Support GRE key in selectors

- patch to use --no-isolation with python by Carlos Rodriguez-Fernandez
- python dependencies fixed so pip no longer tries to download items
- apply upstream patch to remove md2 support - now all tests pass again

.gitignore

@@ -1,2 +1,23 @@
-/strongswan-5.7.1.tar.bz2
-/strongswan-5.7.2.tar.bz2
+/strongswan-5.8.4.tar.bz2
+/strongswan-5.9.0.tar.bz2
+/strongswan-5.9.1.tar.bz2
+/strongswan-5.9.2.tar.bz2
+/strongswan-5.9.3.tar.bz2
+/strongswan-5.9.4.tar.bz2
+/948F158A4E76A27BF3D07532DF42C170B34DBA77
+/strongswan-5.9.5.tar.bz2
+/strongswan-5.9.5.tar.bz2.sig
+/strongswan-5.9.6.tar.bz2
+/strongswan-5.9.6.tar.bz2.sig
+/strongswan-5.9.8.tar.bz2
+/strongswan-5.9.8.tar.bz2.sig
+/strongswan-5.9.9.tar.bz2
+/strongswan-5.9.9.tar.bz2.sig
+/strongswan-5.9.10.tar.bz2
+/strongswan-5.9.10.tar.bz2.sig
+/strongswan-5.9.11.tar.bz2
+/strongswan-5.9.11.tar.bz2.sig
+/strongswan-5.9.14.tar.bz2
+/strongswan-5.9.14.tar.bz2.sig
+/strongswan-6.0.2.tar.bz2
+/strongswan-6.0.2.tar.bz2.sig

0001-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -0,0 +1,481 @@
+From 8ca99fb0a9d0027d08937bc2b198dc74bd5bb7a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
+Date: Tue, 9 Jul 2024 19:07:57 +0200
+Subject: [PATCH 1/4] charon: add optional source and remote overrides for
+ initiate
+
+This introduces support for specifying optional IKE SA specific
+source and remote address for child sa initiation. This allows
+to initiate wildcard connection for known address via vici.
+
+In addition this allows simpler implementation of trap-any patches
+and is a prerequisite for dmvpn support.
+---
+ src/libcharon/control/controller.c        | 36 +++++++++++++++++-
+ src/libcharon/control/controller.h        | 28 ++++++++++++++
+ src/libcharon/plugins/vici/vici_control.c | 41 ++++++++++++++++----
+ src/libcharon/sa/ike_sa_manager.c         | 34 ++++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.h         | 25 +++++++++++-
+ src/libcharon/sa/trap_manager.c           | 46 +++++++++--------------
+ src/swanctl/commands/initiate.c           | 19 +++++++++-
+ 7 files changed, 189 insertions(+), 40 deletions(-)
+
+diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
+index 4e778ed63d..2b8a75e2c1 100644
+--- a/src/libcharon/control/controller.c
++++ b/src/libcharon/control/controller.c
+@@ -1,4 +1,6 @@
+ /*
++ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
++ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2011-2023 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+@@ -107,6 +109,16 @@ struct interface_listener_t {
+ 	 */
+ 	ike_sa_t *ike_sa;
+ 
++	/**
++	 * Our host hint.
++	 */
++	host_t *my_host;
++
++	/**
++	 * Other host hint.
++	 */
++	host_t *other_host;
++
+ 	/**
+ 	 * unique ID, used for various methods
+ 	 */
+@@ -418,9 +430,17 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+ {
+ 	ike_sa_t *ike_sa;
+ 	interface_listener_t *listener = &job->listener;
++	peer_cfg_t *peer_cfg = listener->peer_cfg;
++	host_t *my_host = listener->my_host;
++	host_t *other_host = listener->other_host;
++
++	ike_sa = charon->ike_sa_manager->checkout_by_config2(charon->ike_sa_manager,
++														peer_cfg, my_host, other_host);
++	peer_cfg->destroy(peer_cfg);
++
++	if (my_host) my_host->destroy(my_host);
++	if (other_host) other_host->destroy(other_host);
+ 
+-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+-														listener->peer_cfg);
+ 	if (!ike_sa)
+ 	{
+ 		listener->status = FAILED;
+@@ -502,6 +522,15 @@ METHOD(controller_t, initiate, status_t,
+ 	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
+ 	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
+ 	bool limits)
++{
++	return this->public.initiate2(&this->public, peer_cfg, child_cfg, NULL, NULL, callback, param, max_level, timeout, limits);
++}
++
++METHOD(controller_t, initiate2, status_t,
++	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
++	host_t *my_host, host_t *other_host,
++	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
++	bool limits)
+ {
+ 	interface_job_t *job;
+ 	status_t status;
+@@ -524,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
+ 			.status = FAILED,
+ 			.child_cfg = child_cfg,
+ 			.peer_cfg = peer_cfg,
++			.my_host = my_host ? my_host->clone(my_host) : NULL,
++			.other_host = other_host ? other_host->clone(other_host) : NULL,
+ 			.lock = spinlock_create(),
+ 			.options.limits = limits,
+ 		},
+@@ -771,6 +802,7 @@ controller_t *controller_create(void)
+ 		.public = {
+ 			.create_ike_sa_enumerator = _create_ike_sa_enumerator,
+ 			.initiate = _initiate,
++			.initiate2 = _initiate2,
+ 			.terminate_ike = _terminate_ike,
+ 			.terminate_child = _terminate_child,
+ 			.destroy = _destroy,
+diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
+index 36a1d46317..f5c60e2e72 100644
+--- a/src/libcharon/control/controller.h
++++ b/src/libcharon/control/controller.h
+@@ -98,6 +98,34 @@ struct controller_t {
+ 						 controller_cb_t callback, void *param,
+ 						 level_t max_level, u_int timeout, bool limits);
+ 
++	/**
++	 * Initiate a CHILD_SA, and if required, an IKE_SA.
++	 *
++	 * If a callback is provided the function is synchronous and thus blocks
++	 * until the IKE_SA is established or failed.
++	 *
++	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
++	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
++	 * @param my_host		optional address hint for source
++	 * @param other_host		optional address hint for destination
++	 * @param cb			logging callback
++	 * @param param			parameter to include in each call of cb
++	 * @param max_level		maximum log level for which cb is invoked
++	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
++	 * @param limits		whether to check limits regarding IKE_SA initiation
++	 * @return
++	 *						- SUCCESS, if CHILD_SA established
++	 *						- FAILED, if setup failed
++	 *						- NEED_MORE, if callback returned FALSE
++	 *						- OUT_OF_RES if timed out
++	 *						- INVALID_STATE if limits prevented initiation
++	 */
++	status_t (*initiate2)(controller_t *this,
++						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
++						 host_t *my_host, host_t *other_host,
++						 controller_cb_t callback, void *param,
++						 level_t max_level, u_int timeout, bool limits);
++
+ 	/**
+ 	 * Terminate an IKE_SA and all of its CHILD_SAs.
+ 	 *
+diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
+index 1c236d2491..932d0cb5a8 100644
+--- a/src/libcharon/plugins/vici/vici_control.c
++++ b/src/libcharon/plugins/vici/vici_control.c
+@@ -1,4 +1,6 @@
+ /*
++ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
++ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2015-2017 Tobias Brunner
+  * Copyright (C) 2014 Martin Willi
+  *
+@@ -173,9 +175,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
+ CALLBACK(initiate, vici_message_t*,
+ 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+ {
++	vici_message_t* msg;
+ 	peer_cfg_t *peer_cfg = NULL;
+ 	child_cfg_t *child_cfg;
+ 	char *child, *ike, *type, *sa;
++	host_t *my_host = NULL, *other_host = NULL;
++	char *my_host_str, *other_host_str;
+ 	int timeout;
+ 	bool limits;
+ 	controller_cb_t log_cb = NULL;
+@@ -189,6 +194,8 @@ CALLBACK(initiate, vici_message_t*,
+ 	timeout = request->get_int(request, 0, "timeout");
+ 	limits = request->get_bool(request, FALSE, "init-limits");
+ 	log.level = request->get_int(request, 1, "loglevel");
++	my_host_str = request->get_str(request, NULL, "my-host");
++	other_host_str = request->get_str(request, NULL, "other-host");
+ 
+ 	if (!child && !ike)
+ 	{
+@@ -202,28 +209,48 @@ CALLBACK(initiate, vici_message_t*,
+ 	type = child ? "CHILD_SA" : "IKE_SA";
+ 	sa = child ?: ike;
+ 
++	if (my_host_str)
++	{
++		my_host = host_create_from_string(my_host_str, 0);
++	}
++	if (other_host_str)
++	{
++		other_host = host_create_from_string(other_host_str, 0);
++	}
++
++	DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits);
++
+ 	child_cfg = find_child_cfg(child, ike, &peer_cfg);
+ 
+-	DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
+ 	if (!peer_cfg)
+ 	{
+-		return send_reply(this, "%s config '%s' not found", type, sa);
++		msg = send_reply(this, "%s config '%s' not found", type, sa);
++		goto ret;
+ 	}
+-	switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
++	switch (charon->controller->initiate2(charon->controller, peer_cfg, child_cfg,
++										 my_host, other_host,
+ 										 log_cb, &log, log.level, timeout, limits))
+ 	{
+ 		case SUCCESS:
+-			return send_reply(this, NULL);
++			msg = send_reply(this, NULL);
++			break;
+ 		case OUT_OF_RES:
+-			return send_reply(this, "%s '%s' not established after %dms", type,
++			msg = send_reply(this, "%s '%s' not established after %dms", type,
+ 							  sa, timeout);
++			break;
+ 		case INVALID_STATE:
+-			return send_reply(this, "establishing %s '%s' not possible at the "
++			msg = send_reply(this, "establishing %s '%s' not possible at the "
+ 							  "moment due to limits", type, sa);
++			break;
+ 		case FAILED:
+ 		default:
+-			return send_reply(this, "establishing %s '%s' failed", type, sa);
++			msg = send_reply(this, "establishing %s '%s' failed", type, sa);
++			break;
+ 	}
++ret:
++	if (my_host) my_host->destroy(my_host);
++	if (other_host) other_host->destroy(other_host);
++	return msg;
+ }
+ 
+ /**
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index c128cc0787..bf4e125c84 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
++++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1,5 +1,7 @@
+ /*
+  * Copyright (C) 2008-2024 Tobias Brunner
++ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
++ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2005-2011 Martin Willi
+  * Copyright (C) 2005 Jan Hutter
+  *
+@@ -1500,6 +1502,13 @@ typedef struct {
+ 
+ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
++{
++	return this->public.checkout_by_config2(&this->public, peer_cfg, NULL, NULL);
++}
++
++METHOD(ike_sa_manager_t, checkout_by_config2, ike_sa_t*,
++	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg,
++	host_t *my_host, host_t *other_host)
+ {
+ 	enumerator_t *enumerator;
+ 	entry_t *entry;
+@@ -1510,7 +1519,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 	u_int segment;
+ 	int i;
+ 
+-	DBG2(DBG_MGR, "checkout IKE_SA by config");
++	if (my_host && my_host->get_port(my_host) == 0)
++	{
++		my_host->set_port(my_host, IKEV2_UDP_PORT);
++	}
++	if (other_host && other_host->get_port(other_host) == 0)
++	{
++		other_host->set_port(other_host, IKEV2_UDP_PORT);
++	}
++	DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
++		peer_cfg->get_name(peer_cfg), my_host, other_host);
+ 
+ 	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+ 	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
+@@ -1569,6 +1587,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 			continue;
+ 		}
+ 
++		if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
++		{
++			continue;
++		}
++		if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
++		{
++			continue;
++		}
++
+ 		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+ 		if (current_peer && current_peer->equals(current_peer, peer_cfg))
+ 		{
+@@ -1595,6 +1622,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 		{
+ 			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+ 			checkout_new(this, ike_sa);
++			if (my_host || other_host)
++			{
++				ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
++			}
+ 		}
+ 	}
+ 	charon->bus->set_sa(charon->bus, ike_sa);
+@@ -2560,6 +2591,7 @@ ike_sa_manager_t *ike_sa_manager_create()
+ 			.checkout = _checkout,
+ 			.checkout_by_message = _checkout_by_message,
+ 			.checkout_by_config = _checkout_by_config,
++			.checkout_by_config2 = _checkout_by_config2,
+ 			.checkout_by_id = _checkout_by_id,
+ 			.checkout_by_name = _checkout_by_name,
+ 			.new_initiator_spi = _new_initiator_spi,
+diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
+index 004cc22168..d001f5a802 100644
+--- a/src/libcharon/sa/ike_sa_manager.h
++++ b/src/libcharon/sa/ike_sa_manager.h
+@@ -123,7 +123,8 @@ struct ike_sa_manager_t {
+ 	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
+ 
+ 	/**
+-	 * Checkout an IKE_SA for initiation by a peer_config.
++	 * Checkout an IKE_SA for initiation by a peer_config and optional
++	 * source and remote host addresses.
+ 	 *
+ 	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
+ 	 * This call checks for an existing IKE_SA by comparing the configuration.
+@@ -140,6 +141,28 @@ struct ike_sa_manager_t {
+ 	 */
+ 	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
+ 
++	/**
++	 * Checkout an IKE_SA for initiation by a peer_config and optional
++	 * source and remote host addresses.
++	 *
++	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
++	 * This call checks for an existing IKE_SA by comparing the configuration.
++	 * If the CHILD_SA can be created in an existing IKE_SA, the matching SA
++	 * is returned.
++	 * If no IKE_SA is found, a new one is created and registered in the
++	 * manager. This is also the case when the found IKE_SA is in an unusable
++	 * state (e.g. DELETING).
++	 *
++	 * @note The peer_config is always set on the returned IKE_SA.
++	 *
++	 * @param peer_cfg			configuration used to find an existing IKE_SA
++	 * @param my_host			source host address for wildcard peer_cfg
++	 * @param other_host		remote host address for wildcard peer_cfg
++	 * @return					checked out/created IKE_SA
++	 */
++	ike_sa_t *(*checkout_by_config2)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
++									 host_t *my_host, host_t *other_host);
++
+ 	/**
+ 	 * Reset initiator SPI.
+ 	 *
+diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
+index 17953010a1..c316eea213 100644
+--- a/src/libcharon/sa/trap_manager.c
++++ b/src/libcharon/sa/trap_manager.c
+@@ -532,9 +532,9 @@ METHOD(trap_manager_t, acquire, void,
+ 	peer_cfg_t *peer;
+ 	child_cfg_t *child;
+ 	ike_sa_t *ike_sa;
+-	host_t *host = NULL;
++	host_t *host = NULL, *my_host = NULL, *other_host = NULL;
+ 	uint32_t allocated_reqid, seq = 0;
+-	bool wildcard;
++	bool wildcard, ignore = FALSE;
+ 
+ 	this->lock->read_lock(this->lock);
+ 	enumerator = this->traps->create_enumerator(this->traps);
+@@ -609,36 +609,26 @@ METHOD(trap_manager_t, acquire, void,
+ 	this->lock->unlock(this->lock);
+ 
+ 	if (wildcard)
+-	{	/* the peer config would match IKE_SAs with other peers */
+-		ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
+-											peer->get_ike_version(peer), TRUE);
+-		if (ike_sa)
+-		{
+-			ike_cfg_t *ike_cfg;
+-			uint16_t port;
+-			uint8_t mask;
+-
+-			ike_sa->set_peer_cfg(ike_sa, peer);
+-			ike_cfg = ike_sa->get_ike_cfg(ike_sa);
++	{
++		ike_cfg_t *ike_cfg;
++		uint16_t port;
++		uint8_t mask;
+ 
+-			port = ike_cfg->get_other_port(ike_cfg);
+-			data->dst->to_subnet(data->dst, &host, &mask);
+-			host->set_port(host, port);
+-			ike_sa->set_other_host(ike_sa, host);
++		ike_cfg = peer->get_ike_cfg(peer);
+ 
+-			port = ike_cfg->get_my_port(ike_cfg);
+-			data->src->to_subnet(data->src, &host, &mask);
+-			host->set_port(host, port);
+-			ike_sa->set_my_host(ike_sa, host);
++		port = ike_cfg->get_other_port(ike_cfg);
++		data->dst->to_subnet(data->dst, &other_host, &mask);
++		other_host->set_port(other_host, port);
+ 
+-			charon->bus->set_sa(charon->bus, ike_sa);
+-		}
+-	}
+-	else
+-	{
+-		ike_sa = charon->ike_sa_manager->checkout_by_config(
+-											charon->ike_sa_manager, peer);
++		port = ike_cfg->get_my_port(ike_cfg);
++		data->src->to_subnet(data->src, &my_host, &mask);
++		my_host->set_port(my_host, port);
+ 	}
++	ike_sa = charon->ike_sa_manager->checkout_by_config2(
++											charon->ike_sa_manager, peer,
++											my_host, other_host);
++	if (my_host) my_host->destroy(my_host);
++	if (other_host) other_host->destroy(other_host);
+ 	peer->destroy(peer);
+ 
+ 	if (ike_sa)
+diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
+index e0fffb907d..c0fc8c5952 100644
+--- a/src/swanctl/commands/initiate.c
++++ b/src/swanctl/commands/initiate.c
+@@ -1,4 +1,5 @@
+ /*
++ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
+  * Copyright (C) 2014 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -38,7 +39,7 @@ static int initiate(vici_conn_t *conn)
+ 	vici_req_t *req;
+ 	vici_res_t *res;
+ 	command_format_options_t format = COMMAND_FORMAT_NONE;
+-	char *arg, *child = NULL, *ike = NULL;
++	char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
+ 	int ret = 0, timeout = 0, level = 1;
+ 
+ 	while (TRUE)
+@@ -65,6 +66,12 @@ static int initiate(vici_conn_t *conn)
+ 			case 'l':
+ 				level = atoi(arg);
+ 				continue;
++			case 'S':
++				my_host = arg;
++				continue;
++			case 'R':
++				other_host = arg;
++				continue;
+ 			case EOF:
+ 				break;
+ 			default:
+@@ -88,6 +95,14 @@ static int initiate(vici_conn_t *conn)
+ 	{
+ 		vici_add_key_valuef(req, "ike", "%s", ike);
+ 	}
++	if (my_host)
++	{
++		vici_add_key_valuef(req, "my-host", "%s", my_host);
++	}
++	if (other_host)
++	{
++		vici_add_key_valuef(req, "other-host", "%s", other_host);
++	}
+ 	if (timeout)
+ 	{
+ 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
+@@ -134,6 +149,8 @@ static void __attribute__ ((constructor))reg()
+ 			{"help",		'h', 0, "show usage information"},
+ 			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
+ 			{"ike",			'i', 1, "initiate an IKE_SA, or name of child's parent"},
++			{"source",		'S', 1, "override source address"},
++			{"remote",		'R', 1, "override remote address"},
+ 			{"timeout",		't', 1, "timeout in seconds before detaching"},
+ 			{"raw",			'r', 0, "dump raw response message"},
+ 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+-- 
+2.51.0
+

0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch

@@ -1,104 +0,0 @@
-From 4904344754c2884e36b40532a8b65229c3355ff6 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Fri, 17 Jul 2015 11:53:58 +0200
-Subject: [PATCH 1/7] ike: Adhere to IKE_SA limit when checking out by config
-
-This prevents new SAs from getting created if we hit the global IKE_SA
-limit (we still allow checkout_new(), which is used for rekeying).
----
- src/libcharon/sa/ike_sa_manager.c | 71 ++++++++++++++++---------------
- 1 file changed, 37 insertions(+), 34 deletions(-)
-
-diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 3bac4b109..8a3178674 100644
---- a/src/libcharon/sa/ike_sa_manager.c
-+++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1419,48 +1419,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 
- 	DBG2(DBG_MGR, "checkout IKE_SA by config");
- 
--	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
--	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
--		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
--		charon->bus->set_sa(charon->bus, ike_sa);
--		goto out;
--	}
--
--	enumerator = create_table_enumerator(this);
--	while (enumerator->enumerate(enumerator, &entry, &segment))
-+	if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
- 	{
--		if (!wait_for_entry(this, entry, segment))
-+		enumerator = create_table_enumerator(this);
-+		while (enumerator->enumerate(enumerator, &entry, &segment))
- 		{
--			continue;
--		}
--		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
--			entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
--		{	/* skip IKE_SAs which are not usable, wake other waiting threads */
--			entry->condvar->signal(entry->condvar);
--			continue;
--		}
--
--		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
--		if (current_peer && current_peer->equals(current_peer, peer_cfg))
--		{
--			current_ike = current_peer->get_ike_cfg(current_peer);
--			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
-+			if (!wait_for_entry(this, entry, segment))
- 			{
--				entry->checked_out = thread_current();
--				ike_sa = entry->ike_sa;
--				DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
--						ike_sa->get_unique_id(ike_sa),
--						current_peer->get_name(current_peer));
--				break;
-+				continue;
- 			}
-+			if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
-+				entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
-+			{	/* skip IKE_SAs which are not usable, wake other waiting threads */
-+				entry->condvar->signal(entry->condvar);
-+				continue;
-+			}
-+			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
-+			if (current_peer && current_peer->equals(current_peer, peer_cfg))
-+			{
-+				current_ike = current_peer->get_ike_cfg(current_peer);
-+				if (current_ike->equals(current_ike,
-+										peer_cfg->get_ike_cfg(peer_cfg)))
-+				{
-+					entry->checked_out = thread_current();
-+					ike_sa = entry->ike_sa;
-+					DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
-+							ike_sa->get_unique_id(ike_sa),
-+							current_peer->get_name(current_peer));
-+					break;
-+				}
-+			}
-+			/* other threads might be waiting for this entry */
-+			entry->condvar->signal(entry->condvar);
- 		}
--		/* other threads might be waiting for this entry */
--		entry->condvar->signal(entry->condvar);
-+		enumerator->destroy(enumerator);
- 	}
--	enumerator->destroy(enumerator);
- 
- 	if (!ike_sa)
--	{	/* no IKE_SA using such a config, hand out a new */
-+	{	/* no IKE_SA using such a config, or reuse disabled, hand out a new */
-+		if (this->ikesa_limit &&
-+			this->public.get_count(&this->public) >= this->ikesa_limit)
-+		{
-+			DBG1(DBG_MGR, "IKE_SA creation failed, hitting IKE_SA limit (%u)",
-+				 this->ikesa_limit);
-+			return NULL;
-+		}
- 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
- 	}
- 	charon->bus->set_sa(charon->bus, ike_sa);
--- 
-2.24.1
-

0002-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -1,598 +0,0 @@
-From bc5cee05ee42b7566ed3539546757c3183aa7053 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Mon, 21 Sep 2015 13:41:58 +0300
-Subject: [PATCH 2/7] charon: add optional source and remote overrides for
- initiate
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This introduces support for specifying optional IKE SA specific
-source and remote address for child sa initiation. This allows
-to initiate wildcard connection for known address via vici.
-
-In addition this allows impler implementation of trap-any patches
-and is a prerequisite for dmvpn support.
-
-Signed-off-by: Timo Teräs <timo.teras@iki.fi>
----
- src/charon-cmd/cmd/cmd_connection.c           |  2 +-
- src/charon-nm/nm/nm_service.c                 |  2 +-
- src/libcharon/control/controller.c            | 43 ++++++++++++-
- src/libcharon/control/controller.h            |  3 +
- src/libcharon/plugins/stroke/stroke_control.c |  5 +-
- src/libcharon/plugins/vici/vici_config.c      |  2 +-
- src/libcharon/plugins/vici/vici_control.c     | 63 ++++++++++++++++---
- .../processing/jobs/start_action_job.c        |  2 +-
- src/libcharon/sa/ike_sa_manager.c             | 51 ++++++++++++++-
- src/libcharon/sa/ike_sa_manager.h             |  8 ++-
- src/libcharon/sa/trap_manager.c               | 45 ++++++-------
- src/swanctl/commands/initiate.c               | 40 +++++++++++-
- 12 files changed, 218 insertions(+), 48 deletions(-)
-
-diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 1cf431ff2..ae406393f 100644
---- a/src/charon-cmd/cmd/cmd_connection.c
-+++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -436,7 +436,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
- 	child_cfg = create_child_cfg(this, peer_cfg);
- 
- 	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
--								controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
-+								NULL, NULL, controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
- 	{
- 		terminate(pid);
- 	}
-diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
-index fb9044d29..b47a0c7f5 100644
---- a/src/charon-nm/nm/nm_service.c
-+++ b/src/charon-nm/nm/nm_service.c
-@@ -622,7 +622,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
- 	 * Prepare IKE_SA
- 	 */
- 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
--														peer_cfg);
-+														peer_cfg, NULL, NULL);
- 	if (!ike_sa)
- 	{
- 		peer_cfg->destroy(peer_cfg);
-diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 589c536d2..037e6a72d 100644
---- a/src/libcharon/control/controller.c
-+++ b/src/libcharon/control/controller.c
-@@ -15,6 +15,28 @@
-  * for more details.
-  */
- 
-+/*
-+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+ * THE SOFTWARE.
-+ */
-+
- #include "controller.h"
- 
- #include <sys/types.h>
-@@ -102,6 +124,16 @@ struct interface_listener_t {
- 	 */
- 	ike_sa_t *ike_sa;
- 
-+	/**
-+	 * Our host hint.
-+	 */
-+	host_t *my_host;
-+
-+	/**
-+	 * Other host hint.
-+	 */
-+	host_t *other_host;
-+
- 	/**
- 	 * unique ID, used for various methods
- 	 */
-@@ -409,9 +441,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
- 	ike_sa_t *ike_sa;
- 	interface_listener_t *listener = &job->listener;
- 	peer_cfg_t *peer_cfg = listener->peer_cfg;
-+	host_t *my_host = listener->my_host;
-+	host_t *other_host = listener->other_host;
- 
- 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
--														peer_cfg);
-+														peer_cfg, my_host, other_host);
-+	DESTROY_IF(my_host);
-+	DESTROY_IF(other_host);
-+
- 	if (!ike_sa)
- 	{
- 		listener->child_cfg->destroy(listener->child_cfg);
-@@ -420,6 +457,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
- 		listener_done(listener);
- 		return JOB_REQUEUE_NONE;
- 	}
-+
- 	listener->lock->lock(listener->lock);
- 	listener->ike_sa = ike_sa;
- 	listener->lock->unlock(listener->lock);
-@@ -492,6 +530,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
- 
- METHOD(controller_t, initiate, status_t,
- 	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-+	host_t *my_host, host_t *other_host,
- 	controller_cb_t callback, void *param, u_int timeout, bool limits)
- {
- 	interface_job_t *job;
-@@ -514,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
- 			.status = FAILED,
- 			.child_cfg = child_cfg,
- 			.peer_cfg = peer_cfg,
-+			.my_host = my_host ? my_host->clone(my_host) : NULL,
-+			.other_host = other_host ? other_host->clone(other_host) : NULL,
- 			.lock = spinlock_create(),
- 			.options.limits = limits,
- 		},
-diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index af9baca01..02f17a8e3 100644
---- a/src/libcharon/control/controller.h
-+++ b/src/libcharon/control/controller.h
-@@ -79,6 +79,8 @@ struct controller_t {
- 	 *
- 	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
- 	 * @param child_cfg		child_cfg to set up CHILD_SA from
-+	 * @param my_host		optional address hint for source
-+	 * @param other_host	optional address hint for destination
- 	 * @param cb			logging callback
- 	 * @param param			parameter to include in each call of cb
- 	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
-@@ -92,6 +94,7 @@ struct controller_t {
- 	 */
- 	status_t (*initiate)(controller_t *this,
- 						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
-+						 host_t *my_host, host_t *other_host,
- 						 controller_cb_t callback, void *param, u_int timeout,
- 						 bool limits);
- 
-diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
-index 8d84b934e..b00d0e62d 100644
---- a/src/libcharon/plugins/stroke/stroke_control.c
-+++ b/src/libcharon/plugins/stroke/stroke_control.c
-@@ -108,7 +108,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
- 	if (msg->output_verbosity < 0)
- 	{
- 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
--									 NULL, NULL, 0, FALSE);
-+									 NULL, NULL, NULL, NULL, 0, FALSE);
- 	}
- 	else
- 	{
-@@ -116,7 +116,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
- 		status_t status;
- 
- 		status = charon->controller->initiate(charon->controller,
--							peer_cfg, child_cfg, (controller_cb_t)stroke_log,
-+							peer_cfg, child_cfg, NULL, NULL,
-+							(controller_cb_t)stroke_log,
- 							&info, this->timeout, FALSE);
- 		switch (status)
- 		{
-diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index ace7a4528..f0fd8a989 100644
---- a/src/libcharon/plugins/vici/vici_config.c
-+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -2057,7 +2057,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
- 			DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
- 			charon->controller->initiate(charon->controller,
- 					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
--					NULL, NULL, 0, FALSE);
-+					NULL, NULL, NULL, NULL, 0, FALSE);
- 			break;
- 		case ACTION_ROUTE:
- 			DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 16e49fdbc..9c6b86741 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -16,6 +16,28 @@
-  * for more details.
-  */
- 
-+/*
-+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+ * THE SOFTWARE.
-+ */
-+
- #include "vici_control.h"
- #include "vici_builder.h"
- 
-@@ -169,9 +191,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
- CALLBACK(initiate, vici_message_t*,
- 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
- {
-+	vici_message_t* msg;
- 	child_cfg_t *child_cfg = NULL;
- 	peer_cfg_t *peer_cfg;
--	char *child, *ike;
-+	host_t *my_host = NULL, *other_host = NULL;
-+	char *child, *ike, *my_host_str, *other_host_str;
- 	int timeout;
- 	bool limits;
- 	controller_cb_t log_cb = NULL;
-@@ -185,6 +209,8 @@ CALLBACK(initiate, vici_message_t*,
- 	timeout = request->get_int(request, 0, "timeout");
- 	limits = request->get_bool(request, FALSE, "init-limits");
- 	log.level = request->get_int(request, 1, "loglevel");
-+	my_host_str = request->get_str(request, NULL, "my-host");
-+	other_host_str = request->get_str(request, NULL, "other-host");
- 
- 	if (!child)
- 	{
-@@ -195,28 +221,47 @@ CALLBACK(initiate, vici_message_t*,
- 		log_cb = (controller_cb_t)log_vici;
- 	}
- 
--	DBG1(DBG_CFG, "vici initiate '%s'", child);
-+	if (my_host_str)
-+	{
-+		my_host = host_create_from_string(my_host_str, 0);
-+	}
-+	if (other_host_str)
-+	{
-+		other_host = host_create_from_string(other_host_str, 0);
-+	}
-+
-+	DBG1(DBG_CFG, "vici initiate '%s', me %H, other %H, limits %d", child, my_host, other_host, limits);
- 
- 	child_cfg = find_child_cfg(child, ike, &peer_cfg);
- 	if (!child_cfg)
- 	{
--		return send_reply(this, "CHILD_SA config '%s' not found", child);
-+		msg = send_reply(this, "CHILD_SA config '%s' not found", child);
-+		goto ret;
- 	}
--	switch (charon->controller->initiate(charon->controller, peer_cfg,
--									child_cfg, log_cb, &log, timeout, limits))
-+	switch (charon->controller->initiate(charon->controller,
-+				peer_cfg, child_cfg, my_host, other_host,
-+				log_cb, &log, timeout, limits))
- 	{
- 		case SUCCESS:
--			return send_reply(this, NULL);
-+			msg = send_reply(this, NULL);
-+			break;
- 		case OUT_OF_RES:
--			return send_reply(this, "CHILD_SA '%s' not established after %dms",
-+			msg = send_reply(this, "CHILD_SA '%s' not established after %dms",
- 							  child, timeout);
-+			break;
- 		case INVALID_STATE:
--			return send_reply(this, "establishing CHILD_SA '%s' not possible "
-+			msg = send_reply(this, "establishing CHILD_SA '%s' not possible "
- 							  "at the moment due to limits", child);
-+			break;
- 		case FAILED:
- 		default:
--			return send_reply(this, "establishing CHILD_SA '%s' failed", child);
-+			msg = send_reply(this, "establishing CHILD_SA '%s' failed", child);
-+			break;
- 	}
-+ret:
-+	if (my_host) my_host->destroy(my_host);
-+	if (other_host) other_host->destroy(other_host);
-+	return msg;
- }
- 
- CALLBACK(terminate, vici_message_t*,
-diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
-index 3a0ed879f..e3399007b 100644
---- a/src/libcharon/processing/jobs/start_action_job.c
-+++ b/src/libcharon/processing/jobs/start_action_job.c
-@@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t,
- 					charon->controller->initiate(charon->controller,
- 												 peer_cfg->get_ref(peer_cfg),
- 												 child_cfg->get_ref(child_cfg),
--												 NULL, NULL, 0, FALSE);
-+												 NULL, NULL, NULL, NULL, 0, FALSE);
- 					break;
- 				case ACTION_ROUTE:
- 					DBG1(DBG_JOB, "start action: route '%s'", name);
-diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 8a3178674..ad338b04c 100644
---- a/src/libcharon/sa/ike_sa_manager.c
-+++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -17,6 +17,28 @@
-  * for more details.
-  */
- 
-+/*
-+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+ * THE SOFTWARE.
-+ */
-+
- #include <string.h>
- #include <inttypes.h>
- 
-@@ -1408,7 +1430,8 @@ out:
- }
- 
- METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
--	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
-+	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg,
-+	host_t *my_host, host_t *other_host)
- {
- 	enumerator_t *enumerator;
- 	entry_t *entry;
-@@ -1417,7 +1440,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 	ike_cfg_t *current_ike;
- 	u_int segment;
- 
--	DBG2(DBG_MGR, "checkout IKE_SA by config");
-+	if (my_host && my_host->get_port(my_host) == 0)
-+	{
-+		my_host->set_port(my_host, IKEV2_UDP_PORT);
-+	}
-+	if (other_host && other_host->get_port(other_host) == 0)
-+	{
-+		other_host->set_port(other_host, IKEV2_UDP_PORT);
-+	}
-+
-+	DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
-+		 peer_cfg->get_name(peer_cfg), my_host, other_host);
- 
- 	if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
- 	{
-@@ -1434,6 +1467,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 				entry->condvar->signal(entry->condvar);
- 				continue;
- 			}
-+
-+			if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
-+			{
-+				continue;
-+			}
-+			if (other_host && !other_host->ip_equals(other_host, entry->ike_sa->get_other_host(entry->ike_sa)))
-+			{
-+				continue;
-+			}
-+
- 			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
- 			if (current_peer && current_peer->equals(current_peer, peer_cfg))
- 			{
-@@ -1465,6 +1508,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 			return NULL;
- 		}
- 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
-+		if (my_host || other_host)
-+		{
-+			ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
-+		}
- 	}
- 	charon->bus->set_sa(charon->bus, ike_sa);
- 
-diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
-index efad2e4d6..c43edabbb 100644
---- a/src/libcharon/sa/ike_sa_manager.h
-+++ b/src/libcharon/sa/ike_sa_manager.h
-@@ -93,7 +93,8 @@ struct ike_sa_manager_t {
- 	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
- 
- 	/**
--	 * Checkout an IKE_SA for initiation by a peer_config.
-+	 * Checkout an IKE_SA for initiation by a peer_config and optional
-+	 * source and remote host addresses.
- 	 *
- 	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
- 	 * This call checks for an existing IKE_SA by comparing the configuration.
-@@ -103,10 +104,13 @@ struct ike_sa_manager_t {
- 	 * the found IKE_SA is in the DELETING state.
- 	 *
- 	 * @param peer_cfg			configuration used to find an existing IKE_SA
-+	 * @param my_host			source host address for wildcard peer_cfg
-+	 * @param other_host		remote host address for wildcard peer_cfg
- 	 * @return					checked out/created IKE_SA
- 	 */
- 	ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
--									 peer_cfg_t *peer_cfg);
-+									 peer_cfg_t *peer_cfg,
-+									 host_t *my_host, host_t *other_host);
- 
- 	/**
- 	 * Reset initiator SPI.
-diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 148df3923..901a8ba10 100644
---- a/src/libcharon/sa/trap_manager.c
-+++ b/src/libcharon/sa/trap_manager.c
-@@ -421,7 +421,7 @@ METHOD(trap_manager_t, acquire, void,
- 	peer_cfg_t *peer;
- 	child_cfg_t *child;
- 	ike_sa_t *ike_sa;
--	host_t *host;
-+	host_t *host, *my_host = NULL, *other_host = NULL;
- 	bool wildcard, ignore = FALSE;
- 
- 	this->lock->read_lock(this->lock);
-@@ -497,36 +497,27 @@ METHOD(trap_manager_t, acquire, void,
- 	this->lock->unlock(this->lock);
- 
- 	if (wildcard)
--	{	/* the peer config would match IKE_SAs with other peers */
--		ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
--											peer->get_ike_version(peer), TRUE);
--		if (ike_sa)
--		{
--			ike_cfg_t *ike_cfg;
--			uint16_t port;
--			uint8_t mask;
--
--			ike_sa->set_peer_cfg(ike_sa, peer);
--			ike_cfg = ike_sa->get_ike_cfg(ike_sa);
-+	{
-+		ike_cfg_t *ike_cfg;
-+		uint16_t port;
-+		uint8_t mask;
- 
--			port = ike_cfg->get_other_port(ike_cfg);
--			dst->to_subnet(dst, &host, &mask);
--			host->set_port(host, port);
--			ike_sa->set_other_host(ike_sa, host);
-+		ike_cfg = peer->get_ike_cfg(peer);
- 
--			port = ike_cfg->get_my_port(ike_cfg);
--			src->to_subnet(src, &host, &mask);
--			host->set_port(host, port);
--			ike_sa->set_my_host(ike_sa, host);
-+		port = ike_cfg->get_other_port(ike_cfg);
-+		dst->to_subnet(dst, &other_host, &mask);
-+		other_host->set_port(other_host, port);
- 
--			charon->bus->set_sa(charon->bus, ike_sa);
--		}
--	}
--	else
--	{
--		ike_sa = charon->ike_sa_manager->checkout_by_config(
--											charon->ike_sa_manager, peer);
-+		port = ike_cfg->get_my_port(ike_cfg);
-+		src->to_subnet(src, &my_host, &mask);
-+		my_host->set_port(my_host, port);
- 	}
-+	ike_sa = charon->ike_sa_manager->checkout_by_config(
-+											charon->ike_sa_manager, peer,
-+											my_host, other_host);
-+	DESTROY_IF(my_host);
-+	DESTROY_IF(other_host);
-+
- 	if (ike_sa)
- 	{
- 		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
-diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
-index bf8d2cd79..29d95d85c 100644
---- a/src/swanctl/commands/initiate.c
-+++ b/src/swanctl/commands/initiate.c
-@@ -13,6 +13,28 @@
-  * for more details.
-  */
- 
-+/*
-+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in
-+ * all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-+ * THE SOFTWARE.
-+ */
-+
- #include "command.h"
- 
- #include <errno.h>
-@@ -37,7 +59,7 @@ static int initiate(vici_conn_t *conn)
- 	vici_req_t *req;
- 	vici_res_t *res;
- 	command_format_options_t format = COMMAND_FORMAT_NONE;
--	char *arg, *child = NULL, *ike = NULL;
-+	char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
- 	int ret = 0, timeout = 0, level = 1;
- 
- 	while (TRUE)
-@@ -64,6 +86,12 @@ static int initiate(vici_conn_t *conn)
- 			case 'l':
- 				level = atoi(arg);
- 				continue;
-+			case 'S':
-+				my_host = arg;
-+				continue;
-+			case 'R':
-+				other_host = arg;
-+				continue;
- 			case EOF:
- 				break;
- 			default:
-@@ -87,6 +115,14 @@ static int initiate(vici_conn_t *conn)
- 	{
- 		vici_add_key_valuef(req, "ike", "%s", ike);
- 	}
-+	if (my_host)
-+	{
-+		vici_add_key_valuef(req, "my-host", "%s", my_host);
-+	}
-+	if (other_host)
-+	{
-+		vici_add_key_valuef(req, "other-host", "%s", other_host);
-+	}
- 	if (timeout)
- 	{
- 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
-@@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg()
- 			{"help",		'h', 0, "show usage information"},
- 			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
- 			{"ike",			'i', 1, "name of the connection to which the child belongs"},
-+			{"source",		'S', 1, "override source address"},
-+			{"remote",		'R', 1, "override remote address"},
- 			{"timeout",		't', 1, "timeout in seconds before detaching"},
- 			{"raw",			'r', 0, "dump raw response message"},
- 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
--- 
-2.24.1
-

0002-vici-send-certificates-for-ike-sa-events.patch

@@ -1,21 +1,21 @@
-From 0220ba579f8df26f90a1152f115f2a339a755708 Mon Sep 17 00:00:00 2001
+From 59e1a0469bbd50704f777835c0fcd7013f7841c7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 3/7] vici: send certificates for ike-sa events
+Subject: [PATCH 2/4] vici: send certificates for ike-sa events
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 48 +++++++++++++++++++++----
- 1 file changed, 41 insertions(+), 7 deletions(-)
+ src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++----
+ 1 file changed, 42 insertions(+), 8 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index d7b61ca72..f986ef8ab 100644
+index 43e3f44137..5e49cb8a0b 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -337,7 +337,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+@@ -433,7 +433,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
   * List details of an IKE_SA
   */
  static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,8 +24,8 @@ index d7b61ca72..f986ef8ab 100644
  {
  	time_t t;
  	ike_sa_id_t *id;
-@@ -345,6 +345,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
- 	proposal_t *proposal;
+@@ -442,6 +442,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+ 	uint32_t if_id;
  	uint16_t alg, ks;
  	host_t *host;
 +	auth_cfg_t *auth_cfg;
@@ -33,7 +33,7 @@ index d7b61ca72..f986ef8ab 100644
  
  	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
  	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -354,11 +356,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -451,11 +453,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	b->add_kv(b, "local-host", "%H", host);
  	b->add_kv(b, "local-port", "%d", host->get_port(host));
  	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index d7b61ca72..f986ef8ab 100644
  
  	eap = ike_sa->get_other_eap_id(ike_sa);
  
-@@ -477,7 +511,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -588,7 +622,7 @@ CALLBACK(list_sas, vici_message_t*,
  		b = vici_builder_create();
  		b->begin_section(b, ike_sa->get_name(ike_sa));
  
@@ -86,7 +86,7 @@ index d7b61ca72..f986ef8ab 100644
  
  		b->begin_section(b, "child-sas");
  		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1650,7 +1684,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1805,7 +1839,7 @@ METHOD(listener_t, ike_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index d7b61ca72..f986ef8ab 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1675,10 +1709,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1830,10 +1864,10 @@ METHOD(listener_t, ike_rekey, bool,
  	b = vici_builder_create();
  	b->begin_section(b, old->get_name(old));
  	b->begin_section(b, "old");
@@ -108,7 +108,16 @@ index d7b61ca72..f986ef8ab 100644
  	b->end_section(b);
  	b->end_section(b);
  
-@@ -1708,7 +1742,7 @@ METHOD(listener_t, child_updown, bool,
+@@ -1864,7 +1898,7 @@ METHOD(listener_t, ike_update, bool,
+ 	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
++	list_ike(this, b, ike_sa, now, TRUE);
+ 	b->end_section(b);
+ 
+ 	this->dispatcher->raise_event(this->dispatcher,
+@@ -1894,7 +1928,7 @@ METHOD(listener_t, child_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -116,8 +125,8 @@ index d7b61ca72..f986ef8ab 100644
 +	list_ike(this, b, ike_sa, now, up);
  	b->begin_section(b, "child-sas");
  
- 	b->begin_section(b, child_sa->get_name(child_sa));
-@@ -1740,7 +1774,7 @@ METHOD(listener_t, child_rekey, bool,
+ 	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
+@@ -1929,7 +1963,7 @@ METHOD(listener_t, child_rekey, bool,
  	b = vici_builder_create();
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -127,5 +136,5 @@ index d7b61ca72..f986ef8ab 100644
  
  	b->begin_section(b, old->get_name(old));
 -- 
-2.24.1
+2.51.0
 

0003-vici-add-support-for-individual-sa-state-changes.patch

@@ -1,7 +1,7 @@
-From 5ad4fd199b718d8281021a6e31d682872b59a34c Mon Sep 17 00:00:00 2001
+From 17118385d600eeb9814af4106b690c8e2b285971 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 4/7] vici: add support for individual sa state changes
+Subject: [PATCH 3/4] vici: add support for individual sa state changes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -10,17 +10,17 @@ Useful for monitoring and tracking full SA.
 
 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++
- 1 file changed, 105 insertions(+)
+ src/libcharon/plugins/vici/vici_query.c | 106 ++++++++++++++++++++++++
+ 1 file changed, 106 insertions(+)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index f986ef8ab..c7b07fca0 100644
+index 5e49cb8a0b..1115161f6b 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1650,8 +1650,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
- 	this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
+@@ -1805,8 +1805,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
  	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
 +	this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
 +	this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
  	this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
@@ -34,10 +34,11 @@ index f986ef8ab..c7b07fca0 100644
  	manage_command(this, "list-sas", list_sas, reg);
  	manage_command(this, "list-policies", list_policies, reg);
  	manage_command(this, "list-conns", list_conns, reg);
-@@ -1722,6 +1730,45 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1907,6 +1915,46 @@ METHOD(listener_t, ike_update, bool,
  	return TRUE;
  }
  
++
 +METHOD(listener_t, ike_state_change, bool,
 +	private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 +{
@@ -80,7 +81,7 @@ index f986ef8ab..c7b07fca0 100644
  METHOD(listener_t, child_updown, bool,
  	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
  {
-@@ -1797,6 +1844,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1986,6 +2034,62 @@ METHOD(listener_t, child_rekey, bool,
  	return TRUE;
  }
  
@@ -143,10 +144,10 @@ index f986ef8ab..c7b07fca0 100644
  METHOD(vici_query_t, destroy, void,
  	private_vici_query_t *this)
  {
-@@ -1816,8 +1919,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
- 			.listener = {
+@@ -2006,8 +2110,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
  				.ike_updown = _ike_updown,
  				.ike_rekey = _ike_rekey,
+ 				.ike_update = _ike_update,
 +				.ike_state_change = _ike_state_change,
  				.child_updown = _child_updown,
  				.child_rekey = _child_rekey,
@@ -155,5 +156,5 @@ index f986ef8ab..c7b07fca0 100644
  			.destroy = _destroy,
  		},
 -- 
-2.24.1
+2.51.0
 

0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch

@@ -0,0 +1,286 @@
+From 30238c949e7c1ba2df4f8adfaefdc205f7ddb98f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
+Date: Sun, 21 Jan 2024 03:11:32 +0100
+Subject: [PATCH 4/4] Support GRE key in selectors with kernel-netlink.
+
+Implementation use two 2-byte port fields (from/to range) to store key
+similar to ICMP.
+---
+ .../kernel_netlink/kernel_netlink_ipsec.c     | 19 +++++++++++++
+ .../plugins/load_tester/load_tester_config.c  | 22 ++++++++++++++-
+ src/libcharon/plugins/stroke/stroke_config.c  | 22 ++++++++++++++-
+ src/libcharon/plugins/vici/vici_config.c      | 27 ++++++++++++++++++-
+ .../selectors/traffic_selector.c              | 20 ++++++++++++++
+ .../selectors/traffic_selector.h              | 12 +++++++++
+ src/starter/confread.c                        | 24 ++++++++++++++++-
+ src/swanctl/swanctl.opt                       |  3 +++
+ 8 files changed, 145 insertions(+), 4 deletions(-)
+
+diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index d951aa0737..dd279c24aa 100644
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -893,6 +893,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ {
+ 	struct xfrm_selector sel;
+ 	uint16_t port;
++	uint32_t gre_key;
+ 
+ 	memset(&sel, 0, sizeof(sel));
+ 	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
+@@ -913,6 +914,24 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ 		sel.dport = htons(traffic_selector_icmp_code(port));
+ 		sel.dport_mask = sel.dport ? ~0 : 0;
+ 	}
++	if (sel.proto == IPPROTO_GRE)
++	{
++		/* the kernel expects the GRE key in the source and destination
++		 * port fields, respectively. */
++		gre_key = htons(traffic_selector_gre_key(dst->get_from_port(dst), dst->get_to_port(dst)));
++		if ( gre_key != 0 )
++		{
++			sel.sport = gre_key >> 16;
++			sel.sport_mask = ~0;
++			sel.dport = gre_key & 0xffff;
++			sel.dport_mask = ~0;
++		} else {
++			sel.sport = 0;
++			sel.sport_mask = 0;
++			sel.dport = 0;
++			sel.dport_mask = 0;
++		}
++	}
+ 	sel.ifindex = interface ? if_nametoindex(interface) : 0;
+ 	sel.user = 0;
+ 
+diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
+index 2a440aa630..bc9a1e40b9 100644
+--- a/src/libcharon/plugins/load_tester/load_tester_config.c
++++ b/src/libcharon/plugins/load_tester/load_tester_config.c
+@@ -507,7 +507,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 			*protocol = (uint8_t)p;
+ 		}
+ 	}
+-	if (streq(port, "%any"))
++	if (*protocol == IPPROTO_GRE)
++	{
++		if (*port && !streq(port, "%any"))
++		{
++			p = strtol(port, &endptr, 0);
++			if (p < 0 || p > 0xffffffff)
++			{
++				return FALSE;
++			}
++			*from_port = (p >> 16) & 0xffff;
++			*to_port = p & 0xffff;
++			if (*endptr)
++			{
++				return FALSE;
++			}
++		} else {
++			*from_port = 0;
++			*to_port = 0;
++		}
++	}
++	else if (streq(port, "%any"))
+ 	{
+ 		*from_port = 0;
+ 		*to_port = 0xffff;
+diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
+index b6e700fa9c..017e6b4766 100644
+--- a/src/libcharon/plugins/stroke/stroke_config.c
++++ b/src/libcharon/plugins/stroke/stroke_config.c
+@@ -926,7 +926,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 			*protocol = (uint8_t)p;
+ 		}
+ 	}
+-	if (streq(port, "%any"))
++	if (*protocol == IPPROTO_GRE)
++	{
++		if (*port && !streq(port, "%any"))
++		{
++			p = strtol(port, &endptr, 0);
++			if (p < 0 || p > 0xffffffff)
++			{
++				return FALSE;
++			}
++			*from_port = (p >> 16) & 0xffff;
++			*to_port = p & 0xffff;
++			if (*endptr)
++				return FALSE;
++		}
++		else
++		{
++			*from_port = 0;
++			*to_port = 0;
++		}
++	}
++	else if (streq(port, "%any"))
+ 	{
+ 		*from_port = 0;
+ 		*to_port = 0xffff;
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index 6ea239f0a1..96c2d1276e 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
++++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -749,7 +749,27 @@ CALLBACK(parse_ts, bool,
+ 				proto = (uint8_t)p;
+ 			}
+ 		}
+-		if (streq(port, "opaque"))
++		if (proto == IPPROTO_GRE)
++		{
++			if (*port && !streq(port, "any"))
++			{
++				p = strtol(port, &end, 0);
++				if (p < 0 || p > 0xffffffff)
++				{
++					return FALSE;
++				}
++				from = (p >> 16) & 0xffff;
++				to = p & 0xffff;
++				if (*end)
++				{
++					return FALSE;
++				}
++			} else {
++				from = 0;
++				to = 0;
++			}
++		}
++		else if (streq(port, "opaque"))
+ 		{
+ 			from = 0xffff;
+ 			to = 0;
+@@ -786,6 +806,11 @@ CALLBACK(parse_ts, bool,
+ 			}
+ 		}
+ 	}
++	else if (proto == IPPROTO_GRE)
++	{
++		from = 0;
++		to = 0;
++	}
+ 	if (streq(buf, "dynamic"))
+ 	{
+ 		ts = traffic_selector_create_dynamic(proto, from, to);
+diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
+index 4022c45c13..ae07e02995 100644
+--- a/src/libstrongswan/selectors/traffic_selector.c
++++ b/src/libstrongswan/selectors/traffic_selector.c
+@@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
+ 	return print_in_hook(data, "%d", type);
+ }
+ 
++/**
++ * Print GRE key
++ */
++static int print_gre(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
++{
++	uint32_t gre_key;
++
++	gre_key = traffic_selector_gre_key(from_port, to_port);
++
++	return print_in_hook(data, "%d", gre_key);
++}
++
+ /**
+  * Described in header.
+  */
+@@ -319,6 +331,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 			{
+ 				written += print_icmp(data, this->from_port);
+ 			}
++			else if (this->protocol == IPPROTO_GRE)
++			{
++				written += print_gre(data, this->from_port, this->to_port);
++			}
+ 			else
+ 			{
+ 				serv = getservbyport(htons(this->from_port), serv_proto);
+@@ -332,6 +348,10 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 				}
+ 			}
+ 		}
++		else if (this->protocol == IPPROTO_GRE)
++		{
++			written += print_gre(data, this->from_port, this->to_port);
++		}
+ 		else if (is_opaque(this))
+ 		{
+ 			written += print_in_hook(data, "OPAQUE");
+diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
+index 367b4fff94..b7010e4a73 100644
+--- a/src/libstrongswan/selectors/traffic_selector.h
++++ b/src/libstrongswan/selectors/traffic_selector.h
+@@ -272,6 +272,18 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
+ 	return port & 0xff;
+ }
+ 
++/**
++ * Extract the GRE key from a source and destination port in host order
++ *
++ * @param from_port		port number in host order
++ * @param to_port		port number in host order
++ * @return				GRE key
++ */
++static inline uint8_t traffic_selector_gre_key(uint16_t from_port, uint16_t to_port)
++{
++	return (from_port & 0xffff) << 16 | (to_port & 0xffff);
++}
++
+ /**
+  * Compare two traffic selectors, usable as sort function
+  *
+diff --git a/src/starter/confread.c b/src/starter/confread.c
+index 5065bc369f..039b6f402b 100644
+--- a/src/starter/confread.c
++++ b/src/starter/confread.c
+@@ -325,7 +325,29 @@ static void kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token,
+ 					end->protocol = (uint8_t)p;
+ 				}
+ 			}
+-			if (streq(port, "%any"))
++			if (end->protocol == IPPROTO_GRE)
++			{
++				if (*port && !streq(port, "%any"))
++				{
++					p = strtol(port, &endptr, 0);
++					if (p < 0 || p > 0xffffffff)
++					{
++						DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
++						goto err;
++					}
++					end->from_port = (p >> 16) & 0xffff;
++					end->to_port = p & 0xffff;
++					if (*endptr)
++					{
++						DBG1(DBG_APP, "# bad GRE key: %s=%s", key, port);
++						goto err;
++					}
++				} else {
++					end->from_port = 0;
++					end->to_port = 0;
++				}
++			}
++			else if (streq(port, "%any"))
+ 			{
+ 				end->from_port = 0;
+ 				end->to_port = 0xffff;
+diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
+index 8336735fff..be185bc056 100644
+--- a/src/swanctl/swanctl.opt
++++ b/src/swanctl/swanctl.opt
+@@ -805,6 +805,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
+ 	equal to 256, with the type in the most significant 8 bits and the code in
+ 	the least significant 8 bits.
+ 
++	If protocol is restricted to GRE, port restriction specifies GRE key
++	in 32 bit numeric form eg. dynamic[gre/100].
++
+ 	When IKEv1 is used only the first selector is interpreted, except if
+ 	the Cisco Unity extension plugin is used. This is due to a limitation of the
+ 	IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
+-- 
+2.51.0
+

0005-vici-add-deprecated-async-parameter.patch

@@ -1,49 +0,0 @@
-From b251c17bfba838ee565a4f4af35b249024e35e77 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Mon, 21 Sep 2015 13:42:15 +0300
-Subject: [PATCH 5/7] vici: add (deprecated) async parameter
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is obsoleted by the new "timeout=-1" option that achieves
-the same. Only for compatibility with old versions of quagga-nhrp.
-
-Signed-off-by: Timo Teräs <timo.teras@iki.fi>
----
- src/libcharon/plugins/vici/vici_control.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 9c6b86741..718d14b3c 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -197,7 +197,7 @@ CALLBACK(initiate, vici_message_t*,
- 	host_t *my_host = NULL, *other_host = NULL;
- 	char *child, *ike, *my_host_str, *other_host_str;
- 	int timeout;
--	bool limits;
-+	bool limits, async;
- 	controller_cb_t log_cb = NULL;
- 	log_info_t log = {
- 		.dispatcher = this->dispatcher,
-@@ -208,6 +208,7 @@ CALLBACK(initiate, vici_message_t*,
- 	ike = request->get_str(request, NULL, "ike");
- 	timeout = request->get_int(request, 0, "timeout");
- 	limits = request->get_bool(request, FALSE, "init-limits");
-+	async = request->get_bool(request, FALSE, "async");
- 	log.level = request->get_int(request, 1, "loglevel");
- 	my_host_str = request->get_str(request, NULL, "my-host");
- 	other_host_str = request->get_str(request, NULL, "other-host");
-@@ -216,7 +217,7 @@ CALLBACK(initiate, vici_message_t*,
- 	{
- 		return send_reply(this, "missing configuration name");
- 	}
--	if (timeout >= 0)
-+	if (timeout >= 0 && !async)
- 	{
- 		log_cb = (controller_cb_t)log_vici;
- 	}
--- 
-2.24.1
-

0006-support-gre-key-in-ikev1.patch

@@ -1,507 +0,0 @@
-From b2e130f8ce765d5bd0f12ad16ef2434c820c11b1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Mon, 21 Sep 2015 13:42:18 +0300
-Subject: [PATCH 6/7] support gre key in ikev1
-
-this implements gre key negotiation in ikev1 similarly to the
-ipsec-tools patch in alpine.
-
-the from/to port pair is internally used as gre key for gre
-protocol traffic selectors. since from/to pairs 0/0xffff and
-0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
-will not work.
-
-this is not standard compliant, and should probably not be upstreamed
-or used widely, but it is applied for interoperability with alpine
-racoon for the time being.
----
- src/libcharon/encoding/payloads/id_payload.c  | 68 ++++++++++++++-----
- src/libcharon/encoding/payloads/id_payload.h  |  6 +-
- .../kernel_netlink/kernel_netlink_ipsec.c     | 40 ++++++++---
- src/libcharon/plugins/stroke/stroke_config.c  |  5 ++
- src/libcharon/plugins/unity/unity_narrow.c    |  2 +-
- src/libcharon/plugins/vici/vici_config.c      |  9 ++-
- src/libcharon/sa/ikev1/tasks/quick_mode.c     | 16 +++--
- .../selectors/traffic_selector.c              | 33 ++++++++-
- .../selectors/traffic_selector.h              | 31 +++++++++
- 9 files changed, 171 insertions(+), 39 deletions(-)
-
-diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
-index b2f1adbbc..6b44d0cf6 100644
---- a/src/libcharon/encoding/payloads/id_payload.c
-+++ b/src/libcharon/encoding/payloads/id_payload.c
-@@ -245,18 +245,20 @@ METHOD(id_payload_t, get_identification, identification_t*,
-  * Create a traffic selector from an range ID
-  */
- static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
--											 ts_type_t type)
-+											 ts_type_t type,
-+											 uint16_t from_port, uint16_t to_port)
- {
- 	return traffic_selector_create_from_bytes(this->protocol_id, type,
--		chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
--		chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
-+		chunk_create(this->id_data.ptr, this->id_data.len / 2), from_port,
-+		chunk_skip(this->id_data, this->id_data.len / 2), to_port);
- }
- 
- /**
-  * Create a traffic selector from an subnet ID
-  */
- static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
--											  ts_type_t type)
-+											  ts_type_t type,
-+											  uint16_t from_port, uint16_t to_port)
- {
- 	traffic_selector_t *ts;
- 	chunk_t net, netmask;
-@@ -269,7 +271,7 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
- 		netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
- 	}
- 	ts = traffic_selector_create_from_bytes(this->protocol_id, type,
--								net, this->port, netmask, this->port ?: 65535);
-+								net, from_port, netmask, to_port);
- 	chunk_free(&netmask);
- 	return ts;
- }
-@@ -278,51 +280,76 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
-  * Create a traffic selector from an IP ID
-  */
- static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
--										  ts_type_t type)
-+										  ts_type_t type,
-+										  uint16_t from_port, uint16_t to_port)
- {
- 	return traffic_selector_create_from_bytes(this->protocol_id, type,
--				this->id_data, this->port, this->id_data, this->port ?: 65535);
-+				this->id_data, from_port, this->id_data, to_port);
- }
- 
- METHOD(id_payload_t, get_ts, traffic_selector_t*,
--	private_id_payload_t *this)
-+	private_id_payload_t *this, id_payload_t *other_, bool initiator)
- {
-+	private_id_payload_t *other = (private_id_payload_t *) other_;
-+	uint16_t from_port, to_port;
-+
-+	if (other && this->protocol_id == IPPROTO_GRE && other->protocol_id == IPPROTO_GRE)
-+	{
-+		if (initiator)
-+		{
-+			from_port = this->port;
-+			to_port = other->port;
-+		}
-+		else
-+		{
-+			from_port = other->port;
-+			to_port = this->port;
-+		}
-+		if (from_port == 0 && to_port == 0)
-+			to_port = 0xffff;
-+	}
-+	else
-+	{
-+		from_port = this->port;
-+		to_port = this->port ?: 0xffff;
-+	}
-+
- 	switch (this->id_type)
- 	{
- 		case ID_IPV4_ADDR_SUBNET:
- 			if (this->id_data.len == 8)
- 			{
--				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
-+				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV6_ADDR_SUBNET:
- 			if (this->id_data.len == 32)
- 			{
--				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
-+				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV4_ADDR_RANGE:
- 			if (this->id_data.len == 8)
- 			{
--				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
-+				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV6_ADDR_RANGE:
- 			if (this->id_data.len == 32)
- 			{
--				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
-+				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV4_ADDR:
- 			if (this->id_data.len == 4)
- 			{
--				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
-+				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV6_ADDR:
- 			if (this->id_data.len == 16)
- 			{
--				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
-+				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		default:
-@@ -397,7 +424,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
- /*
-  * Described in header.
-  */
--id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
-+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator)
- {
- 	private_id_payload_t *this;
- 	uint8_t mask;
-@@ -460,8 +487,17 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
- 							ts->get_from_address(ts), ts->get_to_address(ts));
- 		net->destroy(net);
- 	}
--	this->port = ts->get_from_port(ts);
- 	this->protocol_id = ts->get_protocol(ts);
-+	if (initiator || this->protocol_id != IPPROTO_GRE)
-+	{
-+		this->port = ts->get_from_port(ts);
-+	}
-+	else
-+	{
-+		this->port = ts->get_to_port(ts);
-+		if (this->port == 0xffff && ts->get_from_port(ts) == 0)
-+			this->port = 0;
-+	}
- 	this->payload_length += this->id_data.len;
- 
- 	return &this->public;
-diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
-index 283780624..fafeca8bc 100644
---- a/src/libcharon/encoding/payloads/id_payload.h
-+++ b/src/libcharon/encoding/payloads/id_payload.h
-@@ -48,11 +48,11 @@ struct id_payload_t {
- 	identification_t *(*get_identification) (id_payload_t *this);
- 
- 	/**
--	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
-+	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity pair.
- 	 *
- 	 * @return				traffic selector, NULL on failure
- 	 */
--	traffic_selector_t* (*get_ts)(id_payload_t *this);
-+	traffic_selector_t* (*get_ts)(id_payload_t *this, id_payload_t *other, bool initiator);
- 
- 	/**
- 	 * Get encoded payload without fixed payload header (used for IKEv1).
-@@ -91,6 +91,6 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
-  * @param ts		traffic selector
-  * @return			PLV1_ID id_paylad_t object.
-  */
--id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
-+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator);
- 
- #endif /** ID_PAYLOAD_H_ @}*/
-diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index 40fff7e05..0743f7a95 100644
---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -869,7 +869,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
- 	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
- 	ts2ports(dst, &sel.dport, &sel.dport_mask);
- 	ts2ports(src, &sel.sport, &sel.sport_mask);
--	if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
-+	if (sel.proto == IPPROTO_GRE)
-+	{
-+		sel.sport = htons(src->get_from_port(src));
-+		sel.dport = htons(src->get_to_port(src));
-+		sel.sport_mask = ~0;
-+		sel.dport_mask = ~0;
-+		if (sel.sport == htons(0) && sel.dport == htons(0xffff))
-+		{
-+			sel.sport = sel.dport = sel.sport_mask = sel.dport_mask = 0;
-+		}
-+	}
-+	else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
- 		(sel.dport || sel.sport))
- 	{
- 		/* the kernel expects the ICMP type and code in the source and
-@@ -893,7 +904,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
- {
- 	u_char *addr;
- 	uint8_t prefixlen;
--	uint16_t port = 0;
-+	uint16_t from_port = 0, to_port = 65535;
- 	host_t *host = NULL;
- 
- 	if (src)
-@@ -902,7 +913,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
- 		prefixlen = sel->prefixlen_s;
- 		if (sel->sport_mask)
- 		{
--			port = ntohs(sel->sport);
-+			from_port = to_port = ntohs(sel->sport);
- 		}
- 	}
- 	else
-@@ -911,14 +922,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
- 		prefixlen = sel->prefixlen_d;
- 		if (sel->dport_mask)
- 		{
--			port = ntohs(sel->dport);
-+			from_port = to_port = ntohs(sel->dport);
-+		}
-+	}
-+	if (sel->proto == IPPROTO_GRE)
-+	{
-+		if (sel->sport_mask)
-+		{
-+			from_port = ntohs(sel->sport);
-+			to_port = ntohs(sel->dport);
-+		}
-+		else
-+		{
-+			from_port = 0;
-+			to_port = 0xffff;
- 		}
- 	}
--	if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
-+	else if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
- 	{	/* convert ICMP[v6] message type and code as supplied by the kernel in
- 		 * source and destination ports (both in network order) */
--		port = (sel->sport >> 8) | (sel->dport & 0xff00);
--		port = ntohs(port);
-+		from_port = (sel->sport >> 8) | (sel->dport & 0xff00);
-+		from_port = to_port = ntohs(from_port);
- 	}
- 	/* The Linux 2.6 kernel does not set the selector's family field,
- 	 * so as a kludge we additionally test the prefix length.
-@@ -935,7 +959,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
- 	if (host)
- 	{
- 		return traffic_selector_create_from_subnet(host, prefixlen,
--											sel->proto, port, port ?: 65535);
-+											sel->proto, from_port, to_port);
- 	}
- 	return NULL;
- }
-diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
-index 8cdb5ef48..a81949c09 100644
---- a/src/libcharon/plugins/stroke/stroke_config.c
-+++ b/src/libcharon/plugins/stroke/stroke_config.c
-@@ -936,6 +936,11 @@ static bool parse_protoport(char *token, uint16_t *from_port,
- 		*from_port = 0xffff;
- 		*to_port = 0;
- 	}
-+	else if (*port && *protocol == IPPROTO_GRE)
-+	{
-+		p = strtol(port, &endptr, 0);
-+		traffic_selector_split_grekey(p, from_port, to_port);
-+	}
- 	else if (*port)
- 	{
- 		svc = getservbyname(port, NULL);
-diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
-index afbd6cc7e..911fe70c6 100644
---- a/src/libcharon/plugins/unity/unity_narrow.c
-+++ b/src/libcharon/plugins/unity/unity_narrow.c
-@@ -248,7 +248,7 @@ METHOD(listener_t, message, bool,
- 			if (!first)
- 			{
- 				id_payload = (id_payload_t*)payload;
--				tsr = id_payload->get_ts(id_payload);
-+				tsr = id_payload->get_ts(id_payload, NULL, FALSE);
- 				break;
- 			}
- 			first = FALSE;
-diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index f0fd8a989..9f9dcfa45 100644
---- a/src/libcharon/plugins/vici/vici_config.c
-+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -691,8 +691,13 @@ CALLBACK(parse_ts, bool,
- 		}
- 		else if (*port && !streq(port, "any"))
- 		{
--			svc = getservbyname(port, NULL);
--			if (svc)
-+			if (proto == IPPROTO_GRE)
-+			{
-+				p = strtol(port, &end, 0);
-+				if (*end) return FALSE;
-+				traffic_selector_split_grekey(p, &from, &to);
-+			}
-+			else if ((svc = getservbyname(port, NULL)) != NULL)
- 			{
- 				from = to = ntohs(svc->s_port);
- 			}
-diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
-index b0a42b8bd..4ef4bf324 100644
---- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
-+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
-@@ -567,9 +567,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
- {
- 	id_payload_t *id_payload;
- 
--	id_payload = id_payload_create_from_ts(this->tsi);
-+	id_payload = id_payload_create_from_ts(this->tsi, TRUE);
- 	message->add_payload(message, &id_payload->payload_interface);
--	id_payload = id_payload_create_from_ts(this->tsr);
-+	id_payload = id_payload_create_from_ts(this->tsr, FALSE);
- 	message->add_payload(message, &id_payload->payload_interface);
- }
- 
-@@ -580,7 +580,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
- {
- 	traffic_selector_t *tsi = NULL, *tsr = NULL;
- 	enumerator_t *enumerator;
--	id_payload_t *id_payload;
-+	id_payload_t *idi = NULL, *idr = NULL;
- 	payload_t *payload;
- 	host_t *hsi, *hsr;
- 	bool first = TRUE;
-@@ -590,20 +590,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
- 	{
- 		if (payload->get_type(payload) == PLV1_ID)
- 		{
--			id_payload = (id_payload_t*)payload;
--
- 			if (first)
- 			{
--				tsi = id_payload->get_ts(id_payload);
-+				idi = (id_payload_t*)payload;
- 				first = FALSE;
- 			}
- 			else
- 			{
--				tsr = id_payload->get_ts(id_payload);
-+				idr = (id_payload_t*)payload;
- 				break;
- 			}
- 		}
- 	}
-+	if (idi && idr) {
-+		tsi = idi->get_ts(idi, idr, TRUE);
-+		tsr = idr->get_ts(idr, idi, FALSE);
-+	}
- 	enumerator->destroy(enumerator);
- 
- 	/* create host2host selectors if ID payloads missing */
-diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
-index cfd2b029d..d01e2ccec 100644
---- a/src/libstrongswan/selectors/traffic_selector.c
-+++ b/src/libstrongswan/selectors/traffic_selector.c
-@@ -198,6 +198,14 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
- 	return print_in_hook(data, "%d", type);
- }
- 
-+/**
-+ * Print GRE key
-+ */
-+static int print_grekey(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
-+{
-+	return print_in_hook(data, "%d", traffic_selector_grekey(from_port, to_port));
-+}
-+
- /**
-  * Described in header.
-  */
-@@ -303,7 +311,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
- 	{
- 		written += print_in_hook(data, "/");
- 
--		if (this->from_port == this->to_port)
-+		if (this->protocol == IPPROTO_GRE)
-+		{
-+			written += print_grekey(data, this->from_port, this->to_port);
-+		}
-+		else if (this->from_port == this->to_port)
- 		{
- 			struct servent *serv;
- 
-@@ -377,7 +389,24 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
- 	/* select protocol, which is not zero */
- 	protocol = max(this->protocol, other->protocol);
- 
--	if ((is_opaque(this) && is_opaque(other)) ||
-+	if (this->protocol == IPPROTO_GRE)
-+	{
-+		if (is_any(this))
-+		{
-+			from_port = other->from_port;
-+			to_port = other->to_port;
-+		}
-+		else if (is_any(other) ||
-+			 (this->from_port == other->from_port &&
-+			  this->to_port == other->to_port))
-+		{
-+			from_port = this->from_port;
-+			to_port = this->to_port;
-+		}
-+		else
-+			return NULL;
-+	}
-+	else if ((is_opaque(this) && is_opaque(other)) ||
- 		(is_opaque(this) && is_any(other)) ||
- 		(is_opaque(other) && is_any(this)))
- 	{
-diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
-index 03f7a6d8c..b27ca4ad1 100644
---- a/src/libstrongswan/selectors/traffic_selector.h
-+++ b/src/libstrongswan/selectors/traffic_selector.h
-@@ -120,6 +120,9 @@ struct traffic_selector_t {
- 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
- 	 * functions to extract them.
- 	 *
-+	 * If the protocol is GRE, the high 16-bits of the 32-bit GRE key is stored
-+	 * in the from port. Use the utility function to merge and split them.
-+	 *
- 	 * @return			port
- 	 */
- 	uint16_t (*get_from_port)(traffic_selector_t *this);
-@@ -134,6 +137,9 @@ struct traffic_selector_t {
- 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
- 	 * functions to extract them.
- 	 *
-+	 * If the protocol is GRE, the low 16-bits of the 32-bit GRE key is stored
-+	 * in the to port. Use the utility function to merge and split them.
-+	 *
- 	 * @return			port
- 	 */
- 	uint16_t (*get_to_port)(traffic_selector_t *this);
-@@ -277,6 +283,31 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
- int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
- 						 void *opts);
- 
-+/**
-+ * Reconstruct the 32-bit GRE KEY in host order from a from/to ports.
-+ *
-+ * @param from_port			port number in host order
-+ * @param to_port			port number in host order
-+ * @return				GRE KEY in host order
-+ */
-+static inline uint32_t traffic_selector_grekey(uint16_t from_port, uint16_t to_port)
-+{
-+	return (from_port << 16) | to_port;
-+}
-+
-+/**
-+ * Split 32-bit GRE KEY in host order to from/to ports.
-+ *
-+ * @param grekey			grekey in host order
-+ * @param from_port			from port in host order
-+ * @param to_port			to port in host order
-+ */
-+static inline void traffic_selector_split_grekey(uint32_t grekey, uint16_t *from_port, uint16_t *to_port)
-+{
-+	*from_port = grekey >> 16;
-+	*to_port = grekey & 0xffff;
-+}
-+
- /**
-  * Create a new traffic selector using human readable params.
-  *
--- 
-2.24.1
-

0007-vyos-terminate-connections-source-dest.patch

@@ -1,124 +0,0 @@
-From 4e0a88132b5e3e99b250d044f4434702cae2abaa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
-Date: Wed, 22 Jan 2020 13:12:39 +0100
-Subject: [PATCH 7/7] vyos-terminate-connections-source-dest
-
----
- src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
- src/swanctl/commands/terminate.c          | 18 ++++++++++++++-
- 2 files changed, 41 insertions(+), 4 deletions(-)
-
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 718d14b3c..39da4a10d 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -269,12 +269,13 @@ CALLBACK(terminate, vici_message_t*,
- 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
- {
- 	enumerator_t *enumerator, *isas, *csas;
--	char *child, *ike, *errmsg = NULL;
-+	char *child, *ike, *errmsg = NULL, *my_host_str, *other_host_str;
- 	u_int child_id, ike_id, current, *del, done = 0;
- 	bool force;
- 	int timeout;
- 	ike_sa_t *ike_sa;
- 	child_sa_t *child_sa;
-+	host_t *my_host = NULL, *other_host = NULL;
- 	array_t *ids;
- 	vici_builder_t *builder;
- 	controller_cb_t log_cb = NULL;
-@@ -290,12 +291,23 @@ CALLBACK(terminate, vici_message_t*,
- 	force = request->get_bool(request, FALSE, "force");
- 	timeout = request->get_int(request, 0, "timeout");
- 	log.level = request->get_int(request, 1, "loglevel");
-+	my_host_str = request->get_str(request, NULL, "my-host");
-+	other_host_str = request->get_str(request, NULL, "other-host");
- 
--	if (!child && !ike && !ike_id && !child_id)
-+	if (!child && !ike && !ike_id && !child_id && !my_host_str &&!other_host_str)
- 	{
- 		return send_reply(this, "missing terminate selector");
- 	}
--
-+	if (my_host_str && !other_host_str || other_host_str && !my_host_str)
-+	{
-+		return send_reply(this, "missing source or remote");
-+	}
-+	else
-+	{
-+		my_host = host_create_from_string(my_host_str, 0);
-+		other_host = host_create_from_string(other_host_str, 0);
-+		DBG1(DBG_CFG, "vici terminate with source me %H and other %H", my_host, other_host);
-+	}
- 	if (ike_id)
- 	{
- 		DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
-@@ -358,6 +370,15 @@ CALLBACK(terminate, vici_message_t*,
- 		{
- 			array_insert(ids, ARRAY_TAIL, &ike_id);
- 		}
-+		else if (my_host && other_host)
-+		{
-+			if (!my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa)) || !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa)))
-+			{
-+				continue;
-+			}
-+			current = ike_sa->get_unique_id(ike_sa);
-+			array_insert(ids, ARRAY_TAIL, &current);
-+		}
- 	}
- 	isas->destroy(isas);
- 
-diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
-index 2309843b2..37d0bde3f 100644
---- a/src/swanctl/commands/terminate.c
-+++ b/src/swanctl/commands/terminate.c
-@@ -37,7 +37,7 @@ static int terminate(vici_conn_t *conn)
- 	vici_req_t *req;
- 	vici_res_t *res;
- 	command_format_options_t format = COMMAND_FORMAT_NONE;
--	char *arg, *child = NULL, *ike = NULL;
-+	char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
- 	int ret = 0, timeout = 0, level = 1, child_id = 0, ike_id = 0;
- 	bool force = FALSE;
- 
-@@ -74,6 +74,12 @@ static int terminate(vici_conn_t *conn)
- 			case 'l':
- 				level = atoi(arg);
- 				continue;
-+			case 'S':
-+				my_host = arg;
-+				continue;
-+			case 'R':
-+				other_host = arg;
-+				continue;
- 			case EOF:
- 				break;
- 			default:
-@@ -109,6 +115,14 @@ static int terminate(vici_conn_t *conn)
- 	{
- 		vici_add_key_valuef(req, "force", "yes");
- 	}
-+	if (my_host)
-+	{
-+		vici_add_key_valuef(req, "my-host", "%s", my_host);
-+	}
-+	if (other_host)
-+	{
-+		vici_add_key_valuef(req, "other-host", "%s", other_host);
-+	}
- 	if (timeout)
- 	{
- 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
-@@ -155,6 +169,8 @@ static void __attribute__ ((constructor))reg()
- 		{
- 			{"help",		'h', 0, "show usage information"},
- 			{"child",		'c', 1, "terminate by CHILD_SA name"},
-+			{"source",		'S', 1, "override source address"},
-+			{"remote",		'R', 1, "override remote address"},
- 			{"ike",			'i', 1, "terminate by IKE_SA name"},
- 			{"child-id",	'C', 1, "terminate by CHILD_SA reqid"},
- 			{"ike-id",		'I', 1, "terminate by IKE_SA unique identifier"},
--- 
-2.24.1
-

STRONGSWAN-RELEASE-PGP-KEY

@@ -0,0 +1,48 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
+ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
+C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
+hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
+SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
+Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
+iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
+oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
+pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
+ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
+AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
+GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
+wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
+1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
+thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
+fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
+/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
+MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
+iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
+KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
+8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
+wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
+IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
+R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
+pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
+56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
+w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
+Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
+xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
+jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
+lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
+lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
+ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
+TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
+M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
+GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
+kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
+W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
+MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
+Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
++M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
+u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
+CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
+b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
+=ze82
+-----END PGP PUBLIC KEY BLOCK-----

changelog

@@ -0,0 +1,659 @@
+* Mon Aug 25 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-12
+- Fix ipsec.d cacerts removing system ca
+
+* Fri Aug 22 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-11
+- Link new system ca bundle in the ipsec.d cacerts
+
+* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 5.9.14-10
+- Rebuilt for Python 3.14.0rc2 bytecode
+
+* Thu Aug 14 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-9
+- Fix build issue (rhbz#2368971)
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Mon Jun 02 2025 Python Maint <python-maint@redhat.com> - 5.9.14-7
+- Rebuilt for Python 3.14
+
+* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
+- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
+
+* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
+- convert license to SPDX
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
+- Rebuilt for Python 3.13
+
+* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
+- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
+- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
+- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
+- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
+- Resolves: rhbz#2214186 strongswan-5.9.11 is available
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
+- Rebuilt for Python 3.12
+
+* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
+- Update to 5.9.10
+
+* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
+- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
+
+* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
+- Use configure paths in manual pages (#2106120)
+
+* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
+- Update to 5.9.9 (#2157850)
+
+* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
+- Add BR perl-generators to automatically generates run-time dependencies
+  for installed Perl files
+
+* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
+- Resolves rhbz#2112274 strongswan-5.9.8 is available
+- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
+- Add BuildRequire for autoconf and automake, now required for release
+- Remove obsolete patches
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
+- Resolves rhbz#2080070 strongswan-5.9.6 is available
+- Fixed missing format string in enum_flags_to_string()
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
+- Rebuilt for Python 3.11
+
+* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
+- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
+
+* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
+- Use newly published/cleaned strongswan gpg key
+
+* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
+- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
+- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
+- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
+
+* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
+- Resolves rhbz#1419441 Add python and perl vici bindings
+- Adds optional tests run
+
+* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
+- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
+- Return to using tmpfiles, but extend to cover strongswan-starter service too
+- Cleanup old patches
+
+* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
+- Resolves: rhbz#2015165 strongswan-5.9.4 is available
+- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
+- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
+- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
+- Rebuild for versioned symbols in json-c
+
+* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
+- Resolves: rhbz#1979574 strongswan-5.9.3 is available
+- Make strongswan main dir world readable so apps can find strongswan.conf
+
+* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
+- Resolves: rhbz#1896545 strongswan-5.9.2 is available
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
+- Resolves: rhbz#1896545 strongswan-5.9.1 is available
+
+* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
+- Build with with capabilities support
+- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
+- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
+
+* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
+- Resolves: rhbz#1861747 strongswan-5.9.0 is available
+- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
+  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
+- Rebuild (json-c)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
+- Updated to 5.8.4
+- Patch4 has been applied upstream
+
+* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
+- Patch to declare a global variable with extern (#1800117)
+
+* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
+- use tmpfile to ensure rundir is present
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
+- Use /run/strongswan as rundir to support strongswans in namespaces
+
+* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
+- Update to 5.8.2 (#1784457)
+- The D-Bus config file moved under datadir
+
+* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
+- Update to 5.8.1 (#1711920)
+- No more separate strongswan-swanctl.service to start out of order (#1775548)
+- Added strongswan-starter.service
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
+- Updated to 5.7.2
+
+* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
+- Updated to 5.7.1
+- Resolves rhbz#1635872 CVE-2018-16152
+- Resolves rhbz#1635875 CVE-2018-16151
+
+* Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
+- Add plugin bypass-lan, disabled by default
+- Resolves rhbz#1554479 Update to strongswan-charon-nm fails
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue May 29 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-1
+- New version 5.6.3
+
+* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-6
+- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c
+
+* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-5
+- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server
+- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin
+
+* Sun May 20 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.2-3
+- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package
+  sqlite (#1579945)
+
+* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 5.6.2-2
+- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
+
+* Wed Feb 21 2018 Lubomir Rintel <lkundrak@v3.sk> - 5.6.2-1
+- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Dec 22 2017 Paul Wouters <pwouters@redhat.com> - 5.6.1-1
+- Updated to 5.6.1 (RSA-PSS support)
+
+* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 5.6.0-3
+- Rebuilt for libjson-c.so.3
+
+* Fri Dec 01 2017 Lubomir Rintel <lkundrak@v3.sk> - 5.6.0-2
+- Fix the placement of charon-nm D-Bus policy
+
+* Sat Sep 09 2017 Paul Wouters <pwouters@redhat.com> - 5.6.0-1
+- Updated to 5.6.0
+- Fixup configure arguments, enabled a bunch of new features
+- Added new BuildRequires:
+- Fixup Obsolete/Conflicts, use license macro
+- Don't require autoconf/autotools for non-snapshots
+- Remove macro overuse, remove fedora/rhel checks and sysvinit support
+- Make listings/grouping of all plugins/libs to reduce file listing
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 12 2017 Paul Wouters <pwouters@redhat.com> - 5.5.3-1
+- Updated to 5.5.3
+
+* Sat May 27 2017 Paul Wouters <pwouters@redhat.com> - 5.5.2-1
+- Updated to 5.5.2
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Sep 15 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-2
+- Resolves: #1367796 - Enable the unity plugin
+
+* Mon Aug 08 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-1
+- New version 5.5.0
+
+* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com>
+- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters
+
+* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com> - 5.4.0-1
+- New version 5.4.0
+
+* Thu Mar 03 2016 Pavel Šimerda <psimerda@redhat.com> - 5.3.5-1
+- New version 5.3.5
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jan 15 2016 Paul Wouters <pwouters@redhat.com> - 5.3.3-2
+- Enable IKEv2 GCM (requires gcrypt module as well)
+
+* Tue Sep 29 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.3-1
+- new version 5.3.3
+
+* Thu Sep 24 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.2-3
+- Resolves: #1264598 - strongswan: many configuration files are not protected
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 09 2015 Pavel Šimerda <psimerda@redhat.com>
+- new version 5.3.2
+
+* Fri Jun 05 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.1-1
+- new version 5.3.1
+
+* Tue Mar 31 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.0-1
+- new version 5.3.0
+
+* Fri Feb 20 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-2
+- Fixes strongswan swanctl service issue rhbz#1193106
+
+* Tue Jan 06 2015 Pavel Šimerda <psimerda@redhat.com> - 5.2.2-1
+- new version 5.2.2
+
+* Thu Dec 18 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.2.dr1
+- Enabled ccm, and ctr plugins as it seems enabling just openssl does
+  not work for using ccm and ctr algos.
+
+* Mon Dec 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.1.dr1
+- New strongswan developer release 5.2.2dr1
+
+* Mon Nov 24 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-2
+- 1167331: Enabled native systemd support.
+- Does not disable old systemd, starter, ipsec.conf support yet.
+
+* Thu Oct 30 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-1
+- New upstream release 5.2.1
+
+* Thu Oct 16 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-0.2.rc1
+- New upstream release candidate 5.2.1rc1
+
+* Fri Oct 10 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.1-1
+- new version 5.2.1dr1
+
+* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-7
+- use upstream patch for json/json-c dependency
+
+* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-6
+- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Aug 05 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-4
+- Resolves: #1081804 - enable Kernel IPSec support
+
+* Wed Jul 30 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-3
+- rebuilt
+
+* Tue Jul 29 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-2
+- fix json-c dependency
+
+* Tue Jul 15 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0-1
+- New upstream release 5.2.0
+- The Attestation IMC/IMV pair supports the IMA-NG
+  measurement format
+- Aikgen tool to generate an Attestation Identity Key bound
+  to a TPM
+- Swanctl tool to provide a portable, complete IKE
+  configuration and control interface for the command
+  line using vici interface with libvici library
+- PT-EAP transport protocol (RFC 7171) for TNC
+- Enabled support for acert for checking X509 attribute certificate
+- Updated patches, removed selinux patch as upstream has fixed it
+  in this release.
+- Updated spec file with minor cleanups
+
+* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.4.dr6
+- improve prerelease macro
+
+* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.3
+- Resolves: #1111895 - bump to 5.2.0dr6
+
+* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.2
+- Related: #1087437 - remove or upstream all patches not specific to fedora/epel
+
+* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.1.dr5
+- fix the pre-release version according to guidelines before it gets branched
+
+* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr5-1
+- new version 5.2.0dr5
+- add json-c-devel to build deps
+
+* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-3
+- merge two related patches
+
+* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-2
+- clean up the patches a bit
+
+* Thu May 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0dr4-1
+- New upstream developer release 5.2.0dr4
+- Attestation IMV/IMC supports IMA-NG measurement format now
+- Aikgen tool to generate an Attestation Identity Key bound
+  to a TPM
+- PT-EAP transport protocol (RFC 7171) for TNC
+- vici plugin provides IKE Configuration Interface for charon
+- Enabled support for acert for checking X509 attribute certificate
+- Updated patches
+- Updated spec file with minor cleanups
+
+* Tue Apr 15 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3-1
+- new version 5.1.3
+
+* Mon Apr 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3rc1-1
+- new version 5.1.3rc1
+
+* Mon Mar 24 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-4
+- #1069928 - updated libexec patch.
+
+* Tue Mar 18 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-3
+- fixed el6 initscript
+- fixed pki directory location
+
+* Fri Mar 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-2
+- clean up the specfile a bit
+- replace the initscript patch with an individual initscript
+- patch to build for epel6
+
+* Mon Mar 03 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-1
+- #1071353 - bump to 5.1.2
+- #1071338 - strongswan is compiled without xauth-pam plugin
+- remove obsolete patches
+- sent all patches upstream
+- added comments to all patches
+- don't touch the config with sed
+
+* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-6
+- Fixed full hardening for strongswan (full relro and PIE).
+  The previous macros had a typo and did not work
+  (see bz#1067119).
+- Fixed tnc package description to reflect the current state of
+  the package.
+- Fixed pki binary and moved it to /usr/libexece/strongswan as
+  others binaries are there too.
+
+* Wed Feb 19 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-5
+- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
+
+* Thu Jan 09 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-4
+- Removed redundant patches and *.spec commands caused by branch merging
+
+* Wed Jan 08 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-3
+- rebuilt
+
+* Mon Dec 2 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-2
+- Resolves: 973315
+- Resolves: 1036844
+
+* Fri Nov 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-1
+- Support for PT-TLS  (RFC 6876)
+- Support for SWID IMC/IMV
+- Support for command line IKE client charon-cmd
+- Changed location of pki to /usr/bin
+- Added swid tags files
+- Added man pages for pki and charon-cmd
+- Renamed pki to strongswan-pki to avoid conflict with
+  pki-core/pki-tools package.
+- Update local patches
+- Fixes CVE-2013-6075
+- Fixes CVE-2013-6076
+- Fixed autoconf/automake issue as configure.ac got changed
+  and it required running autoreconf during the build process.
+- added strongswan signature file to the sources.
+
+* Thu Sep 12 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-3
+- Fixed initialization crash of IMV and IMC particularly
+  attestation imv/imc as libstrongswas was not getting
+  initialized.
+
+* Fri Aug 30 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-2
+- Enabled fips support
+- Enabled TNC's ifmap support
+- Enabled TNC's pdp support
+- Fixed hardocded package name in this spec file
+
+* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
+- rhbz#981429: New upstream release
+- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
+- Fixes rhbz#991859 failed to build in rawhide
+- Updated local patches and removed which are not needed
+- Fixed errors around charon-nm
+- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
+  libstrongswan-sshkey.so
+- Added utility imv_policy_manager
+
+* Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
+- rename strongswan-NetworkManager to strongswan-charon-nm
+- fix enable_nm macro
+
+* Mon Jul 15 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-4
+- %%files tries to package some of the shared objects as directories (#984437)
+- fix broken systemd unit file (#984300)
+- fix rpmlint error: description-line-too-long
+- fix rpmlint error: macro-in-comment
+- fix rpmlint error: spelling-error Summary(en_US) fuctionality
+- depend on 'systemd' instead of 'systemd-units'
+- use new systemd scriptlet macros
+- NetworkManager subpackage should have a copy of the license (#984490)
+- enable hardened_build as this package meets the PIE criteria (#984429)
+- invocation of "ipsec _updown iptables" is broken as ipsec is renamed
+  to strongswan in this package (#948306)
+- invocation of "ipsec scepclient" is broken as ipsec is renamed
+  to strongswan in this package
+- add /etc/strongswan/ipsec.d and missing subdirectories
+- conditionalize building of strongswan-NetworkManager subpackage as the
+  version of NetworkManager in EL6 is too old (#984497)
+
+* Fri Jun 28 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-3
+- Patch to fix a major crash issue when Freeradius loads
+  attestatiom-imv and does not initialize libstrongswan which
+  causes crash due to calls to PTS algorithms probing APIs.
+  So this patch fixes the order of initialization. This issues
+  does not occur with charon because libstrongswan gets
+  initialized earlier.
+- Patch that allows to outputs errors when there are permission
+  issues when accessing strongswan.conf.
+- Patch to make loading of modules configurable when libimcv
+  is used in stand alone mode without charon with freeradius
+  and wpa_supplicant.
+
+* Tue Jun 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-2
+- Enabled TNCCS 1.1 protocol
+- Fixed libxm2-devel build dependency
+- Patch to fix the issue with loading of plugins
+
+* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
+- New upstream release
+- Fixes for CVE-2013-2944
+- Enabled support for OS IMV/IMC
+- Created and applied a patch to disable ECP in fedora, because
+  Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
+  it non-compliant to TCG's PTS standard, but there is no choice
+  right now. see redhat bz # 319901.
+- Enabled Trousers support for TPM based operations.
+
+* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
+- Rebuilt for a single specfile for rawhide/f19/f18/el6
+
+* Fri Apr 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.3-1
+- New upstream release
+- Enabled curl and eap-identity plugins
+- Enabled support for eap-radius plugin.
+
+* Thu Apr 18 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.2-3
+- Add gettext-devel to BuildRequires because of epel6
+- Remove unnecessary comments
+
+* Tue Mar 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-2
+- Enabled support for eap-radius plugin.
+
+* Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
+- Update to upstream release 5.0.2
+- Created sub package strongswan-tnc-imcvs that provides trusted network
+  connect's IMC and IMV funtionality. Specifically it includes PTS
+  based IMC/IMV for TPM based remote attestation and scanner and test
+  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
+  by any third party TNC Client/Server implementation possessing a
+  standard IF-IMC/IMV interface.
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.1-1
+- Update to release 5.0.1
+
+* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-4.git20120619
+- Add plugins to interoperate with Windows 7 and Android (#862472)
+  (contributed by Haim Gelfenbeyn)
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.0-3.git20120619
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 08 2012 Pavel Šimerda <pavlix@pavlix.net> - 5.0.0-2.git20120619
+- Fix configure substitutions in initscripts
+
+* Wed Jul 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-1.git20120619
+- Update to current upstream release
+- Comment out all stuff that is only needed for git builds
+- Remove renaming patch from git
+- Improve init patch used for EPEL
+
+* Thu Jun 21 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.3.git20120619
+- Build with openssl plugin enabled
+
+* Wed Jun 20 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.2.git20120619
+- Add README.Fedora with link to 4.6 to 5.0 migration information
+
+* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619
+- Snapshot of upcoming major release
+- Move patches and renaming upstream
+  http://wiki.strongswan.org/issues/194
+  http://wiki.strongswan.org/issues/195
+- Notified upstream about manpage issues
+
+* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2
+- Make initscript patch more distro-neutral
+- Add links to bugreports for patches
+
+* Fri Jun 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.4-1
+- New upstream version (CVE-2012-2388)
+
+* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-2
+- Add --enable-nm to configure
+- Add NetworkManager-devel to BuildRequires
+- Add NetworkManager-glib-devel to BuildRequires
+- Add strongswan-NetworkManager package
+
+* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-1
+- New version of Strongswan
+- Support for RFC 3110 DNSKEY (see upstream changelog)
+- Fix corrupt scriptlets
+
+* Fri Mar 30 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-2
+- #808612 - strongswan binary renaming side-effect
+
+* Sun Feb 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-1
+- New upstream version
+- Changed from .tar.gz to .tar.bz2
+- Added libstrongswan-pkcs8.so
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-8
+- Fix initscript's status function
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-7
+- Expand tabs in config files for better readability
+- Add sysvinit script for epel6
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-6
+- Fix program name in systemd unit file
+
+* Tue Feb 14 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-5
+- Improve fedora/epel conditionals
+
+* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-4
+- Protect configuration directory from ordinary users
+- Add still missing directory /etc/strongswan
+
+* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-3
+- Change directory structure to avoid clashes with Openswan
+- Prefixed all manpages with 'strongswan_'
+- Every file now includes 'strongswan' somewhere in its path
+- Removed conflict with Openswan
+- Finally fix permissions on strongswan.conf
+
+* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-2
+- Change license tag from GPL to GPLv2+
+- Change permissions on /etc/strongswan.conf to 644
+- Rename ipsec.8 manpage to strongswan.8
+- Fix empty scriptlets for non-fedora builds
+- Add ldconfig scriptlet
+- Add missing directories and files
+
+* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.1-1
+- Bump to version 4.6.1
+
+* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.0-3
+- Add systemd scriptlets
+- Add conditions to also support EPEL6
+
+* Sat Dec 10 2011 Pavel Šimerda <pavlix@pavlix.net> - 4.6.0-2
+- Experimental build for development

sources

@@ -1 +1,2 @@
-SHA512 (strongswan-5.7.2.tar.bz2) = e2169dbbc0c03737e34af90d7bc07e444408c5e2ac1f81764eeccbac8b142b984ce9ed512a89071075a930e0997632267f6912aa5b352eee2edbd551b5a64e7e
+SHA512 (strongswan-6.0.2.tar.bz2) = b1ee61b7d0eab40a9fcb5a7e28cfea9050f5f894fa66032edf9511b1e260104870e23fc19329b48be01f03eb491bfc27c9b74838722c80ba0284a48596a68d71
+SHA512 (strongswan-6.0.2.tar.bz2.sig) = 374e16baf4b3ee24966abdb872890eb29da4aa6fc4e8a5e2a67d6099e2a72bad195257e505765cecbfae3a77ea42942fc3cea543b954f1f7b3e415ad536321ff

strongswan-5.6.2-CVE-2018-5388.patch

@@ -1,15 +0,0 @@
-diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
---- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
-+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
-@@ -628,6 +628,11 @@
- 		return FALSE;
- 	}
- 
-+	if (len < offsetof(stroke_msg_t, buffer))
-+	{
-+		DBG1(DBG_CFG, "invalid stroke message length %d", len);
-+		return FALSE;
-+	}
- 	/* read message (we need an additional byte to terminate the buffer) */
- 	msg = malloc(len + 1);
- 	msg->length = len;

strongswan-5.9.7-error-no-format.patch

@@ -0,0 +1,12 @@
+diff --git a/configure.ac b/configure.ac
+index f9e6e55c2..247d055d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1480,7 +1480,6 @@ else
+ fi
+ # disable some warnings, whether explicitly enabled above or by default
+ # these are not compatible with our custom printf specifiers
+-WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
+ WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
+ # we generally use comments, but GCC doesn't seem to recognize many of them
+ WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"

strongswan-6.0.0-gcc15.patch

@@ -0,0 +1,109 @@
+From cf7fb47788dfb83bb5d8bd0bffdb582e381a2f0a Mon Sep 17 00:00:00 2001
+From: Thomas Egerer <thomas.egerer@secunet.com>
+Date: Fri, 6 Sep 2024 13:29:40 +0200
+Subject: [PATCH] array: Don't use realloc() with zero size in array_compress()
+
+The behavior of realloc(3) with zero size was apparently implementation
+defined.  While glibc documents the behavior as equivalent to free(3),
+that might not apply to other C libraries.  With C17, this behavior has
+been deprecated, and with C23, the behavior is now undefined.  It's also
+why valgrind warns about this use.
+
+Hence, when array_compress() would call realloc() with a zero size, we
+now call free() explicitly and set the pointer to NULL.
+
+Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
+---
+ src/libstrongswan/collections/array.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c
+index 8acc8051d53..8b6c6d7397e 100644
+--- a/src/libstrongswan/collections/array.c
++++ b/src/libstrongswan/collections/array.c
+@@ -197,7 +197,17 @@ void array_compress(array_t *array)
+ 		}
+ 		if (tail)
+ 		{
+-			array->data = realloc(array->data, get_size(array, array->count));
++			size_t size = get_size(array, array->count);
++
++			if (size)
++			{
++				array->data = realloc(array->data, size);
++			}
++			else
++			{
++				free(array->data);
++				array->data = NULL;
++			}
+ 			array->tail = 0;
+ 		}
+ 	}
+---
+
+From f1f0bd9de60e2697a712e72b7ae9f79763a0901d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Thu, 9 Jan 2025 16:05:39 +0100
+Subject: [PATCH] ctr: Remove parameter-less constructor prototype
+
+Useless and causes a compiler warning/error:
+
+  error: a function declaration without a prototype is deprecated in all versions of C and is treated as a zero-parameter prototype in C23, conflicting with a subsequent declaration [-Werror,-Wdeprecated-non-prototype]
+---
+ src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
+index e9421a1be9f..3814465e48b 100644
+--- a/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
++++ b/src/libstrongswan/plugins/ctr/ctr_ipsec_crypter.h
+@@ -37,11 +37,6 @@ struct ctr_ipsec_crypter_t {
+ 	crypter_t crypter;
+ };
+ 
+-/**
+- * Create a ctr_ipsec_crypter instance.
+- */
+-ctr_ipsec_crypter_t *ctr_ipsec_crypter_create();
+-
+ /**
+  * Create a ctr_ipsec_crypter instance.
+  *
+---
+
+From 227d7ef9a24b8c62d6965c1c1690252bde7c698d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 10 Jan 2025 15:43:11 +0100
+Subject: [PATCH] tnc-imv: Add missing argument to IMV recommendations
+ constructor
+
+This avoids the following warning/error:
+
+tnc_imv_manager.c:244:39: error: passing arguments to 'tnc_imv_recommendations_create' without a prototype is deprecated in all versions of C and is not supported in C23 [-Werror,-Wdeprecated-non-prototype]
+  244 |         return tnc_imv_recommendations_create(this->imvs);
+      |                                              ^
+---
+ src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
+index f7178876cfd..60272978ad3 100644
+--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
++++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
+@@ -27,8 +27,11 @@
+ #include <collections/linked_list.h>
+ 
+ /**
+- * Create an IMV empty recommendations instance
++ * Create an empty IMV recommendations instance
++ *
++ * @param imv_list		list of IMVs that could provide recommendations
++ * @return				created instance
+  */
+-recommendations_t *tnc_imv_recommendations_create();
++recommendations_t *tnc_imv_recommendations_create(linked_list_t *imv_list);
+ 
+ #endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/
+---
+

strongswan-6.0.1-gcc15.patch

@@ -0,0 +1,597 @@
+From a7b5de569082398a14b7e571498e55d005903aaf Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 17:18:35 +0100
+Subject: [PATCH] pki: Fix signature of help() to match that of a callback in
+ command_t
+
+---
+ src/pki/command.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pki/command.c b/src/pki/command.c
+index accec5fe51b..6e6bf041e18 100644
+--- a/src/pki/command.c
++++ b/src/pki/command.c
+@@ -265,7 +265,7 @@ int command_usage(char *error)
+ /**
+  * Show usage information
+  */
+-static int help(int c, char *v[])
++static int help()
+ {
+ 	return command_usage(NULL);
+ }
+---
+
+From 38d89f57f0771d3cc7b2ab70849584685ada2bc0 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 16:47:34 +0100
+Subject: [PATCH] charon-nm: Use CALLBACK macro for callback job's cancel
+ implementation
+
+Casting to this specific function type doesn't work anymore if C23 is
+used as the types mismatch.
+---
+ src/charon-nm/nm/nm_backend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
+index aefd3f95688..8ee1785212e 100644
+--- a/src/charon-nm/nm/nm_backend.c
++++ b/src/charon-nm/nm/nm_backend.c
+@@ -78,7 +78,8 @@ static job_requeue_t run(nm_backend_t *this)
+ /**
+  * Cancel the GLib Main Event Loop
+  */
+-static bool cancel(nm_backend_t *this)
++CALLBACK(cancel, bool,
++	nm_backend_t *this)
+ {
+ 	if (this->loop)
+ 	{
+@@ -152,7 +153,7 @@ static bool nm_backend_init()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
+-				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
++				NULL, cancel, JOB_PRIO_CRITICAL));
+ 	return TRUE;
+ }
+ 
+---
+
+From d5d2568ff0e88d364dadf50b67bf17050763cf98 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 16:45:57 +0100
+Subject: [PATCH] callback-job: Replace return_false() in constructors with
+ dedicated function
+
+Besides being clearer, this fixes issues with GCC 15.  The latter uses
+C23 by default, which changes the meaning of function declarations
+without parameters such as
+
+	bool return false();
+
+Instead of "this function takes an unknown number of arguments", this
+now equals (void), that is, "this function takes no arguments".  So we
+run into incompatible pointer type warnings all over when using such
+functions.  They could be cast to (void*) but this seems the cleaner
+solution for this use case.
+---
+ src/charon-cmd/cmd/cmd_connection.c                   |  2 +-
+ .../jni/libandroidbridge/backend/android_dns_proxy.c  |  2 +-
+ .../jni/libandroidbridge/backend/android_service.c    |  6 +++---
+ src/libcharon/network/receiver.c                      |  2 +-
+ src/libcharon/network/sender.c                        |  2 +-
+ .../plugins/bypass_lan/bypass_lan_listener.c          |  4 ++--
+ .../plugins/eap_radius/eap_radius_accounting.c        |  2 +-
+ src/libcharon/plugins/eap_radius/eap_radius_plugin.c  |  2 +-
+ src/libcharon/plugins/ha/ha_ctl.c                     |  2 +-
+ src/libcharon/plugins/ha/ha_dispatcher.c              |  2 +-
+ src/libcharon/plugins/ha/ha_segments.c                |  6 +++---
+ .../kernel_libipsec/kernel_libipsec_esp_handler.c     |  2 +-
+ .../plugins/kernel_libipsec/kernel_libipsec_router.c  |  2 +-
+ src/libcharon/plugins/smp/smp.c                       |  4 ++--
+ src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c   |  2 +-
+ src/libcharon/plugins/uci/uci_control.c               |  2 +-
+ src/libipsec/ipsec_event_relay.c                      |  2 +-
+ src/libipsec/ipsec_processor.c                        |  4 ++--
+ src/libpttls/pt_tls_dispatcher.c                      |  2 +-
+ src/libstrongswan/networking/streams/stream_service.c |  2 +-
+ src/libstrongswan/processing/jobs/callback_job.c      | 10 +++++++++-
+ src/libstrongswan/processing/jobs/callback_job.h      | 11 ++++++++++-
+ src/libstrongswan/processing/scheduler.c              |  3 ++-
+ src/libstrongswan/processing/watcher.c                |  4 ++--
+ src/libtls/tests/suites/test_socket.c                 |  2 +-
+ 25 files changed, 51 insertions(+), 33 deletions(-)
+
+diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
+index 8e8d8236e52..e220e33a62a 100644
+--- a/src/charon-cmd/cmd/cmd_connection.c
++++ b/src/charon-cmd/cmd/cmd_connection.c
+@@ -585,7 +585,7 @@ cmd_connection_t *cmd_connection_create()
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio(
+ 			(callback_job_cb_t)initiate, this, NULL,
+-			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
+index e79d5974409..480d1d622d5 100644
+--- a/src/libcharon/network/receiver.c
++++ b/src/libcharon/network/receiver.c
+@@ -737,7 +737,7 @@ receiver_t *receiver_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
+index 4543766d62e..3fcd17f1b63 100644
+--- a/src/libcharon/network/sender.c
++++ b/src/libcharon/network/sender.c
+@@ -216,7 +216,7 @@ sender_t * sender_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+index db7abd8146b..c9aed3666fc 100644
+--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
++++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+@@ -227,7 +227,7 @@ METHOD(kernel_listener_t, roam, bool,
+ {
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	return TRUE;
+ }
+ 
+@@ -269,7 +269,7 @@ METHOD(bypass_lan_listener_t, reload_interfaces, void,
+ 	this->mutex->unlock(this->mutex);
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ }
+ 
+ METHOD(bypass_lan_listener_t, destroy, void,
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+index f833dc3c0b4..2f29d080764 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
++++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+@@ -706,7 +706,7 @@ static void schedule_interim(private_eap_radius_accounting_t *this,
+ 			(job_t*)callback_job_create_with_prio(
+ 				(callback_job_cb_t)send_interim,
+ 				data, (void*)destroy_interim_data,
+-				(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
++				callback_job_cancel_thread, JOB_PRIO_CRITICAL), tv);
+ 	}
+ }
+ 
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+index 5051542615a..55d5e032cea 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
++++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+@@ -445,7 +445,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id)
+ 		lib->processor->queue_job(lib->processor,
+ 				(job_t*)callback_job_create_with_prio(
+ 						(callback_job_cb_t)delete_all_async, NULL, NULL,
+-						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++						callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	}
+ 	else if (id)
+ 	{
+diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
+index 8859bae166b..3d2ac7de84d 100644
+--- a/src/libcharon/plugins/ha/ha_ctl.c
++++ b/src/libcharon/plugins/ha/ha_ctl.c
+@@ -199,6 +199,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
+index 5de26a65a27..83be91ab159 100644
+--- a/src/libcharon/plugins/ha/ha_dispatcher.c
++++ b/src/libcharon/plugins/ha/ha_dispatcher.c
+@@ -1184,7 +1184,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
+ 	);
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
+index afb76b39ea2..32d9ee40717 100644
+--- a/src/libcharon/plugins/ha/ha_segments.c
++++ b/src/libcharon/plugins/ha/ha_segments.c
+@@ -316,7 +316,7 @@ static void start_watchdog(private_ha_segments_t *this)
+ 	this->heartbeat_active = TRUE;
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)watchdog, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ }
+ 
+ METHOD(ha_segments_t, handle_status, void,
+@@ -404,7 +404,7 @@ static void start_heartbeat(private_ha_segments_t *this)
+ {
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ }
+ 
+ /**
+@@ -451,7 +451,7 @@ static void start_autobalance(private_ha_segments_t *this)
+ 	DBG1(DBG_CFG, "scheduling HA autobalance every %ds", this->autobalance);
+ 	lib->scheduler->schedule_job(lib->scheduler,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL),
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL),
+ 		this->autobalance);
+ }
+ 
+diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+index 095ad67b4b0..c18e266e4d1 100644
+--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
++++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+@@ -337,7 +337,7 @@ kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create()
+ 	}
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create(send_esp, this, NULL,
+-										(callback_job_cancel_t)return_false));
++										callback_job_cancel_thread));
+ 	return &this->public;
+ }
+ 
+diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+index 74746e251de..07adc70be3e 100644
+--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
++++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+@@ -364,7 +364,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create()
+ 	charon->receiver->add_esp_cb(charon->receiver, receiver_esp_cb, NULL);
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
+-									NULL, (callback_job_cancel_t)return_false));
++										NULL, callback_job_cancel_thread));
+ 
+ 	router = &this->public;
+ 	return &this->public;
+diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
+index 6ca9f13997e..85ff5830bc5 100644
+--- a/src/libcharon/plugins/smp/smp.c
++++ b/src/libcharon/plugins/smp/smp.c
+@@ -710,7 +710,7 @@ static job_requeue_t dispatch(private_smp_t *this)
+ 	fdp = malloc_thing(int);
+ 	*fdp = fd;
+ 	job = callback_job_create((callback_job_cb_t)process, fdp, free,
+-							  (callback_job_cancel_t)return_false);
++							  callback_job_cancel_thread);
+ 	lib->processor->queue_job(lib->processor, (job_t*)job);
+ 
+ 	return JOB_REQUEUE_DIRECT;
+@@ -800,7 +800,7 @@ plugin_t *smp_plugin_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public.plugin;
+ }
+diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+index 30aeb116dec..da317a894d9 100644
+--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
++++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+@@ -210,7 +210,7 @@ METHOD(tnc_pdp_connections_t, add, void,
+ 	/* schedule timeout checking */
+ 	lib->scheduler->schedule_job_ms(lib->scheduler,
+ 				(job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
+-					this, NULL, (callback_job_cancel_t)return_false),
++					this, NULL, callback_job_cancel_thread),
+ 				this->timeout * 1000);
+ 
+ 	dbg_nas_user(nas_id, user_name, FALSE, "created");
+diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
+index b033c832c8c..8074005ee57 100644
+--- a/src/libcharon/plugins/uci/uci_control.c
++++ b/src/libcharon/plugins/uci/uci_control.c
+@@ -296,7 +296,7 @@ uci_control_t *uci_control_create()
+ 	{
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive,
+-							this, NULL, (callback_job_cancel_t)return_false,
++							this, NULL, callback_job_cancel_thread,
+ 							JOB_PRIO_CRITICAL));
+ 	}
+ 	return &this->public;
+diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
+index 0f10795d168..802146eef21 100644
+--- a/src/libipsec/ipsec_event_relay.c
++++ b/src/libipsec/ipsec_event_relay.c
+@@ -230,7 +230,7 @@ ipsec_event_relay_t *ipsec_event_relay_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)handle_events, this,
+-			NULL, (callback_job_cancel_t)return_false));
++			NULL, callback_job_cancel_thread));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
+index 2572b088089..8549fefe261 100644
+--- a/src/libipsec/ipsec_processor.c
++++ b/src/libipsec/ipsec_processor.c
+@@ -336,9 +336,9 @@ ipsec_processor_t *ipsec_processor_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)process_inbound, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)process_outbound, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	return &this->public;
+ }
+diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
+index a134bee238f..c7e42b277e1 100644
+--- a/src/libpttls/pt_tls_dispatcher.c
++++ b/src/libpttls/pt_tls_dispatcher.c
+@@ -156,7 +156,7 @@ METHOD(pt_tls_dispatcher_t, dispatch, void,
+ 		lib->processor->queue_job(lib->processor,
+ 				(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+ 										connection, (void*)cleanup,
+-										(callback_job_cancel_t)return_false,
++										callback_job_cancel_thread,
+ 										JOB_PRIO_CRITICAL));
+ 	}
+ }
+diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c
+index 5b709a2247d..c85a0664351 100644
+--- a/src/libstrongswan/networking/streams/stream_service.c
++++ b/src/libstrongswan/networking/streams/stream_service.c
+@@ -221,7 +221,7 @@ static bool watch(private_stream_service_t *this, int fd, watcher_event_t event)
+ 
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((void*)accept_async, data,
+-				(void*)destroy_async_data, (callback_job_cancel_t)return_false,
++				(void*)destroy_async_data, callback_job_cancel_thread,
+ 				this->prio));
+ 	}
+ 	else
+diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
+index cb2a0aba5b9..3ab40b947c9 100644
+--- a/src/libstrongswan/processing/jobs/callback_job.c
++++ b/src/libstrongswan/processing/jobs/callback_job.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2009-2012 Tobias Brunner
++ * Copyright (C) 2009-2025 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -131,3 +131,11 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+ 	return callback_job_create_with_prio(cb, data, cleanup, cancel,
+ 										 JOB_PRIO_MEDIUM);
+ }
++
++/*
++ * Described in header
++ */
++bool callback_job_cancel_thread(void *data)
++{
++	return FALSE;
++}
+diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
+index 0f1ae212d87..fda86887944 100644
+--- a/src/libstrongswan/processing/jobs/callback_job.h
++++ b/src/libstrongswan/processing/jobs/callback_job.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2012 Tobias Brunner
++ * Copyright (C) 2012-2025 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -62,6 +62,15 @@ typedef void (*callback_job_cleanup_t)(void *data);
+  */
+ typedef bool (*callback_job_cancel_t)(void *data);
+ 
++/**
++ * Default implementation of callback_job_cancel_t that simply returns FALSE
++ * to force cancellation of the thread by the processor.
++ *
++ * @param data			ignored argument
++ * @return				always returns FALSE
++ */
++bool callback_job_cancel_thread(void *data);
++
+ /**
+  * Class representing an callback Job.
+  *
+diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
+index c5e5dd83e70..76d98ddff51 100644
+--- a/src/libstrongswan/processing/scheduler.c
++++ b/src/libstrongswan/processing/scheduler.c
+@@ -329,7 +329,8 @@ scheduler_t * scheduler_create()
+ 	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
+ 
+ 	job = callback_job_create_with_prio((callback_job_cb_t)schedule, this,
+-										NULL, return_false, JOB_PRIO_CRITICAL);
++										NULL, callback_job_cancel_thread,
++										JOB_PRIO_CRITICAL);
+ 	lib->processor->queue_job(lib->processor, (job_t*)job);
+ 
+ 	return &this->public;
+diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
+index 1200d670959..a86ec0910d1 100644
+--- a/src/libstrongswan/processing/watcher.c
++++ b/src/libstrongswan/processing/watcher.c
+@@ -291,7 +291,7 @@ static void notify(private_watcher_t *this, entry_t *entry,
+ 
+ 	this->jobs->insert_last(this->jobs,
+ 					callback_job_create_with_prio((void*)notify_async, data,
+-						(void*)notify_end, (callback_job_cancel_t)return_false,
++						(void*)notify_end, callback_job_cancel_thread,
+ 						JOB_PRIO_CRITICAL));
+ }
+ 
+@@ -559,7 +559,7 @@ METHOD(watcher_t, add, void,
+ 
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((void*)watch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	}
+ 	else
+ 	{
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 91ee58b975f..c17d0a8873e 100644
+--- a/src/libtls/tests/suites/test_socket.c
++++ b/src/libtls/tests/suites/test_socket.c
+@@ -587,7 +587,7 @@ static void start_echo_server(echo_server_config_t *config)
+ 
+ 	lib->processor->queue_job(lib->processor, (job_t*)
+ 				callback_job_create((void*)serve_echo, config, NULL,
+-									(callback_job_cancel_t)return_false));
++									callback_job_cancel_thread));
+ }
+ 
+ /**
+---
+
+From 11978ddd39e800b5f35f721d726e8a4cb7e4ec0f Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 17:00:44 +0100
+Subject: [PATCH] Cast uses of return_*(), nop() and enumerator_create_empty()
+
+As described in the previous commit, GCC 15 uses C23 by default and that
+changes the meaning of such argument-less function declarations.  So
+whenever we assign such a function to a pointer that expects a function
+with arguments it causes an incompatible pointer type warning.  We
+could define dedicated functions/callbacks whenever necessary, but this
+seems like the simpler approach for now (especially since most uses of
+these functions have already been cast).
+---
+ src/charon-nm/nm/nm_handler.c                           | 2 +-
+ src/libcharon/encoding/payloads/encrypted_payload.c     | 2 +-
+ src/libcharon/plugins/android_dns/android_dns_handler.c | 2 +-
+ src/libcharon/plugins/ha/ha_attribute.c                 | 2 +-
+ src/libcharon/plugins/updown/updown_handler.c           | 2 +-
+ src/libstrongswan/utils/identification.c                | 6 +++---
+ 6 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
+index d7331ad72f6..39d0190ac9e 100644
+--- a/src/charon-nm/nm/nm_handler.c
++++ b/src/charon-nm/nm/nm_handler.c
+@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create()
+ 		.public = {
+ 			.handler = {
+ 				.handle = _handle,
+-				.release = nop,
++				.release = (void*)nop,
+ 				.create_attribute_enumerator = _create_attribute_enumerator,
+ 			},
+ 			.create_enumerator = _create_enumerator,
+diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
+index 676d00b7a29..4821c6108ed 100644
+--- a/src/libcharon/encoding/payloads/encrypted_payload.c
++++ b/src/libcharon/encoding/payloads/encrypted_payload.c
+@@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create()
+ 				.get_length = _frag_get_length,
+ 				.add_payload = _frag_add_payload,
+ 				.remove_payload = (void*)return_null,
+-				.generate_payloads = nop,
++				.generate_payloads = (void*)nop,
+ 				.set_transform = _frag_set_transform,
+ 				.get_transform = _frag_get_transform,
+ 				.encrypt = _frag_encrypt,
+diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
+index 78f4f702aec..14d2ff99aa3 100644
+--- a/src/libcharon/plugins/android_dns/android_dns_handler.c
++++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
+@@ -191,7 +191,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
+ 	VA_ARGS_VGET(args, type, data);
+ 	*type = INTERNAL_IP4_DNS;
+ 	*data = chunk_empty;
+-	this->venumerate = return_false;
++	this->venumerate = (void*)return_false;
+ 	return TRUE;
+ }
+ 
+diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
+index b865a4b829b..103d1a93784 100644
+--- a/src/libcharon/plugins/ha/ha_attribute.c
++++ b/src/libcharon/plugins/ha/ha_attribute.c
+@@ -381,7 +381,7 @@ ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments
+ 			.provider = {
+ 				.acquire_address = _acquire_address,
+ 				.release_address = _release_address,
+-				.create_attribute_enumerator = enumerator_create_empty,
++				.create_attribute_enumerator = (void*)enumerator_create_empty,
+ 			},
+ 			.reserve = _reserve,
+ 			.destroy = _destroy,
+diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
+index 36eb15615a4..3707e1e658c 100644
+--- a/src/libcharon/plugins/updown/updown_handler.c
++++ b/src/libcharon/plugins/updown/updown_handler.c
+@@ -220,7 +220,7 @@ updown_handler_t *updown_handler_create()
+ 			.handler = {
+ 				.handle = _handle,
+ 				.release = _release,
+-				.create_attribute_enumerator = enumerator_create_empty,
++				.create_attribute_enumerator = (void*)enumerator_create_empty,
+ 			},
+ 			.create_dns_enumerator = _create_dns_enumerator,
+ 			.destroy = _destroy,
+diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identifi
+100  5229  100  5229    0     0  26091      0 --:--:-- --:--:-- --:--:-- 26145
+cation.c
+index d31955b3806..58a05052dc1 100644
+--- a/src/libstrongswan/utils/identification.c
++++ b/src/libstrongswan/utils/identification.c
+@@ -1625,7 +1625,7 @@ static private_identification_t *identification_create(id_type_t type)
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_any;
+-			this->public.contains_wildcards = return_true;
++			this->public.contains_wildcards = (void*)return_true;
+ 			break;
+ 		case ID_FQDN:
+ 		case ID_RFC822_ADDR:
+@@ -1660,13 +1660,13 @@ static private_identification_t *identification_create(id_type_t type)
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_range;
+-			this->public.contains_wildcards = return_false;
++			this->public.contains_wildcards = (void*)return_false;
+ 			break;
+ 		default:
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_binary;
+-			this->public.contains_wildcards = return_false;
++			this->public.contains_wildcards = (void*)return_false;
+ 			break;
+ 	}
+ 	return this;

strongswan-6.0.2-no-isolation.patch

@@ -0,0 +1,12 @@
+diff -Naur strongswan-6.0.2-orig/src/libcharon/plugins/vici/python/Makefile.am strongswan-6.0.2/src/libcharon/plugins/vici/python/Makefile.am
+--- strongswan-6.0.2-orig/src/libcharon/plugins/vici/python/Makefile.am	2025-07-12 02:36:20.000000000 -0400
++++ strongswan-6.0.2/src/libcharon/plugins/vici/python/Makefile.am	2025-09-10 15:31:43.217806666 -0400
+@@ -19,7 +19,7 @@
+ all-local: dist/vici-$(PYTHON_PACKAGE_VERSION)-py3-none-any.whl
+ 
+ dist/vici-$(PYTHON_PACKAGE_VERSION)-py3-none-any.whl: $(EXTRA_DIST) $(srcdir)/setup.py
+-	(cd $(srcdir); $(PYTHON) -m build -o $(abs_builddir)/dist)
++	(cd $(srcdir); $(PYTHON) -m build --no-isolation -o $(abs_builddir)/dist) 
+ 
+ clean-local:
+ 	rm -rf $(srcdir)/setup.py $(srcdir)/vici.egg-info $(builddir)/dist

strongswan-6.0.2-no-md5-b3011e8e.patch

@@ -0,0 +1,514 @@
+From b3011e8e87a1fad1bfb026448fc37b80b7cfc007 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 23 Sep 2025 14:59:37 +0200
+Subject: [PATCH] Remove support for MD2
+
+No part of IKE/IPsec or X.509 uses MD2 anymore, so there really is no
+reason to still support it (unlike MD4 that is used in EAP-MSCHAPv2,
+MD5 that's used in EAP-MD5, or SHA-1 that's used for e.g. NAT-D hashes).
+
+It caused test vectors to fail on systems where OpenSSL is built with
+MD2 support but has it disabled at runtime.
+---
+ src/libstrongswan/asn1/oid.txt                |   4 +-
+ .../credentials/containers/pkcs12.c           |   1 -
+ src/libstrongswan/crypto/hashers/hasher.c     |  15 ---
+ src/libstrongswan/crypto/hashers/hasher.h     |  16 +--
+ src/libstrongswan/crypto/xofs/xof.c           |   1 -
+ .../plugins/gcrypt/gcrypt_hasher.c            |   3 -
+ .../plugins/openssl/openssl_plugin.c          |   3 -
+ .../plugins/pkcs11/pkcs11_hasher.c            |   1 -
+ .../plugins/pkcs11/pkcs11_plugin.c            |   1 -
+ .../plugins/test_vectors/Makefile.am          |   1 -
+ .../plugins/test_vectors/test_vectors.h       |   7 -
+ .../plugins/test_vectors/test_vectors/md2.c   |  64 ---------
+ src/libstrongswan/tests/suites/test_hasher.c  | 127 +++++++++---------
+ 13 files changed, 71 insertions(+), 173 deletions(-)
+ delete mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+
+diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
+index f58a44d326..b9c3189cd2 100644
+--- a/src/libstrongswan/asn1/oid.txt
++++ b/src/libstrongswan/asn1/oid.txt
+@@ -94,7 +94,7 @@
+             0x01             "PKCS"
+               0x01           "PKCS-1"
+                 0x01         "rsaEncryption"			OID_RSA_ENCRYPTION
+-                0x02         "md2WithRSAEncryption"		OID_MD2_WITH_RSA
++                0x02         "md2WithRSAEncryption"
+                 0x04         "md5WithRSAEncryption"		OID_MD5_WITH_RSA
+                 0x05         "sha-1WithRSAEncryption"	OID_SHA1_WITH_RSA
+                 0x07         "id-RSAES-OAEP"			OID_RSAES_OAEP
+@@ -148,7 +148,7 @@
+                     0x05     "secretBag"
+                     0x06     "safeContentsBag"
+             0x02             "digestAlgorithm"
+-              0x02           "md2"						OID_MD2
++              0x02           "md2"
+               0x05           "md5"						OID_MD5
+               0x07           "hmacWithSHA1"				OID_HMAC_SHA1
+               0x08           "hmacWithSHA224"			OID_HMAC_SHA224
+diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
+index d738910077..be0c750393 100644
+--- a/src/libstrongswan/credentials/containers/pkcs12.c
++++ b/src/libstrongswan/credentials/containers/pkcs12.c
+@@ -83,7 +83,6 @@ static bool derive_key(hash_algorithm_t hash, chunk_t unicode, chunk_t salt,
+ 	}
+ 	switch (hash)
+ 	{
+-		case HASH_MD2:
+ 		case HASH_MD5:
+ 		case HASH_SHA1:
+ 		case HASH_SHA224:
+diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
+index 2fed3b4133..444a59c5f0 100644
+--- a/src/libstrongswan/crypto/hashers/hasher.c
++++ b/src/libstrongswan/crypto/hashers/hasher.c
+@@ -30,7 +30,6 @@ ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
+ 	"HASH_IDENTITY");
+ ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"HASH_UNKNOWN",
+-	"HASH_MD2",
+ 	"HASH_MD4",
+ 	"HASH_MD5",
+ 	"HASH_SHA2_224",
+@@ -48,7 +47,6 @@ ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_IDENTITY,
+ 	"identity");
+ ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"unknown",
+-	"md2",
+ 	"md4",
+ 	"md5",
+ 	"sha224",
+@@ -66,7 +64,6 @@ ENUM_BEGIN(hash_algorithm_short_names_upper, HASH_SHA1, HASH_IDENTITY,
+ 	"IDENTITY");
+ ENUM_NEXT(hash_algorithm_short_names_upper, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"UNKNOWN",
+-	"MD2",
+ 	"MD4",
+ 	"MD5",
+ 	"SHA2_224",
+@@ -91,8 +88,6 @@ size_t hasher_hash_size(hash_algorithm_t alg)
+ 			return HASH_SIZE_SHA384;
+ 		case HASH_SHA512:
+ 			return HASH_SIZE_SHA512;
+-		case HASH_MD2:
+-			return HASH_SIZE_MD2;
+ 		case HASH_MD4:
+ 			return HASH_SIZE_MD4;
+ 		case HASH_MD5:
+@@ -121,9 +116,6 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
+ {
+ 	switch (oid)
+ 	{
+-		case OID_MD2:
+-		case OID_MD2_WITH_RSA:
+-			return HASH_MD2;
+ 		case OID_MD5:
+ 		case OID_MD5_WITH_RSA:
+ 			return HASH_MD5;
+@@ -323,7 +315,6 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
+ 					return AUTH_HMAC_SHA2_512_512;
+ 			}
+ 			break;
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_SHA224:
+ 		case HASH_SHA3_224:
+@@ -350,7 +341,6 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
+ 		case HASH_SHA512:
+ 			return TRUE;
+ 		case HASH_UNKNOWN:
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_MD5:
+ 		case HASH_SHA1:
+@@ -373,9 +363,6 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
+ 
+ 	switch (alg)
+ 	{
+-		case HASH_MD2:
+-			oid = OID_MD2;
+-			break;
+ 		case HASH_MD5:
+ 			oid = OID_MD5;
+ 			break;
+@@ -422,8 +409,6 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
+ 		case KEY_RSA:
+ 			switch (alg)
+ 			{
+-				case HASH_MD2:
+-					return OID_MD2_WITH_RSA;
+ 				case HASH_MD5:
+ 					return OID_MD5_WITH_RSA;
+ 				case HASH_SHA1:
+diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
+index ad434035da..0a4237cd93 100644
+--- a/src/libstrongswan/crypto/hashers/hasher.h
++++ b/src/libstrongswan/crypto/hashers/hasher.h
+@@ -45,17 +45,15 @@ enum hash_algorithm_t {
+ 	HASH_IDENTITY		= 5,
+ 	/* use private use range for algorithms not defined/permitted by RFC 7427 */
+ 	HASH_UNKNOWN 		= 1024,
+-	HASH_MD2 			= 1025,
+-	HASH_MD4			= 1026,
+-	HASH_MD5 			= 1027,
+-	HASH_SHA224			= 1028,
+-	HASH_SHA3_224		= 1029,
+-	HASH_SHA3_256		= 1030,
+-	HASH_SHA3_384		= 1031,
+-	HASH_SHA3_512		= 1032
++	HASH_MD4			= 1025,
++	HASH_MD5 			= 1026,
++	HASH_SHA224			= 1027,
++	HASH_SHA3_224		= 1028,
++	HASH_SHA3_256		= 1029,
++	HASH_SHA3_384		= 1030,
++	HASH_SHA3_512		= 1031
+ };
+ 
+-#define HASH_SIZE_MD2		16
+ #define HASH_SIZE_MD4		16
+ #define HASH_SIZE_MD5		16
+ #define HASH_SIZE_SHA1		20
+diff --git a/src/libstrongswan/crypto/xofs/xof.c b/src/libstrongswan/crypto/xofs/xof.c
+index 7c1eb37e42..f21e037a5a 100644
+--- a/src/libstrongswan/crypto/xofs/xof.c
++++ b/src/libstrongswan/crypto/xofs/xof.c
+@@ -60,7 +60,6 @@ ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg)
+ 			return XOF_MGF1_SHA3_384;
+ 		case HASH_IDENTITY:
+ 		case HASH_UNKNOWN:
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_MD5:
+ 			break;
+diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+index 29f86a5139..5e30ac7dc3 100644
+--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
++++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+@@ -92,9 +92,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
+ 
+ 	switch (algo)
+ 	{
+-		case HASH_MD2:
+-			gcrypt_alg = GCRY_MD_MD2;
+-			break;
+ 		case HASH_MD4:
+ 			gcrypt_alg = GCRY_MD_MD4;
+ 			break;
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index c3e1d2e173..ef7fe8908f 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -400,9 +400,6 @@ METHOD(plugin_t, get_features, int,
+ 			PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
+ 		/* hashers */
+ 		PLUGIN_REGISTER(HASHER, openssl_hasher_create),
+-#ifndef OPENSSL_NO_MD2
+-			PLUGIN_PROVIDE(HASHER, HASH_MD2),
+-#endif
+ #ifndef OPENSSL_NO_MD4
+ 			PLUGIN_PROVIDE(HASHER, HASH_MD4),
+ #endif
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+index e5ac18ed8c..409a05a2ab 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+@@ -234,7 +234,6 @@ static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size)
+ 		CK_MECHANISM mechanism;
+ 		size_t size;
+ 	} mappings[] = {
+-		{HASH_MD2,		{CKM_MD2,		NULL, 0},	HASH_SIZE_MD2},
+ 		{HASH_MD5,		{CKM_MD5,		NULL, 0},	HASH_SIZE_MD5},
+ 		{HASH_SHA1,		{CKM_SHA_1,		NULL, 0},	HASH_SIZE_SHA1},
+ 		{HASH_SHA256,	{CKM_SHA256,	NULL, 0},	HASH_SIZE_SHA256},
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+index 5510db99f4..aa27f1e384 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+@@ -189,7 +189,6 @@ METHOD(plugin_t, get_features, int,
+ {
+ 	static plugin_feature_t f_hash[] = {
+ 		PLUGIN_REGISTER(HASHER, pkcs11_hasher_create),
+-			PLUGIN_PROVIDE(HASHER, HASH_MD2),
+ 			PLUGIN_PROVIDE(HASHER, HASH_MD5),
+ 			PLUGIN_PROVIDE(HASHER, HASH_SHA1),
+ 			PLUGIN_PROVIDE(HASHER, HASH_SHA256),
+diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
+index 6074027f7d..eaf6485abc 100644
+--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
++++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
+@@ -37,7 +37,6 @@ libstrongswan_test_vectors_la_SOURCES = \
+ 	test_vectors/rc5.c \
+ 	test_vectors/serpent_cbc.c \
+ 	test_vectors/twofish_cbc.c \
+-	test_vectors/md2.c \
+ 	test_vectors/md4.c \
+ 	test_vectors/md5.c \
+ 	test_vectors/md5_hmac.c \
+diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
+index bf8609cb62..85436ff74a 100644
+--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
++++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
+@@ -160,13 +160,6 @@ TEST_VECTOR_SIGNER(sha512_hmac_s1)
+ TEST_VECTOR_SIGNER(sha512_hmac_s2)
+ TEST_VECTOR_SIGNER(sha512_hmac_s3)
+ 
+-TEST_VECTOR_HASHER(md2_1)
+-TEST_VECTOR_HASHER(md2_2)
+-TEST_VECTOR_HASHER(md2_3)
+-TEST_VECTOR_HASHER(md2_4)
+-TEST_VECTOR_HASHER(md2_5)
+-TEST_VECTOR_HASHER(md2_6)
+-TEST_VECTOR_HASHER(md2_7)
+ TEST_VECTOR_HASHER(md4_1)
+ TEST_VECTOR_HASHER(md4_2)
+ TEST_VECTOR_HASHER(md4_3)
+diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+deleted file mode 100644
+index b2707a1317..0000000000
+--- a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
++++ /dev/null
+@@ -1,64 +0,0 @@
+-/*
+- * Copyright (C) 2009 Martin Willi
+- *
+- * Copyright (C) secunet Security Networks AG
+- *
+- * This program is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License as published by the
+- * Free Software Foundation; either version 2 of the Licenseor (at your
+- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+- *
+- * This program is distributed in the hope that it will be usefulbut
+- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+- * for more details.
+- */
+-
+-#include <crypto/crypto_tester.h>
+-
+-/**
+- * MD2 vectors from RFC 1319
+- */
+-hasher_test_vector_t md2_1 = {
+-	.alg = HASH_MD2, .len = 0,
+-	.data	= "",
+-	.hash	= "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69\x27\x73"
+-};
+-
+-hasher_test_vector_t md2_2 = {
+-	.alg = HASH_MD2, .len = 1,
+-	.data	= "a",
+-	.hash	= "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0\xb5\xd1"
+-};
+-
+-hasher_test_vector_t md2_3 = {
+-	.alg = HASH_MD2, .len = 3,
+-	.data	= "abc",
+-	.hash	= "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde\xd6\xbb"
+-};
+-
+-hasher_test_vector_t md2_4 = {
+-	.alg = HASH_MD2, .len = 14,
+-	.data	= "message digest",
+-	.hash	= "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe\x06\xb0"
+-};
+-
+-hasher_test_vector_t md2_5 = {
+-	.alg = HASH_MD2, .len = 26,
+-	.data	= "abcdefghijklmnopqrstuvwxyz",
+-	.hash	= "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47\x94\x0b"
+-};
+-
+-hasher_test_vector_t md2_6 = {
+-	.alg = HASH_MD2, .len = 62,
+-	.data	= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+-	.hash	= "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03\x38\xcd"
+-};
+-
+-hasher_test_vector_t md2_7 = {
+-	.alg = HASH_MD2, .len = 80,
+-	.data	= "1234567890123456789012345678901234567890"
+-			  "1234567890123456789012345678901234567890",
+-	.hash	= "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3\xef\xd8"
+-};
+-
+diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
+index c07eed8d93..3bdcc7e3d7 100644
+--- a/src/libstrongswan/tests/suites/test_hasher.c
++++ b/src/libstrongswan/tests/suites/test_hasher.c
+@@ -28,41 +28,39 @@ typedef struct {
+ 	key_type_t key;
+ }hasher_oid_t;
+ 
++/* make sure to adjust offsets in constructor when changing this array */
+ static hasher_oid_t oids[] = {
+-	{ OID_MD2, HASH_MD2, KEY_ANY },                                /*  0 */
+-	{ OID_MD5, HASH_MD5, KEY_ANY },                                /*  1 */
+-	{ OID_SHA1, HASH_SHA1, KEY_ANY },                              /*  2 */
+-	{ OID_SHA224, HASH_SHA224, KEY_ANY },                          /*  3 */
+-	{ OID_SHA256, HASH_SHA256, KEY_ANY },                          /*  4 */
+-	{ OID_SHA384, HASH_SHA384, KEY_ANY },                          /*  5 */
+-	{ OID_SHA512, HASH_SHA512, KEY_ANY },                          /*  6 */
+-	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },                      /*  7 */
+-	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },                      /*  8 */
+-	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },                      /*  9 */
+-	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },                      /* 10 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                        /* 11 */
+-	{ OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },                       /* 12 */
+-	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                       /* 13 */
+-	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },                     /* 14 */
+-	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },                 /* 15 */
+-	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },                 /* 16 */
+-	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },                 /* 17 */
+-	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },                 /* 18 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 19 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 20 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 21 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 22 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                        /* 23 */
+-	{ OID_ED25519, HASH_IDENTITY, KEY_ED25519 },                   /* 24 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 },                    /* 25 */
+-	{ OID_ED448, HASH_IDENTITY, KEY_ED448 },                       /* 26 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 },                      /* 27 */
+-	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },                 /* 28 */
+-	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },             /* 29 */
+-	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },             /* 30 */
+-	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },             /* 31 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },                      /* 32 */
+-
++	{ OID_MD5, HASH_MD5, KEY_ANY },                                /*  0 */
++	{ OID_SHA1, HASH_SHA1, KEY_ANY },                              /*  1 */
++	{ OID_SHA224, HASH_SHA224, KEY_ANY },                          /*  2 */
++	{ OID_SHA256, HASH_SHA256, KEY_ANY },                          /*  3 */
++	{ OID_SHA384, HASH_SHA384, KEY_ANY },                          /*  4 */
++	{ OID_SHA512, HASH_SHA512, KEY_ANY },                          /*  5 */
++	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },                      /*  6 */
++	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },                      /*  7 */
++	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },                      /*  8 */
++	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },                      /*  9 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                        /* 10 */
++	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                       /* 11 */
++	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },                     /* 12 */
++	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },                 /* 13 */
++	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },                 /* 14 */
++	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },                 /* 15 */
++	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },                 /* 16 */
++	{ OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 17 */
++	{ OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 18 */
++	{ OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 19 */
++	{ OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 20 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                        /* 21 */
++	{ OID_ED25519, HASH_IDENTITY, KEY_ED25519 },                   /* 22 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 },                    /* 23 */
++	{ OID_ED448, HASH_IDENTITY, KEY_ED448 },                       /* 24 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 },                      /* 25 */
++	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },                 /* 26 */
++	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },             /* 27 */
++	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },             /* 28 */
++	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },             /* 29 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },                      /* 30 */
+ };
+ 
+ START_TEST(test_hasher_from_oid)
+@@ -174,32 +172,32 @@ typedef struct {
+ 	size_t length;
+ }hasher_auth_t;
+ 
++/* make sure to adjust offsets in constructor when changing this array */
+ static hasher_auth_t auths[] = {
+-	{ AUTH_UNDEFINED, HASH_MD2, 0 },
+-	{ AUTH_UNDEFINED, HASH_MD4, 0 },
+-	{ AUTH_UNDEFINED, HASH_SHA224, 0 },
+-	{ AUTH_UNDEFINED, 9, 0 },
+-	{ AUTH_UNDEFINED, HASH_UNKNOWN, 0 },
+-	{ AUTH_HMAC_MD5_96, HASH_MD5, 12 },
+-	{ AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },
+-	{ AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },
+-	{ AUTH_HMAC_MD5_128, HASH_MD5, 16 },
+-	{ AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },
+-	{ AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 },
+-	{ AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },
+-	{ AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 },
+-	{ AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 },
+-	{ AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 },
+-	{ AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 },
+-	{ AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 },
+-	{ AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },
+-	{ AUTH_DES_MAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },
+-	{ 0, HASH_UNKNOWN, 0 }
++	{ AUTH_UNDEFINED, HASH_MD4, 0 },             /*  0 */
++	{ AUTH_UNDEFINED, HASH_SHA224, 0 },          /*  1 */
++	{ AUTH_UNDEFINED, 9, 0 },                    /*  2 */
++	{ AUTH_UNDEFINED, HASH_UNKNOWN, 0 },         /*  3 */
++	{ AUTH_HMAC_MD5_96, HASH_MD5, 12 },          /*  4 */
++	{ AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },        /*  5 */
++	{ AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },  /*  6 */
++	{ AUTH_HMAC_MD5_128, HASH_MD5, 16 },         /*  7 */
++	{ AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },       /*  8 */
++	{ AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 }, /*  9 */
++	{ AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },       /* 10 */
++	{ AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 }, /* 11 */
++	{ AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 }, /* 12 */
++	{ AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 }, /* 13 */
++	{ AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 }, /* 14 */
++	{ AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 }, /* 15 */
++	{ AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },       /* 16 */
++	{ AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },      /* 17 */
++	{ AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },      /* 18 */
++	{ AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },      /* 19 */
++	{ AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },       /* 20 */
++	{ AUTH_DES_MAC, HASH_UNKNOWN, 0 },           /* 21 */
++	{ AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },  /* 22 */
++	{ 0, HASH_UNKNOWN, 0 }                       /* 23 */
+ };
+ 
+ START_TEST(test_hasher_from_integrity)
+@@ -237,7 +235,6 @@ static hasher_ikev2_t ikev2[] = {
+ 	{ HASH_SHA384,   TRUE  },
+ 	{ HASH_SHA512,   TRUE  },
+ 	{ HASH_UNKNOWN,  FALSE },
+-	{ HASH_MD2,      FALSE },
+ 	{ HASH_MD4,      FALSE },
+ 	{ HASH_MD5,      FALSE },
+ 	{ HASH_SHA224,   FALSE },
+@@ -262,15 +259,15 @@ Suite *hasher_suite_create()
+ 	s = suite_create("hasher");
+ 
+ 	tc = tcase_create("from_oid");
+-	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 28);
++	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 26);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("to_oid");
+-	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 12);
++	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 11);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("sig_to_oid");
+-	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 11, countof(oids));
++	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 10, countof(oids));
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("from_sig_scheme");
+@@ -283,11 +280,11 @@ Suite *hasher_suite_create()
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("from_integrity");
+-	tcase_add_loop_test(tc, test_hasher_from_integrity, 4, countof(auths));
++	tcase_add_loop_test(tc, test_hasher_from_integrity, 3, countof(auths));
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("to_integrity");
+-	tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
++	tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 16);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("for_ikev2");

strongswan.spec

@@ -1,42 +1,80 @@
 %global _hardened_build 1
 #%%define prerelease dr1
+%global dist .nhrp.11%{?dist}
+
+# pytho vici bindings cannot build without network, so temp. disabled
+%bcond_with python3
+%bcond_without perl
+# checks fail for test_params_parse_rsa_pss
+%bcond_with    check
+
+%global forgeurl0 https://github.com/strongswan/strongswan
 
 Name:           strongswan
-Version:        5.7.2
-Release:        3.nhrp.2%{?dist}
+Version:        6.0.2
+Release:        4%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
-License:        GPLv2+
-URL:            http://www.strongswan.org/
-Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
-Patch1:         strongswan-5.6.0-uintptr_t.patch
-Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
+# Automatically converted from old format: GPLv2+ - review is highly recommended.
+License:        GPL-2.0-or-later
+URL:            https://www.strongswan.org/
+VCS:            git:%{forgeurl0}
+Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
+Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
+Source3:        tmpfiles-strongswan.conf
+# https://github.com/strongswan/strongswan/issues/1198  (also pinged upstream via email)
+Patch1:         strongswan-5.9.7-error-no-format.patch
+# Use isolation to prevent pip attempting to download during build
+Patch2:         strongswan-6.0.2-no-isolation.patch
+# Remove MD2, which causes test case failures due to fedora crypto policies
+# https://github.com/strongswan/strongswan/commit/b3011e8e87a1fad1bfb026448fc37b80b7cfc007
+Patch3:         strongswan-6.0.2-no-md5-b3011e8e.patch
 
-Patch10:        0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
-Patch11:        0002-charon-add-optional-source-and-remote-overrides-for-.patch
-Patch12:        0003-vici-send-certificates-for-ike-sa-events.patch
-Patch13:        0004-vici-add-support-for-individual-sa-state-changes.patch
-Patch14:        0005-vici-add-deprecated-async-parameter.patch
-Patch15:        0006-support-gre-key-in-ikev1.patch
-Patch16:        0007-vyos-terminate-connections-source-dest.patch
-
-# only needed for pre-release versions
-#BuildRequires:  autoconf automake
+Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
+Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
+Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
+Patch13:        0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch
 
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gnupg2
+BuildRequires:  libtool
+BuildRequires:  make
 BuildRequires:  gcc
+BuildRequires:  systemd
 BuildRequires:  systemd-devel
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
+%if 0%{?fedora} >= 41
+# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+BuildRequires:  openssl-devel-engine
+%endif
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
-BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
-BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
+BuildRequires:  libcap-devel
+BuildRequires:  tpm2-tss-devel
+Recommends:     tpm2-tools
+
+%if %{with python3}
+BuildRequires:  python3-devel
+BuildRequires:  python3-build
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-daemon
+BuildRequires:  python3-pytest
+%endif
+
+%if %{with perl}
+BuildRequires:  perl-devel perl-generators
+BuildRequires:  perl(ExtUtils::MakeMaker)
+%endif
 
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -57,8 +95,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
+Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
+Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -66,14 +104,14 @@ to NetworkManager.
 
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: %{name} = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-sqlite = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
+Requires: strongswan-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -84,22 +122,44 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.
 
-%prep
-%setup -q -n %{name}-%{version}%{?prerelease}
-%patch1 -p1
-%patch3 -p1
+%if %{with python3}
+%package -n python3-vici
+Summary: Strongswan Versatile IKE Configuration Interface python bindings
+BuildArch: noarch
+%description -n python3-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
 
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
+The Versatile IKE Configuration Interface (VICI) python bindings provides module
+for Strongswan runtime configuration from python applications.
+
+%endif
+
+%if %{with perl}
+%package -n perl-vici
+Summary: Strongswan Versatile IKE Configuration Interface perl bindings
+BuildArch: noarch
+%description -n perl-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) perl bindings provides module
+for Strongswan runtime configuration from perl applications.
+%endif
+
+# TODO: make also ruby-vici
+
+
+%prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -n %{name}-%{version}%{?prerelease} -p1
 
 %build
 # only for snapshots
-#autoreconf
+export ACLOCAL_PATH=/usr/share/gettext/m4:$ACLOCAL_PATH
+autoreconf -fiv
 
 # --with-ipsecdir moves internal commands to /usr/libexec/strongswan
 # --bindir moves 'pki' command to /usr/libexec/strongswan
@@ -111,9 +171,10 @@ PT-TLS to support TNC over TLS.
     --with-ipsecdir=%{_libexecdir}/strongswan \
     --bindir=%{_libexecdir}/strongswan \
     --with-ipseclibdir=%{_libdir}/strongswan \
-    --with-fips-mode=2 \
+    --with-piddir=%{_rundir}/strongswan \
+    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
     --enable-bypass-lan \
-    --enable-tss-trousers \
+    --enable-tss-tss2 \
     --enable-nm \
     --enable-systemd \
     --enable-openssl \
@@ -123,6 +184,7 @@ PT-TLS to support TNC over TLS.
     --enable-gcm \
     --enable-chapoly \
     --enable-md4 \
+    --enable-ml \
     --enable-gcrypt \
     --enable-newhope \
     --enable-xauth-eap \
@@ -168,8 +230,6 @@ PT-TLS to support TNC over TLS.
     --enable-imv-attestation \
     --enable-imv-os \
     --enable-imc-os \
-    --enable-imc-swid \
-    --enable-imv-swid \
     --enable-imc-swima \
     --enable-imv-swima \
     --enable-imc-hcd \
@@ -177,25 +237,74 @@ PT-TLS to support TNC over TLS.
     --enable-curl \
     --enable-cmd \
     --enable-acert \
-    --enable-aikgen \
     --enable-vici \
     --enable-swanctl \
     --enable-duplicheck \
+    --enable-selinux \
+    --enable-stroke \
 %ifarch x86_64 %{ix86}
     --enable-aesni \
 %endif
-    --enable-kernel-libipsec
+%if %{with python3}
+    PYTHON=%{python3} --enable-python-wheels \
+%endif
+%if %{with perl}
+    --enable-perl-cpan \
+%endif
+%if %{with check}
+    --enable-test-vectors \
+%endif
+    --enable-kernel-libipsec \
+    --with-capabilities=libcap \
+    CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
 
 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
-make %{?_smp_mflags}
+# ensure manual page is regenerated with local configuration
+rm -f src/ipsec/_ipsec.8
+
+%make_build
+
+pushd src/libcharon/plugins/vici
+
+%if %{with python3}
+  pushd python
+    %make_build
+    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
+    #py3_build
+  popd
+%endif
+
+%if %{with perl}
+  pushd perl/Vici-Session/
+    perl Makefile.PL INSTALLDIRS=vendor
+    %make_build
+  popd
+%endif
+
+popd
 
 %install
-make install DESTDIR=%{buildroot}
-mv %{buildroot}%{_sysconfdir}/strongswan/dbus-1 %{buildroot}%{_sysconfdir}/
+%make_install
+
+
+pushd src/libcharon/plugins/vici
+%if %{with python3}
+  pushd python
+    # TODO: --enable-python-eggs breaks our previous build. Do it now
+    # propose better way to upstream
+    %pyproject_wheel
+    %pyproject_install
+  popd
+%endif
+%if %{with perl}
+  %make_install -C perl/Vici-Session
+  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
+%endif
+popd
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -213,32 +322,49 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d
 for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
+install -d -m 0700 %{buildroot}%{_rundir}/strongswan
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
+
+%check
+%if %{with check}
+  # Seen some tests hang. Ensure we do not block builder forever
+  export TESTS_VERBOSITY=1
+  timeout 600 %make_build check
+%endif
+%if %{with python}
+  pushd src/libcharon/plugins/vici
+    %pytest
+  popd
+%endif
+:
 
 %post
-%systemd_post %{name}.service
+%systemd_post strongswan.service strongswan-starter.service
 
 %preun
-%systemd_preun %{name}.service
+%systemd_preun strongswan.service strongswan-starter.service
 
 %postun
-%systemd_postun_with_restart %{name}.service
+%systemd_postun_with_restart strongswan.service strongswan-starter.service
 
 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
 %dir %{_libdir}/strongswan/plugins
 %dir %{_libexecdir}/strongswan
 %{_unitdir}/strongswan.service
-%{_unitdir}/strongswan-swanctl.service
+%{_unitdir}/strongswan-starter.service
 %{_sbindir}/charon-cmd
 %{_sbindir}/charon-systemd
 %{_sbindir}/strongswan
 %{_sbindir}/swanctl
 %{_libdir}/strongswan/*.so.*
+%{_libdir}/strongswan/plugins/*.so.*
 %exclude %{_libdir}/strongswan/libimcv.so.*
 %exclude %{_libdir}/strongswan/libtnccs.so.*
 %exclude %{_libdir}/strongswan/libipsec.so.*
@@ -254,6 +380,9 @@ done
 %{_mandir}/man?/*.gz
 %{_datadir}/strongswan/templates/config/
 %{_datadir}/strongswan/templates/database/
+%attr(0755,root,root) %dir %{_rundir}/strongswan
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -277,476 +406,22 @@ done
 
 %files charon-nm
 %doc COPYING
-%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
+%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
+%if %{with python3}
+%files -n python3-vici
+%license COPYING
+%doc src/libcharon/plugins/vici/python/README.rst
+%{python3_sitelib}/vici
+%{python3_sitelib}/vici-%{version}.dist-info
+%endif
+
+%if %{with perl}
+%license COPYING
+%files -n perl-vici
+%{perl_vendorlib}/Vici
+%endif
+
 %changelog
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
-- Updated to 5.7.2
-
-* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
-- Updated to 5.7.1
-- Resolves rhbz#1635872 CVE-2018-16152
-- Resolves rhbz#1635875 CVE-2018-16151
-
-* Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
-- Add plugin bypass-lan, disabled by default
-- Resolves rhbz#1554479 Update to strongswan-charon-nm fails
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Tue May 29 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-1
-- New version 5.6.3
-
-* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-6
-- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c
-
-* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-5
-- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server
-- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin
-
-* Sun May 20 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.2-3
-- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package
-  sqlite (#1579945)
-
-* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 5.6.2-2
-- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
-
-* Wed Feb 21 2018 Lubomir Rintel <lkundrak@v3.sk> - 5.6.2-1
-- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm)
-
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Fri Dec 22 2017 Paul Wouters <pwouters@redhat.com> - 5.6.1-1
-- Updated to 5.6.1 (RSA-PSS support)
-
-* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 5.6.0-3
-- Rebuilt for libjson-c.so.3
-
-* Fri Dec 01 2017 Lubomir Rintel <lkundrak@v3.sk> - 5.6.0-2
-- Fix the placement of charon-nm D-Bus policy
-
-* Sat Sep 09 2017 Paul Wouters <pwouters@redhat.com> - 5.6.0-1
-- Updated to 5.6.0
-- Fixup configure arguments, enabled a bunch of new features
-- Added new BuildRequires:
-- Fixup Obsolete/Conflicts, use license macro
-- Don't require autoconf/autotools for non-snapshots
-- Remove macro overuse, remove fedora/rhel checks and sysvinit support
-- Make listings/grouping of all plugins/libs to reduce file listing
-
-* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Mon Jun 12 2017 Paul Wouters <pwouters@redhat.com> - 5.5.3-1
-- Updated to 5.5.3
-
-* Sat May 27 2017 Paul Wouters <pwouters@redhat.com> - 5.5.2-1
-- Updated to 5.5.2
-
-* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Thu Sep 15 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-2
-- Resolves: #1367796 - Enable the unity plugin
-
-* Mon Aug 08 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-1
-- New version 5.5.0
-
-* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com>
-- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters
-
-* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com> - 5.4.0-1
-- New version 5.4.0
-
-* Thu Mar 03 2016 Pavel Šimerda <psimerda@redhat.com> - 5.3.5-1
-- New version 5.3.5
-
-* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Fri Jan 15 2016 Paul Wouters <pwouters@redhat.com> - 5.3.3-2
-- Enable IKEv2 GCM (requires gcrypt module as well)
-
-* Tue Sep 29 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.3-1
-- new version 5.3.3
-
-* Thu Sep 24 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.2-3
-- Resolves: #1264598 - strongswan: many configuration files are not protected
-
-* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Tue Jun 09 2015 Pavel Šimerda <psimerda@redhat.com>
-- new version 5.3.2
-
-* Fri Jun 05 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.1-1
-- new version 5.3.1
-
-* Tue Mar 31 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.0-1
-- new version 5.3.0
-
-* Fri Feb 20 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-2
-- Fixes strongswan swanctl service issue rhbz#1193106
-
-* Tue Jan 06 2015 Pavel Šimerda <psimerda@redhat.com> - 5.2.2-1
-- new version 5.2.2
-
-* Thu Dec 18 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.2.dr1
-- Enabled ccm, and ctr plugins as it seems enabling just openssl does
-  not work for using ccm and ctr algos.
-
-* Mon Dec 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.1.dr1
-- New strongswan developer release 5.2.2dr1
-
-* Mon Nov 24 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-2
-- 1167331: Enabled native systemd support.
-- Does not disable old systemd, starter, ipsec.conf support yet.
-
-* Thu Oct 30 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-1
-- New upstream release 5.2.1
-
-* Thu Oct 16 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-0.2.rc1
-- New upstream release candidate 5.2.1rc1
-
-* Fri Oct 10 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.1-1
-- new version 5.2.1dr1
-
-* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-7
-- use upstream patch for json/json-c dependency
-
-* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-6
-- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin
-
-* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.0-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Tue Aug 05 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-4
-- Resolves: #1081804 - enable Kernel IPSec support
-
-* Wed Jul 30 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-3
-- rebuilt
-
-* Tue Jul 29 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-2
-- fix json-c dependency
-
-* Tue Jul 15 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0-1
-- New upstream release 5.2.0
-- The Attestation IMC/IMV pair supports the IMA-NG
-  measurement format
-- Aikgen tool to generate an Attestation Identity Key bound
-  to a TPM
-- Swanctl tool to provide a portable, complete IKE
-  configuration and control interface for the command
-  line using vici interface with libvici library
-- PT-EAP transport protocol (RFC 7171) for TNC
-- Enabled support for acert for checking X509 attribute certificate
-- Updated patches, removed selinux patch as upstream has fixed it
-  in this release.
-- Updated spec file with minor cleanups
-
-* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.4.dr6
-- improve prerelease macro
-
-* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.3
-- Resolves: #1111895 - bump to 5.2.0dr6
-
-* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.2
-- Related: #1087437 - remove or upstream all patches not specific to fedora/epel
-
-* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.1.dr5
-- fix the pre-release version according to guidelines before it gets branched
-
-* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr5-1
-- new version 5.2.0dr5
-- add json-c-devel to build deps
-
-* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-3
-- merge two related patches
-
-* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-2
-- clean up the patches a bit
-
-* Thu May 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0dr4-1
-- New upstream developer release 5.2.0dr4
-- Attestation IMV/IMC supports IMA-NG measurement format now
-- Aikgen tool to generate an Attestation Identity Key bound
-  to a TPM
-- PT-EAP transport protocol (RFC 7171) for TNC
-- vici plugin provides IKE Configuration Interface for charon
-- Enabled support for acert for checking X509 attribute certificate
-- Updated patches
-- Updated spec file with minor cleanups
-
-* Tue Apr 15 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3-1
-- new version 5.1.3
-
-* Mon Apr 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3rc1-1
-- new version 5.1.3rc1
-
-* Mon Mar 24 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-4
-- #1069928 - updated libexec patch.
-
-* Tue Mar 18 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-3
-- fixed el6 initscript
-- fixed pki directory location
-
-* Fri Mar 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-2
-- clean up the specfile a bit
-- replace the initscript patch with an individual initscript
-- patch to build for epel6
-
-* Mon Mar 03 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-1
-- #1071353 - bump to 5.1.2
-- #1071338 - strongswan is compiled without xauth-pam plugin
-- remove obsolete patches
-- sent all patches upstream
-- added comments to all patches
-- don't touch the config with sed
-
-* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-6
-- Fixed full hardening for strongswan (full relro and PIE).
-  The previous macros had a typo and did not work
-  (see bz#1067119).
-- Fixed tnc package description to reflect the current state of
-  the package.
-- Fixed pki binary and moved it to /usr/libexece/strongswan as
-  others binaries are there too.
-
-* Wed Feb 19 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-5
-- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
-
-* Thu Jan 09 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-4
-- Removed redundant patches and *.spec commands caused by branch merging
-
-* Wed Jan 08 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-3
-- rebuilt
-
-* Mon Dec 2 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-2
-- Resolves: 973315
-- Resolves: 1036844
-
-* Fri Nov 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-1
-- Support for PT-TLS  (RFC 6876)
-- Support for SWID IMC/IMV
-- Support for command line IKE client charon-cmd
-- Changed location of pki to /usr/bin
-- Added swid tags files
-- Added man pages for pki and charon-cmd
-- Renamed pki to strongswan-pki to avoid conflict with
-  pki-core/pki-tools package.
-- Update local patches
-- Fixes CVE-2013-6075
-- Fixes CVE-2013-6076
-- Fixed autoconf/automake issue as configure.ac got changed
-  and it required running autoreconf during the build process.
-- added strongswan signature file to the sources.
-
-* Thu Sep 12 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-3
-- Fixed initialization crash of IMV and IMC particularly
-  attestation imv/imc as libstrongswas was not getting
-  initialized.
-
-* Fri Aug 30 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-2
-- Enabled fips support
-- Enabled TNC's ifmap support
-- Enabled TNC's pdp support
-- Fixed hardocded package name in this spec file
-
-* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
-- rhbz#981429: New upstream release
-- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
-- Fixes rhbz#991859 failed to build in rawhide
-- Updated local patches and removed which are not needed
-- Fixed errors around charon-nm
-- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
-  libstrongswan-sshkey.so
-- Added utility imv_policy_manager
-
-* Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
-- rename strongswan-NetworkManager to strongswan-charon-nm
-- fix enable_nm macro
-
-* Mon Jul 15 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-4
-- %%files tries to package some of the shared objects as directories (#984437)
-- fix broken systemd unit file (#984300)
-- fix rpmlint error: description-line-too-long
-- fix rpmlint error: macro-in-comment
-- fix rpmlint error: spelling-error Summary(en_US) fuctionality
-- depend on 'systemd' instead of 'systemd-units'
-- use new systemd scriptlet macros
-- NetworkManager subpackage should have a copy of the license (#984490)
-- enable hardened_build as this package meets the PIE criteria (#984429)
-- invocation of "ipsec _updown iptables" is broken as ipsec is renamed
-  to strongswan in this package (#948306)
-- invocation of "ipsec scepclient" is broken as ipsec is renamed
-  to strongswan in this package
-- add /etc/strongswan/ipsec.d and missing subdirectories
-- conditionalize building of strongswan-NetworkManager subpackage as the
-  version of NetworkManager in EL6 is too old (#984497)
-
-* Fri Jun 28 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-3
-- Patch to fix a major crash issue when Freeradius loads
-  attestatiom-imv and does not initialize libstrongswan which
-  causes crash due to calls to PTS algorithms probing APIs.
-  So this patch fixes the order of initialization. This issues
-  does not occur with charon because libstrongswan gets
-  initialized earlier.
-- Patch that allows to outputs errors when there are permission
-  issues when accessing strongswan.conf.
-- Patch to make loading of modules configurable when libimcv
-  is used in stand alone mode without charon with freeradius
-  and wpa_supplicant.
-
-* Tue Jun 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-2
-- Enabled TNCCS 1.1 protocol
-- Fixed libxm2-devel build dependency
-- Patch to fix the issue with loading of plugins
-
-* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
-- New upstream release
-- Fixes for CVE-2013-2944
-- Enabled support for OS IMV/IMC
-- Created and applied a patch to disable ECP in fedora, because
-  Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
-  it non-compliant to TCG's PTS standard, but there is no choice
-  right now. see redhat bz # 319901.
-- Enabled Trousers support for TPM based operations.
-
-* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
-- Rebuilt for a single specfile for rawhide/f19/f18/el6
-
-* Fri Apr 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.3-1
-- New upstream release
-- Enabled curl and eap-identity plugins
-- Enabled support for eap-radius plugin.
-
-* Thu Apr 18 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.2-3
-- Add gettext-devel to BuildRequires because of epel6
-- Remove unnecessary comments
-
-* Tue Mar 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-2
-- Enabled support for eap-radius plugin.
-
-* Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
-- Update to upstream release 5.0.2
-- Created sub package strongswan-tnc-imcvs that provides trusted network
-  connect's IMC and IMV funtionality. Specifically it includes PTS 
-  based IMC/IMV for TPM based remote attestation and scanner and test 
-  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used 
-  by any third party TNC Client/Server implementation possessing a 
-  standard IF-IMC/IMV interface.
-
-* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
-
-* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.1-1
-- Update to release 5.0.1
-
-* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-4.git20120619
-- Add plugins to interoperate with Windows 7 and Android (#862472)
-  (contributed by Haim Gelfenbeyn)
-
-* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.0-3.git20120619
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Sun Jul 08 2012 Pavel Šimerda <pavlix@pavlix.net> - 5.0.0-2.git20120619
-- Fix configure substitutions in initscripts
-
-* Wed Jul 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-1.git20120619
-- Update to current upstream release
-- Comment out all stuff that is only needed for git builds
-- Remove renaming patch from git
-- Improve init patch used for EPEL
-
-* Thu Jun 21 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.3.git20120619
-- Build with openssl plugin enabled
-
-* Wed Jun 20 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.2.git20120619
-- Add README.Fedora with link to 4.6 to 5.0 migration information
-
-* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619
-- Snapshot of upcoming major release
-- Move patches and renaming upstream
-  http://wiki.strongswan.org/issues/194
-  http://wiki.strongswan.org/issues/195
-- Notified upstream about manpage issues
-
-* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2
-- Make initscript patch more distro-neutral
-- Add links to bugreports for patches
-
-* Fri Jun 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.4-1
-- New upstream version (CVE-2012-2388)
-
-* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-2
-- Add --enable-nm to configure
-- Add NetworkManager-devel to BuildRequires
-- Add NetworkManager-glib-devel to BuildRequires
-- Add strongswan-NetworkManager package
-
-* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-1
-- New version of Strongswan
-- Support for RFC 3110 DNSKEY (see upstream changelog)
-- Fix corrupt scriptlets
-
-* Fri Mar 30 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-2
-- #808612 - strongswan binary renaming side-effect
-
-* Sun Feb 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-1
-- New upstream version
-- Changed from .tar.gz to .tar.bz2
-- Added libstrongswan-pkcs8.so
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-8
-- Fix initscript's status function
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-7
-- Expand tabs in config files for better readability
-- Add sysvinit script for epel6
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-6
-- Fix program name in systemd unit file
-
-* Tue Feb 14 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-5
-- Improve fedora/epel conditionals
-
-* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-4
-- Protect configuration directory from ordinary users
-- Add still missing directory /etc/strongswan
-
-* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-3
-- Change directory structure to avoid clashes with Openswan
-- Prefixed all manpages with 'strongswan_'
-- Every file now includes 'strongswan' somewhere in its path
-- Removed conflict with Openswan
-- Finally fix permissions on strongswan.conf
-
-* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-2
-- Change license tag from GPL to GPLv2+
-- Change permissions on /etc/strongswan.conf to 644
-- Rename ipsec.8 manpage to strongswan.8
-- Fix empty scriptlets for non-fedora builds
-- Add ldconfig scriptlet
-- Add missing directories and files
-
-* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.1-1
-- Bump to version 4.6.1
-
-* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.0-3
-- Add systemd scriptlets
-- Add conditions to also support EPEL6
-
-* Sat Dec 10 2011 Pavel Šimerda <pavlix@pavlix.net> - 4.6.0-2
-- Experimental build for development
+%autochangelog

tmpfiles-strongswan.conf

@@ -0,0 +1 @@
+D /run/strongswan 0755 root root -