diff --git a/harden_strongswan.service.patch b/harden_strongswan.service.patch
index 08c57b5..7820dda 100644
--- a/harden_strongswan.service.patch
+++ b/harden_strongswan.service.patch
@@ -1,7 +1,7 @@
-Index: strongswan-5.9.3/init/systemd/strongswan.service.in
+Index: strongswan-5.9.5/init/systemd/strongswan.service.in
 ===================================================================
---- strongswan-5.9.3.orig/init/systemd/strongswan.service.in
-+++ strongswan-5.9.3/init/systemd/strongswan.service.in
+--- strongswan-5.9.5.orig/init/systemd/strongswan.service.in
++++ strongswan-5.9.5/init/systemd/strongswan.service.in
 @@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
  After=network-online.target
  
diff --git a/prf-plus-modularization.patch b/prf-plus-modularization.patch
new file mode 100644
index 0000000..e9a9c7a
--- /dev/null
+++ b/prf-plus-modularization.patch
@@ -0,0 +1,15368 @@
+Index: strongswan-5.9.5/Android.mk
+===================================================================
+--- strongswan-5.9.5.orig/Android.mk
++++ strongswan-5.9.5/Android.mk
+@@ -17,7 +17,7 @@ include $(CLEAR_VARS)
+ # this is the list of plugins that are built into libstrongswan and charon
+ # also these plugins are loaded by default (if not changed in strongswan.conf)
+ strongswan_CHARON_PLUGINS := android-log openssl fips-prf random nonce pubkey \
+-	pkcs1 pkcs8 pem xcbc hmac kernel-netlink socket-default android-dns \
++	pkcs1 pkcs8 pem xcbc hmac kdf kernel-netlink socket-default android-dns \
+ 	stroke eap-identity eap-mschapv2 eap-md5 eap-gtc
+ 
+ ifneq ($(strongswan_BUILD_SCEPCLIENT),)
+Index: strongswan-5.9.5/configure.ac
+===================================================================
+--- strongswan-5.9.5.orig/configure.ac
++++ strongswan-5.9.5/configure.ac
+@@ -148,6 +148,7 @@ ARG_ENABL_SET([gcrypt],         [enables
+ ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ ARG_DISBL_SET([curve25519],     [disable Curve25519 Diffie-Hellman plugin.])
+ ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
++ARG_DISBL_SET([kdf],            [disable KDF (prf+) implementation plugin.])
+ ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
+ ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
+ ARG_ENABL_SET([mgf1],           [enable the MGF1 software implementation plugin.])
+@@ -1494,6 +1495,7 @@ ADD_PLUGIN([chapoly],              [s ch
+ ADD_PLUGIN([xcbc],                 [s charon nm cmd])
+ ADD_PLUGIN([cmac],                 [s charon nm cmd])
+ ADD_PLUGIN([hmac],                 [s charon pki scripts nm cmd])
++ADD_PLUGIN([kdf],                  [s charon pki scripts nm cmd])
+ ADD_PLUGIN([ctr],                  [s charon scripts nm cmd])
+ ADD_PLUGIN([ccm],                  [s charon scripts nm cmd])
+ ADD_PLUGIN([gcm],                  [s charon scripts nm cmd])
+@@ -1647,6 +1649,7 @@ AM_CONDITIONAL(USE_DNSKEY, test x$dnskey
+ AM_CONDITIONAL(USE_SSHKEY, test x$sshkey = xtrue)
+ AM_CONDITIONAL(USE_PEM, test x$pem = xtrue)
+ AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue)
++AM_CONDITIONAL(USE_KDF, test x$kdf = xtrue)
+ AM_CONDITIONAL(USE_CMAC, test x$cmac = xtrue)
+ AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue)
+ AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue)
+@@ -1911,6 +1914,7 @@ AC_CONFIG_FILES([
+ 	src/libstrongswan/plugins/random/Makefile
+ 	src/libstrongswan/plugins/nonce/Makefile
+ 	src/libstrongswan/plugins/hmac/Makefile
++	src/libstrongswan/plugins/kdf/Makefile
+ 	src/libstrongswan/plugins/xcbc/Makefile
+ 	src/libstrongswan/plugins/x509/Makefile
+ 	src/libstrongswan/plugins/revocation/Makefile
+Index: strongswan-5.9.5/src/libcharon/kernel/kernel_interface.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libcharon/kernel/kernel_interface.h
++++ strongswan-5.9.5/src/libcharon/kernel/kernel_interface.h
+@@ -50,7 +50,6 @@ typedef struct kernel_interface_t kernel
+ typedef enum kernel_feature_t kernel_feature_t;
+ 
+ #include <networking/host.h>
+-#include <crypto/prf_plus.h>
+ 
+ #include <kernel/kernel_listener.h>
+ #include <kernel/kernel_ipsec.h>
+Index: strongswan-5.9.5/src/libcharon/plugins/stroke/stroke_list.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libcharon/plugins/stroke/stroke_list.c
++++ strongswan-5.9.5/src/libcharon/plugins/stroke/stroke_list.c
+@@ -849,6 +849,7 @@ static void list_algs(FILE *out)
+ 	hash_algorithm_t hash;
+ 	pseudo_random_function_t prf;
+ 	ext_out_function_t xof;
++	key_derivation_function_t kdf;
+ 	drbg_type_t drbg;
+ 	diffie_hellman_group_t group;
+ 	rng_quality_t quality;
+@@ -905,6 +906,14 @@ static void list_algs(FILE *out)
+ 		print_alg(out, &len, ext_out_function_names, xof, plugin_name);
+ 	}
+ 	enumerator->destroy(enumerator);
++	fprintf(out, "\n  kdf:       ");
++	len = 13;
++	enumerator = lib->crypto->create_kdf_enumerator(lib->crypto);
++	while (enumerator->enumerate(enumerator, &kdf, &plugin_name))
++	{
++		print_alg(out, &len, key_derivation_function_names, kdf, plugin_name);
++	}
++	enumerator->destroy(enumerator);
+ 	fprintf(out, "\n  drbg:      ");
+ 	len = 13;
+ 	enumerator = lib->crypto->create_drbg_enumerator(lib->crypto);
+Index: strongswan-5.9.5/src/libcharon/plugins/vici/vici_query.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libcharon/plugins/vici/vici_query.c
++++ strongswan-5.9.5/src/libcharon/plugins/vici/vici_query.c
+@@ -1266,6 +1266,7 @@ CALLBACK(get_algorithms, vici_message_t*
+ 	hash_algorithm_t hash;
+ 	pseudo_random_function_t prf;
+ 	ext_out_function_t xof;
++	key_derivation_function_t kdf;
+ 	drbg_type_t drbg;
+ 	diffie_hellman_group_t group;
+ 	rng_quality_t quality;
+@@ -1326,6 +1327,15 @@ CALLBACK(get_algorithms, vici_message_t*
+ 	}
+ 	enumerator->destroy(enumerator);
+ 	b->end_section(b);
++
++	b->begin_section(b, "kdf");
++	enumerator = lib->crypto->create_kdf_enumerator(lib->crypto);
++	while (enumerator->enumerate(enumerator, &kdf, &plugin_name))
++	{
++		add_algorithm(b, key_derivation_function_names, kdf, plugin_name);
++	}
++	enumerator->destroy(enumerator);
++	b->end_section(b);
+ 
+ 	b->begin_section(b, "drbg");
+ 	enumerator = lib->crypto->create_drbg_enumerator(lib->crypto);
+Index: strongswan-5.9.5/src/libcharon/sa/child_sa.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libcharon/sa/child_sa.h
++++ strongswan-5.9.5/src/libcharon/sa/child_sa.h
+@@ -29,7 +29,6 @@ typedef struct child_sa_t child_sa_t;
+ typedef struct child_sa_create_t child_sa_create_t;
+ 
+ #include <library.h>
+-#include <crypto/prf_plus.h>
+ #include <encoding/payloads/proposal_substructure.h>
+ #include <crypto/proposal/proposal.h>
+ #include <config/child_cfg.h>
+Index: strongswan-5.9.5/src/libcharon/sa/ikev1/keymat_v1.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libcharon/sa/ikev1/keymat_v1.c
++++ strongswan-5.9.5/src/libcharon/sa/ikev1/keymat_v1.c
+@@ -507,6 +507,36 @@ METHOD(keymat_v1_t, derive_ike_keys, boo
+ 										this->aead->get_block_size(this->aead));
+ }
+ 
++/**
++ * Derive key material for CHILD_SAs according to section 5.5. in RFC 2409.
++ */
++static bool derive_child_keymat(private_keymat_v1_t *this, chunk_t seed,
++								uint16_t enc_size, chunk_t *encr,
++								uint16_t int_size, chunk_t *integ)
++{
++	size_t block_size, i;
++	chunk_t keymat, prev = chunk_empty;
++
++	block_size = this->prf->get_block_size(this->prf);
++	keymat = chunk_alloc(round_up(enc_size + int_size, block_size));
++	keymat.len = enc_size + int_size;
++
++	for (i = 0; i < keymat.len; i += block_size)
++	{
++		if (!this->prf->get_bytes(this->prf, prev, NULL) ||
++			!this->prf->get_bytes(this->prf, seed, keymat.ptr + i))
++		{
++			chunk_clear(&keymat);
++			return FALSE;
++		}
++		prev = chunk_create(keymat.ptr + i, block_size);
++	}
++
++	chunk_split(keymat, "aa", enc_size, encr, int_size, integ);
++	chunk_clear(&keymat);
++	return TRUE;
++}
++
+ METHOD(keymat_v1_t, derive_child_keys, bool,
+ 	private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+ 	uint32_t spi_i, uint32_t spi_r, chunk_t nonce_i, chunk_t nonce_r,
+@@ -514,8 +544,7 @@ METHOD(keymat_v1_t, derive_child_keys, b
+ {
+ 	uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
+ 	uint8_t protocol;
+-	prf_plus_t *prf_plus;
+-	chunk_t seed, secret = chunk_empty;
++	chunk_t seed = chunk_empty, secret = chunk_empty;
+ 	bool success = FALSE;
+ 
+ 	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+@@ -599,11 +628,7 @@ METHOD(keymat_v1_t, derive_child_keys, b
+ 	seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
+ 					  chunk_from_thing(spi_r), nonce_i, nonce_r);
+ 	DBG4(DBG_CHD, "initiator SA seed %B", &seed);
+-
+-	prf_plus = prf_plus_create(this->prf, FALSE, seed);
+-	if (!prf_plus ||
+-		!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
+-		!prf_plus->allocate_bytes(prf_plus, int_size, integ_i))
++	if (!derive_child_keymat(this, seed, enc_size, encr_i, int_size, integ_i))
+ 	{
+ 		goto failure;
+ 	}
+@@ -611,11 +636,7 @@ METHOD(keymat_v1_t, derive_child_keys, b
+ 	seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
+ 					  chunk_from_thing(spi_i), nonce_i, nonce_r);
+ 	DBG4(DBG_CHD, "responder SA seed %B", &seed);
+-	prf_plus->destroy(prf_plus);
+-	prf_plus = prf_plus_create(this->prf, FALSE, seed);
+-	if (!prf_plus ||
+-		!prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
+-		!prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
++	if (!derive_child_keymat(this, seed, enc_size, encr_r, int_size, integ_r))
+ 	{
+ 		goto failure;
+ 	}
+@@ -640,7 +661,7 @@ failure:
+ 		chunk_clear(encr_r);
+ 		chunk_clear(integ_r);
+ 	}
+-	DESTROY_IF(prf_plus);
++	memwipe(seed.ptr, seed.len);
+ 	chunk_clear(&secret);
+ 
+ 	return success;
+Index: strongswan-5.9.5/src/libcharon/sa/ikev2/keymat_v2.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libcharon/sa/ikev2/keymat_v2.c
++++ strongswan-5.9.5/src/libcharon/sa/ikev2/keymat_v2.c
+@@ -17,7 +17,6 @@
+ #include "keymat_v2.h"
+ 
+ #include <daemon.h>
+-#include <crypto/prf_plus.h>
+ #include <crypto/hashers/hash_algorithm_set.h>
+ 
+ typedef struct private_keymat_v2_t private_keymat_v2_t;
+@@ -97,13 +96,12 @@ METHOD(keymat_t, create_nonce_gen, nonce
+ }
+ 
+ /**
+- * Derive IKE keys for a combined AEAD algorithm
++ * Create aead_t objects for a combined-mode AEAD algorithm, sets the length of
++ * sk_ei and sk_er
+  */
+-static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg,
+-							uint16_t key_size, prf_plus_t *prf_plus,
+-							chunk_t *sk_ei, chunk_t *sk_er)
++static bool create_ike_aead(private_keymat_v2_t *this, uint16_t alg,
++							uint16_t key_size, chunk_t *sk_ei, chunk_t *sk_er)
+ {
+-	aead_t *aead_i, *aead_r;
+ 	u_int salt_size;
+ 
+ 	switch (alg)
+@@ -131,201 +129,178 @@ static bool derive_ike_aead(private_keym
+ 			return FALSE;
+ 	}
+ 
+-	/* SK_ei/SK_er used for encryption */
+-	aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
+-	aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
+-	if (aead_i == NULL || aead_r == NULL)
++	this->aead_in = lib->crypto->create_aead(lib->crypto, alg, key_size / 8,
++											 salt_size);
++	this->aead_out = lib->crypto->create_aead(lib->crypto, alg, key_size / 8,
++											  salt_size);
++	if (!this->aead_in || !this->aead_out)
+ 	{
+ 		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+ 			 transform_type_names, ENCRYPTION_ALGORITHM,
+ 			 encryption_algorithm_names, alg, key_size);
+-		goto failure;
+-	}
+-	key_size = aead_i->get_key_size(aead_i);
+-	if (key_size != aead_r->get_key_size(aead_r))
+-	{
+-		goto failure;
+-	}
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ei))
+-	{
+-		goto failure;
+-	}
+-	DBG4(DBG_IKE, "Sk_ei secret %B", sk_ei);
+-	if (!aead_i->set_key(aead_i, *sk_ei))
+-	{
+-		goto failure;
+-	}
+-
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_er))
+-	{
+-		goto failure;
+-	}
+-	DBG4(DBG_IKE, "Sk_er secret %B", sk_er);
+-	if (!aead_r->set_key(aead_r, *sk_er))
+-	{
+-		goto failure;
+-	}
+-
+-	if (this->initiator)
+-	{
+-		this->aead_in = aead_r;
+-		this->aead_out = aead_i;
++		return FALSE;
+ 	}
+-	else
++	sk_ei->len = this->aead_in->get_key_size(this->aead_in);
++	sk_er->len = this->aead_out->get_key_size(this->aead_out);
++	if (sk_ei->len != sk_er->len)
+ 	{
+-		this->aead_in = aead_i;
+-		this->aead_out = aead_r;
++		return FALSE;
+ 	}
+-	aead_i = aead_r = NULL;
+-
+-failure:
+-	DESTROY_IF(aead_i);
+-	DESTROY_IF(aead_r);
+-	return this->aead_in && this->aead_out;
++	return TRUE;
+ }
+ 
+ /**
+- * Derive IKE keys for traditional encryption and MAC algorithms
++ * Create aead_t objects for traditional encryption and MAC algorithms, sets the
++ * length of key chunks
+  */
+-static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg,
+-					uint16_t enc_size, uint16_t int_alg, prf_plus_t *prf_plus,
+-					chunk_t *sk_ai, chunk_t *sk_ar, chunk_t *sk_ei,
+-					chunk_t *sk_er)
+-{
+-	crypter_t *crypter_i = NULL, *crypter_r = NULL;
+-	signer_t *signer_i, *signer_r;
+-	iv_gen_t *ivg_i, *ivg_r;
+-	size_t key_size;
++static bool create_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg,
++					uint16_t enc_size, uint16_t int_alg, chunk_t *sk_ai,
++					chunk_t *sk_ar, chunk_t *sk_ei, chunk_t *sk_er)
++{
++	crypter_t *crypter_i = NULL, *crypter_o = NULL;
++	signer_t *signer_i, *signer_o;
++	iv_gen_t *ivg_i, *ivg_o;
+ 
+ 	signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
+-	signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
+-	crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
+-	crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
+-	if (signer_i == NULL || signer_r == NULL)
++	signer_o = lib->crypto->create_signer(lib->crypto, int_alg);
++	if (!signer_i || !signer_o)
+ 	{
+ 		DBG1(DBG_IKE, "%N %N not supported!",
+ 			 transform_type_names, INTEGRITY_ALGORITHM,
+ 			 integrity_algorithm_names, int_alg);
+ 		goto failure;
+ 	}
+-	if (crypter_i == NULL || crypter_r == NULL)
++	crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
++	crypter_o = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
++	if (!crypter_i || !crypter_o)
+ 	{
+ 		DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
+ 			 transform_type_names, ENCRYPTION_ALGORITHM,
+ 			 encryption_algorithm_names, enc_alg, enc_size);
+ 		goto failure;
+ 	}
+-
+-	/* SK_ai/SK_ar used for integrity protection */
+-	key_size = signer_i->get_key_size(signer_i);
+-
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ai))
+-	{
+-		goto failure;
+-	}
+-	DBG4(DBG_IKE, "Sk_ai secret %B", sk_ai);
+-	if (!signer_i->set_key(signer_i, *sk_ai))
+-	{
+-		goto failure;
+-	}
+-
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ar))
+-	{
+-		goto failure;
+-	}
+-	DBG4(DBG_IKE, "Sk_ar secret %B", sk_ar);
+-	if (!signer_r->set_key(signer_r, *sk_ar))
+-	{
+-		goto failure;
+-	}
+-
+-	/* SK_ei/SK_er used for encryption */
+-	key_size = crypter_i->get_key_size(crypter_i);
+-
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ei))
+-	{
+-		goto failure;
+-	}
+-	DBG4(DBG_IKE, "Sk_ei secret %B", sk_ei);
+-	if (!crypter_i->set_key(crypter_i, *sk_ei))
+-	{
+-		goto failure;
+-	}
+-
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_er))
++	sk_ai->len = signer_i->get_key_size(signer_i);
++	sk_ar->len = signer_o->get_key_size(signer_o);
++	if (sk_ai->len != sk_ar->len)
+ 	{
+ 		goto failure;
+ 	}
+-	DBG4(DBG_IKE, "Sk_er secret %B", sk_er);
+-	if (!crypter_r->set_key(crypter_r, *sk_er))
++	sk_ei->len = crypter_i->get_key_size(crypter_i);
++	sk_er->len = crypter_o->get_key_size(crypter_o);
++	if (sk_ei->len != sk_er->len)
+ 	{
+ 		goto failure;
+ 	}
+-
+ 	ivg_i = iv_gen_create_for_alg(enc_alg);
+-	ivg_r = iv_gen_create_for_alg(enc_alg);
+-	if (!ivg_i || !ivg_r)
++	ivg_o = iv_gen_create_for_alg(enc_alg);
++	if (!ivg_i || !ivg_o)
+ 	{
+ 		goto failure;
+ 	}
+-	if (this->initiator)
+-	{
+-		this->aead_in = aead_create(crypter_r, signer_r, ivg_r);
+-		this->aead_out = aead_create(crypter_i, signer_i, ivg_i);
+-	}
+-	else
+-	{
+-		this->aead_in = aead_create(crypter_i, signer_i, ivg_i);
+-		this->aead_out = aead_create(crypter_r, signer_r, ivg_r);
+-	}
+-	signer_i = signer_r = NULL;
+-	crypter_i = crypter_r = NULL;
++	this->aead_in = aead_create(crypter_i, signer_i, ivg_i);
++	this->aead_out = aead_create(crypter_o, signer_o, ivg_o);
++	signer_i = signer_o = NULL;
++	crypter_i = crypter_o = NULL;
+ 
+ failure:
+ 	DESTROY_IF(signer_i);
+-	DESTROY_IF(signer_r);
++	DESTROY_IF(signer_o);
+ 	DESTROY_IF(crypter_i);
+-	DESTROY_IF(crypter_r);
++	DESTROY_IF(crypter_o);
+ 	return this->aead_in && this->aead_out;
+ }
+ 
++/**
++ * Set keys on AEAD objects
++ */
++static bool set_aead_keys(private_keymat_v2_t *this, uint16_t enc_alg,
++						  chunk_t sk_ai, chunk_t sk_ar,
++						  chunk_t sk_ei, chunk_t sk_er)
++{
++	aead_t *aead_i, *aead_r;
++	chunk_t sk_i, sk_r;
++	bool success;
++
++	aead_i = this->initiator ? this->aead_out : this->aead_in;
++	aead_r = this->initiator ? this->aead_in : this->aead_out;
++
++	sk_i = chunk_cat("cc", sk_ai, sk_ei);
++	sk_r = chunk_cat("cc", sk_ar, sk_er);
++
++	success = aead_i->set_key(aead_i, sk_i) &&
++			  aead_r->set_key(aead_r, sk_r);
++
++	chunk_clear(&sk_i);
++	chunk_clear(&sk_r);
++	return success;
++}
++
+ METHOD(keymat_v2_t, derive_ike_keys, bool,
+ 	private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
+ 	chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+ 	pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+ {
+ 	chunk_t skeyseed = chunk_empty, secret, full_nonce, fixed_nonce;
+-	chunk_t prf_plus_seed, spi_i, spi_r;
++	chunk_t prf_plus_seed, spi_i, spi_r, keymat = chunk_empty;
+ 	chunk_t sk_ei = chunk_empty, sk_er = chunk_empty;
+ 	chunk_t sk_ai = chunk_empty, sk_ar = chunk_empty, sk_pi, sk_pr;
+-	prf_plus_t *prf_plus = NULL;
+-	uint16_t alg, key_size, int_alg;
++	kdf_t *prf_plus = NULL;
++	uint16_t prf_alg, key_size, enc_alg, enc_size, int_alg;
+ 	prf_t *rekey_prf = NULL;
++	bool success = FALSE;
+ 
+ 	spi_i = chunk_alloca(sizeof(uint64_t));
+ 	spi_r = chunk_alloca(sizeof(uint64_t));
+ 
+-	if (!dh->get_shared_secret(dh, &secret))
++	/* create SA's general purpose PRF first, we may use it here */
++	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &prf_alg,
++								 NULL))
+ 	{
++		DBG1(DBG_IKE, "no %N selected",
++			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+ 		return FALSE;
+ 	}
++	this->prf_alg = prf_alg;
++	this->prf = lib->crypto->create_prf(lib->crypto, this->prf_alg);
++	if (!this->prf)
++	{
++		DBG1(DBG_IKE, "%N %N not supported!", transform_type_names,
++			 PSEUDO_RANDOM_FUNCTION, pseudo_random_function_names,
++			 this->prf_alg);
++		return FALSE;
++	}
++	key_size = this->prf->get_key_size(this->prf);
+ 
+-	/* Create SAs general purpose PRF first, we may use it here */
+-	if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
++	/* create SA's AEAD instances to determine key sizes */
++	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg,
++								 &enc_size))
+ 	{
+-		DBG1(DBG_IKE, "no %N selected",
+-			 transform_type_names, PSEUDO_RANDOM_FUNCTION);
+-		chunk_clear(&secret);
++		DBG1(DBG_IKE, "no %N selected", transform_type_names,
++			 ENCRYPTION_ALGORITHM);
+ 		return FALSE;
+ 	}
+-	this->prf_alg = alg;
+-	this->prf = lib->crypto->create_prf(lib->crypto, alg);
+-	if (this->prf == NULL)
++	if (!encryption_algorithm_is_aead(enc_alg))
++	{
++		if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg,
++									 NULL))
++		{
++			DBG1(DBG_IKE, "no %N selected", transform_type_names,
++				 INTEGRITY_ALGORITHM);
++			return FALSE;
++		}
++		if (!create_ike_traditional(this, enc_alg, enc_size, int_alg,
++									&sk_ai, &sk_ar, &sk_ei, &sk_er))
++		{
++			return FALSE;
++		}
++	}
++	else if (!create_ike_aead(this, enc_alg, enc_size, &sk_ei, &sk_er))
++	{
++		return FALSE;
++	}
++
++	if (!dh->get_shared_secret(dh, &secret))
+ 	{
+-		DBG1(DBG_IKE, "%N %N not supported!",
+-			 transform_type_names, PSEUDO_RANDOM_FUNCTION,
+-			 pseudo_random_function_names, alg);
+-		chunk_clear(&secret);
+ 		return FALSE;
+ 	}
+ 	DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
+@@ -333,7 +308,7 @@ METHOD(keymat_v2_t, derive_ike_keys, boo
+ 	full_nonce = chunk_cat("cc", nonce_i, nonce_r);
+ 	/* but the PRF may need a fixed key which only uses the first bytes of
+ 	 * the nonces. */
+-	switch (alg)
++	switch (prf_alg)
+ 	{
+ 		case PRF_AES128_CMAC:
+ 			/* while variable keys may be used according to RFC 4615, RFC 7296
+@@ -345,9 +320,8 @@ METHOD(keymat_v2_t, derive_ike_keys, boo
+ 		case PRF_CAMELLIA128_XCBC:
+ 			/* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
+ 			 * assume fixed key length. */
+-			key_size = this->prf->get_key_size(this->prf)/2;
+-			nonce_i.len = min(nonce_i.len, key_size);
+-			nonce_r.len = min(nonce_r.len, key_size);
++			nonce_i.len = min(nonce_i.len, key_size / 2);
++			nonce_r.len = min(nonce_r.len, key_size / 2);
+ 			break;
+ 		default:
+ 			/* all other algorithms use variable key length, full nonce */
+@@ -366,10 +340,10 @@ METHOD(keymat_v2_t, derive_ike_keys, boo
+ 	{
+ 		/* SKEYSEED = prf(Ni | Nr, g^ir) */
+ 		if (this->prf->set_key(this->prf, fixed_nonce) &&
+-			this->prf->allocate_bytes(this->prf, secret, &skeyseed) &&
+-			this->prf->set_key(this->prf, skeyseed))
++			this->prf->allocate_bytes(this->prf, secret, &skeyseed))
+ 		{
+-			prf_plus = prf_plus_create(this->prf, TRUE, prf_plus_seed);
++			prf_plus = lib->crypto->create_kdf(lib->crypto, KDF_PRF_PLUS,
++											   this->prf_alg);
+ 		}
+ 	}
+ 	else
+@@ -389,117 +363,96 @@ METHOD(keymat_v2_t, derive_ike_keys, boo
+ 		}
+ 		secret = chunk_cat("sc", secret, full_nonce);
+ 		if (rekey_prf->set_key(rekey_prf, rekey_skd) &&
+-			rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed) &&
+-			rekey_prf->set_key(rekey_prf, skeyseed))
++			rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed))
+ 		{
+-			prf_plus = prf_plus_create(rekey_prf, TRUE, prf_plus_seed);
++			prf_plus = lib->crypto->create_kdf(lib->crypto, KDF_PRF_PLUS,
++											   rekey_function);
+ 		}
+ 	}
+ 	DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
+ 
++	if (prf_plus &&
++		(!prf_plus->set_param(prf_plus, KDF_PARAM_KEY, skeyseed) ||
++		 !prf_plus->set_param(prf_plus, KDF_PARAM_SALT, prf_plus_seed)))
++	{
++		prf_plus->destroy(prf_plus);
++		prf_plus = NULL;
++	}
++
+ 	chunk_clear(&skeyseed);
+ 	chunk_clear(&secret);
+ 	chunk_free(&full_nonce);
+ 	chunk_free(&fixed_nonce);
+ 	chunk_clear(&prf_plus_seed);
++	DESTROY_IF(rekey_prf);
+ 
+ 	if (!prf_plus)
+ 	{
+ 		goto failure;
+ 	}
+ 
+-	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
+-
+-	/* SK_d is used for generating CHILD_SA key mat => store for later use */
+-	key_size = this->prf->get_key_size(this->prf);
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &this->skd))
+-	{
+-		goto failure;
+-	}
+-	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
+-
+-	if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
++	/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
++	 *
++	 * SK_d, SK_pi and SK_pr have the size of the PRF key
++	 */
++	keymat.len = 3 * key_size + sk_ai.len + sk_ar.len + sk_ei.len + sk_er.len;
++	if (!prf_plus->allocate_bytes(prf_plus, keymat.len, &keymat))
+ 	{
+-		DBG1(DBG_IKE, "no %N selected",
+-			 transform_type_names, ENCRYPTION_ALGORITHM);
+ 		goto failure;
+ 	}
++	chunk_split(keymat, "ammmmaa", key_size, &this->skd, sk_ai.len, &sk_ai,
++				sk_ar.len, &sk_ar, sk_ei.len, &sk_ei, sk_er.len, &sk_er,
++				key_size, &sk_pi, key_size, &sk_pr);
+ 
+-	if (encryption_algorithm_is_aead(alg))
+-	{
+-		if (!derive_ike_aead(this, alg, key_size, prf_plus, &sk_ei, &sk_er))
+-		{
+-			goto failure;
+-		}
+-	}
+-	else
+-	{
+-		if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
+-									 &int_alg, NULL))
+-		{
+-			DBG1(DBG_IKE, "no %N selected",
+-				 transform_type_names, INTEGRITY_ALGORITHM);
+-			goto failure;
+-		}
+-		if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus,
+-									&sk_ai, &sk_ar, &sk_ei, &sk_er))
+-		{
+-			goto failure;
+-		}
++	/* SK_d is used for generating CHILD_SA key mat => store for later use */
++	DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
++	if (!encryption_algorithm_is_aead(enc_alg))
++	{	/* SK_ai/SK_ar used for integrity protection */
++		DBG4(DBG_IKE, "Sk_ai secret %B", &sk_ai);
++		DBG4(DBG_IKE, "Sk_ar secret %B", &sk_ar);
+ 	}
+-
+-	/* SK_pi/SK_pr used for authentication => stored for later */
+-	key_size = this->prf->get_key_size(this->prf);
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_pi))
++	/* SK_ei/SK_er used for encryption */
++	DBG4(DBG_IKE, "Sk_ei secret %B", &sk_ei);
++	DBG4(DBG_IKE, "Sk_er secret %B", &sk_er);
++	if (!set_aead_keys(this, enc_alg, sk_ai, sk_ar, sk_ei, sk_er))
+ 	{
+ 		goto failure;
+ 	}
++	/* SK_pi/SK_pr used for authentication => stored for later */
+ 	DBG4(DBG_IKE, "Sk_pi secret %B", &sk_pi);
+-	if (this->initiator)
+-	{
+-		this->skp_build = sk_pi;
+-	}
+-	else
+-	{
+-		this->skp_verify = sk_pi;
+-	}
+-	if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_pr))
+-	{
+-		goto failure;
+-	}
+ 	DBG4(DBG_IKE, "Sk_pr secret %B", &sk_pr);
+ 	if (this->initiator)
+ 	{
++		this->skp_build = sk_pi;
+ 		this->skp_verify = sk_pr;
+ 	}
+ 	else
+ 	{
+ 		this->skp_build = sk_pr;
++		this->skp_verify = sk_pi;
+ 	}
+-	charon->bus->ike_derived_keys(charon->bus,this->skd, sk_ai, sk_ar, sk_ei,
+-								  sk_er, sk_pi, sk_pr);
++	charon->bus->ike_derived_keys(charon->bus, this->skd, sk_ai, sk_ar,
++								  sk_ei, sk_er, sk_pi, sk_pr);
++	success = TRUE;
+ 
+ failure:
+-	chunk_clear(&sk_ai);
+-	chunk_clear(&sk_ar);
+-	chunk_clear(&sk_ei);
+-	chunk_clear(&sk_er);
++	chunk_clear(&keymat);
+ 	DESTROY_IF(prf_plus);
+-	DESTROY_IF(rekey_prf);
+-
+-	return this->skp_build.len && this->skp_verify.len;
++	return success;
+ }
+ 
+ /**
+- * Derives a key from the given key and a PRF that was initialized with a PPK
++ * Derives a new key from the given PPK and old key
+  */
+-static bool derive_ppk_key(prf_t *prf, char *name, chunk_t key,
+-						   chunk_t *new_key)
++static bool derive_ppk_key(private_keymat_v2_t *this, char *name, chunk_t ppk,
++						   chunk_t key, chunk_t *new_key)
+ {
+-	prf_plus_t *prf_plus;
++	kdf_t *prf_plus;
+ 
+-	prf_plus = prf_plus_create(prf, TRUE, key);
++	prf_plus = lib->crypto->create_kdf(lib->crypto, KDF_PRF_PLUS, this->prf_alg);
+ 	if (!prf_plus ||
++		!prf_plus->set_param(prf_plus, KDF_PARAM_KEY, ppk) ||
++		!prf_plus->set_param(prf_plus, KDF_PARAM_SALT, key) ||
+ 		!prf_plus->allocate_bytes(prf_plus, key.len, new_key))
+ 	{
+ 		DBG1(DBG_IKE, "unable to derive %s with PPK", name);
+@@ -510,20 +463,6 @@ static bool derive_ppk_key(prf_t *prf, c
+ 	return TRUE;
+ }
+ 
+-/**
+- * Use the given PPK to derive a new SK_pi/r
+- */
+-static bool derive_skp_ppk(private_keymat_v2_t *this, chunk_t ppk, chunk_t skp,
+-						   chunk_t *new_skp)
+-{
+-	if (!this->prf->set_key(this->prf, ppk))
+-	{
+-		DBG1(DBG_IKE, "unable to set PPK in PRF");
+-		return FALSE;
+-	}
+-	return derive_ppk_key(this->prf, "SK_p", skp, new_skp);
+-}
+-
+ METHOD(keymat_v2_t, derive_ike_keys_ppk, bool,
+ 	private_keymat_v2_t *this, chunk_t ppk)
+ {
+@@ -548,14 +487,9 @@ METHOD(keymat_v2_t, derive_ike_keys_ppk,
+ 
+ 	DBG4(DBG_IKE, "derive keys using PPK %B", &ppk);
+ 
+-	if (!this->prf->set_key(this->prf, ppk))
+-	{
+-		DBG1(DBG_IKE, "unable to set PPK in PRF");
+-		return FALSE;
+-	}
+-	if (!derive_ppk_key(this->prf, "Sk_d", this->skd, &skd) ||
+-		!derive_ppk_key(this->prf, "Sk_pi", *skpi, &new_skpi) ||
+-		!derive_ppk_key(this->prf, "Sk_pr", *skpr, &new_skpr))
++	if (!derive_ppk_key(this, "Sk_d", ppk, this->skd, &skd) ||
++		!derive_ppk_key(this, "Sk_pi", ppk, *skpi, &new_skpi) ||
++		!derive_ppk_key(this, "Sk_pr", ppk, *skpr, &new_skpr))
+ 	{
+ 		chunk_clear(&skd);
+ 		chunk_clear(&new_skpi);
+@@ -583,8 +517,8 @@ METHOD(keymat_v2_t, derive_child_keys, b
+ 	chunk_t *encr_r, chunk_t *integ_r)
+ {
+ 	uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
+-	chunk_t seed, secret = chunk_empty;
+-	prf_plus_t *prf_plus;
++	chunk_t seed, secret = chunk_empty, keymat = chunk_empty;
++	kdf_t *prf_plus;
+ 
+ 	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
+ 								&enc_alg, &enc_size))
+@@ -650,11 +584,6 @@ METHOD(keymat_v2_t, derive_child_keys, b
+ 		int_size /= 8;
+ 	}
+ 
+-	if (!this->prf->set_key(this->prf, this->skd))
+-	{
+-		return FALSE;
+-	}
+-
+ 	if (dh)
+ 	{
+ 		if (!dh->get_shared_secret(dh, &secret))
+@@ -666,30 +595,30 @@ METHOD(keymat_v2_t, derive_child_keys, b
+ 	seed = chunk_cata("scc", secret, nonce_i, nonce_r);
+ 	DBG4(DBG_CHD, "seed %B", &seed);
+ 
+-	prf_plus = prf_plus_create(this->prf, TRUE, seed);
+-	memwipe(seed.ptr, seed.len);
+-
+-	if (!prf_plus)
++	prf_plus = lib->crypto->create_kdf(lib->crypto, KDF_PRF_PLUS, this->prf_alg);
++	if (!prf_plus ||
++		!prf_plus->set_param(prf_plus, KDF_PARAM_KEY, this->skd) ||
++		!prf_plus->set_param(prf_plus, KDF_PARAM_SALT, seed))
+ 	{
++		DESTROY_IF(prf_plus);
++		memwipe(seed.ptr, seed.len);
+ 		return FALSE;
+ 	}
++	memwipe(seed.ptr, seed.len);
+ 
+ 	*encr_i = *integ_i = *encr_r = *integ_r = chunk_empty;
+-	if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
+-		!prf_plus->allocate_bytes(prf_plus, int_size, integ_i) ||
+-		!prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
+-		!prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
+-	{
+-		chunk_free(encr_i);
+-		chunk_free(integ_i);
+-		chunk_free(encr_r);
+-		chunk_free(integ_r);
++	keymat.len = 2 * enc_size + 2 * int_size;
++	if (!prf_plus->allocate_bytes(prf_plus, keymat.len, &keymat))
++	{
+ 		prf_plus->destroy(prf_plus);
+ 		return FALSE;
+ 	}
+-
+ 	prf_plus->destroy(prf_plus);
+ 
++	chunk_split(keymat, "aaaa", enc_size, encr_i, int_size, integ_i,
++				enc_size, encr_r, int_size, integ_r);
++	chunk_clear(&keymat);
++
+ 	if (enc_size)
+ 	{
+ 		DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
+@@ -729,7 +658,7 @@ METHOD(keymat_v2_t, get_auth_octets, boo
+ 	if (ppk.ptr)
+ 	{
+ 		DBG4(DBG_IKE, "PPK %B", &ppk);
+-		if (!derive_skp_ppk(this, ppk, skp, &skp_ppk))
++		if (!derive_ppk_key(this, "SK_p", ppk, skp, &skp_ppk))
+ 		{
+ 			return FALSE;
+ 		}
+@@ -775,7 +704,7 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
+ 		secret = verify ? this->skp_verify : this->skp_build;
+ 		if (ppk.ptr)
+ 		{
+-			if (!derive_skp_ppk(this, ppk, secret, &skp_ppk))
++			if (!derive_ppk_key(this, "SK_p", ppk, secret, &skp_ppk))
+ 			{
+ 				return FALSE;
+ 			}
+Index: strongswan-5.9.5/src/libstrongswan/Android.mk
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/Android.mk
++++ strongswan-5.9.5/src/libstrongswan/Android.mk
+@@ -13,11 +13,11 @@ crypto/hashers/hash_algorithm_set.c cryp
+ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
+ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
+ crypto/rngs/rng.c crypto/rngs/rng_tester.c \
+-crypto/prf_plus.c crypto/signers/signer.c \
++crypto/signers/signer.c \
+ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
+ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
+ crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+-crypto/iv/iv_gen_null.c \
++crypto/iv/iv_gen_null.c crypto/kdfs/kdf.c \
+ crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \
+ credentials/credential_factory.c credentials/builder.c \
+ credentials/cred_encoding.c credentials/keys/private_key.c \
+@@ -91,6 +91,8 @@ endif
+ 
+ LOCAL_SRC_FILES += $(call add_plugin, hmac)
+ 
++LOCAL_SRC_FILES += $(call add_plugin, kdf)
++
+ LOCAL_SRC_FILES += $(call add_plugin, md4)
+ 
+ LOCAL_SRC_FILES += $(call add_plugin, md5)
+Index: strongswan-5.9.5/src/libstrongswan/Makefile.am
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/Makefile.am
++++ strongswan-5.9.5/src/libstrongswan/Makefile.am
+@@ -11,11 +11,11 @@ crypto/hashers/hash_algorithm_set.c cryp
+ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
+ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
+ crypto/rngs/rng.c crypto/rngs/rng_tester.c \
+-crypto/prf_plus.c crypto/signers/signer.c \
++crypto/signers/signer.c \
+ crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
+ crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
+ crypto/iv/iv_gen.c crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+-crypto/iv/iv_gen_null.c \
++crypto/iv/iv_gen_null.c crypto/kdfs/kdf.c \
+ crypto/xofs/xof.c crypto/xofs/xof_bitspender.c \
+ credentials/credential_factory.c credentials/builder.c \
+ credentials/cred_encoding.c credentials/keys/private_key.c \
+@@ -77,11 +77,12 @@ crypto/hashers/hash_algorithm_set.h cryp
+ crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
+ crypto/rngs/rng.h crypto/rngs/rng_tester.h \
+ crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/nonce_gen.h \
+-crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
++crypto/signers/signer.h crypto/signers/mac_signer.h \
+ crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
+ crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
+ crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h crypto/iv/iv_gen_null.h \
+ crypto/xofs/xof.h crypto/xofs/xof_bitspender.h crypto/xofs/mgf1.h \
++crypto/kdfs/kdf.h \
+ credentials/credential_factory.h credentials/builder.h \
+ credentials/cred_encoding.h credentials/keys/private_key.h \
+ credentials/keys/public_key.h credentials/keys/shared_key.h \
+@@ -390,6 +391,13 @@ if MONOLITHIC
+ endif
+ endif
+ 
++if USE_KDF
++  SUBDIRS += plugins/kdf
++if MONOLITHIC
++  libstrongswan_la_LIBADD += plugins/kdf/libstrongswan-kdf.la
++endif
++endif
++
+ if USE_CMAC
+   SUBDIRS += plugins/cmac
+ if MONOLITHIC
+Index: strongswan-5.9.5/src/libstrongswan/crypto/crypto_factory.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/crypto_factory.c
++++ strongswan-5.9.5/src/libstrongswan/crypto/crypto_factory.c
+@@ -23,8 +23,6 @@
+ #include <crypto/crypto_tester.h>
+ #include <utils/test.h>
+ 
+-const char *default_plugin_name = "default";
+-
+ typedef struct entry_t entry_t;
+ 
+ struct entry_t {
+@@ -53,6 +51,7 @@ struct entry_t {
+ 		hasher_constructor_t create_hasher;
+ 		prf_constructor_t create_prf;
+ 		xof_constructor_t create_xof;
++		kdf_constructor_t create_kdf;
+ 		drbg_constructor_t create_drbg;
+ 		rng_constructor_t create_rng;
+ 		nonce_gen_constructor_t create_nonce_gen;
+@@ -104,6 +103,11 @@ struct private_crypto_factory_t {
+ 	linked_list_t *xofs;
+ 
+ 	/**
++	 * registered kdfs, as entry_t
++	 */
++	linked_list_t *kdfs;
++
++	/**
+ 	 * registered drbgs, as entry_t
+ 	 */
+ 	linked_list_t *drbgs;
+@@ -171,7 +175,7 @@ METHOD(crypto_factory_t, create_crypter,
+ 			if (this->test_on_create &&
+ 				!this->tester->test_crypter(this->tester, algo, key_size,
+ 											entry->create_crypter, NULL,
+-											default_plugin_name))
++											entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -204,7 +208,7 @@ METHOD(crypto_factory_t, create_aead, ae
+ 			if (this->test_on_create &&
+ 				!this->tester->test_aead(this->tester, algo, key_size,
+ 										 salt_size, entry->create_aead, NULL,
+-										 default_plugin_name))
++										 entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -236,7 +240,7 @@ METHOD(crypto_factory_t, create_signer,
+ 			if (this->test_on_create &&
+ 				!this->tester->test_signer(this->tester, algo,
+ 										   entry->create_signer, NULL,
+-										   default_plugin_name))
++										   entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -268,7 +272,7 @@ METHOD(crypto_factory_t, create_hasher,
+ 			if (this->test_on_create &&
+ 				!this->tester->test_hasher(this->tester, algo,
+ 										   entry->create_hasher, NULL,
+-										   default_plugin_name))
++										   entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -300,7 +304,7 @@ METHOD(crypto_factory_t, create_prf, prf
+ 			if (this->test_on_create &&
+ 				!this->tester->test_prf(this->tester, algo,
+ 										entry->create_prf, NULL,
+-										default_plugin_name))
++										entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -332,7 +336,7 @@ METHOD(crypto_factory_t, create_xof, xof
+ 			if (this->test_on_create &&
+ 				!this->tester->test_xof(this->tester, algo,
+ 										entry->create_xof, NULL,
+-										default_plugin_name))
++										entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -348,6 +352,48 @@ METHOD(crypto_factory_t, create_xof, xof
+ 	return xof;
+ }
+ 
++METHOD(crypto_factory_t, create_kdf, kdf_t*,
++	private_crypto_factory_t *this, key_derivation_function_t algo, ...)
++{
++	enumerator_t *enumerator;
++	entry_t *entry;
++	va_list args;
++	kdf_t *kdf = NULL;
++
++	this->lock->read_lock(this->lock);
++	enumerator = this->kdfs->create_enumerator(this->kdfs);
++	while (enumerator->enumerate(enumerator, &entry))
++	{
++		if (entry->algo == algo)
++		{
++			if (this->test_on_create)
++			{
++				kdf_test_args_t test_args = {};
++
++				va_start(test_args.args, algo);
++				if (!this->tester->test_kdf(this->tester, algo,
++											entry->create_kdf, &test_args, NULL,
++											entry->plugin_name))
++				{
++					va_end(test_args.args);
++					continue;
++				}
++				va_end(test_args.args);
++			}
++			va_start(args, algo);
++			kdf = entry->create_kdf(algo, args);
++			va_end(args);
++			if (kdf)
++			{
++				break;
++			}
++		}
++	}
++	enumerator->destroy(enumerator);
++	this->lock->unlock(this->lock);
++	return kdf;
++}
++
+ METHOD(crypto_factory_t, create_drbg, drbg_t*,
+ 	private_crypto_factory_t *this, drbg_type_t type, uint32_t strength,
+ 	rng_t *entropy, chunk_t personalization_str)
+@@ -365,7 +411,7 @@ METHOD(crypto_factory_t, create_drbg, dr
+ 			if (this->test_on_create &&
+ 				!this->tester->test_drbg(this->tester, type,
+ 										 entry->create_drbg, NULL,
+-										 default_plugin_name))
++										 entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -398,7 +444,7 @@ METHOD(crypto_factory_t, create_rng, rng
+ 			if (this->test_on_create &&
+ 				!this->tester->test_rng(this->tester, quality,
+ 										entry->create_rng, NULL,
+-										default_plugin_name))
++										entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -462,7 +508,7 @@ METHOD(crypto_factory_t, create_dh, diff
+ 		{
+ 			if (this->test_on_create && group != MODP_CUSTOM &&
+ 				!this->tester->test_dh(this->tester, group,
+-								entry->create_dh, NULL, default_plugin_name))
++								entry->create_dh, NULL, entry->plugin_name))
+ 			{
+ 				continue;
+ 			}
+@@ -749,6 +795,43 @@ METHOD(crypto_factory_t, remove_xof, voi
+ 	this->lock->unlock(this->lock);
+ }
+ 
++METHOD(crypto_factory_t, add_kdf, bool,
++	private_crypto_factory_t *this, key_derivation_function_t algo,
++	const char *plugin_name, kdf_constructor_t create)
++{
++	u_int speed = 0;
++
++	if (!this->test_on_add ||
++		this->tester->test_kdf(this->tester, algo, create, NULL,
++							   this->bench ? &speed : NULL, plugin_name))
++	{
++		add_entry(this, this->kdfs, algo, plugin_name, 0, create);
++		return TRUE;
++	}
++	this->test_failures++;
++	return FALSE;
++}
++
++METHOD(crypto_factory_t, remove_kdf, void,
++	private_crypto_factory_t *this, kdf_constructor_t create)
++{
++	entry_t *entry;
++	enumerator_t *enumerator;
++
++	this->lock->write_lock(this->lock);
++	enumerator = this->kdfs->create_enumerator(this->kdfs);
++	while (enumerator->enumerate(enumerator, &entry))
++	{
++		if (entry->create_kdf == create)
++		{
++			this->kdfs->remove_at(this->kdfs, enumerator);
++			free(entry);
++		}
++	}
++	enumerator->destroy(enumerator);
++	this->lock->unlock(this->lock);
++}
++
+ METHOD(crypto_factory_t, add_drbg, bool,
+ 	private_crypto_factory_t *this, drbg_type_t type,
+ 	const char *plugin_name, drbg_constructor_t create)
+@@ -1058,6 +1141,30 @@ METHOD(crypto_factory_t, create_xof_enum
+ 	return create_enumerator(this, this->xofs, xof_filter);
+ }
+ 
++CALLBACK(kdf_filter, bool,
++	void *n, enumerator_t *orig, va_list args)
++{
++	entry_t *entry;
++	key_derivation_function_t *algo;
++	const char **plugin_name;
++
++	VA_ARGS_VGET(args, algo, plugin_name);
++
++	if (orig->enumerate(orig, &entry))
++	{
++		*algo = entry->algo;
++		*plugin_name = entry->plugin_name;
++		return TRUE;
++	}
++	return FALSE;
++}
++
++METHOD(crypto_factory_t, create_kdf_enumerator, enumerator_t*,
++	private_crypto_factory_t *this)
++{
++	return create_enumerator(this, this->kdfs, kdf_filter);
++}
++
+ CALLBACK(drbg_filter, bool,
+ 	void *n, enumerator_t *orig, va_list args)
+ {
+@@ -1169,6 +1276,8 @@ METHOD(crypto_factory_t, add_test_vector
+ 			return this->tester->add_prf_vector(this->tester, vector);
+ 		case EXTENDED_OUTPUT_FUNCTION:
+ 			return this->tester->add_xof_vector(this->tester, vector);
++		case KEY_DERIVATION_FUNCTION:
++			return this->tester->add_kdf_vector(this->tester, vector);
+ 		case DETERMINISTIC_RANDOM_BIT_GENERATOR:
+ 			return this->tester->add_drbg_vector(this->tester, vector);
+ 		case RANDOM_NUMBER_GENERATOR:
+@@ -1232,6 +1341,10 @@ METHOD(enumerator_t, verify_enumerate, b
+ 			*valid = this->tester->test_xof(this->tester, entry->algo,
+ 							entry->create_xof, NULL, entry->plugin_name);
+ 			break;
++		case KEY_DERIVATION_FUNCTION:
++			*valid = this->tester->test_kdf(this->tester, entry->algo,
++							entry->create_kdf, NULL, NULL, entry->plugin_name);
++			break;
+ 		case DETERMINISTIC_RANDOM_BIT_GENERATOR:
+ 			*valid = this->tester->test_drbg(this->tester, entry->algo,
+ 							entry->create_drbg, NULL, entry->plugin_name);
+@@ -1287,6 +1400,9 @@ METHOD(crypto_factory_t, create_verify_e
+ 		case EXTENDED_OUTPUT_FUNCTION:
+ 			inner = this->xofs->create_enumerator(this->xofs);
+ 			break;
++		case KEY_DERIVATION_FUNCTION:
++			inner = this->kdfs->create_enumerator(this->kdfs);
++			break;
+ 		case DETERMINISTIC_RANDOM_BIT_GENERATOR:
+ 			inner = this->drbgs->create_enumerator(this->drbgs);
+ 			break;
+@@ -1323,6 +1439,7 @@ METHOD(crypto_factory_t, destroy, void,
+ 	this->hashers->destroy(this->hashers);
+ 	this->prfs->destroy(this->prfs);
+ 	this->xofs->destroy(this->xofs);
++	this->kdfs->destroy(this->kdfs);
+ 	this->drbgs->destroy(this->drbgs);
+ 	this->rngs->destroy(this->rngs);
+ 	this->nonce_gens->destroy(this->nonce_gens);
+@@ -1347,6 +1464,7 @@ crypto_factory_t *crypto_factory_create(
+ 			.create_hasher = _create_hasher,
+ 			.create_prf = _create_prf,
+ 			.create_xof = _create_xof,
++			.create_kdf = _create_kdf,
+ 			.create_drbg = _create_drbg,
+ 			.create_rng = _create_rng,
+ 			.create_nonce_gen = _create_nonce_gen,
+@@ -1363,6 +1481,8 @@ crypto_factory_t *crypto_factory_create(
+ 			.remove_prf = _remove_prf,
+ 			.add_xof = _add_xof,
+ 			.remove_xof = _remove_xof,
++			.add_kdf = _add_kdf,
++			.remove_kdf = _remove_kdf,
+ 			.add_drbg = _add_drbg,
+ 			.remove_drbg = _remove_drbg,
+ 			.add_rng = _add_rng,
+@@ -1377,6 +1497,7 @@ crypto_factory_t *crypto_factory_create(
+ 			.create_hasher_enumerator = _create_hasher_enumerator,
+ 			.create_prf_enumerator = _create_prf_enumerator,
+ 			.create_xof_enumerator = _create_xof_enumerator,
++			.create_kdf_enumerator = _create_kdf_enumerator,
+ 			.create_drbg_enumerator = _create_drbg_enumerator,
+ 			.create_dh_enumerator = _create_dh_enumerator,
+ 			.create_rng_enumerator = _create_rng_enumerator,
+@@ -1391,6 +1512,7 @@ crypto_factory_t *crypto_factory_create(
+ 		.hashers = linked_list_create(),
+ 		.prfs = linked_list_create(),
+ 		.xofs = linked_list_create(),
++		.kdfs = linked_list_create(),
+ 		.drbgs = linked_list_create(),
+ 		.rngs = linked_list_create(),
+ 		.nonce_gens = linked_list_create(),
+Index: strongswan-5.9.5/src/libstrongswan/crypto/crypto_factory.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/crypto_factory.h
++++ strongswan-5.9.5/src/libstrongswan/crypto/crypto_factory.h
+@@ -33,6 +33,7 @@ typedef struct crypto_factory_t crypto_f
+ #include <crypto/prfs/prf.h>
+ #include <crypto/rngs/rng.h>
+ #include <crypto/xofs/xof.h>
++#include <crypto/kdfs/kdf.h>
+ #include <crypto/drbgs/drbg.h>
+ #include <crypto/nonce_gen.h>
+ #include <crypto/diffie_hellman.h>
+@@ -71,6 +72,14 @@ typedef prf_t* (*prf_constructor_t)(pseu
+ typedef xof_t* (*xof_constructor_t)(ext_out_function_t algo);
+ 
+ /**
++ * Constructor function for key derivation functions
++ *
++ * The additional arguments depend on the algorithm, see comments
++ * for key_derivation_function_t.
++ */
++typedef kdf_t* (*kdf_constructor_t)(key_derivation_function_t algo, va_list args);
++
++/**
+  * Constructor function for deterministic random bit generators
+  */
+ typedef drbg_t* (*drbg_constructor_t)(drbg_type_t type, uint32_t strength,
+@@ -154,6 +163,20 @@ struct crypto_factory_t {
+ 	 */
+ 	xof_t* (*create_xof)(crypto_factory_t *this, ext_out_function_t algo);
+ 
++
++	/**
++	 * Create a key derivation function instance.
++	 *
++	 * Additional arguments depend on the KDF, please refer to the comments in
++	 * key_derivation_function_t.
++	 *
++	 * @param algo			KDF to create
++	 * @param ...			arguments depending on algo
++	 * @return				kdf_t instance, NULL if not supported
++	 */
++	kdf_t* (*create_kdf)(crypto_factory_t *this,
++						 key_derivation_function_t algo, ...);
++
+ 	/**
+ 	 * Create a deterministic random bit generator instance.
+ 	 *
+@@ -306,6 +329,24 @@ struct crypto_factory_t {
+ 	void (*remove_xof)(crypto_factory_t *this, xof_constructor_t create);
+ 
+ 	/**
++	 * Register a kdf constructor.
++	 *
++	 * @param algo			algorithm to constructor
++	 * @param plugin_name	plugin that registered this algorithm
++	 * @param create		constructor function for that algorithm
++	 * @return				TRUE if registered, FALSE if test vector failed
++	 */
++	bool (*add_kdf)(crypto_factory_t *this, key_derivation_function_t algo,
++					const char *plugin_name, kdf_constructor_t create);
++
++	/**
++	 * Unregister a kdf constructor.
++	 *
++	 * @param create		constructor function to unregister
++	 */
++	void (*remove_kdf)(crypto_factory_t *this, kdf_constructor_t create);
++
++	/**
+ 	 * Register a drbg constructor.
+ 	 *
+ 	 * @param type			type to constructor
+@@ -420,6 +461,13 @@ struct crypto_factory_t {
+ 	enumerator_t* (*create_xof_enumerator)(crypto_factory_t *this);
+ 
+ 	/**
++	 * Create an enumerator over all registered KDFs.
++	 *
++	 * @return				enumerator over key_derivation_function_t, plugin
++	 */
++	enumerator_t* (*create_kdf_enumerator)(crypto_factory_t *this);
++
++	/**
+ 	 * Create an enumerator over all registered DRBGs.
+ 	 *
+ 	 * @return				enumerator over drbg_type_t, plugin
+Index: strongswan-5.9.5/src/libstrongswan/crypto/crypto_tester.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/crypto_tester.c
++++ strongswan-5.9.5/src/libstrongswan/crypto/crypto_tester.c
+@@ -70,6 +70,11 @@ struct private_crypto_tester_t {
+ 	linked_list_t *xof;
+ 
+ 	/**
++	 * List of KDF test vectors
++	 */
++	linked_list_t *kdf;
++
++	/**
+ 	 * List of DRBG test vectors
+ 	 */
+ 	linked_list_t *drbg;
+@@ -1186,6 +1191,185 @@ failure:
+ 	return !failed;
+ }
+ 
++
++
++/**
++ * Create a KDF using the given arguments
++ */
++static kdf_t *create_kdf_args(kdf_constructor_t create,
++							  key_derivation_function_t alg, ...)
++{
++	va_list args;
++	kdf_t *kdf;
++
++	va_start(args, alg);
++	kdf = create(alg, args);
++	va_end(args);
++	return kdf;
++}
++
++/**
++ * Create a KDF using arguments from the given test vector
++ */
++static kdf_t *create_kdf_vector(kdf_constructor_t create,
++								key_derivation_function_t alg,
++								kdf_test_vector_t *vector)
++{
++	switch (alg)
++	{
++		case KDF_PRF_PLUS:
++			return create_kdf_args(create, alg, vector->arg.prf);
++		case KDF_UNDEFINED:
++			break;
++	}
++	return NULL;
++}
++
++/**
++ * Check if the given test vector applies to the passed arguments
++ */
++static bool kdf_vector_applies(key_derivation_function_t alg,
++							   kdf_test_args_t *args, kdf_test_vector_t *vector)
++{
++	bool applies = FALSE;
++
++	switch (alg)
++	{
++		case KDF_PRF_PLUS:
++		{
++			pseudo_random_function_t prf;
++			VA_ARGS_VGET(args->args, prf);
++			applies = (prf == vector->arg.prf);
++			break;
++		}
++		case KDF_UNDEFINED:
++			break;
++	}
++	return applies;
++}
++
++METHOD(crypto_tester_t, test_kdf, bool,
++	private_crypto_tester_t *this, key_derivation_function_t alg,
++	kdf_constructor_t create, kdf_test_args_t *args, u_int *speed,
++	const char *plugin_name)
++{
++	enumerator_t *enumerator;
++	kdf_test_vector_t *vector;
++	va_list copy;
++	bool failed = FALSE;
++	u_int tested = 0, construction_failed = 0;
++
++	enumerator = this->kdf->create_enumerator(this->kdf);
++	while (enumerator->enumerate(enumerator, &vector))
++	{
++		kdf_t *kdf;
++		chunk_t out = chunk_empty;
++
++		if (vector->alg != alg ||
++			(args && !kdf_vector_applies(alg, args, vector)))
++		{
++			continue;
++		}
++
++		tested++;
++		failed = TRUE;
++		if (args)
++		{
++			va_copy(copy, args->args);
++			kdf = create(alg, copy);
++			va_end(copy);
++		}
++		else
++		{
++			kdf = create_kdf_vector(create, alg, vector);
++		}
++		if (!kdf)
++		{
++			if (args)
++			{
++				DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed",
++					 key_derivation_function_names, alg, plugin_name);
++				break;
++			}
++			/* while there could be a problem, the constructor might just not
++			 * be able to create an instance for this test vector, we check
++			 * for that at the end */
++			construction_failed++;
++			failed = FALSE;
++			continue;
++		}
++
++		if (vector->key.len &&
++			!kdf->set_param(kdf, KDF_PARAM_KEY, vector->key))
++		{
++			goto failure;
++		}
++		if (vector->salt.len &&
++			!kdf->set_param(kdf, KDF_PARAM_SALT, vector->salt))
++		{
++			goto failure;
++		}
++		/* allocated bytes */
++		if (!kdf->allocate_bytes(kdf, vector->out.len, &out))
++		{
++			goto failure;
++		}
++		if (!chunk_equals(out, vector->out))
++		{
++			goto failure;
++		}
++		/* bytes to existing buffer */
++		memset(out.ptr, 0, out.len);
++		if (!kdf->get_bytes(kdf, out.len, out.ptr))
++		{
++			goto failure;
++		}
++		if (!chunk_equals(out, vector->out))
++		{
++			goto failure;
++		}
++
++		failed = FALSE;
++failure:
++		kdf->destroy(kdf);
++		chunk_free(&out);
++		if (failed)
++		{
++			DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed",
++				 key_derivation_function_names, alg, plugin_name,
++				 get_name(vector));
++			break;
++		}
++	}
++	enumerator->destroy(enumerator);
++	if (!tested)
++	{
++		DBG1(DBG_LIB, "%s %N[%s]: no test vectors found",
++			 this->required ? "disabled" : "enabled ",
++			 key_derivation_function_names, alg, plugin_name);
++		return !this->required;
++	}
++	tested -= construction_failed;
++	if (!tested)
++	{
++		DBG1(DBG_LIB, "%s %N[%s]: unable to apply any available test vectors",
++			 this->required ? "disabled" : "enabled ",
++			 key_derivation_function_names, alg, plugin_name);
++		return !this->required;
++	}
++	if (!failed)
++	{
++		if (speed)
++		{
++			DBG2(DBG_LIB, "benchmarking for %N is currently not supported",
++				 key_derivation_function_names, alg);
++		}
++		DBG1(DBG_LIB, "enabled  %N[%s]: passed %u test vectors",
++			 key_derivation_function_names, alg, plugin_name, tested);
++	}
++	return !failed;
++}
++
+ /**
+  * Benchmark a DRBG
+  */
+@@ -1622,6 +1806,12 @@ METHOD(crypto_tester_t, add_xof_vector,
+ 	this->xof->insert_last(this->xof, vector);
+ }
+ 
++METHOD(crypto_tester_t, add_kdf_vector, void,
++	private_crypto_tester_t *this, kdf_test_vector_t *vector)
++{
++	this->kdf->insert_last(this->kdf, vector);
++}
++
+ METHOD(crypto_tester_t, add_drbg_vector, void,
+ 	private_crypto_tester_t *this, drbg_test_vector_t *vector)
+ {
+@@ -1649,6 +1839,7 @@ METHOD(crypto_tester_t, destroy, void,
+ 	this->hasher->destroy(this->hasher);
+ 	this->prf->destroy(this->prf);
+ 	this->xof->destroy(this->xof);
++	this->kdf->destroy(this->kdf);
+ 	this->drbg->destroy(this->drbg);
+ 	this->rng->destroy(this->rng);
+ 	this->dh->destroy(this->dh);
+@@ -1670,6 +1861,7 @@ crypto_tester_t *crypto_tester_create()
+ 			.test_hasher = _test_hasher,
+ 			.test_prf = _test_prf,
+ 			.test_xof = _test_xof,
++			.test_kdf = _test_kdf,
+ 			.test_drbg = _test_drbg,
+ 			.test_rng = _test_rng,
+ 			.test_dh = _test_dh,
+@@ -1679,6 +1871,7 @@ crypto_tester_t *crypto_tester_create()
+ 			.add_hasher_vector = _add_hasher_vector,
+ 			.add_prf_vector = _add_prf_vector,
+ 			.add_xof_vector = _add_xof_vector,
++			.add_kdf_vector = _add_kdf_vector,
+ 			.add_drbg_vector = _add_drbg_vector,
+ 			.add_rng_vector = _add_rng_vector,
+ 			.add_dh_vector = _add_dh_vector,
+@@ -1690,6 +1883,7 @@ crypto_tester_t *crypto_tester_create()
+ 		.hasher = linked_list_create(),
+ 		.prf = linked_list_create(),
+ 		.xof = linked_list_create(),
++		.kdf = linked_list_create(),
+ 		.drbg = linked_list_create(),
+ 		.rng = linked_list_create(),
+ 		.dh = linked_list_create(),
+Index: strongswan-5.9.5/src/libstrongswan/crypto/crypto_tester.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/crypto_tester.h
++++ strongswan-5.9.5/src/libstrongswan/crypto/crypto_tester.h
+@@ -32,6 +32,8 @@ typedef struct signer_test_vector_t sign
+ typedef struct hasher_test_vector_t hasher_test_vector_t;
+ typedef struct prf_test_vector_t prf_test_vector_t;
+ typedef struct xof_test_vector_t xof_test_vector_t;
++typedef struct kdf_test_vector_t kdf_test_vector_t;
++typedef struct kdf_test_args_t kdf_test_args_t;
+ typedef struct drbg_test_vector_t drbg_test_vector_t;
+ typedef struct rng_test_vector_t rng_test_vector_t;
+ typedef struct dh_test_vector_t dh_test_vector_t;
+@@ -130,6 +132,26 @@ struct xof_test_vector_t {
+ 	u_char *out;
+ };
+ 
++struct kdf_test_vector_t {
++	/** kdf algorithm this test vector tests */
++	key_derivation_function_t alg;
++	/** argument passed to constructor, type depends on alg */
++	union {
++		pseudo_random_function_t prf;
++	} arg;
++	/** optional key */
++	chunk_t key;
++	/** optional salt */
++	chunk_t salt;
++	/** expected output */
++	chunk_t out;
++};
++
++struct kdf_test_args_t {
++	/** the arguments used to construct the KDF */
++	va_list args;
++};
++
+ struct drbg_test_vector_t {
+ 	/** drbg type this test vector tests */
+ 	drbg_type_t type;
+@@ -257,6 +279,22 @@ struct crypto_tester_t {
+ 					 xof_constructor_t create,
+ 					 u_int *speed, const char *plugin_name);
+ 	/**
++	 * Test a KDF algorithm.
++	 *
++	 * If constructor arguments are passed, only matching test vectors are
++	 * tried. Otherwise, all are tried and implementations are allowed to fail
++	 * construction with unsupported arguments.
++	 *
++	 * @param alg			algorithm to test
++	 * @param create		constructor function for the XOF
++	 * @param args			optional arguments to pass to constructor
++	 * @param speed			speed test result, NULL to omit
++	 * @return				TRUE if test passed
++	 */
++	bool (*test_kdf)(crypto_tester_t *this, key_derivation_function_t alg,
++					 kdf_constructor_t create, kdf_test_args_t *args,
++					 u_int *speed, const char *plugin_name);
++	/**
+ 	 * Test a DRBG type.
+ 	 *
+ 	 * @param type			DRBG type to test
+@@ -333,6 +371,13 @@ struct crypto_tester_t {
+ 	void (*add_xof_vector)(crypto_tester_t *this, xof_test_vector_t *vector);
+ 
+ 	/**
++	 * Add a test vector to test a KDF.
++	 *
++	 * @param vector		pointer to test vector
++	 */
++	void (*add_kdf_vector)(crypto_tester_t *this, kdf_test_vector_t *vector);
++
++	/**
+ 	 * Add a test vector to test a DRBG.
+ 	 *
+ 	 * @param vector		pointer to test vector
+Index: strongswan-5.9.5/src/libstrongswan/crypto/kdfs/kdf.c
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/crypto/kdfs/kdf.c
+@@ -0,0 +1,28 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include "kdf.h"
++
++ENUM(key_derivation_function_names, KDF_UNDEFINED, KDF_PRF_PLUS,
++	"KDF_UNDEFINED",
++	"KDF_PRF_PLUS",
++);
+Index: strongswan-5.9.5/src/libstrongswan/crypto/kdfs/kdf.h
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/crypto/kdfs/kdf.h
+@@ -0,0 +1,124 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++/**
++ * @defgroup kdf kdf
++ * @{ @ingroup crypto
++ */
++
++#ifndef KDF_H_
++#define KDF_H_
++
++typedef enum key_derivation_function_t key_derivation_function_t;
++typedef enum kdf_param_t kdf_param_t;
++typedef struct kdf_t kdf_t;
++
++#include <library.h>
++
++/**
++ * Key Derivation Functions (KDF).
++ */
++enum key_derivation_function_t {
++
++	KDF_UNDEFINED,
++
++	/**
++	 * RFC 7296 prf+, expects a pseudo_random_function_t in the constructor,
++	 * parameters are KEY and SALT.
++	 */
++	KDF_PRF_PLUS,
++};
++
++/**
++ * enum name for key_derivation_function_t.
++ */
++extern enum_name_t *key_derivation_function_names;
++
++/**
++ * Parameters for KDFs.
++ */
++enum kdf_param_t {
++
++	/**
++	 * Key used for the key derivation (chunk_t).
++	 */
++	KDF_PARAM_KEY,
++
++	/**
++	 * Salt used for the key derivation (chunk_t).
++	 */
++	KDF_PARAM_SALT,
++};
++
++/**
++ * Generic interface for Key Derivation Functions (KDF).
++ *
++ * Note that in comparison to xof_t, this interface does not support streaming.
++ * That is, calling get_bytes() or allocate_bytes() multiple times without
++ * changing the input parameters will result in the same output.
++ */
++struct kdf_t {
++
++	/**
++	 * Return the type of KDF.
++	 *
++	 * @return			KDF type
++	 */
++	key_derivation_function_t (*get_type)(kdf_t *this);
++
++	/**
++	 * Derives a key of the given length and writes it to the buffer.
++	 *
++	 * @param out_len	number of key bytes requested
++	 * @param buffer	pointer where the derived key will be written
++	 * @return			TRUE if key derived successfully
++	 */
++	bool (*get_bytes)(kdf_t *this, size_t out_len,
++					  uint8_t *buffer) __attribute__((warn_unused_result));
++
++	/**
++	 * Derives a key of the given length and allocates space for it.
++	 *
++	 * @param out_len	number of key bytes requested
++	 * @param chunk		chunk which will hold the derived key
++	 * @return			TRUE if key derived successfully
++	 */
++	bool (*allocate_bytes)(kdf_t *this, size_t out_len,
++						   chunk_t *chunk) __attribute__((warn_unused_result));
++
++	/**
++	 * Set a parameter for this KDF.
++	 *
++	 * @param param		parameter to set
++	 * @param ...		parameter values
++	 * @return			TRUE if parameter set successfully
++	 */
++	bool (*set_param)(kdf_t *this, kdf_param_t param,
++					 ...) __attribute__((warn_unused_result));
++
++	/**
++	 * Destroys this KDF object.
++	 */
++	void (*destroy)(kdf_t *this);
++};
++
++#endif /** KDF_H_ @}*/
+Index: strongswan-5.9.5/src/libstrongswan/crypto/pkcs5.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/pkcs5.c
++++ strongswan-5.9.5/src/libstrongswan/crypto/pkcs5.c
+@@ -131,7 +131,7 @@ static bool verify_padding(crypter_t *cr
+ /**
+  * Prototype for key derivation functions.
+  */
+-typedef bool (*kdf_t)(private_pkcs5_t *this, chunk_t password, chunk_t key);
++typedef bool (*derive_t)(private_pkcs5_t *this, chunk_t password, chunk_t key);
+ 
+ /**
+  * Try to decrypt the given data with the given password using the given
+@@ -139,7 +139,7 @@ typedef bool (*kdf_t)(private_pkcs5_t *t
+  * to, key and iv point to the actual keys and initialization vectors resp.
+  */
+ static bool decrypt_generic(private_pkcs5_t *this, chunk_t password,
+-							chunk_t data, chunk_t *decrypted, kdf_t kdf,
++							chunk_t data, chunk_t *decrypted, derive_t kdf,
+ 							chunk_t keymat, chunk_t key, chunk_t iv)
+ {
+ 	if (!kdf(this, password, keymat))
+@@ -341,7 +341,7 @@ METHOD(pkcs5_t, decrypt, bool,
+ 	private_pkcs5_t *this, chunk_t password, chunk_t data, chunk_t *decrypted)
+ {
+ 	chunk_t keymat, key, iv;
+-	kdf_t kdf;
++	derive_t kdf;
+ 
+ 	if (!ensure_crypto_primitives(this, data) || !decrypted)
+ 	{
+Index: strongswan-5.9.5/src/libstrongswan/crypto/prf_plus.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/prf_plus.c
++++ /dev/null
+@@ -1,170 +0,0 @@
+-/*
+- * Copyright (C) 2005-2006 Martin Willi
+- * Copyright (C) 2005 Jan Hutter
+- * HSR Hochschule fuer Technik Rapperswil
+- *
+- * This program is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License as published by the
+- * Free Software Foundation; either version 2 of the License, or (at your
+- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+- *
+- * This program is distributed in the hope that it will be useful, but
+- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+- * for more details.
+- */
+-
+-#include <string.h>
+-
+-#include "prf_plus.h"
+-
+-typedef struct private_prf_plus_t private_prf_plus_t;
+-
+-typedef bool (*apply_prf_t)(private_prf_plus_t *this);
+-
+-/**
+- * Private data of an prf_plus_t object.
+- *
+- */
+-struct private_prf_plus_t {
+-
+-	/**
+-	 * Public interface of prf_plus_t.
+-	 */
+-	prf_plus_t public;
+-
+-	/**
+-	 * PRF to use.
+-	 */
+-	prf_t *prf;
+-
+-	/**
+-	 * Initial seed.
+-	 */
+-	chunk_t seed;
+-
+-	/**
+-	 * Octet which will be appended to the seed if a counter is used.
+-	 */
+-	uint8_t counter;
+-
+-	/**
+-	 * Already given out bytes in current buffer.
+-	 */
+-	size_t used;
+-
+-	/**
+-	 * Buffer to store current PRF result.
+-	 */
+-	chunk_t buffer;
+-
+-	/**
+-	 * The prf application method depending on whether a counter is used.
+-	 */
+-	apply_prf_t apply_prf;
+-};
+-
+-/**
+- * Apply the PRF using the running counter
+- */
+-static bool apply_prf_counter(private_prf_plus_t *this)
+-{
+-	if (!this->prf->get_bytes(this->prf, this->seed, NULL) ||
+-		!this->prf->get_bytes(this->prf, chunk_from_thing(this->counter),
+-							  this->buffer.ptr))
+-	{
+-		return FALSE;
+-	}
+-	this->counter++;
+-	if (!this->counter)
+-	{	/* according to RFC 7296, section 2.13, prf+ is undefined once the
+-		 * counter wrapped, so let's fail for future calls */
+-		this->apply_prf = (void*)return_false;
+-	}
+-	return TRUE;
+-}
+-
+-/**
+- * Apply the PRF using the running counter
+- */
+-static bool apply_prf(private_prf_plus_t *this)
+-{
+-	return this->prf->get_bytes(this->prf, this->seed, this->buffer.ptr);
+-}
+-
+-METHOD(prf_plus_t, get_bytes, bool,
+-	private_prf_plus_t *this, size_t length, uint8_t *buffer)
+-{
+-	size_t round, written = 0;
+-
+-	while (length > 0)
+-	{
+-		if (this->buffer.len == this->used)
+-		{	/* buffer used, get next round */
+-			if (!this->prf->get_bytes(this->prf, this->buffer, NULL))
+-			{
+-				return FALSE;
+-			}
+-			if (!this->apply_prf(this))
+-			{
+-				return FALSE;
+-			}
+-			this->used = 0;
+-		}
+-		round = min(length, this->buffer.len - this->used);
+-		memcpy(buffer + written, this->buffer.ptr + this->used, round);
+-
+-		length -= round;
+-		this->used += round;
+-		written += round;
+-	}
+-	return TRUE;
+-}
+-
+-METHOD(prf_plus_t, allocate_bytes, bool,
+-	private_prf_plus_t *this, size_t length, chunk_t *chunk)
+-{
+-	*chunk = chunk_alloc(length);
+-	if (!get_bytes(this, length, chunk->ptr))
+-	{
+-		chunk_free(chunk);
+-		return FALSE;
+-	}
+-	return TRUE;
+-}
+-
+-METHOD(prf_plus_t, destroy, void,
+-	private_prf_plus_t *this)
+-{
+-	chunk_clear(&this->buffer);
+-	chunk_clear(&this->seed);
+-	free(this);
+-}
+-
+-/*
+- * Description in header.
+- */
+-prf_plus_t *prf_plus_create(prf_t *prf, bool counter, chunk_t seed)
+-{
+-	private_prf_plus_t *this;
+-
+-	INIT(this,
+-		.public = {
+-			.get_bytes = _get_bytes,
+-			.allocate_bytes = _allocate_bytes,
+-			.destroy = _destroy,
+-		},
+-		.prf = prf,
+-		.seed = chunk_clone(seed),
+-		.buffer = chunk_alloc(prf->get_block_size(prf)),
+-		.apply_prf = counter ? apply_prf_counter : apply_prf,
+-		.counter = 0x01,
+-	);
+-
+-	if (!this->apply_prf(this))
+-	{
+-		destroy(this);
+-		return NULL;
+-	}
+-	return &this->public;
+-}
+Index: strongswan-5.9.5/src/libstrongswan/crypto/prf_plus.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/prf_plus.h
++++ /dev/null
+@@ -1,70 +0,0 @@
+-/*
+- * Copyright (C) 2005-2006 Martin Willi
+- * Copyright (C) 2005 Jan Hutter
+- * HSR Hochschule fuer Technik Rapperswil
+- *
+- * This program is free software; you can redistribute it and/or modify it
+- * under the terms of the GNU General Public License as published by the
+- * Free Software Foundation; either version 2 of the License, or (at your
+- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+- *
+- * This program is distributed in the hope that it will be useful, but
+- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+- * for more details.
+- */
+-
+-/**
+- * @defgroup prf_plus prf_plus
+- * @{ @ingroup crypto
+- */
+-
+-#ifndef PRF_PLUS_H_
+-#define PRF_PLUS_H_
+-
+-typedef struct prf_plus_t prf_plus_t;
+-
+-#include <crypto/prfs/prf.h>
+-
+-/**
+- * Implementation of the prf+ function used in IKEv1/IKEv2 keymat extension.
+- */
+-struct prf_plus_t {
+-
+-	/**
+-	 * Get pseudo random bytes.
+-	 *
+-	 * @param length	number of bytes to get
+-	 * @param buffer	pointer where the generated bytes will be written
+-	 * @return			TRUE if bytes generated successfully
+-	 */
+-	bool (*get_bytes)(prf_plus_t *this, size_t length,
+-					  uint8_t *buffer) __attribute__((warn_unused_result));
+-
+-	/**
+-	 * Allocate pseudo random bytes.
+-	 *
+-	 * @param length	number of bytes to get
+-	 * @param chunk		chunk which will hold generated bytes
+-	 * @return			TRUE if bytes allocated successfully
+-	 */
+-	bool (*allocate_bytes)(prf_plus_t *this, size_t length,
+-						   chunk_t *chunk) __attribute__((warn_unused_result));
+-
+-	/**
+-	 * Destroys a prf_plus_t object.
+-	 */
+-	void (*destroy)(prf_plus_t *this);
+-};
+-
+-/**
+- * Creates a new prf_plus_t object.
+- *
+- * @param prf				prf object to use, must be destroyed after prf+.
+- * @param counter			use an appending counter byte (for IKEv2 variant)
+- * @param seed				input seed for prf
+- * @return					prf_plus_t object, NULL on failure
+- */
+-prf_plus_t *prf_plus_create(prf_t *prf, bool counter, chunk_t seed);
+-
+-#endif /** PRF_PLUS_H_ @}*/
+Index: strongswan-5.9.5/src/libstrongswan/crypto/transform.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/transform.c
++++ strongswan-5.9.5/src/libstrongswan/crypto/transform.c
+@@ -16,6 +16,7 @@
+ #include <crypto/transform.h>
+ #include <crypto/hashers/hasher.h>
+ #include <crypto/rngs/rng.h>
++#include <crypto/kdfs/kdf.h>
+ 
+ ENUM_BEGIN(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS,
+ 	"ENCRYPTION_ALGORITHM",
+@@ -23,16 +24,16 @@ ENUM_BEGIN(transform_type_names, ENCRYPT
+ 	"INTEGRITY_ALGORITHM",
+ 	"DIFFIE_HELLMAN_GROUP",
+ 	"EXTENDED_SEQUENCE_NUMBERS");
+-ENUM_NEXT(transform_type_names, HASH_ALGORITHM, DETERMINISTIC_RANDOM_BIT_GENERATOR,
++ENUM_NEXT(transform_type_names, HASH_ALGORITHM, KEY_DERIVATION_FUNCTION,
+ 		  EXTENDED_SEQUENCE_NUMBERS,
+ 	"HASH_ALGORITHM",
+ 	"RANDOM_NUMBER_GENERATOR",
+ 	"AEAD_ALGORITHM",
+ 	"COMPRESSION_ALGORITHM",
+ 	"EXTENDED OUTPUT FUNCTION",
+-	"DETERMINISTIC RANDOM BIT GENERATOR");
+-ENUM_END(transform_type_names, DETERMINISTIC_RANDOM_BIT_GENERATOR);
+-
++	"DETERMINISTIC RANDOM BIT GENERATOR",
++	"KEY_DERIVATION_FUNCTION");
++ENUM_END(transform_type_names, KEY_DERIVATION_FUNCTION);
+ 
+ ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS,
+ 	"NO_EXT_SEQ",
+@@ -65,6 +66,8 @@ enum_name_t* transform_get_enum_names(tr
+ 			return ext_out_function_names;
+ 		case DETERMINISTIC_RANDOM_BIT_GENERATOR:
+ 			return drbg_type_names;
++		case KEY_DERIVATION_FUNCTION:
++			return key_derivation_function_names;
+ 		case COMPRESSION_ALGORITHM:
+ 			break;
+ 	}
+Index: strongswan-5.9.5/src/libstrongswan/crypto/transform.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/crypto/transform.h
++++ strongswan-5.9.5/src/libstrongswan/crypto/transform.h
+@@ -40,6 +40,7 @@ enum transform_type_t {
+ 	COMPRESSION_ALGORITHM = 259,
+ 	EXTENDED_OUTPUT_FUNCTION = 260,
+ 	DETERMINISTIC_RANDOM_BIT_GENERATOR = 261,
++	KEY_DERIVATION_FUNCTION = 262,
+ };
+ 
+ /**
+Index: strongswan-5.9.5/src/libstrongswan/plugins/botan/Makefile.am
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/botan/Makefile.am
++++ strongswan-5.9.5/src/libstrongswan/plugins/botan/Makefile.am
+@@ -16,6 +16,7 @@ libstrongswan_botan_la_SOURCES = \
+ 	botan_rng.h botan_rng.c \
+ 	botan_hasher.h botan_hasher.c \
+ 	botan_hmac.h botan_hmac.c \
++	botan_kdf.h botan_kdf.c \
+ 	botan_crypter.h botan_crypter.c \
+ 	botan_rsa_public_key.h botan_rsa_public_key.c \
+ 	botan_rsa_private_key.h botan_rsa_private_key.c \
+Index: strongswan-5.9.5/src/libstrongswan/plugins/botan/botan_kdf.c
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/botan/botan_kdf.c
+@@ -0,0 +1,185 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#define _GNU_SOURCE
++#include "botan_kdf.h"
++#include "botan_util.h"
++
++#include <botan/build.h>
++
++#ifdef BOTAN_HAS_HKDF
++
++#include <botan/ffi.h>
++
++typedef struct private_kdf_t private_kdf_t;
++
++/**
++ * Private data.
++ */
++struct private_kdf_t {
++
++	/**
++	 * Public interface.
++	 */
++	kdf_t public;
++
++	/**
++	 * Name of the KDF algorithm in Botan.
++	 */
++	char *name;
++
++	/**
++	 * Key for KDF.
++	 */
++	chunk_t key;
++
++	/**
++	 * Salt for KDF.
++	 */
++	chunk_t salt;
++
++#if BOTAN_VERSION_MAJOR == 2
++	/**
++	 * Used for a manual length check in get_bytes().
++	 */
++	size_t hash_size;
++#endif
++};
++
++METHOD(kdf_t, get_type, key_derivation_function_t,
++	private_kdf_t *this)
++{
++	return KDF_PRF_PLUS;
++}
++
++METHOD(kdf_t, get_bytes, bool,
++	private_kdf_t *this, size_t out_len, uint8_t *buffer)
++{
++#if BOTAN_VERSION_MAJOR == 2
++	/* Botan 2 doesn't check the length, just silently prevents wrapping the
++	 * counter and returns truncated output, so do this manually */
++	if (out_len > this->hash_size * 255)
++	{
++		return FALSE;
++	}
++#endif
++	if (botan_kdf(this->name, buffer, out_len, this->key.ptr, this->key.len,
++				  NULL, 0, this->salt.ptr, this->salt.len))
++	{
++		return FALSE;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, allocate_bytes, bool,
++	private_kdf_t *this, size_t out_len, chunk_t *chunk)
++{
++	*chunk = chunk_alloc(out_len);
++
++	if (!get_bytes(this, out_len, chunk->ptr))
++	{
++		chunk_free(chunk);
++		return FALSE;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, set_param, bool,
++	private_kdf_t *this, kdf_param_t param, ...)
++{
++	chunk_t chunk;
++
++	switch (param)
++	{
++		case KDF_PARAM_KEY:
++			VA_ARGS_GET(param, chunk);
++			chunk_clear(&this->key);
++			this->key = chunk_clone(chunk);
++			break;
++		case KDF_PARAM_SALT:
++			VA_ARGS_GET(param, chunk);
++			chunk_clear(&this->salt);
++			this->salt = chunk_clone(chunk);
++			break;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, destroy, void,
++	private_kdf_t *this)
++{
++	chunk_clear(&this->salt);
++	chunk_clear(&this->key);
++	free(this->name);
++	free(this);
++}
++
++/*
++ * Described in header
++ */
++kdf_t *botan_kdf_create(key_derivation_function_t algo, va_list args)
++{
++	private_kdf_t *this;
++	pseudo_random_function_t prf_alg;
++	const char *hash_name;
++	char *name, buf[8];
++
++	if (algo != KDF_PRF_PLUS)
++	{
++		return NULL;
++	}
++
++	VA_ARGS_VGET(args, prf_alg);
++	hash_name = botan_get_hash(hasher_algorithm_from_prf(prf_alg));
++	if (!hash_name)
++	{
++		return NULL;
++	}
++	if (asprintf(&name, "HKDF-Expand(%s)", hash_name) <= 0)
++	{
++		return NULL;
++	}
++
++	INIT(this,
++		.public = {
++			.get_type = _get_type,
++			.get_bytes = _get_bytes,
++			.allocate_bytes = _allocate_bytes,
++			.set_param = _set_param,
++			.destroy = _destroy,
++		},
++		.name = name,
++#if BOTAN_VERSION_MAJOR == 2
++		.hash_size = hasher_hash_size(hasher_algorithm_from_prf(prf_alg)),
++#endif
++	);
++
++	/* test if we can actually use the algorithm */
++	if (!get_bytes(this, sizeof(buf), buf))
++	{
++		destroy(this);
++		return NULL;
++	}
++	return &this->public;
++}
++
++#endif
+Index: strongswan-5.9.5/src/libstrongswan/plugins/botan/botan_kdf.h
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/botan/botan_kdf.h
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++/**
++ * Implements key derivation functions (KDF) using Botan, in particular prf+,
++ * which is implemented via Botan's HKDF implementation.
++ *
++ * @defgroup botan_kdf botan_kdf
++ * @{ @ingroup botan_p
++ */
++
++#ifndef BOTAN_KDF_H_
++#define BOTAN_KDF_H_
++
++#include <crypto/kdfs/kdf.h>
++
++/**
++ * Creates a new kdf_t object.
++ *
++ * @param algo		algorithm to instantiate
++ * @param args		algorithm-specific arguments
++ * @return			kdf_t object, NULL if not supported
++ */
++kdf_t *botan_kdf_create(key_derivation_function_t algo, va_list args);
++
++#endif /** BOTAN_KDF_H_ @}*/
+Index: strongswan-5.9.5/src/libstrongswan/plugins/botan/botan_plugin.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/botan/botan_plugin.c
++++ strongswan-5.9.5/src/libstrongswan/plugins/botan/botan_plugin.c
+@@ -32,6 +32,7 @@
+ #include "botan_crypter.h"
+ #include "botan_diffie_hellman.h"
+ #include "botan_hmac.h"
++#include "botan_kdf.h"
+ #include "botan_rsa_public_key.h"
+ #include "botan_rsa_private_key.h"
+ #include "botan_ec_diffie_hellman.h"
+@@ -209,6 +210,12 @@ METHOD(plugin_t, get_features, int,
+ #endif
+ #endif /* BOTAN_HAS_HMAC */
+ 
++		/* kdfs */
++#ifdef BOTAN_HAS_HKDF
++		PLUGIN_REGISTER(SIGNER, botan_kdf_create),
++			PLUGIN_PROVIDE(KDF, KDF_PRF_PLUS),
++#endif /* BOTAN_HAS_HKDF */
++
+ 		/* generic key loaders */
+ #if defined (BOTAN_HAS_RSA) || defined(BOTAN_HAS_ECDSA) || \
+ 	defined(BOTAN_HAS_ED25519)
+Index: strongswan-5.9.5/src/libstrongswan/plugins/kdf/Makefile.am
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/kdf/Makefile.am
+@@ -0,0 +1,17 @@
++AM_CPPFLAGS = \
++	-I$(top_srcdir)/src/libstrongswan
++
++AM_CFLAGS = \
++	$(PLUGIN_CFLAGS)
++
++if MONOLITHIC
++noinst_LTLIBRARIES = libstrongswan-kdf.la
++else
++plugin_LTLIBRARIES = libstrongswan-kdf.la
++endif
++
++libstrongswan_kdf_la_SOURCES = \
++	kdf_plugin.h kdf_plugin.c \
++	kdf_prf_plus.h kdf_prf_plus.c
++
++libstrongswan_kdf_la_LDFLAGS = -module -avoid-version
+Index: strongswan-5.9.5/src/libstrongswan/plugins/kdf/kdf_plugin.c
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/kdf/kdf_plugin.c
+@@ -0,0 +1,88 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include "kdf_plugin.h"
++#include "kdf_prf_plus.h"
++
++#include <library.h>
++
++typedef struct private_kdf_plugin_t private_kdf_plugin_t;
++
++/**
++ * Private data
++ */
++struct private_kdf_plugin_t {
++
++	/**
++	 * Public interface
++	 */
++	kdf_plugin_t public;
++};
++
++METHOD(plugin_t, get_name, char*,
++	private_kdf_plugin_t *this)
++{
++	return "kdf";
++}
++
++METHOD(plugin_t, get_features, int,
++	private_kdf_plugin_t *this, plugin_feature_t *features[])
++{
++	static plugin_feature_t f[] = {
++		PLUGIN_REGISTER(KDF, kdf_prf_plus_create),
++			PLUGIN_PROVIDE(KDF, KDF_PRF_PLUS),
++				PLUGIN_SDEPEND(PRF, PRF_HMAC_SHA1),
++				PLUGIN_SDEPEND(PRF, PRF_HMAC_SHA2_256),
++				PLUGIN_SDEPEND(PRF, PRF_HMAC_SHA2_384),
++				PLUGIN_SDEPEND(PRF, PRF_HMAC_SHA2_512),
++				PLUGIN_SDEPEND(PRF, PRF_AES128_XCBC),
++				PLUGIN_SDEPEND(PRF, PRF_AES128_CMAC),
++	};
++	*features = f;
++	return countof(f);
++}
++
++METHOD(plugin_t, destroy, void,
++	private_kdf_plugin_t *this)
++{
++	free(this);
++}
++
++/*
++ * Described in header
++ */
++plugin_t *kdf_plugin_create()
++{
++	private_kdf_plugin_t *this;
++
++	INIT(this,
++		.public = {
++			.plugin = {
++				.get_name = _get_name,
++				.get_features = _get_features,
++				.destroy = _destroy,
++			},
++		},
++	);
++
++	return &this->public.plugin;
++}
+Index: strongswan-5.9.5/src/libstrongswan/plugins/kdf/kdf_plugin.h
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/kdf/kdf_plugin.h
+@@ -0,0 +1,49 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++/**
++ * @defgroup kdf_p kdf
++ * @ingroup plugins
++ *
++ * @defgroup kdf_plugin kdf_plugin
++ * @{ @ingroup kdf_p
++ */
++
++#ifndef KDF_PLUGIN_H_
++#define KDF_PLUGIN_H_
++
++#include <plugins/plugin.h>
++
++typedef struct kdf_plugin_t kdf_plugin_t;
++
++/**
++ * Plugin implementing the key derivation functions (KDF) in software.
++ */
++struct kdf_plugin_t {
++
++	/**
++	 * implements plugin interface
++	 */
++	plugin_t plugin;
++};
++
++#endif /** KDF_PLUGIN_H_ @}*/
+Index: strongswan-5.9.5/src/libstrongswan/plugins/kdf/kdf_prf_plus.c
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/kdf/kdf_prf_plus.c
+@@ -0,0 +1,168 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include "kdf_prf_plus.h"
++
++typedef struct private_kdf_t private_kdf_t;
++
++/**
++ * Private data.
++ */
++struct private_kdf_t {
++
++	/**
++	 * Public interface.
++	 */
++	kdf_t public;
++
++	/**
++	 * Underlying PRF.
++	 */
++	prf_t *prf;
++
++	/**
++	 * Salt value.
++	 */
++	chunk_t salt;
++};
++
++METHOD(kdf_t, get_type, key_derivation_function_t,
++	private_kdf_t *this)
++{
++	return KDF_PRF_PLUS;
++}
++
++METHOD(kdf_t, get_bytes, bool,
++	private_kdf_t *this, size_t out_len, uint8_t *buffer)
++{
++	chunk_t block, previous = chunk_empty;
++	uint8_t counter = 1, *out = buffer;
++	size_t len;
++	bool success = TRUE;
++
++	block = chunk_alloca(this->prf->get_block_size(this->prf));
++	if (out_len > block.len * 255)
++	{
++		return FALSE;
++	}
++
++	while (out_len)
++	{
++		if (!this->prf->get_bytes(this->prf, previous, NULL) ||
++			!this->prf->get_bytes(this->prf, this->salt, NULL) ||
++			!this->prf->get_bytes(this->prf, chunk_from_thing(counter),
++								  block.ptr))
++		{
++			success = FALSE;
++			break;
++		}
++		len = min(out_len, block.len);
++		memcpy(out, block.ptr, len);
++		previous = chunk_create(out, block.len);
++
++		out_len -= len;
++		out += len;
++		counter++;
++	}
++	memwipe(block.ptr, block.len);
++	return success;
++}
++
++METHOD(kdf_t, allocate_bytes, bool,
++	private_kdf_t *this, size_t out_len, chunk_t *chunk)
++{
++	*chunk = chunk_alloc(out_len);
++
++	if (!get_bytes(this, out_len, chunk->ptr))
++	{
++		chunk_free(chunk);
++		return FALSE;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, set_param, bool,
++	private_kdf_t *this, kdf_param_t param, ...)
++{
++	chunk_t chunk;
++	bool success = FALSE;
++
++	switch (param)
++	{
++		case KDF_PARAM_KEY:
++			VA_ARGS_GET(param, chunk);
++			success = this->prf->set_key(this->prf, chunk);
++			break;
++		case KDF_PARAM_SALT:
++			VA_ARGS_GET(param, chunk);
++			chunk_clear(&this->salt);
++			this->salt = chunk_clone(chunk);
++			success = TRUE;
++			break;
++	}
++	return success;
++}
++
++METHOD(kdf_t, destroy, void,
++	private_kdf_t *this)
++{
++	this->prf->destroy(this->prf);
++	chunk_clear(&this->salt);
++	free(this);
++}
++
++/*
++ * Described in header
++ */
++kdf_t *kdf_prf_plus_create(key_derivation_function_t algo, va_list args)
++{
++	private_kdf_t *this;
++	pseudo_random_function_t prf_alg;
++	prf_t *prf;
++
++	if (algo != KDF_PRF_PLUS)
++	{
++		return NULL;
++	}
++
++	VA_ARGS_VGET(args, prf_alg);
++	prf = lib->crypto->create_prf(lib->crypto, prf_alg);
++	if (!prf)
++	{
++		DBG1(DBG_LIB, "failed to create %N for prf+",
++			 pseudo_random_function_names, prf_alg);
++		return NULL;
++	}
++
++	INIT(this,
++		.public = {
++			.get_type = _get_type,
++			.get_bytes = _get_bytes,
++			.allocate_bytes = _allocate_bytes,
++			.set_param = _set_param,
++			.destroy = _destroy,
++		},
++		.prf = prf,
++	);
++
++	return &this->public;
++}
+Index: strongswan-5.9.5/src/libstrongswan/plugins/kdf/kdf_prf_plus.h
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/kdf/kdf_prf_plus.h
+@@ -0,0 +1,55 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++/**
++ * Implements prf+ as defined in RFC 7296, section 2.13:
++ *
++ * @verbatim
++     prf+ (K,S) = T1 | T2 | T3 | T4 | ...
++
++     where:
++     T1 = prf (K, S | 0x01)
++     T2 = prf (K, T1 | S | 0x02)
++     T3 = prf (K, T2 | S | 0x03)
++     T4 = prf (K, T3 | S | 0x04)
++     ...
++ * @endverbatim
++ *
++ * @defgroup kdf_prf_plus kdf_prf_plus
++ * @{ @ingroup kdf_p
++ */
++
++#ifndef KDF_PRF_PLUS_H_
++#define KDF_PRF_PLUS_H_
++
++#include <crypto/kdfs/kdf.h>
++
++/**
++ * Create a kdf_t object
++ *
++ * @param algo			KDF_PRF_PLUS
++ * @param args			pseudo_random_function_t of the underlying PRF
++ * @return				kdf_t object, NULL if not supported
++ */
++kdf_t *kdf_prf_plus_create(key_derivation_function_t algo, va_list args);
++
++#endif /** KDF_PRF_PLUS_H_ @}*/
+Index: strongswan-5.9.5/src/libstrongswan/plugins/openssl/Makefile.am
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/openssl/Makefile.am
++++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/Makefile.am
+@@ -33,6 +33,7 @@ libstrongswan_openssl_la_SOURCES = \
+ 	openssl_pkcs12.c openssl_pkcs12.h \
+ 	openssl_rng.c openssl_rng.h \
+ 	openssl_hmac.c openssl_hmac.h \
++	openssl_kdf.c openssl_kdf.h \
+ 	openssl_aead.c openssl_aead.h \
+ 	openssl_x_diffie_hellman.c openssl_x_diffie_hellman.h \
+ 	openssl_ed_private_key.c openssl_ed_private_key.h \
+Index: strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_kdf.c
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_kdf.c
+@@ -0,0 +1,175 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include <openssl/opensslv.h>
++#include <openssl/opensslconf.h>
++
++#if !defined(OPENSSL_NO_HMAC) && OPENSSL_VERSION_NUMBER >= 0x10101000L
++
++#include <openssl/evp.h>
++#include <openssl/kdf.h>
++
++#include "openssl_kdf.h"
++
++typedef struct private_kdf_t private_kdf_t;
++
++/**
++ * Private data.
++ */
++struct private_kdf_t {
++
++	/**
++	 * Public interface.
++	 */
++	kdf_t public;
++
++	/**
++	 * Hasher to use for underlying PRF.
++	 */
++	const EVP_MD *hasher;
++
++	/**
++	 * Key for KDF. Stored here because OpenSSL's HKDF API does not provide a
++	 * way to clear the "info" field in the context, new data is always
++	 * appended (up to 1024 bytes).
++	 */
++	chunk_t key;
++
++	/**
++	 * Salt for prf+ (see above).
++	 */
++	chunk_t salt;
++};
++
++METHOD(kdf_t, get_type, key_derivation_function_t,
++	private_kdf_t *this)
++{
++	return KDF_PRF_PLUS;
++}
++
++METHOD(kdf_t, get_bytes, bool,
++	private_kdf_t *this, size_t out_len, uint8_t *buffer)
++{
++	EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
++
++	if (!ctx ||
++		EVP_PKEY_derive_init(ctx) <= 0 ||
++		EVP_PKEY_CTX_set_hkdf_md(ctx, this->hasher) <= 0 ||
++		EVP_PKEY_CTX_hkdf_mode(ctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 ||
++		EVP_PKEY_CTX_set1_hkdf_key(ctx, this->key.ptr, this->key.len) <= 0 ||
++		EVP_PKEY_CTX_add1_hkdf_info(ctx, this->salt.ptr, this->salt.len) <= 0 ||
++		EVP_PKEY_derive(ctx, buffer, &out_len) <= 0)
++	{
++		EVP_PKEY_CTX_free(ctx);
++		return FALSE;
++	}
++	EVP_PKEY_CTX_free(ctx);
++	return TRUE;
++}
++
++METHOD(kdf_t, allocate_bytes, bool,
++	private_kdf_t *this, size_t out_len, chunk_t *chunk)
++{
++	*chunk = chunk_alloc(out_len);
++
++	if (!get_bytes(this, out_len, chunk->ptr))
++	{
++		chunk_free(chunk);
++		return FALSE;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, set_param, bool,
++	private_kdf_t *this, kdf_param_t param, ...)
++{
++	chunk_t chunk;
++
++	switch (param)
++	{
++		case KDF_PARAM_KEY:
++			VA_ARGS_GET(param, chunk);
++			chunk_clear(&this->key);
++			this->key = chunk_clone(chunk);
++			break;
++		case KDF_PARAM_SALT:
++			VA_ARGS_GET(param, chunk);
++			chunk_clear(&this->salt);
++			this->salt = chunk_clone(chunk);
++			break;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, destroy, void,
++	private_kdf_t *this)
++{
++	chunk_clear(&this->salt);
++	chunk_clear(&this->key);
++	free(this);
++}
++
++/*
++ * Described in header
++ */
++kdf_t *openssl_kdf_create(key_derivation_function_t algo, va_list args)
++{
++	private_kdf_t *this;
++	pseudo_random_function_t prf_alg;
++	char *name, buf[8];
++
++	if (algo != KDF_PRF_PLUS)
++	{
++		return NULL;
++	}
++
++	VA_ARGS_VGET(args, prf_alg);
++	name = enum_to_name(hash_algorithm_short_names,
++						hasher_algorithm_from_prf(prf_alg));
++	if (!name)
++	{
++		return NULL;
++	}
++
++	INIT(this,
++		.public = {
++			.get_type = _get_type,
++			.get_bytes = _get_bytes,
++			.allocate_bytes = _allocate_bytes,
++			.set_param = _set_param,
++			.destroy = _destroy,
++		},
++		.hasher = EVP_get_digestbyname(name),
++		/* use a lengthy key to test the implementation below to make sure the
++		 * algorithms are usable, see openssl_hmac.c for details */
++		.key = chunk_clone(chunk_from_str("00000000000000000000000000000000")),
++	);
++
++	if (!this->hasher || !get_bytes(this, sizeof(buf), buf))
++	{
++		destroy(this);
++		return NULL;
++	}
++	return &this->public;
++}
++
++#endif /* OPENSSL_NO_HMAC && OPENSSL_VERSION_NUMBER */
+Index: strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_kdf.h
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_kdf.h
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++/**
++ * Implements key derivation functions (KDF) via OpenSSL, in particular prf+,
++ * which is implemented via OpenSSL's HKDF implementation.
++ *
++ * @defgroup openssl_kdf openssl_kdf
++ * @{ @ingroup openssl_p
++ */
++
++#ifndef OPENSSL_KDF_H_
++#define OPENSSL_KDF_H_
++
++#include <crypto/kdfs/kdf.h>
++
++/**
++ * Creates a new kdf_t object.
++ *
++ * @param algo		algorithm to instantiate
++ * @param args		algorithm-specific arguments
++ * @return			kdf_t object, NULL if not supported
++ */
++kdf_t *openssl_kdf_create(key_derivation_function_t algo, va_list args);
++
++#endif /** OPENSSL_KDF_H_ @}*/
+Index: strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_plugin.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ strongswan-5.9.5/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -16,7 +16,6 @@
+ 
+ #include <library.h>
+ #include <utils/debug.h>
+-#include <collections/array.h>
+ #include <threading/thread.h>
+ #include <threading/mutex.h>
+ #include <threading/thread_value.h>
+@@ -53,6 +52,7 @@
+ #include "openssl_pkcs12.h"
+ #include "openssl_rng.h"
+ #include "openssl_hmac.h"
++#include "openssl_kdf.h"
+ #include "openssl_aead.h"
+ #include "openssl_x_diffie_hellman.h"
+ #include "openssl_ed_public_key.h"
+@@ -74,13 +74,6 @@ struct private_openssl_plugin_t {
+ 	 * public functions
+ 	 */
+ 	openssl_plugin_t public;
+-
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	/**
+-	 * Loaded providers
+-	 */
+-	array_t *providers;
+-#endif
+ };
+ 
+ /**
+@@ -662,6 +655,11 @@ METHOD(plugin_t, get_features, int,
+ 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
+ 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
+ #endif
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++		/* HKDF is available since 1.1.0, expand-only mode only since 1.1.1 */
++		PLUGIN_REGISTER(KDF, openssl_kdf_create),
++			PLUGIN_PROVIDE(KDF, KDF_PRF_PLUS),
++#endif
+ #endif /* OPENSSL_NO_HMAC */
+ #if (OPENSSL_VERSION_NUMBER >= 0x1000100fL && !defined(OPENSSL_NO_AES)) || \
+ 	(OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined(OPENSSL_NO_CHACHA))
+@@ -887,15 +885,6 @@ METHOD(plugin_t, get_features, int,
+ METHOD(plugin_t, destroy, void,
+ 	private_openssl_plugin_t *this)
+ {
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	OSSL_PROVIDER *provider;
+-	while (array_remove(this->providers, ARRAY_TAIL, &provider))
+-	{
+-		OSSL_PROVIDER_unload(provider);
+-	}
+-	array_destroy(this->providers);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+ /* OpenSSL 1.1.0 cleans up itself at exit and while OPENSSL_cleanup() exists we
+  * can't call it as we couldn't re-initialize the library (as required by the
+  * unit tests and the Android app) */
+@@ -1009,20 +998,16 @@ plugin_t *openssl_plugin_create()
+ 			DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ 			return NULL;
+ 		}
+-		array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ 		/* explicitly load the base provider containing encoding functions */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "base"));
++		OSSL_PROVIDER_load(NULL, "base");
+ 	}
+ 	else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ 									 TRUE, lib->ns))
+ 	{
+ 		/* load the legacy provider for algorithms like MD4, DES, BF etc. */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "legacy"));
++		OSSL_PROVIDER_load(NULL, "legacy");
+ 		/* explicitly load the default provider, as mentioned by crypto(7) */
+-		array_insert_create(&this->providers, ARRAY_TAIL,
+-							OSSL_PROVIDER_load(NULL, "default"));
++		OSSL_PROVIDER_load(NULL, "default");
+ 	}
+ 	ossl_provider_names_t data = {};
+ 	OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
+Index: strongswan-5.9.5/src/libstrongswan/plugins/plugin_feature.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/plugin_feature.c
++++ strongswan-5.9.5/src/libstrongswan/plugins/plugin_feature.c
+@@ -32,6 +32,7 @@ ENUM(plugin_feature_names, FEATURE_NONE,
+ 	"HASHER",
+ 	"PRF",
+ 	"XOF",
++	"KDF",
+ 	"DRBG",
+ 	"DH",
+ 	"RNG",
+@@ -93,6 +94,9 @@ uint32_t plugin_feature_hash(plugin_feat
+ 		case FEATURE_XOF:
+ 			data = chunk_from_thing(feature->arg.xof);
+ 			break;
++		case FEATURE_KDF:
++			data = chunk_from_thing(feature->arg.kdf);
++			break;
+ 		case FEATURE_DRBG:
+ 			data = chunk_from_thing(feature->arg.drbg);
+ 			break;
+@@ -171,6 +175,8 @@ bool plugin_feature_matches(plugin_featu
+ 				return a->arg.prf == b->arg.prf;
+ 			case FEATURE_XOF:
+ 				return a->arg.xof == b->arg.xof;
++			case FEATURE_KDF:
++				return a->arg.kdf == b->arg.kdf;
+ 			case FEATURE_DRBG:
+ 				return a->arg.drbg == b->arg.drbg;
+ 			case FEATURE_DH:
+@@ -232,6 +238,7 @@ bool plugin_feature_equals(plugin_featur
+ 			case FEATURE_HASHER:
+ 			case FEATURE_PRF:
+ 			case FEATURE_XOF:
++			case FEATURE_KDF:
+ 			case FEATURE_DRBG:
+ 			case FEATURE_DH:
+ 			case FEATURE_NONCE_GEN:
+@@ -327,6 +334,13 @@ char* plugin_feature_get_string(plugin_f
+ 				return str;
+ 			}
+ 			break;
++		case FEATURE_KDF:
++			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
++					key_derivation_function_names, feature->arg.kdf) > 0)
++			{
++				return str;
++			}
++			break;
+ 		case FEATURE_DRBG:
+ 			if (asprintf(&str, "%N:%N", plugin_feature_names, feature->type,
+ 					drbg_type_names, feature->arg.drbg) > 0)
+@@ -472,6 +486,17 @@ bool plugin_feature_load(plugin_t *plugi
+ 	name = plugin->get_name(plugin);
+ 	switch (feature->type)
+ 	{
++		case FEATURE_NONE:
++		case FEATURE_PRIVKEY_SIGN:
++		case FEATURE_PRIVKEY_DECRYPT:
++		case FEATURE_PUBKEY_VERIFY:
++		case FEATURE_PUBKEY_ENCRYPT:
++		case FEATURE_EAP_SERVER:
++		case FEATURE_EAP_PEER:
++		case FEATURE_XAUTH_SERVER:
++		case FEATURE_XAUTH_PEER:
++		case FEATURE_CUSTOM:
++			break;
+ 		case FEATURE_CRYPTER:
+ 			lib->crypto->add_crypter(lib->crypto, feature->arg.crypter.alg,
+ 								feature->arg.crypter.key_size,
+@@ -498,6 +523,10 @@ bool plugin_feature_load(plugin_t *plugi
+ 			lib->crypto->add_xof(lib->crypto, feature->arg.xof,
+ 								name, reg->arg.reg.f);
+ 			break;
++		case FEATURE_KDF:
++			lib->crypto->add_kdf(lib->crypto, feature->arg.kdf,
++								name, reg->arg.reg.f);
++			break;
+ 		case FEATURE_DRBG:
+ 			lib->crypto->add_drbg(lib->crypto, feature->arg.drbg,
+ 								name, reg->arg.reg.f);
+@@ -547,8 +576,6 @@ bool plugin_feature_load(plugin_t *plugi
+ 		case FEATURE_RESOLVER:
+ 			lib->resolver->add_resolver(lib->resolver, reg->arg.reg.f);
+ 			break;
+-		default:
+-			break;
+ 	}
+ 	return TRUE;
+ }
+@@ -574,6 +601,17 @@ bool plugin_feature_unload(plugin_t *plu
+ 	}
+ 	switch (feature->type)
+ 	{
++		case FEATURE_NONE:
++		case FEATURE_PRIVKEY_SIGN:
++		case FEATURE_PRIVKEY_DECRYPT:
++		case FEATURE_PUBKEY_VERIFY:
++		case FEATURE_PUBKEY_ENCRYPT:
++		case FEATURE_EAP_SERVER:
++		case FEATURE_EAP_PEER:
++		case FEATURE_XAUTH_SERVER:
++		case FEATURE_XAUTH_PEER:
++		case FEATURE_CUSTOM:
++			break;
+ 		case FEATURE_CRYPTER:
+ 			lib->crypto->remove_crypter(lib->crypto, reg->arg.reg.f);
+ 			break;
+@@ -592,6 +630,9 @@ bool plugin_feature_unload(plugin_t *plu
+ 		case FEATURE_XOF:
+ 			lib->crypto->remove_xof(lib->crypto, reg->arg.reg.f);
+ 			break;
++		case FEATURE_KDF:
++			lib->crypto->remove_kdf(lib->crypto, reg->arg.reg.f);
++			break;
+ 		case FEATURE_DRBG:
+ 			lib->crypto->remove_drbg(lib->crypto, reg->arg.reg.f);
+ 			break;
+@@ -628,8 +669,6 @@ bool plugin_feature_unload(plugin_t *plu
+ 		case FEATURE_RESOLVER:
+ 			lib->resolver->remove_resolver(lib->resolver, reg->arg.reg.f);
+ 			break;
+-		default:
+-			break;
+ 	}
+ 	return TRUE;
+ }
+Index: strongswan-5.9.5/src/libstrongswan/plugins/plugin_feature.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/plugin_feature.h
++++ strongswan-5.9.5/src/libstrongswan/plugins/plugin_feature.h
+@@ -113,6 +113,8 @@ struct plugin_feature_t {
+ 		FEATURE_PRF,
+ 		/** xof_t */
+ 		FEATURE_XOF,
++		/** kdf_t */
++		FEATURE_KDF,
+ 		/** drbg_t */
+ 		FEATURE_DRBG,
+ 		/** diffie_hellman_t */
+@@ -176,8 +178,10 @@ struct plugin_feature_t {
+ 		integrity_algorithm_t signer;
+ 		/** FEATURE_PRF */
+ 		pseudo_random_function_t prf;
+-		/** FEATURE_XOFF */
++		/** FEATURE_XOF */
+ 		ext_out_function_t xof;
++		/** FEATURE_KDF */
++		key_derivation_function_t kdf;
+ 		/** FEATURE_DRBG */
+ 		drbg_type_t drbg;
+ 		/** FEATURE_HASHER */
+@@ -288,6 +292,7 @@ struct plugin_feature_t {
+ #define _PLUGIN_FEATURE_HASHER(kind, alg)					__PLUGIN_FEATURE(kind, HASHER, .hasher = alg)
+ #define _PLUGIN_FEATURE_PRF(kind, alg)						__PLUGIN_FEATURE(kind, PRF, .prf = alg)
+ #define _PLUGIN_FEATURE_XOF(kind, alg)						__PLUGIN_FEATURE(kind, XOF, .xof = alg)
++#define _PLUGIN_FEATURE_KDF(kind, alg)						__PLUGIN_FEATURE(kind, KDF, .kdf = alg)
+ #define _PLUGIN_FEATURE_DRBG(kind, type)					__PLUGIN_FEATURE(kind, DRBG, .drbg = type)
+ #define _PLUGIN_FEATURE_DH(kind, group)						__PLUGIN_FEATURE(kind, DH, .dh_group = group)
+ #define _PLUGIN_FEATURE_RNG(kind, quality)					__PLUGIN_FEATURE(kind, RNG, .rng_quality = quality)
+@@ -322,6 +327,7 @@ struct plugin_feature_t {
+ #define _PLUGIN_FEATURE_REGISTER_HASHER(type, f)			__PLUGIN_FEATURE_REGISTER(type, f)
+ #define _PLUGIN_FEATURE_REGISTER_PRF(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
+ #define _PLUGIN_FEATURE_REGISTER_XOF(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
++#define _PLUGIN_FEATURE_REGISTER_KDF(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
+ #define _PLUGIN_FEATURE_REGISTER_DRBG(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
+ #define _PLUGIN_FEATURE_REGISTER_DH(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
+ #define _PLUGIN_FEATURE_REGISTER_RNG(type, f)				__PLUGIN_FEATURE_REGISTER(type, f)
+Index: strongswan-5.9.5/src/libstrongswan/plugins/test_vectors/Makefile.am
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/test_vectors/Makefile.am
++++ strongswan-5.9.5/src/libstrongswan/plugins/test_vectors/Makefile.am
+@@ -30,6 +30,7 @@ libstrongswan_test_vectors_la_SOURCES =
+ 	test_vectors/cast.c \
+ 	test_vectors/des.c \
+ 	test_vectors/idea.c \
++	test_vectors/kdf_prf_plus.c \
+ 	test_vectors/null.c \
+ 	test_vectors/rc2.c \
+ 	test_vectors/rc5.c \
+Index: strongswan-5.9.5/src/libstrongswan/plugins/test_vectors/test_vectors.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/test_vectors/test_vectors.h
++++ strongswan-5.9.5/src/libstrongswan/plugins/test_vectors/test_vectors.h
+@@ -220,6 +220,14 @@ TEST_VECTOR_HASHER(sha3_256_255)
+ TEST_VECTOR_HASHER(sha3_384_255)
+ TEST_VECTOR_HASHER(sha3_512_255)
+ 
++TEST_VECTOR_KDF(prf_plus_sha256_old)
++TEST_VECTOR_KDF(prf_plus_sha256_1)
++TEST_VECTOR_KDF(prf_plus_sha256_2)
++TEST_VECTOR_KDF(prf_plus_sha384_1)
++TEST_VECTOR_KDF(prf_plus_sha384_2)
++TEST_VECTOR_KDF(prf_plus_sha512_1)
++TEST_VECTOR_KDF(prf_plus_sha512_2)
++
+ TEST_VECTOR_PRF(aes_xcbc_p1)
+ TEST_VECTOR_PRF(aes_xcbc_p2)
+ TEST_VECTOR_PRF(aes_xcbc_p3)
+Index: strongswan-5.9.5/src/libstrongswan/plugins/test_vectors/test_vectors/kdf_prf_plus.c
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/test_vectors/test_vectors/kdf_prf_plus.c
+@@ -0,0 +1,290 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include <crypto/crypto_tester.h>
++
++/**
++ * This is an old test vector derived from one in RFC 4868.
++ */
++kdf_test_vector_t prf_plus_sha256_old = {
++	.alg = KDF_PRF_PLUS, .arg.prf = PRF_HMAC_SHA2_256,
++	.key = chunk_from_chars(
++		0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,
++		0x0b,0x0b,0x0b,0x0b),
++	.salt = chunk_from_chars(
++		0x48,0x69,0x20,0x54,0x68,0x65,0x72,0x65),
++	.out = chunk_from_chars(
++		0xb9,0xbd,0xc0,0x89,0x88,0xb4,0xc2,0xb7,0x5a,0xa9,0x3e,0x59,0x6a,0xc8,0x42,0x05,
++		0xfa,0x2d,0xdd,0xe1,0xbf,0x7a,0x25,0x72,0x06,0x7b,0x00,0xe1,0x4b,0x23,0x77,0x32,
++		0x83,0x05,0x09,0x98,0x1a,0xd2,0xf9,0x4a,0x8c,0x32,0xa4,0x7d,0xaa,0x22,0x55,0xb6,
++		0x60,0xc4,0x36,0x34,0x7a,0xe7,0x56,0xa6,0xed,0xc0,0x23,0x47,0x7d,0x80,0x95,0x90,
++		0xe6,0x82,0xf6,0x1d,0x9c,0x04,0xb0,0x6b,0x4a,0xd9,0x71,0xa3,0x4c,0x81,0x47,0xfa,
++		0x66,0x79,0x2f,0xf1,0x43,0x4b,0x93,0xc7,0x22,0xb3,0x2e,0x12,0xf4,0x88,0x32,0xeb,
++		0xc1,0x5c,0xe2,0x36,0x9c,0xe7,0x1f,0xe9,0xb7,0xb8,0x1e,0x57,0x04,0xc1,0x4d,0x0f,
++		0x52,0x80,0xa6,0xec,0x62,0x6e,0x99,0x2d,0x7a,0x9f),
++};
++
++/**
++ * The following test vectors are from CAVP/SP 800-135 for IKEv2.
++ *
++ * key = SKEYSEED, salt = Ni | Nr | SPIi | SPIr (one vector with min. and one
++ * with max. size for nonces)
++ */
++kdf_test_vector_t prf_plus_sha256_1 = {
++	.alg = KDF_PRF_PLUS, .arg.prf = PRF_HMAC_SHA2_256,
++	.key = chunk_from_chars(
++		0x37,0xfd,0xe9,0x0b,0x81,0xd6,0x36,0x92,0x62,0x0f,0x67,0x36,0x7b,0x62,0x09,0x2e,
++		0x3e,0xfd,0xc6,0xa0,0x35,0x09,0x13,0x7d,0x73,0x10,0x04,0x76,0x7f,0xf3,0x50,0x10),
++	.salt = chunk_from_chars(
++		0xed,0x80,0xdc,0x79,0x91,0x2c,0x32,0xa9,0x35,0xfb,0x6d,0x1a,0x3f,0xea,0xc0,0x78,
++		0x47,0xc1,0x85,0x8e,0xfc,0x93,0x2e,0xa4,0x60,0x6f,0xd0,0x56,0x09,0x62,0x40,0x02),
++	.out = chunk_from_chars(
++		0x63,0xd0,0x18,0xa0,0x8f,0x7a,0x29,0xda,0xa7,0xd1,0xf9,0x2c,0xb6,0x3f,0x45,0xfa,
++		0x39,0xbb,0xaf,0x5e,0x5f,0x1a,0x78,0x13,0x96,0x13,0xbb,0x89,0x1e,0x3e,0x6b,0xf9,
++		0xd0,0x44,0x8f,0x7c,0x74,0xe0,0x5b,0x4c,0x1a,0x25,0xc0,0xb6,0x1e,0x62,0xc8,0x75,
++		0xe8,0x52,0xf2,0x87,0xe1,0x92,0xd4,0xae,0x53,0x61,0x12,0xdb,0x51,0x97,0x21,0x64,
++		0x00,0xbd,0x5e,0x12,0x34,0x70,0xef,0xc1,0x5f,0x53,0x16,0x18,0x65,0xfe,0x8b,0x19,
++		0xa1,0x41,0x65,0x18,0xa1,0x57,0xd6,0x51,0xec,0xd2,0xca,0xdd,0xab,0x6a,0x9e,0xae,
++		0x6a,0x27,0xa5,0x5a,0xf0,0x88,0x21,0x8d,0x51,0x56,0xed,0xaa,0x97,0x89,0xf9,0x34,
++		0xd9,0x83,0x6e,0xd4,0x3e,0xdf,0xfd,0xa5,0x53,0x82,0x22,0x02,0xff,0x9f,0x7d,0x48,
++		0x60,0xca,0x72,0xe0),
++};
++
++kdf_test_vector_t prf_plus_sha256_2 = {
++	.alg = KDF_PRF_PLUS, .arg.prf = PRF_HMAC_SHA2_256,
++	.key = chunk_from_chars(
++		0x29,0xbd,0x11,0x55,0x68,0xae,0x09,0x88,0x27,0x0f,0xc3,0x86,0xd3,0x95,0xfe,0x37,
++		0x07,0xa4,0xd0,0x62,0x89,0xf3,0x52,0xbb,0xa4,0xc0,0x0a,0x9a,0xd8,0x55,0xa0,0x8d),
++	.salt = chunk_from_chars(
++		0xef,0xa7,0x29,0x13,0x18,0x22,0x78,0xff,0xbd,0x14,0xe7,0x89,0x20,0xc0,0x62,0x51,
++		0x9a,0xba,0xb8,0xc1,0x6e,0x5e,0xd7,0x0c,0x08,0x41,0xa4,0x8c,0xdb,0x98,0x23,0x7e,
++		0xe9,0x3f,0x73,0x5f,0xb2,0xdf,0x18,0x43,0x58,0xaa,0xdc,0x13,0xd8,0x3f,0x43,0xfe,
++		0x8d,0x87,0x05,0x17,0x6c,0x8c,0xa3,0x13,0x82,0x5a,0x1b,0xcd,0xf7,0x79,0x11,0xc5,
++		0x98,0x00,0x16,0x71,0xff,0xbf,0x01,0x4e,0x37,0xa8,0xc0,0x4d,0x49,0xa7,0x83,0x9d,
++		0xfe,0xa6,0xcd,0xc5,0x87,0x68,0x8d,0x45,0x88,0xfe,0x43,0x23,0x5b,0x71,0x69,0x3f,
++		0xfd,0x07,0x29,0x33,0x86,0xb6,0xbf,0x4c,0x19,0x9e,0x33,0x61,0x65,0xb2,0x60,0x78,
++		0x77,0x36,0xf5,0x4b,0xe9,0x5d,0xb6,0x91,0x16,0x38,0x8b,0xc2,0xec,0xa2,0xb3,0xb2,
++		0x94,0x84,0x71,0x74,0x17,0xbb,0x3c,0x71,0x81,0x4c,0xe1,0x3b,0x84,0x44,0x6d,0xc3,
++		0x96,0x4c,0x30,0x29,0x84,0xf9,0x77,0x81,0xf6,0x31,0x66,0x24,0x08,0x90,0x10,0x7c,
++		0x2e,0x75,0x1a,0x00,0x43,0x6f,0x7c,0x3c,0x9f,0xf1,0x27,0x60,0xe4,0x9d,0x91,0x56,
++		0x3b,0xe6,0x03,0xfd,0x96,0x41,0xa0,0xa6,0x49,0x18,0xa9,0x32,0x91,0xed,0x11,0x3d,
++		0xb1,0x2f,0x97,0x07,0x60,0x9d,0x17,0x20,0x96,0xeb,0x58,0xf9,0x15,0x44,0x74,0xda,
++		0x40,0xc1,0xf5,0xc0,0x90,0x3e,0x9c,0xa2,0xf9,0x1b,0xa6,0x60,0x07,0x75,0xdf,0x71,
++		0x66,0xca,0xf8,0xe3,0x27,0x85,0x9e,0x67,0x62,0x32,0xd3,0x40,0x46,0x04,0x4c,0xee,
++		0x43,0xf9,0x01,0x9f,0x04,0x68,0x56,0x12,0x63,0x5b,0x99,0xcb,0xeb,0xcb,0x36,0x3d,
++		0x56,0x5e,0xaf,0x0e,0x54,0x7e,0xec,0xb9,0x41,0xc9,0x94,0xdf,0xd4,0x71,0xed,0x56,
++		0x43,0xc0,0x87,0x74,0x4f,0x77,0x09,0xcc,0x3e,0x25,0x10,0xf2,0x74,0x26,0xc6,0x2c,
++		0x0f,0xf3,0xac,0xb3,0xc2,0x76,0x61,0xd2,0x6a,0x6d,0x83,0xc2,0xa2,0x5e,0x13,0xa6,
++		0xd4,0x65,0xbd,0x04,0x7f,0x90,0x55,0x00,0xe5,0xeb,0xbe,0x42,0x66,0x43,0x0d,0x56,
++		0x67,0x14,0x0f,0x77,0xe7,0x97,0x71,0x2a,0x8c,0x8f,0x63,0xc5,0x83,0xf4,0xb4,0x64,
++		0x9b,0x72,0x89,0x9e,0xa3,0x4a,0xbf,0xdb,0x17,0x61,0x7c,0x46,0x0c,0x35,0xf2,0x50,
++		0x64,0x94,0x49,0x4f,0x22,0x3e,0x25,0x1a,0xc7,0x1a,0x5b,0x9b,0x7e,0xea,0x87,0xf4,
++		0xf5,0xe3,0x33,0xa3,0xc1,0xbb,0xb4,0xbb,0x09,0x25,0x8b,0x6a,0x4b,0x5f,0x8c,0x9f,
++		0xb8,0x2b,0xf4,0x2d,0xa9,0xd4,0xa4,0x65,0x43,0xc6,0xa9,0xeb,0x9a,0xa3,0x0e,0xa9,
++		0xda,0x80,0x19,0x15,0xab,0xcc,0x17,0x12,0xd0,0x82,0xf2,0x92,0xa6,0x3f,0xd9,0xaf,
++		0x71,0x54,0xa9,0x7c,0xc7,0x38,0x59,0xa4,0xbe,0x3c,0xba,0x35,0x9d,0x32,0x18,0x00,
++		0x4e,0x14,0xdf,0x02,0xd0,0x9e,0xdf,0x0a,0xd5,0x79,0x6b,0xb0,0x10,0x99,0x52,0x93,
++		0xab,0x5d,0x04,0x2c,0x31,0x05,0x53,0x80,0xcc,0x9c,0xb2,0xe3,0x61,0x79,0x82,0xc4,
++		0x5f,0x6b,0xce,0x1f,0xb8,0xa4,0x0e,0xf9,0xea,0xc4,0x8a,0xe1,0x77,0x20,0xdf,0xec,
++		0xc7,0x1e,0xc8,0x57,0xea,0x33,0xf3,0x2e,0xb3,0x46,0xba,0x60,0x36,0xe8,0xf9,0xcc,
++		0xd7,0xbc,0xad,0xc6,0xc1,0xab,0x92,0xa8,0x0c,0x57,0xe7,0x89,0x59,0xd8,0xb8,0x28,
++		0x57,0xe9,0x1d,0xf9,0xc5,0xff,0xb8,0x42,0x4d,0x5e,0xad,0xac,0x0e,0x57,0x0f,0x7c),
++	.out = chunk_from_chars(
++		0xd5,0x03,0x3d,0x08,0x79,0x34,0xc6,0x15,0x38,0xb2,0x3d,0xff,0x87,0x5b,0x3b,0xa9,
++		0x20,0xe0,0x5c,0x1b,0x42,0xac,0x7f,0x97,0x93,0x99,0x5e,0x76,0xba,0x3e,0x46,0x1d,
++		0x6e,0x83,0xb2,0xfb,0xe0,0xfa,0x68,0x1b,0xa2,0x85,0x69,0x6d,0x53,0xb1,0x75,0xe0,
++		0x70,0xc4,0xc1,0xcb,0xc7,0x40,0x43,0xf7,0xca,0xc5,0x58,0xc4,0x94,0xac,0xd2,0x3a,
++		0xab,0xfc,0x7a,0x68,0x5b,0x62,0x74,0x13,0x44,0x08,0xca,0xfc,0x16,0x92,0x85,0x2a,
++		0xca,0x66,0x3c,0xef,0xd7,0xdd,0x0c,0x8a,0x87,0x2a,0x36,0xa1,0x41,0x4d,0xb4,0xb7,
++		0xf3,0x14,0xad,0x0e,0x49,0xf2,0xc1,0x87,0x16,0x2e,0x28,0x76,0xc6,0x05,0x3d,0xbe,
++		0xf5,0xa2,0xea,0x8c,0x33,0xdc,0xd3,0xdd,0x91,0x68,0x76,0x44,0x37,0x7c,0x45,0xf4,
++		0xb5,0xc4,0x18,0xe1,0xe1,0x0b,0xec,0x22,0xba,0xac,0x31,0x3b,0x90,0x2b,0xdf,0xfc,
++		0xfb,0x69,0xc6,0x8e,0xf4,0xe7,0x1c,0x5a,0xcc,0x39,0xa9,0xf0,0x7a,0xcb,0x1f,0xc3,
++		0xba,0x8e,0x92,0xc6,0xdc,0xa8,0x61,0xa6,0x41,0x63,0xb0,0x68,0x9d,0xa4,0xa9,0x7f,
++		0x12,0x40,0x26,0x36,0x09,0x90,0xc9,0xf1,0xae,0x4e,0x8d,0x02,0x98,0xf0,0x77,0xfc,
++		0xbb,0x0c,0x20,0x3f,0xd2,0xca,0x82,0x1d,0xea,0xb0,0x59,0x1a,0x22,0x1d,0x9d,0x0a,
++		0x79,0x8d,0x02,0xf0,0x78,0xd8,0xfb,0x6e,0x93,0x1c,0xa4,0x46,0xa1,0x3f,0x11,0x63,
++		0x8c,0x6b,0x6a,0xfb,0x82,0x25,0xa0,0x08,0xf9,0x38,0xa6,0x87,0x8c,0x5b,0x57,0x7e,
++		0x03,0xae,0xcf,0xa7,0x31,0x41,0x01,0xed,0xd0,0xfd,0xa3,0xbd,0xbe,0xa4,0x98,0x5c),
++};
++
++kdf_test_vector_t prf_plus_sha384_1 = {
++	.alg = KDF_PRF_PLUS, .arg.prf = PRF_HMAC_SHA2_384,
++	.key = chunk_from_chars(
++		0x54,0x43,0x6a,0x9e,0xa9,0x5d,0x6f,0xf7,0x9b,0x96,0x7f,0x4b,0x07,0xf6,0xde,0x97,
++		0x6a,0x37,0x6e,0x8e,0xa2,0x6a,0xa9,0x57,0x47,0x09,0xaf,0xc6,0x02,0x43,0xc9,0xc1,
++		0x41,0xda,0x4c,0xa0,0xe1,0x58,0xe6,0x27,0xa7,0x5e,0xa8,0x7f,0x6f,0xeb,0x07,0xef),
++	.salt = chunk_from_chars(
++		0xd6,0x72,0xb0,0xbc,0x85,0x28,0x29,0xb9,0x35,0x09,0xf3,0xb7,0x24,0x70,0x63,0x64,
++		0x0f,0x9a,0x01,0x6d,0x7b,0x22,0x22,0x3c,0x85,0xf7,0x10,0xda,0xf8,0xb9,0x82,0xd8),
++	.out = chunk_from_chars(
++		0x10,0xb0,0x0a,0x65,0x46,0x43,0xb3,0xb9,0x85,0x76,0x4f,0x86,0xe2,0x3e,0xf6,0x24,
++		0x31,0x12,0x2f,0xcc,0x96,0xde,0x16,0xe3,0x38,0xa3,0x72,0xbe,0xe4,0x93,0x91,0xdb,
++		0x1f,0x83,0xa7,0x35,0x8c,0x08,0x03,0x80,0xab,0xbf,0x4a,0xf4,0x7c,0xdb,0x83,0xb9,
++		0x53,0x03,0x43,0x16,0x8f,0x7d,0xbc,0x92,0x21,0x26,0x0e,0x15,0x46,0xc6,0xb3,0x83,
++		0xe2,0x23,0x5d,0x27,0x05,0xa7,0x27,0xf0,0xb4,0x1a,0xeb,0xf6,0xa1,0xb4,0xc6,0x1c,
++		0xb4,0x60,0x66,0x01,0x52,0xa1,0x7b,0xa7,0x4c,0x20,0xd5,0x19,0x1b,0xa6,0x84,0x17,
++		0x94,0x94,0x52,0x70,0xd8,0x29,0x58,0x7b,0x7f,0x32,0x94,0x63,0x9e,0xa7,0xb7,0x71,
++		0x49,0xe1,0xd0,0x72,0x30,0xac,0x16,0xe0,0xcd,0x5a,0xb2,0x36,0xfa,0x32,0x12,0xbd,
++		0x56,0x9e,0xe7,0x0f),
++};
++
++kdf_test_vector_t prf_plus_sha384_2 = {
++	.alg = KDF_PRF_PLUS, .arg.prf = PRF_HMAC_SHA2_384,
++	.key = chunk_from_chars(
++		0xff,0x66,0xe9,0xd0,0x92,0xdc,0x01,0xe0,0xb8,0x1f,0x93,0x9f,0x52,0xf5,0xc0,0x7d,
++		0x38,0xd8,0x05,0xb9,0x86,0x28,0xce,0x1a,0xc5,0xfe,0x94,0xc0,0x98,0x57,0x76,0x47,
++		0x33,0x9f,0xad,0x68,0x94,0x1f,0xfe,0x21,0xe0,0x1e,0xfb,0x4e,0x70,0x50,0x21,0x3b),
++	.salt = chunk_from_chars(
++		0x9e,0x2a,0x62,0xf9,0x36,0x28,0x93,0xdd,0xf8,0x47,0x16,0xfe,0xc2,0xf2,0x3f,0x9d,
++		0xcb,0xd9,0x01,0x0d,0xf6,0xfe,0x9e,0x0e,0xb4,0x6d,0x03,0xd9,0x14,0xf3,0x04,0xd8,
++		0xfe,0x4d,0x3e,0xe2,0xd6,0xa0,0x3b,0x40,0xe5,0x6a,0x32,0x5e,0x82,0x2a,0x17,0x36,
++		0x19,0x29,0x18,0x4a,0xde,0x09,0xea,0xa4,0x45,0x27,0x8d,0x38,0x70,0x41,0x7a,0x7c,
++		0xf5,0x65,0x58,0x4f,0x57,0x2a,0xd3,0x4f,0xf7,0x2b,0xc7,0x78,0x1a,0x39,0xa4,0x8b,
++		0x54,0xb5,0x5d,0x6e,0xb0,0xed,0x68,0x55,0x1b,0x22,0x2c,0x7a,0xfa,0xda,0x0b,0xc8,
++		0x22,0x36,0xec,0x31,0xce,0x6c,0x04,0x6b,0x3b,0x2e,0xdb,0x2d,0xef,0x61,0xf4,0xd2,
++		0xd8,0x57,0xb2,0xd1,0xcb,0x36,0x96,0xc0,0x23,0xe0,0x8c,0x08,0xd6,0xab,0xd0,0x4d,
++		0x4f,0x69,0x09,0x2b,0x14,0x58,0x37,0x35,0xb9,0xe9,0x18,0xae,0xe5,0xa3,0x99,0x9d,
++		0xcb,0xf5,0x8f,0xda,0xd6,0xfc,0xd4,0x7c,0x95,0x92,0x98,0x77,0x03,0x0e,0x54,0xb7,
++		0x08,0x23,0x5f,0x2a,0x2e,0x11,0xe7,0xc5,0x85,0x84,0x61,0x9a,0xa2,0xfa,0x69,0x31,
++		0x53,0x44,0xd3,0x65,0x7b,0x55,0x72,0x0a,0x25,0xeb,0xe8,0x8e,0xa0,0x77,0x69,0x72,
++		0xc9,0xe2,0x24,0x69,0xb7,0xed,0x5d,0xa9,0x6b,0x3c,0x76,0x85,0xf7,0xb0,0x56,0x99,
++		0x60,0xbd,0x64,0x4f,0x13,0x0b,0x44,0xa0,0xd5,0x51,0xbb,0x0e,0x90,0x2e,0xd6,0x8a,
++		0xb3,0x84,0xfd,0xc2,0xfa,0xca,0xf7,0x9b,0xbf,0x8d,0x6d,0x37,0x36,0xdf,0xa9,0x52,
++		0xcd,0x70,0xf4,0x74,0x6f,0x1a,0x4a,0xea,0xc2,0xbd,0xbe,0xca,0x97,0xb7,0x8f,0xc1,
++		0x77,0x78,0x78,0xc1,0x28,0x59,0x43,0x35,0x52,0xa7,0x7d,0x7f,0x94,0x2e,0x5b,0x60,
++		0x47,0x69,0x91,0xa1,0xe3,0xd0,0x42,0x7c,0xd6,0x77,0x34,0x5a,0x1c,0xe2,0x06,0x3a,
++		0x2e,0x0e,0xc5,0x47,0xa9,0xd8,0x21,0xda,0x75,0x9f,0x1a,0x91,0xb5,0x88,0x17,0xbd,
++		0x0d,0xc4,0xef,0xfc,0x12,0x6f,0x6f,0x4e,0xb0,0xb9,0x11,0xe9,0x04,0xed,0x21,0xdc,
++		0x43,0x9d,0x65,0x8a,0x77,0x3f,0x97,0xe1,0x79,0xad,0x20,0xbc,0x3c,0x63,0x60,0x9f,
++		0x28,0x74,0x06,0x2e,0x83,0x5f,0x6a,0xe0,0x8d,0x59,0x65,0x4f,0x9c,0x88,0x61,0xe5,
++		0x27,0x03,0x9e,0xea,0xc3,0x2b,0x9e,0xed,0x29,0x3b,0xd8,0xb1,0xe0,0xe7,0xc6,0x7b,
++		0xf1,0xd7,0x55,0x24,0x6a,0x1b,0x06,0x3f,0xf0,0x06,0x32,0xa4,0x6d,0xd5,0xcf,0x69,
++		0x48,0xf0,0xee,0xd9,0xb6,0x5c,0x59,0x39,0xdf,0xd2,0x14,0x80,0xa6,0x3d,0xf0,0xca,
++		0xb0,0xa7,0x50,0x9c,0x42,0x45,0xa1,0xbe,0x75,0x47,0xcc,0xc6,0xf7,0x3c,0x72,0x4b,
++		0x48,0xb7,0x86,0x70,0x12,0xe0,0xca,0x3e,0x47,0x2e,0x0d,0x55,0x06,0x49,0xa7,0x34,
++		0x44,0x0f,0xef,0xfc,0x8e,0x73,0x68,0x2c,0xb6,0x04,0x53,0xe7,0xa4,0x7e,0x72,0xfe,
++		0x08,0x74,0xeb,0x40,0xac,0xd0,0xd4,0x8e,0x4e,0x57,0x19,0x74,0x16,0x11,0x2b,0xcd,
++		0xc8,0xbb,0x7a,0x58,0xbe,0xa7,0x45,0xfd,0xd6,0x4c,0x16,0xf6,0x66,0xc8,0x8d,0x9e,
++		0x3b,0xd2,0x35,0xb1,0x37,0x20,0x6f,0x6c,0xdb,0xa1,0x90,0xbe,0x65,0xec,0x03,0x3c,
++		0x19,0x1f,0x67,0x6b,0x42,0x8e,0xc1,0x20,0x5d,0xc5,0xe9,0x45,0x82,0x85,0x08,0xd8,
++		0x6f,0xd4,0xbc,0x62,0x54,0x02,0xaa,0x68,0x5f,0x60,0x72,0x5e,0xfd,0xb4,0x25,0x96),
++	.out = chunk_from_chars(
++		0x28,0x10,0x28,0x8a,0x45,0xa5,0x02,0x21,0x1f,0xea,0xde,0x99,0x43,0xb4,0x22,0x4a,
++		0x3f,0x54,0xcf,0x97,0xf1,0x91,0xb6,0x21,0xd8,0x0a,0x19,0xf3,0xf1,0xb0,0x36,0x6d,
++		0x5e,0xd7,0x3d,0x19,0x5b,0x73,0x2a,0x15,0xb5,0x99,0x05,0x1a,0x13,0xb7,0xc5,0x84,
++		0x17,0x55,0x21,0xe3,0xa9,0x7c,0xdb,0x22,0x0c,0x89,0x24,0xb0,0xec,0x23,0x4a,0x94,
++		0x2e,0x05,0x79,0x67,0x5f,0x19,0x39,0x26,0xab,0x33,0x29,0x70,0x58,0x55,0x53,0xe2,
++		0x30,0xe3,0x42,0x9c,0x6e,0x8b,0xa7,0x1b,0x93,0x74,0xbd,0x4a,0x8d,0xf9,0x69,0x45,
++		0x68,0x40,0x52,0x7f,0x2c,0xf6,0x35,0x39,0x2b,0xe9,0xc1,0x7c,0xa8,0x47,0x4c,0xf0,
++		0x1b,0x33,0x2b,0x81,0x08,0xb5,0x4c,0x48,0xaa,0xfc,0x86,0xac,0x4c,0xfc,0xe7,0x05,
++		0x8e,0xe1,0x14,0x54,0x0e,0x5a,0x1b,0x95,0x22,0x01,0xee,0x3d,0x0a,0xc9,0xd3,0xe3,
++		0x3f,0x01,0x80,0x75,0x84,0x33,0x9a,0xc3,0xf4,0x3c,0xcd,0xd3,0x95,0xc5,0x8b,0xb3,
++		0xf4,0xa4,0xcc,0x5c,0x57,0x87,0x1e,0xa1,0xd3,0xea,0xa8,0xd0,0x30,0x2b,0xb3,0x08,
++		0xd1,0xd2,0x03,0xaf,0x13,0x14,0x7e,0x87,0xab,0x2b,0x91,0x59,0xae,0x36,0x1e,0xc0,
++		0x11,0xd6,0x73,0xfe,0x3f,0x16,0x2b,0x39,0x89,0xda,0x34,0x88,0xd8,0xff,0xea,0x2b,
++		0x51,0xe7,0x46,0x5f,0xad,0xdc,0xa6,0x7d,0x1d,0x54,0xc8,0x94,0x0a,0x8a,0xb6,0x2e,
++		0x8a,0xbe,0x41,0x45,0xcb,0x25,0x15,0x91,0x25,0x95,0x01,0x19,0xe3,0xc0,0x1a,0x81,
++		0x35,0x75,0xf0,0xa9,0x59,0xb1,0x43,0xbc,0x31,0xf6,0x2b,0x47,0x34,0xaa,0x45,0xe2),
++};
++
++kdf_test_vector_t prf_plus_sha512_1 = {
++	.alg = KDF_PRF_PLUS, .arg.prf = PRF_HMAC_SHA2_512,
++	.key = chunk_from_chars(
++		0xda,0xf9,0xbd,0x6f,0x2f,0x91,0x2d,0xa5,0x53,0x86,0x79,0x66,0xaf,0x38,0x6e,0x67,
++		0x90,0x9a,0x8d,0xf0,0xca,0x7e,0x84,0xb8,0x3b,0x35,0x5c,0xb7,0xd7,0xf1,0x02,0x6f,
++		0x17,0xd8,0xea,0x34,0xb5,0xd5,0x7f,0xd0,0xd1,0xba,0x38,0x95,0x28,0xfc,0xa1,0xe8,
++		0x1d,0x1c,0x8c,0xe5,0x11,0xb2,0x8a,0x24,0x58,0x24,0x11,0x43,0xfe,0xe3,0x0c,0xcc),
++	.salt = chunk_from_chars(
++		0xdf,0x79,0x31,0xdb,0x9b,0x42,0x9e,0x10,0xb8,0xaa,0x8e,0x4d,0x46,0x04,0x23,0x93,
++		0x9b,0xa4,0x0a,0xf9,0x15,0x7f,0x47,0x92,0x53,0x83,0xc7,0xcd,0x3d,0x10,0x46,0xe6),
++	.out = chunk_from_chars(
++		0x91,0x9a,0x75,0xde,0xae,0xcc,0xbd,0x39,0x3b,0xeb,0xc8,0x96,0x15,0xf8,0xa2,0x15,
++		0xed,0xb7,0x07,0x3b,0x23,0x19,0xd8,0x67,0x40,0x22,0x1e,0xee,0x7a,0x2d,0xeb,0x92,
++		0x50,0x90,0x44,0xd7,0xe6,0x1f,0xcb,0x1b,0xf9,0x67,0x6b,0x38,0x81,0xc7,0xce,0xd4,
++		0x9e,0x6b,0xba,0x15,0x49,0xda,0x31,0x13,0x60,0x16,0x77,0xa2,0x44,0x5d,0x91,0xac,
++		0x13,0xa5,0x97,0x33,0x57,0x82,0xdd,0x3a,0x9c,0xf4,0x96,0xd9,0xe1,0x9b,0x93,0x2f,
++		0x27,0xdd,0x35,0xe3,0x6f,0x80,0x70,0xd2,0x32,0xd0,0xa3,0xb3,0xf4,0xc4,0xa0,0xb4,
++		0xba,0x44,0x70,0x77,0x8d,0xc0,0x90,0xf3,0x1f,0x52,0xab,0x1b,0x6d,0x81,0xe4,0xc7,
++		0xdf,0xb3,0x50,0x63,0xad,0x96,0xc3,0x27,0xad,0xcd,0xbd,0xe7,0x14,0xcc,0x9a,0x6b,
++		0x5e,0xf0,0x49,0xb8),
++};
++
++kdf_test_vector_t prf_plus_sha512_2 = {
++	.alg = KDF_PRF_PLUS, .arg.prf = PRF_HMAC_SHA2_512,
++	.key = chunk_from_chars(
++		0xe5,0x70,0xe7,0x48,0x46,0x34,0x30,0x0d,0x7a,0xdd,0xf5,0xa8,0x52,0x7c,0x13,0x8b,
++		0x76,0x96,0xdb,0xc3,0xd8,0xbe,0x09,0x69,0xb7,0x52,0x15,0x31,0x8a,0x11,0xad,0xa2,
++		0x13,0x53,0x8f,0x62,0x93,0xb0,0xee,0xe5,0xb3,0x09,0xad,0x8f,0x5d,0x8d,0x94,0xdb,
++		0xe5,0x73,0x61,0x27,0xe0,0xd2,0x56,0x0f,0x28,0x1c,0x9c,0x58,0x6b,0xf7,0xc8,0x6f),
++	.salt = chunk_from_chars(
++		0xd8,0x96,0x84,0xe3,0xcb,0x17,0xf3,0xaa,0xbd,0x85,0x3a,0x78,0xdb,0x3e,0xcd,0x5a,
++		0xac,0xc1,0xed,0x71,0xc7,0x0b,0x88,0xa2,0x97,0x56,0xf4,0x6f,0xc7,0x19,0x7c,0x80,
++		0x4e,0xc0,0x01,0x54,0x40,0x02,0xa8,0xae,0xa3,0x60,0x68,0x4b,0x18,0x00,0x6d,0xef,
++		0x0d,0xbd,0x86,0x33,0xb1,0x01,0x9f,0xbc,0xfa,0x85,0xb9,0x4c,0xac,0x2b,0xb8,0x21,
++		0x25,0x84,0xbe,0x62,0xad,0xab,0x0e,0xe4,0xbb,0x8a,0x36,0xae,0xe2,0x52,0x75,0xef,
++		0x07,0x13,0x90,0x48,0x0e,0xef,0xa2,0x09,0x2e,0xb3,0x08,0xaa,0x73,0x37,0xc5,0xce,
++		0xb6,0x06,0x9a,0xb6,0x90,0xe8,0x96,0x2f,0xbf,0xe0,0x98,0x6e,0x4f,0x5c,0x18,0xf4,
++		0x86,0x86,0x1e,0xd3,0xf1,0xdc,0xbe,0xe4,0xc9,0xe4,0xa7,0x66,0x9d,0x74,0x0c,0xa2,
++		0xb0,0xe8,0xed,0x40,0x31,0xb0,0xa4,0x99,0xdc,0x31,0x5c,0xed,0xe7,0xef,0x03,0x39,
++		0x9c,0xbc,0x33,0xdc,0xd6,0x29,0x70,0x34,0x9f,0x12,0x20,0x88,0x1b,0x55,0x45,0x2e,
++		0x0c,0x6c,0x9b,0x52,0xa8,0x8b,0x67,0xf5,0x97,0x58,0x67,0x95,0xb2,0x25,0x70,0x73,
++		0x3f,0xd4,0xff,0x2c,0xc2,0xad,0x93,0x1d,0x83,0x30,0x16,0x5a,0x9e,0x45,0x0e,0x38,
++		0x88,0x59,0xce,0x62,0x4f,0x01,0xdb,0x17,0xc2,0x50,0x2b,0x4e,0x66,0xad,0xf9,0x65,
++		0x27,0x36,0x3d,0x6f,0x90,0x6b,0x20,0x23,0xe8,0xed,0x74,0xd5,0xaf,0x0a,0xa6,0x02,
++		0x46,0xb0,0xb9,0x2f,0x49,0xc4,0x93,0x3e,0xf3,0x12,0xf8,0xa2,0x54,0x34,0xee,0x96,
++		0x98,0xd6,0xd9,0x20,0x43,0x45,0xbd,0x10,0xbb,0x11,0xaa,0x39,0x86,0x56,0x16,0xd5,
++		0xad,0x1b,0x57,0x44,0x70,0x6c,0xfd,0x4e,0xa1,0x40,0x8e,0x20,0xc8,0xfd,0xcf,0x85,
++		0x51,0xee,0xe8,0x81,0x4b,0x7b,0x37,0x33,0x0b,0x05,0x26,0xf0,0xbc,0x5e,0xe1,0x5d,
++		0x4e,0xcd,0xa7,0xa1,0xbd,0x25,0xaa,0x97,0xf2,0x45,0x84,0xd8,0x5d,0x3f,0x52,0x49,
++		0x69,0x4b,0x9f,0x43,0x53,0x9e,0x69,0xea,0x35,0xbf,0xe7,0xfd,0x44,0x07,0xbc,0x8e,
++		0x9d,0xca,0x8a,0x9f,0xae,0x4b,0xdc,0x6b,0x7b,0xb3,0x8c,0x6d,0x68,0xf8,0x99,0xe1,
++		0xd3,0x2c,0x85,0xbc,0xd6,0x17,0xa5,0x67,0x67,0x8c,0xf8,0x5d,0x22,0x17,0xa4,0xe8,
++		0x6a,0x75,0x56,0x24,0xb6,0x40,0x02,0x35,0x4c,0x02,0x68,0x42,0xbc,0x95,0x42,0x49,
++		0x1a,0xf1,0xc3,0xd6,0x29,0x09,0x70,0x55,0x9a,0xf1,0x1b,0xdc,0x2c,0x83,0xb5,0x4c,
++		0x74,0x14,0x49,0x05,0xc0,0xa3,0x58,0xf3,0x15,0x3d,0xb7,0x67,0xa5,0xda,0x2a,0x86,
++		0x27,0xf6,0x96,0x27,0xe1,0xd4,0x1e,0xde,0x9c,0x90,0x7c,0x79,0xb5,0x1f,0xf8,0x15,
++		0xe4,0x64,0x5c,0x33,0x75,0xe0,0xf6,0x3f,0x84,0xfc,0xf5,0xd7,0xc3,0x40,0x7a,0x1d,
++		0xd6,0x83,0x9e,0x19,0x06,0xa1,0xe3,0x80,0x2c,0xcf,0x5e,0x82,0x30,0xd9,0x5c,0xf4,
++		0xb8,0x27,0xb4,0x1c,0x48,0x34,0x25,0xa8,0xa6,0x0b,0xfa,0x51,0x89,0xda,0xc4,0x38,
++		0x06,0x0f,0x2f,0x5c,0xd5,0x26,0x66,0x2f,0x29,0x06,0xc1,0xdd,0x64,0xf4,0x84,0x4e,
++		0x94,0x2c,0xa8,0x4d,0xae,0xce,0x6d,0xd7,0xbb,0xf7,0x19,0x4d,0x8c,0xe5,0x6b,0xc2,
++		0x83,0x10,0x85,0xa7,0xd3,0x10,0xe4,0x94,0x4c,0xfa,0xe7,0x62,0x60,0xaa,0xbf,0x6b,
++		0x60,0x9d,0x88,0x78,0x9b,0x8a,0x1a,0xbf,0x50,0x01,0x86,0xc3,0xd9,0x7e,0xd2,0xab),
++	.out = chunk_from_chars(
++		0x98,0x7f,0xad,0xd8,0x04,0x99,0x45,0x67,0xd5,0x7f,0x98,0x9b,0x6c,0xda,0x66,0xef,
++		0xbf,0xfc,0xab,0x28,0xac,0x3e,0x3b,0xc6,0x10,0x78,0x05,0x95,0x4e,0xb1,0xea,0xd0,
++		0xce,0xa6,0xfb,0x49,0xaa,0x96,0x1c,0xbe,0x98,0xfd,0xad,0x57,0xdd,0x9c,0x45,0x56,
++		0x7c,0xe4,0x96,0x74,0x78,0x62,0xf8,0x8b,0xcd,0x9f,0xc5,0x75,0x59,0xa0,0x7e,0xa9,
++		0x27,0xa4,0x20,0x82,0xba,0x87,0xe0,0xf5,0x1b,0x3d,0x5b,0x8c,0xbd,0xea,0xdd,0xed,
++		0xa3,0xae,0x4c,0x73,0xb1,0xa5,0x1d,0xd0,0xdc,0xe3,0xcc,0x8e,0xb3,0xb1,0x41,0x9b,
++		0x93,0xf2,0x9d,0xc6,0x52,0x2b,0x2f,0x5e,0x93,0x75,0x23,0x82,0x03,0xec,0xa9,0x8e,
++		0xd8,0x6b,0xf1,0xe6,0x86,0x8a,0xb4,0x28,0xd8,0x63,0xa5,0xf3,0xb9,0x87,0xd6,0xc0,
++		0xf9,0x57,0xaf,0x08,0xa1,0x63,0x1f,0x7c,0xdc,0x00,0x8c,0xbb,0xff,0xc2,0x4b,0x02,
++		0x93,0x1a,0x02,0x01,0x94,0xe3,0x68,0xd6,0xb5,0x70,0x2e,0x7f,0x8b,0x96,0x0d,0xbc,
++		0x93,0xca,0x56,0xed,0x5a,0x68,0xda,0xe0,0x20,0x69,0x94,0xed,0xf1,0x47,0x6f,0x5f,
++		0xa3,0x4e,0xfb,0xda,0xa9,0x73,0xd2,0x7b,0xa3,0x68,0xce,0xdc,0xc6,0x66,0xd7,0x63,
++		0xbd,0x6a,0xd5,0x60,0x57,0x38,0x51,0xbf,0xfb,0x70,0x99,0xaf,0x58,0x8f,0x34,0xff,
++		0x2e,0x59,0x9b,0x0e,0x87,0xf7,0x0a,0x7f,0x4a,0xa4,0x8e,0x95,0x1d,0x0c,0x5c,0x30,
++		0xdd,0xfc,0x1f,0x98,0xc1,0x28,0x63,0x15,0x90,0xcd,0xe0,0x0a,0x7c,0x93,0x15,0x8d,
++		0xbf,0x4c,0xaa,0x53,0x7b,0x31,0x59,0x31,0xb7,0x14,0xd7,0x2f,0x4d,0x2a,0x01,0xc9),
++};
+Index: strongswan-5.9.5/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
++++ strongswan-5.9.5/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c
+@@ -25,6 +25,7 @@
+ #define TEST_VECTOR_HASHER(x) extern hasher_test_vector_t x;
+ #define TEST_VECTOR_PRF(x) extern prf_test_vector_t x;
+ #define TEST_VECTOR_XOF(x) extern xof_test_vector_t x;
++#define TEST_VECTOR_KDF(x) extern kdf_test_vector_t x;
+ #define TEST_VECTOR_DRBG(x) extern drbg_test_vector_t x;
+ #define TEST_VECTOR_RNG(x) extern rng_test_vector_t x;
+ #define TEST_VECTOR_DH(x) extern dh_test_vector_t x;
+@@ -37,6 +38,7 @@
+ #undef TEST_VECTOR_HASHER
+ #undef TEST_VECTOR_PRF
+ #undef TEST_VECTOR_XOF
++#undef TEST_VECTOR_KDF
+ #undef TEST_VECTOR_DRBG
+ #undef TEST_VECTOR_RNG
+ #undef TEST_VECTOR_DH
+@@ -47,6 +49,7 @@
+ #define TEST_VECTOR_HASHER(x)
+ #define TEST_VECTOR_PRF(x)
+ #define TEST_VECTOR_XOF(x)
++#define TEST_VECTOR_KDF(x)
+ #define TEST_VECTOR_DRBG(x)
+ #define TEST_VECTOR_RNG(x)
+ #define TEST_VECTOR_DH(x)
+@@ -100,6 +103,14 @@ static xof_test_vector_t *xof[] = {
+ #undef TEST_VECTOR_XOF
+ #define TEST_VECTOR_XOF(x)
+ 
++#undef TEST_VECTOR_KDF
++#define TEST_VECTOR_KDF(x) &x,
++static kdf_test_vector_t *kdf[] = {
++#include "test_vectors.h"
++};
++#undef TEST_VECTOR_KDF
++#define TEST_VECTOR_KDF(x)
++
+ #undef TEST_VECTOR_DRBG
+ #define TEST_VECTOR_DRBG(x) &x,
+ static drbg_test_vector_t *drbg[] = {
+@@ -208,6 +219,11 @@ plugin_t *test_vectors_plugin_create()
+ 		lib->crypto->add_test_vector(lib->crypto,
+ 									 EXTENDED_OUTPUT_FUNCTION, xof[i]);
+ 	}
++	for (i = 0; i < countof(kdf); i++)
++	{
++		lib->crypto->add_test_vector(lib->crypto,
++									 KEY_DERIVATION_FUNCTION, kdf[i]);
++	}
+ 	for (i = 0; i < countof(drbg); i++)
+ 	{
+ 		lib->crypto->add_test_vector(lib->crypto,
+Index: strongswan-5.9.5/src/libstrongswan/plugins/wolfssl/Makefile.am
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/wolfssl/Makefile.am
++++ strongswan-5.9.5/src/libstrongswan/plugins/wolfssl/Makefile.am
+@@ -24,6 +24,7 @@ libstrongswan_wolfssl_la_SOURCES = \
+ 	wolfssl_ed_public_key.h wolfssl_ed_public_key.c \
+ 	wolfssl_hasher.h wolfssl_hasher.c \
+ 	wolfssl_hmac.h wolfssl_hmac.c \
++	wolfssl_kdf.h wolfssl_kdf.c \
+ 	wolfssl_rsa_public_key.h wolfssl_rsa_public_key.c \
+ 	wolfssl_rsa_private_key.h wolfssl_rsa_private_key.c \
+ 	wolfssl_rng.h wolfssl_rng.c \
+Index: strongswan-5.9.5/src/libstrongswan/plugins/wolfssl/wolfssl_kdf.c
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/wolfssl/wolfssl_kdf.c
+@@ -0,0 +1,161 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include "wolfssl_common.h"
++
++#if !defined(NO_HMAC) && defined(HAVE_HKDF)
++
++#include <wolfssl/wolfcrypt/hmac.h>
++
++#define _GNU_SOURCE
++#include "wolfssl_kdf.h"
++#include "wolfssl_util.h"
++
++typedef struct private_kdf_t private_kdf_t;
++
++/**
++ * Private data.
++ */
++struct private_kdf_t {
++
++	/**
++	 * Public interface.
++	 */
++	kdf_t public;
++
++	/**
++	 * Hash algorithm type.
++	 */
++	int type;
++
++	/**
++	 * Key for KDF.
++	 */
++	chunk_t key;
++
++	/**
++	 * Salt for KDF.
++	 */
++	chunk_t salt;
++};
++
++METHOD(kdf_t, get_type, key_derivation_function_t,
++	private_kdf_t *this)
++{
++	return KDF_PRF_PLUS;
++}
++
++METHOD(kdf_t, get_bytes, bool,
++	private_kdf_t *this, size_t out_len, uint8_t *buffer)
++{
++	if (wc_HKDF_Expand(this->type, this->key.ptr, this->key.len,
++					   this->salt.ptr, this->salt.len, buffer, out_len))
++	{
++		return FALSE;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, allocate_bytes, bool,
++	private_kdf_t *this, size_t out_len, chunk_t *chunk)
++{
++	*chunk = chunk_alloc(out_len);
++
++	if (!get_bytes(this, out_len, chunk->ptr))
++	{
++		chunk_free(chunk);
++		return FALSE;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, set_param, bool,
++	private_kdf_t *this, kdf_param_t param, ...)
++{
++	chunk_t chunk;
++
++	switch (param)
++	{
++		case KDF_PARAM_KEY:
++			VA_ARGS_GET(param, chunk);
++			chunk_clear(&this->key);
++			this->key = chunk_clone(chunk);
++			break;
++		case KDF_PARAM_SALT:
++			VA_ARGS_GET(param, chunk);
++			chunk_clear(&this->salt);
++			this->salt = chunk_clone(chunk);
++			break;
++	}
++	return TRUE;
++}
++
++METHOD(kdf_t, destroy, void,
++	private_kdf_t *this)
++{
++	chunk_clear(&this->salt);
++	chunk_clear(&this->key);
++	free(this);
++}
++
++/*
++ * Described in header
++ */
++kdf_t *wolfssl_kdf_create(key_derivation_function_t algo, va_list args)
++{
++	private_kdf_t *this;
++	pseudo_random_function_t prf_alg;
++	enum wc_HashType type;
++	char buf[8];
++
++	if (algo != KDF_PRF_PLUS)
++	{
++		return NULL;
++	}
++
++	VA_ARGS_VGET(args, prf_alg);
++	if (!wolfssl_hash2type(hasher_algorithm_from_prf(prf_alg), &type))
++	{
++		return NULL;
++	}
++
++	INIT(this,
++		.public = {
++			.get_type = _get_type,
++			.get_bytes = _get_bytes,
++			.allocate_bytes = _allocate_bytes,
++			.set_param = _set_param,
++			.destroy = _destroy,
++		},
++		.type = type,
++	);
++
++	/* test if we can actually use the algorithm */
++	if (!get_bytes(this, sizeof(buf), buf))
++	{
++		destroy(this);
++		return NULL;
++	}
++	return &this->public;
++}
++
++#endif /* !NO_HMAC && HAVE_HKDF */
+Index: strongswan-5.9.5/src/libstrongswan/plugins/wolfssl/wolfssl_kdf.h
+===================================================================
+--- /dev/null
++++ strongswan-5.9.5/src/libstrongswan/plugins/wolfssl/wolfssl_kdf.h
+@@ -0,0 +1,45 @@
++/*
++ * Copyright (C) 2022 Tobias Brunner, codelabs GmbH
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++/**
++ * Implements key derivation functions (KDF) using wolfSSL, in particular prf+,
++ * which is implemented via wolfSSL's HKDF implementation.
++ *
++ * @defgroup wolfssl_kdf wolfssl_kdf
++ * @{ @ingroup wolfssl_p
++ */
++
++#ifndef WOLFSSL_KDF_H_
++#define WOLFSSL_KDF_H_
++
++#include <crypto/kdfs/kdf.h>
++
++/**
++ * Creates a new kdf_t object.
++ *
++ * @param algo		algorithm to instantiate
++ * @param args		algorithm-specific arguments
++ * @return			kdf_t object, NULL if not supported
++ */
++kdf_t *wolfssl_kdf_create(key_derivation_function_t algo, va_list args);
++
++#endif /** WOLFSSL_KDF_H_ @}*/
+Index: strongswan-5.9.5/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
++++ strongswan-5.9.5/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
+@@ -36,6 +36,7 @@
+ #include "wolfssl_ed_public_key.h"
+ #include "wolfssl_hasher.h"
+ #include "wolfssl_hmac.h"
++#include "wolfssl_kdf.h"
+ #include "wolfssl_rsa_private_key.h"
+ #include "wolfssl_rsa_public_key.h"
+ #include "wolfssl_rng.h"
+@@ -185,6 +186,10 @@ METHOD(plugin_t, get_features, int,
+ 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
+ 			PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
+ #endif
++#ifdef HAVE_HKDF
++		PLUGIN_REGISTER(KDF, wolfssl_kdf_create),
++			PLUGIN_PROVIDE(KDF, KDF_PRF_PLUS),
++#endif
+ #endif /* NO_HMAC */
+ #if (!defined(NO_AES) && (defined(HAVE_AESGCM) || defined(HAVE_AESCCM))) || \
+ 								(defined(HAVE_CHACHA) && defined(HAVE_POLY1305))
+Index: strongswan-5.9.5/src/libstrongswan/tests/suites/test_prf_plus.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/tests/suites/test_prf_plus.c
++++ strongswan-5.9.5/src/libstrongswan/tests/suites/test_prf_plus.c
+@@ -15,129 +15,138 @@
+ 
+ #include "test_suite.h"
+ 
+-#include <crypto/prf_plus.h>
++#include <library.h>
+ 
+ static struct {
+ 	chunk_t key;
+ 	chunk_t seed;
+-	chunk_t iterations[10];
+-} counter_data[] = {
++	chunk_t expected;
++} test_data[] = {
+ 	{ .key = chunk_from_chars(0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,
+ 							  0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,
+ 							  0x0b,0x0b,0x0b,0x0b),
+ 	  .seed = chunk_from_chars(0x48,0x69,0x20,0x54,0x68,0x65,0x72,0x65),
+-	  .iterations = {
+-		chunk_from_chars(0xb9,0xbd,0xc0),
+-		chunk_from_chars(0x89,0x88,0xb4,0xc2,0xb7,0x5a),
+-		chunk_from_chars(0xa9,0x3e,0x59,0x6a,0xc8,0x42,0x05),
+-		chunk_from_chars(0xfa,0x2d,0xdd,0xe1,0xbf,0x7a,0x25,0x72,
+-						 0x06,0x7b,0x00,0xe1,0x4b,0x23,0x77,0x32),
+-		chunk_from_chars(0x83,0x05,0x09,0x98,0x1a,0xd2,0xf9,0x4a),
+-		chunk_from_chars(0x8c,0x32,0xa4,0x7d,0xaa,0x22,0x55,0xb6),
+-		chunk_from_chars(0x60,0xc4,0x36,0x34,0x7a,0xe7,0x56,0xa6,
+-						 0xed,0xc0,0x23,0x47,0x7d,0x80),
+-		chunk_from_chars(0x95,0x90,0xe6,0x82,0xf6,0x1d,0x9c,0x04,
+-						 0xb0,0x6b,0x4a,0xd9,0x71,0xa3,0x4c,0x81,
+-						 0x47,0xfa,0x66,0x79),
+-		chunk_from_chars(0x2f,0xf1,0x43,0x4b,0x93,0xc7,0x22,0xb3,
+-						 0x2e,0x12,0xf4,0x88,0x32,0xeb,0xc1,0x5c,
+-						 0xe2,0x36,0x9c,0xe7,0x1f,0xe9,0xb7,0xb8,
+-						 0x1e,0x57,0x04,0xc1,0x4d,0x0f,0x52,0x80,
+-						 0xa6,0xec,0x62,0x6e,0x99,0x2d,0x7a,0x9f),
+-	  },
++	  .expected = chunk_from_chars(0xb9,0xbd,0xc0,0x89,0x88,0xb4,0xc2,0xb7,
++								   0x5a,0xa9,0x3e,0x59,0x6a,0xc8,0x42,0x05,
++								   0xfa,0x2d,0xdd,0xe1,0xbf,0x7a,0x25,0x72,
++								   0x06,0x7b,0x00,0xe1,0x4b,0x23,0x77,0x32,
++								   0x83,0x05,0x09,0x98,0x1a,0xd2,0xf9,0x4a,
++								   0x8c,0x32,0xa4,0x7d,0xaa,0x22,0x55,0xb6,
++								   0x60,0xc4,0x36,0x34,0x7a,0xe7,0x56,0xa6,
++								   0xed,0xc0,0x23,0x47,0x7d,0x80,0x95,0x90,
++								   0xe6,0x82,0xf6,0x1d,0x9c,0x04,0xb0,0x6b,
++								   0x4a,0xd9,0x71,0xa3,0x4c,0x81,0x47,0xfa,
++								   0x66,0x79,0x2f,0xf1,0x43,0x4b,0x93,0xc7,
++								   0x22,0xb3,0x2e,0x12,0xf4,0x88,0x32,0xeb,
++								   0xc1,0x5c,0xe2,0x36,0x9c,0xe7,0x1f,0xe9,
++								   0xb7,0xb8,0x1e,0x57,0x04,0xc1,0x4d,0x0f,
++								   0x52,0x80,0xa6,0xec,0x62,0x6e,0x99,0x2d,
++								   0x7a,0x9f),
++	},
++	/* change the key, keep the seed */
++	{ .key = chunk_from_chars(0x0a,0x0a,0x0a,0x0a,0x0a,0x0a,0x0a,0x0a,
++							  0x0a,0x0a,0x0a,0x0a,0x0a,0x0a,0x0a,0x0a,
++							  0x0a,0x0a,0x0a,0x0a),
++	  .expected = chunk_from_chars(0x1a,0x2f,0xc7,0x4a,0x06,0x8c,0xae,0x76,
++								   0xfa,0xb3,0xd6,0x34,0xae,0xe9,0x81,0x55,
++								   0x11,0x6a,0x4b,0x21,0xe1,0x0d,0x1b,0x16,
++								   0x45,0x7a,0x06,0xd9,0x42,0x27,0x93,0x98,
++								   0xf7,0x4d,0xf1,0x59,0xc1,0x25,0x21,0xae,
++								   0xe6,0xf4,0x80,0x01,0xe5,0x86,0x8e,0xa7,
++								   0x4b,0x1e,0x13,0xd1,0xcf,0xdc,0xb7,0x7b,
++								   0xf8,0xcf,0x75,0x2c,0x67,0x13,0x18,0x7a,
++								   0x38,0x55,0xba,0x4b,0xf2,0x57,0x55,0xcd,
++								   0x96,0x20,0xcb,0xe3,0xc4,0x8a,0x7f,0xa3,
++								   0x86,0xa5,0xc6,0x26,0x8e,0x57,0xd8,0xe0,
++								   0xb6,0xf9,0x8a,0x41,0x16,0x82,0x64,0x8a),
++	},
++	/* change the seed, keep the key */
++	{ .seed = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,
++							   0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10),
++	  .expected = chunk_from_chars(0x8b,0x90,0x9c,0xbc,0xbb,0xf1,0x72,0x63,
++								   0x6b,0x4e,0x63,0xcd,0x7e,0xc5,0xe3,0x45,
++								   0x57,0x3e,0xbf,0x72,0x8f,0x62,0xa4,0x9b,
++								   0x83,0x7b,0xd9,0x53,0xc0,0x0c,0xad,0x3d,
++								   0x19,0x16,0x28,0x81,0x85,0xf9,0x27,0xb6,
++								   0xc4,0x0c,0x48,0x31,0x45,0x12,0x3b,0x5a,
++								   0xb8,0x47,0xd0,0x19,0x6e,0x6b,0x1c,0x5a,
++								   0x2a,0xc1,0xe5,0x1e,0xc5,0x43,0xcc,0xd4,
++								   0x28,0xba,0x30,0x4b,0x5e,0xad,0x97,0xa7,
++								   0xc0,0x9d,0x13,0xdd,0xfb,0x4a,0x42,0x43,
++								   0x87,0xd6,0x22,0xf6,0x03,0x19,0x21,0x31,
++								   0x6a,0xa6,0x38,0x44,0xa5,0x61,0xf6,0x23,
++								   0x0c,0x50,0x14,0xcc,0xce,0x09,0x5f,0xb3,
++								   0xcc,0xe4,0xcb,0x8f,0x43,0xdc,0x2b,0x65,
++								   0xfd,0x42,0xcc,0xeb,0x49,0x0e,0xcb,0xeb,
++								   0x47,0x30,0xb5,0x18,0x6d,0x34,0x7a,0xea,
++								   0xad,0xfd,0x66,0xa7,0x7e,0xd3,0x3f,0x42,
++								   0xdf,0x75,0x54,0xef,0x5f,0x4f,0x7e,0x26,
++								   0xf9,0x38,0x73,0x26,0x92,0x7a,0xc7,0x80),
+ 	},
+ };
+ 
+-START_TEST(test_vectors_counter)
++START_TEST(test_params)
+ {
+-	prf_plus_t *prf_plus;
+-	prf_t *prf;
+-	chunk_t *iter = counter_data[_i].iterations, out;
+-
+-	prf = lib->crypto->create_prf(lib->crypto, PRF_HMAC_SHA2_256);
+-	ck_assert(prf->set_key(prf, counter_data[_i].key));
+-	prf_plus = prf_plus_create(prf, TRUE, counter_data[_i].seed);
+-	while (iter->ptr)
++	kdf_t *kdf;
++	chunk_t out;
++	int i;
++
++	kdf = lib->crypto->create_kdf(lib->crypto, KDF_PRF_PLUS, PRF_HMAC_SHA2_256);
++	if (!kdf)
+ 	{
+-		ck_assert(prf_plus->allocate_bytes(prf_plus, iter->len, &out));
+-		ck_assert_chunk_eq(*iter, out);
++		warn("%N (%N) not supported", key_derivation_function_names,
++			 KDF_PRF_PLUS, pseudo_random_function_names, PRF_HMAC_SHA2_256);
++		return;
++	}
++	for (i = 0; i < countof(test_data); i++)
++	{
++		if (test_data[i].key.len)
++		{
++			ck_assert(kdf->set_param(kdf, KDF_PARAM_KEY, test_data[i].key));
++		}
++		if (test_data[i].seed.len)
++		{
++			ck_assert(kdf->set_param(kdf, KDF_PARAM_SALT, test_data[i].seed));
++		}
++		ck_assert(kdf->allocate_bytes(kdf, test_data[i].expected.len, &out));
++		ck_assert_chunk_eq(test_data[i].expected, out);
++		chunk_free(&out);
++		/* same output the second time */
++		ck_assert(kdf->allocate_bytes(kdf, test_data[i].expected.len, &out));
++		ck_assert_chunk_eq(test_data[i].expected, out);
+ 		chunk_free(&out);
+-		iter++;
+ 	}
+-	prf_plus->destroy(prf_plus);
+-	prf->destroy(prf);
++	kdf->destroy(kdf);
+ }
+ END_TEST
+ 
+ START_TEST(test_wrap)
+ {
+-	prf_plus_t *prf_plus;
+-	prf_t *prf;
+-	u_char buf[32];
+-	int i;
++	kdf_t *kdf;
++	chunk_t out;
+ 
+-	prf = lib->crypto->create_prf(lib->crypto, PRF_HMAC_SHA2_256);
+-	ck_assert(prf->set_key(prf, counter_data[0].key));
+-	prf_plus = prf_plus_create(prf, TRUE, counter_data[0].seed);
+-	for (i = 1; i < 256; i++)
++	kdf = lib->crypto->create_kdf(lib->crypto, KDF_PRF_PLUS, PRF_HMAC_SHA2_256);
++	if (!kdf)
+ 	{
+-		ck_assert(prf_plus->get_bytes(prf_plus, sizeof(buf), buf));
++		warn("%N (%N) not supported", key_derivation_function_names,
++			 KDF_PRF_PLUS, pseudo_random_function_names, PRF_HMAC_SHA2_256);
++		return;
+ 	}
+-	ck_assert(!prf_plus->get_bytes(prf_plus, sizeof(buf), buf));
+-	prf_plus->destroy(prf_plus);
+-	prf->destroy(prf);
+-}
+-END_TEST
++	ck_assert(kdf->set_param(kdf, KDF_PARAM_KEY, test_data[0].key));
++	ck_assert(kdf->set_param(kdf, KDF_PARAM_SALT, test_data[0].seed));
+ 
+-static struct {
+-	chunk_t key;
+-	chunk_t seed;
+-	chunk_t iterations[10];
+-} classic_data[] = {
+-	{ .key = chunk_from_chars(0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,
+-							  0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,0x0b,
+-							  0x0b,0x0b,0x0b,0x0b),
+-	  .seed = chunk_from_chars(0x48,0x69,0x20,0x54,0x68,0x65,0x72,0x65),
+-	  .iterations = {
+-		chunk_from_chars(0xb0,0x34,0x4c),
+-		chunk_from_chars(0x61,0xd8,0xdb,0x38,0x53,0x5c),
+-		chunk_from_chars(0xa8,0xaf,0xce,0xaf,0x0b,0xf1,0x2b),
+-		chunk_from_chars(0x88,0x1d,0xc2,0x00,0xc9,0x83,0x3d,0xa7,
+-						 0x26,0xe9,0x37,0x6c,0x2e,0x32,0xcf,0xf7),
+-		chunk_from_chars(0xd0,0x9a,0xe2,0x4b,0x3a,0x83,0xff,0xd4),
+-		chunk_from_chars(0xb1,0xef,0xa5,0x94,0x5c,0xc5,0xed,0x85),
+-		chunk_from_chars(0xb0,0xb2,0xcc,0x56,0xfc,0xf7,0x5d,0x23,
+-						 0xa0,0xa3,0x4c,0xa4,0xdb,0xff,),
+-		chunk_from_chars(0xea,0xfd,0xaa,0x6a,0x3b,0xf4,0x11,0x34,
+-						 0x24,0xe4,0x50,0x2d,0xf9,0x7a,0x76,0x93,
+-						 0x24,0xf6,0x11,0x24),
+-		chunk_from_chars(0x24,0x3b,0x99,0x6e,0x7d,0x0f,0x35,0x99,
+-						 0x88,0x79,0x73,0x6b,0xdb,0x70,0x65,0x9a,
+-						 0x6e,0xfa,0xd2,0x39,0x94,0x10,0xe6,0xce,
+-						 0x80,0x45,0x6e,0xb6,0x07,0x07,0x8f,0xe1,
+-						 0xc4,0x7c,0x6b,0x5e,0x81,0x65,0x47,0x8a),
+-	  },
+-	},
+-};
+-
+-START_TEST(test_vectors_classic)
+-{
+-	prf_plus_t *prf_plus;
+-	prf_t *prf;
+-	chunk_t *iter = classic_data[_i].iterations, out;
+-
+-	prf = lib->crypto->create_prf(lib->crypto, PRF_HMAC_SHA2_256);
+-	ck_assert(prf->set_key(prf, classic_data[_i].key));
+-	prf_plus = prf_plus_create(prf, FALSE, classic_data[_i].seed);
+-	while (iter->ptr)
+-	{
+-		ck_assert(prf_plus->allocate_bytes(prf_plus, iter->len, &out));
+-		ck_assert_chunk_eq(*iter, out);
+-		chunk_free(&out);
+-		iter++;
++	/* the 1-byte counter overflows after 255 blocks of the underlying PRF */
++	out = chunk_alloc(32 * 255 + 1);
++	ck_assert(kdf->get_bytes(kdf, out.len - 2, out.ptr));
++	if (!kdf->get_bytes(kdf, out.len - 1, out.ptr))
++	{	/* Botan 3.x has a check for (len/bs) >= 255 blocks, so we allow this */
++		warn("unable to generate maximum-sized key for %N (%N) but maximum-1 "
++			 "is fine", key_derivation_function_names, KDF_PRF_PLUS,
++			 pseudo_random_function_names, PRF_HMAC_SHA2_256);
+ 	}
+-	prf_plus->destroy(prf_plus);
+-	prf->destroy(prf);
++	ck_assert(!kdf->get_bytes(kdf, out.len, out.ptr));
++	chunk_free(&out);
++	kdf->destroy(kdf);
+ }
+ END_TEST
+ 
+@@ -148,13 +157,12 @@ Suite *prf_plus_suite_create()
+ 
+ 	s = suite_create("prf_plus");
+ 
+-	tc = tcase_create("counter");
+-	tcase_add_loop_test(tc, test_vectors_counter, 0, countof(counter_data));
+-	tcase_add_test(tc, test_wrap);
++	tc = tcase_create("params");
++	tcase_add_test(tc, test_params);
+ 	suite_add_tcase(s, tc);
+ 
+-	tc = tcase_create("no counter");
+-	tcase_add_loop_test(tc, test_vectors_classic, 0, countof(classic_data));
++	tc = tcase_create("wrap");
++	tcase_add_test(tc, test_wrap);
+ 	suite_add_tcase(s, tc);
+ 
+ 	return s;
+Index: strongswan-5.9.5/src/libstrongswan/tests/suites/test_vectors.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/tests/suites/test_vectors.c
++++ strongswan-5.9.5/src/libstrongswan/tests/suites/test_vectors.c
+@@ -29,6 +29,7 @@ static transform_type_t tfs[] = {
+ 	HASH_ALGORITHM,
+ 	PSEUDO_RANDOM_FUNCTION,
+ 	EXTENDED_OUTPUT_FUNCTION,
++	KEY_DERIVATION_FUNCTION,
+ 	DETERMINISTIC_RANDOM_BIT_GENERATOR,
+ 	RANDOM_NUMBER_GENERATOR,
+ 	DIFFIE_HELLMAN_GROUP,
+Index: strongswan-5.9.5/src/libstrongswan/tests/tests.h
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/tests/tests.h
++++ strongswan-5.9.5/src/libstrongswan/tests/tests.h
+@@ -55,7 +55,7 @@ TEST_SUITE(asn1_parser_suite_create)
+ TEST_SUITE(rng_tester_suite_create)
+ TEST_SUITE_DEPEND(mgf1_sha1_suite_create, XOF, XOF_MGF1_SHA1)
+ TEST_SUITE_DEPEND(mgf1_sha256_suite_create, XOF, XOF_MGF1_SHA256)
+-TEST_SUITE_DEPEND(prf_plus_suite_create, PRF, PRF_HMAC_SHA2_256)
++TEST_SUITE_DEPEND(prf_plus_suite_create, KDF, KDF_PRF_PLUS)
+ TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
+ TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
+ TEST_SUITE_DEPEND(ed25519_suite_create, PRIVKEY_GEN, KEY_ED25519)
+Index: strongswan-5.9.5/src/libstrongswan/utils/leak_detective.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libstrongswan/utils/leak_detective.c
++++ strongswan-5.9.5/src/libstrongswan/utils/leak_detective.c
+@@ -636,6 +636,7 @@ static char *whitelist[] = {
+ 	"botan_privkey_create",
+ 	"botan_privkey_load_ecdh",
+ 	"botan_privkey_load",
++	"botan_kdf",
+ };
+ 
+ /**
+Index: strongswan-5.9.5/src/libtls/tls_hkdf.c
+===================================================================
+--- strongswan-5.9.5.orig/src/libtls/tls_hkdf.c
++++ strongswan-5.9.5/src/libtls/tls_hkdf.c
+@@ -18,7 +18,6 @@
+ #include "tls_hkdf.h"
+ 
+ #include <bio/bio_writer.h>
+-#include <crypto/prf_plus.h>
+ 
+ typedef struct private_tls_hkdf_t private_tls_hkdf_t;
+ 
+@@ -52,6 +51,11 @@ struct private_tls_hkdf_t {
+ 	prf_t *prf;
+ 
+ 	/**
++	 * prf+ implementation.
++	 */
++	kdf_t *prf_plus;
++
++	/**
+ 	 * Hasher used.
+ 	 */
+ 	hasher_t *hasher;
+@@ -115,7 +119,6 @@ static bool extract(private_tls_hkdf_t *
+ 	}
+ 
+ 	DBG4(DBG_TLS, "PRK: %B", prk);
+-
+ 	return TRUE;
+ }
+ 
+@@ -126,24 +129,15 @@ static bool extract(private_tls_hkdf_t *
+ static bool expand(private_tls_hkdf_t *this, chunk_t prk, chunk_t info,
+ 				   size_t length, chunk_t *okm)
+ {
+-	prf_plus_t *prf_plus;
+-
+-	if (!this->prf->set_key(this->prf, prk))
+-	{
+-		DBG1(DBG_TLS, "unable to set PRF secret to PRK");
+-		return FALSE;
+-	}
+-	prf_plus = prf_plus_create(this->prf, TRUE, info);
+-	if (!prf_plus || !prf_plus->allocate_bytes(prf_plus, length, okm))
++	if (!this->prf_plus->set_param(this->prf_plus, KDF_PARAM_KEY, prk) ||
++		!this->prf_plus->set_param(this->prf_plus, KDF_PARAM_SALT, info) ||
++		!this->prf_plus->allocate_bytes(this->prf_plus, length, okm))
+ 	{
+ 		DBG1(DBG_TLS, "unable to allocate PRF+ result");
+-		DESTROY_IF(prf_plus);
+ 		return FALSE;
+ 	}
+-	prf_plus->destroy(prf_plus);
+ 
+ 	DBG4(DBG_TLS, "OKM: %B", okm);
+-
+ 	return TRUE;
+ }
+ 
+@@ -681,6 +675,7 @@ METHOD(tls_hkdf_t, destroy, void,
+ 	destroy_secrets(&this->handshake_traffic_secrets);
+ 	destroy_secrets(&this->traffic_secrets);
+ 	DESTROY_IF(this->prf);
++	DESTROY_IF(this->prf_plus);
+ 	DESTROY_IF(this->hasher);
+ 	free(this);
+ }
+@@ -720,16 +715,23 @@ tls_hkdf_t *tls_hkdf_create(hash_algorit
+ 		.phase = HKDF_PHASE_0,
+ 		.psk = psk.ptr ? chunk_clone(psk) : chunk_empty,
+ 		.prf = lib->crypto->create_prf(lib->crypto, prf_algorithm),
++		.prf_plus = lib->crypto->create_kdf(lib->crypto, KDF_PRF_PLUS,
++											prf_algorithm),
+ 		.hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm),
+ 	);
+ 
+-	if (!this->prf || !this->hasher)
++	if (!this->prf || !this->prf_plus || !this->hasher)
+ 	{
+ 		if (!this->prf)
+ 		{
+ 			DBG1(DBG_TLS, "%N not supported", pseudo_random_function_names,
+ 				 prf_algorithm);
+ 		}
++		if (!this->prf_plus)
++		{
++			DBG1(DBG_TLS, "%N (%N) not supported", key_derivation_function_names,
++				 KDF_PRF_PLUS, pseudo_random_function_names, prf_algorithm);
++		}
+ 		if (!this->hasher)
+ 		{
+ 			DBG1(DBG_TLS, "%N not supported", hash_algorithm_names,
+Index: strongswan-5.9.5/testing/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
++  load = sha1 sha2 md5 aes des hmac kdf pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
+ }
+Index: strongswan-5.9.5/testing/hosts/bob/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/hosts/bob/etc/strongswan.conf
++++ strongswan-5.9.5/testing/hosts/bob/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
++  load = sha1 sha2 md5 aes des hmac kdf pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
+ }
+Index: strongswan-5.9.5/testing/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
++  load = sha1 sha2 md5 aes des hmac kdf pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
+ }
+Index: strongswan-5.9.5/testing/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
++  load = sha1 sha2 md5 aes des hmac kdf pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
+ }
+Index: strongswan-5.9.5/testing/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
++  load = sha1 sha2 md5 aes des hmac kdf pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
+ }
+Index: strongswan-5.9.5/testing/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
++  load = sha1 sha2 md5 aes des hmac kdf pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
+ }
+Index: strongswan-5.9.5/testing/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/hosts/venus/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
++  load = sha1 sha2 md5 aes des hmac kdf pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
+ }
+Index: strongswan-5.9.5/testing/scripts/recipes/012_wolfssl.mk
+===================================================================
+--- strongswan-5.9.5.orig/testing/scripts/recipes/012_wolfssl.mk
++++ strongswan-5.9.5/testing/scripts/recipes/012_wolfssl.mk
+@@ -2,7 +2,7 @@
+ 
+ PKG = wolfssl
+ SRC = https://github.com/wolfSSL/$(PKG).git
+-REV = v5.1.1-stable
++REV = v5.2.0-stable
+ 
+ NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN)
+ 
+Index: strongswan-5.9.5/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici
++  load = random nonce kdf pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici
++  load = random nonce kdf pem pkcs1 af-alg gmp x509 revocation kernel-netlink curl socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
++  load = random nonce kdf test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
+   integrity_test = yes
+   crypto_test {
+     on_add = yes
+Index: strongswan-5.9.5/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown vici
++  load = random nonce kdf test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac kdf xcbc ctr ccm gcm kernel-netlink socket-default updown vici
+   integrity_test = yes
+   crypto_test {
+     on_add = yes
+Index: strongswan-5.9.5/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
++  load = random nonce kdf test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown vici
+   integrity_test = yes
+   crypto_test {
+     on_add = yes
+Index: strongswan-5.9.5/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation constraints curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 pkcs8 x509 revocation constraints curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/botan/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/botan/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/botan/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes curve25519 hmac mgf1 pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes curve25519 hmac kdf mgf1 pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+ 
+   rsa_pss = yes
+ }
+Index: strongswan-5.9.5/testing/tests/botan/rw-modp3072/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/botan/rw-modp3072/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/botan/rw-modp3072/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac mgf1 pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf mgf1 pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+ 
+   rsa_pss = yes
+ }
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default
++  load = nonce pem pkcs1 gcrypt hmac kdf x509 revocation curl vici kernel-netlink socket-default
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default
++  load = nonce pem pkcs1 gcrypt hmac kdf x509 revocation vici kernel-netlink socket-default
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = nonce pem pkcs1 gcrypt hmac x509 revocation curl vici kernel-netlink socket-default
++  load = nonce pem pkcs1 gcrypt hmac kdf x509 revocation curl vici kernel-netlink socket-default
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = nonce pem pkcs1 gcrypt hmac x509 revocation vici kernel-netlink socket-default
++  load = nonce pem pkcs1 gcrypt hmac kdf x509 revocation vici kernel-netlink socket-default
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce pem pkcs1 gcrypt hmac x509 revocation kernel-netlink curl socket-default updown vici
++  load = random nonce pem pkcs1 gcrypt hmac kdf x509 revocation kernel-netlink curl socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce pem pkcs1 gcrypt hmac x509 revocation kernel-netlink curl socket-default updown vici
++  load = random nonce pem pkcs1 gcrypt hmac kdf x509 revocation kernel-netlink curl socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+   integrity_test = yes
+   crypto_test {
+     on_add = yes
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm vici stroke kernel-netlink socket-default updown
++  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc ctr ccm vici stroke kernel-netlink socket-default updown
+   integrity_test = yes
+   crypto_test {
+     required = yes
+Index: strongswan-5.9.5/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+   integrity_test = yes
+   crypto_test {
+     on_add = yes
+Index: strongswan-5.9.5/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default ha
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default ha
+ 
+   plugins {
+     ha {
+Index: strongswan-5.9.5/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default ha
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default ha
+ 
+   plugins {
+     ha {
+Index: strongswan-5.9.5/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default ha
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default ha
+ 
+   plugins {
+     ha {
+Index: strongswan-5.9.5/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default ha
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default ha
+ 
+   plugins {
+     ha {
+Index: strongswan-5.9.5/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp hmac x509 curl revocation stroke kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp hmac kdf x509 curl revocation stroke kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac x509 curl revocation stroke kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac kdf x509 curl revocation stroke kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac x509 curl revocation stroke kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac kdf x509 curl revocation stroke kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-blowfish/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-blowfish/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-blowfish/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha256/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha256/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha384/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha384/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha512/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/alg-sha512/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-null/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-algs/esp-alg-null/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload-push/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/config-payload-push/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload-push/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload-push/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/config-payload-push/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload-push/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload-push/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/config-payload-push/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload-push/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown attr
+ 
+   dns1 = PH_IP_WINNETOU
+   dns2 = PH_IP_VENUS
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/config-payload/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/config-payload/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/config-payload/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/config-payload/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown attr
+ 
+   dns1 = PH_IP_WINNETOU
+   dns2 = PH_IP_VENUS
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default sqlite attr-sql updown
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/ip-pool/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/ip-pool/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/ip-pool/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/ip-pool/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/nat-rw/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/nat-rw/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/nat-rw/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/nat-rw/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/nat-rw/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/nat-rw/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/nat-rw/hosts/venus/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
++  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
++  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
++  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+ 
+   integrity_test = yes
+ 
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic attr kernel-netlink socket-default stroke updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 xauth-generic attr kernel-netlink socket-default stroke updown
+ 
+   dns1 = 192.168.0.150
+   dns2 = 10.1.0.20
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 md5 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 md5 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-psk/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-psk/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-psk/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-rsa/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 md5 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-rsa/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1-stroke/xauth-rsa/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default unity
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default unity
+ 
+   cisco_unity = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default attr unity
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default attr unity
+ 
+   cisco_unity = yes
+   plugins {
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+ 
+   integrity_test = yes
+ 
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   initiator_only = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-multi-ciphers/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-multi-ciphers/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-multi-ciphers/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-multi-ciphers/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-multi-ciphers/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-multi-ciphers/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce des sha1 sha2 hmac pkcs1 pem x509 revocation gmp curl kernel-netlink socket-default updown vici
++  load = random nonce des sha1 sha2 hmac kdf pkcs1 pem x509 revocation gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-multi-ciphers/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-multi-ciphers/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-multi-ciphers/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes des sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes des sha1 sha2 hmac kdf pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ 
+   i_dont_care_about_security_and_use_aggressive_mode_psk = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-ip-ranges/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-ip-ranges/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-ip-ranges/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-ip-ranges/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-ip-ranges/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-ip-ranges/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac gmp kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf gmp kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-ip-ranges/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-ip-ranges/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-ip-ranges/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 gmp kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 gmp kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 md5 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl eap-md5 eap-radius xauth-eap kernel-netlink socket-default updown vici
++  load = random nonce aes md5 sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl eap-md5 eap-radius xauth-eap kernel-netlink socket-default updown vici
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl eap-radius kernel-netlink socket-default updown vici
++  load = random nonce aes md5 sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl eap-radius kernel-netlink socket-default updown vici
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-3des-md5/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-3des-md5/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-ccm/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ccm gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ccm gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-ccm/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ccm gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ccm gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-ctr/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ctr gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ctr gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-ctr/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ctr gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc ctr gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gcm gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gcm gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gcm gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gcm gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 xcbc gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-blowfish/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-blowfish/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-blowfish/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce sha1 sha2 pem pkcs1 curve25519 chapoly gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce sha1 sha2 pem pkcs1 curve25519 chapoly gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce sha1 sha2 pem pkcs1 curve25519 chapoly gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce sha1 sha2 pem pkcs1 curve25519 chapoly gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha256/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha256/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha384/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha384/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha512/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/alg-sha512/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gcm gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gcm gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gcm gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gcm gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce des md5 sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-null/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-null/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ 
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-algs/esp-alg-sha256-96/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ 
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload-swapped/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload-swapped/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload-swapped/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/config-payload/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown attr
+ 
+   dns1 = PH_IP_WINNETOU
+   dns2 = PH_IP_VENUS
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-cert/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-cert/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-swapped/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-swapped/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-transport/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/host2host-transport/hosts/sun/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-db/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-db/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-db/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default sqlite attr-sql updown
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-wish/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool-wish/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-wish/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-wish/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool-wish/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-wish/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-wish/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool-wish/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool-wish/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-pool/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke sqlite attr-sql kernel-netlink socket-default updown
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/ip-two-pools/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw-psk/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw-psk/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw-psk/hosts/venus/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/nat-rw/hosts/venus/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-cert/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+   signature_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-cert/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+   signature_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
++  load = random nonce aes md5 sha1 sha2 hmac kdf pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
++  load = random nonce aes md5 sha1 sha2 hmac kdf pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-psk/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-psk/hosts/sun/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-route/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-route/hosts/sun/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-rsa/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 gmp dnskey pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-rsa/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 gmp dnskey pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-start/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/net2net-start/hosts/sun/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/protoport-dual/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/protoport-dual/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random drbg nonce aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
++  load = random drbg nonce aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac kdf xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random drbg nonce aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
++  load = random drbg nonce aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac kdf xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
++  load = random drbg nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac kdf xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+ 
+   integrity_test = yes
+   crypto_test {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+ 
+   integrity_test = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+ 
+   integrity_test = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-md5 eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-md5 eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-md5 eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-radius eap-identity updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
++  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
++  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+   multiple_authentication=no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+   multiple_authentication=no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+   multiple_authentication=no
+ 
+   plugins {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
++  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+   multiple_authentication=no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
++  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+   multiple_authentication=no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
++  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+   multiple_authentication=no
+   plugins {
+     eap-peap {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+   multiple_authentication=no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+   multiple_authentication=no
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-radius updown
+   multiple_authentication=no
+ 
+   plugins {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-radius eap-identity updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 curve25519 hmac stroke kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 curve25519 hmac kdf stroke kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ 
+   integrity_test = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ 
+   integrity_test = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf gcm stroke kernel-netlink socket-default eap-tls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf gcm stroke kernel-netlink socket-default eap-tls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-tls updown
+   multiple_authentication=no
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-radius updown
+   multiple_authentication=no
+ 
+   plugins {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+   multiple_authentication=no
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+   multiple_authentication=no
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+   multiple_authentication=no
+ 
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+   multiple_authentication=no
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+   multiple_authentication=no
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default eap-radius updown
+   multiple_authentication=no
+ 
+   plugins {
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip-override/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/virtual-ip-override/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip-override/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip-override/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/virtual-ip-override/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip-override/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip-override/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/virtual-ip-override/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip-override/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2-stroke/virtual-ip/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 acert revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 acert revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 acert curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 acert curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 acert revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 acert revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   multiple_authentication = no
+ }
+\ No newline at end of file
+Index: strongswan-5.9.5/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ 
+   cache_crls = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 ldap revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 ldap revocation hmac kdf kernel-netlink socket-default vici
+ 
+   cache_crls = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 ldap revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 ldap revocation hmac kdf kernel-netlink socket-default vici
+ 
+   cache_crls = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ 
+   cache_crls = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ 
+   cache_crls = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown attr farp dhcp
+ 
+   plugins {
+     dhcp {
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown attr farp dhcp
+ 
+   plugins {
+     dhcp {
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown attr farp dhcp
+ 
+   plugins {
+     dhcp {
+Index: strongswan-5.9.5/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dpd-trap/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dpd-trap/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dpd-trap/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dpd-trap/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dpd-trap/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dpd-trap/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici attr farp
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici attr farp
+   dns1 = PH_IP_WINNETOU
+   dns2 = PH_IP_VENUS
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/force-udp-encap/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/force-udp-encap/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr forecast
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown attr forecast
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation xcbc gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation xcbc gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation xcbc gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation xcbc gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default connmark
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default connmark
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default sqlite attr-sql vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default sqlite attr-sql vici
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici resolve
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl sqlite attr-sql kernel-netlink socket-default updown vici
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici sqlite attr-sql
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici sqlite attr-sql
+ 
+   plugins {
+     attr-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl vici kernel-netlink socket-default updown lookip
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl vici kernel-netlink socket-default updown lookip
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mobike-nat-mappings/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mobike-nat-mappings/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mobike-nat-mappings/hosts/alice/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mobike-nat-mappings/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mobike-nat-mappings/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mobike-nat-mappings/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+   prefer_best_path = yes
+ 
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   syslog {
+     daemon {
+       knl = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-childless/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-childless/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-childless/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-childless/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-childless/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-childless/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default vici updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default vici updown
+ 
+   plugins {
+     dnscert {
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default vici updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default vici updown
+ 
+   plugins {
+     dnscert {
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default vici updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default vici updown
+ 
+   plugins {
+     ipseckey {
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default vici updown
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default vici updown
+ 
+   plugins {
+     ipseckey {
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-gw/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-gw/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-gw/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-gw/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-gw/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-gw/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-gw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-gw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-gw/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf kernel-netlink socket-default forecast vici
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf kernel-netlink socket-default forecast vici
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac vici kernel-netlink socket-default updown
++  load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   multiple_authentication = no
+   send_vendor_id = yes
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac vici kernel-netlink socket-default updown
++  load = random drbg nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   multiple_authentication = no
+   send_vendor_id = yes
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
+@@ -1,9 +1,9 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ swanctl {
+-  load = random aes sha1 sha2 hmac pem pkcs1 pkcs7 pkcs8 pkcs12 gmp x509 revocation constraints
++  load = random aes sha1 sha2 hmac kdf pem pkcs1 pkcs7 pkcs8 pkcs12 gmp x509 revocation constraints
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
+@@ -1,9 +1,9 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ swanctl {
+-  load = random aes sha1 sha2 hmac pem pkcs1 pkcs7 pkcs8 pkcs12 gmp x509 revocation constraints
++  load = random aes sha1 sha2 hmac kdf pem pkcs1 pkcs7 pkcs8 pkcs12 gmp x509 revocation constraints
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac curl vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf curl vici kernel-netlink socket-default updown
+   syslog {
+     daemon {
+       knl = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac curl vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf curl vici kernel-netlink socket-default updown
+   multiple_authentication = no
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+   # remove rekeyed inbound SA a bit quicker for the test scenario
+   delete_rekeyed_delay = 2
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation addrblock curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation addrblock curve25519 gmp curl kernel-netlink socket-default updown vici
+   syslog {
+     daemon {
+       cfg = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation addrblock curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation addrblock curve25519 gmp curl kernel-netlink socket-default updown vici
+   syslog {
+     daemon {
+       cfg = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-disabled/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ 
+   plugins {
+     revocation {
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-disabled/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ 
+   plugins {
+     revocation {
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp curve25519 x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/protoport-range/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/protoport-range/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/protoport-range/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/protoport-range/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/protoport-range/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/protoport-range/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/protoport-trap/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/protoport-trap/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/protoport-trap/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/protoport-trap/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/protoport-trap/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/protoport-trap/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown md5 eap-tls
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown md5 eap-tls
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown md5 eap-tls
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown md5 eap-tls
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   make_before_break = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   make_before_break = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   make_before_break = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown vici
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   syslog {
+     daemon {
+       knl = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert-ppk/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert-ppk/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert-ppk/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert-pss/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 mgf1 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert-pss/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 mgf1 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert-pss/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 mgf1 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   rsa_pss = yes
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = random drbg nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+ 
+   integrity_test = yes
+ 
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac kdf vici kernel-netlink socket-default updown resolve
+ 
+   plugins {
+     ipseckey {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac kdf vici kernel-netlink socket-default updown resolve
+ 
+   plugins {
+     ipseckey {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr
++  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac kdf vici kernel-netlink socket-default updown attr
+ 
+   dns1 = PH_IP_WINNETOU
+   dns2 = PH_IP_VENUS
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-aka eap-aka-3gpp2 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-aka eap-aka-3gpp2 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+ 
+   plugins {
+     eap-simaka-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown
+ 
+   plugins {
+     eap-simaka-sql {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 mgf1 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
++  load = random nonce aes md5 sha1 sha2 mgf1 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-tls updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 mgf1 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown
++  load = random nonce aes sha1 sha2 md5 mgf1 pem pkcs1 curve25519 mfg1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown
+ 
+   plugins {
+     eap-dynamic {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 eap updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa-ppk/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
++  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
++  load = random nonce aes des md4 sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-mschapv2 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
++  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
++  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
++  load = random nonce aes des md4 md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-sim eap-sim-file updown
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-sim eap-sim-file updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-tls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-tls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-tls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-tls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-tls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-tls updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-tls updown
+ 
+   multiple_authentication = no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
++  load = random nonce md5 sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+ }
+ 
+ libtls {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
++  load = random nonce md5 sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+ }
+ 
+ libtls {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
++  load = random nonce md5 sha1 sha2 sha3 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 mgf1 gmp curl eap-tls kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 mgf1 gmp x509 curl revocation hmac kdf gcm vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ 
+   multiple_authentication=no
+   syslog {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ed25519-certpol/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 pkcs8 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 pkcs8 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ed25519-certpol/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 pkcs8 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 pkcs8 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ed25519-certpol/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 pkcs8 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 pkcs8 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+   syslog {
+     daemon {
+       default = 1    }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   hash_and_url = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   hash_and_url = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   hash_and_url = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   initiator_only = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   syslog {
+     daemon {
+       knl = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac kdf pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+ 
+   send_vendor_id = yes
+   fragment_size = 1500
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac kdf pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici
+ 
+   send_vendor_id = yes
+   fragment_size = 1500
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac kdf pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+ 
+   send_vendor_id = yes
+   fragment_size = 1500
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
++  load = random drbg nonce aes sha1 sha2 sha3 hmac kdf mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+ 
+   send_vendor_id = yes
+   fragment_size = 1500
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
++  load = random drbg nonce aes sha1 sha2 sha3 hmac kdf mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+ 
+   send_vendor_id = yes
+   fragment_size = 1500
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random drbg nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
++  load = random drbg nonce aes sha1 sha2 sha3 hmac kdf mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown
+ 
+   send_vendor_id = yes
+   fragment_size = 1500
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
++  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac kdf vici kernel-netlink socket-default updown
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
++  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac kdf vici kernel-netlink socket-default updown
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac vici kernel-netlink socket-default updown
++  load = random drbg nonce aes sha1 sha2 mgf1 ntru hmac kdf vici kernel-netlink socket-default updown
+   send_vendor_id = yes
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 pkcs8 gmp x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 md5 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-ppk/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+   syslog {
+   	daemon {
+   		ike = 4
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-ppk/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-ppk/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf curve25519 kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown
++  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-md5 updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default eap-identity eap-radius updown
+ 
+   plugins {
+     eap-radius {
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 mgf1 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 mgf1 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 mgf1 aes hmac pem pkcs1 x509 revocation constraints whitelist pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 mgf1 aes hmac kdf pem pkcs1 x509 revocation constraints whitelist pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ 
+   plugins {
+     whitelist {
+Index: strongswan-5.9.5/testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/shunt-manual-prio/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/shunt-manual-prio/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/shunt-manual-prio/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm vici kernel-netlink socket-default updown
++  load = random drbg nonce aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac kdf xcbc ctr ccm gcm vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+   syslog {
+     daemon {
+       knl = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+   syslog {
+     daemon {
+       knl = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+   syslog {
+     daemon {
+       knl = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+   syslog {
+     daemon {
+       knl = 2
+Index: strongswan-5.9.5/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default vici
+ }
+Index: strongswan-5.9.5/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/host2host-ikev1/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-   load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++   load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/host2host-ikev1/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/host2host-ikev2/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/host2host-ikev2/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ikev1/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ikev1/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ikev2/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ 
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   install_routes = no
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   install_routes=no
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   install_routes = no
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+@@ -1,6 +1,6 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+   install_routes=no
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev1/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev1/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev1/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev2/hosts/carol/etc/strongswan.conf
+@@ -2,5 +2,5 @@
+ 
+ charon {
+   hash_and_url = yes
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev2/hosts/dave/etc/strongswan.conf
+@@ -2,5 +2,5 @@
+ 
+ charon {
+   hash_and_url = yes
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ikev2/hosts/moon/etc/strongswan.conf
+@@ -2,5 +2,5 @@
+ 
+ charon {
+   hash_and_url = yes
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-   load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++   load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
+@@ -2,5 +2,5 @@
+ 
+ charon {
+   hash_and_url = yes
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
+@@ -2,5 +2,5 @@
+ 
+ charon {
+   hash_and_url = yes
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+@@ -2,5 +2,5 @@
+ 
+ charon {
+   hash_and_url = yes
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/transport-ikev1/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/transport-ikev1/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/transport-ikev2/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6-stroke/transport-ikev2/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+   install_routes = no
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+   install_routes = no
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+   install_routes = no
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+   fragment_size = 1400
+   install_routes = no
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 curve25519 hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 curve25519 hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown
++  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown
++  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
+@@ -5,6 +5,6 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-libipsec kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 gcm pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-libipsec kernel-netlink socket-default updown
+   multiple_authentication = no
+ }
+Index: strongswan-5.9.5/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
++  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
++  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
++  load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac kdf x509 openssl curl revocation vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown
++  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc cmac ctr ccm gcm vici kernel-netlink socket-default updown
+ 
+   integrity_test = yes
+   crypto_test {
+Index: strongswan-5.9.5/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation xcbc stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 kdf pem pkcs1 gmp x509 curl revocation xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation xcbc stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 kdf pem pkcs1 gmp x509 curl revocation xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+   # remove rekeyed inbound SA a bit quicker for the test scenario
+   delete_rekeyed_delay = 2
+   syslog {
+Index: strongswan-5.9.5/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+ 
+   integrity_test = yes
+   crypto_test {
+Index: strongswan-5.9.5/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+ 
+   integrity_test = yes
+   crypto_test {
+Index: strongswan-5.9.5/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+ 
+   integrity_test = yes
+   crypto_test {
+Index: strongswan-5.9.5/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+@@ -1,5 +1,5 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf stroke kernel-pfkey kernel-netlink socket-default updown
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-gre/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-gre/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-gre/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+ charon {
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-gre/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-gre/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-gre/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+ charon {
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-vti/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-vti/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-vti/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+ charon {
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-vti/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-vti/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-vti/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+ charon {
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi-ike/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-xfrmi-ike/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi-ike/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default
+   start-scripts {
+     updown = /usr/bin/python3 /etc/updown.py
+   }
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi-netns/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi-netns/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/net2net-xfrmi/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+ charon {
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+ 
+ charon {
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-xfrmi/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-xfrmi/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/route-based/rw-shared-xfrmi/hosts/moon/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
++  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql attr-sql
+ 
+   plugins {
+     sql {
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql attr-sql
+ 
+   plugins {
+     sql {
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql resolve
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql resolve
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql resolve
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql attr-sql
+ 
+   plugins {
+     sql {
+Index: strongswan-5.9.5/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql attr-sql
+ 
+   plugins {
+     sql {
+Index: strongswan-5.9.5/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon {
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql attr-sql
+ 
+   plugins {
+     sql {
+Index: strongswan-5.9.5/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+@@ -6,7 +6,7 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ 
+   integrity_test = yes
+   crypto_test {
+Index: strongswan-5.9.5/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -6,7 +6,7 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ 
+   integrity_test = yes
+   crypto_test {
+Index: strongswan-5.9.5/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+@@ -6,7 +6,7 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = test-vectors random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ 
+   integrity_test = yes
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 gmp x509 revocation hmac vici kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
++  load = random nonce aes sha1 sha2 fips-prf pem pkcs1 gmp x509 revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+@@ -6,5 +6,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 pubkey gmp hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+@@ -6,7 +6,7 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+@@ -9,5 +9,5 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql attr-sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql attr-sql
+ }
+Index: strongswan-5.9.5/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+@@ -6,7 +6,7 @@ charon {
+       database = sqlite:///etc/db.d/ipsec.db
+     }
+   }
+-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown sqlite sql
++  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kdf vici kernel-netlink socket-default updown sqlite sql
+ 
+   keep_alive = 5
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc vici kernel-netlink socket-default updown
++  load = aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac kdf xcbc vici kernel-netlink socket-default updown
+ }
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ 
+   multiple_authentication=no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
++  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ 
+   multiple_authentication=no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication=no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown
+   multiple_authentication=no
+ 
+   plugins {
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici socket-default kernel-netlink eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   syslog {
+     daemon {
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-radius updown
+ 
+   multiple_authentication=no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
++  load = random nonce aes sha1 sha2 md5 mgf1 gmp hmac kdf pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication = no
+ 
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ 
+   multiple_authentication=no
+   integrity_test = yes
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ 
+   multiple_authentication=no
+   integrity_test = yes
+Index: strongswan-5.9.5/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+@@ -1,7 +1,7 @@
+ # /etc/strongswan.conf - strongSwan configuration file
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
++  load = random nonce aes sha1 sha2 md5 pem pkcs1 mgf1 gmp hmac kdf x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+ 
+   multiple_authentication=no
+   integrity_test = yes
+Index: strongswan-5.9.5/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/strongswan.conf
+@@ -5,5 +5,5 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
++  load = random nonce aes sha1 sha2 hmac kdf pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
+ }
+Index: strongswan-5.9.5/testing/tests/wolfssl/rw-cert/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/wolfssl/rw-cert/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/wolfssl/rw-cert/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 sha3 aes curve25519 hmac mgf1 pem pkcs1 x509 revocation constraints gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 sha3 aes curve25519 hmac kdf mgf1 pem pkcs1 x509 revocation constraints gmp curl kernel-netlink socket-default updown vici
+ 
+   rsa_pss = yes
+ }
+Index: strongswan-5.9.5/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf
+===================================================================
+--- strongswan-5.9.5.orig/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf
++++ strongswan-5.9.5/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf
+@@ -5,7 +5,7 @@ swanctl {
+ }
+ 
+ charon-systemd {
+-  load = random nonce sha1 sha2 aes hmac mgf1 pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
++  load = random nonce sha1 sha2 aes hmac kdf mgf1 pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici
+ 
+   rsa_pss = yes
+ }
diff --git a/strongswan.changes b/strongswan.changes
index 77ec9ac..2cfec7b 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Mar  3 14:49:26 UTC 2022 - Marcus Meissner <meissner@suse.com>
+
+- Added prf-plus-modularization.patch that outsources the IKE 
+  key derivation to openssl. (will be merged to 5.9.6)
+- package the kdf config, template and plugin
+
 -------------------------------------------------------------------
 Wed Jan 26 12:25:35 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
 
diff --git a/strongswan.spec b/strongswan.spec
index a22c6df..fce0e5b 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -81,6 +81,7 @@ Patch3:         %{name}_fipscheck.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6:		harden_strongswan.service.patch
+Patch7:		prf-plus-modularization.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -269,6 +270,7 @@ sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
      > _fipscheck
 %endif
 %patch6 -p1
+%patch7 -p1
 
 %build
 CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
@@ -676,6 +678,7 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
@@ -792,6 +795,7 @@ fi
 %{strongswan_plugins}/libstrongswan-gmp.so
 %{strongswan_plugins}/libstrongswan-ha.so
 %{strongswan_plugins}/libstrongswan-hmac.so
+%{strongswan_plugins}/libstrongswan-kdf.so
 %{strongswan_plugins}/libstrongswan-kernel-netlink.so
 %{strongswan_plugins}/libstrongswan-ldap.so
 %{strongswan_plugins}/libstrongswan-led.so
@@ -896,6 +900,7 @@ fi
 %{strongswan_templates}/config/plugins/gmp.conf
 %{strongswan_templates}/config/plugins/ha.conf
 %{strongswan_templates}/config/plugins/hmac.conf
+%{strongswan_templates}/config/plugins/kdf.conf
 %{strongswan_templates}/config/plugins/kernel-netlink.conf
 %{strongswan_templates}/config/plugins/ldap.conf
 %{strongswan_templates}/config/plugins/led.conf
@@ -957,6 +962,7 @@ fi
 %{strongswan_templates}/database/imv/data.sql
 %{strongswan_templates}/database/imv/tables.sql
 
+
 %if %{with nm}
 
 %files nm