5.9.14 - New patches

- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)

.gitignore

@@ -1 +1,21 @@
-/strongswan-5.6.3.tar.bz2
+/strongswan-5.8.4.tar.bz2
+/strongswan-5.9.0.tar.bz2
+/strongswan-5.9.1.tar.bz2
+/strongswan-5.9.2.tar.bz2
+/strongswan-5.9.3.tar.bz2
+/strongswan-5.9.4.tar.bz2
+/948F158A4E76A27BF3D07532DF42C170B34DBA77
+/strongswan-5.9.5.tar.bz2
+/strongswan-5.9.5.tar.bz2.sig
+/strongswan-5.9.6.tar.bz2
+/strongswan-5.9.6.tar.bz2.sig
+/strongswan-5.9.8.tar.bz2
+/strongswan-5.9.8.tar.bz2.sig
+/strongswan-5.9.9.tar.bz2
+/strongswan-5.9.9.tar.bz2.sig
+/strongswan-5.9.10.tar.bz2
+/strongswan-5.9.10.tar.bz2.sig
+/strongswan-5.9.11.tar.bz2
+/strongswan-5.9.11.tar.bz2.sig
+/strongswan-5.9.14.tar.bz2
+/strongswan-5.9.14.tar.bz2.sig

0001-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -0,0 +1,476 @@
+From 1baf500104e963e0d0d410c95e7dcec899173b77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
+Date: Tue, 9 Jul 2024 19:07:57 +0200
+Subject: [PATCH 1/4] charon: add optional source and remote overrides for
+ initiate
+
+This introduces support for specifying optional IKE SA specific
+source and remote address for child sa initiation. This allows
+to initiate wildcard connection for known address via vici.
+
+In addition this allows simpler implementation of trap-any patches
+and is a prerequisite for dmvpn support.
+---
+ src/libcharon/control/controller.c        | 34 ++++++++++++++++--
+ src/libcharon/control/controller.h        | 28 +++++++++++++++
+ src/libcharon/plugins/vici/vici_control.c | 41 +++++++++++++++++----
+ src/libcharon/sa/ike_sa_manager.c         | 34 +++++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.h         | 25 ++++++++++++-
+ src/libcharon/sa/trap_manager.c           | 44 +++++++++--------------
+ src/swanctl/commands/initiate.c           | 19 +++++++++-
+ 7 files changed, 186 insertions(+), 39 deletions(-)
+
+diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
+index 027f48e93..26501768d 100644
+--- a/src/libcharon/control/controller.c
++++ b/src/libcharon/control/controller.c
+@@ -1,4 +1,6 @@
+ /*
++ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
++ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2011-2023 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+@@ -107,6 +109,16 @@ struct interface_listener_t {
+ 	 */
+ 	ike_sa_t *ike_sa;
+ 
++	/**
++	 * Our host hint.
++	 */
++	host_t *my_host;
++
++	/**
++	 * Other host hint.
++	 */
++	host_t *other_host;
++
+ 	/**
+ 	 * unique ID, used for various methods
+ 	 */
+@@ -417,10 +429,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+ 	ike_sa_t *ike_sa;
+ 	interface_listener_t *listener = &job->listener;
+ 	peer_cfg_t *peer_cfg = listener->peer_cfg;
++	host_t *my_host = listener->my_host;
++	host_t *other_host = listener->other_host;
+ 
+-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+-														peer_cfg);
++	ike_sa = charon->ike_sa_manager->checkout_by_config2(charon->ike_sa_manager,
++														peer_cfg, my_host, other_host);
+ 	peer_cfg->destroy(peer_cfg);
++
++	if (my_host) my_host->destroy(my_host);
++	if (other_host) other_host->destroy(other_host);
++
+ 	if (!ike_sa)
+ 	{
+ 		DESTROY_IF(listener->child_cfg);
+@@ -501,6 +519,15 @@ METHOD(controller_t, initiate, status_t,
+ 	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ 	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
+ 	bool limits)
++{
++	return this->public.initiate2(this, peer_cfg, child_cfg, NULL, NULL, callback, param, max_level, timeout, limits);
++}
++
++METHOD(controller_t, initiate2, status_t,
++	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
++	host_t *my_host, host_t *other_host,
++	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
++	bool limits)
+ {
+ 	interface_job_t *job;
+ 	status_t status;
+@@ -523,6 +550,8 @@ METHOD(controller_t, initiate, status_t,
+ 			.status = FAILED,
+ 			.child_cfg = child_cfg,
+ 			.peer_cfg = peer_cfg,
++			.my_host = my_host ? my_host->clone(my_host) : NULL,
++			.other_host = other_host ? other_host->clone(other_host) : NULL,
+ 			.lock = spinlock_create(),
+ 			.options.limits = limits,
+ 		},
+@@ -770,6 +799,7 @@ controller_t *controller_create(void)
+ 		.public = {
+ 			.create_ike_sa_enumerator = _create_ike_sa_enumerator,
+ 			.initiate = _initiate,
++			.initiate2 = _initiate2,
+ 			.terminate_ike = _terminate_ike,
+ 			.terminate_child = _terminate_child,
+ 			.destroy = _destroy,
+diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
+index 36a1d4631..f5c60e2e7 100644
+--- a/src/libcharon/control/controller.h
++++ b/src/libcharon/control/controller.h
+@@ -98,6 +98,34 @@ struct controller_t {
+ 						 controller_cb_t callback, void *param,
+ 						 level_t max_level, u_int timeout, bool limits);
+ 
++	/**
++	 * Initiate a CHILD_SA, and if required, an IKE_SA.
++	 *
++	 * If a callback is provided the function is synchronous and thus blocks
++	 * until the IKE_SA is established or failed.
++	 *
++	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
++	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
++	 * @param my_host		optional address hint for source
++	 * @param other_host		optional address hint for destination
++	 * @param cb			logging callback
++	 * @param param			parameter to include in each call of cb
++	 * @param max_level		maximum log level for which cb is invoked
++	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
++	 * @param limits		whether to check limits regarding IKE_SA initiation
++	 * @return
++	 *						- SUCCESS, if CHILD_SA established
++	 *						- FAILED, if setup failed
++	 *						- NEED_MORE, if callback returned FALSE
++	 *						- OUT_OF_RES if timed out
++	 *						- INVALID_STATE if limits prevented initiation
++	 */
++	status_t (*initiate2)(controller_t *this,
++						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
++						 host_t *my_host, host_t *other_host,
++						 controller_cb_t callback, void *param,
++						 level_t max_level, u_int timeout, bool limits);
++
+ 	/**
+ 	 * Terminate an IKE_SA and all of its CHILD_SAs.
+ 	 *
+diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
+index 1c236d249..932d0cb5a 100644
+--- a/src/libcharon/plugins/vici/vici_control.c
++++ b/src/libcharon/plugins/vici/vici_control.c
+@@ -1,4 +1,6 @@
+ /*
++ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
++ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2015-2017 Tobias Brunner
+  * Copyright (C) 2014 Martin Willi
+  *
+@@ -173,9 +175,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
+ CALLBACK(initiate, vici_message_t*,
+ 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+ {
++	vici_message_t* msg;
+ 	peer_cfg_t *peer_cfg = NULL;
+ 	child_cfg_t *child_cfg;
+ 	char *child, *ike, *type, *sa;
++	host_t *my_host = NULL, *other_host = NULL;
++	char *my_host_str, *other_host_str;
+ 	int timeout;
+ 	bool limits;
+ 	controller_cb_t log_cb = NULL;
+@@ -189,6 +194,8 @@ CALLBACK(initiate, vici_message_t*,
+ 	timeout = request->get_int(request, 0, "timeout");
+ 	limits = request->get_bool(request, FALSE, "init-limits");
+ 	log.level = request->get_int(request, 1, "loglevel");
++	my_host_str = request->get_str(request, NULL, "my-host");
++	other_host_str = request->get_str(request, NULL, "other-host");
+ 
+ 	if (!child && !ike)
+ 	{
+@@ -202,28 +209,48 @@ CALLBACK(initiate, vici_message_t*,
+ 	type = child ? "CHILD_SA" : "IKE_SA";
+ 	sa = child ?: ike;
+ 
++	if (my_host_str)
++	{
++		my_host = host_create_from_string(my_host_str, 0);
++	}
++	if (other_host_str)
++	{
++		other_host = host_create_from_string(other_host_str, 0);
++	}
++
++	DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits);
++
+ 	child_cfg = find_child_cfg(child, ike, &peer_cfg);
+ 
+-	DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
+ 	if (!peer_cfg)
+ 	{
+-		return send_reply(this, "%s config '%s' not found", type, sa);
++		msg = send_reply(this, "%s config '%s' not found", type, sa);
++		goto ret;
+ 	}
+-	switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
++	switch (charon->controller->initiate2(charon->controller, peer_cfg, child_cfg,
++										 my_host, other_host,
+ 										 log_cb, &log, log.level, timeout, limits))
+ 	{
+ 		case SUCCESS:
+-			return send_reply(this, NULL);
++			msg = send_reply(this, NULL);
++			break;
+ 		case OUT_OF_RES:
+-			return send_reply(this, "%s '%s' not established after %dms", type,
++			msg = send_reply(this, "%s '%s' not established after %dms", type,
+ 							  sa, timeout);
++			break;
+ 		case INVALID_STATE:
+-			return send_reply(this, "establishing %s '%s' not possible at the "
++			msg = send_reply(this, "establishing %s '%s' not possible at the "
+ 							  "moment due to limits", type, sa);
++			break;
+ 		case FAILED:
+ 		default:
+-			return send_reply(this, "establishing %s '%s' failed", type, sa);
++			msg = send_reply(this, "establishing %s '%s' failed", type, sa);
++			break;
+ 	}
++ret:
++	if (my_host) my_host->destroy(my_host);
++	if (other_host) other_host->destroy(other_host);
++	return msg;
+ }
+ 
+ /**
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index 7763ae844..59852f253 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
++++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1,4 +1,6 @@
+ /*
++ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
++ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2008-2022 Tobias Brunner
+  * Copyright (C) 2005-2011 Martin Willi
+  * Copyright (C) 2005 Jan Hutter
+@@ -1499,6 +1501,13 @@ typedef struct {
+ 
+ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
++{
++	return this->public.checkout_by_config2(this, peer_cfg, NULL, NULL);
++}
++
++METHOD(ike_sa_manager_t, checkout_by_config2, ike_sa_t*,
++	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg,
++	host_t *my_host, host_t *other_host)
+ {
+ 	enumerator_t *enumerator;
+ 	entry_t *entry;
+@@ -1509,7 +1518,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 	u_int segment;
+ 	int i;
+ 
+-	DBG2(DBG_MGR, "checkout IKE_SA by config");
++	if (my_host && my_host->get_port(my_host) == 0)
++	{
++		my_host->set_port(my_host, IKEV2_UDP_PORT);
++	}
++	if (other_host && other_host->get_port(other_host) == 0)
++	{
++		other_host->set_port(other_host, IKEV2_UDP_PORT);
++	}
++	DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
++		peer_cfg->get_name(peer_cfg), my_host, other_host);
+ 
+ 	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+ 	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
+@@ -1567,6 +1585,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 			continue;
+ 		}
+ 
++		if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
++		{
++			continue;
++		}
++		if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
++		{
++			continue;
++		}
++
+ 		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+ 		if (current_peer && current_peer->equals(current_peer, peer_cfg))
+ 		{
+@@ -1593,6 +1620,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 		{
+ 			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+ 			checkout_new(this, ike_sa);
++			if (my_host || other_host)
++			{
++				ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
++			}
+ 		}
+ 	}
+ 	charon->bus->set_sa(charon->bus, ike_sa);
+@@ -2558,6 +2589,7 @@ ike_sa_manager_t *ike_sa_manager_create()
+ 			.checkout = _checkout,
+ 			.checkout_by_message = _checkout_by_message,
+ 			.checkout_by_config = _checkout_by_config,
++			.checkout_by_config2 = _checkout_by_config,
+ 			.checkout_by_id = _checkout_by_id,
+ 			.checkout_by_name = _checkout_by_name,
+ 			.new_initiator_spi = _new_initiator_spi,
+diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
+index 004cc2216..d001f5a80 100644
+--- a/src/libcharon/sa/ike_sa_manager.h
++++ b/src/libcharon/sa/ike_sa_manager.h
+@@ -123,7 +123,8 @@ struct ike_sa_manager_t {
+ 	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
+ 
+ 	/**
+-	 * Checkout an IKE_SA for initiation by a peer_config.
++	 * Checkout an IKE_SA for initiation by a peer_config and optional
++	 * source and remote host addresses.
+ 	 *
+ 	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
+ 	 * This call checks for an existing IKE_SA by comparing the configuration.
+@@ -140,6 +141,28 @@ struct ike_sa_manager_t {
+ 	 */
+ 	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
+ 
++	/**
++	 * Checkout an IKE_SA for initiation by a peer_config and optional
++	 * source and remote host addresses.
++	 *
++	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
++	 * This call checks for an existing IKE_SA by comparing the configuration.
++	 * If the CHILD_SA can be created in an existing IKE_SA, the matching SA
++	 * is returned.
++	 * If no IKE_SA is found, a new one is created and registered in the
++	 * manager. This is also the case when the found IKE_SA is in an unusable
++	 * state (e.g. DELETING).
++	 *
++	 * @note The peer_config is always set on the returned IKE_SA.
++	 *
++	 * @param peer_cfg			configuration used to find an existing IKE_SA
++	 * @param my_host			source host address for wildcard peer_cfg
++	 * @param other_host		remote host address for wildcard peer_cfg
++	 * @return					checked out/created IKE_SA
++	 */
++	ike_sa_t *(*checkout_by_config2)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
++									 host_t *my_host, host_t *other_host);
++
+ 	/**
+ 	 * Reset initiator SPI.
+ 	 *
+diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
+index 1b85c66a5..bbc480c0c 100644
+--- a/src/libcharon/sa/trap_manager.c
++++ b/src/libcharon/sa/trap_manager.c
+@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
+ 	peer_cfg_t *peer;
+ 	child_cfg_t *child;
+ 	ike_sa_t *ike_sa;
+-	host_t *host;
++	host_t *host, *my_host = NULL, *other_host = NULL;
+ 	uint32_t allocated_reqid;
+ 	bool wildcard, ignore = FALSE;
+ 
+@@ -603,36 +603,26 @@ METHOD(trap_manager_t, acquire, void,
+ 	this->lock->unlock(this->lock);
+ 
+ 	if (wildcard)
+-	{	/* the peer config would match IKE_SAs with other peers */
+-		ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
+-											peer->get_ike_version(peer), TRUE);
+-		if (ike_sa)
+-		{
+-			ike_cfg_t *ike_cfg;
+-			uint16_t port;
+-			uint8_t mask;
+-
+-			ike_sa->set_peer_cfg(ike_sa, peer);
+-			ike_cfg = ike_sa->get_ike_cfg(ike_sa);
++	{
++		ike_cfg_t *ike_cfg;
++		uint16_t port;
++		uint8_t mask;
+ 
+-			port = ike_cfg->get_other_port(ike_cfg);
+-			data->dst->to_subnet(data->dst, &host, &mask);
+-			host->set_port(host, port);
+-			ike_sa->set_other_host(ike_sa, host);
++		ike_cfg = peer->get_ike_cfg(peer);
+ 
+-			port = ike_cfg->get_my_port(ike_cfg);
+-			data->src->to_subnet(data->src, &host, &mask);
+-			host->set_port(host, port);
+-			ike_sa->set_my_host(ike_sa, host);
++		port = ike_cfg->get_other_port(ike_cfg);
++		data->dst->to_subnet(data->dst, &other_host, &mask);
++		other_host->set_port(other_host, port);
+ 
+-			charon->bus->set_sa(charon->bus, ike_sa);
+-		}
+-	}
+-	else
+-	{
+-		ike_sa = charon->ike_sa_manager->checkout_by_config(
+-											charon->ike_sa_manager, peer);
++		port = ike_cfg->get_my_port(ike_cfg);
++		data->src->to_subnet(data->src, &my_host, &mask);
++		my_host->set_port(my_host, port);
+ 	}
++	ike_sa = charon->ike_sa_manager->checkout_by_config2(
++											charon->ike_sa_manager, peer,
++											my_host, other_host);
++	if (my_host) my_host->destroy(my_host);
++	if (other_host) other_host->destroy(other_host);
+ 	peer->destroy(peer);
+ 
+ 	if (ike_sa)
+diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
+index e0fffb907..c0fc8c595 100644
+--- a/src/swanctl/commands/initiate.c
++++ b/src/swanctl/commands/initiate.c
+@@ -1,4 +1,5 @@
+ /*
++ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2014 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -38,7 +39,7 @@ static int initiate(vici_conn_t *conn)
+ 	vici_req_t *req;
+ 	vici_res_t *res;
+ 	command_format_options_t format = COMMAND_FORMAT_NONE;
+-	char *arg, *child = NULL, *ike = NULL;
++	char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
+ 	int ret = 0, timeout = 0, level = 1;
+ 
+ 	while (TRUE)
+@@ -65,6 +66,12 @@ static int initiate(vici_conn_t *conn)
+ 			case 'l':
+ 				level = atoi(arg);
+ 				continue;
++			case 'S':
++				my_host = arg;
++				continue;
++			case 'R':
++				other_host = arg;
++				continue;
+ 			case EOF:
+ 				break;
+ 			default:
+@@ -88,6 +95,14 @@ static int initiate(vici_conn_t *conn)
+ 	{
+ 		vici_add_key_valuef(req, "ike", "%s", ike);
+ 	}
++	if (my_host)
++	{
++		vici_add_key_valuef(req, "my-host", "%s", my_host);
++	}
++	if (other_host)
++	{
++		vici_add_key_valuef(req, "other-host", "%s", other_host);
++	}
+ 	if (timeout)
+ 	{
+ 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
+@@ -134,6 +149,8 @@ static void __attribute__ ((constructor))reg()
+ 			{"help",		'h', 0, "show usage information"},
+ 			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
+ 			{"ike",			'i', 1, "initiate an IKE_SA, or name of child's parent"},
++			{"source",		'S', 1, "override source address"},
++			{"remote",		'R', 1, "override remote address"},
+ 			{"timeout",		't', 1, "timeout in seconds before detaching"},
+ 			{"raw",			'r', 0, "dump raw response message"},
+ 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+-- 
+2.45.2
+

0002-vici-send-certificates-for-ike-sa-events.patch

@@ -0,0 +1,140 @@
+From ea77f7d906d5e7bbe44ba6e912dd386f25414492 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:05 +0300
+Subject: [PATCH 2/4] vici: send certificates for ike-sa events
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++----
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
+index bacb7b101..19acc0789 100644
+--- a/src/libcharon/plugins/vici/vici_query.c
++++ b/src/libcharon/plugins/vici/vici_query.c
+@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+  * List details of an IKE_SA
+  */
+ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+-					 ike_sa_t *ike_sa, time_t now)
++					 ike_sa_t *ike_sa, time_t now, bool add_certs)
+ {
+ 	time_t t;
+ 	ike_sa_id_t *id;
+@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+ 	uint32_t if_id;
+ 	uint16_t alg, ks;
+ 	host_t *host;
++	auth_cfg_t *auth_cfg;
++	enumerator_t *enumerator;
+ 
+ 	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
+ 	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
+@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+ 	b->add_kv(b, "local-host", "%H", host);
+ 	b->add_kv(b, "local-port", "%d", host->get_port(host));
+ 	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
++	if (add_certs)
++	{
++		enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, TRUE);
++		if (enumerator->enumerate(enumerator, &auth_cfg))
++		{
++			certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
++			chunk_t encoding;
++
++			if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
++			{
++				b->add(b, VICI_KEY_VALUE, "local-cert-data", encoding);
++				free(encoding.ptr);
++			}
++		}
++		enumerator->destroy(enumerator);
++	}
+ 
+ 	host = ike_sa->get_other_host(ike_sa);
+ 	b->add_kv(b, "remote-host", "%H", host);
+ 	b->add_kv(b, "remote-port", "%d", host->get_port(host));
+ 	b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa));
++	if (add_certs)
++	{
++		enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
++		if (enumerator->enumerate(enumerator, &auth_cfg))
++		{
++			certificate_t *cert = auth_cfg->get(auth_cfg, AUTH_RULE_SUBJECT_CERT);
++			chunk_t encoding;
++
++			if (cert && cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
++			{
++				b->add(b, VICI_KEY_VALUE, "remote-cert-data", encoding);
++				free(encoding.ptr);
++			}
++		}
++		enumerator->destroy(enumerator);
++	}
+ 
+ 	eap = ike_sa->get_other_eap_id(ike_sa);
+ 
+@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
+ 		b = vici_builder_create();
+ 		b->begin_section(b, ike_sa->get_name(ike_sa));
+ 
+-		list_ike(this, b, ike_sa, now);
++		list_ike(this, b, ike_sa, now, TRUE);
+ 
+ 		b->begin_section(b, "child-sas");
+ 		csas = ike_sa->create_child_sa_enumerator(ike_sa);
+@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
+ 	}
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
++	list_ike(this, b, ike_sa, now, up);
+ 	b->end_section(b);
+ 
+ 	this->dispatcher->raise_event(this->dispatcher,
+@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
+ 	b = vici_builder_create();
+ 	b->begin_section(b, old->get_name(old));
+ 	b->begin_section(b, "old");
+-	list_ike(this, b, old, now);
++	list_ike(this, b, old, now, TRUE);
+ 	b->end_section(b);
+ 	b->begin_section(b, "new");
+-	list_ike(this, b, new, now);
++	list_ike(this, b, new, now, TRUE);
+ 	b->end_section(b);
+ 	b->end_section(b);
+ 
+@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
+ 	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
++	list_ike(this, b, ike_sa, now, TRUE);
+ 	b->end_section(b);
+ 
+ 	this->dispatcher->raise_event(this->dispatcher,
+@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
+ 	}
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
++	list_ike(this, b, ike_sa, now, up);
+ 	b->begin_section(b, "child-sas");
+ 
+ 	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
+@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
+ 	b = vici_builder_create();
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
++	list_ike(this, b, ike_sa, now, TRUE);
+ 	b->begin_section(b, "child-sas");
+ 
+ 	b->begin_section(b, old->get_name(old));
+-- 
+2.45.2
+

0003-vici-add-support-for-individual-sa-state-changes.patch

@@ -0,0 +1,160 @@
+From 3f4e26a2163bf30481887795f9faad208bfc1be0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:11 +0300
+Subject: [PATCH 3/4] vici: add support for individual sa state changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Useful for monitoring and tracking full SA.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ src/libcharon/plugins/vici/vici_query.c | 106 ++++++++++++++++++++++++
+ 1 file changed, 106 insertions(+)
+
+diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
+index 19acc0789..fa1aca953 100644
+--- a/src/libcharon/plugins/vici/vici_query.c
++++ b/src/libcharon/plugins/vici/vici_query.c
+@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+ 	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
++	this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
++	this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
++	this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg);
++	this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg);
++	this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg);
++	this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg);
++	this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg);
++	this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg);
+ 	manage_command(this, "list-sas", list_sas, reg);
+ 	manage_command(this, "list-policies", list_policies, reg);
+ 	manage_command(this, "list-conns", list_conns, reg);
+@@ -1876,6 +1884,46 @@ METHOD(listener_t, ike_update, bool,
+ 	return TRUE;
+ }
+ 
++
++METHOD(listener_t, ike_state_change, bool,
++	private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
++{
++	char *event;
++	vici_builder_t *b;
++	time_t now;
++
++	switch (state)
++	{
++	case IKE_ESTABLISHED:
++		event = "ike-state-established";
++		break;
++	case IKE_DESTROYING:
++		event = "ike-state-destroying";
++		break;
++	default:
++		return TRUE;
++	}
++
++	if (!this->dispatcher->has_event_listeners(this->dispatcher, event))
++	{
++		return TRUE;
++	}
++
++	now = time_monotonic(NULL);
++
++	b = vici_builder_create();
++	b->begin_section(b, ike_sa->get_name(ike_sa));
++	list_ike(this, b, ike_sa, now, state != IKE_DESTROYING);
++	b->begin_section(b, "child-sas");
++	b->end_section(b);
++	b->end_section(b);
++
++	this->dispatcher->raise_event(this->dispatcher,
++								  event, 0, b->finalize(b));
++
++	return TRUE;
++}
++
+ METHOD(listener_t, child_updown, bool,
+ 	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
+ {
+@@ -1955,6 +2003,62 @@ METHOD(listener_t, child_rekey, bool,
+ 	return TRUE;
+ }
+ 
++METHOD(listener_t, child_state_change, bool,
++	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state)
++{
++	char *event;
++	vici_builder_t *b;
++	time_t now;
++
++	switch (state)
++	{
++	case CHILD_INSTALLING:
++		event = "child-state-installing";
++		break;
++	case CHILD_INSTALLED:
++		event = "child-state-installed";
++		break;
++	case CHILD_UPDATING:
++		event = "child-state-updating";
++		break;
++	case CHILD_REKEYING:
++		event = "child-state-rekeying";
++		break;
++	case CHILD_REKEYED:
++		event = "child-state-rekeyed";
++		break;
++	case CHILD_DESTROYING:
++		event = "child-state-destroying";
++		break;
++	default:
++		return TRUE;
++	}
++
++	if (!this->dispatcher->has_event_listeners(this->dispatcher, event))
++	{
++		return TRUE;
++	}
++
++	now = time_monotonic(NULL);
++
++	b = vici_builder_create();
++	b->begin_section(b, ike_sa->get_name(ike_sa));
++	list_ike(this, b, ike_sa, now, state != CHILD_DESTROYING);
++	b->begin_section(b, "child-sas");
++
++	b->begin_section(b, child_sa->get_name(child_sa));
++	list_child(this, b, child_sa, now);
++	b->end_section(b);
++
++	b->end_section(b);
++	b->end_section(b);
++
++	this->dispatcher->raise_event(this->dispatcher,
++								  event, 0, b->finalize(b));
++
++	return TRUE;
++}
++
+ METHOD(vici_query_t, destroy, void,
+ 	private_vici_query_t *this)
+ {
+@@ -1975,8 +2079,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+ 				.ike_updown = _ike_updown,
+ 				.ike_rekey = _ike_rekey,
+ 				.ike_update = _ike_update,
++				.ike_state_change = _ike_state_change,
+ 				.child_updown = _child_updown,
+ 				.child_rekey = _child_rekey,
++				.child_state_change = _child_state_change,
+ 			},
+ 			.destroy = _destroy,
+ 		},
+-- 
+2.45.2
+

0004-Support-GRE-key-in-selectors.patch

@@ -0,0 +1,292 @@
+From 0ceda5a95355bb803cbcdf3eeabbcb6ec2577922 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 21 Jan 2024 03:11:32 +0100
+Subject: [PATCH 4/4] Support GRE key in selectors.
+
+---
+ .../kernel_netlink/kernel_netlink_ipsec.c     | 20 ++++++++++++
+ .../plugins/load_tester/load_tester_config.c  | 22 ++++++++++++-
+ src/libcharon/plugins/stroke/stroke_config.c  | 22 ++++++++++++-
+ src/libcharon/plugins/vici/vici_config.c      | 32 ++++++++++++++++++-
+ .../selectors/traffic_selector.c              | 20 ++++++++++++
+ .../selectors/traffic_selector.h              | 12 +++++++
+ src/starter/confread.c                        | 24 +++++++++++++-
+ src/swanctl/swanctl.opt                       |  3 ++
+ 8 files changed, 151 insertions(+), 4 deletions(-)
+
+diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index db0b2ac37..e4e7d9ecb 100644
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -864,6 +864,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ {
+ 	struct xfrm_selector sel;
+ 	uint16_t port;
++	uint32_t gre_key;
+ 
+ 	memset(&sel, 0, sizeof(sel));
+ 	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+@@ -884,6 +885,25 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ 		sel.dport = htons(traffic_selector_icmp_code(port));
+ 		sel.dport_mask = sel.dport ? ~0 : 0;
+ 	}
++	if (sel.proto == IPPROTO_GRE)
++	{
++		/* the kernel expects the GRE key in the source and destination
++		 * port fields, respectively. */
++		gre_key = htons(traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
++		if ( gre_key != 0 )
++		{
++			DBG2(DBG_KNL, "Policy GRE key: %d (%d-%d) %d", gre_key, dst->get_from_port(dst), dst->get_to_port(dst), traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
++			sel.sport = gre_key >> 16;
++			sel.sport_mask = ~0;
++			sel.dport = gre_key & 0xffff;
++			sel.dport_mask = ~0;
++		} else {
++			sel.sport = 0;
++			sel.sport_mask = 0;
++			sel.dport = 0;
++			sel.dport_mask = 0;
++		}
++	}
+ 	sel.ifindex = interface ? if_nametoindex(interface) : 0;
+ 	sel.user = 0;
+ 
+diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
+index 58e1cd98a..ac67875d8 100644
+--- a/src/libcharon/plugins/load_tester/load_tester_config.c
++++ b/src/libcharon/plugins/load_tester/load_tester_config.c
+@@ -498,7 +498,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 			*protocol = (uint8_t)p;
+ 		}
+ 	}
+-	if (streq(port, "%any"))
++	if (*protocol == IPPROTO_GRE)
++	{
++		if (*port && !streq(port, "%any"))
++		{
++			p = strtol(port, &endptr, 0);
++			if (p < 0 || p > 0xffffffff)
++			{
++				return FALSE;
++			}
++			end->from_port = (p >> 16) & 0xffff;
++			end->to_port = p & 0xffff;
++			if (*endptr)
++			{
++				return FALSE;
++			}
++		} else {
++			end->from_port = 0;
++			end->to_port = 0;
++		}
++	}
++	else if (streq(port, "%any"))
+ 	{
+ 		*from_port = 0;
+ 		*to_port = 0xffff;
+diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
+index 55db379ff..b4340b8d1 100644
+--- a/src/libcharon/plugins/stroke/stroke_config.c
++++ b/src/libcharon/plugins/stroke/stroke_config.c
+@@ -927,7 +927,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 			*protocol = (uint8_t)p;
+ 		}
+ 	}
+-	if (streq(port, "%any"))
++	if (*protocol == IPPROTO_GRE)
++	{
++		if (*port && !streq(port, "%any"))
++		{
++			p = strtol(port, &endptr, 0);
++			if (p < 0 || p > 0xffffffff)
++			{
++				return FALSE;
++			}
++			*from_port = (p >> 16) & 0xffff;
++			*to_port = p & 0xffff;
++			if (*endptr)
++				return FALSE;
++		}
++		else
++		{
++			*from_port = 0;
++			*to_port = 0;
++		}
++	}
++	else if (streq(port, "%any"))
+ 	{
+ 		*from_port = 0;
+ 		*to_port = 0xffff;
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index c858e9945..c72c97f76 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
++++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -715,7 +715,31 @@ CALLBACK(parse_ts, bool,
+ 				proto = (uint8_t)p;
+ 			}
+ 		}
+-		if (streq(port, "opaque"))
++		if (proto == IPPROTO_GRE)
++		{
++			if (*port && !streq(port, "any"))
++			{
++				DBG2(DBG_CFG, "   GRE key %s", port);
++				p = strtol(port, &end, 0);
++				if (p < 0 || p > 0xffffffff)
++				{
++					DBG2(DBG_CFG, "   Invalid GRE key %s", port);
++					return FALSE;
++				}
++				from = (p >> 16) & 0xffff;
++				to = p & 0xffff;
++				DBG2(DBG_CFG, "   Parsed GRE key %d-%d(%d)", from, to, p);
++				if (*end)
++				{
++					DBG2(DBG_CFG, "   Invalid GRE key %s", port);
++					return FALSE;
++				}
++			} else {
++				from = 0;
++				to = 0;
++			}
++		}
++		else if (streq(port, "opaque"))
+ 		{
+ 			from = 0xffff;
+ 			to = 0;
+@@ -752,8 +776,14 @@ CALLBACK(parse_ts, bool,
+ 			}
+ 		}
+ 	}
++	else if (proto == IPPROTO_GRE)
++	{
++		from = 0;
++		to = 0;
++	}
+ 	if (streq(buf, "dynamic"))
+ 	{
++		DBG2(DBG_CFG, "   Create dynamic selector GRE key proto=%d, from_port=%d, to_port=%d", proto, from, to);
+ 		ts = traffic_selector_create_dynamic(proto, from, to);
+ 	}
+ 	else if (strchr(buf, '-'))
+diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
+index fe61e3768..09757ec36 100644
+--- a/src/libstrongswan/selectors/traffic_selector.c
++++ b/src/libstrongswan/selectors/traffic_selector.c
+@@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
+ 	return print_in_hook(data, "%d", type);
+ }
+ 
++/**
++ * Print GRE key
++ */
++static int print_gre(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
++{
++	uint32_t gre_key;
++
++	gre_key = traffic_selector_gre_key(from_port, to_port);
++
++	return print_in_hook(data, "%d", gre_key);
++}
++
+ /**
+  * Described in header.
+  */
+@@ -319,6 +331,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 			{
+ 				written += print_icmp(data, this->from_port);
+ 			}
++			else if (this->protocol == IPPROTO_GRE)
++			{
++				written += print_gre(data, this->from_port, this->to_port);
++			}
+ 			else
+ 			{
+ 				serv = getservbyport(htons(this->from_port), serv_proto);
+@@ -332,6 +348,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 				}
+ 			}
+ 		}
++		else if (this->protocol == IPPROTO_GRE)
++		{
++			written += print_gre(data, this->from_port, this->to_port);
++		}
+ 		else if (is_opaque(this))
+ 		{
+ 			written += print_in_hook(data, "OPAQUE");
+diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
+index 367b4fff9..b7010e4a7 100644
+--- a/src/libstrongswan/selectors/traffic_selector.h
++++ b/src/libstrongswan/selectors/traffic_selector.h
+@@ -272,6 +272,18 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
+ 	return port & 0xff;
+ }
+ 
++/**
++ * Extract the GRE key from a source and destination port in host order
++ *
++ * @param from_port		port number in host order
++ * @param to_port		port number in host order
++ * @return				GRE key
++ */
++static inline uint8_t traffic_selector_gre_key(uint16_t from_port, uint16_t to_port)
++{
++	return (from_port & 0xffff) << 16 | (to_port & 0xffff);
++}
++
+ /**
+  * Compare two traffic selectors, usable as sort function
+  *
+diff --git a/src/starter/confread.c b/src/starter/confread.c
+index 5065bc369..039b6f402 100644
+--- a/src/starter/confread.c
++++ b/src/starter/confread.c
+@@ -325,7 +325,29 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
+ 					end->protocol = (uint8_t)p;
+ 				}
+ 			}
+-			if (streq(port, "%any"))
++			if (end->protocol == IPPROTO_GRE)
++			{
++				if (*port && !streq(port, "%any"))
++				{
++					p = strtol(port, &endptr, 0);
++					if (p < 0 || p > 0xffffffff)
++					{
++						DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
++						goto err;
++					}
++					end->from_port = (p >> 16) & 0xffff;
++					end->to_port = p & 0xffff;
++					if (*endptr)
++					{
++						DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
++						goto err;
++					}
++				} else {
++					end->from_port = 0;
++					end->to_port = 0;
++				}
++			}
++			else if (streq(port, "%any"))
+ 			{
+ 				end->from_port = 0;
+ 				end->to_port = 0xffff;
+diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
+index d9fd949ed..1d63dadb8 100644
+--- a/src/swanctl/swanctl.opt
++++ b/src/swanctl/swanctl.opt
+@@ -765,6 +765,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
+ 	value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
+ 	as well, none of the kernel backends currently support port ranges, though.
+ 
++	If protocol is restricted to GRE, port restriction specifies GRE key
++	in 32 bit numeric form eg. dynamic[gre/100].
++
+ 	When IKEv1 is used only the first selector is interpreted, except if
+ 	the Cisco Unity extension plugin is used. This is due to a limitation of the
+ 	IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
+-- 
+2.45.2
+

STRONGSWAN-RELEASE-PGP-KEY

@@ -0,0 +1,48 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
+ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
+C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
+hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
+SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
+Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
+iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
+oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
+pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
+ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
+AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
+GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
+wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
+1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
+thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
+fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
+/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
+MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
+iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
+KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
+8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
+wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
+IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
+R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
+pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
+56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
+w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
+Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
+xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
+jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
+lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
+lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
+ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
+TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
+M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
+GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
+kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
+W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
+MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
+Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
++M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
+u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
+CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
+b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
+=ze82
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1 +1,2 @@
-SHA512 (strongswan-5.6.3.tar.bz2) = 080402640952b1a08e95bfe9c7f33c6a7dd01ac401b5e7e2e78257c0f2bf0a4d6078141232ac62abfacef892c493f6824948b3165d54d72b4e436ed564fd2609
+SHA512 (strongswan-5.9.14.tar.bz2) = e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
+SHA512 (strongswan-5.9.14.tar.bz2.sig) = 1b3d57448caab91060fe3d209d90708c57dbf35ae62c97574107b32677cff73f13f7545dc91682ef84400bb8a2f105a1761aba8334763dc8c35d97be7921c242

strongswan-5.6.2-CVE-2018-5388.patch

@@ -1,15 +0,0 @@
-diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
---- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
-+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
-@@ -628,6 +628,11 @@
- 		return FALSE;
- 	}
- 
-+	if (len < offsetof(stroke_msg_t, buffer))
-+	{
-+		DBG1(DBG_CFG, "invalid stroke message length %d", len);
-+		return FALSE;
-+	}
- 	/* read message (we need an additional byte to terminate the buffer) */
- 	msg = malloc(len + 1);
- 	msg->length = len;

strongswan-5.9.7-error-no-format.patch

@@ -0,0 +1,12 @@
+diff --git a/configure.ac b/configure.ac
+index f9e6e55c2..247d055d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1480,7 +1480,6 @@ else
+ fi
+ # disable some warnings, whether explicitly enabled above or by default
+ # these are not compatible with our custom printf specifiers
+-WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
+ WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
+ # we generally use comments, but GCC doesn't seem to recognize many of them
+ WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"

strongswan.spec

@@ -1,34 +1,77 @@
 %global _hardened_build 1
 #%%define prerelease dr1
+%global dist .nhrp.11%{?dist}
+
+%bcond_without python3
+%bcond_without perl
+%bcond_with    check
+
+%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
+# trousers was retired for F36+ and no longer available in RHEL with 9+
+%bcond_without tss_trousers
+%else
+%bcond_with tss_trousers
+%endif
+
+%global forgeurl0 https://github.com/strongswan/strongswan
 
 Name:           strongswan
-Version:        5.6.3
-Release:        3%{?dist}
+Version:        5.9.14
+Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
-URL:            http://www.strongswan.org/
-Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
-Patch1:         strongswan-5.6.0-uintptr_t.patch
-Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
+URL:            https://www.strongswan.org/
+VCS:            git:%{forgeurl0}
+Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
+Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
+Source3:        tmpfiles-strongswan.conf
+Patch0:         strongswan-5.6.0-uintptr_t.patch
+# https://github.com/strongswan/strongswan/issues/1198
+Patch1:         strongswan-5.9.7-error-no-format.patch
 
-# only needed for pre-release versions
-#BuildRequires:  autoconf automake
+Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
+Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
+Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
+Patch13:        0004-Support-GRE-key-in-selectors.patch
 
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gnupg2
+BuildRequires:  make
 BuildRequires:  gcc
+BuildRequires:  systemd
 BuildRequires:  systemd-devel
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
-BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
-BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
+BuildRequires:  libcap-devel
+BuildRequires:  tpm2-tss-devel
+Recommends:     tpm2-tools
+
+%if %{with python3}
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-pytest
+%endif
+
+%if %{with perl}
+BuildRequires:  perl-devel perl-generators
+BuildRequires:  perl(ExtUtils::MakeMaker)
+%endif
+
+%if %{with tss_trousers}
+BuildRequires:  trousers-devel
+%endif
 
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -49,8 +92,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
+Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
+Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -58,14 +101,14 @@ to NetworkManager.
 
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: %{name} = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-sqlite = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
+Requires: strongswan-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -76,10 +119,39 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.
 
+%if %{with python3}
+%package -n python3-vici
+Summary: Strongswan Versatile IKE Configuration Interface python bindings
+BuildArch: noarch
+%description -n python3-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) python bindings provides module
+for Strongswan runtime configuration from python applications.
+
+%endif
+
+%if %{with perl}
+%package -n perl-vici
+Summary: Strongswan Versatile IKE Configuration Interface perl bindings
+BuildArch: noarch
+%description -n perl-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) perl bindings provides module
+for Strongswan runtime configuration from perl applications.
+%endif
+
+# TODO: make also ruby-vici
+
+
 %prep
-%setup -q -n %{name}-%{version}%{?prerelease}
-%patch1 -p1
-%patch3 -p1
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -n %{name}-%{version}%{?prerelease} -p1
 
 %build
 # only for snapshots
@@ -95,9 +167,10 @@ PT-TLS to support TNC over TLS.
     --with-ipsecdir=%{_libexecdir}/strongswan \
     --bindir=%{_libexecdir}/strongswan \
     --with-ipseclibdir=%{_libdir}/strongswan \
-    --with-fips-mode=2 \
+    --with-piddir=%{_rundir}/strongswan \
+    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
     --enable-bypass-lan \
-    --enable-tss-trousers \
+    --enable-tss-tss2 \
     --enable-nm \
     --enable-systemd \
     --enable-openssl \
@@ -152,8 +225,6 @@ PT-TLS to support TNC over TLS.
     --enable-imv-attestation \
     --enable-imv-os \
     --enable-imc-os \
-    --enable-imc-swid \
-    --enable-imv-swid \
     --enable-imc-swima \
     --enable-imv-swima \
     --enable-imc-hcd \
@@ -161,25 +232,77 @@ PT-TLS to support TNC over TLS.
     --enable-curl \
     --enable-cmd \
     --enable-acert \
-    --enable-aikgen \
     --enable-vici \
     --enable-swanctl \
     --enable-duplicheck \
 %ifarch x86_64 %{ix86}
     --enable-aesni \
 %endif
-    --enable-kernel-libipsec
+%if %{with python3}
+    PYTHON=%{python3} --enable-python-eggs \
+%endif
+%if %{with perl}
+    --enable-perl-cpan \
+%endif
+%if %{with check}
+    --enable-test-vectors \
+%endif
+%if %{with tss_trousers}
+    --enable-tss-trousers \
+    --enable-aikgen \
+%endif
+    --enable-kernel-libipsec \
+    --with-capabilities=libcap \
+    CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
+# TODO: --enable-python-eggs-install not python3 ready
 
 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
-make %{?_smp_mflags}
+# ensure manual page is regenerated with local configuration
+rm -f src/ipsec/_ipsec.8
+
+%make_build
+
+pushd src/libcharon/plugins/vici
+
+%if %{with python3}
+  pushd python
+    %make_build
+    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
+    #py3_build
+  popd
+%endif
+
+%if %{with perl}
+  pushd perl/Vici-Session/
+    perl Makefile.PL INSTALLDIRS=vendor
+    %make_build
+  popd
+%endif
+
+popd
 
 %install
-make install DESTDIR=%{buildroot}
-mv %{buildroot}%{_sysconfdir}/strongswan/dbus-1 %{buildroot}%{_sysconfdir}/
+%make_install
+
+
+pushd src/libcharon/plugins/vici
+%if %{with python3}
+  pushd python
+    # TODO: --enable-python-eggs breaks our previous build. Do it now
+    # propose better way to upstream
+    %py3_build
+    %py3_install
+  popd
+%endif
+%if %{with perl}
+  %make_install -C perl/Vici-Session
+  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
+%endif
+popd
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -197,27 +320,44 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d
 for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
+install -d -m 0700 %{buildroot}%{_rundir}/strongswan
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
+
+
+%check
+%if %{with check}
+  # Seen some tests hang. Ensure we do not block builder forever
+  export TESTS_VERBOSITY=1
+  timeout 600 %make_build check
+%endif
+%if %{with python}
+  pushd src/libcharon/plugins/vici
+    %pytest
+  popd
+%endif
+:
 
 %post
-%systemd_post %{name}.service
+%systemd_post strongswan.service strongswan-starter.service
 
 %preun
-%systemd_preun %{name}.service
+%systemd_preun strongswan.service strongswan-starter.service
 
 %postun
-%systemd_postun_with_restart %{name}.service
+%systemd_postun_with_restart strongswan.service strongswan-starter.service
 
 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
 %dir %{_libdir}/strongswan/plugins
 %dir %{_libexecdir}/strongswan
 %{_unitdir}/strongswan.service
-%{_unitdir}/strongswan-swanctl.service
+%{_unitdir}/strongswan-starter.service
 %{_sbindir}/charon-cmd
 %{_sbindir}/charon-systemd
 %{_sbindir}/strongswan
@@ -238,6 +378,9 @@ done
 %{_mandir}/man?/*.gz
 %{_datadir}/strongswan/templates/config/
 %{_datadir}/strongswan/templates/database/
+%attr(0755,root,root) %dir %{_rundir}/strongswan
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -261,10 +404,195 @@ done
 
 %files charon-nm
 %doc COPYING
-%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
+%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
+%if %{with python3}
+%files -n python3-vici
+%license COPYING
+%doc src/libcharon/plugins/vici/python/README.rst
+%{python3_sitelib}/vici
+%{python3_sitelib}/vici-%{version}-py*.egg-info
+%endif
+
+%if %{with perl}
+%license COPYING
+%files -n perl-vici
+%{perl_vendorlib}/Vici
+%endif
+
 %changelog
+* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
+- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
+- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
+- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
+- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
+- Resolves: rhbz#2214186 strongswan-5.9.11 is available
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
+- Rebuilt for Python 3.12
+
+* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
+- Update to 5.9.10
+
+* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
+- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
+
+* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
+- Use configure paths in manual pages (#2106120)
+
+* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
+- Update to 5.9.9 (#2157850)
+
+* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
+- Add BR perl-generators to automatically generates run-time dependencies
+  for installed Perl files
+
+* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
+- Resolves rhbz#2112274 strongswan-5.9.8 is available
+- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
+- Add BuildRequire for autoconf and automake, now required for release
+- Remove obsolete patches
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
+- Resolves rhbz#2080070 strongswan-5.9.6 is available
+- Fixed missing format string in enum_flags_to_string()
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
+- Rebuilt for Python 3.11
+
+* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
+- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
+
+* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
+- Use newly published/cleaned strongswan gpg key
+
+* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
+- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
+- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
+- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
+
+* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
+- Resolves rhbz#1419441 Add python and perl vici bindings
+- Adds optional tests run
+
+* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
+- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
+- Return to using tmpfiles, but extend to cover strongswan-starter service too
+- Cleanup old patches
+
+* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
+- Resolves: rhbz#2015165 strongswan-5.9.4 is available
+- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
+- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
+- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
+- Rebuild for versioned symbols in json-c
+
+* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
+- Resolves: rhbz#1979574 strongswan-5.9.3 is available
+- Make strongswan main dir world readable so apps can find strongswan.conf
+
+* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
+- Resolves: rhbz#1896545 strongswan-5.9.2 is available
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
+- Resolves: rhbz#1896545 strongswan-5.9.1 is available
+
+* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
+- Build with with capabilities support
+- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
+- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
+
+* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
+- Resolves: rhbz#1861747 strongswan-5.9.0 is available
+- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
+  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
+- Rebuild (json-c)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
+- Updated to 5.8.4
+- Patch4 has been applied upstream
+
+* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
+- Patch to declare a global variable with extern (#1800117)
+
+* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
+- use tmpfile to ensure rundir is present
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
+- Use /run/strongswan as rundir to support strongswans in namespaces
+
+* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
+- Update to 5.8.2 (#1784457)
+- The D-Bus config file moved under datadir
+
+* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
+- Update to 5.8.1 (#1711920)
+- No more separate strongswan-swanctl.service to start out of order (#1775548)
+- Added strongswan-starter.service
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
+- Updated to 5.7.2
+
+* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
+- Updated to 5.7.1
+- Resolves rhbz#1635872 CVE-2018-16152
+- Resolves rhbz#1635875 CVE-2018-16151
+
 * Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
 - Add plugin bypass-lan, disabled by default
 - Resolves rhbz#1554479 Update to strongswan-charon-nm fails
@@ -612,10 +940,10 @@ done
 * Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
 - Update to upstream release 5.0.2
 - Created sub package strongswan-tnc-imcvs that provides trusted network
-  connect's IMC and IMV funtionality. Specifically it includes PTS 
-  based IMC/IMV for TPM based remote attestation and scanner and test 
-  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used 
-  by any third party TNC Client/Server implementation possessing a 
+  connect's IMC and IMV funtionality. Specifically it includes PTS
+  based IMC/IMV for TPM based remote attestation and scanner and test
+  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
+  by any third party TNC Client/Server implementation possessing a
   standard IF-IMC/IMV interface.
 
 * Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2

tmpfiles-strongswan.conf

@@ -0,0 +1 @@
+D /run/strongswan 0755 root root -