Commit 5fe1d71204 for strongswan.org

commit 5fe1d712041d7ab0feff137cf51603577543cab8
Author: Tobias Brunner <tobias@strongswan.org>
Date:   Mon Jan 5 16:32:02 2026 +0100

    swanctl: Use a custom default plugin list

    Loading all libstrongswan plugins isn't necessary as the tool only uses
    the plugins to parse/decrypt credentials.  So it's similar to pki, but
    it doesn't do (online) certificate validation, access tokens, or need
    access to databases.

    While it's usually not an issue to load unnecessary plugins, one thing
    that came up recently is the new capabilities required by the agent
    plugin.  Since Debian's AppArmor policy for swanctl doesn't grant them,
    this produces an error message that might confuse users.

diff --git a/configure.ac b/configure.ac
index 0ae769a77e..87b7636bbc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1519,6 +1519,7 @@ CFLAGS="$WARN_CFLAGS $CFLAGS"

 # plugin lists for all components
 charon_plugins=
+swanctl_plugins=
 pool_plugins=
 attest_plugins=
 pki_plugins=
@@ -1537,61 +1538,61 @@ s_plugins=
 t_plugins=
 p_plugins=

-ADD_PLUGIN([test-vectors],         [s charon pki])
+ADD_PLUGIN([test-vectors],         [s charon swanctl pki])
 ADD_PLUGIN([unbound],              [s charon scripts])
 ADD_PLUGIN([ldap],                 [s charon pki scripts nm cmd])
 ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
 ADD_PLUGIN([tpm],                  [p charon pki nm cmd])
-ADD_PLUGIN([aesni],                [s charon pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([aes],                  [s charon pki scripts nm cmd])
-ADD_PLUGIN([des],                  [s charon pki scripts nm cmd])
-ADD_PLUGIN([blowfish],             [s charon pki scripts nm cmd])
-ADD_PLUGIN([rc2],                  [s charon pki scripts nm cmd])
-ADD_PLUGIN([sha2],                 [s charon pki scripts medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([sha3],                 [s charon pki scripts medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([sha1],                 [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([md4],                  [s charon pki nm cmd])
-ADD_PLUGIN([md5],                  [s charon pki scripts attest nm cmd aikgen])
-ADD_PLUGIN([mgf1],                 [s charon pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([rdrand],               [s charon pki scripts medsrv attest nm cmd aikgen])
-ADD_PLUGIN([random],               [s charon pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([aesni],                [s charon swanctl pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([aes],                  [s charon swanctl pki scripts nm cmd])
+ADD_PLUGIN([des],                  [s charon swanctl pki scripts nm cmd])
+ADD_PLUGIN([blowfish],             [s charon swanctl pki scripts nm cmd])
+ADD_PLUGIN([rc2],                  [s charon swanctl pki scripts nm cmd])
+ADD_PLUGIN([sha2],                 [s charon swanctl pki scripts medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([sha3],                 [s charon swanctl pki scripts medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([sha1],                 [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([md4],                  [s charon swanctl pki nm cmd])
+ADD_PLUGIN([md5],                  [s charon swanctl pki scripts attest nm cmd aikgen])
+ADD_PLUGIN([mgf1],                 [s charon swanctl pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([rdrand],               [s charon swanctl pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([random],               [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([nonce],                [s charon nm cmd aikgen])
-ADD_PLUGIN([x509],                 [s charon pki scripts attest nm cmd aikgen fuzz])
+ADD_PLUGIN([x509],                 [s charon swanctl pki scripts attest nm cmd aikgen fuzz])
 ADD_PLUGIN([revocation],           [s charon pki nm cmd])
 ADD_PLUGIN([constraints],          [s charon pki nm cmd])
 ADD_PLUGIN([acert],                [s charon])
-ADD_PLUGIN([pubkey],               [s charon pki cmd aikgen])
-ADD_PLUGIN([pkcs1],                [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([pkcs7],                [s charon pki scripts nm cmd])
-ADD_PLUGIN([pkcs12],               [s charon pki scripts cmd])
+ADD_PLUGIN([pubkey],               [s charon swanctl pki cmd aikgen])
+ADD_PLUGIN([pkcs1],                [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([pkcs7],                [s charon swanctl pki scripts nm cmd])
+ADD_PLUGIN([pkcs12],               [s charon swanctl pki scripts cmd])
 ADD_PLUGIN([pgp],                  [s charon])
-ADD_PLUGIN([dnskey],               [s charon pki])
-ADD_PLUGIN([sshkey],               [s charon pki nm cmd])
+ADD_PLUGIN([dnskey],               [s charon swanctl pki])
+ADD_PLUGIN([sshkey],               [s charon swanctl pki nm cmd])
 ADD_PLUGIN([dnscert],              [c charon])
 ADD_PLUGIN([ipseckey],             [c charon])
-ADD_PLUGIN([pem],                  [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([pem],                  [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen fuzz])
 ADD_PLUGIN([padlock],              [s charon])
-ADD_PLUGIN([openssl],              [s charon pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([wolfssl],              [s charon pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([gcrypt],               [s charon pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([botan],                [s charon pki scripts manager medsrv attest nm cmd aikgen])
-ADD_PLUGIN([pkcs8],                [s charon pki scripts manager medsrv attest nm cmd])
-ADD_PLUGIN([af-alg],               [s charon pki scripts medsrv attest nm cmd aikgen])
+ADD_PLUGIN([openssl],              [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([wolfssl],              [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([gcrypt],               [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([botan],                [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([pkcs8],                [s charon swanctl pki scripts manager medsrv attest nm cmd])
+ADD_PLUGIN([af-alg],               [s charon swanctl pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
-ADD_PLUGIN([gmp],                  [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
-ADD_PLUGIN([curve25519],           [s charon pki scripts nm cmd])
+ADD_PLUGIN([gmp],                  [s charon swanctl pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([curve25519],           [s charon swanctl pki scripts nm cmd])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
 ADD_PLUGIN([chapoly],              [s charon scripts nm cmd])
 ADD_PLUGIN([xcbc],                 [s charon nm cmd])
 ADD_PLUGIN([cmac],                 [s charon nm cmd])
-ADD_PLUGIN([hmac],                 [s charon pki scripts nm cmd])
-ADD_PLUGIN([kdf],                  [s charon pki scripts nm cmd])
+ADD_PLUGIN([hmac],                 [s charon swanctl pki scripts nm cmd])
+ADD_PLUGIN([kdf],                  [s charon swanctl pki scripts nm cmd])
 ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
 ADD_PLUGIN([ml],                   [s charon scripts nm cmd])
-ADD_PLUGIN([drbg],                 [s charon pki scripts nm cmd])
+ADD_PLUGIN([drbg],                 [s charon swanctl pki scripts nm cmd])
 ADD_PLUGIN([curl],                 [s charon pki scripts nm cmd])
 ADD_PLUGIN([files],                [s charon pki scripts nm cmd])
 ADD_PLUGIN([winhttp],              [s charon pki scripts])
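Review bot: The new `swanctl` column has no comment stating the rule by which a plugin qualifies, so the next plugin added to this table will be placed by guesswork. A line above the list such as `# swanctl: only plugins needed to parse/decrypt credentials (no validation, tokens, fetchers or databases)` would record the intent given in the commit message. Within that rule, `md4` and `test-vectors` stand out: neither obviously takes part in parsing or decrypting a key or certificate, and they look carried over from the `pki` column, so it is worth confirming they are needed or dropping them to keep the code loaded by a key-handling tool minimal. The ADD_PLUGIN table continues past the end of this hunk, so entries outside it were not checked.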
@@ -1677,6 +1678,7 @@ ADD_PLUGIN([unity],                [c charon])
 ADD_PLUGIN([counters],             [c charon])

 AC_SUBST(charon_plugins)
+AC_SUBST(swanctl_plugins)
 AC_SUBST(pool_plugins)
 AC_SUBST(attest_plugins)
 AC_SUBST(pki_plugins)
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 1bd743883d..496e521f9d 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -38,7 +38,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libcharon/plugins/vici \
 	-DSWANCTLDIR=\""${swanctldir}\"" \
-	-DPLUGINS=\""${s_plugins}\""
+	-DPLUGINS=\""${swanctl_plugins}\""

 man_MANS = \
 	swanctl.8 \
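Review bot: Switching the compiled-in default from `${s_plugins}` to `${swanctl_plugins}` silently narrows what an existing installation loads, and nothing in the visible change tells users about it. Setups that relied on a plugin no longer in the default (for instance `pkcs11` or `agent`) would presumably have to list it in `swanctl.load` in strongswan.conf. A NEWS entry and an updated description of that option's default would make the change discoverable. The AM_CPPFLAGS assignment starts above this hunk.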