security/strongswan: Update to 5.9.13

ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.13 PR: 275620 Reported by: jlduran@gmail.com MFH: 2023Q4 (security fix) Security: CVE-2023-41913
2023-12-10 17:59:53 +01:00 · 2023-12-10 17:59:53 +01:00 · 9d8accbe0c
commit 9d8accbe0c
parent cafdb7f634
4 changed files with 12 additions and 58 deletions
--- a/security/strongswan/Makefile
+++ b/security/strongswan/Makefile
@ -1,11 +1,8 @@
 PORTNAME=	strongswan
-DISTVERSION=	5.9.11
-PORTREVISION=	3
+DISTVERSION=	5.9.13
 CATEGORIES=	security net-vpn
 MASTER_SITES=	https://download.strongswan.org/ \
 		https://download2.strongswan.org/
-PATCH_SITES=	https://github.com/strongswan/strongswan/commit/
-PATCHFILES=	a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch:-p1

 MAINTAINER=	strongswan@nanoteq.com
 COMMENT=	Open Source IKEv2 IPsec-based VPN solution
--- a/security/strongswan/distinfo
+++ b/security/strongswan/distinfo
@ -1,5 +1,3 @@
-TIMESTAMP = 1690493412
-SHA256 (strongswan-5.9.11.tar.bz2) = ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d
-SIZE (strongswan-5.9.11.tar.bz2) = 4786552
-SHA256 (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch) = 31ba77932b88b611f1f1d54478b7d3a024f40e0bcea0b3249f2d62274e1df19f
-SIZE (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch) = 3344
+TIMESTAMP = 1702006969
+SHA256 (strongswan-5.9.13.tar.bz2) = 56e30effb578fd9426d8457e3b76c8c3728cd8a5589594b55649b2719308ba55
+SIZE (strongswan-5.9.13.tar.bz2) = 4825644
--- a/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c
+++ b/security/strongswan/files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c
@ -1,42 +0,0 @@
-From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 11 Jul 2023 12:12:25 +0200
-Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
- overflow
-
-Seems this was forgotten in the referenced commit and actually could lead
-to a buffer overflow.  Since charon-tkm is untrusted this isn't that
-much of an issue but could at least be easily exploited for a DoS attack
-as DH public values are set when handling IKE_SA_INIT requests.
-
-Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
-Fixes: CVE-2023-41913
---
- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-index 2b2d103d03e9..6999ad360d7e 100644
--- src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-+++ src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
- 	return TRUE;
- }
- 
-
- METHOD(key_exchange_t, set_public_key, bool,
- 	private_tkm_diffie_hellman_t *this, chunk_t value)
- {
- 	dh_pubvalue_type othervalue;
-+
-+	if (!key_exchange_verify_pubkey(this->group, value) ||
-+		value.len > sizeof(othervalue.data))
-+	{
-+		return FALSE;
-+	}
- 	othervalue.size = value.len;
- 	memcpy(&othervalue.data, value.ptr, value.len);
- 
-- 
-2.34.1
-
--- a/security/strongswan/pkg-plist
+++ b/security/strongswan/pkg-plist
@ -36,8 +36,8 @@
 %%GCM%%@sample %%ETCDIR%%.d/charon/gcm.conf.sample
 %%EAPAKA3GPP2%%@sample %%ETCDIR%%.d/charon/gmp.conf.sample
@sample %%ETCDIR%%.d/charon/hmac.conf.sample
-%%KDF%%@sample %%ETCDIR%%.d/charon/kdf.conf.sample
 %%IPSECKEY%%@sample %%ETCDIR%%.d/charon/ipseckey.conf.sample
+%%KDF%%@sample %%ETCDIR%%.d/charon/kdf.conf.sample
 %%KERNELLIBIPSEC%%@sample %%ETCDIR%%.d/charon/kernel-libipsec.conf.sample
@sample %%ETCDIR%%.d/charon/kernel-pfkey.conf.sample
@sample %%ETCDIR%%.d/charon/kernel-pfroute.conf.sample
@ -49,6 +49,7 @@
 %%MYSQL%%@sample %%ETCDIR%%.d/charon/mysql.conf.sample
@sample %%ETCDIR%%.d/charon/nonce.conf.sample
@sample %%ETCDIR%%.d/charon/openssl.conf.sample
+%%VIA%%@sample %%ETCDIR%%.d/charon/padlock.conf.sample
@sample %%ETCDIR%%.d/charon/pem.conf.sample
@sample %%ETCDIR%%.d/charon/pgp.conf.sample
@sample %%ETCDIR%%.d/charon/pkcs1.conf.sample
@ -207,6 +208,8 @@ lib/ipsec/plugins/libstrongswan-nonce.la
 lib/ipsec/plugins/libstrongswan-nonce.so
 lib/ipsec/plugins/libstrongswan-openssl.la
 lib/ipsec/plugins/libstrongswan-openssl.so
+%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.la
+%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.so
 lib/ipsec/plugins/libstrongswan-pem.la
 lib/ipsec/plugins/libstrongswan-pem.so
 lib/ipsec/plugins/libstrongswan-pgp.la
@ -285,6 +288,7 @@ libexec/ipsec/whitelist
 %%PKI%%man/man1/pki---gen.1.gz
 %%PKI%%man/man1/pki---issue.1.gz
 %%PKI%%man/man1/pki---keyid.1.gz
+%%PKI%%man/man1/pki---ocsp.1.gz
 %%PKI%%man/man1/pki---pkcs7.1.gz
 %%PKI%%man/man1/pki---print.1.gz
 %%PKI%%man/man1/pki---pub.1.gz
@ -313,6 +317,7 @@ sbin/ipsec
 %%DATADIR%%/templates/config/plugins/cmac.conf
 %%DATADIR%%/templates/config/plugins/constraints.conf
 %%DATADIR%%/templates/config/plugins/counters.conf
+%%CTR%%%%DATADIR%%/templates/config/plugins/ctr.conf
 %%CURL%%%%DATADIR%%/templates/config/plugins/curl.conf
 %%DATADIR%%/templates/config/plugins/curve25519.conf
 %%DATADIR%%/templates/config/plugins/des.conf
@ -335,8 +340,8 @@ sbin/ipsec
 %%GCM%%%%DATADIR%%/templates/config/plugins/gcm.conf
 %%EAPAKA3GPP2%%%%DATADIR%%/templates/config/plugins/gmp.conf
 %%DATADIR%%/templates/config/plugins/hmac.conf
-%%KDF%%%%DATADIR%%/templates/config/plugins/kdf.conf
 %%IPSECKEY%%%%DATADIR%%/templates/config/plugins/ipseckey.conf
+%%KDF%%%%DATADIR%%/templates/config/plugins/kdf.conf
 %%KERNELLIBIPSEC%%%%DATADIR%%/templates/config/plugins/kernel-libipsec.conf
 %%DATADIR%%/templates/config/plugins/kernel-pfkey.conf
 %%DATADIR%%/templates/config/plugins/kernel-pfroute.conf
@ -348,11 +353,11 @@ sbin/ipsec
 %%MYSQL%%%%DATADIR%%/templates/config/plugins/mysql.conf
 %%DATADIR%%/templates/config/plugins/nonce.conf
 %%DATADIR%%/templates/config/plugins/openssl.conf
+%%VIA%%%%DATADIR%%/templates/config/plugins/padlock.conf
 %%DATADIR%%/templates/config/plugins/pem.conf
 %%DATADIR%%/templates/config/plugins/pgp.conf
 %%DATADIR%%/templates/config/plugins/pkcs1.conf
 %%PKCS11%%%%DATADIR%%/templates/config/plugins/pkcs11.conf
-%%CTR%%%%DATADIR%%/templates/config/plugins/ctr.conf
 %%DATADIR%%/templates/config/plugins/pkcs12.conf
 %%DATADIR%%/templates/config/plugins/pkcs7.conf
 %%DATADIR%%/templates/config/plugins/pkcs8.conf
@ -412,7 +417,3 @@ sbin/ipsec
 %%SWANCTL%%@dir etc/swanctl/x509ca
 %%SWANCTL%%@dir etc/swanctl/x509crl
 %%SWANCTL%%@dir etc/swanctl/x509ocsp
-%%VIA%%%%DATADIR%%/templates/config/plugins/padlock.conf
-%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.la
-%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.so
-%%VIA%%@sample %%ETCDIR%%.d/charon/padlock.conf.sample