Sync changes to SLFO-1.2 branch

- /usr/sbin/ipsec is deprecated since 5.2.0 and will be removed
  in the future.
- Update to release 6.0.0

OBS-URL: https://build.opensuse.org/request/show/1230634
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=98

harden_strongswan.service.patch

@@ -1,9 +1,13 @@
-Index: strongswan-5.9.5/init/systemd/strongswan.service.in
+---
+ init/systemd/strongswan.service.in |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+Index: strongswan-6.0.0/init/systemd/strongswan.service.in
 ===================================================================
---- strongswan-5.9.5.orig/init/systemd/strongswan.service.in
-+++ strongswan-5.9.5/init/systemd/strongswan.service.in
-@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
- After=network-online.target
+--- strongswan-6.0.0.orig/init/systemd/strongswan.service.in
++++ strongswan-6.0.0/init/systemd/strongswan.service.in
+@@ -4,6 +4,17 @@ After=network-online.target
+ Wants=network-online.target
  
  [Service]
 +# added automatically, for details please see

init.patch

@@ -0,0 +1,31 @@
+From c58507ff186ae9cf014c0b54082c8bf74aef3219 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Tue, 3 Dec 2024 21:56:33 +0100
+Subject: [PATCH] init: put strongswan-starter.service behind USE_FILE_CONFIG
+References: https://github.com/strongswan/strongswan/pull/2553
+
+stroke is no longer enabled by default, but the systemd unit
+still is copied on `make install`. Fix that.
+---
+ init/Makefile.am | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/init/Makefile.am b/init/Makefile.am
+index 54c090cea..824ebd695 100644
+--- a/init/Makefile.am
++++ b/init/Makefile.am
+@@ -3,9 +3,11 @@ SUBDIRS =
+ 
+ if USE_LEGACY_SYSTEMD
+ if USE_CHARON
++if USE_FILE_CONFIG
+   SUBDIRS += systemd-starter
+ endif
+ endif
++endif
+ 
+ if USE_SYSTEMD
+ if USE_SWANCTL
+-- 
+2.47.1
+

strongswan-5.9.14.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmX5cHAACgkQ30LBcLNN
-une5oAwAiNFc9r4zuuJ9+Qd3q4AYTiCa7g4j6OhneQwY7Y6fzYOROfKKDzPoDhwJ
-juU5vj+5d9yKVLEEueACCY2hM9cmAZL3mWMy5s86FmrNQcPRJ24cU19ZkyoxKGZ9
-8lvEtPzb5r5aTrdJnSu3rydGK7nSVysxA5ZyamviUndx1lWUkGYlz3lKMl8xm2qa
-QNCnBQiUcwm9mADl4txlxkCvSDPb1Ez7Y40K5lVTpKa/awaM9e9JuKXSgOJmBUBY
-C/E8pCzC8lENEoq5EZI/eV7VNwlc1ussqp2iSj0Nhy45cmXvCHpCIslkhPuReQzW
-nNDFbuMGiDzCvD2RNdi+l1z+74oLPFeC7663K2/VYMMobqwYVhdC4hg/PMOzDa1x
-L18Y7Pffna4gNa/jarx1U7fMFLW4c0q5DVvM8qoLtnc7Q9zFw4A+EU6i3sFa5EF+
-aVNbmHTIBXnf0YVoHmuOgjRH9kjjshnl/kSszOeW+wkoZzhuJkTzz/gllc9YWQNG
-y+PFcIVK
-=dVex
------END PGP SIGNATURE-----

strongswan-6.0.1.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmfPLskACgkQ30LBcLNN
+undnTgv/QKNJydFuLb5lmgU0TcbMJ+KXdUVA+b0phh+846mR4Ys4TGLqk1zmoA0e
+/l216xZeCDGzbGoZtZKJYzY+rwkB25hgjTXHOWcz6wPN4CzEA3szWLi6j+ZGQ40C
+JUUEy4m42iGJRQoSmWdLMrIxzWnPO4SViwZkMSiyRuUGMObRq4+utOIeK9Y8mw9x
+mrrzknvXKO7FUjErgY1a/CiZi2STGq9Ilz17LQ4uaIypTUj7Mfc2UJcAR3PdVaa9
+E6DW8wXYiDG9+RA9lGiEsSamciFaQDsA/MwT3Ys3zpr1o/24O39/CxscnUKFHgCN
+backowMyOykAhSXZf+tuGfPMWkYK5B3TO7vuJPpu9FXCkKJgKGCcoPb1IFDAxnkT
+F/hYsOrCNQrbJGKqNXiP+9RWa993p7B0y72bqbBSes2ciGpolIF1ZxDbHRHOejr/
+R9R/VE8UCiqFFuFmQJv4p9El+Ap6opuCLukmSb/XFsz3x59+elIwkN+k55Z0WTf8
+EPSTgay4
+=b+qt
+-----END PGP SIGNATURE-----

strongswan-gcc15-part1.patch

@@ -0,0 +1,416 @@
+From d5d2568ff0e88d364dadf50b67bf17050763cf98 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 16:45:57 +0100
+Subject: [PATCH] callback-job: Replace return_false() in constructors with
+ dedicated function
+
+Besides being clearer, this fixes issues with GCC 15.  The latter uses
+C23 by default, which changes the meaning of function declarations
+without parameters such as
+
+	bool return false();
+
+Instead of "this function takes an unknown number of arguments", this
+now equals (void), that is, "this function takes no arguments".  So we
+run into incompatible pointer type warnings all over when using such
+functions.  They could be cast to (void*) but this seems the cleaner
+solution for this use case.
+---
+ src/charon-cmd/cmd/cmd_connection.c                   |  2 +-
+ .../jni/libandroidbridge/backend/android_dns_proxy.c  |  2 +-
+ .../jni/libandroidbridge/backend/android_service.c    |  6 +++---
+ src/libcharon/network/receiver.c                      |  2 +-
+ src/libcharon/network/sender.c                        |  2 +-
+ .../plugins/bypass_lan/bypass_lan_listener.c          |  4 ++--
+ .../plugins/eap_radius/eap_radius_accounting.c        |  2 +-
+ src/libcharon/plugins/eap_radius/eap_radius_plugin.c  |  2 +-
+ src/libcharon/plugins/ha/ha_ctl.c                     |  2 +-
+ src/libcharon/plugins/ha/ha_dispatcher.c              |  2 +-
+ src/libcharon/plugins/ha/ha_segments.c                |  6 +++---
+ .../kernel_libipsec/kernel_libipsec_esp_handler.c     |  2 +-
+ .../plugins/kernel_libipsec/kernel_libipsec_router.c  |  2 +-
+ src/libcharon/plugins/smp/smp.c                       |  4 ++--
+ src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c   |  2 +-
+ src/libcharon/plugins/uci/uci_control.c               |  2 +-
+ src/libipsec/ipsec_event_relay.c                      |  2 +-
+ src/libipsec/ipsec_processor.c                        |  4 ++--
+ src/libpttls/pt_tls_dispatcher.c                      |  2 +-
+ src/libstrongswan/networking/streams/stream_service.c |  2 +-
+ src/libstrongswan/processing/jobs/callback_job.c      | 10 +++++++++-
+ src/libstrongswan/processing/jobs/callback_job.h      | 11 ++++++++++-
+ src/libstrongswan/processing/scheduler.c              |  3 ++-
+ src/libstrongswan/processing/watcher.c                |  4 ++--
+ src/libtls/tests/suites/test_socket.c                 |  2 +-
+ 25 files changed, 51 insertions(+), 33 deletions(-)
+
+diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c
+index 8e8d8236e52..e220e33a62a 100644
+--- a/src/charon-cmd/cmd/cmd_connection.c
++++ b/src/charon-cmd/cmd/cmd_connection.c
+@@ -585,7 +585,7 @@ cmd_connection_t *cmd_connection_create()
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio(
+ 			(callback_job_cb_t)initiate, this, NULL,
+-			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c
+index e79d5974409..480d1d622d5 100644
+--- a/src/libcharon/network/receiver.c
++++ b/src/libcharon/network/receiver.c
+@@ -737,7 +737,7 @@ receiver_t *receiver_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c
+index 4543766d62e..3fcd17f1b63 100644
+--- a/src/libcharon/network/sender.c
++++ b/src/libcharon/network/sender.c
+@@ -216,7 +216,7 @@ sender_t * sender_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_packets,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+index db7abd8146b..c9aed3666fc 100644
+--- a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
++++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
+@@ -227,7 +227,7 @@ METHOD(kernel_listener_t, roam, bool,
+ {
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	return TRUE;
+ }
+ 
+@@ -269,7 +269,7 @@ METHOD(bypass_lan_listener_t, reload_interfaces, void,
+ 	this->mutex->unlock(this->mutex);
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ }
+ 
+ METHOD(bypass_lan_listener_t, destroy, void,
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+index f833dc3c0b4..2f29d080764 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
++++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+@@ -706,7 +706,7 @@ static void schedule_interim(private_eap_radius_accounting_t *this,
+ 			(job_t*)callback_job_create_with_prio(
+ 				(callback_job_cb_t)send_interim,
+ 				data, (void*)destroy_interim_data,
+-				(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL), tv);
++				callback_job_cancel_thread, JOB_PRIO_CRITICAL), tv);
+ 	}
+ }
+ 
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+index 5051542615a..55d5e032cea 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
++++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+@@ -445,7 +445,7 @@ void eap_radius_handle_timeout(ike_sa_id_t *id)
+ 		lib->processor->queue_job(lib->processor,
+ 				(job_t*)callback_job_create_with_prio(
+ 						(callback_job_cb_t)delete_all_async, NULL, NULL,
+-						(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++						callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	}
+ 	else if (id)
+ 	{
+diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c
+index 8859bae166b..3d2ac7de84d 100644
+--- a/src/libcharon/plugins/ha/ha_ctl.c
++++ b/src/libcharon/plugins/ha/ha_ctl.c
+@@ -199,6 +199,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache)
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch_fifo,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
+index 5de26a65a27..83be91ab159 100644
+--- a/src/libcharon/plugins/ha/ha_dispatcher.c
++++ b/src/libcharon/plugins/ha/ha_dispatcher.c
+@@ -1184,7 +1184,7 @@ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
+ 	);
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c
+index afb76b39ea2..32d9ee40717 100644
+--- a/src/libcharon/plugins/ha/ha_segments.c
++++ b/src/libcharon/plugins/ha/ha_segments.c
+@@ -316,7 +316,7 @@ static void start_watchdog(private_ha_segments_t *this)
+ 	this->heartbeat_active = TRUE;
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)watchdog, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ }
+ 
+ METHOD(ha_segments_t, handle_status, void,
+@@ -404,7 +404,7 @@ static void start_heartbeat(private_ha_segments_t *this)
+ {
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)send_status,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ }
+ 
+ /**
+@@ -451,7 +451,7 @@ static void start_autobalance(private_ha_segments_t *this)
+ 	DBG1(DBG_CFG, "scheduling HA autobalance every %ds", this->autobalance);
+ 	lib->scheduler->schedule_job(lib->scheduler,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)autobalance,
+-			this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL),
++			this, NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL),
+ 		this->autobalance);
+ }
+ 
+diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+index 095ad67b4b0..c18e266e4d1 100644
+--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
++++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_esp_handler.c
+@@ -337,7 +337,7 @@ kernel_libipsec_esp_handler_t *kernel_libipsec_esp_handler_create()
+ 	}
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create(send_esp, this, NULL,
+-										(callback_job_cancel_t)return_false));
++										callback_job_cancel_thread));
+ 	return &this->public;
+ }
+ 
+diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+index 74746e251de..07adc70be3e 100644
+--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
++++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+@@ -364,7 +364,7 @@ kernel_libipsec_router_t *kernel_libipsec_router_create()
+ 	charon->receiver->add_esp_cb(charon->receiver, receiver_esp_cb, NULL);
+ 	lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
+-									NULL, (callback_job_cancel_t)return_false));
++										NULL, callback_job_cancel_thread));
+ 
+ 	router = &this->public;
+ 	return &this->public;
+diff --git a/src/libcharon/plugins/smp/smp.c b/src/libcharon/plugins/smp/smp.c
+index 6ca9f13997e..85ff5830bc5 100644
+--- a/src/libcharon/plugins/smp/smp.c
++++ b/src/libcharon/plugins/smp/smp.c
+@@ -710,7 +710,7 @@ static job_requeue_t dispatch(private_smp_t *this)
+ 	fdp = malloc_thing(int);
+ 	*fdp = fd;
+ 	job = callback_job_create((callback_job_cb_t)process, fdp, free,
+-							  (callback_job_cancel_t)return_false);
++							  callback_job_cancel_thread);
+ 	lib->processor->queue_job(lib->processor, (job_t*)job);
+ 
+ 	return JOB_REQUEUE_DIRECT;
+@@ -800,7 +800,7 @@ plugin_t *smp_plugin_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)dispatch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 
+ 	return &this->public.plugin;
+ }
+diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+index 30aeb116dec..da317a894d9 100644
+--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
++++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp_connections.c
+@@ -210,7 +210,7 @@ METHOD(tnc_pdp_connections_t, add, void,
+ 	/* schedule timeout checking */
+ 	lib->scheduler->schedule_job_ms(lib->scheduler,
+ 				(job_t*)callback_job_create((callback_job_cb_t)check_timeouts,
+-					this, NULL, (callback_job_cancel_t)return_false),
++					this, NULL, callback_job_cancel_thread),
+ 				this->timeout * 1000);
+ 
+ 	dbg_nas_user(nas_id, user_name, FALSE, "created");
+diff --git a/src/libcharon/plugins/uci/uci_control.c b/src/libcharon/plugins/uci/uci_control.c
+index b033c832c8c..8074005ee57 100644
+--- a/src/libcharon/plugins/uci/uci_control.c
++++ b/src/libcharon/plugins/uci/uci_control.c
+@@ -296,7 +296,7 @@ uci_control_t *uci_control_create()
+ 	{
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((callback_job_cb_t)receive,
+-							this, NULL, (callback_job_cancel_t)return_false,
++							this, NULL, callback_job_cancel_thread,
+ 							JOB_PRIO_CRITICAL));
+ 	}
+ 	return &this->public;
+diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
+index 0f10795d168..802146eef21 100644
+--- a/src/libipsec/ipsec_event_relay.c
++++ b/src/libipsec/ipsec_event_relay.c
+@@ -230,7 +230,7 @@ ipsec_event_relay_t *ipsec_event_relay_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)handle_events, this,
+-			NULL, (callback_job_cancel_t)return_false));
++			NULL, callback_job_cancel_thread));
+ 
+ 	return &this->public;
+ }
+diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
+index 2572b088089..8549fefe261 100644
+--- a/src/libipsec/ipsec_processor.c
++++ b/src/libipsec/ipsec_processor.c
+@@ -336,9 +336,9 @@ ipsec_processor_t *ipsec_processor_create()
+ 
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)process_inbound, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	lib->processor->queue_job(lib->processor,
+ 		(job_t*)callback_job_create((callback_job_cb_t)process_outbound, this,
+-									NULL, (callback_job_cancel_t)return_false));
++									NULL, callback_job_cancel_thread));
+ 	return &this->public;
+ }
+diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
+index a134bee238f..c7e42b277e1 100644
+--- a/src/libpttls/pt_tls_dispatcher.c
++++ b/src/libpttls/pt_tls_dispatcher.c
+@@ -156,7 +156,7 @@ METHOD(pt_tls_dispatcher_t, dispatch, void,
+ 		lib->processor->queue_job(lib->processor,
+ 				(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+ 										connection, (void*)cleanup,
+-										(callback_job_cancel_t)return_false,
++										callback_job_cancel_thread,
+ 										JOB_PRIO_CRITICAL));
+ 	}
+ }
+diff --git a/src/libstrongswan/networking/streams/stream_service.c b/src/libstrongswan/networking/streams/stream_service.c
+index 5b709a2247d..c85a0664351 100644
+--- a/src/libstrongswan/networking/streams/stream_service.c
++++ b/src/libstrongswan/networking/streams/stream_service.c
+@@ -221,7 +221,7 @@ static bool watch(private_stream_service_t *this, int fd, watcher_event_t event)
+ 
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((void*)accept_async, data,
+-				(void*)destroy_async_data, (callback_job_cancel_t)return_false,
++				(void*)destroy_async_data, callback_job_cancel_thread,
+ 				this->prio));
+ 	}
+ 	else
+diff --git a/src/libstrongswan/processing/jobs/callback_job.c b/src/libstrongswan/processing/jobs/callback_job.c
+index cb2a0aba5b9..3ab40b947c9 100644
+--- a/src/libstrongswan/processing/jobs/callback_job.c
++++ b/src/libstrongswan/processing/jobs/callback_job.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2009-2012 Tobias Brunner
++ * Copyright (C) 2009-2025 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -131,3 +131,11 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
+ 	return callback_job_create_with_prio(cb, data, cleanup, cancel,
+ 										 JOB_PRIO_MEDIUM);
+ }
++
++/*
++ * Described in header
++ */
++bool callback_job_cancel_thread(void *data)
++{
++	return FALSE;
++}
+diff --git a/src/libstrongswan/processing/jobs/callback_job.h b/src/libstrongswan/processing/jobs/callback_job.h
+index 0f1ae212d87..fda86887944 100644
+--- a/src/libstrongswan/processing/jobs/callback_job.h
++++ b/src/libstrongswan/processing/jobs/callback_job.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2012 Tobias Brunner
++ * Copyright (C) 2012-2025 Tobias Brunner
+  * Copyright (C) 2007-2011 Martin Willi
+  *
+  * Copyright (C) secunet Security Networks AG
+@@ -62,6 +62,15 @@ typedef void (*callback_job_cleanup_t)(void *data);
+  */
+ typedef bool (*callback_job_cancel_t)(void *data);
+ 
++/**
++ * Default implementation of callback_job_cancel_t that simply returns FALSE
++ * to force cancellation of the thread by the processor.
++ *
++ * @param data			ignored argument
++ * @return				always returns FALSE
++ */
++bool callback_job_cancel_thread(void *data);
++
+ /**
+  * Class representing an callback Job.
+  *
+diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
+index c5e5dd83e70..76d98ddff51 100644
+--- a/src/libstrongswan/processing/scheduler.c
++++ b/src/libstrongswan/processing/scheduler.c
+@@ -329,7 +329,8 @@ scheduler_t * scheduler_create()
+ 	this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
+ 
+ 	job = callback_job_create_with_prio((callback_job_cb_t)schedule, this,
+-										NULL, return_false, JOB_PRIO_CRITICAL);
++										NULL, callback_job_cancel_thread,
++										JOB_PRIO_CRITICAL);
+ 	lib->processor->queue_job(lib->processor, (job_t*)job);
+ 
+ 	return &this->public;
+diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
+index 1200d670959..a86ec0910d1 100644
+--- a/src/libstrongswan/processing/watcher.c
++++ b/src/libstrongswan/processing/watcher.c
+@@ -291,7 +291,7 @@ static void notify(private_watcher_t *this, entry_t *entry,
+ 
+ 	this->jobs->insert_last(this->jobs,
+ 					callback_job_create_with_prio((void*)notify_async, data,
+-						(void*)notify_end, (callback_job_cancel_t)return_false,
++						(void*)notify_end, callback_job_cancel_thread,
+ 						JOB_PRIO_CRITICAL));
+ }
+ 
+@@ -559,7 +559,7 @@ METHOD(watcher_t, add, void,
+ 
+ 		lib->processor->queue_job(lib->processor,
+ 			(job_t*)callback_job_create_with_prio((void*)watch, this,
+-				NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
++				NULL, callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+ 	}
+ 	else
+ 	{
+diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
+index 91ee58b975f..c17d0a8873e 100644
+--- a/src/libtls/tests/suites/test_socket.c
++++ b/src/libtls/tests/suites/test_socket.c
+@@ -587,7 +587,7 @@ static void start_echo_server(echo_server_config_t *config)
+ 
+ 	lib->processor->queue_job(lib->processor, (job_t*)
+ 				callback_job_create((void*)serve_echo, config, NULL,
+-									(callback_job_cancel_t)return_false));
++									callback_job_cancel_thread));
+ }
+ 
+ /**

strongswan-gcc15-part2.patch

@@ -0,0 +1,115 @@
+From 11978ddd39e800b5f35f721d726e8a4cb7e4ec0f Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 17:00:44 +0100
+Subject: [PATCH] Cast uses of return_*(), nop() and enumerator_create_empty()
+
+As described in the previous commit, GCC 15 uses C23 by default and that
+changes the meaning of such argument-less function declarations.  So
+whenever we assign such a function to a pointer that expects a function
+with arguments it causes an incompatible pointer type warning.  We
+could define dedicated functions/callbacks whenever necessary, but this
+seems like the simpler approach for now (especially since most uses of
+these functions have already been cast).
+---
+ src/charon-nm/nm/nm_handler.c                           | 2 +-
+ src/libcharon/encoding/payloads/encrypted_payload.c     | 2 +-
+ src/libcharon/plugins/android_dns/android_dns_handler.c | 2 +-
+ src/libcharon/plugins/ha/ha_attribute.c                 | 2 +-
+ src/libcharon/plugins/updown/updown_handler.c           | 2 +-
+ src/libstrongswan/utils/identification.c                | 6 +++---
+ 6 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
+index d7331ad72f6..39d0190ac9e 100644
+--- a/src/charon-nm/nm/nm_handler.c
++++ b/src/charon-nm/nm/nm_handler.c
+@@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create()
+ 		.public = {
+ 			.handler = {
+ 				.handle = _handle,
+-				.release = nop,
++				.release = (void*)nop,
+ 				.create_attribute_enumerator = _create_attribute_enumerator,
+ 			},
+ 			.create_enumerator = _create_enumerator,
+diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
+index 676d00b7a29..4821c6108ed 100644
+--- a/src/libcharon/encoding/payloads/encrypted_payload.c
++++ b/src/libcharon/encoding/payloads/encrypted_payload.c
+@@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create()
+ 				.get_length = _frag_get_length,
+ 				.add_payload = _frag_add_payload,
+ 				.remove_payload = (void*)return_null,
+-				.generate_payloads = nop,
++				.generate_payloads = (void*)nop,
+ 				.set_transform = _frag_set_transform,
+ 				.get_transform = _frag_get_transform,
+ 				.encrypt = _frag_encrypt,
+diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
+index 78f4f702aec..14d2ff99aa3 100644
+--- a/src/libcharon/plugins/android_dns/android_dns_handler.c
++++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
+@@ -191,7 +191,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
+ 	VA_ARGS_VGET(args, type, data);
+ 	*type = INTERNAL_IP4_DNS;
+ 	*data = chunk_empty;
+-	this->venumerate = return_false;
++	this->venumerate = (void*)return_false;
+ 	return TRUE;
+ }
+ 
+diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
+index b865a4b829b..103d1a93784 100644
+--- a/src/libcharon/plugins/ha/ha_attribute.c
++++ b/src/libcharon/plugins/ha/ha_attribute.c
+@@ -381,7 +381,7 @@ ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments
+ 			.provider = {
+ 				.acquire_address = _acquire_address,
+ 				.release_address = _release_address,
+-				.create_attribute_enumerator = enumerator_create_empty,
++				.create_attribute_enumerator = (void*)enumerator_create_empty,
+ 			},
+ 			.reserve = _reserve,
+ 			.destroy = _destroy,
+diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
+index 36eb15615a4..3707e1e658c 100644
+--- a/src/libcharon/plugins/updown/updown_handler.c
++++ b/src/libcharon/plugins/updown/updown_handler.c
+@@ -220,7 +220,7 @@ updown_handler_t *updown_handler_create()
+ 			.handler = {
+ 				.handle = _handle,
+ 				.release = _release,
+-				.create_attribute_enumerator = enumerator_create_empty,
++				.create_attribute_enumerator = (void*)enumerator_create_empty,
+ 			},
+ 			.create_dns_enumerator = _create_dns_enumerator,
+ 			.destroy = _destroy,
+diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
+index d31955b3806..58a05052dc1 100644
+--- a/src/libstrongswan/utils/identification.c
++++ b/src/libstrongswan/utils/identification.c
+@@ -1625,7 +1625,7 @@ static private_identification_t *identification_create(id_type_t type)
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_any;
+-			this->public.contains_wildcards = return_true;
++			this->public.contains_wildcards = (void*)return_true;
+ 			break;
+ 		case ID_FQDN:
+ 		case ID_RFC822_ADDR:
+@@ -1660,13 +1660,13 @@ static private_identification_t *identification_create(id_type_t type)
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_range;
+-			this->public.contains_wildcards = return_false;
++			this->public.contains_wildcards = (void*)return_false;
+ 			break;
+ 		default:
+ 			this->public.hash = _hash_binary;
+ 			this->public.equals = _equals_binary;
+ 			this->public.matches = _matches_binary;
+-			this->public.contains_wildcards = return_false;
++			this->public.contains_wildcards = (void*)return_false;
+ 			break;
+ 	}
+ 	return this;

strongswan-gcc15-part3.patch

@@ -0,0 +1,23 @@
+From a7b5de569082398a14b7e571498e55d005903aaf Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Fri, 21 Feb 2025 17:18:35 +0100
+Subject: [PATCH] pki: Fix signature of help() to match that of a callback in
+ command_t
+
+---
+ src/pki/command.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pki/command.c b/src/pki/command.c
+index accec5fe51b..6e6bf041e18 100644
+--- a/src/pki/command.c
++++ b/src/pki/command.c
+@@ -265,7 +265,7 @@ int command_usage(char *error)
+ /**
+  * Show usage information
+  */
+-static int help(int c, char *v[])
++static int help()
+ {
+ 	return command_usage(NULL);
+ }

strongswan.changes

@@ -1,3 +1,79 @@
+-------------------------------------------------------------------
+Thu Jun  5 07:41:56 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add pkgconfig(libxml-2.0) BuildRequire which was previously
+  implicitly pulled in through SOUP. Move everything else to
+  pkgconfig() symbols as well.
+
+-------------------------------------------------------------------
+Tue Jun  3 17:45:03 UTC 2025 - Michael Gorse <mgorse@suse.com>
+
+- Disable soup fetcher. It is redundant with the curl fetcher, and
+  this allows us to drop the dependency on libsoup2.
+
+-------------------------------------------------------------------
+Tue May  6 14:01:21 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
+
+- Add patches from upstream github.com/strongswan/strongswan
+  to fix gcc-15 compile-time errors:
+  * strongswan-gcc15-part1.patch
+  * strongswan-gcc15-part2.patch
+  * strongswan-gcc15-part3.patch
+
+-------------------------------------------------------------------
+Tue Mar 11 18:54:30 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 6.0.1
+  * The `dhcp` plugin has gained a new `interface_receive` option
+  * The `eap-radius` plugin hsa gained a new `source` option
+  * The NetworkManager plugin (charon-nm) received an option to
+    configure the local traffic selectors.
+  * The `ha` plugin now supports synchronizing IKE and Child SAs
+    with multiple key exchanges
+  * Self-signed root CAs that do not contain policies are now
+    excluded from policy validation.
+  * When deciding whether to send a DPD, inbound traffic on Child
+    SAs is now ignored unless UDP-encapsulation is used.
+  * When connecting to port 4500 or a custom server port, the
+    initial IKE_SA_INIT request is now sent from the NAT-T
+    socket.
+  * The NetworkManager backend (charon-nm) now enables
+    charon-nm.check_current_path to force a DPD after
+    connectivity changes without IP change.
+- Ensure build recipe is POSIX sh compatible
+
+-------------------------------------------------------------------
+Tue Dec  3 15:59:06 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- /usr/sbin/ipsec is deprecated since 5.2.0 and will be removed
+  in the future.
+- Update to release 6.0.0
+  * Support for multiple IKEv2 key exchanges (RFC 9370)
+  * Support for the Module-Lattice-Based Key-Encapsulation
+    Mechanism (ML-KEM, FIPS 203)
+  * AF_VSOCK socket support
+  * The file logger can optionally log messages as JSON objects
+  * Handling of CHILD_SA rekey collisions has been improved
+  * The kernel-netlink plugin explicitly configures the direction
+    of IPsec SAs when running on 6.10+ kernels
+  * The NetworkManager plugin (charon-nm) now uses a different
+    routing table than the regular IKE daemon to avoid conflicts
+    if both are running
+  * The following crypto plugins are no longer built:
+    aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2,
+    sha1, sha2. (Their replacement is the "openssl" plugin.)
+  * The following deprecated plugins have been removed: bliss
+    (signature scheme), newhope (key exchange method), ntru (key
+    exchange method).
+- Add init.patch
+
+-------------------------------------------------------------------
+Tue Nov 26 12:02:16 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- rename -hmac subpackage to -fips because it isn't providing
+  the hmac files, it provides the configuration drop in to
+  enforce fips mode.
+
 -------------------------------------------------------------------
 Thu Jun 20 12:10:36 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 
@@ -104,7 +180,7 @@ Wed Apr  5 01:34:28 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
   vici aka swanctl interface which is current upstream's default.
   strongswan.service which enables swanctl interface is masked to
   stop interfering with the ipsec interface (bsc#1184144)
-- Removes deprecated SysV support 
+- Removes deprecated SysV support
 
 -------------------------------------------------------------------
 Thu Mar  2 13:34:37 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
@@ -225,7 +301,7 @@ Wed Mar 16 12:57:46 UTC 2022 - Marcus Meissner <meissner@suse.com>
 -------------------------------------------------------------------
 Thu Mar  3 14:49:26 UTC 2022 - Marcus Meissner <meissner@suse.com>
 
-- Added prf-plus-modularization.patch that outsources the IKE 
+- Added prf-plus-modularization.patch that outsources the IKE
   key derivation to openssl. (will be merged to 5.9.6)
 - package the kdf config, template and plugin
 
@@ -415,9 +491,9 @@ Tue Mar 31 16:42:23 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>
 -------------------------------------------------------------------
 Mon Feb 17 20:26:37 UTC 2020 - Johannes Kastl <kastl@b1-systems.de>
 
-- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf 
-  to strongswan-nm subpackage, as it is needed for the 
-  NetworkManager plugin that uses strongswan-nm, not 
+- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
+  to strongswan-nm subpackage, as it is needed for the
+  NetworkManager plugin that uses strongswan-nm, not
   strongswan-ipsec
   This fixes the following error:
   ```
@@ -624,7 +700,7 @@ Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
 -------------------------------------------------------------------
 Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com
 
-- Removed unused requires and macro calls(bsc#1083261) 
+- Removed unused requires and macro calls(bsc#1083261)
 
 -------------------------------------------------------------------
 Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de
@@ -657,7 +733,7 @@ Tue Sep  5 17:10:11 CEST 2017 - ndas@suse.de
 
     *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
     swanctl.conf file.
-    
+
     *The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
 
     *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
@@ -786,7 +862,7 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
     based random oracle has been fixed, generalized and
     standardized by employing the MGF1 mask generation function
     with SHA-512. As a consequence BLISS signatures unsing the
-    improved oracle are not compatible with the earlier 
+    improved oracle are not compatible with the earlier
     implementation.
   * Support for auto=route with right=%any for transport mode
     connections has been added (the ikev2/trap-any scenario
@@ -806,7 +882,7 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
     rightauth=any, which prevented it from using this same config
     as responder).
   * The initiator flag in the IKEv2 header is compared again
-    (wasn't the case since 5.0.0) and packets that have the flag 
+    (wasn't the case since 5.0.0) and packets that have the flag
     set incorrectly are again ignored.
   * Implemented a demo Hardcopy Device IMC/IMV pair based on the
     "Hardcopy Device Health Assessment Trusted Network Connect
@@ -852,8 +928,8 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
     are chosen based on the strength of the signature key, but
     specific hash algorithms may be configured in leftauth.
   * Key types and hash algorithms specified in rightauth are now
-    also checked against IKEv2 signature schemes. If such 
-    constraints are used for certificate chain validation in 
+    also checked against IKEv2 signature schemes. If such
+    constraints are used for certificate chain validation in
     existing configurations, in particular with peers that don't
     support RFC 7427, it may be necessary to disable this feature
     with the charon.signature_authentication_constraints setting,
@@ -862,7 +938,7 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
   * The new connmark plugin allows a host to bind conntrack flows
     to a specific CHILD_SA by applying and restoring the SA mark
     to conntrack entries. This allows a peer to handle multiple
-    transport mode connections coming over the same NAT device for 
+    transport mode connections coming over the same NAT device for
     client-initiated flows. A common use case is to protect
     L2TP/IPsec, as supported by some systems.
   * The forecast plugin can forward broadcast and multicast
@@ -870,13 +946,13 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
     using unique marks, it sets up the required Netfilter rules
     and uses a multicast/broadcast listener that forwards such
     messages to all connected clients. This plugin is designed for
-    Windows 7 IKEv2 clients, which announces its services over the 
+    Windows 7 IKEv2 clients, which announces its services over the
     tunnel if the negotiated IPsec policy allows it.
-  * For the vici plugin a Python Egg has been added to allow 
-    Python applications to control or monitor the IKE daemon using 
+  * For the vici plugin a Python Egg has been added to allow
+    Python applications to control or monitor the IKE daemon using
     the VICI interface, similar to the existing ruby gem. The
     Python library has been contributed by Björn Schuberg.
-  * EAP server methods now can fulfill public key constraints, 
+  * EAP server methods now can fulfill public key constraints,
     such as rightcert or rightca. Additionally, public key and
     signature constraints can be specified for EAP methods in the
     rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods
@@ -1077,7 +1153,7 @@ Thu Jul  3 13:39:45 UTC 2014 - meissner@suse.com
 -------------------------------------------------------------------
 Fri Jun 20 17:38:07 UTC 2014 - crrodriguez@opensuse.org
 
-- Fix build in factory 
+- Fix build in factory
 * Do not include var/run directories in package
 * Move runtime data to /run and provide tmpfiles.d snippet
 * Add proper systemd macros to rpm scriptlets.
@@ -1324,7 +1400,7 @@ Thu Nov 29 19:13:40 CET 2012 - sbrabec@suse.cz
 -------------------------------------------------------------------
 Fri Nov 16 04:02:32 UTC 2012 - crrodriguez@opensuse.org
 
-- Fix systemd unit dir 
+- Fix systemd unit dir
 
 -------------------------------------------------------------------
 Wed Oct 31 15:25:16 UTC 2012 - mt@suse.de
@@ -2007,7 +2083,7 @@ Wed Jun 10 11:04:44 CEST 2009 - mt@suse.de
 Mon Jun  8 00:21:13 CEST 2009 - ro@suse.de
 
 - rename getline to my_getline to avoid collision with function
-  from glibc 
+  from glibc
 
 -------------------------------------------------------------------
 Tue Jun  2 09:56:16 CEST 2009 - mt@suse.de
@@ -2048,7 +2124,7 @@ Tue Mar 31 11:19:03 CEST 2009 - mt@suse.de
     As a workaround such dates are set to the maximum representable
     time, i.e. Jan 19 03:14:07 UTC 2038.
   * Distinguished Names containing wildcards (*) are not sent in the
-    IDr payload anymore. 
+    IDr payload anymore.
 
 -------------------------------------------------------------------
 Mon Oct 20 09:27:06 CEST 2008 - mt@suse.de
@@ -2114,7 +2190,7 @@ Thu Aug 28 09:48:14 CEST 2008 - mt@suse.de
   several hundred tunnels concurrently.
   * Fixed the --enable-integrity-test configure option which
   computes a SHA-1 checksum over the libstrongswan library.
-  * Consistent logging of IKE and CHILD SAs at the audit (AUD) level. 
+  * Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
   * Improved the performance of the SQL-based virtual IP address pool
   by introducing an additional addresses table. The leases table
   storing only history information has become optional and can be
@@ -2218,7 +2294,7 @@ Tue Feb 19 11:44:03 CET 2008 - mt@suse.de
   to the rekeyed IKE_SA so that the UDP encapsulation was lost with
   the next CHILD_SA rekeying.
   * Wrong type definition of the next_payload variable in id_payload.c
-  caused an INVALID_SYNTAX error on PowerPC platforms. 
+  caused an INVALID_SYNTAX error on PowerPC platforms.
   * Implemented IKEv2 EAP-SIM server and client test modules that use
   triplets stored in a file. For details on the configuration see
   the scenario 'ikev2/rw-eap-sim-rsa'.
@@ -2250,5 +2326,5 @@ Mon Nov 26 10:19:40 CET 2007 - mt@suse.de
 -------------------------------------------------------------------
 Thu Nov 22 10:25:56 CET 2007 - mt@suse.de
 
-- Initial, unfinished package                            
+- Initial, unfinished package
 

strongswan.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,21 +16,14 @@
 #
 
 
-Name:           strongswan
-Version:        5.9.14
-Release:        0
-%define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
 %define         strongswan_libdir    %{_libdir}/ipsec
 %define         strongswan_configs   %{_sysconfdir}/strongswan.d
 %define         strongswan_datadir   %{_datadir}/strongswan
 %define         strongswan_plugins   %{strongswan_libdir}/plugins
 %define         strongswan_templates %{strongswan_datadir}/templates
-%if 0
-%bcond_without  tests
-%else
+%bcond_without  stroke
 %bcond_with     tests
-%endif
 %bcond_without  fipscheck
 %ifarch %{ix86} ppc64le
 %bcond_without  integrity
@@ -44,70 +37,76 @@ Release:        0
 %bcond_without  gcrypt
 %bcond_without  nm
 %bcond_without  systemd
+
+Name:           strongswan
+Version:        6.0.1
+Release:        0
 Summary:        IPsec-based VPN solution
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 URL:            https://www.strongswan.org/
-Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
-Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
+Source0:        http://download.strongswan.org/strongswan-%version.tar.bz2
+Source1:        http://download.strongswan.org/strongswan-%version.tar.bz2.sig
 Source2:        %{name}.init.in
 Source3:        %{name}-rpmlintrc
 Source4:        README.SUSE
 Source5:        %{name}.keyring
-%if %{with fipscheck}
 Source7:        fips-enforce.conf
-%endif
 Patch2:         %{name}_ipsec_service.patch
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6:         harden_strongswan.service.patch
+Patch7:         init.patch
+Patch11:        strongswan-gcc15-part1.patch
+Patch12:        strongswan-gcc15-part2.patch
+Patch13:        strongswan-gcc15-part3.patch
+BuildRequires:  autoconf
+BuildRequires:  automake
 BuildRequires:  bison
-BuildRequires:  curl-devel
 BuildRequires:  flex
 BuildRequires:  gmp-devel
 BuildRequires:  gperf
-BuildRequires:  libcap-devel
-BuildRequires:  libopenssl-devel
-BuildRequires:  openldap2-devel
-BuildRequires:  pam-devel
-BuildRequires:  pcsc-lite-devel
+BuildRequires:  iptables
+BuildRequires:  libtool
 BuildRequires:  pkg-config
-BuildRequires:  pkgconfig(libsoup-2.4)
+BuildRequires:  pkgconfig(ldap)
+BuildRequires:  pkgconfig(libcap)
+BuildRequires:  pkgconfig(libcrypto)
+BuildRequires:  pkgconfig(libcurl)
+BuildRequires:  pkgconfig(libpcsclite)
+BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  pkgconfig(libxml-2.0)
+BuildRequires:  pkgconfig(pam)
 %if %{with mysql}
 BuildRequires:  libmysqlclient-devel
 %endif
 %if %{with sqlite}
-BuildRequires:  sqlite3-devel
+BuildRequires:  pkgconfig(sqlite3)
 %endif
 %if %{with gcrypt}
-BuildRequires:  libgcrypt-devel
+BuildRequires:  pkgconfig(libgcrypt)
 %endif
 %if %{with nm}
 BuildRequires:  pkgconfig(libnm)
 %endif
+Obsoletes:      strongswan-libs0 < %version-%release
+Provides:       strongswan-libs0 = %version-%release
 %{?systemd_requires}
-BuildRequires:  iptables
-BuildRequires:  pkgconfig(libsystemd)
 %{!?_rundir: %global _rundir /run}
 %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libtool
-Requires:       strongswan-ipsec = %{version}
 
 %description
 StrongSwan is an IPsec-based VPN solution for Linux.
 
-* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
-* Fully tested support of IPv6 IPsec tunnel and transport connections
+* IKEv1 and IKEv2 (RFC 4306, 9370) key exchange protocol support
+* Support of IPv6 IPsec tunnel and transport connections
 * Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
 * Automatic insertion and deletion of IPsec-policy-based firewall rules
-* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
+* 128/192/256-bit AES encryption
 * NAT Traversal via UDP encapsulation and port floating (RFC 3947)
-* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
-* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
+* Dead Peer Detection (DPD, RFC 3706) to detect dangling tunnels
 * XAUTH server and client functionality on top of IKEv1 Main Mode authentication
 * Virtual IP address pool managed by IKE daemon or SQL database
-* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
+* IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
 * Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
 * Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
 * Authentication based on X.509 certificates or preshared keys
@@ -115,12 +114,11 @@ StrongSwan is an IPsec-based VPN solution for Linux.
 * Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
 * Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
 * CA management (OCSP and CRL URIs, default LDAP server)
-* Powerful IPsec policies based on wildcards or intermediate CAs
+* IPsec policies based on wildcards or intermediate CAs
 * Group policies based on X.509 attribute certificates (RFC 3281)
-* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
+* Storage of RSA private keys and certificates on a smartcard (PKCS#11 interface)
 * Modular plugins for crypto algorithms and relational database interfaces
 * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
-* Optional built-in integrity and crypto tests for plugins and libraries
 * Linux desktop integration via the strongSwan NetworkManager applet
 
 This package triggers the installation of both, IKEv1 and IKEv2 daemons.
@@ -135,48 +133,39 @@ StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the StrongSwan documentation.
 
-%package libs0
-Summary:        strongSwan core libraries and basic plugins
-Group:          Productivity/Networking/Security
-Conflicts:      strongswan < %{version}
-
-%description libs0
-StrongSwan is an IPsec-based VPN solution for Linux.
-
-This package provides the strongswan library and plugins.
-
-%package hmac
+%package fips
 Summary:        Config file to disable non FIPS-140-2 algos in strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-ipsec = %{version}
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
+Provides:       strongswan-hmac = %{version}-%{release}
+Obsoletes:      strongswan-hmac < %{version}-%{release}
 
-%description hmac
+%description fips
 The package provides a config file disabling alternative algorithm
 implementation when FIPS-140-2 compliant operation mode is enabled.
 
 %package ipsec
-Summary:        IPsec-based VPN solution
+Summary:        Old-style "ipsec" interface (stroke/starter) for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 Provides:       VPN
 Provides:       ipsec
-Provides:       strongswan = %{version}
-Obsoletes:      strongswan < %{version}
 Conflicts:      freeswan
 Conflicts:      openswan
 
 %description ipsec
 StrongSwan is an IPsec-based VPN solution for Linux.
 
-This package provides the systemd service definition and allows
-to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
-/etc/ipsec.secrets files.
+This package provides an ipsec(8) command-line interface and
+configuration mechanism (/etc/ipsec.conf, ipsec.secrets).
+
+Old-style ipsec(8) management of strongSwan is deprecated since
+version 5.2.0.
 
 %package mysql
 Summary:        MySQL plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 
 %description mysql
 StrongSwan is an IPsec-based VPN solution for Linux.
@@ -186,20 +175,20 @@ This package provides the strongswan mysql plugin.
 %package sqlite
 Summary:        SQLite plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 
 %description sqlite
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the strongswan sqlite plugin.
 
 %package nm
 Summary:        NetworkManager plugin for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 
 %description nm
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the NetworkManager plugin to control the
 charon IKEv2 daemon through D-Bus, designed to work using the
@@ -208,28 +197,24 @@ NetworkManager-strongswan graphical user interface.
 %package tests
 Summary:        Testing plugins for strongSwan
 Group:          Productivity/Networking/Security
-Requires:       strongswan-libs0 = %{version}
+Requires:       strongswan = %version
 
 %description tests
-StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+StrongSwan is an IPsec-based VPN solution for Linux.
 
 This package provides the strongswan crypto test vectors plugin
 and the load testing plugin for IKEv2 daemon.
 
 %prep
-%setup -q -n %{name}-%{upstream_version}
-%patch -P 2 -p1
-%patch -P 5 -p1
+%autosetup -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < %{_sourcedir}/strongswan.init.in \
      > strongswan.init
-%patch -P 6 -p1
 
 %build
-CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
-export CFLAGS
 autoreconf --force --install
 %configure \
+	CFLAGS="%optflags -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" \
 %if %{with integrity}
 	--enable-integrity-test \
 %endif
@@ -312,13 +297,15 @@ autoreconf --force --install
 %else
 	--disable-nm \
 %endif
+%if %{with stroke}
+	--enable-stroke \
+%endif
 %if %{with tests}
 	--enable-conftest \
 	--enable-load-tester \
 	--enable-test-vectors \
 %endif
 	--enable-ldap \
-	--enable-soup \
 	--enable-curl \
 	--enable-bypass-lan \
 	--disable-static
@@ -348,7 +335,7 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
 		%{_rpmconfigdir}/find-debuginfo.sh  \
 			%{?_find_debuginfo_opts} "%{buildroot}-$$"
 		make -C src/checksum clean
-		rm -f   src/checksum/checksum_builder
+		rm -f src/checksum/checksum_builder
 		LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
 		make -C src/checksum install DESTDIR="%{buildroot}-$$"
 		mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
@@ -358,7 +345,7 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
 }
 %endif
 #
-rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
+%if %{with stroke}
 cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
 #
 # ipsec.secrets
@@ -368,16 +355,17 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
 #
 EOT
 #
+%endif
 %if ! %{with mysql}
 rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
 %endif
 %if ! %{with sqlite}
 rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
 %endif
-rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
-rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
+for i in charon hydra strongswan pttls radius simaka tls tnccs imcv; do
+	rm -fv %{buildroot}/%{strongswan_libdir}/lib$i.so
+done
 find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
-#
 install -d -m755 %{buildroot}/%{strongswan_docdir}/
 install -c -m644 TODO NEWS README COPYING LICENSE \
 		 AUTHORS ChangeLog \
@@ -393,36 +381,37 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \
 sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
 %endif
 
-%post libs0
+%post
 /sbin/ldconfig
 %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
 %{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
 
-%postun libs0 -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
 
 %pre ipsec
 %service_add_pre %{name}-starter.service
 
 %post ipsec
+%service_add_post %{name}-starter.service
 # Following code does the migration from strongwan.service (ver < 5.8.0) to
 # strongswan-starter.service (ver >= 5.8.0) during update. The systemd service
 # units have been renamed. The modern unit, which was called strongswan-swanctl,
 # is now called strongswan (the previous name is configured as alias in the unit,
 # for which a symlink is created when the unit is enabled). The legacy unit is now
 # called strongswan-starter.
-_ipsec_active=`/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null` || :
-_swanctl_active=`/usr/bin/systemctl is-active %{name}.service 2>/dev/null` || :
-_ipsec_enable=`/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null` || :
-_swanctl_enable=`/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null` || :
-if [[ "$_swanctl_enable" == "enabled" || "$_swanctl_active" == "active" ]]; then
+_ipsec_active=$(/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null) || :
+_swanctl_active=$(/usr/bin/systemctl is-active %{name}.service 2>/dev/null) || :
+_ipsec_enable=$(/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null) || :
+_swanctl_enable=$(/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null) || :
+if [ "$_swanctl_enable" = "enabled" ] || [ "$_swanctl_active" = "active" ]; then
         /usr/bin/systemctl disable --now %{name}.service || :
         /usr/bin/systemctl mask %{name}.service || :
 fi
-if [[ "$_swanctl_enable" == "enabled" || "$_ipsec_enable" == "enabled" ]]; then
+if [ "$_swanctl_enable" = "enabled" ] || [ "$_ipsec_enable" = "enabled" ]; then
         /usr/bin/systemctl daemon-reload
         /usr/bin/systemctl enable %{name}-starter.service || :
 fi
-if [[ "$_swanctl_active" == "active" || "$_ipsec_active" == "active" ]]; then
+if [ "$_swanctl_active" = "active" ] || [ "$_ipsec_active" = "active" ]; then
         /usr/bin/systemctl start %{name}-starter.service || :
 fi
 
@@ -440,45 +429,26 @@ fi
 %postun ipsec
 %service_del_postun %{name}-starter.service
 
-%files
-%dir %{strongswan_docdir}
-%{strongswan_docdir}/README.SUSE
-
 %if %{with fipscheck}
-
-%files hmac
+%files fips
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
 %endif
 
-%files ipsec
-%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
-%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
+%files
+%dir %{strongswan_docdir}
+%{strongswan_docdir}/README.SUSE
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
 %dir %{_sysconfdir}/swanctl
-%dir %{_sysconfdir}/ipsec.d
-%dir %{_sysconfdir}/ipsec.d/crls
-%dir %{_sysconfdir}/ipsec.d/reqs
-%dir %{_sysconfdir}/ipsec.d/certs
-%dir %{_sysconfdir}/ipsec.d/acerts
-%dir %{_sysconfdir}/ipsec.d/aacerts
-%dir %{_sysconfdir}/ipsec.d/cacerts
-%dir %{_sysconfdir}/ipsec.d/ocspcerts
-%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
-%{_unitdir}/strongswan-starter.service
 %{_unitdir}/strongswan.service
 %{_sbindir}/charon-systemd
 %{_bindir}/pki
 %{_bindir}/pt-tls-client
 %{_bindir}/tpm_extendpcr
-%{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_mandir}/man1/pki*.1*
 %{_mandir}/man1/pt-tls-client.1*
-%{_mandir}/man8/ipsec.8*
-%{_mandir}/man5/ipsec.conf.5*
-%{_mandir}/man5/ipsec.secrets.5*
 %{_mandir}/man5/strongswan.conf.5*
 %dir %{_libexecdir}/ipsec
 %{_libexecdir}/ipsec/_updown
@@ -488,46 +458,30 @@ fi
 %{_libexecdir}/ipsec/xfrmi
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/pool
-%{_libexecdir}/ipsec/starter
-%{_libexecdir}/ipsec/stroke
 %{_libexecdir}/ipsec/charon
 %{_libexecdir}/ipsec/_imv_policy
 %{_libexecdir}/ipsec/imv_policy_manager
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-drbg.so
-%{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
-
-%files doc
-%dir %{strongswan_docdir}
-%{strongswan_docdir}/TODO
-%{strongswan_docdir}/NEWS
-%{strongswan_docdir}/README
-%{strongswan_docdir}/COPYING
-%{strongswan_docdir}/LICENSE
-%{strongswan_docdir}/AUTHORS
-%{strongswan_docdir}/ChangeLog
-%{_mandir}/man5/swanctl.conf.5.*
-%{_mandir}/man8/swanctl.8.*
-
-%files libs0
+%_mandir/man5/swanctl.conf.5.*
+%_mandir/man8/swanctl.8.*
 %{_tmpfilesdir}/%{name}.conf
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-nm.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imv_policy_manager.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
 %if %{with afalg}
@@ -544,7 +498,6 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
@@ -576,37 +529,29 @@ fi
 %endif
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
-%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
@@ -645,7 +590,6 @@ fi
 %{strongswan_libdir}/imcvs/imv-test.so
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-addrblock.so
-%{strongswan_plugins}/libstrongswan-aes.so
 %if %{with afalg}
 %{strongswan_plugins}/libstrongswan-af-alg.so
 %endif
@@ -661,7 +605,6 @@ fi
 %{strongswan_plugins}/libstrongswan-coupling.so
 %{strongswan_plugins}/libstrongswan-ctr.so
 %{strongswan_plugins}/libstrongswan-curl.so
-%{strongswan_plugins}/libstrongswan-des.so
 %{strongswan_plugins}/libstrongswan-dhcp.so
 %{strongswan_plugins}/libstrongswan-dnskey.so
 %{strongswan_plugins}/libstrongswan-duplicheck.so
@@ -693,13 +636,11 @@ fi
 %endif
 %{strongswan_plugins}/libstrongswan-gmp.so
 %{strongswan_plugins}/libstrongswan-ha.so
-%{strongswan_plugins}/libstrongswan-hmac.so
 %{strongswan_plugins}/libstrongswan-kdf.so
 %{strongswan_plugins}/libstrongswan-kernel-netlink.so
 %{strongswan_plugins}/libstrongswan-ldap.so
 %{strongswan_plugins}/libstrongswan-led.so
 %{strongswan_plugins}/libstrongswan-md4.so
-%{strongswan_plugins}/libstrongswan-md5.so
 %{strongswan_plugins}/libstrongswan-mgf1.so
 %{strongswan_plugins}/libstrongswan-nonce.so
 %{strongswan_plugins}/libstrongswan-openssl.so
@@ -707,20 +648,15 @@ fi
 %{strongswan_plugins}/libstrongswan-pgp.so
 %{strongswan_plugins}/libstrongswan-pkcs1.so
 %{strongswan_plugins}/libstrongswan-pkcs11.so
-%{strongswan_plugins}/libstrongswan-pkcs12.so
 %{strongswan_plugins}/libstrongswan-pkcs7.so
 %{strongswan_plugins}/libstrongswan-pkcs8.so
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-radattr.so
 %{strongswan_plugins}/libstrongswan-random.so
-%{strongswan_plugins}/libstrongswan-rc2.so
 %{strongswan_plugins}/libstrongswan-resolve.so
 %{strongswan_plugins}/libstrongswan-revocation.so
-%{strongswan_plugins}/libstrongswan-sha1.so
-%{strongswan_plugins}/libstrongswan-sha2.so
 %{strongswan_plugins}/libstrongswan-smp.so
 %{strongswan_plugins}/libstrongswan-socket-default.so
-%{strongswan_plugins}/libstrongswan-soup.so
 %{strongswan_plugins}/libstrongswan-sql.so
 %{strongswan_plugins}/libstrongswan-sshkey.so
 %{strongswan_plugins}/libstrongswan-tnc-imc.so
@@ -736,7 +672,6 @@ fi
 %{strongswan_plugins}/libstrongswan-xauth-generic.so
 %{strongswan_plugins}/libstrongswan-xauth-pam.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
-%{strongswan_plugins}/libstrongswan-curve25519.so
 %{strongswan_plugins}/libstrongswan-vici.so
 %{strongswan_plugins}/libstrongswan-bypass-lan.so
 %dir %{strongswan_datadir}
@@ -749,7 +684,6 @@ fi
 %dir %{strongswan_templates}/database/sql
 %{strongswan_templates}/config/strongswan.conf
 %{strongswan_templates}/config/plugins/addrblock.conf
-%{strongswan_templates}/config/plugins/aes.conf
 %if %{with afalg}
 %{strongswan_templates}/config/plugins/af-alg.conf
 %endif
@@ -765,7 +699,6 @@ fi
 %{strongswan_templates}/config/plugins/coupling.conf
 %{strongswan_templates}/config/plugins/ctr.conf
 %{strongswan_templates}/config/plugins/curl.conf
-%{strongswan_templates}/config/plugins/des.conf
 %{strongswan_templates}/config/plugins/dhcp.conf
 %{strongswan_templates}/config/plugins/dnskey.conf
 %{strongswan_templates}/config/plugins/drbg.conf
@@ -798,13 +731,11 @@ fi
 %endif
 %{strongswan_templates}/config/plugins/gmp.conf
 %{strongswan_templates}/config/plugins/ha.conf
-%{strongswan_templates}/config/plugins/hmac.conf
 %{strongswan_templates}/config/plugins/kdf.conf
 %{strongswan_templates}/config/plugins/kernel-netlink.conf
 %{strongswan_templates}/config/plugins/ldap.conf
 %{strongswan_templates}/config/plugins/led.conf
 %{strongswan_templates}/config/plugins/md4.conf
-%{strongswan_templates}/config/plugins/md5.conf
 %{strongswan_templates}/config/plugins/mgf1.conf
 %{strongswan_templates}/config/plugins/nonce.conf
 %{strongswan_templates}/config/plugins/openssl.conf
@@ -812,23 +743,17 @@ fi
 %{strongswan_templates}/config/plugins/pgp.conf
 %{strongswan_templates}/config/plugins/pkcs1.conf
 %{strongswan_templates}/config/plugins/pkcs11.conf
-%{strongswan_templates}/config/plugins/pkcs12.conf
 %{strongswan_templates}/config/plugins/pkcs7.conf
 %{strongswan_templates}/config/plugins/pkcs8.conf
 %{strongswan_templates}/config/plugins/pubkey.conf
 %{strongswan_templates}/config/plugins/radattr.conf
 %{strongswan_templates}/config/plugins/random.conf
-%{strongswan_templates}/config/plugins/rc2.conf
 %{strongswan_templates}/config/plugins/resolve.conf
 %{strongswan_templates}/config/plugins/revocation.conf
-%{strongswan_templates}/config/plugins/sha1.conf
-%{strongswan_templates}/config/plugins/sha2.conf
 %{strongswan_templates}/config/plugins/smp.conf
 %{strongswan_templates}/config/plugins/socket-default.conf
-%{strongswan_templates}/config/plugins/soup.conf
 %{strongswan_templates}/config/plugins/sql.conf
 %{strongswan_templates}/config/plugins/sshkey.conf
-%{strongswan_templates}/config/plugins/stroke.conf
 %{strongswan_templates}/config/plugins/tnc-imc.conf
 %{strongswan_templates}/config/plugins/tnc-imv.conf
 %{strongswan_templates}/config/plugins/tnc-pdp.conf
@@ -843,23 +768,22 @@ fi
 %{strongswan_templates}/config/plugins/xauth-generic.conf
 %{strongswan_templates}/config/plugins/xauth-pam.conf
 %{strongswan_templates}/config/plugins/xcbc.conf
-%{strongswan_templates}/config/plugins/curve25519.conf
 %{strongswan_templates}/config/plugins/vici.conf
 %{strongswan_templates}/config/plugins/bypass-lan.conf
 %{strongswan_templates}/config/strongswan.d/charon-systemd.conf
 %{strongswan_templates}/config/strongswan.d/charon-logging.conf
 %{strongswan_templates}/config/strongswan.d/charon.conf
+%{strongswan_templates}/config/strongswan.d/charon-nm.conf
 %{strongswan_templates}/config/strongswan.d/imcv.conf
+%{strongswan_templates}/config/strongswan.d/imv_policy_manager.conf
 %{strongswan_templates}/config/strongswan.d/pki.conf
 %{strongswan_templates}/config/strongswan.d/pool.conf
-%{strongswan_templates}/config/strongswan.d/starter.conf
 %{strongswan_templates}/config/strongswan.d/tnc.conf
 %{strongswan_templates}/config/strongswan.d/swanctl.conf
 %{strongswan_templates}/database/imv/data.sql
 %{strongswan_templates}/database/imv/tables.sql
 
 %if %{with nm}
-
 %files nm
 %dir %{_libexecdir}/ipsec
 %dir %{strongswan_plugins}
@@ -868,7 +792,6 @@ fi
 %endif
 
 %if %{with mysql}
-
 %files mysql
 %dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
@@ -888,7 +811,6 @@ fi
 %endif
 
 %if %{with sqlite}
-
 %files sqlite
 %dir %{strongswan_libdir}
 %dir %{strongswan_plugins}
@@ -907,7 +829,6 @@ fi
 %endif
 
 %if %{with tests}
-
 %files tests
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
@@ -927,4 +848,49 @@ fi
 %{strongswan_plugins}/libstrongswan-test-vectors.so
 %endif
 
+%if %{with stroke}
+%files ipsec
+%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.conf
+%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.secrets
+%dir %_sysconfdir/ipsec.d
+%dir %_sysconfdir/ipsec.d/crls
+%dir %_sysconfdir/ipsec.d/reqs
+%dir %_sysconfdir/ipsec.d/certs
+%dir %_sysconfdir/ipsec.d/acerts
+%dir %_sysconfdir/ipsec.d/aacerts
+%dir %_sysconfdir/ipsec.d/cacerts
+%dir %_sysconfdir/ipsec.d/ocspcerts
+%dir %attr(700,root,root) %_sysconfdir/ipsec.d/private
+%_sbindir/ipsec
+%_mandir/man8/ipsec.8*
+%_mandir/man5/ipsec.conf.5*
+%_mandir/man5/ipsec.secrets.5*
+%dir %_libexecdir/ipsec/
+%_libexecdir/ipsec/starter
+%_libexecdir/ipsec/stroke
+%_unitdir/strongswan-starter.service
+%dir %strongswan_plugins/
+%strongswan_plugins/libstrongswan-stroke.so
+%dir %strongswan_configs/
+%dir %strongswan_configs/charon/
+%config(noreplace) %attr(600,root,root) %strongswan_configs/starter.conf
+%config(noreplace) %attr(600,root,root) %strongswan_configs/charon/stroke.conf
+%dir %strongswan_templates/
+%dir %strongswan_templates/config/
+%dir %strongswan_templates/config/plugins/
+%strongswan_templates/config/plugins/stroke.conf
+%dir %strongswan_templates/config/strongswan.d/
+%strongswan_templates/config/strongswan.d/starter.conf
+%endif
+
+%files doc
+%dir %strongswan_docdir
+%strongswan_docdir/TODO
+%strongswan_docdir/NEWS
+%strongswan_docdir/README
+%strongswan_docdir/COPYING
+%strongswan_docdir/LICENSE
+%strongswan_docdir/AUTHORS
+%strongswan_docdir/ChangeLog
+
 %changelog