Accepting request 139871 from network:vpn

- Updated to strongSwan 5.0.1 release. Changes digest: - Introduced the sending of the standard IETF Assessment Result PA-TNC attribute by all strongSwan Integrity Measurement Verifiers. - Extended PTS Attestation IMC/IMV pair to provide full evidence of the Linux IMA measurement process. All pertinent file information of a Linux OS can be collected and stored in an SQL database. - The PA-TNC and PB-TNC protocols can now process huge data payloads. - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated clients against any PAM service. - The new unity plugin brings support for some parts of the IKEv1 Cisco Unity Extensions. - The kernel-netlink plugin supports the new strongswan.conf option charon.install_virtual_ip_on. - Job handling in controller_t was fixed, which occasionally caused crashes on ipsec up/down. - Fixed transmission EAP-MSCHAPv2 user name if it contains a domain part. Changes digest from strongSwan 5.0.0 version: * The charon IKE daemon gained experimental support for the IKEv1 protocol. Pluto has been removed from the 5.x series. * The NetworkManager charon plugin of previous releases is now provided by a separate executable (charon-nm) and it should work again with NM 0.9. * scepclient was updated and it now works fine with Windows Server 2008 R2. - Adopted spec file, enabled several plugins, e.g.: ccm, certexpire, coupling, ctr, duplicheck, eap-dynamic, eap-peap, eap-tls, eap-tnc, eap-ttls, gcm, nonce, radattr, tnc, tnccs, unity, xauth-eap and pam. - Changed to install strongswan.service with alias to ipsec.service instead of the /etc/init.d/ipsec init script on openSUSE > 12.2. OBS-URL: https://build.opensuse.org/request/show/139871 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=46
2012-11-08 20:54:04 +00:00 · 2012-11-08 20:54:04 +00:00 · 4b7aea4880
commit 4b7aea4880
parent b5cb816081 3f181ce1a7
11 changed files with 245 additions and 220 deletions
--- a/0001-openssl-Ensure-the-thread-ID-is-never-zero.patch
+++ b/0001-openssl-Ensure-the-thread-ID-is-never-zero.patch
@ -1,30 +0,0 @@
-From 901dbc1077f6c9bd29369cad848bc79a29c1a65b Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Sat, 30 Jun 2012 10:05:41 +0200
-Subject: [PATCH] openssl: Ensure the thread ID is never zero
-
-This might otherwise cause problems because OpenSSL tries to lock
-mutexes recursively if it assumes the lock is held by a different
-thread e.g. during FIPS initialization.
---
- src/libstrongswan/plugins/openssl/openssl_plugin.c |    4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
-index 5a11412..7daa92b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
-+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
-@@ -129,7 +129,9 @@ static void destroy_function(struct CRYPTO_dynlock_value *lock,
-  */
- static unsigned long id_function(void)
- {
-	return (unsigned long)thread_current_id();
-+	/* ensure the thread ID is never zero, otherwise OpenSSL might try to
-+	 * acquire locks recursively */
-+	return 1 + (unsigned long)thread_current_id();
- }
- 
- /**
-- 
-1.7.7
-
--- a/strongswan-4.6.4-fmt-warnings.patch
+++ b/strongswan-4.6.4-fmt-warnings.patch
@ -1,31 +0,0 @@
--- src/checksum/checksum_builder.c
-+++ src/checksum/checksum_builder.c	2012/02/15 13:08:35
-@@ -64,9 +64,9 @@ static void build_checksum(char *path, c
- 			fprintf(stderr, "dlopen failed: %s\n", dlerror());
- 		}
- 	}
-	printf("\t{\"%-25s%7u, 0x%08x, %6u, 0x%08x},\n",
-+	printf("\t{\"%-25s%7zu, 0x%08x, %6zu, 0x%08x},\n",
- 		   name, fsize, fsum, ssize, ssum);
-	fprintf(stderr, "\"%-25s%7u / 0x%08x       %6u / 0x%08x\n",
-+	fprintf(stderr, "\"%-25s%7zu / 0x%08x       %6zu / 0x%08x\n",
- 			name, fsize, fsum, ssize, ssum);
- }
- 
-@@ -106,14 +106,14 @@ static void build_binary_checksum(char *
- 		pos = strrchr(binary, '.');
- 		if (pos && streq(pos, ".so"))
- 		{
-			snprintf(name, sizeof(name), "%.*s\",", pos - binary, binary);
-+			snprintf(name, sizeof(name), "%.*s\",", (int)(pos - binary), binary);
- 			if (streq(name, "libstrongswan\","))
- 			{
- 				snprintf(sname, sizeof(sname), "%s", "library_init");
- 			}
- 			else
- 			{
-				snprintf(sname, sizeof(sname), "%.*s_init", pos - binary, binary);
-+				snprintf(sname, sizeof(sname), "%.*s_init", (int)(pos - binary), binary);
- 			}
- 			build_checksum(path, name, sname);
- 		}
--- a/strongswan-4.6.4.tar.bz2
+++ b/strongswan-4.6.4.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f372b4cc3d6c8a50a0b262e02e6a7fad43f91cc5a80cbd9432eb3c48ab2d4c69
-size 3504672
--- a/strongswan-4.6.4.tar.bz2.sig
+++ b/strongswan-4.6.4.tar.bz2.sig
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJPx4AbAAoJEN9CwXCzTbp3+GoL/Rs0El+oVlfUTT20/6IhwhI2
-1DJ2kRB97EqDYe7qzBVHaRs1ceU61JhsOEF+DICDttDamAYOlPMkU0Lonmk4uSqe
-Z1TVC7vcQdJEW5dPgx8UYRSxB4VdYkGq8FZSfK0Hdcn69EVnRneqb1oqGPXs3unI
-Eut8dounWYXSXtUhfajKeKmCXyMJDfSRAIoCsF4D/BpiU+VtHPqwLGS6KEfWsYyJ
-cqq5mc4rAL4Y6rLsi6YhqXvrV9klmVpMnlq7dftod7xWXOFX6d6mDSCIH0BrNyar
-AuWJ8CqO06Olp6V8sKTdrtBfuJelM4cEUyehwJbssem7bRCBikkzj0/Yxl7Uu77v
-QplLktKlsq/K8SkzNaqjTNxe7SvrIcrY1ErJTm6iMuinvlIjzoYPhpfnbNcyrrXQ
-qqJ1RTnrXWxDAt41vHTV8I4afhQdt9WlBrp+xYT42PiPll1V6vLx5f/OLDQUVvSo
-co+HFiKgg43090Pi4x5N0J1D1tuVuE7g9IGa1RAyYg==
-=XivO
-----END PGP SIGNATURE-----
--- a/strongswan-5.0.1-rpmlintrc
+++ b/strongswan-5.0.1-rpmlintrc
--- a/strongswan-5.0.1.tar.bz2
+++ b/strongswan-5.0.1.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1a4dff19ef69d15e0b90b1ea80bd183235ac73b4ecd114aab58ed54de0f5c3b4
+size 3146776
--- a/strongswan-5.0.1.tar.bz2.sig
+++ b/strongswan-5.0.1.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQGcBAABAgAGBQJQa9S/AAoJEN9CwXCzTbp30d0L/3Uj1RYm8+25k+RLIWvU1q/L
+z5+mLjNAZpxoV7t1lUuMAA2STvZFisMtoNkw2EhsdanRsEV+WYpL101EPPMja077
+BT86DVKk/IDtoGLKpQK41mV5h0bWzrUBXodw2ggoG1bOLhdfuV6z7hAn3GI+AgxM
+Eus0TUWNT6VRZzYgTAcofmUyKM4Hruh5+82OSJtj8eeCqe333fdV/k6mumxYhoLB
+b1Yp8NVuMmjbfp0T/kyMAlRMnOb1DGjun9sBNaPK+t6+wcToLDeijl+D83l67ZIl
+Et0fehugK5dbkGtUbZHOJFWiSGyVP3eDVOjxMBp6ejBAwi0GwqNWXsE0GnHJr9TL
+Q3TrM8Kt0vJ6mhlWU9KFGoRwpiyR+3pBc8smZkJvIs3kKIL5ItTVPsJcWJKu2iEd
+L6+X15ZScalcrMJOGRYjgKh7cchIgVaudJOnPLtXjfyMuq+07Zz1ZhybUIu+i5Zo
+q8AVLAoM6MkUXWKkJR51CH08+w32DaDp5p7yRyxCRA==
+=100T
+-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Wed Oct 31 15:25:16 UTC 2012 - mt@suse.de
+
+- Updated to strongSwan 5.0.1 release. Changes digest:
+  - Introduced the sending of the standard IETF Assessment Result
+    PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
+  - Extended PTS Attestation IMC/IMV pair to provide full evidence of
+    the Linux IMA measurement process. All pertinent file information
+    of a Linux OS can be collected and stored in an SQL database.
+  - The PA-TNC and PB-TNC protocols can now process huge data payloads.
+  - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid
+    authenticated clients against any PAM service.
+  - The new unity plugin brings support for some parts of the IKEv1
+    Cisco Unity Extensions.
+  - The kernel-netlink plugin supports the new strongswan.conf option
+    charon.install_virtual_ip_on.
+  - Job handling in controller_t was fixed, which occasionally caused
+    crashes on ipsec up/down.
+  - Fixed transmission EAP-MSCHAPv2 user name if it contains a domain
+    part.
+  Changes digest from strongSwan 5.0.0 version:
+  * The charon IKE daemon gained experimental support for the IKEv1
+    protocol. Pluto has been removed from the 5.x series.
+  * The NetworkManager charon plugin of previous releases is now
+    provided by a separate executable (charon-nm) and it should work
+    again with NM 0.9.
+  * scepclient was updated and it now works fine with Windows Server
+    2008 R2.
+  For full list of the changes, please read the NEWS file shipped
+  in the strongswan-doc package or online:
+  http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
+- Adopted spec file, enabled several plugins, e.g.: ccm, certexpire,
+  coupling, ctr, duplicheck, eap-dynamic, eap-peap, eap-tls, eap-tnc,
+  eap-ttls, gcm, nonce, radattr, tnc, tnccs, unity, xauth-eap and pam.
+- Changed to install strongswan.service with alias to ipsec.service
+  instead of the /etc/init.d/ipsec init script on openSUSE > 12.2.
+
 -------------------------------------------------------------------
 Fri Sep  7 08:36:57 UTC 2012 - mt@suse.de

--- a/strongswan.spec
+++ b/strongswan.spec
@ -17,23 +17,40 @@


 Name:           strongswan
-Version:        4.6.4
+Version:        5.0.1
 Release:        0
 %define         upstream_version   %{version}
 %define         strongswan_docdir  %{_docdir}/%{name}
 %define         strongswan_libdir  %{_libdir}/ipsec
 %define         strongswan_plugins %{strongswan_libdir}/plugins
-%define		with_mysql	1
-%define		with_sqlite	0%{suse_version} >= 1110
-%define		with_gcrypt	0%{suse_version} >= 1110
-%define		with_nm		0%{suse_version} >= 1110
-%define		with_tests	0
+%if 0
+%bcond_without  tests
+%else
+%bcond_with     tests
+%endif
+%if 1
+%bcond_without  mysql
+%else
+%bcond_with     mysql
+%endif
+%if 0%{suse_version} >= 1110
+%bcond_without  sqlite
+%bcond_without  gcrypt
+%bcond_without  nm
+%else
+%bcond_with     sqlite
+%bcond_with     gcrypt
+%bcond_with     nm
+%endif
+%if 0%{suse_version} > 1220
+%bcond_without  systemd
+%else
+%bcond_with     systemd
+%endif
 Summary:        OpenSource IPsec-based VPN Solution
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
 Url:            http://www.strongswan.org/
-Requires:       strongswan-ikev1 = %{version}
-Requires:       strongswan-ikev2 = %{version}
 Requires:       strongswan-ipsec = %{version}
 Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
 Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
@ -41,8 +58,7 @@ Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Source4:        README.SUSE
 Patch1:         %{name}_modprobe_syslog.patch
-Patch2:         %{name}-%{version}-fmt-warnings.patch
-Patch3:         0001-openssl-Ensure-the-thread-ID-is-never-zero.patch
+Patch2:         %{name}_ipsec_service.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@ -51,21 +67,26 @@ BuildRequires:  gmp-devel
 BuildRequires:  gperf
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
+BuildRequires:  libsoup-devel
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
+BuildRequires:  pcsc-lite-devel
 BuildRequires:  pkg-config
-%if %with_mysql
+%if %{with mysql}
 BuildRequires:  libmysqlclient-devel
 %endif
-%if %with_sqlite
+%if %{with sqlite}
 BuildRequires:  sqlite3-devel
 %endif
-%if %with_gcrypt
+%if %{with gcrypt}
 BuildRequires:  libgcrypt-devel
 %endif
-%if %with_nm
+%if %{with nm}
 BuildRequires:  NetworkManager-devel
 %endif
+%if %{with systemd}
+BuildRequires:  systemd-devel
+%endif
 BuildRequires:  iptables
 BuildRequires:  libnl >= 1.1

@ -133,47 +154,14 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

 This package provides the strongswan library and plugins.

-%package ikev1
-Summary:        OpenSource IPsec-based VPN Solution
-Group:          Productivity/Networking/Security
-Requires:       iproute2
-Requires:       strongswan-ipsec = %{version}
-Requires:       strongswan-libs0 = %{version}
-Provides:       ikev1
-Provides:       pluto
-Provides:       strongswan-daemon = %{version}
-Conflicts:      freeswan openswan strongswan < %{version}
-
-%description ikev1
-StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
-
-This package provides the pluto IKEv1 daemon.
-
-%package ikev2
-Summary:        OpenSource IPsec-based VPN Solution
-Group:          Productivity/Networking/Security
-Requires:       iproute2
-Requires:       strongswan-daemon-starter = %{version}
-Requires:       strongswan-libs0 = %{version}
-Provides:       ikev2
-Provides:       strongswan-daemon = %{version}
-Conflicts:      openswan strongswan < %{version}
-
-%description ikev2
-StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
-
-This package provides the charon IKEv2 daemon.
-
 %package ipsec
 Summary:        OpenSource IPsec-based VPN Solution
 Group:          Productivity/Networking/Security
 PreReq:         grep %insserv_prereq %fillup_prereq
-Requires:       strongswan-daemon = %{version}
 Requires:       strongswan-libs0 = %{version}
 Provides:       VPN
 Provides:       ipsec
 Provides:       strongswan = %{version}
-Provides:       strongswan-daemon-starter = %{version}
 Obsoletes:      strongswan < %{version}
 Conflicts:      freeswan openswan

@ -181,10 +169,10 @@ Conflicts:      freeswan openswan
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

 This package provides the /etc/init.d/ipsec service script and allows
-to maintain both, IKEv1 and IKEv2 daemons, using /etc/ipsec.conf and
+to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the
 /etc/ipsec.sectes files.

-%if %with_mysql
+%if %{with mysql}

 %package mysql
 Summary:        OpenSource IPsec-based VPN Solution
@ -198,7 +186,7 @@ This package provides the strongswan mysql plugin.

 %endif

-%if %with_sqlite
+%if %{with sqlite}

 %package sqlite
 Summary:        OpenSource IPsec-based VPN Solution
@ -212,14 +200,12 @@ This package provides the strongswan sqlite plugin.

 %endif

-%if %with_nm
+%if %{with nm}

 %package nm
 Summary:        OpenSource IPsec-based VPN Solution
 Group:          Productivity/Networking/Security
-Requires:       strongswan-ikev2 = %{version}
 Requires:       strongswan-libs0 = %{version}
-Provides:       strongswan-daemon-starter = %{version}

 %description nm
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@ -230,7 +216,7 @@ NetworkManager-strongswan graphical user interface.

 %endif

-%if %with_tests
+%if %{with tests}

 %package tests

@ -250,7 +236,6 @@ and the load testing plugin for IKEv2 daemon.
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
-%patch3 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < $RPM_SOURCE_DIR/strongswan.init.in \
     > strongswan.init
@ -261,62 +246,95 @@ export RPM_OPT_FLAGS CFLAGS
 #libtoolize --force
 #autoreconf
 %configure \
+	--enable-conftest \
 	--enable-integrity-test \
 	--with-capabilities=libcap \
 	--with-plugindir=%{strongswan_plugins} \
 	--with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \
-	--enable-smartcard \
-	--with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
-	--enable-cisco-quirks \
+	--enable-pkcs11 \
 	--enable-openssl \
 	--enable-agent \
-	--enable-md4 \
+	--enable-gcrypt \
 	--enable-blowfish \
+	--enable-ctr \
+	--enable-ccm \
+	--enable-gcm \
+	--enable-unity \
+	--enable-md4 \
+	--enable-af-alg \
 	--enable-eap-sim \
 	--enable-eap-sim-file \
+	--enable-eap-sim-pcsc \
+	--enable-eap-aka \
+	--enable-eap-aka-3gpp2 \
 	--enable-eap-simaka-sql \
 	--enable-eap-simaka-pseudonym \
 	--enable-eap-simaka-reauth \
+	--enable-eap-identity \
 	--enable-eap-md5 \
 	--enable-eap-gtc \
-	--enable-eap-aka \
-	--enable-eap-radius \
-	--enable-eap-identity \
 	--enable-eap-mschapv2 \
-	--enable-eap-aka-3gpp2 \
+	--enable-eap-tls \
+	--enable-eap-ttls \
+	--enable-eap-peap \
+	--enable-eap-tnc \
+	--enable-eap-dynamic \
+	--enable-eap-radius \
+	--enable-xauth-eap \
+	--enable-xauth-pam \
+	--enable-tnc-pdp \
+	--enable-tnc-imc \
+	--enable-tnc-imv \
+	--enable-tnccs-11 \
+	--enable-tnccs-20 \
+	--enable-tnccs-dynamic \
+	--enable-imc-test \
+	--enable-imv-test \
+	--enable-imc-scanner \
+	--enable-imv-scanner \
 	--enable-ha \
 	--enable-dhcp \
 	--enable-farp \
+	--enable-smp \
 	--enable-sql \
 	--enable-attr-sql \
 	--enable-addrblock \
-%if %with_mysql
+	--enable-radattr \
+	--enable-mediation \
+	--enable-led \
+	--enable-certexpire \
+	--enable-duplicheck \
+	--enable-coupling \
+%if %{with mysql}
 	--enable-mysql \
 %endif
-%if %with_sqlite
+%if %{with sqlite}
 	--enable-sqlite \
 %endif
-%if %with_gcrypt
+%if %{with gcrypt}
 	--enable-gcrypt \
 %endif
-%if %with_nm
+%if %{with nm}
 	--enable-nm \
 %endif
-%if %with_tests
+%if %{with tests}
 	--enable-load-tester \
 	--enable-test-vectors \
 %endif
 	--enable-ldap \
+	--enable-soup \
 	--enable-curl
 make %{?_smp_mflags:%_smp_mflags}

 %install
 export RPM_BUILD_ROOT
-install -m755 -d              ${RPM_BUILD_ROOT}%{_sbindir}/
-install -m755 -d              ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
-install -m755 -d              ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
+install -d -m755              ${RPM_BUILD_ROOT}%{_sbindir}/
+install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
+%if ! %{with systemd}
+install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
 install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
 ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
+%endif
 #
 make install DESTDIR="$RPM_BUILD_ROOT"
 #
@ -330,15 +348,18 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
 #
 EOT
 #
-rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,radius,strongswan,simaka}.so
+rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so
+rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
 find  $RPM_BUILD_ROOT%{strongswan_libdir} \
      -name "*.a" -o -name "*.la" | xargs -r rm -f
 #
-install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/
-install -m644 TODO NEWS README COPYING CREDITS \
-              ${RPM_SOURCE_DIR}/README.SUSE \
-                 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
-install -m755 -d $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan
+install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
+install -c -m644 TODO NEWS README COPYING LICENSE \
+		 AUTHORS ChangeLog \
+		 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
+install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
+		 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
+install -d -m755 $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan

 %post libs0
 %{run_ldconfig}
@ -349,19 +370,27 @@ test -d %{_localstatedir}/run/strongswan || \
 %{run_ldconfig}

 %post ipsec
+%if ! %{with systemd}
 %{fillup_and_insserv ipsec}
+%endif

 %preun ipsec
+%if ! %{with systemd}
 %{stop_on_removal ipsec}
-if test -s %{_sysconfdir}/ipsec.secrets.rpmsave; then
-  cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave %{_sysconfdir}/ipsec.secrets.rpmsave.old
+%endif
+if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
+	cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \
+	                        %{_sysconfdir}/ipsec.secrets.rpmsave.old
 fi
-if test -s %{_sysconfdir}/ipsec.conf.rpmsave; then
-  cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave %{_sysconfdir}/ipsec.conf.rpmsave.old
+if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
+	cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
+	                        %{_sysconfdir}/ipsec.conf.rpmsave.old
 fi

 %postun ipsec
+%if ! %{with systemd}
 %{insserv_cleanup}
+%endif

 %files
 %defattr(-,root,root)
@ -381,38 +410,34 @@ fi
 %dir %{_sysconfdir}/ipsec.d/cacerts
 %dir %{_sysconfdir}/ipsec.d/ocspcerts
 %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
+%if %{with systemd}
+/lib/systemd/system/strongswan.service
+%else
 %config %{_sysconfdir}/init.d/ipsec
 %{_sbindir}/rcipsec
+%endif
 %{_sbindir}/ipsec
 %{_mandir}/man8/ipsec.8*
 %{_mandir}/man5/ipsec.conf.5*
 %{_mandir}/man5/ipsec.secrets.5*
 %{_mandir}/man5/strongswan.conf.5*
 %dir %{_libexecdir}/ipsec
+%{_libexecdir}/ipsec/_copyright
 %{_libexecdir}/ipsec/_updown
 %{_libexecdir}/ipsec/_updown_espmark
-%{_libexecdir}/ipsec/_copyright
-%{_libexecdir}/ipsec/pki
+%{_libexecdir}/ipsec/conftest
+%{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/openac
+%{_libexecdir}/ipsec/pki
+%{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/scepclient
 %{_libexecdir}/ipsec/starter
 %{_libexecdir}/ipsec/stroke
+%{_libexecdir}/ipsec/charon
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so

-%files ikev1
-%defattr(-,root,root)
-%dir %{_libexecdir}/ipsec
-%{_libexecdir}/ipsec/whack
-%{_libexecdir}/ipsec/pluto
-%{_libexecdir}/ipsec/_pluto_adns
-
-%files ikev2
-%defattr(-,root,root)
-%dir %{_libexecdir}/ipsec
-%{_libexecdir}/ipsec/charon
-
 %files doc
 %defattr(-,root,root)
 %dir %{strongswan_docdir}
@ -420,73 +445,74 @@ fi
 %{strongswan_docdir}/NEWS
 %{strongswan_docdir}/README
 %{strongswan_docdir}/COPYING
-%{strongswan_docdir}/CREDITS
-%{_mandir}/man3/anyaddr.3*
-%{_mandir}/man3/atoaddr.3*
-%{_mandir}/man3/atoasr.3*
-%{_mandir}/man3/atoul.3*
-%{_mandir}/man3/goodmask.3*
-%{_mandir}/man3/initaddr.3*
-%{_mandir}/man3/initsubnet.3*
-%{_mandir}/man3/portof.3*
-%{_mandir}/man3/rangetosubnet.3*
-%{_mandir}/man3/sameaddr.3*
-%{_mandir}/man3/subnetof.3*
-%{_mandir}/man3/ttoaddr.3*
-%{_mandir}/man3/ttodata.3*
-%{_mandir}/man3/ttosa.3*
-%{_mandir}/man3/ttoul.3*
+%{strongswan_docdir}/LICENSE
+%{strongswan_docdir}/AUTHORS
+%{strongswan_docdir}/ChangeLog
 %{_mandir}/man8/_updown.8*
 %{_mandir}/man8/_updown_espmark.8*
 %{_mandir}/man8/openac.8*
-%{_mandir}/man8/pluto.8*
 %{_mandir}/man8/scepclient.8*

 %files libs0
 %defattr(-,root,root)
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
 %dir %{_libexecdir}/ipsec
-%dir %{_libexecdir}/ipsec/pool
 %dir %{strongswan_libdir}
 %{strongswan_libdir}/libchecksum.so
-%{strongswan_libdir}/libhydra.so.0
-%{strongswan_libdir}/libhydra.so.0.0.0
-%{strongswan_libdir}/libcharon.so.0
-%{strongswan_libdir}/libcharon.so.0.0.0
-%{strongswan_libdir}/libradius.so.0
-%{strongswan_libdir}/libradius.so.0.0.0
-%{strongswan_libdir}/libsimaka.so.0
-%{strongswan_libdir}/libsimaka.so.0.0.0
-%{strongswan_libdir}/libstrongswan.so.0
-%{strongswan_libdir}/libstrongswan.so.0.0.0
+%{strongswan_libdir}/libcharon.so.*
+%{strongswan_libdir}/libhydra.so.*
+%{strongswan_libdir}/libradius.so.*
+%{strongswan_libdir}/libsimaka.so.*
+%{strongswan_libdir}/libstrongswan.so.*
+%{strongswan_libdir}/libtls.so.*
+%{strongswan_libdir}/libtnccs.so.*
+%{strongswan_libdir}/libimcv.so.*
+%dir %{strongswan_libdir}/imcvs
+%{strongswan_libdir}/imcvs/imc-scanner.so
+%{strongswan_libdir}/imcvs/imc-test.so
+%{strongswan_libdir}/imcvs/imv-scanner.so
+%{strongswan_libdir}/imcvs/imv-test.so
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-addrblock.so
 %{strongswan_plugins}/libstrongswan-aes.so
+%{strongswan_plugins}/libstrongswan-af-alg.so
 %{strongswan_plugins}/libstrongswan-agent.so
 %{strongswan_plugins}/libstrongswan-attr.so
 %{strongswan_plugins}/libstrongswan-attr-sql.so
 %{strongswan_plugins}/libstrongswan-blowfish.so
+%{strongswan_plugins}/libstrongswan-ccm.so
+%{strongswan_plugins}/libstrongswan-certexpire.so
 %{strongswan_plugins}/libstrongswan-cmac.so
 %{strongswan_plugins}/libstrongswan-constraints.so
+%{strongswan_plugins}/libstrongswan-coupling.so
+%{strongswan_plugins}/libstrongswan-ctr.so
 %{strongswan_plugins}/libstrongswan-curl.so
 %{strongswan_plugins}/libstrongswan-des.so
 %{strongswan_plugins}/libstrongswan-dhcp.so
 %{strongswan_plugins}/libstrongswan-dnskey.so
+%{strongswan_plugins}/libstrongswan-duplicheck.so
 %{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
 %{strongswan_plugins}/libstrongswan-eap-aka.so
+%{strongswan_plugins}/libstrongswan-eap-dynamic.so
 %{strongswan_plugins}/libstrongswan-eap-gtc.so
 %{strongswan_plugins}/libstrongswan-eap-identity.so
 %{strongswan_plugins}/libstrongswan-eap-md5.so
 %{strongswan_plugins}/libstrongswan-eap-mschapv2.so
+%{strongswan_plugins}/libstrongswan-eap-peap.so
 %{strongswan_plugins}/libstrongswan-eap-radius.so
+%{strongswan_plugins}/libstrongswan-eap-sim-file.so
+%{strongswan_plugins}/libstrongswan-eap-sim-pcsc.so
+%{strongswan_plugins}/libstrongswan-eap-sim.so
 %{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
 %{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
 %{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
-%{strongswan_plugins}/libstrongswan-eap-sim-file.so
-%{strongswan_plugins}/libstrongswan-eap-sim.so
+%{strongswan_plugins}/libstrongswan-eap-tls.so
+%{strongswan_plugins}/libstrongswan-eap-tnc.so
+%{strongswan_plugins}/libstrongswan-eap-ttls.so
 %{strongswan_plugins}/libstrongswan-farp.so
 %{strongswan_plugins}/libstrongswan-fips-prf.so
-%if %with_gcrypt
+%{strongswan_plugins}/libstrongswan-gcm.so
+%if %{with gcrypt}
 %{strongswan_plugins}/libstrongswan-gcrypt.so
 %endif
 %{strongswan_plugins}/libstrongswan-gmp.so
@ -494,36 +520,52 @@ fi
 %{strongswan_plugins}/libstrongswan-hmac.so
 %{strongswan_plugins}/libstrongswan-kernel-netlink.so
 %{strongswan_plugins}/libstrongswan-ldap.so
+%{strongswan_plugins}/libstrongswan-led.so
 %{strongswan_plugins}/libstrongswan-md4.so
 %{strongswan_plugins}/libstrongswan-md5.so
+%{strongswan_plugins}/libstrongswan-nonce.so
 %{strongswan_plugins}/libstrongswan-openssl.so
 %{strongswan_plugins}/libstrongswan-pem.so
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
+%{strongswan_plugins}/libstrongswan-pkcs11.so
 %{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
+%{strongswan_plugins}/libstrongswan-radattr.so
 %{strongswan_plugins}/libstrongswan-random.so
 %{strongswan_plugins}/libstrongswan-resolve.so
 %{strongswan_plugins}/libstrongswan-revocation.so
 %{strongswan_plugins}/libstrongswan-sha1.so
 %{strongswan_plugins}/libstrongswan-sha2.so
-%{strongswan_plugins}/libstrongswan-socket*.so
+%{strongswan_plugins}/libstrongswan-smp.so
+%{strongswan_plugins}/libstrongswan-socket-default.so
+%{strongswan_plugins}/libstrongswan-soup.so
 %{strongswan_plugins}/libstrongswan-sql.so
+%{strongswan_plugins}/libstrongswan-tnc-imc.so
+%{strongswan_plugins}/libstrongswan-tnc-imv.so
+%{strongswan_plugins}/libstrongswan-tnc-pdp.so
+%{strongswan_plugins}/libstrongswan-tnc-tnccs.so
+%{strongswan_plugins}/libstrongswan-tnccs-11.so
+%{strongswan_plugins}/libstrongswan-tnccs-20.so
+%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so
+%{strongswan_plugins}/libstrongswan-unity.so
 %{strongswan_plugins}/libstrongswan-x509.so
-%{strongswan_plugins}/libstrongswan-xauth.so
+%{strongswan_plugins}/libstrongswan-xauth-eap.so
+%{strongswan_plugins}/libstrongswan-xauth-generic.so
+%{strongswan_plugins}/libstrongswan-xauth-pam.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
 %dir %ghost %{_localstatedir}/run/strongswan

-%if %with_nm
+%if %{with nm}

 %files nm
 %defattr(-,root,root)
 %dir %{_libexecdir}/ipsec
 %dir %{strongswan_plugins}
-%{strongswan_plugins}/libstrongswan-nm.so
+%{_libexecdir}/ipsec/charon-nm
 %endif

-%if %with_mysql
+%if %{with mysql}

 %files mysql
 %defattr(-,root,root)
@ -531,7 +573,7 @@ fi
 %{strongswan_plugins}/libstrongswan-mysql.so
 %endif

-%if %with_sqlite
+%if %{with sqlite}

 %files sqlite
 %defattr(-,root,root)
@ -539,7 +581,7 @@ fi
 %{strongswan_plugins}/libstrongswan-sqlite.so
 %endif

-%if %with_tests
+%if %{with tests}

 %files tests
 %defattr(-,root,root)
--- a/strongswan_ipsec_service.patch
+++ b/strongswan_ipsec_service.patch
@ -0,0 +1,7 @@
+--- init/systemd/strongswan.service.in
+++ init/systemd/strongswan.service.in	2012/10/31 15:21:11
+@@ -8,3 +8,4 @@ StandardOutput=syslog
+ 
+ [Install]
+ WantedBy=multi-user.target
+Alias=ipsec.service
--- a/strongswan_modprobe_syslog.patch
+++ b/strongswan_modprobe_syslog.patch
@ -1,6 +1,6 @@
 --- src/starter/klips.c
-+++ src/starter/klips.c	2010/03/02 16:43:05
-@@ -34,7 +34,7 @@ starter_klips_init(void)
+++ src/starter/klips.c	2012/10/30 17:07:23
+@@ -30,7 +30,7 @@ bool starter_klips_init(void)
 		/* ipsec module makes the pf_key proc interface visible */
 		if (stat(PROC_MODULES, &stb) == 0)
 		{
@ -9,7 +9,7 @@
 		}
 
 		/* now test again */
-@@ -48,9 +48,9 @@ starter_klips_init(void)
+@@ -42,9 +42,9 @@ bool starter_klips_init(void)
 	}
 
 	/* load crypto algorithm modules */
@ -20,11 +20,11 @@
 +	ignore_result(system("modprobe -s ipsec_blowfish"));
 +	ignore_result(system("modprobe -s ipsec_sha2"));
 
- 	DBG(DBG_CONTROL,
- 		DBG_log("Found KLIPS IPsec stack")
+ 	DBG2(DBG_APP, "found KLIPS IPsec stack");
+ 	return TRUE;
 --- src/starter/netkey.c
-+++ src/starter/netkey.c	2010/03/02 16:43:05
-@@ -34,7 +34,7 @@ starter_netkey_init(void)
+++ src/starter/netkey.c	2012/10/30 17:07:02
+@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
 		/* af_key module makes the netkey proc interface visible */
 		if (stat(PROC_MODULES, &stb) == 0)
 		{
@ -33,7 +33,7 @@
 		}
 
 		/* now test again */
-@@ -50,11 +50,11 @@ starter_netkey_init(void)
+@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
 	/* make sure that all required IPsec modules are loaded */
 	if (stat(PROC_MODULES, &stb) == 0)
 	{
@ -49,4 +49,4 @@
 +		ignore_result(system("modprobe -s xfrm_user"));
 	}
 
- 	DBG(DBG_CONTROL,
+ 	DBG2(DBG_APP, "found netkey IPsec stack");