security/openvpn/Makefile


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170

PORTNAME=		openvpn
DISTVERSION=		2.6.0
PORTREVISION?=		0
CATEGORIES=		security net net-vpn
MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
			https://build.openvpn.net/downloads/releases/ \
			LOCAL/mandree

MAINTAINER=		mandree@FreeBSD.org
COMMENT?=		Secure IP/Ethernet tunnel daemon
WWW=			https://openvpn.net/community/

LICENSE=		GPLv2
LICENSE_FILE=		${WRKSRC}/COPYRIGHT.GPL

BUILD_DEPENDS+=		cmocka>=0:sysutils/cmocka \
			rst2man:textproc/py-docutils@${PY_FLAVOR}

USES=			cpe libtool localbase:ldflags pkgconfig python:build shebangfix ssl
USE_RC_SUBR=		openvpn

SHEBANG_FILES=		sample/sample-scripts/auth-pam.pl \
			sample/sample-scripts/totpauth.py \
			sample/sample-scripts/ucn.pl \
			sample/sample-scripts/verify-cn

GNU_CONFIGURE=		yes
CONFIGURE_ARGS+=	--enable-strict --with-crypto-library=openssl
# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
CONFIGURE_ENV+=		PLUGINDIR="${PREFIX}/lib/openvpn/plugins"

CONFLICTS_INSTALL?=	openvpn-2* openvpn-devel openvpn-mbedtls

SUB_FILES=		pkg-message openvpn-client

USERS=			openvpn
GROUPS=			openvpn

PORTDOCS=		*
PORTEXAMPLES=		*

OPTIONS_DEFINE=		ASYNC_PUSH DCO DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
			TEST UNITTESTS X509ALTUSERNAME
OPTIONS_DEFAULT=	EASYRSA LZ4 LZO PKCS11 TEST
OPTIONS_EXCLUDE_FreeBSD_12=	DCO # FreeBSD 14 only
OPTIONS_EXCLUDE_FreeBSD_13=	DCO # FreeBSD 14 only

ASYNC_PUSH_DESC=	Enable async-push support
DCO_DESC=			Build with Data Channel Offload (ovpn(4)) support
EASYRSA_DESC=		Install security/easy-rsa RSA helper package
LZO_DESC=		LZO compression (incompatible with LibreSSL)
PKCS11_DESC=		Use security/pkcs11-helper, needs same SSL lib!
SMALL_DESC=		Build a smaller executable with fewer features
UNITTESTS_DESC=		Enable unit tests
X509ALTUSERNAME_DESC=	Enable --x509-username-field

ASYNC_PUSH_LIB_DEPENDS=	libinotify.so:devel/libinotify
ASYNC_PUSH_CONFIGURE_ENABLE=	async-push

DCO_CONFIGURE_ENABLE=	dco

EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa

LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
LZ4_CONFIGURE_ENABLE=	lz4

LZO_LIB_DEPENDS+=	liblzo2.so:archivers/lzo2
LZO_CONFIGURE_ENABLE=	lzo

PKCS11_LIB_DEPENDS=	libpkcs11-helper.so:security/pkcs11-helper
PKCS11_CONFIGURE_ENABLE=	pkcs11

SMALL_CONFIGURE_ENABLE=	small

TEST_ALL_TARGET=	check
TEST_TEST_TARGET_OFF=	check

UNITTESTS_BUILD_DEPENDS=	cmocka>=0:sysutils/cmocka
UNITTESTS_CONFIGURE_ENABLE=	unit-tests

X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username

.ifdef (LOG_OPENVPN)
CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
.endif

.include <bsd.port.options.mk>

.if ${PORT_OPTIONS:MLZO}
IGNORE_SSL=libressl libressl-devel
IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support
.endif

.if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO}
CONFIGURE_ARGS+=	--enable-comp-stub
.endif

.include <bsd.port.pre.mk>

.if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*)
# in-depth security net if Mk/Uses/ssl.mk changes
pre-everything::
	@${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support."
	@${SHELL} -c 'exit 1'
.endif

post-patch:
	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
		-e 's/"nobody"( after init)/"openvpn" \1/' \
		${WRKSRC}/sample/sample-config-files/*.conf \
		${WRKSRC}/doc/man-sections/generic-options.rst
	# this header file was missed from the 2.6.0 tarball
	${CP} ${FILESDIR}/ovpn_dco_freebsd.h ${WRKSRC}/src/openvpn/ # FIXME remove for 2.6.1

pre-configure:
	# just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional,
	# and unused-function affects test---these are developer-side warnings, not relevant on end systems
	${REINPLACE_CMD} 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' ${WRKSRC}/configure
.ifdef (LOG_OPENVPN)
	@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
.else
	@${ECHO} ""
	@${ECHO} "You may use the following build options:"
	@${ECHO} ""
	@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"
	@${ECHO} ""
.endif
.if !empty(SSL_DEFAULT:Mlibressl*)
	@${ECHO} "### --------------------------------------------------------- ###"
	@${ECHO} "### NOTE that libressl is not primarily supported by OpenVPN  ###"
	@${ECHO} "### Do not report bugs without fixes/patches unless the issue ###"
	@${ECHO} "### can be reproduced with a released OpenSSL version.        ###"
	@${ECHO} "### --------------------------------------------------------- ###"
	@sleep 10
.endif

post-configure:
	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
	 	${WRKSRC}/src/plugins/auth-pam/Makefile \
	 	${WRKSRC}/src/plugins/down-root/Makefile

# sanity check that we don't inherit incompatible SSL libs through,
# for instance, pkcs11-helper:
_tlslibs=libssl libcrypto
post-build:
	@a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
	|	${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
	if test "$$*" != "1" ; then ( set -x ; ldd -a ${WRKSRC}/src/openvpn/openvpn ) ; ${PRINTF} '%s\n' "$$a" ; ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi

post-install:
	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
	${MKDIR} ${STAGEDIR}${PREFIX}/include

post-install-DOCS-on:
	${MKDIR} ${STAGEDIR}${DOCSDIR}/
.for i in AUTHORS ChangeLog PORTS
	${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
.endfor

post-install-EXAMPLES-on:
	(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
	${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
	${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig

.include <bsd.port.post.mk>