The NetBSD Project

CVS log for pkgsrc/net/openvpn/Makefile

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / net / openvpn

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.96 / (download) - annotate - [select for diffs], Sun Mar 19 19:11:20 2023 UTC (3 days, 12 hours ago) by tnn
Branch: MAIN
CVS Tags: HEAD
Changes since 1.95: +2 -1 lines
Diff to previous 1.95 (colored)

openvpn: --disable-dco. Needs kernel support.

Revision 1.95 / (download) - annotate - [select for diffs], Wed Nov 23 08:02:57 2022 UTC (3 months, 4 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.94: +1 -2 lines
Diff to previous 1.94 (colored)

openvpn: updated to 2.5.8

Overview of changes in 2.5.8

New features

allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility "default cipher BF-CBC" would trigger an error on such TLS libraries)

User-visible Changes

add git branch name + commit ID to OpenVPN version string on MSVC builds (windows)

Testing Enhancements

t_client.sh: if fping is found and fping6 is not, assume we have fping 4.0 and up, and call "fping -6" for IPv6 ping tests
t_client.sh: allow to force FAIL on prerequisite fails, so a CI environment will no longer "silently skip" t_client runs if fping (etc) can not be found, but will error out

Bugfixes

``--auth-nocache'' was not always correctly clearing username+password after a renegotiation
ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via ``--management-forget-disconnect'')
in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix.
using --auth-token together with --management-client-auth (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix.
management interface would sometimes get stuck if client and server try to write something simultaneously. Fix by allowing a limited level of recursion in virtual_output_callback()
fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
make man page agree with actual code on replay-window backtrag log message
remove useless empty line from CR_RESPONSE message

Revision 1.94 / (download) - annotate - [select for diffs], Wed Oct 26 10:31:50 2022 UTC (4 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.93: +2 -2 lines
Diff to previous 1.93 (colored)

*: bump PKGREVISION for libunistring shlib major bump

Revision 1.93 / (download) - annotate - [select for diffs], Thu Aug 11 06:41:58 2022 UTC (7 months, 1 week ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3
Changes since 1.92: +2 -1 lines
Diff to previous 1.92 (colored)

*: recursive PKGREVISION bump for mbedtls shlib major increases

Revision 1.92 / (download) - annotate - [select for diffs], Thu Mar 17 07:50:17 2022 UTC (12 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.91: +1 -2 lines
Diff to previous 1.91 (colored)

openvpn: updated to 2.5.6

OpenVPN 2.5.6.
This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE: 2022-0547).

Revision 1.91 / (download) - annotate - [select for diffs], Wed Dec 15 20:11:51 2021 UTC (15 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.90: +1 -2 lines
Diff to previous 1.90 (colored)

openvpn: updated to 2.5.5

Overview of changes in 2.5.5
============================

User-visible Changes
--------------------
- SWEET32/64bit cipher deprecation change was postponed to 2.7

- Windows: use network address for emulated DHCP server as default
  this enables use of a /30 subnet, which is needed when connecting
  to OpenVPN Cloud.

- require EC support in windows builds
  (this means it's no longer possible to build a Windows OpenVPN binary
  with an OpenSSL lib without EC support)

New features
------------
- Windows build: use CFG and Spectre mitigations on MSVC builds

- bring back OpenSSL config loading to Windows builds.
  OpenSSL config is loaded from %installdir%\SSL\openssl.cfg
  (typically: c:\program files\openvpn\SSL\openssl.cfg) if it exists.

  This is important for some hardware tokens which need special
  OpenSSL config for correct operation.

Bugfixes
--------
- Windows build: enable EKM

- Windows build: improve various vcpkg related build issues

- Windows build: fix regression related to non-writeable status files

- Windows build: fix regression that broke OpenSSL EC support

- Windows build: fix "product version" display (2.5..4 -> 2.5.4)

- Windows build: fix regression preventing use of PKCS12 files

- improve "make check" to notice if "openvpn --show-cipher" crashes

- improve argv unit tests

- ensure unit tests work with mbedTLS builds without BF-CBC ciphers

- include "--push-remove" in the output of "openvpn --help"

- fix error in iptables syntax in example firewall.sh script

- fix "resolvconf -p" invocation in example "up" script

- fix "common_name" environment for script calls when
  "--username-as-common-name" is in effect

Documentation
-------------
- move "push-peer-info" documentation from "server options" to "client"
  (where it belongs)

- correct "foreign_option_{n}" typo in manpage

- update IRC information in CONTRIBUTING.rst (libera.chat)

- README.down-root: fix plugin module name

Revision 1.90 / (download) - annotate - [select for diffs], Wed Dec 8 16:06:05 2021 UTC (15 months, 1 week ago) by adam
Branch: MAIN
Changes since 1.89: +2 -1 lines
Diff to previous 1.89 (colored)

revbump for icu and libffi

Revision 1.89 / (download) - annotate - [select for diffs], Fri Oct 8 17:58:05 2021 UTC (17 months, 1 week ago) by leot
Branch: MAIN
Changes since 1.88: +3 -1 lines
Diff to previous 1.88 (colored)

openvpn: Avoid to accidentally build HTML man pages

rst2html.py and rst2man.py are accidentally recognized if installed and used
leading to generation of HTML man pages and PLIST mismatch.

Revision 1.88 / (download) - annotate - [select for diffs], Tue Oct 5 19:25:41 2021 UTC (17 months, 2 weeks ago) by adam
Branch: MAIN
Changes since 1.87: +1 -2 lines
Diff to previous 1.87 (colored)

openvpn: updated to 2.5.4

Overview of changes in 2.5.4
============================
Bugfixes
--------
- fix prompting for password on windows console if stderr redirection
  is in use - this breaks 2.5.x on Win11/ARM, and might also break
  on Win11/adm64 when released.

- fix setting MAC address on TAP adapters (--lladdr) to use sitnl
  (was overlooked, and still used "ifconfig" calls)

- various improvements for man page building (rst2man/rst2html etc)

- minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
  at least one platform strictly checking this)

- fix minor memory leak under certain conditions in add_route() and
  add_route_ipv6()

User-visible Changes
--------------------
- documentation improvements

- copyright updates where needed

- better error reporting when win32 console access fails

New features
------------
- also build man page on Windows builds

Revision 1.87 / (download) - annotate - [select for diffs], Wed Sep 29 19:01:10 2021 UTC (17 months, 3 weeks ago) by adam
Branch: MAIN
Changes since 1.86: +2 -1 lines
Diff to previous 1.86 (colored)

revbump for boost-libs

Revision 1.86 / (download) - annotate - [select for diffs], Tue Jul 27 07:35:05 2021 UTC (19 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3
Changes since 1.85: +1 -2 lines
Diff to previous 1.85 (colored)

openvpn: updated to 2.5.3

Version 2.5.3
* Add missing free_key_ctx for auth_token
* Add github actions
* Implement auth-token-user
* Update copyrights
* openvpnmsica: properly schedule reboot in the end of installation
* msvc: add ARM64 configuration
* msvc: standalone building
* contrib/vcpkg-ports: add pkcs11-helper port
* vcpkg-ports: restore trailing whitespaces in .patch files
* GitHub actions: add MSVC build
* crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
* contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)
* Fix SIGSEGV (NULL deref) receiving push "echo"
* Fix build with mbedtls w/o SSL renegotiation support
* Improve documentation of AUTH_PENDING related directives
* Apply the connect-retry backoff to only one side of a connection

Revision 1.85 / (download) - annotate - [select for diffs], Sun May 2 08:16:40 2021 UTC (22 months, 2 weeks ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.84: +2 -1 lines
Diff to previous 1.84 (colored)

Recursive revbump for security/mbedtls

Revision 1.84 / (download) - annotate - [select for diffs], Thu Apr 22 13:53:15 2021 UTC (23 months ago) by adam
Branch: MAIN
Changes since 1.83: +1 -2 lines
Diff to previous 1.83 (colored)

openvpn: updated to 2.5.2

The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with „ŗōšauth-gen-token„ŗor a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.

Revision 1.83 / (download) - annotate - [select for diffs], Wed Apr 21 13:25:12 2021 UTC (23 months ago) by adam
Branch: MAIN
Changes since 1.82: +2 -2 lines
Diff to previous 1.82 (colored)

revbump for boost-libs

Revision 1.82 / (download) - annotate - [select for diffs], Thu Apr 15 11:23:09 2021 UTC (23 months, 1 week ago) by ryoon
Branch: MAIN
Changes since 1.81: +2 -2 lines
Diff to previous 1.81 (colored)

*: Recursive revbump from devel/nss

Revision 1.81 / (download) - annotate - [select for diffs], Fri Apr 9 06:55:02 2021 UTC (23 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.80: +2 -1 lines
Diff to previous 1.80 (colored)

*: bump PKGREVISION for nss linking fix

Revision 1.80 / (download) - annotate - [select for diffs], Wed Feb 24 19:13:50 2021 UTC (2 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.79: +1 -2 lines
Diff to previous 1.79 (colored)

openvpn: updated to 2.5.1

Version 2.5.1
* Fix auth-token not being updated if auth-nocache is set
* Remove auth_user_pass.wait_for_push variable
* Fix port-share option with TLS-Crypt v2
* Zero initialise msghdr prior to calling sendmesg
* Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
* build: Fix missing install of man page in certain environments
* Fix too early argv freeing when registering DNS
* Remove 1 second delay before running netsh
* Skip DHCP renew with Wintun adapter
* Change travis build scripts to use https when fetching prerequisites.
* Fix line number reporting on config file errors after <inline> segments
* Clarify --block-ipv6 intent and direction.
* Document common uses of 'echo' directive, re-enable logging for 'echo'.
* Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
* clean up / rewrite sample-plugins/defer/simple.c
* Fix naming error in sample-plugins/defer/simple.c
* Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
* Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
* More explicit versioning compatibility in sample-plugins/defer/simple.c
* Explain structver usage in sample defer plugin.
* Man page sections corrections
* Quote the domain name argument passed to the wmic command
* tls-crypt-v2: fix server memory leak
* tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)

Revision 1.79 / (download) - annotate - [select for diffs], Fri Feb 5 09:21:00 2021 UTC (2 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.78: +2 -1 lines
Diff to previous 1.78 (colored)

openvpn: fix installation of man page.

Bump PKGREVISION.

Revision 1.78 / (download) - annotate - [select for diffs], Tue Nov 17 12:13:01 2020 UTC (2 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.77: +1 -2 lines
Diff to previous 1.77 (colored)

openvpn: updated to 2.5.0

Overview of changes in 2.5
==========================

New features
------------
Client-specific tls-crypt keys (``--tls-crypt-v2``)
    ``tls-crypt-v2`` adds the ability to supply each client with a unique
    tls-crypt key.  This allows large organisations and VPN providers to profit
    from the same DoS and TLS stack protection that small deployments can
    already achieve using ``tls-auth`` or ``tls-crypt``.

ChaCha20-Poly1305 cipher support
    Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data
    channel.

Improved Data channel cipher negotiation
    The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.
    The old name is still accepted. The change in name signals that
    ``data-ciphers`` is the preferred way to configure data channel
    ciphers and the data prefix is chosen to avoid the ambiguity that
    exists with ``--cipher`` for the data cipher and ``tls-cipher``
    for the TLS ciphers.

    OpenVPN clients will now signal all supported ciphers from the
    ``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
    servers will select the first common cipher from the ``data-ciphers``
    list instead of blindly pushing the first cipher of the list. This
    allows to use a configuration like
    ``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
    prefers ChaCha20-Poly1305 but uses it only if the client supports it.

    See the data channel negotiation section in the manual for more details.

Removal of BF-CBC support in default configuration:
    By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as
    data ciphers. OpenVPN 2.4 allows AES-256-GCM,AES-128-GCM and BF-CBC when
    no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be
    enabled by adding

        data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC

    and when you need to support very old peers also

        data-ciphers-fallback BF-CBC

    To offer backwards compatibility with older configs an *explicit*

        cipher BF-CBC

    in the configuration will be automatically translated into adding BF-CBC
    to the data-ciphers option and setting data-ciphers-fallback to BF-CBC
    (as in the example commands above). We strongly recommend to switching
    away from BF-CBC to a more secure cipher.

Asynchronous (deferred) authentication support for auth-pam plugin.
    See src/plugins/auth-pam/README.auth-pam for details.

Deferred client-connect
    The ``--client-connect`` option and the connect plugin API allow
    asynchronous/deferred return of the configuration file in the same way
    as the auth-plugin.

Faster connection setup
    A client will signal in the ``IV_PROTO`` variable that it is in pull
    mode. This allows the server to push the configuration options to
    the client without waiting for a ``PULL_REQUEST`` message. The feature
    is automatically enabled if both client and server support it and
    significantly reduces the connection setup time by avoiding one
    extra packet round-trip and 1s of internal event delays.

Netlink support
    On Linux, if configured without ``--enable-iproute2``, configuring IP
    addresses and adding/removing routes is now done via the netlink(3)
    kernel interface.  This is much faster than calling ``ifconfig`` or
    ``route`` and also enables OpenVPN to run with less privileges.

    If configured with --enable-iproute2, the ``ip`` command is used
    (as in 2.4).  Support for ``ifconfig`` and ``route`` is gone.

Wintun support
    On Windows, OpenVPN can now use ``wintun`` devices.  They are faster
    than the traditional ``tap9`` tun/tap devices, but do not provide
    ``--dev tap`` mode - so the official installers contain both.  To use
    a wintun device, add ``--windows-driver wintun`` to your config
    (and use of the interactive service is required as wintun needs
    SYSTEM privileges to enable access).

IPv6-only operation
    It is now possible to have only IPv6 addresses inside the VPN tunnel,
    and IPv6-only address pools (2.4 always required IPv4 config/pools
    and IPv6 was the "optional extra").

Improved Windows 10 detection
    Correctly log OS on Windows 10 now.

Linux VRF support
    Using the new ``--bind-dev`` option, the OpenVPN outside socket can
    now be put into a Linux VRF.  See the "Virtual Routing and Forwarding"
    documentation in the man page.

TLS 1.3 support
    TLS 1.3 support has been added to OpenVPN.  Currently, this requires
    OpenSSL 1.1.1+.
    The options ``--tls-ciphersuites`` and ``--tls-groups`` have been
    added to fine tune TLS protocol options.  Most of the improvements
    were also backported to OpenVPN 2.4 as part of the maintainance
    releases.

Support setting DHCP search domain
    A new option ``--dhcp-option DOMAIN-SEARCH my.example.com`` has been
    defined, and Windows support for it is implemented (tun/tap only, no
    wintun support yet).  Other platforms need to support this via ``--up``
    script (Linux) or GUI (OSX/Tunnelblick).

per-client changing of ``--data-ciphers`` or ``data-ciphers-fallback``
    from client-connect script/dir (NOTE: this only changes preference of
    ciphers for NCP, but can not override what the client announces as
    "willing to accept")

Handle setting of tun/tap interface MTU on Windows
    If IPv6 is in use, MTU must be >= 1280 (Windows enforces IETF requirements)

Add support for OpenSSL engines to access private key material (like TPM).

HMAC based auth-token support
    The ``--auth-gen-token`` support has been improved and now generates HMAC
    based user token. If the optional ``--auth-gen-token-secret`` option is
    used clients will be able to seamlessly reconnect to a different server
    using the same secret file or to the same server after a server restart.

Improved support for pending authentication
    The protocol has been enhanced to be able to signal that
    the authentication should use a secondary authentication
    via web (like SAML) or a two factor authentication without
    disconnecting the OpenVPN session with AUTH_FAILED. The
    session will instead be stay in a authenticated state and
    wait for the second factor authentication to complete.

    This feature currently requires usage of the managent interface
    on both client and server side. See the `management-notes.txt`
    ``client-pending-auth`` and ``cr-response`` commands for more
    details.

VLAN support
    OpenVPN servers in TAP mode can now use 802.1q tagged VLANs
    on the TAP interface to separate clients into different groups
    that can then be handled differently (different subnets / DHCP,
    firewall zones, ...) further down the network.  See the new
    options ``--vlan-tagging``, ``--vlan-accept``, ``--vlan-pvid``.

    802.1q tagging on the client side TAP interface is not handled
    today (= tags are just forwarded transparently to the server).

Support building of .msi installers for Windows

Allow unicode search string in ``--cryptoapicert`` option (Windows)

Support IPv4 configs with /31 netmasks now
    (By no longer trying to configure ``broadcast x.x.x.x'' in
    ifconfig calls, /31 support "just works")

New option ``--block-ipv6`` to reject all IPv6 packets (ICMPv6)
    this is useful if the VPN service has no IPv6, but the clients
    might have (LAN), to avoid client connections to IPv6-enabled
    servers leaking "around" the IPv4-only VPN.

``--ifconfig-ipv6`` and ``--ifconfig-ipv6-push`` will now accept
    hostnames and do a DNS lookup to get the IPv6 address to use


Deprecated features
-------------------
For an up-to-date list of all deprecated options, see this wiki page:
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

- ``ncp-disable`` has been deprecated
    With the improved and matured data channel cipher negotiation, the use
    of ``ncp-disable`` should not be necessary anymore.

- ``inetd`` has been deprecated
  This is a very limited and not-well-tested way to run OpenVPN, on TCP
  and TAP mode only, which complicates the code quite a bit for little gain.
  To be removed in OpenVPN 2.6 (unless users protest).

- ``no-iv`` has been removed
  This option was made into a NOOP option with OpenVPN 2.4.  This has now
  been completely removed.

- ``--client-cert-not-required`` has been removed
  This option will now cause server configurations to not start.  Use
  ``--verify-client-cert none`` instead.

- ``--ifconfig-pool-linear`` has been removed
  This option is removed.  Use ``--topology p2p`` or ``--topology subnet``
  instead.

- ``--compress xxx`` is considered risky and is warned against, see below.

- ``--key-method 1`` has been removed


User-visible Changes
--------------------
- If multiple connect handlers are used (client-connect, ccd, connect
  plugin) and one of the handler succeeds but a subsequent fails, the
  client-disconnect-script is now called immediately. Previously it
  was called, when the VPN session was terminated.

- Support for building with OpenSSL 1.0.1 has been removed. The minimum
  supported OpenSSL version is now 1.0.2.

- The GET_CONFIG management state is omitted if the server pushes
  the client configuration almost immediately as result of the
  faster connection setup feature.

- ``--compress`` is nowadays considered risky, because attacks exist
  leveraging compression-inside-crypto to reveal plaintext (VORACLE).  So
  by default, ``--compress xxx`` will now accept incoming compressed
  packets (for compatibility with peers that have not been upgraded yet),
  but will not use compression outgoing packets.  This can be controlled with
  the new option ``--allow-compression yes|no|asym``.

- Stop changing ``--txlen`` aways from OS defaults unless explicitly specified
  in config file.  OS defaults nowadays are actually larger then what we used
  to configure, so our defaults sometimes caused packet drops = bad performance.

- remove ``--writepid`` pid file on exit now

- plugin-auth-pam now logs via OpenVPN logging method, no longer to stderr
  (this means you'll have log messages in syslog or openvpn log file now)

- use ISO 8601 time format for file based logging now (YYYY-MM-DD hh:mm:dd)
  (syslog is not affected, nor is ``--machine-readable-output``)

- ``--clr-verify`` now loads all CRLs if more than one CRL is in the same
  file (OpenSSL backend only, mbedTLS always did that)

- when ``--auth-user-pass file`` has no password, and the management interface
  is active, query management interface (instead of trying console query,
  which does not work on windows)

- skip expired certificates in Windows certificate store (``--cryptoapicert``)

- ``--socks-proxy`` + ``--proto udp*`` will now allways use IPv4, even if
  IPv6 is requested and available.  Our SOCKS code does not handle IPv6+UDP,
  and before that change it would just fail in non-obvious ways.

- TCP listen() backlog queue is now set to 32 - this helps TCP servers that
  receive lots of "invalid" connects by TCP port scanners

- do no longer print OCC warnings ("option mismatch") about ``key-method``,
  ``keydir``, ``tls-auth`` and ``cipher`` - these are either gone now, or
  negotiated, and the warnings do not serve a useful purpose.

- ``dhcp-option DNS`` and ``dhcp-option DNS6`` are now treated identically
  (= both accept an IPv4 or IPv6 address for the nameserver)


Maintainer-visible changes
--------------------------
- the man page is now in maintained in .rst format, so building the openvpn.8
  manpage from a git checkout now requires python-docutils (if this is missing,
  the manpage will not be built - which is not considered an error generally,
  but for package builders or ``make distcheck`` it is).  Release tarballs
  contain the openvpn.8 file, so unless some .rst is changed, doc-utils are
  not needed for building.

- OCC support can no longer be disabled

- AEAD support is now required in the crypto library

- ``--disable-server`` has been removed from configure (so it is no longer
  possible to build a client-/p2p-only OpenVPN binary) - the saving in code
  size no longer outweighs the extra maintenance effort.

- ``--enable-iproute2`` will disable netlink(3) support, so maybe remove
  that from package building configs (see above)

- support building with MSVC 2019

- cmocka based unit tests are now only run if cmocka is installed externally
  (2.4 used to ship a local git submodule which was painful to maintain)

- ``--disable-crypto`` configure option has been removed.  OpenVPN is now always
  built with crypto support, which makes the code much easier to maintain.
  This does not affect ``--cipher none`` to do a tunnel without encryption.

- ``--disable-multi`` configure option has been removed

Revision 1.77 / (download) - annotate - [select for diffs], Fri May 22 10:56:30 2020 UTC (2 years, 10 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3, pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.76: +2 -1 lines
Diff to previous 1.76 (colored)

revbump after updating security/nettle

Revision 1.76 / (download) - annotate - [select for diffs], Fri Apr 17 20:14:22 2020 UTC (2 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.75: +1 -2 lines
Diff to previous 1.75 (colored)

openvpn: updated to 2.4.9

OpenVPN 2.4.9
* socks: use the right function when printing struct openvpn_sockaddr
* Fetch OpenSSL versions via source/old links
* Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
* Fix OpenSSL 1.1.1 not using auto elliptic curve selection
* Fix broken fragmentation logic when using NCP
* Fix building with --enable-async-push in FreeBSD
* Fix broken async push with NCP is used
* Fix illegal client float (CVE-2020-11810)
* OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
* Fix OpenSSL private key passphrase notices
* Swap the order of checks for validating interactive service user
* Move querying username/password from management interface to a function
* When auth-user-pass file has no password query the management interface (if available).
* Fix possibly uninitialized return value in GetOpenvpnSettings()
* Fix possible access of uninitialized pipe handles
* Skip expired certificates in Windows certificate store
* Allow unicode search string in --cryptoapicert option
* mbedTLS: Make sure TLS session survives move
* docs: Add reference to X509_LOOKUP_hash_dir(3)

Revision 1.75 / (download) - annotate - [select for diffs], Sun Mar 8 16:50:57 2020 UTC (3 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.74: +2 -2 lines
Diff to previous 1.74 (colored)

*: recursive bump for libffi

Revision 1.74 / (download) - annotate - [select for diffs], Sun Jan 26 17:31:53 2020 UTC (3 years, 1 month ago) by rillig
Branch: MAIN
Changes since 1.73: +2 -2 lines
Diff to previous 1.73 (colored)

all: migrate homepages from http to https

pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.

Revision 1.73 / (download) - annotate - [select for diffs], Sat Jan 18 21:50:22 2020 UTC (3 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.72: +2 -1 lines
Diff to previous 1.72 (colored)

*: Recursive revision bump for openssl 1.1.1.

Revision 1.72 / (download) - annotate - [select for diffs], Thu Jan 16 13:33:51 2020 UTC (3 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.71: +1 -2 lines
Diff to previous 1.71 (colored)

*: Remove USE_OLD_DES_API.

OpenSSL 1.1.1d no longer ships des_old.h, and the time for this being
necessary appears to be behind us.

Revision 1.71 / (download) - annotate - [select for diffs], Mon Nov 4 12:52:13 2019 UTC (3 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.70: +4 -5 lines
Diff to previous 1.70 (colored)

openvpn: updated to 2.4.8

Version 2.4.8

This is primarily a maintenance release with minor bugfixes and improvements.

New features
Support compiling with OpenSSL 1.1 without deprecated APIs
handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)

User visible changes
do not abort when hitting the combination of "--pull-filter" and "--mode server" (this got hit when starting OpenVPN servers using the windows GUI which installs a pull-filter to force ip-win32)
increase listen() backlog queue to 32 (improve response behaviour on openvpn servers using TCP that get portscanned)
fix and enhance documentation (INSTALL, man page, ...)

Bug fixes
the combination "IPv6 and proto UDP and SOCKS proxy" did not work - as a workaround, force IPv4 in this case until a full implementation for IPv6-UDP-SOCKS can be made.
fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
fix building with LibreSSL
do not set pkcs11-helper 'safe fork mode' (should fix PIN querying in systemd environments)
repair windows builds
repair Darwin builds (remove -no-cpp-precomp flag)

Revision 1.70 / (download) - annotate - [select for diffs], Sun Nov 3 11:45:46 2019 UTC (3 years, 4 months ago) by rillig
Branch: MAIN
Changes since 1.69: +2 -2 lines
Diff to previous 1.69 (colored)

net: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

No manual corrections.

Revision 1.69 / (download) - annotate - [select for diffs], Sat Jul 20 22:46:40 2019 UTC (3 years, 8 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.68: +2 -2 lines
Diff to previous 1.68 (colored)

*: recursive bump for nettle 3.5.1

Revision 1.68 / (download) - annotate - [select for diffs], Sun May 5 22:49:50 2019 UTC (3 years, 10 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.67: +2 -1 lines
Diff to previous 1.67 (colored)

Recursive rebvump from devel/nss

Revision 1.67 / (download) - annotate - [select for diffs], Thu Feb 21 16:22:54 2019 UTC (4 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.66: +1 -2 lines
Diff to previous 1.66 (colored)

openvpn: updated to 2.4.7

OpenVPN 2.4.7
- Fix subnet topology on NetBSD (2.4).
- add support for %lu in argv_printf and prevent ASSERT
- buffer_list: add functions documentation
- ifconfig-ipv6(-push): allow using hostnames
- Properly free tuntap struct on android when emulating persist-tun
- Add OpenSSL compat definition for RSA_meth_set_sign
- Add support for tls-ciphersuites for TLS 1.3
- Add better support for showing TLS 1.3 ciphersuites in --show-tls
- Use right function to set TLS1.3 restrictions in show-tls
- Add message explaining early TLS client hello failure
- Fallback to password authentication when auth-token fails
- systemd: extend CapabilityBoundingSet for auth_pam
- plugin: Export base64 encode and decode functions
- Add %d, %u and %lu tests to test_argv unit tests.
- Fix combination of --dev tap and --topology subnet across multiple platforms.
- Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
- preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)
- Minor reliability layer documentation fixes
- Resolves small IV_GUI_VER typo in the documentation.
- Clarify and expand management interface documentation
- Refactor NCP-negotiable options handling
- init.c: refine functions names and description
- interactive.c: fix usage of potentially uninitialized variable
- options.c: fix broken unary minus usage
- Remove extra token after #endif
- Fix error message when using RHEL init script
- man: correct a --redirection-gateway option flag
- Replace M_DEBUG with D_LOW as the former is too verbose
- Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
- Bump version of openvpn plugin argument structs to 5
- Move get system directory to a separate function
- Enable dhcp on tap adapter using interactive service
- Pass the hash without the DigestInfo header to NCryptSignHash()
- White-list pull-filter and script-security in interactive service
- Add Interactive Service developer documentation
- Detect TAP interfaces with root-enumerated hardware ID
- man: add security considerations to --compress section
- mbedtls: print warning if random personalisation fails
- Fix memory leak after sighup
- travis: add OpenSSL 1.1 Windows build
- Fix --disable-crypto build
- Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
- buffer_list_aggregate_separator(): simplify code

Revision 1.66 / (download) - annotate - [select for diffs], Sun Jun 24 09:26:12 2018 UTC (4 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.65: +2 -3 lines
Diff to previous 1.65 (colored)

openvpn: fix for NetBSD with subnet topology; remove empty DIST_SUBDIR

Revision 1.65 / (download) - annotate - [select for diffs], Fri Apr 27 06:40:28 2018 UTC (4 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.64: +1 -2 lines
Diff to previous 1.64 (colored)

openvpn: 2.4.6

OpenVPN 2.4.6
management: Warn if TCP port is used without password

Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
Fix potential double-free() in Interactive Service (CVE-2018-9336)
preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst)

manpage: improve description of --status and --status-version

Make return code external tls key match docs

Delete the IPv6 route to the "connected" network on tun close
Management: warn about password only when the option is in use
Avoid overflow in wakeup time computation

Add missing #ifdef SSL_OP_NO_TLSv1_1/2

Check for more data in control channel

Revision 1.64 / (download) - annotate - [select for diffs], Tue Apr 17 22:29:46 2018 UTC (4 years, 11 months ago) by wiz
Branch: MAIN
Changes since 1.63: +2 -1 lines
Diff to previous 1.63 (colored)

Add p11-kit to gnutls/bl3.mk and bump dependencies.

Revision 1.63 / (download) - annotate - [select for diffs], Mon Jun 26 07:21:21 2017 UTC (5 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.62: +3 -1 lines
Diff to previous 1.62 (colored)

Distfile has been changed upstream

Revision 1.62 / (download) - annotate - [select for diffs], Wed May 24 20:35:12 2017 UTC (5 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.61: +5 -7 lines
Diff to previous 1.61 (colored)

OpenVPN 2.4.2

Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy.

Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.

Revision 1.61 / (download) - annotate - [select for diffs], Fri May 19 18:11:04 2017 UTC (5 years, 10 months ago) by spz
Branch: MAIN
Changes since 1.60: +1 -2 lines
Diff to previous 1.60 (colored)

update openvpn to 2.3.15
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044

relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>

2017.05.11 -- Version 2.3.15
David Sommerseth (5):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)


2016.12.06 -- Version 2.3.14
Christian Hesse (1):
      update year in copyright message

David Sommerseth (1):
      Document the --auth-token option

Gert Doering (2):
      Repair topology subnet on FreeBSD 11
      Repair topology subnet on OpenBSD

Lev Stipakov (1):
      Drop recursively routed packets

Selva Nair (4):
      Support --block-outside-dns on multiple tunnels
      When parsing '--setenv opt xx ..' make sure a third parameter is present
      Map restart signals from event loop to SIGTERM during exit-notification wait
      Correctly state the default dhcp server address in man page

Steffan Karger (1):
      Clean up format_hex_ex()


2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
      Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
      Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer

David Sommerseth (4):
      t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
      t_client.sh: Add support for Kerberos/ksu
      t_client.sh: Improve detection if the OpenVPN process did start during tests
      t_client.sh: Add prepare/cleanup possibilties for each test case

Gert Doering (5):
      Do not abort t_client run if OpenVPN instance does not start.
      Fix t_client runs on OpenSolaris
      make t_client robust against sudoers misconfiguration
      add POSTINIT_CMD_suf to t_client.sh and sample config
      Fix --multihome for IPv6 on 64bit BSD systems.

Ilya Shipitsin (1):
      skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto

Lev Stipakov (2):
      Exclude peer-id from pulled options digest
      Fix compilation in pedantic mode

Samuli Seppänen (1):
      Automatically cache expected IPs for t_client.sh on the first run

Steffan Karger (6):
      Fix unittests for out-of-source builds
      Make gnu89 support explicit
      cleanup: remove code duplication in msg_test()
      Update cipher-related man page text
      Limit --reneg-bytes to 64MB when using small block ciphers
      Add a revoked cert to the sample keys


2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
      Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
      Move ASSERT so external-key with OpenSSL works again

David Sommerseth (3):
      Only build and run cmocka unit tests if its submodule is initialized
      Another fix related to unit test framework
      Remove NOP function and callers

Dorian Harmans (1):
      Add CHACHA20-POLY1305 ciphersuite IANA name translations.

Ivo Manca (1):
      Plug memory leak in mbedTLS backend

Jeffrey Cutter (1):
      Update contrib/pull-resolv-conf/client.up for no DOMAIN

Jens Neuhalfen (2):
      Add unit testing support via cmocka
      Add a test for auth-pam searchandreplace

Josh Cepek (1):
      Push an IPv6 CIDR mask used by the server, not the pool's size

Leon Klingele (1):
      Add link to bug tracker

Samuli Seppänen (2):
      Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
      Clarify the fact that build instructions in README are for release tarballs

Selva Nair (4):
      Make error non-fatal while deleting address using netsh
      Make block-outside-dns work with persist-tun
      Ignore SIGUSR1/SIGHUP during exit notification
      Promptly close the netcmd_semaphore handle after use

Steffan Karger (4):
      Fix polarssl / mbedtls builds
      Don't limit max incoming message size based on c2->frame
      Fix '--cipher none --cipher' crash
      Discourage using 64-bit block ciphers

Revision 1.60 / (download) - annotate - [select for diffs], Mon Sep 19 13:04:25 2016 UTC (6 years, 6 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1, pkgsrc-2016Q4-base, pkgsrc-2016Q4, pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.59: +2 -1 lines
Diff to previous 1.59 (colored)

Recursive PKGREVISION bump for gnutls shlib major bump.

Revision 1.59 / (download) - annotate - [select for diffs], Fri Jul 8 08:49:41 2016 UTC (6 years, 8 months ago) by jperkin
Branch: MAIN
Changes since 1.58: +1 -2 lines
Diff to previous 1.58 (colored)

Update net/openvpn to 2.3.11.  Changes since 2.3.6:

2016.05.09 -- Version 2.3.11
      Fixed port-share bug with DoS potential
      Make intent of utun device name validation clear
      Fix buffer overflow by user supplied data
      Correctly report TCP connection timeout on windows.
      Report Windows bitness
      Fix undefined signed shift overflow
      Fix build with libressl
      Improve LZO, PAM and OpenSSL documentation
      Ensure input read using systemd-ask-password is null terminated
      Support reading the challenge-response from console
      openssl: improve logging
      polarssl: improve logging
      Update manpage: OpenSSL might also need /dev/urandom inside chroot
      socks.c: fix check on get_user_pass() return value(s)
      Fix OCSP_check.sh
      hardening: add safe FD_SET() wrapper openvpn_fd_set()
      Fix memory leak in argv_extract_cmd_name()
      Replace MSG_TEST() macro for static inline msg_test()
      Restrict default TLS cipher list
      Various Changes.rst fixes
      Clarify mssfix documentation
      Clarify --block-outside-dns documentation
      Update --block-outside-dns to work on Windows Vista

2016.01.04 -- Version 2.3.10
      Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
      Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
      Repair IPv6 netsh calls if Win XP is detected
      Use bob.example.com and alice.example.com to improve clarity of documentation
      Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
      Upgrade OpenVPN 2.3 to PolarSSL 1.3
      Warn user if their certificate has expired
      Make assert_failed() print the failed condition
      cleanup: get rid of httpdigest.c type warnings
      Fix regression in setups without a client certificate
      polarssl: fix unreachable code

2015.12.15 -- Version 2.3.9
      Show extra-certs in current parameters.
      Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c
      Do not set the buffer size by default but rely on the operation system default.
      Remove --enable-password-save option
      Reflect enable-password-save change in documentation
      Also remove second instance of enable-password-save in the man page
      Detect config lines that are too long and give a warning/error
      Log serial number of revoked certificate
      Adjust server-ipv6 documentation
      Avoid partial authentication state when using --disabled in CCD configs
      Make "block-outside-dns" option platform agnostic
      Un-break --auth-user-pass on windows
      Replace unaligned 16bit access to TCP MSS value with bytewise access
      Repair test_local_addr() on WIN32
      Fix possible heap overflow on read accessing getaddrinfo() result.
      Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
      remove unused gc_arena in FreeBSD close_tun()
      Fix isatty() check for good.
      put virtual IPv6 addresses into env
      Use adapter index instead of name for windows IPv6 interface config
      Client-side part for server restart notification
      Use adapter index for add/delete_route_ipv6
      Pass adapter index to up/down scripts
      Fix VS2013 compilation
      Fix privilege drop if first connection attempt fails
      Support for username-only auth file.
      Add CONTRIBUTING.rst
      Updates to Changes.rst
      Fix termination when windows suspends/sleeps
      Do not hard-code windows systemroot in env_block
      Handle ctrl-C and ctrl-break events on Windows
      Unbreak read username password from management
      Replace strdup() calls for string_alloc() calls
      Check return value of ms_error_text()
      Increase control channel packet size for faster handshakes
      hardening: add insurance to exit on a failed ASSERT()
      Fix memory leak in auth-pam plugin
      Fix (potential) memory leak in init_route_list()
      Fix unintialized variable in plugin_vlog()
      Add macro to ensure we exit on fatal errors
      Fix memory leak in add_option() by simplifying get_ipv6_addr
      openssl: properly check return value of RAND_bytes()
      Fix rand_bytes return value checking
      Add Windows DNS Leak fix using WFP ('block-outside-dns')
      Fix "White space before end tags can break the config parser"

2015.08.03 -- Version 2.3.8
      Report missing endtags of inline files as warnings
      Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
      Produce a meaningful error message if --daemon gets in the way of asking for passwords.
      Document --daemon changes and consequences (--askpass, --auth-nocache).
      Del ipv6 addr on close of linux tun interface
      Fix --askpass not allowing for password input via stdin
      write pid file immediately after daemonizing
      Make __func__ work with Visual Studio too
      fix regression: query password before becoming daemon
      Fix using management interface to get passwords.
      Fix overflow check in openvpn_decrypt()

2015.06.02 -- Version 2.3.7
      Default gateway can't be determined on illumos/Solaris platforms
      Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4
      autotools: Fix wrong ./configure help screen default values
      down-root plugin: Replaced system() calls with execve()
      down-root: Improve error messages
      plugin, down-root: Fix compiler warnings
      sockets: Remove the limitation of --tcp-nodelay to be server-only
      plugins, down-root: Code style clean-up
      pkcs11: Load p11-kit-proxy.so module by default
      Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
      Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary
      New approach to handle peer-id related changes to link-mtu (2.3 version)
      Fix incorrect use of get_ipv6_addr() for iroute options.
      Print helpful error message on --mktun/--rmtun if not available.
      explain effect of --topology subnet on --ifconfig
      Add note about file permissions and --crl-verify to manpage.
      repair --dev null breakage caused by db950be85d37
      assume res_init() is always there.
      Correct note about DNS randomization in openvpn.8
      Disallow usage of --server-poll-timeout in --secret key mode.
      slightly enhance documentation about --cipher
      Enforce "serial-tests" behaviour for tests/Makefile
      Revert "Enforce "serial-tests" behaviour for tests/Makefile"
      On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
      Use configure.ac hack to apply serial_test AM option only if supported.
      Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
      Move res_init() call to inner openvpn_getaddrinfo() loop
      Fix FreeBSD ifconfig for topology subnet tunnels.
      Fix --redirect-private in --dev tap mode.
      include ifconfig_ environment variables in --up-restart env set
      Fix null pointer dereference in options.c
      Fix mssfix default value in connection_list context
      Manual page update for Re-enabled TLS version negotiation.
      Include systemd units in the source tarball (make dist)
      Updated manpage for --rport and --lport
      Properly escape dashes on the man-page
      Improve documentation in --script-security section of the man-page
      Really fix '--cipher none' regression
      Update doxygen (a bit)
      Set tls-version-max to 1.1 if cryptoapicert is used
      Account for peer-id in frame size calculation
      Disable SSL compression
      Fix frame size calculation for non-CBC modes.
      Allow for CN/username of 64 characters (fixes off-by-one)
      Remove unneeded parameter 'first_time' from possibly_become_daemon()
      Re-enable TLS version negotiation by default
      Remove size limit for files inlined in config
      Improve --tls-cipher and --show-tls man page description
      Re-read auth-user-pass file on (re)connect if required
      Clarify --capath option in manpage
      Call daemon() before initializing crypto library

Revision 1.58 / (download) - annotate - [select for diffs], Sat Mar 5 11:29:09 2016 UTC (7 years ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)

Bump PKGREVISION for security/openssl ABI bump.

Revision 1.57 / (download) - annotate - [select for diffs], Tue Sep 22 02:38:32 2015 UTC (7 years, 6 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3
Changes since 1.56: +2 -2 lines
Diff to previous 1.56 (colored)

use the correct version in solaris-tap's bl3.mk.
Revbump dependees.

Revision 1.56 / (download) - annotate - [select for diffs], Sun Aug 23 14:30:40 2015 UTC (7 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.55: +2 -1 lines
Diff to previous 1.55 (colored)

Bump PKGREVISION for nettle shlib major bump.

Revision 1.55 / (download) - annotate - [select for diffs], Wed Dec 3 10:09:01 2014 UTC (8 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2, pkgsrc-2015Q1-base, pkgsrc-2015Q1, pkgsrc-2014Q4-base, pkgsrc-2014Q4
Changes since 1.54: +1 -2 lines
Diff to previous 1.54 (colored)

Update to 2.3.6:

2014.11.28 -- Version 2.3.6
David Sommerseth (1):
      systemd: Reworked the systemd unit file to handle server and client configs better

Gert Doering (1):
      Add client-only support for peer-id.

Samuli Seppänen (1):
      Fix to --shaper documentation on the man-page

Steffan Karger (4):
      Fix assertion error when using --cipher none
      Add --tls-version-max
      Modernize sample keys and sample configs
      Drop too-short control channel packets instead of asserting out.


2014.10.24 -- Version 2.3.5
Andris Kalnozols (2):
      Fix some typos in the man page.
      Do not upcase x509-username-field for mixed-case arguments.

Arne Schwabe (1):
      Fix server routes not working in topology subnet with --server [v3]

David Sommerseth (4):
      Improve error reporting on file access to --client-config-dir and --ccd-exclusive
      Don't let openvpn_popen() keep zombies around
      Add systemd unit file for OpenVPN
      systemd: Use systemd functions to consider systemd availability

Gert Doering (3):
      Drop incoming fe80:: packets silently now.
      Fix t_lpback.sh platform-dependent failures
      Call init script helpers with explicit path (./)

Heiko Hund (1):
      refine assertion to allow other modes than CBC

Hubert Kario (2):
      ocsp_check - signature verification and cert staus results are separate
      ocsp_check - double check if ocsp didn't report any errors in execution

James Bekkema (1):
      Fix socket-flag/TCP_NODELAY on Mac OS X

James Yonan (6):
      Fixed several instances of declarations after statements.
      In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
      Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
      MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
      Define PATH_SEPARATOR for MSVC builds.
      Fixed some compile issues with show_library_versions()

Jann Horn (1):
      Remove quadratic complexity from openvpn_base64_decode()

Mike Gilbert (1):
      Add configure check for the path to systemd-ask-password

Philipp Hagemeister (2):
      Add topology in sample server configuration file
      Implement on-link route adding for iproute2

Samuel Thibault (1):
      Ensure that client-connect files are always deleted

Steffan Karger (13):
      Remove function without effect (cipher_ok() always returned true).
      Remove unneeded wrapper functions in crypto_openssl.c
      Fix bug that incorrectly refuses oid representation eku's in polar builds
      Update README.polarssl
      Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
      Add proper check for crypto modes (CBC or OFB/CFB)
      Improve --show-ciphers to show if a cipher can be used in static key mode
      Extend t_lpback tests to test all ciphers reported by --show-ciphers
      Don't exit daemon if opening or parsing the CRL fails.
      Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
      Fix regression with password protected private keys (polarssl)
      ssl_polarssl.c: fix includes and make casts explicit
      Remove unused variables from ssl_verify_openssl.c extract_x509_extension()

TDivine (1):
      Fix "code=995" bug with windows NDIS6 tap driver.

Revision 1.54 / (download) - annotate - [select for diffs], Mon Sep 8 16:57:01 2014 UTC (8 years, 6 months ago) by wiedi
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base, pkgsrc-2014Q3
Changes since 1.53: +4 -1 lines
Diff to previous 1.53 (colored)

Add SMF manifest for openvpn.
Provided by Ernst Glatz in https://github.com/joyent/pkgsrc/pull/218

Revision 1.53 / (download) - annotate - [select for diffs], Sun Jul 20 17:43:29 2014 UTC (8 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.52: +3 -4 lines
Diff to previous 1.52 (colored)

Changes 2.3.4:
The most important change in this release is that TLS version negotiation is no longer used unless it's explicitly turned on in the configuration files, thus reverting back to the 2.3.2 behaviour as interoperability issues were encountered in 2.3.3. Other notable changes include addition of SSL library version reporting, fixing of SOCKSv5 authentication logic and making serial env exporting consistent between OpenSSL and PolarSSL. This release also contains a number of other bug fixes and small enhancements.

Revision 1.52 / (download) - annotate - [select for diffs], Wed Feb 12 23:18:24 2014 UTC (9 years, 1 month ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base, pkgsrc-2014Q2, pkgsrc-2014Q1-base, pkgsrc-2014Q1
Changes since 1.51: +2 -1 lines
Diff to previous 1.51 (colored)

Recursive PKGREVISION bump for OpenSSL API version bump.

Revision 1.51 / (download) - annotate - [select for diffs], Wed Jul 31 06:53:21 2013 UTC (9 years, 7 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4, pkgsrc-2013Q3-base, pkgsrc-2013Q3
Changes since 1.50: +2 -3 lines
Diff to previous 1.50 (colored)

Changes 2.3.2:
      Only print script warnings when a script is used. Remove stray mention of script-security system.
      Move settings of user script into set_user_script function
      Move checking of script file access into set_user_script
      Provide more accurate warning message
      Fix NULL-pointer crash in route_list_add_vpn_gateway().
      Fix problem with UDP tunneling due to mishandled pktinfo structures.
      Always push basic set of peer info values to server.
      make 'explicit-exit-notify' pullable again
      Fix proto tcp6 for server & non-P2MP modes
      Fix Windows script execution when called from script hooks
      Fixed tls-cipher translation bug in openssl-build
      Fixed usage of stale define USE_SSL to ENABLE_SSL
      Fix segfault when enabling pf plug-ins

Revision 1.50 / (download) - annotate - [select for diffs], Fri Jul 12 10:45:00 2013 UTC (9 years, 8 months ago) by jperkin
Branch: MAIN
Changes since 1.49: +2 -1 lines
Diff to previous 1.49 (colored)

Bump PKGREVISION of all packages which create users, to pick up change of
sysutils/user_* packages.

Revision 1.49 / (download) - annotate - [select for diffs], Sun Feb 10 05:55:07 2013 UTC (10 years, 1 month ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base, pkgsrc-2013Q2, pkgsrc-2013Q1-base, pkgsrc-2013Q1
Changes since 1.48: +16 -31 lines
Diff to previous 1.48 (colored)

Upgrade OpenVPN to 2.3.0
Bump openvpn-acct-wtmpx to add its licence and to take into account the
new location of plugin directory

Significant changes since 2.2.x:
 * Full IPv6 support
 * SSL layer modularised, enabling easier implementation for other SSL
   libraries
 * PolarSSL support as a drop-in replacement for OpenSSL
 * New plug-in API providing direct certificate access, improved logging API
   and easier to extend in the future
 * Added 'dev_type' environment variable to scripts and plug-ins - which
   is set to 'TUN' or 'TAP'
 * New feature: --management-external-key - to provide access to the
   encryption keys via the management interface
 * New feature: --x509-track option, more fine grained access to X.509
   fields in scripts and plug-ins
 * New feature: --client-nat support
 * New feature: --mark which can mark encrypted packets from the tunnel,
   suitable for more advanced routing and firewalling
 * New feature: --management-query-proxy - manage proxy settings via the
   management interface (supercedes --http-proxy-fallback)
 * New feature: --stale-routes-check, which cleans up the internal
   routing table
 * New feature: --x509-username-field, where other X.509v3 fields can be
   used for the authentication instead of Common Name
 * Improved client-kill management interface command
 * Improved UTF-8 support - and added --compat-names to provide backwards
   compatibility with older scripts/plug-ins
 * Improved auth-pam with COMMONNAME support, passing the certificate's
   common name in the PAM conversation
 * More options can now be used inside <connection> blocks
 * Completely new build system, enabling easier cross-compilation and
   Windows builds
 * Much of the code has been better documented
 * Many documentation updates
 * Plenty of bug fixes and other code clean-ups

Revision 1.48 / (download) - annotate - [select for diffs], Wed Feb 6 23:23:21 2013 UTC (10 years, 1 month ago) by jperkin
Branch: MAIN
Changes since 1.47: +2 -2 lines
Diff to previous 1.47 (colored)

PKGREVISION bumps for the security/openssl 1.0.1d update.

Revision 1.47 / (download) - annotate - [select for diffs], Sat Dec 15 10:36:30 2012 UTC (10 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base, pkgsrc-2012Q4
Changes since 1.46: +2 -2 lines
Diff to previous 1.46 (colored)

Bump PKGREVISION from devel/nss 3.14.0.

Revision 1.46 / (download) - annotate - [select for diffs], Tue Oct 23 17:18:44 2012 UTC (10 years, 5 months ago) by asau
Branch: MAIN
Changes since 1.45: +1 -3 lines
Diff to previous 1.45 (colored)

Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.

Revision 1.45 / (download) - annotate - [select for diffs], Tue Mar 6 17:39:00 2012 UTC (11 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3, pkgsrc-2012Q2-base, pkgsrc-2012Q2, pkgsrc-2012Q1-base, pkgsrc-2012Q1
Changes since 1.44: +2 -1 lines
Diff to previous 1.44 (colored)

Recursive PKGREVISION bump for xulrunner, nss, and nspr.

Revision 1.44 / (download) - annotate - [select for diffs], Thu Jan 19 13:26:55 2012 UTC (11 years, 2 months ago) by adam
Branch: MAIN
Changes since 1.43: +2 -3 lines
Diff to previous 1.43 (colored)

Changes 2.2.2:
* Only warn about non-tackled IPv6 packets once
* add missing break between "case IPv4" and "case IPv6"
* bump tap driver version from 9.8 to 9.9
* log error message and exit for "win32, tun mode, tap driver version 9.8"
* Backported pkcs11-related parts of 7a8d707237bb18 to 2.2 branch

Revision 1.43 / (download) - annotate - [select for diffs], Wed Aug 3 08:33:32 2011 UTC (11 years, 7 months ago) by cheusov
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q3-base, pkgsrc-2011Q3
Changes since 1.42: +10 -1 lines
Diff to previous 1.42 (colored)


rc.d script improvements:
  - openvpn_chrootdir variable was introduced for running openvpn in chroot
  - openvpn_flags variable was introduced for extra flag passed to openvpn
++pkgrevision

Revision 1.42 / (download) - annotate - [select for diffs], Fri Jul 8 10:15:31 2011 UTC (11 years, 8 months ago) by adam
Branch: MAIN
Changes since 1.41: +3 -3 lines
Diff to previous 1.41 (colored)

Changes 2.2.1:
* Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
* Fix compiling issues with pkcs11 when --disable-management is configured
* Remove support for Linux 2.2 configuration fallback
* Fix compile issues when using --enable-small and
  --disable-ssl/--disable-crypto
* Fix 2.2.0 build failure when management interface disabled
* Added info about --show-proxy-settings
* Documented --x509-username-field option
* Updated "easy-rsa" for OpenSSL 1.0.0
* Fixes to easy-rsa/2.0
* Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
* Fix a build-ca issue on Windows
* Fix issues with some older GCC compilers

Revision 1.41 / (download) - annotate - [select for diffs], Thu Apr 28 07:27:24 2011 UTC (11 years, 10 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base, pkgsrc-2011Q2
Changes since 1.40: +26 -29 lines
Diff to previous 1.40 (colored)

Changes 2.2.0:
* Several man-page updates
* Several buildsystem fixes
* Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
* Change the default --tmp-dir path to a more suitable path
* Improve the mysprintf() issue in openvpnserv.c
* Fixed bug in port-share that could cause port share process to crash
* Fix the --client-cert-not-required feature

Revision 1.40 / (download) - annotate - [select for diffs], Fri Apr 22 14:40:44 2011 UTC (11 years, 11 months ago) by obache
Branch: MAIN
Changes since 1.39: +2 -1 lines
Diff to previous 1.39 (colored)

recursive bump from gettext-lib shlib bump.

Revision 1.39 / (download) - annotate - [select for diffs], Tue Nov 30 08:50:17 2010 UTC (12 years, 3 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base, pkgsrc-2011Q1, pkgsrc-2010Q4-base, pkgsrc-2010Q4
Changes since 1.38: +3 -4 lines
Diff to previous 1.38 (colored)

Changes 2.1.4:
* Fix problem with special case route targets ('remote_host')
  The init_route() function will leave &netlist untouched for
  get_special_addr() routes ("remote_host" being one of them).
  netlist is on stack,  contains random garbage, and
  netlist.len will not be 0 - thus, random stack data is copied from
  netlist.data[] until the route_list is full.

Revision 1.38 / (download) - annotate - [select for diffs], Sun Sep 5 20:33:48 2010 UTC (12 years, 6 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2010Q3-base, pkgsrc-2010Q3
Changes since 1.37: +13 -16 lines
Diff to previous 1.37 (colored)

Changes 2.1.3:
* Fixed potential local privilege escalation vulnerability in
  Windows service.
* Added Python-based based alternative build system for Windows using
  Visual Studio 2008 (in win directory).
* When aborting in a non-graceful way, try to execute do_close_tun in
  init.c prior to daemon exit to ensure that the tun/tap interface is
  closed and any added routes are deleted.
* Fixed an issue where AUTH_FAILED was not being properly delivered
  to the client when a bad password is given for mid-session reauth,
  causing the connection to fail without an error indication.
* Don't advance to the next connection profile on AUTH_FAILED errors.
* Fixed an issue in the Management Interface that could cause
  a process hang with 100% CPU utilization in --management-client
  mode if the management interface client disconnected at the
  point where credentials are queried.
* Fixed an issue where if reneg-sec was set to 0 on the client,
  so that the server-side value would take precedence,
  the auth_deferred_expire_window function would incorrectly
  return a window period of 0 seconds.  In this case, the
  correct window period should be the handshake window period.
* Modified ">PASSWORD:Verification Failed" management interface
  notification to include a client reason string:
    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
* Enable exponential backoff in reliability layer retransmits.
* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
  socket is created rather than waiting until after connect/listen.
* Management interface performance optimizations:
  1. Added env-filter MI command to perform filtering on env vars
     passed through as a part of --management-client-auth
  2. man_write will now try to aggregate output into larger blocks
     (up to 1024 bytes) for more efficient i/o
* Fixed minor issue in Windows TAP driver DEBUG builds
  where non-null-terminated unicode strings were being
  printed incorrectly.
* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
  was not being compiled in.
* Proxy improvements:
* Implemented http-proxy-override and http-proxy-fallback directives to make it
  easier for OpenVPN client UIs to start a pre-existing client config file with
  proxy options, or to adaptively fall back to a proxy connection if a direct
  connection fails.
* Implemented a key/value auth channel from client to server.
* Fixed issue where bad creds provided by the management interface
  for HTTP Proxy Basic Authentication would go into an infinite
  retry-fail loop instead of requerying the management interface for
  new creds.

Revision 1.37 / (download) - annotate - [select for diffs], Wed Jun 16 07:30:26 2010 UTC (12 years, 9 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2010Q2-base, pkgsrc-2010Q2
Changes since 1.36: +1 -2 lines
Diff to previous 1.36 (colored)

- fix PLIST
- kill some pkglint warnings

Revision 1.36 / (download) - annotate - [select for diffs], Tue Jun 15 12:05:28 2010 UTC (12 years, 9 months ago) by sborrill
Branch: MAIN
Changes since 1.35: +2 -3 lines
Diff to previous 1.35 (colored)

Updated to 2.1.1.

Changes:

2009.12.11 -- Version 2.1.1

* Fixed some breakage in openvpn.spec (which is required to build an
  RPM distribution) where it was referencing a non-existent
  subdirectory in the tarball, causing it to fail (patch from
  David Sommerseth).

2009.12.11 -- Version 2.1.0

* Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
  (1) Fail gracefully rather than segfault if calloc returns NULL.
  (2) The openvpn_plugin_abort_v1 function can potentially be called
  with handle == NULL.  Add code to detect this case, and if  so, avoid
  dereferencing pointers derived from handle  (Thanks to David
  Sommerseth for finding this bug).

* Documented "multihome" option in the man page.

2009.11.20 -- Version 2.1_rc22

* Fixed a client-side bug on Windows that occurred when the
  "dhcp-pre-release" or "dhcp-renew" options were combined with
  "route-gateway dhcp".  The release/renew would not occur
  because the Windows DHCP renew function is blocking and
  therefore must be called from another process or thread
  so as not to stall the tunnel.

* Added a hard failure when peer provides a certificate chain
  with depth > 16.  Previously, a warning was issued.

Revision 1.35 / (download) - annotate - [select for diffs], Sun Jan 17 12:02:34 2010 UTC (13 years, 2 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2010Q1-base, pkgsrc-2010Q1
Changes since 1.34: +2 -1 lines
Diff to previous 1.34 (colored)

Recursive PKGREVISION bump for jpeg update to 8.

Revision 1.34 / (download) - annotate - [select for diffs], Wed Nov 18 08:10:15 2009 UTC (13 years, 4 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4
Changes since 1.33: +2 -3 lines
Diff to previous 1.33 (colored)

Update to 2.1rc21. From Changelog:
* Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
  CVE-2009-3555.  Note that OpenVPN has never relied on the session
  renegotiation capabilities that are built into the SSL/TLS protocol,
  therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
  completely) will not adversely affect OpenVPN mid-session SSL/TLS
  renegotation or any other OpenVPN capabilities.

* Added additional session renegotiation hardening.  OpenVPN has always
  required that mid-session renegotiations build up a new SSL/TLS
  session from scratch.  While the client certificate common name is
  already locked against changes in mid-session TLS renegotiations, we
  now extend this locking to the auth-user-pass username as well as all
  certificate content in the full client certificate chain.

Revision 1.33 / (download) - annotate - [select for diffs], Thu Nov 12 08:41:10 2009 UTC (13 years, 4 months ago) by manu
Branch: MAIN
Changes since 1.32: +2 -2 lines
Diff to previous 1.32 (colored)

NetBSD's tun driver has no broadcast support. When configured with
a tun device and subnet topology, OpenVPN insisted on setting a broadcast
address on the tun device, causing a fatal error. This patch fixes that,
and has been submitted upstream

Revision 1.32 / (download) - annotate - [select for diffs], Fri Oct 30 19:06:06 2009 UTC (13 years, 4 months ago) by manu
Branch: MAIN
Changes since 1.31: +3 -2 lines
Diff to previous 1.31 (colored)

Add a pam option for the PAM plugin

Revision 1.31 / (download) - annotate - [select for diffs], Sun Oct 11 17:32:00 2009 UTC (13 years, 5 months ago) by jmmv
Branch: MAIN
Changes since 1.30: +2 -3 lines
Diff to previous 1.30 (colored)

Update to 2.1_rc20 from 2.1_rc13:

2009.10.01 -- Version 2.1_rc20

* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
  redirect-gateway option by itself, without any extra parameters,
  would cause the option to be ignored.

* Fixed build problem when ./configure --disable-server is used.

* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).

* Added --remote-random-hostname option.

* Added "load-stats" management interface command to get global server
  load statistics.

* Added new ./configure flags:

  --disable-def-auth      Disable deferred authentication
  --disable-pf            Disable internal packet filter

* Added "setcon" directive for interoperability with SELinux (Sebastien
  Raveau).

* Optimized PUSH_REQUEST handshake sequence to shave several seconds
  off of a typical client connection initiation.

* The maximum number of "route" directives (specified in the config
  file or pulled from a server) can now be configured via the new
  "max-routes" directive.

* Eliminated the limitation on the number of options that can be pushed
  to clients, including routes.  Previously, all pushed options needed
  to fit within a 1024 byte options string.

* Added --server-poll-timeout option : when polling possible remote
  servers to connect to in a round-robin fashion, spend no more than
  n seconds waiting for a response before trying the next server.

* Added the ability for the server to provide a custom reason string
  when an AUTH_FAILED message is returned to the client.  This
  string can be set by the server-side managment interface and read
  by the client-side management interface.

* client-kill management interface command, when issued on server, will
  now send a RESTART message to client.
  This feature is intended to make UDP clients respond the same as TCP
  clients in the case where the server issues a RESTART message in
  order to force the client to reconnect and pull a new options/route
  list.

2009.07.16 -- Version 2.1_rc19

* In Windows TAP driver, refactor DHCP/ARP packet injection code to
  use a DPC (deferred procedure call) to defer packet injection until
  IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
  in the context of AdapterTransmit.  This is an attempt to reduce kernel
  stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
  observed on Vista.  Updated TAP driver version number to 9.6.

* In configure.ac, use datadir instead of datarootdir for compatibility
  with <autoconf-2.60.

2009.06.07 -- Version 2.1_rc18

* Fixed compile error on ./configure --enable-small

* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
  does not build on Windows on non-MINGW32.

2009.05.30 -- Version 2.1_rc17

* Reduce the debug level (--verb) at which received management interface
  commands are echoed from 7 to 3.  Passwords will be filtered.

* Fixed race condition in management interface recv code on
  Windows, where sending a set of several commands to the
  management interface in quick succession might cause the
  latter commands in the set to be ignored.

* Increased management interface input command buffer size
  from 256 to 1024 bytes.

* Minor tweaks to Windows build system.

* Added "redirect-private" option which allows private subnets
  to be pushed to the client in such a way that they don't accidently
  obscure critical local addresses such as the DHCP server address and
  DNS server addresses.

* Added new 'autolocal' redirect-gateway flag.  When enabled, the OpenVPN
  client will examine the routing table and determine whether (a) the
  OpenVPN server is reachable via a locally connected interface, or (b)
  traffic to the server must be forwarded through the default router.
  Only add a special bypass route for the OpenVPN server if (b) is true.
  If (a) is true, behave as if the 'local' flag is specified, and do not
  add a bypass route.

  The new 'autolocal' flag depends on the non-portable test_local_addr()
  function in route.c, which is currently only implemented for Windows.
  The 'autolocal' flag will act as a no-op on platforms that have not
  yet defined a test_local_addr() function.

* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
  more option content to be pushed from server to client).

* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
  levels <=3) a common and usually innocuous warning.

* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
  functionality (Alon Bar-Lev).

* Fixed bug where the remote_X environmental variables were not being
  set correctly when the 'local' option is specifed.

2009.05.17 -- Version 2.1_rc16

* Windows installer changes:

  1. ifdefed out the check Windows version code which is causing
  problems on Windows 7

  2. don't define SF_SELECTED if it is already defined

  3. Use LZMA instead of BZIP2 compression for better compression

  4. Upgraded OpenSSL to 0.9.8k

* Added the ability to read the configuration file
  from stdin, when "stdin" is given as the config
  file name.

* Allow "management-client" directive to be used
  with unix domain sockets.

* Added errors-to-stderr option.  When enabled, fatal errors
  that result in the termination of the daemon will be written
  to stderr.

* Added optional "nogw" (no gateway) flag to --server-bridge
  to inhibit the pushing of the route-gateway parameter to
  clients.

* Added new management interface command "pid" to show the
  process ID of the current OpenVPN process (Angelo Laub).

* Fixed issue where SIGUSR1 restarts would fail if private
  key was specified as an inline file.

* Added daemon_start_time and daemon_pid environmental variables.

* In management interface, added new ">CLIENT:ESTABLISHED" notification.

* Build fixes:

  1. Fixed some issues with C++ style comments that leaked into the code.

  2. Updated configure.ac to work on MinGW64.

  3. Updated common.h types for _WIN64.

  4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
     compilers.

  5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
     OpenVPNCryptAcquireCertificatePrivateKey to work around
     a symbol conflict in MinGW-5.1.4.

2008.11.19 -- Version 2.1_rc15

* Fixed issue introduced in 2.1_rc14 that may cause a
  segfault when a --plugin module is used.

* Added server-side --opt-verify option: clients that connect
  with options that are incompatible with those of the server
  will be disconnected (without this option, incompatible
  clients would trigger a warning message in the server log
  but would not be disconnected).

* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
  flag on the server as well as pushes it to connecting clients.

* Minor options check fix: --no-name-remapping is a
  server-only option and should therefore generate an
  error when used on the client.

* Added --prng option to control PRNG (pseudo-random
  number generator) parameters.  In previous OpenVPN
  versions, the PRNG was hardcoded to use the SHA1
  hash.  Now any OpenSSL hash may be used.  This is
  part of an effort to remove hardcoded references to
  a specific cipher or cryptographic hash algorithm.

* Cleaned up man page synopsis.

2008.11.16 -- Version 2.1_rc14

* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
  with the goal of fixing a build issue on Fedora 9 that was
  introduced in 2.1_rc13.

* Added additional method parameter to --script-security to preserve
  backward compatibility with system() call semantics used in OpenVPN
  2.1_rc8 and earlier.  To preserve backward compatibility use:

    script-security 3 system

* Added additional warning messages about --script-security 2
  or higher being required to execute user-defined scripts or
  executables.

* Windows build system changes:

  Modified Windows domake-win build system to write all openvpn.nsi
  input files to gen, so that gen can be disconnected from
  the rest of the source tree and makensis openvpn.nsi will
  still function correctly.

  Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
  (commented out by default).

  Added optional files SAMPCONF_CONF2 (second sample configuration
  file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
  build system, and may be defined in settings.in.

* Extended Management Interface "bytecount" command
  to work when OpenVPN is running as a server.
  Documented Management Interface "bytecount" command in
  management/management-notes.txt.

* Fixed informational message in ssl.c to properly indicate
  deferred authentication.

* Added server-side --auth-user-pass-optional directive, to allow
  connections by clients that do not specify a username/password, when a
  user-defined authentication script/module is in place (via
  --auth-user-pass-verify, --management-client-auth, or a plugin module).

* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:

  Calling scripts can set the KEY_NAME environmental variable to set
  the "name" X509 subject field in generated certificates.

  Modified pkitool to allow flexibility in separating the Common Name
  convention from the cert/key filename convention.

  For example:

  KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james

  will create a client certificate/key pair of james.crt/james.key
  having a Common Name of "James's Laptop" and a Name of "james".

* Added --no-name-remapping option to allow Common Name, X509 Subject,
  and username strings to include any printable character including
  space, but excluding control characters such as tab, newline, and
  carriage-return (this is important for compatibility with external
  authentication systems).

  As a related change, added --status-version 3 format (and "status 3"
  in the management interface) which uses the version 2 format except
  that tabs are used as delimiters instead of commas so that there
  is no ambiguity when parsing a Common Name that contains a comma.

  Also, save X509 Subject fields to environment, using the naming
  convention:

  X509_{cert_depth}_{name}={value}

  This is to avoid ambiguities when parsing out the X509 subject string
  since "/" characters could potentially be used in the common name.

* Fixed some ifconfig-pool issues that precluded it from being combined
  with --server directive.

  Now, for example, we can configure thusly:

    server 10.8.0.0 255.255.255.0 nopool
    ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0

  to have ifconfig-pool manage only a subset
  of the VPN subnet.

* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
  config file syntax checking to allow directives for future OpenVPN
  versions to be ignored.

Revision 1.30 / (download) - annotate - [select for diffs], Mon Sep 21 12:33:31 2009 UTC (13 years, 6 months ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2009Q3-base, pkgsrc-2009Q3
Changes since 1.29: +4 -4 lines
Diff to previous 1.29 (colored)

add an option to openvpn to enable using certificates on USB sticks
or cards (etc) that are using the PKCS11 protocol

Revision 1.29 / (download) - annotate - [select for diffs], Tue May 19 08:59:27 2009 UTC (13 years, 10 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base, pkgsrc-2009Q2
Changes since 1.28: +2 -2 lines
Diff to previous 1.28 (colored)

Use standard location for LICENSE line (in MAINTAINER/HOMEPAGE/COMMENT
block). Uncomment some commented out LICENSE lines while here.

Revision 1.28 / (download) - annotate - [select for diffs], Fri Dec 5 08:13:35 2008 UTC (14 years, 3 months ago) by hasso
Branch: MAIN
CVS Tags: pkgsrc-2009Q1-base, pkgsrc-2009Q1, pkgsrc-2008Q4-base, pkgsrc-2008Q4
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)

Make it work on DragonFly 2.0 and up. Bump PKGREVISION.

Revision 1.27 / (download) - annotate - [select for diffs], Sun Nov 23 15:16:42 2008 UTC (14 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.26: +4 -5 lines
Diff to previous 1.26 (colored)

Do not unnecessarily create share/doc/openvpn, and remove it from PLIST.
It wasn't created when installing the binary package.

Bump PKGREVISION.

Revision 1.26 / (download) - annotate - [select for diffs], Thu Oct 9 10:57:23 2008 UTC (14 years, 5 months ago) by sborrill
Branch: MAIN
Changes since 1.25: +3 -6 lines
Diff to previous 1.25 (colored)

Update to 2.1rc13. Changes include:

2008.10.07 -- Version 2.1_rc13

* Bundled OpenSSL 0.9.8i with Windows installer.

* Management interface can now listen on a unix
  domain socket, for example:

    management /tmp/openvpn unix

  Also added management-client-user and management-client-group
  directives to control which processes are allowed to connect
  to the socket.

* Copyright change to OpenVPN Technologies, Inc.

2008.09.23 -- Version 2.1_rc12

* Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
  part of the tarball (Matthias Andree).

* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
  was incorrectly expecting the lladdr parameter to be an IP address
  when it is actually a MAC address (HoverHell).

2008.09.14 -- Version 2.1_rc11

* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
  to fail if UDP packets are dropped.

2008.09.10 -- Version 2.1_rc10

* Added "--server-bridge" (without parameters) to enable
  DHCP proxy mode:  Configure server mode for ethernet
  bridging using a DHCP-proxy, where clients talk to the
  OpenVPN server-side DHCP server to receive their IP address
  allocation and DNS server addresses.

* Added "--route-gateway dhcp", to enable the extraction
  of the gateway address from a DHCP negotiation with the
  OpenVPN server-side LAN.

* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
  on Windows.  If the bypass IP address is 0.0.0.0 or 255.255.255.255,
  ignore it.

* Warn when ethernet bridging that the IP address of the bridge adapter
  is probably not the same address that the LAN adapter was set to
  previously.

* When running as a server, warn if the LAN network address is
  the all-popular 192.168.[0|1].x, since this condition commonly
  leads to subnet conflicts down the road.

* Primarily on the client, check for subnet conflicts between
  the local LAN and the VPN subnet.

* Added a 'netmask' parameter to get_default_gateway, to return
  the netmask of the adapter containing the default gateway.
  Only implemented on Windows so far.  Other platforms will
  return 255.255.255.0.  Currently the netmask information is
  only used to warn about subnet conflicts.

* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
  and USE_SSL flags are enabled (Alon Bar-Lev).

* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
  --script-security rules.  Also adds retrying if the addresses are in
  use (Matthias Andree).

* Fixed build issue with ./configure --disable-socks --disable-http.

* Fixed separate compile errors in options.c and ntlm.c that occur
  on strict C compilers (such as old versions of gcc) that require
  that C variable declarations occur at the start of a {} block,
  not in the middle.

* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
  the new implementation of extract_x509_field_ssl depends on.

* LZO compression buffer overflow errors will now invalidate
  the packet rather than trigger a fatal assertion.

* Fixed minor compile issue in ntlm.c (mid-block declaration).

* Added --allow-pull-fqdn option which allows client to pull DNS names
  from server (rather than only IP address) for --ifconfig, --route, and
  --route-gateway.  OpenVPN versions 2.1_rc7 and earlier allowed DNS names
  for these options to be pulled and translated to IP addresses by default.
  Now --allow-pull-fqdn will be explicitly required on the client to enable
  DNS-name-to-IP-address translation of pulled options.

* 2.1_rc8 and earlier did implicit shell expansion on script
  arguments since all scripts were called by system().
  The security hardening changes made to 2.1_rc9 no longer
  use system(), but rather use the safer execve or CreateProcess
  system calls.  The security hardening also introduced a
  backward incompatibility with 2.1_rc8 and earlier in that
  script parameters were no longer shell-expanded, so
  for example:

    client-connect "docc CLIENT-CONNECT"

  would fail to work because execve would try to execute
  a script called "docc CLIENT-CONNECT" instead of "docc"
  with "CLIENT-CONNECT" as the first argument.

  This patch fixes the issue, bringing the script argument
  semantics back to pre 2.1_rc9 behavior in order to preserve
  backward compatibility while still using execve or CreateProcess
  to execute the script/executable.

* Modified ip_or_dns_addr_safe, which validates pulled DNS names,
  to more closely conform to RFC 3696:

  (1) DNS name length must not exceed 255 characters

  (2) DNS name characters must be limited to alphanumeric,
      dash ('-'), and dot ('.')

* Fixed bug in intra-session TLS key rollover that was introduced with
  deferred authentication features in 2.1_rc8.

008.07.31 -- Version 2.1_rc9

* Security Fix -- affects non-Windows OpenVPN clients running
  OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
  vulnerable nor are any versions of the OpenVPN server vulnerable).
  An OpenVPN client connecting to a malicious or compromised
  server could potentially receive an "lladdr" or "iproute" configuration
  directive from the server which could cause arbitrary code execution on
  the client. A successful attack requires that (a) the client has agreed
  to allow the server to push configuration directives to it by including
  "pull" or the macro "client" in its configuration file, (b) the client
  succesfully authenticates the server, (c) the server is malicious or has
  been compromised and is under the control of the attacker, and (d) the
  client is running a non-Windows OS.  Credit: David Wagner.

* Miscellaneous defensive programming changes to multiple
  areas of the code.  In particular, use of the system() call
  for calling executables such as ifconfig, route, and
  user-defined scripts has been completely revamped in favor
  of execve() on unix and CreateProcess() on Windows.

* In Windows build, package a statically linked openssl.exe to work around
  observed instabilities in the dynamic build since the migration to
  OpenSSL 0.9.8h.

2008.06.11 -- Version 2.1_rc8

* Added client authentication and packet filtering capability
  to management interface.  In addition, allow OpenVPN plugins
  to take advantage of deferred authentication and packet
  filtering capability.

* Added support for client-side connection profiles.

* Fixed unbounded memory growth bug in environmental variable
  code that could have caused long-running OpenVPN sessions
  with many TLS renegotiations to incrementally
  increase memory usage over time.

* Windows release now packages openssl-0.9.8h.

* Build system changes -- allow building on Windows using
  autoconf/automake scripts (Alon Bar-Lev).

* Changes to Windows build system to make it easier to do
  partial builds, with a reduced set of prerequisites,
  where only a subset of OpenVPN installer
  components are built.  See ./domake-win comments.

* Cleanup IP address for persistence interfaces for tap and also
  using ifconfig, gentoo#209055 (Alon Bar-Lev).

* Fall back to old version of extract_x509_field for OpenSSL 0.9.6.

* Clarified tcp-queue-limit man page entry (Matti Linnanvuori).

* Added new OpenVPN icon and installer graphic.

* Minor pkitool changes.

* Added --pkcs11-id-management option, which will cause OpenVPN to
  query the management interface via the new NEED-STR asynchronous
  notification query to get additional PKCS#11 options (Alon Bar-Lev).

* Added NEED-STR management interface asynchronous query and
  "needstr" management interface command to respond to the query
  (Alon Bar-Lev).

* Added Dragonfly BSD support (Francis-Gudin).

* Quote device names before passing to up/down script (Josh Cepek).

* Bracketed struct openvpn_pktinfo with #pragma pack(1) to
  prevent structure padding from causing an incorrect length
  to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
  platforms.

* On systems that support res_init, always call it
  before calling gethostbyname to ensure that
  resolver configuration state is current.

* Added NTLMv2 proxy support (Miroslav Zajic).

* Fixed an issue in extract_x509_field_ssl where the extraction
  would fail on the first field of the subject name, such as
  the common name in:  /CN=foo/emailAddress=
 foo@bar.comThis e-mail address is being protected from spambots. You need
JavaScript enabled to view it


* Made "Linux ip addr del failed" error nonfatal.

* Amplified --client-cert-not-required warning.

* Added #pragma pack to proto.h.

Revision 1.25 / (download) - annotate - [select for diffs], Wed Feb 20 04:24:17 2008 UTC (15 years, 1 month ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, pkgsrc-2008Q1-base, pkgsrc-2008Q1, cwrapper, cube-native-xorg-base, cube-native-xorg
Changes since 1.24: +12 -8 lines
Diff to previous 1.24 (colored)

+ Add full DESTDIR support.

+ Replace unnecessary /bin/bash in easy-rsa scripts with /bin/sh.

Bump the PKGREVISION to 1.

Revision 1.24 / (download) - annotate - [select for diffs], Wed Feb 13 12:07:24 2008 UTC (15 years, 1 month ago) by martti
Branch: MAIN
Changes since 1.23: +5 -5 lines
Diff to previous 1.23 (colored)

Updated net/openvpn to 2.1rc7

* Added a few extra files that exist in the svn repo but were
  not being copied into the tarball by make dist.

* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).

* Fixed options checking bug introduced in rc5 where legitimate configuration
  files might elicit the error: "Options error: Parameter pkcs11_private_mode
  can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
  is also specified."

* Added "forget-passwords" command to the management interface
  (Alon Bar-Lev).

* Added --management-signal option to signal SIGUSR1 when the
  management interface disconnects (Alon Bar-Lev).

* Modified command line and config file parser to allow
  quoted strings using single quotes ('') (Alon Bar-Lev).

* Use pkcs11-helper as external library, can be downloaded from
  https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).

* Fixed interim memory growth issue in TCP connect loop where
  "TCP: connect to %s failed, will try again in %d seconds: %s"
  is output.

* Fixed bug in epoll driver in event.c, where the lack of a
  handler for EPOLLHUP could cause 99% CPU usage.

* Defined ALLOW_NON_CBC_CIPHERS for people who don't
  want to use a CBC cipher for OpenVPN's data channel.

* Added PLUGIN_LIBDIR preprocessor string to prepend a default
  plugin directory to the dlopen search list when the user
  specifies the basename of the plugin only (Marius Tomaschewski).

* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
  to allow forward slash characters ("/") in the X509 common name
  (Pavel Shramov).

* Allow OpenVPN to run completely unprivileged under Linux
  by allowing openvpn --mktun to be used with --user and --group
  to set the UID/GID of the tun device node.  Also added --iproute
  option to allow an alternative command to be executed in place
  of the default iproute2 command (Alon Bar-Lev).

* Fixed --disable-iproute2 in ./configure to actually disable
  iproute2 usage (Alon Bar-Lev).

* Added --management-forget-disconnect option -- forget
  passwords when management session disconnects (Alon Bar-Lev).

Revision 1.23 / (download) - annotate - [select for diffs], Fri Jan 18 05:08:48 2008 UTC (15 years, 2 months ago) by tnn
Branch: MAIN
Changes since 1.22: +2 -1 lines
Diff to previous 1.22 (colored)

Per the process outlined in revbump(1), perform a recursive revbump
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@

Revision 1.22 / (download) - annotate - [select for diffs], Sun Jul 1 01:11:38 2007 UTC (15 years, 8 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2007Q4-base, pkgsrc-2007Q4, pkgsrc-2007Q3-base, pkgsrc-2007Q3
Changes since 1.21: +6 -1 lines
Diff to previous 1.21 (colored)

On SunOS, depend on net/solaris-tap to get the <net/if_tun.h> header.

Revision 1.21 / (download) - annotate - [select for diffs], Thu Jun 21 21:44:42 2007 UTC (15 years, 9 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2007Q2-base, pkgsrc-2007Q2
Changes since 1.20: +28 -26 lines
Diff to previous 1.20 (colored)

Update net/openvpn to 2.1rc4.  Changes from version 2.1rc2 include:

* Fixed 64-bit portability bug in time_string function
  (Thomas Habets).

* Clean up configure on FreeBSD for recent autotool versions
  that require that all .h files have to be compiled.
  Also, FreeBSD install does not support GNU long options
  which the Makefile in easy-rsa/2.0 uses (not checked the
  others as we don't install those on Gentoo) (Roy Marples).

Revision 1.20 / (download) - annotate - [select for diffs], Wed Feb 28 11:06:21 2007 UTC (16 years ago) by sborrill
Branch: MAIN
CVS Tags: pkgsrc-2007Q1-base, pkgsrc-2007Q1
Changes since 1.19: +3 -3 lines
Diff to previous 1.19 (colored)

Update to 2.1rc2. Mainly bug fixes and improvements to management interface

Revision 1.19 / (download) - annotate - [select for diffs], Tue Feb 20 09:40:49 2007 UTC (16 years, 1 month ago) by sborrill
Branch: MAIN
Changes since 1.18: +7 -5 lines
Diff to previous 1.18 (colored)

Update to 2.1_rc1. Many, many improvements including:
Added optional minimum-number-of-bytes parameter to --inactive directive.
Added --route-metric option to set a default route metric for --route
Added --lladdr option to specify the link layer (MAC) address
  for the tap interface on non-Windows platforms
Security Vulnerability CVE-2006-1629
Extended tun device configure code to support ethernet bridging on NetBSD
Added --port-share option for allowing OpenVPN and HTTPS
  server to share the same port number.
Added --management-client option to connect as a client to management GUI app
  rather than be connected to as a server.
Added "bytecount" command to management interface.
Added --connect-timeout option to control the timeout on TCP client
  connection attempts (doesn't work on all OSes).  This patch also
  makes OpenVPN signalable during TCP connection attempts.
Allow ca, cert, key, and dh files to be specified inline via XML-like syntax
  without needing to reference an explicit file.
Allow plugin and push directives to have multi-line parameter lists
Added connect-retry-max option
Added a backtrack-hardened system time algorithm.
Added --remote-cert-ku, --remote-cert-eku, and
  --remote-cert-tls options for verifying certificate attributes
Added PKCS#11 support
Added --bind option for TCP client connections
Made LZO setting pushable

Plus numerous bug fixes.

Revision 1.18 / (download) - annotate - [select for diffs], Wed Jul 5 15:50:05 2006 UTC (16 years, 8 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base, pkgsrc-2006Q4, pkgsrc-2006Q3-base, pkgsrc-2006Q3
Changes since 1.17: +2 -3 lines
Diff to previous 1.17 (colored)

Update net/openvpn to 2.0.7.  Changes from version 2.0.6 include fixing
a Windows bug with 64bit counters which could cause intermittent
crashes.

Revision 1.15.2.2 / (download) - annotate - [select for diffs], Thu Apr 13 16:08:25 2006 UTC (16 years, 11 months ago) by salo
Branch: pkgsrc-2006Q1
Changes since 1.15.2.1: +2 -1 lines
Diff to previous 1.15.2.1 (colored) to branchpoint 1.15 (colored) next main 1.16 (colored)

Pullup ticket 1364 - requested by jlam
NetBSD tap(4) support for openvpn

Revisions pulled up:
- pkgsrc/net/openvpn/Makefile			1.17
- pkgsrc/net/openvpn/distinfo			1.8
- pkgsrc/net/openvpn/patches/patch-ab		1.4
- pkgsrc/net/openvpn/patches/patch-ac		1.3
- pkgsrc/net/openvpn/patches/patch-ad		1.1
- pkgsrc/net/openvpn/patches/patch-ae		1.1
- pkgsrc/net/openvpn/patches/patch-af		1.1

   Module Name:		pkgsrc
   Committed By:	jlam
   Date:		Tue Apr 11 20:09:52 UTC 2006

   Modified Files:
   	pkgsrc/net/openvpn: Makefile distinfo
   Added Files:
   	pkgsrc/net/openvpn/patches: patch-ab patch-ac patch-ad patch-ae
   	    patch-af

   Log Message:
   Add support for NetBSD's cloning tap device to support "device tap"
   configurations.  Changes supplied in PR pkg/32929 by Alan Barrett.
   Bump PKGREVISION to 1.

Revision 1.17 / (download) - annotate - [select for diffs], Tue Apr 11 20:09:52 2006 UTC (16 years, 11 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2006Q2-base, pkgsrc-2006Q2
Changes since 1.16: +2 -1 lines
Diff to previous 1.16 (colored)

Add support for NetBSD's cloning tap device to support "device tap"
configurations.  Changes supplied in PR pkg/32929 by Alan Barrett.
Bump PKGREVISION to 1.

Revision 1.15.2.1 / (download) - annotate - [select for diffs], Wed Apr 5 14:09:36 2006 UTC (16 years, 11 months ago) by salo
Branch: pkgsrc-2006Q1
Changes since 1.15: +7 -9 lines
Diff to previous 1.15 (colored)

Pullup ticket 1327 - requested by jlam
Security update for openvpn

Revisions pulled up:
- pkgsrc/net/openvpn/Makefile		1.16
- pkgsrc/net/openvpn/distinfo		1.7

   Module Name:		pkgsrc
   Committed By:	jlam
   Date:		Wed Apr  5 13:49:26 UTC 2006

   Modified Files:
   	pkgsrc/net/openvpn: Makefile distinfo

   Log Message:
   Update net/openvpn to 2.0.6.  Changes from version 2.0.5 include:

   * [security] An OpenVPN client connecting to a malicious or compromised
     server could potentially receive "setenv" configuration directives
     from the server which could cause arbitrary code execution on the
     client via a LD_PRELOAD attack.  A successful attack appears to
     require that (a) the client has agreed to allow the server to push
     configuration directives to it by including "pull" or the macro
     "client" in its configuration file, (b) the client configuration
     file uses a scripting directive such as "up" or "down", (c) the
     client succesfully authenticates the server, (d) the server is
     malicious or has been compromised and is under the control of the
     attacker, and (e) the attacker has at least some level of pre-existing
     control over files on the client (this might be accomplished by
     having the server respond to a client web request with a specially
     crafted file).  The fix is to disallow "setenv" to be pushed to
     clients from the server.  For those who need this capability, OpenVPN
     2.1 supports a new "setenv-safe" directive which is free of this
     vulnerability.

   * When deleting routes under Linux, use the route metric as a
     differentiator to ensure that the route teardown process only deletes
     the identical route which was originally added via the "route"
     directive (Roy Marples).

   * Fix the t_cltsrv.sh file in FreeBSD 4 jails (Matthias Andree, Dirk
     Meyer, Vasil Dimov).

   * Extended tun device configure code to support ethernet bridging on
     NetBSD (Emmanuel Kasper).

Revision 1.16 / (download) - annotate - [select for diffs], Wed Apr 5 13:49:26 2006 UTC (16 years, 11 months ago) by jlam
Branch: MAIN
Changes since 1.15: +7 -9 lines
Diff to previous 1.15 (colored)

Update net/openvpn to 2.0.6.  Changes from version 2.0.5 include:

* [security] An OpenVPN client connecting to a malicious or compromised
  server could potentially receive "setenv" configuration directives
  from the server which could cause arbitrary code execution on the
  client via a LD_PRELOAD attack.  A successful attack appears to
  require that (a) the client has agreed to allow the server to push
  configuration directives to it by including "pull" or the macro
  "client" in its configuration file, (b) the client configuration
  file uses a scripting directive such as "up" or "down", (c) the
  client succesfully authenticates the server, (d) the server is
  malicious or has been compromised and is under the control of the
  attacker, and (e) the attacker has at least some level of pre-existing
  control over files on the client (this might be accomplished by
  having the server respond to a client web request with a specially
  crafted file).  The fix is to disallow "setenv" to be pushed to
  clients from the server.  For those who need this capability, OpenVPN
  2.1 supports a new "setenv-safe" directive which is free of this
  vulnerability.

* When deleting routes under Linux, use the route metric as a
  differentiator to ensure that the route teardown process only deletes
  the identical route which was originally added via the "route"
  directive (Roy Marples).

* Fix the t_cltsrv.sh file in FreeBSD 4 jails (Matthias Andree, Dirk
  Meyer, Vasil Dimov).

* Extended tun device configure code to support ethernet bridging on
  NetBSD (Emmanuel Kasper).

Revision 1.15 / (download) - annotate - [select for diffs], Sat Mar 4 21:30:22 2006 UTC (17 years ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2006Q1-base
Branch point for: pkgsrc-2006Q1
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)

Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no
developer is officially maintaining the package.

The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list).  Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.

Revision 1.14 / (download) - annotate - [select for diffs], Thu Dec 29 06:22:01 2005 UTC (17 years, 2 months ago) by jlam
Branch: MAIN
Changes since 1.13: +1 -2 lines
Diff to previous 1.13 (colored)

Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.

Revision 1.13 / (download) - annotate - [select for diffs], Mon Dec 5 23:55:14 2005 UTC (17 years, 3 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base, pkgsrc-2005Q4
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)

Ran "pkglint --autofix", which corrected some of the quoting issues in
CONFIGURE_ARGS.

Revision 1.12 / (download) - annotate - [select for diffs], Mon Dec 5 20:50:48 2005 UTC (17 years, 3 months ago) by rillig
Branch: MAIN
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)

Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in

    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html

Revision 1.10.2.1 / (download) - annotate - [select for diffs], Sat Nov 5 20:17:18 2005 UTC (17 years, 4 months ago) by seb
Branch: pkgsrc-2005Q3
Changes since 1.10: +2 -4 lines
Diff to previous 1.10 (colored) next main 1.11 (colored)

Pullup ticket 884 - requested by Lubomir Sedlacik
security update of net/openvpn

Revisions pulled up:
- pkgsrc/net/openvpn/Makefile                                 1.11
- pkgsrc/net/openvpn/distinfo                                 1.6
- pkgsrc/net/openvpn/files/openvpn.sh                         1.3

   Module Name:	pkgsrc
   Committed By:	salo
   Date:		Thu Nov  3 14:31:19 UTC 2005

   Modified Files:
   	pkgsrc/net/openvpn: Makefile distinfo
   	pkgsrc/net/openvpn/files: openvpn.sh

   Log Message:
   Security update to version 2.0.5.

   Changes:

   2.0.5:
   ======
   - Fixed bug in Linux get_default_gateway function
     introduced in 2.0.4, which would cause redirect-gateway
     on Linux clients to fail.
   - Restored easy-rsa/2.0 tree (backported from 2.1 beta
     series) which accidentally disappeared in
     2.0.2 -> 2.0.4 transition.

   2.0.4:
   ======
   - Security fix -- Affects non-Windows OpenVPN clients of
     version 2.0 or higher which connect to a malicious or
     compromised server.  A format string vulnerability
     in the foreign_option function in options.c could
     potentially allow a malicious or compromised server
     to execute arbitrary code on the client.  Only
     non-Windows clients are affected.  The vulnerability
     only exists if (a) the client's TLS negotiation with
     the server succeeds, (b) the server is malicious or
     has been compromised such that it is configured to
     push a maliciously crafted options string to the client,
     and (c) the client indicates its willingness to accept
     pushed options from the server by having "pull" or
     "client" in its configuration file (Credit: Vade79).
     CVE-2005-3393
   - Security fix -- Potential DoS vulnerability on the
     server in TCP mode.  If the TCP server accept() call
     returns an error status, the resulting exception handler
     may attempt to indirect through a NULL pointer, causing
     a segfault.  Affects all OpenVPN 2.0 versions.
     CVE-2005-3409
   - Fix attempt of assertion at multi.c:1586 (note that
     this precise line number will vary across different
     versions of OpenVPN).
   - Added ".PHONY: plugin" to Makefile.am to work around
     "make dist" issue.
   - Fixed double fork issue that occurs when --management-hold
     is used.
   - Moved TUN/TAP read/write log messages from --verb 8 to 6.
   - Warn when multiple clients having the same common name or
     username usurp each other when --duplicate-cn is not used.
   - Modified Windows and Linux versions of get_default_gateway
     to return the route with the smallest metric
     if multiple 0.0.0.0/0.0.0.0 entries are present.

   2.0.3:
   ======
   - openvpn_plugin_abort_v1 function wasn't being properly
     registered on Windows.
   - Fixed a bug where --mode server --proto tcp-server --cipher none
     operation could cause tunnel packet truncation.

Revision 1.11 / (download) - annotate - [select for diffs], Thu Nov 3 14:31:19 2005 UTC (17 years, 4 months ago) by salo
Branch: MAIN
Changes since 1.10: +2 -4 lines
Diff to previous 1.10 (colored)

Security update to version 2.0.5.

Changes:

2.0.5:
======
- Fixed bug in Linux get_default_gateway function
  introduced in 2.0.4, which would cause redirect-gateway
  on Linux clients to fail.
- Restored easy-rsa/2.0 tree (backported from 2.1 beta
  series) which accidentally disappeared in
  2.0.2 -> 2.0.4 transition.

2.0.4:
======
- Security fix -- Affects non-Windows OpenVPN clients of
  version 2.0 or higher which connect to a malicious or
  compromised server.  A format string vulnerability
  in the foreign_option function in options.c could
  potentially allow a malicious or compromised server
  to execute arbitrary code on the client.  Only
  non-Windows clients are affected.  The vulnerability
  only exists if (a) the client's TLS negotiation with
  the server succeeds, (b) the server is malicious or
  has been compromised such that it is configured to
  push a maliciously crafted options string to the client,
  and (c) the client indicates its willingness to accept
  pushed options from the server by having "pull" or
  "client" in its configuration file (Credit: Vade79).
  CVE-2005-3393
- Security fix -- Potential DoS vulnerability on the
  server in TCP mode.  If the TCP server accept() call
  returns an error status, the resulting exception handler
  may attempt to indirect through a NULL pointer, causing
  a segfault.  Affects all OpenVPN 2.0 versions.
  CVE-2005-3409
- Fix attempt of assertion at multi.c:1586 (note that
  this precise line number will vary across different
  versions of OpenVPN).
- Added ".PHONY: plugin" to Makefile.am to work around
  "make dist" issue.
- Fixed double fork issue that occurs when --management-hold
  is used.
- Moved TUN/TAP read/write log messages from --verb 8 to 6.
- Warn when multiple clients having the same common name or
  username usurp each other when --duplicate-cn is not used.
- Modified Windows and Linux versions of get_default_gateway
  to return the route with the smallest metric
  if multiple 0.0.0.0/0.0.0.0 entries are present.

2.0.3:
======
- openvpn_plugin_abort_v1 function wasn't being properly
  registered on Windows.
- Fixed a bug where --mode server --proto tcp-server --cipher none
  operation could cause tunnel packet truncation.

Revision 1.10 / (download) - annotate - [select for diffs], Sun Sep 18 03:11:39 2005 UTC (17 years, 6 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2005Q3-base
Branch point for: pkgsrc-2005Q3
Changes since 1.9: +2 -1 lines
Diff to previous 1.9 (colored)

Add a "reset" action to the openvpn rc.d script which triggers a
SIGUSR1 reset of the openvpn process.  This is useful for simplifying
dhclient-exit-hooks hook scripts that need to tell the openvpn process
to reset and re-run its "up" script.

Bump the PKGREVISION of net/openvpn to 1.

Revision 1.9 / (download) - annotate - [select for diffs], Thu Sep 1 03:40:42 2005 UTC (17 years, 6 months ago) by jlam
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)

Update net/openvpn to 2.0.2.  Changes from version 2.0.1 include:

* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
  version of get_default_gateway.  Allocated socket for route
  manipulation is never freed so number of mbufs continuously
  grow and exhaust system resources after a while (Jaroslav Klaus).

* Fixed bug where "--proto tcp-server --mode p2p --management
  host port" would cause the management port to not respond until
  the OpenVPN peer connects.

Revision 1.8 / (download) - annotate - [select for diffs], Wed Aug 17 19:55:57 2005 UTC (17 years, 7 months ago) by jlam
Branch: MAIN
Changes since 1.7: +69 -21 lines
Diff to previous 1.7 (colored)

Update net/openvpn to version 2.0.1.  Major changes from version 1.6.0
include:

    Adding a highly scalable server for handling multiple TCP/UDP
    clients over point-to-point TUN interfaces, all using a single
    port number.  The server has been designed so that it can run with
    reduced privilege.

    On the client side, "pull" has been added, which basically says
    "accept certain config file options which the server pushes back
    to you." The major win of the push/pull capability is that the
    same client configuration file can be used on each client provided
    each client has its own set of SSL/TLS keys which have been signed
    by the master CA.

    A management interface has been developed which can be used to
    remotely control or centrally manage an OpenVPN daemon.

    "remote" can now specify a set of machines, or a hostname can be
    configured with multiple addresses in DNS.  A server will be
    randomly chosen from the list, and if the connect fails, another
    will be tried (see the "remote-random" option)

    A package for easy RSA key management (easy-rsa-2.0rc1) has been
    included to aid in generating SSL keys and certificates for use
    with OpenVPN.

Revision 1.7 / (download) - annotate - [select for diffs], Mon Apr 11 21:46:53 2005 UTC (17 years, 11 months ago) by tv
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base, pkgsrc-2005Q2
Changes since 1.6: +1 -2 lines
Diff to previous 1.6 (colored)

Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.

Revision 1.6 / (download) - annotate - [select for diffs], Mon Feb 21 23:26:24 2005 UTC (18 years, 1 month ago) by bad
Branch: MAIN
CVS Tags: pkgsrc-2005Q1-base, pkgsrc-2005Q1
Changes since 1.5: +2 -3 lines
Diff to previous 1.5 (colored)

Update openvpn to 1.6.0.
While here port it properly so that the route statements in the configuration
file work.  Also add patches so that der Mouse's if_tap driver can be used.

Changes since 1.5.0:

2004.05.09 -- Version 1.6.0

* Unchanged from 1.6-rc4 except for version number
  upgrade.

2004.04.01 -- Version 1.6-rc4

* Made minor customizations to devcon and
  renamed as tapinstall.exe for Windows version.
* Fixed "storage size of `iv' isn't known" build
  problem on FreeBSD.
* OpenSSL 0.9.7d bundled with Windows self-install.

2004.03.13 -- Version 1.6-rc3

* Minor Windows fixes for --ip-win32 dynamic, relating to
  the way the TAP-Win32 driver responds to a DHCP request
  from the Windows DHCP client.
* The net_gateway environmental variable wasn't being
  set correctly for called scripts (Paul Zuber).
* Added code to determine the default gateway on FreeBSD,
  allowing the --redirect-gateway option to work
  (Juan Rodriguez Hervella).

2004.03.04 -- Version 1.6-rc2

* Fixed bug in Windows version where the NetBIOS node-type
  DHCP option might have been passed even if it was not
  specified.
* Fixed bug in Windows version introduced in 1.6-rc1, where
  DHCP timeout would be set to 0 seconds if --ifconfig option
  was used and --ip-win32 option was not explicitly specified.
* Added some new --dhcp-option types for Windows version.

2004.03.02 -- Version 1.6-rc1

* For Windows, make "--ip-win32 dynamic" the default.
* For Windows, make "--route-delay 10" the default
  unless --ip-win32 dynamic is not used or --route-delay
  is explicitly specified.
* L_TLS mutex could have been left in a locked state
  for certain kinds of TLS errors.

2004.02.22 -- Version 1.6-beta7

* Allow scheduling priority increase (--nice) together
  with UID/GID downgrade (--user/--group).
* Code that causes SIGUSR1 restart on TLS errors in TCP
  mode was not activated in pthread builds.
* Save the certificate serial number in an environmental
  variable called tls_serial_{n} prior to calling the
  --tls-verify script.  n is the current cert chain level.
* Added NetBSD IPv6 tunnel capability (also requires
  a kernel patch) (Horst Laschinsky).
* Fixed bug in checking the return value of the nice()
  function (Ian Pilcher).
* Bug fix in new FreeBSD IPv6 over TUN code which was
  originally added in 1.6-beta5 (Nathanael Rensen).
* More Socks5 fixes -- extended the struct frame
  infrastructure to accomodate proxy-based encapsulation
  overhead.
* Added --dhcp-option to Windows version for setting
  adapter properties such as WINS & DNS servers.
* Use a default route-delay of 5 seconds when
  --ip-win32 dynamic is specified (only applicable when
  --route-delay is not explicitly specified).
* Added "log_append" registry variable to control
  whether the OpenVPN service wrapper on Windows
  opens log files in append (log_append="1") or
  truncate (log_append="0") mode.  The default
  is truncate.

2004.02.05 -- Version 1.6-beta6

* UDP over Socks5 fix to accomodate Socks5 encapsulation
  overhead (Christof Meerwald).
* Minor --ip-win32 dynamic tweaks (use long lease time,
  invalidate existing lease with DHCPNAK).

2004.02.01 -- Version 1.6-beta5

* Added Socks5 proxy support (Christof Meerwald).
* IPv6 tun support for FreeBSD (Thomas Glanzmann).
* Special TAP-Win32 debug mode for Windows self-install that was
  enabled in beta4 is now turned off.
* Added some new Solaris notes to INSTALL (Koen Maris).
* More work on --ip-win32 dynamic.

2004.01.27 -- Version 1.6-beta4

* For this beta, the Windows self-install is a debug version
  and will run slower -- use only for testing.
* Reverted the --ip-win32 default back to 'ipapi'
  from 'dynamic'.
* Added the offset parameter to '--ip-win32 dynamic' which
  can be used to control the address of the masqueraded
  DHCP server which replies to Windows DHCP requests.
* Added a wait/nowait option to --inetd (nowait can only
  be used with TCP sockets, TLS authentication, and over
  a bridged configuration -- see FAQ for more info)
  (Stefan `Sec` Zehl).
* Added a build-time capability where TAP-Win32 driver
  debug messages can be output by OpenVPN at --verb 6
  or higher.

2004.01.20 -- Version 1.6-beta2

* Added ./configure --enable-iproute2 flag which
  uses iproute2 instead of route + ifconfig --
  this is necessary for the LEAF Linux distro
  (Martin Hejl).
* Added renewal-time and rebind-time to set of
  DHCP options returned by the TAP-Win32 driver when
  "--ip-win32 dynamic" is used.

2004.01.14 -- Version 1.6-beta1

* Fixed --proxy bug that sometimes caused plaintext
  control info generated by the proxy prior to http
  CONNECT method establishment to be incorrectly
  parsed as OpenVPN data.
* For Windows version, implemented the
  "--ip-win32 dynamic" method and made it the default.
  This method sets the TAP-Win32 adapter IP address
  and netmask by replying to the kernel's DHCP queries.
  See the man page for more detailed info.
* Added --connect-retry parameter which controls
  the time interval (in seconds) between connect()
  retries when --proto tcp-client is used.  Previously,
  this value was hardcoded to 5 seconds, and still
  defaults as such.
* --resolv-retry can now be used with a parameter
  of "infinite" to retry indefinitely.
* Added SSL_CTX_use_certificate_chain_file() to ssl.c
  for support of multi-level certificate chains
  (Sten Kalenda).
* Fixed --tls-auth incompatibility with 1.4.x and earlier
  versions of OpenVPN when the passphrase file is an
  OpenVPN static key file (as generated by --genkey).
* Added shell-escape support in config files using
  the backslash character ("\") so that (for example)
  double quotes can be passed to the shell.
* Added "contrib" subdirectory on tarball, source zip,
  and CVS containing user-submitted contributions.
* Added an optional patch to the Redhat init script to
  allow the configuration file directory to be a
  multi-level directory hierarchy (Farkas Levente).
  See contrib/multilevel-init.patch
* Added some scripts and documentation on using
  Linux "fwmark" iptables rules to enable
  fine-grained routing control over the VPN
  (Sean Reifschneider, <jafo@tummy.com>).
  See contrib/openvpn-fwmarkroute-1.00

Revision 1.5 / (download) - annotate - [select for diffs], Sun Oct 3 00:17:57 2004 UTC (18 years, 5 months ago) by tv
Branch: MAIN
CVS Tags: pkgsrc-2004Q4-base, pkgsrc-2004Q4
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored)

Libtool fix for PR pkg/26633, and other issues.  Update libtool to 1.5.10
in the process.  (More information on tech-pkg.)

Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.

Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.

Revision 1.4 / (download) - annotate - [select for diffs], Sun Apr 11 07:23:57 2004 UTC (18 years, 11 months ago) by snj
Branch: MAIN
CVS Tags: pkgsrc-2004Q3-base, pkgsrc-2004Q3, pkgsrc-2004Q2-base, pkgsrc-2004Q2
Changes since 1.3: +4 -4 lines
Diff to previous 1.3 (colored)

Convert to buildlink3.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Mar 26 02:27:48 2004 UTC (19 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2004Q1-base, pkgsrc-2004Q1
Changes since 1.2: +2 -1 lines
Diff to previous 1.2 (colored)

PKGREVISION bump after openssl-security-fix-update to 0.9.6m.
Buildlink files: RECOMMENDED version changed to current version.

Revision 1.2 / (download) - annotate - [select for diffs], Thu Feb 12 23:11:12 2004 UTC (19 years, 1 month ago) by xtraeme
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1 (colored)

MAINTAINER should be tech-pkg@ not packages@...

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Tue Feb 10 12:39:17 2004 UTC (19 years, 1 month ago) by wulf
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

Initial commit of openvpn-1.5.0: A robust and highly configurable VPN

Revision 1.1 / (download) - annotate - [select for diffs], Tue Feb 10 12:39:17 2004 UTC (19 years, 1 month ago) by wulf
Branch: MAIN

Initial revision

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>