rpm-sequoia-crypto-policy: Fix build failure on Debian 12+Strongswan

Message ID 20250415213427.2213414-1-yoann.congal@smile.fr
State Accepted, archived
Commit d10ca0fe194b62b2f383be880a008cde2bd0fd4f

Commit Message

Yoann Congal April 15, 2025, 9:34 p.m. UTC
From: Yoann Congal <yoann.congal@smile.fr>

rpm-sequoia-crypto-policy tries to validate the configuration files
using host tools. For the Strongswan policy, it uses
"ipsec readwriteconf" which is not available on Debian 12 with
Strongswan installed.
To fix this, add and use an option to skip the problematic validation.

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 ...w-skipping-test_config-for-old-ipsec.patch | 29 +++++++++++++++++++
 .../rpm-sequoia-crypto-policy_git.bb          |  8 +++--
 2 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch
Patch

diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch
new file mode 100644
index 0000000000..afb302e75e
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch
@@ -0,0 +1,29 @@ 
+From f7a8e2c049c2c3e2bfcb801d7b65214c0a5bad77 Mon Sep 17 00:00:00 2001
+From: Yoann Congal <yoann.congal@smile.fr>
+Date: Tue, 15 Apr 2025 17:27:20 +0200
+Subject: [PATCH] libreswan: Allow skipping test_config for old ipsec
+
+In some case, /usr/sbin/ipsec does not handle the readwriteconf command.
+e.g. on Debian 12 with strongswan installed.
+As with the other OLD_* variables, add an OLD_LIBRESWAN environment
+variable to skip configuration testing on those systems.
+
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+Upstream-Status: Submitted [https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/237]
+---
+ python/policygenerators/libreswan.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/python/policygenerators/libreswan.py b/python/policygenerators/libreswan.py
+index a2b02f5..d81ec0c 100644
+--- a/python/policygenerators/libreswan.py
++++ b/python/policygenerators/libreswan.py
+@@ -227,6 +227,8 @@ class LibreswanGenerator(ConfigGenerator):
+ 
+     @classmethod
+     def test_config(cls, config):
++        if os.getenv('OLD_LIBRESWAN') == '1':
++            return True
+         if not os.access('/usr/sbin/ipsec', os.X_OK):
+             return True
+ 
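Review bot: In test_config(), the new early return on OLD_LIBRESWAN makes the generator report the libreswan policy as valid without running any check, and nothing in the code records why. The variable name is also misleading: the case described in the patch header is a /usr/sbin/ipsec that belongs to strongswan and lacks readwriteconf, not an old libreswan. A short comment above the `if os.getenv('OLD_LIBRESWAN') == '1':` line saying that validation is skipped because the host ipsec may not support readwriteconf would help the next reader. Since a skipped check and a passed check both return True, consider emitting a notice when the skip is taken so that build logs show the policy was not validated.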
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
index 522e9a393d..4ccfc95c33 100644
--- a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
@@ -8,7 +8,10 @@  LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
 # Python 3.11+ is needed to build fedora-crypto-policies
 inherit allarch python3native
 
-SRC_URI = "git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master"
+SRC_URI = " \
+    git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master \
+    file://0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch \
+"
 
 SRCREV = "032b418a6db842f0eab330eb5909e4604e888728"
 UPSTREAM_CHECK_COMMITS = "1"
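Review bot: The local patch added to SRC_URI is marked Upstream-Status: Submitted and is applied on top of a pinned SRCREV, so it has to be dropped or rebased at the first SRCREV bump after the upstream merge request lands. With UPSTREAM_CHECK_COMMITS = "1" such bumps are expected; a brief mention in the commit message that the patch is temporary until upstream merges it would make that explicit.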
@@ -20,10 +23,11 @@  do_compile () {
 	# It speeds up the build and we only need DEFAULT/rpm-sequoia.
 	rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete
 
-	# Don't validate openssh and gnutls policy variants.
+	# Don't validate openssh, gnutls and libreswan policy variants.
 	# Validation may fail and these variants are not needed.
 	export OLD_OPENSSH=1
 	export OLD_GNUTLS=1
+	export OLD_LIBRESWAN=1
 
 	make ASCIIDOC=echo XSLTPROC=echo
 }
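Review bot: In do_compile, the updated comment lists libreswan alongside openssh and gnutls but still only says "Validation may fail", while the actual reason for libreswan is specific: the host /usr/sbin/ipsec may be strongswan's and not accept readwriteconf. Adding that to the comment above `export OLD_LIBRESWAN=1` would explain why the export is unconditional. Note that the export disables libreswan validation on every build host, including those where the check would work, which is acceptable here only because, per the earlier comment, just DEFAULT/rpm-sequoia is needed.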