From 6000262f4705f83b72aacebebc985b974cb71c8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 16 Jan 2023 19:46:37 +0100
Subject: [PATCH] Use configure paths in manual pages (#2106120)

---
 strongswan-5.9.9-man-paths.patch | 348 +++++++++++++++++++++++++++++++
 strongswan.spec                  |  11 +-
 2 files changed, 358 insertions(+), 1 deletion(-)
 create mode 100644 strongswan-5.9.9-man-paths.patch

diff --git a/strongswan-5.9.9-man-paths.patch b/strongswan-5.9.9-man-paths.patch
new file mode 100644
index 0000000..9472c26
--- /dev/null
+++ b/strongswan-5.9.9-man-paths.patch
@@ -0,0 +1,348 @@
+From 111cbd3d2ca4385d326db333ee86843ada652663 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 16 Jan 2023 19:38:17 +0100
+Subject: [PATCH] Make manual paths follow build configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use build-configured paths in manual pages instead of default values.
+Makes easier customization to non-default values as done on Fedora for
+example.
+
+Squashed commit of the following:
+
+commit e99de2aee9f26e3ab97d88902308107d9f048acd
+Merge: 8effb06d6 29e324709
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Mon Jan 16 11:41:17 2023 +0100
+
+    Merge branch 'man-sysconfdir'
+
+    Closes strongswan/strongswan#1511
+
+commit 29e32470974aea614c2486c2982767bd62670063
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Mon Jan 16 11:39:29 2023 +0100
+
+    swanctl: Don't use hard-coded path to sysconfdir
+
+commit 1c0b14baa3c04606ad9357dfc658d11f0f96ca65
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Mon Jan 16 11:37:27 2023 +0100
+
+    conf: Add swanctl.conf and swanctl man pages to SEE ALSO
+
+commit 7e43a5f3d28424abfb648b7afd24e25a042efd24
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Mon Jan 16 11:35:42 2023 +0100
+
+    conf: Replace hard-coded /etc where appropriate
+
+    Also document the actual value of ${sysconfdir}.
+
+commit ee046552bb1f3c98d89837d58f7da7d83c8fbb82
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Sun Jan 15 16:55:45 2023 +0100
+
+    man: Use configured path for config files in man pages
+
+commit ab4ed21b5cb28eafbc29b09523b062bee159a0d0
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Sun Jan 15 16:17:07 2023 +0100
+
+    ipsec: Include IPSEC_CONFDIR variable replacement in man page
+
+    Fedora has chosena different default directory to avoid conflicts with
+    libreswan. Use ${sysconfdir} variable to provide the correct location.
+---
+ conf/options/charon.opt            |  4 ++--
+ conf/plugins/unbound.opt           |  2 +-
+ conf/strongswan.conf.5.tail.in     | 10 ++++++----
+ man/ipsec.conf.5.in                | 22 +++++++++++-----------
+ man/ipsec.secrets.5.in             |  8 ++++----
+ src/ipsec/Makefile.am              |  1 +
+ src/ipsec/_ipsec.8.in              | 20 ++++++++++----------
+ src/swanctl/swanctl.conf.5.tail.in |  2 +-
+ 8 files changed, 36 insertions(+), 33 deletions(-)
+
+diff --git a/conf/options/charon.opt b/conf/options/charon.opt
+index 00949222a..72efd17de 100644
+--- a/conf/options/charon.opt
++++ b/conf/options/charon.opt
+@@ -38,8 +38,8 @@ charon.cert_cache = yes
+ charon.cache_crls = no
+ 	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ 	be saved under a unique file name derived from the public key of the
+-	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+-	**/etc/swanctl/x509crl** (vici), respectively.
++	Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
++	**${sysconfdir}/swanctl/x509crl** (vici), respectively.
+ 
+ charon.check_current_path = no
+ 	Whether to use DPD to check if the current path still works after any
+diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
+index f8ca9ca12..007797310 100644
+--- a/conf/plugins/unbound.opt
++++ b/conf/plugins/unbound.opt
+@@ -1,7 +1,7 @@
+ charon.plugins.unbound.resolv_conf = /etc/resolv.conf
+ 	File to read DNS resolver configuration from.
+ 
+-charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
++charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys
+ 	File to read DNSSEC trust anchors from (usually root zone KSK).
+ 
+ 	File to read DNSSEC trust anchors from (usually root zone KSK). The format
+diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
+index baad476d1..74bbd8eec 100644
+--- a/conf/strongswan.conf.5.tail.in
++++ b/conf/strongswan.conf.5.tail.in
+@@ -458,6 +458,7 @@ The variables used above are configured as follows:
+ .na
+ ${piddir}               @piddir@
+ ${prefix}               @prefix@
++${sysconfdir}           @sysconfdir@
+ ${random_device}        @random_device@
+ ${urandom_device}       @urandom_device@
+ .ad
+@@ -467,18 +468,19 @@ ${urandom_device}       @urandom_device@
+ .
+ .nf
+ .na
+-/etc/strongswan.conf       configuration file
+-/etc/strongswan.d/         directory containing included config snippets
+-/etc/strongswan.d/charon/  plugin specific config snippets
++@sysconfdir@/strongswan.conf       configuration file
++@sysconfdir@/strongswan.d/         directory containing included config snippets
++@sysconfdir@/strongswan.d/charon/  plugin specific config snippets
+ .ad
+ .fi
+ .
+ .SH SEE ALSO
++\fBswanctl.conf\fR(5), \fBswanctl\fR(8),
+ \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+ 
+ .SH HISTORY
+ Written for the
+-.UR http://www.strongswan.org
++.UR https://www.strongswan.org
+ strongSwan project
+ .UE
+ by Tobias Brunner, Andreas Steffen and Martin Willi.
+diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
+index ced12680f..4e256538e 100644
+--- a/man/ipsec.conf.5.in
++++ b/man/ipsec.conf.5.in
+@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only).
+ .BR leftcert " = <path>"
+ the path to the left participant's X.509 certificate. The file can be encoded
+ either in PEM or DER format. OpenPGP certificates are supported as well.
+-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
++Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
+ are accepted. By default
+ .B leftcert
+ sets
+@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either
+ the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+ respectively.
+ Also accepted is the path to a file containing the public key in PEM, DER or SSH
+-encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
++encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
+ are accepted.
+ .TP
+ .BR leftsendcert " = never | no | " ifasked " | always | yes"
+@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID.
+ .SH "CA SECTIONS"
+ These are optional sections that can be used to assign special
+ parameters to a Certification Authority (CA). Because the daemons
+-automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
++automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP,
+ there is no need to explicitly add them with a CA section, unless you
+ want to assign special parameters (like a CRL) to a CA.
+ .TP
+@@ -1235,7 +1235,7 @@ currently can have either the value
+ .TP
+ .BR cacert " = <path>"
+ defines a path to the CA certificate either relative to
+-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
++\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path.
+ .br
+ A value in the form
+ .B %smartcard[<slot nr>[@<module>]]:<keyid>
+@@ -1284,7 +1284,7 @@ section are:
+ .BR cachecrls " = yes | " no
+ if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
+ be cached in
+-.I /etc/ipsec.d/crls/
++.I @sysconfdir@/ipsec.d/crls/
+ under a unique file name derived from the certification authority's public key.
+ .TP
+ .BR charondebug " = <debug list>"
+@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled.
+ 
+ .SH FILES
+ .nf
+-/etc/ipsec.conf
+-/etc/ipsec.d/aacerts
+-/etc/ipsec.d/acerts
+-/etc/ipsec.d/cacerts
+-/etc/ipsec.d/certs
+-/etc/ipsec.d/crls
++@sysconfdir@/ipsec.conf
++@sysconfdir@/ipsec.d/aacerts
++@sysconfdir@/ipsec.d/acerts
++@sysconfdir@/ipsec.d/cacerts
++@sysconfdir@/ipsec.d/certs
++@sysconfdir@/ipsec.d/crls
+ 
+ .SH SEE ALSO
+ strongswan.conf(5), ipsec.secrets(5), ipsec(8)
+diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
+index 15e36faff..c54e1a18b 100644
+--- a/man/ipsec.secrets.5.in
++++ b/man/ipsec.secrets.5.in
+@@ -15,7 +15,7 @@ Here is an example.
+ .LP
+ .RS
+ .nf
+-# /etc/ipsec.secrets - strongSwan IPsec secrets file
++# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file
+ 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
+ 
+ : RSA moonKey.pem
+@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data.
+ .TQ
+ .B : ECDSA <private key file> [ <passphrase> | %prompt ]
+ For the private key file both absolute paths or paths relative to
+-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
++\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is
+ encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+ .B %prompt
+ can be used which then causes the daemon to ask the user for the password
+@@ -148,7 +148,7 @@ whenever it is required to decrypt the key.
+ .TP
+ .B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+ For the PKCS#12 file both absolute paths or paths relative to
+-\fI/etc/ipsec.d/private\fP are accepted. If the container is
++\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is
+ encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+ .B %prompt
+ can be used which then causes the daemon to ask the user for the password
+@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code.
+ .LP
+ 
+ .SH FILES
+-/etc/ipsec.secrets
++@sysconfdir@/ipsec.secrets
+ .SH SEE ALSO
+ ipsec.conf(5), strongswan.conf(5), ipsec(8)
+ .br
+diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
+index 0ab9ab27c..656eba49b 100644
+--- a/src/ipsec/Makefile.am
++++ b/src/ipsec/Makefile.am
+@@ -10,6 +10,7 @@ _ipsec.8 : _ipsec.8.in
+ 	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
+ 	-e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
+ 	-e "s:@IPSEC_DIR@:$(ipsecdir):" \
++	-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
+ 	$(srcdir)/$@.in > $@
+ 
+ _ipsec : _ipsec.in
+diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
+index bfc4d50c2..de00d3075 100644
+--- a/src/ipsec/_ipsec.8.in
++++ b/src/ipsec/_ipsec.8.in
+@@ -145,25 +145,25 @@ locally by the IKE daemon or received via the IKE protocol.
+ .TP
+ .BI "listcacerts [" --utc ]
+ returns a list of X.509 Certification Authority (CA) certificates that were
+-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
++loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP
+ directory or received via the IKE protocol.
+ .
+ .TP
+ .BI "listaacerts [" --utc ]
+ returns a list of X.509 Authorization Authority (AA) certificates that were
+-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
++loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP
+ directory.
+ .
+ .TP
+ .BI "listocspcerts [" --utc ]
+ returns a list of X.509 OCSP Signer certificates that were either loaded
+-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
++locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
+ directory or were sent by an OCSP server.
+ .
+ .TP
+ .BI "listacerts [" --utc ]
+ returns a list of X.509 Attribute certificates that were loaded locally by
+-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
++the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory.
+ .
+ .TP
+ .BI "listgroups [" --utc ]
+@@ -179,7 +179,7 @@ sections in \fIipsec.conf\fP.
+ .TP
+ .BI "listcrls [" --utc ]
+ returns a list of Certificate Revocation Lists (CRLs) that were either loaded
+-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
++by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from
+ an HTTP- or LDAP-based CRL distribution point.
+ .
+ .TP
+@@ -211,7 +211,7 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
+ .TP
+ .B "rereadcacerts"
+ removes previously loaded CA certificates, reads all certificate files
+-contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
++contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list
+ of Certification Authority (CA) certificates. This does not affect certificates
+ explicitly defined in a
+ .BR ipsec.conf (5)
+@@ -220,23 +220,23 @@ ca section, which may be separately updated using the \fBupdate\fP command.
+ .TP
+ .B "rereadaacerts"
+ removes previously loaded AA certificates, reads all certificate files
+-contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
++contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list
+ of Authorization Authority (AA) certificates.
+ .
+ .TP
+ .B "rereadocspcerts"
+-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
++reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
+ directory and adds them to the list of OCSP signer certificates.
+ .
+ .TP
+ .B "rereadacerts"
+-reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
++reads all certificate files contained in the  \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP
+ directory and adds them to the list of attribute certificates.
+ .
+ .TP
+ .B "rereadcrls"
+ reads  all Certificate  Revocation Lists (CRLs) contained in the
+-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
++\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
+ .
+ .TP
+ .B "rereadall"
+diff --git a/src/swanctl/swanctl.conf.5.tail.in b/src/swanctl/swanctl.conf.5.tail.in
+index 4d24608da..036443843 100644
+--- a/src/swanctl/swanctl.conf.5.tail.in
++++ b/src/swanctl/swanctl.conf.5.tail.in
+@@ -2,7 +2,7 @@
+ .
+ .nf
+ .na
+-/etc/swanctl/swanctl.conf       configuration file
++@sysconfdir@/swanctl/swanctl.conf       configuration file
+ .ad
+ .fi
+ .
+-- 
+2.39.0
+
diff --git a/strongswan.spec b/strongswan.spec
index 2dbcb93..4a17976 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -16,7 +16,7 @@
 
 Name:           strongswan
 Version:        5.9.9
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            https://www.strongswan.org/
@@ -28,6 +28,9 @@ Source3:        tmpfiles-strongswan.conf
 Patch0:         strongswan-5.6.0-uintptr_t.patch
 # https://github.com/strongswan/strongswan/issues/1198
 Patch1:         strongswan-5.9.7-error-no-format.patch
+# https://github.com/strongswan/strongswan/pull/1511
+# https://github.com/strongswan/strongswan/commit/e99de2aee9f26e3ab97d88902308107d9f048acd
+Patch2:         strongswan-5.9.9-man-paths.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -255,6 +258,9 @@ for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
+# ensure manual page is regenerated with local configuration
+rm -f src/ipsec/_ipsec.8
+
 %make_build
 
 pushd src/libcharon/plugins/vici
@@ -413,6 +419,9 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif
 
 %changelog
+* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
+- Use configure paths in manual pages (#2106120)
+
 * Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
 - Update to 5.9.9 (#2157850)