.gitignore

@@ -1,4 +1,46 @@
-SOURCES/ikev1_dsa.fax.bz2
-SOURCES/ikev1_psk.fax.bz2
-SOURCES/ikev2.fax.bz2
-SOURCES/libreswan-4.12.tar.gz
+/libreswan-3.2.tar.gz
+/libreswan-3.3.tar.gz
+/libreswan-3.4.tar.gz
+/libreswan-3.5.tar.gz
+/libreswan-3.6.tar.gz
+/libreswan-3.7.tar.gz
+/libreswan-3.8.tar.gz
+/libreswan-3.9.tar.gz
+/libreswan-3.10.tar.gz
+/libreswan-3.11.tar.gz
+/libreswan-3.12.tar.gz
+/libreswan-3.13.tar.gz
+/libreswan-3.14.tar.gz
+/ikev1_dsa.fax.bz2
+/ikev1_psk.fax.bz2
+/ikev2.fax.bz2
+/libreswan-3.15.tar.gz
+/libreswan-3.16.tar.gz
+/libreswan-3.17.tar.gz
+/libreswan-3.18.tar.gz
+/libreswan-3.19.tar.gz
+/libreswan-3.20dr4.tar.gz
+/libreswan-3.20.tar.gz
+/libreswan-3.21.tar.gz
+/libreswan-3.22.tar.gz
+/libreswan-3.23.tar.gz
+/libreswan-3.24.tar.gz
+/libreswan-3.25.tar.gz
+/libreswan-3.26.tar.gz
+/libreswan-3.27.tar.gz
+/libreswan-3.28.tar.gz
+/libreswan-3.29.tar.gz
+/libreswan-3.30.tar.gz
+/libreswan-3.31.tar.gz
+/libreswan-3.32.tar.gz
+/libreswan-4.0rc1.tar.gz
+/libreswan-4.0.tar.gz
+/libreswan-4.1.tar.gz
+/libreswan-4.2rc1.tar.gz
+/libreswan-4.2.tar.gz
+/libreswan-4.4.tar.gz
+/libreswan-4.5.tar.gz
+/libreswan-4.6.tar.gz
+/libreswan-4.9.tar.gz
+/libreswan-4.12.tar.gz
+/libreswan-4.15.tar.gz

.libreswan.metadata

@@ -1,4 +0,0 @@
-b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
-861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
-fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
-786c14a4755311ea3103683a3294e1536b1e44a6 SOURCES/libreswan-4.12.tar.gz

SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch

@@ -1,31 +0,0 @@
-From 1dddaa3226fe1b71b68ec9665d93864a5ec69801 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 9 Jan 2023 23:26:10 +0900
-Subject: [PATCH] libreswan-3.32-1861360-nodefault-rsa-pss.patch
-
----
- lib/libipsecconf/confread.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
-index 0444118..ec87646 100644
---- a/lib/libipsecconf/confread.c
-+++ b/lib/libipsecconf/confread.c
-@@ -1501,9 +1501,14 @@ static bool load_conn(struct starter_conn *conn,
- 				   hunk_streq(val, "rsa")) {
- 				conn->authby.rsasig = true;
- 				conn->authby.rsasig_v1_5 = true;
-+				/*
-+				 * These cause failure with RSA 1024 bits because it uses RSA-PSS
-+				 */
-+#if 0
- 				conn->sighash_policy |= POL_SIGHASH_SHA2_256;
- 				conn->sighash_policy |= POL_SIGHASH_SHA2_384;
- 				conn->sighash_policy |= POL_SIGHASH_SHA2_512;
-+#endif
- 			} else if (hunk_streq(val, "never")) {
- 				conn->authby.never = true;
- 			/* everything else is only supported for IKEv2 */
--- 
-2.39.0
-

SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch

@@ -1,136 +0,0 @@
-From a2cc5f8c80e8cb9be0b65f8e8544689e8b093c09 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 10 Jan 2023 00:18:48 +0900
-Subject: [PATCH] libreswan-4.1-maintain-obsolete-keywords.patch
-
----
- lib/libipsecconf/keywords.c | 28 ++++++++++++++++++++++++++++
- 1 file changed, 28 insertions(+)
-
-diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
-index fa8f0e0..03fb863 100644
---- a/lib/libipsecconf/keywords.c
-+++ b/lib/libipsecconf/keywords.c
-@@ -343,6 +343,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "ikev1-policy",  kv_config,  kt_enum,  KBF_GLOBAL_IKEv1,  kw_global_ikev1_list, NULL, },
-   { "curl-iface",  kv_config,  kt_string,  KSF_CURLIFACE, NULL, NULL, },
-   { "curl-timeout",  kv_config,  kt_time,  KBF_CURLTIMEOUT_MS, NULL, NULL, },
-+  { "curl_iface",  kv_config | kv_alias,  kt_string,  KSF_CURLIFACE, NULL, NULL, },  /* obsolete _ */
-+  { "curl_timeout",  kv_config | kv_alias,  kt_time,  KBF_CURLTIMEOUT_MS, NULL, NULL, },  /* obsolete _ */
- 
-   { "myvendorid",  kv_config,  kt_string,  KSF_MYVENDORID, NULL, NULL, },
-   { "syslog",  kv_config,  kt_string,  KSF_SYSLOG, NULL, NULL, },
-@@ -350,6 +352,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "logfile",  kv_config,  kt_filename,  KSF_LOGFILE, NULL, NULL, },
-   { "plutostderrlog",  kv_config,  kt_filename,  KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */
-   { "logtime",  kv_config,  kt_bool,  KBF_LOGTIME, NULL, NULL, },
-+  { "plutostderrlogtime",  kv_config | kv_alias,  kt_bool,  KBF_LOGTIME, NULL, NULL, },  /* obsolete */
-   { "logappend",  kv_config,  kt_bool,  KBF_LOGAPPEND, NULL, NULL, },
-   { "logip",  kv_config,  kt_bool,  KBF_LOGIP, NULL, NULL, },
-   { "audit-log",  kv_config,  kt_bool,  KBF_AUDIT_LOG, NULL, NULL, },
-@@ -369,13 +372,20 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, },
- 
-   { "crl-strict",  kv_config,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },
-+  { "crl_strict",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete _ */
-   { "crlcheckinterval",  kv_config,  kt_time,  KBF_CRL_CHECKINTERVAL_MS, NULL, NULL, },
-+  { "strictcrlpolicy",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete; used on openswan */
- 
-   { "ocsp-strict",  kv_config,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },
-+  { "ocsp_strict",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-enable",  kv_config,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },
-+  { "ocsp_enable",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-uri",  kv_config,  kt_string,  KSF_OCSP_URI, NULL, NULL, },
-+  { "ocsp_uri",  kv_config | kv_alias,  kt_string,  KSF_OCSP_URI, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-timeout",  kv_config,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },
-+  { "ocsp_timeout",  kv_config | kv_alias,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-trustname",  kv_config,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },
-+  { "ocsp_trust_name",  kv_config | kv_alias,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },  /* obsolete _ */
-   { "ocsp-cache-size",  kv_config,  kt_number,  KBF_OCSP_CACHE_SIZE, NULL, NULL, },
-   { "ocsp-cache-min-age",  kv_config,  kt_time,  KBF_OCSP_CACHE_MIN_AGE_MS, NULL, NULL, },
-   { "ocsp-cache-max-age",  kv_config,  kt_time,  KBF_OCSP_CACHE_MAX_AGE_MS, NULL, NULL, },
-@@ -399,6 +409,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "virtual_private",  kv_config,  kt_string,  KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
-   { "seedbits",  kv_config,  kt_number,  KBF_SEEDBITS, NULL, NULL, },
-   { "keep-alive",  kv_config,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },
-+  { "keep_alive",  kv_config | kv_alias,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
- 
-   { "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL },
-   { "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL },
-@@ -410,6 +421,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
- #ifdef HAVE_LABELED_IPSEC
-   { "ikev1-secctx-attr-type",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
-   { "secctx-attr-type",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },
-+  { "secctx_attr_value",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete _ */
-+  { "secctx-attr-value",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
- #endif
-   { "interfaces",  kv_config, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsoleted but often present keyword */
- 
-@@ -446,6 +459,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "username",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, },
-   /* xauthusername is still used in NetworkManager-libreswan :/ */
-   { "xauthusername",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, }, /* old alias */
-+  { "xauthname",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, }, /* old alias */
-   { "addresspool",  kv_conn | kv_leftright,  kt_range,  KSCF_ADDRESSPOOL, NULL, NULL, },
-   { "auth",  kv_conn | kv_leftright, kt_enum,  KNCF_AUTH,  kw_auth_list, NULL, },
- #ifdef HAVE_IPTABLES
-@@ -471,6 +485,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "esn",  kv_conn | kv_processed,  kt_enum,  KNCF_ESN,  kw_esn_list, NULL, },
-   { "decap-dscp",  kv_conn | kv_processed,  kt_bool,  KNCF_DECAP_DSCP,  NULL, NULL, },
-   { "nopmtudisc",  kv_conn | kv_processed,  kt_bool,  KNCF_NOPMTUDISC,  NULL, NULL, },
-+  { "ike_frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  kw_ynf_list, NULL, },  /* obsolete _ */
-+  { "ike-frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  kw_ynf_list, NULL, },  /* obsolete name */
-   { "fragmentation",  kv_conn | kv_processed,  kt_enum,  KNCF_IKE_FRAG,  kw_ynf_list, NULL, },
-   { "mobike",  kv_conn,  kt_bool,  KNCF_MOBIKE, NULL, NULL, },
-   { "narrowing",  kv_conn,  kt_bool,  KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, },
-@@ -481,13 +497,18 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   { "accept-redirect-to",  kv_conn,  kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, },
-   { "pfs",  kv_conn,  kt_bool,  KNCF_PFS, NULL, NULL, },
- 
-+  { "nat_keepalive",  kv_conn | kv_alias,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
-   { "nat-keepalive",  kv_conn,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },
- 
-+  { "initial_contact",  kv_conn | kv_alias,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },  /* obsolete _ */
-   { "initial-contact",  kv_conn,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },
-+  { "cisco_unity",  kv_conn | kv_alias,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },  /* obsolete _ */
-   { "cisco-unity",  kv_conn,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },
-   { "send-no-esp-tfc",  kv_conn,  kt_bool,  KNCF_NO_ESP_TFC, NULL, NULL, },
-   { "fake-strongswan",  kv_conn,  kt_bool,  KNCF_VID_STRONGSWAN, NULL, NULL, },
-+  { "send_vendorid",  kv_conn | kv_alias,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },  /* obsolete _ */
-   { "send-vendorid",  kv_conn,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },
-+  { "sha2_truncbug",  kv_conn | kv_alias,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },  /* obsolete _ */
-   { "sha2-truncbug",  kv_conn,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },
-   { "ms-dh-downgrade",  kv_conn,  kt_bool,  KNCF_MSDH_DOWNGRADE, NULL, NULL, },
-   { "require-id-on-certificate",  kv_conn,  kt_bool,  KNCF_SAN_ON_CERT, NULL, NULL, },
-@@ -505,7 +526,10 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   {"ikepad",  kv_conn,  kt_bool,  KNCF_IKEPAD, NULL, NULL, },
-   { "nat-ikev1-method",  kv_conn | kv_processed,  kt_enum,  KNCF_IKEV1_NATT,  kw_ikev1natt_list, NULL, },
- 
-+  { "labeled_ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
-+  { "labeled-ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
-   { "policy-label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
-+  { "policy_label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
-   { "sec-label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */
- 
-   /* Cisco interop: remote peer type */
-@@ -516,13 +540,17 @@ const struct keyword_def ipsec_conf_keywords[] = {
-   /* Network Manager support */
- #ifdef HAVE_NM
-   { "nm-configured",  kv_conn,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, },
-+  { "nm_configured",  kv_conn,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
- #endif
- 
-   { "xauthby",  kv_conn,  kt_enum,  KNCF_XAUTHBY,  kw_xauthby_list, NULL, },
-   { "xauthfail",  kv_conn,  kt_enum,  KNCF_XAUTHFAIL,  kw_xauthfail_list, NULL, },
-   { "modecfgpull",  kv_conn,  kt_invertbool,  KNCF_MODECONFIGPULL, NULL, NULL, },
-   { "modecfgdns",  kv_conn,  kt_string,  KSCF_MODECFGDNS, NULL, NULL, },
-+  { "modecfgdns1",  kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
-+  { "modecfgdns2",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
-   { "modecfgdomains",  kv_conn,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, },
-+  { "modecfgdomain",  kv_conn | kv_alias,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
-   { "modecfgbanner",  kv_conn,  kt_string,  KSCF_MODECFGBANNER, NULL, NULL, },
-   { "ignore-peer-dns",  kv_conn,  kt_bool,  KNCF_IGNORE_PEER_DNS, NULL, NULL, },
-   { "mark",  kv_conn,  kt_string,  KSCF_CONN_MARK_BOTH, NULL, NULL, },
--- 
-2.39.0
-

SOURCES/libreswan-4.3-1934186-config.patch

@@ -1,11 +0,0 @@
-diff -Naur libreswan-4.3-orig/configs/ipsec.conf.in libreswan-4.3/configs/ipsec.conf.in
---- libreswan-4.3-orig/configs/ipsec.conf.in	2021-03-04 14:29:50.591912834 -0500
-+++ libreswan-4.3/configs/ipsec.conf.in	2021-03-04 14:30:27.227389433 -0500
-@@ -32,6 +32,7 @@
- 	# listen-tcp=yes
- 	# To enable IKE and IPsec over TCP for VPN client, also specify
- 	# tcp-remote-port=4500 in the client's conn section.
-+	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
- 
- # if it exists, include system wide crypto-policy defaults
- # include /etc/crypto-policies/back-ends/libreswan.config

SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch

@@ -1,85 +0,0 @@
-From 83487373fdd77437e51cfccd41532e270e279e05 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 10 Jan 2023 00:11:26 +0900
-Subject: [PATCH] libreswan-4.3-maintain-different-v1v2-split.patch
-
----
- configs/d.ipsec.conf/ikev2.xml | 14 +++++++-------
- lib/libipsecconf/confread.c    |  8 +++++++-
- programs/whack/whack.c         |  4 ++--
- 3 files changed, 16 insertions(+), 10 deletions(-)
-
-diff --git a/configs/d.ipsec.conf/ikev2.xml b/configs/d.ipsec.conf/ikev2.xml
-index 3d03825..285db1b 100644
---- a/configs/d.ipsec.conf/ikev2.xml
-+++ b/configs/d.ipsec.conf/ikev2.xml
-@@ -2,14 +2,14 @@
-   <term><emphasis remap='B'>ikev2</emphasis></term>
-   <listitem>
- <para>Whether to use IKEv2 (RFC 7296) or IKEv1 (RFC 4301).
--Currently the accepted values are <emphasis remap='B'>yes</emphasis> (the default),
--signifying only IKEv2 is accepted, or <emphasis remap='B'>no</emphasis>,
-+Currently the accepted values are <emphasis remap='B'>insist</emphasis> (the default),
-+signifying only IKEv2 is accepted, or <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>),
- signifying only IKEv1 is accepted. Previous versions allowed the keywords
--<emphasis remap='B'>propose</emphasis> or <emphasis remap='B'>permit</emphasis>
--that would allow either IKEv1 or IKEv2, but this is no longer supported. The
--permit option is interpreted as no and the propose option is interpreted as
--yes. Older versions also supported keyword
--<emphasis remap='B'>insist</emphasis> which is now interpreted as yes.
-+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>
-+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
-+now cause the connection to fail to load. <emphasis remap='B'>WARNING:</emphasis> This behaviour differs from upstream
-+libreswan, which only accepts <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>no</emphasis> where yes means
-+the same as insist.
- </para>
-   </listitem>
-   </varlistentry>
-diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
-index b95c90a..e752441 100644
---- a/lib/libipsecconf/confread.c
-+++ b/lib/libipsecconf/confread.c
-@@ -1340,11 +1340,17 @@ static bool load_conn(struct starter_conn *conn,
- 
- 		switch (conn->options[KNCF_IKEv2]) {
- 		case fo_never:
--		case fo_permit:
- 			conn->ike_version = IKEv1;
- 			break;
- 
-+		case fo_permit:
-+			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+			return true;
-+
- 		case fo_propose:
-+			starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+			return true;
-+
- 		case fo_insist:
- 			conn->ike_version = IKEv2;
- 			break;
-diff --git a/programs/whack/whack.c b/programs/whack/whack.c
-index b512b04..3de020e 100644
---- a/programs/whack/whack.c
-+++ b/programs/whack/whack.c
-@@ -815,7 +815,7 @@ static const struct option long_opts[] = {
- 	{ "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */
- 	{ "ikev2", no_argument, NULL, CD_IKEv2 +OO },
- 	{ "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */
--	{ "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */
-+	/* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */
- 
- 	PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
- #ifdef AUTH_HAVE_PAM
-@@ -1802,7 +1802,7 @@ int main(int argc, char **argv)
- 			end_seen = LEMPTY;
- 			continue;
- 
--		/* --ikev1 --ikev2 --ikev2-propose */
-+		/* --ikev1 --ikev2  */
- 		case CD_IKEv1:
- 		case CD_IKEv2:
- 		{
--- 
-2.39.0
-

SOURCES/libreswan-4.9-2176248-authby-rsasig.patch

@@ -1,52 +0,0 @@
-From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <dueno@redhat.com>
-Date: Fri, 14 Apr 2023 14:10:47 +0900
-Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
- authby=rsa-sha1
-
-Signed-off-by: Daiki Ueno <dueno@redhat.com>
----
- lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
-index 38b44ab61d..9a7c0bc6a8 100644
---- a/lib/libswan/pubkey_rsa.c
-+++ b/lib/libswan/pubkey_rsa.c
-@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
- 	 * used to generate the signature.
- 	 */
- 	SECItem signature_result = {0};
-+
-+	/* ignore system crypto-policies for the hash algorithm */
-+	PRUint32 saved_policy;
-+
-+	if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
-+		/* PR_GetError() returns the thread-local error */
-+		enum_buf tb;
-+		llog_nss_error(RC_LOG_SERIOUS, logger,
-+			       "NSS_SetAlgorithmPolicy(%s) function failed",
-+			       str_nss_oid(hash_algo->nss.oid_tag, &tb));
-+		return (struct hash_signature) { .len = 0, };
-+	}
-+
-+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
-+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
-+					     NSS_USE_ALG_IN_SIGNATURE, 0);
-+	}
-+
- 	SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
- 				 hash_algo->nss.oid_tag,
- 				 &signature_result, &digest);
-+
-+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
-+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
-+					     saved_policy, ~saved_policy);
-+	}
-+
- 	if (s != SECSuccess) {
- 		/* PR_GetError() returns the thread-local error */
- 		enum_buf tb;
--- 
-2.40.0
-

gating.yaml

@@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.singlehost.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.multihost.functional}

libreswan-3.23-crypto-policies.patch

@@ -0,0 +1,66 @@
+diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
+index c41dd8048..cc2faf5c9 100644
+--- a/lib/libipsecconf/parser.l
++++ b/lib/libipsecconf/parser.l
+@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
+ 		char ebuf[128];
+ 
+ 		snprintf(ebuf, sizeof(ebuf),
+-			"cannot open include filename: '%s': %s",
++			(strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
++				"cannot open include filename: '%s': %s" :
++				"ignored loading default system-wide crypto-policies file '%s': %s",
+ 			iis->fileglob.gl_pathv[fcnt],
+ 			strerror(errno));
+ 		yyerror(ebuf);
+diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
+index 7374efc3c..974699f01 100644
+--- a/programs/configs/ipsec.conf.in
++++ b/programs/configs/ipsec.conf.in
+@@ -1,27 +1,18 @@
+ # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
+ #
+-# Manual:     ipsec.conf.5
++# see 'man ipsec.conf' and 'man pluto' for more information
++#
++# For example configurations and documentation, see https://libreswan.org/wiki/
+ 
+ config setup
+-	# Normally, pluto logs via syslog. If you want to log to a file,
+-	# specify below or to disable logging, eg for embedded systems, use
+-	# the file name /dev/null
+-	# Note: SElinux policies might prevent pluto writing to a log file at
+-	#       an unusual location.
++	# Normally, pluto logs via syslog.
+ 	#logfile=/var/log/pluto.log
+ 	#
+ 	# Do not enable debug options to debug configuration issues!
+ 	#
+-	# plutodebug "all", "none" or a combation from below:
+-	# "raw crypt parsing emitting control controlmore kernel pfkey
+-	#  natt x509 dpd dns oppo oppoinfo private".
+-	# Note: "private" is not included with "all", as it can show confidential
+-	#       information. It must be specifically specified
+-	# examples:
+ 	# plutodebug="control parsing"
+ 	# plutodebug="all crypt"
+-	# Again: only enable plutodebug when asked by a developer
+-	#plutodebug=none
++	plutodebug=none
+ 	#
+ 	# NAT-TRAVERSAL support
+ 	# exclude networks used on server side by adding %v4:!a.b.c.0/24
+@@ -30,10 +21,8 @@ config setup
+ 	# This range has never been announced via BGP (at least up to 2015)
+ 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
+ 
+-# For example connections, see your distribution's documentation directory,
+-# or https://libreswan.org/wiki/
+-#
+-# There is also a lot of information in the manual page, "man ipsec.conf"
+-#
++# if it exists, include system wide crypto-policy defaults
++include /etc/crypto-policies/back-ends/libreswan.config
++
+ # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
+ include @IPSEC_CONFDDIR@/*.conf

libreswan-3.23-fixups.patch

@@ -0,0 +1,507 @@
+diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c
+--- libreswan-3.23-orig/programs/pluto/connections.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/connections.c	2018-02-05 14:38:49.372280712 -0500
+@@ -3158,10 +3158,8 @@
+ 					matching_peer_id && matching_peer_ca && matching_requested_ca,
+ 					matching_peer_id, matching_peer_ca, matching_requested_ca);});
+ 
+-			/* Ignore template from which we instantiated - this should never happen */
+ 			if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) {
+-				libreswan_log("Warning: not switching back to template of current instance (FIXME)");
+-				continue;
++				DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance"));
+ 			}
+ 
+ 			/* 'You Tarzan, me Jane' check based on received IDr */
+diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c
+--- libreswan-3.23-orig/programs/pluto/hostpair.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/hostpair.c	2018-02-05 14:38:57.865635032 -0500
+@@ -144,17 +144,6 @@
+ 		hisport = pluto_port;
+ 
+ 	for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) {
+-		if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) &&
+-				(p->connections->spd.that.id.kind == ID_NULL))
+-		{
+-			DBG(DBG_CONTROLMORE, {
+-				char ci[CONN_INST_BUF];
+-				DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s",
+-					p->connections->name,
+-					fmt_conn_instance(p->connections, ci));
+-			});
+-			continue;
+-		}
+ 
+ 		DBG(DBG_CONTROLMORE, {
+ 			ipstr_buf b1;
+diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h
+--- libreswan-3.23-orig/programs/pluto/ikev2.h	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/ikev2.h	2018-02-05 14:39:11.171190105 -0500
+@@ -162,7 +162,9 @@
+ extern bool ikev2_calculate_rsa_sha1(struct state *st,
+ 				     enum original_role role,
+ 				     unsigned char *idhash,
+-				     pb_stream *a_pbs);
++				     pb_stream *a_pbs,
++				     bool calc_no_ppk_auth,
++				     chunk_t *no_ppk_auth);
+ 
+ extern bool ikev2_create_psk_auth(enum keyword_authby authby,
+ 				     struct state *st,
+diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c
+--- libreswan-3.23-orig/programs/pluto/ikev2_parent.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/ikev2_parent.c	2018-02-05 14:39:11.173190188 -0500
+@@ -2783,7 +2783,9 @@
+ 
+ 	switch (a.isaa_type) {
+ 	case IKEv2_AUTH_RSA:
+-		if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) {
++		if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs,
++			FALSE, /* store-only not set */
++			NULL /* store-only chunk unused */)) {
+ 			loglog(RC_LOG_SERIOUS, "Failed to find our RSA key");
+ 			return STF_FATAL;
+ 		}
+@@ -2792,7 +2794,7 @@
+ 	case IKEv2_AUTH_PSK:
+ 	case IKEv2_AUTH_NULL:
+ 		if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs,
+-			FALSE /* store-only not set */,
++			FALSE, /* store-only not set */
+ 			NULL /* store-only chunk unused */)) {
+ 			loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key");
+ 			return STF_FATAL;
+@@ -2812,7 +2814,9 @@
+ 					return STF_INTERNAL_ERROR;
+ 			}
+ 
+-			if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) {
++			if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs,
++				FALSE, /* store-only not set */
++				NULL /* store-only chunk unused */)) {
+ 				loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key");
+ 				return STF_FATAL;
+ 			}
+@@ -3224,7 +3228,7 @@
+ 		hmac_update(&id_ctx, id_start, id_len);
+ 		hmac_final(idhash, &id_ctx);
+ 
+-		if (pst->st_sk_pi_no_ppk != NULL) {
++		if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) {
+ 			struct hmac_ctx id_ctx_npa;
+ 
+ 			hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk);
+@@ -3371,7 +3375,7 @@
+ 			notifies++;
+ 
+ 		if (pst->st_seen_ppk)
+-			notifies++; /* used for two payloads */
++			notifies++; /* used for one or two payloads */
+ 
+ 		/* code does not support AH + ESP, not recommend rfc8221 section-4 */
+ 		struct ipsec_proto_info *proto_info
+@@ -3437,21 +3441,24 @@
+ 		}
+ 		if (pst->st_seen_ppk) {
+ 			chunk_t notify_data = create_unified_ppk_id(&ppk_id_p);
++			int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N;
+ 
+-			notifies--; /* used for 2 payloads */
+-				if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL,
+-						PROTO_v2_RESERVED, &empty_chunk,
+-						v2N_PPK_IDENTITY, &notify_data,
+-						&e_pbs_cipher))
+-					return STF_INTERNAL_ERROR;
++			notifies--; /* used for one or two payloads */
++			if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL,
++					PROTO_v2_RESERVED, &empty_chunk,
++					v2N_PPK_IDENTITY, &notify_data,
++					&e_pbs_cipher))
++				return STF_INTERNAL_ERROR;
+ 			freeanychunk(notify_data);
+ 
+-			ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth);
+-			if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL,
+-				PROTO_v2_RESERVED, &empty_chunk,
+-				v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth,
+-				&e_pbs_cipher))
+-					return STF_INTERNAL_ERROR;
++			if (!LIN(POLICY_PPK_INSIST, cc->policy)) {
++				ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth);
++				if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL,
++					PROTO_v2_RESERVED, &empty_chunk,
++					v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth,
++					&e_pbs_cipher))
++						return STF_INTERNAL_ERROR;
++			}
+ 		}
+ 
+ 		passert(notifies == 0);
+diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c
+--- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/ikev2_ppk.c	2018-02-05 14:39:11.173190188 -0500
+@@ -113,7 +113,24 @@
+ 	enum keyword_authby authby = c->spd.this.authby;
+ 	switch (authby) {
+ 	case AUTH_RSASIG:
+-		/* TODO */
++		if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) {
++			if (st->st_hash_negotiated & NEGOTIATE_AUTH_HASH_SHA1) {
++				/* make blobs separately, and somehow combine them and no_ppk_auth
++				 * to get an actual no_ppk_auth */
++				int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len;
++				u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH");
++				u_char *ret = blobs;
++				memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER);
++				blobs += ASN1_LEN_ALGO_IDENTIFIER;
++				memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE);
++				blobs += ASN1_SHA1_RSA_OID_SIZE;
++				memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len);
++				chunk_t release = *no_ppk_auth;
++				setchunk(*no_ppk_auth, ret, len);
++				freeanychunk(release);
++			}
++		}
++		return STF_OK;
+ 		break;
+ 	case AUTH_PSK:
+ 		if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth))
+diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c
+--- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/ikev2_rsa.c	2018-02-05 14:39:11.173190188 -0500
+@@ -101,7 +101,9 @@
+ bool ikev2_calculate_rsa_sha1(struct state *st,
+ 			      enum original_role role,
+ 			      unsigned char *idhash,
+-			      pb_stream *a_pbs)
++			      pb_stream *a_pbs,
++			      bool calc_no_ppk_auth,
++			      chunk_t *no_ppk_auth)
+ {
+ 	unsigned char signed_octets[SHA1_DIGEST_SIZE + 16];
+ 	size_t signed_len;
+@@ -136,8 +138,13 @@
+ 		if (shr == 0)
+ 			return FALSE;
+ 		passert(shr == (int)sz);
+-		if (!out_raw(sig_val, sz, a_pbs, "rsa signature"))
+-			return FALSE;
++		if (calc_no_ppk_auth == FALSE) {
++			if (!out_raw(sig_val, sz, a_pbs, "rsa signature"))
++				return FALSE;
++		} else {
++			clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk");
++			DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth));
++		}
+ 	}
+ 
+ 	return TRUE;
+diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c
+--- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/nss_cert_verify.c	2018-02-05 14:38:52.685418927 -0500
+@@ -498,60 +498,83 @@
+ 
+ bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name)
+ {
+-	SECStatus rv;
+ 	SECItem	subAltName;
+-	PLArenaPool *arena = NULL;
+-	CERTGeneralName *nameList = NULL;
+-	CERTGeneralName *current = NULL;
+-	bool san_ip = FALSE;
+-	unsigned int len = strlen(name);
+-	ip_address myip;
+-
+-	rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
++	SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
+ 			&subAltName);
+ 	if (rv != SECSuccess) {
+ 		DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension"));
+ 		return FALSE;
+ 	}
+ 
+-	if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL)
+-		san_ip = TRUE;
++	ip_address myip;
++	bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL);
+ 
+-	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++	PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ 	passert(arena != NULL);
+ 
+-	nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
+-	passert(current != NULL);
++	CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName);
+ 
+-	do
+-	{
++	if (nameList == NULL) {
++		loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode");
++		PORT_FreeArena(arena, PR_FALSE);
++		return FALSE;
++	}
++
++	/*
++	 * nameList is a pointer into a non-empty circular linked list.
++	 * This loop visits each entry.
++	 * We have visited each when we come back to the start.
++	 * We test only at the end, after we advance, because we want to visit
++	 * the first entry the first time we see it but stop when we get to it
++	 * the second time.
++	 */
++	CERTGeneralName *current = nameList;
++	do {
+ 		switch (current->type) {
+ 		case certDNSName:
+ 		case certRFC822Name:
+-			if (san_ip)
+-				break;
+-			if (current->name.other.len == len) {
+-				if (memcmp(current->name.other.data, name, len) == 0) {
+-					DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name));
+-					PORT_FreeArena(arena, PR_FALSE);
+-					return TRUE;
+-				}
+-			}
++		{
++			/*
++			 * Match the parameter name with the name in the certificate.
++			 * The name in the cert may start with "*."; that will match
++			 * any initial component in name (up to the first '.').
++			 */
++			/* we need to cast because name.other.data is unsigned char * */
++			const char *c_ptr = (const void *) current->name.other.data;
++			size_t c_len =  current->name.other.len;
++
++			const char *n_ptr = name;
++			static const char wild[] = "*.";
++			const size_t wild_len = sizeof(wild) - 1;
++
++			if (c_len > wild_len && startswith(c_ptr, wild)) {
++				/* wildcard in cert: ignore first component of name */
++				c_ptr += wild_len;
++				c_len -= wild_len;
++				n_ptr = strchr(n_ptr, '.');
++				if (n_ptr == NULL)
++					break;	/* cannot match */
+ 
+-			if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) {
+-				char osan[IDTOA_BUF];
++				n_ptr++;	/* skip . */
++			}
+ 
+-				memcpy(osan,current->name.other.data, current->name.other.len);
+-				osan[current->name.other.len] = '\0';
+-				DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name));
+-			} else {
+-				DBG(DBG_X509, DBG_log("subjectAltname <TOO BIG TO PRINT> does not match %s", name));
++			if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) {
++				/*
++				 * ??? if current->name.other.data contains bad characters,
++				 * what prevents them being logged?
++				 */
++				DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate",
++					name, current->name.other.len, current->name.other.data));
++				PORT_FreeArena(arena, PR_FALSE);
++				return TRUE;
+ 			}
+ 			break;
++		}
+ 
+ 		case certIPAddress:
+ 			if (!san_ip)
+ 				break;
++
+ 			if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) {
+ 				if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) {
+ 					DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name));
+@@ -572,7 +595,7 @@
+ 					break;
+ 				}
+ 			}
+-			DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name));
++			DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name));
+ 			break;
+ 
+ 		default:
+diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in
+--- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in	2018-02-05 14:38:49.373280754 -0500
+@@ -1,31 +1,52 @@
+ #!/usr/bin/python
++#
++# Copyright (C) 2018 Paul Wouters <pwouters@redhat.com>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
+ 
+ import sys
+-import base64
+-import commands
++import subprocess
+ 
+-log = ""
+-
+-status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1")
++# Get my %defaultroute IP address
++myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True)
+ myip = myip.split("src")[1].strip().split()[0]
+ 
+ argv = sys.argv
+-argc = len(sys.argv)
++ourself = argv.pop(0)
+ 
+-#log += "Number or arguments is %d\n"%argc
+-#if argc >= 4:
+-#	log += "QNAME:%s\n"%argv[1]
+-#	log += "TTL:%s\n"%argv[2]
+-#	log += "IP:%s\n"%argv[3]
+-#	log += "IPSECKEY:%s\n"%argv[4]
+-#	rr = argv[4]
+-#	pref, gwtype, algo, gw, pubkey = rr.split(" ")
+-#log += "-----------------------------\n"
+-
+-cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey)
+-cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey)
+-cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3])
+-ret, output = commands.getstatusoutput(cmdname)
+-ret, output = commands.getstatusoutput(cmdip)
+-ret, output = commands.getstatusoutput(cmdoe)
+-ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus")
++try:
++    qname = argv.pop(0)
++    ttl = argv.pop(0)
++    ip = argv.pop(0)
++except:
++    sys.exit("Bad arguments to ipsec _unbound")
++
++while (argv != []):
++    try:
++        gwprec = argv.pop(0)
++        gwtype = argv.pop(0)
++        gwalg = argv.pop(0)
++        gwid = argv.pop(0)
++        pubkey = argv.pop(0)
++        addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
++        addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
++        print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
++        print(subprocess.call(addkeyip, shell=True))
++        print(subprocess.call(addkeyhostname, shell=True))
++    except:
++        sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
++
++# done injecting all IPSECKEY records into pluto - try actual OE now
++cmdoeip = "ipsec whack --oppohere %s --oppothere %s"%(myip, ip)
++print(subprocess.check_output(cmdoeip, shell=True))
++#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname)
++#ret, output = commands.getstatusoutput(cmdoeqname)
++print(subprocess.check_output("ipsec whack --trafficstatus", shell=True))
+diff --git a/include/ietf_constants.h b/include/ietf_constants.h
+index 8a1ba5d..38fa4de 100644
+--- a/include/ietf_constants.h
++++ b/include/ietf_constants.h
+@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type {
+ 	IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23,
+ 	IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24,
+ 	IKEv2_INTERNAL_DNS_DOMAIN = 25,
+-	/* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */
++	IKEv2_INTERNAL_DNSSEC_TA = 26
+ };
+ 
+ 
+diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
+index 9ea9872..ab6db3e 100644
+--- a/lib/libswan/constants.c
++++ b/lib/libswan/constants.c
+@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = {
+ 	"IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */
+ 	"IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */
+ 	"IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */
+-	/* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */
++	"IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */
+ };
+ 
+ enum_names ikev2_cp_attribute_type_names = {
+ 	IKEv2_CP_ATTR_RESERVED,
+-	IKEv2_INTERNAL_DNS_DOMAIN,
+-	/* IKEv2_INTERNAL_DNSSEC_TA, */
++	IKEv2_INTERNAL_DNSSEC_TA,
+ 	ARRAY_REF(ikev2_cp_attribute_type_name),
+ 	NULL, /* prefix */
+ 	NULL
+diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c
+index ae56972..e818e0e 100644
+--- a/programs/addconn/addconn.c
++++ b/programs/addconn/addconn.c
+@@ -416,12 +416,11 @@ int main(int argc, char *argv[])
+ 		if (verbose)
+ 			printf("  Pass #1: Loading auto=add, auto=route and auto=start connections\n");
+ 
+-		for (conn = cfg->conns.tqh_first;
+-			conn != NULL;
+-			conn = conn->link.tqe_next) {
++		for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
+ 			if (conn->desired_state == STARTUP_ADD ||
+ 				conn->desired_state == STARTUP_ONDEMAND ||
+-				conn->desired_state == STARTUP_START) {
++				conn->desired_state == STARTUP_START)
++			{
+ 				if (verbose)
+ 					printf(" %s", conn->name);
+ 				resolve_defaultroute(conn);
+@@ -436,30 +435,22 @@ int main(int argc, char *argv[])
+ 		starter_whack_listen(cfg);
+ 
+ 		if (verbose)
+-			printf("  Pass #2: Routing auto=route and auto=start connections\n");
++			printf("  Pass #2: Routing auto=route connections\n");
+ 
+-		for (conn = cfg->conns.tqh_first;
+-			conn != NULL;
+-			conn = conn->link.tqe_next) {
+-			if (conn->desired_state == STARTUP_ADD ||
+-				conn->desired_state == STARTUP_ONDEMAND ||
+-				conn->desired_state == STARTUP_START) {
++		for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
++			if (conn->desired_state == STARTUP_ONDEMAND)
++			{
+ 				if (verbose)
+ 					printf(" %s", conn->name);
+-				resolve_defaultroute(conn);
+-				if (conn->desired_state == STARTUP_ONDEMAND ||
+-				    conn->desired_state == STARTUP_START) {
++				if (conn->desired_state == STARTUP_ONDEMAND)
+ 					starter_whack_route_conn(cfg, conn);
+-				}
+ 			}
+ 		}
+ 
+ 		if (verbose)
+ 			printf("  Pass #3: Initiating auto=start connections\n");
+ 
+-		for (conn = cfg->conns.tqh_first;
+-			conn != NULL;
+-			conn = conn->link.tqe_next) {
++		for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
+ 			if (conn->desired_state == STARTUP_START) {
+ 				if (verbose)
+ 					printf(" %s", conn->name);
+diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
+index 64b2808..b343445 100644
+--- a/programs/_updown.netkey/_updown.netkey.in
++++ b/programs/_updown.netkey/_updown.netkey.in
+@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in
+     up-client)
+ 	# connection to my client subnet coming up
+ 	# If you are doing a custom version, firewall commands go here.
++	addvtiiface
+ 	updateresolvconf
+ 	addcat
+ 	addsource

libreswan-3.23-gcc8.patch

@@ -0,0 +1,82 @@
+diff -Naur libreswan-3.23-orig/programs/pluto/kernel_netlink.c libreswan-3.23/programs/pluto/kernel_netlink.c
+--- libreswan-3.23-orig/programs/pluto/kernel_netlink.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/kernel_netlink.c	2018-02-19 18:56:24.433527475 -0500
+@@ -51,8 +51,9 @@
+ #include <linux/if_addr.h>
+ #include <linux/if_link.h>
+ 
+-#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
++//#include <netinet/in.h>
+ #include "linux/xfrm.h" /* local (if configured) or system copy */
++#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
+ 
+ #include "libreswan/pfkeyv2.h"
+ #include "libreswan/pfkey.h"
+diff -Naur libreswan-3.23-orig/programs/pluto/linux_audit.c libreswan-3.23/programs/pluto/linux_audit.c
+--- libreswan-3.23-orig/programs/pluto/linux_audit.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/linux_audit.c	2018-02-19 18:58:51.356837932 -0500
+@@ -74,6 +74,15 @@
+ 
+ #include "pluto_stats.h"
+ 
++#if __GNUC__ >= 7
++	/*
++	 * GCC 7+ warns about the following calls that truncate a string using
++	 * snprintf().  We are truncating the log message for a reason.
++	 */
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wformat-truncation"
++#endif
++
+ static bool log_to_audit = FALSE;		/* audit log messages for kernel */
+ 
+ void linux_audit_init(void)
+@@ -159,13 +168,13 @@
+ 	char raddr[ADDRTOT_BUF];
+ 	char laddr[ADDRTOT_BUF];
+ 	char audit_str[AUDIT_LOG_SIZE];
+-	char cipher_str[AUDIT_LOG_SIZE];
+-	char spi_str[AUDIT_LOG_SIZE];
++	char cipher_str[20];
++	char spi_str[20];
+ 	struct connection *const c = st->st_connection;
+ 	bool initiator = FALSE;
+ 	char head[IDTOA_BUF];
+-	char integname[IDTOA_BUF];
+-	char prfname[IDTOA_BUF];
++	char integname[20];
++	char prfname[20];
+ 	struct esb_buf esb, esb2;
+ 	/* we need to free() this */
+ 	char *conn_encode = audit_encode_nv_string("conn-name",c->name,0);
+@@ -300,3 +309,6 @@
+ 			AUDIT_CRYPTO_IPSEC_SA : AUDIT_CRYPTO_IKE_SA,
+ 		audit_str, raddr, AUDIT_RESULT_OK);
+ }
++#if __GNUC__ >= 7
++#pragma GCC diagnostic pop
++#endif
+diff -Naur libreswan-3.23-orig/programs/pluto/log.h libreswan-3.23/programs/pluto/log.h
+--- libreswan-3.23-orig/programs/pluto/log.h	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/log.h	2018-02-19 18:56:24.433527475 -0500
+@@ -154,7 +154,7 @@
+ 
+ #ifdef USE_LINUX_AUDIT
+ #include <libaudit.h>	/* from audit-libs devel */
+-#define AUDIT_LOG_SIZE 256
++#define AUDIT_LOG_SIZE 512
+ /* should really be in libaudit.h */
+ #define AUDIT_RESULT_FAIL 0
+ #define AUDIT_RESULT_OK 1
+diff -Naur libreswan-3.23-orig/programs/pluto/pluto_constants.c libreswan-3.23/programs/pluto/pluto_constants.c
+--- libreswan-3.23-orig/programs/pluto/pluto_constants.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/pluto_constants.c	2018-02-19 18:56:24.434527471 -0500
+@@ -478,7 +478,7 @@
+ 				     policy &
+ 				     ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK),
+ 				     pbitnamesbuf, sizeof(pbitnamesbuf));
+-	static char buf[200]; /* NOT RE-ENTRANT!  I hope that it is big enough! */
++	static char buf[512]; /* NOT RE-ENTRANT!  I hope that it is big enough! */
+ 	lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
+ 	lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;
+ 

libreswan-3.23-ppk-update.patch

@@ -0,0 +1,116 @@
+diff --git a/include/ietf_constants.h b/include/ietf_constants.h
+index 38fa4de..08c8d9e 100644
+--- a/include/ietf_constants.h
++++ b/include/ietf_constants.h
+@@ -1486,12 +1486,14 @@ typedef enum {
+ 	v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */
+ 	v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */
+ 	v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */
+-
+-	v2N_USE_PPK = 40960,            /* draft-ietf-ipsecme-qr-ikev2-01 */
+-	v2N_PPK_IDENTITY = 40961,       /* draft-ietf-ipsecme-qr-ikev2-01 */
+-	v2N_NO_PPK_AUTH = 40962,        /* draft-ietf-ipsecme-qr-ikev2-01 */
+-
+-	/* 16432 - 40969 Unassigned */
++	v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */
++	v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */
++	v2N_PUZZLE = 16434, /* RFC-8019 */
++	v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */
++	v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */
++	v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */
++
++	/* 16438 - 40969 Unassigned */
+ 	/* 40960 - 65535 Private Use */
+ } v2_notification_t;
+ 
+diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
+index ab6db3e..a0dab63 100644
+--- a/lib/libswan/constants.c
++++ b/lib/libswan/constants.c
+@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = {
+ };
+ */
+ 
+-static const char *const ikev2_notify_name_private[] = {
+-	"v2N_USE_PPK",
+-	"v2N_PPK_IDENTITY",
+-	"v2N_NO_PPK_AUTH",
+-};
+-
+-static enum_names ikev2_notify_names_private = {
+-	v2N_USE_PPK,
+-	v2N_NO_PPK_AUTH,
+-	ARRAY_REF(ikev2_notify_name_private),
+-	"v2N_", /* prefix */
+-	NULL
+-};
+-
+ /* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */
+ static const char *const ikev2_notify_name_16384[] = {
+ 	"v2N_INITIAL_CONTACT",    /* 16384 */
+@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = {
+ 	"v2N_SENDER_REQUEST_ID",
+ 	"v2N_IKEV2_FRAGMENTATION_SUPPORTED",    /* 16430 */
+ 	"v2N_SIGNATURE_HASH_ALGORITHMS",
++	"v2N_CLONE_IKE_SA_SUPPORTED",
++	"v2N_CLONE_IKE_SA",
++	"v2N_PUZZLE",
++	"v2N_USE_PPK", /* 16435 */
++	"v2N_PPK_IDENTITY",
++	"v2N_NO_PPK_AUTH",
+ };
+ 
+ static enum_names ikev2_notify_names_16384 = {
+ 	v2N_INITIAL_CONTACT,
+-	v2N_SIGNATURE_HASH_ALGORITHMS,
++	v2N_NO_PPK_AUTH,
+ 	ARRAY_REF(ikev2_notify_name_16384),
+ 	"v2N_", /* prefix */
+-	&ikev2_notify_names_private
++	NULL
+ };
+ 
+ static const char *const ikev2_notify_name[] = {
+diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
+index 258ba85..b86eea8 100644
+--- a/programs/pluto/ikev2_parent.c
++++ b/programs/pluto/ikev2_parent.c
+@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
+ 				break;
+ 			}
+ 
+-			if (LIN(POLICY_PPK_ALLOW, policy)) {
+-				no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
++			no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
+ 
+-				if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
+-					loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
+-					return STF_FATAL;
+-				}
+-				DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
+-				st->st_no_ppk_auth = no_ppk_auth;
+-			} else {
+-				libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK");
++			if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
++				loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
++				return STF_FATAL;
+ 			}
++			DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
++			st->st_no_ppk_auth = no_ppk_auth;
+ 			break;
+ 		}
+ 		case v2N_MOBIKE_SUPPORTED:
+@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
+ 		}
+ 	}
+ 
+-	/* if we found proper PPK ID, we should use that without fallback to no ppk */
+-	if (found_ppk)
++	/*
++	 * If we found proper PPK ID and policy allows PPK, use that.
++	 * Otherwise use NO_PPK_AUTH
++	 */
++	if (found_ppk && LIN(POLICY_PPK_ALLOW, policy))
+ 		freeanychunk(st->st_no_ppk_auth);
+ 
+ 	if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) {

libreswan-3.23-seccomp.patch

@@ -0,0 +1,24 @@
+diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c
+--- libreswan-3.23-orig/programs/addconn/addconn.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/addconn/addconn.c	2018-02-05 14:13:25.758711788 -0500
+@@ -140,7 +140,9 @@
+ 	rc |= S_RULE_ADD(set_robust_list);
+ 	rc |= S_RULE_ADD(set_tid_address);
+ 	rc |= S_RULE_ADD(socket);
++	rc |= S_RULE_ADD(socketcall);
+ 	rc |= S_RULE_ADD(socketpair);
++	rc |= S_RULE_ADD(stat);
+ 	rc |= S_RULE_ADD(statfs);
+ 	rc |= S_RULE_ADD(uname);
+ 	rc |= S_RULE_ADD(write);
+diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c
+--- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/pluto_seccomp.c	2018-02-05 14:13:38.390239502 -0500
+@@ -109,6 +109,7 @@
+ 		rc |= S_RULE_ADD(set_robust_list);
+ 		rc |= S_RULE_ADD(setsockopt);
+ 		rc |= S_RULE_ADD(socket);
++		rc |= S_RULE_ADD(socketcall);
+ 		rc |= S_RULE_ADD(socketpair);
+ 		rc |= S_RULE_ADD(sysinfo);
+ 		rc |= S_RULE_ADD(uname);

libreswan-3.25-relax-delete.patch

@@ -0,0 +1,62 @@
+diff --git a/programs/pluto/state.c b/programs/pluto/state.c
+index 7b33145..a3bcc3c 100644
+--- a/programs/pluto/state.c
++++ b/programs/pluto/state.c
+@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
+ 			d = next;
+ 		}
+ 
+-		if (c->newest_isakmp_sa != SOS_NOBODY &&
+-			c->newest_isakmp_sa != pst->st_serialno) {
+-				struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
++		/*
++		 * This only affects IKEv2, since we don't store any
++		 * received INITIAL_CONTACT for IKEv1.
++		 * We don't do this on IKEv1, because it seems to
++		 * confuse various third parties (Windows, Cisco VPN 300,
++		 * and juniper
++		 * likely because this would be called before the IPsec SA
++		 * of QuickMode is installed, so the remote endpoints view
++		 * this IKE SA still as the active one?
++		 */
++		if (pst->st_seen_initialc) {
+ 
+-				DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+-					old_p1->st_connection->name));
+-				old_p1->st_suppress_del_notify = TRUE;
+-				event_force(EVENT_SA_EXPIRE, old_p1);
+-		}
++			if (c->newest_isakmp_sa != SOS_NOBODY &&
++				c->newest_isakmp_sa != pst->st_serialno) {
++					struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+ 
+-		if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
+-		{
+-			struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+-			struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
++					DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
++						old_p1->st_connection->name));
++					old_p1->st_suppress_del_notify = TRUE;
++					event_force(EVENT_SA_EXPIRE, old_p1);
++			}
+ 
+-			if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
++			if (c->newest_ipsec_sa != SOS_NOBODY)
+ 			{
+-				DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+-					c->newest_ipsec_sa, c->name));
+-				old_p2->st_suppress_del_notify = TRUE;
+-				event_force(EVENT_SA_EXPIRE, old_p2);
++				struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
++				struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
++
++				if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
++				{
++					DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
++						c->newest_ipsec_sa, c->name));
++					old_p2->st_suppress_del_notify = TRUE;
++					event_force(EVENT_SA_EXPIRE, old_p2);
++				}
+ 			}
+ 		}
+ 

libreswan-3.25-unbound-hook.patch

@@ -0,0 +1,35 @@
+commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Sun Jul 8 22:29:52 2018 -0400
+
+    _unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
+
+diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
+index 0d266d5..38279de 100755
+--- a/programs/_unbound-hook/_unbound-hook.in
++++ b/programs/_unbound-hook/_unbound-hook.in
+@@ -29,14 +29,17 @@ try:
+ except:
+     sys.exit("Bad arguments to ipsec _unbound")
+ 
+-while (argv != []):
++# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
++data = argv.pop(0).split(" ")
++
++while (data != []):
+     try:
+-        gwprec = argv.pop(0)
+-        gwtype = argv.pop(0)
+-        gwalg = argv.pop(0)
+-        gwid = argv.pop(0)
+-        pubkey = argv.pop(0)
+-        addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
++        gwprec = data.pop(0)
++        gwtype = data.pop(0)
++        gwalg = data.pop(0)
++        gwid = data.pop(0)
++        pubkey = data.pop(0)
++        addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+         addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
+         print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+         print(subprocess.call(addkeyip, shell=True))

libreswan-3.26-asn1-zu.patch

@@ -0,0 +1,21 @@
+diff -Naur libreswan-3.26-orig/lib/libswan/asn1.c libreswan-3.26/lib/libswan/asn1.c
+--- libreswan-3.26-orig/lib/libswan/asn1.c	2018-09-16 22:45:52.000000000 -0400
++++ libreswan-3.26/lib/libswan/asn1.c	2018-09-17 00:28:06.726985327 -0400
+@@ -164,7 +164,7 @@
+ 		sig_val->len = len_r;
+ 		/* XXX: need to check len_r and len_s fits in this */
+ 	        sig_val->ptr = alloc_bytes(len_r * 2, "ec points");
+-		DBG(DBG_PARSING, DBG_log(" sig_val  len is %ld",sig_val->len));
++		DBG(DBG_PARSING, DBG_log(" sig_val  len is %zu",sig_val->len));
+ 		/* copy the values of r into signature */
+ 		memcpy(sig_val->ptr,blob->ptr,len_r);
+ 
+@@ -184,7 +184,7 @@
+ 			}
+ 			DBG(DBG_PARSING, DBG_log("  len_s is %d",len_s));
+ 			sig_val->len += len_s;
+-			DBG(DBG_PARSING, DBG_log(" sig_val total len is %ld",sig_val->len));
++			DBG(DBG_PARSING, DBG_log(" sig_val total len is %zu",sig_val->len));
+ 			/* copy the values of r into signature */
+ 			memcpy(sig_val->ptr+len_r,blob->ptr,len_s);
+ 		}

libreswan-3.29-updown-syntax.patch

@@ -0,0 +1,13 @@
+diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
+index 9c76998233..21000b1ea4 100644
+--- a/programs/_updown.netkey/_updown.netkey.in
++++ b/programs/_updown.netkey/_updown.netkey.in
+@@ -446,7 +446,7 @@ delsource() {
+         return ${st}
+     fi
+     # Remove source ip if it's not used any more.
+-    if [ -z $(ip -o route list src ${PLUTO_MY_SOURCEIP}) ]; then
++    if [ -z "$(ip -o route list src ${PLUTO_MY_SOURCEIP})" ]; then
+ 	if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
+ 	    interface="${VTI_IFACE}"
+ 	fi

libreswan-3.30-s390x.patch

@@ -0,0 +1,21 @@
+commit 8b067b47b1e2306c83bed49ecada1bddfb1c1a38
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Fri Feb 14 15:22:21 2020 -0500
+
+    pluto: fixup: 'incl' may be used uninitialized in init_virtual_ip()
+    
+    For some reason, only the s390x compiler complains.
+
+diff --git a/programs/pluto/virtual.c b/programs/pluto/virtual.c
+index ce94d5a5ee..74d77a3ab0 100644
+--- a/programs/pluto/virtual.c
++++ b/programs/pluto/virtual.c
+@@ -172,7 +172,7 @@ void init_virtual_ip(const char *private_list)
+ 			if (next == NULL)
+ 				next = str + strlen(str);
+ 
+-			bool incl;
++			bool incl = FALSE;
+ 			if (read_subnet(str, next - str,
+ 					 &(private_net_incl[i_incl]),
+ 					 &(private_net_excl[i_excl]),

libreswan-3.32-nss-api.patch

@@ -0,0 +1,16 @@
+diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c	2020-05-11 10:13:41.000000000 -0400
++++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c	2020-05-26 10:23:26.563318038 -0400
+@@ -16,6 +16,12 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ 
++/*
++ * Special advise from Bob Relyea - needs to go before any nss include
++ *
++ */
++#define NSS_PKCS11_2_0_COMPAT 1
++
+ #include "lswlog.h"
+ #include "lswnss.h"
+ #include "prmem.h"

libreswan-3.32-uninitialized.patch

@@ -0,0 +1,13 @@
+diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
+index 702c9a8..3772508 100644
+--- a/programs/pluto/ikev2_parent.c
++++ b/programs/pluto/ikev2_parent.c
+@@ -2150,7 +2150,7 @@ static stf_status ikev2_parent_inR1outI2_tail(struct state *pst, struct msg_dige
+ 					      struct pluto_crypto_req *r)
+ {
+ 	struct connection *const pc = pst->st_connection;	/* parent connection */
+-	struct ppk_id_payload ppk_id_p;
++	struct ppk_id_payload ppk_id_p = { };
+ 	struct ike_sa *ike = pexpect_ike_sa(pst);
+ 
+ 	if (!finish_dh_v2(pst, r, FALSE)) {

libreswan-4.12-ipv6-san.patch

@@ -0,0 +1,198 @@
+From 474d75be074799efa9e38f346d3fdb76dec3eead Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Tue, 5 Dec 2023 13:55:37 -0500
+Subject: [PATCH] x509: unpack IPv6 general names based on length
+
+fix #1321
+---
+ programs/pluto/x509.c | 35 +++++++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/programs/pluto/x509.c b/programs/pluto/x509.c
+index fbbf5a553e..f7e97b9979 100644
+--- a/programs/pluto/x509.c
++++ b/programs/pluto/x509.c
+@@ -336,7 +336,7 @@ generalName_t *collect_rw_ca_candidates(struct msg_digest *md)
+  */
+ static void gntoid(struct id *id, const generalName_t *gn, struct logger *logger)
+ {
+-	*id = empty_id;
++	*id = empty_id; /* aka ID_NONE */
+ 
+ 	switch (gn->kind) {
+ 	case GN_DNS_NAME:	/* ID type: ID_FQDN */
+@@ -345,18 +345,37 @@ static void gntoid(struct id *id, const generalName_t *gn, struct logger *logger
+ 		break;
+ 	case GN_IP_ADDRESS:	/* ID type: ID_IPV4_ADDR */
+ 	{
++		const struct ip_info *afi = NULL;
++		for (enum ip_index i = 0; i < IP_INDEX_ROOF; i++) {
++			if (ip_families[i].ip_size == gn->name.len) {
++				afi = &ip_families[i];
++				break;
++			}
++		}
++		if (afi == NULL) {
++			llog(RC_LOG, logger,
++			     "warning: invalid IP_ADDRESS general name: %zu byte length is not valid",
++			     gn->name.len);
++			PEXPECT(logger, id->kind == ID_NONE);
++			return;
++		}
++
+ 		/*
+ 		 * XXX: why could this fail; and what happens when it
+ 		 * is ignored?
+ 		 */
+-		const struct ip_info *afi = &ipv4_info;
+-		id->kind = afi->id_ip_addr;
+-		err_t ugh = hunk_to_address(gn->name, afi, &id->ip_addr);
++		ip_address addr;
++		err_t ugh = hunk_to_address(gn->name, afi, &addr);
+ 		if (ugh != NULL) {
+ 			llog(RC_LOG, logger,
+-				    "warning: gntoid() failed to initaddr(): %s",
+-				    ugh);
++			     "warning: invalid IP_ADDRESS general name: %s",
++			     ugh);
++			PEXPECT(logger, id->kind == ID_NONE);
++			return;
+ 		}
++
++		id->kind = afi->id_ip_addr;
++		id->ip_addr = addr;
+ 		break;
+ 	}
+ 	case GN_RFC822_NAME:	/* ID type: ID_USER_FQDN */
+@@ -464,14 +483,18 @@ bool add_pubkey_from_nss_cert(struct pubkey_list **pubkey_db,
+ 		return false;
+ 	}
+ 
++	ldbg(logger, "adding cert using subject name");
+ 	replace_public_key(pubkey_db, &pk);
+ 	passert(pk == NULL); /*stolen*/
+ 
++	ldbg(logger, "adding cert using general names");
+ 	add_cert_san_pubkeys(pubkey_db, cert, logger);
+ 
+ 	if (keyid != NULL && keyid->kind != ID_DER_ASN1_DN &&
+ 			     keyid->kind != ID_NONE &&
+ 			     keyid->kind != ID_FROMCERT) {
++		id_buf idb;
++		ldbg(logger, "adding cert using keyid %s", str_id(keyid, &idb));
+ 		struct pubkey *pk2 = NULL;
+ 		diag_t d = create_pubkey_from_cert(keyid, cert, &pk2, logger);
+ 		if (d != NULL) {
+-- 
+2.44.0
+
+From 1e27be95cd710a840681d1a51913e6a32ce75a2a Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Mon, 11 Mar 2024 17:18:51 -0400
+Subject: [PATCH] building: back-port ip_families[] and ip_index
+
+---
+ include/ip_index.h    | 27 +++++++++++++++++++++++++++
+ include/ip_info.h     |  7 +++++--
+ lib/libswan/ip_info.c |  9 ++++++---
+ 3 files changed, 38 insertions(+), 5 deletions(-)
+ create mode 100644 include/ip_index.h
+
+diff --git a/include/ip_index.h b/include/ip_index.h
+new file mode 100644
+index 0000000000..508589b05e
+--- /dev/null
++++ b/include/ip_index.h
+@@ -0,0 +1,27 @@
++/* ip address type index, for libreswan
++ *
++ * Copyright (C) 2022 Andrew Cagney
++ *
++ * This library is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU Library General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version.  See <https://www.gnu.org/licenses/lgpl-2.1.txt>.
++ *
++ * This library is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
++ * License for more details.
++ *
++ */
++
++#ifndef IP_INDEX_H
++#define IP_INDEX_H
++
++enum ip_index {
++	IPv4_INDEX,
++	IPv6_INDEX,
++};
++
++#define IP_INDEX_ROOF (IPv6_INDEX+1)
++
++#endif
+diff --git a/include/ip_info.h b/include/ip_info.h
+index 40e99ef687..c1329a8569 100644
+--- a/include/ip_info.h
++++ b/include/ip_info.h
+@@ -9,6 +9,7 @@
+ #include "ip_subnet.h"
+ #include "ip_selector.h"
+ #include "ip_sockaddr.h"
++#include "ip_index.h"
+ 
+ struct ip_info {
+ 	/*
+@@ -113,8 +114,10 @@ struct ip_info {
+ 
+ };
+ 
+-extern const struct ip_info ipv4_info;
+-extern const struct ip_info ipv6_info;
++extern const struct ip_info ip_families[IP_INDEX_ROOF];
++
++#define ipv4_info ip_families[IPv4_INDEX]
++#define ipv6_info ip_families[IPv6_INDEX]
+ 
+ extern const struct ip_info *aftoinfo(int af);
+ 
+diff --git a/lib/libswan/ip_info.c b/lib/libswan/ip_info.c
+index 70cd6a368f..97296d3a11 100644
+--- a/lib/libswan/ip_info.c
++++ b/lib/libswan/ip_info.c
+@@ -158,7 +158,9 @@ static ip_port port_from_ipv6_sockaddr(const ip_sockaddr sa)
+ 
+ #define IPv4_FF { { 255, 255, 255, 255, }, }
+ 
+-const struct ip_info ipv4_info = {
++const struct ip_info ip_families[IP_INDEX_ROOF] = {
++
++	[IPv4_INDEX] = {
+ 
+ 	.ip_version = IPv4,
+ 	.ip_size = sizeof(struct in_addr),
+@@ -210,11 +212,11 @@ const struct ip_info ipv4_info = {
+ 	.id_ip_addr = ID_IPV4_ADDR,
+ 	.id_ip_addr_subnet = ID_IPV4_ADDR_SUBNET,
+ 	.id_ip_addr_range = ID_IPV4_ADDR_RANGE,
+-};
++	},
+ 
+ #define IPv6_FF { { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, }, }
+ 
+-const struct ip_info ipv6_info = {
++	[IPv6_INDEX] = {
+ 
+ 	.ip_version = IPv6,
+ 	.ip_size = sizeof(struct in6_addr),
+@@ -266,6 +268,7 @@ const struct ip_info ipv6_info = {
+ 	.id_ip_addr = ID_IPV6_ADDR,
+ 	.id_ip_addr_subnet = ID_IPV6_ADDR_SUBNET,
+ 	.id_ip_addr_range = ID_IPV6_ADDR_RANGE,
++	}
+ };
+ 
+ const struct ip_info *aftoinfo(int af)
+-- 
+2.44.0
+

libreswan-4.15-create-child-sa-race-condition.patch

@@ -0,0 +1,57 @@
+From d0a468bc4ca54b3aa941f522afd4ef8ed279e3cd Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 22 Oct 2024 07:53:20 +0900
+Subject: [PATCH] pluto: ignore CREATE_CHILD_SA request if crypto is in
+ progress
+
+Since commit 1f4cede653c865d84ea4dd045db05670d513d385, both initiator
+and responder drive CREATE_CHILD_SA processing with the same shared
+IKE SA, which may sometimes interleave.  This adds a guard at the
+entry to the responder code, to return STF_IGNORE in case any CRYPTO
+continuation is already in place, so that the initiator could
+retransmit after a timeout on their side.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ programs/pluto/ikev2_create_child_sa.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/programs/pluto/ikev2_create_child_sa.c b/programs/pluto/ikev2_create_child_sa.c
+index 951485d063..504fc58a6b 100644
+--- a/programs/pluto/ikev2_create_child_sa.c
++++ b/programs/pluto/ikev2_create_child_sa.c
+@@ -662,6 +662,15 @@ stf_status process_v2_CREATE_CHILD_SA_rekey_child_request(struct ike_sa *ike,
+ 							  struct child_sa *larval_child,
+ 							  struct msg_digest *md)
+ {
++	/*
++	 * CRYPTO continuation is ongoing as the same IKE SA is shared
++	 * between initiator and responder, ignore it for now and let
++	 * the initiator retransmit.
++	 */
++	if (verbose_state_busy(&ike->sa)) {
++		return STF_IGNORE;
++	}
++
+ 	struct child_sa *predecessor = NULL;
+ 	if (!find_v2N_REKEY_SA_child(ike, md, &predecessor)) {
+ 		record_v2N_response(ike->sa.st_logger, ike, md, v2N_INVALID_SYNTAX,
+@@ -870,6 +879,15 @@ stf_status process_v2_CREATE_CHILD_SA_new_child_request(struct ike_sa *ike,
+ 							struct child_sa *larval_child,
+ 							struct msg_digest *md)
+ {
++	/*
++	 * CRYPTO continuation is ongoing as the same IKE SA is shared
++	 * between initiator and responder, ignore it for now and let
++	 * the initiator retransmit.
++	 */
++	if (verbose_state_busy(&ike->sa)) {
++		return STF_IGNORE;
++	}
++
+ 	pexpect(larval_child == NULL);
+ 	larval_child = new_v2_child_state(ike->sa.st_connection,
+ 					  ike, IPSEC_SA, SA_RESPONDER,
+-- 
+2.47.0
+

libreswan-4.15-netlink-extack.patch

@@ -0,0 +1,153 @@
+From 4f2af7c8c3afaaa63e8e16467de3441622a5314d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Tue, 21 May 2024 20:12:17 +0900
+Subject: [PATCH] kernel_xfrm: record extended ack from netlink response
+
+This enables pluto to log any error message reported through extended
+ACK attributes[1] in a netlink response, to make diagnostic easier
+when an error occurs.  Suggested by Sabrina Dubroca.
+
+1. https://docs.kernel.org/userspace-api/netlink/intro.html#ext-ack
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+Signed-off-by: Andrew Cagney <cagney@gnu.org>
+---
+ include/netlink_attrib.h     |  4 +++
+ lib/libswan/netlink_attrib.c | 29 +++++++++++++++++++++
+ programs/pluto/kernel_xfrm.c | 49 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 82 insertions(+)
+
+diff --git a/include/netlink_attrib.h b/include/netlink_attrib.h
+index 4c952ae3e9..fff35d83f1 100644
+--- a/include/netlink_attrib.h
++++ b/include/netlink_attrib.h
+@@ -46,4 +46,8 @@ void nl_addattrstrz(struct nlmsghdr *n, int maxlen, int type,
+ 		const char *str);
+ void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data);
+ 
++const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset);
++const char *nl_getattrvalstrz(const struct nlmsghdr *n,
++			      const struct nlattr *attr);
++
+ #endif
+diff --git a/lib/libswan/netlink_attrib.c b/lib/libswan/netlink_attrib.c
+index 34bb4bec83..ccc08cba8f 100644
+--- a/lib/libswan/netlink_attrib.c
++++ b/lib/libswan/netlink_attrib.c
+@@ -66,3 +66,32 @@ void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data)
+ {
+ 	nl_addattr_l(n, maxlen, type, &data, sizeof(uint32_t));
+ }
++
++const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset)
++{
++	struct nlattr *attr = (void *)n + NLMSG_HDRLEN + NLMSG_ALIGN(*offset);
++	struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
++
++	if (attr == tail) {
++		return NULL;
++	}
++
++	*offset += NLA_ALIGN(attr->nla_len);
++	return attr;
++}
++
++const char *nl_getattrvalstrz(const struct nlmsghdr *n,
++			      const struct nlattr *attr)
++{
++	struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
++
++	ptrdiff_t len = (void *)tail - (void *)attr;
++	if (len < (ptrdiff_t)sizeof(struct nlattr) ||
++	    attr->nla_len <= sizeof(struct nlattr) ||
++	    attr->nla_len > len ||
++	    !memchr(attr + NLA_HDRLEN, '\0', attr->nla_len - NLA_HDRLEN)) {
++		return NULL;
++	}
++
++	return (void *)attr + NLA_HDRLEN;
++}
+diff --git a/programs/pluto/kernel_xfrm.c b/programs/pluto/kernel_xfrm.c
+index eed307f42b..25d1b16bc9 100644
+--- a/programs/pluto/kernel_xfrm.c
++++ b/programs/pluto/kernel_xfrm.c
+@@ -260,6 +260,22 @@ static void init_netlink(struct logger *logger)
+ 			    "socket() in init_netlink()");
+ 	}
+ 
++#ifdef SOL_NETLINK
++	const int on = true;
++	if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_CAP_ACK,
++		       (const void *)&on, sizeof(on)) < 0) {
++		llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_CAP_ACK) failed: ");
++	} else {
++		ldbg(logger, "xfrm: setsockopt(NETLINK_CAP_ACK) ok");
++	}
++	if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_EXT_ACK,
++		       (const void *)&on, sizeof(on)) < 0) {
++		llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_EXT_ACK) failed: ");
++	} else {
++		ldbg(logger, "xfrm: setsockopt(NETLINK_EXT_ACK) ok");
++	}
++#endif
++
+ 	nl_xfrm_fd = cloexec_socket(AF_NETLINK, SOCK_DGRAM|SOCK_NONBLOCK, NETLINK_XFRM);
+ 	if (nl_xfrm_fd < 0) {
+ 		fatal_errno(PLUTO_EXIT_FAIL, logger, errno,
+@@ -301,6 +317,37 @@ static void init_netlink(struct logger *logger)
+ 	}
+ }
+ 
++static void llog_ext_ack(lset_t rc_flags, struct logger *logger,
++			 const struct nlmsghdr *n)
++{
++#ifdef SOL_NETLINK
++	if (n->nlmsg_type != NLMSG_ERROR ||
++	    !(n->nlmsg_flags & NLM_F_ACK_TLVS)) {
++		return;
++	}
++
++	struct nlmsgerr *err = (void *)n + NLMSG_HDRLEN;
++	size_t offset = sizeof(*err);
++	if (!(n->nlmsg_flags & NLM_F_CAPPED)) {
++		offset += err->msg.nlmsg_len - NLMSG_HDRLEN;
++	}
++
++	for (const struct nlattr *attr = nl_getattr(n, &offset);
++	     attr != NULL; attr = nl_getattr(n, &offset)) {
++		if ((attr->nla_type & NLA_TYPE_MASK) == NLMSGERR_ATTR_MSG) {
++			const char *msg = nl_getattrvalstrz(n, attr);
++			if (msg) {
++				llog(rc_flags, logger, "netlink ext_ack: %s",
++				     msg);
++			}
++		}
++	}
++#else
++	/* use the arguments */
++	ldbg(logger, "ignoring "PRI_LSET" %p", rc_flags, n);
++#endif
++}
++
+ /*
+  * sendrecv_xfrm_msg()
+  *
+@@ -403,6 +450,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
+ 		if (rsp.u.e.error != 0) {
+ 			llog_error(logger, -rsp.u.e.error,
+ 				   "netlink response for %s %s", description, story);
++			llog_ext_ack(RC_LOG, logger, &rsp.n);
+ 			return false;
+ 		}
+ 		/*
+@@ -413,6 +461,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
+ 		 */
+ 		dbg("netlink response for %s %s included non-error error",
+ 		    description, story);
++		llog_ext_ack(DEBUG_STREAM, logger, &rsp.n);
+ 		/* ignore */
+ 	}
+ 	if (rbuf == NULL) {
+-- 
+2.45.2
+

libreswan-4.15-ondemand-tcp.patch

@@ -0,0 +1,52 @@
+From 0b91406427cf7292d61900991fd665f076b6d43f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Tue, 2 Jul 2024 20:37:07 +0900
+Subject: [PATCH] tcp: call kernel_ops->poke_ipsec_policy_hole before connect
+
+This fixes ondemand initiation with TCP.  Without the policy hole, a
+TCP handshake will not complete, as it cannot receive SYN-ACK packet
+in plaintext and thus connect blocks until timeout.
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+Signed-off-by: Andrew Cagney <cagney@gnu.org>
+---
+ programs/pluto/iface_tcp.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
+index c63e8bfe4d..55fe639174 100644
+--- a/programs/pluto/iface_tcp.c
++++ b/programs/pluto/iface_tcp.c
+@@ -473,6 +473,15 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
+ 		return NULL;
+ 	}
+ 
++	/* This needs to be called before connect, so TCP handshake
++	 * (in plaintext) completes. */
++	if (kernel_ops->poke_ipsec_policy_hole != NULL &&
++	    !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
++		/* already logged */
++		close(fd);
++		return NULL;
++	}
++
+ 	/*
+ 	 * Connect
+ 	 *
+@@ -551,13 +560,6 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
+ 		}
+ 	}
+ 
+-	if (kernel_ops->poke_ipsec_policy_hole != NULL &&
+-	    !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
+-		/* already logged */
+-		close(fd);
+-		return NULL;
+-	}
+-
+ 	struct iface_endpoint *ifp =
+ 		alloc_iface_endpoint(fd, local_dev, &iketcp_iface_io,
+ 				     /*esp_encapsulation_enabled*/true,
+-- 
+2.45.2
+

libreswan-4.15-whack-fd-refcount.patch

@@ -0,0 +1,32 @@
+From b09f6edd9148cb08d70f8bad604efa064c9188e0 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 21 Oct 2024 09:25:06 +0900
+Subject: [PATCH] pluto: fix refcounting of whack FD at CREATE_CHILD_SA request
+
+After commit 6341e0d0257f26a7883bc5d1abff50ac362c625b, whack FD copied
+to a larval Child SA in submit_v2_CREATE_CHILD_SA_new_child is not
+properly closed at the completion of the CREATE_CHILD_SA exchange, as
+new_v2_child_state increases the reference count of the whack FD
+before sharing it with the IKE SA.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ programs/pluto/ikev2_create_child_sa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/programs/pluto/ikev2_create_child_sa.c b/programs/pluto/ikev2_create_child_sa.c
+index 034266e7a6..951485d063 100644
+--- a/programs/pluto/ikev2_create_child_sa.c
++++ b/programs/pluto/ikev2_create_child_sa.c
+@@ -710,7 +710,7 @@ void submit_v2_CREATE_CHILD_SA_new_child(struct ike_sa *ike,
+ 	struct child_sa *larval_child = new_v2_child_state(c, ike, IPSEC_SA,
+ 							   SA_INITIATOR,
+ 							   STATE_V2_NEW_CHILD_I0,
+-							   whackfd);
++							   null_fd);
+ 
+ 	free_chunk_content(&larval_child->sa.st_ni); /* this is from the parent. */
+ 	free_chunk_content(&larval_child->sa.st_nr); /* this is from the parent. */
+-- 
+2.47.0
+

libreswan-4.2-openssl3.patch

@@ -0,0 +1,31 @@
+diff -up ./programs/pluto/ikev2_ipseckey.c.openssl3 ./programs/pluto/ikev2_ipseckey.c
+--- ./programs/pluto/ikev2_ipseckey.c.openssl3	2021-02-03 02:36:01.000000000 +0100
++++ ./programs/pluto/ikev2_ipseckey.c	2021-06-24 17:55:04.863636517 +0200
+@@ -25,13 +25,25 @@
+ #include <arpa/nameser.h>
+ #include <ldns/ldns.h>	/* from ldns-devel */
+ #include <ldns/rr.h>
++/*
++ * avoid name clash between OpenSSL headers (included through
++ * <ldns/ldns.h>) and NSS headers (included below through <pk11pub.h>)
++ */
++#undef KU_DIGITAL_SIGNATURE
++#undef KU_NON_REPUDIATION
++#undef KU_KEY_ENCIPHERMENT
++#undef KU_DATA_ENCIPHERMENT
++#undef KU_KEY_AGREEMENT
++#undef KU_KEY_CERT_SIGN
++#undef KU_CRL_SIGN
++#undef KU_ENCIPHER_ONLY
+ #include <unbound.h>
+ #include "unbound-event.h"
+ #include "defs.h"
+ #include "log.h"
++#include "state.h"
+ #include "constants.h"	/* for demux.h */
+ #include "demux.h"	/* to get struct msg_digest */
+-#include "state.h"
+ #include "connections.h"
+ #include "dnssec.h"	/* includes unbound.h */
+ #include "id.h"
+diff -up ./programs/pluto/ikev2_rsa.c.openssl3 ./programs/pluto/ikev2_rsa.c

libreswan-4.4-covscan.patch

@@ -0,0 +1,101 @@
+From 835f711502fa07825b27201cb772e911c59d54b0 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Wed, 21 Jul 2021 10:10:43 +0200
+Subject: [PATCH] ipsec barf: fix shell test expression
+
+Spotted by shellcheck:
+
+  /usr/libexec/ipsec/barf:55:5: error[SC1073]: Couldn't parse this test expression. Fix to allow more checks.
+  #   53|       for f
+  #   54|       do
+  #   55|-> 	if [ -s ${LOGS}/${f} -a \
+  #   56|   	    -f ${LOGS}/${f} -a \
+  #   57|   	    grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+ programs/barf/barf.in | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index e76c62f338..499916da4b 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -53,8 +53,8 @@ findlog() {	# findlog string fallbackstring possiblefile ...
+     for f
+     do
+ 	if [ -s ${LOGS}/${f} -a \
+-	    -f ${LOGS}/${f} -a \
+-	    grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
++	    -f ${LOGS}/${f} ] && \
++	    grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
+ 	then
+ 	    # aha, this one has it
+ 	    findlog_file=${LOGS}/${f}
+@@ -66,8 +66,8 @@ findlog() {	# findlog string fallbackstring possiblefile ...
+     for f
+     do
+ 	if [ -s ${LOGS}/${f} -a \
+-	    -f ${LOGS}/${f} -a \
+-	    grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
++	    -f ${LOGS}/${f} ] && \
++	    grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
+ 	then
+ 	    # aha, this one has it
+ 	    findlog_file=${LOGS}/${f}
+@@ -80,8 +80,8 @@ findlog() {	# findlog string fallbackstring possiblefile ...
+     for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
+ 	do
+ 	if [ -f ${LOGS}/${f} -a \
+-	    ! -d ${LOGS}/${f} -a \
+-	    grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
++	    ! -d ${LOGS}/${f} ] && \
++	    grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
+ 	then
+ 	    # found it
+ 	    findlog_file=${LOGS}/${f}
+@@ -93,8 +93,8 @@ findlog() {	# findlog string fallbackstring possiblefile ...
+     for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
+     do
+ 	if [ -s ${LOGS}/${f} -a \
+-	    -f ${LOGS}/${f} -a \
+-	    grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
++	    -f ${LOGS}/${f} ] && \
++	    grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
+ 	then
+ 	    # found it
+ 	    findlog_file=${LOGS}/${f}
+-- 
+2.31.1
+
+From 00ee1189626db8dcce084cb481ad0c49b435f4ff Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Wed, 21 Jul 2021 10:54:58 +0200
+Subject: [PATCH] testing jambufcheck: add missing va_end calls in error path
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+ testing/programs/jambufcheck/jambufcheck.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/testing/programs/jambufcheck/jambufcheck.c b/testing/programs/jambufcheck/jambufcheck.c
+index 72baaa5a1d..23a47b15f6 100644
+--- a/testing/programs/jambufcheck/jambufcheck.c
++++ b/testing/programs/jambufcheck/jambufcheck.c
+@@ -104,11 +104,13 @@ static void check_jambuf(bool ok, const char *expect, ...)
+ 					}
+ 					break;
+ 				default:
++					va_end(ap);
+ 					FAIL("bad case");
+ 					return;
+ 				}
+ 			}
+ 			if (ok && !jambuf_ok(&buf)) {
++				va_end(ap);
+ 				FAIL("unexpectedly failed writing '%s'",
+ 				     str == NULL ? "(null)" : str);
+ 				return;
+-- 
+2.31.1
+

libreswan-4.4-getaddrinfo.patch

@@ -0,0 +1,168 @@
+diff -up ./lib/libswan/ttoaddress.c.getaddrinfo ./lib/libswan/ttoaddress.c
+--- ./lib/libswan/ttoaddress.c.getaddrinfo	2021-04-22 17:24:33.000000000 +0200
++++ ./lib/libswan/ttoaddress.c	2021-07-22 13:16:19.073745043 +0200
+@@ -20,6 +20,7 @@
+ #include <netdb.h>		/* for gethostbyname2() */
+ 
+ #include "ip_address.h"
++#include "ip_sockaddr.h"
+ #include "ip_info.h"
+ #include "lswalloc.h"		/* for alloc_things(), pfree() */
+ #include "lswlog.h"		/* for pexpect() */
+@@ -75,56 +76,6 @@ static err_t ttoaddr_base(shunk_t src,
+ }
+ 
+ /*
+- * tryname - try it as a name
+- *
+- * Error return is intricate because we cannot compose a static string.
+- */
+-static err_t tryname(const char *p,
+-		     int af,
+-		     int suggested_af,	/* kind(s) of numeric addressing tried */
+-		     ip_address *dst)
+-{
+-	struct hostent *h = gethostbyname2(p, af);
+-	if (h != NULL) {
+-		if (h->h_addrtype != af) {
+-			return "address-type mismatch from gethostbyname2!!!";
+-		}
+-
+-		return data_to_address(h->h_addr, h->h_length, aftoinfo(af), dst);
+-	}
+-
+-	if (af == AF_INET6) {
+-		if (suggested_af == AF_INET6) {
+-			return "not a numeric IPv6 address and name lookup failed (no validation performed)";
+-		} else /* AF_UNSPEC */ {
+-			return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
+-		}
+-	}
+-
+-	pexpect(af == AF_INET);
+-
+-	/* like, windows even has an /etc/networks? */
+-	struct netent *ne = getnetbyname(p);
+-	if (ne == NULL) {
+-		/* intricate because we cannot compose a static string */
+-		if (suggested_af == AF_INET) {
+-			return "not a numeric IPv4 address and name lookup failed (no validation performed)";
+-		} else {
+-			return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
+-		}
+-	}
+-
+-	if (ne->n_addrtype != af) {
+-		return "address-type mismatch from getnetbyname!!!";
+-	}
+-
+-	/* apparently .n_net is in host order */
+-	struct in_addr in = { htonl(ne->n_net), };
+-	*dst = address_from_in_addr(&in);
+-	return NULL;
+-}
+-
+-/*
+  * tryhex - try conversion as an eight-digit hex number (AF_INET only)
+  */
+ 
+@@ -401,57 +352,56 @@ err_t getpiece(const char **srcp,	/* *sr
+ 
+ err_t ttoaddress_dns(shunk_t src, const struct ip_info *afi, ip_address *dst)
+ {
++	char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
++	struct addrinfo *res = NULL;
++	const struct addrinfo hints = (struct addrinfo) {
++		.ai_family = afi == NULL ? AF_UNSPEC : afi->af,
++	};
+ 	*dst = unset_address;
+-	if (src.len == 0) {
+-		return "empty string";
+-	}
+-
+-	bool was_numeric = true;
+-	err_t err = ttoaddr_base(src, afi, &was_numeric, dst);
+-	if (was_numeric) {
+-		/* no-point in continuing */
+-		return err;
+-	}
+ 
+-	/* err == non-numeric */
++	int eai = getaddrinfo(name, NULL, &hints, &res);
++	err_t err = NULL;
+ 
+-	for (const char *cp = src.ptr, *end = cp + src.len; cp < end; cp++) {
++	if (eai != 0) {
+ 		/*
+-		 * Legal ASCII characters in a domain name.
+-		 * Underscore technically is not, but is a common
+-		 * misunderstanding.  Non-ASCII characters are simply
+-		 * exempted from checking at the moment, to allow for
+-		 * UTF-8 encoded stuff; the purpose of this check is
+-		 * merely to catch blatant errors.
+-		 *
+-		 * XXX: Suspect the ISASCII() check can be dropped -
+-		 * utf-8 isn't allowed in DNS names and without a
+-		 * utf-8 parser the check is flawed.
++		 * return system-supplied diagnostic
++		 * except where it is particularly confusing.
++		 * "Name or service not unknown." is terrible.
+ 		 */
+-		static const char namechars[] =
+-			"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
+-#define ISASCII(c) (((c) & 0x80) == 0)
+-		if (ISASCII(*cp) && strchr(namechars, *cp) == NULL) {
+-			return "illegal (non-DNS-name) character in name";
++		err = eai == EAI_NONAME ? "NAME is unknown" : gai_strerror(eai);
++	} else if (res == NULL) {
++		err = "not a numeric IP address and name lookup failed (no validation performed)";
++	} else {
++		/* always choose IPv4 result if there is one */
++		struct addrinfo *winner = res;
++
++		for (struct addrinfo *r = res; r!= NULL; r = r->ai_next) {
++			if (r->ai_family == AF_INET) {
++				winner = r;
++				break;
++			}
++ 		}
++
++		ip_port mbz = { .hport = 0 };
++		ip_sockaddr sa = {
++			.len = winner->ai_addrlen,
++		};
++		passert(sizeof(sa.sa) >= winner->ai_addrlen);
++		memcpy(&sa.sa, winner->ai_addr, winner->ai_addrlen);
++		passert(sa.sa.sa.sa_family == winner->ai_family);
++		/* boneheaded getaddrinfo(3) leaves port field uninitialized */
++		if (winner->ai_family == AF_INET) {
++			sa.sa.sin.sin_port = 0;
++		} else if (winner->ai_family == AF_INET6) {
++			sa.sa.sin6.sin6_port = 0;
++		} else {
++			bad_case(winner->ai_family);
+ 		}
++		err = sockaddr_to_address_port(sa, dst, &mbz);
++		passert(hport(mbz) == 0);
+ 	}
+ 
+-	/*
+-	 * need a guarenteed null terminated string
+-	 */
+-	char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
+-	int suggested_af = afi == NULL ? AF_UNSPEC : afi->af;
+-	err_t v4err = NULL, v6err = NULL;
+-	if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET)) {
+-		err = v4err = tryname(name, AF_INET, suggested_af, dst);
+-	}
+-	if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET6)) {
+-		err = v6err = tryname(name, AF_INET6, suggested_af, dst);
+-	}
+-	/* prefer the IPv4 error */
+-	if (err != NULL && v4err != NULL) {
+-		err = v4err;
+-	}
++	freeaddrinfo(res);
+ 	pfree(name);
+ 	return err;
+ }

libreswan-4.4-ipcheck.patch

@@ -0,0 +1,494 @@
+diff --git a/testing/programs/ipcheck/Makefile b/testing/programs/ipcheck/Makefile
+index 4dae8336be..af77a9e9d8 100644
+--- a/testing/programs/ipcheck/Makefile
++++ b/testing/programs/ipcheck/Makefile
+@@ -41,4 +41,4 @@ include ../../../mk/program.mk
+ endif
+ 
+ local-check: $(PROGRAM)
+-	$(builddir)/$(PROGRAM)
++	$(builddir)/$(PROGRAM) --dns=yes
+diff --git a/testing/programs/ipcheck/ip_address_check.c b/testing/programs/ipcheck/ip_address_check.c
+index b80990302a..a84aadaf73 100644
+--- a/testing/programs/ipcheck/ip_address_check.c
++++ b/testing/programs/ipcheck/ip_address_check.c
+@@ -24,79 +24,76 @@
+ #include "ip_address.h"
+ #include "ipcheck.h"
+ 
+-static void check_shunk_to_address(void)
++static void check_ttoaddress_num(void)
+ {
+ 	static const struct test {
+ 		int line;
+ 		int family;
+ 		const char *in;
+ 		const char *str;
+-		bool requires_dns;
+ 	} tests[] = {
+ 
+ 		/* unset */
+-		{ LN, 0, "", NULL, false, },
++		{ LN, 0, "", NULL, },
+ 
+ 		/* any */
+-		{ LN, 4, "0.0.0.0", "0.0.0.0", false, },
+-		{ LN, 6, "::", "::", false, },
+-		{ LN, 6, "0:0:0:0:0:0:0:0", "::", false, },
++		{ LN, 4, "0.0.0.0", "0.0.0.0", },
++		{ LN, 6, "::", "::", },
++		{ LN, 6, "0:0:0:0:0:0:0:0", "::", },
+ 
+ 		/* local (zero's fill) */
+-		{ LN, 4, "127.1", "127.0.0.1", false, },
+-		{ LN, 4, "127.0.1", "127.0.0.1", false, },
+-		{ LN, 4, "127.0.0.1", "127.0.0.1", false, },
+-		{ LN, 6, "::1", "::1", false, },
+-		{ LN, 6, "0:0:0:0:0:0:0:1", "::1", false, },
++		{ LN, 4, "127.1", "127.0.0.1", },
++		{ LN, 4, "127.0.1", "127.0.0.1", },
++		{ LN, 4, "127.0.0.1", "127.0.0.1", },
++		{ LN, 6, "::1", "::1", },
++		{ LN, 6, "0:0:0:0:0:0:0:1", "::1", },
+ 
+ 		/* mask - and buffer overflow */
+-		{ LN, 4, "255.255.255.255", "255.255.255.255", false, },
+-		{ LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false, },
++		{ LN, 4, "255.255.255.255", "255.255.255.255", },
++		{ LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", },
+ 
+ 		/* all bytes */
+-		{ LN, 4, "1.2.3.4", "1.2.3.4", false, },
+-		{ LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", false, },
++		{ LN, 4, "1.2.3.4", "1.2.3.4", },
++		{ LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", },
+ 
+ 		/* last digit is a big num - see wikepedia */
+-		{ LN, 4, "127.254", "127.0.0.254", false, },
+-		{ LN, 4, "127.65534", "127.0.255.254", false, },
+-		{ LN, 4, "127.16777214", "127.255.255.254", false, },
++		{ LN, 4, "127.254", "127.0.0.254", },
++		{ LN, 4, "127.65534", "127.0.255.254", },
++		{ LN, 4, "127.16777214", "127.255.255.254", },
+ 		/* last digit overflow */
+-		{ LN, 4, "127.16777216", NULL, false, },
+-		{ LN, 4, "127.0.65536", NULL, false, },
+-		{ LN, 4, "127.0.0.256", NULL, false, },
++		{ LN, 4, "127.16777216", NULL, },
++		{ LN, 4, "127.0.65536", NULL, },
++		{ LN, 4, "127.0.0.256", NULL, },
+ 
+ 		/* suppress leading zeros - 01 vs 1 */
+-		{ LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", false, },
++		{ LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", },
+ 		/* drop leading 0:0: */
+-		{ LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", false, },
++		{ LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", },
+ 		/* drop middle 0:...:0 */
+-		{ LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", false, },
++		{ LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", },
+ 		/* drop trailing :0..:0 */
+-		{ LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", false, },
++		{ LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", },
+ 		/* drop first 0:..:0 */
+-		{ LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", false, },
++		{ LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", },
+ 		/* drop logest 0:..:0 */
+-		{ LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", false, },
++		{ LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", },
+ 		/* need two 0 */
+-		{ LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", false, },
+-
+-		{ LN, 4, "www.libreswan.org", "188.127.201.229", .requires_dns = true, },
++		{ LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", },
+ 
+ 		/* hex/octal */
+-		{ LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", false, },
+-		{ LN, 4, "0001.0002.0003.0004", "1.2.3.4", false, },
+-		{ LN, 4, "0x01020304", "1.2.3.4", false, },
++		{ LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", },
++		{ LN, 4, "0001.0002.0003.0004", "1.2.3.4", },
++		{ LN, 4, "0x01020304", "1.2.3.4", },
+ 
+ 		/* trailing garbage */
+-		{ LN, 4, "1.2.3.4.", NULL, false, },
+-		{ LN, 4, "1.2.3.4a", NULL, false, },
+-		{ LN, 4, "1.2.3.0a", NULL, false, },
++		{ LN, 4, "1.2.3.4.", NULL, },
++		{ LN, 4, "1.2.3.4a", NULL, },
++		{ LN, 4, "1.2.3.0a", NULL, },
+ 
+ 		/* bad digits */
+-		{ LN, 4, "256.2.3.4", NULL, false, },
+-		{ LN, 4, "0008.2.3.4", NULL, false, },
+-		{ LN, 4, "0x0g.2.3.4", NULL, false, },
++		{ LN, 4, "256.2.3.4", NULL, },
++		{ LN, 4, "0008.2.3.4", NULL, },
++		{ LN, 4, "0x0g.2.3.4", NULL, },
+ 
+ 	};
+ 
+@@ -104,66 +101,146 @@ static void check_shunk_to_address(void)
+ 
+ 	for (size_t ti = 0; ti < elemsof(tests); ti++) {
+ 		const struct test *t = &tests[ti];
+-		PRINT("%s '%s' -> str: '%s' dns: %s", pri_family(t->family), t->in,
+-		      t->str == NULL ? "ERROR" : t->str,
+-		      bool_str(t->requires_dns));
+-
+-		ip_address tmp, *address = &tmp;
+-
+-		/* NUMERIC/NULL */
+ 
+-		FOR_EACH_THING(family, 0, t->family) {
++		/*
++		 * For each address, perform lookups:
++		 *
++		 * - first with a generic family and then with the
++		 *   specified family
++		 *
++		 * - first with ttoaddress_num() and then
++		 *   ttoaddress_dns() (but only when it should work)
++		 */
++
++		FOR_EACH_THING(family, 0, 4, 6) {
+ 			const struct ip_info *afi = IP_TYPE(family);
+-			err = ttoaddress_num(shunk1(t->in), afi, address);
+-			if (err != NULL) {
+-				if (t->str != NULL && !t->requires_dns) {
+-					FAIL("ttoaddress_num(%s, %s) unexpecedly failed: %s",
+-					     t->in, pri_family(family), err);
++			bool err_expected = (t->str == NULL || (family != 0 && family != t->family));
++
++			struct lookup {
++				const char *name;
++				err_t (*ttoaddress)(shunk_t, const struct ip_info *, ip_address *);
++				bool need_dns;
++			} lookups[] = {
++				{
++					"ttoaddress_num",
++					ttoaddress_num,
++					false,
++				},
++				{
++					"ttoaddress_dns",
++					ttoaddress_dns,
++					true,
++				},
++				{
++					.name = NULL,
++				},
++			};
++			for (struct lookup *lookup = lookups; lookup->name != NULL; lookup++) {
++
++				/*
++				 * Without DNS a
++				 * ttoaddress_dns() lookup of
++				 * a bogus IP address will go
++				 * into the weeds.
++				 */
++				bool skip = (lookup->need_dns && have_dns != DNS_YES);
++
++				PRINT("%s('%s', %s) -> '%s'%s",
++				      lookup->name, t->in, pri_family(family),
++				      err_expected ? "ERROR" : t->str,
++				      skip ? "; skipped as no DNS" : "");
++
++				if (skip) {
++					continue;
++				}
++
++				ip_address tmp, *address = &tmp;
++				err = lookup->ttoaddress(shunk1(t->in), afi, address);
++				if (err_expected) {
++					if (err == NULL) {
++						FAIL("%s(%s, %s) unexpecedly succeeded",
++						     lookup->name, t->in, pri_family(family));
++					}
++					PRINT("%s(%s, %s) returned: %s",
++					      lookup->name, t->in, pri_family(family), err);
++				} else if (err != NULL) {
++					FAIL("%s(%s, %s) unexpecedly failed: %s",
++					     lookup->name, t->in, pri_family(family), err);
+ 				} else {
+-					PRINT("ttoaddress_num(%s, %s) returned: %s",
+-					      t->in, pri_family(family), err);
++					CHECK_STR2(address);
+ 				}
+-			} else if (t->requires_dns) {
+-				FAIL("ttoaddress_num(%s, %s) unexpecedly parsed a DNS address",
+-				     t->in, pri_family(family));
+-			} else if (t->str == NULL) {
+-				FAIL("ttoaddress_num(%s, %s) unexpecedly succeeded",
+-				     t->in, pri_family(family));
+-			} else {
+-				CHECK_TYPE(address);
+ 			}
+ 		}
++	}
++}
++
++static void check_ttoaddress_dns(void)
++{
++	static const struct test {
++		int line;
++		int family;
++		const char *in;
++		const char *str;
++		bool need_dns;
++	} tests[] = {
++
++		/* localhost is found in /etc/hosts on all platforms */
++		{ LN, 0, "localhost", "127.0.0.1", false, },
++		{ LN, 4, "localhost", "127.0.0.1", false, },
++		{ LN, 6, "localhost", "::1",       false, },
++
++		{ LN, 0, "www.libreswan.org", "188.127.201.229", true, },
++		{ LN, 4, "www.libreswan.org", "188.127.201.229", true, },
++		{ LN, 6, "www.libreswan.org", "2a00:1190:c00a:f00::229", true, },
+ 
+-		/* DNS/TYPE */
++		{ LN, 0, "nowhere.libreswan.org", NULL, true, },
++		{ LN, 4, "nowhere.libreswan.org", NULL, true, },
++		{ LN, 6, "nowhere.libreswan.org", NULL, true, },
+ 
+-		if (t->requires_dns && !use_dns) {
+-			PRINT("skipping dns_hunk_to_address(type) -- no DNS");
++	};
++
++	err_t err;
++
++	for (size_t ti = 0; ti < elemsof(tests); ti++) {
++		const struct test *t = &tests[ti];
++		const struct ip_info *afi = IP_TYPE(t->family);
++		bool skip = (have_dns == DNS_NO || (have_dns != DNS_YES && t->need_dns));
++
++		PRINT("%s '%s' -> str: '%s' lookup: %s%s",
++		      pri_family(t->family), t->in,
++		      t->str == NULL ? "ERROR" : t->str,
++		      (t->need_dns ? "DNS" : "/etc/hosts"),
++		      (skip ? "; skipped as no DNS" : ""));
++
++		if (skip) {
++			continue;
++		}
++
++		ip_address tmp, *address = &tmp;
++		err = ttoaddress_dns(shunk1(t->in), afi, address);
++		if (err != NULL) {
++			if (t->str != NULL) {
++				FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
++				     t->in, pri_family(t->family), err);
++			}
++			PRINT("ttoaddress_dns(%s, %s) failed as expected: %s",
++			      t->in, pri_family(t->family), err);
++		} else if (t->str == NULL) {
++			address_buf b;
++			FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded with %s",
++			     t->in, pri_family(t->family),
++			     str_address(address, &b));
+ 		} else {
+-			const struct ip_info *afi = IP_TYPE(t->family);
+-			err = ttoaddress_dns(shunk1(t->in), afi, address);
+-			if (err != NULL) {
+-				if (t->str != NULL) {
+-					FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
+-					     t->in, pri_family(t->family), err);
+-				} else {
+-					PRINT("ttoaddress_dns(%s, %s) returned: %s",
+-					      t->in, pri_family(t->family), err);
+-				}
+-			} else if (t->str == NULL) {
+-				FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded",
+-				     t->in, pri_family(t->family));
+-			} else {
++			address_buf b;
++			PRINT("ttoaddress_dns(%s, %s) succeeded with %s",
++			      t->in, pri_family(t->family),
++			      str_address(address, &b));
++			if (t->family != 0) {
+ 				CHECK_TYPE(address);
+ 			}
+-		}
+-
+-		/* now convert it back cooked */
+-		if (t->requires_dns && !use_dns) {
+-			PRINT("skipping str_*() -- no DNS");
+-		} else if (t->str != NULL) {
++			/* and back */
+ 			CHECK_STR2(address);
+ 		}
+-
+ 	}
+ }
+ 
+@@ -473,7 +550,8 @@ static void check_addresses_to(void)
+ 
+ void ip_address_check(void)
+ {
+-	check_shunk_to_address();
++	check_ttoaddress_num();
++	check_ttoaddress_dns();
+ 	check_str_address_sensitive();
+ 	check_str_address_reversed();
+ 	check_address_is();
+diff --git a/testing/programs/ipcheck/ip_info_check.c b/testing/programs/ipcheck/ip_info_check.c
+index a7553a6029..f1566f4607 100644
+--- a/testing/programs/ipcheck/ip_info_check.c
++++ b/testing/programs/ipcheck/ip_info_check.c
+@@ -31,10 +31,12 @@
+ 		/*hack*/const typeof(L##_tests[0]) *t = &L##_tests[tl];	\
+ 		/*hack*/size_t ti = tl;					\
+ 		const ip_##L *l = L##_tests[tl].L;			\
+-		if (l == NULL) continue;				\
++		if (l == NULL)						\
++			continue;					\
+ 		for (size_t tr = 0; tr < elemsof(R##_tests); tr++) {	\
+ 			const ip_##R *r = R##_tests[tr].R;		\
+-			if (r == NULL) continue;			\
++			if (r == NULL)					\
++				continue;				\
+ 			bool expected = false;				\
+ 			for (size_t to = 0; to < elemsof(L##_op_##R); to++) { \
+ 				const typeof(L##_op_##R[0]) *op = &L##_op_##R[to]; \
+diff --git a/testing/programs/ipcheck/ip_range_check.c b/testing/programs/ipcheck/ip_range_check.c
+index 256cf76c70..9f9a27db58 100644
+--- a/testing/programs/ipcheck/ip_range_check.c
++++ b/testing/programs/ipcheck/ip_range_check.c
+@@ -389,7 +389,7 @@ static void check_range_op_range(void)
+ 				FAIL("ttorange(%s) failed: %s", t->R, oops); \
+ 			}						\
+ 		} else {						\
+-			l = unset_range;				\
++			R = unset_range;				\
+ 		}
+ 		TT(l);
+ 		TT(r);
+diff --git a/testing/programs/ipcheck/ip_sockaddr_check.c b/testing/programs/ipcheck/ip_sockaddr_check.c
+index 538154b6e6..d9affb54f9 100644
+--- a/testing/programs/ipcheck/ip_sockaddr_check.c
++++ b/testing/programs/ipcheck/ip_sockaddr_check.c
+@@ -20,6 +20,8 @@
+ #include "ip_info.h"
+ #include "ip_protocol.h"
+ 
++#include "lswlog.h"		/* for DBG_dump_thing() */
++
+ #include "ipcheck.h"
+ 
+ static void check_sockaddr_as_endpoint(void)
+@@ -52,20 +54,25 @@ static void check_sockaddr_as_endpoint(void)
+ 		PRINT("%s '%s' -> '%s' len=%zd", pri_family(t->family), t->in, expect_out, t->size);
+ 
+ 		/* construct a raw sockaddr */
+-		ip_sockaddr sa = {
+-			.sa.sa = {
+-				.sa_family = SA_FAMILY(t->family),
+-			},
++		ip_sockaddr sa = {	
+ 			.len = t->size,
+ 		};
+ 		switch (t->family) {
+ 		case 4:
+ 			memcpy(&sa.sa.sin.sin_addr, t->addr, sizeof(sa.sa.sin.sin_addr));
++			sa.sa.sin.sin_family = AF_INET;
+ 			sa.sa.sin.sin_port = htons(t->port);
++#ifdef NEED_SIN_LEN
++                	sa.sa.sin.sin_len = sizeof(struct sockaddr_in);
++#endif
+ 			break;
+ 		case 6:
+ 			memcpy(&sa.sa.sin6.sin6_addr, t->addr, sizeof(sa.sa.sin6.sin6_addr));
++			sa.sa.sin6.sin6_family = AF_INET6;
+ 			sa.sa.sin6.sin6_port = htons(t->port);
++#ifdef NEED_SIN_LEN
++                	sa.sa.sin6.sin6_len = sizeof(struct sockaddr_in6);
++#endif
+ 			break;
+ 		}
+ 
+@@ -107,6 +114,8 @@ static void check_sockaddr_as_endpoint(void)
+ 					esa.len, sizeof(esa.sa));
+ 			} else if (!memeq(&esa.sa, &sa.sa, sizeof(esa.sa))) {
+ 				/* compare the entire buffer, not just size */
++				DBG_dump_thing("esa.sa", esa.sa);
++				DBG_dump_thing("sa.sa", sa.sa);
+ 				FAIL("endpoint_to_sockaddr() returned a different value");
+ 			}
+ 		} else {
+diff --git a/testing/programs/ipcheck/ipcheck.c b/testing/programs/ipcheck/ipcheck.c
+index ed13d1ed5c..8df45b5fd4 100644
+--- a/testing/programs/ipcheck/ipcheck.c
++++ b/testing/programs/ipcheck/ipcheck.c
+@@ -25,21 +25,37 @@
+ #include "lswtool.h"
+ 
+ unsigned fails;
+-bool use_dns = true;
++enum have_dns have_dns = DNS_NO;
+ 
+ int main(int argc, char *argv[])
+ {
+-	struct logger *logger = tool_init_log(argv[0]);
++	leak_detective = true;
+ 	log_ip = false; /* force sensitive */
++	struct logger *logger = tool_init_log(argv[0]);
++
++	if (argc != 2) {
++		fprintf(stderr, "usage: %s --dns={no,hosts-file,yes}\n", argv[0]);
++		return 1;
++	}
++
++	/* only one option for now */
++	const char *dns = argv[1];
++	if (!eat(dns, "--dns")) {
++		fprintf(stderr, "%s: unknown option '%s'\n",
++			argv[0], argv[1]);
++		return 1;
++	}
+ 
+-	for (char **argp = argv+1; argp < argv+argc; argp++) {
+-		if (streq(*argp, "--nodns")) {
+-			use_dns = false;
+-		} else {
+-			fprintf(stderr, "%s: unknown option '%s'\n",
+-				argv[0], *argp);
+-			return 1;
+-		}
++	if (streq(dns, "=no")) {
++		have_dns = DNS_NO;
++	} else if (streq(dns, "=hosts-file") || streq(dns, "")) {
++		have_dns = HAVE_HOSTS_FILE;
++	} else if (streq(dns, "=yes")) {
++		have_dns = DNS_YES;
++	} else {
++		fprintf(stderr, "%s: unknown --dns param '%s'\n",
++			argv[0], dns);
++		return 1;
+ 	}
+ 
+ 	ip_address_check();
+@@ -55,6 +71,10 @@ int main(int argc, char *argv[])
+ 	ip_port_range_check();
+ 	ip_cidr_check();
+ 
++	report_leaks(logger);
++		
++	
++
+ 	if (fails > 0) {
+ 		fprintf(stderr, "TOTAL FAILURES: %d\n", fails);
+ 		return 1;
+diff --git a/testing/programs/ipcheck/ipcheck.h b/testing/programs/ipcheck/ipcheck.h
+index 7e7c2a284b..5cfdbf05f7 100644
+--- a/testing/programs/ipcheck/ipcheck.h
++++ b/testing/programs/ipcheck/ipcheck.h
+@@ -44,7 +44,7 @@ extern void ip_cidr_check(void);
+  */
+ 
+ extern unsigned fails;
+-extern bool use_dns;
++extern enum have_dns { DNS_NO, HAVE_HOSTS_FILE, DNS_YES, } have_dns;
+ 
+ #define pri_family(FAMILY) ((FAMILY) == 0 ? "0" :	\
+ 			    (FAMILY) == 4 ? "IPv4" :	\

libreswan-4.5-openssl3.patch

@@ -0,0 +1,88 @@
+From 88b96bba93c97546bd1b7ccdfb1b805d4b209037 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 11 Jan 2022 11:03:37 +0100
+Subject: [PATCH] libreswan-4.5-openssl3.patch
+
+---
+ programs/pluto/ikev2_ipseckey.h      | 7 +------
+ programs/pluto/ikev2_ipseckey_dnsr.c | 7 ++++++-
+ programs/pluto/ikev2_ipseckey_dnsr.h | 8 ++++++++
+ 3 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/programs/pluto/ikev2_ipseckey.h b/programs/pluto/ikev2_ipseckey.h
+index a1441b0..d364483 100644
+--- a/programs/pluto/ikev2_ipseckey.h
++++ b/programs/pluto/ikev2_ipseckey.h
+@@ -1,4 +1,5 @@
+ #include "state.h"
++#include "ikev2_ipseckey_dnsr.h" /* for dns_status */
+ 
+ #ifndef _IKEV2_IPSECKEY_H
+ #define _IKEV2_IPSECKEY_H
+@@ -11,12 +12,6 @@
+ 
+ #define IS_LIBUNBOUND LSW_LIBUNBOUND_ENABLED
+ 
+-typedef enum {
+-	DNS_OK = STF_OK,
+-	DNS_FATAL = STF_FATAL,
+-	DNS_SUSPEND = STF_SUSPEND,
+-} dns_status;
+-
+ dns_status responder_fetch_idi_ipseckey(struct ike_sa *ike,
+ 					stf_status (*callback)(struct ike_sa *ike,
+ 							       struct msg_digest *md,
+diff --git a/programs/pluto/ikev2_ipseckey_dnsr.c b/programs/pluto/ikev2_ipseckey_dnsr.c
+index be7f20a..60a4b7d 100644
+--- a/programs/pluto/ikev2_ipseckey_dnsr.c
++++ b/programs/pluto/ikev2_ipseckey_dnsr.c
+@@ -19,6 +19,12 @@
+  * for more details.
+  */
+ 
++/* This file has been split from ikev2_ipseckey.c to avoid macro
++ * conflicts between NSS headers and OpenSSL 3.0 headers (included
++ * through <ldns/ldns.h>. Therefore, this file should not include
++ * internal headers that depends on NSS headers.
++ */
++
+ #ifndef USE_DNSSEC
+ # error this file should only be compiled when DNSSEC is defined
+ #endif
+@@ -30,7 +36,6 @@
+ #include <unbound.h>
+ #include "unbound-event.h"
+ #include "dnssec.h"    /* includes unbound.h */
+-#include "ikev2_ipseckey.h" /* for dns_status */
+ #include "ikev2_ipseckey_dnsr.h"
+ 
+ struct p_dns_req *pluto_dns_list = NULL; /* DNS queries linked list */
+diff --git a/programs/pluto/ikev2_ipseckey_dnsr.h b/programs/pluto/ikev2_ipseckey_dnsr.h
+index f73febe..27404ae 100644
+--- a/programs/pluto/ikev2_ipseckey_dnsr.h
++++ b/programs/pluto/ikev2_ipseckey_dnsr.h
+@@ -3,6 +3,12 @@
+ #ifndef _IKEV2_IPSECKEY_DNSR_H
+ #define _IKEV2_IPSECKEY_DNSR_H
+ 
++typedef enum {
++	DNS_OK = STF_OK,
++	DNS_FATAL = STF_FATAL,
++	DNS_SUSPEND = STF_SUSPEND,
++} dns_status;
++
+ struct p_dns_req;
+ 
+ typedef void dnsr_cb_fn(struct p_dns_req *);
+@@ -23,6 +29,8 @@ typedef void dnsr_pubkeys_cb_fn(struct p_dns_req *dnsr,
+ typedef void dnsr_validate_address_cb_fn(struct p_dns_req *dnsr,
+ 					 unsigned char *addr);
+ 
++struct ike_sa;
++
+ struct p_dns_req {
+ 	dns_status dns_status;
+ 
+-- 
+2.31.1
+

libreswan-4.6-ikev1-policy-defaults-to-drop.patch

@@ -0,0 +1,63 @@
+From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 7 Jan 2022 18:36:47 -0500
+Subject: [PATCH] ikev1-policy defaults to drop
+
+IKEv2 has been available for 16 years (RFC 4306 was published December
+2005).  At some point, we should be discouraging IKEv1 adoption.
+
+To the extent that a user needs IKEv1, they can manually add
+ikev1-policy=accept to /etc/ipsec.conf.
+---
+ configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
+ include/ipsecconf/keywords.h          | 2 +-
+ lib/libipsecconf/confread.c           | 1 +
+ programs/pluto/server.c               | 5 -----
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
+index 17d1747e3b..3bd6702564 100644
+--- a/configs/d.ipsec.conf/ikev1-policy.xml
++++ b/configs/d.ipsec.conf/ikev1-policy.xml
+@@ -3,9 +3,10 @@
+   <listitem>
+ <para>
+ What to do with received IKEv1 packets. Valid options are
+-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
+-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
+-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
++<emphasis remap='B'>drop</emphasis> (default) which will silently drop
++any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
++<emphasis remap='B'>reject</emphasis> which will reply with an error.
++If this option is set to drop or reject, an attempt to load an
+ IKEv1 connection will fail, as these connections would never be able to receive a packet
+ for processing.
+ </para>
+diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
+index 660847733c..31b519242a 100644
+--- a/include/ipsecconf/keywords.h
++++ b/include/ipsecconf/keywords.h
+@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
+ 
+ 	KBF_LISTEN_TCP,		/* listen on TCP port 4500 - default no */
+ 	KBF_LISTEN_UDP,		/* listen on UDP port 500/4500 - default yes */
+-	KBF_GLOBAL_IKEv1,	/* global ikev1 policy - default accept */
++	KBF_GLOBAL_IKEv1,	/* global ikev1 policy - default drop */
+ 	KBF_ROOF
+ };
+ 
+diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
+index 5b5aba723f..68fbccf442 100644
+--- a/lib/libipsecconf/confread.c
++++ b/lib/libipsecconf/confread.c
+@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
+ 	/* Don't inflict BSI requirements on everyone */
+ 	SOPT(KBF_SEEDBITS, 0);
+ 	SOPT(KBF_DROP_OPPO_NULL, false);
++	SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
+ 
+ #ifdef HAVE_LABELED_IPSEC
+ 	SOPT(KBF_SECCTX, SECCTX);
+-- 
+2.34.1
+

libreswan-4.6-openssl3.patch

@@ -0,0 +1,52 @@
+From 0212bc6a7c0ac3aa5d8da82bf22132993d339ffc Mon Sep 17 00:00:00 2001
+From: Paul Wouters <paul.wouters@aiven.io>
+Date: Thu, 13 Jan 2022 15:31:50 -0500
+Subject: [PATCH] building: fix fedora rawhide build
+
+Avoid clashing openssl/nss headers
+
+Patch based on work by Daiki Ueno <dueno@redhat.com>
+
+Resolves: https://github.com/libreswan/libreswan/pull/611
+---
+ programs/pluto/ikev2_ipseckey.h      | 4 ++--
+ programs/pluto/ikev2_ipseckey_dnsr.c | 4 +++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/programs/pluto/ikev2_ipseckey.h b/programs/pluto/ikev2_ipseckey.h
+index 243e5b1776..5ef3f966ec 100644
+--- a/programs/pluto/ikev2_ipseckey.h
++++ b/programs/pluto/ikev2_ipseckey.h
+@@ -1,5 +1,3 @@
+-#include "state.h"
+-
+ #ifndef _IKEV2_IPSECKEY_H
+ #define _IKEV2_IPSECKEY_H
+ 
+@@ -11,6 +9,8 @@
+ 
+ #define IS_LIBUNBOUND LSW_LIBUNBOUND_ENABLED
+ 
++struct ike_sa;
++
+ typedef enum {
+ 	DNS_OK = STF_OK,
+ 	DNS_FATAL = STF_FATAL,
+diff --git a/programs/pluto/ikev2_ipseckey_dnsr.c b/programs/pluto/ikev2_ipseckey_dnsr.c
+index b07ed72f2b..09767bf65d 100644
+--- a/programs/pluto/ikev2_ipseckey_dnsr.c
++++ b/programs/pluto/ikev2_ipseckey_dnsr.c
+@@ -32,7 +32,9 @@
+ #include "dnssec.h"    /* includes unbound.h */
+ #include "ikev2_ipseckey.h" /* for dns_status */
+ #include "ikev2_ipseckey_dnsr.h"
+-#include "secrets.h"
++
++/* Do not include secrets.h as it will cause conflicts via NSS/OPENSSL headers */
++extern const struct pubkey_type pubkey_type_rsa;
+ 
+ struct p_dns_req *pluto_dns_list = NULL; /* DNS queries linked list */
+ 
+-- 
+2.31.1
+

libreswan-4.9-cve-2023-23009.patch

@@ -0,0 +1,84 @@
+From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001
+From: Paul Wouters <paul.wouters@aiven.io>
+Date: Tue, 28 Feb 2023 11:24:22 -0500
+Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads
+ CVE-2023-23009
+
+Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009
+---
+ programs/pluto/ikev2_ts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
+index 3f7519ca38..f06c40ba46 100644
+--- a/programs/pluto/ikev2_ts.c
++++ b/programs/pluto/ikev2_ts.c
+@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
+ 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
+ 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
+ 
++		if (d != NULL) {
++			llog_diag(RC_LOG, logger, &d, "%s", "");
++			return false;
++		}
++
+ 		switch (ts_h.isath_type) {
+ 		case IKEv2_TS_IPV4_ADDR_RANGE:
+ 		case IKEv2_TS_IPV6_ADDR_RANGE:
+-- 
+2.39.2
+
+
+From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Tue, 28 Feb 2023 14:10:44 -0500
+Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted
+
+fix #1018 reported by Wolfgang.
+see also ecb9c88910df1fb070488835bf3180096f3ccba3:
+IKEv1: Remove all IPsec SA's of a connection when newest SA is removed.
+---
+ programs/pluto/ikev1_main.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
+index a616c5ccf3..21765d4002 100644
+--- a/programs/pluto/ikev1_main.c
++++ b/programs/pluto/ikev1_main.c
+@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md,
+ 						  ntohl(spi));
+ 				}
+ 
+-				struct connection *rc = dst->st_connection;
++				/* save for post delete_state() code */
++				co_serial_t rc_serialno = dst->st_connection->serialno;
+ 
+ 				if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) {
+ 					nat_traversal_change_port_lookup(md, dst);
+ 					v1_maybe_natify_initiator_endpoints(st, HERE);
+ 				}
+ 
+-				if (rc->newest_ipsec_sa == dst->st_serialno &&
+-					(rc->policy & POLICY_UP)) {
++				if (dst->st_connection->newest_ipsec_sa == dst->st_serialno &&
++				    (dst->st_connection->policy & POLICY_UP)) {
+ 					/*
+ 					 * Last IPsec SA for a permanent
+ 					 * connection that we have initiated.
+@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md,
+ 						md->v1_st = NULL;
+ 				}
+ 
+-				if (rc->newest_ipsec_sa == SOS_NOBODY) {
++				/*
++				 * Either .newest_ipsec_sa matches DST
++				 * and is cleared, or was never set.
++				 */
++				struct connection *rc = connection_by_serialno(rc_serialno);
++				if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) {
+ 					dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name);
+ 					rc->policy &= ~POLICY_UP;
+ 					if (!shared_phase1_connection(rc)) {
+-- 
+2.39.2
+

libreswan-4.9-cve-2023-30570.patch

@@ -0,0 +1,129 @@
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index e0615323ed..401618b6dd 100644
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md)
+ 	struct state *st = NULL;
+ 	enum state_kind from_state = STATE_UNDEFINED;   /* state we started in */
+ 
++	/*
++	 * For the initial responses, don't leak the responder's SPI.
++	 * Hence the use of send_v1_notification_from_md().
++	 *
++	 * AGGR mode is a mess in that the R0->R1 transition happens
++	 * well before the transition succeeds.
++	 */
+ #define SEND_NOTIFICATION(t)						\
+ 	{								\
+ 		pstats(ikev1_sent_notifies_e, t);			\
+-		if (st != NULL)						\
++		if (st != NULL &&					\
++		    st->st_state->kind != STATE_AGGR_R0 &&		\
++		    st->st_state->kind != STATE_AGGR_R1 &&		\
++		    st->st_state->kind != STATE_MAIN_R0)		\
+ 			send_v1_notification_from_state(st, from_state, t); \
+ 		else							\
+ 			send_v1_notification_from_md(md, t);		\
+@@ -1168,17 +1178,26 @@ void process_v1_packet(struct msg_digest *md)
+ 			from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ?
+ 				      STATE_MAIN_R0 : STATE_AGGR_R0);
+ 		} else {
+-			/* not an initial message */
++			/*
++			 * Possibly not an initial message.  Possibly
++			 * from initiator.  Possibly from responder.
++			 *
++			 * Possibly.  Which is probably hopeless.
++			 */
+ 
+ 			st = find_state_ikev1(&md->hdr.isa_ike_spis,
+ 					      md->hdr.isa_msgid);
+ 
+ 			if (st == NULL) {
+ 				/*
+-				 * perhaps this is a first message
++				 * Perhaps this is a first message
+ 				 * from the responder and contains a
+ 				 * responder cookie that we've not yet
+ 				 * seen.
++				 *
++				 * Perhaps this is a random message
++				 * with a bogus non-zero responder IKE
++				 * SPI.
+ 				 */
+ 				st = find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi,
+ 							   md->hdr.isa_msgid);
+@@ -1189,6 +1208,21 @@ void process_v1_packet(struct msg_digest *md)
+ 					/* XXX Could send notification back */
+ 					return;
+ 				}
++				if (st->st_state->kind == STATE_AGGR_R0) {
++					/*
++					 * The only way for this to
++					 * happen is for the attacker
++					 * to guess the responder's
++					 * IKE SPI that hasn't been
++					 * sent over the wire?
++					 *
++					 * Well that or played 1/2^32
++					 * odds.
++					 */
++					llog_pexpect(md->md_logger, HERE,
++						     "phase 1 message matching AGGR_R0 state");
++					return;
++				}
+ 			}
+ 			from_state = st->st_state->kind;
+ 		}
+@@ -2870,7 +2904,28 @@ void complete_v1_state_transition(struct state *st, struct msg_digest *md, stf_s
+ 			delete_state(st);
+ 			/* wipe out dangling pointer to st */
+ 			md->v1_st = NULL;
++		} else if  (st->st_state->kind == STATE_AGGR_R0 ||
++			    st->st_state->kind == STATE_AGGR_R1 ||
++			    st->st_state->kind == STATE_MAIN_R0) {
++			/*
++			 *
++			 * Wipe out the incomplete larval state.
++			 *
++			 * ARGH! In <=v4.10, the aggr code flipped the
++			 * larval state to R1 right at the start of
++			 * the transition and not the end, so using
++			 * state to figure things out is close to
++			 * useless.
++			 *
++			 * Deleting the state means that pluto has no
++			 * way to detect and ignore amplification
++			 * attacks.
++			 */
++			delete_state(st);
++			/* wipe out dangling pointer to st */
++			md->v1_st = NULL;
+ 		}
++
+ 		break;
+ 	}
+ 	}
+diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c
+index 2732951beb..87be80cb6c 100644
+--- a/programs/pluto/ikev1_aggr.c
++++ b/programs/pluto/ikev1_aggr.c
+@@ -169,7 +169,7 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED,
+ 	/* Set up state */
+ 	struct ike_sa *ike = new_v1_rstate(c, md);
+ 	md->v1_st = &ike->sa;  /* (caller will reset cur_state) */
+-	change_v1_state(&ike->sa, STATE_AGGR_R1);
++	change_v1_state(&ike->sa, STATE_AGGR_R0);
+ 
+ 	/*
+ 	 * Warn when peer is expected to use especially dangerous
+@@ -197,7 +197,8 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED,
+ 
+ 	if (!v1_decode_certs(md)) {
+ 		llog_sa(RC_LOG, ike, "X509: CERT payload bogus or revoked");
+-		return false;
++		/* XXX notification is in order! */
++		return STF_FAIL_v1N + v1N_INVALID_ID_INFORMATION;
+ 	}
+ 
+ 	/*

libreswan.spec

@@ -3,64 +3,55 @@
 %global with_efence 0
 %global with_development 0
 %global with_cavstests 1
-# minimum version for support for rhbz#1651314
-# should prob update for nss with IKEv1 quick mode support
-%global nss_version 3.53.1
+%global nss_version 3.52
 %global unbound_version 1.6.6
+# Libreswan config options
 %global libreswan_config \\\
     FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
     FINALMANDIR=%{_mandir} \\\
-    FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
-    INITSYSTEM=systemd \\\
-    NSS_HAS_IPSEC_PROFILE=true \\\
-    NSS_REQ_AVA_COPY=false \\\
     PREFIX=%{_prefix} \\\
+    INITSYSTEM=systemd \\\
     PYTHON_BINARY=%{__python3} \\\
     SHELL_BINARY=%{_bindir}/sh \\\
     USE_DNSSEC=true \\\
-    USE_FIPSCHECK=false \\\
     USE_LABELED_IPSEC=true \\\
     USE_LDAP=true \\\
     USE_LIBCAP_NG=true \\\
     USE_LIBCURL=true \\\
     USE_LINUX_AUDIT=true \\\
     USE_NM=true \\\
-    USE_NSS_KDF=true \\\
+    USE_NSS_IPSEC_PROFILE=true \\\
     USE_SECCOMP=true \\\
     USE_AUTHPAM=true \\\
-    USE_DH2=true \\\
 %{nil}
 
-#global prever rc1
+#global prever dr1
 
 Name: libreswan
-Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
+Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
-Version: 4.12
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.4
+Version: 4.15
+Release: %{?prever:0.}4%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
-
-Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
+Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
 %if 0%{with_cavstests}
 Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
-
-Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
-Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
-Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
-Patch6: libreswan-4.3-1934186-config.patch
-Patch7: libreswan-4.9-2176248-authby-rsasig.patch
-Patch8: libreswan-4.12-ikev2-auth-delete-state.patch
-Patch9: libreswan-4.12-ikev1-compute-keymat-default.patch
+Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
+Patch: libreswan-4.15-ondemand-tcp.patch
+Patch: libreswan-4.15-netlink-extack.patch
+Patch: libreswan-4.15-whack-fd-refcount.patch
+Patch: libreswan-4.15-create-child-sa-race-condition.patch
 
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
 BuildRequires: flex
 BuildRequires: gcc make
+BuildRequires: hostname
 BuildRequires: ldns-devel
 BuildRequires: libcap-ng-devel
 BuildRequires: libevent-devel
@@ -68,12 +59,10 @@ BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
 BuildRequires: nspr-devel
 BuildRequires: nss-devel >= %{nss_version}
-BuildRequires: nss-tools
+BuildRequires: nss-tools >= %{nss_version}
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig
-BuildRequires: hostname
-BuildRequires: redhat-rpm-config
 BuildRequires: systemd-devel
 BuildRequires: unbound-devel >= %{unbound_version}
 BuildRequires: xmlto
@@ -92,7 +81,7 @@ Requires(preun): systemd
 Requires(postun): systemd
 
 %description
-Libreswan is a free implementation of IKE/IPsec for Linux.  IPsec is
+Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
 the Internet Protocol Security and uses strong cryptography to provide
 both authentication and encryption services.  These services allow you
 to build secure tunnels through untrusted networks.  Everything passing
@@ -109,19 +98,9 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 
 %prep
 %setup -q -n libreswan-%{version}%{?prever}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-
-# linking to freebl is not needed
-sed -i "s/-lfreebl //" mk/config.mk
-
 # enable crypto-policies support
 sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
+%autopatch -p1
 
 %build
 make %{?_smp_mflags} \
@@ -130,20 +109,21 @@ make %{?_smp_mflags} \
 %else
     OPTIMIZE_CFLAGS="%{optflags}" \
 %endif
+    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
 %if 0%{with_efence}
     USE_EFENCE=true \
 %endif
-    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers" \
-    USERLINK="%{?__global_ldflags}" \
+    USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -flto --no-lto" \
     %{libreswan_config} \
     programs
 FS=$(pwd)
 
+
 %install
 make \
-  DESTDIR=%{buildroot} \
-  %{libreswan_config} \
-  install
+    DESTDIR=%{buildroot} \
+    %{libreswan_config} \
+    install
 FS=$(pwd)
 rm -rf %{buildroot}/usr/share/doc/libreswan
 rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
@@ -153,10 +133,10 @@ install -d %{buildroot}%{_sbindir}
 
 install -d %{buildroot}%{_sysconfdir}/sysctl.d
 install -m 0644 packaging/fedora/libreswan-sysctl.conf \
-  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+    %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
 
 echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
-     > %{buildroot}%{_sysconfdir}/ipsec.secrets
+    > %{buildroot}%{_sysconfdir}/ipsec.secrets
 rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
 
 %if 0%{with_cavstests}
@@ -177,6 +157,7 @@ bunzip2 *.fax.bz2
 %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
     diff -u ikev1_psk.fax - > /dev/null
 : CAVS tests passed
+%endif
 
 # Some of these tests will show ERROR for negative testing - it will exit on real errors
 %{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
@@ -189,8 +170,6 @@ certutil -N -d sql:$tmpdir --empty-password
 %{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
 : pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
 
-%endif
-
 %post
 %systemd_post ipsec.service
 
@@ -210,175 +189,215 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
 %attr(0755,root,root) %dir %{_rundir}/pluto
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
 %config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
-%attr(0644,root,root) %doc %{_mandir}/*/*
+%doc %{_mandir}/*/*
 
 %changelog
-* Thu Jun  6 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.4
-- Fix CVE-2024-3652 (RHEL-32482)
+* Tue Nov 12 2024 Daiki Ueno <dueno@redhat.com> - 4.15-4
+- pluto: fix refcounting of whack FD at CREATE_CHILD_SA request (RHEL-61461)
+- pluto: ignore CREATE_CHILD_SA request if crypto is in progress (RHEL-61461)
 
-* Wed Apr 17 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.3
-- Bump release to ensure el8 package is greater than el8_* packages
+* Tue Aug  6 2024 Daiki Ueno <dueno@redhat.com> - 4.15-3
+- Fix release number
 
-* Tue Apr 16 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.2
-- Fix patch application in the previous change
+* Tue Aug  6 2024 Daiki Ueno <dueno@redhat.com> - 4.15-2
+- Fix auto=ondemand connection initialization with TCP (RHEL-51879)
+- Make use of Netlink extack for additional error reporting (RHEL-51881)
 
-* Mon Apr 15 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.1
-- Fix CVE-2024-2357 (RHEL-28742)
+* Tue Jul 30 2024 Daiki Ueno <dueno@redhat.com> - 4.15-1
+- Update to 4.15 (RHEL-50006)
 
-* Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
-- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy
+* Thu Jul 11 2024 Daiki Ueno <dueno@redhat.com> - 4.12-4
+- Bump release to synchronize with el9_5 package
+
+* Wed Jun  5 2024 Daiki Ueno <dueno@redhat.com> - 4.12-3
+- Fix CVE-2024-3652 (RHEL-32483)
+
+* Thu Apr 11 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2
+- Fix CVE-2024-2357 (RHEL-28743)
+- x509: unpack IPv6 general names based on length (RHEL-32720)
 
 * Wed Aug  9 2023 Daiki Ueno <dueno@redhat.com> - 4.12-1
 - Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
-- Resolves: rhbz#2215955
+- Resolves: rhbz#2215956
 
-* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-2
-- Fix CVE-2023-30570 Malicious IKEv1 Aggressive Mode packets can crash libreswan
-- Resolves: rhbz#2187179
+* Fri May 05 2023 Sahana Prasad <sahana@redhat.com> - 4.9-5
+- Just bumping up the version to include bugs for CVE-2023-2295. There is no
+  code fix for it. Fix for it is including the code fix for CVE-2023-30570.
+- Fix CVE-2023-2295 Regression of CVE-2023-30570 fixes in the
+  Red Hat Enterprise Linux
+- Resolves: rhbz#2189777, rhbz#2190148
 
-* Mon Jan  9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
-- Resolves: rhbz#2128672 Rebase libreswan to 4.9
-- Remove libreswan-4.4-ikev1-disable-diagnostics.patch no longer necessary
+* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-4
+- Just bumping up the version as an incorrect 9.3 build was created.
+- Related: rhbz#2187171
 
-* Thu Jan 13 2022 Daiki Ueno <dueno@redhat.com> - 4.5-1
-- Resolves: rhbz#2017352 Rebase libreswan to 4.5
-- Resolves: rhbz#2036903 ikev1: disable diagnostics logging on receiving malformed packets
+* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-3
+- Fix CVE-2023-30570:Malicious IKEv1 Aggressive Mode packets can crash
+  libreswan
+- Resolves: rhbz#2187171
 
-* Wed May 26 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1
-- Resolves: rhbz#1958968 Rebase libreswan to 4.4
-- Resolves: rhbz#1954423 Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers
+* Tue Apr  4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2
+- Fix CVE-2023-23009: remote DoS via crafted TS payload with an
+  incorrect selector length (rhbz#2173674)
 
-* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
-- Resolves: rhbz#1933064 - IKEv2 support for Labeled IPsec
-- Resolves: rhbz#1935150 RFE: Support IKE and ESP over TCP: RFC 8229
-- Resolves: rhbz#1935339 virtual_private setting is missing in the default config
+* Wed Jan  4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
+- Update to 4.9. Resolves: rhbz#2128669
+- Switch to using %%autopatch as in Fedora
 
-* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
-- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
+* Wed Feb  2 2022 Daiki Ueno <dueno@redhat.com> - 4.6-3
+- Drop IKEv1 packets by default, based on the Debian patch
+  by Daniel Kahn Gillmor (rhbz#2039877)
 
-* Thu Feb 04 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
-- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
-- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
+* Mon Jan 17 2022 Daiki Ueno <dueno@redhat.com> - 4.6-2
+- Related: rhbz#2017355 rebuild to reflect gating.yaml change
 
-* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
-- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
-- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
+* Mon Jan 17 2022 Daiki Ueno <dueno@redhat.com> - 4.6-1
+- Update to 4.6. Resolves: rhbz#2017355
 
-* Wed Jul 29 2020 Paul Wouters <pwouters@redhat.com> - 3.32-6
-- Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss
+* Mon Jan 10 2022 Daiki Ueno <dueno@redhat.com> - 4.5-1
+- Update to 4.5. Resolves: rhbz#2017355
 
-* Wed Jul 22 2020 Paul Wouters <pwouters@redhat.com> - 3.32-5
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [rebuild for USE_NSS_PRF]
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.4-3.1
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Wed Jul 01 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
-- Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled
+* Wed Jul 21 2021 Daiki Ueno <dueno@redhat.com> - 4.4-3
+- Backport removal gethostbyname2 uses from the upstream
+- Fix issues spotted by covscan (rhbz#1938784)
 
-* Wed Jun 17 2020 Paul Wouters <pwouters@redhat.com> - 3.32-3
-- Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script
-- Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly
-- Resolves: rhbz#1840212 protect libreswan against unannounced nss ABI change
+* Tue Jul 13 2021 Daiki Ueno <dueno@redhat.com> - 4.4-2
+- Rebuild with newer GCC to fix annocheck failures
 
-* Thu Jun 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [addconn fix]
+* Thu Jul  1 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1
+- Update to 4.4. Resolves: rhbz#1975812
+- Port compiler warning suppression by Paul Wouters:
+  https://src.fedoraproject.org/rpms/libreswan/c/8d7f98d41444ac77c562f735b4b93038f5346ce2?branch=rawhide
 
-* Thu Apr 30 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32
-- Resolves: rhbz#1816265 Use NSS to check whether FIPS mode is enabled
-- Resolves: rhbz#1826337 libreswan in FIPS mode rejects ECDSA keys based on faulty RSA key size check being applied
+* Thu Jun 24 2021 Daiki Ueno <dueno@redhat.com> - 4.2-1.3
+- Fix FTBFS with OpenSSL 3.0 (rhbz#1975439)
 
-* Tue Aug 13 2019 Paul Wouters <pwouters@redhat.com> - 3.29-6
-- Resolves: rhbz#1714331 support NSS based IKE KDF's [require updated nss for rhbz 1738689, memleak fix]
+* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.2
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
 
-* Thu Aug 08 2019 Paul Wouters <pwouters@redhat.com> - 3.29-5
-- Resolves: rhbz#1714331 support NSS based IKE KDF's so libreswan does not need FIPS certification
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.1
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Thu Aug 01 2019 Paul Wouters <pwouters@redhat.com> - 3.29-4
-- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
+* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
+- Update to 4.2
 
-* Thu Jul 04 2019 Paul Wouters <pwouters@redhat.com> - 3.29-3
-- Resolves: rhbz#1725205 XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Thu Jun 27 2019 Paul Wouters <pwouters@redhat.com> - 3.29-2
-- Resolves: rhbz#1723957 libreswan is missing linux audit calls for failed IKE SAs and failed IPsec SAs required for Common Criteria
+* Sat Dec 19 19:59:55 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.2-0.1.rc1
+- Resolves: rhbz#1867580 pluto process frequently dumps core
+  (disable USE_NSS_KDF until nss fixes have propagated)
+
+* Sat Dec 19 2020 Adam Williamson <awilliam@redhat.com> - 4.1-4
+- Rebuild for ldns soname bump
+
+* Mon Nov 23 11:50:41 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.1-3
+- Resolves: rhbz#1894381 Libreswan 4.1-2 breaks l2tp connection to Windows VPN server
+
+* Mon Oct 26 10:21:57 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-2
+- Resolves: rhbz#1889538 libreswan's /var/lib/ipsec/nss missing
+
+* Sun Oct 18 21:49:39 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
+- Updated to 4.1 - interop fix for Cisco
+
+* Thu Oct 15 10:27:14 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-1
+- Resolves: rhbz#1888448 libreswan-4.0 is available
+
+* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.2.rc1
+- Rebuild for libevent 2.1.12 with a soname bump
+
+* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.1.rc1
+- Updated to 4.0rc1
+
+* Thu Aug 27 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
+- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.2
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 3.32-3
+- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized
+  object
+
+* Tue May 26 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
+- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
+
+* Mon May 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
+- Resolves: rhbz#1809770 libreswan-3.32 is available
+
+* Tue Apr 14 2020 Paul Wouters <pwouters@redhat.com> - 3.31-2
+- Resolves: rhbz#1823823 Please drop the dependency on fipscheck
+
+* Tue Mar 03 2020 Paul Wouters <pwouters@redhat.com> - 3.31-1
+- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression)
+
+* Fri Feb 14 2020 Paul Wouters <pwouters@redhat.com> - 3.30-1
+- Resolves: rhbz#1802896 libreswan-3.30 is available
+- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32
+- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError:
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 09 2020 Paul Wouters <pwouters@redhat.com> - 3.29-2
+- _updown.netkey: fix syntax error in checking routes
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
 * Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1
-- Resolves: rhbz#1712555 libreswan rebase to 3.29
-
-* Tue May 28 2019 Paul Wouters <pwouters@redhat.com> - 3.28-2
-- Resolves: rhbz#1713734: barf: shell syntax error in barf diagnostic tool
+- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155
 
 * Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1
-- Resolves: rhbz#1712555 libreswan rebase to 3.28
-- Resolves: rhbz#1683706 Libreswan shows incorrect error messages
-- Resolves: rhbz#1706180 Remove last usage of old (unused) PF_KEY API
-- Resolves: rhbz#1677045 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart
-- Resolves: rhbz#1686990 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE
-- Resolves: rhbz#1608353 /usr/sbin/ipsec part of the libreswan packages still invokes commands that were deprecated a decade ago
-- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
-- Resolves: rhbz#1679394 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure
+- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312)
 
-* Thu Feb 21 2019 Paul Wouters <pwouters@redhat.com> - 3.27-9
-- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default [man page update]
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.27-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
-* Fri Feb 15 2019 Paul Wouters <pwouters@redhat.com> - 3.27-8
-- Resolves: rhbz#1664101 system wide crypto policies causing IKE_INIT packet fragmentation
-
-* Tue Feb 05 2019 Paul Wouters <pwouters@redhat.com> - 3.27-7
-- Resolves: rhbz#1671793 proessing ISAKMP_NEXT_D with additional payloads causes dangling pointer to deleted state
-
-* Fri Feb 01 2019 Paul Wouters <pwouters@redhat.com> - 3.27-6
-- Resolves: rhbz#1668342 SELinux prevents libreswan from using some outbound ports causing DNS resolution failures at connection at load time
-
-* Thu Jan 10 2019 Paul Wouters <pwouters@redhat.com> - 3.27-5
-- Resolves: rhbz#1664522 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits
-
-* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 3.27-4
-- Resolves: rhbz#1657846 libreswan no longer needs to provide openswan in rhel8
-- Resolves: rhbz#1643388 libreswan: Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth
-- Resolves: rhbz#1657854 remove userland support for deprecated KLIPS IPsec stack support
-
-* Sun Dec 09 2018 Paul Wouters <pwouters@redhat.com> - 3.27-3
-- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default
-
-* Thu Nov 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-2
-- Resolves: rhbz#1645137 Libreswan segfaults when it loads configuration file with more then 5 connections
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.27-1.1
+- Rebuilt for libcrypt.so.2 (#1666033)
 
 * Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1
-- Resolves: rhbz#1566574 Rebase to libreswan 3.27
+- Updated to 3.27 (various bugfixes)
+
+* Thu Sep 27 2018 Paul Wouters <pwouters@redhat.com> - 3.26-3
+- Add fedora python fixup for _unbound-hook
+
+* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-2
+- linking against freebl is no longer needed (and wasn't done in 3.25)
 
 * Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1
-- Resolves: rhbz#1566574 Rebase to libreswan 3.26
-- Resolves: rhbz#1527037 libreswan IPSEC implementation: should follow the policies of system-wide crypto policy
-- Resolves: rhbz#1375779 [IKEv2 Conformance] Test IKEv2.EN.R.1.1.6.7: Sending INVALID_KE_PAYLOAD failed
-- Resolves: rhbz#1085758 [TAHI][IKEv2] IKEv2.EN.I.1.2.1.1: Can't observe CREATE_CHILD_SA request for rekey
-- Resolves: rhbz#1053048 [TAHI][IKEv2] IKEv2.EN.I.1.2.4.1-7: libreswan doesn't sent CREATE_CHILD_SA after IKE_SA Lifetime timeout
+- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support)
 
-* Mon Aug 13 2018 Paul Wouters <pwouters@redhat.com> - 3.25-4
-- Resolves: rhbz#1590823 libreswan: Use Python 3 in RHEL 8
-
-* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.25-3.1
-- Rebuild for platform-python
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.25-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
-- Cleanup shebangs for python3
-- Use the same options via macro for make programs and make install
-- Remove old ifdefs
-- Sync up patches to new upstream version
-- Add Requires: for unbound-libs >= 1.6.6
-- Enable crypto-policies support
-- Make rundir world readable for easier permission granting for socket
+- Fix Opportunistic IPsec _unbound-hook argument parsing
+- Make rundir readable for all (so we can hand out permissions later)
 
-* Tue Jun 26 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.23-2.2
-- Make python shebangs point to python3
+* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
+- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
 
-* Fri Jun 22 2018 Troy Dawson <tdawson@redhat.com> - 3.23-2.1
-- Fix python shebangs (#1580773)
+* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
+- Updated to 3.25
 
 * Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
 - Support crypto-policies package
@@ -432,7 +451,7 @@ certutil -N -d sql:$tmpdir --empty-password
 - Remove support for /etc/sysconfig/pluto (use native systemd instead)
 
 * Thu May 05 2016 Paul Wouters <pwouters@redhat.com> - 3.17-2
-- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used 
+- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used
 
 * Thu Apr 07 2016 Paul Wouters <pwouters@redhat.com> - 3.17-1
 - Updated to 3.17 for CVE-2016-3071

sources

@@ -0,0 +1,4 @@
+SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
+SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
+SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e
+SHA512 (libreswan-4.15.tar.gz) = 49a60688bb4a5241dbd791bdde0c71ae80cfb7383bb841ea0788a9d0237569d7ad79e59985c700526e3807817ddae77ebd57521897526fbb8fb93ffbea631efe

tests/tests.yml

@@ -0,0 +1,14 @@
+# Tests for libreswan using NM's tests
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    repositories:
+    - repo: "https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci"
+      dest: "NetworkManager-ci"
+    tests:
+    - sanity-tests:
+        dir: NetworkManager-ci
+        run: run/osci/run-tests libreswan
+