git: 9d8accbe0c0d - main - security/strongswan: Update to 5.9.13

From: Fernando Apesteguía <fernape_at_FreeBSD.org>
Date: Sun, 10 Dec 2023 17:16:49 UTC
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9d8accbe0c0d7c0db16ec9bbb50bded19db8271f

commit 9d8accbe0c0d7c0db16ec9bbb50bded19db8271f
Author:     Jose Luis Duran <jlduran@gmail.com>
AuthorDate: 2023-12-10 16:59:53 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-12-10 17:16:32 +0000

    security/strongswan: Update to 5.9.13
    
    ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.13
    
    PR:             275620
    Reported by:    jlduran@gmail.com
    MFH:            2023Q4 (security fix)
    Security:       CVE-2023-41913
---
 security/strongswan/Makefile                       |  5 +--
 security/strongswan/distinfo                       |  8 ++---
 ...swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c | 42 ----------------------
 security/strongswan/pkg-plist                      | 15 ++++----
 4 files changed, 12 insertions(+), 58 deletions(-)

diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile
index c7972b9ca9b6..b6bf781ef23e 100644
--- a/security/strongswan/Makefile
+++ b/security/strongswan/Makefile
@@ -1,11 +1,8 @@
 PORTNAME=	strongswan
-DISTVERSION=	5.9.11
-PORTREVISION=	3
+DISTVERSION=	5.9.13
 CATEGORIES=	security net-vpn
 MASTER_SITES=	https://download.strongswan.org/ \
 		https://download2.strongswan.org/
-PATCH_SITES=	https://github.com/strongswan/strongswan/commit/
-PATCHFILES=	a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch:-p1
 
 MAINTAINER=	strongswan@nanoteq.com
 COMMENT=	Open Source IKEv2 IPsec-based VPN solution
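Review bot: The commit message does not explain why this hunk drops `PATCH_SITES`/`PATCHFILES` (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch), nor why files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c is deleted further down. That local patch adds the `key_exchange_verify_pubkey()` and `value.len > sizeof(othervalue.data)` checks for CVE-2023-41913, so removing it is only safe if the 5.9.13 distfile already contains the change. Presumably it does, but nothing on this page shows it. I would add a log line such as `Remove local patches, now included upstream in 5.9.13`, and confirm the bounds check is present in the extracted tkm_diffie_hellman.c before the MFH to 2023Q4.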
diff --git a/security/strongswan/distinfo b/security/strongswan/distinfo
index 1cccf5380f46..b24347585614 100644
--- a/security/strongswan/distinfo
+++ b/security/strongswan/distinfo
@@ -1,5 +1,3 @@
-TIMESTAMP = 1690493412
-SHA256 (strongswan-5.9.11.tar.bz2) = ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d
-SIZE (strongswan-5.9.11.tar.bz2) = 4786552
-SHA256 (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch) = 31ba77932b88b611f1f1d54478b7d3a024f40e0bcea0b3249f2d62274e1df19f
-SIZE (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch) = 3344
+TIMESTAMP = 1702006969
+SHA256 (strongswan-5.9.13.tar.bz2) = 56e30effb578fd9426d8457e3b76c8c3728cd8a5589594b55649b2719308ba55
+SIZE (strongswan-5.9.13.tar.bz2) = 4825644
diff --git a/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c b/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c
deleted file mode 100644
index f70c02446427..000000000000
--- a/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c
+++ /dev/null
@@ -1,42 +0,0 @@
-From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 11 Jul 2023 12:12:25 +0200
-Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
- overflow
-
-Seems this was forgotten in the referenced commit and actually could lead
-to a buffer overflow.  Since charon-tkm is untrusted this isn't that
-much of an issue but could at least be easily exploited for a DoS attack
-as DH public values are set when handling IKE_SA_INIT requests.
-
-Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
-Fixes: CVE-2023-41913
----
- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-index 2b2d103d03e9..6999ad360d7e 100644
---- src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-+++ src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
- 	return TRUE;
- }
- 
--
- METHOD(key_exchange_t, set_public_key, bool,
- 	private_tkm_diffie_hellman_t *this, chunk_t value)
- {
- 	dh_pubvalue_type othervalue;
-+
-+	if (!key_exchange_verify_pubkey(this->group, value) ||
-+		value.len > sizeof(othervalue.data))
-+	{
-+		return FALSE;
-+	}
- 	othervalue.size = value.len;
- 	memcpy(&othervalue.data, value.ptr, value.len);
- 
--- 
-2.34.1
-
diff --git a/security/strongswan/pkg-plist b/security/strongswan/pkg-plist
index 4a834b334403..84f5c87bc304 100644
--- a/security/strongswan/pkg-plist
+++ b/security/strongswan/pkg-plist
@@ -36,8 +36,8 @@
 %%GCM%%@sample %%ETCDIR%%.d/charon/gcm.conf.sample
 %%EAPAKA3GPP2%%@sample %%ETCDIR%%.d/charon/gmp.conf.sample
 @sample %%ETCDIR%%.d/charon/hmac.conf.sample
-%%KDF%%@sample %%ETCDIR%%.d/charon/kdf.conf.sample
 %%IPSECKEY%%@sample %%ETCDIR%%.d/charon/ipseckey.conf.sample
+%%KDF%%@sample %%ETCDIR%%.d/charon/kdf.conf.sample
 %%KERNELLIBIPSEC%%@sample %%ETCDIR%%.d/charon/kernel-libipsec.conf.sample
 @sample %%ETCDIR%%.d/charon/kernel-pfkey.conf.sample
 @sample %%ETCDIR%%.d/charon/kernel-pfroute.conf.sample
@@ -49,6 +49,7 @@
 %%MYSQL%%@sample %%ETCDIR%%.d/charon/mysql.conf.sample
 @sample %%ETCDIR%%.d/charon/nonce.conf.sample
 @sample %%ETCDIR%%.d/charon/openssl.conf.sample
+%%VIA%%@sample %%ETCDIR%%.d/charon/padlock.conf.sample
 @sample %%ETCDIR%%.d/charon/pem.conf.sample
 @sample %%ETCDIR%%.d/charon/pgp.conf.sample
 @sample %%ETCDIR%%.d/charon/pkcs1.conf.sample
@@ -207,6 +208,8 @@ lib/ipsec/plugins/libstrongswan-nonce.la
 lib/ipsec/plugins/libstrongswan-nonce.so
 lib/ipsec/plugins/libstrongswan-openssl.la
 lib/ipsec/plugins/libstrongswan-openssl.so
+%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.la
+%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.so
 lib/ipsec/plugins/libstrongswan-pem.la
 lib/ipsec/plugins/libstrongswan-pem.so
 lib/ipsec/plugins/libstrongswan-pgp.la
@@ -285,6 +288,7 @@ libexec/ipsec/whitelist
 %%PKI%%man/man1/pki---gen.1.gz
 %%PKI%%man/man1/pki---issue.1.gz
 %%PKI%%man/man1/pki---keyid.1.gz
+%%PKI%%man/man1/pki---ocsp.1.gz
 %%PKI%%man/man1/pki---pkcs7.1.gz
 %%PKI%%man/man1/pki---print.1.gz
 %%PKI%%man/man1/pki---pub.1.gz
@@ -313,6 +317,7 @@ sbin/ipsec
 %%DATADIR%%/templates/config/plugins/cmac.conf
 %%DATADIR%%/templates/config/plugins/constraints.conf
 %%DATADIR%%/templates/config/plugins/counters.conf
+%%CTR%%%%DATADIR%%/templates/config/plugins/ctr.conf
 %%CURL%%%%DATADIR%%/templates/config/plugins/curl.conf
 %%DATADIR%%/templates/config/plugins/curve25519.conf
 %%DATADIR%%/templates/config/plugins/des.conf
@@ -335,8 +340,8 @@ sbin/ipsec
 %%GCM%%%%DATADIR%%/templates/config/plugins/gcm.conf
 %%EAPAKA3GPP2%%%%DATADIR%%/templates/config/plugins/gmp.conf
 %%DATADIR%%/templates/config/plugins/hmac.conf
-%%KDF%%%%DATADIR%%/templates/config/plugins/kdf.conf
 %%IPSECKEY%%%%DATADIR%%/templates/config/plugins/ipseckey.conf
+%%KDF%%%%DATADIR%%/templates/config/plugins/kdf.conf
 %%KERNELLIBIPSEC%%%%DATADIR%%/templates/config/plugins/kernel-libipsec.conf
 %%DATADIR%%/templates/config/plugins/kernel-pfkey.conf
 %%DATADIR%%/templates/config/plugins/kernel-pfroute.conf
@@ -348,11 +353,11 @@ sbin/ipsec
 %%MYSQL%%%%DATADIR%%/templates/config/plugins/mysql.conf
 %%DATADIR%%/templates/config/plugins/nonce.conf
 %%DATADIR%%/templates/config/plugins/openssl.conf
+%%VIA%%%%DATADIR%%/templates/config/plugins/padlock.conf
 %%DATADIR%%/templates/config/plugins/pem.conf
 %%DATADIR%%/templates/config/plugins/pgp.conf
 %%DATADIR%%/templates/config/plugins/pkcs1.conf
 %%PKCS11%%%%DATADIR%%/templates/config/plugins/pkcs11.conf
-%%CTR%%%%DATADIR%%/templates/config/plugins/ctr.conf
 %%DATADIR%%/templates/config/plugins/pkcs12.conf
 %%DATADIR%%/templates/config/plugins/pkcs7.conf
 %%DATADIR%%/templates/config/plugins/pkcs8.conf
@@ -412,7 +417,3 @@ sbin/ipsec
 %%SWANCTL%%@dir etc/swanctl/x509ca
 %%SWANCTL%%@dir etc/swanctl/x509crl
 %%SWANCTL%%@dir etc/swanctl/x509ocsp
-%%VIA%%%%DATADIR%%/templates/config/plugins/padlock.conf
-%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.la
-%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.so
-%%VIA%%@sample %%ETCDIR%%.d/charon/padlock.conf.sample