Diffstat (limited to 'security/openvpn')
-rw-r--r--security/openvpn/Makefile3
-rw-r--r--security/openvpn/files/patch-doc_man-sections_generic-options.rst4
-rw-r--r--security/openvpn/files/patch-doc_tests_authentication-plugins.md11
-rw-r--r--security/openvpn/files/patch-sample__sample-config-files__loopback-client13
-rw-r--r--security/openvpn/files/patch-sample__sample-config-files__loopback-server12
-rw-r--r--security/openvpn/files/patch-sample_sample-config-files_loopback-client13
-rw-r--r--security/openvpn/files/patch-sample_sample-config-files_server.conf21
-rw-r--r--security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn11
-rw-r--r--security/openvpn/files/patch-src_openvpn_dco__freebsd.c96
-rw-r--r--security/openvpn/files/patch-src_openvpn_dco__freebsd.h18
-rw-r--r--security/openvpn/files/patch-src_openvpn_forward.c44
-rw-r--r--security/openvpn/files/patch-src_openvpn_forward.h24
-rw-r--r--security/openvpn/files/patch-src_openvpn_multi.c39
-rw-r--r--security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h10
-rw-r--r--security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c10
15 files changed, 301 insertions, 28 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index c771eea03b22..44f30253b5b2 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,6 +1,6 @@
PORTNAME= openvpn
DISTVERSION= 2.6.14
-PORTREVISION?= 0
+PORTREVISION?= 2
CATEGORIES= security net net-vpn
MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
https://build.openvpn.net/downloads/releases/ \
@@ -105,6 +105,7 @@ pre-everything::
.endif
post-patch:
+ ${RM} sample/sample-keys/dh2048.pem # no longer needed
${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
-e 's/"nobody"( after init)/"openvpn" \1/' \
${WRKSRC}/sample/sample-config-files/*.conf \
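Review bot: The added `${RM} sample/sample-keys/dh2048.pem` is a path relative to the current directory, whereas the `${REINPLACE_CMD}` command right below it addresses the same tree through `${WRKSRC}/…`. Unless the recipe changes directory first (nothing in the hunk does), ports targets run in the port's own directory, so `rm -f` would silently remove nothing and the DH file would remain in the extracted sources. Suggested: `${RM} ${WRKSRC}/sample/sample-keys/dh2048.pem # no longer needed`. The removal itself is consistent with the new patches switching the sample configs to `dh none`.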
diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
index 295f20cd7f1f..28c93860b329 100644
--- a/security/openvpn/files/patch-doc_man-sections_generic-options.rst
+++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
@@ -1,6 +1,6 @@
---- doc/man-sections/generic-options.rst.orig 2023-01-25 10:00:58 UTC
+--- doc/man-sections/generic-options.rst.orig 2025-04-02 06:53:10 UTC
+++ doc/man-sections/generic-options.rst
-@@ -507,5 +507,8 @@ which mode OpenVPN is configured as.
+@@ -514,5 +514,8 @@ --user user
since it is usually used by other system services already. Always
create a dedicated user for openvpn.
diff --git a/security/openvpn/files/patch-doc_tests_authentication-plugins.md b/security/openvpn/files/patch-doc_tests_authentication-plugins.md
new file mode 100644
index 000000000000..d680c64019f7
--- /dev/null
+++ b/security/openvpn/files/patch-doc_tests_authentication-plugins.md
@@ -0,0 +1,11 @@
+--- doc/tests/authentication-plugins.md.orig 2025-04-02 06:53:10 UTC
++++ doc/tests/authentication-plugins.md
+@@ -36,7 +36,7 @@ To build the needed authentication plug-in, run:
+ verb 4
+ dev tun
+ server 10.8.0.0 255.255.255.0
+- dh sample/sample-keys/dh2048.pem
++ dh none
+ ca sample/sample-keys/ca.crt
+ cert sample/sample-keys/server.crt
+ key sample/sample-keys/server.key
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-client b/security/openvpn/files/patch-sample__sample-config-files__loopback-client
deleted file mode 100644
index 0b485a641d8a..000000000000
--- a/security/openvpn/files/patch-sample__sample-config-files__loopback-client
+++ /dev/null
@@ -1,13 +0,0 @@
---- sample/sample-config-files/loopback-client.orig 2016-08-23 14:16:22 UTC
-+++ sample/sample-config-files/loopback-client
-@@ -9,8 +9,8 @@
- # ./openvpn --config sample-config-files/loopback-client (In one window)
- # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
-
--rport 16000
--lport 16001
-+rport 16100
-+lport 16101
- remote localhost
- local localhost
- dev null
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-server b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
index 58691b133de7..3eac712d9054 100644
--- a/security/openvpn/files/patch-sample__sample-config-files__loopback-server
+++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
@@ -1,6 +1,6 @@
---- sample/sample-config-files/loopback-server.orig 2016-08-23 14:16:22 UTC
+--- sample/sample-config-files/loopback-server.orig 2025-04-02 06:53:10 UTC
+++ sample/sample-config-files/loopback-server
-@@ -9,8 +9,8 @@
+@@ -9,15 +9,15 @@
# ./openvpn --config sample-config-files/loopback-client (In one window)
# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
@@ -11,3 +11,11 @@
remote localhost
local localhost
dev null
+ verb 3
+ reneg-sec 10
+ tls-server
+-dh sample-keys/dh2048.pem
++dh none
+ ca sample-keys/ca.crt
+ key sample-keys/server.key
+ cert sample-keys/server.crt
diff --git a/security/openvpn/files/patch-sample_sample-config-files_loopback-client b/security/openvpn/files/patch-sample_sample-config-files_loopback-client
new file mode 100644
index 000000000000..5726f12af605
--- /dev/null
+++ b/security/openvpn/files/patch-sample_sample-config-files_loopback-client
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-client.orig 2025-04-02 06:53:10 UTC
++++ sample/sample-config-files/loopback-client
+@@ -12,8 +12,8 @@
+ # this config file has the crypto material (cert, key, ..) "inlined",
+ # while the "server" config has it as external reference - test both paths
+
+-rport 16000
+-lport 16001
++rport 16100
++lport 16101
+ remote localhost
+ local localhost
+ dev null
diff --git a/security/openvpn/files/patch-sample_sample-config-files_server.conf b/security/openvpn/files/patch-sample_sample-config-files_server.conf
new file mode 100644
index 000000000000..ba2194589405
--- /dev/null
+++ b/security/openvpn/files/patch-sample_sample-config-files_server.conf
@@ -0,0 +1,21 @@
+--- sample/sample-config-files/server.conf.orig 2025-04-02 06:53:10 UTC
++++ sample/sample-config-files/server.conf
+@@ -87,11 +87,6 @@ key server.key # This file should be kept secret
+ cert server.crt
+ key server.key # This file should be kept secret
+
+-# Diffie hellman parameters.
+-# Generate your own with:
+-# openssl dhparam -out dh2048.pem 2048
+-dh dh2048.pem
+-
+ # Allow to connect to really old OpenVPN versions
+ # without AEAD support (OpenVPN 2.3.x or older)
+ # This adds AES-256-CBC as fallback cipher and
+@@ -307,4 +302,4 @@ verb 3
+
+ # Notify the client that when the server restarts so it
+ # can automatically reconnect.
+-explicit-exit-notify 1
+\ No newline at end of file
++explicit-exit-notify 1
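Review bot: The inner patch deletes the `dh dh2048.pem` line and its generation instructions from server.conf without substituting anything, while the other sample files in this commit (authentication-plugins.md, loopback-server, server.ovpn) replace the directive with `dh none`. If this OpenVPN version treats an absent `--dh` the same as `dh none` the sample still starts, but an explicit `dh none` with a short comment (`# No DH parameter file; key exchange relies on ECDH cipher suites`) would keep the samples consistent and make the choice visible to admins who copy this file. The `explicit-exit-notify` hunk only adds the missing trailing newline.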
diff --git a/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn b/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn
new file mode 100644
index 000000000000..2ff14e611905
--- /dev/null
+++ b/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn
@@ -0,0 +1,11 @@
+--- sample/sample-plugins/keying-material-exporter-demo/server.ovpn.orig 2025-04-02 06:53:10 UTC
++++ sample/sample-plugins/keying-material-exporter-demo/server.ovpn
+@@ -8,7 +8,7 @@ key ../../sample-keys/server.key
+ ca ../../sample-keys/ca.crt
+ cert ../../sample-keys/server.crt
+ key ../../sample-keys/server.key
+-dh ../../sample-keys/dh2048.pem
++dh none
+
+ server 10.8.0.0 255.255.255.0
+ port 1194
diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.c b/security/openvpn/files/patch-src_openvpn_dco__freebsd.c
new file mode 100644
index 000000000000..22c24baa9ec3
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_dco__freebsd.c
@@ -0,0 +1,96 @@
+--- src/openvpn/dco_freebsd.c.orig 2025-04-02 06:53:10 UTC
++++ src/openvpn/dco_freebsd.c
+@@ -72,6 +72,67 @@ sockaddr_to_nvlist(const struct sockaddr *sa)
+ return (nvl);
+ }
+
++static bool
++nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss)
++{
++ if (!nvlist_exists_number(nvl, "af"))
++ {
++ return (false);
++ }
++ if (!nvlist_exists_binary(nvl, "address"))
++ {
++ return (false);
++ }
++ if (!nvlist_exists_number(nvl, "port"))
++ {
++ return (false);
++ }
++
++ ss->ss_family = nvlist_get_number(nvl, "af");
++
++ switch (ss->ss_family)
++ {
++ case AF_INET:
++ {
++ struct sockaddr_in *in = (struct sockaddr_in *)ss;
++ const void *data;
++ size_t len;
++
++ in->sin_len = sizeof(*in);
++ data = nvlist_get_binary(nvl, "address", &len);
++ if (len != sizeof(in->sin_addr))
++ {
++ return (false);
++ }
++ memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
++ in->sin_port = nvlist_get_number(nvl, "port");
++ break;
++ }
++
++ case AF_INET6:
++ {
++ struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
++ const void *data;
++ size_t len;
++
++ in6->sin6_len = sizeof(*in6);
++ data = nvlist_get_binary(nvl, "address", &len);
++ if (len != sizeof(in6->sin6_addr))
++ {
++ return (false);
++ }
++ memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
++ in6->sin6_port = nvlist_get_number(nvl, "port");
++ break;
++ }
++
++ default:
++ return (false);
++ }
++
++ return (true);
++}
++
+ int
+ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
+ struct sockaddr *localaddr, struct sockaddr *remoteaddr,
+@@ -570,6 +631,25 @@ dco_do_read(dco_context_t *dco)
+ case OVPN_NOTIF_ROTATE_KEY:
+ dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
+ break;
++
++ case OVPN_NOTIF_FLOAT: {
++ const nvlist_t *address;
++
++ if (!nvlist_exists_nvlist(nvl, "address"))
++ {
++ msg(M_WARN, "Float notification without address");
++ break;
++ }
++
++ address = nvlist_get_nvlist(nvl, "address");
++ if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss))
++ {
++ msg(M_WARN, "Failed to parse float notification");
++ break;
++ }
++ dco->dco_message_type = OVPN_CMD_FLOAT_PEER;
++ break;
++ }
+
+ default:
+ msg(M_WARN, "Unknown kernel notification %d", type);
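Review bot: nvlist_to_sockaddr() writes `ss_family` and `sin_len`/`sin6_len` before the length check, so a rejected `address` leaves `dco->dco_float_peer_ss` half-updated, and on success the bytes it never touches (`sin_zero`, `sin6_flowinfo`, `sin6_scope_id`) keep whatever they held before; the caller in multi.c clears the storage only after a successful float. Starting the function with `memset(ss, 0, sizeof(*ss));` makes every field defined on both paths. `nvlist_get_number()` yields a 64-bit value that is narrowed into `ss_family` and `sin_port`/`sin6_port` without a range check; the nvlist comes from the kernel, so this is not a trust-boundary issue, but a comment stating that the port is stored as delivered by the kernel (presumably already in network byte order, mirroring sockaddr_to_nvlist()) would help the next reader. The enclosing dco_do_read() switch in the second inner hunk starts and ends outside the hunk.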
diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.h b/security/openvpn/files/patch-src_openvpn_dco__freebsd.h
new file mode 100644
index 000000000000..32dd08563f27
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_dco__freebsd.h
@@ -0,0 +1,18 @@
+--- src/openvpn/dco_freebsd.h.orig 2025-04-02 06:53:10 UTC
++++ src/openvpn/dco_freebsd.h
+@@ -36,6 +36,7 @@ enum ovpn_message_type_t {
+ OVPN_CMD_DEL_PEER,
+ OVPN_CMD_PACKET,
+ OVPN_CMD_SWAP_KEYS,
++ OVPN_CMD_FLOAT_PEER,
+ };
+
+ enum ovpn_del_reason_t {
+@@ -55,6 +56,7 @@ typedef struct dco_context {
+ int dco_message_type;
+ int dco_message_peer_id;
+ int dco_del_peer_reason;
++ struct sockaddr_storage dco_float_peer_ss;
+ uint64_t dco_read_bytes;
+ uint64_t dco_write_bytes;
+ } dco_context_t;
diff --git a/security/openvpn/files/patch-src_openvpn_forward.c b/security/openvpn/files/patch-src_openvpn_forward.c
new file mode 100644
index 000000000000..0734167f6636
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_forward.c
@@ -0,0 +1,44 @@
+--- src/openvpn/forward.c.orig 2025-04-02 06:53:10 UTC
++++ src/openvpn/forward.c
+@@ -1234,6 +1234,41 @@ process_incoming_link(struct context *c)
+ perf_pop();
+ }
+
++void
++extract_dco_float_peer_addr(const sa_family_t socket_family,
++ struct openvpn_sockaddr *out_osaddr,
++ const struct sockaddr *float_sa)
++{
++ if (float_sa->sa_family == AF_INET)
++ {
++ struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;
++ /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a
++ * dual-stack socket, we need to preserve the mapping otherwise openvpn
++ * will not be able to find the peer by its transport address.
++ */
++ if (socket_family == AF_INET6)
++ {
++ out_osaddr->addr.in6.sin6_family = AF_INET6;
++ out_osaddr->addr.in6.sin6_port = float4->sin_port;
++
++ memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
++ out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
++ out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
++ memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12],
++ &float4->sin_addr.s_addr, sizeof(in_addr_t));
++ }
++ else
++ {
++ memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in));
++ }
++ }
++ else
++ {
++ struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa;
++ memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6));
++ }
++}
++
+ static void
+ process_incoming_dco(struct context *c)
+ {
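Review bot: In the IPv4-mapped branch only `sin6_family`, `sin6_port` and `s6_addr` of `out_osaddr->addr.in6` are written, so `sin6_flowinfo`, `sin6_scope_id` and (on BSD) `sin6_len` keep whatever `from.dest` held before the call; a `memset(&out_osaddr->addr.in6, 0, sizeof(out_osaddr->addr.in6));` before the assignments would make the result fully defined. The casts `(struct sockaddr_in *)float_sa` and `(struct sockaddr_in6 *)float_sa` discard the parameter's `const`; `const struct sockaddr_in *float4` and `const struct sockaddr_in6 *float6` work with the same memcpy calls. The `else` branch treats every non-AF_INET family as AF_INET6 without checking; the FreeBSD caller only produces those two families, but since the function is exported through forward.h an `ASSERT(float_sa->sa_family == AF_INET6);` at the top of that branch would document the precondition.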
diff --git a/security/openvpn/files/patch-src_openvpn_forward.h b/security/openvpn/files/patch-src_openvpn_forward.h
new file mode 100644
index 000000000000..050343949c03
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_forward.h
@@ -0,0 +1,24 @@
+--- src/openvpn/forward.h.orig 2025-04-02 06:53:10 UTC
++++ src/openvpn/forward.h
+@@ -189,6 +189,21 @@ void process_incoming_link_part2(struct context *c, st
+ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf);
+
+ /**
++ * Transfers \c float_sa data extracted from an incoming DCO
++ * PEER_FLOAT_NTF to \c out_osaddr for later processing.
++ *
++ * @param socket_family - The address family of the socket
++ * @param out_osaddr - openvpn_sockaddr struct that will be filled the new
++ * address data
++ * @param float_sa - The sockaddr struct containing the data received from the
++ * DCO notification
++ */
++void
++extract_dco_float_peer_addr(sa_family_t socket_family,
++ struct openvpn_sockaddr *out_osaddr,
++ const struct sockaddr *float_sa);
++
++/**
+ * Write a packet to the external network interface.
+ * @ingroup external_multiplexer
+ *
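Review bot: The new doc comment does not state the precondition that `float_sa` must be AF_INET or AF_INET6 (the forward.c implementation handles AF_INET and treats any other family as IPv6), nor that `out_osaddr` is only partially written on the IPv4-mapped path (family, port and address). Extending the parameter line to `@param float_sa - The sockaddr struct (AF_INET or AF_INET6) containing the data received from the DCO notification` would make that visible to callers. The `@param out_osaddr` text also reads `will be filled the new address data`; it should read `will be filled with the new address data`.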
diff --git a/security/openvpn/files/patch-src_openvpn_multi.c b/security/openvpn/files/patch-src_openvpn_multi.c
new file mode 100644
index 000000000000..22995fb45caf
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_multi.c
@@ -0,0 +1,39 @@
+--- src/openvpn/multi.c.orig 2025-04-02 06:53:10 UTC
++++ src/openvpn/multi.c
+@@ -3169,6 +3169,18 @@ multi_process_float(struct multi_context *m, struct mu
+ goto done;
+ }
+
++ /* It doesn't make sense to let a peer float to the address it already
++ * has, so we disallow it. This can happen if a DCO netlink notification
++ * gets lost and we miss a floating step.
++ */
++ if (m1->peer_id == m2->peer_id)
++ {
++ msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to "
++ "its own address (%s)",
++ m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
++ mroute_addr_print(&mi->real, &gc));
++ goto done;
++ }
+ msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
+ multi_close_instance(m, ex_mi, false);
+ }
+@@ -3301,6 +3313,17 @@ multi_process_incoming_dco(struct multi_context *m)
+ {
+ process_incoming_del_peer(m, mi, dco);
+ }
++#if defined(TARGET_FREEBSD)
++ else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
++ {
++ ASSERT(mi->context.c2.link_socket);
++ extract_dco_float_peer_addr(mi->context.c2.link_socket->info.af,
++ &m->top.c2.from.dest,
++ (struct sockaddr *)&dco->dco_float_peer_ss);
++ multi_process_float(m, mi);
++ CLEAR(dco->dco_float_peer_ss);
++ }
++#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */
+ else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
+ {
+ tls_session_soft_reset(mi->context.c2.tls_multi);
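Review bot: The closing comment `#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */` does not match its opening `#if defined(TARGET_FREEBSD)` a few lines above; it should read `#endif /* if defined(TARGET_FREEBSD) */`, and the current text looks copied from another conditional block. The same-peer check in the first inner hunk sits inside an `if` block and uses `m1`/`m2`, all of which begin outside the hunk, so which instance is the floating one cannot be confirmed from here; a comment naming them (`/* m1: floating instance, m2: instance already at the target address */` or whichever is correct) would help. Both enclosing functions, multi_process_float() and multi_process_incoming_dco(), start and end outside their hunks.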
diff --git a/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h b/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h
new file mode 100644
index 000000000000..1d1ff16e5d8e
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h
@@ -0,0 +1,10 @@
+--- src/openvpn/ovpn_dco_freebsd.h.orig 2025-04-02 06:53:10 UTC
++++ src/openvpn/ovpn_dco_freebsd.h
+@@ -37,6 +37,7 @@ enum ovpn_notif_type {
+ enum ovpn_notif_type {
+ OVPN_NOTIF_DEL_PEER,
+ OVPN_NOTIF_ROTATE_KEY,
++ OVPN_NOTIF_FLOAT,
+ };
+
+ enum ovpn_del_reason {
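Review bot: `OVPN_NOTIF_FLOAT` is appended to `enum ovpn_notif_type`, which this header presumably mirrors from the kernel's ovpn(4) interface, yet nothing in the hunk records that the numbering has to stay in step with the kernel definition. A one-line comment on the enum such as `/* must match the kernel's enum ovpn_notif_type; append new values only */` would guard against a later insertion in the middle silently re-numbering existing notifications.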
diff --git a/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c b/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c
deleted file mode 100644
index 633bc0f0204d..000000000000
--- a/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c
+++ /dev/null
@@ -1,10 +0,0 @@
---- src/plugins/auth-pam/auth-pam.c.orig 2021-06-21 04:44:39 UTC
-+++ src/plugins/auth-pam/auth-pam.c
-@@ -39,6 +39,7 @@
- #include <stdio.h>
- #include <string.h>
- #include <ctype.h>
-+#include <limits.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <sys/types.h>