authorRenato Botelho <garga@FreeBSD.org>2005-08-19 18:48:34 +0000
committerRenato Botelho <garga@FreeBSD.org>2005-08-19 18:48:34 +0000
commit0f64e52705d69159d709754fd9a48a6623a6cd96 (patch)
tree59b40faa77773bf366e51b65a76c5fb31234cb4d /security
parentc8adfc87dbf37ec4b430fbd74910f1126323f9f4 (diff)
- Security update to version 2.0.1, fixing four denial of service bugs,
CAN-2005-2531, CAN-2005-2532, CAN-2005-2533, CAN-2005-2534 - Drop old init script and add a modern rcNG script in its place, requested by Matthias Grimm and Dirk Gouders (although the script below is one I, Matthias Andree, wrote). It can automatically load tun/tap drivers. - move pkg-message to files/pkg-message.in, revise it, list it in SUB_FILES to expand ${PREFIX}. - print pkg-message after installation from port - switch to official "make check" as smoke-test, rather than wiring our own. - prefer LZO2 in most situations, as OpenVPN will pick up LZO2 rather than LZO1 if both are installed. PR: ports/85109 Submitted by: maintainer Approved by: portmgr (krion)
Notes
Notes: svn path=/head/; revision=140936
Diffstat (limited to 'security')
-rw-r--r--security/openvpn-devel/Makefile32
-rw-r--r--security/openvpn-devel/distinfo4
-rw-r--r--security/openvpn-devel/files/openvpn.sh.in99
-rw-r--r--security/openvpn-devel/files/openvpn.sh.sample19
-rw-r--r--security/openvpn-devel/files/pkg-message.in18
-rw-r--r--security/openvpn-devel/pkg-message20
-rw-r--r--security/openvpn-devel/pkg-plist21
-rw-r--r--security/openvpn/Makefile32
-rw-r--r--security/openvpn/distinfo4
-rw-r--r--security/openvpn/files/openvpn.sh.in99
-rw-r--r--security/openvpn/files/openvpn.sh.sample19
-rw-r--r--security/openvpn/files/pkg-message.in18
-rw-r--r--security/openvpn/pkg-message20
-rw-r--r--security/openvpn/pkg-plist21
-rw-r--r--security/openvpn20/Makefile32
-rw-r--r--security/openvpn20/distinfo4
-rw-r--r--security/openvpn20/files/openvpn.sh.in99
-rw-r--r--security/openvpn20/files/openvpn.sh.sample19
-rw-r--r--security/openvpn20/files/pkg-message.in18
-rw-r--r--security/openvpn20/pkg-message20
-rw-r--r--security/openvpn20/pkg-plist21
21 files changed, 471 insertions, 168 deletions
diff --git a/security/openvpn-devel/Makefile b/security/openvpn-devel/Makefile
index b39638afd95c..aa1e99cb11af 100644
--- a/security/openvpn-devel/Makefile
+++ b/security/openvpn-devel/Makefile
@@ -1,21 +1,18 @@
# New ports collection makefile for: openvpn
# Date created: 2002-06-23
-# Whom: Matthias Andree <matthias.andree@web.de>
+# Whom: Matthias Andree <matthias.andree@gmx.de>
#
# $FreeBSD$
#
PORTNAME= openvpn
-DISTVERSION= 2.0
-PORTREVISION= 3
+DISTVERSION= 2.0.1
CATEGORIES= security
MASTER_SITES= http://openvpn.net/release/
MAINTAINER= matthias.andree@gmx.de
COMMENT= Secure IP/Ethernet tunnel daemon
-LIB_DEPENDS= lzo.1:${PORTSDIR}/archivers/lzo
-
GNU_CONFIGURE= yes
USE_OPENSSL= yes
CONFIGURE_TARGET= --build=${ARCH}-portbld-freebsd${OSREL}
@@ -26,25 +23,31 @@ MAN8= openvpn.8
OPTIONS= PW_SAVE "Interactive passwords may be read from a file" off
+USE_RC_SUBR= openvpn.sh
+
+SUB_FILES= pkg-message
+
.include <bsd.port.pre.mk>
+# NOTE: there is no way to explicitly specify the LZO version to OpenVPN,
+# if LZO2 and LZO1 are installed, OpenVPN will pick LZO2.
+# So depend on LZO1 only if it's already there and LZO2 isn't.
+# PACKAGE_BUILDING will also force LZO2.
+.if exists(${LOCALBASE}/lib/liblzo2.so.2) || !exists(${LOCALBASE}/lib/liblzo.so.1) || defined(PACKAGE_BUILDING)
+LIB_DEPENDS= lzo2.2:${PORTSDIR}/archivers/lzo2
+.else
+LIB_DEPENDS= lzo.1:${PORTSDIR}/archivers/lzo
+.endif
+
.if defined(WITH_PW_SAVE)
CONFIGURE_ARGS+= --enable-password-save
.endif
# self-tests here
post-build:
- ( set -e ; cd ${WRKSRC} && \
- ./openvpn --genkey --secret key && \
- ./openvpn --test-crypto --secret key && ${RM} key )
- ( set -e ; cd ${WRKSRC} && { \
- ./openvpn --config sample-config-files/loopback-server & \
- ./openvpn --config sample-config-files/loopback-client ; \
- wait ; })
+ cd ${WRKSRC} && ${MAKE} check
post-install:
- ${INSTALL_SCRIPT} ${FILESDIR}/openvpn.sh.sample \
- ${PREFIX}/etc/rc.d/openvpn.sh.sample
.if !defined(NOPORTDOCS)
${MKDIR} ${DOCSDIR}
.for docs in AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS \
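Review bot: The `.if exists(${LOCALBASE}/lib/liblzo2.so.2) || !exists(${LOCALBASE}/lib/liblzo.so.1) || defined(PACKAGE_BUILDING)` test decides LIB_DEPENDS from whatever is installed on the build host, so the same port revision can register a different compression library dependency on two machines. The NOTE comment explains the selection, but not that the result is fixed at build time. I would add a line such as `# The choice is made from the build host's state; rebuild this port after installing or removing archivers/lzo2.` so the registered dependency and the linked library do not drift apart unnoticed. The same hunk appears in security/openvpn/Makefile and security/openvpn20/Makefile, and the post-install target continues past the end of this hunk.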
@@ -56,5 +59,6 @@ post-install:
| ${GREP} -v easy-rsa/Windows \
| ${CPIO} -pdmu ${DOCSDIR} )
.endif
+ @${CAT} ${PKGMESSAGE}
.include <bsd.port.post.mk>
diff --git a/security/openvpn-devel/distinfo b/security/openvpn-devel/distinfo
index dd29196f185e..f52db739a88b 100644
--- a/security/openvpn-devel/distinfo
+++ b/security/openvpn-devel/distinfo
@@ -1,2 +1,2 @@
-MD5 (openvpn-2.0.tar.gz) = 7401faebc6baee9add32608709c54eec
-SIZE (openvpn-2.0.tar.gz) = 639201
+MD5 (openvpn-2.0.1.tar.gz) = fad7a08c0d68371c2c0e6428bcb98fa5
+SIZE (openvpn-2.0.1.tar.gz) = 662428
diff --git a/security/openvpn-devel/files/openvpn.sh.in b/security/openvpn-devel/files/openvpn.sh.in
new file mode 100644
index 000000000000..37d8ba5129de
--- /dev/null
+++ b/security/openvpn-devel/files/openvpn.sh.in
@@ -0,0 +1,99 @@
+#!/bin/sh
+#
+# openvpn.sh - load tun/tap driver and start OpenVPN daemon
+#
+# (C) Copyright 2005 by Matthias Andree
+# based on suggestions by Matthias Grimm and Dirk Gouders
+#
+# Made in Northrhine-Westphalia, Germany
+#
+# $FreeBSD$
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: openvpn
+# REQUIRE: DAEMON
+# BEFORE:
+# KEYWORD: FreeBSD shutdown
+
+# -----------------------------------------------------------------------------
+#
+# Add the following lines to /etc/rc.conf to enable openvpn at boot-up time:
+#
+# openvpn_enable="YES" # YES or NO
+# openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap"
+#
+# # optional:
+# openvpn_flags="" # openvpn command line flags
+# openvpn_config="%%PREFIX%%/etc/openvpn/openvpn.conf" # --config file
+# openvpn_dir="%%PREFIX%%/etc/openvpn" # --cd directory
+#
+# You also need to set openvpn_configfile and openvpn_dir, if the configuration
+# file and directory where keys and certificates reside differ from the above
+# settings.
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see openvpn(8).
+#
+
+. %%RC_SUBR%%
+
+name=openvpn
+rcvar=`set_rcvar`
+
+prefix="%%PREFIX%%"
+
+openvpn_precmd()
+{
+ for i in $openvpn_if ; do
+ if ! sysctl debug.if_${i}_debug >/dev/null 2>&1 ; then
+ if ! kldload if_${i} ; then
+ warn "Could not load $i module."
+ return 1
+ fi
+ fi
+ done
+ return 0
+}
+
+stop_postcmd()
+{
+ rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+# support SIGHUP to reparse configuration file
+extra_commands="reload"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+
+# command and arguments
+command="%%PREFIX%%/sbin/${name}"
+
+# run this first
+start_precmd="openvpn_precmd"
+# and this last
+stop_postcmd="stop_postcmd"
+
+load_rc_config ${name}
+: ${openvpn_enable="NO"}
+: ${openvpn_flags=""}
+: ${openvpn_if=""}
+: ${openvpn_configfile="${prefix}/etc/openvpn/openvpn.conf"}
+: ${openvpn_dir="${prefix}/etc/openvpn"}
+required_files="${openvpn_configfile}"
+command_args="--cd ${openvpn_dir} --daemon --config ${openvpn_configfile} --writepid ${pidfile}"
+run_rc_command "$1"
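Review bot: The header comment documents `openvpn_config=` as the rc.conf setting for the --config file, but the script only reads `openvpn_configfile` (defaulted near the end and used in `required_files` and `command_args`), so an administrator who follows the comment silently keeps the default path. The comment line should read `# openvpn_configfile="%%PREFIX%%/etc/openvpn/openvpn.conf" # --config file`. Separately, each word of `openvpn_if` is placed into `kldload if_${i}` unchecked. rc.conf is normally writable by root only, so this is hygiene rather than an exposure, but a guard such as `case "$i" in tun|tap) ;; *) warn "Unsupported interface type $i." ; return 1 ;; esac` at the top of the loop would keep a typo from loading an unintended kernel module. The identical script is added under security/openvpn and security/openvpn20.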
diff --git a/security/openvpn-devel/files/openvpn.sh.sample b/security/openvpn-devel/files/openvpn.sh.sample
deleted file mode 100644
index a906ecf44425..000000000000
--- a/security/openvpn-devel/files/openvpn.sh.sample
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /bin/sh
-# (C) 2002 by Matthias Andree
-
-# This file may be redistributed according to the terms of the GNU General
-# Public License, version 2 (two).
-
-# To use this script, rename it to openvpn.sh and make sure it is
-# executable for the owner.
-
-# This file rouses a security warning at port install time. However, this
-# file itself does not start network services, but it loads a kernel driver.
-# The security of this file therefore depends on the security of kldload and
-# the if_tap driver.
-
-case x$1 in
- xstart) echo -n ' if_tap' ; exec kldload if_tap ;;
- xstop) echo -n ' if_tap' ; exec kldunload if_tap ;;
- *) echo >&2 "Usage: $0 {start|stop}"
-esac
diff --git a/security/openvpn-devel/files/pkg-message.in b/security/openvpn-devel/files/pkg-message.in
new file mode 100644
index 000000000000..0bf579b261d3
--- /dev/null
+++ b/security/openvpn-devel/files/pkg-message.in
@@ -0,0 +1,18 @@
+### ------------------------------------------------------------------------
+### The OpenVPN port, since v2.0.1, uses rcNG to start OpenVPN.
+### Edit /etc/rc.conf to start OpenVPN automatically at system startup.
+### See %%PREFIX%%/etc/rc.d/openvpn.sh for details.
+### ------------------------------------------------------------------------
+### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to
+### edit the 1.X configuration file by adding these lines:
+### tun-mtu 1500
+### tun-mtu-extra 32
+### mssfix 1450
+### key-method 2 <- this key-method line only for TLS setups
+### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194!
+### OpenVPN 1.6 and older used 5000 rather than 1194 as their default
+### port, so add the proper port options to your configuration file!
+### ------------------------------------------------------------------------
+### For further compatibility, see <http://openvpn.net/relnotes.html>
+### ------------------------------------------------------------------------
diff --git a/security/openvpn-devel/pkg-message b/security/openvpn-devel/pkg-message
deleted file mode 100644
index 9edb877e624c..000000000000
--- a/security/openvpn-devel/pkg-message
+++ /dev/null
@@ -1,20 +0,0 @@
-### ---------------------------------------------------------------------- ###
-### To use the tap driver, you may need to do: kldload if_tap ###
-### See ${PREFIX}/etc/rc.d/openvpn.sh.sample for how to do this ###
-### automatically at system boot-up time. ###
-### ---------------------------------------------------------------------- ###
-### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to ###
-### edit the 1.X configuration file by adding these lines: ###
-### ###
-### tun-mtu 1500 ###
-### tun-mtu-extra 32 ###
-### mssfix 1450 ###
-### ###
-### key-method 2 <- this key-method line only for TLS setups ###
-### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ###
-### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194! ###
-### OpenVPN 1.6 and older used 5000 rather than 1194 as their default ###
-### port, so add the proper port options to your configuration file! ###
-### ---------------------------------------------------------------------- ###
-### For further compatibility, see <http://openvpn.net/relnotes.html> ###
-### ---------------------------------------------------------------------- ###
diff --git a/security/openvpn-devel/pkg-plist b/security/openvpn-devel/pkg-plist
index 9fb4fbf7a7dc..00cd2a6e9435 100644
--- a/security/openvpn-devel/pkg-plist
+++ b/security/openvpn-devel/pkg-plist
@@ -1,5 +1,4 @@
sbin/openvpn
-etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/AUTHORS
%%PORTDOCS%%%%DOCSDIR%%/COPYING
%%PORTDOCS%%%%DOCSDIR%%/COPYRIGHT.GPL
@@ -26,6 +25,25 @@ etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/revoke-full
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/sign-req
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/vars
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/README
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-ca
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-dh
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pkcs12
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-server
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/clean-all
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/inherit-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/list-crl
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl.cnf
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/pkitool
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/revoke-full
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/scripts
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/sign-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/vars
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/README
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/client.conf
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/firewall.sh
@@ -49,5 +67,6 @@ etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/verify-cn
%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-scripts
%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-config-files
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa/2.0
%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa
%%PORTDOCS%%@dirrm %%DOCSDIR%%
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index b39638afd95c..aa1e99cb11af 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,21 +1,18 @@
# New ports collection makefile for: openvpn
# Date created: 2002-06-23
-# Whom: Matthias Andree <matthias.andree@web.de>
+# Whom: Matthias Andree <matthias.andree@gmx.de>
#
# $FreeBSD$
#
PORTNAME= openvpn
-DISTVERSION= 2.0
-PORTREVISION= 3
+DISTVERSION= 2.0.1
CATEGORIES= security
MASTER_SITES= http://openvpn.net/release/
MAINTAINER= matthias.andree@gmx.de
COMMENT= Secure IP/Ethernet tunnel daemon
-LIB_DEPENDS= lzo.1:${PORTSDIR}/archivers/lzo
-
GNU_CONFIGURE= yes
USE_OPENSSL= yes
CONFIGURE_TARGET= --build=${ARCH}-portbld-freebsd${OSREL}
@@ -26,25 +23,31 @@ MAN8= openvpn.8
OPTIONS= PW_SAVE "Interactive passwords may be read from a file" off
+USE_RC_SUBR= openvpn.sh
+
+SUB_FILES= pkg-message
+
.include <bsd.port.pre.mk>
+# NOTE: there is no way to explicitly specify the LZO version to OpenVPN,
+# if LZO2 and LZO1 are installed, OpenVPN will pick LZO2.
+# So depend on LZO1 only if it's already there and LZO2 isn't.
+# PACKAGE_BUILDING will also force LZO2.
+.if exists(${LOCALBASE}/lib/liblzo2.so.2) || !exists(${LOCALBASE}/lib/liblzo.so.1) || defined(PACKAGE_BUILDING)
+LIB_DEPENDS= lzo2.2:${PORTSDIR}/archivers/lzo2
+.else
+LIB_DEPENDS= lzo.1:${PORTSDIR}/archivers/lzo
+.endif
+
.if defined(WITH_PW_SAVE)
CONFIGURE_ARGS+= --enable-password-save
.endif
# self-tests here
post-build:
- ( set -e ; cd ${WRKSRC} && \
- ./openvpn --genkey --secret key && \
- ./openvpn --test-crypto --secret key && ${RM} key )
- ( set -e ; cd ${WRKSRC} && { \
- ./openvpn --config sample-config-files/loopback-server & \
- ./openvpn --config sample-config-files/loopback-client ; \
- wait ; })
+ cd ${WRKSRC} && ${MAKE} check
post-install:
- ${INSTALL_SCRIPT} ${FILESDIR}/openvpn.sh.sample \
- ${PREFIX}/etc/rc.d/openvpn.sh.sample
.if !defined(NOPORTDOCS)
${MKDIR} ${DOCSDIR}
.for docs in AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS \
@@ -56,5 +59,6 @@ post-install:
| ${GREP} -v easy-rsa/Windows \
| ${CPIO} -pdmu ${DOCSDIR} )
.endif
+ @${CAT} ${PKGMESSAGE}
.include <bsd.port.post.mk>
diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo
index dd29196f185e..f52db739a88b 100644
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@@ -1,2 +1,2 @@
-MD5 (openvpn-2.0.tar.gz) = 7401faebc6baee9add32608709c54eec
-SIZE (openvpn-2.0.tar.gz) = 639201
+MD5 (openvpn-2.0.1.tar.gz) = fad7a08c0d68371c2c0e6428bcb98fa5
+SIZE (openvpn-2.0.1.tar.gz) = 662428
diff --git a/security/openvpn/files/openvpn.sh.in b/security/openvpn/files/openvpn.sh.in
new file mode 100644
index 000000000000..37d8ba5129de
--- /dev/null
+++ b/security/openvpn/files/openvpn.sh.in
@@ -0,0 +1,99 @@
+#!/bin/sh
+#
+# openvpn.sh - load tun/tap driver and start OpenVPN daemon
+#
+# (C) Copyright 2005 by Matthias Andree
+# based on suggestions by Matthias Grimm and Dirk Gouders
+#
+# Made in Northrhine-Westphalia, Germany
+#
+# $FreeBSD$
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: openvpn
+# REQUIRE: DAEMON
+# BEFORE:
+# KEYWORD: FreeBSD shutdown
+
+# -----------------------------------------------------------------------------
+#
+# Add the following lines to /etc/rc.conf to enable openvpn at boot-up time:
+#
+# openvpn_enable="YES" # YES or NO
+# openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap"
+#
+# # optional:
+# openvpn_flags="" # openvpn command line flags
+# openvpn_config="%%PREFIX%%/etc/openvpn/openvpn.conf" # --config file
+# openvpn_dir="%%PREFIX%%/etc/openvpn" # --cd directory
+#
+# You also need to set openvpn_configfile and openvpn_dir, if the configuration
+# file and directory where keys and certificates reside differ from the above
+# settings.
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see openvpn(8).
+#
+
+. %%RC_SUBR%%
+
+name=openvpn
+rcvar=`set_rcvar`
+
+prefix="%%PREFIX%%"
+
+openvpn_precmd()
+{
+ for i in $openvpn_if ; do
+ if ! sysctl debug.if_${i}_debug >/dev/null 2>&1 ; then
+ if ! kldload if_${i} ; then
+ warn "Could not load $i module."
+ return 1
+ fi
+ fi
+ done
+ return 0
+}
+
+stop_postcmd()
+{
+ rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+# support SIGHUP to reparse configuration file
+extra_commands="reload"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+
+# command and arguments
+command="%%PREFIX%%/sbin/${name}"
+
+# run this first
+start_precmd="openvpn_precmd"
+# and this last
+stop_postcmd="stop_postcmd"
+
+load_rc_config ${name}
+: ${openvpn_enable="NO"}
+: ${openvpn_flags=""}
+: ${openvpn_if=""}
+: ${openvpn_configfile="${prefix}/etc/openvpn/openvpn.conf"}
+: ${openvpn_dir="${prefix}/etc/openvpn"}
+required_files="${openvpn_configfile}"
+command_args="--cd ${openvpn_dir} --daemon --config ${openvpn_configfile} --writepid ${pidfile}"
+run_rc_command "$1"
diff --git a/security/openvpn/files/openvpn.sh.sample b/security/openvpn/files/openvpn.sh.sample
deleted file mode 100644
index a906ecf44425..000000000000
--- a/security/openvpn/files/openvpn.sh.sample
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /bin/sh
-# (C) 2002 by Matthias Andree
-
-# This file may be redistributed according to the terms of the GNU General
-# Public License, version 2 (two).
-
-# To use this script, rename it to openvpn.sh and make sure it is
-# executable for the owner.
-
-# This file rouses a security warning at port install time. However, this
-# file itself does not start network services, but it loads a kernel driver.
-# The security of this file therefore depends on the security of kldload and
-# the if_tap driver.
-
-case x$1 in
- xstart) echo -n ' if_tap' ; exec kldload if_tap ;;
- xstop) echo -n ' if_tap' ; exec kldunload if_tap ;;
- *) echo >&2 "Usage: $0 {start|stop}"
-esac
diff --git a/security/openvpn/files/pkg-message.in b/security/openvpn/files/pkg-message.in
new file mode 100644
index 000000000000..0bf579b261d3
--- /dev/null
+++ b/security/openvpn/files/pkg-message.in
@@ -0,0 +1,18 @@
+### ------------------------------------------------------------------------
+### The OpenVPN port, since v2.0.1, uses rcNG to start OpenVPN.
+### Edit /etc/rc.conf to start OpenVPN automatically at system startup.
+### See %%PREFIX%%/etc/rc.d/openvpn.sh for details.
+### ------------------------------------------------------------------------
+### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to
+### edit the 1.X configuration file by adding these lines:
+### tun-mtu 1500
+### tun-mtu-extra 32
+### mssfix 1450
+### key-method 2 <- this key-method line only for TLS setups
+### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194!
+### OpenVPN 1.6 and older used 5000 rather than 1194 as their default
+### port, so add the proper port options to your configuration file!
+### ------------------------------------------------------------------------
+### For further compatibility, see <http://openvpn.net/relnotes.html>
+### ------------------------------------------------------------------------
diff --git a/security/openvpn/pkg-message b/security/openvpn/pkg-message
deleted file mode 100644
index 9edb877e624c..000000000000
--- a/security/openvpn/pkg-message
+++ /dev/null
@@ -1,20 +0,0 @@
-### ---------------------------------------------------------------------- ###
-### To use the tap driver, you may need to do: kldload if_tap ###
-### See ${PREFIX}/etc/rc.d/openvpn.sh.sample for how to do this ###
-### automatically at system boot-up time. ###
-### ---------------------------------------------------------------------- ###
-### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to ###
-### edit the 1.X configuration file by adding these lines: ###
-### ###
-### tun-mtu 1500 ###
-### tun-mtu-extra 32 ###
-### mssfix 1450 ###
-### ###
-### key-method 2 <- this key-method line only for TLS setups ###
-### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ###
-### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194! ###
-### OpenVPN 1.6 and older used 5000 rather than 1194 as their default ###
-### port, so add the proper port options to your configuration file! ###
-### ---------------------------------------------------------------------- ###
-### For further compatibility, see <http://openvpn.net/relnotes.html> ###
-### ---------------------------------------------------------------------- ###
diff --git a/security/openvpn/pkg-plist b/security/openvpn/pkg-plist
index 9fb4fbf7a7dc..00cd2a6e9435 100644
--- a/security/openvpn/pkg-plist
+++ b/security/openvpn/pkg-plist
@@ -1,5 +1,4 @@
sbin/openvpn
-etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/AUTHORS
%%PORTDOCS%%%%DOCSDIR%%/COPYING
%%PORTDOCS%%%%DOCSDIR%%/COPYRIGHT.GPL
@@ -26,6 +25,25 @@ etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/revoke-full
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/sign-req
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/vars
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/README
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-ca
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-dh
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pkcs12
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-server
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/clean-all
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/inherit-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/list-crl
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl.cnf
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/pkitool
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/revoke-full
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/scripts
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/sign-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/vars
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/README
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/client.conf
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/firewall.sh
@@ -49,5 +67,6 @@ etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/verify-cn
%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-scripts
%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-config-files
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa/2.0
%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa
%%PORTDOCS%%@dirrm %%DOCSDIR%%
diff --git a/security/openvpn20/Makefile b/security/openvpn20/Makefile
index b39638afd95c..aa1e99cb11af 100644
--- a/security/openvpn20/Makefile
+++ b/security/openvpn20/Makefile
@@ -1,21 +1,18 @@
# New ports collection makefile for: openvpn
# Date created: 2002-06-23
-# Whom: Matthias Andree <matthias.andree@web.de>
+# Whom: Matthias Andree <matthias.andree@gmx.de>
#
# $FreeBSD$
#
PORTNAME= openvpn
-DISTVERSION= 2.0
-PORTREVISION= 3
+DISTVERSION= 2.0.1
CATEGORIES= security
MASTER_SITES= http://openvpn.net/release/
MAINTAINER= matthias.andree@gmx.de
COMMENT= Secure IP/Ethernet tunnel daemon
-LIB_DEPENDS= lzo.1:${PORTSDIR}/archivers/lzo
-
GNU_CONFIGURE= yes
USE_OPENSSL= yes
CONFIGURE_TARGET= --build=${ARCH}-portbld-freebsd${OSREL}
@@ -26,25 +23,31 @@ MAN8= openvpn.8
OPTIONS= PW_SAVE "Interactive passwords may be read from a file" off
+USE_RC_SUBR= openvpn.sh
+
+SUB_FILES= pkg-message
+
.include <bsd.port.pre.mk>
+# NOTE: there is no way to explicitly specify the LZO version to OpenVPN,
+# if LZO2 and LZO1 are installed, OpenVPN will pick LZO2.
+# So depend on LZO1 only if it's already there and LZO2 isn't.
+# PACKAGE_BUILDING will also force LZO2.
+.if exists(${LOCALBASE}/lib/liblzo2.so.2) || !exists(${LOCALBASE}/lib/liblzo.so.1) || defined(PACKAGE_BUILDING)
+LIB_DEPENDS= lzo2.2:${PORTSDIR}/archivers/lzo2
+.else
+LIB_DEPENDS= lzo.1:${PORTSDIR}/archivers/lzo
+.endif
+
.if defined(WITH_PW_SAVE)
CONFIGURE_ARGS+= --enable-password-save
.endif
# self-tests here
post-build:
- ( set -e ; cd ${WRKSRC} && \
- ./openvpn --genkey --secret key && \
- ./openvpn --test-crypto --secret key && ${RM} key )
- ( set -e ; cd ${WRKSRC} && { \
- ./openvpn --config sample-config-files/loopback-server & \
- ./openvpn --config sample-config-files/loopback-client ; \
- wait ; })
+ cd ${WRKSRC} && ${MAKE} check
post-install:
- ${INSTALL_SCRIPT} ${FILESDIR}/openvpn.sh.sample \
- ${PREFIX}/etc/rc.d/openvpn.sh.sample
.if !defined(NOPORTDOCS)
${MKDIR} ${DOCSDIR}
.for docs in AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS \
@@ -56,5 +59,6 @@ post-install:
| ${GREP} -v easy-rsa/Windows \
| ${CPIO} -pdmu ${DOCSDIR} )
.endif
+ @${CAT} ${PKGMESSAGE}
.include <bsd.port.post.mk>
diff --git a/security/openvpn20/distinfo b/security/openvpn20/distinfo
index dd29196f185e..f52db739a88b 100644
--- a/security/openvpn20/distinfo
+++ b/security/openvpn20/distinfo
@@ -1,2 +1,2 @@
-MD5 (openvpn-2.0.tar.gz) = 7401faebc6baee9add32608709c54eec
-SIZE (openvpn-2.0.tar.gz) = 639201
+MD5 (openvpn-2.0.1.tar.gz) = fad7a08c0d68371c2c0e6428bcb98fa5
+SIZE (openvpn-2.0.1.tar.gz) = 662428
diff --git a/security/openvpn20/files/openvpn.sh.in b/security/openvpn20/files/openvpn.sh.in
new file mode 100644
index 000000000000..37d8ba5129de
--- /dev/null
+++ b/security/openvpn20/files/openvpn.sh.in
@@ -0,0 +1,99 @@
+#!/bin/sh
+#
+# openvpn.sh - load tun/tap driver and start OpenVPN daemon
+#
+# (C) Copyright 2005 by Matthias Andree
+# based on suggestions by Matthias Grimm and Dirk Gouders
+#
+# Made in Northrhine-Westphalia, Germany
+#
+# $FreeBSD$
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: openvpn
+# REQUIRE: DAEMON
+# BEFORE:
+# KEYWORD: FreeBSD shutdown
+
+# -----------------------------------------------------------------------------
+#
+# Add the following lines to /etc/rc.conf to enable openvpn at boot-up time:
+#
+# openvpn_enable="YES" # YES or NO
+# openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap"
+#
+# # optional:
+# openvpn_flags="" # openvpn command line flags
+# openvpn_config="%%PREFIX%%/etc/openvpn/openvpn.conf" # --config file
+# openvpn_dir="%%PREFIX%%/etc/openvpn" # --cd directory
+#
+# You also need to set openvpn_configfile and openvpn_dir, if the configuration
+# file and directory where keys and certificates reside differ from the above
+# settings.
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see openvpn(8).
+#
+
+. %%RC_SUBR%%
+
+name=openvpn
+rcvar=`set_rcvar`
+
+prefix="%%PREFIX%%"
+
+openvpn_precmd()
+{
+ for i in $openvpn_if ; do
+ if ! sysctl debug.if_${i}_debug >/dev/null 2>&1 ; then
+ if ! kldload if_${i} ; then
+ warn "Could not load $i module."
+ return 1
+ fi
+ fi
+ done
+ return 0
+}
+
+stop_postcmd()
+{
+ rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+# support SIGHUP to reparse configuration file
+extra_commands="reload"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+
+# command and arguments
+command="%%PREFIX%%/sbin/${name}"
+
+# run this first
+start_precmd="openvpn_precmd"
+# and this last
+stop_postcmd="stop_postcmd"
+
+load_rc_config ${name}
+: ${openvpn_enable="NO"}
+: ${openvpn_flags=""}
+: ${openvpn_if=""}
+: ${openvpn_configfile="${prefix}/etc/openvpn/openvpn.conf"}
+: ${openvpn_dir="${prefix}/etc/openvpn"}
+required_files="${openvpn_configfile}"
+command_args="--cd ${openvpn_dir} --daemon --config ${openvpn_configfile} --writepid ${pidfile}"
+run_rc_command "$1"
diff --git a/security/openvpn20/files/openvpn.sh.sample b/security/openvpn20/files/openvpn.sh.sample
deleted file mode 100644
index a906ecf44425..000000000000
--- a/security/openvpn20/files/openvpn.sh.sample
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /bin/sh
-# (C) 2002 by Matthias Andree
-
-# This file may be redistributed according to the terms of the GNU General
-# Public License, version 2 (two).
-
-# To use this script, rename it to openvpn.sh and make sure it is
-# executable for the owner.
-
-# This file rouses a security warning at port install time. However, this
-# file itself does not start network services, but it loads a kernel driver.
-# The security of this file therefore depends on the security of kldload and
-# the if_tap driver.
-
-case x$1 in
- xstart) echo -n ' if_tap' ; exec kldload if_tap ;;
- xstop) echo -n ' if_tap' ; exec kldunload if_tap ;;
- *) echo >&2 "Usage: $0 {start|stop}"
-esac
diff --git a/security/openvpn20/files/pkg-message.in b/security/openvpn20/files/pkg-message.in
new file mode 100644
index 000000000000..0bf579b261d3
--- /dev/null
+++ b/security/openvpn20/files/pkg-message.in
@@ -0,0 +1,18 @@
+### ------------------------------------------------------------------------
+### The OpenVPN port, since v2.0.1, uses rcNG to start OpenVPN.
+### Edit /etc/rc.conf to start OpenVPN automatically at system startup.
+### See %%PREFIX%%/etc/rc.d/openvpn.sh for details.
+### ------------------------------------------------------------------------
+### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to
+### edit the 1.X configuration file by adding these lines:
+### tun-mtu 1500
+### tun-mtu-extra 32
+### mssfix 1450
+### key-method 2 <- this key-method line only for TLS setups
+### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194!
+### OpenVPN 1.6 and older used 5000 rather than 1194 as their default
+### port, so add the proper port options to your configuration file!
+### ------------------------------------------------------------------------
+### For further compatibility, see <http://openvpn.net/relnotes.html>
+### ------------------------------------------------------------------------
diff --git a/security/openvpn20/pkg-message b/security/openvpn20/pkg-message
deleted file mode 100644
index 9edb877e624c..000000000000
--- a/security/openvpn20/pkg-message
+++ /dev/null
@@ -1,20 +0,0 @@
-### ---------------------------------------------------------------------- ###
-### To use the tap driver, you may need to do: kldload if_tap ###
-### See ${PREFIX}/etc/rc.d/openvpn.sh.sample for how to do this ###
-### automatically at system boot-up time. ###
-### ---------------------------------------------------------------------- ###
-### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to ###
-### edit the 1.X configuration file by adding these lines: ###
-### ###
-### tun-mtu 1500 ###
-### tun-mtu-extra 32 ###
-### mssfix 1450 ###
-### ###
-### key-method 2 <- this key-method line only for TLS setups ###
-### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ###
-### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194! ###
-### OpenVPN 1.6 and older used 5000 rather than 1194 as their default ###
-### port, so add the proper port options to your configuration file! ###
-### ---------------------------------------------------------------------- ###
-### For further compatibility, see <http://openvpn.net/relnotes.html> ###
-### ---------------------------------------------------------------------- ###
diff --git a/security/openvpn20/pkg-plist b/security/openvpn20/pkg-plist
index 9fb4fbf7a7dc..00cd2a6e9435 100644
--- a/security/openvpn20/pkg-plist
+++ b/security/openvpn20/pkg-plist
@@ -1,5 +1,4 @@
sbin/openvpn
-etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/AUTHORS
%%PORTDOCS%%%%DOCSDIR%%/COPYING
%%PORTDOCS%%%%DOCSDIR%%/COPYRIGHT.GPL
@@ -26,6 +25,25 @@ etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/revoke-full
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/sign-req
%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/vars
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/README
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-ca
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-dh
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-pkcs12
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-key-server
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/build-req-pass
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/clean-all
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/inherit-inter
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/list-crl
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/openssl.cnf
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/pkitool
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/revoke-full
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/scripts
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/sign-req
+%%PORTDOCS%%%%DOCSDIR%%/easy-rsa/2.0/vars
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/README
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/client.conf
%%PORTDOCS%%%%DOCSDIR%%/sample-config-files/firewall.sh
@@ -49,5 +67,6 @@ etc/rc.d/openvpn.sh.sample
%%PORTDOCS%%%%DOCSDIR%%/sample-scripts/verify-cn
%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-scripts
%%PORTDOCS%%@dirrm %%DOCSDIR%%/sample-config-files
+%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa/2.0
%%PORTDOCS%%@dirrm %%DOCSDIR%%/easy-rsa
%%PORTDOCS%%@dirrm %%DOCSDIR%%