[Pkg-swan-devel] Bug#718302: strongswan: Enable sqlite and mysql plugins

Gerald Turner gturner at unzane.com
Sun Apr 23 22:14:47 UTC 2017


Control: tags -1 + patch

I've tested this patch extensively with the sqlite plugin, works great,
except for my first run when I thought that adding an IPv6 /64 pool
would be reasonable! (it's not, that's 2^64 record insertions) ;-)

Per Tobias Brunner's suggestion of building separate libstrongswan-mysql
and libstrongswan-sqlite packages, I'd be happy to work on this patch to
build additional packages.  However, as Yves-Alexis Perez points out, one
package per plugin may be overkill.  Personally I think something near
having one package per plugin would be useful (especially if each plugin
package had Depends, Recommends, Suggests meticulously maintained), for
instance on my installations, I have overwritten 'load = no' in several
plugin conf files, and on package upgrade I have to deal with the dpkg
conffile prompts (sometimes killing my IPsec tunnel, due to charon being
shut down for those prompts, rather than autonomously upgraded/restarted,
and have to shell in from another network and manually clean up the dpkg
processes that have been detached from the terminal).

Example:

  libcharon-attr-sql-plugin
    Recommends: libstrongswan-mysql-plugin | libstrongswan-sqlite-plugin

  libstrongswan-mysql-plugin
    Depends: libcharon-attr-sql-plugin

  libstrongswan-sqlite-plugin
    Depends: libcharon-attr-sql-plugin

  libstrongswan
    Suggests: libcharon-attr-sql-plugin

Would you like me to work on that?

Otherwise this patch, as-is, simply adds the three plugins to the
existing libcharon-extra-plugins and libstrongswan-extra-plugins
packages.

BTW, I'm uncertain about the Build-Depends on
default-libmysqlclient-dev, I realize that there's some kind of
MySQL/MariaDB transition, but haven't researched any policy on how to
best depend on libmysqlclient-dev.

---
 debian/control                             | 4 ++++
 debian/libcharon-extra-plugins.install     | 6 ++++++
 debian/libstrongswan-extra-plugins.install | 8 ++++++++
 debian/rules                               | 3 +++
 4 files changed, 21 insertions(+)

diff --git a/debian/control b/debian/control
index 25e0c16f..59e08ce9 100644
--- a/debian/control
+++ b/debian/control
@@ -11,6 +11,7 @@ Vcs-Git: git://anonscm.debian.org/pkg-swan/strongswan.git
 Build-Depends: bison,
                bzip2,
                debhelper (>= 9.20151219),
+               default-libmysqlclient-dev,
                dh-apparmor,
                dh-autoreconf,
                dh-systemd (>= 1.5),
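Review bot: The Build-Depends addition covers only the MySQL side. debian/rules in this patch also passes --enable-sqlite, but no SQLite development package is added anywhere in the four debian/control insertions. Please confirm libsqlite3-dev is already in the part of Build-Depends not shown in this hunk; if it is not, add it next to default-libmysqlclient-dev so that configure does not fail in a clean build chroot.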
@@ -146,10 +147,12 @@ Description: strongSwan utility and crypto library (extra plugins)
   - gcrypt (Crypto backend based on libgcrypt, provides
     RSA/DH/ciphers/hashers/rng)
   - ldap (LDAP fetching plugin based on libldap)
+  - mysql (MySQL database backend based on libmysqlclient)
   - padlock (VIA padlock crypto backend, provides AES128/SHA1)
   - pkcs11 (PKCS#11 smartcard backend)
   - rdrand (High quality / high performance random source using the Intel
     rdrand instruction found on Ivy Bridge processors)
+  - sqlite (SQLite database backend based on libsqlite3)
   - test-vectors (Set of test vectors for various algorithms)
 
 Package: libcharon-extra-plugins
@@ -166,6 +169,7 @@ Description: strongSwan charon library (extra plugins)
  This package provides extra plugins for the charon library:
   - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509
     certificates)
+  - attr-sql (Provides IKE attributes read from a database to peers)
   - certexpire (Export expiration dates of used certificates)
   - dnscert (Provides authentication via CERT RRs protected by DNSSEC)
   - eap-aka (Generic EAP-AKA protocol handler using different backends)
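Review bot: The new attr-sql entry in the libcharon-extra-plugins description does not say that the plugin needs a database backend, and the backends (mysql, sqlite) are added to a different package, libstrongswan-extra-plugins. Either extend the description line to name that requirement or make sure libcharon-extra-plugins declares a Depends/Recommends on libstrongswan-extra-plugins, otherwise attr-sql can be installed and loaded with no backend available.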
diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
index 3e242e00..d2535506 100644
--- a/debian/libcharon-extra-plugins.install
+++ b/debian/libcharon-extra-plugins.install
@@ -1,5 +1,6 @@
 # libcharon plugins
 usr/lib/ipsec/plugins/libstrongswan-addrblock.so
+usr/lib/ipsec/plugins/libstrongswan-attr-sql.so
 usr/lib/ipsec/plugins/libstrongswan-certexpire.so
 usr/lib/ipsec/plugins/libstrongswan-dnscert.so
 usr/lib/ipsec/plugins/libstrongswan-eap*.so
@@ -15,6 +16,7 @@ usr/lib/ipsec/plugins/libstrongswan-unity.so
 usr/lib/ipsec/plugins/libstrongswan-xauth-*.so
 # standard configuration files
 usr/share/strongswan/templates/config/plugins/addrblock.conf
+usr/share/strongswan/templates/config/plugins/attr-sql.conf
 usr/share/strongswan/templates/config/plugins/certexpire.conf
 usr/share/strongswan/templates/config/plugins/dnscert.conf
 usr/share/strongswan/templates/config/plugins/eap-*.conf
@@ -28,9 +30,12 @@ usr/share/strongswan/templates/config/plugins/lookip.conf
 usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
 usr/share/strongswan/templates/config/plugins/unity.conf
 usr/share/strongswan/templates/config/plugins/xauth-*.conf
+usr/share/strongswan/templates/config/strongswan.d/pool.conf
 usr/share/strongswan/templates/config/strongswan.d/tnc.conf
+etc/strongswan.d/pool.conf
 etc/strongswan.d/tnc.conf
 etc/strongswan.d/charon/addrblock.conf
+etc/strongswan.d/charon/attr-sql.conf
 etc/strongswan.d/charon/certexpire.conf
 etc/strongswan.d/charon/dnscert.conf
 etc/strongswan.d/charon/eap-*.conf
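Review bot: The two new conffiles etc/strongswan.d/pool.conf and etc/strongswan.d/charon/attr-sql.conf each carry a database URI setting, and with the mysql backend that URI can embed a user name and password. They are installed here like every other plugin snippet, so they will get the default world-readable mode. Consider installing these two files with restricted permissions (for example 0640 root:root) or at least documenting in README.Debian that the admin must tighten them once credentials are added.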
@@ -56,4 +61,5 @@ usr/lib/ipsec/libtpmtss.so*
 # binaries
 usr/lib/ipsec/error-notify
 usr/lib/ipsec/lookip
+usr/lib/ipsec/pool
 usr/lib/ipsec/pt-tls-client
diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
index b922ea3b..e5f8baac 100644
--- a/debian/libstrongswan-extra-plugins.install
+++ b/debian/libstrongswan-extra-plugins.install
@@ -5,7 +5,9 @@ usr/lib/ipsec/plugins/libstrongswan-ctr.so
 usr/lib/ipsec/plugins/libstrongswan-curl.so
 usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
 usr/lib/ipsec/plugins/libstrongswan-ldap.so
+usr/lib/ipsec/plugins/libstrongswan-mysql.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-sqlite.so
 usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
 usr/lib/ipsec/plugins/libstrongswan-unbound.so
 # default configuration files
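Review bot: Shipping libstrongswan-mysql.so and libstrongswan-sqlite.so inside libstrongswan-extra-plugins means every user of that package, including those who only want curl, ldap or pkcs11, now has two database client libraries linked into plugins that are installed by default, and those libraries normally end up in the package's runtime dependencies. That widens the installed footprint of a VPN daemon for no benefit to most users; it is a concrete argument for the separate libstrongswan-mysql-plugin / libstrongswan-sqlite-plugin packages sketched in the message, or at minimum for keeping both plugins at 'load = no' in the shipped conf files.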
@@ -15,15 +17,21 @@ usr/share/strongswan/templates/config/plugins/ctr.conf
 usr/share/strongswan/templates/config/plugins/curl.conf
 usr/share/strongswan/templates/config/plugins/gcrypt.conf
 usr/share/strongswan/templates/config/plugins/ldap.conf
+usr/share/strongswan/templates/config/plugins/mysql.conf
 usr/share/strongswan/templates/config/plugins/pkcs11.conf
+usr/share/strongswan/templates/config/plugins/sqlite.conf
 usr/share/strongswan/templates/config/plugins/test-vectors.conf
 usr/share/strongswan/templates/config/plugins/unbound.conf
+usr/share/strongswan/templates/database/sql/mysql.sql
+usr/share/strongswan/templates/database/sql/sqlite.sql
 etc/strongswan.d/charon/ccm.conf
 etc/strongswan.d/charon/cmac.conf
 etc/strongswan.d/charon/ctr.conf
 etc/strongswan.d/charon/curl.conf
 etc/strongswan.d/charon/gcrypt.conf
 etc/strongswan.d/charon/ldap.conf
+etc/strongswan.d/charon/mysql.conf
 etc/strongswan.d/charon/pkcs11.conf
+etc/strongswan.d/charon/sqlite.conf
 etc/strongswan.d/charon/test-vectors.conf
 etc/strongswan.d/charon/unbound.conf
diff --git a/debian/rules b/debian/rules
index e687018a..08c8aa09 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,6 +6,7 @@ export DEB_BUILD_MAINT_OPTIONS=hardening=+all
 CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-addrblock \
 		--enable-agent \
+		--enable-attr-sql \
 		--enable-ccm \
 		--enable-certexpire \
 		--enable-cmd \
@@ -30,8 +31,10 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-led \
 		--enable-lookip \
 		--enable-mediation \
+		--enable-mysql \
 		--enable-openssl \
 		--enable-pkcs11 \
+		--enable-sqlite \
 		--enable-test-vectors \
 		--enable-unbound \
 		--enable-unity \
-- 
Gerald Turner <gturner at unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D