From f013a86fad326182ed321f2a94863a0279d1bab520a431e13f6d15cf22f5961e Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Wed, 31 Oct 2012 16:08:08 +0000
Subject: [PATCH] - Updated to strongSwan 5.0.1 release. Changes digest:   -
 Introduced the sending of the standard IETF Assessment Result     PA-TNC
 attribute by all strongSwan Integrity Measurement Verifiers.   - Extended PTS
 Attestation IMC/IMV pair to provide full evidence of     the Linux IMA
 measurement process. All pertinent file information     of a Linux OS can be
 collected and stored in an SQL database.   - The PA-TNC and PB-TNC protocols
 can now process huge data payloads.   - The xauth-pam backend can
 authenticate IKEv1 XAuth and Hybrid     authenticated clients against any PAM
 service.   - The new unity plugin brings support for some parts of the IKEv1 
    Cisco Unity Extensions.   - The kernel-netlink plugin supports the new
 strongswan.conf option     charon.install_virtual_ip_on.   - Job handling in
 controller_t was fixed, which occasionally caused     crashes on ipsec
 up/down.   - Fixed transmission EAP-MSCHAPv2 user name if it contains a
 domain     part.   Changes digest from strongSwan 5.0.0 version:   * The
 charon IKE daemon gained experimental support for the IKEv1     protocol.
 Pluto has been removed from the 5.x series.   * The NetworkManager charon
 plugin of previous releases is now     provided by a separate executable
 (charon-nm) and it should work     again with NM 0.9.   * scepclient was
 updated and it now works fine with Windows Server     2008 R2.   For full
 list of the changes, please read the NEWS file shipped   in the
 strongswan-doc package or online:  
 http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 - Adopted
 spec file, enabled several plugins. - Changed to install strongswan.service
 with alias to ipsec.service

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=51
---
 strongswan.changes             |  34 ++++++-
 strongswan.spec                | 168 +++++++++++++++++++--------------
 strongswan_ipsec_service.patch |   7 ++
 3 files changed, 134 insertions(+), 75 deletions(-)
 create mode 100644 strongswan_ipsec_service.patch

diff --git a/strongswan.changes b/strongswan.changes
index 64f2832..4b524e5 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,7 +1,37 @@
 -------------------------------------------------------------------
-Tue Oct 30 17:09:36 UTC 2012 - mt@suse.de
+Wed Oct 31 15:25:16 UTC 2012 - mt@suse.de
 
-- WORK-IN-PROGRESS snapshot: Update to strongSwan 5.0.1
+- Updated to strongSwan 5.0.1 release. Changes digest:
+  - Introduced the sending of the standard IETF Assessment Result
+    PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
+  - Extended PTS Attestation IMC/IMV pair to provide full evidence of
+    the Linux IMA measurement process. All pertinent file information
+    of a Linux OS can be collected and stored in an SQL database.
+  - The PA-TNC and PB-TNC protocols can now process huge data payloads.
+  - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid
+    authenticated clients against any PAM service.
+  - The new unity plugin brings support for some parts of the IKEv1
+    Cisco Unity Extensions.
+  - The kernel-netlink plugin supports the new strongswan.conf option
+    charon.install_virtual_ip_on.
+  - Job handling in controller_t was fixed, which occasionally caused
+    crashes on ipsec up/down.
+  - Fixed transmission EAP-MSCHAPv2 user name if it contains a domain
+    part.
+  Changes digest from strongSwan 5.0.0 version:
+  * The charon IKE daemon gained experimental support for the IKEv1
+    protocol. Pluto has been removed from the 5.x series.
+  * The NetworkManager charon plugin of previous releases is now
+    provided by a separate executable (charon-nm) and it should work
+    again with NM 0.9.
+  * scepclient was updated and it now works fine with Windows Server
+    2008 R2.
+  For full list of the changes, please read the NEWS file shipped
+  in the strongswan-doc package or online:
+  http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
+- Adopted spec file, enabled several plugins.
+- Changed to install strongswan.service with alias to ipsec.service
+  instead of the /etc/init.d/ipsec init script on openSUSE > 12.2.
 
 -------------------------------------------------------------------
 Fri Sep  7 08:36:57 UTC 2012 - mt@suse.de
diff --git a/strongswan.spec b/strongswan.spec
index 1a67c6f..36b0c5f 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -23,11 +23,30 @@ Release:        0
 %define         strongswan_docdir  %{_docdir}/%{name}
 %define         strongswan_libdir  %{_libdir}/ipsec
 %define         strongswan_plugins %{strongswan_libdir}/plugins
-%define		with_mysql	1
-%define		with_sqlite	0%{suse_version} >= 1110
-%define		with_gcrypt	0%{suse_version} >= 1110
-%define		with_nm		0%{suse_version} >= 1110
-%define		with_tests	0
+%if 0
+%bcond_without  tests
+%else
+%bcond_with     tests
+%endif
+%if 1
+%bcond_without  mysql
+%else
+%bcond_with     mysql
+%endif
+%if 0%{suse_version} >= 1110
+%bcond_without  sqlite
+%bcond_without  gcrypt
+%bcond_without  nm
+%else
+%bcond_with     sqlite
+%bcond_with     gcrypt
+%bcond_with     nm
+%endif
+%if 0%{suse_version} > 1220
+%bcond_without  systemd
+%else
+%bcond_with     systemd
+%endif
 Summary:        OpenSource IPsec-based VPN Solution
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
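Review bot: The `%if 0` and `%if 1` wrappers around the `tests` and `mysql` conditionals at the top of this hunk are constant, so only one branch of each can ever be taken and the other is dead text. A bare `%bcond_with     tests` and `%bcond_without  mysql` give the same defaults and still allow `--with tests` / `--without mysql` on the rpmbuild command line. Because the bcond names read inverted, a one-line comment above the block would help, for example `# bcond_without X: X is enabled by default; bcond_with X: X is disabled by default`.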
@@ -39,6 +58,7 @@ Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Source4:        README.SUSE
 Patch1:         %{name}_modprobe_syslog.patch
+Patch2:         %{name}_ipsec_service.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -52,18 +72,21 @@ BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  pkg-config
-%if %with_mysql
+%if %{with mysql}
 BuildRequires:  libmysqlclient-devel
 %endif
-%if %with_sqlite
+%if %{with sqlite}
 BuildRequires:  sqlite3-devel
 %endif
-%if %with_gcrypt
+%if %{with gcrypt}
 BuildRequires:  libgcrypt-devel
 %endif
-%if %with_nm
+%if %{with nm}
 BuildRequires:  NetworkManager-devel
 %endif
+%if %{with systemd}
+BuildRequires:  systemd-devel
+%endif
 BuildRequires:  iptables
 BuildRequires:  libnl >= 1.1
 
@@ -131,30 +154,14 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
 
 This package provides the strongswan library and plugins.
 
-%package charon
-Summary:        OpenSource IPsec-based VPN Solution
-Group:          Productivity/Networking/Security
-Requires:       iproute2
-Requires:       strongswan-daemon-starter = %{version}
-Requires:       strongswan-libs0 = %{version}
-Provides:       strongswan-daemon = %{version}
-Conflicts:      openswan strongswan < %{version}
-
-%description charon
-StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
-
-This package provides the charon daemon supporting IKEv1 & IKEv2.
-
 %package ipsec
 Summary:        OpenSource IPsec-based VPN Solution
 Group:          Productivity/Networking/Security
 PreReq:         grep %insserv_prereq %fillup_prereq
-Requires:       strongswan-daemon = %{version}
 Requires:       strongswan-libs0 = %{version}
 Provides:       VPN
 Provides:       ipsec
 Provides:       strongswan = %{version}
-Provides:       strongswan-daemon-starter = %{version}
 Obsoletes:      strongswan < %{version}
 Conflicts:      freeswan openswan
 
@@ -162,10 +169,10 @@ Conflicts:      freeswan openswan
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
 
 This package provides the /etc/init.d/ipsec service script and allows
-to maintain both, IKEv1 and IKEv2 daemons, using /etc/ipsec.conf and
+to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the
 /etc/ipsec.sectes files.
 
-%if %with_mysql
+%if %{with mysql}
 
 %package mysql
 Summary:        OpenSource IPsec-based VPN Solution
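Review bot: The reworded `%description ipsec` still says the package provides the `/etc/init.d/ipsec` service script, which is no longer true for builds where `%{with systemd}` is set and `strongswan.service` is shipped instead. The unchanged next line also spells the secrets file as `/etc/ipsec.sectes`. Suggested wording: `This package provides the ipsec service (init script or systemd unit) and allows to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and /etc/ipsec.secrets files.`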
@@ -179,7 +186,7 @@ This package provides the strongswan mysql plugin.
 
 %endif
 
-%if %with_sqlite
+%if %{with sqlite}
 
 %package sqlite
 Summary:        OpenSource IPsec-based VPN Solution
@@ -193,14 +200,12 @@ This package provides the strongswan sqlite plugin.
 
 %endif
 
-%if %with_nm
+%if %{with nm}
 
 %package nm
 Summary:        OpenSource IPsec-based VPN Solution
 Group:          Productivity/Networking/Security
-Requires:       strongswan-ikev2 = %{version}
 Requires:       strongswan-libs0 = %{version}
-Provides:       strongswan-daemon-starter = %{version}
 
 %description nm
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -211,7 +216,7 @@ NetworkManager-strongswan graphical user interface.
 
 %endif
 
-%if %with_tests
+%if %{with tests}
 
 %package tests
 
@@ -230,6 +235,7 @@ and the load testing plugin for IKEv2 daemon.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
+%patch2 -p0
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < $RPM_SOURCE_DIR/strongswan.init.in \
      > strongswan.init
@@ -276,6 +282,16 @@ export RPM_OPT_FLAGS CFLAGS
 	--enable-eap-radius \
 	--enable-xauth-eap \
 	--enable-xauth-pam \
+	--enable-tnc-pdp \
+	--enable-tnc-imc \
+	--enable-tnc-imv \
+	--enable-tnccs-11 \
+	--enable-tnccs-20 \
+	--enable-tnccs-dynamic \
+	--enable-imc-test \
+	--enable-imv-test \
+	--enable-imc-scanner \
+	--enable-imv-scanner \
 	--enable-ha \
 	--enable-dhcp \
 	--enable-farp \
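Review bot: `--enable-imc-test` and `--enable-imv-test` are added to the unconditional configure flags, so test measurement modules are built into every package set instead of only when `%{with tests}` is on. The `@@ -456,6 +466,12 @@` hunk then lists `imc-test.so` and `imv-test.so` in what appears to be the always-installed library file list (its `%files` header is outside that hunk). For a VPN gateway it is preferable to keep test code out of the default install: move these two flags next to `--enable-load-tester \` under the existing `%if %{with tests}` and list the two `.so` files in `%files tests`. `--enable-tnc-pdp` adds a RADIUS-facing policy decision point to the same default plugin set, so it is worth confirming that it stays inert until explicitly configured.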
@@ -289,19 +305,19 @@ export RPM_OPT_FLAGS CFLAGS
 	--enable-certexpire \
 	--enable-duplicheck \
 	--enable-coupling \
-%if %with_mysql
+%if %{with mysql}
 	--enable-mysql \
 %endif
-%if %with_sqlite
+%if %{with sqlite}
 	--enable-sqlite \
 %endif
-%if %with_gcrypt
+%if %{with gcrypt}
 	--enable-gcrypt \
 %endif
-%if %with_nm
+%if %{with nm}
 	--enable-nm \
 %endif
-%if %with_tests
+%if %{with tests}
 	--enable-load-tester \
 	--enable-test-vectors \
 %endif
@@ -314,9 +330,11 @@ make %{?_smp_mflags:%_smp_mflags}
 export RPM_BUILD_ROOT
 install -d -m755              ${RPM_BUILD_ROOT}%{_sbindir}/
 install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
+%if ! %{with systemd}
 install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
 install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
 ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
+%endif
 #
 make install DESTDIR="$RPM_BUILD_ROOT"
 #
@@ -331,16 +349,16 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
 EOT
 #
 rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so
-rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs}.so
+rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
 find  $RPM_BUILD_ROOT%{strongswan_libdir} \
       -name "*.a" -o -name "*.la" | xargs -r rm -f
 #
 install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
-#install -m644 TODO NEWS README COPYING CREDITS \
-#              ${RPM_SOURCE_DIR}/README.SUSE \
-#                 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
+install -c -m644 TODO NEWS README COPYING LICENSE \
+		 AUTHORS ChangeLog \
+		 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
 install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
-		${RPM_BUILD_ROOT}%{strongswan_docdir}/
+		 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
 install -d -m755 $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan
 
 %post libs0
@@ -352,10 +370,14 @@ test -d %{_localstatedir}/run/strongswan || \
 %{run_ldconfig}
 
 %post ipsec
+%if ! %{with systemd}
 %{fillup_and_insserv ipsec}
+%endif
 
 %preun ipsec
+%if ! %{with systemd}
 %{stop_on_removal ipsec}
+%endif
 if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
 	cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \
 	                        %{_sysconfdir}/ipsec.secrets.rpmsave.old
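Review bot: With `%{with systemd}` set, the `%post ipsec` and `%preun ipsec` scriptlets in this hunk have no service handling at all, and the same holds for `%postun ipsec` in the `@@ -366,7 +388,9 @@` hunk. As far as these hunks show, the daemon is therefore not stopped when the package is removed and not restarted after an update, so a security update could leave the old charon binary running until someone restarts it by hand. Where the target distribution provides the systemd RPM macros, add a systemd branch to each scriptlet instead of only disabling the SysV one. `%postun` would get `%service_del_postun strongswan.service`, and a `%pre ipsec` with `%service_add_pre strongswan.service` plus `%{?systemd_requires}` in the preamble complete the set. The `%preun` body continues past the end of this hunk.

```spec
%post ipsec
%if %{with systemd}
%service_add_post strongswan.service
%else
%{fillup_and_insserv ipsec}
%endif

%preun ipsec
%if %{with systemd}
%service_del_preun strongswan.service
%else
%{stop_on_removal ipsec}
%endif
# … unchanged: ipsec.secrets / ipsec.conf .rpmsave backup handling …
```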
@@ -366,7 +388,9 @@ if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
 fi
 
 %postun ipsec
+%if ! %{with systemd}
 %{insserv_cleanup}
+%endif
 
 %files
 %defattr(-,root,root)
@@ -386,8 +410,12 @@ fi
 %dir %{_sysconfdir}/ipsec.d/cacerts
 %dir %{_sysconfdir}/ipsec.d/ocspcerts
 %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
+%if %{with systemd}
+/lib/systemd/system/strongswan.service
+%else
 %config %{_sysconfdir}/init.d/ipsec
 %{_sbindir}/rcipsec
+%endif
 %{_sbindir}/ipsec
 %{_mandir}/man8/ipsec.8*
 %{_mandir}/man5/ipsec.conf.5*
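Review bot: The unit file path is hard-coded as `/lib/systemd/system/strongswan.service`, which breaks the file list on any target where the unit directory differs (for example `/usr/lib/systemd/system`). Prefer the macro form `%{_unitdir}/strongswan.service`, and make sure the configure call (outside this hunk) installs the unit into the same directory. The `%files` header this list belongs to is also outside the hunk.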
@@ -405,38 +433,21 @@ fi
 %{_libexecdir}/ipsec/scepclient
 %{_libexecdir}/ipsec/starter
 %{_libexecdir}/ipsec/stroke
+%{_libexecdir}/ipsec/charon
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
 
-%files charon
-%defattr(-,root,root)
-%dir %{_libexecdir}/ipsec
-%{_libexecdir}/ipsec/charon
-
 %files doc
 %defattr(-,root,root)
 %dir %{strongswan_docdir}
-#%{strongswan_docdir}/TODO
-#%{strongswan_docdir}/NEWS
-#%{strongswan_docdir}/README
-#%{strongswan_docdir}/COPYING
-#%{strongswan_docdir}/CREDITS
-#%{_mandir}/man3/anyaddr.3*
-#%{_mandir}/man3/atoaddr.3*
-#%{_mandir}/man3/atoasr.3*
-#%{_mandir}/man3/atoul.3*
-#%{_mandir}/man3/goodmask.3*
-#%{_mandir}/man3/initaddr.3*
-#%{_mandir}/man3/initsubnet.3*
-#%{_mandir}/man3/portof.3*
-#%{_mandir}/man3/rangetosubnet.3*
-#%{_mandir}/man3/sameaddr.3*
-#%{_mandir}/man3/subnetof.3*
-#%{_mandir}/man3/ttoaddr.3*
-#%{_mandir}/man3/ttodata.3*
-#%{_mandir}/man3/ttosa.3*
-#%{_mandir}/man3/ttoul.3*
+%{strongswan_docdir}/TODO
+%{strongswan_docdir}/NEWS
+%{strongswan_docdir}/README
+%{strongswan_docdir}/COPYING
+%{strongswan_docdir}/LICENSE
+%{strongswan_docdir}/AUTHORS
+%{strongswan_docdir}/ChangeLog
 %{_mandir}/man8/_updown.8*
 %{_mandir}/man8/_updown_espmark.8*
 %{_mandir}/man8/openac.8*
@@ -446,7 +457,6 @@ fi
 %defattr(-,root,root)
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
 %dir %{_libexecdir}/ipsec
-#%dir %{_libexecdir}/ipsec/pool
 %dir %{strongswan_libdir}
 %{strongswan_libdir}/libchecksum.so
 %{strongswan_libdir}/libcharon.so.*
@@ -456,6 +466,12 @@ fi
 %{strongswan_libdir}/libstrongswan.so.*
 %{strongswan_libdir}/libtls.so.*
 %{strongswan_libdir}/libtnccs.so.*
+%{strongswan_libdir}/libimcv.so.*
+%dir %{strongswan_libdir}/imcvs
+%{strongswan_libdir}/imcvs/imc-scanner.so
+%{strongswan_libdir}/imcvs/imc-test.so
+%{strongswan_libdir}/imcvs/imv-scanner.so
+%{strongswan_libdir}/imcvs/imv-test.so
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-addrblock.so
 %{strongswan_plugins}/libstrongswan-aes.so
@@ -496,7 +512,7 @@ fi
 %{strongswan_plugins}/libstrongswan-farp.so
 %{strongswan_plugins}/libstrongswan-fips-prf.so
 %{strongswan_plugins}/libstrongswan-gcm.so
-%if %with_gcrypt
+%if %{with gcrypt}
 %{strongswan_plugins}/libstrongswan-gcrypt.so
 %endif
 %{strongswan_plugins}/libstrongswan-gmp.so
@@ -525,7 +541,13 @@ fi
 %{strongswan_plugins}/libstrongswan-socket-default.so
 %{strongswan_plugins}/libstrongswan-soup.so
 %{strongswan_plugins}/libstrongswan-sql.so
+%{strongswan_plugins}/libstrongswan-tnc-imc.so
+%{strongswan_plugins}/libstrongswan-tnc-imv.so
+%{strongswan_plugins}/libstrongswan-tnc-pdp.so
 %{strongswan_plugins}/libstrongswan-tnc-tnccs.so
+%{strongswan_plugins}/libstrongswan-tnccs-11.so
+%{strongswan_plugins}/libstrongswan-tnccs-20.so
+%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so
 %{strongswan_plugins}/libstrongswan-unity.so
 %{strongswan_plugins}/libstrongswan-x509.so
 %{strongswan_plugins}/libstrongswan-xauth-eap.so
@@ -534,7 +556,7 @@ fi
 %{strongswan_plugins}/libstrongswan-xcbc.so
 %dir %ghost %{_localstatedir}/run/strongswan
 
-%if %with_nm
+%if %{with nm}
 
 %files nm
 %defattr(-,root,root)
@@ -543,7 +565,7 @@ fi
 %{_libexecdir}/ipsec/charon-nm
 %endif
 
-%if %with_mysql
+%if %{with mysql}
 
 %files mysql
 %defattr(-,root,root)
@@ -551,7 +573,7 @@ fi
 %{strongswan_plugins}/libstrongswan-mysql.so
 %endif
 
-%if %with_sqlite
+%if %{with sqlite}
 
 %files sqlite
 %defattr(-,root,root)
@@ -559,7 +581,7 @@ fi
 %{strongswan_plugins}/libstrongswan-sqlite.so
 %endif
 
-%if %with_tests
+%if %{with tests}
 
 %files tests
 %defattr(-,root,root)
diff --git a/strongswan_ipsec_service.patch b/strongswan_ipsec_service.patch
new file mode 100644
index 0000000..ab8b13b
--- /dev/null
+++ b/strongswan_ipsec_service.patch
@@ -0,0 +1,7 @@
+--- init/systemd/strongswan.service.in
++++ init/systemd/strongswan.service.in	2012/10/31 15:21:11
+@@ -8,3 +8,4 @@ StandardOutput=syslog
+ 
+ [Install]
+ WantedBy=multi-user.target
++Alias=ipsec.service
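Review bot: `Alias=ipsec.service` sits in the `[Install]` section, so the alias symlink is only created when the unit is enabled; on a fresh install where nothing enables `strongswan.service`, `ipsec.service` will not resolve. Since the spec changes in this commit add no systemd enable or preset handling, scripts or admins that still address the service as `ipsec` may silently fail to start or stop the VPN daemon. The embedded patch also has no description header; a short comment line above the `---` line explaining why the alias is needed, for example `# Keep the legacy "ipsec" service name working under systemd`, would help future maintainers.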