From 45b32327ed2a4b49e281a281bd6b7099d3120da4 Mon Sep 17 00:00:00 2001 From: tigro Date: Tue, 24 Dec 2024 09:39:55 +0300 Subject: [PATCH] import openvpn-2.7-0.20241212gitbaa9192.el10 --- .gitignore | 87 +--- .openvpn.metadata | 1 + ...default-configuration-with-TLS-libra.patch | 225 ---------- ...lt-cipher-to-AES-256-GCM-for-server-.patch | 38 -- SOURCES/fedora-crypto-policy-compliance.patch | 13 + ...nvpn-2.4-change-tmpfiles-permissions.patch | 0 SOURCES/roadwarrior-client.conf | 38 ++ SOURCES/roadwarrior-server.conf | 67 +++ SPECS/openvpn.spec | 263 ++++++++++++ openvpn.spec | 389 ------------------ sources | 2 - 11 files changed, 383 insertions(+), 740 deletions(-) create mode 100644 .openvpn.metadata delete mode 100644 0001-Allow-running-a-default-configuration-with-TLS-libra.patch delete mode 100644 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch create mode 100644 SOURCES/fedora-crypto-policy-compliance.patch rename openvpn-2.4-change-tmpfiles-permissions.patch => SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch (100%) create mode 100644 SOURCES/roadwarrior-client.conf create mode 100644 SOURCES/roadwarrior-server.conf create mode 100644 SPECS/openvpn.spec delete mode 100644 openvpn.spec delete mode 100644 sources diff --git a/.gitignore b/.gitignore index 83990df..01eaa34 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,86 +1 @@
-openvpn-2.1.1.tar.gz
-openvpn-2.1.1.tar.gz.asc
-openvpn-2.1.2.tar.gz
-openvpn-2.1.2.tar.gz.asc
-/openvpn-2.1.3.tar.gz
-/openvpn-2.1.3.tar.gz.asc
-/openvpn-2.1.4.tar.gz
-/openvpn-2.1.4.tar.gz.asc
-/openvpn-2.2.0.tar.gz
-/openvpn-2.2.0.tar.gz.asc
-/openvpn-2.2.1.tar.gz
-/openvpn-2.2.1.tar.gz.asc
-/openvpn-2.2.2.tar.gz
-/openvpn-2.2.2.tar.gz.asc
-/openvpn-2.3.0.tar.gz
-/openvpn-2.3.0.tar.gz.asc
-/openvpn-2.3.1.tar.gz
-/openvpn-2.3.1.tar.gz.asc
-/openvpn-2.3.2.tar.gz
-/openvpn-2.3.2.tar.gz.asc
-/openvpn-2.3.3.tar.gz
-/openvpn-2.3.3.tar.gz.asc
-/openvpn-2.3.4.tar.gz
-/openvpn-2.3.4.tar.gz.asc
-/openvpn-2.3.5.tar.gz
-/openvpn-2.3.5.tar.gz.asc
-/openvpn-2.3.6.tar.gz
-/openvpn-2.3.6.tar.gz.asc
-/openvpn-2.3.7.tar.gz
-/openvpn-2.3.7.tar.gz.asc
-/openvpn-2.3.8.tar.gz
-/openvpn-2.3.8.tar.gz.asc
-/openvpn-2.3.9.tar.gz
-/openvpn-2.3.9.tar.gz.asc
-/openvpn-2.3.10.tar.gz
-/openvpn-2.3.10.tar.gz.asc
-/openvpn-2.3.11.tar.gz
-/openvpn-2.3.11.tar.gz.asc
-/openvpn-2.3.12.tar.gz
-/openvpn-2.3.12.tar.gz.asc
-/openvpn-2.3.13.tar.gz
-/openvpn-2.3.13.tar.gz.asc
-/openvpn-2.3.14.tar.gz
-/openvpn-2.3.14.tar.gz.asc
-/openvpn-2.4.0.tar.gz
-/openvpn-2.4.0.tar.gz.asc
-/openvpn-2.4.1.tar.xz
-/openvpn-2.4.1.tar.xz.asc
-/openvpn-2.4.2.tar.xz
-/openvpn-2.4.2.tar.xz.asc
-/openvpn-2.4.3.tar.xz.asc
-/openvpn-2.4.3.tar.xz
-/openvpn-2.4.4.tar.xz
-/openvpn-2.4.4.tar.xz.asc
-/openvpn-2.4.5.tar.xz
-/openvpn-2.4.5.tar.xz.asc
-/openvpn-2.4.6.tar.xz
-/openvpn-2.4.6.tar.xz.asc
-/openvpn-2.4.7.tar.xz
-/openvpn-2.4.7.tar.xz.asc
-/openvpn-2.4.8.tar.xz
-/openvpn-2.4.8.tar.xz.asc
-/openvpn-2.4.9.tar.xz
-/openvpn-2.4.9.tar.xz.asc
-/openvpn-2.5.0.tar.xz
-/openvpn-2.5.0.tar.xz.asc
-/openvpn-2.5.1.tar.xz
-/openvpn-2.5.1.tar.xz.asc
-/openvpn-2.5.2.tar.xz
-/openvpn-2.5.2.tar.xz.asc
-/openvpn-2.5.3.tar.xz
-/openvpn-2.5.3.tar.xz.asc
-/openvpn-2.5.4.tar.xz
-/openvpn-2.5.4.tar.xz.asc
-/openvpn-2.5.5.tar.xz
-/openvpn-2.5.5.tar.xz.asc
-/openvpn-2.5.6.tar.xz
-/openvpn-2.5.6.tar.xz.asc
-/openvpn-2.5.7.tar.xz
-/openvpn-2.5.7.tar.xz.asc
-/openvpn-2.5.8.tar.xz
-/openvpn-2.5.8.tar.xz.asc
-/openvpn-2.5.9.tar.gz
-/openvpn-2.5.9.tar.gz.asc
-/openvpn-2.5.11.tar.gz
-/openvpn-2.5.11.tar.gz.asc
+SOURCES/openvpn-baa9192.tar.gz
diff --git a/.openvpn.metadata b/.openvpn.metadata
new file mode 100644
index 0000000..aa0e74d
--- /dev/null
+++ b/.openvpn.metadata
@@ -0,0 +1 @@
+7e9bea43185357756a76383e89354e116cbc457d SOURCES/openvpn-baa9192.tar.gz
diff --git a/0001-Allow-running-a-default-configuration-with-TLS-libra.patch b/0001-Allow-running-a-default-configuration-with-TLS-libra.patch
deleted file mode 100644
index b9218e6..0000000
--- a/0001-Allow-running-a-default-configuration-with-TLS-libra.patch
+++ /dev/null
@@ -1,225 +0,0 @@ -From cf5864f5922e4f40357d9f75a35cd448e671dddf Mon Sep 17 00:00:00 2001 -From: Arne Schwabe -Date: Fri, 3 Jun 2022 11:52:19 +0200 -Subject: [PATCH] Allow running a default configuration with TLS libraries - without BF-CBC - -Modern TLS libraries might drop Blowfish by default or distributions -might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC -options with BF-CBC compatible strings. To avoid requiring BF-CBC -for this, special this one usage of BF-CBC enough to avoid a hard -requirement on Blowfish in the default configuration. - -This patch is cherry-picked from 79ff3f79 and the missing -ciphername = "none"; has been added in the OCC code. - -Due to uncrustify complains, a few extra whitespace fixes had to be -done to options.c. - -Signed-off-by: Arne Schwabe -Acked-by: Gert Doering -Message-Id: <20220603095219.637361-1-arne@rfc2549.org> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html -Signed-off-by: Gert Doering ---- - src/openvpn/crypto_backend.h | 2 ++ - src/openvpn/init.c | 37 ++++++++++++++++----- - src/openvpn/options.c | 62 ++++++++++++++++++++++++++++-------- - 3 files changed, 80 insertions(+), 21 deletions(-) - -diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h -index a9bb38ed..aebda3d6 100644 ---- a/src/openvpn/crypto_backend.h -+++ b/src/openvpn/crypto_backend.h -@@ -256,6 +256,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername); - * The returned name is normalised to the OpenVPN config name in case the - * name differs from the name used by the crypto library. - * -+ * Returns [null-cipher] in case the cipher_kt is NULL. -+ * - * @param cipher_kt Static cipher parameters - * - * @return a statically allocated string describing the cipher. 
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c -index da4d60af..b1b7b350 100644 ---- a/src/openvpn/init.c -+++ b/src/openvpn/init.c -@@ -2764,14 +2764,35 @@ do_init_crypto_tls_c1(struct context *c) - #endif /* if P2MP */ - } - -- /* Do not warn if we only have BF-CBC in options->ciphername -- * because it is still the default cipher */ -- bool warn = !streq(options->ciphername, "BF-CBC") -- || options->enable_ncp_fallback; -- /* Get cipher & hash algorithms */ -- init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, -- options->keysize, true, warn); -- -+ /* -+ * BF-CBC is allowed to be used only when explicitly configured -+ * as NCP-fallback or when NCP has been disabled or explicitly -+ * allowed in the in ncp_ciphers list. -+ * In all other cases do not attempt to initialize BF-CBC as it -+ * may not even be supported by the underlying SSL library. -+ * -+ * Therefore, the key structure has to be initialized when: -+ * - any non-BF-CBC cipher was selected; or -+ * - BF-CBC is selected and NCP is disabled (explicit request to -+ * use the BF-CBC cipher); or -+ * - BF-CBC is selected, NCP is enabled and fallback is enabled -+ * (BF-CBC will be the fallback). -+ * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC: -+ * If the negotiated cipher and options->ciphername are the -+ * same we do not reinit the cipher -+ * -+ * Note that BF-CBC will still be part of the OCC string to retain -+ * backwards compatibility with older clients. 
-+ */ -+ if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled -+ || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)) -+ || options->enable_ncp_fallback) -+ { -+ /* Do not warn if the if the cipher is used only in OCC */ -+ bool warn = !options->ncp_enabled || options->enable_ncp_fallback; -+ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, -+ options->keysize, true, warn); -+ } - /* Initialize PRNG with config-specified digest */ - prng_init(options->prng_hash, options->prng_nonce_secret_len); - -diff --git a/src/openvpn/options.c b/src/openvpn/options.c -index f6ef02ae..2206d9f4 100644 ---- a/src/openvpn/options.c -+++ b/src/openvpn/options.c -@@ -1135,7 +1135,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren - #ifndef ENABLE_SMALL - - static void --show_dhcp_option_list(const char *name, const char * const*array, int len) -+show_dhcp_option_list(const char *name, const char *const *array, int len) - { - int i; - for (i = 0; i < len; ++i) -@@ -2288,7 +2288,7 @@ options_postprocess_verify_ce(const struct options *options, - if (options->mode == MODE_SERVER) - { - #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ -- "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" -+ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" - #ifdef TARGET_ANDROID - msg(M_FATAL, "--mode server not supported on Android"); - #endif -@@ -3103,7 +3103,7 @@ options_postprocess_cipher(struct options *o) - if (!o->ncp_enabled) - { - msg(M_USAGE, "--ncp-disable needs an explicit --cipher or " -- "--data-ciphers-fallback config option"); -+ "--data-ciphers-fallback config option"); - } - - msg(M_WARN, "--cipher is not set. 
Previous OpenVPN version defaulted to " -@@ -3681,9 +3681,30 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) - { - struct frame fake_frame = *frame; - struct key_type fake_kt; -- init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, -- false); -+ - frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); -+ -+ -+ /* o->ciphername might be BF-CBC even though the underlying SSL library -+ * does not support it. For this reason we workaround this corner case -+ * by pretending to have no encryption enabled and by manually adding -+ * the required packet overhead to the MTU computation. -+ */ -+ const char *ciphername = o->ciphername; -+ -+ if (strcmp(o->ciphername, "BF-CBC") == 0) -+ { -+ /* none has no overhead, so use this to later add only --auth -+ * overhead */ -+ -+ /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */ -+ frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8); -+ ciphername = "none"; -+ } -+ -+ init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true, -+ false); -+ - crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay, - cipher_kt_mode_ofb_cfb(fake_kt.cipher)); - frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, -@@ -3853,18 +3874,33 @@ options_string(const struct options *o, - + (TLS_SERVER == true) - <= 1); - -- init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, -- false); -+ /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC -+ * to work here in the default configuration */ -+ const char *ciphername = o->ciphername; -+ int keysize; -+ -+ if (strcmp(o->ciphername, "BF-CBC") == 0) -+ { -+ init_key_type(&kt, "none", o->authname, o->keysize, true, -+ false); -+ keysize = 128; -+ } -+ else -+ { -+ init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, -+ false); -+ ciphername = cipher_kt_name(kt.cipher); -+ keysize = kt.cipher_length * 8; -+ } - /* Only announce the cipher to our peer if we are willing to - * 
support it */ -- const char *ciphername = cipher_kt_name(kt.cipher); - if (p2p_nopull || !o->ncp_enabled - || tls_item_in_cipher_list(ciphername, o->ncp_ciphers)) - { - buf_printf(&out, ",cipher %s", ciphername); - } - buf_printf(&out, ",auth %s", md_kt_name(kt.digest)); -- buf_printf(&out, ",keysize %d", kt.cipher_length * 8); -+ buf_printf(&out, ",keysize %d", keysize); - if (o->shared_secret_file) - { - buf_printf(&out, ",secret"); -@@ -6168,9 +6204,9 @@ add_option(struct options *options, - } - } - #ifdef TARGET_LINUX -- else if (streq (p[0], "bind-dev") && p[1]) -+ else if (streq(p[0], "bind-dev") && p[1]) - { -- VERIFY_PERMISSION (OPT_P_SOCKFLAGS); -+ VERIFY_PERMISSION(OPT_P_SOCKFLAGS); - options->bind_dev = p[1]; - } - #endif -@@ -6248,7 +6284,7 @@ add_option(struct options *options, - { - int64_t val = atoll(p[2]); - options->inactivity_minimum_bytes = (val < 0) ? 0 : val; -- if ( options->inactivity_minimum_bytes > INT_MAX ) -+ if (options->inactivity_minimum_bytes > INT_MAX) - { - msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value" - " >2 Gbyte was silently ignored in older versions. If " -@@ -8132,7 +8168,7 @@ add_option(struct options *options, - #endif - else if (streq(p[0], "providers") && p[1]) - { -- for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++) -+ for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++) - { - options->providers.names[j] = p[j]; - } --- -2.31.1 - diff --git a/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch b/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch deleted file mode 100644 index 0af7115..0000000 --- a/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From: David Sommerseth -Subject: [PATCH] Change the default cipher to AES-256-GCM for server - configurations - -This change makes the server use AES-256-GCM instead of BF-CBC as the default -cipher for the VPN tunnel. To avoid breaking existing running configurations -defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains -the BF-CBC in addition to AES-CBC. This makes it possible to migrate -existing older client configurations one-by-one to use at least AES-CBC unless -the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) - -[Update 2022-06-10] -The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish -cipher is no longer available by default in OpenSSL 3.0. It can be enabled -via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should -not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger -cipher by default and older OpenVPN releases are no longer supported upstream. 
- ---- - distro/systemd/openvpn-server@.service.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in -index 9a8a2c7..0ecda08 100644 ---- a/distro/systemd/openvpn-server@.service.in -+++ b/distro/systemd/openvpn-server@.service.in -@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO - Type=notify - PrivateTmp=true - WorkingDirectory=/etc/openvpn/server --ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf - CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE - LimitNPROC=10 - DeviceAllow=/dev/null rw --- -2.11.0 - diff --git a/SOURCES/fedora-crypto-policy-compliance.patch b/SOURCES/fedora-crypto-policy-compliance.patch new file mode 100644 index 0000000..4dc6fb4 --- /dev/null +++ b/SOURCES/fedora-crypto-policy-compliance.patch @@ -0,0 +1,13 @@ +diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c +index cd6d842..7c04700 100644 +--- a/src/openvpn/ssl_openssl.c ++++ b/src/openvpn/ssl_openssl.c +@@ -441,7 +441,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) + /* Use sane default TLS cipher list */ + if (!SSL_CTX_set_cipher_list(ctx->ctx, + /* Use openssl's default list as a basis */ +- "DEFAULT" ++ "PROFILE=SYSTEM" + /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */ + ":!EXP:!LOW:!MEDIUM" + /* Disable static (EC)DH keys (no forward secrecy) */ 
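Review bot: The new SOURCES/fedora-crypto-policy-compliance.patch carries no header or rationale, while the two patch files this commit deletes each had a Subject line and a description; a reader of SOURCES/ cannot tell why `"DEFAULT"` becomes `"PROFILE=SYSTEM"` in tls_ctx_restrict_ciphers. A short description above the `diff --git` line would fix that, e.g. `Make OpenVPN's default TLS cipher list follow the system-wide crypto policy (OpenSSL PROFILE=SYSTEM) instead of OpenSSL's built-in DEFAULT, so the distribution policy governs the control channel as well.` It is also worth stating there that the `:!EXP:!LOW:!MEDIUM` exclusions that follow in the same string literal still apply on top of the system profile. The inner tls_ctx_restrict_ciphers function starts and ends outside the quoted hunk.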
diff --git a/openvpn-2.4-change-tmpfiles-permissions.patch b/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch similarity index 100% rename from openvpn-2.4-change-tmpfiles-permissions.patch rename to SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch diff --git a/SOURCES/roadwarrior-client.conf b/SOURCES/roadwarrior-client.conf new file mode 100644 index 0000000..dd12fdb --- /dev/null +++ b/SOURCES/roadwarrior-client.conf @@ -0,0 +1,38 @@ +######################################### +# Sample client-side OpenVPN config file +# for connecting to multi-client server. +# +# Adapted from http://openvpn.sourceforge.net/20notes.html +# +# The server can be pinged at 10.8.0.1. +# +# This configuration can be used by multiple +# clients, however each client should have +# its own cert and key files. +# +# tun-style tunnel + +port 1194 +dev tun +remote [my server hostname or IP address] + +# TLS parms + +tls-client +ca sample-keys/tmp-ca.crt +cert sample-keys/client.crt +key sample-keys/client.key + +# This parm is required for connecting +# to a multi-client server. It tells +# the client to accept options which +# the server pushes to us. +pull + +# Scripts can be used to do various +# things (change nameservers, for +# example. +#up scripts/ifup-post +#down scripts/ifdown-post + +verb 4 diff --git a/SOURCES/roadwarrior-server.conf b/SOURCES/roadwarrior-server.conf new file mode 100644 index 0000000..be3db15 --- /dev/null +++ b/SOURCES/roadwarrior-server.conf 
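Review bot: The sample client config authenticates the server only against the CA (`ca sample-keys/tmp-ca.crt`) and does not restrict which certificate may act as the server, so any certificate issued by that CA, including another client's, would be accepted as the server. Add `remote-cert-tls server` after the `key sample-keys/client.key` line, with a comment such as `# Require the server's certificate to be marked for TLS server use`. Separately, the comment `# things (change nameservers, for` / `# example.` never closes its parenthesis; since this is a new file, write `# example).` here.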
@@ -0,0 +1,67 @@ +######################################## +# Sample OpenVPN config file for +# 2.0-style multi-client udp server +# +# Adapted from http://openvpn.sourceforge.net/20notes.html +# +# tun-style tunnel + +port 1194 +dev tun + +# Use "local" to set the source address on multi-homed hosts +#local [IP address] + +# TLS parms +tls-server +ca sample-keys/tmp-ca.crt +cert sample-keys/server.crt +key sample-keys/server.key +dh sample-keys/dh1024.pem + +# Tell OpenVPN to be a multi-client udp server +mode server + +# The server's virtual endpoints +ifconfig 10.8.0.1 10.8.0.2 + +# Pool of /30 subnets to be allocated to clients. +# When a client connects, an --ifconfig command +# will be automatically generated and pushed back to +# the client. +ifconfig-pool 10.8.0.4 10.8.0.255 + +# Push route to client to bind it to our local +# virtual endpoint. +push "route 10.8.0.1 255.255.255.255" + +# Push any routes the client needs to get in +# to the local network. +push "route 192.168.0.0 255.255.255.0" + +# Push DHCP options to Windows clients. +push "dhcp-option DOMAIN example.com" +push "dhcp-option DNS 192.168.0.1" +push "dhcp-option WINS 192.168.0.1" + +# Client should attempt reconnection on link +# failure. +keepalive 10 60 + +# Delete client instances after some period +# of inactivity. +inactive 600 + +# Route the --ifconfig pool range into the +# OpenVPN server. +route 10.8.0.0 255.255.255.0 + +# The server doesn't need privileges +user openvpn +group openvpn + +# Keep TUN devices and keys open across restarts. +persist-tun +persist-key + +verb 4 diff --git a/SPECS/openvpn.spec b/SPECS/openvpn.spec new file mode 100644 index 0000000..c4537f3 --- /dev/null +++ b/SPECS/openvpn.spec 
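Review bot: `dh sample-keys/dh1024.pem` points the sample server at 1024-bit DH parameters, which is below what current system crypto policies allow; with the same commit switching the TLS cipher list to `PROFILE=SYSTEM` (SOURCES/fedora-crypto-policy-compliance.patch), a configuration copied from this sample is likely to fail the handshake rather than merely be weak. Replace the line with `dh none` so the ECDHE key exchange is used, or reference a 2048-bit or larger parameter file and name it accordingly. Note also that the spec removes `sample/sample-keys` from the packaged docs (`rm -rf %{buildroot}%{_pkgdocdir}/sample/sample-keys`), so the `sample-keys/` paths here are illustrative only; a comment saying `# Replace the sample-keys/ paths with your own PKI files` would save users a confusing failure.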
@@ -0,0 +1,263 @@ +%define _hardened_build 1 +%global snap_tstamp 20241212 +%global commit baa9192851006e2dbb90b410011e61ecf2e01870 +%global shortcommit %(c=%{commit}; echo ${c:0:7}) + +# LTO needs to be disabled to avoid issues when linking the unit-test, +# which utilizes --wrap in the link process +%global _lto_cflags %{nil} + + +# +# Build conditionals +# + +# Build with OpenVPN Data Channel Offload (kernel) support? +%bcond_without dco + +# Build with PKCS#11/SmartCard support? +%bcond_without pkcs11 + +# tests_long - Enabled by default, enables long running tests in %%check +%bcond_without tests_long + + +Name: openvpn +Version: 2.7 +Release: 0.%{snap_tstamp}git%{shortcommit}%{?dist} +Summary: A full-featured TLS VPN solution +URL: https://community.openvpn.net/ +Source0: https://github.com/OpenVPN/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +Source2: roadwarrior-server.conf +Source3: roadwarrior-client.conf +Patch1: fedora-crypto-policy-compliance.patch +Patch50: openvpn-2.4-change-tmpfiles-permissions.patch +License: GPL-2.0-only + +BuildRequires: gcc +BuildRequires: automake +BuildRequires: autoconf +BuildRequires: autoconf-archive +BuildRequires: libcap-ng-devel +BuildRequires: libtool +BuildRequires: gettext +BuildRequires: lzo-devel +BuildRequires: lz4-devel +BuildRequires: make +BuildRequires: openssl-devel >= 1.1.0 +%if %{with dco} +BuildRequires: libnl3-devel +%endif +%if %{with pkcs11} +BuildRequires: pkcs11-helper-devel >= 1.11 +%endif +BuildRequires: pam-devel +BuildRequires: libselinux-devel +BuildRequires: libcmocka-devel +BuildRequires: systemd +BuildRequires: systemd-devel + +%{?systemd_requires} +Requires(pre): /usr/sbin/useradd + +%if %{with dco} +Recommends: kmod-ovpn-dco >= 0.2 +%endif + +BuildRequires: python3-docutils + +# For the perl_default_filter macro +BuildRequires: perl-macros + +# Filter out the perl(Authen::PAM) dependency. +# No perl dependency is really needed at all. 
+%{?perl_default_filter} + + +%description +OpenVPN is a robust and highly flexible tunneling application that uses all +of the encryption, authentication, and certification features of the +OpenSSL library to securely tunnel IP networks over a single UDP or TCP +port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library +for compression. + +NOTE: Until the OpenVPN 2.7 release is completed, EPEL-10 builds will +ship with git master development snapshots. These snapshots will +contain what will be part of the next v2.7 release. + + +%package devel +Summary: Development headers and examples for OpenVPN plug-ins + +%description devel +OpenVPN can be extended through the --plugin option, which provides +possibilities to add specialized authentication, user accounting, +packet filtering and related features. These plug-ins need to be +written in C and provides a more low-level and information rich access +to similar features as the various script-hooks. + +%prep +%setup -q -n openvpn-%{commit} +%autopatch -p1 + +# Need to generate this on-the-fly to make autoreconf happy +# This build is from a git snapshot, not a release source tarball +echo "define([PRODUCT_NAME], [OpenVPN])" > version.m4 +echo "define([PRODUCT_VERSION], [%{version}-%{release}])" >> version.m4 +echo "define([PRODUCT_GUIVERSION], [copr:%{version}-%{release}])" >> version.m4 +echo "define([PRODUCT_TARNAME], [openvpn])" >> version.m4 +echo "define([PRODUCT_BUGREPORT], [openvpn-devel@lists.sourceforge.net])" >> version.m4 +echo "define([PRODUCT_VERSION_MAJOR], [2])" >> version.m4 +echo "define([PRODUCT_VERSION_MINOR], [7])" >> version.m4 +echo "define([PRODUCT_VERSION_PATCH], [_git%{shortcommit}])" >> version.m4 + +autoreconf -vi + +# %%doc items shouldn't be executable. 
+find contrib sample -type f -perm /100 \ + -exec chmod a-x {} \; + +%build +%configure \ + --enable-silent-rules \ + --with-crypto-library=openssl \ + %{?with_pkcs11:--enable-pkcs11} \ + --enable-selinux \ + --enable-systemd \ + --enable-x509-alt-username \ + --enable-async-push \ + %{?!with_dco:--disable-dco} \ + --docdir=%{_pkgdocdir} \ + SYSTEMD_UNIT_DIR=%{_unitdir} \ + TMPFILES_DIR=%{_tmpfilesdir} + +%{__make} %{?_smp_mflags} + + +%check +# Test Crypto: +./src/openvpn/openvpn --genkey secret key +./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key --allow-deprecated-insecure-static-crypto +./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key --allow-deprecated-insecure-static-crypto +./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key --allow-deprecated-insecure-static-crypto +./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key --allow-deprecated-insecure-static-crypto + +# Some of the unit tests does not run on RHEL-7 +pushd tests/unit_tests +%{__make} %{?_smp_mflags} check +popd + +%if %{with tests_long} +# Randomize ports for tests to avoid conflicts on the build servers. 
+cport=$[ 50000 + ($RANDOM % 15534) ] +sport=$[ $cport + 1 ] +sed -e 's/^\(rport\) .*$/\1 '$sport'/' \ + -e 's/^\(lport\) .*$/\1 '$cport'/' \ + < sample/sample-config-files/loopback-client \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client +sed -e 's/^\(rport\) .*$/\1 '$cport'/' \ + -e 's/^\(lport\) .*$/\1 '$sport'/' \ + < sample/sample-config-files/loopback-server \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server + +pushd sample +# Test SSL/TLS negotiations (runs for 2 minutes): +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client & +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +wait +popd + +rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +%endif + +%install +%{__make} install DESTDIR=%{buildroot} +find %{buildroot} -name '*.la' | xargs rm -f +mkdir -p -m 0750 %{buildroot}/%{_sysconfdir}/%{name}/client %{buildroot}/%{_sysconfdir}/%{name}/server +cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/ + +# Create some directories the OpenVPN package should own +mkdir -m 0750 -p %{buildroot}%{_rundir}/%{name}-{client,server} +mkdir -m 0770 -p %{buildroot}%{_sharedstatedir}/%{name} + +# Package installs into %%{_pkgdocdir} directly +# Add various additional files +cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd %{buildroot}%{_pkgdocdir} + +# Fix incorrect she-bang on a python script +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_interpreter_invocation +sed -e "s|^#!/usr/bin/env.*python3$|#!%{python3} -%{py3_shebang_flags}|" \ + -i %{buildroot}%{_pkgdocdir}/contrib/extract-crl/extractcrl.py + +# Remove some files which does not really belong here +rm -f %{buildroot}%{_pkgdocdir}/sample/Makefile{,.in,.am} +rm -f 
%{buildroot}%{_pkgdocdir}/sample/sample-plugins/Makefile{,.in,.am} +rm -rf %{buildroot}%{_pkgdocdir}/sample/sample-keys +rm -f %{buildroot}%{_pkgdocdir}/contrib/multilevel-init.patch +rm -rf %{buildroot}%{_pkgdocdir}/contrib/vcpkg-* +rm -rf %{buildroot}%{_pkgdocdir}/contrib/cmake* + + +%pre +getent group openvpn &>/dev/null || groupadd -r openvpn +getent passwd openvpn &>/dev/null || \ + /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \ + -d /etc/openvpn openvpn +exit 0 + +%post +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_post $srv +done + +%preun +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_preun $srv +done + +%postun +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_postun_with_restart $srv +done + +%files +%license COPYING COPYRIGHT.GPL +%{_pkgdocdir}/ +%exclude %{_pkgdocdir}/{COPYING,COPYRIGHT.GPL} +%exclude %{_pkgdocdir}/README.mbedtls +%exclude %{_pkgdocdir}/sample/sample-plugins +%{_mandir}/man8/%{name}.8* +%{_mandir}/man5/%{name}-*.5* +%{_sbindir}/%{name} +%{_libdir}/%{name}/ +%{_unitdir}/%{name}-client@.service +%{_unitdir}/%{name}-server@.service +%{_tmpfilesdir}/%{name}.conf +%config %dir %{_sysconfdir}/%{name}/ +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server +%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name} +%dir %attr(0750,-,openvpn) %{_rundir}/openvpn-client +%dir %attr(0750,-,openvpn) %{_rundir}/openvpn-server + +%files devel +%{_pkgdocdir}/sample/sample-plugins +%exclude %{_pkgdocdir}/sample/sample-{config-files,scripts,windows} +%{_includedir}/openvpn-plugin.h +%{_includedir}/openvpn-msg.h + + +%changelog +* Tue Dec 24 2024 Arkady L. 
Shane - 2.7-0.20241212gitbaa9192 +- Rebuilt for MSVSphere 10 + +* Wed Dec 18 2024 David Sommerseth - 2.7-20241212gitbaa9192 +- First packaging attempt for EPEL-10 - OpenVPN 2.7 git master snapshot build +- Update to git master baa9192851006e2dbb90b410011e61ecf2e01870 + diff --git a/openvpn.spec b/openvpn.spec deleted file mode 100644 index c931405..0000000 --- a/openvpn.spec +++ /dev/null 
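Review bot: Source0 is now a GitHub archive of the snapshot commit and the spec no longer verifies it against an upstream signature: the deleted openvpn.spec shipped Source1 (the release `.tar.gz.asc`), Source10 (the upstream signing key) and `BuildRequires: gnupg2`, all of which are dropped here, leaving the sha1 in .openvpn.metadata as the only integrity check. Since a git snapshot has no upstream signature to verify, say so explicitly next to Source0 rather than leaving the omission silent, e.g. `# Git snapshot, no upstream signature available; integrity is pinned by the full commit hash in %%{commit}`. As a point of style, `%check` uses the deprecated `$[ ... ]` arithmetic form; `cport=$(( 50000 + ($RANDOM % 15534) ))` and `sport=$(( cport + 1 ))` are the portable spellings. The `%post`/`%preun`/`%postun` loops also parse `systemctl` output with awk to discover instances, which depends on the listing format; a comment noting that assumption would help the next maintainer.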
@@ -1,389 +0,0 @@
-%define _hardened_build 1
-
-# Build conditionals
-# tests_long - Enabled by default, enables long running tests in %%check
-%bcond_without tests_long
-
-Name: openvpn
-Version: 2.5.11
-Release: 1%{?dist}
-Summary: A full-featured TLS VPN solution
-URL: https://community.openvpn.net/
-Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
-Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
-Source2: roadwarrior-server.conf
-Source3: roadwarrior-client.conf
-# Upstream signing key
-Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
-Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
-Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
-License: GPLv2
-BuildRequires: gnupg2
-BuildRequires: gcc
-BuildRequires: automake
-BuildRequires: autoconf
-BuildRequires: autoconf-archive
-BuildRequires: libtool
-BuildRequires: gettext
-BuildRequires: lzo-devel
-BuildRequires: lz4-devel
-BuildRequires: make
-BuildRequires: openssl-devel
-BuildRequires: pkcs11-helper-devel >= 1.11
-BuildRequires: pam-devel
-BuildRequires: libselinux-devel
-BuildRequires: libcmocka-devel
-BuildRequires: systemd
-BuildRequires: systemd-devel
-
-%{?systemd_requires}
-Requires(pre): /usr/sbin/useradd
-
-%if 0%{?rhel} > 7 || 0%{?fedora} > 29
-BuildRequires: python3-docutils
-%else
-# We cannot use python36-docutils on RHEL-7 as
-# the ./configure script does not currently find
-# the rst2man-3 executable, it only looks for rst2man
-BuildRequires: python-docutils
-%endif
-
-# For the perl_default_filter macro
-BuildRequires: perl-macros
-
-# Filter out the perl(Authen::PAM) dependency.
-# No perl dependency is really needed at all.
-%{?perl_default_filter}
-
-%description
-OpenVPN is a robust and highly flexible tunneling application that uses all
-of the encryption, authentication, and certification features of the
-OpenSSL library to securely tunnel IP networks over a single UDP or TCP
-port.
It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
-for compression.
-
-%package devel
-Summary: Development headers and examples for OpenVPN plug-ins
-
-%description devel
-OpenVPN can be extended through the --plugin option, which provides
-possibilities to add specialized authentication, user accounting,
-packet filtering and related features. These plug-ins need to be
-written in C and provides a more low-level and information rich access
-to similar features as the various script-hooks.
-
-
-%prep
-gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
-%setup -q -n %{name}-%{version}
-%patch1 -p1 -b .ch_default_cipher
-%patch50 -p1
-
-# %%doc items shouldn't be executable.
-find contrib sample -type f -perm /100 \
- -exec chmod a-x {} \;
-
-%build
-%configure \
- --enable-silent-rules \
- --with-crypto-library=openssl \
- --enable-pkcs11 \
- --enable-selinux \
- --enable-systemd \
- --enable-x509-alt-username \
- --enable-async-push \
- --docdir=%{_pkgdocdir} \
- SYSTEMD_UNIT_DIR=%{_unitdir} \
- TMPFILES_DIR=%{_tmpfilesdir}
-%{__make}
-
-%check
-# Test Crypto:
-./src/openvpn/openvpn --genkey --secret key
-./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
-./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
-./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
-./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key
-
-%if %{with tests_long}
-# Randomize ports for tests to avoid conflicts on the build servers.
-cport=$[ 50000 + ($RANDOM % 15534) ]
-sport=$[ $cport + 1 ]
-sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
- -e 's/^\(lport\) .*$/\1 '$cport'/' \
- < sample/sample-config-files/loopback-client \
- > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
-sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
- -e 's/^\(lport\) .*$/\1 '$sport'/' \
- < sample/sample-config-files/loopback-server \
- > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
-
-pushd sample
-# Test SSL/TLS negotiations (runs for 2 minutes):
-../src/openvpn/openvpn --config \
- %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
-../src/openvpn/openvpn --config \
- %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
-wait
-popd
-
-rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
- %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
-%endif
-
-%install
-%{__make} install DESTDIR=$RPM_BUILD_ROOT
-find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
-mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
-cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
-
-# Create some directories the OpenVPN package should own
-mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
-mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
-
-# Package installs into %%{_pkgdocdir} directly
-# Add various additional files
-cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
-
-# Remove some files which does not really belong here
-rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
-rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
-rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
-
-%pre
-getent group openvpn &>/dev/null || groupadd -r openvpn
-getent passwd openvpn &>/dev/null || \
- /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
- -d /etc/openvpn
openvpn
-exit 0
-
-%post
-for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
-do
- %systemd_post $srv
-done
-
-%preun
-for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
-do
- %systemd_preun $srv
-done
-
-%postun
-for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
-do
- %systemd_postun_with_restart $srv
-done
-
-
-%files
-%{_pkgdocdir}
-%exclude %{_pkgdocdir}/README.IPv6
-%exclude %{_pkgdocdir}/README.mbedtls
-%exclude %{_pkgdocdir}/sample/sample-plugins
-%{_mandir}/man8/%{name}.8*
-%{_mandir}/man5/%{name}-*.5*
-%{_sbindir}/%{name}
-%{_libdir}/%{name}/
-%{_unitdir}/%{name}-client@.service
-%{_unitdir}/%{name}-server@.service
-%{_tmpfilesdir}/%{name}.conf
-%config %dir %{_sysconfdir}/%{name}/
-%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
-%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
-%attr(0750,-,openvpn) %{_rundir}/%{name}-client
-%attr(0750,-,openvpn) %{_rundir}/%{name}-server
-%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
-
-%files devel
-%{_pkgdocdir}/sample/sample-plugins
-%{_includedir}/openvpn-plugin.h
-%{_includedir}/openvpn-msg.h
-
-
-%changelog
-* Thu Jul 18 2024 Frank Lichtenheld - 2.5.11-1
-- Update to upstream OpenVPN 2.5.11
-- Fixes CVE-2024-5594
-
-* Thu Nov 9 2023 David Sommerseth - 2.5.9-2
-- Fix false exit status on pre runtime scriptlet (Elkhan Mammadli , RHBZ#2239722)
-
-* Thu Feb 16 2023 David Sommerseth - 2.5.9-1
-- Update to upstream OpenVPN 2.5.9
-
-* Tue Nov 1 2022 David Sommerseth - 2.5.8-1
-- Update to upstream OpenVPN 2.5.8
-
-* Tue May 31 2022 David Sommerseth - 2.5.7-2
-- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
- https://patchwork.openvpn.net/patch/2504/
-- Removed BF-CBC from the --data-ciphers list.
This is no longer available by default
- in OpenSSL 3.0
-
-* Tue May 31 2022 David Sommerseth - 2.5.7-1
-- Update to upstream OpenVPN 2.5.7
-
-* Wed Mar 16 2022 David Sommerseth - 2.5.6-1
-- Update to upstream OpenVPN 2.5.6
-- Fixes CVE-2022-0547
-
-* Thu Jan 27 2022 David Sommerseth - 2.5.5-4
-- Fix systemd related scriptlet error (#1887984)
-
-* Thu Jan 20 2022 Fedora Release Engineering - 2.5.5-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Wed Dec 15 2021 David Sommerseth - 2.5.5-2
-- Rebuild of 2.5.5
-
-* Wed Dec 15 2021 David Sommerseth - 2.5.5-1
-- Update to upstream OpenVPN 2.5.5 (#2032844)
-
-* Tue Oct 5 2021 David Sommerseth - 2.5.4-1
-- Update to upstream OpenVPN 2.5.4
-- Added new man page: openvpn-examples(5)
-
-* Tue Sep 14 2021 Sahana Prasad - 2.5.3-3
-- Rebuilt with OpenSSL 3.0.0
-
-* Thu Jul 22 2021 Fedora Release Engineering - 2.5.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Fri Jun 18 2021 David Sommerseth - 2.5.3-1
-- Update to upstream OpenVPN 2.5.3
-- Fixes CVE-2021-3606
-
-* Wed Apr 21 2021 David Sommerseth - 2.5.2-1
-- Update to upstream OpenVPN 2.5.2
-- Fixes CVE-2020-15078
-- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2.5.1-2
-- Rebuilt for updated systemd-rpm-macros
- See https://pagure.io/fesco/issue/2583.
-
-* Wed Feb 24 2021 David Sommerseth - 2.5.1-1
-- Update to upstream OpenVPN 2.5.1
-
-* Tue Jan 26 2021 Fedora Release Engineering - 2.5.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Oct 28 2020 David Sommerseth - 2.5.0-1
-- Update to upstream OpenVPN 2.5.0
-
-* Tue Jul 28 2020 Fedora Release Engineering - 2.4.9-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Sun Apr 19 2020 David Sommerseth - 2.4.9-1
-- Update to upstream OpenVPN 2.4.9
-
-* Wed Feb 12 2020 David Sommerseth - 2.4.8-3
-- Rebuilt to be linked against latest lzo (RHBZ#1802299)
-
-* Wed Jan 29 2020 Fedora Release Engineering - 2.4.8-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Nov 1 2019 David Sommerseth - 2.4.8-1
-- Updating to upstream OpenVPN 2.4.8
-
-* Thu Jul 25 2019 Fedora Release Engineering - 2.4.7-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Wed Feb 20 2019 David Sommerseth - 2.4.7-1
-- Updating to upstream OpenVPN 2.4.7
-
-* Fri Feb 01 2019 Fedora Release Engineering - 2.4.6-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Sat Oct 6 2018 David Sommerseth - 2.4.6-3
-- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends
-
-* Fri Jul 13 2018 Fedora Release Engineering - 2.4.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Thu Apr 26 2018 David Sommerseth - 2.4.6-1
-- Updating to upstream, openvpn-2.4.6
-
-* Thu Mar 1 2018 David Sommerseth - 2.4.5-1
-- Updating to upstream, openvpn-2.4.5
-- Package upstream ChangeLog, which contains a bit more details than Changes.rst
-- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
- added gcc to BuildRequires.
-- Excluded not relevant file, README.mbedtls
-- Package upstream version of README.systemd
-- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
-- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
-- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
-
-* Thu Feb 08 2018 Fedora Release Engineering - 2.4.4-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Thu Jan 25 2018 Igor Gnatenko - 2.4.4-2
-- Fix systemd executions/requirements
-
-* Tue Sep 26 2017 David Sommerseth - 2.4.4-1
-- Update to upstream openvpn-2.4.4
-- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166}
-
-* Fri Aug 4 2017 David Sommerseth - 2.4.3-4
-- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270)
-
-* Thu Aug 03 2017 Fedora Release Engineering - 2.4.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering - 2.4.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Wed Jun 21 2017 David Sommerseth - 2.4.3-1
-- Updating to upstream openvpn-2.4.3
-- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
-- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
-- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
-- Fix remote-triggerable memory leaks {CVE-2017-7521}
-- Ensure OpenVPN systemd services are restarted upon upgrades
-- Verify PGP signature of source tarball as part of package building
-- Build against system lz4 library
-
-* Fri May 12 2017 David Sommerseth - 2.4.2-2
-- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
-- Install and take ownership of /var/lib/openvpn (rhbz#922786)
-
-* Thu May 11 2017 David Sommerseth - 2.4.2-1
-- Updating to upstream openvpn-2.4.2
-- Switching back to OpenSSL,
using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468)
-- Re-enabling --enable-x509-alt-username (rhbz#1443942)
-- Add --enable-selinux
-- Build with lz4 library from Fedora
-
-* Wed Mar 29 2017 David Sommerseth - 2.4.1-3
-- Splitting out -devel files into a separate package
-- Removed several contrib and sample files which makes is not
- strictly needed in this package.
-- build: Enable tests runs by default, long running tests can
- be disabled with "--without tests_long"
-- build: Removed defined %%{plugins} macro not in use
-
-* Fri Mar 24 2017 David Sommerseth - 2.4.1-2
-- Various cleanups
-- Use systemd-rpm macros (rhbz #850257)
-- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service
-- Added README.systemd describing new systemd unit files
-
-* Thu Mar 23 2017 David Sommerseth - 2.4.1-1
-- Updating to upstream release, v2.4.1
-- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
- and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
-- Removed no-functional ./configure options
-- Use upstream tmfiles.d/openvpn
-- Package newer openvpn-client/server@.service unit files
-
-* Thu Feb 09 2017 Jon Ciesla 2.4.0-2
-- Move to mbedtls to resolve FTBFS.
-- Dropped, re-add once openvpn supports openssl 1.1.x
-- --enable-pkcs11 \
-- --enable-x509-alt-username \
-
-* Tue Dec 27 2016 Jon Ciesla 2.4.0-1
-- 2.4.0.
-
diff --git a/sources b/sources
deleted file mode 100644
index a1fd5d8..0000000
--- a/sources
+++ /dev/null
@@ -1,2 +0,0 @@
-SHA512 (openvpn-2.5.11.tar.gz) = 5ef80681e71aa84629d48b067b540c0e8169ee3ff4b1129fc0030a55f0f7e2bb9a9cd568aa627828d8adb1366f5b0cfdd37242fb5cb6cec4a50fea9ffe8805bc
-SHA512 (openvpn-2.5.11.tar.gz.asc) = f8796504341539db4a79ccf26706d2cc7e13b9fc511e0e38a0676b5eb94c0c43174b1cc29b07a51eb0e6c8dc7715a9728cc367166bdafae705381338cca3aead