Date:      Wed, 4 Jan 2017 14:38:59 +0000 (UTC)
From:      Matthias Andree <mandree@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r430558 - in head/security/openvpn-devel: . files
Message-ID:  <201701041438.v04EcxMQ030670@repo.freebsd.org>

Author: mandree
Date: Wed Jan  4 14:38:59 2017
New Revision: 430558
URL: https://svnweb.freebsd.org/changeset/ports/430558

Log:
  Update openvpn-devel to 2016-52 snapshot.
  
  Align with security/openvpn for RC script improvements, dropping the
  TUNNELBLICK patch (integrated upstream) and pkg-help file (no longer
  required).
  
  Note that pkcs11* and mbedTLS currently do not mix (I spot-checked
  several option sets), an issue this port shares with security/openvpn.
  "checking mbedtls pkcs11 support...
  configure: error: mbedtls has no pkcs11 wrapper compiled in"
  
  PR:		215734
  Submitted by:	Eric F. Crist (maintainer)

Added:
  head/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch   (contents, props changed)
  head/security/openvpn-devel/files/openvpn-client.in   (contents, props changed)
  head/security/openvpn-devel/files/patch-configure   (contents, props changed)
  head/security/openvpn-devel/files/patch-sample__sample-config-files__loopback-client   (contents, props changed)
  head/security/openvpn-devel/files/patch-sample__sample-config-files__loopback-server   (contents, props changed)
  head/security/openvpn-devel/files/patch-tests__t_cltsrv.sh   (contents, props changed)
  head/security/openvpn-devel/files/up-script.sample   (contents, props changed)
Modified:
  head/security/openvpn-devel/Makefile
  head/security/openvpn-devel/distinfo
  head/security/openvpn-devel/files/openvpn.in
  head/security/openvpn-devel/files/pkg-message.in
  head/security/openvpn-devel/pkg-plist

Modified: head/security/openvpn-devel/Makefile
==============================================================================
--- head/security/openvpn-devel/Makefile	Wed Jan  4 14:07:10 2017	(r430557)
+++ head/security/openvpn-devel/Makefile	Wed Jan  4 14:38:59 2017	(r430558)
@@ -1,97 +1,129 @@
-# Created by: Eric F Crist <ecrist@secure-computing.net>
+# Created by: Matthias Andree <mandree@FreeBSD.org>
 # $FreeBSD$
 
-PORTNAME=	openvpn
-DISTVERSION=	201647
-CATEGORIES=	security net
-MASTER_SITES=	ftp://ftp.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/ \
-		ftp://ftp2.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
-PKGNAMESUFFIX=	-devel
+PORTNAME=			openvpn
+DISTVERSION=		201652
+PORTREVISION?=		0
+CATEGORIES=			security net
+MASTER_SITES=		https://secure-computing.net/files/openvpn/ \
+					ftp://ftp2.secure-computing.net/pub/FreeBSD/openvpn-devel/
+PKGNAMESUFFIX=		-devel
 
-MAINTAINER=	ecrist@secure-computing.net
-COMMENT=	Secure IP/Ethernet tunnel daemon
+MAINTAINER=		ecrist@secure-computing.net
+COMMENT?=		Secure IP/Ethernet tunnel daemon
 
-LICENSE=	GPLv2
+LICENSE=		GPLv2
 
-WRKSRC=		${WRKDIR}/${PORTNAME}${PKGNAMESUFFIX}
+CONFLICTS_INSTALL=	openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]*
 
-CONFLICTS_INSTALL=	openvpn-[0-9]* openvpn-beta-[0-9]* openvpn-polarssl*
 GNU_CONFIGURE=		yes
-USES=			libtool pkgconfig shebangfix tar:xz
+WRKSRC=				${WRKDIR}/${PORTNAME}${PKGNAMESUFFIX}
+USES=				cpe libtool pkgconfig shebangfix tar:xz
 SHEBANG_FILES=		sample/sample-scripts/verify-cn \
-			sample/sample-scripts/auth-pam.pl \
-			sample/sample-scripts/ucn.pl
-
-# let OpenVPN's configure script pick up the requisite libraries:
-CPPFLAGS+=		-I${LOCALBASE}/include
+					sample/sample-scripts/auth-pam.pl \
+					sample/sample-scripts/ucn.pl
+CONFIGURE_ARGS+=	--enable-strict
+# avoid picking up CMAKE, we don't have cmocka in the tarballs..
+CONFIGURE_ENV+=		ac_cv_prog_CMAKE= CMAKE=
+
+# let OpenVPN's configure script pick up the requisite libraries,
+# but do not break the plugin build if an older version is installed
+CPPFLAGS+=		-I${WRKSRC}/include -I${LOCALBASE}/include
 LDFLAGS+=		-L${LOCALBASE}/lib
 
-OPTIONS_DEFINE=		PKCS11 EASYRSA LZO DOCS EXAMPLES
-OPTIONS_DEFAULT=	EASYRSA OPENSSL LZO
+# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
+CPPFLAGS+=		-DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
+
+OPTIONS_DEFINE=		PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
+			TEST LZ4 SMALL
+OPTIONS_DEFAULT=	EASYRSA OPENSSL TEST LZ4
 OPTIONS_SINGLE=		SSL
-OPTIONS_SINGLE_SSL=	OPENSSL EMBEDTLS
-LZO_DESC=		Enable the LZO compression library
+OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
 PKCS11_DESC=		Use security/pkcs11-helper
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
-EMBEDTLS_DESC=		SSL/TLS support via mbed TLS
+MBEDTLS_DESC=		SSL/TLS via mbedTLS
+X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
+SMALL_DESC=		Build a smaller executable with fewer features
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
 
 PKCS11_LIB_DEPENDS=	libpkcs11-helper.so:security/pkcs11-helper
 PKCS11_CONFIGURE_ENABLE=	pkcs11
 
-EMBEDTLS_LIB_DEPENDS=	libmbedtls.so.10:security/mbedtls
-EMBEDTLS_POLARSSL_CONFIGURE_ON=	--with-crypto-library=embedtls
-EMBEDTLS_USE_OFF=	openssl=yes
-EMBEDTLS_CONFIGURE_OFF+=--with-crypto-library=openssl
+X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
+
+X509ALTUSERNAME_PREVENTS=	MBEDTLS
+X509ALTUSERNAME_PREVENTS_MSG=	OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
+
+OPENSSL_USES=		ssl
+OPENSSL_CONFIGURE_ON=	--with-crypto-library=openssl
+
+LZ4_CONFIGURE_OFF=	--disable-lz4
+
+SMALL_CONFIGURE_ON=	--enable-small
 
-LZO_LIB_DEPENDS=	liblzo2.so:archivers/lzo2
-LZO_CONFIGURE_ENABLE=	lzo
+MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
+MBEDTLS_CONFIGURE_ON=	--with-crypto-library=mbedtls
 
-USE_RC_SUBR=	openvpn
-USE_LDCONFIG=	${PREFIX}/lib
+USE_RC_SUBR=		openvpn
+USE_LDCONFIG=		${PREFIX}/lib
 
-SUB_FILES=	pkg-message
+SUB_FILES=		pkg-message openvpn-client
 
 .ifdef (LOG_OPENVPN)
-CFLAGS+=	-DLOG_OPENVPN=${LOG_OPENVPN}
+CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
 .endif
 
-PORTDOCS=	*
-PORTEXAMPLES=	*
+LIB_DEPENDS+=		liblzo2.so:archivers/lzo2
+
+LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
+
+PORTDOCS=		*
+PORTEXAMPLES=		*
+
+TEST_ALL_TARGET=	check
+TEST_TEST_TARGET_OFF=	check
+
+# XXX Please remove this compatibility wrapper after 2017Q2 is branched.
+.ifdef(WITHOUT_CHECK)
+WARNING+=	"${.CURDIR}: WITHOUT_CHECK is deprecated, please use WITHOUT=TEST or OPTIONS_UNSET=TEST."
+WITHOUT+=	TEST
+.endif
 
 pre-configure:
 .ifdef (LOG_OPENVPN)
-		@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
+	@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
 .else
-		@${ECHO} ""
-		@${ECHO} "You may use the following build options:"
-		@${ECHO} ""
-		@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
-		@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"
-		@${ECHO} ""
+	@${ECHO} ""
+	@${ECHO} "You may use the following build options:"
+	@${ECHO} ""
+	@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
+	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"
+	@${ECHO} ""
 .endif
 
-post-build:
-		@# self-tests here
-.if !defined(WITHOUT_CHECK)
-		@${ECHO} ; ${ECHO} "### Note that you can skip these lengthy selftests with WITHOUT_CHECK=yes ###" ; ${ECHO}
-		cd ${WRKSRC} && ${DO_MAKE_BUILD} check
-.endif
+post-configure:
+	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
+	    ${WRKSRC}/src/plugins/auth-pam/Makefile \
+	    ${WRKSRC}/src/plugins/down-root/Makefile
 
 post-install:
-		${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
-		${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
-		${MKDIR} ${STAGEDIR}${PREFIX}/include
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
+	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
+	@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
+	${MKDIR} ${STAGEDIR}${PREFIX}/include
 
 post-install-DOCS-on:
-		${MKDIR} ${STAGEDIR}${DOCSDIR}/
+	${MKDIR} ${STAGEDIR}${DOCSDIR}/
 .for i in AUTHORS ChangeLog PORTS
-		${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
+	${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
 .endfor
 
 post-install-EXAMPLES-on:
-		(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
-		${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
+	(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
+	${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
 
 .include <bsd.port.mk>
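Review bot: The PKCS11/MBEDTLS incompatibility quoted in the log message is not encoded in the OPTIONS block, so a user who selects both still runs into the late "mbedtls has no pkcs11 wrapper compiled in" configure failure instead of a clear options error. The PREVENTS mechanism this hunk already uses for X509ALTUSERNAME would fail early: `PKCS11_PREVENTS=	MBEDTLS` and `PKCS11_PREVENTS_MSG=	OpenVPN ${DISTVERSION} cannot use security/pkcs11-helper with mbedTLS (no pkcs11 wrapper compiled in). Disable PKCS11, or use OpenSSL instead`. If the intent is to fix this on the mbedtls side instead, a comment next to PKCS11_CONFIGURE_ENABLE saying so would stop the next reader from re-reporting it. Separately, `PORTREVISION?=` and `COMMENT?=` allow overriding from the environment, which is unusual for a port; if that is deliberate (slave port?) a one-line comment would help.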

Modified: head/security/openvpn-devel/distinfo
==============================================================================
--- head/security/openvpn-devel/distinfo	Wed Jan  4 14:07:10 2017	(r430557)
+++ head/security/openvpn-devel/distinfo	Wed Jan  4 14:38:59 2017	(r430558)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1480428158
-SHA256 (openvpn-201647.tar.xz) = 46ab4ad14bd9ed448599a97f3c9cb016ef052c30bd0b57968743b95ff2c14520
-SIZE (openvpn-201647.tar.xz) = 931696
+TIMESTAMP = 1483453128
+SHA256 (openvpn-201652.tar.xz) = 783c3d5200bd286cc83e5accec075ef7f896a401b9bf550801606d1b76a1d797
+SIZE (openvpn-201652.tar.xz) = 928316

Added: head/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn-devel/files/extra-tunnelblick-openvpn_xorpatch	Wed Jan  4 14:38:59 2017	(r430558)
@@ -0,0 +1,296 @@
+This work allows obfuscation of the OpenVPN header to make it harder for
+layer 7 inspection to identify such traffic, which may come with blocking
+or recording actions in certain territories of the world.  This patch, in
+a nutshell, can increase privacy and range of communication for its users.
+
+The `scramble' option introduced hereby is off by default.
+
+The option's usage, history and controversy of the patch is explained in
+detail on the following wiki page:
+
+https://tunnelblick.net/cOpenvpn_xorpatch.html
+
+The patch was ported to OpenVPN 2.4 by OPNsense.
+
+--- src/openvpn/forward.c.orig	2016-12-22 07:25:18 UTC
++++ src/openvpn/forward.c
+@@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
+ 
+     status = link_socket_read(c->c2.link_socket,
+                               &c->c2.buf,
+-                              &c->c2.from);
++                              &c->c2.from,
++                              c->options.ce.xormethod,
++                              c->options.ce.xormask,
++                              c->options.ce.xormasklen);
+ 
+     if (socket_connection_reset(c->c2.link_socket, status))
+     {
+@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
+                 /* Send packet */
+                 size = link_socket_write(c->c2.link_socket,
+                                          &c->c2.to_link,
+-                                         to_addr);
++                                         to_addr,
++                                         c->options.ce.xormethod,
++                                         c->options.ce.xormask,
++                                         c->options.ce.xormasklen);
+ 
+                 /* Undo effect of prepend */
+                 link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
+--- src/openvpn/options.c.orig	2016-12-22 07:25:18 UTC
++++ src/openvpn/options.c
+@@ -811,6 +811,9 @@ init_options(struct options *o, const bo
+     o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
+     o->resolve_in_advance = false;
+     o->proto_force = -1;
++    o->ce.xormethod = 0;
++    o->ce.xormask = "\0";
++    o->ce.xormasklen = 0;
+ #ifdef ENABLE_OCC
+     o->occ = true;
+ #endif
+@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
+     setenv_str_i(es, "local_port", e->local_port, i);
+     setenv_str_i(es, "remote", e->remote, i);
+     setenv_str_i(es, "remote_port", e->remote_port, i);
++    setenv_int_i(es, "xormethod", e->xormethod, i);
++    setenv_str_i(es, "xormask", e->xormask, i);
++    setenv_int_i(es, "xormasklen", e->xormasklen, i);
+ 
+     if (e->http_proxy_options)
+     {
+@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
+     SHOW_BOOL(bind_ipv6_only);
+     SHOW_INT(connect_retry_seconds);
+     SHOW_INT(connect_timeout);
++    SHOW_INT(xormethod);
++    SHOW_STR(xormask);
++    SHOW_INT(xormasklen);
+ 
+     if (o->http_proxy_options)
+     {
+@@ -5915,6 +5924,46 @@ add_option(struct options *options,
+         }
+         options->proto_force = proto_force;
+     }
++    else if (streq (p[0], "scramble") && p[1])
++    {
++        VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
++        if (streq (p[1], "xormask") && p[2] && (!p[3]))
++        {
++            options->ce.xormethod = 1;
++            options->ce.xormask = p[2];
++            options->ce.xormasklen = strlen(options->ce.xormask);
++        }
++        else if (streq (p[1], "xorptrpos") && (!p[2]))
++        {
++            options->ce.xormethod = 2;
++            options->ce.xormask = NULL;
++            options->ce.xormasklen = 0;
++        }
++        else if (streq (p[1], "reverse") && (!p[2]))
++        {
++            options->ce.xormethod = 3;
++            options->ce.xormask = NULL;
++            options->ce.xormasklen = 0;
++        }
++        else if (streq (p[1], "obfuscate") && p[2] && (!p[3]))
++        {
++            options->ce.xormethod = 4;
++            options->ce.xormask = p[2];
++            options->ce.xormasklen = strlen(options->ce.xormask);
++        }
++        else if (!p[2])
++        {
++            msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
++            options->ce.xormethod = 1;
++            options->ce.xormask = p[1];
++            options->ce.xormasklen = strlen(options->ce.xormask);
++        }
++        else
++        {
++            msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
++            goto err;
++        }
++    }
+     else if (streq(p[0], "http-proxy") && p[1] && !p[5])
+     {
+         struct http_proxy_options *ho;
+--- src/openvpn/options.h.orig	2016-12-22 07:25:18 UTC
++++ src/openvpn/options.h
+@@ -98,6 +98,9 @@ struct connection_entry
+     int connect_retry_seconds;
+     int connect_retry_seconds_max;
+     int connect_timeout;
++    int xormethod;
++    const char *xormask;
++    int xormasklen;
+     struct http_proxy_options *http_proxy_options;
+     const char *socks_proxy_server;
+     const char *socks_proxy_port;
+--- src/openvpn/socket.c.orig	2016-12-22 07:25:18 UTC
++++ src/openvpn/socket.c
+@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
+     IPv6_TCP_HEADER_SIZE,
+ };
+ 
++int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
++	int i;
++	uint8_t *b;
++	if (  xormasklen > 0  ) {
++		for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++			*b = *b ^ mask[i % xormasklen];
++		}
++	}
++	return BLEN (buf);
++}
++
++int buffer_xorptrpos (struct buffer *buf) {
++	int i;
++	uint8_t *b;
++	for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++		*b = *b ^ i+1;
++	}
++	return BLEN (buf);
++}
++
++int buffer_reverse (struct buffer *buf) {
++/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
++ * https://github.com/clayface/openvpn_xorpatch
++ * makes a copy of the buffer and it writes to the byte **after** the
++ * buffer contents, so if the buffer is full then it writes outside of the buffer.
++ * This rewritten version does neither.
++ *
++ * For interoperability, this rewritten version preserves the behavior of the original
++ * function: it does not modify the first character of the buffer. So it does not
++ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
++ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
++ */
++  int len = BLEN(buf);
++  if (  len > 2  ) {                           /* Leave '', 'a', and 'ab' alone */
++    int i;
++    uint8_t *b_start = BPTR (buf) + 1;	        /* point to first byte to swap */
++    uint8_t *b_end   = BPTR (buf) + (len - 1); /* point to last byte to swap */
++    uint8_t tmp;
++    for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
++      tmp = *b_start;
++      *b_start = *b_end;
++      *b_end = tmp;
++    }
++  }
++  return len;
++}
++
+ /*
+  * Convert sockflags/getaddr_flags into getaddr_flags
+  */
+--- src/openvpn/socket.h.orig	2016-12-22 07:25:18 UTC
++++ src/openvpn/socket.h
+@@ -249,6 +249,10 @@ struct link_socket
+ #endif
+ };
+ 
++int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
++int buffer_xorptrpos (struct buffer *buf);
++int buffer_reverse (struct buffer *buf);
++
+ /*
+  * Some Posix/Win32 differences.
+  */
+@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
+ static inline int
+ link_socket_read(struct link_socket *sock,
+                  struct buffer *buf,
+-                 struct link_socket_actual *from)
++                 struct link_socket_actual *from,
++                 int xormethod,
++                 const char *xormask,
++                 int xormasklen)
+ {
++    int res;
++
+     if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
+     {
+-        int res;
+-
+ #ifdef _WIN32
+         res = link_socket_read_udp_win32(sock, buf, from);
+ #else
+         res = link_socket_read_udp_posix(sock, buf, from);
+ #endif
+-        return res;
+     }
+     else if (proto_is_tcp(sock->info.proto)) /* unified TCPv4 and TCPv6 */
+     {
+         /* from address was returned by accept */
+         addr_copy_sa(&from->dest, &sock->info.lsa->actual.dest);
+-        return link_socket_read_tcp(sock, buf);
++        res = link_socket_read_tcp(sock, buf);
+     }
+     else
+     {
+         ASSERT(0);
+         return -1; /* NOTREACHED */
+     }
++    switch (xormethod) {
++    case 0:
++        break;
++    case 1:
++        buffer_mask(buf,xormask,xormasklen);
++        break;
++    case 2:
++        buffer_xorptrpos(buf);
++        break;
++    case 3:
++        buffer_reverse(buf);
++        break;
++    case 4:
++        buffer_mask(buf,xormask,xormasklen);
++        buffer_xorptrpos(buf);
++        buffer_reverse(buf);
++        buffer_xorptrpos(buf);
++        break;
++    default:
++        ASSERT (0);
++        return -1; /* NOTREACHED */
++    }
++    return res;
+ }
+ 
+ /*
+@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
+ static inline int
+ link_socket_write(struct link_socket *sock,
+                   struct buffer *buf,
+-                  struct link_socket_actual *to)
++                  struct link_socket_actual *to,
++                  int xormethod,
++                  const char *xormask,
++                  int xormasklen)
+ {
++    switch (xormethod) {
++    case 0:
++        break;
++    case 1:
++        buffer_mask(buf,xormask,xormasklen);
++        break;
++    case 2:
++        buffer_xorptrpos(buf);
++        break;
++    case 3:
++        buffer_reverse(buf);
++        break;
++    case 4:
++        buffer_xorptrpos(buf);
++        buffer_reverse(buf);
++        buffer_xorptrpos(buf);
++        buffer_mask(buf,xormask,xormasklen);
++        break;
++    default:
++        ASSERT (0);
++        return -1; /* NOTREACHED */
++    }
+     if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
+     {
+         return link_socket_write_udp(sock, buf, to);
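Review bot: Nothing in this commit wires the new extra-tunnelblick-openvpn_xorpatch in — the Makefile hunk has no TUNNELBLICK option or EXTRA_PATCHES entry, and the log says the TUNNELBLICK patch is being dropped — so as far as this page shows the file is orphaned; either reference it from the Makefile or leave it out. If it stays, the header text should state what `scramble` does and does not provide: a fixed-key XOR, byte-position XOR and/or partial reversal of the already-encrypted packet, i.e. traffic-shape obfuscation on top of OpenVPN's own crypto, not additional confidentiality, and both peers must configure the identical method and key. In buffer_xorptrpos, `*b = *b ^ i+1;` relies on `+` binding tighter than `^`; `*b = *b ^ (i + 1);` reads unambiguously without changing behaviour. The read-side default case (`ASSERT (0)`) is only reachable if a caller passes an xormethod outside 0–4, which add_option never produces, so that is fine as written.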

Added: head/security/openvpn-devel/files/openvpn-client.in
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn-devel/files/openvpn-client.in	Wed Jan  4 14:38:59 2017	(r430558)
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec %%PREFIX%%/sbin/openvpn --script-security 2 \
+    --up %%PREFIX%%/libexec/openvpn-client.up \
+    --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \
+    --config "$@"
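Review bot: `--config "$@"` on the last line hands every argument after the first to openvpn as further command-line options, while pkg-message documents the wrapper as `openvpn-client <spec>.ovpn`; with no argument at all openvpn is started with a bare `--config`. If passing extra options is intended, make it explicit and add a usage check before the exec: `[ $# -ge 1 ] || { echo "usage: ${0##*/} config.ovpn [openvpn options...]" >&2; exit 64; }`, then `config=$1; shift` and end the command with `--config "$config" "$@"`. A one-line header comment stating that the wrapper exists to wire the bundled openvpn-client.up/down resolvconf scripts (and `--script-security 2`, which they require) into the user's config would also help.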

Modified: head/security/openvpn-devel/files/openvpn.in
==============================================================================
--- head/security/openvpn-devel/files/openvpn.in	Wed Jan  4 14:07:10 2017	(r430557)
+++ head/security/openvpn-devel/files/openvpn.in	Wed Jan  4 14:38:59 2017	(r430558)
@@ -2,10 +2,11 @@
 #
 # openvpn.sh - load tun/tap driver and start OpenVPN daemon
 #
-# (C) Copyright 2005 - 2008 by Matthias Andree
+# (C) Copyright 2005 - 2008, 2010 by Matthias Andree
 # based on suggestions by Matthias Grimm and Dirk Gouders
 # with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev
 # and Vasil Dimov
+# softrestart feature suggested by Nick Hibma
 #
 # $FreeBSD$
 # 
@@ -30,7 +31,7 @@
 # -----------------------------------------------------------------------------
 #
 # This script supports running multiple instances of openvpn.
-# To run additional instance link this script to something like
+# To run additional instances link this script to something like
 # % ln -s openvpn openvpn_foo
 # and define additional openvpn_foo_* variables in one of
 # /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo
@@ -45,6 +46,7 @@
 #
 # NAME_enable="NO"	# set to YES to enable openvpn
 # NAME_if=		# driver(s) to load, set to "tun", "tap" or "tun tap"
+#			# it is OK to specify the if_ prefix.
 #
 # # optional:
 # NAME_flags=				# additional command line arguments
@@ -62,36 +64,32 @@
 
 . /etc/rc.subr
 
+# service(8) does not create an authentic environment, try to guess,
+# and as of 10.3-RELEASE-p0, it will not find the indented name=
+# assignments below. So give it a default.
+# Trailing semicolon also for service(8)'s benefit:
+name="$file" ;
+
 case "$0" in
 /etc/rc*)
 	# during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
 	# so get the name of the script from $_file
-	name=$(basename "$_file" .sh)
+	name="$_file"
+	;;
+*/service)
+	# do not use this as $0
 	;;
 *)
-	name=$(basename "$0" .sh)
+	name="$0"
 	;;
 esac
 
+# default name to "openvpn" if guessing failed
+# Trailing semicolon also for service(8)'s benefit:
+name="${name:-openvpn}" ;
+name="${name##*/}"
 rcvar=${name}_enable
 
-openvpn_precmd()
-{
-	for i in $interfaces ; do
-		# FreeBSD <= 5.4 does not know kldstat's -m option
-		# FreeBSD >= 6.0 does not add debug.* sysctl information
-		# in the default build - we check both to keep things simple
-		if ! sysctl debug.if_${i}_debug >/dev/null 2>&1 \
-			&& ! kldstat -m if_${i} >/dev/null 2>&1 ; then
-			if ! kldload if_${i} ; then
-				warn "Could not load $i module."
-				return 1
-			fi
-		fi
-	done
-	return 0
-}
-
 stop_postcmd()
 {
 	rm -f "$pidfile" || warn "Could not remove $pidfile."
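Review bot: `name="$file" ;` reads `$file`, which this script never sets; the comment above explains the trailing semicolon and the unindented `name=` but not where `$file` comes from, so a reader will likely take the line for a bug. If I read the comment correctly, the point is that service(8) greps this `^name=` line out of the script and evals it in its own shell, where `$file` is service(8)'s variable holding the script path; in a normal invocation it is empty and the `case` below or the `${name:-openvpn}` default applies. Suggest extending the comment with `# $file is service(8)'s own variable (the script path) when it greps and evals this line; it is empty when the script runs normally.` — please confirm against service(8)'s implementation. The new `*/service)` arm deliberately leaves name empty for the same reason and could say so in its comment.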
@@ -103,10 +101,18 @@ softrestart()
     exit $?
 }
 
+openvpn_stats()
+{
+	sig_reload=USR2
+	run_rc_command ${rc_prefix}reload $rc_extra_args
+}
+
 # reload: support SIGHUP to reparse configuration file
-# softrestart: support SIGUSR1 to reconnect without privileges
-extra_commands="reload softrestart"
+# softrestart: support SIGUSR1 to reconnect without superuser privileges
+# stats: support SIGUSR2 to write statistics to the syslog
+extra_commands="reload softrestart stats"
 softrestart_cmd="softrestart"
+stats_cmd="openvpn_stats"
 
 # pidfile
 pidfile="/var/run/${name}.pid"
@@ -114,16 +120,12 @@ pidfile="/var/run/${name}.pid"
 # command and arguments
 command="%%PREFIX%%/sbin/openvpn"
 
-# run this first
-start_precmd="openvpn_precmd"
-# and this last
+# run this last
 stop_postcmd="stop_postcmd"
 
 load_rc_config ${name}
 
 eval ": \${${name}_enable:=\"NO\"}"
-eval ": \${${name}_flags:=\"\"}"
-eval ": \${${name}_if:=\"\"}"
 eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}"
 eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}"
 
@@ -131,7 +133,13 @@ configfile="$(eval echo \${${name}_confi
 dir="$(eval echo \${${name}_dir})"
 interfaces="$(eval echo \${${name}_if})"
 
+required_modules=
+for i in $interfaces ; do
+    required_modules="$required_modules${required_modules:+" "}if_${i#if_}"
+done
+
 required_files=${configfile}
+
 command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile}"
 
 run_rc_command "$1"

Added: head/security/openvpn-devel/files/patch-configure
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn-devel/files/patch-configure	Wed Jan  4 14:38:59 2017	(r430558)
@@ -0,0 +1,11 @@
+--- configure.orig	2016-08-23 14:19:07 UTC
++++ configure
+@@ -17160,8 +17160,6 @@ fi
+ $as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated.  Unit testing cannot be performed." >&6; }
+    fi
+ else
+-   { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available.  Unit testing cannot be performed." >&5
+-$as_echo "!! WARNING !! CMake is NOT available.  Unit testing cannot be performed." >&6; }
+     if false; then
+   CMOCKA_INITIALIZED_TRUE=
+   CMOCKA_INITIALIZED_FALSE='#'
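Review bot: The patch removes the "CMake is NOT available" warning from the generated configure script but carries no explanation, and it is the companion `CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE=` in the Makefile that actually disables the cmocka unit-test detection, so this hunk is cosmetic. FreeBSD port patches may carry free text before the first `---` line; a short header such as `Silence the CMake/cmocka warning: the port deliberately disables CMake via CONFIGURE_ENV because cmocka is not shipped in the snapshot tarballs.` would keep the two pieces connected when this hunk has to be regenerated against the next snapshot's configure.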

Added: head/security/openvpn-devel/files/patch-sample__sample-config-files__loopback-client
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn-devel/files/patch-sample__sample-config-files__loopback-client	Wed Jan  4 14:38:59 2017	(r430558)
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-client.orig	2016-08-23 14:16:22 UTC
++++ sample/sample-config-files/loopback-client
+@@ -9,8 +9,8 @@
+ #  ./openvpn --config sample-config-files/loopback-client  (In one window) 
+ #  ./openvpn --config sample-config-files/loopback-server  (Simultaneously in another window) 
+ 
+-rport 16000
+-lport 16001
++rport 16100
++lport 16101
+ remote localhost
+ local localhost
+ dev null

Added: head/security/openvpn-devel/files/patch-sample__sample-config-files__loopback-server
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn-devel/files/patch-sample__sample-config-files__loopback-server	Wed Jan  4 14:38:59 2017	(r430558)
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-server.orig	2016-08-23 14:16:22 UTC
++++ sample/sample-config-files/loopback-server
+@@ -9,8 +9,8 @@
+ #  ./openvpn --config sample-config-files/loopback-client  (In one window) 
+ #  ./openvpn --config sample-config-files/loopback-server  (Simultaneously in another window) 
+ 
+-rport 16001
+-lport 16000
++rport 16101
++lport 16100
+ remote localhost
+ local localhost
+ dev null

Added: head/security/openvpn-devel/files/patch-tests__t_cltsrv.sh
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn-devel/files/patch-tests__t_cltsrv.sh	Wed Jan  4 14:38:59 2017	(r430558)
@@ -0,0 +1,65 @@
+--- tests/t_cltsrv.sh.orig	2016-08-23 13:10:22 UTC
++++ tests/t_cltsrv.sh
+@@ -1,7 +1,7 @@
+ #! /bin/sh
+ #
+ # t_cltsrv.sh - script to test OpenVPN's crypto loopback
+-# Copyright (C) 2005, 2006, 2008  Matthias Andree
++# Copyright (C) 2005 - 2014  Matthias Andree
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -22,8 +22,9 @@ set -e
+ srcdir="${srcdir:-.}"
+ top_srcdir="${top_srcdir:-..}"
+ top_builddir="${top_builddir:-..}"
+-trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+-trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
++root="${top_srcdir}/sample"
++trap "rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
++trap "a=\$? ; rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; test \$a = 0 && exit 1 || exit \$a" 0 3
+ addopts=
+ case `uname -s` in
+     FreeBSD)
+@@ -45,18 +46,38 @@ esac
+ # make sure that the --down script is executable -- fail (rather than
+ # skip) test if it isn't.
+ downscript="../tests/t_cltsrv-down.sh"
+-root="${top_srcdir}/sample"
+ test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; }
+ echo "The following test will take about two minutes." >&2
+ echo "If the addresses are in use, this test will retry up to two times." >&2
+ 
++set -- $(ifconfig lo0 | grep -E '\<inet' | head -n1)
++add=
++if [ "x$1$2" = "x" ] ; then
++    echo >&2 "### NO ADDRESSES ON LOOPBACK INTERFACE lo0, SKIPPING TEST ###"
++    exit 77
++fi
++if [ "inet6" = "$1" ] ; then
++    add='proto udp6 '
++fi
++for i in server client ; do
++    sed -e "s/localhost/$2/" -e "/^remote /a\\
++$add" ${root}/sample-config-files/loopback-$i \
++    >${root}/sample-config-files/loopback-$i.test
++done
++
+ # go
+ success=0
+ for i in 1 2 3 ; do
+   set +e
+   (
+-  "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" &
+-  "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client"
++  "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
++      --cd "${root}" ${addopts} --setenv role srv \
++      --down "${downscript}" --tls-exit --ping-exit 180 \
++      --config "sample-config-files/loopback-server.test" &
++  "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
++      --cd "${top_srcdir}/sample" ${addopts} --setenv role clt \
++      --down "${downscript}" --tls-exit --ping-exit 180 \
++      --config "sample-config-files/loopback-client.test"
+   ) 3>log.$$.signal >log.$$ 2>&1
+   e1=$?
+   wait $!
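Review bot: The generated `loopback-*.test` configs are written into `${root}/sample-config-files`, i.e. the source tree, rather than a build or temp directory; if `srcdir` is read-only (an out-of-tree build or a pristine distfile tree) the `sed` redirect fails and, under `set -e`, the test aborts as a failure rather than exiting 77 to skip. Writing them next to the other test artefacts (`log.$$`) or under a `mktemp -d` directory and pointing `--cd` there would avoid that; the trap lines already know how to clean them up. The `\<` in `grep -E '\<inet'` is a GNU/BSD extension rather than POSIX ERE; on ifconfig's output `grep -E '^[[:space:]]*inet'` selects the same lines portably. The hunk ends mid-loop, so the remainder of the retry logic is outside this view.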

Modified: head/security/openvpn-devel/files/pkg-message.in
==============================================================================
--- head/security/openvpn-devel/files/pkg-message.in	Wed Jan  4 14:07:10 2017	(r430557)
+++ head/security/openvpn-devel/files/pkg-message.in	Wed Jan  4 14:38:59 2017	(r430558)
@@ -2,22 +2,17 @@
 ###  Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
 ###  startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
 ### ------------------------------------------------------------------------
+###  Connect to VPN server as a client with this command to include
+###  the client.up/down scripts in the initialization:
+###  openvpn-client <spec>.ovpn
+### ------------------------------------------------------------------------
 ###  For compatibility notes when interoperating with older OpenVPN
 ###  versions, please, see <http://openvpn.net/relnotes.html>;
 ### ------------------------------------------------------------------------
-###  NOTE THIS IS AN UNSTABLE BETA VERSION UNDER DEVELOPMENT!
-###  It may or may not be suitable for production. Use at your own risk.
-### ------------------------------------------------------------------------
+###  
 ###
-### PLUGIN LOCATION CHANGED!
-### The following plugin locations have changed.  There is a symlink to the
-### new file for the duration of the 2.3 release.  This will be removed in
-### OpenVPN 2.4+.
-### New Location:
-### %%PREFIX%%/openvpn/plugins/openvpn-plugin-auth-pam.so
-### %%PREFIX%%/openvpn/plugins/openvpn-plugin-down-root.so
+###              THIS IS AN UNSTABLE DEVELOPMENT VERSION!
 ###
-### Old Location:
-### %%PREFIX%%/lib/openvpn-plugin-down-root.so
-### %%PREFIX%%/lib/openvpn-plugin-auth-pam.so
-
+###
+###  It may or may not be suitable for production. Use at your own risk.
+### ------------------------------------------------------------------------

Added: head/security/openvpn-devel/files/up-script.sample
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn-devel/files/up-script.sample	Wed Jan  4 14:38:59 2017	(r430558)
@@ -0,0 +1,27 @@
+#!/bin/sh
+# OpenVPN simple up/down script for openresolvconf integration.
+# (C) Copyright 2016 Baptiste Daroussin
+# BSD 2-clause license.
+
+set -e +u
+: ${script_type:=down}
+case "${script_type}" in
+up)
+        i=1
+        while :; do
+                eval option=\"\$foreign_option_${i}\" || break
+                [ "${option}" ] || break
+                set -- ${option}
+                i=$((i + 1))
+                [ "$1" = "dhcp-option" ] || continue
+                case "$2" in
+                DNS)           echo "nameserver ${3}" ;;
+                DOMAIN)        echo "domain ${3}" ;;
+                DOMAIN-SEARCH) echo "search ${3}" ;;
+                esac
+        done | /sbin/resolvconf -a "${dev}"
+        ;;
+down)
+        /sbin/resolvconf -d "${dev}" -f
+        ;;
+esac
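Review bot: `set -- ${option}` word-splits an unquoted value that originated from the VPN server (`foreign_option_N` holds a pushed option), so it is also subject to pathname expansion: a pushed `dhcp-option DNS *` would be expanded against the current directory before `$3` lands in resolv.conf. Adding `set -f` next to `set -e +u` disables globbing for the whole script while keeping the intended splitting. The address then reaches resolvconf unvalidated; a `case "$3" in *[!0-9A-Fa-f:.]*) continue ;; esac` guard in the DNS arm, or at least a comment that the server is trusted to push well-formed addresses, would make the trust boundary explicit. `eval option=\"\$foreign_option_${i}\"` itself is fine, since only the counter is interpolated into the evaluated text, not the value. A header line noting that `script_type`, `dev` and `foreign_option_N` are supplied by OpenVPN's environment would also help someone adapting the sample.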

Modified: head/security/openvpn-devel/pkg-plist
==============================================================================
--- head/security/openvpn-devel/pkg-plist	Wed Jan  4 14:07:10 2017	(r430557)
+++ head/security/openvpn-devel/pkg-plist	Wed Jan  4 14:38:59 2017	(r430558)
@@ -4,3 +4,6 @@ lib/openvpn/plugins/openvpn-plugin-auth-
 lib/openvpn/plugins/openvpn-plugin-down-root.so
 man/man8/openvpn.8.gz
 sbin/openvpn
+libexec/openvpn-client.down
+libexec/openvpn-client.up
+sbin/openvpn-client


