Ubuntu
strongswan package

debian/changelog (+1905/-0)
debian/control (+8/-3)
debian/libcharon-extra-plugins.install (+6/-0)
debian/libcharon-extra-plugins.maintscript (+8/-0)
debian/libstrongswan-extra-plugins.install (+3/-0)
debian/rules (+3/-0)
debian/tests/control (+6/-0)
debian/tests/host-to-host (+401/-0)
debian/tests/utils (+61/-0)
debian/usr.sbin.swanctl (+1/-1)

Related bugs:

Bug #1999525: Add VPN DEP8 test	Undecided	Fix Released
Bug #1999935: swanctl apparmor DENIED on ppc64el LXD	Undecided	Fix Released
Bug #2040430: Merge strongswan from Debian unstable for noble	Undecided	Fix Released

Link a bug report

Reviewer	Date Requested	Status
git-ubuntu bot		Approve on 2024-01-04
Bryce Harrington (community)	2024-01-03	Approve on 2024-01-04
Canonical Server Reporter	2024-01-03	Pending
Review via email: mp+457882@code.launchpad.net

Description of the change

Merge from debian, just dropping a security patch which is already applied in the upstream version.

PPA with just amd64 and arm64: https://launchpad.net/~ahasenack/+archive/ubuntu/noble-strongswan-merge/+packages

DEP8: green for arm64, still running for amd64:
Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-noble-ahasenack-noble-strongswan-merge/?format=plain)
  strongswan @ arm64:
    03.01.24 09:42:53 Log 🗒️ ✅ Triggers: strongswan/5.9.12-1ubuntu1~ppa1
Running:
    time pkg release arch ppa trigger
    470 strongswan noble amd64 ahasenack/noble-strongswan-merge strongswan/5.9.12-1ubuntu1~ppa1
Waiting: (none)

A lot of our delta was already submitted to debian but it doesn't look like they will take it. All the outstanding merge requests are from canonical:

https://salsa.debian.org/debian/strongswan/-/merge_requests?scope=all&state=opened

The host-to-host DEP8 test I did not submit to debian because it uses lxd, which in our case is installed by a snap. Making that work in debian without the setup our snap does is a bit of an effort.

Revision history for this message

Bryce Harrington (bryce) wrote on 2024-01-04:

The ppa test for amd64 is still running, but the arm64 one looks like it completed successfully. Packaging all looks good, and all delta appears to be carried appropriately.

I wonder if some of the delta might be possible to forward to Debian? The dep8 host-to-host test in particular looks like some good work went into it, and I wonder if it might be of value to them and if extra eyes on it may end up helping us? If it's not upstreamable, you might want to consider using the "--CL--" style annotation to document rationale. (C.f. https://code.launchpad.net/~bryce/ubuntu/+source/chrony/+git/chrony/+merge/455531) Might be worth considering for the next merge.

Everything else LGTM, +1.

review: Approve

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2024-01-04:

Approvers: ahasenack, bryce
Uploaders: ahasenack, bryce
MP auto-approved

review: Approve

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2024-01-04:

I did mention the host-to-host DEP8 test situation regarding forwarding to debian:

> The host-to-host DEP8 test I did not submit to debian because it uses lxd, which in our case is installed
> by a snap. Making that work in debian without the setup our snap does is a bit of an effort.

Let me add an annotation as you suggested.

~ahasenack/ubuntu/+source/strongswan:noble-strongswan-merge-1 updated on 2024-01-04

6153229... by Andreas Hasenack on 2024-01-04: merge-changelogs
8f240d2... by Andreas Hasenack on 2024-01-04: reconstruct-changelog
07b4dc4... by Andreas Hasenack on 2024-01-04: update-maintainer

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2024-01-04:

I changed the commit message of the host-to-host dep8 test to this:
commit ab609fa2b09450f8009dd60141e7027044d3a227
Author: Andreas Hasenack <email address hidden>
Date: Fri Nov 25 14:55:39 2022 -0300

Host-to-host DEP8 test.

This test relies heavily on the setup we get with the lxd snap. Making
it work on debian is not straightforward, thus it was not forwarded yet.

--CL--

- d/t/{control,host-to-host,utils}: new host-to-host test
(LP: #1999525)

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2024-01-04:

Uploaded with rich history:

Uploading strongswan_5.9.12-1ubuntu1.dsc
Uploading strongswan_5.9.12.orig.tar.bz2
Uploading strongswan_5.9.12-1ubuntu1.debian.tar.xz
Uploading strongswan_5.9.12-1ubuntu1_source.buildinfo
Uploading strongswan_5.9.12-1ubuntu1_source.changes

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andreas Hasenack

git-ubuntu developers

 diff --git a/debian/changelog b/debian/changelog
 index eca1cb0..d808d29 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,39 @@
++strongswan (5.9.12-1ubuntu1) noble; urgency=medium
++
++  * Merge with Debian unstable (LP: #2040430). Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++    - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
++      + d/control: update libcharon-extra-plugins description.
++      + d/libcharon-extra-plugins.install: install .so and conf files.
++      + d/rules: add plugins to the configuration arguments.
++    - Remove conf files of plugins removed from libcharon-extra-plugins
++      + The conf file of the following plugins were removed: eap-aka-3gpp2,
++        eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
++        eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
++      + Created d/libcharon-extra-plugins.maintscript to handle the removals
++        properly.
++    - d/t/{control,host-to-host,utils}: new host-to-host test
++      (LP #1999525)
++    - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
++      (LP #1999935)
++  * Dropped:
++    - SECURITY UPDATE: Buffer Overflow When Handling DH Public Values
++      + debian/patches/CVE-2023-41913.patch: Validate DH public key to fix
++        potential buffer overflow in
++        src/charon-tkm/src/tkm/tkm_diffie_hellman.c.
++      + CVE-2023-41913
++      [Fixed upstream in 5.9.12]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 04 Jan 2024 10:25:23 -0300
++
  strongswan (5.9.12-1) unstable; urgency=medium
    * New upstream version 5.9.12
@@ -14,6 +50,52 @@ strongswan (5.9.11-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 13 Nov 2023 20:22:47 +0100
++strongswan (5.9.11-1ubuntu2) noble; urgency=medium
++
++  * SECURITY UPDATE: Buffer Overflow When Handling DH Public Values
++    - debian/patches/CVE-2023-41913.patch: Validate DH public key to fix
++      potential buffer overflow in
++      src/charon-tkm/src/tkm/tkm_diffie_hellman.c.
++    - CVE-2023-41913
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 07 Nov 2023 11:43:00 +0200
++
++strongswan (5.9.11-1ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2018113). Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++    - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
++      + d/control: update libcharon-extra-plugins description.
++      + d/libcharon-extra-plugins.install: install .so and conf files.
++      + d/rules: add plugins to the configuration arguments.
++    - Remove conf files of plugins removed from libcharon-extra-plugins
++      + The conf file of the following plugins were removed: eap-aka-3gpp2,
++        eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
++        eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
++      + Created d/libcharon-extra-plugins.maintscript to handle the removals
++        properly.
++    - d/t/{control,host-to-host,utils}: new host-to-host test
++      (LP #1999525)
++    - d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
++      (LP #1999935)
++  * Dropped:
++    - SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
++      Incorrect Refcount
++      + debian/patches/CVE-2023-26463.patch: fix authentication bypass and
++        expired pointer dereference in src/libtls/tls_server.c.
++      + CVE-2023-26463
++      [Fixed upstream in 5.9.10]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 23 Jun 2023 14:05:18 -0300
++
  strongswan (5.9.11-1) unstable; urgency=medium
    * New upstream version 5.9.10
@@ -33,6 +115,66 @@ strongswan (5.9.8-4) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Sun, 26 Feb 2023 09:40:09 +0100
++strongswan (5.9.8-3ubuntu4) lunar; urgency=medium
++
++  * d/t/utils: also give `cloud-init status --wait` the same amount of
++    ${limit} seconds to complete, and bump limit to 5min. The logs show
++    the container started up fine, with an IP.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Mon, 06 Mar 2023 11:00:58 -0300
++
++strongswan (5.9.8-3ubuntu3) lunar; urgency=medium
++
++  * SECURITY UPDATE: Incorrectly Accepted Untrusted Public Key With
++    Incorrect Refcount
++    - debian/patches/CVE-2023-26463.patch: fix authentication bypass and
++      expired pointer dereference in src/libtls/tls_server.c.
++    - CVE-2023-26463
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 02 Mar 2023 12:58:47 -0500
++
++strongswan (5.9.8-3ubuntu2) lunar; urgency=medium
++
++  * d/usr.sbin.swanctl: allow "m" flag for /usr/sbin/swanctl
++    (LP: #1999935)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 16 Dec 2022 16:07:51 -0300
++
++strongswan (5.9.8-3ubuntu1) lunar; urgency=medium
++
++  * Merge with Debian unstable (LP: #1993449). Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++    - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
++      + d/control: update libcharon-extra-plugins description.
++      + d/libcharon-extra-plugins.install: install .so and conf files.
++      + d/rules: add plugins to the configuration arguments.
++    - Remove conf files of plugins removed from libcharon-extra-plugins
++      + The conf file of the following plugins were removed: eap-aka-3gpp2,
++        eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
++        eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
++      + Created d/libcharon-extra-plugins.maintscript to handle the removals
++        properly.
++  * Dropped:
++    - SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
++      + debian/patches/CVE-2022-40617.patch: do online revocation checks only
++        after basic trust chain validation in
++        src/libstrongswan/credentials/credential_manager.c.
++      + CVE-2022-40617
++        [Included upstream in 5.9.8]
++  * Added:
++    - d/t/{control,host-to-host,utils}: new host-to-host test
++      (LP: #1999525)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Tue, 13 Dec 2022 11:04:24 -0300
++
  strongswan (5.9.8-3) unstable; urgency=medium
    * d/tests: also drop _copyright test since the util is gone as well
@@ -61,6 +203,46 @@ strongswan (5.9.8-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 05 Oct 2022 15:25:18 +0200
++strongswan (5.9.6-1ubuntu2) kinetic; urgency=medium
++
++  * SECURITY UPDATE: Using Untrusted URIs for Revocation Checking
++    - debian/patches/CVE-2022-40617.patch: do online revocation checks only
++      after basic trust chain validation in
++      src/libstrongswan/credentials/credential_manager.c.
++    - CVE-2022-40617
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 05 Oct 2022 08:11:03 -0400
++
++strongswan (5.9.6-1ubuntu1) kinetic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1971328). Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++    - Re-enable eap-{dynamic,peap} libcharon plugins (LP #1878887)
++      + d/control: update libcharon-extra-plugins description.
++      + d/libcharon-extra-plugins.install: install .so and conf files.
++      + d/rules: add plugins to the configuration arguments.
++    - Remove conf files of plugins removed from libcharon-extra-plugins
++      + The conf file of the following plugins were removed: eap-aka-3gpp2,
++        eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
++        eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
++      + Created d/libcharon-extra-plugins.maintscript to handle the removals
++        properly.
++  * Dropped:
++    - d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
++      segmentation fault; don't access OpenSSL objects inside atexit()
++      handlers. (LP #1964977)
++      [included by upstream in version 5.9.6]
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Fri, 10 Jun 2022 15:03:17 -0300
++
  strongswan (5.9.6-1) unstable; urgency=medium
    * New upstream version 5.9.6
@@ -69,6 +251,42 @@ strongswan (5.9.6-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Sat, 07 May 2022 20:19:18 +0200
++strongswan (5.9.5-2ubuntu2) jammy; urgency=medium
++
++  * d/p/lp1964977-fix-ipsec-pki-segfault.patch: Fix "ipsec pki"
++    segmentation fault; don't access OpenSSL objects inside atexit()
++    handlers. (LP: #1964977)
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 18 Mar 2022 14:24:34 -0400
++
++strongswan (5.9.5-2ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++    - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
++      + d/control: update libcharon-extra-plugins description.
++      + d/libcharon-extra-plugins.install: install .so and conf files.
++      + d/rules: add plugins to the configuration arguments.
++    - Remove conf files of plugins removed from libcharon-extra-plugins
++      + The conf file of the following plugins were removed: eap-aka-3gpp2,
++        eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
++        eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
++      + Created d/libcharon-extra-plugins.maintscript to handle the removals
++        properly.
++   * Dropped patches included in new version:
++    - debian/patches/CVE-2021-45079.patch
++    - debian/patches/load-legacy-provider-in-openssl3.patch
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 03 Feb 2022 10:49:49 -0500
++
  strongswan (5.9.5-2) unstable; urgency=medium
    * actually fix lintian overrides
@@ -84,6 +302,60 @@ strongswan (5.9.5-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 26 Jan 2022 14:38:54 +0100
++strongswan (5.9.4-1ubuntu4) jammy; urgency=medium
++
++  * SECURITY UPDATE: Incorrect Handling of Early EAP-Success Messages
++    - debian/patches/CVE-2021-45079.patch: enforce failure if MSK
++      generation fails in src/libcharon/plugins/eap_gtc/eap_gtc.c,
++      src/libcharon/plugins/eap_md5/eap_md5.c,
++      src/libcharon/plugins/eap_radius/eap_radius.c,
++      src/libcharon/sa/eap/eap_method.h,
++      src/libcharon/sa/ikev2/authenticators/eap_authenticator.c.
++    - CVE-2021-45079
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 01 Feb 2022 07:23:37 -0500
++
++strongswan (5.9.4-1ubuntu3) jammy; urgency=medium
++
++  * No-change rebuild against libssl3
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 09 Dec 2021 00:19:38 +0000
++
++strongswan (5.9.4-1ubuntu2) jammy; urgency=medium
++
++  * Add d/p/load-legacy-provider-in-openssl3.patch.
++    Upstream cherry-pick to fix FTBFS against OpenSSL 3.0. (LP: #1946213)
++
++ -- Paride Legovini <paride@ubuntu.com>  Wed, 17 Nov 2021 17:04:27 +0100
++
++strongswan (5.9.4-1ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP #1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++    - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
++      + d/control: update libcharon-extra-plugins description.
++      + d/libcharon-extra-plugins.install: install .so and conf files.
++      + d/rules: add plugins to the configuration arguments.
++    - Remove conf files of plugins removed from libcharon-extra-plugins
++      + The conf file of the following plugins were removed: eap-aka-3gpp2,
++        eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
++        eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
++      + Created d/libcharon-extra-plugins.maintscript to handle the removals
++        properly.
++  * Dropped changes:
++    - Compile the tpm plugin against the tpm2 software stack (tss2).
++      Merged in Debian (5.9.4-1).
++
++ -- Paride Legovini <paride@ubuntu.com>  Fri, 12 Nov 2021 12:34:30 +0100
++
  strongswan (5.9.4-1) unstable; urgency=medium
    [ Paride Legovini ]
@@ -100,6 +372,62 @@ strongswan (5.9.4-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Tue, 19 Oct 2021 22:34:40 +0200
++strongswan (5.9.1-1ubuntu3.1) impish-security; urgency=medium
++
++  * SECURITY UPDATE: Integer Overflow in gmp Plugin
++    - debian/patches/CVE-2021-41990.patch: reject RSASSA-PSS params with
++      negative salt length in
++      src/libstrongswan/credentials/keys/signature_params.c,
++      src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
++    - CVE-2021-41990
++  * SECURITY UPDATE: Integer Overflow When Replacing Certificates in Cache
++    - debian/patches/CVE-2021-41991.patch: prevent crash due to integer
++      overflow/sign change in
++      src/libstrongswan/credentials/sets/cert_cache.c.
++    - CVE-2021-41991
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 18 Oct 2021 13:10:30 -0400
++
++strongswan (5.9.1-1ubuntu3) impish; urgency=medium
++
++  * Compile the tpm plugin against the tpm2 software stack (tss2)
++    (Debian packaging cherry-pick, LP: #1940079)
++    - d/rules: add the --enable-tss-tss2 configure flag
++    - d/control: add Build-Depends: libtss2-dev
++
++ -- Paride Legovini <paride@ubuntu.com>  Thu, 16 Sep 2021 11:40:38 +0200
++
++strongswan (5.9.1-1ubuntu2) impish; urgency=medium
++
++  * No-change rebuild due to OpenLDAP soname bump.
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 21 Jun 2021 18:09:22 -0400
++
++strongswan (5.9.1-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++    - Re-enable eap-{dynamic,peap} libcharon plugins (LP: 1878887)
++      + d/control: update libcharon-extra-plugins description.
++      + d/libcharon-extra-plugins.install: install .so and conf files.
++      + d/rules: add plugins to the configuration arguments.
++    - Remove conf files of plugins removed from libcharon-extra-plugins
++      + The conf file of the following plugins were removed: eap-aka-3gpp2,
++        eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
++        eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
++      + Created d/libcharon-extra-plugins.maintscript to handle the removals
++        properly.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 19 Jan 2021 12:39:11 +0100
++
  strongswan (5.9.1-1) unstable; urgency=medium
    * New upstream version 5.9.1
@@ -114,6 +442,45 @@ strongswan (5.9.0-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Thu, 17 Sep 2020 10:21:30 +0200
++strongswan (5.8.4-1ubuntu2) groovy; urgency=medium
++
++  * Re-enable eap-{dynamic,peap} libcharon plugins (LP: #1878887)
++    - d/control: update libcharon-extra-plugins description.
++    - d/libcharon-extra-plugins.install: install .so and conf files.
++    - d/rules: add plugins to the configuration arguments.
++  * Remove conf files of plugins removed from libcharon-extra-plugins
++    - The conf file of the following plugins were removed: eap-aka-3gpp2,
++      eap-sim-file, eap-sim-pcsc, eap-sim, eap-simaka-pseudonym,
++      eap-simaka-reauth, eap-simaka-sql, xauth-noauth.
++    - Created d/libcharon-extra-plugins.maintscript to handle the removals
++      properly.
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Thu, 21 May 2020 14:53:05 -0300
++
++strongswan (5.8.4-1ubuntu1) groovy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++    - re-add post-quantum encryption algorithm (NTRU) (LP: 1863749)
++      + d/control: mention plugins in package description
++      + d/rules: enable ntru at build time
++      + d/libstrongswan-extra-plugins.install: ship config and shared objects
++  * Dropped:
++    - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
++      This is needed due to changes in regard to Debian bug 947176 and 939243
++      and can later be dropped again.
++      [applied by Debian in version 5.8.2-2]
++    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
++      to common libcharon-extauth-plugins (drop after 20.04)
++    - d/control: Transition from strongswan-tnc-* being in extra packages
++      to libcharon-extra-plugins (drop after 20.04)
++
++ -- Lucas Kanashiro <lucas.kanashiro@canonical.com>  Thu, 30 Apr 2020 18:06:55 -0300
++
  strongswan (5.8.4-1) unstable; urgency=medium
    * New upstream version 5.8.4 (Closes: #956446)
@@ -129,6 +496,43 @@ strongswan (5.8.2-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Thu, 13 Feb 2020 22:46:40 +0100
++strongswan (5.8.2-1ubuntu3) focal; urgency=medium
++
++  * Reverting part of 5.8.2-1ubuntu2 changes to remove BLISS again as
++    there is a potential local side-channel attack on strongSwan's BLISS
++    implementation (https://eprint.iacr.org/2017/505). (LP: #1866765)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 10 Mar 2020 07:56:56 +0100
++
++strongswan (5.8.2-1ubuntu2) focal; urgency=medium
++
++  * re-add post-quantum computer signature scheme (BLISS) and encryption
++    algorithm (NTRU) as well as the dependent nttfft library (LP: #1863749)
++    - d/control: mention plugins in package description
++    - d/rules: enable ntru and bliss at build time
++    - d/libstrongswan-extra-plugins.install: ship config and shared objects
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 04 Mar 2020 07:54:26 +0100
++
++strongswan (5.8.2-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable (LP: #1861971). Remaining changes:
++    - d/control: Transition from strongswan-tnc-* being in extra packages
++      to libcharon-extra-plugins (drop after 20.04)
++    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
++      to common libcharon-extauth-plugins (drop after 20.04)
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++  * Added Changes
++    - d/control: build-depend on libiptc-dev to avoid FTBFS (LP: #1861975)
++      This is needed due to changes in regard to Debian bug 947176 and 939243
++      and can later be dropped again.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 05 Feb 2020 08:28:30 +0100
++
  strongswan (5.8.2-1) unstable; urgency=medium
    [ Jean-Michel Vourgère ]
@@ -145,6 +549,83 @@ strongswan (5.8.2-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 01 Jan 2020 14:35:46 +0100
++strongswan (5.8.1-1ubuntu1) focal; urgency=medium
++
++  * Merge with Debian unstable (LP: #1852579). Remaining changes:
++    - d/control: Transition from strongswan-tnc-* being in extra packages
++      to libcharon-extra-plugins
++  * Added Changes:
++    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
++      to common libcharon-extauth-plugins (drop after 20.04)
++    - d/control: strongswan-starter hard-depends on strongswan-charon,
++      therefore bump the dependency from Recommends to Depends. At the same
++      time avoid a circular dependency by dropping
++      strongswan-charon->strongswan-starter from Depends to Recommends as the
++      binaries can work without the services but not vice versa.
++  * Dropped Changes (now in Debian):
++    - Clean up d/strongswan-starter.postinst: section about runlevel changes
++    - Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    - d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    - Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      + d/control: List kernel-libipsec plugin at extra plugins description
++      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    - d/control: Mention mgf1 plugin which is in libstrongswan now
++    - Complete the disabling of libfast; This was partially accepted in Debian,
++      it is no more packaging medcli and medsrv, but still builds and
++      mentions it.
++      + d/rules: Add --disable-fast to avoid build time and dependencies
++      + d/control: Remove medcli, medsrv from package description
++    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
++    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
++    - executables need to be able to read map and execute themselves otherwise
++      execution in some environments e.g. containers is blocked (LP 1780534)
++      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
++      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
++    - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
++      profiles of both ways to start charon (LP 1807664)
++    - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
++    - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
++      Debian so this part was be dropped. Two changes remain
++      - d/control: fix the mentioning of tpmtss in d/control
++    - apparmor fixes for container and root usage (LP 1826238)
++      + d/usr.sbin.swanctl: allow reading own binary
++      + d/usr.sbin.charon-systemd: allow accessing the binary
++      + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
++      + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
++        to apparmor to allow dropping caps
++  * Dropped Changes (too uncommon to support by default)
++    - d/libstrongswan.install: Add kernel-netlink configuration files
++    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
++    - Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      + d/control: Add required additional build-deps
++      + d/control: Mention addtionally enabled plugins
++      + d/rules: Enable features at configure stage
++      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      + d/libstrongswan.install: Add plugins (so, conf)
++      + d/strongswan-starter.install: Install pool feature, which is useful
++        since we now have attr-sql plugin enabled it.
++    - Enable additional TNC plugins and add them to libcharon-extra-plugins
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 14 Nov 2019 15:00:15 +0100
++
  strongswan (5.8.1-1) unstable; urgency=medium
    * d/rules: disable http and stream tests under CI
@@ -214,6 +695,99 @@ strongswan (5.8.0-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 26 Aug 2019 12:58:23 +0200
++strongswan (5.7.2-1ubuntu3) eoan; urgency=medium
++
++  * No change rebuild for libmysqlclient21.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 15 Aug 2019 09:34:34 +0200
++
++strongswan (5.7.2-1ubuntu2) eoan; urgency=medium
++
++  * Rebuild against new libjson-c4.
++
++ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 01 Jul 2019 10:53:07 +0200
++
++strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
++
++  [ Christian Ehrhardt ]
++  * Merge with Debian unstable. Remaining changes:
++    - Clean up d/strongswan-starter.postinst: section about runlevel changes
++    - Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    - d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    - Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      + d/control: Add required additional build-deps
++      + d/control: Mention addtionally enabled plugins
++      + d/rules: Enable features at configure stage
++      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      + d/libstrongswan.install: Add plugins (so, conf)
++      + d/strongswan-starter.install: Install pool feature, which is useful
++        since we now have attr-sql plugin enabled it.
++    - Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      + d/control: List kernel-libipsec plugin at extra plugins description
++      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    - d/libstrongswan.install: Add kernel-netlink configuration files
++    - Complete the disabling of libfast; This was partially accepted in Debian,
++      it is no more packaging medcli and medsrv, but still builds and
++      mentions it.
++      + d/rules: Add --disable-fast to avoid build time and dependencies
++      + d/control: Remove medcli, medsrv from package description
++    - d/control: Mention mgf1 plugin which is in libstrongswan now
++    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP #1766240)
++    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
++    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
++    - executables need to be able to read map and execute themselves otherwise
++      execution in some environments e.g. containers is blocked (LP: 1780534)
++      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
++      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
++    - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
++      profiles of both ways to start charon (LP: 1807664)
++    - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: 1807962)
++  * Dropped changes
++    - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
++      fix SIGSEGV when using mysql plugin (LP: 1795813)
++      [upstream in 5.7.2]
++    - d/libstrongswan.install: Reorder conf and .so alphabetically
++      [was a non functional change, dropped to avoid merge noise]
++    - Relocate tnc plugin
++      [TNC is back at libcharon-extra-plugins as it is in Debian]
++  * Added changes:
++    - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
++      Debian so this part was be dropped. Two changes remain
++      - d/control: fix the mentioning of tpmtss in d/control
++      - add nttfft (can be merged with the mass enablement change later)
++    - Transitional packages to go back from strongswan-tnc-* being in extra
++      packages to be part of libcharon-extra-plugins.
++      [can be dropped after 20.04]
++
++  [ Simon Deziel ]
++  * Added changes:
++    - apparmor fixes for container and root usage (LP: #1826238)
++      + d/usr.sbin.swanctl: allow reading own binary
++      + d/usr.sbin.charon-systemd: allow accessing the binary
++      + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
++      + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
++        to apparmor to allow dropping caps
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Fri, 26 Apr 2019 11:31:17 +0200
++
  strongswan (5.7.2-1) unstable; urgency=medium
    * d/control: remove Rene from Uploaders, thanks!
@@ -232,6 +806,86 @@ strongswan (5.7.2-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 02 Jan 2019 13:02:11 +0100
++strongswan (5.7.1-1ubuntu2) disco; urgency=medium
++
++  * d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
++    path (LP: #1773956)
++  * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
++    profiles of both ways to start charon (LP: #1807664)
++  * d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP: #1807962)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 10 Dec 2018 08:30:01 +0100
++
++strongswan (5.7.1-1ubuntu1) disco; urgency=medium
++
++  * Merge with Debian unstable (LP: #1806401). Remaining changes:
++    - Clean up d/strongswan-starter.postinst: section about runlevel changes
++    - Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    - d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    - Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      + d/control: Add required additional build-deps
++      + d/control: Mention addtionally enabled plugins
++      + d/rules: Enable features at configure stage
++      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      + d/libstrongswan.install: Add plugins (so, conf)
++    - d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    - Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      + d/control: List kernel-libipsec plugin at extra plugins description
++      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    - Relocate tnc plugin
++      + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++      + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    - d/libstrongswan.install: Reorder conf and .so alphabetically
++    - d/libstrongswan.install: Add kernel-netlink configuration files
++    - Complete the disabling of libfast; This was partially accepted in Debian,
++      it is no more packaging medcli and medsrv, but still builds and
++      mentions it.
++      + d/rules: Add --disable-fast to avoid build time and dependencies
++      + d/control: Remove medcli, medsrv from package description
++    - d/control: Mention mgf1 plugin which is in libstrongswan now
++    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP #1766240)
++    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
++  * Added Changes:
++    - d/p/lp1795813-mysql-Don-t-release-the-connection-if-transactions-a.patch:
++      fix SIGSEGV when using mysql plugin (LP: #1795813)
++    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: #1773956)
++    - executables need to be able to read map and execute themselves otherwise
++      execution in some environments e.g. containers is blocked (LP: #1780534)
++      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
++      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
++    - adapt "mass enablement of extra plugins" to match 5.7.x changes
++      + d/rules: use new options for swima instead of swid
++      + d/strongswan-tnc-server.install: add new sec updater tool
++      + d/strongswan-tnc-client.install: add new sw-collector tool
++  * Dropped (in Debian now):
++    - SECURITY UPDATE: Insufficient input validation in gmp plugin
++      (CVE-2018-17540)
++    - SECURITY UPDATE: Insufficient input validation in gmp plugin
++      (CVE-2018-16151 CVE-2018-16152)
++    - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
++      usr-merge, thanks to Christian Ehrhardt. LP #1784023
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 03 Dec 2018 15:18:31 +0100
++
  strongswan (5.7.1-1) unstable; urgency=medium
    [ Ondřej Nový ]
@@ -262,6 +916,96 @@ strongswan (5.7.0-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 24 Sep 2018 16:36:28 +0200
++strongswan (5.6.3-1ubuntu5) disco; urgency=medium
++
++  * No-change rebuild against libunbound8
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 11 Nov 2018 09:01:53 +0000
++
++strongswan (5.6.3-1ubuntu4) cosmic; urgency=medium
++
++  * d/usr.lib.ipsec.charon: allow reading of own FDs (LP: #1786250)
++    Thanks to Matt Callaghan.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 04 Oct 2018 10:34:01 -0300
++
++strongswan (5.6.3-1ubuntu3) cosmic; urgency=medium
++
++  * SECURITY UPDATE: Insufficient input validation in gmp plugin
++    - debian/patches/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch: fix
++      buffer overflow with very small RSA keys in
++      src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c.
++    - CVE-2018-17540
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 01 Oct 2018 13:23:59 -0400
++
++strongswan (5.6.3-1ubuntu2) cosmic; urgency=medium
++
++  * SECURITY UPDATE: Insufficient input validation in gmp plugin
++    - debian/patches/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch: don't
++      parse PKCS1 v1.5 RSA signatures to verify them in
++      src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c,
++      src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
++    - CVE-2018-16151
++    - CVE-2018-16152
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 25 Sep 2018 10:16:15 -0400
++
++strongswan (5.6.3-1ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - Clean up d/strongswan-starter.postinst: section about runlevel changes
++    - Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    - d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    - Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      + d/control: Add required additional build-deps
++      + d/control: Mention addtionally enabled plugins
++      + d/rules: Enable features at configure stage
++      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      + d/libstrongswan.install: Add plugins (so, conf)
++    - d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    - Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      + d/control: List kernel-libipsec plugin at extra plugins description
++      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    - Relocate tnc plugin
++      + debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++      + Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    - d/libstrongswan.install: Reorder conf and .so alphabetically
++    - d/libstrongswan.install: Add kernel-netlink configuration files
++    - Complete the disabling of libfast; This was partially accepted in Debian,
++      it is no more packaging medcli and medsrv, but still builds and
++      mentions it.
++      + d/rules: Add --disable-fast to avoid build time and dependencies
++      + d/control: Remove medcli, medsrv from package description
++    - d/control: Mention mgf1 plugin which is in libstrongswan now
++    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP #1766240)
++    - d/usr.lib.ipsec.charon, d/usr/sbin/charon-systemd: Add support for
++      usr-merge, thanks to Christian Ehrhardt. LP #1784023
++  * Dropped:
++    - d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
++      [Fixed in 5.6.3-1]
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 23 Aug 2018 13:05:11 -0300
++
  strongswan (5.6.3-1) unstable; urgency=medium
    * New upstream version 5.6.2
@@ -277,6 +1021,78 @@ strongswan (5.6.3-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 04 Jun 2018 10:23:22 +0200
++strongswan (5.6.2-2ubuntu2) cosmic; urgency=medium
++
++  * Add support for usr-merge, thanks to Christian Ehrhardt. LP: #1784023
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 21 Aug 2018 00:42:38 +0100
++
++strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
++    Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Dropped Changes (no more needed after 18.04)
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    + d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++    + d/control: bump breaks/replaces for the move of the updown plugin
++      (Missed Changelog entry on last merge)
++    + d/control: fix dependencies of strongswan-libcharon due to the move
++      the updown plugin (droppable >18.04).
++  * Added Changes:
++    + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP: #1766240)
++    + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 29 May 2018 08:21:42 +0200
++
  strongswan (5.6.2-2) unstable; urgency=medium
    * charon-nm: Fix building list of DNS/MDNS servers with libnm
@@ -287,6 +1103,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 13 Apr 2018 13:46:04 +0200
++strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
++
++  * d/control: fix dependencies of strongswan-libcharon due to the move
++    the updown plugin.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 20 Mar 2018 07:37:29 +0100
++
++strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1753018). Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + Ubuntu is not using the debconf triggered private key generation
++      - d/rules: Removed patching ipsec.conf on build (not using the
++        debconf-managed config.)
++      - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++        used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    + d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++  * Added Changes:
++    + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
++      starter as we followed Debian to move the updown plugin but need to
++      match Ubuntu versions (Droppable >18.04).
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Fri, 16 Mar 2018 11:08:47 +0100
++
  strongswan (5.6.2-1) unstable; urgency=medium
    * d/NEWS: add information about disabled algorithms (closes: #883072)
@@ -309,6 +1193,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Sun, 17 Dec 2017 16:40:39 +0100
++strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
++
++  * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
++    - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
++      identifier without parameters in
++      src/libstrongswan/credentials/keys/signature_params.c.
++    - CVE-2018-6459
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 07 Mar 2018 14:52:02 +0100
++
++strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
++
++  * No-change rebuild against libcurl4
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 28 Feb 2018 08:52:09 +0000
++
++strongswan (5.6.1-2ubuntu2) bionic; urgency=high
++
++  * No change rebuild against openssl1.1.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 12 Feb 2018 16:00:24 +0000
++
++strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1717343).
++    Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + Ubuntu is not using the debconf triggered private key generation
++      - d/rules: Removed patching ipsec.conf on build (not using the
++        debconf-managed config.)
++      - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++        used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Added changes:
++    + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
++      in 5.6
++    + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    - d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++  * Dropped changes:
++    + Update init/service handling (debian default matches Ubuntu past now)
++      Dropping this fixes (LP: #1734886)
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++    + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
++      (this is a never failing no-op for us, no need for Delta).
++    + d/strongswan-starter.prerm: Stop strongswan service on package removal
++      (ipsec now maps to strongswan service, so this works as-is).
++    + Clean up d/strongswan-starter.postinst: rename service ipsec to
++      strongswan (ipsec now maps to strongswan service, so this works as-is)
++    + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
++      whole section is disabled, so no need for delta)
++    + (is upstream) CVE-2017-11185 patches
++    + (is upstream) FTBFS upstream fix for changed include files
++    + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
++       QEMU/KVM autopkgtest the bliss test takes longer than the default
++    + (in Debian) add now built (since 5.5.1) mgf1 plugin to
++      libstrongswan-extra-plugins.
++    + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
++    + (this was enabled as part of the former delta, squash changes to no-up)
++      d/rules: Disable duplicheck.
++    + (not needed) Relocate plugins test-vectors from extra-plugins to
++      libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + (while using it requires special kernel, it does not hurt to be
++      available in the package) Remove ha plugin
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 29 Nov 2017 15:55:18 +0100
++
  strongswan (5.6.1-2) unstable; urgency=medium
    * move counters plugin from -starter to -libcharon. closes: #882431
@@ -395,6 +1402,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 19 May 2017 11:32:00 +0200
++strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
++
++  * Fix Artful FTBFS due to newer glibc (LP: #1724859)
++    - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
++      files.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 19 Oct 2017 15:18:52 +0200
++
++strongswan (5.5.1-4ubuntu2) artful; urgency=medium
++
++  * SECURITY UPDATE: Fix RSA signature verification
++    - debian/patches/CVE-2017-11185.patch: does some
++      verifications in order to avoid null-point dereference
++      in src/libstrongswan/gmp/gmp_rsa_public_key.c
++    - CVE-2017-11185
++
++ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Tue, 15 Aug 2017 14:49:49 -0300
++
++strongswan (5.5.1-4ubuntu1) artful; urgency=medium
++
++  * Merge from Debian to pick up latest security changes (CVE-2017-9022,
++    CVE-2017-9023).
++  * Remaining Changes:
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default (Upstream in
++      5.5.2 via issue 2204)
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 31 May 2017 15:57:54 +0200
++
++strongswan (5.5.1-3ubuntu1) artful; urgency=medium
++
++  * Merge from Debian to pick up latest changes. Among others this includes:
++    - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
++      but likely have to wait until Debian stretch was released)
++    - enabling mediation support (LP: #1657413)
++  * Remaining Changes:
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default (Upstream in
++      5.5.2 via issue 2204)
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Dropped Changes:
++    + Add and install apparmor profiles (in Debian)
++      - d/rules: Install AppArmor profiles
++      - d/control: Add dh-apparmor build-dep
++      - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
++        for charon, lookip and stroke
++      - d/libcharon-extra-plugins.install: Install profile for lookip
++      - d/strongswan-charon.install: Install profile for charon
++      - d/strongswan-starter.install: Install profile for stroke
++      - Fix strongswan ipsec status issue with apparmor
++      - Fix Dep8 tests for the now extra strongswan-pki package for pki
++      - Fix Dep8 tests for the now extra strongswan-scepclient package
++    + d/rules: Sorted and only one enable option per configure line (in
++      Debian)
++    + Add updated logcheck rules (in Debian)
++      - debian/libstrongswan.strongswan.logcheck.*:  Remove outdated files
++      - debian/strongswan.logcheck: Add updated logcheck rules
++    + Add updated DEP8 tests (in Debian)
++      - d/tests/*: Add DEP8 tests
++      - d/control: Enable autotestpkg
++    + d/rules: do not strip for library integrity checking (After Discussion
++      with Debian this isn't acceptable there, but at the same time it turned
++      out the real use-case of this never uses this lib but instead third
++      party checks of checksums for e.g. FIPS cert; so drop the Delta)
++      - Use override_dh_strip to to avoid overwriting user build flags.
++      - Add missing mention of libchecksum integrity test in d/control
++    + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
++      in tests to avoid issues in low entropy environments. (Debian has
++      disabled !x86 tests for the same reason, one solution is enough)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 04 May 2017 14:06:23 +0200
++
  strongswan (5.5.1-3) unstable; urgency=medium
    [ Christian Ehrhardt ]
@@ -428,6 +1642,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 07 Dec 2016 08:34:52 +0100
++strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
++
++  * Update Maintainers which was missed while merging 5.5.1-1.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 19 Dec 2016 16:02:40 +0100
++
++strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
++
++  * Merge from Debian (complex delta, discussions and broken out changes can be
++    found in the merge proposal linked from the merge bug LP: #1631198)
++  * Remaining Changes:
++    + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
++      checking.
++    + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
++      in tests to avoid issues in low entropy environments.
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + Add and install apparmor profiles
++      - d/rules: Install AppArmor profiles
++      - d/control: Add dh-apparmor build-dep
++      - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
++        for charon, lookip and stroke
++      - d/libcharon-extra-plugins.install: Install profile for lookip
++      - d/strongswan-charon.install: Install profile for charon
++      - d/strongswan-starter.install: Install profile for stroke
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + d/rules: Sorted and only one enable option per configure line
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins
++      - d/libstrongswan.install: Add plugins
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + Add updated logcheck rules
++      - debian/libstrongswan.strongswan.logcheck.*:  Remove outdated files
++      - debian/strongswan.logcheck: Add updated logcheck rules
++    + Add updated DEP8 tests
++      - d/tests/*: Add DEP8 tests
++      - d/control: Enable autotestpkg
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default
++    + Complete the disabling of libfast
++      - Note: This was partially accepted in Debian, it is no more
++        packaging medcli and medsrv, but still builds and mentions it
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++  * Dropped Changes:
++    + Adding build-dep to iptables-dev (no change, was only in Changelog)
++    + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
++    + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
++      upgrade path left needing them)
++    + Most of "disabling libfast" (Debian dropped it from package content)
++    + Transition for ipsec service (no upgrade path left)
++    + Reverted part of the cleanup to d/strongswan-starter.postinst as using
++      service should rather use invoke-rc.d (so it is a partial revert of our
++      delta)
++    + Transition handling (breaks/replaces) from per-plugin packages to the
++      three grouped plugin packages (no upgrade path left)
++    + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
++      it is effectively a no-op still, so not worth the delta)
++    + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
++      (no more needed)
++    + d/rules: Remove configure option --enable-unit-test (unit tests run by
++      default)
++  * Added Changes:
++    + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
++    + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
++      the relocation of the ccm plugin which missed to move the conffiles.
++    + Complete move of test-vectors (was missing in d/control)
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add missing mention of libchecksum integrity test in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + Use override_dh_strip to to fix library integrity checking instead of
++      DEB_BUILD_OPTION to avoid overwriting user build flags.
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon (LP: #1640826).
++    + Fix Dep8 tests for the now extra strongswan-pki package for pki
++    + Fix Dep8 tests for the now extra strongswan-scepclient package
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 07 Nov 2016 16:16:41 +0100
++
  strongswan (5.5.1-1) unstable; urgency=medium
    * New upstream bugfix release.
@@ -544,6 +1888,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 14 Mar 2016 23:53:34 +0100
++strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
++
++  * Build-depend on libjson-c-dev instead of libjson0-dev.
++  * Rebuild against libjson-c3.
++
++ -- Graham Inggs <ginggs@ubuntu.com>  Fri, 29 Apr 2016 19:04:22 +0200
++
++strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
++
++  * Rebuild against libmysqlclient20.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Tue, 05 Apr 2016 13:02:48 +0000
++
++strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
++
++  * debian/tests/plugins: rdrand may or may not be loaded, depending on the
++    cpu features.
++
++ -- Iain Lane <iain@orangesquash.org.uk>  Mon, 22 Feb 2016 17:13:01 +0000
++
++strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
++
++  * debian/{rules,control,libstrongswan-extra-plugins.install}
++    Enable bliss plugin
++  * debian/{rules,control,libstrongswan-extra-plugins.install}
++    Enable chapoly plugin
++  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
++    Upstream suggests to not load this plugin by default as it has
++    some limitations.
++    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
++  * debian/patches/increase-bliss-test-timeout.patch
++    Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
++  * Update Apparmor profiles
++    - usr.lib.ipsec.charon
++      - add capability audit_write for xauth-pam (LP: #1470277)
++      - add capability dac_override (needed by agent plugin)
++      - allow priv dropping (LP: #1333655)
++      - allow caching CRLs (LP: #1505222)
++      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
++    - usr.lib.ipsec.stroke
++      - allow priv dropping (LP: #1333655)
++      - add local include
++    - usr.lib.ipsec.lookip
++      - add local include
++  * Merge from Debian, which includes fixes for all previous CVEs
++    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
++    Remaining changes:
++      * debian/control
++        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
++        - Update Maintainer for Ubuntu
++        - Add build-deps
++          - dh-apparmor
++          - iptables-dev
++          - libjson0-dev
++          - libldns-dev
++          - libmysqlclient-dev
++          - libpcsclite-dev
++          - libsoup2.4-dev
++          - libtspi-dev
++          - libunbound-dev
++        - Drop build-deps
++          - libfcgi-dev
++          - clearsilver-dev
++        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
++        - Set XS-Testsuite: autopkgtest
++      * debian/rules:
++        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
++        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
++          tests.
++        - Change init/systemd program name to strongswan
++        - Install AppArmor profiles
++        - Removed pieces on 'patching ipsec.conf' on build.
++        - Enablement of features per Ubuntu current config suggested from
++          upstream recommendation
++        - Unpack and sort enabled features to one-per-line
++        - Disable duplicheck as per
++          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++        - Disable libfast (--disable-fast):
++          Requires dropping medsrv, medcli plugins which depend on libfast
++        - Add configure options
++          --with-tss=trousers
++        - Remove configure options:
++          --enable-ha (requires special kernel)
++          --enable-unit-test (unit tests run by default)
++        - Drop logcheck install
++      * debian/tests/*
++        - Add DEP8 test for strongswan service and plugins
++      * debian/strongswan-starter.strongswan.service
++        - Add new systemd file instead of patching upstream
++      * debian/strongswan-starter.links
++        - removed, use Ubuntu systemd file instead of linking to upstream
++      * debian/usr.lib.ipsec.{charon, lookip, stroke}
++        - added AppArmor profiles for charon, lookip and stroke
++      * debian/libcharon-extra-plugins.install
++        - Add plugins
++          - kernel-libipsec.{so, lib, conf, apparmor}
++        - Remove plugins
++          - libstrongswan-ha.so
++        - Relocate plugins
++          - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
++      * debian/libstrongswan-extra-plugins.install
++        - Add plugins (so, lib, conf)
++          - acert
++          - attr-sql
++          - coupling
++          - dnscert
++          - fips-prf
++          - gmp
++          - ipseckey
++          - load-tester
++          - mysql
++          - ntru
++          - radattr
++          - soup
++          - sqlite
++          - sql
++          - systime-fix
++          - unbound
++          - whitelist
++        - Relocate plugins (so, lib, conf)
++          - ccm (libstrongswan.install)
++          - test-vectors (libstrongswan.install)
++      * debian/libstrongswan.install
++        - Sort sections
++        - Add plugins (so, lib, conf)
++          - libchecksum
++          - ccm
++          - eap-identity
++          - md4
++          - test-vectors
++      * debian/strongswan-charon.install
++        - Add AppArmor profile for charon
++      * debian/strongswan-starter.install
++        - Add tools, manpages, conf
++          - openac
++          - pool
++          - _updown_espmark
++        - Add AppArmor profile for stroke
++      * debian/strongswan-tnc-base.install
++        - Add new subpackage for TNC
++        - remove non-existent (dropped in 5.2.1) libpts library files
++      * debian/strongswan-tnc-client.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-ifmap.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-pdp.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-server.install
++        - Add new subpackage for TNC
++      * debian/strongswan-starter.postinit:
++        - Removed section about runlevel changes, it's almost 2014.
++        - Adapted service restart section for Upstart.
++        - Remove old symlinks to init.d files is necessary.
++      * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
++      * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      * debian/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++      * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
++        - logcheck patterns updated to be helpful
++      * debian/strongswan-starter.postinst: Removed further out-dated code and
++        entire section on opportunistic encryption - this was never in strongSwan.
++      * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    Drop changes:
++      * debian/control
++        - Per-plugin package breakup: Reducing packaging delta from Debian
++        - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
++      * debian/watch: Already exists in Debian merge
++      * debian/upstream/signing-key.asc:  Upstream has newer version.
++
++ -- Ryan Harper <ryan.harper@canonical.com>  Fri, 12 Feb 2016 11:24:53 -0600
++
  strongswan (5.3.5-1) unstable; urgency=medium
    * New upstream bugfix release.
@@ -816,6 +2331,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 12 Mar 2014 11:22:38 +0100
++strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
++
++  * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 30 Nov 2015 15:46:06 +0000
++
++strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
++
++  * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
++    - debian/patches/CVE-2015-8023.patch: only succeed authentication if
++      MSK was established in
++      src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
++    - CVE-2015-8023
++  * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
++    until regression is properly investigated.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 19 Nov 2015 14:00:17 -0500
++
++strongswan (5.1.2-0ubuntu6) wily; urgency=medium
++
++  * SECURITY UPDATE: user credential disclosure to rogue servers
++    - debian/patches/CVE-2015-4171.patch: enforce remote authentication
++      config before proceeding with own authentication in
++      src/libcharon/sa/ikev2/tasks/ike_auth.c.
++    - CVE-2015-4171
++  * debian/rules: don't FTBFS from unused service file
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 08 Jun 2015 12:50:38 -0400
++
++strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
++
++  * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 16 Jan 2015 08:27:54 +0100
++
++strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
++
++  * SECURITY UPDATE: denial of service via DH group 1025
++    - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
++      IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
++      src/libstrongswan/crypto/diffie_hellman.h.
++    - CVE-2014-9221
++
++ -- Tyler Hicks <tyhicks@canonical.com>  Mon, 05 Jan 2015 08:25:29 -0500
++
++strongswan (5.1.2-0ubuntu3) utopic; urgency=low
++
++  * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
++    build.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 15 Oct 2014 16:49:18 +0000
++
++strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
++
++  * SECURITY UPDATE: remote authentication bypass
++    - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
++      on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
++    - CVE-2014-2338
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 14 Apr 2014 11:24:34 -0400
++
++strongswan (5.1.2-0ubuntu1) trusty; urgency=low
++
++  * New upstream release.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 01 Mar 2014 08:53:17 +0000
++
++strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
++
++  * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++  * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 19 Feb 2014 13:07:16 +0000
++
++strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
++
++  * New upstream release candidate.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 19 Feb 2014 12:59:21 +0000
++
++strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
++
++  * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
++    packages.
++  * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 17 Feb 2014 18:12:38 +0000
++
++strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
++
++  * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:46:46 +0000
++
++strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
++
++  * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
++    as it's only useful on amd64.
++  * debian/watch: Added opts=pgpsigurlmangle option.
++  * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:32:10 +0000
++
++strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
++
++  * New upstream release candidate.
++  * debian/*.install - include new configuration files for plugins in
++    appropiate packages.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:03:14 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
++
++  * debian/control:
++    - Added Breaks/Replaces for all library files which have been moved
++      about (LP: #1278176).
++    - Removed build-dependency on check and added one on dh-apparmor.
++  * debian/strongswan-starter.postinst: Removed further out-dated code and
++    entire section on opportunistic encryption - this was never in strongSwan.
++  * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sun, 09 Feb 2014 23:53:23 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
++
++  * debian/control: Fixed references to plugin-fips-prf.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 22 Jan 2014 11:22:14 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
++
++  * Upstream Git snapshot for build fixes with regards to entropy.
++  * debian/rules:
++    - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
++    - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
++      tests.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 20 Jan 2014 19:00:59 +0000
++
++strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
++
++  * New upstream developer release.
++  * Made changes to packaging per upstream suggestions.
++    - Dropped medcli and medsrv packages - not recommended by upstream at this
++      time.
++    - Dropped ha plugin - needs special kernel.
++    - Improved all package descriptions in general.
++    - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
++    - Removed debian/*logcheck* files - not relevant to strongSwan.
++    - Split dhcp and farp packages into sub-packages.
++    - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
++    - Changes to TNC-related packages.
++  * Created AppArmor profiles for lookip and stroke.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 15 Jan 2014 22:52:53 +0000
++
++strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
++
++  * libstrongswan.install: Removed lingering unit-tester.so reference.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 06 Jan 2014 20:29:59 +0000
++
++strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
++
++  * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
++    Incorporates upstream fixes for:
++      - Integrity testing.
++      - Unit test failures on little endian systems.
++  * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
++    upstream.
++  * debian/rules:
++    - Stop using CK_TIMEOUT_MULTIPLIER.
++    - Stop enabling the test suite only on non-powerpc arches (it runs
++      anyway).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 06 Jan 2014 20:17:20 +0000
++
++strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
++
++  * debian/control: Reinstate missing comma in dependencies.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Fri, 03 Jan 2014 05:39:13 +0000
++
++strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
++
++  * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
++    where test for >2038 tests on 32-bit platforms is broken.
++    - Reported upstream: https://wiki.strongswan.org/issues/477
++  * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Fri, 03 Jan 2014 05:02:32 +0000
++
++strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
++
++  * New upstream developer release.
++  * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
++    and --enable-unity.
++  * debian/control:
++    - New plugin packages created for the above
++    - Split fips-prf into its own package.
++    - Added build-dependency on libsoup2.4-dev.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Thu, 02 Jan 2014 17:37:33 +0000
++
  strongswan (5.1.1-3) unstable; urgency=low
    * Upload to unstable.
@@ -907,6 +2626,192 @@ strongswan (5.1.1-1) unstable; urgency=low
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 24 Jan 2014 21:22:32 +0100
++strongswan (5.1.1-0ubuntu17) trusty; urgency=low
++
++  * debian/control:
++    - Make strongswan-ike depend on iproute2.
++    - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
++    - Created strongswan-libfast package.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 01 Jan 2014 17:04:45 +0000
++
++strongswan (5.1.1-0ubuntu16) trusty; urgency=low
++
++  * debian/control:
++    - Further splitting of plugins into subpackages (such as all EAP plugins
++      to their own packages).
++    - Added libpcsclite-dev to build-dependencies.
++  * debian/rules:
++    - Sort configure options in alphabetical order.
++    - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
++      --enable-eap-sim-file, --enable-eap-sim-pcsc,
++      --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
++      --enable-eap-simaka-sql.
++    - Don't exclude medsrv from install.
++  * Moved eap-identity.so to libstrongswan package as it's used by all the
++    other EAP plugins.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 21:25:50 +0000
++
++strongswan (5.1.1-0ubuntu15) trusty; urgency=low
++
++  * debian/control:
++    - Split plugins from libstrongswan package into modular subpackages.
++    - Added libmysqlclient-dev to build-dependencies.
++    - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
++      strongswan-plugins-gcrypt.
++    - strongswan-ike: All other plugins added to Suggests.
++    - Created two new TNC packages: strongswan-tnc-ifmap and
++      strongswan-tnc-pdp and added to tnc-imcvs Suggests.
++  * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
++    --enable-error-notify, --enable-mysql, --enable-load-tester,
++    --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
++  * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 16:15:32 +0000
++
++strongswan (5.1.1-0ubuntu14) trusty; urgency=low
++
++  * debian/rules:
++    - CK_TIMEOUT_MULTIPLIER back down to 6.
++    - Disable unit tests on powerpc.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:39:48 +0000
++
++strongswan (5.1.1-0ubuntu13) trusty; urgency=low
++
++  * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:23:42 +0000
++
++strongswan (5.1.1-0ubuntu12) trusty; urgency=low
++
++  * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
++    armhf.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:03:40 +0000
++
++strongswan (5.1.1-0ubuntu11) trusty; urgency=low
++
++  * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
++    one extra arch.
++  * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 06:51:47 +0000
++
++strongswan (5.1.1-0ubuntu10) trusty; urgency=low
++
++  * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
++    - Increases RSA key generate test timeout to 30 seconds so that it doesn't
++      fail on armhf, arm64, and powerppc.
++  * Contrary to what the last changelog entry says, we are still running
++    strongswan as root (with AppArmor protection).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 06:06:47 +0000
++
++strongswan (5.1.1-0ubuntu9) trusty; urgency=low
++
++  * debian/rules: Added to configure options:
++    - --enable-tnc-ifmap: enable TNC IF-MAP module.
++    - --enable-duplicheck: enable duplicheck plugin.
++    - --enable-imv-swid, --enable-imc-swid: Added.
++    - Run strongswan as it's own user.
++  * debian/strongswan-starter.install: Install duplicheck.
++  * debian/strongswan-tnc-imcvs.install: Install swidtags.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 19:33:27 +0000
++
++strongswan (5.1.1-0ubuntu8) trusty; urgency=low
++
++  * debian/rules: Added to configure options:
++    - --enable-unit-tests: check unit testing on build.
++    - --enable-unbound: for validating DNS lookups.
++    - --enable-dnscert: for DNSCERT peer authentication.
++    - --enable-ipseckey: for IPSEC key authentication.
++    - --enable-lookip: for LookIP functionality.
++    - --enable-coupling: certificate coupling functionality.
++  * debian/control: Added check, libldns-dev, libunbound-dev to
++    build-dependencies.
++  * debian/libstrongswan.install: Install new plugin .so's.
++  * debian/strongswan-starter.install: Added lookip.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:52:07 +0000
++
++strongswan (5.1.1-0ubuntu7) trusty; urgency=low
++
++  * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
++    the former from depending on the latter).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:30:19 +0000
++
++strongswan (5.1.1-0ubuntu6) trusty; urgency=low
++
++  * debian/strongswan-starter.prerm: Stop strongswan service on package
++    removal (as opposed to using the old init.d script).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:22:10 +0000
++
++strongswan (5.1.1-0ubuntu5) trusty; urgency=low
++
++  * debian/rules:
++    - CONFIGUREARGS: Merged Debian and RPM options.
++    - Brings in TNC functionality.
++  * debian/control:
++    - Added build-dependency on libtspi-dev.
++    - Created strongswan-tnc-imcvs binary package for TNC components.
++    - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
++  * debian/libstrongswan.install:
++    - Included newly built MD4 and SQLite libraries.
++    - Removed 'tnc' references (moved to TNC package).
++  * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
++    binaries.
++  * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 14:05:43 +0000
++
++strongswan (5.1.1-0ubuntu4) trusty; urgency=low
++
++  * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
++  * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++  * debian/control: strongswan-ike - Stop depending on ipsec-tools.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 05:35:17 +0000
++
++strongswan (5.1.1-0ubuntu3) trusty; urgency=low
++
++  * strongswan-starter.strongswan.upstart - Only start strongSwan when a
++    network connection is available.
++  * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
++    1.16.1 - to make precise backporting easier.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Thu, 12 Dec 2013 10:43:15 +0000
++
++strongswan (5.1.1-0ubuntu2) trusty; urgency=low
++
++  * strongswan-starter.strongswan.upstart - Created Upstart job for
++    strongSwan.
++  * debian/rules: Set dh_installinit to install above file.
++  * debian/strongswan-starter.postinit:
++    - Removed section about runlevel changes, it's almost 2014.
++    - Adapted service restart section for Upstart.
++    - Remove old symlinks to init.d files is necessary.
++  * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 11 Dec 2013 23:10:28 +0000
++
++strongswan (5.1.1-0ubuntu1) trusty; urgency=low
++
++  * New upstream release.
++  * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
++  * debian/control: Updated Standards-Version to 3.9.5 and applied
++    XSBC-Original-Maintainer policy.
++  * strongswan-starter.install:
++    - pki tool is now in /usr/bin.
++    - Install pt-tls-client.
++    - Install manpages (LP: #1206263).
++
++ -- Jonathan Davies <jpds@ubuntu.com>  Sun, 01 Dec 2013 17:43:59 +0000
++
  strongswan (5.1.0-3) unstable; urgency=high
    * urgency=high for the security fixes.
 diff --git a/debian/control b/debian/control
 index e8bb298..a433e83 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: strongswan
  Section: net
  Priority: optional
--Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
  Uploaders: Yves-Alexis Perez <corsac@debian.org>
  Standards-Version: 4.6.2
  Vcs-Browser: https://salsa.debian.org/debian/strongswan
@@ -137,6 +138,7 @@ Description: strongSwan utility and crypto library (extra plugins)
    - gcrypt (Crypto backend based on libgcrypt, provides
      RSA/DH/ciphers/hashers/rng)
    - ldap (LDAP fetching plugin based on libldap)
++  - ntru (key exchanged based on post-quantum computer NTRU)
    - padlock (VIA padlock crypto backend, provides AES128/SHA1)
    - pkcs11 (PKCS#11 smartcard backend)
    - rdrand (High quality / high performance random source using the Intel
@@ -204,6 +206,9 @@ Description: strongSwan charon library (extra plugins)
    - unity (Cisco Unity extensions for IKEv1)
    - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
    - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
++  - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method
++    requested/supported by the client (since 5.0.1))
++  - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
  Package: strongswan-starter
  Architecture: any
@@ -211,9 +216,9 @@ Pre-Depends: ${misc:Pre-Depends}
  Depends: adduser,
           libstrongswan (= ${binary:Version}),
           sysvinit-utils (>= 3.05-3),
++         strongswan-charon,
           ${misc:Depends},
           ${shlibs:Depends}
--Recommends: strongswan-charon
  Conflicts: openswan
  Description: strongSwan daemon starter and configuration file parser
   The strongSwan VPN suite uses the native IPsec stack in the standard
@@ -252,9 +257,9 @@ Architecture: any
  Pre-Depends: debconf | debconf-2.0
  Depends: iproute2 [linux-any] | iproute [linux-any],
           libstrongswan (= ${binary:Version}),
--         strongswan-starter,
           ${misc:Depends},
           ${shlibs:Depends}
++Recommends: strongswan-starter,
  Provides: ike-server
  Description: strongSwan Internet Key Exchange daemon
   The strongSwan VPN suite uses the native IPsec stack in the standard
 diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
 index 94fbabd..91ca716 100644
 --- a/debian/libcharon-extra-plugins.install
 +++ b/debian/libcharon-extra-plugins.install
@@ -2,9 +2,11 @@
  usr/lib/ipsec/plugins/libstrongswan-addrblock.so
  usr/lib/ipsec/plugins/libstrongswan-certexpire.so
  usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
++usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
  usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
  usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
  usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
++usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
  usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
  usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
  usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
@@ -25,9 +27,11 @@ usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
  usr/share/strongswan/templates/config/plugins/addrblock.conf
  usr/share/strongswan/templates/config/plugins/certexpire.conf
  usr/share/strongswan/templates/config/plugins/eap-aka.conf
++usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
  usr/share/strongswan/templates/config/plugins/eap-gtc.conf
  usr/share/strongswan/templates/config/plugins/eap-identity.conf
  usr/share/strongswan/templates/config/plugins/eap-md5.conf
++usr/share/strongswan/templates/config/plugins/eap-peap.conf
  usr/share/strongswan/templates/config/plugins/eap-radius.conf
  usr/share/strongswan/templates/config/plugins/eap-tls.conf
  usr/share/strongswan/templates/config/plugins/eap-tnc.conf
@@ -49,9 +53,11 @@ etc/strongswan.d/tnc.conf
  etc/strongswan.d/charon/addrblock.conf
  etc/strongswan.d/charon/certexpire.conf
  etc/strongswan.d/charon/eap-aka.conf
++etc/strongswan.d/charon/eap-dynamic.conf
  etc/strongswan.d/charon/eap-gtc.conf
  etc/strongswan.d/charon/eap-identity.conf
  etc/strongswan.d/charon/eap-md5.conf
++etc/strongswan.d/charon/eap-peap.conf
  etc/strongswan.d/charon/eap-radius.conf
  etc/strongswan.d/charon/eap-tls.conf
  etc/strongswan.d/charon/eap-tnc.conf
 diff --git a/debian/libcharon-extra-plugins.maintscript b/debian/libcharon-extra-plugins.maintscript
 new file mode 100644
 index 0000000..f6e7a3a
 --- /dev/null
 +++ b/debian/libcharon-extra-plugins.maintscript
@@ -0,0 +1,8 @@
++rm_conffile /etc/strongswan.d/charon/eap-aka-3gpp2.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
++rm_conffile /etc/strongswan.d/charon/eap-sim-file.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
++rm_conffile /etc/strongswan.d/charon/eap-sim-pcsc.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
++rm_conffile /etc/strongswan.d/charon/eap-sim.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
++rm_conffile /etc/strongswan.d/charon/eap-simaka-pseudonym.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
++rm_conffile /etc/strongswan.d/charon/eap-simaka-reauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
++rm_conffile /etc/strongswan.d/charon/eap-simaka-sql.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
++rm_conffile /etc/strongswan.d/charon/xauth-noauth.conf 5.8.4-1ubuntu2~ libcharon-extra-plugins
 diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
 index 2846e21..8f71239 100644
 --- a/debian/libstrongswan-extra-plugins.install
 +++ b/debian/libstrongswan-extra-plugins.install
@@ -9,6 +9,7 @@ usr/lib/ipsec/plugins/libstrongswan-curl.so
  usr/lib/ipsec/plugins/libstrongswan-curve25519.so
  usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
  usr/lib/ipsec/plugins/libstrongswan-ldap.so
++usr/lib/ipsec/plugins/libstrongswan-ntru.so
  usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
  usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
  usr/lib/ipsec/plugins/libstrongswan-tpm.so
@@ -21,6 +22,7 @@ usr/share/strongswan/templates/config/plugins/curl.conf
  usr/share/strongswan/templates/config/plugins/curve25519.conf
  usr/share/strongswan/templates/config/plugins/gcrypt.conf
  usr/share/strongswan/templates/config/plugins/ldap.conf
++usr/share/strongswan/templates/config/plugins/ntru.conf
  usr/share/strongswan/templates/config/plugins/pkcs11.conf
  usr/share/strongswan/templates/config/plugins/test-vectors.conf
  usr/share/strongswan/templates/config/plugins/tpm.conf
@@ -32,6 +34,7 @@ etc/strongswan.d/charon/curl.conf
  etc/strongswan.d/charon/curve25519.conf
  etc/strongswan.d/charon/gcrypt.conf
  etc/strongswan.d/charon/ldap.conf
++etc/strongswan.d/charon/ntru.conf
  etc/strongswan.d/charon/pkcs11.conf
  etc/strongswan.d/charon/test-vectors.conf
  etc/strongswan.d/charon/tpm.conf
 diff --git a/debian/rules b/debian/rules
 index 14c7ca7..155946a 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -15,9 +15,11 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
  		--enable-curl \
  		--enable-eap-aka \
  		--enable-eap-gtc \
++		--enable-eap-dynamic \
  		--enable-eap-identity \
  		--enable-eap-md5 \
  		--enable-eap-mschapv2 \
++		--enable-eap-peap \
  		--enable-eap-radius \
  		--enable-eap-tls \
  		--enable-eap-tnc \
@@ -32,6 +34,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
  		--enable-led \
  		--enable-lookip \
  		--enable-mediation \
++		--enable-ntru \
  		--enable-openssl \
  		--enable-pkcs11 \
  		--enable-test-vectors \
 diff --git a/debian/tests/control b/debian/tests/control
 index 997a870..3675f33 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -5,3 +5,9 @@ Restrictions: needs-root isolation-container allow-stderr
  Tests: daemon plugins
  Depends: strongswan-starter, libstrongswan-standard-plugins, libstrongswan-extra-plugins, libcharon-extra-plugins
  Restrictions: needs-root isolation-machine allow-stderr
++
++Tests: host-to-host
++Depends: strongswan-swanctl, strongswan-pki, libstrongswan-extra-plugins,
++ charon-systemd, lsb-release, snapd, dctrl-tools, libtss2-tcti-tabrmd0,
++ bind9-dnsutils
++Restrictions: needs-root isolation-machine allow-stderr skippable
 diff --git a/debian/tests/host-to-host b/debian/tests/host-to-host
 new file mode 100755
 index 0000000..3a76da0
 --- /dev/null
 +++ b/debian/tests/host-to-host
@@ -0,0 +1,401 @@
++#!/bin/bash
++
++# host to host setup from https://docs.strongswan.org/docs/5.9/config/quickstart.html
++
++set -e
++set -o pipefail
++
++# exit early if not on Ubuntu
++if [ "$(lsb_release --short --id)" != "Ubuntu" ]; then
++    echo "This test only runs on Ubuntu, skipping."
++    exit 77
++fi
++
++cleanup() {
++    if [ $? -ne 0 ]; then
++        set +e
++        echo "Something failed, gathering debug info"
++        echo
++        echo "Installed strongswan packages:"
++        dpkg -l | grep -E "(strongswan|charon)"
++        echo
++        echo "loaded kernel modules:"
++        lsmod
++        echo
++        echo "journal logs from host:"
++        journalctl --no-pager -u strongswan.service || :
++        echo
++        echo "LXD details:"
++        lxc network list
++        lxc list
++        echo
++        for container in $(lxc list -f compact -c ns | grep -F RUNNING | awk '{print $1}'); do
++            echo "journal logs from container ${container}"
++            lxc exec "${container}" -- journalctl -u strongswan.service --no-pager || :
++            echo
++            echo "strongswan data from container ${container}"
++            for cmd in stats list-certs list-conns list-pols list-sas; do
++                echo "${cmd}:"
++                lxc exec "${container}" -- swanctl --${cmd} || :
++                echo
++            done
++        done
++    fi
++    set +e
++    rm -rf "${WORKDIR}"
++    for container in "${PEERS[@]}"; do
++        lxc delete --force "${container}" > /dev/null 2>&1 || :
++    done
++}
++
++trap cleanup EXIT
++
++WORKDIR=$(mktemp -d)
++PEERS=("moon" "sun")
++declare -A REMOTE
++REMOTE["moon"]="sun"
++REMOTE["sun"]="moon"
++PUBKEY_ALGO="ed25519"
++TESTNAME=$(basename "${0}")
++
++# ca
++CA_KEY_FILE="${WORKDIR}/strongswanKey.pem"
++REQ_FILE="${WORKDIR}/req.pem" # can be reused for multiple reqs
++CA_CERT_FILE="${WORKDIR}/strongswanCert.pem"
++
++source debian/tests/utils
++
++check_pol() {
++    #root@moon:~# swanctl --list-pols
++    #moon-sun/moon-sun, TUNNEL
++    #  local:  10.38.71.14/32
++    #  remote: 10.38.71.194/32
++    local me="${1}"
++    local pol="${2}"
++    local -i failures=0
++    local tunnel
++    local ip
++    local policy_ip
++
++    echo "Checking policy for:"
++    echo -n "  we have a tunnel: "
++    if echo "${pol}" | head -n 1 | grep -qF TUNNEL; then
++        echo "OK"
++    else
++        echo "FAIL"
++        failures=$((failures+1))
++    fi
++
++    # moon-sun/moon-sun, TUNNEL -> tunnel = moon-sun
++    tunnel=$(echo "${pol}" | head -n 1 | cut -d , -f 1)
++    echo -n "  tunnel matches local-remote: "
++    if echo "${tunnel}" | grep -qE "^${me}-${REMOTE[${me}]}/${me}-${REMOTE[${me}]}"; then
++        echo "OK"
++    else
++        echo "FAIL (tunnel=${tunnel})"
++        failures=$((failures+1))
++    fi
++
++    echo -n "  local IP matches local peer: "
++    ip=$(lxc exec "${me}" -- dig +short "${me}.lxd")/32
++    policy_ip=$(echo "${pol}" | sed -n -r "s,^[[:blank:]]+local:[[:blank:]]+([0-9.]+/32),\1,p")
++    if [ "${ip}" = "${policy_ip}" ]; then
++        echo "OK"
++    else
++        echo "FAIL: local ip ${ip} != policy local ip ${policy_ip}"
++        failures=$((failures+1))
++    fi
++
++    echo -n "  remote IP matches remote peer: "
++    ip=$(lxc exec "${me}" -- dig +short "${REMOTE[${me}]}.lxd")/32
++    policy_ip=$(echo "${pol}" | sed -n -r "s,^[[:blank:]]+remote:[[:blank:]]+([0-9.]+/32),\1,p")
++    if [ "${ip}" = "${policy_ip}" ]; then
++        echo "OK"
++    else
++        echo "FAIL: local ip ${ip} != policy local ip ${policy_ip}"
++        failures=$((failures+1))
++    fi
++
++    return ${failures}
++}
++
++check_sa() {
++    local -i failures=0
++    local me="${1}"
++    local sa="${2}"
++    local name=""
++    local sa_ip
++
++    # SAs look like this:
++    # moon-sun: #1, ESTABLISHED, IKEv2, f1bdc688a5078946_i* bf6e1559c5a87ab9_r
++    #   local  'C=CH, O=strongswan, CN=moon.strongswan.org' @ 10.84.128.22[4500]
++    #   remote 'C=CH, O=strongswan, CN=sun.strongswan.org' @ 10.84.128.191[4500]
++    #   AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
++    #   established 11s ago, rekeying in 14147s
++    #   moon-sun: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
++    #     installed 11s ago, rekeying in 3285s, expires in 3949s
++    #     in  c3bcdf8d,    168 bytes,     2 packets,     0s ago
++    #     out caf49378,    168 bytes,     2 packets,     0s ago
++    #     local  10.84.128.22/32
++    #     remote 10.84.128.191/32
++
++    echo "Checking SA for:"
++
++    echo -n "  established SA: "
++    if echo "${sa}" | grep -qE "^[[:alnum:]]+-[[:alnum:]]+:.*ESTABLISHED"; then
++        echo "OK"
++    else
++        echo "FAIL"
++        failures=$((failures+1))
++    fi
++
++    # parse the connection name from the first line: $local-$remote: #1,....
++    name=$(echo "${sa}" | head -n 1 | sed -r "s/^([[:alnum:]]+)-[[:alnum:]]+:.*/\1/")
++    echo -n "  local DN matches CN=${name}.strongswan.org: "
++    if echo "${sa}" | grep -qE "^[[:blank:]]*local.*CN=${name}\.strongswan\.org"; then
++        echo "OK"
++    else
++        echo "FAIL"
++        failures=$((failures+1))
++    fi
++
++    # parse the connection name from the first line: $local-$remote: #1,....
++    name=$(echo "${sa}" | head -n 1 | sed -r "s/^[[:alnum:]]+-([[:alnum:]]+):.*/\1/")
++    echo -n "  remote DN matches CN=${name}.strongswan.org: "
++    if echo "${sa}" | grep -qE "^[[:blank:]]*remote.*CN=${name}\.strongswan\.org"; then
++        echo "OK"
++    else
++        echo "FAIL"
++        failures=$((failures+1))
++    fi
++
++    echo -n "  local IP matches local peer: "
++    ip=$(lxc exec "${me}" -- dig +short "${me}.lxd")/32
++    sa_ip=$(echo "${sa}" | sed -n -r "s,^[[:blank:]]+local[[:blank:]]+([0-9.]+/32),\1,p")
++    if [ "${ip}" = "${sa_ip}" ]; then
++        echo "OK"
++    else
++        echo "FAIL: local ip ${ip} != SA local ip ${sa_ip}"
++        failures=$((failures+1))
++    fi
++
++    echo -n "  remote IP matches remote peer: "
++    ip=$(lxc exec "${me}" -- dig +short "${REMOTE[${me}]}.lxd")/32
++    sa_ip=$(echo "${sa}" | sed -n -r "s,^[[:blank:]]+remote[[:blank:]]+([0-9.]+/32),\1,p")
++    if [ "${ip}" = "${sa_ip}" ]; then
++        echo "OK"
++    else
++        echo "FAIL: remote ip ${ip} != SA remote ip ${sa_ip}"
++        failures=$((failures+1))
++    fi
++
++    # TODO: check for cipher, if it matches the algo used in the pubkey
++    # TODO: check for traffic, should not be zero
++
++    return ${failures}
++}
++
++_setup_peer() {
++    local peer="${1}"
++    local algo="${2}"
++    local key_file="${WORKDIR}/${peer}Key.pem"
++    local cert_file="${WORKDIR}/${peer}Cert.pem"
++
++    pki --gen --type "${algo}" --outform pem > "${key_file}"
++
++    pki --req --type priv --in "${key_file}" \
++        --dn "C=CH, O=strongswan, CN=${peer}.strongswan.org" \
++        --san "${peer}.strongswan.org" --outform pem > "${REQ_FILE}"
++
++    pki --issue --cacert "${CA_CERT_FILE}" --cakey "${CA_KEY_FILE}" \
++        --type pkcs10 --in "${REQ_FILE}" --serial 01 --lifetime 5 \
++        --outform pem --flag serverAuth > "${cert_file}"
++}
++
++_setup_lxd() {
++    lxd init --auto
++    network=$(lxc network list --format=compact | grep -E "bridge.*YES.*CREATED" | awk '{print $1}')
++    lxc network set "${network:-lxdbr0}" ipv6.address=none
++    if [ -n "${http_proxy}" ]; then
++        lxc config set core.proxy_http "${http_proxy}"
++    fi
++    if [ -n "${https_proxy}" ]; then
++        lxc config set core.proxy_https "${https_proxy}"
++    fi
++    if [ -n "${noproxy}" ]; then
++        lxc config set core.proxy_ignore_hosts "${noproxy}"
++    fi
++}
++
++_setup_host_containers() {
++    local release
++    local ip
++    local -i result=0
++    local -a deps
++
++    release=$(lsb_release -cs)
++    readarray -t deps < <(get_test_dependencies "${TESTNAME}" snapd dctrl-tools)
++
++    for container in "${PEERS[@]}"; do
++        echo "Launching container ${container} with release ${release}"
++        lxc launch "ubuntu-daily:${release}" "${container}" -c security.nesting=true -q
++        echo -en "Waiting for container ${container} to be ready "
++        wait_container_ready "${container}"
++
++        echo "Copying over /etc/apt to container ${container}"
++        lxc exec "${container}" -- rm -rf /etc/apt
++        lxc exec "${container}" -- mkdir -p /etc/apt
++        tar -cC /etc/apt . | lxc exec "${container}" -- tar -xC /etc/apt
++
++        echo "Installing deps in container ${container} (${deps[*]})"
++        output=$(lxc exec "${container}" -- apt-get update -q) || {
++            result=$?
++            echo "apt-get update failed in container ${container}"
++            echo "${output}"
++            return ${result}
++        }
++        output=$(lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get dist-upgrade -q -y) || {
++            result=$?
++            echo "apt-get dist-upgrade failed in container ${container}"
++            echo "${output}"
++            return ${result}
++        }
++        output=$(lxc exec "${container}" --env DEBIAN_FRONTEND=noninteractive -- apt-get install -q -y "${deps[@]}") || {
++            result=$?
++            echo "apt-get install ${deps[*]} failed in container ${container}"
++            echo "${output}"
++            return ${result}
++        }
++        echo "Done for container ${container}"
++    done
++}
++
++_setup_host_containers_certs() {
++    for container in "${PEERS[@]}"; do
++        echo "Copying ${CA_CERT_FILE} to container ${container}"
++        lxc file push "${CA_CERT_FILE}" "${container}/etc/swanctl/x509ca/"
++
++        echo "Copying ${container} cert and key"
++        lxc file push "${WORKDIR}/${container}Key.pem" "${container}/etc/swanctl/private/"
++        lxc file push "${WORKDIR}/${container}Cert.pem" "${container}/etc/swanctl/x509/"
++    done
++}
++
++_setup_host_containers_strongswan() {
++    local config
++
++    config=$(mktemp)
++
++    for peer in "${PEERS[@]}"; do
++        conn_name="${peer}-${REMOTE[${peer}]}"
++        cat > "${config}" <<EOF
++connections {
++    ${conn_name} {
++        remote_addrs = ${REMOTE[${peer}]}.lxd
++        local {
++            auth=pubkey
++            certs = ${peer}Cert.pem
++        }
++        remote {
++            auth = pubkey
++            id = "C=CH, O=strongswan, CN=${REMOTE[${peer}]}.strongswan.org"
++        }
++        children {
++            ${conn_name} {
++                start_action = trap
++            }
++        }
++    }
++}
++EOF
++        lxc file push "${config}" "${peer}/etc/swanctl/conf.d/${conn_name}.conf"
++        echo "Loading creds in container ${peer}"
++        lxc exec "${peer}" -- swanctl --load-creds
++        echo "Loading connections in container ${peer}"
++        lxc exec "${peer}" -- swanctl --load-conns
++    done
++}
++
++setup() {
++    local algo=${1:-ed25519}
++    echo "Creating a CA"
++    echo
++    echo "Generating private key for CA"
++    pki --gen --type "${algo}" --outform pem > "${CA_KEY_FILE}"
++
++    echo "Generating self-signed certificate for CA"
++    pki \
++        --self --ca --lifetime 10 --in "${CA_KEY_FILE}" \
++        --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
++        --outform pem > "${CA_CERT_FILE}"
++    echo "Here is the CA cert:"
++    pki --print --in "${CA_CERT_FILE}"
++
++    for peer in "${PEERS[@]}"; do
++        echo "Generating key and certificate for peer ${peer}"
++        _setup_peer "${peer}" "${algo}"
++    done
++
++    echo "Setting up host LXD"
++    _setup_lxd
++
++    echo "Creating host containers"
++    _setup_host_containers
++
++    echo "Copy certificates to containers"
++    _setup_host_containers_certs
++
++    echo "Configuring strongswan in containers"
++    _setup_host_containers_strongswan
++}
++
++test_ping() {
++    for peer in "${PEERS[@]}"; do
++        echo "Generating traffic from ${peer} to ${REMOTE[${peer}]}"
++        # first ping to establish the tunnel always fails
++        lxc exec "${peer}" -- ping -c 2 -W 3 "${REMOTE[${peer}]}.lxd" > /dev/null 2>&1 || :
++        # this one must work
++        lxc exec "${peer}" -- ping -c 4 -W 3 "${REMOTE[${peer}]}.lxd"
++        echo
++    done
++}
++
++test_sa() {
++    for peer in "${PEERS[@]}"; do
++        sa=$(lxc exec "${peer}" -- swanctl --list-sas)
++        echo "This is the ${peer} SA:"
++        if [ -z "${sa}" ]; then
++            echo "FAILED: SA is empty (swanctl --list-sas)"
++            return 1
++        fi
++        echo "${sa}"
++        echo
++        check_sa "${peer}" "${sa}"
++        echo
++    done
++}
++
++test_pol() {
++    for peer in "${PEERS[@]}"; do
++        pol=$(lxc exec "${peer}" -- swanctl --list-pols)
++        echo "This is the ${peer} policy:"
++        if [ -z "${pol}" ]; then
++            echo "FAILED: pol is empty (swanctl --list-pols)"
++            return 1
++        fi
++        echo "${pol}"
++        echo
++        check_pol "${peer}" "${pol}"
++        echo
++    done
++}
++
++
++# the lxd deb package last existed in focal, so we install the snap
++snap list lxd > /dev/null 2>&1 || snap install lxd
++
++setup "${PUBKEY_ALGO}"
++
++test_ping
++test_sa
++test_pol
 diff --git a/debian/tests/utils b/debian/tests/utils
 new file mode 100644
 index 0000000..e8a8584
 --- /dev/null
 +++ b/debian/tests/utils
@@ -0,0 +1,61 @@
++wait_container_ready() {
++    local container="${1}"
++    local -i limit=300 # seconds
++    local -i i=0
++    while /bin/true; do
++        ip=$(lxc list "${container}" -c 4 --format=compact | tail -1 | awk '{print $1}')
++        if [ -n "${ip}" ]; then
++            break
++        fi
++        i=$((i+1))
++        if [ ${i} -ge ${limit} ]; then
++            return 1
++        fi
++        sleep 1s
++        echo -n "."
++    done
++    while ! nc -z "${ip}" 22; do
++        echo -n "."
++        i=$((i+1))
++        if [ ${i} -ge ${limit} ]; then
++            return 1
++        fi
++        sleep 1s
++    done
++    # cloud-init might still be doing things...
++    # this call blocks, so wrap it in its own little timeout
++    # Give it ${limit} seconds too
++    output=$(lxc exec "${container}" -- timeout --verbose ${limit} cloud-init status --wait) || {
++        result=$?
++        echo "cloud-init status --wait failed on container ${container}"
++        echo "${output}"
++        return ${result}
++    }
++    echo
++}
++
++get_test_dependencies() {
++    local test_name="${1}"
++    shift
++    local exclusions="$*"
++    # Get test dependencies which we need to install in the containers
++    # we will create:
++    # -s: show Depends field
++    # -n: omit field name in output
++    # -X: do an exact match, instead of substring
++    # -F Tests: apply regexp to Tests field
++    depends=$(grep-dctrl -s Depends -n -F Tests -X "${test_name}" debian/tests/control | tr -d ,)
++    [ -n "${depends}" ] || {
++        echo "Failed to obtain list of dependencies for this test"
++        return 1
++    }
++    # remove exclusions, if any
++    for p in ${depends}; do
++        if echo "${exclusions}" | grep -qwF "${p}"; then
++            continue
++        else
++            echo "${p}"
++        fi
++    done
++}
++
 diff --git a/debian/usr.sbin.swanctl b/debian/usr.sbin.swanctl
 index 455c7cb..54c2b06 100644
 --- a/debian/usr.sbin.swanctl
 +++ b/debian/usr.sbin.swanctl
@@ -22,7 +22,7 @@
    /run/charon.vici              rw,
    # Allow reading own binary
--  /usr/sbin/swanctl             r,
++  /usr/sbin/swanctl             rm,
    # for af-alg plugin
    network alg seqpacket,

Ubuntustrongswan package

Merge ~ahasenack/ubuntu/+source/strongswan:noble-strongswan-merge-1 into ubuntu/+source/strongswan:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
strongswan package