pkgsrc-Changes archive
CVS commit: pkgsrc/net/openvpn
Module Name: pkgsrc
Committed By: jmmv
Date: Sun Oct 11 17:32:00 UTC 2009
Modified Files:
pkgsrc/net/openvpn: Makefile distinfo
Log Message:
Update to 2.1_rc20 from 2.1_rc13:
2009.10.01 -- Version 2.1_rc20
* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
* Fixed build problem when ./configure --disable-server is used.
* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
* Added --remote-random-hostname option.
* Added "load-stats" management interface command to get global server
load statistics.
* Added new ./configure flags:
--disable-def-auth Disable deferred authentication
--disable-pf Disable internal packet filter
* Added "setcon" directive for interoperability with SELinux (Sebastien
Raveau).
* Optimized PUSH_REQUEST handshake sequence to shave several seconds
off of a typical client connection initiation.
* The maximum number of "route" directives (specified in the config
file or pulled from a server) can now be configured via the new
"max-routes" directive.
* Eliminated the limitation on the number of options that can be pushed
to clients, including routes. Previously, all pushed options needed
to fit within a 1024 byte options string.
* Added --server-poll-timeout option : when polling possible remote
servers to connect to in a round-robin fashion, spend no more than
n seconds waiting for a response before trying the next server.
* Added the ability for the server to provide a custom reason string
when an AUTH_FAILED message is returned to the client. This
string can be set by the server-side management interface and read
by the client-side management interface.
* client-kill management interface command, when issued on server, will
now send a RESTART message to client.
This feature is intended to make UDP clients respond the same as TCP
clients in the case where the server issues a RESTART message in
order to force the client to reconnect and pull a new options/route
list.
2009.07.16 -- Version 2.1_rc19
* In Windows TAP driver, refactor DHCP/ARP packet injection code to
use a DPC (deferred procedure call) to defer packet injection until
IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
in the context of AdapterTransmit. This is an attempt to reduce kernel
stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
observed on Vista. Updated TAP driver version number to 9.6.
* In configure.ac, use datadir instead of datarootdir for compatibility
with <autoconf-2.60.
2009.06.07 -- Version 2.1_rc18
* Fixed compile error on ./configure --enable-small
* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
does not build on Windows on non-MINGW32.
2009.05.30 -- Version 2.1_rc17
* Reduce the debug level (--verb) at which received management interface
commands are echoed from 7 to 3. Passwords will be filtered.
* Fixed race condition in management interface recv code on
Windows, where sending a set of several commands to the
management interface in quick succession might cause the
latter commands in the set to be ignored.
* Increased management interface input command buffer size
from 256 to 1024 bytes.
* Minor tweaks to Windows build system.
* Added "redirect-private" option which allows private subnets
to be pushed to the client in such a way that they don't accidentally
obscure critical local addresses such as the DHCP server address and
DNS server addresses.
* Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
client will examine the routing table and determine whether (a) the
OpenVPN server is reachable via a locally connected interface, or (b)
traffic to the server must be forwarded through the default router.
Only add a special bypass route for the OpenVPN server if (b) is true.
If (a) is true, behave as if the 'local' flag is specified, and do not
add a bypass route.
The new 'autolocal' flag depends on the non-portable test_local_addr()
function in route.c, which is currently only implemented for Windows.
The 'autolocal' flag will act as a no-op on platforms that have not
yet defined a test_local_addr() function.
* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
more option content to be pushed from server to client).
* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
levels <=3) a common and usually innocuous warning.
* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
functionality (Alon Bar-Lev).
* Fixed bug where the remote_X environmental variables were not being
set correctly when the 'local' option is specified.
2009.05.17 -- Version 2.1_rc16
* Windows installer changes:
1. ifdefed out the check Windows version code which is causing
problems on Windows 7
2. don't define SF_SELECTED if it is already defined
3. Use LZMA instead of BZIP2 compression for better compression
4. Upgraded OpenSSL to 0.9.8k
* Added the ability to read the configuration file
from stdin, when "stdin" is given as the config
file name.
* Allow "management-client" directive to be used
with unix domain sockets.
* Added errors-to-stderr option. When enabled, fatal errors
that result in the termination of the daemon will be written
to stderr.
* Added optional "nogw" (no gateway) flag to --server-bridge
to inhibit the pushing of the route-gateway parameter to
clients.
* Added new management interface command "pid" to show the
process ID of the current OpenVPN process (Angelo Laub).
* Fixed issue where SIGUSR1 restarts would fail if private
key was specified as an inline file.
* Added daemon_start_time and daemon_pid environmental variables.
* In management interface, added new ">CLIENT:ESTABLISHED" notification.
* Build fixes:
1. Fixed some issues with C++ style comments that leaked into the code.
2. Updated configure.ac to work on MinGW64.
3. Updated common.h types for _WIN64.
4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
compilers.
5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
OpenVPNCryptAcquireCertificatePrivateKey to work around
a symbol conflict in MinGW-5.1.4.
2008.11.19 -- Version 2.1_rc15
* Fixed issue introduced in 2.1_rc14 that may cause a
segfault when a --plugin module is used.
* Added server-side --opt-verify option: clients that connect
with options that are incompatible with those of the server
will be disconnected (without this option, incompatible
clients would trigger a warning message in the server log
but would not be disconnected).
* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
flag on the server as well as pushes it to connecting clients.
* Minor options check fix: --no-name-remapping is a
server-only option and should therefore generate an
error when used on the client.
* Added --prng option to control PRNG (pseudo-random
number generator) parameters. In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash. Now any OpenSSL hash may be used. This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.
* Cleaned up man page synopsis.
2008.11.16 -- Version 2.1_rc14
* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
with the goal of fixing a build issue on Fedora 9 that was
introduced in 2.1_rc13.
* Added additional method parameter to --script-security to preserve
backward compatibility with system() call semantics used in OpenVPN
2.1_rc8 and earlier. To preserve backward compatibility use:
script-security 3 system
* Added additional warning messages about --script-security 2
or higher being required to execute user-defined scripts or
executables.
* Windows build system changes:
Modified Windows domake-win build system to write all openvpn.nsi
input files to gen, so that gen can be disconnected from
the rest of the source tree and makensis openvpn.nsi will
still function correctly.
Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
(commented out by default).
Added optional files SAMPCONF_CONF2 (second sample configuration
file) and SAMPCONF_DH (Diffie-Hellman parameters) to Windows
build system, and may be defined in settings.in.
* Extended Management Interface "bytecount" command
to work when OpenVPN is running as a server.
Documented Management Interface "bytecount" command in
management/management-notes.txt.
* Fixed informational message in ssl.c to properly indicate
deferred authentication.
* Added server-side --auth-user-pass-optional directive, to allow
connections by clients that do not specify a username/password, when a
user-defined authentication script/module is in place (via
--auth-user-pass-verify, --management-client-auth, or a plugin module).
* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
Calling scripts can set the KEY_NAME environmental variable to set
the "name" X509 subject field in generated certificates.
Modified pkitool to allow flexibility in separating the Common Name
convention from the cert/key filename convention.
For example:
KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
will create a client certificate/key pair of james.crt/james.key
having a Common Name of "James's Laptop" and a Name of "james".
* Added --no-name-remapping option to allow Common Name, X509 Subject,
and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return (this is important for compatibility with external
authentication systems).
As a related change, added --status-version 3 format (and "status 3"
in the management interface) which uses the version 2 format except
that tabs are used as delimiters instead of commas so that there
is no ambiguity when parsing a Common Name that contains a comma.
Also, save X509 Subject fields to environment, using the naming
convention:
X509_{cert_depth}_{name}={value}
This is to avoid ambiguities when parsing out the X509 subject string
since "/" characters could potentially be used in the common name.
* Fixed some ifconfig-pool issues that precluded it from being combined
with --server directive.
Now, for example, we can configure thusly:
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
to have ifconfig-pool manage only a subset
of the VPN subnet.
* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
config file syntax checking to allow directives for future OpenVPN
versions to be ignored.
To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 pkgsrc/net/openvpn/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/net/openvpn/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
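
Added example (not part of the commit message or of OpenVPN's code): a fail-closed parser for the client list in the status output, showing why the 2.1_rc14 notes pair --no-name-remapping with the tab-delimited "status 3" format. The sample rows, the Common Name and the addresses are constructed, and the column layout is an assumption that the parser reads from the HEADER row instead of hard-coding.

```python
# Constructed sample data, not captured from a real server. The CLIENT_LIST
# column layout below is an assumption; the parser takes it from the HEADER row.
HEADER = ["HEADER", "CLIENT_LIST", "Common Name", "Real Address",
          "Virtual Address", "Bytes Received", "Bytes Sent",
          "Connected Since", "Connected Since (time_t)"]
CLIENT = ["CLIENT_LIST", "Acme, Inc. Laptop", "198.51.100.7:51234", "10.8.0.6",
          "4096", "8192", "Sun Oct 11 17:32:00 2009", "1255282320"]


def render(delim):
    """Build a constructed status snippet using the given field delimiter."""
    return "\n".join(delim.join(row) for row in (HEADER, CLIENT, ["END"])) + "\n"


def parse_status(text, delim):
    """Return one dict per CLIENT_LIST row; raise ValueError on a field mismatch."""
    columns, clients = None, []
    for line in text.splitlines():
        parts = line.split(delim)
        if parts[0] == "HEADER" and len(parts) > 2 and parts[1] == "CLIENT_LIST":
            columns = parts[2:]
        elif parts[0] == "CLIENT_LIST":
            if columns is None:
                raise ValueError("CLIENT_LIST row before its HEADER row")
            values = parts[1:]
            if len(values) != len(columns):
                # Fail closed: never guess which delimiter belonged to the name.
                raise ValueError(f"expected {len(columns)} fields, got {len(values)}")
            clients.append(dict(zip(columns, values)))
    return clients


def v2_is_ambiguous():
    """Comma-delimited output: the comma inside the Common Name shifts fields."""
    try:
        parse_status(render(","), ",")
    except ValueError:
        return True
    return False


def v3_common_name():
    """Tab-delimited output: tabs cannot occur in the name, so fields line up."""
    return parse_status(render("\t"), "\t")[0]["Common Name"]


if __name__ == "__main__":
    print("comma-delimited row rejected:", v2_is_ambiguous())
    print("tab-delimited Common Name:", v3_common_name())
```

Rejecting a row with the wrong field count matters for any script that makes access or accounting decisions from this output, because a shifted row would otherwise put part of the Common Name into the address column.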