From nobody Wed Nov 15 21:56:15 2023 X-Original-To: dev-commits-ports-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SVxnX2Ztdz50n7V; Wed, 15 Nov 2023 21:56:16 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SVxnX14y8z3FMw; Wed, 15 Nov 2023 21:56:16 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1700085376; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gKk5z1UOlBnLnz4KcRa6PZfQBNO6Nb6TTTFFrHXrqdw=; b=plrunumrZ3ftSuzGxiAD8yc0+F187CocEXnBebX3w855rmYoRNXc43c0ESq5n7BGWb3eCu YSJCIDIt2lKhdR4Iq+BfDafbkWoadd2dJmI0xOxXe5kfTpNmHutlfmpccZ73FOg/DiuzEX ww7Tf95/Dhuvk0hWd9NhmEs/Khsj/mNDF2BLVzIf4pBcB/UUMJxGZ4gQvqq096t03uW0zd t2itC8eT2jAmF+YpacEtGkJQQVcqwYcmVgAIMREOiHVQ9GL3+Ct6DqlSi2XWBeOlblSndQ 3H3Y9nIIpI6q0kxiBPilegonLjeZ1hxsfzaNgTvP6KmJdakYEOavYt6R2eWopw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1700085376; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=gKk5z1UOlBnLnz4KcRa6PZfQBNO6Nb6TTTFFrHXrqdw=; b=uSAC+caQ8HxQD4lAcslEi3nG0xBNuYW2AaZyzJxY8VmpIcRhffVJ03kK6oLAGil7GGxeJc dCnMBLdKVTawNysMSpQ26lWp9akAnAcia6SK2htL2A2TYC3LOsrNzup7dbgOI2teYATy4i KAxyrl/G+vnqkAq7Ucd3Gqw/UhdGL2MySu2cFZnGbHcqpZlMnabJ5HfX6kVhDRjc4HHeRW 1eqpggSCIBiQRAtuGnq/ECtXKw+2ur/I2UgO1Fn/JKkRKR7RwRbSPN4fCQBXV7hNCoB0un gHAr38IGlplRjJM4r+L2um63F0E39SD8hfqL967gxOxuCEQsEp9z0iRYkmlf7g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1700085376; a=rsa-sha256; cv=none; b=D07Mwq5ipsPc3F4vV7X5Ac7Zsi17l8m/wSMyfauFLtZ7f7V0jOlyvDIZSoP/l3MS8XAA36 lk/1Ruo9LnD3e2Yk2QurZex8SQsWrzTjb9QPU+nAXfbQ7O/pATvzAYIngfm6XXsgn/oX5S LpVqz6SA3ikL7hN14cmogn2iAMB4HmVXI0L6SI2kHbegcTg9TYnKpsn6tJ0hofBZg2IA0e jCh2wJhGeo+TeWtJJLtRw8NgvkclsekYCR8i+L7W3nXZi6Hls4wEWKsZT3eU9bMsn26vVg OJ4CNwbeVQsQU/gDB1rrtFPiJfqgAOsLciWfCbFROK1WU5eF/enJ1vtbX81i7Q== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4SVxnW6pRyzZFf; Wed, 15 Nov 2023 21:56:15 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 3AFLuF57046167; Wed, 15 Nov 2023 21:56:15 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 3AFLuFBH046164; Wed, 15 Nov 2023 21:56:15 GMT (envelope-from git) Date: Wed, 15 Nov 2023 21:56:15 GMT Message-Id: <202311152156.3AFLuFBH046164@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org From: Matthias Andree Subject: git: e1e9a05be79d - 2023Q4 - security/openvpn: fix regressions and some documentation bits List-Id: Commits to the quarterly branches of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-branches@freebsd.org X-BeenThere: dev-commits-ports-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: mandree X-Git-Repository: ports X-Git-Refname: refs/heads/2023Q4 X-Git-Reftype: branch X-Git-Commit: e1e9a05be79d47884cdfd6f831b4f591a1bf7ea7 Auto-Submitted: auto-generated The branch 2023Q4 has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=e1e9a05be79d47884cdfd6f831b4f591a1bf7ea7 commit e1e9a05be79d47884cdfd6f831b4f591a1bf7ea7 Author: Matthias Andree AuthorDate: 2023-11-15 20:40:37 +0000 Commit: Matthias Andree CommitDate: 2023-11-15 21:50:34 +0000 security/openvpn: fix regressions and some documentation bits Add two patches cherry-picked from upstream Git repository: OpenVPN 2.6.7 regressed and experienced crashes in some situations, https://github.com/OpenVPN/openvpn/issues/449 Reported by: Vladimir Druzenko (vvd@) Reported by: Patrick Cable (upstream) Obtained from: https://github.com/openvpn/openvpn/commit/b90ec6dabfb151dd93ef00081bbc3f55e7d3450f Also, some typos in the documentation are fixed, Obtained from: https://github.com/OpenVPN/openvpn/commit/457f468a76f324a14b1236988cc5f5a95f14abf5 Bump PORTREVISION. PR: 275055 MFH: 2023Q4 (cherry picked from commit 8d2e9d99db3d6c0d1f988feaca0cdb7c0e7dca89) --- security/openvpn/Makefile | 2 +- ...ch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 | 89 ++++++++++++++++++++++ ...ch-git-a903ebe9361d451daee71c225e141f4e1b67107d | 48 ++++++++++++ 3 files changed, 138 insertions(+), 1 deletion(-) diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 2fd0f2dcf85f..18f50eac70b2 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -1,6 +1,6 @@ PORTNAME= openvpn DISTVERSION= 2.6.7 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ diff --git a/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 b/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 new file mode 100644 index 000000000000..9939c46f3d36 --- /dev/null +++ b/security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 @@ -0,0 +1,89 @@ +From 457f468a76f324a14b1236988cc5f5a95f14abf5 Mon Sep 17 00:00:00 2001 +From: Aquila Macedo +Date: Thu, 19 Oct 2023 16:40:49 -0300 +Subject: [PATCH] doc: Correct typos in multiple documentation files + +Fixed typographical errors in various documentation files for improved clarity and readability. + +Signed-off-by: Aquila Macedo +Acked-by: Frank Lichtenheld +Message-Id: <4a3a9f1d691704f25f07653bb0de2583@riseup.net> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27320.html +Signed-off-by: Gert Doering +(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314) +--- + doc/man-sections/client-options.rst | 4 ++-- + doc/man-sections/generic-options.rst | 2 +- + doc/man-sections/server-options.rst | 2 +- + doc/man-sections/vpn-network-options.rst | 2 +- + src/openvpn/options.c | 2 +- + 5 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst +index 3616ed7f3f8..54c4ec63073 100644 +--- ./doc/man-sections/client-options.rst ++++ b/doc/man-sections/client-options.rst +@@ -51,9 +51,9 @@ configuration. + react according to ``--auth-retry`` + + --auth-token-user base64username +- Companion option to ``--auth-token``. This options allows to override ++ Companion option to ``--auth-token``. This options allows one to override + the username used by the client when reauthenticating with the ``auth-token``. +- It also allows to use ``--auth-token`` in setups that normally do not use ++ It also allows one to use ``--auth-token`` in setups that normally do not use + username and password. + + The username has to be base64 encoded. +diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst +index 97e1b5aa610..95e4ca233bd 100644 +--- ./doc/man-sections/generic-options.rst ++++ b/doc/man-sections/generic-options.rst +@@ -483,7 +483,7 @@ which mode OpenVPN is configured as. + + * :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns + success/failure via :code:`auth_control_file` when using deferred auth +- method and pending authentification via :code:`pending_auth_file`. ++ method and pending authentication via :code:`pending_auth_file`. + + --use-prediction-resistance + Enable prediction resistance on mbed TLS's RNG. +diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst +index 6b9ad21b816..e7a7b2dba43 100644 +--- ./doc/man-sections/server-options.rst ++++ b/doc/man-sections/server-options.rst +@@ -739,7 +739,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. + + --vlan-pvid v + Specifies which VLAN identifier a "port" is associated with. Only valid +- when ``--vlan-tagging`` is speficied. ++ when ``--vlan-tagging`` is specified. + + In the client context, the setting specifies which VLAN ID a client is + associated with. In the global context, the VLAN ID of the server TAP +diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst +index 3fa3ccf1073..41d367bfd0e 100644 +--- ./doc/man-sections/vpn-network-options.rst ++++ b/doc/man-sections/vpn-network-options.rst +@@ -548,7 +548,7 @@ routing. + It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal + with MTU sizing issues. + +- Note: Depending on the platform, the operating system allows to receive ++ Note: Depending on the platform, the operating system allows one to receive + packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms + (like macOS) limit received packets to the same size as the MTU. + +diff --git a/src/openvpn/options.c b/src/openvpn/options.c +index 631ac73db8f..895ce830f6a 100644 +--- ./src/openvpn/options.c ++++ b/src/openvpn/options.c +@@ -598,7 +598,7 @@ static const char usage_message[] = + " Windows Certificate System Store.\n" + #endif + "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n" +- "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n" ++ "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n" + " : Use --show-tls to see a list of supported TLS ciphers (suites).\n" + "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n" + " (default=legacy).\n" diff --git a/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d b/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d new file mode 100644 index 000000000000..4c347593ac7a --- /dev/null +++ b/security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d @@ -0,0 +1,48 @@ +From a903ebe9361d451daee71c225e141f4e1b67107d Mon Sep 17 00:00:00 2001 +From: Arne Schwabe +Date: Wed, 15 Nov 2023 11:33:31 +0100 +Subject: [PATCH] Do not check key_state buffers that are in S_UNDEF state + +When a key_state is in S_UNDEF the send_reliable is not initialised. So +checking it might access invalid memory or null pointers. + +Github: fixes OpenVPN/openvpn#449 + +Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac +[a@unstable.cc: add check for !send_reliable and message] +Signed-off-by: Arne Schwabe +Acked-by: Gert Doering +Message-Id: <20231115103331.18050-1-gert@greenie.muc.de> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27401.html +Signed-off-by: Gert Doering +--- + src/openvpn/ssl.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c +index cee4afe19f3..b4cd8f5a567 100644 +--- ./src/openvpn/ssl.c ++++ b/src/openvpn/ssl.c +@@ -3189,6 +3189,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) + for (int i = 0; i < KS_SIZE; i++) + { + struct key_state *ks = &session->key[i]; ++ if (ks->state == S_UNDEF) ++ { ++ continue; ++ } ++ ++ /* we don't expect send_reliable to be NULL when state is ++ * not S_UNDEF, but people have reported crashes nonetheless, ++ * therefore we better catch this event, report and exit. ++ */ ++ if (!ks->send_reliable) ++ { ++ msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL " ++ "while key state is %s. Exiting.", ++ i, state_name(ks->state)); ++ } ++ + for (int j = 0; j < ks->send_reliable->size; j++) + { + if (ks->send_reliable->array[i].buf.data == dataptr)