[SRU] No EAP-PEAP support anymore

Bug #1878887 reported by Alex
This bug affects 1 person

Affects              Status        Importance  Assigned to      Milestone
strongswan (Ubuntu)  Fix Released  High        Lucas Kanashiro
Focal                Fix Released  High        Lucas Kanashiro

Bug Description

[Impact]

Some libcharon EAP plugins have been removed since version 5.8.0-2 by the Debian maintainer in order to keep only the essential plugins and reduce complexity. So users upgrading from Bionic (5.6.2-1ubuntu2.5) to Focal (5.8.2-1ubuntu3) will find some plugins missing. The problem is that many users rely on some of the removed plugins, and it might be considered a regression for them when upgrading to Focal.

After a nice explanation from Tobias (upstream maintainer) in comment #4 of this bug, we decided to enable again 2 of those removed plugins: eap-dynamic and eap-peap. In short, the eap-dynamic plugin allows clients to select an alternative EAP method when the chosen one is not available, and eap-peap is still widely used, mainly because it is what Microsoft implements (and not just Microsoft: most clients support it). EAP-PEAP is often used in conjunction with EAP-MSCHAPv2 to authenticate to Wi-Fi networks, for instance, and using it for VPNs allows users to reuse the existing infrastructure.

And to avoid any confusion we are also removing the configuration files of the other plugins removed since 5.8.0-2. They are not used anymore, but they are still there.

[Test Case]

$ lxc launch ubuntu-daily:bionic strongswan-sru
$ lxc shell strongswan-sru
$ apt update && apt upgrade -y
$ apt install strongswan libcharon-extra-plugins -y

$ dpkg -L libcharon-extra-plugins | grep eap-dynamic
/etc/strongswan.d/charon/eap-dynamic.conf
/usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
/usr/share/strongswan/templates/config/plugins/eap-dynamic.conf

$ dpkg -L libcharon-extra-plugins | grep eap-peap
/etc/strongswan.d/charon/eap-peap.conf
/usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
/usr/share/strongswan/templates/config/plugins/eap-peap.conf

# Upgrade to Focal
$ do-release-upgrade

# Note the conf file was not removed by the upgrade even after the plugin was disabled
$ dpkg -L libcharon-extra-plugins | grep eap-dynamic
/etc/strongswan.d/charon/eap-dynamic.conf

# Note the conf file was not removed by the upgrade even after the plugin was disabled
$ dpkg -L libcharon-extra-plugins | grep eap-peap
/etc/strongswan.d/charon/eap-peap.conf

# If you check for all the EAP plugins in libcharon-extra-plugins you can see those old conf files are still there even after the removal of the respective plugins
$ dpkg -L libcharon-extra-plugins | grep eap
/etc/strongswan.d/charon/eap-aka.conf
/etc/strongswan.d/charon/eap-gtc.conf
/etc/strongswan.d/charon/eap-identity.conf
/etc/strongswan.d/charon/eap-md5.conf
/etc/strongswan.d/charon/eap-radius.conf
/etc/strongswan.d/charon/eap-tls.conf
/etc/strongswan.d/charon/eap-tnc.conf
/etc/strongswan.d/charon/eap-ttls.conf
/etc/strongswan.d/charon/xauth-eap.conf
/usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
/usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
/usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
/usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
/usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
/usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
/usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
/usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so
/usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
/usr/share/strongswan/templates/config/plugins/eap-aka.conf
/usr/share/strongswan/templates/config/plugins/eap-gtc.conf
/usr/share/strongswan/templates/config/plugins/eap-identity.conf
/usr/share/strongswan/templates/config/plugins/eap-md5.conf
/usr/share/strongswan/templates/config/plugins/eap-radius.conf
/usr/share/strongswan/templates/config/plugins/eap-tls.conf
/usr/share/strongswan/templates/config/plugins/eap-tnc.conf
/usr/share/strongswan/templates/config/plugins/eap-ttls.conf
/usr/share/strongswan/templates/config/plugins/xauth-eap.conf
/etc/strongswan.d/charon/eap-aka-3gpp2.conf
/etc/strongswan.d/charon/eap-dynamic.conf
/etc/strongswan.d/charon/eap-peap.conf
/etc/strongswan.d/charon/eap-sim-file.conf
/etc/strongswan.d/charon/eap-sim-pcsc.conf
/etc/strongswan.d/charon/eap-sim.conf
/etc/strongswan.d/charon/eap-simaka-pseudonym.conf
/etc/strongswan.d/charon/eap-simaka-reauth.conf
/etc/strongswan.d/charon/eap-simaka-sql.conf

[Regression Potential]

The proposed changes affect the libcharon-extra-plugins binary package, so if any unexpected behavior is identified in it, it might be related to this SRU. Some maintainer scripts were added to libcharon-extra-plugins, therefore any issue during installation/upgrade/removal/purge of this package might be triggered by these changes.

[Original Description]

Hello,
As the title says, it looks like the eap-peap plugin is not contained in libcharon-extra-plugins anymore.
Ubuntu 18.04 has one, but Ubuntu 20.04 does not.


Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

I confirm the EAP-PEAP plugin is missing, check below.

Bionic:

$ dpkg -c libcharon-extra-plugins_5.6.2-1ubuntu2.5_amd64.deb | grep eap-peap
-rw-r--r-- root/root 777 2019-11-12 08:32 ./etc/strongswan.d/charon/eap-peap.conf
-rw-r--r-- root/root 18616 2019-11-12 08:32 ./usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
-rw-r--r-- root/root 777 2019-11-12 08:32 ./usr/share/strongswan/templates/config/plugins/eap-peap.conf

Focal:

$ dpkg -c libcharon-extra-plugins_5.8.2-1ubuntu3_amd64.deb | grep eap-peap

The plugin is also not present in Debian unstable:

$ dpkg -c libcharon-extra-plugins_5.8.4-1_amd64.deb | grep eap-peap

Changed in strongswan (Ubuntu):
status: New → Confirmed
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Hi Alex,

Could you please provide some insight into your use case? The EAP-PEAP plugin was disabled in Debian, and the Debian maintainer prefers to keep the package simple and not enable too complicated stuff like EAP plugins [1]. For us to convince them to accept its inclusion back we need some good arguments, and I believe you as a user are the best person to help us with this based on your use case.

[1] https://salsa.debian.org/debian/strongswan/-/merge_requests/6#note_115919

Revision history for this message
Alex (korsar182) wrote :

Hi,
When the system is cleanly installed, Network Manager uses eap-ttls with mschapv2 login/password authentication and there are no problems, but when the system is upgraded from previous versions like 18.04 it tries peap by default and fails, so you need to manually configure strongswan.conf with the following lines
charon-nm {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
        eap-peap {
            load = no
        }
    }
}
As a result all my colleagues, who upgraded their systems, got VPN service broken.
I guess eap-peap is as useful as eap-ttls and there is no point in removing it to save something like 1 KB of package size.

Changed in strongswan (Ubuntu Focal):
status: New → Confirmed
Revision history for this message
Tobias Brunner (tobias-strongswan) wrote :

EAP-PEAP (Protected EAP) is one of those protocols that nobody wants to use (there are nicer, more modern alternatives) but lots of people have to because it's what Microsoft implements. It's often used in combination with EAP-MSCHAPv2 to authenticate e.g. WiFi clients (the TLS connection in EAP-PEAP protects the potentially weak password authentication in EAP-MSCHAPv2). Using the same protocol for VPN clients allows reusing the existing AAA infrastructure (AD/RADIUS server). Many clients support it, too.

Another plugin that was removed (or has never been packaged in Debian) but which can be quite useful on servers is eap-dynamic. It allows clients to select an alternative EAP method if the one selected by the server initially is not supported.

> but when the system is upgraded from previous versions like 18.04 it tries peap by default and fails

If the plugin is not there, it won't be loaded (the conf snippet, which might not have been removed by the upgrade, doesn't change that). Or are you saying that the plugin file (libstrongswan-eap-peap.so) from 18.04 was not removed during the upgrade? This could actually cause crashes, as plugin files from different releases (in particular with many versions in between) are usually not compatible.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks Tobias for providing detailed reasoning on these plugins!

@Lucas - chances are that when dropping the old plugins I didn't rm_conffile all of them :-/

You might want to look into these steps:
1. re-add eap-peap + eap-dynamic (we had both before)
2. send the same to Debian and pass on Tobias' reasoning for it
3. analyze if we need any/all rm_conffiles for the upgrade -> Focal and add that to Groovy
4. SRU the lost-plugins-with-reasonable-use-case and rm_conffiles changes to Focal

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

@Christian the plan you presented looks good to me.

I'd like to take advantage of this discussion and ask @Tobias his opinion about all the plugins that were removed since 18.04 (the list of plugins is the same in 20.10 and 20.04):

libstrongswan-eap-aka-3gpp2.so
libstrongswan-eap-dynamic.so
libstrongswan-eap-peap.so
libstrongswan-eap-sim-file.so
libstrongswan-eap-sim-pcsc.so
libstrongswan-eap-sim.so
libstrongswan-eap-simaka-pseudonym.so
libstrongswan-eap-simaka-reauth.so
libstrongswan-eap-simaka-sql.so
libstrongswan-xauth-noauth.so

You mentioned eap-dynamic and eap-peap would be great to re-introduce, but what about the others? Are any of them interesting from a user perspective?

Revision history for this message
Tobias Brunner (tobias-strongswan) wrote :

@Christian Re: rm_conffile, I don't think this is a config file issue (or is this command also used to remove shared libs/plugins? If so, then definitely make sure to remove old plugins). The config snippets in strongswan.d/charon are actually not relevant for charon-nm by default (charon-nm uses its own list of plugins, which is hard-coded during compilation to avoid clashes with e.g. different approaches to installing DNS servers; plugins can be disabled, though, by simply adding a plugin-specific load=no setting). If the server supports EAP-TTLS and that plugin is loaded by charon-nm, this should work on fresh and upgraded installs, by default, as the "new" charon-nm would not make any attempt to load the eap-peap plugin even if the shared library was still around. So if we assume the config snippet and plugin files were not removed during the upgrade, then the first part of Alex' workaround causes a problem (only due to the include would an attempt be made to load the eap-peap plugin) that the second part of it then "fixes". Removing all of that from strongswan.conf completely should achieve the same thing (and even load fewer potentially conflicting plugins).

@Lucas The EAP-SIM/AKA plugins are probably not that useful on general purpose distros. They require a special server setup and client hardware (some plugins allow configuration via files/database, but those are mostly for test purposes). The xauth-noauth plugin was a workaround for an issue with iOS clients; in the seven years since it was introduced, Apple clients gained support for IKEv2, so that plugin is not of much use anymore.

Changed in strongswan (Ubuntu Focal):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in strongswan (Ubuntu):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in strongswan (Ubuntu Focal):
importance: Undecided → High
Changed in strongswan (Ubuntu):
importance: Undecided → High
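An added check, not part of the bug report or of the strongswan packaging, for the situation Tobias raises above: plugin shared objects and conf snippets from an earlier release that the upgrade left on disk. It compares the directory contents against the `dpkg -L libcharon-extra-plugins` listing the Test Case already uses; the `demo` function works in a constructed sandbox rather than on a real system, and the "leftover from 18.04" files in it are assumed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or the strongswan package:
# find plugin shared objects and conf snippets left behind in the strongswan
# directories that the installed libcharon-extra-plugins no longer ships.
# Leftover .so files from an older release are what Tobias warns could crash
# charon; leftover conf snippets are what an "include" line pulls back in.

# list_present DIR...: regular files currently on disk in the given directories
list_present() {
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -maxdepth 1 -type f
    done | sort
}

# stale_files PKGLIST DIR...: PKGLIST is a file holding the output of
# `dpkg -L libcharon-extra-plugins` (one path per line). Prints every file
# found in DIR... that the package does not own (set difference via comm).
stale_files() {
    pkglist=$1; shift
    present=$(mktemp) || return 1
    list_present "$@" > "$present"
    sort -u "$pkglist" | comm -13 - "$present"
    rm -f "$present"
}

# demo: constructed sandbox mirroring the Focal state described in the bug:
# eap-peap.conf, eap-sim.conf and libstrongswan-eap-peap.so survived the
# upgrade although the package no longer ships them. Prints the stale paths.
demo() {
    root=$(mktemp -d) || return 1
    conf="$root/etc/strongswan.d/charon"
    plug="$root/usr/lib/ipsec/plugins"
    mkdir -p "$conf" "$plug"
    for f in eap-tls.conf eap-peap.conf eap-sim.conf; do : > "$conf/$f"; done
    : > "$plug/libstrongswan-eap-tls.so"
    : > "$plug/libstrongswan-eap-peap.so"   # assumed leftover from 18.04
    # Constructed stand-in for `dpkg -L`: only the eap-tls files are shipped
    printf '%s\n' "$conf/eap-tls.conf" "$plug/libstrongswan-eap-tls.so" \
        > "$root/dpkg-L.txt"
    stale_files "$root/dpkg-L.txt" "$conf" "$plug"
    rm -rf "$root"
}

# On a real Focal host the same check would be:
#   dpkg -L libcharon-extra-plugins > /tmp/pkg.txt
#   stale_files /tmp/pkg.txt /etc/strongswan.d/charon /usr/lib/ipsec/plugins
```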
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

The proposed package is available here:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/focal-strongswan-bug-fixes

I performed the test above to check if both plugins are installed again and also if the old conf files were removed:

[in the same container I was using to describe the Test Case section in the description]
$ add-apt-repository ppa:lucaskanashiro/focal-strongswan-bug-fixes -y
$ apt install strongswan libcharon-extra-plugins -y

$ dpkg -L libcharon-extra-plugins | grep eap-dynamic
/etc/strongswan.d/charon/eap-dynamic.conf
/usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
/usr/share/strongswan/templates/config/plugins/eap-dynamic.conf

$ dpkg -L libcharon-extra-plugins | grep eap-peap
/etc/strongswan.d/charon/eap-peap.conf
/usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
/usr/share/strongswan/templates/config/plugins/eap-peap.conf

# List all the EAP plugins available in the proposed libcharon-extra-plugins. Now there is no old conf file at the end of the output
$ dpkg -L libcharon-extra-plugins | grep eap
/etc/strongswan.d/charon/eap-aka.conf
/etc/strongswan.d/charon/eap-dynamic.conf
/etc/strongswan.d/charon/eap-gtc.conf
/etc/strongswan.d/charon/eap-identity.conf
/etc/strongswan.d/charon/eap-md5.conf
/etc/strongswan.d/charon/eap-peap.conf
/etc/strongswan.d/charon/eap-radius.conf
/etc/strongswan.d/charon/eap-tls.conf
/etc/strongswan.d/charon/eap-tnc.conf
/etc/strongswan.d/charon/eap-ttls.conf
/etc/strongswan.d/charon/xauth-eap.conf
/usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
/usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
/usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
/usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
/usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
/usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
/usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
/usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
/usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so
/usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
/usr/share/strongswan/templates/config/plugins/eap-aka.conf
/usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
/usr/share/strongswan/templates/config/plugins/eap-gtc.conf
/usr/share/strongswan/templates/config/plugins/eap-identity.conf
/usr/share/strongswan/templates/config/plugins/eap-md5.conf
/usr/share/strongswan/templates/config/plugins/eap-peap.conf
/usr/share/strongswan/templates/config/plugins/eap-radius.conf
/usr/share/strongswan/templates/config/plugins/eap-tls.conf
/usr/share/strongswan/templates/config/plugins/eap-tnc.conf
/usr/share/strongswan/templates/config/plugins/eap-ttls.conf
/usr/share/strongswan/templates/config/plugins/xauth-eap.conf

description: updated
summary: - No EAP-PEAP support anymore
+ [SRU] No EAP-PEAP support anymore
Changed in strongswan (Ubuntu Focal):
status: Confirmed → In Progress
Changed in strongswan (Ubuntu):
status: Confirmed → In Progress
tags: added: verification-done verification-done-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.8.4-1ubuntu2

---------------
strongswan (5.8.4-1ubuntu2) groovy; urgency=medium

  * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
    - d/control: update libcharon-extra-plugins description.
    - d/libcharon-extra-plugins.install: install .so and conf files.
    - d/rules: add plugins to the configuration arguments.
  * Remove conf files of plugins removed from libcharon-extra-plugins
    - The conf file of the following plugins were removed: eap-aka-3gpp2,
      eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
      eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
    - Created d/libcharon-extra-plugins.maintscript to handle the removals
      properly.

 -- Lucas Kanashiro <email address hidden> Thu, 21 May 2020 14:53:05 -0300

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released
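The d/libcharon-extra-plugins.maintscript named in the changelog is a dh_installdeb input with one rm_conffile directive per dropped snippet, which dpkg-maintscript-helper then applies in the preinst/postinst/postrm hooks. What follows is an added reconstruction for the eight conf files the changelog lists, not the file from the Ubuntu package; the prior-version argument 5.8.2-1ubuntu3.1~ is an assumption, chosen so that any earlier Focal build of the package triggers the removal.

```text
# debian/libcharon-extra-plugins.maintscript (reconstructed example, not the
# packaged file). rm_conffile <conffile> <prior-version>: on upgrade from a
# version older than prior-version the snippet is removed if unmodified, or
# kept as <conffile>.dpkg-bak if the admin had edited it.
rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.2-1ubuntu3.1~
rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.2-1ubuntu3.1~
rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.2-1ubuntu3.1~
rm_conffile /etc/strongswan.d/charon/eap-sim.conf 5.8.2-1ubuntu3.1~
rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.2-1ubuntu3.1~
rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.2-1ubuntu3.1~
rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.2-1ubuntu3.1~
rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.2-1ubuntu3.1~
```

Only the copies under /etc are conffiles and need this treatment; the templates under /usr/share/strongswan/templates/config/plugins are ordinary package files and dpkg removes them on upgrade by itself.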
Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Alex, or anyone else affected,

Accepted strongswan into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/strongswan/5.8.2-1ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in strongswan (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
removed: verification-done verification-done-focal
Revision history for this message
Alex (korsar182) wrote :

Hello,
I've installed version 5.8.2-1ubuntu3.1 and can confirm that everything works fine again.
Thank you, guys!

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.8.2-1ubuntu3.1

---------------
strongswan (5.8.2-1ubuntu3.1) focal; urgency=medium

  * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
    - d/control: update libcharon-extra-plugins description.
    - d/libcharon-extra-plugins.install: install .so and conf files.
    - d/rules: add plugins to the configuration arguments.
  * Remove conf files of plugins removed from libcharon-extra-plugins
    - The conf file of the following plugins were removed: eap-aka-3gpp2,
      eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
      eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
    - Created d/libcharon-extra-plugins.maintscript to handle the removals
      properly.
  * Add patches to fix the chunk_from_chars() macro compiled with GCC 9+
    (LP: #1879692)
    - Patches backported from upstream: lp-1879692-{1,2,3,4,5}.patch.
    - Fix the pki CA certificate creation issue.

 -- Lucas Kanashiro <email address hidden> Fri, 22 May 2020 10:53:07 -0300

Changed in strongswan (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for strongswan has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
