openvpn: updated to 2.6.1

Overview of changes in 2.6.1

New features

Dynamic TLS Crypt: When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt key that is used for renegotiation. This ensures that only the previously authenticated peer can trigger and complete renegotiations.
CryptoAPI (Windows): support issuer name as a selector. Certificate selection string can now specify a partial issuer name string as "--cryptoapicert ISSUER:<string>" where <string> is matched as a substring of the issuer (CA) name in the certificate.

User visible changes

on crypto initialization, move old "quite verbose" messages to --verb 4 and only print a more compact summary about crypto and timing parameters by default
configure now enables DCO build by default on FreeBSD and Linux, which brings in a default dependency for libnl-genl (for Linux distributions that are too old to have this library, use "configure --disable-dco")
make "configure --help" output more consistent
CryptoAPI (Windows): remove support code for OpenSSL before 3.0.1 (this will not affect official OpenVPN for Windows installers, as they will always be built with OpenSSL 3.0.x)
CryptoAPI (Windows): log the selected certificate's name
"configure" now uses "subdir-objects", for automake >= 1.16 (fewer warnings for recent-enough automake versions, will change the way .o files are created)

Bugfixes / minor improvements

fixed old IPv6 ifconfig race condition for FreeBSD 12.4
fix compile-time breakage related to DCO defines on FreeBSD 14
enforce minimum packet size for "--fragment" (avoid division by zero)
some alignment fixes to avoid unaligned memory accesses, which will bring problems on some architectures (Sparc64, some ARM versions) - found by USAN clang checker
windows source code fixes to reduce number of compile time warnings (eventual goal is to be able to compile with -Werror on MinGW), mostly related to signed/unsigned char * conversions, printf() format specifiers and unused variables.
avoid endless loop on logging with --management + --verb 6+
build (but not run) unit tests on MinGW cross compiles, and run them when building with GitHub Actions.
add unit test for parts of cryptoapi.c
add debug logging to help with diagnosing windows driver selection
disable DCO if proxy config is set via management interface
do not crash on Android if run without --management
improve documentation about cipher negotiation and OpenVPN3
for x86 windows builds, use proper calling conventions for dco-win (__stdcall)
differentiate "dhcp-option ..." options into "needs an interface with true DHCP service" (tap-windows) and "can also be installed by IPAPI or service, and can be used on non-DHCP interfaces" (wintun, dco-win)
windows interactive service: fix possible double-free if "--block-dns" installation fails due to "security products" interfering
"make dist": package ovpn_dco_freebsd.h to permit building from tarballs on FreeBSD 14
adam 2023-03-14 06:31:38 +00:00
parent 200c28cb43
commit 292ba1bfd4
6 changed files with 18 additions and 19 deletions


@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.10 2020/01/26 17:31:53 rillig Exp $
# $NetBSD: Makefile,v 1.11 2023/03/14 06:31:38 adam Exp $
.include "../../net/openvpn/Makefile.common"
@ -28,4 +28,5 @@ SPECIAL_PERMS+= bin/logwtmpx ${SETUID_ROOT_PERMS}
DEPENDS+= openvpn>=2.4.2:../../net/openvpn
.include "../../security/openssl/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
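
Review bot: the `DEPENDS+= openvpn>=2.4.2` line in this hunk still allows a much older runtime openvpn than the source this package is now built from (Makefile.common sets OPENVPN_DISTNAME to openvpn-2.6.1). Either raise the lower bound to match the distfile, or add a comment saying why a 2.4.2 runtime remains sufficient for a plugin compiled against 2.6.1.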


@ -1,8 +1,8 @@
$NetBSD: distinfo,v 1.33 2022/11/23 08:02:57 adam Exp $
$NetBSD: distinfo,v 1.34 2023/03/14 06:31:38 adam Exp $
BLAKE2s (openvpn-2.5.8.tar.gz) = 7af26d7da32f771a6b34a5c25e4c0ffc6084a776c0c9f5dbd920f05a47810224
SHA512 (openvpn-2.5.8.tar.gz) = 9cb0e79f26e7021141213d241fffaaa899575fa1640cb02d5f2a7b71f1ae12faac762ac26c2e4ddc4822550aa12cb81bab7a5b259d81230983e9b098e0f14091
Size (openvpn-2.5.8.tar.gz) = 1875551 bytes
BLAKE2s (openvpn-2.6.1.tar.gz) = 8645f53378fadbfdb0106e95c5375995e7f7557acd28c0de248fbdf555cae40c
SHA512 (openvpn-2.6.1.tar.gz) = f848abc1d3ab99111b852fa52d12cb93734137acf3319b704c65cf8d1ef8abbf3cd3dbbe32b59687945e7dbd7ac7e8fc97bee57667f97700ba03d1ced4b40c31
Size (openvpn-2.6.1.tar.gz) = 1852147 bytes
BLAKE2s (openvpn-acct-wtmpx-20130210.tgz) = 2bb02a4e6adb7ce1d189271a6fbb6cbffd6a37d7b5e75cccebfc8dfac6dbaddd
SHA512 (openvpn-acct-wtmpx-20130210.tgz) = 7b8fd4929e65d8d84158f62e5a17ff3adb3b4a6cff63b29038acfb368750719f2f593786ed9b02402824c19d872b188d2a46740a5c5f853e8873a71481b13aaf
Size (openvpn-acct-wtmpx-20130210.tgz) = 2778 bytes
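
Review bot: the new openvpn-2.6.1.tar.gz entries only pin whatever was downloaded from swupdate.openvpn.org; nothing in the commit message says the tarball was checked against upstream's published signature before these BLAKE2s/SHA512 values were generated. Worth confirming that and saying so in the log, since the same three values are copied into the other two distinfo files in this commit.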


@ -1,8 +1,8 @@
$NetBSD: distinfo,v 1.30 2022/11/23 08:02:58 adam Exp $
$NetBSD: distinfo,v 1.31 2023/03/14 06:31:38 adam Exp $
BLAKE2s (openvpn-2.5.8.tar.gz) = 7af26d7da32f771a6b34a5c25e4c0ffc6084a776c0c9f5dbd920f05a47810224
SHA512 (openvpn-2.5.8.tar.gz) = 9cb0e79f26e7021141213d241fffaaa899575fa1640cb02d5f2a7b71f1ae12faac762ac26c2e4ddc4822550aa12cb81bab7a5b259d81230983e9b098e0f14091
Size (openvpn-2.5.8.tar.gz) = 1875551 bytes
BLAKE2s (openvpn-2.6.1.tar.gz) = 8645f53378fadbfdb0106e95c5375995e7f7557acd28c0de248fbdf555cae40c
SHA512 (openvpn-2.6.1.tar.gz) = f848abc1d3ab99111b852fa52d12cb93734137acf3319b704c65cf8d1ef8abbf3cd3dbbe32b59687945e7dbd7ac7e8fc97bee57667f97700ba03d1ced4b40c31
Size (openvpn-2.6.1.tar.gz) = 1852147 bytes
BLAKE2s (openvpn-nagios-20130210.tgz) = 713b55e865350c44a314aa3b48694695f4d82b50883d1fae919f01e9545c7c34
SHA512 (openvpn-nagios-20130210.tgz) = 80e565f32379c39eb6c7f3b4744af221ae882ff07dce9dae5bd7feb73b0edcfc7c7ac7f70d23fdcd4f492b66f095f09833deb122449840b36ea606ce91900358
Size (openvpn-nagios-20130210.tgz) = 3034 bytes


@ -1,9 +1,9 @@
# $NetBSD: Makefile.common,v 1.27 2022/11/23 08:02:57 adam Exp $
# $NetBSD: Makefile.common,v 1.28 2023/03/14 06:31:38 adam Exp $
# used by net/openvpn/Makefile
# used by net/openvpn-acct-wtmpx/Makefile
# used by net/openvpn-nagios/Makefile
OPENVPN_DISTNAME= openvpn-2.5.8
OPENVPN_DISTNAME= openvpn-2.6.1
OPENVPN_DISTFILE= ${OPENVPN_DISTNAME}.tar.gz
OPENVPN_MASTER_SITES= https://swupdate.openvpn.org/community/releases/
SITES.${OPENVPN_DISTFILE}= ${OPENVPN_MASTER_SITES}
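
Review bot: the OPENVPN_DISTNAME bump to openvpn-2.6.1 is not accompanied by any handling of DCO. The commit message itself notes that configure now enables the DCO build by default on FreeBSD and Linux and pulls in libnl-genl, yet none of the six changed files adds "--disable-dco" or a dependency for that library. Unless net/openvpn/Makefile already covers this, builds on those platforms will either fail at configure or pick up an undeclared dependency; please add one or the other explicitly.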


@ -1,4 +1,4 @@
@comment $NetBSD: PLIST,v 1.24 2021/10/05 19:25:41 adam Exp $
@comment $NetBSD: PLIST,v 1.25 2023/03/14 06:31:38 adam Exp $
include/openvpn-msg.h
include/openvpn-plugin.h
${PLIST.pam}lib/openvpn/plugins/openvpn-plugin-auth-pam.la
@ -10,7 +10,6 @@ share/doc/openvpn/COPYING
share/doc/openvpn/COPYRIGHT.GPL
share/doc/openvpn/Changes.rst
share/doc/openvpn/README
share/doc/openvpn/README.IPv6
${PLIST.pam}share/doc/openvpn/README.auth-pam
share/doc/openvpn/README.down-root
share/doc/openvpn/README.mbedtls
@ -28,8 +27,6 @@ share/examples/openvpn/config/openvpn-startup.sh
share/examples/openvpn/config/server.conf
share/examples/openvpn/config/tls-home.conf
share/examples/openvpn/config/tls-office.conf
share/examples/openvpn/config/xinetd-client-config
share/examples/openvpn/config/xinetd-server-config
share/examples/openvpn/keys/README
share/examples/openvpn/keys/ca.crt
share/examples/openvpn/keys/ca.key
@ -50,5 +47,6 @@ share/examples/openvpn/keys/ta.key
share/examples/openvpn/scripts/auth-pam.pl
share/examples/openvpn/scripts/bridge-start
share/examples/openvpn/scripts/bridge-stop
share/examples/openvpn/scripts/totpauth.py
share/examples/openvpn/scripts/ucn.pl
share/examples/openvpn/scripts/verify-cn
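
Review bot: the scripts list in this hunk now includes share/examples/openvpn/scripts/totpauth.py, a Python script sitting among Perl and shell examples. Please check how its interpreter line is handled at install time (for example REPLACE_PYTHON, or leaving it untouched on purpose), so the package neither ships a script pointing at a nonexistent interpreter nor triggers an interpreter-path check failure.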


@ -1,6 +1,6 @@
$NetBSD: distinfo,v 1.58 2022/11/23 08:02:57 adam Exp $
$NetBSD: distinfo,v 1.59 2023/03/14 06:31:38 adam Exp $
BLAKE2s (openvpn-2.5.8.tar.gz) = 7af26d7da32f771a6b34a5c25e4c0ffc6084a776c0c9f5dbd920f05a47810224
SHA512 (openvpn-2.5.8.tar.gz) = 9cb0e79f26e7021141213d241fffaaa899575fa1640cb02d5f2a7b71f1ae12faac762ac26c2e4ddc4822550aa12cb81bab7a5b259d81230983e9b098e0f14091
Size (openvpn-2.5.8.tar.gz) = 1875551 bytes
BLAKE2s (openvpn-2.6.1.tar.gz) = 8645f53378fadbfdb0106e95c5375995e7f7557acd28c0de248fbdf555cae40c
SHA512 (openvpn-2.6.1.tar.gz) = f848abc1d3ab99111b852fa52d12cb93734137acf3319b704c65cf8d1ef8abbf3cd3dbbe32b59687945e7dbd7ac7e8fc97bee57667f97700ba03d1ced4b40c31
Size (openvpn-2.6.1.tar.gz) = 1852147 bytes
SHA1 (patch-src_compat_compat-basename.c) = 45a58ef2e05f6e0265f229da8540760e60e65143
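
Review bot: the `SHA1 (patch-src_compat_compat-basename.c)` line at the end of this hunk appears only once, so the local patch is carried over unchanged from 2.5.8 to 2.6.1. Please confirm it still applies cleanly and is still needed against the 2.6.1 source; if upstream has absorbed the fix, drop the patch and this entry.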