authorYves-Alexis Perez <corsac@debian.org>2014-02-02 14:00:14 +0100
committerYves-Alexis Perez <corsac@debian.org>2014-02-02 20:14:58 +0100
commit82c45c901d5c8ccb1050ffba39371d37b8b6676c (patch)
tree3b3a6db533d2536eb520cc7663bde7ed91e913a7
parentc4f8572c895447aaff9de350630e6baf96ceffbd (diff)
split libstrongswan package
add new binary packages: - libstrongswan-standard-plugins - libstrongswan-extra-plugins - libcharon-extra-plugins packages The libstrongswan package now only provides upstream default plugins
-rw-r--r--debian/NEWS14
-rw-r--r--debian/changelog2
-rw-r--r--debian/control133
-rw-r--r--debian/libcharon-extra-plugins.install25
-rw-r--r--debian/libstrongswan-extra-plugins.install9
-rw-r--r--debian/libstrongswan-standard-plugins.install4
-rw-r--r--debian/libstrongswan.install61
-rwxr-xr-xdebian/rules12
-rw-r--r--debian/strongswan-ike.install10
-rw-r--r--debian/strongswan-starter.install1
10 files changed, 207 insertions, 64 deletions
diff --git a/debian/NEWS b/debian/NEWS
index f6fd43e8c..6e68b8f02 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,17 @@
+strongswan (5.1.1-2) UNRELEASED; urgency=medium
+
+ in 5.1.1-2 package, few plugins have been splitted from the main
+ libstrongswan package. The plugins are now in following packages:
+ - libstrongswan: main/default plugins, as defined by the strongSwan
+ project
+ - libstrongswan-standard-plugins: non default but useful plugins (agent,
+ gcm and openssl)
+ - libstrongswan-extra-plugins: more scarcely used plugins
+ - libcharon-extra-plugins: more scarecely used plugins for the charon
+ daemon
+
+ -- Yves-Alexis Perez <corsac@debian.org> Sun, 02 Feb 2014 20:05:15 +0100
+
strongswan (5.1.0-1) unstable; urgency=low
Starting with strongSwan 5, the IKEv1 daemon (pluto) is gone, and the charon
diff --git a/debian/changelog b/debian/changelog
index 597c60640..68a5c955c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ strongswan (5.1.1-2) UNRELEASED; urgency=medium
* debian/control:
- drop dependency on host, inherited from openSwan. closes: #736661
- split charon-cmd to a standalone package.
+ - add new plugins packages: libstrongswan-standard-plugins,
+ libstrongswan-extra-plugins and libcharon-extra-plugins.
* debian/po:
- sv.po updated, thanks Martin Bagge. closes: #725667
* debian/charon-cmd.lintian-overrides: override lintian error about
diff --git a/debian/control b/debian/control
index 2d590ce2a..e7bacbdfe 100644
--- a/debian/control
+++ b/debian/control
@@ -29,23 +29,143 @@ Description: IPsec VPN solution metapackage
Package: libstrongswan
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
+Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: strongswan (<< 4.2.12-1)
Breaks: strongswan-ikev2 (<< 4.6.4)
Replaces: strongswan-ikev2 (<< 4.6.4)
+Recommends: libstrongswan-standard-plugins
+Suggests: libstrongswan-extra-plugins
Description: strongSwan utility and crypto library
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
- This package provides the underlying library of charon and other strongSwan
+ This package provides the underlying libraries of charon and other strongSwan
components. It is built in a modular way and is extendable through various
plugins.
+ .
+ Some default (as specified by the strongSwan projet) plugins are included.
+ For libstrongswan (cryptographic backends, URI fetchers and database layers):
+ - aes (AES-128/192/256 cipher software implementation)
+ - constraints (X.509 certificate advanced constraint checking)
+ - dnskey (Parse RFC 4034 public keys)
+ - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms)
+ - gmp (RSA/DH crypto backend based on libgmp)
+ - hmac (HMAC wrapper using various hashers)
+ - md5 (MD5 hasher software implementation)
+ - nonce (Default nonce generation plugin)
+ - pem (PEM encoding/decoding routines)
+ - pgp (PGP encoding/decoding routines)
+ - pkcs1 (PKCS#1 encoding/decoding routines)
+ - pkcs8 (PKCS#8 decoding routines)
+ - pkcs12 (PKCS#12 decoding routines)
+ - pubkey (Wrapper to handle raw public keys as trusted certificates)
+ - random (RNG reading from /dev/[u]random)
+ - rc2 (RC2 cipher software implementation)
+ - revocation (X.509 CRL/OCSP revocation checking)
+ - sha1 (SHA1 hasher software implementation)
+ - sha2 (SHA256/SHA384/SHA512 hasher software implementation)
+ - sshkey (SSH key decoding routines)
+ - x509 (Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs
+ and OCSP messages)
+ - xcbc (XCBC wrapper using various ciphers)
+ For libhydra (IKE daemon plugins):
+ - attr (Provides IKE attributes configured in strongswan.conf)
+ - kernel-netlink [linux] (IPsec/Networking kernel interface using Linux
+ Netlink)
+ - kernel-pfkey [kfreebsd] (IPsec kernel interface using PF_KEY)
+ - kernel-pfroute [kfreebsd] (Networking kernel interface using PF_ROUTE)
+ - resolve (Writes name servers received via IKE to a resolv.conf file or
+ installs them via resolvconf(8))
+
+Package: libstrongswan-standard-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan utility and crypto library (extra plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides some common plugins for the strongSwan utility and
+ cryptograhic library.
+ .
+ Included plugins are:
+ - agent (RSA/ECDSA private key backend connecting to SSH-Agent)
+ - gcm (GCM cipher mode wrapper)
+ - openssl (Crypto backend based on OpenSSL, provides
+ RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG)
+
+Package: libstrongswan-extra-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan utility and crypto library (extra plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides extra plugins for the strongSwan utility and
+ cryptograhic library.
+ .
+ Included plugins are:
+ - af-alg [linux] (AF_ALG Linux crypto API interface, provides
+ ciphers/hashers/hmac/xcbc)
+ - ccm (CCM cipher mode wrapper)
+ - cmac (CMAC cipher mode wrapper)
+ - ctr (CTR cipher mode wrapper)
+ - curl (libcurl based HTTP/FTP fetcher)
+ - gcrypt (Crypto backend based on libgcrypt, provides
+ RSA/DH/ciphers/hashers/rng)
+ - ldap (LDAP fetching plugin based on libldap)
+ - padlock (VIA padlock crypto backend, provides AES128/SHA1)
+ - pkcs11 (PKCS#11 smartcard backend)
+ - rdrand (High quality / high performance random source using the Intel
+ rdrand instruction found on Ivy Bridge processors)
+ - test-vectors (Set of test vectors for various algorithms)
+
+Package: libcharon-extra-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan charon library (extra plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides extra plugins for the charon library:
+ - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509
+ certificates)
+ - certexpire (Export expiration dates of used certificates)
+ - eap-aka (Generic EAP-AKA protocol handler using different backends)
+ - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends)
+ - eap-identity (EAP-Identity identity exchange algorithm, to use with other
+ EAP protocols)
+ - eap-md5 (EAP-MD5 protocol handler using passwords)
+ - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
+ - eap-radius (EAP server proxy plugin forwarding EAP conversations to a
+ RADIUS server)
+ - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
+ EAP)
+ - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel)
+ - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
+ - error-notify (Notification about errors via UNIX socket)
+ - ha (High-Availability clustering)
+ - led (Let Linux LED subsystem LEDs blink on IKE activity)
+ - lookip (Virtual IP lookup facility using a UNIX socket)
+ - medcli (Web interface based mediation client interface)
+ - medsrv (Web interface based mediation server interface)
+ - tnc (Trusted Network Connect)
+ - unity (Cisco Unity extensions for IKEv1)
+ - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
+ - xauth-generic (Generic XAuth backend that provides passwords from
+ ipsec.secrets and other credential sets)
+ - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
Package: strongswan-dbg
Architecture: any
Section: debug
Priority: extra
-Depends: ${misc:Depends}, strongswan, libstrongswan
+Depends: ${misc:Depends}, strongswan, libstrongswan (= ${binary:Version})
Description: strongSwan library and binaries - debugging symbols
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
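Review bot: The synopsis for libstrongswan-standard-plugins, `Description: strongSwan utility and crypto library (extra plugins)`, is identical to the one for libstrongswan-extra-plugins, so the two packages cannot be told apart in package listings; `Description: strongSwan utility and crypto library (standard plugins)` would match the package name. The long descriptions also carry the typos "projet" and "cryptograhic". Separately, openssl and gcm are now reached only through `Recommends:`, and by the plugin lists in this hunk gmp covers RSA/DH while ECDSA/ECDH come from openssl, so a host installed without recommends would lose those algorithms and GCM mode; the NEWS entry would be a good place to say so.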
@@ -72,16 +192,17 @@ Pre-Depends: debconf | debconf-2.0
Depends: ${shlibs:Depends}, ${misc:Depends},
libstrongswan (= ${binary:Version}), strongswan-starter | strongswan-nm,
bsdmainutils, debianutils (>=1.7), ipsec-tools, iproute [linux-any]
-Suggests: curl
+Suggests: libcharon-extra-plugins
Provides: ike-server
Conflicts: freeswan (<< 2.04-12), openswan, strongswan (<< 4.2.12-1)
-Replaces: strongswan-ikev1, strongswan-ikev2
+Breaks: libstrongswan (<= 5.1.1-1)
+Replaces: strongswan-ikev1, strongswan-ikev2, libstrongswan (<= 5.1.1-1)
Description: strongSwan Internet Key Exchange (v2) daemon
The strongSwan VPN suite uses the native IPsec stack in the standard
Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
.
charon is an IPsec IKEv2 daemon. It is written from scratch using a fully
- multi-threaded design and a modular architecture. Various plugins provide
+ multi-threaded design and a modular architecture. Various plugins can provide
additional functionality.
Package: strongswan-nm
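Review bot: `Suggests: libcharon-extra-plugins` is a weak relation for a package that now holds the eap-*, xauth-* and unity plugins which strongswan-ike and libstrongswan shipped up to 5.1.1-1. Suggested packages are not installed by default, so an upgrade would likely drop those authentication plugins from existing hosts, and connections configured for EAP or XAuth would stop authenticating until the package is added by hand. Consider `Recommends: libcharon-extra-plugins`, or spell out the manual step in debian/NEWS. The strongswan-ike stanza begins before this hunk.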
diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
new file mode 100644
index 000000000..e126c5fda
--- /dev/null
+++ b/debian/libcharon-extra-plugins.install
@@ -0,0 +1,25 @@
+# libcharon plugins
+usr/lib/ipsec/plugins/libstrongswan-addrblock.so
+usr/lib/ipsec/plugins/libstrongswan-certexpire.so
+usr/lib/ipsec/plugins/libstrongswan-eap*.so
+usr/lib/ipsec/plugins/libstrongswan-error-notify.so
+usr/lib/ipsec/plugins/libstrongswan-ha.so
+usr/lib/ipsec/plugins/libstrongswan-led.so
+usr/lib/ipsec/plugins/libstrongswan-lookip.so
+usr/lib/ipsec/plugins/libstrongswan-medsrv.so
+usr/lib/ipsec/plugins/libstrongswan-medcli.so
+usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
+usr/lib/ipsec/plugins/libstrongswan-unity.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
+# support libs
+usr/lib/ipsec/libpttls.so*
+usr/lib/ipsec/libradius.so*
+usr/lib/ipsec/libsimaka.so*
+usr/lib/ipsec/libtnccs.so*
+usr/lib/ipsec/libtls.so*
+# binaries
+usr/lib/ipsec/error-notify
+usr/lib/ipsec/lookip
+usr/lib/ipsec/pt-tls-client
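Review bot: `usr/lib/ipsec/pt-tls-client` is taken over from strongswan-starter (whose .install file drops the same path in this commit), but the libcharon-extra-plugins stanza in debian/control declares Breaks/Replaces only against libstrongswan and strongswan-ike. Unpacking the new package next to strongswan-starter 5.1.1-1 would then presumably hit a dpkg file conflict on that path. Adding `strongswan-starter (<= 5.1.1-1)` to both the `Breaks:` and `Replaces:` lines of libcharon-extra-plugins would cover the move.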
diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
new file mode 100644
index 000000000..db196e3a0
--- /dev/null
+++ b/debian/libstrongswan-extra-plugins.install
@@ -0,0 +1,9 @@
+# libstrongswan
+usr/lib/ipsec/plugins/libstrongswan-ccm.so
+usr/lib/ipsec/plugins/libstrongswan-cmac.so
+usr/lib/ipsec/plugins/libstrongswan-ctr.so
+usr/lib/ipsec/plugins/libstrongswan-curl.so
+usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
+usr/lib/ipsec/plugins/libstrongswan-ldap.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
diff --git a/debian/libstrongswan-standard-plugins.install b/debian/libstrongswan-standard-plugins.install
new file mode 100644
index 000000000..e1c3e313f
--- /dev/null
+++ b/debian/libstrongswan-standard-plugins.install
@@ -0,0 +1,4 @@
+# libstrongswan
+usr/lib/ipsec/plugins/libstrongswan-agent.so
+usr/lib/ipsec/plugins/libstrongswan-gcm.so
+usr/lib/ipsec/plugins/libstrongswan-openssl.so
diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install
index c25c099b9..c278d82e1 100644
--- a/debian/libstrongswan.install
+++ b/debian/libstrongswan.install
@@ -1,52 +1,31 @@
+# libstrongswan
usr/lib/ipsec/libstrongswan.so*
-usr/lib/ipsec/libhydra.so*
-usr/lib/ipsec/libfast.so*
-usr/lib/ipsec/libsimaka.so*
-usr/lib/ipsec/libtnccs.so*
-usr/lib/ipsec/libradius.so*
-usr/lib/ipsec/libtls.so*
-usr/lib/ipsec/libpttls.so*
+usr/lib/ipsec/plugins/libstrongswan-aes.so
+usr/lib/ipsec/plugins/libstrongswan-constraints.so
+usr/lib/ipsec/plugins/libstrongswan-dnskey.so
+usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
usr/lib/ipsec/plugins/libstrongswan-gmp.so
-usr/lib/ipsec/plugins/libstrongswan-openssl.so
-usr/lib/ipsec/plugins/libstrongswan-x509.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-hmac.so
+usr/lib/ipsec/plugins/libstrongswan-md5.so
+usr/lib/ipsec/plugins/libstrongswan-nonce.so
usr/lib/ipsec/plugins/libstrongswan-pgp.so
usr/lib/ipsec/plugins/libstrongswan-pem.so
usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
usr/lib/ipsec/plugins/libstrongswan-pubkey.so
-usr/lib/ipsec/plugins/libstrongswan-hmac.so
-usr/lib/ipsec/plugins/libstrongswan-xcbc.so
usr/lib/ipsec/plugins/libstrongswan-random.so
-usr/lib/ipsec/plugins/libstrongswan-aes.so
-usr/lib/ipsec/plugins/libstrongswan-xcbc.so
-usr/lib/ipsec/plugins/libstrongswan-ctr.so
-usr/lib/ipsec/plugins/libstrongswan-ccm.so
-usr/lib/ipsec/plugins/libstrongswan-gcm.so
-usr/lib/ipsec/plugins/libstrongswan-led.so
-usr/lib/ipsec/plugins/libstrongswan-addrblock.so
-usr/lib/ipsec/plugins/libstrongswan-md5.so
+usr/lib/ipsec/plugins/libstrongswan-rc2.so
+usr/lib/ipsec/plugins/libstrongswan-revocation.so
usr/lib/ipsec/plugins/libstrongswan-sha1.so
usr/lib/ipsec/plugins/libstrongswan-sha2.so
-usr/lib/ipsec/plugins/libstrongswan-dnskey.so
-usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
-usr/lib/ipsec/plugins/libstrongswan-resolve.so
-usr/lib/ipsec/plugins/libstrongswan-ha.so
-usr/lib/ipsec/plugins/libstrongswan-revocation.so
-usr/lib/ipsec/plugins/libstrongswan-constraints.so
-usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
-usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
-usr/lib/ipsec/plugins/libstrongswan-cmac.so
-usr/lib/ipsec/plugins/libstrongswan-ldap.so
-usr/lib/ipsec/plugins/libstrongswan-attr*.so
-usr/lib/ipsec/plugins/libstrongswan-curl.so
-usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
-usr/lib/ipsec/plugins/libstrongswan-nonce.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
-usr/lib/ipsec/plugins/libstrongswan-rc2.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
usr/lib/ipsec/plugins/libstrongswan-sshkey.so
+usr/lib/ipsec/plugins/libstrongswan-x509.so
+usr/lib/ipsec/plugins/libstrongswan-xcbc.so
+# libhydra
+usr/lib/ipsec/libhydra.so*
+usr/lib/ipsec/plugins/libstrongswan-attr.so
+usr/lib/ipsec/plugins/libstrongswan-resolve.so
etc/strongswan.conf
+usr/lib/ipsec/libfast.so*
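Review bot: `usr/lib/ipsec/plugins/libstrongswan-pkcs7.so` stays in this package, but the plugin list added to the libstrongswan description in debian/control has no pkcs7 entry, so the documented and shipped plugin sets disagree; a `- pkcs7 (...)` line in that list would close the gap. The glob `libstrongswan-attr*.so` is also narrowed to `libstrongswan-attr.so`, so any other attr-* plugin the build produces is no longer picked up by this file; that is worth confirming against the configure flags, which are not visible here.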
diff --git a/debian/rules b/debian/rules
index 85b75aabb..d7ad51ad3 100755
--- a/debian/rules
+++ b/debian/rules
@@ -84,10 +84,10 @@ override_dh_install:
# first special cases
ifeq ($(DEB_BUILD_ARCH_OS),linux)
# handle Linux-only plugins
- dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-dhcp.so
- dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-farp.so
+ dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-dhcp.so
+ dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-farp.so
dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
- dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-af-alg.so
+ dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-af-alg.so
endif
ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
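Review bot: The package name passed to `-p` on the af-alg line is `libstrongswan-extras-plugins`, but debian/control in this commit declares `libstrongswan-extra-plugins` (no "s"), so dh_install is pointed at a package that does not exist. The same misspelling is on the padlock line and both rdrand lines in the next hunk. Depending on the debhelper version this presumably either errors or is skipped, and in either case the af-alg, padlock and rdrand plugins would not land in the package whose description advertises them. Each line should use the declared name, e.g. `dh_install -p libstrongswan-extra-plugins usr/lib/ipsec/plugins/libstrongswan-af-alg.so`. The override_dh_install recipe starts and ends outside the hunk.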
@@ -98,12 +98,12 @@ endif
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
# special handling for padlock, as it is only built on i386
- dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-padlock.so
- dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
+ dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-padlock.so
+ dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so
endif
ifeq ($(DEB_BUILD_ARCH_CPU), amd64)
- dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
+ dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so
endif
# then install the rest, ignoring the above
diff --git a/debian/strongswan-ike.install b/debian/strongswan-ike.install
index e00deaa94..6c1185f83 100644
--- a/debian/strongswan-ike.install
+++ b/debian/strongswan-ike.install
@@ -1,13 +1,3 @@
usr/lib/ipsec/libcharon.so*
usr/lib/ipsec/charon
-usr/lib/ipsec/lookip
-usr/lib/ipsec/error-notify
usr/lib/ipsec/plugins/libstrongswan-socket*.so
-usr/lib/ipsec/plugins/libstrongswan-eap*.so
-usr/lib/ipsec/plugins/libstrongswan-agent.so
-usr/lib/ipsec/plugins/libstrongswan-medsrv.so
-usr/lib/ipsec/plugins/libstrongswan-medcli.so
-usr/lib/ipsec/plugins/libstrongswan-certexpire.so
-usr/lib/ipsec/plugins/libstrongswan-lookip.so
-usr/lib/ipsec/plugins/libstrongswan-error-notify.so
-usr/lib/ipsec/plugins/libstrongswan-unity.so
diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install
index dff09e33a..feb578bc6 100644
--- a/debian/strongswan-starter.install
+++ b/debian/strongswan-starter.install
@@ -18,7 +18,6 @@ usr/share/man/man8/_updown_espmark.8
usr/bin/pki
usr/lib/ipsec/scepclient
usr/lib/ipsec/openac
-usr/lib/ipsec/pt-tls-client
usr/share/man/man8/scepclient.8
usr/share/man/man8/openac.8
usr/share/man/man1/pki---gen.1