security/openvpn: sync with upstream

Taken from: FreeBSD
2016-11-10 06:56:58 +01:00 · 2016-11-10 06:56:58 +01:00 · 0001f010ee
commit 0001f010ee
parent 659e20e45a
2 changed files with 96 additions and 2 deletions
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@ -3,6 +3,7 @@

 PORTNAME=		openvpn
 DISTVERSION=		2.3.13
+PORTREVISION=		1
 CATEGORIES=		security net
 MASTER_SITES=		http://swupdate.openvpn.net/community/releases/ \
 			http://build.openvpn.net/downloads/releases/
@ -31,8 +32,8 @@ LDFLAGS+=		-L${LOCALBASE}/lib
 CPPFLAGS+=		-DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"

 OPTIONS_DEFINE=		PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
-			TUNNELBLICK TEST
-OPTIONS_DEFAULT=	EASYRSA OPENSSL TEST
+			TUNNELBLICK TEST FIXSUBNET
+OPTIONS_DEFAULT=	EASYRSA OPENSSL TEST FIXSUBNET
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL POLARSSL
 # The following feature is always enabled since 2.3.9 and no longer optional.
@ -42,6 +43,7 @@ EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 POLARSSL_DESC=		SSL/TLS via mbedTLS 1.3.X (not 2.x)
 TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
+FIXSUBNET_DESC=		Enable 'topology subnet' fix (experimental)

 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa

@ -50,6 +52,8 @@ PKCS11_CONFIGURE_ENABLE=	pkcs11

 TUNNELBLICK_EXTRA_PATCHES=	${FILESDIR}/extra-tunnelblick-openvpn_xorpatch

+FIXSUBNET_EXTRA_PATCHES=	${FILESDIR}/extra-patch-fix-subnet
+
 X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username

 X509ALTUSERNAME_PREVENTS=	POLARSSL
--- a/security/openvpn/files/extra-patch-fix-subnet
+++ b/security/openvpn/files/extra-patch-fix-subnet
@ -0,0 +1,90 @@
+commit 446ef5bda4cdc75d4cb955e274846faff0181fd3
+Author: Gert Doering <gert@greenie.muc.de>
+Date:   Tue Nov 8 13:45:06 2016 +0100
+
+    Repair topology subnet on FreeBSD 11
+    
+    We used to add "route for this subnet" by using our own address as
+    the gateway address, which used to mean "connected to the interface,
+    no gateway".  FreeBSD commit 293159 changed the kernel side of that
+    assumption so "my address" is now always bound to "lo0" - thus, our
+    subnet route also ended up pointing to "lo0", breaking connectivity
+    for all hosts in the subnet except the one we used as "remote".
+    
+    commit 60fd44e501f200 already introduced a "remote address" we use
+    for the "ifconfig tunX <us> <remote>" part - extend that to be used
+    as gateway address for the "tunX subnet" as well, and things will
+    work more robustly.
+    
+    Tested on FreeBSD 11.0-RELEASE and 7.4-RELEASE (client and server)
+    (this particular issue is not present before 11.0, but "adding the
+    subnet route" never worked right, not even in 7.4 - 11.0 just made
+    the problem manifest more clearly)
+    
+    Trac #425
+    URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207831
+    
+    Signed-off-by: Gert Doering <gert@greenie.muc.de>
+    Acked-by: Steffan Karger <steffan.karger@fox-it.com>
+    Message-Id: <20161108124506.32559-1-gert@greenie.muc.de>
+    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12950.html
+    Signed-off-by: Gert Doering <gert@greenie.muc.de>
+    (cherry picked from commit a433b3813d8c38b491d2baa7b433973f2d6cd7c6)
+
+diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
+index 11027dd..9bb586d 100644
+--- ./src/openvpn/tun.c
+++ ./src/openvpn/tun.c
+@@ -635,8 +635,8 @@ void delete_route_connected_v6_net(struct tuntap * tt,
+  * is still point to point and no layer 2 resolution is done...
+  */
+ 
+-const char *
+-create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
+in_addr_t
+create_arbitrary_remote( struct tuntap *tt )
+ {
+   in_addr_t remote;
+ 
+@@ -644,7 +644,7 @@ create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
+ 
+   if ( remote == tt->local ) remote ++;
+ 
+-  return print_in_addr_t (remote, 0, gc);
+  return remote;
+ }
+ #endif
+ 
+@@ -1126,6 +1126,8 @@ do_ifconfig (struct tuntap *tt,
+ 
+ #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
+ 
+      in_addr_t remote_end;		/* for "virtual" subnet topology */
+
+       /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
+       if (tun)
+ 	argv_printf (&argv,
+@@ -1138,12 +1140,13 @@ do_ifconfig (struct tuntap *tt,
+ 			  );
+       else if ( tt->topology == TOP_SUBNET )
+ 	{
+	    remote_end = create_arbitrary_remote( tt );
+ 	    argv_printf (&argv,
+ 			  "%s %s %s %s mtu %d netmask %s up",
+ 			  IFCONFIG_PATH,
+ 			  actual,
+ 			  ifconfig_local,
+-			  create_arbitrary_remote( tt, &gc ),
+			  print_in_addr_t (remote_end, 0, &gc),
+ 			  tun_mtu,
+ 			  ifconfig_remote_netmask
+ 			  );
+@@ -1170,7 +1173,7 @@ do_ifconfig (struct tuntap *tt,
+           r.flags = RT_DEFINED;
+           r.network = tt->local & tt->remote_netmask;
+           r.netmask = tt->remote_netmask;
+-          r.gateway = tt->local;
+          r.gateway = remote_end;
+           add_route (&r, tt, 0, NULL, es);
+         }
+