Patch vici for NHRP

Key should be tracked by git. It is small and should not change very
often. Ensure signature has trust anchor.

.gitignore

@@ -9,7 +9,3 @@
 /strongswan-5.9.5.tar.bz2.sig
 /strongswan-5.9.6.tar.bz2
 /strongswan-5.9.6.tar.bz2.sig
-/strongswan-5.9.8.tar.bz2
-/strongswan-5.9.8.tar.bz2.sig
-/strongswan-5.9.9.tar.bz2
-/strongswan-5.9.9.tar.bz2.sig

sources

@@ -1,2 +1,2 @@
-SHA512 (strongswan-5.9.9.tar.bz2) = 7f5d94527193ce7716292f30db75303a0594169647e41e8c9530a7dedd914ad7fecf94885356738fd54d3781a066fa591c621d531923b20780b1fca76ad7bd46
+SHA512 (strongswan-5.9.6.tar.bz2.sig) = c5f863eb1f504033aec2ab48f802584f97bb39650e55e829e31f36ea1594428caab84ea559ba82b56b060019598aada02df09311b583b098e32f5abad9fab29b
-SHA512 (strongswan-5.9.9.tar.bz2.sig) = b2aba6e7cf1add4cf1c891dbd77e658d338c80abb2a1c6efcf5a23c65ff71d6b63857daa6613fae21b4d23adc0ef0df9d6e245198cd799bdf5534da097050d0e
+SHA512 (strongswan-5.9.6.tar.bz2) = 8efb7a55b074485b874e941e42462e97a404b4f84e2f90ed18ef66274731b22d167a571f6fd028dccc1f199f2e591c82616d0a832a5084e1981c6b867fe5bb6a

strongswan-5.9.4-test-socket.patch

@@ -0,0 +1,31 @@
+From 377039d24648f82dac35dcf22a2b43de81f2fb96 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 11 Nov 2021 05:48:38 +0100
+Subject: [PATCH] Skip test case, which always hangs
+
+It just stops and does not continue. Avoid that test.
+---
+ src/libtls/tests/suites/test_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 9e26e91..5296680 100644
+--- a/src/libtls/tests/suites/test_socket.c
++++ b/src/libtls/tests/suites/test_socket.c
+@@ -804,11 +804,13 @@ Suite *socket_suite_create()
+ 	add_tls_versions_test(test_tls_12_server, TLS_1_0, TLS_1_3);
+ 	suite_add_tcase(s, tc);
+ 
++#if 0
+ 	tc = tcase_create("TLS 1.3/key exchange groups");
+ 	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+ 	tcase_add_loop_test(tc, test_tls13_ke_groups, 0,
+ 						tls_crypto_get_supported_groups(NULL));
+ 	suite_add_tcase(s, tc);
++#endif
+ 
+ 	tc = tcase_create("TLS 1.3/signature schemes");
+ 	tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds);
+-- 
+2.31.1
+

strongswan-5.9.5-atexit-handlers.patch

@@ -0,0 +1,71 @@
+--- strongswan-5.9.5-orig/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-01-08 12:54:02.000000000 +0100
++++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-02-23 23:12:03.685111475 +0100
+@@ -16,7 +16,6 @@
+ 
+ #include <library.h>
+ #include <utils/debug.h>
+-#include <collections/array.h>
+ #include <threading/thread.h>
+ #include <threading/mutex.h>
+ #include <threading/thread_value.h>
+@@ -74,13 +73,6 @@
+ 	 * public functions
+ 	 */
+ 	openssl_plugin_t public;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	/**
+-	 * Loaded providers
+-	 */
+-	array_t *providers;
+-#endif
+ };
+ 
+ /**
+@@ -881,21 +873,12 @@
+ #endif
+ 	}
+ 	*features = f;
+-	return countof(f);
++	return count;
+ }
+ 
+ METHOD(plugin_t, destroy, void,
+ 	private_openssl_plugin_t *this)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	OSSL_PROVIDER *provider;
+-	while (array_remove(this->providers, ARRAY_TAIL, &provider))
+-	{
+-		OSSL_PROVIDER_unload(provider);
+-	}
+-	array_destroy(this->providers);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
+  * can't call it as we couldn't re-initialize the library (as required by the
+  * unit tests and the Android app) */
+@@ -1009,20 +992,16 @@
+ 			DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ 			return NULL;
+ 		}
+-		array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ 		/* explicitly load the base provider containing encoding functions */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "base"));
++		OSSL_PROVIDER_load(NULL, "base");
+ 	}
+ 	else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ 									 TRUE, lib->ns))
+ 	{
+ 		/* load the legacy provider for algorithms like MD4, DES, BF etc. */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "legacy"));
++		OSSL_PROVIDER_load(NULL, "legacy");
+ 		/* explicitly load the default provider, as mentioned by crypto(7) */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "default"));
++		OSSL_PROVIDER_load(NULL, "default");
+ 	}
+ 	ossl_provider_names_t data = {};
+ 	OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);

strongswan-5.9.6-error-format-security.patch

@@ -0,0 +1,11 @@
+--- strongswan-5.9.6-orig/src/libstrongswan/utils/enum.c	2022-04-16 10:08:07.000000000 +0200
++++ strongswan-5.9.6/src/libstrongswan/utils/enum.c	2022-06-20 23:21:47.408857710 +0200
+@@ -97,7 +97,7 @@
+ 		return buf;
+ 	}
+ 
+-	if (snprintf(buf, len, e->names[0]) >= len)
++	if (snprintf(buf, len, "%s", e->names[0]) >= len)
+ 	{
+ 		return NULL;
+ 	}

strongswan-5.9.7-error-no-format.patch

@@ -1,12 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index f9e6e55c2..247d055d8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1480,7 +1480,6 @@ else
- fi
- # disable some warnings, whether explicitly enabled above or by default
- # these are not compatible with our custom printf specifiers
--WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
- WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
- # we generally use comments, but GCC doesn't seem to recognize many of them
- WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"

strongswan-5.9.9-man-paths.patch

@@ -1,348 +0,0 @@
-From 111cbd3d2ca4385d326db333ee86843ada652663 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Mon, 16 Jan 2023 19:38:17 +0100
-Subject: [PATCH] Make manual paths follow build configuration
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use build-configured paths in manual pages instead of default values.
-Makes easier customization to non-default values as done on Fedora for
-example.
-
-Squashed commit of the following:
-
-commit e99de2aee9f26e3ab97d88902308107d9f048acd
-Merge: 8effb06d6 29e324709
-Author: Tobias Brunner <tobias@strongswan.org>
-Date:   Mon Jan 16 11:41:17 2023 +0100
-
-    Merge branch 'man-sysconfdir'
-
-    Closes strongswan/strongswan#1511
-
-commit 29e32470974aea614c2486c2982767bd62670063
-Author: Tobias Brunner <tobias@strongswan.org>
-Date:   Mon Jan 16 11:39:29 2023 +0100
-
-    swanctl: Don't use hard-coded path to sysconfdir
-
-commit 1c0b14baa3c04606ad9357dfc658d11f0f96ca65
-Author: Tobias Brunner <tobias@strongswan.org>
-Date:   Mon Jan 16 11:37:27 2023 +0100
-
-    conf: Add swanctl.conf and swanctl man pages to SEE ALSO
-
-commit 7e43a5f3d28424abfb648b7afd24e25a042efd24
-Author: Tobias Brunner <tobias@strongswan.org>
-Date:   Mon Jan 16 11:35:42 2023 +0100
-
-    conf: Replace hard-coded /etc where appropriate
-
-    Also document the actual value of ${sysconfdir}.
-
-commit ee046552bb1f3c98d89837d58f7da7d83c8fbb82
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Sun Jan 15 16:55:45 2023 +0100
-
-    man: Use configured path for config files in man pages
-
-commit ab4ed21b5cb28eafbc29b09523b062bee159a0d0
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Sun Jan 15 16:17:07 2023 +0100
-
-    ipsec: Include IPSEC_CONFDIR variable replacement in man page
-
-    Fedora has chosena different default directory to avoid conflicts with
-    libreswan. Use ${sysconfdir} variable to provide the correct location.
----
- conf/options/charon.opt            |  4 ++--
- conf/plugins/unbound.opt           |  2 +-
- conf/strongswan.conf.5.tail.in     | 10 ++++++----
- man/ipsec.conf.5.in                | 22 +++++++++++-----------
- man/ipsec.secrets.5.in             |  8 ++++----
- src/ipsec/Makefile.am              |  1 +
- src/ipsec/_ipsec.8.in              | 20 ++++++++++----------
- src/swanctl/swanctl.conf.5.tail.in |  2 +-
- 8 files changed, 36 insertions(+), 33 deletions(-)
-
-diff --git a/conf/options/charon.opt b/conf/options/charon.opt
-index 00949222a..72efd17de 100644
---- a/conf/options/charon.opt
-+++ b/conf/options/charon.opt
-@@ -38,8 +38,8 @@ charon.cert_cache = yes
- charon.cache_crls = no
- 	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
- 	be saved under a unique file name derived from the public key of the
--	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
--	**/etc/swanctl/x509crl** (vici), respectively.
-+	Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
-+	**${sysconfdir}/swanctl/x509crl** (vici), respectively.
- 
- charon.check_current_path = no
- 	Whether to use DPD to check if the current path still works after any
-diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
-index f8ca9ca12..007797310 100644
---- a/conf/plugins/unbound.opt
-+++ b/conf/plugins/unbound.opt
-@@ -1,7 +1,7 @@
- charon.plugins.unbound.resolv_conf = /etc/resolv.conf
- 	File to read DNS resolver configuration from.
- 
--charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
-+charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys
- 	File to read DNSSEC trust anchors from (usually root zone KSK).
- 
- 	File to read DNSSEC trust anchors from (usually root zone KSK). The format
-diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
-index baad476d1..74bbd8eec 100644
---- a/conf/strongswan.conf.5.tail.in
-+++ b/conf/strongswan.conf.5.tail.in
-@@ -458,6 +458,7 @@ The variables used above are configured as follows:
- .na
- ${piddir}               @piddir@
- ${prefix}               @prefix@
-+${sysconfdir}           @sysconfdir@
- ${random_device}        @random_device@
- ${urandom_device}       @urandom_device@
- .ad
-@@ -467,18 +468,19 @@ ${urandom_device}       @urandom_device@
- .
- .nf
- .na
--/etc/strongswan.conf       configuration file
--/etc/strongswan.d/         directory containing included config snippets
--/etc/strongswan.d/charon/  plugin specific config snippets
-+@sysconfdir@/strongswan.conf       configuration file
-+@sysconfdir@/strongswan.d/         directory containing included config snippets
-+@sysconfdir@/strongswan.d/charon/  plugin specific config snippets
- .ad
- .fi
- .
- .SH SEE ALSO
-+\fBswanctl.conf\fR(5), \fBswanctl\fR(8),
- \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
- 
- .SH HISTORY
- Written for the
--.UR http://www.strongswan.org
-+.UR https://www.strongswan.org
- strongSwan project
- .UE
- by Tobias Brunner, Andreas Steffen and Martin Willi.
-diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
-index ced12680f..4e256538e 100644
---- a/man/ipsec.conf.5.in
-+++ b/man/ipsec.conf.5.in
-@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only).
- .BR leftcert " = <path>"
- the path to the left participant's X.509 certificate. The file can be encoded
- either in PEM or DER format. OpenPGP certificates are supported as well.
--Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-+Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
- are accepted. By default
- .B leftcert
- sets
-@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either
- the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
- respectively.
- Also accepted is the path to a file containing the public key in PEM, DER or SSH
--encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-+encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
- are accepted.
- .TP
- .BR leftsendcert " = never | no | " ifasked " | always | yes"
-@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID.
- .SH "CA SECTIONS"
- These are optional sections that can be used to assign special
- parameters to a Certification Authority (CA). Because the daemons
--automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
-+automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP,
- there is no need to explicitly add them with a CA section, unless you
- want to assign special parameters (like a CRL) to a CA.
- .TP
-@@ -1235,7 +1235,7 @@ currently can have either the value
- .TP
- .BR cacert " = <path>"
- defines a path to the CA certificate either relative to
--\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-+\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path.
- .br
- A value in the form
- .B %smartcard[<slot nr>[@<module>]]:<keyid>
-@@ -1284,7 +1284,7 @@ section are:
- .BR cachecrls " = yes | " no
- if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
- be cached in
--.I /etc/ipsec.d/crls/
-+.I @sysconfdir@/ipsec.d/crls/
- under a unique file name derived from the certification authority's public key.
- .TP
- .BR charondebug " = <debug list>"
-@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled.
- 
- .SH FILES
- .nf
--/etc/ipsec.conf
--/etc/ipsec.d/aacerts
--/etc/ipsec.d/acerts
--/etc/ipsec.d/cacerts
--/etc/ipsec.d/certs
--/etc/ipsec.d/crls
-+@sysconfdir@/ipsec.conf
-+@sysconfdir@/ipsec.d/aacerts
-+@sysconfdir@/ipsec.d/acerts
-+@sysconfdir@/ipsec.d/cacerts
-+@sysconfdir@/ipsec.d/certs
-+@sysconfdir@/ipsec.d/crls
- 
- .SH SEE ALSO
- strongswan.conf(5), ipsec.secrets(5), ipsec(8)
-diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
-index 15e36faff..c54e1a18b 100644
---- a/man/ipsec.secrets.5.in
-+++ b/man/ipsec.secrets.5.in
-@@ -15,7 +15,7 @@ Here is an example.
- .LP
- .RS
- .nf
--# /etc/ipsec.secrets - strongSwan IPsec secrets file
-+# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file
- 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
- 
- : RSA moonKey.pem
-@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data.
- .TQ
- .B : ECDSA <private key file> [ <passphrase> | %prompt ]
- For the private key file both absolute paths or paths relative to
--\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
-+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is
- encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
- .B %prompt
- can be used which then causes the daemon to ask the user for the password
-@@ -148,7 +148,7 @@ whenever it is required to decrypt the key.
- .TP
- .B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
- For the PKCS#12 file both absolute paths or paths relative to
--\fI/etc/ipsec.d/private\fP are accepted. If the container is
-+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is
- encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
- .B %prompt
- can be used which then causes the daemon to ask the user for the password
-@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code.
- .LP
- 
- .SH FILES
--/etc/ipsec.secrets
-+@sysconfdir@/ipsec.secrets
- .SH SEE ALSO
- ipsec.conf(5), strongswan.conf(5), ipsec(8)
- .br
-diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
-index 0ab9ab27c..656eba49b 100644
---- a/src/ipsec/Makefile.am
-+++ b/src/ipsec/Makefile.am
-@@ -10,6 +10,7 @@ _ipsec.8 : _ipsec.8.in
- 	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
- 	-e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
- 	-e "s:@IPSEC_DIR@:$(ipsecdir):" \
-+	-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
- 	$(srcdir)/$@.in > $@
- 
- _ipsec : _ipsec.in
-diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
-index bfc4d50c2..de00d3075 100644
---- a/src/ipsec/_ipsec.8.in
-+++ b/src/ipsec/_ipsec.8.in
-@@ -145,25 +145,25 @@ locally by the IKE daemon or received via the IKE protocol.
- .TP
- .BI "listcacerts [" --utc ]
- returns a list of X.509 Certification Authority (CA) certificates that were
--loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
-+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP
- directory or received via the IKE protocol.
- .
- .TP
- .BI "listaacerts [" --utc ]
- returns a list of X.509 Authorization Authority (AA) certificates that were
--loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
-+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP
- directory.
- .
- .TP
- .BI "listocspcerts [" --utc ]
- returns a list of X.509 OCSP Signer certificates that were either loaded
--locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
-+locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
- directory or were sent by an OCSP server.
- .
- .TP
- .BI "listacerts [" --utc ]
- returns a list of X.509 Attribute certificates that were loaded locally by
--the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
-+the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory.
- .
- .TP
- .BI "listgroups [" --utc ]
-@@ -179,7 +179,7 @@ sections in \fIipsec.conf\fP.
- .TP
- .BI "listcrls [" --utc ]
- returns a list of Certificate Revocation Lists (CRLs) that were either loaded
--by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
-+by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from
- an HTTP- or LDAP-based CRL distribution point.
- .
- .TP
-@@ -211,7 +211,7 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
- .TP
- .B "rereadcacerts"
- removes previously loaded CA certificates, reads all certificate files
--contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
-+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list
- of Certification Authority (CA) certificates. This does not affect certificates
- explicitly defined in a
- .BR ipsec.conf (5)
-@@ -220,23 +220,23 @@ ca section, which may be separately updated using the \fBupdate\fP command.
- .TP
- .B "rereadaacerts"
- removes previously loaded AA certificates, reads all certificate files
--contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
-+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list
- of Authorization Authority (AA) certificates.
- .
- .TP
- .B "rereadocspcerts"
--reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
-+reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
- directory and adds them to the list of OCSP signer certificates.
- .
- .TP
- .B "rereadacerts"
--reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
-+reads all certificate files contained in the  \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP
- directory and adds them to the list of attribute certificates.
- .
- .TP
- .B "rereadcrls"
- reads  all Certificate  Revocation Lists (CRLs) contained in the
--\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
-+\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
- .
- .TP
- .B "rereadall"
-diff --git a/src/swanctl/swanctl.conf.5.tail.in b/src/swanctl/swanctl.conf.5.tail.in
-index 4d24608da..036443843 100644
---- a/src/swanctl/swanctl.conf.5.tail.in
-+++ b/src/swanctl/swanctl.conf.5.tail.in
-@@ -2,7 +2,7 @@
- .
- .nf
- .na
--/etc/swanctl/swanctl.conf       configuration file
-+@sysconfdir@/swanctl/swanctl.conf       configuration file
- .ad
- .fi
- .
--- 
-2.39.0
-

strongswan.spec

@@ -13,38 +13,31 @@
 %bcond_with tss_trousers
 %endif
 
-%global forgeurl0 https://github.com/strongswan/strongswan
-
 Name:           strongswan
-Version:        5.9.9
+Version:        5.9.6
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
-URL:            https://www.strongswan.org/
+URL:            http://www.strongswan.org/
-VCS:            git:%{forgeurl0}
+Source0:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
-Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source1:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
-Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
 Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
 Source3:        tmpfiles-strongswan.conf
 Patch0:         strongswan-5.6.0-uintptr_t.patch
-# https://github.com/strongswan/strongswan/issues/1198
+# https://github.com/strongswan/strongswan/issues/1025
-Patch1:         strongswan-5.9.7-error-no-format.patch
+Patch1:         strongswan-5.9.6-error-format-security.patch
-# https://github.com/strongswan/strongswan/pull/1511
-# https://github.com/strongswan/strongswan/commit/e99de2aee9f26e3ab97d88902308107d9f048acd
-Patch2:         strongswan-5.9.9-man-paths.patch
 
 Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
 Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
 
-BuildRequires:  autoconf
+# only needed for pre-release versions
-BuildRequires:  automake
+#BuildRequires:  autoconf automake
+
 BuildRequires:  gnupg2
 BuildRequires:  make
 BuildRequires:  gcc
-BuildRequires:  systemd
 BuildRequires:  systemd-devel
-BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
@@ -55,6 +48,7 @@ BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
+BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
 BuildRequires:  libcap-devel
 BuildRequires:  tpm2-tss-devel
@@ -227,6 +221,8 @@ for Strongswan runtime configuration from perl applications.
     --enable-imv-attestation \
     --enable-imv-os \
     --enable-imc-os \
+    --enable-imc-swid \
+    --enable-imv-swid \
     --enable-imc-swima \
     --enable-imv-swima \
     --enable-imc-hcd \
@@ -263,9 +259,6 @@ for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
-# ensure manual page is regenerated with local configuration
-rm -f src/ipsec/_ipsec.8
-
 %make_build
 
 pushd src/libcharon/plugins/vici
@@ -424,28 +417,10 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif
 
 %changelog
-* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
-- Use configure paths in manual pages (#2106120)
-
-* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
-- Update to 5.9.9 (#2157850)
-
-* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
-- Resolves rhbz#2112274 strongswan-5.9.8 is available
-- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
-- Add BuildRequire for autoconf and automake, now required for release
-- Remove obsolete patches
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
 * Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
 - Resolves rhbz#2080070 strongswan-5.9.6 is available
 - Fixed missing format string in enum_flags_to_string()
 
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
-- Rebuilt for Python 3.11
-
 * Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
 - Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6