git: 8d2e9d99db3d - main - security/openvpn: fix regressions and some documentation bits
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 15 Nov 2023 21:22:19 UTC
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=8d2e9d99db3d6c0d1f988feaca0cdb7c0e7dca89
commit 8d2e9d99db3d6c0d1f988feaca0cdb7c0e7dca89
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-11-15 20:40:37 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-11-15 21:21:33 +0000
security/openvpn: fix regressions and some documentation bits
Add two patches cherry-picked from upstream Git repository:
OpenVPN 2.6.7 regressed and experienced crashes in some situations,
https://github.com/OpenVPN/openvpn/issues/449
Reported by: Vladimir Druzenko (vvd@)
Reported by: Patrick Cable (upstream)
Obtained from: https://github.com/openvpn/openvpn/commit/b90ec6dabfb151dd93ef00081bbc3f55e7d3450f
Also, some typos in the documentation are fixed,
Obtained from: https://github.com/OpenVPN/openvpn/commit/457f468a76f324a14b1236988cc5f5a95f14abf5
Bump PORTREVISION.
PR: 275055
MFH: 2023Q4
---
security/openvpn/Makefile | 2 +-
...ch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 | 89 ++++++++++++++++++++++
...ch-git-a903ebe9361d451daee71c225e141f4e1b67107d | 48 ++++++++++++
3 files changed, 138 insertions(+), 1 deletion(-)
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 2fd0f2dcf85f..18f50eac70b2 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,6 +1,6 @@
PORTNAME= openvpn
DISTVERSION= 2.6.7
-PORTREVISION?= 0
+PORTREVISION?= 1
CATEGORIES= security net net-vpn
MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
https://build.openvpn.net/downloads/releases/ \
diff --git a/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 b/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5
new file mode 100644
index 000000000000..9939c46f3d36
--- /dev/null
+++ b/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5
@@ -0,0 +1,89 @@
+From 457f468a76f324a14b1236988cc5f5a95f14abf5 Mon Sep 17 00:00:00 2001
+From: Aquila Macedo <aquilamacedo@riseup.net>
+Date: Thu, 19 Oct 2023 16:40:49 -0300
+Subject: [PATCH] doc: Correct typos in multiple documentation files
+
+Fixed typographical errors in various documentation files for improved clarity and readability.
+
+Signed-off-by: Aquila Macedo <aquilamacedo@riseup.net>
+Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
+Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314)
+---
+ doc/man-sections/client-options.rst | 4 ++--
+ doc/man-sections/generic-options.rst | 2 +-
+ doc/man-sections/server-options.rst | 2 +-
+ doc/man-sections/vpn-network-options.rst | 2 +-
+ src/openvpn/options.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
+index 3616ed7f3f8..54c4ec63073 100644
+--- ./doc/man-sections/client-options.rst
++++ b/doc/man-sections/client-options.rst
+@@ -51,9 +51,9 @@ configuration.
+ react according to ``--auth-retry``
+
+ --auth-token-user base64username
+- Companion option to ``--auth-token``. This options allows to override
++ Companion option to ``--auth-token``. This options allows one to override
+ the username used by the client when reauthenticating with the ``auth-token``.
+- It also allows to use ``--auth-token`` in setups that normally do not use
++ It also allows one to use ``--auth-token`` in setups that normally do not use
+ username and password.
+
+ The username has to be base64 encoded.
+diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
+index 97e1b5aa610..95e4ca233bd 100644
+--- ./doc/man-sections/generic-options.rst
++++ b/doc/man-sections/generic-options.rst
+@@ -483,7 +483,7 @@ which mode OpenVPN is configured as.
+
+ * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns
+ success/failure via :code:`auth_control_file` when using deferred auth
+- method and pending authentification via :code:`pending_auth_file`.
++ method and pending authentication via :code:`pending_auth_file`.
+
+ --use-prediction-resistance
+ Enable prediction resistance on mbed TLS's RNG.
+diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
+index 6b9ad21b816..e7a7b2dba43 100644
+--- ./doc/man-sections/server-options.rst
++++ b/doc/man-sections/server-options.rst
+@@ -739,7 +739,7 @@ fast hardware. SSL/TLS authentication must be used in this mode.
+
+ --vlan-pvid v
+ Specifies which VLAN identifier a "port" is associated with. Only valid
+- when ``--vlan-tagging`` is speficied.
++ when ``--vlan-tagging`` is specified.
+
+ In the client context, the setting specifies which VLAN ID a client is
+ associated with. In the global context, the VLAN ID of the server TAP
+diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
+index 3fa3ccf1073..41d367bfd0e 100644
+--- ./doc/man-sections/vpn-network-options.rst
++++ b/doc/man-sections/vpn-network-options.rst
+@@ -548,7 +548,7 @@ routing.
+ It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal
+ with MTU sizing issues.
+
+- Note: Depending on the platform, the operating system allows to receive
++ Note: Depending on the platform, the operating system allows one to receive
+ packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms
+ (like macOS) limit received packets to the same size as the MTU.
+
+diff --git a/src/openvpn/options.c b/src/openvpn/options.c
+index 631ac73db8f..895ce830f6a 100644
+--- ./src/openvpn/options.c
++++ b/src/openvpn/options.c
+@@ -598,7 +598,7 @@ static const char usage_message[] =
+ " Windows Certificate System Store.\n"
+ #endif
+ "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
+- "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
++ "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
+ " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
+ "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
+ " (default=legacy).\n"
diff --git a/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d b/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d
new file mode 100644
index 000000000000..4c347593ac7a
--- /dev/null
+++ b/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d
@@ -0,0 +1,48 @@
+From a903ebe9361d451daee71c225e141f4e1b67107d Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne@rfc2549.org>
+Date: Wed, 15 Nov 2023 11:33:31 +0100
+Subject: [PATCH] Do not check key_state buffers that are in S_UNDEF state
+
+When a key_state is in S_UNDEF the send_reliable is not initialised. So
+checking it might access invalid memory or null pointers.
+
+Github: fixes OpenVPN/openvpn#449
+
+Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
+[a@unstable.cc: add check for !send_reliable and message]
+Signed-off-by: Arne Schwabe <arne@rfc2549.org>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20231115103331.18050-1-gert@greenie.muc.de>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/ssl.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index cee4afe19f3..b4cd8f5a567 100644
+--- ./src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -3189,6 +3189,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
+ for (int i = 0; i < KS_SIZE; i++)
+ {
+ struct key_state *ks = &session->key[i];
++ if (ks->state == S_UNDEF)
++ {
++ continue;
++ }
++
++ /* we don't expect send_reliable to be NULL when state is
++ * not S_UNDEF, but people have reported crashes nonetheless,
++ * therefore we better catch this event, report and exit.
++ */
++ if (!ks->send_reliable)
++ {
++ msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL "
++ "while key state is %s. Exiting.",
++ i, state_name(ks->state));
++ }
++
+ for (int j = 0; j < ks->send_reliable->size; j++)
+ {
+ if (ks->send_reliable->array[i].buf.data == dataptr)