Index: head/security/openvpn/Makefile
===================================================================
--- head/security/openvpn/Makefile (revision 382704)
+++ head/security/openvpn/Makefile (revision 382705)
@@ -1,111 +1,116 @@ # Created by: Matthias Andree # $FreeBSD$ PORTNAME= openvpn DISTVERSION= 2.3.6 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ MAINTAINER= mandree@FreeBSD.org COMMENT= Secure IP/Ethernet tunnel daemon LICENSE= GPLv2 CONFLICTS_INSTALL= openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* GNU_CONFIGURE= yes USES= cpe libtool pkgconfig shebangfix tar:xz SHEBANG_FILES= sample/sample-scripts/verify-cn \ sample/sample-scripts/auth-pam.pl \ sample/sample-scripts/ucn.pl # let OpenVPN's configure script pick up the requisite libraries: CPPFLAGS+= -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib -OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME +OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX OPTIONS_DEFAULT= EASYRSA OPENSSL OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL POLARSSL PW_SAVE_DESC= Interactive passwords may be read from a file PKCS11_DESC= Use security/pkcs11-helper EASYRSA_DESC= Install security/easy-rsa RSA helper package POLARSSL_DESC= SSL/TLS support via PolarSSL X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL) +ENGINEFIX_DESC= EXPERIMENTAL patch to fix SSL engine use EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa PKCS11_LIB_DEPENDS= libpkcs11-helper.so:${PORTSDIR}/security/pkcs11-helper PKCS11_CONFIGURE_ENABLE= pkcs11 PW_SAVE_CONFIGURE_ENABLE= password-save X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username .include + +.if ${PORT_OPTIONS:MENGINEFIX} +EXTRA_PATCHES+= ${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1 +.endif .if ${PORT_OPTIONS:MPOLARSSL} . if ${PORT_OPTIONS:MX509ALTUSERNAME} BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead . 
else LIB_DEPENDS+= libpolarssl.so:${PORTSDIR}/security/polarssl CONFIGURE_ARGS+= --with-crypto-library=polarssl . endif .else USE_OPENSSL= yes CONFIGURE_ARGS+= --with-crypto-library=openssl .endif USE_RC_SUBR= openvpn USE_LDCONFIG= ${PREFIX}/lib SUB_FILES= pkg-message .include .ifdef (LOG_OPENVPN) CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN} .endif LIB_DEPENDS+= liblzo2.so:${PORTSDIR}/archivers/lzo2 PORTDOCS= * PORTEXAMPLES= * pre-configure: .ifdef (LOG_OPENVPN) @${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}" .else @${ECHO} "" @${ECHO} "You may use the following build options:" @${ECHO} "" @${ECHO} " LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}" @${ECHO} " EXAMPLE: make LOG_OPENVPN=LOG_LOCAL6" @${ECHO} "" .endif post-build: @# self-tests here .if !defined(WITHOUT_CHECK) @${ECHO} ; ${ECHO} "### Note that you can skip these lengthy selftests with WITHOUT_CHECK=yes ###" ; ${ECHO} cd ${WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${_MAKE_JOBS} ${MAKE_ARGS} check .endif post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so ${MKDIR} ${STAGEDIR}${PREFIX}/include .if ${PORT_OPTIONS:MDOCS} ${MKDIR} ${STAGEDIR}${DOCSDIR}/ .for i in AUTHORS ChangeLog PORTS ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/ .endfor .endif .if ${PORT_OPTIONS:MEXAMPLES} (cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/) ${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/* .endif .include Index: head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch =================================================================== --- head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch (nonexistent) +++ head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch (revision 382705) 
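Review bot: The new `ENGINEFIX` block applies the engine-reload patch under both SSL backends, yet the patch's crypto_polarssl.c hunk only adds an empty `crypto_uninit_lib_engine` stub, so the option only changes behaviour with OPENSSL and the description should say so, e.g. `ENGINEFIX_DESC= EXPERIMENTAL patch to reload OpenSSL engines after daemonizing (OpenSSL only)`. The `.if ${PORT_OPTIONS:MENGINEFIX}` / `EXTRA_PATCHES+=` / `.endif` block can be collapsed to the option helper `ENGINEFIX_EXTRA_PATCHES= ${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1`, matching how the other options here use `_CONFIGURE_ENABLE` and `_LIB_DEPENDS` helpers, provided the ports framework revision in use supports that helper. The `.include` line the block follows has its argument stripped on this page, so its placement relative to the options include cannot be confirmed from here.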
@@ -0,0 +1,171 @@
+From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001
+From: Steffan Karger
+Date: Sun, 22 Mar 2015 19:51:25 +0100
+Subject: [PATCH] Reload OpenSSL engines after forking
+
+As reported in trac ticket #480, the cryptodev OpenSSL engine opens
+/dev/crypto on load, but runs into trouble when the pid changes due to a
+call to daemon(). We cannot simply call daemon() before intilializing,
+because that will change the interpretation of relative paths in the config
+file. To work around that, not only fixup the PKCS#11 state after calling
+daemon(), but also reload the OpenSSL engines.
+
+Signed-off-by: Steffan Karger
+---
+ src/openvpn/crypto.c | 17 +++++++++++++++++
+ src/openvpn/crypto.h | 7 +++++++
+ src/openvpn/crypto_backend.h | 8 +++++++-
+ src/openvpn/crypto_openssl.c | 21 +++++++++++++--------
+ src/openvpn/crypto_polarssl.c | 5 +++++
+ src/openvpn/init.c | 4 +---
+ 6 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index c1b9df3..5353479 100644
+--- a/src/openvpn/crypto.c
++++ b/src/openvpn/crypto.c
+@@ -36,6 +36,7 @@
+ #include "crypto.h"
+ #include "error.h"
+ #include "misc.h"
++#include "pkcs11.h"
+ 
+ #include "memdbg.h"
+ 
+@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame,
+ __func__, crypto_overhead);
+ }
+ 
++void
++crypto_fork_fixup(const char *crypto_engine)
++{
++#if defined(ENABLE_PKCS11)
++ pkcs11_forkFixup ();
++#endif
++
++ if (crypto_engine)
++ {
++ /* Reload crypto engines, because a cryptodev engine opens file
++ * descriptors, which might no longer be usable after forking. */
++ crypto_uninit_lib_engine();
++ crypto_init_lib_engine(crypto_engine);
++ }
++}
++
+ /*
+ * Build a struct key_type.
+ */
+diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
+index 82158f9..2e57765 100644
+--- a/src/openvpn/crypto.h
++++ b/src/openvpn/crypto.h
+@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame,
+ bool packet_id,
+ bool packet_id_long_form);
+ 
++/**
++ * Try to fixup crypto stuff that breaks after forking.
++ *
++ * @param crypto_engine Name of the crypto engine to reload.
++ */
++void crypto_fork_fixup(const char *crypto_engine);
++
+ 
+ /* Minimum length of the nonce used by the PRNG */
+ #define NONCE_SECRET_LEN_MIN 16
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index 4e45df0..db6421a 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -49,11 +49,17 @@ void crypto_uninit_lib (void);
+ 
+ void crypto_clear_error (void);
+ 
+-/*
++/**
+ * Initialise the given named crypto engine.
+ */
+ void crypto_init_lib_engine (const char *engine_name);
+ 
++/**
++ * Uninitialise previously loaded crypto engines.
++ */
++void crypto_uninit_lib_engine (void);
++
++
+ #ifdef DMALLOC
+ /*
+ * OpenSSL memory debugging. If dmalloc debugging is enabled, tell
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 2d81a6d..5e91752 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name)
+ #endif
+ }
+ 
++void
++crypto_uninit_lib_engine (void) {
++#if HAVE_OPENSSL_ENGINE
++ if (engine_initialized)
++ {
++ ENGINE_cleanup ();
++ engine_persist = NULL;
++ engine_initialized = false;
++ }
++#endif
++}
++
+ /*
+ *
+ * Functions related to the core crypto library
+@@ -168,14 +180,7 @@ crypto_uninit_lib (void)
+ fclose (fp);
+ #endif
+ 
+-#if HAVE_OPENSSL_ENGINE
+- if (engine_initialized)
+- {
+- ENGINE_cleanup ();
+- engine_persist = NULL;
+- engine_initialized = false;
+- }
+-#endif
++ crypto_uninit_lib_engine();
+ }
+ 
+ void
+diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
+index c038f8e..900a98a 100644
+--- a/src/openvpn/crypto_polarssl.c
++++ b/src/openvpn/crypto_polarssl.c
+@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name)
+ "available");
+ }
+ 
++void
++crypto_uninit_lib_engine (void)
++{
++}
++
+ /*
+ *
+ * Functions related to the core crypto library
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index b97d2da..2680c59 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options)
+ if (options->log)
+ set_std_files_to_null (true);
+ 
+-#if defined(ENABLE_PKCS11)
+- pkcs11_forkFixup ();
+-#endif
++ crypto_fork_fixup (options->engine);
+ 
+ ret = true;
+ }
+--
+2.1.0
+
Property changes on: head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
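Review bot: The new `crypto_fork_fixup` tears the engine down with `ENGINE_cleanup()` and re-registers it in the child, but neither the crypto.h doc comment nor the function says what that does to engine-backed objects that may already exist at the time `possibly_become_daemon` runs (a default-engine setting or any key handle obtained through the engine before `daemon()`); whether such objects exist depends on the initialisation order in init.c, which is outside these hunks. I would extend the header comment with the precondition, e.g. `* Must be called in the child immediately after daemon(); engine-backed objects created before the call are invalidated by the reload — callers must not hold any.`, adjusting the wording once the call order is confirmed. Also, `crypto_uninit_lib_engine (void) {` in the crypto_openssl.c hunk puts the brace on the signature line, unlike `crypto_fork_fixup` and the crypto_polarssl.c stub in the same patch, which place it on its own line. The surrounding `crypto_uninit_lib` and `possibly_become_daemon` bodies start outside their hunks.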