git: 6853ab171eff - main - security/openvpn*: update to 2.6.0, keep openvpn25
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 27 Jan 2023 21:32:25 UTC
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=6853ab171eff406db8b2451117bae397f926f4d2
commit 6853ab171eff406db8b2451117bae397f926f4d2
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-01-25 22:29:50 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-01-27 21:32:22 +0000
security/openvpn*: update to 2.6.0, keep openvpn25
- copy openvpn to openvpn25, mark as deprecated and to expire March 31
- update openvpn to openvpn 2.6.0, highlights from Frank Lichtenheld's
release announcement e-mail, slightly edited:
* Data Channel Offload (DCO) kernel acceleration support for Windows,
Linux, and FreeBSD [14].
* OpenSSL 3 support
* Improved handling of tunnel MTU, including support for pushable MTU.
* Outdated cryptographic algorithms disabled by default, but there are
options to override if necessary.
* Reworked TLS handshake, making OpenVPN immune to replay-packet state
exhaustion attacks.
* Added --peer-fingerprint mode for a more simplistic certificate setup
and verification.
* Improved protocol negotiation, leading to faster connection setup.
ChangeLog: https://github.com/OpenVPN/openvpn/blob/v2.6.0/Changes.rst
---
UPDATING | 10 ++
security/Makefile | 1 +
security/openvpn/Makefile | 30 ++--
security/openvpn/distinfo | 6 +-
security/openvpn/files/ovpn_dco_freebsd.h | 71 +++++++++
.../patch-doc_man-sections_generic-options.rst | 11 ++
security/openvpn25/Makefile | 164 +++++++++++++++++++++
security/openvpn25/distinfo | 3 +
security/openvpn25/files/openvpn-client.in | 6 +
security/openvpn25/files/openvpn.in | 144 ++++++++++++++++++
.../files/patch-doc_openvpn.8 | 0
.../files/patch-doc_openvpn.8.html | 0
...ch-sample__sample-config-files__loopback-client | 13 ++
...ch-sample__sample-config-files__loopback-server | 13 ++
.../files/patch-src_openvpn_openssl__compat.h | 0
.../files/patch-src_plugins_auth-pam_auth-pam.c | 10 ++
security/openvpn25/files/patch-tests__t_cltsrv.sh | 65 ++++++++
security/openvpn25/files/pkg-message.in | 34 +++++
security/openvpn25/files/up-script.sample | 27 ++++
security/openvpn25/pkg-descr | 5 +
security/openvpn25/pkg-plist | 10 ++
21 files changed, 610 insertions(+), 13 deletions(-)
diff --git a/UPDATING b/UPDATING
index 5a3589afcb62..da07f5911da4 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,16 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20230127:
+ AFFECTS: users of security/openvpn
+ AUTHOR: mandree@freebsd.org
+
+ OpenVPN has been updated to the new upstream release v2.6.0, which
+ is quite compatible with v2.5 versions.
+
+ A copy of the latest v2.5.8 port is being kept as security/openvpn25 (or
+ openvpn25 package) until end of March 2023.
+
20230116:
AFFECTS: users of sysutils/nut and sysutils/nut-devel
AUTHOR: cy@freebsd.org
diff --git a/security/Makefile b/security/Makefile
index a45295338dd3..9024548d290a 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -419,6 +419,7 @@
SUBDIR += openvpn-auth-radius
SUBDIR += openvpn-auth-script
SUBDIR += openvpn-devel
+ SUBDIR += openvpn25
SUBDIR += opie
SUBDIR += ophcrack
SUBDIR += ossec-hids
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index e14df3d594dc..409693652e0b 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,5 +1,5 @@
PORTNAME= openvpn
-DISTVERSION= 2.5.8
+DISTVERSION= 2.6.0
PORTREVISION?= 0
CATEGORIES= security net net-vpn
MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
@@ -8,24 +8,28 @@ MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
MAINTAINER= mandree@FreeBSD.org
COMMENT?= Secure IP/Ethernet tunnel daemon
-WWW= https://openvpn.net/community/
+WWW= https://openvpn.net/community/
LICENSE= GPLv2
LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL
-USES= cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz
+BUILD_DEPENDS+= cmocka>=0:sysutils/cmocka \
+ rst2man:textproc/py-docutils@${PY_FLAVOR}
+
+USES= cpe libtool localbase:ldflags pkgconfig python:build shebangfix ssl
USE_RC_SUBR= openvpn
-SHEBANG_FILES= sample/sample-scripts/verify-cn \
- sample/sample-scripts/auth-pam.pl \
- sample/sample-scripts/ucn.pl
+SHEBANG_FILES= sample/sample-scripts/auth-pam.pl \
+ sample/sample-scripts/totpauth.py \
+ sample/sample-scripts/ucn.pl \
+ sample/sample-scripts/verify-cn
GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --enable-strict --with-crypto-library=openssl
# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
-CONFLICTS_INSTALL?= openvpn-2.[!5].* openvpn-devel openvpn-mbedtls
+CONFLICTS_INSTALL?= openvpn-2* openvpn-devel openvpn-mbedtls
SUB_FILES= pkg-message openvpn-client
@@ -35,10 +39,14 @@ GROUPS= openvpn
PORTDOCS= *
PORTEXAMPLES= *
-OPTIONS_DEFINE= ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
+OPTIONS_DEFINE= ASYNC_PUSH DCO DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
TEST UNITTESTS X509ALTUSERNAME
OPTIONS_DEFAULT= EASYRSA LZ4 LZO PKCS11 TEST
+OPTIONS_EXCLUDE_FreeBSD_12= DCO # FreeBSD 14 only
+OPTIONS_EXCLUDE_FreeBSD_13= DCO # FreeBSD 14 only
+
ASYNC_PUSH_DESC= Enable async-push support
+DCO_DESC= Build with Data Channel Offload (ovpn(4)) support
EASYRSA_DESC= Install security/easy-rsa RSA helper package
LZO_DESC= LZO compression (incompatible with LibreSSL)
PKCS11_DESC= Use security/pkcs11-helper, needs same SSL lib!
@@ -49,6 +57,8 @@ X509ALTUSERNAME_DESC= Enable --x509-username-field
ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify
ASYNC_PUSH_CONFIGURE_ENABLE= async-push
+DCO_CONFIGURE_ENABLE= dco
+
EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
@@ -98,8 +108,9 @@ post-patch:
${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
-e 's/"nobody"( after init)/"openvpn" \1/' \
${WRKSRC}/sample/sample-config-files/*.conf \
- ${WRKSRC}/sample/sample-config-files/xinetd-*-config \
${WRKSRC}/doc/man-sections/generic-options.rst
+ # this header file was missed from the 2.6.0 tarball
+ ${CP} ${FILESDIR}/ovpn_dco_freebsd.h ${WRKSRC}/src/openvpn/ # FIXME remove for 2.6.1
pre-configure:
# just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional,
@@ -142,7 +153,6 @@ post-install:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
- @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
${MKDIR} ${STAGEDIR}${PREFIX}/include
diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo
index b411c3f73145..7ba3f3c977d1 100644
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1666977762
-SHA256 (openvpn-2.5.8.tar.xz) = 2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
-SIZE (openvpn-2.5.8.tar.xz) = 1161288
+TIMESTAMP = 1674848325
+SHA256 (openvpn-2.6.0.tar.gz) = ebec933263c9850ef6f7ce125e2f22214be60b1cbb8ccff18892643fe083ae8f
+SIZE (openvpn-2.6.0.tar.gz) = 1840792
diff --git a/security/openvpn/files/ovpn_dco_freebsd.h b/security/openvpn/files/ovpn_dco_freebsd.h
new file mode 100644
index 000000000000..fec33835f007
--- /dev/null
+++ b/security/openvpn/files/ovpn_dco_freebsd.h
@@ -0,0 +1,71 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NET_IF_OVPN_H_
+#define _NET_IF_OVPN_H_
+
+#include <sys/types.h>
+#include <netinet/in.h>
+
+/* Maximum size of an ioctl request. */
+#define OVPN_MAX_REQUEST_SIZE 4096
+
+enum ovpn_notif_type {
+ OVPN_NOTIF_DEL_PEER,
+};
+
+enum ovpn_del_reason {
+ OVPN_DEL_REASON_REQUESTED = 0,
+ OVPN_DEL_REASON_TIMEOUT = 1
+};
+
+enum ovpn_key_slot {
+ OVPN_KEY_SLOT_PRIMARY = 0,
+ OVPN_KEY_SLOT_SECONDARY = 1
+};
+
+enum ovpn_key_cipher {
+ OVPN_CIPHER_ALG_NONE = 0,
+ OVPN_CIPHER_ALG_AES_GCM = 1,
+ OVPN_CIPHER_ALG_CHACHA20_POLY1305 = 2
+};
+
+#define OVPN_NEW_PEER _IO('D', 1)
+#define OVPN_DEL_PEER _IO('D', 2)
+#define OVPN_GET_STATS _IO('D', 3)
+#define OVPN_NEW_KEY _IO('D', 4)
+#define OVPN_SWAP_KEYS _IO('D', 5)
+#define OVPN_DEL_KEY _IO('D', 6)
+#define OVPN_SET_PEER _IO('D', 7)
+#define OVPN_START_VPN _IO('D', 8)
+#define OVPN_SEND_PKT _IO('D', 9)
+#define OVPN_POLL_PKT _IO('D', 10)
+#define OVPN_GET_PKT _IO('D', 11)
+#define OVPN_SET_IFMODE _IO('D', 12)
+#define OVPN_GET_PEER_STATS _IO('D', 13)
+
+#endif /* ifndef _NET_IF_OVPN_H_ */
diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
new file mode 100644
index 000000000000..295f20cd7f1f
--- /dev/null
+++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
@@ -0,0 +1,11 @@
+--- doc/man-sections/generic-options.rst.orig 2023-01-25 10:00:58 UTC
++++ doc/man-sections/generic-options.rst
+@@ -507,5 +507,8 @@ which mode OpenVPN is configured as.
+ since it is usually used by other system services already. Always
+ create a dedicated user for openvpn.
+
++ The FreeBSD port creates a group and user named :code:`openvpn`
++ for this purpose.
++
+ --writepid file
+ Write OpenVPN's main process ID to ``file``.
diff --git a/security/openvpn25/Makefile b/security/openvpn25/Makefile
new file mode 100644
index 000000000000..565e30bd381c
--- /dev/null
+++ b/security/openvpn25/Makefile
@@ -0,0 +1,164 @@
+PORTNAME= openvpn
+DISTVERSION= 2.5.8
+PORTREVISION?= 0
+CATEGORIES= security net net-vpn
+MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
+ https://build.openvpn.net/downloads/releases/ \
+ LOCAL/mandree
+PKGNAMESUFFIX= 25
+
+MAINTAINER= mandree@FreeBSD.org
+COMMENT?= Secure IP/Ethernet tunnel daemon
+WWW= https://openvpn.net/community/
+
+LICENSE= GPLv2
+LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL
+
+DEPRECATED= replaced by new upstream release 2.6.0
+EXPIRATION_DATE= 2023-03-31
+
+USES= cpe libtool localbase:ldflags pkgconfig shebangfix ssl tar:xz
+USE_RC_SUBR= openvpn
+
+SHEBANG_FILES= sample/sample-scripts/verify-cn \
+ sample/sample-scripts/auth-pam.pl \
+ sample/sample-scripts/ucn.pl
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --enable-strict --with-crypto-library=openssl
+# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
+CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
+
+CONFLICTS_INSTALL?= openvpn-2* openvpn-devel openvpn-mbedtls
+
+SUB_FILES= pkg-message openvpn-client
+
+USERS= openvpn
+GROUPS= openvpn
+
+PORTDOCS= *
+PORTEXAMPLES= *
+
+OPTIONS_DEFINE= ASYNC_PUSH DOCS EASYRSA EXAMPLES LZ4 LZO PKCS11 SMALL \
+ TEST UNITTESTS X509ALTUSERNAME
+OPTIONS_DEFAULT= EASYRSA LZ4 LZO PKCS11 TEST
+ASYNC_PUSH_DESC= Enable async-push support
+EASYRSA_DESC= Install security/easy-rsa RSA helper package
+LZO_DESC= LZO compression (incompatible with LibreSSL)
+PKCS11_DESC= Use security/pkcs11-helper, needs same SSL lib!
+SMALL_DESC= Build a smaller executable with fewer features
+UNITTESTS_DESC= Enable unit tests
+X509ALTUSERNAME_DESC= Enable --x509-username-field
+
+ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify
+ASYNC_PUSH_CONFIGURE_ENABLE= async-push
+
+EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
+
+LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
+LZ4_CONFIGURE_ENABLE= lz4
+
+LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2
+LZO_CONFIGURE_ENABLE= lzo
+
+PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
+PKCS11_CONFIGURE_ENABLE= pkcs11
+
+SMALL_CONFIGURE_ENABLE= small
+
+TEST_ALL_TARGET= check
+TEST_TEST_TARGET_OFF= check
+
+UNITTESTS_BUILD_DEPENDS= cmocka>=0:sysutils/cmocka
+UNITTESTS_CONFIGURE_ENABLE= unit-tests
+
+X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
+
+.ifdef (LOG_OPENVPN)
+CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
+.endif
+
+.include <bsd.port.options.mk>
+
+.if ${PORT_OPTIONS:MLZO}
+IGNORE_SSL=libressl libressl-devel
+IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support
+.endif
+
+.if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO}
+CONFIGURE_ARGS+= --enable-comp-stub
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*)
+# in-depth security net if Mk/Uses/ssl.mk changes
+pre-everything::
+ @${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support."
+ @${SHELL} -c 'exit 1'
+.endif
+
+post-patch:
+ ${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
+ -e 's/"nobody"( after init)/"openvpn" \1/' \
+ ${WRKSRC}/sample/sample-config-files/*.conf \
+ ${WRKSRC}/sample/sample-config-files/xinetd-*-config \
+ ${WRKSRC}/doc/man-sections/generic-options.rst
+
+pre-configure:
+ # just too many of sign-compare; bitwise-instead-of-logical was audited and is intentional,
+ # and unused-function affects test---these are developer-side warnings, not relevant on end systems
+ ${REINPLACE_CMD} 's/-Wsign-compare/-Wno-unknown-warning-option -Wno-sign-compare -Wno-bitwise-instead-of-logical -Wno-unused-function/' ${WRKSRC}/configure
+.ifdef (LOG_OPENVPN)
+ @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
+.else
+ @${ECHO} ""
+ @${ECHO} "You may use the following build options:"
+ @${ECHO} ""
+ @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
+ @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6"
+ @${ECHO} ""
+.endif
+.if !empty(SSL_DEFAULT:Mlibressl*)
+ @${ECHO} "### --------------------------------------------------------- ###"
+ @${ECHO} "### NOTE that libressl is not primarily supported by OpenVPN ###"
+ @${ECHO} "### Do not report bugs without fixes/patches unless the issue ###"
+ @${ECHO} "### can be reproduced with a released OpenSSL version. ###"
+ @${ECHO} "### --------------------------------------------------------- ###"
+ @sleep 10
+.endif
+
+post-configure:
+ ${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
+ ${WRKSRC}/src/plugins/auth-pam/Makefile \
+ ${WRKSRC}/src/plugins/down-root/Makefile
+
+# sanity check that we don't inherit incompatible SSL libs through,
+# for instance, pkcs11-helper:
+_tlslibs=libssl libcrypto
+post-build:
+ @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
+ | ${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
+ if test "$$*" != "1" ; then ( set -x ; ldd -a ${WRKSRC}/src/openvpn/openvpn ) ; ${PRINTF} '%s\n' "$$a" ; ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi
+
+post-install:
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
+ ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+ ${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
+ @${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
+ ${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
+ ${MKDIR} ${STAGEDIR}${PREFIX}/include
+
+post-install-DOCS-on:
+ ${MKDIR} ${STAGEDIR}${DOCSDIR}/
+.for i in AUTHORS ChangeLog PORTS
+ ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
+.endfor
+
+post-install-EXAMPLES-on:
+ (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
+ ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
+ ${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig
+
+.include <bsd.port.post.mk>
diff --git a/security/openvpn25/distinfo b/security/openvpn25/distinfo
new file mode 100644
index 000000000000..b411c3f73145
--- /dev/null
+++ b/security/openvpn25/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1666977762
+SHA256 (openvpn-2.5.8.tar.xz) = 2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
+SIZE (openvpn-2.5.8.tar.xz) = 1161288
diff --git a/security/openvpn25/files/openvpn-client.in b/security/openvpn25/files/openvpn-client.in
new file mode 100644
index 000000000000..471757811795
--- /dev/null
+++ b/security/openvpn25/files/openvpn-client.in
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec %%PREFIX%%/sbin/openvpn --script-security 2 \
+ --up %%PREFIX%%/libexec/openvpn-client.up \
+ --plugin openvpn-plugin-down-root.so %%PREFIX%%/libexec/openvpn-client.down \
+ --config "$@"
diff --git a/security/openvpn25/files/openvpn.in b/security/openvpn25/files/openvpn.in
new file mode 100644
index 000000000000..9a59ed6f011e
--- /dev/null
+++ b/security/openvpn25/files/openvpn.in
@@ -0,0 +1,144 @@
+#!/bin/sh
+#
+# openvpn.sh - load tun/tap driver and start OpenVPN daemon
+#
+# (C) Copyright 2005 - 2008, 2010 by Matthias Andree
+# based on suggestions by Matthias Grimm and Dirk Gouders
+# with multi-instance contribution from Denis Shaposhnikov, Gleb Kozyrev
+# and Vasil Dimov
+# softrestart feature suggested by Nick Hibma
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+# details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
+# Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# PROVIDE: openvpn
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+
+# -----------------------------------------------------------------------------
+#
+# This script supports running multiple instances of openvpn.
+# To run additional instances link this script to something like
+# % ln -s openvpn openvpn_foo
+# and define additional openvpn_foo_* variables in one of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn_foo
+#
+# Below NAME should be substituted with the name of this script. By default
+# it is openvpn, so read as openvpn_enable. If you linked the script to
+# openvpn_foo, then read as openvpn_foo_enable etc.
+#
+# The following variables are supported (defaults are shown).
+# You can place them in any of
+# /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/NAME
+#
+# NAME_enable="NO" # set to YES to enable openvpn
+# NAME_if= # driver(s) to load, set to "tun", "tap" or "tun tap"
+# # it is OK to specify the if_ prefix.
+#
+# # optional:
+# NAME_flags= # additional command line arguments
+# NAME_configfile="%%PREFIX%%/etc/openvpn/NAME.conf" # --config file
+# NAME_dir="%%PREFIX%%/etc/openvpn" # --cd directory
+#
+# You also need to set NAME_configfile and NAME_dir, if the configuration
+# file and directory where keys and certificates reside differ from the above
+# settings.
+#
+# Note that we deliberately refrain from unloading drivers.
+#
+# For further documentation, please see openvpn(8).
+#
+
+. /etc/rc.subr
+
+# service(8) does not create an authentic environment, try to guess,
+# and as of 10.3-RELEASE-p0, it will not find the indented name=
+# assignments below. So give it a default.
+# Trailing semicolon also for service(8)'s benefit:
+name="$file" ;
+
+case "$0" in
+/etc/rc*)
+ # during boot (shutdown) $0 is /etc/rc (/etc/rc.shutdown),
+ # so get the name of the script from $_file
+ name="$_file"
+ ;;
+*/service)
+ # do not use this as $0
+ ;;
+*)
+ name="$0"
+ ;;
+esac
+
+# default name to "openvpn" if guessing failed
+# Trailing semicolon also for service(8)'s benefit:
+name="${name:-openvpn}" ;
+name="${name##*/}"
+rcvar=${name}_enable
+
+stop_postcmd()
+{
+ rm -f "$pidfile" || warn "Could not remove $pidfile."
+}
+
+softrestart()
+{
+ sig_reload=USR1 run_rc_command reload
+ exit $?
+}
+
+openvpn_stats()
+{
+ sig_reload=USR2
+ run_rc_command ${rc_prefix}reload $rc_extra_args
+}
+
+# reload: support SIGHUP to reparse configuration file
+# softrestart: support SIGUSR1 to reconnect without superuser privileges
+# stats: support SIGUSR2 to write statistics to the syslog
+extra_commands="reload softrestart stats"
+softrestart_cmd="softrestart"
+stats_cmd="openvpn_stats"
+
+# pidfile
+pidfile="/var/run/${name}.pid"
+
+# command and arguments
+command="%%PREFIX%%/sbin/openvpn"
+
+# run this last
+stop_postcmd="stop_postcmd"
+
+load_rc_config ${name}
+
+eval ": \${${name}_enable:=\"NO\"}"
+eval ": \${${name}_configfile:=\"%%PREFIX%%/etc/openvpn/${name}.conf\"}"
+eval ": \${${name}_dir:=\"%%PREFIX%%/etc/openvpn\"}"
+
+configfile="$(eval echo \${${name}_configfile})"
+dir="$(eval echo \${${name}_dir})"
+interfaces="$(eval echo \${${name}_if})"
+flags="$(eval echo \${${name}_flags})"
+
+required_modules=
+for i in $interfaces ; do
+ required_modules="$required_modules${required_modules:+" "}if_${i#if_}"
+done
+
+required_files=${configfile}
+
+command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile} ${flags}"
+
+run_rc_command "$1"
diff --git a/security/openvpn/files/patch-doc_openvpn.8 b/security/openvpn25/files/patch-doc_openvpn.8
similarity index 100%
rename from security/openvpn/files/patch-doc_openvpn.8
rename to security/openvpn25/files/patch-doc_openvpn.8
diff --git a/security/openvpn/files/patch-doc_openvpn.8.html b/security/openvpn25/files/patch-doc_openvpn.8.html
similarity index 100%
rename from security/openvpn/files/patch-doc_openvpn.8.html
rename to security/openvpn25/files/patch-doc_openvpn.8.html
diff --git a/security/openvpn25/files/patch-sample__sample-config-files__loopback-client b/security/openvpn25/files/patch-sample__sample-config-files__loopback-client
new file mode 100644
index 000000000000..0b485a641d8a
--- /dev/null
+++ b/security/openvpn25/files/patch-sample__sample-config-files__loopback-client
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-client.orig 2016-08-23 14:16:22 UTC
++++ sample/sample-config-files/loopback-client
+@@ -9,8 +9,8 @@
+ # ./openvpn --config sample-config-files/loopback-client (In one window)
+ # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+-rport 16000
+-lport 16001
++rport 16100
++lport 16101
+ remote localhost
+ local localhost
+ dev null
diff --git a/security/openvpn25/files/patch-sample__sample-config-files__loopback-server b/security/openvpn25/files/patch-sample__sample-config-files__loopback-server
new file mode 100644
index 000000000000..58691b133de7
--- /dev/null
+++ b/security/openvpn25/files/patch-sample__sample-config-files__loopback-server
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-server.orig 2016-08-23 14:16:22 UTC
++++ sample/sample-config-files/loopback-server
+@@ -9,8 +9,8 @@
+ # ./openvpn --config sample-config-files/loopback-client (In one window)
+ # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
+
+-rport 16001
+-lport 16000
++rport 16101
++lport 16100
+ remote localhost
+ local localhost
+ dev null
diff --git a/security/openvpn/files/patch-src_openvpn_openssl__compat.h b/security/openvpn25/files/patch-src_openvpn_openssl__compat.h
similarity index 100%
rename from security/openvpn/files/patch-src_openvpn_openssl__compat.h
rename to security/openvpn25/files/patch-src_openvpn_openssl__compat.h
diff --git a/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c b/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c
new file mode 100644
index 000000000000..633bc0f0204d
--- /dev/null
+++ b/security/openvpn25/files/patch-src_plugins_auth-pam_auth-pam.c
@@ -0,0 +1,10 @@
+--- src/plugins/auth-pam/auth-pam.c.orig 2021-06-21 04:44:39 UTC
++++ src/plugins/auth-pam/auth-pam.c
+@@ -39,6 +39,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <limits.h>
+ #include <unistd.h>
+ #include <stdlib.h>
+ #include <sys/types.h>
diff --git a/security/openvpn25/files/patch-tests__t_cltsrv.sh b/security/openvpn25/files/patch-tests__t_cltsrv.sh
new file mode 100644
index 000000000000..9d0af3691c87
--- /dev/null
+++ b/security/openvpn25/files/patch-tests__t_cltsrv.sh
@@ -0,0 +1,65 @@
+--- tests/t_cltsrv.sh.orig 2016-08-23 13:10:22 UTC
++++ tests/t_cltsrv.sh
+@@ -1,7 +1,7 @@
+ #! /bin/sh
+ #
+ # t_cltsrv.sh - script to test OpenVPN's crypto loopback
+-# Copyright (C) 2005, 2006, 2008 Matthias Andree
++# Copyright (C) 2005 - 2014 Matthias Andree
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License
+@@ -22,8 +22,9 @@ set -e
+ srcdir="${srcdir:-.}"
+ top_srcdir="${top_srcdir:-..}"
+ top_builddir="${top_builddir:-..}"
+-trap "rm -f log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
+-trap "rm -f log.$$ log.$$.signal ; exit 1" 0 3
++root="${top_srcdir}/sample"
++trap "rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; trap 0 ; exit 77" 1 2 15
++trap "a=\$? ; rm -f ${root}/sample-config-files/loopback-*.test log.$$ log.$$.signal ; test \$a = 0 && exit 1 || exit \$a" 0 3
+ addopts=
+ case `uname -s` in
+ FreeBSD)
+@@ -45,18 +46,38 @@ esac
+ # make sure that the --down script is executable -- fail (rather than
+ # skip) test if it isn't.
+ downscript="../tests/t_cltsrv-down.sh"
+-root="${top_srcdir}/sample"
+ test -x "${root}/${downscript}" || chmod +x "${root}/${downscript}" || { echo >&2 "${root}/${downscript} is not executable, failing." ; exit 1 ; }
+ echo "The following test will take about two minutes." >&2
+ echo "If the addresses are in use, this test will retry up to two times." >&2
+
++set -- $(ifconfig lo0 | grep -E '\<inet' | head -n1)
++add=
++if [ "x$1$2" = "x" ] ; then
++ echo >&2 "### NO ADDRESSES ON LOOPBACK INTERFACE lo0, SKIPPING TEST ###"
++ exit 77
++fi
++if [ "inet6" = "$1" ] ; then
++ add='proto udp6 '
++fi
++for i in server client ; do
++ sed -e "s|localhost|${2%/*}|" -e "/^remote /a\\
++$add" ${root}/sample-config-files/loopback-$i \
++ >${root}/sample-config-files/loopback-$i.test
++done
++
+ # go
+ success=0
+ for i in 1 2 3 ; do
+ set +e
+ (
+- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${root}" ${addopts} --setenv role srv --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-server" &
+- "${top_builddir}/src/openvpn/openvpn" --script-security 2 --cd "${top_srcdir}/sample" ${addopts} --setenv role clt --down "${downscript}" --tls-exit --ping-exit 180 --config "sample-config-files/loopback-client"
++ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
++ --cd "${root}" ${addopts} --setenv role srv \
++ --down "${downscript}" --tls-exit --ping-exit 180 \
++ --config "sample-config-files/loopback-server.test" &
++ "${top_builddir}/src/openvpn/openvpn" --script-security 2 \
++ --cd "${top_srcdir}/sample" ${addopts} --setenv role clt \
++ --down "${downscript}" --tls-exit --ping-exit 180 \
++ --config "sample-config-files/loopback-client.test"
+ ) 3>log.$$.signal >log.$$ 2>&1
+ e1=$?
+ wait $!
diff --git a/security/openvpn25/files/pkg-message.in b/security/openvpn25/files/pkg-message.in
new file mode 100644
index 000000000000..c527aec28683
--- /dev/null
+++ b/security/openvpn25/files/pkg-message.in
@@ -0,0 +1,34 @@
+[
+{ type: install
+ message: <<EOM
+Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
+startup. See %%PREFIX%%/etc/rc.d/openvpn for details.
+
+Connect to VPN server as a client with this command to include
+the client.up/down scripts in the initialization:
+openvpn-client <spec>.ovpn
+
+For compatibility notes when interoperating with older OpenVPN
+versions, please see <http://openvpn.net/relnotes.html>
+
+Note that OpenVPN does not officially support LibreSSL.
+
+Note that OpenVPN configures a separate user and group "openvpn",
+which should be used instead of the NFS user "nobody"
+when an unprivileged user account is desired.
+
+You may want to add user openvpn and group openvpn when creating your
+configuration files, the example configuration shows this only as comments.
+EOM
+}
+{ type: upgrade
+ message: <<EOM
+Note that OpenVPN now configures a separate user and group "openvpn",
+which should be used instead of the NFS user "nobody"
+when an unprivileged user account is desired.
+
+It is advisable to review existing configuration files and
+to consider adding/changing user openvpn and group openvpn.
+EOM
+}
+]
diff --git a/security/openvpn25/files/up-script.sample b/security/openvpn25/files/up-script.sample
new file mode 100644
index 000000000000..2b9acee3dc85
--- /dev/null
+++ b/security/openvpn25/files/up-script.sample
@@ -0,0 +1,27 @@
+#!/bin/sh
+# OpenVPN simple up/down script for openresolvconf integration.
+# (C) Copyright 2016 Baptiste Daroussin
+# BSD 2-clause license.
+
+set -e +u
+: ${script_type:=down}
+case "${script_type}" in
+up)
+ i=1
+ while :; do
+ eval option=\"\$foreign_option_${i}\" || break
+ [ "${option}" ] || break
+ set -- ${option}
+ i=$((i + 1))
+ [ "$1" = "dhcp-option" ] || continue
+ case "$2" in
+ DNS) echo "nameserver ${3}" ;;
+ DOMAIN) echo "domain ${3}" ;;
+ DOMAIN-SEARCH) echo "search ${3}" ;;
+ esac
+ done | /sbin/resolvconf -a "${dev}"
+ ;;
+down)
+ /sbin/resolvconf -d "${dev}" -f
+ ;;
+esac
diff --git a/security/openvpn25/pkg-descr b/security/openvpn25/pkg-descr
new file mode 100644
index 000000000000..716b69051b64
--- /dev/null
+++ b/security/openvpn25/pkg-descr
@@ -0,0 +1,5 @@
+OpenVPN is a robust, scalable and highly configurable VPN (Virtual Private
+Network) daemon which can be used to securely link two or more private networks
+using an encrypted tunnel over the internet. It can operate over UDP or TCP,
+can use SSL or a pre-shared secret to authenticate peers, and in SSL mode, one
+server can handle many clients.
diff --git a/security/openvpn25/pkg-plist b/security/openvpn25/pkg-plist
new file mode 100644
index 000000000000..d247b39c1eed
--- /dev/null
+++ b/security/openvpn25/pkg-plist
@@ -0,0 +1,10 @@
+include/openvpn-msg.h
+include/openvpn-plugin.h
+lib/openvpn/plugins/openvpn-plugin-auth-pam.so
+lib/openvpn/plugins/openvpn-plugin-down-root.so
+libexec/openvpn-client.down
+libexec/openvpn-client.up
+man/man5/openvpn-examples.5.gz
+man/man8/openvpn.8.gz
+sbin/openvpn
+sbin/openvpn-client