From ff39f51bd2b8c4d26bed4d10b8c0d68c8916998b Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Wed, 20 Nov 2024 13:22:26 +0000
Subject: [PATCH] import RHEL 10 Beta libreswan-4.15-5.el10

---
 .gitignore                                    |   8 +-
 .libreswan.metadata                           |   4 -
 LIBRESWAN-OpenPGP-KEY.txt                     |  51 +++
 ...eswan-3.32-1861360-nodefault-rsa-pss.patch |  31 --
 ...eswan-4.1-maintain-obsolete-keywords.patch | 136 ------
 ...an-4.12-ikev1-compute-keymat-default.patch |  92 ----
 ...breswan-4.12-ikev2-auth-delete-state.patch |  54 ---
 SOURCES/libreswan-4.3-1934186-config.patch    |  11 -
 ...an-4.3-maintain-different-v1v2-split.patch |  85 ----
 .../libreswan-4.9-2176248-authby-rsasig.patch |  52 ---
 libreswan-4.15-ipsec_import.patch             |  20 +
 libreswan-4.15-netlink-extack.patch           | 153 +++++++
 libreswan-4.15-ondemand-tcp.patch             |  52 +++
 libreswan-4.15.tar.gz.asc                     |  17 +
 ...an-4.6-ikev1-policy-defaults-to-drop.patch |  63 +++
 SPECS/libreswan.spec => libreswan.spec        | 422 ++++++++++--------
 sources                                       |   4 +
 17 files changed, 605 insertions(+), 650 deletions(-)
 delete mode 100644 .libreswan.metadata
 create mode 100644 LIBRESWAN-OpenPGP-KEY.txt
 delete mode 100644 SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch
 delete mode 100644 SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
 delete mode 100644 SOURCES/libreswan-4.12-ikev1-compute-keymat-default.patch
 delete mode 100644 SOURCES/libreswan-4.12-ikev2-auth-delete-state.patch
 delete mode 100644 SOURCES/libreswan-4.3-1934186-config.patch
 delete mode 100644 SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch
 delete mode 100644 SOURCES/libreswan-4.9-2176248-authby-rsasig.patch
 create mode 100644 libreswan-4.15-ipsec_import.patch
 create mode 100644 libreswan-4.15-netlink-extack.patch
 create mode 100644 libreswan-4.15-ondemand-tcp.patch
 create mode 100644 libreswan-4.15.tar.gz.asc
 create mode 100644 libreswan-4.6-ikev1-policy-defaults-to-drop.patch
 rename SPECS/libreswan.spec => libreswan.spec (51%)
 create mode 100644 sources

diff --git a/.gitignore b/.gitignore
index 13bd332..fd00a72 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-SOURCES/ikev1_dsa.fax.bz2
-SOURCES/ikev1_psk.fax.bz2
-SOURCES/ikev2.fax.bz2
-SOURCES/libreswan-4.12.tar.gz
+ikev1_dsa.fax.bz2
+ikev1_psk.fax.bz2
+ikev2.fax.bz2
+libreswan-4.15.tar.gz
diff --git a/.libreswan.metadata b/.libreswan.metadata
deleted file mode 100644
index 0dc2bf4..0000000
--- a/.libreswan.metadata
+++ /dev/null
@@ -1,4 +0,0 @@
-b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
-861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
-fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
-786c14a4755311ea3103683a3294e1536b1e44a6 SOURCES/libreswan-4.12.tar.gz
diff --git a/LIBRESWAN-OpenPGP-KEY.txt b/LIBRESWAN-OpenPGP-KEY.txt
new file mode 100644
index 0000000..6862700
--- /dev/null
+++ b/LIBRESWAN-OpenPGP-KEY.txt
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFDjilcBEAChkfasfBKTzGys9DwgBsmDVsPConW60uyKnu16+wO1kIKMFWi6
+wGllwKUJmCBY2FSQHbOBy5eHPPT1ijJhYt4j7WU+YJVh5Ca5RE3trFt31FX0vzp+
+KMqdQ8HOofA7jO6bgyHUwOJ539YkqYj1jHKfrdRqOnzB9fFyEb7485sq1F8j/rHk
+cSar1Hd9QfGAZHxXqgncgHFobB/xXEGRJIi+4kNL5SYasbw9tfYUGPrUXVol1+pn
+tsG92736O5Qe5K+wH2nAS4hwPJ1Xr4XIKeNNwxQW25wWqn4mLa4Vly+PA2uSE7ZP
+RcxE3yBCaLFMlw4rLhFAzd6TeslQONZ+9K51yfBYm7m0vWM3Ixq8yuD8E49OkKr8
+QRMaA2g89NW3AuNLExiTE0zQzAs/g6eX8WZdeWCvKxhRTAUYkw0QTimFgv6LXIeS
+//5DOAAO9WwzlseTGmUgek3BbnnJJiGHVLBgnLaqWLOZ1Y8ON1uC8lQnbIeYbTQq
+EE5R0cbVLVXBJoKakBF8gwHF51HC2pSBYmHNZsSbjMuHpJWJM4fVldNWPNaqriKC
+OkL8QgvNoapgk20k1ajLl/ibv32k7QBKy3cTMtbQYPdreXcoZuMw38ysQcgFxPCs
+Zh92aaWW0ceWowkJ7CFnes2jdPcMSOYE37wodmV3/VV7cusmTD8wikyUdQARAQAB
+tCxMaWJyZXN3YW4gKFNpZ25pbmcgS2V5KSA8dGVhbUBsaWJyZXN3YW4ub3JnPokC
+TgQTAQoAOBYhBJB+eQ8lwejlYc1ztYX/S0OzD8b5BQJi4cg4AhsDBQsJCAcDBRUK
+CQgLBRYCAwEAAh4FAheAAAoJEIX/S0OzD8b5zNcP/RuDb05Xr+IpuGWtJ38yGMWG
+mZglLHrzCAOXNAr/QXt6Kz3sThJoZFIh2E4Ab5yW59iFLFpW3VuZIGVCyh7vsuVw
+MuKoJtrZtdbHSdLbE+FHpY7osQDrcuodTv5b7STfG2Wje18iG/dCATVIDDgbPmuJ
+FpNLcR3scuoIlgxmP3Y1AFgufLR5MiN60PKnS2Husyj0f5Gqc3USLofWKgEQ4wFa
+gT1iIjkf4zkFcVlJ5K0SE1ULn8K7umkOUvLcKg6ji+1sEwEM1kCNmxI8HkiNt296
+9Z/TLK1h8McFGwG7x1p8fZ7Kjmzwnv1TSxAt1wHMoa0m9LntQOXnn3hVJaC74AzX
+heFtqDHmATpcGtQLR0zutrZ+ohUb6AEt+hAPfyDDYIR5y3oNdSLozJkJ1wlrhsYh
+SR1Hv4b3fdD6XgyUPggituOYm+yv1PuHrSEaoznnlX2z0MaVJyJIN0zUHlPBmWKC
+LmzQX2A7l9bHhkXYgHoSdeBHdwvcQQGWwkVmN2WUwsM/m9Abk8OdLdE13nI8824R
+0+b6XzJ2g4L+RIsVseerX2WIMHSMvkbFuLpEE4ILOrL+9Lq5bdx9MvZPtsZ/ZutY
+QVVvJ+nJtmPp0HpybnJdXzB7Za02A0r2gXIUrund32K97qe8XblCwxkZbZCeLcSL
+5+mb8O1XPGD39S6CCZbRuQINBFDjilcBEADXDN9o3icyDy+ity45CsQfo1f84xL6
+oJIgCLGGwm3RFPgOzdgxaE7TiLzW2NBui+yHyw48WRTxZ9XC6HtGKjH6XPvP5nF4
+8wss7tjzRNzmNgTp7G47HkW3lD0VYX4NqfCmxQK9gTXob1+JFmWkEXkXmZYg2dbn
+1REtHb03x370Z547rjvdpopQW6jaSw0C556DOxb9weJqLqAd2uZO4nwhuDs/VM+Q
+yy+/MlHTbnsmnYIMozDLMmHZ1PMeJlTFPMfapaux9UDTgQ5dwLj2FiQ/uEMzvfVv
+W23hxlpWVHsccwZR77PMDt4Nbj/7QlOIKpgid2r8SyBmhjET2u/USSzFYzK8J2Wj
+oLcxiuMTwrnM6b3bqiuSDUMAEoNN814Cbpz6yLB2wyKs5N7ZA/lVLNE8MV7to8OD
+ww1nS2bDDf5/JMNt5aWu/iO2bBrYE30LqHR3bSV6QP57JnzunM9Y4V1BnEKYW14A
+9+rRH1k1e5CuS5tqxpSubniF80AdUyPjF8rXOY0URD6zY0s4843Nf9TNr8ke/1ma
+qLEkUAF03AwBR8oz247ylu75q94ytpYUFJAkNeqpk8XypqKJMVcl4NfEP930JR82
+sGjNylVu/b4EsqKfmkoU8VFM1lfuaqX1u2ZDoUpG2Io/zpeV07RQ0KTHdKBejzix
+2IN0T7W4G0JXcwARAQABiQIfBBgBAgAJBQJQ44pXAhsMAAoJEIX/S0OzD8b5KR8P
+/jdWNVVw74/oCPtt79V1r0XN4I0ZBTQZgKp3JmZdcZlS2Uzx4u1VhxcevDQ7fh/Z
+5Y1xDBh+IKwF83hJKXy56+PJBlYIGjc2GTEmU1yo4E9iudPq56FFb6eelX1qBfxI
+0ZHdWgzWmrtnCF65zGTmeYMpck4ZuKdJAX2AM6kWcBikt4jT/SqrcS8t/duWRSSV
+iikwXD8aPexAz9XuezI+y3Exupt/lqUyVtCV3t0/gWRAMuwrMH/RABEPTaQdmxKz
+i0OkMDlHhweXZWg0/t32XLhhmy4f/30NhKYnntN6/pdNDb8vin5OP2MRyJDHIykA
+2HZcYvjdZS43+PbiuqDCTILMvxUDYjxHszgEheLariRvmRwE1HRjZWNTzGTjUgyv
+83XUhrIoAlgMVy2tQAatKbNVYAn5dmA0NCDKnSszas43gApSSjh2UXmq/owwpVj6
+zYHcoV0gdCuLJ1BPLstN0ZGO+g+eRpTI97+/04sgz/hImDsm7G3Diners/FDaebt
+pMRzVshh5lIgVBnCT36hdHW8buyiAgRQtjq7bX8JLN4Ermxlq4a33OYc7TGNC3jF
+Rm4XSY6RUDMd6uhRD5hKZB2N8az079603K7nc93x32CualHCJD+M7Z2/j9r3T3Tc
+y69oM+pgP48wySo+XEGHCM5OG7YNNiJ8xQ/J+CKCyLQV
+=ZaKB
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch b/SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch
deleted file mode 100644
index 631bfee..0000000
--- a/SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 1dddaa3226fe1b71b68ec9665d93864a5ec69801 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 9 Jan 2023 23:26:10 +0900
-Subject: [PATCH] libreswan-3.32-1861360-nodefault-rsa-pss.patch
-
----
- lib/libipsecconf/confread.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
-index 0444118..ec87646 100644
---- a/lib/libipsecconf/confread.c
-+++ b/lib/libipsecconf/confread.c
-@@ -1501,9 +1501,14 @@ static bool load_conn(struct starter_conn *conn,
- 				   hunk_streq(val, "rsa")) {
- 				conn->authby.rsasig = true;
- 				conn->authby.rsasig_v1_5 = true;
-+				/*
-+				 * These cause failure with RSA 1024 bits because it uses RSA-PSS
-+				 */
-+#if 0
- 				conn->sighash_policy |= POL_SIGHASH_SHA2_256;
- 				conn->sighash_policy |= POL_SIGHASH_SHA2_384;
- 				conn->sighash_policy |= POL_SIGHASH_SHA2_512;
-+#endif
- 			} else if (hunk_streq(val, "never")) {
- 				conn->authby.never = true;
- 			/* everything else is only supported for IKEv2 */
--- 
-2.39.0
-
diff --git a/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
deleted file mode 100644
index 497dd3e..0000000
--- a/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From a2cc5f8c80e8cb9be0b65f8e8544689e8b093c09 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 10 Jan 2023 00:18:48 +0900
-Subject: [PATCH] libreswan-4.1-maintain-obsolete-keywords.patch
-
----
- lib/libipsecconf/keywords.c | 28 ++++++++++++++++++++++++++++
- 1 file changed, 28 insertions(+)
-
-diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
-index fa8f0e0..03fb863 100644
---- a/lib/libipsecconf/keywords.c
-+++ b/lib/libipsecconf/keywords.c
-@@ -343,6 +343,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "ikev1-policy",  kv_config,  kt_enum,  KBF_GLOBAL_IKEv1,  kw_global_ikev1_list, NULL, },
-   { "curl-iface",  kv_config,  kt_string,  KSF_CURLIFACE, NULL, NULL, },
-   { "curl-timeout",  kv_config,  kt_time,  KBF_CURLTIMEOUT_MS, NULL, NULL, },
-+  { "curl_iface",  kv_config | kv_alias,  kt_string,  KSF_CURLIFACE, NULL, NULL, },  /* obsolete _ */
-+  { "curl_timeout",  kv_config | kv_alias,  kt_time,  KBF_CURLTIMEOUT_MS, NULL, NULL, },  /* obsolete _ */
- 
-   { "myvendorid",  kv_config,  kt_string,  KSF_MYVENDORID, NULL, NULL, },
-   { "syslog",  kv_config,  kt_string,  KSF_SYSLOG, NULL, NULL, },
-@@ -350,6 +352,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "logfile",  kv_config,  kt_filename,  KSF_LOGFILE, NULL, NULL, },
-   { "plutostderrlog",  kv_config,  kt_filename,  KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */
-   { "logtime",  kv_config,  kt_bool,  KBF_LOGTIME, NULL, NULL, },
-+  { "plutostderrlogtime",  kv_config | kv_alias,  kt_bool,  KBF_LOGTIME, NULL, NULL, },  /* obsolete */
-   { "logappend",  kv_config,  kt_bool,  KBF_LOGAPPEND, NULL, NULL, },
-   { "logip",  kv_config,  kt_bool,  KBF_LOGIP, NULL, NULL, },
-   { "audit-log",  kv_config,  kt_bool,  KBF_AUDIT_LOG, NULL, NULL, },
-@@ -369,13 +372,20 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, },
- 
-   { "crl-strict",  kv_config,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },
-+  { "crl_strict",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete _ */
-   { "crlcheckinterval",  kv_config,  kt_time,  KBF_CRL_CHECKINTERVAL_MS, NULL, NULL, },
-+  { "strictcrlpolicy",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete; used on openswan */
- 
-   { "ocsp-strict",  kv_config,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },
-+  { "ocsp_strict",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-enable",  kv_config,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },
-+  { "ocsp_enable",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-uri",  kv_config,  kt_string,  KSF_OCSP_URI, NULL, NULL, },
-+  { "ocsp_uri",  kv_config | kv_alias,  kt_string,  KSF_OCSP_URI, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-timeout",  kv_config,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },
-+  { "ocsp_timeout",  kv_config | kv_alias,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-trustname",  kv_config,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },
-+  { "ocsp_trust_name",  kv_config | kv_alias,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-cache-size",  kv_config,  kt_number,  KBF_OCSP_CACHE_SIZE, NULL, NULL, },
-   { "ocsp-cache-min-age",  kv_config,  kt_time,  KBF_OCSP_CACHE_MIN_AGE_MS, NULL, NULL, },
-   { "ocsp-cache-max-age",  kv_config,  kt_time,  KBF_OCSP_CACHE_MAX_AGE_MS, NULL, NULL, },
-@@ -399,6 +409,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "virtual_private",  kv_config,  kt_string,  KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
-   { "seedbits",  kv_config,  kt_number,  KBF_SEEDBITS, NULL, NULL, },
-   { "keep-alive",  kv_config,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },
-+  { "keep_alive",  kv_config | kv_alias,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
- 
-   { "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL },
-   { "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL },
-@@ -410,6 +421,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
- #ifdef HAVE_LABELED_IPSEC
-   { "ikev1-secctx-attr-type",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
-   { "secctx-attr-type",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },
-+  { "secctx_attr_value",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete _ */
-+  { "secctx-attr-value",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
- #endif
-   { "interfaces",  kv_config, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsoleted but often present keyword */
- 
-@@ -446,6 +459,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "username",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, },
-   /* xauthusername is still used in NetworkManager-libreswan :/ */
-   { "xauthusername",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, }, /* old alias */
-+  { "xauthname",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, }, /* old alias */
-   { "addresspool",  kv_conn | kv_leftright,  kt_range,  KSCF_ADDRESSPOOL, NULL, NULL, },
-   { "auth",  kv_conn | kv_leftright, kt_enum,  KNCF_AUTH,  kw_auth_list, NULL, },
- #ifdef HAVE_IPTABLES
-@@ -471,6 +485,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "esn",  kv_conn | kv_processed,  kt_enum,  KNCF_ESN,  kw_esn_list, NULL, },
-   { "decap-dscp",  kv_conn | kv_processed,  kt_bool,  KNCF_DECAP_DSCP,  NULL, NULL, },
-   { "nopmtudisc",  kv_conn | kv_processed,  kt_bool,  KNCF_NOPMTUDISC,  NULL, NULL, },
-+  { "ike_frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  kw_ynf_list, NULL, },  /* obsolete _ */
-+  { "ike-frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  kw_ynf_list, NULL, },  /* obsolete name */
-   { "fragmentation",  kv_conn | kv_processed,  kt_enum,  KNCF_IKE_FRAG,  kw_ynf_list, NULL, },
-   { "mobike",  kv_conn,  kt_bool,  KNCF_MOBIKE, NULL, NULL, },
-   { "narrowing",  kv_conn,  kt_bool,  KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, },
-@@ -481,13 +497,18 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "accept-redirect-to",  kv_conn,  kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, },
-   { "pfs",  kv_conn,  kt_bool,  KNCF_PFS, NULL, NULL, },
- 
-+  { "nat_keepalive",  kv_conn | kv_alias,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
-   { "nat-keepalive",  kv_conn,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },
- 
-+  { "initial_contact",  kv_conn | kv_alias,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },  /* obsolete _ */
-   { "initial-contact",  kv_conn,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },
-+  { "cisco_unity",  kv_conn | kv_alias,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },  /* obsolete _ */
-   { "cisco-unity",  kv_conn,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },
-   { "send-no-esp-tfc",  kv_conn,  kt_bool,  KNCF_NO_ESP_TFC, NULL, NULL, },
-   { "fake-strongswan",  kv_conn,  kt_bool,  KNCF_VID_STRONGSWAN, NULL, NULL, },
-+  { "send_vendorid",  kv_conn | kv_alias,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },  /* obsolete _ */
-   { "send-vendorid",  kv_conn,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },
-+  { "sha2_truncbug",  kv_conn | kv_alias,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },  /* obsolete _ */
-   { "sha2-truncbug",  kv_conn,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },
-   { "ms-dh-downgrade",  kv_conn,  kt_bool,  KNCF_MSDH_DOWNGRADE, NULL, NULL, },
-   { "require-id-on-certificate",  kv_conn,  kt_bool,  KNCF_SAN_ON_CERT, NULL, NULL, },
-@@ -505,7 +526,10 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   {"ikepad",  kv_conn,  kt_bool,  KNCF_IKEPAD, NULL, NULL, },
-   { "nat-ikev1-method",  kv_conn | kv_processed,  kt_enum,  KNCF_IKEV1_NATT,  kw_ikev1natt_list, NULL, },
- 
-+  { "labeled_ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
-+  { "labeled-ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
-   { "policy-label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
-+  { "policy_label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
-   { "sec-label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */
- 
-   /* Cisco interop: remote peer type */
-@@ -516,13 +540,17 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   /* Network Manager support */
- #ifdef HAVE_NM
-   { "nm-configured",  kv_conn,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, },
-+  { "nm_configured",  kv_conn,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
- #endif
- 
-   { "xauthby",  kv_conn,  kt_enum,  KNCF_XAUTHBY,  kw_xauthby_list, NULL, },
-   { "xauthfail",  kv_conn,  kt_enum,  KNCF_XAUTHFAIL,  kw_xauthfail_list, NULL, },
-   { "modecfgpull",  kv_conn,  kt_invertbool,  KNCF_MODECONFIGPULL, NULL, NULL, },
-   { "modecfgdns",  kv_conn,  kt_string,  KSCF_MODECFGDNS, NULL, NULL, },
-+  { "modecfgdns1",  kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
-+  { "modecfgdns2",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
-   { "modecfgdomains",  kv_conn,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, },
-+  { "modecfgdomain",  kv_conn | kv_alias,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
-   { "modecfgbanner",  kv_conn,  kt_string,  KSCF_MODECFGBANNER, NULL, NULL, },
-   { "ignore-peer-dns",  kv_conn,  kt_bool,  KNCF_IGNORE_PEER_DNS, NULL, NULL, },
-   { "mark",  kv_conn,  kt_string,  KSCF_CONN_MARK_BOTH, NULL, NULL, },
--- 
-2.39.0
-
diff --git a/SOURCES/libreswan-4.12-ikev1-compute-keymat-default.patch b/SOURCES/libreswan-4.12-ikev1-compute-keymat-default.patch
deleted file mode 100644
index 7f283f0..0000000
--- a/SOURCES/libreswan-4.12-ikev1-compute-keymat-default.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From 5101913b1e623121a9222f11eefa18f0a2708b00 Mon Sep 17 00:00:00 2001
-From: Andrew Cagney <cagney@gnu.org>
-Date: Wed, 27 Mar 2024 10:43:19 -0400
-Subject: [PATCH] ikev1: in compute_proto_keymat() only allow explicitly
- handled ESP algorithms
-
----
- programs/pluto/ikev1_quick.c | 41 ++++++++++++++----------------------
- 1 file changed, 16 insertions(+), 25 deletions(-)
-
-diff --git a/programs/pluto/ikev1_quick.c b/programs/pluto/ikev1_quick.c
-index 81c522c148..22c346afb4 100644
---- a/programs/pluto/ikev1_quick.c
-+++ b/programs/pluto/ikev1_quick.c
-@@ -203,7 +203,7 @@ static bool emit_subnet_id(enum perspective perspective,
-  * RFC 2409 "IKE" section 5.5
-  * specifies how this is to be done.
-  */
--static void compute_proto_keymat(struct state *st,
-+static bool compute_proto_keymat(struct state *st,
- 				 uint8_t protoid,
- 				 struct ipsec_proto_info *pi,
- 				 const char *satypename)
-@@ -297,27 +297,13 @@ static void compute_proto_keymat(struct state *st,
- 			}
- 			break;
- 
--		case ESP_CAST:
--		case ESP_TWOFISH:
--		case ESP_SERPENT:
--		/* ESP_SEED is for IKEv1 only and not supported. Its number in IKEv2 has been re-used */
--			bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
--
- 		default:
--			/* bytes */
--			needed_len = encrypt_max_key_bit_length(pi->attrs.transattrs.ta_encrypt) / BITS_PER_BYTE;
--			if (needed_len > 0) {
--				/* XXX: check key_len coupling with kernel.c's */
--				if (pi->attrs.transattrs.enckeylen) {
--					needed_len =
--						pi->attrs.transattrs.enckeylen
--						/ BITS_PER_BYTE;
--					dbg("compute_proto_keymat: key_len=%d from peer",
--					    (int)needed_len);
--				}
--				break;
--			}
--			bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
-+		{
-+			enum_buf eb;
-+			llog(RC_LOG, st->st_logger, "rejecting request for keymat for %s",
-+			     str_enum(&esp_transformid_names, protoid, &eb));
-+			return false;
-+		}
- 		}
- 		dbg("compute_proto_keymat: needed_len (after ESP enc)=%d", (int)needed_len);
- 		needed_len += pi->attrs.transattrs.ta_integ->integ_keymat_size;
-@@ -359,14 +345,17 @@ static void compute_proto_keymat(struct state *st,
- 		DBG_dump_hunk("  inbound:", pi->inbound.keymat);
- 		DBG_dump_hunk("  outbound:", pi->outbound.keymat);
- 	}
-+
-+	return true;
- }
- 
--static void compute_keymats(struct state *st)
-+static bool compute_keymats(struct state *st)
- {
- 	if (st->st_ah.present)
--		compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
-+		return compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
- 	if (st->st_esp.present)
--		compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
-+		return compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
-+	return false;
- }
- 
- /*
-@@ -1460,7 +1449,9 @@ static stf_status quick_inI1_outR1_continue12_tail(struct state *st, struct msg_
- 	fixup_v1_HASH(st, &hash_fixup, st->st_v1_msgid.id, rbody.cur);
- 
- 	/* Derive new keying material */
--	compute_keymats(st);
-+	if (!compute_keymats(st)) {
-+		return STF_FATAL;
-+	}
- 
- 	/* Tell the kernel to establish the new inbound SA
- 	 * (unless the commit bit is set -- which we don't support).
--- 
-2.45.0
-
diff --git a/SOURCES/libreswan-4.12-ikev2-auth-delete-state.patch b/SOURCES/libreswan-4.12-ikev2-auth-delete-state.patch
deleted file mode 100644
index c17b457..0000000
--- a/SOURCES/libreswan-4.12-ikev2-auth-delete-state.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 2ec448884a7467743699803f8a36ee28d237666c Mon Sep 17 00:00:00 2001
-From: Andrew Cagney <cagney@gnu.org>
-Date: Wed, 28 Feb 2024 08:29:53 -0500
-Subject: [PATCH] ikev2: return STF_FATAL when initiator fails to emit AUTH
- packet
-
----
- programs/pluto/ikev2_ike_auth.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
-index 192eb1b3b6..a54a109699 100644
---- a/programs/pluto/ikev2_ike_auth.c
-+++ b/programs/pluto/ikev2_ike_auth.c
-@@ -1267,7 +1267,7 @@ static stf_status process_v2_IKE_AUTH_request_auth_signature_continue(struct ike
- 	/* now send AUTH payload */
- 
- 	if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, response.pbs)) {
--		return STF_INTERNAL_ERROR;
-+		return STF_FATAL;
- 	}
- 	ike->sa.st_v2_ike_intermediate.used = false;
- 
--- 
-2.44.0
-
-From 16272f2475d25baab58fbed2af7c67cfb459137f Mon Sep 17 00:00:00 2001
-From: Andrew Cagney <cagney@gnu.org>
-Date: Thu, 29 Feb 2024 12:19:20 -0500
-Subject: [PATCH] ikev2: always return STF_FATAL if emitting AUTH fails
-
-Fix:
-  ikev2: return STF_FATAL when initiator fails to emit AUTH packet
-which really fixed the responder.
----
- programs/pluto/ikev2_ike_auth.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
-index a54a109699..491053fb10 100644
---- a/programs/pluto/ikev2_ike_auth.c
-+++ b/programs/pluto/ikev2_ike_auth.c
-@@ -397,7 +397,7 @@ stf_status initiate_v2_IKE_AUTH_request_signature_continue(struct ike_sa *ike,
- 	/* send out the AUTH payload */
- 
- 	if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, request.pbs)) {
--		return STF_INTERNAL_ERROR;
-+		return STF_FATAL;
- 	}
- 
- 	if (LIN(POLICY_MOBIKE, ike->sa.st_connection->policy)) {
--- 
-2.44.0
-
diff --git a/SOURCES/libreswan-4.3-1934186-config.patch b/SOURCES/libreswan-4.3-1934186-config.patch
deleted file mode 100644
index 022fb47..0000000
--- a/SOURCES/libreswan-4.3-1934186-config.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -Naur libreswan-4.3-orig/configs/ipsec.conf.in libreswan-4.3/configs/ipsec.conf.in
---- libreswan-4.3-orig/configs/ipsec.conf.in	2021-03-04 14:29:50.591912834 -0500
-+++ libreswan-4.3/configs/ipsec.conf.in	2021-03-04 14:30:27.227389433 -0500
-@@ -32,6 +32,7 @@
- 	# listen-tcp=yes
- 	# To enable IKE and IPsec over TCP for VPN client, also specify
- 	# tcp-remote-port=4500 in the client's conn section.
-+	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
- 
- # if it exists, include system wide crypto-policy defaults
- # include /etc/crypto-policies/back-ends/libreswan.config
diff --git a/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch b/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch
deleted file mode 100644
index 68c94eb..0000000
--- a/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 83487373fdd77437e51cfccd41532e270e279e05 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 10 Jan 2023 00:11:26 +0900
-Subject: [PATCH] libreswan-4.3-maintain-different-v1v2-split.patch
-
----
- configs/d.ipsec.conf/ikev2.xml | 14 +++++++-------
- lib/libipsecconf/confread.c    |  8 +++++++-
- programs/whack/whack.c         |  4 ++--
- 3 files changed, 16 insertions(+), 10 deletions(-)
-
-diff --git a/configs/d.ipsec.conf/ikev2.xml b/configs/d.ipsec.conf/ikev2.xml
-index 3d03825..285db1b 100644
---- a/configs/d.ipsec.conf/ikev2.xml
-+++ b/configs/d.ipsec.conf/ikev2.xml
-@@ -2,14 +2,14 @@
-   <term><emphasis remap='B'>ikev2</emphasis></term>
-   <listitem>
- <para>Whether to use IKEv2 (RFC 7296) or IKEv1 (RFC 4301).
--Currently the accepted values are <emphasis remap='B'>yes</emphasis> (the default),
--signifying only IKEv2 is accepted, or <emphasis remap='B'>no</emphasis>,
-+Currently the accepted values are <emphasis remap='B'>insist</emphasis> (the default),
-+signifying only IKEv2 is accepted, or <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>),
- signifying only IKEv1 is accepted. Previous versions allowed the keywords
--<emphasis remap='B'>propose</emphasis> or <emphasis remap='B'>permit</emphasis>
--that would allow either IKEv1 or IKEv2, but this is no longer supported. The
--permit option is interpreted as no and the propose option is interpreted as
--yes. Older versions also supported keyword
--<emphasis remap='B'>insist</emphasis> which is now interpreted as yes.
-+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>
-+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
-+now cause the connection to fail to load. <emphasis remap='B'>WARNING:</emphasis> This behaviour differs from upstream
-+libreswan, which only accepts <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>no</emphasis> where yes means
-+the same as insist.
- </para>
-   </listitem>
-   </varlistentry>
-diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
-index b95c90a..e752441 100644
---- a/lib/libipsecconf/confread.c
-+++ b/lib/libipsecconf/confread.c
-@@ -1340,11 +1340,17 @@ static bool load_conn(struct starter_conn *conn,
- 
- 		switch (conn->options[KNCF_IKEv2]) {
- 		case fo_never:
--		case fo_permit:
- 			conn->ike_version = IKEv1;
- 			break;
- 
-+		case fo_permit:
-+			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+			return true;
-+
- 		case fo_propose:
-+			starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+			return true;
-+
- 		case fo_insist:
- 			conn->ike_version = IKEv2;
- 			break;
-diff --git a/programs/whack/whack.c b/programs/whack/whack.c
-index b512b04..3de020e 100644
---- a/programs/whack/whack.c
-+++ b/programs/whack/whack.c
-@@ -815,7 +815,7 @@ static const struct option long_opts[] = {
- 	{ "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */
- 	{ "ikev2", no_argument, NULL, CD_IKEv2 +OO },
- 	{ "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */
--	{ "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */
-+	/* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */
- 
- 	PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
- #ifdef AUTH_HAVE_PAM
-@@ -1802,7 +1802,7 @@ int main(int argc, char **argv)
- 			end_seen = LEMPTY;
- 			continue;
- 
--		/* --ikev1 --ikev2 --ikev2-propose */
-+		/* --ikev1 --ikev2  */
- 		case CD_IKEv1:
- 		case CD_IKEv2:
- 		{
--- 
-2.39.0
-
diff --git a/SOURCES/libreswan-4.9-2176248-authby-rsasig.patch b/SOURCES/libreswan-4.9-2176248-authby-rsasig.patch
deleted file mode 100644
index 9569e86..0000000
--- a/SOURCES/libreswan-4.9-2176248-authby-rsasig.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Fri, 14 Apr 2023 14:10:47 +0900
-Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
- authby=rsa-sha1
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
-index 38b44ab61d..9a7c0bc6a8 100644
---- a/lib/libswan/pubkey_rsa.c
-+++ b/lib/libswan/pubkey_rsa.c
-@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
- 	 * used to generate the signature.
- 	 */
- 	SECItem signature_result = {0};
-+
-+	/* ignore system crypto-policies for the hash algorithm */
-+	PRUint32 saved_policy;
-+
-+	if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
-+		/* PR_GetError() returns the thread-local error */
-+		enum_buf tb;
-+		llog_nss_error(RC_LOG_SERIOUS, logger,
-+			       "NSS_SetAlgorithmPolicy(%s) function failed",
-+			       str_nss_oid(hash_algo->nss.oid_tag, &tb));
-+		return (struct hash_signature) { .len = 0, };
-+	}
-+
-+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
-+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
-+					     NSS_USE_ALG_IN_SIGNATURE, 0);
-+	}
-+
- 	SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
- 				 hash_algo->nss.oid_tag,
- 				 &signature_result, &digest);
-+
-+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
-+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
-+					     saved_policy, ~saved_policy);
-+	}
-+
- 	if (s != SECSuccess) {
- 		/* PR_GetError() returns the thread-local error */
- 		enum_buf tb;
--- 
-2.40.0
-
diff --git a/libreswan-4.15-ipsec_import.patch b/libreswan-4.15-ipsec_import.patch
new file mode 100644
index 0000000..129fbfd
--- /dev/null
+++ b/libreswan-4.15-ipsec_import.patch
@@ -0,0 +1,20 @@
+diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
+index 40ff9f4138..41813b5258 100755
+--- a/programs/ipsec/ipsec.in
++++ b/programs/ipsec/ipsec.in
+@@ -758,7 +758,14 @@ ipsec_import() {
+ 	    exit 1
+ 	fi
+ 
+-	pk12util -i "${pkcs12bundle}" -d "${IPSEC_NSSDIR_SQL}"
++	# First try blanc password to avoid uselessly prompting interactively
++	pk12util -i "${pkcs12bundle}" -d "${IPSEC_NSSDIR_SQL}" -W '' 2>/dev/null
++	# check for SEC_ERROR_BAD_PASSWORD
++	if [ $? -eq 18 ]; then
++	    # Not the empty password
++	    pk12util -i "${pkcs12bundle}" -d "${IPSEC_NSSDIR_SQL}"
++	fi
++
+ 	# check and correct trust bits
+ 	set_nss_db_trusts
+ 	exit 0
diff --git a/libreswan-4.15-netlink-extack.patch b/libreswan-4.15-netlink-extack.patch
new file mode 100644
index 0000000..92cf5e7
--- /dev/null
+++ b/libreswan-4.15-netlink-extack.patch
@@ -0,0 +1,153 @@
+From 4f2af7c8c3afaaa63e8e16467de3441622a5314d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Tue, 21 May 2024 20:12:17 +0900
+Subject: [PATCH] kernel_xfrm: record extended ack from netlink response
+
+This enables pluto to log any error message reported through extended
+ACK attributes[1] in a netlink response, to make diagnostic easier
+when an error occurs.  Suggested by Sabrina Dubroca.
+
+1. https://docs.kernel.org/userspace-api/netlink/intro.html#ext-ack
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+Signed-off-by: Andrew Cagney <cagney@gnu.org>
+---
+ include/netlink_attrib.h     |  4 +++
+ lib/libswan/netlink_attrib.c | 29 +++++++++++++++++++++
+ programs/pluto/kernel_xfrm.c | 49 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 82 insertions(+)
+
+diff --git a/include/netlink_attrib.h b/include/netlink_attrib.h
+index 4c952ae3e9..fff35d83f1 100644
+--- a/include/netlink_attrib.h
++++ b/include/netlink_attrib.h
+@@ -46,4 +46,8 @@ void nl_addattrstrz(struct nlmsghdr *n, int maxlen, int type,
+ 		const char *str);
+ void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data);
+ 
++const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset);
++const char *nl_getattrvalstrz(const struct nlmsghdr *n,
++			      const struct nlattr *attr);
++
+ #endif
+diff --git a/lib/libswan/netlink_attrib.c b/lib/libswan/netlink_attrib.c
+index 34bb4bec83..ccc08cba8f 100644
+--- a/lib/libswan/netlink_attrib.c
++++ b/lib/libswan/netlink_attrib.c
+@@ -66,3 +66,32 @@ void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data)
+ {
+ 	nl_addattr_l(n, maxlen, type, &data, sizeof(uint32_t));
+ }
++
++const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset)
++{
++	struct nlattr *attr = (void *)n + NLMSG_HDRLEN + NLMSG_ALIGN(*offset);
++	struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
++
++	if (attr == tail) {
++		return NULL;
++	}
++
++	*offset += NLA_ALIGN(attr->nla_len);
++	return attr;
++}
++
++const char *nl_getattrvalstrz(const struct nlmsghdr *n,
++			      const struct nlattr *attr)
++{
++	struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
++
++	ptrdiff_t len = (void *)tail - (void *)attr;
++	if (len < (ptrdiff_t)sizeof(struct nlattr) ||
++	    attr->nla_len <= sizeof(struct nlattr) ||
++	    attr->nla_len > len ||
++	    !memchr(attr + NLA_HDRLEN, '\0', attr->nla_len - NLA_HDRLEN)) {
++		return NULL;
++	}
++
++	return (void *)attr + NLA_HDRLEN;
++}
+diff --git a/programs/pluto/kernel_xfrm.c b/programs/pluto/kernel_xfrm.c
+index eed307f42b..25d1b16bc9 100644
+--- a/programs/pluto/kernel_xfrm.c
++++ b/programs/pluto/kernel_xfrm.c
+@@ -260,6 +260,22 @@ static void init_netlink(struct logger *logger)
+ 			    "socket() in init_netlink()");
+ 	}
+ 
++#ifdef SOL_NETLINK
++	const int on = true;
++	if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_CAP_ACK,
++		       (const void *)&on, sizeof(on)) < 0) {
++		llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_CAP_ACK) failed: ");
++	} else {
++		ldbg(logger, "xfrm: setsockopt(NETLINK_CAP_ACK) ok");
++	}
++	if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_EXT_ACK,
++		       (const void *)&on, sizeof(on)) < 0) {
++		llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_EXT_ACK) failed: ");
++	} else {
++		ldbg(logger, "xfrm: setsockopt(NETLINK_EXT_ACK) ok");
++	}
++#endif
++
+ 	nl_xfrm_fd = cloexec_socket(AF_NETLINK, SOCK_DGRAM|SOCK_NONBLOCK, NETLINK_XFRM);
+ 	if (nl_xfrm_fd < 0) {
+ 		fatal_errno(PLUTO_EXIT_FAIL, logger, errno,
+@@ -301,6 +317,37 @@ static void init_netlink(struct logger *logger)
+ 	}
+ }
+ 
++static void llog_ext_ack(lset_t rc_flags, struct logger *logger,
++			 const struct nlmsghdr *n)
++{
++#ifdef SOL_NETLINK
++	if (n->nlmsg_type != NLMSG_ERROR ||
++	    !(n->nlmsg_flags & NLM_F_ACK_TLVS)) {
++		return;
++	}
++
++	struct nlmsgerr *err = (void *)n + NLMSG_HDRLEN;
++	size_t offset = sizeof(*err);
++	if (!(n->nlmsg_flags & NLM_F_CAPPED)) {
++		offset += err->msg.nlmsg_len - NLMSG_HDRLEN;
++	}
++
++	for (const struct nlattr *attr = nl_getattr(n, &offset);
++	     attr != NULL; attr = nl_getattr(n, &offset)) {
++		if ((attr->nla_type & NLA_TYPE_MASK) == NLMSGERR_ATTR_MSG) {
++			const char *msg = nl_getattrvalstrz(n, attr);
++			if (msg) {
++				llog(rc_flags, logger, "netlink ext_ack: %s",
++				     msg);
++			}
++		}
++	}
++#else
++	/* use the arguments */
++	ldbg(logger, "ignoring "PRI_LSET" %p", rc_flags, n);
++#endif
++}
++
+ /*
+  * sendrecv_xfrm_msg()
+  *
+@@ -403,6 +450,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
+ 		if (rsp.u.e.error != 0) {
+ 			llog_error(logger, -rsp.u.e.error,
+ 				   "netlink response for %s %s", description, story);
++			llog_ext_ack(RC_LOG, logger, &rsp.n);
+ 			return false;
+ 		}
+ 		/*
+@@ -413,6 +461,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
+ 		 */
+ 		dbg("netlink response for %s %s included non-error error",
+ 		    description, story);
++		llog_ext_ack(DEBUG_STREAM, logger, &rsp.n);
+ 		/* ignore */
+ 	}
+ 	if (rbuf == NULL) {
+-- 
+2.45.2
+
diff --git a/libreswan-4.15-ondemand-tcp.patch b/libreswan-4.15-ondemand-tcp.patch
new file mode 100644
index 0000000..11689a6
--- /dev/null
+++ b/libreswan-4.15-ondemand-tcp.patch
@@ -0,0 +1,52 @@
+From 0b91406427cf7292d61900991fd665f076b6d43f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Tue, 2 Jul 2024 20:37:07 +0900
+Subject: [PATCH] tcp: call kernel_ops->poke_ipsec_policy_hole before connect
+
+This fixes ondemand initiation with TCP.  Without the policy hole, a
+TCP handshake will not complete, as it cannot receive SYN-ACK packet
+in plaintext and thus connect blocks until timeout.
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+Signed-off-by: Andrew Cagney <cagney@gnu.org>
+---
+ programs/pluto/iface_tcp.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
+index c63e8bfe4d..55fe639174 100644
+--- a/programs/pluto/iface_tcp.c
++++ b/programs/pluto/iface_tcp.c
+@@ -473,6 +473,15 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
+ 		return NULL;
+ 	}
+ 
++	/* This needs to be called before connect, so TCP handshake
++	 * (in plaintext) completes. */
++	if (kernel_ops->poke_ipsec_policy_hole != NULL &&
++	    !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
++		/* already logged */
++		close(fd);
++		return NULL;
++	}
++
+ 	/*
+ 	 * Connect
+ 	 *
+@@ -551,13 +560,6 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
+ 		}
+ 	}
+ 
+-	if (kernel_ops->poke_ipsec_policy_hole != NULL &&
+-	    !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
+-		/* already logged */
+-		close(fd);
+-		return NULL;
+-	}
+-
+ 	struct iface_endpoint *ifp =
+ 		alloc_iface_endpoint(fd, local_dev, &iketcp_iface_io,
+ 				     /*esp_encapsulation_enabled*/true,
+-- 
+2.45.2
+
diff --git a/libreswan-4.15.tar.gz.asc b/libreswan-4.15.tar.gz.asc
new file mode 100644
index 0000000..c7efe26
--- /dev/null
+++ b/libreswan-4.15.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJHBAABCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmYXR8ETHHRlYW1AbGli
+cmVzd2FuLm9yZwAKCRCF/0tDsw/G+WmID/46LnJ04rvj7RBZDzZg1nUnZyquuWd+
+vqGSFG54Ku5p62/JqL3+8Eu6dQ2o8DI1SJwMJFdaSFIwxNHTvZSr1wOwaSa+NQrI
+y/zTSAdZP04P0SqqJyOQxqYFMAEoRZhRE1gD4+1KGlQwPKzAtHi+2sHlfVryZEuF
+ZRRpuEcYrsdRneWxzRHKguDLb58b159yvt/HIQNOe7/BGnlq1rkBMgT0rD98A8Qb
+EOeZh6TcV9OnW2qm4QcJ5fm0ihvZpO/h3gih4KopwZQa7fUJYUPVRrS2AO40MVIM
+peq9/V+wD/+gthVh2eqtNzghGWxxwpZgBDQCmAUTr60QdCYeR2XsB/MGG5BJBs4m
+zFgXqsSHnEVJisUxnynNIFhUECo2A0CbVTAZnqBWgGkSO82VLu7506eaxJcJW84s
+QpNM7shHVdmV3lroqbJU2zBMKEHvCldFTDO2YTvfOV0Twytyn5gmT1sVqGiwdGpR
+XhfoRWILy+ViExhv6ZTubIYc1c8yo5wCG1tAq2iYfdLIcZVvqZIWB5LCv0rN2iPl
+0OrKo7bOQEmf7C+AL/LoAKWPpQeS79CYzwSKDfYHzE559yks0KPiTE5nLu8VrWH9
+zDTJ+2Ket3Ve93cz7zdqWcD7+HfKN7CxBW/bfCrysldsEjDBmvMiUI46kwPI99Y2
+w08DOHUAwSUgDg==
+=nCeA
+-----END PGP SIGNATURE-----
diff --git a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
new file mode 100644
index 0000000..40073d5
--- /dev/null
+++ b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
@@ -0,0 +1,63 @@
+From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 7 Jan 2022 18:36:47 -0500
+Subject: [PATCH] ikev1-policy defaults to drop
+
+IKEv2 has been available for 16 years (RFC 4306 was published December
+2005).  At some point, we should be discouraging IKEv1 adoption.
+
+To the extent that a user needs IKEv1, they can manually add
+ikev1-policy=accept to /etc/ipsec.conf.
+---
+ configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
+ include/ipsecconf/keywords.h          | 2 +-
+ lib/libipsecconf/confread.c           | 1 +
+ programs/pluto/server.c               | 5 -----
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
+index 17d1747e3b..3bd6702564 100644
+--- a/configs/d.ipsec.conf/ikev1-policy.xml
++++ b/configs/d.ipsec.conf/ikev1-policy.xml
+@@ -3,9 +3,10 @@
+   <listitem>
+ <para>
+ What to do with received IKEv1 packets. Valid options are
+-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
+-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
+-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
++<emphasis remap='B'>drop</emphasis> (default) which will silently drop
++any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
++<emphasis remap='B'>reject</emphasis> which will reply with an error.
++If this option is set to drop or reject, an attempt to load an
+ IKEv1 connection will fail, as these connections would never be able to receive a packet
+ for processing.
+ </para>
+diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
+index 660847733c..31b519242a 100644
+--- a/include/ipsecconf/keywords.h
++++ b/include/ipsecconf/keywords.h
+@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
+ 
+ 	KBF_LISTEN_TCP,		/* listen on TCP port 4500 - default no */
+ 	KBF_LISTEN_UDP,		/* listen on UDP port 500/4500 - default yes */
+-	KBF_GLOBAL_IKEv1,	/* global ikev1 policy - default accept */
++	KBF_GLOBAL_IKEv1,	/* global ikev1 policy - default drop */
+ 	KBF_ROOF
+ };
+ 
+diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
+index 5b5aba723f..68fbccf442 100644
+--- a/lib/libipsecconf/confread.c
++++ b/lib/libipsecconf/confread.c
+@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
+ 	/* Don't inflict BSI requirements on everyone */
+ 	SOPT(KBF_SEEDBITS, 0);
+ 	SOPT(KBF_DROP_OPPO_NULL, false);
++	SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
+ 
+ #ifdef HAVE_LABELED_IPSEC
+ 	SOPT(KBF_SECCTX, SECCTX);
+-- 
+2.34.1
+
diff --git a/SPECS/libreswan.spec b/libreswan.spec
similarity index 51%
rename from SPECS/libreswan.spec
rename to libreswan.spec
index d0ff40a..673bc1a 100644
--- a/SPECS/libreswan.spec
+++ b/libreswan.spec
@@ -1,80 +1,86 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 5;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
 %global _hardened_build 1
 # These are rpm macros and are 0 or 1
 %global with_efence 0
 %global with_development 0
 %global with_cavstests 1
-# minimum version for support for rhbz#1651314
-# should prob update for nss with IKEv1 quick mode support
-%global nss_version 3.53.1
+%global nss_version 3.52
 %global unbound_version 1.6.6
+# Libreswan config options
 %global libreswan_config \\\
     FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
     FINALMANDIR=%{_mandir} \\\
-    FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
-    INITSYSTEM=systemd \\\
-    NSS_HAS_IPSEC_PROFILE=true \\\
-    NSS_REQ_AVA_COPY=false \\\
     PREFIX=%{_prefix} \\\
-    PYTHON_BINARY=%{__python3} \\\
+    INITSYSTEM=systemd \\\
     SHELL_BINARY=%{_bindir}/sh \\\
     USE_DNSSEC=true \\\
-    USE_FIPSCHECK=false \\\
     USE_LABELED_IPSEC=true \\\
     USE_LDAP=true \\\
     USE_LIBCAP_NG=true \\\
     USE_LIBCURL=true \\\
     USE_LINUX_AUDIT=true \\\
     USE_NM=true \\\
-    USE_NSS_KDF=true \\\
+    USE_NSS_IPSEC_PROFILE=true \\\
     USE_SECCOMP=true \\\
     USE_AUTHPAM=true \\\
-    USE_DH2=true \\\
 %{nil}
 
-#global prever rc1
+#global prever dr1
 
 Name: libreswan
-Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
+Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
-Version: 4.12
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.4
-License: GPLv2
+Version: 4.15
+Release: %autorelease
+# The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
+# rest is under GPL-2.0-or-later
+License: GPL-2.0-or-later AND MPL-2.0
 Url: https://libreswan.org/
-
-Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
+Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
+Source1: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz.asc
+Source2: https://download.libreswan.org/LIBRESWAN-OpenPGP-KEY.txt
 %if 0%{with_cavstests}
-Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
-Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
-Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
+Source3: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
+Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
+Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 
-Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
-Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
-Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
-Patch6: libreswan-4.3-1934186-config.patch
-Patch7: libreswan-4.9-2176248-authby-rsasig.patch
-Patch8: libreswan-4.12-ikev2-auth-delete-state.patch
-Patch9: libreswan-4.12-ikev1-compute-keymat-default.patch
+Patch1: libreswan-4.15-ipsec_import.patch
+Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
+Patch3: libreswan-4.15-ondemand-tcp.patch
+Patch4: libreswan-4.15-netlink-extack.patch
 
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
 BuildRequires: flex
-BuildRequires: gcc make
+BuildRequires: gcc
+BuildRequires: gnupg2
+BuildRequires: hostname
 BuildRequires: ldns-devel
 BuildRequires: libcap-ng-devel
 BuildRequires: libevent-devel
 BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
+BuildRequires: make
 BuildRequires: nspr-devel
 BuildRequires: nss-devel >= %{nss_version}
-BuildRequires: nss-tools
+BuildRequires: nss-tools >= %{nss_version}
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig
-BuildRequires: hostname
-BuildRequires: redhat-rpm-config
+BuildRequires: systemd
 BuildRequires: systemd-devel
+BuildRequires: systemd-rpm-macros
 BuildRequires: unbound-devel >= %{unbound_version}
 BuildRequires: xmlto
 %if 0%{with_efence}
@@ -85,6 +91,11 @@ Requires: nss >= %{nss_version}
 Requires: nss-softokn
 Requires: nss-tools
 Requires: unbound-libs >= %{unbound_version}
+Requires: logrotate
+# for pidof
+Requires: procps-ng
+
+
 Requires(post): bash
 Requires(post): coreutils
 Requires(post): systemd
@@ -92,7 +103,7 @@ Requires(preun): systemd
 Requires(postun): systemd
 
 %description
-Libreswan is a free implementation of IKE/IPsec for Linux.  IPsec is
+Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
 the Internet Protocol Security and uses strong cryptography to provide
 both authentication and encryption services.  These services allow you
 to build secure tunnels through untrusted networks.  Everything passing
@@ -108,63 +119,60 @@ Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
 Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q -n libreswan-%{version}%{?prever}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-
-# linking to freebl is not needed
-sed -i "s/-lfreebl //" mk/config.mk
-
 # enable crypto-policies support
 sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
+%ifarch s390x
+# throws error on s390x
+sed -i "s/SUBDIRS += hunkcheck/#SUBDIRS += hunkcheck/" testing/programs/Makefile
+%endif
+%autopatch -p1
 
 %build
-make %{?_smp_mflags} \
+%make_build \
 %if 0%{with_development}
     OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
 %else
     OPTIMIZE_CFLAGS="%{optflags}" \
 %endif
+    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
 %if 0%{with_efence}
     USE_EFENCE=true \
 %endif
-    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers" \
-    USERLINK="%{?__global_ldflags}" \
+    USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -flto --no-lto" \
     %{libreswan_config} \
     programs
 FS=$(pwd)
 
+
 %install
-make \
-  DESTDIR=%{buildroot} \
-  %{libreswan_config} \
-  install
+%make_install \
+    %{libreswan_config} \
 FS=$(pwd)
 rm -rf %{buildroot}/usr/share/doc/libreswan
 rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
+# avoids python depency and are old / aging tools that are not very useful
+rm -rf %{buildroot}%{_libexecdir}/ipsec/show
+rm -rf %{buildroot}%{_libexecdir}/ipsec/verify
 
 install -d -m 0755 %{buildroot}%{_rundir}/pluto
 install -d %{buildroot}%{_sbindir}
 
-install -d %{buildroot}%{_sysconfdir}/sysctl.d
+install -d %{buildroot}%{_sysctldir}
 install -m 0644 packaging/fedora/libreswan-sysctl.conf \
-  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+    %{buildroot}%{_sysctldir}/50-libreswan.conf
 
 echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
-     > %{buildroot}%{_sysconfdir}/ipsec.secrets
+    > %{buildroot}%{_sysconfdir}/ipsec.secrets
 rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
 
 %if 0%{with_cavstests}
 %check
 # There is an elaborate upstream testing infrastructure which we do not
 # run here - it takes hours and uses kvm
-# We only run the CAVS tests.
-cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
+# We only run the CAVS tests and startup selftest
+cp %{SOURCE3} %{SOURCE4} %{SOURCE5} .
 bunzip2 *.fax.bz2
 
 : starting CAVS test for IKEv2
@@ -177,6 +185,7 @@ bunzip2 *.fax.bz2
 %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
     diff -u ikev1_psk.fax - > /dev/null
 : CAVS tests passed
+%endif
 
 # Some of these tests will show ERROR for negative testing - it will exit on real errors
 %{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
@@ -189,10 +198,9 @@ certutil -N -d sql:$tmpdir --empty-password
 %{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
 : pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
 
-%endif
-
 %post
 %systemd_post ipsec.service
+%sysctl_apply 50-libreswan.conf
 
 %preun
 %systemd_preun ipsec.service
@@ -208,177 +216,227 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
+%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
 %attr(0755,root,root) %dir %{_rundir}/pluto
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
 %config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
-%attr(0644,root,root) %doc %{_mandir}/*/*
+%doc %{_mandir}/*/*
 
 %changelog
-* Thu Jun  6 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.4
-- Fix CVE-2024-3652 (RHEL-32482)
+## START: Generated by rpmautospec
+* Tue Aug 06 2024 Daiki Ueno <dueno@redhat.com> - 4.15-5
+- Make use of Netlink extack for additional error reporting
 
-* Wed Apr 17 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.3
-- Bump release to ensure el8 package is greater than el8_* packages
+* Tue Aug 06 2024 Daiki Ueno <dueno@redhat.com> - 4.15-4
+- Fix auto=ondemand connection initialization with TCP
 
-* Tue Apr 16 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.2
-- Fix patch application in the previous change
+* Tue Aug 06 2024 Daiki Ueno <dueno@redhat.com> - 4.15-3
+- Re-introduce libreswan-4.6-ikev1-policy-defaults-to-drop.patch
 
-* Mon Apr 15 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.1
-- Fix CVE-2024-2357 (RHEL-28742)
+* Thu Jun 27 2024 Paul Wouters <paul.wouters@aiven.io> - 4.15-2
+- Add libreswan-4.15-ipsec_import.patch
 
-* Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
-- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy
+* Thu Jun 27 2024 Paul Wouters <paul.wouters@aiven.io> - 4.15-1
+- Update libreswan to 4.15 for CVE-2024-3652
+- Resolves rhbz#2274448 CVE-2024-3652 libreswan: IKEv1 default AH/ESP
+  responder can crash and restart
+- Allow "ipsec import" to try importing PKCS#12 non-interactively if there
+  is no password
 
-* Wed Aug  9 2023 Daiki Ueno <dueno@redhat.com> - 4.12-1
-- Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
-- Resolves: rhbz#2215955
+* Thu Jun 27 2024 Paul Wouters <paul.wouters@aiven.io> - 4.14-1
+- Update to 4.14 for CVE-2024-2357
 
-* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-2
-- Fix CVE-2023-30570 Malicious IKEv1 Aggressive Mode packets can crash libreswan
-- Resolves: rhbz#2187179
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 4.12-3.3
+- Bump release for June 2024 mass rebuild
 
-* Mon Jan  9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
-- Resolves: rhbz#2128672 Rebase libreswan to 4.9
-- Remove libreswan-4.4-ikev1-disable-diagnostics.patch no longer necessary
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.12-3.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Thu Jan 13 2022 Daiki Ueno <dueno@redhat.com> - 4.5-1
-- Resolves: rhbz#2017352 Rebase libreswan to 4.5
-- Resolves: rhbz#2036903 ikev1: disable diagnostics logging on receiving malformed packets
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.12-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Wed May 26 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1
-- Resolves: rhbz#1958968 Rebase libreswan to 4.4
-- Resolves: rhbz#1954423 Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers
+* Fri Sep 08 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-3
+- Update libcap-ng patch, fix email addresses in changelog
 
-* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
-- Resolves: rhbz#1933064 - IKEv2 support for Labeled IPsec
-- Resolves: rhbz#1935150 RFE: Support IKE and ESP over TCP: RFC 8229
-- Resolves: rhbz#1935339 virtual_private setting is missing in the default config
+* Tue Sep 05 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-2
+- Remove ipsec show and ipsec verify sub commands (not very useful, causes python requirement)
+- Patch for handling libcap-ng return values and fix capng_apply() call
+
+* Fri Aug 11 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-1
+- Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712
+- Resolves: rhbz#2230225 libreswan-4.12 is available
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.11-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu May 04 2023 Paul Wouters <paul.wouters@aiven.io> - 4.11-1
+- Update to 4.11 for CVE-2023-30570
+
+* Wed Mar 01 2023 Paul Wouters <paul.wouters@aiven.io> - 4.10-1
+- Update to 4.10 for CVE-2023-23009
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.9-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Jan 10 2023 Paul Wouters <paul.wouters@aiven.io> - 4.9-2
+- Use new GPG key location.
+
+* Thu Oct 13 2022 Paul Wouters <paul.wouters@aiven.io> - 4.9-1
+- Update to 4.9 (maxbytes/maxpackets support, raw ECDSA support, misc fixes)
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.7-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 24 2022 Paul Wouters <paul.wouters@aiven.io> - 4.7-1
+- Updated to 4.7 (EAPTLS support, bugfixes)
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.6-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Jan 13 2022 Paul Wouters <paul.wouters@aiven.io> - 4.6-2
+- Re-enable USE_DNSSEC again with patch to resolve header conflicts
+
+* Wed Jan 12 2022 Paul Wouters <paul.wouters@aiven.io> - 4.6-1
+- Resolves: CVE-2022-23094
+- Resolves: rhbz#2039604 libreswan-4.6 is available
+- Add gpg key and signature check for build
+- Temporarilly disable USE_DNSSEC in rawhide while we figure out openssl vs nss include clash
+
+* Thu Aug 26 2021 Paul Wouters <paul.wouters@aiven.io> - 4.5-1
+- Resolves rhbz#1996250 libreswan-4.5 is available
+
+* Tue Aug 03 2021 Paul Wouters <paul.wouters@aiven.io> - 4.4-3
+- Resolves rhbz#1989198 libreswan should depend on procps-ng or pidof
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.4-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Jun 07 2021 Paul Wouters <paul.wouters@aiven.io> - 4.4-2
+- Properly handle rpm sysctl config
+
+* Wed May 12 2021 Paul Wouters <paul.wouters@aiven.io> - 4.4-1
+- Resolves: rhbz#1952602 libreswan-4.4 is available
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 4.3-1.1
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
 
 * Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
-- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
+- update to 4.3 (minor bugfix release)
 
-* Thu Feb 04 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
-- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
-- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
+* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
+- Update to 4.2
 
-* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
-- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
-- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Wed Jul 29 2020 Paul Wouters <pwouters@redhat.com> - 3.32-6
-- Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss
+* Sat Dec 19 19:59:55 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.2-0.1.rc1
+- Resolves: rhbz#1867580 pluto process frequently dumps core
+  (disable USE_NSS_KDF until nss fixes have propagated)
 
-* Wed Jul 22 2020 Paul Wouters <pwouters@redhat.com> - 3.32-5
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [rebuild for USE_NSS_PRF]
+* Sat Dec 19 2020 Adam Williamson <awilliam@redhat.com> - 4.1-4
+- Rebuild for ldns soname bump
 
-* Wed Jul 01 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
-- Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled
+* Mon Nov 23 11:50:41 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.1-3
+- Resolves: rhbz#1894381 Libreswan 4.1-2 breaks l2tp connection to Windows VPN server
 
-* Wed Jun 17 2020 Paul Wouters <pwouters@redhat.com> - 3.32-3
-- Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script
-- Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly
-- Resolves: rhbz#1840212 protect libreswan against unannounced nss ABI change
+* Mon Oct 26 10:21:57 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-2
+- Resolves: rhbz#1889538 libreswan's /var/lib/ipsec/nss missing
 
-* Thu Jun 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [addconn fix]
+* Sun Oct 18 21:49:39 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
+- Updated to 4.1 - interop fix for Cisco
 
-* Thu Apr 30 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32
-- Resolves: rhbz#1816265 Use NSS to check whether FIPS mode is enabled
-- Resolves: rhbz#1826337 libreswan in FIPS mode rejects ECDSA keys based on faulty RSA key size check being applied
+* Thu Oct 15 10:27:14 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-1
+- Resolves: rhbz#1888448 libreswan-4.0 is available
 
-* Tue Aug 13 2019 Paul Wouters <pwouters@redhat.com> - 3.29-6
-- Resolves: rhbz#1714331 support NSS based IKE KDF's [require updated nss for rhbz 1738689, memleak fix]
+* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.2.rc1
+- Rebuild for libevent 2.1.12 with a soname bump
 
-* Thu Aug 08 2019 Paul Wouters <pwouters@redhat.com> - 3.29-5
-- Resolves: rhbz#1714331 support NSS based IKE KDF's so libreswan does not need FIPS certification
+* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.1.rc1
+- Updated to 4.0rc1
 
-* Thu Aug 01 2019 Paul Wouters <pwouters@redhat.com> - 3.29-4
-- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
+* Thu Aug 27 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
+- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
 
-* Thu Jul 04 2019 Paul Wouters <pwouters@redhat.com> - 3.29-3
-- Resolves: rhbz#1725205 XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.2
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Thu Jun 27 2019 Paul Wouters <pwouters@redhat.com> - 3.29-2
-- Resolves: rhbz#1723957 libreswan is missing linux audit calls for failed IKE SAs and failed IPsec SAs required for Common Criteria
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 3.32-3
+- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized
+  object
+
+* Tue May 26 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
+- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
+
+* Mon May 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
+- Resolves: rhbz#1809770 libreswan-3.32 is available
+
+* Tue Apr 14 2020 Paul Wouters <pwouters@redhat.com> - 3.31-2
+- Resolves: rhbz#1823823 Please drop the dependency on fipscheck
+
+* Tue Mar 03 2020 Paul Wouters <pwouters@redhat.com> - 3.31-1
+- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression)
+
+* Fri Feb 14 2020 Paul Wouters <pwouters@redhat.com> - 3.30-1
+- Resolves: rhbz#1802896 libreswan-3.30 is available
+- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32
+- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError:
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 09 2020 Paul Wouters <pwouters@redhat.com> - 3.29-2
+- _updown.netkey: fix syntax error in checking routes
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
 * Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1
-- Resolves: rhbz#1712555 libreswan rebase to 3.29
-
-* Tue May 28 2019 Paul Wouters <pwouters@redhat.com> - 3.28-2
-- Resolves: rhbz#1713734: barf: shell syntax error in barf diagnostic tool
+- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155
 
 * Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1
-- Resolves: rhbz#1712555 libreswan rebase to 3.28
-- Resolves: rhbz#1683706 Libreswan shows incorrect error messages
-- Resolves: rhbz#1706180 Remove last usage of old (unused) PF_KEY API
-- Resolves: rhbz#1677045 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart
-- Resolves: rhbz#1686990 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE
-- Resolves: rhbz#1608353 /usr/sbin/ipsec part of the libreswan packages still invokes commands that were deprecated a decade ago
-- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
-- Resolves: rhbz#1679394 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure
+- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312)
 
-* Thu Feb 21 2019 Paul Wouters <pwouters@redhat.com> - 3.27-9
-- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default [man page update]
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.27-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
-* Fri Feb 15 2019 Paul Wouters <pwouters@redhat.com> - 3.27-8
-- Resolves: rhbz#1664101 system wide crypto policies causing IKE_INIT packet fragmentation
-
-* Tue Feb 05 2019 Paul Wouters <pwouters@redhat.com> - 3.27-7
-- Resolves: rhbz#1671793 proessing ISAKMP_NEXT_D with additional payloads causes dangling pointer to deleted state
-
-* Fri Feb 01 2019 Paul Wouters <pwouters@redhat.com> - 3.27-6
-- Resolves: rhbz#1668342 SELinux prevents libreswan from using some outbound ports causing DNS resolution failures at connection at load time
-
-* Thu Jan 10 2019 Paul Wouters <pwouters@redhat.com> - 3.27-5
-- Resolves: rhbz#1664522 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits
-
-* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 3.27-4
-- Resolves: rhbz#1657846 libreswan no longer needs to provide openswan in rhel8
-- Resolves: rhbz#1643388 libreswan: Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth
-- Resolves: rhbz#1657854 remove userland support for deprecated KLIPS IPsec stack support
-
-* Sun Dec 09 2018 Paul Wouters <pwouters@redhat.com> - 3.27-3
-- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default
-
-* Thu Nov 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-2
-- Resolves: rhbz#1645137 Libreswan segfaults when it loads configuration file with more then 5 connections
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.27-1.1
+- Rebuilt for libcrypt.so.2 (#1666033)
 
 * Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1
-- Resolves: rhbz#1566574 Rebase to libreswan 3.27
+- Updated to 3.27 (various bugfixes)
+
+* Thu Sep 27 2018 Paul Wouters <pwouters@redhat.com> - 3.26-3
+- Add fedora python fixup for _unbound-hook
+
+* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-2
+- linking against freebl is no longer needed (and wasn't done in 3.25)
 
 * Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1
-- Resolves: rhbz#1566574 Rebase to libreswan 3.26
-- Resolves: rhbz#1527037 libreswan IPSEC implementation: should follow the policies of system-wide crypto policy
-- Resolves: rhbz#1375779 [IKEv2 Conformance] Test IKEv2.EN.R.1.1.6.7: Sending INVALID_KE_PAYLOAD failed
-- Resolves: rhbz#1085758 [TAHI][IKEv2] IKEv2.EN.I.1.2.1.1: Can't observe CREATE_CHILD_SA request for rekey
-- Resolves: rhbz#1053048 [TAHI][IKEv2] IKEv2.EN.I.1.2.4.1-7: libreswan doesn't sent CREATE_CHILD_SA after IKE_SA Lifetime timeout
+- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support)
 
-* Mon Aug 13 2018 Paul Wouters <pwouters@redhat.com> - 3.25-4
-- Resolves: rhbz#1590823 libreswan: Use Python 3 in RHEL 8
-
-* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.25-3.1
-- Rebuild for platform-python
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.25-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
-- Cleanup shebangs for python3
-- Use the same options via macro for make programs and make install
-- Remove old ifdefs
-- Sync up patches to new upstream version
-- Add Requires: for unbound-libs >= 1.6.6
-- Enable crypto-policies support
-- Make rundir world readable for easier permission granting for socket
+- Fix Opportunistic IPsec _unbound-hook argument parsing
+- Make rundir readable for all (so we can hand out permissions later)
 
-* Tue Jun 26 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.23-2.2
-- Make python shebangs point to python3
+* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
+- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
 
-* Fri Jun 22 2018 Troy Dawson <tdawson@redhat.com> - 3.23-2.1
-- Fix python shebangs (#1580773)
+* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
+- Updated to 3.25
 
 * Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
 - Support crypto-policies package
@@ -432,7 +490,7 @@ certutil -N -d sql:$tmpdir --empty-password
 - Remove support for /etc/sysconfig/pluto (use native systemd instead)
 
 * Thu May 05 2016 Paul Wouters <pwouters@redhat.com> - 3.17-2
-- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used 
+- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used
 
 * Thu Apr 07 2016 Paul Wouters <pwouters@redhat.com> - 3.17-1
 - Updated to 3.17 for CVE-2016-3071
@@ -526,3 +584,5 @@ certutil -N -d sql:$tmpdir --empty-password
 
 * Sat Apr 13 2013 Paul Wouters <pwouters@redhat.com> - 3.2-1
 - Initial package for Fedora
+
+## END: Generated by rpmautospec
diff --git a/sources b/sources
new file mode 100644
index 0000000..53b545c
--- /dev/null
+++ b/sources
@@ -0,0 +1,4 @@
+SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
+SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
+SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e
+SHA512 (libreswan-4.15.tar.gz) = 49a60688bb4a5241dbd791bdde0c71ae80cfb7383bb841ea0788a9d0237569d7ad79e59985c700526e3807817ddae77ebd57521897526fbb8fb93ffbea631efe