The conflict checks compare the patterns first against the package
names without version (as reported by "pkg query "%n"), then - if
there was no match - against the full package names including the
version (as reported by "pkg query "%n-%v").
Approved by: portmgr (blanket)
The previous maintainer asked that the port be removed, but
we seem to have found a better solution. Gert Doering volunteered
to take over the port and reference Git directly.
Import security/openvpn fix for leftover .orig files.
PR: 256209
Maintainer change implicitly
Approved by: ecrist@secure-computing.net (removal request)
New contents reviewed and
Approved by: gert@greenie.muc.de (new maintainer, by IRC/mail)
Commit history from 202049 to 202113:
5ac8c3c7 Fix async push broken after auth deferred refactor
8ccce69d log file descriptor in more socket related error messages
c5fec838 Move auth deferred related members into its own struct
6ea62d50 Remove deprecated option '--keysize'
60f5889a Deprecate non TLS mode in OpenVPN
79ff3f79 Allow running a default configuration with TLS libraries without BF-CBC
9e702a5d Always disable TLS renegotiations
203afbe9 reliable: retransmit if 3 follow-up ACKs are received
343b6119 Remove do_init_socket_2 and do_init_socket_1 wrapper function
9fe0b2c2 Extract multi_assign_peer_id into its own function
18b4a838 Remove thread_mode field of multi_context
aba8776e Fix 'compress migrate' for 2.2 clients.
8fa8a175 Implement '--compress migrate' to migrate to non-compression setup
72e1ecb5 Move is_proto function to the socket.h header
9eb285f4 Remove unused variable pass_config_info
c0b36e9f Remove unused function tls_test_auth_deferred_interval
3667df1d Remove unused field txqueuelen from struct tuntap
14061e3e Remove pointless tun_adjust_frame_parameters function
137eb670 Remove code for aligning non-swapped compression
bdc11ae4 Rename tunnel_server_udp_single_threaded to tunnel_server_udp
213fd3ee Remove superflous ifdefs around enum like defines
997b006a Get rid of last PLUGIN_DEF_AUTH #ifdef
76ccc62d Stop using deprecated getpass()
2d5c437f Remove automatic service
d11c273b Fix #elif TARGET_LINUX missing defined() call
f91e2116 Remove support for non ISO C99 vararg support
7975e33b Remove flexible array member autoconf check
ca570706 Cleanup print_details and add signature/ED certificate print
467b16dc Use correct types for OpenSSL and Windows APIs
e756e12a Fix socket related functions using int instead of socket_descriptor_t
7fc608da Make buffer related function conversion explicit when narrowing
5a2ed714 Restore also ping related options on a reconnect
7064ccb9 Move NCP saving and restore to the prepush restore code
528a78fb Move restoring pre pull options to initialising of c2 context
1e938c50 openvpnserv: Cache last error before it is overridden
1b71f859 Remove empty dummy functions
5b8a1231 Deprecate the --verify-hash option
26117a82 Document the simple self-signed certificate setup in examples
423ced96 Support fingerprint authentication without CA certificate
e5e9a07e tapctl: Resolve MSVC C4996 warnings
c3a7065d Implement peer-fingerprint to check fingerprint of peer certificate
d1fe6d52 Extend verify-hash to allow multiple hashes
df471f4d iservice: Resolve MSVC C4996 warnings
709c3810 interactive.c: Resolve MSVC C4996 warning
26540310 tun.c: Remove dead code
6eb28f7c Wipe Socks5 credentials after use
f9d9fe55 Move extract_iv_proto to ssl_util.c/h
45e7d412 Fix multiple problems when compiling with LLVM/Windows (clang-cl)
1480903e README.wolfssl Update
9b2e8034 Remove compat-lz4 references from VS project files
60c18b45 build: Add support for pkg-config < 0.28 for old autoconf versions
f38819b7 Add README.wolfssl documentating the state of WolfSSL in OpenVPN
f6dca235 Support for wolfSSL in OpenVPN
4524feb2 Avoid generating unecessary mbed debug messages
24596b25 build: Remove compat-lz4
4170da07 Do not print Diffie Hellman parameters file to log file
476990d4 EVP_DigestSignFinal siglen parameter correction
b0bff559 Require at least 100MB of mlock()-able memory if --mlock is used.
fdb4f276 Allow pending auth to be send from a auth plugin
d8ed5932 Change parameter of send_auth_pending_messages from context to tls_multi
88664aba Refactor extract_var_peer_info into standalone function and add ssl_util.c
53229047 Implement server side of AUTH_PENDING with extending timeout
4cf01c8e Fix EVP_PKEY_CTX_... compilation with LibreSSL
06f6cf3f Prefer TLS libraries TLS PRF function, fix OpenVPN in FIPS mode
3338f2d5 Quote the domain name argument passed to the wmic command
04876274 Add S_EXITCODE flag for openvpn_run_script to report exit code
b29f7dff Introduce management client state for AUTH_PENDING notifications
3f8fb2b2 Implement client side handling of AUTH_PENDING message
0714ed80 Check return values in md_ctx_init and hmac_ctx_init
fdfbd444 Explain structver usage in sample defer plugin.
413580b6 Change pull request timeout use a timeout rather than a number
ce652e7d Remove inetd support from OpenVPN
a385a3e8 More explicit versioning compatibility in sample-plugins/defer/simple.c
7d1361c1 Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
595be121 Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
2d7e1954 Fix naming error in sample-plugins/defer/simple.c
452e016c clean up / rewrite sample-plugins/defer/simple.c
6a0c51ba Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
ef2405a6 Document common uses of 'echo' directive, re-enable logging for 'echo'.
15daa988 Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
3b1ded39 Man page sections corrections
e0e7625c Skip DHCP renew with Wintun adapter
b1a8213e Remove 1 second delay before running netsh
8a8ee283 Clarify --block-ipv6 intent and direction.
aa58035a Zero initialise msghdr prior to calling sendmesg
86d7e990 ssl_common.h: fix 'not all control paths return a value' msvc warning
ab4688e3 Fix too early argv freeing when registering DNS
a686f7e2 Fix line number reporting on config file errors after <inline> segments
PR: 254785
Submitted by: Eric F. Crist (maintainer)
Update port to 2020-W49 development snapshot.
1387f526 Fix port-share option with TLS-Crypt v2
4d307ed4 tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
fb169c3b tls-crypt-v2: fix server memory leak
dfd624b5 Remove auth_user_pass.wait_for_push variable
fb789947 Fix auth-token not being updated if auth-nocache is set
88dc4276 Make any auth failure tls_authentication_status return auth failed
55d5eaa3 Send AUTH_FAILED message to clients on renegotiation failures
3ac8e592 Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED
f9d3fbf9 Clean up tls_authentication_status and document it
f1f0f074 Improve keys out of sync message
8292102b Add more documentation about our internal TLS functions
cc5a7163 Replace key_scan array of static pointers with inline function
fc25ca3a build: Fix missing install of man page in certain environments
0d4069e4 Change travis build scripts to use https when fetching prerequisites.
PR: 251761
Submitted by: Eric F. Crist (maintainer)
=== Commit Notes ===
99d217b2 Remove --disable-def-auth configure argument
0d4ca79d Remove explicit setting of peer_id to false
cb70cf51 Remove NULL checks before calling free
2c8a9877 Align reliable_free with other free methods to accept NULL
0d5aab88 Inline function tls_get_peer_info
bbcada8a Avoid passing NULL to argv_printf_cat() in temp_file error case.
a4eeef17 Add function for common env setting of verify user/pass calls
a480eaae Ignore deprecation warning for daemon on macOS
14bd92b7 Fix compilation on pre-EKM mbedTLS libraries.
f0734e49 Simplify key material exporter backend API
6dc09d0d Implement generating data channel keys via EKM/RFC 5705
1e6e083e networking_iproute2: fix memory leak in net_iface_mtu_set()
c018fc00 Allow 'none' cipher being specified in --data-ciphers
3b04c34d Support X509 field list to be username
15d05243 Move openvpn specific key expansion into its own function
23e11e59 Fix redirecting of IPv4 default gateway if connecting over IPv6.
bfb28845 Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric.
b68aa006 Speedup TCP remote hosts connections
a5409c0d Selectively reformat too long lines
0f44a908 compat/lz4: Update to v1.9.2
43cdb0c7 Improve error msg when all TAP adapters are in use 'or disabled'
e9e47f49 Fix update_time() and openvpn_gettimeofday() coexistence
d6720203 Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN
66ad8727 Improve documentation of --username-as-common-name
70882f3e Set DNS Domain using iservice
7f7b0539 openvpnmsica: Simplify find_adapters() to void return
370395b3 netsh: Delete WINS servers on TUN close
dd754221 netsh: Clear existing IPv6 DNS servers before configuring new ones
6020e94b netsh: Specify interfaces by index rather than name
860a7bc7 Fix combination of --dev tap and --topology subnet across multiple platforms.
94cebf82 Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths
4dff2368 If IPv6 pool specification sets pool start to ::0 address, increment.
3ad86c25 Fix fatal error at switching remotes (#629)
6345cea8 build: Fix make distclean/distcheck
0b5141d8 sample-plugins: Partially autotoolize the sample-plugins build
81b6a7e7 Fix netbits setting (in TAP mode) for IPv6 on Windows.
b8625abb Allow --dhcp-option in config file when windows-driver is wintun
97ff6436 man: Improve --remote entry
eebeaa02 socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
fb94fbc3 msvc: better support for 32bit architecture
37aab49b Fix --show-gateway for IPv6 on NetBSD/i386.
a61c08a2 Handle NULL returns from calloc() in sample plugins.
8120e1ad man: Add missing --server-ipv6
50c7700d Fix description of --client-disconnect calling convention in manpage.
81f9bb3a Replace 'echo -n' with 'printf' in tests/t_lpback.sh
5b815eb4 Add a remark on dropping privileges when --mlock is used
aa346849 Fix handling of 'route remote_host' for IPv6 transport case.
505d5ad8 Fix best gateway selection over netlink
a4e0ac06 Fix TUNSETGROUP compatibility with very old Linux systems.
a09a2fad Fix error detection / abort in --inetd corner case.
5fd66510 Document that --push-remove is generally more suitable than --push-reset
b341b1c5 openvpnmsica: make adapter renaming non-fatal
f3f09541 In tap.c use DiInstallDevice to install the driver on a new adapter
6ffe64e3 Fix client NCP OCC fallback when server and client cipher are identical
136c5f01 Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)
PR: 250743
Submitted by: Eric F. Crist (maintainer)
Approved by: Eric F. Crist (maintainer)
This also adds a fix to the optional TUNNELBLICK extra-patch that removes
context now gone from the upstream code.
Here are the changes in the W35 snapshot:
136c5f01 Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)
5e19cc2c Workaround FreeBSD 12+ race condition on tun/tap open with IPv6.
10abd656 Refactor key_state_export_keying_material functions
62560e2a Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof
2ab0a924 Fix client's poor man NCP fallback
ed47c097 tun.c: enable using wintun driver under SYSTEM
2da29362 Improve the documentation for --dhcp-option
bf911882 Changes.rst: fix mistyped option names
e33f4475 doc: fix typos in cipher-negotiation.rst
7e65483d Fix stack overflow in OpenSolaris NEXTADDR()
f7432a97 Change version.m4 to 2.6_git
c1c43d46 Improve sections about older OpenVPN clients in cipher-negotiation.rst
26b658ea Changes.rst updates in preparation to 2.5_beta1
079fca54 Add depreciation notice for --ncp-disable to protocol-options.rst
16249959 Cleanup tls_pre_decrypt_lite and tls_pre_encrypt
a6a15f70 Refactor/Reformat tls_pre_decrypt
Poudriere test builds succeed on:
11.3 i386, amd64
12.1 i386, amd64, arm64
mips64 currently left in the dust because a build req. for py-docutils
winds up requiring gcc9, which isn't available for MIPS64.
PR: 248969
Submitted by: Eric F. Crist (maintainer)
Update to Week 33 snapshot:
e02616d8 Document comp-lzo no and compress being incompatible
c13d20fa Remove S_OP_NORMAL key state.
4b4f5fe2 Move parsing IV_PROTO to separate function
4edcf571 Skip existing interfaces on opening the first available utun on macOS
42b39e98 Merge check_coarse_timers and check_coarse_timers_dowork
cd88d947 Eliminate check_tls wrapper function
eed645b3 Eliminate check_incoming_control_channel wrapper function
b7aebba2 Eliminate check_fragment function
76ea0859 Rename check_ping_restart_dowork to trigger_ping_timeout_signal
ce7ddaaf Split pf_check_reload check and check timer in process_coarse_timers
feacd01c travis: don't run t_net.sh test
e9639044 Remove a number of check/do_work wrapper calls from coarse_timers
60200b9e Remove buf argument from link_socket_set_outgoing_addr
33773a02 Clean up a number of leftover C89 initialisations in ssl.c
2fdd3329 Minor cleanup in push.c
bf42466d Document different behaviour of dynamic cipher negotiation
2c1d8c33 Rework NCP compability logic and drop BF-CBC support by default
dab34fdd Fix compilation with --disable-lzo and --disable-lz4
992e9cec Log serial number of revoked certificate
71d56aea client-connect: Add documentation for the deferred client connect feature
20b39474 Abort client-connect handler loop after first handler sets 'disable'.
08f3c1ca Fix sequence of events for async plugin v1 handler.
0a7af784 Gently push users towards --data-ciphers in --show-ciphers output
5fde831c Fix stack buffer overruns in NEXTADDR() macro:
342f9b78 Add a note that ncp-ciphers is replaced by data-ciphers
30d19c6e Rename ncp-ciphers to data-ciphers
a3b21a76 Avoid sending push request after receving push reply
7cadbe24 Simplify calling logic of check_connection_established_dowork
1d86fae8 Include utun device number in utun error message
PR: 248600
Submitted by: Eric F. Crist (maintainer)
This is from the PR, with the addition of
BUILD_DEPENDS+=rst2man:textproc/py-docutils
such that the manpage gets built (it doesn't ship with
snapshots - which are from Git - any longer).
changes:
08469ca1 Remove --client-cert-not-required
2d5facaa Remove --ifconfig-pool-linear
94edc7c5 Require AEAD support in the crypto library
ec7d0e8e Drop support for OpenSSL 1.0.1
df85950a travis: Fix make distcheck failure
aad16b6c client-connect: Implement deferred connect support for plugin API v2
3658e577 Separate handling of non-deferred return values for client-connect-scripts.
3d2af156 client-connect: Add deferred support to the client-connect v1 plugin handler
290bb269 client-connect: Use inotify for the deferred client-connect status file
529b1ab2 client-connect: Add deferred support to the client-connect script handler
82241468 Remove CAS_PARTIAL state
4cabd28a doc/man: Do not install man *.rst files
4b4b34da Remove --no-iv
19fab1f6 options: don't leak inline'd key material in logfile
83d6da50 Merge Makefile.am's AUTOMAKE_OPTIONS into configure.ac's AM_INIT_AUTOMAKE.
dfb40edc client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect
ee6830c3 doc/man: Add misssing renegotiation.rst to Makefile.am
8d0b1def doc/man: Documentation for --bind-dev / VRFs on Linux
5c5544d4 doc/man: Update --txqueuelen default setting (Now OS default)
ed593e65 doc/man: Adopt compression documentation
850fd5fa doc/man: Mark compression options as deprecated
f500c49c doc/man: convert openvpn.8 to split-up .rst files
c83b197a Add deferred authentication support to plugin-auth-pam
90ed0fd2 reformat multi_client_generate_tls_keys according to uncrustify
708d1694 client-connect: Move adding inotify watch into its own function
4d500451 client-connect: Change cas_context from int to enum
07a69fd2 client-connect: Refactor client-connect handling to calling a bunch of hooks in a loop
4f29b73b client-connect: Refactor to use return values instead of modifying a passed-in flag
380a142a client-connect: Move multi_client_connect_setenv into early_setup
62a840e2 client-connect: Refactor multi_client_connect_source_ccd
78359a04 Added support for DHCP option 119 (dns search suffix list) for Windows.
0c8c50ca client-connect: Split multi_connection_established into separate functions
b15fcceb Handle connecting clients without NCP or OCC without crashing.
PR: 248147
Submitted by: Eric F. Crist (maintainer)
ChangeLog:
<https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247974#c0>
While here:
* add cmocka as build-time requisite to include the engine test.
* use PLUGINDIR rather than hacking CPPFLAGS for PLUGIN_LIBDIR,
the latter breaks -fPIC detection by configure (breaking the
shared lib build for the engine unit tests)
PR: 247974
Submitted by: Eric F. Crist (maintainer)
This commit updates the port to the latest development snapshot.
Additional changes over PR:
- leave CATEGORIES alone (leaving net-vpn in)
- move IGNORE_SSL upwards and remove USE_LDCONFIG to please portlint -CA
PR: 240376
Submitted by: ecrist@secure-computing.net (maintainer)
Note I didn't take the original patch because it needed to NOT conflict
with itself, and I had to fix indentation - be sure to use TAB, not
blanks, after the VARIABLE= part.
PR: 219305
Submitted by: ecrist@secure-computing.net (maintainer)
Align with security/openvpn for RC script improvements, dropping the
TUNNELBLICK patch (integrated upstream) and pkg-help file (no longer
required).
Note that pkcs11* and mbedTLS currently do not mix (I randomly checked
different option sets), an issue this port shares with security/openvpn.
"checking mbedtls pkcs11 support...
configure: error: mbedtls has no pkcs11 wrapper compiled in"
PR: 215734
Submitted by: Eric F. Crist (maintainer)
Port Changes:
- password-save option is always on now, no longer optional
- LibreSSL has been renamed mbed TLS
Upstream Changes:
- Implement --push-remove option to remove options pushed by server
- Use mbedTLS 2.x now, instead of PolarSSL 1.x
PR: 210259
Submitted by: ecrist@secure-computing.net (maintainer)
<file> on ELF systems, but this doesn't really do what -export-symbols is
meant to do. On GNU ELF systems it converts <file> to a simple version
script first and then uses -version-script instead of -retain-symbols-file.
Let USES=libtool patch libtool scripts to do this on all systems with GNU
ld(1).
Bump PORTREVISION on all ports where the build log contains -export-symbols.
audio/calf: This port builds a module that now exports only one function,
but it also builds a number of executables that link to this module and
expect to see other functions. Because it's already a bit dodgy to link to
a module (libtool warns about this) let the module continue to export only
one function and instead build an ordinary library from the same source that
the executables can link to. Fix a number of other issues in the same
Makefile.am and clean up the port Makefile.
japanese/scim-honoka: Tries to hide all symbols that start with an
underscore, but because this library is written in C++ all symbols start
with _Z so it ends up hiding everything. Just don't hide anything at all
like the textproc/scim configure script does.
multimedia/schroedinger: Apply an upstream patch.
textproc/scim-input-pad: Same as japanese/scim-honoka.
PR: 201922
Approved by: portmgr (antoine)
Exp-run by: antoine