Accepting request 230123 from network:vpn

- Updated to strongSwan 5.1.3 providing the following changes: - Fixed an authentication bypass vulnerability triggered by rekeying an unestablished IKEv2 SA while it gets actively initiated. This allowed an attacker to trick a peer's IKE_SA state to established, without the need to provide any valid authentication credentials. (CVE-2014-2338, bnc#870572). - The acert plugin evaluates X.509 Attribute Certificates. Group membership information encoded as strings can be used to fulfill authorization checks defined with the rightgroups option. Attribute Certificates can be loaded locally or get exchanged in IKEv2 certificate payloads. - The pki command gained support to generate X.509 Attribute Certificates using the --acert subcommand, while the --print command supports the ac type. The openac utility has been removed in favor of the new pki functionality. - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols has been extended by AEAD mode support, currently limited to AES-GCM. - Fixed an issue where CRL/OCSP trustchain validation broke enforcing CA constraints - Limited OCSP signing to specific certificates to improve performance - authKeyIdentifier is not added to self-signed certificates anymore - Fixed the comparison of IKE configs if only the cipher suites were different - Updated to strongSwan 5.1.2 providing the following changes: - A new default configuration file layout is introduced. The new default strongswan.conf file mainly includes config snippets from the strongswan.d and strongswan.d/charon directories (the latter containing snippets for all plugins). The snippets, with commented defaults, are automatically generated and installed, if they don't exist yet. Also installed in $prefix/share/strongswan/templates so existing files can be compared to the current defaults. OBS-URL: https://build.opensuse.org/request/show/230123 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=54
2014-04-17 12:09:47 +00:00 · 2014-04-17 12:09:47 +00:00 · 088068a3b3
commit 088068a3b3
parent d911ed5612 9fe4c49c74
7 changed files with 321 additions and 27 deletions
--- a/strongswan-5.1.1.tar.bz2
+++ b/strongswan-5.1.1.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fbf2a668221fc4a36a34bdeac2dfeda25b96f572d551df022585177953622406
-size 3673200
--- a/strongswan-5.1.1.tar.bz2.sig
+++ b/strongswan-5.1.1.tar.bz2.sig
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJSc1ufAAoJEN9CwXCzTbp3Y48L/RW112f7JryXe4dTekfzBehN
-9n5ycczrK8xEc6RqLbD7WI6Av97fJd/FDLAieSE3FTk2znAbf0iFXuBb7ORhOr4H
-IywXex9uXgJtDI9WBVCbL/PPBYk/JiBWeviJv5ESji0oc+Uvtx5y2xShx3YwaZCt
-38peoT2EKPmaj98OIDslfDK0q9n55puKdM0NPewtPLVOfcfhBTh5XvwI/qdZhqRH
-7hG4QHsFeY3t5sy5/XllEDXckx9vWmogchxRltoGPUfjxJb7X3empsCK8o3gbWcf
-mX887cROOxXpPHzxj887orCwu+vmSlDRJXhHaTbYbhYdOnpo0o/R/HGwdO4Bv4PY
-7yrpbz9DnpYw1XPZqd2ed4wgQMCWCuFmPFuJZBxQ2lza7QxDeC6EIc+dhT5AC7GI
-XTqU3jw3kfm+b7N0MWmMkU5iL5cgNiR23v4D8U697ruoR6Qx310xe473Yh7ZhzoV
-gJ6Z1jvc6d82ywsxo04hhv/yT7LeLyFmg+vyAAmbtg==
-=040C
-----END PGP SIGNATURE-----
--- a/strongswan-5.1.3-rpmlintrc
+++ b/strongswan-5.1.3-rpmlintrc
--- a/strongswan-5.1.3.tar.bz2
+++ b/strongswan-5.1.3.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84e46d5ce801e1b874e2bfba8d21dbd78b432e23b7fb1f4f2d637359e7a183a8
+size 3807212
--- a/strongswan-5.1.3.tar.bz2.sig
+++ b/strongswan-5.1.3.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iQGcBAABAgAGBQJTS9jUAAoJEN9CwXCzTbp3E3cMAJuQv7IsG5XDNQB/Wcb66hLQ
+2DSZN2zXRI2Ku5ONXDqnzCzyGRO84SOsGVzX9AQTHactr29B0n9rZxSCKZrm+ZRX
+lMKu6UNsS+jSKhXkXfmDSilFnM7ap7tAlFUuH/7uz8LcG34643W5BOJH0oMq7Rx3
+WN/7/TbrYf1aE0s3C8tcJXc5OghkvAfsE0jBPWhwT7dwi5eczluPMyYYdGxg8zNP
+LdBdoHTfnFRnMcL18SGwUYl09hj2YkZMoo+2Qt4I6WNy3yIINRIQluPSl2f91HHG
+VXyzGLpC3W63WYxXhPmjdmkpaT9+kulF6WVhgt3i6VMOv6nSNitHs5/X0W6N5xuX
+BhPmJRFmT0Oej3MJVxSKqUy89Ny3DyRmai5bERAFe+FOt9HN1UWqpK+qYFI+YQw/
+dMS9kviW2UhSq4BM9F9F+QrL66Bz0gc5+jXolm971FII62cV4i6n9U6veGPY9qkg
+Jcn6XpKOe2JXLsIeIMQgc0GitIaEHq/zdST/pn2Gw==
+=NZ/K
+-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,75 @@
+-------------------------------------------------------------------
+Mon Apr 14 23:36:07 UTC 2014 - mt@suse.de
+
+- Updated to strongSwan 5.1.3 providing the following changes:
+  - Fixed an authentication bypass vulnerability triggered by rekeying
+    an unestablished IKEv2 SA while it gets actively initiated. This
+    allowed an attacker to trick a peer's IKE_SA state to established,
+    without the need to provide any valid authentication credentials.
+    (CVE-2014-2338, bnc#870572).
+  - The acert plugin evaluates X.509 Attribute Certificates. Group
+    membership information encoded as strings can be used to fulfill
+    authorization checks defined with the rightgroups option.
+    Attribute Certificates can be loaded locally or get exchanged in
+    IKEv2 certificate payloads.
+  - The pki command gained support to generate X.509 Attribute
+    Certificates using the --acert subcommand, while the --print
+    command supports the ac type. The openac utility has been removed
+    in favor of the new pki functionality.
+  - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other
+    protocols has been extended by AEAD mode support, currently limited
+    to AES-GCM.
+  - Fixed an issue where CRL/OCSP trustchain validation broke enforcing
+    CA constraints
+  - Limited OCSP signing to specific certificates to improve performance
+  - authKeyIdentifier is not added to self-signed certificates anymore
+  - Fixed the comparison of IKE configs if only the cipher suites were
+    different
+
+-------------------------------------------------------------------
+Wed Apr  2 05:53:21 UTC 2014 - mt@suse.de
+
+- Updated to strongSwan 5.1.2 providing the following changes:
+  - A new default configuration file layout is introduced. The new
+    default strongswan.conf file mainly includes config snippets from
+    the strongswan.d and strongswan.d/charon directories (the latter
+    containing snippets for all plugins). The snippets, with commented
+    defaults, are automatically generated and installed, if they don't
+    exist yet. Also installed in $prefix/share/strongswan/templates so
+    existing files can be compared to the current defaults.
+  - As an alternative to the non-extensible charon.load setting, the
+    plugins to load in charon (and optionally other applications) can
+    now be determined via the charon.plugins.<name>.load setting for
+    each plugin (enabled in the new default strongswan.conf file via the
+    charon.load_modular option). The load setting optionally takes a
+    numeric priority value that allows reordering the plugins (otherwise
+    the default plugin order is preserved).
+  - All strongswan.conf settings that were formerly defined in library
+    specific "global" sections are now application specific (e.g.
+    settings for plugins in libstrongswan.plugins can now be set only
+    for charon in charon.plugins). The old options are still supported,
+    which now allows to define defaults for all applications in the
+    libstrongswan section.
+  - The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
+    computer IKE key exchange mechanism. The implementation is based on
+    the ntru-crypto library from the NTRUOpenSourceProject.
+    The supported security strengths are ntru112, ntru128, ntru192, and
+    ntru256. Since the private DH group IDs 1030..1033 have been
+    assigned, the strongSwan Vendor ID must be sent in order to use NTRU
+    (charon.send_vendor_id = yes).
+  - Defined a TPMRA remote attestation workitem and added support for it
+    to the Attestation IMV.
+  - Compatibility issues between IPComp (compress=yes) and
+    leftfirewall=yes as well as multiple subnets in left|rightsubnet
+    have been fixed.
+  - When enabling its "session" strongswan.conf option, the xauth-pam
+    plugin opens and closes a PAM session for each established IKE_SA.
+    Patch courtesy of Andrea Bonomi.
+  - The strongSwan unit testing framework has been rewritten without the
+    "check" dependency for improved flexibility and portability. It now
+    properly supports multi-threaded and memory leak testing and brings
+    a bunch of new test cases.
+
 -------------------------------------------------------------------
 Fri Nov  1 12:28:39 UTC 2013 - mt@suse.de

--- a/strongswan.spec
+++ b/strongswan.spec
@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,12 +17,15 @@


 Name:           strongswan
-Version:        5.1.1
+Version:        5.1.3
 Release:        0
-%define         upstream_version   %{version}
-%define         strongswan_docdir  %{_docdir}/%{name}
-%define         strongswan_libdir  %{_libdir}/ipsec
-%define         strongswan_plugins %{strongswan_libdir}/plugins
+%define         upstream_version     %{version}
+%define         strongswan_docdir    %{_docdir}/%{name}
+%define         strongswan_libdir    %{_libdir}/ipsec
+%define         strongswan_configs   %{_sysconfdir}/strongswan.d
+%define         strongswan_datadir   %{_datadir}/strongswan
+%define         strongswan_plugins   %{strongswan_libdir}/plugins
+%define         strongswan_templates %{strongswan_datadir}/templates
 %if 0
 %bcond_without  tests
 %else
@ -244,7 +247,7 @@ sed -e 's|@libexecdir@|%_libexecdir|g'    \
     > strongswan.init

 %build
-CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
+CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
 export RPM_OPT_FLAGS CFLAGS
 #libtoolize --force
 #autoreconf
@ -434,7 +437,6 @@ fi
 %{_libexecdir}/ipsec/_updown_espmark
 %{_libexecdir}/ipsec/conftest
 %{_libexecdir}/ipsec/duplicheck
-%{_libexecdir}/ipsec/openac
 %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/pt-tls-client
 %{_libexecdir}/ipsec/scepclient
@ -459,13 +461,105 @@ fi
 %{strongswan_docdir}/ChangeLog
 %{_mandir}/man8/_updown.8*
 %{_mandir}/man8/_updown_espmark.8*
-%{_mandir}/man8/openac.8*
 %{_mandir}/man8/scepclient.8*

 %files libs0
 %defattr(-,root,root)
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
-%dir %{_libexecdir}/ipsec
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/blowfish.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ccm.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/certexpire.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/cmac.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/constraints.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka-3gpp2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-dynamic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-gtc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-identity.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-mschapv2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-peap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-radius.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-pseudonym.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-reauth.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-file.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-pcsc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcm.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-pdp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-tnccs.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/unity.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/updown.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/x509.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-eap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-generic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-pam.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xcbc.conf
 %dir %{strongswan_libdir}
 %{strongswan_libdir}/libchecksum.so
 %{strongswan_libdir}/libcharon.so.*
@ -569,6 +663,109 @@ fi
 %{strongswan_plugins}/libstrongswan-xauth-pam.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
 %dir %ghost %{_localstatedir}/run/strongswan
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/config/strongswan.d
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/imv
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/strongswan.conf
+%{strongswan_templates}/config/plugins/addrblock.conf
+%{strongswan_templates}/config/plugins/aes.conf
+%{strongswan_templates}/config/plugins/af-alg.conf
+%{strongswan_templates}/config/plugins/agent.conf
+%{strongswan_templates}/config/plugins/attr-sql.conf
+%{strongswan_templates}/config/plugins/attr.conf
+%{strongswan_templates}/config/plugins/blowfish.conf
+%{strongswan_templates}/config/plugins/ccm.conf
+%{strongswan_templates}/config/plugins/certexpire.conf
+%{strongswan_templates}/config/plugins/cmac.conf
+%{strongswan_templates}/config/plugins/constraints.conf
+%{strongswan_templates}/config/plugins/coupling.conf
+%{strongswan_templates}/config/plugins/ctr.conf
+%{strongswan_templates}/config/plugins/curl.conf
+%{strongswan_templates}/config/plugins/des.conf
+%{strongswan_templates}/config/plugins/dhcp.conf
+%{strongswan_templates}/config/plugins/dnskey.conf
+%{strongswan_templates}/config/plugins/duplicheck.conf
+%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
+%{strongswan_templates}/config/plugins/eap-aka.conf
+%{strongswan_templates}/config/plugins/eap-dynamic.conf
+%{strongswan_templates}/config/plugins/eap-gtc.conf
+%{strongswan_templates}/config/plugins/eap-identity.conf
+%{strongswan_templates}/config/plugins/eap-md5.conf
+%{strongswan_templates}/config/plugins/eap-mschapv2.conf
+%{strongswan_templates}/config/plugins/eap-peap.conf
+%{strongswan_templates}/config/plugins/eap-radius.conf
+%{strongswan_templates}/config/plugins/eap-sim-file.conf
+%{strongswan_templates}/config/plugins/eap-sim-pcsc.conf
+%{strongswan_templates}/config/plugins/eap-sim.conf
+%{strongswan_templates}/config/plugins/eap-simaka-pseudonym.conf
+%{strongswan_templates}/config/plugins/eap-simaka-reauth.conf
+%{strongswan_templates}/config/plugins/eap-simaka-sql.conf
+%{strongswan_templates}/config/plugins/eap-tls.conf
+%{strongswan_templates}/config/plugins/eap-tnc.conf
+%{strongswan_templates}/config/plugins/eap-ttls.conf
+%{strongswan_templates}/config/plugins/farp.conf
+%{strongswan_templates}/config/plugins/fips-prf.conf
+%{strongswan_templates}/config/plugins/gcm.conf
+%{strongswan_templates}/config/plugins/gcrypt.conf
+%{strongswan_templates}/config/plugins/gmp.conf
+%{strongswan_templates}/config/plugins/ha.conf
+%{strongswan_templates}/config/plugins/hmac.conf
+%{strongswan_templates}/config/plugins/kernel-netlink.conf
+%{strongswan_templates}/config/plugins/ldap.conf
+%{strongswan_templates}/config/plugins/led.conf
+%{strongswan_templates}/config/plugins/md4.conf
+%{strongswan_templates}/config/plugins/md5.conf
+%{strongswan_templates}/config/plugins/nonce.conf
+%{strongswan_templates}/config/plugins/openssl.conf
+%{strongswan_templates}/config/plugins/pem.conf
+%{strongswan_templates}/config/plugins/pgp.conf
+%{strongswan_templates}/config/plugins/pkcs1.conf
+%{strongswan_templates}/config/plugins/pkcs11.conf
+%{strongswan_templates}/config/plugins/pkcs12.conf
+%{strongswan_templates}/config/plugins/pkcs7.conf
+%{strongswan_templates}/config/plugins/pkcs8.conf
+%{strongswan_templates}/config/plugins/pubkey.conf
+%{strongswan_templates}/config/plugins/radattr.conf
+%{strongswan_templates}/config/plugins/random.conf
+%{strongswan_templates}/config/plugins/rc2.conf
+%{strongswan_templates}/config/plugins/resolve.conf
+%{strongswan_templates}/config/plugins/revocation.conf
+%{strongswan_templates}/config/plugins/sha1.conf
+%{strongswan_templates}/config/plugins/sha2.conf
+%{strongswan_templates}/config/plugins/smp.conf
+%{strongswan_templates}/config/plugins/socket-default.conf
+%{strongswan_templates}/config/plugins/soup.conf
+%{strongswan_templates}/config/plugins/sql.conf
+%{strongswan_templates}/config/plugins/sshkey.conf
+%{strongswan_templates}/config/plugins/stroke.conf
+%{strongswan_templates}/config/plugins/tnc-imc.conf
+%{strongswan_templates}/config/plugins/tnc-imv.conf
+%{strongswan_templates}/config/plugins/tnc-pdp.conf
+%{strongswan_templates}/config/plugins/tnc-tnccs.conf
+%{strongswan_templates}/config/plugins/tnccs-11.conf
+%{strongswan_templates}/config/plugins/tnccs-20.conf
+%{strongswan_templates}/config/plugins/tnccs-dynamic.conf
+%{strongswan_templates}/config/plugins/unity.conf
+%{strongswan_templates}/config/plugins/updown.conf
+%{strongswan_templates}/config/plugins/x509.conf
+%{strongswan_templates}/config/plugins/xauth-eap.conf
+%{strongswan_templates}/config/plugins/xauth-generic.conf
+%{strongswan_templates}/config/plugins/xauth-pam.conf
+%{strongswan_templates}/config/plugins/xcbc.conf
+%{strongswan_templates}/config/strongswan.d/charon-logging.conf
+%{strongswan_templates}/config/strongswan.d/charon.conf
+%{strongswan_templates}/config/strongswan.d/imcv.conf
+%{strongswan_templates}/config/strongswan.d/pool.conf
+%{strongswan_templates}/config/strongswan.d/starter.conf
+%{strongswan_templates}/config/strongswan.d/tnc.conf
+%{strongswan_templates}/config/strongswan.d/tools.conf
+%{strongswan_templates}/database/imv/data.sql
+%{strongswan_templates}/database/imv/tables.sql

 %if %{with nm}

@ -583,22 +780,47 @@ fi

 %files mysql
 %defattr(-,root,root)
+%dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-mysql.so
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mysql.conf
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/plugins/mysql.conf
+%{strongswan_templates}/database/sql/mysql.sql
 %endif

 %if %{with sqlite}

 %files sqlite
 %defattr(-,root,root)
+%dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-sqlite.so
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sqlite.conf
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/plugins/sqlite.conf
+%{strongswan_templates}/database/sql/sqlite.sql
 %endif

 %if %{with tests}

 %files tests
 %defattr(-,root,root)
+%dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-load-tester.so
 %{strongswan_plugins}/libstrongswan-test-vectors.so