commit: e114ec7d2cbb740f029a5d7cb9c1457f45c129eb Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> AuthorDate: Fri May 22 11:40:42 2015 +0000 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> CommitDate: Fri May 22 11:40:42 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=e114ec7d
net-misc/openvpn: bug #548886. Package-Manager: portage-2.2.18 RepoMan-Options: --force Manifest-Sign-Key: 0xF52D4BBA .../openvpn/files/2.3.6-disable-compression.patch | 18 +++ net-misc/openvpn/files/2.3.6-musl-compat.patch | 14 +++ net-misc/openvpn/files/2.3.6-null-cipher.patch | 46 +++++++ net-misc/openvpn/files/65openvpn | 1 + net-misc/openvpn/files/down.sh | 33 +++++ net-misc/openvpn/files/openvpn-2.1.conf | 18 +++ net-misc/openvpn/files/openvpn-2.1.init | 133 ++++++++++++++++++++ net-misc/openvpn/files/openvpn.init | 63 ++++++++++ net-misc/openvpn/files/openvpn.service | 12 ++ net-misc/openvpn/files/openvpn.tmpfile | 1 + net-misc/openvpn/files/up.sh | 100 +++++++++++++++ net-misc/openvpn/metadata.xml | 22 ++++ net-misc/openvpn/openvpn-2.3.6-r99.ebuild | 137 +++++++++++++++++++++ net-misc/openvpn/openvpn-9999.ebuild | 126 +++++++++++++++++++ 14 files changed, 724 insertions(+) diff --git a/net-misc/openvpn/files/2.3.6-disable-compression.patch b/net-misc/openvpn/files/2.3.6-disable-compression.patch new file mode 100644 index 0000000..d9d1c76 --- /dev/null +++ b/net-misc/openvpn/files/2.3.6-disable-compression.patch @@ -0,0 +1,18 @@ +https://community.openvpn.net/openvpn/changeset/5d5233778868ddd568140c394adfcfc8e3453245/ + +--- openvpn-2.3.6/src/openvpn/ssl_openssl.c.orig 2014-11-29 23:00:35.000000000 +0800 ++++ openvpn-2.3.6/src/openvpn/ssl_openssl.c 2015-01-12 21:14:30.186993686 +0800 +@@ -238,6 +238,13 @@ + if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2) + sslopt |= SSL_OP_NO_TLSv1_2; + #endif ++ ++#ifdef SSL_OP_NO_COMPRESSION ++ msg (M_WARN, "[Workaround] disable SSL compression"); ++ sslopt |= SSL_OP_NO_COMPRESSION; ++#endif ++ ++ + SSL_CTX_set_options (ctx->ctx, sslopt); + } + diff --git a/net-misc/openvpn/files/2.3.6-musl-compat.patch b/net-misc/openvpn/files/2.3.6-musl-compat.patch new file mode 100644 index 0000000..9b1289b --- /dev/null +++ b/net-misc/openvpn/files/2.3.6-musl-compat.patch @@ -0,0 +1,14 @@ +diff -Naur openvpn-2.3.6.orig/src/openvpn/syshead.h openvpn-2.3.6/src/openvpn/syshead.h +--- openvpn-2.3.6.orig/src/openvpn/syshead.h 2014-11-29 16:00:35.000000000 +0100 ++++ openvpn-2.3.6/src/openvpn/syshead.h 2015-05-08 00:42:34.171634884 +0200 +@@ -214,10 +214,6 @@ + + #ifdef TARGET_LINUX + +-#if defined(HAVE_NETINET_IF_ETHER_H) +-#include <netinet/if_ether.h> +-#endif +- + #ifdef HAVE_LINUX_IF_TUN_H + #include <linux/if_tun.h> + #endif diff --git a/net-misc/openvpn/files/2.3.6-null-cipher.patch b/net-misc/openvpn/files/2.3.6-null-cipher.patch new file mode 100644 index 0000000..1e831cf --- /dev/null +++ b/net-misc/openvpn/files/2.3.6-null-cipher.patch @@ -0,0 +1,46 @@ +The "really fix cipher none" patch has been merged to release/2.3 and master: + +commit 785838614afc20d362b64907b0212e9a779e2287 (release/2.3) +commit 98156e90e1e83133a6a6a020db8e7333ada6156b (master) + +diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h +index 8749878..4e45df0 100644 +--- a/src/openvpn/crypto_backend.h ++++ b/src/openvpn/crypto_backend.h +@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *cipher_kt); + * + * @return true iff the cipher is a CBC mode cipher. + */ +-bool cipher_kt_mode_cbc(const cipher_kt_t *cipher) +- __attribute__((nonnull)); ++bool cipher_kt_mode_cbc(const cipher_kt_t *cipher); + + /** + * Check if the supplied cipher is a supported OFB or CFB mode cipher. +@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_t *cipher) + * + * @return true iff the cipher is a OFB or CFB mode cipher. + */ +-bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) +- __attribute__((nonnull)); ++bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher); + + + /** +diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh +index 8f88ad9..d7792cd 100755 +--- a/tests/t_lpback.sh ++++ b/tests/t_lpback.sh +@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \ + # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5) + CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' ) + ++# Also test cipher 'none' ++CIPHERS=${CIPHERS}$(printf "\nnone") ++ + "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$ + set +e + +-- +1.9.1 + diff --git a/net-misc/openvpn/files/65openvpn b/net-misc/openvpn/files/65openvpn new file mode 100644 index 0000000..4ddb034 --- /dev/null +++ b/net-misc/openvpn/files/65openvpn @@ -0,0 +1 @@ +CONFIG_PROTECT="/usr/share/openvpn/easy-rsa" diff --git a/net-misc/openvpn/files/down.sh b/net-misc/openvpn/files/down.sh new file mode 100755 index 0000000..1c70db0 --- /dev/null +++ b/net-misc/openvpn/files/down.sh @@ -0,0 +1,33 @@ +#!/bin/sh +# Copyright (c) 2006-2007 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# Contributed by Roy Marples ([email protected]) + +# If we have a service specific script, run this now +if [ -x /etc/openvpn/"${SVCNAME}"-down.sh ] ; then + /etc/openvpn/"${SVCNAME}"-down.sh "$@" +fi + +# Restore resolv.conf to how it was +if [ "${PEER_DNS}" != "no" ]; then + if [ -x /sbin/resolvconf ] ; then + /sbin/resolvconf -d "${dev}" + elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then + # Important that we copy instead of move incase resolv.conf is + # a symlink and not an actual file + cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf + rm -f /etc/resolv.conf-"${dev}".sv + fi +fi + +if [ -n "${SVCNAME}" ]; then + # Re-enter the init script to start any dependant services + if /etc/init.d/"${SVCNAME}" --quiet status ; then + export IN_BACKGROUND=true + /etc/init.d/"${SVCNAME}" --quiet stop + fi +fi + +exit 0 + +# vim: ts=4 : diff --git a/net-misc/openvpn/files/openvpn-2.1.conf b/net-misc/openvpn/files/openvpn-2.1.conf new file mode 100644 index 0000000..72510c3 --- /dev/null +++ b/net-misc/openvpn/files/openvpn-2.1.conf @@ -0,0 +1,18 @@ +# OpenVPN automatically creates an /etc/resolv.conf (or sends it to +# resolvconf) if given DNS information by the OpenVPN server. +# Set PEER_DNS="no" to stop this. +PEER_DNS="yes" + +# OpenVPN can run in many modes. Most people will want the init script +# to automatically detect the mode and try and apply a good default +# configuration and setup scripts. However, there are cases where the +# OpenVPN configuration looks like a client, but it's really a peer or +# something else. DETECT_CLIENT controls this behaviour. +DETECT_CLIENT="yes" + +# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn +# init script (ie, it first becomes "inactive" and the script then starts the +# script again to make it "started") then you can state this below. +# In other words, unless you understand service dependencies and are a +# competent shell scripter, don't set this. +RE_ENTER="no" diff --git a/net-misc/openvpn/files/openvpn-2.1.init b/net-misc/openvpn/files/openvpn-2.1.init new file mode 100755 index 0000000..d65e6f8 --- /dev/null +++ b/net-misc/openvpn/files/openvpn-2.1.init @@ -0,0 +1,133 @@ +#!/sbin/runscript +# Copyright 1999-2007 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +VPNDIR=${VPNDIR:-/etc/openvpn} +VPN=${SVCNAME#*.} +if [ -n "${VPN}" ] && [ ${SVCNAME} != "openvpn" ]; then + VPNPID="/var/run/openvpn.${VPN}.pid" +else + VPNPID="/var/run/openvpn.pid" +fi +VPNCONF="${VPNDIR}/${VPN}.conf" + +depend() { + need localmount net + use dns + after bootmisc +} + +checkconfig() { + # Linux has good dynamic tun/tap creation + if [ $(uname -s) = "Linux" ] ; then + if [ ! -e /dev/net/tun ]; then + if ! modprobe tun ; then + eerror "TUN/TAP support is not available" \ + "in this kernel" + return 1 + fi + fi + if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then + ebegin "Detected broken /dev/net/tun symlink, fixing..." + rm -f /dev/net/tun + ln -s /dev/misc/net/tun /dev/net/tun + eend $? + fi + return 0 + fi + + # Other OS's don't, so we rely on a pre-configured interface + # per vpn instance + local ifname=$(sed -n -e 's/[[:space:]]*dev[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${VPNCONF}") + if [ -z ${ifname} ] ; then + eerror "You need to specify the interface that this openvpn" \ + "instance should use" \ + "by using the dev option in ${VPNCONF}" + return 1 + fi + + if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then + # Try and create it + echo > /dev/"${ifname}" >/dev/null + fi + if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then + eerror "${VPNCONF} requires interface ${ifname}" \ + "but that does not exist" + return 1 + fi +} + +start() { + # If we are re-called by the openvpn gentoo-up.sh script + # then we don't actually want to start openvpn + [ "${IN_BACKGROUND}" = "true" ] && return 0 + + ebegin "Starting ${SVCNAME}" + + checkconfig || return 1 + + local args="" reenter=${RE_ENTER:-no} + # If the config file does not specify the cd option, we do + # But if we specify it, we override the config option which we do not want + if ! grep -q "^[ ]*cd[ ].*" "${VPNCONF}" ; then + args="${args} --cd ${VPNDIR}" + fi + + # We mark the service as inactive and then start it. + # When we get an authenticated packet from the peer then we run our script + # which configures our DNS if any and marks us as up. + if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \ + grep -q "^[ ]*remote[ ].*" "${VPNCONF}" ; then + reenter="yes" + args="${args} --up-delay --up-restart" + args="${args} --script-security 2" + args="${args} --up /etc/openvpn/up.sh" + args="${args} --down-pre --down /etc/openvpn/down.sh" + + # Warn about setting scripts as we override them + if grep -Eq "^[ ]*(up|down)[ ].*" "${VPNCONF}" ; then + ewarn "WARNING: You have defined your own up/down scripts" + ewarn "As you're running as a client, we now force Gentoo specific" + ewarn "scripts to be run for up and down events." + ewarn "These scripts will call /etc/openvpn/${SVCNAME}-{up,down}.sh" + ewarn "where you can put your own code." + fi + + # Warn about the inability to change ip/route/dns information when + # dropping privs + if grep -q "^[ ]*user[ ].*" "${VPNCONF}" ; then + ewarn "WARNING: You are dropping root privileges!" + ewarn "As such openvpn may not be able to change ip, routing" + ewarn "or DNS configuration." + fi + else + # So we're a server. Run as openvpn unless otherwise specified + grep -q "^[ ]*user[ ].*" "${VPNCONF}" || args="${args} --user openvpn" + grep -q "^[ ]*group[ ].*" "${VPNCONF}" || args="${args} --group openvpn" + fi + + # Ensure that our scripts get the PEER_DNS variable + [ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}" + + [ "${reenter}" = "yes" ] && mark_service_inactive "${SVCNAME}" + start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \ + -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \ + --setenv SVCNAME "${SVCNAME}" ${args} + eend $? "Check your logs to see why startup failed" +} + +stop() { + # If we are re-called by the openvpn gentoo-down.sh script + # then we don't actually want to stop openvpn + if [ "${IN_BACKGROUND}" = "true" ] ; then + mark_service_inactive "${SVCNAME}" + return 0 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --quiet \ + --exec /usr/sbin/openvpn --pidfile "${VPNPID}" + eend $? +} + +# vim: set ts=4 : diff --git a/net-misc/openvpn/files/openvpn.init b/net-misc/openvpn/files/openvpn.init new file mode 100644 index 0000000..489ab49 --- /dev/null +++ b/net-misc/openvpn/files/openvpn.init @@ -0,0 +1,63 @@ +#!/sbin/runscript +# Copyright 1999-2007 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +VPNDIR="/etc/openvpn" +VPN="${SVCNAME#*.}" +if [ -n "${VPN}" ] && [ "${SVCNAME}" != "openvpn" ]; then + VPNPID="/var/run/openvpn.${VPN}.pid" +else + VPNPID="/var/run/openvpn.pid" +fi +VPNCONF="${VPNDIR}/${VPN}.conf" + +depend() { + need localmount net + before netmount + after bootmisc +} + +checktundevice() { + if [ ! -e /dev/net/tun ]; then + if ! modprobe tun ; then + eerror "TUN/TAP support is not available in this kernel" + return 1 + fi + fi + if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then + ebegin "Detected broken /dev/net/tun symlink, fixing..." + rm -f /dev/net/tun + ln -s /dev/misc/net/tun /dev/net/tun + eend $? + fi +} + +start() { + ebegin "Starting ${SVCNAME}" + + checktundevice || return 1 + + if [ ! -e "${VPNCONF}" ]; then + eend 1 "${VPNCONF} does not exist" + return 1 + fi + + local args="" + # If the config file does not specify the cd option, we do + # But if we specify it, we override the config option which we do not want + if ! grep -q "^[ ]*cd[ ].*" "${VPNCONF}" ; then + args="${args} --cd ${VPNDIR}" + fi + + start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \ + -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon ${args} + eend $? "Check your logs to see why startup failed" +} + +stop() { + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec /usr/sbin/openvpn --pidfile "${VPNPID}" + eend $? +} + +# vim: ts=4 diff --git a/net-misc/openvpn/files/openvpn.service b/net-misc/openvpn/files/openvpn.service new file mode 100644 index 0000000..358dcb7 --- /dev/null +++ b/net-misc/openvpn/files/openvpn.service @@ -0,0 +1,12 @@ +[Unit] +Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I +After=syslog.target network.target + +[Service] +PrivateTmp=true +Type=forking +PIDFile=/var/run/openvpn/%i.pid +ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openvpn/files/openvpn.tmpfile b/net-misc/openvpn/files/openvpn.tmpfile new file mode 100644 index 0000000..d5fca71 --- /dev/null +++ b/net-misc/openvpn/files/openvpn.tmpfile @@ -0,0 +1 @@ +D /var/run/openvpn 0710 root openvpn - diff --git a/net-misc/openvpn/files/up.sh b/net-misc/openvpn/files/up.sh new file mode 100755 index 0000000..6ce82d6 --- /dev/null +++ b/net-misc/openvpn/files/up.sh @@ -0,0 +1,100 @@ +#!/bin/sh +# Copyright (c) 2006-2007 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# Contributed by Roy Marples ([email protected]) + +# Setup our resolv.conf +# Vitally important that we use the domain entry in resolv.conf so we +# can setup the nameservers are for the domain ONLY in resolvconf if +# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc. +# nscd/libc users will get the VPN nameservers before their other ones +# and will use the first one that responds - maybe the LAN ones? +# non resolvconf users just the the VPN resolv.conf + +# FIXME:- if we have >1 domain, then we have to use search :/ +# We need to add a flag to resolvconf to say +# "these nameservers should only be used for the listed search domains +# if other global nameservers are present on other interfaces" +# This however, will break compatibility with Debians resolvconf +# A possible workaround would be to just list multiple domain lines +# and try and let resolvconf handle it + +min_route() { + local n=1 + local m + local r + + eval m="\$route_metric_$n" + while [ -n "${m}" ]; do + if [ -z "$r" ] || [ "$r" -gt "$m" ]; then + r="$m" + fi + n="$(($n+1))" + eval m="\$route_metric_$n" + done + + echo "$r" +} + +if [ "${PEER_DNS}" != "no" ]; then + NS= + DOMAIN= + SEARCH= + i=1 + while true ; do + eval opt=\$foreign_option_${i} + [ -z "${opt}" ] && break + if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then + if [ -z "${DOMAIN}" ] ; then + DOMAIN="${opt#dhcp-option DOMAIN *}" + else + SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}" + fi + elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then + NS="${NS}nameserver ${opt#dhcp-option DNS *}\n" + fi + i=$((${i} + 1)) + done + + if [ -n "${NS}" ] ; then + DNS="# Generated by openvpn for interface ${dev}\n" + if [ -n "${SEARCH}" ] ; then + DNS="${DNS}search ${DOMAIN} ${SEARCH}\n" + elif [ -n "${DOMAIN}" ]; then + DNS="${DNS}domain ${DOMAIN}\n" + fi + DNS="${DNS}${NS}" + if [ -x /sbin/resolvconf ] ; then + metric="$(min_route)" + printf "${DNS}" | /sbin/resolvconf -a "${dev}" ${metric:+-m ${metric}} + else + # Preserve the existing resolv.conf + if [ -e /etc/resolv.conf ] ; then + cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv + fi + printf "${DNS}" > /etc/resolv.conf + chmod 644 /etc/resolv.conf + fi + fi +fi + +# Below section is Gentoo specific +# Quick summary - our init scripts are re-entrant and set the SVCNAME env var +# as we could have >1 openvpn service + +if [ -n "${SVCNAME}" ]; then + # If we have a service specific script, run this now + if [ -x /etc/openvpn/"${SVCNAME}"-up.sh ] ; then + /etc/openvpn/"${SVCNAME}"-up.sh "$@" + fi + + # Re-enter the init script to start any dependant services + if ! /etc/init.d/"${SVCNAME}" --quiet status ; then + export IN_BACKGROUND=true + /etc/init.d/${SVCNAME} --quiet start + fi +fi + +exit 0 + +# vim: ts=4 : diff --git a/net-misc/openvpn/metadata.xml b/net-misc/openvpn/metadata.xml new file mode 100644 index 0000000..ef30850 --- /dev/null +++ b/net-misc/openvpn/metadata.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";> +<pkgmetadata> + <maintainer> + <email>[email protected]</email> + <name>Dirkjan Ochtman</name> + </maintainer> + <longdescription>OpenVPN is an easy-to-use, robust and highly +configurable VPN daemon which can be used to securely link two or more +networks using an encrypted tunnel.</longdescription> + <use> + <flag name="down-root">Enable the down-root plugin</flag> + <flag name="iproute2">Enabled iproute2 support instead of net-tools</flag> + <flag name="passwordsave">Enables openvpn to save passwords</flag> + <flag name="polarssl">Use PolarSSL instead of OpenSSL</flag> + <flag name="pkcs11">Enable PKCS#11 smartcard support</flag> + <flag name="plugins">Enable the OpenVPN plugin system</flag> + </use> + <upstream> + <remote-id type="cpe">cpe:/a:openvpn:openvpn</remote-id> + </upstream> +</pkgmetadata> diff --git a/net-misc/openvpn/openvpn-2.3.6-r99.ebuild b/net-misc/openvpn/openvpn-2.3.6-r99.ebuild new file mode 100644 index 0000000..ebb4c70 --- /dev/null +++ b/net-misc/openvpn/openvpn-2.3.6-r99.ebuild @@ -0,0 +1,137 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/openvpn-2.3.6-r2.ebuild,v 1.1 2015/02/17 18:46:07 djc Exp $ + +EAPI=4 + +inherit multilib autotools flag-o-matic user systemd + +DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes" +SRC_URI="http://swupdate.openvpn.net/community/releases/${P}.tar.gz"; +HOMEPAGE="http://openvpn.net/"; + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="amd64 arm ~mips ppc x86" +IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins +polarssl selinux +ssl systemd +lzo static userland_BSD" + +REQUIRED_USE="static? ( !plugins !pkcs11 ) + polarssl? ( ssl ) + pkcs11? ( ssl ) + !plugins? ( !pam !down-root )" + +DEPEND=" + kernel_linux? ( + iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools ) + ) + pam? ( virtual/pam ) + ssl? ( + !polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 ) + ) + lzo? ( >=dev-libs/lzo-1.07 ) + pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-openvpn ) +" + +src_prepare() { + # Set correct pass to systemd-ask-password binary + sed -i "s:\(/bin/systemd-ask-password\):/usr\1:" ./src/openvpn/console.c || die + epatch "${FILESDIR}/2.3.6-null-cipher.patch" || die + epatch "${FILESDIR}/2.3.6-disable-compression.patch" || die + epatch "${FILESDIR}/2.3.6-musl-compat.patch" || die + eautoreconf +} + +src_configure() { + use static && LDFLAGS="${LDFLAGS} -Xcompiler -static" + local myconf + echo "DROPPY" + use polarssl && echo "FLOZZY" + use polarssl && myconf="--with-crypto-library=polarssl" + econf \ + ${myconf} \ + --docdir="${EPREFIX}/usr/share/doc/${PF}" \ + --with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \ + $(use_enable passwordsave password-save) \ + $(use_enable ssl) \ + $(use_enable ssl crypto) \ + $(use_enable lzo) \ + $(use_enable pkcs11) \ + $(use_enable plugins) \ + $(use_enable iproute2) \ + $(use_enable pam plugin-auth-pam) \ + $(use_enable down-root plugin-down-root) \ + $(use_enable systemd) +} + +src_install() { + default + find "${ED}/usr" -name '*.la' -delete + # install documentation + dodoc AUTHORS ChangeLog PORTS README README.IPv6 + + # Install some helper scripts + keepdir /etc/openvpn + exeinto /etc/openvpn + doexe "${FILESDIR}/up.sh" + doexe "${FILESDIR}/down.sh" + + # Install the init script and config file + newinitd "${FILESDIR}/${PN}-2.1.init" openvpn + newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn + + # install examples, controlled by the respective useflag + if use examples ; then + # dodoc does not supportly support directory traversal, #15193 + insinto /usr/share/doc/${PF}/examples + doins -r sample contrib + fi + + systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf + systemd_newunit "${FILESDIR}"/${PN}.service '[email protected]' +} + +pkg_postinst() { + # Add openvpn user so openvpn servers can drop privs + # Clients should run as root so they can change ip addresses, + # dns information and other such things. + enewgroup openvpn + enewuser openvpn "" "" "" openvpn + + if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then + ewarn "WARNING: The openvpn init script has changed" + ewarn "" + fi + + elog "The openvpn init script expects to find the configuration file" + elog "openvpn.conf in /etc/openvpn along with any extra files it may need." + elog "" + elog "To create more VPNs, simply create a new .conf file for it and" + elog "then create a symlink to the openvpn init script from a link called" + elog "openvpn.newconfname - like so" + elog " cd /etc/openvpn" + elog " ${EDITOR##*/} foo.conf" + elog " cd /etc/init.d" + elog " ln -s openvpn openvpn.foo" + elog "" + elog "You can then treat openvpn.foo as any other service, so you can" + elog "stop one vpn and start another if you need to." + + if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then + ewarn "" + ewarn "WARNING: If you use the remote keyword then you are deemed to be" + ewarn "a client by our init script and as such we force up,down scripts." + ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you" + ewarn "can move your scripts to." + fi + + if use plugins ; then + einfo "" + einfo "plugins have been installed into /usr/$(get_libdir)/${PN}" + fi + + einfo "" + einfo "OpenVPN 2.3.x no longer includes the easy-rsa suite of utilities." + einfo "They can now be emerged via app-crypt/easy-rsa." +} diff --git a/net-misc/openvpn/openvpn-9999.ebuild b/net-misc/openvpn/openvpn-9999.ebuild new file mode 100644 index 0000000..408b395 --- /dev/null +++ b/net-misc/openvpn/openvpn-9999.ebuild @@ -0,0 +1,126 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/openvpn-9999.ebuild,v 1.8 2014/11/02 09:13:00 swift Exp $ + +EAPI=4 + +inherit multilib autotools flag-o-matic user git-2 + +DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes" +EGIT_REPO_URI="https://github.com/OpenVPN/${PN}.git"; +HOMEPAGE="http://openvpn.net/"; + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="" +IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins polarssl selinux +ssl +lzo static userland_BSD" + +REQUIRED_USE="static? ( !plugins !pkcs11 ) + polarssl? ( ssl ) + !plugins? ( !pam !down-root )" + +DEPEND=" + kernel_linux? ( + iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools ) + ) + pam? ( virtual/pam ) + ssl? ( + !polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.1.0 ) + ) + lzo? ( >=dev-libs/lzo-1.07 ) + pkcs11? ( >=dev-libs/pkcs11-helper-1.05 )" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-openvpn ) +" + +src_prepare() { + eautoreconf +} + +src_configure() { + use static && LDFLAGS="${LDFLAGS} -Xcompiler -static" + local myconf + use polarssl && myconf="--with-crypto-library=polarssl" + econf \ + ${myconf} \ + --docdir="${EPREFIX}/usr/share/doc/${PF}" \ + --with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \ + $(use_enable passwordsave password-save) \ + $(use_enable ssl) \ + $(use_enable ssl crypto) \ + $(use_enable lzo) \ + $(use_enable pkcs11) \ + $(use_enable plugins) \ + $(use_enable iproute2) \ + $(use_enable pam plugin-auth-pam) \ + $(use_enable down-root plugin-down-root) +} + +src_install() { + default + find "${ED}/usr" -name '*.la' -delete + # install documentation + dodoc AUTHORS ChangeLog PORTS README README.IPv6 + + # Install some helper scripts + keepdir /etc/openvpn + exeinto /etc/openvpn + doexe "${FILESDIR}/up.sh" + doexe "${FILESDIR}/down.sh" + + # Install the init script and config file + newinitd "${FILESDIR}/${PN}-2.1.init" openvpn + newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn + + # install examples, controlled by the respective useflag + if use examples ; then + # dodoc does not supportly support directory traversal, #15193 + insinto /usr/share/doc/${PF}/examples + doins -r sample contrib + fi +} + +pkg_postinst() { + # Add openvpn user so openvpn servers can drop privs + # Clients should run as root so they can change ip addresses, + # dns information and other such things. + enewgroup openvpn + enewuser openvpn "" "" "" openvpn + + if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then + ewarn "WARNING: The openvpn init script has changed" + ewarn "" + fi + + elog "The openvpn init script expects to find the configuration file" + elog "openvpn.conf in /etc/openvpn along with any extra files it may need." + elog "" + elog "To create more VPNs, simply create a new .conf file for it and" + elog "then create a symlink to the openvpn init script from a link called" + elog "openvpn.newconfname - like so" + elog " cd /etc/openvpn" + elog " ${EDITOR##*/} foo.conf" + elog " cd /etc/init.d" + elog " ln -s openvpn openvpn.foo" + elog "" + elog "You can then treat openvpn.foo as any other service, so you can" + elog "stop one vpn and start another if you need to." + + if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then + ewarn "" + ewarn "WARNING: If you use the remote keyword then you are deemed to be" + ewarn "a client by our init script and as such we force up,down scripts." + ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you" + ewarn "can move your scripts to." + fi + + if use plugins ; then + einfo "" + einfo "plugins have been installed into /usr/$(get_libdir)/${PN}" + fi + + ewarn "" + ewarn "You are using a live ebuild building from the sources of openvpn" + ewarn "repository from http://openvpn.git.sourceforge.net. For reporting" + ewarn "bugs please contact: [email protected]." +}
