Index: branches/2020Q2/security/openvpn/Makefile
===================================================================
--- branches/2020Q2/security/openvpn/Makefile (revision 537129)
+++ branches/2020Q2/security/openvpn/Makefile (revision 537130)
@@ -1,151 +1,151 @@ # Created by: Matthias Andree # $FreeBSD$ PORTNAME= openvpn DISTVERSION= 2.4.9 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ LOCAL/mandree MAINTAINER= mandree@FreeBSD.org COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL USES= cpe libtool pkgconfig shebangfix tar:xz CONFLICTS_INSTALL?= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]* GNU_CONFIGURE= yes SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl CONFIGURE_ARGS+= --enable-strict # avoid picking up CMAKE, we don't have cmocka in the tarballs. CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE= # let OpenVPN's configure script pick up the requisite libraries, # but do not break the plugin build if an older version is installed CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib -Wl,--as-needed # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ TEST LZ4 LZO SMALL TUNNELBLICK ASYNC_PUSH OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4 LZO OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS ASYNC_PUSH_DESC= Enable async-push support PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only) EASYRSA_DESC= Install security/easy-rsa RSA helper package MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3) TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) 
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) SMALL_DESC= Build a smaller executable with fewer features ASYNC_PUSH_CONFIGURE_ENABLE= async-push ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 PKCS11_PREVENTS= MBEDTLS PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username X509ALTUSERNAME_PREVENTS= MBEDTLS X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead OPENSSL_USES= ssl OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls LZO_CONFIGURE_ENABLE= lzo LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 LZ4_CONFIGURE_ENABLE= lz4 LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 SMALL_CONFIGURE_ENABLE= small USE_RC_SUBR= openvpn SUB_FILES= pkg-message openvpn-client .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif PORTDOCS= * PORTEXAMPLES= * TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check .include .if ${PORT_OPTIONS:MMBEDTLS} _tlslibs=libmbedtls libmbedx509 libmbedcrypto .else # OpenSSL _tlslibs=libssl libcrypto .endif .if ! ${PORT_OPTIONS:MLZ4} && ! 
${PORT_OPTIONS:MLZO} CONFIGURE_ARGS+= --enable-comp-stub .endif pre-configure: .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile # sanity check that we don't inherit incompatible SSL libs through, # for instance, pkcs11-helper: post-build: @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS ${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* .include Index: 
branches/2020Q2/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992
===================================================================
--- branches/2020Q2/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 (nonexistent)
+++ branches/2020Q2/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 (revision 537130)
@@ -0,0 +1,136 @@ +From 098edbb1f5a2e1360fd6a4ae0642b63bec12e992 Mon Sep 17 00:00:00 2001 +From: Jeremy Evans +Date: Wed, 20 May 2020 11:34:04 -0700 +Subject: [PATCH] Switch assertion failure to returning false + +This assertion failure can be hit in production, which causes the +openvpn server process to stop and all clients to be disconnected. +Bug #1270 has been filed for this issue on Trac by another user +who has experienced the issue, and this patch attempts to address it. + +Tracing callers, it appears that some callers check ks->authenticated +before calling, but others do not. It may be possible to add the check +for the callers that do not check, but this seems to be a simpler +solution. + +To give some background, we hit this assertion failure, with the +following log output: + +``` +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 PUSH: Received +control message: 'PUSH_REQUEST' +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 SENT CONTROL +[username]: 'PUSH_REPLY,redirect-gateway +def1,comp-lzo,persist-key,persist-tun,route-gateway 10.28.47.1,topology +subnet,ping 10,ping-restart 120,ifconfig 10.28.47.38 255.255.255.0,peer-id +89' (status=1) +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at +/path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated) +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Exiting due to fatal +error +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Closing TUN/TAP +interface +``` + +using the following OpenVPN server configuration: + +``` +port 1194 +proto udp +dev-type tun +ca ca.crt +cert server.crt +key server.key +dh dh.pem +topology subnet +push "redirect-gateway def1" +push "comp-lzo" +push "persist-key" +push "persist-tun" +keepalive 10 120 +comp-lzo +user nobody +group nobody +persist-key +persist-tun +cd /home/openvpn/server +chroot /var/empty +daemon +verb 3 +crl-verify crl.pem +tls-auth ta.key 0 +cipher AES-256-CBC +tls-version-min 1.2 +tls-cipher 
ECDHE-RSA-AES256-GCM-SHA384 +ncp-disable +mute-replay-warnings +script-security 3 +auth-user-pass-verify "ldap-auth/ldap-auth" via-env +auth-user-pass-optional +``` + +and the following command line options: + +``` +--config openvpn.conf --dev tun1 --local 206.131.72.52 \ +--log-append openvpn.log --status openvpn-status.log \ +--server 10.28.47.0 255.255.255.0 +``` + +The failed assertion is inside the function +`tls_session_generate_data_channel_keys`, which is called 3 other places +in `ssl.c.`: + +* `key_method_2_write`: checks for `ks->authenticated` before calling + +* `key_method_2_read`: appears to run in client mode but not in server + mode + +* `tls_session_update_crypto_params`: runs in server mode and does not + check before calling + +That leads me to believe the problem caller is +`tls_session_update_crypto_params`. There.s three callers of +`tls_session_update_crypto_params`:. + +* `incoming_push_message` (`push.c`): Probably this caller, since the + server pushes configuration to clients, and the log shows the + assertion failure right after the push reply. + +* `multi_process_file_closed` (`multi.c`): Not this caller. NCP is + disabled in config, and async push was not enabled when compiling. + +* `do_deferred_options` (`init.c`): Not this caller. The server + configuration doesn't pull. + +Changing the assertion to returning false appears to be the simplest +fix. Another approach would be changing callers to check +`ks->authenticated` before calling, either +`tls_session_update_crypto_params` or `incoming_push_message`. 
+ +Signed-off-by: Jeremy Evans +Acked-by: Steffan Karger +Message-Id: <20200520183404.54822-1-code@jeremyevans.net> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19914.html +Signed-off-by: Gert Doering +(cherry picked from commit 984bd1e1601e4b9562dbc88b02a8db60b884286f) +--- + src/openvpn/ssl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c +index cf6689982..215147f37 100644 +--- ./src/openvpn/ssl.c ++++ ./src/openvpn/ssl.c +@@ -1941,7 +1941,10 @@ tls_session_generate_data_channel_keys(struct tls_session *session) + const struct session_id *server_sid = !session->opt->server ? + &ks->session_id_remote : &session->session_id; + +- ASSERT(ks->authenticated); ++ if (!ks->authenticated) { ++ msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated"); ++ goto cleanup; ++ } + + ks->crypto_options.flags = session->opt->crypto_flags; + if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi, Property changes on: branches/2020Q2/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q2/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 =================================================================== --- branches/2020Q2/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 (nonexistent) +++ branches/2020Q2/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 (revision 537130) 
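Review bot: The early exit added at `if (!ks->authenticated)` only does what the subject line promises ("returning false") if the `cleanup:` label it jumps to returns false, and that label, together with every caller that has to act on a false return, is outside this hunk; the commit message itself says `tls_session_update_crypto_params` never checks `ks->authenticated`, so it is worth confirming that the path through `incoming_push_message` treats a false return as "drop this push, keep the session" rather than continuing with data-channel keys that were never expanded. Judging from the log excerpt in the message, the pre-patch behaviour appears to let a single client session (here with `auth-user-pass-optional` configured) take down the whole server process and disconnect every other client, i.e. a denial of service triggerable by a peer that has not finished authenticating, so the port's commit message or pkg-message could say so explicitly to help operators prioritise the rebuild. A one-line comment above the new check would also help the next reader: `/* Can be reached via a PUSH_REQUEST before the key_state is authenticated (Trac #1270); fail softly instead of asserting. */`. `tls_session_generate_data_channel_keys` starts and ends outside the hunk.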
@@ -0,0 +1,61 @@ +From 38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 Mon Sep 17 00:00:00 2001 +From: Selva Nair +Date: Thu, 20 Feb 2020 22:00:28 -0500 +Subject: [PATCH] Persist management-query-remote and proxy prompts + +Currently this prompt is only output once, not re-written to the +management interface when the management client connects. It is thus +not seen by a client that connects after the prompt is output or one that +disconnects and reconnects. This leads to a deadlock: the daemon waiting +for the "remote" command from the client, the latter not aware of it. + +Resolve by adding the ">REMOTE" and ">PROXY" prompt to +man.persist.special_state_msg as done for other persisted prompts such +as ">PASSWORD" + +Signed-off-by: Selva Nair +Acked-by: Gert Doering +Message-Id: <1582254028-7763-1-git-send-email-selva.nair@gmail.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19497.html +Signed-off-by: Gert Doering +(cherry picked from commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad) +--- + src/openvpn/init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/openvpn/init.c b/src/openvpn/init.c +index 8bac74f97..e153682ed 100644 +--- ./src/openvpn/init.c ++++ ./src/openvpn/init.c +@@ -269,6 +269,7 @@ ce_management_query_proxy(struct context *c) + buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, + (proto_is_udp(ce->proto) ? 
"UDP" : "TCP"), np(ce->remote)); + management_notify_generic(management, BSTR(&out)); ++ management->persist.special_state_msg = BSTR(&out); + } + ce->flags |= CE_MAN_QUERY_PROXY; + while (ce->flags & CE_MAN_QUERY_PROXY) +@@ -280,6 +281,7 @@ ce_management_query_proxy(struct context *c) + break; + } + } ++ management->persist.special_state_msg = NULL; + gc_free(&gc); + } + +@@ -349,6 +351,7 @@ ce_management_query_remote(struct context *c) + buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, + proto2ascii(ce->proto, ce->af, false)); + management_notify_generic(management, BSTR(&out)); ++ management->persist.special_state_msg = BSTR(&out); + + ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT); + ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT); +@@ -362,6 +365,7 @@ ce_management_query_remote(struct context *c) + break; + } + } ++ management->persist.special_state_msg = NULL; + } + gc_free(&gc); + Property changes on: branches/2020Q2/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q2/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 =================================================================== --- branches/2020Q2/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 (nonexistent) +++ branches/2020Q2/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 (revision 537130) 
@@ -0,0 +1,28 @@ +From fc0297143494e0a0f08564d90dbb210669d0abf5 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Sat, 30 May 2020 02:05:54 +0200 +Subject: [PATCH] pool: prevent IPv6 pools to be larger than 2^16 addresses + +Signed-off-by: Antonio Quartulli +Acked-by: Gert Doering +Message-Id: <20200530000600.1680-2-a@unstable.cc> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19945.html +Signed-off-by: Gert Doering +(cherry picked from commit 81d66a1f14d4be3282dd648ecc2049658e3a65ed) +--- + src/openvpn/pool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c +index da28bc06b..e45bf88a2 100644 +--- ./src/openvpn/pool.c ++++ ./src/openvpn/pool.c +@@ -183,7 +183,7 @@ ifconfig_pool_init(int type, in_addr_t start, in_addr_t end, + if (pool->ipv6) + { + pool->base_ipv6 = ipv6_base; +- pool->size_ipv6 = ipv6_netbits>96 ? ( 1<<(128-ipv6_netbits) ) ++ pool->size_ipv6 = ipv6_netbits > 112 ? (1 << (128 - ipv6_netbits)) + : IFCONFIG_POOL_MAX; + + msg( D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: (IPv4) size=%d, size_ipv6=%d, netbits=%d, base_ipv6=%s", Property changes on: branches/2020Q2/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q2 =================================================================== --- branches/2020Q2 (revision 537129) +++ branches/2020Q2 (revision 537130) Property changes on: branches/2020Q2 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r537129
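Review bot: The new threshold quietly changes what a `--server-ipv6` prefix between /97 and /112 gets: previously `1 << (128 - ipv6_netbits)`, which for /97 is `1 << 31` (signed overflow on a 32-bit `int`) and for anything up to /112 a pool of millions of entries, now the `IFCONFIG_POOL_MAX` fallback, with /112 yielding exactly 2^16, consistent with the subject line if `IFCONFIG_POOL_MAX` is 2^16 (its value is not shown here). Operators who relied on a larger IPv6 pool now get a silently capped one that only the `IFCONFIG POOL IPv6` log line on the following line reveals, so a short comment at the assignment would make the cap discoverable: `/* cap IPv6 pools at IFCONFIG_POOL_MAX (2^16): a wider shift overflows int and the pool array */`. `ifconfig_pool_init` starts and ends outside the hunk; whether `ipv6_netbits > 128` (a negative shift count) is rejected before this line is also not visible.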