diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile
index 0870d891ebce..3861de54b247 100644
--- a/security/strongswan/Makefile
+++ b/security/strongswan/Makefile
@@ -1,176 +1,175 @@ PORTNAME= strongswan -DISTVERSION= 5.9.9 -PORTREVISION= 2 +DISTVERSION= 5.9.10 CATEGORIES= security net-vpn MASTER_SITES= https://download.strongswan.org/ \ https://download2.strongswan.org/ MAINTAINER= strongswan@nanoteq.com COMMENT= Open Source IKEv2 IPsec-based VPN solution WWW= https://www.strongswan.org LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/LICENSE USES= cpe libtool:keepla pkgconfig ssl tar:bzip2 USE_LDCONFIG= ${PREFIX}/lib/ipsec USE_RC_SUBR= strongswan GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-gmp \ --disable-kernel-netlink \ --disable-scripts \ --enable-addrblock \ --enable-blowfish \ --enable-cmd \ --enable-eap-identity \ --enable-eap-md5 \ --enable-eap-mschapv2 \ --enable-eap-peap \ --enable-eap-tls \ --enable-eap-ttls \ --enable-kernel-pfkey \ --enable-kernel-pfroute \ --enable-md4 \ --enable-openssl \ --enable-whitelist \ --with-group=wheel \ --with-lib-prefix=${PREFIX} INSTALL_TARGET= install-strip TEST_TARGET= check OPTIONS_DEFINE= CTR CURL EAPAKA3GPP2 EAPDYNAMIC EAPRADIUS \ EAPSIMFILE FARP GCM IKEV1 IPSECKEY KDF \ KERNELLIBIPSEC LDAP LOADTESTER MEDIATION MYSQL \ PKCS11 PKI PYTHON SCEP SMP SQLITE SWANCTL \ TESTVECTOR TPM TSS2 UNBOUND UNITY VICI XAUTH OPTIONS_DEFINE_i386= VIA OPTIONS_DEFAULT= BUILTIN CURL GCM IKEV1 KDF PKI SWANCTL VICI OPTIONS_SINGLE= PRINTF_HOOKS OPTIONS_SINGLE_PRINTF_HOOKS= BUILTIN LIBC VSTR OPTIONS_SUB= yes # Description of options BUILTIN_DESC= Use builtin printf hooks CTR_DESC= Enable CTR cipher mode wrapper plugin CURL_DESC= Enable CURL to fetch CRL/OCSP EAPAKA3GPP2_DESC= Enable EAP AKA with 3gpp2 backend EAPDYNAMIC_DESC= Enable EAP dynamic proxy module EAPRADIUS_DESC= Enable EAP Radius proxy authentication EAPSIMFILE_DESC= Enable EAP SIM with file backend FARP_DESC= Enable farp plugin GCM_DESC= Enable GCM AEAD wrapper crypto plugin IKEV1_DESC= Enable IKEv1 support IPSECKEY_DESC= Enable authentication with IPSECKEY resource records with DNSSEC KDF_DESC= Enable KDF (prf+) implementation plugin 
KERNELLIBIPSEC_DESC= Enable IPSec userland backend LIBC_DESC= Use libc printf hooks LOADTESTER_DESC= Enable load testing plugin MEDIATION_DESC= Enable IKEv2 Mediation Extension PKCS11_DESC= Enable PKCS11 token support PKI_DESC= Enable PKI tools PYTHON_DESC= Python VICI protocol plugin SCEP_DESC= Enable Simple Certificate Enrollment Protocol SMP_DESC= Enable XML-based management protocol (DEPRECATED) SWANCTL_DESC= Install swanctl (requires VICI) TESTVECTOR_DESC= Enable crypto test vectors TPM_DESC= Enable TPM plugin TSS2_DESC= Enable TPM 2.0 TSS2 library UNBOUND_DESC= Enable DNSSEC-enabled resolver UNITY_DESC= Enable Cisco Unity extension plugin VIA_DESC= Enable VIA Padlock support VICI_DESC= Enable VICI management protocol VSTR_DESC= Use devel/vstr printf hooks XAUTH_DESC= Enable XAuth password verification # Extra options BUILTIN_CONFIGURE_ON= --with-printf-hooks=builtin CTR_CONFIGURE_ON= --enable-ctr CURL_LIB_DEPENDS= libcurl.so:ftp/curl CURL_CONFIGURE_ON= --enable-curl EAPAKA3GPP2_LIB_DEPENDS= libgmp.so:math/gmp EAPAKA3GPP2_CONFIGURE_ON= --enable-eap-aka \ --enable-eap-aka-3gpp2 EAPDYNAMIC_CONFIGURE_ON= --enable-eap-dynamic EAPRADIUS_CONFIGURE_ON= --enable-eap-radius EAPSIMFILE_CONFIGURE_ON= --enable-eap-sim \ --enable-eap-sim-file FARP_CONFIGURE_ON= --enable-farp GCM_CONFIGURE_ON= --enable-gcm IKEV1_CONFIGURE_OFF= --disable-ikev1 IPSECKEY_CONFIGURE_ON= --enable-ipseckey KDF_CONFIGURE_ON= --enable-kdf KERNELLIBIPSEC_CONFIGURE_ON= --enable-kernel-libipsec LDAP_USES= ldap LDAP_CONFIGURE_ON= --enable-ldap LIBC_CONFIGURE_ON= --with-printf-hooks=glibc LOADTESTER_CONFIGURE_ON= --enable-load-tester MEDIATION_CONFIGURE_ON= --enable-mediation MYSQL_USES= mysql MYSQL_CONFIGURE_ON= --enable-mysql PKCS11_CONFIGURE_ON= --enable-pkcs11 PKI_CONFIGURE_OFF= --disable-pki PYTHON_IMPLIES= VICI PYTHON_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}vici>0:security/py-vici@${PY_FLAVOR} PYTHON_USES= python SCEP_CONFIGURE_OFF= --disable-scepclient SMP_LIB_DEPENDS= libxml2.so:textproc/libxml2 
SMP_CONFIGURE_ON= --enable-smp SQLITE_LIB_DEPENDS= libsqlite3.so:databases/sqlite3 SQLITE_CONFIGURE_ON= --enable-sqlite SWANCTL_IMPLIES= VICI SWANCTL_CONFIGURE_ON= --enable-swanctl TESTVECTOR_CONFIGURE_ON= --enable-test-vectors TPM_CONFIGURE_ON= --enable-tpm TSS2_LIB_DEPENDS= libtss2-sys.so:security/tpm2-tss TSS2_CONFIGURE_ON= --enable-tss-tss2 UNBOUND_LIB_DEPENDS= libldns.so:dns/ldns \ libunbound.so:dns/unbound UNBOUND_CONFIGURE_ON= --enable-unbound UNITY_CONFIGURE_ON= --enable-unity VIA_CONFIGURE_ON= --enable-padlock VICI_CONFIGURE_ON= --enable-vici VICI_SUB_LIST= INTERFACE="vici" VICI_SUB_LIST_OFF= INTERFACE="stroke" VSTR_LIB_DEPENDS= libvstr.so:devel/vstr VSTR_CONFIGURE_ON= --with-printf-hooks=vstr XAUTH_CONFIGURE_ON= --enable-xauth-eap \ --enable-xauth-generic \ --enable-xauth-pam .include .if ${PORT_OPTIONS:MEAPSIMFILE} || ${PORT_OPTIONS:MEAPAKA3GPP2} PLIST_SUB+= SIMAKA="" .else PLIST_SUB+= SIMAKA="@comment " .endif .if ${PORT_OPTIONS:MMYSQL} || ${PORT_OPTIONS:MSQLITE} CONFIGURE_ARGS+= --enable-attr-sql \ --enable-sql PLIST_SUB+= SQL="" .else PLIST_SUB+= SQL="@comment " .endif .if ${PORT_OPTIONS:MIKEV1} || ${PORT_OPTIONS:MXAUTH} PLIST_SUB+= XAUTHGEN="" .else PLIST_SUB+= XAUTHGEN="@comment " .endif # Hack to disable VIA in plist of unsupported architectures .if ! ${OPTIONS_DEFINE:MVIA} PLIST_SUB+= VIA="@comment " .else .endif post-install: .if ${PORT_OPTIONS:MVICI} ${INSTALL_DATA} ${WRKSRC}/src/libcharon/plugins/vici/libvici.h \ ${STAGEDIR}${PREFIX}/include .endif .include diff --git a/security/strongswan/distinfo b/security/strongswan/distinfo index 49cedad3203e..a0375e3819be 100644 --- a/security/strongswan/distinfo +++ b/security/strongswan/distinfo 
@@ -1,3 +1,3 @@
-TIMESTAMP = 1673591641
-SHA256 (strongswan-5.9.9.tar.bz2) = 5e16580998834658c17cebfb31dd637e728669cf2fdd325460234a4643b8d81d
-SIZE (strongswan-5.9.9.tar.bz2) = 4764675
+TIMESTAMP = 1678023733
+SHA256 (strongswan-5.9.10.tar.bz2) = 3b72789e243c9fa6f0a01ccaf4f83766eba96a5e5b1e071d36e997572cf34654
+SIZE (strongswan-5.9.10.tar.bz2) = 4765407
diff --git a/security/strongswan/files/patch-src_libtls_tls_server.c b/security/strongswan/files/patch-src_libtls_tls_server.c
deleted file mode 100644
index 5bd53faab6fb..000000000000
--- a/security/strongswan/files/patch-src_libtls_tls_server.c
+++ /dev/null
@@ -1,48 +0,0 @@
-From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner
-Date: Fri, 17 Feb 2023 15:07:20 +0100
-Subject: [PATCH] libtls: Fix authentication bypass and expired pointer
- dereference
-
-`public` is returned, but previously only if a trusted key was found.
-We obviously don't want to return untrusted keys. However, since the
-reference is released after determining the key type, the returned
-object also doesn't have the correct refcount.
-
-So when the returned reference is released after verifying the TLS
-signature, the public key object is actually destroyed. The certificate
-object then points to an expired pointer, which is dereferenced once it
-itself is destroyed after the authentication is complete. Depending on
-whether the pointer is valid (i.e. points to memory allocated to the
-process) and what was allocated there after the public key was freed,
-this could result in a segmentation fault or even code execution.
-
-Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type")
-Fixes: CVE-2023-26463
---
- src/libtls/tls_server.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
-index c9c300917dd6..573893f2efb5 100644
---- src/libtls/tls_server.c
-+++ src/libtls/tls_server.c
-@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
- cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
- if (cert)
- {
-- public = cert->get_public_key(cert);
-- if (public)
-+ current = cert->get_public_key(cert);
-+ if (current)
- {
-- key_type = public->get_type(public);
-- public->destroy(public);
-+ key_type = current->get_type(current);
-+ current->destroy(current);
- }
- enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
- key_type, id, peer_auth, TRUE);
---
-2.25.1
-