From 36e010fbc092a1d36698409a03831652a5ce915e Mon Sep 17 00:00:00 2001
From: Denis Silakov <denis.silakov@rosalab.ru>
Date: Mon, 6 Oct 2014 03:58:35 -0400
Subject: [PATCH] Updated to 5.1.1, migrated to systemd (sync with cooker

---
 .abf.yml                                      |   5 +-
 libstrongswan-plugin.patch                    |  12 +
 libstrongswan-settings-debug.patch            |  30 ++
 ...tring_literal_and_no_format_arguments.diff |  11 -
 strongswan-5.0.1-rosa-link.patch              |  26 --
 strongswan-pts-ecp-disable.patch              |  20 ++
 strongswan.init                               | 132 --------
 strongswan.spec                               | 310 ++++++++++++++----
 8 files changed, 317 insertions(+), 229 deletions(-)
 create mode 100644 libstrongswan-plugin.patch
 create mode 100644 libstrongswan-settings-debug.patch
 delete mode 100644 strongswan-4.5.2-format_not_a_string_literal_and_no_format_arguments.diff
 delete mode 100644 strongswan-5.0.1-rosa-link.patch
 create mode 100644 strongswan-pts-ecp-disable.patch
 delete mode 100644 strongswan.init

diff --git a/.abf.yml b/.abf.yml
index 9f4b6cc..5276f25 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,3 +1,4 @@
----
-sources:
+removed_sources:
   strongswan-5.0.1.tar.bz2: e338399e4237caee148da2197515233fcfd44822
+sources:
+  strongswan-5.1.1.tar.bz2: eba9c90e3e910edd18ef4f1e380e59751965258b
diff --git a/libstrongswan-plugin.patch b/libstrongswan-plugin.patch
new file mode 100644
index 0000000..ce0951d
--- /dev/null
+++ b/libstrongswan-plugin.patch
@@ -0,0 +1,12 @@
+diff -urNp strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c
+--- strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c	2013-08-06 17:16:36.266031511 -0400
++++ strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c	2013-08-06 17:49:15.703354848 -0400
+@@ -353,7 +353,7 @@ static plugin_entry_t *load_plugin(priva
+ 			return NULL;
+ 		}
+ 	}
+-	handle = dlopen(file, RTLD_LAZY);
++	handle = dlopen(file, RTLD_NOW|RTLD_GLOBAL);
+ 	if (handle == NULL)
+ 	{
+ 		DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
diff --git a/libstrongswan-settings-debug.patch b/libstrongswan-settings-debug.patch
new file mode 100644
index 0000000..66bca56
--- /dev/null
+++ b/libstrongswan-settings-debug.patch
@@ -0,0 +1,30 @@
+diff -urNp strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c strongswan-5.1.0-current/src/libstrongswan/utils/settings.c
+--- strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c	2013-08-06 17:16:36.244031484 -0400
++++ strongswan-5.1.0-current/src/libstrongswan/utils/settings.c	2013-08-06 17:52:43.272606717 -0400
+@@ -960,7 +960,7 @@ static bool parse_file(linked_list_t *co
+ 	{
+ 		if (errno == ENOENT)
+ 		{
+-			DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
++			DBG1(DBG_LIB, "'%s' does not exist, ignored", file);
+ 			return TRUE;
+ 		}
+ 		DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
+@@ -1023,7 +1023,7 @@ static bool parse_files(linked_list_t *c
+ 
+ 	if (!strlen(pattern))
+ 	{
+-		DBG2(DBG_LIB, "empty include pattern, ignored");
++		DBG1(DBG_LIB, "empty include pattern, ignored");
+ 		return TRUE;
+ 	}
+ 
+@@ -1055,7 +1055,7 @@ static bool parse_files(linked_list_t *c
+ 		status = glob(pat, GLOB_ERR, NULL, &buf);
+ 		if (status == GLOB_NOMATCH)
+ 		{
+-			DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
++			DBG1(DBG_LIB, "no files found matching '%s', ignored", pat);
+ 		}
+ 		else if (status != 0)
+ 		{
diff --git a/strongswan-4.5.2-format_not_a_string_literal_and_no_format_arguments.diff b/strongswan-4.5.2-format_not_a_string_literal_and_no_format_arguments.diff
deleted file mode 100644
index c5750e3..0000000
--- a/strongswan-4.5.2-format_not_a_string_literal_and_no_format_arguments.diff
+++ /dev/null
@@ -1,11 +0,0 @@
---- src/libcharon/plugins/stroke/stroke_ca.c.str	2011-05-25 14:49:41.000000000 +0200
-+++ src/libcharon/plugins/stroke/stroke_ca.c	2011-05-25 14:49:57.000000000 +0200
-@@ -319,7 +319,7 @@
- 	{
- 		if (first)
- 		{
--			fprintf(out, label);
-+			fprintf(out, "%s", label);
- 			first = FALSE;
- 		}
- 		else
diff --git a/strongswan-5.0.1-rosa-link.patch b/strongswan-5.0.1-rosa-link.patch
deleted file mode 100644
index d623a63..0000000
--- a/strongswan-5.0.1-rosa-link.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Index: strongswan-5.0.1/src/libcharon/Makefile.am
-===================================================================
---- strongswan-5.0.1.orig/src/libcharon/Makefile.am
-+++ strongswan-5.0.1/src/libcharon/Makefile.am
-@@ -137,7 +137,7 @@ AM_CFLAGS = \
- 	-DIPSEC_DIR=\"${ipsecdir}\" \
- 	-DIPSEC_PIDDIR=\"${piddir}\"
- 
--libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB)
-+libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) $(top_builddir)/src/libhydra/libhydra.la $(top_builddir)/src/libstrongswan/libstrongswan.la
- 
- EXTRA_DIST = Android.mk
- 
-Index: strongswan-5.0.1/src/libhydra/Makefile.am
-===================================================================
---- strongswan-5.0.1.orig/src/libhydra/Makefile.am
-+++ strongswan-5.0.1/src/libhydra/Makefile.am
-@@ -11,7 +11,7 @@ kernel/kernel_ipsec.c kernel/kernel_ipse
- kernel/kernel_net.c kernel/kernel_net.h \
- kernel/kernel_listener.h
- 
--libhydra_la_LIBADD =
-+libhydra_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
- 
- INCLUDES = -I$(top_srcdir)/src/libstrongswan
- AM_CFLAGS = \
diff --git a/strongswan-pts-ecp-disable.patch b/strongswan-pts-ecp-disable.patch
new file mode 100644
index 0000000..59054eb
--- /dev/null
+++ b/strongswan-pts-ecp-disable.patch
@@ -0,0 +1,20 @@
+diff -urNp strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c
+--- strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c	2013-08-06 17:16:36.238031476 -0400
++++ strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c	2013-08-06 17:44:48.005036651 -0400
+@@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t *
+ 	{
+ 		DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
+ 											ECP_256_BIT);
++		/* Openssl in Fedora does not allow ECP_256 and ECP_384, so lets not die
++ 		 * here. As far as, there is one dh group available, lets continue. It makes
++ 		 * it non-compliant to TCG's PTS standard, but there is no choice right now.
++ 		 * see redhat bz # 319901.	
++ 		 */ 
++		if(*dh_groups != PTS_DH_GROUP_NONE) 
++		{
++			return TRUE;		
++		}
++
+ 	}
+ 	return FALSE;
+ }
diff --git a/strongswan.init b/strongswan.init
deleted file mode 100644
index e0a8dcc..0000000
--- a/strongswan.init
+++ /dev/null
@@ -1,132 +0,0 @@
-#!/bin/sh
-# IPsec startup and shutdown script
-# Copyright (C) 1998, 1999, 2001  Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: setup,v 1.110 2001/06/20 15:55:13 henry Exp $
-#
-# ipsec         init.d script for starting and stopping
-#               the IPsec security subsystem (KLIPS and Pluto).
-#
-# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
-# and is also accessible as "ipsec setup" (the preferred route for human
-# invocation).
-#
-# The startup and shutdown times are a difficult compromise (in particular,
-# it is almost impossible to reconcile them with the insanely early/late
-# times of NFS filesystem startup/shutdown).  Startup is after startup of
-# syslog and pcmcia support; shutdown is just before shutdown of syslog.
-#
-# chkconfig: 2345 47 68
-# description: IPsec provides encrypted and authenticated communications; \
-# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
-
-me='ipsec setup'		# for messages
-
-if [ -f /etc/rc.d/init.d/functions ]
-then
-    . /etc/rc.d/init.d/functions
-    LOGGERMINUSS=""
-else
-    failure() {
-	echo $* >&2
-    }
-    LOGGERMINUSS="-s"
-fi
-
-if test " $IPSEC_DIR" = " "	# if we were not called by the ipsec command
-then
-	# we must establish a suitable PATH ourselves
-	PATH=/usr/local/sbin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
-	export PATH
-fi
-
-# Check that the ipsec command is available.
-found=
-for dir in `echo $PATH | tr ':' ' '`
-do
-	if test -f $dir/ipsec -a -x $dir/ipsec
-	then
-		found=yes
-		break			# NOTE BREAK OUT
-	fi
-done
-if ! test "$found"
-then
-	echo "cannot find ipsec command -- \`$1' aborted" |
-	exit 1
-fi
-
-# misc setup
-umask 022
-
-
-
-# do it
-case "$1" in
-  start|stop|_autostop|_autostart)
-        case $1 in
-	  start|_autostart) echo -n "Starting IPsec";;
-	  stop|_autostop) echo -n "Stopping IPsec";;
-        esac
-	if test " `id -u`" != " 0"
-	then
-		echo "permission denied (must be superuser)" |
-			logger $LOGGERMINUSS -p $IPSECsyslog -t ipsec_setup 2>&1
-			failure "ipsec startup"
-		exit 1
-	fi
-	tmp=/var/run/ipsec_setup.st
-	(
-		ipsec _realsetup $1
-		echo "$?" >$tmp
-	) 2>&1 | logger $LOGGERMINUSS -p $IPSECsyslog -t ipsec_setup 2>&1
-	st=`cat $tmp`
-	rm -f $tmp
-	if [ $st -ne 0 ]
-	then
-	    failure "ipsec startup"
-	fi
-	exit $st
-	;;
-
-  restart|--restart)
-	$0 stop
-	$0 start
-	;;
-
-  _autorestart)			# for internal use only
-	$0 _autostop
-	$0 _autostart
-	;;
-
-  status)
-	ipsec _realsetup $1
-	exit
-	;;
-
-  version)
-	echo "$me $IPSEC_VERSION"
-	exit 0
-	;;
-
-  help)
-	echo "Usage: $me {start|stop|restart|status}"
-	exit 0
-	;;
-
-  *)
-	echo "Usage: $me {start|stop|restart|status}" >&2
-	exit 2
-esac
-
-exit 0
diff --git a/strongswan.spec b/strongswan.spec
index c268c98..a1eb8e6 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,25 +1,36 @@
 #%%define Werror_cflags %nil
+%define _disable_ld_no_undefined 1
+%bcond_without	nm
 
-Summary:	StrongSWAN IPSEC implementation
+Summary:	IPSEC implementation
 Name:		strongswan
-Version:	5.0.1
-Release:	3
+Version:	5.1.1
+Release:	2
 License:	GPLv2+
-Group:		System/Servers
-Url:		http://www.strongswan.org/
+URL:		http://www.strongswan.org/
 Source0:	http://download.strongswan.org/%{name}-%{version}.tar.bz2
-Source1:	strongswan.init
-Patch0:		strongswan-4.5.2-format_not_a_string_literal_and_no_format_arguments.diff
-Patch1:		strongswan-5.0.1-rosa-link.patch
-BuildRequires:	intltool
-BuildRequires:	gmp-devel
-BuildRequires:	libfcgi-devel
-BuildRequires:	libldap-devel
-#BuildRequires:	opensc-devel
-BuildRequires:	pkgconfig(libcurl)
+
+Patch1:		strongswan-pts-ecp-disable.patch
+Patch2:		libstrongswan-plugin.patch
+Patch3:		libstrongswan-settings-debug.patch
+
+Group:		System/Servers
+
+BuildRequires:  gmp-devel
+BuildRequires:  curl-devel
+BuildRequires:  openldap-devel
+BuildRequires:  openssl-devel
+BuildRequires:  sqlite-devel
+BuildRequires:  gettext-devel
+BuildRequires:  trousers-devel
 BuildRequires:	pkgconfig(libxml-2.0)
-Requires:	%{_lib}opensc3
-Requires(post,preun):	rpm-helper
+BuildRequires:	pkgconfig(systemd)
+%if %{with nm}
+BuildRequires:	pkgconfig(NetworkManager)
+BuildRequires:	pkgconfig(libnm-glib-vpn)
+BuildRequires:	pkgconfig(libnm-util)
+BuildRequires:	pkgconfig(libnm-glib)
+%endif
 
 %description
 FreeS/WAN is a free implementation of IPSEC & IKE for Linux.  IPSEC is
@@ -33,61 +44,244 @@ tunnel is a virtual private network or VPN.
 This package contains the daemons and userland tools for setting up
 FreeS/WAN on a freeswan enabled kernel.
 
-%files
-%defattr(-,root,root,755)
-%doc AUTHORS TODO NEWS README LICENSE
-%attr(700,root,root) %dir %{_sysconfdir}/ipsec.d/
-%attr(700,root,root) %dir %{_sysconfdir}/ipsec.d/acerts
-%attr(700,root,root) %dir %{_sysconfdir}/ipsec.d/aacerts
-%attr(700,root,root) %dir %{_sysconfdir}/ipsec.d/ocspcerts
-%attr(700,root,root) %dir %{_sysconfdir}/ipsec.d/certs
-%attr(700,root,root) %dir %{_sysconfdir}/ipsec.d/cacerts
-%attr(700,root,root) %dir %{_sysconfdir}/ipsec.d/crls
-%attr(700,root,root) %dir %{_sysconfdir}/ipsec.d/private
-%config(noreplace) %{_sysconfdir}/ipsec.conf
-%{_initrddir}/ipsec
-%config(noreplace) %{_sysconfdir}/strongswan.conf
-%{_systemunitdir}/strongswan.service
-%{_libdir}/ipsec
-%{_mandir}/man*/*
-%{_sbindir}/ipsec
 
-%post
-%_post_service ipsec
+%if %{with nm}
+%package	charon-nm
+Summary:	NetworkManager plugin for Strongswan
+Group:		System/Servers
 
-%preun
-%_preun_service ipsec
+%description charon-nm
+NetworkManager plugin integrates a subset of Strongswan capabilities
+to NetworkManager.
+%endif
+
+%package	tnc-imcvs
+Summary:	Trusted network connect (TNC)'s IMC/IMV functionality
+Group:		System/Servers
+Requires:	%{name} = %{version}
+
+%description tnc-imcvs
+This package provides Trusted Network Connect's (TNC) IMC and IMV
+functionality. Specifically it includes PTS based IMC/IMV for TPM based
+remote attestation and scanner and test IMCs and IMVs. The Strongswan's
+IMC/IMV dynamic libraries can be used by any third party TNC Client/Server
+implementation possessing a standard IF-IMC/IMV interface.
 
-#----------------------------------------------------------------------------
 
 %prep
 %setup -q
-#patch0 -p0 -b .str
-%patch1 -p1 -b .link
-
-find . -name "Makefile*" -o -name "*.m4" |xargs sed -i -e 's,configure.in,configure.ac,g'
+%apply_patches
+echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.omv
 
 %build
-autoreconf -fi
-%serverbuild
 
-%configure2_5x \
-	--enable-smartcard \
-	--enable-cisco-quirks \
-	--enable-ldap \
-	--with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
-	--disable-static \
-	--with-systemdsystemunitdir=%{_systemunitdir}
+libtoolize --install --copy --force --automake
+aclocal -I m4
+autoconf
+autoheader
+automake --add-missing --copy
+
+%serverbuild
+%configure \
+    --disable-static \
+    --with-ipsec-script=%{name} \
+    --sysconfdir=%{_sysconfdir}/%{name} \
+    --with-ipsecdir=%{_libexecdir}/%{name} \
+    --with-ipseclibdir=%{_libdir}/%{name} \
+    --with-fips-mode=2 \
+    --with-tss=trousers \
+    --enable-openssl \
+    --enable-md4 \
+    --enable-xauth-eap \
+    --enable-eap-md5 \
+    --enable-eap-gtc \
+    --enable-eap-tls \
+    --enable-eap-ttls \
+    --enable-eap-peap \
+    --enable-eap-mschapv2 \
+    --enable-farp \
+    --enable-dhcp \
+    --enable-sqlite \
+    --enable-tnc-ifmap \
+    --enable-tnc-pdp \
+    --enable-imc-test \
+    --enable-imv-test \
+    --enable-imc-scanner \
+    --enable-imv-scanner  \
+    --enable-imc-attestation \
+    --enable-imv-attestation \
+    --enable-imv-os \
+    --enable-imc-os \
+    --enable-eap-tnc \
+    --enable-tnccs-20 \
+    --enable-tnccs-11 \
+    --enable-tnccs-dynamic \
+    --enable-tnc-imc \
+    --enable-tnc-imv \
+    --enable-eap-radius \
+    --enable-curl \
+    --enable-eap-identity \
+%if %{with nm}
+    --enable-nm \
+%endif
 
 %make
+sed -i 's/\t/    /' src/strongswan.conf src/starter/ipsec.conf
 
 %install
-install -d %{buildroot}%{_sysconfdir}/ipsec.d/{cacerts,crls,private,certs,acerts,aacerts,ocspcerts}
-install -d %{buildroot}%{_initrddir}
-install -d %{buildroot}/var/run/pluto
-
 %makeinstall_std
+# prefix man pages
+for i in %{buildroot}%{_mandir}/*/*; do
+    if echo "$i" | grep -vq '/%{name}[^\/]*$'; then
+        mv "$i" "`echo "$i" | sed -re 's|/([^/]+)$|/%{name}_\1|'`"
+    fi
+done
+# delete unwanted library files
+rm %{buildroot}%{_libdir}/%{name}/*.so
+find %{buildroot} -type f -name '*.la' -delete
+# fix config permissions
+chmod 644 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf
+# protect configuration from ordinary user's eyes
+chmod 700 %{buildroot}%{_sysconfdir}/%{name}
 
-# (fg) File is copied over here
-install -m0755 %{SOURCE1} %{buildroot}%{_initrddir}/ipsec
+# Create ipsec.d directory tree.
+install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d
+for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
+    install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d/${i}
+done
 
+%post
+%_post_service %{name}
+
+%preun
+%_preun_service %{name}
+
+#%postun
+#%_postun_userdel strongswan
+
+%files
+%doc README README.omv COPYING NEWS TODO
+%dir %{_sysconfdir}/%{name}
+%{_sysconfdir}/%{name}/ipsec.d/
+%config(noreplace) %{_sysconfdir}/%{name}/ipsec.conf
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%{_unitdir}/%{name}.service
+%{_libdir}/%{name}/libcharon.so.0
+%{_libdir}/%{name}/libcharon.so.0.0.0
+%{_libdir}/%{name}/libhydra.so.0
+%{_libdir}/%{name}/libhydra.so.0.0.0
+%{_libdir}/%{name}/libtls.so.0
+%{_libdir}/%{name}/libtls.so.0.0.0
+%{_libdir}/%{name}/libpttls.so.0
+%{_libdir}/%{name}/libpttls.so.0.0.0
+%{_libdir}/%{name}/lib%{name}.so.0
+%{_libdir}/%{name}/lib%{name}.so.0.0.0
+%dir %{_libdir}/%{name}/plugins
+%{_libdir}/%{name}/plugins/lib%{name}-aes.so
+%{_libdir}/%{name}/plugins/lib%{name}-attr.so
+%{_libdir}/%{name}/plugins/lib%{name}-cmac.so
+%{_libdir}/%{name}/plugins/lib%{name}-constraints.so
+%{_libdir}/%{name}/plugins/lib%{name}-des.so
+%{_libdir}/%{name}/plugins/lib%{name}-dnskey.so
+%{_libdir}/%{name}/plugins/lib%{name}-fips-prf.so
+%{_libdir}/%{name}/plugins/lib%{name}-gmp.so
+%{_libdir}/%{name}/plugins/lib%{name}-hmac.so
+%{_libdir}/%{name}/plugins/lib%{name}-kernel-netlink.so
+%{_libdir}/%{name}/plugins/lib%{name}-md5.so
+%{_libdir}/%{name}/plugins/lib%{name}-nonce.so
+%{_libdir}/%{name}/plugins/lib%{name}-openssl.so
+%{_libdir}/%{name}/plugins/lib%{name}-pem.so
+%{_libdir}/%{name}/plugins/lib%{name}-pgp.so
+%{_libdir}/%{name}/plugins/lib%{name}-pkcs1.so
+%{_libdir}/%{name}/plugins/lib%{name}-pkcs8.so
+%{_libdir}/%{name}/plugins/lib%{name}-pkcs12.so
+%{_libdir}/%{name}/plugins/lib%{name}-rc2.so
+%{_libdir}/%{name}/plugins/lib%{name}-sshkey.so
+%{_libdir}/%{name}/plugins/lib%{name}-pubkey.so
+%{_libdir}/%{name}/plugins/lib%{name}-random.so
+%{_libdir}/%{name}/plugins/lib%{name}-resolve.so
+%{_libdir}/%{name}/plugins/lib%{name}-revocation.so
+%{_libdir}/%{name}/plugins/lib%{name}-sha1.so
+%{_libdir}/%{name}/plugins/lib%{name}-sha2.so
+%{_libdir}/%{name}/plugins/lib%{name}-socket-default.so
+%{_libdir}/%{name}/plugins/lib%{name}-stroke.so
+%{_libdir}/%{name}/plugins/lib%{name}-updown.so
+%{_libdir}/%{name}/plugins/lib%{name}-x509.so
+%{_libdir}/%{name}/plugins/lib%{name}-xauth-generic.so
+%{_libdir}/%{name}/plugins/lib%{name}-xauth-eap.so
+%{_libdir}/%{name}/plugins/lib%{name}-xcbc.so
+%{_libdir}/%{name}/plugins/lib%{name}-md4.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-md5.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-gtc.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-tls.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-ttls.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-peap.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-mschapv2.so
+%{_libdir}/%{name}/plugins/lib%{name}-farp.so
+%{_libdir}/%{name}/plugins/lib%{name}-dhcp.so
+%{_libdir}/%{name}/plugins/lib%{name}-curl.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-identity.so
+%dir %{_libexecdir}/%{name}
+%{_libexecdir}/%{name}/_copyright
+%{_libexecdir}/%{name}/_updown
+%{_libexecdir}/%{name}/_updown_espmark
+%{_libexecdir}/%{name}/charon
+%{_libexecdir}/%{name}/openac
+%{_libexecdir}/%{name}/scepclient
+%{_libexecdir}/%{name}/starter
+%{_libexecdir}/%{name}/stroke
+%{_libexecdir}/%{name}/_imv_policy
+%{_libexecdir}/%{name}/imv_policy_manager
+%{_libexecdir}/%{name}/pt-tls-client
+%{_sbindir}/%{name}
+%{_bindir}/pki
+%{_mandir}/man5/%{name}.conf.5.*
+%{_mandir}/man1/%{name}*.1.*
+%{_mandir}/man5/%{name}_ipsec.conf.5.*
+%{_mandir}/man5/%{name}_ipsec.secrets.5.*
+%{_mandir}/man8/%{name}.8.*
+%{_mandir}/man8/%{name}__updown.8.*
+%{_mandir}/man8/%{name}__updown_espmark.8.*
+%{_mandir}/man8/%{name}_openac.8.*
+%{_mandir}/man8/%{name}_scepclient.8.*
+
+%files tnc-imcvs
+%{_libdir}/%{name}/libimcv.so.0
+%{_libdir}/%{name}/libimcv.so.0.0.0
+%{_libdir}/%{name}/libpts.so.0
+%{_libdir}/%{name}/libpts.so.0.0.0
+%{_libdir}/%{name}/libtnccs.so.0
+%{_libdir}/%{name}/libtnccs.so.0.0.0
+%{_libdir}/%{name}/libradius.so.0
+%{_libdir}/%{name}/libradius.so.0.0.0
+%dir %{_libdir}/%{name}/imcvs
+%{_libdir}/%{name}/imcvs/imc-attestation.so
+%{_libdir}/%{name}/imcvs/imc-scanner.so
+%{_libdir}/%{name}/imcvs/imc-test.so
+%{_libdir}/%{name}/imcvs/imc-os.so
+%{_libdir}/%{name}/imcvs/imv-attestation.so
+%{_libdir}/%{name}/imcvs/imv-scanner.so
+%{_libdir}/%{name}/imcvs/imv-test.so
+%{_libdir}/%{name}/imcvs/imv-os.so
+%dir %{_libdir}/%{name}/plugins
+%{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so
+%{_libdir}/%{name}/plugins/lib%{name}-sqlite.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-tnc.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnc-imc.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnc-imv.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnc-tnccs.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnccs-20.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnccs-11.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnccs-dynamic.so
+%{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnc-ifmap.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnc-pdp.so
+%dir %{_libexecdir}/%{name}
+%{_libexecdir}/%{name}/attest
+%{_libexecdir}/%{name}/pacman
+
+%if %{with nm}
+%files charon-nm
+%doc COPYING
+%{_libexecdir}/%{name}/charon-nm
+%endif