Sun Sep 5 20:33:48 2010 UTC ()
Changes 2.1.3:
* Fixed potential local privilege escalation vulnerability in
  Windows service.
* Added Python-based alternative build system for Windows using
  Visual Studio 2008 (in win directory).
* When aborting in a non-graceful way, try to execute do_close_tun in
  init.c prior to daemon exit to ensure that the tun/tap interface is
  closed and any added routes are deleted.
* Fixed an issue where AUTH_FAILED was not being properly delivered
  to the client when a bad password is given for mid-session reauth,
  causing the connection to fail without an error indication.
* Don't advance to the next connection profile on AUTH_FAILED errors.
* Fixed an issue in the Management Interface that could cause
  a process hang with 100% CPU utilization in --management-client
  mode if the management interface client disconnected at the
  point where credentials are queried.
* Fixed an issue where if reneg-sec was set to 0 on the client,
  so that the server-side value would take precedence,
  the auth_deferred_expire_window function would incorrectly
  return a window period of 0 seconds.  In this case, the
  correct window period should be the handshake window period.
* Modified ">PASSWORD:Verification Failed" management interface
  notification to include a client reason string:
    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
* Enable exponential backoff in reliability layer retransmits.
* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
  socket is created rather than waiting until after connect/listen.
* Management interface performance optimizations:
  1. Added env-filter MI command to perform filtering on env vars
     passed through as a part of --management-client-auth
  2. man_write will now try to aggregate output into larger blocks
     (up to 1024 bytes) for more efficient i/o
* Fixed minor issue in Windows TAP driver DEBUG builds
  where non-null-terminated unicode strings were being
  printed incorrectly.
* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
  was not being compiled in.
* Proxy improvements:
* Implemented http-proxy-override and http-proxy-fallback directives to make it
  easier for OpenVPN client UIs to start a pre-existing client config file with
  proxy options, or to adaptively fall back to a proxy connection if a direct
  connection fails.
* Implemented a key/value auth channel from client to server.
* Fixed issue where bad creds provided by the management interface
  for HTTP Proxy Basic Authentication would go into an infinite
  retry-fail loop instead of requerying the management interface for
  new creds.


(adam)
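The `>PASSWORD:Verification Failed` notification listed in the changelog above is what a client UI reads from the management interface to decide whether to ask the user for credentials again. As an added example, not code from OpenVPN or from this pkgsrc commit, the Python below parses both the older form of that line (authentication type only) and the 2.1.3 form that carries the bracketed reason string. It assumes the `['REASON_STRING']` part is optional and that the square brackets appear literally in the output; the sample output lines, the `max_attempts` policy and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Pattern for the notification as written in the 2.1.3 changelog:
#   >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
# Assumption (not stated on the page): the "['REASON_STRING']" part is
# optional, and when present the square brackets are emitted literally.
_VERIFICATION_FAILED = re.compile(
    r"^>PASSWORD:Verification Failed: '(?P<auth_type>[^']*)'"
    r"(?: \['(?P<reason>.*)'\])?$"
)


@dataclass(frozen=True)
class VerificationFailed:
    auth_type: str          # e.g. 'Auth' for a username/password check
    reason: Optional[str]   # None on the pre-2.1.3 form of the line


def parse_verification_failed(line: str) -> Optional[VerificationFailed]:
    """Parse one management-interface line; return None when it is not a
    '>PASSWORD:Verification Failed' notification."""
    m = _VERIFICATION_FAILED.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return VerificationFailed(m.group("auth_type"), m.group("reason"))


def collect_auth_failures(lines: Iterable[str]) -> List[VerificationFailed]:
    """Filter a stream of management-interface output down to the
    verification failures, preserving their order."""
    return [ev for ev in map(parse_verification_failed, lines) if ev is not None]


def should_requery(failures: List[VerificationFailed], max_attempts: int = 3) -> bool:
    """A client UI should prompt for fresh credentials only while the number
    of consecutive failures stays below max_attempts, so a wrong stored
    password cannot drive an unbounded re-query loop. max_attempts is a
    constructed policy value for this example, not an OpenVPN setting."""
    return len(failures) < max_attempts


# Constructed sample of management-interface output (not captured from a
# real session): two unrelated lines, then the old and the new failure form.
SAMPLE_OUTPUT = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n",
    ">PASSWORD:Need 'Auth' username/password\r\n",
    ">PASSWORD:Verification Failed: 'Auth'\r\n",
    ">PASSWORD:Verification Failed: 'Auth' ['bad password for mid-session reauth']\r\n",
]

if __name__ == "__main__":
    for ev in collect_auth_failures(SAMPLE_OUTPUT):
        print(f"auth_type={ev.auth_type!r} reason={ev.reason!r}")
```

The reason string is passed through unchanged so the UI can show it verbatim; a consumer that needs to log it should treat it as untrusted text from the peer.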
diff -r1.37 -r1.38 pkgsrc/net/openvpn/Makefile
diff -r1.10 -r1.11 pkgsrc/net/openvpn/PLIST
diff -r1.20 -r1.21 pkgsrc/net/openvpn/distinfo
diff -r1.3 -r1.4 pkgsrc/net/openvpn/options.mk
diff -r1.1 -r1.2 pkgsrc/net/openvpn/patches/patch-ah

cvs diff -r1.37 -r1.38 pkgsrc/net/openvpn/Makefile

--- pkgsrc/net/openvpn/Makefile 2010/06/16 07:30:26 1.37
+++ pkgsrc/net/openvpn/Makefile 2010/09/05 20:33:48 1.38
@@ -1,83 +1,80 @@ @@ -1,83 +1,80 @@
1# $NetBSD: Makefile,v 1.37 2010/06/16 07:30:26 tnn Exp $ 1# $NetBSD: Makefile,v 1.38 2010/09/05 20:33:48 adam Exp $
2# 
3 2
4DISTNAME= openvpn-2.1.1 3DISTNAME= openvpn-2.1.3
5CATEGORIES= net 4CATEGORIES= net
6MASTER_SITES= http://openvpn.net/release/ \ 5MASTER_SITES= http://openvpn.net/release/ \
7 http://openvpn.net/release/old/ 6 http://openvpn.net/release/old/
8 7
9MAINTAINER= pkgsrc-users@NetBSD.org 8MAINTAINER= pkgsrc-users@NetBSD.org
10HOMEPAGE= http://openvpn.net/ 9HOMEPAGE= http://openvpn.net/
11COMMENT= Easy-to-use SSL VPN daemon 10COMMENT= Easy-to-use SSL VPN daemon
12LICENSE= gnu-gpl-v2 11LICENSE= gnu-gpl-v2
13 12
14PKG_DESTDIR_SUPPORT= user-destdir 13PKG_DESTDIR_SUPPORT= user-destdir
15 14
16GNU_CONFIGURE= yes 15GNU_CONFIGURE= yes
17USE_TOOLS+= grep:run 16USE_TOOLS+= grep:run
18USE_LIBTOOL= yes 17USE_LIBTOOL= yes
19USE_OLD_DES_API= yes 18USE_OLD_DES_API= yes
20TEST_TARGET= check 19TEST_TARGET= check
21 20
22PKG_SYSCONFSUBDIR= openvpn 21PKG_SYSCONFSUBDIR= openvpn
23DATADIR= ${PREFIX}/share/${PKGBASE} 22DATADIR= ${PREFIX}/share/${PKGBASE}
24EGDIR= ${PREFIX}/share/examples/${PKGBASE} 23EGDIR= ${PREFIX}/share/examples/${PKGBASE}
25EASYRSADIR= ${DATADIR}/easy-rsa 24EASYRSADIR= ${DATADIR}/easy-rsa
26RCD_SCRIPTS= openvpn 25RCD_SCRIPTS= openvpn
27 26
28CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q} 27CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
29CONFIGURE_ARGS+= --enable-password-save 28CONFIGURE_ARGS+= --enable-password-save
30CONFIGURE_ARGS+= --disable-dependency-tracking 29CONFIGURE_ARGS+= --disable-dependency-tracking
31 30
32# Pthread support is still considered very experimental, so don't enable 31# Pthread support is still considered very experimental, so don't enable
33# it for the default (production) build. 32# it for the default (production) build.
34# 
35#CONFIGURE_ARGS+= --enable-pthread 33#CONFIGURE_ARGS+= --enable-pthread
36 34
37INSTALLATION_DIRS= ${DATADIR}/easy-rsa ${EGDIR}/config \ 35INSTALLATION_DIRS= ${DATADIR}/easy-rsa ${EGDIR}/config \
38 ${EGDIR}/keys ${EGDIR}/scripts 36 ${EGDIR}/keys ${EGDIR}/scripts
39 37
40.include "../../mk/bsd.prefs.mk" 38.include "../../mk/bsd.prefs.mk"
41 39
42# OpenVPN 2.x has a shared module "plugin" architecture that allows 40# OpenVPN 2.x has a shared module "plugin" architecture that allows
43# inserting callbacks into the server for various tasks. 41# inserting callbacks into the server for various tasks.
44# 
45DL_AUTO_VARS= yes 42DL_AUTO_VARS= yes
46.include "../../mk/dlopen.buildlink3.mk" 43.include "../../mk/dlopen.buildlink3.mk"
47 44
48.include "../../archivers/lzo/buildlink3.mk" 45.include "../../archivers/lzo/buildlink3.mk"
49.include "../../security/openssl/buildlink3.mk" 46.include "../../security/openssl/buildlink3.mk"
50.include "../../mk/pthread.buildlink3.mk" 47.include "../../mk/pthread.buildlink3.mk"
51.if ${OPSYS} == "SunOS" 48.if ${OPSYS} == "SunOS"
52.include "../../net/solaris-tap/buildlink3.mk" 49.include "../../net/solaris-tap/buildlink3.mk"
53.endif 50.endif
54 51
55REPLACE_SH= easy-rsa/2.0/* 52REPLACE_SH= easy-rsa/2.0/*
56SUBST_CLASSES+= pkitool 53SUBST_CLASSES+= pkitool
57SUBST_STAGE.pkitool= post-build 54SUBST_STAGE.pkitool= post-build
58SUBST_MESSAGE.pkitool= Fixing up default paths to grep & openssl in pkitool. 55SUBST_MESSAGE.pkitool= Fixing up default paths to grep & openssl in pkitool.
59SUBST_FILES.pkitool= easy-rsa/2.0/pkitool 56SUBST_FILES.pkitool= easy-rsa/2.0/pkitool
60SUBST_SED.pkitool= -e "s|\\(GREP\\)=.*|\\1=\""${GREP:Q}"\"|" 57SUBST_SED.pkitool= -e "s|\\(GREP\\)=.*|\\1=\""${GREP:Q}"\"|"
61SUBST_SED.pkitool+= -e "s|\\(OPENSSL\\)=.*|\\1=\""${SSLBASE:Q}/bin/openssl"\"|" 58SUBST_SED.pkitool+= -e "s|\\(OPENSSL\\)=.*|\\1=\""${SSLBASE:Q}/bin/openssl"\"|"
62 59
63post-install: post-install-pam 60post-install: post-install-pam
64 cd ${WRKSRC:Q}/easy-rsa/2.0; for file in [a-zR]*; do \ 61 set -e; cd ${WRKSRC}/easy-rsa/2.0; for file in [a-zR]*; do \
65 case $$file in \ 62 case $$file in \
66 *.orig) ;; \ 63 *.orig) ;; \
67 [A-Z]*|*.cnf|vars) \ 64 [A-Z]*|*.cnf|vars) \
68 ${INSTALL_DATA} $$file ${DESTDIR}${EASYRSADIR:Q} ;; \ 65 ${INSTALL_DATA} $$file ${DESTDIR}${EASYRSADIR} ;; \
69 *) ${INSTALL_SCRIPT} $$file ${DESTDIR}${EASYRSADIR:Q} ;; \ 66 *) ${INSTALL_SCRIPT} $$file ${DESTDIR}${EASYRSADIR} ;; \
70 esac; \ 67 esac; \
71 done 68 done
72 cd ${WRKSRC:Q}/sample-config-files; for file in *; do \ 69 set -e; cd ${WRKSRC}/sample-config-files; for file in *; do \
73 ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/config; \ 70 ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/config; \
74 done 71 done
75 cd ${WRKSRC:Q}/sample-scripts; for file in *; do \ 72 set -e; cd ${WRKSRC}/sample-scripts; for file in *; do \
76 ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/scripts; \ 73 ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/scripts; \
77 done 74 done
78 cd ${WRKSRC:Q}/sample-keys; for file in *; do \ 75 set -e; cd ${WRKSRC}/sample-keys; for file in *; do \
79 ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/keys; \ 76 ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/keys; \
80 done 77 done
81 78
82.include "options.mk" 79.include "options.mk"
83.include "../../mk/bsd.pkg.mk" 80.include "../../mk/bsd.pkg.mk"
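Review bot: the `set -e;` prefixed to each `cd ...; for file in ...` loop in post-install is the important fix in this hunk: without it a failed `cd` into a missing sample directory would leave the loop running in the previous directory and installing whatever `*` matched there, or installing nothing, with the error only surfacing later as a PLIST mismatch. Dropping the `:Q` modifier from ${WRKSRC}, ${EASYRSADIR}, ${EGDIR} and ${PKG_SYSCONFDIR} is fine for paths derived from ${PREFIX} and the work directory, which pkgsrc already assumes contain no whitespace, but it is a style change unrelated to the 2.1.1 to 2.1.3 bump and would read better as a separate commit. One more thing to be aware of: the `[a-zR]*` glob combined with the `[A-Z]*|*.cnf|vars)` case means a file upstream adds to easy-rsa/2.0 starting with a capital letter other than R is skipped silently rather than installed.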

cvs diff -r1.10 -r1.11 pkgsrc/net/openvpn/PLIST

--- pkgsrc/net/openvpn/PLIST 2010/06/16 07:30:26 1.10
+++ pkgsrc/net/openvpn/PLIST 2010/09/05 20:33:48 1.11
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1@comment $NetBSD: PLIST,v 1.10 2010/06/16 07:30:26 tnn Exp $ 1@comment $NetBSD: PLIST,v 1.11 2010/09/05 20:33:48 adam Exp $
2man/man8/openvpn.8 2man/man8/openvpn.8
3sbin/openvpn 3sbin/openvpn
4share/examples/openvpn/config/README 4share/examples/openvpn/config/README
5share/examples/openvpn/config/client.conf 5share/examples/openvpn/config/client.conf
6share/examples/openvpn/config/firewall.sh 6share/examples/openvpn/config/firewall.sh
7share/examples/openvpn/config/home.up 7share/examples/openvpn/config/home.up
8share/examples/openvpn/config/loopback-client 8share/examples/openvpn/config/loopback-client
9share/examples/openvpn/config/loopback-server 9share/examples/openvpn/config/loopback-server
10share/examples/openvpn/config/office.up 10share/examples/openvpn/config/office.up
11share/examples/openvpn/config/openvpn-shutdown.sh 11share/examples/openvpn/config/openvpn-shutdown.sh
12share/examples/openvpn/config/openvpn-startup.sh 12share/examples/openvpn/config/openvpn-startup.sh
13share/examples/openvpn/config/server.conf 13share/examples/openvpn/config/server.conf
14share/examples/openvpn/config/static-home.conf 14share/examples/openvpn/config/static-home.conf
@@ -21,27 +21,26 @@ share/examples/openvpn/keys/README @@ -21,27 +21,26 @@ share/examples/openvpn/keys/README
21share/examples/openvpn/keys/ca.crt 21share/examples/openvpn/keys/ca.crt
22share/examples/openvpn/keys/ca.key 22share/examples/openvpn/keys/ca.key
23share/examples/openvpn/keys/client.crt 23share/examples/openvpn/keys/client.crt
24share/examples/openvpn/keys/client.key 24share/examples/openvpn/keys/client.key
25share/examples/openvpn/keys/dh1024.pem 25share/examples/openvpn/keys/dh1024.pem
26share/examples/openvpn/keys/pass.crt 26share/examples/openvpn/keys/pass.crt
27share/examples/openvpn/keys/pass.key 27share/examples/openvpn/keys/pass.key
28share/examples/openvpn/keys/pkcs12.p12 28share/examples/openvpn/keys/pkcs12.p12
29share/examples/openvpn/keys/server.crt 29share/examples/openvpn/keys/server.crt
30share/examples/openvpn/keys/server.key 30share/examples/openvpn/keys/server.key
31share/examples/openvpn/scripts/auth-pam.pl 31share/examples/openvpn/scripts/auth-pam.pl
32share/examples/openvpn/scripts/bridge-start 32share/examples/openvpn/scripts/bridge-start
33share/examples/openvpn/scripts/bridge-stop 33share/examples/openvpn/scripts/bridge-stop
34share/examples/openvpn/scripts/bs 
35share/examples/openvpn/scripts/openvpn.init 34share/examples/openvpn/scripts/openvpn.init
36share/examples/openvpn/scripts/ucn.pl 35share/examples/openvpn/scripts/ucn.pl
37share/examples/openvpn/scripts/verify-cn 36share/examples/openvpn/scripts/verify-cn
38share/examples/rc.d/openvpn 37share/examples/rc.d/openvpn
39share/openvpn/easy-rsa/README 38share/openvpn/easy-rsa/README
40share/openvpn/easy-rsa/build-ca 39share/openvpn/easy-rsa/build-ca
41share/openvpn/easy-rsa/build-dh 40share/openvpn/easy-rsa/build-dh
42share/openvpn/easy-rsa/build-inter 41share/openvpn/easy-rsa/build-inter
43share/openvpn/easy-rsa/build-key 42share/openvpn/easy-rsa/build-key
44share/openvpn/easy-rsa/build-key-pass 43share/openvpn/easy-rsa/build-key-pass
45share/openvpn/easy-rsa/build-key-pkcs12 44share/openvpn/easy-rsa/build-key-pkcs12
46share/openvpn/easy-rsa/build-key-server 45share/openvpn/easy-rsa/build-key-server
47share/openvpn/easy-rsa/build-req 46share/openvpn/easy-rsa/build-req
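Review bot: the removal of `share/examples/openvpn/scripts/bs` has to reflect the 2.1.3 sample-scripts directory exactly, because the Makefile's post-install loop installs `*` from that directory and the PLIST check will fail if the two disagree; confirm it against the extracted 2.1.3 tree rather than the 2.1.1 one. Unrelated to the change but visible in the context: the private keys listed here (ca.key, server.key, client.key, pass.key, pkcs12.p12 and the dh1024.pem parameters) are upstream's publicly distributed sample keys installed under share/examples; they are only appropriate for the loopback example configurations shipped alongside them and never for a real deployment.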

cvs diff -r1.20 -r1.21 pkgsrc/net/openvpn/distinfo

--- pkgsrc/net/openvpn/distinfo 2010/06/15 12:05:28 1.20
+++ pkgsrc/net/openvpn/distinfo 2010/09/05 20:33:48 1.21
@@ -1,13 +1,13 @@ @@ -1,13 +1,13 @@
1$NetBSD: distinfo,v 1.20 2010/06/15 12:05:28 sborrill Exp $ 1$NetBSD: distinfo,v 1.21 2010/09/05 20:33:48 adam Exp $
2 2
3SHA1 (openvpn-2.1.1.tar.gz) = 4b18e71b07236760f3b4defa941661e94b731a5a 3SHA1 (openvpn-2.1.3.tar.gz) = 91058e78c58c2e66298c7132bea1ddba52baaa82
4RMD160 (openvpn-2.1.1.tar.gz) = a33ed8ef4ba564103c2d196bbb742dac88d30e80 4RMD160 (openvpn-2.1.3.tar.gz) = ec0f63d63442eb3a26448747a5b0956e27b09809
5Size (openvpn-2.1.1.tar.gz) = 880115 bytes 5Size (openvpn-2.1.3.tar.gz) = 860672 bytes
6SHA1 (patch-aa) = e27e5a6411c9fb6545a1ad630f165200546b7213 6SHA1 (patch-aa) = e27e5a6411c9fb6545a1ad630f165200546b7213
7SHA1 (patch-ab) = d26cdc9166a8813860f31cb5b11bc5b3643b8aa5 7SHA1 (patch-ab) = d26cdc9166a8813860f31cb5b11bc5b3643b8aa5
8SHA1 (patch-ac) = f59615702208cae2a094306bc5fa7fb96234e55a 8SHA1 (patch-ac) = f59615702208cae2a094306bc5fa7fb96234e55a
9SHA1 (patch-ad) = 69f5fff5105131dc05ab38a1a717e1b363f88c1c 9SHA1 (patch-ad) = 69f5fff5105131dc05ab38a1a717e1b363f88c1c
10SHA1 (patch-ae) = 362c881da994608baad7b10667100c39143244b6 10SHA1 (patch-ae) = 362c881da994608baad7b10667100c39143244b6
11SHA1 (patch-af) = dc5dbca74ebbda081e4eaf9a9d5e11b6de11269f 11SHA1 (patch-af) = dc5dbca74ebbda081e4eaf9a9d5e11b6de11269f
12SHA1 (patch-ag) = fe8e59cf177c99c2fd001e7893df86af961e8e4e 12SHA1 (patch-ag) = fe8e59cf177c99c2fd001e7893df86af961e8e4e
13SHA1 (patch-ah) = 4e555d0a9dfa78882bf71c1d3496df8813069656 13SHA1 (patch-ah) = c530376eb68ab8f21c9b3c73149d2c24742aa4c9
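Review bot: the checksum for patch-ah changes to c530376eb68ab8f21c9b3c73149d2c24742aa4c9 while patch-aa through patch-ag keep their previous values, which matches the patch-ah diff in this commit (only the $NetBSD header is added) and means the other seven patches were carried over to 2.1.3 unmodified; that deserves a quick check that they applied without fuzz. The tarball is pinned by SHA1, RMD160 and size only, and those hashes fix what was fetched rather than what upstream published, so compare the fetched openvpn-2.1.3.tar.gz against upstream's signature before treating this distinfo as the reference.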

cvs diff -r1.3 -r1.4 pkgsrc/net/openvpn/options.mk

--- pkgsrc/net/openvpn/options.mk 2010/06/16 07:30:26 1.3
+++ pkgsrc/net/openvpn/options.mk 2010/09/05 20:33:48 1.4
@@ -1,34 +1,34 @@ @@ -1,34 +1,34 @@
1# $NetBSD: options.mk,v 1.3 2010/06/16 07:30:26 tnn Exp $ 1# $NetBSD: options.mk,v 1.4 2010/09/05 20:33:48 adam Exp $
2 2
3PKG_OPTIONS_VAR= PKG_OPTIONS.openvpn 3PKG_OPTIONS_VAR= PKG_OPTIONS.openvpn
4PKG_SUPPORTED_OPTIONS= pkcs11 pam 4PKG_SUPPORTED_OPTIONS= pkcs11 pam
5PKG_SUGGESTED_OPTIONS= 5PKG_SUGGESTED_OPTIONS=
6 6
7.include "../../mk/bsd.options.mk" 7.include "../../mk/bsd.options.mk"
8 8
9# include support for certificates on a stick (or card) 9# include support for certificates on a stick (or card)
10 10
11.if !empty(PKG_OPTIONS:Mpkcs11) 11.if !empty(PKG_OPTIONS:Mpkcs11)
12.include "../../security/pkcs11-helper/buildlink3.mk" 12.include "../../security/pkcs11-helper/buildlink3.mk"
13.else 13.else
14# it would pick it up halfways when installed, and fail building 14# it would pick it up halfways when installed, and fail building
15CONFIGURE_ARGS+= --disable-pkcs11 15CONFIGURE_ARGS+= --disable-pkcs11
16.endif 16.endif
17 17
18PLIST_VARS+= pam 18PLIST_VARS+= pam
19.if !empty(PKG_OPTIONS:Mpam) 19.if !empty(PKG_OPTIONS:Mpam)
20USE_TOOLS+= gmake 20USE_TOOLS+= gmake
21BUILD_DIRS+= plugin/auth-pam 21BUILD_DIRS+= plugin/auth-pam
22BUILD_TARGET= # empty 22BUILD_TARGET= # empty
23INSTALL_DIRS= . 23INSTALL_DIRS= .
24INSTALL_TARGET= install 24INSTALL_TARGET= install
 25INSTALLATION_DIRS+= lib/openvpn
25PLIST.pam= yes 26PLIST.pam= yes
26post-install-pam: 27post-install-pam:
27 ${INSTALL_LIB_DIR} ${DESTDIR}${PREFIX}/lib/openvpn && \ 28 cd ${WRKSRC}/plugin/auth-pam && \
28 cd ${WRKSRC:Q}/plugin/auth-pam && \ 
29 ${INSTALL_LIB} openvpn-auth-pam.so \ 29 ${INSTALL_LIB} openvpn-auth-pam.so \
30 ${DESTDIR}${PREFIX}/lib/openvpn || ${TRUE} 30 ${DESTDIR}${PREFIX}/lib/openvpn || ${TRUE}
31.include "../../mk/pam.buildlink3.mk" 31.include "../../mk/pam.buildlink3.mk"
32.else 32.else
33post-install-pam: 33post-install-pam:
34.endif 34.endif
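Review bot: moving directory creation to `INSTALLATION_DIRS+= lib/openvpn` is correct, and the `+=` really appends because the Makefile assigns `INSTALLATION_DIRS=` before it includes options.mk; placing the line inside `.if !empty(PKG_OPTIONS:Mpam)` also means the directory is created only when the plugin is built. What remains is the trailing `|| ${TRUE}` on the `${INSTALL_LIB} openvpn-auth-pam.so` line: now that the plugin is always built under the pam option and listed through PLIST.pam, a failed copy should fail the install rather than be masked and only show up later as a PLIST mismatch, so drop `|| ${TRUE}`.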

cvs diff -r1.1 -r1.2 pkgsrc/net/openvpn/patches/Attic/patch-ah

--- pkgsrc/net/openvpn/patches/Attic/patch-ah 2009/11/12 08:41:10 1.1
+++ pkgsrc/net/openvpn/patches/Attic/patch-ah 2010/09/05 20:33:48 1.2
@@ -1,13 +1,15 @@ @@ -1,13 +1,15 @@
 1$NetBSD: patch-ah,v 1.2 2010/09/05 20:33:48 adam Exp $
 2
1--- tun.c.orig 2009-11-12 09:22:19.000000000 +0100 3--- tun.c.orig 2009-11-12 09:22:19.000000000 +0100
2+++ tun.c 2009-11-12 09:23:00.000000000 +0100 4+++ tun.c 2009-11-12 09:23:00.000000000 +0100
3@@ -789,17 +789,17 @@ 5@@ -789,17 +789,17 @@
4 /* 6 /*
5 * NetBSD has distinct tun and tap devices 7 * NetBSD has distinct tun and tap devices
6 * so we don't need the "link0" extra parameter to specify we want to do  8 * so we don't need the "link0" extra parameter to specify we want to do
7 * tunneling at the ethernet level 9 * tunneling at the ethernet level
8+ * NB: The tun driver has no broadcast capability. 10+ * NB: The tun driver has no broadcast capability.
9 */ 11 */
10 argv_printf (&argv, 12 argv_printf (&argv,
11- "%s %s %s netmask %s mtu %d broadcast %s", 13- "%s %s %s netmask %s mtu %d broadcast %s",
12+ "%s %s %s netmask %s mtu %d", 14+ "%s %s %s netmask %s mtu %d",
13 IFCONFIG_PATH, 15 IFCONFIG_PATH,
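Review bot: only the `$NetBSD: patch-ah,v 1.2 ...` header and a blank line are added; the patch body, which drops the `broadcast %s` argument from the NetBSD ifconfig command because the tun driver has no broadcast capability, is unchanged and still carries the 2009-11-12 tun.c timestamps and the `@@ -789,17 +789,17 @@` offset generated against the 2.1.1 source. Regenerating it against the 2.1.3 tun.c would confirm the hunk still lands where intended instead of relying on fuzz, and the updated distinfo checksum would then cover the regenerated file.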