Changes 2.1.3:
* Fixed potential local privilege escalation vulnerability in Windows service.
* Added Python-based alternative build system for Windows using Visual Studio 2008 (in win directory).
* When aborting in a non-graceful way, try to execute do_close_tun in init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted.
* Fixed an issue where AUTH_FAILED was not being properly delivered to the client when a bad password is given for mid-session reauth, causing the connection to fail without an error indication.
* Don't advance to the next connection profile on AUTH_FAILED errors.
* Fixed an issue in the Management Interface that could cause a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried.
* Fixed an issue where if reneg-sec was set to 0 on the client, so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period.
* Modified ">PASSWORD:Verification Failed" management interface notification to include a client reason string:
  >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
* Enable exponential backoff in reliability layer retransmits.
* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after socket is created rather than waiting until after connect/listen.
* Management interface performance optimizations:
  1. Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth
  2. man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o
* Fixed minor issue in Windows TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly.
* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support was not being compiled in.
* Proxy improvements:
* Implemented http-proxy-override and http-proxy-fallback directives to make it easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails.
* Implemented a key/value auth channel from client to server.
* Fixed issue where bad creds provided by the management interface for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds.

diff -r1.37 -r1.38 pkgsrc/net/openvpn/Makefile
(adam)
@@ -1,83 +1,80 @@ | @@ -1,83 +1,80 @@ | |||
1 | # $NetBSD: Makefile,v 1.37 2010/06/16 07:30:26 tnn Exp $ | 1 | # $NetBSD: Makefile,v 1.38 2010/09/05 20:33:48 adam Exp $ | |
2 | # | |||
3 | 2 | |||
4 | DISTNAME= openvpn-2.1.1 | 3 | DISTNAME= openvpn-2.1.3 | |
5 | CATEGORIES= net | 4 | CATEGORIES= net | |
6 | MASTER_SITES= http://openvpn.net/release/ \ | 5 | MASTER_SITES= http://openvpn.net/release/ \ | |
7 | http://openvpn.net/release/old/ | 6 | http://openvpn.net/release/old/ | |
8 | 7 | |||
9 | MAINTAINER= pkgsrc-users@NetBSD.org | 8 | MAINTAINER= pkgsrc-users@NetBSD.org | |
10 | HOMEPAGE= http://openvpn.net/ | 9 | HOMEPAGE= http://openvpn.net/ | |
11 | COMMENT= Easy-to-use SSL VPN daemon | 10 | COMMENT= Easy-to-use SSL VPN daemon | |
12 | LICENSE= gnu-gpl-v2 | 11 | LICENSE= gnu-gpl-v2 | |
13 | 12 | |||
14 | PKG_DESTDIR_SUPPORT= user-destdir | 13 | PKG_DESTDIR_SUPPORT= user-destdir | |
15 | 14 | |||
16 | GNU_CONFIGURE= yes | 15 | GNU_CONFIGURE= yes | |
17 | USE_TOOLS+= grep:run | 16 | USE_TOOLS+= grep:run | |
18 | USE_LIBTOOL= yes | 17 | USE_LIBTOOL= yes | |
19 | USE_OLD_DES_API= yes | 18 | USE_OLD_DES_API= yes | |
20 | TEST_TARGET= check | 19 | TEST_TARGET= check | |
21 | 20 | |||
22 | PKG_SYSCONFSUBDIR= openvpn | 21 | PKG_SYSCONFSUBDIR= openvpn | |
23 | DATADIR= ${PREFIX}/share/${PKGBASE} | 22 | DATADIR= ${PREFIX}/share/${PKGBASE} | |
24 | EGDIR= ${PREFIX}/share/examples/${PKGBASE} | 23 | EGDIR= ${PREFIX}/share/examples/${PKGBASE} | |
25 | EASYRSADIR= ${DATADIR}/easy-rsa | 24 | EASYRSADIR= ${DATADIR}/easy-rsa | |
26 | RCD_SCRIPTS= openvpn | 25 | RCD_SCRIPTS= openvpn | |
27 | 26 | |||
28 | CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q} | 27 | CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR} | |
29 | CONFIGURE_ARGS+= --enable-password-save | 28 | CONFIGURE_ARGS+= --enable-password-save | |
30 | CONFIGURE_ARGS+= --disable-dependency-tracking | 29 | CONFIGURE_ARGS+= --disable-dependency-tracking | |
31 | 30 | |||
32 | # Pthread support is still considered very experimental, so don't enable | 31 | # Pthread support is still considered very experimental, so don't enable | |
33 | # it for the default (production) build. | 32 | # it for the default (production) build. | |
34 | # | |||
35 | #CONFIGURE_ARGS+= --enable-pthread | 33 | #CONFIGURE_ARGS+= --enable-pthread | |
36 | 34 | |||
37 | INSTALLATION_DIRS= ${DATADIR}/easy-rsa ${EGDIR}/config \ | 35 | INSTALLATION_DIRS= ${DATADIR}/easy-rsa ${EGDIR}/config \ | |
38 | ${EGDIR}/keys ${EGDIR}/scripts | 36 | ${EGDIR}/keys ${EGDIR}/scripts | |
39 | 37 | |||
40 | .include "../../mk/bsd.prefs.mk" | 38 | .include "../../mk/bsd.prefs.mk" | |
41 | 39 | |||
42 | # OpenVPN 2.x has a shared module "plugin" architecture that allows | 40 | # OpenVPN 2.x has a shared module "plugin" architecture that allows | |
43 | # inserting callbacks into the server for various tasks. | 41 | # inserting callbacks into the server for various tasks. | |
44 | # | |||
45 | DL_AUTO_VARS= yes | 42 | DL_AUTO_VARS= yes | |
46 | .include "../../mk/dlopen.buildlink3.mk" | 43 | .include "../../mk/dlopen.buildlink3.mk" | |
47 | 44 | |||
48 | .include "../../archivers/lzo/buildlink3.mk" | 45 | .include "../../archivers/lzo/buildlink3.mk" | |
49 | .include "../../security/openssl/buildlink3.mk" | 46 | .include "../../security/openssl/buildlink3.mk" | |
50 | .include "../../mk/pthread.buildlink3.mk" | 47 | .include "../../mk/pthread.buildlink3.mk" | |
51 | .if ${OPSYS} == "SunOS" | 48 | .if ${OPSYS} == "SunOS" | |
52 | .include "../../net/solaris-tap/buildlink3.mk" | 49 | .include "../../net/solaris-tap/buildlink3.mk" | |
53 | .endif | 50 | .endif | |
54 | 51 | |||
55 | REPLACE_SH= easy-rsa/2.0/* | 52 | REPLACE_SH= easy-rsa/2.0/* | |
56 | SUBST_CLASSES+= pkitool | 53 | SUBST_CLASSES+= pkitool | |
57 | SUBST_STAGE.pkitool= post-build | 54 | SUBST_STAGE.pkitool= post-build | |
58 | SUBST_MESSAGE.pkitool= Fixing up default paths to grep & openssl in pkitool. | 55 | SUBST_MESSAGE.pkitool= Fixing up default paths to grep & openssl in pkitool. | |
59 | SUBST_FILES.pkitool= easy-rsa/2.0/pkitool | 56 | SUBST_FILES.pkitool= easy-rsa/2.0/pkitool | |
60 | SUBST_SED.pkitool= -e "s|\\(GREP\\)=.*|\\1=\""${GREP:Q}"\"|" | 57 | SUBST_SED.pkitool= -e "s|\\(GREP\\)=.*|\\1=\""${GREP:Q}"\"|" | |
61 | SUBST_SED.pkitool+= -e "s|\\(OPENSSL\\)=.*|\\1=\""${SSLBASE:Q}/bin/openssl"\"|" | 58 | SUBST_SED.pkitool+= -e "s|\\(OPENSSL\\)=.*|\\1=\""${SSLBASE:Q}/bin/openssl"\"|" | |
62 | 59 | |||
63 | post-install: post-install-pam | 60 | post-install: post-install-pam | |
64 | cd ${WRKSRC:Q}/easy-rsa/2.0; for file in [a-zR]*; do \ | 61 | set -e; cd ${WRKSRC}/easy-rsa/2.0; for file in [a-zR]*; do \ | |
65 | case $$file in \ | 62 | case $$file in \ | |
66 | *.orig) ;; \ | 63 | *.orig) ;; \ | |
67 | [A-Z]*|*.cnf|vars) \ | 64 | [A-Z]*|*.cnf|vars) \ | |
68 | ${INSTALL_DATA} $$file ${DESTDIR}${EASYRSADIR:Q} ;; \ | 65 | ${INSTALL_DATA} $$file ${DESTDIR}${EASYRSADIR} ;; \ | |
69 | *) ${INSTALL_SCRIPT} $$file ${DESTDIR}${EASYRSADIR:Q} ;; \ | 66 | *) ${INSTALL_SCRIPT} $$file ${DESTDIR}${EASYRSADIR} ;; \ | |
70 | esac; \ | 67 | esac; \ | |
71 | done | 68 | done | |
72 | cd ${WRKSRC:Q}/sample-config-files; for file in *; do \ | 69 | set -e; cd ${WRKSRC}/sample-config-files; for file in *; do \ | |
73 | ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/config; \ | 70 | ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/config; \ | |
74 | done | 71 | done | |
75 | cd ${WRKSRC:Q}/sample-scripts; for file in *; do \ | 72 | set -e; cd ${WRKSRC}/sample-scripts; for file in *; do \ | |
76 | ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/scripts; \ | 73 | ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/scripts; \ | |
77 | done | 74 | done | |
78 | cd ${WRKSRC:Q}/sample-keys; for file in *; do \ | 75 | set -e; cd ${WRKSRC}/sample-keys; for file in *; do \ | |
79 | ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/keys; \ | 76 | ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/keys; \ | |
80 | done | 77 | done | |
81 | 78 | |||
82 | .include "options.mk" | 79 | .include "options.mk" | |
83 | .include "../../mk/bsd.pkg.mk" | 80 | .include "../../mk/bsd.pkg.mk" |
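Review bot: The `set -e;` prefix added in front of each of the four `cd ${WRKSRC}/...; for file in ...` loops in post-install is the substantive fix in this hunk and is correct: previously only the exit status of the last command in each recipe line decided whether the target failed, so a failing `cd` (a directory renamed or dropped between 2.1.1 and 2.1.3) or a failing `${INSTALL_DATA}` inside the loop could go unnoticed until the PLIST check. The `:Q` removals on `${PKG_SYSCONFDIR}`, `${WRKSRC}`, `${EASYRSADIR}` and `${EGDIR}` are applied consistently to every use in the file and change no behaviour as long as those pkgsrc-controlled paths contain no shell metacharacters. Unchanged but worth noting on a version bump: `CONFIGURE_ARGS+= --enable-password-save` stays, which keeps the build able to read --auth-user-pass credentials from a file; that is an existing packaging decision, not something this diff introduces, but it should stay deliberate.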
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | @comment $NetBSD: PLIST,v 1.10 2010/06/16 07:30:26 tnn Exp $ | 1 | @comment $NetBSD: PLIST,v 1.11 2010/09/05 20:33:48 adam Exp $ | |
2 | man/man8/openvpn.8 | 2 | man/man8/openvpn.8 | |
3 | sbin/openvpn | 3 | sbin/openvpn | |
4 | share/examples/openvpn/config/README | 4 | share/examples/openvpn/config/README | |
5 | share/examples/openvpn/config/client.conf | 5 | share/examples/openvpn/config/client.conf | |
6 | share/examples/openvpn/config/firewall.sh | 6 | share/examples/openvpn/config/firewall.sh | |
7 | share/examples/openvpn/config/home.up | 7 | share/examples/openvpn/config/home.up | |
8 | share/examples/openvpn/config/loopback-client | 8 | share/examples/openvpn/config/loopback-client | |
9 | share/examples/openvpn/config/loopback-server | 9 | share/examples/openvpn/config/loopback-server | |
10 | share/examples/openvpn/config/office.up | 10 | share/examples/openvpn/config/office.up | |
11 | share/examples/openvpn/config/openvpn-shutdown.sh | 11 | share/examples/openvpn/config/openvpn-shutdown.sh | |
12 | share/examples/openvpn/config/openvpn-startup.sh | 12 | share/examples/openvpn/config/openvpn-startup.sh | |
13 | share/examples/openvpn/config/server.conf | 13 | share/examples/openvpn/config/server.conf | |
14 | share/examples/openvpn/config/static-home.conf | 14 | share/examples/openvpn/config/static-home.conf | |
@@ -21,27 +21,26 @@ share/examples/openvpn/keys/README | @@ -21,27 +21,26 @@ share/examples/openvpn/keys/README | |||
21 | share/examples/openvpn/keys/ca.crt | 21 | share/examples/openvpn/keys/ca.crt | |
22 | share/examples/openvpn/keys/ca.key | 22 | share/examples/openvpn/keys/ca.key | |
23 | share/examples/openvpn/keys/client.crt | 23 | share/examples/openvpn/keys/client.crt | |
24 | share/examples/openvpn/keys/client.key | 24 | share/examples/openvpn/keys/client.key | |
25 | share/examples/openvpn/keys/dh1024.pem | 25 | share/examples/openvpn/keys/dh1024.pem | |
26 | share/examples/openvpn/keys/pass.crt | 26 | share/examples/openvpn/keys/pass.crt | |
27 | share/examples/openvpn/keys/pass.key | 27 | share/examples/openvpn/keys/pass.key | |
28 | share/examples/openvpn/keys/pkcs12.p12 | 28 | share/examples/openvpn/keys/pkcs12.p12 | |
29 | share/examples/openvpn/keys/server.crt | 29 | share/examples/openvpn/keys/server.crt | |
30 | share/examples/openvpn/keys/server.key | 30 | share/examples/openvpn/keys/server.key | |
31 | share/examples/openvpn/scripts/auth-pam.pl | 31 | share/examples/openvpn/scripts/auth-pam.pl | |
32 | share/examples/openvpn/scripts/bridge-start | 32 | share/examples/openvpn/scripts/bridge-start | |
33 | share/examples/openvpn/scripts/bridge-stop | 33 | share/examples/openvpn/scripts/bridge-stop | |
34 | share/examples/openvpn/scripts/bs | |||
35 | share/examples/openvpn/scripts/openvpn.init | 34 | share/examples/openvpn/scripts/openvpn.init | |
36 | share/examples/openvpn/scripts/ucn.pl | 35 | share/examples/openvpn/scripts/ucn.pl | |
37 | share/examples/openvpn/scripts/verify-cn | 36 | share/examples/openvpn/scripts/verify-cn | |
38 | share/examples/rc.d/openvpn | 37 | share/examples/rc.d/openvpn | |
39 | share/openvpn/easy-rsa/README | 38 | share/openvpn/easy-rsa/README | |
40 | share/openvpn/easy-rsa/build-ca | 39 | share/openvpn/easy-rsa/build-ca | |
41 | share/openvpn/easy-rsa/build-dh | 40 | share/openvpn/easy-rsa/build-dh | |
42 | share/openvpn/easy-rsa/build-inter | 41 | share/openvpn/easy-rsa/build-inter | |
43 | share/openvpn/easy-rsa/build-key | 42 | share/openvpn/easy-rsa/build-key | |
44 | share/openvpn/easy-rsa/build-key-pass | 43 | share/openvpn/easy-rsa/build-key-pass | |
45 | share/openvpn/easy-rsa/build-key-pkcs12 | 44 | share/openvpn/easy-rsa/build-key-pkcs12 | |
46 | share/openvpn/easy-rsa/build-key-server | 45 | share/openvpn/easy-rsa/build-key-server | |
47 | share/openvpn/easy-rsa/build-req | 46 | share/openvpn/easy-rsa/build-req |
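Review bot: Removing `share/examples/openvpn/scripts/bs` from the PLIST has to match the contents of sample-scripts in openvpn-2.1.3.tar.gz exactly, because post-install installs `sample-scripts/*` wholesale; any file upstream added or renamed in the same directory will show up as a PLIST mismatch, so run the PLIST check against the new distfile rather than trusting the diff. Separately, the unchanged context shows the package still installing upstream's sample private keys (`ca.key`, `server.key`, `client.key`, `pass.key`, `pkcs12.p12`) under share/examples/openvpn/keys; they are publicly known test material, so the keys/README at the top of this hunk is the right place to say they are never to be used for a real deployment.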
@@ -1,13 +1,13 @@ | @@ -1,13 +1,13 @@ | |||
1 | $NetBSD: distinfo,v 1.20 2010/06/15 12:05:28 sborrill Exp $ | 1 | $NetBSD: distinfo,v 1.21 2010/09/05 20:33:48 adam Exp $ | |
2 | 2 | |||
3 | SHA1 (openvpn-2.1.1.tar.gz) = 4b18e71b07236760f3b4defa941661e94b731a5a | 3 | SHA1 (openvpn-2.1.3.tar.gz) = 91058e78c58c2e66298c7132bea1ddba52baaa82 | |
4 | RMD160 (openvpn-2.1.1.tar.gz) = a33ed8ef4ba564103c2d196bbb742dac88d30e80 | 4 | RMD160 (openvpn-2.1.3.tar.gz) = ec0f63d63442eb3a26448747a5b0956e27b09809 | |
5 | Size (openvpn-2.1.1.tar.gz) = 880115 bytes | 5 | Size (openvpn-2.1.3.tar.gz) = 860672 bytes | |
6 | SHA1 (patch-aa) = e27e5a6411c9fb6545a1ad630f165200546b7213 | 6 | SHA1 (patch-aa) = e27e5a6411c9fb6545a1ad630f165200546b7213 | |
7 | SHA1 (patch-ab) = d26cdc9166a8813860f31cb5b11bc5b3643b8aa5 | 7 | SHA1 (patch-ab) = d26cdc9166a8813860f31cb5b11bc5b3643b8aa5 | |
8 | SHA1 (patch-ac) = f59615702208cae2a094306bc5fa7fb96234e55a | 8 | SHA1 (patch-ac) = f59615702208cae2a094306bc5fa7fb96234e55a | |
9 | SHA1 (patch-ad) = 69f5fff5105131dc05ab38a1a717e1b363f88c1c | 9 | SHA1 (patch-ad) = 69f5fff5105131dc05ab38a1a717e1b363f88c1c | |
10 | SHA1 (patch-ae) = 362c881da994608baad7b10667100c39143244b6 | 10 | SHA1 (patch-ae) = 362c881da994608baad7b10667100c39143244b6 | |
11 | SHA1 (patch-af) = dc5dbca74ebbda081e4eaf9a9d5e11b6de11269f | 11 | SHA1 (patch-af) = dc5dbca74ebbda081e4eaf9a9d5e11b6de11269f | |
12 | SHA1 (patch-ag) = fe8e59cf177c99c2fd001e7893df86af961e8e4e | 12 | SHA1 (patch-ag) = fe8e59cf177c99c2fd001e7893df86af961e8e4e | |
13 | SHA1 (patch-ah) = 4e555d0a9dfa78882bf71c1d3496df8813069656 | 13 | SHA1 (patch-ah) = c530376eb68ab8f21c9b3c73149d2c24742aa4c9 |
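Review bot: Only the three distfile lines and `SHA1 (patch-ah)` change here; `patch-aa` through `patch-ag` keep their checksums even though the source moved from 2.1.1 to 2.1.3, and an unchanged checksum only proves the patch file is unchanged, not that it still applies, so confirm with `make patch` that they land without fuzz on the new tree. Since distinfo is the only integrity anchor pkgsrc has for the distfile, the new SHA1/RMD160 values for openvpn-2.1.3.tar.gz should be taken from a tarball whose upstream signature was verified before the hashes are committed, rather than from whatever was fetched first.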
@@ -1,34 +1,34 @@ | @@ -1,34 +1,34 @@ | |||
1 | # $NetBSD: options.mk,v 1.3 2010/06/16 07:30:26 tnn Exp $ | 1 | # $NetBSD: options.mk,v 1.4 2010/09/05 20:33:48 adam Exp $ | |
2 | 2 | |||
3 | PKG_OPTIONS_VAR= PKG_OPTIONS.openvpn | 3 | PKG_OPTIONS_VAR= PKG_OPTIONS.openvpn | |
4 | PKG_SUPPORTED_OPTIONS= pkcs11 pam | 4 | PKG_SUPPORTED_OPTIONS= pkcs11 pam | |
5 | PKG_SUGGESTED_OPTIONS= | 5 | PKG_SUGGESTED_OPTIONS= | |
6 | 6 | |||
7 | .include "../../mk/bsd.options.mk" | 7 | .include "../../mk/bsd.options.mk" | |
8 | 8 | |||
9 | # include support for certificates on a stick (or card) | 9 | # include support for certificates on a stick (or card) | |
10 | 10 | |||
11 | .if !empty(PKG_OPTIONS:Mpkcs11) | 11 | .if !empty(PKG_OPTIONS:Mpkcs11) | |
12 | .include "../../security/pkcs11-helper/buildlink3.mk" | 12 | .include "../../security/pkcs11-helper/buildlink3.mk" | |
13 | .else | 13 | .else | |
14 | # it would pick it up halfways when installed, and fail building | 14 | # it would pick it up halfways when installed, and fail building | |
15 | CONFIGURE_ARGS+= --disable-pkcs11 | 15 | CONFIGURE_ARGS+= --disable-pkcs11 | |
16 | .endif | 16 | .endif | |
17 | 17 | |||
18 | PLIST_VARS+= pam | 18 | PLIST_VARS+= pam | |
19 | .if !empty(PKG_OPTIONS:Mpam) | 19 | .if !empty(PKG_OPTIONS:Mpam) | |
20 | USE_TOOLS+= gmake | 20 | USE_TOOLS+= gmake | |
21 | BUILD_DIRS+= plugin/auth-pam | 21 | BUILD_DIRS+= plugin/auth-pam | |
22 | BUILD_TARGET= # empty | 22 | BUILD_TARGET= # empty | |
23 | INSTALL_DIRS= . | 23 | INSTALL_DIRS= . | |
24 | INSTALL_TARGET= install | 24 | INSTALL_TARGET= install | |
25 | INSTALLATION_DIRS+= lib/openvpn | |||
25 | PLIST.pam= yes | 26 | PLIST.pam= yes | |
26 | post-install-pam: | 27 | post-install-pam: | |
27 | ${INSTALL_LIB_DIR} ${DESTDIR}${PREFIX}/lib/openvpn && \ | 28 | cd ${WRKSRC}/plugin/auth-pam && \ | |
28 | cd ${WRKSRC:Q}/plugin/auth-pam && \ | |||
29 | ${INSTALL_LIB} openvpn-auth-pam.so \ | 29 | ${INSTALL_LIB} openvpn-auth-pam.so \ | |
30 | ${DESTDIR}${PREFIX}/lib/openvpn || ${TRUE} | 30 | ${DESTDIR}${PREFIX}/lib/openvpn || ${TRUE} | |
31 | .include "../../mk/pam.buildlink3.mk" | 31 | .include "../../mk/pam.buildlink3.mk" | |
32 | .else | 32 | .else | |
33 | post-install-pam: | 33 | post-install-pam: | |
34 | .endif | 34 | .endif |
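Review bot: The `|| ${TRUE}` kept at the end of post-install-pam still masks a failed `${INSTALL_LIB} openvpn-auth-pam.so`, while `PLIST.pam= yes` makes the PLIST expect that file. Now that `INSTALLATION_DIRS+= lib/openvpn` creates the target directory up front (replacing the removed `${INSTALL_LIB_DIR} ${DESTDIR}${PREFIX}/lib/openvpn && \` step), the original reason for tolerating a failure in this recipe is gone, so drop the `|| ${TRUE}`: a plugin that failed to build should fail the package build instead of surfacing later as a PLIST mismatch or as a server whose PAM auth plugin silently is not there.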
@@ -1,13 +1,15 @@ | @@ -1,13 +1,15 @@ | |||
1 | $NetBSD: patch-ah,v 1.2 2010/09/05 20:33:48 adam Exp $ | |||
2 | ||||
1 | --- tun.c.orig 2009-11-12 09:22:19.000000000 +0100 | 3 | --- tun.c.orig 2009-11-12 09:22:19.000000000 +0100 | |
2 | +++ tun.c 2009-11-12 09:23:00.000000000 +0100 | 4 | +++ tun.c 2009-11-12 09:23:00.000000000 +0100 | |
3 | @@ -789,17 +789,17 @@ | 5 | @@ -789,17 +789,17 @@ | |
4 | /* | 6 | /* | |
5 | * NetBSD has distinct tun and tap devices | 7 | * NetBSD has distinct tun and tap devices | |
6 | * so we don't need the "link0" extra parameter to specify we want to do | 8 | * so we don't need the "link0" extra parameter to specify we want to do | |
7 | * tunneling at the ethernet level | 9 | * tunneling at the ethernet level | |
8 | + * NB: The tun driver has no broadcast capability. | 10 | + * NB: The tun driver has no broadcast capability. | |
9 | */ | 11 | */ | |
10 | argv_printf (&argv, | 12 | argv_printf (&argv, | |
11 | - "%s %s %s netmask %s mtu %d broadcast %s", | 13 | - "%s %s %s netmask %s mtu %d broadcast %s", | |
12 | + "%s %s %s netmask %s mtu %d", | 14 | + "%s %s %s netmask %s mtu %d", | |
13 | IFCONFIG_PATH, | 15 | IFCONFIG_PATH, |
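Review bot: The only change to patch-ah is the added `$NetBSD: patch-ah,v 1.2 ...` RCS id and the blank line after it, which accounts for the distinfo change; the visible patch body is unchanged. Two checks follow from the body not having been regenerated against 2.1.3: the `@@ -789,17 +789,17 @@` header and the `tun.c.orig 2009-11-12` timestamp come from the 2.1.1-era source, so apply it to the new tun.c and confirm it lands without offset; and because the format string loses the trailing `broadcast %s`, the corresponding broadcast argument must also have been removed from the `argv_printf` call, which lies below the context shown here and cannot be verified from this excerpt.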