00 Message-Id: <69d437ed.186f8.700c0c5f@gitrepo.freebsd.org> The branch 2026Q2 has been updated by vvd: URL: https://cgit.FreeBSD.org/ports/commit/?id=6ef9481671f2f4ceb594804abf722df97e9fa9b0 commit 6ef9481671f2f4ceb594804abf722df97e9fa9b0 Author: Vladimir Druzenko AuthorDate: 2026-04-06 22:35:07 +0000 Commit: Vladimir Druzenko CommitDate: 2026-04-06 22:47:03 +0000 security/strongswan: Update 6.0.4 => 6.0.5 (CVE-2026-25075) Changelog: https://github.com/strongswan/strongswan/releases/tag/6.0.5 While here: - Switch from post-install + "if PORT_OPTIONS:MVICI" to post-install-VICI-on. - Add option FIPS_PRF - software implementation plugin. - Improve plist. - Refresh patches. Reported by: Mike Bressem (via email) Approved by: blanket (fix CVE) Security: CVE-2026-25075 Sponsored by: UNIS Labs MFH: 2026Q2 (cherry picked from commit 2d6221ae7df33419e639c439a12c78fdea84e748) --- security/strongswan/Makefile | 10 ++--- security/strongswan/distinfo | 6 +-- security/strongswan/files/patch-conf_Makefile.in | 24 +++++++--- .../files/patch-src_libcharon_plugins_smp_smp.c | 8 ++-- ...libstrongswan_plugins_openssl_openssl__plugin.c | 4 +- .../strongswan/files/patch-src_swanctl_Makefile.in | 4 +- security/strongswan/pkg-plist | 52 ++++++++++++++++++++-- 7 files changed, 82 insertions(+), 26 deletions(-) diff --git a/security/strongswan/Makefile b/security/strongswan/Makefile index e1ca503716ff..32d8925fc022 100644 --- a/security/strongswan/Makefile +++ b/security/strongswan/Makefile @@ -1,5 +1,5 @@ PORTNAME= strongswan -DISTVERSION= 6.0.4 +DISTVERSION= 6.0.5 CATEGORIES= security net-vpn MASTER_SITES= https://download.strongswan.org/ \ https://download2.strongswan.org/ 
@@ -41,7 +41,7 @@ INSTALL_TARGET= install-strip TEST_TARGET= check OPTIONS_DEFINE= CTR CURL DHCP EAPAKA3GPP2 EAPDYNAMIC EAPRADIUS \ - EAPSIMFILE FARP GCM IKEV1 IPSECKEY KDF \ + EAPSIMFILE FARP FIPS_PRF GCM IKEV1 IPSECKEY KDF \ KERNELLIBIPSEC LDAP LOADTESTER MEDIATION ML MYSQL \ PKCS11 PKI PYTHON SMP SQLITE STROKE SWANCTL \ TESTVECTOR TPM TSS2 UNBOUND UNITY VICI XAUTH @@ -61,6 +61,7 @@ EAPDYNAMIC_DESC= Enable EAP dynamic proxy module EAPRADIUS_DESC= Enable EAP Radius proxy authentication EAPSIMFILE_DESC= Enable EAP SIM with file backend FARP_DESC= Enable farp plugin +FIPS_PRF_DESC= Enable FIPS PRF software implementation plugin GCM_DESC= Enable GCM AEAD wrapper crypto plugin IKEV1_DESC= Enable IKEv1 support IPSECKEY_DESC= Enable authentication with IPSECKEY resource records with DNSSEC @@ -100,6 +101,7 @@ EAPRADIUS_CONFIGURE_ON= --enable-eap-radius EAPSIMFILE_CONFIGURE_ON= --enable-eap-sim \ --enable-eap-sim-file FARP_CONFIGURE_ON= --enable-farp +FIPS_PRF_CONFIGURE_ON= --enable-fips-prf GCM_CONFIGURE_ON= --enable-gcm IKEV1_CONFIGURE_OFF= --disable-ikev1 IPSECKEY_CONFIGURE_ON= --enable-ipseckey @@ -172,10 +174,8 @@ PLIST_SUB+= VIA="@comment " .else .endif -post-install: -.if ${PORT_OPTIONS:MVICI} +post-install-VICI-on: ${INSTALL_DATA} ${WRKSRC}/src/libcharon/plugins/vici/libvici.h \ ${STAGEDIR}${PREFIX}/include -.endif .include diff --git a/security/strongswan/distinfo b/security/strongswan/distinfo index 2ca2f09706ae..a104380e2297 100644 --- a/security/strongswan/distinfo +++ b/security/strongswan/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1770718903 -SHA256 (strongswan-6.0.4.tar.bz2) = 79576bb61b9a406cea9eb73d0c565cc6254a6b6d2e7198f44758d2d7c61a7aec -SIZE (strongswan-6.0.4.tar.bz2) = 4915290 +TIMESTAMP = 1775505500 +SHA256 (strongswan-6.0.5.tar.bz2) = 437460893655d6cfbc2def79d2da548cb5175b865520c507201ab2ec2e7895d9 +SIZE (strongswan-6.0.5.tar.bz2) = 4925249 
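Review bot: FIPS_PRF is added to `OPTIONS_DEFINE` as a free-standing option, but nothing in this hunk ties it to the EAP options that may pull the plugin in on their own. I believe upstream's configure script switches fips-prf on implicitly when eap-sim or eap-aka is enabled; that is not visible in this diff, so please verify. If it does, a build with EAPSIMFILE on and FIPS_PRF off would stage `libstrongswan-fips-prf.so` and `fips-prf.conf` while the `%%FIPS_PRF%%` lines in pkg-plist are commented out. Running `make check-plist` for that combination would settle it. If it fails, `EAPSIMFILE_IMPLIES= FIPS_PRF` (and the same for any EAP-AKA option that needs the plugin) keeps the option and the plist in step.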
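Review bot: The new `FIPS_PRF_DESC` line can be read as turning on a FIPS-validated or FIPS-mode build, which the `--enable-fips-prf` plugin flag added below does not by itself establish. As far as I know the plugin only supplies the PRF defined in FIPS 186-2 that the EAP-SIM/AKA methods use; please confirm against the upstream plugin list. Wording such as `FIPS_PRF_DESC= Enable FIPS 186-2 PRF plugin (for EAP-SIM/AKA)` would keep users from selecting it for compliance reasons.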
diff --git a/security/strongswan/files/patch-conf_Makefile.in b/security/strongswan/files/patch-conf_Makefile.in index 0f9f1851c691..53d4283d3e94 100644 --- a/security/strongswan/files/patch-conf_Makefile.in +++ b/security/strongswan/files/patch-conf_Makefile.in @@ -1,9 +1,9 @@ ---- conf/Makefile.in.orig 2024-03-19 10:57:29 UTC +--- conf/Makefile.in.orig 2026-03-23 12:42:09 UTC +++ conf/Makefile.in -@@ -917,15 +917,15 @@ install-data-local: $(plugins_install_src) - test -e "$(DESTDIR)${strongswanconfdir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanconfdir)" || true - test -e "$(DESTDIR)${strongswanddir}" || $(INSTALL) -d "$(DESTDIR)$(strongswanddir)" || true - test -e "$(DESTDIR)${charonconfdir}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true +@@ -931,25 +931,25 @@ install-data-local: $(plugins_install_src) + test -e "$(DESTDIR)${charonconfdir}" || test -z "${charon_install_src}" || $(INSTALL) -d "$(DESTDIR)$(charonconfdir)" || true + test -e "$(DESTDIR)${cmdconfdir}" || test -z "${cmd_install_src}" || $(INSTALL) -d "$(DESTDIR)$(cmdconfdir)" || true + test -e "$(DESTDIR)${nmconfdir}" || test -z "${nm_install_src}" || $(INSTALL) -d "$(DESTDIR)$(nmconfdir)" || true - test -e "$(DESTDIR)$(strongswan_conf)" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswan_conf) || true + test -e "$(DESTDIR)$(strongswan_conf)" || $(INSTALL) -m 644 $(srcdir)/strongswan.conf $(DESTDIR)$(strongswan_conf).sample || true for f in $(options_install_src); do \ 
@@ -11,11 +11,23 @@ - test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$$name" || true; \ + test -f "$(DESTDIR)$(strongswanddir)/$$name" || $(INSTALL) -m 644 "$(srcdir)/$$f" "$(DESTDIR)$(strongswanddir)/$${name}.sample" || true; \ done - for f in $(plugins_install_src); do \ + for f in $(charon_install_src); do \ name=`basename $$f`; \ if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \ - test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(charonconfdir)/$$name" || true; \ + test -f "$(DESTDIR)$(charonconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(charonconfdir)/$${name}.sample" || true; \ done + for f in $(cmd_install_src); do \ + name=`basename $$f`; \ + if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \ +- test -f "$(DESTDIR)$(cmdconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(cmdconfdir)/$$name" || true; \ ++ test -f "$(DESTDIR)$(cmdconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(cmdconfdir)/$${name}.sample" || true; \ + done + for f in $(nm_install_src); do \ + name=`basename $$f`; \ + if test -f "$$f"; then dir=; else dir="$(srcdir)/"; fi; \ +- test -f "$(DESTDIR)$(nmconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(nmconfdir)/$$name" || true; \ ++ test -f "$(DESTDIR)$(nmconfdir)/$$name" || $(INSTALL) -m 644 "$$dir$$f" "$(DESTDIR)$(nmconfdir)/$${name}.sample" || true; \ + done # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/security/strongswan/files/patch-src_libcharon_plugins_smp_smp.c b/security/strongswan/files/patch-src_libcharon_plugins_smp_smp.c index c2dd9fcd8388..0c57dc92e0cc 100644 --- a/security/strongswan/files/patch-src_libcharon_plugins_smp_smp.c +++ b/security/strongswan/files/patch-src_libcharon_plugins_smp_smp.c 
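Review bot: Every sample written by the new `cmd_install_src` and `nm_install_src` loops is world-readable (`$(INSTALL) -m 644`), and the `@sample` entries in pkg-plist then create the live file from it, presumably with the same mode. That matches the existing charon loop but contrasts with `swanctl.conf`, which the swanctl patch in this commit installs `-m 640`. If any of these plugin files can carry credentials (I believe some strongswan.d plugin files accept shared secrets or database URIs, please verify), the port should say so, for example with a pkg-message line such as `Restrict the mode of files under strongswan.d that contain secrets`. The recipe continues outside this hunk, so the surrounding `install-data-local` body is only partly visible here.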
@@ -1,15 +1,15 @@ ---- src/libcharon/plugins/smp/smp.c.orig 2024-03-19 10:25:55 UTC +--- src/libcharon/plugins/smp/smp.c.orig 2025-11-07 19:05:36 UTC +++ src/libcharon/plugins/smp/smp.c -@@ -745,7 +745,7 @@ plugin_t *smp_plugin_create() +@@ -743,7 +743,7 @@ PLUGIN_DEFINE(smp) */ - plugin_t *smp_plugin_create() + PLUGIN_DEFINE(smp) { - struct sockaddr_un unix_addr = { AF_UNIX, IPSEC_PIDDIR "/charon.xml"}; + struct sockaddr_un unix_addr; private_smp_t *this; mode_t old; -@@ -773,6 +773,11 @@ plugin_t *smp_plugin_create() +@@ -771,6 +771,11 @@ PLUGIN_DEFINE(smp) free(this); return NULL; } diff --git a/security/strongswan/files/patch-src_libstrongswan_plugins_openssl_openssl__plugin.c b/security/strongswan/files/patch-src_libstrongswan_plugins_openssl_openssl__plugin.c index 07ff587133e4..94eecf68c2a2 100644 --- a/security/strongswan/files/patch-src_libstrongswan_plugins_openssl_openssl__plugin.c +++ b/security/strongswan/files/patch-src_libstrongswan_plugins_openssl_openssl__plugin.c @@ -1,6 +1,6 @@ ---- src/libstrongswan/plugins/openssl/openssl_plugin.c.orig 2024-02-21 15:54:00 UTC +--- src/libstrongswan/plugins/openssl/openssl_plugin.c.orig 2025-11-07 19:05:36 UTC +++ src/libstrongswan/plugins/openssl/openssl_plugin.c -@@ -814,7 +814,7 @@ plugin_t *openssl_plugin_create() +@@ -808,7 +808,7 @@ PLUGIN_DEFINE(openssl) }, ); diff --git a/security/strongswan/files/patch-src_swanctl_Makefile.in b/security/strongswan/files/patch-src_swanctl_Makefile.in index 2e6eaecbf6de..811962dc6b46 100644 --- a/security/strongswan/files/patch-src_swanctl_Makefile.in +++ b/security/strongswan/files/patch-src_swanctl_Makefile.in @@ -1,7 +1,7 @@ ---- src/swanctl/Makefile.in.orig 2024-03-19 10:57:37 UTC +--- src/swanctl/Makefile.in.orig 2026-03-23 12:42:13 UTC +++ src/swanctl/Makefile.in 
@@ -1151,7 +1151,7 @@ install-data-local: swanctl.conf - test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true + test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true - test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true diff --git a/security/strongswan/pkg-plist b/security/strongswan/pkg-plist index d7b01dc2bc80..d7cb7ca22130 100644 --- a/security/strongswan/pkg-plist +++ b/security/strongswan/pkg-plist 
@@ -1,6 +1,47 @@ %%PKI%%bin/pki %%TPM%%bin/tpm_extendpcr @sample %%ETCDIR%%.conf.sample +@sample %%ETCDIR%%.d/charon-cmd.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/blowfish.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/cmac.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/constraints.conf.sample +%%CTR%%@sample %%ETCDIR%%.d/charon-cmd/ctr.conf.sample +%%CURL%%@sample %%ETCDIR%%.d/charon-cmd/curl.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/drbg.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/eap-identity.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/eap-md5.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/eap-mschapv2.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/eap-peap.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/eap-tls.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/eap-ttls.conf.sample +%%FIPS_PRF%%@sample %%ETCDIR%%.d/charon-cmd/fips-prf.conf.sample +%%GCM%%@sample %%ETCDIR%%.d/charon-cmd/gcm.conf.sample +%%EAPAKA3GPP2%%@sample %%ETCDIR%%.d/charon-cmd/gmp.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/kdf.conf.sample +%%KERNELLIBIPSEC%%@sample %%ETCDIR%%.d/charon-cmd/kernel-libipsec.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/kernel-pfkey.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/kernel-pfroute.conf.sample +%%LDAP%%@sample %%ETCDIR%%.d/charon-cmd/ldap.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/md4.conf.sample +%%EAPAKA3GPP2%%@sample %%ETCDIR%%.d/charon-cmd/mgf1.conf.sample +%%ML%%@sample %%ETCDIR%%.d/charon-cmd/ml.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/nonce.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/openssl.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/pem.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/pkcs1.conf.sample +%%PKCS11%%@sample %%ETCDIR%%.d/charon-cmd/pkcs11.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/pkcs7.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/pkcs8.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/pubkey.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/random.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/resolve.conf.sample +@sample 
%%ETCDIR%%.d/charon-cmd/revocation.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/socket-default.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/sshkey.conf.sample +%%TPM%%@sample %%ETCDIR%%.d/charon-cmd/tpm.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/x509.conf.sample +%%XAUTH%%@sample %%ETCDIR%%.d/charon-cmd/xauth-generic.conf.sample +@sample %%ETCDIR%%.d/charon-cmd/xcbc.conf.sample @sample %%ETCDIR%%.d/charon-logging.conf.sample @sample %%ETCDIR%%.d/charon.conf.sample @sample %%ETCDIR%%.d/charon/addrblock.conf.sample @@ -29,6 +70,7 @@ @sample %%ETCDIR%%.d/charon/eap-tls.conf.sample @sample %%ETCDIR%%.d/charon/eap-ttls.conf.sample %%FARP%%@sample %%ETCDIR%%.d/charon/farp.conf.sample +%%FIPS_PRF%%@sample %%ETCDIR%%.d/charon/fips-prf.conf.sample %%GCM%%@sample %%ETCDIR%%.d/charon/gcm.conf.sample %%EAPAKA3GPP2%%@sample %%ETCDIR%%.d/charon/gmp.conf.sample %%IPSECKEY%%@sample %%ETCDIR%%.d/charon/ipseckey.conf.sample @@ -147,10 +189,8 @@ lib/ipsec/plugins/libstrongswan-eap-identity.la lib/ipsec/plugins/libstrongswan-eap-identity.so lib/ipsec/plugins/libstrongswan-eap-md5.la lib/ipsec/plugins/libstrongswan-eap-md5.so -%%ML%%lib/ipsec/plugins/libstrongswan-ml.la -%%ML%%lib/ipsec/plugins/libstrongswan-ml.so -%%ML%%lib/ipsec/plugins/libstrongswan-ml.so.0 -%%ML%%lib/ipsec/plugins/libstrongswan-ml.so.0.0.0 +%%FIPS_PRF%%lib/ipsec/plugins/libstrongswan-fips-prf.la +%%FIPS_PRF%%lib/ipsec/plugins/libstrongswan-fips-prf.so lib/ipsec/plugins/libstrongswan-eap-mschapv2.la lib/ipsec/plugins/libstrongswan-eap-mschapv2.so lib/ipsec/plugins/libstrongswan-eap-peap.la 
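Review bot: In the `@@ -147,10 +189,8 @@` hunk the two `%%FIPS_PRF%%lib/ipsec/plugins/libstrongswan-fips-prf.*` lines land between the eap-md5 and eap-mschapv2 entries, in the slot the `%%ML%%` lines were removed from, so they are out of sort order. The same commit moves the ML entries to their sorted place after mgf1, and it puts `charon/fips-prf.conf.sample` between farp and gcm. Keeping the library entries in the same order as the rest of the list (after the last `libstrongswan-eap-*` or farp entry, before gcm) makes later plist diffs easier to audit for stray or missing plugin files.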
@@ -189,6 +229,8 @@ lib/ipsec/plugins/libstrongswan-md4.la lib/ipsec/plugins/libstrongswan-md4.so %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-mgf1.la %%EAPAKA3GPP2%%lib/ipsec/plugins/libstrongswan-mgf1.so +%%ML%%lib/ipsec/plugins/libstrongswan-ml.la +%%ML%%lib/ipsec/plugins/libstrongswan-ml.so %%MYSQL%%lib/ipsec/plugins/libstrongswan-mysql.la %%MYSQL%%lib/ipsec/plugins/libstrongswan-mysql.so lib/ipsec/plugins/libstrongswan-nonce.la @@ -313,6 +355,7 @@ sbin/charon-cmd %%DATADIR%%/templates/config/plugins/eap-tls.conf %%DATADIR%%/templates/config/plugins/eap-ttls.conf %%FARP%%%%DATADIR%%/templates/config/plugins/farp.conf +%%FIPS_PRF%%%%DATADIR%%/templates/config/plugins/fips-prf.conf %%GCM%%%%DATADIR%%/templates/config/plugins/gcm.conf %%EAPAKA3GPP2%%%%DATADIR%%/templates/config/plugins/gmp.conf %%IPSECKEY%%%%DATADIR%%/templates/config/plugins/ipseckey.conf @@ -359,6 +402,7 @@ sbin/charon-cmd %%XAUTH%%%%DATADIR%%/templates/config/plugins/xauth-pam.conf %%DATADIR%%/templates/config/plugins/xcbc.conf %%DATADIR%%/templates/config/strongswan.conf +%%DATADIR%%/templates/config/strongswan.d/charon-cmd.conf %%DATADIR%%/templates/config/strongswan.d/charon-logging.conf %%DATADIR%%/templates/config/strongswan.d/charon.conf %%DATADIR%%/templates/config/strongswan.d/iptfs.conf