nhrp: Remove unused patches

- Resolves: rhbz#1886759 charon looking for certificates in the wrong place

.gitignore

@@ -1,2 +1,2 @@
-/strongswan-5.7.1.tar.bz2
+/strongswan-5.8.4.tar.bz2
-/strongswan-5.7.2.tar.bz2
+/strongswan-5.9.0.tar.bz2

0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch

@@ -1,7 +1,7 @@
-From 4904344754c2884e36b40532a8b65229c3355ff6 Mon Sep 17 00:00:00 2001
+From ffc2fc151cf78204bd482340dee7c5e7d0c24e51 Mon Sep 17 00:00:00 2001
 From: Tobias Brunner <tobias@strongswan.org>
 Date: Fri, 17 Jul 2015 11:53:58 +0200
-Subject: [PATCH 1/7] ike: Adhere to IKE_SA limit when checking out by config
+Subject: [PATCH 1/5] ike: Adhere to IKE_SA limit when checking out by config
 
 This prevents new SAs from getting created if we hit the global IKE_SA
 limit (we still allow checkout_new(), which is used for rekeying).
@@ -10,10 +10,10 @@ limit (we still allow checkout_new(), which is used for rekeying).
  1 file changed, 37 insertions(+), 34 deletions(-)
 
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 3bac4b109..8a3178674 100644
+index f95ff19af..1e0ae42fe 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -1419,48 +1419,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1434,48 +1434,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  
  	DBG2(DBG_MGR, "checkout IKE_SA by config");
  
@@ -100,5 +100,5 @@ index 3bac4b109..8a3178674 100644
  	}
  	charon->bus->set_sa(charon->bus, ike_sa);
 -- 
-2.24.1
+2.30.2
 

0002-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -1,7 +1,7 @@
-From bc5cee05ee42b7566ed3539546757c3183aa7053 Mon Sep 17 00:00:00 2001
+From 07e7ae0c9a9cac8c16361dc73412867d7a303054 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:41:58 +0300
-Subject: [PATCH 2/7] charon: add optional source and remote overrides for
+Subject: [PATCH 2/5] charon: add optional source and remote overrides for
  initiate
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -18,23 +18,23 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
  src/charon-cmd/cmd/cmd_connection.c           |  2 +-
  src/charon-nm/nm/nm_service.c                 |  2 +-
- src/libcharon/control/controller.c            | 43 ++++++++++++-
+ src/libcharon/control/controller.c            | 43 +++++++++++++-
  src/libcharon/control/controller.h            |  3 +
  src/libcharon/plugins/stroke/stroke_control.c |  5 +-
  src/libcharon/plugins/vici/vici_config.c      |  2 +-
- src/libcharon/plugins/vici/vici_control.c     | 63 ++++++++++++++++---
+ src/libcharon/plugins/vici/vici_control.c     | 59 +++++++++++++++++--
  .../processing/jobs/start_action_job.c        |  2 +-
- src/libcharon/sa/ike_sa_manager.c             | 51 ++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.c             | 51 +++++++++++++++-
  src/libcharon/sa/ike_sa_manager.h             |  8 ++-
- src/libcharon/sa/trap_manager.c               | 45 ++++++-------
+ src/libcharon/sa/trap_manager.c               | 45 ++++++--------
- src/swanctl/commands/initiate.c               | 40 +++++++++++-
+ src/swanctl/commands/initiate.c               | 40 ++++++++++++-
- 12 files changed, 218 insertions(+), 48 deletions(-)
+ 12 files changed, 217 insertions(+), 45 deletions(-)
 
 diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 1cf431ff2..ae406393f 100644
+index 0481d78d4..805d6f198 100644
 --- a/src/charon-cmd/cmd/cmd_connection.c
 +++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -436,7 +436,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
+@@ -438,7 +438,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
  	child_cfg = create_child_cfg(this, peer_cfg);
  
  	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
@@ -44,10 +44,10 @@ index 1cf431ff2..ae406393f 100644
  		terminate(pid);
  	}
 diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
-index fb9044d29..b47a0c7f5 100644
+index 83fcaf898..187953b29 100644
 --- a/src/charon-nm/nm/nm_service.c
 +++ b/src/charon-nm/nm/nm_service.c
-@@ -622,7 +622,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
+@@ -864,7 +864,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
  	 * Prepare IKE_SA
  	 */
  	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
@@ -57,7 +57,7 @@ index fb9044d29..b47a0c7f5 100644
  	{
  		peer_cfg->destroy(peer_cfg);
 diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 589c536d2..037e6a72d 100644
+index 0c86275e2..baa83f440 100644
 --- a/src/libcharon/control/controller.c
 +++ b/src/libcharon/control/controller.c
 @@ -15,6 +15,28 @@
@@ -106,7 +106,7 @@ index 589c536d2..037e6a72d 100644
  	/**
  	 * unique ID, used for various methods
  	 */
-@@ -409,9 +441,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -414,9 +446,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  	ike_sa_t *ike_sa;
  	interface_listener_t *listener = &job->listener;
  	peer_cfg_t *peer_cfg = listener->peer_cfg;
@@ -121,8 +121,8 @@ index 589c536d2..037e6a72d 100644
 +
  	if (!ike_sa)
  	{
- 		listener->child_cfg->destroy(listener->child_cfg);
+ 		DESTROY_IF(listener->child_cfg);
-@@ -420,6 +457,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -425,6 +462,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  		listener_done(listener);
  		return JOB_REQUEUE_NONE;
  	}
@@ -130,7 +130,7 @@ index 589c536d2..037e6a72d 100644
  	listener->lock->lock(listener->lock);
  	listener->ike_sa = ike_sa;
  	listener->lock->unlock(listener->lock);
-@@ -492,6 +530,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -497,6 +535,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  
  METHOD(controller_t, initiate, status_t,
  	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
@@ -138,7 +138,7 @@ index 589c536d2..037e6a72d 100644
  	controller_cb_t callback, void *param, u_int timeout, bool limits)
  {
  	interface_job_t *job;
-@@ -514,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
+@@ -519,6 +558,8 @@ METHOD(controller_t, initiate, status_t,
  			.status = FAILED,
  			.child_cfg = child_cfg,
  			.peer_cfg = peer_cfg,
@@ -148,13 +148,13 @@ index 589c536d2..037e6a72d 100644
  			.options.limits = limits,
  		},
 diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index af9baca01..02f17a8e3 100644
+index b4ccfced2..9945b78ad 100644
 --- a/src/libcharon/control/controller.h
 +++ b/src/libcharon/control/controller.h
 @@ -79,6 +79,8 @@ struct controller_t {
  	 *
  	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
- 	 * @param child_cfg		child_cfg to set up CHILD_SA from
+ 	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
 +	 * @param my_host		optional address hint for source
 +	 * @param other_host	optional address hint for destination
  	 * @param cb			logging callback
@@ -192,10 +192,10 @@ index 8d84b934e..b00d0e62d 100644
  		switch (status)
  		{
 diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index ace7a4528..f0fd8a989 100644
+index 2a4d58eab..0e9d24d11 100644
 --- a/src/libcharon/plugins/vici/vici_config.c
 +++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -2057,7 +2057,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+@@ -2149,7 +2149,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
  			DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
  			charon->controller->initiate(charon->controller,
  					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
@@ -205,7 +205,7 @@ index ace7a4528..f0fd8a989 100644
  		case ACTION_ROUTE:
  			DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 16e49fdbc..9c6b86741 100644
+index 4c09b578d..1e8e788c3 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
 @@ -16,6 +16,28 @@
@@ -237,33 +237,29 @@ index 16e49fdbc..9c6b86741 100644
  #include "vici_control.h"
  #include "vici_builder.h"
  
-@@ -169,9 +191,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
+@@ -177,6 +199,9 @@ CALLBACK(initiate, vici_message_t*,
- CALLBACK(initiate, vici_message_t*,
+ 	peer_cfg_t *peer_cfg = NULL;
- 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+ 	child_cfg_t *child_cfg;
- {
+ 	char *child, *ike, *type, *sa;
++	char *my_host_str, *other_host_str;
 +	vici_message_t* msg;
- 	child_cfg_t *child_cfg = NULL;
- 	peer_cfg_t *peer_cfg;
--	char *child, *ike;
 +	host_t *my_host = NULL, *other_host = NULL;
-+	char *child, *ike, *my_host_str, *other_host_str;
  	int timeout;
  	bool limits;
  	controller_cb_t log_cb = NULL;
-@@ -185,6 +209,8 @@ CALLBACK(initiate, vici_message_t*,
+@@ -190,6 +215,8 @@ CALLBACK(initiate, vici_message_t*,
  	timeout = request->get_int(request, 0, "timeout");
  	limits = request->get_bool(request, FALSE, "init-limits");
  	log.level = request->get_int(request, 1, "loglevel");
 +	my_host_str = request->get_str(request, NULL, "my-host");
 +	other_host_str = request->get_str(request, NULL, "other-host");
  
- 	if (!child)
+ 	if (!child && !ike)
  	{
-@@ -195,28 +221,47 @@ CALLBACK(initiate, vici_message_t*,
+@@ -203,6 +230,17 @@ CALLBACK(initiate, vici_message_t*,
- 		log_cb = (controller_cb_t)log_vici;
+ 	type = child ? "CHILD_SA" : "IKE_SA";
- 	}
+ 	sa = child ?: ike;
  
--	DBG1(DBG_CFG, "vici initiate '%s'", child);
 +	if (my_host_str)
 +	{
 +		my_host = host_create_from_string(my_host_str, 0);
@@ -274,13 +270,13 @@ index 16e49fdbc..9c6b86741 100644
 +	}
 +
 +	DBG1(DBG_CFG, "vici initiate '%s', me %H, other %H, limits %d", child, my_host, other_host, limits);
- 
++
  	child_cfg = find_child_cfg(child, ike, &peer_cfg);
- 	if (!child_cfg)
+ 
+ 	DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
+@@ -210,21 +248,30 @@ CALLBACK(initiate, vici_message_t*,
  	{
--		return send_reply(this, "CHILD_SA config '%s' not found", child);
+ 		return send_reply(this, "%s config '%s' not found", type, sa);
-+		msg = send_reply(this, "CHILD_SA config '%s' not found", child);
-+		goto ret;
  	}
 -	switch (charon->controller->initiate(charon->controller, peer_cfg,
 -									child_cfg, log_cb, &log, timeout, limits))
@@ -293,22 +289,22 @@ index 16e49fdbc..9c6b86741 100644
 +			msg = send_reply(this, NULL);
 +			break;
  		case OUT_OF_RES:
--			return send_reply(this, "CHILD_SA '%s' not established after %dms",
+-			return send_reply(this, "%s '%s' not established after %dms", type,
-+			msg = send_reply(this, "CHILD_SA '%s' not established after %dms",
++			msg = send_reply(this, "%s '%s' not established after %dms", type,
- 							  child, timeout);
+ 							  sa, timeout);
 +			break;
  		case INVALID_STATE:
--			return send_reply(this, "establishing CHILD_SA '%s' not possible "
+-			return send_reply(this, "establishing %s '%s' not possible at the "
-+			msg = send_reply(this, "establishing CHILD_SA '%s' not possible "
++			msg = send_reply(this, "establishing %s '%s' not possible at the "
- 							  "at the moment due to limits", child);
+ 							  "moment due to limits", type, sa);
 +			break;
  		case FAILED:
  		default:
--			return send_reply(this, "establishing CHILD_SA '%s' failed", child);
+-			return send_reply(this, "establishing %s '%s' failed", type, sa);
-+			msg = send_reply(this, "establishing CHILD_SA '%s' failed", child);
++			msg = send_reply(this, "establishing %s '%s' failed", type, sa);
 +			break;
  	}
-+ret:
++
 +	if (my_host) my_host->destroy(my_host);
 +	if (other_host) other_host->destroy(other_host);
 +	return msg;
@@ -329,7 +325,7 @@ index 3a0ed879f..e3399007b 100644
  				case ACTION_ROUTE:
  					DBG1(DBG_JOB, "start action: route '%s'", name);
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 8a3178674..ad338b04c 100644
+index 1e0ae42fe..52a18e3c2 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
 @@ -17,6 +17,28 @@
@@ -361,7 +357,7 @@ index 8a3178674..ad338b04c 100644
  #include <string.h>
  #include <inttypes.h>
  
-@@ -1408,7 +1430,8 @@ out:
+@@ -1423,7 +1445,8 @@ out:
  }
  
  METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -371,7 +367,7 @@ index 8a3178674..ad338b04c 100644
  {
  	enumerator_t *enumerator;
  	entry_t *entry;
-@@ -1417,7 +1440,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1432,7 +1455,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  	ike_cfg_t *current_ike;
  	u_int segment;
  
@@ -390,7 +386,7 @@ index 8a3178674..ad338b04c 100644
  
  	if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
  	{
-@@ -1434,6 +1467,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1449,6 +1482,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  				entry->condvar->signal(entry->condvar);
  				continue;
  			}
@@ -407,7 +403,7 @@ index 8a3178674..ad338b04c 100644
  			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
  			if (current_peer && current_peer->equals(current_peer, peer_cfg))
  			{
-@@ -1465,6 +1508,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1480,6 +1523,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  			return NULL;
  		}
  		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
@@ -448,10 +444,10 @@ index efad2e4d6..c43edabbb 100644
  	/**
  	 * Reset initiator SPI.
 diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 148df3923..901a8ba10 100644
+index 2bc531b38..7220ea597 100644
 --- a/src/libcharon/sa/trap_manager.c
 +++ b/src/libcharon/sa/trap_manager.c
-@@ -421,7 +421,7 @@ METHOD(trap_manager_t, acquire, void,
+@@ -432,7 +432,7 @@ METHOD(trap_manager_t, acquire, void,
  	peer_cfg_t *peer;
  	child_cfg_t *child;
  	ike_sa_t *ike_sa;
@@ -460,7 +456,7 @@ index 148df3923..901a8ba10 100644
  	bool wildcard, ignore = FALSE;
  
  	this->lock->read_lock(this->lock);
-@@ -497,36 +497,27 @@ METHOD(trap_manager_t, acquire, void,
+@@ -508,36 +508,27 @@ METHOD(trap_manager_t, acquire, void,
  	this->lock->unlock(this->lock);
  
  	if (wildcard)
@@ -515,7 +511,7 @@ index 148df3923..901a8ba10 100644
  	{
  		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
 diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
-index bf8d2cd79..29d95d85c 100644
+index 8ade8bf41..03b2cb0f4 100644
 --- a/src/swanctl/commands/initiate.c
 +++ b/src/swanctl/commands/initiate.c
 @@ -13,6 +13,28 @@
@@ -587,12 +583,12 @@ index bf8d2cd79..29d95d85c 100644
 @@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg()
  			{"help",		'h', 0, "show usage information"},
  			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
- 			{"ike",			'i', 1, "name of the connection to which the child belongs"},
+ 			{"ike",			'i', 1, "initiate an IKE_SA, or name of child's parent"},
 +			{"source",		'S', 1, "override source address"},
 +			{"remote",		'R', 1, "override remote address"},
  			{"timeout",		't', 1, "timeout in seconds before detaching"},
  			{"raw",			'r', 0, "dump raw response message"},
  			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.24.1
+2.30.2
 

0003-vici-send-certificates-for-ike-sa-events.patch

@@ -1,7 +1,7 @@
-From 0220ba579f8df26f90a1152f115f2a339a755708 Mon Sep 17 00:00:00 2001
+From 42dc827df278ff1304fe7414c68fae756a9863f1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 3/7] vici: send certificates for ike-sa events
+Subject: [PATCH 3/5] vici: send certificates for ike-sa events
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -12,10 +12,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  1 file changed, 41 insertions(+), 7 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index d7b61ca72..f986ef8ab 100644
+index ad07ff12d..e3f6a0d26 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -337,7 +337,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+@@ -379,7 +379,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
   * List details of an IKE_SA
   */
  static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,8 +24,8 @@ index d7b61ca72..f986ef8ab 100644
  {
  	time_t t;
  	ike_sa_id_t *id;
-@@ -345,6 +345,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -388,6 +388,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
- 	proposal_t *proposal;
+ 	uint32_t if_id;
  	uint16_t alg, ks;
  	host_t *host;
 +	auth_cfg_t *auth_cfg;
@@ -33,7 +33,7 @@ index d7b61ca72..f986ef8ab 100644
  
  	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
  	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -354,11 +356,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -397,11 +399,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	b->add_kv(b, "local-host", "%H", host);
  	b->add_kv(b, "local-port", "%d", host->get_port(host));
  	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index d7b61ca72..f986ef8ab 100644
  
  	eap = ike_sa->get_other_eap_id(ike_sa);
  
-@@ -477,7 +511,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -531,7 +565,7 @@ CALLBACK(list_sas, vici_message_t*,
  		b = vici_builder_create();
  		b->begin_section(b, ike_sa->get_name(ike_sa));
  
@@ -86,7 +86,7 @@ index d7b61ca72..f986ef8ab 100644
  
  		b->begin_section(b, "child-sas");
  		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1650,7 +1684,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1717,7 +1751,7 @@ METHOD(listener_t, ike_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index d7b61ca72..f986ef8ab 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1675,10 +1709,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1742,10 +1776,10 @@ METHOD(listener_t, ike_rekey, bool,
  	b = vici_builder_create();
  	b->begin_section(b, old->get_name(old));
  	b->begin_section(b, "old");
@@ -108,7 +108,7 @@ index d7b61ca72..f986ef8ab 100644
  	b->end_section(b);
  	b->end_section(b);
  
-@@ -1708,7 +1742,7 @@ METHOD(listener_t, child_updown, bool,
+@@ -1776,7 +1810,7 @@ METHOD(listener_t, child_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -116,8 +116,8 @@ index d7b61ca72..f986ef8ab 100644
 +	list_ike(this, b, ike_sa, now, up);
  	b->begin_section(b, "child-sas");
  
- 	b->begin_section(b, child_sa->get_name(child_sa));
+ 	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
-@@ -1740,7 +1774,7 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1811,7 +1845,7 @@ METHOD(listener_t, child_rekey, bool,
  	b = vici_builder_create();
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -127,5 +127,5 @@ index d7b61ca72..f986ef8ab 100644
  
  	b->begin_section(b, old->get_name(old));
 -- 
-2.24.1
+2.30.2
 

0004-vici-add-support-for-individual-sa-state-changes.patch

@@ -1,7 +1,7 @@
-From 5ad4fd199b718d8281021a6e31d682872b59a34c Mon Sep 17 00:00:00 2001
+From c4e25fe6bb5338a2c5067ba74808d68183226420 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 4/7] vici: add support for individual sa state changes
+Subject: [PATCH 4/5] vici: add support for individual sa state changes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -14,10 +14,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  1 file changed, 105 insertions(+)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index f986ef8ab..c7b07fca0 100644
+index e3f6a0d26..9968cdd3c 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1650,8 +1650,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1717,8 +1717,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
  	this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
@@ -34,7 +34,7 @@ index f986ef8ab..c7b07fca0 100644
  	manage_command(this, "list-sas", list_sas, reg);
  	manage_command(this, "list-policies", list_policies, reg);
  	manage_command(this, "list-conns", list_conns, reg);
-@@ -1722,6 +1730,45 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1789,6 +1797,45 @@ METHOD(listener_t, ike_rekey, bool,
  	return TRUE;
  }
  
@@ -80,7 +80,7 @@ index f986ef8ab..c7b07fca0 100644
  METHOD(listener_t, child_updown, bool,
  	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
  {
-@@ -1797,6 +1844,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1868,6 +1915,62 @@ METHOD(listener_t, child_rekey, bool,
  	return TRUE;
  }
  
@@ -143,7 +143,7 @@ index f986ef8ab..c7b07fca0 100644
  METHOD(vici_query_t, destroy, void,
  	private_vici_query_t *this)
  {
-@@ -1816,8 +1919,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -1887,8 +1990,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
  			.listener = {
  				.ike_updown = _ike_updown,
  				.ike_rekey = _ike_rekey,
@@ -155,5 +155,5 @@ index f986ef8ab..c7b07fca0 100644
  			.destroy = _destroy,
  		},
 -- 
-2.24.1
+2.30.2
 

0005-vici-add-deprecated-async-parameter.patch

@@ -1,49 +0,0 @@
-From b251c17bfba838ee565a4f4af35b249024e35e77 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Mon, 21 Sep 2015 13:42:15 +0300
-Subject: [PATCH 5/7] vici: add (deprecated) async parameter
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is obsoleted by the new "timeout=-1" option that achieves
-the same. Only for compatibility with old versions of quagga-nhrp.
-
-Signed-off-by: Timo Teräs <timo.teras@iki.fi>
----
- src/libcharon/plugins/vici/vici_control.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 9c6b86741..718d14b3c 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -197,7 +197,7 @@ CALLBACK(initiate, vici_message_t*,
- 	host_t *my_host = NULL, *other_host = NULL;
- 	char *child, *ike, *my_host_str, *other_host_str;
- 	int timeout;
--	bool limits;
-+	bool limits, async;
- 	controller_cb_t log_cb = NULL;
- 	log_info_t log = {
- 		.dispatcher = this->dispatcher,
-@@ -208,6 +208,7 @@ CALLBACK(initiate, vici_message_t*,
- 	ike = request->get_str(request, NULL, "ike");
- 	timeout = request->get_int(request, 0, "timeout");
- 	limits = request->get_bool(request, FALSE, "init-limits");
-+	async = request->get_bool(request, FALSE, "async");
- 	log.level = request->get_int(request, 1, "loglevel");
- 	my_host_str = request->get_str(request, NULL, "my-host");
- 	other_host_str = request->get_str(request, NULL, "other-host");
-@@ -216,7 +217,7 @@ CALLBACK(initiate, vici_message_t*,
- 	{
- 		return send_reply(this, "missing configuration name");
- 	}
--	if (timeout >= 0)
-+	if (timeout >= 0 && !async)
- 	{
- 		log_cb = (controller_cb_t)log_vici;
- 	}
--- 
-2.24.1
-

0005-vyos-terminate-connections-source-dest.patch

@@ -1,7 +1,7 @@
-From 4e0a88132b5e3e99b250d044f4434702cae2abaa Mon Sep 17 00:00:00 2001
+From 2f864ddad4c36726427cd0d4f19b00e226d2b2f9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
 Date: Wed, 22 Jan 2020 13:12:39 +0100
-Subject: [PATCH 7/7] vyos-terminate-connections-source-dest
+Subject: [PATCH 5/5] vyos-terminate-connections-source-dest
 
 ---
  src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
@@ -9,10 +9,10 @@ Subject: [PATCH 7/7] vyos-terminate-connections-source-dest
  2 files changed, 41 insertions(+), 4 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 718d14b3c..39da4a10d 100644
+index 1e8e788c3..914574ac3 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -269,12 +269,13 @@ CALLBACK(terminate, vici_message_t*,
+@@ -278,12 +278,13 @@ CALLBACK(terminate, vici_message_t*,
  	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
  {
  	enumerator_t *enumerator, *isas, *csas;
@@ -27,7 +27,7 @@ index 718d14b3c..39da4a10d 100644
  	array_t *ids;
  	vici_builder_t *builder;
  	controller_cb_t log_cb = NULL;
-@@ -290,12 +291,23 @@ CALLBACK(terminate, vici_message_t*,
+@@ -299,12 +300,23 @@ CALLBACK(terminate, vici_message_t*,
  	force = request->get_bool(request, FALSE, "force");
  	timeout = request->get_int(request, 0, "timeout");
  	log.level = request->get_int(request, 1, "loglevel");
@@ -53,7 +53,7 @@ index 718d14b3c..39da4a10d 100644
  	if (ike_id)
  	{
  		DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
-@@ -358,6 +370,15 @@ CALLBACK(terminate, vici_message_t*,
+@@ -367,6 +379,15 @@ CALLBACK(terminate, vici_message_t*,
  		{
  			array_insert(ids, ARRAY_TAIL, &ike_id);
  		}
@@ -120,5 +120,5 @@ index 2309843b2..37d0bde3f 100644
  			{"child-id",	'C', 1, "terminate by CHILD_SA reqid"},
  			{"ike-id",		'I', 1, "terminate by IKE_SA unique identifier"},
 -- 
-2.24.1
+2.30.2
 

0006-support-gre-key-in-ikev1.patch

@@ -1,507 +0,0 @@
-From b2e130f8ce765d5bd0f12ad16ef2434c820c11b1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
-Date: Mon, 21 Sep 2015 13:42:18 +0300
-Subject: [PATCH 6/7] support gre key in ikev1
-
-this implements gre key negotiation in ikev1 similarly to the
-ipsec-tools patch in alpine.
-
-the from/to port pair is internally used as gre key for gre
-protocol traffic selectors. since from/to pairs 0/0xffff and
-0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
-will not work.
-
-this is not standard compliant, and should probably not be upstreamed
-or used widely, but it is applied for interoperability with alpine
-racoon for the time being.
----
- src/libcharon/encoding/payloads/id_payload.c  | 68 ++++++++++++++-----
- src/libcharon/encoding/payloads/id_payload.h  |  6 +-
- .../kernel_netlink/kernel_netlink_ipsec.c     | 40 ++++++++---
- src/libcharon/plugins/stroke/stroke_config.c  |  5 ++
- src/libcharon/plugins/unity/unity_narrow.c    |  2 +-
- src/libcharon/plugins/vici/vici_config.c      |  9 ++-
- src/libcharon/sa/ikev1/tasks/quick_mode.c     | 16 +++--
- .../selectors/traffic_selector.c              | 33 ++++++++-
- .../selectors/traffic_selector.h              | 31 +++++++++
- 9 files changed, 171 insertions(+), 39 deletions(-)
-
-diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
-index b2f1adbbc..6b44d0cf6 100644
---- a/src/libcharon/encoding/payloads/id_payload.c
-+++ b/src/libcharon/encoding/payloads/id_payload.c
-@@ -245,18 +245,20 @@ METHOD(id_payload_t, get_identification, identification_t*,
-  * Create a traffic selector from an range ID
-  */
- static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
--											 ts_type_t type)
-+											 ts_type_t type,
-+											 uint16_t from_port, uint16_t to_port)
- {
- 	return traffic_selector_create_from_bytes(this->protocol_id, type,
--		chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
--		chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
-+		chunk_create(this->id_data.ptr, this->id_data.len / 2), from_port,
-+		chunk_skip(this->id_data, this->id_data.len / 2), to_port);
- }
- 
- /**
-  * Create a traffic selector from an subnet ID
-  */
- static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
--											  ts_type_t type)
-+											  ts_type_t type,
-+											  uint16_t from_port, uint16_t to_port)
- {
- 	traffic_selector_t *ts;
- 	chunk_t net, netmask;
-@@ -269,7 +271,7 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
- 		netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
- 	}
- 	ts = traffic_selector_create_from_bytes(this->protocol_id, type,
--								net, this->port, netmask, this->port ?: 65535);
-+								net, from_port, netmask, to_port);
- 	chunk_free(&netmask);
- 	return ts;
- }
-@@ -278,51 +280,76 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
-  * Create a traffic selector from an IP ID
-  */
- static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
--										  ts_type_t type)
-+										  ts_type_t type,
-+										  uint16_t from_port, uint16_t to_port)
- {
- 	return traffic_selector_create_from_bytes(this->protocol_id, type,
--				this->id_data, this->port, this->id_data, this->port ?: 65535);
-+				this->id_data, from_port, this->id_data, to_port);
- }
- 
- METHOD(id_payload_t, get_ts, traffic_selector_t*,
--	private_id_payload_t *this)
-+	private_id_payload_t *this, id_payload_t *other_, bool initiator)
- {
-+	private_id_payload_t *other = (private_id_payload_t *) other_;
-+	uint16_t from_port, to_port;
-+
-+	if (other && this->protocol_id == IPPROTO_GRE && other->protocol_id == IPPROTO_GRE)
-+	{
-+		if (initiator)
-+		{
-+			from_port = this->port;
-+			to_port = other->port;
-+		}
-+		else
-+		{
-+			from_port = other->port;
-+			to_port = this->port;
-+		}
-+		if (from_port == 0 && to_port == 0)
-+			to_port = 0xffff;
-+	}
-+	else
-+	{
-+		from_port = this->port;
-+		to_port = this->port ?: 0xffff;
-+	}
-+
- 	switch (this->id_type)
- 	{
- 		case ID_IPV4_ADDR_SUBNET:
- 			if (this->id_data.len == 8)
- 			{
--				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
-+				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV6_ADDR_SUBNET:
- 			if (this->id_data.len == 32)
- 			{
--				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
-+				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV4_ADDR_RANGE:
- 			if (this->id_data.len == 8)
- 			{
--				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
-+				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV6_ADDR_RANGE:
- 			if (this->id_data.len == 32)
- 			{
--				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
-+				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV4_ADDR:
- 			if (this->id_data.len == 4)
- 			{
--				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
-+				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		case ID_IPV6_ADDR:
- 			if (this->id_data.len == 16)
- 			{
--				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
-+				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
- 			}
- 			break;
- 		default:
-@@ -397,7 +424,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
- /*
-  * Described in header.
-  */
--id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
-+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator)
- {
- 	private_id_payload_t *this;
- 	uint8_t mask;
-@@ -460,8 +487,17 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
- 							ts->get_from_address(ts), ts->get_to_address(ts));
- 		net->destroy(net);
- 	}
--	this->port = ts->get_from_port(ts);
- 	this->protocol_id = ts->get_protocol(ts);
-+	if (initiator || this->protocol_id != IPPROTO_GRE)
-+	{
-+		this->port = ts->get_from_port(ts);
-+	}
-+	else
-+	{
-+		this->port = ts->get_to_port(ts);
-+		if (this->port == 0xffff && ts->get_from_port(ts) == 0)
-+			this->port = 0;
-+	}
- 	this->payload_length += this->id_data.len;
- 
- 	return &this->public;
-diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
-index 283780624..fafeca8bc 100644
---- a/src/libcharon/encoding/payloads/id_payload.h
-+++ b/src/libcharon/encoding/payloads/id_payload.h
-@@ -48,11 +48,11 @@ struct id_payload_t {
- 	identification_t *(*get_identification) (id_payload_t *this);
- 
- 	/**
--	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
-+	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity pair.
- 	 *
- 	 * @return				traffic selector, NULL on failure
- 	 */
--	traffic_selector_t* (*get_ts)(id_payload_t *this);
-+	traffic_selector_t* (*get_ts)(id_payload_t *this, id_payload_t *other, bool initiator);
- 
- 	/**
- 	 * Get encoded payload without fixed payload header (used for IKEv1).
-@@ -91,6 +91,6 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
-  * @param ts		traffic selector
-  * @return			PLV1_ID id_paylad_t object.
-  */
--id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
-+id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator);
- 
- #endif /** ID_PAYLOAD_H_ @}*/
-diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index 40fff7e05..0743f7a95 100644
---- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -869,7 +869,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
- 	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
- 	ts2ports(dst, &sel.dport, &sel.dport_mask);
- 	ts2ports(src, &sel.sport, &sel.sport_mask);
--	if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
-+	if (sel.proto == IPPROTO_GRE)
-+	{
-+		sel.sport = htons(src->get_from_port(src));
-+		sel.dport = htons(src->get_to_port(src));
-+		sel.sport_mask = ~0;
-+		sel.dport_mask = ~0;
-+		if (sel.sport == htons(0) && sel.dport == htons(0xffff))
-+		{
-+			sel.sport = sel.dport = sel.sport_mask = sel.dport_mask = 0;
-+		}
-+	}
-+	else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
- 		(sel.dport || sel.sport))
- 	{
- 		/* the kernel expects the ICMP type and code in the source and
-@@ -893,7 +904,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
- {
- 	u_char *addr;
- 	uint8_t prefixlen;
--	uint16_t port = 0;
-+	uint16_t from_port = 0, to_port = 65535;
- 	host_t *host = NULL;
- 
- 	if (src)
-@@ -902,7 +913,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
- 		prefixlen = sel->prefixlen_s;
- 		if (sel->sport_mask)
- 		{
--			port = ntohs(sel->sport);
-+			from_port = to_port = ntohs(sel->sport);
- 		}
- 	}
- 	else
-@@ -911,14 +922,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
- 		prefixlen = sel->prefixlen_d;
- 		if (sel->dport_mask)
- 		{
--			port = ntohs(sel->dport);
-+			from_port = to_port = ntohs(sel->dport);
-+		}
-+	}
-+	if (sel->proto == IPPROTO_GRE)
-+	{
-+		if (sel->sport_mask)
-+		{
-+			from_port = ntohs(sel->sport);
-+			to_port = ntohs(sel->dport);
-+		}
-+		else
-+		{
-+			from_port = 0;
-+			to_port = 0xffff;
- 		}
- 	}
--	if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
-+	else if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
- 	{	/* convert ICMP[v6] message type and code as supplied by the kernel in
- 		 * source and destination ports (both in network order) */
--		port = (sel->sport >> 8) | (sel->dport & 0xff00);
--		port = ntohs(port);
-+		from_port = (sel->sport >> 8) | (sel->dport & 0xff00);
-+		from_port = to_port = ntohs(from_port);
- 	}
- 	/* The Linux 2.6 kernel does not set the selector's family field,
- 	 * so as a kludge we additionally test the prefix length.
-@@ -935,7 +959,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
- 	if (host)
- 	{
- 		return traffic_selector_create_from_subnet(host, prefixlen,
--											sel->proto, port, port ?: 65535);
-+											sel->proto, from_port, to_port);
- 	}
- 	return NULL;
- }
-diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
-index 8cdb5ef48..a81949c09 100644
---- a/src/libcharon/plugins/stroke/stroke_config.c
-+++ b/src/libcharon/plugins/stroke/stroke_config.c
-@@ -936,6 +936,11 @@ static bool parse_protoport(char *token, uint16_t *from_port,
- 		*from_port = 0xffff;
- 		*to_port = 0;
- 	}
-+	else if (*port && *protocol == IPPROTO_GRE)
-+	{
-+		p = strtol(port, &endptr, 0);
-+		traffic_selector_split_grekey(p, from_port, to_port);
-+	}
- 	else if (*port)
- 	{
- 		svc = getservbyname(port, NULL);
-diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
-index afbd6cc7e..911fe70c6 100644
---- a/src/libcharon/plugins/unity/unity_narrow.c
-+++ b/src/libcharon/plugins/unity/unity_narrow.c
-@@ -248,7 +248,7 @@ METHOD(listener_t, message, bool,
- 			if (!first)
- 			{
- 				id_payload = (id_payload_t*)payload;
--				tsr = id_payload->get_ts(id_payload);
-+				tsr = id_payload->get_ts(id_payload, NULL, FALSE);
- 				break;
- 			}
- 			first = FALSE;
-diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index f0fd8a989..9f9dcfa45 100644
---- a/src/libcharon/plugins/vici/vici_config.c
-+++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -691,8 +691,13 @@ CALLBACK(parse_ts, bool,
- 		}
- 		else if (*port && !streq(port, "any"))
- 		{
--			svc = getservbyname(port, NULL);
--			if (svc)
-+			if (proto == IPPROTO_GRE)
-+			{
-+				p = strtol(port, &end, 0);
-+				if (*end) return FALSE;
-+				traffic_selector_split_grekey(p, &from, &to);
-+			}
-+			else if ((svc = getservbyname(port, NULL)) != NULL)
- 			{
- 				from = to = ntohs(svc->s_port);
- 			}
-diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
-index b0a42b8bd..4ef4bf324 100644
---- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
-+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
-@@ -567,9 +567,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
- {
- 	id_payload_t *id_payload;
- 
--	id_payload = id_payload_create_from_ts(this->tsi);
-+	id_payload = id_payload_create_from_ts(this->tsi, TRUE);
- 	message->add_payload(message, &id_payload->payload_interface);
--	id_payload = id_payload_create_from_ts(this->tsr);
-+	id_payload = id_payload_create_from_ts(this->tsr, FALSE);
- 	message->add_payload(message, &id_payload->payload_interface);
- }
- 
-@@ -580,7 +580,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
- {
- 	traffic_selector_t *tsi = NULL, *tsr = NULL;
- 	enumerator_t *enumerator;
--	id_payload_t *id_payload;
-+	id_payload_t *idi = NULL, *idr = NULL;
- 	payload_t *payload;
- 	host_t *hsi, *hsr;
- 	bool first = TRUE;
-@@ -590,20 +590,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
- 	{
- 		if (payload->get_type(payload) == PLV1_ID)
- 		{
--			id_payload = (id_payload_t*)payload;
--
- 			if (first)
- 			{
--				tsi = id_payload->get_ts(id_payload);
-+				idi = (id_payload_t*)payload;
- 				first = FALSE;
- 			}
- 			else
- 			{
--				tsr = id_payload->get_ts(id_payload);
-+				idr = (id_payload_t*)payload;
- 				break;
- 			}
- 		}
- 	}
-+	if (idi && idr) {
-+		tsi = idi->get_ts(idi, idr, TRUE);
-+		tsr = idr->get_ts(idr, idi, FALSE);
-+	}
- 	enumerator->destroy(enumerator);
- 
- 	/* create host2host selectors if ID payloads missing */
-diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
-index cfd2b029d..d01e2ccec 100644
---- a/src/libstrongswan/selectors/traffic_selector.c
-+++ b/src/libstrongswan/selectors/traffic_selector.c
-@@ -198,6 +198,14 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
- 	return print_in_hook(data, "%d", type);
- }
- 
-+/**
-+ * Print GRE key
-+ */
-+static int print_grekey(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
-+{
-+	return print_in_hook(data, "%d", traffic_selector_grekey(from_port, to_port));
-+}
-+
- /**
-  * Described in header.
-  */
-@@ -303,7 +311,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
- 	{
- 		written += print_in_hook(data, "/");
- 
--		if (this->from_port == this->to_port)
-+		if (this->protocol == IPPROTO_GRE)
-+		{
-+			written += print_grekey(data, this->from_port, this->to_port);
-+		}
-+		else if (this->from_port == this->to_port)
- 		{
- 			struct servent *serv;
- 
-@@ -377,7 +389,24 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
- 	/* select protocol, which is not zero */
- 	protocol = max(this->protocol, other->protocol);
- 
--	if ((is_opaque(this) && is_opaque(other)) ||
-+	if (this->protocol == IPPROTO_GRE)
-+	{
-+		if (is_any(this))
-+		{
-+			from_port = other->from_port;
-+			to_port = other->to_port;
-+		}
-+		else if (is_any(other) ||
-+			 (this->from_port == other->from_port &&
-+			  this->to_port == other->to_port))
-+		{
-+			from_port = this->from_port;
-+			to_port = this->to_port;
-+		}
-+		else
-+			return NULL;
-+	}
-+	else if ((is_opaque(this) && is_opaque(other)) ||
- 		(is_opaque(this) && is_any(other)) ||
- 		(is_opaque(other) && is_any(this)))
- 	{
-diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
-index 03f7a6d8c..b27ca4ad1 100644
---- a/src/libstrongswan/selectors/traffic_selector.h
-+++ b/src/libstrongswan/selectors/traffic_selector.h
-@@ -120,6 +120,9 @@ struct traffic_selector_t {
- 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
- 	 * functions to extract them.
- 	 *
-+	 * If the protocol is GRE, the high 16-bits of the 32-bit GRE key is stored
-+	 * in the from port. Use the utility function to merge and split them.
-+	 *
- 	 * @return			port
- 	 */
- 	uint16_t (*get_from_port)(traffic_selector_t *this);
-@@ -134,6 +137,9 @@ struct traffic_selector_t {
- 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
- 	 * functions to extract them.
- 	 *
-+	 * If the protocol is GRE, the low 16-bits of the 32-bit GRE key is stored
-+	 * in the to port. Use the utility function to merge and split them.
-+	 *
- 	 * @return			port
- 	 */
- 	uint16_t (*get_to_port)(traffic_selector_t *this);
-@@ -277,6 +283,31 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
- int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
- 						 void *opts);
- 
-+/**
-+ * Reconstruct the 32-bit GRE KEY in host order from a from/to ports.
-+ *
-+ * @param from_port			port number in host order
-+ * @param to_port			port number in host order
-+ * @return				GRE KEY in host order
-+ */
-+static inline uint32_t traffic_selector_grekey(uint16_t from_port, uint16_t to_port)
-+{
-+	return (from_port << 16) | to_port;
-+}
-+
-+/**
-+ * Split 32-bit GRE KEY in host order to from/to ports.
-+ *
-+ * @param grekey			grekey in host order
-+ * @param from_port			from port in host order
-+ * @param to_port			to port in host order
-+ */
-+static inline void traffic_selector_split_grekey(uint32_t grekey, uint16_t *from_port, uint16_t *to_port)
-+{
-+	*from_port = grekey >> 16;
-+	*to_port = grekey & 0xffff;
-+}
-+
- /**
-  * Create a new traffic selector using human readable params.
-  *
--- 
-2.24.1
-

sources

@@ -1 +1 @@
-SHA512 (strongswan-5.7.2.tar.bz2) = e2169dbbc0c03737e34af90d7bc07e444408c5e2ac1f81764eeccbac8b142b984ce9ed512a89071075a930e0997632267f6912aa5b352eee2edbd551b5a64e7e
+SHA512 (strongswan-5.9.0.tar.bz2) = b982ce7c3e940ad75ab71b02ce3e2813b41c6b098cde5b6f3f3513d095f409fe989ae6e38a31eff51c57423bf452c3610cd5cd8cd7f45ff932581d9859df1821

strongswan-5.8.2-extern-global.patch

@@ -0,0 +1,11 @@
+--- strongswan-5.8.2/src/swanctl/swanctl.h.orig	2020-02-23 00:35:39.051000000 +0200
++++ strongswan-5.8.2/src/swanctl/swanctl.h	2020-02-23 00:35:51.930355656 +0200
+@@ -30,7 +30,7 @@
+ /**
+  * Base directory for credentials and config
+  */
+-char *swanctl_dir;
++extern char *swanctl_dir;
+ 
+ /**
+  * Configuration file for connections, etc.

strongswan-5.8.4-runtime-dir.patch

@@ -0,0 +1,24 @@
+diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
+--- strongswan-5.8.4.orig/init/systemd/strongswan.service.in	2019-08-27 16:26:53.000000000 +0300
++++ strongswan-5.8.4/init/systemd/strongswan.service.in	2020-04-12 12:05:57.383596844 +0300
+@@ -9,6 +9,8 @@
+ ExecReload=@SBINDIR@/swanctl --reload
+ ExecReload=@SBINDIR@/swanctl --load-all --noprompt
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
+--- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in	2019-08-27 16:26:53.000000000 +0300
++++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in	2020-04-12 12:05:51.810559482 +0300
+@@ -6,6 +6,8 @@
+ ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
+ StandardOutput=syslog
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target

strongswan.spec

@@ -1,13 +1,16 @@
 %global _hardened_build 1
 #%%define prerelease dr1
+%global dist .nhrp.4%{?dist}
 
 Name:           strongswan
-Version:        5.7.2
+Version:        5.9.0
-Release:        3.nhrp.2%{?dist}
+Release:        2%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            http://www.strongswan.org/
 Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
+Source1:        tmpfiles-strongswan.conf
+Patch0:         strongswan-5.8.4-runtime-dir.patch
 Patch1:         strongswan-5.6.0-uintptr_t.patch
 Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
 
@@ -15,9 +18,7 @@ Patch10:        0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
 Patch11:        0002-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch12:        0003-vici-send-certificates-for-ike-sa-events.patch
 Patch13:        0004-vici-add-support-for-individual-sa-state-changes.patch
-Patch14:        0005-vici-add-deprecated-async-parameter.patch
+Patch14:        0005-vyos-terminate-connections-source-dest.patch
-Patch15:        0006-support-gre-key-in-ikev1.patch
-Patch16:        0007-vyos-terminate-connections-source-dest.patch
 
 # only needed for pre-release versions
 #BuildRequires:  autoconf automake
@@ -86,6 +87,7 @@ PT-TLS to support TNC over TLS.
 
 %prep
 %setup -q -n %{name}-%{version}%{?prerelease}
+%patch0 -p1
 %patch1 -p1
 %patch3 -p1
 
@@ -94,8 +96,6 @@ PT-TLS to support TNC over TLS.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
-%patch15 -p1
-%patch16 -p1
 
 %build
 # only for snapshots
@@ -111,7 +111,8 @@ PT-TLS to support TNC over TLS.
     --with-ipsecdir=%{_libexecdir}/strongswan \
     --bindir=%{_libexecdir}/strongswan \
     --with-ipseclibdir=%{_libdir}/strongswan \
-    --with-fips-mode=2 \
+    --with-piddir=%{_rundir}/strongswan \
+    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
     --enable-bypass-lan \
     --enable-tss-trousers \
     --enable-nm \
@@ -195,7 +196,6 @@ make %{?_smp_mflags}
 
 %install
 make install DESTDIR=%{buildroot}
-mv %{buildroot}%{_sysconfdir}/strongswan/dbus-1 %{buildroot}%{_sysconfdir}/
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -213,6 +213,8 @@ install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d
 for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
+install -d -m 0700 %{buildroot}%{_rundir}/strongswan
+install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 
 %post
 %systemd_post %{name}.service
@@ -233,7 +235,7 @@ done
 %dir %{_libdir}/strongswan/plugins
 %dir %{_libexecdir}/strongswan
 %{_unitdir}/strongswan.service
-%{_unitdir}/strongswan-swanctl.service
+%{_unitdir}/strongswan-starter.service
 %{_sbindir}/charon-cmd
 %{_sbindir}/charon-systemd
 %{_sbindir}/strongswan
@@ -254,6 +256,8 @@ done
 %{_mandir}/man?/*.gz
 %{_datadir}/strongswan/templates/config/
 %{_datadir}/strongswan/templates/database/
+%attr(0755,root,root) %dir %{_rundir}/strongswan
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -277,10 +281,49 @@ done
 
 %files charon-nm
 %doc COPYING
-%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
+%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
 %changelog
+* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
+- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
+
+* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
+- Resolves: rhbz#1861747 strongswan-5.9.0 is available
+- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
+  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
+- Updated to 5.8.4
+- Patch4 has been applied upstream
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-6
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
+* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
+- Patch to declare a global variable with extern (#1800117)
+
+* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
+- use tmpfile to ensure rundir is present
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
+- Use /run/strongswan as rundir to support strongswans in namespaces
+
+* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
+- Update to 5.8.2 (#1784457)
+- The D-Bus config file moved under datadir
+
+* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
+- Update to 5.8.1 (#1711920)
+- No more separate strongswan-swanctl.service to start out of order (#1775548)
+- Added strongswan-starter.service
+
 * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
@@ -642,10 +685,10 @@ done
 * Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
 - Update to upstream release 5.0.2
 - Created sub package strongswan-tnc-imcvs that provides trusted network
-  connect's IMC and IMV funtionality. Specifically it includes PTS 
+  connect's IMC and IMV funtionality. Specifically it includes PTS
-  based IMC/IMV for TPM based remote attestation and scanner and test 
+  based IMC/IMV for TPM based remote attestation and scanner and test
-  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used 
+  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
-  by any third party TNC Client/Server implementation possessing a 
+  by any third party TNC Client/Server implementation possessing a
   standard IF-IMC/IMV interface.
 
 * Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2

tmpfiles-strongswan.conf

@@ -0,0 +1 @@
+D /run/strongswan 0755 root root -