security/openvpn: sync with upstream

Taken from: FreeBSD
snape7997 · Nov 10, 2016 · 0001f01 · 0001f01
1 parent 659e20e
commit 0001f01
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 2 deletions.
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=		openvpn
 DISTVERSION=		2.3.13
+PORTREVISION=		1
 CATEGORIES=		security net
 MASTER_SITES=		http://swupdate.openvpn.net/community/releases/ \
 			http://build.openvpn.net/downloads/releases/
@@ -31,8 +32,8 @@ LDFLAGS+=		-L${LOCALBASE}/lib
 CPPFLAGS+=		-DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
 
 OPTIONS_DEFINE=		PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
-			TUNNELBLICK TEST
-OPTIONS_DEFAULT=	EASYRSA OPENSSL TEST
+			TUNNELBLICK TEST FIXSUBNET
+OPTIONS_DEFAULT=	EASYRSA OPENSSL TEST FIXSUBNET
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL POLARSSL
 # The following feature is always enabled since 2.3.9 and no longer optional.
@@ -42,6 +43,7 @@ EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 POLARSSL_DESC=		SSL/TLS via mbedTLS 1.3.X (not 2.x)
 TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
+FIXSUBNET_DESC=		Enable 'topology subnet' fix (experimental)
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
 
@@ -50,6 +52,8 @@ PKCS11_CONFIGURE_ENABLE=	pkcs11
 
 TUNNELBLICK_EXTRA_PATCHES=	${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
 
+FIXSUBNET_EXTRA_PATCHES=	${FILESDIR}/extra-patch-fix-subnet
+
 X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
 
 X509ALTUSERNAME_PREVENTS=	POLARSSL

diff --git a/security/openvpn/files/extra-patch-fix-subnet b/security/openvpn/files/extra-patch-fix-subnet
@@ -0,0 +1,90 @@
+commit 446ef5bda4cdc75d4cb955e274846faff0181fd3
+Author: Gert Doering <[email protected]>
+Date:   Tue Nov 8 13:45:06 2016 +0100
+
+    Repair topology subnet on FreeBSD 11
+
+    We used to add "route for this subnet" by using our own address as
+    the gateway address, which used to mean "connected to the interface,
+    no gateway".  FreeBSD commit 293159 changed the kernel side of that
+    assumption so "my address" is now always bound to "lo0" - thus, our
+    subnet route also ended up pointing to "lo0", breaking connectivity
+    for all hosts in the subnet except the one we used as "remote".
+
+    commit 60fd44e501f200 already introduced a "remote address" we use
+    for the "ifconfig tunX <us> <remote>" part - extend that to be used
+    as gateway address for the "tunX subnet" as well, and things will
+    work more robustly.
+
+    Tested on FreeBSD 11.0-RELEASE and 7.4-RELEASE (client and server)
+    (this particular issue is not present before 11.0, but "adding the
+    subnet route" never worked right, not even in 7.4 - 11.0 just made
+    the problem manifest more clearly)
+
+    Trac #425
+    URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207831
+
+    Signed-off-by: Gert Doering <[email protected]>
+    Acked-by: Steffan Karger <[email protected]>
+    Message-Id: <[email protected]>
+    URL: https://www.mail-archive.com/[email protected]/msg12950.html
+    Signed-off-by: Gert Doering <[email protected]>
+    (cherry picked from commit a433b3813d8c38b491d2baa7b433973f2d6cd7c6)
+
+diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
+index 11027dd..9bb586d 100644
+--- ./src/openvpn/tun.c
++++ ./src/openvpn/tun.c
+@@ -635,8 +635,8 @@ void delete_route_connected_v6_net(struct tuntap * tt,
+  * is still point to point and no layer 2 resolution is done...
+  */
+
+-const char *
+-create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
++in_addr_t
++create_arbitrary_remote( struct tuntap *tt )
+ {
+   in_addr_t remote;
+
+@@ -644,7 +644,7 @@ create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
+
+   if ( remote == tt->local ) remote ++;
+
+-  return print_in_addr_t (remote, 0, gc);
++  return remote;
+ }
+ #endif
+
+@@ -1126,6 +1126,8 @@ do_ifconfig (struct tuntap *tt,
+
+ #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
+
++      in_addr_t remote_end;		/* for "virtual" subnet topology */
++
+       /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
+       if (tun)
+ 	argv_printf (&argv,
+@@ -1138,12 +1140,13 @@ do_ifconfig (struct tuntap *tt,
+ 			  );
+       else if ( tt->topology == TOP_SUBNET )
+ 	{
++	    remote_end = create_arbitrary_remote( tt );
+ 	    argv_printf (&argv,
+ 			  "%s %s %s %s mtu %d netmask %s up",
+ 			  IFCONFIG_PATH,
+ 			  actual,
+ 			  ifconfig_local,
+-			  create_arbitrary_remote( tt, &gc ),
++			  print_in_addr_t (remote_end, 0, &gc),
+ 			  tun_mtu,
+ 			  ifconfig_remote_netmask
+ 			  );
+@@ -1170,7 +1173,7 @@ do_ifconfig (struct tuntap *tt,
+           r.flags = RT_DEFINED;
+           r.network = tt->local & tt->remote_netmask;
+           r.netmask = tt->remote_netmask;
+-          r.gateway = tt->local;
++          r.gateway = remote_end;
+           add_route (&r, tt, 0, NULL, es);
+         }
+