From 84852c31c60ae123dad4676979539e96384cb790 Mon Sep 17 00:00:00 2001
From: Avesh Agarwal
Date: Wed, 1 May 2013 16:07:32 -0400
Subject: [PATCH] New upstream release
- Fixes fo CVE-2013-2944
- Enabled support for OS IMV/IMC
- Created and applied a patch to disable ECP in fedora, because Openssl in Fedora does not allow ECP_256 and ECP_384. It makes it non-compliant to TCG's PTS standard, but there is no choice right now. see redhat bz # 319901.
- Enabled Trousers support for TPM based operations.
---
 .gitignore | 1 +
 sources | 2 +-
 strongswan-pts-ecp-disable.patch | 20 ++++++++++++++++++++
 strongswan.spec | 23 +++++++++++++++++++++--
 4 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 strongswan-pts-ecp-disable.patch
diff --git a/.gitignore b/.gitignore
index 81bf4de..d316010 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 /strongswan-5.0.1.tar.bz2
 /strongswan-5.0.2.tar.bz2
 /strongswan-5.0.3.tar.bz2
+/strongswan-5.0.4.tar.bz2
diff --git a/sources b/sources
index bb79e8d..c5e1904 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-12e0a7a1be2ca0490c69146899e8a9bb strongswan-5.0.3.tar.bz2
+0ab0397b44b197febfd0f89148344035 strongswan-5.0.4.tar.bz2
diff --git a/strongswan-pts-ecp-disable.patch b/strongswan-pts-ecp-disable.patch
new file mode 100644
index 0000000..6cd3ff4
--- /dev/null
+++ b/strongswan-pts-ecp-disable.patch
@@ -0,0 +1,20 @@
+diff -urNp strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c
+--- strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c 2013-05-01 15:50:51.332560748 -0400
++++ strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c 2013-05-01 15:57:53.545271367 -0400
+@@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t *
+ {
+ DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
+ ECP_256_BIT);
++ /* Openssl in Fedora does not allow ECP_256 and ECP_384, so lets not die
++ * here. As far as, there is one dh group available, lets continue. It makes
++ * it non-compliant to TCG's PTS standard, but there is no choice right now.
++ * see redhat bz # 319901.
++ */
++ if(*dh_groups != PTS_DH_GROUP_NONE)
++ {
++ return TRUE;
++ }
++
+ }
+ return FALSE;
+ }
diff --git a/strongswan.spec b/strongswan.spec
index c9cda40..af19112 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,12 +1,13 @@
 Name: strongswan
-Version: 5.0.3
-Release: 2%{?dist}
+Version: 5.0.4
+Release: 1%{?dist}
 Summary: An OpenSource IPsec-based VPN Solution
 Group: System Environment/Daemons
 License: GPLv2+
 URL: http://www.strongswan.org/
 Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2
 Patch0: strongswan-init.patch
+Patch1: strongswan-pts-ecp-disable.patch
 BuildRequires: gmp-devel
 BuildRequires: libcurl-devel
 BuildRequires: openldap-devel
@@ -15,6 +16,7 @@ BuildRequires: NetworkManager-devel
 BuildRequires: NetworkManager-glib-devel
 BuildRequires: sqlite-devel
 BuildRequires: gettext-devel
+BuildRequires: trousers-devel
 %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
 BuildRequires: systemd-units
@@ -53,6 +55,7 @@ IF-IMC/IMV interface.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora
 %build
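Review bot: The early `return TRUE` added to pts_dh_group_probe sits right after the DBG1 call that still reports ECP_256 as a missing "mandatory" group, so the log now says the mandatory check failed while the function reports success, and an operator reading it cannot tell that the PTS group requirement was relaxed on purpose. Log the relaxation explicitly before the return, e.g. `DBG1(DBG_PTS, "continuing without ECP_256 (OpenSSL build lacks it), PTS compliance reduced");`, and tighten the block comment to something like `/* Fedora's OpenSSL lacks ECP_256/ECP_384; continue if at least one DH group was probed. Non-compliant with TCG PTS, see RHBZ 319901. */`. The condition only checks that some group was probed; whether `*dh_groups` is guaranteed valid and already populated by the preceding code cannot be confirmed here, because the rest of pts_dh_group_probe, including its signature, lies outside the hunk.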
@@ -63,6 +66,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
 --sysconfdir=%{_sysconfdir}/%{name} \
 --with-ipsecdir=%{_libexecdir}/%{name} \
 --with-ipseclibdir=%{_libdir}/%{name} \
+ --with-tss=trousers \
 --enable-openssl \
 --enable-md4 \
 --enable-xauth-eap \
@@ -82,6 +86,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
 --enable-imv-scanner \
 --enable-imc-attestation \
 --enable-imv-attestation \
+ --enable-imv-os \
+ --enable-imc-os \
 --enable-eap-tnc \
 --enable-tnccs-20 \
 --enable-tnc-imc \
@@ -213,9 +219,11 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name}
 %dir %{_libdir}/%{name}/imcvs/imc-attestation.so
 %dir %{_libdir}/%{name}/imcvs/imc-scanner.so
 %dir %{_libdir}/%{name}/imcvs/imc-test.so
+%dir %{_libdir}/%{name}/imcvs/imc-os.so
 %dir %{_libdir}/%{name}/imcvs/imv-attestation.so
 %dir %{_libdir}/%{name}/imcvs/imv-scanner.so
 %dir %{_libdir}/%{name}/imcvs/imv-test.so
+%dir %{_libdir}/%{name}/imcvs/imv-os.so
 %dir %{_libdir}/%{name}/plugins
 %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so
 %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so
@@ -227,6 +235,7 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name}
 %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/attest
+%{_libexecdir}/%{name}/pacman
 %files NetworkManager
@@ -271,6 +280,16 @@ fi
 %endif
 %changelog
+* Wed May 1 2013 Avesh Agarwal - 5.0.4-1
+- New upstream release
+- Fixes fo CVE-2013-2944
+- Enabled support for OS IMV/IMC
+- Created and applied a patch to disable ECP in fedora, because
+ Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
+ it non-compliant to TCG's PTS standard, but there is no choice
+ right now. see redhat bz # 319901.
+- Enabled Trousers support for TPM based operations.
+
 * Sat Apr 20 2013 Pavel Šimerda - 5.0.3-2
 - Rebuilt for a single specfile for rawhide/f19/f18/el6
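Review bot: The two new `%dir` entries for imc-os.so and imv-os.so in the -213 hunk copy the attribute from the neighbouring imcvs lines, but `%dir` is the directory attribute and these paths name shared objects; the plugin entries at the bottom of the same hunk list .so files in the plain form, which is what these should use too, e.g. `%{_libdir}/%{name}/imcvs/imc-os.so` and `%{_libdir}/%{name}/imcvs/imv-os.so`. If rpmbuild on the target releases tolerates `%dir` on a regular file this is a consistency issue rather than a build break, but it is better to correct the whole imcvs group in one go than to extend the pattern. The %files section these lines belong to starts outside the hunk.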