NetBSD Problem Report #52044
From www@NetBSD.org Tue Mar 7 07:40:16 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id D6A287A168
for <gnats-bugs@gnats.NetBSD.org>; Tue, 7 Mar 2017 07:40:15 +0000 (UTC)
Message-Id: <20170307074014.9CAD67A276@mollari.NetBSD.org>
Date: Tue, 7 Mar 2017 07:40:14 +0000 (UTC)
From: gert@greenie.muc.de
Reply-To: gert@greenie.muc.de
To: gnats-bugs@NetBSD.org
Subject: please bump net/openvpn port to new version
X-Send-Pr-Version: www-1.0
>Number: 52044
>Category: pkg
>Synopsis: please bump net/openvpn port to new version
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: manu
>State: closed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Mar 07 07:45:00 +0000 2017
>Closed-Date: Wed May 24 20:37:35 +0000 2017
>Last-Modified: Thu May 25 04:05:00 +0000 2017
>Originator: Gert Doering
>Release: HEAD, 2017/03/07
>Organization:
>Environment:
NetBSD nbsd70.ov.greenie.net 7.0.1 NetBSD 7.0.1 (GENERIC.201605221355Z) i386
>Description:
net/openvpn is at 2.3.11 right now.
Current upstream version is 2.3.14 in the "old stable" branch, or 2.4.0 in the "new stable" branch.
FreeBSD moved to 2.4.0 (plus added an net/openvpn23), but which version you choose depends a bit on how conservative NetBSD's pkgsrc regime is. 2.4.0 has lots of important enhancements, like AEAD crypto.
In any case, when working on that port, please remove patches/patch-ac - this adds code that already exists in upstream sources (since years ago), just a few lines earlier in tun.c - so it's a complicated way to do a no-op.
When going to 2.4.0, patches/patch-ad, patch-ae, patch-af and patch-src_openvpn_socket.[ch] can be dropped as well as the necessary adjustments have been made to upstream source - so it won't apply, and is not needed anymore. 2.4.0 compiles and passes all tests on NetBSD "out of the box", no patches needed :-)
>How-To-Repeat:
"checkout pkgsrc"
>Fix:
bump OPENVPN_DISTNAME to openvpn-2.3.14 or openvpn-2.4.0
(since this is coming from "Makefile.common", used by openvpn-nagios and openvpn-acct-wtmx, double-checking sounds like a good idea when going to 2.4.0 - 2.3.14 should be a drop-in replacement)
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->manu
Responsible-Changed-By: spz@NetBSD.org
Responsible-Changed-When: Wed, 08 Mar 2017 06:58:53 +0000
Responsible-Changed-Why:
manu@ is maintainer of two of the impacted packages
From: "S.P.Zeidler" <spz@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: manu@NetBSD.org
Subject: Re: pkg/52044: please bump net/openvpn port to new version
Date: Wed, 8 Mar 2017 06:57:28 +0000
Hi Gert! Hi Manu! :)
Thus wrote gert@greenie.muc.de (gert@greenie.muc.de):
> >Fix:
> bump OPENVPN_DISTNAME to openvpn-2.3.14 or openvpn-2.4.0
for 2.4.0:
----- snip -----
===================================================================
RCS file: /cvsroot/pkgsrc/net/openvpn/Makefile,v
retrieving revision 1.60
diff -u -u -r1.60 Makefile
--- openvpn/Makefile 19 Sep 2016 13:04:25 -0000 1.60
+++ openvpn/Makefile 8 Mar 2017 06:48:39 -0000
@@ -1,7 +1,6 @@
# $NetBSD: Makefile,v 1.60 2016/09/19 13:04:25 wiz Exp $
DISTNAME= ${OPENVPN_DISTNAME}
-PKGREVISION= 1
CATEGORIES= net
MASTER_SITES= ${OPENVPN_MASTER_SITES}
EXTRACT_SUFX= .tar.xz
@@ -31,6 +30,7 @@
INSTALLATION_DIRS+= ${EGDIR}/config
INSTALLATION_DIRS+= ${EGDIR}/keys
+INSTALLATION_DIRS+= ${EGDIR}/keys/ca
INSTALLATION_DIRS+= ${EGDIR}/scripts
SMF_METHODS+= openvpn
@@ -51,7 +51,10 @@
${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/scripts; \
done
set -e; cd ${WRKSRC}/sample/sample-keys; for file in *; do \
- ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/keys; \
+ if [ -f $$file ] ; then ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/keys; fi \
+ done
+ set -e; cd ${WRKSRC}/sample/sample-keys/sample-ca; for file in *; do \
+ ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/keys/ca; \
done
.include "options.mk"
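Review bot: the new sample-ca loop does not carry the `if [ -f $$file ]` guard the first loop just gained, so the first subdirectory upstream adds under sample/sample-keys/sample-ca will make `${INSTALL_DATA}` fail exactly the way sample-ca itself did before this change; use the same form there, `if [ -f $$file ] ; then ${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/keys/ca; fi \`. Note also that the guard silently drops anything that is not a regular file rather than installing it, which is fine for the directory case it targets, but it means the PLIST has to be kept in step by hand with what these two loops actually copy.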
Index: openvpn/Makefile.common
===================================================================
RCS file: /cvsroot/pkgsrc/net/openvpn/Makefile.common,v
retrieving revision 1.5
cvs diff: Diffing openvpn/patches

cvs diff: Diffing openvpn-acct-wtmpx
cvs diff: Diffing openvpn-acct-wtmpx/patches
diff -u -u -r1.5 Makefile.common
--- openvpn/Makefile.common 8 Jul 2016 08:49:41 -0000 1.5
+++ openvpn/Makefile.common 8 Mar 2017 06:48:39 -0000
@@ -4,7 +4,7 @@
# used by net/openvpn-acct-wtmpx/Makefile
# used by net/openvpn-nagios/Makefile
-OPENVPN_DISTNAME= openvpn-2.3.11
+OPENVPN_DISTNAME= openvpn-2.4.0
OPENVPN_DISTFILE= ${OPENVPN_DISTNAME}.tar.xz
OPENVPN_MASTER_SITES= http://swupdate.openvpn.net/community/releases/
SITES.${OPENVPN_DISTFILE}= ${OPENVPN_MASTER_SITES}
Index: openvpn/PLIST
===================================================================
RCS file: /cvsroot/pkgsrc/net/openvpn/PLIST,v
retrieving revision 1.18
diff -u -u -r1.18 PLIST
--- openvpn/PLIST 3 Dec 2014 10:09:01 -0000 1.18
+++ openvpn/PLIST 8 Mar 2017 06:48:39 -0000
@@ -1,4 +1,5 @@
@comment $NetBSD: PLIST,v 1.18 2014/12/03 10:09:01 wiz Exp $
+include/openvpn-msg.h
include/openvpn-plugin.h
${PLIST.pam}lib/openvpn/plugins/openvpn-plugin-auth-pam.la
lib/openvpn/plugins/openvpn-plugin-down-root.la
@@ -6,6 +7,7 @@
sbin/openvpn
share/doc/openvpn/COPYING
share/doc/openvpn/COPYRIGHT.GPL
+share/doc/openvpn/Changes.rst
share/doc/openvpn/README
share/doc/openvpn/README.IPv6
${PLIST.pam}share/doc/openvpn/README.auth-pam
@@ -31,6 +33,30 @@
share/examples/openvpn/keys/README
share/examples/openvpn/keys/ca.crt
share/examples/openvpn/keys/ca.key
+share/examples/openvpn/keys/ca/01.pem
+share/examples/openvpn/keys/ca/02.pem
+share/examples/openvpn/keys/ca/03.pem
+share/examples/openvpn/keys/ca/ca.crl
+share/examples/openvpn/keys/ca/ca.crt
+share/examples/openvpn/keys/ca/ca.key
+share/examples/openvpn/keys/ca/client-pass.key
+share/examples/openvpn/keys/ca/client-revoked.crt
+share/examples/openvpn/keys/ca/client-revoked.csr
+share/examples/openvpn/keys/ca/client-revoked.key
+share/examples/openvpn/keys/ca/client.crt
+share/examples/openvpn/keys/ca/client.csr
+share/examples/openvpn/keys/ca/client.key
+share/examples/openvpn/keys/ca/client.p12
+share/examples/openvpn/keys/ca/index.txt
+share/examples/openvpn/keys/ca/index.txt.attr
+share/examples/openvpn/keys/ca/index.txt.attr.old
+share/examples/openvpn/keys/ca/index.txt.old
+share/examples/openvpn/keys/ca/secp256k1.pem
+share/examples/openvpn/keys/ca/serial
+share/examples/openvpn/keys/ca/serial.old
+share/examples/openvpn/keys/ca/server.crt
+share/examples/openvpn/keys/ca/server.csr
+share/examples/openvpn/keys/ca/server.key
share/examples/openvpn/keys/client-ec.crt
share/examples/openvpn/keys/client-ec.key
share/examples/openvpn/keys/client-pass.key
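Review bot: the keys/ca entries ship the sample CA's private keys (ca.key, client.key, server.key, client-pass.key, client.p12) together with its openssl bookkeeping scratch files (index.txt.attr.old, index.txt.old, serial.old). Shipping sample private keys is consistent with the existing keys/ca.key entry above, since these are public test keys, but the *.old files carry no example value and only add churn to the PLIST on every upstream refresh; consider filtering them out in the Makefile's sample-ca loop and here. Whatever set is kept has to match exactly what the `if [ -f $$file ]` loops install, or the package fails its PLIST check.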
@@ -44,6 +70,7 @@
share/examples/openvpn/keys/server-ec.key
share/examples/openvpn/keys/server.crt
share/examples/openvpn/keys/server.key
+share/examples/openvpn/keys/ta.key
share/examples/openvpn/scripts/auth-pam.pl
share/examples/openvpn/scripts/bridge-start
share/examples/openvpn/scripts/bridge-stop
Index: openvpn/distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/net/openvpn/distinfo,v
retrieving revision 1.33
diff -u -u -r1.33 distinfo
--- openvpn/distinfo 8 Jul 2016 08:49:41 -0000 1.33
+++ openvpn/distinfo 8 Mar 2017 06:48:39 -0000
@@ -1,13 +1,7 @@
$NetBSD: distinfo,v 1.33 2016/07/08 08:49:41 jperkin Exp $
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
-SHA1 (patch-ac) = 3071423ae978dd7d1d79cb140325bde96ba8d21b
-SHA1 (patch-ad) = 1e2c34a37157ff9c091e0120817a8c8bae9aef4e
-SHA1 (patch-ae) = fce5d2b7c8ef830cba3df4408af79301f347cafd
-SHA1 (patch-af) = 8d728c36a6eccdebf6c7e5a02d457903b255f4fb
+SHA1 (openvpn-2.4.0.tar.xz) = 704658db39e95ae8d63bb7847e9eb7f638e76631
+RMD160 (openvpn-2.4.0.tar.xz) = d74c5aa854a65d97034023fe8daba1d765e39234
+SHA512 (openvpn-2.4.0.tar.xz) = a6dcd9eb04f9ddd8bb2700fbcb1e532b3fff779fa11b1cb84c3e00d3e25b1011ff0670065d39bbcb0b57160887cce5e136865462b3cc6f673c5d365facbe8d64
+Size (openvpn-2.4.0.tar.xz) = 930948 bytes
SHA1 (patch-src_compat_compat-basename.c) = 45a58ef2e05f6e0265f229da8540760e60e65143
-SHA1 (patch-src_openvpn_socket.c) = 74668d39f5e6fdab64825d38d4b287c8004f5af3
-SHA1 (patch-src_openvpn_socket.h) = b4b952af347e0f2d0aff307a5025b3d27a2e6ee5
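Review bot: `SHA1 (patch-src_compat_compat-basename.c)` is kept while every other patch is dropped, yet the PR description says 2.4.0 builds and passes its tests on NetBSD with no patches at all; confirm that patch still applies to 2.4.0 or delete it and this distinfo line with the others. For the new openvpn-2.4.0.tar.xz lines, record the checksums from a tarball checked against upstream's GPG signature rather than from whatever the fetch happened to return, and keep them byte-identical to the copy in openvpn-acct-wtmpx/distinfo (and openvpn-nagios/distinfo, which Makefile.common also feeds); the later exchange in this PR about a 2.3.15 distinfo that did not match the published archive shows how a checksum taken from the wrong tarball looks to the next person who fetches.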
Index: openvpn/patches/patch-ac
===================================================================
RCS file: openvpn/patches/patch-ac
diff -N openvpn/patches/patch-ac
--- openvpn/patches/patch-ac 8 Jul 2016 08:49:41 -0000 1.11
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,64 +0,0 @@
-$NetBSD: patch-ac,v 1.11 2016/07/08 08:49:41 jperkin Exp $
-
-Support clone devices.
-
---- src/openvpn/tun.c.orig 2011-04-06 16:05:52.000000000 +0000
-+++ src/openvpn/tun.c
-@@ -805,15 +805,15 @@ do_ifconfig (struct tuntap *tt,
- * NetBSD has distinct tun and tap devices
- * so we don't need the "link0" extra parameter to specify we want to do
- * tunneling at the ethernet level
-+ * NB: The tun driver has no broadcast capability.
- */
- argv_printf (&argv,
-- "%s %s %s netmask %s mtu %d broadcast %s",
-+ "%s %s %s netmask %s mtu %d",
- IFCONFIG_PATH,
- actual,
- ifconfig_local,
- ifconfig_remote_netmask,
-- tun_mtu,
-- ifconfig_broadcast
-+ tun_mtu
- );
- argv_msg (M_INFO, &argv);
- openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig failed");
-@@ -1023,7 +1023,37 @@ open_tun_generic (const char *dev, const
- if (dynamic && !has_digit((unsigned char *)dev))
- {
- int i;
-- for (i = 0; i < 256; ++i)
-+#if defined(TAPGIFNAME)
-+ /*
-+ * Perhaps we have a cloning device. Try opening
-+ * the device without any appended digits,
-+ * and use ioctl(,TAPGIFNAME,) to get the resulting
-+ * interface name.
-+ */
-+ openvpn_snprintf (tunname, sizeof (tunname), "/dev/%s", dev);
-+ if ((tt->fd = open (tunname, O_RDWR)) > 0)
-+ {
-+ struct ifreq ifr;
-+ if (ioctl (tt->fd, TAPGIFNAME, (void*)&ifr) < 0)
-+ {
-+ msg (D_READ_WRITE | M_ERRNO,
-+ "ioctl(,TAPGIFNAME,) failed for %s", tunname);
-+ close(tt->fd);
-+ }
-+ else
-+ {
-+ strlcpy (dynamic_name, ifr.ifr_name,
-+ sizeof (dynamic_name));
-+ dynamic_opened = true;
-+ msg (M_INFO, "TUN/TAP dynamic interface %s opened",
-+ dynamic_name);
-+ }
-+ }
-+ if (!dynamic_opened)
-+ msg (D_READ_WRITE | M_ERRNO, "Tried opening %s (failed)",
-+ tunname);
-+#endif /* TAPGIFNAME */
-+ for (i = 0; i < 256 && !dynamic_opened; ++i)
- {
- openvpn_snprintf (tunname, sizeof (tunname),
- "/dev/%s%d", dev, i);
Index: openvpn/patches/patch-ad
===================================================================
RCS file: openvpn/patches/patch-ad
diff -N openvpn/patches/patch-ad
--- openvpn/patches/patch-ad 8 Jul 2016 08:49:41 -0000 1.6
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,26 +0,0 @@
-$NetBSD: patch-ad,v 1.6 2016/07/08 08:49:41 jperkin Exp $
-
-Support IP_PKTINFO and net/if_tap.h
-
---- config.h.in.orig 2016-05-10 06:02:53.000000000 +0000
-+++ config.h.in
-@@ -286,6 +286,9 @@
- /* struct iphdr needed for IPv6 support */
- #undef HAVE_IPHDR
-
-+/* struct in_pktinfo.ipi_spec_dst needed for IP_PKTINFO support */
-+#undef HAVE_IPI_SPEC_DST
-+
- /* Define to 1 if you have the <libgen.h> header file. */
- #undef HAVE_LIBGEN_H
-
-@@ -349,6 +352,9 @@
- /* Define to 1 if you have the <net/if.h> header file. */
- #undef HAVE_NET_IF_H
-
-+/* Define to 1 if you have the <net/if_tap.h> header file. */
-+#undef HAVE_NET_IF_TAP_H
-+
- /* Define to 1 if you have the <net/if_tun.h> header file. */
- #undef HAVE_NET_IF_TUN_H
-
Index: openvpn/patches/patch-ae
===================================================================
RCS file: openvpn/patches/patch-ae
diff -N openvpn/patches/patch-ae
--- openvpn/patches/patch-ae 8 Jul 2016 08:49:41 -0000 1.8
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,37 +0,0 @@
-$NetBSD: patch-ae,v 1.8 2016/07/08 08:49:41 jperkin Exp $
-
-Support IP_PKTINFO and net/if_tap.h
-
---- configure.ac.orig 2013-05-31 12:00:25.000000000 +0000
-+++ configure.ac
-@@ -419,6 +419,7 @@ AC_CHECK_HEADERS([ \
- sys/mman.h sys/file.h sys/wait.h \
- unistd.h signal.h libgen.h stropts.h \
- syslog.h pwd.h grp.h \
-+ net/if_tap.h \
- sys/sockio.h sys/uio.h linux/sockios.h \
- linux/types.h sys/poll.h sys/epoll.h err.h \
- ])
-@@ -433,6 +434,9 @@ SOCKET_INCLUDES="
- #ifdef HAVE_SYS_SOCKET_H
- #include <sys/socket.h>
- #endif
-+#ifdef HAVE_NET_IF_H
-+#include <net/if.h>
-+#endif
- #ifdef HAVE_NETINET_IN_H
- #include <netinet/in.h>
- #endif
-@@ -496,6 +500,12 @@ AC_CHECK_TYPE(
- ,
- [[${SOCKET_INCLUDES}]]
- )
-+AC_CHECK_MEMBER(
-+ [struct in_pktinfo.ipi_spec_dst],
-+ [AC_DEFINE([HAVE_IPI_SPEC_DST], [1], [struct in_pktinfo.ipi_spec_dst needed for IP_PKTINFO support])],
-+ ,
-+ [[${SOCKET_INCLUDES}]]
-+)
- AC_CHECK_TYPE(
- [struct sockaddr_in6],
- ,
Index: openvpn/patches/patch-af
===================================================================
RCS file: openvpn/patches/patch-af
diff -N openvpn/patches/patch-af
--- openvpn/patches/patch-af 8 Jul 2016 08:49:41 -0000 1.9
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,104 +0,0 @@
-$NetBSD: patch-af,v 1.9 2016/07/08 08:49:41 jperkin Exp $
-
-Support IP_PKTINFO and net/if_tap.h
-
---- configure.orig 2013-05-31 12:00:58.000000000 +0000
-+++ configure
-@@ -2405,6 +2405,63 @@ rm -f conftest.val
-
- } # ac_fn_c_compute_int
-
-+# ac_fn_c_check_member LINENO AGGR MEMBER ax_cv_socklen_t_equiv INCLUDES
-+# ----------------------------------------------------------------------
-+# Tries to find if the field MEMBER exists in type AGGR, after including
-+# INCLUDES, setting cache variable VAR accordingly.
-+ac_fn_c_check_member ()
-+{
-+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5
-+$as_echo_n "checking for $2.$3... " >&6; }
-+if eval \${$4+:} false; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+$5
-+int
-+main ()
-+{
-+static $2 ac_aggr;
-+if (ac_aggr.$3)
-+return 0;
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ eval "$4=yes"
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+$5
-+int
-+main ()
-+{
-+static $2 ac_aggr;
-+if (sizeof ac_aggr.$3)
-+return 0;
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ eval "$4=yes"
-+else
-+ eval "$4=no"
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+fi
-+eval ac_res=\$$4
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-+$as_echo "$ac_res" >&6; }
-+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-+
-+} # ac_fn_c_check_member
-+
- # ac_fn_c_check_decl LINENO SYMBOL ax_cv_socklen_t_equiv INCLUDES
- # ---------------------------------------------------------------
- # Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR
-@@ -14182,6 +14239,7 @@ for ac_header in \
- sys/mman.h sys/file.h sys/wait.h \
- unistd.h signal.h libgen.h stropts.h \
- syslog.h pwd.h grp.h \
-+ net/if_tap.h \
- sys/sockio.h sys/uio.h linux/sockios.h \
- linux/types.h sys/poll.h sys/epoll.h err.h \
-
-@@ -14208,6 +14266,9 @@ SOCKET_INCLUDES="
- #ifdef HAVE_SYS_SOCKET_H
- #include <sys/socket.h>
- #endif
-+#ifdef HAVE_NET_IF_H
-+#include <net/if.h>
-+#endif
- #ifdef HAVE_NETINET_IN_H
- #include <netinet/in.h>
- #endif
-@@ -14305,6 +14366,15 @@ $as_echo "#define HAVE_IN_PKTINFO 1" >>c
-
- fi
-
-+ac_fn_c_check_member "$LINENO" "struct in_pktinfo" "ipi_spec_dst" "ac_cv_member_struct_in_pktinfo_ipi_spec_dst" "${SOCKET_INCLUDES}
-+
-+"
-+if test "x$ac_cv_member_struct_in_pktinfo_ipi_spec_dst" = xyes; then :
-+
-+$as_echo "#define HAVE_IPI_SPEC_DST 1" >>confdefs.h
-+
-+fi
-+
- ac_fn_c_check_type "$LINENO" "struct sockaddr_in6" "ac_cv_type_struct_sockaddr_in6" "${SOCKET_INCLUDES}
-
- "
Index: openvpn/patches/patch-src_openvpn_socket.c
===================================================================
RCS file: openvpn/patches/patch-src_openvpn_socket.c
diff -N openvpn/patches/patch-src_openvpn_socket.c
--- openvpn/patches/patch-src_openvpn_socket.c 20 Jul 2014 17:43:29 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,60 +0,0 @@
-$NetBSD: patch-src_openvpn_socket.c,v 1.2 2014/07/20 17:43:29 adam Exp $
-
-Fix for systems without ipi_spec_dst in struct in_pktinfo.
-
---- src/openvpn/socket.c.orig 2014-05-01 11:12:22.000000000 +0000
-+++ src/openvpn/socket.c
-@@ -654,7 +654,7 @@ create_socket_udp (const unsigned int fl
- else if (flags & SF_USE_IP_PKTINFO)
- {
- int pad = 1;
--#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- if (setsockopt (sd, SOL_IP, IP_PKTINFO,
- (void*)&pad, sizeof(pad)) < 0)
- msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO");
-@@ -2254,7 +2254,7 @@ print_link_socket_actual_ex (const struc
- struct openvpn_sockaddr sa;
- CLEAR (sa);
- sa.addr.in4.sin_family = AF_INET;
--#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst;
- if_indextoname(act->pi.in4.ipi_ifindex, ifname);
- #elif defined(IP_RECVDSTADDR)
-@@ -2651,7 +2651,7 @@ link_socket_read_tcp (struct link_socket
- struct openvpn_in4_pktinfo
- {
- struct cmsghdr cmsghdr;
--#ifdef HAVE_IN_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- struct in_pktinfo pi4;
- #elif defined(IP_RECVDSTADDR)
- struct in_addr pi4;
-@@ -2696,7 +2696,7 @@ link_socket_read_udp_posix_recvmsg (stru
- cmsg = CMSG_FIRSTHDR (&mesg);
- if (cmsg != NULL
- && CMSG_NXTHDR (&mesg, cmsg) == NULL
--#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- && cmsg->cmsg_level == SOL_IP
- && cmsg->cmsg_type == IP_PKTINFO
- #elif defined(IP_RECVDSTADDR)
-@@ -2707,7 +2707,7 @@ link_socket_read_udp_posix_recvmsg (stru
- #endif
- && cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo))
- {
--#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA (cmsg);
- from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
- from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst;
-@@ -2802,7 +2802,7 @@ link_socket_write_udp_posix_sendmsg (str
- mesg.msg_namelen = sizeof (struct sockaddr_in);
- mesg.msg_control = &opi;
- mesg.msg_flags = 0;
--#ifdef HAVE_IN_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo);
- cmsg = CMSG_FIRSTHDR (&mesg);
- cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
Index: openvpn/patches/patch-src_openvpn_socket.h
===================================================================
RCS file: openvpn/patches/patch-src_openvpn_socket.h
diff -N openvpn/patches/patch-src_openvpn_socket.h
--- openvpn/patches/patch-src_openvpn_socket.h 31 Jul 2013 06:53:21 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,24 +0,0 @@
-$NetBSD: patch-src_openvpn_socket.h,v 1.1 2013/07/31 06:53:21 adam Exp $
-
-Fix for systems without ipi_spec_dst in struct in_pktinfo.
-
---- src/openvpn/socket.h.orig 2013-07-31 06:03:30.000000000 +0000
-+++ src/openvpn/socket.h
-@@ -84,7 +84,7 @@ struct link_socket_actual
- struct openvpn_sockaddr dest;
- #if ENABLE_IP_PKTINFO
- union {
--#ifdef HAVE_IN_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- struct in_pktinfo in4;
- #elif defined(IP_RECVDSTADDR)
- struct in_addr in4;
-@@ -580,7 +580,7 @@ addr_defined_ipi (const struct link_sock
- #if ENABLE_IP_PKTINFO
- if (!lsa) return 0;
- switch (lsa->dest.addr.sa.sa_family) {
--#ifdef HAVE_IN_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0;
- #elif defined(IP_RECVDSTADDR)
- case AF_INET: return lsa->pi.in4.s_addr != 0;
Index: openvpn-acct-wtmpx/distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/net/openvpn-acct-wtmpx/distinfo,v
retrieving revision 1.10
diff -u -u -r1.10 distinfo
--- openvpn-acct-wtmpx/distinfo 8 Jul 2016 08:50:25 -0000 1.10
+++ openvpn-acct-wtmpx/distinfo 8 Mar 2017 06:48:39 -0000
@@ -1,9 +1,9 @@
$NetBSD: distinfo,v 1.10 2016/07/08 08:50:25 jperkin Exp $
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+SHA1 (openvpn-2.4.0.tar.xz) = 704658db39e95ae8d63bb7847e9eb7f638e76631
+RMD160 (openvpn-2.4.0.tar.xz) = d74c5aa854a65d97034023fe8daba1d765e39234
+SHA512 (openvpn-2.4.0.tar.xz) = a6dcd9eb04f9ddd8bb2700fbcb1e532b3fff779fa11b1cb84c3e00d3e25b1011ff0670065d39bbcb0b57160887cce5e136865462b3cc6f673c5d365facbe8d64
+Size (openvpn-2.4.0.tar.xz) = 930948 bytes
SHA1 (openvpn-acct-wtmpx-20130210.tgz) = cf7bc26b12a65493cdf5db93b03bbb938a2f0f33
RMD160 (openvpn-acct-wtmpx-20130210.tgz) = d9000789f04606bfa17db1597a45a4235b1119ea
SHA512 (openvpn-acct-wtmpx-20130210.tgz) = 7b8fd4929e65d8d84158f62e5a17ff3adb3b4a6cff63b29038acfb368750719f2f593786ed9b02402824c19d872b188d2a46740a5c5f853e8873a71481b13aaf
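Review bot: openvpn-nagios/distinfo is not touched, even though Makefile.common (now moved to openvpn-2.4.0) is used by net/openvpn-nagios/Makefile per its own comment, so that package would fetch openvpn-2.4.0.tar.xz and then fail the checksum against its old 2.3.11 lines. Since the covering message says openvpn-nagios does not compile against 2.4.0 anyway, either give it its own OPENVPN_DISTNAME pinned to 2.3.x or hold this diff until the nagios fix and its distinfo update can go in together, rather than leaving it half-switched.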
--- snap ---
openvpn and openvpn-acct-wtmpx compile with that,
openvpn-nagios doesn't since it wants struct members that don't exist
in 2.4.0. I've done no function tests whatsoever.
regards,
spz
From: Gert Doering <gert@greenie.muc.de>
To: gnats-bugs@NetBSD.org
Cc: Gert Doering <gert@greenie.muc.de>
Subject: Re: pkg/52044 (please bump net/openvpn port to new version)
Date: Thu, 18 May 2017 08:49:06 +0200
Hi,
"bump!" - we're at OpenVPN 2.4.2 (or 2.3.15) now, and that fixes a
remotely-exploitable crash bug. So it would be good to move forward.
(The bug itself is annoying but not devastating - read: you can make the
server ASSERT() and exit, but no way to execute code, steal keys, decrypt
other people's stuff, etc.)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
From: "S.P.Zeidler" <spz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52044 CVS commit: pkgsrc/net
Date: Fri, 19 May 2017 18:11:04 +0000
Module Name: pkgsrc
Committed By: spz
Date: Fri May 19 18:11:04 UTC 2017
Modified Files:
pkgsrc/net/openvpn: Makefile Makefile.common distinfo
pkgsrc/net/openvpn-acct-wtmpx: Makefile distinfo
pkgsrc/net/openvpn-nagios: Makefile distinfo
pkgsrc/net/openvpn/patches: patch-src_openvpn_socket.c
Log Message:
update openvpn to 2.3.15
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044
relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
2017.05.11 -- Version 2.3.15
David Sommerseth (5):
dev-tools: Added script for updating copyright years in files
Update copyrights
docs: Further improve --reneg-bytes and SWEET32 information
git: Merge .gitignore files into a single file
Make --cipher/--auth none more explicit on the risks
Gert Doering (1):
Document --proto udp6, tcp6, etc.
Julien Muchembled (1):
Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset
Steffan Karger (6):
Add missing includes in error.h
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
Document that OpenVPN 2.3 does not check the CRL signature
Introduce and use secure_memzero() to erase secrets
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Don't assert out on receiving too-large control packets (CVE-2017-7478)
2016.12.06 -- Version 2.3.14
Christian Hesse (1):
update year in copyright message
David Sommerseth (1):
Document the --auth-token option
Gert Doering (2):
Repair topology subnet on FreeBSD 11
Repair topology subnet on OpenBSD
Lev Stipakov (1):
Drop recursively routed packets
Selva Nair (4):
Support --block-outside-dns on multiple tunnels
When parsing '--setenv opt xx ..' make sure a third parameter is present
Map restart signals from event loop to SIGTERM during exit-notification wait
Correctly state the default dhcp server address in man page
Steffan Karger (1):
Clean up format_hex_ex()
2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (4):
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
t_client.sh: Add support for Kerberos/ksu
t_client.sh: Improve detection if the OpenVPN process did start during tests
t_client.sh: Add prepare/cleanup possibilties for each test case
Gert Doering (5):
Do not abort t_client run if OpenVPN instance does not start.
Fix t_client runs on OpenSolaris
make t_client robust against sudoers misconfiguration
add POSTINIT_CMD_suf to t_client.sh and sample config
Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
Exclude peer-id from pulled options digest
Fix compilation in pedantic mode
Samuli Seppänen (1):
Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
Fix unittests for out-of-source builds
Make gnu89 support explicit
cleanup: remove code duplication in msg_test()
Update cipher-related man page text
Limit --reneg-bytes to 64MB when using small block ciphers
Add a revoked cert to the sample keys
2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
Move ASSERT so external-key with OpenSSL works again
David Sommerseth (3):
Only build and run cmocka unit tests if its submodule is initialized
Another fix related to unit test framework
Remove NOP function and callers
Dorian Harmans (1):
Add CHACHA20-POLY1305 ciphersuite IANA name translations.
Ivo Manca (1):
Plug memory leak in mbedTLS backend
Jeffrey Cutter (1):
Update contrib/pull-resolv-conf/client.up for no DOMAIN
Jens Neuhalfen (2):
Add unit testing support via cmocka
Add a test for auth-pam searchandreplace
Josh Cepek (1):
Push an IPv6 CIDR mask used by the server, not the pool's size
Leon Klingele (1):
Add link to bug tracker
Samuli Seppänen (2):
Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
Clarify the fact that build instructions in README are for release tarballs
Selva Nair (4):
Make error non-fatal while deleting address using netsh
Make block-outside-dns work with persist-tun
Ignore SIGUSR1/SIGHUP during exit notification
Promptly close the netcmd_semaphore handle after use
Steffan Karger (4):
Fix polarssl / mbedtls builds
Don't limit max incoming message size based on c2->frame
Fix '--cipher none --cipher' crash
Discourage using 64-bit block ciphers
To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 pkgsrc/net/openvpn/Makefile
cvs rdiff -u -r1.5 -r1.6 pkgsrc/net/openvpn/Makefile.common
cvs rdiff -u -r1.33 -r1.34 pkgsrc/net/openvpn/distinfo
cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/openvpn-acct-wtmpx/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/net/openvpn-acct-wtmpx/distinfo
cvs rdiff -u -r1.6 -r1.7 pkgsrc/net/openvpn-nagios/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/net/openvpn-nagios/distinfo
cvs rdiff -u -r1.2 -r1.3 \
pkgsrc/net/openvpn/patches/patch-src_openvpn_socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: manu@netbsd.org (Emmanuel Dreyfus)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
gert@greenie.muc.de
Cc:
Subject: Re: PR/52044 CVS commit: pkgsrc/net
Date: Sun, 21 May 2017 04:39:19 +0200
S.P.Zeidler <spz@netbsd.org> wrote:
> update openvpn to 2.3.15
Hi
I was going to test it, but the size and hash in distinfo does not match
what I get from:
http://swupdate.openvpn.net/community/releases/openvpn-2.3.15.tar.xz
Is it an error in the distinfo, or should this archive be treated with
suspicion?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
From: Gert Doering <gert@greenie.muc.de>
To: Emmanuel Dreyfus <manu@netbsd.org>
Cc: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
gert@greenie.muc.de
Subject: Re: PR/52044 CVS commit: pkgsrc/net
Date: Sun, 21 May 2017 09:56:00 +0200
Hi,
On Sun, May 21, 2017 at 04:39:19AM +0200, Emmanuel Dreyfus wrote:
> S.P.Zeidler <spz@netbsd.org> wrote:
>
> > update openvpn to 2.3.15
>
> I was going to test it, but the size and hash in distinfo does not match
> what I get from:
> http://swupdate.openvpn.net/community/releases/openvpn-2.3.15.tar.xz
>
> Is it an error in the distinfo, or should this archive be treated with
> suspicion?
This archive is actually good, but the way there was thorny.
2.3.15 was prepared "in the close" (due to the two CVEs and the embargo
on details and patches) and the colleagues managed to produce two different
tarballs, both of them not "really" correct (one was missing a patch,
the other one contained erroneous .so files).
We've released 2.3.16 last Thursday with the normal release process
("everything in the open, taking public git with the published tag to
build tarballs from it"). It has a few small fixes 2.3.15, but most
important, it's one single tarball with one single GPG signature.
While at it, we decided to re-package 2.3.15 into a proper tarball that
matches the git tag, *and* has no extra garbage in it - so there's three
different 2.3.15 tarballs floating around now. I think distinfo has
the checksum of the "good source, but extra files in" tarball, while
swupdate has the new one now.
Long story cut short: please bump to 2.3.16.
Apologies again...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert@net.informatik.tu-muenchen.de
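The mismatch Manu ran into, and the three differently built 2.3.15 tarballs Gert describes, are exactly what the distinfo checksums exist to catch. The following is an added example, not pkgsrc or OpenVPN code: it parses distinfo-style records (`SHA1 (file) = ...`, `Size (file) = N bytes`) and checks a fetched file against every recorded value, so that an archive rebuilt with extra files in it is rejected outright. The distfile bytes, its name and the distinfo block are constructed inside the block; RMD160 is computed only where the Python build's OpenSSL still offers it and is otherwise reported as skipped.

```python
"""Check a fetched distfile against pkgsrc-style distinfo records.

Added example, not pkgsrc or OpenVPN code. The sample distfile, its
name and the distinfo block are constructed here; the checksums are
computed from those bytes, not taken from any real OpenVPN release.
"""
import hashlib
import re

# distinfo line shapes as they appear in this PR's diff:
#   SHA1 (openvpn-2.4.0.tar.xz) = 704658db...
#   Size (openvpn-2.4.0.tar.xz) = 930948 bytes
DISTINFO_RE = re.compile(r"^(\w+) \(([^)]+)\) = (\S+)( bytes)?$")

# distinfo algorithm names mapped to hashlib names
ALGOS = {"SHA1": "sha1", "RMD160": "ripemd160", "SHA512": "sha512"}


def parse_distinfo(text):
    """Return {filename: {algo: value}}; lines that are not of the form
    'ALGO (file) = value' (such as the $NetBSD RCS tag) are ignored."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if m:
            algo, fname, value, _ = m.groups()
            entries.setdefault(fname, {})[algo] = value
    return entries


def digest(algo, data):
    """Hex digest for a distinfo algorithm, or None when this Python/OpenSSL
    build cannot compute it (RMD160 is absent on OpenSSL 3 without the
    legacy provider)."""
    name = ALGOS.get(algo)
    if name is None:
        return None
    try:
        return hashlib.new(name, data).hexdigest()
    except ValueError:
        return None


def verify(fname, data, entries):
    """Compare data with every value recorded for fname.

    Returns (ok, report); report maps each algo to 'ok', 'MISMATCH' or
    'skipped'. ok is False for any mismatch, for an unknown file, and
    when nothing could actually be checked."""
    if fname not in entries:
        return False, {}
    report, ok = {}, True
    for algo, expected in entries[fname].items():
        actual = str(len(data)) if algo == "Size" else digest(algo, data)
        if actual is None:
            report[algo] = "skipped"
        elif actual.lower() == expected.lower():
            report[algo] = "ok"
        else:
            report[algo] = "MISMATCH"
            ok = False
    if all(v == "skipped" for v in report.values()):
        ok = False
    return ok, report


def make_distinfo(fname, data):
    """Emit distinfo lines for data in the shape pkgsrc records them."""
    lines = [f"{algo} ({fname}) = {digest(algo, data)}"
             for algo in ALGOS if digest(algo, data) is not None]
    lines.append(f"Size ({fname}) = {len(data)} bytes")
    return "\n".join(lines)


# Constructed sample standing in for a fetched distfile (not a real tarball).
SAMPLE_NAME = "example-distfile.tar.xz"
SAMPLE_DATA = b"constructed sample distfile contents\n" * 64
SAMPLE_DISTINFO = "$NetBSD$\n" + make_distinfo(SAMPLE_NAME, SAMPLE_DATA)
# Same name, different build: a few extra bytes, as with the rebuilt 2.3.15 tarballs.
ALTERED_DATA = SAMPLE_DATA + b"extra file\n"


def check(data=SAMPLE_DATA, distinfo=SAMPLE_DISTINFO):
    """Verify data for the sample distfile name against a distinfo block."""
    return verify(SAMPLE_NAME, data, parse_distinfo(distinfo))


if __name__ == "__main__":
    for label, data in (("original", SAMPLE_DATA), ("altered", ALTERED_DATA)):
        ok, report = check(data)
        print(f"{label}: {'OK' if ok else 'REJECT'} {report}")
```

Treat a MISMATCH as a failed fetch. The right fix is the one this thread ended up with, establishing which tarball upstream actually signed, never regenerating distinfo from whatever file the mirror handed out.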
From: manu@netbsd.org (Emmanuel Dreyfus)
To: gert@greenie.muc.de (Gert Doering)
Cc: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: PR/52044 CVS commit: pkgsrc/net
Date: Mon, 22 May 2017 13:12:42 +0200
Gert Doering <gert@greenie.muc.de> wrote:
> Long story cut short: please bump to 2.3.16.
I have to 2.3.16 packages ready, I will be testing tomorrow before
committing (if tests are good!)
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
From: manu@netbsd.org (Emmanuel Dreyfus)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
gert@greenie.muc.de
Cc:
Subject: Re: PR/52044 CVS commit: pkgsrc/net
Date: Tue, 23 May 2017 06:07:04 +0200
Emmanuel Dreyfus <manu@netbsd.org> wrote:
> I have to 2.3.16 packages ready, I will be testing tomorrow before
> committing (if tests are good!)
It works fine. I will commit in a few hours if nobody complains.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
From: Emmanuel Dreyfus <manu@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: manu@NetBSD.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org,
gert@greenie.muc.de
Subject: Re: PR/52044 CVS commit: pkgsrc/net
Date: Wed, 24 May 2017 07:29:11 +0000
On Tue, May 23, 2017 at 04:10:00AM +0000, Emmanuel Dreyfus wrote:
> It works fine. I will commit in a few hours if nobody complains.
But I did not notice the update 3 days ago by Petra. Now I need to
merge the patches again and retest.
--
Emmanuel Dreyfus
manu@netbsd.org
State-Changed-From-To: open->closed
State-Changed-By: adam@NetBSD.org
State-Changed-When: Wed, 24 May 2017 20:37:35 +0000
State-Changed-Why:
The package has been updated.
From: manu@netbsd.org (Emmanuel Dreyfus)
To: gnats-bugs@NetBSD.org, pkgsrc-bugs@netbsd.org, gnats-admin@netbsd.org,
adam@NetBSD.org, gert@greenie.muc.de
Cc:
Subject: Re: pkg/52044 (please bump net/openvpn port to new version)
Date: Thu, 25 May 2017 06:03:49 +0200
<adam@NetBSD.org> wrote:
> The package has been updated.
To 2.3.15, but they have a 2.3.16 now.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
>Unformatted: