Patch vici for NHRP

.gitignore

@@ -3,4 +3,3 @@
 /strongswan-5.9.1.tar.bz2
 /strongswan-5.9.2.tar.bz2
 /strongswan-5.9.3.tar.bz2
-/strongswan-5.9.4.tar.bz2

sources

@@ -1 +1 @@
-SHA512 (strongswan-5.9.4.tar.bz2) = 796356c1d5c1ad410f0ed944ab4a131076d26f120ec6fa57796fe4060b0741201199625883ddc9ebd8a7ad299495f073cec76a6780ebd8f375605aae16750cf3
+SHA512 (strongswan-5.9.3.tar.bz2) = 09bd78225415422c8f55c9f0dea2ca70111f42f0deacfaaac30c422109ff64180f6a6a47c6bc54238e8403f0b2f8520122c1eabbeda3f915427fadb838a5df51

strongswan-5.6.2-CVE-2018-5388.patch

@@ -0,0 +1,15 @@
+diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
+--- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
++++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
+@@ -628,6 +628,11 @@
+ 		return FALSE;
+ 	}
+ 
++	if (len < offsetof(stroke_msg_t, buffer))
++	{
++		DBG1(DBG_CFG, "invalid stroke message length %d", len);
++		return FALSE;
++	}
+ 	/* read message (we need an additional byte to terminate the buffer) */
+ 	msg = malloc(len + 1);
+ 	msg->length = len;

strongswan-5.8.4-runtime-dir.patch

@@ -0,0 +1,24 @@
+diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
+--- strongswan-5.8.4.orig/init/systemd/strongswan.service.in	2019-08-27 16:26:53.000000000 +0300
++++ strongswan-5.8.4/init/systemd/strongswan.service.in	2020-04-12 12:05:57.383596844 +0300
+@@ -9,6 +9,8 @@
+ ExecReload=@SBINDIR@/swanctl --reload
+ ExecReload=@SBINDIR@/swanctl --load-all --noprompt
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
+--- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in	2019-08-27 16:26:53.000000000 +0300
++++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in	2020-04-12 12:05:51.810559482 +0300
+@@ -6,6 +6,8 @@
+ ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
+ StandardOutput=syslog
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target

strongswan-5.9.1-runtime-dir.patch

@@ -0,0 +1,12 @@
+diff -Naur strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in
+--- strongswan-5.9.1-orig/init/systemd-starter/strongswan-starter.service.in	2020-10-16 08:36:37.000000000 -0400
++++ strongswan-5.9.1/init/systemd-starter/strongswan-starter.service.in	2021-02-12 14:06:09.985042362 -0500
+@@ -5,6 +5,8 @@
+ [Service]
+ ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target

strongswan.spec

@@ -3,14 +3,16 @@
 %global dist .nhrp.9%{?dist}
 
 Name:           strongswan
-Version:        5.9.4
+Version:        5.9.3
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            http://www.strongswan.org/
-Source0:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
 Source1:        tmpfiles-strongswan.conf
-Patch0:         strongswan-5.6.0-uintptr_t.patch
+Patch0:         strongswan-5.9.1-runtime-dir.patch
+Patch1:         strongswan-5.6.0-uintptr_t.patch
+Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
 
 Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
@@ -37,8 +39,6 @@ BuildRequires:  libgcrypt-devel
 BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
 BuildRequires:  libcap-devel
-BuildRequires:  tpm2-tss-devel
-Recommends:     tpm2-tools
 
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -59,8 +59,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
+Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
+Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -68,14 +68,14 @@ to NetworkManager.
 
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: strongswan = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: strongswan = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
-Requires: strongswan-sqlite = %{version}-%{release}
+Requires: %{name}-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -89,6 +89,8 @@ PT-TLS to support TNC over TLS.
 %prep
 %setup -q -n %{name}-%{version}%{?prerelease}
 %patch0 -p1
+%patch1 -p1
+%patch3 -p1
 
 %patch10 -p1
 %patch11 -p1
@@ -215,16 +217,15 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
 install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
-install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
 
 %post
-%systemd_post strongswan.service strongswan-starter.service
+%systemd_post %{name}.service
 
 %preun
-%systemd_preun strongswan.service strongswan-starter.service
+%systemd_preun %{name}.service
 
 %postun
-%systemd_postun_with_restart strongswan.service strongswan-starter.service
+%systemd_postun_with_restart %{name}.service
 
 %files
 %doc README NEWS TODO ChangeLog
@@ -259,7 +260,6 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
 %attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
-%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -287,26 +287,6 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %{_libexecdir}/strongswan/charon-nm
 
 %changelog
-* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
-- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
-- Return to using tmpfiles, but extend to cover strongswan-starter service too
-- Cleanup old patches
-
-* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
-- Resolves: rhbz#2015165 strongswan-5.9.4 is available
-- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
-- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
-- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
-- Rebuilt with OpenSSL 3.0.0
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
-- Rebuild for versioned symbols in json-c
-
 * Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
 - Resolves: rhbz#1979574 strongswan-5.9.3 is available
 - Make strongswan main dir world readable so apps can find strongswan.conf