authorMatthias Andree <mandree@FreeBSD.org>2015-05-04 23:08:02 +0000
committerMatthias Andree <mandree@FreeBSD.org>2015-05-04 23:08:02 +0000
commit7649ac1704036feb865fb8514c139e08d33963db (patch)
tree6684bc66600f5280971372760d47e9c34d5a179b
parent94b4d68eaef9aa4835a22dac58454caa76b866c4 (diff)
downloadports-7649ac1704036feb865fb8514c139e08d33963db.tar.gz
ports-7649ac1704036feb865fb8514c139e08d33963db.zip
+ Update patch set for crypto engine fix [1].
  Change option name so it is presented anew, default disabled.
+ Add openvpn-client wrapper script and up/down scripts to trigger
  resolvconf, with minor edits. [2]
+ Set proper PLUGIN_LIBDIR so that plugins in the default directory
  can be found with relative paths.
+ Compile shipped plugins with -fPIC.

PR:		195004 [1]
PR:		199529 [2]
Submitted by:	yuri@rawbw.com [2]
Obtained from:	https://community.openvpn.net/openvpn/ticket/480#comment:21
Notes
Notes: svn path=/head/; revision=385432
-rw-r--r--security/openvpn/Makefile29
-rw-r--r--security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch171
-rw-r--r--security/openvpn/files/EF1.patch43
-rw-r--r--security/openvpn/files/EF2.patch186
-rw-r--r--security/openvpn/files/EF3.patch38
-rw-r--r--security/openvpn/files/openvpn-client.in6
-rw-r--r--security/openvpn/files/patch-sample__sample-config-files__loopback-client4
-rw-r--r--security/openvpn/files/patch-sample__sample-config-files__loopback-server4
-rw-r--r--security/openvpn/files/patch-tests__t_cltsrv.sh8
-rw-r--r--security/openvpn/files/pkg-message.in4
-rw-r--r--security/openvpn/pkg-plist3
11 files changed, 310 insertions, 186 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 2a0ebed7c991..94728a7d8371 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -3,7 +3,7 @@
PORTNAME= openvpn
DISTVERSION= 2.3.6
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security net
MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
http://build.openvpn.net/downloads/releases/
@@ -25,7 +25,10 @@ SHEBANG_FILES= sample/sample-scripts/verify-cn \
CPPFLAGS+= -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib
-OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX
+# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
+CPPFLAGS+= -DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
+
+OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX2
OPTIONS_DEFAULT= EASYRSA OPENSSL
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
@@ -34,7 +37,7 @@ PKCS11_DESC= Use security/pkcs11-helper
EASYRSA_DESC= Install security/easy-rsa RSA helper package
POLARSSL_DESC= SSL/TLS support via PolarSSL
X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL)
-ENGINEFIX_DESC= EXPERIMENTAL patch to fix SSL engine use
+ENGINEFIX2_DESC= New EXPERIMENTAL patchset for SSL engine use (OpenSSL)
EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa
@@ -47,15 +50,18 @@ X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
.include <bsd.port.options.mk>
-.if ${PORT_OPTIONS:MENGINEFIX}
-EXTRA_PATCHES+= ${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1
+# patches to fix PR 195004, https://community.openvpn.net/openvpn/ticket/480
+.if ${PORT_OPTIONS:MENGINEFIX2}
+EXTRA_PATCHES+= ${FILESDIR}/EF1.patch:-p1 \
+ ${FILESDIR}/EF2.patch:-p1 \
+ ${FILESDIR}/EF3.patch:-p1
.endif
.if ${PORT_OPTIONS:MPOLARSSL}
. if ${PORT_OPTIONS:MX509ALTUSERNAME}
BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead
. else
-LIB_DEPENDS+= libpolarssl.so.5:${PORTSDIR}/security/polarssl
+LIB_DEPENDS+= libpolarssl.so:${PORTSDIR}/security/polarssl
CONFIGURE_ARGS+= --with-crypto-library=polarssl
. endif
.else
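Review bot: The LIB_DEPENDS change from `libpolarssl.so.5` to `libpolarssl.so` at the bottom of this hunk is not mentioned in the commit message, so a reader cannot tell whether it is a deliberate switch to the unversioned convention or a drive-by; either way, with the SONAME gone from the dependency line a future polarssl ABI bump is no longer caught here and must be handled by a PORTREVISION bump, which is worth one sentence in the log. The three EF patches pulled in under ENGINEFIX2 differ in provenance: EF1.patch and EF3.patch carry upstream commit ids, while EF2.patch appears to be an unmerged mailing-list submission that moves daemon() ahead of crypto initialisation, and nothing in the Makefile records that. Extend the comment above the `.if` to `# patches to fix PR 195004, https://community.openvpn.net/openvpn/ticket/480` followed by `# EF2.patch is a mailing-list submission (2015-04-27), not yet merged upstream; re-check on each DISTVERSION update` so the next maintainer knows to verify it against the release they update to.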
@@ -66,7 +72,7 @@ CONFIGURE_ARGS+= --with-crypto-library=openssl
USE_RC_SUBR= openvpn
USE_LDCONFIG= ${PREFIX}/lib
-SUB_FILES= pkg-message
+SUB_FILES= pkg-message openvpn-client
.include <bsd.port.pre.mk>
@@ -91,6 +97,11 @@ pre-configure:
@${ECHO} ""
.endif
+post-configure:
+ ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
+ ${WRKSRC}/src/plugins/auth-pam/Makefile \
+ ${WRKSRC}/src/plugins/down-root/Makefile
+
post-build:
@# self-tests here
.if !defined(WITHOUT_CHECK)
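Review bot: The post-configure sed at `s/$$/ -fPIC/` only fires on lines that literally start with `CFLAGS =`; if a later OpenVPN release reshapes the generated plugin Makefiles (no space before `=`, or a different variable carrying the compile flags) the substitution silently matches nothing and the plugins are built without -fPIC, with no indication in the build log. There is also no comment saying why the flag is needed, so the target looks like an arbitrary edit. I would add `# the shipped plugin Makefiles build the .so objects without -fPIC; add it so they link as shared objects` above `post-configure:`, and consider a loud check afterwards such as `@${GREP} -q -- '-fPIC' ${WRKSRC}/src/plugins/auth-pam/Makefile || ${ECHO_MSG} "WARNING: -fPIC was not added to the plugin Makefiles"` so a no-op substitution is visible rather than silent.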
@@ -101,6 +112,10 @@ post-build:
post-install:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
+ ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+ ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
+ @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+ ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
${MKDIR} ${STAGEDIR}${PREFIX}/include
.if ${PORT_OPTIONS:MDOCS}
${MKDIR} ${STAGEDIR}${DOCSDIR}/
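Review bot: The `@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|'` line edits a file that has already been installed into ${STAGEDIR}; with the ports default of an in-place backup suffix this presumably leaves an `openvpn-client.up.bak` next to the script in the stage tree, which check-plist would report as an orphan or which could end up in the package, and the leading `@` hides the command that did it. The more conventional shape is to patch the contrib script in ${WRKSRC} before it is installed, e.g. in a post-patch target `${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${WRKSRC}/contrib/pull-resolv-conf/client.up`, and let the two `${INSTALL_SCRIPT}` lines here copy the already-edited files; that also keeps the `-p` removal visible in the build log. The install of `${WRKDIR}/openvpn-client` into sbin is fine as written; post-install continues past the end of this hunk.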
diff --git a/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch b/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
deleted file mode 100644
index 81d95f0bcf93..000000000000
--- a/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan@karger.me>
-Date: Sun, 22 Mar 2015 19:51:25 +0100
-Subject: [PATCH] Reload OpenSSL engines after forking
-
-As reported in trac ticket #480, the cryptodev OpenSSL engine opens
-/dev/crypto on load, but runs into trouble when the pid changes due to a
-call to daemon(). We cannot simply call daemon() before intilializing,
-because that will change the interpretation of relative paths in the config
-file. To work around that, not only fixup the PKCS#11 state after calling
-daemon(), but also reload the OpenSSL engines.
-
-Signed-off-by: Steffan Karger <steffan@karger.me>
----
- src/openvpn/crypto.c | 17 +++++++++++++++++
- src/openvpn/crypto.h | 7 +++++++
- src/openvpn/crypto_backend.h | 8 +++++++-
- src/openvpn/crypto_openssl.c | 21 +++++++++++++--------
- src/openvpn/crypto_polarssl.c | 5 +++++
- src/openvpn/init.c | 4 +---
- 6 files changed, 50 insertions(+), 12 deletions(-)
-
-diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index c1b9df3..5353479 100644
---- a/src/openvpn/crypto.c
-+++ b/src/openvpn/crypto.c
-@@ -36,6 +36,7 @@
- #include "crypto.h"
- #include "error.h"
- #include "misc.h"
-+#include "pkcs11.h"
-
- #include "memdbg.h"
-
-@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame,
- __func__, crypto_overhead);
- }
-
-+void
-+crypto_fork_fixup(const char *crypto_engine)
-+{
-+#if defined(ENABLE_PKCS11)
-+ pkcs11_forkFixup ();
-+#endif
-+
-+ if (crypto_engine)
-+ {
-+ /* Reload crypto engines, because a cryptodev engine opens file
-+ * descriptors, which might no longer be usable after forking. */
-+ crypto_uninit_lib_engine();
-+ crypto_init_lib_engine(crypto_engine);
-+ }
-+}
-+
- /*
- * Build a struct key_type.
- */
-diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
-index 82158f9..2e57765 100644
---- a/src/openvpn/crypto.h
-+++ b/src/openvpn/crypto.h
-@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame,
- bool packet_id,
- bool packet_id_long_form);
-
-+/**
-+ * Try to fixup crypto stuff that breaks after forking.
-+ *
-+ * @param crypto_engine Name of the crypto engine to reload.
-+ */
-+void crypto_fork_fixup(const char *crypto_engine);
-+
-
- /* Minimum length of the nonce used by the PRNG */
- #define NONCE_SECRET_LEN_MIN 16
-diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
-index 4e45df0..db6421a 100644
---- a/src/openvpn/crypto_backend.h
-+++ b/src/openvpn/crypto_backend.h
-@@ -49,11 +49,17 @@ void crypto_uninit_lib (void);
-
- void crypto_clear_error (void);
-
--/*
-+/**
- * Initialise the given named crypto engine.
- */
- void crypto_init_lib_engine (const char *engine_name);
-
-+/**
-+ * Uninitialise previously loaded crypto engines.
-+ */
-+void crypto_uninit_lib_engine (void);
-+
-+
- #ifdef DMALLOC
- /*
- * OpenSSL memory debugging. If dmalloc debugging is enabled, tell
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 2d81a6d..5e91752 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name)
- #endif
- }
-
-+void
-+crypto_uninit_lib_engine (void) {
-+#if HAVE_OPENSSL_ENGINE
-+ if (engine_initialized)
-+ {
-+ ENGINE_cleanup ();
-+ engine_persist = NULL;
-+ engine_initialized = false;
-+ }
-+#endif
-+}
-+
- /*
- *
- * Functions related to the core crypto library
-@@ -168,14 +180,7 @@ crypto_uninit_lib (void)
- fclose (fp);
- #endif
-
--#if HAVE_OPENSSL_ENGINE
-- if (engine_initialized)
-- {
-- ENGINE_cleanup ();
-- engine_persist = NULL;
-- engine_initialized = false;
-- }
--#endif
-+ crypto_uninit_lib_engine();
- }
-
- void
-diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
-index c038f8e..900a98a 100644
---- a/src/openvpn/crypto_polarssl.c
-+++ b/src/openvpn/crypto_polarssl.c
-@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name)
- "available");
- }
-
-+void
-+crypto_uninit_lib_engine (void)
-+{
-+}
-+
- /*
- *
- * Functions related to the core crypto library
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index b97d2da..2680c59 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options)
- if (options->log)
- set_std_files_to_null (true);
-
--#if defined(ENABLE_PKCS11)
-- pkcs11_forkFixup ();
--#endif
-+ crypto_fork_fixup (options->engine);
-
- ret = true;
- }
---
-2.1.0
-
diff --git a/security/openvpn/files/EF1.patch b/security/openvpn/files/EF1.patch
new file mode 100644
index 000000000000..9326c8053e08
--- /dev/null
+++ b/security/openvpn/files/EF1.patch
@@ -0,0 +1,43 @@
+commit c7f3fd9c603bfd9cef600316d5e76210e6cf54a7
+Author: Steffan Karger <steffan@karger.me>
+Date: Thu Mar 26 01:01:29 2015 +0100
+
+ Remove unneeded parameter 'first_time' from possibly_become_daemon()
+
+ The static helper function possibly_become_daemon() is called only once,
+ by do_init_first_time(), which checks 'first_time' to be true before
+ calling possibly_become_daemon(). This makes the parameter useless.
+
+ Signed-off-by: Steffan Karger <steffan@karger.me>
+ Acked-by: Gert Doering <gert@greenie.muc.de>
+ Message-Id: <1427328089-886-1-git-send-email-steffan@karger.me>
+ URL: http://article.gmane.org/gmane.network.openvpn.devel/9555
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+ (cherry picked from commit 857c04ef06cd13d59c5b45332f07996e71372576)
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 48b28fc..3a67a50 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -942,10 +942,10 @@ do_persist_tuntap (const struct options *options)
+ * Return true if we did it.
+ */
+ static bool
+-possibly_become_daemon (const struct options *options, const bool first_time)
++possibly_become_daemon (const struct options *options)
+ {
+ bool ret = false;
+- if (first_time && options->daemon)
++ if (options->daemon)
+ {
+ ASSERT (!options->inetd);
+ if (daemon (options->cd_dir != NULL, options->log) < 0)
+@@ -2776,7 +2776,7 @@ do_init_first_time (struct context *c)
+ get_pid_file (c->options.writepid, &c0->pid_state);
+
+ /* become a daemon if --daemon */
+- c->did_we_daemonize = possibly_become_daemon (&c->options, c->first_time);
++ c->did_we_daemonize = possibly_become_daemon (&c->options);
+
+ /* should we disable paging? */
+ if (c->options.mlock && c->did_we_daemonize)
diff --git a/security/openvpn/files/EF2.patch b/security/openvpn/files/EF2.patch
new file mode 100644
index 000000000000..cd983cfc84e4
--- /dev/null
+++ b/security/openvpn/files/EF2.patch
@@ -0,0 +1,186 @@
+
+[Openvpn-devel] [PATCH] Call daemon() before initializing crypto library
+From: Steffan Karger <steffan@ka...> - 2015-04-27 14:29:09
+
+But keep the chdir to / at the place where deamon() was before, to preserve
+the current behaviour wrt relative paths in the config.
+
+This should fix the issue reported in trac #480, without changing the
+behaviour visible to the end user.
+
+Note that by moving the daemon() call to an earlier stage of the init
+process, we no longer have to call platform_mlockall() again, or do a
+pkcs11_forkFixup().
+
+Signed-off-by: Steffan Karger <steffan@...>
+---
+ src/openvpn/init.c | 32 +++++++++++---------------------
+ src/openvpn/init.h | 2 ++
+ src/openvpn/openvpn.c | 4 ++++
+ src/openvpn/pkcs11.c | 5 -----
+ src/openvpn/pkcs11.h | 3 ---
+ 5 files changed, 17 insertions(+), 29 deletions(-)
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 73c6aff..5b22c38 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -916,23 +916,20 @@ do_persist_tuntap (const struct options *options)
+ * Should we become a daemon?
+ * Return true if we did it.
+ */
+-static bool
++bool
+ possibly_become_daemon (const struct options *options)
+ {
+ bool ret = false;
+ if (options->daemon)
+ {
+ ASSERT (!options->inetd);
+- if (daemon (options->cd_dir != NULL, options->log) < 0)
++ /* Don't chdir immediately, but the end of the init sequence, if needed */
++ if (daemon (1, options->log) < 0)
+ msg (M_ERR, "daemon() failed or unsupported");
+ restore_signal_state ();
+ if (options->log)
+ set_std_files_to_null (true);
+
+-#if defined(ENABLE_PKCS11)
+- pkcs11_forkFixup ();
+-#endif
+-
+ ret = true;
+ }
+ return ret;
+@@ -1809,15 +1806,11 @@ do_deferred_options (struct context *c, const unsigned int found)
+ * Possible hold on initialization
+ */
+ static bool
+-do_hold (struct context *c)
++do_hold (void)
+ {
+ #ifdef ENABLE_MANAGEMENT
+ if (management)
+ {
+- /* if c is defined, daemonize before hold */
+- if (c && c->options.daemon && management_should_daemonize (management))
+- do_init_first_time (c);
+-
+ /* block until management hold is released */
+ if (management_hold (management))
+ return true;
+@@ -1867,7 +1860,7 @@ socket_restart_pause (struct context *c)
+ c->persist.restart_sleep_seconds = 0;
+
+ /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
+- if (do_hold (NULL))
++ if (do_hold ())
+ sec = 0;
+
+ if (sec)
+@@ -1886,7 +1879,7 @@ do_startup_pause (struct context *c)
+ if (!c->first_time)
+ socket_restart_pause (c);
+ else
+- do_hold (NULL); /* do management hold on first context initialization */
++ do_hold (); /* do management hold on first context initialization */
+ }
+
+ /*
+@@ -2743,7 +2736,7 @@ do_compute_occ_strings (struct context *c)
+ static void
+ do_init_first_time (struct context *c)
+ {
+- if (c->first_time && !c->did_we_daemonize && !c->c0)
++ if (c->first_time && !c->c0)
+ {
+ struct context_0 *c0;
+
+@@ -2758,12 +2751,9 @@ do_init_first_time (struct context *c)
+ /* get --writepid file descriptor */
+ get_pid_file (c->options.writepid, &c0->pid_state);
+
+- /* become a daemon if --daemon */
+- c->did_we_daemonize = possibly_become_daemon (&c->options);
+-
+- /* should we disable paging? */
+- if (c->options.mlock && c->did_we_daemonize)
+- platform_mlockall (true); /* call again in case we daemonized */
++ /* perform postponed chdir if --daemon */
++ if (c->did_we_daemonize && c->options.cd_dir == NULL)
++ platform_chdir("/");
+
+ /* save process ID in a file */
+ write_pid (&c0->pid_state);
+@@ -3221,7 +3211,7 @@ open_management (struct context *c)
+ }
+
+ /* initial management hold, called early, before first context initialization */
+- do_hold (c);
++ do_hold ();
+ if (IS_SIG (c))
+ {
+ msg (M_WARN, "Signal received from management interface, exiting");
+diff --git a/src/openvpn/init.h b/src/openvpn/init.h
+index 5a1d1dc..d1908ed 100644
+--- a/src/openvpn/init.h
++++ b/src/openvpn/init.h
+@@ -55,6 +55,8 @@ bool do_genkey (const struct options *options);
+
+ bool do_persist_tuntap (const struct options *options);
+
++bool possibly_become_daemon (const struct options *options);
++
+ void pre_setup (const struct options *options);
+
+ void init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags);
+diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
+index fd87fc1..2f327f3 100644
+--- a/src/openvpn/openvpn.c
++++ b/src/openvpn/openvpn.c
+@@ -229,6 +229,10 @@ openvpn_main (int argc, char *argv[])
+ if (do_test_crypto (&c.options))
+ break;
+
++ /* become a daemon if --daemon */
++ if (c.first_time)
++ c.did_we_daemonize = possibly_become_daemon (&c.options);
++
+ #ifdef ENABLE_MANAGEMENT
+ /* open management subsystem */
+ if (!open_management (&c))
+diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
+index 3a15ef6..a1f13c5 100644
+--- a/src/openvpn/pkcs11.c
++++ b/src/openvpn/pkcs11.c
+@@ -336,11 +336,6 @@ pkcs11_terminate () {
+ );
+ }
+
+-void
+-pkcs11_forkFixup () {
+- pkcs11h_forkFixup ();
+-}
+-
+ bool
+ pkcs11_addProvider (
+ const char * const provider,
+diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
+index 4261871..b49401c 100644
+--- a/src/openvpn/pkcs11.h
++++ b/src/openvpn/pkcs11.h
+@@ -38,9 +38,6 @@ pkcs11_initialize (
+ void
+ pkcs11_terminate ();
+
+-void
+-pkcs11_forkFixup ();
+-
+ bool
+ pkcs11_addProvider (
+ const char * const provider,
+--
+2.1.4
+
+
+
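Review bot: EF2.patch starts with a blank line and ends with three further blank lines (the first and last four lines of this hunk), and its header is a mailing-list posting with a "[PATCH]" subject and truncated e-mail addresses rather than a commit record like the ones in EF1.patch and EF3.patch; patch(1) tolerates the whitespace, but nothing in the file tells a maintainer which upstream change, if any, it corresponds to. Since the patch relocates daemon() ahead of crypto-library initialisation and replaces the old pkcs11_forkFixup() path, it is the part of this option most likely to need re-validation at the next DISTVERSION, so I would trim the stray blank lines and prepend a one-line provenance note giving the ticket URL from the commit message and the date of the posting, so that the "is this merged yet" question can be answered from the file alone.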
diff --git a/security/openvpn/files/EF3.patch b/security/openvpn/files/EF3.patch
new file mode 100644
index 000000000000..cb261ef90b09
--- /dev/null
+++ b/security/openvpn/files/EF3.patch
@@ -0,0 +1,38 @@
+commit ac1c2f259b44d1229a65a3e639b09d57a4e2a53b
+Author: Arne Schwabe <arne@rfc2549.org>
+Date: Fri Mar 21 14:18:35 2014 +0100
+
+ Move the initialization of the environment to the top so c2.es is initialized
+
+ Acked-by: Gert Doering <gert@greenie.muc.de>
+ Message-Id: <1395407925-25518-3-git-send-email-arne@rfc2549.org>
+ URL: http://article.gmane.org/gmane.network.openvpn.devel/8372
+
+ Signed-off-by: Gert Doering <gert@greenie.muc.de>
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 3b72b96..c50b5c2 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -3339,6 +3339,10 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int
+ /* init garbage collection level */
+ gc_init (&c->c2.gc);
+
++ /* inherit environmental variables */
++ if (env)
++ do_inherit_env (c, env);
++
+ /* signals caught here will abort */
+ c->sig->signal_received = 0;
+ c->sig->signal_text = NULL;
+@@ -3390,10 +3394,6 @@ init_instance (struct context *c, const struct env_set *env, const unsigned int
+ if (c->mode == CM_P2P || c->mode == CM_TOP)
+ do_option_warnings (c);
+
+- /* inherit environmental variables */
+- if (env)
+- do_inherit_env (c, env);
+-
+ #ifdef ENABLE_PLUGIN
+ /* initialize plugins */
+ if (c->mode == CM_P2P || c->mode == CM_TOP)
diff --git a/security/openvpn/files/openvpn-client.in b/security/openvpn/files/openvpn-client.in
new file mode 100644
index 000000000000..471757811795
--- /dev/null
+++ b/security/openvpn/files/openvpn-client.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec %%PREFIX%%/sbin/openvpn --script-security 2 \
+ --up %%PREFIX%%/libexec/openvpn-client.up \
+ --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \
+ --config "$@"
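Review bot: The wrapper passes `--config "$@"` unconditionally, so running `openvpn-client` with no arguments hands openvpn a bare `--config` and the failure is reported by openvpn rather than by the script, and any option a user places before the config path is consumed as the config filename. A guard such as `[ $# -ge 1 ] || { echo "usage: ${0##*/} config.ovpn [openvpn options ...]" >&2; exit 64; }` before the `exec` makes the contract explicit and matches the `openvpn-client <spec>.ovpn` usage given in pkg-message. The script also turns on `--script-security 2` and routes the down script through the down-root plugin without saying why; a short comment such as `# script-security 2 permits the up/down scripts below; the down script runs via the down-root plugin because openvpn may have dropped privileges by then` would document the intent for anyone auditing what this wrapper enables.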
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-client b/security/openvpn/files/patch-sample__sample-config-files__loopback-client
index 47cac942e0b9..4a0fb8d4594f 100644
--- a/security/openvpn/files/patch-sample__sample-config-files__loopback-client
+++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-client
@@ -1,5 +1,5 @@
---- ./sample/sample-config-files/loopback-client.orig 2012-09-10 17:01:08.000000000 +0200
-+++ ./sample/sample-config-files/loopback-client 2013-01-11 21:30:07.000000000 +0100
+--- sample/sample-config-files/loopback-client.orig 2014-11-29 14:59:45 UTC
++++ sample/sample-config-files/loopback-client
@@ -9,8 +9,8 @@
# ./openvpn --config sample-config-files/loopback-client (In one window)
# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-server b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
index cd55ac640678..b085d7605482 100644
--- a/security/openvpn/files/patch-sample__sample-config-files__loopback-server
+++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
@@ -1,5 +1,5 @@
---- ./sample/sample-config-files/loopback-server.orig 2012-09-10 17:01:08.000000000 +0200
-+++ ./sample/sample-config-files/loopback-server 2013-01-11 21:30:07.000000000 +0100
+--- sample/sample-config-files/loopback-server.orig 2014-11-29 14:59:45 UTC
++++ sample/sample-config-files/loopback-server
@@ -9,8 +9,8 @@
# ./openvpn --config sample-config-files/loopback-client (In one window)
# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
diff --git a/security/openvpn/files/patch-tests__t_cltsrv.sh b/security/openvpn/files/patch-tests__t_cltsrv.sh
index cfbee969db89..390c2134a0ac 100644
--- a/security/openvpn/files/patch-tests__t_cltsrv.sh
+++ b/security/openvpn/files/patch-tests__t_cltsrv.sh
@@ -1,5 +1,5 @@
---- ./tests/t_cltsrv.sh.orig 2013-05-31 14:00:07.000000000 +0200
-+++ ./tests/t_cltsrv.sh 2014-01-27 18:51:13.000000000 +0100
+--- tests/t_cltsrv.sh.orig 2014-11-29 14:59:46 UTC
++++ tests/t_cltsrv.sh
@@ -1,7 +1,7 @@
#! /bin/sh
#
@@ -9,7 +9,7 @@
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
-@@ -22,8 +22,9 @@
+@@ -22,8 +22,9 @@ set -e
srcdir="${srcdir:-.}"
top_srcdir="${top_srcdir:-..}"
top_builddir="${top_builddir:-..}"
@@ -21,7 +21,7 @@
addopts=
case `uname -s` in
FreeBSD)
-@@ -45,18 +46,38 @@
+@@ -45,18 +46,38 @@ esac
# make sure that the --down script is executable -- fail (rather than
# skip) test if it isn't.
downscript="../tests/t_cltsrv-down.sh"
diff --git a/security/openvpn/files/pkg-message.in b/security/openvpn/files/pkg-message.in
index 57da107dbe67..8c1eaa14b3b2 100644
--- a/security/openvpn/files/pkg-message.in
+++ b/security/openvpn/files/pkg-message.in
@@ -2,6 +2,10 @@
### Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
### startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
### ------------------------------------------------------------------------
+### Connect to VPN server as a client with this command to include
+### the client.up/down scripts in the initialization:
+### openvpn-client <spec>.ovpn
+### ------------------------------------------------------------------------
### For compatibility notes when interoperating with older OpenVPN
### versions, please, see <http://openvpn.net/relnotes.html>
### ------------------------------------------------------------------------
diff --git a/security/openvpn/pkg-plist b/security/openvpn/pkg-plist
index f3d2222bba66..2069cc44c6e4 100644
--- a/security/openvpn/pkg-plist
+++ b/security/openvpn/pkg-plist
@@ -3,3 +3,6 @@ lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.so
man/man8/openvpn.8.gz
sbin/openvpn
+sbin/openvpn-client
+libexec/openvpn-client.up
+libexec/openvpn-client.down