summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnthony G. Basile <blueness@gentoo.org>2015-05-22 07:40:42 -0400
committerAnthony G. Basile <blueness@gentoo.org>2015-05-22 07:40:42 -0400
commite114ec7d2cbb740f029a5d7cb9c1457f45c129eb (patch)
tree7dc816168512efed036d9eab661c25d6d2b26082
parent217a36b6a1e15413bee0f5a7a816a5e38223d824 (diff)
downloadhardened-dev-e114ec7d2cbb740f029a5d7cb9c1457f45c129eb.tar.gz
hardened-dev-e114ec7d2cbb740f029a5d7cb9c1457f45c129eb.tar.bz2
hardened-dev-e114ec7d2cbb740f029a5d7cb9c1457f45c129eb.tar.xz
hardened-dev-e114ec7d2cbb740f029a5d7cb9c1457f45c129eb.zip
net-misc/openvpn: bug #548886.
Package-Manager: portage-2.2.18 RepoMan-Options: --force Manifest-Sign-Key: 0xF52D4BBA
-rw-r--r--net-misc/openvpn/Manifest15
-rw-r--r--net-misc/openvpn/files/2.3.6-disable-compression.patch18
-rw-r--r--net-misc/openvpn/files/2.3.6-musl-compat.patch14
-rw-r--r--net-misc/openvpn/files/2.3.6-null-cipher.patch46
-rw-r--r--net-misc/openvpn/files/65openvpn1
-rwxr-xr-xnet-misc/openvpn/files/down.sh33
-rw-r--r--net-misc/openvpn/files/openvpn-2.1.conf18
-rwxr-xr-xnet-misc/openvpn/files/openvpn-2.1.init133
-rw-r--r--net-misc/openvpn/files/openvpn.init63
-rw-r--r--net-misc/openvpn/files/openvpn.service12
-rw-r--r--net-misc/openvpn/files/openvpn.tmpfile1
-rwxr-xr-xnet-misc/openvpn/files/up.sh100
-rw-r--r--net-misc/openvpn/metadata.xml22
-rw-r--r--net-misc/openvpn/openvpn-2.3.6-r99.ebuild137
-rw-r--r--net-misc/openvpn/openvpn-9999.ebuild126
15 files changed, 739 insertions, 0 deletions
diff --git a/net-misc/openvpn/Manifest b/net-misc/openvpn/Manifest
new file mode 100644
index 0000000..4c4ace6
--- /dev/null
+++ b/net-misc/openvpn/Manifest
@@ -0,0 +1,15 @@
+AUX 2.3.6-disable-compression.patch 579 SHA256 644068d1925a7b2866a4afaef15ebb27f5bbf1b55eed0894d34f7603c230bd9a SHA512 56acdd4716df4f6a0367fd583296718e30d3fa4b6b129159f61f913eba97769943a2354e9b51572314a206f68a20def091a89aec12bc942d94b05369128d3a97 WHIRLPOOL 1fb293d49f63a75cb772c262d9a55a6cb00be0f154387bf4fb3e9be1602038bd70348fad5f1a2b714fa7b45cbcd36a4db2c6f1441f3a00aff7d51732b3629708
+AUX 2.3.6-musl-compat.patch 433 SHA256 5837eef6d66b56ce9c0cb5fe93dac1a27900c085ab8a2e295c5a7b8fcae52e60 SHA512 ef002c1bff131924d8ca1ee41f10c3f274788c85fa122d2b9839bb571579fa836f1bcf865bcb8b825db21681ea7dd9290d796f7005690a2070f32439da105e0f WHIRLPOOL 482e1717c27b89ebd3d2294eea16d588a892ef984e947c0a06eb9c4924247af4a81f4877d6cd89d65840ff28ac8badd4bf5d7ee7b44889b4b8e465d3be1ca8fa
+AUX 2.3.6-null-cipher.patch 1531 SHA256 a3f8ac3630c9887d18d21e0ac9781d615cf8dff277c070306b36c5d0faa8a1ac SHA512 0aa288af3c0b43977bf84b099ea28dbf7ab9a1096d76e8f706989570984c70a4c298430eac35b0c80eab8bc05e6072d965c20a9e3689e7448e759abb92c93fb2 WHIRLPOOL cbefb2a1b6d63373890a76d3a6153335f8d05b07e4546893e7a8871c653d39f06941615181308fbf41a07cf702b2a730dfacc6a01840efdbfbeaf301a58362bb
+AUX 65openvpn 45 SHA256 d5758e39fdc75dcbb5a788b1afa743c3c1f08c63c535aa32c300b965474d765c SHA512 713345092b60d1322d3fa96fd72d69ed82dbfee5031a675114bc60acfdacaf0811f6bf4530cf937ca5a86b3f2665b28951b9087ec91c2c0faf75bdaf1e25bdbb WHIRLPOOL 534e7dcf2ac953e9ec5de05810022471cb26a16806cd036f25d02550e20f8aaa91410bd005bc7a5e4a549d8a40d01ae317be1d1e1e25d91ed989bbbea7ede9d2
+AUX down.sh 943 SHA256 39debebcd8c899f20e6d355cbc8eaab46e28b83a9f6c33a94c065688a4f3d2c7 SHA512 5defd61edf11cc63f3f8f60bef7fa730c4bcdd2545d664bd94666dd3aea80bd9d190263d8835a555e4287a594f6fce0f52426aed49c60233ff637a2a6164a997 WHIRLPOOL c66fd1e016656fe83d7f55b77bf232058397f9cd3054abe13ec006c227afe6746ee4ada310ff43761ec95510f736b8e542f136711d648642eecafe055975c57e
+AUX openvpn-2.1.conf 892 SHA256 330149a83684ddabe413d134d4c8efad4c88b18c2ab67165014deff5f7fffad2 SHA512 982ade883afbe2e656a9cbbe36c31c0e8b4f7bbbe5b63df9f7b834f02a9153032fb7445c85d3e91f62c68a7ddd13c3afbf420fb71cdd13d9c4b69f867bdd9f37 WHIRLPOOL 6ef644826e1e9e2a100e0fa20b5c9190e92c9e08a366dee28dccf3f70fa0593f3c4d271e42db3920630f03704aa2aef8e84d9efbb2b4b6a0d08e74bb340fb0a5
+AUX openvpn-2.1.init 4186 SHA256 d1b1f8a00935d77521bceb62535350444df3470fa45f4d33c3934051a1bb595b SHA512 7ecd0b4dc7341ea0df598752bec8ae6011bea7973ed9dbf17a12c308aed46362e1507fcb3a3bb26049619747f2f819deec1a42c6dce2c13d2a769f1e37735a2f WHIRLPOOL 9d34c438b7d9e45678e2aa48ab42a68b9e2801423688c6280cbb4934a8ef04cbf8a7953a061659f57fb02adf535596ac9313268c29e2dc18cffbf7315681da82
+AUX openvpn.init 1486 SHA256 c4b9e0899fa5ee0b90c5100da7711dc7a6a5658f10042b0feda9e7efb90a11cf SHA512 450595b9ec82ded74c26ed9f73182122e05f53655262a342b195dcedfe63a06a5d9927a3bbe50d0d04f810cc786ac3eb78843877f426c893e165b967bc8ac012 WHIRLPOOL e549221283b4b92c9ada312a746c4ad4c645493c1c844ddaddefecee4c31e17bd4bd8555618408e065c83143e157aaf7e75b44f01abe43f507835df2aa1149d3
+AUX openvpn.service 335 SHA256 a63a6e1505f2b3e20f2c82588dd0c23da9d8c750e1f36fec2ba20a8b5b0c9de1 SHA512 fbd41b80253aaae6750301ac95d8b3bf09e3a70556cc0513792c8e06faa70a716233d134d4928295f381f0f235fcde0eeac9cfa074924b6666a4b46ff7cf91a9 WHIRLPOOL 16f44d10ab03110a21a69716fbac2e64e5376426edd26783d7946d928dd0cc106810126436488843da8e16277d3aa83d208fe50c4aebd9cff86526ce1762b215
+AUX openvpn.tmpfile 39 SHA256 ef3453056a26487d27908d5ced124285403d8e88deb843fccdba9f6724966826 SHA512 659713b35eee340f2b6578796f4335dda391aa635892e802e3f2531f31c9470460b4e4b3be45457f81f3b08b7d60ce15d16f8d70b968fbf24f846ef5f8611a58 WHIRLPOOL 19e4611ffda68a99851921ccaf3a99d04350cd3e0d8833136da151119c267edc383ff96162aa47a2f77171ae908ad011e4119a7a18961ed0bddcbf38d997b976
+AUX up.sh 2865 SHA256 d887ee065261affd849227fa27e092cf66549d824a698f302312d15f787dd840 SHA512 35201b0e60ad20358080007e595eb4f96d186ba8e88f0485c55d164c28e3d78a12f3e09347ba3d76abb9b8b03fb4a53664bd74ab484be1548090022b956925fd WHIRLPOOL 8d25a66d192a6710466d149aec7a1719dfe91558205e8ba7e25b93e58869c8fedc96ba4ce2aedb0595b7e0b63299e6e41be1ba82c6b93ae6bbbb26d409c9bf51
+DIST openvpn-2.3.6.tar.gz 1213272 SHA256 7baed2ff39c12e1a1a289ec0b46fcc49ff094ca58b8d8d5f29b36ac649ee5b26 SHA512 70e0045ea41f6588769ab8b98d8f550b69148adbf7fedcdc36900e25950df43379950492652e243ec6e7965bf9c7dcc86a56ba5dfdc44523aaa81cfc508b1c6e WHIRLPOOL 737f2d1d69ee1c7700d5cd5a4e7d5d1b2f55d8b2229f7c2565fcb8c731ebb719ec8d6bad3b76f763f36e5c70c6e40a666db3508f3024f8e4637c0659061dba48
+EBUILD openvpn-2.3.6-r99.ebuild 4426 SHA256 3f1264eced8d351e4e179b1d7b7522e8c1e3d440b3a608d914d8fe99d4f2ab79 SHA512 0fa7ea5f00d81d83a26b88ff4e7a8944357c85d1df023b76857b53a4b486b926c51efe73082ecc0b0c9d4dd17ae90ebbe02798493f494db95458bf1021b681df WHIRLPOOL 47500eb883a0e077f4a249570c4ebaab0fa033d9051f1e56a0c0d36e97023320ef77f889a9ce81e7a81ca06a4ca7aca826433394c04181f22b19944c532f27b2
+EBUILD openvpn-9999.ebuild 3941 SHA256 ef975ee9157e25b16aa4c59144b1fc0814c67def458a71e5166c70e7c41e5081 SHA512 7030ee666c7372b86a198f3780797a4253baed6e61e4bbb3f1bb166b95268b4ee00992c770c689ab6bb9326eb2d66a6c52cec65739e887ef39e6da1da6ce49b6 WHIRLPOOL 174bee3dc113263b7ebc24048613cc3039cd49f52cee4c9eff55d80d9436cead408d3c09cb6dad1318a4812fb00f7eb22b286f329499346240db2f38a066b2ff
+MISC metadata.xml 937 SHA256 3dfcc28012f2c92f044882c39d56b6ef82bb80749ce688b75d526cc6c8836dd3 SHA512 ad3f218ccc64249fda19d87fe79494280eb880841f2d1e69757e7093e62b446f273fecd074ccac02c28894924b02d6a9c9fbbc1bd12ab13493f7f77e50e5b1ce WHIRLPOOL 65bf683e35f44c306c9ed3297cd954eb490f658f97a2d03af2cba0484030b1eccdf401fdc867a5c35a602bd67bf7052d555c2a48b7bebb4469158e26a530a742
diff --git a/net-misc/openvpn/files/2.3.6-disable-compression.patch b/net-misc/openvpn/files/2.3.6-disable-compression.patch
new file mode 100644
index 0000000..d9d1c76
--- /dev/null
+++ b/net-misc/openvpn/files/2.3.6-disable-compression.patch
@@ -0,0 +1,18 @@
+https://community.openvpn.net/openvpn/changeset/5d5233778868ddd568140c394adfcfc8e3453245/
+
+--- openvpn-2.3.6/src/openvpn/ssl_openssl.c.orig 2014-11-29 23:00:35.000000000 +0800
++++ openvpn-2.3.6/src/openvpn/ssl_openssl.c 2015-01-12 21:14:30.186993686 +0800
+@@ -238,6 +238,13 @@
+ if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2)
+ sslopt |= SSL_OP_NO_TLSv1_2;
+ #endif
++
++#ifdef SSL_OP_NO_COMPRESSION
++ msg (M_WARN, "[Workaround] disable SSL compression");
++ sslopt |= SSL_OP_NO_COMPRESSION;
++#endif
++
++
+ SSL_CTX_set_options (ctx->ctx, sslopt);
+ }
+
diff --git a/net-misc/openvpn/files/2.3.6-musl-compat.patch b/net-misc/openvpn/files/2.3.6-musl-compat.patch
new file mode 100644
index 0000000..9b1289b
--- /dev/null
+++ b/net-misc/openvpn/files/2.3.6-musl-compat.patch
@@ -0,0 +1,14 @@
+diff -Naur openvpn-2.3.6.orig/src/openvpn/syshead.h openvpn-2.3.6/src/openvpn/syshead.h
+--- openvpn-2.3.6.orig/src/openvpn/syshead.h 2014-11-29 16:00:35.000000000 +0100
++++ openvpn-2.3.6/src/openvpn/syshead.h 2015-05-08 00:42:34.171634884 +0200
+@@ -214,10 +214,6 @@
+
+ #ifdef TARGET_LINUX
+
+-#if defined(HAVE_NETINET_IF_ETHER_H)
+-#include <netinet/if_ether.h>
+-#endif
+-
+ #ifdef HAVE_LINUX_IF_TUN_H
+ #include <linux/if_tun.h>
+ #endif
diff --git a/net-misc/openvpn/files/2.3.6-null-cipher.patch b/net-misc/openvpn/files/2.3.6-null-cipher.patch
new file mode 100644
index 0000000..1e831cf
--- /dev/null
+++ b/net-misc/openvpn/files/2.3.6-null-cipher.patch
@@ -0,0 +1,46 @@
+The "really fix cipher none" patch has been merged to release/2.3 and master:
+
+commit 785838614afc20d362b64907b0212e9a779e2287 (release/2.3)
+commit 98156e90e1e83133a6a6a020db8e7333ada6156b (master)
+
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index 8749878..4e45df0 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *cipher_kt);
+ *
+ * @return true iff the cipher is a CBC mode cipher.
+ */
+-bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
+- __attribute__((nonnull));
++bool cipher_kt_mode_cbc(const cipher_kt_t *cipher);
+
+ /**
+ * Check if the supplied cipher is a supported OFB or CFB mode cipher.
+@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
+ *
+ * @return true iff the cipher is a OFB or CFB mode cipher.
+ */
+-bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
+- __attribute__((nonnull));
++bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher);
+
+
+ /**
+diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh
+index 8f88ad9..d7792cd 100755
+--- a/tests/t_lpback.sh
++++ b/tests/t_lpback.sh
+@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/openvpn --show-ciphers | \
+ # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
+ CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
+
++# Also test cipher 'none'
++CIPHERS=${CIPHERS}$(printf "\nnone")
++
+ "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
+ set +e
+
+--
+1.9.1
+
diff --git a/net-misc/openvpn/files/65openvpn b/net-misc/openvpn/files/65openvpn
new file mode 100644
index 0000000..4ddb034
--- /dev/null
+++ b/net-misc/openvpn/files/65openvpn
@@ -0,0 +1 @@
+CONFIG_PROTECT="/usr/share/openvpn/easy-rsa"
diff --git a/net-misc/openvpn/files/down.sh b/net-misc/openvpn/files/down.sh
new file mode 100755
index 0000000..1c70db0
--- /dev/null
+++ b/net-misc/openvpn/files/down.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# If we have a service specific script, run this now
+if [ -x /etc/openvpn/"${SVCNAME}"-down.sh ] ; then
+ /etc/openvpn/"${SVCNAME}"-down.sh "$@"
+fi
+
+# Restore resolv.conf to how it was
+if [ "${PEER_DNS}" != "no" ]; then
+ if [ -x /sbin/resolvconf ] ; then
+ /sbin/resolvconf -d "${dev}"
+ elif [ -e /etc/resolv.conf-"${dev}".sv ] ; then
+ # Important that we copy instead of move incase resolv.conf is
+ # a symlink and not an actual file
+ cp /etc/resolv.conf-"${dev}".sv /etc/resolv.conf
+ rm -f /etc/resolv.conf-"${dev}".sv
+ fi
+fi
+
+if [ -n "${SVCNAME}" ]; then
+ # Re-enter the init script to start any dependant services
+ if /etc/init.d/"${SVCNAME}" --quiet status ; then
+ export IN_BACKGROUND=true
+ /etc/init.d/"${SVCNAME}" --quiet stop
+ fi
+fi
+
+exit 0
+
+# vim: ts=4 :
diff --git a/net-misc/openvpn/files/openvpn-2.1.conf b/net-misc/openvpn/files/openvpn-2.1.conf
new file mode 100644
index 0000000..72510c3
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn-2.1.conf
@@ -0,0 +1,18 @@
+# OpenVPN automatically creates an /etc/resolv.conf (or sends it to
+# resolvconf) if given DNS information by the OpenVPN server.
+# Set PEER_DNS="no" to stop this.
+PEER_DNS="yes"
+
+# OpenVPN can run in many modes. Most people will want the init script
+# to automatically detect the mode and try and apply a good default
+# configuration and setup scripts. However, there are cases where the
+# OpenVPN configuration looks like a client, but it's really a peer or
+# something else. DETECT_CLIENT controls this behaviour.
+DETECT_CLIENT="yes"
+
+# If DETECT_CLIENT is no and you have your own scripts to re-enter the openvpn
+# init script (ie, it first becomes "inactive" and the script then starts the
+# script again to make it "started") then you can state this below.
+# In other words, unless you understand service dependencies and are a
+# competent shell scripter, don't set this.
+RE_ENTER="no"
diff --git a/net-misc/openvpn/files/openvpn-2.1.init b/net-misc/openvpn/files/openvpn-2.1.init
new file mode 100755
index 0000000..d65e6f8
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn-2.1.init
@@ -0,0 +1,133 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPNDIR=${VPNDIR:-/etc/openvpn}
+VPN=${SVCNAME#*.}
+if [ -n "${VPN}" ] && [ ${SVCNAME} != "openvpn" ]; then
+ VPNPID="/var/run/openvpn.${VPN}.pid"
+else
+ VPNPID="/var/run/openvpn.pid"
+fi
+VPNCONF="${VPNDIR}/${VPN}.conf"
+
+depend() {
+ need localmount net
+ use dns
+ after bootmisc
+}
+
+checkconfig() {
+ # Linux has good dynamic tun/tap creation
+ if [ $(uname -s) = "Linux" ] ; then
+ if [ ! -e /dev/net/tun ]; then
+ if ! modprobe tun ; then
+ eerror "TUN/TAP support is not available" \
+ "in this kernel"
+ return 1
+ fi
+ fi
+ if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+ ebegin "Detected broken /dev/net/tun symlink, fixing..."
+ rm -f /dev/net/tun
+ ln -s /dev/misc/net/tun /dev/net/tun
+ eend $?
+ fi
+ return 0
+ fi
+
+ # Other OS's don't, so we rely on a pre-configured interface
+ # per vpn instance
+ local ifname=$(sed -n -e 's/[[:space:]]*dev[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "${VPNCONF}")
+ if [ -z ${ifname} ] ; then
+ eerror "You need to specify the interface that this openvpn" \
+ "instance should use" \
+ "by using the dev option in ${VPNCONF}"
+ return 1
+ fi
+
+ if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+ # Try and create it
+ echo > /dev/"${ifname}" >/dev/null
+ fi
+ if ! ifconfig "${ifname}" >/dev/null 2>/dev/null ; then
+ eerror "${VPNCONF} requires interface ${ifname}" \
+ "but that does not exist"
+ return 1
+ fi
+}
+
+start() {
+ # If we are re-called by the openvpn gentoo-up.sh script
+ # then we don't actually want to start openvpn
+ [ "${IN_BACKGROUND}" = "true" ] && return 0
+
+ ebegin "Starting ${SVCNAME}"
+
+ checkconfig || return 1
+
+ local args="" reenter=${RE_ENTER:-no}
+ # If the config file does not specify the cd option, we do
+ # But if we specify it, we override the config option which we do not want
+ if ! grep -q "^[ ]*cd[ ].*" "${VPNCONF}" ; then
+ args="${args} --cd ${VPNDIR}"
+ fi
+
+ # We mark the service as inactive and then start it.
+ # When we get an authenticated packet from the peer then we run our script
+ # which configures our DNS if any and marks us as up.
+ if [ "${DETECT_CLIENT:-yes}" = "yes" ] && \
+ grep -q "^[ ]*remote[ ].*" "${VPNCONF}" ; then
+ reenter="yes"
+ args="${args} --up-delay --up-restart"
+ args="${args} --script-security 2"
+ args="${args} --up /etc/openvpn/up.sh"
+ args="${args} --down-pre --down /etc/openvpn/down.sh"
+
+ # Warn about setting scripts as we override them
+ if grep -Eq "^[ ]*(up|down)[ ].*" "${VPNCONF}" ; then
+ ewarn "WARNING: You have defined your own up/down scripts"
+ ewarn "As you're running as a client, we now force Gentoo specific"
+ ewarn "scripts to be run for up and down events."
+ ewarn "These scripts will call /etc/openvpn/${SVCNAME}-{up,down}.sh"
+ ewarn "where you can put your own code."
+ fi
+
+ # Warn about the inability to change ip/route/dns information when
+ # dropping privs
+ if grep -q "^[ ]*user[ ].*" "${VPNCONF}" ; then
+ ewarn "WARNING: You are dropping root privileges!"
+ ewarn "As such openvpn may not be able to change ip, routing"
+ ewarn "or DNS configuration."
+ fi
+ else
+ # So we're a server. Run as openvpn unless otherwise specified
+ grep -q "^[ ]*user[ ].*" "${VPNCONF}" || args="${args} --user openvpn"
+ grep -q "^[ ]*group[ ].*" "${VPNCONF}" || args="${args} --group openvpn"
+ fi
+
+ # Ensure that our scripts get the PEER_DNS variable
+ [ -n "${PEER_DNS}" ] && args="${args} --setenv PEER_DNS ${PEER_DNS}"
+
+ [ "${reenter}" = "yes" ] && mark_service_inactive "${SVCNAME}"
+ start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
+ -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon \
+ --setenv SVCNAME "${SVCNAME}" ${args}
+ eend $? "Check your logs to see why startup failed"
+}
+
+stop() {
+ # If we are re-called by the openvpn gentoo-down.sh script
+ # then we don't actually want to stop openvpn
+ if [ "${IN_BACKGROUND}" = "true" ] ; then
+ mark_service_inactive "${SVCNAME}"
+ return 0
+ fi
+
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --quiet \
+ --exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+ eend $?
+}
+
+# vim: set ts=4 :
diff --git a/net-misc/openvpn/files/openvpn.init b/net-misc/openvpn/files/openvpn.init
new file mode 100644
index 0000000..489ab49
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.init
@@ -0,0 +1,63 @@
+#!/sbin/runscript
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+VPNDIR="/etc/openvpn"
+VPN="${SVCNAME#*.}"
+if [ -n "${VPN}" ] && [ "${SVCNAME}" != "openvpn" ]; then
+ VPNPID="/var/run/openvpn.${VPN}.pid"
+else
+ VPNPID="/var/run/openvpn.pid"
+fi
+VPNCONF="${VPNDIR}/${VPN}.conf"
+
+depend() {
+ need localmount net
+ before netmount
+ after bootmisc
+}
+
+checktundevice() {
+ if [ ! -e /dev/net/tun ]; then
+ if ! modprobe tun ; then
+ eerror "TUN/TAP support is not available in this kernel"
+ return 1
+ fi
+ fi
+ if [ -h /dev/net/tun ] && [ -c /dev/misc/net/tun ]; then
+ ebegin "Detected broken /dev/net/tun symlink, fixing..."
+ rm -f /dev/net/tun
+ ln -s /dev/misc/net/tun /dev/net/tun
+ eend $?
+ fi
+}
+
+start() {
+ ebegin "Starting ${SVCNAME}"
+
+ checktundevice || return 1
+
+ if [ ! -e "${VPNCONF}" ]; then
+ eend 1 "${VPNCONF} does not exist"
+ return 1
+ fi
+
+ local args=""
+ # If the config file does not specify the cd option, we do
+ # But if we specify it, we override the config option which we do not want
+ if ! grep -q "^[ ]*cd[ ].*" "${VPNCONF}" ; then
+ args="${args} --cd ${VPNDIR}"
+ fi
+
+ start-stop-daemon --start --exec /usr/sbin/openvpn --pidfile "${VPNPID}" \
+ -- --config "${VPNCONF}" --writepid "${VPNPID}" --daemon ${args}
+ eend $? "Check your logs to see why startup failed"
+}
+
+stop() {
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --exec /usr/sbin/openvpn --pidfile "${VPNPID}"
+ eend $?
+}
+
+# vim: ts=4
diff --git a/net-misc/openvpn/files/openvpn.service b/net-misc/openvpn/files/openvpn.service
new file mode 100644
index 0000000..358dcb7
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
+After=syslog.target network.target
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-misc/openvpn/files/openvpn.tmpfile b/net-misc/openvpn/files/openvpn.tmpfile
new file mode 100644
index 0000000..d5fca71
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn.tmpfile
@@ -0,0 +1 @@
+D /var/run/openvpn 0710 root openvpn -
diff --git a/net-misc/openvpn/files/up.sh b/net-misc/openvpn/files/up.sh
new file mode 100755
index 0000000..6ce82d6
--- /dev/null
+++ b/net-misc/openvpn/files/up.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+# Copyright (c) 2006-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Contributed by Roy Marples (uberlord@gentoo.org)
+
+# Setup our resolv.conf
+# Vitally important that we use the domain entry in resolv.conf so we
+# can setup the nameservers are for the domain ONLY in resolvconf if
+# we're using a decent dns cache/forwarder like dnsmasq and NOT nscd/libc.
+# nscd/libc users will get the VPN nameservers before their other ones
+# and will use the first one that responds - maybe the LAN ones?
+# non resolvconf users just the the VPN resolv.conf
+
+# FIXME:- if we have >1 domain, then we have to use search :/
+# We need to add a flag to resolvconf to say
+# "these nameservers should only be used for the listed search domains
+# if other global nameservers are present on other interfaces"
+# This however, will break compatibility with Debians resolvconf
+# A possible workaround would be to just list multiple domain lines
+# and try and let resolvconf handle it
+
+min_route() {
+ local n=1
+ local m
+ local r
+
+ eval m="\$route_metric_$n"
+ while [ -n "${m}" ]; do
+ if [ -z "$r" ] || [ "$r" -gt "$m" ]; then
+ r="$m"
+ fi
+ n="$(($n+1))"
+ eval m="\$route_metric_$n"
+ done
+
+ echo "$r"
+}
+
+if [ "${PEER_DNS}" != "no" ]; then
+ NS=
+ DOMAIN=
+ SEARCH=
+ i=1
+ while true ; do
+ eval opt=\$foreign_option_${i}
+ [ -z "${opt}" ] && break
+ if [ "${opt}" != "${opt#dhcp-option DOMAIN *}" ] ; then
+ if [ -z "${DOMAIN}" ] ; then
+ DOMAIN="${opt#dhcp-option DOMAIN *}"
+ else
+ SEARCH="${SEARCH}${SEARCH:+ }${opt#dhcp-option DOMAIN *}"
+ fi
+ elif [ "${opt}" != "${opt#dhcp-option DNS *}" ] ; then
+ NS="${NS}nameserver ${opt#dhcp-option DNS *}\n"
+ fi
+ i=$((${i} + 1))
+ done
+
+ if [ -n "${NS}" ] ; then
+ DNS="# Generated by openvpn for interface ${dev}\n"
+ if [ -n "${SEARCH}" ] ; then
+ DNS="${DNS}search ${DOMAIN} ${SEARCH}\n"
+ elif [ -n "${DOMAIN}" ]; then
+ DNS="${DNS}domain ${DOMAIN}\n"
+ fi
+ DNS="${DNS}${NS}"
+ if [ -x /sbin/resolvconf ] ; then
+ metric="$(min_route)"
+ printf "${DNS}" | /sbin/resolvconf -a "${dev}" ${metric:+-m ${metric}}
+ else
+ # Preserve the existing resolv.conf
+ if [ -e /etc/resolv.conf ] ; then
+ cp /etc/resolv.conf /etc/resolv.conf-"${dev}".sv
+ fi
+ printf "${DNS}" > /etc/resolv.conf
+ chmod 644 /etc/resolv.conf
+ fi
+ fi
+fi
+
+# Below section is Gentoo specific
+# Quick summary - our init scripts are re-entrant and set the SVCNAME env var
+# as we could have >1 openvpn service
+
+if [ -n "${SVCNAME}" ]; then
+ # If we have a service specific script, run this now
+ if [ -x /etc/openvpn/"${SVCNAME}"-up.sh ] ; then
+ /etc/openvpn/"${SVCNAME}"-up.sh "$@"
+ fi
+
+ # Re-enter the init script to start any dependant services
+ if ! /etc/init.d/"${SVCNAME}" --quiet status ; then
+ export IN_BACKGROUND=true
+ /etc/init.d/${SVCNAME} --quiet start
+ fi
+fi
+
+exit 0
+
+# vim: ts=4 :
diff --git a/net-misc/openvpn/metadata.xml b/net-misc/openvpn/metadata.xml
new file mode 100644
index 0000000..ef30850
--- /dev/null
+++ b/net-misc/openvpn/metadata.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>djc@gentoo.org</email>
+ <name>Dirkjan Ochtman</name>
+ </maintainer>
+ <longdescription>OpenVPN is an easy-to-use, robust and highly
+configurable VPN daemon which can be used to securely link two or more
+networks using an encrypted tunnel.</longdescription>
+ <use>
+ <flag name="down-root">Enable the down-root plugin</flag>
+ <flag name="iproute2">Enabled iproute2 support instead of net-tools</flag>
+ <flag name="passwordsave">Enables openvpn to save passwords</flag>
+ <flag name="polarssl">Use PolarSSL instead of OpenSSL</flag>
+ <flag name="pkcs11">Enable PKCS#11 smartcard support</flag>
+ <flag name="plugins">Enable the OpenVPN plugin system</flag>
+ </use>
+ <upstream>
+ <remote-id type="cpe">cpe:/a:openvpn:openvpn</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-misc/openvpn/openvpn-2.3.6-r99.ebuild b/net-misc/openvpn/openvpn-2.3.6-r99.ebuild
new file mode 100644
index 0000000..ebb4c70
--- /dev/null
+++ b/net-misc/openvpn/openvpn-2.3.6-r99.ebuild
@@ -0,0 +1,137 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/openvpn-2.3.6-r2.ebuild,v 1.1 2015/02/17 18:46:07 djc Exp $
+
+EAPI=4
+
+inherit multilib autotools flag-o-matic user systemd
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+SRC_URI="http://swupdate.openvpn.net/community/releases/${P}.tar.gz"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips ppc x86"
+IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins +polarssl selinux +ssl systemd +lzo static userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+ polarssl? ( ssl )
+ pkcs11? ( ssl )
+ !plugins? ( !pam !down-root )"
+
+DEPEND="
+ kernel_linux? (
+ iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+ )
+ pam? ( virtual/pam )
+ ssl? (
+ !polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.2.10 )
+ )
+ lzo? ( >=dev-libs/lzo-1.07 )
+ pkcs11? ( >=dev-libs/pkcs11-helper-1.11 )"
+RDEPEND="${DEPEND}
+ selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_prepare() {
+ # Set correct pass to systemd-ask-password binary
+ sed -i "s:\(/bin/systemd-ask-password\):/usr\1:" ./src/openvpn/console.c || die
+ epatch "${FILESDIR}/2.3.6-null-cipher.patch" || die
+ epatch "${FILESDIR}/2.3.6-disable-compression.patch" || die
+ epatch "${FILESDIR}/2.3.6-musl-compat.patch" || die
+ eautoreconf
+}
+
+src_configure() {
+ use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+ local myconf
+ echo "DROPPY"
+ use polarssl && echo "FLOZZY"
+ use polarssl && myconf="--with-crypto-library=polarssl"
+ econf \
+ ${myconf} \
+ --docdir="${EPREFIX}/usr/share/doc/${PF}" \
+ --with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+ $(use_enable passwordsave password-save) \
+ $(use_enable ssl) \
+ $(use_enable ssl crypto) \
+ $(use_enable lzo) \
+ $(use_enable pkcs11) \
+ $(use_enable plugins) \
+ $(use_enable iproute2) \
+ $(use_enable pam plugin-auth-pam) \
+ $(use_enable down-root plugin-down-root) \
+ $(use_enable systemd)
+}
+
+src_install() {
+ default
+ find "${ED}/usr" -name '*.la' -delete
+ # install documentation
+ dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+ # Install some helper scripts
+ keepdir /etc/openvpn
+ exeinto /etc/openvpn
+ doexe "${FILESDIR}/up.sh"
+ doexe "${FILESDIR}/down.sh"
+
+ # Install the init script and config file
+ newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+ newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+ # install examples, controlled by the respective useflag
+ if use examples ; then
+ # dodoc does not supportly support directory traversal, #15193
+ insinto /usr/share/doc/${PF}/examples
+ doins -r sample contrib
+ fi
+
+ systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfile ${PN}.conf
+ systemd_newunit "${FILESDIR}"/${PN}.service 'openvpn@.service'
+}
+
+pkg_postinst() {
+ # Add openvpn user so openvpn servers can drop privs
+ # Clients should run as root so they can change ip addresses,
+ # dns information and other such things.
+ enewgroup openvpn
+ enewuser openvpn "" "" "" openvpn
+
+ if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+ ewarn "WARNING: The openvpn init script has changed"
+ ewarn ""
+ fi
+
+ elog "The openvpn init script expects to find the configuration file"
+ elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+ elog ""
+ elog "To create more VPNs, simply create a new .conf file for it and"
+ elog "then create a symlink to the openvpn init script from a link called"
+ elog "openvpn.newconfname - like so"
+ elog " cd /etc/openvpn"
+ elog " ${EDITOR##*/} foo.conf"
+ elog " cd /etc/init.d"
+ elog " ln -s openvpn openvpn.foo"
+ elog ""
+ elog "You can then treat openvpn.foo as any other service, so you can"
+ elog "stop one vpn and start another if you need to."
+
+ if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+ ewarn ""
+ ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+ ewarn "a client by our init script and as such we force up,down scripts."
+ ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+ ewarn "can move your scripts to."
+ fi
+
+ if use plugins ; then
+ einfo ""
+ einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+ fi
+
+ einfo ""
+ einfo "OpenVPN 2.3.x no longer includes the easy-rsa suite of utilities."
+ einfo "They can now be emerged via app-crypt/easy-rsa."
+}
diff --git a/net-misc/openvpn/openvpn-9999.ebuild b/net-misc/openvpn/openvpn-9999.ebuild
new file mode 100644
index 0000000..408b395
--- /dev/null
+++ b/net-misc/openvpn/openvpn-9999.ebuild
@@ -0,0 +1,126 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/openvpn-9999.ebuild,v 1.8 2014/11/02 09:13:00 swift Exp $
+
+EAPI=4
+
+inherit multilib autotools flag-o-matic user git-2
+
+DESCRIPTION="Robust and highly flexible tunneling application compatible with many OSes"
+EGIT_REPO_URI="https://github.com/OpenVPN/${PN}.git"
+HOMEPAGE="http://openvpn.net/"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS=""
+IUSE="examples down-root iproute2 pam passwordsave pkcs11 +plugins polarssl selinux +ssl +lzo static userland_BSD"
+
+REQUIRED_USE="static? ( !plugins !pkcs11 )
+ polarssl? ( ssl )
+ !plugins? ( !pam !down-root )"
+
+DEPEND="
+ kernel_linux? (
+ iproute2? ( sys-apps/iproute2[-minimal] ) !iproute2? ( sys-apps/net-tools )
+ )
+ pam? ( virtual/pam )
+ ssl? (
+ !polarssl? ( >=dev-libs/openssl-0.9.7 ) polarssl? ( >=net-libs/polarssl-1.1.0 )
+ )
+ lzo? ( >=dev-libs/lzo-1.07 )
+ pkcs11? ( >=dev-libs/pkcs11-helper-1.05 )"
+RDEPEND="${DEPEND}
+ selinux? ( sec-policy/selinux-openvpn )
+"
+
+src_prepare() {
+ eautoreconf
+}
+
+src_configure() {
+ use static && LDFLAGS="${LDFLAGS} -Xcompiler -static"
+ local myconf
+ use polarssl && myconf="--with-crypto-library=polarssl"
+ econf \
+ ${myconf} \
+ --docdir="${EPREFIX}/usr/share/doc/${PF}" \
+ --with-plugindir="${ROOT}/usr/$(get_libdir)/$PN" \
+ $(use_enable passwordsave password-save) \
+ $(use_enable ssl) \
+ $(use_enable ssl crypto) \
+ $(use_enable lzo) \
+ $(use_enable pkcs11) \
+ $(use_enable plugins) \
+ $(use_enable iproute2) \
+ $(use_enable pam plugin-auth-pam) \
+ $(use_enable down-root plugin-down-root)
+}
+
+src_install() {
+ default
+ find "${ED}/usr" -name '*.la' -delete
+ # install documentation
+ dodoc AUTHORS ChangeLog PORTS README README.IPv6
+
+ # Install some helper scripts
+ keepdir /etc/openvpn
+ exeinto /etc/openvpn
+ doexe "${FILESDIR}/up.sh"
+ doexe "${FILESDIR}/down.sh"
+
+ # Install the init script and config file
+ newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+ newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+
+ # install examples, controlled by the respective useflag
+ if use examples ; then
+ # dodoc does not supportly support directory traversal, #15193
+ insinto /usr/share/doc/${PF}/examples
+ doins -r sample contrib
+ fi
+}
+
+pkg_postinst() {
+ # Add openvpn user so openvpn servers can drop privs
+ # Clients should run as root so they can change ip addresses,
+ # dns information and other such things.
+ enewgroup openvpn
+ enewuser openvpn "" "" "" openvpn
+
+ if [ path_exists -o "${ROOT}/etc/openvpn/*/local.conf" ] ; then
+ ewarn "WARNING: The openvpn init script has changed"
+ ewarn ""
+ fi
+
+ elog "The openvpn init script expects to find the configuration file"
+ elog "openvpn.conf in /etc/openvpn along with any extra files it may need."
+ elog ""
+ elog "To create more VPNs, simply create a new .conf file for it and"
+ elog "then create a symlink to the openvpn init script from a link called"
+ elog "openvpn.newconfname - like so"
+ elog " cd /etc/openvpn"
+ elog " ${EDITOR##*/} foo.conf"
+ elog " cd /etc/init.d"
+ elog " ln -s openvpn openvpn.foo"
+ elog ""
+ elog "You can then treat openvpn.foo as any other service, so you can"
+ elog "stop one vpn and start another if you need to."
+
+ if grep -Eq "^[ \t]*(up|down)[ \t].*" "${ROOT}/etc/openvpn"/*.conf 2>/dev/null ; then
+ ewarn ""
+ ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+ ewarn "a client by our init script and as such we force up,down scripts."
+ ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+ ewarn "can move your scripts to."
+ fi
+
+ if use plugins ; then
+ einfo ""
+ einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+ fi
+
+ ewarn ""
+ ewarn "You are using a live ebuild building from the sources of openvpn"
+ ewarn "repository from http://openvpn.git.sourceforge.net. For reporting"
+ ewarn "bugs please contact: openvpn-devel@lists.sourceforge.net."
+}