| author | Matthias Andree <mandree@FreeBSD.org> | 2015-05-04 23:08:02 +0000 |
|---|---|---|
| committer | Matthias Andree <mandree@FreeBSD.org> | 2015-05-04 23:08:02 +0000 |
| commit | 7649ac1704036feb865fb8514c139e08d33963db (patch) | |
| tree | 6684bc66600f5280971372760d47e9c34d5a179b /security/openvpn/files/EF2.patch | |
| parent | USE_GITHUB: Treat 'V' special just as 'v' is for DISTVERSIONPREFIX. (diff) | |
+ Update patch set for crypto engine fix [1].
Change option name so it is presented anew, default disabled.
+ Add openvpn-client wrapper script and up/down scripts to trigger
resolvconf, with minor edits. [2]
+ Set proper PLUGIN_LIBDIR so that plugins in the default directory can
be found with relative paths.
+ Compile shipped plugins with -fPIC.
PR: 195004 [1]
PR: 199529 [2]
Submitted by: yuri@rawbw.com [2]
Obtained from: https://community.openvpn.net/openvpn/ticket/480#comment:21
Diffstat (limited to 'security/openvpn/files/EF2.patch')
| -rw-r--r-- | security/openvpn/files/EF2.patch | 186 |
1 files changed, 186 insertions, 0 deletions
diff --git a/security/openvpn/files/EF2.patch b/security/openvpn/files/EF2.patch
new file mode 100644
index 000000000000..cd983cfc84e4
--- /dev/null
+++ b/security/openvpn/files/EF2.patch
@@ -0,0 +1,186 @@
+
+[Openvpn-devel] [PATCH] Call daemon() before initializing crypto library
+From: Steffan Karger <steffan@ka...> - 2015-04-27 14:29:09
+
+But keep the chdir to / at the place where deamon() was before, to preserve
+the current behaviour wrt relative paths in the config.
+
+This should fix the issue reported in trac #480, without changing the
+behaviour visible to the end user.
+
+Note that by moving the daemon() call to an earlier stage of the init
+process, we no longer have to call platform_mlockall() again, or do a
+pkcs11_forkFixup().
+
+Signed-off-by: Steffan Karger <steffan@...>
+---
+ src/openvpn/init.c | 32 +++++++++++---------------------
+ src/openvpn/init.h | 2 ++
+ src/openvpn/openvpn.c | 4 ++++
+ src/openvpn/pkcs11.c | 5 -----
+ src/openvpn/pkcs11.h | 3 ---
+ 5 files changed, 17 insertions(+), 29 deletions(-)
+
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index 73c6aff..5b22c38 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -916,23 +916,20 @@ do_persist_tuntap (const struct options *options)
+ * Should we become a daemon?
+ * Return true if we did it.
+ */
+-static bool
++bool
+ possibly_become_daemon (const struct options *options)
+ {
+ bool ret = false;
+ if (options->daemon)
+ {
+ ASSERT (!options->inetd);
+- if (daemon (options->cd_dir != NULL, options->log) < 0)
++ /* Don't chdir immediately, but the end of the init sequence, if needed */
++ if (daemon (1, options->log) < 0)
+ msg (M_ERR, "daemon() failed or unsupported");
+ restore_signal_state ();
+ if (options->log)
+ set_std_files_to_null (true);
+
+-#if defined(ENABLE_PKCS11)
+- pkcs11_forkFixup ();
+-#endif
+-
+ ret = true;
+ }
+ return ret;
+@@ -1809,15 +1806,11 @@ do_deferred_options (struct context *c, const unsigned int found)
+ * Possible hold on initialization
+ */
+ static bool
+-do_hold (struct context *c)
++do_hold (void)
+ {
+ #ifdef ENABLE_MANAGEMENT
+ if (management)
+ {
+- /* if c is defined, daemonize before hold */
+- if (c && c->options.daemon && management_should_daemonize (management))
+- do_init_first_time (c);
+-
+ /* block until management hold is released */
+ if (management_hold (management))
+ return true;
+@@ -1867,7 +1860,7 @@ socket_restart_pause (struct context *c)
+ c->persist.restart_sleep_seconds = 0;
+
+ /* do managment hold on context restart, i.e. second, third, fourth, etc. initialization */
+- if (do_hold (NULL))
++ if (do_hold ())
+ sec = 0;
+
+ if (sec)
+@@ -1886,7 +1879,7 @@ do_startup_pause (struct context *c)
+ if (!c->first_time)
+ socket_restart_pause (c);
+ else
+- do_hold (NULL); /* do management hold on first context initialization */
++ do_hold (); /* do management hold on first context initialization */
+ }
+
+ /*
+@@ -2743,7 +2736,7 @@ do_compute_occ_strings (struct context *c)
+ static void
+ do_init_first_time (struct context *c)
+ {
+- if (c->first_time && !c->did_we_daemonize && !c->c0)
++ if (c->first_time && !c->c0)
+ {
+ struct context_0 *c0;
+
+@@ -2758,12 +2751,9 @@ do_init_first_time (struct context *c)
+ /* get --writepid file descriptor */
+ get_pid_file (c->options.writepid, &c0->pid_state);
+
+- /* become a daemon if --daemon */
+- c->did_we_daemonize = possibly_become_daemon (&c->options);
+-
+- /* should we disable paging? */
+- if (c->options.mlock && c->did_we_daemonize)
+- platform_mlockall (true); /* call again in case we daemonized */
++ /* perform postponed chdir if --daemon */
++ if (c->did_we_daemonize && c->options.cd_dir == NULL)
++ platform_chdir("/");
+
+ /* save process ID in a file */
+ write_pid (&c0->pid_state);
+@@ -3221,7 +3211,7 @@ open_management (struct context *c)
+ }
+
+ /* initial management hold, called early, before first context initialization */
+- do_hold (c);
++ do_hold ();
+ if (IS_SIG (c))
+ {
+ msg (M_WARN, "Signal received from management interface, exiting");
+diff --git a/src/openvpn/init.h b/src/openvpn/init.h
+index 5a1d1dc..d1908ed 100644
+--- a/src/openvpn/init.h
++++ b/src/openvpn/init.h
+@@ -55,6 +55,8 @@ bool do_genkey (const struct options *options);
+
+ bool do_persist_tuntap (const struct options *options);
+
++bool possibly_become_daemon (const struct options *options);
++
+ void pre_setup (const struct options *options);
+
+ void init_instance_handle_signals (struct context *c, const struct env_set *env, const unsigned int flags);
+diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
+index fd87fc1..2f327f3 100644
+--- a/src/openvpn/openvpn.c
++++ b/src/openvpn/openvpn.c
+@@ -229,6 +229,10 @@ openvpn_main (int argc, char *argv[])
+ if (do_test_crypto (&c.options))
+ break;
+
++ /* become a daemon if --daemon */
++ if (c.first_time)
++ c.did_we_daemonize = possibly_become_daemon (&c.options);
++
+ #ifdef ENABLE_MANAGEMENT
+ /* open management subsystem */
+ if (!open_management (&c))
+diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
+index 3a15ef6..a1f13c5 100644
+--- a/src/openvpn/pkcs11.c
++++ b/src/openvpn/pkcs11.c
+@@ -336,11 +336,6 @@ pkcs11_terminate () {
+ );
+ }
+
+-void
+-pkcs11_forkFixup () {
+- pkcs11h_forkFixup ();
+-}
+-
+ bool
+ pkcs11_addProvider (
+ const char * const provider,
+diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
+index 4261871..b49401c 100644
+--- a/src/openvpn/pkcs11.h
++++ b/src/openvpn/pkcs11.h
+@@ -38,9 +38,6 @@ pkcs11_initialize (
+ void
+ pkcs11_terminate ();
+
+-void
+-pkcs11_forkFixup ();
+-
+ bool
+ pkcs11_addProvider (
+ const char * const provider,
+--
+2.1.4
+
+
+
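Review bot: The new daemonize call in `openvpn_main` (inner hunk `@@ -229,6 +229,10 @@`) appears to drop the `management_should_daemonize (management)` gate that the removed lines in `do_hold` applied, so with `--daemon` the process now forks before the management hold is entered regardless of what the management client requested; if that is intended, the bundled patch's "without changing the behaviour visible to the end user" claim deserves a caveat in the port's commit message or a comment in the patch. The new ordering is also a correctness precondition rather than a style choice: removing `pkcs11_forkFixup ()` and the second `platform_mlockall (true)` is only safe as long as no PKCS#11, engine or mlock setup runs before this point, and nothing at the call site records that. I would add `/* Must precede any crypto/PKCS#11 initialisation: forking in daemon() afterwards would require pkcs11_forkFixup() and re-mlockall (trac #480). */` above the new `if (c.first_time)`. The unchecked `platform_chdir("/")` in `do_init_first_time` mirrors what `daemon(0, ...)` silently did before, so it is a behaviour-preserving choice, though a debug-level message on failure would aid troubleshooting of relative-path configs. `openvpn_main` and `do_init_first_time` both continue outside the hunk.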
