forked from freebsd/freebsd-ports
security/openvpn: fix regressions and some documentation bits
Add two patches cherry-picked from upstream Git repository:
OpenVPN 2.6.7 regressed and experienced crashes in some situations,
OpenVPN/openvpn#449

Reported by: Vladimir Druzenko (vvd@)
Reported by: Patrick Cable (upstream)
Obtained from: OpenVPN/openvpn@b90ec6d

Also, some typos in the documentation are fixed,
Obtained from: OpenVPN/openvpn@457f468

Bump PORTREVISION.

PR: 275055
MFH: 2023Q4
Showing 3 changed files with 138 additions and 1 deletion.
security/openvpn/files/patch-git-457f468a76f324a14b1236988cc5f5a95f14abf5 (89 additions & 0 deletions)
@@ -0,0 +1,89 @@ | ||
From 457f468a76f324a14b1236988cc5f5a95f14abf5 Mon Sep 17 00:00:00 2001 | ||
From: Aquila Macedo <[email protected]> | ||
Date: Thu, 19 Oct 2023 16:40:49 -0300 | ||
Subject: [PATCH] doc: Correct typos in multiple documentation files | ||
|
||
Fixed typographical errors in various documentation files for improved clarity and readability. | ||
|
||
Signed-off-by: Aquila Macedo <[email protected]> | ||
Acked-by: Frank Lichtenheld <[email protected]> | ||
Message-Id: <[email protected]> | ||
URL: https://www.mail-archive.com/[email protected]/msg27320.html | ||
Signed-off-by: Gert Doering <[email protected]> | ||
(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314) | ||
--- | ||
doc/man-sections/client-options.rst | 4 ++-- | ||
doc/man-sections/generic-options.rst | 2 +- | ||
doc/man-sections/server-options.rst | 2 +- | ||
doc/man-sections/vpn-network-options.rst | 2 +- | ||
src/openvpn/options.c | 2 +- | ||
5 files changed, 6 insertions(+), 6 deletions(-) | ||
|
||
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst | ||
index 3616ed7f3f8..54c4ec63073 100644 | ||
--- ./doc/man-sections/client-options.rst | ||
+++ b/doc/man-sections/client-options.rst | ||
@@ -51,9 +51,9 @@ configuration. | ||
react according to ``--auth-retry`` | ||
|
||
--auth-token-user base64username | ||
- Companion option to ``--auth-token``. This options allows to override | ||
+ Companion option to ``--auth-token``. This options allows one to override | ||
the username used by the client when reauthenticating with the ``auth-token``. | ||
- It also allows to use ``--auth-token`` in setups that normally do not use | ||
+ It also allows one to use ``--auth-token`` in setups that normally do not use | ||
username and password. | ||
|
||
The username has to be base64 encoded. | ||
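Review bot: the `---` header of this embedded diff has been rewritten to `./doc/man-sections/client-options.rst` while the `+++` header still carries the upstream `b/` prefix; the same mixed form repeats in every file below. The mismatch is harmless in practice, since patch(1) uses whichever of the two names resolves, and the `./` form is what the ports framework's default `-p0` strip level needs inside WRKSRC, but it means the file is not byte-identical to the upstream commit its `patch-git-<hash>` name points at. A one-line remark in the commit message that the paths were adjusted for the port would save the next maintainer a diff against upstream.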
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst | ||
index 97e1b5aa610..95e4ca233bd 100644 | ||
--- ./doc/man-sections/generic-options.rst | ||
+++ b/doc/man-sections/generic-options.rst | ||
@@ -483,7 +483,7 @@ which mode OpenVPN is configured as. | ||
|
||
* :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns | ||
success/failure via :code:`auth_control_file` when using deferred auth | ||
- method and pending authentification via :code:`pending_auth_file`. | ||
+ method and pending authentication via :code:`pending_auth_file`. | ||
|
||
--use-prediction-resistance | ||
Enable prediction resistance on mbed TLS's RNG. | ||
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst | ||
index 6b9ad21b816..e7a7b2dba43 100644 | ||
--- ./doc/man-sections/server-options.rst | ||
+++ b/doc/man-sections/server-options.rst | ||
@@ -739,7 +739,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. | ||
|
||
--vlan-pvid v | ||
Specifies which VLAN identifier a "port" is associated with. Only valid | ||
- when ``--vlan-tagging`` is speficied. | ||
+ when ``--vlan-tagging`` is specified. | ||
|
||
In the client context, the setting specifies which VLAN ID a client is | ||
associated with. In the global context, the VLAN ID of the server TAP | ||
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst | ||
index 3fa3ccf1073..41d367bfd0e 100644 | ||
--- ./doc/man-sections/vpn-network-options.rst | ||
+++ b/doc/man-sections/vpn-network-options.rst | ||
@@ -548,7 +548,7 @@ routing. | ||
It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal | ||
with MTU sizing issues. | ||
|
||
- Note: Depending on the platform, the operating system allows to receive | ||
+ Note: Depending on the platform, the operating system allows one to receive | ||
packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms | ||
(like macOS) limit received packets to the same size as the MTU. | ||
|
||
diff --git a/src/openvpn/options.c b/src/openvpn/options.c | ||
index 631ac73db8f..895ce830f6a 100644 | ||
--- ./src/openvpn/options.c | ||
+++ b/src/openvpn/options.c | ||
@@ -598,7 +598,7 @@ static const char usage_message[] = | ||
" Windows Certificate System Store.\n" | ||
#endif | ||
"--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n" | ||
- "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n" | ||
+ "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n" | ||
" : Use --show-tls to see a list of supported TLS ciphers (suites).\n" | ||
"--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n" | ||
" (default=legacy).\n" |
security/openvpn/files/patch-git-a903ebe9361d451daee71c225e141f4e1b67107d (48 additions & 0 deletions)
@@ -0,0 +1,48 @@ | ||
From a903ebe9361d451daee71c225e141f4e1b67107d Mon Sep 17 00:00:00 2001 | ||
From: Arne Schwabe <[email protected]> | ||
Date: Wed, 15 Nov 2023 11:33:31 +0100 | ||
Subject: [PATCH] Do not check key_state buffers that are in S_UNDEF state | ||
|
||
When a key_state is in S_UNDEF the send_reliable is not initialised. So | ||
checking it might access invalid memory or null pointers. | ||
|
||
Github: fixes OpenVPN/openvpn#449 | ||
|
||
Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac | ||
[[email protected]: add check for !send_reliable and message] | ||
Signed-off-by: Arne Schwabe <[email protected]> | ||
Acked-by: Gert Doering <[email protected]> | ||
Message-Id: <[email protected]> | ||
URL: https://www.mail-archive.com/[email protected]/msg27401.html | ||
Signed-off-by: Gert Doering <[email protected]> | ||
--- | ||
src/openvpn/ssl.c | 16 ++++++++++++++++ | ||
1 file changed, 16 insertions(+) | ||
|
||
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c | ||
index cee4afe19f3..b4cd8f5a567 100644 | ||
--- ./src/openvpn/ssl.c | ||
+++ b/src/openvpn/ssl.c | ||
@@ -3189,6 +3189,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session) | ||
for (int i = 0; i < KS_SIZE; i++) | ||
{ | ||
struct key_state *ks = &session->key[i]; | ||
+ if (ks->state == S_UNDEF) | ||
+ { | ||
+ continue; | ||
+ } | ||
+ | ||
+ /* we don't expect send_reliable to be NULL when state is | ||
+ * not S_UNDEF, but people have reported crashes nonetheless, | ||
+ * therefore we better catch this event, report and exit. | ||
+ */ | ||
+ if (!ks->send_reliable) | ||
+ { | ||
+ msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL " | ||
+ "while key state is %s. Exiting.", | ||
+ i, state_name(ks->state)); | ||
+ } | ||
+ | ||
for (int j = 0; j < ks->send_reliable->size; j++) | ||
{ | ||
if (ks->send_reliable->array[i].buf.data == dataptr) |
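Review bot: the unchanged context line `ks->send_reliable->array[i].buf.data` indexes the reliable array with the outer key-slot variable `i` (bounded by KS_SIZE) while the inner loop iterates `j` up to `ks->send_reliable->size`; unless that is intentional, it should read `array[j]`, because as written the loop re-inspects the same entry on every iteration and `j` is unused, so the "buffer still in use" check this function exists for does not cover the whole array. That is a pre-existing defect rather than one introduced here, but since this port update is specifically about field-reported crashes in this helper, it is worth checking upstream for a follow-up before shipping only this hunk. The two added guards themselves are sound: skipping `S_UNDEF` states avoids touching a `send_reliable` that was never initialised, and the `M_FATAL` check turns a NULL dereference into a logged exit naming the key state, which is the right behaviour for a consistency check but still terminates the daemon, so it should be read as better diagnostics, not as the fix for whatever leaves `send_reliable` NULL.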