author | mandree <mandree@FreeBSD.org> | 2016-12-28 07:16:57 +0800 |
---|---|---|
committer | mandree <mandree@FreeBSD.org> | 2016-12-28 07:16:57 +0800 |
commit | e9208642c153c7a37a0d0b957223a8d52ba9be19 (patch) | |
tree | 0a1cc68681bd1b68e4446adb8872265601b33d99 | |
parent | fe7aba2658775c7b536178f259ed6df88330ca2c (diff) | |
OpenVPN update to v2.4.0, old version in openvpn23*.
OpenVPN has been updated to v2.4.0.
Changes: <https://github.com/OpenVPN/openvpn/blob/v2.4.0/Changes.rst>
openvpn-polarssl has been renamed to openvpn-mbedtls to match the TLS
library's change of name.
The prior versions of the openvpn ports have been preserved in openvpn23
and openvpn23-polarssl, respectively, and are set to expire 2017-03-31.
23 files changed, 982 insertions, 207 deletions
@@ -8852,3 +8852,4 @@ net-mgmt/ccnet|net-mgmt/ccnet-client|2016-12-26|Split into -client and -server p net-mgmt/seafile|net-mgmt/seafile-client|2016-12-26|Split into -client and -server parts comms/libcodec2|audio/codec2|2016-12-26|Removed: Duplicate port use `audio/codec2` instead databases/py-sqlalchemy07|databases/py-sqlalchemy10|2016-12-27|Has expired: Upstream has declared this version EoL: please migrate to databases/py-sqlalchemy10 +security/openvpn-polarssl|security/openvpn-mbedtls|2016-12-27|Slave port renamed to match the TLS library's new name. @@ -5,6 +5,16 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20161227: + AFFECTS: users of security/openvpn, security/openvpn-polarssl + AUTHOR: Matthias Andree <mandree@FreeBSD.org> + + The OpenVPN ports have been updated to the new upstream release v2.4, + and their predecessors preserved as openvpn23 and openvpn23-polarssl, + respectively. Note that for the new v2.4 release, the + openvpn-polarssl port has been renamed to openvpn-mbedtls to match the + upstream library's new name. + 20161218: AFFECTS: users of www/nghttp2 AUTHOR: sunpoet@FreeBSD.org diff --git a/security/Makefile b/security/Makefile index 185c38348e84..898e8576f4cf 100644 --- a/security/Makefile +++ b/security/Makefile @@ -436,7 +436,9 @@ SUBDIR += openvpn-auth-ldap SUBDIR += openvpn-auth-radius SUBDIR += openvpn-devel - SUBDIR += openvpn-polarssl + SUBDIR += openvpn-mbedtls + SUBDIR += openvpn23 + SUBDIR += openvpn23-polarssl SUBDIR += ophcrack SUBDIR += orthrus SUBDIR += osiris diff --git a/security/openvpn-mbedtls/Makefile b/security/openvpn-mbedtls/Makefile new file mode 100644 index 000000000000..4fc1536e35c5 --- /dev/null +++ b/security/openvpn-mbedtls/Makefile 
@@ -0,0 +1,13 @@ +# Created by: Matthias Andree <mandree@FreeBSD.org> +# $FreeBSD$ + +PKGNAMESUFFIX= -mbedtls + +COMMENT= Secure IP/Ethernet tunnel daemon, mbedTLS-based build + +OPTIONS_EXCLUDE= OPENSSL PKCS11 X509ALTUSERNAME +OPTIONS_SLAVE= MBEDTLS + +MASTERDIR= ${.CURDIR}/../../security/openvpn + +.include "${MASTERDIR}/Makefile" diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index 3e64bb08071b..48f35a1fa149 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -2,7 +2,8 @@ # $FreeBSD$ PORTNAME= openvpn -DISTVERSION= 2.3.14 +DISTVERSION= 2.4.0 +PORTREVISION?= 0 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ @@ -12,14 +13,15 @@ COMMENT?= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 -CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* +CONFLICTS_INSTALL= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* GNU_CONFIGURE= yes USES= cpe libtool pkgconfig shebangfix tar:xz SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl -# avoid picking up CMAKE, we don't have cmocka anyways. +CONFIGURE_ARGS+= --enable-strict +# avoid picking up CMAKE, we don't have cmocka in the tarballs.. CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE= # let OpenVPN's configure script pick up the requisite libraries, 
@@ -31,17 +33,16 @@ LDFLAGS+= -L${LOCALBASE}/lib CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ - TUNNELBLICK TEST -OPTIONS_DEFAULT= EASYRSA OPENSSL TEST + TEST LZ4 SMALL TUNNELBLICK +OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4 OPTIONS_SINGLE= SSL -OPTIONS_SINGLE_SSL= OPENSSL POLARSSL -# The following feature is always enabled since 2.3.9 and no longer optional. -# PW_SAVE_DESC= Interactive passwords may be read from a file +OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS PKCS11_DESC= Use security/pkcs11-helper EASYRSA_DESC= Install security/easy-rsa RSA helper package -POLARSSL_DESC= SSL/TLS via mbedTLS 1.3.X (not 2.x) +MBEDTLS_DESC= SSL/TLS via mbedTLS TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) +SMALL_DESC= Build a smaller executable with fewer features EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa 
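Review bot: in the OPTIONS hunk the new LZ4 option only has an off-side knob (`LZ4_CONFIGURE_OFF= --disable-lz4`, paired with `LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4` further down), so with the option on (and it is now in OPTIONS_DEFAULT) the build relies on configure's default detection instead of being told to use the library the port just depended on; `LZ4_CONFIGURE_ENABLE= lz4` makes both states explicit and is the usual ports idiom. The X509ALTUSERNAME_PREVENTS= MBEDTLS constraint matches the description "(OpenSSL only)", and TUNNELBLICK stays out of OPTIONS_DEFAULT, which is the right default for a third-party obfuscation patch.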
@@ -52,17 +53,18 @@ TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username -X509ALTUSERNAME_PREVENTS= POLARSSL -X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead +X509ALTUSERNAME_PREVENTS= MBEDTLS +X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead OPENSSL_USES= ssl OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl -# Pin the libmbedtls version because the 2.3.x port can't work with .so.10 or -# newer from the security/mbedtls package. Upstream works in progress -# for OpenVPN 2.4 to use mbedTLS 2.X. -POLARSSL_LIB_DEPENDS= libmbedtls.so.9:security/polarssl13 -POLARSSL_CONFIGURE_ON= --with-crypto-library=polarssl +LZ4_CONFIGURE_OFF= --disable-lz4 + +SMALL_CONFIGURE_ON= --enable-small + +MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls +MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls USE_RC_SUBR= openvpn USE_LDCONFIG= ${PREFIX}/lib @@ -75,6 +77,8 @@ CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} LIB_DEPENDS+= liblzo2.so:archivers/lzo2 +LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 + PORTDOCS= * PORTEXAMPLES= * diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo index fb9730e32aba..9aa8e110ef26 100644 --- a/security/openvpn/distinfo +++ b/security/openvpn/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1481159357 -SHA256 (openvpn-2.3.14.tar.xz) = f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98 -SIZE (openvpn-2.3.14.tar.xz) = 831404 +TIMESTAMP = 1482879037 +SHA256 (openvpn-2.4.0.tar.xz) = 6f23ba49a1dbeb658f49c7ae17d9ea979de6d92c7357de3d55cd4525e1b2f87e +SIZE (openvpn-2.4.0.tar.xz) = 930948 diff --git a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch index 690b86b83e16..63e73bae2b08 100644 
--- a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch +++ b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch 
@@ -10,128 +10,129 @@ detail on the following wiki page: https://tunnelblick.net/cOpenvpn_xorpatch.html +The patch was ported to OpenVPN 2.4 by OPNsense. ---- src/openvpn/forward.c.orig 2016-08-23 14:16:28 UTC +--- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC +++ src/openvpn/forward.c -@@ -674,7 +674,10 @@ read_incoming_link (struct context *c) +@@ -730,7 +730,10 @@ read_incoming_link(struct context *c) - status = link_socket_read (c->c2.link_socket, - &c->c2.buf, -- &c->c2.from); -+ &c->c2.from, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); + status = link_socket_read(c->c2.link_socket, + &c->c2.buf, +- &c->c2.from); ++ &c->c2.from, ++ c->options.ce.xormethod, ++ c->options.ce.xormask, ++ c->options.ce.xormasklen); - if (socket_connection_reset (c->c2.link_socket, status)) + if (socket_connection_reset(c->c2.link_socket, status)) { -@@ -1151,7 +1154,10 @@ process_outgoing_link (struct context *c - /* Send packet */ - size = link_socket_write (c->c2.link_socket, - &c->c2.to_link, -- to_addr); -+ to_addr, -+ c->options.ce.xormethod, -+ c->options.ce.xormask, -+ c->options.ce.xormasklen); +@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c) + /* Send packet */ + size = link_socket_write(c->c2.link_socket, + &c->c2.to_link, +- to_addr); ++ to_addr, ++ c->options.ce.xormethod, ++ c->options.ce.xormask, ++ c->options.ce.xormasklen); - #ifdef ENABLE_SOCKS - /* Undo effect of prepend */ ---- src/openvpn/options.c.orig 2016-08-23 14:16:22 UTC + /* Undo effect of prepend */ + link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link); +--- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC +++ src/openvpn/options.c -@@ -792,6 +792,9 @@ init_options (struct options *o, const b - o->max_routes = MAX_ROUTES_DEFAULT; - o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; - o->proto_force = -1; -+ o->ce.xormethod = 0; -+ o->ce.xormask = "\0"; -+ o->ce.xormasklen = 0; +@@ -811,6 +811,9 @@ init_options(struct options 
*o, const bo + o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; + o->resolve_in_advance = false; + o->proto_force = -1; ++ o->ce.xormethod = 0; ++ o->ce.xormask = "\0"; ++ o->ce.xormasklen = 0; #ifdef ENABLE_OCC - o->occ = true; + o->occ = true; #endif -@@ -907,6 +910,9 @@ setenv_connection_entry (struct env_set - setenv_int_i (es, "local_port", e->local_port, i); - setenv_str_i (es, "remote", e->remote, i); - setenv_int_i (es, "remote_port", e->remote_port, i); -+ setenv_int_i (es, "xormethod", e->xormethod, i); -+ setenv_str_i (es, "xormask", e->xormask, i); -+ setenv_int_i (es, "xormasklen", e->xormasklen, i); +@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set * + setenv_str_i(es, "local_port", e->local_port, i); + setenv_str_i(es, "remote", e->remote, i); + setenv_str_i(es, "remote_port", e->remote_port, i); ++ setenv_int_i(es, "xormethod", e->xormethod, i); ++ setenv_str_i(es, "xormask", e->xormask, i); ++ setenv_int_i(es, "xormasklen", e->xormasklen, i); - #ifdef ENABLE_HTTP_PROXY - if (e->http_proxy_options) -@@ -1366,6 +1372,9 @@ show_connection_entry (const struct conn - SHOW_INT (connect_retry_seconds); - SHOW_INT (connect_timeout); - SHOW_INT (connect_retry_max); -+ SHOW_INT (xormethod); -+ SHOW_STR (xormask); -+ SHOW_INT (xormasklen); + if (e->http_proxy_options) + { +@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne + SHOW_BOOL(bind_ipv6_only); + SHOW_INT(connect_retry_seconds); + SHOW_INT(connect_timeout); ++ SHOW_INT(xormethod); ++ SHOW_STR(xormask); ++ SHOW_INT(xormasklen); - #ifdef ENABLE_HTTP_PROXY - if (o->http_proxy_options) -@@ -5131,6 +5140,46 @@ add_option (struct options *options, - options->proto_force = proto_force; - options->force_connection_list = true; + if (o->http_proxy_options) + { +@@ -5915,6 +5924,46 @@ add_option(struct options *options, + } + options->proto_force = proto_force; } -+ else if (streq (p[0], "scramble") && p[1]) ++ else if (streq (p[0], "scramble") && p[1]) + { -+ VERIFY_PERMISSION 
(OPT_P_GENERAL|OPT_P_CONNECTION); -+ if (streq (p[1], "xormask") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (streq (p[1], "xorptrpos") && (!p[2])) -+ { -+ options->ce.xormethod = 2; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "reverse") && (!p[2])) -+ { -+ options->ce.xormethod = 3; -+ options->ce.xormask = NULL; -+ options->ce.xormasklen = 0; -+ } -+ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) -+ { -+ options->ce.xormethod = 4; -+ options->ce.xormask = p[2]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else if (!p[2]) -+ { -+ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); -+ options->ce.xormethod = 1; -+ options->ce.xormask = p[1]; -+ options->ce.xormasklen = strlen(options->ce.xormask); -+ } -+ else -+ { -+ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); -+ goto err; -+ } ++ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); ++ if (streq (p[1], "xormask") && p[2] && (!p[3])) ++ { ++ options->ce.xormethod = 1; ++ options->ce.xormask = p[2]; ++ options->ce.xormasklen = strlen(options->ce.xormask); ++ } ++ else if (streq (p[1], "xorptrpos") && (!p[2])) ++ { ++ options->ce.xormethod = 2; ++ options->ce.xormask = NULL; ++ options->ce.xormasklen = 0; ++ } ++ else if (streq (p[1], "reverse") && (!p[2])) ++ { ++ options->ce.xormethod = 3; ++ options->ce.xormask = NULL; ++ options->ce.xormasklen = 0; ++ } ++ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) ++ { ++ options->ce.xormethod = 4; ++ options->ce.xormask = p[2]; ++ options->ce.xormasklen = strlen(options->ce.xormask); ++ } ++ else if (!p[2]) ++ { ++ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); ++ options->ce.xormethod = 1; ++ options->ce.xormask = 
p[1]; ++ options->ce.xormasklen = strlen(options->ce.xormask); ++ } ++ else ++ { ++ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); ++ goto err; ++ } + } - #ifdef ENABLE_HTTP_PROXY - else if (streq (p[0], "http-proxy") && p[1]) + else if (streq(p[0], "http-proxy") && p[1] && !p[5]) { ---- src/openvpn/options.h.orig 2016-08-23 14:16:22 UTC + struct http_proxy_options *ho; +--- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC +++ src/openvpn/options.h -@@ -100,6 +100,9 @@ struct connection_entry - int connect_retry_max; - int connect_timeout; - bool connect_timeout_defined; -+ int xormethod; -+ const char *xormask; -+ int xormasklen; - #ifdef ENABLE_HTTP_PROXY - struct http_proxy_options *http_proxy_options; - #endif ---- src/openvpn/socket.c.orig 2016-08-23 14:16:22 UTC +@@ -98,6 +98,9 @@ struct connection_entry + int connect_retry_seconds; + int connect_retry_seconds_max; + int connect_timeout; ++ int xormethod; ++ const char *xormask; ++ int xormasklen; + struct http_proxy_options *http_proxy_options; + const char *socks_proxy_server; + const char *socks_proxy_port; +--- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC +++ src/openvpn/socket.c -@@ -52,6 +52,53 @@ const int proto_overhead[] = { /* indexe - IPv6_TCP_HEADER_SIZE, +@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe + IPv6_TCP_HEADER_SIZE, }; +int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) { @@ -184,9 +185,9 @@ https://tunnelblick.net/cOpenvpn_xorpatch.html /* * Convert sockflags/getaddr_flags into getaddr_flags */ ---- src/openvpn/socket.h.orig 2016-08-23 14:16:22 UTC +--- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC +++ src/openvpn/socket.h -@@ -245,6 +245,10 @@ struct link_socket +@@ -249,6 +249,10 @@ struct link_socket #endif }; 
@@ -197,100 +198,99 @@ https://tunnelblick.net/cOpenvpn_xorpatch.html /* * Some Posix/Win32 differences. */ -@@ -873,30 +877,56 @@ int link_socket_read_udp_posix (struct l +@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li static inline int - link_socket_read (struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *from) -+ struct link_socket_actual *from, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) + link_socket_read(struct link_socket *sock, + struct buffer *buf, +- struct link_socket_actual *from) ++ struct link_socket_actual *from, ++ int xormethod, ++ const char *xormask, ++ int xormasklen) { -+ int res; - if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ ++ int res; ++ + if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { -- int res; - - #ifdef WIN32 - res = link_socket_read_udp_win32 (sock, buf, from); +- int res; +- + #ifdef _WIN32 + res = link_socket_read_udp_win32(sock, buf, from); #else - res = link_socket_read_udp_posix (sock, buf, from); + res = link_socket_read_udp_posix(sock, buf, from); #endif -- return res; +- return res; } - else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ + else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ { - /* from address was returned by accept */ - addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); -- return link_socket_read_tcp (sock, buf); -+ res = link_socket_read_tcp (sock, buf); + /* from address was returned by accept */ + addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); +- return link_socket_read_tcp(sock, buf); ++ res = link_socket_read_tcp(sock, buf); } - else + else { - ASSERT (0); - return -1; /* NOTREACHED */ + ASSERT(0); + return -1; /* NOTREACHED */ } -+ switch(xormethod) -+ { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ 
buffer_mask(buf,xormask,xormasklen); -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ ++ switch (xormethod) { ++ case 0: ++ break; ++ case 1: ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ case 2: ++ buffer_xorptrpos(buf); ++ break; ++ case 3: ++ buffer_reverse(buf); ++ break; ++ case 4: ++ buffer_mask(buf,xormask,xormasklen); ++ buffer_xorptrpos(buf); ++ buffer_reverse(buf); ++ buffer_xorptrpos(buf); ++ break; ++ default: ++ ASSERT (0); ++ return -1; /* NOTREACHED */ + } -+ return res; ++ return res; } /* -@@ -980,8 +1010,34 @@ link_socket_write_udp (struct link_socke +@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket static inline int - link_socket_write (struct link_socket *sock, - struct buffer *buf, -- struct link_socket_actual *to) -+ struct link_socket_actual *to, -+ int xormethod, -+ const char *xormask, -+ int xormasklen) + link_socket_write(struct link_socket *sock, + struct buffer *buf, +- struct link_socket_actual *to) ++ struct link_socket_actual *to, ++ int xormethod, ++ const char *xormask, ++ int xormasklen) { -+ switch(xormethod) -+ { -+ case 0: -+ break; -+ case 1: -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ case 2: -+ buffer_xorptrpos(buf); -+ break; -+ case 3: -+ buffer_reverse(buf); -+ break; -+ case 4: -+ buffer_xorptrpos(buf); -+ buffer_reverse(buf); -+ buffer_xorptrpos(buf); -+ buffer_mask(buf,xormask,xormasklen); -+ break; -+ default: -+ ASSERT (0); -+ return -1; /* NOTREACHED */ ++ switch (xormethod) { ++ case 0: ++ break; ++ case 1: ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ case 2: ++ buffer_xorptrpos(buf); ++ break; ++ case 3: ++ buffer_reverse(buf); ++ break; ++ case 4: ++ buffer_xorptrpos(buf); ++ buffer_reverse(buf); ++ buffer_xorptrpos(buf); ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ default: ++ ASSERT (0); ++ return -1; /* NOTREACHED */ + } - if (proto_is_udp(sock->info.proto)) /* unified 
UDPv4 and UDPv6 */ + if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ { - return link_socket_write_udp (sock, buf, to); + return link_socket_write_udp(sock, buf, to); diff --git a/security/openvpn/pkg-plist b/security/openvpn/pkg-plist index 2069cc44c6e4..da156194eb1f 100644 --- a/security/openvpn/pkg-plist +++ b/security/openvpn/pkg-plist @@ -1,4 +1,5 @@ include/openvpn-plugin.h +include/openvpn-msg.h lib/openvpn/plugins/openvpn-plugin-auth-pam.so lib/openvpn/plugins/openvpn-plugin-down-root.so man/man8/openvpn.8.gz diff --git a/security/openvpn-polarssl/Makefile b/security/openvpn23-polarssl/Makefile index a54de6b2ec92..0b229d4aaf0c 100644 --- a/security/openvpn-polarssl/Makefile +++ b/security/openvpn23-polarssl/Makefile @@ -8,6 +8,6 @@ COMMENT= Secure IP/Ethernet tunnel daemon, PolarSSL-based build OPTIONS_EXCLUDE= OPENSSL PKCS11 X509ALTUSERNAME OPTIONS_SLAVE= POLARSSL -MASTERDIR= ${.CURDIR}/../../security/openvpn +MASTERDIR= ${.CURDIR}/../../security/openvpn23 .include "${MASTERDIR}/Makefile" diff --git a/security/openvpn23/Makefile b/security/openvpn23/Makefile new file mode 100644 index 000000000000..927320aecd25 --- /dev/null +++ b/security/openvpn23/Makefile 
@@ -0,0 +1,129 @@ +# Created by: Matthias Andree <mandree@FreeBSD.org> +# $FreeBSD$ + +PORTNAME= openvpn +DISTVERSION= 2.3.14 +CATEGORIES= security net +MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ + http://build.openvpn.net/downloads/releases/ + +MAINTAINER= mandree@FreeBSD.org +COMMENT?= Secure IP/Ethernet tunnel daemon + +DEPRECATED= Replaced by new upstream relesae 2.4.x +EXPIRATION_DATE= 2017-03-31 + +LICENSE= GPLv2 + +CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* + +GNU_CONFIGURE= yes +USES= cpe libtool pkgconfig shebangfix tar:xz +SHEBANG_FILES= sample/sample-scripts/verify-cn \ + sample/sample-scripts/auth-pam.pl \ + sample/sample-scripts/ucn.pl +# avoid picking up CMAKE, we don't have cmocka anyways. +CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE= + +# let OpenVPN's configure script pick up the requisite libraries, +# but do not break the plugin build if an older version is installed +CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include +LDFLAGS+= -L${LOCALBASE}/lib + +# set PLUGIN_LIBDIR so that unqualified plugin paths are found: +CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" + +OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \ + TUNNELBLICK TEST +OPTIONS_DEFAULT= EASYRSA OPENSSL TEST +OPTIONS_SINGLE= SSL +OPTIONS_SINGLE_SSL= OPENSSL POLARSSL +# The following feature is always enabled since 2.3.9 and no longer optional. +# PW_SAVE_DESC= Interactive passwords may be read from a file +PKCS11_DESC= Use security/pkcs11-helper +EASYRSA_DESC= Install security/easy-rsa RSA helper package +POLARSSL_DESC= SSL/TLS via mbedTLS 1.3.X (not 2.x) +TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!) 
+X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only) + +EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa + +PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper +PKCS11_CONFIGURE_ENABLE= pkcs11 + +TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch + +X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username + +X509ALTUSERNAME_PREVENTS= POLARSSL +X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead + +OPENSSL_USES= ssl +OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl + +# Pin the libmbedtls version because the 2.3.x port can't work with .so.10 or +# newer from the security/mbedtls package. Upstream works in progress +# for OpenVPN 2.4 to use mbedTLS 2.X. +POLARSSL_LIB_DEPENDS= libmbedtls.so.9:security/polarssl13 +POLARSSL_CONFIGURE_ON= --with-crypto-library=polarssl + +USE_RC_SUBR= openvpn +USE_LDCONFIG= ${PREFIX}/lib + +SUB_FILES= pkg-message openvpn-client + +.ifdef (LOG_OPENVPN) +CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} +.endif + +LIB_DEPENDS+= liblzo2.so:archivers/lzo2 + +PORTDOCS= * +PORTEXAMPLES= * + +TEST_ALL_TARGET= check +TEST_TEST_TARGET_OFF= check + +# XXX Please remove this compatibility wrapper after 2017Q2 is branched. +.ifdef(WITHOUT_CHECK) +WARNING+= "${.CURDIR}: WITHOUT_CHECK is deprecated, please use WITHOUT=TEST or OPTIONS_UNSET=TEST." 
+WITHOUT+= TEST +.endif + +pre-configure: +.ifdef (LOG_OPENVPN) + @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" +.else + @${ECHO} "" + @${ECHO} "You may use the following build options:" + @${ECHO} "" + @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" + @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" + @${ECHO} "" +.endif + +post-configure: + ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ + ${WRKSRC}/src/plugins/auth-pam/Makefile \ + ${WRKSRC}/src/plugins/down-root/Makefile + +post-install: + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so + ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up + ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down + @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up + ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client + ${MKDIR} ${STAGEDIR}${PREFIX}/include + +post-install-DOCS-on: + ${MKDIR} ${STAGEDIR}${DOCSDIR}/ +.for i in AUTHORS ChangeLog PORTS + ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ +.endfor + +post-install-EXAMPLES-on: + (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) + ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* + +.include <bsd.port.mk> diff --git a/security/openvpn23/distinfo b/security/openvpn23/distinfo new file mode 100644 index 000000000000..fb9730e32aba --- /dev/null +++ b/security/openvpn23/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1481159357 +SHA256 (openvpn-2.3.14.tar.xz) = f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98 +SIZE (openvpn-2.3.14.tar.xz) = 831404 
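Review bot: `DEPRECATED= Replaced by new upstream relesae 2.4.x` in the new openvpn23/Makefile has a typo ("relesae"), and this string is shown to every user of the port until the 2017-03-31 expiration; it should also name the replacement ports so the message is actionable, e.g. `DEPRECATED= Superseded by security/openvpn 2.4.x (or security/openvpn-mbedtls)`. The CONFLICTS_INSTALL pattern `openvpn-2.[!3].*` is correct for keeping 2.3.14 and the new 2.4.0 package from coexisting.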
diff --git a/security/openvpn23/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn23/files/extra-tunnelblick-openvpn_xorpatch new file mode 100644 index 000000000000..690b86b83e16 --- /dev/null +++ b/security/openvpn23/files/extra-tunnelblick-openvpn_xorpatch 
@@ -0,0 +1,296 @@ +This work allows obfuscation of the OpenVPN header to make it harder for +layer 7 inspection to identify such traffic, which may come with blocking +or recording actions in certain territories of the world. This patch, in +a nutshell, can increase privacy and range of communication for its users. + +The `scramble' option introduced hereby is off by default. + +The option's usage, history and controversy of the patch is explained in +detail on the following wiki page: + +https://tunnelblick.net/cOpenvpn_xorpatch.html + + +--- src/openvpn/forward.c.orig 2016-08-23 14:16:28 UTC ++++ src/openvpn/forward.c +@@ -674,7 +674,10 @@ read_incoming_link (struct context *c) + + status = link_socket_read (c->c2.link_socket, + &c->c2.buf, +- &c->c2.from); ++ &c->c2.from, ++ c->options.ce.xormethod, ++ c->options.ce.xormask, ++ c->options.ce.xormasklen); + + if (socket_connection_reset (c->c2.link_socket, status)) + { +@@ -1151,7 +1154,10 @@ process_outgoing_link (struct context *c + /* Send packet */ + size = link_socket_write (c->c2.link_socket, + &c->c2.to_link, +- to_addr); ++ to_addr, ++ c->options.ce.xormethod, ++ c->options.ce.xormask, ++ c->options.ce.xormasklen); + + #ifdef ENABLE_SOCKS + /* Undo effect of prepend */ +--- src/openvpn/options.c.orig 2016-08-23 14:16:22 UTC ++++ src/openvpn/options.c +@@ -792,6 +792,9 @@ init_options (struct options *o, const b + o->max_routes = MAX_ROUTES_DEFAULT; + o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; + o->proto_force = -1; ++ o->ce.xormethod = 0; ++ o->ce.xormask = "\0"; ++ o->ce.xormasklen = 0; + #ifdef ENABLE_OCC + o->occ = true; + #endif +@@ -907,6 +910,9 @@ setenv_connection_entry (struct env_set + setenv_int_i (es, "local_port", e->local_port, i); + setenv_str_i (es, "remote", e->remote, i); + setenv_int_i (es, "remote_port", e->remote_port, i); ++ setenv_int_i (es, "xormethod", e->xormethod, i); ++ setenv_str_i (es, "xormask", e->xormask, i); ++ setenv_int_i (es, "xormasklen", e->xormasklen, i); + + 
#ifdef ENABLE_HTTP_PROXY + if (e->http_proxy_options) +@@ -1366,6 +1372,9 @@ show_connection_entry (const struct conn + SHOW_INT (connect_retry_seconds); + SHOW_INT (connect_timeout); + SHOW_INT (connect_retry_max); ++ SHOW_INT (xormethod); ++ SHOW_STR (xormask); ++ SHOW_INT (xormasklen); + + #ifdef ENABLE_HTTP_PROXY + if (o->http_proxy_options) +@@ -5131,6 +5140,46 @@ add_option (struct options *options, + options->proto_force = proto_force; + options->force_connection_list = true; + } ++ else if (streq (p[0], "scramble") && p[1]) ++ { ++ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); ++ if (streq (p[1], "xormask") && p[2] && (!p[3])) ++ { ++ options->ce.xormethod = 1; ++ options->ce.xormask = p[2]; ++ options->ce.xormasklen = strlen(options->ce.xormask); ++ } ++ else if (streq (p[1], "xorptrpos") && (!p[2])) ++ { ++ options->ce.xormethod = 2; ++ options->ce.xormask = NULL; ++ options->ce.xormasklen = 0; ++ } ++ else if (streq (p[1], "reverse") && (!p[2])) ++ { ++ options->ce.xormethod = 3; ++ options->ce.xormask = NULL; ++ options->ce.xormasklen = 0; ++ } ++ else if (streq (p[1], "obfuscate") && p[2] && (!p[3])) ++ { ++ options->ce.xormethod = 4; ++ options->ce.xormask = p[2]; ++ options->ce.xormasklen = strlen(options->ce.xormask); ++ } ++ else if (!p[2]) ++ { ++ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]); ++ options->ce.xormethod = 1; ++ options->ce.xormask = p[1]; ++ options->ce.xormasklen = strlen(options->ce.xormask); ++ } ++ else ++ { ++ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'"); ++ goto err; ++ } ++ } + #ifdef ENABLE_HTTP_PROXY + else if (streq (p[0], "http-proxy") && p[1]) + { +--- src/openvpn/options.h.orig 2016-08-23 14:16:22 UTC ++++ src/openvpn/options.h +@@ -100,6 +100,9 @@ struct connection_entry + int connect_retry_max; + int connect_timeout; + bool connect_timeout_defined; ++ int xormethod; ++ const char *xormask; ++ int 
xormasklen; + #ifdef ENABLE_HTTP_PROXY + struct http_proxy_options *http_proxy_options; + #endif +--- src/openvpn/socket.c.orig 2016-08-23 14:16:22 UTC ++++ src/openvpn/socket.c +@@ -52,6 +52,53 @@ const int proto_overhead[] = { /* indexe + IPv6_TCP_HEADER_SIZE, + }; + ++int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) { ++ int i; ++ uint8_t *b; ++ if ( xormasklen > 0 ) { ++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { ++ *b = *b ^ mask[i % xormasklen]; ++ } ++ } ++ return BLEN (buf); ++} ++ ++int buffer_xorptrpos (struct buffer *buf) { ++ int i; ++ uint8_t *b; ++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) { ++ *b = *b ^ i+1; ++ } ++ return BLEN (buf); ++} ++ ++int buffer_reverse (struct buffer *buf) { ++/* This function has been rewritten for Tunnelblick. The buffer_reverse function at ++ * https://github.com/clayface/openvpn_xorpatch ++ * makes a copy of the buffer and it writes to the byte **after** the ++ * buffer contents, so if the buffer is full then it writes outside of the buffer. ++ * This rewritten version does neither. ++ * ++ * For interoperability, this rewritten version preserves the behavior of the original ++ * function: it does not modify the first character of the buffer. So it does not ++ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'. ++ * (Of course, the actual buffer contents are bytes, and not necessarily characters.) 
++ */ ++ int len = BLEN(buf); ++ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */ ++ int i; ++ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */ ++ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */ ++ uint8_t tmp; ++ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) { ++ tmp = *b_start; ++ *b_start = *b_end; ++ *b_end = tmp; ++ } ++ } ++ return len; ++} ++ + /* + * Convert sockflags/getaddr_flags into getaddr_flags + */ +--- src/openvpn/socket.h.orig 2016-08-23 14:16:22 UTC ++++ src/openvpn/socket.h +@@ -245,6 +245,10 @@ struct link_socket + #endif + }; + ++int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen); ++int buffer_xorptrpos (struct buffer *buf); ++int buffer_reverse (struct buffer *buf); ++ + /* + * Some Posix/Win32 differences. + */ +@@ -873,30 +877,56 @@ int link_socket_read_udp_posix (struct l + static inline int + link_socket_read (struct link_socket *sock, + struct buffer *buf, +- struct link_socket_actual *from) ++ struct link_socket_actual *from, ++ int xormethod, ++ const char *xormask, ++ int xormasklen) + { ++ int res; + if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ + { +- int res; + + #ifdef WIN32 + res = link_socket_read_udp_win32 (sock, buf, from); + #else + res = link_socket_read_udp_posix (sock, buf, from); + #endif +- return res; + } + else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */ + { + /* from address was returned by accept */ + addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest); +- return link_socket_read_tcp (sock, buf); ++ res = link_socket_read_tcp (sock, buf); + } + else + { + ASSERT (0); + return -1; /* NOTREACHED */ + } ++ switch(xormethod) ++ { ++ case 0: ++ break; ++ case 1: ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ case 2: ++ buffer_xorptrpos(buf); ++ break; ++ case 3: ++ buffer_reverse(buf); ++ break; ++ case 4: ++ buffer_mask(buf,xormask,xormasklen); ++ buffer_xorptrpos(buf); ++ buffer_reverse(buf); 
++ buffer_xorptrpos(buf); ++ break; ++ default: ++ ASSERT (0); ++ return -1; /* NOTREACHED */ ++ } ++ return res; + } + + /* +@@ -980,8 +1010,34 @@ link_socket_write_udp (struct link_socke + static inline int + link_socket_write (struct link_socket *sock, + struct buffer *buf, +- struct link_socket_actual *to) ++ struct link_socket_actual *to, ++ int xormethod, ++ const char *xormask, ++ int xormasklen) + { ++ switch(xormethod) ++ { ++ case 0: ++ break; ++ case 1: ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ case 2: ++ buffer_xorptrpos(buf); ++ break; ++ case 3: ++ buffer_reverse(buf); ++ break; ++ case 4: ++ buffer_xorptrpos(buf); ++ buffer_reverse(buf); ++ buffer_xorptrpos(buf); ++ buffer_mask(buf,xormask,xormasklen); ++ break; ++ default: ++ ASSERT (0); ++ return -1; /* NOTREACHED */ ++ } + if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */ + { + return link_socket_write_udp (sock, buf, to); diff --git a/security/openvpn23/files/openvpn-client.in b/security/openvpn23/files/openvpn-client.in new file mode 100644 index 000000000000..471757811795 --- /dev/null +++ b/security/openvpn23/files/openvpn-client.in @@ -0,0 +1,6 @@ +#!/bin/sh + +exec %%PREFIX%%/sbin/openvpn --script-security 2 \ + --up %%PREFIX%%/libexec/openvpn-client.up \ + --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \ + --config "$@" diff --git a/security/openvpn23/files/openvpn.in b/security/openvpn23/files/openvpn.in new file mode 100644 index 000000000000..6eab55e69ea6 --- /dev/null +++ b/security/openvpn23/files/openvpn.in 
@@ -0,0 +1,145 @@ +#!/bin/sh +# +# openvpn.sh - load tun/tap driver and start OpenVPN daemon +# +# (C) Copyright 2005 - 2008, 2010 by Matthias Andree +# based on suggestions by Matthias Grimm and Dirk Gouders +# with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev +# and Vasil Dimov +# softrestart feature suggested by Nick Hibma +# +# $FreeBSD$ +# +# This program is free software; you can redistribute it and/or modify it under +# the terms of the GNU General Public License as published by the Free Software +# Foundation; either version 2 of the License, or (at your option) any later +# version. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License along with +# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin +# Street, Fifth Floor, Boston, MA 02110-1301, USA. + +# PROVIDE: openvpn +# REQUIRE: DAEMON +# KEYWORD: shutdown + +# ----------------------------------------------------------------------------- +# +# This script supports running multiple instances of openvpn. +# To run additional instances link this script to something like +# % ln -s openvpn openvpn_foo +# and define additional openvpn_foo_* variables in one of +# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo +# +# Below NAME should be substituted with the name of this script. By default +# it is openvpn, so read as openvpn_enable. If you linked the script to +# openvpn_foo, then read as openvpn_foo_enable etc. +# +# The following variables are supported (defaults are shown). 
+# You can place them in any of +# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME +# +# NAME_enable="NO" # set to YES to enable openvpn +# NAME_if= # driver(s) to load, set to "tun", "tap" or "tun tap" +# # it is OK to specify the if_ prefix. +# +# # optional: +# NAME_flags= # additional command line arguments +# NAME_configfile="%%PREFIX%%/etc/openvpn/NAME.conf" # --config file +# NAME_dir="%%PREFIX%%/etc/openvpn" # --cd directory +# +# You also need to set NAME_configfile and NAME_dir, if the configuration +# file and directory where keys and certificates reside differ from the above +# settings. +# +# Note that we deliberately refrain from unloading drivers. +# +# For further documentation, please see openvpn(8). +# + +. /etc/rc.subr + +# service(8) does not create an authentic environment, try to guess, +# and as of 10.3-RELEASE-p0, it will not find the indented name= +# assignments below. So give it a default. +# Trailing semicolon also for service(8)'s benefit: +name="$file" ; + +case "$0" in +/etc/rc*) + # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown), + # so get the name of the script from $_file + name="$_file" + ;; +*/service) + # do not use this as $0 + ;; +*) + name="$0" + ;; +esac + +# default name to "openvpn" if guessing failed +# Trailing semicolon also for service(8)'s benefit: +name="${name:-openvpn}" ; +name="${name##*/}" +rcvar=${name}_enable + +stop_postcmd() +{ + rm -f "$pidfile" || warn "Could not remove $pidfile." +} + +softrestart() +{ + sig_reload=USR1 run_rc_command reload + exit $? 
+} + +openvpn_stats() +{ + sig_reload=USR2 + run_rc_command ${rc_prefix}reload $rc_extra_args +} + +# reload: support SIGHUP to reparse configuration file +# softrestart: support SIGUSR1 to reconnect without superuser privileges +# stats: support SIGUSR2 to write statistics to the syslog +extra_commands="reload softrestart stats" +softrestart_cmd="softrestart" +stats_cmd="openvpn_stats" + +# pidfile +pidfile="/var/run/${name}.pid" + +# command and arguments +command="%%PREFIX%%/sbin/openvpn" + +# run this last +stop_postcmd="stop_postcmd" + +load_rc_config ${name} + +eval ": \${${name}_enable:=\"NO\"}" +eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}" +eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}" + +configfile="$(eval echo \${${name}_configfile})" +dir="$(eval echo \${${name}_dir})" +interfaces="$(eval echo \${${name}_if})" + +required_modules= +for i in $interfaces ; do + required_modules="$required_modules${required_modules:+" "}if_${i#if_}" +done + +required_files=${configfile} + +command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile}" + +run_rc_command "$1" diff --git a/security/openvpn23/files/patch-configure b/security/openvpn23/files/patch-configure new file mode 100644 index 000000000000..226436314279 --- /dev/null +++ b/security/openvpn23/files/patch-configure @@ -0,0 +1,11 @@ +--- configure.orig 2016-08-23 14:19:07 UTC ++++ configure +@@ -17160,8 +17160,6 @@ fi + $as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&6; } + fi + else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&5 +-$as_echo "!! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&6; } + if false; then + CMOCKA_INITIALIZED_TRUE= + CMOCKA_INITIALIZED_FALSE='#' 
diff --git a/security/openvpn23/files/patch-sample__sample-config-files__loopback-client b/security/openvpn23/files/patch-sample__sample-config-files__loopback-client new file mode 100644 index 000000000000..0b485a641d8a --- /dev/null +++ b/security/openvpn23/files/patch-sample__sample-config-files__loopback-client @@ -0,0 +1,13 @@ +--- sample/sample-config-files/loopback-client.orig 2016-08-23 14:16:22 UTC ++++ sample/sample-config-files/loopback-client +@@ -9,8 +9,8 @@ + # ./openvpn --config sample-config-files/loopback-client (In one window) + # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) + +-rport 16000 +-lport 16001 ++rport 16100 ++lport 16101 + remote localhost + local localhost + dev null diff --git a/security/openvpn23/files/patch-sample__sample-config-files__loopback-server b/security/openvpn23/files/patch-sample__sample-config-files__loopback-server new file mode 100644 index 000000000000..58691b133de7 --- /dev/null +++ b/security/openvpn23/files/patch-sample__sample-config-files__loopback-server @@ -0,0 +1,13 @@ +--- sample/sample-config-files/loopback-server.orig 2016-08-23 14:16:22 UTC ++++ sample/sample-config-files/loopback-server +@@ -9,8 +9,8 @@ + # ./openvpn --config sample-config-files/loopback-client (In one window) + # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) + +-rport 16001 +-lport 16000 ++rport 16101 ++lport 16100 + remote localhost + local localhost + dev null diff --git a/security/openvpn23/files/patch-tests__t_cltsrv.sh b/security/openvpn23/files/patch-tests__t_cltsrv.sh new file mode 100644 index 000000000000..e1dcb3cab046 --- /dev/null +++ b/security/openvpn23/files/patch-tests__t_cltsrv.sh 
@@ -0,0 +1,65 @@ +--- tests/t_cltsrv.sh.orig 2016-08-23 13:10:22 UTC ++++ tests/t_cltsrv.sh +@@ -1,7 +1,7 @@ + #! /bin/sh + # + # t_cltsrv.sh - script to test OpenVPN's crypto loopback +-# Copyright (C) 2005, 2006, 2008 Matthias Andree ++# Copyright (C) 2005 - 2014 Matthias Andree + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License +@@ -22,8 +22,9 @@ set -e + srcdir="${srcdir:-.}" + top_srcdir="${top_srcdir:-..}" + top_builddir="${top_builddir:-..}" +-trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15 +-trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3 ++root="${top_srcdir}/sample" ++trap "rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15 ++trap "a=\$? ; rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; test \$a = 0 && exit 1 || exit \$a" 0 3 + addopts= + case `uname -s` in + FreeBSD) +@@ -45,18 +46,38 @@ esac + # make sure that the --down script is executable -- fail (rather than + # skip) test if it isn't. + downscript="../tests/t_cltsrv-down.sh" +-root="${top_srcdir}/sample" + test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; } + echo "The following test will take about two minutes." >&2 + echo "If the addresses are in use, this test will retry up to two times." 
>&2 + ++set -- $(ifconfig lo0 | grep -E '\<inet' | head -n1) ++add= ++if [ "x$1$2" = "x" ] ; then ++ echo >&2 "### NO ADDRESSES ON LOOPBACK INTERFACE lo0, SKIPPING TEST ###" ++ exit 77 ++fi ++if [ "inet6" = "$1" ] ; then ++ add='proto udp6 ' ++fi ++for i in server client ; do ++ sed -e "s/localhost/$2/" -e "/^remote /a\\ ++$add" ${root}/sample-config-files/loopback-$i \ ++ >${root}/sample-config-files/loopback-$i.test ++done ++ + # go + success=0 + for i in 1 2 3 ; do + set +e + ( +- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" & +- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client" ++ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \ ++ --cd "${root}" ${addopts} --setenv role srv \ ++ --down "${downscript}" --tls-exit --ping-exit 180 \ ++ --config "sample-config-files/loopback-server.test" & ++ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \ ++ --cd "${top_srcdir}/sample" ${addopts} --setenv role clt \ ++ --down "${downscript}" --tls-exit --ping-exit 180 \ ++ --config "sample-config-files/loopback-client.test" + ) 3>log.$$.signal >log.$$ 2>&1 + e1=$? + wait $! diff --git a/security/openvpn23/files/pkg-message.in b/security/openvpn23/files/pkg-message.in new file mode 100644 index 000000000000..8c1eaa14b3b2 --- /dev/null +++ b/security/openvpn23/files/pkg-message.in 
@@ -0,0 +1,11 @@ +### ------------------------------------------------------------------------ +### Edit /etc/rc.conf[.local] to start OpenVPN automatically at system +### startup. See %%PREFIX%%/etc/rc.d/openvpn for details. +### ------------------------------------------------------------------------ +### Connect to VPN server as a client with this command to include +### the client.up/down scripts in the initialization: +### openvpn-client <spec>.ovpn +### ------------------------------------------------------------------------ +### For compatibility notes when interoperating with older OpenVPN +### versions, please, see <http://openvpn.net/relnotes.html> +### ------------------------------------------------------------------------ diff --git a/security/openvpn23/files/up-script.sample b/security/openvpn23/files/up-script.sample new file mode 100644 index 000000000000..2b9acee3dc85 --- /dev/null +++ b/security/openvpn23/files/up-script.sample @@ -0,0 +1,27 @@ +#!/bin/sh +# OpenVPN simple up/down script for openresolvconf integration. +# (C) Copyright 2016 Baptiste Daroussin +# BSD 2-clause license. + +set -e +u +: ${script_type:=down} +case "${script_type}" in +up) + i=1 + while :; do + eval option=\"\$foreign_option_${i}\" || break + [ "${option}" ] || break + set -- ${option} + i=$((i + 1)) + [ "$1" = "dhcp-option" ] || continue + case "$2" in + DNS) echo "nameserver ${3}" ;; + DOMAIN) echo "domain ${3}" ;; + DOMAIN-SEARCH) echo "search ${3}" ;; + esac + done | /sbin/resolvconf -a "${dev}" + ;; +down) + /sbin/resolvconf -d "${dev}" -f + ;; +esac diff --git a/security/openvpn23/pkg-descr b/security/openvpn23/pkg-descr new file mode 100644 index 000000000000..751e62d362d1 --- /dev/null +++ b/security/openvpn23/pkg-descr 
@@ -0,0 +1,7 @@ +OpenVPN is a robust, scalable and highly configurable VPN (Virtual Private +Network) daemon which can be used to securely link two or more private networks +using an encrypted tunnel over the internet. It can operate over UDP or TCP, +can use SSL or a pre-shared secret to authenticate peers, and in SSL mode, one +server can handle many clients. + +WWW: http://openvpn.net/index.php/open-source.html diff --git a/security/openvpn23/pkg-help b/security/openvpn23/pkg-help new file mode 100644 index 000000000000..9fd1cd9567bd --- /dev/null +++ b/security/openvpn23/pkg-help @@ -0,0 +1,10 @@ +Note that "Tunnelblick" is a controversial option. +It is included for compatibility, not enabled by default, +and should only be used with due consideration, and it should not +replace proper cryptography use in OpenVPN. + +Note that this patch does NOT add documentation for the new --scramble +option, neither to the --help output, nor the manual page. + +Please see this website for a more detailed discussion: +https://tunnelblick.net/cOpenvpn_xorpatch.html diff --git a/security/openvpn23/pkg-plist b/security/openvpn23/pkg-plist new file mode 100644 index 000000000000..2069cc44c6e4 --- /dev/null +++ b/security/openvpn23/pkg-plist @@ -0,0 +1,8 @@ +include/openvpn-plugin.h +lib/openvpn/plugins/openvpn-plugin-auth-pam.so +lib/openvpn/plugins/openvpn-plugin-down-root.so +man/man8/openvpn.8.gz +sbin/openvpn +sbin/openvpn-client +libexec/openvpn-client.up +libexec/openvpn-client.down |
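Review bot: in the new `link_socket_read` in src/openvpn/socket.h (the link_socket_read hunk of the scramble patch), the `switch(xormethod)` de-obfuscation runs unconditionally after the read, including when `res` is negative (read error) or zero, so `buffer_mask`, `buffer_xorptrpos` and `buffer_reverse` operate on whatever `buf->len` a failed read left behind. Guard the block with `if (res > 0)` so the transforms only touch bytes that were actually received, and validate `xormethod` when the option is parsed rather than only with `ASSERT (0)` in the read path, since an assertion there aborts the running daemon on a configuration mistake instead of rejecting the config at startup.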
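Review bot: the `case 4` sequences in `link_socket_write` (xorptrpos, reverse, xorptrpos, mask) and `link_socket_read` (mask, xorptrpos, reverse, xorptrpos) are only correct because they are exact mirror images and each of the three helpers is its own inverse; nothing in the hunk says so. Add a comment above each switch cross-referencing the other, and note next to `buffer_reverse` that it deliberately leaves the first byte in place (`BPTR (buf) + 1` to `BPTR (buf) + (len - 1)`), so a future change to one side cannot silently desynchronise the two.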
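Review bot: in security/openvpn23/files/openvpn-client.in the wrapper ends with `--config "$@"`, so only the first argument is taken as the config file and every further argument is appended as an additional openvpn option; with no arguments at all, openvpn fails on a bare `--config`. Make the contract explicit, for example `cfg="$1"; shift` followed by `--config "$cfg" "$@"`, and print a one-line usage message when `$#` is 0, matching the `openvpn-client <spec>.ovpn` form that pkg-message advertises.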
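Review bot: in the openvpn.in rc script, `required_files=${configfile}` and `command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile}"` break as soon as NAME_configfile or NAME_dir contains whitespace, and the `eval ": \${${name}_configfile:=...}"` lines interpolate `name`, which is derived from `$0` or `$_file`, straight into shell code. Either quote the paths inside `command_args` (rc.subr evaluates the string, so single quotes around `${dir}` and `${configfile}` work) and restrict `name` to identifier characters before the `eval` lines, or state both restrictions in the header comment that documents the NAME_* variables.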
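Review bot: security/openvpn23/files/patch-configure deletes the two `$as_echo "... CMake is NOT available. Unit testing cannot be performed."` lines without any explanation of why the diagnostic is unwanted. Ports patches normally carry a header comment; add one line stating the motivation (presumably to keep the warning out of port build logs where cmocka is never used), so the next maintainer does not drop the patch as accidental.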
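Review bot: the loopback-client and loopback-server sample-config patches move the port pair from 16000/16001 to 16100/16101 and keep the pairing consistent (client `rport 16100` matches server `lport 16100`, and vice versa), but neither patch says why the original ports were a problem. Record the reason in a header comment in one of the two patch files, and mention there that both files must be changed together, since a mismatch only shows up as a test timeout.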
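Review bot: in the t_cltsrv.sh hunk, the new exit trap `trap "a=\$? ; rm -f ... ; test \$a = 0 && exit 1 || exit \$a" 0 3` turns a normal exit status of 0 into 1, so the success path only works if the script still clears the trap with `trap 0` before exiting; that part of the script is outside the hunk, so please confirm it is still there. Two smaller points: `set -- $(ifconfig lo0 | ...)` hard-codes the interface name, which is fine for a FreeBSD port patch but worth a comment, and the generated `loopback-*.test` files are written into `${root}/sample-config-files` in the source tree rather than the build directory, which fails on a read-only srcdir.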
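Review bot: in up-script.sample the pushed `foreign_option_N` values are split with an unquoted `set -- ${option}`, which also performs pathname expansion, so a value containing `*` or `?` is replaced by matching filenames in the current directory before it reaches resolvconf. Since these values come from the VPN server, add `set -f` next to `set -e +u` (the script relies on `+u`, so `$3` is simply empty for a truncated option and yields a bare `nameserver ` line; checking `[ -n "${3:-}" ]` before each `echo` would avoid writing that to resolv.conf).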
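Review bot: the openvpn23 pkg-help text calls the Tunnelblick option "controversial" and says it "should not replace proper cryptography", but does not say what the option actually does; the scramble code shown in this patch makes that easy to state. Spell out that `--scramble` only applies reversible transforms to each packet (`buffer_reverse` and `buffer_xorptrpos` use no key at all, `buffer_mask` XORs with a fixed string from the config), so it is obfuscation against protocol fingerprinting and must sit underneath OpenVPN's TLS or static-key crypto, and mention which OPTIONS knob enables it so users can check their build.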