From 983199849d12238af61b331a125abea5b61aab69 Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Thu, 23 Mar 2017 02:08:49 +0100
Subject: [PATCH] Update to upstream v2.4.1, plus ...

- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1 and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
- Removed no-functional ./configure options
- Use upstream tmfiles.d/openvpn
- Package newer openvpn-client/server@.service unit files
---
 ...-weaker-RSA-keys-and-MD-algorithms-i.patch | 50 +++++++++++++++++++
 openvpn-tmpfile.conf | 1 -
 openvpn.spec | 39 ++++++++-------
 3 files changed, 72 insertions(+), 18 deletions(-)
 create mode 100644 0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
 delete mode 100644 openvpn-tmpfile.conf

diff --git a/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch b/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
new file mode 100644
index 0000000..5b3f24c
--- /dev/null
+++ b/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
@@ -0,0 +1,50 @@
+From 9e2c742b2d8ffc31db7590cfc4f29d2012dd8de1 Mon Sep 17 00:00:00 2001
+From: David Sommerseth
+Date: Thu, 23 Mar 2017 01:34:06 +0100
+Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora
+
+This patch hard codes an alternative mbed TLS profile to allow
+RSA keys >= 1024 bits as well as SHA1 and RIPEMD160 hashing.
+
+Signed-off-by: David Sommerseth
+---
+ src/openvpn/ssl_mbedtls.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
+index ba8dadf..05f8a48 100644
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -932,6 +932,29 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
+ MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
+ #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+ 
++ /* Fedora adoption - allow legacy certificates
++ * Taken from the OpenVPN 3 Core code base
++ */
++ const static mbedtls_x509_crt_profile crt_profile_legacy = {
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
++ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
++ -1, /* Any PK alg */
++ -1, /* Any curve */
++ 1024, /* Minimum size for RSA keys */
++ };
++ mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy);
++ static bool fedora_mod_info = false;
++ if (!fedora_mod_info) {
++ msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode");
++ fedora_mod_info = true;
++ }
++
++ /* End of Fedora adoption */
++
+ /* Initialise authentication information */
+ if (is_server)
+ {
+--
+2.11.0
+
diff --git a/openvpn-tmpfile.conf b/openvpn-tmpfile.conf
deleted file mode 100644
index d5fca71..0000000
--- a/openvpn-tmpfile.conf
+++ /dev/null
@@ -1 +0,0 @@
-D /var/run/openvpn 0710 root openvpn -
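Review bot: The legacy profile is installed unconditionally in key_state_ssl_init(), so every connection built with this package, client and server alike, now accepts SHA1- and RIPEMD160-signed certificates and 1024-bit RSA keys, and nothing in the patch lets a deployment whose CA already uses SHA-256/2048-bit keys keep the stricter mbed TLS default. Certificate signatures are precisely where SHA-1 collision attacks bite, so this should be opt-in (a configuration knob or at least a build-time `#ifdef`) rather than a silent global downgrade, and the one-time notice should be raised to `msg(M_WARN, ...)` so it reads as the security trade-off it is. As a point of style, `const static mbedtls_x509_crt_profile crt_profile_legacy` should be `static const mbedtls_x509_crt_profile crt_profile_legacy` (storage class first, which is what compilers' old-style-declaration warnings expect), and the block comment should state how to get the strict profile back, e.g. `/* Legacy profile: SHA1/RIPEMD160 and RSA >= 1024 accepted; there is currently no option to restore the upstream default */`. The enclosing key_state_ssl_init() starts and ends outside this hunk.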
diff --git a/openvpn.spec b/openvpn.spec
index 12b4983..1ed7d7e 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -4,28 +4,24 @@
 %define plugins down-root auth-pam
 Name: openvpn
-Version: 2.4.0
-Release: 2%{?prerelease:.%{prerelease}}%{?dist}
+Version: 2.4.1
+Release: 1%{?prerelease:.%{prerelease}}%{?dist}
 Summary: A full-featured SSL VPN solution
-URL: http://openvpn.net/
-#Source0: http://openvpn.net/beta/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
-#Source0: https://secure.openvpn.net/beta/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
-Source0: http://openvpn.net/release/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
-#Source1: https://secure.openvpn.net/beta/signatures/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz.asc
-Source1: http://openvpn.net/signatures/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz.asc
+URL: https://community.openvpn.net/
+Source0: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
+Source1: https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
 # Sample 2.0 config files
 Source2: roadwarrior-server.conf
 Source3: roadwarrior-client.conf
-# Systemd service
+# Systemd service (deprecated)
 Source4: openvpn@.service
-# Tmpfile.d config
-Source5: %{name}-tmpfile.conf
 # Don't start openvpn by default.
 #Patch0: openvpn-init.patch
 #Patch1: openvpn-script-security.patch
 #Patch2: openvpn-2.1.1-init.patch
 #Patch3: openvpn-2.1.1-initinfo.patch
+Patch4: 0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
 License: GPLv2
 Group: Applications/Internet
 BuildRequires: systemd-devel
@@ -64,6 +60,7 @@ for compression.
 #%patch1 -p1
 #%patch2 -p0
 #%patch3 -p0
+%patch4 -p1
 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
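Review bot: Source1 now fetches the detached signature for the new tarball, but nothing visible in the spec consumes it — the %prep hunk in this same commit only applies `%patch4 -p1` and runs sed — so moving the download to swupdate.openvpn.org adds no integrity check beyond transport TLS. Since the `.asc` is already downloaded, add the upstream release-signing key as a further Source and verify in %prep before unpacking, e.g. `gpgv2 --keyring <keyring-source> %{SOURCE1} %{SOURCE0}` (or the distribution's gpgverify helper if one is available), so a tampered tarball fails the build. The new `# Systemd service (deprecated)` comment on Source4 should also say what supersedes it, e.g. `# Systemd service (deprecated: use the upstream openvpn-client@/openvpn-server@ units)`, so the next maintainer knows when it can be dropped.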
@@ -80,8 +77,6 @@ find contrib sample -type f -perm /100 \
 # --with-iproute-path=PATH Path to iproute tool
 # --with-route-path=PATH Path to route tool
 %configure \
- --enable-pthread \
- --enable-password-save \
 --enable-iproute2 \
 --with-iproute-path=/sbin/ip \
 --enable-plugins \
@@ -89,7 +84,9 @@ find contrib sample -type f -perm /100 \
 --enable-plugin-auth-pam \
 --with-crypto-library=mbedtls \
 --enable-systemd \
- --docdir=%{_pkgdocdir}
+ --docdir=%{_pkgdocdir} \
+ SYSTEMD_UNIT_DIR=%{_unitdir} \
+ TMPFILES_DIR=%{_tmpfilesdir}
 %{__make}
 #%check
@@ -143,8 +140,6 @@ find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
 cp -a AUTHORS PORTS INSTALL contrib sample $RPM_BUILD_ROOT%{_pkgdocdir}
 # tmpfiles.d
-mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d
-install -m 0644 %{SOURCE5} %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0710 %{buildroot}%{_localstatedir}/run/%{name}/
@@ -196,11 +191,21 @@ fi
 %{_includedir}/openvpn-msg.h
 %{_libdir}/%{name}/
 %{_unitdir}/%{name}@.service
+%{_unitdir}/%{name}-client@.service
+%{_unitdir}/%{name}-server@.service
+%{_tmpfilesdir}/%{name}.conf
 %attr(0710,root,openvpn) %dir %{_localstatedir}/run/%{name}/
-%{_prefix}/lib/tmpfiles.d/%{name}.conf
 %config %dir %{_sysconfdir}/%{name}/
 %changelog
+* Thu Mar 23 2017 David Sommerseth - 2.4.1-1
+- Updating to upstream release, v2.4.1
+- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
+ and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
+- Removed no-functional ./configure options
+- Use upstream tmfiles.d/openvpn
+- Package newer openvpn-client/server@.service unit files
+
 * Thu Feb 09 2017 Jon Ciesla 2.4.0-2
 - Move to mbedtls to resolve FTBFS.
 - Dropped, re-add once openvpn supports openssl 1.1.x
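Review bot: The %files hunk now ships upstream's `%{_tmpfilesdir}/%{name}.conf` while the spec still hand-creates `%{_localstatedir}/run/%{name}/` in %install and owns it as `%attr(0710,root,openvpn) %dir`; the deleted Fedora entry used exactly that mode and owner, but the upstream file is not in this diff, so if it declares a different owner, group or mode the package-owned directory and the tmpfiles.d entry will disagree on a live system and systemd-tmpfiles will silently re-apply its own view at boot. Check the upstream entry and either drop the hand-created directory (letting tmpfiles.d own it) or make the `%attr` line match it, with a one-line comment recording which side is authoritative. The old `openvpn@.service` also stays packaged alongside the new openvpn-client@/openvpn-server@ units even though Source4 is now marked deprecated; a comment such as `# openvpn@.service is kept for existing enablements; new configs should use openvpn-client@/openvpn-server@` next to the %files entry would make the intended migration path explicit.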