Import opevpn-2.5.9

.gitignore

@@ -0,0 +1 @@
+SOURCES/openvpn-2.5.9.tar.gz

.openvpn.metadata

@@ -0,0 +1 @@
+aaea4f2aba173ae2a7d5599e78252778af277390 SOURCES/openvpn-2.5.9.tar.gz

SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch

@@ -0,0 +1,38 @@
+From: David Sommerseth <dazo@eurephia.org>
+Subject: [PATCH] Change the default cipher to AES-256-GCM for server
+ configurations
+
+This change makes the server use AES-256-GCM instead of BF-CBC as the default
+cipher for the VPN tunnel.  To avoid breaking existing running configurations
+defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
+the BF-CBC in addition to AES-CBC.  This makes it possible to migrate
+existing older client configurations one-by-one to use at least AES-CBC unless
+the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
+
+[Update 2022-06-10]
+The BF-CBC reference is now removed as of Fedora 36 and newer.  The Blowfish
+cipher is no longer available by default in OpenSSL 3.0.  It can be enabled
+via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
+not be used any more.  OpenVPN 2.4 and newer will always negotiate a stronger
+cipher by default and older OpenVPN releases are no longer supported upstream.
+
+---
+ distro/systemd/openvpn-server@.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
+index 9a8a2c7..0ecda08 100644
+--- a/distro/systemd/openvpn-server@.service.in
++++ b/distro/systemd/openvpn-server@.service.in
+@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+ Type=notify
+ PrivateTmp=true
+ WorkingDirectory=/etc/openvpn/server
+-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
+ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+ LimitNPROC=10
+ DeviceAllow=/dev/null rw
+-- 
+2.11.0
+

SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch

@@ -0,0 +1,9 @@
+diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf
+index bb79671e..9258f5c6 100644
+--- a/distro/systemd/tmpfiles-openvpn.conf
++++ b/distro/systemd/tmpfiles-openvpn.conf
+@@ -1,2 +1,2 @@
+-d /run/openvpn-client 0710 root root -
+-d /run/openvpn-server 0710 root root -
++d /run/openvpn-client 0750 root openvpn -
++d /run/openvpn-server 0750 root openvpn -

SOURCES/openvpn-2.5.9.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmPsuVsACgkQi3QXs+uz
+swmCnA/9HZonTX9ShsdohsrxMmFk0PwgOKWabjm82rFPLqcIx/3UOhEBJsmKwUnX
++aT/6qEgLTDc8O2YNofk3J+RPLbUoAf42orbCYYcz86AVKnqjBQ4Lmeo1GzkZM4F
+8KqmovYGMR0taOHd/qVLOWsczYofrnDcc2gAjGJUhcrhGqajL4MX7zXMgiL/rMeZ
+AsaGi95WbJaw17oWKgNb2XW2iQ1/LNtJPyB9E8L/1tIEolYrXAMrWn4L4A6h51j/
+Lo+HqRS85gawWR48g6nlP/sGmCamoQFF0SH7YX07qGL180i+ouDzH+WCGolKgJAW
+V6s6TAJzXIGc7KV5Wvz6uWn0zjqXJQzXFhkWatjO+HbPKn7wnvgRFnzElTTh9Tdt
+EkwtGek+/I8iQXOsLf+bk8bqv17C/6B84X52ZKxMCZU5mKF9es0SxKZK5tIR6J3q
+6K/ILMLC5EFT5Vr55Ls4+upKZtcs+yvs1bo1QhM1pYJglwak1ZFDMZcXSU88I0k8
+ThGD1WGSvlHJTPu7LfRGMv57oUEJ9/5RE6ehcX/i5mg9O32ICtfS/kzKoJTAN61a
+msVzBbamQafq92ZgtkCIk3v/0MXPwSHL/xIBckKM5foAVw/+zyG3kOYiMf3h1ho7
+TjiCJV1fySbazFkKEQKnHWoLSOPcpy0NWwEyNLwPmQGmANhZaLo=
+=0TR5
+-----END PGP SIGNATURE-----

SOURCES/openvpn.spec

@@ -0,0 +1,381 @@
+%define _hardened_build 1
+
+# Build conditionals
+# tests_long - Enabled by default, enables long running tests in %%check
+%bcond_without tests_long
+
+Name:              openvpn
+Version:           2.5.9
+Release:           1%{?dist}
+Summary:           A full-featured TLS VPN solution
+URL:               https://community.openvpn.net/
+Source0:           https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
+Source1:           https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
+Source2:           roadwarrior-server.conf
+Source3:           roadwarrior-client.conf
+# Upstream signing key
+Source10:          gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
+Patch1:            0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
+Patch50:           openvpn-2.4-change-tmpfiles-permissions.patch
+License:           GPLv2
+BuildRequires:     gnupg2
+BuildRequires:     gcc
+BuildRequires:     automake
+BuildRequires:     autoconf
+BuildRequires:     autoconf-archive
+BuildRequires:     libtool
+BuildRequires:     gettext
+BuildRequires:     lzo-devel
+BuildRequires:     lz4-devel
+BuildRequires:     make
+BuildRequires:     openssl-devel
+BuildRequires:     pkcs11-helper-devel >= 1.11
+BuildRequires:     pam-devel
+BuildRequires:     libselinux-devel
+BuildRequires:     libcmocka-devel
+BuildRequires:     systemd
+BuildRequires:     systemd-devel
+
+%{?systemd_requires}
+Requires(pre):     /usr/sbin/useradd
+
+%if 0%{?rhel} > 7 || 0%{?fedora} > 29
+BuildRequires:  python3-docutils
+%else
+# We cannot use python36-docutils on RHEL-7 as
+# the ./configure script does not currently find
+# the rst2man-3 executable, it only looks for rst2man
+BuildRequires:  python-docutils
+%endif
+
+# For the perl_default_filter macro
+BuildRequires:     perl-macros
+
+# Filter out the perl(Authen::PAM) dependency.
+# No perl dependency is really needed at all.
+%{?perl_default_filter}
+
+%description
+OpenVPN is a robust and highly flexible tunneling application that uses all
+of the encryption, authentication, and certification features of the
+OpenSSL library to securely tunnel IP networks over a single UDP or TCP
+port.  It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
+for compression.
+
+%package devel
+Summary:           Development headers and examples for OpenVPN plug-ins
+
+%description devel
+OpenVPN can be extended through the --plugin option, which provides
+possibilities to add specialized authentication, user accounting,
+packet filtering and related features.  These plug-ins need to be
+written in C and provides a more low-level and information rich access
+to similar features as the various script-hooks.
+
+
+%prep
+gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
+%setup -q -n %{name}-%{version}
+%patch1 -p1 -b .ch_default_cipher
+%patch50 -p1
+
+# %%doc items shouldn't be executable.
+find contrib sample -type f -perm /100 \
+    -exec chmod a-x {} \;
+
+%build
+%configure \
+    --enable-silent-rules \
+    --with-crypto-library=openssl \
+    --enable-pkcs11 \
+    --enable-selinux \
+    --enable-systemd \
+    --enable-x509-alt-username \
+    --enable-async-push \
+    --docdir=%{_pkgdocdir} \
+    SYSTEMD_UNIT_DIR=%{_unitdir} \
+    TMPFILES_DIR=%{_tmpfilesdir}
+%{__make}
+
+%check
+# Test Crypto:
+./src/openvpn/openvpn --genkey --secret key
+./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key
+
+%if %{with tests_long}
+# Randomize ports for tests to avoid conflicts on the build servers.
+cport=$[ 50000 + ($RANDOM % 15534) ]
+sport=$[ $cport + 1 ]
+sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
+    -e 's/^\(lport\) .*$/\1 '$cport'/' \
+    < sample/sample-config-files/loopback-client \
+    > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
+sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
+    -e 's/^\(lport\) .*$/\1 '$sport'/' \
+    < sample/sample-config-files/loopback-server \
+    > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+
+pushd sample
+# Test SSL/TLS negotiations (runs for 2 minutes):
+../src/openvpn/openvpn --config \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
+../src/openvpn/openvpn --config \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+wait
+popd
+
+rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+%endif
+
+%install
+%{__make} install DESTDIR=$RPM_BUILD_ROOT
+find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
+mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
+cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
+
+# Create some directories the OpenVPN package should own
+mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
+mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
+
+# Package installs into %%{_pkgdocdir} directly
+# Add various additional files
+cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
+
+# Remove some files which does not really belong here
+rm -f  $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
+rm -f  $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
+rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
+
+%pre
+getent group openvpn &>/dev/null || groupadd -r openvpn
+getent passwd openvpn &>/dev/null || \
+    /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
+        -d /etc/openvpn openvpn
+
+%post
+for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
+do
+    %systemd_post $srv
+done
+
+%preun
+for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
+do
+    %systemd_preun $srv
+done
+
+%postun
+for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
+do
+    %systemd_postun_with_restart $srv
+done
+
+
+%files
+%{_pkgdocdir}
+%exclude %{_pkgdocdir}/README.IPv6
+%exclude %{_pkgdocdir}/README.mbedtls
+%exclude %{_pkgdocdir}/sample/sample-plugins
+%{_mandir}/man8/%{name}.8*
+%{_mandir}/man5/%{name}-*.5*
+%{_sbindir}/%{name}
+%{_libdir}/%{name}/
+%{_unitdir}/%{name}-client@.service
+%{_unitdir}/%{name}-server@.service
+%{_tmpfilesdir}/%{name}.conf
+%config %dir %{_sysconfdir}/%{name}/
+%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
+%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
+%attr(0750,-,openvpn) %{_rundir}/%{name}-client
+%attr(0750,-,openvpn) %{_rundir}/%{name}-server
+%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
+
+%files devel
+%{_pkgdocdir}/sample/sample-plugins
+%{_includedir}/openvpn-plugin.h
+%{_includedir}/openvpn-msg.h
+
+
+%changelog
+* Thu Feb 16 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-1
+- Update to upstream OpenVPN 2.5.9
+
+* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
+- Update to upstream OpenVPN 2.5.8
+
+* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
+- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
+  https://patchwork.openvpn.net/patch/2504/
+- Removed BF-CBC from the --data-ciphers list.  This is no longer available by default
+  in OpenSSL 3.0
+
+* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
+- Update to upstream OpenVPN 2.5.7
+
+* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
+- Update to upstream OpenVPN 2.5.6
+- Fixes CVE-2022-0547
+
+* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
+- Fix systemd related scriptlet error (#1887984)
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
+- Rebuild of 2.5.5
+
+* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
+- Update to upstream OpenVPN 2.5.5 (#2032844)
+
+* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
+- Update to upstream OpenVPN 2.5.4
+- Added new man page: openvpn-examples(5)
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
+- Update to upstream OpenVPN 2.5.3
+- Fixes CVE-2021-3606
+
+* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
+- Update to upstream OpenVPN 2.5.2
+- Fixes CVE-2020-15078
+- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
+- Update to upstream OpenVPN 2.5.1
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
+- Update to upstream OpenVPN 2.5.0
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
+- Update to upstream OpenVPN 2.4.9
+
+* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
+- Rebuilt to be linked against latest lzo (RHBZ#1802299)
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
+- Updating to upstream OpenVPN 2.4.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
+- Updating to upstream OpenVPN 2.4.7
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Oct 6 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-3
+- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Apr 26 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-1
+- Updating to upstream, openvpn-2.4.6
+
+* Thu Mar 1 2018 David Sommerseth <dazo@eurephia.org> - 2.4.5-1
+- Updating to upstream, openvpn-2.4.5
+- Package upstream ChangeLog, which contains a bit more details than Changes.rst
+- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
+  added gcc to BuildRequires.
+- Excluded not relevant file, README.mbedtls
+- Package upstream version of README.systemd
+- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
+- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
+- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.4-2
+- Fix systemd executions/requirements
+
+* Tue Sep 26 2017 David Sommerseth <dazo@eurephia.org> - 2.4.4-1
+- Update to upstream openvpn-2.4.4
+- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166}
+
+* Fri Aug  4 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-4
+- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
+- Updating to upstream openvpn-2.4.3
+- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
+- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
+- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
+- Fix remote-triggerable memory leaks {CVE-2017-7521}
+- Ensure OpenVPN systemd services are restarted upon upgrades
+- Verify PGP signature of source tarball as part of package building
+- Build against system lz4 library
+
+* Fri May 12 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-2
+- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
+- Install and take ownership of /var/lib/openvpn (rhbz#922786)
+
+* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-1
+- Updating to upstream openvpn-2.4.2
+- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468)
+- Re-enabling --enable-x509-alt-username (rhbz#1443942)
+- Add --enable-selinux
+- Build with lz4 library from Fedora
+
+* Wed Mar 29 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-3
+- Splitting out -devel files into a separate package
+- Removed several contrib and sample files which makes is not
+  strictly needed in this package.
+- build: Enable tests runs by default, long running tests can
+  be disabled with "--without tests_long"
+- build: Removed defined %%{plugins} macro not in use
+
+* Fri Mar 24 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
+- Various cleanups
+- Use systemd-rpm macros (rhbz #850257)
+- Removed the deprecated openvpn@.service unit.  Replaced by openvpn-{client,server}@.service
+- Added README.systemd describing new systemd unit files
+
+* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
+- Updating to upstream release, v2.4.1
+- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
+  and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
+- Removed no-functional ./configure options
+- Use upstream tmfiles.d/openvpn
+- Package newer openvpn-client/server@.service unit files
+
+* Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-2
+- Move to mbedtls to resolve FTBFS.
+- Dropped, re-add once openvpn supports openssl 1.1.x
+-    --enable-pkcs11 \
+-    --enable-x509-alt-username \
+
+* Tue Dec 27 2016 Jon Ciesla <limburgher@gmail.com> 2.4.0-1
+- 2.4.0.
+

SOURCES/roadwarrior-client.conf

@@ -0,0 +1,38 @@
+#########################################
+# Sample client-side OpenVPN config file
+# for connecting to multi-client server.
+#
+# Adapted from http://openvpn.sourceforge.net/20notes.html
+#
+# The server can be pinged at 10.8.0.1.
+#
+# This configuration can be used by multiple
+# clients, however each client should have
+# its own cert and key files.
+#
+# tun-style tunnel
+
+port 1194
+dev tun
+remote [my server hostname or IP address]
+
+# TLS parms
+
+tls-client
+ca sample-keys/tmp-ca.crt
+cert sample-keys/client.crt
+key sample-keys/client.key
+
+# This parm is required for connecting
+# to a multi-client server.  It tells
+# the client to accept options which
+# the server pushes to us.
+pull
+
+# Scripts can be used to do various
+# things (change nameservers, for
+# example.
+#up scripts/ifup-post
+#down scripts/ifdown-post
+
+verb 4

SOURCES/roadwarrior-server.conf

@@ -0,0 +1,67 @@
+########################################
+# Sample OpenVPN config file for
+# 2.0-style multi-client udp server
+#
+# Adapted from http://openvpn.sourceforge.net/20notes.html
+#
+# tun-style tunnel
+
+port 1194
+dev tun
+
+# Use "local" to set the source address on multi-homed hosts
+#local [IP address]
+
+# TLS parms
+tls-server 
+ca sample-keys/tmp-ca.crt
+cert sample-keys/server.crt
+key sample-keys/server.key
+dh sample-keys/dh1024.pem
+
+# Tell OpenVPN to be a multi-client udp server
+mode server
+
+# The server's virtual endpoints
+ifconfig 10.8.0.1 10.8.0.2
+
+# Pool of /30 subnets to be allocated to clients.
+# When a client connects, an --ifconfig command
+# will be automatically generated and pushed back to
+# the client.
+ifconfig-pool 10.8.0.4 10.8.0.255
+
+# Push route to client to bind it to our local
+# virtual endpoint.
+push "route 10.8.0.1 255.255.255.255"
+
+# Push any routes the client needs to get in
+# to the local network.
+push "route 192.168.0.0 255.255.255.0"
+
+# Push DHCP options to Windows clients.
+push "dhcp-option DOMAIN example.com"
+push "dhcp-option DNS 192.168.0.1"
+push "dhcp-option WINS 192.168.0.1"
+
+# Client should attempt reconnection on link
+# failure.
+keepalive 10 60
+
+# Delete client instances after some period
+# of inactivity.
+inactive 600
+
+# Route the --ifconfig pool range into the
+# OpenVPN server.
+route 10.8.0.0 255.255.255.0
+
+# The server doesn't need privileges
+user openvpn
+group openvpn
+
+# Keep TUN devices and keys open across restarts.
+persist-tun
+persist-key
+
+verb 4

SPECS/openvpn.spec

@@ -0,0 +1,387 @@
+%define _hardened_build 1
+
+# Build conditionals
+# tests_long - Enabled by default, enables long running tests in %%check
+%bcond_without tests_long
+
+Name:              openvpn
+Version:           2.5.9
+Release:           1%{?dist}
+Summary:           A full-featured TLS VPN solution
+URL:               https://community.openvpn.net/
+Source0:           https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
+Source1:           https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
+Source2:           roadwarrior-server.conf
+Source3:           roadwarrior-client.conf
+# Upstream signing key
+Source10:          gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
+Patch1:            0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
+Patch50:           openvpn-2.4-change-tmpfiles-permissions.patch
+License:           GPLv2
+BuildRequires:     gnupg2
+BuildRequires:     gcc
+BuildRequires:     automake
+BuildRequires:     autoconf
+BuildRequires:     autoconf-archive
+BuildRequires:     libtool
+BuildRequires:     gettext
+BuildRequires:     lzo-devel
+BuildRequires:     lz4-devel
+BuildRequires:     make
+BuildRequires:     openssl-devel
+BuildRequires:     pkcs11-helper-devel >= 1.11
+BuildRequires:     pam-devel
+BuildRequires:     libselinux-devel
+BuildRequires:     libcmocka-devel
+BuildRequires:     systemd
+BuildRequires:     systemd-devel
+
+%{?systemd_requires}
+Requires(pre):     /usr/sbin/useradd
+Requires(pre):     /usr/bin/getent
+
+%if 0%{?rhel} > 7 || 0%{?fedora} > 29
+BuildRequires:  python3-docutils
+%else
+# We cannot use python36-docutils on RHEL-7 as
+# the ./configure script does not currently find
+# the rst2man-3 executable, it only looks for rst2man
+BuildRequires:  python-docutils
+%endif
+
+# For the perl_default_filter macro
+BuildRequires:     perl-macros
+
+# Filter out the perl(Authen::PAM) dependency.
+# No perl dependency is really needed at all.
+%{?perl_default_filter}
+
+%description
+OpenVPN is a robust and highly flexible tunneling application that uses all
+of the encryption, authentication, and certification features of the
+OpenSSL library to securely tunnel IP networks over a single UDP or TCP
+port.  It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
+for compression.
+
+%package devel
+Summary:           Development headers and examples for OpenVPN plug-ins
+
+%description devel
+OpenVPN can be extended through the --plugin option, which provides
+possibilities to add specialized authentication, user accounting,
+packet filtering and related features.  These plug-ins need to be
+written in C and provides a more low-level and information rich access
+to similar features as the various script-hooks.
+
+
+%prep
+gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
+%setup -q -n %{name}-%{version}
+%patch1 -p1 -b .ch_default_cipher
+%patch50 -p1
+
+# %%doc items shouldn't be executable.
+find contrib sample -type f -perm /100 \
+    -exec chmod a-x {} \;
+
+%build
+%configure \
+    --enable-silent-rules \
+    --with-crypto-library=openssl \
+    --enable-pkcs11 \
+    --enable-selinux \
+    --enable-systemd \
+    --enable-x509-alt-username \
+    --enable-async-push \
+    --docdir=%{_pkgdocdir} \
+    SYSTEMD_UNIT_DIR=%{_unitdir} \
+    TMPFILES_DIR=%{_tmpfilesdir}
+%{__make}
+
+%check
+# Test Crypto:
+./src/openvpn/openvpn --genkey --secret key
+./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
+./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key
+
+%if %{with tests_long}
+# Randomize ports for tests to avoid conflicts on the build servers.
+cport=$[ 50000 + ($RANDOM % 15534) ]
+sport=$[ $cport + 1 ]
+sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
+    -e 's/^\(lport\) .*$/\1 '$cport'/' \
+    < sample/sample-config-files/loopback-client \
+    > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
+sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
+    -e 's/^\(lport\) .*$/\1 '$sport'/' \
+    < sample/sample-config-files/loopback-server \
+    > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+
+pushd sample
+# Test SSL/TLS negotiations (runs for 2 minutes):
+../src/openvpn/openvpn --config \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
+../src/openvpn/openvpn --config \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+wait
+popd
+
+rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
+    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
+%endif
+
+%install
+%{__make} install DESTDIR=$RPM_BUILD_ROOT
+find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
+mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
+cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
+
+# Create some directories the OpenVPN package should own
+mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
+mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
+
+# Package installs into %%{_pkgdocdir} directly
+# Add various additional files
+cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
+
+# Remove some files which does not really belong here
+rm -f  $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
+rm -f  $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
+rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
+
+%pre
+getent group openvpn &>/dev/null || groupadd -r openvpn
+getent passwd openvpn &>/dev/null || \
+    /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
+        -d /etc/openvpn openvpn
+exit 0
+
+%post
+for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
+do
+    %systemd_post $srv
+done
+
+%preun
+for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
+do
+    %systemd_preun $srv
+done
+
+%postun
+for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
+do
+    %systemd_postun_with_restart $srv
+done
+
+
+%files
+%{_pkgdocdir}
+%exclude %{_pkgdocdir}/README.IPv6
+%exclude %{_pkgdocdir}/README.mbedtls
+%exclude %{_pkgdocdir}/sample/sample-plugins
+%{_mandir}/man8/%{name}.8*
+%{_mandir}/man5/%{name}-*.5*
+%{_sbindir}/%{name}
+%{_libdir}/%{name}/
+%{_unitdir}/%{name}-client@.service
+%{_unitdir}/%{name}-server@.service
+%{_tmpfilesdir}/%{name}.conf
+%config %dir %{_sysconfdir}/%{name}/
+%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
+%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
+%attr(0750,-,openvpn) %{_rundir}/%{name}-client
+%attr(0750,-,openvpn) %{_rundir}/%{name}-server
+%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
+
+%files devel
+%{_pkgdocdir}/sample/sample-plugins
+%{_includedir}/openvpn-plugin.h
+%{_includedir}/openvpn-msg.h
+
+
+%changelog
+
+* Thu Sep 7 2023 Elkhan Mammadli <elkhan.mammadli@protonmail.com> - 2.5.9-1
+- Added Requires(pre): /usr/bin/getent, added exit 0 to %%prep
+
+* Thu Feb 16 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-1
+- Update to upstream OpenVPN 2.5.9
+
+* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
+- Update to upstream OpenVPN 2.5.8
+
+* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
+- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
+  https://patchwork.openvpn.net/patch/2504/
+- Removed BF-CBC from the --data-ciphers list.  This is no longer available by default
+  in OpenSSL 3.0
+
+* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
+- Update to upstream OpenVPN 2.5.7
+
+* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
+- Update to upstream OpenVPN 2.5.6
+- Fixes CVE-2022-0547
+
+* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
+- Fix systemd related scriptlet error (#1887984)
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
+- Rebuild of 2.5.5
+
+* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
+- Update to upstream OpenVPN 2.5.5 (#2032844)
+
+* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
+- Update to upstream OpenVPN 2.5.4
+- Added new man page: openvpn-examples(5)
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
+- Update to upstream OpenVPN 2.5.3
+- Fixes CVE-2021-3606
+
+* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
+- Update to upstream OpenVPN 2.5.2
+- Fixes CVE-2020-15078
+- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
+- Update to upstream OpenVPN 2.5.1
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
+- Update to upstream OpenVPN 2.5.0
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
+- Update to upstream OpenVPN 2.4.9
+
+* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
+- Rebuilt to be linked against latest lzo (RHBZ#1802299)
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
+- Updating to upstream OpenVPN 2.4.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
+- Updating to upstream OpenVPN 2.4.7
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Oct 6 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-3
+- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Apr 26 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-1
+- Updating to upstream, openvpn-2.4.6
+
+* Thu Mar 1 2018 David Sommerseth <dazo@eurephia.org> - 2.4.5-1
+- Updating to upstream, openvpn-2.4.5
+- Package upstream ChangeLog, which contains a bit more details than Changes.rst
+- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
+  added gcc to BuildRequires.
+- Excluded not relevant file, README.mbedtls
+- Package upstream version of README.systemd
+- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
+- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
+- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.4-2
+- Fix systemd executions/requirements
+
+* Tue Sep 26 2017 David Sommerseth <dazo@eurephia.org> - 2.4.4-1
+- Update to upstream openvpn-2.4.4
+- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166}
+
+* Fri Aug  4 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-4
+- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
+- Updating to upstream openvpn-2.4.3
+- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
+- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
+- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
+- Fix remote-triggerable memory leaks {CVE-2017-7521}
+- Ensure OpenVPN systemd services are restarted upon upgrades
+- Verify PGP signature of source tarball as part of package building
+- Build against system lz4 library
+
+* Fri May 12 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-2
+- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
+- Install and take ownership of /var/lib/openvpn (rhbz#922786)
+
+* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-1
+- Updating to upstream openvpn-2.4.2
+- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468)
+- Re-enabling --enable-x509-alt-username (rhbz#1443942)
+- Add --enable-selinux
+- Build with lz4 library from Fedora
+
+* Wed Mar 29 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-3
+- Splitting out -devel files into a separate package
+- Removed several contrib and sample files which makes is not
+  strictly needed in this package.
+- build: Enable tests runs by default, long running tests can
+  be disabled with "--without tests_long"
+- build: Removed defined %%{plugins} macro not in use
+
+* Fri Mar 24 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
+- Various cleanups
+- Use systemd-rpm macros (rhbz #850257)
+- Removed the deprecated openvpn@.service unit.  Replaced by openvpn-{client,server}@.service
+- Added README.systemd describing new systemd unit files
+
+* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
+- Updating to upstream release, v2.4.1
+- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
+  and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
+- Removed no-functional ./configure options
+- Use upstream tmfiles.d/openvpn
+- Package newer openvpn-client/server@.service unit files
+
+* Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-2
+- Move to mbedtls to resolve FTBFS.
+- Dropped, re-add once openvpn supports openssl 1.1.x
+-    --enable-pkcs11 \
+-    --enable-x509-alt-username \
+
+* Tue Dec 27 2016 Jon Ciesla <limburgher@gmail.com> 2.4.0-1
+- 2.4.0.
+