Ubuntu
strongswan package

Merge ~paelzer/ubuntu/+source/strongswan:cosmic-merge-5.6.2-2 into ubuntu/+source/strongswan:debian/sid

Proposed by Christian Ehrhardt  on 2018-05-29

Status:

Merged

Merge reported by:

Christian Ehrhardt 

Merged at revision:

160ffc1245f6373f9875244a91b7a9d8e78d0957

Proposed branch:

~paelzer/ubuntu/+source/strongswan:cosmic-merge-5.6.2-2

Merge into:

ubuntu/+source/strongswan:debian/sid

Diff against target:

2059 lines (+1537/-90)

18 files modified

debian/changelog (+1155/-0)
debian/control (+122/-6)
debian/ipsec.secrets.proto (+0/-3)
debian/libcharon-extra-plugins.install (+64/-12)
debian/libcharon-standard-plugins.install (+19/-0)
debian/libstrongswan-extra-plugins.install (+58/-0)
debian/libstrongswan.install (+11/-6)
debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0)
debian/patches/series (+1/-0)
debian/rules (+50/-6)
debian/strongswan-starter.install (+4/-0)
debian/strongswan-starter.postinst (+0/-57)
debian/strongswan-tnc-base.install (+16/-0)
debian/strongswan-tnc-client.install (+5/-0)
debian/strongswan-tnc-ifmap.install (+3/-0)
debian/strongswan-tnc-pdp.install (+3/-0)
debian/strongswan-tnc-server.install (+10/-0)
debian/usr.sbin.charon-systemd (+5/-0)

Related bugs:

Bug #1765652: app armor profile for systemd daemon missing entry for /run/systemd/notify	Undecided	Fix Released
Bug #1766240: apparmor profile prevent mysql backend usage	Medium	Fix Released
Bug #1772705: IKEv2 VPN connections fail to use DNS servers provided by the server	Medium	Fix Released
Bug #1773814: merge latest strongswan from Debian (Cosmic)	Undecided	Fix Released

Link a bug report

Reviewer	Date Requested	Status
Andreas Hasenack	2018-05-29	Approve on 2018-06-04
Canonical Server	2018-05-29	Pending
git-ubuntu developers	2018-05-29	Pending
Review via email: mp+347026@code.launchpad.net

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2018-05-29:

From my log in the Bug:
Done - base Merge
Done - add planned bug fixes
Done - autopkgtests on Bileto https://bileto.ubuntu.com/excuses/3272/cosmic.html
Done - test with QA-Regression tests (two VMs doing tunnels)
Done - Test apparmor Denials that we expected to be fixed

I also pushed the related tags:
* [new tag] lp1773814/deconstruct/5.6.2-1ubuntu1 -> lp1773814/deconstruct/5.6.2-1ubuntu1
* [new tag] lp1773814/new/debian -> lp1773814/new/debian
* [new tag] lp1773814/old/ubuntu -> lp1773814/old/ubuntu
* [new tag] lp1773814/logical/5.6.2-1ubuntu1 -> lp1773814/logical/5.6.2-1ubuntu1
* [new tag] lp1773814/old/debian -> lp1773814/old/debian
* [new tag] lp1773814/reconstruct/5.6.2-1ubuntu1 -> lp1773814/reconstruct/5.6.2-1ubuntu1

With Tests complete I think this is ready for review to be uploaded.

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2018-05-29:

PPA is at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3272

Revision history for this message

Simon Déziel (sdeziel) wrote on 2018-05-29:

> With Tests complete I think this is ready for review to be uploaded.

I didn't test the result but I took a quick look at your MP and it LGTM, thanks!

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2018-05-30:

Shouldn't the logical, deconstruct and reconstruct tags be pointing at 5.6.2-1ubuntu*2* instead of 5.6.2-1ubuntu1? 1ubuntu2 is the current package in cosmic.

I realize I will probably not finish this review today, and since I'm off the rest of the week, feel free to grab other volunteers :)

review: Needs Information

~paelzer/ubuntu/+source/strongswan:cosmic-merge-5.6.2-2 updated on 2018-05-31

160ffc1... by Christian Ehrhardt  on 2018-05-31

changelog: DROP: fix dependencies of strongswan-libcharon

Signed-off-by: Christian Ehrhardt <email address hidden>

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2018-05-31:

Hmm it seems git Ubuntu merge start tricked me on that and I didn't realize when checking old tags.
But this is rather safe, as the change of 5.6.2-1ubuntu2 is one that is droppable after 18.04.
Thanks for spotting this Andreas, I pushed a new entry to the changelog to correctly mention its dropping.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2018-06-04:

cosmic dist upgrade works, upgrade from bionic works

git ubuntu lint is unhappy because of the incorrect tagging, but we can overlook that for this merge.

review: Approve

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2018-06-05:

Thanks for the checks, tags pushed and uploading.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Christian Ehrhardt 

git-ubuntu developers

Ubuntu
strongswan package

Merge ~paelzer/ubuntu/+source/strongswan:cosmic-merge-5.6.2-2 into ubuntu/+source/strongswan:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

 diff --git a/debian/changelog b/debian/changelog
 index 6dc4787..005f321 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,69 @@
++strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
++
++  * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
++    Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + d/rules: Removed patching ipsec.conf on build (not using the
++      debconf-managed config.)
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++      used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Dropped Changes (no more needed after 18.04)
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    + d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++    + d/control: bump breaks/replaces for the move of the updown plugin
++      (Missed Changelog entry on last merge)
++    + d/control: fix dependencies of strongswan-libcharon due to the move
++      the updown plugin (droppable >18.04).
++  * Added Changes:
++    + d/usr.sbin.charon-systemd: allow to contact mysql for sql and
++      attr-sql plugins (LP: #1766240)
++    + d/usr.sbin.charon-systemd: allow systemd notifications (LP: #1765652)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 29 May 2018 08:21:42 +0200
++
  strongswan (5.6.2-2) unstable; urgency=medium
    * charon-nm: Fix building list of DNS/MDNS servers with libnm
@@ -8,6 +74,74 @@ strongswan (5.6.2-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 13 Apr 2018 13:46:04 +0200
++strongswan (5.6.2-1ubuntu2) bionic; urgency=medium
++
++  * d/control: fix dependencies of strongswan-libcharon due to the move
++    the updown plugin.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 20 Mar 2018 07:37:29 +0100
++
++strongswan (5.6.2-1ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1753018). Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + Ubuntu is not using the debconf triggered private key generation
++      - d/rules: Removed patching ipsec.conf on build (not using the
++        debconf-managed config.)
++      - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++        used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    + d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++  * Added Changes:
++    + d/control: bump breaks/replaces from strongswan-libcharon to strongswan-
++      starter as we followed Debian to move the updown plugin but need to
++      match Ubuntu versions (Droppable >18.04).
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Fri, 16 Mar 2018 11:08:47 +0100
++
  strongswan (5.6.2-1) unstable; urgency=medium
    * d/NEWS: add information about disabled algorithms (closes: #883072)
@@ -30,6 +164,129 @@ strongswan (5.6.1-3) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Sun, 17 Dec 2017 16:40:39 +0100
++strongswan (5.6.1-2ubuntu4) bionic; urgency=medium
++
++  * SECURITY UPDATE: DoS via crafted RSASSA-PSS signature
++    - debian/patches/CVE-2018-6459.patch: Properly handle MGF1 algorithm
++      identifier without parameters in
++      src/libstrongswan/credentials/keys/signature_params.c.
++    - CVE-2018-6459
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 07 Mar 2018 14:52:02 +0100
++
++strongswan (5.6.1-2ubuntu3) bionic; urgency=medium
++
++  * No-change rebuild against libcurl4
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 28 Feb 2018 08:52:09 +0000
++
++strongswan (5.6.1-2ubuntu2) bionic; urgency=high
++
++  * No change rebuild against openssl1.1.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 12 Feb 2018 16:00:24 +0000
++
++strongswan (5.6.1-2ubuntu1) bionic; urgency=medium
++
++  * Merge with Debian unstable (LP: #1717343).
++    Also fixes and issue with multiple psk's (LP: #1734207). Remaining changes:
++    + Clean up d/strongswan-starter.postinst: section about runlevel changes
++    + Clean up d/strongswan-starter.postinst: Removed entire section on
++      opportunistic encryption disabling - this was never in strongSwan and
++      won't be see upstream issue #2160.
++    + Ubuntu is not using the debconf triggered private key generation
++      - d/rules: Removed patching ipsec.conf on build (not using the
++        debconf-managed config.)
++      - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
++        used for debconf-managed include of private key).
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of extra use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/control: Mention addtionally enabled plugins
++      - d/rules: Enable features at configure stage
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/strongswan-starter.install: Install pool feature, which is useful since
++      we have attr-sql plugin enabled as well using it.
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + d/control: Mention mgf1 plugin which is in libstrongswan now
++    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins (no deps from default plugins).
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that, droppable after 18.04)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Added changes:
++    + d/strongswan-tnc-client.install (relocate tnc) swidtag creation changed
++      in 5.6
++    + d/strongswan-tnc-server.install (relocate tnc) pacman no more needed
++    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
++      libstrongswan as we dropped relocating ccm and test-vectors.
++      (droppable >18.04).
++    - d/control: add breaks/replace from libstrongswan to
++      libstrongswan-extra-plugins for the move of mgf1 to libstrongswan.
++      (droppable >18.04).
++  * Dropped changes:
++    + Update init/service handling (debian default matches Ubuntu past now)
++      Dropping this fixes (LP: #1734886)
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++    + d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call
++      (this is a never failing no-op for us, no need for Delta).
++    + d/strongswan-starter.prerm: Stop strongswan service on package removal
++      (ipsec now maps to strongswan service, so this works as-is).
++    + Clean up d/strongswan-starter.postinst: rename service ipsec to
++      strongswan (ipsec now maps to strongswan service, so this works as-is)
++    + Clean up d/strongswan-starter.postinst: daemon enable/disable (the
++      whole section is disabled, so no need for delta)
++    + (is upstream) CVE-2017-11185 patches
++    + (is upstream) FTBFS upstream fix for changed include files
++    + (is upstream) debian/patches/increase-bliss-test-timeout.patch: Under
++       QEMU/KVM autopkgtest the bliss test takes longer than the default
++    + (in Debian) add now built (since 5.5.1) mgf1 plugin to
++      libstrongswan-extra-plugins.
++    + (in Debian) d/strongswan-starter.install: install stroke apparmor profile
++    + (this was enabled as part of the former delta, squash changes to no-up)
++      d/rules: Disable duplicheck.
++    + (not needed) Relocate plugins test-vectors from extra-plugins to
++      libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + (not needed) Relocate plugins ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + (while using it requires special kernel, it does not hurt to be
++      available in the package) Remove ha plugin
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 29 Nov 2017 15:55:18 +0100
++
  strongswan (5.6.1-2) unstable; urgency=medium
    * move counters plugin from -starter to -libcharon. closes: #882431
@@ -116,6 +373,213 @@ strongswan (5.5.2-1) experimental; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 19 May 2017 11:32:00 +0200
++strongswan (5.5.1-4ubuntu3) bionic; urgency=medium
++
++  * Fix Artful FTBFS due to newer glibc (LP: #1724859)
++    - d/p/utils-Include-stdint.h.patch: upstream fix for changed include
++      files.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 19 Oct 2017 15:18:52 +0200
++
++strongswan (5.5.1-4ubuntu2) artful; urgency=medium
++
++  * SECURITY UPDATE: Fix RSA signature verification
++    - debian/patches/CVE-2017-11185.patch: does some
++      verifications in order to avoid null-point dereference
++      in src/libstrongswan/gmp/gmp_rsa_public_key.c
++    - CVE-2017-11185
++
++ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Tue, 15 Aug 2017 14:49:49 -0300
++
++strongswan (5.5.1-4ubuntu1) artful; urgency=medium
++
++  * Merge from Debian to pick up latest security changes (CVE-2017-9022,
++    CVE-2017-9023).
++  * Remaining Changes:
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default (Upstream in
++      5.5.2 via issue 2204)
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 31 May 2017 15:57:54 +0200
++
++strongswan (5.5.1-3ubuntu1) artful; urgency=medium
++
++  * Merge from Debian to pick up latest changes. Among others this includes:
++    - a lot of the Delta we upstreamed to Debian (more discussions are ongoing
++      but likely have to wait until Debian stretch was released)
++    - enabling mediation support (LP: #1657413)
++  * Remaining Changes:
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins/conffiles
++      - d/libstrongswan.install: Add plugins/confiles
++      - d/control: move package descriptions and add required breaks/replaces
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default (Upstream in
++      5.5.2 via issue 2204)
++    + Complete the disabling of libfast; This was partially accepted in Debian,
++        it is no more packaging medcli and medsrv, but still builds and
++        mentions it.
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon.
++  * Dropped Changes:
++    + Add and install apparmor profiles (in Debian)
++      - d/rules: Install AppArmor profiles
++      - d/control: Add dh-apparmor build-dep
++      - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
++        for charon, lookip and stroke
++      - d/libcharon-extra-plugins.install: Install profile for lookip
++      - d/strongswan-charon.install: Install profile for charon
++      - d/strongswan-starter.install: Install profile for stroke
++      - Fix strongswan ipsec status issue with apparmor
++      - Fix Dep8 tests for the now extra strongswan-pki package for pki
++      - Fix Dep8 tests for the now extra strongswan-scepclient package
++    + d/rules: Sorted and only one enable option per configure line (in
++      Debian)
++    + Add updated logcheck rules (in Debian)
++      - debian/libstrongswan.strongswan.logcheck.*:  Remove outdated files
++      - debian/strongswan.logcheck: Add updated logcheck rules
++    + Add updated DEP8 tests (in Debian)
++      - d/tests/*: Add DEP8 tests
++      - d/control: Enable autotestpkg
++    + d/rules: do not strip for library integrity checking (After Discussion
++      with Debian this isn't acceptable there, but at the same time it turned
++      out the real use-case of this never uses this lib but instead third
++      party checks of checksums for e.g. FIPS cert; so drop the Delta)
++      - Use override_dh_strip to to avoid overwriting user build flags.
++      - Add missing mention of libchecksum integrity test in d/control
++    + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
++      in tests to avoid issues in low entropy environments. (Debian has
++      disabled !x86 tests for the same reason, one solution is enough)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 04 May 2017 14:06:23 +0200
++
  strongswan (5.5.1-3) unstable; urgency=medium
    [ Christian Ehrhardt ]
@@ -149,6 +613,136 @@ strongswan (5.5.1-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 07 Dec 2016 08:34:52 +0100
++strongswan (5.5.1-1ubuntu2) zesty; urgency=medium
++
++  * Update Maintainers which was missed while merging 5.5.1-1.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 19 Dec 2016 16:02:40 +0100
++
++strongswan (5.5.1-1ubuntu1) zesty; urgency=medium
++
++  * Merge from Debian (complex delta, discussions and broken out changes can be
++    found in the merge proposal linked from the merge bug LP: #1631198)
++  * Remaining Changes:
++    + d/rules: Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity
++      checking.
++    + d/rules: Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths
++      in tests to avoid issues in low entropy environments.
++    + Update init/service handling
++      - d/rules: Change init/systemd program name to strongswan
++      - d/strongswan-starter.strongswan.service: Add new systemd file instead of
++        patching upstream
++      - d/strongswan-starter.links: Removed, use Ubuntu systemd file instead of
++        linking to upstream
++      - d/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      - d/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++    + Clean up d/strongswan-starter.postinst:
++      - Removed section about runlevel changes
++      - Adapted service restart section for Upstart (kept to be Trusty
++        backportable).
++      - Remove old symlinks to init.d files is necessary.
++      - Removed further out-dated code
++      - Removed entire section on opportunistic encryption - this was never in
++        strongSwan.
++    + Add and install apparmor profiles
++      - d/rules: Install AppArmor profiles
++      - d/control: Add dh-apparmor build-dep
++      - d/usr.lib.ipsec.{charon, lookip, stroke}: Add latest AppArmor profiles
++        for charon, lookip and stroke
++      - d/libcharon-extra-plugins.install: Install profile for lookip
++      - d/strongswan-charon.install: Install profile for charon
++      - d/strongswan-starter.install: Install profile for stroke
++    + d/rules: Removed pieces on 'patching ipsec.conf' on build.
++    + d/rules: Sorted and only one enable option per configure line
++    + Mass enablement of extra plugins and features to allow a user to use
++      strongswan for a variety of use cases without having to rebuild.
++      - d/control: Add required additional build-deps
++      - d/rules: Enable features at configure stage
++      - d/control: Mention addtionally enabled plugins
++      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
++      - d/libstrongswan.install: Add plugins (so, conf)
++    + d/rules: Disable duplicheck as per
++      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++    + Remove ha plugin (requires special kernel)
++      - d/libcharon-extra-plugins.install: Stop installing ha (so, conf)
++      - d/rules: Do not enable ha plugin
++      - d/control: Drop listing the ha plugin in the package description
++    + Add plugin kernel-libipsec to allow the use of strongswan in containers
++      via this userspace implementation (please do note that this is still
++      considered experimental by upstream).
++      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
++      - d/control: List kernel-libipsec plugin at extra plugins description
++      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
++        upstream recommends to not load kernel-libipsec by default.
++    + Relocate tnc plugin
++     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
++     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
++    + d/strongswan-starter.install: Install pool feature, that useful due to
++      having attr-sql plugin that is enabled now.
++    + Relocate plugins test-vectors and ccm from extra-plugins to libstrongswan
++      - d/libstrongswan-extra-plugins.install: Remove plugins
++      - d/libstrongswan.install: Add plugins
++    + d/libstrongswan.install: Reorder conf and .so alphabetically
++    + d/libstrongswan.install: Add kernel-netlink configuration files
++    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    + Add updated logcheck rules
++      - debian/libstrongswan.strongswan.logcheck.*:  Remove outdated files
++      - debian/strongswan.logcheck: Add updated logcheck rules
++    + Add updated DEP8 tests
++      - d/tests/*: Add DEP8 tests
++      - d/control: Enable autotestpkg
++    + debian/patches/increase-bliss-test-timeout.patch: Under QEMU/KVM
++      autopkgtest the bliss test takes longer than the default
++    + Complete the disabling of libfast
++      - Note: This was partially accepted in Debian, it is no more
++        packaging medcli and medsrv, but still builds and mentions it
++      - d/rules: Add --disable-fast to avoid build time and dependencies
++      - d/control: Remove medcli, medsrv from package description
++  * Dropped Changes:
++    + Adding build-dep to iptables-dev (no change, was only in Changelog)
++    + Dropping of build deps libfcgi-dev, clearsilver-dev (in Debian)
++    + Adding strongswan-plugin-* virtual packages for dist-upgrade (no
++      upgrade path left needing them)
++    + Most of "disabling libfast" (Debian dropped it from package content)
++    + Transition for ipsec service (no upgrade path left)
++    + Reverted part of the cleanup to d/strongswan-starter.postinst as using
++      service should rather use invoke-rc.d (so it is a partial revert of our
++      delta)
++    + Transition handling (breaks/replaces) from per-plugin packages to the
++      three grouped plugin packages (no upgrade path left)
++    + debian/strongswan-starter.dirs: Don't touch /etc/init.d. (while "correct"
++      it is effectively a no-op still, so not worth the delta)
++    + Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
++      (no more needed)
++    + d/rules: Remove configure option --enable-unit-test (unit tests run by
++      default)
++  * Added Changes:
++    + Fix strongswan ipsec status issue with apparmor (LP: #1587886)
++    + d/control, d/libstrongswan.install, d/libstrongswan-extra-plugins: Fixup
++      the relocation of the ccm plugin which missed to move the conffiles.
++    + Complete move of test-vectors (was missing in d/control)
++    + Add now built (5.5.1 vs 5.3.5) mgf1 plugin to libstrongswan-extra-plugins.
++      "only" to extra-plugins Mgf1 is not listed as default plugin at
++      https://wiki.strongswan.org/projects/strongswan/wiki/Pluginlist.
++    + Add now built (5.5.1 vs 5.3.5) libraries libtpmtss and nttfft to
++      libstrongswan-extra-plugins.
++    + Add missing mention of md4 plugin in d/control
++    + Add missing mention of libchecksum integrity test in d/control
++    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
++      missed that)
++    + Use override_dh_strip to to fix library integrity checking instead of
++      DEB_BUILD_OPTION to avoid overwriting user build flags.
++    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
++      plugins for the most common use cases from extra-plugins into a new
++      standard-plugins package. This will allow those use cases without pulling
++      in too much more plugins (a bit like the tnc package). Recommend that
++      package from strongswan-libcharon (LP: #1640826).
++    + Fix Dep8 tests for the now extra strongswan-pki package for pki
++    + Fix Dep8 tests for the now extra strongswan-scepclient package
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Mon, 07 Nov 2016 16:16:41 +0100
++
  strongswan (5.5.1-1) unstable; urgency=medium
    * New upstream bugfix release.
@@ -265,6 +859,177 @@ strongswan (5.3.5-2) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Mon, 14 Mar 2016 23:53:34 +0100
++strongswan (5.3.5-1ubuntu4) yakkety; urgency=medium
++
++  * Build-depend on libjson-c-dev instead of libjson0-dev.
++  * Rebuild against libjson-c3.
++
++ -- Graham Inggs <ginggs@ubuntu.com>  Fri, 29 Apr 2016 19:04:22 +0200
++
++strongswan (5.3.5-1ubuntu3) xenial; urgency=medium
++
++  * Rebuild against libmysqlclient20.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Tue, 05 Apr 2016 13:02:48 +0000
++
++strongswan (5.3.5-1ubuntu2) xenial; urgency=medium
++
++  * debian/tests/plugins: rdrand may or may not be loaded, depending on the
++    cpu features.
++
++ -- Iain Lane <iain@orangesquash.org.uk>  Mon, 22 Feb 2016 17:13:01 +0000
++
++strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
++
++  * debian/{rules,control,libstrongswan-extra-plugins.install}
++    Enable bliss plugin
++  * debian/{rules,control,libstrongswan-extra-plugins.install}
++    Enable chapoly plugin
++  * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
++    Upstream suggests to not load this plugin by default as it has
++    some limitations.
++    https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
++  * debian/patches/increase-bliss-test-timeout.patch
++    Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
++  * Update Apparmor profiles
++    - usr.lib.ipsec.charon
++      - add capability audit_write for xauth-pam (LP: #1470277)
++      - add capability dac_override (needed by agent plugin)
++      - allow priv dropping (LP: #1333655)
++      - allow caching CRLs (LP: #1505222)
++      - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
++    - usr.lib.ipsec.stroke
++      - allow priv dropping (LP: #1333655)
++      - add local include
++    - usr.lib.ipsec.lookip
++      - add local include
++  * Merge from Debian, which includes fixes for all previous CVEs
++    Fixes (LP: #1330504, #1451091, #1448870, #1470277)
++    Remaining changes:
++      * debian/control
++        - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
++        - Update Maintainer for Ubuntu
++        - Add build-deps
++          - dh-apparmor
++          - iptables-dev
++          - libjson0-dev
++          - libldns-dev
++          - libmysqlclient-dev
++          - libpcsclite-dev
++          - libsoup2.4-dev
++          - libtspi-dev
++          - libunbound-dev
++        - Drop build-deps
++          - libfcgi-dev
++          - clearsilver-dev
++        - Create virtual packages for all strongswan-plugin-* for dist-upgrade
++        - Set XS-Testsuite: autopkgtest
++      * debian/rules:
++        - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
++        - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
++          tests.
++        - Change init/systemd program name to strongswan
++        - Install AppArmor profiles
++        - Removed pieces on 'patching ipsec.conf' on build.
++        - Enablement of features per Ubuntu current config suggested from
++          upstream recommendation
++        - Unpack and sort enabled features to one-per-line
++        - Disable duplicheck as per
++          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
++        - Disable libfast (--disable-fast):
++          Requires dropping medsrv, medcli plugins which depend on libfast
++        - Add configure options
++          --with-tss=trousers
++        - Remove configure options:
++          --enable-ha (requires special kernel)
++          --enable-unit-test (unit tests run by default)
++        - Drop logcheck install
++      * debian/tests/*
++        - Add DEP8 test for strongswan service and plugins
++      * debian/strongswan-starter.strongswan.service
++        - Add new systemd file instead of patching upstream
++      * debian/strongswan-starter.links
++        - removed, use Ubuntu systemd file instead of linking to upstream
++      * debian/usr.lib.ipsec.{charon, lookip, stroke}
++        - added AppArmor profiles for charon, lookip and stroke
++      * debian/libcharon-extra-plugins.install
++        - Add plugins
++          - kernel-libipsec.{so, lib, conf, apparmor}
++        - Remove plugins
++          - libstrongswan-ha.so
++        - Relocate plugins
++          - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install)
++      * debian/libstrongswan-extra-plugins.install
++        - Add plugins (so, lib, conf)
++          - acert
++          - attr-sql
++          - coupling
++          - dnscert
++          - fips-prf
++          - gmp
++          - ipseckey
++          - load-tester
++          - mysql
++          - ntru
++          - radattr
++          - soup
++          - sqlite
++          - sql
++          - systime-fix
++          - unbound
++          - whitelist
++        - Relocate plugins (so, lib, conf)
++          - ccm (libstrongswan.install)
++          - test-vectors (libstrongswan.install)
++      * debian/libstrongswan.install
++        - Sort sections
++        - Add plugins (so, lib, conf)
++          - libchecksum
++          - ccm
++          - eap-identity
++          - md4
++          - test-vectors
++      * debian/strongswan-charon.install
++        - Add AppArmor profile for charon
++      * debian/strongswan-starter.install
++        - Add tools, manpages, conf
++          - openac
++          - pool
++          - _updown_espmark
++        - Add AppArmor profile for stroke
++      * debian/strongswan-tnc-base.install
++        - Add new subpackage for TNC
++        - remove non-existent (dropped in 5.2.1) libpts library files
++      * debian/strongswan-tnc-client.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-ifmap.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-pdp.install
++        - Add new subpackage for TNC
++      * debian/strongswan-tnc-server.install
++        - Add new subpackage for TNC
++      * debian/strongswan-starter.postinit:
++        - Removed section about runlevel changes, it's almost 2014.
++        - Adapted service restart section for Upstart.
++        - Remove old symlinks to init.d files is necessary.
++      * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
++      * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++      * debian/strongswan-starter.prerm: Stop strongswan service on package
++        removal (as opposed to using the old init.d script).
++      * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck
++        - logcheck patterns updated to be helpful
++      * debian/strongswan-starter.postinst: Removed further out-dated code and
++        entire section on opportunistic encryption - this was never in strongSwan.
++      * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++    Drop changes:
++      * debian/control
++        - Per-plugin package breakup: Reducing packaging delta from Debian
++        - Don't build dhcp, farp subpackages: Reduce packging delta from Debian
++      * debian/watch: Already exists in Debian merge
++      * debian/upstream/signing-key.asc:  Upstream has newer version.
++
++ -- Ryan Harper <ryan.harper@canonical.com>  Fri, 12 Feb 2016 11:24:53 -0600
++
  strongswan (5.3.5-1) unstable; urgency=medium
    * New upstream bugfix release.
@@ -537,6 +1302,210 @@ strongswan (5.1.2-1) unstable; urgency=medium
   -- Yves-Alexis Perez <corsac@debian.org>  Wed, 12 Mar 2014 11:22:38 +0100
++strongswan (5.1.2-0ubuntu8) xenial; urgency=medium
++
++  * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240)
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 30 Nov 2015 15:46:06 +0000
++
++strongswan (5.1.2-0ubuntu7) xenial; urgency=medium
++
++  * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
++    - debian/patches/CVE-2015-8023.patch: only succeed authentication if
++      MSK was established in
++      src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
++    - CVE-2015-8023
++  * debian/patches/disable_ntru_test.patch: disable test causing FTBFS
++    until regression is properly investigated.
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 19 Nov 2015 14:00:17 -0500
++
++strongswan (5.1.2-0ubuntu6) wily; urgency=medium
++
++  * SECURITY UPDATE: user credential disclosure to rogue servers
++    - debian/patches/CVE-2015-4171.patch: enforce remote authentication
++      config before proceeding with own authentication in
++      src/libcharon/sa/ikev2/tasks/ike_auth.c.
++    - CVE-2015-4171
++  * debian/rules: don't FTBFS from unused service file
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 08 Jun 2015 12:50:38 -0400
++
++strongswan (5.1.2-0ubuntu5) vivid; urgency=medium
++
++  * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 16 Jan 2015 08:27:54 +0100
++
++strongswan (5.1.2-0ubuntu4) vivid; urgency=medium
++
++  * SECURITY UPDATE: denial of service via DH group 1025
++    - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of
++      IKE DH range in src/libstrongswan/crypto/diffie_hellman.c,
++      src/libstrongswan/crypto/diffie_hellman.h.
++    - CVE-2014-9221
++
++ -- Tyler Hicks <tyhicks@canonical.com>  Mon, 05 Jan 2015 08:25:29 -0500
++
++strongswan (5.1.2-0ubuntu3) utopic; urgency=low
++
++  * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix
++    build.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 15 Oct 2014 16:49:18 +0000
++
++strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
++
++  * SECURITY UPDATE: remote authentication bypass
++    - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
++      on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
++    - CVE-2014-2338
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 14 Apr 2014 11:24:34 -0400
++
++strongswan (5.1.2-0ubuntu1) trusty; urgency=low
++
++  * New upstream release.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 01 Mar 2014 08:53:17 +0000
++
++strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
++
++  * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
++  * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 19 Feb 2014 13:07:16 +0000
++
++strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
++
++  * New upstream release candidate.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 19 Feb 2014 12:59:21 +0000
++
++strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
++
++  * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
++    packages.
++  * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 17 Feb 2014 18:12:38 +0000
++
++strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
++
++  * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:46:46 +0000
++
++strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
++
++  * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
++    as it's only useful on amd64.
++  * debian/watch: Added opts=pgpsigurlmangle option.
++  * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:32:10 +0000
++
++strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
++
++  * New upstream release candidate.
++  * debian/*.install - include new configuration files for plugins in
++    appropiate packages.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sat, 15 Feb 2014 15:03:14 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
++
++  * debian/control:
++    - Added Breaks/Replaces for all library files which have been moved
++      about (LP: #1278176).
++    - Removed build-dependency on check and added one on dh-apparmor.
++  * debian/strongswan-starter.postinst: Removed further out-dated code and
++    entire section on opportunistic encryption - this was never in strongSwan.
++  * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Sun, 09 Feb 2014 23:53:23 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
++
++  * debian/control: Fixed references to plugin-fips-prf.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 22 Jan 2014 11:22:14 +0000
++
++strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
++
++  * Upstream Git snapshot for build fixes with regards to entropy.
++  * debian/rules:
++    - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
++    - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
++      tests.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 20 Jan 2014 19:00:59 +0000
++
++strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
++
++  * New upstream developer release.
++  * Made changes to packaging per upstream suggestions.
++    - Dropped medcli and medsrv packages - not recommended by upstream at this
++      time.
++    - Dropped ha plugin - needs special kernel.
++    - Improved all package descriptions in general.
++    - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
++    - Removed debian/*logcheck* files - not relevant to strongSwan.
++    - Split dhcp and farp packages into sub-packages.
++    - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
++    - Changes to TNC-related packages.
++  * Created AppArmor profiles for lookip and stroke.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 15 Jan 2014 22:52:53 +0000
++
++strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low
++
++  * libstrongswan.install: Removed lingering unit-tester.so reference.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 06 Jan 2014 20:29:59 +0000
++
++strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low
++
++  * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce.
++    Incorporates upstream fixes for:
++      - Integrity testing.
++      - Unit test failures on little endian systems.
++  * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed
++    upstream.
++  * debian/rules:
++    - Stop using CK_TIMEOUT_MULTIPLIER.
++    - Stop enabling the test suite only on non-powerpc arches (it runs
++      anyway).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 06 Jan 2014 20:17:20 +0000
++
++strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low
++
++  * debian/control: Reinstate missing comma in dependencies.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Fri, 03 Jan 2014 05:39:13 +0000
++
++strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low
++
++  * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue
++    where test for >2038 tests on 32-bit platforms is broken.
++    - Reported upstream: https://wiki.strongswan.org/issues/477
++  * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Fri, 03 Jan 2014 05:02:32 +0000
++
++strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low
++
++  * New upstream developer release.
++  * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup,
++    and --enable-unity.
++  * debian/control:
++    - New plugin packages created for the above
++    - Split fips-prf into its own package.
++    - Added build-dependency on libsoup2.4-dev.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Thu, 02 Jan 2014 17:37:33 +0000
++
  strongswan (5.1.1-3) unstable; urgency=low
    * Upload to unstable.
@@ -628,6 +1597,192 @@ strongswan (5.1.1-1) unstable; urgency=low
   -- Yves-Alexis Perez <corsac@debian.org>  Fri, 24 Jan 2014 21:22:32 +0100
++strongswan (5.1.1-0ubuntu17) trusty; urgency=low
++
++  * debian/control:
++    - Make strongswan-ike depend on iproute2.
++    - Added xauth plugin dependency on strongswan-plugin-eap-gtc.
++    - Created strongswan-libfast package.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 01 Jan 2014 17:04:45 +0000
++
++strongswan (5.1.1-0ubuntu16) trusty; urgency=low
++
++  * debian/control:
++    - Further splitting of plugins into subpackages (such as all EAP plugins
++      to their own packages).
++    - Added libpcsclite-dev to build-dependencies.
++  * debian/rules:
++    - Sort configure options in alphabetical order.
++    - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic,
++      --enable-eap-sim-file, --enable-eap-sim-pcsc,
++      --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and
++      --enable-eap-simaka-sql.
++    - Don't exclude medsrv from install.
++  * Moved eap-identity.so to libstrongswan package as it's used by all the
++    other EAP plugins.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 21:25:50 +0000
++
++strongswan (5.1.1-0ubuntu15) trusty; urgency=low
++
++  * debian/control:
++    - Split plugins from libstrongswan package into modular subpackages.
++    - Added libmysqlclient-dev to build-dependencies.
++    - strongswan-ike: Set to depend on either strongswan-plugins-openssl or
++      strongswan-plugins-gcrypt.
++    - strongswan-ike: All other plugins added to Suggests.
++    - Created two new TNC packages: strongswan-tnc-ifmap and
++      strongswan-tnc-pdp and added to tnc-imcvs Suggests.
++  * debian/rules: Added to CONFIGUREARGS: --enable-certexpire,
++    --enable-error-notify, --enable-mysql, --enable-load-tester,
++    --enable-radattr, --enable-tnc-pdp, and --enable-whitelist.
++  * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 16:15:32 +0000
++
++strongswan (5.1.1-0ubuntu14) trusty; urgency=low
++
++  * debian/rules:
++    - CK_TIMEOUT_MULTIPLIER back down to 6.
++    - Disable unit tests on powerpc.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:39:48 +0000
++
++strongswan (5.1.1-0ubuntu13) trusty; urgency=low
++
++  * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:23:42 +0000
++
++strongswan (5.1.1-0ubuntu12) trusty; urgency=low
++
++  * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
++    armhf.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 07:03:40 +0000
++
++strongswan (5.1.1-0ubuntu11) trusty; urgency=low
++
++  * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
++    one extra arch.
++  * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 06:51:47 +0000
++
++strongswan (5.1.1-0ubuntu10) trusty; urgency=low
++
++  * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
++    - Increases RSA key generate test timeout to 30 seconds so that it doesn't
++      fail on armhf, arm64, and powerppc.
++  * Contrary to what the last changelog entry says, we are still running
++    strongswan as root (with AppArmor protection).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Tue, 31 Dec 2013 06:06:47 +0000
++
++strongswan (5.1.1-0ubuntu9) trusty; urgency=low
++
++  * debian/rules: Added to configure options:
++    - --enable-tnc-ifmap: enable TNC IF-MAP module.
++    - --enable-duplicheck: enable duplicheck plugin.
++    - --enable-imv-swid, --enable-imc-swid: Added.
++    - Run strongswan as it's own user.
++  * debian/strongswan-starter.install: Install duplicheck.
++  * debian/strongswan-tnc-imcvs.install: Install swidtags.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 19:33:27 +0000
++
++strongswan (5.1.1-0ubuntu8) trusty; urgency=low
++
++  * debian/rules: Added to configure options:
++    - --enable-unit-tests: check unit testing on build.
++    - --enable-unbound: for validating DNS lookups.
++    - --enable-dnscert: for DNSCERT peer authentication.
++    - --enable-ipseckey: for IPSEC key authentication.
++    - --enable-lookip: for LookIP functionality.
++    - --enable-coupling: certificate coupling functionality.
++  * debian/control: Added check, libldns-dev, libunbound-dev to
++    build-dependencies.
++  * debian/libstrongswan.install: Install new plugin .so's.
++  * debian/strongswan-starter.install: Added lookip.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:52:07 +0000
++
++strongswan (5.1.1-0ubuntu7) trusty; urgency=low
++
++  * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
++    the former from depending on the latter).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:30:19 +0000
++
++strongswan (5.1.1-0ubuntu6) trusty; urgency=low
++
++  * debian/strongswan-starter.prerm: Stop strongswan service on package
++    removal (as opposed to using the old init.d script).
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 17:22:10 +0000
++
++strongswan (5.1.1-0ubuntu5) trusty; urgency=low
++
++  * debian/rules:
++    - CONFIGUREARGS: Merged Debian and RPM options.
++    - Brings in TNC functionality.
++  * debian/control:
++    - Added build-dependency on libtspi-dev.
++    - Created strongswan-tnc-imcvs binary package for TNC components.
++    - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
++  * debian/libstrongswan.install:
++    - Included newly built MD4 and SQLite libraries.
++    - Removed 'tnc' references (moved to TNC package).
++  * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
++    binaries.
++  * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 14:05:43 +0000
++
++strongswan (5.1.1-0ubuntu4) trusty; urgency=low
++
++  * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
++  * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
++  * debian/control: strongswan-ike - Stop depending on ipsec-tools.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Mon, 30 Dec 2013 05:35:17 +0000
++
++strongswan (5.1.1-0ubuntu3) trusty; urgency=low
++
++  * strongswan-starter.strongswan.upstart - Only start strongSwan when a
++    network connection is available.
++  * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to
++    1.16.1 - to make precise backporting easier.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Thu, 12 Dec 2013 10:43:15 +0000
++
++strongswan (5.1.1-0ubuntu2) trusty; urgency=low
++
++  * strongswan-starter.strongswan.upstart - Created Upstart job for
++    strongSwan.
++  * debian/rules: Set dh_installinit to install above file.
++  * debian/strongswan-starter.postinit:
++    - Removed section about runlevel changes, it's almost 2014.
++    - Adapted service restart section for Upstart.
++    - Remove old symlinks to init.d files is necessary.
++  * debian/strongswan-starter.dirs: Don't touch /etc/init.d.
++
++ -- Jonathan Davies <jonathan.davies@canonical.com>  Wed, 11 Dec 2013 23:10:28 +0000
++
++strongswan (5.1.1-0ubuntu1) trusty; urgency=low
++
++  * New upstream release.
++  * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed.
++  * debian/control: Updated Standards-Version to 3.9.5 and applied
++    XSBC-Original-Maintainer policy.
++  * strongswan-starter.install:
++    - pki tool is now in /usr/bin.
++    - Install pt-tls-client.
++    - Install manpages (LP: #1206263).
++
++ -- Jonathan Davies <jpds@ubuntu.com>  Sun, 01 Dec 2013 17:43:59 +0000
++
  strongswan (5.1.0-3) unstable; urgency=high
    * urgency=high for the security fixes.
 diff --git a/debian/control b/debian/control
 index 4f12140..5792e50 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,7 +1,8 @@
  Source: strongswan
  Section: net
  Priority: optional
--Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
  Uploaders: Rene Mayrhofer <rmayr@debian.org>,
             Yves-Alexis Perez <corsac@debian.org>
  Standards-Version: 4.1.2
@@ -19,14 +20,21 @@ Build-Depends: bison,
                 libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev,
                 libgcrypt20-dev | libgcrypt11-dev,
                 libgmp3-dev,
++               libjson-c-dev,
                 libkrb5-dev,
                 libldap2-dev,
++               libldns-dev,
++               libmysqlclient-dev,
                 libnm-dev [linux-any],
                 libpam0g-dev,
++               libpcsclite-dev,
++               libsoup2.4-dev,
                 libsqlite3-dev,
                 libssl-dev (>= 0.9.8),
                 libsystemd-dev [linux-any],
                 libtool,
++               libtspi-dev,
++               libunbound-dev,
                 libxml2-dev,
                 pkg-config,
                 po-debconf,
@@ -68,7 +76,9 @@ Description: strongSwan utility and crypto library
    - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms)
    - gmp (RSA/DH crypto backend based on libgmp)
    - hmac (HMAC wrapper using various hashers)
++  - md4 (MD4 hasher software implementation)
    - md5 (MD5 hasher software implementation)
++  - mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512)
    - nonce (Default nonce generation plugin)
    - pem (PEM encoding/decoding routines)
    - pgp (PGP encoding/decoding routines)
@@ -131,22 +141,57 @@ Description: strongSwan utility and crypto library (extra plugins)
   cryptographic library.
+  .
   Included plugins are:
++  - acert (Support of X.509 attribute certificates (since 5.1.3))
    - af-alg [linux] (AF_ALG Linux crypto API interface, provides
      ciphers/hashers/hmac/xcbc)
++  - attr-sql (provide IKE attributes read from a database to peers)
++  - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer
++    signature scheme)
    - ccm (CCM cipher mode wrapper)
++  - chapoly (ChaCha20/Poly1305 AEAD implementation)
    - cmac (CMAC cipher mode wrapper)
    - ctr (CTR cipher mode wrapper)
++  - coupling (Permanent peer certificate coupling)
    - curl (libcurl based HTTP/FTP fetcher)
    - curve25519 (support for Diffie-Hellman group 31 using Curve25519 and
      support for the Ed25519 digital signature algorithm for IKEv2)
++  - dnscert (authentication via CERT RRs protected by DNSSEC)
    - gcrypt (Crypto backend based on libgcrypt, provides
      RSA/DH/ciphers/hashers/rng)
++  - ipseckey (authentication via IPSECKEY RRs protected by DNSSEC)
    - ldap (LDAP fetching plugin based on libldap)
++  - load-tester (perform IKE load tests against self or gateway)
++  - mysql (database backend)
++  - ntru (key exchanged based on post-quantum computer NTRU)
++  - nttfft (Number Theoretic Transform via the FFT algorithm)
    - padlock (VIA padlock crypto backend, provides AES128/SHA1)
    - pkcs11 (PKCS#11 smartcard backend)
++  - radattr (inject and process custom RADIUS attributes as IKEv2 client)
++  - sql (SQL configuration and creds engine)
++  - sqlite (SQLite database backend)
++  - soup (libsoup based HTTP fetcher)
++  - tpmtss (TPM 1.2 and TPM 2.0 Trusted Platform Modules)
    - rdrand (High quality / high performance random source using the Intel
      rdrand instruction found on Ivy Bridge processors)
    - test-vectors (Set of test vectors for various algorithms)
++  - unbound (DNSSEC enabled resolver using libunbound)
++  - whitelist (peer verification against a whitelist)
++
++Package: libcharon-standard-plugins
++Architecture: any
++Depends: libstrongswan (= ${binary:Version}),
++         ${misc:Depends},
++         ${shlibs:Depends}
++Breaks: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~)
++Replaces: libcharon-extra-plugins (<< 5.5.1-1ubuntu1~)
++Description: strongSwan charon library (standard plugins)
++ The strongSwan VPN suite uses the native IPsec stack in the standard
++ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
++ .
++ This package provides standard plugins for the charon library:
++  - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
++  - xauth-generic (Generic XAuth backend that provides passwords from
++    ipsec.secrets and other credential sets)
  Package: libcharon-extra-plugins
  Architecture: any
@@ -162,13 +207,13 @@ Description: strongSwan charon library (extra plugins)
   This package provides extra plugins for the charon library:
    - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509
      certificates)
++  - dhcp (Forwarding of DHCP requests for virtual IPs to DHCP server)
    - certexpire (Export expiration dates of used certificates)
    - eap-aka (Generic EAP-AKA protocol handler using different backends)
    - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends)
    - eap-identity (EAP-Identity identity exchange algorithm, to use with other
      EAP protocols)
    - eap-md5 (EAP-MD5 protocol handler using passwords)
--  - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
    - eap-radius (EAP server proxy plugin forwarding EAP conversations to a
      RADIUS server)
    - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
@@ -176,17 +221,25 @@ Description: strongSwan charon library (extra plugins)
    - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel)
    - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
    - error-notify (Notification about errors via UNIX socket)
++  - farp (fake ARP responses for requests to virtual IP address)
    - ha (High-Availability clustering)
++  - kernel-libipsec (Userspace IPsec Backend with TUN devices)
    - led (Let Linux LED subsystem LEDs blink on IKE activity)
    - lookip (Virtual IP lookup facility using a UNIX socket)
--  - medcli (Web interface based mediation client interface)
--  - medsrv (Web interface based mediation server interface)
    - tnc (Trusted Network Connect)
    - unity (Cisco Unity extensions for IKEv1)
    - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
--  - xauth-generic (Generic XAuth backend that provides passwords from
--    ipsec.secrets and other credential sets)
    - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
++  - eap-aka-3gpp2 (EAP-AKA backend implementing standard 3GPP2 algorithm in software)
++  - eap-dynamic (EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since 5.0.1))
++  - eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely)
++  - eap-sim (Generic EAP-SIM protocol handler using different backends)
++  - eap-sim-file (EAP-SIM backend reading triplets from a file)
++  - eap-sim-pcsc (EAP-SIM backend based on a PC/SC smartcard reader)
++  - eap-simaka-pseudonym (EAP-SIM/AKA in-memory pseudonym identity database)
++  - eap-simaka-reauth (EAP-SIM/AKA in-memory reauthentication identity database)
++  - eap-simaka-sql (EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database)
++  - xauth-noauth (XAuth backend that does not do any authentication (since 5.0.3))
  Package: strongswan-starter
  Architecture: any
@@ -212,6 +265,7 @@ Depends: libstrongswan (= ${binary:Version}),
           ${shlibs:Depends}
  Breaks: strongswan-starter (<= 5.6.1-2)
  Replaces: strongswan-starter (<= 5.6.1-2)
++Recommends: libcharon-standard-plugins
  Suggests: libcharon-extra-plugins
  Description: strongSwan charon library
   The strongSwan VPN suite uses the native IPsec stack in the standard
@@ -255,6 +309,68 @@ Description: strongSwan plugin to interact with NetworkManager
   in conjunction with the network-manager-strongswan package, providing
   a simple graphical frontend to configure IPsec based VPNs.
++Package: strongswan-tnc-ifmap
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
++Description: strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP client
++ The strongSwan VPN suite uses the native IPsec stack in the standard
++ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
++ .
++ This package provides Trusted Network Connect's (TNC) IF-MAP 2.0 client.
++
++Package: strongswan-tnc-base
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
++Suggests: strongswan-tnc-ifmap, strongswan-tnc-pdp
++Description: strongSwan Trusted Network Connect's (TNC) - base files
++ The strongSwan VPN suite uses the native IPsec stack in the standard
++ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
++ .
++ This package provides the base files for strongSwan's Trusted Network
++ Connect's (TNC) functionality.
++ .
++ strongSwan's IMC/IMV dynamic libraries can be used by any third party TNC
++ client/server implementation possessing a standard IF-IMC/IMV interface.
++
++Package: strongswan-tnc-client
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends},
++  libstrongswan (= ${binary:Version}), strongswan-tnc-base (= ${binary:Version})
++Suggests: libcharon-extra-plugins
++Description: strongSwan Trusted Network Connect's (TNC) - client files
++ The strongSwan VPN suite uses the native IPsec stack in the standard
++ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
++ .
++ This package provides the client functionality for strongSwan's Trusted Network
++ Connect's (TNC) features.
++ .
++ It includes the OS, scanner, test, SWID, and attestation IMCs.
++
++Package: strongswan-tnc-server
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends},
++  libstrongswan (= ${binary:Version}),
++  strongswan-tnc-base (= ${binary:Version}),
++  libstrongswan-extra-plugins (= ${binary:Version})
++Description: strongSwan Trusted Network Connect's (TNC) - server files
++ The strongSwan VPN suite uses the native IPsec stack in the standard
++ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
++ .
++ This package provides the server functionality for strongSwan's Trusted Network
++ Connect's (TNC) features.
++
++Package: strongswan-tnc-pdp
++Architecture: any
++Depends: ${shlibs:Depends}, ${misc:Depends},
++  libstrongswan (= ${binary:Version}),
++  strongswan-tnc-server (= ${binary:Version})
++Description: strongSwan plugin for Trusted Network Connect's (TNC) PDP
++ The strongSwan VPN suite uses the native IPsec stack in the standard
++ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
++ .
++ This package provides Trusted Network Connect's (TNC) Policy Decision Point
++ (PDP) with RADIUS server interface.
++
  Package: charon-cmd
  Architecture: any
  Depends: libstrongswan (= ${binary:Version}),
 diff --git a/debian/ipsec.secrets.proto b/debian/ipsec.secrets.proto
 index dfa6dde..309e3fc 100644
 --- a/debian/ipsec.secrets.proto
 +++ b/debian/ipsec.secrets.proto
@@ -3,6 +3,3 @@
  # RSA private key for this host, authenticating it to any other host
  # which knows the public part.
--# this file is managed with debconf and will contain the automatically created private key
--include /var/lib/strongswan/ipsec.secrets.inc
--
 diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
 index 1b0cbca..cb539ec 100644
 --- a/debian/libcharon-extra-plugins.install
 +++ b/debian/libcharon-extra-plugins.install
@@ -1,50 +1,102 @@
  # libcharon plugins
  usr/lib/ipsec/plugins/libstrongswan-addrblock.so
  usr/lib/ipsec/plugins/libstrongswan-certexpire.so
--usr/lib/ipsec/plugins/libstrongswan-eap*.so
++usr/lib/ipsec/plugins/libstrongswan-eap-aka-3gpp2.so
++usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
++usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
++usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
++usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
++usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
++usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
++usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
++usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so
++usr/lib/ipsec/plugins/libstrongswan-eap-sim-pcsc.so
++usr/lib/ipsec/plugins/libstrongswan-eap-sim.so
++usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so
++usr/lib/ipsec/plugins/libstrongswan-eap-simaka-reauth.so
++usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so
++usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
++usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
++usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so
  usr/lib/ipsec/plugins/libstrongswan-error-notify.so
  usr/lib/ipsec/plugins/libstrongswan-ha.so
++usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
  usr/lib/ipsec/plugins/libstrongswan-led.so
  usr/lib/ipsec/plugins/libstrongswan-lookip.so
  #usr/lib/ipsec/plugins/libstrongswan-medsrv.so
  #usr/lib/ipsec/plugins/libstrongswan-medcli.so
--usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
  usr/lib/ipsec/plugins/libstrongswan-unity.so
--usr/lib/ipsec/plugins/libstrongswan-xauth-*.so
++usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
++usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so
++usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
  # standard configuration files
  usr/share/strongswan/templates/config/plugins/addrblock.conf
  usr/share/strongswan/templates/config/plugins/certexpire.conf
--usr/share/strongswan/templates/config/plugins/eap-*.conf
++usr/share/strongswan/templates/config/plugins/eap-aka-3gpp2.conf
++usr/share/strongswan/templates/config/plugins/eap-aka.conf
++usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
++usr/share/strongswan/templates/config/plugins/eap-gtc.conf
++usr/share/strongswan/templates/config/plugins/eap-identity.conf
++usr/share/strongswan/templates/config/plugins/eap-md5.conf
++usr/share/strongswan/templates/config/plugins/eap-peap.conf
++usr/share/strongswan/templates/config/plugins/eap-radius.conf
++usr/share/strongswan/templates/config/plugins/eap-sim-file.conf
++usr/share/strongswan/templates/config/plugins/eap-sim-pcsc.conf
++usr/share/strongswan/templates/config/plugins/eap-sim.conf
++usr/share/strongswan/templates/config/plugins/eap-simaka-pseudonym.conf
++usr/share/strongswan/templates/config/plugins/eap-simaka-reauth.conf
++usr/share/strongswan/templates/config/plugins/eap-simaka-sql.conf
++usr/share/strongswan/templates/config/plugins/eap-tls.conf
++usr/share/strongswan/templates/config/plugins/eap-tnc.conf
++usr/share/strongswan/templates/config/plugins/eap-ttls.conf
  usr/share/strongswan/templates/config/plugins/error-notify.conf
  usr/share/strongswan/templates/config/plugins/ha.conf
++usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf
  usr/share/strongswan/templates/config/plugins/led.conf
  usr/share/strongswan/templates/config/plugins/lookip.conf
  #usr/share/strongswan/templates/config/plugins/medsrv.conf
  #usr/share/strongswan/templates/config/plugins/medcli.conf
--usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
  usr/share/strongswan/templates/config/plugins/unity.conf
--usr/share/strongswan/templates/config/plugins/xauth-*.conf
--usr/share/strongswan/templates/config/strongswan.d/tnc.conf
--etc/strongswan.d/tnc.conf
++usr/share/strongswan/templates/config/plugins/xauth-eap.conf
++usr/share/strongswan/templates/config/plugins/xauth-noauth.conf
++usr/share/strongswan/templates/config/plugins/xauth-pam.conf
  etc/strongswan.d/charon/addrblock.conf
  etc/strongswan.d/charon/certexpire.conf
--etc/strongswan.d/charon/eap-*.conf
++etc/strongswan.d/charon/eap-aka-3gpp2.conf
++etc/strongswan.d/charon/eap-aka.conf
++etc/strongswan.d/charon/eap-dynamic.conf
++etc/strongswan.d/charon/eap-gtc.conf
++etc/strongswan.d/charon/eap-identity.conf
++etc/strongswan.d/charon/eap-md5.conf
++etc/strongswan.d/charon/eap-peap.conf
++etc/strongswan.d/charon/eap-radius.conf
++etc/strongswan.d/charon/eap-sim-file.conf
++etc/strongswan.d/charon/eap-sim-pcsc.conf
++etc/strongswan.d/charon/eap-sim.conf
++etc/strongswan.d/charon/eap-simaka-pseudonym.conf
++etc/strongswan.d/charon/eap-simaka-reauth.conf
++etc/strongswan.d/charon/eap-simaka-sql.conf
++etc/strongswan.d/charon/eap-tls.conf
++etc/strongswan.d/charon/eap-tnc.conf
++etc/strongswan.d/charon/eap-ttls.conf
  etc/strongswan.d/charon/error-notify.conf
  etc/strongswan.d/charon/ha.conf
++etc/strongswan.d/charon/kernel-libipsec.conf
  etc/strongswan.d/charon/led.conf
  etc/strongswan.d/charon/lookip.conf
  #etc/strongswan.d/charon/medsrv.conf
  #etc/strongswan.d/charon/medcli.conf
--etc/strongswan.d/charon/tnc-tnccs.conf
  etc/strongswan.d/charon/unity.conf
--etc/strongswan.d/charon/xauth-*.conf
++etc/strongswan.d/charon/xauth-eap.conf
++etc/strongswan.d/charon/xauth-noauth.conf
++etc/strongswan.d/charon/xauth-pam.conf
  debian/usr.lib.ipsec.lookip /etc/apparmor.d/
  # support libs
  #usr/lib/ipsec/libfast.so*
++usr/lib/ipsec/libipsec.so*
  usr/lib/ipsec/libpttls.so*
  usr/lib/ipsec/libradius.so*
  usr/lib/ipsec/libsimaka.so*
--usr/lib/ipsec/libtnccs.so*
  usr/lib/ipsec/libtls.so*
  # binaries
  usr/bin/pt-tls-client
 diff --git a/debian/libcharon-standard-plugins.install b/debian/libcharon-standard-plugins.install
 new file mode 100644
 index 0000000..25e580c
 --- /dev/null
 +++ b/debian/libcharon-standard-plugins.install
@@ -0,0 +1,19 @@
++# most commonly used libcharon plugins
++# 1) eap-mschapv2 is required on the client side to connect to VPN
++# concentrators configured for Windows 7+ and modern OSX/iOS using IKEv2.
++# In such scenario, the VPN concentrator identifies itself with a public
++# key and asks the client to authenticate with MSCHAPv2.
++# 2) xauth-generic is required on the client side to connect to VPN
++# concentrators configured for Android and older OSX/iOS using IKEv1 and
++# XAUTH. In such scenario, the VPN concentrator identifies itself with a
++# public key or a shared secret and asks the client to authenticate with a
++# XAUTH password.
++# plugins
++usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so
++usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
++# config templates
++usr/share/strongswan/templates/config/plugins/eap-mschapv2.conf
++usr/share/strongswan/templates/config/plugins/xauth-generic.conf
++# configuration files
++etc/strongswan.d/charon/eap-mschapv2.conf
++etc/strongswan.d/charon/xauth-generic.conf
 diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
 index cfa5978..4cd01d4 100644
 --- a/debian/libstrongswan-extra-plugins.install
 +++ b/debian/libstrongswan-extra-plugins.install
@@ -1,37 +1,95 @@
  # Tool for TPM PCR extension
  usr/bin/tpm_extendpcr
  # libstrongswan plugins
++usr/lib/ipsec/plugins/libstrongswan-acert.so
++usr/lib/ipsec/plugins/libstrongswan-attr-sql.so
++usr/lib/ipsec/plugins/libstrongswan-bliss.so
  usr/lib/ipsec/plugins/libstrongswan-ccm.so
++usr/lib/ipsec/plugins/libstrongswan-chapoly.so
  usr/lib/ipsec/plugins/libstrongswan-cmac.so
++usr/lib/ipsec/plugins/libstrongswan-coupling.so
  usr/lib/ipsec/plugins/libstrongswan-ctr.so
  usr/lib/ipsec/plugins/libstrongswan-curl.so
  usr/lib/ipsec/plugins/libstrongswan-curve25519.so
++usr/lib/ipsec/plugins/libstrongswan-dnscert.so
  usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
++usr/lib/ipsec/plugins/libstrongswan-ipseckey.so
  usr/lib/ipsec/plugins/libstrongswan-ldap.so
++usr/lib/ipsec/plugins/libstrongswan-load-tester.so
++usr/lib/ipsec/plugins/libstrongswan-mysql.so
++usr/lib/ipsec/plugins/libstrongswan-ntru.so
  usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
++usr/lib/ipsec/plugins/libstrongswan-radattr.so
++usr/lib/ipsec/plugins/libstrongswan-soup.so
++usr/lib/ipsec/plugins/libstrongswan-sqlite.so
++usr/lib/ipsec/plugins/libstrongswan-sql.so
++usr/lib/ipsec/plugins/libstrongswan-systime-fix.so
  usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
  usr/lib/ipsec/plugins/libstrongswan-tpm.so
++usr/lib/ipsec/plugins/libstrongswan-unbound.so
++usr/lib/ipsec/plugins/libstrongswan-whitelist.so
  # default configuration files
++usr/share/strongswan/templates/config/plugins/acert.conf
++usr/share/strongswan/templates/config/plugins/attr-sql.conf
++usr/share/strongswan/templates/config/plugins/bliss.conf
  usr/share/strongswan/templates/config/plugins/ccm.conf
++usr/share/strongswan/templates/config/plugins/chapoly.conf
  usr/share/strongswan/templates/config/plugins/cmac.conf
++usr/share/strongswan/templates/config/plugins/coupling.conf
  usr/share/strongswan/templates/config/plugins/ctr.conf
  usr/share/strongswan/templates/config/plugins/curl.conf
  usr/share/strongswan/templates/config/plugins/curve25519.conf
++usr/share/strongswan/templates/config/plugins/dnscert.conf
  usr/share/strongswan/templates/config/plugins/gcrypt.conf
++usr/share/strongswan/templates/config/plugins/ipseckey.conf
  usr/share/strongswan/templates/config/plugins/ldap.conf
++usr/share/strongswan/templates/config/plugins/load-tester.conf
++usr/share/strongswan/templates/config/plugins/mysql.conf
++usr/share/strongswan/templates/config/plugins/ntru.conf
  usr/share/strongswan/templates/config/plugins/pkcs11.conf
++usr/share/strongswan/templates/config/plugins/radattr.conf
++usr/share/strongswan/templates/config/plugins/soup.conf
++usr/share/strongswan/templates/config/plugins/sql.conf
++usr/share/strongswan/templates/config/plugins/sqlite.conf
++usr/share/strongswan/templates/config/plugins/systime-fix.conf
  usr/share/strongswan/templates/config/plugins/test-vectors.conf
  usr/share/strongswan/templates/config/plugins/tpm.conf
++usr/share/strongswan/templates/config/plugins/unbound.conf
++usr/share/strongswan/templates/config/plugins/whitelist.conf
++usr/share/strongswan/templates/database/sql/mysql.sql
++usr/share/strongswan/templates/database/sql/sqlite.sql
++etc/strongswan.d/charon/acert.conf
++etc/strongswan.d/charon/attr-sql.conf
++etc/strongswan.d/charon/bliss.conf
  etc/strongswan.d/charon/ccm.conf
++etc/strongswan.d/charon/chapoly.conf
  etc/strongswan.d/charon/cmac.conf
++etc/strongswan.d/charon/coupling.conf
  etc/strongswan.d/charon/ctr.conf
  etc/strongswan.d/charon/curl.conf
  etc/strongswan.d/charon/curve25519.conf
++etc/strongswan.d/charon/dnscert.conf
  etc/strongswan.d/charon/gcrypt.conf
++etc/strongswan.d/charon/ipseckey.conf
  etc/strongswan.d/charon/ldap.conf
++etc/strongswan.d/charon/load-tester.conf
++etc/strongswan.d/charon/mysql.conf
++etc/strongswan.d/charon/ntru.conf
  etc/strongswan.d/charon/pkcs11.conf
++etc/strongswan.d/charon/radattr.conf
++etc/strongswan.d/charon/soup.conf
++etc/strongswan.d/charon/sql.conf
++etc/strongswan.d/charon/sqlite.conf
++etc/strongswan.d/charon/systime-fix.conf
  etc/strongswan.d/charon/test-vectors.conf
  etc/strongswan.d/charon/tpm.conf
  # TPM libs
  usr/lib/ipsec/libtpmtss.so.*
  usr/lib/ipsec/libtpmtss.so
++etc/strongswan.d/charon/unbound.conf
++etc/strongswan.d/charon/whitelist.conf
++usr/lib/ipsec/load-tester
++usr/lib/ipsec/whitelist
++# support libs
++usr/lib/ipsec/libtpmtss.so*
++usr/lib/ipsec/libnttfft.so*
 diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install
 index 072ff7e..5d458bb 100644
 --- a/debian/libstrongswan.install
 +++ b/debian/libstrongswan.install
@@ -6,15 +6,16 @@ usr/lib/ipsec/plugins/libstrongswan-dnskey.so
  usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
  usr/lib/ipsec/plugins/libstrongswan-gmp.so
  usr/lib/ipsec/plugins/libstrongswan-hmac.so
++usr/lib/ipsec/plugins/libstrongswan-md4.so
  usr/lib/ipsec/plugins/libstrongswan-md5.so
  usr/lib/ipsec/plugins/libstrongswan-mgf1.so
  usr/lib/ipsec/plugins/libstrongswan-nonce.so
--usr/lib/ipsec/plugins/libstrongswan-pgp.so
  usr/lib/ipsec/plugins/libstrongswan-pem.so
++usr/lib/ipsec/plugins/libstrongswan-pgp.so
  usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
++usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
  usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
  usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
--usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
  usr/lib/ipsec/plugins/libstrongswan-pubkey.so
  usr/lib/ipsec/plugins/libstrongswan-random.so
  usr/lib/ipsec/plugins/libstrongswan-rc2.so
@@ -31,15 +32,17 @@ usr/share/strongswan/templates/config/plugins/dnskey.conf
  usr/share/strongswan/templates/config/plugins/fips-prf.conf
  usr/share/strongswan/templates/config/plugins/gmp.conf
  usr/share/strongswan/templates/config/plugins/hmac.conf
++usr/share/strongswan/templates/config/plugins/kernel-netlink.conf
++usr/share/strongswan/templates/config/plugins/md4.conf
  usr/share/strongswan/templates/config/plugins/md5.conf
  usr/share/strongswan/templates/config/plugins/mgf1.conf
  usr/share/strongswan/templates/config/plugins/nonce.conf
--usr/share/strongswan/templates/config/plugins/pgp.conf
  usr/share/strongswan/templates/config/plugins/pem.conf
++usr/share/strongswan/templates/config/plugins/pgp.conf
  usr/share/strongswan/templates/config/plugins/pkcs1.conf
++usr/share/strongswan/templates/config/plugins/pkcs12.conf
  usr/share/strongswan/templates/config/plugins/pkcs7.conf
  usr/share/strongswan/templates/config/plugins/pkcs8.conf
--usr/share/strongswan/templates/config/plugins/pkcs12.conf
  usr/share/strongswan/templates/config/plugins/pubkey.conf
  usr/share/strongswan/templates/config/plugins/random.conf
  usr/share/strongswan/templates/config/plugins/rc2.conf
@@ -55,15 +58,17 @@ etc/strongswan.d/charon/dnskey.conf
  etc/strongswan.d/charon/fips-prf.conf
  etc/strongswan.d/charon/gmp.conf
  etc/strongswan.d/charon/hmac.conf
++etc/strongswan.d/charon/kernel-netlink.conf
++etc/strongswan.d/charon/md4.conf
  etc/strongswan.d/charon/md5.conf
  etc/strongswan.d/charon/mgf1.conf
  etc/strongswan.d/charon/nonce.conf
--etc/strongswan.d/charon/pgp.conf
  etc/strongswan.d/charon/pem.conf
++etc/strongswan.d/charon/pgp.conf
++etc/strongswan.d/charon/pkcs12.conf
  etc/strongswan.d/charon/pkcs1.conf
  etc/strongswan.d/charon/pkcs7.conf
  etc/strongswan.d/charon/pkcs8.conf
--etc/strongswan.d/charon/pkcs12.conf
  etc/strongswan.d/charon/pubkey.conf
  etc/strongswan.d/charon/random.conf
  etc/strongswan.d/charon/rc2.conf
 diff --git a/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
 new file mode 100644
 index 0000000..004b50b
 --- /dev/null
 +++ b/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
@@ -0,0 +1,11 @@
++--- a/conf/plugins/kernel-libipsec.conf
+++++ b/conf/plugins/kernel-libipsec.conf
++@@ -5,7 +5,7 @@
++
++     # Whether to load the plugin. Can also be an integer to increase the
++     # priority of this plugin.
++-    load = yes
+++    load = no
++
++ }
++
 diff --git a/debian/patches/series b/debian/patches/series
 index ecc6257..59b4eaf 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -3,3 +3,4 @@
 _systemd-service.patch
 _disable-libtls-tests.patch
 _charon-nm-Fix-building-list-of-DNS-MDNS-servers-with.patch
++dont-load-kernel-libipsec-plugin-by-default.patch
 diff --git a/debian/rules b/debian/rules
 index d1dbf8a..d3450c7 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -4,20 +4,36 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1
  export DEB_BUILD_MAINT_OPTIONS=hardening=+all
  CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
++		--with-tss=trousers \
++		--enable-acert \
  		--enable-addrblock \
  		--enable-agent \
  		--enable-bypass-lan \
++		--enable-attr-sql \
++		--enable-bliss \
  		--enable-ccm \
  		--enable-certexpire \
++		--enable-chapoly \
  		--enable-cmd \
++		--enable-coupling \
  		--enable-ctr \
  		--enable-curl \
++		--enable-dnscert \
  		--enable-eap-aka \
++		--enable-eap-aka-3gpp2 \
++		--enable-eap-dynamic \
  		--enable-eap-gtc \
  		--enable-eap-identity \
  		--enable-eap-md5 \
  		--enable-eap-mschapv2 \
++		--enable-eap-peap \
  		--enable-eap-radius \
++		--enable-eap-sim \
++		--enable-eap-simaka-pseudonym \
++		--enable-eap-simaka-reauth \
++		--enable-eap-simaka-sql \
++		--enable-eap-sim-file \
++		--enable-eap-sim-pcsc \
  		--enable-eap-tls \
  		--enable-eap-tnc \
  		--enable-eap-ttls \
@@ -25,18 +41,52 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
  		--enable-gcm \
  		--enable-gcrypt \
  		--enable-ha \
++		--enable-imc-attestation \
++		--enable-imc-os \
++		--enable-imc-scanner \
++		--enable-imc-swid \
++		--enable-imc-test \
++		--enable-imv-attestation \
++		--enable-imv-os \
++		--enable-imv-scanner  \
++		--enable-imv-swid \
++		--enable-imv-test \
++		--enable-ipseckey \
++		--enable-kernel-libipsec \
  		--enable-ldap \
  		--enable-led \
++		--enable-load-tester \
  		--enable-lookip \
  		--enable-mediation \
++		--enable-md4 \
++		--enable-mysql \
++		--enable-ntru \
  		--enable-openssl \
  		--enable-pkcs11 \
++		--enable-radattr \
++		--enable-soup \
++		--enable-sql \
++		--enable-sqlite \
++		--enable-systime-fix \
  		--enable-test-vectors \
  		--enable-tpm \
++		--enable-tnccs-11 \
++		--enable-tnccs-20 \
++		--enable-tnccs-dynamic \
++		--enable-tnc-ifmap \
++		--enable-tnc-imc \
++		--enable-tnc-imv \
++		--enable-tnc-pdp \
++		--enable-unbound \
++		--enable-unit-tests \
  		--enable-unity \
++		--enable-whitelist \
  		--enable-xauth-eap \
++		--enable-xauth-generic \
++		--enable-xauth-noauth \
  		--enable-xauth-pam \
  		--disable-blowfish \
++		--disable-fast \
  		--disable-des # BSD-Young license
  	#--with-user=strongswan --with-group=nogroup
  	#	--enable-kernel-pfkey --enable-kernel-klips \
@@ -190,12 +240,6 @@ endif
  	# add additional files not covered by upstream makefile...
  	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
--	# also "patch" ipsec.conf to include the debconf-managed file
--	echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
--	echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
--	# and to enable both IKEv1 and IKEv2 by default
--	sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
--	mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
  	# set permissions on ipsec.secrets and private key directories
  	chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
 diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install
 index 9a4c0d1..b5250dc 100644
 --- a/debian/strongswan-starter.install
 +++ b/debian/strongswan-starter.install
@@ -16,3 +16,7 @@ usr/lib/ipsec/plugins/libstrongswan-stroke.so
  usr/share/strongswan/templates/config/plugins/stroke.conf
  etc/strongswan.d/charon/stroke.conf
  debian/usr.lib.ipsec.stroke /etc/apparmor.d/
++#pool
++usr/lib/ipsec/pool
++usr/share/strongswan/templates/config/strongswan.d/pool.conf
++etc/strongswan.d/pool.conf
 diff --git a/debian/strongswan-starter.postinst b/debian/strongswan-starter.postinst
 index 9e4d7b1..9b7c734 100644
 --- a/debian/strongswan-starter.postinst
 +++ b/debian/strongswan-starter.postinst
@@ -220,63 +220,6 @@ case "$1" in
  	    db_set strongswan/install_x509_certificate false
  	fi
--	# lets see if we are already using dependency based booting or the correct runlevel parameters
--	if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then
--	    db_fset strongswan/runlevel_changes seen false
--	    db_input high strongswan/runlevel_changes || true
--	    db_go
--
--	    # if the admin did not change the runlevels which got installed by older packages we can modify them
--	    if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then
--		update-rc.d -f ipsec remove
--	    fi
--
--	    update-rc.d ipsec defaults 16 84 > /dev/null
--	fi
--
--        db_get strongswan/enable-oe
--        if [ "$RET" != "true" ]; then
--            echo -n "Disabling opportunistic encryption (OE) in config file ... "
--            if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
--                # also update to new-style config
--                sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
--                mv $CONF_FILE.tmp $CONF_FILE
--                echo -n "converted old config line to new format"
--            fi
--            if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
--            	sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
--                mv $CONF_FILE.tmp $CONF_FILE
--                echo "done"
--            elif [ ! -e $CONF_FILE ]; then
--                echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
--            else
--                echo "already disabled"
--            fi
--	else
--            echo -n "Enabling opportunistic encryption (OE) in config file ... "
--            if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
--                # also update to new-style config
--            	sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
--                mv $CONF_FILE.tmp $CONF_FILE
--                echo -n "converted old config line to new format"
--            fi
--            if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
--                echo "already enabled"
--            elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
--            	sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
--                mv $CONF_FILE.tmp $CONF_FILE
--                echo "done"
--            elif [ ! -e $CONF_FILE ]; then
--                echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
--            else
--                cat <<EOF >> $CONF_FILE
--#Enable Opportunistic Encryption
--include /etc/ipsec.d/examples/oe.conf
--EOF
--              echo "done"
--            fi
--        fi
--
  	# disabled for now, until we can solve the don't-edit-conffiles issue
          #db_get strongswan/ikev1
          #if [ "$RET" != "true" ]; then
 diff --git a/debian/strongswan-tnc-base.install b/debian/strongswan-tnc-base.install
 new file mode 100644
 index 0000000..a9e3f32
 --- /dev/null
 +++ b/debian/strongswan-tnc-base.install
@@ -0,0 +1,16 @@
++etc/strongswan.d/charon/tnccs-11.conf
++etc/strongswan.d/charon/tnccs-20.conf
++etc/strongswan.d/charon/tnccs-dynamic.conf
++etc/strongswan.d/charon/tnc-tnccs.conf
++etc/strongswan.d/imcv.conf
++etc/strongswan.d/tnc.conf
++usr/lib/ipsec/libimcv.*
++usr/lib/ipsec/libtnccs.so*
++usr/lib/ipsec/plugins/libstrongswan-tnccs-*.so
++usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
++usr/share/strongswan/templates/config/plugins/tnccs-11.conf
++usr/share/strongswan/templates/config/plugins/tnccs-20.conf
++usr/share/strongswan/templates/config/plugins/tnccs-dynamic.conf
++usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
++usr/share/strongswan/templates/config/strongswan.d/imcv.conf
++usr/share/strongswan/templates/config/strongswan.d/tnc.conf
 diff --git a/debian/strongswan-tnc-client.install b/debian/strongswan-tnc-client.install
 new file mode 100644
 index 0000000..88449c6
 --- /dev/null
 +++ b/debian/strongswan-tnc-client.install
@@ -0,0 +1,5 @@
++etc/strongswan.d/charon/tnc-imc.conf
++usr/lib/ipsec/imcvs/imc-*.so
++usr/lib/ipsec/plugins/libstrongswan-tnc-imc.so
++usr/share/strongswan/swidtag/strongswan.org__strongSwan-*.swidtag
++usr/share/strongswan/templates/config/plugins/tnc-imc.conf
 diff --git a/debian/strongswan-tnc-ifmap.install b/debian/strongswan-tnc-ifmap.install
 new file mode 100644
 index 0000000..3c8083b
 --- /dev/null
 +++ b/debian/strongswan-tnc-ifmap.install
@@ -0,0 +1,3 @@
++etc/strongswan.d/charon/tnc-ifmap.conf
++usr/lib/ipsec/plugins/libstrongswan-tnc-ifmap.so
++usr/share/strongswan/templates/config/plugins/tnc-ifmap.conf
 diff --git a/debian/strongswan-tnc-pdp.install b/debian/strongswan-tnc-pdp.install
 new file mode 100644
 index 0000000..2534386
 --- /dev/null
 +++ b/debian/strongswan-tnc-pdp.install
@@ -0,0 +1,3 @@
++etc/strongswan.d/charon/tnc-pdp.conf
++usr/lib/ipsec/plugins/libstrongswan-tnc-pdp.so
++usr/share/strongswan/templates/config/plugins/tnc-pdp.conf
 diff --git a/debian/strongswan-tnc-server.install b/debian/strongswan-tnc-server.install
 new file mode 100644
 index 0000000..da633f6
 --- /dev/null
 +++ b/debian/strongswan-tnc-server.install
@@ -0,0 +1,10 @@
++etc/strongswan.d/attest.conf
++etc/strongswan.d/charon/tnc-imv.conf
++usr/lib/ipsec/attest
++usr/lib/ipsec/imcvs/imv-*.so
++usr/lib/ipsec/_imv_policy
++usr/lib/ipsec/imv_policy_manager
++usr/lib/ipsec/plugins/libstrongswan-tnc-imv.so
++usr/share/strongswan/templates/config/plugins/tnc-imv.conf
++usr/share/strongswan/templates/config/strongswan.d/attest.conf
++usr/share/strongswan/templates/database/imv/*.sql
 diff --git a/debian/usr.sbin.charon-systemd b/debian/usr.sbin.charon-systemd
 index e1769f2..b3daa46 100644
 --- a/debian/usr.sbin.charon-systemd
 +++ b/debian/usr.sbin.charon-systemd
@@ -19,6 +19,7 @@
    #include <abstractions/authentication>
    #include <abstractions/openssl>
    #include <abstractions/p11-kit>
++  #include <abstractions/mysql>
    capability ipc_lock,
    capability net_admin,
@@ -71,6 +72,10 @@
    /var/lib/strongswan/*     r,
++  # There is no systemd abstraction in base yet (https://gitlab.com/apparmor/apparmor/issues/5)
++  # until there is one, we need this for systemd notifications (LP: #1765652)
++  /{,var/}run/systemd/notify w,
++
    # Site-specific additions and overrides. See local/README for details.
    #include <local/usr.sbin.charon-systemd>
+ }

Ubuntustrongswan package

Merge ~paelzer/ubuntu/+source/strongswan:cosmic-merge-5.6.2-2 into ubuntu/+source/strongswan:debian/sid

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
strongswan package