pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/net update openvpn to 2.3.15



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1d667db74042
branches:  trunk
changeset: 362616:1d667db74042
user:      spz <spz%pkgsrc.org@localhost>
date:      Fri May 19 18:11:04 2017 +0000

description:
update openvpn to 2.3.15
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044

relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales%openvpn.net@localhost>

2017.05.11 -- Version 2.3.15
David Sommerseth (5):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)


2016.12.06 -- Version 2.3.14
Christian Hesse (1):
      update year in copyright message

David Sommerseth (1):
      Document the --auth-token option

Gert Doering (2):
      Repair topology subnet on FreeBSD 11
      Repair topology subnet on OpenBSD

Lev Stipakov (1):
      Drop recursively routed packets

Selva Nair (4):
      Support --block-outside-dns on multiple tunnels
      When parsing '--setenv opt xx ..' make sure a third parameter is present
      Map restart signals from event loop to SIGTERM during exit-notification wait
      Correctly state the default dhcp server address in man page

Steffan Karger (1):
      Clean up format_hex_ex()


2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
      Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
      Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer

David Sommerseth (4):
      t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
      t_client.sh: Add support for Kerberos/ksu
      t_client.sh: Improve detection if the OpenVPN process did start during tests
      t_client.sh: Add prepare/cleanup possibilities for each test case

Gert Doering (5):
      Do not abort t_client run if OpenVPN instance does not start.
      Fix t_client runs on OpenSolaris
      make t_client robust against sudoers misconfiguration
      add POSTINIT_CMD_suf to t_client.sh and sample config
      Fix --multihome for IPv6 on 64bit BSD systems.

Ilya Shipitsin (1):
      skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto

Lev Stipakov (2):
      Exclude peer-id from pulled options digest
      Fix compilation in pedantic mode

Samuli Seppänen (1):
      Automatically cache expected IPs for t_client.sh on the first run

Steffan Karger (6):
      Fix unittests for out-of-source builds
      Make gnu89 support explicit
      cleanup: remove code duplication in msg_test()
      Update cipher-related man page text
      Limit --reneg-bytes to 64MB when using small block ciphers
      Add a revoked cert to the sample keys


2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
      Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
      Move ASSERT so external-key with OpenSSL works again

David Sommerseth (3):
      Only build and run cmocka unit tests if its submodule is initialized
      Another fix related to unit test framework
      Remove NOP function and callers

Dorian Harmans (1):
      Add CHACHA20-POLY1305 ciphersuite IANA name translations.

Ivo Manca (1):
      Plug memory leak in mbedTLS backend

Jeffrey Cutter (1):
      Update contrib/pull-resolv-conf/client.up for no DOMAIN

Jens Neuhalfen (2):
      Add unit testing support via cmocka
      Add a test for auth-pam searchandreplace

Josh Cepek (1):
      Push an IPv6 CIDR mask used by the server, not the pool's size

Leon Klingele (1):
      Add link to bug tracker

Samuli Seppänen (2):
      Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
      Clarify the fact that build instructions in README are for release tarballs

Selva Nair (4):
      Make error non-fatal while deleting address using netsh
      Make block-outside-dns work with persist-tun
      Ignore SIGUSR1/SIGHUP during exit notification
      Promptly close the netcmd_semaphore handle after use

Steffan Karger (4):
      Fix polarssl / mbedtls builds
      Don't limit max incoming message size based on c2->frame
      Fix '--cipher none --cipher' crash
      Discourage using 64-bit block ciphers

diffstat:

 net/openvpn-acct-wtmpx/Makefile                |   3 +-
 net/openvpn-acct-wtmpx/distinfo                |  10 +++---
 net/openvpn-nagios/Makefile                    |   5 +-
 net/openvpn-nagios/distinfo                    |  10 +++---
 net/openvpn/Makefile                           |   3 +-
 net/openvpn/Makefile.common                    |   4 +-
 net/openvpn/distinfo                           |  12 +++---
 net/openvpn/patches/patch-src_openvpn_socket.c |  40 +++++++------------------
 8 files changed, 33 insertions(+), 54 deletions(-)

diffs (199 lines):

diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn-acct-wtmpx/Makefile
--- a/net/openvpn-acct-wtmpx/Makefile   Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn-acct-wtmpx/Makefile   Fri May 19 18:11:04 2017 +0000
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.7 2016/07/08 08:50:25 jperkin Exp $
+# $NetBSD: Makefile,v 1.8 2017/05/19 18:11:04 spz Exp $
 
 .include "../../net/openvpn/Makefile.common"
 
 DISTNAME=      openvpn-acct-wtmpx-20130210
 DISTFILES=     ${DISTNAME}${EXTRACT_SUFX} ${OPENVPN_DISTFILE}
-PKGREVISION=   3
 CATEGORIES=    net
 MASTER_SITES=  http://ftp.espci.fr/pub/openvpn-acct-wtmpx/
 EXTRACT_SUFX=  .tgz
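Review bot: Removing PKGREVISION=3 here looks like a version regression, because DISTNAME stays at openvpn-acct-wtmpx-20130210 in the same hunk. Unless PKGNAME is derived from the OpenVPN version somewhere outside the visible lines, the package goes from nb3 back to an unrevised name, and installed systems will not see the rebuild against the fixed 2.3.15 sources as an upgrade. For a plugin whose own version did not change, bump the revision (PKGREVISION= 4) rather than dropping it.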
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn-acct-wtmpx/distinfo
--- a/net/openvpn-acct-wtmpx/distinfo   Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn-acct-wtmpx/distinfo   Fri May 19 18:11:04 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.10 2016/07/08 08:50:25 jperkin Exp $
+$NetBSD: distinfo,v 1.11 2017/05/19 18:11:04 spz Exp $
 
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
 SHA1 (openvpn-acct-wtmpx-20130210.tgz) = cf7bc26b12a65493cdf5db93b03bbb938a2f0f33
 RMD160 (openvpn-acct-wtmpx-20130210.tgz) = d9000789f04606bfa17db1597a45a4235b1119ea
 SHA512 (openvpn-acct-wtmpx-20130210.tgz) = 7b8fd4929e65d8d84158f62e5a17ff3adb3b4a6cff63b29038acfb368750719f2f593786ed9b02402824c19d872b188d2a46740a5c5f853e8873a71481b13aaf
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn-nagios/Makefile
--- a/net/openvpn-nagios/Makefile       Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn-nagios/Makefile       Fri May 19 18:11:04 2017 +0000
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.6 2016/07/08 08:50:55 jperkin Exp $
+# $NetBSD: Makefile,v 1.7 2017/05/19 18:11:04 spz Exp $
 
 .include "../../net/openvpn/Makefile.common"
 
 DISTNAME=      openvpn-nagios-20130210
 DISTFILES=     ${DISTNAME}${EXTRACT_SUFX} ${OPENVPN_DISTFILE}
-PKGREVISION=   4
 CATEGORIES=    net
 MASTER_SITES=  http://ftp.espci.fr/pub/openvpn-nagios/
 EXTRACT_SUFX=  .tgz
@@ -25,7 +24,7 @@
 PLIST_SUBST+=  OPENVPN_PLUGINSDIR=${OPENVPN_PLUGINSDIR:Q}
 MESSAGE_SUBST+=        OPENVPN_PLUGINSDIR=${PREFIX:Q}/${OPENVPN_PLUGINSDIR:Q}
 
-DEPENDS+=      openvpn>=2.3.0:../../net/openvpn
+DEPENDS+=      openvpn>=2.3.0<2.4:../../net/openvpn
 
 .include "../../security/openssl/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
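Review bot: The new upper bound in DEPENDS (openvpn>=2.3.0<2.4) has no comment saying why 2.4 is excluded, and the commit message does not mention it either. Add a one-line comment above the DEPENDS line stating the incompatibility, so the bound can be lifted when it no longer applies. The openvpn-acct-wtmpx diff in this same changeset gets no matching bound; confirm whether that plugin needs one too. Separately, the lower bound still admits 2.3.0 through 2.3.14, so this dependency does not by itself pull in the release that fixes CVE-2017-7478 and CVE-2017-7479.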
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn-nagios/distinfo
--- a/net/openvpn-nagios/distinfo       Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn-nagios/distinfo       Fri May 19 18:11:04 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.7 2016/07/08 08:50:55 jperkin Exp $
+$NetBSD: distinfo,v 1.8 2017/05/19 18:11:04 spz Exp $
 
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
 SHA1 (openvpn-nagios-20130210.tgz) = 8a0fd4e3eba27584aa53c5589c13d4b38af43ba2
 RMD160 (openvpn-nagios-20130210.tgz) = 2a47893ec2db2c280adc7b9fbbea97794ec1a6f4
 SHA512 (openvpn-nagios-20130210.tgz) = 80e565f32379c39eb6c7f3b4744af221ae882ff07dce9dae5bd7feb73b0edcfc7c7ac7f70d23fdcd4f492b66f095f09833deb122449840b36ea606ce91900358
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn/Makefile
--- a/net/openvpn/Makefile      Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn/Makefile      Fri May 19 18:11:04 2017 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.60 2016/09/19 13:04:25 wiz Exp $
+# $NetBSD: Makefile,v 1.61 2017/05/19 18:11:04 spz Exp $
 
 DISTNAME=      ${OPENVPN_DISTNAME}
-PKGREVISION=   1
 CATEGORIES=    net
 MASTER_SITES=  ${OPENVPN_MASTER_SITES}
 EXTRACT_SUFX=  .tar.xz
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn/Makefile.common
--- a/net/openvpn/Makefile.common       Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn/Makefile.common       Fri May 19 18:11:04 2017 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile.common,v 1.5 2016/07/08 08:49:41 jperkin Exp $
+# $NetBSD: Makefile.common,v 1.6 2017/05/19 18:11:04 spz Exp $
 
 # used by net/openvpn/Makefile
 # used by net/openvpn-acct-wtmpx/Makefile
 # used by net/openvpn-nagios/Makefile
 
-OPENVPN_DISTNAME=      openvpn-2.3.11
+OPENVPN_DISTNAME=      openvpn-2.3.15
 OPENVPN_DISTFILE=      ${OPENVPN_DISTNAME}.tar.xz
 OPENVPN_MASTER_SITES=  http://swupdate.openvpn.net/community/releases/
 SITES.${OPENVPN_DISTFILE}=     ${OPENVPN_MASTER_SITES}
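Review bot: OPENVPN_MASTER_SITES, in the context lines just below the changed OPENVPN_DISTNAME, is still a plain http:// URL, so the authenticity of the 2.3.15 tarball rests entirely on the distinfo digests updated in this commit. Since this is a security update, say in the commit message how the new digests were verified (for example against the upstream release signature), and consider moving the URL to https if the mirror offers it.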
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn/distinfo
--- a/net/openvpn/distinfo      Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn/distinfo      Fri May 19 18:11:04 2017 +0000
@@ -1,13 +1,13 @@
-$NetBSD: distinfo,v 1.33 2016/07/08 08:49:41 jperkin Exp $
+$NetBSD: distinfo,v 1.34 2017/05/19 18:11:04 spz Exp $
 
-SHA1 (openvpn-2.3.11.tar.xz) = 48ba3ada2da84be4cf66ffbd35a66d4ce30e0e5b
-RMD160 (openvpn-2.3.11.tar.xz) = cfaf087bfb9d562b6028a225c43000fbe96041ce
-SHA512 (openvpn-2.3.11.tar.xz) = 1fd2798beca074f0a094efbd4a9260f8a62d488afacb023b3f867698e6177bfc02702209e8c7f300ba8c662d292c65dc05d3f2cf615ebb91b90d4798fd3b99cd
-Size (openvpn-2.3.11.tar.xz) = 833496 bytes
+SHA1 (openvpn-2.3.15.tar.xz) = 3f74ee6baab32306c131a6e63f0d77e92d12d4ec
+RMD160 (openvpn-2.3.15.tar.xz) = 5cf7f6ef9ffea3f7c804f37c851f5a693f5f869a
+SHA512 (openvpn-2.3.15.tar.xz) = 749f1ca86923287c7e28dcea182e98b3a78648c0df8cf831f5fe41d859a0d822ba4691eb8587c24ae5078325c87c8397921a3655b2207d5b1fecc177ad560dec
+Size (openvpn-2.3.15.tar.xz) = 863384 bytes
 SHA1 (patch-ac) = 3071423ae978dd7d1d79cb140325bde96ba8d21b
 SHA1 (patch-ad) = 1e2c34a37157ff9c091e0120817a8c8bae9aef4e
 SHA1 (patch-ae) = fce5d2b7c8ef830cba3df4408af79301f347cafd
 SHA1 (patch-af) = 8d728c36a6eccdebf6c7e5a02d457903b255f4fb
 SHA1 (patch-src_compat_compat-basename.c) = 45a58ef2e05f6e0265f229da8540760e60e65143
-SHA1 (patch-src_openvpn_socket.c) = 74668d39f5e6fdab64825d38d4b287c8004f5af3
+SHA1 (patch-src_openvpn_socket.c) = d091fdf614c7673755b9f1fdbdd11ce33276cfda
 SHA1 (patch-src_openvpn_socket.h) = b4b952af347e0f2d0aff307a5025b3d27a2e6ee5
diff -r 2e33b01d5699 -r 1d667db74042 net/openvpn/patches/patch-src_openvpn_socket.c
--- a/net/openvpn/patches/patch-src_openvpn_socket.c    Fri May 19 18:00:38 2017 +0000
+++ b/net/openvpn/patches/patch-src_openvpn_socket.c    Fri May 19 18:11:04 2017 +0000
@@ -1,10 +1,10 @@
-$NetBSD: patch-src_openvpn_socket.c,v 1.2 2014/07/20 17:43:29 adam Exp $
+$NetBSD: patch-src_openvpn_socket.c,v 1.3 2017/05/19 18:11:04 spz Exp $
 
 Fix for systems without ipi_spec_dst in struct in_pktinfo.
 
---- src/openvpn/socket.c.orig  2014-05-01 11:12:22.000000000 +0000
+--- src/openvpn/socket.c.orig  2017-05-11 10:34:40.000000000 +0000
 +++ src/openvpn/socket.c
-@@ -654,7 +654,7 @@ create_socket_udp (const unsigned int fl
+@@ -650,7 +650,7 @@ create_socket_udp (const unsigned int fl
    else if (flags & SF_USE_IP_PKTINFO)
      {
        int pad = 1;
@@ -13,7 +13,7 @@
        if (setsockopt (sd, SOL_IP, IP_PKTINFO,
                      (void*)&pad, sizeof(pad)) < 0)
          msg(M_ERR, "UDP: failed setsockopt for IP_PKTINFO");
-@@ -2254,7 +2254,7 @@ print_link_socket_actual_ex (const struc
+@@ -2263,7 +2263,7 @@ print_link_socket_actual_ex (const struc
                  struct openvpn_sockaddr sa;
                  CLEAR (sa);
                  sa.addr.in4.sin_family = AF_INET;
@@ -22,39 +22,21 @@
                  sa.addr.in4.sin_addr = act->pi.in4.ipi_spec_dst;
                  if_indextoname(act->pi.in4.ipi_ifindex, ifname);
  #elif defined(IP_RECVDSTADDR)
-@@ -2651,7 +2651,7 @@ link_socket_read_tcp (struct link_socket
- struct openvpn_in4_pktinfo
- {
-   struct cmsghdr cmsghdr;
--#ifdef HAVE_IN_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
-   struct in_pktinfo pi4;
- #elif defined(IP_RECVDSTADDR)
-   struct in_addr pi4;
-@@ -2696,7 +2696,7 @@ link_socket_read_udp_posix_recvmsg (stru
-       cmsg = CMSG_FIRSTHDR (&mesg);
-       if (cmsg != NULL
-         && CMSG_NXTHDR (&mesg, cmsg) == NULL
--#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
-         && cmsg->cmsg_level == SOL_IP 
-         && cmsg->cmsg_type == IP_PKTINFO
- #elif defined(IP_RECVDSTADDR)
-@@ -2707,7 +2707,7 @@ link_socket_read_udp_posix_recvmsg (stru
+@@ -2721,7 +2721,7 @@ link_socket_read_udp_posix_recvmsg (stru
+ #error ENABLE_IP_PKTINFO is set without IP_PKTINFO xor IP_RECVDSTADDR (fix syshead.h)
  #endif
-         && cmsg->cmsg_len >= sizeof (struct openvpn_in4_pktinfo))
        {
 -#ifdef IP_PKTINFO
-+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
++#if defined(IP_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
          struct in_pktinfo *pkti = (struct in_pktinfo *) CMSG_DATA (cmsg);
          from->pi.in4.ipi_ifindex = pkti->ipi_ifindex;
          from->pi.in4.ipi_spec_dst = pkti->ipi_spec_dst;
-@@ -2802,7 +2802,7 @@ link_socket_write_udp_posix_sendmsg (str
+@@ -2814,7 +2814,7 @@ link_socket_write_udp_posix_sendmsg (str
          mesg.msg_namelen = sizeof (struct sockaddr_in);
-         mesg.msg_control = &opi;
+         mesg.msg_control = pktinfo_buf;
          mesg.msg_flags = 0;
 -#ifdef HAVE_IN_PKTINFO
 +#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
-         mesg.msg_controllen = sizeof (struct openvpn_in4_pktinfo);
+         mesg.msg_controllen = CMSG_SPACE(sizeof (struct in_pktinfo));
          cmsg = CMSG_FIRSTHDR (&mesg);
-         cmsg->cmsg_len = sizeof (struct openvpn_in4_pktinfo);
+         cmsg->cmsg_len = CMSG_LEN(sizeof (struct in_pktinfo));


