commit 2adbb6c46b98a8871892df53ba3ec7a0f187b415 Author: MSVSphere Packaging Team Date: Wed Mar 20 02:13:16 2024 +0300 import openvpn-2.4.12-2.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..121ecb7 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/openvpn-2.4.12.tar.xz +SOURCES/openvpn-2.4.12.tar.xz.asc diff --git a/.openvpn.metadata b/.openvpn.metadata new file mode 100644 index 0000000..71d457d --- /dev/null +++ b/.openvpn.metadata @@ -0,0 +1,2 @@ +6a2b67d4f56da70ebdfc32340ba554af1f211d67 SOURCES/openvpn-2.4.12.tar.xz +2852ec59f46c9f8c85209062f9c6c1c8372fed6f SOURCES/openvpn-2.4.12.tar.xz.asc diff --git a/SOURCES/.rpmlint b/SOURCES/.rpmlint new file mode 100644 index 0000000..04c5cff --- /dev/null +++ b/SOURCES/.rpmlint @@ -0,0 +1,11 @@ +addFilter("E: non-standard-dir-perm /etc/openvpn/client 0750L") +addFilter("E: non-standard-dir-perm /etc/openvpn/server 0750L") +addFilter("E: non-standard-dir-perm /run/openvpn-client 0750L") +addFilter("E: non-standard-dir-perm /run/openvpn-server 0750L") +addFilter("E: non-standard-dir-perm /var/lib/openvpn 0770L") +addFilter("W: non-standard-gid /etc/openvpn/client openvpn") +addFilter("W: non-standard-gid /etc/openvpn/server openvpn") +addFilter("W: non-standard-gid /run/openvpn-client openvpn") +addFilter("W: non-standard-gid /run/openvpn-server openvpn") +addFilter("W: non-standard-gid /var/lib/openvpn openvpn") +addFilter("W: non-standard-uid /var/lib/openvpn openvpn") diff --git a/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch b/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch new file mode 100644 index 0000000..7e11fe8 --- /dev/null +++ b/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch @@ -0,0 +1,32 @@ +From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001 +From: David Sommerseth +Date: Tue, 4 Jul 2017 16:06:24 +0200 +Subject: [PATCH] Change the default cipher to AES-256-GCM for server + configurations + +This change makes the server use AES-256-GCM instead of BF-CBC as the default +cipher for the VPN tunnel. To avoid breaking existing running configurations +defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains +the BF-CBC in addition to AES-CBC. This makes it possible to migrate +existing older client configurations one-by-one to use at least AES-CBC unless +the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) +--- + distro/systemd/openvpn-server@.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in +index 9a8a2c7..0ecda08 100644 +--- a/distro/systemd/openvpn-server@.service.in ++++ b/distro/systemd/openvpn-server@.service.in +@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO + Type=notify + PrivateTmp=true + WorkingDirectory=/etc/openvpn/server +-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf ++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE + LimitNPROC=10 + DeviceAllow=/dev/null rw +-- +2.11.0 + diff --git a/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg b/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg new file mode 100644 index 0000000..8272cee Binary files /dev/null and b/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg differ diff --git a/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch b/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch new file mode 100644 index 0000000..8adb700 --- /dev/null +++ b/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch @@ -0,0 +1,9 @@ +diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf +index bb79671e..9258f5c6 100644 +--- a/distro/systemd/tmpfiles-openvpn.conf ++++ b/distro/systemd/tmpfiles-openvpn.conf +@@ -1,2 +1,2 @@ +-d /run/openvpn-client 0710 root root - +-d /run/openvpn-server 0710 root root - ++d /run/openvpn-client 0750 root openvpn - ++d /run/openvpn-server 0750 root openvpn - diff --git a/SOURCES/roadwarrior-client.conf b/SOURCES/roadwarrior-client.conf new file mode 100644 index 0000000..dd12fdb --- /dev/null +++ b/SOURCES/roadwarrior-client.conf @@ -0,0 +1,38 @@ +######################################### +# Sample client-side OpenVPN config file +# for connecting to multi-client server. +# +# Adapted from http://openvpn.sourceforge.net/20notes.html +# +# The server can be pinged at 10.8.0.1. +# +# This configuration can be used by multiple +# clients, however each client should have +# its own cert and key files. +# +# tun-style tunnel + +port 1194 +dev tun +remote [my server hostname or IP address] + +# TLS parms + +tls-client +ca sample-keys/tmp-ca.crt +cert sample-keys/client.crt +key sample-keys/client.key + +# This parm is required for connecting +# to a multi-client server. It tells +# the client to accept options which +# the server pushes to us. +pull + +# Scripts can be used to do various +# things (change nameservers, for +# example. +#up scripts/ifup-post +#down scripts/ifdown-post + +verb 4 diff --git a/SOURCES/roadwarrior-server.conf b/SOURCES/roadwarrior-server.conf new file mode 100644 index 0000000..be3db15 --- /dev/null +++ b/SOURCES/roadwarrior-server.conf @@ -0,0 +1,67 @@ +######################################## +# Sample OpenVPN config file for +# 2.0-style multi-client udp server +# +# Adapted from http://openvpn.sourceforge.net/20notes.html +# +# tun-style tunnel + +port 1194 +dev tun + +# Use "local" to set the source address on multi-homed hosts +#local [IP address] + +# TLS parms +tls-server +ca sample-keys/tmp-ca.crt +cert sample-keys/server.crt +key sample-keys/server.key +dh sample-keys/dh1024.pem + +# Tell OpenVPN to be a multi-client udp server +mode server + +# The server's virtual endpoints +ifconfig 10.8.0.1 10.8.0.2 + +# Pool of /30 subnets to be allocated to clients. +# When a client connects, an --ifconfig command +# will be automatically generated and pushed back to +# the client. +ifconfig-pool 10.8.0.4 10.8.0.255 + +# Push route to client to bind it to our local +# virtual endpoint. +push "route 10.8.0.1 255.255.255.255" + +# Push any routes the client needs to get in +# to the local network. +push "route 192.168.0.0 255.255.255.0" + +# Push DHCP options to Windows clients. +push "dhcp-option DOMAIN example.com" +push "dhcp-option DNS 192.168.0.1" +push "dhcp-option WINS 192.168.0.1" + +# Client should attempt reconnection on link +# failure. +keepalive 10 60 + +# Delete client instances after some period +# of inactivity. +inactive 600 + +# Route the --ifconfig pool range into the +# OpenVPN server. +route 10.8.0.0 255.255.255.0 + +# The server doesn't need privileges +user openvpn +group openvpn + +# Keep TUN devices and keys open across restarts. +persist-tun +persist-key + +verb 4 diff --git a/SPECS/openvpn.spec b/SPECS/openvpn.spec new file mode 100644 index 0000000..4bc918d --- /dev/null +++ b/SPECS/openvpn.spec @@ -0,0 +1,312 @@ +%define _hardened_build 1 +#define prerelease rc22 + +# Build conditionals +# tests_long - Enabled by default, enables long running tests in %%check +%bcond_without tests_long + +Name: openvpn +Version: 2.4.12 +Release: 2%{?prerelease:.%{prerelease}}%{?dist} +Summary: A full-featured SSL VPN solution +URL: https://community.openvpn.net/ +Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz +Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc +Source2: roadwarrior-server.conf +Source3: roadwarrior-client.conf +# Upstream signing key +Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg +Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch +Patch50: openvpn-2.4-change-tmpfiles-permissions.patch +License: GPLv2 +BuildRequires: gnupg2 +BuildRequires: gcc +BuildRequires: systemd-devel +BuildRequires: lzo-devel +BuildRequires: lz4-devel +BuildRequires: openssl-devel +BuildRequires: pkcs11-helper-devel >= 1.11 +BuildRequires: pam-devel +BuildRequires: libselinux-devel +# For the perl_default_filter macro +BuildRequires: perl-macros +BuildRequires: systemd +%{?systemd_requires} +# For /sbin/ip. +BuildRequires: iproute +Requires: iproute +Requires(pre): /usr/sbin/useradd + +# Filter out the perl(Authen::PAM) dependency. +# No perl dependency is really needed at all. +%{?perl_default_filter} + +%description +OpenVPN is a robust and highly flexible tunneling application that uses all +of the encryption, authentication, and certification features of the +OpenSSL library to securely tunnel IP networks over a single UDP or TCP +port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library +for compression. + +%package devel +Summary: Development headers and examples for OpenVPN plug-ins + +%description devel +OpenVPN can be extended through the --plugin option, which provides +possibilities to add specialized authentication, user accounting, +packet filtering and related features. These plug-ins need to be +written in C and provides a more low-level and information rich access +to similar features as the various script-hooks. + + +%prep +gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0} +%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}} +%patch1 -p1 -b .ch_default_cipher +%patch50 -p1 + +sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8 + +# %%doc items shouldn't be executable. +find contrib sample -type f -perm /100 \ + -exec chmod a-x {} \; + +%build +%configure \ + --enable-iproute2 \ + --with-crypto-library=openssl \ + --enable-pkcs11 \ + --enable-selinux \ + --enable-systemd \ + --enable-x509-alt-username \ + --enable-async-push \ + --docdir=%{_pkgdocdir} \ + SYSTEMD_UNIT_DIR=%{_unitdir} \ + TMPFILES_DIR=%{_tmpfilesdir} \ + IPROUTE=/sbin/ip +%{__make} %{?_smp_mflags} + +%check +# Test Crypto: +./src/openvpn/openvpn --genkey --secret key +./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key + +%if %{with tests_long} +# Randomize ports for tests to avoid conflicts on the build servers. +cport=$[ 50000 + ($RANDOM % 15534) ] +sport=$[ $cport + 1 ] +sed -e 's/^\(rport\) .*$/\1 '$sport'/' \ + -e 's/^\(lport\) .*$/\1 '$cport'/' \ + < sample/sample-config-files/loopback-client \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client +sed -e 's/^\(rport\) .*$/\1 '$cport'/' \ + -e 's/^\(lport\) .*$/\1 '$sport'/' \ + < sample/sample-config-files/loopback-server \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server + +pushd sample +# Test SSL/TLS negotiations (runs for 2 minutes): +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client & +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +wait +popd + +rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +%endif + +%install +%{__make} install DESTDIR=$RPM_BUILD_ROOT +find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f +mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server +cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/ + +# Create some directories the OpenVPN package should own +mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server} +mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name} + +# Package installs into %%{_pkgdocdir} directly +# Add various additional files +cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir} + +# Remove some files which does not really belong here +rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am} +rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch +rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys + +%pre +getent group openvpn &>/dev/null || groupadd -r openvpn +getent passwd openvpn &>/dev/null || \ + /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \ + -d /etc/openvpn openvpn +exit 0 + +%post +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_post $srv +done + +%preun +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_preun $srv +done + +%postun +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_postun_with_restart $srv +done + +%files +%{_pkgdocdir} +%exclude %{_pkgdocdir}/README.IPv6 +%exclude %{_pkgdocdir}/README.mbedtls +%exclude %{_pkgdocdir}/sample/sample-plugins +%{_mandir}/man8/%{name}.8* +%{_sbindir}/%{name} +%{_libdir}/%{name}/ +%{_unitdir}/%{name}-client@.service +%{_unitdir}/%{name}-server@.service +%{_tmpfilesdir}/%{name}.conf +%config %dir %{_sysconfdir}/%{name}/ +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server +%attr(0750,-,openvpn) %{_rundir}/%{name}-client +%attr(0750,-,openvpn) %{_rundir}/%{name}-server +%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name} + +%files devel +%{_pkgdocdir}/sample/sample-plugins +%{_includedir}/openvpn-plugin.h +%{_includedir}/openvpn-msg.h + + +%changelog +* Wed Mar 20 2024 MSVSphere Packaging Team - 2.4.12-2 +- Rebuilt for MSVSphere 8.9 + +* Thu Nov 9 2023 David Sommerseth - 2.4.12-2 +- Fix false exit status on pre runtime scriptlet (Elkhan Mammadli , RHBZ#2239722) +- Misbehaving systemctl scriptlet globbing issues (RHBZ#1887984) + +* Thu Mar 17 2022 David Sommerseth - 2.4.12-1 +- Update to upstream OpenVPN 2.4.12 +- Fixes CVE-2022-0547 + +* Wed Apr 21 2021 David Sommerseth - 2.4.11-1 +- Update to upstream OpenVPN 2.4.11 +- Fixes CVE-2020-15078 + +* Wed Dec 9 2020 David Sommerseth - 2.4.10-1 +- Update to upstream OpenVPN 2.4.10 + +* Sun Apr 19 2020 David Sommerseth - 2.4.9-1 +- Update to upstream OpenVPN 2.4.9 + +* Fri Nov 1 2019 David Sommerseth - 2.4.8-1 +- Updating to upstream OpenVPN 2.4.8 + +* Wed Feb 20 2019 David Sommerseth - 2.4.7-1 +- Updating to upstream OpenVPN 2.4.7 + +* Fri Feb 01 2019 Fedora Release Engineering - 2.4.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Oct 6 2018 David Sommerseth - 2.4.6-3 +- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends + +* Fri Jul 13 2018 Fedora Release Engineering - 2.4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Apr 26 2018 David Sommerseth - 2.4.6-1 +- Updating to upstream, openvpn-2.4.6 + +* Thu Mar 1 2018 David Sommerseth - 2.4.5-1 +- Updating to upstream, openvpn-2.4.5 +- Package upstream ChangeLog, which contains a bit more details than Changes.rst +- Cleaned up spec file further, removed Group: tag, trimmed changelog section, + added gcc to BuildRequires. +- Excluded not relevant file, README.mbedtls +- Package upstream version of README.systemd +- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743) +- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated) +- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn + +* Thu Feb 08 2018 Fedora Release Engineering - 2.4.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 25 2018 Igor Gnatenko - 2.4.4-2 +- Fix systemd executions/requirements + +* Tue Sep 26 2017 David Sommerseth - 2.4.4-1 +- Update to upstream openvpn-2.4.4 +- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166} + +* Fri Aug 4 2017 David Sommerseth - 2.4.3-4 +- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270) + +* Thu Aug 03 2017 Fedora Release Engineering - 2.4.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 2.4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jun 21 2017 David Sommerseth - 2.4.3-1 +- Updating to upstream openvpn-2.4.3 +- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508} +- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520} +- Fix potential double-free in --x509-alt-username {CVE-2017-7521} +- Fix remote-triggerable memory leaks {CVE-2017-7521} +- Ensure OpenVPN systemd services are restarted upon upgrades +- Verify PGP signature of source tarball as part of package building +- Build against system lz4 library + +* Fri May 12 2017 David Sommerseth - 2.4.2-2 +- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601) +- Install and take ownership of /var/lib/openvpn (rhbz#922786) + +* Thu May 11 2017 David Sommerseth - 2.4.2-1 +- Updating to upstream openvpn-2.4.2 +- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468) +- Re-enabling --enable-x509-alt-username (rhbz#1443942) +- Add --enable-selinux +- Build with lz4 library from Fedora + +* Wed Mar 29 2017 David Sommerseth - 2.4.1-3 +- Splitting out -devel files into a separate package +- Removed several contrib and sample files which makes is not + strictly needed in this package. +- build: Enable tests runs by default, long running tests can + be disabled with "--without tests_long" +- build: Removed defined %%{plugins} macro not in use + +* Fri Mar 24 2017 David Sommerseth - 2.4.1-2 +- Various cleanups +- Use systemd-rpm macros (rhbz #850257) +- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service +- Added README.systemd describing new systemd unit files + +* Thu Mar 23 2017 David Sommerseth - 2.4.1-1 +- Updating to upstream release, v2.4.1 +- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1 + and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile) +- Removed no-functional ./configure options +- Use upstream tmfiles.d/openvpn +- Package newer openvpn-client/server@.service unit files + +* Thu Feb 09 2017 Jon Ciesla 2.4.0-2 +- Move to mbedtls to resolve FTBFS. +- Dropped, re-add once openvpn supports openssl 1.1.x +- --enable-pkcs11 \ +- --enable-x509-alt-username \ + +* Tue Dec 27 2016 Jon Ciesla 2.4.0-1 +- 2.4.0. +