CVE Packages Update

Move libfastjson to the rsyslog directory rsyslog 8.2002.0 -> 8.2206.0 add ntp4.2.8 recipe with fixed CVEs update cryptsetup to 2.4.3 fix libxml2 CVE-2016-3709 curl 7.75.0 -> 7.86.0 strongswan 5.8.4 -> 5.9.8 libmodbus 3.1.6 -> 3.1.7 libesmtp 1.0.6 -> 1.1.0 cifs-utils 6.1 -> 7.0 update libtirpc to version 1.3.3 update rsync to version 3.2.5 Add zlib 1.2.13 upgrade gnutls to 3.7.8 upgrade openssh to 8.9p1 Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680 openvpn 2.4.9 -> 2.4.12 hostapd 2.9 -> 2.10 [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patch for sudo component. Added 2 CVE's to whitelist for OpenVPN component.
author: Andrii Davydenko <andrii.davydenko@globallogic.com> 2022-12-14 12:08:42 +0200
committer: Mykyta Dorokhin <mykyta.dorokhin@globallogic.com> 2023-01-24 12:41:29 +0200
commit: 2eaa3fd064097eb221b56d5df0e7136ba705a0cd (patch)
tree: 2ca46c9a625d6f743933b1ea7e2fc6bd2581e6eb /recipes-connectivity
parent: 1e52890ac41318d28923787af35541a8f9ee0653 (diff)
download: meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.gz
meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.bz2
meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.zip
7 files changed, 367 insertions, 1 deletions
diff --git a/recipes-connectivity/hostapd/files/hostapd.service b/recipes-connectivity/hostapd/files/hostapd.service
new file mode 100644
index 0000000..151c050
--- /dev/null
+++ b/recipes-connectivity/hostapd/files/hostapd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/hostapd.pid
+ExecStart=@SBINDIR@/hostapd @SYSCONFDIR@/hostapd.conf -P /run/hostapd.pid -B
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-connectivity/hostapd/hostapd_2.10.bb b/recipes-connectivity/hostapd/hostapd_2.10.bb
new file mode 100644
index 0000000..04b70d9
--- /dev/null
+++ b/recipes-connectivity/hostapd/hostapd_2.10.bb
@@ -0,0 +1,51 @@
+SUMMARY = "User space daemon for extended IEEE 802.11 management"
+HOMEPAGE = "http://w1.fi/hostapd/"
+SECTION = "kernel/userland"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://hostapd/README;md5=c905478466c90f1cefc0df987c40e172"
+
+DEPENDS = "libnl openssl"
+
+SRC_URI = " \
+    http://w1.fi/releases/hostapd-${PV}.tar.gz \
+    file://defconfig \
+    file://init \
+    file://hostapd.service \
+"
+
+
+SRC_URI[sha256sum] = "206e7c799b678572c2e3d12030238784bc4a9f82323b0156b4c9466f1498915d"
+
+S = "${WORKDIR}/hostapd-${PV}"
+B = "${WORKDIR}/hostapd-${PV}/hostapd"
+
+inherit update-rc.d systemd pkgconfig features_check
+
+CONFLICT_DISTRO_FEATURES = "openssl-no-weak-ciphers"
+
+INITSCRIPT_NAME = "hostapd"
+
+SYSTEMD_SERVICE_${PN} = "hostapd.service"
+SYSTEMD_AUTO_ENABLE_${PN} = "disable"
+
+do_configure_append() {
+    install -m 0644 ${WORKDIR}/defconfig ${B}/.config
+}
+
+do_compile() {
+    export CFLAGS="-MMD -O2 -Wall -g"
+    export EXTRA_CFLAGS="${CFLAGS}"
+    make V=1
+}
+
+do_install() {
+    install -d ${D}${sbindir} ${D}${sysconfdir}/init.d ${D}${systemd_unitdir}/system/
+    install -m 0644 ${B}/hostapd.conf ${D}${sysconfdir}
+    install -m 0755 ${B}/hostapd ${D}${sbindir}
+    install -m 0755 ${B}/hostapd_cli ${D}${sbindir}
+    install -m 755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/hostapd
+    install -m 0644 ${WORKDIR}/hostapd.service ${D}${systemd_unitdir}/system/
+    sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' ${D}${systemd_unitdir}/system/hostapd.service
+}
+
+CONFFILES_${PN} += "${sysconfdir}/hostapd.conf"
diff --git a/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch b/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
new file mode 100644
index 0000000..9fd7e93
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/CVE-2021-28041.patch
@@ -0,0 +1,20 @@
+Description: fix double-free memory corruption in ssh-agent
+Author: Marc Deslauriers <marc.deslauriers@canonical.com>
+Origin: minimal fix for https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2021-28041
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.3.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/ssh-agent.c
++++ b/ssh-agent.c
+@@ -496,6 +496,7 @@ process_add_identity(SocketEntry *e)
+				goto err;
+			}
+			free(ext_name);
++			ext_name = NULL;
+			break;
+		default:
+			error("%s: Unknown constraint %d", __func__, ctype);
diff --git a/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000..bda896f
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,52 @@
+From a6414400ec94a17871081f7df24f910a6ee01b8b Mon Sep 17 00:00:00 2001
+From: Ali Abdallah <aabdallah@suse.de>
+Date: Wed, 24 Nov 2021 13:33:39 +0100
+Subject: [PATCH] CVE-2021-41617 fix
+
+backport of the following two upstream commits
+
+f3cbe43e28fe71427d41cfe3a17125b972710455
+bf944e3794eff5413f2df1ef37cddf96918c6bde
+
+CVE-2021-41617 failed to correctly initialise supplemental groups
+when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand,
+where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
+directive has been set to run the command as a different user. Instead
+these commands would inherit the groups that sshd(8) was started with.
+---
+ auth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+CVE: CVE-2021-41617
+Upstream-Status: Backport [https://bugzilla.suse.com/attachment.cgi?id=854015]
+Comment: No change in any hunk
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/auth.c b/auth.c
+index 163038f..a47b267 100644
+--- a/auth.c
++++ b/auth.c
+@@ -52,6 +52,7 @@
+ #include <limits.h>
+ #include <netdb.h>
+ #include <time.h>
++#include <grp.h>
+ 
+ #include "xmalloc.h"
+ #include "match.h"
+@@ -851,6 +852,13 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
+ 		}
+ 		closefrom(STDERR_FILENO + 1);
+ 
++		if (geteuid() == 0 &&
++		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
++			error("%s: initgroups(%s, %u): %s", tag,
++			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++			_exit(1);
++		}
++
+ 		/* Don't use permanently_set_uid() here to avoid fatal() */
+ 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+-- 
+2.26.2
diff --git a/recipes-connectivity/openssh/openssh_8.4p1.bb b/recipes-connectivity/openssh/openssh_8.4p1.bb
index 2fb4816..8e73ceb 100644
--- a/recipes-connectivity/openssh/openssh_8.4p1.bb
+++ b/recipes-connectivity/openssh/openssh_8.4p1.bb
@@ -25,13 +25,40 @@ SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.ta
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
            file://0f90440ca70abab947acbd77795e9f130967956c.patch \
+           file://CVE-2021-28041.patch \
+           file://CVE-2021-41617.patch \
            "
 SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
 
+# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
+CVE_CHECK_WHITELIST += "CVE-2007-2768"
+
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"
 
+# CVE-2008-3844 was reported in OpenSSH on Red Hat Enterprise Linux and
+# certain packages may have been compromised. This CVE is not applicable
+# as our source is OpenBSD. https://securitytracker.com/id?1020730
+# https://www.securityfocus.com/bid/30794
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
+# openssh-ssh1 is provided for compatibility with old devices that
+# cannot be upgraded to modern protocols. Thus they may not provide security
+# support for this package because doing so would prevent access to equipment.
+# The upstream OpenSSH developers see this as an important
+# security feature and do not intend to 'fix' it.
+# https://security-tracker.debian.org/tracker/CVE-2016-20012
+# https://ubuntu.com/security/CVE-2016-20012
+CVE_CHECK_WHITELIST += "CVE-2016-20012"
+
+# As per debian, the issue is fixed by a feature called "agent restriction" in openssh 8.9
+# Urgency is unimportant as per debian, Hence this CVE is whitelisting.
+# https://security-tracker.debian.org/tracker/CVE-2021-36368
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3316#c2
+# https://docs.ssh-mitm.at/trivialauth.html
+CVE_CHECK_WHITELIST += "CVE-2021-36368"
+
 PAM_SRC_URI = "file://sshd"
 
 inherit manpages useradd update-rc.d update-alternatives systemd
diff --git a/recipes-connectivity/strongswan/strongswan_%.bbappend b/recipes-connectivity/strongswan/strongswan_%.bbappend
index c68b45e..3286caa 100644
--- a/recipes-connectivity/strongswan/strongswan_%.bbappend
+++ b/recipes-connectivity/strongswan/strongswan_%.bbappend
@@ -1,3 +1,19 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:${THISDIR}/files:"
+
+PR.=".mts2"
 
 PACKAGECONFIG_remove = "sqlite3"
+
+PACKAGECONFIG_append = "stroke"
+
+do_install_append() {
+    install -d ${D}${sysconfdir}/ ${D}${sysconfdir}/ipsec.d/
+    ln -sf /var/run/ipsec/ipsec.conf ${D}${sysconfdir}/ipsec.conf
+    ln -sf /var/run/ipsec/ipsec.secrets ${D}${sysconfdir}/ipsec.secrets
+    rm -rf ${D}${sysconfdir}/ipsec.d/cacerts
+    ln -sf /var/run/ipsec/cacerts ${D}${sysconfdir}/ipsec.d/cacerts
+    rm -rf ${D}${sysconfdir}/ipsec.d/certs
+    ln -sf /var/run/ipsec/certs ${D}${sysconfdir}/ipsec.d/certs
+    rm -rf ${D}${sysconfdir}/ipsec.d/private
+    ln -sf /var/run/ipsec/private ${D}${sysconfdir}/ipsec.d/private
+}
diff --git a/recipes-connectivity/strongswan/strongswan_5.9.8.bb b/recipes-connectivity/strongswan/strongswan_5.9.8.bb
new file mode 100644
index 0000000..9025f68
--- /dev/null
+++ b/recipes-connectivity/strongswan/strongswan_5.9.8.bb
@@ -0,0 +1,189 @@
+DESCRIPTION = "strongSwan is an OpenSource IPsec implementation for the \
+Linux operating system."
+SUMMARY = "strongSwan is an OpenSource IPsec implementation"
+HOMEPAGE = "http://www.strongswan.org"
+SECTION = "net"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+DEPENDS = "flex-native flex bison-native"
+DEPENDS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '  tpm2-tss', '', d)}"
+
+SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
+           "
+
+SRC_URI[sha256sum] = "d3303a43c0bd7b75a12b64855e8edcb53696f06190364f26d1533bde1f2e453c"
+
+UPSTREAM_CHECK_REGEX = "strongswan-(?P<pver>\d+(\.\d+)+)\.tar"
+
+EXTRA_OECONF = " \
+        --without-lib-prefix \
+        --with-dev-headers=${includedir}/strongswan \
+"
+
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}"
+
+PACKAGECONFIG ?= "curl gmp openssl sqlite3 swanctl curve25519 \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-charon', 'charon', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'tpm2', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imc imc-hcd imc-os imc-scanner imc-attestation', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'tnc-imv imv-hcd imv-os imv-scanner imv-attestation', '', d)} \
+"
+
+PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,,${PN}-plugin-aesni"
+PACKAGECONFIG[bfd] = "--enable-bfd-backtraces,--disable-bfd-backtraces,binutils"
+PACKAGECONFIG[charon] = "--enable-charon,--disable-charon,"
+PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,${PN}-plugin-curl"
+PACKAGECONFIG[eap-identity] = "--enable-eap-identity,--disable-eap-identity,,${PN}-plugin-eap-identity"
+PACKAGECONFIG[eap-mschapv2] = "--enable-eap-mschapv2,--disable-eap-mschapv2,,${PN}-plugin-eap-mschapv2"
+PACKAGECONFIG[gmp] = "--enable-gmp,--disable-gmp,gmp,${PN}-plugin-gmp"
+PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap,${PN}-plugin-ldap"
+PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,${PN}-plugin-mysql"
+PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,${PN}-plugin-openssl"
+PACKAGECONFIG[soup] = "--enable-soup,--disable-soup,libsoup-2.4,${PN}-plugin-soup"
+PACKAGECONFIG[sqlite3] = "--enable-sqlite,--disable-sqlite,sqlite3,${PN}-plugin-sqlite"
+PACKAGECONFIG[stroke] = "--enable-stroke,--disable-stroke,,${PN}-plugin-stroke"
+PACKAGECONFIG[swanctl] = "--enable-swanctl,--disable-swanctl,,libgcc"
+PACKAGECONFIG[curve25519] = "--enable-curve25519,--disable-curve25519,, ${PN}-plugin-curve25519"
+
+# requires swanctl
+PACKAGECONFIG[systemd-charon] = "--enable-systemd,--disable-systemd,systemd,"
+
+# tpm needs meta-tpm layer
+PACKAGECONFIG[tpm2] = "--enable-tpm,--disable-tpm,,${PN}-plugin-tpm"
+
+
+# integraty configuration needs meta-integraty
+#imc 
+PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,,  ${PN}-plugin-tnc-imc ${PN}-plugin-tnc-tnccs"
+PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,,"
+PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,,"
+PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,,"
+PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,,"
+PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima, json-c,"
+PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,,"
+
+#imv set
+PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,, ${PN}-plugin-tnc-imv ${PN}-plugin-tnc-tnccs"
+PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,,"
+PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,,"
+PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,,"
+PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,,"
+PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima, json-c,"
+PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,,"
+
+PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap, libxml2, ${PN}-plugin-tnc-ifmap"
+PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,, ${PN}-plugin-tnc-pdp"
+
+PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2, ${PN}-plugin-tnccs-11"
+PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,, ${PN}-plugin-tnccs-20"
+PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,,${PN}-plugin-tnccs-dynamic"
+
+inherit autotools systemd pkgconfig
+
+RRECOMMENDS_${PN} = "kernel-module-ah4 \
+                     kernel-module-esp4 \
+                     kernel-module-xfrm-user \
+                    "
+
+FILES_${PN} += "${libdir}/ipsec/lib*${SOLIBS}"
+FILES_${PN}-dbg += "${bindir}/.debug ${sbindir}/.debug ${libdir}/ipsec/.debug ${libexecdir}/ipsec/.debug"
+FILES_${PN}-dev += "${libdir}/ipsec/lib*${SOLIBSDEV} ${libdir}/ipsec/*.la ${libdir}/ipsec/include/config.h"
+FILES_${PN}-staticdev += "${libdir}/ipsec/*.a"
+
+CONFFILES_${PN} = "${sysconfdir}/*.conf ${sysconfdir}/ipsec.d/*.conf ${sysconfdir}/strongswan.d/*.conf"
+
+PACKAGES += "${PN}-plugins"
+ALLOW_EMPTY_${PN}-plugins = "1"
+
+PACKAGE_BEFORE_PN = "${PN}-imcvs ${PN}-imcvs-dbg"
+ALLOW_EMPTY_${PN}-imcvs = "1"
+
+FILES_${PN}-imcvs = "${libdir}/ipsec/imcvs/*.so"
+FILES_${PN}-imcvs-dbg += "${libdir}/ipsec/imcvs/.debug"
+
+PACKAGES_DYNAMIC += "^${PN}-plugin-.*$"
+NOAUTOPACKAGEDEBUG = "1"
+
+python split_strongswan_plugins () {
+    sysconfdir = d.expand('${sysconfdir}/strongswan.d/charon')
+    libdir = d.expand('${libdir}/ipsec/plugins')
+    dbglibdir = os.path.join(libdir, '.debug')
+
+    def add_plugin_conf(f, pkg, file_regex, output_pattern, modulename):
+        dvar = d.getVar('PKGD')
+        oldfiles = d.getVar('CONFFILES_' + pkg)
+        newfile = '/' + os.path.relpath(f, dvar)
+
+        if not oldfiles:
+            d.setVar('CONFFILES_' + pkg, newfile)
+        else:
+            d.setVar('CONFFILES_' + pkg, oldfiles + " " + newfile)
+
+    split_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True)
+    do_split_packages(d, sysconfdir, r'(.*)\.conf', '${PN}-plugin-%s', 'strongSwan %s plugin', prepend=True, hook=add_plugin_conf)
+
+    split_dbg_packages = do_split_packages(d, dbglibdir, r'libstrongswan-(.*)\.so', '${PN}-plugin-%s-dbg', 'strongSwan %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg')
+    split_dev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.la', '${PN}-plugin-%s-dev', 'strongSwan %s plugin - Development files', prepend=True, extra_depends='${PN}-dev')
+    split_staticdev_packages = do_split_packages(d, libdir, r'libstrongswan-(.*)\.a', '${PN}-plugin-%s-staticdev', 'strongSwan %s plugin - Development files (Static Libraries)', prepend=True, extra_depends='${PN}-staticdev')
+
+    if split_packages:
+        pn = d.getVar('PN')
+        d.setVar('RRECOMMENDS_' + pn + '-plugins', ' '.join(split_packages))
+        d.appendVar('RRECOMMENDS_' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages))
+        d.appendVar('RRECOMMENDS_' + pn + '-dev', ' ' + ' '.join(split_dev_packages))
+        d.appendVar('RRECOMMENDS_' + pn + '-staticdev', ' ' + ' '.join(split_staticdev_packages))
+}
+
+PACKAGESPLITFUNCS_prepend = "split_strongswan_plugins "
+
+# Install some default plugins based on default strongSwan ./configure options
+# See https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist
+RDEPENDS_${PN} += "\
+    ${PN}-plugin-aes \
+    ${PN}-plugin-attr \
+    ${PN}-plugin-cmac \
+    ${PN}-plugin-constraints \
+    ${PN}-plugin-des \
+    ${PN}-plugin-dnskey \
+    ${PN}-plugin-drbg \
+    ${PN}-plugin-fips-prf \
+    ${PN}-plugin-gcm \
+    ${PN}-plugin-hmac \
+    ${PN}-plugin-kdf \
+    ${PN}-plugin-kernel-netlink \
+    ${PN}-plugin-md5 \
+    ${PN}-plugin-mgf1 \
+    ${PN}-plugin-nonce \
+    ${PN}-plugin-pem \
+    ${PN}-plugin-pgp \
+    ${PN}-plugin-pkcs1 \
+    ${PN}-plugin-pkcs7 \
+    ${PN}-plugin-pkcs8 \
+    ${PN}-plugin-pkcs12 \
+    ${PN}-plugin-pubkey \
+    ${PN}-plugin-random \
+    ${PN}-plugin-rc2 \
+    ${PN}-plugin-resolve \
+    ${PN}-plugin-revocation \
+    ${PN}-plugin-sha1 \
+    ${PN}-plugin-sha2 \
+    ${PN}-plugin-socket-default \
+    ${PN}-plugin-sshkey \
+    ${PN}-plugin-updown \
+    ${PN}-plugin-vici \
+    ${PN}-plugin-x509 \
+    ${PN}-plugin-xauth-generic \
+    ${PN}-plugin-xcbc \
+    "
+
+RPROVIDES_${PN} += "${PN}-systemd"
+RREPLACES_${PN} += "${PN}-systemd"
+RCONFLICTS_${PN} += "${PN}-systemd"
+
+# The deprecated legacy 'strongswan-starter' service should only be used when charon and
+# stroke are enabled. When swanctl is in use, 'strongswan.service' is needed.
+# See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
+SYSTEMD_SERVICE_${PN} = " \
+    ${@bb.utils.contains('PACKAGECONFIG', 'swanctl', '${BPN}.service', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'charon', '${BPN}-starter.service', '', d)} \
+"
author	Andrii Davydenko <andrii.davydenko@globallogic.com>	2022-12-14 12:08:42 +0200
committer	Mykyta Dorokhin <mykyta.dorokhin@globallogic.com>	2023-01-24 12:41:29 +0200
commit	2eaa3fd064097eb221b56d5df0e7136ba705a0cd (patch)
tree	2ca46c9a625d6f743933b1ea7e2fc6bd2581e6eb /recipes-connectivity
parent	1e52890ac41318d28923787af35541a8f9ee0653 (diff)
download	meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.gz meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.bz2 meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.zip