nhrp: Remove unused patches

- Resolves: rhbz#1886759 charon looking for certificates in the wrong place

.gitignore

@@ -1,6 +1,2 @@
 /strongswan-5.8.4.tar.bz2
 /strongswan-5.9.0.tar.bz2
-/strongswan-5.9.1.tar.bz2
-/strongswan-5.9.2.tar.bz2
-/strongswan-5.9.3.tar.bz2
-/strongswan-5.9.4.tar.bz2

0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch

@@ -0,0 +1,104 @@
+From ffc2fc151cf78204bd482340dee7c5e7d0c24e51 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 17 Jul 2015 11:53:58 +0200
+Subject: [PATCH 1/5] ike: Adhere to IKE_SA limit when checking out by config
+
+This prevents new SAs from getting created if we hit the global IKE_SA
+limit (we still allow checkout_new(), which is used for rekeying).
+---
+ src/libcharon/sa/ike_sa_manager.c | 71 ++++++++++++++++---------------
+ 1 file changed, 37 insertions(+), 34 deletions(-)
+
+diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
+index f95ff19af..1e0ae42fe 100644
+--- a/src/libcharon/sa/ike_sa_manager.c
++++ b/src/libcharon/sa/ike_sa_manager.c
+@@ -1434,48 +1434,51 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 
+ 	DBG2(DBG_MGR, "checkout IKE_SA by config");
+ 
+-	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+-	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
+-		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
+-		charon->bus->set_sa(charon->bus, ike_sa);
+-		goto out;
+-	}
+-
+-	enumerator = create_table_enumerator(this);
+-	while (enumerator->enumerate(enumerator, &entry, &segment))
++	if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
+ 	{
+-		if (!wait_for_entry(this, entry, segment))
++		enumerator = create_table_enumerator(this);
++		while (enumerator->enumerate(enumerator, &entry, &segment))
+ 		{
+-			continue;
+-		}
+-		if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
+-			entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
+-		{	/* skip IKE_SAs which are not usable, wake other waiting threads */
+-			entry->condvar->signal(entry->condvar);
+-			continue;
+-		}
+-
+-		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+-		if (current_peer && current_peer->equals(current_peer, peer_cfg))
+-		{
+-			current_ike = current_peer->get_ike_cfg(current_peer);
+-			if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
++			if (!wait_for_entry(this, entry, segment))
+ 			{
+-				entry->checked_out = thread_current();
+-				ike_sa = entry->ike_sa;
+-				DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
+-						ike_sa->get_unique_id(ike_sa),
+-						current_peer->get_name(current_peer));
+-				break;
++				continue;
+ 			}
++			if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING ||
++				entry->ike_sa->get_state(entry->ike_sa) == IKE_REKEYED)
++			{	/* skip IKE_SAs which are not usable, wake other waiting threads */
++				entry->condvar->signal(entry->condvar);
++				continue;
++			}
++			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
++			if (current_peer && current_peer->equals(current_peer, peer_cfg))
++			{
++				current_ike = current_peer->get_ike_cfg(current_peer);
++				if (current_ike->equals(current_ike,
++										peer_cfg->get_ike_cfg(peer_cfg)))
++				{
++					entry->checked_out = thread_current();
++					ike_sa = entry->ike_sa;
++					DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
++							ike_sa->get_unique_id(ike_sa),
++							current_peer->get_name(current_peer));
++					break;
++				}
++			}
++			/* other threads might be waiting for this entry */
++			entry->condvar->signal(entry->condvar);
+ 		}
+-		/* other threads might be waiting for this entry */
+-		entry->condvar->signal(entry->condvar);
++		enumerator->destroy(enumerator);
+ 	}
+-	enumerator->destroy(enumerator);
+ 
+ 	if (!ike_sa)
+-	{	/* no IKE_SA using such a config, hand out a new */
++	{	/* no IKE_SA using such a config, or reuse disabled, hand out a new */
++		if (this->ikesa_limit &&
++			this->public.get_count(&this->public) >= this->ikesa_limit)
++		{
++			DBG1(DBG_MGR, "IKE_SA creation failed, hitting IKE_SA limit (%u)",
++				 this->ikesa_limit);
++			return NULL;
++		}
+ 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
+ 	}
+ 	charon->bus->set_sa(charon->bus, ike_sa);
+-- 
+2.30.2
+

0002-charon-add-optional-source-and-remote-overrides-for-.patch

@@ -1,7 +1,7 @@
-From c2e02e7aa1aead5f5c9c6ceef7f3569d90deb20f Mon Sep 17 00:00:00 2001
+From 07e7ae0c9a9cac8c16361dc73412867d7a303054 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:41:58 +0300
-Subject: [PATCH 1/4] charon: add optional source and remote overrides for
+Subject: [PATCH 2/5] charon: add optional source and remote overrides for
  initiate
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -18,26 +18,17 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
  src/charon-cmd/cmd/cmd_connection.c           |  2 +-
  src/charon-nm/nm/nm_service.c                 |  2 +-
- src/conftest/actions.c                        |  2 +-
+ src/libcharon/control/controller.c            | 43 +++++++++++++-
- .../backend/android_service.c                 |  2 +-
- src/frontends/osx/charon-xpc/xpc_dispatch.c   |  1 +
- src/libcharon/control/controller.c            | 44 ++++++++++++-
  src/libcharon/control/controller.h            |  3 +
- .../plugins/load_tester/load_tester_control.c |  1 +
- .../plugins/load_tester/load_tester_plugin.c  |  1 +
- src/libcharon/plugins/medcli/medcli_config.c  |  3 +-
- src/libcharon/plugins/smp/smp.c               |  3 +-
  src/libcharon/plugins/stroke/stroke_control.c |  5 +-
- src/libcharon/plugins/uci/uci_control.c       |  1 +
  src/libcharon/plugins/vici/vici_config.c      |  2 +-
- src/libcharon/plugins/vici/vici_control.c     | 61 ++++++++++++++++---
+ src/libcharon/plugins/vici/vici_control.c     | 59 +++++++++++++++++--
- .../processing/jobs/initiate_mediation_job.c  |  1 +
  .../processing/jobs/start_action_job.c        |  2 +-
- src/libcharon/sa/ike_sa_manager.c             | 49 ++++++++++++++-
+ src/libcharon/sa/ike_sa_manager.c             | 51 +++++++++++++++-
  src/libcharon/sa/ike_sa_manager.h             |  8 ++-
- src/libcharon/sa/trap_manager.c               | 44 ++++++-------
+ src/libcharon/sa/trap_manager.c               | 45 ++++++--------
- src/swanctl/commands/initiate.c               | 40 +++++++++++-
+ src/swanctl/commands/initiate.c               | 40 ++++++++++++-
- 21 files changed, 227 insertions(+), 50 deletions(-)
+ 12 files changed, 217 insertions(+), 45 deletions(-)
 
 diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
 index 0481d78d4..805d6f198 100644
@@ -53,33 +44,20 @@ index 0481d78d4..805d6f198 100644
  		terminate(pid);
  	}
 diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
-index 2d93b2fae..482170d76 100644
+index 83fcaf898..187953b29 100644
 --- a/src/charon-nm/nm/nm_service.c
 +++ b/src/charon-nm/nm/nm_service.c
-@@ -883,7 +883,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
+@@ -864,7 +864,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
  	 * Prepare IKE_SA
  	 */
  	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 -														peer_cfg);
 +														peer_cfg, NULL, NULL);
- 	peer_cfg->destroy(peer_cfg);
  	if (!ike_sa)
  	{
-diff --git a/src/conftest/actions.c b/src/conftest/actions.c
+ 		peer_cfg->destroy(peer_cfg);
-index 66e41f743..64ef8e9ee 100644
---- a/src/conftest/actions.c
-+++ b/src/conftest/actions.c
-@@ -65,7 +65,7 @@ static job_requeue_t initiate(char *config)
- 	{
- 		DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
- 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
--									 NULL, NULL, 0, FALSE);
-+									 NULL, NULL, NULL, NULL, 0, FALSE);
- 	}
- 	else
- 	{
 diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index 46b065e3f..fbaff8730 100644
+index 0c86275e2..baa83f440 100644
 --- a/src/libcharon/control/controller.c
 +++ b/src/libcharon/control/controller.c
 @@ -15,6 +15,28 @@
@@ -128,7 +106,7 @@ index 46b065e3f..fbaff8730 100644
  	/**
  	 * unique ID, used for various methods
  	 */
-@@ -414,10 +446,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -414,9 +446,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  	ike_sa_t *ike_sa;
  	interface_listener_t *listener = &job->listener;
  	peer_cfg_t *peer_cfg = listener->peer_cfg;
@@ -138,15 +116,13 @@ index 46b065e3f..fbaff8730 100644
  	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
 -														peer_cfg);
 +														peer_cfg, my_host, other_host);
- 	peer_cfg->destroy(peer_cfg);
++	DESTROY_IF(my_host);
-+
++	DESTROY_IF(other_host);
-+	if (my_host) my_host->destroy(my_host);
-+	if (other_host) other_host->destroy(other_host);
 +
  	if (!ike_sa)
  	{
  		DESTROY_IF(listener->child_cfg);
-@@ -425,6 +463,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -425,6 +462,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  		listener_done(listener);
  		return JOB_REQUEUE_NONE;
  	}
@@ -154,7 +130,7 @@ index 46b065e3f..fbaff8730 100644
  	listener->lock->lock(listener->lock);
  	listener->ike_sa = ike_sa;
  	listener->lock->unlock(listener->lock);
-@@ -492,6 +531,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -497,6 +535,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
  
  METHOD(controller_t, initiate, status_t,
  	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
@@ -162,7 +138,7 @@ index 46b065e3f..fbaff8730 100644
  	controller_cb_t callback, void *param, u_int timeout, bool limits)
  {
  	interface_job_t *job;
-@@ -514,6 +554,8 @@ METHOD(controller_t, initiate, status_t,
+@@ -519,6 +558,8 @@ METHOD(controller_t, initiate, status_t,
  			.status = FAILED,
  			.child_cfg = child_cfg,
  			.peer_cfg = peer_cfg,
@@ -172,7 +148,7 @@ index 46b065e3f..fbaff8730 100644
  			.options.limits = limits,
  		},
 diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index b4ccfced2..7a088b122 100644
+index b4ccfced2..9945b78ad 100644
 --- a/src/libcharon/control/controller.h
 +++ b/src/libcharon/control/controller.h
 @@ -79,6 +79,8 @@ struct controller_t {
@@ -192,58 +168,6 @@ index b4ccfced2..7a088b122 100644
  						 controller_cb_t callback, void *param, u_int timeout,
  						 bool limits);
  
-diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
-index 8e89ab435..9dfd415ca 100644
---- a/src/libcharon/plugins/load_tester/load_tester_control.c
-+++ b/src/libcharon/plugins/load_tester/load_tester_control.c
-@@ -239,6 +239,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io)
- 
- 		switch (charon->controller->initiate(charon->controller,
- 										peer_cfg, child_cfg->get_ref(child_cfg),
-+										NULL, NULL,
- 										(void*)initiate_cb, listener, 0, FALSE))
- 		{
- 			case NEED_MORE:
-diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
-index 961c10406..f59294d88 100644
---- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
-+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
-@@ -151,6 +151,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
- 
- 		charon->controller->initiate(charon->controller,
- 					peer_cfg, child_cfg->get_ref(child_cfg),
-+					NULL, NULL,
- 					NULL, NULL, 0, FALSE);
- 		if (s)
- 		{
-diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
-index e88c11d3a..d4ce4f203 100644
---- a/src/libcharon/plugins/medcli/medcli_config.c
-+++ b/src/libcharon/plugins/medcli/medcli_config.c
-@@ -349,7 +349,8 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
- 		peer_cfg->get_ref(peer_cfg);
- 		enumerator->destroy(enumerator);
- 		charon->controller->initiate(charon->controller,
--									 peer_cfg, child_cfg, NULL, NULL, 0, FALSE);
-+									 peer_cfg, child_cfg, NULL, NULL,
-+									 NULL, NULL, 0, FALSE);
- 	}
- 	else
- 	{
-diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
-index 2953a603b..f028406fb 100644
---- a/src/libcharon/plugins/smp/smp.c
-+++ b/src/libcharon/plugins/smp/smp.c
-@@ -493,7 +493,8 @@ static void request_control_initiate(xmlTextReaderPtr reader,
- 			if (child)
- 			{
- 				status = charon->controller->initiate(charon->controller,
--							peer, child, (controller_cb_t)xml_callback,
-+							peer, child, NULL, NULL,
-+							(controller_cb_t)xml_callback,
- 							writer, 0, FALSE);
- 			}
- 			else
 diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
 index 8d84b934e..b00d0e62d 100644
 --- a/src/libcharon/plugins/stroke/stroke_control.c
@@ -267,18 +191,6 @@ index 8d84b934e..b00d0e62d 100644
  							&info, this->timeout, FALSE);
  		switch (status)
  		{
-diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
-index b6cfda082..115e0a82e 100644
---- a/src/libcharon/plugins/uci/uci_control.c
-+++ b/src/libcharon/plugins/uci/uci_control.c
-@@ -147,6 +147,7 @@ static void initiate(private_uci_control_t *this, char *name)
- 		if (enumerator->enumerate(enumerator, &child_cfg) &&
- 			charon->controller->initiate(charon->controller, peer_cfg,
- 								child_cfg->get_ref(child_cfg),
-+								NULL, NULL,
- 								controller_cb_empty, NULL, 0, FALSE) == SUCCESS)
- 		{
- 			write_fifo(this, "connection '%s' established\n", name);
 diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
 index 2a4d58eab..0e9d24d11 100644
 --- a/src/libcharon/plugins/vici/vici_config.c
@@ -293,7 +205,7 @@ index 2a4d58eab..0e9d24d11 100644
  		case ACTION_ROUTE:
  			DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg));
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 4c09b578d..4c00c2be5 100644
+index 4c09b578d..1e8e788c3 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
 @@ -16,6 +16,28 @@
@@ -325,16 +237,13 @@ index 4c09b578d..4c00c2be5 100644
  #include "vici_control.h"
  #include "vici_builder.h"
  
-@@ -174,9 +196,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
+@@ -177,6 +199,9 @@ CALLBACK(initiate, vici_message_t*,
- CALLBACK(initiate, vici_message_t*,
- 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
- {
-+	vici_message_t* msg;
  	peer_cfg_t *peer_cfg = NULL;
  	child_cfg_t *child_cfg;
  	char *child, *ike, *type, *sa;
-+	host_t *my_host = NULL, *other_host = NULL;
 +	char *my_host_str, *other_host_str;
++	vici_message_t* msg;
++	host_t *my_host = NULL, *other_host = NULL;
  	int timeout;
  	bool limits;
  	controller_cb_t log_cb = NULL;
@@ -347,7 +256,7 @@ index 4c09b578d..4c00c2be5 100644
  
  	if (!child && !ike)
  	{
-@@ -203,28 +230,48 @@ CALLBACK(initiate, vici_message_t*,
+@@ -203,6 +230,17 @@ CALLBACK(initiate, vici_message_t*,
  	type = child ? "CHILD_SA" : "IKE_SA";
  	sa = child ?: ike;
  
@@ -360,20 +269,19 @@ index 4c09b578d..4c00c2be5 100644
 +		other_host = host_create_from_string(other_host_str, 0);
 +	}
 +
-+	DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits);
++	DBG1(DBG_CFG, "vici initiate '%s', me %H, other %H, limits %d", child, my_host, other_host, limits);
 +
  	child_cfg = find_child_cfg(child, ike, &peer_cfg);
  
--	DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
+ 	DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa);
- 	if (!peer_cfg)
+@@ -210,21 +248,30 @@ CALLBACK(initiate, vici_message_t*,
  	{
--		return send_reply(this, "%s config '%s' not found", type, sa);
+ 		return send_reply(this, "%s config '%s' not found", type, sa);
-+		msg = send_reply(this, "%s config '%s' not found", type, sa);
-+		goto ret;
  	}
- 	switch (charon->controller->initiate(charon->controller, peer_cfg,
+-	switch (charon->controller->initiate(charon->controller, peer_cfg,
 -									child_cfg, log_cb, &log, timeout, limits))
-+				 child_cfg, my_host, other_host,
++	switch (charon->controller->initiate(charon->controller,
++				peer_cfg, child_cfg, my_host, other_host,
 +				log_cb, &log, timeout, limits))
  	{
  		case SUCCESS:
@@ -396,25 +304,13 @@ index 4c09b578d..4c00c2be5 100644
 +			msg = send_reply(this, "establishing %s '%s' failed", type, sa);
 +			break;
  	}
-+ret:
++
 +	if (my_host) my_host->destroy(my_host);
 +	if (other_host) other_host->destroy(other_host);
 +	return msg;
  }
  
  CALLBACK(terminate, vici_message_t*,
-diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
-index 6a72499d3..eb0ad3846 100644
---- a/src/libcharon/processing/jobs/initiate_mediation_job.c
-+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
-@@ -137,6 +137,7 @@ METHOD(job_t, initiate, job_requeue_t,
- 		mediation_cfg->get_ref(mediation_cfg);
- 
- 		if (charon->controller->initiate(charon->controller, mediation_cfg, NULL,
-+				NULL, NULL,
- 				(controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS)
- 		{
- 			mediation_cfg->destroy(mediation_cfg);
 diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
 index 3a0ed879f..e3399007b 100644
 --- a/src/libcharon/processing/jobs/start_action_job.c
@@ -429,7 +325,7 @@ index 3a0ed879f..e3399007b 100644
  				case ACTION_ROUTE:
  					DBG1(DBG_JOB, "start action: route '%s'", name);
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index b6321cf16..a889b90ab 100644
+index 1e0ae42fe..52a18e3c2 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
 @@ -17,6 +17,28 @@
@@ -461,8 +357,8 @@ index b6321cf16..a889b90ab 100644
  #include <string.h>
  #include <inttypes.h>
  
-@@ -1485,7 +1507,8 @@ typedef struct {
+@@ -1423,7 +1445,8 @@ out:
- } config_entry_t;
+ }
  
  METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 -	private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
@@ -471,9 +367,9 @@ index b6321cf16..a889b90ab 100644
  {
  	enumerator_t *enumerator;
  	entry_t *entry;
-@@ -1496,7 +1519,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1432,7 +1455,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 	ike_cfg_t *current_ike;
  	u_int segment;
- 	int i;
  
 -	DBG2(DBG_MGR, "checkout IKE_SA by config");
 +	if (my_host && my_host->get_port(my_host) == 0)
@@ -484,15 +380,17 @@ index b6321cf16..a889b90ab 100644
 +	{
 +		other_host->set_port(other_host, IKEV2_UDP_PORT);
 +	}
++
 +	DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H",
 +		 peer_cfg->get_name(peer_cfg), my_host, other_host);
  
- 	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
+ 	if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1)
- 	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
+ 	{
-@@ -1554,6 +1586,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1449,6 +1482,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+ 				entry->condvar->signal(entry->condvar);
  				continue;
  			}
- 
++
 +			if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa)))
 +			{
 +				continue;
@@ -505,22 +403,22 @@ index b6321cf16..a889b90ab 100644
  			current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
  			if (current_peer && current_peer->equals(current_peer, peer_cfg))
  			{
-@@ -1580,6 +1621,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1480,6 +1523,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
- 		{
+ 			return NULL;
- 			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
+ 		}
- 			checkout_new(this, ike_sa);
+ 		ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
 +		if (my_host || other_host)
 +		{
 +			ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE);
 +		}
  	}
- 	}
  	charon->bus->set_sa(charon->bus, ike_sa);
+ 
 diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
-index 318620be0..f40eeb74e 100644
+index efad2e4d6..c43edabbb 100644
 --- a/src/libcharon/sa/ike_sa_manager.h
 +++ b/src/libcharon/sa/ike_sa_manager.h
-@@ -109,7 +109,8 @@ struct ike_sa_manager_t {
+@@ -93,7 +93,8 @@ struct ike_sa_manager_t {
  	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
  
  	/**
@@ -530,22 +428,23 @@ index 318620be0..f40eeb74e 100644
  	 *
  	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
  	 * This call checks for an existing IKE_SA by comparing the configuration.
-@@ -122,9 +123,12 @@ struct ike_sa_manager_t {
+@@ -103,10 +104,13 @@ struct ike_sa_manager_t {
- 	 * @note The peer_config is always set on the returned IKE_SA.
+ 	 * the found IKE_SA is in the DELETING state.
  	 *
  	 * @param peer_cfg			configuration used to find an existing IKE_SA
 +	 * @param my_host			source host address for wildcard peer_cfg
 +	 * @param other_host		remote host address for wildcard peer_cfg
  	 * @return					checked out/created IKE_SA
  	 */
--	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg);
+ 	ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
-+	ike_sa_t *(*checkout_by_config)(ike_sa_manager_t* this, peer_cfg_t *peer_cfg,
+-									 peer_cfg_t *peer_cfg);
++									 peer_cfg_t *peer_cfg,
 +									 host_t *my_host, host_t *other_host);
  
  	/**
  	 * Reset initiator SPI.
 diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index f9f78acab..555e28ab6 100644
+index 2bc531b38..7220ea597 100644
 --- a/src/libcharon/sa/trap_manager.c
 +++ b/src/libcharon/sa/trap_manager.c
 @@ -432,7 +432,7 @@ METHOD(trap_manager_t, acquire, void,
@@ -557,12 +456,12 @@ index f9f78acab..555e28ab6 100644
  	bool wildcard, ignore = FALSE;
  
  	this->lock->read_lock(this->lock);
-@@ -508,36 +508,26 @@ METHOD(trap_manager_t, acquire, void,
+@@ -508,36 +508,27 @@ METHOD(trap_manager_t, acquire, void,
  	this->lock->unlock(this->lock);
  
  	if (wildcard)
 -	{	/* the peer config would match IKE_SAs with other peers */
--		ike_sa = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
+-		ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
 -											peer->get_ike_version(peer), TRUE);
 -		if (ike_sa)
 -		{
@@ -605,11 +504,12 @@ index f9f78acab..555e28ab6 100644
 +	ike_sa = charon->ike_sa_manager->checkout_by_config(
 +											charon->ike_sa_manager, peer,
 +											my_host, other_host);
-+	if (my_host) my_host->destroy(my_host);
++	DESTROY_IF(my_host);
-+	if (other_host) other_host->destroy(other_host);
++	DESTROY_IF(other_host);
- 	peer->destroy(peer);
++
- 
  	if (ike_sa)
+ 	{
+ 		if (ike_sa->get_peer_cfg(ike_sa) == NULL)
 diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
 index 8ade8bf41..03b2cb0f4 100644
 --- a/src/swanctl/commands/initiate.c
@@ -690,5 +590,5 @@ index 8ade8bf41..03b2cb0f4 100644
  			{"raw",			'r', 0, "dump raw response message"},
  			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.31.1
+2.30.2
 

0003-vici-send-certificates-for-ike-sa-events.patch

@@ -1,18 +1,18 @@
-From e5589f7a7ddeac0de425783275d38327279eff4f Mon Sep 17 00:00:00 2001
+From 42dc827df278ff1304fe7414c68fae756a9863f1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
-Subject: [PATCH 2/4] vici: send certificates for ike-sa events
+Subject: [PATCH 3/5] vici: send certificates for ike-sa events
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 50 +++++++++++++++++++++----
+ src/libcharon/plugins/vici/vici_query.c | 48 +++++++++++++++++++++----
- 1 file changed, 42 insertions(+), 8 deletions(-)
+ 1 file changed, 41 insertions(+), 7 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index fb65b1447..9a0dc1c8b 100644
+index ad07ff12d..e3f6a0d26 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
 @@ -379,7 +379,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
@@ -77,7 +77,7 @@ index fb65b1447..9a0dc1c8b 100644
  
  	eap = ike_sa->get_other_eap_id(ike_sa);
  
-@@ -532,7 +566,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -531,7 +565,7 @@ CALLBACK(list_sas, vici_message_t*,
  		b = vici_builder_create();
  		b->begin_section(b, ike_sa->get_name(ike_sa));
  
@@ -86,7 +86,7 @@ index fb65b1447..9a0dc1c8b 100644
  
  		b->begin_section(b, "child-sas");
  		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1719,7 +1753,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1717,7 +1751,7 @@ METHOD(listener_t, ike_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index fb65b1447..9a0dc1c8b 100644
  	b->end_section(b);
  
  	this->dispatcher->raise_event(this->dispatcher,
-@@ -1744,10 +1778,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1742,10 +1776,10 @@ METHOD(listener_t, ike_rekey, bool,
  	b = vici_builder_create();
  	b->begin_section(b, old->get_name(old));
  	b->begin_section(b, "old");
@@ -108,16 +108,7 @@ index fb65b1447..9a0dc1c8b 100644
  	b->end_section(b);
  	b->end_section(b);
  
-@@ -1778,7 +1812,7 @@ METHOD(listener_t, ike_update, bool,
+@@ -1776,7 +1810,7 @@ METHOD(listener_t, child_updown, bool,
- 	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
- 
- 	b->begin_section(b, ike_sa->get_name(ike_sa));
--	list_ike(this, b, ike_sa, now);
-+	list_ike(this, b, ike_sa, now, TRUE);
- 	b->end_section(b);
- 
- 	this->dispatcher->raise_event(this->dispatcher,
-@@ -1808,7 +1842,7 @@ METHOD(listener_t, child_updown, bool,
  	}
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -126,7 +117,7 @@ index fb65b1447..9a0dc1c8b 100644
  	b->begin_section(b, "child-sas");
  
  	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
-@@ -1843,7 +1877,7 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1811,7 +1845,7 @@ METHOD(listener_t, child_rekey, bool,
  	b = vici_builder_create();
  
  	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -136,5 +127,5 @@ index fb65b1447..9a0dc1c8b 100644
  
  	b->begin_section(b, old->get_name(old));
 -- 
-2.31.1
+2.30.2
 

0004-vici-add-support-for-individual-sa-state-changes.patch

@@ -1,7 +1,7 @@
-From faa75e58ec73dc70ba296a2ec534f2f87550c960 Mon Sep 17 00:00:00 2001
+From c4e25fe6bb5338a2c5067ba74808d68183226420 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
-Subject: [PATCH 3/4] vici: add support for individual sa state changes
+Subject: [PATCH 4/5] vici: add support for individual sa state changes
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -10,17 +10,17 @@ Useful for monitoring and tracking full SA.
 
 Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 ---
- src/libcharon/plugins/vici/vici_query.c | 106 ++++++++++++++++++++++++
+ src/libcharon/plugins/vici/vici_query.c | 105 ++++++++++++++++++++++++
- 1 file changed, 106 insertions(+)
+ 1 file changed, 105 insertions(+)
 
 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 9a0dc1c8b..b213ba432 100644
+index e3f6a0d26..9968cdd3c 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1719,8 +1719,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1717,8 +1717,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+ 	this->dispatcher->manage_event(this->dispatcher, "list-cert", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
  	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
- 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
 +	this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg);
 +	this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg);
  	this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
@@ -34,11 +34,10 @@ index 9a0dc1c8b..b213ba432 100644
  	manage_command(this, "list-sas", list_sas, reg);
  	manage_command(this, "list-policies", list_policies, reg);
  	manage_command(this, "list-conns", list_conns, reg);
-@@ -1821,6 +1829,46 @@ METHOD(listener_t, ike_update, bool,
+@@ -1789,6 +1797,45 @@ METHOD(listener_t, ike_rekey, bool,
  	return TRUE;
  }
  
-+
 +METHOD(listener_t, ike_state_change, bool,
 +	private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 +{
@@ -81,7 +80,7 @@ index 9a0dc1c8b..b213ba432 100644
  METHOD(listener_t, child_updown, bool,
  	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
  {
-@@ -1900,6 +1948,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1868,6 +1915,62 @@ METHOD(listener_t, child_rekey, bool,
  	return TRUE;
  }
  
@@ -144,10 +143,10 @@ index 9a0dc1c8b..b213ba432 100644
  METHOD(vici_query_t, destroy, void,
  	private_vici_query_t *this)
  {
-@@ -1920,8 +2024,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -1887,8 +1990,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+ 			.listener = {
  				.ike_updown = _ike_updown,
  				.ike_rekey = _ike_rekey,
- 				.ike_update = _ike_update,
 +				.ike_state_change = _ike_state_change,
  				.child_updown = _child_updown,
  				.child_rekey = _child_rekey,
@@ -156,5 +155,5 @@ index 9a0dc1c8b..b213ba432 100644
  			.destroy = _destroy,
  		},
 -- 
-2.31.1
+2.30.2
 

0005-vyos-terminate-connections-source-dest.patch

@@ -1,7 +1,7 @@
-From 1057ecaa416c81b0e3fd4b26e1c8c301d1749ecb Mon Sep 17 00:00:00 2001
+From 2f864ddad4c36726427cd0d4f19b00e226d2b2f9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
 Date: Wed, 22 Jan 2020 13:12:39 +0100
-Subject: [PATCH 4/4] vyos-terminate-connections-source-dest
+Subject: [PATCH 5/5] vyos-terminate-connections-source-dest
 
 ---
  src/libcharon/plugins/vici/vici_control.c | 27 ++++++++++++++++++++---
@@ -9,7 +9,7 @@ Subject: [PATCH 4/4] vyos-terminate-connections-source-dest
  2 files changed, 41 insertions(+), 4 deletions(-)
 
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 4c00c2be5..8936e93ae 100644
+index 1e8e788c3..914574ac3 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
 @@ -278,12 +278,13 @@ CALLBACK(terminate, vici_message_t*,
@@ -120,5 +120,5 @@ index 2309843b2..37d0bde3f 100644
  			{"child-id",	'C', 1, "terminate by CHILD_SA reqid"},
  			{"ike-id",		'I', 1, "terminate by IKE_SA unique identifier"},
 -- 
-2.31.1
+2.30.2
 

sources

@@ -1 +1 @@
-SHA512 (strongswan-5.9.4.tar.bz2) = 796356c1d5c1ad410f0ed944ab4a131076d26f120ec6fa57796fe4060b0741201199625883ddc9ebd8a7ad299495f073cec76a6780ebd8f375605aae16750cf3
+SHA512 (strongswan-5.9.0.tar.bz2) = b982ce7c3e940ad75ab71b02ce3e2813b41c6b098cde5b6f3f3513d095f409fe989ae6e38a31eff51c57423bf452c3610cd5cd8cd7f45ff932581d9859df1821

strongswan-5.6.2-CVE-2018-5388.patch

@@ -0,0 +1,15 @@
+diff -Naur strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c
+--- strongswan-5.6.2-orig/src/libcharon/plugins/stroke/stroke_socket.c	2017-11-09 10:57:30.000000000 -0500
++++ strongswan-5.6.2/src/libcharon/plugins/stroke/stroke_socket.c	2018-05-24 00:00:32.382953618 -0400
+@@ -628,6 +628,11 @@
+ 		return FALSE;
+ 	}
+ 
++	if (len < offsetof(stroke_msg_t, buffer))
++	{
++		DBG1(DBG_CFG, "invalid stroke message length %d", len);
++		return FALSE;
++	}
+ 	/* read message (we need an additional byte to terminate the buffer) */
+ 	msg = malloc(len + 1);
+ 	msg->length = len;

strongswan-5.8.2-extern-global.patch

@@ -0,0 +1,11 @@
+--- strongswan-5.8.2/src/swanctl/swanctl.h.orig	2020-02-23 00:35:39.051000000 +0200
++++ strongswan-5.8.2/src/swanctl/swanctl.h	2020-02-23 00:35:51.930355656 +0200
+@@ -30,7 +30,7 @@
+ /**
+  * Base directory for credentials and config
+  */
+-char *swanctl_dir;
++extern char *swanctl_dir;
+ 
+ /**
+  * Configuration file for connections, etc.

strongswan-5.8.4-runtime-dir.patch

@@ -0,0 +1,24 @@
+diff -ur strongswan-5.8.4.orig/init/systemd/strongswan.service.in strongswan-5.8.4/init/systemd/strongswan.service.in
+--- strongswan-5.8.4.orig/init/systemd/strongswan.service.in	2019-08-27 16:26:53.000000000 +0300
++++ strongswan-5.8.4/init/systemd/strongswan.service.in	2020-04-12 12:05:57.383596844 +0300
+@@ -9,6 +9,8 @@
+ ExecReload=@SBINDIR@/swanctl --reload
+ ExecReload=@SBINDIR@/swanctl --load-all --noprompt
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff -ur strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in
+--- strongswan-5.8.4.orig/init/systemd-starter/strongswan-starter.service.in	2019-08-27 16:26:53.000000000 +0300
++++ strongswan-5.8.4/init/systemd-starter/strongswan-starter.service.in	2020-04-12 12:05:51.810559482 +0300
+@@ -6,6 +6,8 @@
+ ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
+ StandardOutput=syslog
+ Restart=on-abnormal
++RuntimeDirectory=strongswan
++RuntimeDirectoryMode=0755
+ 
+ [Install]
+ WantedBy=multi-user.target

strongswan-5.9.4-test-socket.patch

@@ -1,31 +0,0 @@
-From 377039d24648f82dac35dcf22a2b43de81f2fb96 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Thu, 11 Nov 2021 05:48:38 +0100
-Subject: [PATCH] Skip test case, which always hangs
-
-It just stops and does not continue. Avoid that test.
----
- src/libtls/tests/suites/test_socket.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
-index 9e26e91..5296680 100644
---- a/src/libtls/tests/suites/test_socket.c
-+++ b/src/libtls/tests/suites/test_socket.c
-@@ -804,11 +804,13 @@ Suite *socket_suite_create()
- 	add_tls_versions_test(test_tls_12_server, TLS_1_0, TLS_1_3);
- 	suite_add_tcase(s, tc);
- 
-+#if 0
- 	tc = tcase_create("TLS 1.3/key exchange groups");
- 	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
- 	tcase_add_loop_test(tc, test_tls13_ke_groups, 0,
- 						tls_crypto_get_supported_groups(NULL));
- 	suite_add_tcase(s, tc);
-+#endif
- 
- 	tc = tcase_create("TLS 1.3/signature schemes");
- 	tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds);
--- 
-2.31.1
-

strongswan.spec

@@ -1,39 +1,28 @@
 %global _hardened_build 1
 #%%define prerelease dr1
-%global dist .nhrp.9%{?dist}
+%global dist .nhrp.4%{?dist}
-
-%bcond_without python3
-%bcond_without perl
-%bcond_with    check
-
-%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
-# trousers was retired for F36+ and no longer available in RHEL with 9+
-%bcond_without tss_trousers
-%else
-%bcond_with tss_trousers
-%endif
 
 Name:           strongswan
-Version:        5.9.4
+Version:        5.9.0
-Release:        4%{?dist}
+Release:        2%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            http://www.strongswan.org/
-Source0:        http://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2
+Source0:        http://download.strongswan.org/%{name}-%{version}%{?prerelease}.tar.bz2
 Source1:        tmpfiles-strongswan.conf
-Patch0:         strongswan-5.6.0-uintptr_t.patch
+Patch0:         strongswan-5.8.4-runtime-dir.patch
-# https://github.com/strongswan/strongswan/issues/752
+Patch1:         strongswan-5.6.0-uintptr_t.patch
-Patch1:         strongswan-5.9.4-test-socket.patch
+Patch3:         strongswan-5.6.2-CVE-2018-5388.patch
 
-Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
+Patch10:        0001-ike-Adhere-to-IKE_SA-limit-when-checking-out-by-conf.patch
-Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
+Patch11:        0002-charon-add-optional-source-and-remote-overrides-for-.patch
-Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
+Patch12:        0003-vici-send-certificates-for-ike-sa-events.patch
-Patch13:        0004-vyos-terminate-connections-source-dest.patch
+Patch13:        0004-vici-add-support-for-individual-sa-state-changes.patch
+Patch14:        0005-vyos-terminate-connections-source-dest.patch
 
 # only needed for pre-release versions
 #BuildRequires:  autoconf automake
 
-BuildRequires: make
 BuildRequires:  gcc
 BuildRequires:  systemd-devel
 BuildRequires:  gmp-devel
@@ -42,30 +31,13 @@ BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
 BuildRequires:  sqlite-devel
 BuildRequires:  gettext-devel
+BuildRequires:  trousers-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
 BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
-BuildRequires:  libcap-devel
-BuildRequires:  tpm2-tss-devel
-Recommends:     tpm2-tools
-
-%if %{with python3}
-BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
-BuildRequires:  python3-pytest
-%endif
-
-%if %{with perl}
-BuildRequires:  perl-devel perl-macros
-BuildRequires:  perl(ExtUtils::MakeMaker)
-%endif
-
-%if %{with tss_trousers}
-BuildRequires:  trousers-devel
-%endif
 
 BuildRequires:  NetworkManager-libnm-devel
 Requires(post): systemd
@@ -86,8 +58,8 @@ in userland, using TUN devices and its own IPsec implementation libipsec.
 %package charon-nm
 Summary:        NetworkManager plugin for Strongswan
 Requires:       dbus
-Obsoletes:      strongswan-NetworkManager < 0:5.0.4-5
+Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Conflicts:      strongswan-NetworkManager < 0:5.0.4-5
+Conflicts:      %{name}-NetworkManager < 0:5.0.4-5
 Conflicts:      NetworkManager-strongswan < 1.4.2-1
 %description charon-nm
 NetworkManager plugin integrates a subset of Strongswan capabilities
@@ -95,14 +67,14 @@ to NetworkManager.
 
 %package sqlite
 Summary: SQLite support for strongSwan
-Requires: strongswan = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
 %description sqlite
 The sqlite plugin adds an SQLite database backend to strongSwan.
 
 %package tnc-imcvs
 Summary: Trusted network connect (TNC)'s IMC/IMV functionality
-Requires: strongswan = %{version}-%{release}
+Requires: %{name} = %{version}-%{release}
-Requires: strongswan-sqlite = %{version}-%{release}
+Requires: %{name}-sqlite = %{version}-%{release}
 %description tnc-imcvs
 This package provides Trusted Network Connect's (TNC) architecture support.
 It includes support for TNC client and server (IF-TNCCS), IMC and IMV message
@@ -113,38 +85,17 @@ modules can be used by any third party TNC Client/Server implementation
 possessing a standard IF-IMC/IMV interface. In addition, it implements
 PT-TLS to support TNC over TLS.
 
-%if %{with python3}
-%package -n python3-vici
-Summary: Strongswan Versatile IKE Configuration Interface python bindings
-BuildArch: noarch
-%description -n python3-vici
-VICI is an attempt to improve the situation for system integrators by providing
-a stable IPC interface, allowing external tools to query, configure
-and control the IKE daemon.
-
-The Versatile IKE Configuration Interface (VICI) python bindings provides module
-for Strongswan runtime configuration from python applications.
-
-%endif
-
-%if %{with perl}
-%package -n perl-vici
-Summary: Strongswan Versatile IKE Configuration Interface perl bindings
-BuildArch: noarch
-%description -n perl-vici
-VICI is an attempt to improve the situation for system integrators by providing
-a stable IPC interface, allowing external tools to query, configure
-and control the IKE daemon.
-
-The Versatile IKE Configuration Interface (VICI) perl bindings provides module
-for Strongswan runtime configuration from perl applications.
-%endif
-
-# TODO: make also ruby-vici
-
-
 %prep
-%autosetup -n %{name}-%{version}%{?prerelease} -p1
+%setup -q -n %{name}-%{version}%{?prerelease}
+%patch0 -p1
+%patch1 -p1
+%patch3 -p1
+
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 %build
 # only for snapshots
@@ -163,7 +114,7 @@ for Strongswan runtime configuration from perl applications.
     --with-piddir=%{_rundir}/strongswan \
     --with-nm-ca-dir=%{_sysconfdir}/strongswan/ipsec.d/cacerts/ \
     --enable-bypass-lan \
-    --enable-tss-tss2 \
+    --enable-tss-trousers \
     --enable-nm \
     --enable-systemd \
     --enable-openssl \
@@ -227,74 +178,24 @@ for Strongswan runtime configuration from perl applications.
     --enable-curl \
     --enable-cmd \
     --enable-acert \
+    --enable-aikgen \
     --enable-vici \
     --enable-swanctl \
     --enable-duplicheck \
 %ifarch x86_64 %{ix86}
     --enable-aesni \
 %endif
-%if %{with python3}
+    --enable-kernel-libipsec
-    PYTHON=%{python3} --enable-python-eggs \
-%endif
-%if %{with perl}
-    --enable-perl-cpan \
-%endif
-%if %{with check}
-    --enable-test-vectors \
-%endif
-%if %{with tss_trousers}
-    --enable-tss-trousers \
-    --enable-aikgen \
-%endif
-    --enable-kernel-libipsec \
-    --with-capabilities=libcap \
-    CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
-# TODO: --enable-python-eggs-install not python3 ready
 
 # disable certain plugins in the daemon configuration by default
 for p in bypass-lan; do
     echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
 
-%make_build
+make %{?_smp_mflags}
-
-pushd src/libcharon/plugins/vici
-
-%if %{with python3}
-  pushd python
-    %make_build
-    sed -e "s,/var/run/charon.vici,%{_rundir}/strongswan/charon.vici," -i vici/session.py
-    #py3_build
-  popd
-%endif
-
-%if %{with perl}
-  pushd perl/Vici-Session/
-    perl Makefile.PL INSTALLDIRS=vendor
-    %make_build
-  popd
-%endif
-
-popd
 
 %install
-%make_install
+make install DESTDIR=%{buildroot}
-
-
-pushd src/libcharon/plugins/vici
-%if %{with python3}
-  pushd python
-    # TODO: --enable-python-eggs breaks our previous build. Do it now
-    # propose better way to upstream
-    %py3_build
-    %py3_install
-  popd
-%endif
-%if %{with perl}
-  %make_install -C perl/Vici-Session
-  rm -f %{buildroot}{%{perl_archlib}/perllocal.pod,%{perl_vendorarch}/auto/Vici/Session/.packlist}
-%endif
-popd
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
     if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@@ -314,35 +215,20 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
 done
 install -d -m 0700 %{buildroot}%{_rundir}/strongswan
 install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
-install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
-
-
-%check
-%if %{with check}
-  # Seen some tests hang. Ensure we do not block builder forever
-  export TESTS_VERBOSITY=1
-  timeout 600 %make_build check
-%endif
-%if %{with python}
-  pushd src/libcharon/plugins/vici
-    %pytest
-  popd
-%endif
-:
 
 %post
-%systemd_post strongswan.service strongswan-starter.service
+%systemd_post %{name}.service
 
 %preun
-%systemd_preun strongswan.service strongswan-starter.service
+%systemd_preun %{name}.service
 
 %postun
-%systemd_postun_with_restart strongswan.service strongswan-starter.service
+%systemd_postun_with_restart %{name}.service
 
 %files
 %doc README NEWS TODO ChangeLog
 %license COPYING
-%dir %attr(0755,root,root) %{_sysconfdir}/strongswan
+%dir %attr(0700,root,root) %{_sysconfdir}/strongswan
 %config(noreplace) %{_sysconfdir}/strongswan/*
 %dir %{_libdir}/strongswan
 %exclude %{_libdir}/strongswan/imcvs
@@ -372,7 +258,6 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %{_datadir}/strongswan/templates/database/
 %attr(0755,root,root) %dir %{_rundir}/strongswan
 %attr(0644,root,root) %{_tmpfilesdir}/strongswan.conf
-%attr(0644,root,root) %{_tmpfilesdir}/strongswan-starter.conf
 
 %files sqlite
 %{_libdir}/strongswan/plugins/libstrongswan-sqlite.so
@@ -399,70 +284,7 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_libexecdir}/strongswan/charon-nm
 
-%if %{with python3}
-%files -n python3-vici
-%license COPYING
-%doc src/libcharon/plugins/vici/python/README.rst
-%{python3_sitelib}/vici
-%{python3_sitelib}/vici-%{version}-py*.egg-info
-%endif
-
-%if %{with perl}
-%license COPYING
-%files -n perl-vici
-%{perl_vendorlib}/Vici
-%endif
-
 %changelog
-* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
-- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
-- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
-
-* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
-- Resolves rhbz#1419441 Add python and perl vici bindings
-- Adds optional tests run
-
-* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
-- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
-- Return to using tmpfiles, but extend to cover strongswan-starter service too
-- Cleanup old patches
-
-* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
-- Resolves: rhbz#2015165 strongswan-5.9.4 is available
-- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
-- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
-- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
-- Rebuilt with OpenSSL 3.0.0
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
-- Rebuild for versioned symbols in json-c
-
-* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
-- Resolves: rhbz#1979574 strongswan-5.9.3 is available
-- Make strongswan main dir world readable so apps can find strongswan.conf
-
-* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
-- Resolves: rhbz#1896545 strongswan-5.9.2 is available
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
-- Resolves: rhbz#1896545 strongswan-5.9.1 is available
-
-* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
-- Build with with capabilities support
-- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
 * Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
 - Resolves: rhbz#1886759 charon looking for certificates in the wrong place
 
@@ -471,16 +293,6 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 - Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
   (use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
 
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
-- Rebuild (json-c)
-
 * Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
 - Patch0: Add RuntimeDirectory options to service files (#1789263)
 
@@ -488,6 +300,9 @@ install -D -m 0644 %{SOURCE1} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 - Updated to 5.8.4
 - Patch4 has been applied upstream
 
+* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-6
+- Patch0: Add RuntimeDirectory options to service files (#1789263)
+
 * Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
 - Patch to declare a global variable with extern (#1800117)