rpm-sequoia-crypto-policy: Fix build failure on Debian 12+Strongswan

rpm-sequoia-crypto-policy tries to validate the configuration files
using host tools. For the Strongswan policy, it uses
"ipsec readwriteconf" which is not available on Debian 12 with
Strongswan installed.
To fix this, add and use an option to skip the problematic validation.

(From OE-Core rev: d10ca0fe194b62b2f383be880a008cde2bd0fd4f)

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2 files changed, 35 insertions, 2 deletions

diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch
new file mode 100644
index 0000000000..db3ea4b843
--- /dev/null
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy/0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch
@@ -0,0 +1,29 @@
+From f7a8e2c049c2c3e2bfcb801d7b65214c0a5bad77 Mon Sep 17 00:00:00 2001
+From: Yoann Congal <yoann.congal@smile.fr>
+Date: Tue, 15 Apr 2025 17:27:20 +0200
+Subject: [PATCH] libreswan: Allow skipping test_config for old ipsec
+
+In some case, /usr/sbin/ipsec does not handle the readwriteconf command.
+e.g. on Debian 12 with strongswan installed.
+As with the other OLD_* variables, add an OLD_LIBRESWAN environment
+variable to skip configuration testing on those systems.
+
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+Upstream-Status: Backport [https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/237]
+---
+ python/policygenerators/libreswan.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/python/policygenerators/libreswan.py b/python/policygenerators/libreswan.py
+index a2b02f5..d81ec0c 100644
+--- a/python/policygenerators/libreswan.py
++++ b/python/policygenerators/libreswan.py
+@@ -227,6 +227,8 @@ class LibreswanGenerator(ConfigGenerator):
+ 
+     @classmethod
+     def test_config(cls, config):
++        if os.getenv('OLD_LIBRESWAN') == '1':
++            return True
+         if not os.access('/usr/sbin/ipsec', os.X_OK):
+             return True
+ 
diff --git a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
index 522e9a393d..4ccfc95c33 100644
--- a/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia-crypto-policy_git.bb
@@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=a6f89e2100d9b6cdffcea4f398e37343"
 # Python 3.11+ is needed to build fedora-crypto-policies
 inherit allarch python3native
 
-SRC_URI = "git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master"
+SRC_URI = " \
+    git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master \
+    file://0001-libreswan-Allow-skipping-test_config-for-old-ipsec.patch \
+"
 
 SRCREV = "032b418a6db842f0eab330eb5909e4604e888728"
 UPSTREAM_CHECK_COMMITS = "1"
@@ -20,10 +23,11 @@ do_compile () {
         # It speeds up the build and we only need DEFAULT/rpm-sequoia.
         rm -f $(ls -1 policies/*.pol | grep -v DEFAULT.pol) || echo nothing to delete
 
-        # Don't validate openssh and gnutls policy variants.
+        # Don't validate openssh, gnutls and libreswan policy variants.
         # Validation may fail and these variants are not needed.
         export OLD_OPENSSH=1
         export OLD_GNUTLS=1
+        export OLD_LIBRESWAN=1
 
         make ASCIIDOC=echo XSLTPROC=echo
 }