Update to upstream openvpn-2.4.2

Also:
  - Switching back to OpenSSL 1.0, via compat-openssl10 and
    compat-openssl10-pkcs11-helper (rhbz#1443749, rhbz#1432125, rhbz#1440468)
  - Re-enable --enable-x509-alt-username which got removed during the clean-up
    patches (rhbz#1443942)
  - Build with lz4 library from Fedora

.gitignore

@@ -46,3 +46,5 @@ openvpn-2.1.2.tar.gz.asc
 /openvpn-2.4.0.tar.gz.asc
 /openvpn-2.4.1.tar.xz
 /openvpn-2.4.1.tar.xz.asc
+/openvpn-2.4.2.tar.xz
+/openvpn-2.4.2.tar.xz.asc

0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch

@@ -1,50 +0,0 @@
-From 9e2c742b2d8ffc31db7590cfc4f29d2012dd8de1 Mon Sep 17 00:00:00 2001
-From: David Sommerseth <davids@openvpn.net>
-Date: Thu, 23 Mar 2017 01:34:06 +0100
-Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora
-
-This patch hard codes an alternative mbed TLS profile to allow
-RSA keys >= 1024 bits as well as SHA1 and RIPEMD160 hashing.
-
-Signed-off-by: David Sommerseth <davids@openvpn.net>
----
- src/openvpn/ssl_mbedtls.c | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
-
-diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
-index ba8dadf..05f8a48 100644
---- a/src/openvpn/ssl_mbedtls.c
-+++ b/src/openvpn/ssl_mbedtls.c
-@@ -932,6 +932,29 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
-                                           MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
- #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
- 
-+    /* Fedora adoption - allow legacy certificates
-+     * Taken from the OpenVPN 3 Core code base
-+     */
-+    const static mbedtls_x509_crt_profile crt_profile_legacy = {
-+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
-+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
-+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
-+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
-+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
-+	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
-+	-1, /* Any PK alg    */
-+	-1, /* Any curve     */
-+	1024,      /* Minimum size for RSA keys */
-+    };
-+    mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy);
-+    static bool fedora_mod_info = false;
-+    if (!fedora_mod_info) {
-+	msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode");
-+	fedora_mod_info = true;
-+    }
-+
-+    /* End of Fedora adoption */
-+
-     /* Initialise authentication information */
-     if (is_server)
-     {
--- 
-2.11.0
-

openvpn.spec

@@ -6,8 +6,8 @@
 %bcond_without tests_long
 
 Name:              openvpn
-Version:           2.4.1
-Release:           3%{?prerelease:.%{prerelease}}%{?dist}
+Version:           2.4.2
+Release:           1%{?prerelease:.%{prerelease}}%{?dist}
 Summary:           A full-featured SSL VPN solution
 URL:               https://community.openvpn.net/
 Source0:           https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
@@ -15,18 +15,18 @@ Source1:           https://swupdate.openvpn.org/community/releases/%{name}-%{ver
 Source2:           roadwarrior-server.conf
 Source3:           roadwarrior-client.conf
 Source4:           README.systemd
-Patch0:            0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
 License:           GPLv2
 Group:             Applications/Internet
 BuildRequires:     systemd-devel
 BuildRequires:     lzo-devel
-#BuildRequires:     openssl-devel
-BuildRequires:     mbedtls-devel
+BuildRequires:     lz4-devel
+BuildRequires:     compat-openssl10-devel
+BuildRequires:     compat-openssl10-pkcs11-helper-devel >= 1.11
 BuildRequires:     pam-devel
 # For the perl_default_filter macro
 BuildRequires:     perl-macros
-BuildRequires:     pkcs11-helper-devel >= 1.11
 BuildRequires:     systemd-units
+BuildRequires:     libselinux-devel
 # For /sbin/ip.
 BuildRequires:     iproute
 # For /sbin/ip.
@@ -62,7 +62,6 @@ to similar features as the various script-hooks.
 
 %prep
 %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
-%patch0 -p1
 
 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
 
@@ -73,14 +72,15 @@ find contrib sample -type f -perm /100 \
 %build
 %configure \
     --enable-iproute2 \
-    --with-crypto-library=mbedtls \
+    --with-crypto-library=openssl \
+    --enable-pkcs11 \
     --enable-selinux \
     --enable-systemd \
+    --enable-x509-alt-username \
     --docdir=%{_pkgdocdir} \
     SYSTEMD_UNIT_DIR=%{_unitdir} \
     TMPFILES_DIR=%{_tmpfilesdir} \
     IPROUTE=/sbin/ip
-#    --enable-pkcs11 \
 %{__make}
 
 %check
@@ -171,6 +171,12 @@ getent passwd openvpn &>/dev/null || \
 
 
 %changelog
+* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-1
+- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468)
+- Re-enabling --enable-x509-alt-username (rhbz#1443942)
+- Add --enable-selinux
+- Build with lz4 library from Fedora
+
 * Wed Mar 29 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-3
 - Splitting out -devel files into a separate package
 - Removed several contrib and sample files which makes is not

sources

@@ -1,2 +1,2 @@
-SHA512 (openvpn-2.4.1.tar.xz) = d31ea5740c5aa1083c5f50b344fca0824210ca18ca77f22e08fd1b7866926aa61723545df9a34c12ca81b929efbeb20c43f11b17e1bfeb56c7bfcef67aae82d3
-SHA512 (openvpn-2.4.1.tar.xz.asc) = e9d646d135ea0b137dee05c181b9e89f3904b2c4fddeacf849f5aac1b76ba169fd930b17c130e9ce4e172c4beb7d626d9e086d970d5457e6b62662e49df00151
+SHA512 (openvpn-2.4.2.tar.xz) = 438f16ac2d12dfd9f11ebcddebf709102046c71b4c4608a294da552587ea346d6ebb8c916f717bce992057754d6bc35ca1df5653fc907cc0003d9e34c92da963
+SHA512 (openvpn-2.4.2.tar.xz.asc) = 2deed80ef3b7017b2eb60931810c1902b855e9ba734caa012842227963c1ffe1ecb90b5912123ce0e4001e2dee52b9a735df91137562ed39e0a0bb24ac3f6ba5