From owner-svn-ports-head@FreeBSD.ORG Mon May 4 23:08:06 2015
From: Matthias Andree
Date: Mon, 4 May 2015 23:08:03 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r385432 - in head/security/openvpn: . files
Message-Id: <201505042308.t44N83CP001428@svn.freebsd.org>

Author: mandree
Date: Mon May 4 23:08:02 2015
New Revision: 385432

URL: https://svnweb.freebsd.org/changeset/ports/385432

Log:
+ Update patch set for crypto engine fix [1]. Change option name so it is
  presented anew, default disabled.
+ Add openvpn-client wrapper script and up/down scripts to trigger
  resolvconf, with minor edits. [2]
+ Set proper PLUGIN_LIBDIR so that plugins in the default directory can be
  found with relative paths.
+ Compile shipped plugins with -fPIC.
PR: 195004 [1] PR: 199529 [2] Submitted by: yuri@rawbw.com [2] Obtained from: https://community.openvpn.net/openvpn/ticket/480#comment:21 Added: head/security/openvpn/files/EF1.patch (contents, props changed) head/security/openvpn/files/EF2.patch (contents, props changed) head/security/openvpn/files/EF3.patch (contents, props changed) head/security/openvpn/files/openvpn-client.in (contents, props changed) Deleted: head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch Modified: head/security/openvpn/Makefile head/security/openvpn/files/patch-sample__sample-config-files__loopback-client head/security/openvpn/files/patch-sample__sample-config-files__loopback-server head/security/openvpn/files/patch-tests__t_cltsrv.sh head/security/openvpn/files/pkg-message.in head/security/openvpn/pkg-plist Modified: head/security/openvpn/Makefile ============================================================================== --- head/security/openvpn/Makefile Mon May 4 22:02:29 2015 (r385431) +++ head/security/openvpn/Makefile Mon May 4 23:08:02 2015 (r385432) @@ -3,7 +3,7 @@ PORTNAME= openvpn DISTVERSION= 2.3.6 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ @@ -25,7 +25,10 @@ SHEBANG_FILES= sample/sample-scripts/ve CPPFLAGS+= -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib -OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX +# set PLUGIN_LIBDIR so that unqualified plugin paths are found: +CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\" + +OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX2 OPTIONS_DEFAULT= EASYRSA OPENSSL OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL POLARSSL 
@@ -34,7 +37,7 @@ PKCS11_DESC= Use security/pkcs11-helper EASYRSA_DESC= Install security/easy-rsa RSA helper package POLARSSL_DESC= SSL/TLS support via PolarSSL X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL) -ENGINEFIX_DESC= EXPERIMENTAL patch to fix SSL engine use +ENGINEFIX2_DESC= New EXPERIMENTAL patchset for SSL engine use (OpenSSL) EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa @@ -47,15 +50,18 @@ X509ALTUSERNAME_CONFIGURE_ENABLE= x509-a .include -.if ${PORT_OPTIONS:MENGINEFIX} -EXTRA_PATCHES+= ${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1 +# patches to fix PR 195004, https://community.openvpn.net/openvpn/ticket/480 +.if ${PORT_OPTIONS:MENGINEFIX2} +EXTRA_PATCHES+= ${FILESDIR}/EF1.patch:-p1 \ + ${FILESDIR}/EF2.patch:-p1 \ + ${FILESDIR}/EF3.patch:-p1 .endif .if ${PORT_OPTIONS:MPOLARSSL} . if ${PORT_OPTIONS:MX509ALTUSERNAME} BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead . else -LIB_DEPENDS+= libpolarssl.so.5:${PORTSDIR}/security/polarssl +LIB_DEPENDS+= libpolarssl.so:${PORTSDIR}/security/polarssl CONFIGURE_ARGS+= --with-crypto-library=polarssl . endif .else @@ -66,7 +72,7 @@ CONFIGURE_ARGS+= --with-crypto-library=o USE_RC_SUBR= openvpn USE_LDCONFIG= ${PREFIX}/lib -SUB_FILES= pkg-message +SUB_FILES= pkg-message openvpn-client .include @@ -91,6 +97,11 @@ pre-configure: @${ECHO} "" .endif +post-configure: + ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ + ${WRKSRC}/src/plugins/auth-pam/Makefile \ + ${WRKSRC}/src/plugins/down-root/Makefile + post-build: @# self-tests here .if !defined(WITHOUT_CHECK) 
@@ -101,6 +112,10 @@ post-build: post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so + ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up + ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down + @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up + ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include .if ${PORT_OPTIONS:MDOCS} ${MKDIR} ${STAGEDIR}${DOCSDIR}/ Added: head/security/openvpn/files/EF1.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openvpn/files/EF1.patch Mon May 4 23:08:02 2015 (r385432) @@ -0,0 +1,43 @@ +commit c7f3fd9c603bfd9cef600316d5e76210e6cf54a7 +Author: Steffan Karger +Date: Thu Mar 26 01:01:29 2015 +0100 + + Remove unneeded parameter 'first_time' from possibly_become_daemon() + + The static helper function possibly_become_daemon() is called only once, + by do_init_first_time(), which checks 'first_time' to be true before + calling possibly_become_daemon(). This makes the parameter useless. + + Signed-off-by: Steffan Karger + Acked-by: Gert Doering + Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me> + URL: http://article.gmane.org/gmane.network.openvpn.devel/9555 + 
Signed-off-by: Gert Doering + (cherry picked from commit 857c04ef06cd13d59c5b45332f07996e71372576) + +diff --git a/src/openvpn/init.c b/src/openvpn/init.c +index 48b28fc..3a67a50 100644 +--- a/src/openvpn/init.c ++++ b/src/openvpn/init.c +@@ -942,10 +942,10 @@ do_persist_tuntap (const struct options *options) + * Return true if we did it. + */ + static bool +-possibly_become_daemon (const struct options *options, const bool first_time) ++possibly_become_daemon (const struct options *options) + { + bool ret = false; +- if (first_time && options->daemon) ++ if (options->daemon) + { + ASSERT (!options->inetd); + if (daemon (options->cd_dir != NULL, options->log) < 0) +@@ -2776,7 +2776,7 @@ do_init_first_time (struct context *c) + get_pid_file (c->options.writepid, &c0->pid_state); + + /* become a daemon if --daemon */ +- c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time); ++ c->did_we_daemonize = possibly_become_daemon (&c->options); + + /* should we disable paging? */ + if (c->options.mlock && c->did_we_daemonize) Added: head/security/openvpn/files/EF2.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openvpn/files/EF2.patch Mon May 4 23:08:02 2015 (r385432) 
@@ -0,0 +1,186 @@ + +[Openvpn-devel] [PATCH] Call daemon() before initializing crypto library +From: Steffan Karger - 2015-04-27 14:29:09 + +But keep the chdir to / at the place where deamon() was before, to preserve +the current behaviour wrt relative paths in the config. + +This should fix the issue reported in trac #480, without changing the +behaviour visible to the end user. + +Note that by moving the daemon() call to an earlier stage of the init +process, we no longer have to call platform_mlockall() again, or do a +pkcs11_forkFixup(). + +Signed-off-by: Steffan Karger +--- + src/openvpn/init.c | 32 +++++++++++--------------------- + src/openvpn/init.h | 2 ++ + src/openvpn/openvpn.c | 4 ++++ + src/openvpn/pkcs11.c | 5 ----- + src/openvpn/pkcs11.h | 3 --- + 5 files changed, 17 insertions(+), 29 deletions(-) + +diff --git a/src/openvpn/init.c b/src/openvpn/init.c +index 73c6aff..5b22c38 100644 +--- a/src/openvpn/init.c ++++ b/src/openvpn/init.c +@@ -916,23 +916,20 @@ do_persist_tuntap (const struct options *options) + * Should we become a daemon? + * Return true if we did it. 
+ */ +-static bool ++bool + possibly_become_daemon (const struct options *options) + { + bool ret = false; + if (options->daemon) + { + ASSERT (!options->inetd); +- if (daemon (options->cd_dir != NULL, options->log) < 0) ++ /* Don't chdir immediately, but the end of the init sequence, if needed */ ++ if (daemon (1, options->log) < 0) + msg (M_ERR, "daemon() failed or unsupported"); + restore_signal_state (); + if (options->log) + set_std_files_to_null (true); + +-#if defined(ENABLE_PKCS11) +- pkcs11_forkFixup (); +-#endif +- + ret = true; + } + return ret; +@@ -1809,15 +1806,11 @@ do_deferred_options (struct context *c, const unsigned int found) + * Possible hold on initialization + */ + static bool +-do_hold (struct context *c) ++do_hold (void) + { + #ifdef ENABLE_MANAGEMENT + if (management) + { +- /* if c is defined, daemonize before hold */ +- if (c && c->options.daemon && management_should_daemonize (management)) +- do_init_first_time (c); +- + /* block until management hold is released */ + if (management_hold (management)) + return true; +@@ -1867,7 +1860,7 @@ socket_restart_pause (struct context *c) + c->persist.restart_sleep_seconds = 0; + + /* do managment hold on context restart, i.e. second, third, fourth, etc. 
initialization */ +- if (do_hold (NULL)) ++ if (do_hold ()) + sec = 0; + + if (sec) +@@ -1886,7 +1879,7 @@ do_startup_pause (struct context *c) + if (!c->first_time) + socket_restart_pause (c); + else +- do_hold (NULL); /* do management hold on first context initialization */ ++ do_hold (); /* do management hold on first context initialization */ + } + + /* +@@ -2743,7 +2736,7 @@ do_compute_occ_strings (struct context *c) + static void + do_init_first_time (struct context *c) + { +- if (c->first_time && !c->did_we_daemonize && !c->c0) ++ if (c->first_time && !c->c0) + { + struct context_0 *c0; + +@@ -2758,12 +2751,9 @@ do_init_first_time (struct context *c) + /* get --writepid file descriptor */ + get_pid_file (c->options.writepid, &c0->pid_state); + +- /* become a daemon if --daemon */ +- c->did_we_daemonize = possibly_become_daemon (&c->options); +- +- /* should we disable paging? */ +- if (c->options.mlock && c->did_we_daemonize) +- platform_mlockall (true); /* call again in case we daemonized */ ++ /* perform postponed chdir if --daemon */ ++ if (c->did_we_daemonize && c->options.cd_dir == NULL) ++ platform_chdir("/"); + + /* save process ID in a file */ + write_pid (&c0->pid_state); +@@ -3221,7 +3211,7 @@ open_management (struct context *c) + } + + /* initial management hold, called early, before first context initialization */ +- do_hold (c); ++ do_hold (); + if (IS_SIG (c)) + { + msg (M_WARN, "Signal received from management interface, exiting"); +diff --git a/src/openvpn/init.h b/src/openvpn/init.h +index 5a1d1dc..d1908ed 100644 +--- a/src/openvpn/init.h ++++ b/src/openvpn/init.h +@@ -55,6 +55,8 @@ bool do_genkey (const struct options *options); + + bool do_persist_tuntap (const struct options *options); + ++bool possibly_become_daemon (const struct options *options); ++ + void pre_setup (const struct options *options); + + void init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags); +diff --git 
a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c +index fd87fc1..2f327f3 100644 +--- a/src/openvpn/openvpn.c ++++ b/src/openvpn/openvpn.c +@@ -229,6 +229,10 @@ openvpn_main (int argc, char *argv[]) + if (do_test_crypto (&c.options)) + break; + ++ /* become a daemon if --daemon */ ++ if (c.first_time) ++ c.did_we_daemonize = possibly_become_daemon (&c.options); ++ + #ifdef ENABLE_MANAGEMENT + /* open management subsystem */ + if (!open_management (&c)) +diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c +index 3a15ef6..a1f13c5 100644 +--- a/src/openvpn/pkcs11.c ++++ b/src/openvpn/pkcs11.c +@@ -336,11 +336,6 @@ pkcs11_terminate () { + ); + } + +-void +-pkcs11_forkFixup () { +- pkcs11h_forkFixup (); +-} +- + bool + pkcs11_addProvider ( + const char * const provider, +diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h +index 4261871..b49401c 100644 +--- a/src/openvpn/pkcs11.h ++++ b/src/openvpn/pkcs11.h +@@ -38,9 +38,6 @@ pkcs11_initialize ( + void + pkcs11_terminate (); + +-void +-pkcs11_forkFixup (); +- + bool + pkcs11_addProvider ( + const char * const provider, +-- +2.1.4 + + + Added: head/security/openvpn/files/EF3.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openvpn/files/EF3.patch Mon May 4 23:08:02 2015 (r385432) @@ -0,0 +1,38 @@ +commit ac1c2f259b44d1229a65a3e639b09d57a4e2a53b +Author: Arne Schwabe +Date: Fri Mar 21 14:18:35 2014 +0100 + + Move the initialization of the environment to the top so c2.es is initialized + + Acked-by: Gert Doering + Message-Id: <1395407925-25518-3-git-send-email-arne@rfc2549.org> + URL: http://article.gmane.org/gmane.network.openvpn.devel/8372 + + 
Signed-off-by: Gert Doering + +diff --git a/src/openvpn/init.c b/src/openvpn/init.c +index 3b72b96..c50b5c2 100644 +--- a/src/openvpn/init.c ++++ b/src/openvpn/init.c +@@ -3339,6 +3339,10 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int + /* init garbage collection level */ + gc_init (&c->c2.gc); + ++ /* inherit environmental variables */ ++ if (env) ++ do_inherit_env (c, env); ++ + /* signals caught here will abort */ + c->sig->signal_received = 0; + c->sig->signal_text = NULL; +@@ -3390,10 +3394,6 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int + if (c->mode == CM_P2P || c->mode == CM_TOP) + do_option_warnings (c); + +- /* inherit environmental variables */ +- if (env) +- do_inherit_env (c, env); +- + #ifdef ENABLE_PLUGIN + /* initialize plugins */ + if (c->mode == CM_P2P || c->mode == CM_TOP) Added: head/security/openvpn/files/openvpn-client.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openvpn/files/openvpn-client.in Mon May 4 23:08:02 2015 (r385432) @@ -0,0 +1,6 @@ +#!/bin/sh + +exec %%PREFIX%%/sbin/openvpn --script-security 2 \ + --up %%PREFIX%%/libexec/openvpn-client.up \ + --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \ + --config "$@" Modified: head/security/openvpn/files/patch-sample__sample-config-files__loopback-client ============================================================================== --- head/security/openvpn/files/patch-sample__sample-config-files__loopback-client Mon May 4 22:02:29 2015 (r385431) +++ head/security/openvpn/files/patch-sample__sample-config-files__loopback-client Mon May 4 23:08:02 2015 (r385432) 
@@ -1,5 +1,5 @@ ---- ./sample/sample-config-files/loopback-client.orig 2012-09-10 17:01:08.000000000 +0200 -+++ ./sample/sample-config-files/loopback-client 2013-01-11 21:30:07.000000000 +0100 +--- sample/sample-config-files/loopback-client.orig 2014-11-29 14:59:45 UTC ++++ sample/sample-config-files/loopback-client @@ -9,8 +9,8 @@ # ./openvpn --config sample-config-files/loopback-client (In one window) # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) Modified: head/security/openvpn/files/patch-sample__sample-config-files__loopback-server ============================================================================== --- head/security/openvpn/files/patch-sample__sample-config-files__loopback-server Mon May 4 22:02:29 2015 (r385431) +++ head/security/openvpn/files/patch-sample__sample-config-files__loopback-server Mon May 4 23:08:02 2015 (r385432) @@ -1,5 +1,5 @@ ---- ./sample/sample-config-files/loopback-server.orig 2012-09-10 17:01:08.000000000 +0200 -+++ ./sample/sample-config-files/loopback-server 2013-01-11 21:30:07.000000000 +0100 +--- sample/sample-config-files/loopback-server.orig 2014-11-29 14:59:45 UTC ++++ sample/sample-config-files/loopback-server @@ -9,8 +9,8 @@ # ./openvpn --config sample-config-files/loopback-client (In one window) # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) Modified: head/security/openvpn/files/patch-tests__t_cltsrv.sh ============================================================================== --- head/security/openvpn/files/patch-tests__t_cltsrv.sh Mon May 4 22:02:29 2015 (r385431) +++ head/security/openvpn/files/patch-tests__t_cltsrv.sh Mon May 4 23:08:02 2015 (r385432) @@ -1,5 +1,5 @@ ---- ./tests/t_cltsrv.sh.orig 2013-05-31 14:00:07.000000000 +0200 -+++ ./tests/t_cltsrv.sh 2014-01-27 18:51:13.000000000 +0100 +--- tests/t_cltsrv.sh.orig 2014-11-29 14:59:46 UTC ++++ tests/t_cltsrv.sh @@ -1,7 +1,7 @@ #! /bin/sh # 
@@ -9,7 +9,7 @@ # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License -@@ -22,8 +22,9 @@ +@@ -22,8 +22,9 @@ set -e srcdir="${srcdir:-.}" top_srcdir="${top_srcdir:-..}" top_builddir="${top_builddir:-..}" @@ -21,7 +21,7 @@ addopts= case `uname -s` in FreeBSD) -@@ -45,18 +46,38 @@ +@@ -45,18 +46,38 @@ esac # make sure that the --down script is executable -- fail (rather than # skip) test if it isn't. downscript="../tests/t_cltsrv-down.sh" Modified: head/security/openvpn/files/pkg-message.in ============================================================================== --- head/security/openvpn/files/pkg-message.in Mon May 4 22:02:29 2015 (r385431) +++ head/security/openvpn/files/pkg-message.in Mon May 4 23:08:02 2015 (r385432) @@ -2,6 +2,10 @@ ### Edit /etc/rc.conf[.local] to start OpenVPN automatically at system ### startup. See %%PREFIX%%/etc/rc.d/openvpn for details. ### ------------------------------------------------------------------------ +### Connect to VPN server as a client with this command to include +### the client.up/down scripts in the initialization: +### openvpn-client .ovpn +### ------------------------------------------------------------------------ ### For compatibility notes when interoperating with older OpenVPN ### versions, please, see ### ------------------------------------------------------------------------ Modified: head/security/openvpn/pkg-plist ============================================================================== --- head/security/openvpn/pkg-plist Mon May 4 22:02:29 2015 (r385431) +++ head/security/openvpn/pkg-plist Mon May 4 23:08:02 2015 (r385432) @@ -3,3 +3,6 @@ lib/openvpn/plugins/openvpn-plugin-auth- lib/openvpn/plugins/openvpn-plugin-down-root.so man/man8/openvpn.8.gz sbin/openvpn +sbin/openvpn-client +libexec/openvpn-client.up +libexec/openvpn-client.down
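Review bot: the post-configure sed in the Makefile hunk `@@ -91,6 +97,11 @@`, `'/^CFLAGS =/s/$$/ -fPIC/'`, only matches a line that begins exactly `CFLAGS =` (one space, no tab), and REINPLACE_CMD succeeds even when nothing matches, so any change in the spacing of the generated plugin Makefiles would silently leave auth-pam and down-root built without -fPIC. Consider a looser anchor such as `/^CFLAGS[[:space:]]*=/`, or passing -fPIC via CFLAGS at configure time, and fail the build if the pattern does not match.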
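Review bot: the `CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"` line in the Makefile hunk `@@ -25,7 +25,10 @@` is what lets the bare `openvpn-plugin-down-root.so` in openvpn-client.in resolve, but that coupling is undocumented; the comment above it should name the wrapper. The triple-backslash quoting also appears to rely on the value passing through two shell evaluations (configure and the generated Makefile), so a later change to how CPPFLAGS reaches the compiler would break the define without a build error.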
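Review bot: in the Makefile hunk `@@ -47,15 +50,18 @@`, the order of the three EXTRA_PATCHES entries is significant but uncommented: EF2.patch's context already shows `possibly_become_daemon (const struct options *options)` without the `first_time` parameter that EF1.patch removes, so EF2 applies only after EF1. A one-line comment stating the dependency would prevent a future reorder. The same hunk changes `LIB_DEPENDS+= libpolarssl.so.5` to `libpolarssl.so`, dropping the ABI major pin; that follows ports convention but is unrelated to the engine fix and merits its own line in the log.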
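Review bot: ENGINEFIX2_DESC in the Makefile hunk `@@ -34,7 +37,7 @@` says "(OpenSSL)", yet the `.if ${PORT_OPTIONS:MENGINEFIX2}` block applies EF1..EF3 regardless of whether OPENSSL or POLARSSL is selected, and EF2 touches pkcs11.c, which is built for both. Either gate the block on `${PORT_OPTIONS:MOPENSSL}` as the description implies, or drop "(OpenSSL)" from the description.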
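Review bot: the `do_hold` hunk in EF2.patch (`@@ -1809,15 +1806,11 @@`) deletes the `management_should_daemonize (management)` gate along with the early `do_init_first_time (c)` call, and the openvpn.c hunk now daemonizes before `open_management` whenever `--daemon` is set. A management client therefore sees the process background itself before the hold instead of when the client releases it, which is a visible behaviour change despite the description's "without changing the behaviour visible to the end user"; since the port ships this as EXPERIMENTAL, ENGINEFIX2_DESC or pkg-message should mention the management-hold interaction.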
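Review bot: the openvpn.c hunk in EF2.patch places `possibly_become_daemon` after `do_test_crypto` and before `open_management`; the description justifies removing `pkcs11_forkFixup ()` and the second `platform_mlockall (true)` on the grounds that no crypto or PKCS#11 state exists yet at that point, but nothing in the visible hunks shows where `--pkcs11-providers` and `--engine` initialisation happen relative to this call. Confirm against init.c that both occur only inside `init_instance`, after this line, before relying on the deleted fixup; the pkcs11.h hunk also removes a public declaration, so any other caller in the tree would now fail to link.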
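Review bot: `--config "$@"` in openvpn-client.in behaves as intended only for exactly one argument: with none, openvpn is started with a bare `--config`, and with several, `--config` consumes the first and the rest are passed through as further openvpn options, which is undocumented. Because `--config` comes last and OpenVPN lets later options override earlier ones, an `up`, `down` or `script-security` directive inside the .ovpn can also override the wrapper's `--up`, `--plugin` and `--script-security 2`; a `$#` check and a sentence in pkg-message would make both limits explicit.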
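Review bot: the `@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|'` edit in the post-install hunk `@@ -101,6 +112,10 @@` records no reason for dropping `-p`, and since it is silent (`@`) and REINPLACE_CMD does not fail on a non-matching pattern, an upstream rewording of contrib/pull-resolv-conf/client.up would quietly reinstate the original invocation, surfacing only when a client connects. Add a Makefile comment stating why `-p` is removed and consider a post-install grep that fails if `resolvconf -p` survives in the staged script.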
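Review bot: the new pkg-message.in line reads `openvpn-client .ovpn`, which as it appears lacks the configuration file placeholder; spell out the argument. The message should also state that the wrapper enables `--script-security 2` and runs openvpn-client.down through openvpn-plugin-down-root.so, i.e. with root privileges retained for that script even when the config drops privileges with `--user`/`--group`, since users pointed at this wrapper should know it executes external scripts with that privilege.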
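Review bot: EF3.patch only moves `do_inherit_env` above the signal-state reset in `init_instance` and is independent of the daemonisation change in EF1/EF2, yet it is gated behind the same ENGINEFIX2 option and the Makefile comment cites only PR 195004 and ticket 480. State why this 2014 commit belongs to the engine fix set (the commit title says it is so `c2.es` is initialised earlier) so the three patches can be reasoned about as a unit when the port is next updated.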