Index: branches/2020Q2/security/openvpn/Makefile
===================================================================
--- branches/2020Q2/security/openvpn/Makefile (revision 531962)
+++ branches/2020Q2/security/openvpn/Makefile (revision 531963)
@@ -1,153 +1,151 @@ # Created by: Matthias Andree # $FreeBSD$ PORTNAME= openvpn -DISTVERSION= 2.4.8 -# FIXME XXX check if 2.4.9 still needs ASYNC_PUSH_LIBS, see -# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244286#c6 and #c7 -PORTREVISION?= 3 +DISTVERSION= 2.4.9 +PORTREVISION?= 0 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ - https://build.openvpn.net/downloads/releases/ + https://build.openvpn.net/downloads/releases/ \ + LOCAL/mandree MAINTAINER= mandree@FreeBSD.org COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL USES= cpe libtool pkgconfig shebangfix tar:xz CONFLICTS_INSTALL?= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]* GNU_CONFIGURE= yes SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl CONFIGURE_ARGS+= --enable-strict # avoid picking up CMAKE, we don't have cmocka in the tarballs. CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE= # let OpenVPN's configure script pick up the requisite libraries, # but do not break the plugin build if an older version is installed CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib -Wl,--as-needed # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ TEST LZ4 LZO SMALL TUNNELBLICK ASYNC_PUSH OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4 LZO OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS ASYNC_PUSH_DESC= Enable async-push support PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only) EASYRSA_DESC= Install security/easy-rsa RSA helper package MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) 
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) SMALL_DESC= Build a smaller executable with fewer features ASYNC_PUSH_CONFIGURE_ENABLE= async-push ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify -ASYNC_PUSH_LIBS= -linotify EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 PKCS11_PREVENTS= MBEDTLS PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username X509ALTUSERNAME_PREVENTS= MBEDTLS X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead OPENSSL_USES= ssl OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls LZO_CONFIGURE_ENABLE= lzo LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 LZ4_CONFIGURE_ENABLE= lz4 LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 SMALL_CONFIGURE_ENABLE= small USE_RC_SUBR= openvpn SUB_FILES= pkg-message openvpn-client .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif PORTDOCS= * PORTEXAMPLES= * TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check .include .if ${PORT_OPTIONS:MMBEDTLS} _tlslibs=libmbedtls libmbedx509 libmbedcrypto .else # OpenSSL _tlslibs=libssl libcrypto .endif .if ! ${PORT_OPTIONS:MLZ4} && ! 
${PORT_OPTIONS:MLZO} CONFIGURE_ARGS+= --enable-comp-stub .endif pre-configure: .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile # sanity check that we don't inherit incompatible SSL libs through, # for instance, pkcs11-helper: post-build: @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS ${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* .include Index: branches/2020Q2/security/openvpn/distinfo 
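Review bot: Dropping `ASYNC_PUSH_LIBS= -linotify` in this hunk also drops the FIXME that asked to confirm whether 2.4.9 still needs it, but the new side records nothing about how that question was settled, so the next version bump has no trail to follow. If 2.4.9's configure now links libinotify on its own, a one-line comment next to `ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify`, such as `# 2.4.9 configure links libinotify itself; ASYNC_PUSH_LIBS no longer needed (see PR 244286)`, would preserve that for whoever touches the ASYNC_PUSH option next. The post-build sanity check on `${_tlslibs}` and the rest of the recipes are unchanged context in this hunk.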
===================================================================
--- branches/2020Q2/security/openvpn/distinfo (revision 531962)
+++ branches/2020Q2/security/openvpn/distinfo (revision 531963)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1572606331
-SHA256 (openvpn-2.4.8.tar.xz) = fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91
-SIZE (openvpn-2.4.8.tar.xz) = 952444
+TIMESTAMP = 1587146198
+SHA256 (openvpn-2.4.9.tar.xz) = 641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
+SIZE (openvpn-2.4.9.tar.xz) = 954264
Index: branches/2020Q2/security/openvpn/files/patch-CVE-2020-11810
===================================================================
--- branches/2020Q2/security/openvpn/files/patch-CVE-2020-11810 (revision 531962)
+++ branches/2020Q2/security/openvpn/files/patch-CVE-2020-11810 (nonexistent)
@@ -1,64 +0,0 @@ -commit f7b318f811bb43c0d3aa7f337ec6242ed2c33881 -Author: Lev Stipakov -Date: Wed Apr 15 10:30:17 2020 +0300 - - Fix illegal client float (CVE-2020-11810) - - There is a time frame between allocating peer-id and initializing data - channel key (which is performed on receiving push request or on async - push-reply) in which the existing peer-id float checks do not work right. - - If a "rogue" data channel packet arrives during that time frame from - another address and with same peer-id, this would cause client to float - to that new address. This is because: - - - tls_pre_decrypt() sets packet length to zero if - data channel key has not been initialized, which leads to - - - openvpn_decrypt() returns true if packet length is zero, - which leads to - - - process_incoming_link_part1() returns true, which - calls multi_process_float(), which commits float - - Note that problem doesn't happen when data channel key is initialized, - since in this case openvpn_decrypt() returns false. - - The net effect of this behaviour is that the VPN session for the - "victim client" is broken. Since the "attacker client" does not have - suitable keys, it can not inject or steal VPN traffic from the other - session. The time window is small and it can not be used to attack - a specific client's session, unless some other way is found to make it - disconnect and reconnect first. - - CVE-2020-11810 has been assigned to acknowledge this risk. - - Fix illegal float by adding buffer length check ("is this packet still - considered valid") before calling multi_process_float(). - - Trac: #1272 - CVE: 2020-11810 - - Signed-off-by: Lev Stipakov - Acked-by: Arne Schwabe - Acked-by: Antonio Quartulli - Acked-by: Gert Doering - Message-Id: <20200415073017.22839-1-lstipakov@gmail.com> - URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html - 
Signed-off-by: Gert Doering - (cherry picked from commit 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab) - -diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c -index 58607730..c8c9a40e 100644 ---- ./src/openvpn/multi.c~ -+++ ./src/openvpn/multi.c -@@ -2562,7 +2562,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst - orig_buf = c->c2.buf.data; - if (process_incoming_link_part1(c, lsi, floated)) - { -- if (floated) -+ /* nonzero length means that we have a valid, decrypted packed */ -+ if (floated && c->c2.buf.len > 0) - { - multi_process_float(m, m->pending); - } Property changes on: branches/2020Q2/security/openvpn/files/patch-CVE-2020-11810 ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: branches/2020Q2/security/openvpn/files/patch-g3bd91cd-Fix-broken-fragmentation-logic-when-using-NCP =================================================================== --- branches/2020Q2/security/openvpn/files/patch-g3bd91cd-Fix-broken-fragmentation-logic-when-using-NCP (revision 531962) +++ branches/2020Q2/security/openvpn/files/patch-g3bd91cd-Fix-broken-fragmentation-logic-when-using-NCP (nonexistent) 
@@ -1,195 +0,0 @@ -From 3bd91cd0e68762b861c57cf37f144d8a11704e9d Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Wed, 30 Oct 2019 14:44:59 +0200 -Subject: [PATCH] Fix broken fragmentation logic when using NCP - -This is the 2.4 backport of master patch (commit d22ba6b). - -NCP negotiation replaces worst case crypto overhead -with actual one in data channel frame. That frame -params are used by mssfix. Fragment frame still contains -worst case overhead. - -Without this patch, fragmentation logic incorrectly uses -max crypto overhead when calculating packet size. It exceeds -fragment size and openvpn peforms fragmentation: - -> sudo tcpdump port 1194 -13:59:06.956394 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP, -length 652 -13:59:06.956489 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP, -length 648 - -This patch fixes fragmentation calculation by -setting actual crypto overhead, and no unnecessary -fragmentation is performed: - -> sudo tcpdump port 1194 -13:58:08.685915 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP, -length 1272 -13:58:08.686007 IP server.fi.openvpn > nat2.panoulu.net.openvpn: UDP, -length 1272 - -Trac #1140 - -Signed-off-by: Lev Stipakov -Acked-by: Gert Doering -Message-Id: <1572439499-16276-1-git-send-email-lstipakov@gmail.com> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18975.html -Signed-off-by: Gert Doering ---- - src/openvpn/forward.c | 3 +++ - src/openvpn/init.c | 12 +++++++++++- - src/openvpn/openvpn.h | 1 + - src/openvpn/push.c | 9 ++++++++- - src/openvpn/ssl.c | 19 ++++++++++++++++++- - src/openvpn/ssl.h | 13 ++++++++----- - 6 files changed, 49 insertions(+), 8 deletions(-) - -diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c -index 65f790fda..84bb58447 100644 ---- ./src/openvpn/forward.c -+++ b/src/openvpn/forward.c -@@ -873,6 +873,9 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo - if (is_hard_reset(opcode, c->options.key_method)) - { - 
c->c2.frame = c->c2.frame_initial; -+#ifdef ENABLE_FRAGMENT -+ c->c2.frame_fragment = c->c2.frame_fragment_initial; -+#endif - } - - interval_action(&c->c2.tmp_int); -diff --git a/src/openvpn/init.c b/src/openvpn/init.c -index d3785cabd..37b832ab0 100644 ---- ./src/openvpn/init.c -+++ b/src/openvpn/init.c -@@ -2294,9 +2294,18 @@ do_deferred_options(struct context *c, const unsigned int found) - { - tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername); - } -+ struct frame *frame_fragment = NULL; -+#ifdef ENABLE_FRAGMENT -+ if (c->options.ce.fragment) -+ { -+ frame_fragment = &c->c2.frame_fragment; -+ } -+#endif -+ - /* Do not regenerate keys if server sends an extra push reply */ - if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized -- && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame)) -+ && !tls_session_update_crypto_params(session, &c->options, &c->c2.frame, -+ frame_fragment)) - { - msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); - return false; -@@ -3035,6 +3044,7 @@ do_init_frame(struct context *c) - */ - c->c2.frame_fragment = c->c2.frame; - frame_subtract_extra(&c->c2.frame_fragment, &c->c2.frame_fragment_omit); -+ c->c2.frame_fragment_initial = c->c2.frame_fragment; - #endif - - #if defined(ENABLE_FRAGMENT) && defined(ENABLE_OCC) -diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h -index 77361833d..ed7975c35 100644 ---- ./src/openvpn/openvpn.h -+++ b/src/openvpn/openvpn.h -@@ -269,6 +269,7 @@ struct context_2 - /* Object to handle advanced MTU negotiation and datagram fragmentation */ - struct fragment_master *fragment; - struct frame frame_fragment; -+ struct frame frame_fragment_initial; - struct frame frame_fragment_omit; - #endif - -diff --git a/src/openvpn/push.c b/src/openvpn/push.c -index dd5bd4163..ba2fbe404 100644 ---- ./src/openvpn/push.c -+++ b/src/openvpn/push.c -@@ -287,11 +287,18 @@ incoming_push_message(struct context *c, const struct buffer *buffer) - { - if 
(c->options.mode == MODE_SERVER) - { -+ struct frame *frame_fragment = NULL; -+#ifdef ENABLE_FRAGMENT -+ if (c->options.ce.fragment) -+ { -+ frame_fragment = &c->c2.frame_fragment; -+ } -+#endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - /* Do not regenerate keys if client send a second push request */ - if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized - && !tls_session_update_crypto_params(session, &c->options, -- &c->c2.frame)) -+ &c->c2.frame, frame_fragment)) - { - msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); - goto error; -diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c -index 9696e9bab..7dcd9622f 100644 ---- ./src/openvpn/ssl.c -+++ b/src/openvpn/ssl.c -@@ -1962,7 +1962,8 @@ tls_session_generate_data_channel_keys(struct tls_session *session) - - bool - tls_session_update_crypto_params(struct tls_session *session, -- struct options *options, struct frame *frame) -+ struct options *options, struct frame *frame, -+ struct frame *frame_fragment) - { - if (!session->opt->server - && 0 != strcmp(options->ciphername, session->opt->config_ciphername) -@@ -2006,6 +2007,22 @@ tls_session_update_crypto_params(struct tls_session *session, - frame_init_mssfix(frame, options); - frame_print(frame, D_MTU_INFO, "Data Channel MTU parms"); - -+ /* -+ * mssfix uses data channel framing, which at this point contains -+ * actual overhead. Fragmentation logic uses frame_fragment, which -+ * still contains worst case overhead. Replace it with actual overhead -+ * to prevent unneeded fragmentation. 
-+ */ -+ -+ if (frame_fragment) -+ { -+ frame_remove_from_extra_frame(frame_fragment, crypto_max_overhead()); -+ crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type, -+ options->use_iv, options->replay, packet_id_long_form); -+ frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND); -+ frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms"); -+ } -+ - return tls_session_generate_data_channel_keys(session); - } - -diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h -index 8066789b6..6672d43fb 100644 ---- ./src/openvpn/ssl.h -+++ b/src/openvpn/ssl.h -@@ -475,15 +475,18 @@ void tls_update_remote_addr(struct tls_multi *multi, - * Update TLS session crypto parameters (cipher and auth) and derive data - * channel keys based on the supplied options. - * -- * @param session The TLS session to update. -- * @param options The options to use when updating session. -- * @param frame The frame options for this session (frame overhead is -- * adjusted based on the selected cipher/auth). -+ * @param session The TLS session to update. -+ * @param options The options to use when updating session. -+ * @param frame The frame options for this session (frame overhead is -+ * adjusted based on the selected cipher/auth). -+ * @param frame_fragment The fragment frame options. - * - * @return true if updating succeeded, false otherwise. - */ - bool tls_session_update_crypto_params(struct tls_session *session, -- struct options *options, struct frame *frame); -+ struct options *options, -+ struct frame *frame, -+ struct frame *frame_fragment); - - /** - * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. 
Property changes on: branches/2020Q2/security/openvpn/files/patch-g3bd91cd-Fix-broken-fragmentation-logic-when-using-NCP ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: branches/2020Q2 =================================================================== --- branches/2020Q2 (revision 531962) +++ branches/2020Q2 (revision 531963) Property changes on: branches/2020Q2 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r531957