forked from pool/openvpn

Compare commits

14 Commits

Author SHA256 Message Date
9c133fcaa9 Accepting request 1297937 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1297937
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=121
2025-08-12 15:03:01 +00:00
87781568f1 - add (bsc#1239783) -- fix build against 6.16
* 0001-dco-linux-avoid-redefining-ovpn-enums.patch

OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=219
2025-08-06 11:05:47 +00:00
5cad75ce5a Patch applied for Don't recommend ovpn-dco-kmp if it is in the kernel already (newer and safer version) Support for ovpn
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=218
2025-08-06 09:27:01 +00:00
af45183e1e Accepting request 1267918 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1267918
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=120
2025-04-09 19:49:40 +00:00
03d27e8871 - update to 2.6.14:
  * CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
  * Linux DCO: repair source IP selection for --multihome
- update to 2.6.13:
  * on non-windows clients (MacOS, Linux, Unix) send "release" string from
    uname() call as IV_PLAT_VER to server
  * Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default
    timeout of 90 seconds
  * improve server-side handling of clients sending usernames or passwords
    longer than USER_PASS_LEN
  * purge proxy authentication credentials from memory after use
- update to 2.6.12:
  * the fix for CVE-2024-5594 (refuse control channel messages with
    nonprintable characters) was too strict, breaking user configurations
  * Http-proxy: fix bug preventing proxy credentials caching
- update to 2.6.11:
  * CVE-2024-5594: control channel: refuse control channel messages with
    nonprintable characters in them. Security scope: a malicious openvpn
    peer can send garbage to openvpn log, or cause high CPU load.
  * CVE-2024-28882: only call schedule_exit() once (on a given peer).
    Security scope: an authenticated client can make the server "keep the
    session" even when the server has been told to disconnect this client
  * Fix connect timeout when using SOCKS proxies
  * Add bracket in fingerprint message and do not warn about missing
    verification
  * Remove "experimental" denotation for --fast-io
  * Correctly document ifconfig_* variables passed to scripts
  * Documentation: make section levels consistent
  * Samples: Update sample configurations (remove compression & old cipher
    settings, add more informative comments)

OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=216
2025-04-08 13:58:58 +00:00
6e7beb07f8 Accepting request 1240409 from network:vpn
bugowner:rjain openvpn-CVE-2024-5594 Patch applied for the submission by rjain (forwarded request 1239460 from rjain)

OBS-URL: https://build.opensuse.org/request/show/1240409
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=119
2025-01-28 13:58:05 +00:00
Richard Rahl
7185e7c490 bugowner:rjain openvpn-CVE-2024-5594 Patch applied for the submission by rjain
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=214
2025-01-26 21:41:17 +00:00
8c4bdc3ced Accepting request 1239621 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1239621
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=118
2025-01-23 17:01:45 +00:00
dcc7786ea5 - Drop rcFOO symlinks for CODE16 (PED-266).
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=212
2025-01-22 16:45:40 +00:00
1cb5b5ef09 Accepting request 1233845 from network:vpn
- Set %_buildshell because of bashisms in build recipe ([[ and =~)
- Replace over-the-top `find -exec rm` by just -delete (forwarded request 1232791 from jengelh)

OBS-URL: https://build.opensuse.org/request/show/1233845
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=117
2024-12-30 11:50:53 +00:00
Richard Rahl
4b21f5f5e6 - Set %_buildshell because of bashisms in build recipe ([[ and =~)
- Replace over-the-top `find -exec rm` by just -delete

OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=210
2024-12-29 23:33:17 +00:00
690bf31ff3 Accepting request 1218829 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1218829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=116
2024-10-29 13:32:19 +00:00
c1302e0b01 bugowner:rjain Patch applied for the submission by rjain
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=208
2024-10-28 14:18:16 +00:00
bd1ac08c0b Accepting request 1174409 from home:bmwiedemann:branches:network:vpn
Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
  if libnl >= 3.4 is available

now recommends ovpn-dco kmp

still needs testing

OBS-URL: https://build.opensuse.org/request/show/1174409
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=207
2024-06-14 08:55:43 +00:00
16 changed files with 3513 additions and 489 deletions

@@ -0,0 +1,285 @@
From: Ralf Lici <ralf@mandelbit.com>
Date: Wed, 5 Mar 2025 18:17:30 +0100
Subject: Handle missing DCO peer by restarting the session
References: bsc#1239783
Git-repo: https://github.com/OpenVPN/openvpn.git
Git-commit: 6f9ba8bfd259742ee19b173898a9bfd20e22fcf3
Patch-mainline: v2.7
Occasionally, CMD_DEL_PEER is not delivered to userspace, preventing the
openvpn process from registering the event. To handle this case, we
check if calls to the Linux DCO module return an error, and, if so, send
a SIGUSR1 signal to reset the session.
Most DCO commands that return an error already trigger a SIGUSR1 signal
or even call _exit(1). This commit extends that behavior to include
dco_get_peer_stats_multi() and dco_get_peer_stats().
Change-Id: Ib118426c5a69256894040c69856a4003d9f4637c
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250305171730.250444-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31022.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
src/openvpn/dco.h | 18 +++++++++++-------
src/openvpn/dco_freebsd.c | 5 +++--
src/openvpn/dco_linux.c | 28 +++++++++++++++++++++++++---
src/openvpn/dco_win.c | 5 +++--
src/openvpn/forward.c | 3 +--
src/openvpn/manage.c | 10 ++++++++--
src/openvpn/multi.c | 10 ++++++++--
src/openvpn/sig.c | 5 ++++-
8 files changed, 63 insertions(+), 21 deletions(-)
diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h
index 35ceace3aac5..ed194cc5017c 100644
--- a/src/openvpn/dco.h
+++ b/src/openvpn/dco.h
@@ -231,17 +231,20 @@ void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi);
/**
* Update traffic statistics for all peers
*
- * @param dco DCO device context
- * @param m the server context
+ * @param dco DCO device context
+ * @param m the server context
+ * @param raise_sigusr1_on_err whether to raise SIGUSR1 on error
**/
-int dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m);
+int dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
+ const bool raise_sigusr1_on_err);
/**
* Update traffic statistics for single peer
*
- * @param c instance context of the peer
+ * @param c instance context of the peer
+ * @param raise_sigusr1_on_err whether to raise SIGUSR1 on error
**/
-int dco_get_peer_stats(struct context *c);
+int dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err);
/**
* Retrieve the list of ciphers supported by the current platform
@@ -373,13 +376,14 @@ dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
}
static inline int
-dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
+dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
+ const bool raise_sigusr1_on_err)
{
return 0;
}
static inline int
-dco_get_peer_stats(struct context *c)
+dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
{
return 0;
}
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 0e536de80500..b8816c63bd43 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -713,7 +713,8 @@ dco_update_peer_stat(struct multi_context *m, uint32_t peerid, const nvlist_t *n
}
int
-dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
+dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
+ const bool raise_sigusr1_on_err)
{
struct ifdrv drv;
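Review bot: raise_sigusr1_on_err is added to the FreeBSD dco_get_peer_stats_multi() signature, but nothing in the visible part of the function acts on it, unlike the Linux version in this patch, which calls register_signal(..., SIGUSR1, "dco peer stats error") when ret < 0. If FreeBSD reliably delivers peer deletion to userspace and the restart is not needed there, a one-line comment saying so would prevent the parameter from looking forgotten; otherwise the same check belongs after the ioctl in the `retry:` region, which this diff does not touch.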
@@ -781,7 +782,7 @@ retry:
}
int
-dco_get_peer_stats(struct context *c)
+dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
{
/* Not implemented. */
return 0;
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 68c1a8d3271a..b0a85fdaf365 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -952,7 +952,8 @@ dco_parse_peer_multi(struct nl_msg *msg, void *arg)
}
int
-dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
+dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
+ const bool raise_sigusr1_on_err)
{
msg(D_DCO_DEBUG, "%s", __func__);
@@ -963,6 +964,14 @@ dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
int ret = ovpn_nl_msg_send(dco, nl_msg, dco_parse_peer_multi, m, __func__);
nlmsg_free(nl_msg);
+
+ if (raise_sigusr1_on_err && ret < 0)
+ {
+ msg(M_WARN, "Error retrieving DCO peer stats: the underlying DCO peer"
+ "may have been deleted from the kernel without notifying "
+ "userspace. Restarting the session");
+ register_signal(m->top.sig, SIGUSR1, "dco peer stats error");
+ }
return ret;
}
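Review bot: the adjacent string literals in the new M_WARN message are missing a separator, so the log line reads "...the underlying DCO peermay have been deleted..."; add a trailing space to "the underlying DCO peer ". The identical text is repeated in dco_get_peer_stats() further down in this file and needs the same fix.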
@@ -1008,9 +1017,14 @@ dco_parse_peer(struct nl_msg *msg, void *arg)
}
int
-dco_get_peer_stats(struct context *c)
+dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
{
- uint32_t peer_id = c->c2.tls_multi->dco_peer_id;
+ int peer_id = c->c2.tls_multi->dco_peer_id;
+ if (peer_id == -1)
+ {
+ return 0;
+ }
+
msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peer_id);
if (!c->c1.tuntap)
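Review bot: the early `return 0` for peer_id == -1 reports success without refreshing any counter, so callers that test `== 0` (check_inactivity_timeout() and management_check_bytecount() in this same patch) continue with whatever values c->c2 already holds. That is reasonable for a DCO peer that is not yet established, but the Doxygen comment in dco.h should state that a zero return does not guarantee the stats were updated. The change from uint32_t to int also makes the existing `%d` in the debug message match the type.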
@@ -1030,6 +1044,14 @@ dco_get_peer_stats(struct context *c)
nla_put_failure:
nlmsg_free(nl_msg);
+
+ if (raise_sigusr1_on_err && ret < 0)
+ {
+ msg(M_WARN, "Error retrieving DCO peer stats: the underlying DCO peer"
+ "may have been deleted from the kernel without notifying "
+ "userspace. Restarting the session");
+ register_signal(c->sig, SIGUSR1, "dco peer stats error");
+ }
return ret;
}
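Review bot: the new block sits after the nla_put_failure: label, so a locally failed message construction (a `goto nla_put_failure`) reaches it as well as a failed send; if ret is negative on that path, the warning blames a peer deleted in the kernel and restarts the session for what is a local netlink error. Either place the check on the send path only, or word the message so it covers both causes.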
diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c
index 45cb919277c6..8b47124631bf 100644
--- a/src/openvpn/dco_win.c
+++ b/src/openvpn/dco_win.c
@@ -712,14 +712,15 @@ dco_do_read(dco_context_t *dco)
}
int
-dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m)
+dco_get_peer_stats_multi(dco_context_t *dco, struct multi_context *m,
+ const bool raise_sigusr1_on_err)
{
/* Not implemented. */
return 0;
}
int
-dco_get_peer_stats(struct context *c)
+dco_get_peer_stats(struct context *c, const bool raise_sigusr1_on_err)
{
struct tuntap *tt = c->c1.tuntap;
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index b0253443aa3a..fce7ac8bb5ee 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -488,7 +488,7 @@ check_add_routes(struct context *c)
static void
check_inactivity_timeout(struct context *c)
{
- if (dco_enabled(&c->options) && dco_get_peer_stats(c) == 0)
+ if (dco_enabled(&c->options) && dco_get_peer_stats(c, true) == 0)
{
int64_t tot_bytes = c->c2.tun_read_bytes + c->c2.tun_write_bytes;
int64_t new_bytes = tot_bytes - c->c2.inactivity_bytes;
@@ -497,7 +497,6 @@ check_inactivity_timeout(struct context *c)
{
c->c2.inactivity_bytes = tot_bytes;
event_timeout_reset(&c->c2.inactivity_interval);
-
return;
}
}
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 484042ada70e..0e73942762af 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -4146,8 +4146,13 @@ management_check_bytecount(struct context *c, struct management *man, struct tim
counter_type dco_read_bytes = 0;
counter_type dco_write_bytes = 0;
- if (dco_enabled(&c->options) && (dco_get_peer_stats(c) == 0))
+ if (dco_enabled(&c->options))
{
+ if (dco_get_peer_stats(c, true) < 0)
+ {
+ return;
+ }
+
dco_read_bytes = c->c2.dco_read_bytes;
dco_write_bytes = c->c2.dco_write_bytes;
}
@@ -4166,7 +4171,8 @@ management_check_bytecount(struct context *c, struct management *man, struct tim
void
man_persist_client_stats(struct management *man, struct context *c)
{
- if (dco_enabled(&c->options) && (dco_get_peer_stats(c) == 0))
+ /* no need to raise SIGUSR1 since we are already closing the instance */
+ if (dco_enabled(&c->options) && (dco_get_peer_stats(c, false) == 0))
{
management_bytes_client(man, c->c2.dco_read_bytes, c->c2.dco_write_bytes);
}
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 85a1712e2334..9d244be6d794 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -548,7 +548,10 @@ setenv_stats(struct multi_context *m, struct context *c)
{
if (dco_enabled(&m->top.options))
{
- dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m);
+ if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m, false) < 0)
+ {
+ return;
+ }
}
setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes + c->c2.dco_read_bytes);
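Review bot: the early return changes what client scripts see: when dco_get_peer_stats_multi() fails, setenv_stats() now skips setenv_counter() entirely, so bytes_received and bytes_sent are absent from the script environment instead of carrying the last known values as before. Scripts that read those variables unconditionally will break on this path; either export the existing counters anyway or document the omission in the man page section on script environment variables.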
@@ -856,7 +859,10 @@ multi_print_status(struct multi_context *m, struct status_output *so, const int
if (dco_enabled(&m->top.options))
{
- dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m);
+ if (dco_get_peer_stats_multi(&m->top.c1.tuntap->dco, m, true) < 0)
+ {
+ return;
+ }
}
if (version == 1)
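Review bot: passing true here means a stats-retrieval error during multi_print_status() registers SIGUSR1 on the server context (m->top.sig in dco_get_peer_stats_multi()), which restarts the whole daemon and drops every connected client, not just the peer whose CMD_DEL_PEER went missing. That is a large blast radius for a status-file refresh; it deserves an explicit comment here, or a narrower recovery (re-query or remove the affected peer) if the netlink API allows one.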
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index 8323f0d97f21..b0f8935d4302 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
@@ -489,7 +489,10 @@ print_status(struct context *c, struct status_output *so)
if (dco_enabled(&c->options))
{
- dco_get_peer_stats(c);
+ if (dco_get_peer_stats(c, true) < 0)
+ {
+ return;
+ }
}
status_printf(so, "OpenVPN STATISTICS");
--
2.49.0

@@ -0,0 +1,105 @@
From: Ralf Lici <ralf@mandelbit.com>
Date: Thu, 15 May 2025 17:00:31 +0200
Subject: Implement ovpn version detection
References: bsc#1239783
Git-repo: https://github.com/OpenVPN/openvpn.git
Git-commit: f6c95ac2ffa69a1caaf2785859c48295a3bea199
Patch-mainline: v2.7.0
Add detection of the ovpn kernel module type: if a backported
(out-of-tree) version is loaded, the MODULE_VERSION string is read from
sysfs; otherwise, for the in-tree module, the function reports the
kernel release and version.
Change-Id: I7fc033a7ffee73045316763356a95d75ef23f5ad
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250515150038.30097-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31652.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
src/openvpn/dco_linux.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 68 insertions(+), 1 deletion(-)
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -1117,10 +1117,77 @@ dco_available(int msglevel)
return true;
}
+/**
+ * There's no version indicator in the ovpn in-tree module, so we return a
+ * string containing info about the kernel version and release.
+ */
+static const char *
+dco_version_string_in_tree(struct gc_arena *gc)
+{
+ struct buffer buf = alloc_buf_gc(256, gc);
+ struct utsname system;
+
+ if (uname(&system))
+ {
+ return "ERR";
+ }
+
+ buf_puts(&buf, system.release);
+ buf_puts(&buf, " ");
+ buf_puts(&buf, system.version);
+ return BSTR(&buf);
+}
+
+/**
+ * When the module is loaded, the backports version of ovpn has a version file
+ * in sysfs. Read it and return the string.
+ *
+ * The caller is responsible for closing the file pointer.
+ */
+static const char *
+dco_version_string_backports(FILE *fp, struct gc_arena *gc)
+{
+ char *str = gc_malloc(PATH_MAX, false, gc);
+
+ if (!fgets(str, PATH_MAX, fp))
+ {
+ return "ERR";
+ }
+
+ /* remove potential newline at the end of the string */
+ char *nl = strchr(str, '\n');
+ if (nl)
+ {
+ *nl = '\0';
+ }
+
+ return str;
+}
+
const char *
dco_version_string(struct gc_arena *gc)
{
- return "Unknown";
+ const char *version;
+ struct stat sb;
+ FILE *fp;
+
+ if (stat("/sys/module/ovpn", &sb) != 0 || !S_ISDIR(sb.st_mode))
+ {
+ return "N/A";
+ }
+
+ /* now that we know for sure that the module is loaded, if there's no
+ * version file it means we're dealing with the in-tree version, otherwise
+ * it's backports */
+ fp = fopen("/sys/module/ovpn/version", "r");
+ if (!fp)
+ {
+ return dco_version_string_in_tree(gc);
+ }
+ version = dco_version_string_backports(fp, gc);
+
+ fclose(fp);
+ return version;
}
void
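Review bot: dco_version_string() treats the absence of /sys/module/ovpn as "module not loaded", but a built-in ovpn (CONFIG_OVPN=y) only gets a /sys/module entry if it exposes parameters or a MODULE_VERSION, and the comment above says the in-tree module has no version indicator; on such a kernel a working DCO would be reported as "N/A". Consider falling back to the in-tree string when DCO is otherwise known to be available. Also, the hunk uses uname()/struct utsname and stat()/S_ISDIR while the diffstat (68 insertions, 1 deletion) is fully accounted for by this one hunk (-1117,10 +1117,77), so no #include is added; confirm dco_linux.c already pulls in <sys/utsname.h> and <sys/stat.h>. Minor: PATH_MAX is an oversized buffer for a version string; a small fixed size would do.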

@@ -0,0 +1,121 @@
From: Lev Stipakov <lev@openvpn.net>
Date: Fri, 27 Sep 2024 11:30:45 +0200
Subject: dco: better naming for function parameters
References: bsc#1239783
Git-repo: https://github.com/OpenVPN/openvpn.git
Git-commit: 95e5a0b4f0f0f45d29a5a995f151677b760ddf76
Patch-mainline: v2.7
Current naming (remote_in4/6) is confusing, since
those are in fact VPN IPv4/v6 addresses and not
related to remote at all.
Change-Id: I101bbc9f682375ec733bca10b52da82f0abfec27
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20240927093045.22753-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29460.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
src/openvpn/dco_freebsd.c | 12 ++++++------
src/openvpn/dco_internal.h | 2 +-
src/openvpn/dco_linux.c | 10 +++++-----
src/openvpn/dco_win.c | 2 +-
4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 2bfbda1243c8..d2b8092cb27d 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -75,7 +75,7 @@ sockaddr_to_nvlist(const struct sockaddr *sa)
int
dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
struct sockaddr *localaddr, struct sockaddr *remoteaddr,
- struct in_addr *remote_in4, struct in6_addr *remote_in6)
+ struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
{
struct ifdrv drv;
nvlist_t *nvl, *local_nvl, *remote_nvl;
@@ -97,15 +97,15 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
nvlist_add_nvlist(nvl, "remote", remote_nvl);
}
- if (remote_in4)
+ if (vpn_ipv4)
{
- nvlist_add_binary(nvl, "vpn_ipv4", &remote_in4->s_addr,
- sizeof(remote_in4->s_addr));
+ nvlist_add_binary(nvl, "vpn_ipv4", &vpn_ipv4->s_addr,
+ sizeof(vpn_ipv4->s_addr));
}
- if (remote_in6)
+ if (vpn_ipv6)
{
- nvlist_add_binary(nvl, "vpn_ipv6", remote_in6, sizeof(*remote_in6));
+ nvlist_add_binary(nvl, "vpn_ipv6", vpn_ipv6, sizeof(*vpn_ipv6));
}
nvlist_add_number(nvl, "fd", sd);
diff --git a/src/openvpn/dco_internal.h b/src/openvpn/dco_internal.h
index 624c11050c04..4bbcc82bbb14 100644
--- a/src/openvpn/dco_internal.h
+++ b/src/openvpn/dco_internal.h
@@ -62,7 +62,7 @@ dco_get_cipher(const char *cipher)
int dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
struct sockaddr *localaddr, struct sockaddr *remoteaddr,
- struct in_addr *remote_in4, struct in6_addr *remote_in6);
+ struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6);
int dco_del_peer(dco_context_t *dco, unsigned int peerid);
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 1f1907ef830c..9f3c4ca05408 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -220,7 +220,7 @@ mapped_v4_to_v6(struct sockaddr *sock, struct gc_arena *gc)
int
dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
struct sockaddr *localaddr, struct sockaddr *remoteaddr,
- struct in_addr *remote_in4, struct in6_addr *remote_in6)
+ struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
{
struct gc_arena gc = gc_new();
const char *remotestr = "[undefined]";
@@ -263,14 +263,14 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
}
/* Set the primary VPN IP addresses of the peer */
- if (remote_in4)
+ if (vpn_ipv4)
{
- NLA_PUT_U32(nl_msg, OVPN_NEW_PEER_ATTR_IPV4, remote_in4->s_addr);
+ NLA_PUT_U32(nl_msg, OVPN_NEW_PEER_ATTR_IPV4, vpn_ipv4->s_addr);
}
- if (remote_in6)
+ if (vpn_ipv6)
{
NLA_PUT(nl_msg, OVPN_NEW_PEER_ATTR_IPV6, sizeof(struct in6_addr),
- remote_in6);
+ vpn_ipv6);
}
nla_nest_end(nl_msg, attr);
diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c
index b0b13592cdbe..42df1cc5acbe 100644
--- a/src/openvpn/dco_win.c
+++ b/src/openvpn/dco_win.c
@@ -247,7 +247,7 @@ dco_create_socket(HANDLE handle, struct addrinfo *remoteaddr, bool bind_local,
int
dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd,
struct sockaddr *localaddr, struct sockaddr *remoteaddr,
- struct in_addr *remote_in4, struct in6_addr *remote_in6)
+ struct in_addr *vpn_ipv4, struct in6_addr *vpn_ipv6)
{
msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d", __func__, peerid, sd);
return 0;
--
2.49.0

@@ -0,0 +1,58 @@
From: Ralf Lici <ralf@mandelbit.com>
Date: Mon, 23 Jun 2025 16:07:43 +0200
Subject: dco linux: avoid redefining ovpn enums
References: bsc#1239783
Git-repo: https://github.com/OpenVPN/openvpn.git
Git-commit: 1d3c2b67a73a0aa011c13e62f876d24e49d41df0
Patch-mainline: 2.7
Starting with Linux kernel version 6.16, a couple of ovpn-related enum
definitions were introduced in the `include/uapi/linux/if_link.h`
header. Redefining them in openvpn when they are already present in the
system headers can lead to conflicts or build issues.
This commit ensures that enum redefinitions are avoided by conditionally
using the existing definitions from the system header when available.
Change-Id: I4fa2d578f9c0a5a8aa24ca1d396102ef2ed9a425
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Message-Id: <20250623140748.13960-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31961.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
src/openvpn/dco_linux.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h
index 273a6ada1291..4e441ec77490 100644
--- a/src/openvpn/dco_linux.h
+++ b/src/openvpn/dco_linux.h
@@ -40,6 +40,8 @@ typedef enum ovpn_cipher_alg dco_cipher_t;
/* OVPN section */
+#ifndef IFLA_OVPN_MAX
+
enum ovpn_mode {
OVPN_MODE_P2P,
OVPN_MODE_MP,
@@ -49,10 +51,13 @@ enum ovpn_ifla_attrs {
IFLA_OVPN_UNSPEC = 0,
IFLA_OVPN_MODE,
- __IFLA_OVPN_AFTER_LAST,
- IFLA_OVPN_MAX = __IFLA_OVPN_AFTER_LAST - 1,
+ __IFLA_OVPN_MAX,
};
+#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1)
+
+#endif /* ifndef IFLA_OVPN_MAX */
+
typedef struct
{
struct nl_sock *nl_sock;
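Review bot: the `#ifndef IFLA_OVPN_MAX` guard only helps if <linux/if_link.h> (directly or via libnl) is included before this point in dco_linux.h; if the uapi header is pulled in later in the same translation unit, both definitions are still compiled and the 6.16 conflict remains. Confirm the include order, or include the uapi header explicitly ahead of the guard. Renaming __IFLA_OVPN_AFTER_LAST to __IFLA_OVPN_MAX and turning IFLA_OVPN_MAX into a macro mirrors the uapi layout, which is what makes a preprocessor-visible guard symbol available at all.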
--
2.50.1

File diff suppressed because it is too large

@@ -0,0 +1,53 @@
From: Antonio Quartulli <antonio@mandelbit.com>
Date: Fri, 23 May 2025 09:38:41 +0200
Subject: dco_linux: avoid bogus text when netlink message is not parsed
References: bsc#1239783
Git-repo: https://github.com/OpenVPN/openvpn.git
Git-commit: 4a48841da2d4179a96348994f841661ec9e5ce1d
Patch-mainline: v2.7.0
We may bail out parsing an incoming DCO message because it may
concern a different interface.
In that case we print the following debug messages:
dco_do_read
ovpn-dco: ignoring message (type=5) for foreign ifindex 313
process_incoming_dco: received message of type 0 - ignoring
However, the last message is confusing, because there is no message
of type 0 being received, but the message_type was simply not
initialized.
Bail out parsing earlier and avoid printing any bogus text.
Change-Id: I568faa12a5960e8b69de23c2df413b70b231592c
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250523073848.20848-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31763.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
src/openvpn/forward.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 022afdb929a3..a83b2582e7ac 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1251,6 +1251,12 @@ process_incoming_dco(struct context *c)
dco_do_read(dco);
+ /* no message for us to handle - platform specific code has logged details */
+ if (dco->dco_message_type == 0)
+ {
+ return;
+ }
+
/* FreeBSD currently sends us removal notifcation with the old peer-id in
* p2p mode with the ping timeout reason, so ignore that one to not shoot
* ourselves in the foot and removing the just established session */
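Review bot: the early return assumes dco->dco_message_type is reset to 0 before every dco_do_read(); if the platform code leaves the previous message's type in place when it skips a message for a foreign ifindex (exactly the case the commit message describes), the stale type would be dispatched a second time rather than ignored. Confirm the reset happens in dco_do_read(), or clear the field here before the call. Unrelated nit in the unchanged context: "notifcation".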
--
2.49.0

@@ -0,0 +1,100 @@
From: Antonio Quartulli <antonio@mandelbit.com>
Date: Tue, 28 Jan 2025 14:44:54 +0100
Subject: dco_linux: extend netlink error cb with extra info
References: bsc#1239783
Git-repo: https://github.com/OpenVPN/openvpn.git
Git-commit: edad5fa42bff2f291d7d416ccb90f4e7cd5b3f39
Patch-mainline: v2.7
A netlink error may contain more specific attributes: i.e.
missing attributes or missing neted objects.
Parse and print this information too.
Note that we are re-defining some enum entries that exist
in netlink.h starting with linux-6.1.
Since we do support distros not shipping an up-to-date
netlink.h, we had to re-define the entries we need for
this patch.
Change-Id: I9e27ff335d892429334137d028f8503da4e4ca5b
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250128134454.2888-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30658.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
src/openvpn/dco_linux.c | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index b03838281a33..fa7abd3fa3c4 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -291,6 +291,25 @@ ovpn_nl_cb_finish(struct nl_msg (*msg) __attribute__ ((unused)), void *arg)
return NL_SKIP;
}
+/* The following enum members exist in netlink.h since linux-6.1.
+ * However, some distro we support still ship an old header, thus
+ * failing the OpenVPN compilation.
+ *
+ * For the time being we add the needed defines manually.
+ * We will drop this definition once we stop supporting those old
+ * distros.
+ *
+ * @NLMSGERR_ATTR_MISS_TYPE: type of a missing required attribute,
+ * %NLMSGERR_ATTR_MISS_NEST will not be present if the attribute was
+ * missing at the message level
+ * @NLMSGERR_ATTR_MISS_NEST: offset of the nest where attribute was missing
+ */
+enum ovpn_nlmsgerr_attrs {
+ OVPN_NLMSGERR_ATTR_MISS_TYPE = 5,
+ OVPN_NLMSGERR_ATTR_MISS_NEST = 6,
+ OVPN_NLMSGERR_ATTR_MAX = 6,
+};
+
/* This function is used as error callback on the netlink socket.
* When something goes wrong and the kernel returns an error, this function is
* invoked.
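Review bot: OVPN_NLMSGERR_ATTR_MISS_TYPE = 5 and OVPN_NLMSGERR_ATTR_MISS_NEST = 6 are hand-copied kernel ABI values; because the originals are enum members in the system header, a preprocessor `#ifndef` cannot detect them, so the OVPN_ prefix is the right way to avoid a clash, but a configure-time check for NLMSGERR_ATTR_MISS_TYPE would let the code use the system values where present and compile this fallback only on the old distros the comment mentions. OVPN_NLMSGERR_ATTR_MAX = 6 also caps the array and nla_parse() range below at MISS_NEST, which is all this callback needs.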
@@ -304,7 +323,7 @@ ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)),
struct nlmsgerr *err, void *arg)
{
struct nlmsghdr *nlh = (struct nlmsghdr *)err - 1;
- struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];
+ struct nlattr *tb_msg[OVPN_NLMSGERR_ATTR_MAX + 1];
int len = nlh->nlmsg_len;
struct nlattr *attrs;
int *ret = arg;
@@ -330,7 +349,7 @@ ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)),
attrs = (void *)((unsigned char *)nlh + ack_len);
len -= ack_len;
- nla_parse(tb_msg, NLMSGERR_ATTR_MAX, attrs, len, NULL);
+ nla_parse(tb_msg, OVPN_NLMSGERR_ATTR_MAX, attrs, len, NULL);
if (tb_msg[NLMSGERR_ATTR_MSG])
{
len = strnlen((char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]),
@@ -339,6 +358,18 @@ ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)),
(char *)nla_data(tb_msg[NLMSGERR_ATTR_MSG]));
}
+ if (tb_msg[OVPN_NLMSGERR_ATTR_MISS_NEST])
+ {
+ msg(M_WARN, "kernel error: missing required nesting type %u\n",
+ nla_get_u32(tb_msg[OVPN_NLMSGERR_ATTR_MISS_NEST]));
+ }
+
+ if (tb_msg[OVPN_NLMSGERR_ATTR_MISS_TYPE])
+ {
+ msg(M_WARN, "kernel error: missing required attribute type %u\n",
+ nla_get_u32(tb_msg[OVPN_NLMSGERR_ATTR_MISS_TYPE]));
+ }
+
return NL_STOP;
}
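Review bot: the two new msg(M_WARN, ...) strings end in "\n", while the other msg() calls in this series do not (msg() terminates lines itself), so these will print with a spurious blank line; drop the newlines. Also, the enum comment added above says NLMSGERR_ATTR_MISS_NEST carries the offset of the nest in which the attribute was missing, yet the message reads "missing required nesting type %u"; something like "missing required attribute inside nest at offset %u" would describe the value correctly.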
--
2.49.0

@@ -0,0 +1,124 @@
From: Antonio Quartulli <antonio@mandelbit.com>
Date: Sat, 17 May 2025 10:32:23 +0200
Subject: dco_linux: fix peer stats parsing with new ovpn kernel module
References: bsc#1239783
Git-repo: https://github.com/OpenVPN/openvpn.git
Git-commit: 6c33e3761ecb476d047bc14e7948ffddba800915
Patch-mainline: v2.7.0
The new ovpn kernel module has changed the netlink attribute
type of the fields containing the pkt/bytes counters in the
peer stats.
We moved from uint64 to uint (a dynamic type can be either
32 or 64 bits), therefore the parsing code must be adapted
accordingly.
While at it, also fix the peer object parsing in the P2P code path.
The fix can be verified by enabling --status with verb 6 and
watching the counters increasing:
2025-05-16 22:23:56 us=649488 dco_get_peer_stats_multi
2025-05-16 22:23:56 us=651008 dco_parse_peer_multi: parsing message...
2025-05-16 22:23:56 us=651734 dco_update_peer_stat / dco_read_bytes: 116280
2025-05-16 22:23:56 us=652682 dco_update_peer_stat / dco_write_bytes: 115776
2025-05-16 22:23:56 us=653467 dco_update_peer_stat / tun_read_bytes: 90048
2025-05-16 22:23:56 us=654110 dco_update_peer_stat / tun_write_bytes: 90048
Change-Id: I104b4adeb9f65cce3487b82f35470174acba92bc
Github: closes OpenVPN/openvpn#746
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250517083231.27977-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31666.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
src/openvpn/dco_linux.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -908,12 +908,26 @@ dco_do_read(dco_context_t *dco)
return ovpn_nl_recvmsgs(dco, __func__);
}
+/* libnl < 3.11.0 does not implement nla_get_uint() */
+static uint64_t
+ovpn_nla_get_uint(struct nlattr *attr)
+{
+ if (nla_len(attr) == sizeof(uint32_t))
+ {
+ return nla_get_u32(attr);
+ }
+ else
+ {
+ return nla_get_u64(attr);
+ }
+}
+
static void
dco_update_peer_stat(struct context_2 *c2, struct nlattr *tb[], uint32_t id)
{
if (tb[OVPN_A_PEER_LINK_RX_BYTES])
{
- c2->dco_read_bytes = nla_get_u64(tb[OVPN_A_PEER_LINK_RX_BYTES]);
+ c2->dco_read_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_LINK_RX_BYTES]);
msg(D_DCO_DEBUG, "%s / dco_read_bytes: " counter_format, __func__,
c2->dco_read_bytes);
}
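Review bot: ovpn_nla_get_uint() treats every length other than 4 as 64-bit, so a malformed or truncated attribute shorter than 8 bytes would be read with nla_get_u64() past its payload. Check for sizeof(uint64_t) explicitly and otherwise warn and return 0 (or let the caller skip that counter), e.g. `if (nla_len(attr) == sizeof(uint64_t)) return nla_get_u64(attr);` followed by the error path. The libnl note (nla_get_uint() from 3.11.0) is a good place to record that this helper can be dropped once that minimum is required.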
@@ -925,7 +939,7 @@ dco_update_peer_stat(struct context_2 *c
if (tb[OVPN_A_PEER_LINK_TX_BYTES])
{
- c2->dco_write_bytes = nla_get_u64(tb[OVPN_A_PEER_LINK_TX_BYTES]);
+ c2->dco_write_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_LINK_TX_BYTES]);
msg(D_DCO_DEBUG, "%s / dco_write_bytes: " counter_format, __func__,
c2->dco_write_bytes);
}
@@ -937,7 +951,7 @@ dco_update_peer_stat(struct context_2 *c
if (tb[OVPN_A_PEER_VPN_RX_BYTES])
{
- c2->tun_read_bytes = nla_get_u64(tb[OVPN_A_PEER_VPN_RX_BYTES]);
+ c2->tun_read_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_VPN_RX_BYTES]);
msg(D_DCO_DEBUG, "%s / tun_read_bytes: " counter_format, __func__,
c2->tun_read_bytes);
}
@@ -949,7 +963,7 @@ dco_update_peer_stat(struct context_2 *c
if (tb[OVPN_A_PEER_VPN_TX_BYTES])
{
- c2->tun_write_bytes = nla_get_u64(tb[OVPN_A_PEER_VPN_TX_BYTES]);
+ c2->tun_write_bytes = ovpn_nla_get_uint(tb[OVPN_A_PEER_VPN_TX_BYTES]);
msg(D_DCO_DEBUG, "%s / tun_write_bytes: " counter_format, __func__,
c2->tun_write_bytes);
}
@@ -1028,12 +1042,12 @@ static int
dco_parse_peer(struct nl_msg *msg, void *arg)
{
struct context *c = arg;
- struct nlattr *tb[OVPN_A_MAX];
+ struct nlattr *tb[OVPN_A_MAX + 1];
struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg));
msg(D_DCO_DEBUG, "%s: parsing message...", __func__);
- nla_parse(tb, OVPN_A_PEER_MAX, genlmsg_attrdata(gnlh, 0),
+ nla_parse(tb, OVPN_A_MAX, genlmsg_attrdata(gnlh, 0),
genlmsg_attrlen(gnlh, 0), NULL);
if (!tb[OVPN_A_PEER])
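Review bot: the array bound and the maxtype now agree, which fixes a stack write past the end of tb: nla_parse() fills tb[0..maxtype] inclusive, so `struct nlattr *tb[OVPN_A_MAX]` was one element short for a maxtype of OVPN_A_MAX, and the old maxtype OVPN_A_PEER_MAX is the bound of the nested peer attribute space rather than the top-level one, so any value of OVPN_A_PEER_MAX >= OVPN_A_MAX would have written outside the array. The policy argument is still NULL, so top-level attribute lengths remain unvalidated; a policy for the top-level attribute set would be a worthwhile follow-up now that the two spaces are handled separately.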
@@ -1043,10 +1057,7 @@ dco_parse_peer(struct nl_msg *msg, void
}
struct nlattr *tb_peer[OVPN_A_PEER_MAX + 1];
-
- nla_parse(tb_peer, OVPN_A_PEER,
- nla_data(tb[OVPN_A_PEER]),
- nla_len(tb[OVPN_A_PEER]), NULL);
+ nla_parse_nested(tb_peer, OVPN_A_PEER_MAX, tb[OVPN_A_PEER], NULL);
if (!tb_peer[OVPN_A_PEER_ID])
{
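Review bot: the removed call passed OVPN_A_PEER, the id of the enclosing attribute, as the maxtype for the nested parse, a value unrelated to the size of tb_peer; nla_parse_nested(tb_peer, OVPN_A_PEER_MAX, ...) matches the `struct nlattr *tb_peer[OVPN_A_PEER_MAX + 1]` declared just above, and since nla_parse_nested() takes the nla_data()/nla_len() of the container itself, the three removed lines collapse cleanly. The policy is NULL here too, so nested attribute lengths (including the byte counters read by dco_update_peer_stat()) are not checked before use.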

@@ -1,7 +1,7 @@
Index: doc/openvpn.8
===================================================================
--- doc/openvpn.8.orig
+++ doc/openvpn.8
--- a/doc/openvpn.8.orig
+++ b/doc/openvpn.8
@@ -6690,9 +6690,9 @@ For more information and examples on how
modules, see the README file in the \fBplugin\fP folder of the OpenVPN
source distribution.

openvpn-2.6.10.tar.gz (Stored with Git LFS): binary file, not shown

@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

openvpn-2.6.14.tar.gz (Stored with Git LFS), new file: binary file, not shown

openvpn-2.6.14.tar.gz.asc, new file (16 lines)

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

@@ -1,3 +1,92 @@
-------------------------------------------------------------------
Wed Aug 6 10:49:15 UTC 2025 - Jiri Slaby <jslaby@suse.cz>
- add (bsc#1239783) -- fix build against 6.16
* 0001-dco-linux-avoid-redefining-ovpn-enums.patch
-------------------------------------------------------------------
Fri May 30 07:03:28 UTC 2025 - Jiri Slaby <jslaby@suse.cz>
- Don't recommend ovpn-dco-kmp if it is in the kernel already (newer and
safer version):
https://build.opensuse.org/requests/1255536
- add (bsc#1239783)
* 0001-dco-better-naming-for-function-parameters.patch
* 0001-dco_linux-extend-netlink-error-cb-with-extra-info.patch
* 0001-Handle-missing-DCO-peer-by-restarting-the-session.patch
* 0001-dco_linux-Introduce-new-uAPIs.patch
* 0001-Implement-ovpn-version-detection.patch
* 0001-dco_linux-fix-peer-stats-parsing-with-new-ovpn-kerne.patch
* 0001-dco_linux-avoid-bogus-text-when-netlink-message-is-n.patch
-------------------------------------------------------------------
Fri Apr 4 20:24:19 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to 2.6.14:
* CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
* Linux DCO: repair source IP selection for --multihome
- update to 2.6.13:
* on non-windows clients (MacOS, Linux, Unix) send "release" string from
uname() call as IV_PLAT_VER to server
* Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default
timeout of 90 seconds
* improve server-side handling of clients sending usernames or passwords
longer than USER_PASS_LEN
* purge proxy authentication credentials from memory after use
- update to 2.6.12:
* the fix for CVE-2024-5594 (refuse control channel messages with
nonprintable characters) was too strict, breaking user configurations
* Http-proxy: fix bug preventing proxy credentials caching
- update to 2.6.11:
* CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them. Security scope: a malicious openvpn
peer can send garbage to openvpn log, or cause high CPU load.
* CVE-2024-28882: only call schedule_exit() once (on a given peer).
Security scope: an authenticated client can make the server "keep the
session" even when the server has been told to disconnect this client
* Fix connect timeout when using SOCKS proxies
* Add bracket in fingerprint message and do not warn about missing
verification
* Remove "experimental" denotation for --fast-io
* Correctly document ifconfig_* variables passed to scripts
* Documentation: make section levels consistent
* Samples: Update sample configurations (remove compression & old cipher
settings, add more informative comments)
- update keyring, as the old one doesn't verify anymore (and attach an url)
- remove openvpn-CVE-2024-28882.patch and openvpn-CVE-2024-5594.patch, as
the latest version include fixes for the CVEs
-------------------------------------------------------------------
Wed Jan 22 16:35:27 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Drop rcFOO symlinks for CODE16 (PED-266).
-------------------------------------------------------------------
Wed Jan 22 08:55:44 UTC 2025 - Rahul Jain <rahul.jain@suse.com>
- FIX:VUL-0 CVE-2024-5594: openvpn: properly handle null bytes and
invalid characters in control messages(bsc#1235147 CVE-2024-5594)
Patchname:openvpn-CVE-2024-5594.patch
-------------------------------------------------------------------
Fri Dec 20 08:13:18 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Set %_buildshell because of bashisms in build recipe
- Replace over-the-top `find -exec rm` by just -delete
-------------------------------------------------------------------
Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
- Fix multiple exit notifications from authenticated clients will
extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
Patchname:openvpn-CVE-2024-28882.patch
-------------------------------------------------------------------
Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
if libnl >= 3.4 is available
-------------------------------------------------------------------
Thu Mar 21 08:33:45 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>

@@ -1,7 +1,8 @@
#
# spec file for package openvpn
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,11 +17,12 @@
#
%define _buildshell /bin/bash
%if ! %{defined _rundir}
%define _rundir %{_localstatedir}/run
%endif
Name: openvpn
Version: 2.6.10
Version: 2.6.14
Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: GPL-2.0-only WITH openvpn-openssl-exception
@@ -31,12 +33,20 @@ Source1: https://swupdate.openvpn.org/community/releases/openvpn-%{versio
Source3: %{name}.README.SUSE
Source4: client-netconfig.up
Source5: client-netconfig.down
Source7: %{name}.keyring
Source7: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf554a3687412cffebdefe0a312f5f7b42f2b01e7#/%{name}.keyring
Source8: %{name}.service
Source9: %{name}.target
Source10: %{name}-tmpfile.conf
Source11: rc%{name}
Patch1: %{name}-2.3-plugin-man.dif
Patch2: 0001-dco-better-naming-for-function-parameters.patch
Patch3: 0001-dco_linux-extend-netlink-error-cb-with-extra-info.patch
Patch4: 0001-Handle-missing-DCO-peer-by-restarting-the-session.patch
Patch5: 0001-dco_linux-Introduce-new-uAPIs.patch
Patch6: 0001-Implement-ovpn-version-detection.patch
Patch7: 0001-dco_linux-fix-peer-stats-parsing-with-new-ovpn-kerne.patch
Patch8: 0001-dco_linux-avoid-bogus-text-when-netlink-message-is-n.patch
Patch9: 0001-dco-linux-avoid-redefining-ovpn-enums.patch
BuildRequires: iproute2
BuildRequires: libcap-ng-devel
BuildRequires: liblz4-devel
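Review bot: the new Source7 fetches the keyring from keyserver.ubuntu.com with the full 40-hex fingerprint (0xf554a3687412cffebdefe0a312f5f7b42f2b01e7) in the query, which is the right way to pin it, but a keyserver only hands back whatever is filed under the id you asked for; the spec or README.SUSE should record where that fingerprint was cross-checked against the OpenVPN project's published release-signing key so the next keyring refresh (the changelog says the old one "doesn't verify anymore") can be repeated without re-deriving trust.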
@@ -49,10 +59,13 @@ BuildRequires: pam-devel
BuildRequires: pkcs11-helper-devel >= 1.11
BuildRequires: pkgconfig
BuildRequires: xz
BuildRequires: pkgconfig(libnl-genl-3.0)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(systemd)
Requires: iproute2
Requires: pkcs11-helper >= 1.11
# the former is KMP (for older distros), the latter is kernel-default
Recommends: (kmod(ovpn_dco_v2.ko) or kmod(ovpn.ko))
%systemd_ordering
%description
@@ -116,7 +129,7 @@ Requires: %{name} = %{version}
This package provides the header file to build external plugins.
%prep
%autosetup -p0
%autosetup -p1
sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
-i src/openvpn/options.c
@@ -135,8 +148,14 @@ export LDFLAGS
# usrmerge
export IPROUTE="%{_sbindir}/ip"
%endif
libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)
if [[ $libnlversion == 3.[0-3].* ]] ; then
confopt=--enable-iproute2
else
confopt=--enable-dco
fi
%configure \
--enable-iproute2 \
$confopt \
--enable-x509-alt-username \
--enable-pkcs11 \
--enable-systemd \
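Review bot: the libnl probe `libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)` queries a package by name, while the build dependency is declared as pkgconfig(libnl-genl-3.0); if that capability is ever provided by a package not named libnl3-devel, rpm -q fails, $libnlversion is empty, the `3.[0-3].*` pattern does not match and the build silently takes the --enable-dco branch. Querying `pkg-config --modversion libnl-genl-3.0` would test exactly what the BuildRequires guarantees, and an explicit error when the version cannot be determined would replace the silent default.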
@@ -149,7 +168,7 @@ export IPROUTE="%{_sbindir}/ip"
%install
%make_install
find %{buildroot} -type f -name "*.la" -print -exec rm -f {} +
find %{buildroot} -type f -name "*.la" -print -delete
mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
mkdir -p %{buildroot}/%{_rundir}/openvpn
mkdir -p %{buildroot}/%{_datadir}/openvpn
@@ -159,7 +178,9 @@ rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service
rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf
install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 644 %{SOURCE9} %{buildroot}/%{_unitdir}/%{name}.target
%if 0%{?suse_version} < 1600
install -D -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/rc%{name}
%endif
# tmpfiles.d
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %{SOURCE10} %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -169,7 +190,7 @@ install -m 755 %{SOURCE5} sample/sample-scripts/client-netconfig.down
# we install docs via spec into _defaultdocdir/name/management-notes.txt
rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
find sample -name .gitignore -exec rm -f {} +
find sample -name .gitignore -delete
%pre
%service_add_pre %{name}.target
@@ -202,7 +223,9 @@ find sample -name .gitignore -exec rm -f {} +
%{_unitdir}/%{name}.target
%{_tmpfilesdir}/%{name}.conf
%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
%if 0%{?suse_version} < 1600
%{_sbindir}/rcopenvpn
%endif
%{_sbindir}/openvpn
%files down-root-plugin