10 files changed, 207 insertions, 64 deletions

diff --git a/debian/NEWS b/debian/NEWS
index f6fd43e8c..6e68b8f02 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,17 @@
+strongswan (5.1.1-2) UNRELEASED; urgency=medium
+
+  in 5.1.1-2 package, few plugins have been splitted from the main
+  libstrongswan package. The plugins are now in following packages:
+    - libstrongswan: main/default plugins, as defined by the strongSwan
+    project
+    - libstrongswan-standard-plugins: non default but useful plugins (agent,
+    gcm and openssl)
+    - libstrongswan-extra-plugins: more scarcely used plugins
+    - libcharon-extra-plugins: more scarecely used plugins for the charon
+    daemon
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Sun, 02 Feb 2014 20:05:15 +0100
+
 strongswan (5.1.0-1) unstable; urgency=low
 
   Starting with strongSwan 5, the IKEv1 daemon (pluto) is gone, and the charon
diff --git a/debian/changelog b/debian/changelog
index 597c60640..68a5c955c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ strongswan (5.1.1-2) UNRELEASED; urgency=medium
   * debian/control:
     - drop dependency on host, inherited from openSwan.         closes: #736661
     - split charon-cmd to a standalone package.
+    - add new plugins packages: libstrongswan-standard-plugins,
+      libstrongswan-extra-plugins and libcharon-extra-plugins.
   * debian/po:
     - sv.po updated, thanks Martin Bagge.                       closes: #725667
   * debian/charon-cmd.lintian-overrides: override lintian error about
diff --git a/debian/control b/debian/control
index 2d590ce2a..e7bacbdfe 100644
--- a/debian/control
+++ b/debian/control
@@ -29,23 +29,143 @@ Description: IPsec VPN solution metapackage
 
 Package: libstrongswan
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, openssl
+Depends: ${shlibs:Depends}, ${misc:Depends}
 Conflicts: strongswan (<< 4.2.12-1)
 Breaks: strongswan-ikev2 (<< 4.6.4)
 Replaces: strongswan-ikev2 (<< 4.6.4)
+Recommends: libstrongswan-standard-plugins
+Suggests: libstrongswan-extra-plugins
 Description: strongSwan utility and crypto library
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
  .
- This package provides the underlying library of charon and other strongSwan
+ This package provides the underlying libraries of charon and other strongSwan
  components. It is built in a modular way and is extendable through various
  plugins.
+ .
+ Some default (as specified by the strongSwan projet) plugins are included.
+ For libstrongswan (cryptographic backends, URI fetchers and database layers):
+  - aes (AES-128/192/256 cipher software implementation)
+  - constraints (X.509 certificate advanced constraint checking)
+  - dnskey (Parse RFC 4034 public keys)
+  - fips-prf (PRF specified by FIPS, used by EAP-SIM/AKA algorithms)
+  - gmp (RSA/DH crypto backend based on libgmp)
+  - hmac (HMAC wrapper using various hashers)
+  - md5 (MD5 hasher software implementation)
+  - nonce (Default nonce generation plugin)
+  - pem (PEM encoding/decoding routines)
+  - pgp (PGP encoding/decoding routines)
+  - pkcs1 (PKCS#1 encoding/decoding routines)
+  - pkcs8 (PKCS#8 decoding routines)
+  - pkcs12 (PKCS#12 decoding routines)
+  - pubkey (Wrapper to handle raw public keys as trusted certificates)
+  - random (RNG reading from /dev/[u]random)
+  - rc2 (RC2 cipher software implementation)
+  - revocation (X.509 CRL/OCSP revocation checking)
+  - sha1 (SHA1 hasher software implementation)
+  - sha2 (SHA256/SHA384/SHA512 hasher software implementation)
+  - sshkey (SSH key decoding routines)
+  - x509 (Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs
+    and OCSP messages)
+  - xcbc (XCBC wrapper using various ciphers)
+ For libhydra (IKE daemon plugins):
+  - attr (Provides IKE attributes configured in strongswan.conf)
+  - kernel-netlink [linux] (IPsec/Networking kernel interface using Linux
+    Netlink)
+  - kernel-pfkey [kfreebsd] (IPsec kernel interface using PF_KEY)
+  - kernel-pfroute [kfreebsd] (Networking kernel interface using PF_ROUTE)
+  - resolve (Writes name servers received via IKE to a resolv.conf file or
+    installs them via resolvconf(8))
+
+Package: libstrongswan-standard-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan utility and crypto library (extra plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides some common plugins for the strongSwan utility and
+ cryptograhic library.
+ .
+ Included plugins are:
+  - agent (RSA/ECDSA private key backend connecting to SSH-Agent)
+  - gcm (GCM cipher mode wrapper)
+  - openssl (Crypto backend based on OpenSSL, provides
+    RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG)
+
+Package: libstrongswan-extra-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan utility and crypto library (extra plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides extra plugins for the strongSwan utility and
+ cryptograhic library.
+ .
+ Included plugins are:
+  - af-alg [linux] (AF_ALG Linux crypto API interface, provides
+    ciphers/hashers/hmac/xcbc)
+  - ccm (CCM cipher mode wrapper)
+  - cmac (CMAC cipher mode wrapper)
+  - ctr (CTR cipher mode wrapper)
+  - curl (libcurl based HTTP/FTP fetcher)
+  - gcrypt (Crypto backend based on libgcrypt, provides
+    RSA/DH/ciphers/hashers/rng)
+  - ldap (LDAP fetching plugin based on libldap)
+  - padlock (VIA padlock crypto backend, provides AES128/SHA1)
+  - pkcs11 (PKCS#11 smartcard backend)
+  - rdrand (High quality / high performance random source using the Intel
+    rdrand instruction found on Ivy Bridge processors)
+  - test-vectors (Set of test vectors for various algorithms)
+
+Package: libcharon-extra-plugins
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libstrongswan (= ${binary:Version})
+Breaks: libstrongswan (<= 5.1.1-1), strongswan-ike (<= 5.1.1-1)
+Replaces: libstrongswan (<= 5.1.1-1),strongswan-ike (<= 5.1.1-1)
+Description: strongSwan charon library (extra plugins)
+ The strongSwan VPN suite uses the native IPsec stack in the standard
+ Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
+ .
+ This package provides extra plugins for the charon library:
+  - addrblock (Narrow traffic selectors to RFC 3779 address blocks in X.509
+    certificates)
+  - certexpire (Export expiration dates of used certificates)
+  - eap-aka (Generic EAP-AKA protocol handler using different backends)
+  - eap-gtc (EAP-GTC protocol handler authenticating with XAuth backends)
+  - eap-identity (EAP-Identity identity exchange algorithm, to use with other
+    EAP protocols)
+  - eap-md5 (EAP-MD5 protocol handler using passwords)
+  - eap-mschapv2 (EAP-MSCHAPv2 protocol handler using passwords/NT hashes)
+  - eap-radius (EAP server proxy plugin forwarding EAP conversations to a
+    RADIUS server)
+  - eap-tls (EAP-TLS protocol handler, to authenticate with certificates in
+    EAP)
+  - eap-tnc (EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel)
+  - eap-ttls (EAP-TTLS protocol handler, wraps other EAP methods securely)
+  - error-notify (Notification about errors via UNIX socket)
+  - ha (High-Availability clustering)
+  - led (Let Linux LED subsystem LEDs blink on IKE activity)
+  - lookip (Virtual IP lookup facility using a UNIX socket)
+  - medcli (Web interface based mediation client interface)
+  - medsrv (Web interface based mediation server interface)
+  - tnc (Trusted Network Connect)
+  - unity (Cisco Unity extensions for IKEv1)
+  - xauth-eap (XAuth backend that uses EAP methods to verify passwords)
+  - xauth-generic (Generic XAuth backend that provides passwords from
+    ipsec.secrets and other credential sets)
+  - xauth-pam (XAuth backend that uses PAM modules to verify passwords)
 
 Package: strongswan-dbg
 Architecture: any
 Section: debug
 Priority: extra
-Depends: ${misc:Depends}, strongswan, libstrongswan
+Depends: ${misc:Depends}, strongswan, libstrongswan (= ${binary:Version})
 Description: strongSwan library and binaries - debugging symbols
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
@@ -72,16 +192,17 @@ Pre-Depends: debconf | debconf-2.0
 Depends: ${shlibs:Depends}, ${misc:Depends}, 
   libstrongswan (= ${binary:Version}), strongswan-starter | strongswan-nm,
   bsdmainutils, debianutils (>=1.7), ipsec-tools, iproute [linux-any]
-Suggests: curl
+Suggests: libcharon-extra-plugins
 Provides: ike-server
 Conflicts: freeswan (<< 2.04-12), openswan, strongswan (<< 4.2.12-1)
-Replaces: strongswan-ikev1, strongswan-ikev2
+Breaks: libstrongswan (<= 5.1.1-1)
+Replaces: strongswan-ikev1, strongswan-ikev2, libstrongswan (<= 5.1.1-1)
 Description: strongSwan Internet Key Exchange (v2) daemon
  The strongSwan VPN suite uses the native IPsec stack in the standard
  Linux kernel. It supports both the IKEv1 and IKEv2 protocols.
  .
  charon is an IPsec IKEv2 daemon. It is written from scratch using a fully
- multi-threaded design and a modular architecture. Various plugins provide
+ multi-threaded design and a modular architecture. Various plugins can provide
  additional functionality.
 
 Package: strongswan-nm
diff --git a/debian/libcharon-extra-plugins.install b/debian/libcharon-extra-plugins.install
new file mode 100644
index 000000000..e126c5fda
--- /dev/null
+++ b/debian/libcharon-extra-plugins.install
@@ -0,0 +1,25 @@
+# libcharon plugins
+usr/lib/ipsec/plugins/libstrongswan-addrblock.so
+usr/lib/ipsec/plugins/libstrongswan-certexpire.so
+usr/lib/ipsec/plugins/libstrongswan-eap*.so
+usr/lib/ipsec/plugins/libstrongswan-error-notify.so
+usr/lib/ipsec/plugins/libstrongswan-ha.so
+usr/lib/ipsec/plugins/libstrongswan-led.so
+usr/lib/ipsec/plugins/libstrongswan-lookip.so
+usr/lib/ipsec/plugins/libstrongswan-medsrv.so
+usr/lib/ipsec/plugins/libstrongswan-medcli.so
+usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
+usr/lib/ipsec/plugins/libstrongswan-unity.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
+usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
+# support libs
+usr/lib/ipsec/libpttls.so*
+usr/lib/ipsec/libradius.so*
+usr/lib/ipsec/libsimaka.so*
+usr/lib/ipsec/libtnccs.so*
+usr/lib/ipsec/libtls.so*
+# binaries
+usr/lib/ipsec/error-notify
+usr/lib/ipsec/lookip
+usr/lib/ipsec/pt-tls-client
diff --git a/debian/libstrongswan-extra-plugins.install b/debian/libstrongswan-extra-plugins.install
new file mode 100644
index 000000000..db196e3a0
--- /dev/null
+++ b/debian/libstrongswan-extra-plugins.install
@@ -0,0 +1,9 @@
+# libstrongswan
+usr/lib/ipsec/plugins/libstrongswan-ccm.so
+usr/lib/ipsec/plugins/libstrongswan-cmac.so
+usr/lib/ipsec/plugins/libstrongswan-ctr.so
+usr/lib/ipsec/plugins/libstrongswan-curl.so
+usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
+usr/lib/ipsec/plugins/libstrongswan-ldap.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
diff --git a/debian/libstrongswan-standard-plugins.install b/debian/libstrongswan-standard-plugins.install
new file mode 100644
index 000000000..e1c3e313f
--- /dev/null
+++ b/debian/libstrongswan-standard-plugins.install
@@ -0,0 +1,4 @@
+# libstrongswan
+usr/lib/ipsec/plugins/libstrongswan-agent.so
+usr/lib/ipsec/plugins/libstrongswan-gcm.so
+usr/lib/ipsec/plugins/libstrongswan-openssl.so
diff --git a/debian/libstrongswan.install b/debian/libstrongswan.install
index c25c099b9..c278d82e1 100644
--- a/debian/libstrongswan.install
+++ b/debian/libstrongswan.install
@@ -1,52 +1,31 @@
+# libstrongswan
 usr/lib/ipsec/libstrongswan.so*
-usr/lib/ipsec/libhydra.so*
-usr/lib/ipsec/libfast.so*
-usr/lib/ipsec/libsimaka.so*
-usr/lib/ipsec/libtnccs.so*
-usr/lib/ipsec/libradius.so*
-usr/lib/ipsec/libtls.so*
-usr/lib/ipsec/libpttls.so*
+usr/lib/ipsec/plugins/libstrongswan-aes.so
+usr/lib/ipsec/plugins/libstrongswan-constraints.so
+usr/lib/ipsec/plugins/libstrongswan-dnskey.so
+usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
 usr/lib/ipsec/plugins/libstrongswan-gmp.so
-usr/lib/ipsec/plugins/libstrongswan-openssl.so
-usr/lib/ipsec/plugins/libstrongswan-x509.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
+usr/lib/ipsec/plugins/libstrongswan-hmac.so
+usr/lib/ipsec/plugins/libstrongswan-md5.so
+usr/lib/ipsec/plugins/libstrongswan-nonce.so
 usr/lib/ipsec/plugins/libstrongswan-pgp.so
 usr/lib/ipsec/plugins/libstrongswan-pem.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
+usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
 usr/lib/ipsec/plugins/libstrongswan-pubkey.so
-usr/lib/ipsec/plugins/libstrongswan-hmac.so
-usr/lib/ipsec/plugins/libstrongswan-xcbc.so
 usr/lib/ipsec/plugins/libstrongswan-random.so
-usr/lib/ipsec/plugins/libstrongswan-aes.so
-usr/lib/ipsec/plugins/libstrongswan-xcbc.so
-usr/lib/ipsec/plugins/libstrongswan-ctr.so
-usr/lib/ipsec/plugins/libstrongswan-ccm.so
-usr/lib/ipsec/plugins/libstrongswan-gcm.so
-usr/lib/ipsec/plugins/libstrongswan-led.so
-usr/lib/ipsec/plugins/libstrongswan-addrblock.so
-usr/lib/ipsec/plugins/libstrongswan-md5.so
+usr/lib/ipsec/plugins/libstrongswan-rc2.so
+usr/lib/ipsec/plugins/libstrongswan-revocation.so
 usr/lib/ipsec/plugins/libstrongswan-sha1.so
 usr/lib/ipsec/plugins/libstrongswan-sha2.so
-usr/lib/ipsec/plugins/libstrongswan-dnskey.so
-usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
-usr/lib/ipsec/plugins/libstrongswan-resolve.so
-usr/lib/ipsec/plugins/libstrongswan-ha.so
-usr/lib/ipsec/plugins/libstrongswan-revocation.so
-usr/lib/ipsec/plugins/libstrongswan-constraints.so
-usr/lib/ipsec/plugins/libstrongswan-test-vectors.so
-usr/lib/ipsec/plugins/libstrongswan-tnc-tnccs.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
-usr/lib/ipsec/plugins/libstrongswan-cmac.so
-usr/lib/ipsec/plugins/libstrongswan-ldap.so
-usr/lib/ipsec/plugins/libstrongswan-attr*.so
-usr/lib/ipsec/plugins/libstrongswan-curl.so
-usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
-usr/lib/ipsec/plugins/libstrongswan-nonce.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-eap.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
-usr/lib/ipsec/plugins/libstrongswan-xauth-pam.so
-usr/lib/ipsec/plugins/libstrongswan-rc2.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
 usr/lib/ipsec/plugins/libstrongswan-sshkey.so
+usr/lib/ipsec/plugins/libstrongswan-x509.so
+usr/lib/ipsec/plugins/libstrongswan-xcbc.so
+# libhydra
+usr/lib/ipsec/libhydra.so*
+usr/lib/ipsec/plugins/libstrongswan-attr.so
+usr/lib/ipsec/plugins/libstrongswan-resolve.so
 etc/strongswan.conf
+usr/lib/ipsec/libfast.so*
diff --git a/debian/rules b/debian/rules
index 85b75aabb..d7ad51ad3 100755
--- a/debian/rules
+++ b/debian/rules
@@ -84,10 +84,10 @@ override_dh_install:
 	# first special cases
 ifeq ($(DEB_BUILD_ARCH_OS),linux)
 	# handle Linux-only plugins
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-dhcp.so
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-farp.so
+	dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-dhcp.so
+	dh_install -p libcharon-extra-plugins usr/lib/ipsec/plugins/libstrongswan-farp.so
 	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-af-alg.so
+	dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-af-alg.so
 endif
 
 ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
@@ -98,12 +98,12 @@ endif
 
 ifeq ($(DEB_BUILD_ARCH_CPU),i386)
 	# special handling for padlock, as it is only built on i386
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-padlock.so
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
+	dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-padlock.so
+	dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so
 endif
 
 ifeq ($(DEB_BUILD_ARCH_CPU), amd64)
-	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
+	dh_install -p libstrongswan-extras-plugins usr/lib/ipsec/plugins/libstrongswan-rdrand.so
 endif
 
 	# then install the rest, ignoring the above
diff --git a/debian/strongswan-ike.install b/debian/strongswan-ike.install
index e00deaa94..6c1185f83 100644
--- a/debian/strongswan-ike.install
+++ b/debian/strongswan-ike.install
@@ -1,13 +1,3 @@
 usr/lib/ipsec/libcharon.so*
 usr/lib/ipsec/charon
-usr/lib/ipsec/lookip
-usr/lib/ipsec/error-notify
 usr/lib/ipsec/plugins/libstrongswan-socket*.so
-usr/lib/ipsec/plugins/libstrongswan-eap*.so
-usr/lib/ipsec/plugins/libstrongswan-agent.so
-usr/lib/ipsec/plugins/libstrongswan-medsrv.so
-usr/lib/ipsec/plugins/libstrongswan-medcli.so
-usr/lib/ipsec/plugins/libstrongswan-certexpire.so
-usr/lib/ipsec/plugins/libstrongswan-lookip.so
-usr/lib/ipsec/plugins/libstrongswan-error-notify.so
-usr/lib/ipsec/plugins/libstrongswan-unity.so
diff --git a/debian/strongswan-starter.install b/debian/strongswan-starter.install
index dff09e33a..feb578bc6 100644
--- a/debian/strongswan-starter.install
+++ b/debian/strongswan-starter.install
@@ -18,7 +18,6 @@ usr/share/man/man8/_updown_espmark.8
 usr/bin/pki
 usr/lib/ipsec/scepclient
 usr/lib/ipsec/openac
-usr/lib/ipsec/pt-tls-client
 usr/share/man/man8/scepclient.8
 usr/share/man/man8/openac.8
 usr/share/man/man1/pki---gen.1