9 files changed, 238 insertions, 8 deletions

diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 7c44e64f7dba..44f30253b5b2 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=		openvpn
 DISTVERSION=		2.6.14
-PORTREVISION?=		1
+PORTREVISION?=		2
 CATEGORIES=		security net net-vpn
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/ \
diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.c b/security/openvpn/files/patch-src_openvpn_dco__freebsd.c
new file mode 100644
index 000000000000..22c24baa9ec3
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_dco__freebsd.c
@@ -0,0 +1,96 @@
+--- src/openvpn/dco_freebsd.c.orig	2025-04-02 06:53:10 UTC
++++ src/openvpn/dco_freebsd.c
+@@ -72,6 +72,67 @@ sockaddr_to_nvlist(const struct sockaddr *sa)
+     return (nvl);
+ }
+ 
++static bool
++nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss)
++{
++    if (!nvlist_exists_number(nvl, "af"))
++    {
++        return (false);
++    }
++    if (!nvlist_exists_binary(nvl, "address"))
++    {
++        return (false);
++    }
++    if (!nvlist_exists_number(nvl, "port"))
++    {
++        return (false);
++    }
++
++    ss->ss_family = nvlist_get_number(nvl, "af");
++
++    switch (ss->ss_family)
++    {
++        case AF_INET:
++        {
++            struct sockaddr_in *in = (struct sockaddr_in *)ss;
++            const void *data;
++            size_t len;
++
++            in->sin_len = sizeof(*in);
++            data = nvlist_get_binary(nvl, "address", &len);
++            if (len != sizeof(in->sin_addr))
++	    {
++		return (false);
++	    }
++            memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
++            in->sin_port = nvlist_get_number(nvl, "port");
++            break;
++        }
++
++        case AF_INET6:
++        {
++            struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
++            const void *data;
++            size_t len;
++
++            in6->sin6_len = sizeof(*in6);
++            data = nvlist_get_binary(nvl, "address", &len);
++            if (len != sizeof(in6->sin6_addr))
++	    {
++		return (false);
++	    }
++            memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
++            in6->sin6_port = nvlist_get_number(nvl, "port");
++            break;
++        }
++
++        default:
++            return (false);
++    }
++
++    return (true);
++}
++
+ int
+ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
+              struct sockaddr *localaddr, struct sockaddr *remoteaddr,
+@@ -570,6 +631,25 @@ dco_do_read(dco_context_t *dco)
+         case OVPN_NOTIF_ROTATE_KEY:
+             dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
+             break;
++
++        case OVPN_NOTIF_FLOAT: {
++            const nvlist_t *address;
++
++            if (!nvlist_exists_nvlist(nvl, "address"))
++            {
++                msg(M_WARN, "Float notification without address");
++                break;
++            }
++
++            address = nvlist_get_nvlist(nvl, "address");
++            if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss))
++            {
++                msg(M_WARN, "Failed to parse float notification");
++                break;
++            }
++            dco->dco_message_type = OVPN_CMD_FLOAT_PEER;
++            break;
++        }
+ 
+         default:
+             msg(M_WARN, "Unknown kernel notification %d", type);
diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.h b/security/openvpn/files/patch-src_openvpn_dco__freebsd.h
new file mode 100644
index 000000000000..32dd08563f27
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_dco__freebsd.h
@@ -0,0 +1,18 @@
+--- src/openvpn/dco_freebsd.h.orig	2025-04-02 06:53:10 UTC
++++ src/openvpn/dco_freebsd.h
+@@ -36,6 +36,7 @@ enum ovpn_message_type_t {
+     OVPN_CMD_DEL_PEER,
+     OVPN_CMD_PACKET,
+     OVPN_CMD_SWAP_KEYS,
++    OVPN_CMD_FLOAT_PEER,
+ };
+ 
+ enum ovpn_del_reason_t {
+@@ -55,6 +56,7 @@ typedef struct dco_context {
+     int dco_message_type;
+     int dco_message_peer_id;
+     int dco_del_peer_reason;
++    struct sockaddr_storage dco_float_peer_ss;
+     uint64_t dco_read_bytes;
+     uint64_t dco_write_bytes;
+ } dco_context_t;
diff --git a/security/openvpn/files/patch-src_openvpn_forward.c b/security/openvpn/files/patch-src_openvpn_forward.c
new file mode 100644
index 000000000000..0734167f6636
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_forward.c
@@ -0,0 +1,44 @@
+--- src/openvpn/forward.c.orig	2025-04-02 06:53:10 UTC
++++ src/openvpn/forward.c
+@@ -1234,6 +1234,41 @@ process_incoming_link(struct context *c)
+     perf_pop();
+ }
+ 
++void
++extract_dco_float_peer_addr(const sa_family_t socket_family,
++                            struct openvpn_sockaddr *out_osaddr,
++                            const struct sockaddr *float_sa)
++{
++    if (float_sa->sa_family == AF_INET)
++    {
++        struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;
++        /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a
++         * dual-stack socket, we need to preserve the mapping otherwise openvpn
++         * will not be able to find the peer by its transport address.
++         */
++        if (socket_family == AF_INET6)
++        {
++            out_osaddr->addr.in6.sin6_family = AF_INET6;
++            out_osaddr->addr.in6.sin6_port = float4->sin_port;
++
++            memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
++            out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
++            out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
++            memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12],
++                   &float4->sin_addr.s_addr, sizeof(in_addr_t));
++        }
++        else
++        {
++            memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in));
++        }
++    }
++    else
++    {
++        struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa;
++        memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6));
++    }
++}
++
+ static void
+ process_incoming_dco(struct context *c)
+ {
diff --git a/security/openvpn/files/patch-src_openvpn_forward.h b/security/openvpn/files/patch-src_openvpn_forward.h
new file mode 100644
index 000000000000..050343949c03
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_forward.h
@@ -0,0 +1,24 @@
+--- src/openvpn/forward.h.orig	2025-04-02 06:53:10 UTC
++++ src/openvpn/forward.h
+@@ -189,6 +189,21 @@ void process_incoming_link_part2(struct context *c, st
+ void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf);
+ 
+ /**
++ * Transfers \c float_sa data extracted from an incoming DCO
++ * PEER_FLOAT_NTF to \c out_osaddr for later processing.
++ *
++ * @param socket_family - The address family of the socket
++ * @param out_osaddr - openvpn_sockaddr struct that will be filled the new
++ *      address data
++ * @param float_sa - The sockaddr struct containing the data received from the
++ *      DCO notification
++ */
++void
++extract_dco_float_peer_addr(sa_family_t socket_family,
++                            struct openvpn_sockaddr *out_osaddr,
++                            const struct sockaddr *float_sa);
++
++/**
+  * Write a packet to the external network interface.
+  * @ingroup external_multiplexer
+  *
diff --git a/security/openvpn/files/patch-src_openvpn_multi.c b/security/openvpn/files/patch-src_openvpn_multi.c
new file mode 100644
index 000000000000..22995fb45caf
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_multi.c
@@ -0,0 +1,39 @@
+--- src/openvpn/multi.c.orig	2025-04-02 06:53:10 UTC
++++ src/openvpn/multi.c
+@@ -3169,6 +3169,18 @@ multi_process_float(struct multi_context *m, struct mu
+             goto done;
+         }
+ 
++        /* It doesn't make sense to let a peer float to the address it already
++         * has, so we disallow it. This can happen if a DCO netlink notification
++         * gets lost and we miss a floating step.
++         */
++        if (m1->peer_id == m2->peer_id)
++        {
++            msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to "
++                "its own address (%s)",
++                m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
++                mroute_addr_print(&mi->real, &gc));
++            goto done;
++        }
+         msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
+         multi_close_instance(m, ex_mi, false);
+     }
+@@ -3301,6 +3313,17 @@ multi_process_incoming_dco(struct multi_context *m)
+         {
+             process_incoming_del_peer(m, mi, dco);
+         }
++#if defined(TARGET_FREEBSD)
++        else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
++        {
++            ASSERT(mi->context.c2.link_socket);
++            extract_dco_float_peer_addr(mi->context.c2.link_socket->info.af,
++                                        &m->top.c2.from.dest,
++                                        (struct sockaddr *)&dco->dco_float_peer_ss);
++            multi_process_float(m, mi);
++            CLEAR(dco->dco_float_peer_ss);
++        }
++#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */
+         else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
+         {
+             tls_session_soft_reset(mi->context.c2.tls_multi);
diff --git a/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h b/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h
new file mode 100644
index 000000000000..1d1ff16e5d8e
--- /dev/null
+++ b/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h
@@ -0,0 +1,10 @@
+--- src/openvpn/ovpn_dco_freebsd.h.orig	2025-04-02 06:53:10 UTC
++++ src/openvpn/ovpn_dco_freebsd.h
+@@ -37,6 +37,7 @@ enum ovpn_notif_type {
+ enum ovpn_notif_type {
+     OVPN_NOTIF_DEL_PEER,
+     OVPN_NOTIF_ROTATE_KEY,
++    OVPN_NOTIF_FLOAT,
+ };
+ 
+ enum ovpn_del_reason {
diff --git a/security/vuls/Makefile b/security/vuls/Makefile
index 0a3bfc140f06..ebe25474a906 100644
--- a/security/vuls/Makefile
+++ b/security/vuls/Makefile
@@ -1,7 +1,6 @@
 PORTNAME=	vuls
 DISTVERSIONPREFIX=v
-DISTVERSION=	0.33.4
-PORTREVISION=	1
+DISTVERSION=	0.34.0
 CATEGORIES=	security
 
 MAINTAINER=	girgen@FreeBSD.org
diff --git a/security/vuls/distinfo b/security/vuls/distinfo
index 79f5d3b3f61b..07044799c86d 100644
--- a/security/vuls/distinfo
+++ b/security/vuls/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1756275976
-SHA256 (go/security_vuls/vuls-v0.33.4/v0.33.4.mod) = 58bcb90a4067f623c6c3bcb960b6aed4fcf08e6b94014667105f74b66f446da6
-SIZE (go/security_vuls/vuls-v0.33.4/v0.33.4.mod) = 20710
-SHA256 (go/security_vuls/vuls-v0.33.4/v0.33.4.zip) = 434e4e0b86a08cb257c2387d541277474903c5d96998638cb7a014fbc4a3a412
-SIZE (go/security_vuls/vuls-v0.33.4/v0.33.4.zip) = 1398525
+TIMESTAMP = 1757153514
+SHA256 (go/security_vuls/vuls-v0.34.0/v0.34.0.mod) = 0ac637cb17c79cc5ca34bbfcd75d05a6e4458ee66523050a2a15461cad6af2df
+SIZE (go/security_vuls/vuls-v0.34.0/v0.34.0.mod) = 20230
+SHA256 (go/security_vuls/vuls-v0.34.0/v0.34.0.zip) = 08062c74c713c8087c93bcd3f8031947bd0e159d6ab43f39ef0ac4c8e637aa56
+SIZE (go/security_vuls/vuls-v0.34.0/v0.34.0.zip) = 1400840