Patch vici for NHRP

Key should be tracked by git. It is small and should not change very
often. Ensure signature has trust anchor.

.gitignore

@@ -1,3 +1,11 @@
 /strongswan-5.8.4.tar.bz2
 /strongswan-5.9.0.tar.bz2
 /strongswan-5.9.1.tar.bz2
+/strongswan-5.9.2.tar.bz2
+/strongswan-5.9.3.tar.bz2
+/strongswan-5.9.4.tar.bz2
+/948F158A4E76A27BF3D07532DF42C170B34DBA77
+/strongswan-5.9.5.tar.bz2
+/strongswan-5.9.5.tar.bz2.sig
+/strongswan-5.9.6.tar.bz2
+/strongswan-5.9.6.tar.bz2.sig

0001-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -1,7 +1,7 @@
-From a83557d6cef7334b95d8f9be2a2d7af319010497 Mon Sep 17 00:00:00 2001
+From 84b1ee5c075b731618ff342ba4df94c3f9f2eaef Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:41:58 +0300
-Subject: [PATCH 1/4] charon: add optional source and remote overrides for
+Subject: [PATCH 1/3] charon: add optional source and remote overrides for
  initiate
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -19,9 +19,7 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  src/charon-cmd/cmd/cmd_connection.c           |  2 +-
  src/charon-nm/nm/nm_service.c                 |  2 +-
  src/conftest/actions.c                        |  2 +-
- .../backend/android_service.c                 |  2 +-
- src/frontends/osx/charon-xpc/xpc_dispatch.c   |  1 +
- src/libcharon/control/controller.c            | 44 ++++++++++++-
+ src/libcharon/control/controller.c            | 43 ++++++++++++-
  src/libcharon/control/controller.h            |  3 +
  .../plugins/load_tester/load_tester_control.c |  1 +
  .../plugins/load_tester/load_tester_plugin.c  |  1 +
@@ -35,15 +33,15 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  .../processing/jobs/start_action_job.c        |  2 +-
  src/libcharon/sa/ike_sa_manager.c             | 49 ++++++++++++++-
  src/libcharon/sa/ike_sa_manager.h             |  8 ++-
- src/libcharon/sa/trap_manager.c               | 45 ++++++--------
+ src/libcharon/sa/trap_manager.c               | 44 ++++++-------
  src/swanctl/commands/initiate.c               | 40 +++++++++++-
- 21 files changed, 228 insertions(+), 50 deletions(-)
+ 21 files changed, 226 insertions(+), 50 deletions(-)
 
 diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 0481d78d4..805d6f198 100644
+index 37d951951..d91eb951c 100644
 --- a/src/charon-cmd/cmd/cmd_connection.c
 +++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -438,7 +438,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
+@@ -440,7 +440,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
  	child_cfg = create_child_cfg(this, peer_cfg);
  
  	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
@@ -53,18 +51,18 @@ index 0481d78d4..805d6f198 100644
  		terminate(pid);
  	}
 diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
-index 83fcaf898..187953b29 100644
+index 09107a76b..0b15a1835 100644
 --- a/src/charon-nm/nm/nm_service.c
 +++ b/src/charon-nm/nm/nm_service.c
-@@ -864,7 +864,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
+@@ -883,7 +883,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
  	 * Prepare IKE_SA
  	 */
  	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 -														peer_cfg);
 +														peer_cfg, NULL, NULL);
+ 	peer_cfg->destroy(peer_cfg);
  	if (!ike_sa)
  	{
- 		peer_cfg->destroy(peer_cfg);
 diff --git a/src/conftest/actions.c b/src/conftest/actions.c
 index 66e41f743..64ef8e9ee 100644
 --- a/src/conftest/actions.c
@@ -79,7 +77,7 @@ index 66e41f743..64ef8e9ee 100644
  	else
  	{
 diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 3baa9342a..d545a4b63 100644
+index cd25b28fe..36d6cd7be 100644
 --- a/src/libcharon/control/controller.c
 +++ b/src/libcharon/control/controller.c
 @@ -15,6 +15,28 @@
@@ -128,7 +126,7 @@ index 3baa9342a..d545a4b63 100644
  	/**
  	 * unique ID, used for various methods
  	 */
-@@ -414,9 +446,15 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -414,10 +446,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  	ike_sa_t *ike_sa;
  	interface_listener_t *listener = &job->listener;
  	peer_cfg_t *peer_cfg = listener->peer_cfg;
@@ -138,6 +136,7 @@ index 3baa9342a..d545a4b63 100644
  	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 -														peer_cfg);
 +														peer_cfg, my_host, other_host);
+ 	peer_cfg->destroy(peer_cfg);
 +
 +	if (my_host) my_host->destroy(my_host);
 +	if (other_host) other_host->destroy(other_host);
@@ -145,15 +144,7 @@ index 3baa9342a..d545a4b63 100644
  	if (!ike_sa)
  	{
  		DESTROY_IF(listener->child_cfg);
-@@ -425,6 +463,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
- 		listener_done(listener);
- 		return JOB_REQUEUE_NONE;
- 	}
-+
- 	listener->lock->lock(listener->lock);
- 	listener->ike_sa = ike_sa;
- 	listener->lock->unlock(listener->lock);
-@@ -497,6 +536,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -492,6 +530,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  
  METHOD(controller_t, initiate, status_t,
  	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
@@ -161,7 +152,7 @@ index 3baa9342a..d545a4b63 100644
  	controller_cb_t callback, void *param, u_int timeout, bool limits)
  {
  	interface_job_t *job;
-@@ -519,6 +559,8 @@ METHOD(controller_t, initiate, status_t,
+@@ -514,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
  			.status = FAILED,
  			.child_cfg = child_cfg,
  			.peer_cfg = peer_cfg,
@@ -279,18 +270,18 @@ index b6cfda082..115e0a82e 100644
  		{
  			write_fifo(this, "connection '%s' established\n", name);
 diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index 2a4d58eab..0e9d24d11 100644
+index 3a783b822..ea9a5c6b2 100644
 --- a/src/libcharon/plugins/vici/vici_config.c
 +++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -2149,7 +2149,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
- 			DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
- 			charon->controller->initiate(charon->controller,
+@@ -2216,7 +2216,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+ 		DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
+ 		charon->controller->initiate(charon->controller,
  					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
 -					NULL, NULL, 0, FALSE);
 +					NULL, NULL, NULL, NULL, 0, FALSE);
- 			break;
- 		case ACTION_ROUTE:
- 			DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
+ 	}
+ }
+ 
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
 index 4c09b578d..4c00c2be5 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
@@ -415,20 +406,20 @@ index 6a72499d3..eb0ad3846 100644
  		{
  			mediation_cfg->destroy(mediation_cfg);
 diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
-index 3a0ed879f..e3399007b 100644
+index 31e154a77..0371293b1 100644
 --- a/src/libcharon/processing/jobs/start_action_job.c
 +++ b/src/libcharon/processing/jobs/start_action_job.c
-@@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t,
- 					charon->controller->initiate(charon->controller,
- 												 peer_cfg->get_ref(peer_cfg),
- 												 child_cfg->get_ref(child_cfg),
--												 NULL, NULL, 0, FALSE);
-+												 NULL, NULL, NULL, NULL, 0, FALSE);
- 					break;
- 				case ACTION_ROUTE:
- 					DBG1(DBG_JOB, "start action: route '%s'", name);
+@@ -83,7 +83,7 @@ METHOD(job_t, execute, job_requeue_t,
+ 				charon->controller->initiate(charon->controller,
+ 											 peer_cfg->get_ref(peer_cfg),
+ 											 child_cfg->get_ref(child_cfg),
+-											 NULL, NULL, 0, FALSE);
++											 NULL, NULL, NULL, NULL, 0, FALSE);
+ 			}
+ 		}
+ 		children->destroy(children);
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index f95ff19af..82cae6e4b 100644
+index fe615a6bc..5839f8827 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
 @@ -17,6 +17,28 @@
@@ -460,8 +451,8 @@ index f95ff19af..82cae6e4b 100644
  #include <string.h>
  #include <inttypes.h>
  
-@@ -1423,7 +1445,8 @@ out:
- }
+@@ -1495,7 +1517,8 @@ typedef struct {
+ } config_entry_t;
  
  METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 -	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
@@ -470,9 +461,9 @@ index f95ff19af..82cae6e4b 100644
  {
  	enumerator_t *enumerator;
  	entry_t *entry;
-@@ -1432,7 +1455,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 	ike_cfg_t *current_ike;
+@@ -1506,7 +1529,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  	u_int segment;
+ 	int i;
  
 -	DBG2(DBG_MGR, "checkout IKE_SA by config");
 +	if (my_host && my_host->get_port(my_host) == 0)
@@ -488,7 +479,7 @@ index f95ff19af..82cae6e4b 100644
  
  	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
  	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
-@@ -1455,6 +1487,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1564,6 +1596,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  			continue;
  		}
  
@@ -504,22 +495,22 @@ index f95ff19af..82cae6e4b 100644
  		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
  		if (current_peer && current_peer->equals(current_peer, peer_cfg))
  		{
-@@ -1477,6 +1518,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 	if (!ike_sa)
- 	{	/* no IKE_SA using such a config, hand out a new */
- 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
-+		if (my_host || other_host)
-+		{
-+			ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
-+		}
+@@ -1590,6 +1631,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 		{
+ 			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+ 			checkout_new(this, ike_sa);
++			if (my_host || other_host)
++			{
++				ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
++			}
+ 		}
  	}
  	charon->bus->set_sa(charon->bus, ike_sa);
- 
 diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
-index efad2e4d6..c43edabbb 100644
+index d87ba2d68..ba4f2c7e7 100644
 --- a/src/libcharon/sa/ike_sa_manager.h
 +++ b/src/libcharon/sa/ike_sa_manager.h
-@@ -93,7 +93,8 @@ struct ike_sa_manager_t {
+@@ -122,7 +122,8 @@ struct ike_sa_manager_t {
  	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
  
  	/**
@@ -529,26 +520,25 @@ index efad2e4d6..c43edabbb 100644
  	 *
  	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
  	 * This call checks for an existing IKE_SA by comparing the configuration.
-@@ -103,10 +104,13 @@ struct ike_sa_manager_t {
- 	 * the found IKE_SA is in the DELETING state.
+@@ -135,9 +136,12 @@ struct ike_sa_manager_t {
+ 	 * @note The peer_config is always set on the returned IKE_SA.
  	 *
  	 * @param peer_cfg			configuration used to find an existing IKE_SA
 +	 * @param my_host			source host address for wildcard peer_cfg
 +	 * @param other_host		remote host address for wildcard peer_cfg
  	 * @return					checked out/created IKE_SA
  	 */
- 	ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
--									 peer_cfg_t *peer_cfg);
-+									 peer_cfg_t *peer_cfg,
+-	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
++	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
 +									 host_t *my_host, host_t *other_host);
  
  	/**
  	 * Reset initiator SPI.
 diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 2bc531b38..ca4855811 100644
+index e45c8ff3f..58a956a78 100644
 --- a/src/libcharon/sa/trap_manager.c
 +++ b/src/libcharon/sa/trap_manager.c
-@@ -432,7 +432,7 @@ METHOD(trap_manager_t, acquire, void,
+@@ -522,7 +522,7 @@ METHOD(trap_manager_t, acquire, void,
  	peer_cfg_t *peer;
  	child_cfg_t *child;
  	ike_sa_t *ike_sa;
@@ -557,12 +547,12 @@ index 2bc531b38..ca4855811 100644
  	bool wildcard, ignore = FALSE;
  
  	this->lock->read_lock(this->lock);
-@@ -508,36 +508,27 @@ METHOD(trap_manager_t, acquire, void,
+@@ -599,36 +599,26 @@ METHOD(trap_manager_t, acquire, void,
  	this->lock->unlock(this->lock);
  
  	if (wildcard)
 -	{	/* the peer config would match IKE_SAs with other peers */
--		ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+-		ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
 -											peer->get_ike_version(peer), TRUE);
 -		if (ike_sa)
 -		{
@@ -578,17 +568,17 @@ index 2bc531b38..ca4855811 100644
 +		uint8_t mask;
  
 -			port = ike_cfg->get_other_port(ike_cfg);
--			dst->to_subnet(dst, &host, &mask);
+-			data->dst->to_subnet(data->dst, &host, &mask);
 -			host->set_port(host, port);
 -			ike_sa->set_other_host(ike_sa, host);
 +		ike_cfg = peer->get_ike_cfg(peer);
  
 -			port = ike_cfg->get_my_port(ike_cfg);
--			src->to_subnet(src, &host, &mask);
+-			data->src->to_subnet(data->src, &host, &mask);
 -			host->set_port(host, port);
 -			ike_sa->set_my_host(ike_sa, host);
 +		port = ike_cfg->get_other_port(ike_cfg);
-+		dst->to_subnet(dst, &other_host, &mask);
++		data->dst->to_subnet(data->dst, &other_host, &mask);
 +		other_host->set_port(other_host, port);
  
 -			charon->bus->set_sa(charon->bus, ike_sa);
@@ -599,7 +589,7 @@ index 2bc531b38..ca4855811 100644
 -		ike_sa = charon->ike_sa_manager->checkout_by_config(
 -											charon->ike_sa_manager, peer);
 +		port = ike_cfg->get_my_port(ike_cfg);
-+		src->to_subnet(src, &my_host, &mask);
++		data->src->to_subnet(data->src, &my_host, &mask);
 +		my_host->set_port(my_host, port);
  	}
 +	ike_sa = charon->ike_sa_manager->checkout_by_config(
@@ -607,10 +597,9 @@ index 2bc531b38..ca4855811 100644
 +											my_host, other_host);
 +	if (my_host) my_host->destroy(my_host);
 +	if (other_host) other_host->destroy(other_host);
-+
+ 	peer->destroy(peer);
+ 
  	if (ike_sa)
- 	{
- 		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
 diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
 index 8ade8bf41..03b2cb0f4 100644
 --- a/src/swanctl/commands/initiate.c
@@ -691,5 +680,5 @@ index 8ade8bf41..03b2cb0f4 100644
  			{"raw",			'r', 0, "dump raw response message"},
  			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.30.2
+2.36.1
 

0002-vici-send-certificates-for-ike-sa-events.patch

@@ -1,21 +1,21 @@
-From 767392d01da960ec8c6b3b14e67eee2111864630 Mon Sep 17 00:00:00 2001
+From d357d62bf0661294e063cec94d48ca929f119351 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 2/4] vici: send certificates for ike-sa events
+Subject: [PATCH 2/3] vici: send certificates for ike-sa events
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 48 +++++++++++++++++++++----
- 1 file changed, 41 insertions(+), 7 deletions(-)
+ src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++----
+ 1 file changed, 42 insertions(+), 8 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index ad07ff12d..e3f6a0d26 100644
+index c35f4e1a9..001631e99 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -379,7 +379,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+@@ -403,7 +403,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
   * List details of an IKE_SA
   */
  static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,7 +24,7 @@ index ad07ff12d..e3f6a0d26 100644
  {
  	time_t t;
  	ike_sa_id_t *id;
-@@ -388,6 +388,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -412,6 +412,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	uint32_t if_id;
  	uint16_t alg, ks;
  	host_t *host;
@@ -33,7 +33,7 @@ index ad07ff12d..e3f6a0d26 100644
  
  	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
  	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -397,11 +399,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -421,11 +423,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	b->add_kv(b, "local-host", "%H", host);
  	b->add_kv(b, "local-port", "%d", host->get_port(host));
  	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index ad07ff12d..e3f6a0d26 100644
  
  	eap = ike_sa->get_other_eap_id(ike_sa);
  
-@@ -531,7 +565,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -557,7 +591,7 @@ CALLBACK(list_sas, vici_message_t*,
  		b = vici_builder_create();
  		b->begin_section(b, ike_sa->get_name(ike_sa));
  
@@ -86,7 +86,7 @@ index ad07ff12d..e3f6a0d26 100644
  
  		b->begin_section(b, "child-sas");
  		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1717,7 +1751,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1775,7 +1809,7 @@ METHOD(listener_t, ike_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index ad07ff12d..e3f6a0d26 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1742,10 +1776,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1800,10 +1834,10 @@ METHOD(listener_t, ike_rekey, bool,
  	b = vici_builder_create();
  	b->begin_section(b, old->get_name(old));
  	b->begin_section(b, "old");
@@ -108,7 +108,16 @@ index ad07ff12d..e3f6a0d26 100644
  	b->end_section(b);
  	b->end_section(b);
  
-@@ -1776,7 +1810,7 @@ METHOD(listener_t, child_updown, bool,
+@@ -1834,7 +1868,7 @@ METHOD(listener_t, ike_update, bool,
+ 	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
+ 
+ 	b->begin_section(b, ike_sa->get_name(ike_sa));
+-	list_ike(this, b, ike_sa, now);
++	list_ike(this, b, ike_sa, now, TRUE);
+ 	b->end_section(b);
+ 
+ 	this->dispatcher->raise_event(this->dispatcher,
+@@ -1864,7 +1898,7 @@ METHOD(listener_t, child_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -117,7 +126,7 @@ index ad07ff12d..e3f6a0d26 100644
  	b->begin_section(b, "child-sas");
  
  	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
-@@ -1811,7 +1845,7 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1899,7 +1933,7 @@ METHOD(listener_t, child_rekey, bool,
  	b = vici_builder_create();
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -127,5 +136,5 @@ index ad07ff12d..e3f6a0d26 100644
  
  	b->begin_section(b, old->get_name(old));
 -- 
-2.30.2
+2.36.1
 

0003-vici-add-support-for-individual-sa-state-changes.patch

@@ -1,7 +1,7 @@
-From 668264e3159ba8143a30fde32beba7a39774942c Mon Sep 17 00:00:00 2001
+From 0a5809a8807c5160ee86da2c1c1586b23d98f04e Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 3/4] vici: add support for individual sa state changes
+Subject: [PATCH 3/3] vici: add support for individual sa state changes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -10,17 +10,17 @@ Useful for monitoring and tracking full SA.
 
 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++
- 1 file changed, 105 insertions(+)
+ src/libcharon/plugins/vici/vici_query.c | 106 ++++++++++++++++++++++++
+ 1 file changed, 106 insertions(+)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index e3f6a0d26..9968cdd3c 100644
+index 001631e99..8010d8da8 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1717,8 +1717,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
- 	this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
+@@ -1775,8 +1775,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
  	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
+ 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
 +	this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
 +	this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
  	this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
@@ -34,10 +34,11 @@ index e3f6a0d26..9968cdd3c 100644
  	manage_command(this, "list-sas", list_sas, reg);
  	manage_command(this, "list-policies", list_policies, reg);
  	manage_command(this, "list-conns", list_conns, reg);
-@@ -1789,6 +1797,45 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1877,6 +1885,46 @@ METHOD(listener_t, ike_update, bool,
  	return TRUE;
  }
  
++
 +METHOD(listener_t, ike_state_change, bool,
 +	private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 +{
@@ -80,7 +81,7 @@ index e3f6a0d26..9968cdd3c 100644
  METHOD(listener_t, child_updown, bool,
  	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
  {
-@@ -1868,6 +1915,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1956,6 +2004,62 @@ METHOD(listener_t, child_rekey, bool,
  	return TRUE;
  }
  
@@ -143,10 +144,10 @@ index e3f6a0d26..9968cdd3c 100644
  METHOD(vici_query_t, destroy, void,
  	private_vici_query_t *this)
  {
-@@ -1887,8 +1990,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
- 			.listener = {
+@@ -1976,8 +2080,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
  				.ike_updown = _ike_updown,
  				.ike_rekey = _ike_rekey,
+ 				.ike_update = _ike_update,
 +				.ike_state_change = _ike_state_change,
  				.child_updown = _child_updown,
  				.child_rekey = _child_rekey,
@@ -155,5 +156,5 @@ index e3f6a0d26..9968cdd3c 100644
  			.destroy = _destroy,
  		},
 -- 
-2.30.2
+2.36.1
 

0004-vyos-terminate-connections-source-dest.patch

@@ -1,124 +0,0 @@
-From d22bf07af4bd67862ebe9bdaf315dc0a63676084 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
-Date: Wed, 22 Jan 2020 13:12:39 +0100
-Subject: [PATCH 4/4] vyos-terminate-connections-source-dest
-
----
- src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
- src/swanctl/commands/terminate.c          | 18 ++++++++++++++-
- 2 files changed, 41 insertions(+), 4 deletions(-)
-
-diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 4c00c2be5..8936e93ae 100644
---- a/src/libcharon/plugins/vici/vici_control.c
-+++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -278,12 +278,13 @@ CALLBACK(terminate, vici_message_t*,
- 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
- {
- 	enumerator_t *enumerator, *isas, *csas;
--	char *child, *ike, *errmsg = NULL;
-+	char *child, *ike, *errmsg = NULL, *my_host_str, *other_host_str;
- 	u_int child_id, ike_id, current, *del, done = 0;
- 	bool force;
- 	int timeout;
- 	ike_sa_t *ike_sa;
- 	child_sa_t *child_sa;
-+	host_t *my_host = NULL, *other_host = NULL;
- 	array_t *ids;
- 	vici_builder_t *builder;
- 	controller_cb_t log_cb = NULL;
-@@ -299,12 +300,23 @@ CALLBACK(terminate, vici_message_t*,
- 	force = request->get_bool(request, FALSE, "force");
- 	timeout = request->get_int(request, 0, "timeout");
- 	log.level = request->get_int(request, 1, "loglevel");
-+	my_host_str = request->get_str(request, NULL, "my-host");
-+	other_host_str = request->get_str(request, NULL, "other-host");
- 
--	if (!child && !ike && !ike_id && !child_id)
-+	if (!child && !ike && !ike_id && !child_id && !my_host_str &&!other_host_str)
- 	{
- 		return send_reply(this, "missing terminate selector");
- 	}
--
-+	if (my_host_str && !other_host_str || other_host_str && !my_host_str)
-+	{
-+		return send_reply(this, "missing source or remote");
-+	}
-+	else
-+	{
-+		my_host = host_create_from_string(my_host_str, 0);
-+		other_host = host_create_from_string(other_host_str, 0);
-+		DBG1(DBG_CFG, "vici terminate with source me %H and other %H", my_host, other_host);
-+	}
- 	if (ike_id)
- 	{
- 		DBG1(DBG_CFG, "vici terminate IKE_SA #%d", ike_id);
-@@ -367,6 +379,15 @@ CALLBACK(terminate, vici_message_t*,
- 		{
- 			array_insert(ids, ARRAY_TAIL, &ike_id);
- 		}
-+		else if (my_host && other_host)
-+		{
-+			if (!my_host->ip_equals(my_host, ike_sa->get_my_host(ike_sa)) || !other_host->ip_equals(other_host, ike_sa->get_other_host(ike_sa)))
-+			{
-+				continue;
-+			}
-+			current = ike_sa->get_unique_id(ike_sa);
-+			array_insert(ids, ARRAY_TAIL, &current);
-+		}
- 	}
- 	isas->destroy(isas);
- 
-diff --git a/src/swanctl/commands/terminate.c b/src/swanctl/commands/terminate.c
-index 2309843b2..37d0bde3f 100644
---- a/src/swanctl/commands/terminate.c
-+++ b/src/swanctl/commands/terminate.c
-@@ -37,7 +37,7 @@ static int terminate(vici_conn_t *conn)
- 	vici_req_t *req;
- 	vici_res_t *res;
- 	command_format_options_t format = COMMAND_FORMAT_NONE;
--	char *arg, *child = NULL, *ike = NULL;
-+	char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL;
- 	int ret = 0, timeout = 0, level = 1, child_id = 0, ike_id = 0;
- 	bool force = FALSE;
- 
-@@ -74,6 +74,12 @@ static int terminate(vici_conn_t *conn)
- 			case 'l':
- 				level = atoi(arg);
- 				continue;
-+			case 'S':
-+				my_host = arg;
-+				continue;
-+			case 'R':
-+				other_host = arg;
-+				continue;
- 			case EOF:
- 				break;
- 			default:
-@@ -109,6 +115,14 @@ static int terminate(vici_conn_t *conn)
- 	{
- 		vici_add_key_valuef(req, "force", "yes");
- 	}
-+	if (my_host)
-+	{
-+		vici_add_key_valuef(req, "my-host", "%s", my_host);
-+	}
-+	if (other_host)
-+	{
-+		vici_add_key_valuef(req, "other-host", "%s", other_host);
-+	}
- 	if (timeout)
- 	{
- 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
-@@ -155,6 +169,8 @@ static void __attribute__ ((constructor))reg()
- 		{
- 			{"help",		'h', 0, "show usage information"},
- 			{"child",		'c', 1, "terminate by CHILD_SA name"},
-+			{"source",		'S', 1, "override source address"},
-+			{"remote",		'R', 1, "override remote address"},
- 			{"ike",			'i', 1, "terminate by IKE_SA name"},
- 			{"child-id",	'C', 1, "terminate by CHILD_SA reqid"},
- 			{"ike-id",		'I', 1, "terminate by IKE_SA unique identifier"},
--- 
-2.30.2
-

STRONGSWAN-RELEASE-PGP-KEY

@@ -0,0 +1,48 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
+ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
+C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
+hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
+SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
+Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
+iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
+oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
+pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
+ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
+AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
+GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
+wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
+1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
+thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
+fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
+/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
+MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
+iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
+KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
+8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
+wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
+IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
+R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
+pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
+56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
+w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
+Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
+xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
+jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
+lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
+lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
+ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
+TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
+M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
+GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
+kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
+W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
+MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
+Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
++M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
+u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
+CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
+b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
+=ze82
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1 +1,2 @@
-SHA512 (strongswan-5.9.1.tar.bz2) = 222625e77bd86959da6dd7346cfa9f92569fc396a494bb95ddf2c8e0680b7e8041541e8a14320517a0c735d713ae0fdc0d0c4694215e812817814b0b4efc3497
+SHA512 (strongswan-5.9.6.tar.bz2.sig) = c5f863eb1f504033aec2ab48f802584f97bb39650e55e829e31f36ea1594428caab84ea559ba82b56b060019598aada02df09311b583b098e32f5abad9fab29b
+SHA512 (strongswan-5.9.6.tar.bz2) = 8efb7a55b074485b874e941e42462e97a404b4f84e2f90ed18ef66274731b22d167a571f6fd028dccc1f199f2e591c82616d0a832a5084e1981c6b867fe5bb6a

strongswan-5.6.2-CVE-2018-5388.patch

@@ -1,15 +0,0 @@
-diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
---- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
-+++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
-@@ -628,6 +628,11 @@
- 		return FALSE;
- 	}
- 
-+	if (len < offsetof(stroke_msg_t, buffer))
-+	{
-+		DBG1(DBG_CFG, "invalid stroke message length %d", len);
-+		return FALSE;
-+	}
- 	/* read message (we need an additional byte to terminate the buffer) */
- 	msg = malloc(len + 1);
- 	msg->length = len;

strongswan-5.8.4-runtime-dir.patch

@@ -1,24 +0,0 @@
-diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
---- strongswan-5.8.4.orig/init/systemd/strongswan.service.in	2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd/strongswan.service.in	2020-04-12 12:05:57.383596844 +0300
-@@ -9,6 +9,8 @@
- ExecReload=@SBINDIR@/swanctl --reload
- ExecReload=@SBINDIR@/swanctl --load-all --noprompt
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target
-diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
---- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in	2019-08-27 16:26:53.000000000 +0300
-+++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in	2020-04-12 12:05:51.810559482 +0300
-@@ -6,6 +6,8 @@
- ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
- StandardOutput=syslog
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target

strongswan-5.9.1-runtime-dir.patch

@@ -1,12 +0,0 @@
-diff -Naur strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in
---- strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in	2020-10-16 08:36:37.000000000 -0400
-+++ strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in	2021-02-12 14:06:09.985042362 -0500
-@@ -5,6 +5,8 @@
- [Service]
- ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
- Restart=on-abnormal
-+RuntimeDirectory=strongswan
-+RuntimeDirectoryMode=0755
- 
- [Install]
- WantedBy=multi-user.target

strongswan-5.9.4-test-socket.patch

@@ -0,0 +1,31 @@
+From 377039d24648f82dac35dcf22a2b43de81f2fb96 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 11 Nov 2021 05:48:38 +0100
+Subject: [PATCH] Skip test case, which always hangs
+
+It just stops and does not continue. Avoid that test.
+---
+ src/libtls/tests/suites/test_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 9e26e91..5296680 100644
+--- a/src/libtls/tests/suites/test_socket.c
++++ b/src/libtls/tests/suites/test_socket.c
+@@ -804,11 +804,13 @@ Suite *socket_suite_create()
+ 	add_tls_versions_test(test_tls_12_server, TLS_1_0, TLS_1_3);
+ 	suite_add_tcase(s, tc);
+ 
++#if 0
+ 	tc = tcase_create("TLS 1.3/key exchange groups");
+ 	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+ 	tcase_add_loop_test(tc, test_tls13_ke_groups, 0,
+ 						tls_crypto_get_supported_groups(NULL));
+ 	suite_add_tcase(s, tc);
++#endif
+ 
+ 	tc = tcase_create("TLS 1.3/signature schemes");
+ 	tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds);
+-- 
+2.31.1
+

strongswan-5.9.5-atexit-handlers.patch

@@ -0,0 +1,71 @@
+--- strongswan-5.9.5-orig/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-01-08 12:54:02.000000000 +0100
++++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-02-23 23:12:03.685111475 +0100
+@@ -16,7 +16,6 @@
+ 
+ #include <library.h>
+ #include <utils/debug.h>
+-#include <collections/array.h>
+ #include <threading/thread.h>
+ #include <threading/mutex.h>
+ #include <threading/thread_value.h>
+@@ -74,13 +73,6 @@
+ 	 * public functions
+ 	 */
+ 	openssl_plugin_t public;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	/**
+-	 * Loaded providers
+-	 */
+-	array_t *providers;
+-#endif
+ };
+ 
+ /**
+@@ -881,21 +873,12 @@
+ #endif
+ 	}
+ 	*features = f;
+-	return countof(f);
++	return count;
+ }
+ 
+ METHOD(plugin_t, destroy, void,
+ 	private_openssl_plugin_t *this)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	OSSL_PROVIDER *provider;
+-	while (array_remove(this->providers, ARRAY_TAIL, &provider))
+-	{
+-		OSSL_PROVIDER_unload(provider);
+-	}
+-	array_destroy(this->providers);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
+  * can't call it as we couldn't re-initialize the library (as required by the
+  * unit tests and the Android app) */
+@@ -1009,20 +992,16 @@
+ 			DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ 			return NULL;
+ 		}
+-		array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ 		/* explicitly load the base provider containing encoding functions */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "base"));
++		OSSL_PROVIDER_load(NULL, "base");
+ 	}
+ 	else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ 									 TRUE, lib->ns))
+ 	{
+ 		/* load the legacy provider for algorithms like MD4, DES, BF etc. */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "legacy"));
++		OSSL_PROVIDER_load(NULL, "legacy");
+ 		/* explicitly load the default provider, as mentioned by crypto(7) */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "default"));
++		OSSL_PROVIDER_load(NULL, "default");
+ 	}
+ 	ossl_provider_names_t data = {};
+ 	OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);

strongswan-5.9.6-error-format-security.patch

@@ -0,0 +1,11 @@
+--- strongswan-5.9.6-orig/src/libstrongswan/utils/enum.c	2022-04-16 10:08:07.000000000 +0200
++++ strongswan-5.9.6/src/libstrongswan/utils/enum.c	2022-06-20 23:21:47.408857710 +0200
+@@ -97,7 +97,7 @@
+ 		return buf;
+ 	}
+ 
+-	if (snprintf(buf, len, e->names[0]) >= len)
++	if (snprintf(buf, len, "%s", e->names[0]) >= len)
+ 	{
+ 		return NULL;
+ 	}

strongswan.spec

@@ -1,28 +1,41 @@
 %global _hardened_build 1
 #%%define prerelease dr1
-%global dist .nhrp.8%{?dist}
+%global dist .nhrp.9%{?dist}
+
+%bcond_without python3
+%bcond_without perl
+%bcond_with    check
+
+%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
+# trousers was retired for F36+ and no longer available in RHEL with 9+
+%bcond_without tss_trousers
+%else
+%bcond_with tss_trousers
+%endif
 
 Name:           strongswan
-Version:        5.9.1
+Version:        5.9.6
 Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            http://www.strongswan.org/
-Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
-Source1:        tmpfiles-strongswan.conf
-Patch0:         strongswan-5.9.1-runtime-dir.patch
-Patch1:         strongswan-5.6.0-uintptr_t.patch
-Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
+Source0:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source1:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
+Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
+Source3:        tmpfiles-strongswan.conf
+Patch0:         strongswan-5.6.0-uintptr_t.patch
+# https://github.com/strongswan/strongswan/issues/1025
+Patch1:         strongswan-5.9.6-error-format-security.patch
 
 Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
 Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
-Patch13:        0004-vyos-terminate-connections-source-dest.patch
 
 # only needed for pre-release versions
 #BuildRequires:  autoconf automake
 
-BuildRequires: make
+BuildRequires:  gnupg2
+BuildRequires:  make
 BuildRequires:  gcc
 BuildRequires:  systemd-devel
 BuildRequires:  gmp-devel
@@ -31,7 +44,6 @@ BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
-BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
@@ -39,6 +51,23 @@ BuildRequires:  libgcrypt-devel
 BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
 BuildRequires:  libcap-devel
+BuildRequires:  tpm2-tss-devel
+Recommends:     tpm2-tools
+
+%if %{with python3}
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  python3-pytest
+%endif
+
+%if %{with perl}
+BuildRequires:  perl-devel perl-macros
+BuildRequires:  perl(ExtUtils::MakeMaker)
+%endif
+
+%if %{with tss_trousers}
+BuildRequires:  trousers-devel
+%endif
 
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -59,8 +88,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
+Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
+Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -68,14 +97,14 @@ to NetworkManager.
 
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: %{name} = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: %{name} = %{version}-%{release}
-Requires: %{name}-sqlite = %{version}-%{release}
+Requires: strongswan = %{version}-%{release}
+Requires: strongswan-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -86,16 +115,39 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.
 
-%prep
-%setup -q -n %{name}-%{version}%{?prerelease}
-%patch0 -p1
-%patch1 -p1
-%patch3 -p1
+%if %{with python3}
+%package -n python3-vici
+Summary: Strongswan Versatile IKE Configuration Interface python bindings
+BuildArch: noarch
+%description -n python3-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
 
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
+The Versatile IKE Configuration Interface (VICI) python bindings provides module
+for Strongswan runtime configuration from python applications.
+
+%endif
+
+%if %{with perl}
+%package -n perl-vici
+Summary: Strongswan Versatile IKE Configuration Interface perl bindings
+BuildArch: noarch
+%description -n perl-vici
+VICI is an attempt to improve the situation for system integrators by providing
+a stable IPC interface, allowing external tools to query, configure
+and control the IKE daemon.
+
+The Versatile IKE Configuration Interface (VICI) perl bindings provides module
+for Strongswan runtime configuration from perl applications.
+%endif
+
+# TODO: make also ruby-vici
+
+
+%prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -n %{name}-%{version}%{?prerelease} -p1
 
 %build
 # only for snapshots
@@ -114,7 +166,7 @@ PT-TLS to support TNC over TLS.
     --with-piddir=%{_rundir}/strongswan \
     --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
     --enable-bypass-lan \
-    --enable-tss-trousers \
+    --enable-tss-tss2 \
     --enable-nm \
     --enable-systemd \
     --enable-openssl \
@@ -178,26 +230,74 @@ PT-TLS to support TNC over TLS.
     --enable-curl \
     --enable-cmd \
     --enable-acert \
-    --enable-aikgen \
     --enable-vici \
     --enable-swanctl \
     --enable-duplicheck \
 %ifarch x86_64 %{ix86}
     --enable-aesni \
+%endif
+%if %{with python3}
+    PYTHON=%{python3} --enable-python-eggs \
+%endif
+%if %{with perl}
+    --enable-perl-cpan \
+%endif
+%if %{with check}
+    --enable-test-vectors \
+%endif
+%if %{with tss_trousers}
+    --enable-tss-trousers \
+    --enable-aikgen \
 %endif
     --enable-kernel-libipsec \
     --with-capabilities=libcap \
     CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
+# TODO: --enable-python-eggs-install not python3 ready
 
 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
-make %{?_smp_mflags}
+%make_build
+
+pushd src/libcharon/plugins/vici
+
+%if %{with python3}
+  pushd python
+    %make_build
+    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
+    #py3_build
+  popd
+%endif
+
+%if %{with perl}
+  pushd perl/Vici-Session/
+    perl Makefile.PL INSTALLDIRS=vendor
+    %make_build
+  popd
+%endif
+
+popd
 
 %install
-make install DESTDIR=%{buildroot}
+%make_install
+
+
+pushd src/libcharon/plugins/vici
+%if %{with python3}
+  pushd python
+    # TODO: --enable-python-eggs breaks our previous build. Do it now
+    # propose better way to upstream
+    %py3_build
+    %py3_install
+  popd
+%endif
+%if %{with perl}
+  %make_install -C perl/Vici-Session
+  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
+%endif
+popd
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -216,21 +316,36 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
     install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/${i}
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
-install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
+
+
+%check
+%if %{with check}
+  # Seen some tests hang. Ensure we do not block builder forever
+  export TESTS_VERBOSITY=1
+  timeout 600 %make_build check
+%endif
+%if %{with python}
+  pushd src/libcharon/plugins/vici
+    %pytest
+  popd
+%endif
+:
 
 %post
-%systemd_post %{name}.service
+%systemd_post strongswan.service strongswan-starter.service
 
 %preun
-%systemd_preun %{name}.service
+%systemd_preun strongswan.service strongswan-starter.service
 
 %postun
-%systemd_postun_with_restart %{name}.service
+%systemd_postun_with_restart strongswan.service strongswan-starter.service
 
 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
@@ -260,6 +375,7 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
 %attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
+%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -286,9 +402,78 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
+%if %{with python3}
+%files -n python3-vici
+%license COPYING
+%doc src/libcharon/plugins/vici/python/README.rst
+%{python3_sitelib}/vici
+%{python3_sitelib}/vici-%{version}-py*.egg-info
+%endif
+
+%if %{with perl}
+%license COPYING
+%files -n perl-vici
+%{perl_vendorlib}/Vici
+%endif
+
 %changelog
+* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
+- Resolves rhbz#2080070 strongswan-5.9.6 is available
+- Fixed missing format string in enum_flags_to_string()
+
+* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
+- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
+
+* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
+- Use newly published/cleaned strongswan gpg key
+
+* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
+- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
+- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
+- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
+
+* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
+- Resolves rhbz#1419441 Add python and perl vici bindings
+- Adds optional tests run
+
+* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
+- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
+- Return to using tmpfiles, but extend to cover strongswan-starter service too
+- Cleanup old patches
+
+* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
+- Resolves: rhbz#2015165 strongswan-5.9.4 is available
+- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
+- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
+- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
+- Rebuild for versioned symbols in json-c
+
+* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
+- Resolves: rhbz#1979574 strongswan-5.9.3 is available
+- Make strongswan main dir world readable so apps can find strongswan.conf
+
+* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
+- Resolves: rhbz#1896545 strongswan-5.9.2 is available
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
 * Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
-- Resolves: rhbz# 1896545 strongswan-5.9.1 is available
+- Resolves: rhbz#1896545 strongswan-5.9.1 is available
 
 * Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
 - Build with with capabilities support