merge in master branch changes (5.8.4-2)

.gitignore

@@ -1,21 +1 @@
 /strongswan-5.8.4.tar.bz2
-/strongswan-5.9.0.tar.bz2
-/strongswan-5.9.1.tar.bz2
-/strongswan-5.9.2.tar.bz2
-/strongswan-5.9.3.tar.bz2
-/strongswan-5.9.4.tar.bz2
-/948F158A4E76A27BF3D07532DF42C170B34DBA77
-/strongswan-5.9.5.tar.bz2
-/strongswan-5.9.5.tar.bz2.sig
-/strongswan-5.9.6.tar.bz2
-/strongswan-5.9.6.tar.bz2.sig
-/strongswan-5.9.8.tar.bz2
-/strongswan-5.9.8.tar.bz2.sig
-/strongswan-5.9.9.tar.bz2
-/strongswan-5.9.9.tar.bz2.sig
-/strongswan-5.9.10.tar.bz2
-/strongswan-5.9.10.tar.bz2.sig
-/strongswan-5.9.11.tar.bz2
-/strongswan-5.9.11.tar.bz2.sig
-/strongswan-5.9.14.tar.bz2
-/strongswan-5.9.14.tar.bz2.sig

STRONGSWAN-RELEASE-PGP-KEY

@@ -1,48 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
-ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
-C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
-hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
-SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
-Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
-iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
-oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
-pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
-ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
-AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
-GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
-wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
-1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
-thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
-fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
-/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
-MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
-iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
-KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
-8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
-wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
-IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
-R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
-pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
-56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
-w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
-Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
-xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
-jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
-lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
-lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
-ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
-TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
-M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
-GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
-kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
-W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
-MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
-Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
-+M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
-u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
-CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
-b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
-=ze82
------END PGP PUBLIC KEY BLOCK-----

sources

@@ -1,2 +1 @@
-SHA512 (strongswan-5.9.14.tar.bz2) = e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
-SHA512 (strongswan-5.9.14.tar.bz2.sig) = 1b3d57448caab91060fe3d209d90708c57dbf35ae62c97574107b32677cff73f13f7545dc91682ef84400bb8a2f105a1761aba8334763dc8c35d97be7921c242
+SHA512 (strongswan-5.8.4.tar.bz2) = 15e866b0d6cc4ea94f17856b519d926ae08c15d3b62f675f62685d0722ca8fa26b46afb1ad1c866e9d5f347d77a747f57d0c6d7f6bd57762f37d7798f9e28103

strongswan-5.6.2-CVE-2018-5388.patch

@@ -0,0 +1,15 @@
+diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
+--- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
++++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
+@@ -628,6 +628,11 @@
+ 		return FALSE;
+ 	}
+ 
++	if (len < offsetof(stroke_msg_t, buffer))
++	{
++		DBG1(DBG_CFG, "invalid stroke message length %d", len);
++		return FALSE;
++	}
+ 	/* read message (we need an additional byte to terminate the buffer) */
+ 	msg = malloc(len + 1);
+ 	msg->length = len;

strongswan-5.8.2-extern-global.patch

@@ -0,0 +1,11 @@
+--- strongswan-5.8.2/src/swanctl/swanctl.h.orig	2020-02-23 00:35:39.051000000 +0200
++++ strongswan-5.8.2/src/swanctl/swanctl.h	2020-02-23 00:35:51.930355656 +0200
+@@ -30,7 +30,7 @@
+ /**
+  * Base directory for credentials and config
+  */
+-char *swanctl_dir;
++extern char *swanctl_dir;
+ 
+ /**
+  * Configuration file for connections, etc.

strongswan-5.8.4-runtime-dir.patch

@@ -0,0 +1,24 @@
+diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
+--- strongswan-5.8.4.orig/init/systemd/strongswan.service.in	2019-08-27 16:26:53.000000000 +0300
++++ strongswan-5.8.4/init/systemd/strongswan.service.in	2020-04-12 12:05:57.383596844 +0300
+@@ -9,6 +9,8 @@
+ ExecReload=@SBINDIR@/swanctl --reload
+ ExecReload=@SBINDIR@/swanctl --load-all --noprompt
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
+--- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in	2019-08-27 16:26:53.000000000 +0300
++++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in	2020-04-12 12:05:51.810559482 +0300
+@@ -6,6 +6,8 @@
+ ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
+ StandardOutput=syslog
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target

strongswan-5.9.7-error-no-format.patch

@@ -1,12 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index f9e6e55c2..247d055d8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1480,7 +1480,6 @@ else
- fi
- # disable some warnings, whether explicitly enabled above or by default
- # these are not compatible with our custom printf specifiers
--WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
- WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
- # we generally use comments, but GCC doesn't seem to recognize many of them
- WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"

strongswan.spec

@@ -1,76 +1,36 @@
 %global _hardened_build 1
 #%%define prerelease dr1
 
-%bcond_without python3
-%bcond_without perl
-%bcond_with    check
-
-%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
-# trousers was retired for F36+ and no longer available in RHEL with 9+
-%bcond_without tss_trousers
-%else
-%bcond_with tss_trousers
-%endif
-
-%global forgeurl0 https://github.com/strongswan/strongswan
-
 Name:           strongswan
-Version:        5.9.14
-Release:        5%{?dist}
+Version:        5.8.4
+Release:        2%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
-# Automatically converted from old format: GPLv2+ - review is highly recommended.
-License:        GPL-2.0-or-later
-URL:            https://www.strongswan.org/
-VCS:            git:%{forgeurl0}
-Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
-Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
-Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
-Source3:        tmpfiles-strongswan.conf
-Patch0:         strongswan-5.6.0-uintptr_t.patch
-# https://github.com/strongswan/strongswan/issues/1198
-Patch1:         strongswan-5.9.7-error-no-format.patch
+License:        GPLv2+
+URL:            http://www.strongswan.org/
+Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
+Source1:        tmpfiles-strongswan.conf
+Patch0:         strongswan-5.8.4-runtime-dir.patch
+Patch1:         strongswan-5.6.0-uintptr_t.patch
+Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
+
+# only needed for pre-release versions
+#BuildRequires:  autoconf automake
 
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  gnupg2
-BuildRequires:  make
 BuildRequires:  gcc
-BuildRequires:  systemd
 BuildRequires:  systemd-devel
-BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
-%if 0%{?fedora} >= 41
-# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
-BuildRequires:  openssl-devel-engine
-%endif
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
+BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
+BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
-BuildRequires:  libcap-devel
-BuildRequires:  tpm2-tss-devel
-Recommends:     tpm2-tools
-
-%if %{with python3}
-BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
-BuildRequires:  python3-pytest
-%endif
-
-%if %{with perl}
-BuildRequires:  perl-devel perl-generators
-BuildRequires:  perl(ExtUtils::MakeMaker)
-%endif
-
-%if %{with tss_trousers}
-BuildRequires:  trousers-devel
-%endif
 
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -91,8 +51,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
-Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
+Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
+Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -100,14 +60,14 @@ to NetworkManager.
 
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: strongswan = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: strongswan = %{version}-%{release}
-Requires: strongswan-sqlite = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -118,39 +78,11 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.
 
-%if %{with python3}
-%package -n python3-vici
-Summary: Strongswan Versatile IKE Configuration Interface python bindings
-BuildArch: noarch
-%description -n python3-vici
-VICI is an attempt to improve the situation for system integrators by providing
-a stable IPC interface, allowing external tools to query, configure
-and control the IKE daemon.
-
-The Versatile IKE Configuration Interface (VICI) python bindings provides module
-for Strongswan runtime configuration from python applications.
-
-%endif
-
-%if %{with perl}
-%package -n perl-vici
-Summary: Strongswan Versatile IKE Configuration Interface perl bindings
-BuildArch: noarch
-%description -n perl-vici
-VICI is an attempt to improve the situation for system integrators by providing
-a stable IPC interface, allowing external tools to query, configure
-and control the IKE daemon.
-
-The Versatile IKE Configuration Interface (VICI) perl bindings provides module
-for Strongswan runtime configuration from perl applications.
-%endif
-
-# TODO: make also ruby-vici
-
-
 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -n %{name}-%{version}%{?prerelease} -p1
+%setup -q -n %{name}-%{version}%{?prerelease}
+%patch0 -p1
+%patch1 -p1
+%patch3 -p1
 
 %build
 # only for snapshots
@@ -167,9 +99,9 @@ for Strongswan runtime configuration from perl applications.
     --bindir=%{_libexecdir}/strongswan \
     --with-ipseclibdir=%{_libdir}/strongswan \
     --with-piddir=%{_rundir}/strongswan \
-    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
+    --with-fips-mode=2 \
     --enable-bypass-lan \
-    --enable-tss-tss2 \
+    --enable-tss-trousers \
     --enable-nm \
     --enable-systemd \
     --enable-openssl \
@@ -224,6 +156,8 @@ for Strongswan runtime configuration from perl applications.
     --enable-imv-attestation \
     --enable-imv-os \
     --enable-imc-os \
+    --enable-imc-swid \
+    --enable-imv-swid \
     --enable-imc-swima \
     --enable-imv-swima \
     --enable-imc-hcd \
@@ -231,77 +165,24 @@ for Strongswan runtime configuration from perl applications.
     --enable-curl \
     --enable-cmd \
     --enable-acert \
+    --enable-aikgen \
     --enable-vici \
     --enable-swanctl \
     --enable-duplicheck \
 %ifarch x86_64 %{ix86}
     --enable-aesni \
 %endif
-%if %{with python3}
-    PYTHON=%{python3} --enable-python-eggs \
-%endif
-%if %{with perl}
-    --enable-perl-cpan \
-%endif
-%if %{with check}
-    --enable-test-vectors \
-%endif
-%if %{with tss_trousers}
-    --enable-tss-trousers \
-    --enable-aikgen \
-%endif
-    --enable-kernel-libipsec \
-    --with-capabilities=libcap \
-    CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
-# TODO: --enable-python-eggs-install not python3 ready
+    --enable-kernel-libipsec
 
 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
-# ensure manual page is regenerated with local configuration
-rm -f src/ipsec/_ipsec.8
-
-%make_build
-
-pushd src/libcharon/plugins/vici
-
-%if %{with python3}
-  pushd python
-    %make_build
-    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
-    #py3_build
-  popd
-%endif
-
-%if %{with perl}
-  pushd perl/Vici-Session/
-    perl Makefile.PL INSTALLDIRS=vendor
-    %make_build
-  popd
-%endif
-
-popd
+make %{?_smp_mflags}
 
 %install
-%make_install
-
-
-pushd src/libcharon/plugins/vici
-%if %{with python3}
-  pushd python
-    # TODO: --enable-python-eggs breaks our previous build. Do it now
-    # propose better way to upstream
-    %py3_build
-    %py3_install
-  popd
-%endif
-%if %{with perl}
-  %make_install -C perl/Vici-Session
-  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
-%endif
-popd
+make install DESTDIR=%{buildroot}
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -320,36 +201,21 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
-install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
-install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
-
-
-%check
-%if %{with check}
-  # Seen some tests hang. Ensure we do not block builder forever
-  export TESTS_VERBOSITY=1
-  timeout 600 %make_build check
-%endif
-%if %{with python}
-  pushd src/libcharon/plugins/vici
-    %pytest
-  popd
-%endif
-:
+install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 
 %post
-%systemd_post strongswan.service strongswan-starter.service
+%systemd_post %{name}.service
 
 %preun
-%systemd_preun strongswan.service strongswan-starter.service
+%systemd_preun %{name}.service
 
 %postun
-%systemd_postun_with_restart strongswan.service strongswan-starter.service
+%systemd_postun_with_restart %{name}.service
 
 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
@@ -379,7 +245,6 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
 %attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
-%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -406,162 +271,7 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
-%if %{with python3}
-%files -n python3-vici
-%license COPYING
-%doc src/libcharon/plugins/vici/python/README.rst
-%{python3_sitelib}/vici
-%{python3_sitelib}/vici-%{version}-py*.egg-info
-%endif
-
-%if %{with perl}
-%license COPYING
-%files -n perl-vici
-%{perl_vendorlib}/Vici
-%endif
-
 %changelog
-* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
-- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
-
-* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
-- convert license to SPDX
-
-* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
-- Rebuilt for Python 3.13
-
-* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
-- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
-- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
-- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
-- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
-
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
-- Resolves: rhbz#2214186 strongswan-5.9.11 is available
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
-- Rebuilt for Python 3.12
-
-* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
-- Update to 5.9.10
-
-* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
-- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
-
-* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
-- Use configure paths in manual pages (#2106120)
-
-* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
-- Update to 5.9.9 (#2157850)
-
-* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
-- Add BR perl-generators to automatically generates run-time dependencies
-  for installed Perl files
-
-* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
-- Resolves rhbz#2112274 strongswan-5.9.8 is available
-- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
-- Add BuildRequire for autoconf and automake, now required for release
-- Remove obsolete patches
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
-- Resolves rhbz#2080070 strongswan-5.9.6 is available
-- Fixed missing format string in enum_flags_to_string()
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
-- Rebuilt for Python 3.11
-
-* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
-- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
-
-* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
-- Use newly published/cleaned strongswan gpg key
-
-* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
-- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
-- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
-- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
-
-* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
-- Resolves rhbz#1419441 Add python and perl vici bindings
-- Adds optional tests run
-
-* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
-- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
-- Return to using tmpfiles, but extend to cover strongswan-starter service too
-- Cleanup old patches
-
-* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
-- Resolves: rhbz#2015165 strongswan-5.9.4 is available
-- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
-- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
-- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
-- Rebuilt with OpenSSL 3.0.0
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
-- Rebuild for versioned symbols in json-c
-
-* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
-- Resolves: rhbz#1979574 strongswan-5.9.3 is available
-- Make strongswan main dir world readable so apps can find strongswan.conf
-
-* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
-- Resolves: rhbz#1896545 strongswan-5.9.2 is available
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
-- Resolves: rhbz#1896545 strongswan-5.9.1 is available
-
-* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
-- Build with with capabilities support
-- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
-- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
-
-* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
-- Resolves: rhbz#1861747 strongswan-5.9.0 is available
-- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
-  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
-- Rebuild (json-c)
-
 * Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
 - Patch0: Add RuntimeDirectory options to service files (#1789263)
 
@@ -569,6 +279,9 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 - Updated to 5.8.4
 - Patch4 has been applied upstream
 
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-6
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
 * Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
 - Patch to declare a global variable with extern (#1800117)