diff --git a/harden_strongswan.service.patch b/harden_strongswan.service.patch index 7820dda..fadaa87 100644 --- a/harden_strongswan.service.patch +++ b/harden_strongswan.service.patch @@ -1,9 +1,13 @@ -Index: strongswan-5.9.5/init/systemd/strongswan.service.in +--- + init/systemd/strongswan.service.in | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +Index: strongswan-6.0.0/init/systemd/strongswan.service.in =================================================================== ---- strongswan-5.9.5.orig/init/systemd/strongswan.service.in -+++ strongswan-5.9.5/init/systemd/strongswan.service.in -@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2 - After=network-online.target +--- strongswan-6.0.0.orig/init/systemd/strongswan.service.in ++++ strongswan-6.0.0/init/systemd/strongswan.service.in +@@ -4,6 +4,17 @@ After=network-online.target + Wants=network-online.target [Service] +# added automatically, for details please see diff --git a/init.patch b/init.patch new file mode 100644 index 0000000..db3e2db --- /dev/null +++ b/init.patch @@ -0,0 +1,31 @@ +From c58507ff186ae9cf014c0b54082c8bf74aef3219 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Tue, 3 Dec 2024 21:56:33 +0100 +Subject: [PATCH] init: put strongswan-starter.service behind USE_FILE_CONFIG +References: https://github.com/strongswan/strongswan/pull/2553 + +stroke is no longer enabled by default, but the systemd unit +still is copied on `make install`. Fix that. +--- + init/Makefile.am | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/init/Makefile.am b/init/Makefile.am +index 54c090cea..824ebd695 100644 +--- a/init/Makefile.am ++++ b/init/Makefile.am +@@ -3,9 +3,11 @@ SUBDIRS = + + if USE_LEGACY_SYSTEMD + if USE_CHARON ++if USE_FILE_CONFIG + SUBDIRS += systemd-starter + endif + endif ++endif + + if USE_SYSTEMD + if USE_SWANCTL +-- +2.47.1 + diff --git a/strongswan-5.9.14.tar.bz2 b/strongswan-5.9.14.tar.bz2 deleted file mode 100644 index ca34227..0000000 
--- a/strongswan-5.9.14.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678 -size 4869709 diff --git a/strongswan-5.9.14.tar.bz2.sig b/strongswan-5.9.14.tar.bz2.sig deleted file mode 100644 index d8f021c..0000000 --- a/strongswan-5.9.14.tar.bz2.sig +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmX5cHAACgkQ30LBcLNN -une5oAwAiNFc9r4zuuJ9+Qd3q4AYTiCa7g4j6OhneQwY7Y6fzYOROfKKDzPoDhwJ -juU5vj+5d9yKVLEEueACCY2hM9cmAZL3mWMy5s86FmrNQcPRJ24cU19ZkyoxKGZ9 -8lvEtPzb5r5aTrdJnSu3rydGK7nSVysxA5ZyamviUndx1lWUkGYlz3lKMl8xm2qa -QNCnBQiUcwm9mADl4txlxkCvSDPb1Ez7Y40K5lVTpKa/awaM9e9JuKXSgOJmBUBY -C/E8pCzC8lENEoq5EZI/eV7VNwlc1ussqp2iSj0Nhy45cmXvCHpCIslkhPuReQzW -nNDFbuMGiDzCvD2RNdi+l1z+74oLPFeC7663K2/VYMMobqwYVhdC4hg/PMOzDa1x -L18Y7Pffna4gNa/jarx1U7fMFLW4c0q5DVvM8qoLtnc7Q9zFw4A+EU6i3sFa5EF+ -aVNbmHTIBXnf0YVoHmuOgjRH9kjjshnl/kSszOeW+wkoZzhuJkTzz/gllc9YWQNG -y+PFcIVK -=dVex ------END PGP SIGNATURE----- diff --git a/strongswan-6.0.0.tar.bz2 b/strongswan-6.0.0.tar.bz2 new file mode 100644 index 0000000..0f4d639 --- /dev/null +++ b/strongswan-6.0.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72fe58b7523155703b65b08c3cc559c2c9a5c96da54afebd8136f6623e7dda82 +size 4863821 diff --git a/strongswan-6.0.0.tar.bz2.sig b/strongswan-6.0.0.tar.bz2.sig new file mode 100644 index 0000000..bf43539 --- /dev/null +++ b/strongswan-6.0.0.tar.bz2.sig 
@@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- + +iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmdO+hMACgkQ30LBcLNN +undilgwAgiT5p2PyMhwSp4qo1EUX8+PWwJ9Plqz7TNCCdFJe3uYre3hM2K5hFey0 +azrPrqZ2HWtBycH0gI4BFzUSVO8E4SZOBQnPH/g3bsFg9VU71ML30LdZYx+Lg7wK +7AaMxYhl7xIvfb4D8+ZpYV6bSDH0o2tRN5h5gPk4IECOTTRhsLWL89IL8xOXgNPj +ao0meIUNfvg6cl1uLFff/c7H7cAGSFsKPSWtMWLfK0PglW4LVJJvr5PhGsduVPsE +JwY2VAMVi1BI1Y7I1WxS7T1qEAXLKAuNHKJHgIvd3xvSM1Q197qFrGyuujDQV5Yn +Olp583ccs2LJbfmDQiPD/AHeDpikMMtBZ3Hk7Od3CqRVpeIDyBC0/oEwiascw6Q4 +5SDclgEdL9jHU7Uo1Z9v+Ltn0lihGAkAsAMgJMFyfCFiB03yCXFQu34PK65ZoIk7 +GN3XeUqu7sdmK7Tg4RbsrZ1P7J9TiFllMiu7noYVluhW4My68A76yHIbk66i8DwF +pzxPfTqH +=8zOA +-----END PGP SIGNATURE----- diff --git a/strongswan.changes b/strongswan.changes index dd2a70a..8d3ff4c 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Tue Dec 3 15:59:06 UTC 2024 - Jan Engelhardt + +- /usr/sbin/ipsec is no longer built after being deprecated in 5.2.0 +- Update to release 6.0.0 + * Support for multiple IKEv2 key exchanges (RFC 9370) + * Support for the Module-Lattice-Based Key-Encapsulation + Mechanism (ML-KEM, FIPS 203) + * AF_VSOCK socket support + * The file logger can optionally log messages as JSON objects + * Handling of CHILD_SA rekey collisions has been improved + * The kernel-netlink plugin explicitly configures the direction + of IPsec SAs when running on 6.10+ kernels + * The NetworkManager plugin (charon-nm) now uses a different + routing table than the regular IKE daemon to avoid conflicts + if both are running + * The following crypto plugins are no longer built: + aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2, + sha1, sha2. (Their replacement is the "openssl" plugin.) + * The following deprecated plugins have been removed: bliss + (signature scheme), newhope (key exchange method), ntru (key + exchange method). +- Add init.patch + ------------------------------------------------------------------- Tue Nov 26 12:02:16 UTC 2024 - Dirk Müller diff --git a/strongswan.spec b/strongswan.spec index 11cb243..7618674 100644 --- a/strongswan.spec +++ b/strongswan.spec 
@@ -16,21 +16,18 @@ # -Name: strongswan -Version: 5.9.14 -Release: 0 -%define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} %define strongswan_libdir %{_libdir}/ipsec %define strongswan_configs %{_sysconfdir}/strongswan.d %define strongswan_datadir %{_datadir}/strongswan %define strongswan_plugins %{strongswan_libdir}/plugins %define strongswan_templates %{strongswan_datadir}/templates -%if 0 -%bcond_without tests +%if 0%{?suse_version} < 1600 +%bcond_without stroke %else -%bcond_with tests +%bcond_with stroke %endif +%bcond_with tests %bcond_without fipscheck %ifarch %{ix86} ppc64le %bcond_without integrity 
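Review bot: The new `%if 0%{?suse_version} < 1600` gate around `%bcond_without stroke` carries no comment saying which targets still get the legacy stroke/starter interface. `0%{?suse_version}` expands to `0` when the macro is undefined, so a build outside SUSE also takes the `%bcond_without stroke` branch and keeps shipping the interface that the package description calls deprecated since 5.2.0. I would add `# legacy stroke/starter (ipsec.conf) interface: built only where suse_version < 1600 (also when suse_version is undefined)` above the `%if`, and confirm that the undefined-macro case is intended.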
@@ -44,70 +41,73 @@ Release: 0 %bcond_without gcrypt %bcond_without nm %bcond_without systemd + +Name: strongswan +Version: 6.0.0 +Release: 0 Summary: IPsec-based VPN solution License: GPL-2.0-or-later Group: Productivity/Networking/Security URL: https://www.strongswan.org/ -Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2 -Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig +Source0: http://download.strongswan.org/strongswan-%version.tar.bz2 +Source1: http://download.strongswan.org/strongswan-%version.tar.bz2.sig Source2: %{name}.init.in Source3: %{name}-rpmlintrc Source4: README.SUSE Source5: %{name}.keyring -%if %{with fipscheck} Source7: fips-enforce.conf -%endif Patch2: %{name}_ipsec_service.patch Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch Patch6: harden_strongswan.service.patch +Patch7: init.patch +BuildRequires: autoconf +BuildRequires: automake BuildRequires: bison BuildRequires: curl-devel BuildRequires: flex BuildRequires: gmp-devel BuildRequires: gperf +BuildRequires: iptables BuildRequires: libcap-devel BuildRequires: libopenssl-devel +BuildRequires: libtool BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pcsc-lite-devel BuildRequires: pkg-config BuildRequires: pkgconfig(libsoup-2.4) +BuildRequires: pkgconfig(libsystemd) %if %{with mysql} BuildRequires: libmysqlclient-devel %endif %if %{with sqlite} -BuildRequires: sqlite3-devel +BuildRequires: pkgconfig(sqlite3) %endif %if %{with gcrypt} -BuildRequires: libgcrypt-devel +BuildRequires: pkgconfig(libgcrypt) %endif %if %{with nm} BuildRequires: pkgconfig(libnm) %endif +Obsoletes: strongswan-libs0 < %version-%release +Provides: strongswan-libs0 = %version-%release %{?systemd_requires} -BuildRequires: iptables -BuildRequires: pkgconfig(libsystemd) %{!?_rundir: %global _rundir /run} %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d} -BuildRequires: autoconf -BuildRequires: automake 
-BuildRequires: libtool -Requires: strongswan-ipsec = %{version} %description StrongSwan is an IPsec-based VPN solution for Linux. -* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols -* Fully tested support of IPv6 IPsec tunnel and transport connections +* IKEv1 and IKEv2 (RFC 4306, 9370) key exchange protocol support +* Support of IPv6 IPsec tunnel and transport connections * Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555) * Automatic insertion and deletion of IPsec-policy-based firewall rules -* Strong 128/192/256 bit AES or Camellia encryption, 3DES support +* 128/192/256-bit AES encryption * NAT Traversal via UDP encapsulation and port floating (RFC 3947) -* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels -* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes +* Dead Peer Detection (DPD, RFC 3706) to detect dangling tunnels * XAUTH server and client functionality on top of IKEv1 Main Mode authentication * Virtual IP address pool managed by IKE daemon or SQL database -* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) +* IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) * Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin * Support of IKEv2 Multiple Authentication Exchanges (RFC 4739) * Authentication based on X.509 certificates or preshared keys 
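Review bot: The rewritten `Source0` and `Source1` lines still fetch the release tarball and its detached signature over plain `http://`. `Source5: %{name}.keyring` is listed, so integrity presumably rests on the signature check being run against that keyring at build or source-service time, but nothing in this hunk shows that check. Assuming the download host serves HTTPS, I would change the lines to `Source0: https://download.strongswan.org/strongswan-%version.tar.bz2` and `Source1: https://download.strongswan.org/strongswan-%version.tar.bz2.sig` so the download does not depend on signature verification alone.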
@@ -115,12 +115,11 @@ StrongSwan is an IPsec-based VPN solution for Linux. * Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP * Full support of the Online Certificate Status Protocol (OCSP, RCF 2560). * CA management (OCSP and CRL URIs, default LDAP server) -* Powerful IPsec policies based on wildcards or intermediate CAs +* IPsec policies based on wildcards or intermediate CAs * Group policies based on X.509 attribute certificates (RFC 3281) -* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) +* Storage of RSA private keys and certificates on a smartcard (PKCS#11 interface) * Modular plugins for crypto algorithms and relational database interfaces * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869) -* Optional built-in integrity and crypto tests for plugins and libraries * Linux desktop integration via the strongSwan NetworkManager applet This package triggers the installation of both, IKEv1 and IKEv2 daemons. @@ -135,21 +134,10 @@ StrongSwan is an IPsec-based VPN solution for Linux. This package provides the StrongSwan documentation. -%package libs0 -Summary: strongSwan core libraries and basic plugins -Group: Productivity/Networking/Security -Conflicts: strongswan < %{version} - -%description libs0 -StrongSwan is an IPsec-based VPN solution for Linux. - -This package provides the strongswan library and plugins. - %package fips Summary: Config file to disable non FIPS-140-2 algos in strongSwan Group: Productivity/Networking/Security -Requires: strongswan-ipsec = %{version} -Requires: strongswan-libs0 = %{version} +Requires: strongswan = %version Provides: strongswan-hmac = %{version}-%{release} Obsoletes: strongswan-hmac < %{version}-%{release} 
@@ -158,27 +146,27 @@ The package provides a config file disabling alternative algorithm implementation when FIPS-140-2 compliant operation mode is enabled. %package ipsec -Summary: IPsec-based VPN solution +Summary: Old-style "ipsec" interface (stroke/starter) for strongSwan Group: Productivity/Networking/Security -Requires: strongswan-libs0 = %{version} +Requires: strongswan = %version Provides: VPN Provides: ipsec -Provides: strongswan = %{version} -Obsoletes: strongswan < %{version} Conflicts: freeswan Conflicts: openswan %description ipsec StrongSwan is an IPsec-based VPN solution for Linux. -This package provides the systemd service definition and allows -to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the -/etc/ipsec.secrets files. +This package provides an ipsec(8) command-line interface and +configuration mechanism (/etc/ipsec.conf, ipsec.secrets). + +Old-style ipsec(8) management of strongSwan is deprecated since +version 5.2.0. %package mysql Summary: MySQL plugin for strongSwan Group: Productivity/Networking/Security -Requires: strongswan-libs0 = %{version} +Requires: strongswan = %version %description mysql StrongSwan is an IPsec-based VPN solution for Linux. 
@@ -188,20 +176,20 @@ This package provides the strongswan mysql plugin. %package sqlite Summary: SQLite plugin for strongSwan Group: Productivity/Networking/Security -Requires: strongswan-libs0 = %{version} +Requires: strongswan = %version %description sqlite -StrongSwan is an OpenSource IPsec-based VPN solution for Linux. +StrongSwan is an IPsec-based VPN solution for Linux. This package provides the strongswan sqlite plugin. %package nm Summary: NetworkManager plugin for strongSwan Group: Productivity/Networking/Security -Requires: strongswan-libs0 = %{version} +Requires: strongswan = %version %description nm -StrongSwan is an OpenSource IPsec-based VPN solution for Linux. +StrongSwan is an IPsec-based VPN solution for Linux. This package provides the NetworkManager plugin to control the charon IKEv2 daemon through D-Bus, designed to work using the @@ -210,28 +198,24 @@ NetworkManager-strongswan graphical user interface. %package tests Summary: Testing plugins for strongSwan Group: Productivity/Networking/Security -Requires: strongswan-libs0 = %{version} +Requires: strongswan = %version %description tests -StrongSwan is an OpenSource IPsec-based VPN solution for Linux. +StrongSwan is an IPsec-based VPN solution for Linux. This package provides the strongswan crypto test vectors plugin and the load testing plugin for IKEv2 daemon. %prep -%setup -q -n %{name}-%{upstream_version} -%patch -P 2 -p1 -%patch -P 5 -p1 +%autosetup -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < %{_sourcedir}/strongswan.init.in \ > strongswan.init -%patch -P 6 -p1 %build -CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" -export CFLAGS autoreconf --force --install %configure \ + CFLAGS="%optflags -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" \ %if %{with integrity} --enable-integrity-test \ %endif 
@@ -314,6 +298,9 @@ autoreconf --force --install %else --disable-nm \ %endif +%if %{with stroke} + --enable-stroke \ +%endif %if %{with tests} --enable-conftest \ --enable-load-tester \ @@ -360,7 +347,7 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \ } %endif # -rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets +%if %{with stroke} cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets # # ipsec.secrets @@ -370,6 +357,7 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets # EOT # +%endif %if ! %{with mysql} rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql %endif @@ -379,7 +367,6 @@ rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete -# install -d -m755 %{buildroot}/%{strongswan_docdir}/ install -c -m644 TODO NEWS README COPYING LICENSE \ AUTHORS ChangeLog \ 
@@ -395,36 +382,37 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \ sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf %endif -%post libs0 +%post /sbin/ldconfig %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf} %{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}} -%postun libs0 -p /sbin/ldconfig +%postun -p /sbin/ldconfig %pre ipsec %service_add_pre %{name}-starter.service %post ipsec +%service_add_post %{name}-starter.service # Following code does the migration from strongwan.service (ver < 5.8.0) to # strongswan-starter.service (ver >= 5.8.0) during update. The systemd service # units have been renamed. The modern unit, which was called strongswan-swanctl, # is now called strongswan (the previous name is configured as alias in the unit, # for which a symlink is created when the unit is enabled). The legacy unit is now # called strongswan-starter. -_ipsec_active=`/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null` || : -_swanctl_active=`/usr/bin/systemctl is-active %{name}.service 2>/dev/null` || : -_ipsec_enable=`/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null` || : -_swanctl_enable=`/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null` || : -if [[ "$_swanctl_enable" == "enabled" || "$_swanctl_active" == "active" ]]; then +_ipsec_active=$(/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null) || : +_swanctl_active=$(/usr/bin/systemctl is-active %{name}.service 2>/dev/null) || : +_ipsec_enable=$(/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null) || : +_swanctl_enable=$(/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null) || : +if [ "$_swanctl_enable" = "enabled" ] || [ "$_swanctl_active" = "active" ]; then /usr/bin/systemctl disable --now %{name}.service || : /usr/bin/systemctl mask %{name}.service || : fi -if [[ "$_swanctl_enable" == "enabled" || "$_ipsec_enable" == "enabled" ]]; then +if [ 
"$_swanctl_enable" = "enabled" ] || [ "$_ipsec_enable" = "enabled" ]; then /usr/bin/systemctl daemon-reload /usr/bin/systemctl enable %{name}-starter.service || : fi -if [[ "$_swanctl_active" == "active" || "$_ipsec_active" == "active" ]]; then +if [ "$_swanctl_active" = "active" ] || [ "$_ipsec_active" = "active" ]; then /usr/bin/systemctl start %{name}-starter.service || : fi @@ -442,45 +430,26 @@ fi %postun ipsec %service_del_postun %{name}-starter.service -%files -%dir %{strongswan_docdir} -%{strongswan_docdir}/README.SUSE - %if %{with fipscheck} - %files fips %dir %{strongswan_configs} %dir %{strongswan_configs}/charon %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf %endif -%files ipsec -%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf -%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets +%files +%dir %{strongswan_docdir} +%{strongswan_docdir}/README.SUSE %config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf %dir %{_sysconfdir}/swanctl -%dir %{_sysconfdir}/ipsec.d -%dir %{_sysconfdir}/ipsec.d/crls -%dir %{_sysconfdir}/ipsec.d/reqs -%dir %{_sysconfdir}/ipsec.d/certs -%dir %{_sysconfdir}/ipsec.d/acerts -%dir %{_sysconfdir}/ipsec.d/aacerts -%dir %{_sysconfdir}/ipsec.d/cacerts -%dir %{_sysconfdir}/ipsec.d/ocspcerts -%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private -%{_unitdir}/strongswan-starter.service %{_unitdir}/strongswan.service %{_sbindir}/charon-systemd %{_bindir}/pki %{_bindir}/pt-tls-client %{_bindir}/tpm_extendpcr -%{_sbindir}/ipsec %{_sbindir}/swanctl %{_mandir}/man1/pki*.1* %{_mandir}/man1/pt-tls-client.1* -%{_mandir}/man8/ipsec.8* -%{_mandir}/man5/ipsec.conf.5* -%{_mandir}/man5/ipsec.secrets.5* %{_mandir}/man5/strongswan.conf.5* %dir %{_libexecdir}/ipsec %{_libexecdir}/ipsec/_updown 
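Review bot: The `%post ipsec` migration block still runs `systemctl disable --now %{name}.service` and `systemctl mask %{name}.service` whenever that unit is enabled or active, and after this commit `%{_unitdir}/strongswan.service` is owned by the main `strongswan` package, which `strongswan-ipsec` only requires. The scriptlet has no `$1` check, so it repeats on every install and update. The `%postun ipsec` visible in the following hunk only calls `%service_del_postun`, so removing the add-on appears to leave the main unit masked and the VPN service unable to start until an administrator notices. I would consider restricting the migration to updates (`if [ "$1" -gt 1 ]; then` … `fi` around the block) and adding `[ "$1" -eq 0 ] && /usr/bin/systemctl unmask %{name}.service || :` to `%postun ipsec`. `%preun ipsec` lies between the hunks and may already cover part of this.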
@@ -490,29 +459,14 @@ fi %{_libexecdir}/ipsec/xfrmi %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/pool -%{_libexecdir}/ipsec/starter -%{_libexecdir}/ipsec/stroke %{_libexecdir}/ipsec/charon %{_libexecdir}/ipsec/_imv_policy %{_libexecdir}/ipsec/imv_policy_manager %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-drbg.so -%{strongswan_plugins}/libstrongswan-stroke.so %{strongswan_plugins}/libstrongswan-updown.so - -%files doc -%dir %{strongswan_docdir} -%{strongswan_docdir}/TODO -%{strongswan_docdir}/NEWS -%{strongswan_docdir}/README -%{strongswan_docdir}/COPYING -%{strongswan_docdir}/LICENSE -%{strongswan_docdir}/AUTHORS -%{strongswan_docdir}/ChangeLog -%{_mandir}/man5/swanctl.conf.5.* -%{_mandir}/man8/swanctl.8.* - -%files libs0 +%_mandir/man5/swanctl.conf.5.* +%_mandir/man8/swanctl.8.* %{_tmpfilesdir}/%{name}.conf %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf %dir %{strongswan_configs} @@ -523,13 +477,10 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf %if %{with afalg} 
@@ -546,7 +497,6 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf 
@@ -578,37 +528,30 @@ fi %endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf %config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/revocation.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf @@ -647,7 +590,6 @@ fi %{strongswan_libdir}/imcvs/imv-test.so %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-addrblock.so -%{strongswan_plugins}/libstrongswan-aes.so %if %{with afalg} %{strongswan_plugins}/libstrongswan-af-alg.so %endif @@ -663,7 +605,6 @@ fi %{strongswan_plugins}/libstrongswan-coupling.so %{strongswan_plugins}/libstrongswan-ctr.so %{strongswan_plugins}/libstrongswan-curl.so -%{strongswan_plugins}/libstrongswan-des.so %{strongswan_plugins}/libstrongswan-dhcp.so %{strongswan_plugins}/libstrongswan-dnskey.so %{strongswan_plugins}/libstrongswan-duplicheck.so 
@@ -695,13 +636,11 @@ fi %endif %{strongswan_plugins}/libstrongswan-gmp.so %{strongswan_plugins}/libstrongswan-ha.so -%{strongswan_plugins}/libstrongswan-hmac.so %{strongswan_plugins}/libstrongswan-kdf.so %{strongswan_plugins}/libstrongswan-kernel-netlink.so %{strongswan_plugins}/libstrongswan-ldap.so %{strongswan_plugins}/libstrongswan-led.so %{strongswan_plugins}/libstrongswan-md4.so -%{strongswan_plugins}/libstrongswan-md5.so %{strongswan_plugins}/libstrongswan-mgf1.so %{strongswan_plugins}/libstrongswan-nonce.so %{strongswan_plugins}/libstrongswan-openssl.so @@ -709,17 +648,13 @@ fi %{strongswan_plugins}/libstrongswan-pgp.so %{strongswan_plugins}/libstrongswan-pkcs1.so %{strongswan_plugins}/libstrongswan-pkcs11.so -%{strongswan_plugins}/libstrongswan-pkcs12.so %{strongswan_plugins}/libstrongswan-pkcs7.so %{strongswan_plugins}/libstrongswan-pkcs8.so %{strongswan_plugins}/libstrongswan-pubkey.so %{strongswan_plugins}/libstrongswan-radattr.so %{strongswan_plugins}/libstrongswan-random.so -%{strongswan_plugins}/libstrongswan-rc2.so %{strongswan_plugins}/libstrongswan-resolve.so %{strongswan_plugins}/libstrongswan-revocation.so -%{strongswan_plugins}/libstrongswan-sha1.so -%{strongswan_plugins}/libstrongswan-sha2.so %{strongswan_plugins}/libstrongswan-smp.so %{strongswan_plugins}/libstrongswan-socket-default.so %{strongswan_plugins}/libstrongswan-soup.so @@ -738,7 +673,6 @@ fi %{strongswan_plugins}/libstrongswan-xauth-generic.so %{strongswan_plugins}/libstrongswan-xauth-pam.so %{strongswan_plugins}/libstrongswan-xcbc.so -%{strongswan_plugins}/libstrongswan-curve25519.so %{strongswan_plugins}/libstrongswan-vici.so %{strongswan_plugins}/libstrongswan-bypass-lan.so %dir %{strongswan_datadir} 
@@ -751,7 +685,6 @@ fi %dir %{strongswan_templates}/database/sql %{strongswan_templates}/config/strongswan.conf %{strongswan_templates}/config/plugins/addrblock.conf -%{strongswan_templates}/config/plugins/aes.conf %if %{with afalg} %{strongswan_templates}/config/plugins/af-alg.conf %endif @@ -767,7 +700,6 @@ fi %{strongswan_templates}/config/plugins/coupling.conf %{strongswan_templates}/config/plugins/ctr.conf %{strongswan_templates}/config/plugins/curl.conf -%{strongswan_templates}/config/plugins/des.conf %{strongswan_templates}/config/plugins/dhcp.conf %{strongswan_templates}/config/plugins/dnskey.conf %{strongswan_templates}/config/plugins/drbg.conf @@ -800,13 +732,11 @@ fi %endif %{strongswan_templates}/config/plugins/gmp.conf %{strongswan_templates}/config/plugins/ha.conf -%{strongswan_templates}/config/plugins/hmac.conf %{strongswan_templates}/config/plugins/kdf.conf %{strongswan_templates}/config/plugins/kernel-netlink.conf %{strongswan_templates}/config/plugins/ldap.conf %{strongswan_templates}/config/plugins/led.conf %{strongswan_templates}/config/plugins/md4.conf -%{strongswan_templates}/config/plugins/md5.conf %{strongswan_templates}/config/plugins/mgf1.conf %{strongswan_templates}/config/plugins/nonce.conf %{strongswan_templates}/config/plugins/openssl.conf 
@@ -814,23 +744,18 @@ fi %{strongswan_templates}/config/plugins/pgp.conf %{strongswan_templates}/config/plugins/pkcs1.conf %{strongswan_templates}/config/plugins/pkcs11.conf -%{strongswan_templates}/config/plugins/pkcs12.conf %{strongswan_templates}/config/plugins/pkcs7.conf %{strongswan_templates}/config/plugins/pkcs8.conf %{strongswan_templates}/config/plugins/pubkey.conf %{strongswan_templates}/config/plugins/radattr.conf %{strongswan_templates}/config/plugins/random.conf -%{strongswan_templates}/config/plugins/rc2.conf %{strongswan_templates}/config/plugins/resolve.conf %{strongswan_templates}/config/plugins/revocation.conf -%{strongswan_templates}/config/plugins/sha1.conf -%{strongswan_templates}/config/plugins/sha2.conf %{strongswan_templates}/config/plugins/smp.conf %{strongswan_templates}/config/plugins/socket-default.conf %{strongswan_templates}/config/plugins/soup.conf %{strongswan_templates}/config/plugins/sql.conf %{strongswan_templates}/config/plugins/sshkey.conf -%{strongswan_templates}/config/plugins/stroke.conf %{strongswan_templates}/config/plugins/tnc-imc.conf %{strongswan_templates}/config/plugins/tnc-imv.conf %{strongswan_templates}/config/plugins/tnc-pdp.conf @@ -845,7 +770,6 @@ fi %{strongswan_templates}/config/plugins/xauth-generic.conf %{strongswan_templates}/config/plugins/xauth-pam.conf %{strongswan_templates}/config/plugins/xcbc.conf -%{strongswan_templates}/config/plugins/curve25519.conf %{strongswan_templates}/config/plugins/vici.conf %{strongswan_templates}/config/plugins/bypass-lan.conf %{strongswan_templates}/config/strongswan.d/charon-systemd.conf 
@@ -854,14 +778,12 @@ fi %{strongswan_templates}/config/strongswan.d/imcv.conf %{strongswan_templates}/config/strongswan.d/pki.conf %{strongswan_templates}/config/strongswan.d/pool.conf -%{strongswan_templates}/config/strongswan.d/starter.conf %{strongswan_templates}/config/strongswan.d/tnc.conf %{strongswan_templates}/config/strongswan.d/swanctl.conf %{strongswan_templates}/database/imv/data.sql %{strongswan_templates}/database/imv/tables.sql %if %{with nm} - %files nm %dir %{_libexecdir}/ipsec %dir %{strongswan_plugins} @@ -870,7 +792,6 @@ fi %endif %if %{with mysql} - %files mysql %dir %{strongswan_libdir} %dir %{strongswan_plugins} @@ -890,7 +811,6 @@ fi %endif %if %{with sqlite} - %files sqlite %dir %{strongswan_libdir} %dir %{strongswan_plugins} @@ -909,7 +829,6 @@ fi %endif %if %{with tests} - %files tests %dir %{strongswan_configs} %dir %{strongswan_configs}/charon 
@@ -929,4 +848,49 @@ fi %{strongswan_plugins}/libstrongswan-test-vectors.so %endif +%if %{with stroke} +%files ipsec +%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.conf +%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.secrets +%dir %_sysconfdir/ipsec.d +%dir %_sysconfdir/ipsec.d/crls +%dir %_sysconfdir/ipsec.d/reqs +%dir %_sysconfdir/ipsec.d/certs +%dir %_sysconfdir/ipsec.d/acerts +%dir %_sysconfdir/ipsec.d/aacerts +%dir %_sysconfdir/ipsec.d/cacerts +%dir %_sysconfdir/ipsec.d/ocspcerts +%dir %attr(700,root,root) %_sysconfdir/ipsec.d/private +%_sbindir/ipsec +%_mandir/man8/ipsec.8* +%_mandir/man5/ipsec.conf.5* +%_mandir/man5/ipsec.secrets.5* +%dir %_libexecdir/ipsec/ +%_libexecdir/ipsec/starter +%_libexecdir/ipsec/stroke +%_unitdir/strongswan-starter.service +%dir %strongswan_plugins/ +%strongswan_plugins/libstrongswan-stroke.so +%dir %strongswan_configs/ +%dir %strongswan_configs/charon/ +%config(noreplace) %attr(600,root,root) %strongswan_configs/starter.conf +%config(noreplace) %attr(600,root,root) %strongswan_configs/charon/stroke.conf +%dir %strongswan_templates/ +%dir %strongswan_templates/config/ +%dir %strongswan_templates/config/plugins/ +%strongswan_templates/config/plugins/stroke.conf +%dir %strongswan_templates/config/strongswan.d/ +%strongswan_templates/config/strongswan.d/starter.conf +%endif + +%files doc +%dir %strongswan_docdir +%strongswan_docdir/TODO +%strongswan_docdir/NEWS +%strongswan_docdir/README +%strongswan_docdir/COPYING +%strongswan_docdir/LICENSE +%strongswan_docdir/AUTHORS +%strongswan_docdir/ChangeLog + %changelog