Patch vici for NHRP

Include also github repository link in package to simplify upstream
changes tracking.

.gitignore

@@ -13,9 +13,3 @@
 /strongswan-5.9.8.tar.bz2.sig
 /strongswan-5.9.9.tar.bz2
 /strongswan-5.9.9.tar.bz2.sig
-/strongswan-5.9.10.tar.bz2
-/strongswan-5.9.10.tar.bz2.sig
-/strongswan-5.9.11.tar.bz2
-/strongswan-5.9.11.tar.bz2.sig
-/strongswan-5.9.14.tar.bz2
-/strongswan-5.9.14.tar.bz2.sig

0001-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -1,37 +1,115 @@
-From d917774f73954cc6367e73b775ff9ea115d6fd28 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
-Date: Tue, 9 Jul 2024 19:07:57 +0200
-Subject: [PATCH 1/4] charon: add optional source and remote overrides for
+From 84b1ee5c075b731618ff342ba4df94c3f9f2eaef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:41:58 +0300
+Subject: [PATCH 1/3] charon: add optional source and remote overrides for
  initiate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
 
 This introduces support for specifying optional IKE SA specific
 source and remote address for child sa initiation. This allows
 to initiate wildcard connection for known address via vici.
 
-In addition this allows simpler implementation of trap-any patches
+In addition this allows impler implementation of trap-any patches
 and is a prerequisite for dmvpn support.
----
- src/libcharon/control/controller.c        | 34 ++++++++++++++++--
- src/libcharon/control/controller.h        | 28 +++++++++++++++
- src/libcharon/plugins/vici/vici_control.c | 41 +++++++++++++++++----
- src/libcharon/sa/ike_sa_manager.c         | 34 +++++++++++++++++-
- src/libcharon/sa/ike_sa_manager.h         | 25 ++++++++++++-
- src/libcharon/sa/trap_manager.c           | 44 +++++++++--------------
- src/swanctl/commands/initiate.c           | 19 +++++++++-
- 7 files changed, 186 insertions(+), 39 deletions(-)
 
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ src/charon-cmd/cmd/cmd_connection.c           |  2 +-
+ src/charon-nm/nm/nm_service.c                 |  2 +-
+ src/conftest/actions.c                        |  2 +-
+ src/libcharon/control/controller.c            | 43 ++++++++++++-
+ src/libcharon/control/controller.h            |  3 +
+ .../plugins/load_tester/load_tester_control.c |  1 +
+ .../plugins/load_tester/load_tester_plugin.c  |  1 +
+ src/libcharon/plugins/medcli/medcli_config.c  |  3 +-
+ src/libcharon/plugins/smp/smp.c               |  3 +-
+ src/libcharon/plugins/stroke/stroke_control.c |  5 +-
+ src/libcharon/plugins/uci/uci_control.c       |  1 +
+ src/libcharon/plugins/vici/vici_config.c      |  2 +-
+ src/libcharon/plugins/vici/vici_control.c     | 61 ++++++++++++++++---
+ .../processing/jobs/initiate_mediation_job.c  |  1 +
+ .../processing/jobs/start_action_job.c        |  2 +-
+ src/libcharon/sa/ike_sa_manager.c             | 49 ++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.h             |  8 ++-
+ src/libcharon/sa/trap_manager.c               | 44 ++++++-------
+ src/swanctl/commands/initiate.c               | 40 +++++++++++-
+ 21 files changed, 226 insertions(+), 50 deletions(-)
+
+diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
+index 37d951951..d91eb951c 100644
+--- a/src/charon-cmd/cmd/cmd_connection.c
++++ b/src/charon-cmd/cmd/cmd_connection.c
+@@ -440,7 +440,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
+ 	child_cfg = create_child_cfg(this, peer_cfg);
+ 
+ 	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+-								controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
++								NULL, NULL, controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
+ 	{
+ 		terminate(pid);
+ 	}
+diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
+index 09107a76b..0b15a1835 100644
+--- a/src/charon-nm/nm/nm_service.c
++++ b/src/charon-nm/nm/nm_service.c
+@@ -883,7 +883,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
+ 	 * Prepare IKE_SA
+ 	 */
+ 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+-														peer_cfg);
++														peer_cfg, NULL, NULL);
+ 	peer_cfg->destroy(peer_cfg);
+ 	if (!ike_sa)
+ 	{
+diff --git a/src/conftest/actions.c b/src/conftest/actions.c
+index 66e41f743..64ef8e9ee 100644
+--- a/src/conftest/actions.c
++++ b/src/conftest/actions.c
+@@ -65,7 +65,7 @@ static job_requeue_t initiate(char *config)
+ 	{
+ 		DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
+ 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+-									 NULL, NULL, 0, FALSE);
++									 NULL, NULL, NULL, NULL, 0, FALSE);
+ 	}
+ 	else
+ 	{
 diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 027f48e937..ac4661a323 100644
+index cd25b28fe..36d6cd7be 100644
 --- a/src/libcharon/control/controller.c
 +++ b/src/libcharon/control/controller.c
-@@ -1,4 +1,6 @@
- /*
-+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
+@@ -15,6 +15,28 @@
+  * for more details.
+  */
+ 
++/*
 + * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
-  * Copyright (C) 2011-2023 Tobias Brunner
-  * Copyright (C) 2007-2011 Martin Willi
-  *
-@@ -107,6 +109,16 @@ struct interface_listener_t {
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
+ #include "controller.h"
+ 
+ #include <sys/types.h>
+@@ -102,6 +124,16 @@ struct interface_listener_t {
  	 */
  	ike_sa_t *ike_sa;
  
@@ -48,16 +126,15 @@ index 027f48e937..ac4661a323 100644
  	/**
  	 * unique ID, used for various methods
  	 */
-@@ -417,10 +429,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -414,10 +446,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  	ike_sa_t *ike_sa;
  	interface_listener_t *listener = &job->listener;
  	peer_cfg_t *peer_cfg = listener->peer_cfg;
 +	host_t *my_host = listener->my_host;
 +	host_t *other_host = listener->other_host;
  
--	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+ 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 -														peer_cfg);
-+	ike_sa = charon->ike_sa_manager->checkout_by_config2(charon->ike_sa_manager,
 +														peer_cfg, my_host, other_host);
  	peer_cfg->destroy(peer_cfg);
 +
@@ -67,23 +144,15 @@ index 027f48e937..ac4661a323 100644
  	if (!ike_sa)
  	{
  		DESTROY_IF(listener->child_cfg);
-@@ -501,6 +519,15 @@ METHOD(controller_t, initiate, status_t,
+@@ -492,6 +530,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+ 
+ METHOD(controller_t, initiate, status_t,
  	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
- 	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
- 	bool limits)
-+{
-+	return this->public.initiate2(&this->public, peer_cfg, child_cfg, NULL, NULL, callback, param, max_level, timeout, limits);
-+}
-+
-+METHOD(controller_t, initiate2, status_t,
-+	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 +	host_t *my_host, host_t *other_host,
-+	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
-+	bool limits)
+ 	controller_cb_t callback, void *param, u_int timeout, bool limits)
  {
  	interface_job_t *job;
- 	status_t status;
-@@ -523,6 +550,8 @@ METHOD(controller_t, initiate, status_t,
+@@ -514,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
  			.status = FAILED,
  			.child_cfg = child_cfg,
  			.peer_cfg = peer_cfg,
@@ -92,65 +161,161 @@ index 027f48e937..ac4661a323 100644
  			.lock = spinlock_create(),
  			.options.limits = limits,
  		},
-@@ -770,6 +799,7 @@ controller_t *controller_create(void)
- 		.public = {
- 			.create_ike_sa_enumerator = _create_ike_sa_enumerator,
- 			.initiate = _initiate,
-+			.initiate2 = _initiate2,
- 			.terminate_ike = _terminate_ike,
- 			.terminate_child = _terminate_child,
- 			.destroy = _destroy,
 diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index 36a1d46317..f5c60e2e72 100644
+index b4ccfced2..7a088b122 100644
 --- a/src/libcharon/control/controller.h
 +++ b/src/libcharon/control/controller.h
-@@ -98,6 +98,34 @@ struct controller_t {
- 						 controller_cb_t callback, void *param,
- 						 level_t max_level, u_int timeout, bool limits);
- 
-+	/**
-+	 * Initiate a CHILD_SA, and if required, an IKE_SA.
-+	 *
-+	 * If a callback is provided the function is synchronous and thus blocks
-+	 * until the IKE_SA is established or failed.
-+	 *
-+	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
-+	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
+@@ -79,6 +79,8 @@ struct controller_t {
+ 	 *
+ 	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
+ 	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
 +	 * @param my_host		optional address hint for source
 +	 * @param other_host		optional address hint for destination
-+	 * @param cb			logging callback
-+	 * @param param			parameter to include in each call of cb
-+	 * @param max_level		maximum log level for which cb is invoked
-+	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
-+	 * @param limits		whether to check limits regarding IKE_SA initiation
-+	 * @return
-+	 *						- SUCCESS, if CHILD_SA established
-+	 *						- FAILED, if setup failed
-+	 *						- NEED_MORE, if callback returned FALSE
-+	 *						- OUT_OF_RES if timed out
-+	 *						- INVALID_STATE if limits prevented initiation
-+	 */
-+	status_t (*initiate2)(controller_t *this,
-+						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ 	 * @param cb			logging callback
+ 	 * @param param			parameter to include in each call of cb
+ 	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
+@@ -92,6 +94,7 @@ struct controller_t {
+ 	 */
+ 	status_t (*initiate)(controller_t *this,
+ 						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 +						 host_t *my_host, host_t *other_host,
-+						 controller_cb_t callback, void *param,
-+						 level_t max_level, u_int timeout, bool limits);
-+
- 	/**
- 	 * Terminate an IKE_SA and all of its CHILD_SAs.
- 	 *
+ 						 controller_cb_t callback, void *param, u_int timeout,
+ 						 bool limits);
+ 
+diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
+index 8e89ab435..9dfd415ca 100644
+--- a/src/libcharon/plugins/load_tester/load_tester_control.c
++++ b/src/libcharon/plugins/load_tester/load_tester_control.c
+@@ -239,6 +239,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io)
+ 
+ 		switch (charon->controller->initiate(charon->controller,
+ 										peer_cfg, child_cfg->get_ref(child_cfg),
++										NULL, NULL,
+ 										(void*)initiate_cb, listener, 0, FALSE))
+ 		{
+ 			case NEED_MORE:
+diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
+index 961c10406..f59294d88 100644
+--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
++++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
+@@ -151,6 +151,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
+ 
+ 		charon->controller->initiate(charon->controller,
+ 					peer_cfg, child_cfg->get_ref(child_cfg),
++					NULL, NULL,
+ 					NULL, NULL, 0, FALSE);
+ 		if (s)
+ 		{
+diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
+index e88c11d3a..d4ce4f203 100644
+--- a/src/libcharon/plugins/medcli/medcli_config.c
++++ b/src/libcharon/plugins/medcli/medcli_config.c
+@@ -349,7 +349,8 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
+ 		peer_cfg->get_ref(peer_cfg);
+ 		enumerator->destroy(enumerator);
+ 		charon->controller->initiate(charon->controller,
+-									 peer_cfg, child_cfg, NULL, NULL, 0, FALSE);
++									 peer_cfg, child_cfg, NULL, NULL,
++									 NULL, NULL, 0, FALSE);
+ 	}
+ 	else
+ 	{
+diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
+index 2953a603b..f028406fb 100644
+--- a/src/libcharon/plugins/smp/smp.c
++++ b/src/libcharon/plugins/smp/smp.c
+@@ -493,7 +493,8 @@ static void request_control_initiate(xmlTextReaderPtr reader,
+ 			if (child)
+ 			{
+ 				status = charon->controller->initiate(charon->controller,
+-							peer, child, (controller_cb_t)xml_callback,
++							peer, child, NULL, NULL,
++							(controller_cb_t)xml_callback,
+ 							writer, 0, FALSE);
+ 			}
+ 			else
+diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
+index 8d84b934e..b00d0e62d 100644
+--- a/src/libcharon/plugins/stroke/stroke_control.c
++++ b/src/libcharon/plugins/stroke/stroke_control.c
+@@ -108,7 +108,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
+ 	if (msg->output_verbosity < 0)
+ 	{
+ 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+-									 NULL, NULL, 0, FALSE);
++									 NULL, NULL, NULL, NULL, 0, FALSE);
+ 	}
+ 	else
+ 	{
+@@ -116,7 +116,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
+ 		status_t status;
+ 
+ 		status = charon->controller->initiate(charon->controller,
+-							peer_cfg, child_cfg, (controller_cb_t)stroke_log,
++							peer_cfg, child_cfg, NULL, NULL,
++							(controller_cb_t)stroke_log,
+ 							&info, this->timeout, FALSE);
+ 		switch (status)
+ 		{
+diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
+index b6cfda082..115e0a82e 100644
+--- a/src/libcharon/plugins/uci/uci_control.c
++++ b/src/libcharon/plugins/uci/uci_control.c
+@@ -147,6 +147,7 @@ static void initiate(private_uci_control_t *this, char *name)
+ 		if (enumerator->enumerate(enumerator, &child_cfg) &&
+ 			charon->controller->initiate(charon->controller, peer_cfg,
+ 								child_cfg->get_ref(child_cfg),
++								NULL, NULL,
+ 								controller_cb_empty, NULL, 0, FALSE) == SUCCESS)
+ 		{
+ 			write_fifo(this, "connection '%s' established\n", name);
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index 3a783b822..ea9a5c6b2 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
++++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -2216,7 +2216,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+ 		DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
+ 		charon->controller->initiate(charon->controller,
+ 					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
+-					NULL, NULL, 0, FALSE);
++					NULL, NULL, NULL, NULL, 0, FALSE);
+ 	}
+ }
+ 
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 1c236d2491..932d0cb5a8 100644
+index 4c09b578d..4c00c2be5 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -1,4 +1,6 @@
- /*
-+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
+@@ -16,6 +16,28 @@
+  * for more details.
+  */
+ 
++/*
 + * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
-  * Copyright (C) 2015-2017 Tobias Brunner
-  * Copyright (C) 2014 Martin Willi
-  *
-@@ -173,9 +175,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
+ #include "vici_control.h"
+ #include "vici_builder.h"
+ 
+@@ -174,9 +196,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
  CALLBACK(initiate, vici_message_t*,
  	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
  {
@@ -163,7 +328,7 @@ index 1c236d2491..932d0cb5a8 100644
  	int timeout;
  	bool limits;
  	controller_cb_t log_cb = NULL;
-@@ -189,6 +194,8 @@ CALLBACK(initiate, vici_message_t*,
+@@ -190,6 +215,8 @@ CALLBACK(initiate, vici_message_t*,
  	timeout = request->get_int(request, 0, "timeout");
  	limits = request->get_bool(request, FALSE, "init-limits");
  	log.level = request->get_int(request, 1, "loglevel");
@@ -172,7 +337,7 @@ index 1c236d2491..932d0cb5a8 100644
  
  	if (!child && !ike)
  	{
-@@ -202,28 +209,48 @@ CALLBACK(initiate, vici_message_t*,
+@@ -203,28 +230,48 @@ CALLBACK(initiate, vici_message_t*,
  	type = child ? "CHILD_SA" : "IKE_SA";
  	sa = child ?: ike;
  
@@ -196,10 +361,10 @@ index 1c236d2491..932d0cb5a8 100644
 +		msg = send_reply(this, "%s config '%s' not found", type, sa);
 +		goto ret;
  	}
--	switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-+	switch (charon->controller->initiate2(charon->controller, peer_cfg, child_cfg,
-+										 my_host, other_host,
- 										 log_cb, &log, log.level, timeout, limits))
+ 	switch (charon->controller->initiate(charon->controller, peer_cfg,
+-									child_cfg, log_cb, &log, timeout, limits))
++				 child_cfg, my_host, other_host,
++				log_cb, &log, timeout, limits))
  	{
  		case SUCCESS:
 -			return send_reply(this, NULL);
@@ -227,34 +392,76 @@ index 1c236d2491..932d0cb5a8 100644
 +	return msg;
  }
  
- /**
+ CALLBACK(terminate, vici_message_t*,
+diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
+index 6a72499d3..eb0ad3846 100644
+--- a/src/libcharon/processing/jobs/initiate_mediation_job.c
++++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
+@@ -137,6 +137,7 @@ METHOD(job_t, initiate, job_requeue_t,
+ 		mediation_cfg->get_ref(mediation_cfg);
+ 
+ 		if (charon->controller->initiate(charon->controller, mediation_cfg, NULL,
++				NULL, NULL,
+ 				(controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS)
+ 		{
+ 			mediation_cfg->destroy(mediation_cfg);
+diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
+index 31e154a77..0371293b1 100644
+--- a/src/libcharon/processing/jobs/start_action_job.c
++++ b/src/libcharon/processing/jobs/start_action_job.c
+@@ -83,7 +83,7 @@ METHOD(job_t, execute, job_requeue_t,
+ 				charon->controller->initiate(charon->controller,
+ 											 peer_cfg->get_ref(peer_cfg),
+ 											 child_cfg->get_ref(child_cfg),
+-											 NULL, NULL, 0, FALSE);
++											 NULL, NULL, NULL, NULL, 0, FALSE);
+ 			}
+ 		}
+ 		children->destroy(children);
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 7763ae844e..cf53e9ae00 100644
+index fe615a6bc..5839f8827 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1,5 +1,7 @@
- /*
-  * Copyright (C) 2008-2022 Tobias Brunner
-+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
+@@ -17,6 +17,28 @@
+  * for more details.
+  */
+ 
++/*
 + * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
-  * Copyright (C) 2005-2011 Martin Willi
-  * Copyright (C) 2005 Jan Hutter
-  *
-@@ -1499,6 +1501,13 @@ typedef struct {
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
+ #include <string.h>
+ #include <inttypes.h>
+ 
+@@ -1495,7 +1517,8 @@ typedef struct {
+ } config_entry_t;
  
  METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
-+{
-+	return this->public.checkout_by_config2(&this->public, peer_cfg, NULL, NULL);
-+}
-+
-+METHOD(ike_sa_manager_t, checkout_by_config2, ike_sa_t*,
+-	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
 +	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg,
 +	host_t *my_host, host_t *other_host)
  {
  	enumerator_t *enumerator;
  	entry_t *entry;
-@@ -1509,7 +1518,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1506,7 +1529,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  	u_int segment;
  	int i;
  
@@ -272,7 +479,7 @@ index 7763ae844e..cf53e9ae00 100644
  
  	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
  	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
-@@ -1567,6 +1585,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1564,6 +1596,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  			continue;
  		}
  
@@ -288,7 +495,7 @@ index 7763ae844e..cf53e9ae00 100644
  		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
  		if (current_peer && current_peer->equals(current_peer, peer_cfg))
  		{
-@@ -1593,6 +1620,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1590,6 +1631,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  		{
  			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
  			checkout_new(this, ike_sa);
@@ -299,19 +506,11 @@ index 7763ae844e..cf53e9ae00 100644
  		}
  	}
  	charon->bus->set_sa(charon->bus, ike_sa);
-@@ -2558,6 +2589,7 @@ ike_sa_manager_t *ike_sa_manager_create()
- 			.checkout = _checkout,
- 			.checkout_by_message = _checkout_by_message,
- 			.checkout_by_config = _checkout_by_config,
-+			.checkout_by_config2 = _checkout_by_config2,
- 			.checkout_by_id = _checkout_by_id,
- 			.checkout_by_name = _checkout_by_name,
- 			.new_initiator_spi = _new_initiator_spi,
 diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
-index 004cc22168..d001f5a802 100644
+index d87ba2d68..ba4f2c7e7 100644
 --- a/src/libcharon/sa/ike_sa_manager.h
 +++ b/src/libcharon/sa/ike_sa_manager.h
-@@ -123,7 +123,8 @@ struct ike_sa_manager_t {
+@@ -122,7 +122,8 @@ struct ike_sa_manager_t {
  	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
  
  	/**
@@ -321,49 +520,34 @@ index 004cc22168..d001f5a802 100644
  	 *
  	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
  	 * This call checks for an existing IKE_SA by comparing the configuration.
-@@ -140,6 +141,28 @@ struct ike_sa_manager_t {
- 	 */
- 	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
- 
-+	/**
-+	 * Checkout an IKE_SA for initiation by a peer_config and optional
-+	 * source and remote host addresses.
-+	 *
-+	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
-+	 * This call checks for an existing IKE_SA by comparing the configuration.
-+	 * If the CHILD_SA can be created in an existing IKE_SA, the matching SA
-+	 * is returned.
-+	 * If no IKE_SA is found, a new one is created and registered in the
-+	 * manager. This is also the case when the found IKE_SA is in an unusable
-+	 * state (e.g. DELETING).
-+	 *
-+	 * @note The peer_config is always set on the returned IKE_SA.
-+	 *
-+	 * @param peer_cfg			configuration used to find an existing IKE_SA
+@@ -135,9 +136,12 @@ struct ike_sa_manager_t {
+ 	 * @note The peer_config is always set on the returned IKE_SA.
+ 	 *
+ 	 * @param peer_cfg			configuration used to find an existing IKE_SA
 +	 * @param my_host			source host address for wildcard peer_cfg
 +	 * @param other_host		remote host address for wildcard peer_cfg
-+	 * @return					checked out/created IKE_SA
-+	 */
-+	ike_sa_t *(*checkout_by_config2)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
+ 	 * @return					checked out/created IKE_SA
+ 	 */
+-	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
++	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
 +									 host_t *my_host, host_t *other_host);
-+
+ 
  	/**
  	 * Reset initiator SPI.
- 	 *
 diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 1b85c66a5b..bbc480c0cd 100644
+index e45c8ff3f..58a956a78 100644
 --- a/src/libcharon/sa/trap_manager.c
 +++ b/src/libcharon/sa/trap_manager.c
-@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
+@@ -522,7 +522,7 @@ METHOD(trap_manager_t, acquire, void,
  	peer_cfg_t *peer;
  	child_cfg_t *child;
  	ike_sa_t *ike_sa;
 -	host_t *host;
 +	host_t *host, *my_host = NULL, *other_host = NULL;
- 	uint32_t allocated_reqid;
  	bool wildcard, ignore = FALSE;
  
-@@ -603,36 +603,26 @@ METHOD(trap_manager_t, acquire, void,
+ 	this->lock->read_lock(this->lock);
+@@ -599,36 +599,26 @@ METHOD(trap_manager_t, acquire, void,
  	this->lock->unlock(this->lock);
  
  	if (wildcard)
@@ -408,7 +592,7 @@ index 1b85c66a5b..bbc480c0cd 100644
 +		data->src->to_subnet(data->src, &my_host, &mask);
 +		my_host->set_port(my_host, port);
  	}
-+	ike_sa = charon->ike_sa_manager->checkout_by_config2(
++	ike_sa = charon->ike_sa_manager->checkout_by_config(
 +											charon->ike_sa_manager, peer,
 +											my_host, other_host);
 +	if (my_host) my_host->destroy(my_host);
@@ -417,16 +601,39 @@ index 1b85c66a5b..bbc480c0cd 100644
  
  	if (ike_sa)
 diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
-index e0fffb907d..c0fc8c5952 100644
+index 8ade8bf41..03b2cb0f4 100644
 --- a/src/swanctl/commands/initiate.c
 +++ b/src/swanctl/commands/initiate.c
-@@ -1,4 +1,5 @@
- /*
+@@ -13,6 +13,28 @@
+  * for more details.
+  */
+ 
++/*
 + * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
-  * Copyright (C) 2014 Martin Willi
-  *
-  * Copyright (C) secunet Security Networks AG
-@@ -38,7 +39,7 @@ static int initiate(vici_conn_t *conn)
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
+ #include "command.h"
+ 
+ #include <errno.h>
+@@ -37,7 +59,7 @@ static int initiate(vici_conn_t *conn)
  	vici_req_t *req;
  	vici_res_t *res;
  	command_format_options_t format = COMMAND_FORMAT_NONE;
@@ -435,7 +642,7 @@ index e0fffb907d..c0fc8c5952 100644
  	int ret = 0, timeout = 0, level = 1;
  
  	while (TRUE)
-@@ -65,6 +66,12 @@ static int initiate(vici_conn_t *conn)
+@@ -64,6 +86,12 @@ static int initiate(vici_conn_t *conn)
  			case 'l':
  				level = atoi(arg);
  				continue;
@@ -448,7 +655,7 @@ index e0fffb907d..c0fc8c5952 100644
  			case EOF:
  				break;
  			default:
-@@ -88,6 +95,14 @@ static int initiate(vici_conn_t *conn)
+@@ -87,6 +115,14 @@ static int initiate(vici_conn_t *conn)
  	{
  		vici_add_key_valuef(req, "ike", "%s", ike);
  	}
@@ -463,7 +670,7 @@ index e0fffb907d..c0fc8c5952 100644
  	if (timeout)
  	{
  		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
-@@ -134,6 +149,8 @@ static void __attribute__ ((constructor))reg()
+@@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg()
  			{"help",		'h', 0, "show usage information"},
  			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
  			{"ike",			'i', 1, "initiate an IKE_SA, or name of child's parent"},
@@ -473,5 +680,5 @@ index e0fffb907d..c0fc8c5952 100644
  			{"raw",			'r', 0, "dump raw response message"},
  			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.49.0
+2.36.1
 

0002-vici-send-certificates-for-ike-sa-events.patch

@@ -1,7 +1,7 @@
-From f6210f6ab72ead26a24a8f231eee67948d3ca543 Mon Sep 17 00:00:00 2001
+From d357d62bf0661294e063cec94d48ca929f119351 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 2/4] vici: send certificates for ike-sa events
+Subject: [PATCH 2/3] vici: send certificates for ike-sa events
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -12,10 +12,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  1 file changed, 42 insertions(+), 8 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index bacb7b101e..19acc0789b 100644
+index c35f4e1a9..001631e99 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+@@ -403,7 +403,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
   * List details of an IKE_SA
   */
  static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,7 +24,7 @@ index bacb7b101e..19acc0789b 100644
  {
  	time_t t;
  	ike_sa_id_t *id;
-@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -412,6 +412,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	uint32_t if_id;
  	uint16_t alg, ks;
  	host_t *host;
@@ -33,7 +33,7 @@ index bacb7b101e..19acc0789b 100644
  
  	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
  	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -421,11 +423,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	b->add_kv(b, "local-host", "%H", host);
  	b->add_kv(b, "local-port", "%d", host->get_port(host));
  	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index bacb7b101e..19acc0789b 100644
  
  	eap = ike_sa->get_other_eap_id(ike_sa);
  
-@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -557,7 +591,7 @@ CALLBACK(list_sas, vici_message_t*,
  		b = vici_builder_create();
  		b->begin_section(b, ike_sa->get_name(ike_sa));
  
@@ -86,7 +86,7 @@ index bacb7b101e..19acc0789b 100644
  
  		b->begin_section(b, "child-sas");
  		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1775,7 +1809,7 @@ METHOD(listener_t, ike_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index bacb7b101e..19acc0789b 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1800,10 +1834,10 @@ METHOD(listener_t, ike_rekey, bool,
  	b = vici_builder_create();
  	b->begin_section(b, old->get_name(old));
  	b->begin_section(b, "old");
@@ -108,7 +108,7 @@ index bacb7b101e..19acc0789b 100644
  	b->end_section(b);
  	b->end_section(b);
  
-@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
+@@ -1834,7 +1868,7 @@ METHOD(listener_t, ike_update, bool,
  	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -117,7 +117,7 @@ index bacb7b101e..19acc0789b 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
+@@ -1864,7 +1898,7 @@ METHOD(listener_t, child_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -126,7 +126,7 @@ index bacb7b101e..19acc0789b 100644
  	b->begin_section(b, "child-sas");
  
  	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
-@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1899,7 +1933,7 @@ METHOD(listener_t, child_rekey, bool,
  	b = vici_builder_create();
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -136,5 +136,5 @@ index bacb7b101e..19acc0789b 100644
  
  	b->begin_section(b, old->get_name(old));
 -- 
-2.49.0
+2.36.1
 

0003-vici-add-support-for-individual-sa-state-changes.patch

@@ -1,7 +1,7 @@
-From effc140ed0ed5c7f1897c8abb6364d2d4789a4ee Mon Sep 17 00:00:00 2001
+From 0a5809a8807c5160ee86da2c1c1586b23d98f04e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 3/4] vici: add support for individual sa state changes
+Subject: [PATCH 3/3] vici: add support for individual sa state changes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -14,10 +14,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  1 file changed, 106 insertions(+)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 19acc0789b..fa1aca9536 100644
+index 001631e99..8010d8da8 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1775,8 +1775,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
  	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
@@ -34,7 +34,7 @@ index 19acc0789b..fa1aca9536 100644
  	manage_command(this, "list-sas", list_sas, reg);
  	manage_command(this, "list-policies", list_policies, reg);
  	manage_command(this, "list-conns", list_conns, reg);
-@@ -1876,6 +1884,46 @@ METHOD(listener_t, ike_update, bool,
+@@ -1877,6 +1885,46 @@ METHOD(listener_t, ike_update, bool,
  	return TRUE;
  }
  
@@ -81,7 +81,7 @@ index 19acc0789b..fa1aca9536 100644
  METHOD(listener_t, child_updown, bool,
  	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
  {
-@@ -1955,6 +2003,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1956,6 +2004,62 @@ METHOD(listener_t, child_rekey, bool,
  	return TRUE;
  }
  
@@ -144,7 +144,7 @@ index 19acc0789b..fa1aca9536 100644
  METHOD(vici_query_t, destroy, void,
  	private_vici_query_t *this)
  {
-@@ -1975,8 +2079,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -1976,8 +2080,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
  				.ike_updown = _ike_updown,
  				.ike_rekey = _ike_rekey,
  				.ike_update = _ike_update,
@@ -156,5 +156,5 @@ index 19acc0789b..fa1aca9536 100644
  			.destroy = _destroy,
  		},
 -- 
-2.49.0
+2.36.1
 

0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch

@@ -1,286 +0,0 @@
-From 7f32aed540533e50fa05486df471ef3c19879324 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
-Date: Sun, 21 Jan 2024 03:11:32 +0100
-Subject: [PATCH 4/4] Support GRE key in selectors with kernel-netlink.
-
-Implementation use two 2-byte port fields (from/to range) to store key
-similar to ICMP.
----
- .../kernel_netlink/kernel_netlink_ipsec.c     | 19 +++++++++++++
- .../plugins/load_tester/load_tester_config.c  | 22 ++++++++++++++-
- src/libcharon/plugins/stroke/stroke_config.c  | 22 ++++++++++++++-
- src/libcharon/plugins/vici/vici_config.c      | 27 ++++++++++++++++++-
- .../selectors/traffic_selector.c              | 20 ++++++++++++++
- .../selectors/traffic_selector.h              | 12 +++++++++
- src/starter/confread.c                        | 24 ++++++++++++++++-
- src/swanctl/swanctl.opt                       |  3 +++
- 8 files changed, 145 insertions(+), 4 deletions(-)
-
-diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index db0b2ac37a..d4f9571817 100644
---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -864,6 +864,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
- {
- 	struct xfrm_selector sel;
- 	uint16_t port;
-+	uint32_t gre_key;
- 
- 	memset(&sel, 0, sizeof(sel));
- 	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-@@ -884,6 +885,24 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
- 		sel.dport = htons(traffic_selector_icmp_code(port));
- 		sel.dport_mask = sel.dport ? ~0 : 0;
- 	}
-+	if (sel.proto == IPPROTO_GRE)
-+	{
-+		/* the kernel expects the GRE key in the source and destination
-+		 * port fields, respectively. */
-+		gre_key = htons(traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
-+		if ( gre_key != 0 )
-+		{
-+			sel.sport = gre_key >> 16;
-+			sel.sport_mask = ~0;
-+			sel.dport = gre_key & 0xffff;
-+			sel.dport_mask = ~0;
-+		} else {
-+			sel.sport = 0;
-+			sel.sport_mask = 0;
-+			sel.dport = 0;
-+			sel.dport_mask = 0;
-+		}
-+	}
- 	sel.ifindex = interface ? if_nametoindex(interface) : 0;
- 	sel.user = 0;
- 
-diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
-index 58e1cd98a0..f20fdae522 100644
---- a/src/libcharon/plugins/load_tester/load_tester_config.c
-+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
-@@ -498,7 +498,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
- 			*protocol = (uint8_t)p;
- 		}
- 	}
--	if (streq(port, "%any"))
-+	if (*protocol == IPPROTO_GRE)
-+	{
-+		if (*port && !streq(port, "%any"))
-+		{
-+			p = strtol(port, &endptr, 0);
-+			if (p < 0 || p > 0xffffffff)
-+			{
-+				return FALSE;
-+			}
-+			*from_port = (p >> 16) & 0xffff;
-+			*to_port = p & 0xffff;
-+			if (*endptr)
-+			{
-+				return FALSE;
-+			}
-+		} else {
-+			*from_port = 0;
-+			*to_port = 0;
-+		}
-+	}
-+	else if (streq(port, "%any"))
- 	{
- 		*from_port = 0;
- 		*to_port = 0xffff;
-diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
-index 55db379ffe..b4340b8d1b 100644
---- a/src/libcharon/plugins/stroke/stroke_config.c
-+++ b/src/libcharon/plugins/stroke/stroke_config.c
-@@ -927,7 +927,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
- 			*protocol = (uint8_t)p;
- 		}
- 	}
--	if (streq(port, "%any"))
-+	if (*protocol == IPPROTO_GRE)
-+	{
-+		if (*port && !streq(port, "%any"))
-+		{
-+			p = strtol(port, &endptr, 0);
-+			if (p < 0 || p > 0xffffffff)
-+			{
-+				return FALSE;
-+			}
-+			*from_port = (p >> 16) & 0xffff;
-+			*to_port = p & 0xffff;
-+			if (*endptr)
-+				return FALSE;
-+		}
-+		else
-+		{
-+			*from_port = 0;
-+			*to_port = 0;
-+		}
-+	}
-+	else if (streq(port, "%any"))
- 	{
- 		*from_port = 0;
- 		*to_port = 0xffff;
-diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index c858e9945c..24a254689b 100644
---- a/src/libcharon/plugins/vici/vici_config.c
-+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -715,7 +715,27 @@ CALLBACK(parse_ts, bool,
- 				proto = (uint8_t)p;
- 			}
- 		}
--		if (streq(port, "opaque"))
-+		if (proto == IPPROTO_GRE)
-+		{
-+			if (*port && !streq(port, "any"))
-+			{
-+				p = strtol(port, &end, 0);
-+				if (p < 0 || p > 0xffffffff)
-+				{
-+					return FALSE;
-+				}
-+				from = (p >> 16) & 0xffff;
-+				to = p & 0xffff;
-+				if (*end)
-+				{
-+					return FALSE;
-+				}
-+			} else {
-+				from = 0;
-+				to = 0;
-+			}
-+		}
-+		else if (streq(port, "opaque"))
- 		{
- 			from = 0xffff;
- 			to = 0;
-@@ -752,6 +772,11 @@ CALLBACK(parse_ts, bool,
- 			}
- 		}
- 	}
-+	else if (proto == IPPROTO_GRE)
-+	{
-+		from = 0;
-+		to = 0;
-+	}
- 	if (streq(buf, "dynamic"))
- 	{
- 		ts = traffic_selector_create_dynamic(proto, from, to);
-diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
-index fe61e3768b..09757ec36f 100644
---- a/src/libstrongswan/selectors/traffic_selector.c
-+++ b/src/libstrongswan/selectors/traffic_selector.c
-@@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
- 	return print_in_hook(data, "%d", type);
- }
- 
-+/**
-+ * Print GRE key
-+ */
-+static int print_gre(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
-+{
-+	uint32_t gre_key;
-+
-+	gre_key = traffic_selector_gre_key(from_port, to_port);
-+
-+	return print_in_hook(data, "%d", gre_key);
-+}
-+
- /**
-  * Described in header.
-  */
-@@ -319,6 +331,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
- 			{
- 				written += print_icmp(data, this->from_port);
- 			}
-+			else if (this->protocol == IPPROTO_GRE)
-+			{
-+				written += print_gre(data, this->from_port, this->to_port);
-+			}
- 			else
- 			{
- 				serv = getservbyport(htons(this->from_port), serv_proto);
-@@ -332,6 +348,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
- 				}
- 			}
- 		}
-+		else if (this->protocol == IPPROTO_GRE)
-+		{
-+			written += print_gre(data, this->from_port, this->to_port);
-+		}
- 		else if (is_opaque(this))
- 		{
- 			written += print_in_hook(data, "OPAQUE");
-diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
-index 367b4fff94..b7010e4a73 100644
---- a/src/libstrongswan/selectors/traffic_selector.h
-+++ b/src/libstrongswan/selectors/traffic_selector.h
-@@ -272,6 +272,18 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
- 	return port & 0xff;
- }
- 
-+/**
-+ * Extract the GRE key from a source and destination port in host order
-+ *
-+ * @param from_port		port number in host order
-+ * @param to_port		port number in host order
-+ * @return				GRE key
-+ */
-+static inline uint8_t traffic_selector_gre_key(uint16_t from_port, uint16_t to_port)
-+{
-+	return (from_port & 0xffff) << 16 | (to_port & 0xffff);
-+}
-+
- /**
-  * Compare two traffic selectors, usable as sort function
-  *
-diff --git a/src/starter/confread.c b/src/starter/confread.c
-index 5065bc369f..039b6f402b 100644
---- a/src/starter/confread.c
-+++ b/src/starter/confread.c
-@@ -325,7 +325,29 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
- 					end->protocol = (uint8_t)p;
- 				}
- 			}
--			if (streq(port, "%any"))
-+			if (end->protocol == IPPROTO_GRE)
-+			{
-+				if (*port && !streq(port, "%any"))
-+				{
-+					p = strtol(port, &endptr, 0);
-+					if (p < 0 || p > 0xffffffff)
-+					{
-+						DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
-+						goto err;
-+					}
-+					end->from_port = (p >> 16) & 0xffff;
-+					end->to_port = p & 0xffff;
-+					if (*endptr)
-+					{
-+						DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
-+						goto err;
-+					}
-+				} else {
-+					end->from_port = 0;
-+					end->to_port = 0;
-+				}
-+			}
-+			else if (streq(port, "%any"))
- 			{
- 				end->from_port = 0;
- 				end->to_port = 0xffff;
-diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
-index d9fd949ed1..1d63dadb89 100644
---- a/src/swanctl/swanctl.opt
-+++ b/src/swanctl/swanctl.opt
-@@ -765,6 +765,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
- 	value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
- 	as well, none of the kernel backends currently support port ranges, though.
- 
-+	If protocol is restricted to GRE, port restriction specifies GRE key
-+	in 32 bit numeric form eg. dynamic[gre/100].
-+
- 	When IKEv1 is used only the first selector is interpreted, except if
- 	the Cisco Unity extension plugin is used. This is due to a limitation of the
- 	IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
--- 
-2.49.0
-

sources

@@ -1,2 +1,2 @@
-SHA512 (strongswan-5.9.14.tar.bz2) = e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
-SHA512 (strongswan-5.9.14.tar.bz2.sig) = 1b3d57448caab91060fe3d209d90708c57dbf35ae62c97574107b32677cff73f13f7545dc91682ef84400bb8a2f105a1761aba8334763dc8c35d97be7921c242
+SHA512 (strongswan-5.9.9.tar.bz2) = 7f5d94527193ce7716292f30db75303a0594169647e41e8c9530a7dedd914ad7fecf94885356738fd54d3781a066fa591c621d531923b20780b1fca76ad7bd46
+SHA512 (strongswan-5.9.9.tar.bz2.sig) = b2aba6e7cf1add4cf1c891dbd77e658d338c80abb2a1c6efcf5a23c65ff71d6b63857daa6613fae21b4d23adc0ef0df9d6e245198cd799bdf5534da097050d0e

strongswan-5.9.9-man-paths.patch

@@ -0,0 +1,348 @@
+From 111cbd3d2ca4385d326db333ee86843ada652663 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 16 Jan 2023 19:38:17 +0100
+Subject: [PATCH] Make manual paths follow build configuration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use build-configured paths in manual pages instead of default values.
+Makes easier customization to non-default values as done on Fedora for
+example.
+
+Squashed commit of the following:
+
+commit e99de2aee9f26e3ab97d88902308107d9f048acd
+Merge: 8effb06d6 29e324709
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Mon Jan 16 11:41:17 2023 +0100
+
+    Merge branch 'man-sysconfdir'
+
+    Closes strongswan/strongswan#1511
+
+commit 29e32470974aea614c2486c2982767bd62670063
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Mon Jan 16 11:39:29 2023 +0100
+
+    swanctl: Don't use hard-coded path to sysconfdir
+
+commit 1c0b14baa3c04606ad9357dfc658d11f0f96ca65
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Mon Jan 16 11:37:27 2023 +0100
+
+    conf: Add swanctl.conf and swanctl man pages to SEE ALSO
+
+commit 7e43a5f3d28424abfb648b7afd24e25a042efd24
+Author: Tobias Brunner <tobias@strongswan.org>
+Date:   Mon Jan 16 11:35:42 2023 +0100
+
+    conf: Replace hard-coded /etc where appropriate
+
+    Also document the actual value of ${sysconfdir}.
+
+commit ee046552bb1f3c98d89837d58f7da7d83c8fbb82
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Sun Jan 15 16:55:45 2023 +0100
+
+    man: Use configured path for config files in man pages
+
+commit ab4ed21b5cb28eafbc29b09523b062bee159a0d0
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Sun Jan 15 16:17:07 2023 +0100
+
+    ipsec: Include IPSEC_CONFDIR variable replacement in man page
+
+    Fedora has chosena different default directory to avoid conflicts with
+    libreswan. Use ${sysconfdir} variable to provide the correct location.
+---
+ conf/options/charon.opt            |  4 ++--
+ conf/plugins/unbound.opt           |  2 +-
+ conf/strongswan.conf.5.tail.in     | 10 ++++++----
+ man/ipsec.conf.5.in                | 22 +++++++++++-----------
+ man/ipsec.secrets.5.in             |  8 ++++----
+ src/ipsec/Makefile.am              |  1 +
+ src/ipsec/_ipsec.8.in              | 20 ++++++++++----------
+ src/swanctl/swanctl.conf.5.tail.in |  2 +-
+ 8 files changed, 36 insertions(+), 33 deletions(-)
+
+diff --git a/conf/options/charon.opt b/conf/options/charon.opt
+index 00949222a..72efd17de 100644
+--- a/conf/options/charon.opt
++++ b/conf/options/charon.opt
+@@ -38,8 +38,8 @@ charon.cert_cache = yes
+ charon.cache_crls = no
+ 	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ 	be saved under a unique file name derived from the public key of the
+-	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+-	**/etc/swanctl/x509crl** (vici), respectively.
++	Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
++	**${sysconfdir}/swanctl/x509crl** (vici), respectively.
+ 
+ charon.check_current_path = no
+ 	Whether to use DPD to check if the current path still works after any
+diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
+index f8ca9ca12..007797310 100644
+--- a/conf/plugins/unbound.opt
++++ b/conf/plugins/unbound.opt
+@@ -1,7 +1,7 @@
+ charon.plugins.unbound.resolv_conf = /etc/resolv.conf
+ 	File to read DNS resolver configuration from.
+ 
+-charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
++charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys
+ 	File to read DNSSEC trust anchors from (usually root zone KSK).
+ 
+ 	File to read DNSSEC trust anchors from (usually root zone KSK). The format
+diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
+index baad476d1..74bbd8eec 100644
+--- a/conf/strongswan.conf.5.tail.in
++++ b/conf/strongswan.conf.5.tail.in
+@@ -458,6 +458,7 @@ The variables used above are configured as follows:
+ .na
+ ${piddir}               @piddir@
+ ${prefix}               @prefix@
++${sysconfdir}           @sysconfdir@
+ ${random_device}        @random_device@
+ ${urandom_device}       @urandom_device@
+ .ad
+@@ -467,18 +468,19 @@ ${urandom_device}       @urandom_device@
+ .
+ .nf
+ .na
+-/etc/strongswan.conf       configuration file
+-/etc/strongswan.d/         directory containing included config snippets
+-/etc/strongswan.d/charon/  plugin specific config snippets
++@sysconfdir@/strongswan.conf       configuration file
++@sysconfdir@/strongswan.d/         directory containing included config snippets
++@sysconfdir@/strongswan.d/charon/  plugin specific config snippets
+ .ad
+ .fi
+ .
+ .SH SEE ALSO
++\fBswanctl.conf\fR(5), \fBswanctl\fR(8),
+ \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
+ 
+ .SH HISTORY
+ Written for the
+-.UR http://www.strongswan.org
++.UR https://www.strongswan.org
+ strongSwan project
+ .UE
+ by Tobias Brunner, Andreas Steffen and Martin Willi.
+diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
+index ced12680f..4e256538e 100644
+--- a/man/ipsec.conf.5.in
++++ b/man/ipsec.conf.5.in
+@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only).
+ .BR leftcert " = <path>"
+ the path to the left participant's X.509 certificate. The file can be encoded
+ either in PEM or DER format. OpenPGP certificates are supported as well.
+-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
++Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
+ are accepted. By default
+ .B leftcert
+ sets
+@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either
+ the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+ respectively.
+ Also accepted is the path to a file containing the public key in PEM, DER or SSH
+-encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
++encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
+ are accepted.
+ .TP
+ .BR leftsendcert " = never | no | " ifasked " | always | yes"
+@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID.
+ .SH "CA SECTIONS"
+ These are optional sections that can be used to assign special
+ parameters to a Certification Authority (CA). Because the daemons
+-automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
++automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP,
+ there is no need to explicitly add them with a CA section, unless you
+ want to assign special parameters (like a CRL) to a CA.
+ .TP
+@@ -1235,7 +1235,7 @@ currently can have either the value
+ .TP
+ .BR cacert " = <path>"
+ defines a path to the CA certificate either relative to
+-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
++\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path.
+ .br
+ A value in the form
+ .B %smartcard[<slot nr>[@<module>]]:<keyid>
+@@ -1284,7 +1284,7 @@ section are:
+ .BR cachecrls " = yes | " no
+ if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
+ be cached in
+-.I /etc/ipsec.d/crls/
++.I @sysconfdir@/ipsec.d/crls/
+ under a unique file name derived from the certification authority's public key.
+ .TP
+ .BR charondebug " = <debug list>"
+@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled.
+ 
+ .SH FILES
+ .nf
+-/etc/ipsec.conf
+-/etc/ipsec.d/aacerts
+-/etc/ipsec.d/acerts
+-/etc/ipsec.d/cacerts
+-/etc/ipsec.d/certs
+-/etc/ipsec.d/crls
++@sysconfdir@/ipsec.conf
++@sysconfdir@/ipsec.d/aacerts
++@sysconfdir@/ipsec.d/acerts
++@sysconfdir@/ipsec.d/cacerts
++@sysconfdir@/ipsec.d/certs
++@sysconfdir@/ipsec.d/crls
+ 
+ .SH SEE ALSO
+ strongswan.conf(5), ipsec.secrets(5), ipsec(8)
+diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
+index 15e36faff..c54e1a18b 100644
+--- a/man/ipsec.secrets.5.in
++++ b/man/ipsec.secrets.5.in
+@@ -15,7 +15,7 @@ Here is an example.
+ .LP
+ .RS
+ .nf
+-# /etc/ipsec.secrets - strongSwan IPsec secrets file
++# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file
+ 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
+ 
+ : RSA moonKey.pem
+@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data.
+ .TQ
+ .B : ECDSA <private key file> [ <passphrase> | %prompt ]
+ For the private key file both absolute paths or paths relative to
+-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
++\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is
+ encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+ .B %prompt
+ can be used which then causes the daemon to ask the user for the password
+@@ -148,7 +148,7 @@ whenever it is required to decrypt the key.
+ .TP
+ .B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
+ For the PKCS#12 file both absolute paths or paths relative to
+-\fI/etc/ipsec.d/private\fP are accepted. If the container is
++\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is
+ encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
+ .B %prompt
+ can be used which then causes the daemon to ask the user for the password
+@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code.
+ .LP
+ 
+ .SH FILES
+-/etc/ipsec.secrets
++@sysconfdir@/ipsec.secrets
+ .SH SEE ALSO
+ ipsec.conf(5), strongswan.conf(5), ipsec(8)
+ .br
+diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
+index 0ab9ab27c..656eba49b 100644
+--- a/src/ipsec/Makefile.am
++++ b/src/ipsec/Makefile.am
+@@ -10,6 +10,7 @@ _ipsec.8 : _ipsec.8.in
+ 	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
+ 	-e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
+ 	-e "s:@IPSEC_DIR@:$(ipsecdir):" \
++	-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
+ 	$(srcdir)/$@.in > $@
+ 
+ _ipsec : _ipsec.in
+diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
+index bfc4d50c2..de00d3075 100644
+--- a/src/ipsec/_ipsec.8.in
++++ b/src/ipsec/_ipsec.8.in
+@@ -145,25 +145,25 @@ locally by the IKE daemon or received via the IKE protocol.
+ .TP
+ .BI "listcacerts [" --utc ]
+ returns a list of X.509 Certification Authority (CA) certificates that were
+-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
++loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP
+ directory or received via the IKE protocol.
+ .
+ .TP
+ .BI "listaacerts [" --utc ]
+ returns a list of X.509 Authorization Authority (AA) certificates that were
+-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
++loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP
+ directory.
+ .
+ .TP
+ .BI "listocspcerts [" --utc ]
+ returns a list of X.509 OCSP Signer certificates that were either loaded
+-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
++locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
+ directory or were sent by an OCSP server.
+ .
+ .TP
+ .BI "listacerts [" --utc ]
+ returns a list of X.509 Attribute certificates that were loaded locally by
+-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
++the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory.
+ .
+ .TP
+ .BI "listgroups [" --utc ]
+@@ -179,7 +179,7 @@ sections in \fIipsec.conf\fP.
+ .TP
+ .BI "listcrls [" --utc ]
+ returns a list of Certificate Revocation Lists (CRLs) that were either loaded
+-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
++by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from
+ an HTTP- or LDAP-based CRL distribution point.
+ .
+ .TP
+@@ -211,7 +211,7 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
+ .TP
+ .B "rereadcacerts"
+ removes previously loaded CA certificates, reads all certificate files
+-contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
++contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list
+ of Certification Authority (CA) certificates. This does not affect certificates
+ explicitly defined in a
+ .BR ipsec.conf (5)
+@@ -220,23 +220,23 @@ ca section, which may be separately updated using the \fBupdate\fP command.
+ .TP
+ .B "rereadaacerts"
+ removes previously loaded AA certificates, reads all certificate files
+-contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
++contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list
+ of Authorization Authority (AA) certificates.
+ .
+ .TP
+ .B "rereadocspcerts"
+-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
++reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
+ directory and adds them to the list of OCSP signer certificates.
+ .
+ .TP
+ .B "rereadacerts"
+-reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
++reads all certificate files contained in the  \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP
+ directory and adds them to the list of attribute certificates.
+ .
+ .TP
+ .B "rereadcrls"
+ reads  all Certificate  Revocation Lists (CRLs) contained in the
+-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
++\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
+ .
+ .TP
+ .B "rereadall"
+diff --git a/src/swanctl/swanctl.conf.5.tail.in b/src/swanctl/swanctl.conf.5.tail.in
+index 4d24608da..036443843 100644
+--- a/src/swanctl/swanctl.conf.5.tail.in
++++ b/src/swanctl/swanctl.conf.5.tail.in
+@@ -2,7 +2,7 @@
+ .
+ .nf
+ .na
+-/etc/swanctl/swanctl.conf       configuration file
++@sysconfdir@/swanctl/swanctl.conf       configuration file
+ .ad
+ .fi
+ .
+-- 
+2.39.0
+

strongswan.spec

@@ -1,6 +1,6 @@
 %global _hardened_build 1
 #%%define prerelease dr1
-%global dist .nhrp.11%{?dist}
+%global dist .nhrp.9%{?dist}
 
 %bcond_without python3
 %bcond_without perl
@@ -16,11 +16,10 @@
 %global forgeurl0 https://github.com/strongswan/strongswan
 
 Name:           strongswan
-Version:        5.9.14
-Release:        5%{?dist}
+Version:        5.9.9
+Release:        2%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
-# Automatically converted from old format: GPLv2+ - review is highly recommended.
-License:        GPL-2.0-or-later
+License:        GPLv2+
 URL:            https://www.strongswan.org/
 VCS:            git:%{forgeurl0}
 Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
@@ -30,11 +29,13 @@ Source3:        tmpfiles-strongswan.conf
 Patch0:         strongswan-5.6.0-uintptr_t.patch
 # https://github.com/strongswan/strongswan/issues/1198
 Patch1:         strongswan-5.9.7-error-no-format.patch
+# https://github.com/strongswan/strongswan/pull/1511
+# https://github.com/strongswan/strongswan/commit/e99de2aee9f26e3ab97d88902308107d9f048acd
+Patch2:         strongswan-5.9.9-man-paths.patch
 
 Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
 Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
-Patch13:        0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -48,10 +49,6 @@ BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
-%if 0%{?fedora} >= 41
-# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
-BuildRequires:  openssl-devel-engine
-%endif
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
 BuildRequires:  libxml2-devel
@@ -70,7 +67,7 @@ BuildRequires:  python3-pytest
 %endif
 
 %if %{with perl}
-BuildRequires:  perl-devel perl-generators
+BuildRequires:  perl-devel perl-macros
 BuildRequires:  perl(ExtUtils::MakeMaker)
 %endif
 
@@ -427,52 +424,12 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif
 
 %changelog
-* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
-- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
-
-* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
-- convert license to SPDX
-
-* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
-- Rebuilt for Python 3.13
-
-* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
-- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
-- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
-- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
-- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
-
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
-- Resolves: rhbz#2214186 strongswan-5.9.11 is available
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
-- Rebuilt for Python 3.12
-
-* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
-- Update to 5.9.10
-
-* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
-- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
-
 * Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
 - Use configure paths in manual pages (#2106120)
 
 * Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
 - Update to 5.9.9 (#2157850)
 
-* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
-- Add BR perl-generators to automatically generates run-time dependencies
-  for installed Perl files
-
 * Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
 - Resolves rhbz#2112274 strongswan-5.9.8 is available
 - Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security