Update security/openvpn 2.5. For 2.3 peers, update your configuration,

...see ports/UPDATING or the
ChangeLog: https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25

Avoid LibreSSL (IGNORE_SSL).
INSTALL_DATA -> INSTALL_MAN for documentation.
Rearrange Makefile according to portclippy.
This commit is contained in:
Matthias Andree
2020-10-30 20:36:01 +00:00
parent a833490b4b
commit dec3c81ea9
12 changed files with 175 additions and 721 deletions


@@ -5,6 +5,18 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
20201030:
AFFECTS: users of security/openvpn
AUTHOR: mandree@FreeBSD.org
The security/openvpn port has been updated to v2.5.0, which brings a
change to the default ciphersuite, which no longer contains BF-CBC.
Some options have been removed. Also, if you need to support very old (v2.3)
and unsupported clients or servers, you will need to adjust the
configuration. For details, see:
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25
20201029:
AFFECTS: users of www/node
AUTHOR: bhughes@FreeBSD.org
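Review bot: the entry states that BF-CBC left the default ciphersuite and that "some options have been removed" but does not say what an affected user will observe or which options are gone; add one sentence on the symptom (v2.3 peers that still depend on BF-CBC stop connecting until the configuration is adjusted) and either name the removed options or point at the exact Changes.rst subsection, so someone debugging a post-upgrade connection failure can recognise this entry as the cause.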


@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openvpn
DISTVERSION= 2.4.9
PORTREVISION?= 3
DISTVERSION= 2.5.0
PORTREVISION?= 0
CATEGORIES= security net net-vpn
MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
https://build.openvpn.net/downloads/releases/ \
@@ -15,86 +15,79 @@ COMMENT?= Secure IP/Ethernet tunnel daemon
LICENSE= GPLv2
LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL
USES= cpe libtool pkgconfig shebangfix tar:xz
USES= cpe libtool localbase:ldflags pkgconfig shebangfix tar:xz
IGNORE_SSL= libressl libressl-devel
USE_RC_SUBR= openvpn
CONFLICTS_INSTALL?= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]*
GNU_CONFIGURE= yes
SHEBANG_FILES= sample/sample-scripts/verify-cn \
sample/sample-scripts/auth-pam.pl \
sample/sample-scripts/ucn.pl
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --enable-strict
# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
CONFLICTS_INSTALL?= openvpn-2.[!5].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]*
SUB_FILES= pkg-message openvpn-client
PORTDOCS= *
PORTEXAMPLES= *
# avoid picking up CMAKE, we don't have cmocka in the tarballs.
CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE=
# let OpenVPN's configure script pick up the requisite libraries,
# but do not break the plugin build if an older version is installed
# XXX FIXME: once there is an opportunity for testing with older
# versions with incompatible plugins again, try USES+=localbase:ldflags,
# suggested by Mateusz Piotrowski 0mp@ 2020-07-17
CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib -Wl,--as-needed
OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
TEST LZ4 LZO SMALL TUNNELBLICK ASYNC_PUSH
OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4 LZO
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS
ASYNC_PUSH_DESC= Enable async-push support
PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only)
EASYRSA_DESC= Install security/easy-rsa RSA helper package
MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3)
PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only)
SMALL_DESC= Build a smaller executable with fewer features
TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
SMALL_DESC= Build a smaller executable with fewer features
ASYNC_PUSH_CONFIGURE_ENABLE= async-push
ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify
ASYNC_PUSH_CONFIGURE_ENABLE= async-push
EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
PKCS11_CONFIGURE_ENABLE= pkcs11
PKCS11_PREVENTS= MBEDTLS
PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
LZ4_CONFIGURE_ENABLE= lz4
TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
X509ALTUSERNAME_PREVENTS= MBEDTLS
X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
OPENSSL_USES= ssl
OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl
LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2
LZO_CONFIGURE_ENABLE= lzo
MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls
MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls
LZO_CONFIGURE_ENABLE= lzo
LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2
OPENSSL_USES= ssl
OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl
LZ4_CONFIGURE_ENABLE= lz4
LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
PKCS11_PREVENTS= MBEDTLS
PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
PKCS11_CONFIGURE_ENABLE= pkcs11
SMALL_CONFIGURE_ENABLE= small
USE_RC_SUBR= openvpn
TEST_ALL_TARGET= check
TEST_TEST_TARGET_OFF= check
SUB_FILES= pkg-message openvpn-client
TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch:-p1
X509ALTUSERNAME_PREVENTS= MBEDTLS
X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
.ifdef (LOG_OPENVPN)
CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
.endif
PORTDOCS= *
PORTEXAMPLES= *
TEST_ALL_TARGET= check
TEST_TEST_TARGET_OFF= check
.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MMBEDTLS}
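Review bot: `IGNORE_SSL= libressl libressl-devel` lands with no stated reason; a one-line comment above it naming the OpenSSL API that LibreSSL lacks for 2.5.0 (or a reference) tells the next maintainer when the IGNORE can be lifted, and users building with `DEFAULT_VERSIONS+=ssl=libressl` now get a hard stop that the commit message should mention. Separately, the removed comment block explicitly asked that `USES+=localbase:ldflags` be tried only "once there is an opportunity for testing with older versions with incompatible plugins"; this hunk adopts it and drops `-I${WRKSRC}/include` from CPPFLAGS, so the commit message should record that the stale-installed-OpenVPN scenario was exercised, or the CPPFLAGS line should stay with a note on why the plugin build no longer needs it.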
@@ -140,11 +133,13 @@ post-install:
@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
${MKDIR} ${STAGEDIR}${PREFIX}/include
@: # workaround for 2.5.0 only XXX FIXME remove after 2.5.0
${INSTALL_MAN} ${WRKSRC}/doc/openvpn.8 ${STAGEDIR}${MANPREFIX}/man/man8
post-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}/
.for i in AUTHORS ChangeLog PORTS
${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
.endfor
post-install-EXAMPLES-on:
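Review bot: the manual `${INSTALL_MAN} ${WRKSRC}/doc/openvpn.8` line is marked `XXX FIXME remove after 2.5.0` but does not say why the upstream build fails to install the man page in 2.5.0; put the cause (and the upstream fix, if one is known) in the comment so the removal condition can be verified rather than guessed when 2.5.1 arrives. The switch to `${INSTALL_MAN}` for AUTHORS/ChangeLog/PORTS matches the portclippy point in the commit message and needs no further change.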


@@ -1,3 +1,3 @@
TIMESTAMP = 1587146198
SHA256 (openvpn-2.4.9.tar.xz) = 641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
SIZE (openvpn-2.4.9.tar.xz) = 954264
TIMESTAMP = 1604077828
SHA256 (openvpn-2.5.0.tar.xz) = 029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd
SIZE (openvpn-2.5.0.tar.xz) = 1126928
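Review bot: TIMESTAMP, SHA256 and SIZE are regenerated for openvpn-2.5.0.tar.xz, but nothing records that the tarball was checked against upstream's detached signature before `make makesum`; that verification is what makes the SHA256 pinned here a supply-chain anchor rather than a hash of whatever the mirror served, so state it in the commit message.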


@@ -10,47 +10,47 @@ detail on the following wiki page:
https://tunnelblick.net/cOpenvpn_xorpatch.html
The patch was ported to OpenVPN 2.4 by OPNsense.
--- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/forward.c
@@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c
--- openvpn-2.5_beta1.old/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400
+++ openvpn-2.5_beta1.new/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400
@@ -811,7 +811,10 @@
status = link_socket_read(c->c2.link_socket,
&c->c2.buf,
- &c->c2.from);
+ &c->c2.from,
+ c->options.ce.xormethod,
+ c->options.ce.xormask,
+ c->options.ce.xormasklen);
+ &c->c2.from,
+ c->options.ce.xormethod,
+ c->options.ce.xormask,
+ c->options.ce.xormasklen);
if (socket_connection_reset(c->c2.link_socket, status))
{
@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
@@ -1621,7 +1624,10 @@
/* Send packet */
size = link_socket_write(c->c2.link_socket,
&c->c2.to_link,
- to_addr);
+ to_addr,
+ c->options.ce.xormethod,
+ c->options.ce.xormask,
+ c->options.ce.xormasklen);
+ c->options.ce.xormethod,
+ c->options.ce.xormask,
+ c->options.ce.xormasklen);
/* Undo effect of prepend */
link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
--- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/options.c
@@ -811,6 +811,9 @@ init_options(struct options *o, const bo
diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c
--- openvpn-2.5_rc3.old/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400
+++ openvpn-2.5_rc3.new/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400
@@ -821,6 +821,9 @@
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
o->resolve_in_advance = false;
o->proto_force = -1;
+ o->ce.xormethod = 0;
+ o->ce.xormask = "\0";
+ o->ce.xormasklen = 0;
#ifdef ENABLE_OCC
o->occ = true;
#endif
@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
#ifdef ENABLE_MANAGEMENT
o->management_log_history_cache = 250;
@@ -973,6 +976,9 @@
setenv_str_i(es, "local_port", e->local_port, i);
setenv_str_i(es, "remote", e->remote, i);
setenv_str_i(es, "remote_port", e->remote_port, i);
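Review bot: the patch header still says "The patch was ported to OpenVPN 2.4 by OPNsense." while the refreshed file headers below are taken against openvpn-2.5_beta1, openvpn-2.5_rc3, openvpn-2.5_git_57d6f10 and openvpn-2.5_git_974513e trees, four different bases for one patch set; update the header to name where the 2.5 version of this third-party obfuscation code came from and at which revision, and preferably regenerate all file headers against the 2.5.0 release tree so provenance can be re-checked at the next refresh.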
@@ -60,17 +60,17 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
if (e->http_proxy_options)
{
@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
@@ -1452,6 +1458,9 @@
SHOW_BOOL(bind_ipv6_only);
SHOW_INT(connect_retry_seconds);
SHOW_INT(connect_timeout);
+ SHOW_INT(xormethod);
+ SHOW_STR(xormask);
+ SHOW_INT(xormasklen);
+ SHOW_INT (xormethod);
+ SHOW_STR (xormask);
+ SHOW_INT (xormasklen);
if (o->http_proxy_options)
{
@@ -5915,6 +5924,46 @@ add_option(struct options *options,
@@ -6260,6 +6269,46 @@
}
options->proto_force = proto_force;
}
@@ -103,23 +103,24 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ }
+ else if (!p[2])
+ {
+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
+ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
+ options->ce.xormethod = 1;
+ options->ce.xormask = p[1];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else
+ {
+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
+ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
+ goto err;
+ }
+ }
else if (streq(p[0], "http-proxy") && p[1] && !p[5])
{
struct http_proxy_options *ho;
--- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/options.h
@@ -98,6 +98,9 @@ struct connection_entry
diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h
--- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400
+++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400
@@ -99,6 +99,9 @@
int connect_retry_seconds;
int connect_retry_seconds_max;
int connect_timeout;
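Review bot: the hunk only changes `msg (` to `msg(`, but the M_WARN fallback on the touched line interpolates `p[1]`, the xormask itself, into the log file; the mask is the one value a log reader needs to undo the scramble, so log only that an unrecognised method fell back to `xormask` and leave the value out. The same applies to `SHOW_STR(xormask)` in the show_connection_entry hunk above.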
@@ -129,33 +130,36 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
struct http_proxy_options *http_proxy_options;
const char *socks_proxy_server;
const char *socks_proxy_port;
--- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/socket.c
@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
--- openvpn-2.5_git_974513e/src/openvpn/socket.c 2017-08-17 11:27:23.000000000 -0400
+++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c 2017-08-18 18:37:11.000000000 -0400
@@ -54,6 +54,56 @@
IPv6_TCP_HEADER_SIZE,
};
+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
+ int i;
+ uint8_t *b;
+ if ( xormasklen > 0 ) {
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+ *b = *b ^ mask[i % xormasklen];
+ }
+ }
+ return BLEN (buf);
+int buffer_mask(struct buffer *buf, const char *mask, int xormasklen)
+{
+ int i;
+ uint8_t *b;
+ if ( xormasklen > 0 ) {
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+ *b = *b ^ mask[i % xormasklen];
+ }
+ }
+ return BLEN (buf);
+}
+
+int buffer_xorptrpos (struct buffer *buf) {
+ int i;
+ uint8_t *b;
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+ *b = *b ^ i+1;
+ }
+ return BLEN (buf);
+int buffer_xorptrpos(struct buffer *buf)
+{
+ int i;
+ uint8_t *b;
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+ *b = *b ^ i+1;
+ }
+ return BLEN (buf);
+}
+
+int buffer_reverse (struct buffer *buf) {
+int buffer_reverse(struct buffer *buf)
+{
+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
+ * https://github.com/clayface/openvpn_xorpatch
+ * makes a copy of the buffer and it writes to the byte **after** the
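Review bot: in buffer_xorptrpos, `*b = *b ^ i+1;` depends on `+` binding tighter than `^`; it is correct, but `*b ^= (uint8_t)(i + 1);` keeps the intent readable across the next reformat and makes the truncation for positions beyond 255 explicit. In buffer_mask the `xormasklen > 0` guard correctly avoids the modulo-by-zero for an empty mask; since xormasklen is `strlen(options->ce.xormask)` in options.c, a mask with an embedded NUL cannot be configured, which deserves a comment at the declaration.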
@@ -167,38 +171,39 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
+ */
+ int len = BLEN(buf);
+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
+ int i;
+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
+ uint8_t tmp;
+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
+ tmp = *b_start;
+ *b_start = *b_end;
+ *b_end = tmp;
+ int len = BLEN(buf);
+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
+ int i;
+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
+ uint8_t tmp;
+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
+ tmp = *b_start;
+ *b_start = *b_end;
+ *b_end = tmp;
+ }
+ }
+ }
+ return len;
+ return len;
+}
+
/*
* Convert sockflags/getaddr_flags into getaddr_flags
*/
--- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/socket.h
@@ -249,6 +249,10 @@ struct link_socket
diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h
--- openvpn-2.5_beta1.old/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400
+++ openvpn-2.5_beta1.new/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400
@@ -249,6 +249,10 @@
#endif
};
+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
+int buffer_xorptrpos (struct buffer *buf);
+int buffer_reverse (struct buffer *buf);
+int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen);
+int buffer_xorptrpos(struct buffer *buf);
+int buffer_reverse(struct buffer *buf);
+
/*
* Some Posix/Win32 differences.
*/
@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
@@ -1049,30 +1053,56 @@
static inline int
link_socket_read(struct link_socket *sock,
struct buffer *buf,
@@ -209,11 +214,10 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ int xormasklen)
{
+ int res;
+
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
- int res;
-
#ifdef _WIN32
res = link_socket_read_udp_win32(sock, buf, from);
#else
@@ -233,33 +237,34 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
ASSERT(0);
return -1; /* NOTREACHED */
}
+ switch (xormethod) {
+ case 0:
+ break;
+ case 1:
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ case 2:
+ buffer_xorptrpos(buf);
+ break;
+ case 3:
+ buffer_reverse(buf);
+ break;
+ case 4:
+ buffer_mask(buf,xormask,xormasklen);
+ buffer_xorptrpos(buf);
+ buffer_reverse(buf);
+ buffer_xorptrpos(buf);
+ break;
+ default:
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ switch(xormethod)
+ {
+ case 0:
+ break;
+ case 1:
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ case 2:
+ buffer_xorptrpos(buf);
+ break;
+ case 3:
+ buffer_reverse(buf);
+ break;
+ case 4:
+ buffer_mask(buf,xormask,xormasklen);
+ buffer_xorptrpos(buf);
+ buffer_reverse(buf);
+ buffer_xorptrpos(buf);
+ break;
+ default:
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ }
+ return res;
}
/*
@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
@@ -1163,8 +1193,34 @@
static inline int
link_socket_write(struct link_socket *sock,
struct buffer *buf,
@@ -269,27 +274,28 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ const char *xormask,
+ int xormasklen)
{
+ switch (xormethod) {
+ case 0:
+ break;
+ case 1:
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ case 2:
+ buffer_xorptrpos(buf);
+ break;
+ case 3:
+ buffer_reverse(buf);
+ break;
+ case 4:
+ buffer_xorptrpos(buf);
+ buffer_reverse(buf);
+ buffer_xorptrpos(buf);
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ default:
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ switch(xormethod)
+ {
+ case 0:
+ break;
+ case 1:
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ case 2:
+ buffer_xorptrpos(buf);
+ break;
+ case 3:
+ buffer_reverse(buf);
+ break;
+ case 4:
+ buffer_xorptrpos(buf);
+ buffer_reverse(buf);
+ buffer_xorptrpos(buf);
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ default:
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ }
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
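Review bot: the write-side order for method 4 (xorptrpos, reverse, xorptrpos, mask) must remain the exact inverse of the read-side order in link_socket_read (mask, xorptrpos, reverse, xorptrpos), and both copies were re-indented here independently; add a comment on each switch referencing the other so a future edit to one cannot silently desynchronise them and break every peer using that method. The comment should also say plainly that this XOR/reverse transform is traffic-shape obfuscation and adds no confidentiality, so nobody reads it as a second encryption layer.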


@@ -1,11 +0,0 @@
--- configure.orig 2020-04-16 13:26:53 UTC
+++ configure
@@ -18226,8 +18226,6 @@ fi
$as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&6; }
fi
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&5
-$as_echo "!! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&6; }
if false; then
CMOCKA_INITIALIZED_TRUE=
CMOCKA_INITIALIZED_FALSE='#'
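Review bot: dropping this patch removes the local silencing of the "CMake is NOT available" configure warning; if the `CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE=` line in the Makefile hunk is what now keeps configure from picking up a CMake present on the build host, say so in the commit message, otherwise TEST builds will differ depending on what happens to be installed.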


@@ -1,136 +0,0 @@
From 098edbb1f5a2e1360fd6a4ae0642b63bec12e992 Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@jeremyevans.net>
Date: Wed, 20 May 2020 11:34:04 -0700
Subject: [PATCH] Switch assertion failure to returning false
This assertion failure can be hit in production, which causes the
openvpn server process to stop and all clients to be disconnected.
Bug #1270 has been filed for this issue on Trac by another user
who has experienced the issue, and this patch attempts to address it.
Tracing callers, it appears that some callers check ks->authenticated
before calling, but others do not. It may be possible to add the check
for the callers that do not check, but this seems to be a simpler
solution.
To give some background, we hit this assertion failure, with the
following log output:
```
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 PUSH: Received
control message: 'PUSH_REQUEST'
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 SENT CONTROL
[username]: 'PUSH_REPLY,redirect-gateway
def1,comp-lzo,persist-key,persist-tun,route-gateway 10.28.47.1,topology
subnet,ping 10,ping-restart 120,ifconfig 10.28.47.38 255.255.255.0,peer-id
89' (status=1)
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at
/path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated)
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Exiting due to fatal
error
Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Closing TUN/TAP
interface
```
using the following OpenVPN server configuration:
```
port 1194
proto udp
dev-type tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
push "redirect-gateway def1"
push "comp-lzo"
push "persist-key"
push "persist-tun"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
cd /home/openvpn/server
chroot /var/empty
daemon
verb 3
crl-verify crl.pem
tls-auth ta.key 0
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher ECDHE-RSA-AES256-GCM-SHA384
ncp-disable
mute-replay-warnings
script-security 3
auth-user-pass-verify "ldap-auth/ldap-auth" via-env
auth-user-pass-optional
```
and the following command line options:
```
--config openvpn.conf --dev tun1 --local 206.131.72.52 \
--log-append openvpn.log --status openvpn-status.log \
--server 10.28.47.0 255.255.255.0
```
The failed assertion is inside the function
`tls_session_generate_data_channel_keys`, which is called 3 other places
in `ssl.c.`:
* `key_method_2_write`: checks for `ks->authenticated` before calling
* `key_method_2_read`: appears to run in client mode but not in server
mode
* `tls_session_update_crypto_params`: runs in server mode and does not
check before calling
That leads me to believe the problem caller is
`tls_session_update_crypto_params`. There.s three callers of
`tls_session_update_crypto_params`:.
* `incoming_push_message` (`push.c`): Probably this caller, since the
server pushes configuration to clients, and the log shows the
assertion failure right after the push reply.
* `multi_process_file_closed` (`multi.c`): Not this caller. NCP is
disabled in config, and async push was not enabled when compiling.
* `do_deferred_options` (`init.c`): Not this caller. The server
configuration doesn't pull.
Changing the assertion to returning false appears to be the simplest
fix. Another approach would be changing callers to check
`ks->authenticated` before calling, either
`tls_session_update_crypto_params` or `incoming_push_message`.
Signed-off-by: Jeremy Evans <code@jeremyevans.net>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200520183404.54822-1-code@jeremyevans.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19914.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 984bd1e1601e4b9562dbc88b02a8db60b884286f)
---
src/openvpn/ssl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index cf6689982..215147f37 100644
--- ./src/openvpn/ssl.c
+++ ./src/openvpn/ssl.c
@@ -1941,7 +1941,10 @@ tls_session_generate_data_channel_keys(struct tls_session *session)
const struct session_id *server_sid = !session->opt->server ?
&ks->session_id_remote : &session->session_id;
- ASSERT(ks->authenticated);
+ if (!ks->authenticated) {
+ msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
+ goto cleanup;
+ }
ks->crypto_options.flags = session->opt->crypto_flags;
if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi,
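Review bot: this removed file is the cherry-pick of upstream 984bd1e1601e4b9562dbc88b02a8db60b884286f (the fatal `ASSERT(ks->authenticated)` turned into an error return), and its deletion is only correct if that commit is in 2.5.0; the same holds for the other four removed patch files, each naming its upstream id in a "(cherry picked from commit ...)" line. List those five upstream commit ids in the commit message as "included upstream in 2.5.0" so the removals are auditable without diffing the tarball.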


@@ -1,61 +0,0 @@
From 38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Thu, 20 Feb 2020 22:00:28 -0500
Subject: [PATCH] Persist management-query-remote and proxy prompts
Currently this prompt is only output once, not re-written to the
management interface when the management client connects. It is thus
not seen by a client that connects after the prompt is output or one that
disconnects and reconnects. This leads to a deadlock: the daemon waiting
for the "remote" command from the client, the latter not aware of it.
Resolve by adding the ">REMOTE" and ">PROXY" prompt to
man.persist.special_state_msg as done for other persisted prompts such
as ">PASSWORD"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1582254028-7763-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19497.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad)
---
src/openvpn/init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 8bac74f97..e153682ed 100644
--- ./src/openvpn/init.c
+++ ./src/openvpn/init.c
@@ -269,6 +269,7 @@ ce_management_query_proxy(struct context *c)
buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
(proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
management_notify_generic(management, BSTR(&out));
+ management->persist.special_state_msg = BSTR(&out);
}
ce->flags |= CE_MAN_QUERY_PROXY;
while (ce->flags & CE_MAN_QUERY_PROXY)
@@ -280,6 +281,7 @@ ce_management_query_proxy(struct context *c)
break;
}
}
+ management->persist.special_state_msg = NULL;
gc_free(&gc);
}
@@ -349,6 +351,7 @@ ce_management_query_remote(struct context *c)
buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
proto2ascii(ce->proto, ce->af, false));
management_notify_generic(management, BSTR(&out));
+ management->persist.special_state_msg = BSTR(&out);
ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
@@ -362,6 +365,7 @@ ce_management_query_remote(struct context *c)
break;
}
}
+ management->persist.special_state_msg = NULL;
}
gc_free(&gc);


@@ -1,214 +0,0 @@
From b89e48b015e581a4a0f5c306e2ab20da34c862ea Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Tue, 24 Jul 2018 22:34:53 -0400
Subject: [PATCH] Parse static challenge response in auth-pam plugin
If static challenge is in use, the password passed to the plugin by openvpn
is of the form "SCRV1:base64-pass:base64-response". Parse this string to
separate it into password and response and use them to respond to queries
in the pam conversation function.
On the plugin parameters line the substitution keyword for the static
challenge response is "OTP". For example, for pam config named "test" that
prompts for "user", "password" and "pin", use
plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1532486093-24793-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17307.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7369d01bf360bcfa02f26c05b86dde5496d120f6)
---
src/plugins/auth-pam/README.auth-pam | 15 ++++--
src/plugins/auth-pam/auth-pam.c | 75 +++++++++++++++++++++++++++-
2 files changed, 84 insertions(+), 6 deletions(-)
diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam
index e12369021..908156542 100644
--- a/src/plugins/auth-pam/README.auth-pam
+++ ./src/plugins/auth-pam/README.auth-pam
@@ -36,19 +36,20 @@ pairs to answer PAM module queries.
For example:
- plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
tells auth-pam to (a) use the "login" PAM module, (b) answer a
-"login" query with the username given by the OpenVPN client, and
-(c) answer a "password" query with the password given by the
-OpenVPN client. This provides flexibility in dealing with the different
+"login" query with the username given by the OpenVPN client,
+(c) answer a "password" query with the password, and (d) answer a
+"pin" query with the OTP given by the OpenVPN client.
+This provides flexibility in dealing with different
types of query strings which different PAM modules might generate.
For example, suppose you were using a PAM module called
"test" which queried for "name" rather than "login":
plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
-While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
+While "USERNAME" "COMMONNAME" "PASSWORD" and "OTP" are special strings which substitute
to client-supplied values, it is also possible to name literal values
to use as PAM module query responses. For example, suppose that the
login module queried for a third parameter, "domain" which
@@ -61,6 +62,10 @@ the operation of this plugin:
client-cert-not-required
username-as-common-name
+ static-challenge
+
+Use of --static challenege is required to pass a pin (represented by "OTP" in
+parameter substituion) or a second password.
Run OpenVPN with --verb 7 or higher to get debugging output from
this plugin, including the list of queries presented by the
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 5ba4dc4cb..1324307f1 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ ./src/plugins/auth-pam/auth-pam.c
@@ -6,6 +6,7 @@
* packet compression.
*
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2016-2018 Selva Nair <selva.nair@gmail.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -64,6 +65,7 @@
/* Pointers to functions exported from openvpn */
static plugin_secure_memzero_t plugin_secure_memzero = NULL;
+static plugin_base64_decode_t plugin_base64_decode = NULL;
/*
* Plugin state, used by foreground
@@ -87,6 +89,7 @@ struct auth_pam_context
* "USERNAME" -- substitute client-supplied username
* "PASSWORD" -- substitute client-specified password
* "COMMONNAME" -- substitute client certificate common name
+ * "OTP" -- substitute static challenge response if available
*/
#define N_NAME_VALUE 16
@@ -111,6 +114,7 @@ struct user_pass {
char username[128];
char password[128];
char common_name[128];
+ char response[128];
const struct name_value_list *name_value_list;
};
@@ -276,6 +280,66 @@ name_value_match(const char *query, const char *match)
return strncasecmp(match, query, strlen(match)) == 0;
}
+/*
+ * Split and decode up->password in the form SCRV1:base64_pass:base64_response
+ * into pass and response and save in up->password and up->response.
+ * If the password is not in the expected format, input is not changed.
+ */
+static void
+split_scrv1_password(struct user_pass *up)
+{
+ const int skip = strlen("SCRV1:");
+ if (strncmp(up->password, "SCRV1:", skip) != 0)
+ {
+ return;
+ }
+
+ char *tmp = strdup(up->password);
+ if (!tmp)
+ {
+ fprintf(stderr, "AUTH-PAM: out of memory parsing static challenge password\n");
+ goto out;
+ }
+
+ char *pass = tmp + skip;
+ char *resp = strchr(pass, ':');
+ if (!resp) /* string not in SCRV1:xx:yy format */
+ {
+ goto out;
+ }
+ *resp++ = '\0';
+
+ int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
+ if (n > 0)
+ {
+ up->password[n] = '\0';
+ n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
+ if (n > 0)
+ {
+ up->response[n] = '\0';
+ if (DEBUG(up->verb))
+ {
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: parsed static challenge password\n");
+ }
+ goto out;
+ }
+ }
+
+ /* decode error: reinstate original value of up->password and return */
+ plugin_secure_memzero(up->password, sizeof(up->password));
+ plugin_secure_memzero(up->response, sizeof(up->response));
+ strcpy(up->password, tmp); /* tmp is guaranteed to fit in up->password */
+
+ fprintf(stderr, "AUTH-PAM: base64 decode error while parsing static challenge password\n");
+
+out:
+ if (tmp)
+ {
+ plugin_secure_memzero(tmp, strlen(tmp));
+ free(tmp);
+ }
+}
+
OPENVPN_EXPORT int
openvpn_plugin_open_v3(const int v3structver,
struct openvpn_plugin_args_open_in const *args,
@@ -316,6 +380,7 @@ openvpn_plugin_open_v3(const int v3structver,
/* Save global pointers to functions exported from openvpn */
plugin_secure_memzero = args->callbacks->plugin_secure_memzero;
+ plugin_base64_decode = args->callbacks->plugin_base64_decode;
/*
* Make sure we have two string arguments: the first is the .so name,
@@ -599,6 +664,10 @@ my_conv(int n, const struct pam_message **msg_array,
{
aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
}
+ else if (strstr(match_value, "OTP"))
+ {
+ aresp[i].resp = searchandreplace(match_value, "OTP", up->response);
+ }
else
{
aresp[i].resp = strdup(match_value);
@@ -787,6 +856,9 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
#endif
}
+ /* If password is of the form SCRV1:base64:base64 split it up */
+ split_scrv1_password(&up);
+
if (pam_auth(service, &up)) /* Succeeded */
{
if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
@@ -818,10 +890,11 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
command);
goto done;
}
+ plugin_secure_memzero(up.response, sizeof(up.response));
}
done:
-
plugin_secure_memzero(up.password, sizeof(up.password));
+ plugin_secure_memzero(up.response, sizeof(up.response));
#ifdef USE_PAM_DLOPEN
dlclose_pam();
#endif


@@ -1,40 +0,0 @@
From cab48ad43eaba51c54fa23e55b0b2eb436dd921f Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Tue, 7 Aug 2018 22:44:31 -0400
Subject: [PATCH] Accept empty password and/or response in auth-pam plugin
In the auth-pam plugin correctly parse the static challenge string
even when password or challenge response is empty.
Whether an empty user input is an error is determined by the PAM
conversation function depending on whether the PAM module queries
for it or not.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1533696271-21799-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17382.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7a8109023f4c345fe12f23421c5fa7e88e1ea85b)
---
src/plugins/auth-pam/auth-pam.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 1324307f1..88b53204b 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ ./src/plugins/auth-pam/auth-pam.c
@@ -310,11 +310,11 @@ split_scrv1_password(struct user_pass *up)
*resp++ = '\0';
int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
- if (n > 0)
+ if (n >= 0)
{
up->password[n] = '\0';
n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
- if (n > 0)
+ if (n >= 0)
{
up->response[n] = '\0';
if (DEBUG(up->verb))
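Review bot: this local patch is deleted whole; its trailer records it as a cherry-pick of upstream commit 7a8109023f4c345fe12f23421c5fa7e88e1ea85b, so dropping it is only correct if that commit is on release/2.5, which the ports commit message should state for each removed patch. The n > 0 to n >= 0 relaxation it carried (accepting an empty decoded password or response) changes authentication behaviour, so a reviewer wants confirmation that 2.5.0 ships with it rather than silently reverting to rejecting empty fields.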

View File

@@ -1,28 +0,0 @@
From fc0297143494e0a0f08564d90dbb210669d0abf5 Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <a@unstable.cc>
Date: Sat, 30 May 2020 02:05:54 +0200
Subject: [PATCH] pool: prevent IPv6 pools to be larger than 2^16 addresses
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200530000600.1680-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19945.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 81d66a1f14d4be3282dd648ecc2049658e3a65ed)
---
src/openvpn/pool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
index da28bc06b..e45bf88a2 100644
--- ./src/openvpn/pool.c
+++ ./src/openvpn/pool.c
@@ -183,7 +183,7 @@ ifconfig_pool_init(int type, in_addr_t start, in_addr_t end,
if (pool->ipv6)
{
pool->base_ipv6 = ipv6_base;
- pool->size_ipv6 = ipv6_netbits>96 ? ( 1<<(128-ipv6_netbits) )
+ pool->size_ipv6 = ipv6_netbits > 112 ? (1 << (128 - ipv6_netbits))
: IFCONFIG_POOL_MAX;
msg( D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: (IPv4) size=%d, size_ipv6=%d, netbits=%d, base_ipv6=%s",
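Review bot: same check as for the previous removed patch: the trailer cites upstream commit 81d66a1f14d4be3282dd648ecc2049658e3a65ed, and the fix it carried uses IFCONFIG_POOL_MAX for any prefix of /112 or shorter instead of computing 1 << (128 - netbits) for prefixes down to /97, where a /97 evaluates 1 << 31 in a signed int. Confirm the change is present in 2.5.0 before removing the patch file.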

View File

@@ -1,69 +0,0 @@
In the corner case that the global OpenSSL has an invalid command like
MinProtocol = TLSv1.0
(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
the SSL_ctx_new function leaves the errors for parsing the config file
on the stack.
OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
Since the later functions, especially the one of loading the
certificates expected a clean error this error got reported at the
wrong place.
Print the warnings with crypto_msg when we detect that we are in this
situation (this also clears the stack).
---
src/openvpn/ssl_openssl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
Acked-by: Gert Doering <gert@greenie.muc.de>
"Explanation and Code make sense, Debian testing confirmed it fixes
the problem observed" (which was a user error in the end, but led to an
unexpected error in openvpn).
Basic client test run with openssl 1.1.1 on Linux/Gentoo.
Your patch has been applied to the master and release/2.4 branch.
commit 75aa88af774abaa168bf72e43e1dbb57be14c044 (master)
commit 125654bfa6f99a251b581522182e85748dd8043a (release/2.4)
Author: Arne Schwabe
Date: Tue Apr 21 12:11:22 2020 +0200
Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200421101122.24284-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19802.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--- src/openvpn/ssl_openssl.c.orig 2020-04-16 13:26:45 UTC
+++ src/openvpn/ssl_openssl.c
@@ -110,6 +110,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
{
crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
}
+ if (ERR_peek_error() != 0)
+ {
+ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
+ "has warnings.");
+ }
}
void
@@ -122,6 +127,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
if (ctx->ctx == NULL)
{
crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
+ }
+ if (ERR_peek_error() != 0)
+ {
+ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
+ "has warnings.");
}
}
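Review bot: the mailing-list note embedded in this removed patch already records upstream commits 75aa88af774abaa168bf72e43e1dbb57be14c044 (master) and 125654bfa6f99a251b581522182e85748dd8043a (release/2.4), so the fix is in 2.5 and the deletion is correct; listing the removed patch files with their upstream commits in the ports commit message would make that auditable without reading each deleted file. The two hunks are behaviourally equivalent (ERR_peek_error() != 0 followed by crypto_msg(M_WARN, ...), which also drains the error stack), but the client hunk inserts a new closing brace and reuses the old one, which is harder to read than the server hunk's form.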

View File

@@ -1,9 +1,9 @@
include/openvpn-plugin.h
include/openvpn-msg.h
include/openvpn-plugin.h
lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.so
libexec/openvpn-client.down
libexec/openvpn-client.up
man/man8/openvpn.8.gz
sbin/openvpn
sbin/openvpn-client
libexec/openvpn-client.up
libexec/openvpn-client.down
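Review bot: with the +/- markers lost in this rendering, the hunk shows include/openvpn-plugin.h twice and libexec/openvpn-client.up and libexec/openvpn-client.down twice, but the -1,9 +1,9 header says the same nine entries are kept, so this is a pure reorder (sorting for portclippy) rather than a content change. Confirm nothing else in 2.5.0's install set (new man pages, sample files) should have been added while the plist was being touched.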