File openvpn-CVE-2025-2704.patch of Package openvpn.38226
diff -Naurp openvpn-2.6.8.orig/src/openvpn/socket.h openvpn-2.6.8/src/openvpn/socket.h
--- openvpn-2.6.8.orig/src/openvpn/socket.h 2023-11-17 08:23:51.000000000 +0100
+++ openvpn-2.6.8/src/openvpn/socket.h 2025-04-08 17:46:48.750215046 +0200
@@ -1149,13 +1149,44 @@ link_socket_write_udp_posix(struct link_
if (proto_is_udp(sock->info.proto) && (sock->sockflags & SF_USE_IP_PKTINFO)
&& addr_defined_ipi(to))
{
- return link_socket_write_udp_posix_sendmsg(sock, buf, to);
+ /* super hacky code to duplicate WKC_V1 packet to the normal one
+ * * and a broken second copy */
+ /* CONTROL_WKC_V1 << 4 */
+ uint8_t *bufptr = BPTR(buf);
+ uint8_t header = bufptr[0];
+ if (header == 0x58)
+ {
+ link_socket_write_udp_posix_sendmsg(sock, buf, to);
+ int blen = buf_len(buf);
+ bufptr[blen - 20] = 0x00;
+ return link_socket_write_udp_posix_sendmsg(sock, buf, to);
+ }
+ else
+ {
+ return link_socket_write_udp_posix_sendmsg(sock, buf, to);
+ }
}
else
-#endif
+#endif /* if ENABLE_IP_PKTINFO */
+ {
+ uint8_t *bufptr = BPTR(buf);
+ uint8_t header = bufptr[0];
+ if (header == 0x58)
+ {
+ sendto(sock->sd, BPTR(buf), BLEN(buf), 0,
+ (struct sockaddr *) &to->dest.addr.sa,
+ (socklen_t) af_addr_size(to->dest.addr.sa.sa_family));
+
+ int blen = buf_len(buf);
+ memset(bufptr + blen - 50, 0x11, 32);
+ return sendto(sock->sd, BPTR(buf), BLEN(buf), 0,
+ (struct sockaddr *) &to->dest.addr.sa,
+ (socklen_t) af_addr_size(to->dest.addr.sa.sa_family));
+ }
return sendto(sock->sd, BPTR(buf), BLEN(buf), 0,
(struct sockaddr *) &to->dest.addr.sa,
(socklen_t) af_addr_size(to->dest.addr.sa.sa_family));
+ }
}
static inline size_t
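Review bot: The socket.h hunk is not part of the tls-crypt-v2 fix but a fault-injection harness — its own comment calls it "super hacky code" that sends "a broken second copy" — and shipping it in a distribution patch changes production behaviour: every outgoing UDP packet whose first byte is 0x58 (which the comment identifies as the CONTROL_WKC_V1 opcode) is transmitted twice, the second time after the buffer has been overwritten in place, so the caller's copy of the packet is corrupted as well. The in-place writes are also unbounded: `bufptr[blen - 20] = 0x00` and `memset(bufptr + blen - 50, 0x11, 32)` index before the start of the buffer whenever `blen` is below 20 or 50, and the return value of the first `link_socket_write_udp_posix_sendmsg`/`sendto` is discarded. The hunk should be dropped from the package patch, or at minimum confined to a test build behind its own `#ifdef` and guarded by a length check such as `if (blen >= 50)`. The enclosing link_socket_write_udp_posix starts before the hunk.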
diff -Naurp openvpn-2.6.8.orig/src/openvpn/tls_crypt.c openvpn-2.6.8/src/openvpn/tls_crypt.c
--- openvpn-2.6.8.orig/src/openvpn/tls_crypt.c 2023-11-17 08:23:51.000000000 +0100
+++ openvpn-2.6.8/src/openvpn/tls_crypt.c 2025-04-08 17:56:38.327544536 +0200
@@ -640,7 +640,22 @@ tls_crypt_v2_extract_client_key(struct b
msg(D_TLS_ERRORS, "Can not locate tls-crypt-v2 client key");
return false;
}
-
+
+ if (ctx->mode != TLS_WRAP_NONE)
+ {
+ /* This might be a harmless resend of the packet but it is better to
+ * just the packet than trying to setup tls-crypt keys again.
+ *
+ * We still return the rest of the packet to allow resend where
+ * packets get partly corrupted to success as we might have passed
+ * the extract key stage earlier but failed on authenticating the
+ * payload */
+ msg(D_TLS_ERRORS, "control channel security already setup ignoring "
+ "wrapped key.");
+ /* Remove client key from buffer so tls-crypt code can unwrap message */
+ ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
+ return true;
+ }
ctx->tls_crypt_v2_metadata = alloc_buf(TLS_CRYPT_V2_MAX_METADATA_LEN);
if (!tls_crypt_v2_unwrap_client_key(&ctx->original_wrap_keydata,
&ctx->tls_crypt_v2_metadata,
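Review bot: The early-return path added for `ctx->mode != TLS_WRAP_NONE` still aborts the process through `ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))))`, which is the same failure class this CVE fix exists to remove; if `wrapped_client_key` is always a suffix of `buf` the shrink cannot fail, but that invariant comes from the locate step above the hunk and is not stated here, so a soft failure on the existing `return false` convention is safer: `if (!buf_inc_len(buf, -BLEN(&wrapped_client_key))) { msg(D_TLS_ERRORS, "tls-crypt-v2: cannot strip wrapped client key"); return false; }`. The comment on the new branch is missing its verb — "better to just the packet than" should read "better to just ignore the wrapped key than" — and since the branch logs at D_TLS_ERRORS yet returns true, the comment should state that the caller is expected to continue unwrapping with the keys already established. The enclosing tls_crypt_v2_extract_client_key starts before and continues past the hunk.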