Accepting request 442527 from network:vpn

1

OBS-URL: https://build.opensuse.org/request/show/442527
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=63
This commit is contained in:
Dominique Leuenberger 2016-11-29 11:50:28 +00:00 committed by Git OBS Bridge
commit 253288c928
10 changed files with 164 additions and 331 deletions

View File

@ -1,166 +0,0 @@
From 7733b99198111ef1f30a964e15e93cb1e6d27a85 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 15 May 2015 11:15:57 +0200
References: bsc#931272,CVE-2015-3991
Subject: [PATCH] unknown-payload: Use a new private payload type and make
original type available
This fixes a DoS and potential remote code execution vulnerability that was
caused because the original payload type that was returned previously was
used to cast such payload objects to payloads of the indicated type (e.g.
when logging notify payloads with a payload type for the wrong IKE version).
Fixes CVE-2015-3991.
---
src/libcharon/encoding/message.c | 2 +-
src/libcharon/encoding/payloads/payload.c | 2 ++
src/libcharon/encoding/payloads/payload.h | 7 ++++++-
src/libcharon/encoding/payloads/unknown_payload.c | 8 ++++++++
src/libcharon/encoding/payloads/unknown_payload.h | 8 ++++++++
src/libcharon/sa/ikev2/task_manager_v2.c | 18 ++++++++++--------
6 files changed, 35 insertions(+), 10 deletions(-)
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 1ee2cf81b035..478f531eae28 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -2513,7 +2513,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
was_encrypted = "encrypted fragment payload";
}
- if (payload_is_known(type, this->major_version) && !was_encrypted &&
+ if (type != PL_UNKNOWN && !was_encrypted &&
!is_connectivity_check(this, payload) &&
this->exchange_type != AGGRESSIVE)
{
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index a1cd2f945588..f7c2754e05c3 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -97,6 +97,7 @@ ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_FRAGME
#endif /* ME */
ENUM_NEXT(payload_type_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
"HEADER",
+ "UNKNOWN",
"PROPOSAL_SUBSTRUCTURE",
"PROPOSAL_SUBSTRUCTURE_V1",
"TRANSFORM_SUBSTRUCTURE",
@@ -167,6 +168,7 @@ ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_
#endif /* ME */
ENUM_NEXT(payload_type_short_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
"HDR",
+ "UNKN",
"PROP",
"PROP",
"TRANS",
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index 920779bd1032..72003894f307 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2007-2015 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -264,6 +264,11 @@ enum payload_type_t {
PL_HEADER = 256,
/**
+ * Used to handle unknown or invalid payload types.
+ */
+ PL_UNKNOWN,
+
+ /**
* PLV2_PROPOSAL_SUBSTRUCTURE, IKEv2 proposals in a SA payload.
*/
PLV2_PROPOSAL_SUBSTRUCTURE,
diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c
index 45b91fd0b32f..c69254fc008c 100644
--- a/src/libcharon/encoding/payloads/unknown_payload.c
+++ b/src/libcharon/encoding/payloads/unknown_payload.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -121,6 +122,12 @@ METHOD(payload_t, get_header_length, int,
METHOD(payload_t, get_payload_type, payload_type_t,
private_unknown_payload_t *this)
{
+ return PL_UNKNOWN;
+}
+
+METHOD(unknown_payload_t, get_type, payload_type_t,
+ private_unknown_payload_t *this)
+{
return this->type;
}
@@ -181,6 +188,7 @@ unknown_payload_t *unknown_payload_create(payload_type_t type)
.destroy = _destroy,
},
.is_critical = _is_critical,
+ .get_type = _get_type,
.get_data = _get_data,
.destroy = _destroy,
},
diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h
index 326b550cd872..09341bcc79b5 100644
--- a/src/libcharon/encoding/payloads/unknown_payload.h
+++ b/src/libcharon/encoding/payloads/unknown_payload.h
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -42,6 +43,13 @@ struct unknown_payload_t {
payload_t payload_interface;
/**
+ * Get the original payload type as sent by the peer.
+ *
+ * @return type of the original payload
+ */
+ payload_type_t (*get_type) (unknown_payload_t *this);
+
+ /**
* Get the raw data of this payload, without
* the generic payload header.
*
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 298167703cbf..4676867dfec2 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1184,15 +1184,17 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
enumerator = msg->create_payload_enumerator(msg);
while (enumerator->enumerate(enumerator, &payload))
{
- unknown = (unknown_payload_t*)payload;
- type = payload->get_type(payload);
- if (!payload_is_known(type, msg->get_major_version(msg)) &&
- unknown->is_critical(unknown))
+ if (payload->get_type(payload) == PL_UNKNOWN)
{
- DBG1(DBG_ENC, "payload type %N is not supported, "
- "but its critical!", payload_type_names, type);
- status = NOT_SUPPORTED;
- break;
+ unknown = (unknown_payload_t*)payload;
+ if (unknown->is_critical(unknown))
+ {
+ type = unknown->get_type(unknown);
+ DBG1(DBG_ENC, "payload type %N is not supported, "
+ "but its critical!", payload_type_names, type);
+ status = NOT_SUPPORTED;
+ break;
+ }
}
}
enumerator->destroy(enumerator);
--
1.9.1

View File

@ -1,102 +0,0 @@
From ca1a65cc6aef2e037b529574783b7c571d1d82a9 Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@strongswan.org>
Date: Wed, 3 Jun 2015 10:52:34 +0200
References: bsc#933591,CVE-2015-4171
Subject: [PATCH] ikev2: Enforce remote authentication config before proceeding
with own authentication
Previously the constraints in the authentication configuration of an
initiator were enforced only after all authentication rounds were
complete. This posed a problem if an initiator used EAP or PSK
authentication while the responder was authenticated with a certificate
and if a rogue server was able to authenticate itself with a valid
certificate issued by any CA the initiator trusted.
Because any constraints for the responder's identity (rightid) or other
aspects of the authentication (e.g. rightca) the initiator had were not
enforced until the initiator itself finished its authentication such a rogue
responder was able to acquire usernames and password hashes from the client.
And if a client supported EAP-GTC it was even possible to trick it into
sending plaintext passwords.
This patch enforces the configured constraints right after the responder's
authentication successfully finished for each round and before the initiator
starts with its own authentication.
Fixes CVE-2015-4171.
---
src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 +++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index bf747a49edde..2554496c1916 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -112,6 +112,11 @@ struct private_ike_auth_t {
* received an INITIAL_CONTACT?
*/
bool initial_contact;
+
+ /**
+ * Is EAP acceptable, did we strictly authenticate peer?
+ */
+ bool eap_acceptable;
};
/**
@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this,
message->destroy(message);
}
+/**
+ * Check if strict constraint fullfillment required to continue current auth
+ */
+static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
+{
+ auth_cfg_t *cfg;
+
+ if (this->eap_acceptable)
+ {
+ return FALSE;
+ }
+
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
+ {
+ case AUTH_CLASS_EAP:
+ if (mutual_eap && this->my_auth)
+ {
+ this->eap_acceptable = TRUE;
+ return !this->my_auth->is_mutual(this->my_auth);
+ }
+ return TRUE;
+ case AUTH_CLASS_PSK:
+ return TRUE;
+ case AUTH_CLASS_PUBKEY:
+ case AUTH_CLASS_ANY:
+ default:
+ return FALSE;
+ }
+}
+
METHOD(task_t, process_i, status_t,
private_ike_auth_t *this, message_t *message)
{
@@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t,
}
}
+ if (require_strict(this, mutual_eap))
+ {
+ if (!update_cfg_candidates(this, TRUE))
+ {
+ goto peer_auth_failed;
+ }
+ }
+
if (this->my_auth)
{
switch (this->my_auth->process(this->my_auth, message))
--
1.9.1

View File

@ -1,35 +0,0 @@
From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Thu, 29 Oct 2015 11:18:27 +0100
References: CVE-2015-8023, bsc#953817
Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
established
An MSK is only established if the client successfully authenticated
itself and only then must we accept an MSCHAPV2_SUCCESS message.
Fixes CVE-2015-8023
---
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
index f7f39f9841d2..931e3c41dde4 100644
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
}
case MSCHAPV2_SUCCESS:
{
- return SUCCESS;
+ if (this->msk.ptr)
+ {
+ return SUCCESS;
+ }
+ break;
}
case MSCHAPV2_FAILURE:
{
--
1.9.1

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cf2fbfdf200a5eced796f00dc11fea67ce477d38c54d5f073ac6c51618b172f4
size 4169095

View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJUn/PYAAoJEN9CwXCzTbp3+PML/2IJQEI240BwPOpXEGrJ0jnR
Mmq7qXD3QLnUtpyX2/dXVV6X6PzdXiCubOj9m59VNSD6Qsr5W3d44rg90Vf9VxX6
5nwAWP9fWl1L8xKtC93dyPAe8eet9tMqIf6QY5LYCmKRXi9aotoARiyEjKRUsWdy
O+nDS43PrwjcgHcV+dVbpA1FyFSwoX2zoDu0d1MMzOb+b8np9+2SdtsNVKaIqW5c
39PphkQgpqBqM1nkO0LUydsdCpE+/Xq4yNP77eSio7b6b2eyAjD9gBlNsE4FHoU0
gyDKgdcOIPYmS8VD2J4efxQDjGpj6VV4wvXAo9tE7x/joIFT+Eg9LsD42l7yReaY
G/G87HVgA0DH67lBjoMfkhZcHCSTofM4cm7eOC7s48PF4HvnAM1L5bH7UzoehV9c
YvIUO/Q+7on6nvnW4AYUVXc/fAq7IUB6hYYCX6CHsb1U7gkEa7NseLwcoLmbMIfB
QaziGo6KHG4XFTdlu1LrQBip8NdJZh7v7fYJd/sFjA==
=bacU
-----END PGP SIGNATURE-----

3
strongswan-5.3.5.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350
size 4415297

View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJWVtUVAAoJEN9CwXCzTbp3dpUL/j5Dio8w6LbKtCf4QRItnG2/
3U6apa56nxDWD3rpnN20OjSUzgulMIOjv/ZtRuruRPGWoFwrG6WzrsY/0ZrV929J
hSmEVuu6qgt/2i/OJdBUHfNGbhJ9JbTXGMxnWUp38mr4SasZlzHZAxbiKmnKXKtO
H5XebtVFR0/yNBPkv6wcJID/vFhJxfWpU2dblvVfSVo9VgV7lXkD0W+S++LJDTVo
PgV/a8NZEFswLIZCPct4i3QBYCDkCiS5MGlGCa+xltPYdLpwQUqhEBUkvF8yur7K
hnpT9cLk/gMSfFQmSOoN/31yx+ZSHTGR75QEh0pXRvo+oLJse7tw5/MJOHEJu+Hp
c/0iVL7qSIXbX5DBF3c03nG3ZdWcVQW32VEp//mC5yEpqFz28dlNSpVwWHLMym/D
kddiJjkZGCm7jBaPWTHSq2l8y9zdQzyHNNQ0HUpchUcpCn7B2nQO4tDSz3AFBECT
32LKSXnpRb7BAnIW/TZhZqWs1WzbQHogUF+wx+Rl6w==
=+fm3
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,148 @@
-------------------------------------------------------------------
Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
- Updated to strongSwan 5.3.5 providing the following changes:
Changes in version 5.3.5:
* Properly handle potential EINTR errors in sigwaitinfo(2) calls
that replaced sigwait(3) calls with 5.3.4.
* RADIUS retransmission timeouts are now configurable, courtesy
of Thom Troy.
Changes in version 5.3.4:
* Fixed an authentication bypass vulnerability in the
eap-mschapv2 plugin that was caused by insufficient
verification of the internal state when handling MSCHAPv2
Success messages received by the client. This vulnerability
has been registered as CVE-2015-8023.
* The sha3 plugin implements the SHA3 Keccak-F1600 hash
algorithm family. Within the strongSwan framework SHA3 is
currently used for BLISS signatures only because the OIDs for
other signature algorithms haven't been defined yet. Also the
use of SHA3 for IKEv2 has not been standardized yet.
Changes in version 5.3.3:
* Added support for the ChaCha20/Poly1305 AEAD cipher specified
in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp
proposal keyword. The new chapoly plugin implements the
cipher, if possible SSE-accelerated on x86/x64 architectures.
It is usable both in IKEv2 and the strongSwan libipsec ESP
backend. On Linux 4.2 or newer the kernel-netlink plugin can
configure the cipher for ESP SAs.
* The vici interface now supports the configuration of auxiliary
certification authority information as CRL and OCSP URIs.
* In the bliss plugin the c_indices derivation using a SHA-512
based random oracle has been fixed, generalized and
standardized by employing the MGF1 mask generation function
with SHA-512. As a consequence BLISS signatures unsing the
improved oracle are not compatible with the earlier
implementation.
* Support for auto=route with right=%any for transport mode
connections has been added (the ikev2/trap-any scenario
provides examples).
* The starter daemon does not flush IPsec policies and SAs
anymore when it is stopped. Already existing duplicate
policies are now overwritten by the IKE daemon when it
installs its policies.
* Init limits (like charon.init_limit_half_open) can now
optionally be enforced when initiating SAs via VICI. For this,
IKE_SAs initiated by the daemon are now also counted as half
open SAs, which, as a side-effect, fixes the status output
while connecting (e.g. in ipsec status).
* Symmetric configuration of EAP methods in left|rightauth is
now possible when mutual EAP-only authentication is used
(previously, the client had to configure rightauth=eap or
rightauth=any, which prevented it from using this same config
as responder).
* The initiator flag in the IKEv2 header is compared again
(wasn't the case since 5.0.0) and packets that have the flag
set incorrectly are again ignored.
* Implemented a demo Hardcopy Device IMC/IMV pair based on the
"Hardcopy Device Health Assessment Trusted Network Connect
Binding" (HCD-TNC) document drafted by the IEEE Printer
Working Group (PWG).
* Fixed IF-M segmentation which failed in the presence of
multiple small attributes in front of a huge attribute to be
segmented.
Changes in version 5.3.2:
* Fixed a vulnerability that allowed rogue servers with a valid
certificate accepted by the client to trick it into disclosing
its username and even password (if the client accepts
EAP-GTC). This was caused because constraints against the
responder's authentication were enforced too late. This
vulnerability has been registered as CVE-2015-4171.
Changes in version 5.3.1:
* Fixed a denial-of-service and potential remote code execution
vulnerability triggered by IKEv1/IKEv2 messages that contain
payloads for the respective other IKE version. Such payload
are treated specially since 5.2.2 but because they were still
identified by their original payload type they were used as
such in some places causing invalid function pointer
dereferences. The vulnerability has been registered as
CVE-2015-3991.
* The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and
GCM crypto primitives for AES-128/192/256. The plugin requires
AES-NI and PCLMULQDQ instructions and works on both x86 and
x64 architectures. It provides superior crypto performance in
userland without any external libraries.
Changes in version 5.3.0:
* Added support for IKEv2 make-before-break reauthentication. By
using a global CHILD_SA reqid allocation mechanism, charon
supports overlapping CHILD_SAs. This allows the use of
make-before-break instead of the previously supported
break-before-make reauthentication, avoiding connectivity gaps
during that procedure. As the new mechanism may fail with peers
not supporting it (such as any previous strongSwan release) it
must be explicitly enabled using the charon.make_before_break
strongswan.conf option.
* Support for "Signature Authentication in IKEv2" (RFC 7427) has
been added. This allows the use of stronger hash algorithms
for public key authentication. By default, signature schemes
are chosen based on the strength of the signature key, but
specific hash algorithms may be configured in leftauth.
* Key types and hash algorithms specified in rightauth are now
also checked against IKEv2 signature schemes. If such
constraints are used for certificate chain validation in
existing configurations, in particular with peers that don't
support RFC 7427, it may be necessary to disable this feature
with the charon.signature_authentication_constraints setting,
because the signature scheme used in classic IKEv2 public key
authentication may not be strong enough.
* The new connmark plugin allows a host to bind conntrack flows
to a specific CHILD_SA by applying and restoring the SA mark
to conntrack entries. This allows a peer to handle multiple
transport mode connections coming over the same NAT device for
client-initiated flows. A common use case is to protect
L2TP/IPsec, as supported by some systems.
* The forecast plugin can forward broadcast and multicast
messages between connected clients and a LAN. For CHILD_SA
using unique marks, it sets up the required Netfilter rules
and uses a multicast/broadcast listener that forwards such
messages to all connected clients. This plugin is designed for
Windows 7 IKEv2 clients, which announces its services over the
tunnel if the negotiated IPsec policy allows it.
* For the vici plugin a Python Egg has been added to allow
Python applications to control or monitor the IKE daemon using
the VICI interface, similar to the existing ruby gem. The
Python library has been contributed by Björn Schuberg.
* EAP server methods now can fulfill public key constraints,
such as rightcert or rightca. Additionally, public key and
signature constraints can be specified for EAP methods in the
rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods
provide verification details to constraints checking.
* Upgrade of the BLISS post-quantum signature algorithm to the
improved BLISS-B variant. Can be used in conjunction with the
SHA256, SHA384 and SHA512 hash algorithms with SHA512 being
the default.
* The IF-IMV 1.4 interface now makes the IP address of the TNC
access requestor as seen by the TNC server available to all
IMVs. This information can be forwarded to policy enforcement
points (e.g. firewalls or routers).
* The new mutual tnccs-20 plugin parameter activates mutual TNC
measurements in PB-TNC half-duplex mode between two endpoints
over either a PT-EAP or PT-TLS transport medium.
- Adjusted file lists and removed obsolete patches
[- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch,
- 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch,
- 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
-------------------------------------------------------------------
Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de

View File

@ -1,7 +1,7 @@
#
# spec file for package strongswan
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
Name: strongswan
Version: 5.2.2
Version: 5.3.5
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@ -82,9 +82,6 @@ Patch2: %{name}_ipsec_service.patch
Patch3: %{name}_fipscheck.patch
Patch4: %{name}_fipsfilter.patch
%endif
Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
@ -295,9 +292,6 @@ and the load testing plugin for IKEv2 daemon.
%patch3 -p0
%patch4 -p1
%endif
%patch5 -p1
%patch6 -p1
%patch7 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
@ -605,7 +599,6 @@ fi
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_copyright
%{_libexecdir}/ipsec/_updown
%{_libexecdir}/ipsec/_updown_espmark
%if %{with test}
%{_libexecdir}/ipsec/conftest
%endif
@ -632,8 +625,6 @@ fi
%{strongswan_docdir}/LICENSE
%{strongswan_docdir}/AUTHORS
%{strongswan_docdir}/ChangeLog
%{_mandir}/man8/_updown.8*
%{_mandir}/man8/_updown_espmark.8*
%{_mandir}/man8/scepclient.8*
%files libs0