Bump version

.gitignore

@@ -1,2 +1,3 @@
-/strongswan-5.8.4.tar.bz2
-/strongswan-5.9.0.tar.bz2
+/strongswan-5.7.2.tar.bz2
+/strongswan-5.8.1.tar.bz2
+/strongswan-5.8.2.tar.bz2

0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch

@@ -1,7 +1,7 @@
-From ffc2fc151cf78204bd482340dee7c5e7d0c24e51 Mon Sep 17 00:00:00 2001
+From 27de580084d02f6ef92c048ea60a3861fba03e4b Mon Sep 17 00:00:00 2001
 From: Tobias Brunner <tobias@strongswan.org>
 Date: Fri, 17 Jul 2015 11:53:58 +0200
-Subject: [PATCH 1/5] ike: Adhere to IKE_SA limit when checking out by config
+Subject: [PATCH 1/7] ike: Adhere to IKE_SA limit when checking out by config
 
 This prevents new SAs from getting created if we hit the global IKE_SA
 limit (we still allow checkout_new(), which is used for rekeying).
@@ -10,7 +10,7 @@ limit (we still allow checkout_new(), which is used for rekeying).
  1 file changed, 37 insertions(+), 34 deletions(-)
 
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index f95ff19af..1e0ae42fe 100644
+index 1de410d6c..440894e9b 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
 @@ -1434,48 +1434,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -100,5 +100,5 @@ index f95ff19af..1e0ae42fe 100644
  	}
  	charon->bus->set_sa(charon->bus, ike_sa);
 -- 
-2.30.2
+2.24.1
 

0002-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -1,7 +1,7 @@
-From 07e7ae0c9a9cac8c16361dc73412867d7a303054 Mon Sep 17 00:00:00 2001
+From 59aad0f83614fb7ade337e853947b4f43b3e9ef3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:41:58 +0300
-Subject: [PATCH 2/5] charon: add optional source and remote overrides for
+Subject: [PATCH 2/7] charon: add optional source and remote overrides for
  initiate
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -31,10 +31,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  12 files changed, 217 insertions(+), 45 deletions(-)
 
 diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 0481d78d4..805d6f198 100644
+index b91c89830..55f8d224f 100644
 --- a/src/charon-cmd/cmd/cmd_connection.c
 +++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -438,7 +438,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
+@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
  	child_cfg = create_child_cfg(this, peer_cfg);
  
  	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
@@ -44,10 +44,10 @@ index 0481d78d4..805d6f198 100644
  		terminate(pid);
  	}
 diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
-index 83fcaf898..187953b29 100644
+index 1b07230fd..e4379e612 100644
 --- a/src/charon-nm/nm/nm_service.c
 +++ b/src/charon-nm/nm/nm_service.c
-@@ -864,7 +864,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
+@@ -735,7 +735,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
  	 * Prepare IKE_SA
  	 */
  	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
@@ -192,10 +192,10 @@ index 8d84b934e..b00d0e62d 100644
  		switch (status)
  		{
 diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index 2a4d58eab..0e9d24d11 100644
+index eb679290d..81f2970ae 100644
 --- a/src/libcharon/plugins/vici/vici_config.c
 +++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -2149,7 +2149,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+@@ -2136,7 +2136,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
  			DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
  			charon->controller->initiate(charon->controller,
  					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
@@ -325,7 +325,7 @@ index 3a0ed879f..e3399007b 100644
  				case ACTION_ROUTE:
  					DBG1(DBG_JOB, "start action: route '%s'", name);
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 1e0ae42fe..52a18e3c2 100644
+index 440894e9b..493599413 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
 @@ -17,6 +17,28 @@
@@ -590,5 +590,5 @@ index 8ade8bf41..03b2cb0f4 100644
  			{"raw",			'r', 0, "dump raw response message"},
  			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.30.2
+2.24.1
 

0003-vici-send-certificates-for-ike-sa-events.patch

@@ -1,7 +1,7 @@
-From 42dc827df278ff1304fe7414c68fae756a9863f1 Mon Sep 17 00:00:00 2001
+From 871c5f7158b13d847156ced924a82c8ef25a9b28 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 3/5] vici: send certificates for ike-sa events
+Subject: [PATCH 3/7] vici: send certificates for ike-sa events
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -127,5 +127,5 @@ index ad07ff12d..e3f6a0d26 100644
  
  	b->begin_section(b, old->get_name(old));
 -- 
-2.30.2
+2.24.1
 

0004-vici-add-support-for-individual-sa-state-changes.patch

@@ -1,7 +1,7 @@
-From c4e25fe6bb5338a2c5067ba74808d68183226420 Mon Sep 17 00:00:00 2001
+From 50501301f9b4749916778082a176d9932ea8b32b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 4/5] vici: add support for individual sa state changes
+Subject: [PATCH 4/7] vici: add support for individual sa state changes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -155,5 +155,5 @@ index e3f6a0d26..9968cdd3c 100644
  			.destroy = _destroy,
  		},
 -- 
-2.30.2
+2.24.1
 

0005-vici-add-deprecated-async-parameter.patch

@@ -0,0 +1,49 @@
+From c48f8ff36eca91f652ae3bdd88b93a7a2b879d54 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:15 +0300
+Subject: [PATCH 5/7] vici: add (deprecated) async parameter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is obsoleted by the new "timeout=-1" option that achieves
+the same. Only for compatibility with old versions of quagga-nhrp.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ src/libcharon/plugins/vici/vici_control.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
+index 1e8e788c3..12ef92334 100644
+--- a/src/libcharon/plugins/vici/vici_control.c
++++ b/src/libcharon/plugins/vici/vici_control.c
+@@ -203,7 +203,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	vici_message_t* msg;
+ 	host_t *my_host = NULL, *other_host = NULL;
+ 	int timeout;
+-	bool limits;
++	bool limits, async;
+ 	controller_cb_t log_cb = NULL;
+ 	log_info_t log = {
+ 		.dispatcher = this->dispatcher,
+@@ -214,6 +214,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	ike = request->get_str(request, NULL, "ike");
+ 	timeout = request->get_int(request, 0, "timeout");
+ 	limits = request->get_bool(request, FALSE, "init-limits");
++	async = request->get_bool(request, FALSE, "async");
+ 	log.level = request->get_int(request, 1, "loglevel");
+ 	my_host_str = request->get_str(request, NULL, "my-host");
+ 	other_host_str = request->get_str(request, NULL, "other-host");
+@@ -222,7 +223,7 @@ CALLBACK(initiate, vici_message_t*,
+ 	{
+ 		return send_reply(this, "missing configuration name");
+ 	}
+-	if (timeout >= 0)
++	if (timeout >= 0 && !async)
+ 	{
+ 		log_cb = (controller_cb_t)log_vici;
+ 	}
+-- 
+2.24.1
+

0006-support-gre-key-in-ikev1.patch

@@ -0,0 +1,507 @@
+From 3385fb7d3fd2dff73f22d2e51c9e7454b723f2ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Mon, 21 Sep 2015 13:42:18 +0300
+Subject: [PATCH 6/7] support gre key in ikev1
+
+this implements gre key negotiation in ikev1 similarly to the
+ipsec-tools patch in alpine.
+
+the from/to port pair is internally used as gre key for gre
+protocol traffic selectors. since from/to pairs 0/0xffff and
+0xffff/0 have special meaning, the gre keys 0xffff and 0xffff0000
+will not work.
+
+this is not standard compliant, and should probably not be upstreamed
+or used widely, but it is applied for interoperability with alpine
+racoon for the time being.
+---
+ src/libcharon/encoding/payloads/id_payload.c  | 68 ++++++++++++++-----
+ src/libcharon/encoding/payloads/id_payload.h  |  6 +-
+ .../kernel_netlink/kernel_netlink_ipsec.c     | 40 ++++++++---
+ src/libcharon/plugins/stroke/stroke_config.c  |  5 ++
+ src/libcharon/plugins/unity/unity_narrow.c    |  2 +-
+ src/libcharon/plugins/vici/vici_config.c      |  9 ++-
+ src/libcharon/sa/ikev1/tasks/quick_mode.c     | 16 +++--
+ .../selectors/traffic_selector.c              | 33 ++++++++-
+ .../selectors/traffic_selector.h              | 31 +++++++++
+ 9 files changed, 171 insertions(+), 39 deletions(-)
+
+diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
+index b2f1adbbc..6b44d0cf6 100644
+--- a/src/libcharon/encoding/payloads/id_payload.c
++++ b/src/libcharon/encoding/payloads/id_payload.c
+@@ -245,18 +245,20 @@ METHOD(id_payload_t, get_identification, identification_t*,
+  * Create a traffic selector from an range ID
+  */
+ static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
+-											 ts_type_t type)
++											 ts_type_t type,
++											 uint16_t from_port, uint16_t to_port)
+ {
+ 	return traffic_selector_create_from_bytes(this->protocol_id, type,
+-		chunk_create(this->id_data.ptr, this->id_data.len / 2), this->port,
+-		chunk_skip(this->id_data, this->id_data.len / 2), this->port ?: 65535);
++		chunk_create(this->id_data.ptr, this->id_data.len / 2), from_port,
++		chunk_skip(this->id_data, this->id_data.len / 2), to_port);
+ }
+ 
+ /**
+  * Create a traffic selector from an subnet ID
+  */
+ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+-											  ts_type_t type)
++											  ts_type_t type,
++											  uint16_t from_port, uint16_t to_port)
+ {
+ 	traffic_selector_t *ts;
+ 	chunk_t net, netmask;
+@@ -269,7 +271,7 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+ 		netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
+ 	}
+ 	ts = traffic_selector_create_from_bytes(this->protocol_id, type,
+-								net, this->port, netmask, this->port ?: 65535);
++								net, from_port, netmask, to_port);
+ 	chunk_free(&netmask);
+ 	return ts;
+ }
+@@ -278,51 +280,76 @@ static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
+  * Create a traffic selector from an IP ID
+  */
+ static traffic_selector_t *get_ts_from_ip(private_id_payload_t *this,
+-										  ts_type_t type)
++										  ts_type_t type,
++										  uint16_t from_port, uint16_t to_port)
+ {
+ 	return traffic_selector_create_from_bytes(this->protocol_id, type,
+-				this->id_data, this->port, this->id_data, this->port ?: 65535);
++				this->id_data, from_port, this->id_data, to_port);
+ }
+ 
+ METHOD(id_payload_t, get_ts, traffic_selector_t*,
+-	private_id_payload_t *this)
++	private_id_payload_t *this, id_payload_t *other_, bool initiator)
+ {
++	private_id_payload_t *other = (private_id_payload_t *) other_;
++	uint16_t from_port, to_port;
++
++	if (other && this->protocol_id == IPPROTO_GRE && other->protocol_id == IPPROTO_GRE)
++	{
++		if (initiator)
++		{
++			from_port = this->port;
++			to_port = other->port;
++		}
++		else
++		{
++			from_port = other->port;
++			to_port = this->port;
++		}
++		if (from_port == 0 && to_port == 0)
++			to_port = 0xffff;
++	}
++	else
++	{
++		from_port = this->port;
++		to_port = this->port ?: 0xffff;
++	}
++
+ 	switch (this->id_type)
+ 	{
+ 		case ID_IPV4_ADDR_SUBNET:
+ 			if (this->id_data.len == 8)
+ 			{
+-				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE);
++				return get_ts_from_subnet(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR_SUBNET:
+ 			if (this->id_data.len == 32)
+ 			{
+-				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE);
++				return get_ts_from_subnet(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV4_ADDR_RANGE:
+ 			if (this->id_data.len == 8)
+ 			{
+-				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE);
++				return get_ts_from_range(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR_RANGE:
+ 			if (this->id_data.len == 32)
+ 			{
+-				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE);
++				return get_ts_from_range(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV4_ADDR:
+ 			if (this->id_data.len == 4)
+ 			{
+-				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE);
++				return get_ts_from_ip(this, TS_IPV4_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		case ID_IPV6_ADDR:
+ 			if (this->id_data.len == 16)
+ 			{
+-				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE);
++				return get_ts_from_ip(this, TS_IPV6_ADDR_RANGE, from_port, to_port);
+ 			}
+ 			break;
+ 		default:
+@@ -397,7 +424,7 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
+ /*
+  * Described in header.
+  */
+-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
++id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator)
+ {
+ 	private_id_payload_t *this;
+ 	uint8_t mask;
+@@ -460,8 +487,17 @@ id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts)
+ 							ts->get_from_address(ts), ts->get_to_address(ts));
+ 		net->destroy(net);
+ 	}
+-	this->port = ts->get_from_port(ts);
+ 	this->protocol_id = ts->get_protocol(ts);
++	if (initiator || this->protocol_id != IPPROTO_GRE)
++	{
++		this->port = ts->get_from_port(ts);
++	}
++	else
++	{
++		this->port = ts->get_to_port(ts);
++		if (this->port == 0xffff && ts->get_from_port(ts) == 0)
++			this->port = 0;
++	}
+ 	this->payload_length += this->id_data.len;
+ 
+ 	return &this->public;
+diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h
+index 283780624..fafeca8bc 100644
+--- a/src/libcharon/encoding/payloads/id_payload.h
++++ b/src/libcharon/encoding/payloads/id_payload.h
+@@ -48,11 +48,11 @@ struct id_payload_t {
+ 	identification_t *(*get_identification) (id_payload_t *this);
+ 
+ 	/**
+-	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity.
++	 * Creates a traffic selector form a ID_ADDR_SUBNET/RANGE identity pair.
+ 	 *
+ 	 * @return				traffic selector, NULL on failure
+ 	 */
+-	traffic_selector_t* (*get_ts)(id_payload_t *this);
++	traffic_selector_t* (*get_ts)(id_payload_t *this, id_payload_t *other, bool initiator);
+ 
+ 	/**
+ 	 * Get encoded payload without fixed payload header (used for IKEv1).
+@@ -91,6 +91,6 @@ id_payload_t *id_payload_create_from_identification(payload_type_t type,
+  * @param ts		traffic selector
+  * @return			PLV1_ID id_paylad_t object.
+  */
+-id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts);
++id_payload_t *id_payload_create_from_ts(traffic_selector_t *ts, bool initiator);
+ 
+ #endif /** ID_PAYLOAD_H_ @}*/
+diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index 327854ff4..2b204c273 100644
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -863,7 +863,18 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ 	ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
+ 	ts2ports(dst, &sel.dport, &sel.dport_mask);
+ 	ts2ports(src, &sel.sport, &sel.sport_mask);
+-	if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
++	if (sel.proto == IPPROTO_GRE)
++	{
++		sel.sport = htons(src->get_from_port(src));
++		sel.dport = htons(src->get_to_port(src));
++		sel.sport_mask = ~0;
++		sel.dport_mask = ~0;
++		if (sel.sport == htons(0) && sel.dport == htons(0xffff))
++		{
++			sel.sport = sel.dport = sel.sport_mask = sel.dport_mask = 0;
++		}
++	}
++	else if ((sel.proto == IPPROTO_ICMP || sel.proto == IPPROTO_ICMPV6) &&
+ 		(sel.dport || sel.sport))
+ 	{
+ 		/* the kernel expects the ICMP type and code in the source and
+@@ -887,7 +898,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ {
+ 	u_char *addr;
+ 	uint8_t prefixlen;
+-	uint16_t port = 0;
++	uint16_t from_port = 0, to_port = 65535;
+ 	host_t *host = NULL;
+ 
+ 	if (src)
+@@ -896,7 +907,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 		prefixlen = sel->prefixlen_s;
+ 		if (sel->sport_mask)
+ 		{
+-			port = ntohs(sel->sport);
++			from_port = to_port = ntohs(sel->sport);
+ 		}
+ 	}
+ 	else
+@@ -905,14 +916,27 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 		prefixlen = sel->prefixlen_d;
+ 		if (sel->dport_mask)
+ 		{
+-			port = ntohs(sel->dport);
++			from_port = to_port = ntohs(sel->dport);
++		}
++	}
++	if (sel->proto == IPPROTO_GRE)
++	{
++		if (sel->sport_mask)
++		{
++			from_port = ntohs(sel->sport);
++			to_port = ntohs(sel->dport);
++		}
++		else
++		{
++			from_port = 0;
++			to_port = 0xffff;
+ 		}
+ 	}
+-	if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
++	else if (sel->proto == IPPROTO_ICMP || sel->proto == IPPROTO_ICMPV6)
+ 	{	/* convert ICMP[v6] message type and code as supplied by the kernel in
+ 		 * source and destination ports (both in network order) */
+-		port = (sel->sport >> 8) | (sel->dport & 0xff00);
+-		port = ntohs(port);
++		from_port = (sel->sport >> 8) | (sel->dport & 0xff00);
++		from_port = to_port = ntohs(from_port);
+ 	}
+ 	/* The Linux 2.6 kernel does not set the selector's family field,
+ 	 * so as a kludge we additionally test the prefix length.
+@@ -929,7 +953,7 @@ static traffic_selector_t* selector2ts(struct xfrm_selector *sel, bool src)
+ 	if (host)
+ 	{
+ 		return traffic_selector_create_from_subnet(host, prefixlen,
+-											sel->proto, port, port ?: 65535);
++											sel->proto, from_port, to_port);
+ 	}
+ 	return NULL;
+ }
+diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
+index fe5c1a542..775fa0565 100644
+--- a/src/libcharon/plugins/stroke/stroke_config.c
++++ b/src/libcharon/plugins/stroke/stroke_config.c
+@@ -936,6 +936,11 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+ 		*from_port = 0xffff;
+ 		*to_port = 0;
+ 	}
++	else if (*port && *protocol == IPPROTO_GRE)
++	{
++		p = strtol(port, &endptr, 0);
++		traffic_selector_split_grekey(p, from_port, to_port);
++	}
+ 	else if (*port)
+ 	{
+ 		svc = getservbyname(port, NULL);
+diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
+index afbd6cc7e..911fe70c6 100644
+--- a/src/libcharon/plugins/unity/unity_narrow.c
++++ b/src/libcharon/plugins/unity/unity_narrow.c
+@@ -248,7 +248,7 @@ METHOD(listener_t, message, bool,
+ 			if (!first)
+ 			{
+ 				id_payload = (id_payload_t*)payload;
+-				tsr = id_payload->get_ts(id_payload);
++				tsr = id_payload->get_ts(id_payload, NULL, FALSE);
+ 				break;
+ 			}
+ 			first = FALSE;
+diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
+index 81f2970ae..92ab77a00 100644
+--- a/src/libcharon/plugins/vici/vici_config.c
++++ b/src/libcharon/plugins/vici/vici_config.c
+@@ -709,8 +709,13 @@ CALLBACK(parse_ts, bool,
+ 		}
+ 		else if (*port && !streq(port, "any"))
+ 		{
+-			svc = getservbyname(port, NULL);
+-			if (svc)
++			if (proto == IPPROTO_GRE)
++			{
++				p = strtol(port, &end, 0);
++				if (*end) return FALSE;
++				traffic_selector_split_grekey(p, &from, &to);
++			}
++			else if ((svc = getservbyname(port, NULL)) != NULL)
+ 			{
+ 				from = to = ntohs(svc->s_port);
+ 			}
+diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
+index 9ded2dd53..8a5351001 100644
+--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
++++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
+@@ -552,9 +552,9 @@ static void add_ts(private_quick_mode_t *this, message_t *message)
+ {
+ 	id_payload_t *id_payload;
+ 
+-	id_payload = id_payload_create_from_ts(this->tsi);
++	id_payload = id_payload_create_from_ts(this->tsi, TRUE);
+ 	message->add_payload(message, &id_payload->payload_interface);
+-	id_payload = id_payload_create_from_ts(this->tsr);
++	id_payload = id_payload_create_from_ts(this->tsr, FALSE);
+ 	message->add_payload(message, &id_payload->payload_interface);
+ }
+ 
+@@ -565,7 +565,7 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+ {
+ 	traffic_selector_t *tsi = NULL, *tsr = NULL;
+ 	enumerator_t *enumerator;
+-	id_payload_t *id_payload;
++	id_payload_t *idi = NULL, *idr = NULL;
+ 	payload_t *payload;
+ 	host_t *hsi, *hsr;
+ 	bool first = TRUE;
+@@ -575,20 +575,22 @@ static bool get_ts(private_quick_mode_t *this, message_t *message)
+ 	{
+ 		if (payload->get_type(payload) == PLV1_ID)
+ 		{
+-			id_payload = (id_payload_t*)payload;
+-
+ 			if (first)
+ 			{
+-				tsi = id_payload->get_ts(id_payload);
++				idi = (id_payload_t*)payload;
+ 				first = FALSE;
+ 			}
+ 			else
+ 			{
+-				tsr = id_payload->get_ts(id_payload);
++				idr = (id_payload_t*)payload;
+ 				break;
+ 			}
+ 		}
+ 	}
++	if (idi && idr) {
++		tsi = idi->get_ts(idi, idr, TRUE);
++		tsr = idr->get_ts(idr, idi, FALSE);
++	}
+ 	enumerator->destroy(enumerator);
+ 
+ 	/* create host2host selectors if ID payloads missing */
+diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
+index cfd2b029d..d01e2ccec 100644
+--- a/src/libstrongswan/selectors/traffic_selector.c
++++ b/src/libstrongswan/selectors/traffic_selector.c
+@@ -198,6 +198,14 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
+ 	return print_in_hook(data, "%d", type);
+ }
+ 
++/**
++ * Print GRE key
++ */
++static int print_grekey(printf_hook_data_t *data, uint16_t from_port, uint16_t to_port)
++{
++	return print_in_hook(data, "%d", traffic_selector_grekey(from_port, to_port));
++}
++
+ /**
+  * Described in header.
+  */
+@@ -303,7 +311,11 @@ int traffic_selector_printf_hook(printf_hook_data_t *data,
+ 	{
+ 		written += print_in_hook(data, "/");
+ 
+-		if (this->from_port == this->to_port)
++		if (this->protocol == IPPROTO_GRE)
++		{
++			written += print_grekey(data, this->from_port, this->to_port);
++		}
++		else if (this->from_port == this->to_port)
+ 		{
+ 			struct servent *serv;
+ 
+@@ -377,7 +389,24 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
+ 	/* select protocol, which is not zero */
+ 	protocol = max(this->protocol, other->protocol);
+ 
+-	if ((is_opaque(this) && is_opaque(other)) ||
++	if (this->protocol == IPPROTO_GRE)
++	{
++		if (is_any(this))
++		{
++			from_port = other->from_port;
++			to_port = other->to_port;
++		}
++		else if (is_any(other) ||
++			 (this->from_port == other->from_port &&
++			  this->to_port == other->to_port))
++		{
++			from_port = this->from_port;
++			to_port = this->to_port;
++		}
++		else
++			return NULL;
++	}
++	else if ((is_opaque(this) && is_opaque(other)) ||
+ 		(is_opaque(this) && is_any(other)) ||
+ 		(is_opaque(other) && is_any(this)))
+ 	{
+diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
+index 03f7a6d8c..b27ca4ad1 100644
+--- a/src/libstrongswan/selectors/traffic_selector.h
++++ b/src/libstrongswan/selectors/traffic_selector.h
+@@ -120,6 +120,9 @@ struct traffic_selector_t {
+ 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
+ 	 * functions to extract them.
+ 	 *
++	 * If the protocol is GRE, the high 16-bits of the 32-bit GRE key is stored
++	 * in the from port. Use the utility function to merge and split them.
++	 *
+ 	 * @return			port
+ 	 */
+ 	uint16_t (*get_from_port)(traffic_selector_t *this);
+@@ -134,6 +137,9 @@ struct traffic_selector_t {
+ 	 * 8 bits and the code in the least significant 8 bits.  Use the utility
+ 	 * functions to extract them.
+ 	 *
++	 * If the protocol is GRE, the low 16-bits of the 32-bit GRE key is stored
++	 * in the to port. Use the utility function to merge and split them.
++	 *
+ 	 * @return			port
+ 	 */
+ 	uint16_t (*get_to_port)(traffic_selector_t *this);
+@@ -277,6 +283,31 @@ static inline uint8_t traffic_selector_icmp_code(uint16_t port)
+ int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
+ 						 void *opts);
+ 
++/**
++ * Reconstruct the 32-bit GRE KEY in host order from a from/to ports.
++ *
++ * @param from_port			port number in host order
++ * @param to_port			port number in host order
++ * @return				GRE KEY in host order
++ */
++static inline uint32_t traffic_selector_grekey(uint16_t from_port, uint16_t to_port)
++{
++	return (from_port << 16) | to_port;
++}
++
++/**
++ * Split 32-bit GRE KEY in host order to from/to ports.
++ *
++ * @param grekey			grekey in host order
++ * @param from_port			from port in host order
++ * @param to_port			to port in host order
++ */
++static inline void traffic_selector_split_grekey(uint32_t grekey, uint16_t *from_port, uint16_t *to_port)
++{
++	*from_port = grekey >> 16;
++	*to_port = grekey & 0xffff;
++}
++
+ /**
+  * Create a new traffic selector using human readable params.
+  *
+-- 
+2.24.1
+

0007-vyos-terminate-connections-source-dest.patch

@@ -1,7 +1,7 @@
-From 2f864ddad4c36726427cd0d4f19b00e226d2b2f9 Mon Sep 17 00:00:00 2001
+From a73ae5cce094eaab9ac01482fbea320bfa4eed16 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
 Date: Wed, 22 Jan 2020 13:12:39 +0100
-Subject: [PATCH 5/5] vyos-terminate-connections-source-dest
+Subject: [PATCH 7/7] vyos-terminate-connections-source-dest
 
 ---
  src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
@@ -9,10 +9,10 @@ Subject: [PATCH 5/5] vyos-terminate-connections-source-dest
  2 files changed, 41 insertions(+), 4 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 1e8e788c3..914574ac3 100644
+index 12ef92334..d9cf1add5 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -278,12 +278,13 @@ CALLBACK(terminate, vici_message_t*,
+@@ -279,12 +279,13 @@ CALLBACK(terminate, vici_message_t*,
  	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
  {
  	enumerator_t *enumerator, *isas, *csas;
@@ -27,7 +27,7 @@ index 1e8e788c3..914574ac3 100644
  	array_t *ids;
  	vici_builder_t *builder;
  	controller_cb_t log_cb = NULL;
-@@ -299,12 +300,23 @@ CALLBACK(terminate, vici_message_t*,
+@@ -300,12 +301,23 @@ CALLBACK(terminate, vici_message_t*,
  	force = request->get_bool(request, FALSE, "force");
  	timeout = request->get_int(request, 0, "timeout");
  	log.level = request->get_int(request, 1, "loglevel");
@@ -53,7 +53,7 @@ index 1e8e788c3..914574ac3 100644
  	if (ike_id)
  	{
  		DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
-@@ -367,6 +379,15 @@ CALLBACK(terminate, vici_message_t*,
+@@ -368,6 +380,15 @@ CALLBACK(terminate, vici_message_t*,
  		{
  			array_insert(ids, ARRAY_TAIL, &ike_id);
  		}
@@ -120,5 +120,5 @@ index 2309843b2..37d0bde3f 100644
  			{"child-id",	'C', 1, "terminate by CHILD_SA reqid"},
  			{"ike-id",		'I', 1, "terminate by IKE_SA unique identifier"},
 -- 
-2.30.2
+2.24.1
 

sources

@@ -1 +1 @@
-SHA512 (strongswan-5.9.0.tar.bz2) = b982ce7c3e940ad75ab71b02ce3e2813b41c6b098cde5b6f3f3513d095f409fe989ae6e38a31eff51c57423bf452c3610cd5cd8cd7f45ff932581d9859df1821
+SHA512 (strongswan-5.8.2.tar.bz2) = 423e7924acfe8a03ad7d4359ae9086fd516798fcf5eb948a27b52ea719f4d8954b83ea30ce94191ea1647616611df8a1215cb4d5c7ec48676624df6c41853e1d

strongswan-5.8.2-extern-global.patch

@@ -1,11 +0,0 @@
---- strongswan-5.8.2/src/swanctl/swanctl.h.orig	2020-02-23 00:35:39.051000000 +0200
-+++ strongswan-5.8.2/src/swanctl/swanctl.h	2020-02-23 00:35:51.930355656 +0200
-@@ -30,7 +30,7 @@
- /**
-  * Base directory for credentials and config
-  */
--char *swanctl_dir;
-+extern char *swanctl_dir;
- 
- /**
-  * Configuration file for connections, etc.

strongswan-5.8.4-runtime-dir.patch

@@ -1,24 +0,0 @@
-diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
---- strongswan-5.8.4.orig/init/systemd/strongswan.service.in	2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd/strongswan.service.in	2020-04-12 12:05:57.383596844 +0300
-@@ -9,6 +9,8 @@
- ExecReload=@SBINDIR@/swanctl --reload
- ExecReload=@SBINDIR@/swanctl --load-all --noprompt
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target
-diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
---- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in	2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in	2020-04-12 12:05:51.810559482 +0300
-@@ -6,6 +6,8 @@
- ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
- StandardOutput=syslog
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target

strongswan.spec

@@ -1,16 +1,18 @@
 %global _hardened_build 1
 #%%define prerelease dr1
-%global dist .nhrp.4%{?dist}
+%global dist nhrp.3%{?dist}
 
 Name:           strongswan
-Version:        5.9.0
+Version:        5.8.2
 Release:        2%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            http://www.strongswan.org/
 Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
-Source1:        tmpfiles-strongswan.conf
-Patch0:         strongswan-5.8.4-runtime-dir.patch
+
+# tmpfiles.d configuration for the /run directory
+Source1:        %{name}-tmpfiles.conf
+
 Patch1:         strongswan-5.6.0-uintptr_t.patch
 Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
 
@@ -18,7 +20,9 @@ Patch10:        0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
 Patch11:        0002-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch12:        0003-vici-send-certificates-for-ike-sa-events.patch
 Patch13:        0004-vici-add-support-for-individual-sa-state-changes.patch
-Patch14:        0005-vyos-terminate-connections-source-dest.patch
+Patch14:        0005-vici-add-deprecated-async-parameter.patch
+Patch15:        0006-support-gre-key-in-ikev1.patch
+Patch16:        0007-vyos-terminate-connections-source-dest.patch
 
 # only needed for pre-release versions
 #BuildRequires:  autoconf automake
@@ -87,7 +91,6 @@ PT-TLS to support TNC over TLS.
 
 %prep
 %setup -q -n %{name}-%{version}%{?prerelease}
-%patch0 -p1
 %patch1 -p1
 %patch3 -p1
 
@@ -96,6 +99,8 @@ PT-TLS to support TNC over TLS.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 # only for snapshots
@@ -112,7 +117,7 @@ PT-TLS to support TNC over TLS.
     --bindir=%{_libexecdir}/strongswan \
     --with-ipseclibdir=%{_libdir}/strongswan \
     --with-piddir=%{_rundir}/strongswan \
-    --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
+    --with-fips-mode=2 \
     --enable-bypass-lan \
     --enable-tss-trousers \
     --enable-nm \
@@ -214,7 +219,9 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
-install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 
 %post
 %systemd_post %{name}.service
@@ -257,7 +264,8 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_datadir}/strongswan/templates/config/
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
-%attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
+
+%{_tmpfilesdir}/%{name}.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -285,33 +293,6 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_libexecdir}/strongswan/charon-nm
 
 %changelog
-* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
-- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
-
-* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
-- Resolves: rhbz#1861747 strongswan-5.9.0 is available
-- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
-  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
-- Patch0: Add RuntimeDirectory options to service files (#1789263)
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
-- Updated to 5.8.4
-- Patch4 has been applied upstream
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-6
-- Patch0: Add RuntimeDirectory options to service files (#1789263)
-
-* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
-- Patch to declare a global variable with extern (#1800117)
-
-* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
-- use tmpfile to ensure rundir is present
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
 * Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
 - Use /run/strongswan as rundir to support strongswans in namespaces
 

tmpfiles-strongswan.conf

@@ -1 +0,0 @@
-D /run/strongswan 0755 root root -