author    Rene Mayrhofer <rene@mayrhofer.eu.org>  2009-03-12 18:53:42 +0000
committer Rene Mayrhofer <rene@mayrhofer.eu.org>  2009-03-12 18:53:42 +0000
commit    c92262e39fbb14ed96ca12dd231c226ab19d67dd (patch)
tree      27e4d6fc547a5529fc2538cab5820e0aef432fb4
parent    b4edc4b357e177b7da614cc2e5042c4fd05faa44 (diff)
download  vyos-strongswan-c92262e39fbb14ed96ca12dd231c226ab19d67dd.tar.gz
          vyos-strongswan-c92262e39fbb14ed96ca12dd231c226ab19d67dd.zip
- Start building network manager plugin.
- No longer support plain RSA keypairs.
- Other minor changes to make packaging simpler.
-rw-r--r--  debian/changelog             10
-rw-r--r--  debian/control               34
-rwxr-xr-x  debian/rules                 45
-rw-r--r--  debian/strongswan.config     50
-rw-r--r--  debian/strongswan.postinst  108
-rw-r--r--  debian/strongswan.templates  81
6 files changed, 130 insertions, 198 deletions
diff --git a/debian/changelog b/debian/changelog
index b2515cc6f..098436a8b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,11 @@
strongswan (4.2.12-1) unstable; urgency=low
- * New upstream release
+ * New upstream release. Starting with this version, the strongswan
+ packages is modularized and includes support for plugins like the
+ NetworkManager plugin.
+ * Dropping support for raw RSA public/private keypairs, as charon does
+ not support it.
* Explicitly remove directories /etc/ipsec.d and /var/run/pluto on purge.
- * No longer mark ipsec.conf and ipsec.secrets as conffiles, as they
- are modified by postinst. Although I don't particularly like this
- method of patching DEBIAN/conffiles, I don't have a better solution
- right now. Thus take patch from Mathieu Parent.
-- Rene Mayrhofer <rmayr@debian.org> Sun, 01 Mar 2009 10:46:08 +0000
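Review bot: the new first bullet has a grammar slip, "the strongswan packages is modularized" should read "the strongswan package is modularized". Also, the bullet documenting the conffiles workaround for ipsec.conf and ipsec.secrets is dropped here and the matching patching block is removed from debian/rules in this same commit, but no bullet says how those two postinst-modified files are handled now; a line such as "ipsec.conf and ipsec.secrets are no longer shipped as conffiles" (or whatever the new arrangement is) would keep the changelog traceable to bug #515095.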
diff --git a/debian/control b/debian/control
index 90379e87e..956e19e96 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,8 @@ Section: net
Priority: optional
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Standards-Version: 3.8.0
-Build-Depends: debhelper (>= 4.1.16), libtool, libgmp3-dev, libssl-dev (>= 0.9.8-1), libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev
+Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-dev (>= 0.7)
+Homepage: http://www.strongswan.org
Package: strongswan
Architecture: any
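Review bot: network-manager-dev appears twice in the new Build-Depends line, once unversioned in the middle of the list and again as network-manager-dev (>= 0.7) at the end; keep only the versioned one so the relationship is unambiguous. The debhelper bump to (>= 7.0.0) is fine provided debian/compat is raised to match, which is not visible in this diff.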
@@ -14,28 +15,27 @@ Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan
Replaces: openswan
Description: IPSec utilities for strongSwan
- IPSec is Internet Protocol SECurity. It uses strong cryptography to provide
- both authentication and encryption services. Authentication ensures that
- packets are from the right sender and have not been altered in transit.
- Encryption prevents unauthorised reading of packet contents.
- .
- This version of strongSwan supports Opportunistic Encryption (OE) out of the
- box. OE enables you to set up IPSec tunnels to a site without
- co-ordinating with the site administrator, and without hand
- configuring each tunnel. If enough sites support OE, a "FAX effect"
- occurs, and many of us can communicate without eavesdroppers.
+ strongSwan is an open source IPsec implementation for the Linux
+ operating system. It is one of the two remaining forks of the
+ original FreeS/WAN projects and focuses on IKEv2 support, X.509
+ authentication and complete PKI support. For a focus on
+ Opportunistic Encryption (OE) and interoperability with non-standard
+ IPsec features, see Openswan.
.
In addition to OE, you may manually configure secure tunnels through
untrusted networks. Everything passing through the untrusted net is
- encrypted by the IPSec gateway machine and decrypted by the gateway
+ encrypted by the IPsec gateway machine and decrypted by the gateway
at the other end. The result is Virtual Private Network or VPN. This
is a network which is effectively private even though it includes
machines at several different sites connected by the insecure Internet.
.
Please note that you will need a recent kernel (>=2.4.24 or 2.6.x)
- for using this package. The standard Debian kernel includes both IPSec
+ for using this package. The standard Debian kernel includes both IPsec
and crypto support, patching the kernel is no longer necessary!
- .
- If you want to use the KLIPS IPSec code for kernel modules instead of the
- native ones, you will need to install either openswan-modules-source or
- linux-patch-openswan and build the respective modules for your kernel.
+
+Package: network-manager-strongswan
+Architecture: any
+Depends: ${shlibs:Depends}, strongswan, network-manager (>= 0.7)
+Description: strongSwan plugin to interact with NetworkManager
+ This plugin for NetworkManager allows to configure strongSwan
+ and control the IKEv2 daemon directly through DBUS.
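Review bot: the rewritten long description now points readers to Openswan for Opportunistic Encryption, yet the unchanged paragraph that follows still opens with "In addition to OE, you may manually configure secure tunnels", which no longer has an antecedent; rewrite that opening (e.g. "You can manually configure secure tunnels ...") in the same pass. The kernel note "(>=2.4.24 or 2.6.x)" is also badly dated for a 4.2.x package. In the new network-manager-strongswan stanza, "allows to configure" should be "allows you to configure", "DBUS" is spelled "D-Bus", and Depends should include ${misc:Depends} alongside ${shlibs:Depends} now that the package is built with debhelper 7.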
diff --git a/debian/rules b/debian/rules
index 618717875..5e0321a58 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,7 +20,8 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-openssl --enable-agent \
--enable-kernel-klips \
--disable-aes --disable-des --disable-fips-prf --disable-gmp \
- --disable-md5 --disable-sha1 --disable-sha2
+ --disable-md5 --disable-sha1 --disable-sha2 \
+ --enable-nm
# Could enable --enable-nat-transport, but this is actually insecure,
# so don't!
# And for --enable-eap-sim we would need the library, which we don't
@@ -28,20 +29,18 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)
+ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O2
+endif
+ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+ MAKEFLAGS += -j$(NUMJOBS)
+endif
# the padlock plugin only makes sense on i386
-# but it actually doesn't do much, so no need to enable it
-#ifeq ($(DEB_BUILD_ARCH_CPU),i386)
-# CONFIGUREARGS += --enable-padlock
-#endif
-
-
-configure: configure-stamp
-configure-stamp: patch
- dh_testdir
- # Add here commands to configure the package.
- ./configure $(CONFIGUREARGS)
-
- touch configure-stamp
+# but it actually doesn't do much, so maybe we don't need it
+ifeq ($(DEB_BUILD_ARCH_CPU),i386)
+ CONFIGURE_ARGS += --enable-padlock
+endif
patch:
dh_testdir
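Review bot: the new i386 block appends --enable-padlock to CONFIGURE_ARGS, but the variable this file actually passes to ./configure is CONFIGUREARGS (see the hunk header and the build-stamp recipe), so the padlock plugin is never enabled; change it to `CONFIGUREARGS += --enable-padlock`. The comment above it also still says "maybe we don't need it" while unconditionally enabling it, so pick one. On the DEB_BUILD_OPTIONS handling: Debian policy expects -O0 when noopt is set and -g by default, so consider `CFLAGS += -g` plus an `else` branch with `CFLAGS += -O0` rather than only adding -O2 in the optimised case.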
@@ -51,17 +50,17 @@ unpatch:
dpatch deapply-all
build: build-stamp
-build-stamp: configure-stamp
- $(MAKE)
-
- touch build-stamp
+build-stamp: patch
+ dh_testdir
+ ./configure $(CONFIGUREARGS)
+ $(MAKE) CC="$(CC)" CFLAGS="$(CFLAGS)"
clean: unpatch
dh_testdir
dh_testroot
- rm -f build-stamp configure-stamp
+ rm -f build-stamp
- -$(MAKE) clean
+ [ ! -f Makefile ] || $(MAKE) clean
#-$(MAKE) -C programs/fswcert/ clean
# after a make clean, no binaries _should_ be left, but ....
-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm
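Review bot: the removed configure-stamp/build-stamp recipes included `touch build-stamp`, but the new build-stamp target ends at the `$(MAKE) ...` line with no touch, so the stamp file is never created and every invocation of build (and therefore of the binary targets) re-runs ./configure and the full make; add `touch build-stamp` as the last command. Passing CFLAGS="$(CFLAGS)" on the make command line also overrides whatever CFLAGS configure computed, so the flags configure detected are lost; exporting CFLAGS before running ./configure is the usual way to get both. The guarded `[ ! -f Makefile ] || $(MAKE) clean` replacing `-$(MAKE) clean` is a good change, since it no longer masks real clean failures.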
@@ -140,17 +139,13 @@ binary-common:
dh_installinit --name=ipsec
dh_installdebconf
dh_installchangelogs NEWS
+ dh_installdocs README
dh_link
dh_strip
dh_compress
dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d
dh_makeshlibs
dh_installdeb
-ifeq ($(DH_OPTIONS), -a)
- # /etc/ipsec.{conf,secrets} are not conffiles (#515095)
- egrep -v '^/etc/ipsec.(conf|secrets)' debian/openswan/DEBIAN/conffiles > debian/openswan/DEBIAN/conffiles.new
- mv debian/openswan/DEBIAN/conffiles.new debian/openswan/DEBIAN/conffiles
-endif
dh_shlibdeps
dh_gencontrol
dh_md5sums
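Review bot: the removed conffiles-patching block referenced debian/openswan/DEBIAN/conffiles, a path from the openswan packaging that does not exist in a strongswan build, so dropping it is correct, but the problem it was meant to solve (#515095, /etc/ipsec.conf and /etc/ipsec.secrets being modified by postinst while listed as conffiles) is not visibly addressed elsewhere in this commit; either stop installing those two files under /etc at build time and generate them in postinst from the /var/lib/strongswan/*.inc fragments, or apply the same conffiles filtering with the strongswan package paths. `dh_installdocs README` is a welcome addition.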
diff --git a/debian/strongswan.config b/debian/strongswan.config
index 673c2dcda..eb5f2c2dd 100644
--- a/debian/strongswan.config
+++ b/debian/strongswan.config
@@ -17,39 +17,25 @@ db_go || true
db_get strongswan/create_rsa_key
if [ "$RET" = "true" ]; then
- db_input high strongswan/rsa_key_type || true
+ # create a new certificate
+ db_input medium strongswan/rsa_key_length || true
+ db_input high strongswan/x509_self_signed || true
+ # we can't allow the country code to be empty - openssl will
+ # refuse to create a certificate this way
+ countrycode=""
+ while [ -z "$countrycode" ]; do
+ db_input medium strongswan/x509_country_code || true
+ db_go || true
+ db_get strongswan/x509_country_code
+ countrycode="$RET"
+ done
+ db_input medium strongswan/x509_state_name || true
+ db_input medium strongswan/x509_locality_name || true
+ db_input medium strongswan/x509_organization_name || true
+ db_input medium strongswan/x509_organizational_unit || true
+ db_input medium strongswan/x509_common_name || true
+ db_input medium strongswan/x509_email_address || true
db_go || true
-
- db_get strongswan/rsa_key_type
- if [ "$RET" = "plain" ]; then
- # create just a plain RSA keypair
- db_input medium strongswan/rsa_key_length || true
- db_go || true
- else
- # extract the RSA keypair from a x509 certificate
- db_input high strongswan/existing_x509_certificate || true
- db_go || true
-
- # create a new certificate
- db_input medium strongswan/rsa_key_length || true
- db_input high strongswan/x509_self_signed || true
- # we can't allow the country code to be empty - openssl will
- # refuse to create a certificate this way
- countrycode=""
- while [ -z "$countrycode" ]; do
- db_input medium strongswan/x509_country_code || true
- db_go || true
- db_get strongswan/x509_country_code
- countrycode="$RET"
- done
- db_input medium strongswan/x509_state_name || true
- db_input medium strongswan/x509_locality_name || true
- db_input medium strongswan/x509_organization_name || true
- db_input medium strongswan/x509_organizational_unit || true
- db_input medium strongswan/x509_common_name || true
- db_input medium strongswan/x509_email_address || true
- db_go || true
- fi
else
db_get strongswan/existing_x509_certificate
if [ "$RET" = "true" ]; then
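Review bot: the country-code loop (db_input, db_go, db_get until non-empty) has no upper bound and re-asks a question debconf may already have marked as seen; with a non-interactive frontend, or once the stored value has been cleared, db_input is skipped, RET stays empty and the script loops forever. Call `db_fset strongswan/x509_country_code seen false` before each retry and bound the attempts (falling back to the template default "AT" after, say, three); the same loop existed in the removed branch, so this is a pre-existing issue worth fixing while the code is being moved. Also `strongswan/rsa_key_type` is no longer read anywhere in this script and its template is removed in strongswan.templates; a `db_unregister strongswan/rsa_key_type` in postinst or config would clear stale entries from the debconf database on upgrade.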
diff --git a/debian/strongswan.postinst b/debian/strongswan.postinst
index 7d670dd36..c63273dc2 100644
--- a/debian/strongswan.postinst
+++ b/debian/strongswan.postinst
@@ -32,14 +32,6 @@ set -e
CONF_FILE=/var/lib/strongswan/ipsec.conf.inc
SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc
-insert_private_key() {
- cat <<EOF >> $SECRETS_FILE
-: RSA {
-$1
- }
-EOF
-}
-
insert_private_key_filename() {
if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then
echo ": RSA $1" >> $SECRETS_FILE
@@ -154,67 +146,45 @@ case "$1" in
if [ "$RET" = "true" ]; then
repair_legacy_secrets
# OK, ipsec.secrets should now be correct
- db_get strongswan/rsa_key_type
- if [ "$RET" = "plain" ]; then
- # a RSA keypair should be created - check if there is one already
- if [ -e /etc/ipsec.secrets ] && egrep -q ": RSA[:space:]*" /etc/ipsec.secrets; then
- echo "Warning: there is already a RSA key in /etc/ipsec.secrets."
- echo "Creating an additional one."
- fi
- if [ -e $SECRETS_FILE ] && egrep -q ": RSA[:space:]*" $SECRETS_FILE; then
- echo "Warning: there is already a RSA key in $SECRETS_FILE."
- echo "Creating an additional one."
- fi
- # create a plain strongswan keypair
- db_get strongswan/rsa_key_length
- umask 077
- keylength=$RET
- privkey=`mktemp /tmp/ipsec-postinst.XXXXXX`
- /usr/lib/ipsec/rsasigkey $keylength > $privkey
- insert_private_key "`cat $privkey`"
- rm $privkey
- echo "Successfully created a plain strongSwan RSA keypair."
- else
- # extract the key from a (newly created) x509 certificate
- host=`hostname`
- newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
- newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
- if [ -e $newcertfile -o -e $newkeyfile ]; then
- echo "Error: $newcertfile or $newkeyfile already exists."
- echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
- else
- # create a new certificate
- db_get strongswan/rsa_key_length
- keylength=$RET
- db_get strongswan/x509_self_signed
- selfsigned=$RET
- db_get strongswan/x509_country_code
- countrycode=$RET
- if [ -z "$countrycode" ]; then countrycode="."; fi
- db_get strongswan/x509_state_name
- statename=$RET
- if [ -z "$statename" ]; then statename="."; fi
- db_get strongswan/x509_locality_name
- localityname=$RET
- if [ -z "$localityname" ]; then localityname="."; fi
- db_get strongswan/x509_organization_name
- orgname=$RET
- if [ -z "$orgname" ]; then orgname="."; fi
- db_get strongswan/x509_organizational_unit
- orgunit=$RET
- if [ -z "$orgunit" ]; then orgunit="."; fi
- db_get strongswan/x509_common_name
- commonname=$RET
- if [ -z "$commonname" ]; then commonname="."; fi
- db_get strongswan/x509_email_address
- email=$RET
- if [ -z "$email" ]; then email="."; fi
- make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
- chmod 0600 "$newkeyfile"
- umask 077
- insert_private_key_filename "$newkeyfile"
- echo "Successfully created x509 certificate."
- fi
+ # create a new keypair
+ host=`hostname`
+ newkeyfile="/etc/ipsec.d/private/${host}Key.pem"
+ newcertfile="/etc/ipsec.d/certs/${host}Cert.pem"
+ if [ -e $newcertfile -o -e $newkeyfile ]; then
+ echo "Error: $newcertfile or $newkeyfile already exists."
+ echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair."
+ else
+ # create a new certificate
+ db_get strongswan/rsa_key_length
+ keylength=$RET
+ db_get strongswan/x509_self_signed
+ selfsigned=$RET
+ db_get strongswan/x509_country_code
+ countrycode=$RET
+ if [ -z "$countrycode" ]; then countrycode="."; fi
+ db_get strongswan/x509_state_name
+ statename=$RET
+ if [ -z "$statename" ]; then statename="."; fi
+ db_get strongswan/x509_locality_name
+ localityname=$RET
+ if [ -z "$localityname" ]; then localityname="."; fi
+ db_get strongswan/x509_organization_name
+ orgname=$RET
+ if [ -z "$orgname" ]; then orgname="."; fi
+ db_get strongswan/x509_organizational_unit
+ orgunit=$RET
+ if [ -z "$orgunit" ]; then orgunit="."; fi
+ db_get strongswan/x509_common_name
+ commonname=$RET
+ if [ -z "$commonname" ]; then commonname="."; fi
+ db_get strongswan/x509_email_address
+ email=$RET
+ if [ -z "$email" ]; then email="."; fi
+ make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email"
+ chmod 0600 "$newkeyfile"
+ umask 077
+ insert_private_key_filename "$newkeyfile"
+ echo "Successfully created x509 certificate."
fi
else
db_get strongswan/existing_x509_certificate
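Review bot: in the new certificate branch `umask 077` is executed only after make_x509_cert has already written "$newkeyfile", so the private key is created under the ambient umask (typically 022) and is briefly world-readable until the following `chmod 0600`; move `umask 077` above the make_x509_cert call, as the removed plain-RSA branch did before running rsasigkey. Two smaller points in the same region: the error message "Please remove them first an re-run dpkg-reconfigure" should read "and re-run", and since the raw-RSA path is gone, hosts that generated a `: RSA { ... }` block in ipsec.secrets with an earlier version of this package get no migration or warning here, although the changelog says charon cannot use such keys.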
diff --git a/debian/strongswan.templates b/debian/strongswan.templates
index 3fac9039e..781773ac5 100644
--- a/debian/strongswan.templates
+++ b/debian/strongswan.templates
@@ -54,59 +54,41 @@ Template: strongswan/create_rsa_key
Type: boolean
Default: true
_Description: Do you want to create a RSA public/private keypair for this host?
- This installer can automatically create a RSA public/private keypair for
- this host. This keypair can be used to authenticate IPSec connections to
- other hosts and is the preferred way for building up secure IPSec
- connections. The other possibility would be to use shared secrets
- (passwords that are the same on both sides of the tunnel) for
+ This installer can automatically create a RSA public/private keypair
+ with an X.509 certificate for this host. This can be used to authenticate
+ IPSec connections to other hosts and is the preferred way for building up
+ secure IPSec connections. The other possibility would be to use pre-shared
+ secrets (PSKs, passwords that are the same on both sides of the tunnel) for
authenticating an connection, but for a larger number of connections RSA
- authentication is easier to administer and more secure.
+ authentication is easier to administer and more secure. Note that
+ having a keypair allows to use both X.509 and PSK authentication for IPsec
+ tunnels.
.
If you do not want to create a new public/private keypair, you can choose to
- use an existing one.
-
-Template: strongswan/rsa_key_type
-Type: select
-_Choices: x509, plain
-Default: x509
-_Description: The type of RSA keypair to create:
- It is possible to create a plain RSA public/private keypair for use
- with strongSwan or to create a X509 certificate file which contains the RSA
- public key and additionally stores the corresponding private key.
- .
- If you only want to build up IPSec connections to hosts also running
- strongSwan, it might be a bit easier using plain RSA keypairs. But if you
- want to connect to other IPSec implementations, you will need a X509
- certificate. It is also possible to create a X509 certificate here and
- extract the RSA public key in plain format if the other side runs
- strongSwan without X509 certificate support.
- .
- Therefore a X509 certificate is recommended since it is more flexible and
- this installer should be able to hide the complex creation of the X509
- certificate and its use in strongSwan anyway.
+ use an existing one in the next step.
Template: strongswan/existing_x509_certificate
Type: boolean
Default: false
-_Description: Do you have an existing X509 certificate file for strongSwan?
+_Description: Do you have an existing X.509 certificate file for strongSwan?
This installer can automatically extract the needed information from an
- existing X509 certificate with a matching RSA private key. Both parts can
+ existing X.509 certificate with a matching RSA private key. Both parts can
be in one file, if it is in PEM format. If you have such an existing
certificate and key file and want to use it for authenticating IPSec
connections, then please answer yes.
Template: strongswan/existing_x509_certificate_filename
Type: string
-_Description: File name of your X509 certificate in PEM format:
- Please enter the full location of the file containing your X509
+_Description: File name of your X.509 certificate in PEM format:
+ Please enter the full location of the file containing your X.509
certificate in PEM format.
Template: strongswan/existing_x509_key_filename
Type: string
-_Description: File name of your X509 private key in PEM format:
+_Description: File name of your X.509 private key in PEM format:
Please enter the full location of the file containing the private RSA key
- matching your X509 certificate in PEM format. This can be the same file
- that contains the X509 certificate.
+ matching your X.509 certificate in PEM format. This can be the same file
+ that contains the X.509 certificate.
Template: strongswan/rsa_key_length
Type: string
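Review bot: the rewritten create_rsa_key description mixes "IPSec" (three times in the added lines) with "IPsec" in the new sentence "having a keypair allows to use both X.509 and PSK authentication for IPsec tunnels"; use the project's spelling, IPsec, throughout, and change "allows to use" to "allows using". The unchanged context line "authenticating an connection" (should be "a connection") could be fixed in the same pass since the paragraph is being reworded anyway. Removing the rsa_key_type template is consistent with the config and postinst changes in this commit.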
@@ -120,14 +102,14 @@ _Description: The length of the created RSA key (in bits):
Template: strongswan/x509_self_signed
Type: boolean
Default: true
-_Description: Do you want to create a self-signed X509 certificate?
- This installer can only create self-signed X509 certificates
+_Description: Do you want to create a self-signed X.509 certificate?
+ This installer can only create self-signed X.509 certificates
automatically, because otherwise a certificate authority is needed to sign
the certificate request. If you want to create a self-signed certificate,
you can use it immediately to connect to other IPSec hosts that support
- X509 certificate for authentication of IPSec connections. However, if you
+ X.509 certificate for authentication of IPSec connections. However, if you
want to use the new PKI features of strongSwan >= 1.91, you will need to
- have all X509 certificates signed by a single certificate authority to
+ have all X.509 certificates signed by a single certificate authority to
create a trust path.
.
If you do not want to create a self-signed certificate, then this
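Review bot: while this paragraph is being touched, "the new PKI features of strongSwan >= 1.91" is long out of date for a 4.2.12 package (see debian/changelog) and should be dropped or updated; "that support X.509 certificate for authentication" also needs the plural, "X.509 certificates".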
@@ -138,7 +120,7 @@ _Description: Do you want to create a self-signed X509 certificate?
Template: strongswan/x509_country_code
Type: string
Default: AT
-_Description: Country code for the X509 certificate request:
+_Description: Country code for the X.509 certificate request:
Please enter the 2 letter country code for your country. This code will be
placed in the certificate request.
.
@@ -151,7 +133,7 @@ _Description: Country code for the X509 certificate request:
Template: strongswan/x509_state_name
Type: string
Default:
-_Description: State or province name for the X509 certificate request:
+_Description: State or province name for the X.509 certificate request:
Please enter the full name of the state or province you live in. This name
will be placed in the certificate request.
.
@@ -160,7 +142,7 @@ _Description: State or province name for the X509 certificate request:
Template: strongswan/x509_locality_name
Type: string
Default:
-_Description: Locality name for the X509 certificate request:
+_Description: Locality name for the X.509 certificate request:
Please enter the locality (e.g. city) where you live. This name will be
placed in the certificate request.
.
@@ -169,8 +151,8 @@ _Description: Locality name for the X509 certificate request:
Template: strongswan/x509_organization_name
Type: string
Default:
-_Description: Organization name for the X509 certificate request:
- Please enter the organization (e.g. company) that the X509 certificate
+_Description: Organization name for the X.509 certificate request:
+ Please enter the organization (e.g. company) that the X.509 certificate
should be created for. This name will be placed in the certificate
request.
.
@@ -179,8 +161,8 @@ _Description: Organization name for the X509 certificate request:
Template: strongswan/x509_organizational_unit
Type: string
Default:
-_Description: Organizational unit for the X509 certificate request:
- Please enter the organizational unit (e.g. section) that the X509
+_Description: Organizational unit for the X.509 certificate request:
+ Please enter the organizational unit (e.g. section) that the X.509
certificate should be created for. This name will be placed in the
certificate request.
.
@@ -189,9 +171,9 @@ _Description: Organizational unit for the X509 certificate request:
Template: strongswan/x509_common_name
Type: string
Default:
-_Description: Common name for the X509 certificate request:
+_Description: Common name for the X.509 certificate request:
Please enter the common name (e.g. the host name of this machine) for
- which the X509 certificate should be created for. This name will be placed
+ which the X.509 certificate should be created for. This name will be placed
in the certificate request.
.
Example: gateway.debian.org
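Review bot: the modified line keeps the doubled preposition from the original, "for which the X.509 certificate should be created for"; drop the trailing "for".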
@@ -199,9 +181,9 @@ _Description: Common name for the X509 certificate request:
Template: strongswan/x509_email_address
Type: string
Default:
-_Description: Email address for the X509 certificate request:
+_Description: Email address for the X.509 certificate request:
Please enter the email address of the person or organization who is
- responsible for the X509 certificate, This address will be placed in the
+ responsible for the X.509 certificate. This address will be placed in the
certificate request.
Template: strongswan/enable-oe
@@ -218,4 +200,3 @@ _Description: Do you wish to enable opportunistic encryption in strongSwan?
.
Please choose whether you want to enable support for OE. If unsure, do not
enable it.
-