Commit message | Author | Age | Files | Lines
* 098edbb1 2020-05-20 | Switch assertion failure to returning false [Jeremy Evans]
* fc029714 2020-05-30 | pool: prevent IPv6 pools to be larger than 2^16 addresses [Antonio Quartulli]
* 38b46e6b 2020-02-20 | Persist management-query-remote and proxy prompts [Selva Nair]
MFH: 2020Q2 (blanket approval for stability fixes)
Arne Schwabe's OpenSSL fix for Debian Bug#958296
"Fix tls_ctx_client/server_new leaving error on OpenSSL error stack"
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958296> [1]
Selva Nair's auth-pam fixes
"Parse static challenge response in auth-pam plugin"
"Accept empty password and/or response in auth-pam plugin"
Re-diff (with make makepatch) older patches.
Reported by: Jonas Andradas via Debian BTS
Obtained from: Arne Schwabe, Selva Nair <https://github.com/OpenVPN/openvpn/tree/release/2.4>
MFH: 2020Q2 (blanket for backporting reliability fixes)
At the same time, remove ASYNC_PUSH_LIBS workaround from [1].
Changelog (high-level):
https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-249
Git changelog, marking the three fixes that were already in 2.4.8_3
as cherry-picks with a 1, 2, or 3 instead of "*" to correspond
with the PORTREVISION, and those with "-" that are specific to other systems,
say, Windows.
* 9b0dafca 2020-04-16 | Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst) (tag: v2.4.9) [Gert Doering]
3 f7b318f8 2020-04-15 | Fix illegal client float (CVE-2020-11810) [Lev Stipakov]
* 9bb285e3 2020-03-13 | Fix broken async push with NCP is used [Lev Stipakov]
- 5f8a9df1 2020-02-12 | Allow unicode search string in --cryptoapicert option [Selva Nair]
- 4658b3b6 2020-02-12 | Skip expired certificates in Windows certificate store [Selva Nair]
* df5ea7f1 2020-02-19 | Fix possible access of uninitialized pipe handles [Selva Nair]
* 1d9e0be2 2020-02-19 | Fix possibly uninitialized return value in GetOpenvpnSettings() [Selva Nair]
* 5ee76a8f 2020-03-28 | Fix OpenSSL 1.1.1 not using auto elliptic curve selection [Arne Schwabe]
* ed925c0a 2020-04-07 | OpenSSL: Fix --crl-verify not loading multiple CRLs in one file [Maxim Plotnikov]
* 2fe84732 2020-03-30 | When auth-user-pass file has no password query the management interface (if available). [Selva Nair]
* 908eae5c 2020-04-03 | Move querying username/password from management interface to a function [Selva Nair]
* 15bc476f 2020-04-02 | Fix OpenSSL error stack handling of tls_ctx_add_extra_certs [Arne Schwabe]
* 22df79bb 2020-04-01 | Fetch OpenSSL versions via source/old links [Arne Schwabe]
* 0efbd8e9 2020-03-31 | mbedTLS: Make sure TLS session survives move [Tom van Leeuwen]
* 33395693 2020-03-25 | docs: Add reference to X509_LOOKUP_hash_dir(3) [WGH]
* 7d19b2bb 2019-10-21 | Fix OpenSSL private key passphrase notices [Santtu Lakkala]
2 8484f37a 2020-03-14 | Fix building with --enable-async-push in FreeBSD [Lev Stipakov]
* 69bbfbdf 2020-02-18 | Swap the order of checks for validating interactive service user [Selva Nair]
* 0ba4f916 2019-11-09 | socks: use the right function when printing struct openvpn_sockaddr [Antonio Quartulli]
1 3bd91cd0 2019-10-30 | Fix broken fragmentation logic when using NCP [Lev Stipakov]
PR: 244286 [1]
MFH: 2020Q2 (patchlevel bugfix release)
There is a time frame between allocating peer-id and initializing data
channel key (which is performed on receiving push request or on async
push-reply) in which the existing peer-id float checks do not work right.
If a "rogue" data channel packet arrives during that time frame from another
address and with the same peer-id, this would cause the client to float to that new
address.
The net effect of this behaviour is that the VPN session for the "victim
client" is broken. Since the "attacker client" does not have suitable keys,
it cannot inject or steal VPN traffic from the other session. The time
window is small and it cannot be used to attack a specific client's session,
unless some other way is found to make it disconnect and reconnect first.
This fix is inherited by the openvpn-mbedtls slave port.
Obtained from: Lev Stipakov (OpenVPN)
MFH: 2020Q2 (blanket security patch)
Security: CVE-2020-11810
Security: 8604121c-7fc2-11ea-bcac-7781e90b0c8f
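The race the commit message above describes, as an added illustration that is neither the port's nor OpenVPN's own code: a simplified Python model of the server-side peer-id "float" decision. The pre-fix branch models the window before the data-channel key exists (peer-id matches, nothing to verify, the float goes through); the post-fix branch models the corrected rule as "never float on a packet that cannot be authenticated under the session's own key". The instance table, the HMAC-SHA256 tag standing in for data-channel packet authentication, the 198.51.100.x/203.0.113.x addresses and the peer-id are all assumptions made for the example; the upstream diff is not shown on this page, and the model is the editor's reading of the message, not that diff.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Instance:
    """One server-side client instance keyed by peer-id (a model, not OpenVPN's struct)."""
    peer_id: int
    addr: Addr                    # address the session is currently bound to
    key: Optional[bytes] = None   # data-channel key; None until push request/push-reply completes


def mac(key: bytes, payload: bytes) -> bytes:
    # Stand-in for the data channel's packet authentication (assumption for the example).
    return hmac.new(key, payload, hashlib.sha256).digest()


def authentic(inst: Instance, pkt: dict) -> bool:
    """A packet can only be verified once the instance actually has a data-channel key."""
    return inst.key is not None and hmac.compare_digest(mac(inst.key, pkt["payload"]), pkt["tag"])


def handle_data_packet(instances: dict, pkt: dict, fixed: bool) -> str:
    """Return 'accept', 'float' or 'drop' for an incoming data-channel packet.

    fixed=False models the window described in the commit message: the peer-id
    matches, no key exists yet, so there is nothing to check and the float happens.
    fixed=True models the corrected rule: a packet from a new address may only
    move the session if it authenticates under the session's key.
    """
    inst = instances.get(pkt["peer_id"])
    if inst is None:
        return "drop"
    if pkt["src"] == inst.addr:
        return "accept" if authentic(inst, pkt) else "drop"
    # Known peer-id but a different source address: float candidate.
    if fixed:
        if not authentic(inst, pkt):
            return "drop"
    elif inst.key is not None and not authentic(inst, pkt):
        return "drop"
    inst.addr = pkt["src"]
    return "float"


def rogue_packet_during_window(fixed: bool):
    """Attacker sends junk carrying the victim's peer-id before the victim's key exists."""
    victim = Instance(peer_id=7, addr=("198.51.100.10", 1194))   # constructed addresses
    instances = {7: victim}
    rogue = {"peer_id": 7, "src": ("203.0.113.5", 40000), "payload": b"junk", "tag": b"\x00" * 32}
    return handle_data_packet(instances, rogue, fixed), victim.addr


def legitimate_roam_after_key(fixed: bool):
    """Once the key exists, the genuine client moving to a new address still floats."""
    key = b"\x11" * 32                                          # constructed session key
    victim = Instance(peer_id=7, addr=("198.51.100.10", 1194), key=key)
    instances = {7: victim}
    payload = b"real traffic"
    pkt = {"peer_id": 7, "src": ("198.51.100.77", 5555), "payload": payload, "tag": mac(key, payload)}
    return handle_data_packet(instances, pkt, fixed), victim.addr


if __name__ == "__main__":
    print("pre-fix, rogue packet in window: ", rogue_packet_during_window(False))
    print("post-fix, rogue packet in window:", rogue_packet_during_window(True))
    print("post-fix, genuine roam:          ", legitimate_roam_after_key(True))
```

In the pre-fix run the victim instance is rebound to the attacker's address and its traffic stops arriving, which is the "session is broken" effect the message describes; the attacker still never gets a packet past `authentic()`, matching the statement that no traffic can be injected or stolen. In the post-fix run the rogue packet is dropped while a key-holding client that genuinely changes address still floats, so the fix does not cost roaming support.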
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18975.html
This upstream release integrated two FreeBSD patches by Kyle Evans and me,
which are herewith dropped from the port.
Upstream release banner
"This is primarily a maintenance release with minor bugfixes and improvements."
High-level changes:
<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-248>
Manually filtered FreeBSD-related excerpt from Git log: v2.4.7..v2.4.8:
- mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free() [Antonio Quartulli]
- openssl: Fix compilation without deprecated OpenSSL 1.1 APIs [Rosen Penev]
- Force combination of --socks-proxy and --proto UDP to use IPv4. [Gert Doering]
- Ignore --pull-filter for --mode server [Richard Bonhomme]
- Fix typo in NTLM proxy debug message [Mykola Baibuz]
- tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. [Kyle Evans]
- Handle PSS padding in cryptoapicert [Selva Nair]
- Fix regression, reinstate LibreSSL support. [Matthias Andree]
- Increase listen() backlog queue to 32 [Gert Doering]
- Wrong FILETYPE in .rc files [Gisle Vanem]
- Do not set pkcs11-helper 'safe fork mode' [Hilko Bengen]
- man: correct the description of --capath and --crl-verify regarding CRLs [Michal Soltys]
- Fix various compiler warnings [Lev Stipakov]
- build: Package missing mock_msg.h [David Sommerseth]
- cmocka: use relative paths [Steffan Karger]
- docs: Update INSTALL [David Sommerseth]
- Better error message when script fails due to script-security setting [Selva Nair]
- Fix documentation of tls-verify script argument [Thomas Quinot]
Detailed changes:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8>
Build tests in poudriere and in a live system succeeded on:
11.2-RELEASE 1102000 arm64.aarch64
11.2-RELEASE 1102000 mips.mips64
11.2-RELEASE-p14 i386
11.3-RELEASE-p3 amd64
12.0-RELEASE-p10 i386
12.0-RELEASE-p6 amd64
12.0-RELEASE-p10 amd64 (live)
MFH: 2019Q4
(I use a different patch than what was submitted by pizzamig@,
and have sent our patch upstream.)
Remove IGNORE_SSL.
While here, remove USE_LDCONFIG to fix a portlint complaint,
and fix a typo in a Makefile comment.
PR: 238382
Reported by: pizzamig@
Thanks!
Also sent upstream for inclusion today,
https://sourceforge.net/p/openvpn/mailman/message/36757480/ and
https://sourceforge.net/p/openvpn/mailman/message/36757481/
PR: 240306
Submitted by: kevans@
While here, warn and sleep for 10 s when building against LibreSSL.
Remove some cruft.
Change summary:
<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-246>
Changelog:
<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.6>
Reported by: portscout
PR: 226568
Reported by: Ralf van der Enden
Obtained from: faminebadger <https://community.openvpn.net/openvpn/ticket/1038>
This contains predominantly bugfixes and compatibility with
newer OpenSSL/LibreSSL.
Remove one patch that had been cherry-picked from upstream, no longer
needed.
Summary: https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-241
Changes: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
PR: 217140
Submitted by: brnrd@
Obtained from: Olivier Wahrenberger, via upstream maintainers review
OpenVPN has been updated to v2.4.0.
Changes: <https://github.com/OpenVPN/openvpn/blob/v2.4.0/Changes.rst>
openvpn-polarssl has been renamed to openvpn-mbedtls to match the TLS
library's change of name.
The prior versions of the openvpn ports have been preserved in openvpn23
and openvpn23-polarssl, respectively, and are set to expire 2017-03-31.
Drop files/extra-patch-fix-subnet and corresponding OPTION, since this
is now part of the upstream release.
Changelog: <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.14>
Added as an extra patch behind an option that defaults to ON so people
can still opt out, this is slated for an upcoming 2.3.14 release that
is, however, not yet scheduled.
PR: 207831 (related)
Obtained from: Gert Doering, via upstream Git repository 446ef5bda4cdc75d
The self-tests used to fail in poudriere with dependency cycles in
Makefile that weren't visible earlier. Conditionally change ALL_TARGET
to check (do not use all check, that would require gmake) if the TEST
option is set (default), or set TEST_TARGET if the TEST option is unset.
While I am unable to reproduce 212146 claiming the self-tests fail on an
IPv6-disabled host, and I believe it's a red herring masking a local
configuration issue, doubt sed(1) and add blanks, and be sure to add the
"proto" earlier. The reporter didn't mention his OS version.
No PORTREVISION bump since the default build is unaffected.
PR: 212146 [1]
PR: 212136
Submitted by: Franco Fichtner
Sponsored by: Absolight
* Upstream changes: <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12>
* The cmocka-based unit tests are currently disabled, too much hassle
and deps to get them running.
* Add patch-configure to drop the unit-test related warnings.
* Extend run control script to understand the "stats" argument, to send
SIGUSR2 to the process, contributed by Anton Yuzhaninov (with one
additional line fold).
* Drop patch-629baad8, no longer needed.
* Refresh other patches with make clean extract do-patch makepatch
The upstream backported a change from the master branch that fixes the
PolarSSL-based builds to go with the PolarSSL 1.3.X built-in defaults.
Add a patch picked from the upstream's release/2.3 branch.
Remove the BROKEN= line and conditional.
No PORTREVISION bump because the patch only affects an option that was
formerly marked BROKEN.
(TRYBROKEN users need to force a rebuild and reinstallation manually.)
PR: 208534
Reported by: allan@saddi.com
contributed by Bapt@, but not yet touched up.
Needs proper license notice and documentation.
Therefore not yet linked to the build/install.
Adds a --scramble method to the executable but not documentation.
Requires careful review of implications before enabling, and has not
been accepted upstream. https://tunnelblick.net/cOpenvpn_xorpatch.html
PR: 200215
Submitted by: Franco Fichtner
Fixes
PR: 194745
Must be enabled through the options framework ("make config").
PR: 194745
Change option name so it is presented anew, default disabled.
+ Add openvpn-client wrapper script and up/down scripts to trigger
resolvconf, with minor edits. [2]
+ Set proper PLUGIN_LIBDIR so that plugins in the default directory can
be found with relative paths.
+ Compile shipped plugins with -fPIC.
PR: 195004 [1]
PR: 199529 [2]
Submitted by: yuri@rawbw.com [2]
Obtained from: https://community.openvpn.net/openvpn/ticket/480#comment:21
Needs to be enabled through a port option.
PR: 195004
Approved by: so
MFH: 2014Q4
Security: 23ab5c3e-79c3-11e4-8b1e-d050992ecde8
and two other fixes (bumping PORTREVISION):
44294568 Fix assertion error when using --cipher none
e9b07dc9 Fix to --shaper documentation on the man-page
b77c27a1 Modernize sample keys and sample configs
Add patch-tests__t_cltsrv.sh to properly skip self-tests when no
inet/inet6 addresses are available, and to properly use udp6 when only
inet6 is available (for instance, on RedPorts).
Drop patch-src__openvpn__syshead.h, had already been integrated upstream.
PR: ports/185439 (related)
- Upgrade security/openvpn to v2.3.0 (changes installed layout a bit),
splitting and re-diffing patches.
- Retain v2.2.2 as security/openvpn22
- Mark security/openvpn20 as deprecated and to expire 6 months from now
- Fix TCP_NODELAY option (openvpn 2.3, 2.2), see
<http://community.openvpn.net/openvpn/ticket/158>
- Fix PassTOS option (openvpn 2.2, 2.0), see
http://community.openvpn.net/openvpn/ticket/135
Where necessary add $FreeBSD$ to the file
No PORTREVISION bump necessary because this is a no-op
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().
In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.
To fix failures with 'restart'.
Reported by: Miroslav Lachman
Cause was a trap "... ; exit 1" 0 shell construct that needs to be
cancelled for the exit 77 to take effect. trap 0 inserted to that end.
constructions that parse out to [ -z "$foo" ] && foo=""
These are bad examples that get copied and pasted into new code, so the
hope is that with less bad examples there will be less need for me to
bring this up in review.
In a few of these files all that were changed were comments so that next
time I search for these patterns I won't trip on the file for no reason.
In a few places, add $FreeBSD$
No functional changes, so no PORTREVISION bumps
- remove subshell to use basename, and use ## substitution [1]
- remove FreeBSD 5.X compatibility comment [1]
- remove FreeBSD 5.X compatibility code
The parts marked with [1] above were
Submitted by: dougb (Doug Barton)
to send SIGUSR1 (rather than SIGHUP) to OpenVPN processes.
Suggested by: Nick Hibma (in private email)
versions of FreeBSD now use /etc/rc.subr and rc.d scripts without .sh
appended to the script name.
s#. %%RC_SUBR%%#. /etc/rc.subr#
Update security/openvpn20 to 2.0.9, revising pkg-message.
Move security/openvpn-devel to security/openvpn and
update security/openvpn to 2.1.1.
Remove security/openvpn-devel, adding a MOVED entry.
Update security/Makefile to remove openvpn-devel and add openvpn20 to
SUBDIRS.
Add a UPDATING entry for this shuffle. Currently without upgrade
instructions since neither portupgrade nor portmaster are up to the
task (because of the CONFLICTS).
Approved by: garga@ (mentor)
propagated by copy and paste.
1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).
No PORTREVISION bumps because all of these changes are noops.
useful syslog tags
PR: ports/120862
Submitted by: Matthias Andree <matthias.andree at gmx.de> (maintainer)
Approved by: maintainer
- fix for FreeBSD releases before rcorder integration
- update copyright notice
- replace shell backticks by $().
Port:
- bump revision
- reformat comment
PR: ports/109856
Submitted by: Matthias Andree <matthias.andree@gmx.de> (maintainer)
Approved by: miwi (mentor)
being started during boot. The reason for this is that at boot $0 is not
/usr/local/etc/rc.d/openvpn but /etc/rc. The fix is a bit hackish because
it retrieves the script name from $_file, a variable used in run_rc_script().
Reported by: bazzoola <bazzoola@gmail.com>