2025-08-21 00:00:13 -04:00
389 changed files with 3616 additions and 19666 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -1,11 +1,11 @@
 freebsd_task:
  matrix:
-    - name: FreeBSD 14.2
+    - name: FreeBSD 14.1
      freebsd_instance:
-        image_family: freebsd-14-2
+        image_family: freebsd-14-1
-    - name: FreeBSD 13.4
+    - name: FreeBSD 13.3
      freebsd_instance:
-        image_family: freebsd-13-4
+        image_family: freebsd-13-3
  env:
    TESTS_REDUCED_KEYLENGTHS: yes
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -2,7 +2,6 @@
 name: "🐛 Bug report"
 about: Report a reproducible bug or regression
 labels: bug, new
 type: Bug
 ---
 <!--
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -2,7 +2,6 @@
 name: Feature request
 about: Suggest an idea for this project
 labels: enhancement, new
 type: Feature
 ---
 <!--
--- a/.github/actions/default/action.yml
+++ b/.github/actions/default/action.yml
@ -5,6 +5,9 @@ runs:
    - name: "Install Dependencies"
      run: ./scripts/test.sh deps
      shell: bash
    - name: "Install Python Dependencies"
      run: ./scripts/test.sh pydeps
      shell: bash
    - name: "Build Dependencies"
      run: ./scripts/test.sh build-deps
      shell: bash
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@ -18,7 +18,7 @@ jobs:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@master
        with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
  android:
    needs: pre-check
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -19,7 +19,7 @@ jobs:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@master
        with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
  analyze:
    needs: pre-check
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -21,7 +21,7 @@ jobs:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@master
        with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
  latest:
    needs: pre-check
@ -48,9 +48,6 @@ jobs:
          - test: no-dbg
          - test: no-dbg
            compiler: clang
          - test: no-testable-ke
          - test: no-testable-ke
            compiler: clang
          - test: fuzzing
            compiler: clang
            monolithic: yes
@ -93,25 +90,33 @@ jobs:
          path: config.log
          retention-days: 5
-  crypto:
+  crypto-plugins:
    needs: pre-check
    if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ ubuntu-latest, ubuntu-22.04, ubuntu-20.04 ]
        test: [ botan, wolfssl, openssl, openssl-3, openssl-awslc, gcrypt ]
        os: [ ubuntu-latest, ubuntu-22.04 ]
        leak-detective: [ no, yes ]
        exclude:
          # test custom-built libs only on the latest platform
          - os: ubuntu-22.04
            test: botan
          - os: ubuntu-20.04
            test: botan
          - os: ubuntu-22.04
            test: wolfssl
          - os: ubuntu-20.04
            test: wolfssl
          - os: ubuntu-22.04
            test: openssl-3
          - os: ubuntu-20.04
            test: openssl-3
          - os: ubuntu-22.04
            test: openssl-awslc
          - os: ubuntu-20.04
            test: openssl-awslc
    env:
      LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
      CC: ${{ matrix.compiler || 'gcc' }}
@ -135,12 +140,6 @@ jobs:
          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
          ccache -z
      - uses: ./.github/actions/default
      - name: Test Vectors (detailed)
        env:
          TESTS_SUITES: vectors
          TESTS_VERBOSITY: 1
        run:
          ./scripts/test.sh
      - run: ccache -s
      - if: ${{ failure() }}
        uses: actions/upload-artifact@v4
@ -155,7 +154,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        os: [ ubuntu-22.04 ]
+        os: [ ubuntu-22.04, ubuntu-20.04 ]
        test: [ all, nm ]
        compiler: [ gcc, clang ]
        exclude:
@ -165,6 +164,8 @@ jobs:
      LEAK_DETECTIVE: ${{ matrix.leak-detective || 'no' }}
      CC: ${{ matrix.compiler || 'gcc' }}
      TEST: ${{ matrix.test }}
      # LSan causes spurious SIGSEGV after tests due to DTLS handling by glibc (on 20.04)
      ASAN_OPTIONS: intercept_tls_get_addr=0
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -18,7 +18,7 @@ jobs:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@master
        with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
  macos:
    strategy:
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@ -17,7 +17,7 @@ jobs:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@master
        with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
  sonarcloud:
    needs: pre-check
@ -33,6 +33,7 @@ jobs:
        with:
          path: |
            ~/.cache/ccache
            ~/.sonar-cache
          key: ccache-sonarcloud-${{ github.sha }}
          restore-keys: |
            ccache-sonarcloud-
@ -40,17 +41,24 @@ jobs:
          sudo apt-get install -qq ccache
          echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
          ccache -z
-      - uses: SonarSource/sonarqube-scan-action/install-build-wrapper@v4
+      # using SonarSource/sonarcloud-github-action is currently not recommended
-      - run: |
+      # for C builds, so we follow the "any CI" instructions
-          echo "BUILD_WRAPPER_OUT_DIR=$HOME/bw-output" >> $GITHUB_ENV
+      - name: Install sonar-scanner
      - uses: ./.github/actions/default
      - uses: SonarSource/sonarqube-scan-action@v4
        env:
          SONAR_SCANNER_VERSION: 5.0.1.3006
        run: |
          export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
          curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
          echo "SONAR_SCANNER_OPTS=-server" >> $GITHUB_ENV
          curl --create-dirs -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip
          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
          echo "PATH=$HOME/.sonar/build-wrapper-linux-x86:$SONAR_SCANNER_HOME/bin:$PATH" >> $GITHUB_ENV
      - env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BUILD_NUMBER: ${{ github.run_id }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        with:
+          SONAR_PROJECT: ${{ secrets.SONAR_PROJECT }}
-          args: >
+          SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
-            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT }}
+        uses: ./.github/actions/default
            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
            -Dsonar.cfamily.threads=2
            -Dsonar.cfamily.compile-commands=${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json
      - run: ccache -s
--- a/.github/workflows/tkm.yml
+++ b/.github/workflows/tkm.yml
@ -18,7 +18,7 @@ jobs:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@master
        with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
  tkm:
    needs: pre-check
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -21,7 +21,7 @@ jobs:
      - id: skip-check
        uses: fkirc/skip-duplicate-actions@master
        with:
-          concurrent_skipping: 'same_content_newer'
+          concurrent_skipping: 'same_content'
  cross-compile:
    needs: pre-check
--- a/.gitignore
+++ b/.gitignore
@ -55,4 +55,3 @@ coverage/
 /*.includes
 test-driver
 nbproject/
 *.[si]
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,3 +1,3 @@
-Please refer to the [developer documentation](https://docs.strongswan.org/docs/latest/devs/devs.html)
+Please refer to the [developer documentation](https://docs.strongswan.org/docs/5.9/devs/devs.html)
 in our documentation for details regarding **code style** and
-[**contribution requirements**](https://docs.strongswan.org/docs/latest/devs/contributions.html).
+[**contribution requirements**](https://docs.strongswan.org/docs/5.9/devs/contributions.html).
--- a/Doxyfile.in
+++ b/Doxyfile.in
@ -991,8 +991,7 @@ RECURSIVE              = YES
 # Note that relative paths are relative to the directory from which doxygen is
 # run.
-EXCLUDE                = @SRC_DIR@/src/include \
+EXCLUDE                = @SRC_DIR@/src/include
                         @SRC_DIR@/src/frontends/android/app/src/main/jni/openssl
 # The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
 # directories that are symbolic links (a Unix file system feature) are excluded
@ -2376,7 +2375,6 @@ INCLUDE_FILE_PATTERNS  =
 # This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
 PREDEFINED             = LEAK_DETECTIVE \
 						 TESTABLE_KE \
                         __attribute__(x)=
 # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
--- a/1
+++ b/1
@ -14,6 +14,7 @@ the code, you need the following tools:
    - autoconf
    - libtool
    - pkg-config
    - gettext
    - perl
    - python
    - lex/flex
--- a/2
+++ b/2
@ -144,4 +144,4 @@ Contents
    For a more up-to-date list of recommended modules refer to:
-      * https://docs.strongswan.org/docs/latest/install/kernelModules.html
+      * https://docs.strongswan.org/docs/5.9/install/kernelModules.html
--- a/68
+++ b/68
@ -1,71 +1,3 @@
 strongswan-6.0.2
 ----------------
 - Support for per-CPU SAs (RFC 9611) has been added (Linux 6.13+).
 - Basic support for AGGFRAG mode (RFC 9347) has been added (Linux 6.14+).
 - POSIX regular expressions can be used to match remote identities.
 - Switching configs based on EAP-Identities is supported. Setting
  `remote.eap_id` now always initiates an EAP-Identity exchange.
 - On Linux, sequence numbers from acquires are used when installing SAs. This
  allows handling narrowing properly.
 - During rekeying, the narrowed traffic selectors are now proposed instead of
  the configured ones.
 - The default AH/ESP proposals contain all supported key exchange methods plus
  `none` to make PFS optional and accept proposals of older peers.
 - GRO for ESP in enabled for NAT-T UDP sockets, which can improve performance
  if the esp4|6_offload modules are loaded.
 - charon-nm sets the VPN connection as persistent, preventing NetworkManager
  from tearing down the connection if the network connectivity changes.
 - ML-KEM is supported via OpenSSL 3.5+.
 - The wolfssl plugin is now compatible to wolfSSL's FIPS module.
 - The libsoup plugin has been migrated to libsoup 3, libsoup 2 is not supported
  anymore.
 - The long defunct uci plugin has been removed.
 - Log messages by watcher_t are now logged in a separate log group (`wch`).
 strongswan-6.0.1
 ----------------
 - The ha plugin supports IKE and Child SAs with multiple key exchanges.
  Incomplete IKE_SAs are now destroyed during a failover.
 - The new `interface_receive` option for the dhcp plugin allows binding the
  receive socket to a different interface than the send socket. Also fixed a
  regression if the DHCP server is running on the same host.
 - The new `source` option for the eap-radius plugin allows sending RADIUS
  messages from a specific IP address.
 - Self-signed root CAs without policies are now excluded from policy validation.
 - Inbound traffic on IPsec SAs is now ignored when sending DPDs unless
  UDP-encapsulation is used.
 - Send IKE_SA_INIT from NAT-T socket if not connecting to port 500.
 - Local traffic selectors can be configured for charon-nm. Its default
  retransmission settings have been set to those of the Android app.
 - The vici Python wheel is now built via `build` frontend instead of calling
  setup.py directly if --enable-python-wheels is used (the option to build eggs
  has been removed). There is no option to automatically install the wheel (use
  pip instead) and the --enable-python-eggs-install option has been removed.
 strongswan-6.0.0
 ----------------
--- a/README.md
+++ b/README.md
@ -566,7 +566,7 @@ to generate a traditional 3072 bit RSA key and store it in binary DER format.
 As an alternative a **TPM 2.0** *Trusted Platform Module* available on every
 recent Intel platform could be used as a virtual smartcard to securely store an
 RSA or ECDSA private key. For details, refer to the TPM 2.0
-[HOWTO](https://docs.strongswan.org/docs/latest/tpm/tpm2.html).
+[HOWTO](https://docs.strongswan.org/docs/5.9/tpm/tpm2.html).
 In a next step the command
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@ -16,7 +16,6 @@ options = \
 	options/charon-systemd.opt \
 	options/imcv.opt \
 	options/imv_policy_manager.opt \
 	options/iptfs.opt \
 	options/manager.opt \
 	options/medsrv.opt \
 	options/pki.opt \
--- a/conf/format-options.py
+++ b/conf/format-options.py
@ -241,7 +241,6 @@ class GroffTagReplacer(TagReplacer):
 			if not punct:
 				punct = ''
 			text = re.sub(r'[\r\n\t]', ' ', m.group('text'))
 			text = re.sub(r'"', '""', text)
 			return '{0}.R{1} "{2}" "{3}" "{4}"\n'.format(nl, format, brack, text, punct)
 		return replacer
@ -306,8 +305,7 @@ class ManFormatter:
 	def __groffize(self, text):
 		"""Encode text as groff text"""
 		text = self.__tags.replace(text)
-		text = re.sub(r'\\(?!-)', '\\[rs]', text)
+		text = re.sub(r'(?<!\\)-', r'\\-', text)
 		text = re.sub(r'(?<!\\)-', '\\-', text)
 		# remove any leading whitespace
 		return re.sub(r'^\s+', '', text, flags = re.MULTILINE)
--- a/conf/options/charon-nm.opt
+++ b/conf/options/charon-nm.opt
@ -1,55 +1,6 @@
 charon-nm {}
 	Section with settings specific to the NetworkManager backend `charon-nm`.
 	Settings from the `charon` section are not inherited, but many can be used
 	here as well. Defaults for some settings are chosen very deliberately and
 	should only be changed in case of conflicts.
 charon-nm.ca_dir = <default>
 	Directory from which to load CA certificates if no certificate is
 	configured.
 charon-nm.install_virtual_ip_on = lo
 	Interface on which virtual IP addresses are installed. Note that NM
 	also installs the virtual IPs on the XFRM interface.
 charon-nm.mtu = 1400
 	MTU for XFRM interfaces created by the NM plugin.
 charon-nm.port = 0
 	Source port when sending packets to port 500. Defaults to an ephemeral
 	port. May be set to 500 if firewall rules require a static port.
 charon-nm.port_nat_t = 0
 	Source port when sending packets to port 4500 or a custom server port.
 	Defaults to an ephemeral port. May be set to e.g. 4500 if firewall rules
 	require a static port.
 charon-nm.retransmit_base = 1.4
 	Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
 	in **strongswan.conf**(5). Default retransmission settings for charon-nm are
 	deliberately lower to fail and possibly reestablish SAs more quickly.
 charon-nm.retransmit_timeout = 2.0
 	Timeout in seconds before sending first retransmit.
 charon-nm.retransmit_tries = 3
 	Number of times to retransmit a packet before giving up.
 charon-nm.routing_table = 210
 	Table where routes via XFRM interface are installed. Should be different
 	than the table used for the regular IKE daemon due to the mark.
 charon-nm.routing_table_prio = 210
 	Priority of the routing table. Higher than the default priority used for the
 	regular IKE daemon.
 charon-nm.plugins.kernel-netlink.fwmark = !210
 	Make packets with this mark ignore the routing table. Must be the same mark
 	set in charon-nm.plugins.socket-default.fwmark.
 charon-nm.plugins.socket-default.fwmark = 210
 	Mark applied to IKE and ESP packets to ignore the routing table and avoid
 	routing loops when using XFRM interfaces.
 charon-nm.syslog.daemon.default = 1
 	Default to logging via syslog's daemon facility on level 1.
--- a/conf/options/iptfs.opt
+++ b/conf/options/iptfs.opt
@ -1,38 +0,0 @@
 charon.iptfs {}
 	Global settings for IP-TFS (RFC 9347). The Linux kernel supports this mode
 	since 6.14. However, it currently only supports aggregation/fragmentation of
 	tunneled IP packets in ESP/AGGFRAG packets. It doesn't yet support other
 	IP-TFS features like sending packets at a constant rate or congestion control.
 charon.iptfs.drop_time = 1000000
 	Time in microseconds to wait for out-of-order packets when processing
 	inbound traffic.
 charon.iptfs.reorder_window = 3
 	Number of packets that may arrive out of order when processing inbound
 	traffic.
 charon.iptfs.init_delay = 0
 	Time in microseconds to wait for subsequent packets to aggregate together
 	when sending outbound traffic. Only relevant if no packets are already
 	queued to be sent.
 charon.iptfs.max_queue_size = 1048576
 	Maximum number of bytes allowed to be queued for sending on the tunnel
 	(default 1 MiB). If the queue is full, packets are dropped.
 charon.iptfs.packet_size = 0
 	Maximum outer packet size (layer 3) when sending packets. The default of 0
 	will use the PMTU as packet size. Note that the kernel currently doesn't
 	pad smaller packets.
 charon.iptfs.accept_fragments = yes
 	Whether fragments of inner packets across multiple AGGFRAG payloads are
 	accepted. This is an IKEv2 option, so if the peer doesn't adhere to this
 	request and still sends such fragments, they will be processed by the
 	kernel.
 charon.iptfs.dont_frag = no
 	Force disabling fragmenting inner packets across multiple AGGFRAG payloads
 	when sending outbound traffic (fragmentation is automatically disabled if
 	the peer indicates that it doesn't support handling such packets).
--- a/conf/plugins/eap-radius.opt
+++ b/conf/plugins/eap-radius.opt
@ -84,9 +84,6 @@ charon.plugins.eap-radius.secret =
 charon.plugins.eap-radius.server =
 	IP/Hostname of RADIUS server.
 charon.plugins.eap-radius.source =
 	Optional specific source IP to use.
 charon.plugins.eap-radius.retransmit_base = 1.4
 	Base to use for calculating exponential back off.
@ -99,12 +96,12 @@ charon.plugins.eap-radius.retransmit_tries = 4
 charon.plugins.eap-radius.servers {}
 	Section to specify multiple RADIUS servers.
-	Section to specify multiple RADIUS servers. The **source**,
+	Section to specify multiple RADIUS servers. The **nas_identifier**,
-	**nas_identifier**,	**secret**, **sockets** and **port** (or **auth_port**)
+	**secret**, **sockets** and **port** (or **auth_port**) options can be
-	options can be specified for each server. A server's IP/Hostname can be
+	specified for each server. A server's IP/Hostname can be configured using
-	configured using the **address** option. The **acct_port** [1813] option can
+	the **address** option. The **acct_port** [1813] option can be used to
-	be used to specify the port used for RADIUS accounting. For each RADIUS
+	specify the port used for RADIUS accounting. For each RADIUS server a
-	server a priority can be specified using the **preference** [0] option. The
+	priority can be specified using the **preference** [0] option. The
 	retransmission time for each server can set set using **retransmit_base**,
 	**retransmit_timeout** and **retransmit_tries**.
--- a/configure.ac
+++ b/configure.ac
@ -20,7 +20,7 @@
 #  initialize & set some vars
 # ============================
-AC_INIT([strongSwan],[6.0.2])
+AC_INIT([strongSwan],[6.0.0])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@ -33,18 +33,21 @@ AM_INIT_AUTOMAKE(m4_esyscmd([
 	esac
 ]))
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES])
-AC_CONFIG_MACRO_DIRS([m4/config m4/macros])
+AC_CONFIG_MACRO_DIR([m4/config])
 AC_CONFIG_HEADERS([config.h])
 AC_DEFINE([CONFIG_H_INCLUDED], [], [defined if config.h included])
 AC_DISABLE_STATIC
 PKG_PROG_PKG_CONFIG
 m4_include(m4/macros/split-package-version.m4)
 SPLIT_PACKAGE_VERSION
 # =================================
 #  check --enable-xxx & --with-xxx
 # =================================
 m4_include(m4/macros/with.m4)
 ARG_WITH_SUBST([random-device],      [/dev/random], [set the device to read real random data from])
 ARG_WITH_SUBST([urandom-device],     [/dev/urandom], [set the device to read pseudo random data from])
 ARG_WITH_SUBST([strongswan-conf],    [${sysconfdir}/strongswan.conf], [set the strongswan.conf file location])
@ -67,7 +70,6 @@ ARG_WITH_SET([mpz_powm_sec],         [yes], [use the more side-channel resistant
 ARG_WITH_SET([dev-headers],          [no], [install strongSwan development headers to directory.])
 ARG_WITH_SET([printf-hooks],         [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).])
 ARG_WITH_SET([rubygemdir],           ["gem environment gemdir"], [path to install ruby gems to])
 ARG_WITH_SET([testable-ke],          [yes], [make key exchange implementations testable by providing a set_seed() method])
 if test -n "$PKG_CONFIG"; then
 	systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
@ -126,6 +128,8 @@ fi
 # convert script name to uppercase
 AC_SUBST(ipsec_script_upper, [`echo -n "$ipsec_script" | tr a-z A-Z`])
 m4_include(m4/macros/enable-disable.m4)
 # crypto plugins
 ARG_ENABL_SET([aes],            [enable AES software implementation plugin.])
 ARG_ENABL_SET([af-alg],         [enable AF_ALG crypto interface to Linux Crypto API.])
@ -233,6 +237,7 @@ ARG_ENABL_SET([socket-win],     [enable Winsock2 based socket implementation for
 ARG_ENABL_SET([stroke],         [enable the stroke configuration backend.])
 ARG_ENABL_SET([smp],            [enable SMP configuration and control interface. Requires libxml.])
 ARG_ENABL_SET([sql],            [enable SQL database configuration backend.])
 ARG_ENABL_SET([uci],            [enable OpenWRT UCI configuration plugin.])
 ARG_DISBL_SET([vici],           [disable strongSwan IKE generic IPC interface plugin.])
 # attribute provider/consumer plugins
 ARG_ENABL_SET([android-dns],    [enable Android specific DNS handler.])
@ -604,10 +609,6 @@ AC_LINK_IFELSE(
 AC_SUBST(ATOMICLIB)
 LIBS=$saved_LIBS
 # Some platforms require explicit linking to use POSIX regular expressions
 AC_SEARCH_LIBS([regcomp], [regex], [AC_DEFINE([HAVE_REGEX], [], [have regcomp() etc.])])
 # ------------------------------------------------------
 AC_MSG_CHECKING(for dladdr)
@ -1044,7 +1045,7 @@ if test x$unbound = xtrue; then
 fi
 if test x$soup = xtrue; then
-	PKG_CHECK_MODULES(soup, [libsoup-3.0])
+	PKG_CHECK_MODULES(soup, [libsoup-2.4])
 	AC_SUBST(soup_CFLAGS)
 	AC_SUBST(soup_LIBS)
 fi
@ -1238,6 +1239,11 @@ if test x$botan = xtrue; then
 	LIBS=$saved_LIBS
 fi
 if test x$uci = xtrue; then
 	AC_CHECK_LIB([uci],[uci_alloc_context],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
 fi
 if test x$android_dns = xtrue; then
 	AC_CHECK_LIB([cutils],[property_get],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
 	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
@ -1345,10 +1351,6 @@ if test x$unwind_backtraces = xtrue; then
 	AC_SUBST(UNWINDLIB)
 fi
 if test "x$testable_ke" = xyes; then
 	AC_DEFINE([TESTABLE_KE], [1], [Define to 1 if key exchange methods should be testable.])
 fi
 AM_CONDITIONAL(USE_DEV_HEADERS, [test "x$dev_headers" != xno])
 if test x$dev_headers = xyes; then
 	dev_headers="$includedir/strongswan"
@ -1515,6 +1517,8 @@ CFLAGS="$WARN_CFLAGS $CFLAGS"
 #  collect plugin list for strongSwan components
 # ===============================================
 m4_include(m4/macros/add-plugin.m4)
 # plugin lists for all components
 charon_plugins=
 pool_plugins=
@ -1670,6 +1674,7 @@ ADD_PLUGIN([led],                  [c charon])
 ADD_PLUGIN([duplicheck],           [c charon])
 ADD_PLUGIN([coupling],             [c charon])
 ADD_PLUGIN([radattr],              [c charon])
 ADD_PLUGIN([uci],                  [c charon])
 ADD_PLUGIN([addrblock],            [c charon])
 ADD_PLUGIN([unity],                [c charon])
 ADD_PLUGIN([counters],             [c charon])
@ -1764,6 +1769,7 @@ AM_CONDITIONAL(USE_STROKE, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_VICI, test x$vici = xtrue)
 AM_CONDITIONAL(USE_MEDSRV, test x$medsrv = xtrue)
 AM_CONDITIONAL(USE_MEDCLI, test x$medcli = xtrue)
 AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
 AM_CONDITIONAL(USE_OSX_ATTR, test x$osx_attr = xtrue)
 AM_CONDITIONAL(USE_P_CSCF, test x$p_cscf = xtrue)
 AM_CONDITIONAL(USE_ANDROID_DNS, test x$android_dns = xtrue)
@ -1949,16 +1955,14 @@ strongswan_options=
 AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
 AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
-AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging iptfs"])
+AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
 AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
 AM_COND_IF([USE_IMV_ATTESTATION], [strongswan_options=${strongswan_options}" attest"])
-AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv imv_policy_manager"])
+AM_COND_IF([USE_IMCV], [strongswan_options=${strongswan_options}" imcv"])
 AM_COND_IF([USE_IMC_SWIMA], [strongswan_options=${strongswan_options}" sw-collector"])
 AM_COND_IF([USE_IMV_SWIMA], [strongswan_options=${strongswan_options}" sec-updater"])
 AM_COND_IF([USE_LIBTNCCS], [strongswan_options=${strongswan_options}" tnc"])
 AM_COND_IF([USE_MANAGER], [strongswan_options=${strongswan_options}" manager"])
 AM_COND_IF([USE_MEDSRV], [strongswan_options=${strongswan_options}" medsrv"])
 AM_COND_IF([USE_NM], [strongswan_options=${strongswan_options}" charon-nm"])
 AM_COND_IF([USE_PKI], [strongswan_options=${strongswan_options}" pki"])
 AM_COND_IF([USE_SWANCTL], [strongswan_options=${strongswan_options}" swanctl"])
 AM_COND_IF([USE_SYSTEMD], [strongswan_options=${strongswan_options}" charon-systemd"])
@ -2118,6 +2122,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/medcli/Makefile
 	src/libcharon/plugins/addrblock/Makefile
 	src/libcharon/plugins/unity/Makefile
 	src/libcharon/plugins/uci/Makefile
 	src/libcharon/plugins/ha/Makefile
 	src/libcharon/plugins/kernel_netlink/Makefile
 	src/libcharon/plugins/kernel_pfkey/Makefile
--- a/init/Makefile.am
+++ b/init/Makefile.am
@ -2,12 +2,10 @@
 SUBDIRS =
 if USE_LEGACY_SYSTEMD
 if USE_FILE_CONFIG
 if USE_CHARON
  SUBDIRS += systemd-starter
 endif
 endif
 endif
 if USE_SYSTEMD
 if USE_SWANCTL
--- a/m4/macros/host-cpu-c-abi.m4
+++ b/m4/macros/host-cpu-c-abi.m4
@ -1,532 +0,0 @@
 # host-cpu-c-abi.m4
 # serial 20
 dnl Copyright (C) 2002-2025 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.
 dnl This file is offered as-is, without any warranty.
 dnl From Bruno Haible and Sam Steingold.
 dnl Sets the HOST_CPU variable to the canonical name of the CPU.
 dnl Sets the HOST_CPU_C_ABI variable to the canonical name of the CPU with its
 dnl C language ABI (application binary interface).
 dnl Also defines __${HOST_CPU}__ and __${HOST_CPU_C_ABI}__ as C macros in
 dnl config.h.
 dnl
 dnl This canonical name can be used to select a particular assembly language
 dnl source file that will interoperate with C code on the given host.
 dnl
 dnl For example:
 dnl * 'i386' and 'sparc' are different canonical names, because code for i386
 dnl   will not run on SPARC CPUs and vice versa. They have different
 dnl   instruction sets.
 dnl * 'sparc' and 'sparc64' are different canonical names, because code for
 dnl   'sparc' and code for 'sparc64' cannot be linked together: 'sparc' code
 dnl   contains 32-bit instructions, whereas 'sparc64' code contains 64-bit
 dnl   instructions. A process on a SPARC CPU can be in 32-bit mode or in 64-bit
 dnl   mode, but not both.
 dnl * 'mips' and 'mipsn32' are different canonical names, because they use
 dnl   different argument passing and return conventions for C functions, and
 dnl   although the instruction set of 'mips' is a large subset of the
 dnl   instruction set of 'mipsn32'.
 dnl * 'mipsn32' and 'mips64' are different canonical names, because they use
 dnl   different sizes for the C types like 'int' and 'void *', and although
 dnl   the instruction sets of 'mipsn32' and 'mips64' are the same.
 dnl * The same canonical name is used for different endiannesses. You can
 dnl   determine the endianness through preprocessor symbols:
 dnl   - 'arm': test __ARMEL__.
 dnl   - 'mips', 'mipsn32', 'mips64': test _MIPSEB vs. _MIPSEL.
 dnl   - 'powerpc64': test __BIG_ENDIAN__ vs. __LITTLE_ENDIAN__.
 dnl * The same name 'i386' is used for CPUs of type i386, i486, i586
 dnl   (Pentium), AMD K7, Pentium II, Pentium IV, etc., because
 dnl   - Instructions that do not exist on all of these CPUs (cmpxchg,
 dnl     MMX, SSE, SSE2, 3DNow! etc.) are not frequently used. If your
 dnl     assembly language source files use such instructions, you will
 dnl     need to make the distinction.
 dnl   - Speed of execution of the common instruction set is reasonable across
 dnl     the entire family of CPUs. If you have assembly language source files
 dnl     that are optimized for particular CPU types (like GNU gmp has), you
 dnl     will need to make the distinction.
 dnl   See <https://en.wikipedia.org/wiki/X86_instruction_listings>.
 AC_DEFUN([gl_HOST_CPU_C_ABI],
 [
  AC_REQUIRE([AC_CANONICAL_HOST])
  AC_REQUIRE([gl_C_ASM])
  AC_CACHE_CHECK([host CPU and C ABI], [gl_cv_host_cpu_c_abi],
    [case "$host_cpu" in
 changequote(,)dnl
       i[34567]86 )
 changequote([,])dnl
         gl_cv_host_cpu_c_abi=i386
         ;;
       x86_64 )
         # On x86_64 systems, the C compiler may be generating code in one of
         # these ABIs:
         # - 64-bit instruction set, 64-bit pointers, 64-bit 'long': x86_64.
         # - 64-bit instruction set, 64-bit pointers, 32-bit 'long': x86_64
         #   with native Windows (mingw, MSVC).
         # - 64-bit instruction set, 32-bit pointers, 32-bit 'long': x86_64-x32.
         # - 32-bit instruction set, 32-bit pointers, 32-bit 'long': i386.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#if (defined __x86_64__ || defined __amd64__ \
                     || defined _M_X64 || defined _M_AMD64)
                 int ok;
                #else
                 error fail
                #endif
              ]])],
           [AC_COMPILE_IFELSE(
              [AC_LANG_SOURCE(
                 [[#if defined __ILP32__ || defined _ILP32
                    int ok;
                   #else
                    error fail
                   #endif
                 ]])],
              [gl_cv_host_cpu_c_abi=x86_64-x32],
              [gl_cv_host_cpu_c_abi=x86_64])],
           [gl_cv_host_cpu_c_abi=i386])
         ;;
 changequote(,)dnl
       alphaev[4-8] | alphaev56 | alphapca5[67] | alphaev6[78] )
 changequote([,])dnl
         gl_cv_host_cpu_c_abi=alpha
         ;;
       arm* | aarch64 )
         # Assume arm with EABI.
         # On arm64 systems, the C compiler may be generating code in one of
         # these ABIs:
         # - aarch64 instruction set, 64-bit pointers, 64-bit 'long': arm64.
         # - aarch64 instruction set, 32-bit pointers, 32-bit 'long': arm64-ilp32.
         # - 32-bit instruction set, 32-bit pointers, 32-bit 'long': arm or armhf.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#ifdef __aarch64__
                 int ok;
                #else
                 error fail
                #endif
              ]])],
           [AC_COMPILE_IFELSE(
              [AC_LANG_SOURCE(
                [[#if defined __ILP32__ || defined _ILP32
                   int ok;
                  #else
                   error fail
                  #endif
                ]])],
              [gl_cv_host_cpu_c_abi=arm64-ilp32],
              [gl_cv_host_cpu_c_abi=arm64])],
           [# Don't distinguish little-endian and big-endian arm, since they
            # don't require different machine code for simple operations and
            # since the user can distinguish them through the preprocessor
            # defines __ARMEL__ vs. __ARMEB__.
            # But distinguish arm which passes floating-point arguments and
            # return values in integer registers (r0, r1, ...) - this is
            # gcc -mfloat-abi=soft or gcc -mfloat-abi=softfp - from arm which
            # passes them in float registers (s0, s1, ...) and double registers
            # (d0, d1, ...) - this is gcc -mfloat-abi=hard. GCC 4.6 or newer
            # sets the preprocessor defines __ARM_PCS (for the first case) and
            # __ARM_PCS_VFP (for the second case), but older GCC does not.
            echo 'double ddd; void func (double dd) { ddd = dd; }' > conftest.c
            # Look for a reference to the register d0 in the .s file.
            AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS $gl_c_asm_opt conftest.c) >/dev/null 2>&1
            if LC_ALL=C grep 'd0,' conftest.$gl_asmext >/dev/null; then
              gl_cv_host_cpu_c_abi=armhf
            else
              gl_cv_host_cpu_c_abi=arm
            fi
            rm -fr conftest*
           ])
         ;;
       hppa1.0 | hppa1.1 | hppa2.0* | hppa64 )
         # On hppa, the C compiler may be generating 32-bit code or 64-bit
         # code. In the latter case, it defines _LP64 and __LP64__.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#ifdef __LP64__
                 int ok;
                #else
                 error fail
                #endif
              ]])],
           [gl_cv_host_cpu_c_abi=hppa64],
           [gl_cv_host_cpu_c_abi=hppa])
         ;;
       ia64* )
         # On ia64 on HP-UX, the C compiler may be generating 64-bit code or
         # 32-bit code. In the latter case, it defines _ILP32.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#ifdef _ILP32
                 int ok;
                #else
                 error fail
                #endif
              ]])],
           [gl_cv_host_cpu_c_abi=ia64-ilp32],
           [gl_cv_host_cpu_c_abi=ia64])
         ;;
       mips* )
         # We should also check for (_MIPS_SZPTR == 64), but gcc keeps this
         # at 32.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#if defined _MIPS_SZLONG && (_MIPS_SZLONG == 64)
                 int ok;
                #else
                 error fail
                #endif
              ]])],
           [gl_cv_host_cpu_c_abi=mips64],
           [# In the n32 ABI, _ABIN32 is defined, _ABIO32 is not defined (but
            # may later get defined by <sgidefs.h>), and _MIPS_SIM == _ABIN32.
            # In the 32 ABI, _ABIO32 is defined, _ABIN32 is not defined (but
            # may later get defined by <sgidefs.h>), and _MIPS_SIM == _ABIO32.
            AC_COMPILE_IFELSE(
              [AC_LANG_SOURCE(
                 [[#if (_MIPS_SIM == _ABIN32)
                    int ok;
                   #else
                    error fail
                   #endif
                 ]])],
              [gl_cv_host_cpu_c_abi=mipsn32],
              [gl_cv_host_cpu_c_abi=mips])])
         ;;
       powerpc* )
         # Different ABIs are in use on AIX vs. Mac OS X vs. Linux,*BSD.
         # No need to distinguish them here; the caller may distinguish
         # them based on the OS.
         # On powerpc64 systems, the C compiler may still be generating
         # 32-bit code. And on powerpc-ibm-aix systems, the C compiler may
         # be generating 64-bit code.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#if defined __powerpc64__ || defined __LP64__
                 int ok;
                #else
                 error fail
                #endif
              ]])],
           [# On powerpc64, there are two ABIs on Linux: The AIX compatible
            # one and the ELFv2 one. The latter defines _CALL_ELF=2.
            AC_COMPILE_IFELSE(
              [AC_LANG_SOURCE(
                 [[#if defined _CALL_ELF && _CALL_ELF == 2
                    int ok;
                   #else
                    error fail
                   #endif
                 ]])],
              [gl_cv_host_cpu_c_abi=powerpc64-elfv2],
              [gl_cv_host_cpu_c_abi=powerpc64])
           ],
           [gl_cv_host_cpu_c_abi=powerpc])
         ;;
       rs6000 )
         gl_cv_host_cpu_c_abi=powerpc
         ;;
       riscv32 | riscv64 )
         # There are 2 architectures (with variants): rv32* and rv64*.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#if __riscv_xlen == 64
                  int ok;
                #else
                  error fail
                #endif
              ]])],
           [cpu=riscv64],
           [cpu=riscv32])
         # There are 6 ABIs: ilp32, ilp32f, ilp32d, lp64, lp64f, lp64d.
         # Size of 'long' and 'void *':
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#if defined __LP64__
                  int ok;
                #else
                  error fail
                #endif
              ]])],
           [main_abi=lp64],
           [main_abi=ilp32])
         # Float ABIs:
         # __riscv_float_abi_double:
         #   'float' and 'double' are passed in floating-point registers.
         # __riscv_float_abi_single:
         #   'float' are passed in floating-point registers.
         # __riscv_float_abi_soft:
         #   No values are passed in floating-point registers.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#if defined __riscv_float_abi_double
                  int ok;
                #else
                  error fail
                #endif
              ]])],
           [float_abi=d],
           [AC_COMPILE_IFELSE(
              [AC_LANG_SOURCE(
                 [[#if defined __riscv_float_abi_single
                     int ok;
                   #else
                     error fail
                   #endif
                 ]])],
              [float_abi=f],
              [float_abi=''])
           ])
         gl_cv_host_cpu_c_abi="${cpu}-${main_abi}${float_abi}"
         ;;
       s390* )
         # On s390x, the C compiler may be generating 64-bit (= s390x) code
         # or 31-bit (= s390) code.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#if defined __LP64__ || defined __s390x__
                  int ok;
                #else
                  error fail
                #endif
              ]])],
           [gl_cv_host_cpu_c_abi=s390x],
           [gl_cv_host_cpu_c_abi=s390])
         ;;
       sparc | sparc64 )
         # UltraSPARCs running Linux have `uname -m` = "sparc64", but the
         # C compiler still generates 32-bit code.
         AC_COMPILE_IFELSE(
           [AC_LANG_SOURCE(
              [[#if defined __sparcv9 || defined __arch64__
                 int ok;
                #else
                 error fail
                #endif
              ]])],
           [gl_cv_host_cpu_c_abi=sparc64],
           [gl_cv_host_cpu_c_abi=sparc])
         ;;
       *)
         gl_cv_host_cpu_c_abi="$host_cpu"
         ;;
     esac
    ])
  dnl In most cases, $HOST_CPU and $HOST_CPU_C_ABI are the same.
  HOST_CPU=`echo "$gl_cv_host_cpu_c_abi" | sed -e 's/-.*//'`
  HOST_CPU_C_ABI="$gl_cv_host_cpu_c_abi"
  AC_SUBST([HOST_CPU])
  AC_SUBST([HOST_CPU_C_ABI])
  # This was
  #   AC_DEFINE_UNQUOTED([__${HOST_CPU}__])
  #   AC_DEFINE_UNQUOTED([__${HOST_CPU_C_ABI}__])
  # earlier, but KAI C++ 3.2d doesn't like this.
  sed -e 's/-/_/g' >> confdefs.h <<EOF
 #ifndef __${HOST_CPU}__
 #define __${HOST_CPU}__ 1
 #endif
 #ifndef __${HOST_CPU_C_ABI}__
 #define __${HOST_CPU_C_ABI}__ 1
 #endif
 EOF
  AH_TOP([/* CPU and C ABI indicator */
 #ifndef __i386__
 #undef __i386__
 #endif
 #ifndef __x86_64_x32__
 #undef __x86_64_x32__
 #endif
 #ifndef __x86_64__
 #undef __x86_64__
 #endif
 #ifndef __alpha__
 #undef __alpha__
 #endif
 #ifndef __arm__
 #undef __arm__
 #endif
 #ifndef __armhf__
 #undef __armhf__
 #endif
 #ifndef __arm64_ilp32__
 #undef __arm64_ilp32__
 #endif
 #ifndef __arm64__
 #undef __arm64__
 #endif
 #ifndef __hppa__
 #undef __hppa__
 #endif
 #ifndef __hppa64__
 #undef __hppa64__
 #endif
 #ifndef __ia64_ilp32__
 #undef __ia64_ilp32__
 #endif
 #ifndef __ia64__
 #undef __ia64__
 #endif
 #ifndef __loongarch32__
 #undef __loongarch32__
 #endif
 #ifndef __loongarch64__
 #undef __loongarch64__
 #endif
 #ifndef __m68k__
 #undef __m68k__
 #endif
 #ifndef __mips__
 #undef __mips__
 #endif
 #ifndef __mipsn32__
 #undef __mipsn32__
 #endif
 #ifndef __mips64__
 #undef __mips64__
 #endif
 #ifndef __powerpc__
 #undef __powerpc__
 #endif
 #ifndef __powerpc64__
 #undef __powerpc64__
 #endif
 #ifndef __powerpc64_elfv2__
 #undef __powerpc64_elfv2__
 #endif
 #ifndef __riscv32__
 #undef __riscv32__
 #endif
 #ifndef __riscv64__
 #undef __riscv64__
 #endif
 #ifndef __riscv32_ilp32__
 #undef __riscv32_ilp32__
 #endif
 #ifndef __riscv32_ilp32f__
 #undef __riscv32_ilp32f__
 #endif
 #ifndef __riscv32_ilp32d__
 #undef __riscv32_ilp32d__
 #endif
 #ifndef __riscv64_ilp32__
 #undef __riscv64_ilp32__
 #endif
 #ifndef __riscv64_ilp32f__
 #undef __riscv64_ilp32f__
 #endif
 #ifndef __riscv64_ilp32d__
 #undef __riscv64_ilp32d__
 #endif
 #ifndef __riscv64_lp64__
 #undef __riscv64_lp64__
 #endif
 #ifndef __riscv64_lp64f__
 #undef __riscv64_lp64f__
 #endif
 #ifndef __riscv64_lp64d__
 #undef __riscv64_lp64d__
 #endif
 #ifndef __s390__
 #undef __s390__
 #endif
 #ifndef __s390x__
 #undef __s390x__
 #endif
 #ifndef __sh__
 #undef __sh__
 #endif
 #ifndef __sparc__
 #undef __sparc__
 #endif
 #ifndef __sparc64__
 #undef __sparc64__
 #endif
 ])
 ])
 dnl Sets the HOST_CPU_C_ABI_32BIT variable to 'yes' if the C language ABI
 dnl (application binary interface) is a 32-bit one, to 'no' if it is a 64-bit
 dnl one.
 dnl This is a simplified variant of gl_HOST_CPU_C_ABI.
 AC_DEFUN([gl_HOST_CPU_C_ABI_32BIT],
 [
  AC_REQUIRE([AC_CANONICAL_HOST])
  AC_CACHE_CHECK([32-bit host C ABI], [gl_cv_host_cpu_c_abi_32bit],
    [case "$host_cpu" in
       # CPUs that only support a 32-bit ABI.
       arc \
       | bfin \
       | cris* \
       | csky \
       | epiphany \
       | ft32 \
       | h8300 \
       | m68k \
       | microblaze | microblazeel \
       | nds32 | nds32le | nds32be \
       | nios2 | nios2eb | nios2el \
       | or1k* \
       | or32 \
       | sh | sh[1234] | sh[1234]e[lb] \
       | tic6x \
       | xtensa* )
         gl_cv_host_cpu_c_abi_32bit=yes
         ;;
       # CPUs that only support a 64-bit ABI.
 changequote(,)dnl
       alpha | alphaev[4-8] | alphaev56 | alphapca5[67] | alphaev6[78] \
       | mmix )
 changequote([,])dnl
         gl_cv_host_cpu_c_abi_32bit=no
         ;;
       *)
         if test -n "$gl_cv_host_cpu_c_abi"; then
           dnl gl_HOST_CPU_C_ABI has already been run. Use its result.
           case "$gl_cv_host_cpu_c_abi" in
             i386 | x86_64-x32 | arm | armhf | arm64-ilp32 | hppa | ia64-ilp32 | loongarch32 | mips | mipsn32 | powerpc | riscv*-ilp32* | s390 | sparc)
               gl_cv_host_cpu_c_abi_32bit=yes ;;
             x86_64 | alpha | arm64 | aarch64c | hppa64 | ia64 | loongarch64 | mips64 | powerpc64 | powerpc64-elfv2 | riscv*-lp64* | s390x | sparc64 )
               gl_cv_host_cpu_c_abi_32bit=no ;;
             *)
               gl_cv_host_cpu_c_abi_32bit=unknown ;;
           esac
         else
           gl_cv_host_cpu_c_abi_32bit=unknown
         fi
         if test $gl_cv_host_cpu_c_abi_32bit = unknown; then
           AC_COMPILE_IFELSE(
             [AC_LANG_SOURCE(
                [[int test_pointer_size[sizeof (void *) - 5];
                ]])],
             [gl_cv_host_cpu_c_abi_32bit=no],
             [gl_cv_host_cpu_c_abi_32bit=yes])
         fi
         ;;
     esac
    ])
  HOST_CPU_C_ABI_32BIT="$gl_cv_host_cpu_c_abi_32bit"
 ])
--- a/m4/macros/lib-prefix.m4
+++ b/m4/macros/lib-prefix.m4
@ -1,334 +0,0 @@
 # lib-prefix.m4
 # serial 23
 dnl Copyright (C) 2001-2005, 2008-2025 Free Software Foundation, Inc.
 dnl This file is free software; the Free Software Foundation
 dnl gives unlimited permission to copy and/or distribute it,
 dnl with or without modifications, as long as this notice is preserved.
 dnl This file is offered as-is, without any warranty.
 dnl From Bruno Haible.
 dnl AC_LIB_PREFIX adds to the CPPFLAGS and LDFLAGS the flags that are needed
 dnl to access previously installed libraries. The basic assumption is that
 dnl a user will want packages to use other packages he previously installed
 dnl with the same --prefix option.
 dnl This macro is not needed if only AC_LIB_LINKFLAGS is used to locate
 dnl libraries, but is otherwise very convenient.
 AC_DEFUN([AC_LIB_PREFIX],
 [
  AC_BEFORE([$0], [AC_LIB_LINKFLAGS])
  AC_REQUIRE([AC_PROG_CC])
  AC_REQUIRE([AC_CANONICAL_HOST])
  AC_REQUIRE([AC_LIB_PREPARE_MULTILIB])
  AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
  dnl By default, look in $includedir and $libdir.
  use_additional=yes
  AC_LIB_WITH_FINAL_PREFIX([
    eval additional_includedir=\"$includedir\"
    eval additional_libdir=\"$libdir\"
  ])
  AC_ARG_WITH([lib-prefix],
 [[  --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
  --without-lib-prefix    don't search for libraries in includedir and libdir]],
 [
    if test "X$withval" = "Xno"; then
      use_additional=no
    else
      if test "X$withval" = "X"; then
        AC_LIB_WITH_FINAL_PREFIX([
          eval additional_includedir=\"$includedir\"
          eval additional_libdir=\"$libdir\"
        ])
      else
        additional_includedir="$withval/include"
        additional_libdir="$withval/$acl_libdirstem"
      fi
    fi
 ])
  if test $use_additional = yes; then
    dnl Potentially add $additional_includedir to $CPPFLAGS.
    dnl But don't add it
    dnl   1. if it's the standard /usr/include,
    dnl   2. if it's already present in $CPPFLAGS,
    dnl   3. if it's /usr/local/include and we are using GCC on Linux,
    dnl   4. if it doesn't exist as a directory.
    if test "X$additional_includedir" != "X/usr/include"; then
      haveit=
      for x in $CPPFLAGS; do
        AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
        if test "X$x" = "X-I$additional_includedir"; then
          haveit=yes
          break
        fi
      done
      if test -z "$haveit"; then
        if test "X$additional_includedir" = "X/usr/local/include"; then
          if test -n "$GCC"; then
            case $host_os in
              linux* | gnu* | k*bsd*-gnu) haveit=yes;;
            esac
          fi
        fi
        if test -z "$haveit"; then
          if test -d "$additional_includedir"; then
            dnl Really add $additional_includedir to $CPPFLAGS.
            CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
          fi
        fi
      fi
    fi
    dnl Potentially add $additional_libdir to $LDFLAGS.
    dnl But don't add it
    dnl   1. if it's the standard /usr/lib,
    dnl   2. if it's already present in $LDFLAGS,
    dnl   3. if it's /usr/local/lib and we are using GCC on Linux,
    dnl   4. if it doesn't exist as a directory.
    if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then
      haveit=
      for x in $LDFLAGS; do
        AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
        if test "X$x" = "X-L$additional_libdir"; then
          haveit=yes
          break
        fi
      done
      if test -z "$haveit"; then
        if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then
          if test -n "$GCC"; then
            case $host_os in
              linux*) haveit=yes;;
            esac
          fi
        fi
        if test -z "$haveit"; then
          if test -d "$additional_libdir"; then
            dnl Really add $additional_libdir to $LDFLAGS.
            LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
          fi
        fi
      fi
    fi
  fi
 ])
 dnl AC_LIB_PREPARE_PREFIX creates variables acl_final_prefix,
 dnl acl_final_exec_prefix, containing the values to which $prefix and
 dnl $exec_prefix will expand at the end of the configure script.
 AC_DEFUN([AC_LIB_PREPARE_PREFIX],
 [
  dnl Unfortunately, prefix and exec_prefix get only finally determined
  dnl at the end of configure.
  if test "X$prefix" = "XNONE"; then
    acl_final_prefix="$ac_default_prefix"
  else
    acl_final_prefix="$prefix"
  fi
  if test "X$exec_prefix" = "XNONE"; then
    acl_final_exec_prefix='${prefix}'
  else
    acl_final_exec_prefix="$exec_prefix"
  fi
  acl_saved_prefix="$prefix"
  prefix="$acl_final_prefix"
  eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
  prefix="$acl_saved_prefix"
 ])
 dnl AC_LIB_WITH_FINAL_PREFIX([statement]) evaluates statement, with the
 dnl variables prefix and exec_prefix bound to the values they will have
 dnl at the end of the configure script.
 AC_DEFUN([AC_LIB_WITH_FINAL_PREFIX],
 [
  acl_saved_prefix="$prefix"
  prefix="$acl_final_prefix"
  acl_saved_exec_prefix="$exec_prefix"
  exec_prefix="$acl_final_exec_prefix"
  $1
  exec_prefix="$acl_saved_exec_prefix"
  prefix="$acl_saved_prefix"
 ])
 dnl AC_LIB_PREPARE_MULTILIB creates
 dnl - a function acl_is_expected_elfclass, that tests whether standard input
 dnl;   has a 32-bit or 64-bit ELF header, depending on the host CPU ABI,
 dnl - 3 variables acl_libdirstem, acl_libdirstem2, acl_libdirstem3, containing
 dnl   the basename of the libdir to try in turn, either "lib" or "lib64" or
 dnl   "lib/64" or "lib32" or "lib/sparcv9" or "lib/amd64" or similar.
 AC_DEFUN([AC_LIB_PREPARE_MULTILIB],
 [
  dnl There is no formal standard regarding lib, lib32, and lib64.
  dnl On most glibc systems, the current practice is that on a system supporting
  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
  dnl $prefix/lib64 and 32-bit libraries go under $prefix/lib. However, on
  dnl Arch Linux based distributions, it's the opposite: 32-bit libraries go
  dnl under $prefix/lib32 and 64-bit libraries go under $prefix/lib.
  dnl We determine the compiler's default mode by looking at the compiler's
  dnl library search path. If at least one of its elements ends in /lib64 or
  dnl points to a directory whose absolute pathname ends in /lib64, we use that
  dnl for 64-bit ABIs. Similarly for 32-bit ABIs. Otherwise we use the default,
  dnl namely "lib".
  dnl On Solaris systems, the current practice is that on a system supporting
  dnl 32-bit and 64-bit instruction sets or ABIs, 64-bit libraries go under
  dnl $prefix/lib/64 (which is a symlink to either $prefix/lib/sparcv9 or
  dnl $prefix/lib/amd64) and 32-bit libraries go under $prefix/lib.
  AC_REQUIRE([AC_CANONICAL_HOST])
  AC_REQUIRE([gl_HOST_CPU_C_ABI_32BIT])
  AC_CACHE_CHECK([for ELF binary format], [gl_cv_elf],
    [AC_EGREP_CPP([Extensible Linking Format],
       [#if defined __ELF__ || (defined __linux__ && (defined __EDG__ || defined __SUNPRO_C))
        Extensible Linking Format
        #endif
       ],
       [gl_cv_elf=yes],
       [gl_cv_elf=no])
    ])
  if test $gl_cv_elf = yes; then
    # Extract the ELF class of a file (5th byte) in decimal.
    # Cf. https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#File_header
    if od -A x < /dev/null >/dev/null 2>/dev/null; then
      # Use POSIX od.
      func_elfclass ()
      {
        od -A n -t d1 -j 4 -N 1
      }
    else
      # Use BSD hexdump.
      func_elfclass ()
      {
        dd bs=1 count=1 skip=4 2>/dev/null | hexdump -e '1/1 "%3d "'
        echo
      }
    fi
    # Use 'expr', not 'test', to compare the values of func_elfclass, because on
    # Solaris 11 OpenIndiana and Solaris 11 OmniOS, the result is 001 or 002,
    # not 1 or 2.
 changequote(,)dnl
    case $HOST_CPU_C_ABI_32BIT in
      yes)
        # 32-bit ABI.
        acl_is_expected_elfclass ()
        {
          expr "`func_elfclass | sed -e 's/[ 	]//g'`" = 1 > /dev/null
        }
        ;;
      no)
        # 64-bit ABI.
        acl_is_expected_elfclass ()
        {
          expr "`func_elfclass | sed -e 's/[ 	]//g'`" = 2 > /dev/null
        }
        ;;
      *)
        # Unknown.
        acl_is_expected_elfclass ()
        {
          :
        }
        ;;
    esac
 changequote([,])dnl
  else
    acl_is_expected_elfclass ()
    {
      :
    }
  fi
  dnl Allow the user to override the result by setting acl_cv_libdirstems.
  AC_CACHE_CHECK([for the common suffixes of directories in the library search path],
    [acl_cv_libdirstems],
    [dnl Try 'lib' first, because that's the default for libdir in GNU, see
     dnl <https://www.gnu.org/prep/standards/html_node/Directory-Variables.html>.
     acl_libdirstem=lib
     acl_libdirstem2=
     acl_libdirstem3=
     case "$host_os" in
       solaris*)
         dnl See Solaris 10 Software Developer Collection > Solaris 64-bit Developer's Guide > The Development Environment
         dnl <https://docs.oracle.com/cd/E19253-01/816-5138/dev-env/index.html>.
         dnl "Portable Makefiles should refer to any library directories using the 64 symbolic link."
         dnl But we want to recognize the sparcv9 or amd64 subdirectory also if the
         dnl symlink is missing, so we set acl_libdirstem2 too.
         if test $HOST_CPU_C_ABI_32BIT = no; then
           acl_libdirstem2=lib/64
           case "$host_cpu" in
             sparc*)        acl_libdirstem3=lib/sparcv9 ;;
             i*86 | x86_64) acl_libdirstem3=lib/amd64 ;;
           esac
         fi
         ;;
       netbsd*)
         dnl On NetBSD/sparc64, there is a 'sparc' subdirectory that contains
         dnl 32-bit libraries.
         if test $HOST_CPU_C_ABI_32BIT != no; then
           case "$host_cpu" in
             sparc*) acl_libdirstem2=lib/sparc ;;
           esac
         fi
         ;;
       *)
         dnl If $CC generates code for a 32-bit ABI, the libraries are
         dnl surely under $prefix/lib or $prefix/lib32, not $prefix/lib64.
         dnl Similarly, if $CC generates code for a 64-bit ABI, the libraries
         dnl are surely under $prefix/lib or $prefix/lib64, not $prefix/lib32.
         dnl Find the compiler's search path. However, non-system compilers
         dnl sometimes have odd library search paths. But we can't simply invoke
         dnl '/usr/bin/gcc -print-search-dirs' because that would not take into
         dnl account the -m32/-m31 or -m64 options from the $CC or $CFLAGS.
         searchpath=`(LC_ALL=C $CC $CPPFLAGS $CFLAGS -print-search-dirs) 2>/dev/null \
                     | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'`
         if test $HOST_CPU_C_ABI_32BIT != no; then
           # 32-bit or unknown ABI.
           if test -d /usr/lib32; then
             acl_libdirstem2=lib32
           fi
         fi
         if test $HOST_CPU_C_ABI_32BIT != yes; then
           # 64-bit or unknown ABI.
           if test -d /usr/lib64; then
             acl_libdirstem3=lib64
           fi
         fi
         if test -n "$searchpath"; then
           acl_saved_IFS="${IFS= 	}"; IFS=":"
           for searchdir in $searchpath; do
             if test -d "$searchdir"; then
               case "$searchdir" in
                 */lib32/ | */lib32 ) acl_libdirstem2=lib32 ;;
                 */lib64/ | */lib64 ) acl_libdirstem3=lib64 ;;
                 */../ | */.. )
                   # Better ignore directories of this form. They are misleading.
                   ;;
                 *) searchdir=`cd "$searchdir" && pwd`
                    case "$searchdir" in
                      */lib32 ) acl_libdirstem2=lib32 ;;
                      */lib64 ) acl_libdirstem3=lib64 ;;
                    esac ;;
               esac
             fi
           done
           IFS="$acl_saved_IFS"
           if test $HOST_CPU_C_ABI_32BIT = yes; then
             # 32-bit ABI.
             acl_libdirstem3=
           fi
           if test $HOST_CPU_C_ABI_32BIT = no; then
             # 64-bit ABI.
             acl_libdirstem2=
           fi
         fi
         ;;
     esac
     test -n "$acl_libdirstem2" || acl_libdirstem2="$acl_libdirstem"
     test -n "$acl_libdirstem3" || acl_libdirstem3="$acl_libdirstem"
     acl_cv_libdirstems="$acl_libdirstem,$acl_libdirstem2,$acl_libdirstem3"
    ])
  dnl Decompose acl_cv_libdirstems into acl_libdirstem, acl_libdirstem2, and
  dnl acl_libdirstem3.
 changequote(,)dnl
  acl_libdirstem=`echo "$acl_cv_libdirstems" | sed -e 's/,.*//'`
  acl_libdirstem2=`echo "$acl_cv_libdirstems" | sed -e 's/^[^,]*,//' -e 's/,.*//'`
  acl_libdirstem3=`echo "$acl_cv_libdirstems" | sed -e 's/^[^,]*,[^,]*,//' -e 's/,.*//'`
 changequote([,])dnl
 ])
--- a/scripts/test.sh
+++ b/scripts/test.sh
@ -28,8 +28,8 @@ build_botan()
 	git clone https://github.com/randombit/botan.git $BOTAN_DIR &&
 	cd $BOTAN_DIR &&
 	git checkout -qf $BOTAN_REV &&
-	./configure.py --amalgamation $BOTAN_CONFIG &&
+	python ./configure.py --amalgamation $BOTAN_CONFIG &&
-	make -j$(nproc) libs >/dev/null &&
+	make -j4 libs >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@ -37,7 +37,7 @@ build_botan()
 build_wolfssl()
 {
-	WOLFSSL_REV=v5.8.2-stable
+	WOLFSSL_REV=v5.7.4-stable
 	WOLFSSL_DIR=$DEPS_BUILD_DIR/wolfssl
 	if test -d "$WOLFSSL_DIR"; then
@ -54,7 +54,7 @@ build_wolfssl()
 					--enable-aesccm --enable-aesctr --enable-camellia
 					--enable-curve25519 --enable-curve448 --enable-des3
 					--enable-ecccustcurves --enable-ed25519 --enable-ed448
-					--enable-keygen --enable-mlkem --with-max-rsa-bits=8192
+					--enable-keygen --enable-kyber --with-max-rsa-bits=8192
 					--enable-md4 --enable-rsapss --enable-sha3 --enable-shake256"
 	git clone https://github.com/wolfSSL/wolfssl.git $WOLFSSL_DIR &&
@ -62,7 +62,7 @@ build_wolfssl()
 	git checkout -qf $WOLFSSL_REV &&
 	./autogen.sh &&
 	./configure C_EXTRA_FLAGS="$WOLFSSL_CFLAGS" $WOLFSSL_CONFIG &&
-	make -j$(nproc) >/dev/null &&
+	make -j4 >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@ -84,7 +84,7 @@ build_tss2()
 	curl -L $TSS2_SRC | tar xz -C $DEPS_BUILD_DIR &&
 	cd $TSS2_DIR &&
 	./configure --prefix=$DEPS_PREFIX --disable-doxygen-doc &&
-	make -j$(nproc) >/dev/null &&
+	make -j4 >/dev/null &&
 	sudo make install >/dev/null &&
 	sudo ldconfig || exit $?
 	cd -
@ -92,8 +92,10 @@ build_tss2()
 build_openssl()
 {
-	SSL_REV=openssl-3.5.1
+	SSL_REV=3.1.1
-	SSL_DIR=$DEPS_BUILD_DIR/openssl
+	SSL_PKG=openssl-$SSL_REV
 	SSL_DIR=$DEPS_BUILD_DIR/$SSL_PKG
 	SSL_SRC=https://www.openssl.org/source/$SSL_PKG.tar.gz
 	SSL_INS=$DEPS_PREFIX/ssl
 	SSL_OPT="-d shared no-dtls no-ssl3 no-zlib no-idea no-psk
 			 no-tests enable-rfc3779 enable-ec_nistp_64_gcc_128"
@ -115,7 +117,7 @@ build_openssl()
 	echo "$ build_openssl()"
-	git clone https://github.com/openssl/openssl.git --depth 1 -b $SSL_REV $SSL_DIR || exit $?
+	curl -L $SSL_SRC | tar xz -C $DEPS_BUILD_DIR || exit $?
 	if [ "$TEST" = "android" ]; then
 		OPENSSL_SRC=${SSL_DIR} \
@ -123,7 +125,7 @@ build_openssl()
 	else
 		cd $SSL_DIR &&
 		./config --prefix=$SSL_INS --openssldir=$SSL_INS --libdir=lib $SSL_OPT &&
-		make -j$(nproc) >/dev/null &&
+		make -j4 >/dev/null &&
 		sudo make install_sw >/dev/null &&
 		sudo ldconfig || exit $?
 		cd -
@ -132,7 +134,7 @@ build_openssl()
 build_awslc()
 {
-	LC_REV=1.55.0
+	LC_REV=1.45.0
 	LC_PKG=aws-lc-$LC_REV
 	LC_DIR=$DEPS_BUILD_DIR/$LC_PKG
 	LC_SRC=https://github.com/aws/aws-lc/archive/refs/tags/v${LC_REV}.tar.gz
@ -202,7 +204,6 @@ prepare_system_openssl()
 	fi
 }
 : ${SRC_DIR=$PWD}
 : ${BUILD_DIR=$PWD}
 : ${DEPS_BUILD_DIR=$BUILD_DIR/..}
 : ${DEPS_PREFIX=/usr/local}
@ -272,7 +273,14 @@ printf-builtin)
 		prepare_system_openssl $1
 	fi
 	;;
-all|alpine|codeql|coverage|sonarcloud|no-dbg|no-testable-ke)
+all|alpine|codeql|coverage|sonarcloud|no-dbg)
 	if [ "$TEST" = "sonarcloud" ]; then
 		if [ -z "$SONAR_PROJECT" -o -z "$SONAR_ORGANIZATION" -o -z "$SONAR_TOKEN" ]; then
 			echo "The SONAR_PROJECT, SONAR_ORGANIZATION and SONAR_TOKEN" \
 				 "environment variables are required to run this test"
 			exit 1
 		fi
 	fi
 	if [ "$TEST" = "codeql" ]; then
 		# don't run tests, only analyze built code
 		TARGET=
@ -283,39 +291,34 @@ all|alpine|codeql|coverage|sonarcloud|no-dbg|no-testable-ke)
 	CONFIG="--enable-all --disable-android-dns --disable-android-log
 			--disable-kernel-pfroute --disable-keychain
 			--disable-lock-profiler --disable-padlock --disable-fuzzing
-			--disable-osx-attr --disable-tkm
+			--disable-osx-attr --disable-tkm --disable-uci
 			--disable-unwind-backtraces
 			--disable-svc --disable-dbghelp-backtraces --disable-socket-win
 			--disable-kernel-wfp --disable-kernel-iph --disable-winhttp"
 	# not enabled on the build server
 	CONFIG="$CONFIG --disable-af-alg"
 	# unable to build Botan on Ubuntu 20.04
 	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
 		CONFIG="$CONFIG --disable-botan"
 	fi
 	if test "$TEST" != "coverage"; then
 		CONFIG="$CONFIG --disable-coverage"
 	else
 		DEPS="$DEPS lcov"
 		TARGET="coverage"
 	fi
-	if [ "$TEST" = "no-testable-ke" ]; then
+	DEPS="$DEPS libcurl4-gnutls-dev libsoup2.4-dev libunbound-dev libldns-dev
 		CONFIG="$CONFIG --without-testable-ke"
 	fi
 	DEPS="$DEPS libcurl4-gnutls-dev libsoup-3.0-dev libunbound-dev libldns-dev
 		  libmysqlclient-dev libsqlite3-dev clearsilver-dev libfcgi-dev
 		  libldap2-dev libpcsclite-dev libpam0g-dev binutils-dev libnm-dev
-		  libgcrypt20-dev libjson-c-dev libtspi-dev libsystemd-dev
+		  libgcrypt20-dev libjson-c-dev python3-pip libtspi-dev libsystemd-dev
-		  libselinux1-dev libiptc-dev ruby-rubygems python3-build tox"
+		  libselinux1-dev libiptc-dev"
 	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "22.04" -a "$1" = "build-deps" ]; then
 		# python3-build is broken on 22.04 with venv (https://bugs.launchpad.net/ubuntu/+source/python-build/+bug/1992108)
 		# while installing python3-virtualenv should help, it doesn't. as even
 		# after uninstalling python3-venv, build prefers the latter
 		sudo python3 -m pip install --upgrade build
 	fi
 	if [ "$TEST" = "alpine" ]; then
 		# override the whole list for alpine
-		DEPS="git gmp-dev openldap-dev curl-dev ldns-dev unbound-dev libsoup3-dev
+		DEPS="git gmp-dev openldap-dev curl-dev ldns-dev unbound-dev libsoup-dev
-			  libxml2-dev tpm2-tss-dev tpm2-tss-sys mariadb-dev wolfssl-dev
+			  tpm2-tss-dev tpm2-tss-sys mariadb-dev wolfssl-dev libgcrypt-dev
-			  libgcrypt-dev botan3-dev pcsc-lite-dev networkmanager-dev
+			  botan3-dev pcsc-lite-dev networkmanager-dev linux-pam-dev
-			  linux-pam-dev iptables-dev libselinux-dev binutils-dev libunwind-dev
+			  iptables-dev libselinux-dev binutils-dev libunwind-dev ruby
-			  ruby py3-setuptools py3-build py3-tox"
+			  py3-setuptools py3-build py3-tox"
 		# musl does not provide backtrace(), so use libunwind
 		CONFIG="$CONFIG --enable-unwind-backtraces"
 		# alpine doesn't have systemd
@ -325,8 +328,11 @@ all|alpine|codeql|coverage|sonarcloud|no-dbg|no-testable-ke)
 		# and no Clearsilver
 		CONFIG="$CONFIG --disable-fast --disable-manager --disable-medsrv"
 	fi
 	PYDEPS="build tox"
 	if test "$1" = "build-deps"; then
-		build_botan
+		if [ "$ID" = "ubuntu" -a "$VERSION_ID" != "20.04" ]; then
 			build_botan
 		fi
 		build_wolfssl
 		build_tss2
 	fi
@ -394,9 +400,10 @@ macos)
 			--enable-socket-default --enable-sshkey --enable-stroke
 			--enable-swanctl --enable-unity --enable-updown
 			--enable-x509 --enable-xauth-generic"
-	DEPS="automake autoconf libtool bison gperf pkgconf openssl@1.1 curl"
+	DEPS="automake autoconf libtool bison gettext gperf pkgconf openssl@1.1 curl"
 	BREW_PREFIX=$(brew --prefix)
 	export PATH=$BREW_PREFIX/opt/bison/bin:$PATH
 	export ACLOCAL_PATH=$BREW_PREFIX/opt/gettext/share/aclocal:$ACLOCAL_PATH
 	for pkg in openssl@1.1 curl
 	do
 		PKG_CONFIG_PATH=$BREW_PREFIX/opt/$pkg/lib/pkgconfig:$PKG_CONFIG_PATH
@ -450,11 +457,11 @@ fuzzing)
 	;;
 nm)
 	DEPS="gnome-common libsecret-1-dev libgtk-3-dev libnm-dev libnma-dev"
-	ORIG_SRC_DIR="$SRC_DIR"
+	# Ubuntu 20.04 requires this package explicitly for the ITS rules for the .metainfo.xml file
-	SRC_DIR="$ORIG_SRC_DIR/src/frontends/gnome"
+	if [ "$ID" = "ubuntu" -a "$VERSION_ID" = "20.04" ]; then
-	if [ "$ORIG_SRC_DIR" = "$BUILD_DIR" ]; then
+		DEPS="$DEPS appstream"
 		BUILD_DIR="$SRC_DIR"
 	fi
 	cd src/frontends/gnome
 	# don't run ./configure with ./autogen.sh
 	export NOCONFIGURE=1
 	;;
@ -477,11 +484,11 @@ deps)
 	case "$OS_NAME" in
 	linux)
 		sudo apt-get update -y && \
-		sudo apt-get install -y automake autoconf libtool pkgconf bison flex gperf $DEPS
+		sudo apt-get install -y bison flex gperf gettext $DEPS
 		;;
 	alpine)
 		apk add --no-cache build-base automake autoconf libtool pkgconfig && \
-		apk add --no-cache bison flex gperf tzdata $DEPS
+		apk add --no-cache bison flex gperf gettext-dev tzdata $DEPS
 		;;
 	macos)
 		brew update && \
@ -489,11 +496,15 @@ deps)
 		;;
 	freebsd)
 		pkg install -y automake autoconf libtool pkgconf && \
-		pkg install -y bison flex gperf $DEPS
+		pkg install -y bison flex gperf gettext $DEPS
 		;;
 	esac
 	exit $?
 	;;
 pydeps)
 	test -z "$PYDEPS" || pip3 -q install --user $PYDEPS
 	exit $?
 	;;
 build-deps)
 	exit
 	;;
@ -522,15 +533,10 @@ case "$TEST" in
 		;;
 esac
-cd $SRC_DIR
+echo "$ ./autogen.sh"
-if [ ! -f ./configure ]; then
+./autogen.sh || exit $?
 	echo "$ ./autogen.sh"
 	./autogen.sh || exit $?
 fi
 cd $BUILD_DIR
 echo "$ CC=$CC CFLAGS=\"$CFLAGS\" ./configure $CONFIG"
-CC="$CC" CFLAGS="$CFLAGS" $SRC_DIR/configure $CONFIG || exit $?
+CC="$CC" CFLAGS="$CFLAGS" ./configure $CONFIG || exit $?
 case "$TEST" in
 apidoc)
@ -545,10 +551,10 @@ case "$TEST" in
 sonarcloud)
 	# without target, coverage is currently not supported anyway because
 	# sonarqube only supports gcov, not lcov
-	build-wrapper-linux-x86-64 --out-dir $BUILD_WRAPPER_OUT_DIR make -j$(nproc) || exit $?
+	build-wrapper-linux-x86-64 --out-dir bw-output make -j4 || exit $?
 	;;
 *)
-	make -j$(nproc) $TARGET || exit $?
+	make -j4 $TARGET || exit $?
 	;;
 esac
@ -560,9 +566,23 @@ apidoc)
 	fi
 	rm make.warnings
 	;;
 sonarcloud)
 	sonar-scanner \
 		-Dsonar.host.url=https://sonarcloud.io \
 		-Dsonar.projectKey=${SONAR_PROJECT} \
 		-Dsonar.organization=${SONAR_ORGANIZATION} \
 		-Dsonar.token=${SONAR_TOKEN} \
 		-Dsonar.projectVersion=$(git describe --exclude 'android-*')+${BUILD_NUMBER} \
 		-Dsonar.sources=. \
 		-Dsonar.cfamily.threads=2 \
 		-Dsonar.cfamily.analysisCache.mode=fs \
 		-Dsonar.cfamily.analysisCache.path=$HOME/.sonar-cache \
 		-Dsonar.cfamily.build-wrapper-output=bw-output || exit $?
 	rm -r bw-output .scannerwork
 	;;
 android)
 	rm -r strongswan-*
-	cd $SRC_DIR/src/frontends/android
+	cd src/frontends/android
 	echo "$ ./gradlew build"
 	NDK_CCACHE=ccache ./gradlew build --info || exit $?
 	;;
@ -570,7 +590,6 @@ android)
 	;;
 esac
 cd $SRC_DIR
 # ensure there are no unignored build artifacts (or other changes) in the Git repo
 unclean="$(git status --porcelain)"
 if test -n "$unclean"; then
--- a/sonar-project.properties
+++ b/sonar-project.properties
@ -1,5 +1,3 @@
 sonar.sources=.
 # exclude these files completely
 sonar.exclusions=\
 	src/manager/templates/static/jquery.js, \
--- a/src/charon-cmd/cmd/cmd_connection.c
+++ b/src/charon-cmd/cmd/cmd_connection.c
@ -170,7 +170,7 @@ static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
 		case PROF_V1_XAUTH_AM:
 		case PROF_V1_XAUTH_PSK_AM:
 		case PROF_V1_HYBRID_AM:
-			peer.options |= OPT_IKEV1_AGGRESSIVE;
+			peer.aggressive = TRUE;
 			/* FALL */
 		case PROF_V1_PUB:
 		case PROF_V1_XAUTH:
@ -585,7 +585,7 @@ cmd_connection_t *cmd_connection_create()
 	lib->processor->queue_job(lib->processor,
 		(job_t*)callback_job_create_with_prio(
 			(callback_job_cb_t)initiate, this, NULL,
-			callback_job_cancel_thread, JOB_PRIO_CRITICAL));
+			(callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
 	return &this->public;
 }
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@ -217,18 +217,6 @@ int main(int argc, char *argv[])
 	lib->settings->set_default_str(lib->settings,
 				"charon-nm.plugins.kernel-netlink.fwmark", "!210");
 	/* trigger a DPD to verify the current path is working */
 	lib->settings->set_default_str(lib->settings,
 				"charon-nm.check_current_path", "yes");
 	/* fail more quickly so users don't have to wait too long for a new SA */
 	lib->settings->set_default_str(lib->settings,
 				"charon-nm.retransmit_tries", "3");
 	lib->settings->set_default_str(lib->settings,
 				"charon-nm.retransmit_timeout", "2.0");
 	lib->settings->set_default_str(lib->settings,
 				"charon-nm.retransmit_base", "1.4");
 	DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
 	if (lib->integrity)
 	{
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@ -78,8 +78,7 @@ static job_requeue_t run(nm_backend_t *this)
 /**
 * Cancel the GLib Main Event Loop
 */
-CALLBACK(cancel, bool,
+static bool cancel(nm_backend_t *this)
 	nm_backend_t *this)
 {
 	if (this->loop)
 	{
@ -153,7 +152,7 @@ static bool nm_backend_init()
 	lib->processor->queue_job(lib->processor,
 		(job_t*)callback_job_create_with_prio((callback_job_cb_t)run, this,
-				NULL, cancel, JOB_PRIO_CRITICAL));
+				NULL, (callback_job_cancel_t)cancel, JOB_PRIO_CRITICAL));
 	return TRUE;
 }
--- a/src/charon-nm/nm/nm_handler.c
+++ b/src/charon-nm/nm/nm_handler.c
@ -195,7 +195,7 @@ nm_handler_t *nm_handler_create()
 		.public = {
 			.handler = {
 				.handle = _handle,
-				.release = (void*)nop,
+				.release = nop,
 				.create_attribute_enumerator = _create_attribute_enumerator,
 			},
 			.create_enumerator = _create_enumerator,
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@ -214,10 +214,6 @@ static void signal_ip_config(NMVpnServicePlugin *plugin,
 	handler = priv->handler;
 	/* we can reconnect automatically if interfaces change */
 	g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CAN_PERSIST,
 						   g_variant_new_boolean (TRUE));
 	/* NM apparently requires to know the gateway (it uses it to install a
 	 * direct route via physical interface if conflicting routes are passed) */
 	other = ike_sa->get_other_host(ike_sa);
--- a/src/charon-tkm/src/ees/ees_callbacks.c
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@ -25,9 +25,7 @@
 void charon_esa_acquire(result_type *res, const sp_id_type sp_id)
 {
-	kernel_acquire_data_t data = {
+	kernel_acquire_data_t data = {};
 		.cpu = CPU_ID_MAX,
 	};
 	DBG1(DBG_KNL, "ees: acquire received for reqid %u", sp_id);
 	charon->kernel->acquire(charon->kernel, sp_id, &data);
--- a/src/conftest/config.c
+++ b/src/conftest/config.c
@ -265,7 +265,7 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 		.cert_policy = CERT_ALWAYS_SEND,
 		.unique = UNIQUE_NO,
 		.keyingtries = 1,
-		.options = OPT_NO_MOBIKE,
+		.no_mobike = TRUE,
 	};
 	ike_cfg = load_ike_config(this, settings, config);
--- a/src/frontends/android/app/build.gradle
+++ b/src/frontends/android/app/build.gradle
@ -9,8 +9,8 @@ android {
        minSdkVersion 21
        targetSdkVersion 34
-        versionCode 91
+        versionCode 87
-        versionName "2.5.6"
+        versionName "2.5.3"
        externalNativeBuild {
            ndkBuild {
@ -45,8 +45,8 @@ android {
 }
 dependencies {
-    implementation 'androidx.appcompat:appcompat:1.7.1'
+    implementation 'androidx.appcompat:appcompat:1.7.0'
-    implementation 'androidx.lifecycle:lifecycle-process:2.9.1'
+    implementation 'androidx.lifecycle:lifecycle-process:2.8.3'
    implementation 'androidx.preference:preference:1.2.1'
    implementation 'com.google.android.material:material:1.12.0'
    testImplementation 'junit:junit:4.13.2'
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/data/DatabaseHelper.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/data/DatabaseHelper.java
@ -1,6 +1,6 @@
 /*
 * Copyright (C) 2023 Relution GmbH
- * Copyright (C) 2012-2025 Tobias Brunner
+ * Copyright (C) 2012-2024 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 *
@ -67,9 +67,6 @@ public class DatabaseHelper extends SQLiteOpenHelper
 		new DbColumn(VpnProfileDataSource.KEY_IKE_PROPOSAL, "TEXT", 15),
 		new DbColumn(VpnProfileDataSource.KEY_ESP_PROPOSAL, "TEXT", 15),
 		new DbColumn(VpnProfileDataSource.KEY_DNS_SERVERS, "TEXT", 17),
 		new DbColumn(VpnProfileDataSource.KEY_PROXY_HOST, "TEXT", 19),
 		new DbColumn(VpnProfileDataSource.KEY_PROXY_PORT, "INTEGER", 19),
 		new DbColumn(VpnProfileDataSource.KEY_PROXY_EXCLUSIONS, "TEXT", 19),
 	});
 	public static final DbTable TABLE_TRUSTED_CERTIFICATE = new DbTable(TABLE_NAME_TRUSTED_CERTIFICATE, 18, new DbColumn[]{
@ -87,7 +84,7 @@ public class DatabaseHelper extends SQLiteOpenHelper
 		new DbColumn(ManagedUserCertificate.KEY_PASSWORD, "TEXT", 18),
 	});
-	private static final int DATABASE_VERSION = 19;
+	private static final int DATABASE_VERSION = 18;
 	private static final Set<DbTable> TABLES;
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/data/ManagedVpnProfile.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/data/ManagedVpnProfile.java
@ -83,14 +83,6 @@ public class ManagedVpnProfile extends VpnProfile
 			setIncludedSubnets(getString(splitTunneling, VpnProfileDataSource.KEY_INCLUDED_SUBNETS));
 		}
 		final Bundle proxyServer = bundle.getBundle(VpnProfileDataSource.KEY_PROXY_SERVER);
 		if (proxyServer != null)
 		{
 			setProxyHost(getString(proxyServer, VpnProfileDataSource.KEY_PROXY_HOST));
 			setProxyPort(getInt(proxyServer, VpnProfileDataSource.KEY_PROXY_PORT, 1, 65_535));
 			setProxyExclusions(getString(proxyServer, VpnProfileDataSource.KEY_PROXY_EXCLUSIONS));
 		}
 		setSplitTunneling(splitFlags);
 		setFlags(flags);
 	}
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfile.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfile.java
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2025 Tobias Brunner
+ * Copyright (C) 2012-2019 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 *
@ -42,8 +42,8 @@ public class VpnProfile implements Cloneable
 	private String mName, mGateway, mUsername, mPassword, mCertificate, mUserCertificate;
 	private String mRemoteId, mLocalId, mExcludedSubnets, mIncludedSubnets, mSelectedApps;
-	private String mIkeProposal, mEspProposal, mDnsServers, mProxyHost, mProxyExclusions;
+	private String mIkeProposal, mEspProposal, mDnsServers;
-	private Integer mMTU, mPort, mProxyPort, mSplitTunneling, mNATKeepAlive, mFlags;
+	private Integer mMTU, mPort, mSplitTunneling, mNATKeepAlive, mFlags;
 	private SelectedAppsHandling mSelectedAppsHandling = SelectedAppsHandling.SELECTED_APPS_DISABLE;
 	private VpnType mVpnType;
 	private UUID mUUID;
@ -313,36 +313,6 @@ public class VpnProfile implements Cloneable
 		return mSelectedAppsHandling;
 	}
 	public String getProxyHost()
 	{
 		return mProxyHost;
 	}
 	public void setProxyHost(String proxy)
 	{
 		this.mProxyHost = proxy;
 	}
 	public Integer getProxyPort()
 	{
 		return mProxyPort;
 	}
 	public void setProxyPort(Integer port)
 	{
 		this.mProxyPort = port;
 	}
 	public String getProxyExclusions()
 	{
 		return mProxyExclusions;
 	}
 	public void setProxyExclusions(String exclusions)
 	{
 		this.mProxyExclusions = exclusions;
 	}
 	public Integer getSplitTunneling()
 	{
 		return mSplitTunneling;
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfileDataSource.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfileDataSource.java
@ -50,10 +50,6 @@ public interface VpnProfileDataSource
 	String KEY_IKE_PROPOSAL = "ike_proposal";
 	String KEY_ESP_PROPOSAL = "esp_proposal";
 	String KEY_DNS_SERVERS = "dns_servers";
 	String KEY_PROXY_SERVER = "proxy_server";
 	String KEY_PROXY_HOST = "proxy_host";
 	String KEY_PROXY_PORT = "proxy_port";
 	String KEY_PROXY_EXCLUSIONS = "proxy_exclusions";
 	String KEY_READ_ONLY = "read_only";
 	/**
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfileSqlDataSource.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfileSqlDataSource.java
@ -151,9 +151,6 @@ public class VpnProfileSqlDataSource implements VpnProfileDataSource
 		profile.setIkeProposal(cursor.getString(cursor.getColumnIndexOrThrow(KEY_IKE_PROPOSAL)));
 		profile.setEspProposal(cursor.getString(cursor.getColumnIndexOrThrow(KEY_ESP_PROPOSAL)));
 		profile.setDnsServers(cursor.getString(cursor.getColumnIndexOrThrow(KEY_DNS_SERVERS)));
 		profile.setProxyHost(cursor.getString(cursor.getColumnIndexOrThrow(KEY_PROXY_HOST)));
 		profile.setProxyPort(getInt(cursor, cursor.getColumnIndexOrThrow(KEY_PROXY_PORT)));
 		profile.setProxyExclusions(cursor.getString(cursor.getColumnIndexOrThrow(KEY_PROXY_EXCLUSIONS)));
 		return profile;
 	}
@ -182,9 +179,6 @@ public class VpnProfileSqlDataSource implements VpnProfileDataSource
 		values.put(KEY_IKE_PROPOSAL, profile.getIkeProposal());
 		values.put(KEY_ESP_PROPOSAL, profile.getEspProposal());
 		values.put(KEY_DNS_SERVERS, profile.getDnsServers());
 		values.put(KEY_PROXY_HOST, profile.getProxyHost());
 		values.put(KEY_PROXY_PORT, profile.getProxyPort());
 		values.put(KEY_PROXY_EXCLUSIONS, profile.getProxyExclusions());
 		return values;
 	}
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2025 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 *
@ -30,7 +30,6 @@ import android.content.Intent;
 import android.content.ServiceConnection;
 import android.content.SharedPreferences;
 import android.content.pm.PackageManager;
 import android.net.ProxyInfo;
 import android.net.VpnService;
 import android.os.Build;
 import android.os.Bundle;
@ -73,8 +72,6 @@ import java.security.PrivateKey;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 import java.util.SortedSet;
@ -1119,7 +1116,6 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
 		private final List<InetAddress> mDnsServers = new ArrayList<>();
 		private int mMtu;
 		private boolean mIPv4Seen, mIPv6Seen, mDnsServersConfigured;
 		private ProxyInfo mProxyServer;
 		public BuilderCache(VpnProfile profile)
 		{
@ -1173,17 +1169,6 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
 				}
 			}
 			if (profile.getProxyHost() != null)
 			{
 				int port = profile.getProxyPort() != null ? profile.getProxyPort() : Constants.PROXY_PORT_DEFAULT;
 				List<String> exclusions = new ArrayList<>();
 				if (profile.getProxyExclusions() != null)
 				{
 					Collections.addAll(exclusions, profile.getProxyExclusions().split("\\s+"));
 				}
 				mProxyServer = ProxyInfo.buildDirectProxy(profile.getProxyHost(), port, exclusions);
 			}
 			/* set a default MTU, will be set by the daemon for regular interfaces */
 			Integer mtu = profile.getMTU();
 			mMtu = mtu == null ? Constants.MTU_MAX : mtu;
@ -1264,7 +1249,7 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
 			}
 		}
-		public void applyData(Builder builder)
+		public void applyData(VpnService.Builder builder)
 		{
 			for (IPRange address : mAddresses)
 			{
@ -1390,10 +1375,6 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
 						break;
 				}
 			}
 			if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q && mProxyServer != null)
 			{
 				builder.setHttpProxy(mProxyServer);
 			}
 			builder.setMtu(mMtu);
 		}
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/SimpleFetcher.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/SimpleFetcher.java
@ -22,7 +22,6 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.HttpURLConnection;
 import java.net.Proxy;
 import java.net.SocketTimeoutException;
 import java.net.URL;
 import java.util.ArrayList;
@ -56,7 +55,7 @@ public class SimpleFetcher
 			}
 			future = mExecutor.submit(() -> {
 				URL url = new URL(uri);
-				HttpURLConnection conn = (HttpURLConnection) url.openConnection(Proxy.NO_PROXY);
+				HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 				conn.setConnectTimeout(10000);
 				conn.setReadTimeout(10000);
 				conn.setRequestProperty("Connection", "close");
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/StrongSwanApplication.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/StrongSwanApplication.java
@ -1,6 +1,6 @@
 /*
 * Copyright (C) 2023 Relution GmbH
- * Copyright (C) 2014-2025 Tobias Brunner
+ * Copyright (C) 2014-2024 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
@ -38,10 +38,14 @@ import java.util.concurrent.Executor;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import androidx.annotation.NonNull;
 import androidx.core.os.HandlerCompat;
 import androidx.lifecycle.DefaultLifecycleObserver;
 import androidx.lifecycle.LifecycleOwner;
 import androidx.lifecycle.ProcessLifecycleOwner;
 import androidx.localbroadcastmanager.content.LocalBroadcastManager;
-public class StrongSwanApplication extends Application
+public class StrongSwanApplication extends Application implements DefaultLifecycleObserver
 {
 	private static final String TAG = StrongSwanApplication.class.getSimpleName();
@ -76,7 +80,6 @@ public class StrongSwanApplication extends Application
 	public void onCreate()
 	{
 		super.onCreate();
 		StrongSwanApplication.mContext = getApplicationContext();
 		StrongSwanApplication.mInstance = this;
@ -89,12 +92,24 @@ public class StrongSwanApplication extends Application
 		mUserCertificateManager = new ManagedUserCertificateManager(mContext, mManagedConfigurationService, mDatabaseHelper);
 		ProcessLifecycleOwner.get().getLifecycle().addObserver(this);
 	}
 	@Override
 	public void onResume(@NonNull LifecycleOwner owner)
 	{
 		reloadManagedConfigurationAndNotifyListeners();
 		final IntentFilter restrictionsFilter = new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED);
 		registerReceiver(mRestrictionsReceiver, restrictionsFilter);
 	}
 	@Override
 	public void onPause(@NonNull LifecycleOwner owner)
 	{
 		unregisterReceiver(mRestrictionsReceiver);
 	}
 	private void reloadManagedConfigurationAndNotifyListeners()
 	{
 		final Set<String> uuids = new HashSet<>(mManagedConfigurationService.getManagedProfiles().keySet());
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnProfileDetailActivity.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnProfileDetailActivity.java
@ -1,6 +1,6 @@
 /*
 * Copyright (C) 2023 Relution GmbH
- * Copyright (C) 2012-2025 Tobias Brunner
+ * Copyright (C) 2012-2020 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 *
@ -147,10 +147,6 @@ public class VpnProfileDetailActivity extends AppCompatActivity
 	private TextView mProfileId;
 	private EditText mDnsServers;
 	private TextInputLayoutHelper mDnsServersWrap;
 	private EditText mProxyHost;
 	private EditText mProxyPort;
 	private TextInputLayoutHelper mProxyPortWrap;
 	private EditText mProxyExclusions;
 	private final ActivityResultLauncher<Intent> mInstallPKCS12 = registerForActivityResult(
 		new ActivityResultContracts.StartActivityForResult(),
@ -258,11 +254,6 @@ public class VpnProfileDetailActivity extends AppCompatActivity
 		/* make the link clickable */
 		((TextView)findViewById(R.id.proposal_intro)).setMovementMethod(LinkMovementMethod.getInstance());
 		mProxyHost = findViewById(R.id.proxy_host);
 		mProxyPort = findViewById(R.id.proxy_port);
 		mProxyPortWrap = findViewById(R.id.proxy_port_wrap);
 		mProxyExclusions = findViewById(R.id.proxy_exclusions);
 		mProfileIdLabel = findViewById(R.id.profile_id_label);
 		mProfileId = findViewById(R.id.profile_id);
@ -593,9 +584,7 @@ public class VpnProfileDetailActivity extends AppCompatActivity
 				   mProfile.getIncludedSubnets() != null || mProfile.getExcludedSubnets() != null ||
 				   mProfile.getSelectedAppsHandling() != SelectedAppsHandling.SELECTED_APPS_DISABLE ||
 				   mProfile.getIkeProposal() != null || mProfile.getEspProposal() != null ||
-				   mProfile.getDnsServers() != null || mProfile.getLocalId() != null ||
+				   mProfile.getDnsServers() != null || mProfile.getLocalId() != null;
 				   mProfile.getProxyHost() != null || mProfile.getProxyPort() != null ||
 				   mProfile.getProxyExclusions() != null;
 		}
 		mShowAdvanced.setVisibility(!show ? View.VISIBLE : View.GONE);
 		mAdvancedSettings.setVisibility(show ? View.VISIBLE : View.GONE);
@ -711,11 +700,6 @@ public class VpnProfileDetailActivity extends AppCompatActivity
 			mDnsServersWrap.setError(getString(R.string.alert_text_no_ips));
 			valid = false;
 		}
 		if (!validateInteger(mProxyPort, 1, 65535))
 		{
 			mProxyPortWrap.setError(String.format(getString(R.string.alert_text_out_of_range), 1, 65535));
 			valid = false;
 		}
 		return valid;
 	}
@ -765,9 +749,6 @@ public class VpnProfileDetailActivity extends AppCompatActivity
 		mProfile.setIkeProposal(getString(mIkeProposal));
 		mProfile.setEspProposal(getString(mEspProposal));
 		mProfile.setDnsServers(getString(mDnsServers));
 		mProfile.setProxyHost(getString(mProxyHost));
 		mProfile.setProxyPort(getInteger(mProxyPort));
 		mProfile.setProxyExclusions(getString(mProxyExclusions));
 	}
 	/**
@ -805,9 +786,6 @@ public class VpnProfileDetailActivity extends AppCompatActivity
 				mIkeProposal.setText(mProfile.getIkeProposal());
 				mEspProposal.setText(mProfile.getEspProposal());
 				mDnsServers.setText(mProfile.getDnsServers());
 				mProxyHost.setText(mProfile.getProxyHost());
 				mProxyPort.setText(mProfile.getProxyPort() != null ? mProfile.getProxyPort().toString() : null);
 				mProxyExclusions.setText(mProfile.getProxyExclusions());
 				mProfileId.setText(mProfile.getUUID().toString());
 				flags = mProfile.getFlags();
 				useralias = mProfile.getUserCertificateAlias();
@ -899,9 +877,6 @@ public class VpnProfileDetailActivity extends AppCompatActivity
 		mIkeProposal.setEnabled(!readOnly);
 		mEspProposal.setEnabled(!readOnly);
 		mDnsServers.setEnabled(!readOnly);
 		mProxyHost.setEnabled(!readOnly);
 		mProxyPort.setEnabled(!readOnly);
 		mProxyExclusions.setEnabled(!readOnly);
 		mSelectVpnType.setEnabled(!readOnly);
 		mCertReq.setEnabled(!readOnly);
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnProfileImportActivity.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnProfileImportActivity.java
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2025 Tobias Brunner
+ * Copyright (C) 2016-2020 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
@ -556,14 +556,6 @@ public class VpnProfileImportActivity extends AppCompatActivity
 			flags |= VpnProfile.FLAGS_IPv6_TRANSPORT;
 		}
 		JSONObject proxy = obj.optJSONObject("proxy");
 		if (proxy != null)
 		{
 			profile.setProxyHost(proxy.optString("host"));
 			profile.setProxyPort(getInteger(proxy, "port", 1, 65535));
 			profile.setProxyExclusions(getFlatStringList(proxy, "exclusions"));
 		}
 		JSONObject split = obj.optJSONObject("split-tunneling");
 		if (split != null)
 		{
@ -577,8 +569,8 @@ public class VpnProfileImportActivity extends AppCompatActivity
 			profile.setSplitTunneling(st == 0 ? null : st);
 		}
 		/* only one of these can be set, prefer specific apps */
-		String selectedApps = getFlatStringList(obj, "apps");
+		String selectedApps = getApps(obj.optJSONArray("apps"));
-		String excludedApps = getFlatStringList(obj, "excluded-apps");
+		String excludedApps = getApps(obj.optJSONArray("excluded-apps"));
 		if (!TextUtils.isEmpty(selectedApps))
 		{
 			profile.setSelectedApps(selectedApps);
@ -614,8 +606,24 @@ public class VpnProfileImportActivity extends AppCompatActivity
 	private String getSubnets(JSONObject split, String key) throws JSONException
 	{
-		ArrayList<String> subnets = getStringList(split, key);
+		ArrayList<String> subnets = new ArrayList<>();
-		if (!subnets.isEmpty())
+		JSONArray arr = split.optJSONArray(key);
 		if (arr != null)
 		{
 			for (int i = 0; i < arr.length(); i++)
 			{	/* replace all spaces, e.g. in "192.168.1.1 - 192.168.1.10" */
 				subnets.add(arr.getString(i).replace(" ", ""));
 			}
 		}
 		else
 		{
 			String value = split.optString(key, null);
 			if (!TextUtils.isEmpty(value))
 			{
 				subnets.add(value);
 			}
 		}
 		if (subnets.size() > 0)
 		{
 			String joined = TextUtils.join(" ", subnets);
 			IPRangeSet ranges = IPRangeSet.fromString(joined);
@ -631,8 +639,25 @@ public class VpnProfileImportActivity extends AppCompatActivity
 	private String getAddressList(JSONObject obj, String key) throws JSONException
 	{
-		ArrayList<String> addrs = getStringList(obj, key);
+		ArrayList<String> addrs = new ArrayList<>();
-		if (!addrs.isEmpty())
+		JSONArray arr = obj.optJSONArray(key);
 		if (arr != null)
 		{
 			for (int i = 0; i < arr.length(); i++)
 			{
 				String addr = arr.getString(i).replace(" ", "");
 				addrs.add(addr);
 			}
 		}
 		else
 		{
 			String value = obj.optString(key, null);
 			if (!TextUtils.isEmpty(value))
 			{
 				Collections.addAll(addrs, value.split("\\s+"));
 			}
 		}
 		if (addrs.size() > 0)
 		{
 			for (String addr : addrs)
 			{
@ -650,39 +675,17 @@ public class VpnProfileImportActivity extends AppCompatActivity
 		return null;
 	}
-	private String getFlatStringList(JSONObject obj, String key) throws JSONException
+	private String getApps(JSONArray arr) throws JSONException
 	{
-		ArrayList<String> list = getStringList(obj, key);
+		ArrayList<String> apps = new ArrayList<>();
 		if (!list.isEmpty())
 		{
 			return TextUtils.join(" ", list);
 		}
 		return null;
 	}
 	/**
 	 * Return a list of strings, either retrieved from an array or from a space-separated string.
 	 */
 	private ArrayList<String> getStringList(JSONObject obj, String key) throws JSONException
 	{
 		ArrayList<String> list = new ArrayList<>();
 		JSONArray arr = obj.optJSONArray(key);
 		if (arr != null)
 		{
 			for (int i = 0; i < arr.length(); i++)
 			{	/* replace all spaces, including e.g. in "192.168.1.1 - 192.168.1.10" */
 				list.add(arr.getString(i).replace(" ", ""));
 			}
 		}
 		else
 		{
 			String value = obj.optString(key, null);
 			if (!TextUtils.isEmpty(value))
 			{
-				Collections.addAll(list, value.split("\\s+"));
+				apps.add(arr.getString(i));
 			}
 		}
-		return list;
+		return TextUtils.join(" ", apps);
 	}
 	/**
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnTileService.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/ui/VpnTileService.java
@ -130,6 +130,7 @@ public class VpnTileService extends TileService implements VpnStateService.VpnSt
 		return mDataSource != null ? mDataSource.getVpnProfile(uuid) : null;
 	}
 	@SuppressLint("StartActivityAndCollapseDeprecated")
 	@Override
 	public void onClick()
 	{
@ -218,7 +219,6 @@ public class VpnTileService extends TileService implements VpnStateService.VpnSt
 	}
 	@SuppressWarnings("deprecation")
 	@SuppressLint("StartActivityAndCollapseDeprecated")
 	private void startActivityAndCollapseCompat(Intent intent)
 	{
 		startActivityAndCollapse(intent);
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/utils/Constants.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/utils/Constants.java
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2025 Tobias Brunner
+ * Copyright (C) 2016-2020 Tobias Brunner
 *
 * Copyright (C) secunet Security Networks AG
 *
@ -45,11 +45,6 @@ public final class Constants
 	public static final int NAT_KEEPALIVE_MAX = 120;
 	public static final int NAT_KEEPALIVE_MIN = 10;
 	/**
 	 * Default port for proxy servers
 	 */
 	public static final int PROXY_PORT_DEFAULT = 8080;
 	/**
 	 * Preference key for default VPN profile
 	 */
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/android_jni.h
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/android_jni.h
@ -48,11 +48,17 @@ extern jclass *android_charonvpnservice_builder_class;
 extern jclass *android_simple_fetcher_class;
 /**
- * SDK versions for which we need some special handling.
+ * Currently known (supported) SDK versions
 *
 * see android.os.Build.VERSION_CODES for definitions
 */
 typedef enum {
 	ANDROID_ICE_CREAM_SANDWICH = 14,
 	ANDROID_ICE_CREAM_SANDWICH_MR1 = 15,
 	ANDROID_JELLY_BEAN = 16,
 	ANDROID_JELLY_BEAN_MR1 = 17,
 	ANDROID_JELLY_BEAN_MR2 = 18,
 	ANDROID_LOLLIPOP = 21,
 	ANDROID_MARSHMALLOW = 23,
 } android_sdk_version_t;
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_dns_proxy.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_dns_proxy.c
@ -340,7 +340,7 @@ METHOD(android_dns_proxy_t, handle, bool,
 						  skt);
 		lib->scheduler->schedule_job(lib->scheduler,
 			(job_t*)callback_job_create(handle_timeout, skt,
-					NULL, callback_job_cancel_thread), SOCKET_TIMEOUT);
+					NULL, (callback_job_cancel_t)return_false), SOCKET_TIMEOUT);
 	}
 	skt->last_use = time_monotonic(NULL);
 	if (sendto(skt->fd, data.ptr, data.len, 0, dst->get_sockaddr(dst),
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_private_key.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_private_key.c
@ -435,7 +435,16 @@ METHOD(private_key_t, destroy, void,
 		JNIEnv *env;
 		androidjni_attach_thread(&env);
-		(*env)->DeleteGlobalRef(env, this->key);
+		if (android_sdk_version == ANDROID_JELLY_BEAN)
 		{	/* there is a bug in JB that causes a SIGSEGV if the key object is
 			 * garbage collected so we intentionally leak the reference to it */
 			DBG1(DBG_LIB, "intentionally leaking private key reference due to "
 				 "a bug in the framework");
 		}
 		else
 		{
 			(*env)->DeleteGlobalRef(env, this->key);
 		}
 		(*env)->DeleteGlobalRef(env, this->signature_class);
 		androidjni_detach_thread();
 		this->pubkey->destroy(this->pubkey);
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
@ -359,7 +359,7 @@ static bool setup_tun_device(private_android_service_t *this,
 		lib->processor->queue_job(lib->processor,
 			(job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
-									NULL, callback_job_cancel_thread));
+									NULL, (callback_job_cancel_t)return_false));
 	}
 	return TRUE;
 }
@ -600,7 +600,7 @@ METHOD(listener_t, alert, bool,
 				lib->processor->queue_job(lib->processor,
 					(job_t*)callback_job_create_with_prio(
 						(callback_job_cb_t)reestablish, id, free,
-						callback_job_cancel_thread, JOB_PRIO_HIGH));
+						(callback_job_cancel_t)return_false, JOB_PRIO_HIGH));
 				break;
 			}
 			case ALERT_PEER_INIT_UNREACHABLE:
@ -619,7 +619,7 @@ METHOD(listener_t, alert, bool,
 					lib->processor->queue_job(lib->processor,
 						(job_t*)callback_job_create_with_prio(
 							(callback_job_cb_t)terminate, id, free,
-							callback_job_cancel_thread, JOB_PRIO_HIGH));
+							(callback_job_cancel_t)return_false, JOB_PRIO_HIGH));
 					stay_registered = FALSE;
 				}
 				else
@ -792,9 +792,10 @@ static job_requeue_t initiate(private_android_service_t *this)
 	};
 	char *type, *remote_id;
-	/* only try once and notify the GUI since Android 5+ where we have a
+	if (android_sdk_version >= ANDROID_LOLLIPOP)
-	 * blocking TUN device */
+	{   /* only try once and notify the GUI on Android 5+ where we have a blocking TUN device */
-	peer.keyingtries = 1;
+		peer.keyingtries = 1;
 	}
 	ike.remote = this->settings->get_str(this->settings, "connection.server",
 										 NULL);
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
@ -256,14 +256,11 @@ CALLBACK(bypass_single_socket_cb, void,
 }
 METHOD(charonservice_t, bypass_socket, bool,
-	private_charonservice_t *this, int fd, bool track_fd)
+	private_charonservice_t *this, int fd, int family)
 {
 	if (fd >= 0)
 	{
-		if (track_fd)
+		this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
 		{
 			this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
 		}
 		return bypass_single_socket(this, fd);
 	}
 	this->sockets->invoke_function(this->sockets, bypass_single_socket_cb, this);
@ -507,11 +504,6 @@ static void set_options(char *logfile, jboolean ipv6)
 					"charon.retransmit_base", ANDROID_RETRANSMIT_BASE);
 	lib->settings->set_bool(lib->settings,
 					"charon.initiator_only", TRUE);
 	/* the service currently can't handle make-before-break reauth and assumes
 	 * the old SA is deleted before the replacement and installs a special
 	 * replacement TUN device in-between */
 	lib->settings->set_bool(lib->settings,
 					"charon.make_before_break", FALSE);
 	lib->settings->set_bool(lib->settings,
 					"charon.close_ike_on_child_failure", TRUE);
 	lib->settings->set_bool(lib->settings,
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.h
@ -109,14 +109,13 @@ struct charonservice_t {
 	 * Install a bypass policy for the given socket using the protect() Method
 	 * of the Android VpnService interface.
 	 *
-	 * If track_fd is TRUE, the fd is kept track of. Use -1 as fd to re-bypass
+	 * Use -1 as fd to re-bypass previously bypassed sockets.
 	 * all of those sockets.
 	 *
 	 * @param fd			socket file descriptor
-	 * @param track_fd		TRUE to keep track of fd
+	 * @param family		socket protocol family
 	 * @return				TRUE if operation successful
 	 */
-	bool (*bypass_socket)(charonservice_t *this, int fd, bool track_fd);
+	bool (*bypass_socket)(charonservice_t *this, int fd, int family);
 	/**
 	 * Get a list of trusted certificates via JNI
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_ipsec.c
@ -159,7 +159,7 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
 METHOD(kernel_ipsec_t, bypass_socket, bool,
 	private_kernel_android_ipsec_t *this, int fd, int family)
 {
-	return charonservice->bypass_socket(charonservice, fd, TRUE);
+	return charonservice->bypass_socket(charonservice, fd, family);
 }
 METHOD(kernel_ipsec_t, enable_udp_decap, bool,
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/kernel/android_net.c
@ -70,7 +70,7 @@ struct private_android_net_t {
 static job_requeue_t roam_event()
 {
 	/* this will fail if no connection is up */
-	charonservice->bypass_socket(charonservice, -1, FALSE);
+	charonservice->bypass_socket(charonservice, -1, 0);
 	charon->kernel->roam(charon->kernel, TRUE);
 	return JOB_REQUEUE_NONE;
 }
@ -122,8 +122,13 @@ METHOD(kernel_net_t, get_source_addr, host_t*,
 			 strerror(errno));
 		return NULL;
 	}
-	charonservice->bypass_socket(charonservice, skt, FALSE);
+	charonservice->bypass_socket(charonservice, skt, dst->get_family(dst));
 	if (android_sdk_version <= ANDROID_JELLY_BEAN_MR2)
 	{	/* this seems to help avoiding the VIP, unless there is no connectivity
 		 * at all */
 		charonservice->bypass_socket(charonservice, -1, 0);
 	}
 	if (connect(skt, dst->get_sockaddr(dst), addrlen) < 0)
 	{
 		/* don't report an error if we are not connected (ENETUNREACH) */
@ -174,6 +179,28 @@ CALLBACK(vip_equals, bool,
 	return host->ip_equals(host, vip);
 }
 METHOD(kernel_net_t, get_source_addr_old, host_t*,
 	private_android_net_t *this, host_t *dest, host_t *src)
 {
 	host_t *host;
 	/* on older Android versions we might get the virtual IP back because
 	 * the protect() implementation there and connect() don't properly work
 	 * together, on newer releases (using fwmarks) that's not a problem */
 	host = get_source_addr(this, dest, src);
 	if (host)
 	{
 		this->mutex->lock(this->mutex);
 		if (this->vips->find_first(this->vips, vip_equals, NULL, host))
 		{
 			host->destroy(host);
 			host = NULL;
 		}
 		this->mutex->unlock(this->mutex);
 	}
 	return host;
 }
 METHOD(kernel_net_t, get_nexthop, host_t*,
 	private_android_net_t *this, host_t *dest, int prefix, host_t *src,
 	char **iface)
@ -276,6 +303,11 @@ kernel_net_t *kernel_android_net_create()
 	);
 	timerclear(&this->next_roam);
 	if (android_sdk_version <= ANDROID_JELLY_BEAN_MR2)
 	{
 		this->public.get_source_addr = _get_source_addr_old;
 	}
 	this->mutex->lock(this->mutex);
 	this->network_manager->add_connectivity_cb(
 						this->network_manager, (void*)connectivity_cb, this);
--- a/src/frontends/android/app/src/main/play/listings/de-DE/full-description.txt
+++ b/src/frontends/android/app/src/main/play/listings/de-DE/full-description.txt
@ -4,8 +4,8 @@ Dies ist die offizielle Android-Portierung der populären strongSwan VPN-Lösung
 <ul>
 <li>Verwendet die VpnService API von Android 4+. Geräte von einigen Herstellern scheinen diese nicht zu unterstützen - strongSwan wird auf diesen Geräten nicht funktionieren!</li>
- <li>Verwendet das IKEv2 Schlüsselaustausch-Protokoll</li>
+ <li>Verwendet das IKEv2 Schlüsselaustausch-Protokoll (IKEv1 wird nicht unterstützt)</li>
- <li>Verwendet IPsec für den Datenkanal</li>
+ <li>Verwendet IPsec für den Datenkanal (L2TP wird nicht unterstützt)</li>
 <li>Volle Unterstützung für Konnektivitätsänderungen und Mobilität via MOBIKE (oder Re-Authentisierung)</li>
 <li>Zur Authentisierung der Nutzer wird sowohl einfache auf Benutzername und Passwort basierende EAP-Authentisierung (namentlich EAP-MSCHAPv2, EAP-MD5 und EAP-GTC), sowie zertifikatsbasierte RSA/ECSA-Authentisierung unterstützt, EAP-TLS mit Benutzer-Zertifikaten wird ebenfalls unterstützt</li>
 <li>Kombinierte Authentisierung mit RSA/ECDSA und EAP wird über zwei Authentisierungsrunden nach RFC 4739 unterstützt</li>
@ -19,7 +19,7 @@ Dies ist die offizielle Android-Portierung der populären strongSwan VPN-Lösung
 <li>Unterstützt verwaltete Konfigurationen via Enterprise Mobility Management (EMM)</li>
 </ul>
-Details und ein Changelog sind in unserer Dokumentation zu finden: https://docs.strongswan.org/docs/latest/os/androidVpnClient.html
+Details und ein Changelog sind in unserer Dokumentation zu finden: https://docs.strongswan.org/docs/5.9/os/androidVpnClient.html
 # PERMISSIONS #
@ -30,7 +30,7 @@ Details und ein Changelog sind in unserer Dokumentation zu finden: https://docs.
 # BEISPIEL-SERVERKONFIGURATION #
-Sie finden in unserer Dokumentation Beispiel-Serverkonfigurationen: https://docs.strongswan.org/docs/latest/os/androidVpnClient.html#_server_configuration
+Sie finden in unserer Dokumentation Beispiel-Serverkonfigurationen: https://docs.strongswan.org/docs/5.9/os/androidVpnClient.html#_server_configuration
 Beachten Sie bitte, dass der im VPN Profil konfigurierte Hostname (bzw. die IP-Adresse) *zwingend* als subjectAltName-Extension im Server-Zertifikat vorhanden sein muss.
--- a/src/frontends/android/app/src/main/play/listings/en-US/full-description.txt
+++ b/src/frontends/android/app/src/main/play/listings/en-US/full-description.txt
@ -4,8 +4,8 @@ Official Android port of the popular strongSwan VPN solution.
 <ul>
 <li>Uses the VpnService API featured by Android 4+. Devices by some manufacturers seem to lack support for this - strongSwan VPN Client won't work on these devices!</li>
- <li>Uses the IKEv2 key exchange protocol</li>
+ <li>Uses the IKEv2 key exchange protocol (IKEv1 is not supported)</li>
- <li>Uses IPsec for data traffic</li>
+ <li>Uses IPsec for data traffic (L2TP is not supported)</li>
 <li>Full support for changed connectivity and mobility through MOBIKE (or reauthentication)</li>
 <li>Supports username/password EAP authentication (namely EAP-MSCHAPv2, EAP-MD5 and EAP-GTC) as well as RSA/ECDSA private key/certificate authentication to authenticate users, EAP-TLS with client certificates is also supported</li>
 <li>Combined RSA/ECDSA and EAP authentication is supported by using two authentication rounds as defined in RFC 4739</li>
@ -19,7 +19,7 @@ Official Android port of the popular strongSwan VPN solution.
 <li>Supports managed configurations via enterprise mobility management (EMM)</li>
 </ul>
-Details and a changelog can be found in our documentation: https://docs.strongswan.org/docs/latest/os/androidVpnClient.html
+Details and a changelog can be found in our documentation: https://docs.strongswan.org/docs/5.9/os/androidVpnClient.html
 # PERMISSIONS #
@ -30,7 +30,7 @@ Details and a changelog can be found in our documentation: https://docs.strongsw
 # EXAMPLE SERVER CONFIGURATION #
-Example server configurations may be found in our documentation: https://docs.strongswan.org/docs/latest/os/androidVpnClient.html#_server_configuration
+Example server configurations may be found in our documentation: https://docs.strongswan.org/docs/5.9/os/androidVpnClient.html#_server_configuration
 Please note that the host name (or IP address) configured with a VPN profile in the app *must be* contained in the server certificate as subjectAltName extension.
--- a/src/frontends/android/app/src/main/play/release-notes/de-DE/default.txt
+++ b/src/frontends/android/app/src/main/play/release-notes/de-DE/default.txt
@ -1,15 +1,3 @@
 # 2.5.6 #
 - Unterstützt benutzerdefinierte HTTP Proxy-Server (Android 10+)
 # 2.5.5 #
 - Fixt den Start von verwalteten Profilen als Always-on VPN
 # 2.5.4 #
 - Fixt Probleme beim Wiederherstellen der Verbindung
 # 2.5.3 #
 - Unterstützt die Verteilung von Passwörtern in verwalteten Profilen
--- a/src/frontends/android/app/src/main/play/release-notes/en-US/default.txt
+++ b/src/frontends/android/app/src/main/play/release-notes/en-US/default.txt
@ -1,15 +1,3 @@
 # 2.5.6 #
 - Add support for custom HTTP proxy server (Android 10+)
 # 2.5.5 #
 - Fix initiating managed profiles as Always-on VPN
 # 2.5.4 #
 - Fix issues when reestablishing the connection
 # 2.5.3 #
 - Add support for distributing passwords in managed profiles
--- a/src/frontends/android/app/src/main/res/layout/profile_detail_view.xml
+++ b/src/frontends/android/app/src/main/res/layout/profile_detail_view.xml
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
-    Copyright (C) 2012-2025 Tobias Brunner
+    Copyright (C) 2012-2019 Tobias Brunner
    Copyright (C) 2012 Giuliano Grassi
    Copyright (C) 2012 Ralf Sager
@ -538,72 +538,6 @@
                </org.strongswan.android.ui.widget.TextInputLayoutHelper>
                <TextView
                    android:layout_width="match_parent"
                    android:layout_height="wrap_content"
                    android:layout_marginStart="4dp"
                    android:layout_marginTop="10dp"
                    android:layout_marginBottom="10dp"
                    android:text="@string/profile_proxy_server_label"
                    android:textSize="20sp" />
                <TextView
                    android:layout_width="match_parent"
                    android:layout_height="wrap_content"
                    android:layout_marginStart="4dp"
                    android:layout_marginTop="10dp"
                    android:layout_marginBottom="10dp"
                    android:text="@string/profile_proxy_server_intro"
                    android:textSize="12sp" />
                <org.strongswan.android.ui.widget.TextInputLayoutHelper
                    android:id="@+id/proxy_host_wrap"
                    android:layout_width="match_parent"
                    android:layout_height="wrap_content"
                    android:hint="@string/profile_proxy_host_label"
                    app:helper_text="@string/profile_proxy_host_hint">
                    <com.google.android.material.textfield.TextInputEditText
                        android:id="@+id/proxy_host"
                        android:layout_width="match_parent"
                        android:layout_height="wrap_content"
                        android:inputType="textNoSuggestions"
                        android:singleLine="true" />
                </org.strongswan.android.ui.widget.TextInputLayoutHelper>
                <org.strongswan.android.ui.widget.TextInputLayoutHelper
                    android:id="@+id/proxy_port_wrap"
                    android:layout_width="match_parent"
                    android:layout_height="wrap_content"
                    android:hint="@string/profile_proxy_port_label"
                    app:helper_text="@string/profile_proxy_port_hint">
                    <com.google.android.material.textfield.TextInputEditText
                        android:id="@+id/proxy_port"
                        android:layout_width="match_parent"
                        android:layout_height="wrap_content"
                        android:inputType="number|textNoSuggestions"
                        android:singleLine="true" />
                </org.strongswan.android.ui.widget.TextInputLayoutHelper>
                <org.strongswan.android.ui.widget.TextInputLayoutHelper
                    android:id="@+id/proxy_exclusions_wrap"
                    android:layout_width="match_parent"
                    android:layout_height="wrap_content"
                    android:hint="@string/profile_proxy_exclusions_label"
                    app:helper_text="@string/profile_proxy_exclusions_hint">
                    <com.google.android.material.textfield.TextInputEditText
                        android:id="@+id/proxy_exclusions"
                        android:layout_width="match_parent"
                        android:layout_height="wrap_content"
                        android:inputType="textNoSuggestions"
                        android:singleLine="true" />
                </org.strongswan.android.ui.widget.TextInputLayoutHelper>
                <TextView
                    android:id="@+id/profile_id_label"
                    android:layout_width="match_parent"
--- a/src/frontends/android/app/src/main/res/values-de/strings.xml
+++ b/src/frontends/android/app/src/main/res/values-de/strings.xml
@ -123,19 +123,11 @@
    <string name="profile_select_one_app">Eine App ausgewählt</string>
    <string name="profile_select_x_apps">%1$d Apps ausgewählt</string>
    <string name="profile_proposals_label">Algorithmen</string>
-    <string name="profile_proposals_intro">Optionale spezifische Algorithmen für IKEv2 und/oder IPsec/ESP die statt der Standardwerte verwendet werden sollen. Eine <a href="https://docs.strongswan.org/docs/latest/config/IKEv2CipherSuites.html">Liste gültiger Algorithmen</a> kann unserem Wiki entnommen werden (nicht alle werden von dieser App unterstützt). Beide Felder erwarten eine Liste von Algorithmen, jeweils mit einem Bindestrich getrennt.</string>
+    <string name="profile_proposals_intro">Optionale spezifische Algorithmen für IKEv2 und/oder IPsec/ESP die statt der Standardwerte verwendet werden sollen. Eine <a href="https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html">Liste gültiger Algorithmen</a> kann unserem Wiki entnommen werden (nicht alle werden von dieser App unterstützt). Beide Felder erwarten eine Liste von Algorithmen, jeweils mit einem Bindestrich getrennt.</string>
    <string name="profile_proposals_ike_label">IKEv2 Algorithmen</string>
    <string name="profile_proposals_ike_hint">Für non-AEAD/klassische Verschlüsselungsalgorithmen wird ein Integritätsalgorithmus, eine pseudozufällige Funktion (PRF, optional, ansonsten wird eine auf dem Integritätsalgorithmus basierende verwendet) und eine Diffie-Hellman Gruppe benötigt (z.B. aes256-sha256-ecp256). Für kombinierte/AEAD Algorithmen wird der Integritätsalgorithmus weggelassen aber eine PRF wird benötigt (z.B. aes256gcm16-prfsha256-ecp256).</string>
    <string name="profile_proposals_esp_label">IPsec/ESP Algorithmen</string>
    <string name="profile_proposals_esp_hint">Für non-AEAD/klassische Verschlüsselungsalgorithmen wird ein Integritätsalgorithmus benötigt, eine Diffie-Hellman Gruppe ist optional (z.B. aes256-sha256 oder aes256-sha256-ecp256). Für kombinierte/AEAD Algorithmen wird der Integritätsalgorithmus weggelassen (z.B. aes256gcm16 oder aes256gcm16-ecp256). Falls eine DH Gruppe angegeben wird, kommt während dem IPsec SA Rekeying ein DH Schlüsselaustausch zur Anwendung. Beim initialen Verbindungsaufbau hat eine DH Gruppe hier keinen Einfluss, weil die Schlüssel dort von der IKE SA abgeleitet werden. Deshalb wird eine Fehlkonfiguration mit dem Server erst später während dem Rekeying zu einem Fehler führen.</string>
    <string name="profile_proxy_server_label">HTTP Proxy-Server</string>
    <string name="profile_proxy_server_intro">Optionaler HTTP Proxy-Server bei Verbindung zum VPN. Dies ist nur eine Empfehlung und kann von Apps ignoriert werden. Bitte beachten, dass Apps, die den Proxy verwenden, unabhängig vom Ziel alle HTTP-Ressourcen darüber abrufen, so dass Split-Tunneling-Einstellungen möglicherweise keine Auswirkungen haben. Um die Verwendung des Proxys für bestimmte Hosts zu vermeiden, kann die Ausschlussliste unten verwendet werden.</string>
    <string name="profile_proxy_host_label">Proxy-Host</string>
    <string name="profile_proxy_host_hint">IP-Adresse oder Hostname des HTTP Proxy-Servers, der bei Verbindung zum VPN verwendet werden soll</string>
    <string name="profile_proxy_port_label">Proxy-Port</string>
    <string name="profile_proxy_port_hint">Port um auf den HTTP Proxy-Server zuzugreifen, Standardwert ist 8080</string>
    <string name="profile_proxy_exclusions_label">Proxy-Ausschlussliste</string>
    <string name="profile_proxy_exclusions_hint">Optionale Liste von Hosts für die der HTTP Proxy-Server nicht verwendet werden soll (mit Leerzeichen getrennt und Platzhalter können verwendet werden, z.B. \"direct.example.net *.example.com\")</string>
    <string name="profile_import">VPN Profil importieren</string>
    <string name="profile_import_failed">VPN Profil-Import fehlgeschlagen</string>
    <string name="profile_import_failed_detail">VPN Profil-Import fehlgeschlagen: %1$s</string>
--- a/src/frontends/android/app/src/main/res/values-de/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-de/strings_managed_configuration.xml
@ -108,13 +108,4 @@
    <string name="managed_config_split_tunneling_block_ipv6_title">@string/profile_split_tunnelingv6_title</string>
    <string name="managed_config_split_tunneling_block_ipv6_description">Specifies whether to block IPv6 traffic that\'s not destined for the VPN. Forces all IPv6 traffic via VPN (traffic that does not match the negotiated traffic selector is then just dropped). Thus this is basically equivalent to including ::/0 in subnets</string>
    <!-- Managed configuration, VPN profile, proxy server -->
    <string name="managed_config_proxy_server_bundle_title">@string/profile_proxy_server_label</string>
    <string name="managed_config_proxy_server_bundle_description">@string/profile_proxy_server_intro</string>
    <string name="managed_config_proxy_host_title">@string/profile_proxy_host_label</string>
    <string name="managed_config_proxy_host_description">@string/profile_proxy_host_hint</string>
    <string name="managed_config_proxy_port_title">@string/profile_proxy_port_label</string>
    <string name="managed_config_proxy_port_description">@string/profile_proxy_port_hint</string>
    <string name="managed_config_proxy_exclusions_title">@string/profile_proxy_exclusions_label</string>
    <string name="managed_config_proxy_exclusions_description">@string/profile_proxy_exclusions_hint</string>
 </resources>
--- a/src/frontends/android/app/src/main/res/values-pl/strings.xml
+++ b/src/frontends/android/app/src/main/res/values-pl/strings.xml
@ -125,19 +125,11 @@
    <string name="profile_select_one_app">One application selected</string>
    <string name="profile_select_x_apps">%1$d applications selected</string>
    <string name="profile_proposals_label">Algorithms</string>
-    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/latest/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
+    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
    <string name="profile_proposals_ike_label">IKEv2 Algorithms</string>
    <string name="profile_proposals_ike_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm, a pseudo random function (optional, defaults to one based on the integrity algorithm) and a Diffie-Hellman group are required (e.g. aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted but a PRF is required (e.g. aes256gcm16-prfsha256-ecp256).</string>
    <string name="profile_proposals_esp_label">IPsec/ESP Algorithms</string>
    <string name="profile_proposals_esp_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm is required, a Diffie-Hellman group is optional (e.g. aes256-sha256 or aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted (e.g. aes256gcm16 or aes256gcm16-ecp256). If a DH group is specified IPsec SA rekeying will use a DH key exchange. However, DH groups specified here are not used when the connection is established initially because the keys there are derived from the IKE SA key material. Therefore, any configuration mismatch with the server will only cause errors later during rekeying.</string>
    <string name="profile_proxy_server_label">HTTP proxy server</string>
    <string name="profile_proxy_server_intro">Optional HTTP proxy server to use when connected to the VPN. This is only a recommendation and may be ignored by apps. Note that apps using the proxy will access all HTTP resources through it regardless of the destination, so split-tunneling settings might not have any effect. To avoid using the proxy server for specific hosts, use the exclusion list below.</string>
    <string name="profile_proxy_host_label">Proxy host</string>
    <string name="profile_proxy_host_hint">IP address or hostname of the HTTP proxy server to use when connected to the VPN</string>
    <string name="profile_proxy_port_label">Proxy port</string>
    <string name="profile_proxy_port_hint">Port to access the HTTP proxy server, defaults to 8080</string>
    <string name="profile_proxy_exclusions_label">Proxy exclusion list</string>
    <string name="profile_proxy_exclusions_hint">Optional list of hosts for which the HTTP proxy server is not used (separated by spaces, and wildcards are possible, e.g. \"direct.example.net *.example.com\")</string>
    <string name="profile_import">Import VPN profile</string>
    <string name="profile_import_failed">Failed to import VPN profile</string>
    <string name="profile_import_failed_detail">Failed to import VPN profile: %1$s</string>
--- a/src/frontends/android/app/src/main/res/values-pl/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-pl/strings_managed_configuration.xml
@ -108,13 +108,4 @@
    <string name="managed_config_split_tunneling_block_ipv6_title">@string/profile_split_tunnelingv6_title</string>
    <string name="managed_config_split_tunneling_block_ipv6_description">Specifies whether to block IPv6 traffic that\'s not destined for the VPN. Forces all IPv6 traffic via VPN (traffic that does not match the negotiated traffic selector is then just dropped). Thus this is basically equivalent to including ::/0 in subnets</string>
    <!-- Managed configuration, VPN profile, proxy server -->
    <string name="managed_config_proxy_server_bundle_title">@string/profile_proxy_server_label</string>
    <string name="managed_config_proxy_server_bundle_description">@string/profile_proxy_server_intro</string>
    <string name="managed_config_proxy_host_title">@string/profile_proxy_host_label</string>
    <string name="managed_config_proxy_host_description">@string/profile_proxy_host_hint</string>
    <string name="managed_config_proxy_port_title">@string/profile_proxy_port_label</string>
    <string name="managed_config_proxy_port_description">@string/profile_proxy_port_hint</string>
    <string name="managed_config_proxy_exclusions_title">@string/profile_proxy_exclusions_label</string>
    <string name="managed_config_proxy_exclusions_description">@string/profile_proxy_exclusions_hint</string>
 </resources>
--- a/src/frontends/android/app/src/main/res/values-ru/strings.xml
+++ b/src/frontends/android/app/src/main/res/values-ru/strings.xml
@ -119,19 +119,11 @@
    <string name="profile_select_one_app">One application selected</string>
    <string name="profile_select_x_apps">%1$d applications selected</string>
    <string name="profile_proposals_label">Algorithms</string>
-    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/latest/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
+    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
    <string name="profile_proposals_ike_label">IKEv2 Algorithms</string>
    <string name="profile_proposals_ike_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm, a pseudo random function (optional, defaults to one based on the integrity algorithm) and a Diffie-Hellman group are required (e.g. aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted but a PRF is required (e.g. aes256gcm16-prfsha256-ecp256).</string>
    <string name="profile_proposals_esp_label">IPsec/ESP Algorithms</string>
    <string name="profile_proposals_esp_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm is required, a Diffie-Hellman group is optional (e.g. aes256-sha256 or aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted (e.g. aes256gcm16 or aes256gcm16-ecp256). If a DH group is specified IPsec SA rekeying will use a DH key exchange. However, DH groups specified here are not used when the connection is established initially because the keys there are derived from the IKE SA key material. Therefore, any configuration mismatch with the server will only cause errors later during rekeying.</string>
    <string name="profile_proxy_server_label">HTTP proxy server</string>
    <string name="profile_proxy_server_intro">Optional HTTP proxy server to use when connected to the VPN. This is only a recommendation and may be ignored by apps. Note that apps using the proxy will access all HTTP resources through it regardless of the destination, so split-tunneling settings might not have any effect. To avoid using the proxy server for specific hosts, use the exclusion list below.</string>
    <string name="profile_proxy_host_label">Proxy host</string>
    <string name="profile_proxy_host_hint">IP address or hostname of the HTTP proxy server to use when connected to the VPN</string>
    <string name="profile_proxy_port_label">Proxy port</string>
    <string name="profile_proxy_port_hint">Port to access the HTTP proxy server, defaults to 8080</string>
    <string name="profile_proxy_exclusions_label">Proxy exclusion list</string>
    <string name="profile_proxy_exclusions_hint">Optional list of hosts for which the HTTP proxy server is not used (separated by spaces, and wildcards are possible, e.g. \"direct.example.net *.example.com\")</string>
    <string name="profile_import">Import VPN profile</string>
    <string name="profile_import_failed">Failed to import VPN profile</string>
    <string name="profile_import_failed_detail">Failed to import VPN profile: %1$s</string>
--- a/src/frontends/android/app/src/main/res/values-ru/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-ru/strings_managed_configuration.xml
@ -108,13 +108,4 @@
    <string name="managed_config_split_tunneling_block_ipv6_title">@string/profile_split_tunnelingv6_title</string>
    <string name="managed_config_split_tunneling_block_ipv6_description">Specifies whether to block IPv6 traffic that\'s not destined for the VPN. Forces all IPv6 traffic via VPN (traffic that does not match the negotiated traffic selector is then just dropped). Thus this is basically equivalent to including ::/0 in subnets</string>
    <!-- Managed configuration, VPN profile, proxy server -->
    <string name="managed_config_proxy_server_bundle_title">@string/profile_proxy_server_label</string>
    <string name="managed_config_proxy_server_bundle_description">@string/profile_proxy_server_intro</string>
    <string name="managed_config_proxy_host_title">@string/profile_proxy_host_label</string>
    <string name="managed_config_proxy_host_description">@string/profile_proxy_host_hint</string>
    <string name="managed_config_proxy_port_title">@string/profile_proxy_port_label</string>
    <string name="managed_config_proxy_port_description">@string/profile_proxy_port_hint</string>
    <string name="managed_config_proxy_exclusions_title">@string/profile_proxy_exclusions_label</string>
    <string name="managed_config_proxy_exclusions_description">@string/profile_proxy_exclusions_hint</string>
 </resources>
--- a/src/frontends/android/app/src/main/res/values-uk/strings.xml
+++ b/src/frontends/android/app/src/main/res/values-uk/strings.xml
@ -120,19 +120,11 @@
    <string name="profile_select_one_app">One application selected</string>
    <string name="profile_select_x_apps">%1$d applications selected</string>
    <string name="profile_proposals_label">Algorithms</string>
-    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/latest/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
+    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
    <string name="profile_proposals_ike_label">IKEv2 Algorithms</string>
    <string name="profile_proposals_ike_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm, a pseudo random function (optional, defaults to one based on the integrity algorithm) and a Diffie-Hellman group are required (e.g. aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted but a PRF is required (e.g. aes256gcm16-prfsha256-ecp256).</string>
    <string name="profile_proposals_esp_label">IPsec/ESP Algorithms</string>
    <string name="profile_proposals_esp_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm is required, a Diffie-Hellman group is optional (e.g. aes256-sha256 or aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted (e.g. aes256gcm16 or aes256gcm16-ecp256). If a DH group is specified IPsec SA rekeying will use a DH key exchange. However, DH groups specified here are not used when the connection is established initially because the keys there are derived from the IKE SA key material. Therefore, any configuration mismatch with the server will only cause errors later during rekeying.</string>
    <string name="profile_proxy_server_label">HTTP proxy server</string>
    <string name="profile_proxy_server_intro">Optional HTTP proxy server to use when connected to the VPN. This is only a recommendation and may be ignored by apps. Note that apps using the proxy will access all HTTP resources through it regardless of the destination, so split-tunneling settings might not have any effect. To avoid using the proxy server for specific hosts, use the exclusion list below.</string>
    <string name="profile_proxy_host_label">Proxy host</string>
    <string name="profile_proxy_host_hint">IP address or hostname of the HTTP proxy server to use when connected to the VPN</string>
    <string name="profile_proxy_port_label">Proxy port</string>
    <string name="profile_proxy_port_hint">Port to access the HTTP proxy server, defaults to 8080</string>
    <string name="profile_proxy_exclusions_label">Proxy exclusion list</string>
    <string name="profile_proxy_exclusions_hint">Optional list of hosts for which the HTTP proxy server is not used (separated by spaces, and wildcards are possible, e.g. \"direct.example.net *.example.com\")</string>
    <string name="profile_import">Import VPN profile</string>
    <string name="profile_import_failed">Failed to import VPN profile</string>
    <string name="profile_import_failed_detail">Failed to import VPN profile: %1$s</string>
--- a/src/frontends/android/app/src/main/res/values-uk/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-uk/strings_managed_configuration.xml
@ -108,13 +108,4 @@
    <string name="managed_config_split_tunneling_block_ipv6_title">@string/profile_split_tunnelingv6_title</string>
    <string name="managed_config_split_tunneling_block_ipv6_description">Specifies whether to block IPv6 traffic that\'s not destined for the VPN. Forces all IPv6 traffic via VPN (traffic that does not match the negotiated traffic selector is then just dropped). Thus this is basically equivalent to including ::/0 in subnets</string>
    <!-- Managed configuration, VPN profile, proxy server -->
    <string name="managed_config_proxy_server_bundle_title">@string/profile_proxy_server_label</string>
    <string name="managed_config_proxy_server_bundle_description">@string/profile_proxy_server_intro</string>
    <string name="managed_config_proxy_host_title">@string/profile_proxy_host_label</string>
    <string name="managed_config_proxy_host_description">@string/profile_proxy_host_hint</string>
    <string name="managed_config_proxy_port_title">@string/profile_proxy_port_label</string>
    <string name="managed_config_proxy_port_description">@string/profile_proxy_port_hint</string>
    <string name="managed_config_proxy_exclusions_title">@string/profile_proxy_exclusions_label</string>
    <string name="managed_config_proxy_exclusions_description">@string/profile_proxy_exclusions_hint</string>
 </resources>
--- a/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml
+++ b/src/frontends/android/app/src/main/res/values-zh-rCN/strings.xml
@ -119,19 +119,11 @@
    <string name="profile_select_one_app">已选择一个应用程序</string>
    <string name="profile_select_x_apps">%1$d 应用程序被选择</string>
    <string name="profile_proposals_label">算法</string>
-    <string name="profile_proposals_intro">（可选）配置用于IKEv2和/或IPsec/ESP的特定算法，而不是默认算法。请参阅我们的wiki以了解<a href="https://docs.strongswan.org/docs/latest/config/IKEv2CipherSuites.html">算法标识符列表</a>（请注意，此应用程序并不支持所有标识符）。这两个字段都包含一个算法列表，每个算法用连字符分隔。</string>
+    <string name="profile_proposals_intro">（可选）配置用于IKEv2和/或IPsec/ESP的特定算法，而不是默认算法。请参阅我们的wiki以了解<a href="https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html">算法标识符列表</a>（请注意，此应用程序并不支持所有标识符）。这两个字段都包含一个算法列表，每个算法用连字符分隔。</string>
    <string name="profile_proposals_ike_label">IKEv2算法</string>
    <string name="profile_proposals_ike_hint">对于非AEAD/经典加密算法，需要完整性算法、伪随机函数（可选，默认为基于完整性算法的函数）和Diffie-Hellman组（例如aes256-sha256-ecp256）。对于组合模式/AEAD算法，省略完整性算法，但需要PRF（例如aes256gcm16-prfsha256-ecp256）。</string>
    <string name="profile_proposals_esp_label">IPsec/ESP 算法</string>
    <string name="profile_proposals_esp_hint">对于非AEAD/经典加密算法，需要完整性算法，Diffie-Hellman组是可选的（例如aes256-sha256或aes256-sha256-ecp256）。对于组合模式/AEAD算法，省略完整性算法（例如aes256gcm16或aes256gcm16-ecp256）。如果指定了DH组，IPsec SA密钥更新将使用DH密钥交换。但是，在最初建立连接时，不使用此处指定的DH组，因为其中的密钥来自IKE SA密钥材料。因此，与服务器的任何配置不匹配只会在稍后重新设置密钥时导致错误。</string>
    <string name="profile_proxy_server_label">HTTP proxy server</string>
    <string name="profile_proxy_server_intro">Optional HTTP proxy server to use when connected to the VPN. This is only a recommendation and may be ignored by apps. Note that apps using the proxy will access all HTTP resources through it regardless of the destination, so split-tunneling settings might not have any effect. To avoid using the proxy server for specific hosts, use the exclusion list below.</string>
    <string name="profile_proxy_host_label">Proxy host</string>
    <string name="profile_proxy_host_hint">IP address or hostname of the HTTP proxy server to use when connected to the VPN</string>
    <string name="profile_proxy_port_label">Proxy port</string>
    <string name="profile_proxy_port_hint">Port to access the HTTP proxy server, defaults to 8080</string>
    <string name="profile_proxy_exclusions_label">Proxy exclusion list</string>
    <string name="profile_proxy_exclusions_hint">Optional list of hosts for which the HTTP proxy server is not used (separated by spaces, and wildcards are possible, e.g. \"direct.example.net *.example.com\")</string>
    <string name="profile_import">导入VPN配置</string>
    <string name="profile_import_failed">导入VPN配置失败</string>
    <string name="profile_import_failed_detail">导入VPN配置失败: %1$s</string>
--- a/src/frontends/android/app/src/main/res/values-zh-rCN/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-zh-rCN/strings_managed_configuration.xml
@ -108,13 +108,4 @@
    <string name="managed_config_split_tunneling_block_ipv6_title">@string/profile_split_tunnelingv6_title</string>
    <string name="managed_config_split_tunneling_block_ipv6_description">Specifies whether to block IPv6 traffic that\'s not destined for the VPN. Forces all IPv6 traffic via VPN (traffic that does not match the negotiated traffic selector is then just dropped). Thus this is basically equivalent to including ::/0 in subnets</string>
    <!-- Managed configuration, VPN profile, proxy server -->
    <string name="managed_config_proxy_server_bundle_title">@string/profile_proxy_server_label</string>
    <string name="managed_config_proxy_server_bundle_description">@string/profile_proxy_server_intro</string>
    <string name="managed_config_proxy_host_title">@string/profile_proxy_host_label</string>
    <string name="managed_config_proxy_host_description">@string/profile_proxy_host_hint</string>
    <string name="managed_config_proxy_port_title">@string/profile_proxy_port_label</string>
    <string name="managed_config_proxy_port_description">@string/profile_proxy_port_hint</string>
    <string name="managed_config_proxy_exclusions_title">@string/profile_proxy_exclusions_label</string>
    <string name="managed_config_proxy_exclusions_description">@string/profile_proxy_exclusions_hint</string>
 </resources>
--- a/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml
+++ b/src/frontends/android/app/src/main/res/values-zh-rTW/strings.xml
@ -119,19 +119,11 @@
    <string name="profile_select_one_app">One application selected</string>
    <string name="profile_select_x_apps">%1$d applications selected</string>
    <string name="profile_proposals_label">Algorithms</string>
-    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/latest/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
+    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
    <string name="profile_proposals_ike_label">IKEv2 Algorithms</string>
    <string name="profile_proposals_ike_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm, a pseudo random function (optional, defaults to one based on the integrity algorithm) and a Diffie-Hellman group are required (e.g. aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted but a PRF is required (e.g. aes256gcm16-prfsha256-ecp256).</string>
    <string name="profile_proposals_esp_label">IPsec/ESP Algorithms</string>
    <string name="profile_proposals_esp_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm is required, a Diffie-Hellman group is optional (e.g. aes256-sha256 or aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted (e.g. aes256gcm16 or aes256gcm16-ecp256). If a DH group is specified IPsec SA rekeying will use a DH key exchange. However, DH groups specified here are not used when the connection is established initially because the keys there are derived from the IKE SA key material. Therefore, any configuration mismatch with the server will only cause errors later during rekeying.</string>
    <string name="profile_proxy_server_label">HTTP proxy server</string>
    <string name="profile_proxy_server_intro">Optional HTTP proxy server to use when connected to the VPN. This is only a recommendation and may be ignored by apps. Note that apps using the proxy will access all HTTP resources through it regardless of the destination, so split-tunneling settings might not have any effect. To avoid using the proxy server for specific hosts, use the exclusion list below.</string>
    <string name="profile_proxy_host_label">Proxy host</string>
    <string name="profile_proxy_host_hint">IP address or hostname of the HTTP proxy server to use when connected to the VPN</string>
    <string name="profile_proxy_port_label">Proxy port</string>
    <string name="profile_proxy_port_hint">Port to access the HTTP proxy server, defaults to 8080</string>
    <string name="profile_proxy_exclusions_label">Proxy exclusion list</string>
    <string name="profile_proxy_exclusions_hint">Optional list of hosts for which the HTTP proxy server is not used (separated by spaces, and wildcards are possible, e.g. \"direct.example.net *.example.com\")</string>
    <string name="profile_import">匯入VPN設定檔</string>
    <string name="profile_import_failed">匯入VPN設定檔失敗</string>
    <string name="profile_import_failed_detail">匯入VPN設定檔失敗: %1$s</string>
--- a/src/frontends/android/app/src/main/res/values-zh-rTW/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values-zh-rTW/strings_managed_configuration.xml
@ -108,13 +108,4 @@
    <string name="managed_config_split_tunneling_block_ipv6_title">@string/profile_split_tunnelingv6_title</string>
    <string name="managed_config_split_tunneling_block_ipv6_description">Specifies whether to block IPv6 traffic that\'s not destined for the VPN. Forces all IPv6 traffic via VPN (traffic that does not match the negotiated traffic selector is then just dropped). Thus this is basically equivalent to including ::/0 in subnets</string>
    <!-- Managed configuration, VPN profile, proxy server -->
    <string name="managed_config_proxy_server_bundle_title">@string/profile_proxy_server_label</string>
    <string name="managed_config_proxy_server_bundle_description">@string/profile_proxy_server_intro</string>
    <string name="managed_config_proxy_host_title">@string/profile_proxy_host_label</string>
    <string name="managed_config_proxy_host_description">@string/profile_proxy_host_hint</string>
    <string name="managed_config_proxy_port_title">@string/profile_proxy_port_label</string>
    <string name="managed_config_proxy_port_description">@string/profile_proxy_port_hint</string>
    <string name="managed_config_proxy_exclusions_title">@string/profile_proxy_exclusions_label</string>
    <string name="managed_config_proxy_exclusions_description">@string/profile_proxy_exclusions_hint</string>
 </resources>
--- a/src/frontends/android/app/src/main/res/values/strings.xml
+++ b/src/frontends/android/app/src/main/res/values/strings.xml
@ -123,19 +123,11 @@
    <string name="profile_select_one_app">One application selected</string>
    <string name="profile_select_x_apps">%1$d applications selected</string>
    <string name="profile_proposals_label">Algorithms</string>
-    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/latest/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
+    <string name="profile_proposals_intro">Optionally configure specific algorithms to use for IKEv2 and/or IPsec/ESP instead of the defaults. Refer to our wiki for a <a href="https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html">list of algorithm identifiers</a> (note that not all are supported by this app). Both fields take a list of algorithms, each separated by a hyphen.</string>
    <string name="profile_proposals_ike_label">IKEv2 Algorithms</string>
    <string name="profile_proposals_ike_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm, a pseudo random function (optional, defaults to one based on the integrity algorithm) and a Diffie-Hellman group are required (e.g. aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted but a PRF is required (e.g. aes256gcm16-prfsha256-ecp256).</string>
    <string name="profile_proposals_esp_label">IPsec/ESP Algorithms</string>
    <string name="profile_proposals_esp_hint">For non-AEAD/classic encryption algorithms, an integrity algorithm is required, a Diffie-Hellman group is optional (e.g. aes256-sha256 or aes256-sha256-ecp256). For combined-mode/AEAD algorithms, the integrity algorithm is omitted (e.g. aes256gcm16 or aes256gcm16-ecp256). If a DH group is specified IPsec SA rekeying will use a DH key exchange. However, DH groups specified here are not used when the connection is established initially because the keys there are derived from the IKE SA key material. Therefore, any configuration mismatch with the server will only cause errors later during rekeying.</string>
    <string name="profile_proxy_server_label">HTTP proxy server</string>
    <string name="profile_proxy_server_intro">Optional HTTP proxy server to use when connected to the VPN. This is only a recommendation and may be ignored by apps. Note that apps using the proxy will access all HTTP resources through it regardless of the destination, so split-tunneling settings might not have any effect. To avoid using the proxy server for specific hosts, use the exclusion list below.</string>
    <string name="profile_proxy_host_label">Proxy host</string>
    <string name="profile_proxy_host_hint">IP address or hostname of the HTTP proxy server to use when connected to the VPN</string>
    <string name="profile_proxy_port_label">Proxy port</string>
    <string name="profile_proxy_port_hint">Port to access the HTTP proxy server, defaults to 8080</string>
    <string name="profile_proxy_exclusions_label">Proxy exclusion list</string>
    <string name="profile_proxy_exclusions_hint">Optional list of hosts for which the HTTP proxy server is not used (separated by spaces, and wildcards are possible, e.g. \"direct.example.net *.example.com\")</string>
    <string name="profile_import">Import VPN profile</string>
    <string name="profile_import_failed">Failed to import VPN profile</string>
    <string name="profile_import_failed_detail">Failed to import VPN profile: %1$s</string>
--- a/src/frontends/android/app/src/main/res/values/strings_managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/values/strings_managed_configuration.xml
@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
    Copyright (C) 2025 Tobias Brunner
    Copyright (C) 2023 Relution GmbH
    Copyright (C) secunet Security Networks AG
@ -109,13 +108,4 @@
    <string name="managed_config_split_tunneling_block_ipv6_title">@string/profile_split_tunnelingv6_title</string>
    <string name="managed_config_split_tunneling_block_ipv6_description">Specifies whether to block IPv6 traffic that\'s not destined for the VPN. Forces all IPv6 traffic via VPN (traffic that does not match the negotiated traffic selector is then just dropped). Thus this is basically equivalent to including ::/0 in subnets</string>
    <!-- Managed configuration, VPN profile, proxy server -->
    <string name="managed_config_proxy_server_bundle_title">@string/profile_proxy_server_label</string>
    <string name="managed_config_proxy_server_bundle_description">@string/profile_proxy_server_intro</string>
    <string name="managed_config_proxy_host_title">@string/profile_proxy_host_label</string>
    <string name="managed_config_proxy_host_description">@string/profile_proxy_host_hint</string>
    <string name="managed_config_proxy_port_title">@string/profile_proxy_port_label</string>
    <string name="managed_config_proxy_port_description">@string/profile_proxy_port_hint</string>
    <string name="managed_config_proxy_exclusions_title">@string/profile_proxy_exclusions_label</string>
    <string name="managed_config_proxy_exclusions_description">@string/profile_proxy_exclusions_hint</string>
 </resources>
--- a/src/frontends/android/app/src/main/res/xml/managed_configuration.xml
+++ b/src/frontends/android/app/src/main/res/xml/managed_configuration.xml
@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
    Copyright (C) 2025 Tobias Brunner
    Copyright (C) 2023 Relution GmbH
    Copyright (C) secunet Security Networks AG
@ -306,35 +305,6 @@
            </restriction>
            <restriction
                android:description="@string/managed_config_proxy_server_bundle_description"
                android:key="proxy_server"
                android:restrictionType="bundle"
                android:title="@string/managed_config_proxy_server_bundle_title">
                <restriction
                    android:defaultValue=""
                    android:description="@string/managed_config_proxy_host_description"
                    android:key="proxy_host"
                    android:restrictionType="string"
                    android:title="@string/managed_config_proxy_host_title" />
                <restriction
                    android:defaultValue="-1"
                    android:description="@string/managed_config_proxy_port_description"
                    android:key="proxy_port"
                    android:restrictionType="integer"
                    android:title="@string/managed_config_proxy_port_description" />
                <restriction
                    android:defaultValue=""
                    android:description="@string/managed_config_proxy_exclusions_description"
                    android:key="proxy_exclusions"
                    android:restrictionType="string"
                    android:title="@string/managed_config_proxy_exclusions_title" />
            </restriction>
        </restriction>
    </restriction>
 </restrictions>
--- a/src/frontends/android/openssl/compile.sh
+++ b/src/frontends/android/openssl/compile.sh
@ -12,7 +12,7 @@ export PATH=${ANDROID_NDK_ROOT}/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH
 export ANDROID_NDK_HOME=${ANDROID_NDK_ROOT}
 # automatically determine the ABIs supported by the NDK
-: ${ABIS=$(jq -r 'map_values(select(.default == true)) | keys | join(" ")' ${ANDROID_NDK_ROOT}/meta/abis.json)}
+: ${ABIS=$(jq -r 'keys | join(" ")' ${ANDROID_NDK_ROOT}/meta/abis.json)}
 # this should match APP_PLATFORM
 : ${MIN_SDK=21}
@ -35,10 +35,6 @@ x86)
 x86_64)
 	OPTIONS="android-x86_64"
 	;;
 *)
 	echo "!! Skipping unknown ABI '${ABI}'"
 	continue
 	;;
 esac
 OPTIONS="${OPTIONS} \
--- a/src/frontends/gnome/NEWS
+++ b/src/frontends/gnome/NEWS
@ -1,14 +1,3 @@
 NetworkManager-strongswan-1.6.3
 -------------------------------
 - Fix configure/linker issue when not using GNU libtool
 - Update URL in metainfo
 NetworkManager-strongswan-1.6.2
 -------------------------------
 - Add support to configure local and remote traffic selectors
 NetworkManager-strongswan-1.6.1
 -------------------------------
--- a/src/frontends/gnome/NetworkManager-strongswan.metainfo.xml.in
+++ b/src/frontends/gnome/NetworkManager-strongswan.metainfo.xml.in
@ -31,7 +31,7 @@
    </screenshot>
  </screenshots>
-  <url type="homepage">https://docs.strongswan.org/docs/latest/features/networkManager.html</url>
+  <url type="homepage">https://docs.strongswan.org/docs/5.9/features/networkManager.html</url>
  <url type="bugtracker">https://github.com/strongswan/strongswan/issues</url>
  <url type="help">https://www.strongswan.org/support.html</url>
  <update_contact>info_AT_strongswan.org</update_contact>
--- a/src/frontends/gnome/configure.ac
+++ b/src/frontends/gnome/configure.ac
@ -1,6 +1,6 @@
 AC_PREREQ([2.69])
-AC_INIT([NetworkManager-strongswan],[1.6.3],[info@strongswan.org],[NetworkManager-strongswan])
+AC_INIT([NetworkManager-strongswan],[1.6.1],[info@strongswan.org],[NetworkManager-strongswan])
 AM_INIT_AUTOMAKE([subdir-objects])
 AM_MAINTAINER_MODE
@ -35,9 +35,8 @@ AC_PROG_GCC_TRADITIONAL
 AC_FUNC_MEMCMP
 AC_CHECK_FUNCS(select socket uname)
-LIBS=""
+AC_SEARCH_LIBS([dlopen], [dl dld], [], [ac_cv_search_dlopen=])
-AC_SEARCH_LIBS([dlopen], [dl dld], [DL_LIBS=$LIBS])
+AC_SUBST([DL_LIBS], "$ac_cv_search_dlopen")
 AC_SUBST([DL_LIBS])
 AM_GNU_GETTEXT_VERSION([0.19])
 AM_GNU_GETTEXT([external])
--- a/src/include/linux/udp.h
+++ b/src/include/linux/udp.h
@ -29,7 +29,6 @@ struct udphdr {
 /* UDP socket options */
 #define UDP_CORK	1	/* Never send partially complete segments */
 #define UDP_ENCAP	100	/* Set the socket to accept encapsulated packets */
 #define UDP_GRO		104	/* This socket can receive UDP GRO packets */
 /* UDP encapsulation types */
 #define UDP_ENCAP_ESPINUDP_NON_IKE	1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
--- a/src/include/linux/xfrm.h
+++ b/src/include/linux/xfrm.h
@ -154,8 +154,7 @@ enum {
 #define XFRM_MODE_ROUTEOPTIMIZATION 2
 #define XFRM_MODE_IN_TRIGGER 3
 #define XFRM_MODE_BEET 4
-#define XFRM_MODE_IPTFS 5
+#define XFRM_MODE_MAX 5
 #define XFRM_MODE_MAX 6
 /* Netlink configuration messages.  */
 enum {
@ -318,14 +317,6 @@ enum xfrm_attr_type_t {
 	XFRMA_IF_ID,		/* __u32 */
 	XFRMA_MTIMER_THRESH,	/* __u32 in seconds for input SA */
 	XFRMA_SA_DIR,		/* __u8 */
 	XFRMA_NAT_KEEPALIVE_INTERVAL,	/* __u32 in seconds for NAT keepalive */
 	XFRMA_SA_PCPU,		/* __u32 */
 	XFRMA_IPTFS_DROP_TIME,	/* __u32 in: usec to wait for next seq */
 	XFRMA_IPTFS_REORDER_WINDOW, /* __u16 in: reorder window size (pkts) */
 	XFRMA_IPTFS_DONT_FRAG,	/* out: don't use fragmentation */
 	XFRMA_IPTFS_INIT_DELAY,	/* __u32 out: initial packet wait delay (usec) */
 	XFRMA_IPTFS_MAX_QSIZE,	/* __u32 out: max ingress queue size (octets) */
 	XFRMA_IPTFS_PKT_SIZE,	/* __u32 out: size of outer packet, 0 for PMTU */
 	__XFRMA_MAX
 #define XFRMA_OUTPUT_MARK XFRMA_SET_MARK	/* Compatibility */
@ -441,7 +432,6 @@ struct xfrm_userpolicy_info {
 #define XFRM_POLICY_LOCALOK	1	/* Allow user to override global policy */
 	/* Automatically expand selector to include matching ICMP payloads. */
 #define XFRM_POLICY_ICMP	2
 #define XFRM_POLICY_CPU_ACQUIRE	4
 	__u8				share;
 };
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@ -50,8 +50,7 @@ encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
 kernel/kernel_interface.c kernel/kernel_interface.h \
 kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
 kernel/kernel_net.c kernel/kernel_net.h \
-kernel/kernel_listener.c kernel/kernel_listener.h \
+kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@ -48,8 +48,7 @@ encoding/payloads/fragment_payload.c encoding/payloads/fragment_payload.h \
 kernel/kernel_interface.c kernel/kernel_interface.h \
 kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
 kernel/kernel_net.c kernel/kernel_net.h \
-kernel/kernel_listener.c kernel/kernel_listener.h \
+kernel/kernel_listener.h kernel/kernel_handler.c kernel/kernel_handler.h \
 kernel/kernel_handler.c kernel/kernel_handler.h \
 network/receiver.c network/receiver.h network/sender.c network/sender.h \
 network/socket.c network/socket.h \
 network/socket_manager.c network/socket_manager.h \
@ -670,6 +669,13 @@ if MONOLITHIC
 endif
 endif
 if USE_UCI
  SUBDIRS += plugins/uci
 if MONOLITHIC
  libcharon_la_LIBADD += plugins/uci/libstrongswan-uci.la
 endif
 endif
 if USE_ADDRBLOCK
  SUBDIRS += plugins/addrblock
 if MONOLITHIC
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@ -182,9 +182,6 @@ struct listener_t {
 	 * peer_cfg (and the old hosts), but before resolving the hosts anew.
 	 * It is not invoked on the responder.
 	 *
 	 * If this is called during a reauthentication, COND_REAUTHENTICATING is
 	 * set on the old IKE_SA and the hosts are not resolved anew.
 	 *
 	 * @param old		IKE_SA getting reestablished (is destroyed)
 	 * @param new		new IKE_SA replacing old (gets established)
 	 * @return			TRUE to stay registered, FALSE to unregister
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2025 Tobias Brunner
+ * Copyright (C) 2008-2019 Tobias Brunner
 * Copyright (C) 2016 Andreas Steffen
 * Copyright (C) 2005-2007 Martin Willi
 * Copyright (C) 2005 Jan Hutter
@ -67,12 +67,12 @@ struct private_child_cfg_t {
 	/**
 	 * list for traffic selectors for my site
 	 */
-	traffic_selector_list_t *my_ts;
+	linked_list_t *my_ts;
 	/**
 	 * list for traffic selectors for others site
 	 */
-	traffic_selector_list_t *other_ts;
+	linked_list_t *other_ts;
 	/**
 	 * updown script
@ -258,64 +258,163 @@ METHOD(child_cfg_t, add_traffic_selector, void,
 {
 	if (local)
 	{
-		this->my_ts->add(this->my_ts, ts);
+		this->my_ts->insert_last(this->my_ts, ts);
 	}
 	else
 	{
-		this->other_ts->add(this->other_ts, ts);
+		this->other_ts->insert_last(this->other_ts, ts);
 	}
 }
 /**
 * Check whether the config is for regular transport mode.
 */
 static bool is_transport_mode(private_child_cfg_t *this)
 {
 	return this->mode == MODE_TRANSPORT && !has_option(this, OPT_PROXY_MODE);
 }
 METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 	private_child_cfg_t *this, bool local, linked_list_t *hosts)
 {
 	traffic_selector_list_t *ts = local ? this->my_ts : this->other_ts;
 	/* force replacing non-dynamic TS to the IPs in transport mode */
 	return ts->get(ts, hosts, is_transport_mode(this));
 }
 /*
 * Described in header
 */
 linked_list_t *child_cfg_select_ts(child_cfg_t *cfg, bool local,
 								   traffic_selector_list_t *list,
 								   linked_list_t *supplied, linked_list_t *hosts)
 {
 	private_child_cfg_t *this = (private_child_cfg_t*)cfg;
 	traffic_selector_list_t *ts = list ?: (local ? this->my_ts : this->other_ts);
 	linked_list_t *result;
 	bool force, narrowed = FALSE;
 	DBG2(DBG_CFG, "%s traffic selectors for %s:",
 		 supplied ? "selecting" : "proposing", local ? "us" : "other");
 	/* force replacing non-dynamic TS to the IPs in transport mode, but only
 	 * when proposing as initiator */
 	force = !supplied && is_transport_mode(this);
 	result = ts->select(ts, supplied, hosts, force, &narrowed);
 	if (narrowed)
 	{
 		charon->bus->alert(charon->bus, ALERT_TS_NARROWED,
 						   local, result, this);
 	}
 	return result;
 }
 METHOD(child_cfg_t, select_traffic_selectors, linked_list_t*,
 	private_child_cfg_t *this, bool local, linked_list_t *supplied,
-	linked_list_t *hosts)
+	linked_list_t *hosts, bool log)
 {
-	return child_cfg_select_ts(&this->public, local, NULL, supplied, hosts);
+	enumerator_t *e1, *e2;
 	traffic_selector_t *ts1, *ts2, *selected;
 	linked_list_t *result, *derived;
 	host_t *host;
 	result = linked_list_create();
 	derived = linked_list_create();
 	if (local)
 	{
 		e1 = this->my_ts->create_enumerator(this->my_ts);
 	}
 	else
 	{
 		e1 = this->other_ts->create_enumerator(this->other_ts);
 	}
 	/* in a first step, replace "dynamic" TS with the host list */
 	while (e1->enumerate(e1, &ts1))
 	{
 		if (hosts && hosts->get_count(hosts))
 		{	/* set hosts if TS is dynamic or as initiator in transport mode */
 			bool dynamic = ts1->is_dynamic(ts1),
 				 proxy_mode = has_option(this, OPT_PROXY_MODE);
 			if (dynamic || (this->mode == MODE_TRANSPORT && !proxy_mode &&
 							!supplied))
 			{
 				e2 = hosts->create_enumerator(hosts);
 				while (e2->enumerate(e2, &host))
 				{
 					if (!dynamic && !host->is_anyaddr(host) &&
 						!ts1->includes(ts1, host))
 					{	/* for transport mode, we skip TS that don't match
 						 * specific IPs */
 						continue;
 					}
 					ts2 = ts1->clone(ts1);
 					if (dynamic || !host->is_anyaddr(host))
 					{	/* don't make regular TS larger than they were */
 						ts2->set_address(ts2, host);
 					}
 					derived->insert_last(derived, ts2);
 				}
 				e2->destroy(e2);
 				continue;
 			}
 		}
 		derived->insert_last(derived, ts1->clone(ts1));
 	}
 	e1->destroy(e1);
 	if (log)
 	{
 		DBG2(DBG_CFG, "%s traffic selectors for %s:",
 			 supplied ? "selecting" : "proposing", local ? "us" : "other");
 	}
 	if (!supplied)
 	{
 		while (derived->remove_first(derived, (void**)&ts1) == SUCCESS)
 		{
 			if (log)
 			{
 				DBG2(DBG_CFG, " %R", ts1);
 			}
 			result->insert_last(result, ts1);
 		}
 		derived->destroy(derived);
 	}
 	else
 	{
 		e1 = derived->create_enumerator(derived);
 		e2 = supplied->create_enumerator(supplied);
 		/* enumerate all configured/derived selectors */
 		while (e1->enumerate(e1, &ts1))
 		{
 			/* enumerate all supplied traffic selectors */
 			while (e2->enumerate(e2, &ts2))
 			{
 				selected = ts1->get_subset(ts1, ts2);
 				if (selected)
 				{
 					if (log)
 					{
 						DBG2(DBG_CFG, " config: %R, received: %R => match: %R",
 							 ts1, ts2, selected);
 					}
 					result->insert_last(result, selected);
 				}
 				else if (log)
 				{
 					DBG2(DBG_CFG, " config: %R, received: %R => no match",
 						 ts1, ts2);
 				}
 			}
 			supplied->reset_enumerator(supplied, e2);
 		}
 		e1->destroy(e1);
 		e2->destroy(e2);
 		/* check if we/peer did any narrowing, raise alert */
 		e1 = derived->create_enumerator(derived);
 		e2 = result->create_enumerator(result);
 		while (e1->enumerate(e1, &ts1))
 		{
 			if (!e2->enumerate(e2, &ts2) || !ts1->equals(ts1, ts2))
 			{
 				charon->bus->alert(charon->bus, ALERT_TS_NARROWED,
 								   local, result, this);
 				break;
 			}
 		}
 		e1->destroy(e1);
 		e2->destroy(e2);
 		derived->destroy_offset(derived, offsetof(traffic_selector_t, destroy));
 	}
 	/* remove any redundant traffic selectors in the list */
 	e1 = result->create_enumerator(result);
 	e2 = result->create_enumerator(result);
 	while (e1->enumerate(e1, &ts1))
 	{
 		while (e2->enumerate(e2, &ts2))
 		{
 			if (ts1 != ts2)
 			{
 				if (ts2->is_contained_in(ts2, ts1))
 				{
 					result->remove_at(result, e2);
 					ts2->destroy(ts2);
 					result->reset_enumerator(result, e1);
 					break;
 				}
 				if (ts1->is_contained_in(ts1, ts2))
 				{
 					result->remove_at(result, e1);
 					ts1->destroy(ts1);
 					break;
 				}
 			}
 		}
 		result->reset_enumerator(result, e2);
 	}
 	e1->destroy(e1);
 	e2->destroy(e2);
 	return result;
 }
 METHOD(child_cfg_t, get_updown, char*,
@ -582,8 +681,13 @@ METHOD(child_cfg_t, equals, bool,
 	{
 		return FALSE;
 	}
-	if (!this->my_ts->equals(this->my_ts, other->my_ts) ||
+	if (!this->my_ts->equals_offset(this->my_ts, other->my_ts,
-		!this->other_ts->equals(this->other_ts, other->other_ts))
+									offsetof(traffic_selector_t, equals)))
 	{
 		return FALSE;
 	}
 	if (!this->other_ts->equals_offset(this->other_ts, other->other_ts,
 									   offsetof(traffic_selector_t, equals)))
 	{
 		return FALSE;
 	}
@ -629,8 +733,8 @@ METHOD(child_cfg_t, destroy, void,
 	if (ref_put(&this->refcount))
 	{
 		this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
-		this->my_ts->destroy(this->my_ts);
+		this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
-		this->other_ts->destroy(this->other_ts);
+		this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
 		DESTROY_IF(this->label);
 		free(this->updown);
 		free(this->interface);
@ -651,7 +755,6 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 			.get_name = _get_name,
 			.add_traffic_selector = _add_traffic_selector,
 			.get_traffic_selectors = _get_traffic_selectors,
 			.select_traffic_selectors = _select_traffic_selectors,
 			.add_proposal = _add_proposal,
 			.get_proposals = _get_proposals,
 			.select_proposal = _select_proposal,
@ -706,8 +809,8 @@ child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data)
 		.interface = strdupnull(data->interface),
 		.refcount = 1,
 		.proposals = linked_list_create(),
-		.my_ts = traffic_selector_list_create(),
+		.my_ts = linked_list_create(),
-		.other_ts = traffic_selector_list_create(),
+		.other_ts = linked_list_create(),
 		.replay_window = lib->settings->get_int(lib->settings,
 							"%s.replay_window", DEFAULT_REPLAY_WINDOW, lib->ns),
 		.hw_offload = data->hw_offload,
--- a/src/libcharon/config/child_cfg.h
+++ b/src/libcharon/config/child_cfg.h
@ -32,7 +32,6 @@ typedef struct child_cfg_create_t child_cfg_create_t;
 #include <library.h>
 #include <selectors/traffic_selector.h>
 #include <selectors/traffic_selector_list.h>
 #include <crypto/proposal/proposal.h>
 #include <kernel/kernel_ipsec.h>
@ -120,53 +119,26 @@ struct child_cfg_t {
 								 traffic_selector_t *ts);
 	/**
-	 * Get a list of configured traffic selectors to use for the CHILD_SA.
+	 * Get a list of traffic selectors to use for the CHILD_SA.
 	 *
-	 * The config contains two sets of traffic selectors, one for the local
+	 * The config contains two set of traffic selectors, one for the local
 	 * side, one for the remote side.
 	 *
 	 * Some traffic selectors may be "dynamic", meaning they are narrowed down
 	 * to a specific address (host-to-host or virtual-IP setups). Use the
 	 * \p hosts parameter to narrow such traffic selectors to an address.
 	 *
 	 * Returned list and its traffic selectors must be destroyed after use.
 	 *
 	 * Note that this method does not log anything. If logging is required, use
 	 * select_traffic_selectors() without passing supplied traffic selectors.
 	 *
 	 * @param local			TRUE for TS on local side, FALSE for remote
 	 * @param hosts			addresses to use for narrowing "dynamic" TS', host_t
 	 * @return				list containing the traffic selectors
 	 */
 	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
 											linked_list_t *hosts);
 	/**
 	 * Select a list of traffic selectors to use for the CHILD_SA.
 	 *
 	 * The config contains two sets of traffic selectors, one for the local
 	 * side, one for the remote side.
 	 *
 	 * If a list with traffic selectors is supplied, these are used to narrow
-	 * down the traffic selector list to the greatest common subset.
+	 * down the traffic selector list to the greatest common divisor.
-	 *
+	 * Some traffic selector may be "dynamic", meaning they are narrowed down
-	 * Some traffic selectors may be "dynamic", meaning they are narrowed down
+	 * to a specific address (host-to-host or virtual-IP setups). Use
-	 * to a specific address (host-to-host or virtual-IP setups). Use the
+	 * the "host" parameter to narrow such traffic selectors to that address.
-	 * \p hosts parameter to narrow such traffic selectors to an address.
+	 * Resulted list and its traffic selectors must be destroyed after use.
 	 *
 	 * Returned list and its traffic selectors must be destroyed after use.
 	 *
 	 * Details about the selection process are logged and an alert is triggered
 	 * if narrowing occurred.
 	 *
 	 * @param local			TRUE for TS on local side, FALSE for remote
 	 * @param supplied		list with TS to select from, or NULL
 	 * @param hosts			addresses to use for narrowing "dynamic" TS', host_t
 	 * @param log			FALSE to avoid logging details about the selection
 	 * @return				list containing the traffic selectors
 	 */
-	linked_list_t *(*select_traffic_selectors)(child_cfg_t *this, bool local,
+	linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
-											   linked_list_t *supplied,
+											linked_list_t *supplied,
-											   linked_list_t *hosts);
+											linked_list_t *hosts, bool log);
 	/**
 	 * Get the updown script to run for the CHILD_SA.
@ -414,12 +386,6 @@ enum child_cfg_option_t {
 	/** Disable copying the ECN header field in tunnel mode */
 	OPT_NO_COPY_ECN = (1<<8),
 	/** Enable per-CPU CHILD_SAs */
 	OPT_PER_CPU_SAS = (1<<9),
 	/** Enable UDP encapsulation for per-CPU CHILD_SAs */
 	OPT_PER_CPU_SAS_ENCAP = (1<<10),
 };
 /**
@ -483,21 +449,4 @@ struct child_cfg_create_t {
 */
 child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
 /**
 * Select and narrow traffic selectors in the given traffic selector list.
 * Refer to child_cfg_t::select_traffic_selectors() for details, the difference
 * is that this can work with external traffic selector lists.
 *
 * @param this				config to use
 * @param local				TRUE for TS on local side, FALSE for remote (also
 *							used for logging)
 * @param list				traffic selectors to use instead of those in config
 * @param supplied			list with TS to select from, or NULL
 * @param hosts				addresses to use for narrowing "dynamic" TS', host_t
 * @return					list containing the traffic selectors
 */
 linked_list_t *child_cfg_select_ts(child_cfg_t *this, bool local,
 								   traffic_selector_list_t *list,
 								   linked_list_t *supplied, linked_list_t *hosts);
 #endif /** CHILD_CFG_H_ @}*/
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2025 Tobias Brunner
+ * Copyright (C) 2007-2019 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 *
@ -68,11 +68,6 @@ struct private_peer_cfg_t {
 	 */
 	char *name;
 	/**
 	 * Options
 	 */
 	peer_cfg_option_t options;
 	/**
 	 * IKE config associated to this peer config
 	 */
@ -108,6 +103,21 @@ struct private_peer_cfg_t {
 	 */
 	uint32_t keyingtries;
 	/**
 	 * enable support for MOBIKE
 	 */
 	bool use_mobike;
 	/**
 	 * Use aggressive mode?
 	 */
 	bool aggressive;
 	/**
 	 * Use pull or push in mode config?
 	 */
 	bool pull_mode;
 	/**
 	 * Time before starting rekeying
 	 */
@ -173,6 +183,11 @@ struct private_peer_cfg_t {
 	 */
 	identification_t *ppk_id;
 	/**
 	 * Whether a PPK is required
 	 */
 	bool ppk_required;
 #ifdef ME
 	/**
 	 * Is this a mediation connection?
@ -198,12 +213,6 @@ METHOD(peer_cfg_t, get_name, char*,
 	return this->name;
 }
 METHOD(peer_cfg_t, has_option, bool,
 	private_peer_cfg_t *this, peer_cfg_option_t option)
 {
 	return this->options & option;
 }
 METHOD(peer_cfg_t, get_ike_version, ike_version_t,
 	private_peer_cfg_t *this)
 {
@ -414,7 +423,7 @@ static u_int get_ts_match(child_cfg_t *cfg, bool local,
 	}
 	/* fetch configured TS list, narrowing dynamic TS */
-	cfg_list = cfg->select_traffic_selectors(cfg, local, NULL, hosts);
+	cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, hosts, TRUE);
 	/* use a round counter to rate leading TS with higher priority */
 	round = sup_list->get_count(sup_list);
@ -550,6 +559,24 @@ METHOD(peer_cfg_t, get_over_time, uint32_t,
 	return this->over_time;
 }
 METHOD(peer_cfg_t, use_mobike, bool,
 	private_peer_cfg_t *this)
 {
 	return this->use_mobike;
 }
 METHOD(peer_cfg_t, use_aggressive, bool,
 	private_peer_cfg_t *this)
 {
 	return this->aggressive;
 }
 METHOD(peer_cfg_t, use_pull_mode, bool,
 	private_peer_cfg_t *this)
 {
 	return this->pull_mode;
 }
 METHOD(peer_cfg_t, get_dpd, uint32_t,
 	private_peer_cfg_t *this)
 {
@ -621,6 +648,12 @@ METHOD(peer_cfg_t, get_ppk_id, identification_t*,
 	return this->ppk_id;
 }
 METHOD(peer_cfg_t, ppk_required, bool,
 	private_peer_cfg_t *this)
 {
 	return this->ppk_required;
 }
 #ifdef ME
 METHOD(peer_cfg_t, is_mediation, bool,
 	private_peer_cfg_t *this)
@ -724,20 +757,23 @@ METHOD(peer_cfg_t, equals, bool,
 		return FALSE;
 	}
 	return (
 		this->options == other->options &&
 		get_ike_version(this) == get_ike_version(other) &&
 		this->cert_policy == other->cert_policy &&
 		this->ocsp_policy == other->ocsp_policy &&
 		this->unique == other->unique &&
 		this->keyingtries == other->keyingtries &&
 		this->use_mobike == other->use_mobike &&
 		this->rekey_time == other->rekey_time &&
 		this->reauth_time == other->reauth_time &&
 		this->jitter_time == other->jitter_time &&
 		this->over_time == other->over_time &&
 		this->dpd == other->dpd &&
 		this->aggressive == other->aggressive &&
 		this->pull_mode == other->pull_mode &&
 		auth_cfg_equal(this, other) &&
 		this->if_id_in == other->if_id_in &&
 		this->if_id_out == other->if_id_out &&
 		this->ppk_required == other->ppk_required &&
 		id_equal(this->ppk_id, other->ppk_id)
 #ifdef ME
 		&& this->mediation == other->mediation &&
@ -803,7 +839,6 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
 	INIT(this,
 		.public = {
 			.get_name = _get_name,
 			.has_option = _has_option,
 			.get_ike_version = _get_ike_version,
 			.get_ike_cfg = _get_ike_cfg,
 			.add_child_cfg = _add_child_cfg,
@ -818,6 +853,9 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
 			.get_rekey_time = _get_rekey_time,
 			.get_reauth_time = _get_reauth_time,
 			.get_over_time = _get_over_time,
 			.use_mobike = _use_mobike,
 			.use_aggressive = _use_aggressive,
 			.use_pull_mode = _use_pull_mode,
 			.get_dpd = _get_dpd,
 			.get_dpd_timeout = _get_dpd_timeout,
 			.add_virtual_ip = _add_virtual_ip,
@ -828,6 +866,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
 			.create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
 			.get_if_id = _get_if_id,
 			.get_ppk_id = _get_ppk_id,
 			.ppk_required = _ppk_required,
 			.equals = (void*)_equals,
 			.get_ref = _get_ref,
 			.destroy = _destroy,
@ -838,7 +877,6 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
 #endif /* ME */
 		},
 		.name = strdup(name),
 		.options = data->options,
 		.ike_cfg = ike_cfg,
 		.child_cfgs = linked_list_create(),
 		.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
@ -850,11 +888,15 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
 		.reauth_time = data->reauth_time,
 		.jitter_time = data->jitter_time,
 		.over_time = data->over_time,
 		.use_mobike = !data->no_mobike,
 		.aggressive = data->aggressive,
 		.pull_mode = !data->push_mode,
 		.dpd = data->dpd,
 		.dpd_timeout = data->dpd_timeout,
 		.if_id_in = data->if_id_in,
 		.if_id_out = data->if_id_out,
 		.ppk_id = data->ppk_id,
 		.ppk_required = data->ppk_required,
 		.vips = linked_list_create(),
 		.pools = linked_list_create(),
 		.local_auth = linked_list_create(),
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2025 Tobias Brunner
+ * Copyright (C) 2007-2019 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 *
@ -27,7 +27,6 @@
 typedef enum cert_policy_t cert_policy_t;
 typedef enum ocsp_policy_t ocsp_policy_t;
 typedef enum unique_policy_t unique_policy_t;
 typedef enum peer_cfg_option_t peer_cfg_option_t;
 typedef struct peer_cfg_t peer_cfg_t;
 typedef struct peer_cfg_create_t peer_cfg_create_t;
@ -148,14 +147,6 @@ struct peer_cfg_t {
 	 */
 	char* (*get_name) (peer_cfg_t *this);
 	/**
 	 * Check if an option flag is set.
 	 *
 	 * @param option		option flag to check
 	 * @return				TRUE if option flag set, FALSE otherwise
 	 */
 	bool (*has_option)(peer_cfg_t *this, peer_cfg_option_t option);
 	/**
 	 * Get the IKE version to use for initiating.
 	 *
@ -286,6 +277,27 @@ struct peer_cfg_t {
 	 */
 	uint32_t (*get_over_time)(peer_cfg_t *this);
 	/**
 	 * Use MOBIKE (RFC4555) if peer supports it?
 	 *
 	 * @return			TRUE to enable MOBIKE support
 	 */
 	bool (*use_mobike) (peer_cfg_t *this);
 	/**
 	 * Use/Accept aggressive mode with IKEv1?.
 	 *
 	 * @return			TRUE to use aggressive mode
 	 */
 	bool (*use_aggressive)(peer_cfg_t *this);
 	/**
 	 * Use pull or push mode for mode config?
 	 *
 	 * @return			TRUE to use pull, FALSE to use push mode
 	 */
 	bool (*use_pull_mode)(peer_cfg_t *this);
 	/**
 	 * Get the DPD check interval.
 	 *
@ -345,6 +357,13 @@ struct peer_cfg_t {
 	 */
 	identification_t *(*get_ppk_id)(peer_cfg_t *this);
 	/**
 	 * Whether a PPK is required with this peer.
 	 *
 	 * @return				TRUE, if a PPK is required
 	 */
 	bool (*ppk_required)(peer_cfg_t *this);
 #ifdef ME
 	/**
 	 * Is this a mediation connection?
@ -399,30 +418,10 @@ struct peer_cfg_t {
 	void (*destroy) (peer_cfg_t *this);
 };
 /**
 * Option flags that may be set on a peer_cfg_t object.
 */
 enum peer_cfg_option_t {
 	/** Disable MOBIKE (RFC 4555) */
 	OPT_NO_MOBIKE = (1<<0),
 	/** Use/accept aggressive mode with IKEv1 */
 	OPT_IKEV1_AGGRESSIVE = (1<<1),
 	/** Use IKEv1 modeconfig in push mode (otherwise, pull mode is used) */
 	OPT_IKEV1_PUSH_MODE = (1<<2),
 	/** Require a PPK (otherwise, it's optional) */
 	OPT_PPK_REQUIRED = (1<<3),
 };
 /**
 * Data passed to the constructor of a peer_cfg_t object.
 */
 struct peer_cfg_create_t {
 	/** Options set for peer_cfg_t */
 	peer_cfg_option_t options;
 	/** Whether to send a certificate payload */
 	cert_policy_t cert_policy;
 	/** Whether to send OCSP status request/response */
@ -439,6 +438,12 @@ struct peer_cfg_create_t {
 	uint32_t jitter_time;
 	/** Maximum overtime in seconds before closing a rekeying/reauth SA */
 	uint32_t over_time;
 	/** Disable MOBIKE (RFC4555) */
 	bool no_mobike;
 	/** Use/accept aggressive mode with IKEv1 */
 	bool aggressive;
 	/** TRUE to use modeconfig push, FALSE for pull */
 	bool push_mode;
 	/** DPD check interval, 0 to disable */
 	uint32_t dpd;
 	/** DPD timeout interval (IKEv1 only), if 0 default applies */
@ -449,6 +454,8 @@ struct peer_cfg_create_t {
 	uint32_t if_id_out;
 	/** Postquantum Preshared Key ID (adopted) */
 	identification_t *ppk_id;
 	/** TRUE if a PPK is required, FALSE if it's optional */
 	bool ppk_required;
 #ifdef ME
 	/** TRUE if this is a mediation connection */
 	bool mediation;
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@ -400,8 +400,6 @@ METHOD(job_t, destroy_job, void,
 	{
 		this->listener.lock->destroy(this->listener.lock);
 		DESTROY_IF(this->listener.done);
 		DESTROY_IF(this->listener.child_cfg);
 		DESTROY_IF(this->listener.peer_cfg);
 		free(this);
 	}
 }
@ -418,11 +416,14 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 {
 	ike_sa_t *ike_sa;
 	interface_listener_t *listener = &job->listener;
 	peer_cfg_t *peer_cfg = listener->peer_cfg;
 	ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
-														listener->peer_cfg);
+														peer_cfg);
 	peer_cfg->destroy(peer_cfg);
 	if (!ike_sa)
 	{
 		DESTROY_IF(listener->child_cfg);
 		listener->status = FAILED;
 		listener_done(listener);
 		return JOB_REQUEUE_NONE;
@ -448,6 +449,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 				 "%d exceeds limit of %d", half_open, limit_half_open);
 			charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
 														ike_sa);
 			DESTROY_IF(listener->child_cfg);
 			listener->status = INVALID_STATE;
 			listener_done(listener);
 			return JOB_REQUEUE_NONE;
@ -466,6 +468,7 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 					 "limit of %d", jobs, limit_job_load);
 				charon->ike_sa_manager->checkin_and_destroy(
 												charon->ike_sa_manager, ike_sa);
 				DESTROY_IF(listener->child_cfg);
 				listener->status = INVALID_STATE;
 				listener_done(listener);
 				return JOB_REQUEUE_NONE;
@ -473,10 +476,6 @@ METHOD(job_t, initiate_execute, job_requeue_t,
 		}
 	}
 	if (listener->child_cfg)
 	{
 		listener->child_cfg->get_ref(listener->child_cfg);
 	}
 	if (ike_sa->initiate(ike_sa, listener->child_cfg, NULL) == SUCCESS)
 	{
 		if (!listener->logger.callback ||
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2025 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005 Jan Hutter
@ -106,9 +106,9 @@ struct private_daemon_t {
 	mutex_t *mutex;
 	/**
-	 * Initialization (e.g. integrity check) failed?
+	 * Integrity check failed?
 	 */
-	bool init_failed;
+	bool integrity_failed;
 	/**
 	 * Number of times we have been initialized
@ -193,30 +193,6 @@ void register_custom_logger(char *name,
 	}
 }
 #define MAX_LIBCHARON_INIT_FUNCTIONS 10
 /**
 * Static array for init function registration using __attribute__((constructor))
 */
 static library_init_t init_functions[MAX_LIBCHARON_INIT_FUNCTIONS];
 static int init_function_count;
 /**
 * Described in header
 */
 void libcharon_init_register(library_init_t init)
 {
 	if (init_function_count < MAX_LIBCHARON_INIT_FUNCTIONS - 1)
 	{
 		init_functions[init_function_count++] = init;
 	}
 	else
 	{
 		fprintf(stderr, "failed to register init function, please increase "
 				"MAX_LIBCHARON_INIT_FUNCTIONS");
 	}
 }
 /**
 * Types of supported loggers
 */
@ -392,7 +368,7 @@ static logger_entry_t *get_logger_entry(char *target, logger_type_t type,
 												get_syslog_facility(target));
 				break;
 #else
-				logger_entry_destroy(entry);
+				free(entry);
 				return NULL;
 #endif /* HAVE_SYSLOG */
 			case CUSTOM_LOGGER:
@ -402,7 +378,7 @@ static logger_entry_t *get_logger_entry(char *target, logger_type_t type,
 				}
 				if (!entry->logger.custom)
 				{
-					logger_entry_destroy(entry);
+					free(entry);
 					return NULL;
 				}
 				break;
@ -1004,7 +980,6 @@ private_daemon_t *daemon_create()
 void libcharon_deinit()
 {
 	private_daemon_t *this = (private_daemon_t*)charon;
 	int i;
 	if (!this || !ref_put(&this->ref))
 	{	/* have more users */
@ -1013,11 +988,6 @@ void libcharon_deinit()
 	run_scripts(this, "stop");
 	for (i = 0; i < init_function_count; ++i)
 	{
 		init_functions[i](FALSE);
 	}
 	destroy(this);
 	charon = NULL;
 }
@ -1028,13 +998,12 @@ void libcharon_deinit()
 bool libcharon_init()
 {
 	private_daemon_t *this;
 	int i;
 	if (charon)
 	{	/* already initialized, increase refcount */
 		this = (private_daemon_t*)charon;
 		ref_get(&this->ref);
-		return !this->init_failed;
+		return !this->integrity_failed;
 	}
 	this = daemon_create();
@ -1050,15 +1019,7 @@ bool libcharon_init()
 		!lib->integrity->check(lib->integrity, "libcharon", libcharon_init))
 	{
 		dbg(DBG_DMN, 1, "integrity check of libcharon failed");
-		this->init_failed = TRUE;
+		this->integrity_failed = TRUE;
 	}
-
+	return !this->integrity_failed;
 	for (i = 0; i < init_function_count; ++i)
 	{
 		if (!init_functions[i](TRUE))
 		{
 			this->init_failed = TRUE;
 		}
 	}
 	return !this->init_failed;
 }
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2025 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005 Jan Hutter
@ -391,16 +391,6 @@ bool libcharon_init();
 */
 void libcharon_deinit();
 /**
 * Register a custom init function that's called at the end of libcharon_init()
 * and the start of libcharon_deinit().
 *
 * To be called from __attribute__((constructor)) functions.
 *
 * @param init				init function
 */
 void libcharon_init_register(library_init_t init);
 /**
 * Register a custom logger constructor.
 *
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@ -2100,7 +2100,7 @@ static message_t *create_fragment(private_message_t *this, payload_type_t next,
 		 * or transaction messages. */
 		ike_sa = charon->bus->get_sa(charon->bus);
 		if (ike_sa && (peer_cfg = ike_sa->get_peer_cfg(ike_sa)) &&
-			peer_cfg->has_option(peer_cfg, OPT_IKEV1_AGGRESSIVE))
+			peer_cfg->use_aggressive(peer_cfg))
 		{
 			message->set_exchange_type(message, AGGRESSIVE);
 		}
--- a/src/libcharon/encoding/payloads/encrypted_payload.c
+++ b/src/libcharon/encoding/payloads/encrypted_payload.c
@ -1023,7 +1023,7 @@ encrypted_fragment_payload_t *encrypted_fragment_payload_create()
 				.get_length = _frag_get_length,
 				.add_payload = _frag_add_payload,
 				.remove_payload = (void*)return_null,
-				.generate_payloads = (void*)nop,
+				.generate_payloads = nop,
 				.set_transform = _frag_set_transform,
 				.get_transform = _frag_get_transform,
 				.encrypt = _frag_encrypt,
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@ -61,10 +61,9 @@ ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUTHENTIC
 	"USE_ASSIGNED_HoA",
 	"TEMPORARY_FAILURE",
 	"CHILD_SA_NOT_FOUND");
-ENUM_NEXT(notify_type_names, STATE_NOT_FOUND, TS_MAX_QUEUE, CHILD_SA_NOT_FOUND,
+ENUM_NEXT(notify_type_names, STATE_NOT_FOUND, STATE_NOT_FOUND, CHILD_SA_NOT_FOUND,
-	"STATE_NOT_FOUND",
+	"STATE_NOT_FOUND");
-	"TS_MAX_QUEUE");
+ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, STATE_NOT_FOUND,
 ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, TS_MAX_QUEUE,
 	"ME_CONNECT_FAILED");
 ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_NOTIFY_STATUS");
@ -122,12 +121,9 @@ ENUM_NEXT(notify_type_names, USE_PPK, INTERMEDIATE_EXCHANGE_SUPPORTED, SIGNATURE
 	"PPK_IDENTITY",
 	"NO_PPK_AUTH",
 	"INTERMEDIATE_EXCHANGE_SUPPORTED");
-ENUM_NEXT(notify_type_names, ADDITIONAL_KEY_EXCHANGE, USE_AGGFRAG, INTERMEDIATE_EXCHANGE_SUPPORTED,
+ENUM_NEXT(notify_type_names, ADDITIONAL_KEY_EXCHANGE, ADDITIONAL_KEY_EXCHANGE, INTERMEDIATE_EXCHANGE_SUPPORTED,
-	"ADDITIONAL_KEY_EXCHANGE",
+	"ADDITIONAL_KEY_EXCHANGE");
-	"USE_AGGFRAG");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ADDITIONAL_KEY_EXCHANGE,
 ENUM_NEXT(notify_type_names, SA_RESOURCE_INFO, SA_RESOURCE_INFO, USE_AGGFRAG,
 	"SA_RESOURCE_INFO");
 ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SA_RESOURCE_INFO,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD_R_U_THERE",
@ -184,10 +180,9 @@ ENUM_NEXT(notify_type_short_names, SINGLE_PAIR_REQUIRED, CHILD_SA_NOT_FOUND, AUT
 	"ASSIGNED_HoA",
 	"TEMP_FAIL",
 	"NO_CHILD_SA");
-ENUM_NEXT(notify_type_short_names, STATE_NOT_FOUND, TS_MAX_QUEUE, CHILD_SA_NOT_FOUND,
+ENUM_NEXT(notify_type_short_names, STATE_NOT_FOUND, STATE_NOT_FOUND, CHILD_SA_NOT_FOUND,
-	"NO_STATE",
+	"NO_STATE");
-	"MAX_QUEUE");
+ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, STATE_NOT_FOUND,
 ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, TS_MAX_QUEUE,
 	"ME_CONN_FAIL");
 ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
 	"MS_STATUS");
@ -245,12 +240,9 @@ ENUM_NEXT(notify_type_short_names, USE_PPK, INTERMEDIATE_EXCHANGE_SUPPORTED, SIG
 	"PPK_ID",
 	"NO_PPK",
 	"IKE_INT_SUP");
-ENUM_NEXT(notify_type_short_names, ADDITIONAL_KEY_EXCHANGE, USE_AGGFRAG, INTERMEDIATE_EXCHANGE_SUPPORTED,
+ENUM_NEXT(notify_type_short_names, ADDITIONAL_KEY_EXCHANGE, ADDITIONAL_KEY_EXCHANGE, INTERMEDIATE_EXCHANGE_SUPPORTED,
-	"ADD_KE",
+	"ADD_KE");
-	"AGGFRAG");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, ADDITIONAL_KEY_EXCHANGE,
 ENUM_NEXT(notify_type_short_names, SA_RESOURCE_INFO, SA_RESOURCE_INFO, USE_AGGFRAG,
 	"RES_INFO");
 ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SA_RESOURCE_INFO,
 	"INITIAL_CONTACT");
 ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
 	"DPD",
@ -562,12 +554,6 @@ METHOD(payload_t, verify, status_t,
 				bad_length = TRUE;
 			}
 			break;
 		case USE_AGGFRAG:
 			if (this->notify_data.len != 1)
 			{
 				bad_length = TRUE;
 			}
 			break;
 		default:
 			/* TODO: verify */
 			break;
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@ -82,8 +82,6 @@ enum notify_type_t {
 	/* multiple key exchanges, RFC 9370 */
 	STATE_NOT_FOUND = 47,
 	/* No more per-resource CHILD_SAs, RFC 9611 */
 	TS_MAX_QUEUE = 48,
 	/* IKE-ME, private use */
 	ME_CONNECT_FAILED = 8192,
@ -171,11 +169,6 @@ enum notify_type_t {
 	/* multiple key exchanges, RFC 9370 */
 	ADDITIONAL_KEY_EXCHANGE = 16441,
 	/* IP-TFS/AGGFRAG, RFC 9347 */
 	USE_AGGFRAG = 16442,
 	/* Resource info for CHILD_SAs, RFC 9611 */
 	SA_RESOURCE_INFO = 16444,
 	/* IKEv1 initial contact */
 	INITIAL_CONTACT_IKEV1 = 24578,
--- a/src/libcharon/kernel/kernel_handler.c
+++ b/src/libcharon/kernel/kernel_handler.c
@ -56,30 +56,22 @@ static inline protocol_id_t proto_ip2ike(uint8_t protocol)
 METHOD(kernel_listener_t, acquire, bool,
 	private_kernel_handler_t *this, uint32_t reqid, kernel_acquire_data_t *data)
 {
-	char lbuf[BUF_LEN] = "", cbuf[32] = "", sbuf[32] = "";
+	char buf[BUF_LEN] = "";
 	if (data->label)
 	{
-		snprintf(lbuf, sizeof(lbuf), ", label {%s}",
+		snprintf(buf, sizeof(buf), ", label {%s}",
 				 data->label->get_string(data->label));
 	}
 	if (data->cpu != CPU_ID_MAX)
 	{
 		snprintf(cbuf, sizeof(cbuf), ", cpu {%u}", data->cpu);
 	}
 	if (data->seq)
 	{
 		snprintf(sbuf, sizeof(sbuf), ", seq {%u}", data->seq);
 	}
 	if (data->src && data->dst)
 	{
 		DBG1(DBG_KNL, "creating acquire job for policy %R === %R with "
-			 "reqid {%u}%s%s%s", data->src, data->dst, reqid, lbuf, cbuf, sbuf);
+			 "reqid {%u}%s", data->src, data->dst, reqid, buf);
 	}
 	else
 	{
-		DBG1(DBG_KNL, "creating acquire job for policy with reqid {%u}%s%s%s",
+		DBG1(DBG_KNL, "creating acquire job for policy with reqid {%u}%s",
-			 reqid, lbuf, cbuf, sbuf);
+			 reqid, buf);
 	}
 	lib->processor->queue_job(lib->processor,
 							  (job_t*)acquire_job_create(reqid, data));
--- a/src/libcharon/kernel/kernel_interface.c
+++ b/src/libcharon/kernel/kernel_interface.c
@ -392,19 +392,12 @@ METHOD(kernel_interface_t, alloc_reqid, status_t,
 		/* search by reqid if given */
 		entry = this->reqids->get(this->reqids, tmpl);
 	}
-
+	if (entry && entry_equals_selectors(entry, tmpl))
 	/* if the IPsec stack supports sequence numbers for acquires, we can
 	 * allocate a new reqid if narrowing occurred (otherwise, we get the same
 	 * reqid back anyway).  if not, we want to reuse the existing reqid of
 	 * the trap polices and explicitly don't want to match the traffic
 	 * selectors.  another case where we want to reuse an existing reqid is
 	 * when labels are used.  because we currently only install policies once
 	 * with the generic label, the reqid has to stay the same even if narrowing
 	 * occurs.  however, in either case we don't want to reuse the reqid if the
 	 * additional selectors (e.g. marks) are different */
 	if (entry && (label || !(get_features(this) & KERNEL_ACQUIRE_SEQ)) &&
 		entry_equals_selectors(entry, tmpl))
 	{
 		/* we don't require a traffic selector match for existing reqids,
 		 * as we want to reuse a reqid for trap-triggered policies that
 		 * got narrowed during negotiation, but we don't want to reuse the
 		 * reqid if the additional selectors (e.g. marks) are different */
 		reqid_entry_destroy(tmpl);
 	}
 	else
--- a/src/libcharon/kernel/kernel_interface.h
+++ b/src/libcharon/kernel/kernel_interface.h
@ -81,8 +81,6 @@ enum kernel_feature_t {
 	KERNEL_POLICY_SPI = (1<<4),
 	/** IPsec backend reports use time per SA via query_sa() */
 	KERNEL_SA_USE_TIME = (1<<5),
 	/** IPsec backend associates acquires and SAs with a sequence number */
 	KERNEL_ACQUIRE_SEQ = (1<<6),
 };
 /**
--- a/Show More
+++ b/Show More
`@ -144,4 +144,4 @@ Contents`

	`For a more up-to-date list of recommended modules refer to:`	`For a more up-to-date list of recommended modules refer to:`

	`* https://docs.strongswan.org/docs/latest/install/kernelModules.html`	`* https://docs.strongswan.org/docs/5.9/install/kernelModules.html`