Patch vici for NHRP

.gitignore

@@ -9,5 +9,3 @@
 /strongswan-5.9.5.tar.bz2.sig
 /strongswan-5.9.6.tar.bz2
 /strongswan-5.9.6.tar.bz2.sig
-/strongswan-5.9.8.tar.bz2
-/strongswan-5.9.8.tar.bz2.sig

sources

@@ -1,2 +1,2 @@
-SHA512 (strongswan-5.9.8.tar.bz2.sig) = bf5c5fbcb6d14381260d1e79f6164170c3d568fbe2f623afb42b59bfa7e085551e26c43e4a41f4d8271d5f46601366f34fb52067bdd4c25a7633fa2fda83d5ae
+SHA512 (strongswan-5.9.6.tar.bz2.sig) = c5f863eb1f504033aec2ab48f802584f97bb39650e55e829e31f36ea1594428caab84ea559ba82b56b060019598aada02df09311b583b098e32f5abad9fab29b
-SHA512 (strongswan-5.9.8.tar.bz2) = 16d3afc80704f896f3f97addf452b4bb29fc1911c54e980f76ac48bdbe2340ce3bd4e79024848cb7961bbe9ad5458d93389343878ca042af658d51b11219666b
+SHA512 (strongswan-5.9.6.tar.bz2) = 8efb7a55b074485b874e941e42462e97a404b4f84e2f90ed18ef66274731b22d167a571f6fd028dccc1f199f2e591c82616d0a832a5084e1981c6b867fe5bb6a

strongswan-5.9.4-test-socket.patch

@@ -0,0 +1,31 @@
+From 377039d24648f82dac35dcf22a2b43de81f2fb96 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 11 Nov 2021 05:48:38 +0100
+Subject: [PATCH] Skip test case, which always hangs
+
+It just stops and does not continue. Avoid that test.
+---
+ src/libtls/tests/suites/test_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 9e26e91..5296680 100644
+--- a/src/libtls/tests/suites/test_socket.c
++++ b/src/libtls/tests/suites/test_socket.c
+@@ -804,11 +804,13 @@ Suite *socket_suite_create()
+ 	add_tls_versions_test(test_tls_12_server, TLS_1_0, TLS_1_3);
+ 	suite_add_tcase(s, tc);
+ 
++#if 0
+ 	tc = tcase_create("TLS 1.3/key exchange groups");
+ 	tcase_add_checked_fixture(tc, setup_creds, teardown_creds);
+ 	tcase_add_loop_test(tc, test_tls13_ke_groups, 0,
+ 						tls_crypto_get_supported_groups(NULL));
+ 	suite_add_tcase(s, tc);
++#endif
+ 
+ 	tc = tcase_create("TLS 1.3/signature schemes");
+ 	tcase_add_checked_fixture(tc, setup_all_creds, teardown_creds);
+-- 
+2.31.1
+

strongswan-5.9.5-atexit-handlers.patch

@@ -0,0 +1,71 @@
+--- strongswan-5.9.5-orig/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-01-08 12:54:02.000000000 +0100
++++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_plugin.c	2022-02-23 23:12:03.685111475 +0100
+@@ -16,7 +16,6 @@
+ 
+ #include <library.h>
+ #include <utils/debug.h>
+-#include <collections/array.h>
+ #include <threading/thread.h>
+ #include <threading/mutex.h>
+ #include <threading/thread_value.h>
+@@ -74,13 +73,6 @@
+ 	 * public functions
+ 	 */
+ 	openssl_plugin_t public;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	/**
+-	 * Loaded providers
+-	 */
+-	array_t *providers;
+-#endif
+ };
+ 
+ /**
+@@ -881,21 +873,12 @@
+ #endif
+ 	}
+ 	*features = f;
+-	return countof(f);
++	return count;
+ }
+ 
+ METHOD(plugin_t, destroy, void,
+ 	private_openssl_plugin_t *this)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	OSSL_PROVIDER *provider;
+-	while (array_remove(this->providers, ARRAY_TAIL, &provider))
+-	{
+-		OSSL_PROVIDER_unload(provider);
+-	}
+-	array_destroy(this->providers);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
+  * can't call it as we couldn't re-initialize the library (as required by the
+  * unit tests and the Android app) */
+@@ -1009,20 +992,16 @@
+ 			DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ 			return NULL;
+ 		}
+-		array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ 		/* explicitly load the base provider containing encoding functions */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "base"));
++		OSSL_PROVIDER_load(NULL, "base");
+ 	}
+ 	else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ 									 TRUE, lib->ns))
+ 	{
+ 		/* load the legacy provider for algorithms like MD4, DES, BF etc. */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "legacy"));
++		OSSL_PROVIDER_load(NULL, "legacy");
+ 		/* explicitly load the default provider, as mentioned by crypto(7) */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "default"));
++		OSSL_PROVIDER_load(NULL, "default");
+ 	}
+ 	ossl_provider_names_t data = {};
+ 	OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);

strongswan-5.9.7-error-no-format.patch

@@ -1,12 +0,0 @@
-diff --git a/configure.ac b/configure.ac
-index f9e6e55c2..247d055d8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1480,7 +1480,6 @@ else
- fi
- # disable some warnings, whether explicitly enabled above or by default
- # these are not compatible with our custom printf specifiers
--WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
- WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
- # we generally use comments, but GCC doesn't seem to recognize many of them
- WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"

strongswan.spec

@@ -14,7 +14,7 @@
 %endif
 
 Name:           strongswan
-Version:        5.9.8
+Version:        5.9.6
 Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
@@ -24,21 +24,20 @@ Source1:        http://download.strongswan.org/strongswan-%{version}%{?prereleas
 Source2:        https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
 Source3:        tmpfiles-strongswan.conf
 Patch0:         strongswan-5.6.0-uintptr_t.patch
-# https://github.com/strongswan/strongswan/issues/1198
+# https://github.com/strongswan/strongswan/issues/1025
-Patch1:         strongswan-5.9.7-error-no-format.patch
+Patch1:         strongswan-5.9.6-error-format-security.patch
 
 Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
 Patch12:        0003-vici-add-support-for-individual-sa-state-changes.patch
 
-BuildRequires:  autoconf
+# only needed for pre-release versions
-BuildRequires:  automake
+#BuildRequires:  autoconf automake
+
 BuildRequires:  gnupg2
 BuildRequires:  make
 BuildRequires:  gcc
-BuildRequires:  systemd
 BuildRequires:  systemd-devel
-BuildRequires:  systemd-rpm-macros
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
@@ -49,6 +48,7 @@ BuildRequires:  libxml2-devel
 BuildRequires:  pam-devel
 BuildRequires:  json-c-devel
 BuildRequires:  libgcrypt-devel
+BuildRequires:  systemd-devel
 BuildRequires:  iptables-devel
 BuildRequires:  libcap-devel
 BuildRequires:  tpm2-tss-devel
@@ -221,6 +221,8 @@ for Strongswan runtime configuration from perl applications.
     --enable-imv-attestation \
     --enable-imv-os \
     --enable-imc-os \
+    --enable-imc-swid \
+    --enable-imv-swid \
     --enable-imc-swima \
     --enable-imv-swima \
     --enable-imc-hcd \
@@ -415,12 +417,6 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif
 
 %changelog
-* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
-- Resolves rhbz#2112274 strongswan-5.9.8 is available
-- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
-- Add BuildRequire for autoconf and automake, now required for release
-- Remove obsolete patches
-
 * Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
 - Resolves rhbz#2080070 strongswan-5.9.6 is available
 - Fixed missing format string in enum_flags_to_string()