git: 7cbf21ebf86d - 2021Q4 - security/openvpn: license incompat mbedTLS, LZO+LibreSSL

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Sat, 11 Dec 2021 12:50:55 UTC
The branch 2021Q4 has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7cbf21ebf86d3aed14016c1e7fb3060d302352fe

commit 7cbf21ebf86d3aed14016c1e7fb3060d302352fe
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-12-11 12:38:37 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-12-11 12:45:20 +0000

    security/openvpn: license incompat mbedTLS, LZO+LibreSSL
    
    After reviewing licenses again,
    - mark mbedTLS broken for now, since it uses the Apache License 2.0,
      which is incompatible with the GPLv2 (OpenVPN does not employ the
      "or any later version" escape hatch). This will be handed to the
      OpenVPN-devel mailing list for review.
    
    - block out the combination of LZO with LibreSSL, since OpenVPN
      only has a linking exception for OpenSSL itself. Remedy is
      to either forgo LibreSSL, or to disable the LZO option, which
      requires proper configuration on either end. The maintainer's
      recommendation is to compile with OpenSSL instead.
    
    Bump PORTREVISION in spite of unchanged contents to flush out old
    packages.
    
    MFH:            2021Q4
    (cherry picked from commit 5cc978dcfe58a52b9a163e080d855b022ac22545)
---
 security/openvpn/Makefile | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 0c571b012fd6..ff080990626c 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=		openvpn
 DISTVERSION=		2.5.4
-PORTREVISION?=		1
+PORTREVISION?=		2
 CATEGORIES=		security net net-vpn
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/ \
@@ -43,7 +43,8 @@ OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
 ASYNC_PUSH_DESC=	Enable async-push support
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
-MBEDTLS_DESC=		SSL/TLS via mbedTLS (lacks TLS v1.3)
+LZO_DESC=		LZO compression support (incompatible with LibreSSL)
+MBEDTLS_DESC=		LICENSE BROKEN - SSL/TLS via mbedTLS (lacks TLS v1.3)
 PKCS11_DESC=		Use security/pkcs11-helper (OpenSSL only)
 SMALL_DESC=		Build a smaller executable with fewer features
 TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
@@ -93,16 +94,38 @@ CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MMBEDTLS}
+BROKEN_FreeBSD_14=      OpenVPN-mbedTLS fails on FreeBSD 14
+BROKEN=		License under clarification, OpenVPN is GPLv2-only and mbedTLS under Apache License 2.0, which are incompatible
 _tlslibs=libmbedtls libmbedx509 libmbedcrypto
 .else
 # OpenSSL
 _tlslibs=libssl libcrypto
 .endif
 
+.if ${PORT_OPTIONS:MLZO}
+IGNORE_SSL=libressl libressl-devel
+IGNORE_SSL_REASON=OpenVPN does not have permission to include LZO with LibreSSL. Compile against OpenSSL, or if your setups support it, disable LZO support
+.endif
+
 .if ! ${PORT_OPTIONS:MLZ4} && ! ${PORT_OPTIONS:MLZO}
 CONFIGURE_ARGS+=	--enable-comp-stub
 .endif
 
+.include <bsd.port.pre.mk>
+
+.if !empty(PORT_OPTIONS:MLZO) && !empty(SSL_DEFAULT:Nbase:Nopenssl*)
+# in-depth security net if Mk/Uses/ssl.mk changes
+pre-everything::
+	@${ECHO_CMD} >&2 "ERROR: OpenVPN is not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL. Compile against OpenSSL, or if your setups support it, disable LZO support."
+	@${SHELL} -c 'exit 1'
+.endif
+
+.if !empty(PORT_OPTIONS:MMBEDTLS)
+pre-everything::
+	@${ECHO_CMD} >&2 "License under clarification, OpenVPN is GPLv2-only and mbedTLS under Apache License 2.0, which are incompatible."
+	@${SHELL} -c 'exit 1'
+.endif
+
 post-patch:
 	${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
 		-e 's/"nobody"( after init)/"openvpn" \1/' \
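Review bot: The second `pre-everything::` guard (the MBEDTLS one) carries no comment, unlike the LZO guard above it, and it repeats the text already assigned to `BROKEN=` earlier in this hunk, so the reason for blocking the build twice is not recorded. If the intent is a hard stop on top of `BROKEN`, a line such as `# hard stop in addition to BROKEN: licence conflict, not a build failure` would say so. The LZO guard's message ("not licensed to combine LZO with other OpenSSL-licensed libraries than OpenSSL") is worded differently from `IGNORE_SSL_REASON` for the same condition, and reusing that variable's wording would keep the two in step. Both guards could end with `@${FALSE}` rather than `@${SHELL} -c 'exit 1'`. The `post-patch` recipe at the end of the hunk continues outside it.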
@@ -161,4 +184,4 @@ post-install-EXAMPLES-on:
 	${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
 	${RM} ${STAGEDIR}${EXAMPLESDIR}/sample-config-files/*.orig
 
-.include <bsd.port.mk>
+.include <bsd.port.post.mk>