diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 690ac26738d8..4a04c1934186 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -1,172 +1,171 @@ PORTNAME= openvpn -DISTVERSION= 2.6.14 -PORTREVISION?= 3 +DISTVERSION= 2.6.15 +PORTREVISION?= 0 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ https://build.openvpn.net/downloads/releases/ \ LOCAL/mandree MAINTAINER= mandree@FreeBSD.org COMMENT?= Secure IP/Ethernet tunnel daemon WWW= https://openvpn.net/community/ LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL BUILD_DEPENDS+= cmocka>=0:sysutils/cmocka \ rst2man:textproc/py-docutils@${PY_FLAVOR} USES= cpe libtool localbase:ldflags pkgconfig python:build shebangfix ssl USE_RC_SUBR= openvpn SHEBANG_FILES= sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/totpauth.py \ sample/sample-scripts/ucn.pl \ sample/sample-scripts/verify-cn GNU_CONFIGURE= yes GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share CONFIGURE_ARGS+= --enable-strict --with-crypto-library=openssl # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" CONFLICTS_INSTALL?= openvpn-devel SUB_FILES= pkg-message openvpn-client USERS= openvpn GROUPS= openvpn PORTDOCS= * PORTEXAMPLES= * OPTIONS_DEFINE= ASYNC_PUSH DCO DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \ TEST UNITTESTS X509ALTUSERNAME OPTIONS_DEFAULT= DCO EASYRSA LZ4 LZO PKCS11 TEST OPTIONS_EXCLUDE_FreeBSD_13= DCO # FreeBSD 14 only ASYNC_PUSH_DESC= Enable async-push support DCO_DESC= Data Channel Offload/ovpn(4) support->README.dco.md EASYRSA_DESC= Install security/easy-rsa RSA helper package LZO_DESC= LZO compression (incompatible with LibreSSL) PKCS11_DESC= Use security/pkcs11-helper, needs same SSL lib! SMALL_DESC= Build a smaller executable with fewer features UNITTESTS_DESC= Enable unit tests X509ALTUSERNAME_DESC= Enable --x509-username-field ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify ASYNC_PUSH_CONFIGURE_ENABLE= async-push DCO_CONFIGURE_ENABLE= dco EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 LZ4_CONFIGURE_ENABLE= lz4 LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 LZO_CONFIGURE_ENABLE= lzo PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 SMALL_CONFIGURE_ENABLE= small TEST_ALL_TARGET= check TEST_TEST_TARGET_OFF= check UNITTESTS_BUILD_DEPENDS= cmocka>=0:sysutils/cmocka UNITTESTS_CONFIGURE_ENABLE= unit-tests X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif .include .if ${PORT_OPTIONS:MLZO} IGNORE_SSL=libressl libressl-devel IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support .endif .if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO} CONFIGURE_ARGS+= --enable-comp-stub .endif .include .if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*) # in-depth security net if Mk/Uses/ssl.mk changes pre-everything:: @${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support." @${SHELL} -c 'exit 1' .endif post-patch: - ${RM} sample/sample-keys/dh2048.pem # no longer needed ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ -e 's/"nobody"( after init)/"openvpn" \1/' \ ${WRKSRC}/sample/sample-config-files/*.conf \ ${WRKSRC}/doc/man-sections/generic-options.rst pre-configure: # just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional, # and unused-function affects test---these are developer-side warnings, not relevant on end systems ${REINPLACE_CMD} 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' ${WRKSRC}/configure .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif .if !empty(SSL_DEFAULT:Mlibressl*) @${ECHO} "### --------------------------------------------------------- ###" @${ECHO} "### NOTE that libressl is not primarily supported by OpenVPN ###" @${ECHO} "### Do not report bugs without fixes/patches unless the issue ###" @${ECHO} "### can be reproduced with a released OpenSSL version. ###" @${ECHO} "### --------------------------------------------------------- ###" @sleep 10 .endif post-configure: ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ ${WRKSRC}/src/plugins/auth-pam/Makefile \ ${WRKSRC}/src/plugins/down-root/Makefile # sanity check that we don't inherit incompatible SSL libs through, # for instance, pkcs11-helper: _tlslibs=libssl libcrypto post-build: @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ if test "$$*" != "1" ; then ( set -x ; ldd -a ${WRKSRC}/src/openvpn/openvpn ) ; ${PRINTF} '%s\n' "$$a" ; ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include post-install-DOCS-on: ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog Changes.rst CONTRIBUTING.rst PORTS README README.ec ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor .if !empty(PORT_OPTIONS:MDCO) ${INSTALL_MAN} ${WRKSRC}/README.dco.md ${STAGEDIR}${DOCSDIR}/ .endif post-install-EXAMPLES-on: (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* ${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig .include diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo index 9274b1ed493c..514208b4bb7b 100644 --- a/security/openvpn/distinfo +++ b/security/openvpn/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1743554391 -SHA256 (openvpn-2.6.14.tar.gz) = 9eb6a6618352f9e7b771a9d38ae1631b5edfeed6d40233e243e602ddf2195e7a -SIZE (openvpn-2.6.14.tar.gz) = 1926343 +TIMESTAMP = 1758657418 +SHA256 (openvpn-2.6.15.tar.gz) = e35513ee15995e3c71adfd8891b9f33522896c70b3baa2ed9a23c7a42c4d7bde +SIZE (openvpn-2.6.15.tar.gz) = 1917742 diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst index 28c93860b329..ccb2493991c4 100644 --- a/security/openvpn/files/patch-doc_man-sections_generic-options.rst +++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst @@ -1,11 +1,11 @@ ---- doc/man-sections/generic-options.rst.orig 2025-04-02 06:53:10 UTC +--- doc/man-sections/generic-options.rst.orig 2025-09-22 09:50:37 UTC +++ doc/man-sections/generic-options.rst -@@ -514,5 +514,8 @@ --user user +@@ -513,5 +513,8 @@ --user user since it is usually used by other system services already. Always create a dedicated user for openvpn. + The FreeBSD port creates a group and user named :code:`openvpn` + for this purpose. + --writepid file Write OpenVPN's main process ID to ``file``. diff --git a/security/openvpn/files/patch-doc_tests_authentication-plugins.md b/security/openvpn/files/patch-doc_tests_authentication-plugins.md deleted file mode 100644 index d680c64019f7..000000000000 --- a/security/openvpn/files/patch-doc_tests_authentication-plugins.md +++ /dev/null @@ -1,11 +0,0 @@ ---- doc/tests/authentication-plugins.md.orig 2025-04-02 06:53:10 UTC -+++ doc/tests/authentication-plugins.md -@@ -36,7 +36,7 @@ To build the needed authentication plug-in, run: - verb 4 - dev tun - server 10.8.0.0 255.255.255.0 -- dh sample/sample-keys/dh2048.pem -+ dh none - ca sample/sample-keys/ca.crt - cert sample/sample-keys/server.crt - key sample/sample-keys/server.key diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-server b/security/openvpn/files/patch-sample__sample-config-files__loopback-server index 3eac712d9054..06b3eb9f184d 100644 --- a/security/openvpn/files/patch-sample__sample-config-files__loopback-server +++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-server @@ -1,21 +1,13 @@ ---- sample/sample-config-files/loopback-server.orig 2025-04-02 06:53:10 UTC +--- sample/sample-config-files/loopback-server.orig 2025-09-22 09:50:37 UTC +++ sample/sample-config-files/loopback-server -@@ -9,15 +9,15 @@ +@@ -9,8 +9,8 @@ # ./openvpn --config sample-config-files/loopback-client (In one window) # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) -rport 16001 -lport 16000 +rport 16101 +lport 16100 remote localhost local localhost dev null - verb 3 - reneg-sec 10 - tls-server --dh sample-keys/dh2048.pem -+dh none - ca sample-keys/ca.crt - key sample-keys/server.key - cert sample-keys/server.crt diff --git a/security/openvpn/files/patch-sample_sample-config-files_server.conf b/security/openvpn/files/patch-sample_sample-config-files_server.conf deleted file mode 100644 index ba2194589405..000000000000 --- a/security/openvpn/files/patch-sample_sample-config-files_server.conf +++ /dev/null @@ -1,21 +0,0 @@ ---- sample/sample-config-files/server.conf.orig 2025-04-02 06:53:10 UTC -+++ sample/sample-config-files/server.conf -@@ -87,11 +87,6 @@ key server.key # This file should be kept secret - cert server.crt - key server.key # This file should be kept secret - --# Diffie hellman parameters. --# Generate your own with: --# openssl dhparam -out dh2048.pem 2048 --dh dh2048.pem -- - # Allow to connect to really old OpenVPN versions - # without AEAD support (OpenVPN 2.3.x or older) - # This adds AES-256-CBC as fallback cipher and -@@ -307,4 +302,4 @@ verb 3 - - # Notify the client that when the server restarts so it - # can automatically reconnect. --explicit-exit-notify 1 -\ No newline at end of file -+explicit-exit-notify 1 diff --git a/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn b/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn deleted file mode 100644 index 2ff14e611905..000000000000 --- a/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn +++ /dev/null @@ -1,11 +0,0 @@ ---- sample/sample-plugins/keying-material-exporter-demo/server.ovpn.orig 2025-04-02 06:53:10 UTC -+++ sample/sample-plugins/keying-material-exporter-demo/server.ovpn -@@ -8,7 +8,7 @@ key ../../sample-keys/server.key - ca ../../sample-keys/ca.crt - cert ../../sample-keys/server.crt - key ../../sample-keys/server.key --dh ../../sample-keys/dh2048.pem -+dh none - - server 10.8.0.0 255.255.255.0 - port 1194 diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.c b/security/openvpn/files/patch-src_openvpn_dco__freebsd.c deleted file mode 100644 index 686fc6584be7..000000000000 --- a/security/openvpn/files/patch-src_openvpn_dco__freebsd.c +++ /dev/null @@ -1,90 +0,0 @@ ---- src/openvpn/dco_freebsd.c.orig 2025-04-02 06:53:10 UTC -+++ src/openvpn/dco_freebsd.c -@@ -72,6 +72,61 @@ sockaddr_to_nvlist(const struct sockaddr *sa) - return (nvl); - } - -+static bool -+nvlist_to_sockaddr(const nvlist_t *nvl, struct sockaddr_storage *ss) -+{ -+ if (!nvlist_exists_number(nvl, "af")) -+ { -+ return (false); -+ } -+ if (!nvlist_exists_binary(nvl, "address")) -+ { -+ return (false); -+ } -+ if (!nvlist_exists_number(nvl, "port")) -+ { -+ return (false); -+ } -+ -+ ss->ss_family = nvlist_get_number(nvl, "af"); -+ -+ switch (ss->ss_family) -+ { -+ case AF_INET: -+ { -+ struct sockaddr_in *in = (struct sockaddr_in *)ss; -+ const void *data; -+ size_t len; -+ -+ in->sin_len = sizeof(*in); -+ data = nvlist_get_binary(nvl, "address", &len); -+ ASSERT(len == sizeof(in->sin_addr)); -+ memcpy(&in->sin_addr, data, sizeof(in->sin_addr)); -+ in->sin_port = nvlist_get_number(nvl, "port"); -+ break; -+ } -+ -+ case AF_INET6: -+ { -+ struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss; -+ const void *data; -+ size_t len; -+ -+ in6->sin6_len = sizeof(*in6); -+ data = nvlist_get_binary(nvl, "address", &len); -+ ASSERT(len == sizeof(in6->sin6_addr)); -+ memcpy(&in6->sin6_addr, data, sizeof(in6->sin6_addr)); -+ in6->sin6_port = nvlist_get_number(nvl, "port"); -+ break; -+ } -+ -+ default: -+ return (false); -+ } -+ -+ return (true); -+} -+ - int - dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, - struct sockaddr *localaddr, struct sockaddr *remoteaddr, -@@ -570,6 +625,25 @@ dco_do_read(dco_context_t *dco) - case OVPN_NOTIF_ROTATE_KEY: - dco->dco_message_type = OVPN_CMD_SWAP_KEYS; - break; -+ -+ case OVPN_NOTIF_FLOAT: { -+ const nvlist_t *address; -+ -+ if (!nvlist_exists_nvlist(nvl, "address")) -+ { -+ msg(M_WARN, "Float notification without address"); -+ break; -+ } -+ -+ address = nvlist_get_nvlist(nvl, "address"); -+ if (!nvlist_to_sockaddr(address, &dco->dco_float_peer_ss)) -+ { -+ msg(M_WARN, "Failed to parse float notification"); -+ break; -+ } -+ dco->dco_message_type = OVPN_CMD_FLOAT_PEER; -+ break; -+ } - - default: - msg(M_WARN, "Unknown kernel notification %d", type); diff --git a/security/openvpn/files/patch-src_openvpn_dco__freebsd.h b/security/openvpn/files/patch-src_openvpn_dco__freebsd.h deleted file mode 100644 index 32dd08563f27..000000000000 --- a/security/openvpn/files/patch-src_openvpn_dco__freebsd.h +++ /dev/null @@ -1,18 +0,0 @@ ---- src/openvpn/dco_freebsd.h.orig 2025-04-02 06:53:10 UTC -+++ src/openvpn/dco_freebsd.h -@@ -36,6 +36,7 @@ enum ovpn_message_type_t { - OVPN_CMD_DEL_PEER, - OVPN_CMD_PACKET, - OVPN_CMD_SWAP_KEYS, -+ OVPN_CMD_FLOAT_PEER, - }; - - enum ovpn_del_reason_t { -@@ -55,6 +56,7 @@ typedef struct dco_context { - int dco_message_type; - int dco_message_peer_id; - int dco_del_peer_reason; -+ struct sockaddr_storage dco_float_peer_ss; - uint64_t dco_read_bytes; - uint64_t dco_write_bytes; - } dco_context_t; diff --git a/security/openvpn/files/patch-src_openvpn_forward.c b/security/openvpn/files/patch-src_openvpn_forward.c deleted file mode 100644 index 0734167f6636..000000000000 --- a/security/openvpn/files/patch-src_openvpn_forward.c +++ /dev/null @@ -1,44 +0,0 @@ ---- src/openvpn/forward.c.orig 2025-04-02 06:53:10 UTC -+++ src/openvpn/forward.c -@@ -1234,6 +1234,41 @@ process_incoming_link(struct context *c) - perf_pop(); - } - -+void -+extract_dco_float_peer_addr(const sa_family_t socket_family, -+ struct openvpn_sockaddr *out_osaddr, -+ const struct sockaddr *float_sa) -+{ -+ if (float_sa->sa_family == AF_INET) -+ { -+ struct sockaddr_in *float4 = (struct sockaddr_in *)float_sa; -+ /* DCO treats IPv4-mapped IPv6 addresses as pure IPv4. However, on a -+ * dual-stack socket, we need to preserve the mapping otherwise openvpn -+ * will not be able to find the peer by its transport address. -+ */ -+ if (socket_family == AF_INET6) -+ { -+ out_osaddr->addr.in6.sin6_family = AF_INET6; -+ out_osaddr->addr.in6.sin6_port = float4->sin_port; -+ -+ memset(&out_osaddr->addr.in6.sin6_addr.s6_addr, 0, 10); -+ out_osaddr->addr.in6.sin6_addr.s6_addr[10] = 0xff; -+ out_osaddr->addr.in6.sin6_addr.s6_addr[11] = 0xff; -+ memcpy(&out_osaddr->addr.in6.sin6_addr.s6_addr[12], -+ &float4->sin_addr.s_addr, sizeof(in_addr_t)); -+ } -+ else -+ { -+ memcpy(&out_osaddr->addr.in4, float4, sizeof(struct sockaddr_in)); -+ } -+ } -+ else -+ { -+ struct sockaddr_in6 *float6 = (struct sockaddr_in6 *)float_sa; -+ memcpy(&out_osaddr->addr.in6, float6, sizeof(struct sockaddr_in6)); -+ } -+} -+ - static void - process_incoming_dco(struct context *c) - { diff --git a/security/openvpn/files/patch-src_openvpn_forward.h b/security/openvpn/files/patch-src_openvpn_forward.h deleted file mode 100644 index 050343949c03..000000000000 --- a/security/openvpn/files/patch-src_openvpn_forward.h +++ /dev/null @@ -1,24 +0,0 @@ ---- src/openvpn/forward.h.orig 2025-04-02 06:53:10 UTC -+++ src/openvpn/forward.h -@@ -189,6 +189,21 @@ void process_incoming_link_part2(struct context *c, st - void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf); - - /** -+ * Transfers \c float_sa data extracted from an incoming DCO -+ * PEER_FLOAT_NTF to \c out_osaddr for later processing. -+ * -+ * @param socket_family - The address family of the socket -+ * @param out_osaddr - openvpn_sockaddr struct that will be filled the new -+ * address data -+ * @param float_sa - The sockaddr struct containing the data received from the -+ * DCO notification -+ */ -+void -+extract_dco_float_peer_addr(sa_family_t socket_family, -+ struct openvpn_sockaddr *out_osaddr, -+ const struct sockaddr *float_sa); -+ -+/** - * Write a packet to the external network interface. - * @ingroup external_multiplexer - * diff --git a/security/openvpn/files/patch-src_openvpn_init.c b/security/openvpn/files/patch-src_openvpn_init.c deleted file mode 100644 index 0d09e6050236..000000000000 --- a/security/openvpn/files/patch-src_openvpn_init.c +++ /dev/null @@ -1,22 +0,0 @@ ---- src/openvpn/init.c.orig 2025-04-02 06:53:10 UTC -+++ src/openvpn/init.c -@@ -330,7 +330,7 @@ management_callback_remote_entry_count(void *arg) - static unsigned int - management_callback_remote_entry_count(void *arg) - { -- assert(arg); -+ ASSERT(arg); - struct context *c = (struct context *) arg; - struct connection_list *l = c->options.connection_list; - -@@ -340,8 +340,8 @@ management_callback_remote_entry_get(void *arg, unsign - static bool - management_callback_remote_entry_get(void *arg, unsigned int index, char **remote) - { -- assert(arg); -- assert(remote); -+ ASSERT(arg); -+ ASSERT(remote); - - struct context *c = (struct context *) arg; - struct connection_list *l = c->options.connection_list; diff --git a/security/openvpn/files/patch-src_openvpn_multi.c b/security/openvpn/files/patch-src_openvpn_multi.c deleted file mode 100644 index 22995fb45caf..000000000000 --- a/security/openvpn/files/patch-src_openvpn_multi.c +++ /dev/null @@ -1,39 +0,0 @@ ---- src/openvpn/multi.c.orig 2025-04-02 06:53:10 UTC -+++ src/openvpn/multi.c -@@ -3169,6 +3169,18 @@ multi_process_float(struct multi_context *m, struct mu - goto done; - } - -+ /* It doesn't make sense to let a peer float to the address it already -+ * has, so we disallow it. This can happen if a DCO netlink notification -+ * gets lost and we miss a floating step. -+ */ -+ if (m1->peer_id == m2->peer_id) -+ { -+ msg(M_WARN, "disallowing peer %" PRIu32 " (%s) from floating to " -+ "its own address (%s)", -+ m1->peer_id, tls_common_name(mi->context.c2.tls_multi, false), -+ mroute_addr_print(&mi->real, &gc)); -+ goto done; -+ } - msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc)); - multi_close_instance(m, ex_mi, false); - } -@@ -3301,6 +3313,17 @@ multi_process_incoming_dco(struct multi_context *m) - { - process_incoming_del_peer(m, mi, dco); - } -+#if defined(TARGET_FREEBSD) -+ else if (dco->dco_message_type == OVPN_CMD_FLOAT_PEER) -+ { -+ ASSERT(mi->context.c2.link_socket); -+ extract_dco_float_peer_addr(mi->context.c2.link_socket->info.af, -+ &m->top.c2.from.dest, -+ (struct sockaddr *)&dco->dco_float_peer_ss); -+ multi_process_float(m, mi); -+ CLEAR(dco->dco_float_peer_ss); -+ } -+#endif /* if defined(TARGET_LINUX) || defined(TARGET_WIN32) */ - else if (dco->dco_message_type == OVPN_CMD_SWAP_KEYS) - { - tls_session_soft_reset(mi->context.c2.tls_multi); diff --git a/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h b/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h deleted file mode 100644 index 1d1ff16e5d8e..000000000000 --- a/security/openvpn/files/patch-src_openvpn_ovpn__dco__freebsd.h +++ /dev/null @@ -1,10 +0,0 @@ ---- src/openvpn/ovpn_dco_freebsd.h.orig 2025-04-02 06:53:10 UTC -+++ src/openvpn/ovpn_dco_freebsd.h -@@ -37,6 +37,7 @@ enum ovpn_notif_type { - enum ovpn_notif_type { - OVPN_NOTIF_DEL_PEER, - OVPN_NOTIF_ROTATE_KEY, -+ OVPN_NOTIF_FLOAT, - }; - - enum ovpn_del_reason {