fastports

strongswan 6.0.6

security/strongswan

Open Source IKEv2 IPsec-based VPN solution

Category
security
Maintainer
strongswan@nanoteq.com
WWW
https://www.strongswan.org
License
GPLv2
USES
cpe libtool:keepla pkgconfig ssl tar:bzip2

Description

Strongswan is an open source IPsec-based VPN solution.
Strongswan for FreeBSD implements both the IKEv1 and IKEv2 (RFC 5996) key
exchange protocols.

Dependencies

Commit History

may be incomplete — full history at freebsd-ports on GitHub

Commit Credits Log message
6.0.6
3b628bd6b8 files touched
Vladimir Druzenko (vvd)
security/strongswan: Update 6.0.5 => 6.0.6 (fix 7 CVEs)
Changelog:
https://github.com/strongswan/strongswan/releases/tag/6.0.6

PR:		294718
Approved by:	blanket (fix CVEs)
Security:	CVE-2026-35328
Security:	CVE-2026-35329
Security:	CVE-2026-35330
Security:	CVE-2026-35331
Security:	CVE-2026-35332
Security:	CVE-2026-35333
Security:	CVE-2026-35334
Sponsored by:	UNIS Labs
MFH:		2026Q2
6.0.5
fb347f7775 files touched
Mike Bressem (mike)
security/strongswan: Enable ML plugin by default to allow Post-Quantum Key Exchange Methods
Currently ML-DSA (used for Digital Signatures) is a draft in strongswan
(ETA Version 6.1.0 or later). So CNSA 2.0 cannot be fully supported yet.
https://linux-ipsec.org/slides/2025/steffen-pqc-auth-for-ikev2.pdf
But most firewalls (Palo Alto / Fortigate) already support ML-KEM Key
Exchange in addition to standard proposals.
E.g. aes128gcm16-ecp256-ke1_mlkem512.

More details:
https://docs.strongswan.org/docs/latest/config/proposals.html

PR:		294305
Approved by:	strongswan@Nanoteq.com (maintainer, timeout 2 weeks)
Sponsored by:	UNIS Labs
6.0.5
2d6221ae7d files touched
Vladimir Druzenko (vvd)
security/strongswan: Update 6.0.4 => 6.0.5 (CVE-2026-25075)
Changelog:
https://github.com/strongswan/strongswan/releases/tag/6.0.5

While here:
- Switch from post-install + "if PORT_OPTIONS:MVICI" to
  post-install-VICI-on.
- Add option FIPS_PRF - software implementation plugin.
- Improve plist.
- Refresh patches.

Reported by:	Mike Bressem <mike@bressem.com> (via email)
Approved by:	blanket (fix CVE)
Security:	CVE-2026-25075
Sponsored by:	UNIS Labs
MFH:		2026Q2
6.0.4
f1fee394ea files touched
topical (topical)
security/strongswan: Update 6.0.3 => 6.0.4
Changelog:
https://github.com/strongswan/strongswan/releases/tag/6.0.4

PR:		293003
Approved by:	strongswan@Nanoteq.com (maintainer, timeout > 3 weeks)
MFH:		2026Q1
6.0.3
5b3e57e136 files touched
Jose Luis Duran (jlduran)
security/strongswan: Fix plist
Error: Orphaned: %%ETCDIR%%.d/iptfs.conf.sample
Error: Orphaned: %%DATADIR%%/templates/config/strongswan.d/iptfs.conf

PR:		290828
Approved by:	blanket, just fix it
6.0.3
c3584a2ee5 files touched
R. Christian McDonald (rcm)
security/strongswan: Update to 6.0.3
ChangeLog:
https://github.com/strongswan/strongswan/releases/tag/6.0.3

PR:		290578
Reviewed by:	brd
MFH:		2025Q4
Security:	CVE-2025-62291
Sponsored by:	Rubicon Communications, LLC ("Netgate")
6.0.1
4ebd4846a1 files touched
Kurt Jaeger (pi)
security/strongswan: update 6.0.0 -> 6.0.1
PR:		286928
Changes:	https://github.com/strongswan/strongswan/releases/tag/6.0.1
Approved by:	strongswan@Nanoteq.com (maintainer timeout)
6.0.0
de8342c344 files touched
kwf (kwf)
security/strongswan: Allow old stroke interface to be enabled
Note that strongSwan has deprecated the stroke management interface for
years, and it is recommended to migrate the configuration to vici before
it is removed.

PR:	285049
6.0.0
68fd439e6a files touched
kwf (kwf)
security/strongswan: Update 5.9.14 => 6.0.0
Changelog:
https://github.com/strongswan/strongswan/releases/tag/6.0.0

Remove GNU_CONFIGURE_MANPREFIX.

PR:	284947
5.9.14
825afe0bb4 files touched
Olivier Cochard (olivier)
security/strongswan: fix build on current
Backport upstream commit a7f617ab3328153939cb757a5cf9001071ef8720

PR:		280435
Approved by:	kwf@nanoteq.com (maintainer)
5.9.14
32cab2d7dc files touched
Jose Luis Duran (jlduran)
security/strongswan: Update to 5.9.14
ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.14

PR:		278137
Reported by:	jlduran@gmail.com
Approved by:	strongswan@Nanoteq.com (maintainer, timeout > 2 weeks)
5.9.13
53f3494abb files touched
Muhammad Moinur Rahman (bofh)
security/strongswan: Moved man to share/man
Approved by:    portmgr (blanket)
5.9.13
9d8accbe0c files touched
Jose Luis Duran (jlduran)
security/strongswan: Update to 5.9.13
ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.13

PR:		275620
Reported by:	jlduran@gmail.com
MFH:		2023Q4 (security fix)
Security:	CVE-2023-41913
5.9.11
4e2c0382dd files touched
Eugene Grosbein (eugen)
security/strongswan: fix CVE-2023-41913
This is an urgent change adding the official patch
https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch
that is identical to the change made for strongswan-5.9.12:
https://github.com/strongswan/strongswan/commit/96d793718955820dfe5e6d8aa6127a34795ae39e

It is up to the port maintainer to review and maybe upgrade the port to 5.9.12

Obtained from:	strongSwan
Security:	CVE-2023-41913
5.9.11
f7f38560ce files touched
Jose Luis Duran (jlduran)
security/strongswan: Explicitly set sysconfdir
This allows for proper substitution in manual pages.

PR:		273138
Reported by:	jlduran@gmail.com
Reviewed by:	strongswan@Nanoteq.com (maintainer timeout > 2 weeks)
5.9.11
ab5ef1b273 files touched
Matteo Riondato (matteo)
security/strongswan: Fix route installation
cherry-pick upstream commit a619356 to fix route installation on FreeBSD

PR:		272841
Reported by:	matteo@FreeBSD.org
Approved by:	strongswan@Nanoteq.com (maintainer)
5.9.11
7409da5ebd files touched
Matteo Riondato (matteo)
security/strongswan: Update to 5.9.11
ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.11

PR:		272739
Reported by:	matteo@FreeBSD.org
Approved by:	strongswan@Nanoteq.com (maintainer)
5.9.10
e27bfba4d7 files touched
Fernando Apesteguía (fernape)
security/strongswan: Fix TLS 1.2 in EAP-TLS plugin
Cherry pick commit from upstream.

PR:		270380
Reported by:	dronmbi@gtn.ru
Approved by:	strongswan@Nanoteq.com (maintainer)
5.9.10
0cc82a4810 files touched
Kurt Jaeger (pi)
security/strongswan: upgrade 5.9.9 -> 5.9.10 to fix CVE-2023-26463
See also:
  https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html

PR:		269976
Approved-by:	Francois ten Krooden <strongswan@Nanoteq.com> (maintainer)
Changelog:	https://github.com/strongswan/strongswan/releases/tag/5.9.10
5.9.9
c703ad728b files touched
Eugene Grosbein (eugen)
security/strongswan: fix CVE-2023-26463
This is an urgent change adding the official patch
https://download.strongswan.org/security/CVE-2023-26463/strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch

It is up to the port maintainer to review and maybe upgrade
the port to 5.9.10.

Obtained from:	strongSwan
Security:	CVE-2023-26463
5.9.9
6e1233be22 files touched
Muhammad Moinur Rahman (bofh)
Mk/**ldap.mk: Convert USE_LDAP to USES=ldap
Convert the USE_LDAP=yes to USES=ldap and adds the following features:

- Adds the argument USES=ldap:server to add openldap2{4|5|6}-server as
  RUN_DEPENDS
- Adds the argument USES=ldap<version> and replaces WANT_OPENLDAP_VER
- Adds OPENLDAP versions in bsd.default-versions.mk
- Adds USE_OPENLDAP/WANT_OPENLDAP_VER in Mk/bsd.sanity.mk
- Changes consumers to use the features

Reviewed by:	delphij
Approved by:	portmgr
Differential Revision: https://reviews.freebsd.org/D38233
5.9.9
a06d577338 files touched
Jose Luis Duran (jlduran)
security/strongswan: Remove --with-lib-prefix
Remove flag already in the default option.

PR:		268918
Reported by:	jlduran@gmail.com
Approved by:	strongswan@Nanoteq.com (maintainer, implicit in PR)
5.9.9
9428654776 files touched
Jose Luis Duran (jlduran)
security/strongswan: Update to 5.9.9
ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.9

PR:		268918 262743
Reported by:	jlduran@gmail.com
Approved by:	strongswan@Nanoteq.com (maintainer)
5.9.8
a0103c803b files touched
Jose Luis Duran (jlduran)
security/strongswan: Add GCM option to OPTIONS_DEFAULT
Avoid the message:

 "plugin 'gcm': failed to load - gcm_plugin_create not found and no
 plugin file available"

 According to strongSwan's 5.9.8 release notes[1]:

 The gcm plugin has been enabled by default, so that the TLS 1.3 unit
 tests (now indirectly enabled if the pki tool is built due to the
 implementation of EST) can be completed successfully with just the
 default plugins.

 Let's also enable it by default.

 [1]: https://github.com/strongswan/strongswan/releases/tag/5.9.8

PR:		267352
5.9.8
a28166f3b1 files touched
Franco Fichtner (franco)
security/strongswan: update to 5.9.8
ChangeLog: https://github.com/strongswan/strongswan/releases/tag/5.9.8

Fixes CVE-2022-40617.

PR:		267037
Reported by:	franco@opnsense.org
Approved by:	strongswan@Nanoteq.com (maintainer, implicit)
MFH:		2022Q4	(security update)
Security:	CVE-2022-40617 DoS attack vulnerability
5.9.6
fb16dfecae files touched
Stefan Eßer (se)
Remove WWW entries moved into port Makefiles
Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.

This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.

Approved by:		portmgr (tcberner)
5.9.6
b7f05445c0 files touched
Stefan Eßer (se)
Add WWW entries to port Makefiles
It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was transferred into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.

There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.

The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.

Approved by:		portmgr (tcberner)
5.9.6
4e7ee356bb files touched
Francois ten Krooden (strongswan)
security/strongswan: Fix key derivation
An issue in the upstream port causes key derivation to fail in version 5.9.6.
A workaround is to enable the KDF plugin by default.

PR:	264667
Reported by:	strongswan@Nanoteq.com (maintainer)
5.9.6
b3a2477de7 files touched
Björn König (freebsd)
security/strongswan: add CTR plugin option
PR:		264354
Approved by:	Francois ten Krooden (maintainer)
5.9.6
b591672ecc files touched
Dani I (i.dani)
security/strongswan: Update to 5.9.6
Changes:	https://github.com/strongswan/strongswan/releases/tag/5.9.6

PR:		263748
Approved by:	Francois ten Krooden (maintainer)
5.9.5
f642535800 files touched
Michael Glaus (michael.glaus)
security/strongswan: Update to 5.9.5
Changes:	https://github.com/strongswan/strongswan/releases/tag/5.9.5
PR:		261462
Approved by:	Francois ten Krooden <strongswan@Nanoteq.com> (maintainer)
MFH:		2022Q1
Security:	CVE-2021-45079
5.9.4
eead2ddf75 files touched
Dani (i.dani)
security/strongswan: Update to 5.9.4
Security & Bugfix Update to 5.9.4:
- Changelog: https://github.com/strongswan/strongswan/releases/tag/5.9.4
- While here change repos to https
- Fix CVE-2021-41990: https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41990).html
- Fix CVE-2021-41991: https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41991).html

PR:		259267
Approved by:	strongswan@Nanoteq.com (maintainer)
MFH:		2021Q4
5.9.3
4a836720c7 files touched
Jose Luis Duran (jlduran)
security/strongswan: Update to 5.9.3
Changelog:	https://github.com/strongswan/strongswan/releases/tag/5.9.3

PR:		257564
Approved by:	strongswan@Nanoteq.com (maintainer)
5.9.2
0ca8849103 files touched
Sergey Akhmatov (sergey)
security/strongswan: Fix default control-interface
Fix default control-interface in rc.d script and also
make it user-selectable at build time, defaulting to VICI.

Also mention this change in pkg-message, as previously the
default was "stroke" and it was changed to "vici" with
only a short notice in UPDATING, that was not displayed
when using binary upgrades.

Committing a portfmt'd version.

PR:		255952
Approved by:	strongswan@Nanoteq.com (maintainer)
5.9.2
135fdeebb9 files touched
Mathieu Arnold (mat)
all: Remove all other $FreeBSD keywords.
5.9.2
305f148f48 files touched
Mathieu Arnold (mat)
Remove # $FreeBSD$ from Makefiles.
5.9.2
ca2eb5c646 files touched
Dmitry Marakasov (amdmi3)
security/strongswan: use "vici" interface instead of deprecated "stroke" by default
Add UPDATING entry with migration instruction.

PR:		249865
Submitted by:	driesm.michiels@gmail.com
Approved by:	strongswan@nanoteq.com (maintainer)
5.9.2
1f6e853221 files touched
Fernando Apesteguía (fernape)
security/strongswan: Update to 5.9.2
ChangeLog: https://wiki.strongswan.org/versions/80

While here, pet linters

PR:	254047
Submitted by:	jlduran@gmail.com
Approved by:	strongswan@Nanoteq.com (maintainer)
5.9.1
208eaad339 files touched
Joseph Mingrone (jrm)
security/strongswan: Update to version 5.9.1
Changelog: https://wiki.strongswan.org/versions/79

PR:		252202
Submitted by:	Jose Luis Duran <jlduran@gmail.com>
Approved by:	strongswan@nanoteq.com (maintainer)
5.9.0
d5dae03b67 files touched
Kurt Jaeger (pi)
security/strongswan: update 5.8.4 -> 5.9.0
- Also link the tpm2-tss package for testing with the TPM plugin:
  https://wiki.strongswan.org/projects/strongswan/wiki/TpmPlugin

PR:		249470
Submitted by:	Jose Luis Duran <jlduran@gmail.com>
Approved by:	strongswan@Nanoteq.com (maintainer)
Relnotes:	https://wiki.strongswan.org/versions/78
5.8.4
7a792acc12 files touched
Fernando Apesteguía (fernape)
security/strongswan: Add TEST_TARGET
make test passes OK

PR:	246535
Submitted by:	jlduran@gmail.com
Reviewed by:	strongswan@Nanoteq.com (maintainer)
5.8.4
b69b2fb8da files touched
Renato Botelho (garga)
security/strongswan: Update to 5.8.4
PR:		245199
Submitted by:	Jose Luis Duran <jlduran@gmail.com>
Approved by:	strongswan@Nanoteq.com (maintainer)
Sponsored by:	Rubicon Communications, LLC (Netgate)
5.8.3
2099740570 files touched
Jochen Neumeister (joneum)
Update to 5.8.3
PR:		245087
Sponsored by:	Netzkommune GmbH
5.8.2
26827296ac files touched
Mateusz Piotrowski (0mp)
security/strongswan: Add PYTHON plugin option for a VICI protocol plugin
PR:		243254
Submitted by:	Dries Michiels <driesm.michiels@gmail.com>
Approved by:	maintainer
Event:		Brussels DevSummit 2020
5.8.2
62ce674158 files touched
Koichiro Iwao (meta)
security/strongswan: load ipsec kernel module by rc script
From the following discussion: https://reviews.freebsd.org/D20163
It makes sense to add ipsec as required module for the rc script
of strongSwan.

PR:		243316
Submitted by:	Dries Michiels <driesm.michiels@gmail.com>
Approved by:	maintainer
5.8.2
63290106b6 files touched
Renato Botelho (garga)
security/strongswan: Update to 5.8.2
PR:		242687
Approved by:	maintainer
Obtained from:	pfSense
Sponsored by:	Rubicon Communications, LLC (Netgate)
5.8.1
c2e5505afa files touched
Renato Botelho (garga)
Add a new option to enable PKCS11 plugin
PR:		240684
Approved by:	strongswan@Nanoteq.com (maintainer)
Obtained from:	pfSense
Sponsored by:	Rubicon Communications, LLC (Netgate)
5.8.1
b1c34a2767 files touched
Steve Wills (swills)
security/strongswan: update to 5.8.1
PR:		240316
Submitted by:	Jose Luis Duran <jlduran@gmail.com>
Approved by:	strongswan@Nanoteq.com (maintainer)
5.8.0
c07f70692d files touched
Koichiro Iwao (meta)
security/strongswan: Add support for the VIA Padlock plugin
PR:		239458
Submitted by:	Evgeny <mojolicious@yandex.com> (initial revision)
		strongswan@Nanoteq.com (maintainer, brushed-up revision)
Approved by:	strongswan@Nanoteq.com (maintainer)
5.8.0
222e095f2a files touched
Koichiro Iwao (meta)
Implement new virtual category: net-vpn for VPN related ports
based on discussion at ports@ [1]. As VPN softwares are put in different
physical category net and security. This is a little bit confusing. Let's
give them new virtual category net-vpn.

[1] https://lists.freebsd.org/pipermail/freebsd-ports/2019-April/115915.html

PR:		239395
Submitted by:	myself
Approved by:	portmgr (mat)
Differential Revision:	https://reviews.freebsd.org/D21174
