diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..7e1ef7361c0c425300666c33c07b395359100e58
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.bz2 filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..37ec1caafc9180ab4d4890fe4657a2b10c840aab
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/strongswan
diff --git a/CVE-2023-41913.patch b/CVE-2023-41913.patch
deleted file mode 100644
index 8c8af92aae4645cbbc3979702e11e4d2f063e4bc..0000000000000000000000000000000000000000
--- a/CVE-2023-41913.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Tue, 11 Jul 2023 12:12:25 +0200
-Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
- overflow
-
-Seems this was forgotten in the referenced commit and actually could lead
-to a buffer overflow. Since charon-tkm is untrusted this isn't that
-much of an issue but could at least be easily exploited for a DoS attack
-as DH public values are set when handling IKE_SA_INIT requests.
-
-Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
-Fixes: CVE-2023-41913
----
- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-index 2b2d103d03e9..6999ad360d7e 100644
---- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
- return TRUE;
- }
- 
--
- METHOD(key_exchange_t, set_public_key, bool,
- private_tkm_diffie_hellman_t *this, chunk_t value)
- {
- dh_pubvalue_type othervalue;
-+
-+ if (!key_exchange_verify_pubkey(this->group, value) ||
-+ value.len > sizeof(othervalue.data))
-+ {
-+ return FALSE;
-+ }
- othervalue.size = value.len;
- memcpy(&othervalue.data, value.ptr, value.len);
- 
---
-2.34.1
-
diff --git a/strongswan-5.9.10.tar.bz2 b/strongswan-5.9.10.tar.bz2
deleted file mode 100644
index 4457f4ccedc08f183d5d2166c557645cd1f453d8..0000000000000000000000000000000000000000
Binary files a/strongswan-5.9.10.tar.bz2 and /dev/null differ
diff --git a/strongswan-5.9.14-harden-strongswan.service.patch b/strongswan-5.9.14-harden-strongswan.service.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d9595acf2ed09a064fac54a1eacf94d8245eb26e
--- /dev/null
+++ b/strongswan-5.9.14-harden-strongswan.service.patch
@@ -0,0 +1,20 @@
+--- strongswan-5.9.14/init/systemd/strongswan.service.in.orig 2024-11-02 16:34:23.610091000 +0800
++++ strongswan-5.9.14/init/systemd/strongswan.service.in 2024-11-02 16:34:58.120059900 +0800
+@@ -3,6 +3,17 @@
+ After=network-online.target
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=notify
+ ExecStart=@SBINDIR@/charon-systemd
+ ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
diff --git a/strongswan-5.9.14.tar.bz2 b/strongswan-5.9.14.tar.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..fc35a0147680b65616a168e89cb26323d58596ed
--- /dev/null
+++ b/strongswan-5.9.14.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678
+size 4869709
diff --git a/strongswan.spec b/strongswan.spec
index 841622897c69d5d528426d0d609139ecc3399647..dab33d612dd9808cccf7d5cfadf7ed1dc6f43639 100644
--- a/strongswan.spec
+++ b/strongswan.spec
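Review bot: The hardening block added to strongswan.service.in documents its origin only by the wiki URL in the two comment lines, not what the chosen set means for this package: `ProtectSystem=full` leaves `/usr`, `/boot` and `/etc` read-only for both `charon-systemd` and the `ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt` run, and the set stops before the stricter sandboxing directives, presumably because the daemon needs kernel IPsec/netlink access and updown hooks. A maintainer who later adds a hook that writes under `/etc/strongswan` or tightens the unit further has nothing here to check against. Add a comment to the patch recording the rationale and how the set was validated on this build, e.g. `# /etc is read-only for charon-systemd and swanctl; validated: service start, swanctl --load-all, SA establishment`. The changelog hunk of strongswan.spec records the change only as `harden strongswan.service with openSUSE effort`.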
@@ -1,23 +1,20 @@
 Name: strongswan
-Version: 5.9.10
-Release: 5
+Version: 5.9.14
+Release: 1
 Summary: An OpenSource IPsec-based VPN and TNC solution
-License: GPLv2+
-URL: http://www.strongswan.org/
-Source0: http://download.strongswan.org/strongswan-%{version}.tar.bz2
+License: GPL-2.0-or-later
+URL: https://www.strongswan.org/
+Source0: https://download.strongswan.org/old/5.x/strongswan-%{version}.tar.bz2
 Patch0: remove-warning-no-format.patch
 Patch1: aes-crypter-support-sw64-arch.patch
-# https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch
-Patch2: CVE-2023-41913.patch
+Patch2: strongswan-5.9.14-harden-strongswan.service.patch
 BuildRequires: gcc chrpath autoconf automake libtool tpm2-abrmd
 BuildRequires: systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
-BuildRequires: compat-openssl11-devel sqlite-devel gettext-devel trousers-devel libxml2-devel pam-devel
+BuildRequires: openssl-devel sqlite-devel gettext-devel trousers-devel libxml2-devel pam-devel
 BuildRequires: json-c-devel libgcrypt-devel systemd-devel iptables-devel tpm2-tss-devel tpm2-abrmd-devel
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
+%{?systemd_requires}
 Requires: tpm2-abrmd
 Requires: %{name}-sqlite = %{version}-%{release}
 Requires: %{name}-tnc-imcvs = %{version}-%{release}
@@ -68,7 +65,7 @@ PT-TLS to support TNC over TLS.
 %autosetup -n %{name}-%{version} -p1
 %build
-autoreconf -i
+autoreconf -fi -I%{_datadir}/gettext/m4
 %configure --bindir=%{_libexecdir}/strongswan --sysconfdir=%{_sysconfdir}/strongswan \
 --with-ipsecdir=%{_libexecdir}/strongswan --with-ipseclibdir=%{_libdir}/strongswan \
 --with-ipsec-script=strongswan \
@@ -95,7 +92,7 @@ for p in bypass-lan; do
 echo -e "\ncharon.plugins.${p}.load := no" >> conf/plugins/${p}.opt
 done
-make %{?_smp_mflags}
+%make_build
 %install
 %make_install
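Review bot: Dropping `Patch2: CVE-2023-41913.patch` together with its source-URL comment is justified only if the charon-tkm DH length check is already in the 5.9.14 tarball; the removed URL names the upstream patch for 5.9.7-5.9.11, so the fix is presumably part of 5.9.14, but neither this hunk nor the changelog hunk (the last hunk of this file) records that the CVE patch was dropped and why. A later reader comparing the 5.9.10-5 and 5.9.14-1 patch lists has to rediscover it. Add a changelog line under the 5.9.14-1 entry, e.g. `- drop CVE-2023-41913.patch, charon-tkm fix included upstream in 5.9.14`, and consider a spec comment next to the remaining `Patch0`/`Patch1` lines stating that no security backports are carried at this version.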
@@ -122,6 +119,7 @@ do
 chrpath -d $i
 done
 cd -
+
 mkdir -p %{buildroot}/etc/ld.so.conf.d
 echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
@@ -164,7 +162,7 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
 %exclude %{_libexecdir}/strongswan/pt-tls-client
 %exclude %{_libexecdir}/strongswan/charon-nm
 %exclude %dir %{_datadir}/strongswan/swidtag
-%{_mandir}/man?/*.gz
+%{_mandir}/man?/*
 %{_datadir}/strongswan/templates/config/
 %{_datadir}/strongswan/templates/database/
 %config(noreplace) /etc/ld.so.conf.d/*
@@ -195,7 +193,12 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
 %{_libexecdir}/strongswan/charon-nm
 %changelog
-* Thu Oct 29 2024 Wang Jinchao - 5.9.10-5
+* Sat Nov 02 2024 Funda Wang - 5.9.14-1
+- update to 5.9.14
+- harden strongswan.service with openSUSE effort
+- build with openssl 3.0
+
+* Tue Oct 29 2024 Wang Jinchao - 5.9.10-5
 - Fix bogus date in %changelog
 * Thu Dec 14 2023 yaoxin - 5.9.10-4