Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-pam_libpam_so_filename.patch16
-rw-r--r--debian/patches/close_socket_before_scripts.patch32
-rw-r--r--debian/patches/debian_nogroup_for_sample_files.patch81
-rw-r--r--debian/patches/kfreebsd_support.patch38
-rw-r--r--debian/patches/openvpn-pkcs11warn.patch28
-rw-r--r--debian/patches/route_default_nil.patch15
-rw-r--r--debian/patches/series6
7 files changed, 216 insertions, 0 deletions
diff --git a/debian/patches/auth-pam_libpam_so_filename.patch b/debian/patches/auth-pam_libpam_so_filename.patch
new file mode 100644
index 0000000..f3f5f0c
--- /dev/null
+++ b/debian/patches/auth-pam_libpam_so_filename.patch
@@ -0,0 +1,16 @@
+Description: Fix libpam.so filename to /lib/libpam.so.0 in pam plugin
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Bug-Debian: http://bugs.debian.org/306335
+Index: openvpn/src/plugins/auth-pam/auth-pam.c
+===================================================================
+--- openvpn.orig/src/plugins/auth-pam/auth-pam.c 2016-11-21 09:53:25.512782138 +0100
++++ openvpn/src/plugins/auth-pam/auth-pam.c 2016-11-21 09:53:25.512782138 +0100
+@@ -632,7 +632,7 @@
+ struct user_pass up;
+ int command;
+ #ifdef USE_PAM_DLOPEN
+- static const char pam_so[] = "libpam.so";
++ static const char pam_so[] = "libpam.so.0";
+ #endif
+
+ /*
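Review bot: The Description line says the filename is fixed to /lib/libpam.so.0, but the new string is the bare soname `"libpam.so.0"`, so the lookup is left to the dynamic loader's search order rather than pinned to a path. Assuming `pam_so` is what the USE_PAM_DLOPEN code passes to dlopen() (the call is outside this hunk), the header would be accurate as `Description: Use the versioned soname libpam.so.0 in the pam plugin`. Because this library is loaded into the process that checks credentials, a short comment above the declaration should also say that the name is resolved through the loader search path and why the versioned name is required.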
diff --git a/debian/patches/close_socket_before_scripts.patch b/debian/patches/close_socket_before_scripts.patch
new file mode 100644
index 0000000..0b848a0
--- /dev/null
+++ b/debian/patches/close_socket_before_scripts.patch
@@ -0,0 +1,32 @@
+Description: Set socket's FD_CLOEXEC flag before calling up script
+ Moving the set_cloexec() call from link_socket_init_phase2() to
+ link_socket_init_phase1().
+Author: Julien Cristau <jcristau@debian.org>
+Bug-Debian: http://bugs.debian.org/367716
+
+Index: openvpn/src/openvpn/socket.c
+===================================================================
+--- openvpn.orig/src/openvpn/socket.c 2016-11-21 09:58:03.562096178 +0100
++++ openvpn/src/openvpn/socket.c 2016-11-21 10:01:20.143091482 +0100
+@@ -1625,6 +1625,10 @@
+ }
+ resolve_remote (sock, 1, NULL, NULL);
+ }
++
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sock->sd);
+ }
+
+ static
+@@ -1677,10 +1681,6 @@
+ /* set socket to non-blocking mode */
+ set_nonblock (sock->sd);
+
+- /* set socket file descriptor to not pass across execs, so that
+- scripts don't have access to it */
+- set_cloexec (sock->sd);
+-
+ if (socket_defined (sock->ctrl_sd))
+ set_cloexec (sock->ctrl_sd);
+
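Review bot: After this change the only visible `set_cloexec (sock->sd)` runs at the end of phase 1, so any descriptor that phase 2 later stores in `sock->sd` would no longer be marked close-on-exec and would be inherited by scripts. The hunks do not show whether phase 2 replaces `sock->sd` (an accepted TCP connection would be the obvious case), nor whether `sock->sd` is always a defined socket at the point where the new call sits. Setting the flag twice is harmless, so keeping the original `set_cloexec (sock->sd);` after `set_nonblock (sock->sd);` in phase 2 in addition to the new phase-1 call would cover both cases. Both function bodies extend beyond the hunks.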
diff --git a/debian/patches/debian_nogroup_for_sample_files.patch b/debian/patches/debian_nogroup_for_sample_files.patch
new file mode 100644
index 0000000..f7dcaaa
--- /dev/null
+++ b/debian/patches/debian_nogroup_for_sample_files.patch
@@ -0,0 +1,81 @@
+Description: Unpriviledged group in Debian is called nogroup instead of nobody
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Bug-Debian: http://bugs.debian.org/317987
+Index: openvpn/sample/sample-config-files/server.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/server.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/server.conf 2016-11-21 09:53:43.604863188 +0100
+@@ -272,7 +272,7 @@
+ # You can uncomment this out on
+ # non-Windows systems.
+ ;user nobody
+-;group nobody
++;group nogroup
+
+ # The persist options will try to avoid
+ # accessing certain resources on restart
+Index: openvpn/sample/sample-config-files/tls-home.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/tls-home.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/tls-home.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -51,7 +51,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/static-home.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -43,7 +43,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/static-office.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -40,7 +40,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/client.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/client.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/client.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -59,7 +59,7 @@
+
+ # Downgrade privileges after initialization (non-Windows only)
+ ;user nobody
+-;group nobody
++;group nogroup
+
+ # Try to preserve some state across restarts.
+ persist-key
+Index: openvpn/sample/sample-config-files/tls-office.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/tls-office.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/tls-office.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -51,7 +51,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch
new file mode 100644
index 0000000..0e72c12
--- /dev/null
+++ b/debian/patches/kfreebsd_support.patch
@@ -0,0 +1,38 @@
+Description: Improve kFreeBSD support
+Author: Gonéri Le Bouder <goneri@rulezlan.org>
+Bug-Debian: http://bugs.debian.org/626062
+Index: openvpn/src/openvpn/route.c
+===================================================================
+--- openvpn.orig/src/openvpn/route.c 2016-05-10 17:46:23.708838589 +0200
++++ openvpn/src/openvpn/route.c 2016-05-10 17:46:23.704838624 +0200
+@@ -1421,7 +1421,7 @@
+ argv_msg (D_ROUTE, &argv);
+ status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed");
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD)||defined(__FreeBSD_kernel__)
+
+ argv_printf (&argv, "%s add",
+ ROUTE_PATH);
+Index: openvpn/src/openvpn/tun.c
+===================================================================
+--- openvpn.orig/src/openvpn/tun.c 2016-05-10 17:46:23.708838589 +0200
++++ openvpn/src/openvpn/tun.c 2016-05-10 17:46:39.656696603 +0200
+@@ -625,7 +625,7 @@
+ }
+ #endif
+
+-#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
++#if defined(TARGET_FREEBSD)||defined(__FreeBSD_kernel__)||defined(TARGET_DRAGONFLY)
+ /* we can't use true subnet mode on tun on all platforms, as that
+ * conflicts with IPv6 (wants to use ND then, which we don't do),
+ * but the OSes want "a remote address that is different from ours"
+@@ -1124,7 +1124,7 @@
+ add_route_connected_v6_net(tt, es);
+ }
+
+-#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)||defined(__FreeBSD_kernel__)
+
+ /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
+ if (tun)
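Review bot: Nothing in this patch header records that the patch is disabled, yet the series file added by the same commit lists it as `#kfreebsd_support.patch`, so none of these three conditionals reach the build. A continuation line under the Description, such as ` Currently commented out in debian/patches/series: <reason>`, would stop a later reader from assuming kFreeBSD is covered. The two tun.c conditions also order the same macros differently (`__FreeBSD_kernel__` before `TARGET_DRAGONFLY` in the first, after it in the second); using one order would make them easier to grep and compare.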
diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch
new file mode 100644
index 0000000..eae8fe4
--- /dev/null
+++ b/debian/patches/openvpn-pkcs11warn.patch
@@ -0,0 +1,28 @@
+Description: Warn users about deprecated pkcs11 options
+Author: Florian Kulzer <florian.kulzer+debian@icfo.es>
+Bug-Debian: http://bugs.debian.org/475353
+Index: openvpn/src/openvpn/options.c
+===================================================================
+--- openvpn.orig/src/openvpn/options.c 2016-11-21 09:53:53.100906016 +0100
++++ openvpn/src/openvpn/options.c 2016-11-21 09:53:53.096905998 +0100
+@@ -6569,6 +6569,20 @@
+ {
+ VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
+ }
++ else if (streq (p[0], "pkcs11-id-type") ||
++ streq (p[0], "pkcs11-sign-mode") ||
++ streq (p[0], "pkcs11-slot") ||
++ streq (p[0], "pkcs11-slot-type") ||
++ streq (p[0], "show-pkcs11-objects") ||
++ streq (p[0], "show-pkcs11-slots"))
++ {
++ if (file)
++ msg (msglevel, "You are using an obsolete parameter in %s:%d: %s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
++ file, line, p[0], PACKAGE_VERSION);
++ else
++ msg (msglevel, "You are using an obsolete parameter: --%s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
++ p[0], PACKAGE_VERSION);
++ }
+ #endif
+ #if PASSTOS_CAPABILITY
+ else if (streq (p[0], "passtos") && !p[1])
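Review bot: The added `else if` branch for the obsolete pkcs11 options has no `VERIFY_PERMISSION` call, unlike the branch directly above it, so the message is emitted at whatever `msglevel` the caller supplied, regardless of where the option came from. If these option names can arrive from a source other than the local config file or command line (not visible in this hunk), making `VERIFY_PERMISSION (OPT_P_GENERAL);` the first statement of the block would match the surrounding pattern. The `if (file)` / `else` arms are each an unbraced two-line `msg` call; bracing them would guard against a later edit detaching a statement from its condition. A one-line comment should also say whether the option is ignored or treated as fatal at this `msglevel`. The enclosing function starts and ends outside the hunk.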
diff --git a/debian/patches/route_default_nil.patch b/debian/patches/route_default_nil.patch
new file mode 100644
index 0000000..adda9be
--- /dev/null
+++ b/debian/patches/route_default_nil.patch
@@ -0,0 +1,15 @@
+Description: Fix small wording in man page.
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Index: openvpn/doc/openvpn.8
+===================================================================
+--- openvpn.orig/doc/openvpn.8 2016-11-21 09:54:04.404957249 +0100
++++ openvpn/doc/openvpn.8 2016-11-21 09:54:04.400957231 +0100
+@@ -973,7 +973,7 @@
+ otherwise 0.
+
+ The default can be specified by leaving an option blank or setting
+-it to "default".
++it to "nil".
+
+ The
+ .B network
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e068c68
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,6 @@
+auth-pam_libpam_so_filename.patch
+close_socket_before_scripts.patch
+debian_nogroup_for_sample_files.patch
+openvpn-pkcs11warn.patch
+route_default_nil.patch
+#kfreebsd_support.patch