Support GRE key in selectors

- patch to use --no-isolation with python by Carlos Rodriguez-Fernandez
- python dependencies fixed so pip no longer tries to download items
- apply upstream patch to remove md2 support - now all tests pass again

.gitignore

@@ -19,3 +19,5 @@
 /strongswan-5.9.11.tar.bz2.sig
 /strongswan-5.9.14.tar.bz2
 /strongswan-5.9.14.tar.bz2.sig
+/strongswan-6.0.2.tar.bz2
+/strongswan-6.0.2.tar.bz2.sig

0001-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -1,4 +1,4 @@
-From d917774f73954cc6367e73b775ff9ea115d6fd28 Mon Sep 17 00:00:00 2001
+From 8ca99fb0a9d0027d08937bc2b198dc74bd5bb7a2 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
 Date: Tue, 9 Jul 2024 19:07:57 +0200
 Subject: [PATCH 1/4] charon: add optional source and remote overrides for
@@ -11,17 +11,17 @@ to initiate wildcard connection for known address via vici.
 In addition this allows simpler implementation of trap-any patches
 and is a prerequisite for dmvpn support.
 ---
- src/libcharon/control/controller.c        | 34 ++++++++++++++++--
- src/libcharon/control/controller.h        | 28 +++++++++++++++
- src/libcharon/plugins/vici/vici_control.c | 41 +++++++++++++++++----
- src/libcharon/sa/ike_sa_manager.c         | 34 +++++++++++++++++-
- src/libcharon/sa/ike_sa_manager.h         | 25 ++++++++++++-
- src/libcharon/sa/trap_manager.c           | 44 +++++++++--------------
+ src/libcharon/control/controller.c        | 36 +++++++++++++++++-
+ src/libcharon/control/controller.h        | 28 ++++++++++++++
+ src/libcharon/plugins/vici/vici_control.c | 41 ++++++++++++++++----
+ src/libcharon/sa/ike_sa_manager.c         | 34 ++++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.h         | 25 +++++++++++-
+ src/libcharon/sa/trap_manager.c           | 46 +++++++++--------------
  src/swanctl/commands/initiate.c           | 19 +++++++++-
- 7 files changed, 186 insertions(+), 39 deletions(-)
+ 7 files changed, 189 insertions(+), 40 deletions(-)
 
 diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 027f48e937..ac4661a323 100644
+index 4e778ed63d..2b8a75e2c1 100644
 --- a/src/libcharon/control/controller.c
 +++ b/src/libcharon/control/controller.c
 @@ -1,4 +1,6 @@
@@ -48,26 +48,27 @@ index 027f48e937..ac4661a323 100644
  	/**
  	 * unique ID, used for various methods
  	 */
-@@ -417,10 +429,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -418,9 +430,17 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+ {
  	ike_sa_t *ike_sa;
  	interface_listener_t *listener = &job->listener;
- 	peer_cfg_t *peer_cfg = listener->peer_cfg;
++	peer_cfg_t *peer_cfg = listener->peer_cfg;
 +	host_t *my_host = listener->my_host;
 +	host_t *other_host = listener->other_host;
- 
--	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
--														peer_cfg);
++
 +	ike_sa = charon->ike_sa_manager->checkout_by_config2(charon->ike_sa_manager,
 +														peer_cfg, my_host, other_host);
- 	peer_cfg->destroy(peer_cfg);
++	peer_cfg->destroy(peer_cfg);
 +
 +	if (my_host) my_host->destroy(my_host);
 +	if (other_host) other_host->destroy(other_host);
-+
+ 
+-	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
+-														listener->peer_cfg);
  	if (!ike_sa)
  	{
- 		DESTROY_IF(listener->child_cfg);
-@@ -501,6 +519,15 @@ METHOD(controller_t, initiate, status_t,
+ 		listener->status = FAILED;
+@@ -502,6 +522,15 @@ METHOD(controller_t, initiate, status_t,
  	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
  	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
  	bool limits)
@@ -83,7 +84,7 @@ index 027f48e937..ac4661a323 100644
  {
  	interface_job_t *job;
  	status_t status;
-@@ -523,6 +550,8 @@ METHOD(controller_t, initiate, status_t,
+@@ -524,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
  			.status = FAILED,
  			.child_cfg = child_cfg,
  			.peer_cfg = peer_cfg,
@@ -92,7 +93,7 @@ index 027f48e937..ac4661a323 100644
  			.lock = spinlock_create(),
  			.options.limits = limits,
  		},
-@@ -770,6 +799,7 @@ controller_t *controller_create(void)
+@@ -771,6 +802,7 @@ controller_t *controller_create(void)
  		.public = {
  			.create_ike_sa_enumerator = _create_ike_sa_enumerator,
  			.initiate = _initiate,
@@ -229,18 +230,18 @@ index 1c236d2491..932d0cb5a8 100644
  
  /**
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index 7763ae844e..cf53e9ae00 100644
+index c128cc0787..bf4e125c84 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
 @@ -1,5 +1,7 @@
  /*
-  * Copyright (C) 2008-2022 Tobias Brunner
+  * Copyright (C) 2008-2024 Tobias Brunner
 + * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
 + * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
   * Copyright (C) 2005-2011 Martin Willi
   * Copyright (C) 2005 Jan Hutter
   *
-@@ -1499,6 +1501,13 @@ typedef struct {
+@@ -1500,6 +1502,13 @@ typedef struct {
  
  METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
@@ -254,7 +255,7 @@ index 7763ae844e..cf53e9ae00 100644
  {
  	enumerator_t *enumerator;
  	entry_t *entry;
-@@ -1509,7 +1518,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1510,7 +1519,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  	u_int segment;
  	int i;
  
@@ -272,7 +273,7 @@ index 7763ae844e..cf53e9ae00 100644
  
  	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
  	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
-@@ -1567,6 +1585,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1569,6 +1587,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  			continue;
  		}
  
@@ -288,7 +289,7 @@ index 7763ae844e..cf53e9ae00 100644
  		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
  		if (current_peer && current_peer->equals(current_peer, peer_cfg))
  		{
-@@ -1593,6 +1620,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1595,6 +1622,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
  		{
  			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
  			checkout_new(this, ike_sa);
@@ -299,7 +300,7 @@ index 7763ae844e..cf53e9ae00 100644
  		}
  	}
  	charon->bus->set_sa(charon->bus, ike_sa);
-@@ -2558,6 +2589,7 @@ ike_sa_manager_t *ike_sa_manager_create()
+@@ -2560,6 +2591,7 @@ ike_sa_manager_t *ike_sa_manager_create()
  			.checkout = _checkout,
  			.checkout_by_message = _checkout_by_message,
  			.checkout_by_config = _checkout_by_config,
@@ -351,19 +352,22 @@ index 004cc22168..d001f5a802 100644
  	 * Reset initiator SPI.
  	 *
 diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index 1b85c66a5b..bbc480c0cd 100644
+index 17953010a1..c316eea213 100644
 --- a/src/libcharon/sa/trap_manager.c
 +++ b/src/libcharon/sa/trap_manager.c
-@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
+@@ -532,9 +532,9 @@ METHOD(trap_manager_t, acquire, void,
  	peer_cfg_t *peer;
  	child_cfg_t *child;
  	ike_sa_t *ike_sa;
--	host_t *host;
-+	host_t *host, *my_host = NULL, *other_host = NULL;
- 	uint32_t allocated_reqid;
- 	bool wildcard, ignore = FALSE;
+-	host_t *host = NULL;
++	host_t *host = NULL, *my_host = NULL, *other_host = NULL;
+ 	uint32_t allocated_reqid, seq = 0;
+-	bool wildcard;
++	bool wildcard, ignore = FALSE;
  
-@@ -603,36 +603,26 @@ METHOD(trap_manager_t, acquire, void,
+ 	this->lock->read_lock(this->lock);
+ 	enumerator = this->traps->create_enumerator(this->traps);
+@@ -609,36 +609,26 @@ METHOD(trap_manager_t, acquire, void,
  	this->lock->unlock(this->lock);
  
  	if (wildcard)
@@ -473,5 +477,5 @@ index e0fffb907d..c0fc8c5952 100644
  			{"raw",			'r', 0, "dump raw response message"},
  			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.49.0
+2.51.0
 

0002-vici-send-certificates-for-ike-sa-events.patch

@@ -1,4 +1,4 @@
-From f6210f6ab72ead26a24a8f231eee67948d3ca543 Mon Sep 17 00:00:00 2001
+From 59e1a0469bbd50704f777835c0fcd7013f7841c7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
 Subject: [PATCH 2/4] vici: send certificates for ike-sa events
@@ -12,10 +12,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  1 file changed, 42 insertions(+), 8 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index bacb7b101e..19acc0789b 100644
+index 43e3f44137..5e49cb8a0b 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+@@ -433,7 +433,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
   * List details of an IKE_SA
   */
  static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,7 +24,7 @@ index bacb7b101e..19acc0789b 100644
  {
  	time_t t;
  	ike_sa_id_t *id;
-@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -442,6 +442,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	uint32_t if_id;
  	uint16_t alg, ks;
  	host_t *host;
@@ -33,7 +33,7 @@ index bacb7b101e..19acc0789b 100644
  
  	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
  	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -451,11 +453,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
  	b->add_kv(b, "local-host", "%H", host);
  	b->add_kv(b, "local-port", "%d", host->get_port(host));
  	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index bacb7b101e..19acc0789b 100644
  
  	eap = ike_sa->get_other_eap_id(ike_sa);
  
-@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -588,7 +622,7 @@ CALLBACK(list_sas, vici_message_t*,
  		b = vici_builder_create();
  		b->begin_section(b, ike_sa->get_name(ike_sa));
  
@@ -86,7 +86,7 @@ index bacb7b101e..19acc0789b 100644
  
  		b->begin_section(b, "child-sas");
  		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1805,7 +1839,7 @@ METHOD(listener_t, ike_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index bacb7b101e..19acc0789b 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1830,10 +1864,10 @@ METHOD(listener_t, ike_rekey, bool,
  	b = vici_builder_create();
  	b->begin_section(b, old->get_name(old));
  	b->begin_section(b, "old");
@@ -108,7 +108,7 @@ index bacb7b101e..19acc0789b 100644
  	b->end_section(b);
  	b->end_section(b);
  
-@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
+@@ -1864,7 +1898,7 @@ METHOD(listener_t, ike_update, bool,
  	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -117,7 +117,7 @@ index bacb7b101e..19acc0789b 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
+@@ -1894,7 +1928,7 @@ METHOD(listener_t, child_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -126,7 +126,7 @@ index bacb7b101e..19acc0789b 100644
  	b->begin_section(b, "child-sas");
  
  	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
-@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1929,7 +1963,7 @@ METHOD(listener_t, child_rekey, bool,
  	b = vici_builder_create();
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -136,5 +136,5 @@ index bacb7b101e..19acc0789b 100644
  
  	b->begin_section(b, old->get_name(old));
 -- 
-2.49.0
+2.51.0
 

0003-vici-add-support-for-individual-sa-state-changes.patch

@@ -1,4 +1,4 @@
-From effc140ed0ed5c7f1897c8abb6364d2d4789a4ee Mon Sep 17 00:00:00 2001
+From 17118385d600eeb9814af4106b690c8e2b285971 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
 Subject: [PATCH 3/4] vici: add support for individual sa state changes
@@ -14,10 +14,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
  1 file changed, 106 insertions(+)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 19acc0789b..fa1aca9536 100644
+index 5e49cb8a0b..1115161f6b 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1805,8 +1805,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
  	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
@@ -34,7 +34,7 @@ index 19acc0789b..fa1aca9536 100644
  	manage_command(this, "list-sas", list_sas, reg);
  	manage_command(this, "list-policies", list_policies, reg);
  	manage_command(this, "list-conns", list_conns, reg);
-@@ -1876,6 +1884,46 @@ METHOD(listener_t, ike_update, bool,
+@@ -1907,6 +1915,46 @@ METHOD(listener_t, ike_update, bool,
  	return TRUE;
  }
  
@@ -81,7 +81,7 @@ index 19acc0789b..fa1aca9536 100644
  METHOD(listener_t, child_updown, bool,
  	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
  {
-@@ -1955,6 +2003,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1986,6 +2034,62 @@ METHOD(listener_t, child_rekey, bool,
  	return TRUE;
  }
  
@@ -144,7 +144,7 @@ index 19acc0789b..fa1aca9536 100644
  METHOD(vici_query_t, destroy, void,
  	private_vici_query_t *this)
  {
-@@ -1975,8 +2079,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -2006,8 +2110,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
  				.ike_updown = _ike_updown,
  				.ike_rekey = _ike_rekey,
  				.ike_update = _ike_update,
@@ -156,5 +156,5 @@ index 19acc0789b..fa1aca9536 100644
  			.destroy = _destroy,
  		},
 -- 
-2.49.0
+2.51.0
 

0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch

@@ -1,4 +1,4 @@
-From 7f32aed540533e50fa05486df471ef3c19879324 Mon Sep 17 00:00:00 2001
+From 30238c949e7c1ba2df4f8adfaefdc205f7ddb98f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
 Date: Sun, 21 Jan 2024 03:11:32 +0100
 Subject: [PATCH 4/4] Support GRE key in selectors with kernel-netlink.
@@ -17,10 +17,10 @@ similar to ICMP.
  8 files changed, 145 insertions(+), 4 deletions(-)
 
 diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-index db0b2ac37a..d4f9571817 100644
+index d951aa0737..dd279c24aa 100644
 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -864,6 +864,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+@@ -893,6 +893,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
  {
  	struct xfrm_selector sel;
  	uint16_t port;
@@ -28,7 +28,7 @@ index db0b2ac37a..d4f9571817 100644
  
  	memset(&sel, 0, sizeof(sel));
  	sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
-@@ -884,6 +885,24 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+@@ -913,6 +914,24 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
  		sel.dport = htons(traffic_selector_icmp_code(port));
  		sel.dport_mask = sel.dport ? ~0 : 0;
  	}
@@ -54,10 +54,10 @@ index db0b2ac37a..d4f9571817 100644
  	sel.user = 0;
  
 diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
-index 58e1cd98a0..f20fdae522 100644
+index 2a440aa630..bc9a1e40b9 100644
 --- a/src/libcharon/plugins/load_tester/load_tester_config.c
 +++ b/src/libcharon/plugins/load_tester/load_tester_config.c
-@@ -498,7 +498,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+@@ -507,7 +507,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
  			*protocol = (uint8_t)p;
  		}
  	}
@@ -87,10 +87,10 @@ index 58e1cd98a0..f20fdae522 100644
  		*from_port = 0;
  		*to_port = 0xffff;
 diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
-index 55db379ffe..b4340b8d1b 100644
+index b6e700fa9c..017e6b4766 100644
 --- a/src/libcharon/plugins/stroke/stroke_config.c
 +++ b/src/libcharon/plugins/stroke/stroke_config.c
-@@ -927,7 +927,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
+@@ -926,7 +926,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
  			*protocol = (uint8_t)p;
  		}
  	}
@@ -120,10 +120,10 @@ index 55db379ffe..b4340b8d1b 100644
  		*from_port = 0;
  		*to_port = 0xffff;
 diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index c858e9945c..24a254689b 100644
+index 6ea239f0a1..96c2d1276e 100644
 --- a/src/libcharon/plugins/vici/vici_config.c
 +++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -715,7 +715,27 @@ CALLBACK(parse_ts, bool,
+@@ -749,7 +749,27 @@ CALLBACK(parse_ts, bool,
  				proto = (uint8_t)p;
  			}
  		}
@@ -152,7 +152,7 @@ index c858e9945c..24a254689b 100644
  		{
  			from = 0xffff;
  			to = 0;
-@@ -752,6 +772,11 @@ CALLBACK(parse_ts, bool,
+@@ -786,6 +806,11 @@ CALLBACK(parse_ts, bool,
  			}
  		}
  	}
@@ -165,7 +165,7 @@ index c858e9945c..24a254689b 100644
  	{
  		ts = traffic_selector_create_dynamic(proto, from, to);
 diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
-index fe61e3768b..09757ec36f 100644
+index 4022c45c13..ae07e02995 100644
 --- a/src/libstrongswan/selectors/traffic_selector.c
 +++ b/src/libstrongswan/selectors/traffic_selector.c
 @@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
@@ -268,12 +268,12 @@ index 5065bc369f..039b6f402b 100644
  				end->from_port = 0;
  				end->to_port = 0xffff;
 diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
-index d9fd949ed1..1d63dadb89 100644
+index 8336735fff..be185bc056 100644
 --- a/src/swanctl/swanctl.opt
 +++ b/src/swanctl/swanctl.opt
-@@ -765,6 +765,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
- 	value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
- 	as well, none of the kernel backends currently support port ranges, though.
+@@ -805,6 +805,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
+ 	equal to 256, with the type in the most significant 8 bits and the code in
+ 	the least significant 8 bits.
  
 +	If protocol is restricted to GRE, port restriction specifies GRE key
 +	in 32 bit numeric form eg. dynamic[gre/100].
@@ -282,5 +282,5 @@ index d9fd949ed1..1d63dadb89 100644
  	the Cisco Unity extension plugin is used. This is due to a limitation of the
  	IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
 -- 
-2.49.0
+2.51.0
 

changelog

@@ -0,0 +1,659 @@
+* Mon Aug 25 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-12
+- Fix ipsec.d cacerts removing system ca
+
+* Fri Aug 22 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-11
+- Link new system ca bundle in the ipsec.d cacerts
+
+* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 5.9.14-10
+- Rebuilt for Python 3.14.0rc2 bytecode
+
+* Thu Aug 14 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-9
+- Fix build issue (rhbz#2368971)
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Mon Jun 02 2025 Python Maint <python-maint@redhat.com> - 5.9.14-7
+- Rebuilt for Python 3.14
+
+* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
+- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
+
+* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
+- convert license to SPDX
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
+- Rebuilt for Python 3.13
+
+* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
+- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
+- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
+- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
+- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
+- Resolves: rhbz#2214186 strongswan-5.9.11 is available
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
+- Rebuilt for Python 3.12
+
+* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
+- Update to 5.9.10
+
+* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
+- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
+
+* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
+- Use configure paths in manual pages (#2106120)
+
+* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
+- Update to 5.9.9 (#2157850)
+
+* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
+- Add BR perl-generators to automatically generates run-time dependencies
+  for installed Perl files
+
+* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
+- Resolves rhbz#2112274 strongswan-5.9.8 is available
+- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
+- Add BuildRequire for autoconf and automake, now required for release
+- Remove obsolete patches
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
+- Resolves rhbz#2080070 strongswan-5.9.6 is available
+- Fixed missing format string in enum_flags_to_string()
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
+- Rebuilt for Python 3.11
+
+* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
+- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
+
+* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
+- Use newly published/cleaned strongswan gpg key
+
+* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
+- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
+- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
+- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
+
+* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
+- Resolves rhbz#1419441 Add python and perl vici bindings
+- Adds optional tests run
+
+* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
+- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
+- Return to using tmpfiles, but extend to cover strongswan-starter service too
+- Cleanup old patches
+
+* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
+- Resolves: rhbz#2015165 strongswan-5.9.4 is available
+- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
+- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
+- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
+- Rebuild for versioned symbols in json-c
+
+* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
+- Resolves: rhbz#1979574 strongswan-5.9.3 is available
+- Make strongswan main dir world readable so apps can find strongswan.conf
+
+* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
+- Resolves: rhbz#1896545 strongswan-5.9.2 is available
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
+- Resolves: rhbz#1896545 strongswan-5.9.1 is available
+
+* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
+- Build with with capabilities support
+- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
+- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
+
+* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
+- Resolves: rhbz#1861747 strongswan-5.9.0 is available
+- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
+  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
+- Rebuild (json-c)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
+- Updated to 5.8.4
+- Patch4 has been applied upstream
+
+* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
+- Patch to declare a global variable with extern (#1800117)
+
+* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
+- use tmpfile to ensure rundir is present
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
+- Use /run/strongswan as rundir to support strongswans in namespaces
+
+* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
+- Update to 5.8.2 (#1784457)
+- The D-Bus config file moved under datadir
+
+* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
+- Update to 5.8.1 (#1711920)
+- No more separate strongswan-swanctl.service to start out of order (#1775548)
+- Added strongswan-starter.service
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
+- Updated to 5.7.2
+
+* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
+- Updated to 5.7.1
+- Resolves rhbz#1635872 CVE-2018-16152
+- Resolves rhbz#1635875 CVE-2018-16151
+
+* Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
+- Add plugin bypass-lan, disabled by default
+- Resolves rhbz#1554479 Update to strongswan-charon-nm fails
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue May 29 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-1
+- New version 5.6.3
+
+* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-6
+- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c
+
+* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-5
+- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server
+- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin
+
+* Sun May 20 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.2-3
+- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package
+  sqlite (#1579945)
+
+* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 5.6.2-2
+- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
+
+* Wed Feb 21 2018 Lubomir Rintel <lkundrak@v3.sk> - 5.6.2-1
+- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Dec 22 2017 Paul Wouters <pwouters@redhat.com> - 5.6.1-1
+- Updated to 5.6.1 (RSA-PSS support)
+
+* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 5.6.0-3
+- Rebuilt for libjson-c.so.3
+
+* Fri Dec 01 2017 Lubomir Rintel <lkundrak@v3.sk> - 5.6.0-2
+- Fix the placement of charon-nm D-Bus policy
+
+* Sat Sep 09 2017 Paul Wouters <pwouters@redhat.com> - 5.6.0-1
+- Updated to 5.6.0
+- Fixup configure arguments, enabled a bunch of new features
+- Added new BuildRequires:
+- Fixup Obsolete/Conflicts, use license macro
+- Don't require autoconf/autotools for non-snapshots
+- Remove macro overuse, remove fedora/rhel checks and sysvinit support
+- Make listings/grouping of all plugins/libs to reduce file listing
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 12 2017 Paul Wouters <pwouters@redhat.com> - 5.5.3-1
+- Updated to 5.5.3
+
+* Sat May 27 2017 Paul Wouters <pwouters@redhat.com> - 5.5.2-1
+- Updated to 5.5.2
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Sep 15 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-2
+- Resolves: #1367796 - Enable the unity plugin
+
+* Mon Aug 08 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-1
+- New version 5.5.0
+
+* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com>
+- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters
+
+* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com> - 5.4.0-1
+- New version 5.4.0
+
+* Thu Mar 03 2016 Pavel Šimerda <psimerda@redhat.com> - 5.3.5-1
+- New version 5.3.5
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jan 15 2016 Paul Wouters <pwouters@redhat.com> - 5.3.3-2
+- Enable IKEv2 GCM (requires gcrypt module as well)
+
+* Tue Sep 29 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.3-1
+- new version 5.3.3
+
+* Thu Sep 24 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.2-3
+- Resolves: #1264598 - strongswan: many configuration files are not protected
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 09 2015 Pavel Šimerda <psimerda@redhat.com>
+- new version 5.3.2
+
+* Fri Jun 05 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.1-1
+- new version 5.3.1
+
+* Tue Mar 31 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.0-1
+- new version 5.3.0
+
+* Fri Feb 20 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-2
+- Fixes strongswan swanctl service issue rhbz#1193106
+
+* Tue Jan 06 2015 Pavel Šimerda <psimerda@redhat.com> - 5.2.2-1
+- new version 5.2.2
+
+* Thu Dec 18 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.2.dr1
+- Enabled ccm, and ctr plugins as it seems enabling just openssl does
+  not work for using ccm and ctr algos.
+
+* Mon Dec 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.1.dr1
+- New strongswan developer release 5.2.2dr1
+
+* Mon Nov 24 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-2
+- 1167331: Enabled native systemd support.
+- Does not disable old systemd, starter, ipsec.conf support yet.
+
+* Thu Oct 30 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-1
+- New upstream release 5.2.1
+
+* Thu Oct 16 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-0.2.rc1
+- New upstream release candidate 5.2.1rc1
+
+* Fri Oct 10 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.1-1
+- new version 5.2.1dr1
+
+* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-7
+- use upstream patch for json/json-c dependency
+
+* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-6
+- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Aug 05 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-4
+- Resolves: #1081804 - enable Kernel IPSec support
+
+* Wed Jul 30 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-3
+- rebuilt
+
+* Tue Jul 29 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-2
+- fix json-c dependency
+
+* Tue Jul 15 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0-1
+- New upstream release 5.2.0
+- The Attestation IMC/IMV pair supports the IMA-NG
+  measurement format
+- Aikgen tool to generate an Attestation Identity Key bound
+  to a TPM
+- Swanctl tool to provide a portable, complete IKE
+  configuration and control interface for the command
+  line using vici interface with libvici library
+- PT-EAP transport protocol (RFC 7171) for TNC
+- Enabled support for acert for checking X509 attribute certificate
+- Updated patches, removed selinux patch as upstream has fixed it
+  in this release.
+- Updated spec file with minor cleanups
+
+* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.4.dr6
+- improve prerelease macro
+
+* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.3
+- Resolves: #1111895 - bump to 5.2.0dr6
+
+* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.2
+- Related: #1087437 - remove or upstream all patches not specific to fedora/epel
+
+* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.1.dr5
+- fix the pre-release version according to guidelines before it gets branched
+
+* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr5-1
+- new version 5.2.0dr5
+- add json-c-devel to build deps
+
+* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-3
+- merge two related patches
+
+* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-2
+- clean up the patches a bit
+
+* Thu May 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0dr4-1
+- New upstream developer release 5.2.0dr4
+- Attestation IMV/IMC supports IMA-NG measurement format now
+- Aikgen tool to generate an Attestation Identity Key bound
+  to a TPM
+- PT-EAP transport protocol (RFC 7171) for TNC
+- vici plugin provides IKE Configuration Interface for charon
+- Enabled support for acert for checking X509 attribute certificate
+- Updated patches
+- Updated spec file with minor cleanups
+
+* Tue Apr 15 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3-1
+- new version 5.1.3
+
+* Mon Apr 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3rc1-1
+- new version 5.1.3rc1
+
+* Mon Mar 24 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-4
+- #1069928 - updated libexec patch.
+
+* Tue Mar 18 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-3
+- fixed el6 initscript
+- fixed pki directory location
+
+* Fri Mar 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-2
+- clean up the specfile a bit
+- replace the initscript patch with an individual initscript
+- patch to build for epel6
+
+* Mon Mar 03 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-1
+- #1071353 - bump to 5.1.2
+- #1071338 - strongswan is compiled without xauth-pam plugin
+- remove obsolete patches
+- sent all patches upstream
+- added comments to all patches
+- don't touch the config with sed
+
+* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-6
+- Fixed full hardening for strongswan (full relro and PIE).
+  The previous macros had a typo and did not work
+  (see bz#1067119).
+- Fixed tnc package description to reflect the current state of
+  the package.
+- Fixed pki binary and moved it to /usr/libexece/strongswan as
+  others binaries are there too.
+
+* Wed Feb 19 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-5
+- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
+
+* Thu Jan 09 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-4
+- Removed redundant patches and *.spec commands caused by branch merging
+
+* Wed Jan 08 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-3
+- rebuilt
+
+* Mon Dec 2 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-2
+- Resolves: 973315
+- Resolves: 1036844
+
+* Fri Nov 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-1
+- Support for PT-TLS  (RFC 6876)
+- Support for SWID IMC/IMV
+- Support for command line IKE client charon-cmd
+- Changed location of pki to /usr/bin
+- Added swid tags files
+- Added man pages for pki and charon-cmd
+- Renamed pki to strongswan-pki to avoid conflict with
+  pki-core/pki-tools package.
+- Update local patches
+- Fixes CVE-2013-6075
+- Fixes CVE-2013-6076
+- Fixed autoconf/automake issue as configure.ac got changed
+  and it required running autoreconf during the build process.
+- added strongswan signature file to the sources.
+
+* Thu Sep 12 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-3
+- Fixed initialization crash of IMV and IMC particularly
+  attestation imv/imc as libstrongswas was not getting
+  initialized.
+
+* Fri Aug 30 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-2
+- Enabled fips support
+- Enabled TNC's ifmap support
+- Enabled TNC's pdp support
+- Fixed hardocded package name in this spec file
+
+* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
+- rhbz#981429: New upstream release
+- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
+- Fixes rhbz#991859 failed to build in rawhide
+- Updated local patches and removed which are not needed
+- Fixed errors around charon-nm
+- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
+  libstrongswan-sshkey.so
+- Added utility imv_policy_manager
+
+* Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
+- rename strongswan-NetworkManager to strongswan-charon-nm
+- fix enable_nm macro
+
+* Mon Jul 15 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-4
+- %%files tries to package some of the shared objects as directories (#984437)
+- fix broken systemd unit file (#984300)
+- fix rpmlint error: description-line-too-long
+- fix rpmlint error: macro-in-comment
+- fix rpmlint error: spelling-error Summary(en_US) fuctionality
+- depend on 'systemd' instead of 'systemd-units'
+- use new systemd scriptlet macros
+- NetworkManager subpackage should have a copy of the license (#984490)
+- enable hardened_build as this package meets the PIE criteria (#984429)
+- invocation of "ipsec _updown iptables" is broken as ipsec is renamed
+  to strongswan in this package (#948306)
+- invocation of "ipsec scepclient" is broken as ipsec is renamed
+  to strongswan in this package
+- add /etc/strongswan/ipsec.d and missing subdirectories
+- conditionalize building of strongswan-NetworkManager subpackage as the
+  version of NetworkManager in EL6 is too old (#984497)
+
+* Fri Jun 28 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-3
+- Patch to fix a major crash issue when Freeradius loads
+  attestatiom-imv and does not initialize libstrongswan which
+  causes crash due to calls to PTS algorithms probing APIs.
+  So this patch fixes the order of initialization. This issues
+  does not occur with charon because libstrongswan gets
+  initialized earlier.
+- Patch that allows to outputs errors when there are permission
+  issues when accessing strongswan.conf.
+- Patch to make loading of modules configurable when libimcv
+  is used in stand alone mode without charon with freeradius
+  and wpa_supplicant.
+
+* Tue Jun 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-2
+- Enabled TNCCS 1.1 protocol
+- Fixed libxm2-devel build dependency
+- Patch to fix the issue with loading of plugins
+
+* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
+- New upstream release
+- Fixes for CVE-2013-2944
+- Enabled support for OS IMV/IMC
+- Created and applied a patch to disable ECP in fedora, because
+  Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
+  it non-compliant to TCG's PTS standard, but there is no choice
+  right now. see redhat bz # 319901.
+- Enabled Trousers support for TPM based operations.
+
+* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
+- Rebuilt for a single specfile for rawhide/f19/f18/el6
+
+* Fri Apr 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.3-1
+- New upstream release
+- Enabled curl and eap-identity plugins
+- Enabled support for eap-radius plugin.
+
+* Thu Apr 18 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.2-3
+- Add gettext-devel to BuildRequires because of epel6
+- Remove unnecessary comments
+
+* Tue Mar 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-2
+- Enabled support for eap-radius plugin.
+
+* Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
+- Update to upstream release 5.0.2
+- Created sub package strongswan-tnc-imcvs that provides trusted network
+  connect's IMC and IMV funtionality. Specifically it includes PTS
+  based IMC/IMV for TPM based remote attestation and scanner and test
+  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
+  by any third party TNC Client/Server implementation possessing a
+  standard IF-IMC/IMV interface.
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.1-1
+- Update to release 5.0.1
+
+* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-4.git20120619
+- Add plugins to interoperate with Windows 7 and Android (#862472)
+  (contributed by Haim Gelfenbeyn)
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.0-3.git20120619
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 08 2012 Pavel Šimerda <pavlix@pavlix.net> - 5.0.0-2.git20120619
+- Fix configure substitutions in initscripts
+
+* Wed Jul 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-1.git20120619
+- Update to current upstream release
+- Comment out all stuff that is only needed for git builds
+- Remove renaming patch from git
+- Improve init patch used for EPEL
+
+* Thu Jun 21 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.3.git20120619
+- Build with openssl plugin enabled
+
+* Wed Jun 20 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.2.git20120619
+- Add README.Fedora with link to 4.6 to 5.0 migration information
+
+* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619
+- Snapshot of upcoming major release
+- Move patches and renaming upstream
+  http://wiki.strongswan.org/issues/194
+  http://wiki.strongswan.org/issues/195
+- Notified upstream about manpage issues
+
+* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2
+- Make initscript patch more distro-neutral
+- Add links to bugreports for patches
+
+* Fri Jun 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.4-1
+- New upstream version (CVE-2012-2388)
+
+* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-2
+- Add --enable-nm to configure
+- Add NetworkManager-devel to BuildRequires
+- Add NetworkManager-glib-devel to BuildRequires
+- Add strongswan-NetworkManager package
+
+* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-1
+- New version of Strongswan
+- Support for RFC 3110 DNSKEY (see upstream changelog)
+- Fix corrupt scriptlets
+
+* Fri Mar 30 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-2
+- #808612 - strongswan binary renaming side-effect
+
+* Sun Feb 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-1
+- New upstream version
+- Changed from .tar.gz to .tar.bz2
+- Added libstrongswan-pkcs8.so
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-8
+- Fix initscript's status function
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-7
+- Expand tabs in config files for better readability
+- Add sysvinit script for epel6
+
+* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-6
+- Fix program name in systemd unit file
+
+* Tue Feb 14 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-5
+- Improve fedora/epel conditionals
+
+* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-4
+- Protect configuration directory from ordinary users
+- Add still missing directory /etc/strongswan
+
+* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-3
+- Change directory structure to avoid clashes with Openswan
+- Prefixed all manpages with 'strongswan_'
+- Every file now includes 'strongswan' somewhere in its path
+- Removed conflict with Openswan
+- Finally fix permissions on strongswan.conf
+
+* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-2
+- Change license tag from GPL to GPLv2+
+- Change permissions on /etc/strongswan.conf to 644
+- Rename ipsec.8 manpage to strongswan.8
+- Fix empty scriptlets for non-fedora builds
+- Add ldconfig scriptlet
+- Add missing directories and files
+
+* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.1-1
+- Bump to version 4.6.1
+
+* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.0-3
+- Add systemd scriptlets
+- Add conditions to also support EPEL6
+
+* Sat Dec 10 2011 Pavel Šimerda <pavlix@pavlix.net> - 4.6.0-2
+- Experimental build for development

sources

@@ -1,2 +1,2 @@
-SHA512 (strongswan-5.9.14.tar.bz2) = e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
-SHA512 (strongswan-5.9.14.tar.bz2.sig) = 1b3d57448caab91060fe3d209d90708c57dbf35ae62c97574107b32677cff73f13f7545dc91682ef84400bb8a2f105a1761aba8334763dc8c35d97be7921c242
+SHA512 (strongswan-6.0.2.tar.bz2) = b1ee61b7d0eab40a9fcb5a7e28cfea9050f5f894fa66032edf9511b1e260104870e23fc19329b48be01f03eb491bfc27c9b74838722c80ba0284a48596a68d71
+SHA512 (strongswan-6.0.2.tar.bz2.sig) = 374e16baf4b3ee24966abdb872890eb29da4aa6fc4e8a5e2a67d6099e2a72bad195257e505765cecbfae3a77ea42942fc3cea543b954f1f7b3e415ad536321ff

strongswan-6.0.2-no-isolation.patch

@@ -0,0 +1,12 @@
+diff -Naur strongswan-6.0.2-orig/src/libcharon/plugins/vici/python/Makefile.am strongswan-6.0.2/src/libcharon/plugins/vici/python/Makefile.am
+--- strongswan-6.0.2-orig/src/libcharon/plugins/vici/python/Makefile.am	2025-07-12 02:36:20.000000000 -0400
++++ strongswan-6.0.2/src/libcharon/plugins/vici/python/Makefile.am	2025-09-10 15:31:43.217806666 -0400
+@@ -19,7 +19,7 @@
+ all-local: dist/vici-$(PYTHON_PACKAGE_VERSION)-py3-none-any.whl
+ 
+ dist/vici-$(PYTHON_PACKAGE_VERSION)-py3-none-any.whl: $(EXTRA_DIST) $(srcdir)/setup.py
+-	(cd $(srcdir); $(PYTHON) -m build -o $(abs_builddir)/dist)
++	(cd $(srcdir); $(PYTHON) -m build --no-isolation -o $(abs_builddir)/dist) 
+ 
+ clean-local:
+ 	rm -rf $(srcdir)/setup.py $(srcdir)/vici.egg-info $(builddir)/dist

strongswan-6.0.2-no-md5-b3011e8e.patch

@@ -0,0 +1,514 @@
+From b3011e8e87a1fad1bfb026448fc37b80b7cfc007 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 23 Sep 2025 14:59:37 +0200
+Subject: [PATCH] Remove support for MD2
+
+No part of IKE/IPsec or X.509 uses MD2 anymore, so there really is no
+reason to still support it (unlike MD4 that is used in EAP-MSCHAPv2,
+MD5 that's used in EAP-MD5, or SHA-1 that's used for e.g. NAT-D hashes).
+
+It caused test vectors to fail on systems where OpenSSL is built with
+MD2 support but has it disabled at runtime.
+---
+ src/libstrongswan/asn1/oid.txt                |   4 +-
+ .../credentials/containers/pkcs12.c           |   1 -
+ src/libstrongswan/crypto/hashers/hasher.c     |  15 ---
+ src/libstrongswan/crypto/hashers/hasher.h     |  16 +--
+ src/libstrongswan/crypto/xofs/xof.c           |   1 -
+ .../plugins/gcrypt/gcrypt_hasher.c            |   3 -
+ .../plugins/openssl/openssl_plugin.c          |   3 -
+ .../plugins/pkcs11/pkcs11_hasher.c            |   1 -
+ .../plugins/pkcs11/pkcs11_plugin.c            |   1 -
+ .../plugins/test_vectors/Makefile.am          |   1 -
+ .../plugins/test_vectors/test_vectors.h       |   7 -
+ .../plugins/test_vectors/test_vectors/md2.c   |  64 ---------
+ src/libstrongswan/tests/suites/test_hasher.c  | 127 +++++++++---------
+ 13 files changed, 71 insertions(+), 173 deletions(-)
+ delete mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+
+diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
+index f58a44d326..b9c3189cd2 100644
+--- a/src/libstrongswan/asn1/oid.txt
++++ b/src/libstrongswan/asn1/oid.txt
+@@ -94,7 +94,7 @@
+             0x01             "PKCS"
+               0x01           "PKCS-1"
+                 0x01         "rsaEncryption"			OID_RSA_ENCRYPTION
+-                0x02         "md2WithRSAEncryption"		OID_MD2_WITH_RSA
++                0x02         "md2WithRSAEncryption"
+                 0x04         "md5WithRSAEncryption"		OID_MD5_WITH_RSA
+                 0x05         "sha-1WithRSAEncryption"	OID_SHA1_WITH_RSA
+                 0x07         "id-RSAES-OAEP"			OID_RSAES_OAEP
+@@ -148,7 +148,7 @@
+                     0x05     "secretBag"
+                     0x06     "safeContentsBag"
+             0x02             "digestAlgorithm"
+-              0x02           "md2"						OID_MD2
++              0x02           "md2"
+               0x05           "md5"						OID_MD5
+               0x07           "hmacWithSHA1"				OID_HMAC_SHA1
+               0x08           "hmacWithSHA224"			OID_HMAC_SHA224
+diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
+index d738910077..be0c750393 100644
+--- a/src/libstrongswan/credentials/containers/pkcs12.c
++++ b/src/libstrongswan/credentials/containers/pkcs12.c
+@@ -83,7 +83,6 @@ static bool derive_key(hash_algorithm_t hash, chunk_t unicode, chunk_t salt,
+ 	}
+ 	switch (hash)
+ 	{
+-		case HASH_MD2:
+ 		case HASH_MD5:
+ 		case HASH_SHA1:
+ 		case HASH_SHA224:
+diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
+index 2fed3b4133..444a59c5f0 100644
+--- a/src/libstrongswan/crypto/hashers/hasher.c
++++ b/src/libstrongswan/crypto/hashers/hasher.c
+@@ -30,7 +30,6 @@ ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
+ 	"HASH_IDENTITY");
+ ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"HASH_UNKNOWN",
+-	"HASH_MD2",
+ 	"HASH_MD4",
+ 	"HASH_MD5",
+ 	"HASH_SHA2_224",
+@@ -48,7 +47,6 @@ ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_IDENTITY,
+ 	"identity");
+ ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"unknown",
+-	"md2",
+ 	"md4",
+ 	"md5",
+ 	"sha224",
+@@ -66,7 +64,6 @@ ENUM_BEGIN(hash_algorithm_short_names_upper, HASH_SHA1, HASH_IDENTITY,
+ 	"IDENTITY");
+ ENUM_NEXT(hash_algorithm_short_names_upper, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
+ 	"UNKNOWN",
+-	"MD2",
+ 	"MD4",
+ 	"MD5",
+ 	"SHA2_224",
+@@ -91,8 +88,6 @@ size_t hasher_hash_size(hash_algorithm_t alg)
+ 			return HASH_SIZE_SHA384;
+ 		case HASH_SHA512:
+ 			return HASH_SIZE_SHA512;
+-		case HASH_MD2:
+-			return HASH_SIZE_MD2;
+ 		case HASH_MD4:
+ 			return HASH_SIZE_MD4;
+ 		case HASH_MD5:
+@@ -121,9 +116,6 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
+ {
+ 	switch (oid)
+ 	{
+-		case OID_MD2:
+-		case OID_MD2_WITH_RSA:
+-			return HASH_MD2;
+ 		case OID_MD5:
+ 		case OID_MD5_WITH_RSA:
+ 			return HASH_MD5;
+@@ -323,7 +315,6 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
+ 					return AUTH_HMAC_SHA2_512_512;
+ 			}
+ 			break;
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_SHA224:
+ 		case HASH_SHA3_224:
+@@ -350,7 +341,6 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
+ 		case HASH_SHA512:
+ 			return TRUE;
+ 		case HASH_UNKNOWN:
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_MD5:
+ 		case HASH_SHA1:
+@@ -373,9 +363,6 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
+ 
+ 	switch (alg)
+ 	{
+-		case HASH_MD2:
+-			oid = OID_MD2;
+-			break;
+ 		case HASH_MD5:
+ 			oid = OID_MD5;
+ 			break;
+@@ -422,8 +409,6 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
+ 		case KEY_RSA:
+ 			switch (alg)
+ 			{
+-				case HASH_MD2:
+-					return OID_MD2_WITH_RSA;
+ 				case HASH_MD5:
+ 					return OID_MD5_WITH_RSA;
+ 				case HASH_SHA1:
+diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
+index ad434035da..0a4237cd93 100644
+--- a/src/libstrongswan/crypto/hashers/hasher.h
++++ b/src/libstrongswan/crypto/hashers/hasher.h
+@@ -45,17 +45,15 @@ enum hash_algorithm_t {
+ 	HASH_IDENTITY		= 5,
+ 	/* use private use range for algorithms not defined/permitted by RFC 7427 */
+ 	HASH_UNKNOWN 		= 1024,
+-	HASH_MD2 			= 1025,
+-	HASH_MD4			= 1026,
+-	HASH_MD5 			= 1027,
+-	HASH_SHA224			= 1028,
+-	HASH_SHA3_224		= 1029,
+-	HASH_SHA3_256		= 1030,
+-	HASH_SHA3_384		= 1031,
+-	HASH_SHA3_512		= 1032
++	HASH_MD4			= 1025,
++	HASH_MD5 			= 1026,
++	HASH_SHA224			= 1027,
++	HASH_SHA3_224		= 1028,
++	HASH_SHA3_256		= 1029,
++	HASH_SHA3_384		= 1030,
++	HASH_SHA3_512		= 1031
+ };
+ 
+-#define HASH_SIZE_MD2		16
+ #define HASH_SIZE_MD4		16
+ #define HASH_SIZE_MD5		16
+ #define HASH_SIZE_SHA1		20
+diff --git a/src/libstrongswan/crypto/xofs/xof.c b/src/libstrongswan/crypto/xofs/xof.c
+index 7c1eb37e42..f21e037a5a 100644
+--- a/src/libstrongswan/crypto/xofs/xof.c
++++ b/src/libstrongswan/crypto/xofs/xof.c
+@@ -60,7 +60,6 @@ ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg)
+ 			return XOF_MGF1_SHA3_384;
+ 		case HASH_IDENTITY:
+ 		case HASH_UNKNOWN:
+-		case HASH_MD2:
+ 		case HASH_MD4:
+ 		case HASH_MD5:
+ 			break;
+diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+index 29f86a5139..5e30ac7dc3 100644
+--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
++++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+@@ -92,9 +92,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
+ 
+ 	switch (algo)
+ 	{
+-		case HASH_MD2:
+-			gcrypt_alg = GCRY_MD_MD2;
+-			break;
+ 		case HASH_MD4:
+ 			gcrypt_alg = GCRY_MD_MD4;
+ 			break;
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index c3e1d2e173..ef7fe8908f 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -400,9 +400,6 @@ METHOD(plugin_t, get_features, int,
+ 			PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
+ 		/* hashers */
+ 		PLUGIN_REGISTER(HASHER, openssl_hasher_create),
+-#ifndef OPENSSL_NO_MD2
+-			PLUGIN_PROVIDE(HASHER, HASH_MD2),
+-#endif
+ #ifndef OPENSSL_NO_MD4
+ 			PLUGIN_PROVIDE(HASHER, HASH_MD4),
+ #endif
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+index e5ac18ed8c..409a05a2ab 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+@@ -234,7 +234,6 @@ static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size)
+ 		CK_MECHANISM mechanism;
+ 		size_t size;
+ 	} mappings[] = {
+-		{HASH_MD2,		{CKM_MD2,		NULL, 0},	HASH_SIZE_MD2},
+ 		{HASH_MD5,		{CKM_MD5,		NULL, 0},	HASH_SIZE_MD5},
+ 		{HASH_SHA1,		{CKM_SHA_1,		NULL, 0},	HASH_SIZE_SHA1},
+ 		{HASH_SHA256,	{CKM_SHA256,	NULL, 0},	HASH_SIZE_SHA256},
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+index 5510db99f4..aa27f1e384 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+@@ -189,7 +189,6 @@ METHOD(plugin_t, get_features, int,
+ {
+ 	static plugin_feature_t f_hash[] = {
+ 		PLUGIN_REGISTER(HASHER, pkcs11_hasher_create),
+-			PLUGIN_PROVIDE(HASHER, HASH_MD2),
+ 			PLUGIN_PROVIDE(HASHER, HASH_MD5),
+ 			PLUGIN_PROVIDE(HASHER, HASH_SHA1),
+ 			PLUGIN_PROVIDE(HASHER, HASH_SHA256),
+diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
+index 6074027f7d..eaf6485abc 100644
+--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
++++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
+@@ -37,7 +37,6 @@ libstrongswan_test_vectors_la_SOURCES = \
+ 	test_vectors/rc5.c \
+ 	test_vectors/serpent_cbc.c \
+ 	test_vectors/twofish_cbc.c \
+-	test_vectors/md2.c \
+ 	test_vectors/md4.c \
+ 	test_vectors/md5.c \
+ 	test_vectors/md5_hmac.c \
+diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
+index bf8609cb62..85436ff74a 100644
+--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
++++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
+@@ -160,13 +160,6 @@ TEST_VECTOR_SIGNER(sha512_hmac_s1)
+ TEST_VECTOR_SIGNER(sha512_hmac_s2)
+ TEST_VECTOR_SIGNER(sha512_hmac_s3)
+ 
+-TEST_VECTOR_HASHER(md2_1)
+-TEST_VECTOR_HASHER(md2_2)
+-TEST_VECTOR_HASHER(md2_3)
+-TEST_VECTOR_HASHER(md2_4)
+-TEST_VECTOR_HASHER(md2_5)
+-TEST_VECTOR_HASHER(md2_6)
+-TEST_VECTOR_HASHER(md2_7)
+ TEST_VECTOR_HASHER(md4_1)
+ TEST_VECTOR_HASHER(md4_2)
+ TEST_VECTOR_HASHER(md4_3)
+diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+deleted file mode 100644
+index b2707a1317..0000000000
+--- a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
++++ /dev/null
+@@ -1,64 +0,0 @@
+-/*
+- * Copyright (C) 2009 Martin Willi
+- *
+- * Copyright (C) secunet Security Networks AG
+- *
+- * This program is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License as published by the
+- * Free Software Foundation; either version 2 of the Licenseor (at your
+- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+- *
+- * This program is distributed in the hope that it will be usefulbut
+- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+- * for more details.
+- */
+-
+-#include <crypto/crypto_tester.h>
+-
+-/**
+- * MD2 vectors from RFC 1319
+- */
+-hasher_test_vector_t md2_1 = {
+-	.alg = HASH_MD2, .len = 0,
+-	.data	= "",
+-	.hash	= "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69\x27\x73"
+-};
+-
+-hasher_test_vector_t md2_2 = {
+-	.alg = HASH_MD2, .len = 1,
+-	.data	= "a",
+-	.hash	= "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0\xb5\xd1"
+-};
+-
+-hasher_test_vector_t md2_3 = {
+-	.alg = HASH_MD2, .len = 3,
+-	.data	= "abc",
+-	.hash	= "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde\xd6\xbb"
+-};
+-
+-hasher_test_vector_t md2_4 = {
+-	.alg = HASH_MD2, .len = 14,
+-	.data	= "message digest",
+-	.hash	= "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe\x06\xb0"
+-};
+-
+-hasher_test_vector_t md2_5 = {
+-	.alg = HASH_MD2, .len = 26,
+-	.data	= "abcdefghijklmnopqrstuvwxyz",
+-	.hash	= "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47\x94\x0b"
+-};
+-
+-hasher_test_vector_t md2_6 = {
+-	.alg = HASH_MD2, .len = 62,
+-	.data	= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
+-	.hash	= "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03\x38\xcd"
+-};
+-
+-hasher_test_vector_t md2_7 = {
+-	.alg = HASH_MD2, .len = 80,
+-	.data	= "1234567890123456789012345678901234567890"
+-			  "1234567890123456789012345678901234567890",
+-	.hash	= "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3\xef\xd8"
+-};
+-
+diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
+index c07eed8d93..3bdcc7e3d7 100644
+--- a/src/libstrongswan/tests/suites/test_hasher.c
++++ b/src/libstrongswan/tests/suites/test_hasher.c
+@@ -28,41 +28,39 @@ typedef struct {
+ 	key_type_t key;
+ }hasher_oid_t;
+ 
++/* make sure to adjust offsets in constructor when changing this array */
+ static hasher_oid_t oids[] = {
+-	{ OID_MD2, HASH_MD2, KEY_ANY },                                /*  0 */
+-	{ OID_MD5, HASH_MD5, KEY_ANY },                                /*  1 */
+-	{ OID_SHA1, HASH_SHA1, KEY_ANY },                              /*  2 */
+-	{ OID_SHA224, HASH_SHA224, KEY_ANY },                          /*  3 */
+-	{ OID_SHA256, HASH_SHA256, KEY_ANY },                          /*  4 */
+-	{ OID_SHA384, HASH_SHA384, KEY_ANY },                          /*  5 */
+-	{ OID_SHA512, HASH_SHA512, KEY_ANY },                          /*  6 */
+-	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },                      /*  7 */
+-	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },                      /*  8 */
+-	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },                      /*  9 */
+-	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },                      /* 10 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                        /* 11 */
+-	{ OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },                       /* 12 */
+-	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                       /* 13 */
+-	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },                     /* 14 */
+-	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },                 /* 15 */
+-	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },                 /* 16 */
+-	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },                 /* 17 */
+-	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },                 /* 18 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 19 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 20 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 21 */
+-	{ OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 22 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                        /* 23 */
+-	{ OID_ED25519, HASH_IDENTITY, KEY_ED25519 },                   /* 24 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 },                    /* 25 */
+-	{ OID_ED448, HASH_IDENTITY, KEY_ED448 },                       /* 26 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 },                      /* 27 */
+-	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },                 /* 28 */
+-	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },             /* 29 */
+-	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },             /* 30 */
+-	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },             /* 31 */
+-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },                      /* 32 */
+-
++	{ OID_MD5, HASH_MD5, KEY_ANY },                                /*  0 */
++	{ OID_SHA1, HASH_SHA1, KEY_ANY },                              /*  1 */
++	{ OID_SHA224, HASH_SHA224, KEY_ANY },                          /*  2 */
++	{ OID_SHA256, HASH_SHA256, KEY_ANY },                          /*  3 */
++	{ OID_SHA384, HASH_SHA384, KEY_ANY },                          /*  4 */
++	{ OID_SHA512, HASH_SHA512, KEY_ANY },                          /*  5 */
++	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },                      /*  6 */
++	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },                      /*  7 */
++	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },                      /*  8 */
++	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },                      /*  9 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                        /* 10 */
++	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                       /* 11 */
++	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },                     /* 12 */
++	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },                 /* 13 */
++	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },                 /* 14 */
++	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },                 /* 15 */
++	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },                 /* 16 */
++	{ OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 17 */
++	{ OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 18 */
++	{ OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 19 */
++	{ OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 20 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                        /* 21 */
++	{ OID_ED25519, HASH_IDENTITY, KEY_ED25519 },                   /* 22 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 },                    /* 23 */
++	{ OID_ED448, HASH_IDENTITY, KEY_ED448 },                       /* 24 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 },                      /* 25 */
++	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },                 /* 26 */
++	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },             /* 27 */
++	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },             /* 28 */
++	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },             /* 29 */
++	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },                      /* 30 */
+ };
+ 
+ START_TEST(test_hasher_from_oid)
+@@ -174,32 +172,32 @@ typedef struct {
+ 	size_t length;
+ }hasher_auth_t;
+ 
++/* make sure to adjust offsets in constructor when changing this array */
+ static hasher_auth_t auths[] = {
+-	{ AUTH_UNDEFINED, HASH_MD2, 0 },
+-	{ AUTH_UNDEFINED, HASH_MD4, 0 },
+-	{ AUTH_UNDEFINED, HASH_SHA224, 0 },
+-	{ AUTH_UNDEFINED, 9, 0 },
+-	{ AUTH_UNDEFINED, HASH_UNKNOWN, 0 },
+-	{ AUTH_HMAC_MD5_96, HASH_MD5, 12 },
+-	{ AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },
+-	{ AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },
+-	{ AUTH_HMAC_MD5_128, HASH_MD5, 16 },
+-	{ AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },
+-	{ AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 },
+-	{ AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },
+-	{ AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 },
+-	{ AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 },
+-	{ AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 },
+-	{ AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 },
+-	{ AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 },
+-	{ AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },
+-	{ AUTH_DES_MAC, HASH_UNKNOWN, 0 },
+-	{ AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },
+-	{ 0, HASH_UNKNOWN, 0 }
++	{ AUTH_UNDEFINED, HASH_MD4, 0 },             /*  0 */
++	{ AUTH_UNDEFINED, HASH_SHA224, 0 },          /*  1 */
++	{ AUTH_UNDEFINED, 9, 0 },                    /*  2 */
++	{ AUTH_UNDEFINED, HASH_UNKNOWN, 0 },         /*  3 */
++	{ AUTH_HMAC_MD5_96, HASH_MD5, 12 },          /*  4 */
++	{ AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },        /*  5 */
++	{ AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },  /*  6 */
++	{ AUTH_HMAC_MD5_128, HASH_MD5, 16 },         /*  7 */
++	{ AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },       /*  8 */
++	{ AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 }, /*  9 */
++	{ AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },       /* 10 */
++	{ AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 }, /* 11 */
++	{ AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 }, /* 12 */
++	{ AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 }, /* 13 */
++	{ AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 }, /* 14 */
++	{ AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 }, /* 15 */
++	{ AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },       /* 16 */
++	{ AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },      /* 17 */
++	{ AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },      /* 18 */
++	{ AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },      /* 19 */
++	{ AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },       /* 20 */
++	{ AUTH_DES_MAC, HASH_UNKNOWN, 0 },           /* 21 */
++	{ AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },  /* 22 */
++	{ 0, HASH_UNKNOWN, 0 }                       /* 23 */
+ };
+ 
+ START_TEST(test_hasher_from_integrity)
+@@ -237,7 +235,6 @@ static hasher_ikev2_t ikev2[] = {
+ 	{ HASH_SHA384,   TRUE  },
+ 	{ HASH_SHA512,   TRUE  },
+ 	{ HASH_UNKNOWN,  FALSE },
+-	{ HASH_MD2,      FALSE },
+ 	{ HASH_MD4,      FALSE },
+ 	{ HASH_MD5,      FALSE },
+ 	{ HASH_SHA224,   FALSE },
+@@ -262,15 +259,15 @@ Suite *hasher_suite_create()
+ 	s = suite_create("hasher");
+ 
+ 	tc = tcase_create("from_oid");
+-	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 28);
++	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 26);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("to_oid");
+-	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 12);
++	tcase_add_loop_test(tc, test_hasher_to_oid, 0, 11);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("sig_to_oid");
+-	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 11, countof(oids));
++	tcase_add_loop_test(tc, test_hasher_sig_to_oid, 10, countof(oids));
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("from_sig_scheme");
+@@ -283,11 +280,11 @@ Suite *hasher_suite_create()
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("from_integrity");
+-	tcase_add_loop_test(tc, test_hasher_from_integrity, 4, countof(auths));
++	tcase_add_loop_test(tc, test_hasher_from_integrity, 3, countof(auths));
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("to_integrity");
+-	tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
++	tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 16);
+ 	suite_add_tcase(s, tc);
+ 
+ 	tc = tcase_create("for_ikev2");

strongswan.spec

@@ -2,22 +2,17 @@
 #%%define prerelease dr1
 %global dist .nhrp.11%{?dist}
 
-%bcond_without python3
+# pytho vici bindings cannot build without network, so temp. disabled
+%bcond_with python3
 %bcond_without perl
+# checks fail for test_params_parse_rsa_pss
 %bcond_with    check
 
-%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
-# trousers was retired for F36+ and no longer available in RHEL with 9+
-%bcond_without tss_trousers
-%else
-%bcond_with tss_trousers
-%endif
-
 %global forgeurl0 https://github.com/strongswan/strongswan
 
 Name:           strongswan
-Version:        5.9.14
-Release:        5%{?dist}
+Version:        6.0.2
+Release:        4%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 # Automatically converted from old format: GPLv2+ - review is highly recommended.
 License:        GPL-2.0-or-later
@@ -27,11 +22,13 @@ Source0:        https://download.strongswan.org/strongswan-%{version}%{?prerelea
 Source1:        https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
 Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
 Source3:        tmpfiles-strongswan.conf
-Patch0:         strongswan-5.6.0-uintptr_t.patch
-# https://github.com/strongswan/strongswan/issues/1198
+# https://github.com/strongswan/strongswan/issues/1198  (also pinged upstream via email)
 Patch1:         strongswan-5.9.7-error-no-format.patch
-Patch2:         strongswan-6.0.0-gcc15.patch
-Patch3:         strongswan-6.0.1-gcc15.patch
+# Use isolation to prevent pip attempting to download during build
+Patch2:         strongswan-6.0.2-no-isolation.patch
+# Remove MD2, which causes test case failures due to fedora crypto policies
+# https://github.com/strongswan/strongswan/commit/b3011e8e87a1fad1bfb026448fc37b80b7cfc007
+Patch3:         strongswan-6.0.2-no-md5-b3011e8e.patch
 
 Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
@@ -41,6 +38,7 @@ Patch13:        0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  gnupg2
+BuildRequires:  libtool
 BuildRequires:  make
 BuildRequires:  gcc
 BuildRequires:  systemd
@@ -67,7 +65,9 @@ Recommends:     tpm2-tools
 
 %if %{with python3}
 BuildRequires:  python3-devel
+BuildRequires:  python3-build
 BuildRequires:  python3-setuptools
+BuildRequires:  python3-daemon
 BuildRequires:  python3-pytest
 %endif
 
@@ -76,10 +76,6 @@ BuildRequires:  perl-devel perl-generators
 BuildRequires:  perl(ExtUtils::MakeMaker)
 %endif
 
-%if %{with tss_trousers}
-BuildRequires:  trousers-devel
-%endif
-
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
 Requires(preun): systemd
@@ -162,7 +158,8 @@ for Strongswan runtime configuration from perl applications.
 
 %build
 # only for snapshots
-autoreconf
+export ACLOCAL_PATH=/usr/share/gettext/m4:$ACLOCAL_PATH
+autoreconf -fiv
 
 # --with-ipsecdir moves internal commands to /usr/libexec/strongswan
 # --bindir moves 'pki' command to /usr/libexec/strongswan
@@ -187,6 +184,7 @@ autoreconf
     --enable-gcm \
     --enable-chapoly \
     --enable-md4 \
+    --enable-ml \
     --enable-gcrypt \
     --enable-newhope \
     --enable-xauth-eap \
@@ -242,26 +240,23 @@ autoreconf
     --enable-vici \
     --enable-swanctl \
     --enable-duplicheck \
+    --enable-selinux \
+    --enable-stroke \
 %ifarch x86_64 %{ix86}
     --enable-aesni \
 %endif
 %if %{with python3}
-    PYTHON=%{python3} --enable-python-eggs \
+    PYTHON=%{python3} --enable-python-wheels \
 %endif
 %if %{with perl}
     --enable-perl-cpan \
 %endif
 %if %{with check}
     --enable-test-vectors \
-%endif
-%if %{with tss_trousers}
-    --enable-tss-trousers \
-    --enable-aikgen \
 %endif
     --enable-kernel-libipsec \
     --with-capabilities=libcap \
     CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
-# TODO: --enable-python-eggs-install not python3 ready
 
 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
@@ -301,8 +296,8 @@ pushd src/libcharon/plugins/vici
   pushd python
     # TODO: --enable-python-eggs breaks our previous build. Do it now
     # propose better way to upstream
-    %py3_build
-    %py3_install
+    %pyproject_wheel
+    %pyproject_install
   popd
 %endif
 %if %{with perl}
@@ -331,7 +326,6 @@ install -d -m 0700 %{buildroot}%{_rundir}/strongswan
 install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
 install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
 
-
 %check
 %if %{with check}
   # Seen some tests hang. Ensure we do not block builder forever
@@ -370,6 +364,7 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %{_sbindir}/strongswan
 %{_sbindir}/swanctl
 %{_libdir}/strongswan/*.so.*
+%{_libdir}/strongswan/plugins/*.so.*
 %exclude %{_libdir}/strongswan/libimcv.so.*
 %exclude %{_libdir}/strongswan/libtnccs.so.*
 %exclude %{_libdir}/strongswan/libipsec.so.*
@@ -419,7 +414,7 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %license COPYING
 %doc src/libcharon/plugins/vici/python/README.rst
 %{python3_sitelib}/vici
-%{python3_sitelib}/vici-%{version}-py*.egg-info
+%{python3_sitelib}/vici-%{version}.dist-info
 %endif
 
 %if %{with perl}
@@ -429,641 +424,4 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif
 
 %changelog
-* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
-- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
-
-* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
-- convert license to SPDX
-
-* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
-- Rebuilt for Python 3.13
-
-* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
-- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
-- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
-- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
-- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
-
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
-- Resolves: rhbz#2214186 strongswan-5.9.11 is available
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
-- Rebuilt for Python 3.12
-
-* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
-- Update to 5.9.10
-
-* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
-- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
-
-* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
-- Use configure paths in manual pages (#2106120)
-
-* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
-- Update to 5.9.9 (#2157850)
-
-* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
-- Add BR perl-generators to automatically generates run-time dependencies
-  for installed Perl files
-
-* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
-- Resolves rhbz#2112274 strongswan-5.9.8 is available
-- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
-- Add BuildRequire for autoconf and automake, now required for release
-- Remove obsolete patches
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
-- Resolves rhbz#2080070 strongswan-5.9.6 is available
-- Fixed missing format string in enum_flags_to_string()
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
-- Rebuilt for Python 3.11
-
-* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
-- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
-
-* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
-- Use newly published/cleaned strongswan gpg key
-
-* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
-- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
-- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
-- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
-
-* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
-- Resolves rhbz#1419441 Add python and perl vici bindings
-- Adds optional tests run
-
-* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
-- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
-- Return to using tmpfiles, but extend to cover strongswan-starter service too
-- Cleanup old patches
-
-* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
-- Resolves: rhbz#2015165 strongswan-5.9.4 is available
-- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
-- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
-- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
-- Rebuilt with OpenSSL 3.0.0
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
-- Rebuild for versioned symbols in json-c
-
-* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
-- Resolves: rhbz#1979574 strongswan-5.9.3 is available
-- Make strongswan main dir world readable so apps can find strongswan.conf
-
-* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
-- Resolves: rhbz#1896545 strongswan-5.9.2 is available
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
-- Resolves: rhbz#1896545 strongswan-5.9.1 is available
-
-* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
-- Build with with capabilities support
-- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
-- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
-
-* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
-- Resolves: rhbz#1861747 strongswan-5.9.0 is available
-- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
-  (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
-- Rebuild (json-c)
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
-- Patch0: Add RuntimeDirectory options to service files (#1789263)
-
-* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
-- Updated to 5.8.4
-- Patch4 has been applied upstream
-
-* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
-- Patch to declare a global variable with extern (#1800117)
-
-* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
-- use tmpfile to ensure rundir is present
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
-- Use /run/strongswan as rundir to support strongswans in namespaces
-
-* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
-- Update to 5.8.2 (#1784457)
-- The D-Bus config file moved under datadir
-
-* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
-- Update to 5.8.1 (#1711920)
-- No more separate strongswan-swanctl.service to start out of order (#1775548)
-- Added strongswan-starter.service
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
-- Updated to 5.7.2
-
-* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
-- Updated to 5.7.1
-- Resolves rhbz#1635872 CVE-2018-16152
-- Resolves rhbz#1635875 CVE-2018-16151
-
-* Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
-- Add plugin bypass-lan, disabled by default
-- Resolves rhbz#1554479 Update to strongswan-charon-nm fails
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Tue May 29 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-1
-- New version 5.6.3
-
-* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-6
-- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c
-
-* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-5
-- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server
-- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin
-
-* Sun May 20 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.2-3
-- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package
-  sqlite (#1579945)
-
-* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 5.6.2-2
-- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
-
-* Wed Feb 21 2018 Lubomir Rintel <lkundrak@v3.sk> - 5.6.2-1
-- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm)
-
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Fri Dec 22 2017 Paul Wouters <pwouters@redhat.com> - 5.6.1-1
-- Updated to 5.6.1 (RSA-PSS support)
-
-* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 5.6.0-3
-- Rebuilt for libjson-c.so.3
-
-* Fri Dec 01 2017 Lubomir Rintel <lkundrak@v3.sk> - 5.6.0-2
-- Fix the placement of charon-nm D-Bus policy
-
-* Sat Sep 09 2017 Paul Wouters <pwouters@redhat.com> - 5.6.0-1
-- Updated to 5.6.0
-- Fixup configure arguments, enabled a bunch of new features
-- Added new BuildRequires:
-- Fixup Obsolete/Conflicts, use license macro
-- Don't require autoconf/autotools for non-snapshots
-- Remove macro overuse, remove fedora/rhel checks and sysvinit support
-- Make listings/grouping of all plugins/libs to reduce file listing
-
-* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Mon Jun 12 2017 Paul Wouters <pwouters@redhat.com> - 5.5.3-1
-- Updated to 5.5.3
-
-* Sat May 27 2017 Paul Wouters <pwouters@redhat.com> - 5.5.2-1
-- Updated to 5.5.2
-
-* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Thu Sep 15 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-2
-- Resolves: #1367796 - Enable the unity plugin
-
-* Mon Aug 08 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-1
-- New version 5.5.0
-
-* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com>
-- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters
-
-* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com> - 5.4.0-1
-- New version 5.4.0
-
-* Thu Mar 03 2016 Pavel Šimerda <psimerda@redhat.com> - 5.3.5-1
-- New version 5.3.5
-
-* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Fri Jan 15 2016 Paul Wouters <pwouters@redhat.com> - 5.3.3-2
-- Enable IKEv2 GCM (requires gcrypt module as well)
-
-* Tue Sep 29 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.3-1
-- new version 5.3.3
-
-* Thu Sep 24 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.2-3
-- Resolves: #1264598 - strongswan: many configuration files are not protected
-
-* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Tue Jun 09 2015 Pavel Šimerda <psimerda@redhat.com>
-- new version 5.3.2
-
-* Fri Jun 05 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.1-1
-- new version 5.3.1
-
-* Tue Mar 31 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.0-1
-- new version 5.3.0
-
-* Fri Feb 20 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-2
-- Fixes strongswan swanctl service issue rhbz#1193106
-
-* Tue Jan 06 2015 Pavel Šimerda <psimerda@redhat.com> - 5.2.2-1
-- new version 5.2.2
-
-* Thu Dec 18 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.2.dr1
-- Enabled ccm, and ctr plugins as it seems enabling just openssl does
-  not work for using ccm and ctr algos.
-
-* Mon Dec 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.1.dr1
-- New strongswan developer release 5.2.2dr1
-
-* Mon Nov 24 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-2
-- 1167331: Enabled native systemd support.
-- Does not disable old systemd, starter, ipsec.conf support yet.
-
-* Thu Oct 30 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-1
-- New upstream release 5.2.1
-
-* Thu Oct 16 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-0.2.rc1
-- New upstream release candidate 5.2.1rc1
-
-* Fri Oct 10 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.1-1
-- new version 5.2.1dr1
-
-* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-7
-- use upstream patch for json/json-c dependency
-
-* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-6
-- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin
-
-* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.0-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Tue Aug 05 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-4
-- Resolves: #1081804 - enable Kernel IPSec support
-
-* Wed Jul 30 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-3
-- rebuilt
-
-* Tue Jul 29 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-2
-- fix json-c dependency
-
-* Tue Jul 15 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0-1
-- New upstream release 5.2.0
-- The Attestation IMC/IMV pair supports the IMA-NG
-  measurement format
-- Aikgen tool to generate an Attestation Identity Key bound
-  to a TPM
-- Swanctl tool to provide a portable, complete IKE
-  configuration and control interface for the command
-  line using vici interface with libvici library
-- PT-EAP transport protocol (RFC 7171) for TNC
-- Enabled support for acert for checking X509 attribute certificate
-- Updated patches, removed selinux patch as upstream has fixed it
-  in this release.
-- Updated spec file with minor cleanups
-
-* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.4.dr6
-- improve prerelease macro
-
-* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.3
-- Resolves: #1111895 - bump to 5.2.0dr6
-
-* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.2
-- Related: #1087437 - remove or upstream all patches not specific to fedora/epel
-
-* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.1.dr5
-- fix the pre-release version according to guidelines before it gets branched
-
-* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr5-1
-- new version 5.2.0dr5
-- add json-c-devel to build deps
-
-* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-3
-- merge two related patches
-
-* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-2
-- clean up the patches a bit
-
-* Thu May 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0dr4-1
-- New upstream developer release 5.2.0dr4
-- Attestation IMV/IMC supports IMA-NG measurement format now
-- Aikgen tool to generate an Attestation Identity Key bound
-  to a TPM
-- PT-EAP transport protocol (RFC 7171) for TNC
-- vici plugin provides IKE Configuration Interface for charon
-- Enabled support for acert for checking X509 attribute certificate
-- Updated patches
-- Updated spec file with minor cleanups
-
-* Tue Apr 15 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3-1
-- new version 5.1.3
-
-* Mon Apr 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3rc1-1
-- new version 5.1.3rc1
-
-* Mon Mar 24 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-4
-- #1069928 - updated libexec patch.
-
-* Tue Mar 18 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-3
-- fixed el6 initscript
-- fixed pki directory location
-
-* Fri Mar 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-2
-- clean up the specfile a bit
-- replace the initscript patch with an individual initscript
-- patch to build for epel6
-
-* Mon Mar 03 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-1
-- #1071353 - bump to 5.1.2
-- #1071338 - strongswan is compiled without xauth-pam plugin
-- remove obsolete patches
-- sent all patches upstream
-- added comments to all patches
-- don't touch the config with sed
-
-* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-6
-- Fixed full hardening for strongswan (full relro and PIE).
-  The previous macros had a typo and did not work
-  (see bz#1067119).
-- Fixed tnc package description to reflect the current state of
-  the package.
-- Fixed pki binary and moved it to /usr/libexece/strongswan as
-  others binaries are there too.
-
-* Wed Feb 19 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-5
-- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
-
-* Thu Jan 09 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-4
-- Removed redundant patches and *.spec commands caused by branch merging
-
-* Wed Jan 08 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-3
-- rebuilt
-
-* Mon Dec 2 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-2
-- Resolves: 973315
-- Resolves: 1036844
-
-* Fri Nov 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-1
-- Support for PT-TLS  (RFC 6876)
-- Support for SWID IMC/IMV
-- Support for command line IKE client charon-cmd
-- Changed location of pki to /usr/bin
-- Added swid tags files
-- Added man pages for pki and charon-cmd
-- Renamed pki to strongswan-pki to avoid conflict with
-  pki-core/pki-tools package.
-- Update local patches
-- Fixes CVE-2013-6075
-- Fixes CVE-2013-6076
-- Fixed autoconf/automake issue as configure.ac got changed
-  and it required running autoreconf during the build process.
-- added strongswan signature file to the sources.
-
-* Thu Sep 12 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-3
-- Fixed initialization crash of IMV and IMC particularly
-  attestation imv/imc as libstrongswas was not getting
-  initialized.
-
-* Fri Aug 30 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-2
-- Enabled fips support
-- Enabled TNC's ifmap support
-- Enabled TNC's pdp support
-- Fixed hardocded package name in this spec file
-
-* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
-- rhbz#981429: New upstream release
-- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
-- Fixes rhbz#991859 failed to build in rawhide
-- Updated local patches and removed which are not needed
-- Fixed errors around charon-nm
-- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
-  libstrongswan-sshkey.so
-- Added utility imv_policy_manager
-
-* Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
-- rename strongswan-NetworkManager to strongswan-charon-nm
-- fix enable_nm macro
-
-* Mon Jul 15 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-4
-- %%files tries to package some of the shared objects as directories (#984437)
-- fix broken systemd unit file (#984300)
-- fix rpmlint error: description-line-too-long
-- fix rpmlint error: macro-in-comment
-- fix rpmlint error: spelling-error Summary(en_US) fuctionality
-- depend on 'systemd' instead of 'systemd-units'
-- use new systemd scriptlet macros
-- NetworkManager subpackage should have a copy of the license (#984490)
-- enable hardened_build as this package meets the PIE criteria (#984429)
-- invocation of "ipsec _updown iptables" is broken as ipsec is renamed
-  to strongswan in this package (#948306)
-- invocation of "ipsec scepclient" is broken as ipsec is renamed
-  to strongswan in this package
-- add /etc/strongswan/ipsec.d and missing subdirectories
-- conditionalize building of strongswan-NetworkManager subpackage as the
-  version of NetworkManager in EL6 is too old (#984497)
-
-* Fri Jun 28 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-3
-- Patch to fix a major crash issue when Freeradius loads
-  attestatiom-imv and does not initialize libstrongswan which
-  causes crash due to calls to PTS algorithms probing APIs.
-  So this patch fixes the order of initialization. This issues
-  does not occur with charon because libstrongswan gets
-  initialized earlier.
-- Patch that allows to outputs errors when there are permission
-  issues when accessing strongswan.conf.
-- Patch to make loading of modules configurable when libimcv
-  is used in stand alone mode without charon with freeradius
-  and wpa_supplicant.
-
-* Tue Jun 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-2
-- Enabled TNCCS 1.1 protocol
-- Fixed libxm2-devel build dependency
-- Patch to fix the issue with loading of plugins
-
-* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
-- New upstream release
-- Fixes for CVE-2013-2944
-- Enabled support for OS IMV/IMC
-- Created and applied a patch to disable ECP in fedora, because
-  Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
-  it non-compliant to TCG's PTS standard, but there is no choice
-  right now. see redhat bz # 319901.
-- Enabled Trousers support for TPM based operations.
-
-* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
-- Rebuilt for a single specfile for rawhide/f19/f18/el6
-
-* Fri Apr 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.3-1
-- New upstream release
-- Enabled curl and eap-identity plugins
-- Enabled support for eap-radius plugin.
-
-* Thu Apr 18 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.2-3
-- Add gettext-devel to BuildRequires because of epel6
-- Remove unnecessary comments
-
-* Tue Mar 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-2
-- Enabled support for eap-radius plugin.
-
-* Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
-- Update to upstream release 5.0.2
-- Created sub package strongswan-tnc-imcvs that provides trusted network
-  connect's IMC and IMV funtionality. Specifically it includes PTS
-  based IMC/IMV for TPM based remote attestation and scanner and test
-  IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
-  by any third party TNC Client/Server implementation possessing a
-  standard IF-IMC/IMV interface.
-
-* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
-
-* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.1-1
-- Update to release 5.0.1
-
-* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-4.git20120619
-- Add plugins to interoperate with Windows 7 and Android (#862472)
-  (contributed by Haim Gelfenbeyn)
-
-* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.0-3.git20120619
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Sun Jul 08 2012 Pavel Šimerda <pavlix@pavlix.net> - 5.0.0-2.git20120619
-- Fix configure substitutions in initscripts
-
-* Wed Jul 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-1.git20120619
-- Update to current upstream release
-- Comment out all stuff that is only needed for git builds
-- Remove renaming patch from git
-- Improve init patch used for EPEL
-
-* Thu Jun 21 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.3.git20120619
-- Build with openssl plugin enabled
-
-* Wed Jun 20 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.2.git20120619
-- Add README.Fedora with link to 4.6 to 5.0 migration information
-
-* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619
-- Snapshot of upcoming major release
-- Move patches and renaming upstream
-  http://wiki.strongswan.org/issues/194
-  http://wiki.strongswan.org/issues/195
-- Notified upstream about manpage issues
-
-* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2
-- Make initscript patch more distro-neutral
-- Add links to bugreports for patches
-
-* Fri Jun 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.4-1
-- New upstream version (CVE-2012-2388)
-
-* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-2
-- Add --enable-nm to configure
-- Add NetworkManager-devel to BuildRequires
-- Add NetworkManager-glib-devel to BuildRequires
-- Add strongswan-NetworkManager package
-
-* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-1
-- New version of Strongswan
-- Support for RFC 3110 DNSKEY (see upstream changelog)
-- Fix corrupt scriptlets
-
-* Fri Mar 30 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-2
-- #808612 - strongswan binary renaming side-effect
-
-* Sun Feb 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-1
-- New upstream version
-- Changed from .tar.gz to .tar.bz2
-- Added libstrongswan-pkcs8.so
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-8
-- Fix initscript's status function
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-7
-- Expand tabs in config files for better readability
-- Add sysvinit script for epel6
-
-* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-6
-- Fix program name in systemd unit file
-
-* Tue Feb 14 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-5
-- Improve fedora/epel conditionals
-
-* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-4
-- Protect configuration directory from ordinary users
-- Add still missing directory /etc/strongswan
-
-* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-3
-- Change directory structure to avoid clashes with Openswan
-- Prefixed all manpages with 'strongswan_'
-- Every file now includes 'strongswan' somewhere in its path
-- Removed conflict with Openswan
-- Finally fix permissions on strongswan.conf
-
-* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-2
-- Change license tag from GPL to GPLv2+
-- Change permissions on /etc/strongswan.conf to 644
-- Rename ipsec.8 manpage to strongswan.8
-- Fix empty scriptlets for non-fedora builds
-- Add ldconfig scriptlet
-- Add missing directories and files
-
-* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.1-1
-- Bump to version 4.6.1
-
-* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.0-3
-- Add systemd scriptlets
-- Add conditions to also support EPEL6
-
-* Sat Dec 10 2011 Pavel Šimerda <pavlix@pavlix.net> - 4.6.0-2
-- Experimental build for development
+%autochangelog