Accepting request 1230634 from network:vpn

- /usr/sbin/ipsec is deprecated since 5.2.0 and will be removed
  in the future.
- Update to release 6.0.0

OBS-URL: https://build.opensuse.org/request/show/1230634
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=98

_scmsync.obsinfo

@@ -0,0 +1,4 @@
+mtime: 1734001585
+commit: 46bea0264513c39e6ae4994587410457fe0ffb8fe1ccbd431d7a7fd338768f89
+url: https://src.opensuse.org/jengelh/strongswan
+revision: master

build.specials.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62325c078f84c3007f3e88be6d0258f3d5640ece9cb801076c8399991d05869a
+size 256

init.patch

@@ -0,0 +1,31 @@
+From c58507ff186ae9cf014c0b54082c8bf74aef3219 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Tue, 3 Dec 2024 21:56:33 +0100
+Subject: [PATCH] init: put strongswan-starter.service behind USE_FILE_CONFIG
+References: https://github.com/strongswan/strongswan/pull/2553
+
+stroke is no longer enabled by default, but the systemd unit
+still is copied on `make install`. Fix that.
+---
+ init/Makefile.am | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/init/Makefile.am b/init/Makefile.am
+index 54c090cea..824ebd695 100644
+--- a/init/Makefile.am
++++ b/init/Makefile.am
+@@ -3,9 +3,11 @@ SUBDIRS =
+ 
+ if USE_LEGACY_SYSTEMD
+ if USE_CHARON
++if USE_FILE_CONFIG
+   SUBDIRS += systemd-starter
+ endif
+ endif
++endif
+ 
+ if USE_SYSTEMD
+ if USE_SWANCTL
+-- 
+2.47.1
+

strongswan-6.0.0.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmdO+hMACgkQ30LBcLNN
+undilgwAgiT5p2PyMhwSp4qo1EUX8+PWwJ9Plqz7TNCCdFJe3uYre3hM2K5hFey0
+azrPrqZ2HWtBycH0gI4BFzUSVO8E4SZOBQnPH/g3bsFg9VU71ML30LdZYx+Lg7wK
+7AaMxYhl7xIvfb4D8+ZpYV6bSDH0o2tRN5h5gPk4IECOTTRhsLWL89IL8xOXgNPj
+ao0meIUNfvg6cl1uLFff/c7H7cAGSFsKPSWtMWLfK0PglW4LVJJvr5PhGsduVPsE
+JwY2VAMVi1BI1Y7I1WxS7T1qEAXLKAuNHKJHgIvd3xvSM1Q197qFrGyuujDQV5Yn
+Olp583ccs2LJbfmDQiPD/AHeDpikMMtBZ3Hk7Od3CqRVpeIDyBC0/oEwiascw6Q4
+5SDclgEdL9jHU7Uo1Z9v+Ltn0lihGAkAsAMgJMFyfCFiB03yCXFQu34PK65ZoIk7
+GN3XeUqu7sdmK7Tg4RbsrZ1P7J9TiFllMiu7noYVluhW4My68A76yHIbk66i8DwF
+pzxPfTqH
+=8zOA
+-----END PGP SIGNATURE-----

strongswan-6.0.2.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmhzZ7MACgkQ30LBcLNN
-und9wQv+O2IUyvwR8T7+hDt9JIXcGWLdN6/gV42l0mR/KY5Yg18w57SQNbPqoIHq
-OddaLAMmd2yRWtpSCd8eTjBJjuBq5h2LX3w5mdu7x97+Y3tI3QWUCG9zC9Sjiu3D
-o+5KkRpUyXjWZ8068RMBVJ/zFXnybF5cCSqnC+NBDkRMoA6OjytgP+cVdPnO9GTY
-f4rEiuu8DYrdVDGv2elvLihXzhRzfxgPRYHgO3KfwBWdhg0mS/CucVx3piUqoVjt
-RR4XdyKpOU+Yh/ObACGTY3yIGxMKfKlsDbOVeH1xzlL8ZKRsRhB+GAuJ7Vz3wJRP
-ZXcW+00ZXxichUfyUcd8fEiIpgcODIT0u19ZF62fqe1VL0ltGw+Uvdn1L6VEV/ZQ
-VzGl6tByRpQegmw4/ElmYFynYnj7d8hQm9SZguX1d8DHg6Oyz3jRq13JBqKcuQYZ
-ljLWqCH+FBWwdGyU4Oh7vhHdVHKoXU2g/LuUN7G0BfW6r7fVkQKcFvSZK/qf5CtC
-Anpr4za4
-=JGRz
------END PGP SIGNATURE-----

strongswan.changes

@@ -1,78 +1,3 @@
--------------------------------------------------------------------
-Mon Jul 14 21:10:28 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
-
-- Update to release 6.0.2
-  * Support for per-CPU SAs (RFC 9611) has been added on Linux
-    6.13+. The new per_cpu_sas setting enables the installation of
-    special trap policies (start_action=trap) that instruct the
-    kernel to consider the CPU from which a packet originates.
-  * Basic support for IP-TFS's (RFC 9347) new AGGFRAG mode has been
-    added on Linux 6.14+. It's similar to tunnel mode but allows
-    aggregating small IP packets into single ESP packets and
-    fragmenting large IP packets into multiple ESP packets.
-  * POSIX regular expressions are now supported to match remote
-    identities. They must start with an explicit type prefix,
-    followed by a caret character (^), and end with a dollar sign
-    ($) to indicate an anchored pattern. Regular expressions are
-    always matched case insensitive against the string
-    representation of other identities, however, the type must
-    match as well.
-  * Switching configs based on EAP-Identities is supported. This
-    changes how configured EAP identities are used. Instead of
-    statically setting and using a configured remote.eap_id !=
-    %any, an EAP-Identity exchange is now always initiated (and
-    required). If the received identity doesn't match the
-    configuration, the peer config is switched to one with a
-    matching identity (wildcards and regular expressions are
-    supported for that match).
-  * ML-KEM is now supported via OpenSSL 3.5+ by the openssl plugin.
-- Delete init.patch (merged), strongswan-gcc15-part1.patch
-  strongswan-gcc15-part2.patch, strongswan-gcc15-part3.patch
-
--------------------------------------------------------------------
-Thu Jun  5 07:41:56 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
-
-- Add pkgconfig(libxml-2.0) BuildRequire which was previously
-  implicitly pulled in through SOUP. Move everything else to
-  pkgconfig() symbols as well.
-
--------------------------------------------------------------------
-Tue Jun  3 17:45:03 UTC 2025 - Michael Gorse <mgorse@suse.com>
-
-- Disable soup fetcher. It is redundant with the curl fetcher, and
-  this allows us to drop the dependency on libsoup2.
-
--------------------------------------------------------------------
-Tue May  6 14:01:21 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
-
-- Add patches from upstream github.com/strongswan/strongswan
-  to fix gcc-15 compile-time errors:
-  * strongswan-gcc15-part1.patch
-  * strongswan-gcc15-part2.patch
-  * strongswan-gcc15-part3.patch
-
--------------------------------------------------------------------
-Tue Mar 11 18:54:30 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
-
-- Update to release 6.0.1
-  * The `dhcp` plugin has gained a new `interface_receive` option
-  * The `eap-radius` plugin hsa gained a new `source` option
-  * The NetworkManager plugin (charon-nm) received an option to
-    configure the local traffic selectors.
-  * The `ha` plugin now supports synchronizing IKE and Child SAs
-    with multiple key exchanges
-  * Self-signed root CAs that do not contain policies are now
-    excluded from policy validation.
-  * When deciding whether to send a DPD, inbound traffic on Child
-    SAs is now ignored unless UDP-encapsulation is used.
-  * When connecting to port 4500 or a custom server port, the
-    initial IKE_SA_INIT request is now sent from the NAT-T
-    socket.
-  * The NetworkManager backend (charon-nm) now enables
-    charon-nm.check_current_path to force a DPD after
-    connectivity changes without IP change.
-- Ensure build recipe is POSIX sh compatible
-
 -------------------------------------------------------------------
 Tue Dec  3 15:59:06 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

strongswan.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -39,7 +39,7 @@
 %bcond_without  systemd
 
 Name:           strongswan
-Version:        6.0.2
+Version:        6.0.0
 Release:        0
 Summary:        IPsec-based VPN solution
 License:        GPL-2.0-or-later
@@ -55,23 +55,24 @@ Source7:        fips-enforce.conf
 Patch2:         %{name}_ipsec_service.patch
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6:         harden_strongswan.service.patch
+Patch7:         init.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
+BuildRequires:  curl-devel
 BuildRequires:  flex
 BuildRequires:  gmp-devel
 BuildRequires:  gperf
 BuildRequires:  iptables
+BuildRequires:  libcap-devel
+BuildRequires:  libopenssl-devel
 BuildRequires:  libtool
+BuildRequires:  openldap2-devel
+BuildRequires:  pam-devel
+BuildRequires:  pcsc-lite-devel
 BuildRequires:  pkg-config
-BuildRequires:  pkgconfig(ldap)
+BuildRequires:  pkgconfig(libsoup-2.4)
-BuildRequires:  pkgconfig(libcap)
-BuildRequires:  pkgconfig(libcrypto)
-BuildRequires:  pkgconfig(libcurl)
-BuildRequires:  pkgconfig(libpcsclite)
 BuildRequires:  pkgconfig(libsystemd)
-BuildRequires:  pkgconfig(libxml-2.0)
-BuildRequires:  pkgconfig(pam)
 %if %{with mysql}
 BuildRequires:  libmysqlclient-devel
 %endif
@@ -302,6 +303,7 @@ autoreconf --force --install
 	--enable-test-vectors \
 %endif
 	--enable-ldap \
+	--enable-soup \
 	--enable-curl \
 	--enable-bypass-lan \
 	--disable-static
@@ -358,9 +360,8 @@ rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
 %if ! %{with sqlite}
 rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
 %endif
-for i in charon hydra strongswan pttls radius simaka tls tnccs imcv; do
+rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
-	rm -fv %{buildroot}/%{strongswan_libdir}/lib$i.so
+rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
-done
 find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
 install -d -m755 %{buildroot}/%{strongswan_docdir}/
 install -c -m644 TODO NEWS README COPYING LICENSE \
@@ -467,12 +468,9 @@ fi
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-nm.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imv_policy_manager.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/iptfs.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
@@ -547,6 +545,7 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
@@ -654,6 +653,7 @@ fi
 %{strongswan_plugins}/libstrongswan-revocation.so
 %{strongswan_plugins}/libstrongswan-smp.so
 %{strongswan_plugins}/libstrongswan-socket-default.so
+%{strongswan_plugins}/libstrongswan-soup.so
 %{strongswan_plugins}/libstrongswan-sql.so
 %{strongswan_plugins}/libstrongswan-sshkey.so
 %{strongswan_plugins}/libstrongswan-tnc-imc.so
@@ -749,6 +749,7 @@ fi
 %{strongswan_templates}/config/plugins/revocation.conf
 %{strongswan_templates}/config/plugins/smp.conf
 %{strongswan_templates}/config/plugins/socket-default.conf
+%{strongswan_templates}/config/plugins/soup.conf
 %{strongswan_templates}/config/plugins/sql.conf
 %{strongswan_templates}/config/plugins/sshkey.conf
 %{strongswan_templates}/config/plugins/tnc-imc.conf
@@ -770,10 +771,7 @@ fi
 %{strongswan_templates}/config/strongswan.d/charon-systemd.conf
 %{strongswan_templates}/config/strongswan.d/charon-logging.conf
 %{strongswan_templates}/config/strongswan.d/charon.conf
-%{strongswan_templates}/config/strongswan.d/charon-nm.conf
 %{strongswan_templates}/config/strongswan.d/imcv.conf
-%{strongswan_templates}/config/strongswan.d/imv_policy_manager.conf
-%{strongswan_templates}/config/strongswan.d/iptfs.conf
 %{strongswan_templates}/config/strongswan.d/pki.conf
 %{strongswan_templates}/config/strongswan.d/pool.conf
 %{strongswan_templates}/config/strongswan.d/tnc.conf