From 84852c31c60ae123dad4676979539e96384cb790 Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Wed, 1 May 2013 16:07:32 -0400 Subject: [PATCH 01/14] New upstream release - Fixes fo CVE-2013-2944 - Enabled support for OS IMV/IMC - Created and applied a patch to disable ECP in fedora, because Openssl in Fedora does not allow ECP_256 and ECP_384. It makes it non-compliant to TCG's PTS standard, but there is no choice right now. see redhat bz # 319901. - Enabled Trousers support for TPM based operations. --- .gitignore | 1 + sources | 2 +- strongswan-pts-ecp-disable.patch | 20 ++++++++++++++++++++ strongswan.spec | 23 +++++++++++++++++++++-- 4 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 strongswan-pts-ecp-disable.patch diff --git a/.gitignore b/.gitignore index 81bf4de..d316010 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ /strongswan-5.0.1.tar.bz2 /strongswan-5.0.2.tar.bz2 /strongswan-5.0.3.tar.bz2 +/strongswan-5.0.4.tar.bz2 diff --git a/sources b/sources index bb79e8d..c5e1904 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -12e0a7a1be2ca0490c69146899e8a9bb strongswan-5.0.3.tar.bz2 +0ab0397b44b197febfd0f89148344035 strongswan-5.0.4.tar.bz2 diff --git a/strongswan-pts-ecp-disable.patch b/strongswan-pts-ecp-disable.patch new file mode 100644 index 0000000..6cd3ff4 --- /dev/null +++ b/strongswan-pts-ecp-disable.patch @@ -0,0 +1,20 @@ +diff -urNp strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c +--- strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c 2013-05-01 15:50:51.332560748 -0400 ++++ strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c 2013-05-01 15:57:53.545271367 -0400 +@@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t * + { + DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names, + ECP_256_BIT); ++ /* Openssl in Fedora does not allow ECP_256 and ECP_384, so lets not die ++ * here. As far as, there is one dh group available, lets continue. It makes ++ * it non-compliant to TCG's PTS standard, but there is no choice right now. ++ * see redhat bz # 319901. ++ */ ++ if(*dh_groups != PTS_DH_GROUP_NONE) ++ { ++ return TRUE; ++ } ++ + } + return FALSE; + } diff --git a/strongswan.spec b/strongswan.spec index c9cda40..af19112 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,12 +1,13 @@ Name: strongswan -Version: 5.0.3 -Release: 2%{?dist} +Version: 5.0.4 +Release: 1%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ URL: http://www.strongswan.org/ Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 Patch0: strongswan-init.patch +Patch1: strongswan-pts-ecp-disable.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel @@ -15,6 +16,7 @@ BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-glib-devel BuildRequires: sqlite-devel BuildRequires: gettext-devel +BuildRequires: trousers-devel %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 BuildRequires: systemd-units @@ -53,6 +55,7 @@ IF-IMC/IMV interface. %prep %setup -q %patch0 -p1 +%patch1 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora %build @@ -63,6 +66,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --sysconfdir=%{_sysconfdir}/%{name} \ --with-ipsecdir=%{_libexecdir}/%{name} \ --with-ipseclibdir=%{_libdir}/%{name} \ + --with-tss=trousers \ --enable-openssl \ --enable-md4 \ --enable-xauth-eap \ @@ -82,6 +86,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-imv-scanner \ --enable-imc-attestation \ --enable-imv-attestation \ + --enable-imv-os \ + --enable-imc-os \ --enable-eap-tnc \ --enable-tnccs-20 \ --enable-tnc-imc \ @@ -213,9 +219,11 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %dir %{_libdir}/%{name}/imcvs/imc-attestation.so %dir %{_libdir}/%{name}/imcvs/imc-scanner.so %dir %{_libdir}/%{name}/imcvs/imc-test.so +%dir %{_libdir}/%{name}/imcvs/imc-os.so %dir %{_libdir}/%{name}/imcvs/imv-attestation.so %dir %{_libdir}/%{name}/imcvs/imv-scanner.so %dir %{_libdir}/%{name}/imcvs/imv-test.so +%dir %{_libdir}/%{name}/imcvs/imv-os.so %dir %{_libdir}/%{name}/plugins %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so @@ -227,6 +235,7 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/attest +%{_libexecdir}/%{name}/pacman %files NetworkManager @@ -271,6 +280,16 @@ fi %endif %changelog +* Wed May 1 2013 Avesh Agarwal - 5.0.4-1 +- New upstream release +- Fixes fo CVE-2013-2944 +- Enabled support for OS IMV/IMC +- Created and applied a patch to disable ECP in fedora, because + Openssl in Fedora does not allow ECP_256 and ECP_384. It makes + it non-compliant to TCG's PTS standard, but there is no choice + right now. see redhat bz # 319901. +- Enabled Trousers support for TPM based operations. + * Sat Apr 20 2013 Pavel Šimerda - 5.0.3-2 - Rebuilt for a single specfile for rawhide/f19/f18/el6 From 8bc5b16e8f9b7c3e00f1cb2edbd34dcf8b453d21 Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Tue, 11 Jun 2013 12:01:15 -0400 Subject: [PATCH 02/14] Enabled TNCCS 1.1 protocol - Fixed libxm2-devel build dependency - Patch to fix the issue with loading of plugins --- libstrongswan-plugin.patch | 12 ++++++++++++ strongswan.spec | 18 ++++++++++++++++-- 2 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 libstrongswan-plugin.patch diff --git a/libstrongswan-plugin.patch b/libstrongswan-plugin.patch new file mode 100644 index 0000000..0f4dc32 --- /dev/null +++ b/libstrongswan-plugin.patch @@ -0,0 +1,12 @@ +diff -urNp strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c +--- strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c 2013-05-01 15:50:51.375560719 -0400 ++++ strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c 2013-05-22 16:30:24.121091911 -0400 +@@ -267,7 +267,7 @@ static bool load_plugin(private_plugin_l + return FALSE; + } + } +- handle = dlopen(file, RTLD_LAZY); ++ handle = dlopen(file, RTLD_NOW|RTLD_GLOBAL); + if (handle == NULL) + { + DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); diff --git a/strongswan.spec b/strongswan.spec index af19112..a2e3612 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,6 +1,6 @@ Name: strongswan Version: 5.0.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -8,6 +8,7 @@ URL: http://www.strongswan.org/ Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 Patch0: strongswan-init.patch Patch1: strongswan-pts-ecp-disable.patch +Patch2: libstrongswan-plugin.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel @@ -17,6 +18,7 @@ BuildRequires: NetworkManager-glib-devel BuildRequires: sqlite-devel BuildRequires: gettext-devel BuildRequires: trousers-devel +BuildRequires: libxml2-devel %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 BuildRequires: systemd-units @@ -56,6 +58,8 @@ IF-IMC/IMV interface. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 + echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora %build @@ -90,6 +94,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-imc-os \ --enable-eap-tnc \ --enable-tnccs-20 \ + --enable-tnccs-11 \ + --enable-tnccs-dynamic \ --enable-tnc-imc \ --enable-tnc-imv \ --enable-eap-radius \ @@ -97,6 +103,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-eap-identity +#make %{?_smp_mflags} IPSEC_CONFDIR=%{_sysconfdir}/%{name} make %{?_smp_mflags} sed -i 's/\t/ /' src/strongswan.conf src/starter/ipsec.conf @@ -232,6 +239,8 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %{_libdir}/%{name}/plugins/lib%{name}-tnc-imv.so %{_libdir}/%{name}/plugins/lib%{name}-tnc-tnccs.so %{_libdir}/%{name}/plugins/lib%{name}-tnccs-20.so +%{_libdir}/%{name}/plugins/lib%{name}-tnccs-11.so +%{_libdir}/%{name}/plugins/lib%{name}-tnccs-dynamic.so %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/attest @@ -280,9 +289,14 @@ fi %endif %changelog +* Tue Jun 11 2013 Avesh Agarwal - 5.0.4-2 +- Enabled TNCCS 1.1 protocol +- Fixed libxm2-devel build dependency +- Patch to fix the issue with loading of plugins + * Wed May 1 2013 Avesh Agarwal - 5.0.4-1 - New upstream release -- Fixes fo CVE-2013-2944 +- Fixes for CVE-2013-2944 - Enabled support for OS IMV/IMC - Created and applied a patch to disable ECP in fedora, because Openssl in Fedora does not allow ECP_256 and ECP_384. It makes From e0b5ee21d4cb5e9289ec5c3a6797ad677c82960b Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Fri, 28 Jun 2013 15:06:33 -0400 Subject: [PATCH 03/14] Patch to fix a major crash issue when Freeradius loads attestatiom-imv and does not initialize libstrongswan which causes crash due to calls to PTS algorithms probing APIs. So this patch fixes the order of initialization. This issues does not occur with charon because libstrongswan gets initialized earlier. - Patch that allows to outputs errors when there are permission issues when accessing strongswan.conf. - Patch to make loading of modules configurable when libimcv is used in stand alone mode without charon with freeradius and wpa_supplicant. --- libimcv-attestatiom-imv-crash.patch | 27 +++++++++++++++++ libstrongswan-settings-debug.patch | 30 +++++++++++++++++++ ...40cac68f83c77d981368a4c041eb620310ed.patch | 26 ++++++++++++++++ strongswan.spec | 21 ++++++++++++- 4 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 libimcv-attestatiom-imv-crash.patch create mode 100644 libstrongswan-settings-debug.patch create mode 100644 strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch diff --git a/libimcv-attestatiom-imv-crash.patch b/libimcv-attestatiom-imv-crash.patch new file mode 100644 index 0000000..825ce81 --- /dev/null +++ b/libimcv-attestatiom-imv-crash.patch @@ -0,0 +1,27 @@ +diff -urNp strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c +--- strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c 2013-05-01 15:50:51.331560749 -0400 ++++ strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c 2013-06-28 11:10:30.703893643 -0400 +@@ -90,11 +90,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID + DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name); + return TNC_RESULT_ALREADY_INITIALIZED; + } +- if (!pts_meas_algo_probe(&supported_algorithms) || +- !pts_dh_group_probe(&supported_dh_groups)) +- { +- return TNC_RESULT_FATAL; +- } + imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types), + imv_id, actual_version); + if (!imv_attestation) +@@ -104,6 +99,11 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID + + libpts_init(); + ++ if (!pts_meas_algo_probe(&supported_algorithms) || ++ !pts_dh_group_probe(&supported_dh_groups)) ++ { ++ return TNC_RESULT_FATAL; ++ } + if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1) + { + DBG1(DBG_IMV, "no common IF-IMV version"); diff --git a/libstrongswan-settings-debug.patch b/libstrongswan-settings-debug.patch new file mode 100644 index 0000000..f7cb93f --- /dev/null +++ b/libstrongswan-settings-debug.patch @@ -0,0 +1,30 @@ +diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswan-5.0.4-current/src/libstrongswan/utils/settings.c +--- strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c 2013-05-01 15:50:51.337560745 -0400 ++++ strongswan-5.0.4-current/src/libstrongswan/utils/settings.c 2013-06-18 13:13:27.801428152 -0400 +@@ -940,7 +940,7 @@ static bool parse_file(linked_list_t *co + { + if (errno == ENOENT) + { +- DBG2(DBG_LIB, "'%s' does not exist, ignored", file); ++ DBG1(DBG_LIB, "'%s' does not exist, ignored", file); + return TRUE; + } + DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno)); +@@ -1003,7 +1003,7 @@ static bool parse_files(linked_list_t *c + + if (!strlen(pattern)) + { +- DBG2(DBG_LIB, "empty include pattern, ignored"); ++ DBG1(DBG_LIB, "empty include pattern, ignored"); + return TRUE; + } + +@@ -1035,7 +1035,7 @@ static bool parse_files(linked_list_t *c + status = glob(pat, GLOB_ERR, NULL, &buf); + if (status == GLOB_NOMATCH) + { +- DBG2(DBG_LIB, "no files found matching '%s', ignored", pat); ++ DBG1(DBG_LIB, "no files found matching '%s', ignored", pat); + } + else if (status != 0) + { diff --git a/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch b/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch new file mode 100644 index 0000000..d58cc00 --- /dev/null +++ b/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch @@ -0,0 +1,26 @@ +From 71d740cac68f83c77d981368a4c041eb620310ed Mon Sep 17 00:00:00 2001 +From: Andreas Steffen +Date: Fri, 24 May 2013 12:56:21 +0200 +Subject: [PATCH] Make plugins in standalone libimcv configurable + +--- + src/libimcv/imcv.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c +index 6cee0ad..f9ecf79 100644 +--- a/src/libimcv/imcv.c ++++ b/src/libimcv/imcv.c +@@ -118,7 +118,8 @@ bool libimcv_init(void) + openlog("imcv", 0, LOG_DAEMON); + + if (!lib->plugins->load(lib->plugins, NULL, +- "sha1 sha2 random nonce gmp pubkey x509")) ++ lib->settings->get_str(lib->settings, "libimcv.load", ++ "random nonce gmp pubkey x509"))) + { + library_deinit(); + return FALSE; +-- +1.7.4.1 + diff --git a/strongswan.spec b/strongswan.spec index a2e3612..6a2fe20 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,6 +1,6 @@ Name: strongswan Version: 5.0.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -9,6 +9,9 @@ Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 Patch0: strongswan-init.patch Patch1: strongswan-pts-ecp-disable.patch Patch2: libstrongswan-plugin.patch +Patch3: libstrongswan-settings-debug.patch +Patch4: strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch +Patch5: libimcv-attestatiom-imv-crash.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel @@ -59,6 +62,9 @@ IF-IMC/IMV interface. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora @@ -289,6 +295,19 @@ fi %endif %changelog +* Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 +- Patch to fix a major crash issue when Freeradius loads + attestatiom-imv and does not initialize libstrongswan which + causes crash due to calls to PTS algorithms probing APIs. + So this patch fixes the order of initialization. This issues + does not occur with charon because libstrongswan gets + initialized earlier. +- Patch that allows to outputs errors when there are permission + issues when accessing strongswan.conf. +- Patch to make loading of modules configurable when libimcv + is used in stand alone mode without charon with freeradius + and wpa_supplicant. + * Tue Jun 11 2013 Avesh Agarwal - 5.0.4-2 - Enabled TNCCS 1.1 protocol - Fixed libxm2-devel build dependency From f3c41f08e2d801b7d0d9f03c2352e8a72057150b Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:10:29 +0100 Subject: [PATCH 04/14] %files section packages some files as directories (#984437) --- strongswan.spec | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 6a2fe20..b428f7a 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,6 +1,6 @@ Name: strongswan Version: 5.0.4 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -229,14 +229,14 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %{_libdir}/%{name}/libradius.so.0 %{_libdir}/%{name}/libradius.so.0.0.0 %dir %{_libdir}/%{name}/imcvs -%dir %{_libdir}/%{name}/imcvs/imc-attestation.so -%dir %{_libdir}/%{name}/imcvs/imc-scanner.so -%dir %{_libdir}/%{name}/imcvs/imc-test.so -%dir %{_libdir}/%{name}/imcvs/imc-os.so -%dir %{_libdir}/%{name}/imcvs/imv-attestation.so -%dir %{_libdir}/%{name}/imcvs/imv-scanner.so -%dir %{_libdir}/%{name}/imcvs/imv-test.so -%dir %{_libdir}/%{name}/imcvs/imv-os.so +%{_libdir}/%{name}/imcvs/imc-attestation.so +%{_libdir}/%{name}/imcvs/imc-scanner.so +%{_libdir}/%{name}/imcvs/imc-test.so +%{_libdir}/%{name}/imcvs/imc-os.so +%{_libdir}/%{name}/imcvs/imv-attestation.so +%{_libdir}/%{name}/imcvs/imv-scanner.so +%{_libdir}/%{name}/imcvs/imv-test.so +%{_libdir}/%{name}/imcvs/imv-os.so %dir %{_libdir}/%{name}/plugins %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so @@ -295,6 +295,9 @@ fi %endif %changelog +* Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 +- %%files tries to package some of the shared objects as directories (#984437) + * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads attestatiom-imv and does not initialize libstrongswan which From 70b72e4d7f20badbbd3853b43c578372a81b2a8f Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:18:44 +0100 Subject: [PATCH 05/14] Fix broken systemd unit file (#984300) --- strongswan-init.patch | 32 +------------------------------- strongswan.spec | 1 + 2 files changed, 2 insertions(+), 31 deletions(-) diff --git a/strongswan-init.patch b/strongswan-init.patch index 6ad4d59..89317f8 100644 --- a/strongswan-init.patch +++ b/strongswan-init.patch @@ -124,32 +124,15 @@ Index: strongswan-5.0.0/configure.in =================================================================== --- strongswan-5.0.0.orig/configure.in +++ strongswan-5.0.0/configure.in -@@ -1082,6 +1082,9 @@ AC_OUTPUT( +@@ -1082,6 +1082,8 @@ AC_OUTPUT( man/Makefile init/Makefile init/systemd/Makefile -+ init/systemd/strongswan.service + init/sysvinit/Makefile + init/sysvinit/strongswan src/Makefile src/include/Makefile src/libstrongswan/Makefile -Index: strongswan-5.0.0/init/systemd/Makefile.am -=================================================================== ---- strongswan-5.0.0.orig/init/systemd/Makefile.am -+++ strongswan-5.0.0/init/systemd/Makefile.am -@@ -1,11 +1 @@ -- --EXTRA_DIST = strongswan.service.in --CLEANFILES = strongswan.service -- - systemdsystemunit_DATA = strongswan.service -- --strongswan.service : strongswan.service.in -- sed \ -- -e "s:@SBINDIR@:$(sbindir):" \ -- -e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \ -- $(srcdir)/$@.in > $@ Index: strongswan-5.0.0/init/sysvinit/strongswan =================================================================== --- /dev/null @@ -255,16 +238,3 @@ Index: strongswan-5.0.0/init/sysvinit/strongswan + exit 2 +esac +exit $? -Index: strongswan-5.0.0/init/systemd/strongswan.service.in -=================================================================== ---- strongswan-5.0.0.orig/init/systemd/strongswan.service.in -+++ strongswan-5.0.0/init/systemd/strongswan.service.in -@@ -3,7 +3,7 @@ Description=strongSwan IPsec - After=syslog.target - - [Service] --ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork -+ExecStart=@sbindir@/@ipsec_script@ start --nofork - StandardOutput=syslog - - [Install] diff --git a/strongswan.spec b/strongswan.spec index b428f7a..073e438 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -297,6 +297,7 @@ fi %changelog * Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 - %%files tries to package some of the shared objects as directories (#984437) +- fix broken systemd unit file (#984300) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 2df6f4d1976d9f96ced7fc07762b4ae6d9274733 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:22:19 +0100 Subject: [PATCH 06/14] Fix various minor rpmlint errors --- strongswan.spec | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 073e438..45f7b30 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -34,9 +34,9 @@ Requires(preun): chkconfig Requires(preun): initscripts %endif %description -The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange -protocols in conjunction with the native NETKEY IPsec stack of the Linux -kernel. +The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key +exchange protocols in conjunction with the native NETKEY IPsec stack of the +Linux kernel. %package NetworkManager Summary: NetworkManager plugin for Strongswan @@ -46,15 +46,15 @@ NetworkManager plugin integrates a subset of Strongswan capabilities to NetworkManager. %package tnc-imcvs -Summary: Trusted network connect (TNC)'s IMC/IMV fuctionality +Summary: Trusted network connect (TNC)'s IMC/IMV functionality Group: Applications/System Requires: %{name} = %{version} %description tnc-imcvs -This package provides Trusted Network Connect's (TNC) IMC and IMV functionality. -Specifically it includes PTS based IMC/IMV for TPM based remote attestation and -scanner and test IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be -used by any third party TNC Client/Server implementation possessing a standard -IF-IMC/IMV interface. +This package provides Trusted Network Connect's (TNC) IMC and IMV +functionality. Specifically it includes PTS based IMC/IMV for TPM based +remote attestation and scanner and test IMCs and IMVs. The Strongswan's +IMC/IMV dynamic libraries can be used by any third party TNC Client/Server +implementation possessing a standard IF-IMC/IMV interface. %prep @@ -106,10 +106,10 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-tnc-imv \ --enable-eap-radius \ --enable-curl \ - --enable-eap-identity + --enable-eap-identity -#make %{?_smp_mflags} IPSEC_CONFDIR=%{_sysconfdir}/%{name} +#make %%{?_smp_mflags} IPSEC_CONFDIR=%%{_sysconfdir}/%%{name} make %{?_smp_mflags} sed -i 's/\t/ /' src/strongswan.conf src/starter/ipsec.conf @@ -298,6 +298,9 @@ fi * Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 - %%files tries to package some of the shared objects as directories (#984437) - fix broken systemd unit file (#984300) +- fix rpmlint error: description-line-too-long +- fix rpmlint error: macro-in-comment +- fix rpmlint error: spelling-error Summary(en_US) fuctionality * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From b8944e4e753c1b39b95c30e8d03ad1305d8460ac Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:26:49 +0100 Subject: [PATCH 07/14] Update system related dependencies and scriptlets --- strongswan.spec | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 45f7b30..b3ad6b2 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -24,10 +24,10 @@ BuildRequires: trousers-devel BuildRequires: libxml2-devel %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -BuildRequires: systemd-units -Requires(post): systemd-units -Requires(preun): systemd-units -Requires(postun): systemd-units +BuildRequires: systemd +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd %else Requires(post): chkconfig Requires(preun): chkconfig @@ -260,21 +260,14 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %post /sbin/ldconfig %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -if [ $1 -eq 1 ] ; then - # Initial installation - /bin/systemctl daemon-reload >/dev/null 2>&1 || : -fi +%systemd_post %{name}.service %else /sbin/chkconfig --add %{name} %endif %preun %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /bin/systemctl --no-reload disable %{name}.service > /dev/null 2>&1 || : - /bin/systemctl stop %{name}.service > /dev/null 2>&1 || : -fi +%systemd_preun %{name}.service %else if [ $1 -eq 0 ] ; then # Package removal, not upgrade @@ -286,11 +279,7 @@ fi %postun /sbin/ldconfig %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ $1 -ge 1 ] ; then - # Package upgrade, not uninstall - /bin/systemctl try-restart %{name}.service >/dev/null 2>&1 || : -fi +%systemd_postun_with_restart %{name}.service %else %endif @@ -301,6 +290,8 @@ fi - fix rpmlint error: description-line-too-long - fix rpmlint error: macro-in-comment - fix rpmlint error: spelling-error Summary(en_US) fuctionality +- depend on 'systemd' instead of 'systemd-units' +- use new systemd scriptlet macros * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From e323196d1b920bf2b430489b793d0acfc18c9ba8 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:27:16 +0100 Subject: [PATCH 08/14] NetworkManager subpackage is missing a license (#984490) --- strongswan.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/strongswan.spec b/strongswan.spec index b3ad6b2..6c34448 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -254,6 +254,7 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %files NetworkManager +%doc COPYING %{_libexecdir}/%{name}/charon-nm @@ -292,6 +293,7 @@ fi - fix rpmlint error: spelling-error Summary(en_US) fuctionality - depend on 'systemd' instead of 'systemd-units' - use new systemd scriptlet macros +- NetworkManager subpackage should have a copy of the license (#984490) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From a011295026e736dbc2099329aef1db68a5bbc7b6 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:28:17 +0100 Subject: [PATCH 09/14] Enable hardened_build as it meets the criteria (#984429) --- strongswan.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/strongswan.spec b/strongswan.spec index 6c34448..104cb79 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,3 +1,5 @@ +%global hardened_build 1 + Name: strongswan Version: 5.0.4 Release: 4%{?dist} @@ -294,6 +296,7 @@ fi - depend on 'systemd' instead of 'systemd-units' - use new systemd scriptlet macros - NetworkManager subpackage should have a copy of the license (#984490) +- enable hardened_build as this package meets the PIE criteria (#984429) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 4db20548af58bc396ff3976172eba2c2e0bd62d3 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:31:03 +0100 Subject: [PATCH 10/14] Patch to change 'ipsec _updown' to 'strongswan _updown' --- ...ge-ipsec-updown-to-strongswan-updown.patch | 25 +++++++++++++++++++ strongswan.spec | 5 ++++ 2 files changed, 30 insertions(+) create mode 100644 strongswan-Change-ipsec-updown-to-strongswan-updown.patch diff --git a/strongswan-Change-ipsec-updown-to-strongswan-updown.patch b/strongswan-Change-ipsec-updown-to-strongswan-updown.patch new file mode 100644 index 0000000..2f62d39 --- /dev/null +++ b/strongswan-Change-ipsec-updown-to-strongswan-updown.patch @@ -0,0 +1,25 @@ +From daa81c04068956ff34fb0efb72956401969a8d9b Mon Sep 17 00:00:00 2001 +From: Jamie Nguyen +Date: Mon, 15 Jul 2013 13:42:14 +0100 +Subject: [PATCH] Change 'ipsec _updown' to 'strongswan _updown' + +--- + src/starter/confread.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/starter/confread.c b/src/starter/confread.c +index f0f05b0..ffd44c0 100644 +--- a/src/starter/confread.c ++++ b/src/starter/confread.c +@@ -38,7 +38,7 @@ + static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536"; + static const char esp_defaults[] = "aes128-sha1,3des-sha1"; + +-static const char firewall_defaults[] = "ipsec _updown iptables"; ++static const char firewall_defaults[] = "strongswan _updown iptables"; + + static bool daemon_exists(char *daemon, char *path) + { +-- +1.8.3.1 + diff --git a/strongswan.spec b/strongswan.spec index 104cb79..9bbdf8d 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -14,6 +14,8 @@ Patch2: libstrongswan-plugin.patch Patch3: libstrongswan-settings-debug.patch Patch4: strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch Patch5: libimcv-attestatiom-imv-crash.patch +Patch6: strongswan-Change-ipsec-updown-to-strongswan-updown.patch + BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel @@ -67,6 +69,7 @@ implementation possessing a standard IF-IMC/IMV interface. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora @@ -297,6 +300,8 @@ fi - use new systemd scriptlet macros - NetworkManager subpackage should have a copy of the license (#984490) - enable hardened_build as this package meets the PIE criteria (#984429) +- invocation of "ipsec _updown iptables" is broken as ipsec is renamed + to strongswan in this package (#948306) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 79e547f661e0dbd2a7ab4713958fd0b3071c9e48 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 22:46:14 +0100 Subject: [PATCH 11/14] Patch to change 'ipsec scepclient' to 'strongswan scepclient' --- ...-scepclient-to-strongswan-scepclient.patch | 25 +++++++++++++++++++ strongswan.spec | 4 +++ 2 files changed, 29 insertions(+) create mode 100644 strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch diff --git a/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch b/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch new file mode 100644 index 0000000..ca4e05e --- /dev/null +++ b/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch @@ -0,0 +1,25 @@ +From c282e8fa3c55a9d0046a3119d7b2a3fe07d83c37 Mon Sep 17 00:00:00 2001 +From: Jamie Nguyen +Date: Mon, 15 Jul 2013 22:31:34 +0100 +Subject: [PATCH] Change 'ipsec scepclient' to 'strongswan scepclent' + +--- + src/starter/starter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/starter/starter.c b/src/starter/starter.c +index 917e52d..868b224 100644 +--- a/src/starter/starter.c ++++ b/src/starter/starter.c +@@ -293,7 +293,7 @@ static void generate_selfcert() + #endif + setegid(gid); + seteuid(uid); +- ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet")); ++ ignore_result(system("strongswan scepclient --out pkcs1 --out cert-self --quiet")); + seteuid(0); + setegid(0); + +-- +1.8.3.1 + diff --git a/strongswan.spec b/strongswan.spec index 9bbdf8d..5f89918 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -15,6 +15,7 @@ Patch3: libstrongswan-settings-debug.patch Patch4: strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch Patch5: libimcv-attestatiom-imv-crash.patch Patch6: strongswan-Change-ipsec-updown-to-strongswan-updown.patch +Patch7: strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel @@ -70,6 +71,7 @@ implementation possessing a standard IF-IMC/IMV interface. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora @@ -302,6 +304,8 @@ fi - enable hardened_build as this package meets the PIE criteria (#984429) - invocation of "ipsec _updown iptables" is broken as ipsec is renamed to strongswan in this package (#948306) +- invocation of "ipsec scepclient" is broken as ipsec is renamed + to strongswan in this package * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 6106c07f9ee39ca891e5bade046c4d009238463c Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 22:49:59 +0100 Subject: [PATCH 12/14] Add /etc/strongswan/ipsec.d and missing subdirectories --- strongswan.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/strongswan.spec b/strongswan.spec index 5f89918..e464c82 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -141,10 +141,17 @@ chmod 700 %{buildroot}%{_sysconfdir}/%{name} install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %endif +# Create ipsec.d directory tree. +install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d +for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do + install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d/${i} +done + %files %doc README README.Fedora COPYING NEWS TODO %dir %{_sysconfdir}/%{name} +%{_sysconfdir}/%{name}/ipsec.d/ %config(noreplace) %{_sysconfdir}/%{name}/ipsec.conf %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 @@ -306,6 +313,7 @@ fi to strongswan in this package (#948306) - invocation of "ipsec scepclient" is broken as ipsec is renamed to strongswan in this package +- add /etc/strongswan/ipsec.d and missing subdirectories * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 492496d78fb827a881888c69097437f9a1edd950 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 23:30:42 +0100 Subject: [PATCH 13/14] Conditionalize NM subpackage as NM on EL6 is too old --- strongswan.spec | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index e464c82..06e7e64 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,5 +1,11 @@ %global hardened_build 1 +%if 0%{?rhel} <= 6 +%global enable_nm 0 +%else +%global _enable_nm --enable-nm +%endif + Name: strongswan Version: 5.0.4 Release: 4%{?dist} @@ -21,12 +27,16 @@ BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel BuildRequires: openssl-devel -BuildRequires: NetworkManager-devel -BuildRequires: NetworkManager-glib-devel BuildRequires: sqlite-devel BuildRequires: gettext-devel BuildRequires: trousers-devel BuildRequires: libxml2-devel +%if 0%{?enable_nm} +BuildRequires: NetworkManager-devel +BuildRequires: NetworkManager-glib-devel +%else +Obsoletes: %{name}-NetworkManager < 5.0.0-3.git20120619 +%endif %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 BuildRequires: systemd @@ -43,12 +53,14 @@ The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. +%if 0%{enable_nm} %package NetworkManager Summary: NetworkManager plugin for Strongswan Group: System Environment/Daemons %description NetworkManager NetworkManager plugin integrates a subset of Strongswan capabilities to NetworkManager. +%endif %package tnc-imcvs Summary: Trusted network connect (TNC)'s IMC/IMV functionality @@ -95,7 +107,6 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-eap-mschapv2 \ --enable-farp \ --enable-dhcp \ - --enable-nm \ --enable-sqlite \ --enable-imc-test \ --enable-imv-test \ @@ -113,7 +124,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-tnc-imv \ --enable-eap-radius \ --enable-curl \ - --enable-eap-identity + --enable-eap-identity \ + %{?_enable_nm} #make %%{?_smp_mflags} IPSEC_CONFDIR=%%{_sysconfdir}/%%{name} @@ -267,9 +279,11 @@ done %{_libexecdir}/%{name}/pacman +%if 0%{?enable_nm} %files NetworkManager %doc COPYING %{_libexecdir}/%{name}/charon-nm +%endif %post @@ -314,6 +328,8 @@ fi - invocation of "ipsec scepclient" is broken as ipsec is renamed to strongswan in this package - add /etc/strongswan/ipsec.d and missing subdirectories +- conditionalize building of strongswan-NetworkManager subpackage as the + version of NetworkManager in EL6 is too old (#984497) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 12770476b6361d50a121cffd26b91785bf3b78b1 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Thu, 25 Jul 2013 07:23:48 +0100 Subject: [PATCH 14/14] Rename strongswan-NetworkManager to strongswan-charon-nm --- strongswan.spec | 80 ++++++++++++++++++++++++++----------------------- 1 file changed, 43 insertions(+), 37 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 06e7e64..1ffc703 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,14 +1,15 @@ %global hardened_build 1 -%if 0%{?rhel} <= 6 -%global enable_nm 0 +%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 +%global enable_nm 1 +%global _enable_nm '--enable-nm' %else -%global _enable_nm --enable-nm +%global enable_nm 0 %endif Name: strongswan Version: 5.0.4 -Release: 4%{?dist} +Release: 5%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -34,8 +35,10 @@ BuildRequires: libxml2-devel %if 0%{?enable_nm} BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-glib-devel +Obsoletes: %{name}-NetworkManager < 0:5.0.4-5 +Provides: %{name}-NetworkManager = 0:%{version}-%{release} %else -Obsoletes: %{name}-NetworkManager < 5.0.0-3.git20120619 +Obsoletes: %{name}-NetworkManager < 0:5.0.0-3.git20120619 %endif %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 @@ -53,11 +56,11 @@ The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. -%if 0%{enable_nm} -%package NetworkManager +%if 0%{?enable_nm} +%package charon-nm Summary: NetworkManager plugin for Strongswan Group: System Environment/Daemons -%description NetworkManager +%description charon-nm NetworkManager plugin integrates a subset of Strongswan capabilities to NetworkManager. %endif @@ -128,7 +131,6 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro %{?_enable_nm} -#make %%{?_smp_mflags} IPSEC_CONFDIR=%%{_sysconfdir}/%%{name} make %{?_smp_mflags} sed -i 's/\t/ /' src/strongswan.conf src/starter/ipsec.conf @@ -160,6 +162,33 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do done +%post +/sbin/ldconfig +%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 +%systemd_post %{name}.service +%else +/sbin/chkconfig --add %{name} +%endif + +%preun +%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 +%systemd_preun %{name}.service +%else +if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /sbin/service %{name} stop >/dev/null 2>&1 + /sbin/chkconfig --del %{name} +fi +%endif + +%postun +/sbin/ldconfig +%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 +%systemd_postun_with_restart %{name}.service +%else +%endif + + %files %doc README README.Fedora COPYING NEWS TODO %dir %{_sysconfdir}/%{name} @@ -278,41 +307,18 @@ done %{_libexecdir}/%{name}/attest %{_libexecdir}/%{name}/pacman - %if 0%{?enable_nm} -%files NetworkManager +%files charon-nm %doc COPYING %{_libexecdir}/%{name}/charon-nm %endif -%post -/sbin/ldconfig -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -%systemd_post %{name}.service -%else -/sbin/chkconfig --add %{name} -%endif - -%preun -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -%systemd_preun %{name}.service -%else -if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /sbin/service %{name} stop >/dev/null 2>&1 - /sbin/chkconfig --del %{name} -fi -%endif - -%postun -/sbin/ldconfig -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -%systemd_postun_with_restart %{name}.service -%else -%endif - %changelog +* Thu Jul 25 2013 Jamie Nguyen - 5.0.4-5 +- rename strongswan-NetworkManager to strongswan-charon-nm +- fix enable_nm macro + * Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 - %%files tries to package some of the shared objects as directories (#984437) - fix broken systemd unit file (#984300)