-rw-r--r--.gitignore1
-rw-r--r--Makefile.am8
-rw-r--r--configure.ac25
-rw-r--r--debian/changelog20
-rw-r--r--debian/conffiles1
-rw-r--r--debian/control6
-rw-r--r--debian/linda1
-rw-r--r--debian/lintian4
-rwxr-xr-xdebian/rules13
-rw-r--r--debian/source/format1
-rw-r--r--lib/OPMode.pm1
-rw-r--r--lib/vpnprof/OPMode.pm1
-rw-r--r--scripts/key-pair.template46
-rwxr-xr-xscripts/vyatta-gen-x509-keypair.sh.in (renamed from scripts/vyatta-gen-x509-keypair.sh)2
-rw-r--r--templates/generate/vpn/x509/key-pair/node.tag/node.def2
15 files changed, 101 insertions, 31 deletions
diff --git a/.gitignore b/.gitignore
index 4fb5a01..67bea90 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@ libtool
/Makefile
/command_proc_show_vpn
+/scripts/vyatta-gen-x509-keypair.sh
\ No newline at end of file
diff --git a/Makefile.am b/Makefile.am
index c4a71ec..f15d7c0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,10 +21,10 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
cpio -0pd
install-exec-hook:
- mkdir -p $(DESTDIR)/opt/vyatta/etc/
- mkdir -p $(DESTDIR)/opt/vyatta/sbin/
- cp scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)/opt/vyatta/sbin
- cp scripts/key-pair.template $(DESTDIR)/opt/vyatta/etc
+ mkdir -p $(DESTDIR)${sysconfdir}
+ mkdir -p $(DESTDIR)${sbindir}
+ cp scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)${sbindir}/vyatta-gen-x509-keypair
+ cp scripts/key-pair.template $(DESTDIR)${sysconfdir}
mkdir -p $(DESTDIR)$(opdir)
cd templates; $(cpiop) $(DESTDIR)$(opdir)
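Review bot: The script is now installed as `$(DESTDIR)${sbindir}/vyatta-gen-x509-keypair`, but the node.def hunk in this commit still runs `sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair $5` and the debian/rules hunk switches the package build to `--prefix=/usr`, so in the Debian package the op-mode command would point at a path this install step no longer populates. Either derive the path in node.def from the configured sbindir or keep the two in step by hand. Separately, the script is now generated by configure, and as far as I know config.status output does not carry the executable bit, which `cp` would pass through unchanged; `install -m 0755 scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)${sbindir}/vyatta-gen-x509-keypair` (and `install -m 0644` for the template) would pin the permissions of a file that is executed through sudo. The end of the install-exec-hook recipe is not visible in this hunk.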
diff --git a/configure.ac b/configure.ac
index 2d5ef35..3d9a504 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,6 +1,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
+m4_define([DEFAULT_PREFIX], "/opt/vyatta")
+
m4_define([VERSION_ID], [m4_esyscmd([
if test -f .version ; then
head -n 1 .version | tr -d \\n
@@ -14,10 +16,13 @@ test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_AUX_DIR([config])
AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects])
-AC_PREFIX_DEFAULT([/opt/vyatta])
-
-XSLDIR=/opt/vyatta/share/xsl/
+AC_PREFIX_DEFAULT(DEFAULT_PREFIX)
+if test "$prefix" = "NONE" ; then
+ XSLDIR="DEFAULT_PREFIX/share/xsl/"
+else
+ XSLDIR="$prefix/share/xsl/"
+fi
AC_PROG_CC
AC_PROG_CXX
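Review bot: `DEFAULT_PREFIX` is defined in the first hunk with shell double quotes as part of its value (`m4_define([DEFAULT_PREFIX], "/opt/vyatta")`), so its expansion inside `XSLDIR="DEFAULT_PREFIX/share/xsl/"` here would nest quotes and produce the intended path only because the shell concatenates the adjacent pieces. Defining it with m4 quoting, `m4_define([DEFAULT_PREFIX], [/opt/vyatta])`, keeps both this line and `AC_PREFIX_DEFAULT(DEFAULT_PREFIX)` free of embedded quote characters. A one-line comment above the `if test "$prefix" = "NONE"` block, saying that `$prefix` is still `NONE` at this point when `--prefix` was not given, would help the next reader.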
@@ -27,17 +32,21 @@ AC_PROG_LIBTOOL
AC_PROG_LEX
AC_PROG_YACC
-
AC_ARG_ENABLE([nostrip],
AC_HELP_STRING([--enable-nostrip],
[include -nostrip option during packaging]),
[NOSTRIP=-nostrip], [NOSTRIP=])
-AC_CONFIG_FILES(
- [Makefile])
-
AC_SUBST(NOSTRIP)
AC_SUBST(XSLDIR)
-AC_OUTPUT
+AC_OUTPUT([
+ Makefile
+ scripts/vyatta-gen-x509-keypair.sh
+])
+
+echo "prefix: ${prefix}"
+echo "sysconfdir: ${sysconfdir}"
+echo "datarootdir: ${datarootdir}"
+echo "XSLDIR: ${XSLDIR}"
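Review bot: Substituting `@sysconfdir@` into `scripts/vyatta-gen-x509-keypair.sh` through `AC_OUTPUT` writes autoconf's unexpanded default, `${prefix}/etc`, into the script whenever `--sysconfdir` is not passed explicitly; bash would then expand an unset `prefix` to nothing, and the script, which node.def runs through sudo, would read `/etc/key-pair.template` instead of the configured location. The debian/rules hunk passes `--sysconfdir=/etc`, so the package build is unaffected, but a plain `./configure` is not. The usual remedies are to generate the script from the Makefile with `sed` once the directory variables are fully expanded, or to add a `prefix=@prefix@` line near the top of the `.sh.in` so the nested reference resolves.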
diff --git a/debian/changelog b/debian/changelog
index fb88360..c7cd4d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low
+
+ * Non-maintainer upload.
+ * address lintian issues
+ - script-not-executable: removed #!/usr/bin/perl from .pm files
+ - debhelper-but-no-misc-depends: added ${misc:Depends} to Depends: field
+ - debian-rules-missing-recommended-target: added build-arch build-indep
+ - out-of-date-standards-version: updated standards version to 3.9.4
+ - package-contains-linda-override: removed linda override
+ - file-in-unusual-dir: not triggering, removed from override
+ - script-with-language-extension: renamed vyatta-gen-x509-keypair.sh
+ vyatta-gen-x509-keypair
+ * address dpkg-gencontrol issue:
+ - unknown substitution variable ${shlibs:Depends} - removed
+ * address dpkg-source issue:
+ - debian/source/format set to "3.0 (native)"
+
+
+ -- C.J. Collier <cjcollier@linuxfoundation.org> Wed, 11 May 2016 02:33:38 +0000
+
vyatta-op-vpn (0.15.0+vyos2+current2) unstable; urgency=low
* Remove vyatta-ipsec dependency for migration to upstream strongswan.
diff --git a/debian/conffiles b/debian/conffiles
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/debian/conffiles
@@ -0,0 +1 @@
+
diff --git a/debian/control b/debian/control
index aeb9c65..c3f2ec0 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: contrib/net
Priority: extra
Maintainer: VyOS Package Maintainers <maintainers@vyos.net>
Build-Depends: debhelper (>= 5), autotools-dev, automake, autoconf, cpio, libtool
-Standards-Version: 3.9.1
+Standards-Version: 3.9.4
Package: vyatta-op-vpn
Architecture: all
@@ -11,11 +11,11 @@ Depends: vyatta-op,
vyatta-bash | bash (>= 3.1),
vyatta-cfg-vpn,
strongswan (>= 5.2),
- ${shlibs:Depends}
+ ${misc:Depends}
Suggests: util-linux (>= 2.13-5),
net-tools,
ethtool,
ncurses-bin (>= 5.5-5),
ntpdate
Description: VyOS operational commands for IPsec VPN
- VyOS commands fpr IPsec VPN operations.
+ VyOS commands for IPsec VPN operations.
diff --git a/debian/linda b/debian/linda
deleted file mode 100644
index 0381d9d..0000000
--- a/debian/linda
+++ /dev/null
@@ -1 +0,0 @@
-Tag: file-in-opt
diff --git a/debian/lintian b/debian/lintian
index a5d78e0..7a94f59 100644
--- a/debian/lintian
+++ b/debian/lintian
@@ -1,2 +1,2 @@
-vyatta-op-vpn: file-in-unusual-dir
-vyatta-op-vpn: dir-or-file-in-opt
+# It's a hassle to move it out of /opt. I'll get to it later
+#vyatta-op-vpn binary: dir-or-file-in-opt
diff --git a/debian/rules b/debian/rules
index 4b68fde..67f4ee5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -22,7 +22,8 @@ CFLAGS = -Wall -g
configure = ./configure
configure += --host=$(DEB_HOST_GNU_TYPE)
configure += --build=$(DEB_BUILD_GNU_TYPE)
-configure += --prefix=/opt/vyatta
+configure += --prefix=/usr
+configure += --sysconfdir=/etc
configure += --mandir=\$${prefix}/share/man
configure += --infodir=\$${prefix}/share/info
configure += CFLAGS="$(CFLAGS)"
@@ -43,9 +44,10 @@ config.status: configure
rm -f config.cache
$(configure)
-build: build-stamp
-
-build-stamp: config.status
+build: build-arch build-indep
+build-arch: build-stamp
+build-indep: build-stamp
+build-stamp: config.status
dh_testdir
$(MAKE)
touch $@
@@ -68,13 +70,12 @@ clean-patched:
install: build
dh_testdir
dh_testroot
- dh_clean -k
+ dh_prep
dh_installdirs
$(MAKE) DESTDIR=$(PKGDIR) install
install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE)
- install -D --mode=0644 debian/linda $(PKGDIR)/usr/share/linda/overrides/$(PACKAGE)
# Build architecture-independent files here.
binary-indep: build install
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..9f67427
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
\ No newline at end of file
diff --git a/lib/OPMode.pm b/lib/OPMode.pm
index 49bc966..fa51c66 100644
--- a/lib/OPMode.pm
+++ b/lib/OPMode.pm
@@ -1,4 +1,3 @@
-#!/usr/bin/perl
#
# Module Vyatta::VPN::OpMode.pm
#
diff --git a/lib/vpnprof/OPMode.pm b/lib/vpnprof/OPMode.pm
index 99c6268..05e1f00 100644
--- a/lib/vpnprof/OPMode.pm
+++ b/lib/vpnprof/OPMode.pm
@@ -1,4 +1,3 @@
-#!/usr/bin/perl
#
# Module Vyatta::vpnprof::OpMode.pm
#
diff --git a/scripts/key-pair.template b/scripts/key-pair.template
index 5b5b2a6..bbf5eb9 100644
--- a/scripts/key-pair.template
+++ b/scripts/key-pair.template
@@ -1,10 +1,15 @@
[ req ]
- default_bits = 1024
+ default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
+ string_mask = utf8only
attributes = req_attributes
+ dirstring_type = nobmp
+# SHA-1 is deprecated, so use SHA-2 instead.
+ default_md = sha256
+# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
- dirstring_type = nobmp
+
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
@@ -24,4 +29,39 @@
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
- basicConstraints = CA:true
+ basicConstraints = critical, CA:true
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ basicConstraints = critical, CA:true, pathlen:0
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = client, email
+ nsComment = "OpenSSL Generated Client Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+ authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+ basicConstraints = CA:FALSE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, digitalSignature
+ extendedKeyUsage = critical, OCSPSigning
\ No newline at end of file
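Review bot: None of the sections added here (`v3_intermediate_ca`, `usr_cert`, `server_cert`, `crl_ext`, `ocsp`) is selected by the `openssl req -new` call in the keypair script hunk of this commit, which passes neither `-x509` nor `-extensions`, and the `[ req ]` section shown in the first hunk has no `req_extensions` entry. As far as this diff shows, the critical `keyUsage` and `basicConstraints` settings therefore only take effect if whoever signs the request points at these sections. A short comment above them, e.g. `# Not applied by vyatta-gen-x509-keypair; select at signing time with -extensions <section>.`, would prevent the assumption that generated requests already carry these constraints. `[ server_cert ]` also sets no `subjectAltName`, which peers that match identities on SAN would need, and `nsCertType`/`nsComment` are legacy Netscape extensions that could be dropped.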
diff --git a/scripts/vyatta-gen-x509-keypair.sh b/scripts/vyatta-gen-x509-keypair.sh.in
index 5a66d0a..194ac4f 100755
--- a/scripts/vyatta-gen-x509-keypair.sh
+++ b/scripts/vyatta-gen-x509-keypair.sh.in
@@ -1,7 +1,7 @@
#!/bin/bash
CN=$1
genkeypair (){
- openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config /opt/vyatta/etc/key-pair.template
+ openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config @sysconfdir@/key-pair.template
}
if [ -f /config/auth/$CN.csr ]; then
read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?"
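Review bot: `$CN` comes straight from `$1` and is expanded unquoted inside the `-keyout`/`-out` paths on the changed `openssl req` line, and the node.def hunk passes `$5` unquoted to this script under sudo, so a common name containing whitespace or `/` would be word-split into extra openssl arguments or put the key file outside `/config/auth`. Quote the expansions, `-keyout "/config/auth/$CN.key" -out "/config/auth/$CN.csr"`, use `"$5"` in node.def, and reject names that do not match a conservative pattern before `genkeypair` is called, for example `[[ $CN =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`. Because `-nodes` writes the private key unencrypted, setting `umask 077` at the top of the script is also worth doing. The rest of the script lies outside the hunk.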
diff --git a/templates/generate/vpn/x509/key-pair/node.tag/node.def b/templates/generate/vpn/x509/key-pair/node.tag/node.def
index 9882df8..dc21935 100644
--- a/templates/generate/vpn/x509/key-pair/node.tag/node.def
+++ b/templates/generate/vpn/x509/key-pair/node.tag/node.def
@@ -1,4 +1,4 @@
help: Generate x509 key-pair
run:
- sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair.sh $5
+ sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair $5
allowed: echo -n '<common-name>'