Support GRE key in selectors

Patch vici for NHRP
Enable ML-KEM
2025-10-11 15:26:17 +02:00 · 2025-10-11 15:26:17 +02:00 · 2025-09-25 13:57:21 -04:00 · 2025-09-24 15:44:22 -04:00 · 2025-09-11 10:58:08 -04:00 · 2025-09-11 09:55:37 -04:00
16 changed files with 3233 additions and 556 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,23 @@
-/strongswan-5.7.2.tar.bz2
-/strongswan-5.8.1.tar.bz2
-/strongswan-5.8.2.tar.bz2
+/strongswan-5.8.4.tar.bz2
+/strongswan-5.9.0.tar.bz2
+/strongswan-5.9.1.tar.bz2
+/strongswan-5.9.2.tar.bz2
+/strongswan-5.9.3.tar.bz2
+/strongswan-5.9.4.tar.bz2
+/948F158A4E76A27BF3D07532DF42C170B34DBA77
+/strongswan-5.9.5.tar.bz2
+/strongswan-5.9.5.tar.bz2.sig
+/strongswan-5.9.6.tar.bz2
+/strongswan-5.9.6.tar.bz2.sig
+/strongswan-5.9.8.tar.bz2
+/strongswan-5.9.8.tar.bz2.sig
+/strongswan-5.9.9.tar.bz2
+/strongswan-5.9.9.tar.bz2.sig
+/strongswan-5.9.10.tar.bz2
+/strongswan-5.9.10.tar.bz2.sig
+/strongswan-5.9.11.tar.bz2
+/strongswan-5.9.11.tar.bz2.sig
+/strongswan-5.9.14.tar.bz2
+/strongswan-5.9.14.tar.bz2.sig
+/strongswan-6.0.2.tar.bz2
+/strongswan-6.0.2.tar.bz2.sig
--- a/0001-charon-add-optional-source-and-remote-overrides-for-.patch
+++ b/0001-charon-add-optional-source-and-remote-overrides-for-.patch
@@ -0,0 +1,476 @@
+From 1baf500104e963e0d0d410c95e7dcec899173b77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
+Date: Tue, 9 Jul 2024 19:07:57 +0200
+Subject: [PATCH 1/4] charon: add optional source and remote overrides for
+ initiate
+
+This introduces support for specifying optional IKE SA specific
+source and remote address for child sa initiation. This allows
+to initiate wildcard connection for known address via vici.
+
+In addition this allows simpler implementation of trap-any patches
+and is a prerequisite for dmvpn support.
+---
+ src/libcharon/control/controller.c        | 34 ++++++++++++++++--
+ src/libcharon/control/controller.h        | 28 +++++++++++++++
+ src/libcharon/plugins/vici/vici_control.c | 41 +++++++++++++++++----
+ src/libcharon/sa/ike_sa_manager.c         | 34 +++++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.h         | 25 ++++++++++++-
+ src/libcharon/sa/trap_manager.c           | 44 +++++++++--------------
+ src/swanctl/commands/initiate.c           | 19 +++++++++-
+ 7 files changed, 186 insertions(+), 39 deletions(-)
+
+diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
+index 027f48e93..26501768d 100644
+--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
+@@ -1,4 +1,6 @@
+ /*
+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2011-2023 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+@@ -107,6 +109,16 @@ struct interface_listener_t {
+ 	 */
+ 	ike_sa_t *ike_sa;
+ 
+	/**
+	 * Our host hint.
+	 */
+	host_t *my_host;
+
+	/**
+	 * Other host hint.
+	 */
+	host_t *other_host;
+
+ 	/**
+ 	 * unique ID, used for various methods
+ 	 */
+@@ -417,10 +429,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+ 	ike_sa_t *ike_sa;
+ 	interface_listener_t *listener = &job->listener;
+ 	peer_cfg_t *peer_cfg = listener->peer_cfg;
+	host_t *my_host = listener->my_host;
+	host_t *other_host = listener->other_host;
+ 
+-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+-														peer_cfg);
+	ike_sa = charon->ike_sa_manager->checkout_by_config2(charon->ike_sa_manager,
+														peer_cfg, my_host, other_host);
+ 	peer_cfg->destroy(peer_cfg);
+
+	if (my_host) my_host->destroy(my_host);
+	if (other_host) other_host->destroy(other_host);
+
+ 	if (!ike_sa)
+ 	{
+ 		DESTROY_IF(listener->child_cfg);
+@@ -501,6 +519,15 @@ METHOD(controller_t, initiate, status_t,
+ 	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ 	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
+ 	bool limits)
+{
+	return this->public.initiate2(this, peer_cfg, child_cfg, NULL, NULL, callback, param, max_level, timeout, limits);
+}
+
+METHOD(controller_t, initiate2, status_t,
+	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+	host_t *my_host, host_t *other_host,
+	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
+	bool limits)
+ {
+ 	interface_job_t *job;
+ 	status_t status;
+@@ -523,6 +550,8 @@ METHOD(controller_t, initiate, status_t,
+ 			.status = FAILED,
+ 			.child_cfg = child_cfg,
+ 			.peer_cfg = peer_cfg,
+			.my_host = my_host ? my_host->clone(my_host) : NULL,
+			.other_host = other_host ? other_host->clone(other_host) : NULL,
+ 			.lock = spinlock_create(),
+ 			.options.limits = limits,
+ 		},
+@@ -770,6 +799,7 @@ controller_t *controller_create(void)
+ 		.public = {
+ 			.create_ike_sa_enumerator = _create_ike_sa_enumerator,
+ 			.initiate = _initiate,
+			.initiate2 = _initiate2,
+ 			.terminate_ike = _terminate_ike,
+ 			.terminate_child = _terminate_child,
+ 			.destroy = _destroy,
+diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
+index 36a1d4631..f5c60e2e7 100644
+--- a/src/libcharon/control/controller.h
+++ b/src/libcharon/control/controller.h
+@@ -98,6 +98,34 @@ struct controller_t {
+ 						 controller_cb_t callback, void *param,
+ 						 level_t max_level, u_int timeout, bool limits);
+ 
+	/**
+	 * Initiate a CHILD_SA, and if required, an IKE_SA.
+	 *
+	 * If a callback is provided the function is synchronous and thus blocks
+	 * until the IKE_SA is established or failed.
+	 *
+	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
+	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
+	 * @param my_host		optional address hint for source
+	 * @param other_host		optional address hint for destination
+	 * @param cb			logging callback
+	 * @param param			parameter to include in each call of cb
+	 * @param max_level		maximum log level for which cb is invoked
+	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
+	 * @param limits		whether to check limits regarding IKE_SA initiation
+	 * @return
+	 *						- SUCCESS, if CHILD_SA established
+	 *						- FAILED, if setup failed
+	 *						- NEED_MORE, if callback returned FALSE
+	 *						- OUT_OF_RES if timed out
+	 *						- INVALID_STATE if limits prevented initiation
+	 */
+	status_t (*initiate2)(controller_t *this,
+						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+						 host_t *my_host, host_t *other_host,
+						 controller_cb_t callback, void *param,
+						 level_t max_level, u_int timeout, bool limits);
+
+ 	/**
+ 	 * Terminate an IKE_SA and all of its CHILD_SAs.
+ 	 *
+diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
+index 1c236d249..932d0cb5a 100644
+--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
+@@ -1,4 +1,6 @@
+ /*
+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2015-2017 Tobias Brunner
+  * Copyright (C) 2014 Martin Willi
+  *
+@@ -173,9 +175,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
+ CALLBACK(initiate, vici_message_t*,
+ 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+ {
+	vici_message_t* msg;
+ 	peer_cfg_t *peer_cfg = NULL;
+ 	child_cfg_t *child_cfg;
+ 	char *child, *ike, *type, *sa;
+	host_t *my_host = NULL, *other_host = NULL;
+	char *my_host_str, *other_host_str;
+ 	int timeout;
+ 	bool limits;
+ 	controller_cb_t log_cb = NULL;
+@@ -189,6 +194,8 @@ CALLBACK(initiate, vici_message_t*,
+ 	timeout = request->get_int(request, 0, "timeout");
+ 	limits = request->get_bool(request, FALSE, "init-limits");
+ 	log.level = request->get_int(request, 1, "loglevel");
+	my_host_str = request->get_str(request, NULL, "my-host");
+	other_host_str = request->get_str(request, NULL, "other-host");
+ 
+ 	if (!child && !ike)
+ 	{
+@@ -202,28 +209,48 @@ CALLBACK(initiate, vici_message_t*,
+ 	type = child ? "CHILD_SA" : "IKE_SA";
+ 	sa = child ?: ike;
+ 
+	if (my_host_str)
+	{
+		my_host = host_create_from_string(my_host_str, 0);
+	}
+	if (other_host_str)
+	{
+		other_host = host_create_from_string(other_host_str, 0);
+	}
+
+	DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits);
+
+ 	child_cfg = find_child_cfg(child, ike, &peer_cfg);
+ 
+-	DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
+ 	if (!peer_cfg)
+ 	{
+-		return send_reply(this, "%s config '%s' not found", type, sa);
+		msg = send_reply(this, "%s config '%s' not found", type, sa);
+		goto ret;
+ 	}
+-	switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+	switch (charon->controller->initiate2(charon->controller, peer_cfg, child_cfg,
+										 my_host, other_host,
+ 										 log_cb, &log, log.level, timeout, limits))
+ 	{
+ 		case SUCCESS:
+-			return send_reply(this, NULL);
+			msg = send_reply(this, NULL);
+			break;
+ 		case OUT_OF_RES:
+-			return send_reply(this, "%s '%s' not established after %dms", type,
+			msg = send_reply(this, "%s '%s' not established after %dms", type,
+ 							  sa, timeout);
+			break;
+ 		case INVALID_STATE:
+-			return send_reply(this, "establishing %s '%s' not possible at the "
+			msg = send_reply(this, "establishing %s '%s' not possible at the "
+ 							  "moment due to limits", type, sa);
+			break;
+ 		case FAILED:
+ 		default:
+-			return send_reply(this, "establishing %s '%s' failed", type, sa);
+			msg = send_reply(this, "establishing %s '%s' failed", type, sa);
+			break;
+ 	}
+ret:
+	if (my_host) my_host->destroy(my_host);
+	if (other_host) other_host->destroy(other_host);
+	return msg;
+ }
+ 
+ /**
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index 7763ae844..59852f253 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1,4 +1,6 @@
+ /*
+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2008-2022 Tobias Brunner
+  * Copyright (C) 2005-2011 Martin Willi
+  * Copyright (C) 2005 Jan Hutter
+@@ -1499,6 +1501,13 @@ typedef struct {
+ 
+ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
+{
+	return this->public.checkout_by_config2(this, peer_cfg, NULL, NULL);
+}
+
+METHOD(ike_sa_manager_t, checkout_by_config2, ike_sa_t*,
+	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg,
+	host_t *my_host, host_t *other_host)
+ {
+ 	enumerator_t *enumerator;
+ 	entry_t *entry;
+@@ -1509,7 +1518,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 	u_int segment;
+ 	int i;
+ 
+-	DBG2(DBG_MGR, "checkout IKE_SA by config");
+	if (my_host && my_host->get_port(my_host) == 0)
+	{
+		my_host->set_port(my_host, IKEV2_UDP_PORT);
+	}
+	if (other_host && other_host->get_port(other_host) == 0)
+	{
+		other_host->set_port(other_host, IKEV2_UDP_PORT);
+	}
+	DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
+		peer_cfg->get_name(peer_cfg), my_host, other_host);
+ 
+ 	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+ 	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
+@@ -1567,6 +1585,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 			continue;
+ 		}
+ 
+		if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
+		{
+			continue;
+		}
+		if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
+		{
+			continue;
+		}
+
+ 		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+ 		if (current_peer && current_peer->equals(current_peer, peer_cfg))
+ 		{
+@@ -1593,6 +1620,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 		{
+ 			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+ 			checkout_new(this, ike_sa);
+			if (my_host || other_host)
+			{
+				ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
+			}
+ 		}
+ 	}
+ 	charon->bus->set_sa(charon->bus, ike_sa);
+@@ -2558,6 +2589,7 @@ ike_sa_manager_t *ike_sa_manager_create()
+ 			.checkout = _checkout,
+ 			.checkout_by_message = _checkout_by_message,
+ 			.checkout_by_config = _checkout_by_config,
+			.checkout_by_config2 = _checkout_by_config,
+ 			.checkout_by_id = _checkout_by_id,
+ 			.checkout_by_name = _checkout_by_name,
+ 			.new_initiator_spi = _new_initiator_spi,
+diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
+index 004cc2216..d001f5a80 100644
+--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
+@@ -123,7 +123,8 @@ struct ike_sa_manager_t {
+ 	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
+ 
+ 	/**
+-	 * Checkout an IKE_SA for initiation by a peer_config.
+	 * Checkout an IKE_SA for initiation by a peer_config and optional
+	 * source and remote host addresses.
+ 	 *
+ 	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
+ 	 * This call checks for an existing IKE_SA by comparing the configuration.
+@@ -140,6 +141,28 @@ struct ike_sa_manager_t {
+ 	 */
+ 	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
+ 
+	/**
+	 * Checkout an IKE_SA for initiation by a peer_config and optional
+	 * source and remote host addresses.
+	 *
+	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
+	 * This call checks for an existing IKE_SA by comparing the configuration.
+	 * If the CHILD_SA can be created in an existing IKE_SA, the matching SA
+	 * is returned.
+	 * If no IKE_SA is found, a new one is created and registered in the
+	 * manager. This is also the case when the found IKE_SA is in an unusable
+	 * state (e.g. DELETING).
+	 *
+	 * @note The peer_config is always set on the returned IKE_SA.
+	 *
+	 * @param peer_cfg			configuration used to find an existing IKE_SA
+	 * @param my_host			source host address for wildcard peer_cfg
+	 * @param other_host		remote host address for wildcard peer_cfg
+	 * @return					checked out/created IKE_SA
+	 */
+	ike_sa_t *(*checkout_by_config2)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
+									 host_t *my_host, host_t *other_host);
+
+ 	/**
+ 	 * Reset initiator SPI.
+ 	 *
+diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
+index 1b85c66a5..bbc480c0c 100644
+--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
+@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
+ 	peer_cfg_t *peer;
+ 	child_cfg_t *child;
+ 	ike_sa_t *ike_sa;
+-	host_t *host;
+	host_t *host, *my_host = NULL, *other_host = NULL;
+ 	uint32_t allocated_reqid;
+ 	bool wildcard, ignore = FALSE;
+ 
+@@ -603,36 +603,26 @@ METHOD(trap_manager_t, acquire, void,
+ 	this->lock->unlock(this->lock);
+ 
+ 	if (wildcard)
+-	{	/* the peer config would match IKE_SAs with other peers */
+-		ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
+-											peer->get_ike_version(peer), TRUE);
+-		if (ike_sa)
+-		{
+-			ike_cfg_t *ike_cfg;
+-			uint16_t port;
+-			uint8_t mask;
+-
+-			ike_sa->set_peer_cfg(ike_sa, peer);
+-			ike_cfg = ike_sa->get_ike_cfg(ike_sa);
+	{
+		ike_cfg_t *ike_cfg;
+		uint16_t port;
+		uint8_t mask;
+ 
+-			port = ike_cfg->get_other_port(ike_cfg);
+-			data->dst->to_subnet(data->dst, &host, &mask);
+-			host->set_port(host, port);
+-			ike_sa->set_other_host(ike_sa, host);
+		ike_cfg = peer->get_ike_cfg(peer);
+ 
+-			port = ike_cfg->get_my_port(ike_cfg);
+-			data->src->to_subnet(data->src, &host, &mask);
+-			host->set_port(host, port);
+-			ike_sa->set_my_host(ike_sa, host);
+		port = ike_cfg->get_other_port(ike_cfg);
+		data->dst->to_subnet(data->dst, &other_host, &mask);
+		other_host->set_port(other_host, port);
+ 
+-			charon->bus->set_sa(charon->bus, ike_sa);
+-		}
+-	}
+-	else
+-	{
+-		ike_sa = charon->ike_sa_manager->checkout_by_config(
+-											charon->ike_sa_manager, peer);
+		port = ike_cfg->get_my_port(ike_cfg);
+		data->src->to_subnet(data->src, &my_host, &mask);
+		my_host->set_port(my_host, port);
+ 	}
+	ike_sa = charon->ike_sa_manager->checkout_by_config2(
+											charon->ike_sa_manager, peer,
+											my_host, other_host);
+	if (my_host) my_host->destroy(my_host);
+	if (other_host) other_host->destroy(other_host);
+ 	peer->destroy(peer);
+ 
+ 	if (ike_sa)
+diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
+index e0fffb907..c0fc8c595 100644
+--- a/src/swanctl/commands/initiate.c
+++ b/src/swanctl/commands/initiate.c
+@@ -1,4 +1,5 @@
+ /*
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2014 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -38,7 +39,7 @@ static int initiate(vici_conn_t *conn)
+ 	vici_req_t *req;
+ 	vici_res_t *res;
+ 	command_format_options_t format = COMMAND_FORMAT_NONE;
+-	char *arg, *child = NULL, *ike = NULL;
+	char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
+ 	int ret = 0, timeout = 0, level = 1;
+ 
+ 	while (TRUE)
+@@ -65,6 +66,12 @@ static int initiate(vici_conn_t *conn)
+ 			case 'l':
+ 				level = atoi(arg);
+ 				continue;
+			case 'S':
+				my_host = arg;
+				continue;
+			case 'R':
+				other_host = arg;
+				continue;
+ 			case EOF:
+ 				break;
+ 			default:
+@@ -88,6 +95,14 @@ static int initiate(vici_conn_t *conn)
+ 	{
+ 		vici_add_key_valuef(req, "ike", "%s", ike);
+ 	}
+	if (my_host)
+	{
+		vici_add_key_valuef(req, "my-host", "%s", my_host);
+	}
+	if (other_host)
+	{
+		vici_add_key_valuef(req, "other-host", "%s", other_host);
+	}
+ 	if (timeout)
+ 	{
+ 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
+@@ -134,6 +149,8 @@ static void __attribute__ ((constructor))reg()
+ 			{"help",		'h', 0, "show usage information"},
+ 			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
+ 			{"ike",			'i', 1, "initiate an IKE_SA, or name of child's parent"},
+			{"source",		'S', 1, "override source address"},
+			{"remote",		'R', 1, "override remote address"},
+ 			{"timeout",		't', 1, "timeout in seconds before detaching"},
+ 			{"raw",			'r', 0, "dump raw response message"},
+ 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+-- 
+2.45.2
+
--- a/0002-vici-send-certificates-for-ike-sa-events.patch
+++ b/0002-vici-send-certificates-for-ike-sa-events.patch
@@ -0,0 +1,140 @@
+From ea77f7d906d5e7bbe44ba6e912dd386f25414492 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:05 +0300
+Subject: [PATCH 2/4] vici: send certificates for ike-sa events
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++----
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
+index bacb7b101..19acc0789 100644
+--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
+@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+  * List details of an IKE_SA
+  */
+ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+-					 ike_sa_t *ike_sa, time_t now)
+					 ike_sa_t *ike_sa, time_t now, bool add_certs)
+ {
+ 	time_t t;
+ 	ike_sa_id_t *id;
+@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+ 	uint32_t if_id;
+ 	uint16_t alg, ks;
+ 	host_t *host;
+	auth_cfg_t *auth_cfg;
+	enumerator_t *enumerator;
+ 
+ 	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
+ 	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
+@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+ 	b->add_kv(b, "local-host", "%H", host);
+ 	b->add_kv(b, "local-port", "%d", host->get_port(host));
+ 	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
+	if (add_certs)
+	{
+		enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, TRUE);
+		if (enumerator->enumerate(enumerator, &auth_cfg))
+		{
+			certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
+			chunk_t encoding;
+
+			if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+			{
+				b->add(b, VICI_KEY_VALUE, "local-cert-data", encoding);
+				free(encoding.ptr);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+ 
+ 	host = ike_sa->get_other_host(ike_sa);
+ 	b->add_kv(b, "remote-host", "%H", host);
+ 	b->add_kv(b, "remote-port", "%d", host->get_port(host));
+ 	b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa));
+	if (add_certs)
+	{
+		enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+		if (enumerator->enumerate(enumerator, &auth_cfg))
+		{
+			certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
+			chunk_t encoding;
+
+			if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+			{
+				b->add(b, VICI_KEY_VALUE, "remote-cert-data", encoding);
+				free(encoding.ptr);
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+ 
+ 	eap = ike_sa->get_other_eap_id(ike_sa);
+ 
+@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
+ 		b = vici_builder_create();
+ 		b->begin_section(b, ike_sa->get_name(ike_sa));
+ 
+-		list_ike(this, b, ike_sa, now);
+		list_ike(this, b, ike_sa, now, TRUE);
+ 
+ 		b->begin_section(b, "child-sas");
+ 		csas = ike_sa->create_child_sa_enumerator(ike_sa);
+@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
+ 	}
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
+	list_ike(this, b, ike_sa, now, up);
+ 	b->end_section(b);
+ 
+ 	this->dispatcher->raise_event(this->dispatcher,
+@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
+ 	b = vici_builder_create();
+ 	b->begin_section(b, old->get_name(old));
+ 	b->begin_section(b, "old");
+-	list_ike(this, b, old, now);
+	list_ike(this, b, old, now, TRUE);
+ 	b->end_section(b);
+ 	b->begin_section(b, "new");
+-	list_ike(this, b, new, now);
+	list_ike(this, b, new, now, TRUE);
+ 	b->end_section(b);
+ 	b->end_section(b);
+ 
+@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
+ 	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
+	list_ike(this, b, ike_sa, now, TRUE);
+ 	b->end_section(b);
+ 
+ 	this->dispatcher->raise_event(this->dispatcher,
+@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
+ 	}
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
+	list_ike(this, b, ike_sa, now, up);
+ 	b->begin_section(b, "child-sas");
+ 
+ 	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
+@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
+ 	b = vici_builder_create();
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
+	list_ike(this, b, ike_sa, now, TRUE);
+ 	b->begin_section(b, "child-sas");
+ 
+ 	b->begin_section(b, old->get_name(old));
+-- 
+2.45.2
+
--- a/0003-vici-add-support-for-individual-sa-state-changes.patch
+++ b/0003-vici-add-support-for-individual-sa-state-changes.patch
@@ -0,0 +1,160 @@
+From 3f4e26a2163bf30481887795f9faad208bfc1be0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:11 +0300
+Subject: [PATCH 3/4] vici: add support for individual sa state changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Useful for monitoring and tracking full SA.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ src/libcharon/plugins/vici/vici_query.c | 106 ++++++++++++++++++++++++
+ 1 file changed, 106 insertions(+)
+
+diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
+index 19acc0789..fa1aca953 100644
+--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
+@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+ 	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
+	this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
+	this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
+	this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg);
+	this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg);
+	this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg);
+	this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg);
+	this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg);
+	this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg);
+ 	manage_command(this, "list-sas", list_sas, reg);
+ 	manage_command(this, "list-policies", list_policies, reg);
+ 	manage_command(this, "list-conns", list_conns, reg);
+@@ -1876,6 +1884,46 @@ METHOD(listener_t, ike_update, bool,
+ 	return TRUE;
+ }
+ 
+
+METHOD(listener_t, ike_state_change, bool,
+	private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
+{
+	char *event;
+	vici_builder_t *b;
+	time_t now;
+
+	switch (state)
+	{
+	case IKE_ESTABLISHED:
+		event = "ike-state-established";
+		break;
+	case IKE_DESTROYING:
+		event = "ike-state-destroying";
+		break;
+	default:
+		return TRUE;
+	}
+
+	if (!this->dispatcher->has_event_listeners(this->dispatcher, event))
+	{
+		return TRUE;
+	}
+
+	now = time_monotonic(NULL);
+
+	b = vici_builder_create();
+	b->begin_section(b, ike_sa->get_name(ike_sa));
+	list_ike(this, b, ike_sa, now, state != IKE_DESTROYING);
+	b->begin_section(b, "child-sas");
+	b->end_section(b);
+	b->end_section(b);
+
+	this->dispatcher->raise_event(this->dispatcher,
+								  event, 0, b->finalize(b));
+
+	return TRUE;
+}
+
+ METHOD(listener_t, child_updown, bool,
+ 	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
+ {
+@@ -1955,6 +2003,62 @@ METHOD(listener_t, child_rekey, bool,
+ 	return TRUE;
+ }
+ 
+METHOD(listener_t, child_state_change, bool,
+	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
+{
+	char *event;
+	vici_builder_t *b;
+	time_t now;
+
+	switch (state)
+	{
+	case CHILD_INSTALLING:
+		event = "child-state-installing";
+		break;
+	case CHILD_INSTALLED:
+		event = "child-state-installed";
+		break;
+	case CHILD_UPDATING:
+		event = "child-state-updating";
+		break;
+	case CHILD_REKEYING:
+		event = "child-state-rekeying";
+		break;
+	case CHILD_REKEYED:
+		event = "child-state-rekeyed";
+		break;
+	case CHILD_DESTROYING:
+		event = "child-state-destroying";
+		break;
+	default:
+		return TRUE;
+	}
+
+	if (!this->dispatcher->has_event_listeners(this->dispatcher, event))
+	{
+		return TRUE;
+	}
+
+	now = time_monotonic(NULL);
+
+	b = vici_builder_create();
+	b->begin_section(b, ike_sa->get_name(ike_sa));
+	list_ike(this, b, ike_sa, now, state != CHILD_DESTROYING);
+	b->begin_section(b, "child-sas");
+
+	b->begin_section(b, child_sa->get_name(child_sa));
+	list_child(this, b, child_sa, now);
+	b->end_section(b);
+
+	b->end_section(b);
+	b->end_section(b);
+
+	this->dispatcher->raise_event(this->dispatcher,
+								  event, 0, b->finalize(b));
+
+	return TRUE;
+}
+
+ METHOD(vici_query_t, destroy, void,
+ 	private_vici_query_t *this)
+ {
+@@ -1975,8 +2079,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+ 				.ike_updown = _ike_updown,
+ 				.ike_rekey = _ike_rekey,
+ 				.ike_update = _ike_update,
+				.ike_state_change = _ike_state_change,
+ 				.child_updown = _child_updown,
+ 				.child_rekey = _child_rekey,
+				.child_state_change = _child_state_change,
+ 			},
+ 			.destroy = _destroy,
+ 		},
+-- 
+2.45.2
+
--- a/0004-Support-GRE-key-in-selectors.patch
+++ b/0004-Support-GRE-key-in-selectors.patch
@@ -0,0 +1,292 @@
+From 0ceda5a95355bb803cbcdf3eeabbcb6ec2577922 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 21 Jan 2024 03:11:32 +0100
+Subject: [PATCH 4/4] Support GRE key in selectors.
+
+---
+ .../kernel_netlink/kernel_netlink_ipsec.c     | 20 ++++++++++++
+ .../plugins/load_tester/load_tester_config.c  | 22 ++++++++++++-
+ src/libcharon/plugins/stroke/stroke_config.c  | 22 ++++++++++++-
+ src/libcharon/plugins/vici/vici_config.c      | 32 ++++++++++++++++++-
+ .../selectors/traffic_selector.c              | 20 ++++++++++++
+ .../selectors/traffic_selector.h              | 12 +++++++
+ src/starter/confread.c                        | 24 +++++++++++++-
+ src/swanctl/swanctl.opt                       |  3 ++
+ 8 files changed, 151 insertions(+), 4 deletions(-)
+
+diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index db0b2ac37..e4e7d9ecb 100644
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -864,6 +864,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ {
+ 	struct xfrm_selector sel;
+ 	uint16_t port;
+	uint32_t gre_key;
+ 
+ 	memset(&sel, 0, sizeof(sel));
+ 	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+@@ -884,6 +885,25 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ 		sel.dport = htons(traffic_selector_icmp_code(port));
+ 		sel.dport_mask = sel.dport ? ~0 : 0;
+ 	}
+	if (sel.proto == IPPROTO_GRE)
+	{
+		/* the kernel expects the GRE key in the source and destination
+		 * port fields, respectively. */
+		gre_key = htons(traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
+		if ( gre_key != 0 )
+		{
+			DBG2(DBG_KNL, "Policy GRE key: %d (%d-%d) %d", gre_key, dst->get_from_port(dst), dst->get_to_port(dst), traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
+			sel.sport = gre_key >> 16;
+			sel.sport_mask = ~0;
+			sel.dport = gre_key & 0xffff;
+			sel.dport_mask = ~0;
+		} else {
+			sel.sport = 0;
+			sel.sport_mask = 0;
+			sel.dport = 0;
+			sel.dport_mask = 0;
+		}
+	}
+ 	sel.ifindex = interface ? if_nametoindex(interface) : 0;
+ 	sel.user = 0;
+ 
+diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
+index 58e1cd98a..ac67875d8 100644
+--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
+@@ -498,7 +498,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 			*protocol = (uint8_t)p;
+ 		}
+ 	}
+-	if (streq(port, "%any"))
+	if (*protocol == IPPROTO_GRE)
+	{
+		if (*port && !streq(port, "%any"))
+		{
+			p = strtol(port, &endptr, 0);
+			if (p < 0 || p > 0xffffffff)
+			{
+				return FALSE;
+			}
+			end->from_port = (p >> 16) & 0xffff;
+			end->to_port = p & 0xffff;
+			if (*endptr)
+			{
+				return FALSE;
+			}
+		} else {
+			end->from_port = 0;
+			end->to_port = 0;
+		}
+	}
+	else if (streq(port, "%any"))
+ 	{
+ 		*from_port = 0;
+ 		*to_port = 0xffff;
+diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
+index 55db379ff..b4340b8d1 100644
+--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
+@@ -927,7 +927,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 			*protocol = (uint8_t)p;
+ 		}
+ 	}
+-	if (streq(port, "%any"))
+	if (*protocol == IPPROTO_GRE)
+	{
+		if (*port && !streq(port, "%any"))
+		{
+			p = strtol(port, &endptr, 0);
+			if (p < 0 || p > 0xffffffff)
+			{
+				return FALSE;
+			}
+			*from_port = (p >> 16) & 0xffff;
+			*to_port = p & 0xffff;
+			if (*endptr)
+				return FALSE;
+		}
+		else
+		{
+			*from_port = 0;
+			*to_port = 0;
+		}
+	}
+	else if (streq(port, "%any"))
+ 	{
+ 		*from_port = 0;
+ 		*to_port = 0xffff;
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index c858e9945..c72c97f76 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -715,7 +715,31 @@ CALLBACK(parse_ts, bool,
+ 				proto = (uint8_t)p;
+ 			}
+ 		}
+-		if (streq(port, "opaque"))
+		if (proto == IPPROTO_GRE)
+		{
+			if (*port && !streq(port, "any"))
+			{
+				DBG2(DBG_CFG, "   GRE key %s", port);
+				p = strtol(port, &end, 0);
+				if (p < 0 || p > 0xffffffff)
+				{
+					DBG2(DBG_CFG, "   Invalid GRE key %s", port);
+					return FALSE;
+				}
+				from = (p >> 16) & 0xffff;
+				to = p & 0xffff;
+				DBG2(DBG_CFG, "   Parsed GRE key %d-%d(%d)", from, to, p);
+				if (*end)
+				{
+					DBG2(DBG_CFG, "   Invalid GRE key %s", port);
+					return FALSE;
+				}
+			} else {
+				from = 0;
+				to = 0;
+			}
+		}
+		else if (streq(port, "opaque"))
+ 		{
+ 			from = 0xffff;
+ 			to = 0;
+@@ -752,8 +776,14 @@ CALLBACK(parse_ts, bool,
+ 			}
+ 		}
+ 	}
+	else if (proto == IPPROTO_GRE)
+	{
+		from = 0;
+		to = 0;
+	}
+ 	if (streq(buf, "dynamic"))
+ 	{
+		DBG2(DBG_CFG, "   Create dynamic selector GRE key proto=%d, from_port=%d, to_port=%d", proto, from, to);
+ 		ts = traffic_selector_create_dynamic(proto, from, to);
+ 	}
+ 	else if (strchr(buf, '-'))
+diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
+index fe61e3768..09757ec36 100644
+--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
+@@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
+ 	return print_in_hook(data, "%d", type);
+ }
+ 
+/**
+ * Print GRE key
+ */
+static int print_gre(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
+{
+	uint32_t gre_key;
+
+	gre_key = traffic_selector_gre_key(from_port, to_port);
+
+	return print_in_hook(data, "%d", gre_key);
+}
+
+ /**
+  * Described in header.
+  */
+@@ -319,6 +331,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 			{
+ 				written += print_icmp(data, this->from_port);
+ 			}
+			else if (this->protocol == IPPROTO_GRE)
+			{
+				written += print_gre(data, this->from_port, this->to_port);
+			}
+ 			else
+ 			{
+ 				serv = getservbyport(htons(this->from_port), serv_proto);
+@@ -332,6 +348,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 				}
+ 			}
+ 		}
+		else if (this->protocol == IPPROTO_GRE)
+		{
+			written += print_gre(data, this->from_port, this->to_port);
+		}
+ 		else if (is_opaque(this))
+ 		{
+ 			written += print_in_hook(data, "OPAQUE");
+diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
+index 367b4fff9..b7010e4a7 100644
+--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
+@@ -272,6 +272,18 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
+ 	return port & 0xff;
+ }
+ 
+/**
+ * Extract the GRE key from a source and destination port in host order
+ *
+ * @param from_port		port number in host order
+ * @param to_port		port number in host order
+ * @return				GRE key
+ */
+static inline uint8_t traffic_selector_gre_key(uint16_t from_port, uint16_t to_port)
+{
+	return (from_port & 0xffff) << 16 | (to_port & 0xffff);
+}
+
+ /**
+  * Compare two traffic selectors, usable as sort function
+  *
+diff --git a/src/starter/confread.c b/src/starter/confread.c
+index 5065bc369..039b6f402 100644
+--- a/src/starter/confread.c
+++ b/src/starter/confread.c
+@@ -325,7 +325,29 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
+ 					end->protocol = (uint8_t)p;
+ 				}
+ 			}
+-			if (streq(port, "%any"))
+			if (end->protocol == IPPROTO_GRE)
+			{
+				if (*port && !streq(port, "%any"))
+				{
+					p = strtol(port, &endptr, 0);
+					if (p < 0 || p > 0xffffffff)
+					{
+						DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
+						goto err;
+					}
+					end->from_port = (p >> 16) & 0xffff;
+					end->to_port = p & 0xffff;
+					if (*endptr)
+					{
+						DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
+						goto err;
+					}
+				} else {
+					end->from_port = 0;
+					end->to_port = 0;
+				}
+			}
+			else if (streq(port, "%any"))
+ 			{
+ 				end->from_port = 0;
+ 				end->to_port = 0xffff;
+diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
+index d9fd949ed..1d63dadb8 100644
+--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
+@@ -765,6 +765,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
+ 	value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
+ 	as well, none of the kernel backends currently support port ranges, though.
+ 
+	If protocol is restricted to GRE, port restriction specifies GRE key
+	in 32 bit numeric form eg. dynamic[gre/100].
+
+ 	When IKEv1 is used only the first selector is interpreted, except if
+ 	the Cisco Unity extension plugin is used. This is due to a limitation of the
+ 	IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
+-- 
+2.45.2
+
--- a/48
+++ b/48
@@ -0,0 +1,48 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
+ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
+C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
+hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
+SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
+Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
+iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
+oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
+pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
+ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
+AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
+GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
+wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
+1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
+thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
+fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
+/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
+MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
+iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
+KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
+8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
+wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
+IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
+R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
+pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
+56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
+w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
+Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
+xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
+jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
+lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
+lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
+ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
+TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
+M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
+GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
+kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
+W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
+MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
+Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
+M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
+u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
+CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
+b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
+=ze82
+-----END PGP PUBLIC KEY BLOCK-----
--- a/659
+++ b/659
@@ -0,0 +1,659 @@
+* Mon Aug 25 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-12
+- Fix ipsec.d cacerts removing system ca
+
+* Fri Aug 22 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-11
+- Link new system ca bundle in the ipsec.d cacerts
+
+* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 5.9.14-10
+- Rebuilt for Python 3.14.0rc2 bytecode
+
+* Thu Aug 14 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-9
+- Fix build issue (rhbz#2368971)
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Mon Jun 02 2025 Python Maint <python-maint@redhat.com> - 5.9.14-7
+- Rebuilt for Python 3.14
+
+* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
+- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
+
+* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
+- convert license to SPDX
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
+- Rebuilt for Python 3.13
+
+* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
+- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
+- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
+- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
+- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
+- Resolves: rhbz#2214186 strongswan-5.9.11 is available
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
+- Rebuilt for Python 3.12
+
+* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
+- Update to 5.9.10
+
+* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
+- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
+
+* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
+- Use configure paths in manual pages (#2106120)
+
+* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
+- Update to 5.9.9 (#2157850)
+
+* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
+- Add BR perl-generators to automatically generates run-time dependencies
+  for installed Perl files
+
+* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
+- Resolves rhbz#2112274 strongswan-5.9.8 is available
+- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
+- Add BuildRequire for autoconf and automake, now required for release
+- Remove obsolete patches
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
+- Resolves rhbz#2080070 strongswan-5.9.6 is available
+- Fixed missing format string in enum_flags_to_string()
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
+- Rebuilt for Python 3.11
+
+* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
+- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
+
+* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
+- Use newly published/cleaned strongswan gpg key
+
+* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
+- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
+- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
+- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
+
+* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
+- Resolves rhbz#1419441 Add python and perl vici bindings
+- Adds optional tests run
+
+* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
+- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
+- Return to using tmpfiles, but extend to cover strongswan-starter service too
+- Cleanup old patches
+
+* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
+- Resolves: rhbz#2015165 strongswan-5.9.4 is available
+- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
+- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
+- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
+- Rebuild for versioned symbols in json-c
+
+* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
+- Resolves: rhbz#1979574 strongswan-5.9.3 is available
+- Make strongswan main dir world readable so apps can find strongswan.conf
+
+* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
+- Resolves: rhbz#1896545 strongswan-5.9.2 is available
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
+- Resolves: rhbz#1896545 strongswan-5.9.1 is available
+
+* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
+- Build with with capabilities support
+- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
+- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
+
+* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
+- Resolves: rhbz#1861747 strongswan-5.9.0 is available
+- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
+  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
+- Rebuild (json-c)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
+- Updated to 5.8.4
+- Patch4 has been applied upstream
+
+* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
+- Patch to declare a global variable with extern (#1800117)
+
+* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
+- use tmpfile to ensure rundir is present
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
+- Use /run/strongswan as rundir to support strongswans in namespaces
+
+* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
+- Update to 5.8.2 (#1784457)
+- The D-Bus config file moved under datadir
+
+* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
+- Update to 5.8.1 (#1711920)
+- No more separate strongswan-swanctl.service to start out of order (#1775548)
+- Added strongswan-starter.service
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
+- Updated to 5.7.2
+
+* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
+- Updated to 5.7.1
+- Resolves rhbz#1635872 CVE-2018-16152
+- Resolves rhbz#1635875 CVE-2018-16151
+
+* Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
+- Add plugin bypass-lan, disabled by default
+- Resolves rhbz#1554479 Update to strongswan-charon-nm fails
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue May 29 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-1
+- New version 5.6.3
+
+* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-6
+- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c
+
+* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-5
+- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server
+- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin
+
+* Sun May 20 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.2-3
+- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package
+  sqlite (#1579945)
+
+* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 5.6.2-2
+- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
+
+* Wed Feb 21 2018 Lubomir Rintel <lkundrak@v3.sk> - 5.6.2-1
+- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Dec 22 2017 Paul Wouters <pwouters@redhat.com> - 5.6.1-1
+- Updated to 5.6.1 (RSA-PSS support)
+
+* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 5.6.0-3
+- Rebuilt for libjson-c.so.3
+
+* Fri Dec 01 2017 Lubomir Rintel <lkundrak@v3.sk> - 5.6.0-2
+- Fix the placement of charon-nm D-Bus policy
+
+* Sat Sep 09 2017 Paul Wouters <pwouters@redhat.com> - 5.6.0-1
+- Updated to 5.6.0
+- Fixup configure arguments, enabled a bunch of new features
+- Added new BuildRequires:
+- Fixup Obsolete/Conflicts, use license macro
+- Don't require autoconf/autotools for non-snapshots
+- Remove macro overuse, remove fedora/rhel checks and sysvinit support
+- Make listings/grouping of all plugins/libs to reduce file listing
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 12 2017 Paul Wouters <pwouters@redhat.com> - 5.5.3-1
+- Updated to 5.5.3
+
+* Sat May 27 2017 Paul Wouters <pwouters@redhat.com> - 5.5.2-1
+- Updated to 5.5.2
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Sep 15 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-2
+- Resolves: #1367796 - Enable the unity plugin
+
+* Mon Aug 08 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-1
+- New version 5.5.0
+
+* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com>
+- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters
+
+* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com> - 5.4.0-1
+- New version 5.4.0
+
+* Thu Mar 03 2016 Pavel Šimerda <psimerda@redhat.com> - 5.3.5-1
+- New version 5.3.5
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jan 15 2016 Paul Wouters <pwouters@redhat.com> - 5.3.3-2
+- Enable IKEv2 GCM (requires gcrypt module as well)
+
+* Tue Sep 29 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.3-1
+- new version 5.3.3
+
+* Thu Sep 24 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.2-3
+- Resolves: #1264598 - strongswan: many configuration files are not protected
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 09 2015 Pavel Šimerda <psimerda@redhat.com>
+- new version 5.3.2
+
+* Fri Jun 05 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.1-1
+- new version 5.3.1
+
+* Tue Mar 31 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.0-1
+- new version 5.3.0
+
+* Fri Feb 20 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-2
+- Fixes strongswan swanctl service issue rhbz#1193106
+
+* Tue Jan 06 2015 Pavel Šimerda <psimerda@redhat.com> - 5.2.2-1
+- new version 5.2.2
+
+* Thu Dec 18 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.2.dr1
+- Enabled ccm, and ctr plugins as it seems enabling just openssl does
+  not work for using ccm and ctr algos.
+
+* Mon Dec 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.1.dr1
+- New strongswan developer release 5.2.2dr1
+
+* Mon Nov 24 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-2
+- 1167331: Enabled native systemd support.
+- Does not disable old systemd, starter, ipsec.conf support yet.
+
+* Thu Oct 30 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-1
+- New upstream release 5.2.1
+
+* Thu Oct 16 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-0.2.rc1
+- New upstream release candidate 5.2.1rc1
+
+* Fri Oct 10 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.1-1
+- new version 5.2.1dr1
+
+* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-7
+- use upstream patch for json/json-c dependency
+
+* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-6
+- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Aug 05 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-4
+- Resolves: #1081804 - enable Kernel IPSec support
+
+* Wed Jul 30 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-3
+- rebuilt
+
+* Tue Jul 29 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-2
+- fix json-c dependency
+
+* Tue Jul 15 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0-1
+- New upstream release 5.2.0
+- The Attestation IMC/IMV pair supports the IMA-NG
+  measurement format
+- Aikgen tool to generate an Attestation Identity Key bound
+  to a TPM
+- Swanctl tool to provide a portable, complete IKE
+  configuration and control interface for the command
+  line using vici interface with libvici library
+- PT-EAP transport protocol (RFC 7171) for TNC
+- Enabled support for acert for checking X509 attribute certificate
+- Updated patches, removed selinux patch as upstream has fixed it
+  in this release.
+- Updated spec file with minor cleanups
+
+* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.4.dr6
+- improve prerelease macro
+
+* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.3
+- Resolves: #1111895 - bump to 5.2.0dr6
+
+* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.2
+- Related: #1087437 - remove or upstream all patches not specific to fedora/epel
+
+* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.1.dr5
+- fix the pre-release version according to guidelines before it gets branched
+
+* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr5-1
+- new version 5.2.0dr5
+- add json-c-devel to build deps
+
+* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-3
+- merge two related patches
+
+* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-2
+- clean up the patches a bit
+
+* Thu May 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0dr4-1
+- New upstream developer release 5.2.0dr4
+- Attestation IMV/IMC supports IMA-NG measurement format now
+- Aikgen tool to generate an Attestation Identity Key bound
+  to a TPM
+- PT-EAP transport protocol (RFC 7171) for TNC
+- vici plugin provides IKE Configuration Interface for charon
+- Enabled support for acert for checking X509 attribute certificate
+- Updated patches
+- Updated spec file with minor cleanups
+
+* Tue Apr 15 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3-1
+- new version 5.1.3
+
+* Mon Apr 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3rc1-1
+- new version 5.1.3rc1
+
+* Mon Mar 24 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-4
+- #1069928 - updated libexec patch.
+
+* Tue Mar 18 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-3
+- fixed el6 initscript
+- fixed pki directory location
+
+* Fri Mar 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-2
+- clean up the specfile a bit
+- replace the initscript patch with an individual initscript
+- patch to build for epel6
+
+* Mon Mar 03 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-1
+- #1071353 - bump to 5.1.2
+- #1071338 - strongswan is compiled without xauth-pam plugin
+- remove obsolete patches
+- sent all patches upstream
+- added comments to all patches
+- don't touch the config with sed
+
+* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-6
+- Fixed full hardening for strongswan (full relro and PIE).
+  The previous macros had a typo and did not work
+  (see bz#1067119).
+- Fixed tnc package description to reflect the current state of
+  the package.
+- Fixed pki binary and moved it to /usr/libexece/strongswan as
+  others binaries are there too.
+
+* Wed Feb 19 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-5
+- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
+
+* Thu Jan 09 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-4
+- Removed redundant patches and *.spec commands caused by branch merging
+
+* Wed Jan 08 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-3
+- rebuilt
+
+* Mon Dec 2 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-2
+- Resolves: 973315
+- Resolves: 1036844
+
+* Fri Nov 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-1
+- Support for PT-TLS  (RFC 6876)
+- Support for SWID IMC/IMV
+- Support for command line IKE client charon-cmd
+- Changed location of pki to /usr/bin
+- Added swid tags files
+- Added man pages for pki and charon-cmd
+- Renamed pki to strongswan-pki to avoid conflict with
+  pki-core/pki-tools package.
+- Update local patches
+- Fixes CVE-2013-6075
+- Fixes CVE-2013-6076
+- Fixed autoconf/automake issue as configure.ac got changed
+  and it required running autoreconf during the build process.
+- added strongswan signature file to the sources.
+
+* Thu Sep 12 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-3
+- Fixed initialization crash of IMV and IMC particularly
+  attestation imv/imc as libstrongswas was not getting
+  initialized.
+
+* Fri Aug 30 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-2
+- Enabled fips support
+- Enabled TNC's ifmap support
+- Enabled TNC's pdp support
+- Fixed hardocded package name in this spec file
+
+* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
+- rhbz#981429: New upstream release
+- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
+- Fixes rhbz#991859 failed to build in rawhide
+- Updated local patches and removed which are not needed
+- Fixed errors around charon-nm
+- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
+  libstrongswan-sshkey.so
+- Added utility imv_policy_manager
+
+* Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
+- rename strongswan-NetworkManager to strongswan-charon-nm
+- fix enable_nm macro
+
+* Mon Jul 15 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-4
+- %%files tries to package some of the shared objects as directories (#984437)
+- fix broken systemd unit file (#984300)
+- fix rpmlint error: description-line-too-long
+- fix rpmlint error: macro-in-comment
+- fix rpmlint error: spelling-error Summary(en_US) fuctionality
+- depend on 'systemd' instead of 'systemd-units'
+- use new systemd scriptlet macros
+- NetworkManager subpackage should have a copy of the license (#984490)
+- enable hardened_build as this package meets the PIE criteria (#984429)
+- invocation of "ipsec _updown iptables" is broken as ipsec is renamed
+  to strongswan in this package (#948306)
+- invocation of "ipsec scepclient" is broken as ipsec is renamed
+  to strongswan in this package
+- add /etc/strongswan/ipsec.d and missing subdirectories
+- conditionalize building of strongswan-NetworkManager subpackage as the
+  version of NetworkManager in EL6 is too old (#984497)
+
+* Fri Jun 28 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-3
+- Patch to fix a major crash issue when Freeradius loads
+  attestatiom-imv and does not initialize libstrongswan which
+  causes crash due to calls to PTS algorithms probing APIs.
+  So this patch fixes the order of initialization. This issues
+  does not occur with charon because libstrongswan gets
+  initialized earlier.
+- Patch that allows to outputs errors when there are permission
+  issues when accessing strongswan.conf.
+- Patch to make loading of modules configurable when libimcv
+  is used in stand alone mode without charon with freeradius
+  and wpa_supplicant.
+
+* Tue Jun 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-2
+- Enabled TNCCS 1.1 protocol
+- Fixed libxm2-devel build dependency
+- Patch to fix the issue with loading of plugins
+
+* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
+- New upstream release
+- Fixes for CVE-2013-2944
+- Enabled support for OS IMV/IMC
+- Created and applied a patch to disable ECP in fedora, because
+  Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
+  it non-compliant to TCG's PTS standard, but there is no choice
+  right now. see redhat bz # 319901.
+- Enabled Trousers support for TPM based operations.
+
+* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
+- Rebuilt for a single specfile for rawhide/f19/f18/el6
+
+* Fri Apr 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.3-1
+- New upstream release
+- Enabled curl and eap-identity plugins
+- Enabled support for eap-radius plugin.
+
+* Thu Apr 18 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.2-3
+- Add gettext-devel to BuildRequires because of epel6
+- Remove unnecessary comments
+
+* Tue Mar 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-2
+- Enabled support for eap-radius plugin.
+
+* Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
+- Update to upstream release 5.0.2
+- Created sub package strongswan-tnc-imcvs that provides trusted network
+  connect's IMC and IMV funtionality. Specifically it includes PTS
+  based IMC/IMV for TPM based remote attestation and scanner and test
+  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
+  by any third party TNC Client/Server implementation possessing a
+  standard IF-IMC/IMV interface.
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.1-1
+- Update to release 5.0.1
+
+* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-4.git20120619
+- Add plugins to interoperate with Windows 7 and Android (#862472)
+  (contributed by Haim Gelfenbeyn)
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.0-3.git20120619
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 08 2012 Pavel Šimerda <pavlix@pavlix.net> - 5.0.0-2.git20120619
+- Fix configure substitutions in initscripts
+
+* Wed Jul 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-1.git20120619
+- Update to current upstream release
+- Comment out all stuff that is only needed for git builds
+- Remove renaming patch from git
+- Improve init patch used for EPEL
+
+* Thu Jun 21 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.3.git20120619
+- Build with openssl plugin enabled
+
+* Wed Jun 20 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.2.git20120619
+- Add README.Fedora with link to 4.6 to 5.0 migration information
+
+* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619
+- Snapshot of upcoming major release
+- Move patches and renaming upstream
+  http://wiki.strongswan.org/issues/194
+  http://wiki.strongswan.org/issues/195
+- Notified upstream about manpage issues
+
+* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2
+- Make initscript patch more distro-neutral
+- Add links to bugreports for patches
+
+* Fri Jun 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.4-1
+- New upstream version (CVE-2012-2388)
+
+* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-2
+- Add --enable-nm to configure
+- Add NetworkManager-devel to BuildRequires
+- Add NetworkManager-glib-devel to BuildRequires
+- Add strongswan-NetworkManager package
+
+* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-1
+- New version of Strongswan
+- Support for RFC 3110 DNSKEY (see upstream changelog)
+- Fix corrupt scriptlets
+
+* Fri Mar 30 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-2
+- #808612 - strongswan binary renaming side-effect
+
+* Sun Feb 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-1
+- New upstream version
+- Changed from .tar.gz to .tar.bz2
+- Added libstrongswan-pkcs8.so
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-8
+- Fix initscript's status function
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-7
+- Expand tabs in config files for better readability
+- Add sysvinit script for epel6
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-6
+- Fix program name in systemd unit file
+
+* Tue Feb 14 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-5
+- Improve fedora/epel conditionals
+
+* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-4
+- Protect configuration directory from ordinary users
+- Add still missing directory /etc/strongswan
+
+* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-3
+- Change directory structure to avoid clashes with Openswan
+- Prefixed all manpages with 'strongswan_'
+- Every file now includes 'strongswan' somewhere in its path
+- Removed conflict with Openswan
+- Finally fix permissions on strongswan.conf
+
+* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-2
+- Change license tag from GPL to GPLv2+
+- Change permissions on /etc/strongswan.conf to 644
+- Rename ipsec.8 manpage to strongswan.8
+- Fix empty scriptlets for non-fedora builds
+- Add ldconfig scriptlet
+- Add missing directories and files
+
+* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.1-1
+- Bump to version 4.6.1
+
+* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.0-3
+- Add systemd scriptlets
+- Add conditions to also support EPEL6
+
+* Sat Dec 10 2011 Pavel Šimerda <pavlix@pavlix.net> - 4.6.0-2
+- Experimental build for development
--- a/3
+++ b/3
@@ -1 +1,2 @@
-SHA512 (strongswan-5.8.2.tar.bz2) = 423e7924acfe8a03ad7d4359ae9086fd516798fcf5eb948a27b52ea719f4d8954b83ea30ce94191ea1647616611df8a1215cb4d5c7ec48676624df6c41853e1d
+SHA512 (strongswan-6.0.2.tar.bz2) = b1ee61b7d0eab40a9fcb5a7e28cfea9050f5f894fa66032edf9511b1e260104870e23fc19329b48be01f03eb491bfc27c9b74838722c80ba0284a48596a68d71
+SHA512 (strongswan-6.0.2.tar.bz2.sig) = 374e16baf4b3ee24966abdb872890eb29da4aa6fc4e8a5e2a67d6099e2a72bad195257e505765cecbfae3a77ea42942fc3cea543b954f1f7b3e415ad536321ff
--- a/strongswan-5.6.2-CVE-2018-5388.patch
+++ b/strongswan-5.6.2-CVE-2018-5388.patch
@@ -1,15 +0,0 @@
-diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
--- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
-+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
-@@ -628,6 +628,11 @@
- 		return FALSE;
- 	}
- 
-+	if (len < offsetof(stroke_msg_t, buffer))
-+	{
-+		DBG1(DBG_CFG, "invalid stroke message length %d", len);
-+		return FALSE;
-+	}
- 	/* read message (we need an additional byte to terminate the buffer) */
- 	msg = malloc(len + 1);
- 	msg->length = len;
--- a/strongswan-5.8.2-extern-global.patch
+++ b/strongswan-5.8.2-extern-global.patch
@@ -1,11 +0,0 @@
--- strongswan-5.8.2/src/swanctl/swanctl.h.orig	2020-02-23 00:35:39.051000000 +0200
-+++ strongswan-5.8.2/src/swanctl/swanctl.h	2020-02-23 00:35:51.930355656 +0200
-@@ -30,7 +30,7 @@
- /**
-  * Base directory for credentials and config
-  */
-char *swanctl_dir;
-+extern char *swanctl_dir;
- 
- /**
-  * Configuration file for connections, etc.
--- a/strongswan-5.9.7-error-no-format.patch
+++ b/strongswan-5.9.7-error-no-format.patch
@@ -0,0 +1,12 @@
+diff --git a/configure.ac b/configure.ac
+index f9e6e55c2..247d055d8 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1480,7 +1480,6 @@ else
+ fi
+ # disable some warnings, whether explicitly enabled above or by default
+ # these are not compatible with our custom printf specifiers
+-WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
+ WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
+ # we generally use comments, but GCC doesn't seem to recognize many of them
+ WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"
--- a/strongswan-6.0.0-gcc15.patch
+++ b/strongswan-6.0.0-gcc15.patch
@@ -0,0 +1,109 @@
+From cf7fb47788dfb83bb5d8bd0bffdb582e381a2f0a Mon Sep 17 00:00:00 2001
+From: Thomas Egerer <thomas.egerer@secunet.com>
+Date: Fri, 6 Sep 2024 13:29:40 +0200
+Subject: [PATCH] array: Don't use realloc() with zero size in array_compress()
+
+The behavior of realloc(3) with zero size was apparently implementation
+defined.  While glibc documents the behavior as equivalent to free(3),
+that might not apply to other C libraries.  With C17, this behavior has
+been deprecated, and with C23, the behavior is now undefined.  It's also
+why valgrind warns about this use.
+
+Hence, when array_compress() would call realloc() with a zero size, we
+now call free() explicitly and set the pointer to NULL.
+
+Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
+---
+ src/libstrongswan/collections/array.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
+index 8acc8051d53..8b6c6d7397e 100644
+--- a/src/libstrongswan/collections/array.c
+++ b/src/libstrongswan/collections/array.c
+@@ -197,7 +197,17 @@ void array_compress(array_t *array)
+ 		}
+ 		if (tail)
+ 		{
+-			array->data = realloc(array->data, get_size(array, array->count));
+			size_t size = get_size(array, array->count);
+
+			if (size)
+			{
+				array->data = realloc(array->data, size);
+			}
+			else
+			{
+				free(array->data);
+				array->data = NULL;
+			}
+ 			array->tail = 0;
+ 		}
+ 	}
+---
+
+From f1f0bd9de60e2697a712e72b7ae9f79763a0901d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 9 Jan 2025 16:05:39 +0100
+Subject: [PATCH] ctr: Remove parameter-less constructor prototype
+
+Useless and causes a compiler warning/error:
+
+  error: a function declaration without a prototype is deprecated in all versions of C and is treated as a zero-parameter prototype in C23, conflicting with a subsequent declaration [-Werror,-Wdeprecated-non-prototype]
+---
+ src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
+index e9421a1be9f..3814465e48b 100644
+--- a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
+++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
+@@ -37,11 +37,6 @@ struct ctr_ipsec_crypter_t {
+ 	crypter_t crypter;
+ };
+ 
+-/**
+- * Create a ctr_ipsec_crypter instance.
+- */
+-ctr_ipsec_crypter_t *ctr_ipsec_crypter_create();
+-
+ /**
+  * Create a ctr_ipsec_crypter instance.
+  *
+---
+
+From 227d7ef9a24b8c62d6965c1c1690252bde7c698d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 10 Jan 2025 15:43:11 +0100
+Subject: [PATCH] tnc-imv: Add missing argument to IMV recommendations
+ constructor
+
+This avoids the following warning/error:
+
+tnc_imv_manager.c:244:39: error: passing arguments to 'tnc_imv_recommendations_create' without a prototype is deprecated in all versions of C and is not supported in C23 [-Werror,-Wdeprecated-non-prototype]
+  244 |         return tnc_imv_recommendations_create(this->imvs);
+      |                                              ^
+---
+ src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
+index f7178876cfd..60272978ad3 100644
+--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
+@@ -27,8 +27,11 @@
+ #include <collections/linked_list.h>
+ 
+ /**
+- * Create an IMV empty recommendations instance
+ * Create an empty IMV recommendations instance
+ *
+ * @param imv_list		list of IMVs that could provide recommendations
+ * @return				created instance
+  */
+-recommendations_t *tnc_imv_recommendations_create();
+recommendations_t *tnc_imv_recommendations_create(linked_list_t *imv_list);
+ 
+ #endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/
+---
+
--- a/strongswan-6.0.1-gcc15.patch
+++ b/strongswan-6.0.1-gcc15.patch
@@ -0,0 +1,597 @@
+From a7b5de569082398a14b7e571498e55d005903aaf Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 17:18:35 +0100
+Subject: [PATCH] pki: Fix signature of help() to match that of a callback in
+ command_t
+
+---
+ src/pki/command.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pki/command.c b/src/pki/command.c
+index accec5fe51b..6e6bf041e18 100644
+--- a/src/pki/command.c
+++ b/src/pki/command.c
+@@ -265,7 +265,7 @@ int command_usage(char *error)
+ /**
+  * Show usage information
+  */
+-static int help(int c, char *v[])
+static int help()
+ {
+ 	return command_usage(NULL);
+ }
+---
+
+From 38d89f57f0771d3cc7b2ab70849584685ada2bc0 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 16:47:34 +0100
+Subject: [PATCH] charon-nm: Use CALLBACK macro for callback job's cancel
+ implementation
+
+Casting to this specific function type doesn't work anymore if C23 is
+used as the types mismatch.
+---
+ src/charon-nm/nm/nm_backend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
+index aefd3f95688..8ee1785212e 100644
+--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
+@@ -78,7 +78,8 @@ static job_requeue_t run(nm_backend_t *this)
+ /**
+  * Cancel the GLib Main Event Loop
+  */
+-static bool cancel(nm_backend_t *this)
+CALLBACK(cancel, bool,
+	nm_backend_t *this)
+ {
+ 	if (this->loop)
+ 	{
+@@ -152,7 +153,7 @@ static bool nm_backend_init()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
+-				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
+				NULL, cancel, JOB_PRIO_CRITICAL));
+ 	return TRUE;
+ }
+ 
+---
+
+From d5d2568ff0e88d364dadf50b67bf17050763cf98 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 16:45:57 +0100
+Subject: [PATCH] callback-job: Replace return_false() in constructors with
+ dedicated function
+
+Besides being clearer, this fixes issues with GCC 15.  The latter uses
+C23 by default, which changes the meaning of function declarations
+without parameters such as
+
+	bool return false();
+
+Instead of "this function takes an unknown number of arguments", this
+now equals (void), that is, "this function takes no arguments".  So we
+run into incompatible pointer type warnings all over when using such
+functions.  They could be cast to (void*) but this seems the cleaner
+solution for this use case.
+---
+ src/charon-cmd/cmd/cmd_connection.c                   |  2 +-
+ .../jni/libandroidbridge/backend/android_dns_proxy.c  |  2 +-
+ .../jni/libandroidbridge/backend/android_service.c    |  6 +++---
+ src/libcharon/network/receiver.c                      |  2 +-
+ src/libcharon/network/sender.c                        |  2 +-
+ .../plugins/bypass_lan/bypass_lan_listener.c          |  4 ++--
+ .../plugins/eap_radius/eap_radius_accounting.c        |  2 +-
+ src/libcharon/plugins/eap_radius/eap_radius_plugin.c  |  2 +-
+ src/libcharon/plugins/ha/ha_ctl.c                     |  2 +-
+ src/libcharon/plugins/ha/ha_dispatcher.c              |  2 +-
+ src/libcharon/plugins/ha/ha_segments.c                |  6 +++---
+ .../kernel_libipsec/kernel_libipsec_esp_handler.c     |  2 +-
+ .../plugins/kernel_libipsec/kernel_libipsec_router.c  |  2 +-
+ src/libcharon/plugins/smp/smp.c                       |  4 ++--
+ src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c   |  2 +-
+ src/libcharon/plugins/uci/uci_control.c               |  2 +-
+ src/libipsec/ipsec_event_relay.c                      |  2 +-
+ src/libipsec/ipsec_processor.c                        |  4 ++--
+ src/libpttls/pt_tls_dispatcher.c                      |  2 +-
+ src/libstrongswan/networking/streams/stream_service.c |  2 +-
+ src/libstrongswan/processing/jobs/callback_job.c      | 10 +++++++++-
+ src/libstrongswan/processing/jobs/callback_job.h      | 11 ++++++++++-
+ src/libstrongswan/processing/scheduler.c              |  3 ++-
+ src/libstrongswan/processing/watcher.c                |  4 ++--
+ src/libtls/tests/suites/test_socket.c                 |  2 +-
+ 25 files changed, 51 insertions(+), 33 deletions(-)
+
+diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
+index 8e8d8236e52..e220e33a62a 100644
+--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
+@@ -585,7 +585,7 @@ cmd_connection_t *cmd_connection_create()
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio(
+ 			(callback_job_cb_t)initiate, this, NULL,
+-			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+			callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
+index e79d5974409..480d1d622d5 100644
+--- a/src/libcharon/network/receiver.c
+++ b/src/libcharon/network/receiver.c
+@@ -737,7 +737,7 @@ receiver_t *receiver_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
+index 4543766d62e..3fcd17f1b63 100644
+--- a/src/libcharon/network/sender.c
+++ b/src/libcharon/network/sender.c
+@@ -216,7 +216,7 @@ sender_t * sender_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+index db7abd8146b..c9aed3666fc 100644
+--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+@@ -227,7 +227,7 @@ METHOD(kernel_listener_t, roam, bool,
+ {
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+-									NULL, (callback_job_cancel_t)return_false));
+									NULL, callback_job_cancel_thread));
+ 	return TRUE;
+ }
+ 
+@@ -269,7 +269,7 @@ METHOD(bypass_lan_listener_t, reload_interfaces, void,
+ 	this->mutex->unlock(this->mutex);
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+-									NULL, (callback_job_cancel_t)return_false));
+									NULL, callback_job_cancel_thread));
+ }
+ 
+ METHOD(bypass_lan_listener_t, destroy, void,
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+index f833dc3c0b4..2f29d080764 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+@@ -706,7 +706,7 @@ static void schedule_interim(private_eap_radius_accounting_t *this,
+ 			(job_t*)callback_job_create_with_prio(
+ 				(callback_job_cb_t)send_interim,
+ 				data, (void*)destroy_interim_data,
+-				(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
+				callback_job_cancel_thread, JOB_PRIO_CRITICAL), tv);
+ 	}
+ }
+ 
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+index 5051542615a..55d5e032cea 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+@@ -445,7 +445,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id)
+ 		lib->processor->queue_job(lib->processor,
+ 				(job_t*)callback_job_create_with_prio(
+ 						(callback_job_cb_t)delete_all_async, NULL, NULL,
+-						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+						callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	}
+ 	else if (id)
+ 	{
+diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
+index 8859bae166b..3d2ac7de84d 100644
+--- a/src/libcharon/plugins/ha/ha_ctl.c
+++ b/src/libcharon/plugins/ha/ha_ctl.c
+@@ -199,6 +199,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
+index 5de26a65a27..83be91ab159 100644
+--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
+@@ -1184,7 +1184,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
+ 	);
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
+index afb76b39ea2..32d9ee40717 100644
+--- a/src/libcharon/plugins/ha/ha_segments.c
+++ b/src/libcharon/plugins/ha/ha_segments.c
+@@ -316,7 +316,7 @@ static void start_watchdog(private_ha_segments_t *this)
+ 	this->heartbeat_active = TRUE;
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)watchdog, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ }
+ 
+ METHOD(ha_segments_t, handle_status, void,
+@@ -404,7 +404,7 @@ static void start_heartbeat(private_ha_segments_t *this)
+ {
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ }
+ 
+ /**
+@@ -451,7 +451,7 @@ static void start_autobalance(private_ha_segments_t *this)
+ 	DBG1(DBG_CFG, "scheduling HA autobalance every %ds", this->autobalance);
+ 	lib->scheduler->schedule_job(lib->scheduler,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL),
+			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL),
+ 		this->autobalance);
+ }
+ 
+diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+index 095ad67b4b0..c18e266e4d1 100644
+--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+@@ -337,7 +337,7 @@ kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create()
+ 	}
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create(send_esp, this, NULL,
+-										(callback_job_cancel_t)return_false));
+										callback_job_cancel_thread));
+ 	return &this->public;
+ }
+ 
+diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+index 74746e251de..07adc70be3e 100644
+--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+@@ -364,7 +364,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create()
+ 	charon->receiver->add_esp_cb(charon->receiver, receiver_esp_cb, NULL);
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
+-									NULL, (callback_job_cancel_t)return_false));
+										NULL, callback_job_cancel_thread));
+ 
+ 	router = &this->public;
+ 	return &this->public;
+diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
+index 6ca9f13997e..85ff5830bc5 100644
+--- a/src/libcharon/plugins/smp/smp.c
+++ b/src/libcharon/plugins/smp/smp.c
+@@ -710,7 +710,7 @@ static job_requeue_t dispatch(private_smp_t *this)
+ 	fdp = malloc_thing(int);
+ 	*fdp = fd;
+ 	job = callback_job_create((callback_job_cb_t)process, fdp, free,
+-							  (callback_job_cancel_t)return_false);
+							  callback_job_cancel_thread);
+ 	lib->processor->queue_job(lib->processor, (job_t*)job);
+ 
+ 	return JOB_REQUEUE_DIRECT;
+@@ -800,7 +800,7 @@ plugin_t *smp_plugin_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public.plugin;
+ }
+diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+index 30aeb116dec..da317a894d9 100644
+--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+@@ -210,7 +210,7 @@ METHOD(tnc_pdp_connections_t, add, void,
+ 	/* schedule timeout checking */
+ 	lib->scheduler->schedule_job_ms(lib->scheduler,
+ 				(job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
+-					this, NULL, (callback_job_cancel_t)return_false),
+					this, NULL, callback_job_cancel_thread),
+ 				this->timeout * 1000);
+ 
+ 	dbg_nas_user(nas_id, user_name, FALSE, "created");
+diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
+index b033c832c8c..8074005ee57 100644
+--- a/src/libcharon/plugins/uci/uci_control.c
+++ b/src/libcharon/plugins/uci/uci_control.c
+@@ -296,7 +296,7 @@ uci_control_t *uci_control_create()
+ 	{
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive,
+-							this, NULL, (callback_job_cancel_t)return_false,
+							this, NULL, callback_job_cancel_thread,
+ 							JOB_PRIO_CRITICAL));
+ 	}
+ 	return &this->public;
+diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
+index 0f10795d168..802146eef21 100644
+--- a/src/libipsec/ipsec_event_relay.c
+++ b/src/libipsec/ipsec_event_relay.c
+@@ -230,7 +230,7 @@ ipsec_event_relay_t *ipsec_event_relay_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)handle_events, this,
+-			NULL, (callback_job_cancel_t)return_false));
+			NULL, callback_job_cancel_thread));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
+index 2572b088089..8549fefe261 100644
+--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
+@@ -336,9 +336,9 @@ ipsec_processor_t *ipsec_processor_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)process_inbound, this,
+-									NULL, (callback_job_cancel_t)return_false));
+									NULL, callback_job_cancel_thread));
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)process_outbound, this,
+-									NULL, (callback_job_cancel_t)return_false));
+									NULL, callback_job_cancel_thread));
+ 	return &this->public;
+ }
+diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
+index a134bee238f..c7e42b277e1 100644
+--- a/src/libpttls/pt_tls_dispatcher.c
+++ b/src/libpttls/pt_tls_dispatcher.c
+@@ -156,7 +156,7 @@ METHOD(pt_tls_dispatcher_t, dispatch, void,
+ 		lib->processor->queue_job(lib->processor,
+ 				(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+ 										connection, (void*)cleanup,
+-										(callback_job_cancel_t)return_false,
+										callback_job_cancel_thread,
+ 										JOB_PRIO_CRITICAL));
+ 	}
+ }
+diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c
+index 5b709a2247d..c85a0664351 100644
+--- a/src/libstrongswan/networking/streams/stream_service.c
+++ b/src/libstrongswan/networking/streams/stream_service.c
+@@ -221,7 +221,7 @@ static bool watch(private_stream_service_t *this, int fd, watcher_event_t event)
+ 
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((void*)accept_async, data,
+-				(void*)destroy_async_data, (callback_job_cancel_t)return_false,
+				(void*)destroy_async_data, callback_job_cancel_thread,
+ 				this->prio));
+ 	}
+ 	else
+diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
+index cb2a0aba5b9..3ab40b947c9 100644
+--- a/src/libstrongswan/processing/jobs/callback_job.c
+++ b/src/libstrongswan/processing/jobs/callback_job.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2009-2012 Tobias Brunner
+ * Copyright (C) 2009-2025 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -131,3 +131,11 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+ 	return callback_job_create_with_prio(cb, data, cleanup, cancel,
+ 										 JOB_PRIO_MEDIUM);
+ }
+
+/*
+ * Described in header
+ */
+bool callback_job_cancel_thread(void *data)
+{
+	return FALSE;
+}
+diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
+index 0f1ae212d87..fda86887944 100644
+--- a/src/libstrongswan/processing/jobs/callback_job.h
+++ b/src/libstrongswan/processing/jobs/callback_job.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2025 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -62,6 +62,15 @@ typedef void (*callback_job_cleanup_t)(void *data);
+  */
+ typedef bool (*callback_job_cancel_t)(void *data);
+ 
+/**
+ * Default implementation of callback_job_cancel_t that simply returns FALSE
+ * to force cancellation of the thread by the processor.
+ *
+ * @param data			ignored argument
+ * @return				always returns FALSE
+ */
+bool callback_job_cancel_thread(void *data);
+
+ /**
+  * Class representing an callback Job.
+  *
+diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
+index c5e5dd83e70..76d98ddff51 100644
+--- a/src/libstrongswan/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
+@@ -329,7 +329,8 @@ scheduler_t * scheduler_create()
+ 	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
+ 
+ 	job = callback_job_create_with_prio((callback_job_cb_t)schedule, this,
+-										NULL, return_false, JOB_PRIO_CRITICAL);
+										NULL, callback_job_cancel_thread,
+										JOB_PRIO_CRITICAL);
+ 	lib->processor->queue_job(lib->processor, (job_t*)job);
+ 
+ 	return &this->public;
+diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
+index 1200d670959..a86ec0910d1 100644
+--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
+@@ -291,7 +291,7 @@ static void notify(private_watcher_t *this, entry_t *entry,
+ 
+ 	this->jobs->insert_last(this->jobs,
+ 					callback_job_create_with_prio((void*)notify_async, data,
+-						(void*)notify_end, (callback_job_cancel_t)return_false,
+						(void*)notify_end, callback_job_cancel_thread,
+ 						JOB_PRIO_CRITICAL));
+ }
+ 
+@@ -559,7 +559,7 @@ METHOD(watcher_t, add, void,
+ 
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((void*)watch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
+				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	}
+ 	else
+ 	{
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 91ee58b975f..c17d0a8873e 100644
+--- a/src/libtls/tests/suites/test_socket.c
+++ b/src/libtls/tests/suites/test_socket.c
+@@ -587,7 +587,7 @@ static void start_echo_server(echo_server_config_t *config)
+ 
+ 	lib->processor->queue_job(lib->processor, (job_t*)
+ 				callback_job_create((void*)serve_echo, config, NULL,
+-									(callback_job_cancel_t)return_false));
+									callback_job_cancel_thread));
+ }
+ 
+ /**
+---
+
+From 11978ddd39e800b5f35f721d726e8a4cb7e4ec0f Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 17:00:44 +0100
+Subject: [PATCH] Cast uses of return_*(), nop() and enumerator_create_empty()
+
+As described in the previous commit, GCC 15 uses C23 by default and that
+changes the meaning of such argument-less function declarations.  So
+whenever we assign such a function to a pointer that expects a function
+with arguments it causes an incompatible pointer type warning.  We
+could define dedicated functions/callbacks whenever necessary, but this
+seems like the simpler approach for now (especially since most uses of
+these functions have already been cast).
+---
+ src/charon-nm/nm/nm_handler.c                           | 2 +-
+ src/libcharon/encoding/payloads/encrypted_payload.c     | 2 +-
+ src/libcharon/plugins/android_dns/android_dns_handler.c | 2 +-
+ src/libcharon/plugins/ha/ha_attribute.c                 | 2 +-
+ src/libcharon/plugins/updown/updown_handler.c           | 2 +-
+ src/libstrongswan/utils/identification.c                | 6 +++---
+ 6 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
+index d7331ad72f6..39d0190ac9e 100644
+--- a/src/charon-nm/nm/nm_handler.c
+++ b/src/charon-nm/nm/nm_handler.c
+@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create()
+ 		.public = {
+ 			.handler = {
+ 				.handle = _handle,
+-				.release = nop,
+				.release = (void*)nop,
+ 				.create_attribute_enumerator = _create_attribute_enumerator,
+ 			},
+ 			.create_enumerator = _create_enumerator,
+diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
+index 676d00b7a29..4821c6108ed 100644
+--- a/src/libcharon/encoding/payloads/encrypted_payload.c
+++ b/src/libcharon/encoding/payloads/encrypted_payload.c
+@@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create()
+ 				.get_length = _frag_get_length,
+ 				.add_payload = _frag_add_payload,
+ 				.remove_payload = (void*)return_null,
+-				.generate_payloads = nop,
+				.generate_payloads = (void*)nop,
+ 				.set_transform = _frag_set_transform,
+ 				.get_transform = _frag_get_transform,
+ 				.encrypt = _frag_encrypt,
+diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
+index 78f4f702aec..14d2ff99aa3 100644
+--- a/src/libcharon/plugins/android_dns/android_dns_handler.c
+++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
+@@ -191,7 +191,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
+ 	VA_ARGS_VGET(args, type, data);
+ 	*type = INTERNAL_IP4_DNS;
+ 	*data = chunk_empty;
+-	this->venumerate = return_false;
+	this->venumerate = (void*)return_false;
+ 	return TRUE;
+ }
+ 
+diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
+index b865a4b829b..103d1a93784 100644
+--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
+@@ -381,7 +381,7 @@ ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments
+ 			.provider = {
+ 				.acquire_address = _acquire_address,
+ 				.release_address = _release_address,
+-				.create_attribute_enumerator = enumerator_create_empty,
+				.create_attribute_enumerator = (void*)enumerator_create_empty,
+ 			},
+ 			.reserve = _reserve,
+ 			.destroy = _destroy,
+diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
+index 36eb15615a4..3707e1e658c 100644
+--- a/src/libcharon/plugins/updown/updown_handler.c
+++ b/src/libcharon/plugins/updown/updown_handler.c
+@@ -220,7 +220,7 @@ updown_handler_t *updown_handler_create()
+ 			.handler = {
+ 				.handle = _handle,
+ 				.release = _release,
+-				.create_attribute_enumerator = enumerator_create_empty,
+				.create_attribute_enumerator = (void*)enumerator_create_empty,
+ 			},
+ 			.create_dns_enumerator = _create_dns_enumerator,
+ 			.destroy = _destroy,
+diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identifi
+100  5229  100  5229    0     0  26091      0 --:--:-- --:--:-- --:--:-- 26145
+cation.c
+index d31955b3806..58a05052dc1 100644
+--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
+@@ -1625,7 +1625,7 @@ static private_identification_t *identification_create(id_type_t type)
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_any;
+-			this->public.contains_wildcards = return_true;
+			this->public.contains_wildcards = (void*)return_true;
+ 			break;
+ 		case ID_FQDN:
+ 		case ID_RFC822_ADDR:
+@@ -1660,13 +1660,13 @@ static private_identification_t *identification_create(id_type_t type)
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_range;
+-			this->public.contains_wildcards = return_false;
+			this->public.contains_wildcards = (void*)return_false;
+ 			break;
+ 		default:
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_binary;
+-			this->public.contains_wildcards = return_false;
+			this->public.contains_wildcards = (void*)return_false;
+ 			break;
+ 	}
+ 	return this;
--- a/strongswan-6.0.2-no-isolation.patch
+++ b/strongswan-6.0.2-no-isolation.patch
@@ -0,0 +1,12 @@
+diff -Naur strongswan-6.0.2-orig/src/libcharon/plugins/vici/python/Makefile.am strongswan-6.0.2/src/libcharon/plugins/vici/python/Makefile.am
+--- strongswan-6.0.2-orig/src/libcharon/plugins/vici/python/Makefile.am	2025-07-12 02:36:20.000000000 -0400
+++ strongswan-6.0.2/src/libcharon/plugins/vici/python/Makefile.am	2025-09-10 15:31:43.217806666 -0400
+@@ -19,7 +19,7 @@
+ all-local: dist/vici-$(PYTHON_PACKAGE_VERSION)-py3-none-any.whl
+ 
+ dist/vici-$(PYTHON_PACKAGE_VERSION)-py3-none-any.whl: $(EXTRA_DIST) $(srcdir)/setup.py
+-	(cd $(srcdir); $(PYTHON) -m build -o $(abs_builddir)/dist)
+	(cd $(srcdir); $(PYTHON) -m build --no-isolation -o $(abs_builddir)/dist) 
+ 
+ clean-local:
+ 	rm -rf $(srcdir)/setup.py $(srcdir)/vici.egg-info $(builddir)/dist
--- a/strongswan-6.0.2-no-md5-b3011e8e.patch
+++ b/strongswan-6.0.2-no-md5-b3011e8e.patch
@@ -0,0 +1,514 @@
+From b3011e8e87a1fad1bfb026448fc37b80b7cfc007 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 23 Sep 2025 14:59:37 +0200
+Subject: [PATCH] Remove support for MD2
+
+No part of IKE/IPsec or X.509 uses MD2 anymore, so there really is no
+reason to still support it (unlike MD4 that is used in EAP-MSCHAPv2,
+MD5 that's used in EAP-MD5, or SHA-1 that's used for e.g. NAT-D hashes).
+
+It caused test vectors to fail on systems where OpenSSL is built with
+MD2 support but has it disabled at runtime.
+---
+ src/libstrongswan/asn1/oid.txt                |   4 +-
+ .../credentials/containers/pkcs12.c           |   1 -
+ src/libstrongswan/crypto/hashers/hasher.c     |  15 ---
+ src/libstrongswan/crypto/hashers/hasher.h     |  16 +--
+ src/libstrongswan/crypto/xofs/xof.c           |   1 -
+ .../plugins/gcrypt/gcrypt_hasher.c            |   3 -
+ .../plugins/openssl/openssl_plugin.c          |   3 -
+ .../plugins/pkcs11/pkcs11_hasher.c            |   1 -
+ .../plugins/pkcs11/pkcs11_plugin.c            |   1 -
+ .../plugins/test_vectors/Makefile.am          |   1 -
+ .../plugins/test_vectors/test_vectors.h       |   7 -
+ .../plugins/test_vectors/test_vectors/md2.c   |  64 ---------
+ src/libstrongswan/tests/suites/test_hasher.c  | 127 +++++++++---------
+ 13 files changed, 71 insertions(+), 173 deletions(-)
+ delete mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+
+diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
+index f58a44d326..b9c3189cd2 100644
+--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
+@@ -94,7 +94,7 @@
+             0x01             "PKCS"
+               0x01           "PKCS-1"
+                 0x01         "rsaEncryption"			OID_RSA_ENCRYPTION
+-                0x02         "md2WithRSAEncryption"		OID_MD2_WITH_RSA
+                0x02         "md2WithRSAEncryption"
+                 0x04         "md5WithRSAEncryption"		OID_MD5_WITH_RSA
+                 0x05         "sha-1WithRSAEncryption"	OID_SHA1_WITH_RSA
+                 0x07         "id-RSAES-OAEP"			OID_RSAES_OAEP
+@@ -148,7 +148,7 @@
+                     0x05     "secretBag"
+                     0x06     "safeContentsBag"
+             0x02             "digestAlgorithm"
+-              0x02           "md2"						OID_MD2
+              0x02           "md2"
+               0x05           "md5"						OID_MD5
+               0x07           "hmacWithSHA1"				OID_HMAC_SHA1
+               0x08           "hmacWithSHA224"			OID_HMAC_SHA224
+diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
+index d738910077..be0c750393 100644
+--- a/src/libstrongswan/credentials/containers/pkcs12.c
+++ b/src/libstrongswan/credentials/containers/pkcs12.c
+@@ -83,7 +83,6 @@ static bool derive_key(hash_algorithm_t hash, chunk_t unicode, chunk_t salt,
+ 	}
+ 	switch (hash)
+ 	{
+-		case HASH_MD2:
+ 		case HASH_MD5:
+ 		case HASH_SHA1:
+ 		case HASH_SHA224:
+diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
+index 2fed3b4133..444a59c5f0 100644
+--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
+@@ -30,7 +30,6 @@ ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
+ 	"HASH_IDENTITY");
+ ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"HASH_UNKNOWN",
+-	"HASH_MD2",
+ 	"HASH_MD4",
+ 	"HASH_MD5",
+ 	"HASH_SHA2_224",
+@@ -48,7 +47,6 @@ ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_IDENTITY,
+ 	"identity");
+ ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"unknown",
+-	"md2",
+ 	"md4",
+ 	"md5",
+ 	"sha224",
+@@ -66,7 +64,6 @@ ENUM_BEGIN(hash_algorithm_short_names_upper, HASH_SHA1, HASH_IDENTITY,
+ 	"IDENTITY");
+ ENUM_NEXT(hash_algorithm_short_names_upper, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"UNKNOWN",
+-	"MD2",
+ 	"MD4",
+ 	"MD5",
+ 	"SHA2_224",
+@@ -91,8 +88,6 @@ size_t hasher_hash_size(hash_algorithm_t alg)
+ 			return HASH_SIZE_SHA384;
+ 		case HASH_SHA512:
+ 			return HASH_SIZE_SHA512;
+-		case HASH_MD2:
+-			return HASH_SIZE_MD2;
+ 		case HASH_MD4:
+ 			return HASH_SIZE_MD4;
+ 		case HASH_MD5:
+@@ -121,9 +116,6 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
+ {
+ 	switch (oid)
+ 	{
+-		case OID_MD2:
+-		case OID_MD2_WITH_RSA:
+-			return HASH_MD2;
+ 		case OID_MD5:
+ 		case OID_MD5_WITH_RSA:
+ 			return HASH_MD5;
+@@ -323,7 +315,6 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
+ 					return AUTH_HMAC_SHA2_512_512;
+ 			}
+ 			break;
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_SHA224:
+ 		case HASH_SHA3_224:
+@@ -350,7 +341,6 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
+ 		case HASH_SHA512:
+ 			return TRUE;
+ 		case HASH_UNKNOWN:
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_MD5:
+ 		case HASH_SHA1:
+@@ -373,9 +363,6 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
+ 
+ 	switch (alg)
+ 	{
+-		case HASH_MD2:
+-			oid = OID_MD2;
+-			break;
+ 		case HASH_MD5:
+ 			oid = OID_MD5;
+ 			break;
+@@ -422,8 +409,6 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
+ 		case KEY_RSA:
+ 			switch (alg)
+ 			{
+-				case HASH_MD2:
+-					return OID_MD2_WITH_RSA;
+ 				case HASH_MD5:
+ 					return OID_MD5_WITH_RSA;
+ 				case HASH_SHA1:
+diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
+index ad434035da..0a4237cd93 100644
+--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
+@@ -45,17 +45,15 @@ enum hash_algorithm_t {
+ 	HASH_IDENTITY		= 5,
+ 	/* use private use range for algorithms not defined/permitted by RFC 7427 */
+ 	HASH_UNKNOWN 		= 1024,
+-	HASH_MD2 			= 1025,
+-	HASH_MD4			= 1026,
+-	HASH_MD5 			= 1027,
+-	HASH_SHA224			= 1028,
+-	HASH_SHA3_224		= 1029,
+-	HASH_SHA3_256		= 1030,
+-	HASH_SHA3_384		= 1031,
+-	HASH_SHA3_512		= 1032
+	HASH_MD4			= 1025,
+	HASH_MD5 			= 1026,
+	HASH_SHA224			= 1027,
+	HASH_SHA3_224		= 1028,
+	HASH_SHA3_256		= 1029,
+	HASH_SHA3_384		= 1030,
+	HASH_SHA3_512		= 1031
+ };
+ 
+-#define HASH_SIZE_MD2		16
+ #define HASH_SIZE_MD4		16
+ #define HASH_SIZE_MD5		16
+ #define HASH_SIZE_SHA1		20
+diff --git a/src/libstrongswan/crypto/xofs/xof.c b/src/libstrongswan/crypto/xofs/xof.c
+index 7c1eb37e42..f21e037a5a 100644
+--- a/src/libstrongswan/crypto/xofs/xof.c
+++ b/src/libstrongswan/crypto/xofs/xof.c
+@@ -60,7 +60,6 @@ ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg)
+ 			return XOF_MGF1_SHA3_384;
+ 		case HASH_IDENTITY:
+ 		case HASH_UNKNOWN:
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_MD5:
+ 			break;
+diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+index 29f86a5139..5e30ac7dc3 100644
+--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+@@ -92,9 +92,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
+ 
+ 	switch (algo)
+ 	{
+-		case HASH_MD2:
+-			gcrypt_alg = GCRY_MD_MD2;
+-			break;
+ 		case HASH_MD4:
+ 			gcrypt_alg = GCRY_MD_MD4;
+ 			break;
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index c3e1d2e173..ef7fe8908f 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -400,9 +400,6 @@ METHOD(plugin_t, get_features, int,
+ 			PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
+ 		/* hashers */
+ 		PLUGIN_REGISTER(HASHER, openssl_hasher_create),
+-#ifndef OPENSSL_NO_MD2
+-			PLUGIN_PROVIDE(HASHER, HASH_MD2),
+-#endif
+ #ifndef OPENSSL_NO_MD4
+ 			PLUGIN_PROVIDE(HASHER, HASH_MD4),
+ #endif
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+index e5ac18ed8c..409a05a2ab 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+@@ -234,7 +234,6 @@ static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size)
+ 		CK_MECHANISM mechanism;
+ 		size_t size;
+ 	} mappings[] = {
+-		{HASH_MD2,		{CKM_MD2,		NULL, 0},	HASH_SIZE_MD2},
+ 		{HASH_MD5,		{CKM_MD5,		NULL, 0},	HASH_SIZE_MD5},
+ 		{HASH_SHA1,		{CKM_SHA_1,		NULL, 0},	HASH_SIZE_SHA1},
+ 		{HASH_SHA256,	{CKM_SHA256,	NULL, 0},	HASH_SIZE_SHA256},
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+index 5510db99f4..aa27f1e384 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+@@ -189,7 +189,6 @@ METHOD(plugin_t, get_features, int,
+ {
+ 	static plugin_feature_t f_hash[] = {
+ 		PLUGIN_REGISTER(HASHER, pkcs11_hasher_create),
+-			PLUGIN_PROVIDE(HASHER, HASH_MD2),
+ 			PLUGIN_PROVIDE(HASHER, HASH_MD5),
+ 			PLUGIN_PROVIDE(HASHER, HASH_SHA1),
+ 			PLUGIN_PROVIDE(HASHER, HASH_SHA256),
+diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
+index 6074027f7d..eaf6485abc 100644
+--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
+@@ -37,7 +37,6 @@ libstrongswan_test_vectors_la_SOURCES = \
+ 	test_vectors/rc5.c \
+ 	test_vectors/serpent_cbc.c \
+ 	test_vectors/twofish_cbc.c \
+-	test_vectors/md2.c \
+ 	test_vectors/md4.c \
+ 	test_vectors/md5.c \
+ 	test_vectors/md5_hmac.c \
+diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
+index bf8609cb62..85436ff74a 100644
+--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
+@@ -160,13 +160,6 @@ TEST_VECTOR_SIGNER(sha512_hmac_s1)
+ TEST_VECTOR_SIGNER(sha512_hmac_s2)
+ TEST_VECTOR_SIGNER(sha512_hmac_s3)
+ 
+-TEST_VECTOR_HASHER(md2_1)
+-TEST_VECTOR_HASHER(md2_2)
+-TEST_VECTOR_HASHER(md2_3)
+-TEST_VECTOR_HASHER(md2_4)
+-TEST_VECTOR_HASHER(md2_5)
+-TEST_VECTOR_HASHER(md2_6)
+-TEST_VECTOR_HASHER(md2_7)
+ TEST_VECTOR_HASHER(md4_1)
+ TEST_VECTOR_HASHER(md4_2)
+ TEST_VECTOR_HASHER(md4_3)
+diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+deleted file mode 100644
+index b2707a1317..0000000000
+--- a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+++ /dev/null
+@@ -1,64 +0,0 @@
+-/*
+- * Copyright (C) 2009 Martin Willi
+- *
+- * Copyright (C) secunet Security Networks AG
+- *
+- * This program is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License as published by the
+- * Free Software Foundation; either version 2 of the Licenseor (at your
+- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+- *
+- * This program is distributed in the hope that it will be usefulbut
+- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+- * for more details.
+- */
+-
+-#include <crypto/crypto_tester.h>
+-
+-/**
+- * MD2 vectors from RFC 1319
+- */
+-hasher_test_vector_t md2_1 = {
+-	.alg = HASH_MD2, .len = 0,
+-	.data	= "",
+-	.hash	= "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69\x27\x73"
+-};
+-
+-hasher_test_vector_t md2_2 = {
+-	.alg = HASH_MD2, .len = 1,
+-	.data	= "a",
+-	.hash	= "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0\xb5\xd1"
+-};
+-
+-hasher_test_vector_t md2_3 = {
+-	.alg = HASH_MD2, .len = 3,
+-	.data	= "abc",
+-	.hash	= "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde\xd6\xbb"
+-};
+-
+-hasher_test_vector_t md2_4 = {
+-	.alg = HASH_MD2, .len = 14,
+-	.data	= "message digest",
+-	.hash	= "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe\x06\xb0"
+-};
+-
+-hasher_test_vector_t md2_5 = {
+-	.alg = HASH_MD2, .len = 26,
+-	.data	= "abcdefghijklmnopqrstuvwxyz",
+-	.hash	= "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47\x94\x0b"
+-};
+-
+-hasher_test_vector_t md2_6 = {
+-	.alg = HASH_MD2, .len = 62,
+-	.data	= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+-	.hash	= "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03\x38\xcd"
+-};
+-
+-hasher_test_vector_t md2_7 = {
+-	.alg = HASH_MD2, .len = 80,
+-	.data	= "1234567890123456789012345678901234567890"
+-			  "1234567890123456789012345678901234567890",
+-	.hash	= "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3\xef\xd8"
+-};
+-
+diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
+index c07eed8d93..3bdcc7e3d7 100644
+--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
+@@ -28,41 +28,39 @@ typedef struct {
+ 	key_type_t key;
+ }hasher_oid_t;
+ 
+/* make sure to adjust offsets in constructor when changing this array */
+ static hasher_oid_t oids[] = {
+-	{ OID_MD2, HASH_MD2, KEY_ANY },                                /*  0 */
+-	{ OID_MD5, HASH_MD5, KEY_ANY },                                /*  1 */
+-	{ OID_SHA1, HASH_SHA1, KEY_ANY },                              /*  2 */
+-	{ OID_SHA224, HASH_SHA224, KEY_ANY },                          /*  3 */
+-	{ OID_SHA256, HASH_SHA256, KEY_ANY },                          /*  4 */
+-	{ OID_SHA384, HASH_SHA384, KEY_ANY },                          /*  5 */
+-	{ OID_SHA512, HASH_SHA512, KEY_ANY },                          /*  6 */
+-	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },                      /*  7 */
+-	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },                      /*  8 */
+-	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },                      /*  9 */
+-	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },                      /* 10 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                        /* 11 */
+-	{ OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },                       /* 12 */
+-	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                       /* 13 */
+-	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },                     /* 14 */
+-	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },                 /* 15 */
+-	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },                 /* 16 */
+-	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },                 /* 17 */
+-	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },                 /* 18 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 19 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 20 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 21 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 22 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                        /* 23 */
+-	{ OID_ED25519, HASH_IDENTITY, KEY_ED25519 },                   /* 24 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 },                    /* 25 */
+-	{ OID_ED448, HASH_IDENTITY, KEY_ED448 },                       /* 26 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 },                      /* 27 */
+-	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },                 /* 28 */
+-	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },             /* 29 */
+-	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },             /* 30 */
+-	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },             /* 31 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },                      /* 32 */
+-
+	{ OID_MD5, HASH_MD5, KEY_ANY },                                /*  0 */
+	{ OID_SHA1, HASH_SHA1, KEY_ANY },                              /*  1 */
+	{ OID_SHA224, HASH_SHA224, KEY_ANY },                          /*  2 */
+	{ OID_SHA256, HASH_SHA256, KEY_ANY },                          /*  3 */
+	{ OID_SHA384, HASH_SHA384, KEY_ANY },                          /*  4 */
+	{ OID_SHA512, HASH_SHA512, KEY_ANY },                          /*  5 */
+	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },                      /*  6 */
+	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },                      /*  7 */
+	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },                      /*  8 */
+	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },                      /*  9 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                        /* 10 */
+	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                       /* 11 */
+	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },                     /* 12 */
+	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },                 /* 13 */
+	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },                 /* 14 */
+	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },                 /* 15 */
+	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },                 /* 16 */
+	{ OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 17 */
+	{ OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 18 */
+	{ OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 19 */
+	{ OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 20 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                        /* 21 */
+	{ OID_ED25519, HASH_IDENTITY, KEY_ED25519 },                   /* 22 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 },                    /* 23 */
+	{ OID_ED448, HASH_IDENTITY, KEY_ED448 },                       /* 24 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 },                      /* 25 */
+	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },                 /* 26 */
+	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },             /* 27 */
+	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },             /* 28 */
+	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },             /* 29 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },                      /* 30 */
+ };
+ 
+ START_TEST(test_hasher_from_oid)
+@@ -174,32 +172,32 @@ typedef struct {
+ 	size_t length;
+ }hasher_auth_t;
+ 
+/* make sure to adjust offsets in constructor when changing this array */
+ static hasher_auth_t auths[] = {
+-	{ AUTH_UNDEFINED, HASH_MD2, 0 },
+-	{ AUTH_UNDEFINED, HASH_MD4, 0 },
+-	{ AUTH_UNDEFINED, HASH_SHA224, 0 },
+-	{ AUTH_UNDEFINED, 9, 0 },
+-	{ AUTH_UNDEFINED, HASH_UNKNOWN, 0 },
+-	{ AUTH_HMAC_MD5_96, HASH_MD5, 12 },
+-	{ AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },
+-	{ AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },
+-	{ AUTH_HMAC_MD5_128, HASH_MD5, 16 },
+-	{ AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },
+-	{ AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 },
+-	{ AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },
+-	{ AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 },
+-	{ AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 },
+-	{ AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 },
+-	{ AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 },
+-	{ AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 },
+-	{ AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },
+-	{ AUTH_DES_MAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },
+-	{ 0, HASH_UNKNOWN, 0 }
+	{ AUTH_UNDEFINED, HASH_MD4, 0 },             /*  0 */
+	{ AUTH_UNDEFINED, HASH_SHA224, 0 },          /*  1 */
+	{ AUTH_UNDEFINED, 9, 0 },                    /*  2 */
+	{ AUTH_UNDEFINED, HASH_UNKNOWN, 0 },         /*  3 */
+	{ AUTH_HMAC_MD5_96, HASH_MD5, 12 },          /*  4 */
+	{ AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },        /*  5 */
+	{ AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },  /*  6 */
+	{ AUTH_HMAC_MD5_128, HASH_MD5, 16 },         /*  7 */
+	{ AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },       /*  8 */
+	{ AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 }, /*  9 */
+	{ AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },       /* 10 */
+	{ AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 }, /* 11 */
+	{ AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 }, /* 12 */
+	{ AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 }, /* 13 */
+	{ AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 }, /* 14 */
+	{ AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 }, /* 15 */
+	{ AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },       /* 16 */
+	{ AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },      /* 17 */
+	{ AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },      /* 18 */
+	{ AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },      /* 19 */
+	{ AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },       /* 20 */
+	{ AUTH_DES_MAC, HASH_UNKNOWN, 0 },           /* 21 */
+	{ AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },  /* 22 */
+	{ 0, HASH_UNKNOWN, 0 }                       /* 23 */
+ };
+ 
+ START_TEST(test_hasher_from_integrity)
+@@ -237,7 +235,6 @@ static hasher_ikev2_t ikev2[] = {
+ 	{ HASH_SHA384,   TRUE  },
+ 	{ HASH_SHA512,   TRUE  },
+ 	{ HASH_UNKNOWN,  FALSE },
+-	{ HASH_MD2,      FALSE },
+ 	{ HASH_MD4,      FALSE },
+ 	{ HASH_MD5,      FALSE },
+ 	{ HASH_SHA224,   FALSE },
+@@ -262,15 +259,15 @@ Suite *hasher_suite_create()
+ 	s = suite_create("hasher");
+ 
+ 	tc = tcase_create("from_oid");
+-	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 28);
+	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 26);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("to_oid");
+-	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 12);
+	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 11);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("sig_to_oid");
+-	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 11, countof(oids));
+	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 10, countof(oids));
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("from_sig_scheme");
+@@ -283,11 +280,11 @@ Suite *hasher_suite_create()
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("from_integrity");
+-	tcase_add_loop_test(tc, test_hasher_from_integrity, 4, countof(auths));
+	tcase_add_loop_test(tc, test_hasher_from_integrity, 3, countof(auths));
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("to_integrity");
+-	tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
+	tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 16);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("for_ikev2");
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,36 +1,80 @@
 %global _hardened_build 1
 #%%define prerelease dr1
+%global dist .nhrp.11%{?dist}
+
+# pytho vici bindings cannot build without network, so temp. disabled
+%bcond_with python3
+%bcond_without perl
+# checks fail for test_params_parse_rsa_pss
+%bcond_with    check
+
+%global forgeurl0 https://github.com/strongswan/strongswan

 Name:           strongswan
-Version:        5.8.2
-Release:        5%{?dist}
+Version:        6.0.2
+Release:        %autorelease
 Summary:        An OpenSource IPsec-based VPN and TNC solution
-License:        GPLv2+
-URL:            http://www.strongswan.org/
-Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
-Source1:	tmpfiles-strongswan.conf
-Patch1:         strongswan-5.6.0-uintptr_t.patch
-Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
-Patch4:         strongswan-5.8.2-extern-global.patch
+# Automatically converted from old format: GPLv2+ - review is highly recommended.
+License:        GPL-2.0-or-later
+URL:            https://www.strongswan.org/
+VCS:            git:%{forgeurl0}
+Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
+Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
+Source3:        tmpfiles-strongswan.conf
+# https://github.com/strongswan/strongswan/issues/1198  (also pinged upstream via email)
+Patch1:         strongswan-5.9.7-error-no-format.patch
+# Use isolation to prevent pip attempting to download during build
+Patch2:         strongswan-6.0.2-no-isolation.patch
+# Remove MD2, which causes test case failures due to fedora crypto policies
+# https://github.com/strongswan/strongswan/commit/b3011e8e87a1fad1bfb026448fc37b80b7cfc007
+Patch3:         strongswan-6.0.2-no-md5-b3011e8e.patch

-# only needed for pre-release versions
-#BuildRequires:  autoconf automake
+Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
+Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
+Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
+Patch13:        0004-Support-GRE-key-in-selectors.patch

+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gnupg2
+BuildRequires:  libtool
+BuildRequires:  make
 BuildRequires:  gcc
+BuildRequires:  systemd
 BuildRequires:  systemd-devel
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
+%if 0%{?fedora} >= 41
+# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+BuildRequires:  openssl-devel-engine
+%endif
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
-BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
-BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
+BuildRequires:  libcap-devel
+BuildRequires:  tpm2-tss-devel
+Recommends:     tpm2-tools
+
+%if %{with python3}
+BuildRequires:  python3-devel
+BuildRequires:  python3-build
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-daemon
+BuildRequires:  python3-pytest
+%endif
+
+%if %{with perl}
+BuildRequires:  perl-devel perl-generators
+BuildRequires:  perl(ExtUtils::MakeMaker)
+%endif

 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -51,8 +95,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
+Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
+Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -60,14 +104,14 @@ to NetworkManager.

 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: %{name} = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.

 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-sqlite = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
+Requires: strongswan-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -78,15 +122,44 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.

+%if %{with python3}
+%package -n python3-vici
+Summary: Strongswan Versatile IKE Configuration Interface python bindings
+BuildArch: noarch
+%description -n python3-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) python bindings provides module
+for Strongswan runtime configuration from python applications.
+
+%endif
+
+%if %{with perl}
+%package -n perl-vici
+Summary: Strongswan Versatile IKE Configuration Interface perl bindings
+BuildArch: noarch
+%description -n perl-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) perl bindings provides module
+for Strongswan runtime configuration from perl applications.
+%endif
+
+# TODO: make also ruby-vici
+
+
 %prep
-%setup -q -n %{name}-%{version}%{?prerelease}
-%patch1 -p1
-%patch3 -p1
-%patch4 -p1
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -n %{name}-%{version}%{?prerelease} -p1

 %build
 # only for snapshots
-#autoreconf
+export ACLOCAL_PATH=/usr/share/gettext/m4:$ACLOCAL_PATH
+autoreconf -fiv

 # --with-ipsecdir moves internal commands to /usr/libexec/strongswan
 # --bindir moves 'pki' command to /usr/libexec/strongswan
@@ -99,9 +172,9 @@ PT-TLS to support TNC over TLS.
    --bindir=%{_libexecdir}/strongswan \
    --with-ipseclibdir=%{_libdir}/strongswan \
    --with-piddir=%{_rundir}/strongswan \
-    --with-fips-mode=2 \
+    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
    --enable-bypass-lan \
-    --enable-tss-trousers \
+    --enable-tss-tss2 \
    --enable-nm \
    --enable-systemd \
    --enable-openssl \
@@ -111,6 +184,7 @@ PT-TLS to support TNC over TLS.
    --enable-gcm \
    --enable-chapoly \
    --enable-md4 \
+    --enable-ml \
    --enable-gcrypt \
    --enable-newhope \
    --enable-xauth-eap \
@@ -156,8 +230,6 @@ PT-TLS to support TNC over TLS.
    --enable-imv-attestation \
    --enable-imv-os \
    --enable-imc-os \
-    --enable-imc-swid \
-    --enable-imv-swid \
    --enable-imc-swima \
    --enable-imv-swima \
    --enable-imc-hcd \
@@ -165,24 +237,74 @@ PT-TLS to support TNC over TLS.
    --enable-curl \
    --enable-cmd \
    --enable-acert \
-    --enable-aikgen \
    --enable-vici \
    --enable-swanctl \
    --enable-duplicheck \
+    --enable-selinux \
+    --enable-stroke \
 %ifarch x86_64 %{ix86}
    --enable-aesni \
 %endif
-    --enable-kernel-libipsec
+%if %{with python3}
+    PYTHON=%{python3} --enable-python-wheels \
+%endif
+%if %{with perl}
+    --enable-perl-cpan \
+%endif
+%if %{with check}
+    --enable-test-vectors \
+%endif
+    --enable-kernel-libipsec \
+    --with-capabilities=libcap \
+    CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"

 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
    echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done

-make %{?_smp_mflags}
+# ensure manual page is regenerated with local configuration
+rm -f src/ipsec/_ipsec.8
+
+%make_build
+
+pushd src/libcharon/plugins/vici
+
+%if %{with python3}
+  pushd python
+    %make_build
+    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
+    #py3_build
+  popd
+%endif
+
+%if %{with perl}
+  pushd perl/Vici-Session/
+    perl Makefile.PL INSTALLDIRS=vendor
+    %make_build
+  popd
+%endif
+
+popd

 %install
-make install DESTDIR=%{buildroot}
+%make_install
+
+
+pushd src/libcharon/plugins/vici
+%if %{with python3}
+  pushd python
+    # TODO: --enable-python-eggs breaks our previous build. Do it now
+    # propose better way to upstream
+    %pyproject_wheel
+    %pyproject_install
+  popd
+%endif
+%if %{with perl}
+  %make_install -C perl/Vici-Session
+  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
+%endif
+popd
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
    if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -201,21 +323,35 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
    install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
-install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
+
+%check
+%if %{with check}
+  # Seen some tests hang. Ensure we do not block builder forever
+  export TESTS_VERBOSITY=1
+  timeout 600 %make_build check
+%endif
+%if %{with python}
+  pushd src/libcharon/plugins/vici
+    %pytest
+  popd
+%endif
+:

 %post
-%systemd_post %{name}.service
+%systemd_post strongswan.service strongswan-starter.service

 %preun
-%systemd_preun %{name}.service
+%systemd_preun strongswan.service strongswan-starter.service

 %postun
-%systemd_postun_with_restart %{name}.service
+%systemd_postun_with_restart strongswan.service strongswan-starter.service

 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
@@ -228,6 +364,7 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_sbindir}/strongswan
 %{_sbindir}/swanctl
 %{_libdir}/strongswan/*.so.*
+%{_libdir}/strongswan/plugins/*.so.*
 %exclude %{_libdir}/strongswan/libimcv.so.*
 %exclude %{_libdir}/strongswan/libtnccs.so.*
 %exclude %{_libdir}/strongswan/libipsec.so.*
@@ -245,6 +382,7 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
 %attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf

 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -271,494 +409,19 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm

+%if %{with python3}
+%files -n python3-vici
+%license COPYING
+%doc src/libcharon/plugins/vici/python/README.rst
+%{python3_sitelib}/vici
+%{python3_sitelib}/vici-%{version}.dist-info
+%endif
+
+%if %{with perl}
+%license COPYING
+%files -n perl-vici
+%{perl_vendorlib}/Vici
+%endif
+
 %changelog
-* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
- Patch to declare a global variable with extern (#1800117)
-
-* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
- use tmpfile to ensure rundir is present
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
- Use /run/strongswan as rundir to support strongswans in namespaces
-
-* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
- Update to 5.8.2 (#1784457)
- The D-Bus config file moved under datadir
-
-* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
- Update to 5.8.1 (#1711920)
- No more separate strongswan-swanctl.service to start out of order (#1775548)
- Added strongswan-starter.service
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
- Updated to 5.7.2
-
-* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
- Updated to 5.7.1
- Resolves rhbz#1635872 CVE-2018-16152
- Resolves rhbz#1635875 CVE-2018-16151
-
-* Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
- Add plugin bypass-lan, disabled by default
- Resolves rhbz#1554479 Update to strongswan-charon-nm fails
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Tue May 29 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-1
- New version 5.6.3
-
-* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-6
- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c
-
-* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-5
- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server
- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin
-
-* Sun May 20 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.2-3
- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package
-  sqlite (#1579945)
-
-* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 5.6.2-2
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
-
-* Wed Feb 21 2018 Lubomir Rintel <lkundrak@v3.sk> - 5.6.2-1
- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm)
-
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Fri Dec 22 2017 Paul Wouters <pwouters@redhat.com> - 5.6.1-1
- Updated to 5.6.1 (RSA-PSS support)
-
-* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 5.6.0-3
- Rebuilt for libjson-c.so.3
-
-* Fri Dec 01 2017 Lubomir Rintel <lkundrak@v3.sk> - 5.6.0-2
- Fix the placement of charon-nm D-Bus policy
-
-* Sat Sep 09 2017 Paul Wouters <pwouters@redhat.com> - 5.6.0-1
- Updated to 5.6.0
- Fixup configure arguments, enabled a bunch of new features
- Added new BuildRequires:
- Fixup Obsolete/Conflicts, use license macro
- Don't require autoconf/autotools for non-snapshots
- Remove macro overuse, remove fedora/rhel checks and sysvinit support
- Make listings/grouping of all plugins/libs to reduce file listing
-
-* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Mon Jun 12 2017 Paul Wouters <pwouters@redhat.com> - 5.5.3-1
- Updated to 5.5.3
-
-* Sat May 27 2017 Paul Wouters <pwouters@redhat.com> - 5.5.2-1
- Updated to 5.5.2
-
-* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Thu Sep 15 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-2
- Resolves: #1367796 - Enable the unity plugin
-
-* Mon Aug 08 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-1
- New version 5.5.0
-
-* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com>
- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters
-
-* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com> - 5.4.0-1
- New version 5.4.0
-
-* Thu Mar 03 2016 Pavel Šimerda <psimerda@redhat.com> - 5.3.5-1
- New version 5.3.5
-
-* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Fri Jan 15 2016 Paul Wouters <pwouters@redhat.com> - 5.3.3-2
- Enable IKEv2 GCM (requires gcrypt module as well)
-
-* Tue Sep 29 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.3-1
- new version 5.3.3
-
-* Thu Sep 24 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.2-3
- Resolves: #1264598 - strongswan: many configuration files are not protected
-
-* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Tue Jun 09 2015 Pavel Šimerda <psimerda@redhat.com>
- new version 5.3.2
-
-* Fri Jun 05 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.1-1
- new version 5.3.1
-
-* Tue Mar 31 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.0-1
- new version 5.3.0
-
-* Fri Feb 20 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-2
- Fixes strongswan swanctl service issue rhbz#1193106
-
-* Tue Jan 06 2015 Pavel Šimerda <psimerda@redhat.com> - 5.2.2-1
- new version 5.2.2
-
-* Thu Dec 18 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.2.dr1
- Enabled ccm, and ctr plugins as it seems enabling just openssl does
-  not work for using ccm and ctr algos.
-
-* Mon Dec 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.1.dr1
- New strongswan developer release 5.2.2dr1
-
-* Mon Nov 24 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-2
- 1167331: Enabled native systemd support.
- Does not disable old systemd, starter, ipsec.conf support yet.
-
-* Thu Oct 30 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-1
- New upstream release 5.2.1
-
-* Thu Oct 16 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-0.2.rc1
- New upstream release candidate 5.2.1rc1
-
-* Fri Oct 10 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.1-1
- new version 5.2.1dr1
-
-* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-7
- use upstream patch for json/json-c dependency
-
-* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-6
- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin
-
-* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Tue Aug 05 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-4
- Resolves: #1081804 - enable Kernel IPSec support
-
-* Wed Jul 30 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-3
- rebuilt
-
-* Tue Jul 29 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-2
- fix json-c dependency
-
-* Tue Jul 15 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0-1
- New upstream release 5.2.0
- The Attestation IMC/IMV pair supports the IMA-NG
-  measurement format
- Aikgen tool to generate an Attestation Identity Key bound
-  to a TPM
- Swanctl tool to provide a portable, complete IKE
-  configuration and control interface for the command
-  line using vici interface with libvici library
- PT-EAP transport protocol (RFC 7171) for TNC
- Enabled support for acert for checking X509 attribute certificate
- Updated patches, removed selinux patch as upstream has fixed it
-  in this release.
- Updated spec file with minor cleanups
-
-* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.4.dr6
- improve prerelease macro
-
-* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.3
- Resolves: #1111895 - bump to 5.2.0dr6
-
-* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.2
- Related: #1087437 - remove or upstream all patches not specific to fedora/epel
-
-* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.1.dr5
- fix the pre-release version according to guidelines before it gets branched
-
-* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr5-1
- new version 5.2.0dr5
- add json-c-devel to build deps
-
-* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-3
- merge two related patches
-
-* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-2
- clean up the patches a bit
-
-* Thu May 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0dr4-1
- New upstream developer release 5.2.0dr4
- Attestation IMV/IMC supports IMA-NG measurement format now
- Aikgen tool to generate an Attestation Identity Key bound
-  to a TPM
- PT-EAP transport protocol (RFC 7171) for TNC
- vici plugin provides IKE Configuration Interface for charon
- Enabled support for acert for checking X509 attribute certificate
- Updated patches
- Updated spec file with minor cleanups
-
-* Tue Apr 15 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3-1
- new version 5.1.3
-
-* Mon Apr 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3rc1-1
- new version 5.1.3rc1
-
-* Mon Mar 24 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-4
- #1069928 - updated libexec patch.
-
-* Tue Mar 18 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-3
- fixed el6 initscript
- fixed pki directory location
-
-* Fri Mar 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-2
- clean up the specfile a bit
- replace the initscript patch with an individual initscript
- patch to build for epel6
-
-* Mon Mar 03 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-1
- #1071353 - bump to 5.1.2
- #1071338 - strongswan is compiled without xauth-pam plugin
- remove obsolete patches
- sent all patches upstream
- added comments to all patches
- don't touch the config with sed
-
-* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-6
- Fixed full hardening for strongswan (full relro and PIE).
-  The previous macros had a typo and did not work
-  (see bz#1067119).
- Fixed tnc package description to reflect the current state of
-  the package.
- Fixed pki binary and moved it to /usr/libexece/strongswan as
-  others binaries are there too.
-
-* Wed Feb 19 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-5
- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
-
-* Thu Jan 09 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-4
- Removed redundant patches and *.spec commands caused by branch merging
-
-* Wed Jan 08 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-3
- rebuilt
-
-* Mon Dec 2 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-2
- Resolves: 973315
- Resolves: 1036844
-
-* Fri Nov 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-1
- Support for PT-TLS  (RFC 6876)
- Support for SWID IMC/IMV
- Support for command line IKE client charon-cmd
- Changed location of pki to /usr/bin
- Added swid tags files
- Added man pages for pki and charon-cmd
- Renamed pki to strongswan-pki to avoid conflict with
-  pki-core/pki-tools package.
- Update local patches
- Fixes CVE-2013-6075
- Fixes CVE-2013-6076
- Fixed autoconf/automake issue as configure.ac got changed
-  and it required running autoreconf during the build process.
- added strongswan signature file to the sources.
-
-* Thu Sep 12 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-3
- Fixed initialization crash of IMV and IMC particularly
-  attestation imv/imc as libstrongswas was not getting
-  initialized.
-
-* Fri Aug 30 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-2
- Enabled fips support
- Enabled TNC's ifmap support
- Enabled TNC's pdp support
- Fixed hardocded package name in this spec file
-
-* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
- rhbz#981429: New upstream release
- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
- Fixes rhbz#991859 failed to build in rawhide
- Updated local patches and removed which are not needed
- Fixed errors around charon-nm
- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
-  libstrongswan-sshkey.so
- Added utility imv_policy_manager
-
-* Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
- rename strongswan-NetworkManager to strongswan-charon-nm
- fix enable_nm macro
-
-* Mon Jul 15 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-4
- %%files tries to package some of the shared objects as directories (#984437)
- fix broken systemd unit file (#984300)
- fix rpmlint error: description-line-too-long
- fix rpmlint error: macro-in-comment
- fix rpmlint error: spelling-error Summary(en_US) fuctionality
- depend on 'systemd' instead of 'systemd-units'
- use new systemd scriptlet macros
- NetworkManager subpackage should have a copy of the license (#984490)
- enable hardened_build as this package meets the PIE criteria (#984429)
- invocation of "ipsec _updown iptables" is broken as ipsec is renamed
-  to strongswan in this package (#948306)
- invocation of "ipsec scepclient" is broken as ipsec is renamed
-  to strongswan in this package
- add /etc/strongswan/ipsec.d and missing subdirectories
- conditionalize building of strongswan-NetworkManager subpackage as the
-  version of NetworkManager in EL6 is too old (#984497)
-
-* Fri Jun 28 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-3
- Patch to fix a major crash issue when Freeradius loads
-  attestatiom-imv and does not initialize libstrongswan which
-  causes crash due to calls to PTS algorithms probing APIs.
-  So this patch fixes the order of initialization. This issues
-  does not occur with charon because libstrongswan gets
-  initialized earlier.
- Patch that allows to outputs errors when there are permission
-  issues when accessing strongswan.conf.
- Patch to make loading of modules configurable when libimcv
-  is used in stand alone mode without charon with freeradius
-  and wpa_supplicant.
-
-* Tue Jun 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-2
- Enabled TNCCS 1.1 protocol
- Fixed libxm2-devel build dependency
- Patch to fix the issue with loading of plugins
-
-* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
- New upstream release
- Fixes for CVE-2013-2944
- Enabled support for OS IMV/IMC
- Created and applied a patch to disable ECP in fedora, because
-  Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
-  it non-compliant to TCG's PTS standard, but there is no choice
-  right now. see redhat bz # 319901.
- Enabled Trousers support for TPM based operations.
-
-* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
- Rebuilt for a single specfile for rawhide/f19/f18/el6
-
-* Fri Apr 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.3-1
- New upstream release
- Enabled curl and eap-identity plugins
- Enabled support for eap-radius plugin.
-
-* Thu Apr 18 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.2-3
- Add gettext-devel to BuildRequires because of epel6
- Remove unnecessary comments
-
-* Tue Mar 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-2
- Enabled support for eap-radius plugin.
-
-* Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
- Update to upstream release 5.0.2
- Created sub package strongswan-tnc-imcvs that provides trusted network
-  connect's IMC and IMV funtionality. Specifically it includes PTS
-  based IMC/IMV for TPM based remote attestation and scanner and test
-  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
-  by any third party TNC Client/Server implementation possessing a
-  standard IF-IMC/IMV interface.
-
-* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
-
-* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.1-1
- Update to release 5.0.1
-
-* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-4.git20120619
- Add plugins to interoperate with Windows 7 and Android (#862472)
-  (contributed by Haim Gelfenbeyn)
-
-* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.0-3.git20120619
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Sun Jul 08 2012 Pavel Šimerda <pavlix@pavlix.net> - 5.0.0-2.git20120619
- Fix configure substitutions in initscripts
-
-* Wed Jul 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-1.git20120619
- Update to current upstream release
- Comment out all stuff that is only needed for git builds
- Remove renaming patch from git
- Improve init patch used for EPEL
-
-* Thu Jun 21 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.3.git20120619
- Build with openssl plugin enabled
-
-* Wed Jun 20 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.2.git20120619
- Add README.Fedora with link to 4.6 to 5.0 migration information
-
-* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619
- Snapshot of upcoming major release
- Move patches and renaming upstream
-  http://wiki.strongswan.org/issues/194
-  http://wiki.strongswan.org/issues/195
- Notified upstream about manpage issues
-
-* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2
- Make initscript patch more distro-neutral
- Add links to bugreports for patches
-
-* Fri Jun 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.4-1
- New upstream version (CVE-2012-2388)
-
-* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-2
- Add --enable-nm to configure
- Add NetworkManager-devel to BuildRequires
- Add NetworkManager-glib-devel to BuildRequires
- Add strongswan-NetworkManager package
-
-* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-1
- New version of Strongswan
- Support for RFC 3110 DNSKEY (see upstream changelog)
- Fix corrupt scriptlets
-
-* Fri Mar 30 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-2
- #808612 - strongswan binary renaming side-effect
-
-* Sun Feb 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-1
- New upstream version
- Changed from .tar.gz to .tar.bz2
- Added libstrongswan-pkcs8.so
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-8
- Fix initscript's status function
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-7
- Expand tabs in config files for better readability
- Add sysvinit script for epel6
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-6
- Fix program name in systemd unit file
-
-* Tue Feb 14 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-5
- Improve fedora/epel conditionals
-
-* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-4
- Protect configuration directory from ordinary users
- Add still missing directory /etc/strongswan
-
-* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-3
- Change directory structure to avoid clashes with Openswan
- Prefixed all manpages with 'strongswan_'
- Every file now includes 'strongswan' somewhere in its path
- Removed conflict with Openswan
- Finally fix permissions on strongswan.conf
-
-* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-2
- Change license tag from GPL to GPLv2+
- Change permissions on /etc/strongswan.conf to 644
- Rename ipsec.8 manpage to strongswan.8
- Fix empty scriptlets for non-fedora builds
- Add ldconfig scriptlet
- Add missing directories and files
-
-* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.1-1
- Bump to version 4.6.1
-
-* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.0-3
- Add systemd scriptlets
- Add conditions to also support EPEL6
-
-* Sat Dec 10 2011 Pavel Šimerda <pavlix@pavlix.net> - 4.6.0-2
- Experimental build for development
+%autochangelog
Author	SHA1	Message	Date
Zoran Peričić	00883c0a68	Support GRE key in selectors	2025-10-11 15:26:17 +02:00
Zoran Peričić	42cc29e3c6	Patch vici for NHRP	2025-10-11 15:26:17 +02:00
Paul Wouters	cf44976287	Enable ML-KEM	2025-09-25 13:57:21 -04:00
Paul Wouters	043053ad27	Re-enable python subpackage, re-enable upstream tests - patch to use --no-isolation with python by Carlos Rodriguez-Fernandez - python dependencies fixed so pip no longer tries to download items - apply upstream patch to remove md2 support - now all tests pass again	2025-09-24 15:44:22 -04:00
Paul Wouters	84430ef729	Convert to %autorelease and %autochangelog [skip changelog]	2025-09-11 10:58:08 -04:00
Paul Wouters	efe247ce1b	Update to 6.0.2 (rhbz#2312429) - Disable vici python bindings as it does not build offline yet - Stop using old pythin macros (rhbz#2378468) - Remove old trouser support conditional - Add strongswan-6.0.2-no-isolation.patch - strongswan-5.6.0-uintptr_t.patch and gcc15 patches no longer needed	2025-09-11 09:55:37 -04:00
Carlos Rodriguez-Fernandez	fdcc203679	Fix ipsec.d cacerts removing system ca	2025-08-25 08:42:03 -07:00
Carlos Rodriguez-Fernandez	01038af28f	Link new system ca bundle in the ipsec.d cacerts	2025-08-22 10:16:45 -07:00
Python Maint	d7d39ff599	Rebuilt for Python 3.14.0rc2 bytecode	2025-08-15 15:19:05 +02:00
Carlos Rodriguez-Fernandez	83e7e49414	Correct release number	2025-08-14 13:37:29 -07:00
Carlos Rodriguez-Fernandez	a7a616463d	Fix build issue (rhbz#2368971)	2025-08-14 13:09:22 -07:00
Fedora Release Engineering	974c23787b	Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild	2025-07-25 18:48:51 +00:00
Python Maint	4338448384	Rebuilt for Python 3.14	2025-06-02 22:55:42 +02:00
Yaakov Selkowitz	2a89bad808	Fix build with GCC 15 GCC 15 defaults to C23, which is stricter in mutiple ways. Some fixes were already included in 6.0.1, but some were just merged upstream and not yet released.	2025-03-19 14:44:30 -04:00
Yaakov Selkowitz	3d23992091	Fix build with automake-1.17 The original source tarball has something out of sync, which triggers calls to aclocal/automake after running configure. Since it was generated with automake 1.16, it expects that exact version, and fails now in F42+ with 1.17. Running autoreconf to force a regeneration avoids this.	2025-03-19 14:41:03 -04:00
Fedora Release Engineering	17e64c709c	Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild	2025-01-19 11:48:20 +00:00
Michel Lind	78d3aed4af	Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335) Signed-off-by: Michel Lind <salimma@fedoraproject.org>	2024-07-27 21:40:43 -05:00
Miroslav Suchý	3bf66dd5e8	convert GPLv2+ license to SPDX This is part of https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_4	2024-07-26 03:05:56 +02:00
Fedora Release Engineering	279afb5fc2	Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild	2024-07-20 06:34:35 +00:00
Python Maint	9c80b5c38a	Rebuilt for Python 3.13	2024-06-07 10:59:25 +02:00
Paul Wouters	2ba804af93	* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1 - Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE - Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling - Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len) - Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)	2024-05-31 18:21:01 -04:00
Fedora Release Engineering	19c48bd52d	Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild	2024-01-27 04:30:59 +00:00
Fedora Release Engineering	c14cb600a0	Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2023-07-22 02:39:37 +00:00
Paul Wouters	9e397bfc7d	new sources	2023-07-17 17:14:14 -04:00
Paul Wouters	9d159bf0d0	- Resolves: rhbz#2214186 strongswan-5.9.11 is available	2023-07-14 13:45:25 -04:00
Python Maint	f779b6c7bb	Rebuilt for Python 3.12	2023-06-13 23:05:47 +02:00
Paul Wouters	9d642ad352	no longer use patches merged upstream	2023-03-02 11:02:38 -05:00
Paul Wouters	0132cc5668	- Update to 5.9.10	2023-03-02 10:24:58 -05:00
Paul Wouters	33fb3b13a3	- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods	2023-02-28 17:38:50 -05:00
Petr Menšík	6000262f47	Use configure paths in manual pages (#2106120 )	2023-01-16 19:46:37 +01:00
Petr Menšík	d7206ab591	Switch all URLs to https Include also github repository link in package to simplify upstream changes tracking.	2023-01-16 14:04:39 +01:00
Petr Menšík	585aca3015	Update to 5.9.9 (#2157850 )	2023-01-15 15:33:16 +01:00
Jitka Plesnikova	ea8056eb33	Add BR perl-generators to automatically generates run-time dependencies for installed Perl files	2022-12-08 16:46:43 +01:00
Paul Wouters	199f1d8708	fixup systemd build requires	2022-10-16 22:42:15 -04:00
Paul Wouters	243ac7aa4a	remove obsoleted --enable-imc-swid, --enable-imv-swid	2022-10-16 21:55:29 -04:00
Arne Reiter	d8e91f4aa4	Resolves rhbz#2112274 strongswan-5.9.8 is available Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security Add BuildRequire for autoconf and automake, now required for release Remove obsolete patches	2022-10-16 11:47:16 +02:00
Fedora Release Engineering	27a4aa8167	Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2022-07-23 09:32:45 +00:00
Petr Menšík	ea8baece11	fixup! Remove signature key from a cache, include it inside git	2022-06-23 19:41:55 +02:00
Petr Menšík	de70bbe3c5	Remove signature key from a cache, include it inside git Key should be tracked by git. It is small and should not change very often. Ensure signature has trust anchor.	2022-06-23 17:15:48 +02:00
Arne Reiter	271d4eca54	Resolves rhbz#2080070 strongswan-5.9.6 is available	2022-06-23 08:54:21 +02:00
Arne Reiter	9f5e4942d3	Resolves rhbz#2080070 strongswan-5.9.6 is available	2022-06-22 18:02:45 +02:00
Python Maint	15e47bc297	Rebuilt for Python 3.11	2022-06-13 17:17:06 +02:00
Davide Cavalca	c164f65462	Fix changelog entry	2022-03-04 20:49:42 -08:00
reitear	29f8c752f8	Resolves: rhbz#048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6	2022-03-04 23:44:00 +01:00
Paul Wouters	e2ccbbed7e	- Use newly published/cleaned strongswan gpg key	2022-01-25 09:14:37 -05:00
Paul Wouters	3f12242eea	- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)	2022-01-24 22:05:17 -05:00
Fedora Release Engineering	3067ecdcc7	- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2022-01-22 01:46:58 +00:00
Neal Gompa	2f04e6389f	Disable TPM/TSS 1.2 support for F36+ / RHEL9+ TPM/TSS 1.2 has long since been superseded by TPM/TSS 2.0, and trousers is more or less dead and replaced by the tpm-tss toolkit for TPM/TSS 2.0. Resolves: rhbz#2033299	2021-12-16 08:22:26 -05:00
Petr Menšík	b7c6e022d4	Add timeout and verbosity to tests In case any test hangs, ensure it would release builder. Increase verbosity to know more about possible failures. Interactive debugging is not possible on builders.	2021-11-12 21:12:04 +01:00
Petr Menšík	0e9ffbc66d	Enable additional module for testing	2021-11-12 21:12:04 +01:00
Petr Menšík	f751d41f23	Add quirks needed for python install --enable-python-eggs is required to provide correct version. But otherwise does different thing than is required for python bindings package. Rebuild python after installation of main package, because it changed destination directory used later by install. Related: rhbz#1419441	2021-11-12 21:12:04 +01:00
Petr Menšík	3d925e79dd	Add optional support for tests running Now my tests did not finish successfully even on local build. Not enabling them by default.	2021-11-12 21:12:02 +01:00
Petr Menšík	b097119cff	Add pytest	2021-11-12 21:10:01 +01:00
Petr Menšík	a894518822	Add python3 and perl vici bindings Work in progress to enable vici bindings. It seems they are not under active support, because changes required for python3 are not in upstream code.	2021-11-12 21:09:58 +01:00
Paul Wouters	8d04445d34	strongswan: don't use RuntimeDirectory in systemd service file Because there are two services, strongswan and strongswan-starter that use this directory. Otherwise when stopping a service, the directory is removed from /run and the other service that does not start anymore. Also cleanup old patches that are obsolete.	2021-11-08 20:45:23 -05:00
Paul Wouters	28ee63eed5	* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1 - Resolves: rhbz#2015165 strongswan-5.9.4 is available - Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature - Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache - Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools	2021-10-20 17:47:06 -04:00
Sahana Prasad	23b5b73cd8	Rebuilt with OpenSSL 3.0.0	2021-09-14 19:15:51 +02:00
Fedora Release Engineering	48629b5950	- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2021-07-23 18:23:56 +00:00
Björn Esser	8ce4072e4d	Rebuild for versioned symbols in json-c	2021-07-10 11:58:08 +02:00
Paul Wouters	6ccc325c15	- Resolves: rhbz#1979574 strongswan-5.9.3 is available - Make strongswan main dir world readable so apps can find strongswan.conf	2021-07-06 17:31:55 -04:00
Paul Wouters	4d2f255b10	- Resolves: rhbz#1896545 strongswan-5.9.2 is available	2021-06-02 20:28:03 -04:00
Zbigniew Jędrzejewski-Szmek	12be37ab1b	Rebuilt for updated systemd-rpm-macros See https://pagure.io/fesco/issue/2583.	2021-03-02 16:12:17 +01:00
Paul Wouters	dafd128e1f	update rundir patch	2021-02-12 14:07:45 -05:00
Paul Wouters	7e67e8cca6	- Resolves: rhbz# 1896545 strongswan-5.9.1 is available	2021-02-12 13:52:44 -05:00
Paul Wouters	04aee4b450	update changelog with rhbz	2021-02-12 13:47:19 -05:00
Davide Cavalca	8f80a71a01	Build with with capabilities support	2021-02-11 13:26:29 -08:00
Fedora Release Engineering	5449a7c2dc	- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2021-01-27 21:09:17 +00:00
Tom Stellard	0bc1b9e952	Add BuildRequires: make https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot	2021-01-08 22:02:14 +00:00
Paul Wouters	d2bf10503b	* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2 - Resolves: rhbz#1886759 charon looking for certificates in the wrong place	2020-10-22 12:46:04 -04:00
Paul Wouters	206f1fff39	* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1 - Resolves: rhbz#1861747 strongswan-5.9.0 is available - Remove --enable-fips-mode=2, which defaults strongswan to FIPS only. (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)	2020-09-28 13:15:59 -04:00
Fedora Release Engineering	c671c8eddf	- Second attempt - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2020-08-01 09:12:59 +00:00
Fedora Release Engineering	2054770361	- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2020-07-29 11:35:14 +00:00
Björn Esser	1bd38c323e	Rebuild (json-c)	2020-04-22 00:12:55 +02:00
Mikhail Zabaluev	6c46f34786	Patch0: Add RuntimeDirectory options to service files (#1789263 )	2020-04-12 12:13:28 +03:00
Mikhail Zabaluev	66c97839f3	Updated to 5.8.4 Patch4 has been applied upstream	2020-04-12 11:24:37 +03:00