import OL NetworkManager-libreswan-1.2.27-2.el10_1

.NetworkManager-libreswan.metadata

@@ -1 +0,0 @@
-a3ec22a8e76f3358d9f69dc505d22267e936dbae SOURCES/NetworkManager-libreswan-1.2.10.tar.xz

.gitignore

@@ -1 +1 @@
-SOURCES/NetworkManager-libreswan-1.2.10.tar.xz
+NetworkManager-libreswan-1.2.27.tar.xz

0001-Export-esp-option.patch

@@ -0,0 +1,43 @@
+From ce3b4049ce916d23b7c8e57d43765e7eb044779b Mon Sep 17 00:00:00 2001
+From: Gris Ge <fge@redhat.com>
+Date: Mon, 13 Oct 2025 17:48:07 +0800
+Subject: [PATCH] Export `esp` option
+
+Unit test case updated.
+
+Resolves: https://issues.redhat.com/browse/RHEL-119653
+
+Signed-off-by: Gris Ge <fge@redhat.com>
+---
+ shared/test-utils.c | 1 +
+ shared/utils.c      | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/shared/test-utils.c b/shared/test-utils.c
+index 76c903e..16a96d1 100644
+--- a/shared/test-utils.c
++++ b/shared/test-utils.c
+@@ -199,6 +199,7 @@ test_config_write (void)
+ 	                 " salifetime=24h\n"
+ 	                 " rightsubnet=0.0.0.0/0\n"
+ 	                 " rekey=yes\n"
++	                 " esp=aes_gcm256\n"
+ 	                 " phase2alg=aes_gcm256\n"
+ 	                 " keyingtries=1\n"
+ 	                 " leftxauthclient=yes\n"
+diff --git a/shared/utils.c b/shared/utils.c
+index cdaaaf0..ac735a5 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -338,7 +338,7 @@ static const struct LibreswanParam params[] = {
+ 
+ 	/* Special. */
+ 	{ NM_LIBRESWAN_KEY_REKEY,                      add_rekey,             PARAM_PRINTABLE },
+-	{ NM_LIBRESWAN_KEY_ESP,                        add                    },
++	{ NM_LIBRESWAN_KEY_ESP,                        add,                   PARAM_PRINTABLE },
+ 
+ 	/* Used internally or just ignored altogether. */
+ 	{ NM_LIBRESWAN_KEY_VENDOR,                     add,                   PARAM_IGNORE },
+-- 
+2.51.0
+

0002-fix-psk-auth-when-leftid-starts-with-at.patch

@@ -0,0 +1,425 @@
+From 50d0fc5a265b63fe14eac8e82560012ad112e4b7 Mon Sep 17 00:00:00 2001
+From: Gris Ge <fge@redhat.com>
+Date: Wed, 15 Oct 2025 16:06:19 +0800
+Subject: [PATCH 1/2] Fix PSK authentication when leftid starts with `@`
+
+When `leftid` starts with `@`, the
+`/etc/ipsec.d/ipsec-<$connection_uuid>.secrets` file created will
+contains content like:
+
+```
+@@cli-a.example.org: PSK "LONG_PSK_STRING"
+```
+
+To fix that issue, change both `nm_libreswan_get_ipsec_conf()` and
+`nm_libreswan_config_psk_write()` to accept sanitized NmSettingVPN only.
+
+The `nm_libreswan_config_psk_write()` will not adding any leading `@`
+anymore since the leftid is already sanitized.
+
+Signed-off-by: Gris Ge <fge@redhat.com>
+---
+ shared/test-utils.c        | 65 ++++++++++++++++++++++++++------------
+ shared/utils.c             | 14 +++-----
+ shared/utils.h             |  3 ++
+ src/nm-libreswan-service.c |  8 ++---
+ 4 files changed, 57 insertions(+), 33 deletions(-)
+
+diff --git a/shared/test-utils.c b/shared/test-utils.c
+index 16a96d1..8bf5888 100644
+--- a/shared/test-utils.c
++++ b/shared/test-utils.c
+@@ -30,11 +30,14 @@ test_config_write (void)
+ {
+ 	GError *error = NULL;
+ 	NMSettingVpn *s_vpn;
++	NMSettingVpn *s_vpn_sanitized;
+ 	char *str;
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "con_name", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
++	g_assert_no_error (error);
++	str = nm_libreswan_get_ipsec_conf (4, s_vpn_sanitized, "con_name", NULL, FALSE, TRUE, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_cmpstr (str, ==,
+ 	                 "conn con_name\n"
+@@ -55,11 +58,14 @@ test_config_write (void)
+ 	                 " modecfgpull=yes\n");
+ 	g_free (str);
+ 	g_object_unref (s_vpn);
++	g_object_unref (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+ 	nm_setting_vpn_add_data_item (s_vpn, "dhgroup", "ignored");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "con_name", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
++	g_assert_no_error (error);
++	str = nm_libreswan_get_ipsec_conf (4, s_vpn_sanitized, "con_name", NULL, FALSE, TRUE, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_cmpstr (str, ==,
+ 	                 "conn con_name\n"
+@@ -81,13 +87,16 @@ test_config_write (void)
+ 
+ 	g_free (str);
+ 	g_object_unref (s_vpn);
++	g_object_unref (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "ikev2", "insist");
+ 	nm_setting_vpn_add_data_item (s_vpn, "leftcert", "LibreswanClient");
+ 	nm_setting_vpn_add_data_item (s_vpn, "leftid", "%fromcert");
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn,
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
++	g_assert_no_error (error);
++	str = nm_libreswan_get_ipsec_conf (4, s_vpn_sanitized,
+ 	                                   "f0008435-07af-4836-a53d-b43e8730e68f",
+ 			                   NULL, FALSE, TRUE, &error);
+ 	g_assert_no_error (error);
+@@ -108,13 +117,16 @@ test_config_write (void)
+ 	                 " modecfgpull=yes\n");
+ 	g_free (str);
+ 	g_object_unref (s_vpn);
++	g_object_unref (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "ikev2", "insist");
+ 	nm_setting_vpn_add_data_item (s_vpn, "leftrsasigkey", "hello");
+ 	nm_setting_vpn_add_data_item (s_vpn, "rightrsasigkey", "world");
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
++	g_assert_no_error (error);
++	str = nm_libreswan_get_ipsec_conf (4, s_vpn_sanitized, "conn", NULL, FALSE, TRUE, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_cmpstr (str, ==,
+ 	                 "conn conn\n"
+@@ -131,10 +143,13 @@ test_config_write (void)
+ 	                 " modecfgpull=yes\n");
+ 	g_free (str);
+ 	g_object_unref (s_vpn);
++	g_object_unref (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+-	str = nm_libreswan_get_ipsec_conf (3, s_vpn,
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
++	g_assert_no_error (error);
++	str = nm_libreswan_get_ipsec_conf (3, s_vpn_sanitized,
+ 	                                   "my_con",
+ 			                   "/foo/bar/ifupdown hello 123 456",
+ 	                                   TRUE, FALSE, &error);
+@@ -161,6 +176,7 @@ test_config_write (void)
+ 	                 " nm-configured=yes");
+ 	g_free (str);
+ 	g_object_unref (s_vpn);
++	g_object_unref (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "ikev2", "insist");
+@@ -170,7 +186,9 @@ test_config_write (void)
+ 	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false");
+ 	nm_setting_vpn_add_data_item (s_vpn, "leftsendcert", "always");
+ 	nm_setting_vpn_add_data_item (s_vpn, "rightca", "%same");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
++	g_assert_no_error (error);
++	str = nm_libreswan_get_ipsec_conf (4, s_vpn_sanitized, "conn", NULL, FALSE, TRUE, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_cmpstr (str, ==,
+                          "conn conn\n"
+@@ -182,11 +200,14 @@ test_config_write (void)
+                          " rightca=\"%same\"\n");
+ 	g_free (str);
+ 	g_object_unref (s_vpn);
++	g_object_unref (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+ 	nm_setting_vpn_add_data_item (s_vpn, "esp", "aes_gcm256");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "con_name", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
++	g_assert_no_error (error);
++	str = nm_libreswan_get_ipsec_conf (4, s_vpn_sanitized, "con_name", NULL, FALSE, TRUE, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_cmpstr (str, ==,
+ 	                 "conn con_name\n"
+@@ -209,11 +230,14 @@ test_config_write (void)
+ 	                 " modecfgpull=yes\n");
+ 	g_free (str);
+ 	g_object_unref (s_vpn);
++	g_object_unref (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+ 	nm_setting_vpn_add_data_item (s_vpn, "vendor", "Cisco");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "con_name", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
++	g_assert_no_error (error);
++	str = nm_libreswan_get_ipsec_conf (4, s_vpn_sanitized, "con_name", NULL, FALSE, TRUE, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_cmpstr (str, ==,
+ 	                 "conn con_name\n"
+@@ -235,53 +259,54 @@ test_config_write (void)
+ 	                 " modecfgpull=yes\n");
+ 	g_free (str);
+ 	g_object_unref (s_vpn);
++	g_object_unref (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+ 	g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+-	g_assert_null (str);
+ 	g_clear_error (&error);
+ 	g_object_unref (s_vpn);
++	g_assert_null (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+ 	nm_setting_vpn_add_data_item (s_vpn, "ikev2", "hello world");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+ 	g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+-	g_assert_null (str);
+ 	g_clear_error (&error);
+ 	g_object_unref (s_vpn);
++	g_assert_null (s_vpn_sanitized);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12\n13.14");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+ 	g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+-	g_assert_null (str);
++	g_assert_null (s_vpn_sanitized);
+ 	g_clear_error (&error);
+ 	g_object_unref (s_vpn);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "rightcert", "\"cert\"");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+ 	g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+-	g_assert_null (str);
++	g_assert_null (s_vpn_sanitized);
+ 	g_clear_error (&error);
+ 	g_object_unref (s_vpn);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false");
+ 	nm_setting_vpn_add_data_item (s_vpn, "rightcert", "\"cert\"");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+ 	g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+-	g_assert_null (str);
++	g_assert_null (s_vpn_sanitized);
+ 	g_clear_error (&error);
+ 	g_object_unref (s_vpn);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false");
+-	str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+ 	g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+-	g_assert_null (str);
++	g_assert_null (s_vpn_sanitized);
+ 	g_clear_error (&error);
+ 	g_object_unref (s_vpn);
+ }
+diff --git a/shared/utils.c b/shared/utils.c
+index ac735a5..8dab313 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -384,7 +384,7 @@ check_val (const char *val, gboolean allow_spaces, GError **error)
+ 	return TRUE;
+ }
+ 
+-static NMSettingVpn *
++NMSettingVpn *
+ sanitize_setting_vpn (NMSettingVpn *s_vpn,
+                       GError **error)
+ {
+@@ -458,34 +458,30 @@ sanitize_setting_vpn (NMSettingVpn *s_vpn,
+ 
+ char *
+ nm_libreswan_get_ipsec_conf (int ipsec_version,
+-                             NMSettingVpn *s_vpn,
++                             NMSettingVpn *s_vpn_sanitized,
+                              const char *con_name,
+                              const char *leftupdown_script,
+                              gboolean openswan,
+                              gboolean trailing_newline,
+                              GError **error)
+ {
+-	gs_unref_object NMSettingVpn *sanitized = NULL;
+ 	nm_auto_free_gstring GString *ipsec_conf = NULL;
+ 	const char *val;
+ 	int i;
+ 
+-	g_return_val_if_fail (NM_IS_SETTING_VPN (s_vpn), NULL);
++	g_return_val_if_fail (NM_IS_SETTING_VPN (s_vpn_sanitized), NULL);
+ 	g_return_val_if_fail (!error || !*error, NULL);
+ 	g_return_val_if_fail (con_name && *con_name, NULL);
+ 
+ 	if (!check_val (con_name, FALSE, error))
+ 		return NULL;
+ 
+-	sanitized = sanitize_setting_vpn (s_vpn, error);
+-	if (!sanitized)
+-		return NULL;
+-
+ 	ipsec_conf = g_string_sized_new (1024);
+ 	g_string_append_printf (ipsec_conf, "conn %s\n", con_name);
+ 
+ 	for (i = 0; params[i].name != NULL; i++) {
+-		val = nm_setting_vpn_get_data_item (sanitized, params[i].name);
++		val = nm_setting_vpn_get_data_item (s_vpn_sanitized,
++						    params[i].name);
+ 		if (val == NULL)
+ 			continue;
+ 
+diff --git a/shared/utils.h b/shared/utils.h
+index 67718e9..7832966 100644
+--- a/shared/utils.h
++++ b/shared/utils.h
+@@ -64,4 +64,7 @@ const char *nm_libreswan_find_helper_libexec (const char *progname, GError **err
+ gboolean nm_libreswan_parse_subnets (const char *str, GPtrArray *arr, GError **error);
+ char *nm_libreswan_normalize_subnets (const char *str, GError **error);
+ 
++NMSettingVpn *sanitize_setting_vpn (NMSettingVpn *s_vpn, GError **error);
++
++
+ #endif /* __UTILS_H__ */
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index 7987ada..58ada03 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -522,8 +522,7 @@ nm_libreswan_config_psk_write (NMSettingVpn *s_vpn,
+ 		/* nm_libreswan_get_ipsec_conf() in _connect_common should've checked these. */
+ 		g_return_val_if_fail (strchr (leftid, '"') == NULL, FALSE);
+ 		g_return_val_if_fail (strchr (leftid, '\n') == NULL, FALSE);
+-
+-		secrets = g_strdup_printf ("@%s: PSK \"%s\"", leftid, psk);
++		secrets = g_strdup_printf ("%s: PSK \"%s\"", leftid, psk);
+ 	} else {
+ 		right = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHT);
+ 
+@@ -1757,7 +1756,7 @@ _connect_common (NMVpnServicePlugin   *plugin,
+ {
+ 	NMLibreswanPlugin *self = NM_LIBRESWAN_PLUGIN (plugin);
+ 	NMLibreswanPluginPrivate *priv = NM_LIBRESWAN_PLUGIN_GET_PRIVATE (self);
+-	NMSettingVpn *s_vpn;
++	gs_unref_object NMSettingVpn *s_vpn = NULL;
+ 	const char *con_name = nm_connection_get_uuid (connection);
+ 	gs_free char *ipsec_banner = NULL;
+ 	gs_free char *ifupdown_script = NULL;
+@@ -1795,7 +1794,8 @@ _connect_common (NMVpnServicePlugin   *plugin,
+ 			return FALSE;
+ 	}
+ 
+-	s_vpn = nm_connection_get_setting_vpn (connection);
++	s_vpn = sanitize_setting_vpn(nm_connection_get_setting_vpn (connection),
++				     error);
+ 	g_assert (s_vpn);
+ 
+ 	g_object_get (self, NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, &bus_name, NULL);
+-- 
+2.51.0
+
+
+From 55aa9f0e48acfe1ff5ee06825139bc6bdd59b4cc Mon Sep 17 00:00:00 2001
+From: Gris Ge <fge@redhat.com>
+Date: Fri, 17 Oct 2025 16:58:30 +0800
+Subject: [PATCH 2/2] Copy secrets when sanitizing
+
+The PSK authentication is not wkring because the
+`sanitize_setting_vpn()` never copy secrets.
+
+Fixed by introduce `PARAM_SECRET` and change `sanitize_setting_vpn()` to
+copy secrets.
+
+Signed-off-by: Gris Ge <fge@redhat.com>
+---
+ shared/utils.c | 46 +++++++++++++++++++++++++++++++---------------
+ 1 file changed, 31 insertions(+), 15 deletions(-)
+
+diff --git a/shared/utils.c b/shared/utils.c
+index 8dab313..9cb36be 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -38,6 +38,7 @@ enum LibreswanParamFlags {
+ 	PARAM_OLD	= 0x0010, /* Only include for libreswan < 4. */
+ 	PARAM_NEW	= 0x0020, /* Only include for libreswan >= 4. */
+ 	PARAM_IGNORE	= 0x0040, /* Not passed to or from Libreswan. */
++	PARAM_SECRET	= 0x0080, /* For secrets */
+ };
+ 
+ struct LibreswanParam {
+@@ -347,7 +348,9 @@ static const struct LibreswanParam params[] = {
+ 	{ NM_LIBRESWAN_KEY_PFSGROUP,                   add,                   PARAM_IGNORE },
+ 	{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES,            add,                   PARAM_IGNORE },
+ 	{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, add,                   PARAM_IGNORE },
++	{ NM_LIBRESWAN_KEY_PSK_VALUE,                  add,                   PARAM_IGNORE | PARAM_SECRET},
+ 	{ NM_LIBRESWAN_KEY_PSK_VALUE "-flags",         add,                   PARAM_IGNORE },
++	{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD,             add,                   PARAM_IGNORE | PARAM_SECRET},
+ 	{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD "-flags",    add,                   PARAM_IGNORE },
+ 	{ NM_LIBRESWAN_KEY_NM_AUTO_DEFAULTS,           add,                   PARAM_IGNORE },
+ 
+@@ -407,22 +410,35 @@ sanitize_setting_vpn (NMSettingVpn *s_vpn,
+ 		TRUE);
+ 
+ 	for (i = 0; params[i].name != NULL; i++) {
+-		val = nm_setting_vpn_get_data_item (s_vpn, params[i].name);
+-		if (val != NULL) {
+-			handled_items++;
+-		} else if (params[i].flags & PARAM_REQUIRED) {
+-			g_set_error (error,
+-			             NM_UTILS_ERROR,
+-			             NM_UTILS_ERROR_INVALID_ARGUMENT,
+-			             _("'%s' key needs to be present"),
+-			             params[i].name);
+-			return NULL;
+-		}
+-
+-		if (auto_defaults) {
+-			params[i].add_sanitized (sanitized, params[i].name, val);
++		if (params[i].flags & PARAM_SECRET)  {
++			val = nm_setting_vpn_get_secret(s_vpn, params[i].name);
++			if (val != NULL) {
++				nm_setting_vpn_add_secret(sanitized,
++							  params[i].name,
++							  val);
++			}
+ 		} else {
+-			nm_setting_vpn_add_data_item (sanitized, params[i].name, val);
++			val = nm_setting_vpn_get_data_item (s_vpn,
++							    params[i].name);
++			if (val != NULL) {
++				handled_items++;
++			} else if (params[i].flags & PARAM_REQUIRED) {
++				g_set_error (error,
++					     NM_UTILS_ERROR,
++					     NM_UTILS_ERROR_INVALID_ARGUMENT,
++					     _("'%s' key needs to be present"),
++					     params[i].name);
++				return NULL;
++			}
++
++			if (auto_defaults) {
++				params[i].add_sanitized (sanitized,
++							 params[i].name, val);
++			} else {
++				nm_setting_vpn_add_data_item (sanitized,
++							      params[i].name,
++							      val);
++			}
+ 		}
+ 
+ 		val = nm_setting_vpn_get_data_item (sanitized, params[i].name);
+-- 
+2.51.0
+

0003-import-export-nm-auto-defaults-no.patch

@@ -0,0 +1,228 @@
+From a304902564b3f27080da30c0e5c9adfe6f1071c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@riseup.net>
+Date: Thu, 16 Oct 2025 12:45:41 +0200
+Subject: [PATCH] import/export: add special comment for nm-auto-defaults
+ detection
+
+In commit 3ea80883fef we added the nm-auto-defaults property to allow
+interpreting configurations just like Libreswan, without assumptions
+like setting leftmodecfgclient=yes by default, which is different to
+what Libreswan would do.
+
+This means that with nm-auto-defaults=no the behaviour is slightly
+different. When we export a connection with nm-auto-defaults=no, we
+cannot reflect it in the exported file, as it is not a valid option in
+Libreswan. If we import back the same file, it will be imported as
+nm-auto-defaults=yes (by default), thus it will have different
+behaviour. This is wrong, export & import should be symetric.
+
+Make the "write" function to emit a `# nm-auto-defaults=no` comment in
+the exported file. When importing, make the "parse" function to
+interpret this special comment as `nm-auto-defaults=no`. This will
+ensure that we can export & import symetrically.
+
+The comment can also be added manually to any file that users want to
+import.
+
+Note: increase the minimum GLib version to 2.44 to use g_autoptr. It was
+released more than 10 years ago, so we're quite safe.
+---
+ configure.ac        |  6 ++---
+ shared/test-utils.c | 57 ++++++++++++++++++++++++++++++++++++++++++---
+ shared/utils.c      | 25 ++++++++++++++++++--
+ 3 files changed, 80 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9b9677a..f87ffdf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -116,9 +116,9 @@ AC_DEFINE_UNQUOTED(GETTEXT_PACKAGE,"$GETTEXT_PACKAGE", [Gettext package])
+ IT_PROG_INTLTOOL([0.35])
+ AM_GLIB_GNU_GETTEXT
+ 
+-PKG_CHECK_MODULES(GLIB, gio-unix-2.0 >= 2.36)
+-GLIB_CFLAGS="$GLIB_CFLAGS -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_36"
+-GLIB_CFLAGS="$GLIB_CFLAGS -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_36"
++PKG_CHECK_MODULES(GLIB, gio-unix-2.0 >= 2.44)
++GLIB_CFLAGS="$GLIB_CFLAGS -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_44"
++GLIB_CFLAGS="$GLIB_CFLAGS -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_44"
+ 
+ PKG_CHECK_MODULES(LIBNL, libnl-3.0 >= 3.2.8)
+ 
+diff --git a/shared/test-utils.c b/shared/test-utils.c
+index 8bf5888..c523c9c 100644
+--- a/shared/test-utils.c
++++ b/shared/test-utils.c
+@@ -183,7 +183,7 @@ test_config_write (void)
+ 	nm_setting_vpn_add_data_item (s_vpn, "leftrsasigkey", "hello");
+ 	nm_setting_vpn_add_data_item (s_vpn, "rightrsasigkey", "world");
+ 	nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14");
+-	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false");
++	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "no");
+ 	nm_setting_vpn_add_data_item (s_vpn, "leftsendcert", "always");
+ 	nm_setting_vpn_add_data_item (s_vpn, "rightca", "%same");
+ 	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+@@ -191,6 +191,9 @@ test_config_write (void)
+ 	str = nm_libreswan_get_ipsec_conf (4, s_vpn_sanitized, "conn", NULL, FALSE, TRUE, &error);
+ 	g_assert_no_error (error);
+ 	g_assert_cmpstr (str, ==,
++                         "# NetworkManager specific configs, don't remove:\n"
++                         "# nm-auto-defaults=no\n"
++                         "\n"
+                          "conn conn\n"
+                          " ikev2=insist\n"
+                          " right=11.12.13.14\n"
+@@ -294,7 +297,7 @@ test_config_write (void)
+ 	g_object_unref (s_vpn);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+-	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false");
++	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "no");
+ 	nm_setting_vpn_add_data_item (s_vpn, "rightcert", "\"cert\"");
+ 	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+ 	g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+@@ -303,7 +306,7 @@ test_config_write (void)
+ 	g_object_unref (s_vpn);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+-	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false");
++	nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "no");
+ 	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, &error);
+ 	g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ 	g_assert_null (s_vpn_sanitized);
+@@ -612,6 +615,54 @@ test_config_read (void)
+ 	g_object_unref (s_vpn);
+ 	g_clear_pointer (&con_name, g_free);
+ 
++	/* With the '# nm-auto-defaults=no' special comment */
++	s_vpn = nm_libreswan_parse_ipsec_conf (
++		"# nm-auto-defaults=no\n"
++		"conn conn\n"
++		" ikev2=insist\n"
++		" right=11.12.13.14\n"
++		" rightrsasigkey=\"world\"\n"
++		" leftrsasigkey=\"hello\"\n"
++		" leftsendcert=always\n"
++		" rightca=\"%same\"\n",
++		&con_name,
++		&error);
++	g_assert_no_error (error);
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "ikev2"), ==, "insist");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "leftrsasigkey"), == , "hello");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "rightrsasigkey"), == , "world");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "right"), == , "11.12.13.14");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "nm-auto-defaults"), == , "no");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "leftsendcert"), == , "always");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "rightca"), == , "%same");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "rightca"), == , "%same");
++	g_object_unref (s_vpn);
++	g_clear_pointer (&con_name, g_free);
++
++	/* With the '# nm-auto-defaults=no' special comment, different spacing */
++	s_vpn = nm_libreswan_parse_ipsec_conf (
++		"#nm-auto-defaults  	= 	 no  	 \n"
++		"conn conn\n"
++		" ikev2=insist\n"
++		" right=11.12.13.14\n"
++		" rightrsasigkey=\"world\"\n"
++		" leftrsasigkey=\"hello\"\n"
++		" leftsendcert=always\n"
++		" rightca=\"%same\"\n",
++		&con_name,
++		&error);
++	g_assert_no_error (error);
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "ikev2"), ==, "insist");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "leftrsasigkey"), == , "hello");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "rightrsasigkey"), == , "world");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "right"), == , "11.12.13.14");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "nm-auto-defaults"), == , "no");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "leftsendcert"), == , "always");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "rightca"), == , "%same");
++	g_assert_cmpstr (nm_setting_vpn_get_data_item (s_vpn, "rightca"), == , "%same");
++	g_object_unref (s_vpn);
++	g_clear_pointer (&con_name, g_free);
++
+ 	s_vpn = nm_libreswan_parse_ipsec_conf (
+ 		"conn my_con\n",
+ 		&con_name,
+diff --git a/shared/utils.c b/shared/utils.c
+index 9cb36be..c188e5b 100644
+--- a/shared/utils.c
++++ b/shared/utils.c
+@@ -482,6 +482,7 @@ nm_libreswan_get_ipsec_conf (int ipsec_version,
+                              GError **error)
+ {
+ 	nm_auto_free_gstring GString *ipsec_conf = NULL;
++	gboolean auto_defaults;
+ 	const char *val;
+ 	int i;
+ 
+@@ -493,6 +494,16 @@ nm_libreswan_get_ipsec_conf (int ipsec_version,
+ 		return NULL;
+ 
+ 	ipsec_conf = g_string_sized_new (1024);
++
++	auto_defaults = _nm_utils_ascii_str_to_bool (
++		nm_setting_vpn_get_data_item (s_vpn_sanitized, NM_LIBRESWAN_KEY_NM_AUTO_DEFAULTS),
++		TRUE);
++	if (!auto_defaults) {
++		g_string_append(ipsec_conf, "# NetworkManager specific configs, don't remove:\n");
++		g_string_append(ipsec_conf, "# nm-auto-defaults=no\n");
++		g_string_append(ipsec_conf, "\n");
++	}
++
+ 	g_string_append_printf (ipsec_conf, "conn %s\n", con_name);
+ 
+ 	for (i = 0; params[i].name != NULL; i++) {
+@@ -573,6 +584,8 @@ static const char line_match[] =
+ 	")?"					/* (or just blank line) */
+ 	"\\s*(?:#.*)?$";			/* optional comment */
+ 
++static const char no_auto_match[] = "#\\s*nm-auto-defaults\\s*=\\s*no";
++
+ NMSettingVpn *
+ nm_libreswan_parse_ipsec_conf (const char *ipsec_conf,
+                                char **out_con_name,
+@@ -584,7 +597,8 @@ nm_libreswan_parse_ipsec_conf (const char *ipsec_conf,
+ 	gs_free char *con_name = NULL;
+ 	GMatchInfo *match_info = NULL;
+ 	GError *parse_error = NULL;
+-	GRegex *line_regex;
++	g_autoptr(GRegex) line_regex = NULL;
++	g_autoptr(GRegex) no_auto_regex = NULL;
+ 	const char *old, *new;
+ 	const char *rekey;
+ 	char *key, *val;
+@@ -596,6 +610,8 @@ nm_libreswan_parse_ipsec_conf (const char *ipsec_conf,
+ 
+ 	line_regex = g_regex_new (line_match, G_REGEX_RAW, 0, NULL);
+ 	g_return_val_if_fail (line_regex, NULL);
++	no_auto_regex = g_regex_new (no_auto_match, G_REGEX_RAW, 0, NULL);
++	g_return_val_if_fail (no_auto_regex, NULL);
+ 
+ 	s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ 
+@@ -611,6 +627,11 @@ nm_libreswan_parse_ipsec_conf (const char *ipsec_conf,
+ 			break;
+ 		}
+ 
++		if (g_regex_match(no_auto_regex, lines[i], 0, NULL)) {
++			nm_setting_vpn_add_data_item(s_vpn, NM_LIBRESWAN_KEY_NM_AUTO_DEFAULTS, "no");
++			continue;
++		}
++
+ 		key = g_match_info_fetch (match_info, 1); /* Key */
+ 		val = g_match_info_fetch (match_info, 2); /* Unquoted value */
+ 		/* Without fix from
+@@ -666,7 +687,7 @@ nm_libreswan_parse_ipsec_conf (const char *ipsec_conf,
+ 		if (parse_error)
+ 			break;
+ 	}
+-	g_regex_unref (line_regex);
++
+ 	if (parse_error) {
+ 		g_propagate_error (error, parse_error);
+ 		return NULL;
+-- 
+2.51.0
+

0004-sanitize-before-exporting-RHEL-only.patch

@@ -0,0 +1,54 @@
+From 15946667c771ba88d38f82cc467fd52d268e44bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@riseup.net>
+Date: Tue, 21 Oct 2025 08:37:35 +0200
+Subject: [PATCH] export: sanitize before exporting (RHEL only)
+
+The commit referenced below moved the responsibility of sanitizing the
+connection from nm_libreswan_get_ipsec_conf to its caller, but it forgot
+to sanitize in export_to_file(). Fix it.
+
+This is a RHEL-only patch, as this is fixed by a later commit that we
+didn't want to backport yet. When we rebase, this patch can be dropped.
+
+Fixes: 50d0fc5a265b ('Fix PSK authentication when leftid starts with `@`')
+---
+ properties/nm-libreswan-editor-plugin.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
+index 2b455ba..7a75e09 100644
+--- a/properties/nm-libreswan-editor-plugin.c
++++ b/properties/nm-libreswan-editor-plugin.c
+@@ -91,6 +91,7 @@ export_to_file (NMVpnEditorPlugin *self,
+                 GError **error)
+ {
+ 	NMSettingVpn *s_vpn;
++	gs_unref_object NMSettingVpn *s_vpn_sanitized = NULL;
+ 	gboolean openswan = FALSE;
+ 	gs_free_error GError *local = NULL;
+ 	gs_free char *ipsec_conf = NULL;
+@@ -98,8 +99,19 @@ export_to_file (NMVpnEditorPlugin *self,
+ 	int version;
+ 
+ 	s_vpn = nm_connection_get_setting_vpn (connection);
+-	if (s_vpn)
+-		openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
++	if (!s_vpn) {
++		g_set_error_literal (error,
++		                     NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
++		                     _("Empty VPN setting."));
++		return FALSE;
++	}
++
++	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, error);
++	if (!s_vpn_sanitized)
++		return FALSE;
++
++	s_vpn = s_vpn_sanitized;
++	openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
+ 
+ 	nm_libreswan_detect_version (nm_libreswan_find_helper_bin ("ipsec", NULL),
+ 	                             &is_openswan, &version, NULL);
+-- 
+2.51.0
+

0005-service-don-t-crash-with-malformed-connections.patch

@@ -0,0 +1,61 @@
+From 397096f85c155d18834e8f7b90b1ea439344cd32 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@riseup.net>
+Date: Thu, 23 Oct 2025 11:54:46 +0200
+Subject: [PATCH] service: don't crash with malformed connections
+
+If a connection is malformed, i.e. by having incorrect values, a crash
+(or something worse) could happen in _connect_common because we were
+assuming that the value returned from sanitize_setting_vpn() must be
+non-NULL. If the connection is malformed, it will be NULL.
+
+Fix it by gracefully handling this scenario.
+
+This is a RHEL-only patch, as this is fixed by a later commit that we
+didn't want to backport yet. When we rebase, this patch can be dropped.
+
+Fixes: 50d0fc5a265b ('Fix PSK authentication when leftid starts with `@`')
+---
+ src/nm-libreswan-service.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
+index 58ada03..a093547 100644
+--- a/src/nm-libreswan-service.c
++++ b/src/nm-libreswan-service.c
+@@ -1756,7 +1756,8 @@ _connect_common (NMVpnServicePlugin   *plugin,
+ {
+ 	NMLibreswanPlugin *self = NM_LIBRESWAN_PLUGIN (plugin);
+ 	NMLibreswanPluginPrivate *priv = NM_LIBRESWAN_PLUGIN_GET_PRIVATE (self);
+-	gs_unref_object NMSettingVpn *s_vpn = NULL;
++	NMSettingVpn *s_vpn;
++	gs_unref_object NMSettingVpn *s_vpn_sanitized = NULL;
+ 	const char *con_name = nm_connection_get_uuid (connection);
+ 	gs_free char *ipsec_banner = NULL;
+ 	gs_free char *ifupdown_script = NULL;
+@@ -1794,9 +1795,20 @@ _connect_common (NMVpnServicePlugin   *plugin,
+ 			return FALSE;
+ 	}
+ 
+-	s_vpn = sanitize_setting_vpn(nm_connection_get_setting_vpn (connection),
+-				     error);
+-	g_assert (s_vpn);
++	s_vpn = nm_connection_get_setting_vpn(connection);
++	if (!s_vpn) {
++		g_set_error_literal(error,
++		                    NM_VPN_PLUGIN_ERROR,
++		                    NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
++		                    _("Empty VPN setting."));
++		return FALSE;
++	}
++
++	s_vpn_sanitized = sanitize_setting_vpn(s_vpn, error);
++	if (!s_vpn_sanitized)
++		return FALSE;
++
++	s_vpn = s_vpn_sanitized;
+ 
+ 	g_object_get (self, NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, &bus_name, NULL);
+ 
+-- 
+2.51.0
+

NetworkManager-libreswan.spec

@@ -1,26 +1,33 @@
 %if 0%{?fedora} < 28 && 0%{?rhel} < 8
 %bcond_without libnm_glib
 %else
-# Disable the legacy version by default
 %bcond_with libnm_glib
 %endif
+%if 0%{?fedora} < 36 && 0%{?rhel} < 10
+%bcond_with gtk4
+%else
+%bcond_without gtk4
+%endif
 
-%global nm_version        1:1.2.0
-%global nma_version       1.2.0
+%global nm_version       1:1.2.0
+%global nma_version      1.2.0
 
 Summary:   NetworkManager VPN plug-in for IPsec VPN
 Name:      NetworkManager-libreswan
-Version:   1.2.10
-Release:   7%{?dist}
-License:   GPLv2+
-URL:       http://www.gnome.org/projects/NetworkManager/
-Group:     System Environment/Base
+Version:   1.2.27
+Release:   2%{?dist}
+License:   GPL-2.0-or-later
+URL:       https://gitlab.gnome.org/GNOME/NetworkManager-libreswan
 Source0:   https://download.gnome.org/sources/NetworkManager-libreswan/1.2/%{name}-%{version}.tar.xz
-Patch0:    0001-po-import-translations-from-Red-Hat-translators.patch
-Patch1:    0002-properties-set-advanced-dialog-modal.patch
-Patch2:    0003-service-fix-wrong-refcounting-in-D-Bus-handler-for-C.patch
-Patch3:    0004-ipsec-conf-escaping-cve-2024-9050.patch
 
+Patch0:    0001-Export-esp-option.patch
+Patch1:    0002-fix-psk-auth-when-leftid-starts-with-at.patch
+Patch2:    0003-import-export-nm-auto-defaults-no.patch
+Patch3:    0004-sanitize-before-exporting-RHEL-only.patch
+Patch4:    0005-service-don-t-crash-with-malformed-connections.patch
+
+BuildRequires: make
+BuildRequires: gcc
 BuildRequires: gtk3-devel
 BuildRequires: libnl3-devel
 BuildRequires: NetworkManager-libnm-devel >= %{nm_version}
@@ -34,8 +41,12 @@ BuildRequires: NetworkManager-glib-devel >= %{nm_version}
 BuildRequires: libnm-gtk-devel >= %{nma_version}
 %endif
 
+%if %with gtk4
+BuildRequires: libnma-gtk4-devel
+%endif
+
 Requires: NetworkManager >= %{nm_version}
-Requires: dbus
+Requires: dbus-common
 Requires: /usr/sbin/ipsec
 
 Provides: NetworkManager-openswan = %{version}-%{release}
@@ -45,13 +56,14 @@ Obsoletes: NetworkManager-openswan < %{version}-%{release}
 %global __provides_exclude ^(%{_privatelibs})$
 %global __requires_exclude ^(%{_privatelibs})$
 
+
 %description
 This package contains software for integrating the libreswan VPN software
 with NetworkManager and the GNOME desktop
 
+
 %package -n NetworkManager-libreswan-gnome
 Summary: NetworkManager VPN plugin for libreswan - GNOME files
-Group:   System Environment/Base
 
 Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires: shared-mime-info
@@ -63,87 +75,168 @@ Obsoletes: NetworkManager-openswan-gnome < %{version}-%{release}
 This package contains software for integrating VPN capabilities with
 the libreswan server with NetworkManager (GNOME files).
 
+
 %prep
-%autosetup -p1 -n %{name}-%{version}
+%autosetup -p1
+
 
 %build
 %configure \
         --disable-static \
+%if %with gtk4
+        --with-gtk4 \
+%endif
 %if %without libnm_glib
         --without-libnm-glib \
 %endif
         --enable-more-warnings=yes \
         --with-dist-version=%{version}-%{release}
-make %{?_smp_mflags}
+%make_build
+
+
 
 %install
-make install DESTDIR=%{buildroot}
+%make_install
 rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
+mv %{buildroot}%{_sysconfdir}/dbus-1 %{buildroot}%{_datadir}/
 
 %find_lang %{name}
 
-%post
-update-desktop-database &> /dev/null || :
-
-%postun
-update-desktop-database &> /dev/null || :
-
 %files -f %{name}.lang
 %{_libdir}/NetworkManager/libnm-vpn-plugin-libreswan.so
-%{_sysconfdir}/dbus-1/system.d/nm-libreswan-service.conf
+%{_datadir}/dbus-1/system.d/nm-libreswan-service.conf
 %{_prefix}/lib/NetworkManager/VPN/nm-libreswan-service.name
 %{_libexecdir}/nm-libreswan-service
 %{_libexecdir}/nm-libreswan-service-helper
 %{_mandir}/man5/nm-settings-libreswan.5.gz
-%doc AUTHORS ChangeLog NEWS
+%doc AUTHORS NEWS
 %license COPYING
 
+
 %files -n NetworkManager-libreswan-gnome
 %{_libexecdir}/nm-libreswan-auth-dialog
 %{_libdir}/NetworkManager/libnm-vpn-plugin-libreswan-editor.so
-%dir %{_datadir}/gnome-vpn-properties/libreswan
-%{_datadir}/gnome-vpn-properties/libreswan/nm-libreswan-dialog.ui
-%{_datadir}/appdata/network-manager-libreswan.metainfo.xml
+%{_metainfodir}/network-manager-libreswan.metainfo.xml
 
 %if %with libnm_glib
 %{_libdir}/NetworkManager/libnm-*-properties.so
 %{_sysconfdir}/NetworkManager/VPN/nm-libreswan-service.name
 %endif
 
-%changelog
-* Thu Oct 03 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-7
-- Unbreak validation of unknown keys
+%if %with gtk4
+%{_libdir}/NetworkManager/libnm-gtk4-vpn-plugin-libreswan-editor.so
+%endif
 
-* Wed Sep 25 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-6
+
+%changelog
+* Thu Oct 23 2025 Vladimír Beneš <vbenes@redhat.com 1.2.27-2
+- Fix potentional crash in malformed imports
+
+* Wed Oct 22 2025 Vladimír Beneš <vbenes@redhat.com 1.2.27-1
+- Update to 1.2.27 version
+- Support leftsendcert in X.509-Based VPN (RHEL-110774)
+- Add support for nm-auto-defaults + symetric import/export (RHEL-118845)
+- Support rightca in ipsec section
+- Esp param properly exported
+
+* Mon May 12 2025 Lubomir Rintel <lkundrak@v3.sk> - 1.2.26-2
+- Add support for nm-auto-defaults (RHEL-85768)
+
+* Tue Jan 28 2025 Lubomir Rintel <lkundrak@v3.sk> - 1.2.26-1
+- Update to 1.2.26 release
+- Add support for leftsubnets/rightsubnets (RHEL-56553)
+
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.2.24-2
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Tue Oct 22 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.24-1
+- Update to 1.2.24 release
 - Fix improper escaping of Libreswan configuration (CVE-2024-9050)
 
-* Mon Feb  5 2024 Wen Liang <wenliang@redhat.com> - 1.2.10-5
-- Fix crash in libreswan_add_profile_wrong_password (RHEL-13123)
+* Thu Sep 12 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.22-3
+- Support require-id-on-certificate (RHEL-58812)
 
-* Tue Jul  9 2019 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-4
-- Fix Gnome IPsec advanced options dialog (rh #1697329)
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.2.22-2
+- Bump release for June 2024 mass rebuild
 
-* Mon Dec 10 2018 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-3
-- Update the translations (rh #1608329)
+* Wed May 22 2024 Beniamino Galvani <bgalvani@redhat.com> - 1.2.22-1
+- Add IPv6 support (RHEL-21875)
 
-* Thu Oct 16 2018 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-2
-- Import the translations (rh #1608329)
+* Fri Apr 19 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.20-2
+- Added gating.yaml
 
-* Mon Oct 15 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-1
-- Update to 1.2.10 release (rh #1637867)
-- Fix import functionality (rh #1633174)
+* Wed Apr 17 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.20-1
+- Update to 1.2.20 release
 
-* Wed Oct  3 2018 Beniamino Galvani <bgalvani@redhat.com> - 1.2.8-2
-- Rebuild with updated annobin (rh #1630605)
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.18-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Mon Sep 17 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.8-1
-- Update to 1.2.8 release
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Mon Aug 13 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.8-0.1
-- Update to latest development snapshot of NetworkManager-libreswan 1.2.8
-- Introduced IKEv2 support (rh #1557035)
-- Introduced support to more Libreswan properties (rh #1557035)
-- Updated translations
+* Fri Dec 15 2023 Beniamino Galvani <bgalvani@redhat.com> - 1.2.18-1
+- Update to 1.2.18 release
+
+* Fri Sep 08 2023 Till Maas <opensource@till.name> - 1.2.16-5
+- Migrate to spdx license
+- Cleanup whitespace
+- Use make macros
+- Fix changelog
+- Update URL
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.16-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.16-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.16-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Fri Mar 11 2022 Lubomir Rintel <lkundrak@v3.sk> - 1.2.16-1
+- Update to 1.2.16 release
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.14-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Feb 15 2021 Lubomir Rintel <lkundrak@v3.sk> - 1.2.14-2
+- Move dbus service file into /usr/share/dbus-1
+
+* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.14-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jan 12 2021 Beniamino Galvani <bgalvani@redhat.com> - 1.2.14-1
+- Update to 1.2.14 release
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.12-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.12-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jul 31 2019 Francesco Giudici <fgiudici@redhat.com> - 1.2.12-1
+- Updated to 1.2.12
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.10-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.10-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Oct 18 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-1
+- Updated to 1.2.10
+- Import latest translations from upstream
+
+* Wed Aug 22 2018 Paul Wouters <pwouters@redhat.com> - 1.2.6-1
+- Updated to 1.2.6
+- Upstream patches for IKEv2 support
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

SOURCES/0002-properties-set-advanced-dialog-modal.patch

@@ -1,26 +0,0 @@
-From eaf501ab7cb732a152097d2af5636b03fd3f029d Mon Sep 17 00:00:00 2001
-From: Francesco Giudici <fgiudici@redhat.com>
-Date: Mon, 15 Apr 2019 14:51:26 +0200
-Subject: [PATCH] properties: set advanced dialog modal
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1697329
----
- properties/nm-libreswan-dialog.ui | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
-index 73522d4..e355c08 100644
---- a/properties/nm-libreswan-dialog.ui
-+++ b/properties/nm-libreswan-dialog.ui
-@@ -451,6 +451,8 @@
-     <property name="can_focus">False</property>
-     <property name="border_width">12</property>
-     <property name="title" translatable="yes">IPsec Advanced Options</property>
-+    <property name="modal">True</property>
-+    <property name="destroy_with_parent">True</property>
-     <property name="type_hint">dialog</property>
-     <child internal-child="vbox">
-       <object class="GtkBox" id="dialog-vbox1">
--- 
-2.20.1
-

SOURCES/0003-service-fix-wrong-refcounting-in-D-Bus-handler-for-C.patch

@@ -1,68 +0,0 @@
-From 4be4c56b4f8a52b1cd5f8aadee273706c28ae332 Mon Sep 17 00:00:00 2001
-From: Beniamino Galvani <bgalvani@redhat.com>
-Date: Sat, 13 Jan 2024 18:10:02 +0100
-Subject: [PATCH 1/1] service: fix wrong refcounting in D-Bus handler for
- Callback()
-
-The Callback() D-Bus method is handled via a GDBus-generated skeleton
-code in nm-libreswan-helper-service-dbus.c, function
-_nmdbus_libreswan_helper_skeleton_handle_method_call(). The function
-emits signal "handle-callback" to let the program handle the incoming
-method. As documented in the GDoc comments, the signal handler must
-return TRUE if it handles the call.
-
-```
-  /**
-   * NMDBusLibreswanHelper::handle-callback:
-   * @object: A #NMDBusLibreswanHelper.
-   * @invocation: A #GDBusMethodInvocation.
-   * @arg_environment: Argument passed by remote caller.
-
-   * Signal emitted when a remote caller is invoking the Callback()
-     D-Bus method.
-
-   * If a signal handler returns %TRUE, it means the signal handler
-     will handle the invocation (e.g. take a reference to @invocation
-     and eventually call nmdbus_libreswan_helper_complete_callback()
-     or e.g. g_dbus_method_invocation_return_error() on it) and no
-     other signal handlers will run. If no signal handler handles the
-     invocation, the %G_DBUS_ERROR_UNKNOWN_METHOD error is returned.
-
-   * Returns: %G_DBUS_METHOD_INVOCATION_HANDLED or %TRUE if the
-     invocation was handled, %G_DBUS_METHOD_INVOCATION_UNHANDLED or
-     %FALSE to let other signal handlers run.
-   */
-```
-
-At the moment, in case of error the handler first calls
-nmdbus_libreswan_helper_complete_callback() which decreases the
-refcount of "invocation", and then returns FALSE which tells the
-skeleton code to return an error, also unreferencing the
-invocation. This causes a crash.
-
-Since the G_DBUS_METHOD_INVOCATION_HANDLED alias for TRUE is only
-available since GLib 2.68 (while we target 2.36), just return TRUE.
-
-Fixes: acb9eb9de50b ('service: process the configuration in the service, not the helper')
-(cherry picked from commit 8ceb901719acac3778e1d76779d9c14289185157)
----
- src/nm-libreswan-service.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
-index fc470a6..4850729 100644
---- a/src/nm-libreswan-service.c
-+++ b/src/nm-libreswan-service.c
-@@ -1379,7 +1379,8 @@ out:
- 	}
- 
- 	nmdbus_libreswan_helper_complete_callback (object, invocation);
--	return success;
-+
-+	return TRUE;
- }
- 
- /****************************************************************/
--- 
-2.43.0
-

sources

@@ -0,0 +1 @@
+SHA512 (NetworkManager-libreswan-1.2.27.tar.xz) = e2a8be105bd839a7aba72ef265609b7ddea5fae0f30deac08c2ea205c5455974012ee5d93e5f3fc9575c9ee33d42f5f3f52d1ed4f28a38c9685c71272035f129