1 # Openswan pathnames and other master configuration
2 # Copyright (C) 2001, 2002 Henry Spencer.
3 # Copyright (C) 2003-2006 Xelerance Corporation
5 # This program is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by the
7 # Free Software Foundation; either version 2 of the License, or (at your
8 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 # This program is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# TODO: Some creative ifeq ($(BUILDENV),xxx) to automatically determine
# where we are building and disable things (e.g. KLIPS on OSX)
20 # Doc: http://www.gnu.org/software/make/manual/make.html
# If there is a "local" makefile, include it; otherwise ignore:
24 -include ${OPENSWANSRCDIR}/Makefile.inc.local
27 # Variables in this file with names starting with INC_ are not for use
28 # by Makefiles which include it; they are subject to change without warning.
30 # "Final" and "finally" refer to where the files will end up on the
31 # running IPsec system, as opposed to where they get installed by our
32 # Makefiles. (The two are different for cross-compiles and the like,
33 # where our Makefiles are not the end of the installation process.)
34 # Paths with FINAL in their names are the only ones that the installed
35 # software itself depends on. (Very few things should know about the
36 # FINAL paths; think twice and consult Henry before making something new
37 # depend on them.) All other paths are install targets.
38 # See also DESTDIR, below.
42 ### boilerplate, do not change, various scripts use extended BASH syntax!
46 .PHONY: programs checkprograms clean
50 # DESTDIR can be used to supply a prefix to all install targets.
51 # (Note that "final" pathnames, signifying where files will eventually
52 # reside rather than where install puts them, are exempt from this.)
53 # The prefixing is done in this file, so as to have central control over
54 # it; DESTDIR itself should never appear in any other Makefile.
# Root of the "local" part of the tree; the other pathnames are built from it.
INC_USRLOCAL = /usr/local

# PUBDIR receives the "ipsec" command.  Beware: many things define PATH
# settings that are assumed to include it (or at least *some* copy of the
# "ipsec" command).
PUBDIR = ${DESTDIR}${INC_USRLOCAL}/sbin

# Sub-commands are installed into LIBEXECDIR; FINALBINDIR is where the
# "ipsec" command looks for them at run time (also called LIBEXECDIR).
FINALLIBEXECDIR ?= ${INC_USRLOCAL}/libexec/ipsec
FINALBINDIR = $(FINALLIBEXECDIR)
LIBEXECDIR = ${DESTDIR}${FINALBINDIR}

# SBINDIR receives the user interface command.
FINALSBINDIR ?= ${INC_USRLOCAL}/sbin
SBINDIR = ${DESTDIR}${FINALSBINDIR}

# LIBDIR receives utility files.
FINALLIBDIR ?= ${INC_USRLOCAL}/lib/ipsec
LIBDIR = ${DESTDIR}${FINALLIBDIR}
83 # where the appropriate manpage tree is located
84 # location within INC_USRLOCAL
87 MANTREE=$(DESTDIR)$(INC_USRLOCAL)/$(INC_MANDIR)
88 # all relevant subdirectories of MANTREE
89 MANPLACES=man3 man5 man8
# Configuration files.  FINALCONFDIR is expected to be set by the time these
# recursive variables are expanded.
FINALCONFFILE ?= /etc/ipsec.conf
CONFFILE ?= ${DESTDIR}${FINALCONFFILE}
CONFDIR ?= ${DESTDIR}${FINALCONFDIR}
FINALCONFDDIR ?= $(FINALCONFDIR)/ipsec.d
CONFDDIR ?= ${DESTDIR}${FINALCONFDDIR}

# Sample configuration files and documentation.
INC_DOCDIR ?= share/doc
FINALEXAMPLECONFDIR ?= $(INC_USRLOCAL)/$(INC_DOCDIR)/openswan
EXAMPLECONFDIR ?= $(DESTDIR)$(FINALEXAMPLECONFDIR)
FINALDOCDIR ?= $(INC_USRLOCAL)/$(INC_DOCDIR)/openswan
DOCDIR = $(DESTDIR)$(FINALDOCDIR)

# Per-connection pluto logs.  FINALVARDIR is expected to be set by the time
# these are expanded.
VARDIR ?= $(DESTDIR)$(FINALVARDIR)
FINALLOGDIR ?= $(FINALVARDIR)/log
LOGDIR ?= $(DESTDIR)$(FINALLOGDIR)
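# Boot/shutdown script location is probed automatically: the first directory
# listed in INC_RCDIRS that exists receives the scripts.  If none exists (or
# INC_RCDIRS is empty), INC_RCDEFAULT is used instead.  With a non-null
# DESTDIR the probe looks underneath DESTDIR, so INC_RCDEFAULT wins unless one
# of the INC_RCDIRS directories has been pre-created there.
INC_RCDIRS?=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
INC_RCDEFAULT?=/etc/rc.d/init.d

# RCDIR is where boot/shutdown scripts get installed; FINALRCDIR is where they
# will finally live on the running system (so utils/Makefile can create a
# symlink in BINDIR to the final location rather than the install location).
#
# The probed path is double-quoted so that a DESTDIR containing whitespace
# reaches `test -d` as a single argument instead of making the test fail and
# silently selecting INC_RCDEFAULT.  make pastes DESTDIR into the command text
# before the shell parses it, so the quotes do not neutralise shell
# metacharacters: DESTDIR must come from a trusted build configuration.
# Being a recursive (?=) variable, the probe runs again on every expansion.
FINALRCDIR?=$(shell for d in $(INC_RCDIRS) ; \
    do if test -d "$(DESTDIR)/$$d" ; \
    then echo "$$d" ; exit 0 ; \
    fi ; done ; echo $(INC_RCDEFAULT) )
RCDIR?=$(DESTDIR)$(FINALRCDIR)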
138 # Kernel location: where patches are inserted, where kernel builds are done.
140 # this is a hack using the wildcard to look for existence of a file/dir
141 ifneq ($(wildcard /usr/src/linux-2.6),)
142 KERNELSRC?=/usr/src/linux-2.6
144 ifneq ($(wildcard /usr/src/linux-2.4),)
145 KERNELSRC?=/usr/src/linux-2.4
147 KERNELSRC?=/lib/modules/$(shell uname -r)/build
# Kernel configuration outputs, all located relative to KERNELSRC.
KCFILE  = ${KERNELSRC}/.config
ACFILE  = ${KERNELSRC}/include/linux/autoconf.h
VERFILE = ${KERNELSRC}/include/linux/version.h

# Where the KLIPS kernel module is installed.
OSMOD_DESTDIR ?= net/ipsec

# Command used to load the modules (openwrt does not have modprobe).
MODPROBE ?= modprobe -q
162 ### misc installation stuff
164 # what program to use when installing things
# Flags handed to the install program for programs, manpages and config files.
# -b makes install keep a backup of a file it replaces (n.b. it unlinks the
# original); --suffix controls how the backup name is formed.  Config files
# get no -b because the install procedures never overwrite an existing one.
INSTBINFLAGS = -b --suffix=.old
# u+rxs sets the setuid bit and o+rx leaves the file executable by every local
# user, so anything installed with INSTSUIDFLAGS runs with its owner's
# privileges for all callers; keep the set of such targets minimal and audited.
INSTSUIDFLAGS = --mode=u+rxs,g+rx,o+rx --group=root -b --suffix=.old
177 #INSTBINFLAGS=-b -B .old
178 #INSTSUIDFLAGS=--mode=u+rxs,g+rx,o+rx --group=root -b -B .old
180 # flags for bison, overrode in packages/default/foo
184 ### misc configuration, included here in hopes that other files will not
185 ### have to be changed for common customizations.
# Extra compile flags for userland and kernel code, e.g. -g for debug info.
# The defaults file may append to these with +=.
#   -DGCC_LINT uses gcc-specific declarations to improve compile-time
#    diagnostics.
#   -DCOMPILER_HAS_NO_PRINTF_LIKE is for old compilers that give errors with
#    PRINTF_LIKE(x).
# Example for a cross compile:
#USERCOMPILE?=-g ${PORTDEFINE} -I/usr/local/arm_tools/arm-elf/inc -L/usr/local/arm_tools/lib/gcc-lib
GCC_LINT ?= -DGCC_LINT
# NOTE(review): no stack-protector or _FORTIFY_SOURCE option is set on this
# line; they may be supplied through the packaging defaults - confirm.
USERCOMPILE ?= -g -O3 $(WERROR) ${GCC_LINT}
KLIPSCOMPILE = -O3 -DCONFIG_KLIPS_ALG -DDISABLE_UDP_CHECKSUM

# Additional debugging for developers (warning: can crash openswan!)
#USERCOMPILE?=-g -DLEAK_DETECTVE -lefence
# On glibc systems this can also be run before starting openswan:
#export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))

# NOTE(review): -z relro on its own gives partial RELRO; with lazy binding
# part of the GOT stays writable unless -z now is passed as well.
USERLINK ?= -Wl,-z,relro
206 # command used to link/copy KLIPS into kernel source tree
207 # There are good reasons why this is "ln -s"; only people like distribution
208 # builders should ever change it.
211 # extra options for use in kernel build
214 # kernel Makefile targets to be done before build
215 # Can be overridden if you are *sure* your kernel doesn't need them. (2.2.xx
216 # and later reportedly do not.)
220 # kernel make name: zImage for 2.0.xx, bzImage for 2.2.xx and later, and
221 # boot on non-x86s (what ever happened to standards?)
222 INC_B=$(shell test -d $(DIRIN22) && echo b)
223 KERNEL=$(shell if expr " `uname -m`" : ' i.86' >/dev/null ; \
224 then echo $(INC_B)zImage ; \
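# Locate the xmlto command.  `command -v` is a POSIX shell builtin, so the
# probe does not depend on the external which(1) being installed, and stderr
# is discarded so a missing tool prints nothing; the `grep /` still drops
# anything that is not a path.  The result is whatever the builder's PATH
# resolves first and, being a recursive (?=) variable, it is looked up again
# on every expansion.
XMLTO?=$(shell command -v xmlto 2>/dev/null | grep / | head -n1)

# Locate the pod2man command with the same probe.
POD2MAN?=$(shell command -v pod2man 2>/dev/null | grep / | head -n1)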
235 # default number of bits for ipsec newhostkey
239 # temporary directory to be used when building RPMs, and where to put the
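# $(CURDIR) is make's own absolute working directory, so no shell is forked
# for these three paths and a directory name containing whitespace is not
# re-split by echo.
RPMKERNDIR := $(CURDIR)/tmp.rpmkernel
RPMTMPDIR := $(CURDIR)/tmp.rpmbuild
RPMDEST := $(CURDIR)/rpms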
245 # Newer versions of RPM do not permit building of packages with the "rpm"
246 # command. For RedHat systems with older version of RPM, use:
251 ### paths to resources on the host system
253 # Set this to a RedHat kernel-sources RPM. This normally extracts into
254 # /usr/src/linux-2.4, but you might have extracted it elsewhere with
256 # Note: there is no kernel-source rpm anymore for Fedora. Either run
257 # rpmbuild -bp on the kernel src.rpm and grab the tree from
258 # /usr/src/redhat/BUILD/ or use something like the example below using the
260 # note: there is now a kernel-devel rpm.
261 #RH_KERNELSRC?=/usr/src/linux-2.4
262 RH_KERNELSRC?=/lib/modules/2.6.9-1.681_FC3/build
264 #RH_KERNELSRC=/c2/kernel/rh/linux-2.4.9-13
267 ## build environment variations
271 # USE_ variables determine if features are compiled into Openswan.
272 # these let you turn on/off specific features
273 # HAVE_ variables let you tell Openswan what system related libraries
# you may or may not have
276 # LWRES is the lightweight resolver, part of BIND9
277 # We test with LWRES, but ship with it off, as it requires
278 # additional headers not present on most systems.
279 # Note you need a locally running bind9 nameserver with lwres{} enabled
280 # to use this, or have the "lwres" package installed and running.
281 # This only affects conns that use DNS for keys in lookups.
284 # Do a new lookup every time a connection is (re)started. This works better
285 # on hosts with some dyndns service, since DPD will cause a new dns lookup,
286 # but it could be a potential security issue if receiving spoofed dns.
289 # Do we want all the configuration files like ipsec.conf and ipsec.secrets
290 # and any certificates to be in a single directory defined by
292 USE_SINGLE_CONF_DIR?=false
294 # whether or not to include ipsec policy code into pluto. This allows non-root
295 # users to query pluto for certain information without having full whack access
296 # to make modifications. This was used in 2003 to convey DNSSEC status information
297 # to other applications / webserver cgi. See further lib/libipsecpolicy/
298 USE_IPSECPOLICY?=false
300 # Build ikeping (a utility for testing IKE daemons) in the distribution
303 # Build support for KEY RR
304 # this will become false in the future, as all OE sites transition to
305 # using IPSECKEY instead of KEY records. See references to 'Flag Day'
# Expect this to change in Q1 2011
309 # Build support for Linux 2.4 and 2.6 KLIPS kernel level IPsec support
313 # Build support for 2.6 KLIPS/MAST variation in pluto
316 # MAST requires KLIPS
317 ifeq ($(USE_MAST),true)
321 # MAST is generally a prerequisite for SAREF support in applications
322 USE_SAREF_KERNEL?=false
324 # Build support for Linux NETKEY (XFRM) kernel level IPsec support for
325 # pluto (aka "native", "kame")
328 # KLIPS needs PFKEYv2, but sometimes we want PFKEY without KLIPS
329 # Note: NETLINK does not use PFKEY, but it does share some code,
330 # so it is required for NETKEY as well.
331 ifeq ($(USE_KLIPS),true)
334 ifeq ($(USE_NETKEY),true)
339 # These days, this must always be true on Linux systems, false otherwise.
342 # include support for BSD/KAME IPsec in pluto (on *BSD and OSX)
344 ifeq ($(USE_BSDKAME),true)
349 # Build support for sending Openswan Vendor IDs
352 # Build aggressive mode authentication system code - both Server and Client.
353 # This was off by default, since aggressive mode leads to denial of service
357 # Build XAUTH authentication system code - both Server and Client.
358 # XAUTH is tricky, and you can get into security trouble unless you
359 # do additional configuration - but it is often needed for Cisco interop
362 # When doing XAUTH, include PAM support as well, requires HAVE_THREADS be
366 ifeq ($(USE_XAUTHPAM),true)
370 # Support for integrity check for binaries (requires USE_LIBNSS and fipscheck-devel)
# Support for NSS crypto library (does not require HAVE_THREADS)
374 # USE_LIBNSS uses pthreads by default.
377 ifeq ($(USE_FIPSCHECK),true)
381 # Support for LIBCAP-NG to drop unneeded capabilities for the pluto daemon
384 # Support for Network Manager
# Support for the MODP groups described in RFC 5114.
# NOTE(review): RFC 8247 later discouraged these groups (22-24) for IKEv2;
# consider whether this should still default to true.
USE_MODP_RFC5114 ?= true

# Whether to support NAT Traversal (aka NAT-T).
USE_NAT_TRAVERSAL ?= true

# Whether to support NAT-T in transport mode (needed for Win2K NAT-T interop).
USE_NAT_TRAVERSAL_TRANSPORT_MODE ?= true
396 # Include LDAP support (currently used for fetching CRLs)
399 # Include libcurl support (currently used for fetching CRLs)
402 # should we include all manner of known to be broken/weak?
403 # use this only if you are building some kind of a testing
404 # device. Normal use does not need any of this.
407 # Build algorithms that don't even encrypt (also must set WEAKSTUFF)
408 # unless you are doing negative testing, turning this on is foolish.
# Should the additional (strong) algorithms be included?  They add a
# measurable amount of code space to pluto, and many of them have not had the
# same scrutiny that AES and 3DES have received, but they offer the
# possibility of switching away from AES/3DES quickly.
USE_EXTRACRYPTO ?= false

# Should the number of ipsec connections be limited artificially?
USE_IPSEC_CONNECTION_LIMIT ?= false
IPSEC_CONNECTION_LIMIT ?= 250
421 # Do we have pthreads available? Only yes if you need it for XAUTH+PAM,
422 # or if you need it for CRL fetching.
423 # Note: USE_LIBNSS by default uses pthreads, enabling it here will only
424 # affect it for XAUTH+PAM, and CRL.
427 # Do we have an external stats daemon we can push state changes to?
428 # Currently hardcoded to /bin/openswan-statsd
431 # Do we have Openssl libraries available for BIGNUM support?
432 # Required of HAVE_OCF support
435 # Userland (IKE) Open Cryptographic Framework support (hw crypto offload)
436 # For Kernel level OCF support, enable CONFIG_KLIPS_OCF on a kernel that
437 # has support for OCF (inline or module)
440 ifeq ($(HAVE_OCF),true)
444 # Whether or not to include TaProoM (TCL Pluto Mix) into pluto.
445 # you need at least swig 1.3.24, as well as tcl libraries and includes
448 # Whether to use LEAK_DETECTIVE to find memory leaks.
449 # disabled for now as it causes some pfree()s due to bad code
450 USE_LEAK_DETECTIVE?=false
452 # Use dmalloc. Requires USE_LEAK_DETECTIVE
454 ifeq ($(USE_DMALLOC),true)
455 USE_LEAK_DETECTIVE=true
458 # For Angstrom linux with broken popen() set to true. See bug #1067
459 HAVE_BROKEN_POPEN?=false
461 # For systems with no fork (uclibc nommu)
462 # requires USE_LWRES=false
465 ifeq ($(HAVE_NO_FORK),true)
469 NONINTCONFIG=oldconfig
471 # Should we build with object directories?
472 # (not really a code option, but a build option)
473 # by default we will start using object directories.
474 ifeq ($(USE_OBJDIR),)
478 # supply kernel-configuration ARCH defaults
480 ARCH := $(shell uname -m)
482 # always sanitize $(ARCH)
483 ARCH := $(shell echo $(ARCH) | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ -e s/arm.*/arm/ -e s/sa110/arm/ -e 's/ //g')
486 OSDEP:=$(shell uname -s | tr 'A-Z' 'a-z')
489 -include ${OPENSWANSRCDIR}/Makefile.ver
491 # make sure we only run this once per build, its too expensive to run
492 # every time Makefile.inc is included
494 IPSECVERSION:=$(shell ${OPENSWANSRCDIR}/packaging/utils/setlocalversion ${IPSECBASEVERSION} ${OPENSWANSRCDIR})
498 # include OSDEP/ARCH specific makefiles, if any.
499 # OSDEP=linux,bsd,cygwin,darwin
501 # but, BUILDENV could be mingw32-linux, darwin, or mingw32, etc..
503 BUILDENV=$(shell uname -s | tr 'A-Z' 'a-z' | sed -e 's/\(.*\)-.*/\1/')
507 include ${OPENSWANSRCDIR}/packaging/defaults/${BUILDENV}
508 -include ${OPENSWANSRCDIR}/packaging/defaults/${BUILDENV}.${ARCH}
510 # On MAC OSX , we have to use YACC and not BISON. And use different backup
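# In the parenthesised form of ifeq the double quotes are ordinary characters,
# so comparing against "darwin" (quotes included) can never equal the unquoted
# value BUILDENV is given from uname; compare against the bare word.
# NOTE(review): this makes the Darwin overrides below take effect, possibly
# for the first time; check them against that platform's install(1).
ifeq ($(BUILDENV),darwin)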
514 INSTBINFLAGS=-D -b -B .old
515 INSTSUIDFLAGS=--mode=u+rxs,g+rx,o+rx --group=root -b -B .old
518 ifeq ($(USE_OBJDIR),true)
519 OBJDIR?=OBJ.${BUILDENV}.${ARCH}
520 OBJDIRTOP?=${OPENSWANSRCDIR}/${OBJDIR}
522 # where to place the object files which are built
524 OBJDIRTOP?=${OPENSWANSRCDIR}
# Paranoia says to export these just to be sure:
### paths within the source tree

# KLIPS headers and sources.
KLIPSINC    = $(OPENSWANSRCDIR)/linux/include
KLIPSSRCDIR = $(OPENSWANSRCDIR)/linux/net/ipsec
#KLIPSSRCDIR=/mara1/git/klips/net/ipsec

# Core static libraries; built artefacts live under OBJDIRTOP.
LIBOPENSWANDIR = $(OPENSWANSRCDIR)/lib/libopenswan
OPENSWANLIB    = $(OBJDIRTOP)/lib/libopenswan/libopenswan.a
PLUTOLIB       = $(OBJDIRTOP)/lib/libpluto/libpluto.a
OSWLOGLIB      = $(OBJDIRTOP)/lib/libopenswan/liboswlog.a

# Resolver and PF_KEY support libraries.
LWRESDIR    = $(OPENSWANSRCDIR)/lib/liblwres
LIBLWRES    = $(OBJDIRTOP)/lib/liblwres/liblwres.a
LIBDNS      = $(OBJDIRTOP)/lib/libdns/libdns.a
LIBISC      = $(OBJDIRTOP)/lib/libisc/libisc.a
LIBBSDPFKEY = $(OBJDIRTOP)/lib/libbsdpfkey/libbsdpfkey.a

# Crypto archives.  LIBDESLITE is a simple (:=) variable, so it captures the
# value OBJDIRTOP has at this point rather than at use.
LIBDESSRCDIR = $(OPENSWANSRCDIR)/linux/crypto/ciphers/des
LIBDESLITE  := $(OBJDIRTOP)/lib/libcrypto/libdes/libdes.a
LIBOSWCRYPTO = $(OBJDIRTOP)/lib/libcrypto/liboswcrypto/liboswcrypto.a
LIBAES       = $(OBJDIRTOP)/lib/libcrypto/libaes/libaes.a
LIBMD5       = $(OBJDIRTOP)/lib/libcrypto/libmd5/libmd5.a
LIBMD2       = $(OBJDIRTOP)/lib/libcrypto/libmd2/libmd2.a
LIBSHA1      = $(OBJDIRTOP)/lib/libcrypto/libsha1/libsha1.a
LIBBLOWFISH  = $(OBJDIRTOP)/lib/libcrypto/libblowfish/libblowfish.a
LIBTWOFISH   = $(OBJDIRTOP)/lib/libcrypto/libtwofish/libtwofish.a
LIBSERPENT   = $(OBJDIRTOP)/lib/libcrypto/libserpent/libserpent.a
LIBSHA2      = $(OBJDIRTOP)/lib/libcrypto/libsha2/libsha2.a
# NOTE(review): the MD5, MD2 and DES archives are always part of this base
# list; whether those algorithms can actually be negotiated is presumably
# decided elsewhere - confirm.
CRYPTOLIBS = $(LIBAES) $(LIBSHA1) $(LIBMD5) $(LIBMD2) $(LIBDESLITE) $(LIBSHA2)
565 ifeq ($(USE_EXTRACRYPTO),true)
566 CRYPTOLIBS+= ${LIBSERPENT} ${LIBTWOFISH} ${LIBBLOWFISH}
569 CRYPTOLIBS += ${LIBOSWCRYPTO}
570 ifeq ($(HAVE_OCF),true)
571 CRYPTOLIBS += -lcrypto
574 LIBPOLICYDIR=${OPENSWANSRCDIR}/linux/lib/libipsecpolicy
575 POLICYLIB=${OBJDIRTOP}/lib/libipsecpolicy/libipsecpolicy.a
577 WHACKLIB=${OBJDIRTOP}/lib/libwhack/libwhack.a
578 IPSECCONFLIB=${OBJDIRTOP}/lib/libipsecconf/libipsecconf.a
# Export everything so that scripts can use them.
export OPENSWANSRCDIR ARCH PORTINCLUDE \
       LIBOPENSWANDIR OPENSWANLIB OSWLOGLIB PLUTOLIB \
       LWRESDIR LIBLWRES LIBDNS LIBISC ISCARCH ISCHOSTARCH \
       LIBDESSRCDIR LIBDESLITE LIBAES LIBMD5 LIBMD2 LIBSHA1 LIBSHA2 \
       LIBBLOWFISH LIBTWOFISH LIBSERPENT \
       CRYPTOLIBS LIBPOLICYDIR POLICYLIB WHACKLIB IPSECCONFLIB
588 #KERNELBUILDMFLAGS=--debug=biv V=1
592 # Local Variables: ;;;