Changes 2.1.3:

* Fixed potential local privilege escalation vulnerability in
  Windows service.
* Added Python-based based alternative build system for Windows using
  Visual Studio 2008 (in win directory).
* When aborting in a non-graceful way, try to execute do_close_tun in
  init.c prior to daemon exit to ensure that the tun/tap interface is
  closed and any added routes are deleted.
* Fixed an issue where AUTH_FAILED was not being properly delivered
  to the client when a bad password is given for mid-session reauth,
  causing the connection to fail without an error indication.
* Don't advance to the next connection profile on AUTH_FAILED errors.
* Fixed an issue in the Management Interface that could cause
  a process hang with 100% CPU utilization in --management-client
  mode if the management interface client disconnected at the
  point where credentials are queried.
* Fixed an issue where if reneg-sec was set to 0 on the client,
  so that the server-side value would take precedence,
  the auth_deferred_expire_window function would incorrectly
  return a window period of 0 seconds.  In this case, the
  correct window period should be the handshake window period.
* Modified ">PASSWORD:Verification Failed" management interface
  notification to include a client reason string:
    >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
* Enable exponential backoff in reliability layer retransmits.
* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
  socket is created rather than waiting until after connect/listen.
* Management interface performance optimizations:
  1. Added env-filter MI command to perform filtering on env vars
     passed through as a part of --management-client-auth
  2. man_write will now try to aggregate output into larger blocks
     (up to 1024 bytes) for more efficient i/o
* Fixed minor issue in Windows TAP driver DEBUG builds
  where non-null-terminated unicode strings were being
  printed incorrectly.
* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
  was not being compiled in.
* Proxy improvements:
* Implemented http-proxy-override and http-proxy-fallback directives to make it
  easier for OpenVPN client UIs to start a pre-existing client config file with
  proxy options, or to adaptively fall back to a proxy connection if a direct
  connection fails.
* Implemented a key/value auth channel from client to server.
* Fixed issue where bad creds provided by the management interface
  for HTTP Proxy Basic Authentication would go into an infinite
  retry-fail loop instead of requerying the management interface for
  new creds.

net/openvpn/Makefile

@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.37 2010/06/16 07:30:26 tnn Exp $
-#
+# $NetBSD: Makefile,v 1.38 2010/09/05 20:33:48 adam Exp $
 
-DISTNAME=	openvpn-2.1.1
+DISTNAME=	openvpn-2.1.3
 CATEGORIES=	net
 MASTER_SITES=	http://openvpn.net/release/ \
 		http://openvpn.net/release/old/
@@ -25,13 +24,12 @@ EGDIR=			${PREFIX}/share/examples/${PKGBASE}
 EASYRSADIR=		${DATADIR}/easy-rsa
 RCD_SCRIPTS=		openvpn
 
-CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR:Q}
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=	--enable-password-save
 CONFIGURE_ARGS+=	--disable-dependency-tracking
 
 # Pthread support is still considered very experimental, so don't enable
 # it for the default (production) build.
-#
 #CONFIGURE_ARGS+=	--enable-pthread
 
 INSTALLATION_DIRS=	${DATADIR}/easy-rsa	${EGDIR}/config		\
@@ -41,7 +39,6 @@ INSTALLATION_DIRS=	${DATADIR}/easy-rsa	${EGDIR}/config		\
 
 # OpenVPN 2.x has a shared module "plugin" architecture that allows
 # inserting callbacks into the server for various tasks.
-#
 DL_AUTO_VARS=		yes
 .include "../../mk/dlopen.buildlink3.mk"
 
@@ -58,25 +55,25 @@ SUBST_STAGE.pkitool=	post-build
 SUBST_MESSAGE.pkitool=	Fixing up default paths to grep & openssl in pkitool.
 SUBST_FILES.pkitool=	easy-rsa/2.0/pkitool
 SUBST_SED.pkitool=	-e "s|\\(GREP\\)=.*|\\1=\""${GREP:Q}"\"|"
-SUBST_SED.pkitool+=  -e "s|\\(OPENSSL\\)=.*|\\1=\""${SSLBASE:Q}/bin/openssl"\"|"
+SUBST_SED.pkitool+=	-e "s|\\(OPENSSL\\)=.*|\\1=\""${SSLBASE:Q}/bin/openssl"\"|"
 
 post-install: post-install-pam
-	cd ${WRKSRC:Q}/easy-rsa/2.0; for file in [a-zR]*; do		\
+	set -e; cd ${WRKSRC}/easy-rsa/2.0; for file in [a-zR]*; do	\
 		case $$file in						\
 		*.orig)	;;						\
 		[A-Z]*|*.cnf|vars)					\
-			${INSTALL_DATA} $$file ${DESTDIR}${EASYRSADIR:Q} ;;	\
-		*)	${INSTALL_SCRIPT} $$file ${DESTDIR}${EASYRSADIR:Q} ;;	\
+			${INSTALL_DATA} $$file ${DESTDIR}${EASYRSADIR} ;; \
+		*)	${INSTALL_SCRIPT} $$file ${DESTDIR}${EASYRSADIR} ;; \
 		esac;							\
 	done
-	cd ${WRKSRC:Q}/sample-config-files; for file in *; do		\
-		${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/config;	\
+	set -e; cd ${WRKSRC}/sample-config-files; for file in *; do	\
+		${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/config;	\
 	done
-	cd ${WRKSRC:Q}/sample-scripts; for file in *; do		\
-		${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/scripts;	\
+	set -e; cd ${WRKSRC}/sample-scripts; for file in *; do		\
+		${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/scripts;	\
 	done
-	cd ${WRKSRC:Q}/sample-keys; for file in *; do			\
-		${INSTALL_DATA} $$file ${DESTDIR}${EGDIR:Q}/keys;	\
+	set -e; cd ${WRKSRC}/sample-keys; for file in *; do		\
+		${INSTALL_DATA} $$file ${DESTDIR}${EGDIR}/keys;		\
 	done
 
 .include "options.mk"

net/openvpn/PLIST

@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.10 2010/06/16 07:30:26 tnn Exp $
+@comment $NetBSD: PLIST,v 1.11 2010/09/05 20:33:48 adam Exp $
 man/man8/openvpn.8
 sbin/openvpn
 share/examples/openvpn/config/README
@@ -31,7 +31,6 @@ share/examples/openvpn/keys/server.key
 share/examples/openvpn/scripts/auth-pam.pl
 share/examples/openvpn/scripts/bridge-start
 share/examples/openvpn/scripts/bridge-stop
-share/examples/openvpn/scripts/bs
 share/examples/openvpn/scripts/openvpn.init
 share/examples/openvpn/scripts/ucn.pl
 share/examples/openvpn/scripts/verify-cn

net/openvpn/distinfo

@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.20 2010/06/15 12:05:28 sborrill Exp $
+$NetBSD: distinfo,v 1.21 2010/09/05 20:33:48 adam Exp $
 
-SHA1 (openvpn-2.1.1.tar.gz) = 4b18e71b07236760f3b4defa941661e94b731a5a
-RMD160 (openvpn-2.1.1.tar.gz) = a33ed8ef4ba564103c2d196bbb742dac88d30e80
-Size (openvpn-2.1.1.tar.gz) = 880115 bytes
+SHA1 (openvpn-2.1.3.tar.gz) = 91058e78c58c2e66298c7132bea1ddba52baaa82
+RMD160 (openvpn-2.1.3.tar.gz) = ec0f63d63442eb3a26448747a5b0956e27b09809
+Size (openvpn-2.1.3.tar.gz) = 860672 bytes
 SHA1 (patch-aa) = e27e5a6411c9fb6545a1ad630f165200546b7213
 SHA1 (patch-ab) = d26cdc9166a8813860f31cb5b11bc5b3643b8aa5
 SHA1 (patch-ac) = f59615702208cae2a094306bc5fa7fb96234e55a
@@ -10,4 +10,4 @@ SHA1 (patch-ad) = 69f5fff5105131dc05ab38a1a717e1b363f88c1c
 SHA1 (patch-ae) = 362c881da994608baad7b10667100c39143244b6
 SHA1 (patch-af) = dc5dbca74ebbda081e4eaf9a9d5e11b6de11269f
 SHA1 (patch-ag) = fe8e59cf177c99c2fd001e7893df86af961e8e4e
-SHA1 (patch-ah) = 4e555d0a9dfa78882bf71c1d3496df8813069656
+SHA1 (patch-ah) = c530376eb68ab8f21c9b3c73149d2c24742aa4c9

net/openvpn/options.mk

@@ -1,7 +1,7 @@
-# $NetBSD: options.mk,v 1.3 2010/06/16 07:30:26 tnn Exp $
+# $NetBSD: options.mk,v 1.4 2010/09/05 20:33:48 adam Exp $
 
-PKG_OPTIONS_VAR=        PKG_OPTIONS.openvpn
-PKG_SUPPORTED_OPTIONS=  pkcs11 pam
+PKG_OPTIONS_VAR=	PKG_OPTIONS.openvpn
+PKG_SUPPORTED_OPTIONS=	pkcs11 pam
 PKG_SUGGESTED_OPTIONS=
 
 .include "../../mk/bsd.options.mk"
@@ -22,10 +22,10 @@ BUILD_DIRS+=	plugin/auth-pam
 BUILD_TARGET=	# empty
 INSTALL_DIRS=	.
 INSTALL_TARGET=	install
+INSTALLATION_DIRS+=	lib/openvpn
 PLIST.pam=	yes
 post-install-pam:
-	${INSTALL_LIB_DIR} ${DESTDIR}${PREFIX}/lib/openvpn && 	\
-	cd ${WRKSRC:Q}/plugin/auth-pam &&			\
+	cd ${WRKSRC}/plugin/auth-pam &&				\
 	${INSTALL_LIB} openvpn-auth-pam.so 			\
 		       ${DESTDIR}${PREFIX}/lib/openvpn || ${TRUE}
 .include "../../mk/pam.buildlink3.mk"

net/openvpn/patches/patch-ah

@@ -1,3 +1,5 @@
+$NetBSD: patch-ah,v 1.2 2010/09/05 20:33:48 adam Exp $
+
 --- tun.c.orig	2009-11-12 09:22:19.000000000 +0100
 +++ tun.c	2009-11-12 09:23:00.000000000 +0100
 @@ -789,17 +789,17 @@