git: 5b06fb3b7d7d - main - security/openvpn: update to v2.6.15

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Wed, 24 Sep 2025 07:47:17 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5b06fb3b7d7d1d553a2006c532db3be1305d464a

commit 5b06fb3b7d7d1d553a2006c532db3be1305d464a
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-09-23 20:12:12 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-09-23 21:10:58 +0000

    security/openvpn: update to v2.6.15
    
    ChangeLog:      https://github.com/OpenVPN/openvpn/blob/v2.6.15/Changes.rst#overview-of-changes-in-2615
    
    FreeBSD relevant changes:
      (note the DCO float notifications had previously been backported
      for the FreeBSD port already in 2.6.14_3, and we're not currently
      building with mbedTLS support for 2.6.x)
    
    New features / User visible changes
    -----------------------------------
    - Apply more checks to incoming TLS handshake packets before creating
      new state - namely, verify message ID / acked ID for "valid range for
      an initial packet".  This fixes a problem with clients that float
      very early but send control channel packet from the pre-float IP
      (Github: OpenVPN/openvpn#704), backported from 2.7_beta1.
    
    - update GPL license text to latest version from FSF
    
    Code maintenance
    ----------------
    - remove a few extra newline characters at the end of rarely-seen log lines
    
    - replace assert() calls in the code with OpenVPN ASSERT() calls
      (not subject to -DNDEBUG, plus better logging on the actual cause)
    
    - remove "dh dh2048.pem" from all sample configurations, remove "dh2048.pem"
      file from source tree - OpenSSL 3.5 Seclevel=3 considers this "not
      secure enough" and OpenVPN has not needed an explicit DH file in a long while.
    
    Documentation Updates
    ---------------------
    - improve ``--tmp-dir`` documentation
---
 security/openvpn/Makefile                          |  5 +-
 security/openvpn/distinfo                          |  6 +-
 .../patch-doc_man-sections_generic-options.rst     |  4 +-
 .../patch-doc_tests_authentication-plugins.md      | 11 ---
 ...ch-sample__sample-config-files__loopback-server | 12 +--
 .../patch-sample_sample-config-files_server.conf   | 21 -----
 ...ugins_keying-material-exporter-demo_server.ovpn | 11 ---
 .../openvpn/files/patch-src_openvpn_dco__freebsd.c | 90 ----------------------
 .../openvpn/files/patch-src_openvpn_dco__freebsd.h | 18 -----
 security/openvpn/files/patch-src_openvpn_forward.c | 44 -----------
 security/openvpn/files/patch-src_openvpn_forward.h | 24 ------
 security/openvpn/files/patch-src_openvpn_init.c    | 22 ------
 security/openvpn/files/patch-src_openvpn_multi.c   | 39 ----------
 .../files/patch-src_openvpn_ovpn__dco__freebsd.h   | 10 ---
 14 files changed, 9 insertions(+), 308 deletions(-)

diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 690ac26738d8..4a04c1934186 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=		openvpn
-DISTVERSION=		2.6.14
-PORTREVISION?=		3
+DISTVERSION=		2.6.15
+PORTREVISION?=		0
 CATEGORIES=		security net net-vpn
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/ \
@@ -105,7 +105,6 @@ pre-everything::
 .endif
 
 post-patch:
-	${RM} sample/sample-keys/dh2048.pem  # no longer needed
 	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
 		-e 's/"nobody"( after init)/"openvpn" \1/' \
 		${WRKSRC}/sample/sample-config-files/*.conf \
diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo
index 9274b1ed493c..514208b4bb7b 100644
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1743554391
-SHA256 (openvpn-2.6.14.tar.gz) = 9eb6a6618352f9e7b771a9d38ae1631b5edfeed6d40233e243e602ddf2195e7a
-SIZE (openvpn-2.6.14.tar.gz) = 1926343
+TIMESTAMP = 1758657418
+SHA256 (openvpn-2.6.15.tar.gz) = e35513ee15995e3c71adfd8891b9f33522896c70b3baa2ed9a23c7a42c4d7bde
+SIZE (openvpn-2.6.15.tar.gz) = 1917742
diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
index 28c93860b329..ccb2493991c4 100644
--- a/security/openvpn/files/patch-doc_man-sections_generic-options.rst
+++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
@@ -1,6 +1,6 @@
---- doc/man-sections/generic-options.rst.orig	2025-04-02 06:53:10 UTC
+--- doc/man-sections/generic-options.rst.orig	2025-09-22 09:50:37 UTC
 +++ doc/man-sections/generic-options.rst
-@@ -514,5 +514,8 @@ --user user
+@@ -513,5 +513,8 @@ --user user
    since it is usually used by other system services already. Always
    create a dedicated user for openvpn.
  
diff --git a/security/openvpn/files/patch-doc_tests_authentication-plugins.md b/security/openvpn/files/patch-doc_tests_authentication-plugins.md
deleted file mode 100644
index d680c64019f7..000000000000
--- a/security/openvpn/files/patch-doc_tests_authentication-plugins.md
+++ /dev/null
@@ -1,11 +0,0 @@
---- doc/tests/authentication-plugins.md.orig	2025-04-02 06:53:10 UTC
-+++ doc/tests/authentication-plugins.md
-@@ -36,7 +36,7 @@ To build the needed authentication plug-in, run:
-       verb 4
-       dev tun
-       server 10.8.0.0 255.255.255.0
--      dh sample/sample-keys/dh2048.pem
-+      dh none
-       ca sample/sample-keys/ca.crt
-       cert sample/sample-keys/server.crt
-       key sample/sample-keys/server.key
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-server b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
index 3eac712d9054..06b3eb9f184d 100644
--- a/security/openvpn/files/patch-sample__sample-config-files__loopback-server
+++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
@@ -1,6 +1,6 @@
---- sample/sample-config-files/loopback-server.orig	2025-04-02 06:53:10 UTC
+--- sample/sample-config-files/loopback-server.orig	2025-09-22 09:50:37 UTC
 +++ sample/sample-config-files/loopback-server
-@@ -9,15 +9,15 @@
+@@ -9,8 +9,8 @@
  #  ./openvpn --config sample-config-files/loopback-client  (In one window) 
  #  ./openvpn --config sample-config-files/loopback-server  (Simultaneously in another window) 
  
@@ -11,11 +11,3 @@
  remote localhost
  local localhost
  dev null
- verb 3
- reneg-sec 10
- tls-server
--dh sample-keys/dh2048.pem
-+dh none
- ca sample-keys/ca.crt
- key sample-keys/server.key
- cert sample-keys/server.crt
diff --git a/security/openvpn/files/patch-sample_sample-config-files_server.conf b/security/openvpn/files/patch-sample_sample-config-files_server.conf
deleted file mode 100644
index ba2194589405..000000000000
--- a/security/openvpn/files/patch-sample_sample-config-files_server.conf
+++ /dev/null
@@ -1,21 +0,0 @@
---- sample/sample-config-files/server.conf.orig	2025-04-02 06:53:10 UTC
-+++ sample/sample-config-files/server.conf
-@@ -87,11 +87,6 @@ key server.key  # This file should be kept secret
- cert server.crt
- key server.key  # This file should be kept secret
- 
--# Diffie hellman parameters.
--# Generate your own with:
--#   openssl dhparam -out dh2048.pem 2048
--dh dh2048.pem
--
- # Allow to connect to really old OpenVPN versions
- # without AEAD support (OpenVPN 2.3.x or older)
- # This adds AES-256-CBC as fallback cipher and
-@@ -307,4 +302,4 @@ verb 3
- 
- # Notify the client that when the server restarts so it
- # can automatically reconnect.
--explicit-exit-notify 1
-\ No newline at end of file
-+explicit-exit-notify 1
diff --git a/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn b/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn
deleted file mode 100644
index 2ff14e611905..000000000000
--- a/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn
+++ /dev/null
@@ -1,11 +0,0 @@
---- sample/sample-plugins/keying-material-exporter-demo/server.ovpn.orig	2025-04-02 06:53:10 UTC
-+++ sample/sample-plugins/keying-material-exporter-demo/server.ovpn
-@@ -8,7 +8,7 @@ key    ../../sample-keys/server.key
- ca     ../../sample-keys/ca.crt
- cert   ../../sample-keys/server.crt
- key    ../../sample-keys/server.key
--dh     ../../sample-keys/dh2048.pem
-+dh     none
- 
- server 10.8.0.0 255.255.255.0
- port 1194
diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.c b/security/openvpn/files/patch-src_openvpn_dco__freebsd.c
deleted file mode 100644
index 686fc6584be7..000000000000
--- a/security/openvpn/files/patch-src_openvpn_dco__freebsd.c
+++ /dev/null
@@ -1,90 +0,0 @@
---- src/openvpn/dco_freebsd.c.orig	2025-04-02 06:53:10 UTC
-+++ src/openvpn/dco_freebsd.c
-@@ -72,6 +72,61 @@ sockaddr_to_nvlist(const struct sockaddr *sa)
-     return (nvl);
- }
- 
-+static bool
-+nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss)
-+{
-+    if (!nvlist_exists_number(nvl, "af"))
-+    {
-+        return (false);
-+    }
-+    if (!nvlist_exists_binary(nvl, "address"))
-+    {
-+        return (false);
-+    }
-+    if (!nvlist_exists_number(nvl, "port"))
-+    {
-+        return (false);
-+    }
-+
-+    ss->ss_family = nvlist_get_number(nvl, "af");
-+
-+    switch (ss->ss_family)
-+    {
-+        case AF_INET:
-+        {
-+            struct sockaddr_in *in = (struct sockaddr_in *)ss;
-+            const void *data;
-+            size_t len;
-+
-+            in->sin_len = sizeof(*in);
-+            data = nvlist_get_binary(nvl, "address", &len);
-+            ASSERT(len == sizeof(in->sin_addr));
-+            memcpy(&in->sin_addr, data, sizeof(in->sin_addr));
-+            in->sin_port = nvlist_get_number(nvl, "port");
-+            break;
-+        }
-+
-+        case AF_INET6:
-+        {
-+            struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
-+            const void *data;
-+            size_t len;
-+
-+            in6->sin6_len = sizeof(*in6);
-+            data = nvlist_get_binary(nvl, "address", &len);
-+            ASSERT(len == sizeof(in6->sin6_addr));
-+            memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr));
-+            in6->sin6_port = nvlist_get_number(nvl, "port");
-+            break;
-+        }
-+
-+        default:
-+            return (false);
-+    }
-+
-+    return (true);
-+}
-+
- int
- dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
-              struct sockaddr *localaddr, struct sockaddr *remoteaddr,
-@@ -570,6 +625,25 @@ dco_do_read(dco_context_t *dco)
-         case OVPN_NOTIF_ROTATE_KEY:
-             dco->dco_message_type = OVPN_CMD_SWAP_KEYS;
-             break;
-+
-+        case OVPN_NOTIF_FLOAT: {
-+            const nvlist_t *address;
-+
-+            if (!nvlist_exists_nvlist(nvl, "address"))
-+            {
-+                msg(M_WARN, "Float notification without address");
-+                break;
-+            }
-+
-+            address = nvlist_get_nvlist(nvl, "address");
-+            if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss))
-+            {
-+                msg(M_WARN, "Failed to parse float notification");
-+                break;
-+            }
-+            dco->dco_message_type = OVPN_CMD_FLOAT_PEER;
-+            break;
-+        }
- 
-         default:
-             msg(M_WARN, "Unknown kernel notification %d", type);
diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.h b/security/openvpn/files/patch-src_openvpn_dco__freebsd.h
deleted file mode 100644
index 32dd08563f27..000000000000
--- a/security/openvpn/files/patch-src_openvpn_dco__freebsd.h
+++ /dev/null
@@ -1,18 +0,0 @@
---- src/openvpn/dco_freebsd.h.orig	2025-04-02 06:53:10 UTC
-+++ src/openvpn/dco_freebsd.h
-@@ -36,6 +36,7 @@ enum ovpn_message_type_t {
-     OVPN_CMD_DEL_PEER,
-     OVPN_CMD_PACKET,
-     OVPN_CMD_SWAP_KEYS,
-+    OVPN_CMD_FLOAT_PEER,
- };
- 
- enum ovpn_del_reason_t {
-@@ -55,6 +56,7 @@ typedef struct dco_context {
-     int dco_message_type;
-     int dco_message_peer_id;
-     int dco_del_peer_reason;
-+    struct sockaddr_storage dco_float_peer_ss;
-     uint64_t dco_read_bytes;
-     uint64_t dco_write_bytes;
- } dco_context_t;
diff --git a/security/openvpn/files/patch-src_openvpn_forward.c b/security/openvpn/files/patch-src_openvpn_forward.c
deleted file mode 100644
index 0734167f6636..000000000000
--- a/security/openvpn/files/patch-src_openvpn_forward.c
+++ /dev/null
@@ -1,44 +0,0 @@
---- src/openvpn/forward.c.orig	2025-04-02 06:53:10 UTC
-+++ src/openvpn/forward.c
-@@ -1234,6 +1234,41 @@ process_incoming_link(struct context *c)
-     perf_pop();
- }
- 
-+void
-+extract_dco_float_peer_addr(const sa_family_t socket_family,
-+                            struct openvpn_sockaddr *out_osaddr,
-+                            const struct sockaddr *float_sa)
-+{
-+    if (float_sa->sa_family == AF_INET)
-+    {
-+        struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa;
-+        /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a
-+         * dual-stack socket, we need to preserve the mapping otherwise openvpn
-+         * will not be able to find the peer by its transport address.
-+         */
-+        if (socket_family == AF_INET6)
-+        {
-+            out_osaddr->addr.in6.sin6_family = AF_INET6;
-+            out_osaddr->addr.in6.sin6_port = float4->sin_port;
-+
-+            memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10);
-+            out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff;
-+            out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff;
-+            memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12],
-+                   &float4->sin_addr.s_addr, sizeof(in_addr_t));
-+        }
-+        else
-+        {
-+            memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in));
-+        }
-+    }
-+    else
-+    {
-+        struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa;
-+        memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6));
-+    }
-+}
-+
- static void
- process_incoming_dco(struct context *c)
- {
diff --git a/security/openvpn/files/patch-src_openvpn_forward.h b/security/openvpn/files/patch-src_openvpn_forward.h
deleted file mode 100644
index 050343949c03..000000000000
--- a/security/openvpn/files/patch-src_openvpn_forward.h
+++ /dev/null
@@ -1,24 +0,0 @@
---- src/openvpn/forward.h.orig	2025-04-02 06:53:10 UTC
-+++ src/openvpn/forward.h
-@@ -189,6 +189,21 @@ void process_incoming_link_part2(struct context *c, st
- void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf);
- 
- /**
-+ * Transfers \c float_sa data extracted from an incoming DCO
-+ * PEER_FLOAT_NTF to \c out_osaddr for later processing.
-+ *
-+ * @param socket_family - The address family of the socket
-+ * @param out_osaddr - openvpn_sockaddr struct that will be filled the new
-+ *      address data
-+ * @param float_sa - The sockaddr struct containing the data received from the
-+ *      DCO notification
-+ */
-+void
-+extract_dco_float_peer_addr(sa_family_t socket_family,
-+                            struct openvpn_sockaddr *out_osaddr,
-+                            const struct sockaddr *float_sa);
-+
-+/**
-  * Write a packet to the external network interface.
-  * @ingroup external_multiplexer
-  *
diff --git a/security/openvpn/files/patch-src_openvpn_init.c b/security/openvpn/files/patch-src_openvpn_init.c
deleted file mode 100644
index 0d09e6050236..000000000000
--- a/security/openvpn/files/patch-src_openvpn_init.c
+++ /dev/null
@@ -1,22 +0,0 @@
---- src/openvpn/init.c.orig	2025-04-02 06:53:10 UTC
-+++ src/openvpn/init.c
-@@ -330,7 +330,7 @@ management_callback_remote_entry_count(void *arg)
- static unsigned int
- management_callback_remote_entry_count(void *arg)
- {
--    assert(arg);
-+    ASSERT(arg);
-     struct context *c = (struct context *) arg;
-     struct connection_list *l = c->options.connection_list;
- 
-@@ -340,8 +340,8 @@ management_callback_remote_entry_get(void *arg, unsign
- static bool
- management_callback_remote_entry_get(void *arg, unsigned int index, char **remote)
- {
--    assert(arg);
--    assert(remote);
-+    ASSERT(arg);
-+    ASSERT(remote);
- 
-     struct context *c = (struct context *) arg;
-     struct connection_list *l = c->options.connection_list;
diff --git a/security/openvpn/files/patch-src_openvpn_multi.c b/security/openvpn/files/patch-src_openvpn_multi.c
deleted file mode 100644
index 22995fb45caf..000000000000
--- a/security/openvpn/files/patch-src_openvpn_multi.c
+++ /dev/null
@@ -1,39 +0,0 @@
---- src/openvpn/multi.c.orig	2025-04-02 06:53:10 UTC
-+++ src/openvpn/multi.c
-@@ -3169,6 +3169,18 @@ multi_process_float(struct multi_context *m, struct mu
-             goto done;
-         }
- 
-+        /* It doesn't make sense to let a peer float to the address it already
-+         * has, so we disallow it. This can happen if a DCO netlink notification
-+         * gets lost and we miss a floating step.
-+         */
-+        if (m1->peer_id == m2->peer_id)
-+        {
-+            msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to "
-+                "its own address (%s)",
-+                m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false),
-+                mroute_addr_print(&mi->real, &gc));
-+            goto done;
-+        }
-         msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
-         multi_close_instance(m, ex_mi, false);
-     }
-@@ -3301,6 +3313,17 @@ multi_process_incoming_dco(struct multi_context *m)
-         {
-             process_incoming_del_peer(m, mi, dco);
-         }
-+#if defined(TARGET_FREEBSD)
-+        else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER)
-+        {
-+            ASSERT(mi->context.c2.link_socket);
-+            extract_dco_float_peer_addr(mi->context.c2.link_socket->info.af,
-+                                        &m->top.c2.from.dest,
-+                                        (struct sockaddr *)&dco->dco_float_peer_ss);
-+            multi_process_float(m, mi);
-+            CLEAR(dco->dco_float_peer_ss);
-+        }
-+#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */
-         else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS)
-         {
-             tls_session_soft_reset(mi->context.c2.tls_multi);
diff --git a/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h b/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h
deleted file mode 100644
index 1d1ff16e5d8e..000000000000
--- a/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h
+++ /dev/null
@@ -1,10 +0,0 @@
---- src/openvpn/ovpn_dco_freebsd.h.orig	2025-04-02 06:53:10 UTC
-+++ src/openvpn/ovpn_dco_freebsd.h
-@@ -37,6 +37,7 @@ enum ovpn_notif_type {
- enum ovpn_notif_type {
-     OVPN_NOTIF_DEL_PEER,
-     OVPN_NOTIF_ROTATE_KEY,
-+    OVPN_NOTIF_FLOAT,
- };
- 
- enum ovpn_del_reason {