Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-pam_libpam_so_filename.patch16
-rw-r--r--debian/patches/close_socket_before_scripts.patch102
-rw-r--r--debian/patches/debian_nogroup_for_sample_files.patch81
-rw-r--r--debian/patches/kfreebsd_support.patch141
-rw-r--r--debian/patches/manpage_typo.patch13
-rw-r--r--debian/patches/openvpn-pkcs11warn.patch28
-rw-r--r--debian/patches/route_default_nil.patch15
-rw-r--r--debian/patches/series7
8 files changed, 403 insertions, 0 deletions
diff --git a/debian/patches/auth-pam_libpam_so_filename.patch b/debian/patches/auth-pam_libpam_so_filename.patch
new file mode 100644
index 0000000..f3f5f0c
--- /dev/null
+++ b/debian/patches/auth-pam_libpam_so_filename.patch
@@ -0,0 +1,16 @@
+Description: Fix libpam.so filename to /lib/libpam.so.0 in pam plugin
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Bug-Debian: http://bugs.debian.org/306335
+Index: openvpn/src/plugins/auth-pam/auth-pam.c
+===================================================================
+--- openvpn.orig/src/plugins/auth-pam/auth-pam.c 2016-11-21 09:53:25.512782138 +0100
++++ openvpn/src/plugins/auth-pam/auth-pam.c 2016-11-21 09:53:25.512782138 +0100
+@@ -632,7 +632,7 @@
+ struct user_pass up;
+ int command;
+ #ifdef USE_PAM_DLOPEN
+- static const char pam_so[] = "libpam.so";
++ static const char pam_so[] = "libpam.so.0";
+ #endif
+
+ /*
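Review bot: The Description line says the plugin now loads "/lib/libpam.so.0", but the replacement string on the `++` line is the bare soname `"libpam.so.0"`, so the library is still resolved through the dynamic loader's search path rather than from a fixed location; the header should say `Description: Load PAM via its soname (libpam.so.0) instead of the unversioned libpam.so` so readers do not expect an absolute path. The patch also carries no DEP-3 `Forwarded:` field, so it is unclear whether upstream has seen it. The enclosing function in auth-pam.c starts and ends outside this hunk.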
diff --git a/debian/patches/close_socket_before_scripts.patch b/debian/patches/close_socket_before_scripts.patch
new file mode 100644
index 0000000..6e00c00
--- /dev/null
+++ b/debian/patches/close_socket_before_scripts.patch
@@ -0,0 +1,102 @@
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -1499,7 +1499,6 @@ man_new_connection_post (struct management *man, const char *description)
+ struct gc_arena gc = gc_new ();
+
+ set_nonblock (man->connection.sd_cli);
+- set_cloexec (man->connection.sd_cli);
+
+ man_connection_settings_reset (man);
+
+@@ -1640,7 +1639,6 @@ man_listen (struct management *man)
+ * Set misc socket properties
+ */
+ set_nonblock (man->connection.sd_top);
+- set_cloexec (man->connection.sd_top);
+
+ #if UNIX_SOCK_SUPPORT
+ if (man->settings.flags & MF_UNIX_SOCK)
+--- a/src/openvpn/socket.c
++++ b/src/openvpn/socket.c
+@@ -771,6 +771,10 @@ create_socket_tcp (struct addrinfo* addrinfo)
+ }
+ #endif
+
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sd);
++
+ return sd;
+ }
+
+@@ -815,6 +819,11 @@ create_socket_udp (struct addrinfo* addrinfo, const unsigned int flags)
+ }
+ }
+ #endif
++
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sd);
++
+ return sd;
+ }
+
+@@ -968,6 +977,12 @@ socket_do_accept (socket_descriptor_t sd,
+ openvpn_close_socket (new_sd);
+ new_sd = SOCKET_UNDEFINED;
+ }
++ else
++ {
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sd);
++ }
+ return new_sd;
+ }
+
+@@ -1617,6 +1632,7 @@ link_socket_init_phase1 (struct link_socket *sock,
+ ASSERT (sock->info.proto != PROTO_TCP_CLIENT);
+ ASSERT (socket_defined (inetd_socket_descriptor));
+ sock->sd = inetd_socket_descriptor;
++ set_cloexec (sock->sd); /* not created by create_socket*() */
+ }
+ else if (mode != LS_MODE_TCP_ACCEPT_FROM)
+ {
+@@ -1677,13 +1693,6 @@ phase2_set_socket_flags (struct link_socket* sock)
+ /* set socket to non-blocking mode */
+ set_nonblock (sock->sd);
+
+- /* set socket file descriptor to not pass across execs, so that
+- scripts don't have access to it */
+- set_cloexec (sock->sd);
+-
+- if (socket_defined (sock->ctrl_sd))
+- set_cloexec (sock->ctrl_sd);
+-
+ /* set Path MTU discovery options on the socket */
+ set_mtu_discover_type (sock->sd, sock->mtu_discover_type, sock->info.af);
+
+@@ -3476,6 +3485,11 @@ create_socket_unix (void)
+
+ if ((sd = socket (PF_UNIX, SOCK_STREAM, 0)) < 0)
+ msg (M_ERR, "Cannot create unix domain socket");
++
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (sd);
++
+ return sd;
+ }
+
+@@ -3516,6 +3530,12 @@ socket_accept_unix (socket_descriptor_t sd,
+
+ CLEAR (*remote);
+ ret = accept (sd, (struct sockaddr *) remote, &remote_len);
++ if ( ret >= 0 )
++ {
++ /* set socket file descriptor to not pass across execs, so that
++ scripts don't have access to it */
++ set_cloexec (ret);
++ }
+ return ret;
+ }
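Review bot: In the socket_do_accept hunk the new `else` branch calls `set_cloexec (sd);` on the listening descriptor instead of the freshly accepted one, so the accepted connection (the descriptor returned as `new_sd`) is the one that is left inheritable across exec; the line should read `set_cloexec (new_sd);`. This matters more than it looks because the manage.c hunk drops `set_cloexec (man->connection.sd_cli)` on the assumption that the accept path now covers it, which it does not as written. The phase2_set_socket_flags hunk also removes the `set_cloexec (sock->ctrl_sd)` call without any visible replacement for `ctrl_sd`, so that descriptor appears to be left inheritable as well (its origin is outside this patch, so this is inferred). Unlike the other patches in this series, this file has no DEP-3 header; adding at least `Description:`, `Origin:` and `Bug-Debian:` lines would make its provenance auditable. The enclosing functions of every hunk begin or end outside the shown context.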
diff --git a/debian/patches/debian_nogroup_for_sample_files.patch b/debian/patches/debian_nogroup_for_sample_files.patch
new file mode 100644
index 0000000..f7dcaaa
--- /dev/null
+++ b/debian/patches/debian_nogroup_for_sample_files.patch
@@ -0,0 +1,81 @@
+Description: Unpriviledged group in Debian is called nogroup instead of nobody
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Bug-Debian: http://bugs.debian.org/317987
+Index: openvpn/sample/sample-config-files/server.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/server.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/server.conf 2016-11-21 09:53:43.604863188 +0100
+@@ -272,7 +272,7 @@
+ # You can uncomment this out on
+ # non-Windows systems.
+ ;user nobody
+-;group nobody
++;group nogroup
+
+ # The persist options will try to avoid
+ # accessing certain resources on restart
+Index: openvpn/sample/sample-config-files/tls-home.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/tls-home.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/tls-home.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -51,7 +51,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/static-home.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -43,7 +43,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/static-office.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -40,7 +40,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
+Index: openvpn/sample/sample-config-files/client.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/client.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/client.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -59,7 +59,7 @@
+
+ # Downgrade privileges after initialization (non-Windows only)
+ ;user nobody
+-;group nobody
++;group nogroup
+
+ # Try to preserve some state across restarts.
+ persist-key
+Index: openvpn/sample/sample-config-files/tls-office.conf
+===================================================================
+--- openvpn.orig/sample/sample-config-files/tls-office.conf 2016-11-21 09:53:43.608863207 +0100
++++ openvpn/sample/sample-config-files/tls-office.conf 2016-11-21 09:53:43.608863207 +0100
+@@ -51,7 +51,7 @@
+ # "nobody" after initialization
+ # for extra security.
+ ; user nobody
+-; group nobody
++; group nogroup
+
+ # If you built OpenVPN with
+ # LZO compression, uncomment
diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch
new file mode 100644
index 0000000..40db126
--- /dev/null
+++ b/debian/patches/kfreebsd_support.patch
@@ -0,0 +1,141 @@
+Description: Improve kFreeBSD support
+Author: Gonéri Le Bouder <goneri@rulezlan.org>
+Bug-Debian: http://bugs.debian.org/626062
+Index: openvpn/src/openvpn/route.c
+===================================================================
+--- openvpn.orig/src/openvpn/route.c 2016-12-12 20:53:45.298787355 +0100
++++ openvpn/src/openvpn/route.c 2016-12-12 21:03:48.380240093 +0100
+@@ -1532,7 +1532,7 @@
+ argv_msg (D_ROUTE, &argv);
+ status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed");
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ argv_printf (&argv, "%s add",
+ ROUTE_PATH);
+@@ -1698,7 +1698,7 @@
+ network = print_in6_addr( r6->network, 0, &gc);
+ gateway = print_in6_addr( r6->gateway, 0, &gc);
+
+-#if defined(TARGET_DARWIN) || \
++#if defined(TARGET_DARWIN) || defined(__FreeBSD_kernel__) || \
+ defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || \
+ defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
+
+@@ -1856,7 +1856,7 @@
+ argv_msg (D_ROUTE, &argv);
+ status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
+
+-#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__)
+
+ argv_printf (&argv, "%s add -inet6 %s/%d",
+ ROUTE_PATH,
+@@ -2022,7 +2022,7 @@
+ argv_msg (D_ROUTE, &argv);
+ openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route delete command failed");
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ argv_printf (&argv, "%s delete -net %s %s %s",
+ ROUTE_PATH,
+@@ -2127,7 +2127,7 @@
+ network = print_in6_addr( r6->network, 0, &gc);
+ gateway = print_in6_addr( r6->gateway, 0, &gc);
+
+-#if defined(TARGET_DARWIN) || \
++#if defined(TARGET_DARWIN) || defined(__FreeBSD_kernel__) || \
+ defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || \
+ defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
+
+@@ -2248,7 +2248,7 @@
+ argv_msg (D_ROUTE, &argv);
+ openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
+
+-#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || defined(__FreeBSD_kernel__)
+
+ argv_printf (&argv, "%s delete -inet6 %s/%d",
+ ROUTE_PATH,
+@@ -3206,7 +3206,8 @@
+
+ #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || \
+ defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) || \
+- defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
++ defined(TARGET_OPENBSD) || defined(TARGET_NETBSD) || \
++ defined(__FreeBSD_kernel__)
+
+ #include <sys/types.h>
+ #include <sys/socket.h>
+Index: openvpn/src/openvpn/tun.c
+===================================================================
+--- openvpn.orig/src/openvpn/tun.c 2016-12-12 20:53:45.298787355 +0100
++++ openvpn/src/openvpn/tun.c 2016-12-12 21:04:41.156373771 +0100
+@@ -783,7 +783,7 @@
+ #endif
+
+ #if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)||\
+- defined(TARGET_OPENBSD)
++ defined(TARGET_OPENBSD)||defined(__FreeBSD_kernel__)
+ /* we can't use true subnet mode on tun on all platforms, as that
+ * conflicts with IPv6 (wants to use ND then, which we don't do),
+ * but the OSes want "a remote address that is different from ours"
+@@ -1314,7 +1314,7 @@
+ add_route_connected_v6_net(tt, es);
+ }
+
+-#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
++#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)||defined(__FreeBSD_kernel__)
+
+ in_addr_t remote_end; /* for "virtual" subnet topology */
+
+@@ -2548,7 +2548,7 @@
+ return read (tt->fd, buf, len);
+ }
+
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD)||defined(__FreeBSD_kernel__)
+
+ static inline int
+ freebsd_modify_read_write_return (int len)
+Index: openvpn/src/openvpn/lladdr.c
+===================================================================
+--- openvpn.orig/src/openvpn/lladdr.c 2012-11-05 16:29:30.000000000 +0100
++++ openvpn/src/openvpn/lladdr.c 2016-12-12 21:06:38.372672863 +0100
+@@ -47,7 +47,7 @@
+ "%s %s lladdr %s",
+ IFCONFIG_PATH,
+ ifname, lladdr);
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+ argv_printf (&argv,
+ "%s %s ether %s",
+ IFCONFIG_PATH,
+Index: openvpn/src/openvpn/syshead.h
+===================================================================
+--- openvpn.orig/src/openvpn/syshead.h 2016-12-07 13:14:25.348506036 +0100
++++ openvpn/src/openvpn/syshead.h 2016-12-12 21:12:20.413558149 +0100
+@@ -294,7 +294,7 @@
+
+ #endif /* TARGET_OPENBSD */
+
+-#ifdef TARGET_FREEBSD
++#if defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+
+ #ifdef HAVE_SYS_UIO_H
+ #include <sys/uio.h>
+Index: openvpn/src/openvpn/ssl.c
+===================================================================
+--- openvpn.orig/src/openvpn/ssl.c 2016-12-07 13:14:25.348506036 +0100
++++ openvpn/src/openvpn/ssl.c 2016-12-12 21:13:44.989779071 +0100
+@@ -2108,7 +2108,7 @@
+ buf_printf (&out, "IV_PLAT=mac\n");
+ #elif defined(TARGET_NETBSD)
+ buf_printf (&out, "IV_PLAT=netbsd\n");
+-#elif defined(TARGET_FREEBSD)
++#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
+ buf_printf (&out, "IV_PLAT=freebsd\n");
+ #elif defined(TARGET_ANDROID)
+ buf_printf (&out, "IV_PLAT=android\n");
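Review bot: Every hunk in this patch appends `defined(__FreeBSD_kernel__)` to a `TARGET_FREEBSD` condition, mixing a compiler-provided macro with the configure-provided `TARGET_*` family across six files; a single change in the build system that defines `TARGET_FREEBSD` for a kFreeBSD host would achieve the same effect without touching each conditional and would be easier to keep in sync when new `TARGET_FREEBSD` sites are added upstream. If the per-site approach is kept, the syshead.h hunk changes the `#ifdef TARGET_FREEBSD` line but the matching `#endif` comment (outside the hunk) presumably still reads `/* TARGET_FREEBSD */`; a short `/* TARGET_FREEBSD || __FreeBSD_kernel__ */` there would keep the closer readable. The ssl.c hunk reports `IV_PLAT=freebsd` for a glibc-based kFreeBSD userland, which peers keying on IV_PLAT may not expect; worth a comment such as `/* GNU/kFreeBSD reports as freebsd: kernel-level behaviour is what matters for routing/tun */` if that is the intent.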
diff --git a/debian/patches/manpage_typo.patch b/debian/patches/manpage_typo.patch
new file mode 100644
index 0000000..4d80341
--- /dev/null
+++ b/debian/patches/manpage_typo.patch
@@ -0,0 +1,13 @@
+Index: openvpn/doc/openvpn.8
+===================================================================
+--- openvpn.orig/doc/openvpn.8 2016-12-12 19:36:31.706541262 +0100
++++ openvpn/doc/openvpn.8 2016-12-12 19:42:13.507427481 +0100
+@@ -4572,7 +4572,7 @@
+ Specify the curve to use for elliptic curve Diffie Hellman. Available
+ curves can be listed with
+ .B \-\-show\-curves
+-. The specified curve will only be used for ECDH TLS-ciphers.
++The specified curve will only be used for ECDH TLS-ciphers.
+ .\"*********************************************************
+ .TP
+ .B \-\-cert file
diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch
new file mode 100644
index 0000000..758a555
--- /dev/null
+++ b/debian/patches/openvpn-pkcs11warn.patch
@@ -0,0 +1,28 @@
+Description: Warn users about deprecated pkcs11 options
+Author: Florian Kulzer <florian.kulzer+debian@icfo.es>
+Bug-Debian: http://bugs.debian.org/475353
+Index: openvpn/src/openvpn/options.c
+===================================================================
+--- openvpn.orig/src/openvpn/options.c 2016-12-07 13:18:03.856865710 +0100
++++ openvpn/src/openvpn/options.c 2016-12-07 13:18:03.856865710 +0100
+@@ -6647,6 +6647,20 @@
+ {
+ VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
+ }
++ else if (streq (p[0], "pkcs11-id-type") ||
++ streq (p[0], "pkcs11-sign-mode") ||
++ streq (p[0], "pkcs11-slot") ||
++ streq (p[0], "pkcs11-slot-type") ||
++ streq (p[0], "show-pkcs11-objects") ||
++ streq (p[0], "show-pkcs11-slots"))
++ {
++ if (file)
++ msg (msglevel, "You are using an obsolete parameter in %s:%d: %s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
++ file, line, p[0], PACKAGE_VERSION);
++ else
++ msg (msglevel, "You are using an obsolete parameter: --%s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
++ p[0], PACKAGE_VERSION);
++ }
+ #endif
+ #if PASSTOS_CAPABILITY
+ else if (streq (p[0], "passtos") && !p[1])
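Review bot: The new pkcs11 branch is inserted immediately before an `#endif`, so it lives inside a preprocessor conditional whose `#if` is outside the hunk (the preceding branch's `VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS)` suggests a route-related block); if that conditional is not compiled in, the obsolete-option warning is silently never emitted and the options fall through to whatever handling follows. Moving the branch after the `#endif`, or guarding it with its own condition, would make the warning unconditional. The branch also has no `VERIFY_PERMISSION` call, unlike its neighbours, so these option names are accepted from any source (including pushed options, where `file` is NULL and the second `msg` form is used); since they are ignored that is likely harmless, but a one-line comment stating `/* obsolete options: accepted and ignored from any source, warn only */` would record the intent. The enclosing function continues outside the hunk.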
diff --git a/debian/patches/route_default_nil.patch b/debian/patches/route_default_nil.patch
new file mode 100644
index 0000000..adda9be
--- /dev/null
+++ b/debian/patches/route_default_nil.patch
@@ -0,0 +1,15 @@
+Description: Fix small wording in man page.
+Author: Alberto Gonzalez Iniesta <agi@inittab.org>
+Index: openvpn/doc/openvpn.8
+===================================================================
+--- openvpn.orig/doc/openvpn.8 2016-11-21 09:54:04.404957249 +0100
++++ openvpn/doc/openvpn.8 2016-11-21 09:54:04.400957231 +0100
+@@ -973,7 +973,7 @@
+ otherwise 0.
+
+ The default can be specified by leaving an option blank or setting
+-it to "default".
++it to "nil".
+
+ The
+ .B network
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..77c9735
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+auth-pam_libpam_so_filename.patch
+close_socket_before_scripts.patch
+debian_nogroup_for_sample_files.patch
+openvpn-pkcs11warn.patch
+route_default_nil.patch
+manpage_typo.patch
+kfreebsd_support.patch