Fix build issue (rhbz#2368971)

GCC 15 defaults to C23, which is stricter in mutiple ways.  Some fixes were
already included in 6.0.1, but some were just merged upstream and not yet
released.

.gitignore

@@ -1,3 +1,21 @@
-/strongswan-5.7.2.tar.bz2
-/strongswan-5.8.1.tar.bz2
-/strongswan-5.8.2.tar.bz2
+/strongswan-5.8.4.tar.bz2
+/strongswan-5.9.0.tar.bz2
+/strongswan-5.9.1.tar.bz2
+/strongswan-5.9.2.tar.bz2
+/strongswan-5.9.3.tar.bz2
+/strongswan-5.9.4.tar.bz2
+/948F158A4E76A27BF3D07532DF42C170B34DBA77
+/strongswan-5.9.5.tar.bz2
+/strongswan-5.9.5.tar.bz2.sig
+/strongswan-5.9.6.tar.bz2
+/strongswan-5.9.6.tar.bz2.sig
+/strongswan-5.9.8.tar.bz2
+/strongswan-5.9.8.tar.bz2.sig
+/strongswan-5.9.9.tar.bz2
+/strongswan-5.9.9.tar.bz2.sig
+/strongswan-5.9.10.tar.bz2
+/strongswan-5.9.10.tar.bz2.sig
+/strongswan-5.9.11.tar.bz2
+/strongswan-5.9.11.tar.bz2.sig
+/strongswan-5.9.14.tar.bz2
+/strongswan-5.9.14.tar.bz2.sig

STRONGSWAN-RELEASE-PGP-KEY

@@ -0,0 +1,48 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
+ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
+C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
+hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
+SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
+Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
+iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
+oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
+pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
+ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
+AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
+GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
+wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
+1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
+thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
+fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
+/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
+MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
+iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
+KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
+8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
+wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
+IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
+R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
+pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
+56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
+w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
+Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
+xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
+jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
+lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
+lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
+ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
+TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
+M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
+GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
+kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
+W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
+MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
+Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
++M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
+u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
+CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
+b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
+=ze82
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1 +1,2 @@
-SHA512 (strongswan-5.8.2.tar.bz2) = 423e7924acfe8a03ad7d4359ae9086fd516798fcf5eb948a27b52ea719f4d8954b83ea30ce94191ea1647616611df8a1215cb4d5c7ec48676624df6c41853e1d
+SHA512 (strongswan-5.9.14.tar.bz2) = e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
+SHA512 (strongswan-5.9.14.tar.bz2.sig) = 1b3d57448caab91060fe3d209d90708c57dbf35ae62c97574107b32677cff73f13f7545dc91682ef84400bb8a2f105a1761aba8334763dc8c35d97be7921c242

strongswan-5.6.2-CVE-2018-5388.patch

@@ -1,15 +0,0 @@
-diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
---- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
-+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
-@@ -628,6 +628,11 @@
- 		return FALSE;
- 	}
- 
-+	if (len < offsetof(stroke_msg_t, buffer))
-+	{
-+		DBG1(DBG_CFG, "invalid stroke message length %d", len);
-+		return FALSE;
-+	}
- 	/* read message (we need an additional byte to terminate the buffer) */
- 	msg = malloc(len + 1);
- 	msg->length = len;

strongswan-5.9.7-error-no-format.patch

@@ -0,0 +1,12 @@
+diff --git a/configure.ac b/configure.ac
+index f9e6e55c2..247d055d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1480,7 +1480,6 @@ else
+ fi
+ # disable some warnings, whether explicitly enabled above or by default
+ # these are not compatible with our custom printf specifiers
+-WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
+ WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
+ # we generally use comments, but GCC doesn't seem to recognize many of them
+ WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"

strongswan-6.0.0-gcc15.patch

@@ -0,0 +1,109 @@
+From cf7fb47788dfb83bb5d8bd0bffdb582e381a2f0a Mon Sep 17 00:00:00 2001
+From: Thomas Egerer <thomas.egerer@secunet.com>
+Date: Fri, 6 Sep 2024 13:29:40 +0200
+Subject: [PATCH] array: Don't use realloc() with zero size in array_compress()
+
+The behavior of realloc(3) with zero size was apparently implementation
+defined.  While glibc documents the behavior as equivalent to free(3),
+that might not apply to other C libraries.  With C17, this behavior has
+been deprecated, and with C23, the behavior is now undefined.  It's also
+why valgrind warns about this use.
+
+Hence, when array_compress() would call realloc() with a zero size, we
+now call free() explicitly and set the pointer to NULL.
+
+Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
+---
+ src/libstrongswan/collections/array.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
+index 8acc8051d53..8b6c6d7397e 100644
+--- a/src/libstrongswan/collections/array.c
++++ b/src/libstrongswan/collections/array.c
+@@ -197,7 +197,17 @@ void array_compress(array_t *array)
+ 		}
+ 		if (tail)
+ 		{
+-			array->data = realloc(array->data, get_size(array, array->count));
++			size_t size = get_size(array, array->count);
++
++			if (size)
++			{
++				array->data = realloc(array->data, size);
++			}
++			else
++			{
++				free(array->data);
++				array->data = NULL;
++			}
+ 			array->tail = 0;
+ 		}
+ 	}
+---
+
+From f1f0bd9de60e2697a712e72b7ae9f79763a0901d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 9 Jan 2025 16:05:39 +0100
+Subject: [PATCH] ctr: Remove parameter-less constructor prototype
+
+Useless and causes a compiler warning/error:
+
+  error: a function declaration without a prototype is deprecated in all versions of C and is treated as a zero-parameter prototype in C23, conflicting with a subsequent declaration [-Werror,-Wdeprecated-non-prototype]
+---
+ src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
+index e9421a1be9f..3814465e48b 100644
+--- a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
++++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
+@@ -37,11 +37,6 @@ struct ctr_ipsec_crypter_t {
+ 	crypter_t crypter;
+ };
+ 
+-/**
+- * Create a ctr_ipsec_crypter instance.
+- */
+-ctr_ipsec_crypter_t *ctr_ipsec_crypter_create();
+-
+ /**
+  * Create a ctr_ipsec_crypter instance.
+  *
+---
+
+From 227d7ef9a24b8c62d6965c1c1690252bde7c698d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 10 Jan 2025 15:43:11 +0100
+Subject: [PATCH] tnc-imv: Add missing argument to IMV recommendations
+ constructor
+
+This avoids the following warning/error:
+
+tnc_imv_manager.c:244:39: error: passing arguments to 'tnc_imv_recommendations_create' without a prototype is deprecated in all versions of C and is not supported in C23 [-Werror,-Wdeprecated-non-prototype]
+  244 |         return tnc_imv_recommendations_create(this->imvs);
+      |                                              ^
+---
+ src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
+index f7178876cfd..60272978ad3 100644
+--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
++++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
+@@ -27,8 +27,11 @@
+ #include <collections/linked_list.h>
+ 
+ /**
+- * Create an IMV empty recommendations instance
++ * Create an empty IMV recommendations instance
++ *
++ * @param imv_list		list of IMVs that could provide recommendations
++ * @return				created instance
+  */
+-recommendations_t *tnc_imv_recommendations_create();
++recommendations_t *tnc_imv_recommendations_create(linked_list_t *imv_list);
+ 
+ #endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/
+---
+

strongswan-6.0.1-gcc15.patch

@@ -0,0 +1,597 @@
+From a7b5de569082398a14b7e571498e55d005903aaf Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 17:18:35 +0100
+Subject: [PATCH] pki: Fix signature of help() to match that of a callback in
+ command_t
+
+---
+ src/pki/command.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pki/command.c b/src/pki/command.c
+index accec5fe51b..6e6bf041e18 100644
+--- a/src/pki/command.c
++++ b/src/pki/command.c
+@@ -265,7 +265,7 @@ int command_usage(char *error)
+ /**
+  * Show usage information
+  */
+-static int help(int c, char *v[])
++static int help()
+ {
+ 	return command_usage(NULL);
+ }
+---
+
+From 38d89f57f0771d3cc7b2ab70849584685ada2bc0 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 16:47:34 +0100
+Subject: [PATCH] charon-nm: Use CALLBACK macro for callback job's cancel
+ implementation
+
+Casting to this specific function type doesn't work anymore if C23 is
+used as the types mismatch.
+---
+ src/charon-nm/nm/nm_backend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
+index aefd3f95688..8ee1785212e 100644
+--- a/src/charon-nm/nm/nm_backend.c
++++ b/src/charon-nm/nm/nm_backend.c
+@@ -78,7 +78,8 @@ static job_requeue_t run(nm_backend_t *this)
+ /**
+  * Cancel the GLib Main Event Loop
+  */
+-static bool cancel(nm_backend_t *this)
++CALLBACK(cancel, bool,
++	nm_backend_t *this)
+ {
+ 	if (this->loop)
+ 	{
+@@ -152,7 +153,7 @@ static bool nm_backend_init()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
+-				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
++				NULL, cancel, JOB_PRIO_CRITICAL));
+ 	return TRUE;
+ }
+ 
+---
+
+From d5d2568ff0e88d364dadf50b67bf17050763cf98 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 16:45:57 +0100
+Subject: [PATCH] callback-job: Replace return_false() in constructors with
+ dedicated function
+
+Besides being clearer, this fixes issues with GCC 15.  The latter uses
+C23 by default, which changes the meaning of function declarations
+without parameters such as
+
+	bool return false();
+
+Instead of "this function takes an unknown number of arguments", this
+now equals (void), that is, "this function takes no arguments".  So we
+run into incompatible pointer type warnings all over when using such
+functions.  They could be cast to (void*) but this seems the cleaner
+solution for this use case.
+---
+ src/charon-cmd/cmd/cmd_connection.c                   |  2 +-
+ .../jni/libandroidbridge/backend/android_dns_proxy.c  |  2 +-
+ .../jni/libandroidbridge/backend/android_service.c    |  6 +++---
+ src/libcharon/network/receiver.c                      |  2 +-
+ src/libcharon/network/sender.c                        |  2 +-
+ .../plugins/bypass_lan/bypass_lan_listener.c          |  4 ++--
+ .../plugins/eap_radius/eap_radius_accounting.c        |  2 +-
+ src/libcharon/plugins/eap_radius/eap_radius_plugin.c  |  2 +-
+ src/libcharon/plugins/ha/ha_ctl.c                     |  2 +-
+ src/libcharon/plugins/ha/ha_dispatcher.c              |  2 +-
+ src/libcharon/plugins/ha/ha_segments.c                |  6 +++---
+ .../kernel_libipsec/kernel_libipsec_esp_handler.c     |  2 +-
+ .../plugins/kernel_libipsec/kernel_libipsec_router.c  |  2 +-
+ src/libcharon/plugins/smp/smp.c                       |  4 ++--
+ src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c   |  2 +-
+ src/libcharon/plugins/uci/uci_control.c               |  2 +-
+ src/libipsec/ipsec_event_relay.c                      |  2 +-
+ src/libipsec/ipsec_processor.c                        |  4 ++--
+ src/libpttls/pt_tls_dispatcher.c                      |  2 +-
+ src/libstrongswan/networking/streams/stream_service.c |  2 +-
+ src/libstrongswan/processing/jobs/callback_job.c      | 10 +++++++++-
+ src/libstrongswan/processing/jobs/callback_job.h      | 11 ++++++++++-
+ src/libstrongswan/processing/scheduler.c              |  3 ++-
+ src/libstrongswan/processing/watcher.c                |  4 ++--
+ src/libtls/tests/suites/test_socket.c                 |  2 +-
+ 25 files changed, 51 insertions(+), 33 deletions(-)
+
+diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
+index 8e8d8236e52..e220e33a62a 100644
+--- a/src/charon-cmd/cmd/cmd_connection.c
++++ b/src/charon-cmd/cmd/cmd_connection.c
+@@ -585,7 +585,7 @@ cmd_connection_t *cmd_connection_create()
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio(
+ 			(callback_job_cb_t)initiate, this, NULL,
+-			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
+index e79d5974409..480d1d622d5 100644
+--- a/src/libcharon/network/receiver.c
++++ b/src/libcharon/network/receiver.c
+@@ -737,7 +737,7 @@ receiver_t *receiver_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
+index 4543766d62e..3fcd17f1b63 100644
+--- a/src/libcharon/network/sender.c
++++ b/src/libcharon/network/sender.c
+@@ -216,7 +216,7 @@ sender_t * sender_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+index db7abd8146b..c9aed3666fc 100644
+--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
++++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+@@ -227,7 +227,7 @@ METHOD(kernel_listener_t, roam, bool,
+ {
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	return TRUE;
+ }
+ 
+@@ -269,7 +269,7 @@ METHOD(bypass_lan_listener_t, reload_interfaces, void,
+ 	this->mutex->unlock(this->mutex);
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ }
+ 
+ METHOD(bypass_lan_listener_t, destroy, void,
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+index f833dc3c0b4..2f29d080764 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
++++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+@@ -706,7 +706,7 @@ static void schedule_interim(private_eap_radius_accounting_t *this,
+ 			(job_t*)callback_job_create_with_prio(
+ 				(callback_job_cb_t)send_interim,
+ 				data, (void*)destroy_interim_data,
+-				(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
++				callback_job_cancel_thread, JOB_PRIO_CRITICAL), tv);
+ 	}
+ }
+ 
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+index 5051542615a..55d5e032cea 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
++++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+@@ -445,7 +445,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id)
+ 		lib->processor->queue_job(lib->processor,
+ 				(job_t*)callback_job_create_with_prio(
+ 						(callback_job_cb_t)delete_all_async, NULL, NULL,
+-						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++						callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	}
+ 	else if (id)
+ 	{
+diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
+index 8859bae166b..3d2ac7de84d 100644
+--- a/src/libcharon/plugins/ha/ha_ctl.c
++++ b/src/libcharon/plugins/ha/ha_ctl.c
+@@ -199,6 +199,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
+index 5de26a65a27..83be91ab159 100644
+--- a/src/libcharon/plugins/ha/ha_dispatcher.c
++++ b/src/libcharon/plugins/ha/ha_dispatcher.c
+@@ -1184,7 +1184,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
+ 	);
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
+index afb76b39ea2..32d9ee40717 100644
+--- a/src/libcharon/plugins/ha/ha_segments.c
++++ b/src/libcharon/plugins/ha/ha_segments.c
+@@ -316,7 +316,7 @@ static void start_watchdog(private_ha_segments_t *this)
+ 	this->heartbeat_active = TRUE;
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)watchdog, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ }
+ 
+ METHOD(ha_segments_t, handle_status, void,
+@@ -404,7 +404,7 @@ static void start_heartbeat(private_ha_segments_t *this)
+ {
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ }
+ 
+ /**
+@@ -451,7 +451,7 @@ static void start_autobalance(private_ha_segments_t *this)
+ 	DBG1(DBG_CFG, "scheduling HA autobalance every %ds", this->autobalance);
+ 	lib->scheduler->schedule_job(lib->scheduler,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL),
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL),
+ 		this->autobalance);
+ }
+ 
+diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+index 095ad67b4b0..c18e266e4d1 100644
+--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
++++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+@@ -337,7 +337,7 @@ kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create()
+ 	}
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create(send_esp, this, NULL,
+-										(callback_job_cancel_t)return_false));
++										callback_job_cancel_thread));
+ 	return &this->public;
+ }
+ 
+diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+index 74746e251de..07adc70be3e 100644
+--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
++++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+@@ -364,7 +364,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create()
+ 	charon->receiver->add_esp_cb(charon->receiver, receiver_esp_cb, NULL);
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
+-									NULL, (callback_job_cancel_t)return_false));
++										NULL, callback_job_cancel_thread));
+ 
+ 	router = &this->public;
+ 	return &this->public;
+diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
+index 6ca9f13997e..85ff5830bc5 100644
+--- a/src/libcharon/plugins/smp/smp.c
++++ b/src/libcharon/plugins/smp/smp.c
+@@ -710,7 +710,7 @@ static job_requeue_t dispatch(private_smp_t *this)
+ 	fdp = malloc_thing(int);
+ 	*fdp = fd;
+ 	job = callback_job_create((callback_job_cb_t)process, fdp, free,
+-							  (callback_job_cancel_t)return_false);
++							  callback_job_cancel_thread);
+ 	lib->processor->queue_job(lib->processor, (job_t*)job);
+ 
+ 	return JOB_REQUEUE_DIRECT;
+@@ -800,7 +800,7 @@ plugin_t *smp_plugin_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public.plugin;
+ }
+diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+index 30aeb116dec..da317a894d9 100644
+--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
++++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+@@ -210,7 +210,7 @@ METHOD(tnc_pdp_connections_t, add, void,
+ 	/* schedule timeout checking */
+ 	lib->scheduler->schedule_job_ms(lib->scheduler,
+ 				(job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
+-					this, NULL, (callback_job_cancel_t)return_false),
++					this, NULL, callback_job_cancel_thread),
+ 				this->timeout * 1000);
+ 
+ 	dbg_nas_user(nas_id, user_name, FALSE, "created");
+diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
+index b033c832c8c..8074005ee57 100644
+--- a/src/libcharon/plugins/uci/uci_control.c
++++ b/src/libcharon/plugins/uci/uci_control.c
+@@ -296,7 +296,7 @@ uci_control_t *uci_control_create()
+ 	{
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive,
+-							this, NULL, (callback_job_cancel_t)return_false,
++							this, NULL, callback_job_cancel_thread,
+ 							JOB_PRIO_CRITICAL));
+ 	}
+ 	return &this->public;
+diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
+index 0f10795d168..802146eef21 100644
+--- a/src/libipsec/ipsec_event_relay.c
++++ b/src/libipsec/ipsec_event_relay.c
+@@ -230,7 +230,7 @@ ipsec_event_relay_t *ipsec_event_relay_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)handle_events, this,
+-			NULL, (callback_job_cancel_t)return_false));
++			NULL, callback_job_cancel_thread));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
+index 2572b088089..8549fefe261 100644
+--- a/src/libipsec/ipsec_processor.c
++++ b/src/libipsec/ipsec_processor.c
+@@ -336,9 +336,9 @@ ipsec_processor_t *ipsec_processor_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)process_inbound, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)process_outbound, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	return &this->public;
+ }
+diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
+index a134bee238f..c7e42b277e1 100644
+--- a/src/libpttls/pt_tls_dispatcher.c
++++ b/src/libpttls/pt_tls_dispatcher.c
+@@ -156,7 +156,7 @@ METHOD(pt_tls_dispatcher_t, dispatch, void,
+ 		lib->processor->queue_job(lib->processor,
+ 				(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+ 										connection, (void*)cleanup,
+-										(callback_job_cancel_t)return_false,
++										callback_job_cancel_thread,
+ 										JOB_PRIO_CRITICAL));
+ 	}
+ }
+diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c
+index 5b709a2247d..c85a0664351 100644
+--- a/src/libstrongswan/networking/streams/stream_service.c
++++ b/src/libstrongswan/networking/streams/stream_service.c
+@@ -221,7 +221,7 @@ static bool watch(private_stream_service_t *this, int fd, watcher_event_t event)
+ 
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((void*)accept_async, data,
+-				(void*)destroy_async_data, (callback_job_cancel_t)return_false,
++				(void*)destroy_async_data, callback_job_cancel_thread,
+ 				this->prio));
+ 	}
+ 	else
+diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
+index cb2a0aba5b9..3ab40b947c9 100644
+--- a/src/libstrongswan/processing/jobs/callback_job.c
++++ b/src/libstrongswan/processing/jobs/callback_job.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2009-2012 Tobias Brunner
++ * Copyright (C) 2009-2025 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -131,3 +131,11 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+ 	return callback_job_create_with_prio(cb, data, cleanup, cancel,
+ 										 JOB_PRIO_MEDIUM);
+ }
++
++/*
++ * Described in header
++ */
++bool callback_job_cancel_thread(void *data)
++{
++	return FALSE;
++}
+diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
+index 0f1ae212d87..fda86887944 100644
+--- a/src/libstrongswan/processing/jobs/callback_job.h
++++ b/src/libstrongswan/processing/jobs/callback_job.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2012 Tobias Brunner
++ * Copyright (C) 2012-2025 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -62,6 +62,15 @@ typedef void (*callback_job_cleanup_t)(void *data);
+  */
+ typedef bool (*callback_job_cancel_t)(void *data);
+ 
++/**
++ * Default implementation of callback_job_cancel_t that simply returns FALSE
++ * to force cancellation of the thread by the processor.
++ *
++ * @param data			ignored argument
++ * @return				always returns FALSE
++ */
++bool callback_job_cancel_thread(void *data);
++
+ /**
+  * Class representing an callback Job.
+  *
+diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
+index c5e5dd83e70..76d98ddff51 100644
+--- a/src/libstrongswan/processing/scheduler.c
++++ b/src/libstrongswan/processing/scheduler.c
+@@ -329,7 +329,8 @@ scheduler_t * scheduler_create()
+ 	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
+ 
+ 	job = callback_job_create_with_prio((callback_job_cb_t)schedule, this,
+-										NULL, return_false, JOB_PRIO_CRITICAL);
++										NULL, callback_job_cancel_thread,
++										JOB_PRIO_CRITICAL);
+ 	lib->processor->queue_job(lib->processor, (job_t*)job);
+ 
+ 	return &this->public;
+diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
+index 1200d670959..a86ec0910d1 100644
+--- a/src/libstrongswan/processing/watcher.c
++++ b/src/libstrongswan/processing/watcher.c
+@@ -291,7 +291,7 @@ static void notify(private_watcher_t *this, entry_t *entry,
+ 
+ 	this->jobs->insert_last(this->jobs,
+ 					callback_job_create_with_prio((void*)notify_async, data,
+-						(void*)notify_end, (callback_job_cancel_t)return_false,
++						(void*)notify_end, callback_job_cancel_thread,
+ 						JOB_PRIO_CRITICAL));
+ }
+ 
+@@ -559,7 +559,7 @@ METHOD(watcher_t, add, void,
+ 
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((void*)watch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	}
+ 	else
+ 	{
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 91ee58b975f..c17d0a8873e 100644
+--- a/src/libtls/tests/suites/test_socket.c
++++ b/src/libtls/tests/suites/test_socket.c
+@@ -587,7 +587,7 @@ static void start_echo_server(echo_server_config_t *config)
+ 
+ 	lib->processor->queue_job(lib->processor, (job_t*)
+ 				callback_job_create((void*)serve_echo, config, NULL,
+-									(callback_job_cancel_t)return_false));
++									callback_job_cancel_thread));
+ }
+ 
+ /**
+---
+
+From 11978ddd39e800b5f35f721d726e8a4cb7e4ec0f Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 17:00:44 +0100
+Subject: [PATCH] Cast uses of return_*(), nop() and enumerator_create_empty()
+
+As described in the previous commit, GCC 15 uses C23 by default and that
+changes the meaning of such argument-less function declarations.  So
+whenever we assign such a function to a pointer that expects a function
+with arguments it causes an incompatible pointer type warning.  We
+could define dedicated functions/callbacks whenever necessary, but this
+seems like the simpler approach for now (especially since most uses of
+these functions have already been cast).
+---
+ src/charon-nm/nm/nm_handler.c                           | 2 +-
+ src/libcharon/encoding/payloads/encrypted_payload.c     | 2 +-
+ src/libcharon/plugins/android_dns/android_dns_handler.c | 2 +-
+ src/libcharon/plugins/ha/ha_attribute.c                 | 2 +-
+ src/libcharon/plugins/updown/updown_handler.c           | 2 +-
+ src/libstrongswan/utils/identification.c                | 6 +++---
+ 6 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
+index d7331ad72f6..39d0190ac9e 100644
+--- a/src/charon-nm/nm/nm_handler.c
++++ b/src/charon-nm/nm/nm_handler.c
+@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create()
+ 		.public = {
+ 			.handler = {
+ 				.handle = _handle,
+-				.release = nop,
++				.release = (void*)nop,
+ 				.create_attribute_enumerator = _create_attribute_enumerator,
+ 			},
+ 			.create_enumerator = _create_enumerator,
+diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
+index 676d00b7a29..4821c6108ed 100644
+--- a/src/libcharon/encoding/payloads/encrypted_payload.c
++++ b/src/libcharon/encoding/payloads/encrypted_payload.c
+@@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create()
+ 				.get_length = _frag_get_length,
+ 				.add_payload = _frag_add_payload,
+ 				.remove_payload = (void*)return_null,
+-				.generate_payloads = nop,
++				.generate_payloads = (void*)nop,
+ 				.set_transform = _frag_set_transform,
+ 				.get_transform = _frag_get_transform,
+ 				.encrypt = _frag_encrypt,
+diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
+index 78f4f702aec..14d2ff99aa3 100644
+--- a/src/libcharon/plugins/android_dns/android_dns_handler.c
++++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
+@@ -191,7 +191,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
+ 	VA_ARGS_VGET(args, type, data);
+ 	*type = INTERNAL_IP4_DNS;
+ 	*data = chunk_empty;
+-	this->venumerate = return_false;
++	this->venumerate = (void*)return_false;
+ 	return TRUE;
+ }
+ 
+diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
+index b865a4b829b..103d1a93784 100644
+--- a/src/libcharon/plugins/ha/ha_attribute.c
++++ b/src/libcharon/plugins/ha/ha_attribute.c
+@@ -381,7 +381,7 @@ ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments
+ 			.provider = {
+ 				.acquire_address = _acquire_address,
+ 				.release_address = _release_address,
+-				.create_attribute_enumerator = enumerator_create_empty,
++				.create_attribute_enumerator = (void*)enumerator_create_empty,
+ 			},
+ 			.reserve = _reserve,
+ 			.destroy = _destroy,
+diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
+index 36eb15615a4..3707e1e658c 100644
+--- a/src/libcharon/plugins/updown/updown_handler.c
++++ b/src/libcharon/plugins/updown/updown_handler.c
+@@ -220,7 +220,7 @@ updown_handler_t *updown_handler_create()
+ 			.handler = {
+ 				.handle = _handle,
+ 				.release = _release,
+-				.create_attribute_enumerator = enumerator_create_empty,
++				.create_attribute_enumerator = (void*)enumerator_create_empty,
+ 			},
+ 			.create_dns_enumerator = _create_dns_enumerator,
+ 			.destroy = _destroy,
+diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identifi
+100  5229  100  5229    0     0  26091      0 --:--:-- --:--:-- --:--:-- 26145
+cation.c
+index d31955b3806..58a05052dc1 100644
+--- a/src/libstrongswan/utils/identification.c
++++ b/src/libstrongswan/utils/identification.c
+@@ -1625,7 +1625,7 @@ static private_identification_t *identification_create(id_type_t type)
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_any;
+-			this->public.contains_wildcards = return_true;
++			this->public.contains_wildcards = (void*)return_true;
+ 			break;
+ 		case ID_FQDN:
+ 		case ID_RFC822_ADDR:
+@@ -1660,13 +1660,13 @@ static private_identification_t *identification_create(id_type_t type)
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_range;
+-			this->public.contains_wildcards = return_false;
++			this->public.contains_wildcards = (void*)return_false;
+ 			break;
+ 		default:
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_binary;
+-			this->public.contains_wildcards = return_false;
++			this->public.contains_wildcards = (void*)return_false;
+ 			break;
+ 	}
+ 	return this;

strongswan.spec

@@ -1,34 +1,81 @@
 %global _hardened_build 1
 #%%define prerelease dr1
 
+%bcond_without python3
+%bcond_without perl
+%bcond_with    check
+
+%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
+# trousers was retired for F36+ and no longer available in RHEL with 9+
+%bcond_without tss_trousers
+%else
+%bcond_with tss_trousers
+%endif
+
+%global forgeurl0 https://github.com/strongswan/strongswan
+
 Name:           strongswan
-Version:        5.8.2
-Release:        2%{?dist}
+Version:        5.9.14
+Release:        8%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
-License:        GPLv2+
-URL:            http://www.strongswan.org/
-Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
-Patch1:         strongswan-5.6.0-uintptr_t.patch
-Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
-
-# only needed for pre-release versions
-#BuildRequires:  autoconf automake
+# Automatically converted from old format: GPLv2+ - review is highly recommended.
+License:        GPL-2.0-or-later
+URL:            https://www.strongswan.org/
+VCS:            git:%{forgeurl0}
+Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
+Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
+Source3:        tmpfiles-strongswan.conf
+Patch0:         strongswan-5.6.0-uintptr_t.patch
+# https://github.com/strongswan/strongswan/issues/1198
+Patch1:         strongswan-5.9.7-error-no-format.patch
+# C23 fixes included in 6.0.1
+Patch2:         strongswan-6.0.0-gcc15.patch
+# C23 fixed merged but not yet released
+Patch3:         strongswan-6.0.1-gcc15.patch
 
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gnupg2
+BuildRequires:  libtool
+BuildRequires:  make
 BuildRequires:  gcc
+BuildRequires:  systemd
 BuildRequires:  systemd-devel
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
+%if 0%{?fedora} >= 41
+# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+BuildRequires:  openssl-devel-engine
+%endif
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
-BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
-BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
+BuildRequires:  libcap-devel
+BuildRequires:  tpm2-tss-devel
+Recommends:     tpm2-tools
+
+%if %{with python3}
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-pytest
+%endif
+
+%if %{with perl}
+BuildRequires:  perl-devel perl-generators
+BuildRequires:  perl(ExtUtils::MakeMaker)
+%endif
+
+%if %{with tss_trousers}
+BuildRequires:  trousers-devel
+%endif
 
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -49,8 +96,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
+Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
+Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -58,14 +105,14 @@ to NetworkManager.
 
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: %{name} = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-sqlite = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
+Requires: strongswan-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -76,14 +123,44 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.
 
+%if %{with python3}
+%package -n python3-vici
+Summary: Strongswan Versatile IKE Configuration Interface python bindings
+BuildArch: noarch
+%description -n python3-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) python bindings provides module
+for Strongswan runtime configuration from python applications.
+
+%endif
+
+%if %{with perl}
+%package -n perl-vici
+Summary: Strongswan Versatile IKE Configuration Interface perl bindings
+BuildArch: noarch
+%description -n perl-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) perl bindings provides module
+for Strongswan runtime configuration from perl applications.
+%endif
+
+# TODO: make also ruby-vici
+
+
 %prep
-%setup -q -n %{name}-%{version}%{?prerelease}
-%patch1 -p1
-%patch3 -p1
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -n %{name}-%{version}%{?prerelease} -p1
 
 %build
 # only for snapshots
-#autoreconf
+export ACLOCAL_PATH=/usr/share/gettext/m4:$ACLOCAL_PATH
+autoreconf -fiv
 
 # --with-ipsecdir moves internal commands to /usr/libexec/strongswan
 # --bindir moves 'pki' command to /usr/libexec/strongswan
@@ -96,9 +173,9 @@ PT-TLS to support TNC over TLS.
     --bindir=%{_libexecdir}/strongswan \
     --with-ipseclibdir=%{_libdir}/strongswan \
     --with-piddir=%{_rundir}/strongswan \
-    --with-fips-mode=2 \
+    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
     --enable-bypass-lan \
-    --enable-tss-trousers \
+    --enable-tss-tss2 \
     --enable-nm \
     --enable-systemd \
     --enable-openssl \
@@ -153,8 +230,6 @@ PT-TLS to support TNC over TLS.
     --enable-imv-attestation \
     --enable-imv-os \
     --enable-imc-os \
-    --enable-imc-swid \
-    --enable-imv-swid \
     --enable-imc-swima \
     --enable-imv-swima \
     --enable-imc-hcd \
@@ -162,24 +237,77 @@ PT-TLS to support TNC over TLS.
     --enable-curl \
     --enable-cmd \
     --enable-acert \
-    --enable-aikgen \
     --enable-vici \
     --enable-swanctl \
     --enable-duplicheck \
 %ifarch x86_64 %{ix86}
     --enable-aesni \
 %endif
-    --enable-kernel-libipsec
+%if %{with python3}
+    PYTHON=%{python3} --enable-python-eggs \
+%endif
+%if %{with perl}
+    --enable-perl-cpan \
+%endif
+%if %{with check}
+    --enable-test-vectors \
+%endif
+%if %{with tss_trousers}
+    --enable-tss-trousers \
+    --enable-aikgen \
+%endif
+    --enable-kernel-libipsec \
+    --with-capabilities=libcap \
+    CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
+# TODO: --enable-python-eggs-install not python3 ready
 
 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
-make %{?_smp_mflags}
+# ensure manual page is regenerated with local configuration
+rm -f src/ipsec/_ipsec.8
+
+%make_build
+
+pushd src/libcharon/plugins/vici
+
+%if %{with python3}
+  pushd python
+    %make_build
+    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
+    #py3_build
+  popd
+%endif
+
+%if %{with perl}
+  pushd perl/Vici-Session/
+    perl Makefile.PL INSTALLDIRS=vendor
+    %make_build
+  popd
+%endif
+
+popd
 
 %install
-make install DESTDIR=%{buildroot}
+%make_install
+
+
+pushd src/libcharon/plugins/vici
+%if %{with python3}
+  pushd python
+    # TODO: --enable-python-eggs breaks our previous build. Do it now
+    # propose better way to upstream
+    %py3_build
+    %py3_install
+  popd
+%endif
+%if %{with perl}
+  %make_install -C perl/Vici-Session
+  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
+%endif
+popd
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -198,20 +326,36 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
+
+
+%check
+%if %{with check}
+  # Seen some tests hang. Ensure we do not block builder forever
+  export TESTS_VERBOSITY=1
+  timeout 600 %make_build check
+%endif
+%if %{with python}
+  pushd src/libcharon/plugins/vici
+    %pytest
+  popd
+%endif
+:
 
 %post
-%systemd_post %{name}.service
+%systemd_post strongswan.service strongswan-starter.service
 
 %preun
-%systemd_preun %{name}.service
+%systemd_preun strongswan.service strongswan-starter.service
 
 %postun
-%systemd_postun_with_restart %{name}.service
+%systemd_postun_with_restart strongswan.service strongswan-starter.service
 
 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
@@ -240,6 +384,8 @@ install -d -m 0700 %{buildroot}%{_rundir}/strongswan
 %{_datadir}/strongswan/templates/config/
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -266,7 +412,190 @@ install -d -m 0700 %{buildroot}%{_rundir}/strongswan
 %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
+%if %{with python3}
+%files -n python3-vici
+%license COPYING
+%doc src/libcharon/plugins/vici/python/README.rst
+%{python3_sitelib}/vici
+%{python3_sitelib}/vici-%{version}-py*.egg-info
+%endif
+
+%if %{with perl}
+%license COPYING
+%files -n perl-vici
+%{perl_vendorlib}/Vici
+%endif
+
 %changelog
+* Thu Aug 14 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-9
+- Fix build issue (rhbz#2368971)
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Mon Jun 02 2025 Python Maint <python-maint@redhat.com> - 5.9.14-7
+- Rebuilt for Python 3.14
+
+* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
+- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
+
+* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
+- convert license to SPDX
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
+- Rebuilt for Python 3.13
+
+* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
+- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
+- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
+- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
+- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
+- Resolves: rhbz#2214186 strongswan-5.9.11 is available
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
+- Rebuilt for Python 3.12
+
+* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
+- Update to 5.9.10
+
+* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
+- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
+
+* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
+- Use configure paths in manual pages (#2106120)
+
+* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
+- Update to 5.9.9 (#2157850)
+
+* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
+- Add BR perl-generators to automatically generates run-time dependencies
+  for installed Perl files
+
+* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
+- Resolves rhbz#2112274 strongswan-5.9.8 is available
+- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
+- Add BuildRequire for autoconf and automake, now required for release
+- Remove obsolete patches
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
+- Resolves rhbz#2080070 strongswan-5.9.6 is available
+- Fixed missing format string in enum_flags_to_string()
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
+- Rebuilt for Python 3.11
+
+* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
+- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
+
+* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
+- Use newly published/cleaned strongswan gpg key
+
+* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
+- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
+- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
+- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
+
+* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
+- Resolves rhbz#1419441 Add python and perl vici bindings
+- Adds optional tests run
+
+* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
+- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
+- Return to using tmpfiles, but extend to cover strongswan-starter service too
+- Cleanup old patches
+
+* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
+- Resolves: rhbz#2015165 strongswan-5.9.4 is available
+- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
+- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
+- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
+- Rebuild for versioned symbols in json-c
+
+* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
+- Resolves: rhbz#1979574 strongswan-5.9.3 is available
+- Make strongswan main dir world readable so apps can find strongswan.conf
+
+* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
+- Resolves: rhbz#1896545 strongswan-5.9.2 is available
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
+- Resolves: rhbz#1896545 strongswan-5.9.1 is available
+
+* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
+- Build with with capabilities support
+- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
+- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
+
+* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
+- Resolves: rhbz#1861747 strongswan-5.9.0 is available
+- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
+  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
+- Rebuild (json-c)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
+- Updated to 5.8.4
+- Patch4 has been applied upstream
+
+* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
+- Patch to declare a global variable with extern (#1800117)
+
+* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
+- use tmpfile to ensure rundir is present
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
 * Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
 - Use /run/strongswan as rundir to support strongswans in namespaces
 

tmpfiles-strongswan.conf

@@ -0,0 +1 @@
+D /run/strongswan 0755 root root -