Skip to content

Commit

Permalink
security/openvpn: fix regressions and some documentation bits
Browse files Browse the repository at this point in the history
Add two patches cherry-picked from upstream Git repository:

OpenVPN 2.6.7 regressed and experienced crashes in some situations,
OpenVPN/openvpn#449
Reported by:	Vladimir Druzenko (vvd@)
Reported by:	Patrick Cable (upstream)
Obtained from:	OpenVPN/openvpn@b90ec6d

Also, some typos in the documentation are fixed,
Obtained from:	OpenVPN/openvpn@457f468

Bump PORTREVISION.
PR:		275055
MFH:		2023Q4
  • Loading branch information
mandree committed Nov 15, 2023
1 parent 92d08c5 commit 8d2e9d9
Show file tree
Hide file tree
Showing 3 changed files with 138 additions and 1 deletion.
2 changes: 1 addition & 1 deletion security/openvpn/Makefile
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
PORTNAME= openvpn
DISTVERSION= 2.6.7
PORTREVISION?= 0
PORTREVISION?= 1
CATEGORIES= security net net-vpn
MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
https://build.openvpn.net/downloads/releases/ \
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
From 457f468a76f324a14b1236988cc5f5a95f14abf5 Mon Sep 17 00:00:00 2001
From: Aquila Macedo <[email protected]>
Date: Thu, 19 Oct 2023 16:40:49 -0300
Subject: [PATCH] doc: Correct typos in multiple documentation files

Fixed typographical errors in various documentation files for improved clarity and readability.

Signed-off-by: Aquila Macedo <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg27320.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 20c42b89f6d38a4426b5fe67f59acaadcb9ac314)
---
doc/man-sections/client-options.rst | 4 ++--
doc/man-sections/generic-options.rst | 2 +-
doc/man-sections/server-options.rst | 2 +-
doc/man-sections/vpn-network-options.rst | 2 +-
src/openvpn/options.c | 2 +-
5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index 3616ed7f3f8..54c4ec63073 100644
--- ./doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -51,9 +51,9 @@ configuration.
react according to ``--auth-retry``

--auth-token-user base64username
- Companion option to ``--auth-token``. This options allows to override
+ Companion option to ``--auth-token``. This options allows one to override
the username used by the client when reauthenticating with the ``auth-token``.
- It also allows to use ``--auth-token`` in setups that normally do not use
+ It also allows one to use ``--auth-token`` in setups that normally do not use
username and password.

The username has to be base64 encoded.
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index 97e1b5aa610..95e4ca233bd 100644
--- ./doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -483,7 +483,7 @@ which mode OpenVPN is configured as.

* :code:`OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY` plug-in hooks returns
success/failure via :code:`auth_control_file` when using deferred auth
- method and pending authentification via :code:`pending_auth_file`.
+ method and pending authentication via :code:`pending_auth_file`.

--use-prediction-resistance
Enable prediction resistance on mbed TLS's RNG.
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index 6b9ad21b816..e7a7b2dba43 100644
--- ./doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -739,7 +739,7 @@ fast hardware. SSL/TLS authentication must be used in this mode.

--vlan-pvid v
Specifies which VLAN identifier a "port" is associated with. Only valid
- when ``--vlan-tagging`` is speficied.
+ when ``--vlan-tagging`` is specified.

In the client context, the setting specifies which VLAN ID a client is
associated with. In the global context, the VLAN ID of the server TAP
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
index 3fa3ccf1073..41d367bfd0e 100644
--- ./doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -548,7 +548,7 @@ routing.
It's best to use the ``--fragment`` and/or ``--mssfix`` options to deal
with MTU sizing issues.

- Note: Depending on the platform, the operating system allows to receive
+ Note: Depending on the platform, the operating system allows one to receive
packets larger than ``tun-mtu`` (e.g. Linux and FreeBSD) but other platforms
(like macOS) limit received packets to the same size as the MTU.

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 631ac73db8f..895ce830f6a 100644
--- ./src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -598,7 +598,7 @@ static const char usage_message[] =
" Windows Certificate System Store.\n"
#endif
"--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
- "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
+ "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
" : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
"--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
" (default=legacy).\n"
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
From a903ebe9361d451daee71c225e141f4e1b67107d Mon Sep 17 00:00:00 2001
From: Arne Schwabe <[email protected]>
Date: Wed, 15 Nov 2023 11:33:31 +0100
Subject: [PATCH] Do not check key_state buffers that are in S_UNDEF state

When a key_state is in S_UNDEF the send_reliable is not initialised. So
checking it might access invalid memory or null pointers.

Github: fixes OpenVPN/openvpn#449

Change-Id: I226a73d47a2b1b29f7ec175ce23a806593abc2ac
[[email protected]: add check for !send_reliable and message]
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg27401.html
Signed-off-by: Gert Doering <[email protected]>
---
src/openvpn/ssl.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index cee4afe19f3..b4cd8f5a567 100644
--- ./src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3189,6 +3189,22 @@ check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
for (int i = 0; i < KS_SIZE; i++)
{
struct key_state *ks = &session->key[i];
+ if (ks->state == S_UNDEF)
+ {
+ continue;
+ }
+
+ /* we don't expect send_reliable to be NULL when state is
+ * not S_UNDEF, but people have reported crashes nonetheless,
+ * therefore we better catch this event, report and exit.
+ */
+ if (!ks->send_reliable)
+ {
+ msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL "
+ "while key state is %s. Exiting.",
+ i, state_name(ks->state));
+ }
+
for (int j = 0; j < ks->send_reliable->size; j++)
{
if (ks->send_reliable->array[i].buf.data == dataptr)

0 comments on commit 8d2e9d9

Please sign in to comment.