-rw-r--r-- | net-misc/openvpn/ChangeLog | 8 | ||||
-rw-r--r-- | net-misc/openvpn/files/digest-openvpn-2.1_rc4-r2 | 6 | ||||
-rw-r--r-- | net-misc/openvpn/files/openvpn-2.1_rc4-ip6-mss.patch | 311 | ||||
-rw-r--r-- | net-misc/openvpn/openvpn-2.1_rc4-r2.ebuild | 159 |
4 files changed, 483 insertions, 1 deletions
diff --git a/net-misc/openvpn/ChangeLog b/net-misc/openvpn/ChangeLog
index 7e31afe87ca1..cd0b792f93cd 100644
--- a/net-misc/openvpn/ChangeLog
+++ b/net-misc/openvpn/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for net-misc/openvpn
 # Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/ChangeLog,v 1.114 2007/07/09 15:37:47 uberlord Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/ChangeLog,v 1.115 2007/08/16 15:06:56 uberlord Exp $
+
+*openvpn-2.1_rc4-r2 (16 Aug 2007)
+
+ 16 Aug 2007; Roy Marples <uberlord@gentoo.org>
+ +files/openvpn-2.1_rc4-ip6-mss.patch, +openvpn-2.1_rc4-r2.ebuild:
+ Add a patch to fix mss for IPv6.
 09 Jul 2007; Roy Marples <uberlord@gentoo.org> openvpn-2.1_rc4.ebuild,
 openvpn-2.1_rc4-r1.ebuild:
diff --git a/net-misc/openvpn/files/digest-openvpn-2.1_rc4-r2 b/net-misc/openvpn/files/digest-openvpn-2.1_rc4-r2
new file mode 100644
index 000000000000..56dcf25ffe7f
--- /dev/null
+++ b/net-misc/openvpn/files/digest-openvpn-2.1_rc4-r2
@@ -0,0 +1,6 @@
+MD5 225d07591c239977d874fa3e7b495506 openvpn-2.1-udp6.patch.bz2 16625
+RMD160 58f7fa1e9eebdfb267782f409b162e84f227faf8 openvpn-2.1-udp6.patch.bz2 16625
+SHA256 e98bd77e3098a203b23dde34847ba9647f8f0c75d432559d1c3fb1e9ada66322 openvpn-2.1-udp6.patch.bz2 16625
+MD5 9fffc0aa0f797b612fa4f52b1e92197b openvpn-2.1_rc4.tar.gz 803125
+RMD160 d9843c2fb6fda64b5cf9474f42b36068bb4cd845 openvpn-2.1_rc4.tar.gz 803125
+SHA256 5d14e101c40e396250727fae7ee9ab734edd4e6e7f55b8209e0e215423775ff3 openvpn-2.1_rc4.tar.gz 803125
diff --git a/net-misc/openvpn/files/openvpn-2.1_rc4-ip6-mss.patch b/net-misc/openvpn/files/openvpn-2.1_rc4-ip6-mss.patch
new file mode 100644
index 000000000000..596bacf84ee3
--- /dev/null
+++ b/net-misc/openvpn/files/openvpn-2.1_rc4-ip6-mss.patch
@@ -0,0 +1,311 @@
+diff -ur a/forward.c b/forward.c
+--- a/forward.c 2007-04-25 22:38:46 +0100
++++ b/forward.c 2007-08-01 17:55:20 +0100
+@@ -942,7 +942,7 @@
+ * The --passtos and --mssfix options require
+ * us to examine the IPv4 header.
+ */
+- process_ipv4_header (c, PIPV4_PASSTOS|PIPV4_MSSFIX, &c->c2.buf);
++ process_ip_header (c, PIPV4_PASSTOS|PIPV4_MSSFIX, &c->c2.buf);
+ 
+ #ifdef PACKET_TRUNCATION_CHECK
+ /* if (c->c2.buf.len > 1) --c->c2.buf.len; */
+@@ -964,7 +964,7 @@
+ }
+ 
+ void
+-process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf)
++process_ip_header (struct context *c, unsigned int flags, struct buffer *buf)
+ {
+ if (!c->options.mssfix)
+ flags &= ~PIPV4_MSSFIX;
+@@ -986,17 +986,22 @@
+ #endif
+ {
+ struct buffer ipbuf = *buf;
+- if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), &ipbuf))
++ switch (get_ipversion(TUNNEL_TYPE (c->c1.tuntap), &ipbuf))
+ {
++ case OPENVPN_PROTO_IPV4:
+ #if PASSTOS_CAPABILITY
+- /* extract TOS from IP header */
+- if (flags & PIPV4_PASSTOS)
+- link_socket_extract_tos (c->c2.link_socket, &ipbuf);
+-#endif
+-
+- /* possibly alter the TCP MSS */
+- if (flags & PIPV4_MSSFIX)
+- mss_fixup (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame)));
++ /* extract TOS from IP header */
++ if (flags & PIPV4_PASSTOS)
++ link_socket_extract_tos (c->c2.link_socket, &ipbuf);
++#endif
++ /* possibly alter the TCP MSS */
++ if (flags & PIPV4_MSSFIX)
++ mss_fixup_ipv4 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame)));
++ break;
++ case OPENVPN_PROTO_IPV6:
++ if (flags & PIPV4_MSSFIX)
++ mss_fixup_ipv6 (&ipbuf, MTU_TO_MSS (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame)));
++ 
+ }
+ }
+ }
+@@ -1145,7 +1150,7 @@
+ * The --mssfix option requires
+ * us to examine the IPv4 header.
+ */
+- process_ipv4_header (c, PIPV4_MSSFIX|PIPV4_OUTGOING, &c->c2.to_tun);
++ process_ip_header (c, PIPV4_MSSFIX|PIPV4_OUTGOING, &c->c2.to_tun);
+ 
+ if (c->c2.to_tun.len <= MAX_RW_SIZE_TUN (&c->c2.frame))
+ {
+diff -ur a/forward.h b/forward.h
+--- a/forward.h 2007-04-25 22:38:46 +0100
++++ b/forward.h 2007-08-01 17:54:10 +0100
+@@ -76,7 +76,7 @@
+ #define PIPV4_MSSFIX (1<<1)
+ #define PIPV4_OUTGOING (1<<2)
+ 
+-void process_ipv4_header (struct context *c, unsigned int flags, struct buffer *buf);
++void process_ip_header (struct context *c, unsigned int flags, struct buffer *buf);
+ 
+ #if P2MP
+ void schedule_exit (struct context *c, const int n_seconds);
+diff -ur a/mroute.c b/mroute.c
+--- a/mroute.c 2007-08-01 17:57:36 +0100
++++ b/mroute.c 2007-08-01 17:54:10 +0100
+@@ -101,9 +101,9 @@
+ switch (OPENVPN_IPH_GET_VER (*BPTR(buf)))
+ {
+ case 4:
+- if (BLEN (buf) >= (int) sizeof (struct openvpn_iphdr))
++ if (BLEN (buf) >= (int) sizeof (struct openvpn_ip4hdr))
+ {
+- const struct openvpn_iphdr *ip = (const struct openvpn_iphdr *) BPTR (buf);
++ const struct openvpn_ip4hdr *ip = (const struct openvpn_ip4hdr *) BPTR (buf);
+ if (src)
+ {
+ src->type = MR_ADDR_IPV4;
+diff -ur a/mss.c b/mss.c
+--- a/mss.c 2007-04-25 22:38:46 +0100
++++ b/mss.c 2007-08-01 17:54:10 +0100
+@@ -39,16 +39,16 @@
+ * encapsulation.
+ */
+ void
+-mss_fixup (struct buffer *buf, int maxmss)
++mss_fixup_ipv4 (struct buffer *buf, int maxmss)
+ {
+- const struct openvpn_iphdr *pip;
++ const struct openvpn_ip4hdr *pip;
+ int hlen;
+ 
+- if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr))
++ if (BLEN (buf) < (int) sizeof (struct openvpn_ip4hdr))
+ return;
+ 
+ verify_align_4 (buf);
+- pip = (struct openvpn_iphdr *) BPTR (buf);
++ pip = (struct openvpn_ip4hdr *) BPTR (buf);
+ 
+ hlen = OPENVPN_IPH_GET_LEN (pip->version_len);
+ 
+@@ -70,6 +70,31 @@
+ }
+ 
+ void
++mss_fixup_ipv6 (struct buffer *buf, int maxmss)
++{
++ const struct openvpn_ip6hdr *pip;
++ if (BLEN (buf) < (int) sizeof (struct openvpn_ip6hdr))
++ return;
++ 
++ verify_align_4 (buf);
++ pip = (struct openvpn_ip6hdr *) BPTR (buf);
++ if (pip->ip6_ctlun.ip6_un1.ip6_un1_nxt == OPENVPN_IPPROTO_TCP
++ && ntohs (pip->ip6_ctlun.ip6_un1.ip6_un1_plen)
++ == BLEN (buf) - sizeof(struct openvpn_ip6hdr)
++ && BLEN(buf) - sizeof(struct openvpn_ip6hdr)
++ >= (int) sizeof (struct openvpn_tcphdr))
++ {
++ struct buffer newbuf = *buf;
++ if (buf_advance (&newbuf, sizeof(struct openvpn_ip6hdr)))
++ {
++ struct openvpn_tcphdr *tc = (struct openvpn_tcphdr *) BPTR (&newbuf);
++ if (tc->flags & OPENVPN_TCPH_SYN_MASK)
++ mss_fixup_dowork (&newbuf, (uint16_t) maxmss);
++ }
++ }
++}
++ 
++void
+ mss_fixup_dowork (struct buffer *buf, uint16_t maxmss)
+ {
+ int hlen, olen, optlen;
+@@ -118,3 +143,4 @@
+ }
+ }
+ }
++ 
+diff -ur a/mss.h b/mss.h
+--- a/mss.h 2007-04-25 22:38:46 +0100
++++ b/mss.h 2007-08-01 17:54:10 +0100
+@@ -28,7 +28,8 @@
+ #include "proto.h"
+ #include "error.h"
+ 
+-void mss_fixup (struct buffer *buf, int maxmss);
++void mss_fixup_ipv4 (struct buffer *buf, int maxmss);
++void mss_fixup_ipv6 (struct buffer *buf, int maxmss);
+ void mss_fixup_dowork (struct buffer *buf, uint16_t maxmss);
+ 
+ #endif
+diff -ur a/multi.c b/multi.c
+--- a/multi.c 2007-08-01 17:57:36 +0100
++++ b/multi.c 2007-08-01 17:54:10 +0100
+@@ -1984,7 +1984,7 @@
+ item.instance->context.c2.buf = item.buffer->buf;
+ if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
+ pipv4_flags |= PIPV4_MSSFIX;
+- process_ipv4_header (&item.instance->context, pipv4_flags, &item.instance->context.c2.buf);
++ process_ip_header (&item.instance->context, pipv4_flags, &item.instance->context.c2.buf);
+ encrypt_sign (&item.instance->context, true);
+ mbuf_free_buf (item.buffer);
+ 
+diff -ur a/proto.c b/proto.c
+--- a/proto.c 2007-04-25 22:38:46 +0100
++++ b/proto.c 2007-08-01 17:54:10 +0100
+@@ -39,39 +39,43 @@
+ * If raw tunnel packet is IPv4, return true and increment
+ * buffer offset to start of IP header.
+ */
+-bool
+-is_ipv4 (int tunnel_type, struct buffer *buf)
++int
++get_ipversion (int tunnel_type, struct buffer *buf)
+ {
+ int offset;
+- const struct openvpn_iphdr *ih;
++ uint8_t version;
+ 
+ verify_align_4 (buf);
+ if (tunnel_type == DEV_TYPE_TUN)
+ {
+- if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr))
+- return false;
++ if (BLEN (buf) < (int) sizeof (struct openvpn_ip4hdr))
++ return OPENVPN_PROTO_UNK;
+ offset = 0;
+ }
+ else if (tunnel_type == DEV_TYPE_TAP)
+ {
+ const struct openvpn_ethhdr *eh;
+ if (BLEN (buf) < (int)(sizeof (struct openvpn_ethhdr)
+- + sizeof (struct openvpn_iphdr)))
++ + sizeof (struct openvpn_ip4hdr)))
+ return false;
+ eh = (const struct openvpn_ethhdr *) BPTR (buf);
+- if (ntohs (eh->proto) != OPENVPN_ETH_P_IPV4)
+- return false;
++ if (!(ntohs (eh->proto) == OPENVPN_ETH_P_IPV4 ||
++ ntohs (eh->proto) == OPENVPN_ETH_P_IPV6 ))
++ return OPENVPN_PROTO_UNK;
+ offset = sizeof (struct openvpn_ethhdr);
+ }
+ else
+- return false;
+-
+- ih = (const struct openvpn_iphdr *) (BPTR (buf) + offset);
++ return OPENVPN_PROTO_UNK;
+ 
+- if (OPENVPN_IPH_GET_VER (ih->version_len) == 4)
+- return buf_advance (buf, offset);
++ version = (*((uint8_t *)(BPTR (buf) + offset)) >> 4) & 0xf;
++ if (version == OPENVPN_PROTO_IPV4 || version == OPENVPN_PROTO_IPV6)
++ {
++ if (!buf_advance (buf, offset))
++ return OPENVPN_PROTO_UNK;
++ return version;
++ }
+ else
+- return false;
++ return OPENVPN_PROTO_UNK;
+ }
+ 
+ #ifdef PACKET_TRUNCATION_CHECK
+diff -ur a/proto.h b/proto.h
+--- a/proto.h 2007-04-25 22:38:46 +0100
++++ b/proto.h 2007-08-01 17:54:10 +0100
+@@ -62,7 +62,7 @@
+ uint16_t proto; /* packet type ID field */
+ };
+ 
+-struct openvpn_iphdr {
++struct openvpn_ip4hdr {
+ # define OPENVPN_IPH_GET_VER(v) (((v) >> 4) & 0x0F)
+ # define OPENVPN_IPH_GET_LEN(v) (((v) & 0x0F) << 2)
+ uint8_t version_len;
+@@ -87,6 +87,27 @@
+ /*The options start here. */
+ };
+ 
++struct openvpn_in6_addr {
++ union {
++ uint8_t __u6_addr8[16];
++ uint16_t __u6_addr16[8];
++ uint32_t __u6_addr32[4];
++ } __u6_addr; /* 128-bit IP6 address */
++};
++struct openvpn_ip6hdr {
++ union {
++ struct ip6_hdrctl {
++ uint32_t ip6_un1_flow; /* 20 bits of flow-ID */
++ uint16_t ip6_un1_plen; /* payload length */
++ uint8_t ip6_un1_nxt; /* next header */
++ uint8_t ip6_un1_hlim; /* hop limit */
++ } ip6_un1;
++ uint8_t ip6_un2_vfc; /* 4 bits version, top 4 bits class */
++ } ip6_ctlun;
++ struct openvpn_in6_addr ip6_src; /* source address */
++ struct openvpn_in6_addr ip6_dst; /* destination address */
++};
++ 
+ /*
+ * UDP header
+ */
+@@ -159,14 +180,19 @@
+ *
+ * (RFC 879, section 7).
+ */
+-#define MTU_TO_MSS(mtu) (mtu - sizeof(struct openvpn_iphdr) \
++#define MTU_TO_MSS(mtu) (mtu - sizeof(struct openvpn_ip4hdr) \
+ - sizeof(struct openvpn_tcphdr))
+ 
+ /*
+- * If raw tunnel packet is IPv4, return true and increment
++ * Check if raw tunnel packet is IPv4 or IPv6,
++ * return the version and increment
+ * buffer offset to start of IP header.
+ */
+-bool is_ipv4 (int tunnel_type, struct buffer *buf);
++ 
++#define OPENVPN_PROTO_IPV6 6
++#define OPENVPN_PROTO_IPV4 4
++#define OPENVPN_PROTO_UNK 0
++int get_ipversion(int tunnel_type, struct buffer *buf);
+ 
+ #ifdef PACKET_TRUNCATION_CHECK
+ void ipv4_packet_size_verify (const uint8_t *data,
+diff -ur a/socket.h b/socket.h
+--- a/socket.h 2007-08-01 17:57:36 +0100
++++ b/socket.h 2007-08-01 17:54:10 +0100
+@@ -1009,7 +1009,7 @@
+ {
+ if (ls && ipbuf)
+ {
+- struct openvpn_iphdr *iph = (struct openvpn_iphdr *) BPTR (ipbuf);
++ struct openvpn_ip4hdr *iph = (struct openvpn_ip4hdr *) BPTR (ipbuf);
+ ls->ptos = iph->tos;
+ ls->ptos_defined = true;
+ }
diff --git a/net-misc/openvpn/openvpn-2.1_rc4-r2.ebuild b/net-misc/openvpn/openvpn-2.1_rc4-r2.ebuild
new file mode 100644
index 000000000000..5e76df3d5504
--- /dev/null
+++ b/net-misc/openvpn/openvpn-2.1_rc4-r2.ebuild
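Review bot: The `OPENVPN_PROTO_IPV6` case of `process_ip_header` in the forward.c hunk clamps the MSS with `MTU_TO_MSS`, but that macro, as rewritten in the proto.h hunk, subtracts `sizeof(struct openvpn_ip4hdr)`, so for IPv6 the limit is too generous by the 20 bytes that a fixed IPv6 header is longer than an option-less IPv4 one, and a TCP-over-IPv6 SYN can still negotiate segments that exceed the tunnel MTU. I would add an IPv6 variant next to it, e.g. `#define MTU_TO_MSS_IPV6(mtu) (mtu - sizeof(struct openvpn_ip6hdr) - sizeof(struct openvpn_tcphdr))`, and call `mss_fixup_ipv6 (&ipbuf, MTU_TO_MSS_IPV6 (TUN_MTU_SIZE_DYNAMIC (&c->c2.frame)));` in that case. In the proto.c hunk the TAP short-buffer path of `get_ipversion` still does `return false;` while every other early exit returns `OPENVPN_PROTO_UNK` (same value now that the function returns `int`, but inconsistent), and the comment above the function still says "If raw tunnel packet is IPv4, return true" although the proto.h copy was updated. `mss_fixup_ipv6` only acts when `ip6_un1_plen` equals the bytes left after the fixed header, so packets carrying extension headers are deliberately left untouched; a one-line comment such as `/* extension headers are not parsed; such packets are left alone */` would make that intent explicit.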
@@ -0,0 +1,159 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openvpn/openvpn-2.1_rc4-r2.ebuild,v 1.1 2007/08/16 15:06:56 uberlord Exp $
+ 
+inherit autotools eutils multilib
+ 
+DESCRIPTION="OpenVPN is a robust and highly flexible tunneling application compatible with many OSes."
+SRC_URI="http://openvpn.net/release/${P}.tar.gz
+ ipv6? ( mirror://gentoo/${PN}-2.1-udp6.patch.bz2 )"
+HOMEPAGE="http://openvpn.net/"
+ 
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~ppc ~ppc-macos ~ppc64 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
+IUSE="examples iproute2 ipv6 minimal pam passwordsave selinux ssl static threads userland_BSD"
+ 
+DEPEND=">=dev-libs/lzo-1.07
+ kernel_linux? (
+ iproute2? ( sys-apps/iproute2 ) !iproute2? ( sys-apps/net-tools )
+ )
+ !minimal? ( pam? ( virtual/pam ) )
+ selinux? ( sec-policy/selinux-openvpn )
+ ssl? ( >=dev-libs/openssl-0.9.6 )"
+ 
+pkg_setup() {
+ if use iproute2 ; then
+ if built_with_use sys-apps/iproute2 minimal ; then
+ eerror "iproute2 support requires that sys-apps/iproute2 was not"
+ eerror "built with the minimal USE flag"
+ die "iproute2 support not available"
+ fi
+ fi
+}
+ 
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ 
+ epatch "${FILESDIR}/${PN}"-2.0.4-darwin.patch
+ epatch "${FILESDIR}/${P}"-ip6-mss.patch
+ 
+ use ipv6 && epatch "${WORKDIR}/${PN}"-2.1-udp6.patch
+ 
+ eautoreconf
+}
+ 
+src_compile() {
+ local myconf=""
+ # We cannot use use_enable with iproute2 as the Makefile stupidly
+ # enables it with --disable-iproute2
+ use iproute2 && myconf="${myconf} --enable-iproute2"
+ if use minimal ; then
+ myconf="${myconf} --disable-plugins"
+ myconf="${myconf} --disable-pkcs11"
+ fi
+ 
+ econf ${myconf} \
+ $(use_enable ipv6) \
+ $(use_enable passwordsave password-save) \
+ $(use_enable ssl) \
+ $(use_enable ssl crypto) \
+ $(use_enable threads pthread) \
+ || die "configure failed"
+ 
+ use static && sed -i -e '/^LIBS/s/LIBS = /LIBS = -static /' Makefile
+ 
+ emake || die "make failed"
+ 
+ if ! use minimal ; then
+ cd plugin
+ for i in $( ls 2>/dev/null ); do
+ [[ ${i} == "README" || ${i} == "examples" ]] && continue
+ [[ ${i} == "auth-pam" ]] && ! use pam && continue
+ einfo "Building ${i} plugin"
+ cd "${i}"
+ emake || die "make failed"
+ cd ..
+ done
+ cd ..
+ fi
+}
+ 
+src_install() {
+ make DESTDIR="${D}" install || die "make install failed"
+ 
+ # install documentation
+ dodoc AUTHORS ChangeLog PORTS README
+ 
+ # Empty dir
+ dodir /etc/openvpn
+ keepdir /etc/openvpn
+ 
+ # Install some helper scripts
+ exeinto /etc/openvpn
+ doexe "${FILESDIR}/up.sh"
+ doexe "${FILESDIR}/down.sh"
+ 
+ # Install the init script and config file
+ newinitd "${FILESDIR}/${PN}-2.1.init" openvpn
+ newconfd "${FILESDIR}/${PN}-2.1.conf" openvpn
+ 
+ # install examples, controlled by the respective useflag
+ if use examples ; then
+ # dodoc does not supportly support directory traversal, #15193
+ insinto /usr/share/doc/${PF}/examples
+ doins -r sample-{config-files,keys,scripts} contrib
+ prepalldocs
+ fi
+ 
+ # Install plugins and easy-rsa
+ if ! use minimal ; then
+ cd easy-rsa/2.0
+ make install "DESTDIR=${D}/usr/share/${PN}/easy-rsa"
+ cd ../..
+ 
+ exeinto "/usr/$(get_libdir)/${PN}"
+ doexe plugin/*/*.so
+ fi
+}
+ 
+pkg_postinst() {
+ # Add openvpn user so openvpn servers can drop privs
+ # Clients should run as root so they can change ip addresses,
+ # dns information and other such things.
+ enewgroup openvpn
+ enewuser openvpn "" "" "" openvpn
+ 
+ if [[ -n $(ls /etc/openvpn/*/local.conf 2>/dev/null) ]] ; then
+ ewarn "WARNING: The openvpn init script has changed"
+ ewarn ""
+ fi
+ 
+ einfo "The openvpn init script expects to find the configuration file"
+ einfo "openvpn.conf in /etc/openvpn along with any extra files it may need."
+ einfo ""
+ einfo "To create more VPNs, simply create a new .conf file for it and"
+ einfo "then create a symlink to the openvpn init script from a link called"
+ einfo "openvpn.newconfname - like so"
+ einfo " cd /etc/openvpn"
+ einfo " ${EDITOR##*/} foo.conf"
+ einfo " cd /etc/init.d"
+ einfo " ln -s openvpn openvpn.foo"
+ einfo ""
+ einfo "You can then treat openvpn.foo as any other service, so you can"
+ einfo "stop one vpn and start another if you need to."
+ 
+ if grep -Eq "^[ \t]*(up|down)[ \t].*" ${ROOT}/etc/openvpn/*.conf 2>/dev/null ; then
+ ewarn ""
+ ewarn "WARNING: If you use the remote keyword then you are deemed to be"
+ ewarn "a client by our init script and as such we force up,down scripts."
+ ewarn "These scripts call /etc/openvpn/\$SVCNAME-{up,down}.sh where you"
+ ewarn "can move your scripts to."
+ fi
+ 
+ if ! use minimal ; then
+ einfo ""
+ einfo "plugins have been installed into /usr/$(get_libdir)/${PN}"
+ fi
+} |
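Review bot: In `src_install` the easy-rsa step `make install "DESTDIR=${D}/usr/share/${PN}/easy-rsa"` is the only build command in this ebuild whose failure is not caught; every other `make`/`emake` call is followed by `|| die`, so a broken easy-rsa install would be packaged silently. I would change it to `make install "DESTDIR=${D}/usr/share/${PN}/easy-rsa" || die "easy-rsa install failed"`. The surrounding `cd easy-rsa/2.0` / `cd ../..` pair has the same gap: if the first `cd` fails the later `exeinto`/`doexe` lines run from the wrong directory, so `cd easy-rsa/2.0 || die` is the usual guard. The same unchecked-`cd` pattern appears in the plugin loop of `src_compile` (`cd plugin`, `cd "${i}"`).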