From 6853ab171eff406db8b2451117bae397f926f4d2 Mon Sep 17 00:00:00 2001 
From: Matthias Andree Date: Wed, 25 Jan 2023 23:29:50 +0100 Subject: security/openvpn*: update to 2.6.0, keep openvpn25 - copy openvpn to openvpn25, mark as deprecated and to expire March 31 - update openvpn to openvpn 2.6.0, highlights from Frank Lichtenheld's release announcement e-mail, slightly edited: * Data Channel Offload (DCO) kernel acceleration support for Windows, Linux, and FreeBSD [14]. * OpenSSL 3 support * Improved handling of tunnel MTU, including support for pushable MTU. * Outdated cryptographic algorithms disabled by default, but there are options to override if necessary. * Reworked TLS handshake, making OpenVPN immune to replay-packet state exhaustion attacks. * Added --peer-fingerprint mode for a more simplistic certificate setup and verification. * Improved protocol negotiation, leading to faster connection setup. ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.6.0/Changes.rst --- UPDATING | 10 ++ security/Makefile | 1 + security/openvpn/Makefile | 30 ++-- security/openvpn/distinfo | 6 +- security/openvpn/files/ovpn_dco_freebsd.h | 71 +++++++++ .../patch-doc_man-sections_generic-options.rst | 11 ++ security/openvpn/files/patch-doc_openvpn.8 | 20 --- security/openvpn/files/patch-doc_openvpn.8.html | 20 --- .../files/patch-src_openvpn_openssl__compat.h | 20 --- security/openvpn25/Makefile | 164 +++++++++++++++++++++ security/openvpn25/distinfo | 3 + security/openvpn25/files/openvpn-client.in | 6 + security/openvpn25/files/openvpn.in | 144 ++++++++++++++++++ security/openvpn25/files/patch-doc_openvpn.8 | 20 +++ security/openvpn25/files/patch-doc_openvpn.8.html | 20 +++ ...ch-sample__sample-config-files__loopback-client | 13 ++ ...ch-sample__sample-config-files__loopback-server | 13 ++ .../files/patch-src_openvpn_openssl__compat.h | 20 +++ .../files/patch-src_plugins_auth-pam_auth-pam.c | 10 ++ security/openvpn25/files/patch-tests__t_cltsrv.sh | 65 ++++++++ security/openvpn25/files/pkg-message.in | 34 +++++ 
security/openvpn25/files/up-script.sample | 27 ++++ security/openvpn25/pkg-descr | 5 + security/openvpn25/pkg-plist | 10 ++ 24 files changed, 670 insertions(+), 73 deletions(-) create mode 100644 security/openvpn/files/ovpn_dco_freebsd.h create mode 100644 security/openvpn/files/patch-doc_man-sections_generic-options.rst delete mode 100644 security/openvpn/files/patch-doc_openvpn.8 delete mode 100644 security/openvpn/files/patch-doc_openvpn.8.html delete mode 100644 security/openvpn/files/patch-src_openvpn_openssl__compat.h create mode 100644 security/openvpn25/Makefile create mode 100644 security/openvpn25/distinfo create mode 100644 security/openvpn25/files/openvpn-client.in create mode 100644 security/openvpn25/files/openvpn.in create mode 100644 security/openvpn25/files/patch-doc_openvpn.8 create mode 100644 security/openvpn25/files/patch-doc_openvpn.8.html create mode 100644 security/openvpn25/files/patch-sample__sample-config-files__loopback-client create mode 100644 security/openvpn25/files/patch-sample__sample-config-files__loopback-server create mode 100644 security/openvpn25/files/patch-src_openvpn_openssl__compat.h create mode 100644 security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c create mode 100644 security/openvpn25/files/patch-tests__t_cltsrv.sh create mode 100644 security/openvpn25/files/pkg-message.in create mode 100644 security/openvpn25/files/up-script.sample create mode 100644 security/openvpn25/pkg-descr create mode 100644 security/openvpn25/pkg-plist diff --git a/UPDATING b/UPDATING index 5a3589afcb62..da07f5911da4 100644 --- a/UPDATING +++ b/UPDATING 
@@ -5,6 +5,16 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20230127: + AFFECTS: users of security/openvpn + AUTHOR: mandree@freebsd.org + + OpenVPN has been updated to the new upstream release v2.6.0, which + is quite compatible with v2.5 versions. + + A copy of the latest v2.5.8 port is being kept as security/openvpn25 (or + openvpn25 package) until end of March 2023. + 20230116: AFFECTS: users of sysutils/nut and sysutils/nut-devel AUTHOR: cy@freebsd.org diff --git a/security/Makefile b/security/Makefile index a45295338dd3..9024548d290a 100644 --- a/security/Makefile +++ b/security/Makefile @@ -419,6 +419,7 @@ SUBDIR += openvpn-auth-radius SUBDIR += openvpn-auth-script SUBDIR += openvpn-devel + SUBDIR += openvpn25 SUBDIR += opie SUBDIR += ophcrack SUBDIR += ossec-hids diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile index e14df3d594dc..409693652e0b 100644 --- a/security/openvpn/Makefile +++ b/security/openvpn/Makefile @@ -1,5 +1,5 @@ PORTNAME= openvpn -DISTVERSION= 2.5.8 +DISTVERSION= 2.6.0 PORTREVISION?= 0 CATEGORIES= security net net-vpn MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ 
@@ -8,24 +8,28 @@ MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ MAINTAINER= mandree@FreeBSD.org COMMENT?= Secure IP/Ethernet tunnel daemon -WWW= https://openvpn.net/community/ +WWW= https://openvpn.net/community/ LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL -USES= cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz +BUILD_DEPENDS+= cmocka>=0:sysutils/cmocka \ + rst2man:textproc/py-docutils@${PY_FLAVOR} + +USES= cpe libtool localbase:ldflags pkgconfig python:build shebangfix ssl USE_RC_SUBR= openvpn -SHEBANG_FILES= sample/sample-scripts/verify-cn \ - sample/sample-scripts/auth-pam.pl \ - sample/sample-scripts/ucn.pl +SHEBANG_FILES= sample/sample-scripts/auth-pam.pl \ + sample/sample-scripts/totpauth.py \ + sample/sample-scripts/ucn.pl \ + sample/sample-scripts/verify-cn GNU_CONFIGURE= yes CONFIGURE_ARGS+= --enable-strict --with-crypto-library=openssl # set PLUGIN_LIBDIR so that unqualified plugin paths are found: CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" -CONFLICTS_INSTALL?= openvpn-2.[!5].* openvpn-devel openvpn-mbedtls +CONFLICTS_INSTALL?= openvpn-2* openvpn-devel openvpn-mbedtls SUB_FILES= pkg-message openvpn-client @@ -35,10 +39,14 @@ GROUPS= openvpn PORTDOCS= * PORTEXAMPLES= * -OPTIONS_DEFINE= ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \ +OPTIONS_DEFINE= ASYNC_PUSH DCO DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \ TEST UNITTESTS X509ALTUSERNAME OPTIONS_DEFAULT= EASYRSA LZ4 LZO PKCS11 TEST +OPTIONS_EXCLUDE_FreeBSD_12= DCO # FreeBSD 14 only +OPTIONS_EXCLUDE_FreeBSD_13= DCO # FreeBSD 14 only + ASYNC_PUSH_DESC= Enable async-push support +DCO_DESC= Build with Data Channel Offload (ovpn(4)) support EASYRSA_DESC= Install security/easy-rsa RSA helper package LZO_DESC= LZO compression (incompatible with LibreSSL) PKCS11_DESC= Use security/pkcs11-helper, needs same SSL lib! 
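Review bot: `CONFLICTS_INSTALL?= openvpn-2* openvpn-devel openvpn-mbedtls` does not match the sibling package this same commit introduces, `openvpn25-2.5.8`, because that name begins with `openvpn25-` and the glob requires `openvpn-2`; only the reverse direction is covered (openvpn25's own list matches `openvpn-2.6.0`), so installing security/openvpn over an existing openvpn25 is caught only by pkg's file-level clash at install time instead of by the ports framework. Name the sibling explicitly, in the same bare form already used for `openvpn-devel`: `CONFLICTS_INSTALL?= openvpn-2* openvpn25 openvpn-devel openvpn-mbedtls`. The new unconditional `BUILD_DEPENDS+= cmocka>=0:sysutils/cmocka` presumably sits next to the `UNITTESTS_BUILD_DEPENDS= cmocka>=0:sysutils/cmocka` line that remains further down (it is visible in the openvpn25 copy); if 2.6.0's configure really needs cmocka even with unit tests off, a one-line comment saying so would stop the next maintainer from "de-duplicating" it.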
@@ -49,6 +57,8 @@ X509ALTUSERNAME_DESC= Enable --x509-username-field ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify ASYNC_PUSH_CONFIGURE_ENABLE= async-push +DCO_CONFIGURE_ENABLE= dco + EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 @@ -98,8 +108,9 @@ post-patch: ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ -e 's/"nobody"( after init)/"openvpn" \1/' \ ${WRKSRC}/sample/sample-config-files/*.conf \ - ${WRKSRC}/sample/sample-config-files/xinetd-*-config \ ${WRKSRC}/doc/man-sections/generic-options.rst + # this header file was missed from the 2.6.0 tarball + ${CP} ${FILESDIR}/ovpn_dco_freebsd.h ${WRKSRC}/src/openvpn/ # FIXME remove for 2.6.1 pre-configure: # just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional, @@ -142,7 +153,6 @@ post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down - @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client ${MKDIR} ${STAGEDIR}${PREFIX}/include diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo index b411c3f73145..7ba3f3c977d1 100644 --- a/security/openvpn/distinfo +++ b/security/openvpn/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1666977762 -SHA256 (openvpn-2.5.8.tar.xz) = 2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57 -SIZE (openvpn-2.5.8.tar.xz) = 1161288 +TIMESTAMP = 1674848325 +SHA256 (openvpn-2.6.0.tar.gz) = ebec933263c9850ef6f7ce125e2f22214be60b1cbb8ccff18892643fe083ae8f +SIZE (openvpn-2.6.0.tar.gz) = 1840792 
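Review bot: The `# FIXME remove for 2.6.1` sits at the end of the `${CP} ${FILESDIR}/ovpn_dco_freebsd.h ${WRKSRC}/src/openvpn/` recipe line, where it is part of the shell command rather than a Makefile comment and is easy to overlook on the next version bump; a comment line of its own above `post-patch:`, e.g. `# FIXME(2.6.1): drop the ovpn_dco_freebsd.h copy below, the 2.6.0 tarball omitted the file`, keeps the reminder out of the shell command and next to the target it concerns. The copy also runs for every build regardless of the DCO option; that is harmless, but if the header is only referenced by the DCO sources, a `post-patch-DCO-on:` target would state that dependency (whether 2.6.0 compiles the file in unconditionally is not visible here).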
diff --git a/security/openvpn/files/ovpn_dco_freebsd.h b/security/openvpn/files/ovpn_dco_freebsd.h new file mode 100644 index 000000000000..fec33835f007 --- /dev/null +++ b/security/openvpn/files/ovpn_dco_freebsd.h 
@@ -0,0 +1,71 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifndef _NET_IF_OVPN_H_ +#define _NET_IF_OVPN_H_ + +#include +#include + +/* Maximum size of an ioctl request. 
*/ +#define OVPN_MAX_REQUEST_SIZE 4096 + +enum ovpn_notif_type { + OVPN_NOTIF_DEL_PEER, +}; + +enum ovpn_del_reason { + OVPN_DEL_REASON_REQUESTED = 0, + OVPN_DEL_REASON_TIMEOUT = 1 +}; + +enum ovpn_key_slot { + OVPN_KEY_SLOT_PRIMARY = 0, + OVPN_KEY_SLOT_SECONDARY = 1 +}; + +enum ovpn_key_cipher { + OVPN_CIPHER_ALG_NONE = 0, + OVPN_CIPHER_ALG_AES_GCM = 1, + OVPN_CIPHER_ALG_CHACHA20_POLY1305 = 2 +}; + +#define OVPN_NEW_PEER _IO('D', 1) +#define OVPN_DEL_PEER _IO('D', 2) +#define OVPN_GET_STATS _IO('D', 3) +#define OVPN_NEW_KEY _IO('D', 4) +#define OVPN_SWAP_KEYS _IO('D', 5) +#define OVPN_DEL_KEY _IO('D', 6) +#define OVPN_SET_PEER _IO('D', 7) +#define OVPN_START_VPN _IO('D', 8) +#define OVPN_SEND_PKT _IO('D', 9) +#define OVPN_POLL_PKT _IO('D', 10) +#define OVPN_GET_PKT _IO('D', 11) +#define OVPN_SET_IFMODE _IO('D', 12) +#define OVPN_GET_PEER_STATS _IO('D', 13) + +#endif /* ifndef _NET_IF_OVPN_H_ */ diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst new file mode 100644 index 000000000000..295f20cd7f1f --- /dev/null +++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst @@ -0,0 +1,11 @@ +--- doc/man-sections/generic-options.rst.orig 2023-01-25 10:00:58 UTC ++++ doc/man-sections/generic-options.rst +@@ -507,5 +507,8 @@ which mode OpenVPN is configured as. + since it is usually used by other system services already. Always + create a dedicated user for openvpn. + ++ The FreeBSD port creates a group and user named :code:`openvpn` ++ for this purpose. ++ + --writepid file + Write OpenVPN's main process ID to ``file``. diff --git a/security/openvpn/files/patch-doc_openvpn.8 b/security/openvpn/files/patch-doc_openvpn.8 deleted file mode 100644 index a536dae76755..000000000000 --- a/security/openvpn/files/patch-doc_openvpn.8 +++ /dev/null 
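Review bot: The new `files/ovpn_dco_freebsd.h` carries no note of where it comes from or why the port ships it; the `_NET_IF_OVPN_H_` include guard and the Netgate copyright suggest a verbatim copy of FreeBSD's `sys/net/if_ovpn.h`, and the `OVPN_*` `_IO('D', n)` request codes are kernel ioctl ABI that must stay identical to the header of the kernel the binary runs on. A short comment under the license block would record that, e.g. `/* Verbatim copy of FreeBSD sys/net/if_ovpn.h (taken from: <revision placeholder>), shipped only because the 2.6.0 tarball omits it; the ioctl numbers are kernel ABI, keep identical to the system header. */`. Because the guard is the same as the system header's, whichever of the two is included first in a translation unit silently wins, which is fine only as long as they really are identical. The `#include` targets are lost in this rendering, so I cannot check them.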
@@ -1,20 +0,0 @@ ---- doc/openvpn.8.orig 2021-10-05 05:57:01 UTC -+++ doc/openvpn.8 -@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior - .B \-\-persist\-key - Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&. - .sp --This option can be combined with \fB\-\-user nobody\fP to allow restarts -+This option can be combined with \fB\-\-user openvpn\fP to allow restarts - triggered by the \fBSIGUSR1\fP signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re\-read protected key files. -@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho - able to gain control of an OpenVPN session. Though OpenVPN\(aqs security - features make this unlikely, it is provided as a second line of defense. - .sp --By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged, -+By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged, - the hostile party would be limited in what damage they could cause. Of - course once you take away privileges, you cannot return them to an - OpenVPN session. This means, for example, that if you want to reset an diff --git a/security/openvpn/files/patch-doc_openvpn.8.html b/security/openvpn/files/patch-doc_openvpn.8.html deleted file mode 100644 index 5b1e8e805e13..000000000000 --- a/security/openvpn/files/patch-doc_openvpn.8.html +++ /dev/null @@ -1,20 +0,0 @@ ---- doc/openvpn.8.html.orig 2021-10-05 05:57:01 UTC -+++ doc/openvpn.8.html -@@ -650,7 +650,7 @@ lower priority, n le - - --persist-key -

Don't re-read key files across SIGUSR1 or --ping-restart.

--

This option can be combined with --user nobody to allow restarts -+

This option can be combined with --user openvpn to allow restarts - triggered by the SIGUSR1 signal. Normally if you drop root - privileges in OpenVPN, the daemon cannot be restarted since it will now - be unable to re-read protected key files.

-@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th - useful to protect the system in the event that some hostile party was - able to gain control of an OpenVPN session. Though OpenVPN's security - features make this unlikely, it is provided as a second line of defense.

--

By setting user to nobody or somebody similarly unprivileged, -+

By setting user to openvpn or somebody similarly unprivileged, - the hostile party would be limited in what damage they could cause. Of - course once you take away privileges, you cannot return them to an - OpenVPN session. This means, for example, that if you want to reset an diff --git a/security/openvpn/files/patch-src_openvpn_openssl__compat.h b/security/openvpn/files/patch-src_openvpn_openssl__compat.h deleted file mode 100644 index 2d68b96e8580..000000000000 --- a/security/openvpn/files/patch-src_openvpn_openssl__compat.h +++ /dev/null @@ -1,20 +0,0 @@ ---- src/openvpn/openssl_compat.h.orig 2020-04-16 13:26:45 UTC -+++ src/openvpn/openssl_compat.h -@@ -747,7 +747,7 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx) - } - #endif /* SSL_CTX_get_max_proto_version */ - --#ifndef SSL_CTX_set_min_proto_version -+#if !defined(SSL_CTX_set_min_proto_version) && !defined(LIBRESSL_VERSION_NUMBER) - /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */ - static inline int - SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min) -@@ -776,7 +776,7 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_v - } - #endif /* SSL_CTX_set_min_proto_version */ - --#ifndef SSL_CTX_set_max_proto_version -+#if !defined(SSL_CTX_set_max_proto_version) && !defined(LIBRESSL_VERSION_NUMBER) - /** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ - static inline int - SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) diff --git a/security/openvpn25/Makefile b/security/openvpn25/Makefile new file mode 100644 index 000000000000..565e30bd381c --- /dev/null +++ b/security/openvpn25/Makefile 
@@ -0,0 +1,164 @@ +PORTNAME= openvpn +DISTVERSION= 2.5.8 +PORTREVISION?= 0 +CATEGORIES= security net net-vpn +MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \ + https://build.openvpn.net/downloads/releases/ \ + LOCAL/mandree +PKGNAMESUFFIX= 25 + +MAINTAINER= mandree@FreeBSD.org +COMMENT?= Secure IP/Ethernet tunnel daemon +WWW= https://openvpn.net/community/ + +LICENSE= GPLv2 +LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL + +DEPRECATED= replaced by new upstream release 2.6.0 +EXPIRATION_DATE= 2023-03-31 + +USES= cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz +USE_RC_SUBR= openvpn + +SHEBANG_FILES= sample/sample-scripts/verify-cn \ + sample/sample-scripts/auth-pam.pl \ + sample/sample-scripts/ucn.pl + +GNU_CONFIGURE= yes +CONFIGURE_ARGS+= --enable-strict --with-crypto-library=openssl +# set PLUGIN_LIBDIR so that unqualified plugin paths are found: +CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins" + +CONFLICTS_INSTALL?= openvpn-2* openvpn-devel openvpn-mbedtls + +SUB_FILES= pkg-message openvpn-client + +USERS= openvpn +GROUPS= openvpn + +PORTDOCS= * +PORTEXAMPLES= * + +OPTIONS_DEFINE= ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \ + TEST UNITTESTS X509ALTUSERNAME +OPTIONS_DEFAULT= EASYRSA LZ4 LZO PKCS11 TEST +ASYNC_PUSH_DESC= Enable async-push support +EASYRSA_DESC= Install security/easy-rsa RSA helper package +LZO_DESC= LZO compression (incompatible with LibreSSL) +PKCS11_DESC= Use security/pkcs11-helper, needs same SSL lib! 
+SMALL_DESC= Build a smaller executable with fewer features +UNITTESTS_DESC= Enable unit tests +X509ALTUSERNAME_DESC= Enable --x509-username-field + +ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify +ASYNC_PUSH_CONFIGURE_ENABLE= async-push + +EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa + +LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4 +LZ4_CONFIGURE_ENABLE= lz4 + +LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2 +LZO_CONFIGURE_ENABLE= lzo + +PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper +PKCS11_CONFIGURE_ENABLE= pkcs11 + +SMALL_CONFIGURE_ENABLE= small + +TEST_ALL_TARGET= check +TEST_TEST_TARGET_OFF= check + +UNITTESTS_BUILD_DEPENDS= cmocka>=0:sysutils/cmocka +UNITTESTS_CONFIGURE_ENABLE= unit-tests + +X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username + +.ifdef (LOG_OPENVPN) +CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} +.endif + +.include + +.if ${PORT_OPTIONS:MLZO} +IGNORE_SSL=libressl libressl-devel +IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support +.endif + +.if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO} +CONFIGURE_ARGS+= --enable-comp-stub +.endif + +.include + +.if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*) +# in-depth security net if Mk/Uses/ssl.mk changes +pre-everything:: + @${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support." 
+ @${SHELL} -c 'exit 1' +.endif + +post-patch: + ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \ + -e 's/"nobody"( after init)/"openvpn" \1/' \ + ${WRKSRC}/sample/sample-config-files/*.conf \ + ${WRKSRC}/sample/sample-config-files/xinetd-*-config \ + ${WRKSRC}/doc/man-sections/generic-options.rst + +pre-configure: + # just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional, + # and unused-function affects test---these are developer-side warnings, not relevant on end systems + ${REINPLACE_CMD} 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' ${WRKSRC}/configure +.ifdef (LOG_OPENVPN) + @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" +.else + @${ECHO} "" + @${ECHO} "You may use the following build options:" + @${ECHO} "" + @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" + @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" + @${ECHO} "" +.endif +.if !empty(SSL_DEFAULT:Mlibressl*) + @${ECHO} "### --------------------------------------------------------- ###" + @${ECHO} "### NOTE that libressl is not primarily supported by OpenVPN ###" + @${ECHO} "### Do not report bugs without fixes/patches unless the issue ###" + @${ECHO} "### can be reproduced with a released OpenSSL version. 
###" + @${ECHO} "### --------------------------------------------------------- ###" + @sleep 10 +.endif + +post-configure: + ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \ + ${WRKSRC}/src/plugins/auth-pam/Makefile \ + ${WRKSRC}/src/plugins/down-root/Makefile + +# sanity check that we don't inherit incompatible SSL libs through, +# for instance, pkcs11-helper: +_tlslibs=libssl libcrypto +post-build: + @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \ + | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\ + if test "$$*" != "1" ; then ( set -x ; ldd -a ${WRKSRC}/src/openvpn/openvpn ) ; ${PRINTF} '%s\n' "$$a" ; ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi + +post-install: + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so + ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up + ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down + @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up + ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client + ${MKDIR} ${STAGEDIR}${PREFIX}/include + +post-install-DOCS-on: + ${MKDIR} ${STAGEDIR}${DOCSDIR}/ +.for i in AUTHORS ChangeLog PORTS + ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ +.endfor + +post-install-EXAMPLES-on: + (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) + ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* + ${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig + +.include diff --git a/security/openvpn25/distinfo b/security/openvpn25/distinfo new file mode 100644 index 000000000000..b411c3f73145 
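Review bot: `COMMENT?= Secure IP/Ethernet tunnel daemon` is byte-identical to security/openvpn's, so `pkg search openvpn` shows two packages with the same one-line description and nothing indicating that this one is the deprecated 2.5 branch; `COMMENT?= Secure IP/Ethernet tunnel daemon (legacy 2.5 branch)` would disambiguate. Since the rest of the file is a verbatim snapshot of the 2.5.8 port, a one-line comment next to `DEPRECATED=` noting that any further 2.5.x fix (for example a security-driven 2.5.9 release) has to be applied here separately from security/openvpn would help whoever handles it before the 2023-03-31 expiry. The `.include` lines have lost their file names in this rendering, so I cannot check their placement.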
--- /dev/null +++ b/security/openvpn25/distinfo @@ -0,0 +1,3 @@ +TIMESTAMP = 1666977762 +SHA256 (openvpn-2.5.8.tar.xz) = 2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57 +SIZE (openvpn-2.5.8.tar.xz) = 1161288 diff --git a/security/openvpn25/files/openvpn-client.in b/security/openvpn25/files/openvpn-client.in new file mode 100644 index 000000000000..471757811795 --- /dev/null +++ b/security/openvpn25/files/openvpn-client.in @@ -0,0 +1,6 @@ +#!/bin/sh + +exec %%PREFIX%%/sbin/openvpn --script-security 2 \ + --up %%PREFIX%%/libexec/openvpn-client.up \ + --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \ + --config "$@" diff --git a/security/openvpn25/files/openvpn.in b/security/openvpn25/files/openvpn.in new file mode 100644 index 000000000000..9a59ed6f011e --- /dev/null +++ b/security/openvpn25/files/openvpn.in 
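Review bot: The `openvpn-client.in` wrapper hard-wires `--script-security 2`, runs the `contrib/pull-resolv-conf` up script before any privilege drop the config may request, uses `openvpn-plugin-down-root.so` so the down script keeps root privileges by that plugin's design, and with `--config "$@"` forwards every argument after the first to openvpn as further options; none of this is stated in the script, which is what an administrator reads first. A short header would make the contract explicit, e.g. `# Start openvpn with root-privileged up/down scripts (script-security 2, down-root plugin) that rewrite resolv.conf from pushed DNS options; the first argument is the config file, all further arguments are passed through to openvpn.`.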
@@ -0,0 +1,144 @@ +#!/bin/sh +# +# openvpn.sh - load tun/tap driver and start OpenVPN daemon +# +# (C) Copyright 2005 - 2008, 2010 by Matthias Andree +# based on suggestions by Matthias Grimm and Dirk Gouders +# with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev +# and Vasil Dimov +# softrestart feature suggested by Nick Hibma +# +# This program is free software; you can redistribute it and/or modify it under +# the terms of the GNU General Public License as published by the Free Software +# Foundation; either version 2 of the License, or (at your option) any later +# version. +# +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +# details. +# +# You should have received a copy of the GNU General Public License along with +# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin +# Street, Fifth Floor, Boston, MA 02110-1301, USA. + +# PROVIDE: openvpn +# REQUIRE: DAEMON +# KEYWORD: shutdown + +# ----------------------------------------------------------------------------- +# +# This script supports running multiple instances of openvpn. +# To run additional instances link this script to something like +# % ln -s openvpn openvpn_foo +# and define additional openvpn_foo_* variables in one of +# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo +# +# Below NAME should be substituted with the name of this script. By default +# it is openvpn, so read as openvpn_enable. If you linked the script to +# openvpn_foo, then read as openvpn_foo_enable etc. +# +# The following variables are supported (defaults are shown). 
+# You can place them in any of +# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME +# +# NAME_enable="NO" # set to YES to enable openvpn +# NAME_if= # driver(s) to load, set to "tun", "tap" or "tun tap" +# # it is OK to specify the if_ prefix. +# +# # optional: +# NAME_flags= # additional command line arguments +# NAME_configfile="%%PREFIX%%/etc/openvpn/NAME.conf" # --config file +# NAME_dir="%%PREFIX%%/etc/openvpn" # --cd directory +# +# You also need to set NAME_configfile and NAME_dir, if the configuration +# file and directory where keys and certificates reside differ from the above +# settings. +# +# Note that we deliberately refrain from unloading drivers. +# +# For further documentation, please see openvpn(8). +# + +. /etc/rc.subr + +# service(8) does not create an authentic environment, try to guess, +# and as of 10.3-RELEASE-p0, it will not find the indented name= +# assignments below. So give it a default. +# Trailing semicolon also for service(8)'s benefit: +name="$file" ; + +case "$0" in +/etc/rc*) + # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown), + # so get the name of the script from $_file + name="$_file" + ;; +*/service) + # do not use this as $0 + ;; +*) + name="$0" + ;; +esac + +# default name to "openvpn" if guessing failed +# Trailing semicolon also for service(8)'s benefit: +name="${name:-openvpn}" ; +name="${name##*/}" +rcvar=${name}_enable + +stop_postcmd() +{ + rm -f "$pidfile" || warn "Could not remove $pidfile." +} + +softrestart() +{ + sig_reload=USR1 run_rc_command reload + exit $? 
+} + +openvpn_stats() +{ + sig_reload=USR2 + run_rc_command ${rc_prefix}reload $rc_extra_args +} + +# reload: support SIGHUP to reparse configuration file +# softrestart: support SIGUSR1 to reconnect without superuser privileges +# stats: support SIGUSR2 to write statistics to the syslog +extra_commands="reload softrestart stats" +softrestart_cmd="softrestart" +stats_cmd="openvpn_stats" + +# pidfile +pidfile="/var/run/${name}.pid" + +# command and arguments +command="%%PREFIX%%/sbin/openvpn" + +# run this last +stop_postcmd="stop_postcmd" + +load_rc_config ${name} + +eval ": \${${name}_enable:=\"NO\"}" +eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}" +eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}" + +configfile="$(eval echo \${${name}_configfile})" +dir="$(eval echo \${${name}_dir})" +interfaces="$(eval echo \${${name}_if})" +flags="$(eval echo \${${name}_flags})" + +required_modules= +for i in $interfaces ; do + required_modules="$required_modules${required_modules:+" "}if_${i#if_}" +done + +required_files=${configfile} + +command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile} ${flags}" + +run_rc_command "$1" diff --git a/security/openvpn25/files/patch-doc_openvpn.8 b/security/openvpn25/files/patch-doc_openvpn.8 new file mode 100644 index 000000000000..a536dae76755 --- /dev/null +++ b/security/openvpn25/files/patch-doc_openvpn.8 
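Review bot: `name` is derived from the basename of `$0` (or `$_file`/`$file`) and then spliced into `eval ": \${${name}_enable:=\"NO\"}"` and the three `eval echo \${${name}_...}` lines, so the script silently assumes the instance symlink name is a valid shell identifier; a link named `openvpn-foo` is misparsed (the `-` becomes the `${var-default}` operator) rather than rejected. A comment at `name="${name##*/}"` stating the constraint, e.g. `# name must be a valid shell identifier (no '-' or '.'); it is interpolated into the eval calls below`, would make the `ln -s openvpn openvpn_foo` example in the header look deliberate rather than incidental. Alternatively reject bad names up front with `case "$name" in *[!A-Za-z0-9_]*) err 1 "invalid instance name: $name" ;; esac` after the default is applied.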
@@ -0,0 +1,20 @@ +--- doc/openvpn.8.orig 2021-10-05 05:57:01 UTC ++++ doc/openvpn.8 +@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior + .B \-\-persist\-key + Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&. + .sp +-This option can be combined with \fB\-\-user nobody\fP to allow restarts ++This option can be combined with \fB\-\-user openvpn\fP to allow restarts + triggered by the \fBSIGUSR1\fP signal. Normally if you drop root + privileges in OpenVPN, the daemon cannot be restarted since it will now + be unable to re\-read protected key files. +@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho + able to gain control of an OpenVPN session. Though OpenVPN\(aqs security + features make this unlikely, it is provided as a second line of defense. + .sp +-By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged, ++By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged, + the hostile party would be limited in what damage they could cause. Of + course once you take away privileges, you cannot return them to an + OpenVPN session. This means, for example, that if you want to reset an diff --git a/security/openvpn25/files/patch-doc_openvpn.8.html b/security/openvpn25/files/patch-doc_openvpn.8.html new file mode 100644 index 000000000000..5b1e8e805e13 --- /dev/null +++ b/security/openvpn25/files/patch-doc_openvpn.8.html @@ -0,0 +1,20 @@ +--- doc/openvpn.8.html.orig 2021-10-05 05:57:01 UTC ++++ doc/openvpn.8.html +@@ -650,7 +650,7 @@ lower priority, n le + + --persist-key +

Don't re-read key files across SIGUSR1 or --ping-restart.

+-

This option can be combined with --user nobody to allow restarts ++

This option can be combined with --user openvpn to allow restarts + triggered by the SIGUSR1 signal. Normally if you drop root + privileges in OpenVPN, the daemon cannot be restarted since it will now + be unable to re-read protected key files.

+@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th + useful to protect the system in the event that some hostile party was + able to gain control of an OpenVPN session. Though OpenVPN's security + features make this unlikely, it is provided as a second line of defense.

+-

By setting user to nobody or somebody similarly unprivileged, ++

By setting user to openvpn or somebody similarly unprivileged, + the hostile party would be limited in what damage they could cause. Of + course once you take away privileges, you cannot return them to an + OpenVPN session. This means, for example, that if you want to reset an diff --git a/security/openvpn25/files/patch-sample__sample-config-files__loopback-client b/security/openvpn25/files/patch-sample__sample-config-files__loopback-client new file mode 100644 index 000000000000..0b485a641d8a --- /dev/null +++ b/security/openvpn25/files/patch-sample__sample-config-files__loopback-client @@ -0,0 +1,13 @@ +--- sample/sample-config-files/loopback-client.orig 2016-08-23 14:16:22 UTC ++++ sample/sample-config-files/loopback-client +@@ -9,8 +9,8 @@ + # ./openvpn --config sample-config-files/loopback-client (In one window) + # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) + +-rport 16000 +-lport 16001 ++rport 16100 ++lport 16101 + remote localhost + local localhost + dev null diff --git a/security/openvpn25/files/patch-sample__sample-config-files__loopback-server b/security/openvpn25/files/patch-sample__sample-config-files__loopback-server new file mode 100644 index 000000000000..58691b133de7 --- /dev/null +++ b/security/openvpn25/files/patch-sample__sample-config-files__loopback-server @@ -0,0 +1,13 @@ +--- sample/sample-config-files/loopback-server.orig 2016-08-23 14:16:22 UTC ++++ sample/sample-config-files/loopback-server +@@ -9,8 +9,8 @@ + # ./openvpn --config sample-config-files/loopback-client (In one window) + # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) + +-rport 16001 +-lport 16000 ++rport 16101 ++lport 16100 + remote localhost + local localhost + dev null diff --git a/security/openvpn25/files/patch-src_openvpn_openssl__compat.h b/security/openvpn25/files/patch-src_openvpn_openssl__compat.h new file mode 100644 index 000000000000..2d68b96e8580 --- /dev/null 
+++ b/security/openvpn25/files/patch-src_openvpn_openssl__compat.h @@ -0,0 +1,20 @@ +--- src/openvpn/openssl_compat.h.orig 2020-04-16 13:26:45 UTC ++++ src/openvpn/openssl_compat.h +@@ -747,7 +747,7 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx) + } + #endif /* SSL_CTX_get_max_proto_version */ + +-#ifndef SSL_CTX_set_min_proto_version ++#if !defined(SSL_CTX_set_min_proto_version) && !defined(LIBRESSL_VERSION_NUMBER) + /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */ + static inline int + SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min) +@@ -776,7 +776,7 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_v + } + #endif /* SSL_CTX_set_min_proto_version */ + +-#ifndef SSL_CTX_set_max_proto_version ++#if !defined(SSL_CTX_set_max_proto_version) && !defined(LIBRESSL_VERSION_NUMBER) + /** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ + static inline int + SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) diff --git a/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c b/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c new file mode 100644 index 000000000000..633bc0f0204d --- /dev/null +++ b/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c @@ -0,0 +1,10 @@ +--- src/plugins/auth-pam/auth-pam.c.orig 2021-06-21 04:44:39 UTC ++++ src/plugins/auth-pam/auth-pam.c +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/security/openvpn25/files/patch-tests__t_cltsrv.sh b/security/openvpn25/files/patch-tests__t_cltsrv.sh new file mode 100644 index 000000000000..9d0af3691c87 --- /dev/null +++ b/security/openvpn25/files/patch-tests__t_cltsrv.sh 
@@ -0,0 +1,65 @@
+--- tests/t_cltsrv.sh.orig 2016-08-23 13:10:22 UTC
++++ tests/t_cltsrv.sh
+@@ -1,7 +1,7 @@
+ #! /bin/sh
+ #
+ # t_cltsrv.sh - script to test OpenVPN's crypto loopback
+-# Copyright (C) 2005, 2006, 2008 Matthias Andree
++# Copyright (C) 2005 - 2014 Matthias Andree
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -22,8 +22,9 @@ set -e
+ srcdir="${srcdir:-.}"
+ top_srcdir="${top_srcdir:-..}"
+ top_builddir="${top_builddir:-..}"
+-trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+-trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
++root="${top_srcdir}/sample"
++trap "rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
++trap "a=\$? ; rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; test \$a = 0 && exit 1 || exit \$a" 0 3
+ addopts=
+ case `uname -s` in
+ FreeBSD)
+@@ -45,18 +46,38 @@ esac
+ # make sure that the --down script is executable -- fail (rather than
+ # skip) test if it isn't.
+ downscript="../tests/t_cltsrv-down.sh"
+-root="${top_srcdir}/sample"
+ test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; }
+ echo "The following test will take about two minutes." >&2
+ echo "If the addresses are in use, this test will retry up to two times."
>&2 + ++set -- $(ifconfig lo0 | grep -E '\&2 "### NO ADDRESSES ON LOOPBACK INTERFACE lo0, SKIPPING TEST ###" ++ exit 77 ++fi ++if [ "inet6" = "$1" ] ; then ++ add='proto udp6 ' ++fi ++for i in server client ; do ++ sed -e "s|localhost|${2%/*}|" -e "/^remote /a\\ ++$add" ${root}/sample-config-files/loopback-$i \ ++ >${root}/sample-config-files/loopback-$i.test ++done ++ + # go + success=0 + for i in 1 2 3 ; do + set +e + ( +- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" & +- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client" ++ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \ ++ --cd "${root}" ${addopts} --setenv role srv \ ++ --down "${downscript}" --tls-exit --ping-exit 180 \ ++ --config "sample-config-files/loopback-server.test" & ++ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \ ++ --cd "${top_srcdir}/sample" ${addopts} --setenv role clt \ ++ --down "${downscript}" --tls-exit --ping-exit 180 \ ++ --config "sample-config-files/loopback-client.test" + ) 3>log.$$.signal >log.$$ 2>&1 + e1=$? + wait $! diff --git a/security/openvpn25/files/pkg-message.in b/security/openvpn25/files/pkg-message.in new file mode 100644 index 000000000000..c527aec28683 --- /dev/null +++ b/security/openvpn25/files/pkg-message.in 
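Review bot: The client invocation in the last inner hunk still passes `--cd "${top_srcdir}/sample"` while the server invocation uses `--cd "${root}"`, even though this patch now defines `root="${top_srcdir}/sample"` ahead of both traps; using `--cd "${root}"` for the client too leaves one source of truth for the working directory. In the same vein, `${root}` is expanded unquoted inside both trap strings (`rm -f ${root}/sample-config-files/loopback-*.test`), so a `top_srcdir` containing whitespace would split the rm argument; writing it as `rm -f \"${root}\"/sample-config-files/loopback-*.test` keeps the glob while protecting the prefix. The `ifconfig lo0`/`sed` block between the echo lines and the `# go` marker is garbled in this rendering, so its address parsing and the `exit 77` skip path were not reviewed; the enclosing retry loop continues past the end of the hunk.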
@@ -0,0 +1,34 @@ +[ +{ type: install + message: <.ovpn + +For compatibility notes when interoperating with older OpenVPN +versions, please see + +Note that OpenVPN does not officially support LibreSSL. + +Note that OpenVPN configures a separate user and group "openvpn", +which should be used instead of the NFS user "nobody" +when an unprivileged user account is desired. + +You may want to add user openvpn and group openvpn when creating your +configuration files, the example configuration shows this only as comments. +EOM +} +{ type: upgrade + message: <