Update to upstream v2.4.1, plus ...

- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
  and RIPEMD-160 hashing algorithms (based on OpenVPN 3 legacy profile)
- Removed non-functional ./configure options
- Use upstream tmpfiles.d/openvpn
- Package newer openvpn-client/server@.service unit files
epel8
David Sommerseth 8 years ago
parent ee26d4439f
commit 983199849d

@ -0,0 +1,50 @@
From 9e2c742b2d8ffc31db7590cfc4f29d2012dd8de1 Mon Sep 17 00:00:00 2001
From: David Sommerseth <davids@openvpn.net>
Date: Thu, 23 Mar 2017 01:34:06 +0100
Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora
This patch hard codes an alternative mbed TLS profile to allow
RSA keys >= 1024 bits as well as SHA1 and RIPEMD160 hashing.
Signed-off-by: David Sommerseth <davids@openvpn.net>
---
src/openvpn/ssl_mbedtls.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index ba8dadf..05f8a48 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -932,6 +932,29 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+ /* Fedora adoption - allow legacy certificates
+ * Taken from the OpenVPN 3 Core code base
+ */
+ const static mbedtls_x509_crt_profile crt_profile_legacy = {
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ -1, /* Any PK alg */
+ -1, /* Any curve */
+ 1024, /* Minimum size for RSA keys */
+ };
+ mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy);
+ static bool fedora_mod_info = false;
+ if (!fedora_mod_info) {
+ msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode");
+ fedora_mod_info = true;
+ }
+
+ /* End of Fedora adoption */
+
/* Initialise authentication information */
if (is_server)
{
--
2.11.0
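Review bot: The legacy profile is installed unconditionally on every SSL context built by key_state_ssl_init (line 45), so as far as this hunk shows even a deployment whose certificates are all SHA-256/2048-bit now accepts SHA-1 and RIPEMD-160 signatures and 1024-bit RSA keys with no way to opt back into the mbed TLS default; the downgrade should be gated on a configuration option rather than hard-coded (upstream OpenVPN later exposes exactly this choice as `--tls-cert-profile`, which is the better place for it where that version is available). Because accepting SHA-1 certificate signatures weakens peer authentication, the one-time notice on line 48 also deserves `M_WARN` rather than `M_INFO`, and the `static bool fedora_mod_info` latch means only the first context created in the process mentions it at all. As a point of style, `const static` reads oddly next to the rest of the file — `static const mbedtls_x509_crt_profile crt_profile_legacy = {` with designated initializers (`.allowed_mds`, `.allowed_pks`, `.allowed_curves`, `.rsa_min_bitlen`) would also make the implicit `-1` to `uint32_t` conversions on lines 41–42 explicit. The enclosing function begins and ends outside this hunk.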

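--- a/openvpn-tmpfile.conf
+++ /dev/null
@@ -1 +0,0 @@
-D /var/run/openvpn 0710 root openvpn -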

@ -4,28 +4,24 @@
%define plugins down-root auth-pam
Name: openvpn
Version: 2.4.0
Release: 2%{?prerelease:.%{prerelease}}%{?dist}
Version: 2.4.1
Release: 1%{?prerelease:.%{prerelease}}%{?dist}
Summary: A full-featured SSL VPN solution
URL: http://openvpn.net/
#Source0: http://openvpn.net/beta/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
#Source0: https://secure.openvpn.net/beta/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
Source0: http://openvpn.net/release/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
#Source1: https://secure.openvpn.net/beta/signatures/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz.asc
Source1: http://openvpn.net/signatures/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz.asc
URL: https://community.openvpn.net/
Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
Source1: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
# Sample 2.0 config files
Source2: roadwarrior-server.conf
Source3: roadwarrior-client.conf
# Systemd service
# Systemd service (deprecated)
Source4: openvpn@.service
# Tmpfile.d config
Source5: %{name}-tmpfile.conf
# Don't start openvpn by default.
#Patch0: openvpn-init.patch
#Patch1: openvpn-script-security.patch
#Patch2: openvpn-2.1.1-init.patch
#Patch3: openvpn-2.1.1-initinfo.patch
Patch4: 0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
License: GPLv2
Group: Applications/Internet
BuildRequires: systemd-devel
@ -64,6 +60,7 @@ for compression.
#%patch1 -p1
#%patch2 -p0
#%patch3 -p0
%patch4 -p1
sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
@ -80,8 +77,6 @@ find contrib sample -type f -perm /100 \
# --with-iproute-path=PATH Path to iproute tool
# --with-route-path=PATH Path to route tool
%configure \
--enable-pthread \
--enable-password-save \
--enable-iproute2 \
--with-iproute-path=/sbin/ip \
--enable-plugins \
@ -89,7 +84,9 @@ find contrib sample -type f -perm /100 \
--enable-plugin-auth-pam \
--with-crypto-library=mbedtls \
--enable-systemd \
--docdir=%{_pkgdocdir}
--docdir=%{_pkgdocdir} \
SYSTEMD_UNIT_DIR=%{_unitdir} \
TMPFILES_DIR=%{_tmpfilesdir}
%{__make}
#%check
@ -143,8 +140,6 @@ find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
cp -a AUTHORS PORTS INSTALL contrib sample $RPM_BUILD_ROOT%{_pkgdocdir}
# tmpfiles.d
mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d
install -m 0644 %{SOURCE5} %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0710 %{buildroot}%{_localstatedir}/run/%{name}/
@ -196,11 +191,21 @@ fi
%{_includedir}/openvpn-msg.h
%{_libdir}/%{name}/
%{_unitdir}/%{name}@.service
%{_unitdir}/%{name}-client@.service
%{_unitdir}/%{name}-server@.service
%{_tmpfilesdir}/%{name}.conf
%attr(0710,root,openvpn) %dir %{_localstatedir}/run/%{name}/
%{_prefix}/lib/tmpfiles.d/%{name}.conf
%config %dir %{_sysconfdir}/%{name}/
%changelog
* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
- Updating to upstream release, v2.4.1
- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
- Removed no-functional ./configure options
- Use upstream tmfiles.d/openvpn
- Package newer openvpn-client/server@.service unit files
* Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-2
- Move to mbedtls to resolve FTBFS.
- Dropped, re-add once openvpn supports openssl 1.1.x
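Review bot: The new Source1 line fetches the detached `.asc` signature for the tarball, but nothing in the visible spec checks it — `%prep` applies `%patch4` and runs sed, and `%check` stays commented out — so the signature is downloaded and then ignored. A verification step in `%prep` (for example the distro's `%{gpgverify}` macro, with the upstream signing key added as a further Source file) would make the download actually authenticate the release instead of merely accompanying it. Separately, the `%files` hunk at the end lists both `%{_tmpfilesdir}/%{name}.conf` and `%{_prefix}/lib/tmpfiles.d/%{name}.conf`, and with the `+`/`-` markers lost in this rendering it is not clear which one survives; if both are still shipped they resolve to the same path and the build would list the file twice. The `%prep`, `%build` and `%files` sections all begin and end outside these hunks.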
