diff options
| author | Matthias Andree <mandree@FreeBSD.org> | 2025-09-06 02:25:05 +0200 |
|---|---|---|
| committer | Matthias Andree <mandree@FreeBSD.org> | 2025-09-06 14:52:09 +0200 |
| commit | 5ecf19f0371f4ca71c5dc89d133442c8dd0e7a00 (patch) | |
| tree | 1dafdcadca6cad3f1006879a8e9b3edaab73c7dc /security/openvpn/files/patch-src_openvpn_multi.c | |
| parent | security/vuls: Update to 0.34.0 (diff) | |
security/openvpn: support DCO float notifications
The FreeBSD kernel added "if_ovpn: support floating clients"
on main on 2025-07-28, and merged it to 14/stable on 2025-08-13.
https://reviews.freebsd.org/D51468
https://cgit.freebsd.org/src/commit/?id=9c52600a5a150117b4396df3b868cf2516e1674c&h=main
https://cgit.freebsd.org/src/commit/?h=stable/14&id=fc387ed68f3c7b0b8da9bab13492b7bbafecb5bf
This adds a new notification from the kernel module to user space
named OVPN_NOTIF_FLOAT, which OpenVPN 2.6.14 does not support.
Backport support into OpenVPN 2.6.
Reported by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Obtained from: Kristof Provost <kp@FreeBSD.org>
Obtained from: Ralf Lici <ralf@mandelbit.com>
- modified to avoid assert() in nvlist_to_sockaddr()
in src/openvpn/dco_freebsd.c
Obtained from: Gert Doering <gert@greenie.muc.de>
Tested by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
PR: 289303
MFH: 2025Q3 (suggestion after 10 days)
Diffstat (limited to 'security/openvpn/files/patch-src_openvpn_multi.c')
| -rw-r--r-- | security/openvpn/files/patch-src_openvpn_multi.c | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/security/openvpn/files/patch-src_openvpn_multi.c b/security/openvpn/files/patch-src_openvpn_multi.c new file mode 100644 index 000000000000..22995fb45caf --- /dev/null +++ b/security/openvpn/files/patch-src_openvpn_multi.c @@ -0,0 +1,39 @@ +--- src/openvpn/multi.c.orig 2025-04-02 06:53:10 UTC ++++ src/openvpn/multi.c +@@ -3169,6 +3169,18 @@ multi_process_float(struct multi_context *m, struct mu + goto done; + } + ++ /* It doesn't make sense to let a peer float to the address it already ++ * has, so we disallow it. This can happen if a DCO netlink notification ++ * gets lost and we miss a floating step. ++ */ ++ if (m1->peer_id == m2->peer_id) ++ { ++ msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to " ++ "its own address (%s)", ++ m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false), ++ mroute_addr_print(&mi->real, &gc)); ++ goto done; ++ } + msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc)); + multi_close_instance(m, ex_mi, false); + } +@@ -3301,6 +3313,17 @@ multi_process_incoming_dco(struct multi_context *m) + { + process_incoming_del_peer(m, mi, dco); + } ++#if defined(TARGET_FREEBSD) ++ else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER) ++ { ++ ASSERT(mi->context.c2.link_socket); ++ extract_dco_float_peer_addr(mi->context.c2.link_socket->info.af, ++ &m->top.c2.from.dest, ++ (struct sockaddr *)&dco->dco_float_peer_ss); ++ multi_process_float(m, mi); ++ CLEAR(dco->dco_float_peer_ss); ++ } ++#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */ + else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) + { + tls_session_soft_reset(mi->context.c2.tls_multi); |