diff -Nru strongswan-5.3.5/debian/changelog strongswan-5.3.5/debian/changelog
--- strongswan-5.3.5/debian/changelog 2015-11-26 08:27:01.000000000 -0600
+++ strongswan-5.3.5/debian/changelog 2016-02-17 16:11:54.000000000 -0600
@@ -1,3 +1,151 @@
+strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
+
+ * debian/{rules,control,libstrongswan-extra-plugins.install}
+ Enable bliss plugin
+ * debian/{rules,control,libstrongswan-extra-plugins.install}
+ Enable chapoly plugin
+ * debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
+ Upstream suggests to not load this plugin by default as it has
+ some limitations.
+ https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
+ * debian/patches/increase-bliss-test-timeout.patch
+ Under QEMU/KVM for autopkgtest bliss test takes a bit longer then default
+ * Update Apparmor profiles
+ - usr.lib.ipsec.charon
+ - add capability audit_write for xauth-pam (LP: #1470277)
+ - add capability dac_override (needed by agent plugin)
+ - allow priv dropping (LP: #1333655)
+ - allow caching CRLs (LP: #1505222)
+ - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
+ - usr.lib.ipsec.stroke
+ - allow priv dropping (LP: #1333655)
+ - add local include
+ - usr.lib.ipsec.lookip
+ - add local include
+ * Merge from Debian, which includes fixes for all previous CVEs
+ Fixes (LP: #1330504, #1451091, #1448870, #1470277)
+ Remaining changes:
+ * debian/control
+ - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
+ - Update Maintainer for Ubuntu
+ - Add build-deps
+ - clearsilver-dev
+ - dh-apparmor
+ - iptables-dev
+ - libfcgi-dev
+ - libjson0-dev
+ - libldns-dev
+ - libmysqlclient-dev
+ - libpcsclite-dev
+ - libsoup2.4-dev
+ - libtspi-dev
+ - libunbound-dev
+ - Create virtual packages for all strongswan-plugin-* for dist-upgrade
+ - Set XS-Testsuite: autopkgtest
+ * debian/rules:
+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
+ tests.
+ - Change init/systemd program name to strongswan
+ - Install AppArmor profiles
+ - Removed pieces on 'patching ipsec.conf' on build.
+ - Enablement of features per Ubuntu current config suggested from + upstream recommendation + - Unpack and sort enabled features to one-per-line + - Disable duplicheck as per + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10 + - Add configure options + --with-tss=trousers + - Remove configure options: + --enable-ha (requires special kernel) + --enable-unit-test (unit tests run by default) + - Drop logcheck install + * debian/tests/* + - Add DEP8 test for strongswan service and plugins + * debian/strongswan-starter.strongswan.service + - Add new systemd file instead of patching upstream + * debian/strongswan-starter.links + - removed, use Ubuntu systemd file instead of linking to upstream + * debian/usr.lib.ipsec.{charon, lookip, stroke} + - added AppArmor profiles for charon, lookip and stroke + * debian/libcharon-extra-plugins.install + - Add plugins + - kernel-libipsec.{so, lib, conf, apparmor} + - Remove plugins + - libstrongswan-ha.so + - Relocate plugins + - libstrongswan-tnc-tnccs.so (strongswan-tnc-base.install) + * debian/libstrongswan-extra-plugins.install + - Add plugins (so, lib, conf) + - acert + - attr-sql + - coupling + - dnscert + - fips-prf + - gmp + - ipseckey + - load-tester + - mysql + - ntru + - radattr + - soup + - sqlite + - sql + - systime-fix + - unbound + - whitelist + - Relocate plugins (so, lib, conf) + - ccm (libstrongswan.install) + - test-vectors (libstrongswan.install) + * debian/libstrongswan.install + - Sort sections + - Add plugins (so, lib, conf) + - libchecksum + - ccm + - eap-identity + - md4 + - test-vectors + * debian/strongswan-charon.install + - Add AppArmor profile for charon + * debian/strongswan-starter.install + - Add tools, manpages, conf + - openac + - pool + - _updown_espmark + - Add AppArmor profile for stroke + * debian/strongswan-tnc-base.install + - Add new subpackage for TNC + - remove non-existent (dropped in 5.2.1) libpts library files + * debian/strongswan-tnc-client.install + - Add new 
subpackage for TNC + * debian/strongswan-tnc-ifmap.install + - Add new subpackage for TNC + * debian/strongswan-tnc-pdp.install + - Add new subpackage for TNC + * debian/strongswan-tnc-server.install + - Add new subpackage for TNC + * debian/strongswan-starter.postinit: + - Removed section about runlevel changes, it's almost 2014. + - Adapted service restart section for Upstart. + - Remove old symlinks to init.d files is necessary. + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. + * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call. + * debian/strongswan-starter.prerm: Stop strongswan service on package + removal (as opposed to using the old init.d script). + * debian/libstrongswan.strongswan.logcheck combined into debian/strongswan.logcheck + - logcheck patterns updated to be helpful + * debian/strongswan-starter.postinst: Removed further out-dated code and + entire section on opportunistic encryption - this was never in strongSwan. + * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference. + Drop changes: + * debian/control + - Per-plugin package breakup: Reducing packaging delta from Debian + - Don't build dhcp, farp subpackages: Reduce packging delta from Debian + * debian/watch: Already exists in Debian merge + * debian/upstream/signing-key.asc: Upstream has newer version. + + -- Ryan Harper Fri, 12 Feb 2016 11:24:53 -0600 + strongswan (5.3.5-1) unstable; urgency=medium * New upstream bugfix release. 
@@ -270,6 +418,210 @@ -- Yves-Alexis Perez Wed, 12 Mar 2014 11:22:38 +0100 +strongswan (5.1.2-0ubuntu8) xenial; urgency=medium + + * Import FTBFS for s390x from Debian 5.1.2-3 upload. (LP: #1521240) + + -- Dimitri John Ledkov Mon, 30 Nov 2015 15:46:06 +0000 + +strongswan (5.1.2-0ubuntu7) xenial; urgency=medium + + * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin + - debian/patches/CVE-2015-8023.patch: only succeed authentication if + MSK was established in + src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c. + - CVE-2015-8023 + * debian/patches/disable_ntru_test.patch: disable test causing FTBFS + until regression is properly investigated. + + -- Marc Deslauriers Thu, 19 Nov 2015 14:00:17 -0500 + +strongswan (5.1.2-0ubuntu6) wily; urgency=medium + + * SECURITY UPDATE: user credential disclosure to rogue servers + - debian/patches/CVE-2015-4171.patch: enforce remote authentication + config before proceeding with own authentication in + src/libcharon/sa/ikev2/tasks/ike_auth.c. + - CVE-2015-4171 + * debian/rules: don't FTBFS from unused service file + + -- Marc Deslauriers Mon, 08 Jun 2015 12:50:38 -0400 + +strongswan (5.1.2-0ubuntu5) vivid; urgency=medium + + * Add a systemd unit corresponding to strongswan-starter.strongswan.upstart. + + -- Martin Pitt Fri, 16 Jan 2015 08:27:54 +0100 + +strongswan (5.1.2-0ubuntu4) vivid; urgency=medium + + * SECURITY UPDATE: denial of service via DH group 1025 + - debian/patches/CVE-2014-9221.patch: define MODP_CUSTOM outside of + IKE DH range in src/libstrongswan/crypto/diffie_hellman.c, + src/libstrongswan/crypto/diffie_hellman.h. + - CVE-2014-9221 + + -- Tyler Hicks Mon, 05 Jan 2015 08:25:29 -0500 + +strongswan (5.1.2-0ubuntu3) utopic; urgency=low + + * Added "libgcrypt20-dev | libgcrypt11-dev" to build dependencies to fix + build. 
+
+ -- Jonathan Davies Wed, 15 Oct 2014 16:49:18 +0000
+
+strongswan (5.1.2-0ubuntu2) trusty; urgency=medium
+
+ * SECURITY UPDATE: remote authentication bypass
+ - debian/patches/CVE-2014-2338.patch: reject CREATE_CHILD_SA exchange
+ on unestablished IKE_SAs in src/libcharon/sa/ikev2/task_manager_v2.c.
+ - CVE-2014-2338
+
+ -- Marc Deslauriers Mon, 14 Apr 2014 11:24:34 -0400
+
+strongswan (5.1.2-0ubuntu1) trusty; urgency=low
+
+ * New upstream release.
+
+ -- Jonathan Davies Sat, 01 Mar 2014 08:53:17 +0000
+
+strongswan (5.1.2~rc2-0ubuntu2) trusty; urgency=low
+
+ * debian/ipsec.secrets.proto: Removed ipsec.secrets.inc reference.
+ * debian/usr.lib.ipsec.charon: Allow read access to /run/charon.
+
+ -- Jonathan Davies Wed, 19 Feb 2014 13:07:16 +0000
+
+strongswan (5.1.2~rc2-0ubuntu1) trusty; urgency=low
+
+ * New upstream release candidate.
+
+ -- Jonathan Davies Wed, 19 Feb 2014 12:59:21 +0000
+
+strongswan (5.1.2~rc1-0ubuntu4) trusty; urgency=medium
+
+ * debian/strongswan-tnc-*.install: Fixed files so libraries go into correct
+ packages.
+ * debian/usr.lib.ipsec.stroke: Allow access to strongswan.d directories.
+
+ -- Jonathan Davies Mon, 17 Feb 2014 18:12:38 +0000
+
+strongswan (5.1.2~rc1-0ubuntu3) trusty; urgency=low
+
+ * debian/rules: Exclude rdrand.conf in dh_install's --fail-missing.
+
+ -- Jonathan Davies Sat, 15 Feb 2014 15:46:46 +0000
+
+strongswan (5.1.2~rc1-0ubuntu2) trusty; urgency=low
+
+ * debian/libstrongswan.install: Moved rdrand plugin configuration to rules
+ as it's only useful on amd64.
+ * debian/watch: Added opts=pgpsigurlmangle option.
+ * debian/upstream/signing-key.asc: Added key: 0xB34DBA77.
+
+ -- Jonathan Davies Sat, 15 Feb 2014 15:32:10 +0000
+
+strongswan (5.1.2~rc1-0ubuntu1) trusty; urgency=medium
+
+ * New upstream release candidate.
+ * debian/*.install - include new configuration files for plugins in
+ appropiate packages.
+
+ -- Jonathan Davies Sat, 15 Feb 2014 15:03:14 +0000
+
+strongswan (5.1.2~dr3+git20130120-0ubuntu3) trusty; urgency=low
+
+ * debian/control:
+ - Added Breaks/Replaces for all library files which have been moved
+ about (LP: #1278176).
+ - Removed build-dependency on check and added one on dh-apparmor.
+ * debian/strongswan-starter.postinst: Removed further out-dated code and
+ entire section on opportunistic encryption - this was never in strongSwan.
+ * debian/rules: Removed pieces on 'patching ipsec.conf' on build.
+
+ -- Jonathan Davies Sun, 09 Feb 2014 23:53:23 +0000
+
+strongswan (5.1.2~dr3+git20130120-0ubuntu2) trusty; urgency=low
+
+ * debian/control: Fixed references to plugin-fips-prf.
+
+ -- Jonathan Davies Wed, 22 Jan 2014 11:22:14 +0000
+
+strongswan (5.1.2~dr3+git20130120-0ubuntu1) trusty; urgency=low
+
+ * Upstream Git snapshot for build fixes with regards to entropy.
+ * debian/rules:
+ - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
+ - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
+ tests.
+
+ -- Jonathan Davies Mon, 20 Jan 2014 19:00:59 +0000
+
+strongswan (5.1.2~dr3-0ubuntu1) trusty; urgency=low
+
+ * New upstream developer release.
+ * Made changes to packaging per upstream suggestions.
+ - Dropped medcli and medsrv packages - not recommended by upstream at this
+ time.
+ - Dropped ha plugin - needs special kernel.
+ - Improved all package descriptions in general.
+ - Drop build-dep on clearsilver-dev and libfcgi-dev - no longer needed.
+ - Removed debian/*logcheck* files - not relevant to strongSwan.
+ - Split dhcp and farp packages into sub-packages.
+ - Build kernel-libipsec, ntru, systime-fix, and xauth-noauth plugins.
+ - Changes to TNC-related packages.
+ * Created AppArmor profiles for lookip and stroke.
+ + -- Jonathan Davies Wed, 15 Jan 2014 22:52:53 +0000 + +strongswan (5.1.2~dr2+git20130106-0ubuntu2) trusty; urgency=low + + * libstrongswan.install: Removed lingering unit-tester.so reference. + + -- Jonathan Davies Mon, 06 Jan 2014 20:29:59 +0000 + +strongswan (5.1.2~dr2+git20130106-0ubuntu1) trusty; urgency=low + + * Git snapshot of commit 94e10f15e51ead788d9947e966878ebfdc95b7ce. + Incorporates upstream fixes for: + - Integrity testing. + - Unit test failures on little endian systems. + * Dropped debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixed + upstream. + * debian/rules: + - Stop using CK_TIMEOUT_MULTIPLIER. + - Stop enabling the test suite only on non-powerpc arches (it runs + anyway). + + -- Jonathan Davies Mon, 06 Jan 2014 20:17:20 +0000 + +strongswan (5.1.2~dr2-0ubuntu3) trusty; urgency=low + + * debian/control: Reinstate missing comma in dependencies. + + -- Jonathan Davies Fri, 03 Jan 2014 05:39:13 +0000 + +strongswan (5.1.2~dr2-0ubuntu2) trusty; urgency=low + + * Added debian/patches/02_test_asn1_fix_32bit_time_test.patch - fixes issue + where test for >2038 tests on 32-bit platforms is broken. + - Reported upstream: https://wiki.strongswan.org/issues/477 + * debian/control: Added strongswan-plugin-ntru to strongswan-ike Suggests. + + -- Jonathan Davies Fri, 03 Jan 2014 05:02:32 +0000 + +strongswan (5.1.2~dr2-0ubuntu1) trusty; urgency=low + + * New upstream developer release. + * debian/rules: Configure with: --enable-af-alg, --enable-ntru, --enable-soup, + and --enable-unity. + * debian/control: + - New plugin packages created for the above + - Split fips-prf into its own package. + - Added build-dependency on libsoup2.4-dev. + + -- Jonathan Davies Thu, 02 Jan 2014 17:37:33 +0000 + strongswan (5.1.1-3) unstable; urgency=low * Upload to unstable. 
@@ -361,6 +713,192 @@ -- Yves-Alexis Perez Fri, 24 Jan 2014 21:22:32 +0100 +strongswan (5.1.1-0ubuntu17) trusty; urgency=low + + * debian/control: + - Make strongswan-ike depend on iproute2. + - Added xauth plugin dependency on strongswan-plugin-eap-gtc. + - Created strongswan-libfast package. + + -- Jonathan Davies Wed, 01 Jan 2014 17:04:45 +0000 + +strongswan (5.1.1-0ubuntu16) trusty; urgency=low + + * debian/control: + - Further splitting of plugins into subpackages (such as all EAP plugins + to their own packages). + - Added libpcsclite-dev to build-dependencies. + * debian/rules: + - Sort configure options in alphabetical order. + - Added configure option of --enable-eap-aka-3gpp2, --enable-eap-dynamic, + --enable-eap-sim-file, --enable-eap-sim-pcsc, + --enable-eap-simaka-pseudonym, --enable-eap-simaka-reauth and + --enable-eap-simaka-sql. + - Don't exclude medsrv from install. + * Moved eap-identity.so to libstrongswan package as it's used by all the + other EAP plugins. + + -- Jonathan Davies Tue, 31 Dec 2013 21:25:50 +0000 + +strongswan (5.1.1-0ubuntu15) trusty; urgency=low + + * debian/control: + - Split plugins from libstrongswan package into modular subpackages. + - Added libmysqlclient-dev to build-dependencies. + - strongswan-ike: Set to depend on either strongswan-plugins-openssl or + strongswan-plugins-gcrypt. + - strongswan-ike: All other plugins added to Suggests. + - Created two new TNC packages: strongswan-tnc-ifmap and + strongswan-tnc-pdp and added to tnc-imcvs Suggests. + * debian/rules: Added to CONFIGUREARGS: --enable-certexpire, + --enable-error-notify, --enable-mysql, --enable-load-tester, + --enable-radattr, --enable-tnc-pdp, and --enable-whitelist. + * debian/strongswan-ike.install: Moved eap-identity.so to -tnc-imcvs package. + + -- Jonathan Davies Tue, 31 Dec 2013 16:15:32 +0000 + +strongswan (5.1.1-0ubuntu14) trusty; urgency=low + + * debian/rules: + - CK_TIMEOUT_MULTIPLIER back down to 6. + - Disable unit tests on powerpc. 
+
+ -- Jonathan Davies Tue, 31 Dec 2013 07:39:48 +0000
+
+strongswan (5.1.1-0ubuntu13) trusty; urgency=low
+
+ * debian/rules: CK_TIMEOUT_MULTIPLIER to 10 as just powerppc is being stubborn.
+
+ -- Jonathan Davies Tue, 31 Dec 2013 07:23:42 +0000
+
+strongswan (5.1.1-0ubuntu12) trusty; urgency=low
+
+ * debian/rules: Bring CK_TIMEOUT_MULTIPLIER up to 6 to fix powerppc and
+ armhf.
+
+ -- Jonathan Davies Tue, 31 Dec 2013 07:03:40 +0000
+
+strongswan (5.1.1-0ubuntu11) trusty; urgency=low
+
+ * 02_increase-test_rsa_generate-timeout.patch: Removed - only fixed build on
+ one extra arch.
+ * debian/rules: Set CK_TIMEOUT_MULTIPLIER to 4.
+
+ -- Jonathan Davies Tue, 31 Dec 2013 06:51:47 +0000
+
+strongswan (5.1.1-0ubuntu10) trusty; urgency=low
+
+ * debian/patches: Added patch 02_increase-test_rsa_generate-timeout.patch -
+ - Increases RSA key generate test timeout to 30 seconds so that it doesn't
+ fail on armhf, arm64, and powerppc.
+ * Contrary to what the last changelog entry says, we are still running
+ strongswan as root (with AppArmor protection).
+
+ -- Jonathan Davies Tue, 31 Dec 2013 06:06:47 +0000
+
+strongswan (5.1.1-0ubuntu9) trusty; urgency=low
+
+ * debian/rules: Added to configure options:
+ - --enable-tnc-ifmap: enable TNC IF-MAP module.
+ - --enable-duplicheck: enable duplicheck plugin.
+ - --enable-imv-swid, --enable-imc-swid: Added.
+ - Run strongswan as it's own user.
+ * debian/strongswan-starter.install: Install duplicheck.
+ * debian/strongswan-tnc-imcvs.install: Install swidtags.
+
+ -- Jonathan Davies Mon, 30 Dec 2013 19:33:27 +0000
+
+strongswan (5.1.1-0ubuntu8) trusty; urgency=low
+
+ * debian/rules: Added to configure options:
+ - --enable-unit-tests: check unit testing on build.
+ - --enable-unbound: for validating DNS lookups.
+ - --enable-dnscert: for DNSCERT peer authentication.
+ - --enable-ipseckey: for IPSEC key authentication.
+ - --enable-lookip: for LookIP functionality.
+ - --enable-coupling: certificate coupling functionality.
+ * debian/control: Added check, libldns-dev, libunbound-dev to
+ build-dependencies.
+ * debian/libstrongswan.install: Install new plugin .so's.
+ * debian/strongswan-starter.install: Added lookip.
+
+ -- Jonathan Davies Mon, 30 Dec 2013 17:52:07 +0000
+
+strongswan (5.1.1-0ubuntu7) trusty; urgency=low
+
+ * strongswan-starter.install: Moved pt-tls-client to tnc-imcvs (to prevent
+ the former from depending on the latter).
+
+ -- Jonathan Davies Mon, 30 Dec 2013 17:30:19 +0000
+
+strongswan (5.1.1-0ubuntu6) trusty; urgency=low
+
+ * debian/strongswan-starter.prerm: Stop strongswan service on package
+ removal (as opposed to using the old init.d script).
+
+ -- Jonathan Davies Mon, 30 Dec 2013 17:22:10 +0000
+
+strongswan (5.1.1-0ubuntu5) trusty; urgency=low
+
+ * debian/rules:
+ - CONFIGUREARGS: Merged Debian and RPM options.
+ - Brings in TNC functionality.
+ * debian/control:
+ - Added build-dependency on libtspi-dev.
+ - Created strongswan-tnc-imcvs binary package for TNC components.
+ - Added strongswan-tnc-imcvs to libstrongswan's Suggests.
+ * debian/libstrongswan.install:
+ - Included newly built MD4 and SQLite libraries.
+ - Removed 'tnc' references (moved to TNC package).
+ * debian/strongswan-tnc-imcvs.install: Created - handle new TNC libraries and
+ binaries.
+ * debian/usr.lib.ipsec.charon: Allow access to TNC modules.
+
+ -- Jonathan Davies Mon, 30 Dec 2013 14:05:43 +0000
+
+strongswan (5.1.1-0ubuntu4) trusty; urgency=low
+
+ * debian/usr.lib.ipsec.charon: Added - AppArmor profile for charon.
+ * debian/strongswan-starter.postrm: Removed 'update-rc.d ipsec remove' call.
+ * debian/control: strongswan-ike - Stop depending on ipsec-tools.
+
+ -- Jonathan Davies Mon, 30 Dec 2013 05:35:17 +0000
+
+strongswan (5.1.1-0ubuntu3) trusty; urgency=low
+
+ * strongswan-starter.strongswan.upstart - Only start strongSwan when a
+ network connection is available.
+ * debian/control: Downgrade build-dep version of dpkg-dev from 1.16.2 to + 1.16.1 - to make precise backporting easier. + + -- Jonathan Davies Thu, 12 Dec 2013 10:43:15 +0000 + +strongswan (5.1.1-0ubuntu2) trusty; urgency=low + + * strongswan-starter.strongswan.upstart - Created Upstart job for + strongSwan. + * debian/rules: Set dh_installinit to install above file. + * debian/strongswan-starter.postinit: + - Removed section about runlevel changes, it's almost 2014. + - Adapted service restart section for Upstart. + - Remove old symlinks to init.d files is necessary. + * debian/strongswan-starter.dirs: Don't touch /etc/init.d. + + -- Jonathan Davies Wed, 11 Dec 2013 23:10:28 +0000 + +strongswan (5.1.1-0ubuntu1) trusty; urgency=low + + * New upstream release. + * Removed: debian/patches/CVE-2013-6075, CVE-2013-6076.patch - upsteamed. + * debian/control: Updated Standards-Version to 3.9.5 and applied + XSBC-Original-Maintainer policy. + * strongswan-starter.install: + - pki tool is now in /usr/bin. + - Install pt-tls-client. + - Install manpages (LP: #1206263). + + -- Jonathan Davies Sun, 01 Dec 2013 17:43:59 +0000 + strongswan (5.1.0-3) unstable; urgency=high * urgency=high for the security fixes. diff -Nru strongswan-5.3.5/debian/control strongswan-5.3.5/debian/control --- strongswan-5.3.5/debian/control 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/control 2016-02-17 16:11:54.000000000 -0600 
@@ -1,22 +1,26 @@ Source: strongswan Section: net Priority: optional -Maintainer: strongSwan Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: strongSwan Maintainers Uploaders: Rene Mayrhofer , Yves-Alexis Perez , Romain Francoise Standards-Version: 3.9.6 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-swan/strongswan.git;a=summary Vcs-Git: git://anonscm.debian.org/pkg-swan/strongswan.git -Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.2), libtool, libgmp3-dev, - libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, - libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, bzip2, po-debconf, - libfcgi-dev, clearsilver-dev, libgcrypt20-dev | libgcrypt11-dev, - libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7) [linux-any], - libnm-glib-vpn-dev (>= 0.7) [linux-any], libnm-util-dev (>= 0.7) [linux-any], - gperf, libcap-dev [linux-any], dh-autoreconf, pkg-config, - systemd [linux-any], dh-systemd (>= 1.5), iptables-dev +Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1), dh-apparmor, + libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libldns-dev, libunbound-dev, + libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libsoup2.4-dev, + libpcsclite-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, bzip2, + po-debconf, libtspi-dev, libmysqlclient-dev, libgcrypt20-dev | libgcrypt11-dev, + libxml2-dev, libsqlite3-dev, network-manager-dev (>= 0.7) [linux-any], + libnm-glib-vpn-dev (>= 0.7) [linux-any], libnm-util-dev (>= 0.7) [linux-any], + gperf, libcap-dev [linux-any], dh-autoreconf, pkg-config, libjson0-dev, + iptables-dev, libfcgi-dev, clearsilver-dev, systemd [linux-any], + dh-systemd (>= 1.5) Homepage: http://www.strongswan.org +XS-Testsuite: autopkgtest Package: strongswan Architecture: all 
@@ -32,8 +36,20 @@ Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Conflicts: strongswan (<< 4.2.12-1) -Breaks: strongswan-ikev2 (<< 4.6.4) -Replaces: strongswan-ikev2 (<< 4.6.4) +Breaks: strongswan-ikev2 (<< 4.6.4), + strongswan-plugin-dnskey (<< 5.3.5-1ubuntu1~), + strongswan-plugin-fips-prf (<< 5.3.5-1ubuntu1~), + strongswan-plugin-gmp (<< 5.3.5-1ubuntu1~), + strongswan-plugin-pgp (<< 5.3.5-1ubuntu1~), + strongswan-plugin-pubkey (<< 5.3.5-1ubuntu1~), + strongswan-plugin-sshkey (<< 5.3.5-1ubuntu1~), +Replaces: strongswan-ikev2 (<< 4.6.4), + strongswan-plugin-dnskey (<< 5.3.5-1ubuntu1~), + strongswan-plugin-fips-prf (<< 5.3.5-1ubuntu1~), + strongswan-plugin-gmp (<< 5.3.5-1ubuntu1~), + strongswan-plugin-pgp (<< 5.3.5-1ubuntu1~), + strongswan-plugin-pubkey (<< 5.3.5-1ubuntu1~), + strongswan-plugin-sshkey (<< 5.3.5-1ubuntu1~), Recommends: libstrongswan-standard-plugins Suggests: libstrongswan-extra-plugins Description: strongSwan utility and crypto library @@ -81,8 +97,14 @@ Package: libstrongswan-standard-plugins Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) -Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1) -Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1) +Breaks: libstrongswan (<< 5.3.5-1ubuntu1~), + strongswan-ike (<< 5.3.5-1ubuntu1~), + strongswan-plugin-agent (<< 5.3.5-1ubuntu1~), + strongswan-plugin-openssl (<< 5.3.5-1ubuntu1~), +Replaces: libstrongswan (<< 5.3.5-1ubuntu1~), + strongswan-ike (<< 5.3.5-1ubuntu1~), + strongswan-plugin-agent (<< 5.3.5-1ubuntu1~), + strongswan-plugin-openssl (<< 5.3.5-1ubuntu1~), Description: strongSwan utility and crypto library (standard plugins) The strongSwan VPN suite uses the native IPsec stack in the standard Linux kernel. It supports both the IKEv1 and IKEv2 protocols. 
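Review bot: The Breaks/Replaces entries for strongswan-plugin-fips-prf and strongswan-plugin-gmp are added to the libstrongswan stanza, but the changelog entry of this same upload lists fips-prf and gmp under "debian/libstrongswan-extra-plugins.install - Add plugins". If the .install files match the changelog, the files move into libstrongswan-extra-plugins, whose Breaks/Replaces list in a later hunk names neither package, so the declared relationships would not cover the files that actually change owner on upgrade. The transitional stanzas added further down also say "This plugin is now included in libstrongswan" and depend only on libstrongswan, so a host upgrading from strongswan-plugin-gmp could end up without that crypto backend installed. The .install files are not shown here; worth checking the three places against them and moving the two entries so they agree.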
@@ -96,11 +118,137 @@ - openssl (Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG) +Package: strongswan-plugin-dnskey +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}) +Description: strongSwan plugin for parsing RFC 4034 public keys + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the plugin for parsing RFC 4034 public keys for + strongSwan. + . + This plugin is now included in libstrongswan. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-fips-prf +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}) +Description: strongSwan plugin for PRF specified by FIPS + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for the special + pseudo-random-function (PRF) specified by FIPS, used by EAP-SIM/AKA algorithms. + . + This plugin is now included in libstrongswan. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-gmp +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}) +Description: strongSwan plugin for libgmp based crypto + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the crypto backend based on libgmp, which provides a + RSA/DH plugin for strongSwan. + . + This plugin is now included in libstrongswan. This package can + be safely removed once it's installed. 
+ +Package: strongswan-plugin-pgp +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}) +Description: strongSwan plugin for PGP encoding/decoding routines + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for PGP encoding/decoding routines. + . + This plugin is now included in libstrongswan. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-pubkey +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}) +Description: strongSwan plugin for raw public keys + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for handling raw public keys as + trusted certificates. + . + This plugin is now included in libstrongswan. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-sshkey +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}) +Description: strongSwan plugin for SSH key decoding routines + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for SSH key decoding routines. + . + This plugin is now included in libstrongswan. This package can + be safely removed once it's installed. 
+ Package: libstrongswan-extra-plugins Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) -Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1) -Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1) +Breaks: libstrongswan (<< 5.3.5-1ubuntu1~), strongswan-ike (<= 5.1.1-1), + strongswan-plugin-af-alg (<< 5.3.5-1ubuntu1~), + strongswan-plugin-attr-sql (<< 5.3.5-1ubuntu1~), + strongswan-plugin-coupling (<< 5.3.5-1ubuntu1~), + strongswan-plugin-curl (<< 5.3.5-1ubuntu1~), + strongswan-plugin-dnscert (<< 5.3.5-1ubuntu1~), + strongswan-plugin-gcrypt (<< 5.3.5-1ubuntu1~), + strongswan-plugin-ipseckey (<< 5.3.5-1ubuntu1~), + strongswan-plugin-ldap (<< 5.3.5-1ubuntu1~), + strongswan-plugin-load-tester (<< 5.3.5-1ubuntu1~), + strongswan-plugin-mysql (<< 5.3.5-1ubuntu1~), + strongswan-plugin-ntru (<< 5.3.5-1ubuntu1~), + strongswan-plugin-pkcs11 (<< 5.3.5-1ubuntu1~), + strongswan-plugin-radattr (<< 5.3.5-1ubuntu1~), + strongswan-plugin-sql (<< 5.3.5-1ubuntu1~), + strongswan-plugin-sqlite (<< 5.3.5-1ubuntu1~), + strongswan-plugin-soup (<< 5.3.5-1ubuntu1~), + strongswan-plugin-systime-fix (<< 5.3.5-1ubuntu1~), + strongswan-plugin-unbound (<< 5.3.5-1ubuntu1~), + strongswan-plugin-whitelist (<< 5.3.5-1ubuntu1~), +Replaces: libstrongswan (<< 5.3.5-1ubuntu1~), strongswan-ike (<= 5.1.1-1), + strongswan-plugin-af-alg (<< 5.3.5-1ubuntu1~), + strongswan-plugin-attr-sql (<< 5.3.5-1ubuntu1~), + strongswan-plugin-coupling (<< 5.3.5-1ubuntu1~), + strongswan-plugin-curl (<< 5.3.5-1ubuntu1~), + strongswan-plugin-dnscert (<< 5.3.5-1ubuntu1~), + strongswan-plugin-gcrypt (<< 5.3.5-1ubuntu1~), + strongswan-plugin-ipseckey (<< 5.3.5-1ubuntu1~), + strongswan-plugin-ldap (<< 5.3.5-1ubuntu1~), + strongswan-plugin-load-tester (<< 5.3.5-1ubuntu1~), + strongswan-plugin-mysql (<< 5.3.5-1ubuntu1~), + strongswan-plugin-ntru (<< 5.3.5-1ubuntu1~), + strongswan-plugin-pkcs11 (<< 5.3.5-1ubuntu1~), + strongswan-plugin-radattr (<< 
5.3.5-1ubuntu1~), + strongswan-plugin-sql (<< 5.3.5-1ubuntu1~), + strongswan-plugin-sqlite (<< 5.3.5-1ubuntu1~), + strongswan-plugin-soup (<< 5.3.5-1ubuntu1~), + strongswan-plugin-systime-fix (<< 5.3.5-1ubuntu1~), + strongswan-plugin-unbound (<< 5.3.5-1ubuntu1~), + strongswan-plugin-whitelist (<< 5.3.5-1ubuntu1~) Description: strongSwan utility and crypto library (extra plugins) The strongSwan VPN suite uses the native IPsec stack in the standard Linux kernel. It supports both the IKEv1 and IKEv2 protocols. 
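Review bot: The six transitional stanzas added in this hunk are `Architecture: all` yet pin the `Architecture: any` library with `libstrongswan (= ${binary:Version})`. A strict binary-version pin from an arch-all package becomes unsatisfiable whenever libstrongswan is rebuilt alone with a binary-only version suffix, which can block the upgrade path these packages exist to smooth; the usual form is `libstrongswan (>= ${source:Version})`. `${shlibs:Depends}` expands to nothing for a package that ships no binaries and can be dropped from these stanzas. In the same hunk the libstrongswan-extra-plugins stanza keeps `strongswan-ike (<= 5.1.1-1)` while libstrongswan-standard-plugins was moved to `(<< 5.3.5-1ubuntu1~)`; if the difference is intentional, a `#` comment saying why would help the next merge.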
@@ -109,26 +257,101 @@ cryptograhic library. . Included plugins are: + - acert (Support of X.509 attribute certificates (since 5.1.3)) - af-alg [linux] (AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc) + - attr-sql (provide IKE attributes read from a database to peers) + - bliss (Bimodal Lattice Signature Scheme (BLISS) post-quantum computer + signature scheme) - ccm (CCM cipher mode wrapper) + - chapoly (ChaCha20/Poly1305 AEAD implementation) - cmac (CMAC cipher mode wrapper) - ctr (CTR cipher mode wrapper) + - coupling (Permanent peer certificate coupling) - curl (libcurl based HTTP/FTP fetcher) + - dnscert (authentication via CERT RRs protected by DNSSEC) - gcrypt (Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng) + - ipseckey (authentication via IPSECKEY RRs protected by DNSSEC) - ldap (LDAP fetching plugin based on libldap) + - load-tester (perform IKE load tests against self or gateway) + - mysql (database backend) + - ntru (key exchanged based on post-quantum computer NTRU) - padlock (VIA padlock crypto backend, provides AES128/SHA1) - pkcs11 (PKCS#11 smartcard backend) + - radattr (inject and process custom RADIUS attributes as IKEv2 client) + - sql (SQL configuration and creds engine) + - sqlite (SQLite database backend) + - soup (libsoup based HTTP fetcher) - rdrand (High quality / high performance random source using the Intel rdrand instruction found on Ivy Bridge processors) - test-vectors (Set of test vectors for various algorithms) + - unbound (DNSSEC enabled resolver using libunbound) + - whitelist (peer verification against a whitelist) Package: libcharon-extra-plugins Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) -Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1) -Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1) +Breaks: libstrongswan (<< 5.3.5-1ubuntu1~), strongswan-ike (<= 5.1.1-1), + strongswan-plugin-certexpire (<< 
5.3.5-1ubuntu1~), + strongswan-plugin-dhcp (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-aka-3gpp2 (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-aka (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-dynamic (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-gtc (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-md5 (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-mschapv2 (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-peap (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-radius (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-sim (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-simaka-pseudonym (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-simaka-reauth (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-simaka-sql (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-sim-file (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-sim-pcsc (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-tls (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-tnc (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-ttls (<< 5.3.5-1ubuntu1~), + strongswan-plugin-error-notify (<< 5.3.5-1ubuntu1~), + strongswan-plugin-farp (<< 5.3.5-1ubuntu1~), + strongswan-plugin-kernel-libipsec (<< 5.3.5-1ubuntu1~), + strongswan-plugin-led (<< 5.3.5-1ubuntu1~), + strongswan-plugin-lookip (<< 5.3.5-1ubuntu1~), + strongswan-plugin-unity (<< 5.3.5-1ubuntu1~), + strongswan-plugin-xauth-eap (<< 5.3.5-1ubuntu1~), + strongswan-plugin-xauth-generic (<< 5.3.5-1ubuntu1~), + strongswan-plugin-xauth-noauth (<< 5.3.5-1ubuntu1~), + strongswan-plugin-xauth-pam (<< 5.3.5-1ubuntu1~), +Replaces: libstrongswan (<< 5.3.5-1ubuntu1~), strongswan-ike (<= 5.1.1-1), + strongswan-plugin-certexpire (<< 5.3.5-1ubuntu1~), + strongswan-plugin-dhcp (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-aka-3gpp2 (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-aka (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-dynamic (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-gtc (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-md5 (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-mschapv2 (<< 5.3.5-1ubuntu1~), + 
strongswan-plugin-eap-peap (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-radius (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-sim (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-simaka-pseudonym (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-simaka-reauth (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-simaka-sql (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-sim-file (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-sim-pcsc (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-tls (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-tnc (<< 5.3.5-1ubuntu1~), + strongswan-plugin-eap-ttls (<< 5.3.5-1ubuntu1~), + strongswan-plugin-error-notify (<< 5.3.5-1ubuntu1~), + strongswan-plugin-farp (<< 5.3.5-1ubuntu1~), + strongswan-plugin-kernel-libipsec (<< 5.3.5-1ubuntu1~), + strongswan-plugin-led (<< 5.3.5-1ubuntu1~), + strongswan-plugin-lookip (<< 5.3.5-1ubuntu1~), + strongswan-plugin-unity (<< 5.3.5-1ubuntu1~), + strongswan-plugin-xauth-eap (<< 5.3.5-1ubuntu1~), + strongswan-plugin-xauth-generic (<< 5.3.5-1ubuntu1~), + strongswan-plugin-xauth-noauth (<< 5.3.5-1ubuntu1~), + strongswan-plugin-xauth-pam (<< 5.3.5-1ubuntu1~), Description: strongSwan charon library (extra plugins) The strongSwan VPN suite uses the native IPsec stack in the standard Linux kernel. It supports both the IKEv1 and IKEv2 protocols. @@ -136,6 +359,7 @@ This package provides extra plugins for the charon library: - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509 certificates) + - dhcp (Forwarding of DHCP requests for virtual IPs to DHCP server) - certexpire (Export expiration dates of used certificates) - eap-aka (Generic EAP-AKA protocol handler using different backends) - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends) 
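Review bot: The description now lists `load-tester (perform IKE load tests against self or gateway)` alongside the production crypto and fetcher plugins, with nothing marking it as test-only. Upstream documents load-tester as a plugin that must not be enabled on production systems, so the entry should say so, e.g. `- load-tester (perform IKE load tests against self or gateway; test use only, not for production gateways)`. It is also worth confirming that the shipped load-tester configuration leaves the plugin unloaded by default; that file is not part of this hunk. Minor: the added ntru line reads "key exchanged based on", presumably meant as "key exchange based on".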
@@ -150,7 +374,8 @@ - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel) - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely) - error-notify (Notification about errors via UNIX socket) - - ha (High-Availability clustering) + - farp (fake ARP responses for requests to virtual IP address) + - kernel-libipsec (Userspace IPsec Backend with TUN devices) - led (Let Linux LED subsystem LEDs blink on IKE activity) - lookip (Virtual IP lookup facility using a UNIX socket) - medcli (Web interface based mediation client interface) @@ -161,6 +386,16 @@ - xauth-generic (Generic XAuth backend that provides passwords from ipsec.secrets and other credential sets) - xauth-pam (XAuth backend that uses PAM modules to verify passwords) + - strongswan-plugin-eap-aka-3gpp2 (EAP-AKA backend implementing standard 3GPP2 algorithm in software) + - strongswan-plugin-eap-dynamic (EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since 5.0.1)) + - strongswan-plugin-eap-peap (EAP-PEAP protocol handler, wraps other EAP methods securely) + - strongswan-plugin-eap-sim (Generic EAP-SIM protocol handler using different backends) + - strongswan-plugin-eap-sim-file (EAP-SIM backend reading triplets from a file) + - strongswan-plugin-eap-sim-pcsc (EAP-SIM backend based on a PC/SC smartcard reader) + - strongswan-plugin-eap-simaka-pseudonym (EAP-SIM/AKA in-memory pseudonym identity database) + - strongswan-plugin-eap-simaka-reauth (EAP-SIM/AKA in-memory reauthentication identity database) + - strongswan-plugin-eap-simaka-sql (EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database) + - strongswan-plugin-xauth-noauth (XAuth backend that does not do any authentication (since 5.0.3)) Package: strongswan-dbg Architecture: any 
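Review bot: The added `xauth-noauth` entry in the `@@ -161,6 +386,16 @@` hunk describes a backend that performs no authentication, yet the list gives it no caveat, while the `strongswan-plugin-load-tester` stanza elsewhere in this diff carries an explicit WARNING against production use. I would add a matching sentence to this package description, for example ` WARNING: xauth-noauth performs no XAuth authentication; never enable it on production gateways.` Whether the plugin is loaded by default is not visible in this diff, so that should be confirmed against the packaged configuration. As a style point, the ten new entries carry the full `strongswan-plugin-` prefix where the existing list uses the bare plugin name (`xauth-pam`, `eap-aka`); writing them as `- xauth-noauth (...)` keeps the list consistent.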
@@ -243,6 +478,68 @@ in conjunction with the network-manager-strongswan package, providing a simple graphical frontend to configure IPsec based VPNs. +Package: strongswan-tnc-ifmap +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) +Description: strongSwan plugin for Trusted Network Connect's (TNC) IF-MAP client + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides Trusted Network Connect's (TNC) IF-MAP 2.0 client. + +Package: strongswan-tnc-base +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version}) +Suggests: strongswan-tnc-ifmap, strongswan-tnc-pdp +Description: strongSwan Trusted Network Connect's (TNC) - base files + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the base files for strongSwan's Trusted Network + Connect's (TNC) functionality. + . + strongSwan's IMC/IMV dynamic libraries can be used by any third party TNC + client/server implementation possessing a standard IF-IMC/IMV interface. + +Package: strongswan-tnc-client +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}), strongswan-tnc-base (= ${binary:Version}) +Suggests: libcharon-extra-plugins +Description: strongSwan Trusted Network Connect's (TNC) - client files + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the client functionality for strongSwan's Trusted Network + Connect's (TNC) features. + . + It includes the OS, scanner, test, SWID, and attestation IMCs. 
+ +Package: strongswan-tnc-server +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}), + strongswan-tnc-base (= ${binary:Version}), + libstrongswan-extra-plugins (= ${binary:Version}) +Description: strongSwan Trusted Network Connect's (TNC) - server files + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the server functionality for strongSwan's Trusted Network + Connect's (TNC) features. + +Package: strongswan-tnc-pdp +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan (= ${binary:Version}), + strongswan-tnc-server (= ${binary:Version}) +Description: strongSwan plugin for Trusted Network Connect's (TNC) PDP + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides Trusted Network Connect's (TNC) Policy Decision Point + (PDP) with RADIUS server interface. + Package: strongswan-ikev1 Architecture: all Depends: ${misc:Depends}, strongswan-ike 
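Review bot: `strongswan-tnc-client` only has `Suggests: libcharon-extra-plugins`, although that package's description in this same diff lists the `eap-tnc` and `eap-ttls` handlers, so a default install of the client presumably lacks the EAP transport for TNC. If the IMCs are meant to be used over IKEv2 EAP, consider `Recommends: libcharon-extra-plugins`, or state in the description that the extra plugins are required. Separately, `strongswan-tnc-ifmap` depends only on `libstrongswan` and not on `strongswan-tnc-base`, unlike the client and server packages; please confirm that is intended.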
@@ -280,3 +577,798 @@ . This package contains the charon-cmd command, which can be used as a client to connect to a remote IKE daemon. + +############################################################################### +# libstrongswan standard plugins # +############################################################################### + +Package: strongswan-plugin-agent +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan-standard-plugins (= ${binary:Version}) +Description: strongSwan plugin for accessing private keys via ssh-agent + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for accessing to private keys via + ssh-agent. + . + This plugin is now included in libstrongswan-standard-plugins. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-openssl +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libstrongswan-standard-plugins (= ${binary:Version}) +Description: strongSwan plugin for OpenSSL + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the crypto backend based on OpenSSL for strongSwan, + providing RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RN + . + This plugin is now included in libstrongswan-standard-plugins. This package can + be safely removed once it's installed. 
+
+###############################################################################
+# libstrongswan extra plugins #
+###############################################################################
+
+Package: strongswan-plugin-af-alg
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for AF_ALG Linux crypto API interface
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the AF_ALG Linux crypto API interface plugin for
+ strongSwan. It provides ciphers/hashers/hmac/xcbc.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-attr-sql
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for providing IKE attributes from databases
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for providing IKE attributes read
+ from a database to peers.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-coupling
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for permanent peer certificate coupling
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the permanent peer certificate coupling plugin for
+ strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-curl
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for the libcurl based HTTP/FTP fetcher
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the libcurl based HTTP/FTP fetcher plugin for strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-dnscert
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for authentication via CERT RRs
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for authentication via CERT RRs
+ protected by DNSSEC.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-gcrypt
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for gcrypt
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the crypto backend based on libgcrypt, which provides a
+ RSA/DH/ciphers/hashers/rng plugin for strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-ipseckey
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for authentication via IPSECKEY RRs
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for authentication via IPSECKEY RRs
+ protected by DNSSEC.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-ldap
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for LDAP CRL fetching
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for fetching CRL from ldap:// URLs.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-load-tester
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for load testing
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the load testing plugin for strongSwan.
+ .
+ WARNING: Never enable the load-testing plugin on production systems. It
+ provides preconfigured credentials and allows an attacker to authenticate as
+ any user.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-mysql
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for MySQL
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the MySQL database backend plugin for strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-ntru
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for NTRU crypto
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the key exchange based on post-quantum computer NTRU
+ encryption plugin for strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-pkcs11
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for PKCS#11 smartcard backend
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the PKCS#11 smartcard backend for strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-radattr
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for custom RADIUS attribute processing
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin to inject and process custom RADIUS
+ attributes as IKEv2 client.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-sql
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for SQL configuration and credentials
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the SQL configuration and credentials engine plugin for
+ strongSwan. Using either SQLite or MySQL.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-sqlite
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for SQLite
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the SQLite database backend plugin for strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-soup
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for the libsoup based HTTP fetcher
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the libsoup based HTTP fetcher plugin for strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-systime-fix
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for system time fixing
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ The systime-fix plugin for strongSwan is designed for embedded systems that
+ don't have a valid system time just after boot. It detects if the system time
+ is incorrect and disables certificate lifetime validation during this period.
+ This allows the device to establish tunnels, even if the system time is out of
+ sync, and for example connect to an NTP server.
+ .
+ Once the system time gets corrected, the plugin can detect it and verify the
+ lifetimes of all certificates used for active tunnels. If any certificate in
+ the trust-chain is not valid for the given system time, the tunnel gets either
+ closed or reestablished.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-unbound
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libstrongswan-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for DNSSEC-enabled resolver using libunbound
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the DNSSEC enabled resolver, using libunbound for
+ strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-whitelist
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Description: strongSwan plugin for peer-verification against a whitelist
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the plugin for checking authenticated identities against
+ a whitelist for strongSwan.
+ .
+ This plugin is now included in libstrongswan-extra-plugins. This package can
+ be safely removed once it's installed.
+
+###############################################################################
+# libcharon extra plugins #
+###############################################################################
+
+Package: strongswan-plugin-dhcp
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for forwarding DHCP request to a server
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for allowing the forwarding of DHCP
+ requests for virtual IP addresses to a DHCP server.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-certexpire
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for exporting expiration dates of certificates
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the plugin for exporting expiration dates of used
+ certificates for strongSwan.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-aka
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for generic EAP-AKA protocol handling
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for generic EAP-AKA protocol
+ handling using different backends.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-gtc
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for EAP-GTC protocol handler
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for EAP-GTC protocol handling while
+ authenticating with XAuth backends.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-md5
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for EAP-MD5 protocol handler
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for EAP-MD5 protocol handling using
+ passwords.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-mschapv2
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for EAP-MSCHAPv2 protocol handler
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for EAP-MSCHAPv2 protocol handling
+ using passwords/NT hashes.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-radius
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for EAP interface to a RADIUS server
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for forwarding EAP conversations
+ from an EAP server to a RADIUS server.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-tls
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for the EAP-TLS protocol handler
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for EAP-TLS protocol handling, to
+ authenticate with certificates in EAP.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-tnc
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for the EAP-TNC protocol handler
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for EAP-TNC protocol handling,
+ Trusted Network Connect in a TLS tunnel.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-ttls
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for the EAP-TTLS protocol handler
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for EAP-TTLS protocol handling,
+ which wraps other EAP methods securely.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-error-notify
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for error notifications
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the plugin for error notifications, via UNIX socket, for
+ strongSwan.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-kernel-libipsec
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for a IPsec backend that entirely in userland
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin which provides an IPsec backend
+ that works entirely in userland, using TUN devices and strongSwan's own IPsec
+ implementation libipsec. This is useful for when there is no kernel support for
+ IPsec.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-led
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for LEDs blinking on IKE activity
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for letting the Linux LED subsystem
+ blink LEDs on IKE activity.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-lookip
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for lookip interface
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin which provides an interface to
+ query information about tunnels via the peer's virtual IP address.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-unity
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for IKEv1 Cisco Unity Extensions
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the Unity plugin for strongSwan. It provides support for
+ parts of the IKEv1 Cisco Unity Extensions.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-xauth-eap
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for XAuth backend using EAP methods
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for the XAuth backend that uses
+ EAP methods to verify passwords.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-xauth-generic
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for the generic XAuth backend
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for the generic XAuth backend that
+ provides passwords from ipsec.secrets and other credential sets.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-xauth-pam
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for XAuth backend using PAM
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for the XAuth backend that uses
+ PAM modules to verify passwords.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+###############################################################################
+# libcharon extra ubuntu plugins #
+###############################################################################
+
+Package: strongswan-plugin-eap-aka-3gpp2
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for the 3GPP2-based EAP-AKA backend
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for the EAP-AKA backend
+ implementing the standard 3GPP2 algorithm in software.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-dynamic
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for dynamic EAP method selection
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for EAP proxying that dynamically
+ selects an EAP method requested/supported by the client.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-peap
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for EAP-PEAP protocol handler
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for EAP-PEAP protocol handling,
+ which wraps other EAP methods securely.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+
+Package: strongswan-plugin-eap-sim
+Architecture: all
+Section: oldlibs
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libcharon-extra-plugins (= ${binary:Version})
+Description: strongSwan plugin for generic EAP-SIM protocol handling
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides the strongSwan plugin for generic EAP-SIM protocol
+ handling using different backends.
+ .
+ This plugin is now included in libcharon-extra-plugins. This package can
+ be safely removed once it's installed.
+ +Package: strongswan-plugin-eap-sim-file +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libcharon-extra-plugins (= ${binary:Version}) +Description: strongSwan plugin for EAP-SIM credentials from files + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for the EAP-SIM backend for reading + triplets from a file. + . + This plugin is now included in libcharon-extra-plugins. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-eap-sim-pcsc +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libcharon-extra-plugins (= ${binary:Version}) +Description: strongSwan plugin for EAP-SIM credentials on smartcards + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for the EAP-SIM backend based on a + PC/SC smartcard reader. + . + This plugin is now included in libcharon-extra-plugins. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-eap-simaka-pseudonym +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libcharon-extra-plugins (= ${binary:Version}) +Description: strongSwan plugin for the EAP-SIM/AKA identity database + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for the EAP-SIM/AKA in-memory + pseudonym identity database. + . + This plugin is now included in libcharon-extra-plugins. This package can + be safely removed once it's installed. 
+ +Package: strongswan-plugin-eap-simaka-reauth +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libcharon-extra-plugins (= ${binary:Version}) +Description: strongSwan plugin for the EAP-SIM/AKA reauthentication database + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for the EAP-SIM/AKA in-memory + reauthentication identity database. + . + This plugin is now included in libcharon-extra-plugins. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-eap-simaka-sql +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libcharon-extra-plugins (= ${binary:Version}) +Description: strongSwan plugin for SQL-based EAP-SIM/AKA backend reading + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for the EAP-SIM/AKA backend reading + triplets/quintuplets from a SQL database. + . + This plugin is now included in libcharon-extra-plugins. This package can + be safely removed once it's installed. + +Package: strongswan-plugin-farp +Architecture: any +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libcharon-extra-plugins (= ${binary:Version}) +Description: strongSwan plugin for faking ARP responses + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for faking ARP responses for + requests to a virtual IP address assigned to a peer. + . + This plugin is now included in libcharon-extra-plugins. This package can + be safely removed once it's installed. 
+ +Package: strongswan-plugin-xauth-noauth +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends}, + libcharon-extra-plugins (= ${binary:Version}) +Description: strongSwan plugin for the generic XAuth backend + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for the XAuth backend that does no + authentication. + . + This plugin is now included in libcharon-extra-plugins. This package can + be safely removed once it's installed. + +############################################################################### +# disabled extra plugins # +############################################################################### + +Package: strongswan-plugin-duplicheck +Architecture: all +Section: oldlibs +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: strongSwan plugin for duplicheck functionality + The strongSwan VPN suite uses the native IPsec stack in the standard + Linux kernel. It supports both the IKEv1 and IKEv2 protocols. + . + This package provides the strongSwan plugin for the duplicheck functionality. + . + The duplicheck plugin provides an advanced but very specialized peer identity + duplicate checking. It works independent from the ipsec.conf uniqueids feature. + . + More information may be found at: + http://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck + . + This plugin is now disabled. This package can be safely removed once it's + installed. diff -Nru strongswan-5.3.5/debian/ipsec.secrets.proto strongswan-5.3.5/debian/ipsec.secrets.proto --- strongswan-5.3.5/debian/ipsec.secrets.proto 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/ipsec.secrets.proto 2016-02-17 16:11:54.000000000 -0600 
@@ -3,6 +3,3 @@ # RSA private key for this host, authenticating it to any other host # which knows the public part. -# this file is managed with debconf and will contain the automatically created private key -include /var/lib/strongswan/ipsec.secrets.inc - diff -Nru strongswan-5.3.5/debian/libcharon-extra-plugins.install strongswan-5.3.5/debian/libcharon-extra-plugins.install --- strongswan-5.3.5/debian/libcharon-extra-plugins.install 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/libcharon-extra-plugins.install 2016-02-17 16:11:54.000000000 -0600 @@ -3,12 +3,11 @@ usr/lib/ipsec/plugins/libstrongswan-certexpire.so usr/lib/ipsec/plugins/libstrongswan-eap*.so usr/lib/ipsec/plugins/libstrongswan-error-notify.so -usr/lib/ipsec/plugins/libstrongswan-ha.so +usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so usr/lib/ipsec/plugins/libstrongswan-led.so usr/lib/ipsec/plugins/libstrongswan-lookip.so usr/lib/ipsec/plugins/libstrongswan-medsrv.so usr/lib/ipsec/plugins/libstrongswan-medcli.so -usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so usr/lib/ipsec/plugins/libstrongswan-unity.so usr/lib/ipsec/plugins/libstrongswan-xauth-*.so # standard configuration files 
@@ -16,34 +15,31 @@ usr/share/strongswan/templates/config/plugins/certexpire.conf usr/share/strongswan/templates/config/plugins/eap-*.conf usr/share/strongswan/templates/config/plugins/error-notify.conf -usr/share/strongswan/templates/config/plugins/ha.conf +usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf usr/share/strongswan/templates/config/plugins/led.conf usr/share/strongswan/templates/config/plugins/lookip.conf usr/share/strongswan/templates/config/plugins/medsrv.conf usr/share/strongswan/templates/config/plugins/medcli.conf -usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf usr/share/strongswan/templates/config/plugins/unity.conf usr/share/strongswan/templates/config/plugins/xauth-*.conf -usr/share/strongswan/templates/config/strongswan.d/tnc.conf -etc/strongswan.d/tnc.conf etc/strongswan.d/charon/addrblock.conf etc/strongswan.d/charon/certexpire.conf etc/strongswan.d/charon/eap-*.conf etc/strongswan.d/charon/error-notify.conf -etc/strongswan.d/charon/ha.conf +etc/strongswan.d/charon/kernel-libipsec.conf etc/strongswan.d/charon/led.conf etc/strongswan.d/charon/lookip.conf etc/strongswan.d/charon/medsrv.conf etc/strongswan.d/charon/medcli.conf -etc/strongswan.d/charon/tnc-tnccs.conf etc/strongswan.d/charon/unity.conf etc/strongswan.d/charon/xauth-*.conf +debian/usr.lib.ipsec.lookip /etc/apparmor.d/ # support libs usr/lib/ipsec/libfast.so* +usr/lib/ipsec/libipsec.so* usr/lib/ipsec/libpttls.so* usr/lib/ipsec/libradius.so* usr/lib/ipsec/libsimaka.so* -usr/lib/ipsec/libtnccs.so* usr/lib/ipsec/libtls.so* # binaries usr/lib/ipsec/error-notify diff -Nru strongswan-5.3.5/debian/libstrongswan-extra-plugins.install strongswan-5.3.5/debian/libstrongswan-extra-plugins.install --- strongswan-5.3.5/debian/libstrongswan-extra-plugins.install 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/libstrongswan-extra-plugins.install 2016-02-17 16:11:54.000000000 -0600 
@@ -1,26 +1,77 @@ # libstrongswan plugins -usr/lib/ipsec/plugins/libstrongswan-ccm.so +usr/lib/ipsec/plugins/libstrongswan-acert.so +usr/lib/ipsec/plugins/libstrongswan-attr-sql.so +usr/lib/ipsec/plugins/libstrongswan-bliss.so +usr/lib/ipsec/plugins/libstrongswan-chapoly.so usr/lib/ipsec/plugins/libstrongswan-cmac.so +usr/lib/ipsec/plugins/libstrongswan-coupling.so usr/lib/ipsec/plugins/libstrongswan-ctr.so usr/lib/ipsec/plugins/libstrongswan-curl.so +usr/lib/ipsec/plugins/libstrongswan-dnscert.so usr/lib/ipsec/plugins/libstrongswan-gcrypt.so +usr/lib/ipsec/plugins/libstrongswan-ipseckey.so usr/lib/ipsec/plugins/libstrongswan-ldap.so +usr/lib/ipsec/plugins/libstrongswan-load-tester.so +usr/lib/ipsec/plugins/libstrongswan-mysql.so +usr/lib/ipsec/plugins/libstrongswan-ntru.so usr/lib/ipsec/plugins/libstrongswan-pkcs11.so -usr/lib/ipsec/plugins/libstrongswan-test-vectors.so +usr/lib/ipsec/plugins/libstrongswan-radattr.so +usr/lib/ipsec/plugins/libstrongswan-soup.so +usr/lib/ipsec/plugins/libstrongswan-sqlite.so +usr/lib/ipsec/plugins/libstrongswan-sql.so +usr/lib/ipsec/plugins/libstrongswan-systime-fix.so +usr/lib/ipsec/plugins/libstrongswan-unbound.so +usr/lib/ipsec/plugins/libstrongswan-whitelist.so # default configuration files +usr/share/strongswan/templates/config/plugins/acert.conf +usr/share/strongswan/templates/config/plugins/attr-sql.conf usr/share/strongswan/templates/config/plugins/ccm.conf +usr/share/strongswan/templates/config/plugins/bliss.conf +usr/share/strongswan/templates/config/plugins/chapoly.conf usr/share/strongswan/templates/config/plugins/cmac.conf +usr/share/strongswan/templates/config/plugins/coupling.conf usr/share/strongswan/templates/config/plugins/ctr.conf usr/share/strongswan/templates/config/plugins/curl.conf +usr/share/strongswan/templates/config/plugins/dnscert.conf usr/share/strongswan/templates/config/plugins/gcrypt.conf +usr/share/strongswan/templates/config/plugins/ipseckey.conf 
usr/share/strongswan/templates/config/plugins/ldap.conf +usr/share/strongswan/templates/config/plugins/load-tester.conf +usr/share/strongswan/templates/config/plugins/mysql.conf +usr/share/strongswan/templates/config/plugins/ntru.conf usr/share/strongswan/templates/config/plugins/pkcs11.conf -usr/share/strongswan/templates/config/plugins/test-vectors.conf +usr/share/strongswan/templates/config/plugins/radattr.conf +usr/share/strongswan/templates/config/plugins/soup.conf +usr/share/strongswan/templates/config/plugins/sql.conf +usr/share/strongswan/templates/config/plugins/sqlite.conf +usr/share/strongswan/templates/config/plugins/systime-fix.conf +usr/share/strongswan/templates/config/plugins/unbound.conf +usr/share/strongswan/templates/config/plugins/whitelist.conf +usr/share/strongswan/templates/database/sql/mysql.sql +usr/share/strongswan/templates/database/sql/sqlite.sql +etc/strongswan.d/charon/acert.conf +etc/strongswan.d/charon/attr-sql.conf etc/strongswan.d/charon/ccm.conf +etc/strongswan.d/charon/bliss.conf +etc/strongswan.d/charon/chapoly.conf etc/strongswan.d/charon/cmac.conf +etc/strongswan.d/charon/coupling.conf etc/strongswan.d/charon/ctr.conf etc/strongswan.d/charon/curl.conf +etc/strongswan.d/charon/dnscert.conf etc/strongswan.d/charon/gcrypt.conf +etc/strongswan.d/charon/ipseckey.conf etc/strongswan.d/charon/ldap.conf +etc/strongswan.d/charon/load-tester.conf +etc/strongswan.d/charon/mysql.conf +etc/strongswan.d/charon/ntru.conf etc/strongswan.d/charon/pkcs11.conf -etc/strongswan.d/charon/test-vectors.conf +etc/strongswan.d/charon/radattr.conf +etc/strongswan.d/charon/soup.conf +etc/strongswan.d/charon/sql.conf +etc/strongswan.d/charon/sqlite.conf +etc/strongswan.d/charon/systime-fix.conf +etc/strongswan.d/charon/unbound.conf +etc/strongswan.d/charon/whitelist.conf +usr/lib/ipsec/load-tester +usr/lib/ipsec/whitelist diff -Nru strongswan-5.3.5/debian/libstrongswan.install strongswan-5.3.5/debian/libstrongswan.install --- 
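Review bot: `usr/lib/ipsec/plugins/libstrongswan-load-tester.so`, its two `load-tester.conf` entries and the `usr/lib/ipsec/load-tester` binary are added to libstrongswan-extra-plugins, which is a general-purpose plugin package. Upstream describes load-tester as a test tool that must not be enabled on production gateways because it brings its own built-in credentials, so anyone installing this package for curl or pkcs11 support also gets it on disk. I would ship it in a separate opt-in package, or at least verify that the installed `etc/strongswan.d/charon/load-tester.conf` leaves the plugin disabled and state that in the package description. The same concern applies to `--enable-load-tester` in the debian/rules hunk.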
strongswan-5.3.5/debian/libstrongswan.install 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/libstrongswan.install 2016-02-17 16:11:54.000000000 -0600 @@ -1,19 +1,22 @@ # libstrongswan plugins usr/lib/ipsec/libstrongswan.so* +usr/lib/ipsec/libchecksum.so* usr/lib/ipsec/plugins/libstrongswan-aes.so +usr/lib/ipsec/plugins/libstrongswan-ccm.so usr/lib/ipsec/plugins/libstrongswan-constraints.so usr/lib/ipsec/plugins/libstrongswan-dnskey.so usr/lib/ipsec/plugins/libstrongswan-fips-prf.so usr/lib/ipsec/plugins/libstrongswan-gmp.so usr/lib/ipsec/plugins/libstrongswan-hmac.so +usr/lib/ipsec/plugins/libstrongswan-md4.so usr/lib/ipsec/plugins/libstrongswan-md5.so usr/lib/ipsec/plugins/libstrongswan-nonce.so -usr/lib/ipsec/plugins/libstrongswan-pgp.so usr/lib/ipsec/plugins/libstrongswan-pem.so +usr/lib/ipsec/plugins/libstrongswan-pgp.so +usr/lib/ipsec/plugins/libstrongswan-pkcs12.so usr/lib/ipsec/plugins/libstrongswan-pkcs1.so usr/lib/ipsec/plugins/libstrongswan-pkcs7.so usr/lib/ipsec/plugins/libstrongswan-pkcs8.so -usr/lib/ipsec/plugins/libstrongswan-pkcs12.so usr/lib/ipsec/plugins/libstrongswan-pubkey.so usr/lib/ipsec/plugins/libstrongswan-random.so usr/lib/ipsec/plugins/libstrongswan-rc2.so @@ -21,6 +24,7 @@ usr/lib/ipsec/plugins/libstrongswan-sha1.so usr/lib/ipsec/plugins/libstrongswan-sha2.so usr/lib/ipsec/plugins/libstrongswan-sshkey.so +usr/lib/ipsec/plugins/libstrongswan-test-vectors.so usr/lib/ipsec/plugins/libstrongswan-x509.so usr/lib/ipsec/plugins/libstrongswan-xcbc.so # config files 
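Review bot: `libstrongswan-ccm.so` is added to this package here, but the two `ccm.conf` entries remain unchanged context lines in libstrongswan-extra-plugins.install, so the shared object and its configuration snippet appear to end up in different binary packages. Unless a part of the diff outside this view moves them, a host with only libstrongswan installed would have the plugin without `etc/strongswan.d/charon/ccm.conf`. Moving both `ccm.conf` lines alongside the `.so`, as this diff already does for md4 and test-vectors, keeps the plugin and its load setting together.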
@@ -30,14 +34,16 @@ usr/share/strongswan/templates/config/plugins/fips-prf.conf usr/share/strongswan/templates/config/plugins/gmp.conf usr/share/strongswan/templates/config/plugins/hmac.conf +usr/share/strongswan/templates/config/plugins/kernel-netlink.conf +usr/share/strongswan/templates/config/plugins/md4.conf usr/share/strongswan/templates/config/plugins/md5.conf usr/share/strongswan/templates/config/plugins/nonce.conf -usr/share/strongswan/templates/config/plugins/pgp.conf usr/share/strongswan/templates/config/plugins/pem.conf +usr/share/strongswan/templates/config/plugins/pgp.conf +usr/share/strongswan/templates/config/plugins/pkcs12.conf usr/share/strongswan/templates/config/plugins/pkcs1.conf usr/share/strongswan/templates/config/plugins/pkcs7.conf usr/share/strongswan/templates/config/plugins/pkcs8.conf -usr/share/strongswan/templates/config/plugins/pkcs12.conf usr/share/strongswan/templates/config/plugins/pubkey.conf usr/share/strongswan/templates/config/plugins/random.conf usr/share/strongswan/templates/config/plugins/rc2.conf @@ -45,6 +51,7 @@ usr/share/strongswan/templates/config/plugins/sha1.conf usr/share/strongswan/templates/config/plugins/sha2.conf usr/share/strongswan/templates/config/plugins/sshkey.conf +usr/share/strongswan/templates/config/plugins/test-vectors.conf usr/share/strongswan/templates/config/plugins/x509.conf usr/share/strongswan/templates/config/plugins/xcbc.conf etc/strongswan.d/charon/aes.conf 
@@ -53,14 +60,16 @@ etc/strongswan.d/charon/fips-prf.conf etc/strongswan.d/charon/gmp.conf etc/strongswan.d/charon/hmac.conf +etc/strongswan.d/charon/kernel-netlink.conf +etc/strongswan.d/charon/md4.conf etc/strongswan.d/charon/md5.conf etc/strongswan.d/charon/nonce.conf -etc/strongswan.d/charon/pgp.conf etc/strongswan.d/charon/pem.conf +etc/strongswan.d/charon/pgp.conf +etc/strongswan.d/charon/pkcs12.conf etc/strongswan.d/charon/pkcs1.conf etc/strongswan.d/charon/pkcs7.conf etc/strongswan.d/charon/pkcs8.conf -etc/strongswan.d/charon/pkcs12.conf etc/strongswan.d/charon/pubkey.conf etc/strongswan.d/charon/random.conf etc/strongswan.d/charon/rc2.conf @@ -68,6 +77,7 @@ etc/strongswan.d/charon/sha1.conf etc/strongswan.d/charon/sha2.conf etc/strongswan.d/charon/sshkey.conf +etc/strongswan.d/charon/test-vectors.conf etc/strongswan.d/charon/x509.conf etc/strongswan.d/charon/xcbc.conf # libhydra plugins diff -Nru strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.paranoid strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.paranoid --- strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.paranoid 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.paranoid 1969-12-31 18:00:00.000000000 -0600 
@@ -1,20 +0,0 @@ -ipsec_setup: KLIPS debug \`none\' -ipsec_setup: Stopping FreeS/WAN IPsec\.\.\. -ipsec_setup: stop ordered -ipsec_setup: doing cleanup anywan... -ipsec_setup: \.\.\.FreeS/WAN IPsec stopped -ipsec_setup: Starting FreeS/WAN IPsec -ipsec_setup: \.\.\.FreeS/WAN IPsec started -ipsec_plutorun: .*: initiate -pluto.*: deleting state -pluto.*: forgetting secrets -pluto.*: shutting down -pluto.*: \| -pluto.*: .* bytes loaded -pluto.*: including X\.509 patch -pluto.*: Loading my X\.509 certificate -pluto.*: Starting pluto -pluto.*: adding interface -pluto.*: listening for IKE messages -pluto.*: loading secrets -pluto.*: regenerating DH private secret diff -Nru strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.server strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.server --- strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.server 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.server 1969-12-31 18:00:00.000000000 -0600 
@@ -1,25 +0,0 @@ -ipsec_setup: KLIPS debug \`none\' -ipsec_setup: Stopping FreeS/WAN IPsec\.\.\. -ipsec_setup: stop ordered -ipsec_setup: doing cleanup anywan... -ipsec_setup: \.\.\.FreeS/WAN IPsec stopped -ipsec_setup: Starting FreeS/WAN IPsec -ipsec_setup: \.\.\.FreeS/WAN IPsec started -ipsec_plutorun: .*: initiate -pluto.*: deleting state -pluto.*: forgetting secrets -pluto.*: shutting down -pluto.*: \| -pluto.*: .* bytes loaded -pluto.*: including X\.509 patch -pluto.*: Loading my X\.509 certificate -pluto.*: Starting pluto -pluto.*: added connection description -pluto.*: adding interface -pluto.*: listening for IKE messages -pluto.*: loading secrets -pluto.*: .* SA established -pluto.*: .* SA expired -pluto.*: replacing stale .* SA -pluto.*: initiating Quick Mode -pluto.*: regenerating DH private secret diff -Nru strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.workstation strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.workstation --- strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.workstation 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.ignore.workstation 1969-12-31 18:00:00.000000000 -0600 
@@ -1,25 +0,0 @@ -ipsec_setup: KLIPS debug \`none\' -ipsec_setup: Stopping FreeS/WAN IPsec\.\.\. -ipsec_setup: stop ordered -ipsec_setup: doing cleanup anywan... -ipsec_setup: \.\.\.FreeS/WAN IPsec stopped -ipsec_setup: Starting FreeS/WAN IPsec -ipsec_setup: \.\.\.FreeS/WAN IPsec started -ipsec_plutorun: .*: initiate -pluto.*: deleting state -pluto.*: forgetting secrets -pluto.*: shutting down -pluto.*: \| -pluto.*: .* bytes loaded -pluto.*: including X\.509 patch -pluto.*: Loading my X\.509 certificate -pluto.*: Starting pluto -pluto.*: added connection description -pluto.*: adding interface -pluto.*: listening for IKE messages -pluto.*: loading secrets -pluto.*: .* SA established -pluto.*: .* SA expired -pluto.*: replacing stale .* SA -pluto.*: initiating Quick Mode -pluto.*: regenerating DH private secret diff -Nru strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.violations.ignore strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.violations.ignore --- strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.violations.ignore 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/libstrongswan.strongswan.logcheck.violations.ignore 1969-12-31 18:00:00.000000000 -0600 @@ -1 +0,0 @@ -ipsec_setup: KLIPS debug `none' diff -Nru strongswan-5.3.5/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch strongswan-5.3.5/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch --- strongswan-5.3.5/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch 1969-12-31 18:00:00.000000000 -0600 +++ strongswan-5.3.5/debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch 2016-02-17 16:11:54.000000000 -0600 
@@ -0,0 +1,11 @@
+--- a/conf/plugins/kernel-libipsec.conf
++++ b/conf/plugins/kernel-libipsec.conf
+@@ -5,7 +5,7 @@
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+- load = yes
++ load = no
+
+ }
+
diff -Nru strongswan-5.3.5/debian/patches/increase-bliss-test-timeout.patch strongswan-5.3.5/debian/patches/increase-bliss-test-timeout.patch
--- strongswan-5.3.5/debian/patches/increase-bliss-test-timeout.patch 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/patches/increase-bliss-test-timeout.patch 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,11 @@
+--- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
++++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
+@@ -89,7 +89,7 @@
+ s = suite_create("bliss_sampler");
+
+ tc = tcase_create("sampler_gaussian");
+- tcase_set_timeout(tc, 10);
++ tcase_set_timeout(tc, 30);
+ tcase_add_loop_test(tc, test_bliss_sampler_gaussian, 0, countof(key_size));
+ suite_add_tcase(s, tc);
+
diff -Nru strongswan-5.3.5/debian/patches/series strongswan-5.3.5/debian/patches/series
--- strongswan-5.3.5/debian/patches/series 2015-11-26 08:24:57.000000000 -0600
+++ strongswan-5.3.5/debian/patches/series 2016-02-17 16:11:54.000000000 -0600
@@ -1,3 +1,5 @@
 01_fix-manpages.patch
 03_systemd-service.patch
 04_disable-libtls-tests.patch
+dont-load-kernel-libipsec-plugin-by-default.patch
+increase-bliss-test-timeout.patch
diff -Nru strongswan-5.3.5/debian/rules strongswan-5.3.5/debian/rules
--- strongswan-5.3.5/debian/rules 2015-11-19 15:17:36.000000000 -0600
+++ strongswan-5.3.5/debian/rules 2016-02-17 16:11:54.000000000 -0600
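Review bot: Both new files under debian/patches begin directly at the `---`/`+++` lines, so neither carries a DEP-3 header and the reason for each change is recorded only in debian/changelog. For dont-load-kernel-libipsec-plugin-by-default.patch I would add `Description: Do not load the kernel-libipsec plugin by default` and `Forwarded: not-needed` above the diff, citing the upstream wiki URL from the changelog as the rationale. Because this patch edits a configuration template rather than code, it is also worth checking in the built package that `etc/strongswan.d/charon/kernel-libipsec.conf` really ends up with `load = no`.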
@@ -2,27 +2,94 @@ export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 #export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs export DEB_BUILD_MAINT_OPTIONS=hardening=+all +export DEB_BUILD_OPTIONS=nostrip +export TESTS_REDUCED_KEYLENGTHS=1 CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \ - --enable-ldap --enable-curl \ - --enable-pkcs11 \ - --enable-mediation --enable-medsrv --enable-medcli \ - --enable-openssl --enable-agent \ - --enable-ctr --enable-ccm --enable-gcm --enable-addrblock \ - --enable-eap-radius --enable-eap-identity --enable-eap-md5 \ - --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \ - --enable-eap-tls --enable-eap-ttls --enable-eap-tnc \ - --enable-ha \ - --enable-led --enable-gcrypt \ - --enable-test-vectors \ - --enable-xauth-eap --enable-xauth-pam \ - --enable-cmd \ + --with-tss=trousers \ + --enable-acert \ + --enable-addrblock \ + --enable-addrblock \ + --enable-agent \ + --enable-attr-sql \ + --enable-bliss \ + --enable-ccm \ --enable-certexpire \ - --enable-lookip \ + --enable-chapoly \ + --enable-cmd \ + --enable-connmark \ + --enable-coupling \ + --enable-ctr \ + --enable-curl \ + --enable-dnscert \ + --enable-eap-aka \ + --enable-eap-aka-3gpp2 \ + --enable-eap-dynamic \ + --enable-eap-gtc \ + --enable-eap-identity \ + --enable-eap-md5 \ + --enable-eap-mschapv2 \ + --enable-eap-peap \ + --enable-eap-radius \ + --enable-eap-sim \ + --enable-eap-simaka-pseudonym \ + --enable-eap-simaka-reauth \ + --enable-eap-simaka-sql \ + --enable-eap-sim-file \ + --enable-eap-sim-pcsc \ + --enable-eap-tls \ + --enable-eap-tnc \ + --enable-eap-ttls \ --enable-error-notify \ + --enable-gcm \ + --enable-gcrypt \ + --enable-imc-attestation \ + --enable-imc-os \ + --enable-imc-scanner \ + --enable-imc-swid \ + --enable-imc-test \ + --enable-imv-attestation \ + --enable-imv-os \ + --enable-imv-scanner \ + --enable-imv-swid \ + --enable-imv-test \ + --enable-integrity-test \ + --enable-ipseckey \ + --enable-kernel-libipsec \ 
+ --enable-ldap \ + --enable-led \ + --enable-load-tester \ + --enable-lookip \ + --enable-md4 \ + --enable-medcli \ + --enable-mediation \ + --enable-medsrv \ + --enable-mysql \ + --enable-ntru \ + --enable-openssl \ + --enable-pkcs11 \ + --enable-radattr \ + --enable-soup \ + --enable-sql \ + --enable-sqlite \ + --enable-systime-fix \ + --enable-test-vectors \ + --enable-tnccs-11 \ + --enable-tnccs-20 \ + --enable-tnccs-dynamic \ + --enable-tnc-ifmap \ + --enable-tnc-imc \ + --enable-tnc-imv \ + --enable-tnc-pdp \ + --enable-unbound \ --enable-unity \ - --enable-connmark \ - --disable-blowfish --disable-des # BSD-Young license + --enable-whitelist \ + --enable-xauth-eap \ + --enable-xauth-generic \ + --enable-xauth-noauth \ + --enable-xauth-pam \ + --disable-blowfish \ + --disable-des # BSD-Young license #--with-user=strongswan --with-group=nogroup # --enable-kernel-pfkey --enable-kernel-klips \ # And for --enable-eap-sim we would need the library, which we don't @@ -103,7 +170,8 @@ dh_install -p libstrongswan-extra-plugins usr/share/strongswan/templates/config/plugins/af-alg.conf dh_install -p libstrongswan-extra-plugins etc/strongswan.d/charon/af-alg.conf # the systemd service file only gets generated on Linux - dh_install -p strongswan-starter lib/systemd/system/strongswan.service + dh_systemd_enable --name=strongswan + dh_systemd_start --name=strongswan endif ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd) 
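Review bot: `export DEB_BUILD_OPTIONS=nostrip` assigns the variable unconditionally, so whatever the builder passed in the environment (`nocheck`, `parallel=N`, `noopt`) is discarded; `export DEB_BUILD_OPTIONS += nostrip` keeps those values and still prevents stripping. `--enable-addrblock \` is listed twice in the new CONFIGUREARGS and one copy can be removed. The list also turns on `--enable-xauth-noauth`, a backend that the package description in this diff says does no authentication, so a comment beside that flag noting that it must only ever be selected explicitly per connection would help whoever audits the build later.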
@@ -146,14 +214,13 @@ -Xlibstrongswan-af-alg.so -X af-alg.conf \ -Xstrongswan.service + # AppArmor. + dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-charon + dh_apparmor --profile-name=usr.lib.ipsec.lookip -p libcharon-extra-plugins + dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter + # add additional files not covered by upstream makefile... install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets - # also "patch" ipsec.conf to include the debconf-managed file - echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf - echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf - # and to enable both IKEv1 and IKEv2 by default - sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp - mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf # set permissions on ipsec.secrets chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets @@ -172,7 +239,7 @@ find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf override_dh_installinit: - dh_installinit -n --name=ipsec + dh_installinit -n --name=strongswan override_dh_installchangelogs: dh_installchangelogs NEWS diff -Nru strongswan-5.3.5/debian/strongswan-charon.install strongswan-5.3.5/debian/strongswan-charon.install --- strongswan-5.3.5/debian/strongswan-charon.install 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/strongswan-charon.install 2016-02-17 16:11:54.000000000 -0600 
@@ -3,3 +3,4 @@
 usr/share/strongswan/templates/config/strongswan.d/charon-logging.conf
 etc/strongswan.d/charon-logging.conf
 etc/strongswan.d/charon.conf
+debian/usr.lib.ipsec.charon /etc/apparmor.d/
diff -Nru strongswan-5.3.5/debian/strongswan.logcheck strongswan-5.3.5/debian/strongswan.logcheck
--- strongswan-5.3.5/debian/strongswan.logcheck 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/strongswan.logcheck 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,83 @@ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] added child to existing configuration '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] added configuration '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] adding virtual IP address pool [.:[:xdigit:]]+/[0-9]{1,3}$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] assigning new lease to '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] certificate status is not available$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] checking certificate status of "[^"]+"$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] deleted connection '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] id '%any' not confirmed by certificate, defaulting to '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] lease [.:[:xdigit:]]+ by '[^']+' went offline$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] left nor right host is our side, assuming left=local$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] loaded (ca )?certificate "[^"]+" from '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] loaded (ECDSA|RSA) private key from '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] loaded (IKE|EAP) secret for .+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] loading (aa|attribute|ca|ocsp signer) certificates from '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] loading (crls|secrets) from '/[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] looking for (XAuthInitPSK )?peer configs matching [.:[:xdigit:]]+(\[[^\[]+\])?\.\.\.[.:[:xdigit:]]+\[[^\[]+\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] reached self-signed root ca with a path length of 0$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] reassigning offline lease to '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] received 
stroke: add connection '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] received stroke: ((add|delete) connection|initiate|terminate) '[^']+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] selected peer config .+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] sending UNITY_SPLIT_INCLUDE: [.:[:xdigit:]]+/[0-9]{1,3}$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[CFG\] using trusted (ca )?certificate "[^"]+"$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[DMN\] signal of type SIGINT received\. Shutting down$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[DMN\] Starting IKE charon daemon \(strongSwan [^)]+\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[ENC\] (generating|parsed) (CREATE_CHILD_SA|INFORMATIONAL(|_V1)|ID_PROT|IKE_(AUTH|SA_INIT)|QUICK_MODE|TRANSACTION) re(sponse|quest) [0-9]+ \[ [^]]*\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[ENC\] received unknown vendor ID: [:[:xdigit:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[ENC\] unknown attribute type \(28683\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] assigning virtual IP [.:[:xdigit:]]+ to peer '.+'$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] authentication of '[^']+' (\(myself\) )?with .+ (signature )?successful$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] CHILD_SA [^{]+\{[0-9]+\} established with SPIs [[:xdigit:]]+_i [[:xdigit:]]+_o and TS [.:[:xdigit:]]+/[0-9]{1,3}(\[[^]]+\])? === [.:[:xdigit:]]+/[0-9]{1,3}(\[[^]]+\])?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] CHILD_SA closed$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] CHILD_SA not found, ignored$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] closing CHILD_SA [^{]+\{[0-9]+\} with SPIs [[:xdigit:]]+_i \([0-9]+ bytes\) [[:xdigit:]]+_o \([0-9]+ bytes\) and TS [.:[:xdigit:]]+/[0-9]{1,3}(\[[^]]+\])? 
=== [.:[:xdigit:]]+/[0-9]{1,3}(\[[^]]+\])?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] closing expired CHILD_SA [^{]+\{[0-9]+\} with SPIs [[:xdigit:]]+_i [[:xdigit:]]+_o and TS [.:[:xdigit:]]+/[0-9]{1,3}(\[[^]]+\])? === [.:[:xdigit:]]+/[0-9]{1,3}(\[[^]]+\])?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] deleting IKE_SA [^\[]+\[[0-9]+\] between [.:[:xdigit:]]+\[[^]]+\]\.\.\.[.:[:xdigit:]]+\[[^]]+\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] destroying IKE_SA in state CONNECTING without notification$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] (establish|restart)ing CHILD_SA .+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] faking NAT situation to enforce UDP encapsulation$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] giving up after [0-9]+ retransmits$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] IKE_SA [^\[]+\[[0-9]+\] established between [.:[:xdigit:]]+\[[^]]+\]\.\.\.[.:[:xdigit:]]+\[[^]]+\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] IKE_SA deleted$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] initiating (Main Mode )?IKE_SA [^\[]+\[[0-9]+\] to [.:[:xdigit:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] local host is behind NAT, sending keep alives$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] looking for a route to [.:[:xdigit:]]+ \.\.\.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] maximum IKE_SA lifetime [0-9]+s$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] no route found to reach [.:[:xdigit:]]+, MOBIKE update deferred$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] old path is not available anymore, try to find another$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] peer not responding, trying again \([0-9]+/[0-9]+\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] peer requested virtual IP (%any|[.:[:xdigit:]]+)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ 
charon: [0-9]+\[IKE\] reauthenticating IKE_SA .+(\[[0-9]+\])$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] reauthenticating IKE_SA due to address change$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] received AUTH_LIFETIME of [0-9]+s, scheduling reauthentication in [0-9]+s$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] received retransmit of response with ID [0-9]+, but next request already sent$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] (received|sending) (cert request|end entity cert) for "[^"]+"$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] (received|sending) DELETE for ESP CHILD_SA with SPI [[:xdigit:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] (received|sending) DELETE for IKE_SA .+\[[0-9]+\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] received .+ vendor ID$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] remote host is behind NAT$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] retransmit [0-9]+ of request with message ID [0-9]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] scheduling reauthentication in [0-9]+s$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] sending DPD request$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] sending keep alive to [.:[:xdigit:]]+\[[0-9]+\]$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] sending retransmit [0-9]+ of request message ID [0-9]+, seq [0-9]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] XAuth authentication of '[^']+' successful$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[IKE\] [.:[:xdigit:]]+ is initiating an IKE_SA$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[JOB\] deleting CHILD_SA after [0-9]+ seconds of inactivity$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[JOB\] DPD check timed out, enforcing DPD action$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[JOB\] spawning [0-9]+ worker threads$ +^\w{3} [ 
:0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[KNL\] creating (delete|rekey) job for CHILD_SA ESP/0x[[:xdigit:]]+/[.:[:xdigit:]]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[KNL\] creating (delete|rekey) job for ESP CHILD_SA with SPI [[:xdigit:]]+ and reqid \{[0-9]+\}$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[KNL\] interface .+ ((de)?activated|deleted)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[KNL\] [.:[:xdigit:]]+ (dis)?appeared (from|on) .+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[LIB\] dropped capabilities, running as uid [0-9]+, gid [0-9]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[LIB\] loaded plugins: .+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[LIB\] unable to load [0-9]+ plugin features \([0-9]+ due to unmet dependencies\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[NET\] error writing to socket: Network is unreachable$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ charon: [0-9]+\[NET\] (received|sending) packet: from [.:[:xdigit:]]+\[[0-9]+\] to [.:[:xdigit:]]+\[[0-9]+\]( \([0-9]+ bytes\))?$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipsec\[[0-9]+\]: Stopping strongSwan IPsec\.\.\.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipsec_starter\[[0-9]+\]: charon \([0-9]+\) started after [0-9]+ ms$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipsec_starter\[[0-9]+\]: charon stopped after [0-9]+ ms$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipsec_starter\[[0-9]+\]: ipsec starter stopped$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ipsec(_starter)?\[[0-9]+\]: Starting strongSwan [0-9.]+ IPsec \[starter\]\.\.\.$ diff -Nru strongswan-5.3.5/debian/strongswan-starter.dirs strongswan-5.3.5/debian/strongswan-starter.dirs --- strongswan-5.3.5/debian/strongswan-starter.dirs 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/strongswan-starter.dirs 2016-02-17 09:52:39.000000000 -0600 
@@ -5,5 +5,4 @@ /etc/ipsec.d/crls /etc/ipsec.d/private /etc/ipsec.d/policies -/etc/init.d /var/lib/strongswan diff -Nru strongswan-5.3.5/debian/strongswan-starter.install strongswan-5.3.5/debian/strongswan-starter.install --- strongswan-5.3.5/debian/strongswan-starter.install 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/strongswan-starter.install 2016-02-17 16:11:54.000000000 -0600 @@ -17,6 +17,7 @@ usr/lib/ipsec/_updown #tools usr/bin/pki +usr/lib/ipsec/pool usr/lib/ipsec/scepclient usr/share/man/man8/scepclient.8 usr/share/man/man1/pki---acert.1 @@ -33,11 +34,14 @@ usr/share/man/man1/pki---verify.1 usr/share/man/man1/pki.1 usr/share/strongswan/templates/config/strongswan.d/pki.conf +usr/share/strongswan/templates/config/strongswan.d/pool.conf usr/share/strongswan/templates/config/strongswan.d/scepclient.conf etc/strongswan.d/pki.conf +etc/strongswan.d/pool.conf etc/strongswan.d/scepclient.conf #stroke usr/lib/ipsec/stroke usr/lib/ipsec/plugins/libstrongswan-stroke.so usr/share/strongswan/templates/config/plugins/stroke.conf etc/strongswan.d/charon/stroke.conf +debian/usr.lib.ipsec.stroke /etc/apparmor.d/ diff -Nru strongswan-5.3.5/debian/strongswan-starter.links strongswan-5.3.5/debian/strongswan-starter.links --- strongswan-5.3.5/debian/strongswan-starter.links 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/strongswan-starter.links 1969-12-31 18:00:00.000000000 -0600 @@ -1 +0,0 @@ -lib/systemd/system/strongswan.service lib/systemd/system/ipsec.service diff -Nru strongswan-5.3.5/debian/strongswan-starter.postinst strongswan-5.3.5/debian/strongswan-starter.postinst --- strongswan-5.3.5/debian/strongswan-starter.postinst 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/strongswan-starter.postinst 2016-02-17 09:52:42.000000000 -0600 
@@ -29,7 +29,6 @@ # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. -CONF_FILE=/var/lib/strongswan/ipsec.conf.inc SECRETS_FILE=/var/lib/strongswan/ipsec.secrets.inc Warn () 
@@ -75,50 +74,6 @@ -days $2 $selfsigned >/dev/null } -enable_daemon_start() { - daemon=$1 - protocol=$2 - - echo -n "Enabling ${protocol} support by ${daemon}... " - if [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then - echo "already enabled" - elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE; then - sed "s/${daemon}start=no/${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ -e $CONF_FILE ] && egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE; then - sed "s/^\w+#\w*${daemon}start=(yes|no)\w*$/\t${daemon}start=yes/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo -e "\t${daemon}start=yes" > $CONF_FILE - else - echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" - fi -} - -disable_daemon_start() { - daemon=$1 - protocol=$2 - - echo -n "Disabling ${protocol} support by ${daemon}... " - if [ -e $CONF_FILE ] && ( egrep -q "^\w+${daemon}start=no\w*$" $CONF_FILE || - egrep -q "^\w+#\w*${daemon}start=(yes|no)\w*$" $CONF_FILE ); then - echo "already disabled" - elif [ -e $CONF_FILE ] && egrep -q "^\w+${daemon}start=yes\w*$" $CONF_FILE; then - sed "s/${daemon}start=yes/${daemon}start=no/" < $CONF_FILE > $CONF_FILE.tmp - cp $CONF_FILE.tmp $CONF_FILE - rm $CONF_FILE.tmp - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo -e "\t${daemon}start=yes" > $CONF_FILE - else - echo "ERROR: unknown or nonexistant ${daemon}start= directive, please fix manually!" - fi -} - setup_strongswan_user() { if ! getent passwd strongswan >/dev/null; then adduser --quiet --system --no-create-home --home /var/lib/strongswan --shell /usr/sbin/nologin strongswan 
@@ -220,88 +175,22 @@ db_set strongswan/install_x509_certificate false fi - # lets see if we are already using dependency based booting or the correct runlevel parameters - if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then - db_fset strongswan/runlevel_changes seen false - db_input high strongswan/runlevel_changes || true - db_go - - # if the admin did not change the runlevels which got installed by older packages we can modify them - if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then - update-rc.d -f ipsec remove - fi - - update-rc.d ipsec defaults 16 84 > /dev/null - fi - - db_get strongswan/enable-oe - if [ "$RET" != "true" ]; then - echo -n "Disabling opportunistic encryption (OE) in config file ... " - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then - # also update to new-style config - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo -n "converted old config line to new format" - fi - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE - else - echo "already disabled" - fi - else - echo -n "Enabling opportunistic encryption (OE) in config file ... 
" - if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then - # also update to new-style config - sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo -n "converted old config line to new format" - fi - if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - echo "already enabled" - elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then - sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp - mv $CONF_FILE.tmp $CONF_FILE - echo "done" - elif [ ! -e $CONF_FILE ]; then - echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE - else - cat <> $CONF_FILE -#Enable Opportunistic Encryption -include /etc/ipsec.d/examples/oe.conf -EOF - echo "done" - fi - fi - - # disabled for now, until we can solve the don't-edit-conffiles issue - #db_get strongswan/ikev1 - #if [ "$RET" != "true" ]; then - # enable_daemon_start "pluto" "IKEv1" - #else - # disable_daemon_start "pluto" "IKEv1" - #fi - #db_get strongswan/ikev2 - #if [ "$RET" != "true" ]; then - # enable_daemon_start "charon" "IKEv2" - #else - # disable_daemon_start "charon" "IKEv2" - #fi - # create user for strongswan to change its uid into setup_strongswan_user if [ -z "$2" ]; then # no old configured version - start strongswan now - invoke-rc.d ipsec start || true + service strongswan start || true else + # Remove old init.d scripts if necessary. + if [ -f /etc/init.d/ipsec ]; then + update-rc.d -f ipsec remove > /dev/null + fi + # does the user wish strongswan to restart? 
db_get strongswan/restart if [ "$RET" = "true" ]; then - invoke-rc.d ipsec restart || true # sure, we'll restart it for you + service strongswan restart || true # sure, we'll restart it for you fi fi diff -Nru strongswan-5.3.5/debian/strongswan-starter.postrm strongswan-5.3.5/debian/strongswan-starter.postrm --- strongswan-5.3.5/debian/strongswan-starter.postrm 2015-11-19 15:17:36.000000000 -0600 +++ strongswan-5.3.5/debian/strongswan-starter.postrm 2016-02-17 16:11:54.000000000 -0600 @@ -31,7 +31,6 @@ esac if [ "$1" = "purge" ] ; then - update-rc.d ipsec remove >/dev/null if getent passwd strongswan>/dev/null; then if [ -x /usr/sbin/deluser ]; then deluser --system strongswan diff -Nru strongswan-5.3.5/debian/strongswan-starter.prerm strongswan-5.3.5/debian/strongswan-starter.prerm --- strongswan-5.3.5/debian/strongswan-starter.prerm 2015-06-01 07:53:13.000000000 -0500 +++ strongswan-5.3.5/debian/strongswan-starter.prerm 2016-02-17 09:52:39.000000000 -0600 @@ -19,7 +19,7 @@ upgrade) ;; remove|deconfigure) - invoke-rc.d ipsec stop || true + service strongswan stop || true # install-info --quiet --remove /usr/info/strongswan.info.gz ;; failed-upgrade) diff -Nru strongswan-5.3.5/debian/strongswan-starter.strongswan.service strongswan-5.3.5/debian/strongswan-starter.strongswan.service --- strongswan-5.3.5/debian/strongswan-starter.strongswan.service 1969-12-31 18:00:00.000000000 -0600 +++ strongswan-5.3.5/debian/strongswan-starter.strongswan.service 2016-02-17 09:52:43.000000000 -0600 
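Review bot: The new `service strongswan start || true` and `service strongswan restart || true` calls in the postinst, and `service strongswan stop || true` in the prerm hunk further down, bypass policy-rc.d, which only `invoke-rc.d` consults. On hosts, chroots or image builds where the administrator has forbidden service starts during package operations, the IKE daemon would still be started or restarted. Keeping the old helper with the new service name, `invoke-rc.d strongswan start || true` (and likewise for restart and stop), preserves that control. The surrounding postinst logic continues outside this hunk.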
@@ -0,0 +1,16 @@
+[Unit]
+Description=strongSwan IPsec services
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=forking
+Restart=on-failure
+ExecStartPre=/bin/mkdir -p /var/lock/subsys
+Environment="PIDFILE=/var/run/charon.pid"
+ExecStart=/usr/sbin/ipsec start
+ExecStop=/usr/sbin/ipsec stop
+ExecStopPost=/bin/rm -f /var/run/charon.pid /var/run/starter.charon.pid
+
+[Install]
+WantedBy=multi-user.target
diff -Nru strongswan-5.3.5/debian/strongswan-tnc-base.install strongswan-5.3.5/debian/strongswan-tnc-base.install
--- strongswan-5.3.5/debian/strongswan-tnc-base.install 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/strongswan-tnc-base.install 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,16 @@
+etc/strongswan.d/charon/tnccs-11.conf
+etc/strongswan.d/charon/tnccs-20.conf
+etc/strongswan.d/charon/tnccs-dynamic.conf
+etc/strongswan.d/charon/tnc-tnccs.conf
+etc/strongswan.d/imcv.conf
+etc/strongswan.d/tnc.conf
+usr/lib/ipsec/libimcv.*
+usr/lib/ipsec/libtnccs.so*
+usr/lib/ipsec/plugins/libstrongswan-tnccs-*.so
+usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
+usr/share/strongswan/templates/config/plugins/tnccs-11.conf
+usr/share/strongswan/templates/config/plugins/tnccs-20.conf
+usr/share/strongswan/templates/config/plugins/tnccs-dynamic.conf
+usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
+usr/share/strongswan/templates/config/strongswan.d/imcv.conf
+usr/share/strongswan/templates/config/strongswan.d/tnc.conf
diff -Nru strongswan-5.3.5/debian/strongswan-tnc-client.install strongswan-5.3.5/debian/strongswan-tnc-client.install
--- strongswan-5.3.5/debian/strongswan-tnc-client.install 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/strongswan-tnc-client.install 2016-02-17 16:11:54.000000000 -0600
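Review bot: The unit declares `Type=forking` but gives systemd no `PIDFile=`; the line `Environment="PIDFILE=/var/run/charon.pid"` only sets an environment variable, which systemd does not use to find the main process. Without it the main PID is guessed, so `Restart=on-failure` may supervise the wrong process or miss a crashed daemon, leaving tunnels down without a restart. Consider adding `PIDFile=/var/run/starter.charon.pid`, assuming starter is the process `ipsec start` leaves running and writes that file, as the ExecStopPost cleanup suggests. The unit also sets no sandboxing directives, so confinement of the daemon rests entirely on the AppArmor profiles added elsewhere in this diff.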
@@ -0,0 +1,6 @@
+etc/strongswan.d/charon/tnc-imc.conf
+usr/lib/ipsec/imcvs/imc-*.so
+usr/lib/ipsec/plugins/libstrongswan-tnc-imc.so
+usr/lib/ipsec/regid.*.strongswan_strongSwan-*.swidtag
+usr/share/regid.*.org.strongswan/regid.*.org.strongswan_strongSwan-*.swidtag
+usr/share/strongswan/templates/config/plugins/tnc-imc.conf
diff -Nru strongswan-5.3.5/debian/strongswan-tnc-ifmap.install strongswan-5.3.5/debian/strongswan-tnc-ifmap.install
--- strongswan-5.3.5/debian/strongswan-tnc-ifmap.install 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/strongswan-tnc-ifmap.install 2016-02-17 09:52:42.000000000 -0600
@@ -0,0 +1,3 @@
+etc/strongswan.d/charon/tnc-ifmap.conf
+usr/lib/ipsec/plugins/libstrongswan-tnc-ifmap.so
+usr/share/strongswan/templates/config/plugins/tnc-ifmap.conf
diff -Nru strongswan-5.3.5/debian/strongswan-tnc-pdp.install strongswan-5.3.5/debian/strongswan-tnc-pdp.install
--- strongswan-5.3.5/debian/strongswan-tnc-pdp.install 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/strongswan-tnc-pdp.install 2016-02-17 09:52:42.000000000 -0600
@@ -0,0 +1,3 @@
+etc/strongswan.d/charon/tnc-pdp.conf
+usr/lib/ipsec/plugins/libstrongswan-tnc-pdp.so
+usr/share/strongswan/templates/config/plugins/tnc-pdp.conf
diff -Nru strongswan-5.3.5/debian/strongswan-tnc-server.install strongswan-5.3.5/debian/strongswan-tnc-server.install
--- strongswan-5.3.5/debian/strongswan-tnc-server.install 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/strongswan-tnc-server.install 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,13 @@
+etc/strongswan.d/attest.conf
+etc/strongswan.d/charon/tnc-imv.conf
+etc/strongswan.d/pacman.conf
+usr/lib/ipsec/attest
+usr/lib/ipsec/imcvs/imv-*.so
+usr/lib/ipsec/_imv_policy
+usr/lib/ipsec/imv_policy_manager
+usr/lib/ipsec/pacman
+usr/lib/ipsec/plugins/libstrongswan-tnc-imv.so
+usr/share/strongswan/templates/config/plugins/tnc-imv.conf
+usr/share/strongswan/templates/config/strongswan.d/attest.conf
+usr/share/strongswan/templates/config/strongswan.d/pacman.conf
+usr/share/strongswan/templates/database/imv/*.sql
diff -Nru strongswan-5.3.5/debian/tests/admin-strongswan-charon strongswan-5.3.5/debian/tests/admin-strongswan-charon
--- strongswan-5.3.5/debian/tests/admin-strongswan-charon 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/tests/admin-strongswan-charon 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,17 @@
+#!/bin/sh
+#--------------------------
+# Testing strongswan-charon
+#--------------------------
+CMDS="
+/usr/lib/ipsec/charon
+"
+
+for cmd in $CMDS; do
+ $cmd --help > /dev/null 2>&1
+ RET=$?
+
+ if [ $RET -ne 0 ]; then
+ echo "ERROR, failed to run ${cmd}" >&2
+ exit $RET
+ fi
+done
diff -Nru strongswan-5.3.5/debian/tests/admin-strongswan-starter strongswan-5.3.5/debian/tests/admin-strongswan-starter
--- strongswan-5.3.5/debian/tests/admin-strongswan-starter 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/tests/admin-strongswan-starter 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,21 @@
+#!/bin/sh
+#---------------------------
+# Testing strongswan-starter
+#---------------------------
+CMDS="
+/usr/bin/pki
+/usr/lib/ipsec/_copyright
+/usr/lib/ipsec/scepclient
+/usr/lib/ipsec/stroke
+/usr/sbin/ipsec
+"
+
+for cmd in $CMDS; do
+ $cmd --help > /dev/null 2>&1
+ RET=$?
+
+ if [ $RET -ne 0 ]; then
+ echo "ERROR, failed to run ${cmd}" >&2
+ exit $RET
+ fi
+done
diff -Nru strongswan-5.3.5/debian/tests/control strongswan-5.3.5/debian/tests/control
--- strongswan-5.3.5/debian/tests/control 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/tests/control 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,3 @@
+Tests: daemon admin-strongswan-charon admin-strongswan-starter plugins
+Depends: strongswan, libstrongswan-standard-plugins, libstrongswan-extra-plugins, libcharon-extra-plugins
+Restrictions: needs-root isolation-container allow-stderr
diff -Nru strongswan-5.3.5/debian/tests/daemon strongswan-5.3.5/debian/tests/daemon
--- strongswan-5.3.5/debian/tests/daemon 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/tests/daemon 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,14 @@
+#!/bin/sh
+#------------------------
+# Testing starter, charon
+#------------------------
+DAEMONS="starter charon"
+
+for daemon in $DAEMONS; do
+ if pidof -x $daemon > /dev/null; then
+ echo "$daemon OK"
+ else
+ echo "ERROR: ${daemon} IS NOT RUNNING"
+ exit 1
+ fi
+done
diff -Nru strongswan-5.3.5/debian/tests/plugins strongswan-5.3.5/debian/tests/plugins
--- strongswan-5.3.5/debian/tests/plugins 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/tests/plugins 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,25 @@
+#!/bin/bash
+# find the set of plugins from default installed libraries
+# and compare that with what ipsec has loaded.
+
+# restart strongswan to get current list of loaded modules
+invoke-rc.d strongswan restart
+invoke-rc.d strongswan status
+
+STRONGSWAN_PKGS="$(dpkg --list | awk '/(strongswan|charon)/ {print $2}')"
+PLUGIN_PATH="/usr/lib/ipsec/plugins/"
+EXPECTED_MODULES="charon"
+for pkg in $STRONGSWAN_PKGS; do
+ P=$(dpkg -L $pkg | grep "^${PLUGIN_PATH}" |
+ sed -e "s,${PLUGIN_PATH}libstrongswan-,,g" -e 's,.so$,,')
+ EXPECTED_MODULES="${EXPECTED_MODULES} ${P}"
+done
+# expected to not load; they require configuration
+# NB: keep leading/trailing space for regex generation
+NOLOAD=" attr-sql coupling eap-simaka-sql eap-sim-file kernel-libipsec load-tester medcli medsrv rdrand sql systime-fix "
+NOLOADR="(`echo ${NOLOAD} | sed 's, ,$|^,g'`)"
+EXPECTED=( `echo $EXPECTED_MODULES | fmt -w1 | egrep -v "$NOLOADR"` )
+LOADED=( `ipsec listplugins | grep :$ | grep -v "Plugin" | sed 's,:,,g'` )
+
+diff <(printf "%s\n" "${EXPECTED[@]}"|sort) <(printf "%s\n" "${LOADED[@]}"|sort)
+exit $?
diff -Nru strongswan-5.3.5/debian/usr.lib.ipsec.charon strongswan-5.3.5/debian/usr.lib.ipsec.charon
--- strongswan-5.3.5/debian/usr.lib.ipsec.charon 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/usr.lib.ipsec.charon 2016-02-17 16:11:54.000000000 -0600
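Review bot: The exclusion regex built on the `NOLOADR=` line is anchored unevenly, and the "keep leading/trailing space" comment above it does not describe what happens. The unquoted `echo ${NOLOAD}` drops the outer spaces, so the pattern begins `attr-sql$` with no `^` and ends `^systime-fix` with no `$`. Any expected plugin whose name ends in `attr-sql` or starts with `systime-fix` is therefore silently excluded from the comparison, which weakens the check that the loaded plugin set matches what the packages ship. Anchoring the whole group once is clearer: `NOLOADR="^($(echo ${NOLOAD} | sed 's, ,|,g'))$"`, with the comment updated to match. The same hunk's `-e 's,.so$,,'` should escape the dot (`'s,\.so$,,'`).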
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies
+# Ryan Harper
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/lib/ipsec/charon {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability ipc_lock,
+ capability net_admin,
+ capability net_raw,
+
+ # allow priv dropping (LP: #1333655)
+ capability chown,
+ capability setgid,
+ capability setuid,
+
+ # libcharon-extra-plugins: xauth-pam
+ capability audit_write,
+
+ # libstrongswan-standard-plugins: agent
+ capability dac_override,
+
+ capability net_admin,
+ capability net_raw,
+
+ network,
+ network raw,
+
+ /bin/dash rmPUx,
+
+ # libchron-extra-plugins: kernel-libipsec
+ /dev/net/tun rw,
+
+ /etc/ipsec.conf r,
+ /etc/ipsec.secrets r,
+ /etc/ipsec.*.secrets r,
+ /etc/ipsec.d/ r,
+ /etc/ipsec.d/** r,
+ /etc/ipsec.d/crls/* rw,
+ /etc/opensc/opensc.conf r,
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+ /etc/tnc_config r,
+
+ /proc/sys/net/core/xfrm_acq_expires w,
+
+ /run/charon.* rw,
+ /run/pcscd/pcscd.comm rw,
+
+ /usr/lib/ipsec/charon rmix,
+ /usr/lib/ipsec/imcvs/ r,
+ /usr/lib/ipsec/imcvs/** rm,
+
+ /usr/lib/*/opensc-pkcs11.so rm,
+
+ /var/lib/strongswan/* r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff -Nru strongswan-5.3.5/debian/usr.lib.ipsec.lookip strongswan-5.3.5/debian/usr.lib.ipsec.lookip
--- strongswan-5.3.5/debian/usr.lib.ipsec.lookip 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/usr.lib.ipsec.lookip 2016-02-17 16:11:54.000000000 -0600
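Review bot: The rule `/bin/dash rmPUx,` in the charon profile is an exit from confinement: `PUx` falls back to unconfined execution when no profile for /bin/dash is loaded, and this diff does not add one. Anything the network-facing daemon runs through the shell then runs outside the policy, which undercuts the otherwise narrow file rules. If the shell is only needed for the updown helper (an inference from `usr/lib/ipsec/_updown` being shipped), a child-profile transition such as `/bin/dash Cx -> updown,` with a small `updown` profile would keep it confined. The rule also deserves a comment naming the plugin or script that needs it, as the capability lines have. Separately, `capability net_admin,` and `capability net_raw,` are listed twice, and the comment above `/dev/net/tun` misspells `libcharon`.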
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/lib/ipsec/lookip {
+ #include
+
+ /run/charon.lkp rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff -Nru strongswan-5.3.5/debian/usr.lib.ipsec.stroke strongswan-5.3.5/debian/usr.lib.ipsec.stroke
--- strongswan-5.3.5/debian/usr.lib.ipsec.stroke 1969-12-31 18:00:00.000000000 -0600
+++ strongswan-5.3.5/debian/usr.lib.ipsec.stroke 2016-02-17 16:11:54.000000000 -0600
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/lib/ipsec/stroke {
+ #include
+
+ capability dac_override,
+
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+
+ /run/charon.ctl rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
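Review bot: In the stroke profile, `capability dac_override,` is granted with no comment, unlike the annotated capabilities in usr.lib.ipsec.charon. It lets the control client ignore file permission bits on every path the profile allows, including the `/run/charon.ctl` control socket. If it is only there so stroke can reach that socket after charon drops privileges (an inference from the changelog's priv-dropping entries), record that in the profile, e.g. `# dac_override: open /run/charon.ctl owned by the strongswan user (confirm)`. Also consider fixing the socket's ownership or group instead, so the capability can be dropped.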