Add iptfs.conf to %files

harden_strongswan.service.patch

@@ -1,9 +1,13 @@
-Index: strongswan-5.9.5/init/systemd/strongswan.service.in
+---
+ init/systemd/strongswan.service.in |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+Index: strongswan-6.0.0/init/systemd/strongswan.service.in
 ===================================================================
---- strongswan-5.9.5.orig/init/systemd/strongswan.service.in
+--- strongswan-6.0.0.orig/init/systemd/strongswan.service.in
-+++ strongswan-5.9.5/init/systemd/strongswan.service.in
++++ strongswan-6.0.0/init/systemd/strongswan.service.in
-@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
+@@ -4,6 +4,17 @@ After=network-online.target
- After=network-online.target
+ Wants=network-online.target
  
  [Service]
 +# added automatically, for details please see

strongswan-5.9.14.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmX5cHAACgkQ30LBcLNN
-une5oAwAiNFc9r4zuuJ9+Qd3q4AYTiCa7g4j6OhneQwY7Y6fzYOROfKKDzPoDhwJ
-juU5vj+5d9yKVLEEueACCY2hM9cmAZL3mWMy5s86FmrNQcPRJ24cU19ZkyoxKGZ9
-8lvEtPzb5r5aTrdJnSu3rydGK7nSVysxA5ZyamviUndx1lWUkGYlz3lKMl8xm2qa
-QNCnBQiUcwm9mADl4txlxkCvSDPb1Ez7Y40K5lVTpKa/awaM9e9JuKXSgOJmBUBY
-C/E8pCzC8lENEoq5EZI/eV7VNwlc1ussqp2iSj0Nhy45cmXvCHpCIslkhPuReQzW
-nNDFbuMGiDzCvD2RNdi+l1z+74oLPFeC7663K2/VYMMobqwYVhdC4hg/PMOzDa1x
-L18Y7Pffna4gNa/jarx1U7fMFLW4c0q5DVvM8qoLtnc7Q9zFw4A+EU6i3sFa5EF+
-aVNbmHTIBXnf0YVoHmuOgjRH9kjjshnl/kSszOeW+wkoZzhuJkTzz/gllc9YWQNG
-y+PFcIVK
-=dVex
------END PGP SIGNATURE-----

strongswan-6.0.2.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmhzZ7MACgkQ30LBcLNN
+und9wQv+O2IUyvwR8T7+hDt9JIXcGWLdN6/gV42l0mR/KY5Yg18w57SQNbPqoIHq
+OddaLAMmd2yRWtpSCd8eTjBJjuBq5h2LX3w5mdu7x97+Y3tI3QWUCG9zC9Sjiu3D
+o+5KkRpUyXjWZ8068RMBVJ/zFXnybF5cCSqnC+NBDkRMoA6OjytgP+cVdPnO9GTY
+f4rEiuu8DYrdVDGv2elvLihXzhRzfxgPRYHgO3KfwBWdhg0mS/CucVx3piUqoVjt
+RR4XdyKpOU+Yh/ObACGTY3yIGxMKfKlsDbOVeH1xzlL8ZKRsRhB+GAuJ7Vz3wJRP
+ZXcW+00ZXxichUfyUcd8fEiIpgcODIT0u19ZF62fqe1VL0ltGw+Uvdn1L6VEV/ZQ
+VzGl6tByRpQegmw4/ElmYFynYnj7d8hQm9SZguX1d8DHg6Oyz3jRq13JBqKcuQYZ
+ljLWqCH+FBWwdGyU4Oh7vhHdVHKoXU2g/LuUN7G0BfW6r7fVkQKcFvSZK/qf5CtC
+Anpr4za4
+=JGRz
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,110 @@
+-------------------------------------------------------------------
+Mon Jul 14 21:10:28 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 6.0.2
+  * Support for per-CPU SAs (RFC 9611) has been added on Linux
+    6.13+. The new per_cpu_sas setting enables the installation of
+    special trap policies (start_action=trap) that instruct the
+    kernel to consider the CPU from which a packet originates.
+  * Basic support for IP-TFS's (RFC 9347) new AGGFRAG mode has been
+    added on Linux 6.14+. It's similar to tunnel mode but allows
+    aggregating small IP packets into single ESP packets and
+    fragmenting large IP packets into multiple ESP packets.
+  * POSIX regular expressions are now supported to match remote
+    identities. They must start with an explicit type prefix,
+    followed by a caret character (^), and end with a dollar sign
+    ($) to indicate an anchored pattern. Regular expressions are
+    always matched case insensitive against the string
+    representation of other identities, however, the type must
+    match as well.
+  * Switching configs based on EAP-Identities is supported. This
+    changes how configured EAP identities are used. Instead of
+    statically setting and using a configured remote.eap_id !=
+    %any, an EAP-Identity exchange is now always initiated (and
+    required). If the received identity doesn't match the
+    configuration, the peer config is switched to one with a
+    matching identity (wildcards and regular expressions are
+    supported for that match).
+  * ML-KEM is now supported via OpenSSL 3.5+ by the openssl plugin.
+- Delete init.patch (merged), strongswan-gcc15-part1.patch
+  strongswan-gcc15-part2.patch, strongswan-gcc15-part3.patch
+
+-------------------------------------------------------------------
+Thu Jun  5 07:41:56 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add pkgconfig(libxml-2.0) BuildRequire which was previously
+  implicitly pulled in through SOUP. Move everything else to
+  pkgconfig() symbols as well.
+
+-------------------------------------------------------------------
+Tue Jun  3 17:45:03 UTC 2025 - Michael Gorse <mgorse@suse.com>
+
+- Disable soup fetcher. It is redundant with the curl fetcher, and
+  this allows us to drop the dependency on libsoup2.
+
+-------------------------------------------------------------------
+Tue May  6 14:01:21 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
+
+- Add patches from upstream github.com/strongswan/strongswan
+  to fix gcc-15 compile-time errors:
+  * strongswan-gcc15-part1.patch
+  * strongswan-gcc15-part2.patch
+  * strongswan-gcc15-part3.patch
+
+-------------------------------------------------------------------
+Tue Mar 11 18:54:30 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 6.0.1
+  * The `dhcp` plugin has gained a new `interface_receive` option
+  * The `eap-radius` plugin hsa gained a new `source` option
+  * The NetworkManager plugin (charon-nm) received an option to
+    configure the local traffic selectors.
+  * The `ha` plugin now supports synchronizing IKE and Child SAs
+    with multiple key exchanges
+  * Self-signed root CAs that do not contain policies are now
+    excluded from policy validation.
+  * When deciding whether to send a DPD, inbound traffic on Child
+    SAs is now ignored unless UDP-encapsulation is used.
+  * When connecting to port 4500 or a custom server port, the
+    initial IKE_SA_INIT request is now sent from the NAT-T
+    socket.
+  * The NetworkManager backend (charon-nm) now enables
+    charon-nm.check_current_path to force a DPD after
+    connectivity changes without IP change.
+- Ensure build recipe is POSIX sh compatible
+
+-------------------------------------------------------------------
+Tue Dec  3 15:59:06 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- /usr/sbin/ipsec is deprecated since 5.2.0 and will be removed
+  in the future.
+- Update to release 6.0.0
+  * Support for multiple IKEv2 key exchanges (RFC 9370)
+  * Support for the Module-Lattice-Based Key-Encapsulation
+    Mechanism (ML-KEM, FIPS 203)
+  * AF_VSOCK socket support
+  * The file logger can optionally log messages as JSON objects
+  * Handling of CHILD_SA rekey collisions has been improved
+  * The kernel-netlink plugin explicitly configures the direction
+    of IPsec SAs when running on 6.10+ kernels
+  * The NetworkManager plugin (charon-nm) now uses a different
+    routing table than the regular IKE daemon to avoid conflicts
+    if both are running
+  * The following crypto plugins are no longer built:
+    aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2,
+    sha1, sha2. (Their replacement is the "openssl" plugin.)
+  * The following deprecated plugins have been removed: bliss
+    (signature scheme), newhope (key exchange method), ntru (key
+    exchange method).
+- Add init.patch
+
+-------------------------------------------------------------------
+Tue Nov 26 12:02:16 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- rename -hmac subpackage to -fips because it isn't providing
+  the hmac files, it provides the configuration drop in to
+  enforce fips mode.
+
 -------------------------------------------------------------------
 Thu Jun 20 12:10:36 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 

strongswan.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,21 +16,14 @@
 #
 
 
-Name:           strongswan
-Version:        5.9.14
-Release:        0
-%define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
 %define         strongswan_libdir    %{_libdir}/ipsec
 %define         strongswan_configs   %{_sysconfdir}/strongswan.d
 %define         strongswan_datadir   %{_datadir}/strongswan
 %define         strongswan_plugins   %{strongswan_libdir}/plugins
 %define         strongswan_templates %{strongswan_datadir}/templates
-%if 0
+%bcond_without  stroke
-%bcond_without  tests
-%else
 %bcond_with     tests
-%endif
 %bcond_without  fipscheck
 %ifarch %{ix86} ppc64le
 %bcond_without  integrity
@@ -44,70 +37,72 @@ Release:        0
 %bcond_without  gcrypt
 %bcond_without  nm
 %bcond_without  systemd
+
+Name:           strongswan
+Version:        6.0.2
+Release:        0
 Summary:        IPsec-based VPN solution
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 URL:            https://www.strongswan.org/
-Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
+Source0:        http://download.strongswan.org/strongswan-%version.tar.bz2
-Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
+Source1:        http://download.strongswan.org/strongswan-%version.tar.bz2.sig
 Source2:        %{name}.init.in
 Source3:        %{name}-rpmlintrc
 Source4:        README.SUSE
 Source5:        %{name}.keyring
-%if %{with fipscheck}
 Source7:        fips-enforce.conf
-%endif
 Patch2:         %{name}_ipsec_service.patch
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6:         harden_strongswan.service.patch
+BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  bison
-BuildRequires:  curl-devel
 BuildRequires:  flex
 BuildRequires:  gmp-devel
 BuildRequires:  gperf
-BuildRequires:  libcap-devel
+BuildRequires:  iptables
-BuildRequires:  libopenssl-devel
+BuildRequires:  libtool
-BuildRequires:  openldap2-devel
-BuildRequires:  pam-devel
-BuildRequires:  pcsc-lite-devel
 BuildRequires:  pkg-config
-BuildRequires:  pkgconfig(libsoup-2.4)
+BuildRequires:  pkgconfig(ldap)
+BuildRequires:  pkgconfig(libcap)
+BuildRequires:  pkgconfig(libcrypto)
+BuildRequires:  pkgconfig(libcurl)
+BuildRequires:  pkgconfig(libpcsclite)
+BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  pkgconfig(libxml-2.0)
+BuildRequires:  pkgconfig(pam)
 %if %{with mysql}
 BuildRequires:  libmysqlclient-devel
 %endif
 %if %{with sqlite}
-BuildRequires:  sqlite3-devel
+BuildRequires:  pkgconfig(sqlite3)
 %endif
 %if %{with gcrypt}
-BuildRequires:  libgcrypt-devel
+BuildRequires:  pkgconfig(libgcrypt)
 %endif
 %if %{with nm}
 BuildRequires:  pkgconfig(libnm)
 %endif
+Obsoletes:      strongswan-libs0 < %version-%release
+Provides:       strongswan-libs0 = %version-%release
 %{?systemd_requires}
-BuildRequires:  iptables
-BuildRequires:  pkgconfig(libsystemd)
 %{!?_rundir: %global _rundir /run}
 %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libtool
-Requires:       strongswan-ipsec = %{version}
 
 %description
 StrongSwan is an IPsec-based VPN solution for Linux.
 
-* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
+* IKEv1 and IKEv2 (RFC 4306, 9370) key exchange protocol support
-* Fully tested support of IPv6 IPsec tunnel and transport connections
+* Support of IPv6 IPsec tunnel and transport connections
 * Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
 * Automatic insertion and deletion of IPsec-policy-based firewall rules
-* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
+* 128/192/256-bit AES encryption
 * NAT Traversal via UDP encapsulation and port floating (RFC 3947)
-* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
+* Dead Peer Detection (DPD, RFC 3706) to detect dangling tunnels
-* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
 * XAUTH server and client functionality on top of IKEv1 Main Mode authentication
 * Virtual IP address pool managed by IKE daemon or SQL database
-* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
+* IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
 * Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
 * Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
 * Authentication based on X.509 certificates or preshared keys
@@ -115,12 +110,11 @@ StrongSwan is an IPsec-based VPN solution for Linux.
 * Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
 * Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
 * CA management (OCSP and CRL URIs, default LDAP server)
-* Powerful IPsec policies based on wildcards or intermediate CAs
+* IPsec policies based on wildcards or intermediate CAs
 * Group policies based on X.509 attribute certificates (RFC 3281)
-* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
+* Storage of RSA private keys and certificates on a smartcard (PKCS#11 interface)
 * Modular plugins for crypto algorithms and relational database interfaces
 * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
-* Optional built-in integrity and crypto tests for plugins and libraries
 * Linux desktop integration via the strongSwan NetworkManager applet
 
 This package triggers the installation of both, IKEv1 and IKEv2 daemons.
@@ -135,48 +129,39 @@ StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the StrongSwan documentation.
 
-%package libs0
+%package fips
-Summary:        strongSwan core libraries and basic plugins
-Group:          Productivity/Networking/Security
-Conflicts:      strongswan < %{version}
-
-%description libs0
-StrongSwan is an IPsec-based VPN solution for Linux.
-
-This package provides the strongswan library and plugins.
-
-%package hmac
 Summary:        Config file to disable non FIPS-140-2 algos in strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-ipsec = %{version}
+Requires:       strongswan = %version
-Requires:       strongswan-libs0 = %{version}
+Provides:       strongswan-hmac = %{version}-%{release}
+Obsoletes:      strongswan-hmac < %{version}-%{release}
 
-%description hmac
+%description fips
 The package provides a config file disabling alternative algorithm
 implementation when FIPS-140-2 compliant operation mode is enabled.
 
 %package ipsec
-Summary:        IPsec-based VPN solution
+Summary:        Old-style "ipsec" interface (stroke/starter) for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 Provides:       VPN
 Provides:       ipsec
-Provides:       strongswan = %{version}
-Obsoletes:      strongswan < %{version}
 Conflicts:      freeswan
 Conflicts:      openswan
 
 %description ipsec
 StrongSwan is an IPsec-based VPN solution for Linux.
 
-This package provides the systemd service definition and allows
+This package provides an ipsec(8) command-line interface and
-to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
+configuration mechanism (/etc/ipsec.conf, ipsec.secrets).
-/etc/ipsec.secrets files.
+
+Old-style ipsec(8) management of strongSwan is deprecated since
+version 5.2.0.
 
 %package mysql
 Summary:        MySQL plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 
 %description mysql
 StrongSwan is an IPsec-based VPN solution for Linux.
@@ -186,20 +171,20 @@ This package provides the strongswan mysql plugin.
 %package sqlite
 Summary:        SQLite plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 
 %description sqlite
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the strongswan sqlite plugin.
 
 %package nm
 Summary:        NetworkManager plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 
 %description nm
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the NetworkManager plugin to control the
 charon IKEv2 daemon through D-Bus, designed to work using the
@@ -208,28 +193,24 @@ NetworkManager-strongswan graphical user interface.
 %package tests
 Summary:        Testing plugins for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 
 %description tests
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the strongswan crypto test vectors plugin
 and the load testing plugin for IKEv2 daemon.
 
 %prep
-%setup -q -n %{name}-%{upstream_version}
+%autosetup -p1
-%patch -P 2 -p1
-%patch -P 5 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < %{_sourcedir}/strongswan.init.in \
      > strongswan.init
-%patch -P 6 -p1
 
 %build
-CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
-export CFLAGS
 autoreconf --force --install
 %configure \
+	CFLAGS="%optflags -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" \
 %if %{with integrity}
 	--enable-integrity-test \
 %endif
@@ -312,13 +293,15 @@ autoreconf --force --install
 %else
 	--disable-nm \
 %endif
+%if %{with stroke}
+	--enable-stroke \
+%endif
 %if %{with tests}
 	--enable-conftest \
 	--enable-load-tester \
 	--enable-test-vectors \
 %endif
 	--enable-ldap \
-	--enable-soup \
 	--enable-curl \
 	--enable-bypass-lan \
 	--disable-static
@@ -358,7 +341,7 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
 }
 %endif
 #
-rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
+%if %{with stroke}
 cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
 #
 # ipsec.secrets
@@ -368,16 +351,17 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
 #
 EOT
 #
+%endif
 %if ! %{with mysql}
 rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
 %endif
 %if ! %{with sqlite}
 rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
 %endif
-rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
+for i in charon hydra strongswan pttls radius simaka tls tnccs imcv; do
-rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
+	rm -fv %{buildroot}/%{strongswan_libdir}/lib$i.so
+done
 find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
-#
 install -d -m755 %{buildroot}/%{strongswan_docdir}/
 install -c -m644 TODO NEWS README COPYING LICENSE \
 		 AUTHORS ChangeLog \
@@ -393,36 +377,37 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \
 sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
 %endif
 
-%post libs0
+%post
 /sbin/ldconfig
 %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
 %{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
 
-%postun libs0 -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
 
 %pre ipsec
 %service_add_pre %{name}-starter.service
 
 %post ipsec
+%service_add_post %{name}-starter.service
 # Following code does the migration from strongwan.service (ver < 5.8.0) to
 # strongswan-starter.service (ver >= 5.8.0) during update. The systemd service
 # units have been renamed. The modern unit, which was called strongswan-swanctl,
 # is now called strongswan (the previous name is configured as alias in the unit,
 # for which a symlink is created when the unit is enabled). The legacy unit is now
 # called strongswan-starter.
-_ipsec_active=`/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null` || :
+_ipsec_active=$(/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null) || :
-_swanctl_active=`/usr/bin/systemctl is-active %{name}.service 2>/dev/null` || :
+_swanctl_active=$(/usr/bin/systemctl is-active %{name}.service 2>/dev/null) || :
-_ipsec_enable=`/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null` || :
+_ipsec_enable=$(/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null) || :
-_swanctl_enable=`/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null` || :
+_swanctl_enable=$(/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null) || :
-if [[ "$_swanctl_enable" == "enabled" || "$_swanctl_active" == "active" ]]; then
+if [ "$_swanctl_enable" = "enabled" ] || [ "$_swanctl_active" = "active" ]; then
         /usr/bin/systemctl disable --now %{name}.service || :
         /usr/bin/systemctl mask %{name}.service || :
 fi
-if [[ "$_swanctl_enable" == "enabled" || "$_ipsec_enable" == "enabled" ]]; then
+if [ "$_swanctl_enable" = "enabled" ] || [ "$_ipsec_enable" = "enabled" ]; then
         /usr/bin/systemctl daemon-reload
         /usr/bin/systemctl enable %{name}-starter.service || :
 fi
-if [[ "$_swanctl_active" == "active" || "$_ipsec_active" == "active" ]]; then
+if [ "$_swanctl_active" = "active" ] || [ "$_ipsec_active" = "active" ]; then
         /usr/bin/systemctl start %{name}-starter.service || :
 fi
 
@@ -440,45 +425,26 @@ fi
 %postun ipsec
 %service_del_postun %{name}-starter.service
 
-%files
-%dir %{strongswan_docdir}
-%{strongswan_docdir}/README.SUSE
-
 %if %{with fipscheck}
-
+%files fips
-%files hmac
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
 %endif
 
-%files ipsec
+%files
-%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
+%dir %{strongswan_docdir}
-%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
+%{strongswan_docdir}/README.SUSE
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
 %dir %{_sysconfdir}/swanctl
-%dir %{_sysconfdir}/ipsec.d
-%dir %{_sysconfdir}/ipsec.d/crls
-%dir %{_sysconfdir}/ipsec.d/reqs
-%dir %{_sysconfdir}/ipsec.d/certs
-%dir %{_sysconfdir}/ipsec.d/acerts
-%dir %{_sysconfdir}/ipsec.d/aacerts
-%dir %{_sysconfdir}/ipsec.d/cacerts
-%dir %{_sysconfdir}/ipsec.d/ocspcerts
-%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
-%{_unitdir}/strongswan-starter.service
 %{_unitdir}/strongswan.service
 %{_sbindir}/charon-systemd
 %{_bindir}/pki
 %{_bindir}/pt-tls-client
 %{_bindir}/tpm_extendpcr
-%{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_mandir}/man1/pki*.1*
 %{_mandir}/man1/pt-tls-client.1*
-%{_mandir}/man8/ipsec.8*
-%{_mandir}/man5/ipsec.conf.5*
-%{_mandir}/man5/ipsec.secrets.5*
 %{_mandir}/man5/strongswan.conf.5*
 %dir %{_libexecdir}/ipsec
 %{_libexecdir}/ipsec/_updown
@@ -488,46 +454,31 @@ fi
 %{_libexecdir}/ipsec/xfrmi
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/pool
-%{_libexecdir}/ipsec/starter
-%{_libexecdir}/ipsec/stroke
 %{_libexecdir}/ipsec/charon
 %{_libexecdir}/ipsec/_imv_policy
 %{_libexecdir}/ipsec/imv_policy_manager
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-drbg.so
-%{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
-
+%_mandir/man5/swanctl.conf.5.*
-%files doc
+%_mandir/man8/swanctl.8.*
-%dir %{strongswan_docdir}
-%{strongswan_docdir}/TODO
-%{strongswan_docdir}/NEWS
-%{strongswan_docdir}/README
-%{strongswan_docdir}/COPYING
-%{strongswan_docdir}/LICENSE
-%{strongswan_docdir}/AUTHORS
-%{strongswan_docdir}/ChangeLog
-%{_mandir}/man5/swanctl.conf.5.*
-%{_mandir}/man8/swanctl.8.*
-
-%files libs0
 %{_tmpfilesdir}/%{name}.conf
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-nm.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imv_policy_manager.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/iptfs.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
 %if %{with afalg}
@@ -544,7 +495,6 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
@@ -576,37 +526,29 @@ fi
 %endif
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
@@ -645,7 +587,6 @@ fi
 %{strongswan_libdir}/imcvs/imv-test.so
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-addrblock.so
-%{strongswan_plugins}/libstrongswan-aes.so
 %if %{with afalg}
 %{strongswan_plugins}/libstrongswan-af-alg.so
 %endif
@@ -661,7 +602,6 @@ fi
 %{strongswan_plugins}/libstrongswan-coupling.so
 %{strongswan_plugins}/libstrongswan-ctr.so
 %{strongswan_plugins}/libstrongswan-curl.so
-%{strongswan_plugins}/libstrongswan-des.so
 %{strongswan_plugins}/libstrongswan-dhcp.so
 %{strongswan_plugins}/libstrongswan-dnskey.so
 %{strongswan_plugins}/libstrongswan-duplicheck.so
@@ -693,13 +633,11 @@ fi
 %endif
 %{strongswan_plugins}/libstrongswan-gmp.so
 %{strongswan_plugins}/libstrongswan-ha.so
-%{strongswan_plugins}/libstrongswan-hmac.so
 %{strongswan_plugins}/libstrongswan-kdf.so
 %{strongswan_plugins}/libstrongswan-kernel-netlink.so
 %{strongswan_plugins}/libstrongswan-ldap.so
 %{strongswan_plugins}/libstrongswan-led.so
 %{strongswan_plugins}/libstrongswan-md4.so
-%{strongswan_plugins}/libstrongswan-md5.so
 %{strongswan_plugins}/libstrongswan-mgf1.so
 %{strongswan_plugins}/libstrongswan-nonce.so
 %{strongswan_plugins}/libstrongswan-openssl.so
@@ -707,20 +645,15 @@ fi
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
 %{strongswan_plugins}/libstrongswan-pkcs11.so
-%{strongswan_plugins}/libstrongswan-pkcs12.so
 %{strongswan_plugins}/libstrongswan-pkcs7.so
 %{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-radattr.so
 %{strongswan_plugins}/libstrongswan-random.so
-%{strongswan_plugins}/libstrongswan-rc2.so
 %{strongswan_plugins}/libstrongswan-resolve.so
 %{strongswan_plugins}/libstrongswan-revocation.so
-%{strongswan_plugins}/libstrongswan-sha1.so
-%{strongswan_plugins}/libstrongswan-sha2.so
 %{strongswan_plugins}/libstrongswan-smp.so
 %{strongswan_plugins}/libstrongswan-socket-default.so
-%{strongswan_plugins}/libstrongswan-soup.so
 %{strongswan_plugins}/libstrongswan-sql.so
 %{strongswan_plugins}/libstrongswan-sshkey.so
 %{strongswan_plugins}/libstrongswan-tnc-imc.so
@@ -736,7 +669,6 @@ fi
 %{strongswan_plugins}/libstrongswan-xauth-generic.so
 %{strongswan_plugins}/libstrongswan-xauth-pam.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
-%{strongswan_plugins}/libstrongswan-curve25519.so
 %{strongswan_plugins}/libstrongswan-vici.so
 %{strongswan_plugins}/libstrongswan-bypass-lan.so
 %dir %{strongswan_datadir}
@@ -749,7 +681,6 @@ fi
 %dir %{strongswan_templates}/database/sql
 %{strongswan_templates}/config/strongswan.conf
 %{strongswan_templates}/config/plugins/addrblock.conf
-%{strongswan_templates}/config/plugins/aes.conf
 %if %{with afalg}
 %{strongswan_templates}/config/plugins/af-alg.conf
 %endif
@@ -765,7 +696,6 @@ fi
 %{strongswan_templates}/config/plugins/coupling.conf
 %{strongswan_templates}/config/plugins/ctr.conf
 %{strongswan_templates}/config/plugins/curl.conf
-%{strongswan_templates}/config/plugins/des.conf
 %{strongswan_templates}/config/plugins/dhcp.conf
 %{strongswan_templates}/config/plugins/dnskey.conf
 %{strongswan_templates}/config/plugins/drbg.conf
@@ -798,13 +728,11 @@ fi
 %endif
 %{strongswan_templates}/config/plugins/gmp.conf
 %{strongswan_templates}/config/plugins/ha.conf
-%{strongswan_templates}/config/plugins/hmac.conf
 %{strongswan_templates}/config/plugins/kdf.conf
 %{strongswan_templates}/config/plugins/kernel-netlink.conf
 %{strongswan_templates}/config/plugins/ldap.conf
 %{strongswan_templates}/config/plugins/led.conf
 %{strongswan_templates}/config/plugins/md4.conf
-%{strongswan_templates}/config/plugins/md5.conf
 %{strongswan_templates}/config/plugins/mgf1.conf
 %{strongswan_templates}/config/plugins/nonce.conf
 %{strongswan_templates}/config/plugins/openssl.conf
@@ -812,23 +740,17 @@ fi
 %{strongswan_templates}/config/plugins/pgp.conf
 %{strongswan_templates}/config/plugins/pkcs1.conf
 %{strongswan_templates}/config/plugins/pkcs11.conf
-%{strongswan_templates}/config/plugins/pkcs12.conf
 %{strongswan_templates}/config/plugins/pkcs7.conf
 %{strongswan_templates}/config/plugins/pkcs8.conf
 %{strongswan_templates}/config/plugins/pubkey.conf
 %{strongswan_templates}/config/plugins/radattr.conf
 %{strongswan_templates}/config/plugins/random.conf
-%{strongswan_templates}/config/plugins/rc2.conf
 %{strongswan_templates}/config/plugins/resolve.conf
 %{strongswan_templates}/config/plugins/revocation.conf
-%{strongswan_templates}/config/plugins/sha1.conf
-%{strongswan_templates}/config/plugins/sha2.conf
 %{strongswan_templates}/config/plugins/smp.conf
 %{strongswan_templates}/config/plugins/socket-default.conf
-%{strongswan_templates}/config/plugins/soup.conf
 %{strongswan_templates}/config/plugins/sql.conf
 %{strongswan_templates}/config/plugins/sshkey.conf
-%{strongswan_templates}/config/plugins/stroke.conf
 %{strongswan_templates}/config/plugins/tnc-imc.conf
 %{strongswan_templates}/config/plugins/tnc-imv.conf
 %{strongswan_templates}/config/plugins/tnc-pdp.conf
@@ -843,23 +765,23 @@ fi
 %{strongswan_templates}/config/plugins/xauth-generic.conf
 %{strongswan_templates}/config/plugins/xauth-pam.conf
 %{strongswan_templates}/config/plugins/xcbc.conf
-%{strongswan_templates}/config/plugins/curve25519.conf
 %{strongswan_templates}/config/plugins/vici.conf
 %{strongswan_templates}/config/plugins/bypass-lan.conf
 %{strongswan_templates}/config/strongswan.d/charon-systemd.conf
 %{strongswan_templates}/config/strongswan.d/charon-logging.conf
 %{strongswan_templates}/config/strongswan.d/charon.conf
+%{strongswan_templates}/config/strongswan.d/charon-nm.conf
 %{strongswan_templates}/config/strongswan.d/imcv.conf
+%{strongswan_templates}/config/strongswan.d/imv_policy_manager.conf
+%{strongswan_templates}/config/strongswan.d/iptfs.conf
 %{strongswan_templates}/config/strongswan.d/pki.conf
 %{strongswan_templates}/config/strongswan.d/pool.conf
-%{strongswan_templates}/config/strongswan.d/starter.conf
 %{strongswan_templates}/config/strongswan.d/tnc.conf
 %{strongswan_templates}/config/strongswan.d/swanctl.conf
 %{strongswan_templates}/database/imv/data.sql
 %{strongswan_templates}/database/imv/tables.sql
 
 %if %{with nm}
-
 %files nm
 %dir %{_libexecdir}/ipsec
 %dir %{strongswan_plugins}
@@ -868,7 +790,6 @@ fi
 %endif
 
 %if %{with mysql}
-
 %files mysql
 %dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
@@ -888,7 +809,6 @@ fi
 %endif
 
 %if %{with sqlite}
-
 %files sqlite
 %dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
@@ -907,7 +827,6 @@ fi
 %endif
 
 %if %{with tests}
-
 %files tests
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
@@ -927,4 +846,49 @@ fi
 %{strongswan_plugins}/libstrongswan-test-vectors.so
 %endif
 
+%if %{with stroke}
+%files ipsec
+%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.conf
+%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.secrets
+%dir %_sysconfdir/ipsec.d
+%dir %_sysconfdir/ipsec.d/crls
+%dir %_sysconfdir/ipsec.d/reqs
+%dir %_sysconfdir/ipsec.d/certs
+%dir %_sysconfdir/ipsec.d/acerts
+%dir %_sysconfdir/ipsec.d/aacerts
+%dir %_sysconfdir/ipsec.d/cacerts
+%dir %_sysconfdir/ipsec.d/ocspcerts
+%dir %attr(700,root,root) %_sysconfdir/ipsec.d/private
+%_sbindir/ipsec
+%_mandir/man8/ipsec.8*
+%_mandir/man5/ipsec.conf.5*
+%_mandir/man5/ipsec.secrets.5*
+%dir %_libexecdir/ipsec/
+%_libexecdir/ipsec/starter
+%_libexecdir/ipsec/stroke
+%_unitdir/strongswan-starter.service
+%dir %strongswan_plugins/
+%strongswan_plugins/libstrongswan-stroke.so
+%dir %strongswan_configs/
+%dir %strongswan_configs/charon/
+%config(noreplace) %attr(600,root,root) %strongswan_configs/starter.conf
+%config(noreplace) %attr(600,root,root) %strongswan_configs/charon/stroke.conf
+%dir %strongswan_templates/
+%dir %strongswan_templates/config/
+%dir %strongswan_templates/config/plugins/
+%strongswan_templates/config/plugins/stroke.conf
+%dir %strongswan_templates/config/strongswan.d/
+%strongswan_templates/config/strongswan.d/starter.conf
+%endif
+
+%files doc
+%dir %strongswan_docdir
+%strongswan_docdir/TODO
+%strongswan_docdir/NEWS
+%strongswan_docdir/README
+%strongswan_docdir/COPYING
+%strongswan_docdir/LICENSE
+%strongswan_docdir/AUTHORS
+%strongswan_docdir/ChangeLog
+
 %changelog