strongswan 5.8.1-1ubuntu1 source package in Ubuntu

Changelog

strongswan (5.8.1-1ubuntu1) focal; urgency=medium

  * Merge with Debian unstable (LP: #1852579). Remaining changes:
    - d/control: Transition from strongswan-tnc-* being in extra packages
      to libcharon-extra-plugins
  * Added Changes:
    - d/control: Transition from former Ubuntu only libcharon-standard-plugins
      to common libcharon-extauth-plugins (drop after 20.04)
    - d/control: strongswan-starter hard-depends on strongswan-charon,
      therefore bump the dependency from Recommends to Depends. At the same
      time avoid a circular dependency by dropping
      strongswan-charon->strongswan-starter from Depends to Recommends as the
      binaries can work without the services but not vice versa.
  * Dropped Changes (now in Debian):
    - Clean up d/strongswan-starter.postinst: section about runlevel changes
    - Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be see upstream issue #2160.
    - d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    - Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
      + d/control: List kernel-libipsec plugin at extra plugins description
      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    - d/control: Mention mgf1 plugin which is in libstrongswan now
    - Complete the disabling of libfast; This was partially accepted in Debian,
      it is no more packaging medcli and medsrv, but still builds and
      mentions it.
      + d/rules: Add --disable-fast to avoid build time and dependencies
      + d/control: Remove medcli, medsrv from package description
    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP 1786250)
    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP 1773956)
    - executables need to be able to read map and execute themselves otherwise
      execution in some environments e.g. containers is blocked (LP 1780534)
      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
      + d/usr.lib.ipsec.lookip: add rmix permission to lookip binary
    - d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
      profiles of both ways to start charon (LP 1807664)
    - d/usr.sbin.swanctl: add apparmor rule for af-alg plugin (LP 1807962)
    - We fixed up tpmtss and nttfft in the past, but tpmtss is now packaged in
      Debian so this part was be dropped. Two changes remain
      - d/control: fix the mentioning of tpmtss in d/control
    - apparmor fixes for container and root usage (LP 1826238)
      + d/usr.sbin.swanctl: allow reading own binary
      + d/usr.sbin.charon-systemd: allow accessing the binary
      + d/usr.sbin.swanctl: add attach_disconnected to work inside containers
      + d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP
        to apparmor to allow dropping caps
  * Dropped Changes (too uncommon to support by default)
    - d/libstrongswan.install: Add kernel-netlink configuration files
    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
      attr-sql plugins (LP 1766240) - no more needed as itisn't enabled.
    - Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention addtionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)
      + d/strongswan-starter.install: Install pool feature, which is useful
        since we now have attr-sql plugin enabled it.
    - Enable additional TNC plugins and add them to libcharon-extra-plugins

strongswan (5.8.1-1) unstable; urgency=medium

  * d/rules: disable http and stream tests under CI
  * New upstream version 5.8.1

strongswan (5.8.0-2) unstable; urgency=medium

  [ Christian Ehrhardt ]
  * d/control: Mention mgf1 plugin which is in libstrongswan now
  * Complete the disabling of libfast
  * Clean up d/strongswan-starter.postinst: section about runlevel changes
  * Clean up d/strongswan-starter.postinst: opportunistic encryption
  * Enable kernel-libipsec for use of strongswan in containers
  * d/control, d/libcharon-{extras,extauth}-plugins.install: Add
    extauth-plugins package (Recommends)
  * apparmor: d/usr.lib.ipsec.charon: sync notify rule from charon-systemd
  * apparmor: fix apparmor denies reading the own FDs (LP: 1786250)
  * apparmor: d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin
    (LP: 1773956)
  * apparmor: d/usr.lib.ipsec.stroke: executables need to be able to read map
    and execute themselves
  * apparmor: d/usr.lib.ipsec.lookip: executables need to be able to read map
    and execute themselves
  * apparmor: d/usr.sbin.swanctl: add apparmor rule for af-alg plugin
    (LP: 1807962)
  * d/control: libtpmtss is actually packaged in libstrongswan-extra-plugins

  [ Ryan Harper ]
  * Remove code related to unused debconf managed config

  [ Yves-Alexis Perez ]
  * ship xfrmi only on Linux, fix FTBFS on kfreebsd
  * d/libcharon-extra-plugins.install: drop plugins disabled in Debian
  * d/control: update standards version to 4.4.1
  * d/strongswan-starter.templates: drop runlevel_changes
  * let dh_installinit handle update-rc.d calls
  * d/salsa-ci.yml: add a salsa pipeline config
  * d/rules: drop dbgsym migration
  * strongswan-starter: update line number in lintian override

strongswan (5.8.0-1) unstable; urgency=medium

  [ Christian Ehrhardt ]
  * Fix fails in debian CI (Closes: #926479)

  [ Simon Deziel ]
  * d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: add CAP_SETPCAP to
    apparmor to allow dropping caps
  * d/usr.sbin.swanctl: add attach_disconnected to work inside containers
  * d/usr.sbin.charon-systemd: allow accessing the binary
  * d/usr.sbin.swanctl: allow reading own binary

  [ Yves-Alexis Perez ]
  * New upstream version 5.8.0
  * d/control: update standards version to 4.4.0
  * use debhelper-compat b-d for dh compat level
  * d/control: bump dh compat level to 11
  * d/rules: drop systemd addon, useless in compat 11
  * strongswan-libcharon: install xfrmi binary
  * d/patches refreshed for new upstream release
  * handle renaming of systemd service files
  * d/control: remove obsolete breaks/replaces

 -- Christian Ehrhardt <email address hidden>  Thu, 14 Nov 2019 15:00:15 +0100

Upload details

Uploaded by:
Christian Ehrhardt  on 2019-11-19
Uploaded to:
Focal
Original maintainer:
Ubuntu Developers
Architectures:
any all
Section:
net
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section
Focal release on 2019-11-21 main net

Downloads

File Size SHA-256 Checksum
strongswan_5.8.1.orig.tar.bz2 4.3 MiB d9af70acea5c054952ad1584916c1bf231b064eb6c8a9791dcb6ae90a769990c
strongswan_5.8.1-1ubuntu1.debian.tar.xz 123.0 KiB 90abf941fbe039ba72cc8f67644a9304bd50b403e2166147aed7baf5a1660fdd
strongswan_5.8.1-1ubuntu1.dsc 3.8 KiB 7782ad53b453408b74fd23045d100ad8cb73771febc3c3e2734e032c8ac8f6e4

Available diffs

View changes file

Binary packages built by this source

charon-cmd: standalone IPsec client

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package contains the charon-cmd command, which can be used as a client to
 connect to a remote IKE daemon.

charon-cmd-dbgsym: debug symbols for charon-cmd
charon-systemd: strongSwan IPsec client, systemd support

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package contains the charon-systemd files.

charon-systemd-dbgsym: debug symbols for charon-systemd
libcharon-extauth-plugins: strongSwan charon library (extended authentication plugins)

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package provides extended authentication plugins for the charon library:
  - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
    Used for client side to connect to some VPN concentrators configured for
    Windows 7+ and modern OSX/iOS using IKEv2 (identify with public key,
    authenticate with MSCHAPv2).
  - xauth-generic (Generic XAuth backend that provides passwords from
    ipsec.secrets and other credential sets)
    Used for the client side to connect to VPN concentrators configured for
    Android and older OSX/iOS using IKEv1 and XAUTH (identify with public key,
    authenticate with XAUTH password).
 .
 These are the "not always, but still more commonly used" plugins, for further
 needs even more plugins can be found in the package libcharon-extra-plugins.

libcharon-extauth-plugins-dbgsym: debug symbols for libcharon-extauth-plugins
libcharon-extra-plugins: strongSwan charon library (extra plugins)

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package provides extra plugins for the charon library:
  - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509
    certificates)
  - certexpire (Export expiration dates of used certificates)
  - eap-aka (Generic EAP-AKA protocol handler using different backends)
  - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends)
  - eap-identity (EAP-Identity identity exchange algorithm, to use with other
    EAP protocols)
  - eap-md5 (EAP-MD5 protocol handler using passwords)
  - eap-radius (EAP server proxy plugin forwarding EAP conversations to a
    RADIUS server)
  - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
    EAP)
  - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel)
  - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
  - error-notify (Notification about errors via UNIX socket)
  - ha (High-Availability clustering)
  - kernel-libipsec (Userspace IPsec Backend with TUN devices)
  - led (Let Linux LED subsystem LEDs blink on IKE activity)
  - lookip (Virtual IP lookup facility using a UNIX socket)
  - tnc (Trusted Network Connect)
  - unity (Cisco Unity extensions for IKEv1)
  - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
  - xauth-pam (XAuth backend that uses PAM modules to verify passwords)

libcharon-extra-plugins-dbgsym: debug symbols for libcharon-extra-plugins
libcharon-standard-plugins: transitional package

 This is a transitional package. It can safely be removed.

libstrongswan: strongSwan utility and crypto library

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package provides the underlying libraries of charon and other strongSwan
 components. It is built in a modular way and is extendable through various
 plugins.
 .
 Some default (as specified by the strongSwan projet) plugins are included.
 For libstrongswan (cryptographic backends, URI fetchers and database layers):
  - aes (AES-128/192/256 cipher software implementation)
  - constraints (X.509 certificate advanced constraint checking)
  - dnskey (Parse RFC 4034 public keys)
  - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms)
  - gmp (RSA/DH crypto backend based on libgmp)
  - hmac (HMAC wrapper using various hashers)
  - md5 (MD5 hasher software implementation)
  - mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512)
  - nonce (Default nonce generation plugin)
  - pem (PEM encoding/decoding routines)
  - pgp (PGP encoding/decoding routines)
  - pkcs1 (PKCS#1 encoding/decoding routines)
  - pkcs8 (PKCS#8 decoding routines)
  - pkcs12 (PKCS#12 decoding routines)
  - pubkey (Wrapper to handle raw public keys as trusted certificates)
  - random (RNG reading from /dev/[u]random)
  - rc2 (RC2 cipher software implementation)
  - revocation (X.509 CRL/OCSP revocation checking)
  - sha1 (SHA1 hasher software implementation)
  - sha2 (SHA256/SHA384/SHA512 hasher software implementation)
  - sshkey (SSH key decoding routines)
  - x509 (Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs
    and OCSP messages)
  - xcbc (XCBC wrapper using various ciphers)
  - attr (Provides IKE attributes configured in strongswan.conf)
  - kernel-netlink [linux] (IPsec/Networking kernel interface using Linux
    Netlink)
  - kernel-pfkey [kfreebsd] (IPsec kernel interface using PF_KEY)
  - kernel-pfroute [kfreebsd] (Networking kernel interface using PF_ROUTE)
  - resolve (Writes name servers received via IKE to a resolv.conf file or
    installs them via resolvconf(8))

libstrongswan-dbgsym: debug symbols for libstrongswan
libstrongswan-extra-plugins: strongSwan utility and crypto library (extra plugins)

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package provides extra plugins for the strongSwan utility and
 cryptographic library.
 .
 Included plugins are:
  - af-alg [linux] (AF_ALG Linux crypto API interface, provides
    ciphers/hashers/hmac/xcbc)
  - ccm (CCM cipher mode wrapper)
  - cmac (CMAC cipher mode wrapper)
  - ctr (CTR cipher mode wrapper)
  - curl (libcurl based HTTP/FTP fetcher)
  - curve25519 (support for Diffie-Hellman group 31 using Curve25519 and
    support for the Ed25519 digital signature algorithm for IKEv2)
  - gcrypt (Crypto backend based on libgcrypt, provides
    RSA/DH/ciphers/hashers/rng)
  - ldap (LDAP fetching plugin based on libldap)
  - padlock (VIA padlock crypto backend, provides AES128/SHA1)
  - pkcs11 (PKCS#11 smartcard backend)
  - rdrand (High quality / high performance random source using the Intel
    rdrand instruction found on Ivy Bridge processors)
  - test-vectors (Set of test vectors for various algorithms)
 .
 Also included is the libtpmtss library adding support for TPM plugin
 (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)

libstrongswan-extra-plugins-dbgsym: debug symbols for libstrongswan-extra-plugins
libstrongswan-standard-plugins: strongSwan utility and crypto library (standard plugins)

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package provides some common plugins for the strongSwan utility and
 cryptograhic library.
 .
 Included plugins are:
  - agent (RSA/ECDSA private key backend connecting to SSH-Agent)
  - gcm (GCM cipher mode wrapper)
  - openssl (Crypto backend based on OpenSSL, provides
    RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG)

libstrongswan-standard-plugins-dbgsym: debug symbols for libstrongswan-standard-plugins
strongswan: IPsec VPN solution metapackage

 The strongSwan VPN suite uses the native IPsec stack in the standard Linux
 kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This metapackage installs the packages required to maintain IKEv1 and IKEv2
 connections via ipsec.conf or ipsec.secrets.

strongswan-charon: strongSwan Internet Key Exchange daemon

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 charon is an IPsec IKEv2 daemon which can act as an initiator or a responder.
 It is written from scratch using a fully multi-threaded design and a modular
 architecture. Various plugins can provide additional functionality.

strongswan-charon-dbgsym: debug symbols for strongswan-charon
strongswan-libcharon: strongSwan charon library

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package contains the charon library, used by IKE client like
 strongswan-charon, strongswan-charon-cmd or strongswan-nm as well as standard
 plugins:
   - socket-default
   - counters
   - bypass-lan (disabled by default)
 .
 On Linux, it also contains the xfrmi binary which can be used on Linux 4.19+
 to create XFRM interfaces (for more information, see
 https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN)

strongswan-libcharon-dbgsym: debug symbols for strongswan-libcharon
strongswan-nm: strongSwan plugin to interact with NetworkManager

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This plugin provides an interface which allows NetworkManager to configure
 and control the IKEv2 daemon directly through D-Bus. It is designed to work
 in conjunction with the network-manager-strongswan package, providing
 a simple graphical frontend to configure IPsec based VPNs.

strongswan-nm-dbgsym: debug symbols for strongswan-nm
strongswan-pki: strongSwan IPsec client, pki command

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package contains the pki tool which allows on to run a simple public key
 infrastructure.

strongswan-pki-dbgsym: debug symbols for strongswan-pki
strongswan-scepclient: strongSwan IPsec client, SCEP client

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package contains the SCEP client, an implementation of the Cisco System's
 Simple Certificate Enrollment Protocol (SCEP).

strongswan-scepclient-dbgsym: debug symbols for strongswan-scepclient
strongswan-starter: strongSwan daemon starter and configuration file parser

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 The starter and the associated "ipsec" script control the charon daemon from
 the command line. It parses ipsec.conf and loads the configurations to the
 daemon.

strongswan-starter-dbgsym: debug symbols for strongswan-starter
strongswan-swanctl: strongSwan IPsec client, swanctl command

 The strongSwan VPN suite uses the native IPsec stack in the standard
 Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
 .
 This package contains the swanctl interface, used to configure a running
 charon daemon

strongswan-swanctl-dbgsym: debug symbols for strongswan-swanctl
strongswan-tnc-base: transitional package

 This is a transitional package. It can safely be removed.

strongswan-tnc-client: transitional package

 This is a transitional package. It can safely be removed.

strongswan-tnc-ifmap: transitional package

 This is a transitional package. It can safely be removed.

strongswan-tnc-pdp: transitional package

 This is a transitional package. It can safely be removed.

strongswan-tnc-server: transitional package

 This is a transitional package. It can safely be removed.