
(-)Makefile (-16 / +6 lines)
Lines 2-9 Link Here
2
# $FreeBSD$
2
# $FreeBSD$
3
3
4
PORTNAME=		openvpn
4
PORTNAME=		openvpn
5
DISTVERSION=		201907
5
DISTVERSION=		201935
6
CATEGORIES=		security net net-vpn
6
CATEGORIES=		security net 
7
MASTER_SITES=		https://secure-computing.net/files/openvpn/ \
7
MASTER_SITES=		https://secure-computing.net/files/openvpn/ \
8
			ftp://ftp2.secure-computing.net/pub/FreeBSD/openvpn-devel/
8
			ftp://ftp2.secure-computing.net/pub/FreeBSD/openvpn-devel/
9
PKGNAMESUFFIX=		-devel
9
PKGNAMESUFFIX=		-devel
Lines 41-47 Link Here
41
OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
41
OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
42
PKCS11_DESC=		Use security/pkcs11-helper
42
PKCS11_DESC=		Use security/pkcs11-helper
43
EASYRSA_DESC=		Install security/easy-rsa RSA helper package
43
EASYRSA_DESC=		Install security/easy-rsa RSA helper package
44
MBEDTLS_DESC=		SSL/TLS via mbedTLS
44
MBEDTLS_DESC=		SSL/TLS via mbedTLS (lacks TLS v1.3)
45
TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
45
TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
46
X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
46
X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
47
SMALL_DESC=		Build a smaller executable with fewer features
47
SMALL_DESC=		Build a smaller executable with fewer features
Lines 62-67 Link Here
62
62
63
OPENSSL_USES=		ssl
63
OPENSSL_USES=		ssl
64
OPENSSL_CONFIGURE_ON=	--with-crypto-library=openssl
64
OPENSSL_CONFIGURE_ON=	--with-crypto-library=openssl
65
IGNORE_SSL=		libressl libressl-devel
65
66
66
LZ4_CONFIGURE_OFF=	--disable-lz4
67
LZ4_CONFIGURE_OFF=	--disable-lz4
67
68
Lines 115-136 Link Here
115
_tlslibs=libssl libcrypto
116
_tlslibs=libssl libcrypto
116
.endif
117
.endif
117
118
118
.if ${SSL_DEFAULT:Mlibressl*} && empty(PORT_OPTIONS:MMBEDTLS)
119
pre-everything::
120
	@${ECHO_CMD} "WARNING: OpenVPN does not officially support LibreSSL."
121
	@${ECHO_CMD} "If things break, rebuild with OpenSSL or mbedTLS."
122
	@${ECHO_CMD} "You may wish to change your default SSL library"
123
	@${ECHO_CMD} "and press Ctrl+C within the next 10 seconds to abort."
124
.  if !(defined(PACKAGE_BUILDING) || defined(BATCH))
125
	@sleep 10
126
.  endif
127
.endif
128
129
# sanity check that we don't inherit incompatible SSL libs through,
119
# sanity check that we don't inherit incompatible SSL libs through,
130
# for instance, pkcs11-helper:
120
# for instance, pkcs11-helper:
131
post-build:
121
post-build:
132
	   @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
122
	@a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
133
	| ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
123
	|	${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
134
	if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi
124
	if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi
135
125
136
post-install:
126
post-install:
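Review bot: The LibreSSL safeguards look like they are dropped with nothing in their place: `IGNORE_SSL= libressl libressl-devel` (Lines 62-67) and the whole `pre-everything::` warning block (Lines 115-136) carry a gutter number on one side only, which I read as removed, though the +/- markers are lost on this page. After that the port builds against LibreSSL without any notice, while the dropped text itself states that OpenVPN does not officially support it. If LibreSSL is meant to work now, keep the `@${ECHO_CMD}` warning lines (the `sleep 10` can go) or add a comment such as `# LibreSSL: builds only with files/patch-src_openvpn_openssl__compat.h, unsupported upstream`. Also, `CATEGORIES=		security net ` ends in trailing whitespace and no longer lists `net-vpn`; please confirm that is intended and not a stale checkout.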
(-)distinfo (-3 / +3 lines)
Lines 1-3 Link Here
1
TIMESTAMP = 1550580278
1
TIMESTAMP = 1567798649
2
SHA256 (openvpn-201907.tar.xz) = 1e2394ca6582877c90fc3d9948cfb1b1c1aaa2383c02af62410d5a51f812ff68
2
SHA256 (openvpn-201935.tar.xz) = a34dc87188ae38f148e99cc129db2ed05e33c7b41237373b34b5d711481cfc5f
3
SIZE (openvpn-201907.tar.xz) = 995288
3
SIZE (openvpn-201935.tar.xz) = 1002220
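--- a/files/patch-configure
+++ b/files/patch-configure
@@ -1,11 +0,0 @@
---- configure.orig	2016-08-23 14:19:07 UTC
-+++ configure
-@@ -17160,8 +17160,6 @@ fi
- $as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated.  Unit testing cannot be performed." >&6; }
-    fi
- else
--   { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available.  Unit testing cannot be performed." >&5
--$as_echo "!! WARNING !! CMake is NOT available.  Unit testing cannot be performed." >&6; }
-     if false; then
-   CMOCKA_INITIALIZED_TRUE=
-   CMOCKA_INITIALIZED_FALSE='#'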
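--- a/files/patch-src_openvpn_openssl__compat.h
+++ b/files/patch-src_openvpn_openssl__compat.h
@@ -0,0 +1,20 @@
+--- src/openvpn/openssl_compat.h.orig	2019-02-20 12:28:23 UTC
++++ src/openvpn/openssl_compat.h
+@@ -735,7 +735,7 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
+ }
+ #endif /* SSL_CTX_get_max_proto_version */
+ 
+-#ifndef SSL_CTX_set_min_proto_version
++#if !defined(SSL_CTX_set_min_proto_version) && !defined(LIBRESSL_VERSION_NUMBER)
+ /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */
+ static inline int
+ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
+@@ -764,7 +764,7 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_v
+ }
+ #endif /* SSL_CTX_set_min_proto_version */
+ 
+-#ifndef SSL_CTX_set_max_proto_version
++#if !defined(SSL_CTX_set_max_proto_version) && !defined(LIBRESSL_VERSION_NUMBER)
+ /** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */
+ static inline int
+ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)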
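Review bot: The new `!defined(LIBRESSL_VERSION_NUMBER)` condition on both `#if` lines compiles out the `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` fallbacks for every LibreSSL release, so it presumes the linked LibreSSL ships these functions itself. These two calls are what enforce the configured TLS version floor and ceiling, so the assumption deserves to be written down; an older LibreSSL would presumably fail to compile rather than run without the limits, but that is not visible here. I would add a comment above each guard, e.g. `/* LibreSSL provides this as a real function, not a macro, so #ifndef alone would redefine it */`, and, if a minimum LibreSSL version is known, test it explicitly instead of the bare `defined()`. The bodies of both static inline functions lie outside the hunks.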
(-)pkg-descr (-1 / +1 lines)
Lines 10-13 Link Here
10
10
11
DO NOT USE IN PRODUCTION WITHOUT CAUTION
11
DO NOT USE IN PRODUCTION WITHOUT CAUTION
12
12
13
WWW: http://openvpn.net/
13
WWW: http://openvpn.net/index.php/open-source.html
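--- a/pkg-help
+++ b/pkg-help
@@ -0,0 +1,10 @@
+Note that "Tunnelblick" is a controversial option.
+It is included for compatibility, not enabled by default,
+and should only be used with due consideration, and it should not
+replace proper cryptography use in OpenVPN.
+
+Note that this patch does NOT add documentation for the new --scramble
+option, neither to the --help output, nor the manual page.
+
+Please see this website for a more detailed discussion:
+https://tunnelblick.net/cOpenvpn_xorpatch.html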
