rpm-sequoia-crypto-policy: Fix build failure on Debian 12+Strongswan

rpm-sequoia-crypto-policy tries to validate the configuration files using host tools. For the Strongswan policy, it uses "ipsec readwriteconf" which is not available on Debian 12 with Strongswan installed. To fix this, add and use an option to skip the problematic validation. (From OE-Core rev: d10ca0fe194b62b2f383be880a008cde2bd0fd4f) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-07-19 12:59:02 +02:00 · 2025-04-15 23:34:27 +02:00 · 2025-04-15 23:34:27 +02:00 · 706085aaf7
commit 706085aaf7
parent 576c4fd9e0
2 changed files with 35 additions and 2 deletions
--- a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch
@ -0,0 +1,29 @@
+From f7a8e2c049c2c3e2bfcb801d7b65214c0a5bad77 Mon Sep 17 00:00:00 2001
+From: Yoann Congal <yoann.congal@smile.fr>
+Date: Tue, 15 Apr 2025 17:27:20 +0200
+Subject: [PATCH] libreswan: Allow skipping test_config for old ipsec
+
+In some case, /usr/sbin/ipsec does not handle the readwriteconf command.
+e.g. on Debian 12 with strongswan installed.
+As with the other OLD_* variables, add an OLD_LIBRESWAN environment
+variable to skip configuration testing on those systems.
+
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+Upstream-Status: Backport [https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/237]
+---
+ python/policygenerators/libreswan.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/python/policygenerators/libreswan.py b/python/policygenerators/libreswan.py
+index a2b02f5..d81ec0c 100644
+--- a/python/policygenerators/libreswan.py
+++ b/python/policygenerators/libreswan.py
+@@ -227,6 +227,8 @@ class LibreswanGenerator(ConfigGenerator):
+ 
+     @classmethod
+     def test_config(cls, config):
+        if os.getenv('OLD_LIBRESWAN') == '1':
+            return True
+         if not os.access('/usr/sbin/ipsec', os.X_OK):
+             return True
+ 
--- a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
 # Python 3.11+ is needed to build fedora-crypto-policies
 inherit allarch python3native

-SRC_URI = "git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master"
+SRC_URI = " \
+    git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master \
+    file://0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch \
+"

 SRCREV = "032b418a6db842f0eab330eb5909e4604e888728"
 UPSTREAM_CHECK_COMMITS = "1"
@ -20,10 +23,11 @@ do_compile () {
 	# It speeds up the build and we only need DEFAULT/rpm-sequoia.
 	rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete

-	# Don't validate openssh and gnutls policy variants.
+	# Don't validate openssh, gnutls and libreswan policy variants.
 	# Validation may fail and these variants are not needed.
 	export OLD_OPENSSH=1
 	export OLD_GNUTLS=1
+	export OLD_LIBRESWAN=1

 	make ASCIIDOC=echo XSLTPROC=echo
 }