From 49bf9e74e53dbed0079595f8a6fb9f1aa8247de3 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Thu, 26 Mar 2009 16:03:13 +0000 Subject: - Modularize: move stuff to sub-packages. --- debian/changelog | 3 +- debian/control | 105 +++++++++--- debian/libstrongswan.install | 9 + debian/rules | 1 - debian/strongswan-ikev1.install | 4 + debian/strongswan-ikev2.install | 9 + debian/strongswan-starter.config | 47 ++++++ debian/strongswan-starter.install | 25 +++ debian/strongswan-starter.ipsec.init | 133 +++++++++++++++ debian/strongswan-starter.postinst | 313 +++++++++++++++++++++++++++++++++++ debian/strongswan-starter.postrm | 44 +++++ debian/strongswan-starter.prerm | 40 +++++ debian/strongswan-starter.templates | 202 ++++++++++++++++++++++ debian/strongswan.config | 47 ------ debian/strongswan.ipsec.init | 133 --------------- debian/strongswan.postinst | 313 ----------------------------------- debian/strongswan.postrm | 44 ----- debian/strongswan.prerm | 40 ----- debian/strongswan.templates | 202 ---------------------- 19 files changed, 910 insertions(+), 804 deletions(-) create mode 100644 debian/libstrongswan.install create mode 100644 debian/strongswan-ikev1.install create mode 100644 debian/strongswan-ikev2.install create mode 100644 debian/strongswan-starter.config create mode 100644 debian/strongswan-starter.install create mode 100644 debian/strongswan-starter.ipsec.init create mode 100644 debian/strongswan-starter.postinst create mode 100644 debian/strongswan-starter.postrm create mode 100644 debian/strongswan-starter.prerm create mode 100644 debian/strongswan-starter.templates delete mode 100644 debian/strongswan.config delete mode 100644 debian/strongswan.ipsec.init delete mode 100644 debian/strongswan.postinst delete mode 100644 debian/strongswan.postrm delete mode 100644 debian/strongswan.prerm delete mode 100644 debian/strongswan.templates (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index d2e7a6740..1b4060aa0 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -10,7 +10,8 @@ strongswan (4.2.12-1) unstable; urgency=low * New upstream release. Starting with this version, the strongswan packages is modularized and includes support for plugins like the - NetworkManager plugin. + NetworkManager plugin. Many details were adopted from Martin Willi's + packages. * Dropping support for raw RSA public/private keypairs, as charon does not support it. * Explicitly remove directories /etc/ipsec.d and /var/run/pluto on purge. diff --git a/debian/control b/debian/control index e79379786..0e9d005aa 100644 --- a/debian/control +++ b/debian/control 
@@ -7,35 +7,94 @@ Build-Depends: debhelper (>= 7.0.0), libtool, libgmp3-dev, libssl-dev (>= 0.9.8) Homepage: http://www.strongswan.org Package: strongswan +Architecture: all +Depends: strongswan-ikev1, strongswan-ikev2 +Suggests: network-manager-strongswan +Description: IPsec VPN solution metapackage + strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + strongSwan is one of the two remaining forks of the original FreeS/WAN + project and focuses on IKEv2 support, X.509 authentication and complete PKI + support. For a focus on Opportunistic Encryption (OE) and interoperability + with non-standard IPsec features, see Openswan. + . + This metapackage has dependencies to the IKEv1 daemon pluto and IKEv2 daemon + charon. It installs the required packages to run IKEv1 and IKEv2 connections + using a ipsec.conf/ipsec.secrets based configuration. + +Package: libstrongswan +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, openssl +Description: strongSwan utility and crypto library + strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + libstrongswan is the underlying library of charon and other strongSwan + components. It is built in a modular way and is extendable through various + plugins. + +Package: strongswan-starter +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-ikev1 | strongswan-ikev2 +Description: strongSwan daemon starter and configuration file parser + strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . 
+ The starter and the associated "ipsec" script control both pluto and charon + from the command line. It parses ipsec.conf and loads the configurations to + the daemons. While the IKEv2 daemon can use other configuration backends, the + IKEv1 daemon is limited to configurations from ipsec.conf. + +Package: strongswan-ikev1 Architecture: any Pre-Depends: debconf | debconf-2.0 -Depends: ${shlibs:Depends}, ${misc:Depends}, bsdmainutils, debianutils (>=1.7), ipsec-tools, openssl, host, iproute +Depends: ${shlibs:Depends}, ${misc:Depends}, strongswan-starter, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute Suggests: curl Provides: ike-server Conflicts: freeswan (<< 2.04-12), openswan Replaces: openswan -Description: IPSec utilities for strongSwan - strongSwan is an open source IPsec implementation for the Linux - operating system. It is one of the two remaining forks of the - original FreeS/WAN projects and focuses on IKEv2 support, X.509 - authentication and complete PKI support. For a focus on - Opportunistic Encryption (OE) and interoperability with non-standard - IPsec features, see Openswan. - . - In addition to OE, you may manually configure secure tunnels through - untrusted networks. Everything passing through the untrusted net is - encrypted by the IPsec gateway machine and decrypted by the gateway - at the other end. The result is Virtual Private Network or VPN. This - is a network which is effectively private even though it includes - machines at several different sites connected by the insecure Internet. - . - Please note that you will need a recent kernel (>=2.4.24 or 2.6.x) - for using this package. The standard Debian kernel includes both IPsec - and crypto support, patching the kernel is no longer necessary! +Description: strongSwan IKEv1 keying daemon + strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). 
+ It supports both IKEv1 and the newer IKEv2 protocols. + . + Pluto is a IPsec IKEv1 keying daemon. It was inherited from the FreeS/WAN + project, but provides improved X.509 certificate support and other features. + . + Pluto can run in parallel with charon, the newer IKEv2 daemon. + +Package: strongswan-ikev2 +Architecture: any +Pre-Depends: debconf | debconf-2.0 +Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan, strongswan-starter | strongswan-nm, bsdmainutils, debianutils (>=1.7), ipsec-tools, host, iproute +Suggests: curl +Provides: ike-server +Conflicts: freeswan (<< 2.04-12), openswan +Description: strongSwan IKEv2 keying daemon + strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + Charon is the IPsec IKEv2 keying daemon of the strongSwan project. It is + written from scratch using a fully multi-threaded design and a modular + architecture. Various plugins provide additional functionality. + . + This build of charon can run in parallel with pluto, the IKEv1 daemon. -Package: network-manager-strongswan +Package: strongswan-nm Architecture: any -Depends: ${shlibs:Depends}, strongswan, network-manager (>= 0.7) +Depends: ${shlibs:Depends}, strongswan-ikev2 +Recommends: network-manager-strongswan Description: strongSwan plugin to interact with NetworkManager - This plugin for NetworkManager allows to configure strongSwan - and control the IKEv2 daemon directly through DBUS. + strongSwan is a IPsec based VPN solution for the Linux kernel. It uses the + native IPsec stack and runs on any recent 2.6 kernel (no patching required). + It supports both IKEv1 and the newer IKEv2 protocols. + . + This plugin provides an interface which allows NetworkManager to configure + and control the IKEv2 daemon directly through DBUS. 
It is designed to work + in conjunction with the network-manager-strongswan package, providing + a simple graphical frontend to configure IPsec based VPNs. diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install new file mode 100644 index 000000000..9c2a6659b --- /dev/null +++ b/debian/libstrongswan.install @@ -0,0 +1,9 @@ +usr/lib/libstrongswan.so* usr/lib/ +usr/lib/strongswan/plugins/libstrongswan-x509.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-pubkey.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-hmac.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-xcbc.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-random.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-openssl.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-padlock.so* usr/lib/strongswan/plugins/ +etc/strongswan.conf etc/ diff --git a/debian/rules b/debian/rules index a743af7a1..2ab2b68de 100755 --- a/debian/rules +++ b/debian/rules @@ -18,7 +18,6 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \ --with-default-pkcs11=/usr/lib/opensc-pkcs11.so \ --enable-mediation --enable-medsrv --enable-medcli \ --enable-openssl --enable-agent \ - --enable-kernel-klips \ --disable-aes --disable-des --disable-fips-prf --disable-gmp \ --disable-md5 --disable-sha1 --disable-sha2 \ --enable-nm diff --git a/debian/strongswan-ikev1.install b/debian/strongswan-ikev1.install new file mode 100644 index 000000000..1ac8dce5a --- /dev/null +++ b/debian/strongswan-ikev1.install @@ -0,0 +1,4 @@ +usr/lib/strongswan/pluto usr/lib/strongswan/ +usr/lib/strongswan/_pluto_adns usr/lib/strongswan/ +usr/lib/strongswan/whack usr/lib/strongswan/ +usr/share/man/man8/pluto.8 usr/share/man/man8/ diff --git a/debian/strongswan-ikev2.install b/debian/strongswan-ikev2.install new file mode 100644 index 000000000..6827b7d6f --- /dev/null 
+++ b/debian/strongswan-ikev2.install @@ -0,0 +1,9 @@ +usr/lib/strongswan/charon usr/lib/strongswan/ +usr/lib/strongswan/plugins/libstrongswan-kernel-netlink.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-eapgtc.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-eapidentity.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-eapmd5.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-eapmschapv2.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-agent.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-curl.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/plugins/libstrongswan-ldap.so* usr/lib/strongswan/plugins/ diff --git a/debian/strongswan-starter.config b/debian/strongswan-starter.config new file mode 100644 index 000000000..eb5f2c2dd --- /dev/null +++ b/debian/strongswan-starter.config 
@@ -0,0 +1,47 @@ +#!/bin/sh -e + +. /usr/share/debconf/confmodule + +db_input medium strongswan/start_level || true + +# disable for now, until we can deal with the don't-edit-conffiles situation +#db_input high strongswan/ikev1 || true +#db_input high strongswan/ikev2 || true + +db_input medium strongswan/restart || true + +db_input high strongswan/enable-oe || true + +db_input high strongswan/create_rsa_key || true +db_go || true + +db_get strongswan/create_rsa_key +if [ "$RET" = "true" ]; then + # create a new certificate + db_input medium strongswan/rsa_key_length || true + db_input high strongswan/x509_self_signed || true + # we can't allow the country code to be empty - openssl will + # refuse to create a certificate this way + countrycode="" + while [ -z "$countrycode" ]; do + db_input medium strongswan/x509_country_code || true + db_go || true + db_get strongswan/x509_country_code + countrycode="$RET" + done + db_input medium strongswan/x509_state_name || true + db_input medium strongswan/x509_locality_name || true + db_input medium strongswan/x509_organization_name || true + db_input medium strongswan/x509_organizational_unit || true + db_input medium strongswan/x509_common_name || true + db_input medium strongswan/x509_email_address || true + db_go || true +else + db_get strongswan/existing_x509_certificate + if [ "$RET" = "true" ]; then + # existing certificate - use it + db_input critical strongswan/existing_x509_certificate_filename || true + db_input critical strongswan/existing_x509_key_filename || true + db_go || true + fi +fi diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install new file mode 100644 index 000000000..60de34d5a --- /dev/null +++ b/debian/strongswan-starter.install 
@@ -0,0 +1,25 @@ +# starter +usr/lib/strongswan/starter usr/lib/strongswan/ +usr/lib/strongswan/_copyright usr/lib/strongswan/ +usr/sbin/ipsec usr/sbin/ +etc/ipsec.d etc/ +etc/ipsec.conf etc/ +etc/ipsec.secrets etc/ +usr/share/man/man8/ipsec.8 usr/share/man/man8/ +usr/share/man/man8/_copyright.8 usr/share/man/man8/ +usr/share/man/man5/ipsec.conf.5 usr/share/man/man5/ +usr/share/man/man5/ipsec.secrets.5 usr/share/man/man5/ +# updown +usr/lib/strongswan/plugins/libstrongswan-updown.so* usr/lib/strongswan/plugins/ +usr/lib/strongswan/_updown usr/lib/strongswan/ +usr/lib/strongswan/_updown_espmark usr/lib/strongswan/ +usr/share/man/man8/_updown.8 usr/share/man/man8/ +usr/share/man/man8/_updown_espmark.8 usr/share/man/man8/ +# tools +usr/lib/strongswan/scepclient usr/lib/strongswan/ +usr/lib/strongswan/openac usr/lib/strongswan/ +usr/share/man/man8/scepclient.8 usr/share/man/man8/ +usr/share/man/man8/openac.8 usr/share/man/man8/ +# stroke +usr/lib/strongswan/stroke usr/lib/strongswan/ +usr/lib/strongswan/plugins/libstrongswan-stroke.so* usr/lib/strongswan/plugins/ diff --git a/debian/strongswan-starter.ipsec.init b/debian/strongswan-starter.ipsec.init new file mode 100644 index 000000000..5cefef516 --- /dev/null +++ b/debian/strongswan-starter.ipsec.init 
@@ -0,0 +1,133 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: vpn +# Required-Start: $network $local_fs +# Required-Stop: $network $local_fs +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Strongswan IPsec services +### END INIT INFO + +# Author: Rene Mayrhofer + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="strongswan IPsec services" +NAME=ipsec +DAEMON=/usr/sbin/$NAME +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/$NAME + +# Exit if the package is not installed +[ -x "$DAEMON" ] || exit 0 + +# Read configuration variable file if it is present +[ -r /etc/default/$NAME ] && . /etc/default/$NAME + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. +. /lib/lsb/init-functions + +# +# Function that starts the daemon/service +# +do_start() +{ + # Return + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- start \ + || return 2 +} + +# +# Function that stops the daemon/service +# +do_stop() +{ + # Return + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + # give the proper signal to stop + start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- stop \ + || return 2 + # but kill if that didn't work + start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + # Wait for children to finish too if this is a daemon that forks + # and if the daemon is only ever run from this initscript. 
+ # If the above conditions are not satisfied then add some other code + # that waits for the process to drop all resources that could be + # needed by services started subsequently. A last resort is to + # sleep for some time. + start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON + [ "$?" = 2 ] && return 2 + # Many daemons don't delete their pidfiles when they exit. + rm -f $PIDFILE + return "$RETVAL" +} + +do_reload() { + $DAEMON reload + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + $DAEMON status + ;; + reload|force-reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg $? + ;; + restart) + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst new file mode 100644 index 000000000..c63273dc2 --- /dev/null +++ b/debian/strongswan-starter.postinst 
@@ -0,0 +1,313 @@ +#! /bin/bash +# postinst script for strongswan +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# post-installation script, and should be protected with a conditional +# so that unnecessary prompting doesn't happen if a package's +# installation fails and the `postinst' is called with `abort-upgrade', +# `abort-remove' or `abort-deconfigure'. + +CONF_FILE=/var/lib/strongswan/ipsec.conf.inc +SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc + +insert_private_key_filename() { + if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then + echo ": RSA $1" >> $SECRETS_FILE + fi +} + +IPSEC_SECRETS_PATTERN_1=': RSA {' +IPSEC_SECRETS_PATTERN_2=' # yyy' +IPSEC_SECRETS_PATTERN_3=' }' +IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"' + +# remove old, misguided attempts at a default ipsec.secrets files +repair_legacy_secrets() { + if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE | + tail --lines=2 | + grep -A 1 "$IPSEC_SECRETS_PATTERN_2" | + tail --lines=1 | + grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then + echo "Old default config file detected, removing the old defaults now." 
+ umask 077 ; ( + # this is ugly, and someone maybe can formulate this in sed, but + # this was the quickest way for me + line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1` + until=`expr $line - 1` + head -n $until $SECRETS_FILE + sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1` + from=`expr $sum - $line -1` + tail -n $from $SECRETS_FILE + ) > $SECRETS_FILE.tmp + mv $SECRETS_FILE.tmp $SECRETS_FILE + grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp + mv $SECRETS_FILE.tmp $SECRETS_FILE + fi +} + +make_x509_cert() { + if [ $# -ne 12 ]; then + echo "Error in creating X.509 certificate" + exit 1 + fi + + case $5 in + false) + certreq=$4.req + selfsigned="" + ;; + true) + certreq=$4 + selfsigned="-x509" + ;; + *) + echo "Error in creating X.509 certificate" + exit 1 + ;; + esac + + echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \ + /usr/bin/openssl req -new -outform PEM -out $certreq \ + -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \ + -days $2 $selfsigned >/dev/null +} + +enable_daemon_start() { + daemon=$1 + protocol=$2 + + echo -n "Enabling ${protocol} support by pluto ... " + if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then + echo "already enabled" + elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then + sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp + cp $CONF_FILE.tmp $CONF_FILE + rm $CONF_FILE.tmp + echo "done" + elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then + sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp + cp $CONF_FILE.tmp $CONF_FILE + rm $CONF_FILE.tmp + echo "done" + elif [ ! -e $CONF_FILE ]; then + echo -e "\t${daemon}start=yes" > $CONF_FILE + else + echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" 
+ fi +} + +disable_daemon_start() { + daemon=$1 + protocol=$2 + + echo -n "Disabling ${protocol} support by pluto ... " + if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE || + egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then + echo "already disabled" + elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then + sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp + cp $CONF_FILE.tmp $CONF_FILE + rm $CONF_FILE.tmp + echo "done" + elif [ ! -e $CONF_FILE ]; then + echo -e "\t${daemon}start=yes" > $CONF_FILE + else + echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" + fi +} + +. /usr/share/debconf/confmodule + +case "$1" in + configure) + db_get strongswan/create_rsa_key + if [ "$RET" = "true" ]; then + repair_legacy_secrets + # OK, ipsec.secrets should now be correct + # create a new keypair + host=`hostname` + newkeyfile="/etc/ipsec.d/private/${host}Key.pem" + newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" + if [ -e $newcertfile -o -e $newkeyfile ]; then + echo "Error: $newcertfile or $newkeyfile already exists." + echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." 
+ else + # create a new certificate + db_get strongswan/rsa_key_length + keylength=$RET + db_get strongswan/x509_self_signed + selfsigned=$RET + db_get strongswan/x509_country_code + countrycode=$RET + if [ -z "$countrycode" ]; then countrycode="."; fi + db_get strongswan/x509_state_name + statename=$RET + if [ -z "$statename" ]; then statename="."; fi + db_get strongswan/x509_locality_name + localityname=$RET + if [ -z "$localityname" ]; then localityname="."; fi + db_get strongswan/x509_organization_name + orgname=$RET + if [ -z "$orgname" ]; then orgname="."; fi + db_get strongswan/x509_organizational_unit + orgunit=$RET + if [ -z "$orgunit" ]; then orgunit="."; fi + db_get strongswan/x509_common_name + commonname=$RET + if [ -z "$commonname" ]; then commonname="."; fi + db_get strongswan/x509_email_address + email=$RET + if [ -z "$email" ]; then email="."; fi + make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" + chmod 0600 "$newkeyfile" + umask 077 + insert_private_key_filename "$newkeyfile" + echo "Successfully created x509 certificate." + fi + else + db_get strongswan/existing_x509_certificate + if [ "$RET" = "true" ]; then + if [ -e $newcertfile -o -e $newkeyfile ]; then + echo "Error: $newcertfile or $newkeyfile already exists." + echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." + else + # existing certificate - use it + db_get strongswan/existing_x509_certificate_filename + certfile=$RET + db_get strongswan/existing_x509_key_filename + keyfile=$RET + if [ ! -r $certfile ] || [ ! -r $keyfile ]; then + echo "Either the certificate or the key file could not be read !" 
+ else + cp "$certfile" /etc/ipsec.d/certs + umask 077 + cp "$keyfile" "/etc/ipsec.d/private" + newkeyfile="/etc/ipsec.d/private/`basename $keyfile`" + chmod 0600 "$newkeyfile" + insert_private_key_filename "$newkeyfile" + echo "Successfully extracted RSA key from existing x509 certificate." + fi + fi + fi + fi + + # figure out the correct start time + db_get strongswan/start_level + if [ "$RET" = "earliest" ]; then + LEVELS="start 41 S . stop 34 0 6 ." + elif [ "$RET" = "after NFS" ]; then + LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ." + else + LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ." + fi + update-rc.d ipsec $LEVELS > /dev/null + + db_get strongswan/enable-oe + if [ "$RET" != "true" ]; then + echo -n "Disabling opportunistic encryption (OE) in config file ... " + if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then + # also update to new-style config + sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp + mv $CONF_FILE.tmp $CONF_FILE + echo -n "converted old config line to new format" + fi + if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then + sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp + mv $CONF_FILE.tmp $CONF_FILE + echo "done" + elif [ ! -e $CONF_FILE ]; then + echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE + else + echo "already disabled" + fi + else + echo -n "Enabling opportunistic encryption (OE) in config file ... 
" + if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then + # also update to new-style config + sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp + mv $CONF_FILE.tmp $CONF_FILE + echo -n "converted old config line to new format" + fi + if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then + echo "already enabled" + elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then + sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp + mv $CONF_FILE.tmp $CONF_FILE + echo "done" + elif [ ! -e $CONF_FILE ]; then + echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE + else + cat <> $CONF_FILE +#Enable Opportunistic Encryption +include /etc/ipsec.d/examples/oe.conf +EOF + echo "done" + fi + fi + + # disabled for now, until we can solve the don't-edit-conffiles issue + #db_get strongswan/ikev1 + #if [ "$RET" != "true" ]; then + # enable_daemon_start "pluto" "IKEv1" + #else + # disable_daemon_start "pluto" "IKEv1" + #fi + #db_get strongswan/ikev2 + #if [ "$RET" != "true" ]; then + # enable_daemon_start "charon" "IKEv2" + #else + # disable_daemon_start "charon" "IKEv2" + #fi + + if [ -z "$2" ]; then + # no old configured version - start strongswan now + invoke-rc.d ipsec start || true + else + # does the user wish strongswan to restart? + db_get strongswan/restart + if [ "$RET" = "true" ]; then + invoke-rc.d ipsec restart || true # sure, we'll restart it for you + fi + fi + + db_stop + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument '$1'" >&2 + exit 0 + ;; +esac + +# dh_installdeb will replace this with shell code automatically + +#DEBHELPER# + +exit 0 
diff --git a/debian/strongswan-starter.postrm b/debian/strongswan-starter.postrm new file mode 100644 index 000000000..18f9069b6 --- /dev/null +++ b/debian/strongswan-starter.postrm @@ -0,0 +1,44 @@ +#! /bin/sh +# postrm script for strongswan +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' overwrit>r> +# for details, see /usr/share/doc/packaging-manual/ + +case "$1" in + purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + + # update the menu system +# if [ -x /usr/bin/update-menus ]; then update-menus; fi + + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 0 + +esac + +if [ "$1" = "purge" ] ; then + update-rc.d ipsec remove >/dev/null + rm -rf /etc/ipsec.d/ + rm -rf /var/run/pluto/ +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + + diff --git a/debian/strongswan-starter.prerm b/debian/strongswan-starter.prerm new file mode 100644 index 000000000..c1ba063d6 --- /dev/null +++ b/debian/strongswan-starter.prerm @@ -0,0 +1,40 @@ +#! /bin/sh +# prerm script for strongswan +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `upgrade' +# * `failed-upgrade' +# * `remove' `in-favour' +# * `deconfigure' `in-favour' +# `removing' +# +# for details, see /usr/share/doc/packaging-manual/ + +case "$1" in + upgrade) + ;; + remove|deconfigure) + invoke-rc.d ipsec stop || true +# install-info --quiet --remove /usr/info/strongswan.info.gz + ;; + failed-upgrade) + ;; + *) + echo "prerm called with unknown argument \`$1'" >&2 + exit 0 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + 
diff --git a/debian/strongswan-starter.templates b/debian/strongswan-starter.templates new file mode 100644 index 000000000..781773ac5 --- /dev/null +++ b/debian/strongswan-starter.templates 
@@ -0,0 +1,202 @@ +Template: strongswan/start_level +Type: select +_Choices: earliest, "after NFS", "after PCMCIA" +Default: earliest +_Description: When to start strongSwan: + There are three possibilities when strongSwan can start: before or + after the NFS services and after the PCMCIA services. The correct answer + depends on your specific setup. + . + If you do not have your /usr tree mounted via NFS (either you only mount + other, less vital trees via NFS or don't use NFS mounted trees at all) and + don't use a PCMCIA network card, then it's best to start strongSwan at + the earliest possible time, thus allowing the NFS mounts to be secured by + IPSec. In this case (or if you don't understand or care about this + issue), answer "earliest" to this question (the default). + . + If you have your /usr tree mounted via NFS and don't use a PCMCIA network + card, then you will need to start strongSwan after NFS so that all + necessary files are available. In this case, answer "after NFS" to this + question. Please note that the NFS mount of /usr can not be secured by + IPSec in this case. + . + If you use a PCMCIA network card for your IPSec connections, then you only + have to choose to start it after the PCMCIA services. Answer "after + PCMCIA" in this case. This is also the correct answer if you want to fetch + keys from a locally running DNS server with DNSSec support. + +Template: strongswan/restart +Type: boolean +Default: true +_Description: Do you wish to restart strongSwan? + Restarting strongSwan is a good idea, since if there is a security fix, it + will not be fixed until the daemon restarts. Most people expect the daemon + to restart, so this is generally a good idea. However this might take down + existing connections and then bring them back up. + +Template: strongswan/ikev1 +Type: boolean +Default: true +_Description: Do you wish to support IKEv1? + strongSwan supports both versions of the Internet Key Exchange protocol, + IKEv1 and IKEv2. 
Do you want to start the "pluto" daemon for IKEv1 support + when strongSwan is started? + +Template: strongswan/ikev2 +Type: boolean +Default: true +_Description: Do you wish to support IKEv2? + strongSwan supports both versions of the Internet Key Exchange protocol, + IKEv1 and IKEv2. Do you want to start the "charon" daemon for IKEv2 support + when strongSwan is started? + +Template: strongswan/create_rsa_key +Type: boolean +Default: true +_Description: Do you want to create a RSA public/private keypair for this host? + This installer can automatically create a RSA public/private keypair + with an X.509 certificate for this host. This can be used to authenticate + IPSec connections to other hosts and is the preferred way for building up + secure IPSec connections. The other possibility would be to use pre-shared + secrets (PSKs, passwords that are the same on both sides of the tunnel) for + authenticating an connection, but for a larger number of connections RSA + authentication is easier to administer and more secure. Note that + having a keypair allows to use both X.509 and PSK authentication for IPsec + tunnels. + . + If you do not want to create a new public/private keypair, you can choose to + use an existing one in the next step. + +Template: strongswan/existing_x509_certificate +Type: boolean +Default: false +_Description: Do you have an existing X.509 certificate file for strongSwan? + This installer can automatically extract the needed information from an + existing X.509 certificate with a matching RSA private key. Both parts can + be in one file, if it is in PEM format. If you have such an existing + certificate and key file and want to use it for authenticating IPSec + connections, then please answer yes. + +Template: strongswan/existing_x509_certificate_filename +Type: string +_Description: File name of your X.509 certificate in PEM format: + Please enter the full location of the file containing your X.509 + certificate in PEM format. 
+ +Template: strongswan/existing_x509_key_filename +Type: string +_Description: File name of your X.509 private key in PEM format: + Please enter the full location of the file containing the private RSA key + matching your X.509 certificate in PEM format. This can be the same file + that contains the X.509 certificate. + +Template: strongswan/rsa_key_length +Type: string +Default: 2048 +_Description: The length of the created RSA key (in bits): + Please enter the length of the created RSA key. It should not be less than + 1024 bits because this should be considered unsecure and you will probably + not need anything more than 2048 bits because it only slows the + authentication process down and is not needed at the moment. + +Template: strongswan/x509_self_signed +Type: boolean +Default: true +_Description: Do you want to create a self-signed X.509 certificate? + This installer can only create self-signed X.509 certificates + automatically, because otherwise a certificate authority is needed to sign + the certificate request. If you want to create a self-signed certificate, + you can use it immediately to connect to other IPSec hosts that support + X.509 certificate for authentication of IPSec connections. However, if you + want to use the new PKI features of strongSwan >= 1.91, you will need to + have all X.509 certificates signed by a single certificate authority to + create a trust path. + . + If you do not want to create a self-signed certificate, then this + installer will only create the RSA private key and the certificate request + and you will have to get the certificate request signed by your certificate + authority. + +Template: strongswan/x509_country_code +Type: string +Default: AT +_Description: Country code for the X.509 certificate request: + Please enter the 2 letter country code for your country. This code will be + placed in the certificate request. + . 
+ You really need to enter a valid country code here, because openssl will + refuse to generate certificates without one. An empty field is allowed for + any other field of the X.509 certificate, but not for this one. + . + Example: AT + +Template: strongswan/x509_state_name +Type: string +Default: +_Description: State or province name for the X.509 certificate request: + Please enter the full name of the state or province you live in. This name + will be placed in the certificate request. + . + Example: Upper Austria + +Template: strongswan/x509_locality_name +Type: string +Default: +_Description: Locality name for the X.509 certificate request: + Please enter the locality (e.g. city) where you live. This name will be + placed in the certificate request. + . + Example: Vienna + +Template: strongswan/x509_organization_name +Type: string +Default: +_Description: Organization name for the X.509 certificate request: + Please enter the organization (e.g. company) that the X.509 certificate + should be created for. This name will be placed in the certificate + request. + . + Example: Debian + +Template: strongswan/x509_organizational_unit +Type: string +Default: +_Description: Organizational unit for the X.509 certificate request: + Please enter the organizational unit (e.g. section) that the X.509 + certificate should be created for. This name will be placed in the + certificate request. + . + Example: security group + +Template: strongswan/x509_common_name +Type: string +Default: +_Description: Common name for the X.509 certificate request: + Please enter the common name (e.g. the host name of this machine) for + which the X.509 certificate should be created for. This name will be placed + in the certificate request. + . 
+ Example: gateway.debian.org + +Template: strongswan/x509_email_address +Type: string +Default: +_Description: Email address for the X.509 certificate request: + Please enter the email address of the person or organization who is + responsible for the X.509 certificate. This address will be placed in the + certificate request. + +Template: strongswan/enable-oe +Type: boolean +Default: false +_Description: Do you wish to enable opportunistic encryption in strongSwan? + strongSwan comes with support for opportunistic encryption (OE), which stores + IPSec authentication information (i.e. RSA public keys) in (preferably + secure) DNS records. Until this is widely deployed, activating it will + cause a significant slow-down for every new, outgoing connection. Since + version 2.0, strongSwan upstream comes with OE enabled by default and is thus + likely to break your existing connection to the Internet (i.e. your default + route) as soon as pluto (the strongSwan keying daemon) is started. + . + Please choose whether you want to enable support for OE. If unsure, do not + enable it. diff --git a/debian/strongswan.config b/debian/strongswan.config deleted file mode 100644 index eb5f2c2dd..000000000 --- a/debian/strongswan.config +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/sh -e - -. /usr/share/debconf/confmodule - -db_input medium strongswan/start_level || true - -# disable for now, until we can deal with the don't-edit-conffiles situation -#db_input high strongswan/ikev1 || true -#db_input high strongswan/ikev2 || true - -db_input medium strongswan/restart || true - -db_input high strongswan/enable-oe || true - -db_input high strongswan/create_rsa_key || true -db_go || true - -db_get strongswan/create_rsa_key -if [ "$RET" = "true" ]; then - # create a new certificate - db_input medium strongswan/rsa_key_length || true - db_input high strongswan/x509_self_signed || true - # we can't allow the country code to be empty - openssl will - # refuse to create a certificate this way - countrycode="" - while [ -z "$countrycode" ]; do - db_input medium strongswan/x509_country_code || true - db_go || true - db_get strongswan/x509_country_code - countrycode="$RET" - done - db_input medium strongswan/x509_state_name || true - db_input medium strongswan/x509_locality_name || true - db_input medium strongswan/x509_organization_name || true - db_input medium strongswan/x509_organizational_unit || true - db_input medium strongswan/x509_common_name || true - db_input medium strongswan/x509_email_address || true - db_go || true -else - db_get strongswan/existing_x509_certificate - if [ "$RET" = "true" ]; then - # existing certificate - use it - db_input critical strongswan/existing_x509_certificate_filename || true - db_input critical strongswan/existing_x509_key_filename || true - db_go || true - fi -fi diff --git a/debian/strongswan.ipsec.init b/debian/strongswan.ipsec.init deleted file mode 100644 index 5cefef516..000000000 --- a/debian/strongswan.ipsec.init +++ /dev/null 
@@ -1,133 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: vpn -# Required-Start: $network $local_fs -# Required-Stop: $network $local_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Strongswan IPsec services -### END INIT INFO - -# Author: Rene Mayrhofer - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="strongswan IPsec services" -NAME=ipsec -DAEMON=/usr/sbin/$NAME -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- start \ - || return 2 -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - # give the proper signal to stop - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- stop \ - || return 2 - # but kill if that didn't work - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. 
- # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -do_reload() { - $DAEMON reload - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - $DAEMON status - ;; - reload|force-reload) - log_daemon_msg "Reloading $DESC" "$NAME" - do_reload - log_end_msg $? - ;; - restart) - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/strongswan.postinst b/debian/strongswan.postinst deleted file mode 100644 index c63273dc2..000000000 --- a/debian/strongswan.postinst +++ /dev/null 
@@ -1,313 +0,0 @@ -#! /bin/bash -# postinst script for strongswan -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see /usr/share/doc/packaging-manual/ -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# post-installation script, and should be protected with a conditional -# so that unnecessary prompting doesn't happen if a package's -# installation fails and the `postinst' is called with `abort-upgrade', -# `abort-remove' or `abort-deconfigure'. - -CONF_FILE=/var/lib/strongswan/ipsec.conf.inc -SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc - -insert_private_key_filename() { - if [ ! -e $SECRETS_FILE ] || ! grep -q ": RSA $1" $SECRETS_FILE; then - echo ": RSA $1" >> $SECRETS_FILE - fi -} - -IPSEC_SECRETS_PATTERN_1=': RSA {' -IPSEC_SECRETS_PATTERN_2=' # yyy' -IPSEC_SECRETS_PATTERN_3=' }' -IPSEC_SECRETS_PATTERN_4='# do not change the indenting of that "}"' - -# remove old, misguided attempts at a default ipsec.secrets files -repair_legacy_secrets() { - if [ -e $SECRETS_FILE ] && grep -A 2 "$IPSEC_SECRETS_PATTERN_1" $SECRETS_FILE | - tail --lines=2 | - grep -A 1 "$IPSEC_SECRETS_PATTERN_2" | - tail --lines=1 | - grep "$IPSEC_SECRETS_PATTERN_3" >/dev/null; then - echo "Old default config file detected, removing the old defaults now." 
- umask 077 ; ( - # this is ugly, and someone maybe can formulate this in sed, but - # this was the quickest way for me - line=`grep -n "$IPSEC_SECRETS_PATTERN_2" $SECRETS_FILE | cut -d':' -f1` - until=`expr $line - 1` - head -n $until $SECRETS_FILE - sum=`wc -l $SECRETS_FILE | cut -d ' ' -f1` - from=`expr $sum - $line -1` - tail -n $from $SECRETS_FILE - ) > $SECRETS_FILE.tmp - mv $SECRETS_FILE.tmp $SECRETS_FILE - grep -v "$IPSEC_SECRETS_PATTERN_4" $SECRETS_FILE > $SECRETS_FILE.tmp - mv $SECRETS_FILE.tmp $SECRETS_FILE - fi -} - -make_x509_cert() { - if [ $# -ne 12 ]; then - echo "Error in creating X.509 certificate" - exit 1 - fi - - case $5 in - false) - certreq=$4.req - selfsigned="" - ;; - true) - certreq=$4 - selfsigned="-x509" - ;; - *) - echo "Error in creating X.509 certificate" - exit 1 - ;; - esac - - echo -e "$6\n$7\n$8\n$9\n${10}\n${11}\n${12}\n\n\n" | \ - /usr/bin/openssl req -new -outform PEM -out $certreq \ - -newkey rsa:$1 -nodes -keyout $3 -keyform PEM \ - -days $2 $selfsigned >/dev/null -} - -enable_daemon_start() { - daemon=$1 - protocol=$2 - - echo -n "Enabling ${protocol} support by pluto ... " - if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then - echo "already enabled" - elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then - sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then - sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo -e "\t${daemon}start=yes" > $CONF_FILE - else - echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" 
- fi -} - -disable_daemon_start() { - daemon=$1 - protocol=$2 - - echo -n "Disabling ${protocol} support by pluto ... " - if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE || - egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then - echo "already disabled" - elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then - sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo -e "\t${daemon}start=yes" > $CONF_FILE - else - echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" - fi -} - -. /usr/share/debconf/confmodule - -case "$1" in - configure) - db_get strongswan/create_rsa_key - if [ "$RET" = "true" ]; then - repair_legacy_secrets - # OK, ipsec.secrets should now be correct - # create a new keypair - host=`hostname` - newkeyfile="/etc/ipsec.d/private/${host}Key.pem" - newcertfile="/etc/ipsec.d/certs/${host}Cert.pem" - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." 
- else - # create a new certificate - db_get strongswan/rsa_key_length - keylength=$RET - db_get strongswan/x509_self_signed - selfsigned=$RET - db_get strongswan/x509_country_code - countrycode=$RET - if [ -z "$countrycode" ]; then countrycode="."; fi - db_get strongswan/x509_state_name - statename=$RET - if [ -z "$statename" ]; then statename="."; fi - db_get strongswan/x509_locality_name - localityname=$RET - if [ -z "$localityname" ]; then localityname="."; fi - db_get strongswan/x509_organization_name - orgname=$RET - if [ -z "$orgname" ]; then orgname="."; fi - db_get strongswan/x509_organizational_unit - orgunit=$RET - if [ -z "$orgunit" ]; then orgunit="."; fi - db_get strongswan/x509_common_name - commonname=$RET - if [ -z "$commonname" ]; then commonname="."; fi - db_get strongswan/x509_email_address - email=$RET - if [ -z "$email" ]; then email="."; fi - make_x509_cert $keylength 1500 "$newkeyfile" "$newcertfile" "$selfsigned" "$countrycode" "$statename" "$localityname" "$orgname" "$orgunit" "$commonname" "$email" - chmod 0600 "$newkeyfile" - umask 077 - insert_private_key_filename "$newkeyfile" - echo "Successfully created x509 certificate." - fi - else - db_get strongswan/existing_x509_certificate - if [ "$RET" = "true" ]; then - if [ -e $newcertfile -o -e $newkeyfile ]; then - echo "Error: $newcertfile or $newkeyfile already exists." - echo "Please remove them first an re-run dpkg-reconfigure to create a new keypair." - else - # existing certificate - use it - db_get strongswan/existing_x509_certificate_filename - certfile=$RET - db_get strongswan/existing_x509_key_filename - keyfile=$RET - if [ ! -r $certfile ] || [ ! -r $keyfile ]; then - echo "Either the certificate or the key file could not be read !" 
- else - cp "$certfile" /etc/ipsec.d/certs - umask 077 - cp "$keyfile" "/etc/ipsec.d/private" - newkeyfile="/etc/ipsec.d/private/`basename $keyfile`" - chmod 0600 "$newkeyfile" - insert_private_key_filename "$newkeyfile" - echo "Successfully extracted RSA key from existing x509 certificate." - fi - fi - fi - fi - - # figure out the correct start time - db_get strongswan/start_level - if [ "$RET" = "earliest" ]; then - LEVELS="start 41 S . stop 34 0 6 ." - elif [ "$RET" = "after NFS" ]; then - LEVELS="start 15 2 3 4 5 . stop 30 0 1 6 ." - else - LEVELS="start 21 2 3 4 5 . stop 19 0 1 6 ." - fi - update-rc.d ipsec $LEVELS > /dev/null - - db_get strongswan/enable-oe - if [ "$RET" != "true" ]; then - echo -n "Disabling opportunistic encryption (OE) in config file ... " - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then - # also update to new-style config - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo -n "converted old config line to new format" - fi - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE - else - echo "already disabled" - fi - else - echo -n "Enabling opportunistic encryption (OE) in config file ... 
" - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then - # also update to new-style config - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo -n "converted old config line to new format" - fi - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - echo "already enabled" - elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE - else - cat <> $CONF_FILE -#Enable Opportunistic Encryption -include /etc/ipsec.d/examples/oe.conf -EOF - echo "done" - fi - fi - - # disabled for now, until we can solve the don't-edit-conffiles issue - #db_get strongswan/ikev1 - #if [ "$RET" != "true" ]; then - # enable_daemon_start "pluto" "IKEv1" - #else - # disable_daemon_start "pluto" "IKEv1" - #fi - #db_get strongswan/ikev2 - #if [ "$RET" != "true" ]; then - # enable_daemon_start "charon" "IKEv2" - #else - # disable_daemon_start "charon" "IKEv2" - #fi - - if [ -z "$2" ]; then - # no old configured version - start strongswan now - invoke-rc.d ipsec start || true - else - # does the user wish strongswan to restart? - db_get strongswan/restart - if [ "$RET" = "true" ]; then - invoke-rc.d ipsec restart || true # sure, we'll restart it for you - fi - fi - - db_stop - - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - *) - echo "postinst called with unknown argument '$1'" >&2 - exit 0 - ;; -esac - -# dh_installdeb will replace this with shell code automatically - -#DEBHELPER# - -exit 0 
diff --git a/debian/strongswan.postrm b/debian/strongswan.postrm deleted file mode 100644 index 18f9069b6..000000000 --- a/debian/strongswan.postrm +++ /dev/null @@ -1,44 +0,0 @@ -#! /bin/sh -# postrm script for strongswan -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `purge' -# * `upgrade' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# * `disappear' overwrit>r> -# for details, see /usr/share/doc/packaging-manual/ - -case "$1" in - purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - - # update the menu system -# if [ -x /usr/bin/update-menus ]; then update-menus; fi - - ;; - - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 0 - -esac - -if [ "$1" = "purge" ] ; then - update-rc.d ipsec remove >/dev/null - rm -rf /etc/ipsec.d/ - rm -rf /var/run/pluto/ -fi - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - - diff --git a/debian/strongswan.prerm b/debian/strongswan.prerm deleted file mode 100644 index c1ba063d6..000000000 --- a/debian/strongswan.prerm +++ /dev/null @@ -1,40 +0,0 @@ -#! /bin/sh -# prerm script for strongswan -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `upgrade' -# * `failed-upgrade' -# * `remove' `in-favour' -# * `deconfigure' `in-favour' -# `removing' -# -# for details, see /usr/share/doc/packaging-manual/ - -case "$1" in - upgrade) - ;; - remove|deconfigure) - invoke-rc.d ipsec stop || true -# install-info --quiet --remove /usr/info/strongswan.info.gz - ;; - failed-upgrade) - ;; - *) - echo "prerm called with unknown argument \`$1'" >&2 - exit 0 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - - 
diff --git a/debian/strongswan.templates b/debian/strongswan.templates deleted file mode 100644 index 781773ac5..000000000 --- a/debian/strongswan.templates +++ /dev/null 
@@ -1,202 +0,0 @@ -Template: strongswan/start_level -Type: select -_Choices: earliest, "after NFS", "after PCMCIA" -Default: earliest -_Description: When to start strongSwan: - There are three possibilities when strongSwan can start: before or - after the NFS services and after the PCMCIA services. The correct answer - depends on your specific setup. - . - If you do not have your /usr tree mounted via NFS (either you only mount - other, less vital trees via NFS or don't use NFS mounted trees at all) and - don't use a PCMCIA network card, then it's best to start strongSwan at - the earliest possible time, thus allowing the NFS mounts to be secured by - IPSec. In this case (or if you don't understand or care about this - issue), answer "earliest" to this question (the default). - . - If you have your /usr tree mounted via NFS and don't use a PCMCIA network - card, then you will need to start strongSwan after NFS so that all - necessary files are available. In this case, answer "after NFS" to this - question. Please note that the NFS mount of /usr can not be secured by - IPSec in this case. - . - If you use a PCMCIA network card for your IPSec connections, then you only - have to choose to start it after the PCMCIA services. Answer "after - PCMCIA" in this case. This is also the correct answer if you want to fetch - keys from a locally running DNS server with DNSSec support. - -Template: strongswan/restart -Type: boolean -Default: true -_Description: Do you wish to restart strongSwan? - Restarting strongSwan is a good idea, since if there is a security fix, it - will not be fixed until the daemon restarts. Most people expect the daemon - to restart, so this is generally a good idea. However this might take down - existing connections and then bring them back up. - -Template: strongswan/ikev1 -Type: boolean -Default: true -_Description: Do you wish to support IKEv1? - strongSwan supports both versions of the Internet Key Exchange protocol, - IKEv1 and IKEv2. 
Do you want to start the "pluto" daemon for IKEv1 support - when strongSwan is started? - -Template: strongswan/ikev2 -Type: boolean -Default: true -_Description: Do you wish to support IKEv2? - strongSwan supports both versions of the Internet Key Exchange protocol, - IKEv1 and IKEv2. Do you want to start the "charon" daemon for IKEv2 support - when strongSwan is started? - -Template: strongswan/create_rsa_key -Type: boolean -Default: true -_Description: Do you want to create a RSA public/private keypair for this host? - This installer can automatically create a RSA public/private keypair - with an X.509 certificate for this host. This can be used to authenticate - IPSec connections to other hosts and is the preferred way for building up - secure IPSec connections. The other possibility would be to use pre-shared - secrets (PSKs, passwords that are the same on both sides of the tunnel) for - authenticating an connection, but for a larger number of connections RSA - authentication is easier to administer and more secure. Note that - having a keypair allows to use both X.509 and PSK authentication for IPsec - tunnels. - . - If you do not want to create a new public/private keypair, you can choose to - use an existing one in the next step. - -Template: strongswan/existing_x509_certificate -Type: boolean -Default: false -_Description: Do you have an existing X.509 certificate file for strongSwan? - This installer can automatically extract the needed information from an - existing X.509 certificate with a matching RSA private key. Both parts can - be in one file, if it is in PEM format. If you have such an existing - certificate and key file and want to use it for authenticating IPSec - connections, then please answer yes. - -Template: strongswan/existing_x509_certificate_filename -Type: string -_Description: File name of your X.509 certificate in PEM format: - Please enter the full location of the file containing your X.509 - certificate in PEM format. 
- -Template: strongswan/existing_x509_key_filename -Type: string -_Description: File name of your X.509 private key in PEM format: - Please enter the full location of the file containing the private RSA key - matching your X.509 certificate in PEM format. This can be the same file - that contains the X.509 certificate. - -Template: strongswan/rsa_key_length -Type: string -Default: 2048 -_Description: The length of the created RSA key (in bits): - Please enter the length of the created RSA key. It should not be less than - 1024 bits because this should be considered unsecure and you will probably - not need anything more than 2048 bits because it only slows the - authentication process down and is not needed at the moment. - -Template: strongswan/x509_self_signed -Type: boolean -Default: true -_Description: Do you want to create a self-signed X.509 certificate? - This installer can only create self-signed X.509 certificates - automatically, because otherwise a certificate authority is needed to sign - the certificate request. If you want to create a self-signed certificate, - you can use it immediately to connect to other IPSec hosts that support - X.509 certificate for authentication of IPSec connections. However, if you - want to use the new PKI features of strongSwan >= 1.91, you will need to - have all X.509 certificates signed by a single certificate authority to - create a trust path. - . - If you do not want to create a self-signed certificate, then this - installer will only create the RSA private key and the certificate request - and you will have to get the certificate request signed by your certificate - authority. - -Template: strongswan/x509_country_code -Type: string -Default: AT -_Description: Country code for the X.509 certificate request: - Please enter the 2 letter country code for your country. This code will be - placed in the certificate request. - . 
- You really need to enter a valid country code here, because openssl will - refuse to generate certificates without one. An empty field is allowed for - any other field of the X.509 certificate, but not for this one. - . - Example: AT - -Template: strongswan/x509_state_name -Type: string -Default: -_Description: State or province name for the X.509 certificate request: - Please enter the full name of the state or province you live in. This name - will be placed in the certificate request. - . - Example: Upper Austria - -Template: strongswan/x509_locality_name -Type: string -Default: -_Description: Locality name for the X.509 certificate request: - Please enter the locality (e.g. city) where you live. This name will be - placed in the certificate request. - . - Example: Vienna - -Template: strongswan/x509_organization_name -Type: string -Default: -_Description: Organization name for the X.509 certificate request: - Please enter the organization (e.g. company) that the X.509 certificate - should be created for. This name will be placed in the certificate - request. - . - Example: Debian - -Template: strongswan/x509_organizational_unit -Type: string -Default: -_Description: Organizational unit for the X.509 certificate request: - Please enter the organizational unit (e.g. section) that the X.509 - certificate should be created for. This name will be placed in the - certificate request. - . - Example: security group - -Template: strongswan/x509_common_name -Type: string -Default: -_Description: Common name for the X.509 certificate request: - Please enter the common name (e.g. the host name of this machine) for - which the X.509 certificate should be created for. This name will be placed - in the certificate request. - . 
- Example: gateway.debian.org - -Template: strongswan/x509_email_address -Type: string -Default: -_Description: Email address for the X.509 certificate request: - Please enter the email address of the person or organization who is - responsible for the X.509 certificate. This address will be placed in the - certificate request. - -Template: strongswan/enable-oe -Type: boolean -Default: false -_Description: Do you wish to enable opportunistic encryption in strongSwan? - strongSwan comes with support for opportunistic encryption (OE), which stores - IPSec authentication information (i.e. RSA public keys) in (preferably - secure) DNS records. Until this is widely deployed, activating it will - cause a significant slow-down for every new, outgoing connection. Since - version 2.0, strongSwan upstream comes with OE enabled by default and is thus - likely to break your existing connection to the Internet (i.e. your default - route) as soon as pluto (the strongSwan keying daemon) is started. - . - Please choose whether you want to enable support for OE. If unsure, do not - enable it. -- cgit v1.2.3
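Review bot: In the new debian/strongswan-starter.templates hunk (@@ -0,0 +1,202 @@), the strongswan/ikev1 and strongswan/ikev2 templates are shipped although the only code that would ask them is commented out (the `#db_input high strongswan/ikev1` / `#db_input high strongswan/ikev2` lines in the deleted strongswan.config, "disable for now, until we can deal with the don't-edit-conffiles situation"), so they are dead templates that only generate translation work; either drop them from this file until the IKEv1/IKEv2 handling is re-enabled, or re-enable the prompts in the same change. Also, strongswan/rsa_key_length is a free-form `Type: string` whose value the deleted postinst interpolates straight into `-newkey rsa:$1` for openssl; nothing rejects a non-numeric or too-small entry, so make it a `Type: select` with sensible choices or validate it in the config script before it reaches openssl. The description of strongswan/x509_self_signed still says "the new PKI features of strongSwan >= 1.91" and the OE template says "Since version 2.0, strongSwan upstream comes with OE enabled by default"; both version references predate this 4.2.12 package and should be checked or dropped.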
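Review bot: In the deleted debian/strongswan.config hunk (@@ -1,47 +0,0 @@), the `while [ -z "$countrycode" ]` loop has no exit path once debconf stops showing the question: after the user clears the "AT" default and submits an empty value, the question is marked seen, every further `db_input medium strongswan/x509_country_code || true` returns the "skipped" status that `|| true` hides, `db_get` keeps returning the empty string, and the loop spins forever; the same happens with a noninteractive frontend or a preseeded empty value. If this logic is carried over into the strongswan-starter config script, break out of the loop when db_input reports the question was not shown (exit status 30), or `db_fset strongswan/x509_country_code seen false` before re-asking and fall back to the template default after a bounded number of tries.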
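Review bot: In the deleted debian/strongswan.ipsec.init hunk (@@ -1,133 +0,0 @@), do_start and do_stop key their `--test`, `--pidfile $PIDFILE` and `--name $NAME` checks on NAME=ipsec and PIDFILE=/var/run/ipsec.pid, but `/usr/sbin/ipsec` is the wrapper that launches the actual daemons and then exits, and nothing in the script ever creates /var/run/ipsec.pid; so the "already running" test in do_start never fires, `rm -f $PIDFILE` is a no-op, and the `--retry=TERM/30/KILL/5 --name $NAME` fallback in do_stop can never match a running daemon. If the script is kept for the strongswan-starter package, either point the pidfile and name at the process that is actually started, or drop those branches and rely on the return codes of `$DAEMON start`/`$DAEMON stop`. Separately, the LSB header declares `Default-Start: 2 3 4 5` while the deleted postinst calls `update-rc.d ipsec $LEVELS` with debconf-chosen levels such as `start 41 S . stop 34 0 6 .`; the two disagree, and once dependency-based boot ordering is in use the header wins, which makes the strongswan/start_level question misleading.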
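Review bot: In the deleted debian/strongswan.postinst hunk (@@ -1,313 +0,0 @@), `umask 077` is set only after `make_x509_cert` has already written the private key via `openssl req ... -keyout $3`, so the key is created under the process's default umask and is readable by other users until the following `chmod 0600 "$newkeyfile"`; if this code is carried over, move `umask 077` in front of the make_x509_cert call so the key is never exposed. Further problems in the same hunk: in the existing-certificate branch `if [ -e $newcertfile -o -e $newkeyfile ]` runs with both variables unset (they are only assigned in the create branch), so the check does not test the intended paths and should be made against the `/etc/ipsec.d/private/`basename $keyfile`` name computed a few lines later; `disable_daemon_start` writes `${daemon}start=yes` when the config file is missing (copy-paste from enable_daemon_start, should be `=no`); the `egrep`/`sed` patterns use `^\w+` and `\w*` to stand for leading and trailing whitespace, but `\w` matches word characters, and the sed in the third branch uses ERE `(yes|no)` without `-r`, so none of those branches match an indented `plutostart=` line; and the commented-out ikev1/ikev2 block has inverted conditions (`if [ "$RET" != "true" ]` calls enable_daemon_start), which will bite as soon as it is re-enabled. The `cat <> $CONF_FILE` ... `EOF` line in the OE branch is not a valid heredoc as shown; if that is not an extraction artefact it needs to read `cat <<EOF >> $CONF_FILE`.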
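Review bot: In the deleted debian/strongswan.postrm hunk (@@ -1,44 +0,0 @@), the purge branch runs `rm -rf /etc/ipsec.d/`, which deletes every certificate and private key below it, including the host keypair generated by postinst (of which this is the only copy) and any certificates or keys the administrator installed there by hand; the safer behaviour is to remove only the files the package itself generated, or to ask via debconf before wiping the directory. The call-summary comment `* \`disappear' overwrit>r>` is garbled and should be written out like the other entries.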