binary install
.PHONY: clean binary-indep binary-arch
|
