authormandree <mandree@FreeBSD.org>2015-06-11 03:18:56 +0800
committermandree <mandree@FreeBSD.org>2015-06-11 03:18:56 +0800
commit5983ea668f59c4bcfaeeb79a3ce399b39416cfb3 (patch)
tree5379ff9e8fe36ee95c21fc1a5bb6147225de9a90 /security
parent4c23b3a6e663a723cda88100f0da2b561cd079d8 (diff)
Update to new upstream release 2.3.7.
Fixes PR: 194745
Diffstat (limited to 'security')
-rw-r--r--security/openvpn/Makefile20
-rw-r--r--security/openvpn/distinfo4
-rw-r--r--security/openvpn/files/EF-subnet.patch63
-rw-r--r--security/openvpn/files/EF1.patch43
-rw-r--r--security/openvpn/files/EF2.patch186
-rw-r--r--security/openvpn/files/EF3.patch38
6 files changed, 4 insertions, 350 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index ff4774b164bc..2f037d8d87df 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= openvpn
-DISTVERSION= 2.3.6
-PORTREVISION= 5
+DISTVERSION= 2.3.7
CATEGORIES= security net
MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
http://build.openvpn.net/downloads/releases/
@@ -28,8 +27,7 @@ LDFLAGS+= -L${LOCALBASE}/lib
# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
-OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
- ENGINEFIX2 SUBNETFIX
+OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME
OPTIONS_DEFAULT= EASYRSA OPENSSL
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
@@ -38,8 +36,6 @@ PKCS11_DESC= Use security/pkcs11-helper
EASYRSA_DESC= Install security/easy-rsa RSA helper package
POLARSSL_DESC= SSL/TLS support via PolarSSL
X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL)
-ENGINEFIX2_DESC= New EXPERIMENTAL patchset for SSL engine use (OpenSSL)
-SUBNETFIX_DESC= EXPERIMENTAL patch to fix subnet mode (tkt \#481)
EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa
@@ -52,18 +48,6 @@ X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
.include <bsd.port.options.mk>
-# patches to fix PR 195004, https://community.openvpn.net/openvpn/ticket/480
-.if ${PORT_OPTIONS:MENGINEFIX2}
-EXTRA_PATCHES+= ${FILESDIR}/EF1.patch:-p1 \
- ${FILESDIR}/EF2.patch:-p1 \
- ${FILESDIR}/EF3.patch:-p1
-.endif
-
-# patch to fix PR 194745, https://community.openvpn.net/openvpn/ticket/481
-.if ${PORT_OPTIONS:MSUBNETFIX}
-EXTRA_PATCHES+= ${FILESDIR}/EF-subnet.patch:-p1
-.endif
-
.if ${PORT_OPTIONS:MPOLARSSL}
. if ${PORT_OPTIONS:MX509ALTUSERNAME}
BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead
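Review bot: The ENGINEFIX2 option and its EF1–EF3 patch block (the removed `# patches to fix PR 195004, .../ticket/480` stanza) are dropped together with SUBNETFIX, but the commit message names only PR 194745, so the record does not say why the PR 195004 patchset is no longer needed. If 2.3.7 ships those fixes upstream, say so in the commit message or leave a one-line note in the Makefile, e.g. `# EF*/EF-subnet patches (PR 194745, PR 195004; upstream trac #480/#481) removed: presumably fixed upstream in 2.3.7`. Users who had either option saved in their port configuration now carry a selection that no longer does anything, which is worth a note so they do not assume the experimental patches are still applied. Since MASTER_SITES lists plain http:// mirrors, the new SHA256 in distinfo is the only integrity check on the fetched tarball, so confirming it against upstream's signed release checksum before committing is the useful safeguard here.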
diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo
index eddb992cc0ef..d7eb92d37eb2 100644
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.3.6.tar.xz) = adae2ef34c9225347a844683b88caa87cde0979b7f2390fd1776db0eb51510ed
-SIZE (openvpn-2.3.6.tar.xz) = 809348
+SHA256 (openvpn-2.3.7.tar.xz) = 4062ce972500f98988e9c6e9dd1040be25582f0d49aa7e69f3f4cff96e9aebee
+SIZE (openvpn-2.3.7.tar.xz) = 812104
diff --git a/security/openvpn/files/EF-subnet.patch b/security/openvpn/files/EF-subnet.patch
deleted file mode 100644
index 82b48c5081dc..000000000000
--- a/security/openvpn/files/EF-subnet.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From b8f70b0f25c44e6d6a17b9f76756de87146a55d9 Mon Sep 17 00:00:00 2001
-From: Gert Doering <gert@greenie.muc.de>
-Date: Sun, 26 Apr 2015 18:16:39 +0200
-Subject: [PATCH] Fix FreeBSD ifconfig for topology subnet tunnels.
-
-For "topology subnet", we only pretend to have a subnet and keep
-using the tun if in point-to-point mode - but for that to fully
-work, the "remote" address needs to be different from the "local"
-address. So just arbitrarily construct one from the on-link
-subnet - base+1, if "that is not us", base+2, otherwise.
-
-Fix trac #481
-
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- src/openvpn/tun.c | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
-index 11a6d71..aa7a9f0 100644
---- a/src/openvpn/tun.c
-+++ b/src/openvpn/tun.c
-@@ -626,6 +626,28 @@ void delete_route_connected_v6_net(struct tuntap * tt,
- }
- #endif
-
-+#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
-+/* we can't use true subnet mode on tun on all platforms, as that
-+ * conflicts with IPv6 (wants to use ND then, which we don't do),
-+ * but the OSes want "a remote address that is different from ours"
-+ * - so we construct one, normally the first in the subnet, but if
-+ * this is the same as ours, use the second one.
-+ * The actual address does not matter at all, as the tun interface
-+ * is still point to point and no layer 2 resolution is done...
-+ */
-+
-+char *
-+create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
-+{
-+ in_addr_t remote;
-+
-+ remote = (tt->local & tt->remote_netmask) +1;
-+
-+ if ( remote == tt->local ) remote ++;
-+
-+ return print_in_addr_t (remote, 0, &gc);
-+}
-+#endif
-
- /* execute the ifconfig command through the shell */
- void
-@@ -1150,7 +1172,7 @@ do_ifconfig (struct tuntap *tt,
- IFCONFIG_PATH,
- actual,
- ifconfig_local,
-- ifconfig_local,
-+ create_arbitrary_remote( tt, &gc ),
- tun_mtu,
- ifconfig_remote_netmask
- );
---
-2.2.2
-
diff --git a/security/openvpn/files/EF1.patch b/security/openvpn/files/EF1.patch
deleted file mode 100644
index 9326c8053e08..000000000000
--- a/security/openvpn/files/EF1.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-commit c7f3fd9c603bfd9cef600316d5e76210e6cf54a7
-Author: Steffan Karger <steffan@karger.me>
-Date: Thu Mar 26 01:01:29 2015 +0100
-
- Remove unneeded parameter 'first_time' from possibly_become_daemon()
-
- The static helper function possibly_become_daemon() is called only once,
- by do_init_first_time(), which checks 'first_time' to be true before
- calling possibly_become_daemon(). This makes the parameter useless.
-
- Signed-off-by: Steffan Karger <steffan@karger.me>
- Acked-by: Gert Doering <gert@greenie.muc.de>
- Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me>
- URL: http://article.gmane.org/gmane.network.openvpn.devel/9555
- Signed-off-by: Gert Doering <gert@greenie.muc.de>
- (cherry picked from commit 857c04ef06cd13d59c5b45332f07996e71372576)
-
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 48b28fc..3a67a50 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -942,10 +942,10 @@ do_persist_tuntap (const struct options *options)
- * Return true if we did it.
- */
- static bool
--possibly_become_daemon (const struct options *options, const bool first_time)
-+possibly_become_daemon (const struct options *options)
- {
- bool ret = false;
-- if (first_time && options->daemon)
-+ if (options->daemon)
- {
- ASSERT (!options->inetd);
- if (daemon (options->cd_dir != NULL, options->log) < 0)
-@@ -2776,7 +2776,7 @@ do_init_first_time (struct context *c)
- get_pid_file (c->options.writepid, &c0->pid_state);
-
- /* become a daemon if --daemon */
-- c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
-+ c->did_we_daemonize = possibly_become_daemon (&c->options);
-
- /* should we disable paging? */
- if (c->options.mlock && c->did_we_daemonize)
diff --git a/security/openvpn/files/EF2.patch b/security/openvpn/files/EF2.patch
deleted file mode 100644
index cd983cfc84e4..000000000000
--- a/security/openvpn/files/EF2.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-
-[Openvpn-devel] [PATCH] Call daemon() before initializing crypto library
-From: Steffan Karger <steffan@ka...> - 2015-04-27 14:29:09
-
-But keep the chdir to / at the place where deamon() was before, to preserve
-the current behaviour wrt relative paths in the config.
-
-This should fix the issue reported in trac #480, without changing the
-behaviour visible to the end user.
-
-Note that by moving the daemon() call to an earlier stage of the init
-process, we no longer have to call platform_mlockall() again, or do a
-pkcs11_forkFixup().
-
-Signed-off-by: Steffan Karger <steffan@...>
----
- src/openvpn/init.c | 32 +++++++++++---------------------
- src/openvpn/init.h | 2 ++
- src/openvpn/openvpn.c | 4 ++++
- src/openvpn/pkcs11.c | 5 -----
- src/openvpn/pkcs11.h | 3 ---
- 5 files changed, 17 insertions(+), 29 deletions(-)
-
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 73c6aff..5b22c38 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -916,23 +916,20 @@ do_persist_tuntap (const struct options *options)
- * Should we become a daemon?
- * Return true if we did it.
- */
--static bool
-+bool
- possibly_become_daemon (const struct options *options)
- {
- bool ret = false;
- if (options->daemon)
- {
- ASSERT (!options->inetd);
-- if (daemon (options->cd_dir != NULL, options->log) < 0)
-+ /* Don't chdir immediately, but the end of the init sequence, if needed */
-+ if (daemon (1, options->log) < 0)
- msg (M_ERR, "daemon() failed or unsupported");
- restore_signal_state ();
- if (options->log)
- set_std_files_to_null (true);
-
--#if defined(ENABLE_PKCS11)
-- pkcs11_forkFixup ();
--#endif
--
- ret = true;
- }
- return ret;
-@@ -1809,15 +1806,11 @@ do_deferred_options (struct context *c, const unsigned int found)
- * Possible hold on initialization
- */
- static bool
--do_hold (struct context *c)
-+do_hold (void)
- {
- #ifdef ENABLE_MANAGEMENT
- if (management)
- {
-- /* if c is defined, daemonize before hold */
-- if (c && c->options.daemon && management_should_daemonize (management))
-- do_init_first_time (c);
--
- /* block until management hold is released */
- if (management_hold (management))
- return true;
-@@ -1867,7 +1860,7 @@ socket_restart_pause (struct context *c)
- c->persist.restart_sleep_seconds = 0;
-
- /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
-- if (do_hold (NULL))
-+ if (do_hold ())
- sec = 0;
-
- if (sec)
-@@ -1886,7 +1879,7 @@ do_startup_pause (struct context *c)
- if (!c->first_time)
- socket_restart_pause (c);
- else
-- do_hold (NULL); /* do management hold on first context initialization */
-+ do_hold (); /* do management hold on first context initialization */
- }
-
- /*
-@@ -2743,7 +2736,7 @@ do_compute_occ_strings (struct context *c)
- static void
- do_init_first_time (struct context *c)
- {
-- if (c->first_time && !c->did_we_daemonize && !c->c0)
-+ if (c->first_time && !c->c0)
- {
- struct context_0 *c0;
-
-@@ -2758,12 +2751,9 @@ do_init_first_time (struct context *c)
- /* get --writepid file descriptor */
- get_pid_file (c->options.writepid, &c0->pid_state);
-
-- /* become a daemon if --daemon */
-- c->did_we_daemonize = possibly_become_daemon (&c->options);
--
-- /* should we disable paging? */
-- if (c->options.mlock && c->did_we_daemonize)
-- platform_mlockall (true); /* call again in case we daemonized */
-+ /* perform postponed chdir if --daemon */
-+ if (c->did_we_daemonize && c->options.cd_dir == NULL)
-+ platform_chdir("/");
-
- /* save process ID in a file */
- write_pid (&c0->pid_state);
-@@ -3221,7 +3211,7 @@ open_management (struct context *c)
- }
-
- /* initial management hold, called early, before first context initialization */
-- do_hold (c);
-+ do_hold ();
- if (IS_SIG (c))
- {
- msg (M_WARN, "Signal received from management interface, exiting");
-diff --git a/src/openvpn/init.h b/src/openvpn/init.h
-index 5a1d1dc..d1908ed 100644
---- a/src/openvpn/init.h
-+++ b/src/openvpn/init.h
-@@ -55,6 +55,8 @@ bool do_genkey (const struct options *options);
-
- bool do_persist_tuntap (const struct options *options);
-
-+bool possibly_become_daemon (const struct options *options);
-+
- void pre_setup (const struct options *options);
-
- void init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags);
-diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
-index fd87fc1..2f327f3 100644
---- a/src/openvpn/openvpn.c
-+++ b/src/openvpn/openvpn.c
-@@ -229,6 +229,10 @@ openvpn_main (int argc, char *argv[])
- if (do_test_crypto (&c.options))
- break;
-
-+ /* become a daemon if --daemon */
-+ if (c.first_time)
-+ c.did_we_daemonize = possibly_become_daemon (&c.options);
-+
- #ifdef ENABLE_MANAGEMENT
- /* open management subsystem */
- if (!open_management (&c))
-diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
-index 3a15ef6..a1f13c5 100644
---- a/src/openvpn/pkcs11.c
-+++ b/src/openvpn/pkcs11.c
-@@ -336,11 +336,6 @@ pkcs11_terminate () {
- );
- }
-
--void
--pkcs11_forkFixup () {
-- pkcs11h_forkFixup ();
--}
--
- bool
- pkcs11_addProvider (
- const char * const provider,
-diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
-index 4261871..b49401c 100644
---- a/src/openvpn/pkcs11.h
-+++ b/src/openvpn/pkcs11.h
-@@ -38,9 +38,6 @@ pkcs11_initialize (
- void
- pkcs11_terminate ();
-
--void
--pkcs11_forkFixup ();
--
- bool
- pkcs11_addProvider (
- const char * const provider,
---
-2.1.4
-
-
-
diff --git a/security/openvpn/files/EF3.patch b/security/openvpn/files/EF3.patch
deleted file mode 100644
index cb261ef90b09..000000000000
--- a/security/openvpn/files/EF3.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-commit ac1c2f259b44d1229a65a3e639b09d57a4e2a53b
-Author: Arne Schwabe <arne@rfc2549.org>
-Date: Fri Mar 21 14:18:35 2014 +0100
-
- Move the initialization of the environment to the top so c2.es is initialized
-
- Acked-by: Gert Doering <gert@greenie.muc.de>
- Message-Id: <1395407925-25518-3-git-send-email-arne@rfc2549.org>
- URL: http://article.gmane.org/gmane.network.openvpn.devel/8372
-
- Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 3b72b96..c50b5c2 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -3339,6 +3339,10 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int
- /* init garbage collection level */
- gc_init (&c->c2.gc);
-
-+ /* inherit environmental variables */
-+ if (env)
-+ do_inherit_env (c, env);
-+
- /* signals caught here will abort */
- c->sig->signal_received = 0;
- c->sig->signal_text = NULL;
-@@ -3390,10 +3394,6 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int
- if (c->mode == CM_P2P || c->mode == CM_TOP)
- do_option_warnings (c);
-
-- /* inherit environmental variables */
-- if (env)
-- do_inherit_env (c, env);
--
- #ifdef ENABLE_PLUGIN
- /* initialize plugins */
- if (c->mode == CM_P2P || c->mode == CM_TOP)