cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update openvpn-devel to 2016-52 snapshot.

Browse Source 
Align with security/openvpn for RC script improvements, dropping the
TUNNELBLICK patch (integrated upstream) and pkg-help file (no longer
required).

Note that pkcs11* and mbedTLS currently do not mix (I randomly checked
different option sets), an issue this port shares with security/openvpn.
"checking mbedtls pkcs11 support...
configure: error: mbedtls has no pkcs11 wrapper compiled in"

PR:		215734
Submitted by:	Eric F. Crist (maintainer)
This commit is contained in:
Matthias Andree 2017-01-04 14:38:59 +00:00
parent 189858d917
commit 1a400328a7
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=430558
12 changed files with 568 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
security/openvpn-devel/Makefile
View File

@ -1,97 +1,129 @@
# Created by: Eric F Crist <ecrist@secure-computing.net>
# Created by: Matthias Andree <mandree@FreeBSD.org>
# $FreeBSD$
PORTNAME= openvpn
DISTVERSION= 201647
CATEGORIES= security net
MASTER_SITES= ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/ \
ftp://ftp2.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
PKGNAMESUFFIX= -devel
PORTNAME= openvpn
DISTVERSION= 201652
PORTREVISION?= 0
CATEGORIES= security net
MASTER_SITES= https://secure-computing.net/files/openvpn/ \
ftp://ftp2.secure-computing.net/pub/FreeBSD/openvpn-devel/
PKGNAMESUFFIX= -devel
MAINTAINER= ecrist@secure-computing.net
COMMENT= Secure IP/Ethernet tunnel daemon
MAINTAINER= ecrist@secure-computing.net
COMMENT?= Secure IP/Ethernet tunnel daemon
LICENSE= GPLv2
LICENSE= GPLv2
WRKSRC= ${WRKDIR}/${PORTNAME}${PKGNAMESUFFIX}
CONFLICTS_INSTALL= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]*
CONFLICTS_INSTALL= openvpn-[0-9]* openvpn-beta-[0-9]* openvpn-polarssl*
GNU_CONFIGURE= yes
USES= libtool pkgconfig shebangfix tar:xz
WRKSRC= ${WRKDIR}/${PORTNAME}${PKGNAMESUFFIX}
USES= cpe libtool pkgconfig shebangfix tar:xz
SHEBANG_FILES= sample/sample-scripts/verify-cn \
sample/sample-scripts/auth-pam.pl \
sample/sample-scripts/ucn.pl
sample/sample-scripts/auth-pam.pl \
sample/sample-scripts/ucn.pl
CONFIGURE_ARGS+= --enable-strict
# avoid picking up CMAKE, we don't have cmocka in the tarballs..
CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE=
# let OpenVPN's configure script pick up the requisite libraries:
CPPFLAGS+= -I${LOCALBASE}/include
# let OpenVPN's configure script pick up the requisite libraries,
# but do not break the plugin build if an older version is installed
CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib
OPTIONS_DEFINE= PKCS11 EASYRSA LZO DOCS EXAMPLES
OPTIONS_DEFAULT= EASYRSA OPENSSL LZO
# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
TEST LZ4 SMALL
OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL EMBEDTLS
LZO_DESC= Enable the LZO compression library
OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS
PKCS11_DESC= Use security/pkcs11-helper
EASYRSA_DESC= Install security/easy-rsa RSA helper package
EMBEDTLS_DESC= SSL/TLS support via mbed TLS
MBEDTLS_DESC= SSL/TLS via mbedTLS
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
SMALL_DESC= Build a smaller executable with fewer features
EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
PKCS11_CONFIGURE_ENABLE= pkcs11
EMBEDTLS_LIB_DEPENDS= libmbedtls.so.10:security/mbedtls
EMBEDTLS_POLARSSL_CONFIGURE_ON= --with-crypto-library=embedtls
EMBEDTLS_USE_OFF= openssl=yes
EMBEDTLS_CONFIGURE_OFF+=--with-crypto-library=openssl
X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
LZO_LIB_DEPENDS= liblzo2.so:archivers/lzo2
LZO_CONFIGURE_ENABLE= lzo
X509ALTUSERNAME_PREVENTS= MBEDTLS
X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
USE_RC_SUBR= openvpn
USE_LDCONFIG= ${PREFIX}/lib
OPENSSL_USES= ssl
OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl
SUB_FILES= pkg-message
LZ4_CONFIGURE_OFF= --disable-lz4
SMALL_CONFIGURE_ON= --enable-small
MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls
MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls
USE_RC_SUBR= openvpn
USE_LDCONFIG= ${PREFIX}/lib
SUB_FILES= pkg-message openvpn-client
.ifdef (LOG_OPENVPN)
CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
.endif
PORTDOCS= *
PORTEXAMPLES= *
LIB_DEPENDS+= liblzo2.so:archivers/lzo2
LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
PORTDOCS= *
PORTEXAMPLES= *
TEST_ALL_TARGET= check
TEST_TEST_TARGET_OFF= check
# XXX Please remove this compatibility wrapper after 2017Q2 is branched.
.ifdef(WITHOUT_CHECK)
WARNING+= "${.CURDIR}: WITHOUT_CHECK is deprecated, please use WITHOUT=TEST or OPTIONS_UNSET=TEST."
WITHOUT+= TEST
.endif
pre-configure:
.ifdef (LOG_OPENVPN)
@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
.else
@${ECHO} ""
@${ECHO} "You may use the following build options:"
@${ECHO} ""
@${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
@${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6"
@${ECHO} ""
@${ECHO} ""
@${ECHO} "You may use the following build options:"
@${ECHO} ""
@${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
@${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6"
@${ECHO} ""
.endif
post-build:
@# self-tests here
.if !defined(WITHOUT_CHECK)
@${ECHO} ; ${ECHO} "### Note that you can skip these lengthy selftests with WITHOUT_CHECK=yes ###" ; ${ECHO}
cd ${WRKSRC} && ${DO_MAKE_BUILD} check
.endif
post-configure:
${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
${WRKSRC}/src/plugins/auth-pam/Makefile \
${WRKSRC}/src/plugins/down-root/Makefile
post-install:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
${MKDIR} ${STAGEDIR}${PREFIX}/include
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
${MKDIR} ${STAGEDIR}${PREFIX}/include
post-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}/
${MKDIR} ${STAGEDIR}${DOCSDIR}/
.for i in AUTHORS ChangeLog PORTS
${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
.endfor
post-install-EXAMPLES-on:
(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
.include <bsd.port.mk>

6
security/openvpn-devel/distinfo
View File

@ -1,3 +1,3 @@
TIMESTAMP = 1480428158
SHA256 (openvpn-201647.tar.xz) = 46ab4ad14bd9ed448599a97f3c9cb016ef052c30bd0b57968743b95ff2c14520
SIZE (openvpn-201647.tar.xz) = 931696
TIMESTAMP = 1483453128
SHA256 (openvpn-201652.tar.xz) = 783c3d5200bd286cc83e5accec075ef7f896a401b9bf550801606d1b76a1d797
SIZE (openvpn-201652.tar.xz) = 928316

296
security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch Normal file
View File

@ -0,0 +1,296 @@
This work allows obfuscation of the OpenVPN header to make it harder for
layer 7 inspection to identify such traffic, which may come with blocking
or recording actions in certain territories of the world. This patch, in
a nutshell, can increase privacy and range of communication for its users.
The `scramble' option introduced hereby is off by default.
The option's usage, history and controversy of the patch is explained in
detail on the following wiki page:
https://tunnelblick.net/cOpenvpn_xorpatch.html
The patch was ported to OpenVPN 2.4 by OPNsense.
--- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/forward.c
@@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
status = link_socket_read(c->c2.link_socket,
&c->c2.buf,
- &c->c2.from);
+ &c->c2.from,
+ c->options.ce.xormethod,
+ c->options.ce.xormask,
+ c->options.ce.xormasklen);
if (socket_connection_reset(c->c2.link_socket, status))
{
@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
/* Send packet */
size = link_socket_write(c->c2.link_socket,
&c->c2.to_link,
- to_addr);
+ to_addr,
+ c->options.ce.xormethod,
+ c->options.ce.xormask,
+ c->options.ce.xormasklen);
/* Undo effect of prepend */
link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
--- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/options.c
@@ -811,6 +811,9 @@ init_options(struct options *o, const bo
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
o->resolve_in_advance = false;
o->proto_force = -1;
+ o->ce.xormethod = 0;
+ o->ce.xormask = "\0";
+ o->ce.xormasklen = 0;
#ifdef ENABLE_OCC
o->occ = true;
#endif
@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
setenv_str_i(es, "local_port", e->local_port, i);
setenv_str_i(es, "remote", e->remote, i);
setenv_str_i(es, "remote_port", e->remote_port, i);
+ setenv_int_i(es, "xormethod", e->xormethod, i);
+ setenv_str_i(es, "xormask", e->xormask, i);
+ setenv_int_i(es, "xormasklen", e->xormasklen, i);
if (e->http_proxy_options)
{
@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
SHOW_BOOL(bind_ipv6_only);
SHOW_INT(connect_retry_seconds);
SHOW_INT(connect_timeout);
+ SHOW_INT(xormethod);
+ SHOW_STR(xormask);
+ SHOW_INT(xormasklen);
if (o->http_proxy_options)
{
@@ -5915,6 +5924,46 @@ add_option(struct options *options,
}
options->proto_force = proto_force;
}
+ else if (streq (p[0], "scramble") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
+ if (streq (p[1], "xormask") && p[2] && (!p[3]))
+ {
+ options->ce.xormethod = 1;
+ options->ce.xormask = p[2];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else if (streq (p[1], "xorptrpos") && (!p[2]))
+ {
+ options->ce.xormethod = 2;
+ options->ce.xormask = NULL;
+ options->ce.xormasklen = 0;
+ }
+ else if (streq (p[1], "reverse") && (!p[2]))
+ {
+ options->ce.xormethod = 3;
+ options->ce.xormask = NULL;
+ options->ce.xormasklen = 0;
+ }
+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
+ {
+ options->ce.xormethod = 4;
+ options->ce.xormask = p[2];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else if (!p[2])
+ {
+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
+ options->ce.xormethod = 1;
+ options->ce.xormask = p[1];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else
+ {
+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
+ goto err;
+ }
+ }
else if (streq(p[0], "http-proxy") && p[1] && !p[5])
{
struct http_proxy_options *ho;
--- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/options.h
@@ -98,6 +98,9 @@ struct connection_entry
int connect_retry_seconds;
int connect_retry_seconds_max;
int connect_timeout;
+ int xormethod;
+ const char *xormask;
+ int xormasklen;
struct http_proxy_options *http_proxy_options;
const char *socks_proxy_server;
const char *socks_proxy_port;
--- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/socket.c
@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
IPv6_TCP_HEADER_SIZE,
};
+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
+ int i;
+ uint8_t *b;
+ if ( xormasklen > 0 ) {
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+ *b = *b ^ mask[i % xormasklen];
+ }
+ }
+ return BLEN (buf);
+}
+
+int buffer_xorptrpos (struct buffer *buf) {
+ int i;
+ uint8_t *b;
+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
+ *b = *b ^ i+1;
+ }
+ return BLEN (buf);
+}
+
+int buffer_reverse (struct buffer *buf) {
+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
+ * https://github.com/clayface/openvpn_xorpatch
+ * makes a copy of the buffer and it writes to the byte **after** the
+ * buffer contents, so if the buffer is full then it writes outside of the buffer.
+ * This rewritten version does neither.
+ *
+ * For interoperability, this rewritten version preserves the behavior of the original
+ * function: it does not modify the first character of the buffer. So it does not
+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
+ */
+ int len = BLEN(buf);
+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
+ int i;
+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
+ uint8_t tmp;
+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
+ tmp = *b_start;
+ *b_start = *b_end;
+ *b_end = tmp;
+ }
+ }
+ return len;
+}
+
/*
* Convert sockflags/getaddr_flags into getaddr_flags
*/
--- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC
+++ src/openvpn/socket.h
@@ -249,6 +249,10 @@ struct link_socket
#endif
};
+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
+int buffer_xorptrpos (struct buffer *buf);
+int buffer_reverse (struct buffer *buf);
+
/*
* Some Posix/Win32 differences.
*/
@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
static inline int
link_socket_read(struct link_socket *sock,
struct buffer *buf,
- struct link_socket_actual *from)
+ struct link_socket_actual *from,
+ int xormethod,
+ const char *xormask,
+ int xormasklen)
{
+ int res;
+
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
- int res;
-
#ifdef _WIN32
res = link_socket_read_udp_win32(sock, buf, from);
#else
res = link_socket_read_udp_posix(sock, buf, from);
#endif
- return res;
}
else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
{
/* from address was returned by accept */
addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
- return link_socket_read_tcp(sock, buf);
+ res = link_socket_read_tcp(sock, buf);
}
else
{
ASSERT(0);
return -1; /* NOTREACHED */
}
+ switch (xormethod) {
+ case 0:
+ break;
+ case 1:
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ case 2:
+ buffer_xorptrpos(buf);
+ break;
+ case 3:
+ buffer_reverse(buf);
+ break;
+ case 4:
+ buffer_mask(buf,xormask,xormasklen);
+ buffer_xorptrpos(buf);
+ buffer_reverse(buf);
+ buffer_xorptrpos(buf);
+ break;
+ default:
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ }
+ return res;
}
/*
@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
static inline int
link_socket_write(struct link_socket *sock,
struct buffer *buf,
- struct link_socket_actual *to)
+ struct link_socket_actual *to,
+ int xormethod,
+ const char *xormask,
+ int xormasklen)
{
+ switch (xormethod) {
+ case 0:
+ break;
+ case 1:
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ case 2:
+ buffer_xorptrpos(buf);
+ break;
+ case 3:
+ buffer_reverse(buf);
+ break;
+ case 4:
+ buffer_xorptrpos(buf);
+ buffer_reverse(buf);
+ buffer_xorptrpos(buf);
+ buffer_mask(buf,xormask,xormasklen);
+ break;
+ default:
+ ASSERT (0);
+ return -1; /* NOTREACHED */
+ }
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
return link_socket_write_udp(sock, buf, to);

6
security/openvpn-devel/files/openvpn-client.in Normal file
View File

@ -0,0 +1,6 @@
#!/bin/sh
exec %%PREFIX%%/sbin/openvpn --script-security 2 \
--up %%PREFIX%%/libexec/openvpn-client.up \
--plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \
--config "$@"

64
security/openvpn-devel/files/openvpn.in
View File

@ -2,10 +2,11 @@
#
# openvpn.sh - load tun/tap driver and start OpenVPN daemon
#
# (C) Copyright 2005 - 2008 by Matthias Andree
# (C) Copyright 2005 - 2008, 2010 by Matthias Andree
# based on suggestions by Matthias Grimm and Dirk Gouders
# with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev
# and Vasil Dimov
# softrestart feature suggested by Nick Hibma
#
# $FreeBSD$
#
@ -30,7 +31,7 @@
# -----------------------------------------------------------------------------
#
# This script supports running multiple instances of openvpn.
# To run additional instance link this script to something like
# To run additional instances link this script to something like
# % ln -s openvpn openvpn_foo
# and define additional openvpn_foo_* variables in one of
# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo
@ -45,6 +46,7 @@
#
# NAME_enable="NO" # set to YES to enable openvpn
# NAME_if= # driver(s) to load, set to "tun", "tap" or "tun tap"
# # it is OK to specify the if_ prefix.
#
# # optional:
# NAME_flags= # additional command line arguments
@ -62,36 +64,32 @@
. /etc/rc.subr
# service(8) does not create an authentic environment, try to guess,
# and as of 10.3-RELEASE-p0, it will not find the indented name=
# assignments below. So give it a default.
# Trailing semicolon also for service(8)'s benefit:
name="$file" ;
case "$0" in
/etc/rc*)
# during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
# so get the name of the script from $_file
name=$(basename "$_file" .sh)
name="$_file"
;;
*/service)
# do not use this as $0
;;
*)
name=$(basename "$0" .sh)
name="$0"
;;
esac
# default name to "openvpn" if guessing failed
# Trailing semicolon also for service(8)'s benefit:
name="${name:-openvpn}" ;
name="${name##*/}"
rcvar=${name}_enable
openvpn_precmd()
{
for i in $interfaces ; do
# FreeBSD <= 5.4 does not know kldstat's -m option
# FreeBSD >= 6.0 does not add debug.* sysctl information
# in the default build - we check both to keep things simple
if ! sysctl debug.if_${i}_debug >/dev/null 2>&1 \
&& ! kldstat -m if_${i} >/dev/null 2>&1 ; then
if ! kldload if_${i} ; then
warn "Could not load $i module."
return 1
fi
fi
done
return 0
}
stop_postcmd()
{
rm -f "$pidfile" || warn "Could not remove $pidfile."
@ -103,10 +101,18 @@ softrestart()
exit $?
}
openvpn_stats()
{
sig_reload=USR2
run_rc_command ${rc_prefix}reload $rc_extra_args
}
# reload: support SIGHUP to reparse configuration file
# softrestart: support SIGUSR1 to reconnect without privileges
extra_commands="reload softrestart"
# softrestart: support SIGUSR1 to reconnect without superuser privileges
# stats: support SIGUSR2 to write statistics to the syslog
extra_commands="reload softrestart stats"
softrestart_cmd="softrestart"
stats_cmd="openvpn_stats"
# pidfile
pidfile="/var/run/${name}.pid"
@ -114,16 +120,12 @@ pidfile="/var/run/${name}.pid"
# command and arguments
command="%%PREFIX%%/sbin/openvpn"
# run this first
start_precmd="openvpn_precmd"
# and this last
# run this last
stop_postcmd="stop_postcmd"
load_rc_config ${name}
eval ": \${${name}_enable:=\"NO\"}"
eval ": \${${name}_flags:=\"\"}"
eval ": \${${name}_if:=\"\"}"
eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}"
eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}"
@ -131,7 +133,13 @@ configfile="$(eval echo \${${name}_configfile})"
dir="$(eval echo \${${name}_dir})"
interfaces="$(eval echo \${${name}_if})"
required_modules=
for i in $interfaces ; do
required_modules="$required_modules${required_modules:+" "}if_${i#if_}"
done
required_files=${configfile}
command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile}"
run_rc_command "$1"

11
security/openvpn-devel/files/patch-configure Normal file
View File

@ -0,0 +1,11 @@
--- configure.orig 2016-08-23 14:19:07 UTC
+++ configure
@@ -17160,8 +17160,6 @@ fi
$as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&6; }
fi
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&5
-$as_echo "!! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&6; }
if false; then
CMOCKA_INITIALIZED_TRUE=
CMOCKA_INITIALIZED_FALSE='#'

13
security/openvpn-devel/files/patch-sample__sample-config-files__loopback-client Normal file
View File

@ -0,0 +1,13 @@
--- sample/sample-config-files/loopback-client.orig 2016-08-23 14:16:22 UTC
+++ sample/sample-config-files/loopback-client
@@ -9,8 +9,8 @@
# ./openvpn --config sample-config-files/loopback-client (In one window)
# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
-rport 16000
-lport 16001
+rport 16100
+lport 16101
remote localhost
local localhost
dev null

13
security/openvpn-devel/files/patch-sample__sample-config-files__loopback-server Normal file
View File

@ -0,0 +1,13 @@
--- sample/sample-config-files/loopback-server.orig 2016-08-23 14:16:22 UTC
+++ sample/sample-config-files/loopback-server
@@ -9,8 +9,8 @@
# ./openvpn --config sample-config-files/loopback-client (In one window)
# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
-rport 16001
-lport 16000
+rport 16101
+lport 16100
remote localhost
local localhost
dev null

65
security/openvpn-devel/files/patch-tests__t_cltsrv.sh Normal file
View File

@ -0,0 +1,65 @@
--- tests/t_cltsrv.sh.orig 2016-08-23 13:10:22 UTC
+++ tests/t_cltsrv.sh
@@ -1,7 +1,7 @@
#! /bin/sh
#
# t_cltsrv.sh - script to test OpenVPN's crypto loopback
-# Copyright (C) 2005, 2006, 2008 Matthias Andree
+# Copyright (C) 2005 - 2014 Matthias Andree
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -22,8 +22,9 @@ set -e
srcdir="${srcdir:-.}"
top_srcdir="${top_srcdir:-..}"
top_builddir="${top_builddir:-..}"
-trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
-trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
+root="${top_srcdir}/sample"
+trap "rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+trap "a=\$? ; rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; test \$a = 0 && exit 1 || exit \$a" 0 3
addopts=
case `uname -s` in
FreeBSD)
@@ -45,18 +46,38 @@ esac
# make sure that the --down script is executable -- fail (rather than
# skip) test if it isn't.
downscript="../tests/t_cltsrv-down.sh"
-root="${top_srcdir}/sample"
test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; }
echo "The following test will take about two minutes." >&2
echo "If the addresses are in use, this test will retry up to two times." >&2
+set -- $(ifconfig lo0 | grep -E '\<inet' | head -n1)
+add=
+if [ "x$1$2" = "x" ] ; then
+ echo >&2 "### NO ADDRESSES ON LOOPBACK INTERFACE lo0, SKIPPING TEST ###"
+ exit 77
+fi
+if [ "inet6" = "$1" ] ; then
+ add='proto udp6 '
+fi
+for i in server client ; do
+ sed -e "s/localhost/$2/" -e "/^remote /a\\
+$add" ${root}/sample-config-files/loopback-$i \
+ >${root}/sample-config-files/loopback-$i.test
+done
+
# go
success=0
for i in 1 2 3 ; do
set +e
(
- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" &
- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client"
+ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
+ --cd "${root}" ${addopts} --setenv role srv \
+ --down "${downscript}" --tls-exit --ping-exit 180 \
+ --config "sample-config-files/loopback-server.test" &
+ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
+ --cd "${top_srcdir}/sample" ${addopts} --setenv role clt \
+ --down "${downscript}" --tls-exit --ping-exit 180 \
+ --config "sample-config-files/loopback-client.test"
) 3>log.$$.signal >log.$$ 2>&1
e1=$?
wait $!

23
security/openvpn-devel/files/pkg-message.in
View File

@ -2,22 +2,17 @@
### Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
### startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
### ------------------------------------------------------------------------
### Connect to VPN server as a client with this command to include
### the client.up/down scripts in the initialization:
### openvpn-client <spec>.ovpn
### ------------------------------------------------------------------------
### For compatibility notes when interoperating with older OpenVPN
### versions, please, see <http://openvpn.net/relnotes.html>
### ------------------------------------------------------------------------
### NOTE THIS IS AN UNSTABLE BETA VERSION UNDER DEVELOPMENT!
###
###
### THIS IS AN UNSTABLE DEVELOPMENT VERSION!
###
###
### It may or may not be suitable for production. Use at your own risk.
### ------------------------------------------------------------------------
###
### PLUGIN LOCATION CHANGED!
### The following plugin locations have changed. There is a symlink to the
### new file for the duration of the 2.3 release. This will be removed in
### OpenVPN 2.4+.
### New Location:
### %%PREFIX%%/openvpn/plugins/openvpn-plugin-auth-pam.so
### %%PREFIX%%/openvpn/plugins/openvpn-plugin-down-root.so
###
### Old Location:
### %%PREFIX%%/lib/openvpn-plugin-down-root.so
### %%PREFIX%%/lib/openvpn-plugin-auth-pam.so

27
security/openvpn-devel/files/up-script.sample Normal file
View File

@ -0,0 +1,27 @@
#!/bin/sh
# OpenVPN simple up/down script for openresolvconf integration.
# (C) Copyright 2016 Baptiste Daroussin
# BSD 2-clause license.
set -e +u
: ${script_type:=down}
case "${script_type}" in
up)
i=1
while :; do
eval option=\"\$foreign_option_${i}\" || break
[ "${option}" ] || break
set -- ${option}
i=$((i + 1))
[ "$1" = "dhcp-option" ] || continue
case "$2" in
DNS) echo "nameserver ${3}" ;;
DOMAIN) echo "domain ${3}" ;;
DOMAIN-SEARCH) echo "search ${3}" ;;
esac
done | /sbin/resolvconf -a "${dev}"
;;
down)
/sbin/resolvconf -d "${dev}" -f
;;
esac

3
security/openvpn-devel/pkg-plist
View File

@ -4,3 +4,6 @@ lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.so
man/man8/openvpn.8.gz
sbin/openvpn
libexec/openvpn-client.down
libexec/openvpn-client.up
sbin/openvpn-client