ziggi/bsdports
1
0
Fork 0
mirror of https://github.com/beard7n/bsdports.git synced 2026-04-10 02:21:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

updated openvpn

Browse Source
This commit is contained in:
Oleg Borodin
2022-02-26 11:49:27 +02:00
parent ec50cc1a5d
commit 9365045657
15 changed files with 75 additions and 582 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
net/openvpn/Makefile
View File

@@ -2,7 +2,7 @@
# $Id$
#
PORTNAME= openvpn
PORTVERSION= 2.4.9
PORTVERSION= 2.5.5
CATEGORIES= security net
#MASTER_SITES= http://openvpn.net/release/
MASTER_SITES+= http://swupdate.openvpn.net/community/releases/

6
net/openvpn/distinfo
View File

@@ -1,3 +1,3 @@
TIMESTAMP = 1591166889
SHA256 (openvpn-2.4.9.tar.xz) = 641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
SIZE (openvpn-2.4.9.tar.xz) = 954264
TIMESTAMP = 1645868736
SHA256 (openvpn-2.5.5.tar.xz) = 119bd69fa0210838f6cdaa273696dc738efa200f454dbe11eb6dfb75dfb6003b
SIZE (openvpn-2.5.5.tar.xz) = 1147184

11
net/openvpn/files/patch-configure
View File

@@ -1,11 +0,0 @@
--- configure.orig 2016-08-23 14:19:07 UTC
+++ configure
@@ -17160,8 +17160,6 @@ fi
$as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&6; }
fi
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&5
-$as_echo "!! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&6; }
if false; then
CMOCKA_INITIALIZED_TRUE=
CMOCKA_INITIALIZED_FALSE='#'

11
net/openvpn/files/patch-doc_man-sections_generic-options.rst Normal file
View File

@@ -0,0 +1,11 @@
--- doc/man-sections/generic-options.rst.orig 2021-10-31 16:17:17 UTC
+++ doc/man-sections/generic-options.rst
@@ -431,7 +431,7 @@ which mode OpenVPN is configured as.
able to gain control of an OpenVPN session. Though OpenVPN's security
features make this unlikely, it is provided as a second line of defense.
- By setting ``user`` to :code:`nobody` or somebody similarly unprivileged,
+ By setting ``user`` to :code:`openvpn` or somebody similarly unprivileged,
the hostile party would be limited in what damage they could cause. Of
course once you take away privileges, you cannot return them to an
OpenVPN session. This means, for example, that if you want to reset an

20
net/openvpn/files/patch-doc_openvpn.8 Normal file
View File

@@ -0,0 +1,20 @@
--- doc/openvpn.8.orig 2021-10-05 05:57:01 UTC
+++ doc/openvpn.8
@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior
.B \-\-persist\-key
Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&.
.sp
-This option can be combined with \fB\-\-user nobody\fP to allow restarts
+This option can be combined with \fB\-\-user openvpn\fP to allow restarts
triggered by the \fBSIGUSR1\fP signal. Normally if you drop root
privileges in OpenVPN, the daemon cannot be restarted since it will now
be unable to re\-read protected key files.
@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho
able to gain control of an OpenVPN session. Though OpenVPN\(aqs security
features make this unlikely, it is provided as a second line of defense.
.sp
-By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged,
+By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged,
the hostile party would be limited in what damage they could cause. Of
course once you take away privileges, you cannot return them to an
OpenVPN session. This means, for example, that if you want to reset an

20
net/openvpn/files/patch-doc_openvpn.8.html Normal file
View File

@@ -0,0 +1,20 @@
--- doc/openvpn.8.html.orig 2021-10-05 05:57:01 UTC
+++ doc/openvpn.8.html
@@ -650,7 +650,7 @@ lower priority, <tt class="docutils literal">n</tt> le
<tr><td class="option-group">
<kbd><span class="option">--persist-key</span></kbd></td>
<td><p class="first">Don't re-read key files across <code>SIGUSR1</code> or <tt class="docutils literal"><span class="pre">--ping-restart</span></tt>.</p>
-<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> nobody</tt> to allow restarts
+<p>This option can be combined with <tt class="docutils literal"><span class="pre">--user</span> openvpn</tt> to allow restarts
triggered by the <code>SIGUSR1</code> signal. Normally if you drop root
privileges in OpenVPN, the daemon cannot be restarted since it will now
be unable to re-read protected key files.</p>
@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th
useful to protect the system in the event that some hostile party was
able to gain control of an OpenVPN session. Though OpenVPN's security
features make this unlikely, it is provided as a second line of defense.</p>
-<p class="last">By setting <tt class="docutils literal">user</tt> to <code>nobody</code> or somebody similarly unprivileged,
+<p class="last">By setting <tt class="docutils literal">user</tt> to <code>openvpn</code> or somebody similarly unprivileged,
the hostile party would be limited in what damage they could cause. Of
course once you take away privileges, you cannot return them to an
OpenVPN session. This means, for example, that if you want to reset an

136
net/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992
View File

@@ -1,136 +0,0 @@
From 098edbb1f5a2e1360fd6a4ae0642b63bec12e992 Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@jeremyevans.net>
Date: Wed, 20 May 2020 11:34:04 -0700
Subject: [PATCH] Switch assertion failure to returning false
This assertion failure can be hit in production, which causes the
openvpn server process to stop and all clients to be disconnected.
Bug #1270 has been filed for this issue on Trac by another user
who has experienced the issue, and this patch attempts to address it.
Tracing callers, it appears that some callers check ks->authenticated
before calling, but others do not. It may be possible to add the check
for the callers that do not check, but this seems to be a simpler
solution.
To give some background, we hit this assertion failure, with the
following log output:
```
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 PUSH: Received
control message: 'PUSH_REQUEST'
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 SENT CONTROL
[username]: 'PUSH_REPLY,redirect-gateway
def1,comp-lzo,persist-key,persist-tun,route-gateway 10.28.47.1,topology
subnet,ping 10,ping-restart 120,ifconfig 10.28.47.38 255.255.255.0,peer-id
89' (status=1)
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at
/path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated)
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Exiting due to fatal
error
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Closing TUN/TAP
interface
```
using the following OpenVPN server configuration:
```
port 1194
proto udp
dev-type tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
push "redirect-gateway def1"
push "comp-lzo"
push "persist-key"
push "persist-tun"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
cd /home/openvpn/server
chroot /var/empty
daemon
verb 3
crl-verify crl.pem
tls-auth ta.key 0
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher ECDHE-RSA-AES256-GCM-SHA384
ncp-disable
mute-replay-warnings
script-security 3
auth-user-pass-verify "ldap-auth/ldap-auth" via-env
auth-user-pass-optional
```
and the following command line options:
```
--config openvpn.conf --dev tun1 --local 206.131.72.52 \
--log-append openvpn.log --status openvpn-status.log \
--server 10.28.47.0 255.255.255.0
```
The failed assertion is inside the function
`tls_session_generate_data_channel_keys`, which is called 3 other places
in `ssl.c.`:
* `key_method_2_write`: checks for `ks->authenticated` before calling
* `key_method_2_read`: appears to run in client mode but not in server
mode
* `tls_session_update_crypto_params`: runs in server mode and does not
check before calling
That leads me to believe the problem caller is
`tls_session_update_crypto_params`. There.s three callers of
`tls_session_update_crypto_params`:.
* `incoming_push_message` (`push.c`): Probably this caller, since the
server pushes configuration to clients, and the log shows the
assertion failure right after the push reply.
* `multi_process_file_closed` (`multi.c`): Not this caller. NCP is
disabled in config, and async push was not enabled when compiling.
* `do_deferred_options` (`init.c`): Not this caller. The server
configuration doesn't pull.
Changing the assertion to returning false appears to be the simplest
fix. Another approach would be changing callers to check
`ks->authenticated` before calling, either
`tls_session_update_crypto_params` or `incoming_push_message`.
Signed-off-by: Jeremy Evans <code@jeremyevans.net>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200520183404.54822-1-code@jeremyevans.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19914.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 984bd1e1601e4b9562dbc88b02a8db60b884286f)
---
src/openvpn/ssl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index cf6689982..215147f37 100644
--- ./src/openvpn/ssl.c
+++ ./src/openvpn/ssl.c
@@ -1941,7 +1941,10 @@ tls_session_generate_data_channel_keys(struct tls_session *session)
const struct session_id *server_sid = !session->opt->server ?
&ks->session_id_remote : &session->session_id;
- ASSERT(ks->authenticated);
+ if (!ks->authenticated) {
+ msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
+ goto cleanup;
+ }
ks->crypto_options.flags = session->opt->crypto_flags;
if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi,

61
net/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88
View File

@@ -1,61 +0,0 @@
From 38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Thu, 20 Feb 2020 22:00:28 -0500
Subject: [PATCH] Persist management-query-remote and proxy prompts
Currently this prompt is only output once, not re-written to the
management interface when the management client connects. It is thus
not seen by a client that connects after the prompt is output or one that
disconnects and reconnects. This leads to a deadlock: the daemon waiting
for the "remote" command from the client, the latter not aware of it.
Resolve by adding the ">REMOTE" and ">PROXY" prompt to
man.persist.special_state_msg as done for other persisted prompts such
as ">PASSWORD"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1582254028-7763-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19497.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad)
---
src/openvpn/init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 8bac74f97..e153682ed 100644
--- ./src/openvpn/init.c
+++ ./src/openvpn/init.c
@@ -269,6 +269,7 @@ ce_management_query_proxy(struct context *c)
buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
(proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
management_notify_generic(management, BSTR(&out));
+ management->persist.special_state_msg = BSTR(&out);
}
ce->flags |= CE_MAN_QUERY_PROXY;
while (ce->flags & CE_MAN_QUERY_PROXY)
@@ -280,6 +281,7 @@ ce_management_query_proxy(struct context *c)
break;
}
}
+ management->persist.special_state_msg = NULL;
gc_free(&gc);
}
@@ -349,6 +351,7 @@ ce_management_query_remote(struct context *c)
buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
proto2ascii(ce->proto, ce->af, false));
management_notify_generic(management, BSTR(&out));
+ management->persist.special_state_msg = BSTR(&out);
ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
@@ -362,6 +365,7 @@ ce_management_query_remote(struct context *c)
break;
}
}
+ management->persist.special_state_msg = NULL;
}
gc_free(&gc);

214
net/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea
View File

@@ -1,214 +0,0 @@
From b89e48b015e581a4a0f5c306e2ab20da34c862ea Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Tue, 24 Jul 2018 22:34:53 -0400
Subject: [PATCH] Parse static challenge response in auth-pam plugin
If static challenge is in use, the password passed to the plugin by openvpn
is of the form "SCRV1:base64-pass:base64-response". Parse this string to
separate it into password and response and use them to respond to queries
in the pam conversation function.
On the plugin parameters line the substitution keyword for the static
challenge response is "OTP". For example, for pam config named "test" that
prompts for "user", "password" and "pin", use
plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1532486093-24793-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17307.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7369d01bf360bcfa02f26c05b86dde5496d120f6)
---
src/plugins/auth-pam/README.auth-pam | 15 ++++--
src/plugins/auth-pam/auth-pam.c | 75 +++++++++++++++++++++++++++-
2 files changed, 84 insertions(+), 6 deletions(-)
diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam
index e12369021..908156542 100644
--- a/src/plugins/auth-pam/README.auth-pam
+++ ./src/plugins/auth-pam/README.auth-pam
@@ -36,19 +36,20 @@ pairs to answer PAM module queries.
For example:
- plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
tells auth-pam to (a) use the "login" PAM module, (b) answer a
-"login" query with the username given by the OpenVPN client, and
-(c) answer a "password" query with the password given by the
-OpenVPN client. This provides flexibility in dealing with the different
+"login" query with the username given by the OpenVPN client,
+(c) answer a "password" query with the password, and (d) answer a
+"pin" query with the OTP given by the OpenVPN client.
+This provides flexibility in dealing with different
types of query strings which different PAM modules might generate.
For example, suppose you were using a PAM module called
"test" which queried for "name" rather than "login":
plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
-While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
+While "USERNAME" "COMMONNAME" "PASSWORD" and "OTP" are special strings which substitute
to client-supplied values, it is also possible to name literal values
to use as PAM module query responses. For example, suppose that the
login module queried for a third parameter, "domain" which
@@ -61,6 +62,10 @@ the operation of this plugin:
client-cert-not-required
username-as-common-name
+ static-challenge
+
+Use of --static challenege is required to pass a pin (represented by "OTP" in
+parameter substituion) or a second password.
Run OpenVPN with --verb 7 or higher to get debugging output from
this plugin, including the list of queries presented by the
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 5ba4dc4cb..1324307f1 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ ./src/plugins/auth-pam/auth-pam.c
@@ -6,6 +6,7 @@
* packet compression.
*
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2016-2018 Selva Nair <selva.nair@gmail.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -64,6 +65,7 @@
/* Pointers to functions exported from openvpn */
static plugin_secure_memzero_t plugin_secure_memzero = NULL;
+static plugin_base64_decode_t plugin_base64_decode = NULL;
/*
* Plugin state, used by foreground
@@ -87,6 +89,7 @@ struct auth_pam_context
* "USERNAME" -- substitute client-supplied username
* "PASSWORD" -- substitute client-specified password
* "COMMONNAME" -- substitute client certificate common name
+ * "OTP" -- substitute static challenge response if available
*/
#define N_NAME_VALUE 16
@@ -111,6 +114,7 @@ struct user_pass {
char username[128];
char password[128];
char common_name[128];
+ char response[128];
const struct name_value_list *name_value_list;
};
@@ -276,6 +280,66 @@ name_value_match(const char *query, const char *match)
return strncasecmp(match, query, strlen(match)) == 0;
}
+/*
+ * Split and decode up->password in the form SCRV1:base64_pass:base64_response
+ * into pass and response and save in up->password and up->response.
+ * If the password is not in the expected format, input is not changed.
+ */
+static void
+split_scrv1_password(struct user_pass *up)
+{
+ const int skip = strlen("SCRV1:");
+ if (strncmp(up->password, "SCRV1:", skip) != 0)
+ {
+ return;
+ }
+
+ char *tmp = strdup(up->password);
+ if (!tmp)
+ {
+ fprintf(stderr, "AUTH-PAM: out of memory parsing static challenge password\n");
+ goto out;
+ }
+
+ char *pass = tmp + skip;
+ char *resp = strchr(pass, ':');
+ if (!resp) /* string not in SCRV1:xx:yy format */
+ {
+ goto out;
+ }
+ *resp++ = '\0';
+
+ int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
+ if (n > 0)
+ {
+ up->password[n] = '\0';
+ n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
+ if (n > 0)
+ {
+ up->response[n] = '\0';
+ if (DEBUG(up->verb))
+ {
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: parsed static challenge password\n");
+ }
+ goto out;
+ }
+ }
+
+ /* decode error: reinstate original value of up->password and return */
+ plugin_secure_memzero(up->password, sizeof(up->password));
+ plugin_secure_memzero(up->response, sizeof(up->response));
+ strcpy(up->password, tmp); /* tmp is guaranteed to fit in up->password */
+
+ fprintf(stderr, "AUTH-PAM: base64 decode error while parsing static challenge password\n");
+
+out:
+ if (tmp)
+ {
+ plugin_secure_memzero(tmp, strlen(tmp));
+ free(tmp);
+ }
+}
+
OPENVPN_EXPORT int
openvpn_plugin_open_v3(const int v3structver,
struct openvpn_plugin_args_open_in const *args,
@@ -316,6 +380,7 @@ openvpn_plugin_open_v3(const int v3structver,
/* Save global pointers to functions exported from openvpn */
plugin_secure_memzero = args->callbacks->plugin_secure_memzero;
+ plugin_base64_decode = args->callbacks->plugin_base64_decode;
/*
* Make sure we have two string arguments: the first is the .so name,
@@ -599,6 +664,10 @@ my_conv(int n, const struct pam_message **msg_array,
{
aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
}
+ else if (strstr(match_value, "OTP"))
+ {
+ aresp[i].resp = searchandreplace(match_value, "OTP", up->response);
+ }
else
{
aresp[i].resp = strdup(match_value);
@@ -787,6 +856,9 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
#endif
}
+ /* If password is of the form SCRV1:base64:base64 split it up */
+ split_scrv1_password(&up);
+
if (pam_auth(service, &up)) /* Succeeded */
{
if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
@@ -818,10 +890,11 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
command);
goto done;
}
+ plugin_secure_memzero(up.response, sizeof(up.response));
}
done:
-
plugin_secure_memzero(up.password, sizeof(up.password));
+ plugin_secure_memzero(up.response, sizeof(up.response));
#ifdef USE_PAM_DLOPEN
dlclose_pam();
#endif

40
net/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f
View File

@@ -1,40 +0,0 @@
From cab48ad43eaba51c54fa23e55b0b2eb436dd921f Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Tue, 7 Aug 2018 22:44:31 -0400
Subject: [PATCH] Accept empty password and/or response in auth-pam plugin
In the auth-pam plugin correctly parse the static challenge string
even when password or challenge response is empty.
Whether an empty user input is an error is determined by the PAM
conversation function depending on whether the PAM module queries
for it or not.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1533696271-21799-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17382.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7a8109023f4c345fe12f23421c5fa7e88e1ea85b)
---
src/plugins/auth-pam/auth-pam.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 1324307f1..88b53204b 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ ./src/plugins/auth-pam/auth-pam.c
@@ -310,11 +310,11 @@ split_scrv1_password(struct user_pass *up)
*resp++ = '\0';
int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
- if (n > 0)
+ if (n >= 0)
{
up->password[n] = '\0';
n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
- if (n > 0)
+ if (n >= 0)
{
up->response[n] = '\0';
if (DEBUG(up->verb))

28
net/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5
View File

@@ -1,28 +0,0 @@
From fc0297143494e0a0f08564d90dbb210669d0abf5 Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <a@unstable.cc>
Date: Sat, 30 May 2020 02:05:54 +0200
Subject: [PATCH] pool: prevent IPv6 pools to be larger than 2^16 addresses
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200530000600.1680-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19945.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 81d66a1f14d4be3282dd648ecc2049658e3a65ed)
---
src/openvpn/pool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
index da28bc06b..e45bf88a2 100644
--- ./src/openvpn/pool.c
+++ ./src/openvpn/pool.c
@@ -183,7 +183,7 @@ ifconfig_pool_init(int type, in_addr_t start, in_addr_t end,
if (pool->ipv6)
{
pool->base_ipv6 = ipv6_base;
- pool->size_ipv6 = ipv6_netbits>96 ? ( 1<<(128-ipv6_netbits) )
+ pool->size_ipv6 = ipv6_netbits > 112 ? (1 << (128 - ipv6_netbits))
: IFCONFIG_POOL_MAX;
msg( D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: (IPv4) size=%d, size_ipv6=%d, netbits=%d, base_ipv6=%s",

69
net/openvpn/files/patch-src_openvpn_ssl__openssl.c
View File

@@ -1,69 +0,0 @@
In the corner case that the global OpenSSL has an invalid command like
MinProtocol = TLSv1.0
(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
the SSL_ctx_new function leaves the errors for parsing the config file
on the stack.
OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
Since the later functions, especially the one of loading the
certificates expected a clean error this error got reported at the
wrong place.
Print the warnings with crypto_msg when we detect that we are in this
situation (this also clears the stack).
---
src/openvpn/ssl_openssl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
Acked-by: Gert Doering <gert@greenie.muc.de>
"Explanation and Code make sense, Debian testing confirmed it fixes
the problem observed" (which was a user error in the end, but led to an
unexpected error in openvpn).
Basic client test run with openssl 1.1.1 on Linux/Gentoo.
Your patch has been applied to the master and release/2.4 branch.
commit 75aa88af774abaa168bf72e43e1dbb57be14c044 (master)
commit 125654bfa6f99a251b581522182e85748dd8043a (release/2.4)
Author: Arne Schwabe
Date: Tue Apr 21 12:11:22 2020 +0200
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200421101122.24284-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19802.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--- src/openvpn/ssl_openssl.c.orig 2020-04-16 13:26:45 UTC
+++ src/openvpn/ssl_openssl.c
@@ -110,6 +110,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
{
crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
}
+ if (ERR_peek_error() != 0)
+ {
+ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
+ "has warnings.");
+ }
}
void
@@ -122,6 +127,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
if (ctx->ctx == NULL)
{
crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
+ }
+ if (ERR_peek_error() != 0)
+ {
+ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
+ "has warnings.");
}
}

10
net/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c Normal file
View File

@@ -0,0 +1,10 @@
--- src/plugins/auth-pam/auth-pam.c.orig 2021-06-21 04:44:39 UTC
+++ src/plugins/auth-pam/auth-pam.c
@@ -39,6 +39,7 @@
#include <stdio.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>

2
net/openvpn/files/patch-tests__t_cltsrv.sh
View File

@@ -40,7 +40,7 @@
+ add='proto udp6 '
+fi
+for i in server client ; do
+ sed -e "s/localhost/$2/" -e "/^remote /a\\
+ sed -e "s|localhost|${2%/*}|" -e "/^remote /a\\
+$add" ${root}/sample-config-files/loopback-$i \
+ >${root}/sample-config-files/loopback-$i.test
+done

27
net/openvpn/pkg-plist
View File

@@ -1,25 +1,16 @@
sbin/openvpn
include/openvpn-msg.h
include/openvpn-plugin.h
lib/openvpn/plugins/openvpn-plugin-auth-pam.la
lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.la
lib/openvpn/plugins/openvpn-plugin-down-root.so
share/doc/openvpn/README.auth-pam
share/doc/openvpn/README.down-root
share/doc/openvpn/management-notes.txt
man/man5/openvpn-examples.5.gz
man/man8/openvpn.8.gz
sbin/openvpn
share/examples/openvpn/client.conf
share/examples/openvpn/server.conf
share/examples/openvpn/tls-home.conf
share/examples/openvpn/tls-office.conf
@dir lib/openvpn/plugins
@dir lib/openvpn
@dir share/doc/openvpn
@dir share/doc
%%EXAMPLESDIR%%/client.conf
%%EXAMPLESDIR%%/server.conf
%%EXAMPLESDIR%%/static-home.conf
%%EXAMPLESDIR%%/static-office.conf
%%EXAMPLESDIR%%/tls-home.conf
%%EXAMPLESDIR%%/tls-office.conf
@dir %%EXAMPLESDIR%%
@dir share/examples/openvpn