debian/control

@@ -65,6 +65,7 @@ Description: strongSwan utility and crypto library
   - gmp (RSA/DH crypto backend based on libgmp)
   - hmac (HMAC wrapper using various hashers)
   - md5 (MD5 hasher software implementation)
+  - mgf1 (Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512)
   - nonce (Default nonce generation plugin)
   - pem (PEM encoding/decoding routines)
   - pgp (PGP encoding/decoding routines)
@@ -88,9 +89,6 @@ Description: strongSwan utility and crypto library
   - kernel-pfroute [kfreebsd] (Networking kernel interface using PF_ROUTE)
   - resolve (Writes name servers received via IKE to a resolv.conf file or
     installs them via resolvconf(8))
- .
- Also included is the libtpmtss library adding support for TPM plugin
- (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
 
 Package: libstrongswan-standard-plugins
 Architecture: any
@@ -141,6 +139,34 @@ Description: strongSwan utility and crypto library (extra plugins)
   - rdrand (High quality / high performance random source using the Intel
     rdrand instruction found on Ivy Bridge processors)
   - test-vectors (Set of test vectors for various algorithms)
+ .
+ Also included is the libtpmtss library adding support for TPM plugin
+ (https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin)
+
+Package: libcharon-extauth-plugins
+Architecture: any
+Depends: libstrongswan (= ${binary:Version}),
+         ${misc:Depends},
+         ${shlibs:Depends}
+Breaks: libcharon-extra-plugins (<< 5.8.0-2~)
+Replaces: libcharon-extra-plugins (<< 5.8.0-2~)
+Description: strongSwan charon library (extended authentication plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides extended authentication plugins for the charon library:
+  - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
+    Used for client side to connect to some VPN concentrators configured for
+    Windows 7+ and modern OSX/iOS using IKEv2 (identify with public key,
+    authenticate with MSCHAPv2).
+  - xauth-generic (Generic XAuth backend that provides passwords from
+    ipsec.secrets and other credential sets)
+    Used for the client side to connect to VPN concentrators configured for
+    Android and older OSX/iOS using IKEv1 and XAUTH (identify with public key,
+    authenticate with XAUTH password).
+ .
+ These are the "not always, but still more commonly used" plugins, for further
+ needs even more plugins can be found in the package libcharon-extra-plugins.
 
 Package: libcharon-extra-plugins
 Architecture: any
@@ -160,7 +186,6 @@ Description: strongSwan charon library (extra plugins)
   - eap-identity (EAP-Identity identity exchange algorithm, to use with other
     EAP protocols)
   - eap-md5 (EAP-MD5 protocol handler using passwords)
-  - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
   - eap-radius (EAP server proxy plugin forwarding EAP conversations to a
     RADIUS server)
   - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
@@ -169,15 +194,12 @@ Description: strongSwan charon library (extra plugins)
   - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
   - error-notify (Notification about errors via UNIX socket)
   - ha (High-Availability clustering)
+  - kernel-libipsec (Userspace IPsec Backend with TUN devices)
   - led (Let Linux LED subsystem LEDs blink on IKE activity)
   - lookip (Virtual IP lookup facility using a UNIX socket)
-  - medcli (Web interface based mediation client interface)
-  - medsrv (Web interface based mediation server interface)
   - tnc (Trusted Network Connect)
   - unity (Cisco Unity extensions for IKEv1)
   - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
-  - xauth-generic (Generic XAuth backend that provides passwords from
-    ipsec.secrets and other credential sets)
   - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
 
 Package: strongswan-starter
@@ -204,6 +226,7 @@ Depends: libstrongswan (= ${binary:Version}),
          ${shlibs:Depends}
 Breaks: strongswan-starter (<= 5.6.1-2)
 Replaces: strongswan-starter (<= 5.6.1-2)
+Recommends: libcharon-extauth-plugins
 Suggests: libcharon-extra-plugins
 Description: strongSwan charon library
  The strongSwan VPN suite uses the native IPsec stack in the standard

debian/ipsec.secrets.proto

@@ -3,6 +3,3 @@
 # RSA private key for this host, authenticating it to any other host
 # which knows the public part.
 
-# this file is managed with debconf and will contain the automatically created private key
-include /var/lib/strongswan/ipsec.secrets.inc
-

debian/libcharon-extauth-plugins.install

+# most commonly used libcharon plugins
+# 1) eap-mschapv2 is required on the client side to connect to VPN
+# concentrators configured for Windows 7+ and modern OSX/iOS using IKEv2.
+# In such scenario, the VPN concentrator identifies itself with a public
+# key and asks the client to authenticate with MSCHAPv2.
+# 2) xauth-generic is required on the client side to connect to VPN
+# concentrators configured for Android and older OSX/iOS using IKEv1 and
+# XAUTH. In such scenario, the VPN concentrator identifies itself with a
+# public key or a shared secret and asks the client to authenticate with a
+# XAUTH password.
+# plugins
+usr/lib/ipsec/plugins/libstrongswan-eap-mschapv2.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
+# config templates
+usr/share/strongswan/templates/config/plugins/eap-mschapv2.conf
+usr/share/strongswan/templates/config/plugins/xauth-generic.conf
+# configuration files
+etc/strongswan.d/charon/eap-mschapv2.conf
+etc/strongswan.d/charon/xauth-generic.conf

debian/libcharon-extra-plugins.install

 # libcharon plugins
 usr/lib/ipsec/plugins/libstrongswan-addrblock.so
 usr/lib/ipsec/plugins/libstrongswan-certexpire.so
-usr/lib/ipsec/plugins/libstrongswan-eap*.so
+usr/lib/ipsec/plugins/libstrongswan-eap-aka-3gpp2.so
+usr/lib/ipsec/plugins/libstrongswan-eap-aka.so
+usr/lib/ipsec/plugins/libstrongswan-eap-dynamic.so
+usr/lib/ipsec/plugins/libstrongswan-eap-gtc.so
+usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
+usr/lib/ipsec/plugins/libstrongswan-eap-md5.so
+usr/lib/ipsec/plugins/libstrongswan-eap-peap.so
+usr/lib/ipsec/plugins/libstrongswan-eap-radius.so
+usr/lib/ipsec/plugins/libstrongswan-eap-sim-file.so
+usr/lib/ipsec/plugins/libstrongswan-eap-sim-pcsc.so
+usr/lib/ipsec/plugins/libstrongswan-eap-sim.so
+usr/lib/ipsec/plugins/libstrongswan-eap-simaka-pseudonym.so
+usr/lib/ipsec/plugins/libstrongswan-eap-simaka-reauth.so
+usr/lib/ipsec/plugins/libstrongswan-eap-simaka-sql.so
+usr/lib/ipsec/plugins/libstrongswan-eap-tls.so
+usr/lib/ipsec/plugins/libstrongswan-eap-tnc.so
+usr/lib/ipsec/plugins/libstrongswan-eap-ttls.so
 usr/lib/ipsec/plugins/libstrongswan-error-notify.so
 usr/lib/ipsec/plugins/libstrongswan-ha.so
+usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so
 usr/lib/ipsec/plugins/libstrongswan-led.so
 usr/lib/ipsec/plugins/libstrongswan-lookip.so
 #usr/lib/ipsec/plugins/libstrongswan-medsrv.so
 #usr/lib/ipsec/plugins/libstrongswan-medcli.so
 usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
 usr/lib/ipsec/plugins/libstrongswan-unity.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-*.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-noauth.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
 # standard configuration files
 usr/share/strongswan/templates/config/plugins/addrblock.conf
 usr/share/strongswan/templates/config/plugins/certexpire.conf
-usr/share/strongswan/templates/config/plugins/eap-*.conf
+usr/share/strongswan/templates/config/plugins/eap-aka-3gpp2.conf
+usr/share/strongswan/templates/config/plugins/eap-aka.conf
+usr/share/strongswan/templates/config/plugins/eap-dynamic.conf
+usr/share/strongswan/templates/config/plugins/eap-gtc.conf
+usr/share/strongswan/templates/config/plugins/eap-identity.conf
+usr/share/strongswan/templates/config/plugins/eap-md5.conf
+usr/share/strongswan/templates/config/plugins/eap-peap.conf
+usr/share/strongswan/templates/config/plugins/eap-radius.conf
+usr/share/strongswan/templates/config/plugins/eap-sim-file.conf
+usr/share/strongswan/templates/config/plugins/eap-sim-pcsc.conf
+usr/share/strongswan/templates/config/plugins/eap-sim.conf
+usr/share/strongswan/templates/config/plugins/eap-simaka-pseudonym.conf
+usr/share/strongswan/templates/config/plugins/eap-simaka-reauth.conf
+usr/share/strongswan/templates/config/plugins/eap-simaka-sql.conf
+usr/share/strongswan/templates/config/plugins/eap-tls.conf
+usr/share/strongswan/templates/config/plugins/eap-tnc.conf
+usr/share/strongswan/templates/config/plugins/eap-ttls.conf
 usr/share/strongswan/templates/config/plugins/error-notify.conf
 usr/share/strongswan/templates/config/plugins/ha.conf
+usr/share/strongswan/templates/config/plugins/kernel-libipsec.conf
 usr/share/strongswan/templates/config/plugins/led.conf
 usr/share/strongswan/templates/config/plugins/lookip.conf
 #usr/share/strongswan/templates/config/plugins/medsrv.conf
 #usr/share/strongswan/templates/config/plugins/medcli.conf
 usr/share/strongswan/templates/config/plugins/tnc-tnccs.conf
 usr/share/strongswan/templates/config/plugins/unity.conf
-usr/share/strongswan/templates/config/plugins/xauth-*.conf
+usr/share/strongswan/templates/config/plugins/xauth-eap.conf
+usr/share/strongswan/templates/config/plugins/xauth-noauth.conf
+usr/share/strongswan/templates/config/plugins/xauth-pam.conf
 usr/share/strongswan/templates/config/strongswan.d/tnc.conf
 etc/strongswan.d/tnc.conf
 etc/strongswan.d/charon/addrblock.conf
 etc/strongswan.d/charon/certexpire.conf
-etc/strongswan.d/charon/eap-*.conf
+etc/strongswan.d/charon/eap-aka-3gpp2.conf
+etc/strongswan.d/charon/eap-aka.conf
+etc/strongswan.d/charon/eap-dynamic.conf
+etc/strongswan.d/charon/eap-gtc.conf
+etc/strongswan.d/charon/eap-identity.conf
+etc/strongswan.d/charon/eap-md5.conf
+etc/strongswan.d/charon/eap-peap.conf
+etc/strongswan.d/charon/eap-radius.conf
+etc/strongswan.d/charon/eap-sim-file.conf
+etc/strongswan.d/charon/eap-sim-pcsc.conf
+etc/strongswan.d/charon/eap-sim.conf
+etc/strongswan.d/charon/eap-simaka-pseudonym.conf
+etc/strongswan.d/charon/eap-simaka-reauth.conf
+etc/strongswan.d/charon/eap-simaka-sql.conf
+etc/strongswan.d/charon/eap-tls.conf
+etc/strongswan.d/charon/eap-tnc.conf
+etc/strongswan.d/charon/eap-ttls.conf
 etc/strongswan.d/charon/error-notify.conf
 etc/strongswan.d/charon/ha.conf
+etc/strongswan.d/charon/kernel-libipsec.conf
 etc/strongswan.d/charon/led.conf
 etc/strongswan.d/charon/lookip.conf
 #etc/strongswan.d/charon/medsrv.conf
 #etc/strongswan.d/charon/medcli.conf
 etc/strongswan.d/charon/tnc-tnccs.conf
 etc/strongswan.d/charon/unity.conf
-etc/strongswan.d/charon/xauth-*.conf
+etc/strongswan.d/charon/xauth-eap.conf
+etc/strongswan.d/charon/xauth-noauth.conf
+etc/strongswan.d/charon/xauth-pam.conf
 debian/usr.lib.ipsec.lookip /etc/apparmor.d/
 # support libs
 #usr/lib/ipsec/libfast.so*
+usr/lib/ipsec/libipsec.so*
 usr/lib/ipsec/libpttls.so*
 usr/lib/ipsec/libradius.so*
 usr/lib/ipsec/libsimaka.so*

debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch

+--- a/conf/plugins/kernel-libipsec.conf
++++ b/conf/plugins/kernel-libipsec.conf
+@@ -5,7 +5,7 @@
+ 
+     # Whether to load the plugin. Can also be an integer to increase the
+     # priority of this plugin.
+-    load = yes
++    load = no
+ 
+ }
+ 

debian/patches/series

@@ -2,3 +2,4 @@
 02_disable-bypass-lan.patch
 03_systemd-service.patch
 04_disable-libtls-tests.patch
+dont-load-kernel-libipsec-plugin-by-default.patch

debian/rules

@@ -26,6 +26,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-gcm \
 		--enable-gcrypt \
 		--enable-ha \
+		--enable-kernel-libipsec \
 		--enable-ldap \
 		--enable-led \
 		--enable-lookip \
@@ -38,6 +39,7 @@ CONFIGUREARGS := --libdir=/usr/lib --libexecdir=/usr/lib \
 		--enable-xauth-eap \
 		--enable-xauth-pam \
 		--disable-blowfish \
+		--disable-fast \
 		--disable-des # BSD-Young license
 	#--with-user=strongswan --with-group=nogroup
 	#	--enable-kernel-pfkey --enable-kernel-klips \
@@ -191,12 +193,6 @@ endif
 
 	# add additional files not covered by upstream makefile...
 	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
-	# also "patch" ipsec.conf to include the debconf-managed file
-	echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
-	echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
-	# and to enable both IKEv1 and IKEv2 by default
-	sed -r 's/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
-	mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
 
 	# set permissions on ipsec.secrets and private key directories
 	chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets

debian/strongswan-starter.postinst

@@ -220,63 +220,6 @@ case "$1" in
 	    db_set strongswan/install_x509_certificate false
 	fi
 
-	# lets see if we are already using dependency based booting or the correct runlevel parameters
-	if ! ( [ "`find /etc/init.d/ -name '.depend.*'`" ] || [ "$runlevels" = "0K841K842S163S164S165S166K84" ] ); then
-	    db_fset strongswan/runlevel_changes seen false
-	    db_input high strongswan/runlevel_changes || true
-	    db_go
-
-	    # if the admin did not change the runlevels which got installed by older packages we can modify them
-	    if [ "$runlevels" = "0K346K34SS41" ] || [ "$runlevels" = "0K301K302S153S154S155S156K30" ] || [ "$runlevels" = "0K191K192S213S214S215S216K19" ]; then
-		update-rc.d -f ipsec remove
-	    fi
-
-	    update-rc.d ipsec defaults 16 84 > /dev/null
-	fi
-
-        db_get strongswan/enable-oe
-        if [ "$RET" != "true" ]; then
-            echo -n "Disabling opportunistic encryption (OE) in config file ... "
-            if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
-                # also update to new-style config
-                sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
-                mv $CONF_FILE.tmp $CONF_FILE
-                echo -n "converted old config line to new format"
-            fi
-            if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
-            	sed 's/include \/etc\/ipsec.d\/examples\/oe.conf/#include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
-                mv $CONF_FILE.tmp $CONF_FILE
-                echo "done"
-            elif [ ! -e $CONF_FILE ]; then
-                echo "#include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
-            else
-                echo "already disabled"
-            fi
-	else
-            echo -n "Enabling opportunistic encryption (OE) in config file ... "
-            if [ -e $CONF_FILE ] && egrep -q "include /etc/ipsec.d/examples/no_oe.conf$" $CONF_FILE; then
-                # also update to new-style config
-            	sed 's/.*include \/etc\/ipsec.d\/examples\/no_oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
-                mv $CONF_FILE.tmp $CONF_FILE
-                echo -n "converted old config line to new format"
-            fi
-            if [ -e $CONF_FILE ] && egrep -q "^include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
-                echo "already enabled"
-            elif [ -e $CONF_FILE ] && egrep -q "^#.*include /etc/ipsec.d/examples/oe.conf$" $CONF_FILE; then
-            	sed 's/#.*include \/etc\/ipsec.d\/examples\/oe.conf/include \/etc\/ipsec.d\/examples\/oe.conf/' < $CONF_FILE > $CONF_FILE.tmp
-                mv $CONF_FILE.tmp $CONF_FILE
-                echo "done"
-            elif [ ! -e $CONF_FILE ]; then
-                echo "include /etc/ipsec.d/examples/oe.conf" > $CONF_FILE
-            else
-                cat <<EOF >> $CONF_FILE
-#Enable Opportunistic Encryption
-include /etc/ipsec.d/examples/oe.conf
-EOF
-              echo "done"
-            fi
-        fi
-
 	# disabled for now, until we can solve the don't-edit-conffiles issue
         #db_get strongswan/ikev1
         #if [ "$RET" != "true" ]; then

debian/usr.lib.ipsec.charon

@@ -69,6 +69,16 @@
 
   /var/lib/strongswan/*     r,
 
+  /{,var/}run/systemd/notify w,
+
+  # allow self to read file descriptors (LP #1786250)
+  # restrict to our own process-ID as per apparmor vars
+  @{PROC}/@{pid}/fd/        r,
+
+  # for using the ha plugin (LP: #1773956)
+  @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
+  @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
+
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.lib.ipsec.charon>
 }

debian/usr.lib.ipsec.lookip

@@ -15,6 +15,8 @@
 /usr/lib/ipsec/lookip {
   #include <abstractions/base>
 
+  /usr/lib/ipsec/lookip     rmix,
+
   /run/charon.lkp           rw,
 
   # Site-specific additions and overrides. See local/README for details.

debian/usr.lib.ipsec.stroke

@@ -17,6 +17,8 @@
 
   capability dac_override,
 
+  /usr/lib/ipsec/stroke         rmix,
+
   /etc/strongswan.conf          r,
   /etc/strongswan.d/            r,
   /etc/strongswan.d/**          r,

debian/usr.sbin.charon-systemd

@@ -71,6 +71,14 @@
 
   /{,var/}run/systemd/notify w,
 
+  # allow self to read file descriptors (LP #1786250)
+  # restrict to our own process-ID as per apparmor vars
+  @{PROC}/@{pid}/fd/        r,
+
+  # for using the ha plugin (LP: #1773956)
+  @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r,
+  @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw,
+
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.charon-systemd>
 }

debian/usr.sbin.swanctl

@@ -24,6 +24,9 @@
   # Allow reading own binary
   /usr/sbin/swanctl             r,
 
+  # for af-alg plugin
+  network alg seqpacket,
+
   # As of 5.5.2, swanctl unnecessarily loads plugins by default, even though no
   # plugins are actually used by swanctl.  The following can be removed if
   # plugin loading is disabled.