Merge ~paelzer/ubuntu/+source/strongswan:lp1753018-remerge-bionic into ubuntu/+source/strongswan:debian/sid
Status: | Merged
---|---
Merge reported by: | Christian Ehrhardt
Merged at revision: | 7dac81e8309161dde75495ad8c7a717d57799fc0
Proposed branch: | ~paelzer/ubuntu/+source/strongswan:lp1753018-remerge-bionic
Merge into: | ubuntu/+source/strongswan:debian/sid
Diff against target: | 1989 lines (+1466/-96), 18 files modified

Files modified:
- debian/changelog (+1082/-0)
- debian/control (+128/-12)
- debian/ipsec.secrets.proto (+0/-3)
- debian/libcharon-extra-plugins.install (+64/-12)
- debian/libcharon-standard-plugins.install (+19/-0)
- debian/libstrongswan-extra-plugins.install (+58/-0)
- debian/libstrongswan.install (+11/-6)
- debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0)
- debian/patches/series (+1/-0)
- debian/rules (+50/-6)
- debian/strongswan-starter.install (+4/-0)
- debian/strongswan-starter.maintscript (+1/-0)
- debian/strongswan-starter.postinst (+0/-57)
- debian/strongswan-tnc-base.install (+16/-0)
- debian/strongswan-tnc-client.install (+5/-0)
- debian/strongswan-tnc-ifmap.install (+3/-0)
- debian/strongswan-tnc-pdp.install (+3/-0)
- debian/strongswan-tnc-server.install (+10/-0)

Reviewer | Review Type | Date Requested | Status
---|---|---|---
Andreas Hasenack | | | Approve
Canonical Server | | | Pending
git-ubuntu developers | | | Pending

Review via email: mp+341514@code.launchpad.net
Christian Ehrhardt (paelzer) wrote:
Andreas Hasenack (ahasenack) wrote:
Taking a look.
Andreas Hasenack (ahasenack) wrote:
First, could you please push the tags? :)
I hit an upgrade error:
The following packages will be upgraded:
libcharon-
strongswan-charon strongswan-
17 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1.795 kB of archives.
After this operation, 57,3 kB of additional disk space will be used.
Get:1 http://
Get:2 http://
Get:3 http://
Get:4 http://
Get:5 http://
Get:6 http://
Get:7 http://
Get:8 http://
Get:9 http://
Get:10 http://
Get:11 http://
Get:12 http://
Get:13 http://
Get:14 http://
Get:15 http://
Get:16 http://
Andreas Hasenack (ahasenack) wrote:
The rest is ok:
- strongswan-nm is now linked with libnm instead of libnm-glib. Build-deps adjusted accordingly. This is potentially a bigger code change, but if the -glib backend was deprecated already, it's good to start fresh in a new LTS. I would just keep an eye open for new bugs about this change upstream
- save-keys plugin is disabled by default
- bypass-lan plugin is built, but disabled by default in the config via a debian patch
Christian Ehrhardt (paelzer) wrote:
Thanks for the check, the tags to some extent didn't create due to known issues in git ubuntu.
I those that failed manually now and push them ...
The upgrade issue is a good catch.
Debian moved that and we need to bump the breaks/replaces to match our versions.
Fix is easy, I'm testing it and will push once confirmed.
- ccddd22... by Christian Ehrhardt
  d/control: bump breaks/replaces for the move of the updown plugin (Droppable >18.04).
  Signed-off-by: Christian Ehrhardt <email address hidden>
- a5bc697... by Christian Ehrhardt
  changelog: d/control: bump breaks/replaces for the move of the updown plugin (Droppable >18.04).
  Signed-off-by: Christian Ehrhardt <email address hidden>
- 7dac81e... by Christian Ehrhardt
  REMOVEME ppa build
  Signed-off-by: Christian Ehrhardt <email address hidden>
Christian Ehrhardt (paelzer) wrote:
$ git push --dry-run paelzer lp1753018/
To ssh://<email address hidden>
* [new tag] lp1753018/
* [new tag] lp1753018/
* [new tag] lp1753018/
* [new tag] lp1753018/
* [new tag] lp1753018/
* [new tag] lp1753018/
Christian Ehrhardt (paelzer) wrote:
Ok, the new ppa build 5.6.2-1ubuntu2~ppa1 worked and there were no other similar collisions on the upgrade.
That said please re-review for final ack please.
Christian Ehrhardt (paelzer) wrote:
Thanks for the review,
tag pushed and package uploaded.
Christian Ehrhardt (paelzer) wrote:
FYI - we both overlooked that
strongswan-
is actually wrong.
It worked fine in the ppa test because the ppa was on 5.6.2-1ubuntu2~ppa1 at the time.
Nevertheless, correct is:
strongswan-
Fixing as a follow on.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 2eab197..e54e4d9 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,64 @@ |
6 | +strongswan (5.6.2-1ubuntu2~ppa1) bionic; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable (LP: #1753018). Remaining changes: |
9 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
10 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
11 | + opportunistic encryption disabling - this was never in strongSwan and |
12 | + won't be see upstream issue #2160. |
13 | + + Ubuntu is not using the debconf triggered private key generation |
14 | + - d/rules: Removed patching ipsec.conf on build (not using the |
15 | + debconf-managed config.) |
16 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
17 | + used for debconf-managed include of private key). |
18 | + + Mass enablement of extra plugins and features to allow a user to use |
19 | + strongswan for a variety of extra use cases without having to rebuild. |
20 | + - d/control: Add required additional build-deps |
21 | + - d/control: Mention addtionally enabled plugins |
22 | + - d/rules: Enable features at configure stage |
23 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
24 | + - d/libstrongswan.install: Add plugins (so, conf) |
25 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
26 | + we have attr-sql plugin enabled as well using it. |
27 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
28 | + via this userspace implementation (please do note that this is still |
29 | + considered experimental by upstream). |
30 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
31 | + - d/control: List kernel-libipsec plugin at extra plugins description |
32 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
33 | + upstream recommends to not load kernel-libipsec by default. |
34 | + + Relocate tnc plugin |
35 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
36 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
37 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
38 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
39 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
40 | + it is no more packaging medcli and medsrv, but still builds and |
41 | + mentions it. |
42 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
43 | + - d/control: Remove medcli, medsrv from package description |
44 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
45 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
46 | + libstrongswan-extra-plugins (no deps from default plugins). |
47 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
48 | + missed that, droppable after 18.04) |
49 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
50 | + plugins for the most common use cases from extra-plugins into a new |
51 | + standard-plugins package. This will allow those use cases without pulling |
52 | + in too much more plugins (a bit like the tnc package). Recommend that |
53 | + package from strongswan-libcharon. |
54 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
55 | + libstrongswan as we dropped relocating ccm and test-vectors. |
56 | + (droppable >18.04). |
57 | + + d/control: add breaks/replace from libstrongswan to |
58 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
59 | + (droppable >18.04). |
60 | + * Added Changes: |
61 | + + d/control: bump breaks/replaces from strongswan-libcharon to strongswan- |
62 | + starter as we followed Debian to move the updown plugin but need to |
63 | + match Ubuntu versions (Droppable >18.04). |
64 | + |
65 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Mar 2018 11:08:47 +0100 |
66 | + |
67 | strongswan (5.6.2-1) unstable; urgency=medium |
68 | |
69 | * d/NEWS: add information about disabled algorithms (closes: #883072) |
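Review bot: the new top entry is still versioned `5.6.2-1ubuntu2~ppa1`, which is a PPA test version (the branch also carries a commit titled "REMOVEME ppa build"). The upload needs the final version without the `~ppa1` suffix, and the bumped breaks/replaces bounds in d/control should be checked against that final version, because a `~ppa1` version sorts before it and a bound that is satisfied in the PPA may not be satisfied in the archive. While editing this entry, fix the carried-over slips: "d/libbstrongswan-extra-plugins.install" (double b), "addtionally", "precies", and the run-on "this was never in strongSwan and won't be see upstream issue #2160".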
70 | @@ -20,6 +81,129 @@ strongswan (5.6.1-3) unstable; urgency=medium |
71 | |
72 | -- Yves-Alexis Perez <corsac@debian.org> Sun, 17 Dec 2017 16:40:39 +0100 |
73 | |
74 | +strongswan (5.6.1-2ubuntu4) bionic; urgency=medium |
75 | + |
76 | + * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature |
77 | + - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm |
78 | + identifier without parameters in |
79 | + src/libstrongswan/credentials/keys/signature_params.c. |
80 | + - CVE-2018-6459 |
81 | + |
82 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 07 Mar 2018 14:52:02 +0100 |
83 | + |
84 | +strongswan (5.6.1-2ubuntu3) bionic; urgency=medium |
85 | + |
86 | + * No-change rebuild against libcurl4 |
87 | + |
88 | + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 28 Feb 2018 08:52:09 +0000 |
89 | + |
90 | +strongswan (5.6.1-2ubuntu2) bionic; urgency=high |
91 | + |
92 | + * No change rebuild against openssl1.1. |
93 | + |
94 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Feb 2018 16:00:24 +0000 |
95 | + |
96 | +strongswan (5.6.1-2ubuntu1) bionic; urgency=medium |
97 | + |
98 | + * Merge with Debian unstable (LP: #1717343). |
99 | + Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes: |
100 | + + Clean up d/strongswan-starter.postinst: section about runlevel changes |
101 | + + Clean up d/strongswan-starter.postinst: Removed entire section on |
102 | + opportunistic encryption disabling - this was never in strongSwan and |
103 | + won't be see upstream issue #2160. |
104 | + + Ubuntu is not using the debconf triggered private key generation |
105 | + - d/rules: Removed patching ipsec.conf on build (not using the |
106 | + debconf-managed config.) |
107 | + - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was |
108 | + used for debconf-managed include of private key). |
109 | + + Mass enablement of extra plugins and features to allow a user to use |
110 | + strongswan for a variety of extra use cases without having to rebuild. |
111 | + - d/control: Add required additional build-deps |
112 | + - d/control: Mention addtionally enabled plugins |
113 | + - d/rules: Enable features at configure stage |
114 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
115 | + - d/libstrongswan.install: Add plugins (so, conf) |
116 | + + d/strongswan-starter.install: Install pool feature, which is useful since |
117 | + we have attr-sql plugin enabled as well using it. |
118 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
119 | + via this userspace implementation (please do note that this is still |
120 | + considered experimental by upstream). |
121 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
122 | + - d/control: List kernel-libipsec plugin at extra plugins description |
123 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
124 | + upstream recommends to not load kernel-libipsec by default. |
125 | + + Relocate tnc plugin |
126 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
127 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
128 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
129 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
130 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
131 | + it is no more packaging medcli and medsrv, but still builds and |
132 | + mentions it. |
133 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
134 | + - d/control: Remove medcli, medsrv from package description |
135 | + + d/control: Mention mgf1 plugin which is in libstrongswan now |
136 | + + Add now built (since 5.5.1) libraries libtpmtss and nttfft to |
137 | + libstrongswan-extra-plugins (no deps from default plugins). |
138 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
139 | + missed that, droppable after 18.04) |
140 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
141 | + plugins for the most common use cases from extra-plugins into a new |
142 | + standard-plugins package. This will allow those use cases without pulling |
143 | + in too much more plugins (a bit like the tnc package). Recommend that |
144 | + package from strongswan-libcharon. |
145 | + * Added changes: |
146 | + + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed |
147 | + in 5.6 |
148 | + + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed |
149 | + + d/control: bump breaks/replaces from libstrongswan-extra-plugins to |
150 | + libstrongswan as we dropped relocating ccm and test-vectors. |
151 | + (droppable >18.04). |
152 | + - d/control: add breaks/replace from libstrongswan to |
153 | + libstrongswan-extra-plugins for the move of mgf1 to libstrongswan. |
154 | + (droppable >18.04). |
155 | + * Dropped changes: |
156 | + + Update init/service handling (debian default matches Ubuntu past now) |
157 | + Dropping this fixes (LP: #1734886) |
158 | + - d/rules: Change init/systemd program name to strongswan |
159 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
160 | + patching upstream |
161 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
162 | + linking to upstream |
163 | + + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call |
164 | + (this is a never failing no-op for us, no need for Delta). |
165 | + + d/strongswan-starter.prerm: Stop strongswan service on package removal |
166 | + (ipsec now maps to strongswan service, so this works as-is). |
167 | + + Clean up d/strongswan-starter.postinst: rename service ipsec to |
168 | + strongswan (ipsec now maps to strongswan service, so this works as-is) |
169 | + + Clean up d/strongswan-starter.postinst: daemon enable/disable (the |
170 | + whole section is disabled, so no need for delta) |
171 | + + (is upstream) CVE-2017-11185 patches |
172 | + + (is upstream) FTBFS upstream fix for changed include files |
173 | + + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under |
174 | + QEMU/KVM autopkgtest the bliss test takes longer than the default |
175 | + + (in Debian) add now built (since 5.5.1) mgf1 plugin to |
176 | + libstrongswan-extra-plugins. |
177 | + + (in Debian) d/strongswan-starter.install: install stroke apparmor profile |
178 | + + (this was enabled as part of the former delta, squash changes to no-up) |
179 | + d/rules: Disable duplicheck. |
180 | + + (not needed) Relocate plugins test-vectors from extra-plugins to |
181 | + libstrongswan |
182 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
183 | + - d/libstrongswan.install: Add plugins/confiles |
184 | + - d/control: move package descriptions and add required breaks/replaces |
185 | + + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan |
186 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
187 | + - d/libstrongswan.install: Add plugins/confiles |
188 | + - d/control: move package descriptions and add required breaks/replaces |
189 | + + (while using it requires special kernel, it does not hurt to be |
190 | + available in the package) Remove ha plugin |
191 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
192 | + - d/rules: Do not enable ha plugin |
193 | + - d/control: Drop listing the ha plugin in the package description |
194 | + |
195 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 29 Nov 2017 15:55:18 +0100 |
196 | + |
197 | strongswan (5.6.1-2) unstable; urgency=medium |
198 | |
199 | * move counters plugin from -starter to -libcharon. closes: #882431 |
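Review bot: 5.6.1-2ubuntu4 shipped debian/patches/CVE-2018-6459.patch, but the new 5.6.2-1ubuntu2~ppa1 entry has only "Remaining changes" and "Added Changes" and never says what happened to that patch. The 5.6.1-2ubuntu1 entry in this hunk records the equivalent case as "(is upstream) CVE-2017-11185 patches"; if the CVE-2018-6459 patch was dropped because 5.6.2 contains the fix, add a "Dropped changes" line saying so, so that the changelog alone shows the security fix survives the merge. Separately, in the "Added changes" of 5.6.1-2ubuntu1 the last item ("d/control: add breaks/replace from libstrongswan to libstrongswan-extra-plugins ...") is marked "-" as if nested under the previous item, while the new top entry lists the same change as its own "+" item.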
200 | @@ -106,6 +290,213 @@ strongswan (5.5.2-1) experimental; urgency=medium |
201 | |
202 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 19 May 2017 11:32:00 +0200 |
203 | |
204 | +strongswan (5.5.1-4ubuntu3) bionic; urgency=medium |
205 | + |
206 | + * Fix Artful FTBFS due to newer glibc (LP: #1724859) |
207 | + - d/p/utils-Include-stdint.h.patch: upstream fix for changed include |
208 | + files. |
209 | + |
210 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 19 Oct 2017 15:18:52 +0200 |
211 | + |
212 | +strongswan (5.5.1-4ubuntu2) artful; urgency=medium |
213 | + |
214 | + * SECURITY UPDATE: Fix RSA signature verification |
215 | + - debian/patches/CVE-2017-11185.patch: does some |
216 | + verifications in order to avoid null-point dereference |
217 | + in src/libstrongswan/gmp/gmp_rsa_public_key.c |
218 | + - CVE-2017-11185 |
219 | + |
220 | + -- Leonidas S. Barbosa <leo.barbosa@canonical.com> Tue, 15 Aug 2017 14:49:49 -0300 |
221 | + |
222 | +strongswan (5.5.1-4ubuntu1) artful; urgency=medium |
223 | + |
224 | + * Merge from Debian to pick up latest security changes (CVE-2017-9022, |
225 | + CVE-2017-9023). |
226 | + * Remaining Changes: |
227 | + + Update init/service handling |
228 | + - d/rules: Change init/systemd program name to strongswan |
229 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
230 | + patching upstream |
231 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
232 | + linking to upstream |
233 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
234 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
235 | + removal (as opposed to using the old init.d script). |
236 | + + Clean up d/strongswan-starter.postinst: |
237 | + - Removed section about runlevel changes |
238 | + - Adapted service restart section for Upstart (kept to be Trusty |
239 | + backportable). |
240 | + - Remove old symlinks to init.d files is necessary. |
241 | + - Removed further out-dated code |
242 | + - Removed entire section on opportunistic encryption - this was never in |
243 | + strongSwan. |
244 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
245 | + + Mass enablement of extra plugins and features to allow a user to use |
246 | + strongswan for a variety of use cases without having to rebuild. |
247 | + - d/control: Add required additional build-deps |
248 | + - d/rules: Enable features at configure stage |
249 | + - d/control: Mention addtionally enabled plugins |
250 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
251 | + - d/libstrongswan.install: Add plugins (so, conf) |
252 | + + d/rules: Disable duplicheck as per |
253 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
254 | + + Remove ha plugin (requires special kernel) |
255 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
256 | + - d/rules: Do not enable ha plugin |
257 | + - d/control: Drop listing the ha plugin in the package description |
258 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
259 | + via this userspace implementation (please do note that this is still |
260 | + considered experimental by upstream). |
261 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
262 | + - d/control: List kernel-libipsec plugin at extra plugins description |
263 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
264 | + upstream recommends to not load kernel-libipsec by default. |
265 | + + Relocate tnc plugin |
266 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
267 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
268 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
269 | + having attr-sql plugin that is enabled now. |
270 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
271 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
272 | + - d/libstrongswan.install: Add plugins/confiles |
273 | + - d/control: move package descriptions and add required breaks/replaces |
274 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
275 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
276 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
277 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
278 | + autopkgtest the bliss test takes longer than the default (Upstream in |
279 | + 5.5.2 via issue 2204) |
280 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
281 | + it is no more packaging medcli and medsrv, but still builds and |
282 | + mentions it. |
283 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
284 | + - d/control: Remove medcli, medsrv from package description |
285 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
286 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
287 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
288 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
289 | + libstrongswan-extra-plugins. |
290 | + + Add missing mention of md4 plugin in d/control |
291 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
292 | + missed that) |
293 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
294 | + plugins for the most common use cases from extra-plugins into a new |
295 | + standard-plugins package. This will allow those use cases without pulling |
296 | + in too much more plugins (a bit like the tnc package). Recommend that |
297 | + package from strongswan-libcharon. |
298 | + |
299 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 31 May 2017 15:57:54 +0200 |
300 | + |
301 | +strongswan (5.5.1-3ubuntu1) artful; urgency=medium |
302 | + |
303 | + * Merge from Debian to pick up latest changes. Among others this includes: |
304 | + - a lot of the Delta we upstreamed to Debian (more discussions are ongoing |
305 | + but likely have to wait until Debian stretch was released) |
306 | + - enabling mediation support (LP: #1657413) |
307 | + * Remaining Changes: |
308 | + + Update init/service handling |
309 | + - d/rules: Change init/systemd program name to strongswan |
310 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
311 | + patching upstream |
312 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
313 | + linking to upstream |
314 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
315 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
316 | + removal (as opposed to using the old init.d script). |
317 | + + Clean up d/strongswan-starter.postinst: |
318 | + - Removed section about runlevel changes |
319 | + - Adapted service restart section for Upstart (kept to be Trusty |
320 | + backportable). |
321 | + - Remove old symlinks to init.d files is necessary. |
322 | + - Removed further out-dated code |
323 | + - Removed entire section on opportunistic encryption - this was never in |
324 | + strongSwan. |
325 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
326 | + + Mass enablement of extra plugins and features to allow a user to use |
327 | + strongswan for a variety of use cases without having to rebuild. |
328 | + - d/control: Add required additional build-deps |
329 | + - d/rules: Enable features at configure stage |
330 | + - d/control: Mention addtionally enabled plugins |
331 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
332 | + - d/libstrongswan.install: Add plugins (so, conf) |
333 | + + d/rules: Disable duplicheck as per |
334 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
335 | + + Remove ha plugin (requires special kernel) |
336 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
337 | + - d/rules: Do not enable ha plugin |
338 | + - d/control: Drop listing the ha plugin in the package description |
339 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
340 | + via this userspace implementation (please do note that this is still |
341 | + considered experimental by upstream). |
342 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
343 | + - d/control: List kernel-libipsec plugin at extra plugins description |
344 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
345 | + upstream recommends to not load kernel-libipsec by default. |
346 | + + Relocate tnc plugin |
347 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
348 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
349 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
350 | + having attr-sql plugin that is enabled now. |
351 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
352 | + - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles |
353 | + - d/libstrongswan.install: Add plugins/confiles |
354 | + - d/control: move package descriptions and add required breaks/replaces |
355 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
356 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
357 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
358 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
359 | + autopkgtest the bliss test takes longer than the default (Upstream in |
360 | + 5.5.2 via issue 2204) |
361 | + + Complete the disabling of libfast; This was partially accepted in Debian, |
362 | + it is no more packaging medcli and medsrv, but still builds and |
363 | + mentions it. |
364 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
365 | + - d/control: Remove medcli, medsrv from package description |
366 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
367 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
368 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
369 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
370 | + libstrongswan-extra-plugins. |
371 | + + Add missing mention of md4 plugin in d/control |
372 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
373 | + missed that) |
374 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
375 | + plugins for the most common use cases from extra-plugins into a new |
376 | + standard-plugins package. This will allow those use cases without pulling |
377 | + in too much more plugins (a bit like the tnc package). Recommend that |
378 | + package from strongswan-libcharon. |
379 | + * Dropped Changes: |
380 | + + Add and install apparmor profiles (in Debian) |
381 | + - d/rules: Install AppArmor profiles |
382 | + - d/control: Add dh-apparmor build-dep |
383 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
384 | + for charon, lookip and stroke |
385 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
386 | + - d/strongswan-charon.install: Install profile for charon |
387 | + - d/strongswan-starter.install: Install profile for stroke |
388 | + - Fix strongswan ipsec status issue with apparmor |
389 | + - Fix Dep8 tests for the now extra strongswan-pki package for pki |
390 | + - Fix Dep8 tests for the now extra strongswan-scepclient package |
391 | + + d/rules: Sorted and only one enable option per configure line (in |
392 | + Debian) |
393 | + + Add updated logcheck rules (in Debian) |
394 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
395 | + - debian/strongswan.logcheck: Add updated logcheck rules |
396 | + + Add updated DEP8 tests (in Debian) |
397 | + - d/tests/*: Add DEP8 tests |
398 | + - d/control: Enable autotestpkg |
399 | + + d/rules: do not strip for library integrity checking (After Discussion |
400 | + with Debian this isn't acceptable there, but at the same time it turned |
401 | + out the real use-case of this never uses this lib but instead third |
402 | + party checks of checksums for e.g. FIPS cert; so drop the Delta) |
403 | + - Use override_dh_strip to to avoid overwriting user build flags. |
404 | + - Add missing mention of libchecksum integrity test in d/control |
405 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
406 | + in tests to avoid issues in low entropy environments. (Debian has |
407 | + disabled !x86 tests for the same reason, one solution is enough) |
408 | + |
409 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 04 May 2017 14:06:23 +0200 |
410 | + |
411 | strongswan (5.5.1-3) unstable; urgency=medium |
412 | |
413 | [ Christian Ehrhardt ] |
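Review bot: the 5.5.1-x entries re-added here describe earlier Ubuntu versions (dated 2017), so they should match the changelog text of those uploads exactly; please confirm this hunk is a straight re-import and not a re-typed or edited copy. That means wording slips such as "Remove old symlinks to init.d files is necessary" and "Use override_dh_strip to to avoid" stay as they are in these historical entries, and any cleanup goes only into the new top entry.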
414 | @@ -139,6 +530,136 @@ strongswan (5.5.1-2) unstable; urgency=medium |
415 | |
416 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 07 Dec 2016 08:34:52 +0100 |
417 | |
418 | +strongswan (5.5.1-1ubuntu2) zesty; urgency=medium |
419 | + |
420 | + * Update Maintainers which was missed while merging 5.5.1-1. |
421 | + |
422 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 19 Dec 2016 16:02:40 +0100 |
423 | + |
424 | +strongswan (5.5.1-1ubuntu1) zesty; urgency=medium |
425 | + |
426 | + * Merge from Debian (complex delta, discussions and broken out changes can be |
427 | + found in the merge proposal linked from the merge bug LP: #1631198) |
428 | + * Remaining Changes: |
429 | + + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity |
430 | + checking. |
431 | + + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths |
432 | + in tests to avoid issues in low entropy environments. |
433 | + + Update init/service handling |
434 | + - d/rules: Change init/systemd program name to strongswan |
435 | + - d/strongswan-starter.strongswan.service: Add new systemd file instead of |
436 | + patching upstream |
437 | + - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of |
438 | + linking to upstream |
439 | + - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
440 | + - d/strongswan-starter.prerm: Stop strongswan service on package |
441 | + removal (as opposed to using the old init.d script). |
442 | + + Clean up d/strongswan-starter.postinst: |
443 | + - Removed section about runlevel changes |
444 | + - Adapted service restart section for Upstart (kept to be Trusty |
445 | + backportable). |
446 | + - Remove old symlinks to init.d files is necessary. |
447 | + - Removed further out-dated code |
448 | + - Removed entire section on opportunistic encryption - this was never in |
449 | + strongSwan. |
450 | + + Add and install apparmor profiles |
451 | + - d/rules: Install AppArmor profiles |
452 | + - d/control: Add dh-apparmor build-dep |
453 | + - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles |
454 | + for charon, lookip and stroke |
455 | + - d/libcharon-extra-plugins.install: Install profile for lookip |
456 | + - d/strongswan-charon.install: Install profile for charon |
457 | + - d/strongswan-starter.install: Install profile for stroke |
458 | + + d/rules: Removed pieces on 'patching ipsec.conf' on build. |
459 | + + d/rules: Sorted and only one enable option per configure line |
460 | + + Mass enablement of extra plugins and features to allow a user to use |
461 | + strongswan for a variety of use cases without having to rebuild. |
462 | + - d/control: Add required additional build-deps |
463 | + - d/rules: Enable features at configure stage |
464 | + - d/control: Mention addtionally enabled plugins |
465 | + - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf) |
466 | + - d/libstrongswan.install: Add plugins (so, conf) |
467 | + + d/rules: Disable duplicheck as per |
468 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
469 | + + Remove ha plugin (requires special kernel) |
470 | + - d/libcharon-extra-plugins.install: Stop installing ha (so, conf) |
471 | + - d/rules: Do not enable ha plugin |
472 | + - d/control: Drop listing the ha plugin in the package description |
473 | + + Add plugin kernel-libipsec to allow the use of strongswan in containers |
474 | + via this userspace implementation (please do note that this is still |
475 | + considered experimental by upstream). |
476 | + - d/libcharon-extra-plugins.install: Add kernel-libipsec components |
477 | + - d/control: List kernel-libipsec plugin at extra plugins description |
478 | + - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As |
479 | + upstream recommends to not load kernel-libipsec by default. |
480 | + + Relocate tnc plugin |
481 | + - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins |
482 | + - Add new subpackage for TNC in d/strongswan-tnc-* and d/control |
483 | + + d/strongswan-starter.install: Install pool feature, that useful due to |
484 | + having attr-sql plugin that is enabled now. |
485 | + + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan |
486 | + - d/libstrongswan-extra-plugins.install: Remove plugins |
487 | + - d/libstrongswan.install: Add plugins |
488 | + + d/libstrongswan.install: Reorder conf and .so alphabetically |
489 | + + d/libstrongswan.install: Add kernel-netlink configuration files |
490 | + + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
491 | + + Add updated logcheck rules |
492 | + - debian/libstrongswan.strongswan.logcheck.*: Remove outdated files |
493 | + - debian/strongswan.logcheck: Add updated logcheck rules |
494 | + + Add updated DEP8 tests |
495 | + - d/tests/*: Add DEP8 tests |
496 | + - d/control: Enable autotestpkg |
497 | + + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM |
498 | + autopkgtest the bliss test takes longer than the default |
499 | + + Complete the disabling of libfast |
500 | + - Note: This was partially accepted in Debian, it is no more |
501 | + packaging medcli and medsrv, but still builds and mentions it |
502 | + - d/rules: Add --disable-fast to avoid build time and dependencies |
503 | + - d/control: Remove medcli, medsrv from package description |
504 | + * Dropped Changes: |
505 | + + Adding build-dep to iptables-dev (no change, was only in Changelog) |
506 | + + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian) |
507 | + + Adding strongswan-plugin-* virtual packages for dist-upgrade (no |
508 | + upgrade path left needing them) |
509 | + + Most of "disabling libfast" (Debian dropped it from package content) |
510 | + + Transition for ipsec service (no upgrade path left) |
511 | + + Reverted part of the cleanup to d/strongswan-starter.postinst as using |
512 | + service should rather use invoke-rc.d (so it is a partial revert of our |
513 | + delta) |
514 | + + Transition handling (breaks/replaces) from per-plugin packages to the |
515 | + three grouped plugin packages (no upgrade path left) |
516 | + + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct" |
517 | + it is effectively a no-op still, so not worth the delta) |
518 | + + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
519 | + (no more needed) |
520 | + + d/rules: Remove configure option --enable-unit-test (unit tests run by |
521 | + default) |
522 | + * Added Changes: |
523 | + + Fix strongswan ipsec status issue with apparmor (LP: #1587886) |
524 | + + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup |
525 | + the relocation of the ccm plugin which missed to move the conffiles. |
526 | + + Complete move of test-vectors (was missing in d/control) |
527 | + + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins. |
528 | + "only" to extra-plugins Mgf1 is not listed as default plugin at |
529 | + https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist. |
530 | + + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to |
531 | + libstrongswan-extra-plugins. |
532 | + + Add missing mention of md4 plugin in d/control |
533 | + + Add missing mention of libchecksum integrity test in d/control |
534 | + + Add rm_conffile for /etc/init.d/ipsec (transition from precies had |
535 | + missed that) |
536 | + + Use override_dh_strip to to fix library integrity checking instead of |
537 | + DEB_BUILD_OPTION to avoid overwriting user build flags. |
538 | + + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon |
539 | + plugins for the most common use cases from extra-plugins into a new |
540 | + standard-plugins package. This will allow those use cases without pulling |
541 | + in too much more plugins (a bit like the tnc package). Recommend that |
542 | + package from strongswan-libcharon (LP: #1640826). |
543 | + + Fix Dep8 tests for the now extra strongswan-pki package for pki |
544 | + + Fix Dep8 tests for the now extra strongswan-scepclient package |
545 | + |
546 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 Nov 2016 16:16:41 +0100 |
547 | + |
548 | strongswan (5.5.1-1) unstable; urgency=medium |
549 | |
550 | * New upstream bugfix release. |
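Review bot: In the entry signed Mon, 07 Nov 2016, "Remaining Changes" still lists "d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking" while "Added Changes" in the same entry says override_dh_strip is now used "instead of DEB_BUILD_OPTION", so the entry describes two conflicting states of d/rules. When the delta is restated in the new top entry for this merge, carry only the override_dh_strip item, and spell the variable DEB_BUILD_OPTIONS. The same restatement is the place to avoid copying the typos visible here ("addtionally", "d/libbstrongswan-extra-plugins.install", "precies", "to to"), since the libbstrongswan one names a file that does not match the d/libstrongswan-extra-plugins.install used everywhere else in the changelog.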
551 | @@ -255,6 +776,177 @@ strongswan (5.3.5-2) unstable; urgency=medium |
552 | |
553 | -- Yves-Alexis Perez <corsac@debian.org> Mon, 14 Mar 2016 23:53:34 +0100 |
554 | |
555 | +strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium |
556 | + |
557 | + * Build-depend on libjson-c-dev instead of libjson0-dev. |
558 | + * Rebuild against libjson-c3. |
559 | + |
560 | + -- Graham Inggs <ginggs@ubuntu.com> Fri, 29 Apr 2016 19:04:22 +0200 |
561 | + |
562 | +strongswan (5.3.5-1ubuntu3) xenial; urgency=medium |
563 | + |
564 | + * Rebuild against libmysqlclient20. |
565 | + |
566 | + -- Robie Basak <robie.basak@ubuntu.com> Tue, 05 Apr 2016 13:02:48 +0000 |
567 | + |
568 | +strongswan (5.3.5-1ubuntu2) xenial; urgency=medium |
569 | + |
570 | + * debian/tests/plugins: rdrand may or may not be loaded, depending on the |
571 | + cpu features. |
572 | + |
573 | + -- Iain Lane <iain@orangesquash.org.uk> Mon, 22 Feb 2016 17:13:01 +0000 |
574 | + |
575 | +strongswan (5.3.5-1ubuntu1) xenial; urgency=medium |
576 | + |
577 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
578 | + Enable bliss plugin |
579 | + * debian/{rules,control,libstrongswan-extra-plugins.install} |
580 | + Enable chapoly plugin |
581 | + * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
582 | + Upstream suggests to not load this plugin by default as it has |
583 | + some limitations. |
584 | + https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec |
585 | + * debian/patches/increase-bliss-test-timeout.patch |
586 | + Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default |
587 | + * Update Apparmor profiles |
588 | + - usr.lib.ipsec.charon |
589 | + - add capability audit_write for xauth-pam (LP: #1470277) |
590 | + - add capability dac_override (needed by agent plugin) |
591 | + - allow priv dropping (LP: #1333655) |
592 | + - allow caching CRLs (LP: #1505222) |
593 | + - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594) |
594 | + - usr.lib.ipsec.stroke |
595 | + - allow priv dropping (LP: #1333655) |
596 | + - add local include |
597 | + - usr.lib.ipsec.lookip |
598 | + - add local include |
599 | + * Merge from Debian, which includes fixes for all previous CVEs |
600 | + Fixes (LP: #1330504, #1451091, #1448870, #1470277) |
601 | + Remaining changes: |
602 | + * debian/control |
603 | + - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise |
604 | + - Update Maintainer for Ubuntu |
605 | + - Add build-deps |
606 | + - dh-apparmor |
607 | + - iptables-dev |
608 | + - libjson0-dev |
609 | + - libldns-dev |
610 | + - libmysqlclient-dev |
611 | + - libpcsclite-dev |
612 | + - libsoup2.4-dev |
613 | + - libtspi-dev |
614 | + - libunbound-dev |
615 | + - Drop build-deps |
616 | + - libfcgi-dev |
617 | + - clearsilver-dev |
618 | + - Create virtual packages for all strongswan-plugin-* for dist-upgrade |
619 | + - Set XS-Testsuite: autopkgtest |
620 | + * debian/rules: |
621 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
622 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
623 | + tests. |
624 | + - Change init/systemd program name to strongswan |
625 | + - Install AppArmor profiles |
626 | + - Removed pieces on 'patching ipsec.conf' on build. |
627 | + - Enablement of features per Ubuntu current config suggested from |
628 | + upstream recommendation |
629 | + - Unpack and sort enabled features to one-per-line |
630 | + - Disable duplicheck as per |
631 | + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 |
632 | + - Disable libfast (--disable-fast): |
633 | + Requires dropping medsrv, medcli plugins which depend on libfast |
634 | + - Add configure options |
635 | + --with-tss=trousers |
636 | + - Remove configure options: |
637 | + --enable-ha (requires special kernel) |
638 | + --enable-unit-test (unit tests run by default) |
639 | + - Drop logcheck install |
640 | + * debian/tests/* |
641 | + - Add DEP8 test for strongswan service and plugins |
642 | + * debian/strongswan-starter.strongswan.service |
643 | + - Add new systemd file instead of patching upstream |
644 | + * debian/strongswan-starter.links |
645 | + - removed, use Ubuntu systemd file instead of linking to upstream |
646 | + * debian/usr.lib.ipsec.{charon, lookip, stroke} |
647 | + - added AppArmor profiles for charon, lookip and stroke |
648 | + * debian/libcharon-extra-plugins.install |
649 | + - Add plugins |
650 | + - kernel-libipsec.{so, lib, conf, apparmor} |
651 | + - Remove plugins |
652 | + - libstrongswan-ha.so |
653 | + - Relocate plugins |
654 | + - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) |
655 | + * debian/libstrongswan-extra-plugins.install |
656 | + - Add plugins (so, lib, conf) |
657 | + - acert |
658 | + - attr-sql |
659 | + - coupling |
660 | + - dnscert |
661 | + - fips-prf |
662 | + - gmp |
663 | + - ipseckey |
664 | + - load-tester |
665 | + - mysql |
666 | + - ntru |
667 | + - radattr |
668 | + - soup |
669 | + - sqlite |
670 | + - sql |
671 | + - systime-fix |
672 | + - unbound |
673 | + - whitelist |
674 | + - Relocate plugins (so, lib, conf) |
675 | + - ccm (libstrongswan.install) |
676 | + - test-vectors (libstrongswan.install) |
677 | + * debian/libstrongswan.install |
678 | + - Sort sections |
679 | + - Add plugins (so, lib, conf) |
680 | + - libchecksum |
681 | + - ccm |
682 | + - eap-identity |
683 | + - md4 |
684 | + - test-vectors |
685 | + * debian/strongswan-charon.install |
686 | + - Add AppArmor profile for charon |
687 | + * debian/strongswan-starter.install |
688 | + - Add tools, manpages, conf |
689 | + - openac |
690 | + - pool |
691 | + - _updown_espmark |
692 | + - Add AppArmor profile for stroke |
693 | + * debian/strongswan-tnc-base.install |
694 | + - Add new subpackage for TNC |
695 | + - remove non-existent (dropped in 5.2.1) libpts library files |
696 | + * debian/strongswan-tnc-client.install |
697 | + - Add new subpackage for TNC |
698 | + * debian/strongswan-tnc-ifmap.install |
699 | + - Add new subpackage for TNC |
700 | + * debian/strongswan-tnc-pdp.install |
701 | + - Add new subpackage for TNC |
702 | + * debian/strongswan-tnc-server.install |
703 | + - Add new subpackage for TNC |
704 | + * debian/strongswan-starter.postinit: |
705 | + - Removed section about runlevel changes, it's almost 2014. |
706 | + - Adapted service restart section for Upstart. |
707 | + - Remove old symlinks to init.d files is necessary. |
708 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
709 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
710 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
711 | + removal (as opposed to using the old init.d script). |
712 | + * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck |
713 | + - logcheck patterns updated to be helpful |
714 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
715 | + entire section on opportunistic encryption - this was never in strongSwan. |
716 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
717 | + Drop changes: |
718 | + * debian/control |
719 | + - Per-plugin package breakup: Reducing packaging delta from Debian |
720 | + - Don't build dhcp, farp subpackages: Reduce packging delta from Debian |
721 | + * debian/watch: Already exists in Debian merge |
722 | + * debian/upstream/signing-key.asc: Upstream has newer version. |
723 | + |
724 | + -- Ryan Harper <ryan.harper@canonical.com> Fri, 12 Feb 2016 11:24:53 -0600 |
725 | + |
726 | strongswan (5.3.5-1) unstable; urgency=medium |
727 | |
728 | * New upstream bugfix release. |
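Review bot: The 5.3.5-1ubuntu1 entry states "Merge from Debian, which includes fixes for all previous CVEs" without naming any, so nothing in this hunk shows which Ubuntu CVE patches were dropped in favour of the Debian source. The older Ubuntu entries in this changelog name each one (CVE-2015-8023, CVE-2015-4171, CVE-2014-9221, CVE-2014-2338); please confirm against the merged tree that each of those fixes is present now that the debian/patches/CVE-*.patch files are no longer carried. In the same entry, the charon AppArmor profile gains "capability dac_override (needed by agent plugin)" with no bug reference, unlike the neighbouring items; that is a broad capability, so it is worth checking that the profile shipped by this merge still needs it. Minor: "debian/strongswan-starter.postinit" should read postinst, as it does a few lines further down.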
729 | @@ -527,6 +1219,210 @@ strongswan (5.1.2-1) unstable; urgency=medium |
730 | |
731 | -- Yves-Alexis Perez <corsac@debian.org> Wed, 12 Mar 2014 11:22:38 +0100 |
732 | |
733 | +strongswan (5.1.2-0ubuntu8) xenial; urgency=medium |
734 | + |
735 | + * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240) |
736 | + |
737 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 30 Nov 2015 15:46:06 +0000 |
738 | + |
739 | +strongswan (5.1.2-0ubuntu7) xenial; urgency=medium |
740 | + |
741 | + * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin |
742 | + - debian/patches/CVE-2015-8023.patch: only succeed authentication if |
743 | + MSK was established in |
744 | + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c. |
745 | + - CVE-2015-8023 |
746 | + * debian/patches/disable_ntru_test.patch: disable test causing FTBFS |
747 | + until regression is properly investigated. |
748 | + |
749 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 19 Nov 2015 14:00:17 -0500 |
750 | + |
751 | +strongswan (5.1.2-0ubuntu6) wily; urgency=medium |
752 | + |
753 | + * SECURITY UPDATE: user credential disclosure to rogue servers |
754 | + - debian/patches/CVE-2015-4171.patch: enforce remote authentication |
755 | + config before proceeding with own authentication in |
756 | + src/libcharon/sa/ikev2/tasks/ike_auth.c. |
757 | + - CVE-2015-4171 |
758 | + * debian/rules: don't FTBFS from unused service file |
759 | + |
760 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Jun 2015 12:50:38 -0400 |
761 | + |
762 | +strongswan (5.1.2-0ubuntu5) vivid; urgency=medium |
763 | + |
764 | + * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart. |
765 | + |
766 | + -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 16 Jan 2015 08:27:54 +0100 |
767 | + |
768 | +strongswan (5.1.2-0ubuntu4) vivid; urgency=medium |
769 | + |
770 | + * SECURITY UPDATE: denial of service via DH group 1025 |
771 | + - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of |
772 | + IKE DH range in src/libstrongswan/crypto/diffie_hellman.c, |
773 | + src/libstrongswan/crypto/diffie_hellman.h. |
774 | + - CVE-2014-9221 |
775 | + |
776 | + -- Tyler Hicks <tyhicks@canonical.com> Mon, 05 Jan 2015 08:25:29 -0500 |
777 | + |
778 | +strongswan (5.1.2-0ubuntu3) utopic; urgency=low |
779 | + |
780 | + * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix |
781 | + build. |
782 | + |
783 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Oct 2014 16:49:18 +0000 |
784 | + |
785 | +strongswan (5.1.2-0ubuntu2) trusty; urgency=medium |
786 | + |
787 | + * SECURITY UPDATE: remote authentication bypass |
788 | + - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange |
789 | + on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c. |
790 | + - CVE-2014-2338 |
791 | + |
792 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 14 Apr 2014 11:24:34 -0400 |
793 | + |
794 | +strongswan (5.1.2-0ubuntu1) trusty; urgency=low |
795 | + |
796 | + * New upstream release. |
797 | + |
798 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 01 Mar 2014 08:53:17 +0000 |
799 | + |
800 | +strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low |
801 | + |
802 | + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. |
803 | + * debian/usr.lib.ipsec.charon: Allow read access to /run/charon. |
804 | + |
805 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 13:07:16 +0000 |
806 | + |
807 | +strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low |
808 | + |
809 | + * New upstream release candidate. |
810 | + |
811 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 19 Feb 2014 12:59:21 +0000 |
812 | + |
813 | +strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium |
814 | + |
815 | + * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct |
816 | + packages. |
817 | + * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories. |
818 | + |
819 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 17 Feb 2014 18:12:38 +0000 |
820 | + |
821 | +strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low |
822 | + |
823 | + * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing. |
824 | + |
825 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:46:46 +0000 |
826 | + |
827 | +strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low |
828 | + |
829 | + * debian/libstrongswan.install: Moved rdrand plugin configuration to rules |
830 | + as it's only useful on amd64. |
831 | + * debian/watch: Added opts=pgpsigurlmangle option. |
832 | + * debian/upstream/signing-key.asc: Added key: 0xB34DBA77. |
833 | + |
834 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:32:10 +0000 |
835 | + |
836 | +strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium |
837 | + |
838 | + * New upstream release candidate. |
839 | + * debian/*.install - include new configuration files for plugins in |
840 | + appropiate packages. |
841 | + |
842 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sat, 15 Feb 2014 15:03:14 +0000 |
843 | + |
844 | +strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low |
845 | + |
846 | + * debian/control: |
847 | + - Added Breaks/Replaces for all library files which have been moved |
848 | + about (LP: #1278176). |
849 | + - Removed build-dependency on check and added one on dh-apparmor. |
850 | + * debian/strongswan-starter.postinst: Removed further out-dated code and |
851 | + entire section on opportunistic encryption - this was never in strongSwan. |
852 | + * debian/rules: Removed pieces on 'patching ipsec.conf' on build. |
853 | + |
854 | + -- Jonathan Davies <jonathan.davies@canonical.com> Sun, 09 Feb 2014 23:53:23 +0000 |
855 | + |
856 | +strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low |
857 | + |
858 | + * debian/control: Fixed references to plugin-fips-prf. |
859 | + |
860 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 22 Jan 2014 11:22:14 +0000 |
861 | + |
862 | +strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low |
863 | + |
864 | + * Upstream Git snapshot for build fixes with regards to entropy. |
865 | + * debian/rules: |
866 | + - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking. |
867 | + - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in |
868 | + tests. |
869 | + |
870 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 20 Jan 2014 19:00:59 +0000 |
871 | + |
872 | +strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low |
873 | + |
874 | + * New upstream developer release. |
875 | + * Made changes to packaging per upstream suggestions. |
876 | + - Dropped medcli and medsrv packages - not recommended by upstream at this |
877 | + time. |
878 | + - Dropped ha plugin - needs special kernel. |
879 | + - Improved all package descriptions in general. |
880 | + - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed. |
881 | + - Removed debian/*logcheck* files - not relevant to strongSwan. |
882 | + - Split dhcp and farp packages into sub-packages. |
883 | + - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins. |
884 | + - Changes to TNC-related packages. |
885 | + * Created AppArmor profiles for lookip and stroke. |
886 | + |
887 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 15 Jan 2014 22:52:53 +0000 |
888 | + |
889 | +strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low |
890 | + |
891 | + * libstrongswan.install: Removed lingering unit-tester.so reference. |
892 | + |
893 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:29:59 +0000 |
894 | + |
895 | +strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low |
896 | + |
897 | + * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce. |
898 | + Incorporates upstream fixes for: |
899 | + - Integrity testing. |
900 | + - Unit test failures on little endian systems. |
901 | + * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed |
902 | + upstream. |
903 | + * debian/rules: |
904 | + - Stop using CK_TIMEOUT_MULTIPLIER. |
905 | + - Stop enabling the test suite only on non-powerpc arches (it runs |
906 | + anyway). |
907 | + |
908 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 06 Jan 2014 20:17:20 +0000 |
909 | + |
910 | +strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low |
911 | + |
912 | + * debian/control: Reinstate missing comma in dependencies. |
913 | + |
914 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:39:13 +0000 |
915 | + |
916 | +strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low |
917 | + |
918 | + * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue |
919 | + where test for >2038 tests on 32-bit platforms is broken. |
920 | + - Reported upstream: https://wiki.strongswan.org/issues/477 |
921 | + * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests. |
922 | + |
923 | + -- Jonathan Davies <jonathan.davies@canonical.com> Fri, 03 Jan 2014 05:02:32 +0000 |
924 | + |
925 | +strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low |
926 | + |
927 | + * New upstream developer release. |
928 | + * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup, |
929 | + and --enable-unity. |
930 | + * debian/control: |
931 | + - New plugin packages created for the above |
932 | + - Split fips-prf into its own package. |
933 | + - Added build-dependency on libsoup2.4-dev. |
934 | + |
935 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 02 Jan 2014 17:37:33 +0000 |
936 | + |
937 | strongswan (5.1.1-3) unstable; urgency=low |
938 | |
939 | * Upload to unstable. |
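Review bot: The 5.1.2-0ubuntu7 entry adds debian/patches/disable_ntru_test.patch to "disable test causing FTBFS until regression is properly investigated", with no LP or upstream bug reference, and no other entry in this hunk records the investigation or the test being turned back on. Since ntru is one of the crypto plugins this package enables, please confirm that the patch is not carried in the merged branch and that the ntru test actually runs in the current build. Also, "Import FTBFS for s390x from Debian 5.1.2-3 upload" in 5.1.2-0ubuntu8 reads as importing the failure rather than the fix; that is historical wording, but worth keeping in mind if the line is ever quoted elsewhere.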
940 | @@ -618,6 +1514,192 @@ strongswan (5.1.1-1) unstable; urgency=low |
941 | |
942 | -- Yves-Alexis Perez <corsac@debian.org> Fri, 24 Jan 2014 21:22:32 +0100 |
943 | |
944 | +strongswan (5.1.1-0ubuntu17) trusty; urgency=low |
945 | + |
946 | + * debian/control: |
947 | + - Make strongswan-ike depend on iproute2. |
948 | + - Added xauth plugin dependency on strongswan-plugin-eap-gtc. |
949 | + - Created strongswan-libfast package. |
950 | + |
951 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 01 Jan 2014 17:04:45 +0000 |
952 | + |
953 | +strongswan (5.1.1-0ubuntu16) trusty; urgency=low |
954 | + |
955 | + * debian/control: |
956 | + - Further splitting of plugins into subpackages (such as all EAP plugins |
957 | + to their own packages). |
958 | + - Added libpcsclite-dev to build-dependencies. |
959 | + * debian/rules: |
960 | + - Sort configure options in alphabetical order. |
961 | + - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic, |
962 | + --enable-eap-sim-file, --enable-eap-sim-pcsc, |
963 | + --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and |
964 | + --enable-eap-simaka-sql. |
965 | + - Don't exclude medsrv from install. |
966 | + * Moved eap-identity.so to libstrongswan package as it's used by all the |
967 | + other EAP plugins. |
968 | + |
969 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 21:25:50 +0000 |
970 | + |
971 | +strongswan (5.1.1-0ubuntu15) trusty; urgency=low |
972 | + |
973 | + * debian/control: |
974 | + - Split plugins from libstrongswan package into modular subpackages. |
975 | + - Added libmysqlclient-dev to build-dependencies. |
976 | + - strongswan-ike: Set to depend on either strongswan-plugins-openssl or |
977 | + strongswan-plugins-gcrypt. |
978 | + - strongswan-ike: All other plugins added to Suggests. |
979 | + - Created two new TNC packages: strongswan-tnc-ifmap and |
980 | + strongswan-tnc-pdp and added to tnc-imcvs Suggests. |
981 | + * debian/rules: Added to CONFIGUREARGS: --enable-certexpire, |
982 | + --enable-error-notify, --enable-mysql, --enable-load-tester, |
983 | + --enable-radattr, --enable-tnc-pdp, and --enable-whitelist. |
984 | + * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package. |
985 | + |
986 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 16:15:32 +0000 |
987 | + |
988 | +strongswan (5.1.1-0ubuntu14) trusty; urgency=low |
989 | + |
990 | + * debian/rules: |
991 | + - CK_TIMEOUT_MULTIPLIER back down to 6. |
992 | + - Disable unit tests on powerpc. |
993 | + |
994 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:39:48 +0000 |
995 | + |
996 | +strongswan (5.1.1-0ubuntu13) trusty; urgency=low |
997 | + |
998 | + * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn. |
999 | + |
1000 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:23:42 +0000 |
1001 | + |
1002 | +strongswan (5.1.1-0ubuntu12) trusty; urgency=low |
1003 | + |
1004 | + * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and |
1005 | + armhf. |
1006 | + |
1007 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 07:03:40 +0000 |
1008 | + |
1009 | +strongswan (5.1.1-0ubuntu11) trusty; urgency=low |
1010 | + |
1011 | + * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on |
1012 | + one extra arch. |
1013 | + * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4. |
1014 | + |
1015 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:51:47 +0000 |
1016 | + |
1017 | +strongswan (5.1.1-0ubuntu10) trusty; urgency=low |
1018 | + |
1019 | + * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch - |
1020 | + - Increases RSA key generate test timeout to 30 seconds so that it doesn't |
1021 | + fail on armhf, arm64, and powerppc. |
1022 | + * Contrary to what the last changelog entry says, we are still running |
1023 | + strongswan as root (with AppArmor protection). |
1024 | + |
1025 | + -- Jonathan Davies <jonathan.davies@canonical.com> Tue, 31 Dec 2013 06:06:47 +0000 |
1026 | + |
1027 | +strongswan (5.1.1-0ubuntu9) trusty; urgency=low |
1028 | + |
1029 | + * debian/rules: Added to configure options: |
1030 | + - --enable-tnc-ifmap: enable TNC IF-MAP module. |
1031 | + - --enable-duplicheck: enable duplicheck plugin. |
1032 | + - --enable-imv-swid, --enable-imc-swid: Added. |
1033 | + - Run strongswan as it's own user. |
1034 | + * debian/strongswan-starter.install: Install duplicheck. |
1035 | + * debian/strongswan-tnc-imcvs.install: Install swidtags. |
1036 | + |
1037 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 19:33:27 +0000 |
1038 | + |
1039 | +strongswan (5.1.1-0ubuntu8) trusty; urgency=low |
1040 | + |
1041 | + * debian/rules: Added to configure options: |
1042 | + - --enable-unit-tests: check unit testing on build. |
1043 | + - --enable-unbound: for validating DNS lookups. |
1044 | + - --enable-dnscert: for DNSCERT peer authentication. |
1045 | + - --enable-ipseckey: for IPSEC key authentication. |
1046 | + - --enable-lookip: for LookIP functionality. |
1047 | + - --enable-coupling: certificate coupling functionality. |
1048 | + * debian/control: Added check, libldns-dev, libunbound-dev to |
1049 | + build-dependencies. |
1050 | + * debian/libstrongswan.install: Install new plugin .so's. |
1051 | + * debian/strongswan-starter.install: Added lookip. |
1052 | + |
1053 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:52:07 +0000 |
1054 | + |
1055 | +strongswan (5.1.1-0ubuntu7) trusty; urgency=low |
1056 | + |
1057 | + * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent |
1058 | + the former from depending on the latter). |
1059 | + |
1060 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:30:19 +0000 |
1061 | + |
1062 | +strongswan (5.1.1-0ubuntu6) trusty; urgency=low |
1063 | + |
1064 | + * debian/strongswan-starter.prerm: Stop strongswan service on package |
1065 | + removal (as opposed to using the old init.d script). |
1066 | + |
1067 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 17:22:10 +0000 |
1068 | + |
1069 | +strongswan (5.1.1-0ubuntu5) trusty; urgency=low |
1070 | + |
1071 | + * debian/rules: |
1072 | + - CONFIGUREARGS: Merged Debian and RPM options. |
1073 | + - Brings in TNC functionality. |
1074 | + * debian/control: |
1075 | + - Added build-dependency on libtspi-dev. |
1076 | + - Created strongswan-tnc-imcvs binary package for TNC components. |
1077 | + - Added strongswan-tnc-imcvs to libstrongswan's Suggests. |
1078 | + * debian/libstrongswan.install: |
1079 | + - Included newly built MD4 and SQLite libraries. |
1080 | + - Removed 'tnc' references (moved to TNC package). |
1081 | + * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and |
1082 | + binaries. |
1083 | + * debian/usr.lib.ipsec.charon: Allow access to TNC modules. |
1084 | + |
1085 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 14:05:43 +0000 |
1086 | + |
1087 | +strongswan (5.1.1-0ubuntu4) trusty; urgency=low |
1088 | + |
1089 | + * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon. |
1090 | + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. |
1091 | + * debian/control: strongswan-ike - Stop depending on ipsec-tools. |
1092 | + |
1093 | + -- Jonathan Davies <jonathan.davies@canonical.com> Mon, 30 Dec 2013 05:35:17 +0000 |
1094 | + |
1095 | +strongswan (5.1.1-0ubuntu3) trusty; urgency=low |
1096 | + |
1097 | + * strongswan-starter.strongswan.upstart - Only start strongSwan when a |
1098 | + network connection is available. |
1099 | + * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to |
1100 | + 1.16.1 - to make precise backporting easier. |
1101 | + |
1102 | + -- Jonathan Davies <jonathan.davies@canonical.com> Thu, 12 Dec 2013 10:43:15 +0000 |
1103 | + |
1104 | +strongswan (5.1.1-0ubuntu2) trusty; urgency=low |
1105 | + |
1106 | + * strongswan-starter.strongswan.upstart - Created Upstart job for |
1107 | + strongSwan. |
1108 | + * debian/rules: Set dh_installinit to install above file. |
1109 | + * debian/strongswan-starter.postinit: |
1110 | + - Removed section about runlevel changes, it's almost 2014. |
1111 | + - Adapted service restart section for Upstart. |
1112 | + - Remove old symlinks to init.d files is necessary. |
1113 | + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. |
1114 | + |
1115 | + -- Jonathan Davies <jonathan.davies@canonical.com> Wed, 11 Dec 2013 23:10:28 +0000 |
1116 | + |
1117 | +strongswan (5.1.1-0ubuntu1) trusty; urgency=low |
1118 | + |
1119 | + * New upstream release. |
1120 | + * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed. |
1121 | + * debian/control: Updated Standards-Version to 3.9.5 and applied |
1122 | + XSBC-Original-Maintainer policy. |
1123 | + * strongswan-starter.install: |
1124 | + - pki tool is now in /usr/bin. |
1125 | + - Install pt-tls-client. |
1126 | + - Install manpages (LP: #1206263). |
1127 | + |
1128 | + -- Jonathan Davies <jpds@ubuntu.com> Sun, 01 Dec 2013 17:43:59 +0000 |
1129 | + |
1130 | strongswan (5.1.0-3) unstable; urgency=high |
1131 | |
1132 | * urgency=high for the security fixes. |
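Review bot: The added changelog entries carry three wording slips: "upsteamed" in the 5.1.1-0ubuntu1 entry, and in 5.1.1-0ubuntu2 both "Remove old symlinks to init.d files is necessary" (presumably "if necessary") and the file name debian/strongswan-starter.postinit, which looks like a slip for postinst. If these entries are copied verbatim from uploads that were already published, leave them as they are; otherwise correct them before upload.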
1133 | diff --git a/debian/control b/debian/control |
1134 | index a0b8711..66fffd6 100644 |
1135 | --- a/debian/control |
1136 | +++ b/debian/control |
1137 | @@ -1,7 +1,8 @@ |
1138 | Source: strongswan |
1139 | Section: net |
1140 | Priority: optional |
1141 | -Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1142 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
1143 | +XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org> |
1144 | Uploaders: Rene Mayrhofer <rmayr@debian.org>, |
1145 | Yves-Alexis Perez <corsac@debian.org> |
1146 | Standards-Version: 4.1.2 |
1147 | @@ -20,14 +21,21 @@ Build-Depends: bison, |
1148 | libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, |
1149 | libgcrypt20-dev | libgcrypt11-dev, |
1150 | libgmp3-dev, |
1151 | + libjson-c-dev, |
1152 | libkrb5-dev, |
1153 | libldap2-dev, |
1154 | + libldns-dev, |
1155 | + libmysqlclient-dev, |
1156 | libnm-dev, |
1157 | libpam0g-dev, |
1158 | + libpcsclite-dev, |
1159 | + libsoup2.4-dev, |
1160 | libsqlite3-dev, |
1161 | libssl-dev (>= 0.9.8), |
1162 | libsystemd-dev [linux-any], |
1163 | libtool, |
1164 | + libtspi-dev, |
1165 | + libunbound-dev, |
1166 | libxml2-dev, |
1167 | network-manager-dev (>= 0.7) [linux-any], |
1168 | pkg-config, |
1169 | @@ -50,8 +58,8 @@ Description: IPsec VPN solution metapackage |
1170 | Package: libstrongswan |
1171 | Architecture: any |
1172 | Depends: ${misc:Depends}, ${shlibs:Depends} |
1173 | -Breaks: strongswan-starter (<< 5.3.5-2) |
1174 | -Replaces: strongswan-starter (<< 5.3.5-2) |
1175 | +Breaks: strongswan-starter (<< 5.3.5-2), libstrongswan-extra-plugins (<= 5.6.1-2ubuntu1~) |
1176 | +Replaces: strongswan-starter (<< 5.3.5-2), libstrongswan-extra-plugins (<= 5.6.1-2ubuntu1~) |
1177 | Recommends: libstrongswan-standard-plugins |
1178 | Suggests: libstrongswan-extra-plugins |
1179 | Description: strongSwan utility and crypto library |
1180 | @@ -70,7 +78,9 @@ Description: strongSwan utility and crypto library |
1181 | - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms) |
1182 | - gmp (RSA/DH crypto backend based on libgmp) |
1183 | - hmac (HMAC wrapper using various hashers) |
1184 | + - md4 (MD4 hasher software implementation) |
1185 | - md5 (MD5 hasher software implementation) |
1186 | + - mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512) |
1187 | - nonce (Default nonce generation plugin) |
1188 | - pem (PEM encoding/decoding routines) |
1189 | - pgp (PGP encoding/decoding routines) |
1190 | @@ -123,8 +133,8 @@ Architecture: any |
1191 | Depends: libstrongswan (= ${binary:Version}), |
1192 | ${misc:Depends}, |
1193 | ${shlibs:Depends} |
1194 | -Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1), libcharon-extra-plugins (<= 5.5.3-1) |
1195 | -Replaces: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1), libcharon-extra-plugins (<= 5.5.3-1) |
1196 | +Breaks: libstrongswan (<= 5.6.1-2ubuntu1~), strongswan-ike (<= 5.1.1-1), libcharon-extra-plugins (<= 5.5.3-1) |
1197 | +Replaces: libstrongswan (<= 5.6.1-2ubuntu1~), strongswan-ike (<= 5.1.1-1), libcharon-extra-plugins (<= 5.5.3-1) |
1198 | Description: strongSwan utility and crypto library (extra plugins) |
1199 | The strongSwan VPN suite uses the native IPsec stack in the standard |
1200 | Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
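Review bot: The new bound `libstrongswan (<= 5.6.1-2ubuntu1~)` in Breaks/Replaces here, like the matching `libstrongswan-extra-plugins (<= 5.6.1-2ubuntu1~)` added to libstrongswan in the earlier hunk, combines `<=` with a trailing `~`. In dpkg version ordering `~` sorts before the end of the string, so this relation matches only versions below 5.6.1-2ubuntu1 and not 5.6.1-2ubuntu1 itself. If 5.6.1-2ubuntu1 was the last version shipping the moved files, an upgrade from it will hit a file conflict and the bound needs raising. If "everything before 5.6.1-2ubuntu1" is intended, `<< 5.6.1-2ubuntu1~` states that more plainly and matches the form used for libcharon-standard-plugins. The changelog should also say which files moved in which direction between the two packages.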
1201 | @@ -133,22 +143,57 @@ Description: strongSwan utility and crypto library (extra plugins) |
1202 | cryptographic library. |
1203 | . |
1204 | Included plugins are: |
1205 | + - acert (Support of X.509 attribute certificates (since 5.1.3)) |
1206 | - af-alg [linux] (AF_ALG Linux crypto API interface, provides |
1207 | ciphers/hashers/hmac/xcbc) |
1208 | + - attr-sql (provide IKE attributes read from a database to peers) |
1209 | + - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer |
1210 | + signature scheme) |
1211 | - ccm (CCM cipher mode wrapper) |
1212 | + - chapoly (ChaCha20/Poly1305 AEAD implementation) |
1213 | - cmac (CMAC cipher mode wrapper) |
1214 | - ctr (CTR cipher mode wrapper) |
1215 | + - coupling (Permanent peer certificate coupling) |
1216 | - curl (libcurl based HTTP/FTP fetcher) |
1217 | - curve25519 (support for Diffie-Hellman group 31 using Curve25519 and |
1218 | support for the Ed25519 digital signature algorithm for IKEv2) |
1219 | + - dnscert (authentication via CERT RRs protected by DNSSEC) |
1220 | - gcrypt (Crypto backend based on libgcrypt, provides |
1221 | RSA/DH/ciphers/hashers/rng) |
1222 | + - ipseckey (authentication via IPSECKEY RRs protected by DNSSEC) |
1223 | - ldap (LDAP fetching plugin based on libldap) |
1224 | + - load-tester (perform IKE load tests against self or gateway) |
1225 | + - mysql (database backend) |
1226 | + - ntru (key exchanged based on post-quantum computer NTRU) |
1227 | + - nttfft (Number Theoretic Transform via the FFT algorithm) |
1228 | - padlock (VIA padlock crypto backend, provides AES128/SHA1) |
1229 | - pkcs11 (PKCS#11 smartcard backend) |
1230 | + - radattr (inject and process custom RADIUS attributes as IKEv2 client) |
1231 | + - sql (SQL configuration and creds engine) |
1232 | + - sqlite (SQLite database backend) |
1233 | + - soup (libsoup based HTTP fetcher) |
1234 | + - tpmtss (TPM 1.2 and TPM 2.0 Trusted Platform Modules) |
1235 | - rdrand (High quality / high performance random source using the Intel |
1236 | rdrand instruction found on Ivy Bridge processors) |
1237 | - test-vectors (Set of test vectors for various algorithms) |
1238 | + - unbound (DNSSEC enabled resolver using libunbound) |
1239 | + - whitelist (peer verification against a whitelist) |
1240 | + |
1241 | +Package: libcharon-standard-plugins |
1242 | +Architecture: any |
1243 | +Depends: libstrongswan (= ${binary:Version}), |
1244 | + ${misc:Depends}, |
1245 | + ${shlibs:Depends} |
1246 | +Breaks: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~) |
1247 | +Replaces: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~) |
1248 | +Description: strongSwan charon library (standard plugins) |
1249 | + The strongSwan VPN suite uses the native IPsec stack in the standard |
1250 | + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
1251 | + . |
1252 | + This package provides standard plugins for the charon library: |
1253 | + - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes) |
1254 | + - xauth-generic (Generic XAuth backend that provides passwords from |
1255 | + ipsec.secrets and other credential sets) |
1256 | |
1257 | Package: libcharon-extra-plugins |
1258 | Architecture: any |
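Review bot: The plugin list added to the libstrongswan-extra-plugins description does not line up with debian/libstrongswan-extra-plugins.install. The install file adds libstrongswan-systime-fix.so, which is not described here, while `tpmtss` and `nttfft` are listed as plugins although the install file ships them as support libraries (libtpmtss.so*, libnttfft.so*) next to the plugin libstrongswan-tpm.so. The "TPM 1.2 and TPM 2.0" wording should also be checked against `--with-tss=trousers` in debian/rules. The new entries (sql, sqlite, soup, tpmtss) are inserted before rdrand, breaking the alphabetical order the list otherwise keeps, and "key exchanged based on" in the ntru line should read "key exchange based on".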
1259 | @@ -164,13 +209,13 @@ Description: strongSwan charon library (extra plugins) |
1260 | This package provides extra plugins for the charon library: |
1261 | - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509 |
1262 | certificates) |
1263 | + - dhcp (Forwarding of DHCP requests for virtual IPs to DHCP server) |
1264 | - certexpire (Export expiration dates of used certificates) |
1265 | - eap-aka (Generic EAP-AKA protocol handler using different backends) |
1266 | - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends) |
1267 | - eap-identity (EAP-Identity identity exchange algorithm, to use with other |
1268 | EAP protocols) |
1269 | - eap-md5 (EAP-MD5 protocol handler using passwords) |
1270 | - - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes) |
1271 | - eap-radius (EAP server proxy plugin forwarding EAP conversations to a |
1272 | RADIUS server) |
1273 | - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in |
1274 | @@ -178,17 +223,25 @@ Description: strongSwan charon library (extra plugins) |
1275 | - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel) |
1276 | - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely) |
1277 | - error-notify (Notification about errors via UNIX socket) |
1278 | + - farp (fake ARP responses for requests to virtual IP address) |
1279 | - ha (High-Availability clustering) |
1280 | + - kernel-libipsec (Userspace IPsec Backend with TUN devices) |
1281 | - led (Let Linux LED subsystem LEDs blink on IKE activity) |
1282 | - lookip (Virtual IP lookup facility using a UNIX socket) |
1283 | - - medcli (Web interface based mediation client interface) |
1284 | - - medsrv (Web interface based mediation server interface) |
1285 | - tnc (Trusted Network Connect) |
1286 | - unity (Cisco Unity extensions for IKEv1) |
1287 | - xauth-eap (XAuth backend that uses EAP methods to verify passwords) |
1288 | - - xauth-generic (Generic XAuth backend that provides passwords from |
1289 | - ipsec.secrets and other credential sets) |
1290 | - xauth-pam (XAuth backend that uses PAM modules to verify passwords) |
1291 | + - eap-aka-3gpp2 (EAP-AKA backend implementing standard 3GPP2 algorithm in software) |
1292 | + - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since 5.0.1)) |
1293 | + - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely) |
1294 | + - eap-sim (Generic EAP-SIM protocol handler using different backends) |
1295 | + - eap-sim-file (EAP-SIM backend reading triplets from a file) |
1296 | + - eap-sim-pcsc (EAP-SIM backend based on a PC/SC smartcard reader) |
1297 | + - eap-simaka-pseudonym (EAP-SIM/AKA in-memory pseudonym identity database) |
1298 | + - eap-simaka-reauth (EAP-SIM/AKA in-memory reauthentication identity database) |
1299 | + - eap-simaka-sql (EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database) |
1300 | + - xauth-noauth (XAuth backend that does not do any authentication (since 5.0.3)) |
1301 | |
1302 | Package: strongswan-starter |
1303 | Architecture: any |
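Review bot: The unchanged line `- tnc (Trusted Network Connect)` stays in the libcharon-extra-plugins description, but debian/libcharon-extra-plugins.install drops libstrongswan-tnc-tnccs.so, libtnccs.so and tnc.conf from this package. Drop the entry here if that plugin now ships in one of the strongswan-tnc-* packages. The entries appended after xauth-pam are neither sorted into the existing list nor wrapped like the neighbouring lines (the eap-dynamic and eap-simaka-sql lines run well past 80 columns). Since `xauth-noauth` is a backend that performs no authentication, please confirm it is acceptable to have it installed with every libcharon-extra-plugins installation, and whether its shipped configuration should default to not loading, as is done for kernel-libipsec.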
1304 | @@ -212,8 +265,9 @@ Architecture: any |
1305 | Depends: libstrongswan (= ${binary:Version}), |
1306 | ${misc:Depends}, |
1307 | ${shlibs:Depends} |
1308 | -Breaks: strongswan-starter (<= 5.6.1-2) |
1309 | -Replaces: strongswan-starter (<= 5.6.1-2) |
1310 | +Breaks: strongswan-starter (<= 5.6.2-1ubuntu1) |
1311 | +Replaces: strongswan-starter (<= 5.6.2-1ubuntu1) |
1312 | +Recommends: libcharon-standard-plugins |
1313 | Suggests: libcharon-extra-plugins |
1314 | Description: strongSwan charon library |
1315 | The strongSwan VPN suite uses the native IPsec stack in the standard |
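Review bot: The new Breaks/Replaces bound `strongswan-starter (<= 5.6.2-1ubuntu1)` has no `~` suffix, unlike the other Ubuntu bounds introduced in this diff. With `<=` and no tilde it matches 5.6.2-1ubuntu1 itself, so if that is the version being uploaded this package would break the strongswan-starter built from the same source. Please confirm which strongswan-starter version last shipped the files concerned and use `<< <first-fixed-version>~` so the relation cannot cover the new upload.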
1316 | @@ -257,6 +311,68 @@ Description: strongSwan plugin to interact with NetworkManager |
1317 | in conjunction with the network-manager-strongswan package, providing |
1318 | a simple graphical frontend to configure IPsec based VPNs. |
1319 | |
1320 | +Package: strongswan-tnc-ifmap |
1321 | +Architecture: any |
1322 | +Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) |
1323 | +Description: strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP client |
1324 | + The strongSwan VPN suite uses the native IPsec stack in the standard |
1325 | + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
1326 | + . |
1327 | + This package provides Trusted Network Connect's (TNC) IF-MAP 2.0 client. |
1328 | + |
1329 | +Package: strongswan-tnc-base |
1330 | +Architecture: any |
1331 | +Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) |
1332 | +Suggests: strongswan-tnc-ifmap, strongswan-tnc-pdp |
1333 | +Description: strongSwan Trusted Network Connect's (TNC) - base files |
1334 | + The strongSwan VPN suite uses the native IPsec stack in the standard |
1335 | + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
1336 | + . |
1337 | + This package provides the base files for strongSwan's Trusted Network |
1338 | + Connect's (TNC) functionality. |
1339 | + . |
1340 | + strongSwan's IMC/IMV dynamic libraries can be used by any third party TNC |
1341 | + client/server implementation possessing a standard IF-IMC/IMV interface. |
1342 | + |
1343 | +Package: strongswan-tnc-client |
1344 | +Architecture: any |
1345 | +Depends: ${shlibs:Depends}, ${misc:Depends}, |
1346 | + libstrongswan (= ${binary:Version}), strongswan-tnc-base (= ${binary:Version}) |
1347 | +Suggests: libcharon-extra-plugins |
1348 | +Description: strongSwan Trusted Network Connect's (TNC) - client files |
1349 | + The strongSwan VPN suite uses the native IPsec stack in the standard |
1350 | + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
1351 | + . |
1352 | + This package provides the client functionality for strongSwan's Trusted Network |
1353 | + Connect's (TNC) features. |
1354 | + . |
1355 | + It includes the OS, scanner, test, SWID, and attestation IMCs. |
1356 | + |
1357 | +Package: strongswan-tnc-server |
1358 | +Architecture: any |
1359 | +Depends: ${shlibs:Depends}, ${misc:Depends}, |
1360 | + libstrongswan (= ${binary:Version}), |
1361 | + strongswan-tnc-base (= ${binary:Version}), |
1362 | + libstrongswan-extra-plugins (= ${binary:Version}) |
1363 | +Description: strongSwan Trusted Network Connect's (TNC) - server files |
1364 | + The strongSwan VPN suite uses the native IPsec stack in the standard |
1365 | + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
1366 | + . |
1367 | + This package provides the server functionality for strongSwan's Trusted Network |
1368 | + Connect's (TNC) features. |
1369 | + |
1370 | +Package: strongswan-tnc-pdp |
1371 | +Architecture: any |
1372 | +Depends: ${shlibs:Depends}, ${misc:Depends}, |
1373 | + libstrongswan (= ${binary:Version}), |
1374 | + strongswan-tnc-server (= ${binary:Version}) |
1375 | +Description: strongSwan plugin for Trusted Network Connect's (TNC) PDP |
1376 | + The strongSwan VPN suite uses the native IPsec stack in the standard |
1377 | + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. |
1378 | + . |
1379 | + This package provides Trusted Network Connect's (TNC) Policy Decision Point |
1380 | + (PDP) with RADIUS server interface. |
1381 | + |
1382 | Package: charon-cmd |
1383 | Architecture: any |
1384 | Depends: libstrongswan (= ${binary:Version}), |
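Review bot: None of the five new strongswan-tnc-* stanzas declares Breaks/Replaces, yet debian/libcharon-extra-plugins.install in this same diff removes libstrongswan-tnc-tnccs.so, libtnccs.so, tnc-tnccs.conf and tnc.conf. If any of those paths are now installed by strongswan-tnc-base (or another of the new packages), upgrading a system that has the older libcharon-extra-plugins will fail with a dpkg file-overwrite error unless the receiving package carries `Breaks:`/`Replaces: libcharon-extra-plugins (<< version~)`. Minor: "Trusted Network Connect's (TNC)" reads awkwardly in the synopsis lines; "Trusted Network Connect (TNC)" would do.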
1385 | diff --git a/debian/ipsec.secrets.proto b/debian/ipsec.secrets.proto |
1386 | index dfa6dde..309e3fc 100644 |
1387 | --- a/debian/ipsec.secrets.proto |
1388 | +++ b/debian/ipsec.secrets.proto |
1389 | @@ -3,6 +3,3 @@ |
1390 | # RSA private key for this host, authenticating it to any other host |
1391 | # which knows the public part. |
1392 | |
1393 | -# this file is managed with debconf and will contain the automatically created private key |
1394 | -include /var/lib/strongswan/ipsec.secrets.inc |
1395 | - |
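Review bot: Removing `include /var/lib/strongswan/ipsec.secrets.inc` from the prototype changes where a host's private key is looked up, and the hunk gives no upgrade path. The deleted comment says that file holds the automatically created private key, so a system whose key still lives there would stop loading it if its ipsec.secrets is regenerated from this prototype. Please state in the changelog why the include is dropped in Ubuntu and confirm that existing /etc/ipsec.secrets files containing the include line are left untouched on upgrade.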
1396 | diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install |
1397 | index 1b0cbca..cb539ec 100644 |
1398 | --- a/debian/libcharon-extra-plugins.install |
1399 | +++ b/debian/libcharon-extra-plugins.install |
1400 | @@ -1,50 +1,102 @@ |
1401 | # libcharon plugins |
1402 | usr/lib/ipsec/plugins/libstrongswan-addrblock.so |
1403 | usr/lib/ipsec/plugins/libstrongswan-certexpire.so |
1404 | -usr/lib/ipsec/plugins/libstrongswan-eap*.so |
1405 | +usr/lib/ipsec/plugins/libstrongswan-eap-aka-3gpp2.so |
1406 | +usr/lib/ipsec/plugins/libstrongswan-eap-aka.so |
1407 | +usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so |
1408 | +usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so |
1409 | +usr/lib/ipsec/plugins/libstrongswan-eap-identity.so |
1410 | +usr/lib/ipsec/plugins/libstrongswan-eap-md5.so |
1411 | +usr/lib/ipsec/plugins/libstrongswan-eap-peap.so |
1412 | +usr/lib/ipsec/plugins/libstrongswan-eap-radius.so |
1413 | +usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so |
1414 | +usr/lib/ipsec/plugins/libstrongswan-eap-sim-pcsc.so |
1415 | +usr/lib/ipsec/plugins/libstrongswan-eap-sim.so |
1416 | +usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so |
1417 | +usr/lib/ipsec/plugins/libstrongswan-eap-simaka-reauth.so |
1418 | +usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so |
1419 | +usr/lib/ipsec/plugins/libstrongswan-eap-tls.so |
1420 | +usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so |
1421 | +usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so |
1422 | usr/lib/ipsec/plugins/libstrongswan-error-notify.so |
1423 | usr/lib/ipsec/plugins/libstrongswan-ha.so |
1424 | +usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so |
1425 | usr/lib/ipsec/plugins/libstrongswan-led.so |
1426 | usr/lib/ipsec/plugins/libstrongswan-lookip.so |
1427 | #usr/lib/ipsec/plugins/libstrongswan-medsrv.so |
1428 | #usr/lib/ipsec/plugins/libstrongswan-medcli.so |
1429 | -usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so |
1430 | usr/lib/ipsec/plugins/libstrongswan-unity.so |
1431 | -usr/lib/ipsec/plugins/libstrongswan-xauth-*.so |
1432 | +usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so |
1433 | +usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so |
1434 | +usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so |
1435 | # standard configuration files |
1436 | usr/share/strongswan/templates/config/plugins/addrblock.conf |
1437 | usr/share/strongswan/templates/config/plugins/certexpire.conf |
1438 | -usr/share/strongswan/templates/config/plugins/eap-*.conf |
1439 | +usr/share/strongswan/templates/config/plugins/eap-aka-3gpp2.conf |
1440 | +usr/share/strongswan/templates/config/plugins/eap-aka.conf |
1441 | +usr/share/strongswan/templates/config/plugins/eap-dynamic.conf |
1442 | +usr/share/strongswan/templates/config/plugins/eap-gtc.conf |
1443 | +usr/share/strongswan/templates/config/plugins/eap-identity.conf |
1444 | +usr/share/strongswan/templates/config/plugins/eap-md5.conf |
1445 | +usr/share/strongswan/templates/config/plugins/eap-peap.conf |
1446 | +usr/share/strongswan/templates/config/plugins/eap-radius.conf |
1447 | +usr/share/strongswan/templates/config/plugins/eap-sim-file.conf |
1448 | +usr/share/strongswan/templates/config/plugins/eap-sim-pcsc.conf |
1449 | +usr/share/strongswan/templates/config/plugins/eap-sim.conf |
1450 | +usr/share/strongswan/templates/config/plugins/eap-simaka-pseudonym.conf |
1451 | +usr/share/strongswan/templates/config/plugins/eap-simaka-reauth.conf |
1452 | +usr/share/strongswan/templates/config/plugins/eap-simaka-sql.conf |
1453 | +usr/share/strongswan/templates/config/plugins/eap-tls.conf |
1454 | +usr/share/strongswan/templates/config/plugins/eap-tnc.conf |
1455 | +usr/share/strongswan/templates/config/plugins/eap-ttls.conf |
1456 | usr/share/strongswan/templates/config/plugins/error-notify.conf |
1457 | usr/share/strongswan/templates/config/plugins/ha.conf |
1458 | +usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf |
1459 | usr/share/strongswan/templates/config/plugins/led.conf |
1460 | usr/share/strongswan/templates/config/plugins/lookip.conf |
1461 | #usr/share/strongswan/templates/config/plugins/medsrv.conf |
1462 | #usr/share/strongswan/templates/config/plugins/medcli.conf |
1463 | -usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf |
1464 | usr/share/strongswan/templates/config/plugins/unity.conf |
1465 | -usr/share/strongswan/templates/config/plugins/xauth-*.conf |
1466 | -usr/share/strongswan/templates/config/strongswan.d/tnc.conf |
1467 | -etc/strongswan.d/tnc.conf |
1468 | +usr/share/strongswan/templates/config/plugins/xauth-eap.conf |
1469 | +usr/share/strongswan/templates/config/plugins/xauth-noauth.conf |
1470 | +usr/share/strongswan/templates/config/plugins/xauth-pam.conf |
1471 | etc/strongswan.d/charon/addrblock.conf |
1472 | etc/strongswan.d/charon/certexpire.conf |
1473 | -etc/strongswan.d/charon/eap-*.conf |
1474 | +etc/strongswan.d/charon/eap-aka-3gpp2.conf |
1475 | +etc/strongswan.d/charon/eap-aka.conf |
1476 | +etc/strongswan.d/charon/eap-dynamic.conf |
1477 | +etc/strongswan.d/charon/eap-gtc.conf |
1478 | +etc/strongswan.d/charon/eap-identity.conf |
1479 | +etc/strongswan.d/charon/eap-md5.conf |
1480 | +etc/strongswan.d/charon/eap-peap.conf |
1481 | +etc/strongswan.d/charon/eap-radius.conf |
1482 | +etc/strongswan.d/charon/eap-sim-file.conf |
1483 | +etc/strongswan.d/charon/eap-sim-pcsc.conf |
1484 | +etc/strongswan.d/charon/eap-sim.conf |
1485 | +etc/strongswan.d/charon/eap-simaka-pseudonym.conf |
1486 | +etc/strongswan.d/charon/eap-simaka-reauth.conf |
1487 | +etc/strongswan.d/charon/eap-simaka-sql.conf |
1488 | +etc/strongswan.d/charon/eap-tls.conf |
1489 | +etc/strongswan.d/charon/eap-tnc.conf |
1490 | +etc/strongswan.d/charon/eap-ttls.conf |
1491 | etc/strongswan.d/charon/error-notify.conf |
1492 | etc/strongswan.d/charon/ha.conf |
1493 | +etc/strongswan.d/charon/kernel-libipsec.conf |
1494 | etc/strongswan.d/charon/led.conf |
1495 | etc/strongswan.d/charon/lookip.conf |
1496 | #etc/strongswan.d/charon/medsrv.conf |
1497 | #etc/strongswan.d/charon/medcli.conf |
1498 | -etc/strongswan.d/charon/tnc-tnccs.conf |
1499 | etc/strongswan.d/charon/unity.conf |
1500 | -etc/strongswan.d/charon/xauth-*.conf |
1501 | +etc/strongswan.d/charon/xauth-eap.conf |
1502 | +etc/strongswan.d/charon/xauth-noauth.conf |
1503 | +etc/strongswan.d/charon/xauth-pam.conf |
1504 | debian/usr.lib.ipsec.lookip /etc/apparmor.d/ |
1505 | # support libs |
1506 | #usr/lib/ipsec/libfast.so* |
1507 | +usr/lib/ipsec/libipsec.so* |
1508 | usr/lib/ipsec/libpttls.so* |
1509 | usr/lib/ipsec/libradius.so* |
1510 | usr/lib/ipsec/libsimaka.so* |
1511 | -usr/lib/ipsec/libtnccs.so* |
1512 | usr/lib/ipsec/libtls.so* |
1513 | # binaries |
1514 | usr/bin/pt-tls-client |
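Review bot: Replacing the `eap*`, `eap-*.conf` and `xauth-*` globs with explicit names means every EAP or XAuth plugin enabled later in debian/rules has to be added in three places in this file (the .so, the template and the etc/strongswan.d/charon entry), and nothing in this hunk makes the build fail if one is forgotten. Please make sure the build stops on uninstalled files (dh_install --fail-missing or dh_missing --fail-missing) so an omission is caught at build time. A short comment above the eap-* block noting that eap-mschapv2 and xauth-generic are deliberately absent because they ship in libcharon-standard-plugins would explain why the globs were expanded.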
1515 | diff --git a/debian/libcharon-standard-plugins.install b/debian/libcharon-standard-plugins.install |
1516 | new file mode 100644 |
1517 | index 0000000..25e580c |
1518 | --- /dev/null |
1519 | +++ b/debian/libcharon-standard-plugins.install |
1520 | @@ -0,0 +1,19 @@ |
1521 | +# most commonly used libcharon plugins |
1522 | +# 1) eap-mschapv2 is required on the client side to connect to VPN |
1523 | +# concentrators configured for Windows 7+ and modern OSX/iOS using IKEv2. |
1524 | +# In such scenario, the VPN concentrator identifies itself with a public |
1525 | +# key and asks the client to authenticate with MSCHAPv2. |
1526 | +# 2) xauth-generic is required on the client side to connect to VPN |
1527 | +# concentrators configured for Android and older OSX/iOS using IKEv1 and |
1528 | +# XAUTH. In such scenario, the VPN concentrator identifies itself with a |
1529 | +# public key or a shared secret and asks the client to authenticate with a |
1530 | +# XAUTH password. |
1531 | +# plugins |
1532 | +usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so |
1533 | +usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so |
1534 | +# config templates |
1535 | +usr/share/strongswan/templates/config/plugins/eap-mschapv2.conf |
1536 | +usr/share/strongswan/templates/config/plugins/xauth-generic.conf |
1537 | +# configuration files |
1538 | +etc/strongswan.d/charon/eap-mschapv2.conf |
1539 | +etc/strongswan.d/charon/xauth-generic.conf |
1540 | diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install |
1541 | index cfa5978..4cd01d4 100644 |
1542 | --- a/debian/libstrongswan-extra-plugins.install |
1543 | +++ b/debian/libstrongswan-extra-plugins.install |
1544 | @@ -1,37 +1,95 @@ |
1545 | # Tool for TPM PCR extension |
1546 | usr/bin/tpm_extendpcr |
1547 | # libstrongswan plugins |
1548 | +usr/lib/ipsec/plugins/libstrongswan-acert.so |
1549 | +usr/lib/ipsec/plugins/libstrongswan-attr-sql.so |
1550 | +usr/lib/ipsec/plugins/libstrongswan-bliss.so |
1551 | usr/lib/ipsec/plugins/libstrongswan-ccm.so |
1552 | +usr/lib/ipsec/plugins/libstrongswan-chapoly.so |
1553 | usr/lib/ipsec/plugins/libstrongswan-cmac.so |
1554 | +usr/lib/ipsec/plugins/libstrongswan-coupling.so |
1555 | usr/lib/ipsec/plugins/libstrongswan-ctr.so |
1556 | usr/lib/ipsec/plugins/libstrongswan-curl.so |
1557 | usr/lib/ipsec/plugins/libstrongswan-curve25519.so |
1558 | +usr/lib/ipsec/plugins/libstrongswan-dnscert.so |
1559 | usr/lib/ipsec/plugins/libstrongswan-gcrypt.so |
1560 | +usr/lib/ipsec/plugins/libstrongswan-ipseckey.so |
1561 | usr/lib/ipsec/plugins/libstrongswan-ldap.so |
1562 | +usr/lib/ipsec/plugins/libstrongswan-load-tester.so |
1563 | +usr/lib/ipsec/plugins/libstrongswan-mysql.so |
1564 | +usr/lib/ipsec/plugins/libstrongswan-ntru.so |
1565 | usr/lib/ipsec/plugins/libstrongswan-pkcs11.so |
1566 | +usr/lib/ipsec/plugins/libstrongswan-radattr.so |
1567 | +usr/lib/ipsec/plugins/libstrongswan-soup.so |
1568 | +usr/lib/ipsec/plugins/libstrongswan-sqlite.so |
1569 | +usr/lib/ipsec/plugins/libstrongswan-sql.so |
1570 | +usr/lib/ipsec/plugins/libstrongswan-systime-fix.so |
1571 | usr/lib/ipsec/plugins/libstrongswan-test-vectors.so |
1572 | usr/lib/ipsec/plugins/libstrongswan-tpm.so |
1573 | +usr/lib/ipsec/plugins/libstrongswan-unbound.so |
1574 | +usr/lib/ipsec/plugins/libstrongswan-whitelist.so |
1575 | # default configuration files |
1576 | +usr/share/strongswan/templates/config/plugins/acert.conf |
1577 | +usr/share/strongswan/templates/config/plugins/attr-sql.conf |
1578 | +usr/share/strongswan/templates/config/plugins/bliss.conf |
1579 | usr/share/strongswan/templates/config/plugins/ccm.conf |
1580 | +usr/share/strongswan/templates/config/plugins/chapoly.conf |
1581 | usr/share/strongswan/templates/config/plugins/cmac.conf |
1582 | +usr/share/strongswan/templates/config/plugins/coupling.conf |
1583 | usr/share/strongswan/templates/config/plugins/ctr.conf |
1584 | usr/share/strongswan/templates/config/plugins/curl.conf |
1585 | usr/share/strongswan/templates/config/plugins/curve25519.conf |
1586 | +usr/share/strongswan/templates/config/plugins/dnscert.conf |
1587 | usr/share/strongswan/templates/config/plugins/gcrypt.conf |
1588 | +usr/share/strongswan/templates/config/plugins/ipseckey.conf |
1589 | usr/share/strongswan/templates/config/plugins/ldap.conf |
1590 | +usr/share/strongswan/templates/config/plugins/load-tester.conf |
1591 | +usr/share/strongswan/templates/config/plugins/mysql.conf |
1592 | +usr/share/strongswan/templates/config/plugins/ntru.conf |
1593 | usr/share/strongswan/templates/config/plugins/pkcs11.conf |
1594 | +usr/share/strongswan/templates/config/plugins/radattr.conf |
1595 | +usr/share/strongswan/templates/config/plugins/soup.conf |
1596 | +usr/share/strongswan/templates/config/plugins/sql.conf |
1597 | +usr/share/strongswan/templates/config/plugins/sqlite.conf |
1598 | +usr/share/strongswan/templates/config/plugins/systime-fix.conf |
1599 | usr/share/strongswan/templates/config/plugins/test-vectors.conf |
1600 | usr/share/strongswan/templates/config/plugins/tpm.conf |
1601 | +usr/share/strongswan/templates/config/plugins/unbound.conf |
1602 | +usr/share/strongswan/templates/config/plugins/whitelist.conf |
1603 | +usr/share/strongswan/templates/database/sql/mysql.sql |
1604 | +usr/share/strongswan/templates/database/sql/sqlite.sql |
1605 | +etc/strongswan.d/charon/acert.conf |
1606 | +etc/strongswan.d/charon/attr-sql.conf |
1607 | +etc/strongswan.d/charon/bliss.conf |
1608 | etc/strongswan.d/charon/ccm.conf |
1609 | +etc/strongswan.d/charon/chapoly.conf |
1610 | etc/strongswan.d/charon/cmac.conf |
1611 | +etc/strongswan.d/charon/coupling.conf |
1612 | etc/strongswan.d/charon/ctr.conf |
1613 | etc/strongswan.d/charon/curl.conf |
1614 | etc/strongswan.d/charon/curve25519.conf |
1615 | +etc/strongswan.d/charon/dnscert.conf |
1616 | etc/strongswan.d/charon/gcrypt.conf |
1617 | +etc/strongswan.d/charon/ipseckey.conf |
1618 | etc/strongswan.d/charon/ldap.conf |
1619 | +etc/strongswan.d/charon/load-tester.conf |
1620 | +etc/strongswan.d/charon/mysql.conf |
1621 | +etc/strongswan.d/charon/ntru.conf |
1622 | etc/strongswan.d/charon/pkcs11.conf |
1623 | +etc/strongswan.d/charon/radattr.conf |
1624 | +etc/strongswan.d/charon/soup.conf |
1625 | +etc/strongswan.d/charon/sql.conf |
1626 | +etc/strongswan.d/charon/sqlite.conf |
1627 | +etc/strongswan.d/charon/systime-fix.conf |
1628 | etc/strongswan.d/charon/test-vectors.conf |
1629 | etc/strongswan.d/charon/tpm.conf |
1630 | # TPM libs |
1631 | usr/lib/ipsec/libtpmtss.so.* |
1632 | usr/lib/ipsec/libtpmtss.so |
1633 | +etc/strongswan.d/charon/unbound.conf |
1634 | +etc/strongswan.d/charon/whitelist.conf |
1635 | +usr/lib/ipsec/load-tester |
1636 | +usr/lib/ipsec/whitelist |
1637 | +# support libs |
1638 | +usr/lib/ipsec/libtpmtss.so* |
1639 | +usr/lib/ipsec/libnttfft.so* |
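Review bot: libtpmtss is now listed three times at the end of this file: the existing `usr/lib/ipsec/libtpmtss.so.*` and `usr/lib/ipsec/libtpmtss.so` under "# TPM libs", plus the added `usr/lib/ipsec/libtpmtss.so*` under "# support libs". Keep a single glob. The added unbound.conf and whitelist.conf lines, together with the load-tester and whitelist binaries, also sit below the "# TPM libs" comment; move the two .conf lines up into the etc/strongswan.d/charon block and give the binaries their own comment. Since this package now ships the load-tester plugin and binary on every installation that pulls in the extra plugins, please confirm it stays inactive in the default configuration.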
1640 | diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install |
1641 | index 072ff7e..5d458bb 100644 |
1642 | --- a/debian/libstrongswan.install |
1643 | +++ b/debian/libstrongswan.install |
1644 | @@ -6,15 +6,16 @@ usr/lib/ipsec/plugins/libstrongswan-dnskey.so |
1645 | usr/lib/ipsec/plugins/libstrongswan-fips-prf.so |
1646 | usr/lib/ipsec/plugins/libstrongswan-gmp.so |
1647 | usr/lib/ipsec/plugins/libstrongswan-hmac.so |
1648 | +usr/lib/ipsec/plugins/libstrongswan-md4.so |
1649 | usr/lib/ipsec/plugins/libstrongswan-md5.so |
1650 | usr/lib/ipsec/plugins/libstrongswan-mgf1.so |
1651 | usr/lib/ipsec/plugins/libstrongswan-nonce.so |
1652 | -usr/lib/ipsec/plugins/libstrongswan-pgp.so |
1653 | usr/lib/ipsec/plugins/libstrongswan-pem.so |
1654 | +usr/lib/ipsec/plugins/libstrongswan-pgp.so |
1655 | usr/lib/ipsec/plugins/libstrongswan-pkcs1.so |
1656 | +usr/lib/ipsec/plugins/libstrongswan-pkcs12.so |
1657 | usr/lib/ipsec/plugins/libstrongswan-pkcs7.so |
1658 | usr/lib/ipsec/plugins/libstrongswan-pkcs8.so |
1659 | -usr/lib/ipsec/plugins/libstrongswan-pkcs12.so |
1660 | usr/lib/ipsec/plugins/libstrongswan-pubkey.so |
1661 | usr/lib/ipsec/plugins/libstrongswan-random.so |
1662 | usr/lib/ipsec/plugins/libstrongswan-rc2.so |
1663 | @@ -31,15 +32,17 @@ usr/share/strongswan/templates/config/plugins/dnskey.conf |
1664 | usr/share/strongswan/templates/config/plugins/fips-prf.conf |
1665 | usr/share/strongswan/templates/config/plugins/gmp.conf |
1666 | usr/share/strongswan/templates/config/plugins/hmac.conf |
1667 | +usr/share/strongswan/templates/config/plugins/kernel-netlink.conf |
1668 | +usr/share/strongswan/templates/config/plugins/md4.conf |
1669 | usr/share/strongswan/templates/config/plugins/md5.conf |
1670 | usr/share/strongswan/templates/config/plugins/mgf1.conf |
1671 | usr/share/strongswan/templates/config/plugins/nonce.conf |
1672 | -usr/share/strongswan/templates/config/plugins/pgp.conf |
1673 | usr/share/strongswan/templates/config/plugins/pem.conf |
1674 | +usr/share/strongswan/templates/config/plugins/pgp.conf |
1675 | usr/share/strongswan/templates/config/plugins/pkcs1.conf |
1676 | +usr/share/strongswan/templates/config/plugins/pkcs12.conf |
1677 | usr/share/strongswan/templates/config/plugins/pkcs7.conf |
1678 | usr/share/strongswan/templates/config/plugins/pkcs8.conf |
1679 | -usr/share/strongswan/templates/config/plugins/pkcs12.conf |
1680 | usr/share/strongswan/templates/config/plugins/pubkey.conf |
1681 | usr/share/strongswan/templates/config/plugins/random.conf |
1682 | usr/share/strongswan/templates/config/plugins/rc2.conf |
1683 | @@ -55,15 +58,17 @@ etc/strongswan.d/charon/dnskey.conf |
1684 | etc/strongswan.d/charon/fips-prf.conf |
1685 | etc/strongswan.d/charon/gmp.conf |
1686 | etc/strongswan.d/charon/hmac.conf |
1687 | +etc/strongswan.d/charon/kernel-netlink.conf |
1688 | +etc/strongswan.d/charon/md4.conf |
1689 | etc/strongswan.d/charon/md5.conf |
1690 | etc/strongswan.d/charon/mgf1.conf |
1691 | etc/strongswan.d/charon/nonce.conf |
1692 | -etc/strongswan.d/charon/pgp.conf |
1693 | etc/strongswan.d/charon/pem.conf |
1694 | +etc/strongswan.d/charon/pgp.conf |
1695 | +etc/strongswan.d/charon/pkcs12.conf |
1696 | etc/strongswan.d/charon/pkcs1.conf |
1697 | etc/strongswan.d/charon/pkcs7.conf |
1698 | etc/strongswan.d/charon/pkcs8.conf |
1699 | -etc/strongswan.d/charon/pkcs12.conf |
1700 | etc/strongswan.d/charon/pubkey.conf |
1701 | etc/strongswan.d/charon/random.conf |
1702 | etc/strongswan.d/charon/rc2.conf |
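Review bot: pkcs12.conf is inserted before pkcs1.conf in this hunk, while the templates hunk above places it after pkcs1.conf. Use the same position in both lists so the two stay easy to diff against each other on the next merge.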
1703 | diff --git a/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
1704 | new file mode 100644 |
1705 | index 0000000..004b50b |
1706 | --- /dev/null |
1707 | +++ b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch |
1708 | @@ -0,0 +1,11 @@ |
1709 | +--- a/conf/plugins/kernel-libipsec.conf |
1710 | ++++ b/conf/plugins/kernel-libipsec.conf |
1711 | +@@ -5,7 +5,7 @@ |
1712 | + |
1713 | + # Whether to load the plugin. Can also be an integer to increase the |
1714 | + # priority of this plugin. |
1715 | +- load = yes |
1716 | ++ load = no |
1717 | + |
1718 | + } |
1719 | + |
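Review bot: the new patch file starts directly at "--- a/conf/plugins/kernel-libipsec.conf" with no header, so nothing records why the default flips from "load = yes" to "load = no". Add a DEP-3 header (Description, Author, Bug-Ubuntu, Forwarded) explaining the reason, so a later merge does not drop the patch as unexplained delta.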
1720 | diff --git a/debian/patches/series b/debian/patches/series |
1721 | index fde45f5..c72895f 100644 |
1722 | --- a/debian/patches/series |
1723 | +++ b/debian/patches/series |
1724 | @@ -2,3 +2,4 @@ |
1725 | 02_disable-bypass-lan.patch |
1726 | 03_systemd-service.patch |
1727 | 04_disable-libtls-tests.patch |
1728 | +dont-load-kernel-libipsec-plugin-by-default.patch |
1729 | diff --git a/debian/rules b/debian/rules |
1730 | index 8f5f922..a8f84a1 100755 |
1731 | --- a/debian/rules |
1732 | +++ b/debian/rules |
1733 | @@ -4,20 +4,36 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 |
1734 | export DEB_BUILD_MAINT_OPTIONS=hardening=+all |
1735 | |
1736 | CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ |
1737 | + --with-tss=trousers \ |
1738 | + --enable-acert \ |
1739 | --enable-addrblock \ |
1740 | --enable-agent \ |
1741 | --enable-bypass-lan \ |
1742 | + --enable-attr-sql \ |
1743 | + --enable-bliss \ |
1744 | --enable-ccm \ |
1745 | --enable-certexpire \ |
1746 | + --enable-chapoly \ |
1747 | --enable-cmd \ |
1748 | + --enable-coupling \ |
1749 | --enable-ctr \ |
1750 | --enable-curl \ |
1751 | + --enable-dnscert \ |
1752 | --enable-eap-aka \ |
1753 | + --enable-eap-aka-3gpp2 \ |
1754 | + --enable-eap-dynamic \ |
1755 | --enable-eap-gtc \ |
1756 | --enable-eap-identity \ |
1757 | --enable-eap-md5 \ |
1758 | --enable-eap-mschapv2 \ |
1759 | + --enable-eap-peap \ |
1760 | --enable-eap-radius \ |
1761 | + --enable-eap-sim \ |
1762 | + --enable-eap-simaka-pseudonym \ |
1763 | + --enable-eap-simaka-reauth \ |
1764 | + --enable-eap-simaka-sql \ |
1765 | + --enable-eap-sim-file \ |
1766 | + --enable-eap-sim-pcsc \ |
1767 | --enable-eap-tls \ |
1768 | --enable-eap-tnc \ |
1769 | --enable-eap-ttls \ |
1770 | @@ -25,18 +41,52 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ |
1771 | --enable-gcm \ |
1772 | --enable-gcrypt \ |
1773 | --enable-ha \ |
1774 | + --enable-imc-attestation \ |
1775 | + --enable-imc-os \ |
1776 | + --enable-imc-scanner \ |
1777 | + --enable-imc-swid \ |
1778 | + --enable-imc-test \ |
1779 | + --enable-imv-attestation \ |
1780 | + --enable-imv-os \ |
1781 | + --enable-imv-scanner \ |
1782 | + --enable-imv-swid \ |
1783 | + --enable-imv-test \ |
1784 | + --enable-ipseckey \ |
1785 | + --enable-kernel-libipsec \ |
1786 | --enable-ldap \ |
1787 | --enable-led \ |
1788 | + --enable-load-tester \ |
1789 | --enable-lookip \ |
1790 | --enable-mediation \ |
1791 | + --enable-md4 \ |
1792 | + --enable-mysql \ |
1793 | + --enable-ntru \ |
1794 | --enable-openssl \ |
1795 | --enable-pkcs11 \ |
1796 | + --enable-radattr \ |
1797 | + --enable-soup \ |
1798 | + --enable-sql \ |
1799 | + --enable-sqlite \ |
1800 | + --enable-systime-fix \ |
1801 | --enable-test-vectors \ |
1802 | --enable-tpm \ |
1803 | + --enable-tnccs-11 \ |
1804 | + --enable-tnccs-20 \ |
1805 | + --enable-tnccs-dynamic \ |
1806 | + --enable-tnc-ifmap \ |
1807 | + --enable-tnc-imc \ |
1808 | + --enable-tnc-imv \ |
1809 | + --enable-tnc-pdp \ |
1810 | + --enable-unbound \ |
1811 | + --enable-unit-tests \ |
1812 | --enable-unity \ |
1813 | + --enable-whitelist \ |
1814 | --enable-xauth-eap \ |
1815 | + --enable-xauth-generic \ |
1816 | + --enable-xauth-noauth \ |
1817 | --enable-xauth-pam \ |
1818 | --disable-blowfish \ |
1819 | + --disable-fast \ |
1820 | --disable-des # BSD-Young license |
1821 | #--with-user=strongswan --with-group=nogroup |
1822 | # --enable-kernel-pfkey --enable-kernel-klips \ |
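Review bot: --enable-xauth-noauth, --enable-load-tester, --enable-imc-test, --enable-imv-test and --enable-unit-tests build test-only and no-authentication code into the shipped packages, and only kernel-libipsec gets a "load = no" patch in this diff. xauth-noauth is an XAuth backend that performs no credential check and load-tester is a load-generation tool, so confirm neither lands in a package installed by default, or patch their plugin conf to "load = no" the same way and note it in the changelog.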
1823 | @@ -190,12 +240,6 @@ endif |
1824 | |
1825 | # add additional files not covered by upstream makefile... |
1826 | install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets |
1827 | - # also "patch" ipsec.conf to include the debconf-managed file |
1828 | - echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf |
1829 | - echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf |
1830 | - # and to enable both IKEv1 and IKEv2 by default |
1831 | - sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp |
1832 | - mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf |
1833 | |
1834 | # set permissions on ipsec.secrets and private key directories |
1835 | chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets |
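Review bot: removing the line that appends "include /var/lib/strongswan/ipsec.conf.inc" changes the shipped /etc/ipsec.conf, so a host whose connections live in the debconf-managed file stops reading them once the new conffile is accepted on upgrade. Either keep the include, or add a NEWS entry and a postinst check that warns when /var/lib/strongswan/ipsec.conf.inc exists and is non-empty.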
1836 | diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install |
1837 | index 9a4c0d1..b5250dc 100644 |
1838 | --- a/debian/strongswan-starter.install |
1839 | +++ b/debian/strongswan-starter.install |
1840 | @@ -16,3 +16,7 @@ usr/lib/ipsec/plugins/libstrongswan-stroke.so |
1841 | usr/share/strongswan/templates/config/plugins/stroke.conf |
1842 | etc/strongswan.d/charon/stroke.conf |
1843 | debian/usr.lib.ipsec.stroke /etc/apparmor.d/ |
1844 | +#pool |
1845 | +usr/lib/ipsec/pool |
1846 | +usr/share/strongswan/templates/config/strongswan.d/pool.conf |
1847 | +etc/strongswan.d/pool.conf |
1848 | diff --git a/debian/strongswan-starter.maintscript b/debian/strongswan-starter.maintscript |
1849 | new file mode 100644 |
1850 | index 0000000..6dcc68a |
1851 | --- /dev/null |
1852 | +++ b/debian/strongswan-starter.maintscript |
1853 | @@ -0,0 +1 @@ |
1854 | +rm_conffile /etc/init.d/ipsec 5.5.1-1ubuntu1~ |
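Review bot: rm_conffile removes /etc/init.d/ipsec, but the postinst hunk in this diff also drops the "update-rc.d -f ipsec remove" call, so nothing visible cleans up the /etc/rc?.d links that older packages created with "update-rc.d ipsec defaults 16 84". Add an explicit "update-rc.d ipsec remove" on upgrade from versions before 5.5.1-1ubuntu1~ so no dangling links are left behind.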
1855 | diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst |
1856 | index 9e4d7b1..9b7c734 100644 |
1857 | --- a/debian/strongswan-starter.postinst |
1858 | +++ b/debian/strongswan-starter.postinst |
1859 | @@ -220,63 +220,6 @@ case "$1" in |
1860 | db_set strongswan/install_x509_certificate false |
1861 | fi |
1862 | |
1863 | - # lets see if we are already using dependency based booting or the correct runlevel parameters |
1864 | - if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then |
1865 | - db_fset strongswan/runlevel_changes seen false |
1866 | - db_input high strongswan/runlevel_changes || true |
1867 | - db_go |
1868 | - |
1869 | - # if the admin did not change the runlevels which got installed by older packages we can modify them |
1870 | - if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then |
1871 | - update-rc.d -f ipsec remove |
1872 | - fi |
1873 | - |
1874 | - update-rc.d ipsec defaults 16 84 > /dev/null |
1875 | - fi |
1876 | - |
1877 | - db_get strongswan/enable-oe |
1878 | - if [ "$RET" != "true" ]; then |
1879 | - echo -n "Disabling opportunistic encryption (OE) in config file ... " |
1880 | - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then |
1881 | - # also update to new-style config |
1882 | - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp |
1883 | - mv $CONF_FILE.tmp $CONF_FILE |
1884 | - echo -n "converted old config line to new format" |
1885 | - fi |
1886 | - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then |
1887 | - sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp |
1888 | - mv $CONF_FILE.tmp $CONF_FILE |
1889 | - echo "done" |
1890 | - elif [ ! -e $CONF_FILE ]; then |
1891 | - echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE |
1892 | - else |
1893 | - echo "already disabled" |
1894 | - fi |
1895 | - else |
1896 | - echo -n "Enabling opportunistic encryption (OE) in config file ... " |
1897 | - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then |
1898 | - # also update to new-style config |
1899 | - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp |
1900 | - mv $CONF_FILE.tmp $CONF_FILE |
1901 | - echo -n "converted old config line to new format" |
1902 | - fi |
1903 | - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then |
1904 | - echo "already enabled" |
1905 | - elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then |
1906 | - sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp |
1907 | - mv $CONF_FILE.tmp $CONF_FILE |
1908 | - echo "done" |
1909 | - elif [ ! -e $CONF_FILE ]; then |
1910 | - echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE |
1911 | - else |
1912 | - cat <<EOF >> $CONF_FILE |
1913 | -#Enable Opportunistic Encryption |
1914 | -include /etc/ipsec.d/examples/oe.conf |
1915 | -EOF |
1916 | - echo "done" |
1917 | - fi |
1918 | - fi |
1919 | - |
1920 | # disabled for now, until we can solve the don't-edit-conffiles issue |
1921 | #db_get strongswan/ikev1 |
1922 | #if [ "$RET" != "true" ]; then |
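Review bot: the removed block is the code that reads strongswan/runlevel_changes and strongswan/enable-oe, so after this hunk those debconf questions may have no consumer left. Check that the matching entries in the templates and config script are removed as well, and unregister the two questions on upgrade so stale answers do not stay in the debconf database.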
1923 | diff --git a/debian/strongswan-tnc-base.install b/debian/strongswan-tnc-base.install |
1924 | new file mode 100644 |
1925 | index 0000000..a9e3f32 |
1926 | --- /dev/null |
1927 | +++ b/debian/strongswan-tnc-base.install |
1928 | @@ -0,0 +1,16 @@ |
1929 | +etc/strongswan.d/charon/tnccs-11.conf |
1930 | +etc/strongswan.d/charon/tnccs-20.conf |
1931 | +etc/strongswan.d/charon/tnccs-dynamic.conf |
1932 | +etc/strongswan.d/charon/tnc-tnccs.conf |
1933 | +etc/strongswan.d/imcv.conf |
1934 | +etc/strongswan.d/tnc.conf |
1935 | +usr/lib/ipsec/libimcv.* |
1936 | +usr/lib/ipsec/libtnccs.so* |
1937 | +usr/lib/ipsec/plugins/libstrongswan-tnccs-*.so |
1938 | +usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so |
1939 | +usr/share/strongswan/templates/config/plugins/tnccs-11.conf |
1940 | +usr/share/strongswan/templates/config/plugins/tnccs-20.conf |
1941 | +usr/share/strongswan/templates/config/plugins/tnccs-dynamic.conf |
1942 | +usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf |
1943 | +usr/share/strongswan/templates/config/strongswan.d/imcv.conf |
1944 | +usr/share/strongswan/templates/config/strongswan.d/tnc.conf |
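Review bot: "usr/lib/ipsec/libimcv.*" is looser than the "usr/lib/ipsec/libtnccs.so*" pattern on the next line and would also pick up libimcv.la or libimcv.a if the build installs them. Use "usr/lib/ipsec/libimcv.so*" so both libraries follow the same pattern and only shared objects are shipped.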
1945 | diff --git a/debian/strongswan-tnc-client.install b/debian/strongswan-tnc-client.install |
1946 | new file mode 100644 |
1947 | index 0000000..88449c6 |
1948 | --- /dev/null |
1949 | +++ b/debian/strongswan-tnc-client.install |
1950 | @@ -0,0 +1,5 @@ |
1951 | +etc/strongswan.d/charon/tnc-imc.conf |
1952 | +usr/lib/ipsec/imcvs/imc-*.so |
1953 | +usr/lib/ipsec/plugins/libstrongswan-tnc-imc.so |
1954 | +usr/share/strongswan/swidtag/strongswan.org__strongSwan-*.swidtag |
1955 | +usr/share/strongswan/templates/config/plugins/tnc-imc.conf |
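Review bot: the wildcard "usr/lib/ipsec/imcvs/imc-*.so" will also install the test IMC that --enable-imc-test builds in debian/rules, and "imv-*.so" in strongswan-tnc-server.install does the same for the test IMV. List the measurement modules explicitly (attestation, os, scanner, swid), or state in the package description that the test modules are included on purpose.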
1956 | diff --git a/debian/strongswan-tnc-ifmap.install b/debian/strongswan-tnc-ifmap.install |
1957 | new file mode 100644 |
1958 | index 0000000..3c8083b |
1959 | --- /dev/null |
1960 | +++ b/debian/strongswan-tnc-ifmap.install |
1961 | @@ -0,0 +1,3 @@ |
1962 | +etc/strongswan.d/charon/tnc-ifmap.conf |
1963 | +usr/lib/ipsec/plugins/libstrongswan-tnc-ifmap.so |
1964 | +usr/share/strongswan/templates/config/plugins/tnc-ifmap.conf |
1965 | diff --git a/debian/strongswan-tnc-pdp.install b/debian/strongswan-tnc-pdp.install |
1966 | new file mode 100644 |
1967 | index 0000000..2534386 |
1968 | --- /dev/null |
1969 | +++ b/debian/strongswan-tnc-pdp.install |
1970 | @@ -0,0 +1,3 @@ |
1971 | +etc/strongswan.d/charon/tnc-pdp.conf |
1972 | +usr/lib/ipsec/plugins/libstrongswan-tnc-pdp.so |
1973 | +usr/share/strongswan/templates/config/plugins/tnc-pdp.conf |
1974 | diff --git a/debian/strongswan-tnc-server.install b/debian/strongswan-tnc-server.install |
1975 | new file mode 100644 |
1976 | index 0000000..da633f6 |
1977 | --- /dev/null |
1978 | +++ b/debian/strongswan-tnc-server.install |
1979 | @@ -0,0 +1,10 @@ |
1980 | +etc/strongswan.d/attest.conf |
1981 | +etc/strongswan.d/charon/tnc-imv.conf |
1982 | +usr/lib/ipsec/attest |
1983 | +usr/lib/ipsec/imcvs/imv-*.so |
1984 | +usr/lib/ipsec/_imv_policy |
1985 | +usr/lib/ipsec/imv_policy_manager |
1986 | +usr/lib/ipsec/plugins/libstrongswan-tnc-imv.so |
1987 | +usr/share/strongswan/templates/config/plugins/tnc-imv.conf |
1988 | +usr/share/strongswan/templates/config/strongswan.d/attest.conf |
1989 | +usr/share/strongswan/templates/database/imv/*.sql |
Ran the QA Tests
name base - 4/4 ok
ip based - 4/4 ok
Test build is in PPA https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3199
For more details on the reasoning see https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1753018
IMHO it is not an FFE case, as all new things are either bugfixes or default off and minor (the bypass plugin).