Patch vici for NHRP

new sources
- Resolves: rhbz#2214186 strongswan-5.9.11 is available
2023-08-25 15:09:27 +02:00 · 2023-07-17 11:26:05 -04:00 · 2023-07-14 13:45:25 -04:00 · 2023-06-13 23:05:47 +02:00 · 2023-03-02 11:02:38 -05:00 · 2023-03-02 10:24:58 -05:00
7 changed files with 145 additions and 476 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,7 @@
 /strongswan-5.9.8.tar.bz2.sig
 /strongswan-5.9.9.tar.bz2
 /strongswan-5.9.9.tar.bz2.sig
+/strongswan-5.9.10.tar.bz2
+/strongswan-5.9.10.tar.bz2.sig
+/strongswan-5.9.11.tar.bz2
+/strongswan-5.9.11.tar.bz2.sig
--- a/0001-charon-add-optional-source-and-remote-overrides-for-.patch
+++ b/0001-charon-add-optional-source-and-remote-overrides-for-.patch
@@ -1,4 +1,4 @@
-From 84b1ee5c075b731618ff342ba4df94c3f9f2eaef Mon Sep 17 00:00:00 2001
+From ec53b2914730f08d151d14e9b48557196ec0cc49 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:41:58 +0300
 Subject: [PATCH 1/3] charon: add optional source and remote overrides for
@@ -19,42 +19,42 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 src/charon-cmd/cmd/cmd_connection.c           |  2 +-
 src/charon-nm/nm/nm_service.c                 |  2 +-
 src/conftest/actions.c                        |  2 +-
- src/libcharon/control/controller.c            | 43 ++++++++++++-
+ src/libcharon/control/controller.c            | 43 +++++++++++++-
 src/libcharon/control/controller.h            |  3 +
 .../plugins/load_tester/load_tester_control.c |  1 +
 .../plugins/load_tester/load_tester_plugin.c  |  1 +
- src/libcharon/plugins/medcli/medcli_config.c  |  3 +-
+ src/libcharon/plugins/medcli/medcli_config.c  |  2 +-
 src/libcharon/plugins/smp/smp.c               |  3 +-
 src/libcharon/plugins/stroke/stroke_control.c |  5 +-
- src/libcharon/plugins/uci/uci_control.c       |  1 +
+ src/libcharon/plugins/uci/uci_control.c       |  3 +-
 src/libcharon/plugins/vici/vici_config.c      |  2 +-
- src/libcharon/plugins/vici/vici_control.c     | 61 ++++++++++++++++---
+ src/libcharon/plugins/vici/vici_control.c     | 59 +++++++++++++++++--
 .../processing/jobs/initiate_mediation_job.c  |  1 +
 .../processing/jobs/start_action_job.c        |  2 +-
 src/libcharon/sa/ike_sa_manager.c             | 49 ++++++++++++++-
 src/libcharon/sa/ike_sa_manager.h             |  8 ++-
- src/libcharon/sa/trap_manager.c               | 44 ++++++-------
- src/swanctl/commands/initiate.c               | 40 +++++++++++-
- 21 files changed, 226 insertions(+), 50 deletions(-)
+ src/libcharon/sa/trap_manager.c               | 44 ++++++--------
+ src/swanctl/commands/initiate.c               | 40 ++++++++++++-
+ 21 files changed, 225 insertions(+), 50 deletions(-)

 diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
-index 37d951951..d91eb951c 100644
+index 2e2cb3ca2..b9369a8a2 100644
 --- a/src/charon-cmd/cmd/cmd_connection.c
 +++ b/src/charon-cmd/cmd/cmd_connection.c
-@@ -440,7 +440,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
+@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this)
 	child_cfg = create_child_cfg(this, peer_cfg);
 
 	if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-								controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
-+								NULL, NULL, controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
+-				controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS)
+				NULL, NULL, controller_cb_empty, NULL, LEVEL_SILENT, 0, FALSE) != SUCCESS)
 	{
 		terminate(pid);
 	}
 diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
-index 09107a76b..0b15a1835 100644
+index 7f88514a7..4c3491984 100644
 --- a/src/charon-nm/nm/nm_service.c
 +++ b/src/charon-nm/nm/nm_service.c
-@@ -883,7 +883,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
+@@ -942,7 +942,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 	 * Prepare IKE_SA
 	 */
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
@@ -64,20 +64,20 @@ index 09107a76b..0b15a1835 100644
 	if (!ike_sa)
 	{
 diff --git a/src/conftest/actions.c b/src/conftest/actions.c
-index 66e41f743..64ef8e9ee 100644
+index b6b186117..21e329e3e 100644
 --- a/src/conftest/actions.c
 +++ b/src/conftest/actions.c
-@@ -65,7 +65,7 @@ static job_requeue_t initiate(char *config)
+@@ -66,7 +66,7 @@ static job_requeue_t initiate(char *config)
 	{
 		DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config);
 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 NULL, NULL, 0, FALSE);
-+									 NULL, NULL, NULL, NULL, 0, FALSE);
+-									 NULL, NULL, 0, 0, FALSE);
+									 NULL, NULL, NULL, NULL, 0, 0, FALSE);
 	}
 	else
 	{
 diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
-index cd25b28fe..36d6cd7be 100644
+index 027f48e93..9109b20e4 100644
 --- a/src/libcharon/control/controller.c
 +++ b/src/libcharon/control/controller.c
@@ -15,6 +15,28 @@
@@ -109,7 +109,7 @@ index cd25b28fe..36d6cd7be 100644
 #include "controller.h"
 
 #include <sys/types.h>
-@@ -102,6 +124,16 @@ struct interface_listener_t {
+@@ -107,6 +129,16 @@ struct interface_listener_t {
 	 */
 	ike_sa_t *ike_sa;
 
@@ -126,7 +126,7 @@ index cd25b28fe..36d6cd7be 100644
 	/**
 	 * unique ID, used for various methods
 	 */
-@@ -414,10 +446,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -417,10 +449,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 	ike_sa_t *ike_sa;
 	interface_listener_t *listener = &job->listener;
 	peer_cfg_t *peer_cfg = listener->peer_cfg;
@@ -144,15 +144,15 @@ index cd25b28fe..36d6cd7be 100644
 	if (!ike_sa)
 	{
 		DESTROY_IF(listener->child_cfg);
-@@ -492,6 +530,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
+@@ -499,6 +537,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 
 METHOD(controller_t, initiate, status_t,
 	private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 +	host_t *my_host, host_t *other_host,
- 	controller_cb_t callback, void *param, u_int timeout, bool limits)
+ 	controller_cb_t callback, void *param, level_t max_level, u_int timeout,
+ 	bool limits)
 {
- 	interface_job_t *job;
-@@ -514,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
+@@ -523,6 +562,8 @@ METHOD(controller_t, initiate, status_t,
 			.status = FAILED,
 			.child_cfg = child_cfg,
 			.peer_cfg = peer_cfg,
@@ -162,10 +162,10 @@ index cd25b28fe..36d6cd7be 100644
 			.options.limits = limits,
 		},
 diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
-index b4ccfced2..7a088b122 100644
+index 36a1d4631..a130fbb6b 100644
 --- a/src/libcharon/control/controller.h
 +++ b/src/libcharon/control/controller.h
-@@ -79,6 +79,8 @@ struct controller_t {
+@@ -81,6 +81,8 @@ struct controller_t {
 	 *
 	 * @param peer_cfg		peer_cfg to use for IKE_SA setup
 	 * @param child_cfg		optional child_cfg to set up CHILD_SA from
@@ -173,120 +173,121 @@ index b4ccfced2..7a088b122 100644
 +	 * @param other_host		optional address hint for destination
 	 * @param cb			logging callback
 	 * @param param			parameter to include in each call of cb
- 	 * @param timeout		timeout in ms to wait for callbacks, 0 to disable
-@@ -92,6 +94,7 @@ struct controller_t {
+ 	 * @param max_level		maximum log level for which cb is invoked
+@@ -95,6 +97,7 @@ struct controller_t {
 	 */
 	status_t (*initiate)(controller_t *this,
 						 peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 +						 host_t *my_host, host_t *other_host,
- 						 controller_cb_t callback, void *param, u_int timeout,
- 						 bool limits);
+ 						 controller_cb_t callback, void *param,
+ 						 level_t max_level, u_int timeout, bool limits);
 
 diff --git a/src/libcharon/plugins/load_tester/load_tester_control.c b/src/libcharon/plugins/load_tester/load_tester_control.c
-index 8e89ab435..9dfd415ca 100644
+index b5356289a..ddef85b4a 100644
 --- a/src/libcharon/plugins/load_tester/load_tester_control.c
 +++ b/src/libcharon/plugins/load_tester/load_tester_control.c
-@@ -239,6 +239,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io)
+@@ -240,6 +240,7 @@ static bool on_accept(private_load_tester_control_t *this, stream_t *io)
 
 		switch (charon->controller->initiate(charon->controller,
- 										peer_cfg, child_cfg->get_ref(child_cfg),
-+										NULL, NULL,
- 										(void*)initiate_cb, listener, 0, FALSE))
+ 							peer_cfg, child_cfg->get_ref(child_cfg),
+							NULL, NULL,
+ 							(void*)initiate_cb, listener, LEVEL_CTRL, 0, FALSE))
 		{
 			case NEED_MORE:
 diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
-index 961c10406..f59294d88 100644
+index 695e75b83..e3f740281 100644
 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
 +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
-@@ -151,6 +151,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
+@@ -152,6 +152,7 @@ static job_requeue_t do_load_test(private_load_tester_plugin_t *this)
 
 		charon->controller->initiate(charon->controller,
 					peer_cfg, child_cfg->get_ref(child_cfg),
 +					NULL, NULL,
- 					NULL, NULL, 0, FALSE);
+ 					NULL, NULL, 0, 0, FALSE);
 		if (s)
 		{
 diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
-index e88c11d3a..d4ce4f203 100644
+index 3211a49f1..f98b3eac8 100644
 --- a/src/libcharon/plugins/medcli/medcli_config.c
 +++ b/src/libcharon/plugins/medcli/medcli_config.c
-@@ -349,7 +349,8 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
+@@ -350,7 +350,7 @@ static job_requeue_t initiate_config(peer_cfg_t *peer_cfg)
 		peer_cfg->get_ref(peer_cfg);
 		enumerator->destroy(enumerator);
- 		charon->controller->initiate(charon->controller,
-									 peer_cfg, child_cfg, NULL, NULL, 0, FALSE);
-+									 peer_cfg, child_cfg, NULL, NULL,
-+									 NULL, NULL, 0, FALSE);
+ 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+-									 NULL, NULL, 0, 0, FALSE);
+									 NULL, NULL, NULL, NULL, 0, 0, FALSE);
 	}
 	else
 	{
 diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
-index 2953a603b..f028406fb 100644
+index 91dddfeaa..1e9326822 100644
 --- a/src/libcharon/plugins/smp/smp.c
 +++ b/src/libcharon/plugins/smp/smp.c
-@@ -493,7 +493,8 @@ static void request_control_initiate(xmlTextReaderPtr reader,
+@@ -494,7 +494,8 @@ static void request_control_initiate(xmlTextReaderPtr reader,
 			if (child)
 			{
 				status = charon->controller->initiate(charon->controller,
 -							peer, child, (controller_cb_t)xml_callback,
 +							peer, child, NULL, NULL,
 +							(controller_cb_t)xml_callback,
- 							writer, 0, FALSE);
+ 							writer, LEVEL_CTRL, 0, FALSE);
 			}
 			else
 diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
-index 8d84b934e..b00d0e62d 100644
+index 2824c93cb..21ff6b31f 100644
 --- a/src/libcharon/plugins/stroke/stroke_control.c
 +++ b/src/libcharon/plugins/stroke/stroke_control.c
-@@ -108,7 +108,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
+@@ -109,7 +109,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
 	if (msg->output_verbosity < 0)
 	{
 		charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
-									 NULL, NULL, 0, FALSE);
-+									 NULL, NULL, NULL, NULL, 0, FALSE);
+-									 NULL, NULL, 0, 0, FALSE);
+									 NULL, NULL, NULL, NULL, 0, 0, FALSE);
 	}
 	else
 	{
-@@ -116,7 +116,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
+@@ -117,7 +117,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg
 		status_t status;
 
 		status = charon->controller->initiate(charon->controller,
 -							peer_cfg, child_cfg, (controller_cb_t)stroke_log,
 +							peer_cfg, child_cfg, NULL, NULL,
 +							(controller_cb_t)stroke_log,
- 							&info, this->timeout, FALSE);
+ 							&info, msg->output_verbosity, this->timeout, FALSE);
 		switch (status)
 		{
 diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
-index b6cfda082..115e0a82e 100644
+index b033c832c..f8d1be745 100644
 --- a/src/libcharon/plugins/uci/uci_control.c
 +++ b/src/libcharon/plugins/uci/uci_control.c
-@@ -147,6 +147,7 @@ static void initiate(private_uci_control_t *this, char *name)
+@@ -147,7 +147,8 @@ static void initiate(private_uci_control_t *this, char *name)
+ 		enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
 		if (enumerator->enumerate(enumerator, &child_cfg) &&
 			charon->controller->initiate(charon->controller, peer_cfg,
- 								child_cfg->get_ref(child_cfg),
-+								NULL, NULL,
- 								controller_cb_empty, NULL, 0, FALSE) == SUCCESS)
+-							child_cfg->get_ref(child_cfg), controller_cb_empty,
+							child_cfg->get_ref(child_cfg), NULL, NULL,
+							controller_cb_empty,
+ 							NULL, LEVEL_SILENT, 0, FALSE) == SUCCESS)
 		{
 			write_fifo(this, "connection '%s' established\n", name);
 diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
-index 3a783b822..ea9a5c6b2 100644
+index 522122562..b1486e337 100644
 --- a/src/libcharon/plugins/vici/vici_config.c
 +++ b/src/libcharon/plugins/vici/vici_config.c
-@@ -2216,7 +2216,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
+@@ -2252,7 +2252,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
 		DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg));
 		charon->controller->initiate(charon->controller,
 					peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg),
-					NULL, NULL, 0, FALSE);
-+					NULL, NULL, NULL, NULL, 0, FALSE);
+-					NULL, NULL, 0, 0, FALSE);
+					NULL, NULL, NULL, NULL, 0, 0, FALSE);
 	}
 }
 
 diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
-index 4c09b578d..4c00c2be5 100644
+index 1c236d249..b3a76efa2 100644
 --- a/src/libcharon/plugins/vici/vici_control.c
 +++ b/src/libcharon/plugins/vici/vici_control.c
-@@ -16,6 +16,28 @@
+@@ -15,6 +15,28 @@
  * for more details.
  */
 
@@ -315,7 +316,7 @@ index 4c09b578d..4c00c2be5 100644
 #include "vici_control.h"
 #include "vici_builder.h"
 
-@@ -174,9 +196,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
+@@ -173,9 +195,12 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out)
 CALLBACK(initiate, vici_message_t*,
 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
 {
@@ -328,7 +329,7 @@ index 4c09b578d..4c00c2be5 100644
 	int timeout;
 	bool limits;
 	controller_cb_t log_cb = NULL;
-@@ -190,6 +215,8 @@ CALLBACK(initiate, vici_message_t*,
+@@ -189,6 +214,8 @@ CALLBACK(initiate, vici_message_t*,
 	timeout = request->get_int(request, 0, "timeout");
 	limits = request->get_bool(request, FALSE, "init-limits");
 	log.level = request->get_int(request, 1, "loglevel");
@@ -337,7 +338,7 @@ index 4c09b578d..4c00c2be5 100644
 
 	if (!child && !ike)
 	{
-@@ -203,28 +230,48 @@ CALLBACK(initiate, vici_message_t*,
+@@ -202,28 +229,48 @@ CALLBACK(initiate, vici_message_t*,
 	type = child ? "CHILD_SA" : "IKE_SA";
 	sa = child ?: ike;
 
@@ -361,10 +362,9 @@ index 4c09b578d..4c00c2be5 100644
 +		msg = send_reply(this, "%s config '%s' not found", type, sa);
 +		goto ret;
 	}
- 	switch (charon->controller->initiate(charon->controller, peer_cfg,
-									child_cfg, log_cb, &log, timeout, limits))
-+				 child_cfg, my_host, other_host,
-+				log_cb, &log, timeout, limits))
+ 	switch (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
+										 my_host, other_host,
+ 										 log_cb, &log, log.level, timeout, limits))
 	{
 		case SUCCESS:
 -			return send_reply(this, NULL);
@@ -392,37 +392,37 @@ index 4c09b578d..4c00c2be5 100644
 +	return msg;
 }
 
- CALLBACK(terminate, vici_message_t*,
+ /**
 diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
-index 6a72499d3..eb0ad3846 100644
+index ed493bc76..9a1cdcda4 100644
 --- a/src/libcharon/processing/jobs/initiate_mediation_job.c
 +++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
-@@ -137,6 +137,7 @@ METHOD(job_t, initiate, job_requeue_t,
+@@ -138,6 +138,7 @@ METHOD(job_t, initiate, job_requeue_t,
 		mediation_cfg->get_ref(mediation_cfg);
 
 		if (charon->controller->initiate(charon->controller, mediation_cfg, NULL,
-+				NULL, NULL,
- 				(controller_cb_t)initiate_callback, this, 0, FALSE) != SUCCESS)
+							NULL, NULL,
+ 							(controller_cb_t)initiate_callback, this, LEVEL_CTRL,
+ 							0, FALSE) != SUCCESS)
 		{
- 			mediation_cfg->destroy(mediation_cfg);
 diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
-index 31e154a77..0371293b1 100644
+index 122e5cee9..dec458c84 100644
 --- a/src/libcharon/processing/jobs/start_action_job.c
 +++ b/src/libcharon/processing/jobs/start_action_job.c
-@@ -83,7 +83,7 @@ METHOD(job_t, execute, job_requeue_t,
+@@ -84,7 +84,7 @@ METHOD(job_t, execute, job_requeue_t,
 				charon->controller->initiate(charon->controller,
 											 peer_cfg->get_ref(peer_cfg),
 											 child_cfg->get_ref(child_cfg),
-											 NULL, NULL, 0, FALSE);
-+											 NULL, NULL, NULL, NULL, 0, FALSE);
+-											 NULL, NULL, 0, 0, FALSE);
+											 NULL, NULL, NULL, NULL, 0, 0, FALSE);
 			}
 		}
 		children->destroy(children);
 diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
-index fe615a6bc..5839f8827 100644
+index fc31c2a7c..0836b8c78 100644
 --- a/src/libcharon/sa/ike_sa_manager.c
 +++ b/src/libcharon/sa/ike_sa_manager.c
-@@ -17,6 +17,28 @@
+@@ -16,6 +16,28 @@
  * for more details.
  */
 
@@ -451,7 +451,7 @@ index fe615a6bc..5839f8827 100644
 #include <string.h>
 #include <inttypes.h>
 
-@@ -1495,7 +1517,8 @@ typedef struct {
+@@ -1497,7 +1519,8 @@ typedef struct {
 } config_entry_t;
 
 METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -461,7 +461,7 @@ index fe615a6bc..5839f8827 100644
 {
 	enumerator_t *enumerator;
 	entry_t *entry;
-@@ -1506,7 +1529,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1508,7 +1531,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 	u_int segment;
 	int i;
 
@@ -479,7 +479,7 @@ index fe615a6bc..5839f8827 100644
 
 	if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
 	{	/* IKE_SA reuse disabled by config (not possible for IKEv1) */
-@@ -1564,6 +1596,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1566,6 +1598,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 			continue;
 		}
 
@@ -495,7 +495,7 @@ index fe615a6bc..5839f8827 100644
 		current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
 		if (current_peer && current_peer->equals(current_peer, peer_cfg))
 		{
-@@ -1590,6 +1631,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
+@@ -1592,6 +1633,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
 		{
 			ike_sa->set_peer_cfg(ike_sa, peer_cfg);
 			checkout_new(this, ike_sa);
@@ -507,10 +507,10 @@ index fe615a6bc..5839f8827 100644
 	}
 	charon->bus->set_sa(charon->bus, ike_sa);
 diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
-index d87ba2d68..ba4f2c7e7 100644
+index 004cc2216..56ef869be 100644
 --- a/src/libcharon/sa/ike_sa_manager.h
 +++ b/src/libcharon/sa/ike_sa_manager.h
-@@ -122,7 +122,8 @@ struct ike_sa_manager_t {
+@@ -123,7 +123,8 @@ struct ike_sa_manager_t {
 	ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
 
 	/**
@@ -520,7 +520,7 @@ index d87ba2d68..ba4f2c7e7 100644
 	 *
 	 * To initiate, a CHILD_SA may be established within an existing IKE_SA.
 	 * This call checks for an existing IKE_SA by comparing the configuration.
-@@ -135,9 +136,12 @@ struct ike_sa_manager_t {
+@@ -136,9 +137,12 @@ struct ike_sa_manager_t {
 	 * @note The peer_config is always set on the returned IKE_SA.
 	 *
 	 * @param peer_cfg			configuration used to find an existing IKE_SA
@@ -535,10 +535,10 @@ index d87ba2d68..ba4f2c7e7 100644
 	/**
 	 * Reset initiator SPI.
 diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
-index e45c8ff3f..58a956a78 100644
+index d8d8a421a..f458ee0f1 100644
 --- a/src/libcharon/sa/trap_manager.c
 +++ b/src/libcharon/sa/trap_manager.c
-@@ -522,7 +522,7 @@ METHOD(trap_manager_t, acquire, void,
+@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
 	peer_cfg_t *peer;
 	child_cfg_t *child;
 	ike_sa_t *ike_sa;
@@ -547,7 +547,7 @@ index e45c8ff3f..58a956a78 100644
 	bool wildcard, ignore = FALSE;
 
 	this->lock->read_lock(this->lock);
-@@ -599,36 +599,26 @@ METHOD(trap_manager_t, acquire, void,
+@@ -600,36 +600,26 @@ METHOD(trap_manager_t, acquire, void,
 	this->lock->unlock(this->lock);
 
 	if (wildcard)
@@ -601,10 +601,10 @@ index e45c8ff3f..58a956a78 100644
 
 	if (ike_sa)
 diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
-index 8ade8bf41..03b2cb0f4 100644
+index e0fffb907..dcaded59d 100644
 --- a/src/swanctl/commands/initiate.c
 +++ b/src/swanctl/commands/initiate.c
-@@ -13,6 +13,28 @@
+@@ -14,6 +14,28 @@
  * for more details.
  */
 
@@ -633,7 +633,7 @@ index 8ade8bf41..03b2cb0f4 100644
 #include "command.h"
 
 #include <errno.h>
-@@ -37,7 +59,7 @@ static int initiate(vici_conn_t *conn)
+@@ -38,7 +60,7 @@ static int initiate(vici_conn_t *conn)
 	vici_req_t *req;
 	vici_res_t *res;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
@@ -642,7 +642,7 @@ index 8ade8bf41..03b2cb0f4 100644
 	int ret = 0, timeout = 0, level = 1;
 
 	while (TRUE)
-@@ -64,6 +86,12 @@ static int initiate(vici_conn_t *conn)
+@@ -65,6 +87,12 @@ static int initiate(vici_conn_t *conn)
 			case 'l':
 				level = atoi(arg);
 				continue;
@@ -655,7 +655,7 @@ index 8ade8bf41..03b2cb0f4 100644
 			case EOF:
 				break;
 			default:
-@@ -87,6 +115,14 @@ static int initiate(vici_conn_t *conn)
+@@ -88,6 +116,14 @@ static int initiate(vici_conn_t *conn)
 	{
 		vici_add_key_valuef(req, "ike", "%s", ike);
 	}
@@ -670,7 +670,7 @@ index 8ade8bf41..03b2cb0f4 100644
 	if (timeout)
 	{
 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
-@@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg()
+@@ -134,6 +170,8 @@ static void __attribute__ ((constructor))reg()
 			{"help",		'h', 0, "show usage information"},
 			{"child",		'c', 1, "initiate a CHILD_SA configuration"},
 			{"ike",			'i', 1, "initiate an IKE_SA, or name of child's parent"},
@@ -680,5 +680,5 @@ index 8ade8bf41..03b2cb0f4 100644
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 -- 
-2.36.1
+2.41.0

--- a/0002-vici-send-certificates-for-ike-sa-events.patch
+++ b/0002-vici-send-certificates-for-ike-sa-events.patch
@@ -1,4 +1,4 @@
-From d357d62bf0661294e063cec94d48ca929f119351 Mon Sep 17 00:00:00 2001
+From 0a1ee45f16f61cb68f526aeacd58ed275e7d8c48 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:05 +0300
 Subject: [PATCH 2/3] vici: send certificates for ike-sa events
@@ -12,10 +12,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 1 file changed, 42 insertions(+), 8 deletions(-)

 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index c35f4e1a9..001631e99 100644
+index bacb7b101..19acc0789 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -403,7 +403,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
+@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
  * List details of an IKE_SA
  */
 static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,7 +24,7 @@ index c35f4e1a9..001631e99 100644
 {
 	time_t t;
 	ike_sa_id_t *id;
-@@ -412,6 +412,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	uint32_t if_id;
 	uint16_t alg, ks;
 	host_t *host;
@@ -33,7 +33,7 @@ index c35f4e1a9..001631e99 100644
 
 	b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
 	b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
-@@ -421,11 +423,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
+@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
 	b->add_kv(b, "local-host", "%H", host);
 	b->add_kv(b, "local-port", "%d", host->get_port(host));
 	b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index c35f4e1a9..001631e99 100644
 
 	eap = ike_sa->get_other_eap_id(ike_sa);
 
-@@ -557,7 +591,7 @@ CALLBACK(list_sas, vici_message_t*,
+@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
 		b = vici_builder_create();
 		b->begin_section(b, ike_sa->get_name(ike_sa));
 
@@ -86,7 +86,7 @@ index c35f4e1a9..001631e99 100644
 
 		b->begin_section(b, "child-sas");
 		csas = ike_sa->create_child_sa_enumerator(ike_sa);
-@@ -1775,7 +1809,7 @@ METHOD(listener_t, ike_updown, bool,
+@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
 	}
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index c35f4e1a9..001631e99 100644
 	b->end_section(b);
 
 	this->dispatcher->raise_event(this->dispatcher,
-@@ -1800,10 +1834,10 @@ METHOD(listener_t, ike_rekey, bool,
+@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
 	b = vici_builder_create();
 	b->begin_section(b, old->get_name(old));
 	b->begin_section(b, "old");
@@ -108,7 +108,7 @@ index c35f4e1a9..001631e99 100644
 	b->end_section(b);
 	b->end_section(b);
 
-@@ -1834,7 +1868,7 @@ METHOD(listener_t, ike_update, bool,
+@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
 	b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -117,7 +117,7 @@ index c35f4e1a9..001631e99 100644
 	b->end_section(b);
 
 	this->dispatcher->raise_event(this->dispatcher,
-@@ -1864,7 +1898,7 @@ METHOD(listener_t, child_updown, bool,
+@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
 	}
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -126,7 +126,7 @@ index c35f4e1a9..001631e99 100644
 	b->begin_section(b, "child-sas");
 
 	snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
-@@ -1899,7 +1933,7 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
 	b = vici_builder_create();
 
 	b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -136,5 +136,5 @@ index c35f4e1a9..001631e99 100644
 
 	b->begin_section(b, old->get_name(old));
 -- 
-2.36.1
+2.41.0

--- a/0003-vici-add-support-for-individual-sa-state-changes.patch
+++ b/0003-vici-add-support-for-individual-sa-state-changes.patch
@@ -1,4 +1,4 @@
-From 0a5809a8807c5160ee86da2c1c1586b23d98f04e Mon Sep 17 00:00:00 2001
+From 39f70df4d1846f9044c270fa8cb6149d42067736 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Mon, 21 Sep 2015 13:42:11 +0300
 Subject: [PATCH 3/3] vici: add support for individual sa state changes
@@ -14,10 +14,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
 1 file changed, 106 insertions(+)

 diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
-index 001631e99..8010d8da8 100644
+index 19acc0789..fa1aca953 100644
 --- a/src/libcharon/plugins/vici/vici_query.c
 +++ b/src/libcharon/plugins/vici/vici_query.c
-@@ -1775,8 +1775,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
+@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
 	this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
 	this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
 	this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
@@ -34,7 +34,7 @@ index 001631e99..8010d8da8 100644
 	manage_command(this, "list-sas", list_sas, reg);
 	manage_command(this, "list-policies", list_policies, reg);
 	manage_command(this, "list-conns", list_conns, reg);
-@@ -1877,6 +1885,46 @@ METHOD(listener_t, ike_update, bool,
+@@ -1876,6 +1884,46 @@ METHOD(listener_t, ike_update, bool,
 	return TRUE;
 }
 
@@ -81,7 +81,7 @@ index 001631e99..8010d8da8 100644
 METHOD(listener_t, child_updown, bool,
 	private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
 {
-@@ -1956,6 +2004,62 @@ METHOD(listener_t, child_rekey, bool,
+@@ -1955,6 +2003,62 @@ METHOD(listener_t, child_rekey, bool,
 	return TRUE;
 }
 
@@ -144,7 +144,7 @@ index 001631e99..8010d8da8 100644
 METHOD(vici_query_t, destroy, void,
 	private_vici_query_t *this)
 {
-@@ -1976,8 +2080,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
+@@ -1975,8 +2079,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
 				.ike_updown = _ike_updown,
 				.ike_rekey = _ike_rekey,
 				.ike_update = _ike_update,
@@ -156,5 +156,5 @@ index 001631e99..8010d8da8 100644
 			.destroy = _destroy,
 		},
 -- 
-2.36.1
+2.41.0

--- a/4
+++ b/4
@@ -1,2 +1,2 @@
-SHA512 (strongswan-5.9.9.tar.bz2) = 7f5d94527193ce7716292f30db75303a0594169647e41e8c9530a7dedd914ad7fecf94885356738fd54d3781a066fa591c621d531923b20780b1fca76ad7bd46
-SHA512 (strongswan-5.9.9.tar.bz2.sig) = b2aba6e7cf1add4cf1c891dbd77e658d338c80abb2a1c6efcf5a23c65ff71d6b63857daa6613fae21b4d23adc0ef0df9d6e245198cd799bdf5534da097050d0e
+SHA512 (strongswan-5.9.11.tar.bz2) = d500523215f5ec5c5550c4d2c49060b350ae396d8c60170792c46775d04fc7a132aa70a6242145477753668351d26ed957e08903683ecc340aa8d84fb2ae5498
+SHA512 (strongswan-5.9.11.tar.bz2.sig) = a434dc338641c808d3461de17c893a0d3b761cdba6cea5db0551fc75df498cfae26db379a86fd2a0a0e7710676a1cd657c01da435054a6814ec4ce6099db2b68
--- a/strongswan-5.9.9-man-paths.patch
+++ b/strongswan-5.9.9-man-paths.patch
@@ -1,348 +0,0 @@
-From 111cbd3d2ca4385d326db333ee86843ada652663 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Mon, 16 Jan 2023 19:38:17 +0100
-Subject: [PATCH] Make manual paths follow build configuration
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use build-configured paths in manual pages instead of default values.
-Makes easier customization to non-default values as done on Fedora for
-example.
-
-Squashed commit of the following:
-
-commit e99de2aee9f26e3ab97d88902308107d9f048acd
-Merge: 8effb06d6 29e324709
-Author: Tobias Brunner <tobias@strongswan.org>
-Date:   Mon Jan 16 11:41:17 2023 +0100
-
-    Merge branch 'man-sysconfdir'
-
-    Closes strongswan/strongswan#1511
-
-commit 29e32470974aea614c2486c2982767bd62670063
-Author: Tobias Brunner <tobias@strongswan.org>
-Date:   Mon Jan 16 11:39:29 2023 +0100
-
-    swanctl: Don't use hard-coded path to sysconfdir
-
-commit 1c0b14baa3c04606ad9357dfc658d11f0f96ca65
-Author: Tobias Brunner <tobias@strongswan.org>
-Date:   Mon Jan 16 11:37:27 2023 +0100
-
-    conf: Add swanctl.conf and swanctl man pages to SEE ALSO
-
-commit 7e43a5f3d28424abfb648b7afd24e25a042efd24
-Author: Tobias Brunner <tobias@strongswan.org>
-Date:   Mon Jan 16 11:35:42 2023 +0100
-
-    conf: Replace hard-coded /etc where appropriate
-
-    Also document the actual value of ${sysconfdir}.
-
-commit ee046552bb1f3c98d89837d58f7da7d83c8fbb82
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Sun Jan 15 16:55:45 2023 +0100
-
-    man: Use configured path for config files in man pages
-
-commit ab4ed21b5cb28eafbc29b09523b062bee159a0d0
-Author: Petr Menšík <pemensik@redhat.com>
-Date:   Sun Jan 15 16:17:07 2023 +0100
-
-    ipsec: Include IPSEC_CONFDIR variable replacement in man page
-
-    Fedora has chosena different default directory to avoid conflicts with
-    libreswan. Use ${sysconfdir} variable to provide the correct location.
---
- conf/options/charon.opt            |  4 ++--
- conf/plugins/unbound.opt           |  2 +-
- conf/strongswan.conf.5.tail.in     | 10 ++++++----
- man/ipsec.conf.5.in                | 22 +++++++++++-----------
- man/ipsec.secrets.5.in             |  8 ++++----
- src/ipsec/Makefile.am              |  1 +
- src/ipsec/_ipsec.8.in              | 20 ++++++++++----------
- src/swanctl/swanctl.conf.5.tail.in |  2 +-
- 8 files changed, 36 insertions(+), 33 deletions(-)
-
-diff --git a/conf/options/charon.opt b/conf/options/charon.opt
-index 00949222a..72efd17de 100644
--- a/conf/options/charon.opt
-+++ b/conf/options/charon.opt
-@@ -38,8 +38,8 @@ charon.cert_cache = yes
- charon.cache_crls = no
- 	Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should
- 	be saved under a unique file name derived from the public key of the
-	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
-	**/etc/swanctl/x509crl** (vici), respectively.
-+	Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or
-+	**${sysconfdir}/swanctl/x509crl** (vici), respectively.
- 
- charon.check_current_path = no
- 	Whether to use DPD to check if the current path still works after any
-diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt
-index f8ca9ca12..007797310 100644
--- a/conf/plugins/unbound.opt
-+++ b/conf/plugins/unbound.opt
-@@ -1,7 +1,7 @@
- charon.plugins.unbound.resolv_conf = /etc/resolv.conf
- 	File to read DNS resolver configuration from.
- 
-charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys
-+charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys
- 	File to read DNSSEC trust anchors from (usually root zone KSK).
- 
- 	File to read DNSSEC trust anchors from (usually root zone KSK). The format
-diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in
-index baad476d1..74bbd8eec 100644
--- a/conf/strongswan.conf.5.tail.in
-+++ b/conf/strongswan.conf.5.tail.in
-@@ -458,6 +458,7 @@ The variables used above are configured as follows:
- .na
- ${piddir}               @piddir@
- ${prefix}               @prefix@
-+${sysconfdir}           @sysconfdir@
- ${random_device}        @random_device@
- ${urandom_device}       @urandom_device@
- .ad
-@@ -467,18 +468,19 @@ ${urandom_device}       @urandom_device@
- .
- .nf
- .na
-/etc/strongswan.conf       configuration file
-/etc/strongswan.d/         directory containing included config snippets
-/etc/strongswan.d/charon/  plugin specific config snippets
-+@sysconfdir@/strongswan.conf       configuration file
-+@sysconfdir@/strongswan.d/         directory containing included config snippets
-+@sysconfdir@/strongswan.d/charon/  plugin specific config snippets
- .ad
- .fi
- .
- .SH SEE ALSO
-+\fBswanctl.conf\fR(5), \fBswanctl\fR(8),
- \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8)
- 
- .SH HISTORY
- Written for the
-.UR http://www.strongswan.org
-+.UR https://www.strongswan.org
- strongSwan project
- .UE
- by Tobias Brunner, Andreas Steffen and Martin Willi.
-diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
-index ced12680f..4e256538e 100644
--- a/man/ipsec.conf.5.in
-+++ b/man/ipsec.conf.5.in
-@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only).
- .BR leftcert " = <path>"
- the path to the left participant's X.509 certificate. The file can be encoded
- either in PEM or DER format. OpenPGP certificates are supported as well.
-Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-+Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
- are accepted. By default
- .B leftcert
- sets
-@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either
- the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
- respectively.
- Also accepted is the path to a file containing the public key in PEM, DER or SSH
-encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
-+encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP
- are accepted.
- .TP
- .BR leftsendcert " = never | no | " ifasked " | always | yes"
-@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID.
- .SH "CA SECTIONS"
- These are optional sections that can be used to assign special
- parameters to a Certification Authority (CA). Because the daemons
-automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP,
-+automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP,
- there is no need to explicitly add them with a CA section, unless you
- want to assign special parameters (like a CRL) to a CA.
- .TP
-@@ -1235,7 +1235,7 @@ currently can have either the value
- .TP
- .BR cacert " = <path>"
- defines a path to the CA certificate either relative to
-\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
-+\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path.
- .br
- A value in the form
- .B %smartcard[<slot nr>[@<module>]]:<keyid>
-@@ -1284,7 +1284,7 @@ section are:
- .BR cachecrls " = yes | " no
- if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will
- be cached in
-.I /etc/ipsec.d/crls/
-+.I @sysconfdir@/ipsec.d/crls/
- under a unique file name derived from the certification authority's public key.
- .TP
- .BR charondebug " = <debug list>"
-@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled.
- 
- .SH FILES
- .nf
-/etc/ipsec.conf
-/etc/ipsec.d/aacerts
-/etc/ipsec.d/acerts
-/etc/ipsec.d/cacerts
-/etc/ipsec.d/certs
-/etc/ipsec.d/crls
-+@sysconfdir@/ipsec.conf
-+@sysconfdir@/ipsec.d/aacerts
-+@sysconfdir@/ipsec.d/acerts
-+@sysconfdir@/ipsec.d/cacerts
-+@sysconfdir@/ipsec.d/certs
-+@sysconfdir@/ipsec.d/crls
- 
- .SH SEE ALSO
- strongswan.conf(5), ipsec.secrets(5), ipsec(8)
-diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in
-index 15e36faff..c54e1a18b 100644
--- a/man/ipsec.secrets.5.in
-+++ b/man/ipsec.secrets.5.in
-@@ -15,7 +15,7 @@ Here is an example.
- .LP
- .RS
- .nf
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-+# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file
- 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL"
- 
- : RSA moonKey.pem
-@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data.
- .TQ
- .B : ECDSA <private key file> [ <passphrase> | %prompt ]
- For the private key file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the private key file is
-+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is
- encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
- .B %prompt
- can be used which then causes the daemon to ask the user for the password
-@@ -148,7 +148,7 @@ whenever it is required to decrypt the key.
- .TP
- .B : P12 <PKCS#12 file> [ <passphrase> | %prompt ]
- For the PKCS#12 file both absolute paths or paths relative to
-\fI/etc/ipsec.d/private\fP are accepted. If the container is
-+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is
- encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase
- .B %prompt
- can be used which then causes the daemon to ask the user for the password
-@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code.
- .LP
- 
- .SH FILES
-/etc/ipsec.secrets
-+@sysconfdir@/ipsec.secrets
- .SH SEE ALSO
- ipsec.conf(5), strongswan.conf(5), ipsec(8)
- .br
-diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
-index 0ab9ab27c..656eba49b 100644
--- a/src/ipsec/Makefile.am
-+++ b/src/ipsec/Makefile.am
-@@ -10,6 +10,7 @@ _ipsec.8 : _ipsec.8.in
- 	-e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \
- 	-e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \
- 	-e "s:@IPSEC_DIR@:$(ipsecdir):" \
-+	-e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
- 	$(srcdir)/$@.in > $@
- 
- _ipsec : _ipsec.in
-diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
-index bfc4d50c2..de00d3075 100644
--- a/src/ipsec/_ipsec.8.in
-+++ b/src/ipsec/_ipsec.8.in
-@@ -145,25 +145,25 @@ locally by the IKE daemon or received via the IKE protocol.
- .TP
- .BI "listcacerts [" --utc ]
- returns a list of X.509 Certification Authority (CA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP
-+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP
- directory or received via the IKE protocol.
- .
- .TP
- .BI "listaacerts [" --utc ]
- returns a list of X.509 Authorization Authority (AA) certificates that were
-loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP
-+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP
- directory.
- .
- .TP
- .BI "listocspcerts [" --utc ]
- returns a list of X.509 OCSP Signer certificates that were either loaded
-locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
-+locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
- directory or were sent by an OCSP server.
- .
- .TP
- .BI "listacerts [" --utc ]
- returns a list of X.509 Attribute certificates that were loaded locally by
-the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
-+the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory.
- .
- .TP
- .BI "listgroups [" --utc ]
-@@ -179,7 +179,7 @@ sections in \fIipsec.conf\fP.
- .TP
- .BI "listcrls [" --utc ]
- returns a list of Certificate Revocation Lists (CRLs) that were either loaded
-by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from
-+by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from
- an HTTP- or LDAP-based CRL distribution point.
- .
- .TP
-@@ -211,7 +211,7 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
- .TP
- .B "rereadcacerts"
- removes previously loaded CA certificates, reads all certificate files
-contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
-+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list
- of Certification Authority (CA) certificates. This does not affect certificates
- explicitly defined in a
- .BR ipsec.conf (5)
-@@ -220,23 +220,23 @@ ca section, which may be separately updated using the \fBupdate\fP command.
- .TP
- .B "rereadaacerts"
- removes previously loaded AA certificates, reads all certificate files
-contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
-+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list
- of Authorization Authority (AA) certificates.
- .
- .TP
- .B "rereadocspcerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
-+reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP
- directory and adds them to the list of OCSP signer certificates.
- .
- .TP
- .B "rereadacerts"
-reads all certificate files contained in the  \fI/etc/ipsec.d/acerts/\fP
-+reads all certificate files contained in the  \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP
- directory and adds them to the list of attribute certificates.
- .
- .TP
- .B "rereadcrls"
- reads  all Certificate  Revocation Lists (CRLs) contained in the
-\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
-+\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
- .
- .TP
- .B "rereadall"
-diff --git a/src/swanctl/swanctl.conf.5.tail.in b/src/swanctl/swanctl.conf.5.tail.in
-index 4d24608da..036443843 100644
--- a/src/swanctl/swanctl.conf.5.tail.in
-+++ b/src/swanctl/swanctl.conf.5.tail.in
-@@ -2,7 +2,7 @@
- .
- .nf
- .na
-/etc/swanctl/swanctl.conf       configuration file
-+@sysconfdir@/swanctl/swanctl.conf       configuration file
- .ad
- .fi
- .
-- 
-2.39.0
-
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -16,8 +16,8 @@
 %global forgeurl0 https://github.com/strongswan/strongswan

 Name:           strongswan
-Version:        5.9.9
-Release:        2%{?dist}
+Version:        5.9.11
+Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN and TNC solution
 License:        GPLv2+
 URL:            https://www.strongswan.org/
@@ -29,9 +29,6 @@ Source3:        tmpfiles-strongswan.conf
 Patch0:         strongswan-5.6.0-uintptr_t.patch
 # https://github.com/strongswan/strongswan/issues/1198
 Patch1:         strongswan-5.9.7-error-no-format.patch
-# https://github.com/strongswan/strongswan/pull/1511
-# https://github.com/strongswan/strongswan/commit/e99de2aee9f26e3ab97d88902308107d9f048acd
-Patch2:         strongswan-5.9.9-man-paths.patch

 Patch10:        0001-charon-add-optional-source-and-remote-overrides-for-.patch
 Patch11:        0002-vici-send-certificates-for-ike-sa-events.patch
@@ -67,7 +64,7 @@ BuildRequires:  python3-pytest
 %endif

 %if %{with perl}
-BuildRequires:  perl-devel perl-macros
+BuildRequires:  perl-devel perl-generators
 BuildRequires:  perl(ExtUtils::MakeMaker)
 %endif

@@ -424,12 +421,28 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
 %endif

 %changelog
+* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
+- Resolves: rhbz#2214186 strongswan-5.9.11 is available
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
+- Rebuilt for Python 3.12
+
+* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
+- Update to 5.9.10
+
+* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
+- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
+
 * Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
 - Use configure paths in manual pages (#2106120)

 * Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
 - Update to 5.9.9 (#2157850)

+* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
+- Add BR perl-generators to automatically generates run-time dependencies
+  for installed Perl files
+
 * Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
 - Resolves rhbz#2112274 strongswan-5.9.8 is available
 - Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
Author	SHA1	Message	Date
Zoran Peričić	a73d66bfb3	Patch vici for NHRP	2023-08-25 15:09:27 +02:00
Paul Wouters	d1f70ecd8c	new sources	2023-07-17 11:26:05 -04:00
Paul Wouters	9d159bf0d0	- Resolves: rhbz#2214186 strongswan-5.9.11 is available	2023-07-14 13:45:25 -04:00
Python Maint	f779b6c7bb	Rebuilt for Python 3.12	2023-06-13 23:05:47 +02:00
Paul Wouters	9d642ad352	no longer use patches merged upstream	2023-03-02 11:02:38 -05:00
Paul Wouters	0132cc5668	- Update to 5.9.10	2023-03-02 10:24:58 -05:00
Paul Wouters	33fb3b13a3	- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods	2023-02-28 17:38:50 -05:00
Petr Menšík	6000262f47	Use configure paths in manual pages (#2106120 )	2023-01-16 19:46:37 +01:00
Petr Menšík	d7206ab591	Switch all URLs to https Include also github repository link in package to simplify upstream changes tracking.	2023-01-16 14:04:39 +01:00
Petr Menšík	585aca3015	Update to 5.9.9 (#2157850 )	2023-01-15 15:33:16 +01:00
Jitka Plesnikova	ea8056eb33	Add BR perl-generators to automatically generates run-time dependencies for installed Perl files	2022-12-08 16:46:43 +01:00