
libreswan: update to 4.13nb1; fix CVE-2024-2357



Module Name:	pkgsrc-wip
Committed By:	Andrew Cagney <andrew.cagney%gmail.com@localhost>
Pushed By:	cagney
Date:		Mon Mar 11 22:14:01 2024 +0000
Changeset:	6a61a16f4a8a369fb3b2d07c9f100b31ec6b507a

Modified Files:
	libreswan/Makefile
	libreswan/distinfo
Added Files:
	libreswan/patches/patch-include_ip_index.h
	libreswan/patches/patch-include_ip_info.h
	libreswan/patches/patch-lib_libswan_ip_info.c
Removed Files:
	libreswan/patches/patch-lib_libswan_x509.c
	libreswan/patches/patch-programs_pluto_kernel_pfkeyv2.c

Log Message:
libreswan: update to 4.13nb1; fix CVE-2024-2357

Technical nit: a libreswan 4.14 release, which fixes the build problem, is expected very soon.

* Security: Fixes http://libreswan.org/security/CVE-2024-2357
* Linux: make libcap-ng failures non-fatal [Andrew]
* BSD: fix esp=aes_gcm [Andrew]
* NetBSD: fix compiler warning in lib/libswan/x509.c [Andrew]
* x509: unpack IPv6 general names based on length [Andrew]
* pluto: TFC padding was not set for AEAD algorithms [SaiKumarCholleti@github]

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=6a61a16f4a8a369fb3b2d07c9f100b31ec6b507a

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 libreswan/Makefile                                 |  4 +--
 libreswan/distinfo                                 | 11 ++++---
 libreswan/patches/patch-include_ip_index.h         | 33 +++++++++++++++++++
 libreswan/patches/patch-include_ip_info.h          | 25 +++++++++++++++
 libreswan/patches/patch-lib_libswan_ip_info.c      | 37 ++++++++++++++++++++++
 libreswan/patches/patch-lib_libswan_x509.c         | 13 --------
 .../patches/patch-programs_pluto_kernel_pfkeyv2.c  | 22 -------------
 7 files changed, 103 insertions(+), 42 deletions(-)

diffs:
diff --git a/libreswan/Makefile b/libreswan/Makefile
index fb200b0034..8ac803b10d 100644
--- a/libreswan/Makefile
+++ b/libreswan/Makefile
@@ -6,8 +6,8 @@
 # specific overides in mk/default/*.mk (for instance,
 # mk/default/netbsd.mk).
 
-DISTNAME=	libreswan-4.12
-PKGREVISION=	2
+DISTNAME=	libreswan-4.13
+PKGREVISION=	1
 MASTER_SITES=	https://download.libreswan.org/
 
 CATEGORIES=	security
diff --git a/libreswan/distinfo b/libreswan/distinfo
index 00fd1977e0..9ee0014d03 100644
--- a/libreswan/distinfo
+++ b/libreswan/distinfo
@@ -1,7 +1,8 @@
 $NetBSD$
 
-BLAKE2s (libreswan-4.12.tar.gz) = 397c455b67e112d0407b2b6e0fbe1f6e4bec4422c747a51dda3fd4bc0a87b2b7
-SHA512 (libreswan-4.12.tar.gz) = 3a7f5ea5d97da357a8979a8807694a316d42ccc5f9c7b5867041abf2b9316ff8428f24cf307b6b6073c191896c0417f137abf78f9903aecde5e1ee1182577ce0
-Size (libreswan-4.12.tar.gz) = 3718440 bytes
-SHA1 (patch-lib_libswan_x509.c) = 5f660e6186232be02c4c8ecadb905fcb5a1801be
-SHA1 (patch-programs_pluto_kernel_pfkeyv2.c) = 1daad00223d30d409b62a2d4dc932f6d1f91f9d6
+BLAKE2s (libreswan-4.13.tar.gz) = a35e41668cfdf79b8806dc231bd180e22230de60748b991b6d08d3dd3561bac3
+SHA512 (libreswan-4.13.tar.gz) = 551bd4e86f6642b2f4c2fae340f73b3fd5c36953a60ce89e37938cd4fcf7131470d3819100577f86baf75214d8b632067a066348620a3fe48d8ed3c26d9897a8
+Size (libreswan-4.13.tar.gz) = 3720846 bytes
+SHA1 (patch-include_ip_index.h) = 1da2e85a193b3fafac600ed3a2baf0faf243808d
+SHA1 (patch-include_ip_info.h) = c69dadb1252c3e2159a1a07a04a348972b32cda9
+SHA1 (patch-lib_libswan_ip_info.c) = 50d5b1a01a3f9ce71d4e6182e93262f1115e6549
diff --git a/libreswan/patches/patch-include_ip_index.h b/libreswan/patches/patch-include_ip_index.h
new file mode 100644
index 0000000000..112dbfb5a0
--- /dev/null
+++ b/libreswan/patches/patch-include_ip_index.h
@@ -0,0 +1,33 @@
+diff --git a/include/ip_index.h b/include/ip_index.h
+new file mode 100644
+index 0000000000..508589b05e
+--- /dev/null
++++ include/ip_index.h
+@@ -0,0 +1,27 @@
++/* ip address type index, for libreswan
++ *
++ * Copyright (C) 2022 Andrew Cagney
++ *
++ * This library is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU Library General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or (at your
++ * option) any later version.  See <https://www.gnu.org/licenses/lgpl-2.1.txt>.
++ *
++ * This library is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
++ * License for more details.
++ *
++ */
++
++#ifndef IP_INDEX_H
++#define IP_INDEX_H
++
++enum ip_index {
++	IPv4_INDEX,
++	IPv6_INDEX,
++};
++
++#define IP_INDEX_ROOF (IPv6_INDEX+1)
++
++#endif
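Review bot: This new pkgsrc patch file carries nothing but the raw git diff — no `$NetBSD$` tag and no comment saying why the patch exists — so a maintainer cannot tell from the file whether it backports an upstream change (the 2022 copyright line suggests it is upstream code) or is a local workaround, nor when it can be dropped. The same applies to the two sibling patch files added in this commit, which only make sense together (this header is included by the `ip_info.h` patch). I would open the file with a short header along the lines of `$NetBSD$`, a blank line, and `Adds include/ip_index.h, needed by patch-include_ip_info.h and patch-lib_libswan_ip_info.c; presumably a backport, drop once the package moves to the libreswan release that ships it.` Note that the new header defines `IP_INDEX_ROOF` as a macro outside the enum; making it a trailing enumerator would keep it in step if the enum grows, but that is a nit.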
diff --git a/libreswan/patches/patch-include_ip_info.h b/libreswan/patches/patch-include_ip_info.h
new file mode 100644
index 0000000000..283cea766b
--- /dev/null
+++ b/libreswan/patches/patch-include_ip_info.h
@@ -0,0 +1,25 @@
+diff --git a/include/ip_info.h b/include/ip_info.h
+index 40e99ef687..c1329a8569 100644
+--- include/ip_info.h.dist
++++ include/ip_info.h
+@@ -9,6 +9,7 @@
+ #include "ip_subnet.h"
+ #include "ip_selector.h"
+ #include "ip_sockaddr.h"
++#include "ip_index.h"
+ 
+ struct ip_info {
+ 	/*
+@@ -113,8 +114,10 @@ struct ip_info {
+ 
+ };
+ 
+-extern const struct ip_info ipv4_info;
+-extern const struct ip_info ipv6_info;
++extern const struct ip_info ip_families[IP_INDEX_ROOF];
++
++#define ipv4_info ip_families[IPv4_INDEX]
++#define ipv6_info ip_families[IPv6_INDEX]
+ 
+ extern const struct ip_info *aftoinfo(int af);
+ 
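Review bot: The two `#define ipv4_info ip_families[IPv4_INDEX]` / `#define ipv6_info ...` lines turn identifiers that used to name objects into object-like macros, so any other use of the token `ipv4_info` or `ipv6_info` anywhere in the tree after this header is included — a struct member, a local, a string built with the `#` operator — is now rewritten silently instead of failing to link; I cannot see from this hunk whether such uses exist, so this is worth a grep before relying on it. A comment above the defines stating their intent would help the next reader, e.g. `/* Compatibility aliases for existing callers; new code should index ip_families[] with an enum ip_index. */`. The patch also introduces a dependency on `ip_index.h`, which only exists via the sibling patch file in this commit, so the patch header should say so.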
diff --git a/libreswan/patches/patch-lib_libswan_ip_info.c b/libreswan/patches/patch-lib_libswan_ip_info.c
new file mode 100644
index 0000000000..e179c67382
--- /dev/null
+++ b/libreswan/patches/patch-lib_libswan_ip_info.c
@@ -0,0 +1,37 @@
+diff --git a/lib/libswan/ip_info.c b/lib/libswan/ip_info.c
+index 70cd6a368f..97296d3a11 100644
+--- lib/libswan/ip_info.c.dist
++++ lib/libswan/ip_info.c
+@@ -158,7 +158,9 @@ static ip_port port_from_ipv6_sockaddr(const ip_sockaddr sa)
+ 
+ #define IPv4_FF { { 255, 255, 255, 255, }, }
+ 
+-const struct ip_info ipv4_info = {
++const struct ip_info ip_families[IP_INDEX_ROOF] = {
++
++	[IPv4_INDEX] = {
+ 
+ 	.ip_version = IPv4,
+ 	.ip_size = sizeof(struct in_addr),
+@@ -210,11 +212,11 @@ const struct ip_info ipv4_info = {
+ 	.id_ip_addr = ID_IPV4_ADDR,
+ 	.id_ip_addr_subnet = ID_IPV4_ADDR_SUBNET,
+ 	.id_ip_addr_range = ID_IPV4_ADDR_RANGE,
+-};
++	},
+ 
+ #define IPv6_FF { { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, }, }
+ 
+-const struct ip_info ipv6_info = {
++	[IPv6_INDEX] = {
+ 
+ 	.ip_version = IPv6,
+ 	.ip_size = sizeof(struct in6_addr),
+@@ -266,6 +268,7 @@ const struct ip_info ipv6_info = {
+ 	.id_ip_addr = ID_IPV6_ADDR,
+ 	.id_ip_addr_subnet = ID_IPV6_ADDR_SUBNET,
+ 	.id_ip_addr_range = ID_IPV6_ADDR_RANGE,
++	}
+ };
+ 
+ const struct ip_info *aftoinfo(int af)
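Review bot: After this change the `#define IPv6_FF { ... }` directive sits inside the `ip_families[]` initializer, between the `[IPv4_INDEX] = { ... },` and `[IPv6_INDEX] = {` elements; that is legal because the preprocessor runs first, but a reader following the brace structure now finds a directive in the middle of an aggregate. I would hoist it next to `#define IPv4_FF` above the array so the initializer is one uninterrupted list, and give the table a one-line header such as `/* Per-family constants, indexed by enum ip_index; ipv4_info/ipv6_info in ip_info.h alias these slots. */`. The field lines inside each element keep their old one-tab indent even though they are now nested one level deeper, which is a cosmetic inconsistency. The middle of the array initializer and the body of `aftoinfo()` (whose signature is the hunk's last line) lie outside the hunks, so I could not check whether anything else referenced the old object names.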
diff --git a/libreswan/patches/patch-lib_libswan_x509.c b/libreswan/patches/patch-lib_libswan_x509.c
deleted file mode 100644
index e48dcd92d6..0000000000
--- a/libreswan/patches/patch-lib_libswan_x509.c
+++ /dev/null
@@ -1,13 +0,0 @@
---- lib/libswan/x509dn.c.dist	2023-08-06 15:38:41.229683426 +0000
-+++ lib/libswan/x509dn.c	2023-08-06 15:39:26.829938849 +0000
-@@ -777,7 +777,9 @@
- 			       /* XXX: where did '/' come from? */
- 			       src[0] != '/') {
- 				/* assume nul termination */
--				if (src[0] == '\\' && isxdigit(src[1]) && isxdigit(src[2])) {
-+				if (src[0] == '\\' &&
-+				    char_isxdigit(src[1]) &&
-+				    char_isxdigit(src[2])) {
- 					char hex[3] = { src[1], src[2], };
- 					uint8_t byte = strtol(hex, NULL, 16);
- 					EXTEND_OBJ(&byte, 1);
diff --git a/libreswan/patches/patch-programs_pluto_kernel_pfkeyv2.c b/libreswan/patches/patch-programs_pluto_kernel_pfkeyv2.c
deleted file mode 100644
index b2dca4392d..0000000000
--- a/libreswan/patches/patch-programs_pluto_kernel_pfkeyv2.c
+++ /dev/null
@@ -1,22 +0,0 @@
---- programs/pluto/kernel_pfkeyv2.c
-+++ programs/pluto/kernel_pfkeyv2.c
-@@ -25,6 +25,7 @@
- #include "ip_encap.h"
- #include "chunk.h"
- #include "hunk.h"
-+#include "ike_alg_integ.h"	/* for ike_alg_integ_none; */
- 
- #include "kernel.h"
- #include "kernel_alg.h"
-@@ -265,8 +266,10 @@ static struct sadb_sa *put_sadb_sa(struct outbuf *msg,
- 				   const struct encrypt_desc *encrypt,
- 				   const struct ipcomp_desc *ipcomp)
- {
--	unsigned aalg = (integ != NULL ? integ->integ_sadb_aalg_id :
-+	unsigned aalg = (integ == &ike_alg_integ_none && encrypt_desc_is_aead(encrypt) ? SADB_AALG_NONE :
-+			 integ != NULL ? integ->integ_sadb_aalg_id :
- 			 0);
-+
- 	unsigned ealg = (encrypt != NULL ? encrypt->encrypt_sadb_ealg_id :
- 			 /* XXX: NetBSD treats IPCOMP like ENCRYPT */
- 			 ipcomp != NULL ? ipcomp->ipcomp_sadb_calg_id : 0);

