rpms
/
openvpn
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:a9
Branches Tags
rpms:a9
rpms:a8
rpms:a9-exit
rpms:v2.5.9-3fix2
rpms:v2.5.9-3fix1
rpms:v2.5.9-3
rpms:pre-exit
...
pull from: rpms:a8
Branches Tags
rpms:a9
rpms:a8
rpms:a9-exit
rpms:v2.5.9-3fix2
rpms:v2.5.9-3fix1
rpms:v2.5.9-3
rpms:pre-exit

No commits in common. "a9" and "a8" have entirely different histories.
a9 ... a8

8 changed files with 59 additions and 539 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/openvpn-2.5.9.tar.gz
SOURCES/openvpn-2.4.12.tar.xz

2
.openvpn.metadata
View File

@ -1 +1 @@
aaea4f2aba173ae2a7d5599e78252778af277390 SOURCES/openvpn-2.5.9.tar.gz
6a2b67d4f56da70ebdfc32340ba554af1f211d67 SOURCES/openvpn-2.4.12.tar.xz

12
SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
View File

@ -1,4 +1,6 @@
From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001
From: David Sommerseth <dazo@eurephia.org>
Date: Tue, 4 Jul 2017 16:06:24 +0200
Subject: [PATCH] Change the default cipher to AES-256-GCM for server
configurations
@ -8,14 +10,6 @@ defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
the BF-CBC in addition to AES-CBC. This makes it possible to migrate
existing older client configurations one-by-one to use at least AES-CBC unless
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
[Update 2022-06-10]
The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish
cipher is no longer available by default in OpenSSL 3.0. It can be enabled
via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger
cipher by default and older OpenVPN releases are no longer supported upstream.
---
distro/systemd/openvpn-server@.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@ -29,7 +23,7 @@ index 9a8a2c7..0ecda08 100644
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw

BIN
SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
View File

Binary file not shown.

16
SOURCES/openvpn-2.4.12.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE/DZ4Imbv9iQMR50nEco5yCwF7okFAmIzIXIACgkQEco5yCwF
7ok0wBAAju3N5vL5JFJotB/w4pmmdHn52qp1vLjvMFNQUldny7rR8v/TiaFq/G7E
YaP65xLmy8Yu7eAfYL/B0xtzcpzuiLpxuyLGZSxq4Ct/b5RzjXXp09ZvlWCRueFg
iJ+kFK2lgvuIi1KUttFwfeEPkYBhbrE4Gd97thCT1zerlvCCa+6BCmNf3oBlUyDM
e3KdkeAp/ywu/sf+jlodTWp2FLHGRFgN9WZC2tA0DGLwUqSN15CQaz95h8d23v8N
veAdoX15I7muHaHyiDhFKAqReZV1f9GoXg6I1nlkBtYY60kHydLucVWjnO3cRasj
o9zX/ga9INltkNkpnppHiMprJxnrrQOeP77s0Wf0Ko2dzmimuNv+CkPPHsueuE2D
AVyrSLHJop7eIbuNM6kZmCJuWgcjeV2SgdVjH8H4n6Mw6zEoc17RVzWhFch7mpJ7
EPpbcXC7PjNWUWTBSujT7akzpppcZJM7YgBFURPpp/URl1oWRFYL2RdcF3hlILz7
SlAWQX7HmL4hc5mxjBCy9OcfsxpXi+MCPKFM5pi1xk1WMJyhjpMI6TigFPu1XoZb
viUrMcJnKiMkMAAqg5AKcVHmRQpNk3iCvFea9kEZ0aSHR8/9S+e5CzHtZLuyOzuF
dvzk5i1j7xZs2oAPR66iLWoK3MxNv0+d2/4JCoXwahbODgL9/Uw=
=Xju/
-----END PGP SIGNATURE-----

16
SOURCES/openvpn-2.5.9.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmPsuVsACgkQi3QXs+uz
swmCnA/9HZonTX9ShsdohsrxMmFk0PwgOKWabjm82rFPLqcIx/3UOhEBJsmKwUnX
+aT/6qEgLTDc8O2YNofk3J+RPLbUoAf42orbCYYcz86AVKnqjBQ4Lmeo1GzkZM4F
8KqmovYGMR0taOHd/qVLOWsczYofrnDcc2gAjGJUhcrhGqajL4MX7zXMgiL/rMeZ
AsaGi95WbJaw17oWKgNb2XW2iQ1/LNtJPyB9E8L/1tIEolYrXAMrWn4L4A6h51j/
Lo+HqRS85gawWR48g6nlP/sGmCamoQFF0SH7YX07qGL180i+ouDzH+WCGolKgJAW
V6s6TAJzXIGc7KV5Wvz6uWn0zjqXJQzXFhkWatjO+HbPKn7wnvgRFnzElTTh9Tdt
EkwtGek+/I8iQXOsLf+bk8bqv17C/6B84X52ZKxMCZU5mKF9es0SxKZK5tIR6J3q
6K/ILMLC5EFT5Vr55Ls4+upKZtcs+yvs1bo1QhM1pYJglwak1ZFDMZcXSU88I0k8
ThGD1WGSvlHJTPu7LfRGMv57oUEJ9/5RE6ehcX/i5mg9O32ICtfS/kzKoJTAN61a
msVzBbamQafq92ZgtkCIk3v/0MXPwSHL/xIBckKM5foAVw/+zyG3kOYiMf3h1ho7
TjiCJV1fySbazFkKEQKnHWoLSOPcpy0NWwEyNLwPmQGmANhZaLo=
=0TR5
-----END PGP SIGNATURE-----

381
SOURCES/openvpn.spec
View File

@ -1,381 +0,0 @@
%define _hardened_build 1
# Build conditionals
# tests_long - Enabled by default, enables long running tests in %%check
%bcond_without tests_long
Name: openvpn
Version: 2.5.9
Release: 1%{?dist}
Summary: A full-featured TLS VPN solution
URL: https://community.openvpn.net/
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
Source2: roadwarrior-server.conf
Source3: roadwarrior-client.conf
# Upstream signing key
Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
License: GPLv2
BuildRequires: gnupg2
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: libtool
BuildRequires: gettext
BuildRequires: lzo-devel
BuildRequires: lz4-devel
BuildRequires: make
BuildRequires: openssl-devel
BuildRequires: pkcs11-helper-devel >= 1.11
BuildRequires: pam-devel
BuildRequires: libselinux-devel
BuildRequires: libcmocka-devel
BuildRequires: systemd
BuildRequires: systemd-devel
%{?systemd_requires}
Requires(pre): /usr/sbin/useradd
%if 0%{?rhel} > 7 || 0%{?fedora} > 29
BuildRequires: python3-docutils
%else
# We cannot use python36-docutils on RHEL-7 as
# the ./configure script does not currently find
# the rst2man-3 executable, it only looks for rst2man
BuildRequires: python-docutils
%endif
# For the perl_default_filter macro
BuildRequires: perl-macros
# Filter out the perl(Authen::PAM) dependency.
# No perl dependency is really needed at all.
%{?perl_default_filter}
%description
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.
%package devel
Summary: Development headers and examples for OpenVPN plug-ins
%description devel
OpenVPN can be extended through the --plugin option, which provides
possibilities to add specialized authentication, user accounting,
packet filtering and related features. These plug-ins need to be
written in C and provides a more low-level and information rich access
to similar features as the various script-hooks.
%prep
gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
%setup -q -n %{name}-%{version}
%patch1 -p1 -b .ch_default_cipher
%patch50 -p1
# %%doc items shouldn't be executable.
find contrib sample -type f -perm /100 \
-exec chmod a-x {} \;
%build
%configure \
--enable-silent-rules \
--with-crypto-library=openssl \
--enable-pkcs11 \
--enable-selinux \
--enable-systemd \
--enable-x509-alt-username \
--enable-async-push \
--docdir=%{_pkgdocdir} \
SYSTEMD_UNIT_DIR=%{_unitdir} \
TMPFILES_DIR=%{_tmpfilesdir}
%{__make}
%check
# Test Crypto:
./src/openvpn/openvpn --genkey --secret key
./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key
%if %{with tests_long}
# Randomize ports for tests to avoid conflicts on the build servers.
cport=$[ 50000 + ($RANDOM % 15534) ]
sport=$[ $cport + 1 ]
sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
-e 's/^\(lport\) .*$/\1 '$cport'/' \
< sample/sample-config-files/loopback-client \
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
-e 's/^\(lport\) .*$/\1 '$sport'/' \
< sample/sample-config-files/loopback-server \
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
pushd sample
# Test SSL/TLS negotiations (runs for 2 minutes):
../src/openvpn/openvpn --config \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
../src/openvpn/openvpn --config \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
wait
popd
rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
%endif
%install
%{__make} install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
# Create some directories the OpenVPN package should own
mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
# Package installs into %%{_pkgdocdir} directly
# Add various additional files
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
# Remove some files which does not really belong here
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
%pre
getent group openvpn &>/dev/null || groupadd -r openvpn
getent passwd openvpn &>/dev/null || \
/usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
-d /etc/openvpn openvpn
%post
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_post $srv
done
%preun
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_preun $srv
done
%postun
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_postun_with_restart $srv
done
%files
%{_pkgdocdir}
%exclude %{_pkgdocdir}/README.IPv6
%exclude %{_pkgdocdir}/README.mbedtls
%exclude %{_pkgdocdir}/sample/sample-plugins
%{_mandir}/man8/%{name}.8*
%{_mandir}/man5/%{name}-*.5*
%{_sbindir}/%{name}
%{_libdir}/%{name}/
%{_unitdir}/%{name}-client@.service
%{_unitdir}/%{name}-server@.service
%{_tmpfilesdir}/%{name}.conf
%config %dir %{_sysconfdir}/%{name}/
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
%attr(0750,-,openvpn) %{_rundir}/%{name}-client
%attr(0750,-,openvpn) %{_rundir}/%{name}-server
%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
%files devel
%{_pkgdocdir}/sample/sample-plugins
%{_includedir}/openvpn-plugin.h
%{_includedir}/openvpn-msg.h
%changelog
* Thu Feb 16 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-1
- Update to upstream OpenVPN 2.5.9
* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
- Update to upstream OpenVPN 2.5.8
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
https://patchwork.openvpn.net/patch/2504/
- Removed BF-CBC from the --data-ciphers list. This is no longer available by default
in OpenSSL 3.0
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
- Update to upstream OpenVPN 2.5.7
* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
- Update to upstream OpenVPN 2.5.6
- Fixes CVE-2022-0547
* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
- Fix systemd related scriptlet error (#1887984)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
- Rebuild of 2.5.5
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
- Update to upstream OpenVPN 2.5.5 (#2032844)
* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
- Update to upstream OpenVPN 2.5.4
- Added new man page: openvpn-examples(5)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
- Update to upstream OpenVPN 2.5.3
- Fixes CVE-2021-3606
* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
- Update to upstream OpenVPN 2.5.2
- Fixes CVE-2020-15078
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
- Update to upstream OpenVPN 2.5.1
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
- Update to upstream OpenVPN 2.5.0
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
- Update to upstream OpenVPN 2.4.9
* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
- Rebuilt to be linked against latest lzo (RHBZ#1802299)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
- Updating to upstream OpenVPN 2.4.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
- Updating to upstream OpenVPN 2.4.7
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Sat Oct 6 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-3
- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Apr 26 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-1
- Updating to upstream, openvpn-2.4.6
* Thu Mar 1 2018 David Sommerseth <dazo@eurephia.org> - 2.4.5-1
- Updating to upstream, openvpn-2.4.5
- Package upstream ChangeLog, which contains a bit more details than Changes.rst
- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
added gcc to BuildRequires.
- Excluded not relevant file, README.mbedtls
- Package upstream version of README.systemd
- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Jan 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.4-2
- Fix systemd executions/requirements
* Tue Sep 26 2017 David Sommerseth <dazo@eurephia.org> - 2.4.4-1
- Update to upstream openvpn-2.4.4
- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166}
* Fri Aug 4 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-4
- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
- Updating to upstream openvpn-2.4.3
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
- Fix remote-triggerable memory leaks {CVE-2017-7521}
- Ensure OpenVPN systemd services are restarted upon upgrades
- Verify PGP signature of source tarball as part of package building
- Build against system lz4 library
* Fri May 12 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-2
- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
- Install and take ownership of /var/lib/openvpn (rhbz#922786)
* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-1
- Updating to upstream openvpn-2.4.2
- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468)
- Re-enabling --enable-x509-alt-username (rhbz#1443942)
- Add --enable-selinux
- Build with lz4 library from Fedora
* Wed Mar 29 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-3
- Splitting out -devel files into a separate package
- Removed several contrib and sample files which makes is not
strictly needed in this package.
- build: Enable tests runs by default, long running tests can
be disabled with "--without tests_long"
- build: Removed defined %%{plugins} macro not in use
* Fri Mar 24 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
- Various cleanups
- Use systemd-rpm macros (rhbz #850257)
- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service
- Added README.systemd describing new systemd unit files
* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
- Updating to upstream release, v2.4.1
- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
- Removed no-functional ./configure options
- Use upstream tmfiles.d/openvpn
- Package newer openvpn-client/server@.service unit files
* Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-2
- Move to mbedtls to resolve FTBFS.
- Dropped, re-add once openvpn supports openssl 1.1.x
- --enable-pkcs11 \
- --enable-x509-alt-username \
* Tue Dec 27 2016 Jon Ciesla <limburgher@gmail.com> 2.4.0-1
- 2.4.0.

169
SPECS/openvpn.spec
View File

@ -1,57 +1,41 @@
%define _hardened_build 1
#define prerelease rc22
# Build conditionals
# tests_long - Enabled by default, enables long running tests in %%check
%bcond_without tests_long
Name: openvpn
Version: 2.5.9
Release: 3%{?dist}
Summary: A full-featured TLS VPN solution
Version: 2.4.12
Release: 2%{?prerelease:.%{prerelease}}%{?dist}
Summary: A full-featured SSL VPN solution
URL: https://community.openvpn.net/
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
Source2: roadwarrior-server.conf
Source3: roadwarrior-client.conf
# Upstream signing key
Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
License: GPLv2
BuildRequires: gnupg2
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: libtool
BuildRequires: gettext
BuildRequires: systemd-devel
BuildRequires: lzo-devel
BuildRequires: lz4-devel
BuildRequires: make
BuildRequires: openssl-devel
BuildRequires: pkcs11-helper-devel >= 1.11
BuildRequires: pam-devel
BuildRequires: libselinux-devel
BuildRequires: libcmocka-devel
BuildRequires: systemd
BuildRequires: systemd-devel
%{?systemd_requires}
Requires(pre): /usr/sbin/useradd
Requires(pre): /usr/bin/getent
Requires(pre): /usr/sbin/groupadd
%if 0%{?rhel} > 7 || 0%{?fedora} > 29
BuildRequires: python3-docutils
%else
# We cannot use python36-docutils on RHEL-7 as
# the ./configure script does not currently find
# the rst2man-3 executable, it only looks for rst2man
BuildRequires: python-docutils
%endif
# For the perl_default_filter macro
BuildRequires: perl-macros
BuildRequires: systemd
%{?systemd_requires}
# For /sbin/ip.
BuildRequires: iproute
Requires: iproute
Requires(pre): /usr/sbin/useradd
# Filter out the perl(Authen::PAM) dependency.
# No perl dependency is really needed at all.
@ -76,18 +60,20 @@ to similar features as the various script-hooks.
%prep
gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
%setup -q -n %{name}-%{version}
gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
%patch1 -p1 -b .ch_default_cipher
%patch50 -p1
sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
# %%doc items shouldn't be executable.
find contrib sample -type f -perm /100 \
-exec chmod a-x {} \;
%build
%configure \
--enable-silent-rules \
--enable-iproute2 \
--with-crypto-library=openssl \
--enable-pkcs11 \
--enable-selinux \
@ -96,8 +82,9 @@ find contrib sample -type f -perm /100 \
--enable-async-push \
--docdir=%{_pkgdocdir} \
SYSTEMD_UNIT_DIR=%{_unitdir} \
TMPFILES_DIR=%{_tmpfilesdir}
%{__make}
TMPFILES_DIR=%{_tmpfilesdir} \
IPROUTE=/sbin/ip
%{__make} %{?_smp_mflags}
%check
# Test Crypto:
@ -148,12 +135,11 @@ mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
# Remove some files which does not really belong here
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
%pre
#!/bin/sh -x
getent group openvpn &>/dev/null || groupadd -r openvpn
getent passwd openvpn &>/dev/null || \
/usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
@ -161,23 +147,17 @@ getent passwd openvpn &>/dev/null || \
exit 0
%post
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_post $srv
done
%systemd_post openvpn-client@\*.service
%systemd_post openvpn-server@\*.service
%preun
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_preun $srv
done
%systemd_preun openvpn-client@\*.service
%systemd_preun openvpn-server@\*.service
%postun
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
do
%systemd_postun_with_restart $srv
done
%systemd_postun_with_restart openvpn-client@\*.service
%systemd_postun_with_restart openvpn-server@\*.service
%systemd_postun_with_restart openvpn@\*.service
%files
%{_pkgdocdir}
@ -185,7 +165,6 @@ done
%exclude %{_pkgdocdir}/README.mbedtls
%exclude %{_pkgdocdir}/sample/sample-plugins
%{_mandir}/man8/%{name}.8*
%{_mandir}/man5/%{name}-*.5*
%{_sbindir}/%{name}
%{_libdir}/%{name}/
%{_unitdir}/%{name}-client@.service
@ -205,98 +184,26 @@ done
%changelog
* Fri Nov 05 2023 Elkhan Mammadli <elkhan.mammadli@protonmail.com> - 2.4.12-2
- Added exit 0 to %%pre
* Fri Dec 11 2023 Elkhan Mammadli <elkhan.mammadli@protonmail.com> - 2.5.9-3
- Added line to the %%pre section
* Wed Dec 6 2023 Elkhan Mammadli <elkhan.mammadli@protonmail.com> - 2.5.9-3
- Added Requires(pre): /usr/sbin/groupadd
- Added exit 0 to the %%pre section
* Thu Sep 7 2023 Elkhan Mammadli <elkhan.mammadli@protonmail.com> - 2.5.9-2
- Added Requires(pre): /usr/bin/getent
* Thu Feb 16 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-1
- Update to upstream OpenVPN 2.5.9
* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
- Update to upstream OpenVPN 2.5.8
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
https://patchwork.openvpn.net/patch/2504/
- Removed BF-CBC from the --data-ciphers list. This is no longer available by default
in OpenSSL 3.0
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
- Update to upstream OpenVPN 2.5.7
* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
- Update to upstream OpenVPN 2.5.6
* Thu Mar 17 2022 David Sommerseth <davids@openvpn.net> - 2.4.12-1
- Update to upstream OpenVPN 2.4.12
- Fixes CVE-2022-0547
* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
- Fix systemd related scriptlet error (#1887984)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
- Rebuild of 2.5.5
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
- Update to upstream OpenVPN 2.5.5 (#2032844)
* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
- Update to upstream OpenVPN 2.5.4
- Added new man page: openvpn-examples(5)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
- Update to upstream OpenVPN 2.5.3
- Fixes CVE-2021-3606
* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
- Update to upstream OpenVPN 2.5.2
* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.4.11-1
- Update to upstream OpenVPN 2.4.11
- Fixes CVE-2020-15078
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
- Update to upstream OpenVPN 2.5.1
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
- Update to upstream OpenVPN 2.5.0
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Dec 9 2020 David Sommerseth <dazo@eurephia.org> - 2.4.10-1
- Update to upstream OpenVPN 2.4.10
* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
- Update to upstream OpenVPN 2.4.9
* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
- Rebuilt to be linked against latest lzo (RHBZ#1802299)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
- Updating to upstream OpenVPN 2.4.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
- Updating to upstream OpenVPN 2.4.7