Merge ~ahasenack/ubuntu/+source/strongswan:cosmic-strongswan-merge-5.6.3-1 into ubuntu/+source/strongswan:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 914d0606e00afd407437ea850454beba437a0ea2
Merge reported by: Andreas Hasenack
Merged at revision: 914d0606e00afd407437ea850454beba437a0ea2
Proposed branch: ~ahasenack/ubuntu/+source/strongswan:cosmic-strongswan-merge-5.6.3-1
Merge into: ubuntu/+source/strongswan:debian/sid
Diff against target: 2138 lines (+1596/-92)
19 files modified
debian/changelog (+1216/-0)
debian/control (+122/-6)
debian/ipsec.secrets.proto (+0/-3)
debian/libcharon-extra-plugins.install (+64/-12)
debian/libcharon-standard-plugins.install (+19/-0)
debian/libstrongswan-extra-plugins.install (+58/-0)
debian/libstrongswan.install (+11/-6)
debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0)
debian/patches/series (+1/-0)
debian/rules (+50/-6)
debian/strongswan-starter.install (+4/-0)
debian/strongswan-starter.postinst (+0/-57)
debian/strongswan-tnc-base.install (+16/-0)
debian/strongswan-tnc-client.install (+5/-0)
debian/strongswan-tnc-ifmap.install (+3/-0)
debian/strongswan-tnc-pdp.install (+3/-0)
debian/strongswan-tnc-server.install (+10/-0)
debian/usr.lib.ipsec.charon (+1/-1)
debian/usr.sbin.charon-systemd (+2/-1)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server packageset reviewers Pending
Review via email: mp+353642@code.launchpad.net

Description of the change

Merge with Debian's 5.6.3, fixing CVE-2018-10811 and CVE-2018-5388, dropping one bit of delta that Christian submitted, acquiring another bit of delta.

https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1776857 is requesting an update to 5.6.3, but for xenial. I could change that bug a bit, make it be about an upgrade to 5.6.3, close it with this upload and add a xenial task, but I doubt we will do that kind of SRU since xenial has 5.3.5.

Bileto ticket: https://bileto.ubuntu.com/#/ticket/3376

The DEP8 failure in neutron-vpnaas is because python3-paramiko (2.0.0-1ubuntu1) is not installable. If you look in the architectures where the test passed, there we have paramiko 2.4.1-0ubuntu1 which is fixed.

paramiko's own dep8 tests seem to be having trouble in migration at the moment (http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#paramiko)

QA regression test run with old and new strongswan:
old: gw1 (https://pastebin.ubuntu.com/p/qMH4d8YQ87/) and gw2 (https://pastebin.ubuntu.com/p/d7t7WnWTJV/)

Then dist-upgrade was run with the bileto ppa enabled (ppa:ci-train-ppa-service/3376):
new: gw1 (https://pastebin.ubuntu.com/p/v3YzP2Gmzx/) and gw2 (https://pastebin.ubuntu.com/p/MNWKHRpzx9/)

Andreas Hasenack (ahasenack) wrote :

Paramiko's failures are due to an incorrect packaging of the 2.4.1 orig tarball I believe. The failures are because of the missing .pub files, which are present in the upstream 2.4.1 tarball, but not in our orig one:

https://pastebin.ubuntu.com/p/GKgxv64t2K/

Christian Ehrhardt  (paelzer) wrote :

- Deconstruct and Logical is good
- Changelogs are mostly good
- old changes are retained correctly (All 100% identical, you just updated the commit messages)
- as discussed, the tests look good as well; thanks for doing that two-system test that I linked you

I only must ask to fixup the changelog in one place - the mentioning of 1784023.
That is
a) not added on the merge but in 5.6.2-2ubuntu2 (currently in Added changes)
b) please break the LP: #1784023 string so that tools will not try to close the bug again

Please fix this little thing in the changelog, then I think we can upload.

review: Needs Fixing
bb919ae... by Andreas Hasenack

merge-changelogs

1c941f6... by Andreas Hasenack

reconstruct-changelog

bcb24b5... by Andreas Hasenack

update-maintainer

914d060... by Andreas Hasenack

Cleanup d/changelog (removed signed-off lines)

Christian Ehrhardt  (paelzer) wrote :

Thanks for the fixup, looks good now.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/strongswan
 * [new tag] upload/5.6.3-1ubuntu1 -> upload/5.6.3-1ubuntu1

Andreas Hasenack (ahasenack) wrote :

Uploaded, thanks

Christian Ehrhardt  (paelzer) wrote :

Jamie also accepted the related qa-regression-test change today.
So overall all should fit together :-)

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 6270ae7..3be3a4a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,58 @@
1strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
2
3 * Merge with Debian unstable. Remaining changes:
4 - Clean up d/strongswan-starter.postinst: section about runlevel changes
5 - Clean up d/strongswan-starter.postinst: Removed entire section on
6 opportunistic encryption disabling - this was never in strongSwan and
7 won't be see upstream issue #2160.
8 - d/rules: Removed patching ipsec.conf on build (not using the
9 debconf-managed config.)
10 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
11 used for debconf-managed include of private key).
12 - Mass enablement of extra plugins and features to allow a user to use
13 strongswan for a variety of extra use cases without having to rebuild.
14 + d/control: Add required additional build-deps
15 + d/control: Mention addtionally enabled plugins
16 + d/rules: Enable features at configure stage
17 + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
18 + d/libstrongswan.install: Add plugins (so, conf)
19 - d/strongswan-starter.install: Install pool feature, which is useful since
20 we have attr-sql plugin enabled as well using it.
21 - Add plugin kernel-libipsec to allow the use of strongswan in containers
22 via this userspace implementation (please do note that this is still
23 considered experimental by upstream).
24 + d/libcharon-extra-plugins.install: Add kernel-libipsec components
25 + d/control: List kernel-libipsec plugin at extra plugins description
26 + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
27 upstream recommends to not load kernel-libipsec by default.
28 - Relocate tnc plugin
29 + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
30 + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
31 - d/libstrongswan.install: Reorder conf and .so alphabetically
32 - d/libstrongswan.install: Add kernel-netlink configuration files
33 - Complete the disabling of libfast; This was partially accepted in Debian,
34 it is no more packaging medcli and medsrv, but still builds and
35 mentions it.
36 + d/rules: Add --disable-fast to avoid build time and dependencies
37 + d/control: Remove medcli, medsrv from package description
38 - d/control: Mention mgf1 plugin which is in libstrongswan now
39 - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
40 libstrongswan-extra-plugins (no deps from default plugins).
41 - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
42 plugins for the most common use cases from extra-plugins into a new
43 standard-plugins package. This will allow those use cases without pulling
44 in too much more plugins (a bit like the tnc package). Recommend that
45 package from strongswan-libcharon.
46 - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
47 attr-sql plugins (LP #1766240)
48 - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
49 usr-merge, thanks to Christian Ehrhardt. LP #1784023
50 * Dropped:
51 - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
52 [Fixed in 5.6.3-1]
53
54 -- Andreas Hasenack <andreas@canonical.com> Thu, 23 Aug 2018 13:05:11 -0300
55
1strongswan (5.6.3-1) unstable; urgency=medium56strongswan (5.6.3-1) unstable; urgency=medium
257
3 * New upstream version 5.6.258 * New upstream version 5.6.2
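Review bot: The Dropped item at new line 51 still carries the intact closing string "(LP: #1765652)", while lines 47 and 49 of the same entry were written as "LP #1766240" and "LP #1784023" so that upload tooling does not try to close those bugs a second time. Bug 1765652 was already closed by the 5.6.2-2ubuntu1 entry restored further down (line 139), so it should get the same treatment here, for example "(LP #1765652)". Separately, line 48 spells the second file as d/usr/sbin/charon-systemd; the file touched by this merge is debian/usr.sbin.charon-systemd, which is how lines 46 and 51 name it.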
@@ -13,6 +68,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
1368
14 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +020069 -- Yves-Alexis Perez <corsac@debian.org> Mon, 04 Jun 2018 10:23:22 +0200
1570
71strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
72
73 * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
74
75 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 21 Aug 2018 00:42:38 +0100
76
77strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
78
79 * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
80 Remaining changes:
81 + Clean up d/strongswan-starter.postinst: section about runlevel changes
82 + Clean up d/strongswan-starter.postinst: Removed entire section on
83 opportunistic encryption disabling - this was never in strongSwan and
84 won't be see upstream issue #2160.
85 + d/rules: Removed patching ipsec.conf on build (not using the
86 debconf-managed config.)
87 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
88 used for debconf-managed include of private key).
89 + Mass enablement of extra plugins and features to allow a user to use
90 strongswan for a variety of extra use cases without having to rebuild.
91 - d/control: Add required additional build-deps
92 - d/control: Mention addtionally enabled plugins
93 - d/rules: Enable features at configure stage
94 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
95 - d/libstrongswan.install: Add plugins (so, conf)
96 + d/strongswan-starter.install: Install pool feature, which is useful since
97 we have attr-sql plugin enabled as well using it.
98 + Add plugin kernel-libipsec to allow the use of strongswan in containers
99 via this userspace implementation (please do note that this is still
100 considered experimental by upstream).
101 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
102 - d/control: List kernel-libipsec plugin at extra plugins description
103 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
104 upstream recommends to not load kernel-libipsec by default.
105 + Relocate tnc plugin
106 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
107 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
108 + d/libstrongswan.install: Reorder conf and .so alphabetically
109 + d/libstrongswan.install: Add kernel-netlink configuration files
110 + Complete the disabling of libfast; This was partially accepted in Debian,
111 it is no more packaging medcli and medsrv, but still builds and
112 mentions it.
113 - d/rules: Add --disable-fast to avoid build time and dependencies
114 - d/control: Remove medcli, medsrv from package description
115 + d/control: Mention mgf1 plugin which is in libstrongswan now
116 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
117 libstrongswan-extra-plugins (no deps from default plugins).
118 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
119 plugins for the most common use cases from extra-plugins into a new
120 standard-plugins package. This will allow those use cases without pulling
121 in too much more plugins (a bit like the tnc package). Recommend that
122 package from strongswan-libcharon.
123 * Dropped Changes (no more needed after 18.04)
124 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
125 missed that, droppable after 18.04)
126 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
127 libstrongswan as we dropped relocating ccm and test-vectors.
128 (droppable >18.04).
129 + d/control: add breaks/replace from libstrongswan to
130 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
131 (droppable >18.04).
132 + d/control: bump breaks/replaces for the move of the updown plugin
133 (Missed Changelog entry on last merge)
134 + d/control: fix dependencies of strongswan-libcharon due to the move
135 the updown plugin (droppable >18.04).
136 * Added Changes:
137 + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
138 attr-sql plugins (LP: #1766240)
139 + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
140
141 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 29 May 2018 08:21:42 +0200
142
16strongswan (5.6.2-2) unstable; urgency=medium143strongswan (5.6.2-2) unstable; urgency=medium
17144
18 * charon-nm: Fix building list of DNS/MDNS servers with libnm145 * charon-nm: Fix building list of DNS/MDNS servers with libnm
@@ -23,6 +150,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
23150
24 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200151 -- Yves-Alexis Perez <corsac@debian.org> Fri, 13 Apr 2018 13:46:04 +0200
25152
153strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
154
155 * d/control: fix dependencies of strongswan-libcharon due to the move
156 the updown plugin.
157
158 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 20 Mar 2018 07:37:29 +0100
159
160strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
161
162 * Merge with Debian unstable (LP: #1753018). Remaining changes:
163 + Clean up d/strongswan-starter.postinst: section about runlevel changes
164 + Clean up d/strongswan-starter.postinst: Removed entire section on
165 opportunistic encryption disabling - this was never in strongSwan and
166 won't be see upstream issue #2160.
167 + Ubuntu is not using the debconf triggered private key generation
168 - d/rules: Removed patching ipsec.conf on build (not using the
169 debconf-managed config.)
170 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
171 used for debconf-managed include of private key).
172 + Mass enablement of extra plugins and features to allow a user to use
173 strongswan for a variety of extra use cases without having to rebuild.
174 - d/control: Add required additional build-deps
175 - d/control: Mention addtionally enabled plugins
176 - d/rules: Enable features at configure stage
177 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
178 - d/libstrongswan.install: Add plugins (so, conf)
179 + d/strongswan-starter.install: Install pool feature, which is useful since
180 we have attr-sql plugin enabled as well using it.
181 + Add plugin kernel-libipsec to allow the use of strongswan in containers
182 via this userspace implementation (please do note that this is still
183 considered experimental by upstream).
184 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
185 - d/control: List kernel-libipsec plugin at extra plugins description
186 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
187 upstream recommends to not load kernel-libipsec by default.
188 + Relocate tnc plugin
189 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
190 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
191 + d/libstrongswan.install: Reorder conf and .so alphabetically
192 + d/libstrongswan.install: Add kernel-netlink configuration files
193 + Complete the disabling of libfast; This was partially accepted in Debian,
194 it is no more packaging medcli and medsrv, but still builds and
195 mentions it.
196 - d/rules: Add --disable-fast to avoid build time and dependencies
197 - d/control: Remove medcli, medsrv from package description
198 + d/control: Mention mgf1 plugin which is in libstrongswan now
199 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
200 libstrongswan-extra-plugins (no deps from default plugins).
201 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
202 missed that, droppable after 18.04)
203 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
204 plugins for the most common use cases from extra-plugins into a new
205 standard-plugins package. This will allow those use cases without pulling
206 in too much more plugins (a bit like the tnc package). Recommend that
207 package from strongswan-libcharon.
208 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
209 libstrongswan as we dropped relocating ccm and test-vectors.
210 (droppable >18.04).
211 + d/control: add breaks/replace from libstrongswan to
212 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
213 (droppable >18.04).
214 * Added Changes:
215 + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
216 starter as we followed Debian to move the updown plugin but need to
217 match Ubuntu versions (Droppable >18.04).
218
219 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100
220
26strongswan (5.6.2-1) unstable; urgency=medium221strongswan (5.6.2-1) unstable; urgency=medium
27222
28 * d/NEWS: add information about disabled algorithms (closes: #883072)223 * d/NEWS: add information about disabled algorithms (closes: #883072)
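Review bot: The restored 5.6.2-1ubuntu1 entry (lines 160-219) has only "Remaining changes" and "Added Changes" sections, so nothing records what happened to debian/patches/CVE-2018-6459.patch, which the 5.6.1-2ubuntu4 security update in the next hunk (lines 245-249) introduced. Old entries should stay verbatim, so rather than editing this one, confirm that the patch is not needed on top of 5.6.3: debian/patches/series changes by a single added line in this merge and the only patch file added is dont-load-kernel-libipsec-plugin-by-default.patch, so the CVE patch is not part of the remaining delta and the fix has to come from the upstream source.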
@@ -45,6 +240,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
45240
46 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100241 -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100
47242
243strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
244
245 * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
246 - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
247 identifier without parameters in
248 src/libstrongswan/credentials/keys/signature_params.c.
249 - CVE-2018-6459
250
251 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100
252
253strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
254
255 * No-change rebuild against libcurl4
256
257 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000
258
259strongswan (5.6.1-2ubuntu2) bionic; urgency=high
260
261 * No change rebuild against openssl1.1.
262
263 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000
264
265strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
266
267 * Merge with Debian unstable (LP: #1717343).
268 Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
269 + Clean up d/strongswan-starter.postinst: section about runlevel changes
270 + Clean up d/strongswan-starter.postinst: Removed entire section on
271 opportunistic encryption disabling - this was never in strongSwan and
272 won't be see upstream issue #2160.
273 + Ubuntu is not using the debconf triggered private key generation
274 - d/rules: Removed patching ipsec.conf on build (not using the
275 debconf-managed config.)
276 - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
277 used for debconf-managed include of private key).
278 + Mass enablement of extra plugins and features to allow a user to use
279 strongswan for a variety of extra use cases without having to rebuild.
280 - d/control: Add required additional build-deps
281 - d/control: Mention addtionally enabled plugins
282 - d/rules: Enable features at configure stage
283 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
284 - d/libstrongswan.install: Add plugins (so, conf)
285 + d/strongswan-starter.install: Install pool feature, which is useful since
286 we have attr-sql plugin enabled as well using it.
287 + Add plugin kernel-libipsec to allow the use of strongswan in containers
288 via this userspace implementation (please do note that this is still
289 considered experimental by upstream).
290 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
291 - d/control: List kernel-libipsec plugin at extra plugins description
292 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
293 upstream recommends to not load kernel-libipsec by default.
294 + Relocate tnc plugin
295 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
296 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
297 + d/libstrongswan.install: Reorder conf and .so alphabetically
298 + d/libstrongswan.install: Add kernel-netlink configuration files
299 + Complete the disabling of libfast; This was partially accepted in Debian,
300 it is no more packaging medcli and medsrv, but still builds and
301 mentions it.
302 - d/rules: Add --disable-fast to avoid build time and dependencies
303 - d/control: Remove medcli, medsrv from package description
304 + d/control: Mention mgf1 plugin which is in libstrongswan now
305 + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
306 libstrongswan-extra-plugins (no deps from default plugins).
307 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
308 missed that, droppable after 18.04)
309 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
310 plugins for the most common use cases from extra-plugins into a new
311 standard-plugins package. This will allow those use cases without pulling
312 in too much more plugins (a bit like the tnc package). Recommend that
313 package from strongswan-libcharon.
314 * Added changes:
315 + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
316 in 5.6
317 + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
318 + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
319 libstrongswan as we dropped relocating ccm and test-vectors.
320 (droppable >18.04).
321 - d/control: add breaks/replace from libstrongswan to
322 libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
323 (droppable >18.04).
324 * Dropped changes:
325 + Update init/service handling (debian default matches Ubuntu past now)
326 Dropping this fixes (LP: #1734886)
327 - d/rules: Change init/systemd program name to strongswan
328 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
329 patching upstream
330 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
331 linking to upstream
332 + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
333 (this is a never failing no-op for us, no need for Delta).
334 + d/strongswan-starter.prerm: Stop strongswan service on package removal
335 (ipsec now maps to strongswan service, so this works as-is).
336 + Clean up d/strongswan-starter.postinst: rename service ipsec to
337 strongswan (ipsec now maps to strongswan service, so this works as-is)
338 + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
339 whole section is disabled, so no need for delta)
340 + (is upstream) CVE-2017-11185 patches
341 + (is upstream) FTBFS upstream fix for changed include files
342 + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
343 QEMU/KVM autopkgtest the bliss test takes longer than the default
344 + (in Debian) add now built (since 5.5.1) mgf1 plugin to
345 libstrongswan-extra-plugins.
346 + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
347 + (this was enabled as part of the former delta, squash changes to no-up)
348 d/rules: Disable duplicheck.
349 + (not needed) Relocate plugins test-vectors from extra-plugins to
350 libstrongswan
351 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
352 - d/libstrongswan.install: Add plugins/confiles
353 - d/control: move package descriptions and add required breaks/replaces
354 + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
355 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
356 - d/libstrongswan.install: Add plugins/confiles
357 - d/control: move package descriptions and add required breaks/replaces
358 + (while using it requires special kernel, it does not hurt to be
359 available in the package) Remove ha plugin
360 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
361 - d/rules: Do not enable ha plugin
362 - d/control: Drop listing the ha plugin in the package description
363
364 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100
365
48strongswan (5.6.1-2) unstable; urgency=medium366strongswan (5.6.1-2) unstable; urgency=medium
49367
50 * move counters plugin from -starter to -libcharon. closes: #882431368 * move counters plugin from -starter to -libcharon. closes: #882431
@@ -131,6 +449,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
131449
132 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200450 -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200
133451
452strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
453
454 * Fix Artful FTBFS due to newer glibc (LP: #1724859)
455 - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
456 files.
457
458 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200
459
460strongswan (5.5.1-4ubuntu2) artful; urgency=medium
461
462 * SECURITY UPDATE: Fix RSA signature verification
463 - debian/patches/CVE-2017-11185.patch: does some
464 verifications in order to avoid null-point dereference
465 in src/libstrongswan/gmp/gmp_rsa_public_key.c
466 - CVE-2017-11185
467
468 -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300
469
470strongswan (5.5.1-4ubuntu1) artful; urgency=medium
471
472 * Merge from Debian to pick up latest security changes (CVE-2017-9022,
473 CVE-2017-9023).
474 * Remaining Changes:
475 + Update init/service handling
476 - d/rules: Change init/systemd program name to strongswan
477 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
478 patching upstream
479 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
480 linking to upstream
481 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
482 - d/strongswan-starter.prerm: Stop strongswan service on package
483 removal (as opposed to using the old init.d script).
484 + Clean up d/strongswan-starter.postinst:
485 - Removed section about runlevel changes
486 - Adapted service restart section for Upstart (kept to be Trusty
487 backportable).
488 - Remove old symlinks to init.d files is necessary.
489 - Removed further out-dated code
490 - Removed entire section on opportunistic encryption - this was never in
491 strongSwan.
492 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
493 + Mass enablement of extra plugins and features to allow a user to use
494 strongswan for a variety of use cases without having to rebuild.
495 - d/control: Add required additional build-deps
496 - d/rules: Enable features at configure stage
497 - d/control: Mention addtionally enabled plugins
498 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
499 - d/libstrongswan.install: Add plugins (so, conf)
500 + d/rules: Disable duplicheck as per
501 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
502 + Remove ha plugin (requires special kernel)
503 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
504 - d/rules: Do not enable ha plugin
505 - d/control: Drop listing the ha plugin in the package description
506 + Add plugin kernel-libipsec to allow the use of strongswan in containers
507 via this userspace implementation (please do note that this is still
508 considered experimental by upstream).
509 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
510 - d/control: List kernel-libipsec plugin at extra plugins description
511 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
512 upstream recommends to not load kernel-libipsec by default.
513 + Relocate tnc plugin
514 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
515 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
516 + d/strongswan-starter.install: Install pool feature, that useful due to
517 having attr-sql plugin that is enabled now.
518 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
519 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
520 - d/libstrongswan.install: Add plugins/confiles
521 - d/control: move package descriptions and add required breaks/replaces
522 + d/libstrongswan.install: Reorder conf and .so alphabetically
523 + d/libstrongswan.install: Add kernel-netlink configuration files
524 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
525 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
526 autopkgtest the bliss test takes longer than the default (Upstream in
527 5.5.2 via issue 2204)
528 + Complete the disabling of libfast; This was partially accepted in Debian,
529 it is no more packaging medcli and medsrv, but still builds and
530 mentions it.
531 - d/rules: Add --disable-fast to avoid build time and dependencies
532 - d/control: Remove medcli, medsrv from package description
533 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
534 "only" to extra-plugins Mgf1 is not listed as default plugin at
535 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
536 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
537 libstrongswan-extra-plugins.
538 + Add missing mention of md4 plugin in d/control
539 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
540 missed that)
541 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
542 plugins for the most common use cases from extra-plugins into a new
543 standard-plugins package. This will allow those use cases without pulling
544 in too much more plugins (a bit like the tnc package). Recommend that
545 package from strongswan-libcharon.
546
547 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200
548
549strongswan (5.5.1-3ubuntu1) artful; urgency=medium
550
551 * Merge from Debian to pick up latest changes. Among others this includes:
552 - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
553 but likely have to wait until Debian stretch was released)
554 - enabling mediation support (LP: #1657413)
555 * Remaining Changes:
556 + Update init/service handling
557 - d/rules: Change init/systemd program name to strongswan
558 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
559 patching upstream
560 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
561 linking to upstream
562 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
563 - d/strongswan-starter.prerm: Stop strongswan service on package
564 removal (as opposed to using the old init.d script).
565 + Clean up d/strongswan-starter.postinst:
566 - Removed section about runlevel changes
567 - Adapted service restart section for Upstart (kept to be Trusty
568 backportable).
569 - Remove old symlinks to init.d files is necessary.
570 - Removed further out-dated code
571 - Removed entire section on opportunistic encryption - this was never in
572 strongSwan.
573 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
574 + Mass enablement of extra plugins and features to allow a user to use
575 strongswan for a variety of use cases without having to rebuild.
576 - d/control: Add required additional build-deps
577 - d/rules: Enable features at configure stage
578 - d/control: Mention addtionally enabled plugins
579 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
580 - d/libstrongswan.install: Add plugins (so, conf)
581 + d/rules: Disable duplicheck as per
582 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
583 + Remove ha plugin (requires special kernel)
584 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
585 - d/rules: Do not enable ha plugin
586 - d/control: Drop listing the ha plugin in the package description
587 + Add plugin kernel-libipsec to allow the use of strongswan in containers
588 via this userspace implementation (please do note that this is still
589 considered experimental by upstream).
590 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
591 - d/control: List kernel-libipsec plugin at extra plugins description
592 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
593 upstream recommends to not load kernel-libipsec by default.
594 + Relocate tnc plugin
595 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
596 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
597 + d/strongswan-starter.install: Install pool feature, that useful due to
598 having attr-sql plugin that is enabled now.
599 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
600 - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
601 - d/libstrongswan.install: Add plugins/confiles
602 - d/control: move package descriptions and add required breaks/replaces
603 + d/libstrongswan.install: Reorder conf and .so alphabetically
604 + d/libstrongswan.install: Add kernel-netlink configuration files
605 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
606 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
607 autopkgtest the bliss test takes longer than the default (Upstream in
608 5.5.2 via issue 2204)
609 + Complete the disabling of libfast; This was partially accepted in Debian,
610 it is no more packaging medcli and medsrv, but still builds and
611 mentions it.
612 - d/rules: Add --disable-fast to avoid build time and dependencies
613 - d/control: Remove medcli, medsrv from package description
614 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
615 "only" to extra-plugins Mgf1 is not listed as default plugin at
616 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
617 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
618 libstrongswan-extra-plugins.
619 + Add missing mention of md4 plugin in d/control
620 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
621 missed that)
622 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
623 plugins for the most common use cases from extra-plugins into a new
624 standard-plugins package. This will allow those use cases without pulling
625 in too much more plugins (a bit like the tnc package). Recommend that
626 package from strongswan-libcharon.
627 * Dropped Changes:
628 + Add and install apparmor profiles (in Debian)
629 - d/rules: Install AppArmor profiles
630 - d/control: Add dh-apparmor build-dep
631 - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
632 for charon, lookip and stroke
633 - d/libcharon-extra-plugins.install: Install profile for lookip
634 - d/strongswan-charon.install: Install profile for charon
635 - d/strongswan-starter.install: Install profile for stroke
636 - Fix strongswan ipsec status issue with apparmor
637 - Fix Dep8 tests for the now extra strongswan-pki package for pki
638 - Fix Dep8 tests for the now extra strongswan-scepclient package
639 + d/rules: Sorted and only one enable option per configure line (in
640 Debian)
641 + Add updated logcheck rules (in Debian)
642 - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
643 - debian/strongswan.logcheck: Add updated logcheck rules
644 + Add updated DEP8 tests (in Debian)
645 - d/tests/*: Add DEP8 tests
646 - d/control: Enable autotestpkg
647 + d/rules: do not strip for library integrity checking (After Discussion
648 with Debian this isn't acceptable there, but at the same time it turned
649 out the real use-case of this never uses this lib but instead third
650 party checks of checksums for e.g. FIPS cert; so drop the Delta)
651 - Use override_dh_strip to to avoid overwriting user build flags.
652 - Add missing mention of libchecksum integrity test in d/control
653 + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
654 in tests to avoid issues in low entropy environments. (Debian has
655 disabled !x86 tests for the same reason, one solution is enough)
656
657 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200
658
134strongswan (5.5.1-3) unstable; urgency=medium659strongswan (5.5.1-3) unstable; urgency=medium
135660
136 [ Christian Ehrhardt ]661 [ Christian Ehrhardt ]
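Review bot: the Remaining Changes item at new line 579 names `d/libbstrongswan-extra-plugins.install` (doubled "b"), which does not match the spelling `d/libstrongswan-extra-plugins.install` used at line 600 of the same entry. Anyone grepping the changelog for that install file to audit which plugins the Ubuntu delta adds will miss this item. The entry is already signed off (04 May 2017), so the published text may have to stay byte-identical, but the path should be spelled correctly wherever this list is carried forward into a newer entry. The same goes for the smaller slips nearby: "addtionally" (578), "confiles" (601) and "precies" (620).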
@@ -164,6 +689,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
164689
165 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100690 -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100
166691
692strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
693
694 * Update Maintainers which was missed while merging 5.5.1-1.
695
696 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100
697
698strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
699
700 * Merge from Debian (complex delta, discussions and broken out changes can be
701 found in the merge proposal linked from the merge bug LP: #1631198)
702 * Remaining Changes:
703 + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
704 checking.
705 + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
706 in tests to avoid issues in low entropy environments.
707 + Update init/service handling
708 - d/rules: Change init/systemd program name to strongswan
709 - d/strongswan-starter.strongswan.service: Add new systemd file instead of
710 patching upstream
711 - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
712 linking to upstream
713 - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
714 - d/strongswan-starter.prerm: Stop strongswan service on package
715 removal (as opposed to using the old init.d script).
716 + Clean up d/strongswan-starter.postinst:
717 - Removed section about runlevel changes
718 - Adapted service restart section for Upstart (kept to be Trusty
719 backportable).
720 - Remove old symlinks to init.d files is necessary.
721 - Removed further out-dated code
722 - Removed entire section on opportunistic encryption - this was never in
723 strongSwan.
724 + Add and install apparmor profiles
725 - d/rules: Install AppArmor profiles
726 - d/control: Add dh-apparmor build-dep
727 - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
728 for charon, lookip and stroke
729 - d/libcharon-extra-plugins.install: Install profile for lookip
730 - d/strongswan-charon.install: Install profile for charon
731 - d/strongswan-starter.install: Install profile for stroke
732 + d/rules: Removed pieces on 'patching ipsec.conf' on build.
733 + d/rules: Sorted and only one enable option per configure line
734 + Mass enablement of extra plugins and features to allow a user to use
735 strongswan for a variety of use cases without having to rebuild.
736 - d/control: Add required additional build-deps
737 - d/rules: Enable features at configure stage
738 - d/control: Mention addtionally enabled plugins
739 - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
740 - d/libstrongswan.install: Add plugins (so, conf)
741 + d/rules: Disable duplicheck as per
742 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
743 + Remove ha plugin (requires special kernel)
744 - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
745 - d/rules: Do not enable ha plugin
746 - d/control: Drop listing the ha plugin in the package description
747 + Add plugin kernel-libipsec to allow the use of strongswan in containers
748 via this userspace implementation (please do note that this is still
749 considered experimental by upstream).
750 - d/libcharon-extra-plugins.install: Add kernel-libipsec components
751 - d/control: List kernel-libipsec plugin at extra plugins description
752 - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
753 upstream recommends to not load kernel-libipsec by default.
754 + Relocate tnc plugin
755 - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
756 - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
757 + d/strongswan-starter.install: Install pool feature, that useful due to
758 having attr-sql plugin that is enabled now.
759 + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
760 - d/libstrongswan-extra-plugins.install: Remove plugins
761 - d/libstrongswan.install: Add plugins
762 + d/libstrongswan.install: Reorder conf and .so alphabetically
763 + d/libstrongswan.install: Add kernel-netlink configuration files
764 + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
765 + Add updated logcheck rules
766 - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files
767 - debian/strongswan.logcheck: Add updated logcheck rules
768 + Add updated DEP8 tests
769 - d/tests/*: Add DEP8 tests
770 - d/control: Enable autotestpkg
771 + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
772 autopkgtest the bliss test takes longer than the default
773 + Complete the disabling of libfast
774 - Note: This was partially accepted in Debian, it is no more
775 packaging medcli and medsrv, but still builds and mentions it
776 - d/rules: Add --disable-fast to avoid build time and dependencies
777 - d/control: Remove medcli, medsrv from package description
778 * Dropped Changes:
779 + Adding build-dep to iptables-dev (no change, was only in Changelog)
780 + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
781 + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
782 upgrade path left needing them)
783 + Most of "disabling libfast" (Debian dropped it from package content)
784 + Transition for ipsec service (no upgrade path left)
785 + Reverted part of the cleanup to d/strongswan-starter.postinst as using
786 service should rather use invoke-rc.d (so it is a partial revert of our
787 delta)
788 + Transition handling (breaks/replaces) from per-plugin packages to the
789 three grouped plugin packages (no upgrade path left)
790 + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
791 it is effectively a no-op still, so not worth the delta)
792 + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
793 (no more needed)
794 + d/rules: Remove configure option --enable-unit-test (unit tests run by
795 default)
796 * Added Changes:
797 + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
798 + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
799 the relocation of the ccm plugin which missed to move the conffiles.
800 + Complete move of test-vectors (was missing in d/control)
801 + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
802 "only" to extra-plugins Mgf1 is not listed as default plugin at
803 https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
804 + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
805 libstrongswan-extra-plugins.
806 + Add missing mention of md4 plugin in d/control
807 + Add missing mention of libchecksum integrity test in d/control
808 + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
809 missed that)
810 + Use override_dh_strip to to fix library integrity checking instead of
811 DEB_BUILD_OPTION to avoid overwriting user build flags.
812 + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
813 plugins for the most common use cases from extra-plugins into a new
814 standard-plugins package. This will allow those use cases without pulling
815 in too much more plugins (a bit like the tnc package). Recommend that
816 package from strongswan-libcharon (LP: #1640826).
817 + Fix Dep8 tests for the now extra strongswan-pki package for pki
818 + Fix Dep8 tests for the now extra strongswan-scepclient package
819
820 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100
821
167strongswan (5.5.1-1) unstable; urgency=medium822strongswan (5.5.1-1) unstable; urgency=medium
168823
169 * New upstream bugfix release.824 * New upstream bugfix release.
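Review bot: the 5.5.1-1ubuntu1 entry records the library integrity item twice with contradictory mechanisms. Remaining Changes (703-704) says `d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking`, while Added Changes (810-811) says `Use override_dh_strip to to fix library integrity checking instead of DEB_BUILD_OPTION`. From the entry alone a reader cannot tell which mechanism d/rules actually carried in that upload. Please confirm both lines match the changelog as uploaded and are not an artefact of re-adding the history. Also, "Fix strongswan ipsec status issue with apparmor (LP: #1587886)" at 797 does not name the profile that was changed, unlike the AppArmor items at 724-731, so the bug report is the only way to find out which confinement rule was relaxed.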
@@ -280,6 +935,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
280935
281 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100936 -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100
282937
938strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
939
940 * Build-depend on libjson-c-dev instead of libjson0-dev.
941 * Rebuild against libjson-c3.
942
943 -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200
944
945strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
946
947 * Rebuild against libmysqlclient20.
948
949 -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000
950
951strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
952
953 * debian/tests/plugins: rdrand may or may not be loaded, depending on the
954 cpu features.
955
956 -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000
957
958strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
959
960 * debian/{rules,control,libstrongswan-extra-plugins.install}
961 Enable bliss plugin
962 * debian/{rules,control,libstrongswan-extra-plugins.install}
963 Enable chapoly plugin
964 * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
965 Upstream suggests to not load this plugin by default as it has
966 some limitations.
967 https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
968 * debian/patches/increase-bliss-test-timeout.patch
969 Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
970 * Update Apparmor profiles
971 - usr.lib.ipsec.charon
972 - add capability audit_write for xauth-pam (LP: #1470277)
973 - add capability dac_override (needed by agent plugin)
974 - allow priv dropping (LP: #1333655)
975 - allow caching CRLs (LP: #1505222)
976 - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
977 - usr.lib.ipsec.stroke
978 - allow priv dropping (LP: #1333655)
979 - add local include
980 - usr.lib.ipsec.lookip
981 - add local include
982 * Merge from Debian, which includes fixes for all previous CVEs
983 Fixes (LP: #1330504, #1451091, #1448870, #1470277)
984 Remaining changes:
985 * debian/control
986 - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
987 - Update Maintainer for Ubuntu
988 - Add build-deps
989 - dh-apparmor
990 - iptables-dev
991 - libjson0-dev
992 - libldns-dev
993 - libmysqlclient-dev
994 - libpcsclite-dev
995 - libsoup2.4-dev
996 - libtspi-dev
997 - libunbound-dev
998 - Drop build-deps
999 - libfcgi-dev
1000 - clearsilver-dev
1001 - Create virtual packages for all strongswan-plugin-* for dist-upgrade
1002 - Set XS-Testsuite: autopkgtest
1003 * debian/rules:
1004 - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1005 - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1006 tests.
1007 - Change init/systemd program name to strongswan
1008 - Install AppArmor profiles
1009 - Removed pieces on 'patching ipsec.conf' on build.
1010 - Enablement of features per Ubuntu current config suggested from
1011 upstream recommendation
1012 - Unpack and sort enabled features to one-per-line
1013 - Disable duplicheck as per
1014 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
1015 - Disable libfast (--disable-fast):
1016 Requires dropping medsrv, medcli plugins which depend on libfast
1017 - Add configure options
1018 --with-tss=trousers
1019 - Remove configure options:
1020 --enable-ha (requires special kernel)
1021 --enable-unit-test (unit tests run by default)
1022 - Drop logcheck install
1023 * debian/tests/*
1024 - Add DEP8 test for strongswan service and plugins
1025 * debian/strongswan-starter.strongswan.service
1026 - Add new systemd file instead of patching upstream
1027 * debian/strongswan-starter.links
1028 - removed, use Ubuntu systemd file instead of linking to upstream
1029 * debian/usr.lib.ipsec.{charon, lookip, stroke}
1030 - added AppArmor profiles for charon, lookip and stroke
1031 * debian/libcharon-extra-plugins.install
1032 - Add plugins
1033 - kernel-libipsec.{so, lib, conf, apparmor}
1034 - Remove plugins
1035 - libstrongswan-ha.so
1036 - Relocate plugins
1037 - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
1038 * debian/libstrongswan-extra-plugins.install
1039 - Add plugins (so, lib, conf)
1040 - acert
1041 - attr-sql
1042 - coupling
1043 - dnscert
1044 - fips-prf
1045 - gmp
1046 - ipseckey
1047 - load-tester
1048 - mysql
1049 - ntru
1050 - radattr
1051 - soup
1052 - sqlite
1053 - sql
1054 - systime-fix
1055 - unbound
1056 - whitelist
1057 - Relocate plugins (so, lib, conf)
1058 - ccm (libstrongswan.install)
1059 - test-vectors (libstrongswan.install)
1060 * debian/libstrongswan.install
1061 - Sort sections
1062 - Add plugins (so, lib, conf)
1063 - libchecksum
1064 - ccm
1065 - eap-identity
1066 - md4
1067 - test-vectors
1068 * debian/strongswan-charon.install
1069 - Add AppArmor profile for charon
1070 * debian/strongswan-starter.install
1071 - Add tools, manpages, conf
1072 - openac
1073 - pool
1074 - _updown_espmark
1075 - Add AppArmor profile for stroke
1076 * debian/strongswan-tnc-base.install
1077 - Add new subpackage for TNC
1078 - remove non-existent (dropped in 5.2.1) libpts library files
1079 * debian/strongswan-tnc-client.install
1080 - Add new subpackage for TNC
1081 * debian/strongswan-tnc-ifmap.install
1082 - Add new subpackage for TNC
1083 * debian/strongswan-tnc-pdp.install
1084 - Add new subpackage for TNC
1085 * debian/strongswan-tnc-server.install
1086 - Add new subpackage for TNC
1087 * debian/strongswan-starter.postinit:
1088 - Removed section about runlevel changes, it's almost 2014.
1089 - Adapted service restart section for Upstart.
1090 - Remove old symlinks to init.d files is necessary.
1091 * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1092 * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1093 * debian/strongswan-starter.prerm: Stop strongswan service on package
1094 removal (as opposed to using the old init.d script).
1095 * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
1096 - logcheck patterns updated to be helpful
1097 * debian/strongswan-starter.postinst: Removed further out-dated code and
1098 entire section on opportunistic encryption - this was never in strongSwan.
1099 * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1100 Drop changes:
1101 * debian/control
1102 - Per-plugin package breakup: Reducing packaging delta from Debian
1103 - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
1104 * debian/watch: Already exists in Debian merge
1105 * debian/upstream/signing-key.asc: Upstream has newer version.
1106
1107 -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600
1108
283strongswan (5.3.5-1) unstable; urgency=medium1109strongswan (5.3.5-1) unstable; urgency=medium
2841110
285 * New upstream bugfix release.1111 * New upstream bugfix release.
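Review bot: under "Update Apparmor profiles" for usr.lib.ipsec.charon (971-976), `add capability dac_override (needed by agent plugin)` at 973 is the only grant in that list without an LP bug reference, and it is a broad one: CAP_DAC_OVERRIDE lets the confined charon process bypass file read, write and execute permission checks. Since the file list for this merge shows debian/usr.lib.ipsec.charon being modified, it is worth confirming that the capability is still required by the profile as shipped and recording the justification (bug number or plugin path) next to the rule. Minor: 1087 refers to `debian/strongswan-starter.postinit`, while 1097 uses `debian/strongswan-starter.postinst` for what appears to be the same file.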
@@ -552,6 +1378,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
5521378
553 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +01001379 -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100
5541380
1381strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
1382
1383 * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
1384
1385 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000
1386
1387strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
1388
1389 * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
1390 - debian/patches/CVE-2015-8023.patch: only succeed authentication if
1391 MSK was established in
1392 src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
1393 - CVE-2015-8023
1394 * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
1395 until regression is properly investigated.
1396
1397 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500
1398
1399strongswan (5.1.2-0ubuntu6) wily; urgency=medium
1400
1401 * SECURITY UPDATE: user credential disclosure to rogue servers
1402 - debian/patches/CVE-2015-4171.patch: enforce remote authentication
1403 config before proceeding with own authentication in
1404 src/libcharon/sa/ikev2/tasks/ike_auth.c.
1405 - CVE-2015-4171
1406 * debian/rules: don't FTBFS from unused service file
1407
1408 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400
1409
1410strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
1411
1412 * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
1413
1414 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100
1415
1416strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
1417
1418 * SECURITY UPDATE: denial of service via DH group 1025
1419 - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
1420 IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
1421 src/libstrongswan/crypto/diffie_hellman.h.
1422 - CVE-2014-9221
1423
1424 -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500
1425
1426strongswan (5.1.2-0ubuntu3) utopic; urgency=low
1427
1428 * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
1429 build.
1430
1431 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000
1432
1433strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
1434
1435 * SECURITY UPDATE: remote authentication bypass
1436 - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
1437 on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
1438 - CVE-2014-2338
1439
1440 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400
1441
1442strongswan (5.1.2-0ubuntu1) trusty; urgency=low
1443
1444 * New upstream release.
1445
1446 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000
1447
1448strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
1449
1450 * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
1451 * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
1452
1453 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000
1454
1455strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
1456
1457 * New upstream release candidate.
1458
1459 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000
1460
1461strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
1462
1463 * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
1464 packages.
1465 * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
1466
1467 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000
1468
1469strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
1470
1471 * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
1472
1473 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000
1474
1475strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
1476
1477 * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
1478 as it's only useful on amd64.
1479 * debian/watch: Added opts=pgpsigurlmangle option.
1480 * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
1481
1482 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000
1483
1484strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
1485
1486 * New upstream release candidate.
1487 * debian/*.install - include new configuration files for plugins in
1488 appropiate packages.
1489
1490 -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000
1491
1492strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
1493
1494 * debian/control:
1495 - Added Breaks/Replaces for all library files which have been moved
1496 about (LP: #1278176).
1497 - Removed build-dependency on check and added one on dh-apparmor.
1498 * debian/strongswan-starter.postinst: Removed further out-dated code and
1499 entire section on opportunistic encryption - this was never in strongSwan.
1500 * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
1501
1502 -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000
1503
1504strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
1505
1506 * debian/control: Fixed references to plugin-fips-prf.
1507
1508 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000
1509
1510strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
1511
1512 * Upstream Git snapshot for build fixes with regards to entropy.
1513 * debian/rules:
1514 - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
1515 - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
1516 tests.
1517
1518 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000
1519
1520strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
1521
1522 * New upstream developer release.
1523 * Made changes to packaging per upstream suggestions.
1524 - Dropped medcli and medsrv packages - not recommended by upstream at this
1525 time.
1526 - Dropped ha plugin - needs special kernel.
1527 - Improved all package descriptions in general.
1528 - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
1529 - Removed debian/*logcheck* files - not relevant to strongSwan.
1530 - Split dhcp and farp packages into sub-packages.
1531 - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
1532 - Changes to TNC-related packages.
1533 * Created AppArmor profiles for lookip and stroke.
1534
1535 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000
1536
1537strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
1538
1539 * libstrongswan.install: Removed lingering unit-tester.so reference.
1540
1541 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000
1542
1543strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
1544
1545 * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
1546 Incorporates upstream fixes for:
1547 - Integrity testing.
1548 - Unit test failures on little endian systems.
1549 * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
1550 upstream.
1551 * debian/rules:
1552 - Stop using CK_TIMEOUT_MULTIPLIER.
1553 - Stop enabling the test suite only on non-powerpc arches (it runs
1554 anyway).
1555
1556 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000
1557
1558strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
1559
1560 * debian/control: Reinstate missing comma in dependencies.
1561
1562 -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000
1563
1564strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
1565
1566 * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
1567 where test for >2038 tests on 32-bit platforms is broken.
1568 - Reported upstream: https://wiki.strongswan.org/issues/477
1569 * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
1570
1571 -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000
1572
1573strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
1574
1575 * New upstream developer release.
1576 * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
1577 and --enable-unity.
1578 * debian/control:
1579 - New plugin packages created for the above
1580 - Split fips-prf into its own package.
1581 - Added build-dependency on libsoup2.4-dev.
1582
1583 -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000
1584
555strongswan (5.1.1-3) unstable; urgency=low1585strongswan (5.1.1-3) unstable; urgency=low
5561586
557 * Upload to unstable.1587 * Upload to unstable.
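Review bot: at 1480 the key added to debian/upstream/signing-key.asc is identified only by the 32-bit short ID `0xB34DBA77`. Short key IDs can be made to collide, so this line does not pin which key the `opts=pgpsigurlmangle` check added at 1479 is meant to trust. Suggest recording the full fingerprint whenever the upstream signing key is next mentioned in a changelog entry, so that the key in the package can be checked against the changelog. Separately, 1394-1395 adds `debian/patches/disable_ntru_test.patch` "until regression is properly investigated" with no bug reference, and no entry in this hunk records the test being re-enabled. A tracking bug number there would let a reader verify that the disabled test was followed up.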
@@ -643,6 +1673,192 @@ strongswan (5.1.1-1) unstable; urgency=low
6431673
644 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +01001674 -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100
6451675
1676strongswan (5.1.1-0ubuntu17) trusty; urgency=low
1677
1678 * debian/control:
1679 - Make strongswan-ike depend on iproute2.
1680 - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
1681 - Created strongswan-libfast package.
1682
1683 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000
1684
1685strongswan (5.1.1-0ubuntu16) trusty; urgency=low
1686
1687 * debian/control:
1688 - Further splitting of plugins into subpackages (such as all EAP plugins
1689 to their own packages).
1690 - Added libpcsclite-dev to build-dependencies.
1691 * debian/rules:
1692 - Sort configure options in alphabetical order.
1693 - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
1694 --enable-eap-sim-file, --enable-eap-sim-pcsc,
1695 --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
1696 --enable-eap-simaka-sql.
1697 - Don't exclude medsrv from install.
1698 * Moved eap-identity.so to libstrongswan package as it's used by all the
1699 other EAP plugins.
1700
1701 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000
1702
1703strongswan (5.1.1-0ubuntu15) trusty; urgency=low
1704
1705 * debian/control:
1706 - Split plugins from libstrongswan package into modular subpackages.
1707 - Added libmysqlclient-dev to build-dependencies.
1708 - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
1709 strongswan-plugins-gcrypt.
1710 - strongswan-ike: All other plugins added to Suggests.
1711 - Created two new TNC packages: strongswan-tnc-ifmap and
1712 strongswan-tnc-pdp and added to tnc-imcvs Suggests.
1713 * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
1714 --enable-error-notify, --enable-mysql, --enable-load-tester,
1715 --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
1716 * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
1717
1718 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000
1719
1720strongswan (5.1.1-0ubuntu14) trusty; urgency=low
1721
1722 * debian/rules:
1723 - CK_TIMEOUT_MULTIPLIER back down to 6.
1724 - Disable unit tests on powerpc.
1725
1726 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000
1727
1728strongswan (5.1.1-0ubuntu13) trusty; urgency=low
1729
1730 * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
1731
1732 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000
1733
1734strongswan (5.1.1-0ubuntu12) trusty; urgency=low
1735
1736 * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
1737 armhf.
1738
1739 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000
1740
1741strongswan (5.1.1-0ubuntu11) trusty; urgency=low
1742
1743 * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
1744 one extra arch.
1745 * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
1746
1747 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000
1748
1749strongswan (5.1.1-0ubuntu10) trusty; urgency=low
1750
1751 * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
1752 - Increases RSA key generate test timeout to 30 seconds so that it doesn't
1753 fail on armhf, arm64, and powerppc.
1754 * Contrary to what the last changelog entry says, we are still running
1755 strongswan as root (with AppArmor protection).
1756
1757 -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000
1758
1759strongswan (5.1.1-0ubuntu9) trusty; urgency=low
1760
1761 * debian/rules: Added to configure options:
1762 - --enable-tnc-ifmap: enable TNC IF-MAP module.
1763 - --enable-duplicheck: enable duplicheck plugin.
1764 - --enable-imv-swid, --enable-imc-swid: Added.
1765 - Run strongswan as it's own user.
1766 * debian/strongswan-starter.install: Install duplicheck.
1767 * debian/strongswan-tnc-imcvs.install: Install swidtags.
1768
1769 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000
1770
1771strongswan (5.1.1-0ubuntu8) trusty; urgency=low
1772
1773 * debian/rules: Added to configure options:
1774 - --enable-unit-tests: check unit testing on build.
1775 - --enable-unbound: for validating DNS lookups.
1776 - --enable-dnscert: for DNSCERT peer authentication.
1777 - --enable-ipseckey: for IPSEC key authentication.
1778 - --enable-lookip: for LookIP functionality.
1779 - --enable-coupling: certificate coupling functionality.
1780 * debian/control: Added check, libldns-dev, libunbound-dev to
1781 build-dependencies.
1782 * debian/libstrongswan.install: Install new plugin .so's.
1783 * debian/strongswan-starter.install: Added lookip.
1784
1785 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000
1786
1787strongswan (5.1.1-0ubuntu7) trusty; urgency=low
1788
1789 * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
1790 the former from depending on the latter).
1791
1792 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000
1793
1794strongswan (5.1.1-0ubuntu6) trusty; urgency=low
1795
1796 * debian/strongswan-starter.prerm: Stop strongswan service on package
1797 removal (as opposed to using the old init.d script).
1798
1799 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000
1800
1801strongswan (5.1.1-0ubuntu5) trusty; urgency=low
1802
1803 * debian/rules:
1804 - CONFIGUREARGS: Merged Debian and RPM options.
1805 - Brings in TNC functionality.
1806 * debian/control:
1807 - Added build-dependency on libtspi-dev.
1808 - Created strongswan-tnc-imcvs binary package for TNC components.
1809 - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
1810 * debian/libstrongswan.install:
1811 - Included newly built MD4 and SQLite libraries.
1812 - Removed 'tnc' references (moved to TNC package).
1813 * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
1814 binaries.
1815 * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
1816
1817 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000
1818
1819strongswan (5.1.1-0ubuntu4) trusty; urgency=low
1820
1821 * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
1822 * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
1823 * debian/control: strongswan-ike - Stop depending on ipsec-tools.
1824
1825 -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000
1826
1827strongswan (5.1.1-0ubuntu3) trusty; urgency=low
1828
1829 * strongswan-starter.strongswan.upstart - Only start strongSwan when a
1830 network connection is available.
1831 * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
1832 1.16.1 - to make precise backporting easier.
1833
1834 -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000
1835
1836strongswan (5.1.1-0ubuntu2) trusty; urgency=low
1837
1838 * strongswan-starter.strongswan.upstart - Created Upstart job for
1839 strongSwan.
1840 * debian/rules: Set dh_installinit to install above file.
1841 * debian/strongswan-starter.postinit:
1842 - Removed section about runlevel changes, it's almost 2014.
1843 - Adapted service restart section for Upstart.
1844 - Remove old symlinks to init.d files is necessary.
1845 * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
1846
1847 -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000
1848
1849strongswan (5.1.1-0ubuntu1) trusty; urgency=low
1850
1851 * New upstream release.
1852 * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
1853 * debian/control: Updated Standards-Version to 3.9.5 and applied
1854 XSBC-Original-Maintainer policy.
1855 * strongswan-starter.install:
1856 - pki tool is now in /usr/bin.
1857 - Install pt-tls-client.
1858 - Install manpages (LP: #1206263).
1859
1860 -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000
1861
646strongswan (5.1.0-3) unstable; urgency=high1862strongswan (5.1.0-3) unstable; urgency=high
6471863
648 * urgency=high for the security fixes.1864 * urgency=high for the security fixes.
diff --git a/debian/control b/debian/control
index 4f12140..5792e50 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: strongswan1Source: strongswan
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
5Uploaders: Rene Mayrhofer <rmayr@debian.org>,6Uploaders: Rene Mayrhofer <rmayr@debian.org>,
6 Yves-Alexis Perez <corsac@debian.org>7 Yves-Alexis Perez <corsac@debian.org>
7Standards-Version: 4.1.28Standards-Version: 4.1.2
@@ -19,14 +20,21 @@ Build-Depends: bison,
19 libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,20 libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,
20 libgcrypt20-dev | libgcrypt11-dev,21 libgcrypt20-dev | libgcrypt11-dev,
21 libgmp3-dev,22 libgmp3-dev,
23 libjson-c-dev,
22 libkrb5-dev,24 libkrb5-dev,
23 libldap2-dev,25 libldap2-dev,
26 libldns-dev,
27 libmysqlclient-dev,
24 libnm-dev [linux-any],28 libnm-dev [linux-any],
25 libpam0g-dev,29 libpam0g-dev,
30 libpcsclite-dev,
31 libsoup2.4-dev,
26 libsqlite3-dev,32 libsqlite3-dev,
27 libssl-dev (>= 0.9.8),33 libssl-dev (>= 0.9.8),
28 libsystemd-dev [linux-any],34 libsystemd-dev [linux-any],
29 libtool,35 libtool,
36 libtspi-dev,
37 libunbound-dev,
30 libxml2-dev,38 libxml2-dev,
31 pkg-config,39 pkg-config,
32 po-debconf,40 po-debconf,
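Review bot: the seven added Build-Depends (libjson-c-dev, libldns-dev, libmysqlclient-dev, libpcsclite-dev, libsoup2.4-dev, libtspi-dev, libunbound-dev) each pull more code into the build, and libsoup2.4-dev adds a second HTTP fetcher next to the libcurl alternative already listed above it. Please confirm each one maps to an --enable option in debian/rules and to a changelog line, and drop any that no shipped plugin needs, so the delta against Debian stays auditable.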
@@ -68,7 +76,9 @@ Description: strongSwan utility and crypto library
68 - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms)76 - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms)
69 - gmp (RSA/DH crypto backend based on libgmp)77 - gmp (RSA/DH crypto backend based on libgmp)
70 - hmac (HMAC wrapper using various hashers)78 - hmac (HMAC wrapper using various hashers)
79 - md4 (MD4 hasher software implementation)
71 - md5 (MD5 hasher software implementation)80 - md5 (MD5 hasher software implementation)
81 - mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512)
72 - nonce (Default nonce generation plugin)82 - nonce (Default nonce generation plugin)
73 - pem (PEM encoding/decoding routines)83 - pem (PEM encoding/decoding routines)
74 - pgp (PGP encoding/decoding routines)84 - pgp (PGP encoding/decoding routines)
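Review bot: the new "md4 (MD4 hasher software implementation)" entry puts a broken hash into the base libstrongswan plugin list without saying why. If it is there only for the NT hashes used by eap-mschapv2, which this merge moves into libcharon-standard-plugins, say so in the description or the changelog so nobody reads it as a general-purpose hasher. Please also confirm that debian/libstrongswan.install ships both md4 and mgf1, so that the description matches the package contents.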
@@ -131,22 +141,57 @@ Description: strongSwan utility and crypto library (extra plugins)
131 cryptographic library.141 cryptographic library.
132 .142 .
133 Included plugins are:143 Included plugins are:
144 - acert (Support of X.509 attribute certificates (since 5.1.3))
134 - af-alg [linux] (AF_ALG Linux crypto API interface, provides145 - af-alg [linux] (AF_ALG Linux crypto API interface, provides
135 ciphers/hashers/hmac/xcbc)146 ciphers/hashers/hmac/xcbc)
147 - attr-sql (provide IKE attributes read from a database to peers)
148 - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer
149 signature scheme)
136 - ccm (CCM cipher mode wrapper)150 - ccm (CCM cipher mode wrapper)
151 - chapoly (ChaCha20/Poly1305 AEAD implementation)
137 - cmac (CMAC cipher mode wrapper)152 - cmac (CMAC cipher mode wrapper)
138 - ctr (CTR cipher mode wrapper)153 - ctr (CTR cipher mode wrapper)
154 - coupling (Permanent peer certificate coupling)
139 - curl (libcurl based HTTP/FTP fetcher)155 - curl (libcurl based HTTP/FTP fetcher)
140 - curve25519 (support for Diffie-Hellman group 31 using Curve25519 and156 - curve25519 (support for Diffie-Hellman group 31 using Curve25519 and
141 support for the Ed25519 digital signature algorithm for IKEv2)157 support for the Ed25519 digital signature algorithm for IKEv2)
158 - dnscert (authentication via CERT RRs protected by DNSSEC)
142 - gcrypt (Crypto backend based on libgcrypt, provides159 - gcrypt (Crypto backend based on libgcrypt, provides
143 RSA/DH/ciphers/hashers/rng)160 RSA/DH/ciphers/hashers/rng)
161 - ipseckey (authentication via IPSECKEY RRs protected by DNSSEC)
144 - ldap (LDAP fetching plugin based on libldap)162 - ldap (LDAP fetching plugin based on libldap)
163 - load-tester (perform IKE load tests against self or gateway)
164 - mysql (database backend)
165 - ntru (key exchanged based on post-quantum computer NTRU)
166 - nttfft (Number Theoretic Transform via the FFT algorithm)
145 - padlock (VIA padlock crypto backend, provides AES128/SHA1)167 - padlock (VIA padlock crypto backend, provides AES128/SHA1)
146 - pkcs11 (PKCS#11 smartcard backend)168 - pkcs11 (PKCS#11 smartcard backend)
169 - radattr (inject and process custom RADIUS attributes as IKEv2 client)
170 - sql (SQL configuration and creds engine)
171 - sqlite (SQLite database backend)
172 - soup (libsoup based HTTP fetcher)
173 - tpmtss (TPM 1.2 and TPM 2.0 Trusted Platform Modules)
147 - rdrand (High quality / high performance random source using the Intel174 - rdrand (High quality / high performance random source using the Intel
148 rdrand instruction found on Ivy Bridge processors)175 rdrand instruction found on Ivy Bridge processors)
149 - test-vectors (Set of test vectors for various algorithms)176 - test-vectors (Set of test vectors for various algorithms)
177 - unbound (DNSSEC enabled resolver using libunbound)
178 - whitelist (peer verification against a whitelist)
179
180Package: libcharon-standard-plugins
181Architecture: any
182Depends: libstrongswan (= ${binary:Version}),
183 ${misc:Depends},
184 ${shlibs:Depends}
185Breaks: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~)
186Replaces: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~)
187Description: strongSwan charon library (standard plugins)
188 The strongSwan VPN suite uses the native IPsec stack in the standard
189 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
190 .
191 This package provides standard plugins for the charon library:
192 - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
193 - xauth-generic (Generic XAuth backend that provides passwords from
194 ipsec.secrets and other credential sets)
150195
151Package: libcharon-extra-plugins196Package: libcharon-extra-plugins
152Architecture: any197Architecture: any
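Review bot: the "Included plugins are:" list for libstrongswan-extra-plugins no longer matches debian/libstrongswan-extra-plugins.install in this same diff. It lists nttfft and tpmtss as plugins, while the install file ships libnttfft.so* and libtpmtss.so* only as support libraries and the plugin as libstrongswan-tpm.so, and it omits systime-fix, which the install file adds. Please reconcile the two, fix "key exchanged based on" in the ntru entry to "key exchange based on", and keep the added entries in alphabetical order (coupling is placed after ctr, and radattr through tpmtss sit before rdrand).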
@@ -162,13 +207,13 @@ Description: strongSwan charon library (extra plugins)
162 This package provides extra plugins for the charon library:207 This package provides extra plugins for the charon library:
163 - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509208 - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509
164 certificates)209 certificates)
210 - dhcp (Forwarding of DHCP requests for virtual IPs to DHCP server)
165 - certexpire (Export expiration dates of used certificates)211 - certexpire (Export expiration dates of used certificates)
166 - eap-aka (Generic EAP-AKA protocol handler using different backends)212 - eap-aka (Generic EAP-AKA protocol handler using different backends)
167 - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends)213 - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends)
168 - eap-identity (EAP-Identity identity exchange algorithm, to use with other214 - eap-identity (EAP-Identity identity exchange algorithm, to use with other
169 EAP protocols)215 EAP protocols)
170 - eap-md5 (EAP-MD5 protocol handler using passwords)216 - eap-md5 (EAP-MD5 protocol handler using passwords)
171 - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
172 - eap-radius (EAP server proxy plugin forwarding EAP conversations to a217 - eap-radius (EAP server proxy plugin forwarding EAP conversations to a
173 RADIUS server)218 RADIUS server)
174 - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in219 - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
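Review bot: the added "dhcp" entry has no counterpart in the debian/libcharon-extra-plugins.install hunk of this diff, which lists no libstrongswan-dhcp.so or dhcp.conf. Either ship the plugin from this package or move the entry to the description of the package that actually installs it. It is also inserted between addrblock and certexpire, out of alphabetical order. Dropping eap-mschapv2 here is consistent with the new libcharon-standard-plugins package.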
@@ -176,17 +221,25 @@ Description: strongSwan charon library (extra plugins)
176 - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel)221 - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel)
177 - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)222 - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
178 - error-notify (Notification about errors via UNIX socket)223 - error-notify (Notification about errors via UNIX socket)
224 - farp (fake ARP responses for requests to virtual IP address)
179 - ha (High-Availability clustering)225 - ha (High-Availability clustering)
226 - kernel-libipsec (Userspace IPsec Backend with TUN devices)
180 - led (Let Linux LED subsystem LEDs blink on IKE activity)227 - led (Let Linux LED subsystem LEDs blink on IKE activity)
181 - lookip (Virtual IP lookup facility using a UNIX socket)228 - lookip (Virtual IP lookup facility using a UNIX socket)
182 - medcli (Web interface based mediation client interface)
183 - medsrv (Web interface based mediation server interface)
184 - tnc (Trusted Network Connect)229 - tnc (Trusted Network Connect)
185 - unity (Cisco Unity extensions for IKEv1)230 - unity (Cisco Unity extensions for IKEv1)
186 - xauth-eap (XAuth backend that uses EAP methods to verify passwords)231 - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
187 - xauth-generic (Generic XAuth backend that provides passwords from
188 ipsec.secrets and other credential sets)
189 - xauth-pam (XAuth backend that uses PAM modules to verify passwords)232 - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
233 - eap-aka-3gpp2 (EAP-AKA backend implementing standard 3GPP2 algorithm in software)
234 - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since 5.0.1))
235 - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
236 - eap-sim (Generic EAP-SIM protocol handler using different backends)
237 - eap-sim-file (EAP-SIM backend reading triplets from a file)
238 - eap-sim-pcsc (EAP-SIM backend based on a PC/SC smartcard reader)
239 - eap-simaka-pseudonym (EAP-SIM/AKA in-memory pseudonym identity database)
240 - eap-simaka-reauth (EAP-SIM/AKA in-memory reauthentication identity database)
241 - eap-simaka-sql (EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database)
242 - xauth-noauth (XAuth backend that does not do any authentication (since 5.0.3))
190243
191Package: strongswan-starter244Package: strongswan-starter
192Architecture: any245Architecture: any
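Review bot: this description hunk disagrees with debian/libcharon-extra-plugins.install in two places. The added "farp" entry has no libstrongswan-farp.so in the install file, and the unchanged "tnc (Trusted Network Connect)" entry stays although the install file drops libstrongswan-tnc-tnccs.so, libtnccs.so* and tnc.conf. Please remove or relocate both entries. The entries appended after xauth-pam (eap-aka-3gpp2 through xauth-noauth) would read better merged into the sorted list and wrapped like the surrounding lines, since eap-dynamic and eap-simaka-sql run well past 80 columns. For xauth-noauth, whose own text says it does no authentication, a short caution in the description would help administrators who install the package for other plugins.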
@@ -212,6 +265,7 @@ Depends: libstrongswan (= ${binary:Version}),
212 ${shlibs:Depends}265 ${shlibs:Depends}
213Breaks: strongswan-starter (<= 5.6.1-2)266Breaks: strongswan-starter (<= 5.6.1-2)
214Replaces: strongswan-starter (<= 5.6.1-2)267Replaces: strongswan-starter (<= 5.6.1-2)
268Recommends: libcharon-standard-plugins
215Suggests: libcharon-extra-plugins269Suggests: libcharon-extra-plugins
216Description: strongSwan charon library270Description: strongSwan charon library
217 The strongSwan VPN suite uses the native IPsec stack in the standard271 The strongSwan VPN suite uses the native IPsec stack in the standard
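Review bot: "Recommends: libcharon-standard-plugins" on libcharon does not cover systems that install without recommends. There, an upgrade silently drops eap-mschapv2 and xauth-generic, which used to come with libcharon-extra-plugins, and client authentication to existing gateways stops working. The Breaks/Replaces on the new package only handles the file move. Consider having libcharon-extra-plugins depend on (or at least recommend) libcharon-standard-plugins for the transition, or document the behaviour change in the changelog and release notes.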
@@ -255,6 +309,68 @@ Description: strongSwan plugin to interact with NetworkManager
255 in conjunction with the network-manager-strongswan package, providing309 in conjunction with the network-manager-strongswan package, providing
256 a simple graphical frontend to configure IPsec based VPNs.310 a simple graphical frontend to configure IPsec based VPNs.
257311
312Package: strongswan-tnc-ifmap
313Architecture: any
314Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
315Description: strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP client
316 The strongSwan VPN suite uses the native IPsec stack in the standard
317 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
318 .
319 This package provides Trusted Network Connect's (TNC) IF-MAP 2.0 client.
320
321Package: strongswan-tnc-base
322Architecture: any
323Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
324Suggests: strongswan-tnc-ifmap, strongswan-tnc-pdp
325Description: strongSwan Trusted Network Connect's (TNC) - base files
326 The strongSwan VPN suite uses the native IPsec stack in the standard
327 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
328 .
329 This package provides the base files for strongSwan's Trusted Network
330 Connect's (TNC) functionality.
331 .
332 strongSwan's IMC/IMV dynamic libraries can be used by any third party TNC
333 client/server implementation possessing a standard IF-IMC/IMV interface.
334
335Package: strongswan-tnc-client
336Architecture: any
337Depends: ${shlibs:Depends}, ${misc:Depends},
338 libstrongswan (= ${binary:Version}), strongswan-tnc-base (= ${binary:Version})
339Suggests: libcharon-extra-plugins
340Description: strongSwan Trusted Network Connect's (TNC) - client files
341 The strongSwan VPN suite uses the native IPsec stack in the standard
342 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
343 .
344 This package provides the client functionality for strongSwan's Trusted Network
345 Connect's (TNC) features.
346 .
347 It includes the OS, scanner, test, SWID, and attestation IMCs.
348
349Package: strongswan-tnc-server
350Architecture: any
351Depends: ${shlibs:Depends}, ${misc:Depends},
352 libstrongswan (= ${binary:Version}),
353 strongswan-tnc-base (= ${binary:Version}),
354 libstrongswan-extra-plugins (= ${binary:Version})
355Description: strongSwan Trusted Network Connect's (TNC) - server files
356 The strongSwan VPN suite uses the native IPsec stack in the standard
357 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
358 .
359 This package provides the server functionality for strongSwan's Trusted Network
360 Connect's (TNC) features.
361
362Package: strongswan-tnc-pdp
363Architecture: any
364Depends: ${shlibs:Depends}, ${misc:Depends},
365 libstrongswan (= ${binary:Version}),
366 strongswan-tnc-server (= ${binary:Version})
367Description: strongSwan plugin for Trusted Network Connect's (TNC) PDP
368 The strongSwan VPN suite uses the native IPsec stack in the standard
369 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
370 .
371 This package provides Trusted Network Connect's (TNC) Policy Decision Point
372 (PDP) with RADIUS server interface.
373
258Package: charon-cmd374Package: charon-cmd
259Architecture: any375Architecture: any
260Depends: libstrongswan (= ${binary:Version}),376Depends: libstrongswan (= ${binary:Version}),
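Review bot: none of the five new strongswan-tnc-* stanzas declare Breaks/Replaces, unlike libcharon-standard-plugins above, although this diff removes libstrongswan-tnc-tnccs.so, libtnccs.so* and tnc.conf from debian/libcharon-extra-plugins.install. If any released version shipped those files in libcharon-extra-plugins, the package that now owns them needs a versioned Breaks/Replaces to avoid a file conflict on upgrade; please confirm. Also, strongswan-tnc-server has a strict dependency on libstrongswan-extra-plugins, which pulls in the whole extra set (mysql, load-tester, soup and so on). A comment naming the plugin it actually needs would justify that. Minor: "Trusted Network Connect's (TNC)" reads oddly in the short descriptions; "Trusted Network Connect (TNC)" is enough.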
diff --git a/debian/ipsec.secrets.proto b/debian/ipsec.secrets.proto
index dfa6dde..309e3fc 100644
--- a/debian/ipsec.secrets.proto
+++ b/debian/ipsec.secrets.proto
@@ -3,6 +3,3 @@
3# RSA private key for this host, authenticating it to any other host3# RSA private key for this host, authenticating it to any other host
4# which knows the public part.4# which knows the public part.
55
6# this file is managed with debconf and will contain the automatically created private key
7include /var/lib/strongswan/ipsec.secrets.inc
8
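Review bot: removing "include /var/lib/strongswan/ipsec.secrets.inc" leaves two loose ends on upgraded hosts. An /etc/ipsec.secrets already generated from the old prototype may still carry the include, and a private key created earlier by the debconf logic stays on disk in /var/lib/strongswan/ipsec.secrets.inc with nothing managing it any more. Please state in the changelog what happens to that file on upgrade (kept and still included, or left for the administrator to remove). The remaining comment "# RSA private key for this host ..." now introduces nothing and could be reworded or dropped.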
diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
index 1b0cbca..cb539ec 100644
--- a/debian/libcharon-extra-plugins.install
+++ b/debian/libcharon-extra-plugins.install
@@ -1,50 +1,102 @@
1# libcharon plugins1# libcharon plugins
2usr/lib/ipsec/plugins/libstrongswan-addrblock.so2usr/lib/ipsec/plugins/libstrongswan-addrblock.so
3usr/lib/ipsec/plugins/libstrongswan-certexpire.so3usr/lib/ipsec/plugins/libstrongswan-certexpire.so
4usr/lib/ipsec/plugins/libstrongswan-eap*.so4usr/lib/ipsec/plugins/libstrongswan-eap-aka-3gpp2.so
5usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
6usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
7usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
8usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
9usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
10usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
11usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
12usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so
13usr/lib/ipsec/plugins/libstrongswan-eap-sim-pcsc.so
14usr/lib/ipsec/plugins/libstrongswan-eap-sim.so
15usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so
16usr/lib/ipsec/plugins/libstrongswan-eap-simaka-reauth.so
17usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so
18usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
19usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
20usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so
5usr/lib/ipsec/plugins/libstrongswan-error-notify.so21usr/lib/ipsec/plugins/libstrongswan-error-notify.so
6usr/lib/ipsec/plugins/libstrongswan-ha.so22usr/lib/ipsec/plugins/libstrongswan-ha.so
23usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
7usr/lib/ipsec/plugins/libstrongswan-led.so24usr/lib/ipsec/plugins/libstrongswan-led.so
8usr/lib/ipsec/plugins/libstrongswan-lookip.so25usr/lib/ipsec/plugins/libstrongswan-lookip.so
9#usr/lib/ipsec/plugins/libstrongswan-medsrv.so26#usr/lib/ipsec/plugins/libstrongswan-medsrv.so
10#usr/lib/ipsec/plugins/libstrongswan-medcli.so27#usr/lib/ipsec/plugins/libstrongswan-medcli.so
11usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
12usr/lib/ipsec/plugins/libstrongswan-unity.so28usr/lib/ipsec/plugins/libstrongswan-unity.so
13usr/lib/ipsec/plugins/libstrongswan-xauth-*.so29usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
30usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so
31usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
14# standard configuration files32# standard configuration files
15usr/share/strongswan/templates/config/plugins/addrblock.conf33usr/share/strongswan/templates/config/plugins/addrblock.conf
16usr/share/strongswan/templates/config/plugins/certexpire.conf34usr/share/strongswan/templates/config/plugins/certexpire.conf
17usr/share/strongswan/templates/config/plugins/eap-*.conf35usr/share/strongswan/templates/config/plugins/eap-aka-3gpp2.conf
36usr/share/strongswan/templates/config/plugins/eap-aka.conf
37usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
38usr/share/strongswan/templates/config/plugins/eap-gtc.conf
39usr/share/strongswan/templates/config/plugins/eap-identity.conf
40usr/share/strongswan/templates/config/plugins/eap-md5.conf
41usr/share/strongswan/templates/config/plugins/eap-peap.conf
42usr/share/strongswan/templates/config/plugins/eap-radius.conf
43usr/share/strongswan/templates/config/plugins/eap-sim-file.conf
44usr/share/strongswan/templates/config/plugins/eap-sim-pcsc.conf
45usr/share/strongswan/templates/config/plugins/eap-sim.conf
46usr/share/strongswan/templates/config/plugins/eap-simaka-pseudonym.conf
47usr/share/strongswan/templates/config/plugins/eap-simaka-reauth.conf
48usr/share/strongswan/templates/config/plugins/eap-simaka-sql.conf
49usr/share/strongswan/templates/config/plugins/eap-tls.conf
50usr/share/strongswan/templates/config/plugins/eap-tnc.conf
51usr/share/strongswan/templates/config/plugins/eap-ttls.conf
18usr/share/strongswan/templates/config/plugins/error-notify.conf52usr/share/strongswan/templates/config/plugins/error-notify.conf
19usr/share/strongswan/templates/config/plugins/ha.conf53usr/share/strongswan/templates/config/plugins/ha.conf
54usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf
20usr/share/strongswan/templates/config/plugins/led.conf55usr/share/strongswan/templates/config/plugins/led.conf
21usr/share/strongswan/templates/config/plugins/lookip.conf56usr/share/strongswan/templates/config/plugins/lookip.conf
22#usr/share/strongswan/templates/config/plugins/medsrv.conf57#usr/share/strongswan/templates/config/plugins/medsrv.conf
23#usr/share/strongswan/templates/config/plugins/medcli.conf58#usr/share/strongswan/templates/config/plugins/medcli.conf
24usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
25usr/share/strongswan/templates/config/plugins/unity.conf59usr/share/strongswan/templates/config/plugins/unity.conf
26usr/share/strongswan/templates/config/plugins/xauth-*.conf60usr/share/strongswan/templates/config/plugins/xauth-eap.conf
27usr/share/strongswan/templates/config/strongswan.d/tnc.conf61usr/share/strongswan/templates/config/plugins/xauth-noauth.conf
28etc/strongswan.d/tnc.conf62usr/share/strongswan/templates/config/plugins/xauth-pam.conf
29etc/strongswan.d/charon/addrblock.conf63etc/strongswan.d/charon/addrblock.conf
30etc/strongswan.d/charon/certexpire.conf64etc/strongswan.d/charon/certexpire.conf
31etc/strongswan.d/charon/eap-*.conf65etc/strongswan.d/charon/eap-aka-3gpp2.conf
66etc/strongswan.d/charon/eap-aka.conf
67etc/strongswan.d/charon/eap-dynamic.conf
68etc/strongswan.d/charon/eap-gtc.conf
69etc/strongswan.d/charon/eap-identity.conf
70etc/strongswan.d/charon/eap-md5.conf
71etc/strongswan.d/charon/eap-peap.conf
72etc/strongswan.d/charon/eap-radius.conf
73etc/strongswan.d/charon/eap-sim-file.conf
74etc/strongswan.d/charon/eap-sim-pcsc.conf
75etc/strongswan.d/charon/eap-sim.conf
76etc/strongswan.d/charon/eap-simaka-pseudonym.conf
77etc/strongswan.d/charon/eap-simaka-reauth.conf
78etc/strongswan.d/charon/eap-simaka-sql.conf
79etc/strongswan.d/charon/eap-tls.conf
80etc/strongswan.d/charon/eap-tnc.conf
81etc/strongswan.d/charon/eap-ttls.conf
32etc/strongswan.d/charon/error-notify.conf82etc/strongswan.d/charon/error-notify.conf
33etc/strongswan.d/charon/ha.conf83etc/strongswan.d/charon/ha.conf
84etc/strongswan.d/charon/kernel-libipsec.conf
34etc/strongswan.d/charon/led.conf85etc/strongswan.d/charon/led.conf
35etc/strongswan.d/charon/lookip.conf86etc/strongswan.d/charon/lookip.conf
36#etc/strongswan.d/charon/medsrv.conf87#etc/strongswan.d/charon/medsrv.conf
37#etc/strongswan.d/charon/medcli.conf88#etc/strongswan.d/charon/medcli.conf
38etc/strongswan.d/charon/tnc-tnccs.conf
39etc/strongswan.d/charon/unity.conf89etc/strongswan.d/charon/unity.conf
40etc/strongswan.d/charon/xauth-*.conf90etc/strongswan.d/charon/xauth-eap.conf
91etc/strongswan.d/charon/xauth-noauth.conf
92etc/strongswan.d/charon/xauth-pam.conf
41debian/usr.lib.ipsec.lookip /etc/apparmor.d/93debian/usr.lib.ipsec.lookip /etc/apparmor.d/
42# support libs94# support libs
43#usr/lib/ipsec/libfast.so*95#usr/lib/ipsec/libfast.so*
96usr/lib/ipsec/libipsec.so*
44usr/lib/ipsec/libpttls.so*97usr/lib/ipsec/libpttls.so*
45usr/lib/ipsec/libradius.so*98usr/lib/ipsec/libradius.so*
46usr/lib/ipsec/libsimaka.so*99usr/lib/ipsec/libsimaka.so*
47usr/lib/ipsec/libtnccs.so*
48usr/lib/ipsec/libtls.so*100usr/lib/ipsec/libtls.so*
49# binaries101# binaries
50usr/bin/pt-tls-client102usr/bin/pt-tls-client
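Review bot: replacing the libstrongswan-eap*.so, libstrongswan-xauth-*.so, eap-*.conf and xauth-*.conf globs with explicit lists keeps eap-mschapv2 and xauth-generic out of this package, but it also means a new upstream eap or xauth plugin will be built and then silently left unpackaged. Unless debian/rules already fails on uninstalled files (for example dh_missing --fail-missing), please add that check. Separately, this hunk starts shipping libstrongswan-kernel-libipsec.so with libipsec.so*, and libstrongswan-xauth-noauth.so with its conf under etc/strongswan.d/charon. Please confirm that kernel-libipsec stays unloaded by default via the dont-load-kernel-libipsec-plugin-by-default.patch listed in this merge, and that xauth-noauth has no effect unless a connection explicitly selects it.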
diff --git a/debian/libcharon-standard-plugins.install b/debian/libcharon-standard-plugins.install
51new file mode 100644103new file mode 100644
index 0000000..25e580c
--- /dev/null
+++ b/debian/libcharon-standard-plugins.install
@@ -0,0 +1,19 @@
1# most commonly used libcharon plugins
2# 1) eap-mschapv2 is required on the client side to connect to VPN
3# concentrators configured for Windows 7+ and modern OSX/iOS using IKEv2.
4# In such scenario, the VPN concentrator identifies itself with a public
5# key and asks the client to authenticate with MSCHAPv2.
6# 2) xauth-generic is required on the client side to connect to VPN
7# concentrators configured for Android and older OSX/iOS using IKEv1 and
8# XAUTH. In such scenario, the VPN concentrator identifies itself with a
9# public key or a shared secret and asks the client to authenticate with a
10# XAUTH password.
11# plugins
12usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so
13usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
14# config templates
15usr/share/strongswan/templates/config/plugins/eap-mschapv2.conf
16usr/share/strongswan/templates/config/plugins/xauth-generic.conf
17# configuration files
18etc/strongswan.d/charon/eap-mschapv2.conf
19etc/strongswan.d/charon/xauth-generic.conf
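Review bot: the header comment is a useful rationale, but it lives only in the .install file, where users never see it. Please carry a short version into the libcharon-standard-plugins description in debian/control, including that these are password-based client authentication methods shipped for interoperability. Wording nits in the comment: "In such scenario" should be "In such a scenario" (twice) and "a XAUTH password" should be "an XAUTH password". Since eap-mschapv2 works on NT hashes, it is worth confirming that the md4 plugin it relies on is in libstrongswan, which this package depends on.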
diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
index cfa5978..4cd01d4 100644
--- a/debian/libstrongswan-extra-plugins.install
+++ b/debian/libstrongswan-extra-plugins.install
@@ -1,37 +1,95 @@
1# Tool for TPM PCR extension1# Tool for TPM PCR extension
2usr/bin/tpm_extendpcr2usr/bin/tpm_extendpcr
3# libstrongswan plugins3# libstrongswan plugins
4usr/lib/ipsec/plugins/libstrongswan-acert.so
5usr/lib/ipsec/plugins/libstrongswan-attr-sql.so
6usr/lib/ipsec/plugins/libstrongswan-bliss.so
4usr/lib/ipsec/plugins/libstrongswan-ccm.so7usr/lib/ipsec/plugins/libstrongswan-ccm.so
8usr/lib/ipsec/plugins/libstrongswan-chapoly.so
5usr/lib/ipsec/plugins/libstrongswan-cmac.so9usr/lib/ipsec/plugins/libstrongswan-cmac.so
10usr/lib/ipsec/plugins/libstrongswan-coupling.so
6usr/lib/ipsec/plugins/libstrongswan-ctr.so11usr/lib/ipsec/plugins/libstrongswan-ctr.so
7usr/lib/ipsec/plugins/libstrongswan-curl.so12usr/lib/ipsec/plugins/libstrongswan-curl.so
8usr/lib/ipsec/plugins/libstrongswan-curve25519.so13usr/lib/ipsec/plugins/libstrongswan-curve25519.so
14usr/lib/ipsec/plugins/libstrongswan-dnscert.so
9usr/lib/ipsec/plugins/libstrongswan-gcrypt.so15usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
16usr/lib/ipsec/plugins/libstrongswan-ipseckey.so
10usr/lib/ipsec/plugins/libstrongswan-ldap.so17usr/lib/ipsec/plugins/libstrongswan-ldap.so
18usr/lib/ipsec/plugins/libstrongswan-load-tester.so
19usr/lib/ipsec/plugins/libstrongswan-mysql.so
20usr/lib/ipsec/plugins/libstrongswan-ntru.so
11usr/lib/ipsec/plugins/libstrongswan-pkcs11.so21usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
22usr/lib/ipsec/plugins/libstrongswan-radattr.so
23usr/lib/ipsec/plugins/libstrongswan-soup.so
24usr/lib/ipsec/plugins/libstrongswan-sqlite.so
25usr/lib/ipsec/plugins/libstrongswan-sql.so
26usr/lib/ipsec/plugins/libstrongswan-systime-fix.so
12usr/lib/ipsec/plugins/libstrongswan-test-vectors.so27usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
13usr/lib/ipsec/plugins/libstrongswan-tpm.so28usr/lib/ipsec/plugins/libstrongswan-tpm.so
29usr/lib/ipsec/plugins/libstrongswan-unbound.so
30usr/lib/ipsec/plugins/libstrongswan-whitelist.so
14# default configuration files31# default configuration files
32usr/share/strongswan/templates/config/plugins/acert.conf
33usr/share/strongswan/templates/config/plugins/attr-sql.conf
34usr/share/strongswan/templates/config/plugins/bliss.conf
15usr/share/strongswan/templates/config/plugins/ccm.conf35usr/share/strongswan/templates/config/plugins/ccm.conf
36usr/share/strongswan/templates/config/plugins/chapoly.conf
16usr/share/strongswan/templates/config/plugins/cmac.conf37usr/share/strongswan/templates/config/plugins/cmac.conf
38usr/share/strongswan/templates/config/plugins/coupling.conf
17usr/share/strongswan/templates/config/plugins/ctr.conf39usr/share/strongswan/templates/config/plugins/ctr.conf
18usr/share/strongswan/templates/config/plugins/curl.conf40usr/share/strongswan/templates/config/plugins/curl.conf
19usr/share/strongswan/templates/config/plugins/curve25519.conf41usr/share/strongswan/templates/config/plugins/curve25519.conf
42usr/share/strongswan/templates/config/plugins/dnscert.conf
20usr/share/strongswan/templates/config/plugins/gcrypt.conf43usr/share/strongswan/templates/config/plugins/gcrypt.conf
44usr/share/strongswan/templates/config/plugins/ipseckey.conf
21usr/share/strongswan/templates/config/plugins/ldap.conf45usr/share/strongswan/templates/config/plugins/ldap.conf
46usr/share/strongswan/templates/config/plugins/load-tester.conf
47usr/share/strongswan/templates/config/plugins/mysql.conf
48usr/share/strongswan/templates/config/plugins/ntru.conf
22usr/share/strongswan/templates/config/plugins/pkcs11.conf49usr/share/strongswan/templates/config/plugins/pkcs11.conf
50usr/share/strongswan/templates/config/plugins/radattr.conf
51usr/share/strongswan/templates/config/plugins/soup.conf
52usr/share/strongswan/templates/config/plugins/sql.conf
53usr/share/strongswan/templates/config/plugins/sqlite.conf
54usr/share/strongswan/templates/config/plugins/systime-fix.conf
23usr/share/strongswan/templates/config/plugins/test-vectors.conf55usr/share/strongswan/templates/config/plugins/test-vectors.conf
24usr/share/strongswan/templates/config/plugins/tpm.conf56usr/share/strongswan/templates/config/plugins/tpm.conf
57usr/share/strongswan/templates/config/plugins/unbound.conf
58usr/share/strongswan/templates/config/plugins/whitelist.conf
59usr/share/strongswan/templates/database/sql/mysql.sql
60usr/share/strongswan/templates/database/sql/sqlite.sql
61etc/strongswan.d/charon/acert.conf
62etc/strongswan.d/charon/attr-sql.conf
63etc/strongswan.d/charon/bliss.conf
25etc/strongswan.d/charon/ccm.conf64etc/strongswan.d/charon/ccm.conf
65etc/strongswan.d/charon/chapoly.conf
26etc/strongswan.d/charon/cmac.conf66etc/strongswan.d/charon/cmac.conf
67etc/strongswan.d/charon/coupling.conf
27etc/strongswan.d/charon/ctr.conf68etc/strongswan.d/charon/ctr.conf
28etc/strongswan.d/charon/curl.conf69etc/strongswan.d/charon/curl.conf
29etc/strongswan.d/charon/curve25519.conf70etc/strongswan.d/charon/curve25519.conf
71etc/strongswan.d/charon/dnscert.conf
30etc/strongswan.d/charon/gcrypt.conf72etc/strongswan.d/charon/gcrypt.conf
73etc/strongswan.d/charon/ipseckey.conf
31etc/strongswan.d/charon/ldap.conf74etc/strongswan.d/charon/ldap.conf
75etc/strongswan.d/charon/load-tester.conf
76etc/strongswan.d/charon/mysql.conf
77etc/strongswan.d/charon/ntru.conf
32etc/strongswan.d/charon/pkcs11.conf78etc/strongswan.d/charon/pkcs11.conf
79etc/strongswan.d/charon/radattr.conf
80etc/strongswan.d/charon/soup.conf
81etc/strongswan.d/charon/sql.conf
82etc/strongswan.d/charon/sqlite.conf
83etc/strongswan.d/charon/systime-fix.conf
33etc/strongswan.d/charon/test-vectors.conf84etc/strongswan.d/charon/test-vectors.conf
34etc/strongswan.d/charon/tpm.conf85etc/strongswan.d/charon/tpm.conf
35# TPM libs86# TPM libs
36usr/lib/ipsec/libtpmtss.so.*87usr/lib/ipsec/libtpmtss.so.*
37usr/lib/ipsec/libtpmtss.so88usr/lib/ipsec/libtpmtss.so
89etc/strongswan.d/charon/unbound.conf
90etc/strongswan.d/charon/whitelist.conf
91usr/lib/ipsec/load-tester
92usr/lib/ipsec/whitelist
93# support libs
94usr/lib/ipsec/libtpmtss.so*
95usr/lib/ipsec/libnttfft.so*
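Review bot: `usr/lib/ipsec/libtpmtss.so*` at new line 94 under `# support libs` duplicates the two `# TPM libs` entries at new lines 87-88 (`libtpmtss.so.*` and `libtpmtss.so`), which already match the same files. Keep only `libnttfft.so*` under `# support libs`, or drop the older pair, so the library is listed once in this install list.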
diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install
index 072ff7e..5d458bb 100644
--- a/debian/libstrongswan.install
+++ b/debian/libstrongswan.install
@@ -6,15 +6,16 @@ usr/lib/ipsec/plugins/libstrongswan-dnskey.so
6usr/lib/ipsec/plugins/libstrongswan-fips-prf.so6usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
7usr/lib/ipsec/plugins/libstrongswan-gmp.so7usr/lib/ipsec/plugins/libstrongswan-gmp.so
8usr/lib/ipsec/plugins/libstrongswan-hmac.so8usr/lib/ipsec/plugins/libstrongswan-hmac.so
9usr/lib/ipsec/plugins/libstrongswan-md4.so
9usr/lib/ipsec/plugins/libstrongswan-md5.so10usr/lib/ipsec/plugins/libstrongswan-md5.so
10usr/lib/ipsec/plugins/libstrongswan-mgf1.so11usr/lib/ipsec/plugins/libstrongswan-mgf1.so
11usr/lib/ipsec/plugins/libstrongswan-nonce.so12usr/lib/ipsec/plugins/libstrongswan-nonce.so
12usr/lib/ipsec/plugins/libstrongswan-pgp.so
13usr/lib/ipsec/plugins/libstrongswan-pem.so13usr/lib/ipsec/plugins/libstrongswan-pem.so
14usr/lib/ipsec/plugins/libstrongswan-pgp.so
14usr/lib/ipsec/plugins/libstrongswan-pkcs1.so15usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
16usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
15usr/lib/ipsec/plugins/libstrongswan-pkcs7.so17usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
16usr/lib/ipsec/plugins/libstrongswan-pkcs8.so18usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
17usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
18usr/lib/ipsec/plugins/libstrongswan-pubkey.so19usr/lib/ipsec/plugins/libstrongswan-pubkey.so
19usr/lib/ipsec/plugins/libstrongswan-random.so20usr/lib/ipsec/plugins/libstrongswan-random.so
20usr/lib/ipsec/plugins/libstrongswan-rc2.so21usr/lib/ipsec/plugins/libstrongswan-rc2.so
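Review bot: `libstrongswan-md4.so` at new line 9 adds MD4 to the base plugin set, so it is installed wherever this library package is. MD4 is only wanted by legacy consumers such as MSCHAPv2; name the plugin that needs it in the changelog entry, or ship md4 in the package that carries that consumer.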
@@ -31,15 +32,17 @@ usr/share/strongswan/templates/config/plugins/dnskey.conf
31usr/share/strongswan/templates/config/plugins/fips-prf.conf32usr/share/strongswan/templates/config/plugins/fips-prf.conf
32usr/share/strongswan/templates/config/plugins/gmp.conf33usr/share/strongswan/templates/config/plugins/gmp.conf
33usr/share/strongswan/templates/config/plugins/hmac.conf34usr/share/strongswan/templates/config/plugins/hmac.conf
35usr/share/strongswan/templates/config/plugins/kernel-netlink.conf
36usr/share/strongswan/templates/config/plugins/md4.conf
34usr/share/strongswan/templates/config/plugins/md5.conf37usr/share/strongswan/templates/config/plugins/md5.conf
35usr/share/strongswan/templates/config/plugins/mgf1.conf38usr/share/strongswan/templates/config/plugins/mgf1.conf
36usr/share/strongswan/templates/config/plugins/nonce.conf39usr/share/strongswan/templates/config/plugins/nonce.conf
37usr/share/strongswan/templates/config/plugins/pgp.conf
38usr/share/strongswan/templates/config/plugins/pem.conf40usr/share/strongswan/templates/config/plugins/pem.conf
41usr/share/strongswan/templates/config/plugins/pgp.conf
39usr/share/strongswan/templates/config/plugins/pkcs1.conf42usr/share/strongswan/templates/config/plugins/pkcs1.conf
43usr/share/strongswan/templates/config/plugins/pkcs12.conf
40usr/share/strongswan/templates/config/plugins/pkcs7.conf44usr/share/strongswan/templates/config/plugins/pkcs7.conf
41usr/share/strongswan/templates/config/plugins/pkcs8.conf45usr/share/strongswan/templates/config/plugins/pkcs8.conf
42usr/share/strongswan/templates/config/plugins/pkcs12.conf
43usr/share/strongswan/templates/config/plugins/pubkey.conf46usr/share/strongswan/templates/config/plugins/pubkey.conf
44usr/share/strongswan/templates/config/plugins/random.conf47usr/share/strongswan/templates/config/plugins/random.conf
45usr/share/strongswan/templates/config/plugins/rc2.conf48usr/share/strongswan/templates/config/plugins/rc2.conf
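Review bot: `kernel-netlink.conf` is added at new line 35 (and again under etc/ in the next hunk), but the plugin list in the first hunk gains no `libstrongswan-kernel-netlink.so` between hmac and md4. Confirm the .so is installed into this same package by another entry or by debian/rules, so the config snippet never ships without its plugin.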
@@ -55,15 +58,17 @@ etc/strongswan.d/charon/dnskey.conf
55etc/strongswan.d/charon/fips-prf.conf58etc/strongswan.d/charon/fips-prf.conf
56etc/strongswan.d/charon/gmp.conf59etc/strongswan.d/charon/gmp.conf
57etc/strongswan.d/charon/hmac.conf60etc/strongswan.d/charon/hmac.conf
61etc/strongswan.d/charon/kernel-netlink.conf
62etc/strongswan.d/charon/md4.conf
58etc/strongswan.d/charon/md5.conf63etc/strongswan.d/charon/md5.conf
59etc/strongswan.d/charon/mgf1.conf64etc/strongswan.d/charon/mgf1.conf
60etc/strongswan.d/charon/nonce.conf65etc/strongswan.d/charon/nonce.conf
61etc/strongswan.d/charon/pgp.conf
62etc/strongswan.d/charon/pem.conf66etc/strongswan.d/charon/pem.conf
67etc/strongswan.d/charon/pgp.conf
68etc/strongswan.d/charon/pkcs12.conf
63etc/strongswan.d/charon/pkcs1.conf69etc/strongswan.d/charon/pkcs1.conf
64etc/strongswan.d/charon/pkcs7.conf70etc/strongswan.d/charon/pkcs7.conf
65etc/strongswan.d/charon/pkcs8.conf71etc/strongswan.d/charon/pkcs8.conf
66etc/strongswan.d/charon/pkcs12.conf
67etc/strongswan.d/charon/pubkey.conf72etc/strongswan.d/charon/pubkey.conf
68etc/strongswan.d/charon/random.conf73etc/strongswan.d/charon/random.conf
69etc/strongswan.d/charon/rc2.conf74etc/strongswan.d/charon/rc2.conf
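Review bot: `pkcs12.conf` lands at new line 68, ahead of `pkcs1.conf` at 69, whereas the other two lists in this file put pkcs12 after pkcs1 (plugins at new lines 15-16, templates at 42-43). Use one sort order in all three lists so later merges against Debian stay small.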
diff --git a/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
70new file mode 10064475new file mode 100644
index 0000000..004b50b
--- /dev/null
+++ b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
@@ -0,0 +1,11 @@
1--- a/conf/plugins/kernel-libipsec.conf
2+++ b/conf/plugins/kernel-libipsec.conf
3@@ -5,7 +5,7 @@
4
5 # Whether to load the plugin. Can also be an integer to increase the
6 # priority of this plugin.
7- load = yes
8+ load = no
9
10 }
11
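Review bot: the new patch file starts straight at `--- a/conf/plugins/kernel-libipsec.conf` with no header. Add DEP-3 fields (Description, Author, Forwarded) that say why `load = no` is wanted, since the one-line change does not explain itself and the plugin is still built through `--enable-kernel-libipsec` in debian/rules.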
diff --git a/debian/patches/series b/debian/patches/series
index fde45f5..c72895f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
202_disable-bypass-lan.patch202_disable-bypass-lan.patch
303_systemd-service.patch303_systemd-service.patch
404_disable-libtls-tests.patch404_disable-libtls-tests.patch
5dont-load-kernel-libipsec-plugin-by-default.patch
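Review bot: the new entry at line 5 has no numeric prefix, unlike `02_`, `03_` and `04_` above it. If that is deliberate, to mark it as Ubuntu delta, say so in the changelog; otherwise follow the existing numbering.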
diff --git a/debian/rules b/debian/rules
index d1dbf8a..d3450c7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,20 +4,36 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1
4export DEB_BUILD_MAINT_OPTIONS=hardening=+all4export DEB_BUILD_MAINT_OPTIONS=hardening=+all
55
6CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \6CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
7 --with-tss=trousers \
8 --enable-acert \
7 --enable-addrblock \9 --enable-addrblock \
8 --enable-agent \10 --enable-agent \
9 --enable-bypass-lan \11 --enable-bypass-lan \
12 --enable-attr-sql \
13 --enable-bliss \
10 --enable-ccm \14 --enable-ccm \
11 --enable-certexpire \15 --enable-certexpire \
16 --enable-chapoly \
12 --enable-cmd \17 --enable-cmd \
18 --enable-coupling \
13 --enable-ctr \19 --enable-ctr \
14 --enable-curl \20 --enable-curl \
21 --enable-dnscert \
15 --enable-eap-aka \22 --enable-eap-aka \
23 --enable-eap-aka-3gpp2 \
24 --enable-eap-dynamic \
16 --enable-eap-gtc \25 --enable-eap-gtc \
17 --enable-eap-identity \26 --enable-eap-identity \
18 --enable-eap-md5 \27 --enable-eap-md5 \
19 --enable-eap-mschapv2 \28 --enable-eap-mschapv2 \
29 --enable-eap-peap \
20 --enable-eap-radius \30 --enable-eap-radius \
31 --enable-eap-sim \
32 --enable-eap-simaka-pseudonym \
33 --enable-eap-simaka-reauth \
34 --enable-eap-simaka-sql \
35 --enable-eap-sim-file \
36 --enable-eap-sim-pcsc \
21 --enable-eap-tls \37 --enable-eap-tls \
22 --enable-eap-tnc \38 --enable-eap-tnc \
23 --enable-eap-ttls \39 --enable-eap-ttls \
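Review bot: `--enable-attr-sql` and `--enable-bliss` (new lines 12-13) sit after `--enable-bypass-lan`, and `--with-tss=trousers` leads the list, which breaks the otherwise alphabetical order of CONFIGUREARGS. Keeping the flags sorted makes it easier to see what differs from Debian's list on the next merge.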
@@ -25,18 +41,52 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
25 --enable-gcm \41 --enable-gcm \
26 --enable-gcrypt \42 --enable-gcrypt \
27 --enable-ha \43 --enable-ha \
44 --enable-imc-attestation \
45 --enable-imc-os \
46 --enable-imc-scanner \
47 --enable-imc-swid \
48 --enable-imc-test \
49 --enable-imv-attestation \
50 --enable-imv-os \
51 --enable-imv-scanner \
52 --enable-imv-swid \
53 --enable-imv-test \
54 --enable-ipseckey \
55 --enable-kernel-libipsec \
28 --enable-ldap \56 --enable-ldap \
29 --enable-led \57 --enable-led \
58 --enable-load-tester \
30 --enable-lookip \59 --enable-lookip \
31 --enable-mediation \60 --enable-mediation \
61 --enable-md4 \
62 --enable-mysql \
63 --enable-ntru \
32 --enable-openssl \64 --enable-openssl \
33 --enable-pkcs11 \65 --enable-pkcs11 \
66 --enable-radattr \
67 --enable-soup \
68 --enable-sql \
69 --enable-sqlite \
70 --enable-systime-fix \
34 --enable-test-vectors \71 --enable-test-vectors \
35 --enable-tpm \72 --enable-tpm \
73 --enable-tnccs-11 \
74 --enable-tnccs-20 \
75 --enable-tnccs-dynamic \
76 --enable-tnc-ifmap \
77 --enable-tnc-imc \
78 --enable-tnc-imv \
79 --enable-tnc-pdp \
80 --enable-unbound \
81 --enable-unit-tests \
36 --enable-unity \82 --enable-unity \
83 --enable-whitelist \
37 --enable-xauth-eap \84 --enable-xauth-eap \
85 --enable-xauth-generic \
86 --enable-xauth-noauth \
38 --enable-xauth-pam \87 --enable-xauth-pam \
39 --disable-blowfish \88 --disable-blowfish \
89 --disable-fast \
40 --disable-des # BSD-Young license90 --disable-des # BSD-Young license
41 #--with-user=strongswan --with-group=nogroup91 #--with-user=strongswan --with-group=nogroup
42 # --enable-kernel-pfkey --enable-kernel-klips \92 # --enable-kernel-pfkey --enable-kernel-klips \
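Review bot: `--enable-xauth-noauth` (new line 86) builds an XAuth backend that performs no credential check, and `--enable-load-tester` (58), `--enable-imc-test`/`--enable-imv-test` (48, 53) and `--enable-unit-tests` (81) are test-only features. The kernel-libipsec patch in this merge already follows the pattern of building a plugin but shipping it with `load = no`; confirm that xauth-noauth and load-tester are either treated the same way or land only in an extras package that is not installed by default.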
@@ -190,12 +240,6 @@ endif
190240
191 # add additional files not covered by upstream makefile...241 # add additional files not covered by upstream makefile...
192 install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets242 install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
193 # also "patch" ipsec.conf to include the debconf-managed file
194 echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
195 echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
196 # and to enable both IKEv1 and IKEv2 by default
197 sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
198 mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
199243
200 # set permissions on ipsec.secrets and private key directories244 # set permissions on ipsec.secrets and private key directories
201 chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets245 chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
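Review bot: dropping the lines that appended `include /var/lib/strongswan/ipsec.conf.inc` (old lines 193-195) changes the shipped ipsec.conf, but systems upgraded from the old package can still carry that include in their copy. Check what happens on upgrade when the debconf-managed file is no longer maintained, and record the removal of both the include and the `charonstart=yes` rewrite in the changelog.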
diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install
index 9a4c0d1..b5250dc 100644
--- a/debian/strongswan-starter.install
+++ b/debian/strongswan-starter.install
@@ -16,3 +16,7 @@ usr/lib/ipsec/plugins/libstrongswan-stroke.so
16usr/share/strongswan/templates/config/plugins/stroke.conf16usr/share/strongswan/templates/config/plugins/stroke.conf
17etc/strongswan.d/charon/stroke.conf17etc/strongswan.d/charon/stroke.conf
18debian/usr.lib.ipsec.stroke /etc/apparmor.d/18debian/usr.lib.ipsec.stroke /etc/apparmor.d/
19#pool
20usr/lib/ipsec/pool
21usr/share/strongswan/templates/config/strongswan.d/pool.conf
22etc/strongswan.d/pool.conf
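Review bot: `usr/lib/ipsec/pool` (new line 20) goes into strongswan-starter, while the attr-sql, sql, mysql and sqlite plugin files it works with are listed in a different install file earlier in this diff. Confirm the package relationships let a user of `pool` pull those plugins in, and write the comment as `# pool` to match the `# TPM libs` and `# support libs` style used elsewhere.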
diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
index 9e4d7b1..9b7c734 100644
--- a/debian/strongswan-starter.postinst
+++ b/debian/strongswan-starter.postinst
@@ -220,63 +220,6 @@ case "$1" in
220 db_set strongswan/install_x509_certificate false220 db_set strongswan/install_x509_certificate false
221 fi221 fi
222222
223 # lets see if we are already using dependency based booting or the correct runlevel parameters
224 if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then
225 db_fset strongswan/runlevel_changes seen false
226 db_input high strongswan/runlevel_changes || true
227 db_go
228
229 # if the admin did not change the runlevels which got installed by older packages we can modify them
230 if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then
231 update-rc.d -f ipsec remove
232 fi
233
234 update-rc.d ipsec defaults 16 84 > /dev/null
235 fi
236
237 db_get strongswan/enable-oe
238 if [ "$RET" != "true" ]; then
239 echo -n "Disabling opportunistic encryption (OE) in config file ... "
240 if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
241 # also update to new-style config
242 sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
243 mv $CONF_FILE.tmp $CONF_FILE
244 echo -n "converted old config line to new format"
245 fi
246 if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
247 sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
248 mv $CONF_FILE.tmp $CONF_FILE
249 echo "done"
250 elif [ ! -e $CONF_FILE ]; then
251 echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
252 else
253 echo "already disabled"
254 fi
255 else
256 echo -n "Enabling opportunistic encryption (OE) in config file ... "
257 if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
258 # also update to new-style config
259 sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
260 mv $CONF_FILE.tmp $CONF_FILE
261 echo -n "converted old config line to new format"
262 fi
263 if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
264 echo "already enabled"
265 elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
266 sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
267 mv $CONF_FILE.tmp $CONF_FILE
268 echo "done"
269 elif [ ! -e $CONF_FILE ]; then
270 echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
271 else
272 cat <<EOF >> $CONF_FILE
273#Enable Opportunistic Encryption
274include /etc/ipsec.d/examples/oe.conf
275EOF
276 echo "done"
277 fi
278 fi
279
280 # disabled for now, until we can solve the don't-edit-conffiles issue223 # disabled for now, until we can solve the don't-edit-conffiles issue
281 #db_get strongswan/ikev1224 #db_get strongswan/ikev1
282 #if [ "$RET" != "true" ]; then225 #if [ "$RET" != "true" ]; then
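Review bot: the removed block (old lines 223-279) is the only visible user of the `strongswan/runlevel_changes` and `strongswan/enable-oe` debconf questions. If the matching templates and config-script prompts are not already gone, drop them in the same upload and purge the stored answers on upgrade; also check that `$runlevels` and `$CONF_FILE` are not left assigned but unused earlier in the script.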
diff --git a/debian/strongswan-tnc-base.install b/debian/strongswan-tnc-base.install
283new file mode 100644226new file mode 100644
index 0000000..a9e3f32
--- /dev/null
+++ b/debian/strongswan-tnc-base.install
@@ -0,0 +1,16 @@
1etc/strongswan.d/charon/tnccs-11.conf
2etc/strongswan.d/charon/tnccs-20.conf
3etc/strongswan.d/charon/tnccs-dynamic.conf
4etc/strongswan.d/charon/tnc-tnccs.conf
5etc/strongswan.d/imcv.conf
6etc/strongswan.d/tnc.conf
7usr/lib/ipsec/libimcv.*
8usr/lib/ipsec/libtnccs.so*
9usr/lib/ipsec/plugins/libstrongswan-tnccs-*.so
10usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
11usr/share/strongswan/templates/config/plugins/tnccs-11.conf
12usr/share/strongswan/templates/config/plugins/tnccs-20.conf
13usr/share/strongswan/templates/config/plugins/tnccs-dynamic.conf
14usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
15usr/share/strongswan/templates/config/strongswan.d/imcv.conf
16usr/share/strongswan/templates/config/strongswan.d/tnc.conf
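Review bot: `usr/lib/ipsec/libimcv.*` at line 7 is looser than the `libtnccs.so*` pattern on the next line and would also match a static archive or libtool file if one is built. Use `libimcv.so*` unless the broader match is intended.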
diff --git a/debian/strongswan-tnc-client.install b/debian/strongswan-tnc-client.install
0new file mode 10064417new file mode 100644
index 0000000..88449c6
--- /dev/null
+++ b/debian/strongswan-tnc-client.install
@@ -0,0 +1,5 @@
1etc/strongswan.d/charon/tnc-imc.conf
2usr/lib/ipsec/imcvs/imc-*.so
3usr/lib/ipsec/plugins/libstrongswan-tnc-imc.so
4usr/share/strongswan/swidtag/strongswan.org__strongSwan-*.swidtag
5usr/share/strongswan/templates/config/plugins/tnc-imc.conf
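Review bot: the `usr/lib/ipsec/imcvs/imc-*.so` glob at line 2 also picks up the test IMC that debian/rules now builds with `--enable-imc-test`. List the modules explicitly if the test module is not meant for the client package; the same holds for `imv-*.so` in strongswan-tnc-server.install.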
diff --git a/debian/strongswan-tnc-ifmap.install b/debian/strongswan-tnc-ifmap.install
0new file mode 1006446new file mode 100644
index 0000000..3c8083b
--- /dev/null
+++ b/debian/strongswan-tnc-ifmap.install
@@ -0,0 +1,3 @@
1etc/strongswan.d/charon/tnc-ifmap.conf
2usr/lib/ipsec/plugins/libstrongswan-tnc-ifmap.so
3usr/share/strongswan/templates/config/plugins/tnc-ifmap.conf
diff --git a/debian/strongswan-tnc-pdp.install b/debian/strongswan-tnc-pdp.install
0new file mode 1006444new file mode 100644
index 0000000..2534386
--- /dev/null
+++ b/debian/strongswan-tnc-pdp.install
@@ -0,0 +1,3 @@
1etc/strongswan.d/charon/tnc-pdp.conf
2usr/lib/ipsec/plugins/libstrongswan-tnc-pdp.so
3usr/share/strongswan/templates/config/plugins/tnc-pdp.conf
diff --git a/debian/strongswan-tnc-server.install b/debian/strongswan-tnc-server.install
0new file mode 1006444new file mode 100644
index 0000000..da633f6
--- /dev/null
+++ b/debian/strongswan-tnc-server.install
@@ -0,0 +1,10 @@
1etc/strongswan.d/attest.conf
2etc/strongswan.d/charon/tnc-imv.conf
3usr/lib/ipsec/attest
4usr/lib/ipsec/imcvs/imv-*.so
5usr/lib/ipsec/_imv_policy
6usr/lib/ipsec/imv_policy_manager
7usr/lib/ipsec/plugins/libstrongswan-tnc-imv.so
8usr/share/strongswan/templates/config/plugins/tnc-imv.conf
9usr/share/strongswan/templates/config/strongswan.d/attest.conf
10usr/share/strongswan/templates/database/imv/*.sql
diff --git a/debian/usr.lib.ipsec.charon b/debian/usr.lib.ipsec.charon
index 9e24c74..14cfa6d 100644
--- a/debian/usr.lib.ipsec.charon
+++ b/debian/usr.lib.ipsec.charon
@@ -41,7 +41,7 @@
41 network,41 network,
42 network raw,42 network raw,
4343
44 /bin/dash rmPUx,44 /{,usr/}bin/dash rmPUx,
4545
46 # libchron-extra-plugins: kernel-libipsec46 # libchron-extra-plugins: kernel-libipsec
47 /dev/net/tun rw,47 /dev/net/tun rw,
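Review bot: the widened rule at line 44 keeps the `PUx` mode, so when no profile exists for dash the shell runs unconfined, now for both /bin/dash and /usr/bin/dash. If charon only needs the shell to run helper scripts, consider a child profile (`Cx`) or `ix` instead; the comment at line 46 also misspells the package as `libchron-extra-plugins`.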
diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
index 920fe72..940de46 100644
--- a/debian/usr.sbin.charon-systemd
+++ b/debian/usr.sbin.charon-systemd
@@ -19,6 +19,7 @@
19 #include <abstractions/authentication>19 #include <abstractions/authentication>
20 #include <abstractions/openssl>20 #include <abstractions/openssl>
21 #include <abstractions/p11-kit>21 #include <abstractions/p11-kit>
22 #include <abstractions/mysql>
2223
23 capability ipc_lock,24 capability ipc_lock,
24 capability net_admin,25 capability net_admin,
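Review bot: `#include <abstractions/mysql>` (new line 22) is added to this profile only; the usr.lib.ipsec.charon hunk above changes just the dash rule. If the mysql plugin enabled by `--enable-mysql` can be loaded by either daemon, add the abstraction to both profiles, otherwise note in the changelog why only charon-systemd needs it.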
@@ -41,7 +42,7 @@
41 network,42 network,
42 network raw,43 network raw,
4344
44 /bin/dash rmPUx,45 /{,usr/}bin/dash rmPUx,
4546
46 # libchron-extra-plugins: kernel-libipsec47 # libchron-extra-plugins: kernel-libipsec
47 /dev/net/tun rw,48 /dev/net/tun rw,
