diff options
-rw-r--r-- | debian/changelog | 10 | ||||
-rw-r--r-- | debian/control | 34 | ||||
-rwxr-xr-x | debian/rules | 45 | ||||
-rw-r--r-- | debian/strongswan.config | 50 | ||||
-rw-r--r-- | debian/strongswan.postinst | 108 | ||||
-rw-r--r-- | debian/strongswan.templates | 81 |
6 files changed, 130 insertions, 198 deletions
diff --git a/debian/changelog b/debian/changelog index b2515cc6f..098436a8b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,11 +1,11 @@ strongswan (4.2.12-1) unstable; urgency=low - * New upstream release + * New upstream release. Starting with this version, the strongswan + packages is modularized and includes support for plugins like the + NetworkManager plugin. + * Dropping support for raw RSA public/private keypairs, as charon does + not support it. * Explicitly remove directories /etc/ipsec.d and /var/run/pluto on purge. - * No longer mark ipsec.conf and ipsec.secrets as conffiles, as they - are modified by postinst. Although I don't particularly like this - method of patching DEBIAN/conffiles, I don't have a better solution - right now. Thus take patch from Mathieu Parent. -- Rene Mayrhofer <rmayr@debian.org> Sun, 01 Mar 2009 10:46:08 +0000 diff --git a/debian/control b/debian/control index 90379e87e..956e19e96 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,8 @@ Section: net Priority: optional Maintainer: Rene Mayrhofer <rmayr@debian.org> Standards-Version: 3.8.0 -Build-Depends: debhelper (>= 4.1.16), libtool, libgmp3-dev, libssl-dev (>= 0.9.8-1), libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev +Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libopensc2-dev | libopensc1-dev | libopensc0-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, dpatch, bzip2, po-debconf, hardening-wrapper, network-manager-dev, libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7), libnm-glib-dev (>= 0.7) +Homepage: http://www.strongswan.org Package: strongswan Architecture: any @@ -14,28 +15,27 @@ Provides: ike-server Conflicts: freeswan (<< 2.04-12), openswan Replaces: openswan Description: IPSec utilities for strongSwan - IPSec is Internet Protocol SECurity. It uses strong cryptography to provide - both authentication and encryption services. Authentication ensures that - packets are from the right sender and have not been altered in transit. - Encryption prevents unauthorised reading of packet contents. - . - This version of strongSwan supports Opportunistic Encryption (OE) out of the - box. OE enables you to set up IPSec tunnels to a site without - co-ordinating with the site administrator, and without hand - configuring each tunnel. If enough sites support OE, a "FAX effect" - occurs, and many of us can communicate without eavesdroppers. + strongSwan is an open source IPsec implementation for the Linux + operating system. It is one of the two remaining forks of the + original FreeS/WAN projects and focuses on IKEv2 support, X.509 + authentication and complete PKI support. For a focus on + Opportunistic Encryption (OE) and interoperability with non-standard + IPsec features, see Openswan. . In addition to OE, you may manually configure secure tunnels through untrusted networks. Everything passing through the untrusted net is - encrypted by the IPSec gateway machine and decrypted by the gateway + encrypted by the IPsec gateway machine and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet. . Please note that you will need a recent kernel (>=2.4.24 or 2.6.x) - for using this package. The standard Debian kernel includes both IPSec + for using this package. The standard Debian kernel includes both IPsec and crypto support, patching the kernel is no longer necessary! - . - If you want to use the KLIPS IPSec code for kernel modules instead of the - native ones, you will need to install either openswan-modules-source or - linux-patch-openswan and build the respective modules for your kernel. + +Package: network-manager-strongswan +Architecture: any +Depends: ${shlibs:Depends}, strongswan, network-manager (>= 0.7) +Description: strongSwan plugin to interact with NetworkManager + This plugin for NetworkManager allows to configure strongSwan + and control the IKEv2 daemon directly through DBUS. diff --git a/debian/rules b/debian/rules index 618717875..5e0321a58 100755 --- a/debian/rules +++ b/debian/rules @@ -20,7 +20,8 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \ --enable-openssl --enable-agent \ --enable-kernel-klips \ --disable-aes --disable-des --disable-fips-prf --disable-gmp \ - --disable-md5 --disable-sha1 --disable-sha2 + --disable-md5 --disable-sha1 --disable-sha2 \ + --enable-nm # Could enable --enable-nat-transport, but this is actually insecure, # so don't! # And for --enable-eap-sim we would need the library, which we don't @@ -28,20 +29,18 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \ DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU) +ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O2 +endif +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif # the padlock plugin only makes sense on i386 -# but it actually doesn't do much, so no need to enable it -#ifeq ($(DEB_BUILD_ARCH_CPU),i386) -# CONFIGUREARGS += --enable-padlock -#endif - - -configure: configure-stamp -configure-stamp: patch - dh_testdir - # Add here commands to configure the package. - ./configure $(CONFIGUREARGS) - - touch configure-stamp +# but it actually doesn't do much, so maybe we don't need it +ifeq ($(DEB_BUILD_ARCH_CPU),i386) + CONFIGURE_ARGS += --enable-padlock +endif patch: dh_testdir @@ -51,17 +50,17 @@ unpatch: dpatch deapply-all build: build-stamp -build-stamp: configure-stamp - $(MAKE) - - touch build-stamp +build-stamp: patch + dh_testdir + ./configure $(CONFIGUREARGS) + $(MAKE) CC="$(CC)" CFLAGS="$(CFLAGS)" clean: unpatch dh_testdir dh_testroot - rm -f build-stamp configure-stamp + rm -f build-stamp - -$(MAKE) clean + [ ! -f Makefile ] || $(MAKE) clean #-$(MAKE) -C programs/fswcert/ clean # after a make clean, no binaries _should_ be left, but .... -find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm @@ -140,17 +139,13 @@ binary-common: dh_installinit --name=ipsec dh_installdebconf dh_installchangelogs NEWS + dh_installdocs README dh_link dh_strip dh_compress dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d dh_makeshlibs dh_installdeb -ifeq ($(DH_OPTIONS), -a) - # /etc/ipsec.{conf,secrets} are not conffiles (#515095) - egrep -v '^/etc/ipsec.(conf|secrets)' debian/openswan/DEBIAN/conffiles > debian/openswan/DEBIAN/conffiles.new - mv debian/openswan/DEBIAN/conffiles.new debian/openswan/DEBIAN/conffiles -endif dh_shlibdeps dh_gencontrol dh_md5sums diff --git a/debian/strongswan.config b/debian/strongswan.config index 673c2dcda..eb5f2c2dd 100644 --- a/debian/strongswan.config +++ b/debian/strongswan.config @@ -17,39 +17,25 @@ db_go || true db_get strongswan/create_rsa_key if [ "$RET" = "true" ]; then - db_input high strongswan/rsa_key_type || true + # create a new certificate + db_input medium strongswan/rsa_key_length || true + db_input high strongswan/x509_self_signed || true + # we can't allow the country code to be empty - openssl will + # refuse to create a certificate this way + countrycode="" + while [ -z "$countrycode" ]; do + db_input medium strongswan/x509_country_code || true + db_go || true + db_get strongswan/x509_country_code + countrycode="$RET" + done + db_input medium strongswan/x509_state_name || true + db_input medium strongswan/x509_locality_name || true + db_input medium strongswan/x509_organization_name || true + db_input medium strongswan/x509_organizational_unit || true + db_input medium strongswan/x509_common_name || true + db_input medium strongswan/x509_email_address || true db_go || true - - db_get strongswan/rsa_key_type - if [ "$RET" = "plain" ]; then - # create just a plain RSA keypair - db_input medium strongswan/rsa_key_length || true - db_go || true - else - # extract the RSA keypair from a x509 certificate - db_input high strongswan/existing_x509_certificate || true - db_go || true - - # create a new certificate - db_input medium strongswan/rsa_key_length || true - db_input high strongswan/x509_self_signed || true - # we can't allow the country code to be empty - openssl will - # refuse to create a certificate this way - countrycode="" - while [ -z "$countrycode" ]; do - db_input medium strongswan/x509_country_code || true - db_go || true - db_get strongswan/x509_country_code - countrycode="$RET" - done - db_input medium strongswan/x509_state_name || true - db_input medium strongswan/x509_locality_name || true - db_input medium strongswan/x509_organization_name || true - db_input medium strongswan/x509_organizational_unit || true - db_input medium strongswan/x509_common_name || true - db_input medium strongswan/x509_email_address || true - db_go || true - fi else db_get strongswan/existing_x509_certificate if [ "$RET" = "true" ]; then diff --git a/debian/strongswan.postinst b/debian/strongswan.postinst index 7d670dd36..c63273dc2 100644 --- a/debian/strongswan.postinst +++ b/debian/strongswan.postinst @@ -32,14 +32,6 @@ set -e CONF_FILE=/var/lib/strongswan/ipsec.conf.inc SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc -insert_private_key() { - cat <<EOF >> $SECRETS_FILE -: RSA { -$1 - } -EOF -} - insert_private_key_filename() { if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then echo ": RSA $1" >> $SECRETS_FILE @@ -154,67 +146,45 @@ case "$1" in if [ "$RET" = "true" ]; then repair_legacy_secrets # OK, ipsec.secrets should now be correct - db_get strongswan/rsa_key_type - if [ "$RET" = "plain" ]; then - # a RSA keypair should be created - check if there is one already - if [ -e /etc/ipsec.secrets ] && egrep -q ": RSA[:space:]*" /etc/ipsec.secrets; then - echo "Warning: there is already a RSA key in /etc/ipsec.secrets." - echo "Creating an additional one." - fi - if [ -e $SECRETS_FILE ] && egrep -q ": RSA[:space:]*" $SECRETS_FILE; then - echo "Warning: there is already a RSA key in $SECRETS_FILE." - echo "Creating an additional one." - fi - # create a plain strongswan keypair - db_get strongswan/rsa_key_length - umask 077 - keylength=$RET - privkey=`mktemp /tmp/ipsec-postinst.XXXXXX` - /usr/lib/ipsec/rsasigkey $keylength > $privkey - insert_private_key "`cat $privkey`" - rm $privkey - echo "Successfully created a plain strongSwan RSA keypair." - else - # extract the key from a (newly created) x509 certificate - host=`hostname` - newkeyfile="/etc/ipsec.d/private/${host}Key.pem" - newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." - else - # create a new certificate - db_get strongswan/rsa_key_length - keylength=$RET - db_get strongswan/x509_self_signed - selfsigned=$RET - db_get strongswan/x509_country_code - countrycode=$RET - if [ -z "$countrycode" ]; then countrycode="."; fi - db_get strongswan/x509_state_name - statename=$RET - if [ -z "$statename" ]; then statename="."; fi - db_get strongswan/x509_locality_name - localityname=$RET - if [ -z "$localityname" ]; then localityname="."; fi - db_get strongswan/x509_organization_name - orgname=$RET - if [ -z "$orgname" ]; then orgname="."; fi - db_get strongswan/x509_organizational_unit - orgunit=$RET - if [ -z "$orgunit" ]; then orgunit="."; fi - db_get strongswan/x509_common_name - commonname=$RET - if [ -z "$commonname" ]; then commonname="."; fi - db_get strongswan/x509_email_address - email=$RET - if [ -z "$email" ]; then email="."; fi - make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" - chmod 0600 "$newkeyfile" - umask 077 - insert_private_key_filename "$newkeyfile" - echo "Successfully created x509 certificate." - fi + # create a new keypair + host=`hostname` + newkeyfile="/etc/ipsec.d/private/${host}Key.pem" + newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" + if [ -e $newcertfile -o -e $newkeyfile ]; then + echo "Error: $newcertfile or $newkeyfile already exists." + echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." + else + # create a new certificate + db_get strongswan/rsa_key_length + keylength=$RET + db_get strongswan/x509_self_signed + selfsigned=$RET + db_get strongswan/x509_country_code + countrycode=$RET + if [ -z "$countrycode" ]; then countrycode="."; fi + db_get strongswan/x509_state_name + statename=$RET + if [ -z "$statename" ]; then statename="."; fi + db_get strongswan/x509_locality_name + localityname=$RET + if [ -z "$localityname" ]; then localityname="."; fi + db_get strongswan/x509_organization_name + orgname=$RET + if [ -z "$orgname" ]; then orgname="."; fi + db_get strongswan/x509_organizational_unit + orgunit=$RET + if [ -z "$orgunit" ]; then orgunit="."; fi + db_get strongswan/x509_common_name + commonname=$RET + if [ -z "$commonname" ]; then commonname="."; fi + db_get strongswan/x509_email_address + email=$RET + if [ -z "$email" ]; then email="."; fi + make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" + chmod 0600 "$newkeyfile" + umask 077 + insert_private_key_filename "$newkeyfile" + echo "Successfully created x509 certificate." fi else db_get strongswan/existing_x509_certificate diff --git a/debian/strongswan.templates b/debian/strongswan.templates index 3fac9039e..781773ac5 100644 --- a/debian/strongswan.templates +++ b/debian/strongswan.templates @@ -54,59 +54,41 @@ Template: strongswan/create_rsa_key Type: boolean Default: true _Description: Do you want to create a RSA public/private keypair for this host? - This installer can automatically create a RSA public/private keypair for - this host. This keypair can be used to authenticate IPSec connections to - other hosts and is the preferred way for building up secure IPSec - connections. The other possibility would be to use shared secrets - (passwords that are the same on both sides of the tunnel) for + This installer can automatically create a RSA public/private keypair + with an X.509 certificate for this host. This can be used to authenticate + IPSec connections to other hosts and is the preferred way for building up + secure IPSec connections. The other possibility would be to use pre-shared + secrets (PSKs, passwords that are the same on both sides of the tunnel) for authenticating an connection, but for a larger number of connections RSA - authentication is easier to administer and more secure. + authentication is easier to administer and more secure. Note that + having a keypair allows to use both X.509 and PSK authentication for IPsec + tunnels. . If you do not want to create a new public/private keypair, you can choose to - use an existing one. - -Template: strongswan/rsa_key_type -Type: select -_Choices: x509, plain -Default: x509 -_Description: The type of RSA keypair to create: - It is possible to create a plain RSA public/private keypair for use - with strongSwan or to create a X509 certificate file which contains the RSA - public key and additionally stores the corresponding private key. - . - If you only want to build up IPSec connections to hosts also running - strongSwan, it might be a bit easier using plain RSA keypairs. But if you - want to connect to other IPSec implementations, you will need a X509 - certificate. It is also possible to create a X509 certificate here and - extract the RSA public key in plain format if the other side runs - strongSwan without X509 certificate support. - . - Therefore a X509 certificate is recommended since it is more flexible and - this installer should be able to hide the complex creation of the X509 - certificate and its use in strongSwan anyway. + use an existing one in the next step. Template: strongswan/existing_x509_certificate Type: boolean Default: false -_Description: Do you have an existing X509 certificate file for strongSwan? +_Description: Do you have an existing X.509 certificate file for strongSwan? This installer can automatically extract the needed information from an - existing X509 certificate with a matching RSA private key. Both parts can + existing X.509 certificate with a matching RSA private key. Both parts can be in one file, if it is in PEM format. If you have such an existing certificate and key file and want to use it for authenticating IPSec connections, then please answer yes. Template: strongswan/existing_x509_certificate_filename Type: string -_Description: File name of your X509 certificate in PEM format: - Please enter the full location of the file containing your X509 +_Description: File name of your X.509 certificate in PEM format: + Please enter the full location of the file containing your X.509 certificate in PEM format. Template: strongswan/existing_x509_key_filename Type: string -_Description: File name of your X509 private key in PEM format: +_Description: File name of your X.509 private key in PEM format: Please enter the full location of the file containing the private RSA key - matching your X509 certificate in PEM format. This can be the same file - that contains the X509 certificate. + matching your X.509 certificate in PEM format. This can be the same file + that contains the X.509 certificate. Template: strongswan/rsa_key_length Type: string @@ -120,14 +102,14 @@ _Description: The length of the created RSA key (in bits): Template: strongswan/x509_self_signed Type: boolean Default: true -_Description: Do you want to create a self-signed X509 certificate? - This installer can only create self-signed X509 certificates +_Description: Do you want to create a self-signed X.509 certificate? + This installer can only create self-signed X.509 certificates automatically, because otherwise a certificate authority is needed to sign the certificate request. If you want to create a self-signed certificate, you can use it immediately to connect to other IPSec hosts that support - X509 certificate for authentication of IPSec connections. However, if you + X.509 certificate for authentication of IPSec connections. However, if you want to use the new PKI features of strongSwan >= 1.91, you will need to - have all X509 certificates signed by a single certificate authority to + have all X.509 certificates signed by a single certificate authority to create a trust path. . If you do not want to create a self-signed certificate, then this @@ -138,7 +120,7 @@ _Description: Do you want to create a self-signed X509 certificate? Template: strongswan/x509_country_code Type: string Default: AT -_Description: Country code for the X509 certificate request: +_Description: Country code for the X.509 certificate request: Please enter the 2 letter country code for your country. This code will be placed in the certificate request. . @@ -151,7 +133,7 @@ _Description: Country code for the X509 certificate request: Template: strongswan/x509_state_name Type: string Default: -_Description: State or province name for the X509 certificate request: +_Description: State or province name for the X.509 certificate request: Please enter the full name of the state or province you live in. This name will be placed in the certificate request. . @@ -160,7 +142,7 @@ _Description: State or province name for the X509 certificate request: Template: strongswan/x509_locality_name Type: string Default: -_Description: Locality name for the X509 certificate request: +_Description: Locality name for the X.509 certificate request: Please enter the locality (e.g. city) where you live. This name will be placed in the certificate request. . @@ -169,8 +151,8 @@ _Description: Locality name for the X509 certificate request: Template: strongswan/x509_organization_name Type: string Default: -_Description: Organization name for the X509 certificate request: - Please enter the organization (e.g. company) that the X509 certificate +_Description: Organization name for the X.509 certificate request: + Please enter the organization (e.g. company) that the X.509 certificate should be created for. This name will be placed in the certificate request. . @@ -179,8 +161,8 @@ _Description: Organization name for the X509 certificate request: Template: strongswan/x509_organizational_unit Type: string Default: -_Description: Organizational unit for the X509 certificate request: - Please enter the organizational unit (e.g. section) that the X509 +_Description: Organizational unit for the X.509 certificate request: + Please enter the organizational unit (e.g. section) that the X.509 certificate should be created for. This name will be placed in the certificate request. . @@ -189,9 +171,9 @@ _Description: Organizational unit for the X509 certificate request: Template: strongswan/x509_common_name Type: string Default: -_Description: Common name for the X509 certificate request: +_Description: Common name for the X.509 certificate request: Please enter the common name (e.g. the host name of this machine) for - which the X509 certificate should be created for. This name will be placed + which the X.509 certificate should be created for. This name will be placed in the certificate request. . Example: gateway.debian.org @@ -199,9 +181,9 @@ _Description: Common name for the X509 certificate request: Template: strongswan/x509_email_address Type: string Default: -_Description: Email address for the X509 certificate request: +_Description: Email address for the X.509 certificate request: Please enter the email address of the person or organization who is - responsible for the X509 certificate, This address will be placed in the + responsible for the X.509 certificate. This address will be placed in the certificate request. Template: strongswan/enable-oe @@ -218,4 +200,3 @@ _Description: Do you wish to enable opportunistic encryption in strongSwan? . Please choose whether you want to enable support for OE. If unsure, do not enable it. - |