Android.common.mk

@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.7.1"
+strongswan_VERSION := "5.7.2"
 

ChangeLog

 A summary of changes is available in the NEWS file. For a more
-detailed Changelog, use the repository (see HACKING) or the
-online interface available at http://git.strongswan.org.
+detailed Changelog, refer to the completed versions on the project's roadmap
+(https://wiki.strongswan.org/projects/strongswan/roadmap) or use the Git
+repository (see HACKING) or its web interface available at
+https://git.strongswan.org.

Doxyfile.in

@@ -1789,18 +1789,6 @@ GENERATE_XML           = NO
 
 XML_OUTPUT             = xml
 
-# The XML_SCHEMA tag can be used to specify a XML schema, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_SCHEMA             =
-
-# The XML_DTD tag can be used to specify a XML DTD, which can be used by a
-# validating XML parser to check the syntax of the XML files.
-# This tag requires that the tag GENERATE_XML is set to YES.
-
-XML_DTD                =
-
 # If the XML_PROGRAMLISTING tag is set to YES doxygen will dump the program
 # listings (including syntax highlighting and cross-referencing information) to
 # the XML output. Note that enabling this will significantly increase the size

Makefile.am

@@ -24,6 +24,11 @@ config_includedir = $(ipseclibdir)/include
 nodist_config_include_HEADERS = config.h
 endif
 
+# we can't (and shouldn't) install/uninstall system files during make distcheck,
+# so override the autodetected path for systemd units
+AM_DISTCHECK_CONFIGURE_FLAGS = \
+	--with-systemdsystemunitdir='$$(prefix)/lib/systemd/system'
+
 # we leave config files behind intentionally so prevent distcheck from complaining
 distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print
 

Makefile.in

@@ -492,6 +492,12 @@ MAINTAINERCLEANFILES = Android.common.mk
 @USE_DEV_HEADERS_TRUE@config_includedir = $(ipseclibdir)/include
 @USE_DEV_HEADERS_TRUE@nodist_config_include_HEADERS = config.h
 
+# we can't (and shouldn't) install/uninstall system files during make distcheck,
+# so override the autodetected path for systemd units
+AM_DISTCHECK_CONFIGURE_FLAGS = \
+	--with-systemdsystemunitdir='$$(prefix)/lib/systemd/system'
+
+
 # we leave config files behind intentionally so prevent distcheck from complaining
 distuninstallcheck_listfiles = find . -type f \! -name '*.conf' \! -name '*.secrets' -print
 all: $(BUILT_SOURCES) config.h

NEWS

+strongswan-5.7.2
+----------------
+
+- Private key implementations may optionally provide a list of supported
+  signature schemes, which is used by the tpm plugin because for each key on a
+  TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
+
+- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt
+  length (as defined by the length of the key and hash).  However, if the TPM is
+  FIPS-168-4 compliant, the salt length equals the hash length.  This is assumed
+  for FIPS-140-2 compliant TPMs, but if that's not the case, it might be
+  necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't
+  use the maximum salt length.
+
+- swanctl now accesses directories for credentials relative to swanctl.conf, in
+  particular, when it's loaded from a custom location via --file argument.  The
+  base directory that's used if --file is not given is configurable at runtime
+  via SWANCTL_DIR environment variable.
+
+- With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to
+  Access-Request messages, simplifying associating database entries for IP
+  leases and accounting with sessions.
+
+- IPs assigned by RADIUS servers are included in Accounting-Stop even if clients
+  don't claim them, allowing releasing them early on connection errors.
+
+- Selectors installed on transport mode SAs by the kernel-netlink plugin are
+  updated on IP address changes (e.g. via MOBIKE).
+
+- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin.
+  For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature
+  authentication has to be disabled via charon.signature_authentication.
+
+- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
+
+- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys
+  and signatures when built against OpenSSL 1.1.1.
+
+- Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
+
+- The mysql plugin now properly handles database connections with transactions
+  under heavy load.
+
+- IP addresses in HA pools are now distributed evenly among all segments.
+
+- On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly
+  from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by
+  the plugin, e.g. for compatibility with if_ipsec(4) VTIs.
+
+
 strongswan-5.7.1
 ----------------
 
@@ -1031,7 +1081,7 @@ strongswan-5.0.3
   charon-tkm does not result in the compromise of cryptographic keys.
   The extracted functionality has been implemented from scratch in a minimal TCB
   (trusted computing base) in the Ada programming language. Further information
-  can be found at http://www.codelabs.ch/tkm/.
+  can be found at https://www.codelabs.ch/tkm/.
 
 strongswan-5.0.2
 ----------------
@@ -1169,7 +1219,7 @@ strongswan-5.0.0
   pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
   RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
   mode. Information for interoperability and migration is available at
-  http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
+  https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
 
 - Charon's bus_t has been refactored so that loggers and other listeners are
   now handled separately.  The single lock was previously cause for deadlocks
@@ -1600,7 +1650,7 @@ strongswan-4.4.0
 - The IKEv2 High Availability plugin has been integrated. It provides
   load sharing and failover capabilities in a cluster of currently two nodes,
   based on an extend ClusterIP kernel module. More information is available at
-  http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
+  https://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
   The development of the High Availability functionality was sponsored by
   secunet Security Networks AG.
 
@@ -2308,7 +2358,7 @@ strongswan-4.1.7
 
 - Preview of strongSwan Manager, a web based configuration and monitoring
   application. It uses a new XML control interface to query the IKEv2 daemon
-  (see http://wiki.strongswan.org/wiki/Manager).
+  (see https://wiki.strongswan.org/wiki/Manager).
 
 - Experimental SQLite configuration backend which will provide the configuration
   interface for strongSwan Manager in future releases.

README

@@ -9,7 +9,7 @@ which uses the modern [**vici**](src/libcharon/plugins/vici/README.md) *Versatil
 IKE Configuration Interface*. The deprecated **ipsec** command using the legacy
 **stroke** configuration interface is described [**here**](README_LEGACY.md).
 For more detailed information consult the man pages and
-[**our wiki**](http://wiki.strongswan.org).
+[**our wiki**](https://wiki.strongswan.org).
 
 
 ## Quickstart ##

TODO

@@ -4,5 +4,5 @@
 
 A roadmap of the strongSwan project is available online at:
 
-        http://wiki.strongswan.org/projects/strongswan/roadmap
+        https://wiki.strongswan.org/projects/strongswan/roadmap
 

conf/plugins/tpm.conf

 tpm {
 
+    # Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
+    # salt length instead of maximum salt length with RSAPSS padding.
+    # fips_186_4 = no
+
     # Whether to load the plugin. Can also be an integer to increase the
     # priority of this plugin.
     load = yes

conf/plugins/tpm.opt

 charon.plugins.tpm.use_rng = no
 	Whether the TPM should be used as RNG.
 
+charon.plugins.tpm.fips_186_4 = no
+	Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
+	salt length instead of maximum salt length with RSAPSS padding.
+
 charon.plugins.tpm.tcti.name = device|tabrmd
 	Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_.
 	Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager

conf/strongswan.conf.5.main

@@ -1684,6 +1684,11 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set.
 .BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]"
 Send a PB\-TNC batch with a modified PB\-TNC version.
 
+.TP
+.BR charon.plugins.tpm.fips_186_4 " [no]"
+Is the TPM 2.0 FIPS\-186\-4 compliant, forcing e.g. the use of the default salt
+length instead of maximum salt length with RSAPSS padding.
+
 .TP
 .BR charon.plugins.tpm.tcti.name " [device|tabrmd]"
 Name of TPM 2.0 TCTI library. Valid values:

configure

 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.7.1.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.7.2.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.7.1'
-PACKAGE_STRING='strongSwan 5.7.1'
+PACKAGE_VERSION='5.7.2'
+PACKAGE_STRING='strongSwan 5.7.2'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
@@ -2108,7 +2108,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.7.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.7.2 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -2179,7 +2179,7 @@ fi
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.7.1:";;
+     short | recursive ) echo "Configuration of strongSwan 5.7.2:";;
    esac
   cat <<\_ACEOF
@@ -2666,7 +2666,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.7.1
+strongSwan configure 5.7.2
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3188,7 +3188,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by strongSwan $as_me 5.7.1, which was
+It was created by strongSwan $as_me 5.7.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   $ $0 $@
@@ -4051,7 +4051,7 @@ fi
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.7.1'
+ VERSION='5.7.2'
 cat >>confdefs.h <<_ACEOF
@@ -23080,6 +23080,9 @@ $as_echo "$as_me: fuzz targets enabled without libFuzzer, using local driver" >&
 	else
 		# required for libFuzzer
 		FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++"
+		if test "$SANITIZER" = "coverage"; then
+			FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm"
+		fi
 	fi
 fi
@@ -27550,7 +27553,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.7.1, which was
+This file was extended by strongSwan $as_me 5.7.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
   CONFIG_FILES    = $CONFIG_FILES
@@ -27616,7 +27619,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.7.1
+strongSwan config.status 5.7.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"

configure.ac

@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.7.1])
+AC_INIT([strongSwan],[5.7.2])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -1292,6 +1292,9 @@ if test x$fuzzing = xtrue; then
 	else
 		# required for libFuzzer
 		FUZZING_LDFLAGS="-stdlib=libc++ -lstdc++"
+		if test "$SANITIZER" = "coverage"; then
+			FUZZING_LDFLAGS="$FUZZING_LDFLAGS -lm"
+		fi
 		AC_SUBST(FUZZING_LDFLAGS)
 	fi
 fi

debian/changelog

+strongswan (5.7.2-1) unstable; urgency=medium
+
+  * d/control: remove Rene from Uploaders, thanks!
+  * d/copyright: fix typos
+  * d/watch: use HTTPS protocol
+  * d/control: update standards version to 4.2.1
+  * drop unused debconf template
+  * use a clean export for upstream signing key
+  * d/copyright update
+  * New upstream version 5.7.2
+  * d/copyright updated
+  * d/control: update standards version to 4.3.0
+  * d/libstrongswan.dirs: drop lintian overrides dir
+  * d/u/signing-key.asc: strip signatures from upstream signing key
+  * d/patches: import patches in gbp pq
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Wed, 02 Jan 2019 13:02:11 +0100
+
 strongswan (5.7.1-1) unstable; urgency=medium
 
   [ Ondřej Nový ]

debian/control

@@ -2,9 +2,8 @@ Source: strongswan
 Section: net
 Priority: optional
 Maintainer: strongSwan Maintainers <pkg-swan-devel@lists.alioth.debian.org>
-Uploaders: Rene Mayrhofer <rmayr@debian.org>,
-           Yves-Alexis Perez <corsac@debian.org>
-Standards-Version: 4.1.2
+Uploaders: Yves-Alexis Perez <corsac@debian.org>
+Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/debian/strongswan
 Vcs-Git: https://salsa.debian.org/debian/strongswan.git
 Build-Depends: bison,

debian/copyright

@@ -2,9 +2,12 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: strongswan
 Upstream-Contact: http://strongswan.org/
 Source: http://strongswan.org/
+License: GPL-2+ with OpenSSL exception
+Copyright: Martin Willi, Tobias Brunner, Andreas Steffen
 
-Files: *
-Copyright: 2005-2011, Martin Willi
+Files: debian/*
+Copyright: 2006-2011 Rene Mayrhofer <rene@mayrhofer.eu.org>,
+  2012-2018 Yves-Alexis Perez <corsac@debian.org>
 License: GPL-2+
 
 Files: conf/*
@@ -15,9 +18,26 @@ Files: ltmain.sh
 Copyright: 1996-2001, 2003-2005, 2006
 License: GPL-2+
 
-Files: scripts/aes-test.c
+Files: scripts/bin2array.c
+ scripts/bin2sql.c
+ scripts/dh_speed.c
+ scripts/id2sql.c
+ scripts/key2keyid.c
+ scripts/pubkey_speed.c
+Copyright: 2008, Martin Willi
+  2008-2009, Martin Willi
+  2009, Martin Willi
+License: GPL-2+
+
+
+Files: conf/format-options.py
+ fuzz/libFuzzerLocal.c
+ scripts/aes-test.c
  scripts/settings-test.c
-Copyright: 2007-2015, Tobias Brunner
+Copyright: 2013, Tobias Brunner
+  2014-2017, Tobias Brunner
+  2014-2018, Tobias Brunner
+  2017, Tobias Brunner
 License: GPL-2+
 
 Files: scripts/crypt_burn.c
@@ -25,8 +45,10 @@ Files: scripts/crypt_burn.c
  scripts/hash_burn.c
  scripts/oid2der.c
  scripts/tls_test.c
-Copyright: 2010-2015, revosec AG
-  2006-2015, Martin Willi
+Copyright: 2010, Martin Willi
+  2010, revosec AG
+  2012, Martin Willi
+  2012, revosec AG
 License: GPL-2+
 
 Files: scripts/dnssec.c
@@ -141,41 +163,6 @@ Copyright: 2012, achelos GmbH
   2010, Martin Willi
 License: Expat and GPL-2+
 
-Files: src/dumm/*
-Copyright: 2007-2015, Tobias Brunner
-  2005-2013, Martin Willi
-License: GPL-2+
-
-Files: src/dumm/bridge.c
-  src/dumm/bridge.h
-  src/dumm/iface.h
-  src/dumm/irdumm.c
-  src/dumm/main.c
-  src/dumm/mconsole.h
-Copyright: 2005-2011, Martin Willi
-License: GPL-2+
-
-Files: src/dumm/cowfs.c
-Copyright: 2009, Tobias Brunner
-  2007, Martin Willi
-  2001-2007, Miklos Szeredi
-License: GPL-2+
-
-Files: src/dumm/ext/lib/*
-Copyright: 2007-2015, Tobias Brunner
-License: GPL-2+
-
-Files: src/dumm/iface.c
-Copyright: 2008, Tobias Brunner
-  2007, Martin Willi
-  2002, Jeff Dike
-License: GPL-2+
-
-Files: src/dumm/mconsole.c
-Copyright: 2007, Martin Willi
-  2001-2004, Jeff Dike
-License: GPL-2+
-
 Files: src/include/*
 Copyright: *No copyright*
 License: GPL-2+
@@ -190,7 +177,7 @@ License: GPL-2+
 
 Files: src/include/sys/*
 Copyright: 1991, 1993
-License: BSD-3-clause
+License: BSD-3
 
 Files: src/libcharon/attributes/attributes.c
   src/libcharon/attributes/attributes.h
@@ -225,7 +212,6 @@ License: GPL-2+
 Files: src/libcharon/config/backend.h
   src/libcharon/config/backend_manager.c
   src/libcharon/config/backend_manager.h
-  src/libcharon/config/proposal.h
 Copyright: 2005-2011, Martin Willi
 License: GPL-2+
 
@@ -234,11 +220,6 @@ Copyright: 2005-2009, Martin Willi
   2005, Jan Hutter
 License: GPL-2+
 
-Files: src/libcharon/config/proposal.c
-Copyright: 2007-2015, Tobias Brunner
-  2005-2013, Martin Willi
-License: GPL-2+
-
 Files: src/libcharon/control/controller.c
 Copyright: 2010-2014, revosec AG
   2009-2014, Tobias Brunner
@@ -626,10 +607,6 @@ Copyright: 2010-2015, revosec AG
   2006-2015, Martin Willi
 License: GPL-2+
 
-Files: src/libcharon/plugins/maemo/*
-Copyright: 2007-2015, Tobias Brunner
-License: GPL-2+
-
 Files: src/libcharon/plugins/medcli/*
 Copyright: 2005-2011, Martin Willi
 License: GPL-2+
@@ -1144,10 +1121,6 @@ Files: src/libimcv/plugins/imc_scanner/imc_scanner_state.h
 Copyright: 2010, 2011, 2013, Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
 License: GPL-2+
 
-Files: src/libimcv/plugins/imc_swid/imc_swid_state.h
-Copyright: 2010, 2011, 2013, Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
-License: GPL-2+
-
 Files: src/libimcv/plugins/imc_test/imc_test_state.h
 Copyright: 2010, 2011, 2013, Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
 License: GPL-2+
@@ -1211,11 +1184,6 @@ Files: src/libimcv/pts/pts_dh_group.c
   src/libimcv/pts/pts_file_type.h
   src/libimcv/pts/pts_proto_caps.h
   src/libimcv/pts/pts_req_func_comp_evid.h
-  src/libimcv/pts/pts_simple_evid_final.h
-Copyright: 2010, 2011, Sansar Choinyambuu
-License: GPL-2+
-
-Files: src/libimcv/swid/swid_error.c
 Copyright: 2010, 2011, Sansar Choinyambuu
 License: GPL-2+
 
@@ -1272,10 +1240,6 @@ Files: src/libradius/radius_mppe.h
 Copyright: 2001-2015, Andreas Steffen
 License: GPL-2+
 
-Files: src/libstrongswan/AndroidConfigLocal.h
-Copyright: 2007-2015, Tobias Brunner
-License: GPL-2+
-
 Files: src/libstrongswan/asn1/*
 Copyright: 2006, Martin Will
   2000-2008, Andreas Steffen
@@ -1449,10 +1413,6 @@ Files: src/libstrongswan/crypto/iv/*
 Copyright: 2007-2015, Tobias Brunner
 License: GPL-2+
 
-Files: src/libstrongswan/crypto/mgf1/*
-Copyright: 2001-2015, Andreas Steffen
-License: GPL-2+
-
 Files: src/libstrongswan/crypto/nonce_gen.h
 Copyright: 2012, Adrian-Ken Rueegsegger
 License: GPL-2+
@@ -2614,7 +2574,7 @@ License: BSD-3-clause
 
 License: BSD-Young
  This library is free for commercial and non-commercial use as long as
- the following conditions are aheared to.  The following conditions
+ the following conditions are adhered to.  The following conditions
  apply to all code found in this distribution, be it the RC4, RSA,
  lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  included with this distribution is covered by the same copyright terms
@@ -2639,7 +2599,7 @@ License: BSD-Young
     must display the following acknowledgement:
     "This product includes cryptographic software written by
      Eric Young (eay@cryptsoft.com)"
-    The word 'cryptographic' can be left out if the rouines from the library
+    The word 'cryptographic' can be left out if the routines from the library
     being used are not cryptographic related :-).
  4. If you include any Windows specific code (or a derivative thereof) from
     the apps directory (application code) you must include an acknowledgement:
@@ -2660,7 +2620,7 @@ License: BSD-Young
  The licence and distribution terms for any publically available version or
  derivative of this code cannot be changed.  i.e. this code cannot simply be
  copied and put under another distribution licence
- [including the GNU Public Licence.]
+ [including the GNU General Public License.]
 
 License: Expat
  Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -2692,49 +2652,46 @@ License: GPL-2+
  `/usr/share/common-licenses/GPL-2'.
 
 License: GPL-2+ with OpenSSL exception
- This program is free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later
+ This program is free software; you can redistribute it and/or modify it under
+ the terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 2 of the License, or (at your option) any later
  version.
  .
- In addition, as a special exception, the author of this
- program gives permission to link the code of its
- release with the OpenSSL project's "OpenSSL" library (or
- with modified versions of it that use the same license as
- the "OpenSSL" library), and distribute the linked
- executables. You must obey the GNU General Public
- License in all respects for all of the code used other
- than "OpenSSL".  If you modify this file, you may extend
- this exception to your version of the file, but you are
- not obligated to do so.  If you do not wish to do so,
- delete this exception statement from your version.
+ This program is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
  .
- This program is distributed in the hope that it will be
- useful, but WITHOUT ANY WARRANTY; without even the implied
- warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- PURPOSE.  See the GNU General Public License for more
- details.
+ You should have received a copy of the GNU General Public License along with
+ this program; if not, see <http://www.gnu.org/licenses>.
  .
- You should have received a copy of the GNU General Public
- License along with this package; if not, write to the Free
- Software Foundation, Inc., 51 Franklin St, Fifth Floor,
- Boston, MA  02110-1301 USA
+ Linking strongSwan statically or dynamically with other modules is making a
+ combined work based on strongSwan. Thus, the terms and conditions of the GNU
+ General Public License cover the whole combination.
  .
- On Debian systems, the full text of the GNU General Public
- License version 2 can be found in the file
- `/usr/share/common-licenses/GPL-2'.
+ In addition, as a special exception, the copyright holders of strongSwan give
+ you permission to combine strongSwan with free software programs or libraries
+ that are released under the GNU LGPL and with code included in the standard
+ release of the OpenSSL project's OpenSSL library under the OpenSSL or SSLeay
+ licenses (or modified versions of such code, with unchanged license). You may
+ copy and distribute such a system following the terms of the GNU GPL for
+ strongSwan and the licenses of the other code concerned, provided that you
+ include the source code of that other code when and as the GNU GPL requires
+ distribution of source code.
+ .
+ Note that people who make modified versions of strongSwan are not obligated to
+ grant this special exception for their modified versions; it is their choice
+ whether to do so. The GNU General Public License gives permission to release a
+ modified version without this exception; this exception also makes it possible
+ to release a modified version which carries forward this exception.
+ .
+ On Debian systems, the full text of the GNU General Public License version 2
+ can be found in the file `/usr/share/common-licenses/GPL-2'.
 
 License: GPL-3+
  On Debian systems, the complete text of the GNU General
  Public License version 3 can be found in
  `/usr/share/common-licenses/GPL-3'.
 
-License: LGPL-2+
- On Debian systems, the complete text of the Lesser GNU
- General Public License version 2 can be found in
- `/usr/share/common-licenses/LGPL-2'.
-
 License: MIT
  This file is free software; as a special exception the author gives
  unlimited permission to copy and/or distribute it, with or without

debian/libstrongswan.dirs

@@ -3,4 +3,3 @@
 /etc/logcheck/ignore.d.workstation
 /etc/logcheck/violations.ignore.d
 /usr/lib/ipsec/plugins
-/usr/share/lintian/overrides

debian/patches/01_fix-manpages.patch

+From: Yves-Alexis Perez <corsac@debian.org>
+Date: Wed, 2 Jan 2019 11:35:11 +0100
+Subject: Fix typo in ipsec-scepclient(8) manpage name
+
+---
+ src/scepclient/scepclient.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
+index 78ce5c6..1267364 100644
 --- a/src/scepclient/scepclient.8
 +++ b/src/scepclient/scepclient.8
 @@ -1,7 +1,7 @@

debian/patches/02_disable-bypass-lan.patch

+From: Yves-Alexis Perez <corsac@debian.org>
+Date: Wed, 2 Jan 2019 11:35:52 +0100
+Subject: Don't load bypass-lan plugin by default
+
+---
+ conf/plugins/bypass-lan.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
 diff --git a/conf/plugins/bypass-lan.conf b/conf/plugins/bypass-lan.conf
-index ad496db67..e470ce68e 100644
+index ad496db..e470ce6 100644
 --- a/conf/plugins/bypass-lan.conf
 +++ b/conf/plugins/bypass-lan.conf
 @@ -11,7 +11,7 @@ bypass-lan {

debian/patches/03_systemd-service.patch

-diff --git a/debian/patches/03_systemd-service.patch b/debian/patches/03_systemd-service.patch
+From: Romain Francoise <rfrancoise@debian.org>
+Date: Wed, 2 Jan 2019 11:37:27 +0100
+Subject: Tune the ipsec systemd service file
+
+- add a reload argument
+- don't wait on syslog
+---
+ init/systemd/strongswan.service.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
 diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in
-index 474284a19..8060d1ea2 100644
+index 474284a..8060d1e 100644
 --- a/init/systemd/strongswan.service.in
 +++ b/init/systemd/strongswan.service.in
 @@ -1,9 +1,10 @@