Version in base suite: 2.6.14-1 Base version: openvpn_2.6.14-1 Target version: openvpn_2.6.14-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openvpn/openvpn_2.6.14-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openvpn/openvpn_2.6.14-1+deb13u1.dsc changelog | 14 + gbp.conf | 1 patches/CVE-2025-13086.patch | 155 +++++++++++++++++ patches/check-message-id.patch | 312 ++++++++++++++++++++++++++++++++++++ patches/fix-ftbfs-kernel-6.16.patch | 78 +++++++++ patches/series | 3 6 files changed, 563 insertions(+) diff -Nru openvpn-2.6.14/debian/changelog openvpn-2.6.14/debian/changelog --- openvpn-2.6.14/debian/changelog 2025-04-02 18:56:44.000000000 +0000 +++ openvpn-2.6.14/debian/changelog 2025-11-20 23:45:17.000000000 +0000 @@ -1,3 +1,17 @@ +openvpn (2.6.14-1+deb13u1) trixie-security; urgency=medium + + * Cherry-pick patches for CVE-2025-13086 + - check-message-id.patch: Check message id/acked ids too when doing + sessionid cookie checks - bugfix for floating client problem, code + prequesite for the CVE patch to apply + - CVE-2025-13086.patch: Fix memcmp check for the hmac verification in the + 3way handshake being inverted (Closes: #1121086) + * fix-ftbfs-kernel-6.16.patch: Fix compilation against 6.16+ kernel + headers (Closes: #1114249) + * d/gbp.conf: set debian-branch for trixie + + -- Bernhard Schmidt Fri, 21 Nov 2025 00:45:17 +0100 + openvpn (2.6.14-1) unstable; urgency=medium [ Aquila Macedo ] diff -Nru openvpn-2.6.14/debian/gbp.conf openvpn-2.6.14/debian/gbp.conf --- openvpn-2.6.14/debian/gbp.conf 2025-04-02 18:56:44.000000000 +0000 +++ openvpn-2.6.14/debian/gbp.conf 2025-11-20 23:45:17.000000000 +0000 @@ -1,2 +1,3 @@ [DEFAULT] pristine-tar = True +debian-branch = debian/trixie diff -Nru openvpn-2.6.14/debian/patches/CVE-2025-13086.patch openvpn-2.6.14/debian/patches/CVE-2025-13086.patch --- openvpn-2.6.14/debian/patches/CVE-2025-13086.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvpn-2.6.14/debian/patches/CVE-2025-13086.patch 2025-11-20 23:45:17.000000000 +0000 @@ -0,0 +1,155 @@ +From fa6a1824b0f37bff137204156a74ca28cf5b6f83 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe +Date: Mon, 27 Oct 2025 10:05:55 +0100 +Subject: [PATCH] Fix memcmp check for the hmac verification in the 3way + handshake being inverted + +This is a stupid mistake but causes all hmac cookies to be accepted, +thus breaking source IP address validation. As a consequence, TLS +sessions can be openend and state can be consumed in the server from +IP addresses that did not initiate an initial connection. + +While at it, fix check to only allow [t-2;t] timeslots, disallowing +HMACs coming in from a future timeslot. + +Github: OpenVPN/openvpn-private-issues#56 + +CVE: 2025-13086 + +Reported-By: Joshua Rogers +Found-by: ZeroPath (https://zeropath.com/) +Reported-By: stefan@srlabs.de + +Change-Id: I9cbe2bf535575b47ddd7f34e985c5c1c6953a6fc +Signed-off-by: Arne Schwabe +Acked-by: Max Fillinger +(cherry picked from commit 68ec931e7fb4af11d5ba0d4283df0350083fd373) +--- + src/openvpn/ssl_pkt.c | 7 ++-- + tests/unit_tests/openvpn/test_pkt.c | 58 ++++++++++++++++++++++++++++- + 2 files changed, 61 insertions(+), 4 deletions(-) + +diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c +index 432bb8b8181..cf1ce172732 100644 +--- a/src/openvpn/ssl_pkt.c ++++ b/src/openvpn/ssl_pkt.c +@@ -576,13 +576,14 @@ check_session_hmac_and_pkt_id(struct tls_pre_decrypt_state *state, + } + + +- /* check adjacent timestamps too */ +- for (int offset = -2; offset <= 1; offset++) ++ /* check adjacent timestamps too, the handwindow is split in 2 for the ++ * offset, so we check the current timeslot and the two before that */ ++ for (int offset = -2; offset <= 0; offset++) + { + struct session_id expected_id = + calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, offset); + +- if (memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE)) ++ if (memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE) == 0) + { + return true; + } +diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c +index 27f52cf500d..62abafaac99 100644 +--- a/tests/unit_tests/openvpn/test_pkt.c ++++ b/tests/unit_tests/openvpn/test_pkt.c +@@ -444,6 +444,8 @@ test_verify_hmac_tls_auth(void **ut_state) + hmac_ctx_t *hmac = session_id_hmac_init(); + + struct link_socket_actual from = { 0 }; ++ from.dest.addr.sa.sa_family = AF_INET; ++ from.dest.addr.in4.sin_addr.s_addr = ntohl(0x01020304); + struct tls_auth_standalone tas = { 0 }; + struct tls_pre_decrypt_state state = { 0 }; + +@@ -471,10 +473,12 @@ test_verify_hmac_tls_auth(void **ut_state) + static void + test_verify_hmac_none(void **ut_state) + { ++ now = 1000; + hmac_ctx_t *hmac = session_id_hmac_init(); + + struct link_socket_actual from = { 0 }; + from.dest.addr.sa.sa_family = AF_INET; ++ from.dest.addr.in4.sin_addr.s_addr = ntohl(0x01020304); + + struct tls_auth_standalone tas = { 0 }; + struct tls_pre_decrypt_state state = { 0 }; +@@ -489,9 +493,61 @@ test_verify_hmac_none(void **ut_state) + verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); + assert_int_equal(verdict, VERDICT_VALID_ACK_V1); + ++ /* This packet has a random hmac, so it should fail to validate */ + bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true); ++ assert_false(valid); ++ ++ struct session_id client_id = { { 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8 } }; ++ assert_memory_equal(&client_id, &state.peer_session_id, sizeof(struct session_id)); ++ ++ struct session_id expected_id = calculate_session_id_hmac(client_id, &from.dest, hmac, 30, 0); ++ ++ free_tls_pre_decrypt_state(&state); ++ buf_reset_len(&buf); ++ ++ /* Write the packet again into the buffer but this time, replacing the peer packet ++ * id with the expected one */ ++ buf_write(&buf, client_ack_none_random_id, sizeof(client_ack_none_random_id) - 8); ++ buf_write(&buf, expected_id.id, 8); ++ ++ verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); ++ assert_int_equal(verdict, VERDICT_VALID_ACK_V1); ++ valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true); ++ + assert_true(valid); + ++ /* Our handwindow is 30 so the slices are half of that, so they are ++ * (975,990), (990, 1005), (1005, 1020), (1020, 1035), (1035, 1050) ++ * So setting time to the two future ones should work ++ */ ++ now = 980; ++ assert_false(check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true)); ++ now = 1040; ++ assert_false(check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true)); ++ now = 1002; ++ assert_true(check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true)); ++ now = 1022; ++ assert_true(check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true)); ++ now = 1010; ++ assert_true(check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true)); ++ ++ /* Changing the IP address should make this invalid */ ++ from.dest.addr.in4.sin_addr.s_addr = ntohl(0x01020305); ++ assert_false(check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true)); ++ ++ /* Change to the correct one again */ ++ from.dest.addr.in4.sin_addr.s_addr = ntohl(0x01020304); ++ assert_true(check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true)); ++ ++ /* Modify the peer id, should now fail hmac verification */ ++ buf_inc_len(&buf, -4); ++ buf_write_u32(&buf, 0x12345678); ++ ++ free_tls_pre_decrypt_state(&state); ++ verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); ++ assert_int_equal(verdict, VERDICT_VALID_ACK_V1); ++ assert_false(check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true)); ++ + free_tls_pre_decrypt_state(&state); + free_buf(&buf); + hmac_ctx_cleanup(hmac); +@@ -723,12 +779,12 @@ int + main(void) + { + const struct CMUnitTest tests[] = { ++ cmocka_unit_test(test_verify_hmac_none), + cmocka_unit_test(test_tls_decrypt_lite_none), + cmocka_unit_test(test_tls_decrypt_lite_auth), + cmocka_unit_test(test_tls_decrypt_lite_crypt), + cmocka_unit_test(test_parse_ack), + cmocka_unit_test(test_calc_session_id_hmac_static), +- cmocka_unit_test(test_verify_hmac_none), + cmocka_unit_test(test_verify_hmac_tls_auth), + cmocka_unit_test(test_verify_hmac_none_out_of_range_ack), + cmocka_unit_test(test_generate_reset_packet_plain), diff -Nru openvpn-2.6.14/debian/patches/check-message-id.patch openvpn-2.6.14/debian/patches/check-message-id.patch --- openvpn-2.6.14/debian/patches/check-message-id.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvpn-2.6.14/debian/patches/check-message-id.patch 2025-11-20 23:45:17.000000000 +0000 @@ -0,0 +1,312 @@ +From 68c01720eecc1772b3f648b9e043e396d943f632 Mon Sep 17 00:00:00 2001 +From: Arne Schwabe +Date: Tue, 16 Sep 2025 17:52:50 +0200 +Subject: [PATCH] Check message id/acked ids too when doing sessionid cookie + checks + +This fixes that control packets on a floating client can trigger +creating a new session in special circumstances: + +To trigger this circumstance a connection needs to + +- starts on IP A +- successfully floats to IP B by data packet +- then has a control packet from IP A before any + data packet can trigger the float back to IP A + +and all of this needs to happen in the 60s time +that hmac cookie is valid in the default +configuration. + +In this scenario we would trigger a new connection as the HMAC +session id would be valid. + +This patch adds checking also of the message-id and acked ids to +discern packet from the initial three-way handshake where these +ids are 0 or 1 from any later packet. + +This will now trigger (at verb 4 or higher) a messaged like: + + Packet (P_ACK_V1) with invalid or missing SID + +instead. + +Also remove a few duplicated free_tls_pre_decrypt_state in test_ssl. + +Reported-By: Walter Doekes +Tested-By: Walter Doekes + +Change-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403 +Signed-off-by: Arne Schwabe +Acked-by: MaxF +Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1184 +Message-Id: <20250916155258.6864-1-gert@greenie.muc.de> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32990.html +Signed-off-by: Gert Doering +(backported from commit 518e122b42739b0dbb54e7169a8a3aadb4773125) +--- + src/openvpn/mudp.c | 6 ++- + src/openvpn/ssl_pkt.c | 39 +++++++++++++-- + src/openvpn/ssl_pkt.h | 15 +++--- + tests/unit_tests/openvpn/test_pkt.c | 77 ++++++++++++++++++++++++++--- + 4 files changed, 117 insertions(+), 20 deletions(-) + +diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c +index cdde0b5c972..0492311669c 100644 +--- a/src/openvpn/mudp.c ++++ b/src/openvpn/mudp.c +@@ -153,7 +153,8 @@ do_pre_decrypt_check(struct multi_context *m, + * need to contain the peer id */ + struct gc_arena gc = gc_new(); + +- bool ret = check_session_id_hmac(state, from, hmac, handwindow); ++ bool pkt_is_ack = (verdict == VERDICT_VALID_ACK_V1); ++ bool ret = check_session_hmac_and_pkt_id(state, from, hmac, handwindow, pkt_is_ack); + + const char *peer = print_link_socket_actual(&m->top.c2.from, &gc); + uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf); +@@ -161,7 +162,8 @@ do_pre_decrypt_check(struct multi_context *m, + + if (!ret) + { +- msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from %s", ++ msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from" ++ " %s or wrong packet id", + packet_opcode_name(op), peer); + } + else +diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c +index 41299f462db..432bb8b8181 100644 +--- a/src/openvpn/ssl_pkt.c ++++ b/src/openvpn/ssl_pkt.c +@@ -527,10 +527,11 @@ calculate_session_id_hmac(struct session_id client_sid, + } + + bool +-check_session_id_hmac(struct tls_pre_decrypt_state *state, +- const struct openvpn_sockaddr *from, +- hmac_ctx_t *hmac, +- int handwindow) ++check_session_hmac_and_pkt_id(struct tls_pre_decrypt_state *state, ++ const struct openvpn_sockaddr *from, ++ hmac_ctx_t *hmac, ++ int handwindow, ++ bool pkt_is_ack) + { + if (!from) + { +@@ -545,6 +546,36 @@ check_session_id_hmac(struct tls_pre_decrypt_state *state, + return false; + } + ++ /* Check if the packet ID of the packet or ACKED packet is <= 1 */ ++ for (int i = 0; i < ack.len; i++) ++ { ++ /* This packet ACKs a packet that has a higher packet id than the ++ * ones expected in the three-way handshake, consider it as invalid ++ * for the session */ ++ if (ack.packet_id[i] > 1) ++ { ++ return false; ++ } ++ } ++ ++ if (!pkt_is_ack) ++ { ++ packet_id_type message_id; ++ /* Extract the packet ID from the packet */ ++ if (!reliable_ack_read_packet_id(&buf, &message_id)) ++ { ++ return false; ++ } ++ ++ /* similar check. Anything larger than 1 is not considered part of the ++ * three-way handshake */ ++ if (message_id > 1) ++ { ++ return false; ++ } ++ } ++ ++ + /* check adjacent timestamps too */ + for (int offset = -2; offset <= 1; offset++) + { +diff --git a/src/openvpn/ssl_pkt.h b/src/openvpn/ssl_pkt.h +index 2033da61ff7..1df691c369a 100644 +--- a/src/openvpn/ssl_pkt.h ++++ b/src/openvpn/ssl_pkt.h +@@ -182,17 +182,20 @@ calculate_session_id_hmac(struct session_id client_sid, + /** + * Checks if a control packet has a correct HMAC server session id + * +- * @param client_sid session id of the client ++ * This will also consider packets that have a packet id higher ++ * than 1 or ack packets higher than 1 to be invalid as they are ++ * not part of the initial three way handshake of OpenVPN and should ++ * not create a new connection. ++ * ++ * @param state session information + * @param from link_socket from the client + * @param hmac the hmac context to use for the calculation + * @param handwindow the quantisation of the current time ++ * @param pkt_is_ack the packet being checked is a P_ACK_V1 + * @return the expected server session id + */ +-bool +-check_session_id_hmac(struct tls_pre_decrypt_state *state, +- const struct openvpn_sockaddr *from, +- hmac_ctx_t *hmac, +- int handwindow); ++bool check_session_hmac_and_pkt_id(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, ++ hmac_ctx_t *hmac, int handwindow, bool pkt_is_ack); + + /* + * Write a control channel authentication record. +diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c +index 74d7311f74d..27f52cf500d 100644 +--- a/tests/unit_tests/openvpn/test_pkt.c ++++ b/tests/unit_tests/openvpn/test_pkt.c +@@ -174,6 +174,27 @@ const uint8_t client_ack_none_random_id[] = { + 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e + }; + ++/* no tls-auth, P_ACK_V1, acks 0,1, and 2 */ ++const uint8_t client_ack_123_none_random_id[] = { ++ 0x28, ++ 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8, ++ 0x03, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x01, ++ 0x00, 0x00, 0x00, 0x02, ++ 0xdd, 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e ++}; ++ ++/* no tls-auth, P_CONTROL_V1, acks 0, msg-id 2 */ ++const uint8_t client_control_none_random_id[] = { ++ 0x20, ++ 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8, ++ 0x01, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x02 ++}; ++ ++ + struct tls_auth_standalone + init_tas_auth(int key_direction) + { +@@ -294,12 +315,10 @@ test_tls_decrypt_lite_auth(void **ut_state) + assert_int_equal(verdict, VERDICT_VALID_RESET_V2); + free_tls_pre_decrypt_state(&state); + +- free_tls_pre_decrypt_state(&state); + /* The pre decrypt function should not modify the buffer, so calling it + * again should have the same result */ + verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); + assert_int_equal(verdict, VERDICT_VALID_RESET_V2); +- free_tls_pre_decrypt_state(&state); + + /* and buf memory should be equal */ + assert_memory_equal(BPTR(&buf), client_reset_v2_tls_auth, sizeof(client_reset_v2_tls_auth)); +@@ -317,7 +336,6 @@ test_tls_decrypt_lite_auth(void **ut_state) + assert_int_equal(verdict, VERDICT_INVALID); + free_tls_pre_decrypt_state(&state); + +- free_tls_pre_decrypt_state(&state); + /* Wrong key direction gives a wrong hmac key and should not validate */ + free_key_ctx_bi(&tas.tls_wrap.opt.key_ctx_bi); + free_tas(&tas); +@@ -357,15 +375,12 @@ test_tls_decrypt_lite_none(void **ut_state) + assert_int_equal(verdict, VERDICT_VALID_RESET_V2); + free_tls_pre_decrypt_state(&state); + +- free_tls_pre_decrypt_state(&state); + buf_reset_len(&buf); + buf_write(&buf, client_reset_v2_tls_crypt, sizeof(client_reset_v2_none)); + verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); + assert_int_equal(verdict, VERDICT_VALID_RESET_V2); + free_tls_pre_decrypt_state(&state); + +- free_tls_pre_decrypt_state(&state); +- + /* This is not a reset packet and should trigger the other response */ + buf_reset_len(&buf); + buf_write(&buf, client_ack_tls_auth_randomid, sizeof(client_ack_tls_auth_randomid)); +@@ -443,7 +458,7 @@ test_verify_hmac_tls_auth(void **ut_state) + assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1); + + /* This is a valid packet but containing a random id instead of an HMAC id*/ +- bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30); ++ bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, false); + assert_false(valid); + + free_tls_pre_decrypt_state(&state); +@@ -474,7 +489,7 @@ test_verify_hmac_none(void **ut_state) + verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); + assert_int_equal(verdict, VERDICT_VALID_ACK_V1); + +- bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30); ++ bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true); + assert_true(valid); + + free_tls_pre_decrypt_state(&state); +@@ -483,6 +498,51 @@ test_verify_hmac_none(void **ut_state) + hmac_ctx_free(hmac); + } + ++static void ++test_verify_hmac_none_out_of_range_ack(void **ut_state) ++{ ++ hmac_ctx_t *hmac = session_id_hmac_init(); ++ ++ struct link_socket_actual from = { 0 }; ++ from.dest.addr.sa.sa_family = AF_INET; ++ ++ struct tls_auth_standalone tas = { 0 }; ++ struct tls_pre_decrypt_state state = { 0 }; ++ ++ struct buffer buf = alloc_buf(1024); ++ enum first_packet_verdict verdict; ++ ++ tas.tls_wrap.mode = TLS_WRAP_NONE; ++ ++ buf_reset_len(&buf); ++ buf_write(&buf, client_ack_123_none_random_id, sizeof(client_ack_123_none_random_id)); ++ ++ ++ verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); ++ assert_int_equal(verdict, VERDICT_VALID_ACK_V1); ++ ++ /* should fail because it acks 2 */ ++ bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true); ++ assert_false(valid); ++ free_tls_pre_decrypt_state(&state); ++ ++ /* Try test with the control with a too high message id now */ ++ buf_reset_len(&buf); ++ buf_write(&buf, client_control_none_random_id, sizeof(client_control_none_random_id)); ++ ++ verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); ++ assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1); ++ ++ /* should fail because it has message id 2 */ ++ valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true); ++ assert_false(valid); ++ ++ free_tls_pre_decrypt_state(&state); ++ free_buf(&buf); ++ hmac_ctx_cleanup(hmac); ++ hmac_ctx_free(hmac); ++} ++ + static hmac_ctx_t * + init_static_hmac(void) + { +@@ -670,6 +730,7 @@ main(void) + cmocka_unit_test(test_calc_session_id_hmac_static), + cmocka_unit_test(test_verify_hmac_none), + cmocka_unit_test(test_verify_hmac_tls_auth), ++ cmocka_unit_test(test_verify_hmac_none_out_of_range_ack), + cmocka_unit_test(test_generate_reset_packet_plain), + cmocka_unit_test(test_generate_reset_packet_tls_auth), + cmocka_unit_test(test_extract_control_message) diff -Nru openvpn-2.6.14/debian/patches/fix-ftbfs-kernel-6.16.patch openvpn-2.6.14/debian/patches/fix-ftbfs-kernel-6.16.patch --- openvpn-2.6.14/debian/patches/fix-ftbfs-kernel-6.16.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvpn-2.6.14/debian/patches/fix-ftbfs-kernel-6.16.patch 2025-11-20 23:45:17.000000000 +0000 @@ -0,0 +1,78 @@ +From 1fbbe91d292fb925f5af73b512d7d1c83abfe714 Mon Sep 17 00:00:00 2001 +From: Frank Lichtenheld +Date: Fri, 1 Aug 2025 15:03:02 +0200 +Subject: [PATCH] dco linux: avoid redefining ovpn enums (2.6) + +Starting with Linux kernel version 6.16, a couple of ovpn-related enum +definitions were introduced in the `include/uapi/linux/if_link.h` +header. Redefining them in openvpn when they are already present in the +system headers can lead to conflicts or build issues. + +This commit ensures that enum redefinitions are avoided by conditionally +using the existing definitions from the system header when available. + +This is the port to release/2.6 based on commit +1d3c2b67a73a0aa011c13e62f876d24e49d41df0. + +Change-Id: I41c5dfc7489352a9534ff6b1585a5a81e0623ab1 +Signed-off-by: Frank Lichtenheld +Acked-by: Antonio Quartulli +Message-Id: <20250801130302.372311-1-frank@lichtenheld.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32470.html +Signed-off-by: Gert Doering +--- + src/openvpn/dco_linux.h | 6 ++++-- + src/openvpn/ovpn_dco_linux.h | 9 +++++++-- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h +index 511519aece4..5179912b522 100644 +--- a/src/openvpn/dco_linux.h ++++ b/src/openvpn/dco_linux.h +@@ -26,11 +26,13 @@ + + #include "event.h" + +-#include "ovpn_dco_linux.h" +- + #include + #include + ++/* include last since we need to behave differently if the kernel headers ++ * are from 6.16+ */ ++#include "ovpn_dco_linux.h" ++ + typedef enum ovpn_key_slot dco_key_slot_t; + typedef enum ovpn_cipher_alg dco_cipher_t; + +diff --git a/src/openvpn/ovpn_dco_linux.h b/src/openvpn/ovpn_dco_linux.h +index 73e19b591cb..34abc6ab79d 100644 +--- a/src/openvpn/ovpn_dco_linux.h ++++ b/src/openvpn/ovpn_dco_linux.h +@@ -237,14 +237,17 @@ enum ovpn_netlink_packet_attrs { + OVPN_PACKET_ATTR_MAX = __OVPN_PACKET_ATTR_AFTER_LAST - 1, + }; + ++#ifndef IFLA_OVPN_MAX ++ + enum ovpn_ifla_attrs { + IFLA_OVPN_UNSPEC = 0, + IFLA_OVPN_MODE, + +- __IFLA_OVPN_AFTER_LAST, +- IFLA_OVPN_MAX = __IFLA_OVPN_AFTER_LAST - 1, ++ __IFLA_OVPN_MAX, + }; + ++#define IFLA_OVPN_MAX (__IFLA_OVPN_MAX - 1) ++ + enum ovpn_mode { + __OVPN_MODE_FIRST = 0, + OVPN_MODE_P2P = __OVPN_MODE_FIRST, +@@ -253,4 +256,6 @@ enum ovpn_mode { + __OVPN_MODE_AFTER_LAST, + }; + ++#endif /* ifndef IFLA_OVPN_MAX */ ++ + #endif /* _UAPI_LINUX_OVPN_DCO_H_ */ diff -Nru openvpn-2.6.14/debian/patches/series openvpn-2.6.14/debian/patches/series --- openvpn-2.6.14/debian/patches/series 2025-04-02 18:56:44.000000000 +0000 +++ openvpn-2.6.14/debian/patches/series 2025-11-20 23:45:17.000000000 +0000 @@ -2,3 +2,6 @@ auth-pam_libpam_so_filename.patch #debian_nogroup_for_sample_files.patch openvpn-pkcs11warn.patch +fix-ftbfs-kernel-6.16.patch +check-message-id.patch +CVE-2025-13086.patch