authorRenato Botelho <garga@FreeBSD.org>2005-08-19 18:48:34 +0000
committerRenato Botelho <garga@FreeBSD.org>2005-08-19 18:48:34 +0000
commit0f64e52705d69159d709754fd9a48a6623a6cd96 (patch)
tree59b40faa77773bf366e51b65a76c5fb31234cb4d /security/openvpn/files
parent. NUL terminate a string. Fixes a segmentation fault that shows up (diff)
- Security update to version 2.0.1, fixing four denial of service bugs,
CAN-2005-2531, CAN-2005-2532, CAN-2005-2533, CAN-2005-2534 - Drop old init script and add a modern rcNG script in its place, requested by Matthias Grimm and Dirk Gouders (although the script below is one I, Matthias Andree, wrote). It can automatically load tun/tap drivers. - move pkg-message to files/pkg-message.in, revise it, list it in SUB_FILES to expand ${PREFIX}. - print pkg-message after installation from port - switch to official "make check" as smoke-test, rather than wiring our own. - prefer LZO2 in most situations, as OpenVPN will pick up LZO2 rather than LZO1 if both are installed. PR: ports/85109 Submitted by: maintainer Approved by: portmgr (krion)
Diffstat (limited to 'security/openvpn/files')
-rw-r--r--security/openvpn/files/openvpn.sh.in99
-rw-r--r--security/openvpn/files/openvpn.sh.sample19
-rw-r--r--security/openvpn/files/pkg-message.in18
3 files changed, 117 insertions, 19 deletions
diff --git a/security/openvpn/files/openvpn.sh.in b/security/openvpn/files/openvpn.sh.in
new file mode 100644
index 000000000000..37d8ba5129de
--- /dev/null
+++ b/security/openvpn/files/openvpn.sh.in
@@ -0,0 +1,99 @@
+#!/bin/sh
+#
+# openvpn.sh - load tun/tap driver and start OpenVPN daemon
+#
+# (C) Copyright 2005 by Matthias Andree
+# based on suggestions by Matthias Grimm and Dirk Gouders
+#
+# Made in Northrhine-Westphalia, Germany
+#
+# $FreeBSD$
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: openvpn
+# REQUIRE: DAEMON
+# BEFORE:
+# KEYWORD: FreeBSD shutdown
+
+# -----------------------------------------------------------------------------
+#
+# Add the following lines to /etc/rc.conf to enable openvpn at boot-up time:
+#
+# openvpn_enable="YES" # YES or NO
+# openvpn_if="tun" # driver(s) to load, set to "tun", "tap" or "tun tap"
+#
+# # optional:
+# openvpn_flags="" # openvpn command line flags
+# openvpn_config="%%PREFIX%%/etc/openvpn/openvpn.conf" # --config file
+# openvpn_dir="%%PREFIX%%/etc/openvpn" # --cd directory
+#
+# You also need to set openvpn_configfile and openvpn_dir, if the configuration
+# file and directory where keys and certificates reside differ from the above
+# settings.
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see openvpn(8).
+#
+
+. %%RC_SUBR%%
+
+name=openvpn
+rcvar=`set_rcvar`
+
+prefix="%%PREFIX%%"
+
+openvpn_precmd()
+{
+ for i in $openvpn_if ; do
+ if ! sysctl debug.if_${i}_debug >/dev/null 2>&1 ; then
+ if ! kldload if_${i} ; then
+ warn "Could not load $i module."
+ return 1
+ fi
+ fi
+ done
+ return 0
+}
+
+stop_postcmd()
+{
+ rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+# support SIGHUP to reparse configuration file
+extra_commands="reload"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+
+# command and arguments
+command="%%PREFIX%%/sbin/${name}"
+
+# run this first
+start_precmd="openvpn_precmd"
+# and this last
+stop_postcmd="stop_postcmd"
+
+load_rc_config ${name}
+: ${openvpn_enable="NO"}
+: ${openvpn_flags=""}
+: ${openvpn_if=""}
+: ${openvpn_configfile="${prefix}/etc/openvpn/openvpn.conf"}
+: ${openvpn_dir="${prefix}/etc/openvpn"}
+required_files="${openvpn_configfile}"
+command_args="--cd ${openvpn_dir} --daemon --config ${openvpn_configfile} --writepid ${pidfile}"
+run_rc_command "$1"
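Review bot: The rc.conf example in the header documents `openvpn_config=` (line 64), but the script only reads `openvpn_configfile` (lines 119 and 121), so an administrator who copies the example sets a variable that is never consulted and the daemon silently starts with the default config file; the header should read `# openvpn_configfile="%%PREFIX%%/etc/openvpn/openvpn.conf" # --config file` to match the prose on line 67. The driver probe in openvpn_precmd appears to rely on a `debug.if_<if>_debug` sysctl existing for each loaded driver; if a driver does not expose that sysctl, kldload is attempted on an already-loaded module and, should that call return non-zero, start would fail with a misleading "Could not load" warning, so it may be worth adding a comment stating the assumption, e.g. `# assumes every supported driver registers debug.if_<name>_debug when loaded`. `command_args` and the `kldload if_${i}` argument are unquoted; that is harmless for the trusted rc.conf values in use here, but quoting `"${openvpn_dir}"` and `"${openvpn_configfile}"` on line 122 would make paths with spaces work.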
diff --git a/security/openvpn/files/openvpn.sh.sample b/security/openvpn/files/openvpn.sh.sample
deleted file mode 100644
index a906ecf44425..000000000000
--- a/security/openvpn/files/openvpn.sh.sample
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /bin/sh
-# (C) 2002 by Matthias Andree
-
-# This file may be redistributed according to the terms of the GNU General
-# Public License, version 2 (two).
-
-# To use this script, rename it to openvpn.sh and make sure it is
-# executable for the owner.
-
-# This file rouses a security warning at port install time. However, this
-# file itself does not start network services, but it loads a kernel driver.
-# The security of this file therefore depends on the security of kldload and
-# the if_tap driver.
-
-case x$1 in
- xstart) echo -n ' if_tap' ; exec kldload if_tap ;;
- xstop) echo -n ' if_tap' ; exec kldunload if_tap ;;
- *) echo >&2 "Usage: $0 {start|stop}"
-esac
diff --git a/security/openvpn/files/pkg-message.in b/security/openvpn/files/pkg-message.in
new file mode 100644
index 000000000000..0bf579b261d3
--- /dev/null
+++ b/security/openvpn/files/pkg-message.in
@@ -0,0 +1,18 @@
+### ------------------------------------------------------------------------
+### The OpenVPN port, since v2.0.1, uses rcNG to start OpenVPN.
+### Edit /etc/rc.conf to start OpenVPN automatically at system startup.
+### See %%PREFIX%%/etc/rc.d/openvpn.sh for details.
+### ------------------------------------------------------------------------
+### To get OpenVPN 2.0 to talk with the 1.5/1.6 versions, you may need to
+### edit the 1.X configuration file by adding these lines:
+### tun-mtu 1500
+### tun-mtu-extra 32
+### mssfix 1450
+### key-method 2 <- this key-method line only for TLS setups
+### - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+### WARNING: THE DEFAULT PORT HAS CHANGED AND IS NOW 1194!
+### OpenVPN 1.6 and older used 5000 rather than 1194 as their default
+### port, so add the proper port options to your configuration file!
+### ------------------------------------------------------------------------
+### For further compatibility, see <http://openvpn.net/relnotes.html>
+### ------------------------------------------------------------------------