strongswan 6.0.0

2024-12-03 19:05:45 +01:00 · 2024-12-03 19:05:45 +01:00 · b5f8ae4845
commit b5f8ae4845
parent da8f2965e2
8 changed files with 190 additions and 167 deletions
--- a/harden_strongswan.service.patch
+++ b/harden_strongswan.service.patch
@ -1,9 +1,13 @@
-Index: strongswan-5.9.5/init/systemd/strongswan.service.in
+---
+ init/systemd/strongswan.service.in |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+Index: strongswan-6.0.0/init/systemd/strongswan.service.in
 ===================================================================
--- strongswan-5.9.5.orig/init/systemd/strongswan.service.in
-+++ strongswan-5.9.5/init/systemd/strongswan.service.in
-@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
- After=network-online.target
+--- strongswan-6.0.0.orig/init/systemd/strongswan.service.in
+++ strongswan-6.0.0/init/systemd/strongswan.service.in
+@@ -4,6 +4,17 @@ After=network-online.target
+ Wants=network-online.target
 
 [Service]
 +# added automatically, for details please see
--- a/init.patch
+++ b/init.patch
@ -0,0 +1,31 @@
+From c58507ff186ae9cf014c0b54082c8bf74aef3219 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Tue, 3 Dec 2024 21:56:33 +0100
+Subject: [PATCH] init: put strongswan-starter.service behind USE_FILE_CONFIG
+References: https://github.com/strongswan/strongswan/pull/2553
+
+stroke is no longer enabled by default, but the systemd unit
+still is copied on `make install`. Fix that.
+---
+ init/Makefile.am | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/init/Makefile.am b/init/Makefile.am
+index 54c090cea..824ebd695 100644
+--- a/init/Makefile.am
+++ b/init/Makefile.am
+@@ -3,9 +3,11 @@ SUBDIRS =
+ 
+ if USE_LEGACY_SYSTEMD
+ if USE_CHARON
+if USE_FILE_CONFIG
+   SUBDIRS += systemd-starter
+ endif
+ endif
+endif
+ 
+ if USE_SYSTEMD
+ if USE_SWANCTL
+-- 
+2.47.1
+
--- a/strongswan-5.9.14.tar.bz2
+++ b/strongswan-5.9.14.tar.bz2
--- a/strongswan-5.9.14.tar.bz2.sig
+++ b/strongswan-5.9.14.tar.bz2.sig
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmX5cHAACgkQ30LBcLNN
-une5oAwAiNFc9r4zuuJ9+Qd3q4AYTiCa7g4j6OhneQwY7Y6fzYOROfKKDzPoDhwJ
-juU5vj+5d9yKVLEEueACCY2hM9cmAZL3mWMy5s86FmrNQcPRJ24cU19ZkyoxKGZ9
-8lvEtPzb5r5aTrdJnSu3rydGK7nSVysxA5ZyamviUndx1lWUkGYlz3lKMl8xm2qa
-QNCnBQiUcwm9mADl4txlxkCvSDPb1Ez7Y40K5lVTpKa/awaM9e9JuKXSgOJmBUBY
-C/E8pCzC8lENEoq5EZI/eV7VNwlc1ussqp2iSj0Nhy45cmXvCHpCIslkhPuReQzW
-nNDFbuMGiDzCvD2RNdi+l1z+74oLPFeC7663K2/VYMMobqwYVhdC4hg/PMOzDa1x
-L18Y7Pffna4gNa/jarx1U7fMFLW4c0q5DVvM8qoLtnc7Q9zFw4A+EU6i3sFa5EF+
-aVNbmHTIBXnf0YVoHmuOgjRH9kjjshnl/kSszOeW+wkoZzhuJkTzz/gllc9YWQNG
-y+PFcIVK
-=dVex
-----END PGP SIGNATURE-----
--- a/strongswan-6.0.0.tar.bz2
+++ b/strongswan-6.0.0.tar.bz2
--- a/strongswan-6.0.0.tar.bz2.sig
+++ b/strongswan-6.0.0.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmdO+hMACgkQ30LBcLNN
+undilgwAgiT5p2PyMhwSp4qo1EUX8+PWwJ9Plqz7TNCCdFJe3uYre3hM2K5hFey0
+azrPrqZ2HWtBycH0gI4BFzUSVO8E4SZOBQnPH/g3bsFg9VU71ML30LdZYx+Lg7wK
+7AaMxYhl7xIvfb4D8+ZpYV6bSDH0o2tRN5h5gPk4IECOTTRhsLWL89IL8xOXgNPj
+ao0meIUNfvg6cl1uLFff/c7H7cAGSFsKPSWtMWLfK0PglW4LVJJvr5PhGsduVPsE
+JwY2VAMVi1BI1Y7I1WxS7T1qEAXLKAuNHKJHgIvd3xvSM1Q197qFrGyuujDQV5Yn
+Olp583ccs2LJbfmDQiPD/AHeDpikMMtBZ3Hk7Od3CqRVpeIDyBC0/oEwiascw6Q4
+5SDclgEdL9jHU7Uo1Z9v+Ltn0lihGAkAsAMgJMFyfCFiB03yCXFQu34PK65ZoIk7
+GN3XeUqu7sdmK7Tg4RbsrZ1P7J9TiFllMiu7noYVluhW4My68A76yHIbk66i8DwF
+pzxPfTqH
+=8zOA
+-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Tue Dec  3 15:59:06 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- /usr/sbin/ipsec is no longer built after being deprecated in 5.2.0
+- Update to release 6.0.0
+  * Support for multiple IKEv2 key exchanges (RFC 9370)
+  * Support for the Module-Lattice-Based Key-Encapsulation
+    Mechanism (ML-KEM, FIPS 203)
+  * AF_VSOCK socket support
+  * The file logger can optionally log messages as JSON objects
+  * Handling of CHILD_SA rekey collisions has been improved
+  * The kernel-netlink plugin explicitly configures the direction
+    of IPsec SAs when running on 6.10+ kernels
+  * The NetworkManager plugin (charon-nm) now uses a different
+    routing table than the regular IKE daemon to avoid conflicts
+    if both are running
+  * The following crypto plugins are no longer built:
+    aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2,
+    sha1, sha2. (Their replacement is the "openssl" plugin.)
+  * The following deprecated plugins have been removed: bliss
+    (signature scheme), newhope (key exchange method), ntru (key
+    exchange method).
+- Add init.patch
+
 -------------------------------------------------------------------
 Tue Nov 26 12:02:16 UTC 2024 - Dirk Müller <dmueller@suse.com>

--- a/strongswan.spec
+++ b/strongswan.spec
@ -16,21 +16,18 @@
 #


-Name:           strongswan
-Version:        5.9.14
-Release:        0
-%define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
 %define         strongswan_libdir    %{_libdir}/ipsec
 %define         strongswan_configs   %{_sysconfdir}/strongswan.d
 %define         strongswan_datadir   %{_datadir}/strongswan
 %define         strongswan_plugins   %{strongswan_libdir}/plugins
 %define         strongswan_templates %{strongswan_datadir}/templates
-%if 0
-%bcond_without  tests
+%if 0%{?suse_version} < 1600
+%bcond_without  stroke
 %else
-%bcond_with     tests
+%bcond_with     stroke
 %endif
+%bcond_with     tests
 %bcond_without  fipscheck
 %ifarch %{ix86} ppc64le
 %bcond_without  integrity
@ -44,70 +41,73 @@ Release:        0
 %bcond_without  gcrypt
 %bcond_without  nm
 %bcond_without  systemd
+
+Name:           strongswan
+Version:        6.0.0
+Release:        0
 Summary:        IPsec-based VPN solution
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 URL:            https://www.strongswan.org/
-Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
-Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
+Source0:        http://download.strongswan.org/strongswan-%version.tar.bz2
+Source1:        http://download.strongswan.org/strongswan-%version.tar.bz2.sig
 Source2:        %{name}.init.in
 Source3:        %{name}-rpmlintrc
 Source4:        README.SUSE
 Source5:        %{name}.keyring
-%if %{with fipscheck}
 Source7:        fips-enforce.conf
-%endif
 Patch2:         %{name}_ipsec_service.patch
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6:         harden_strongswan.service.patch
+Patch7:         init.patch
+BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  bison
 BuildRequires:  curl-devel
 BuildRequires:  flex
 BuildRequires:  gmp-devel
 BuildRequires:  gperf
+BuildRequires:  iptables
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
+BuildRequires:  libtool
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  pkg-config
 BuildRequires:  pkgconfig(libsoup-2.4)
+BuildRequires:  pkgconfig(libsystemd)
 %if %{with mysql}
 BuildRequires:  libmysqlclient-devel
 %endif
 %if %{with sqlite}
-BuildRequires:  sqlite3-devel
+BuildRequires:  pkgconfig(sqlite3)
 %endif
 %if %{with gcrypt}
-BuildRequires:  libgcrypt-devel
+BuildRequires:  pkgconfig(libgcrypt)
 %endif
 %if %{with nm}
 BuildRequires:  pkgconfig(libnm)
 %endif
+Obsoletes:      strongswan-libs0 < %version-%release
+Provides:       strongswan-libs0 = %version-%release
 %{?systemd_requires}
-BuildRequires:  iptables
-BuildRequires:  pkgconfig(libsystemd)
 %{!?_rundir: %global _rundir /run}
 %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libtool
-Requires:       strongswan-ipsec = %{version}

 %description
 StrongSwan is an IPsec-based VPN solution for Linux.

-* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
-* Fully tested support of IPv6 IPsec tunnel and transport connections
+* IKEv1 and IKEv2 (RFC 4306, 9370) key exchange protocol support
+* Support of IPv6 IPsec tunnel and transport connections
 * Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
 * Automatic insertion and deletion of IPsec-policy-based firewall rules
-* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
+* 128/192/256-bit AES encryption
 * NAT Traversal via UDP encapsulation and port floating (RFC 3947)
-* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
-* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
+* Dead Peer Detection (DPD, RFC 3706) to detect dangling tunnels
 * XAUTH server and client functionality on top of IKEv1 Main Mode authentication
 * Virtual IP address pool managed by IKE daemon or SQL database
-* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
+* IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
 * Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
 * Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
 * Authentication based on X.509 certificates or preshared keys
@ -115,12 +115,11 @@ StrongSwan is an IPsec-based VPN solution for Linux.
 * Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
 * Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
 * CA management (OCSP and CRL URIs, default LDAP server)
-* Powerful IPsec policies based on wildcards or intermediate CAs
+* IPsec policies based on wildcards or intermediate CAs
 * Group policies based on X.509 attribute certificates (RFC 3281)
-* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
+* Storage of RSA private keys and certificates on a smartcard (PKCS#11 interface)
 * Modular plugins for crypto algorithms and relational database interfaces
 * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
-* Optional built-in integrity and crypto tests for plugins and libraries
 * Linux desktop integration via the strongSwan NetworkManager applet

 This package triggers the installation of both, IKEv1 and IKEv2 daemons.
@ -135,21 +134,10 @@ StrongSwan is an IPsec-based VPN solution for Linux.

 This package provides the StrongSwan documentation.

-%package libs0
-Summary:        strongSwan core libraries and basic plugins
-Group:          Productivity/Networking/Security
-Conflicts:      strongswan < %{version}
-
-%description libs0
-StrongSwan is an IPsec-based VPN solution for Linux.
-
-This package provides the strongswan library and plugins.
-
 %package fips
 Summary:        Config file to disable non FIPS-140-2 algos in strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-ipsec = %{version}
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 Provides:       strongswan-hmac = %{version}-%{release}
 Obsoletes:      strongswan-hmac < %{version}-%{release}

@ -158,27 +146,27 @@ The package provides a config file disabling alternative algorithm
 implementation when FIPS-140-2 compliant operation mode is enabled.

 %package ipsec
-Summary:        IPsec-based VPN solution
+Summary:        Old-style "ipsec" interface (stroke/starter) for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 Provides:       VPN
 Provides:       ipsec
-Provides:       strongswan = %{version}
-Obsoletes:      strongswan < %{version}
 Conflicts:      freeswan
 Conflicts:      openswan

 %description ipsec
 StrongSwan is an IPsec-based VPN solution for Linux.

-This package provides the systemd service definition and allows
-to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
-/etc/ipsec.secrets files.
+This package provides an ipsec(8) command-line interface and
+configuration mechanism (/etc/ipsec.conf, ipsec.secrets).
+
+Old-style ipsec(8) management of strongSwan is deprecated since
+version 5.2.0.

 %package mysql
 Summary:        MySQL plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version

 %description mysql
 StrongSwan is an IPsec-based VPN solution for Linux.
@ -188,20 +176,20 @@ This package provides the strongswan mysql plugin.
 %package sqlite
 Summary:        SQLite plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version

 %description sqlite
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.

 This package provides the strongswan sqlite plugin.

 %package nm
 Summary:        NetworkManager plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version

 %description nm
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.

 This package provides the NetworkManager plugin to control the
 charon IKEv2 daemon through D-Bus, designed to work using the
@ -210,28 +198,24 @@ NetworkManager-strongswan graphical user interface.
 %package tests
 Summary:        Testing plugins for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version

 %description tests
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.

 This package provides the strongswan crypto test vectors plugin
 and the load testing plugin for IKEv2 daemon.

 %prep
-%setup -q -n %{name}-%{upstream_version}
-%patch -P 2 -p1
-%patch -P 5 -p1
+%autosetup -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < %{_sourcedir}/strongswan.init.in \
     > strongswan.init
-%patch -P 6 -p1

 %build
-CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
-export CFLAGS
 autoreconf --force --install
 %configure \
+	CFLAGS="%optflags -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" \
 %if %{with integrity}
 	--enable-integrity-test \
 %endif
@ -314,6 +298,9 @@ autoreconf --force --install
 %else
 	--disable-nm \
 %endif
+%if %{with stroke}
+	--enable-stroke \
+%endif
 %if %{with tests}
 	--enable-conftest \
 	--enable-load-tester \
@ -360,7 +347,7 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
 }
 %endif
 #
-rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
+%if %{with stroke}
 cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
 #
 # ipsec.secrets
@ -370,6 +357,7 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
 #
 EOT
 #
+%endif
 %if ! %{with mysql}
 rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
 %endif
@ -379,7 +367,6 @@ rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
 rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
 rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
 find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
-#
 install -d -m755 %{buildroot}/%{strongswan_docdir}/
 install -c -m644 TODO NEWS README COPYING LICENSE \
 		 AUTHORS ChangeLog \
@ -395,36 +382,37 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \
 sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
 %endif

-%post libs0
+%post
 /sbin/ldconfig
 %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
 %{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}

-%postun libs0 -p /sbin/ldconfig
+%postun -p /sbin/ldconfig

 %pre ipsec
 %service_add_pre %{name}-starter.service

 %post ipsec
+%service_add_post %{name}-starter.service
 # Following code does the migration from strongwan.service (ver < 5.8.0) to
 # strongswan-starter.service (ver >= 5.8.0) during update. The systemd service
 # units have been renamed. The modern unit, which was called strongswan-swanctl,
 # is now called strongswan (the previous name is configured as alias in the unit,
 # for which a symlink is created when the unit is enabled). The legacy unit is now
 # called strongswan-starter.
-_ipsec_active=`/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null` || :
-_swanctl_active=`/usr/bin/systemctl is-active %{name}.service 2>/dev/null` || :
-_ipsec_enable=`/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null` || :
-_swanctl_enable=`/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null` || :
-if [[ "$_swanctl_enable" == "enabled" || "$_swanctl_active" == "active" ]]; then
+_ipsec_active=$(/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null) || :
+_swanctl_active=$(/usr/bin/systemctl is-active %{name}.service 2>/dev/null) || :
+_ipsec_enable=$(/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null) || :
+_swanctl_enable=$(/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null) || :
+if [ "$_swanctl_enable" = "enabled" ] || [ "$_swanctl_active" = "active" ]; then
        /usr/bin/systemctl disable --now %{name}.service || :
        /usr/bin/systemctl mask %{name}.service || :
 fi
-if [[ "$_swanctl_enable" == "enabled" || "$_ipsec_enable" == "enabled" ]]; then
+if [ "$_swanctl_enable" = "enabled" ] || [ "$_ipsec_enable" = "enabled" ]; then
        /usr/bin/systemctl daemon-reload
        /usr/bin/systemctl enable %{name}-starter.service || :
 fi
-if [[ "$_swanctl_active" == "active" || "$_ipsec_active" == "active" ]]; then
+if [ "$_swanctl_active" = "active" ] || [ "$_ipsec_active" = "active" ]; then
        /usr/bin/systemctl start %{name}-starter.service || :
 fi

@ -442,45 +430,26 @@ fi
 %postun ipsec
 %service_del_postun %{name}-starter.service

-%files
-%dir %{strongswan_docdir}
-%{strongswan_docdir}/README.SUSE
-
 %if %{with fipscheck}
-
 %files fips
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
 %endif

-%files ipsec
-%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
-%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
+%files
+%dir %{strongswan_docdir}
+%{strongswan_docdir}/README.SUSE
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
 %dir %{_sysconfdir}/swanctl
-%dir %{_sysconfdir}/ipsec.d
-%dir %{_sysconfdir}/ipsec.d/crls
-%dir %{_sysconfdir}/ipsec.d/reqs
-%dir %{_sysconfdir}/ipsec.d/certs
-%dir %{_sysconfdir}/ipsec.d/acerts
-%dir %{_sysconfdir}/ipsec.d/aacerts
-%dir %{_sysconfdir}/ipsec.d/cacerts
-%dir %{_sysconfdir}/ipsec.d/ocspcerts
-%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
-%{_unitdir}/strongswan-starter.service
 %{_unitdir}/strongswan.service
 %{_sbindir}/charon-systemd
 %{_bindir}/pki
 %{_bindir}/pt-tls-client
 %{_bindir}/tpm_extendpcr
-%{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_mandir}/man1/pki*.1*
 %{_mandir}/man1/pt-tls-client.1*
-%{_mandir}/man8/ipsec.8*
-%{_mandir}/man5/ipsec.conf.5*
-%{_mandir}/man5/ipsec.secrets.5*
 %{_mandir}/man5/strongswan.conf.5*
 %dir %{_libexecdir}/ipsec
 %{_libexecdir}/ipsec/_updown
@ -490,29 +459,14 @@ fi
 %{_libexecdir}/ipsec/xfrmi
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/pool
-%{_libexecdir}/ipsec/starter
-%{_libexecdir}/ipsec/stroke
 %{_libexecdir}/ipsec/charon
 %{_libexecdir}/ipsec/_imv_policy
 %{_libexecdir}/ipsec/imv_policy_manager
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-drbg.so
-%{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
-
-%files doc
-%dir %{strongswan_docdir}
-%{strongswan_docdir}/TODO
-%{strongswan_docdir}/NEWS
-%{strongswan_docdir}/README
-%{strongswan_docdir}/COPYING
-%{strongswan_docdir}/LICENSE
-%{strongswan_docdir}/AUTHORS
-%{strongswan_docdir}/ChangeLog
-%{_mandir}/man5/swanctl.conf.5.*
-%{_mandir}/man8/swanctl.8.*
-
-%files libs0
+%_mandir/man5/swanctl.conf.5.*
+%_mandir/man8/swanctl.8.*
 %{_tmpfilesdir}/%{name}.conf
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
 %dir %{strongswan_configs}
@ -523,13 +477,10 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
 %if %{with afalg}
@ -546,7 +497,6 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
@ -578,37 +528,30 @@ fi
 %endif
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
@ -647,7 +590,6 @@ fi
 %{strongswan_libdir}/imcvs/imv-test.so
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-addrblock.so
-%{strongswan_plugins}/libstrongswan-aes.so
 %if %{with afalg}
 %{strongswan_plugins}/libstrongswan-af-alg.so
 %endif
@ -663,7 +605,6 @@ fi
 %{strongswan_plugins}/libstrongswan-coupling.so
 %{strongswan_plugins}/libstrongswan-ctr.so
 %{strongswan_plugins}/libstrongswan-curl.so
-%{strongswan_plugins}/libstrongswan-des.so
 %{strongswan_plugins}/libstrongswan-dhcp.so
 %{strongswan_plugins}/libstrongswan-dnskey.so
 %{strongswan_plugins}/libstrongswan-duplicheck.so
@ -695,13 +636,11 @@ fi
 %endif
 %{strongswan_plugins}/libstrongswan-gmp.so
 %{strongswan_plugins}/libstrongswan-ha.so
-%{strongswan_plugins}/libstrongswan-hmac.so
 %{strongswan_plugins}/libstrongswan-kdf.so
 %{strongswan_plugins}/libstrongswan-kernel-netlink.so
 %{strongswan_plugins}/libstrongswan-ldap.so
 %{strongswan_plugins}/libstrongswan-led.so
 %{strongswan_plugins}/libstrongswan-md4.so
-%{strongswan_plugins}/libstrongswan-md5.so
 %{strongswan_plugins}/libstrongswan-mgf1.so
 %{strongswan_plugins}/libstrongswan-nonce.so
 %{strongswan_plugins}/libstrongswan-openssl.so
@ -709,17 +648,13 @@ fi
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
 %{strongswan_plugins}/libstrongswan-pkcs11.so
-%{strongswan_plugins}/libstrongswan-pkcs12.so
 %{strongswan_plugins}/libstrongswan-pkcs7.so
 %{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-radattr.so
 %{strongswan_plugins}/libstrongswan-random.so
-%{strongswan_plugins}/libstrongswan-rc2.so
 %{strongswan_plugins}/libstrongswan-resolve.so
 %{strongswan_plugins}/libstrongswan-revocation.so
-%{strongswan_plugins}/libstrongswan-sha1.so
-%{strongswan_plugins}/libstrongswan-sha2.so
 %{strongswan_plugins}/libstrongswan-smp.so
 %{strongswan_plugins}/libstrongswan-socket-default.so
 %{strongswan_plugins}/libstrongswan-soup.so
@ -738,7 +673,6 @@ fi
 %{strongswan_plugins}/libstrongswan-xauth-generic.so
 %{strongswan_plugins}/libstrongswan-xauth-pam.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
-%{strongswan_plugins}/libstrongswan-curve25519.so
 %{strongswan_plugins}/libstrongswan-vici.so
 %{strongswan_plugins}/libstrongswan-bypass-lan.so
 %dir %{strongswan_datadir}
@ -751,7 +685,6 @@ fi
 %dir %{strongswan_templates}/database/sql
 %{strongswan_templates}/config/strongswan.conf
 %{strongswan_templates}/config/plugins/addrblock.conf
-%{strongswan_templates}/config/plugins/aes.conf
 %if %{with afalg}
 %{strongswan_templates}/config/plugins/af-alg.conf
 %endif
@ -767,7 +700,6 @@ fi
 %{strongswan_templates}/config/plugins/coupling.conf
 %{strongswan_templates}/config/plugins/ctr.conf
 %{strongswan_templates}/config/plugins/curl.conf
-%{strongswan_templates}/config/plugins/des.conf
 %{strongswan_templates}/config/plugins/dhcp.conf
 %{strongswan_templates}/config/plugins/dnskey.conf
 %{strongswan_templates}/config/plugins/drbg.conf
@ -800,13 +732,11 @@ fi
 %endif
 %{strongswan_templates}/config/plugins/gmp.conf
 %{strongswan_templates}/config/plugins/ha.conf
-%{strongswan_templates}/config/plugins/hmac.conf
 %{strongswan_templates}/config/plugins/kdf.conf
 %{strongswan_templates}/config/plugins/kernel-netlink.conf
 %{strongswan_templates}/config/plugins/ldap.conf
 %{strongswan_templates}/config/plugins/led.conf
 %{strongswan_templates}/config/plugins/md4.conf
-%{strongswan_templates}/config/plugins/md5.conf
 %{strongswan_templates}/config/plugins/mgf1.conf
 %{strongswan_templates}/config/plugins/nonce.conf
 %{strongswan_templates}/config/plugins/openssl.conf
@ -814,23 +744,18 @@ fi
 %{strongswan_templates}/config/plugins/pgp.conf
 %{strongswan_templates}/config/plugins/pkcs1.conf
 %{strongswan_templates}/config/plugins/pkcs11.conf
-%{strongswan_templates}/config/plugins/pkcs12.conf
 %{strongswan_templates}/config/plugins/pkcs7.conf
 %{strongswan_templates}/config/plugins/pkcs8.conf
 %{strongswan_templates}/config/plugins/pubkey.conf
 %{strongswan_templates}/config/plugins/radattr.conf
 %{strongswan_templates}/config/plugins/random.conf
-%{strongswan_templates}/config/plugins/rc2.conf
 %{strongswan_templates}/config/plugins/resolve.conf
 %{strongswan_templates}/config/plugins/revocation.conf
-%{strongswan_templates}/config/plugins/sha1.conf
-%{strongswan_templates}/config/plugins/sha2.conf
 %{strongswan_templates}/config/plugins/smp.conf
 %{strongswan_templates}/config/plugins/socket-default.conf
 %{strongswan_templates}/config/plugins/soup.conf
 %{strongswan_templates}/config/plugins/sql.conf
 %{strongswan_templates}/config/plugins/sshkey.conf
-%{strongswan_templates}/config/plugins/stroke.conf
 %{strongswan_templates}/config/plugins/tnc-imc.conf
 %{strongswan_templates}/config/plugins/tnc-imv.conf
 %{strongswan_templates}/config/plugins/tnc-pdp.conf
@ -845,7 +770,6 @@ fi
 %{strongswan_templates}/config/plugins/xauth-generic.conf
 %{strongswan_templates}/config/plugins/xauth-pam.conf
 %{strongswan_templates}/config/plugins/xcbc.conf
-%{strongswan_templates}/config/plugins/curve25519.conf
 %{strongswan_templates}/config/plugins/vici.conf
 %{strongswan_templates}/config/plugins/bypass-lan.conf
 %{strongswan_templates}/config/strongswan.d/charon-systemd.conf
@ -854,14 +778,12 @@ fi
 %{strongswan_templates}/config/strongswan.d/imcv.conf
 %{strongswan_templates}/config/strongswan.d/pki.conf
 %{strongswan_templates}/config/strongswan.d/pool.conf
-%{strongswan_templates}/config/strongswan.d/starter.conf
 %{strongswan_templates}/config/strongswan.d/tnc.conf
 %{strongswan_templates}/config/strongswan.d/swanctl.conf
 %{strongswan_templates}/database/imv/data.sql
 %{strongswan_templates}/database/imv/tables.sql

 %if %{with nm}
-
 %files nm
 %dir %{_libexecdir}/ipsec
 %dir %{strongswan_plugins}
@ -870,7 +792,6 @@ fi
 %endif

 %if %{with mysql}
-
 %files mysql
 %dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
@ -890,7 +811,6 @@ fi
 %endif

 %if %{with sqlite}
-
 %files sqlite
 %dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
@ -909,7 +829,6 @@ fi
 %endif

 %if %{with tests}
-
 %files tests
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
@ -929,4 +848,49 @@ fi
 %{strongswan_plugins}/libstrongswan-test-vectors.so
 %endif

+%if %{with stroke}
+%files ipsec
+%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.conf
+%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.secrets
+%dir %_sysconfdir/ipsec.d
+%dir %_sysconfdir/ipsec.d/crls
+%dir %_sysconfdir/ipsec.d/reqs
+%dir %_sysconfdir/ipsec.d/certs
+%dir %_sysconfdir/ipsec.d/acerts
+%dir %_sysconfdir/ipsec.d/aacerts
+%dir %_sysconfdir/ipsec.d/cacerts
+%dir %_sysconfdir/ipsec.d/ocspcerts
+%dir %attr(700,root,root) %_sysconfdir/ipsec.d/private
+%_sbindir/ipsec
+%_mandir/man8/ipsec.8*
+%_mandir/man5/ipsec.conf.5*
+%_mandir/man5/ipsec.secrets.5*
+%dir %_libexecdir/ipsec/
+%_libexecdir/ipsec/starter
+%_libexecdir/ipsec/stroke
+%_unitdir/strongswan-starter.service
+%dir %strongswan_plugins/
+%strongswan_plugins/libstrongswan-stroke.so
+%dir %strongswan_configs/
+%dir %strongswan_configs/charon/
+%config(noreplace) %attr(600,root,root) %strongswan_configs/starter.conf
+%config(noreplace) %attr(600,root,root) %strongswan_configs/charon/stroke.conf
+%dir %strongswan_templates/
+%dir %strongswan_templates/config/
+%dir %strongswan_templates/config/plugins/
+%strongswan_templates/config/plugins/stroke.conf
+%dir %strongswan_templates/config/strongswan.d/
+%strongswan_templates/config/strongswan.d/starter.conf
+%endif
+
+%files doc
+%dir %strongswan_docdir
+%strongswan_docdir/TODO
+%strongswan_docdir/NEWS
+%strongswan_docdir/README
+%strongswan_docdir/COPYING
+%strongswan_docdir/LICENSE
+%strongswan_docdir/AUTHORS
+%strongswan_docdir/ChangeLog
+
 %changelog