Compare commits


33 Commits
epel8 ... epel9

Author | SHA1 | Message | Date
Frank Lichtenheld | 867f08ccda | Update gpg key | 6 months ago
Frank Lichtenheld | 1b8e79eb8d | Update to upstream OpenVPN 2.5.11 | 6 months ago
David Sommerseth | b76e8a4c9d | Fix false exit status on pre runtime scriptlet (Elkhan Mammadli <elkhan@almalinux.org>, RHBZ#2239722) | 1 year ago
David Sommerseth | 5bfc18d059 | Update to upstream OpenVPN 2.5.9 | 2 years ago
David Sommerseth | 7a351506fd | Update to upstream OpenVPN 2.5.8 | 2 years ago
David Sommerseth | eae8a65248 | OpenVPN 2.5.7-2 fixing BF-CBC related issues | 3 years ago
David Sommerseth | 3751b7ae1f | Update to upstream OpenVPN 2.5.7 release | 3 years ago
David Sommerseth | 9c2a62d8fb | Update to upstream OpenVPN 2.5.6 | 3 years ago
David Sommerseth | c66021082f | Fix incorrect Release tag | 3 years ago
David Sommerseth | 319722d474 | Fix systemd related scriptlet error (#1887984) | 3 years ago
Fedora Release Engineering | 17755bc969 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild | 3 years ago
David Sommerseth | 115523d4da | Rebuild of 2.5.5 | 3 years ago
David Sommerseth | 0babf7defa | Update to upstream OpenVPN 2.5.5 (#2032844) | 3 years ago
David Sommerseth | b0362d8141 | Update to upstream OpenVPN 2.5.4 | 3 years ago
Sahana Prasad | f277725e6b | Rebuilt with OpenSSL 3.0.0 | 3 years ago
Fedora Release Engineering | 41c090a5f6 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild | 4 years ago
David Sommerseth | 7da2216c08 | Update to upstream OpenVPN 2.5.3 {CVE-2021-3606} | 4 years ago
David Sommerseth | 4214b7e799 | Update to upstream OpenVPN 2.5.2 | 4 years ago
Zbigniew Jędrzejewski-Szmek | 81b76b938b | Rebuilt for updated systemd-rpm-macros | 4 years ago
David Sommerseth | ddc4a6440e | Update to upstream OpenVPN 2.5.1 | 4 years ago
Fedora Release Engineering | 1210c40ec2 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild | 4 years ago
Tom Stellard | 6f1ad806d4 | Add BuildRequires: make | 4 years ago
David Sommerseth | 1abef035ab | Added missing new source files | 4 years ago
David Sommerseth | fbbe525207 | Update to upstream OpenVPN 2.5.0 | 4 years ago
Orion Poplawski | 533cc03efe | Remove old sources | 4 years ago
Fedora Release Engineering | 6321a99faf | - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild | 5 years ago
David Sommerseth | 60c2c0a774 | Upload the updated source files | 5 years ago
David Sommerseth | bfb1ec1f13 | Update to latest upstream OpenVPN 2.4.9 | 5 years ago
David Sommerseth | 80a500f528 | Rebuilt to be linked against latest lzo (RHBZ#1802299) | 5 years ago
Fedora Release Engineering | 3ac946d388 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild | 5 years ago
David Sommerseth | 8899cb7ced | Update to latest upstream OpenVPN 2.4.8 | 5 years ago
Vladimír Beneš | 77fe21e2ae | tests: add Fedora CI tests definition file | 5 years ago
Fedora Release Engineering | a01f0fd1bb | - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild | 6 years ago

26
.gitignore vendored

@ -58,3 +58,29 @@ openvpn-2.1.2.tar.gz.asc
/openvpn-2.4.6.tar.xz.asc /openvpn-2.4.6.tar.xz.asc
/openvpn-2.4.7.tar.xz /openvpn-2.4.7.tar.xz
/openvpn-2.4.7.tar.xz.asc /openvpn-2.4.7.tar.xz.asc
/openvpn-2.4.8.tar.xz
/openvpn-2.4.8.tar.xz.asc
/openvpn-2.4.9.tar.xz
/openvpn-2.4.9.tar.xz.asc
/openvpn-2.5.0.tar.xz
/openvpn-2.5.0.tar.xz.asc
/openvpn-2.5.1.tar.xz
/openvpn-2.5.1.tar.xz.asc
/openvpn-2.5.2.tar.xz
/openvpn-2.5.2.tar.xz.asc
/openvpn-2.5.3.tar.xz
/openvpn-2.5.3.tar.xz.asc
/openvpn-2.5.4.tar.xz
/openvpn-2.5.4.tar.xz.asc
/openvpn-2.5.5.tar.xz
/openvpn-2.5.5.tar.xz.asc
/openvpn-2.5.6.tar.xz
/openvpn-2.5.6.tar.xz.asc
/openvpn-2.5.7.tar.xz
/openvpn-2.5.7.tar.xz.asc
/openvpn-2.5.8.tar.xz
/openvpn-2.5.8.tar.xz.asc
/openvpn-2.5.9.tar.gz
/openvpn-2.5.9.tar.gz.asc
/openvpn-2.5.11.tar.gz
/openvpn-2.5.11.tar.gz.asc

@ -0,0 +1,225 @@
From cf5864f5922e4f40357d9f75a35cd448e671dddf Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Fri, 3 Jun 2022 11:52:19 +0200
Subject: [PATCH] Allow running a default configuration with TLS libraries
without BF-CBC
Modern TLS libraries might drop Blowfish by default or distributions
might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
options with BF-CBC compatible strings. To avoid requiring BF-CBC
for this, special this one usage of BF-CBC enough to avoid a hard
requirement on Blowfish in the default configuration.
This patch is cherry-picked from 79ff3f79 and the missing
ciphername = "none"; has been added in the OCC code.
Due to uncrustify complains, a few extra whitespace fixes had to be
done to options.c.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220603095219.637361-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/crypto_backend.h | 2 ++
src/openvpn/init.c | 37 ++++++++++++++++-----
src/openvpn/options.c | 62 ++++++++++++++++++++++++++++--------
3 files changed, 80 insertions(+), 21 deletions(-)
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index a9bb38ed..aebda3d6 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -256,6 +256,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername);
* The returned name is normalised to the OpenVPN config name in case the
* name differs from the name used by the crypto library.
*
+ * Returns [null-cipher] in case the cipher_kt is NULL.
+ *
* @param cipher_kt Static cipher parameters
*
* @return a statically allocated string describing the cipher.
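Review bot: the added doc comment promises that cipher_kt_name() returns [null-cipher] when cipher_kt is NULL, but the diffstat lists crypto_backend.h with only these two comment lines (2 ++) and no backend source file, so nothing in this patch implements that promise. Please confirm both crypto backends already behave that way before merging, because the options_string() change further down initialises the key type with "none" in the BF-CBC case and then passes the result through the same name lookup.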
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index da4d60af..b1b7b350 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2764,14 +2764,35 @@ do_init_crypto_tls_c1(struct context *c)
#endif /* if P2MP */
}
- /* Do not warn if we only have BF-CBC in options->ciphername
- * because it is still the default cipher */
- bool warn = !streq(options->ciphername, "BF-CBC")
- || options->enable_ncp_fallback;
- /* Get cipher & hash algorithms */
- init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
- options->keysize, true, warn);
-
+ /*
+ * BF-CBC is allowed to be used only when explicitly configured
+ * as NCP-fallback or when NCP has been disabled or explicitly
+ * allowed in the in ncp_ciphers list.
+ * In all other cases do not attempt to initialize BF-CBC as it
+ * may not even be supported by the underlying SSL library.
+ *
+ * Therefore, the key structure has to be initialized when:
+ * - any non-BF-CBC cipher was selected; or
+ * - BF-CBC is selected and NCP is disabled (explicit request to
+ * use the BF-CBC cipher); or
+ * - BF-CBC is selected, NCP is enabled and fallback is enabled
+ * (BF-CBC will be the fallback).
+ * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
+ * If the negotiated cipher and options->ciphername are the
+ * same we do not reinit the cipher
+ *
+ * Note that BF-CBC will still be part of the OCC string to retain
+ * backwards compatibility with older clients.
+ */
+ if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
+ || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))
+ || options->enable_ncp_fallback)
+ {
+ /* Do not warn if the if the cipher is used only in OCC */
+ bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
+ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
+ options->keysize, true, warn);
+ }
/* Initialize PRNG with config-specified digest */
prng_init(options->prng_hash, options->prng_nonce_secret_len);
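Review bot: the third disjunct of the new condition, `(options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))`, can drop its `options->ncp_enabled &&` prefix: the second disjunct `!options->ncp_enabled` already yields true when NCP is disabled, so by the time the third term is evaluated ncp_enabled is known to be true. The more important question is the else case: when the condition is false, c->c1.ks.key_type is left untouched, so please confirm it is zero-initialised and that nothing later in do_init_crypto_tls() reads key_type.cipher assuming init_key_type() ran (the comment's own fourth bullet, a negotiated BF-CBC that does not re-init the cipher, is precisely the path where that assumption would bite). Two typos in the added comment: "in the in ncp_ciphers list" and "Do not warn if the if the cipher".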
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f6ef02ae..2206d9f4 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1135,7 +1135,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren
#ifndef ENABLE_SMALL
static void
-show_dhcp_option_list(const char *name, const char * const*array, int len)
+show_dhcp_option_list(const char *name, const char *const *array, int len)
{
int i;
for (i = 0; i < len; ++i)
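Review bot: this hunk, like the single-line hunks for USAGE_VALID_SERVER_PROTOS, the --ncp-disable message, bind-dev, --inactive and providers later in options.c, is a whitespace-only uncrustify change. The commit message acknowledges them, but they carry no behaviour and only make this distribution backport harder to rebase onto the next upstream release; consider dropping them from the cherry-pick and keeping the functional hunks only.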
@@ -2288,7 +2288,7 @@ options_postprocess_verify_ce(const struct options *options,
if (options->mode == MODE_SERVER)
{
#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
- "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
+ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
#ifdef TARGET_ANDROID
msg(M_FATAL, "--mode server not supported on Android");
#endif
@@ -3103,7 +3103,7 @@ options_postprocess_cipher(struct options *o)
if (!o->ncp_enabled)
{
msg(M_USAGE, "--ncp-disable needs an explicit --cipher or "
- "--data-ciphers-fallback config option");
+ "--data-ciphers-fallback config option");
}
msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to "
@@ -3681,9 +3681,30 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
{
struct frame fake_frame = *frame;
struct key_type fake_kt;
- init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
- false);
+
frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead());
+
+
+ /* o->ciphername might be BF-CBC even though the underlying SSL library
+ * does not support it. For this reason we workaround this corner case
+ * by pretending to have no encryption enabled and by manually adding
+ * the required packet overhead to the MTU computation.
+ */
+ const char *ciphername = o->ciphername;
+
+ if (strcmp(o->ciphername, "BF-CBC") == 0)
+ {
+ /* none has no overhead, so use this to later add only --auth
+ * overhead */
+
+ /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
+ frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
+ ciphername = "none";
+ }
+
+ init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true,
+ false);
+
crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
cipher_kt_mode_ofb_cfb(fake_kt.cipher));
frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
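Review bot: in the BF-CBC branch fake_kt is now initialised from "none", and crypto_adjust_frame_parameters() is then called with cipher_kt_mode_ofb_cfb(fake_kt.cipher); confirm that both helpers tolerate a NULL cipher the way the updated crypto_backend.h comment says cipher_kt_name() does, otherwise the MTU calculation fails on exactly the configurations this patch is meant to enable. The comment "none has no overhead, so use this to later add only --auth overhead" is detached from the statement it describes (it sits above a second comment, not above `ciphername = "none"`), and the two blank lines added after frame_remove_from_extra_frame() look accidental. The overhead value itself is right: 64/8 + 64/8 is 8 bytes of block padding plus an 8-byte IV, matching Blowfish's 64-bit block and IV. Minor: this hunk compares the cipher name with strcmp() while the init.c hunk in the same patch uses streq(); pick one.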
@@ -3853,18 +3874,33 @@ options_string(const struct options *o,
+ (TLS_SERVER == true)
<= 1);
- init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
- false);
+ /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
+ * to work here in the default configuration */
+ const char *ciphername = o->ciphername;
+ int keysize;
+
+ if (strcmp(o->ciphername, "BF-CBC") == 0)
+ {
+ init_key_type(&kt, "none", o->authname, o->keysize, true,
+ false);
+ keysize = 128;
+ }
+ else
+ {
+ init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
+ false);
+ ciphername = cipher_kt_name(kt.cipher);
+ keysize = kt.cipher_length * 8;
+ }
/* Only announce the cipher to our peer if we are willing to
* support it */
- const char *ciphername = cipher_kt_name(kt.cipher);
if (p2p_nopull || !o->ncp_enabled
|| tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
{
buf_printf(&out, ",cipher %s", ciphername);
}
buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
- buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
+ buf_printf(&out, ",keysize %d", keysize);
if (o->shared_secret_file)
{
buf_printf(&out, ",secret");
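Review bot: the keysize announced in the OCC string is hard-coded to 128 in the BF-CBC branch, whereas the removed line derived it from kt.cipher_length. That matches OpenVPN's historical default Blowfish key size, but a configuration that combines `--cipher BF-CBC` with an explicit `--keysize` (o->keysize is still passed to init_key_type() here, just no longer used for the OCC value) will now announce 128 regardless, so the OCC string can disagree with a peer that still resolves BF-CBC through the library. If that is acceptable for the default-configuration case this patch targets, the commit message should say so. The rest of the restructuring holds up: both branches assign ciphername and keysize, the deleted `const char *ciphername = cipher_kt_name(kt.cipher);` is fully replaced by the else branch, and the tls_item_in_cipher_list() check still decides whether BF-CBC is advertised at all.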
@@ -6168,9 +6204,9 @@ add_option(struct options *options,
}
}
#ifdef TARGET_LINUX
- else if (streq (p[0], "bind-dev") && p[1])
+ else if (streq(p[0], "bind-dev") && p[1])
{
- VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
+ VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
options->bind_dev = p[1];
}
#endif
@@ -6248,7 +6284,7 @@ add_option(struct options *options,
{
int64_t val = atoll(p[2]);
options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
- if ( options->inactivity_minimum_bytes > INT_MAX )
+ if (options->inactivity_minimum_bytes > INT_MAX)
{
msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
" >2 Gbyte was silently ignored in older versions. If "
@@ -8132,7 +8168,7 @@ add_option(struct options *options,
#endif
else if (streq(p[0], "providers") && p[1])
{
- for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++)
+ for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
{
options->providers.names[j] = p[j];
}
--
2.31.1

@ -1,6 +1,4 @@
From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001
From: David Sommerseth <dazo@eurephia.org> From: David Sommerseth <dazo@eurephia.org>
Date: Tue, 4 Jul 2017 16:06:24 +0200
Subject: [PATCH] Change the default cipher to AES-256-GCM for server Subject: [PATCH] Change the default cipher to AES-256-GCM for server
configurations configurations
@ -10,6 +8,14 @@ defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
the BF-CBC in addition to AES-CBC. This makes it possible to migrate the BF-CBC in addition to AES-CBC. This makes it possible to migrate
existing older client configurations one-by-one to use at least AES-CBC unless existing older client configurations one-by-one to use at least AES-CBC unless
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
[Update 2022-06-10]
The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish
cipher is no longer available by default in OpenSSL 3.0. It can be enabled
via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger
cipher by default and older OpenVPN releases are no longer supported upstream.
--- ---
distro/systemd/openvpn-server@.service.in | 2 +- distro/systemd/openvpn-server@.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
@ -23,7 +29,7 @@ index 9a8a2c7..0ecda08 100644
PrivateTmp=true PrivateTmp=true
WorkingDirectory=/etc/openvpn/server WorkingDirectory=/etc/openvpn/server
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10 LimitNPROC=10
DeviceAllow=/dev/null rw DeviceAllow=/dev/null rw
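Review bot: the new ExecStart line keeps `--cipher AES-256-GCM` while switching `--ncp-ciphers` to `--data-ciphers`; in 2.5 the fallback cipher is expressed as `--data-ciphers-fallback` (the companion patch in this compare even names it in the --ncp-disable usage message), so either modernise that option as well or state in the description why --cipher is kept. The [Update 2022-06-10] paragraph explains why BF-CBC left the list but stops short of the operational consequence: a client still pinned to `cipher BF-CBC` cannot connect to this unit at all any more. Saying that outright will stop the next packager from re-adding BF-CBC on the first support request.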

@ -1,42 +1,56 @@
%define _hardened_build 1 %define _hardened_build 1
#define prerelease rc22
# Build conditionals # Build conditionals
# tests_long - Enabled by default, enables long running tests in %%check # tests_long - Enabled by default, enables long running tests in %%check
%bcond_without tests_long %bcond_without tests_long
Name: openvpn Name: openvpn
Version: 2.4.7 Version: 2.5.11
Release: 1%{?prerelease:.%{prerelease}}%{?dist} Release: 1%{?dist}
Summary: A full-featured SSL VPN solution Summary: A full-featured TLS VPN solution
URL: https://community.openvpn.net/ URL: https://community.openvpn.net/
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
Source2: roadwarrior-server.conf Source2: roadwarrior-server.conf
Source3: roadwarrior-client.conf Source3: roadwarrior-client.conf
# Upstream signing key # Upstream signing key
Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
License: GPLv2 License: GPLv2
BuildRequires: gnupg2 BuildRequires: gnupg2
BuildRequires: gcc BuildRequires: gcc
BuildRequires: systemd-devel BuildRequires: automake
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: libtool
BuildRequires: gettext
BuildRequires: lzo-devel BuildRequires: lzo-devel
BuildRequires: lz4-devel BuildRequires: lz4-devel
BuildRequires: make
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: pkcs11-helper-devel >= 1.11 BuildRequires: pkcs11-helper-devel >= 1.11
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
# For the perl_default_filter macro BuildRequires: libcmocka-devel
BuildRequires: perl-macros
BuildRequires: systemd BuildRequires: systemd
BuildRequires: systemd-devel
%{?systemd_requires} %{?systemd_requires}
# For /sbin/ip.
BuildRequires: iproute
Requires: iproute
Requires(pre): /usr/sbin/useradd Requires(pre): /usr/sbin/useradd
%if 0%{?rhel} > 7 || 0%{?fedora} > 29
BuildRequires: python3-docutils
%else
# We cannot use python36-docutils on RHEL-7 as
# the ./configure script does not currently find
# the rst2man-3 executable, it only looks for rst2man
BuildRequires: python-docutils
%endif
# For the perl_default_filter macro
BuildRequires: perl-macros
# Filter out the perl(Authen::PAM) dependency. # Filter out the perl(Authen::PAM) dependency.
# No perl dependency is really needed at all. # No perl dependency is really needed at all.
%{?perl_default_filter} %{?perl_default_filter}
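Review bot: the Patch lines in this hunk still list only Patch1 and Patch50, yet this compare also adds a new 225-line file carrying Arne Schwabe's "Allow running a default configuration with TLS libraries without BF-CBC" patch, and the 2.5.7-2 changelog entry below describes that patch as "to be removed with 2.5.8". At 2.5.11 the file is unreferenced dead weight in the branch and should be deleted rather than left behind. Separately, the new BuildRequires on automake, autoconf, autoconf-archive, libtool and gettext have no matching autoreconf call in the %prep or %build hunks shown (the build still goes straight to %configure), so either an autoreconf step lives outside the shown hunks or those BuildRequires can go.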
@ -60,20 +74,18 @@ to similar features as the various script-hooks.
%prep %prep
gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0} gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}} %setup -q -n %{name}-%{version}
%patch1 -p1 -b .ch_default_cipher %patch1 -p1 -b .ch_default_cipher
%patch50 -p1 %patch50 -p1
sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
# %%doc items shouldn't be executable. # %%doc items shouldn't be executable.
find contrib sample -type f -perm /100 \ find contrib sample -type f -perm /100 \
-exec chmod a-x {} \; -exec chmod a-x {} \;
%build %build
%configure \ %configure \
--enable-iproute2 \ --enable-silent-rules \
--with-crypto-library=openssl \ --with-crypto-library=openssl \
--enable-pkcs11 \ --enable-pkcs11 \
--enable-selinux \ --enable-selinux \
@ -82,8 +94,7 @@ find contrib sample -type f -perm /100 \
--enable-async-push \ --enable-async-push \
--docdir=%{_pkgdocdir} \ --docdir=%{_pkgdocdir} \
SYSTEMD_UNIT_DIR=%{_unitdir} \ SYSTEMD_UNIT_DIR=%{_unitdir} \
TMPFILES_DIR=%{_tmpfilesdir} \ TMPFILES_DIR=%{_tmpfilesdir}
IPROUTE=/sbin/ip
%{__make} %{__make}
%check %check
@ -135,7 +146,7 @@ mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir} cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
# Remove some files which does not really belong here # Remove some files which does not really belong here
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am} rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
@ -144,19 +155,26 @@ getent group openvpn &>/dev/null || groupadd -r openvpn
getent passwd openvpn &>/dev/null || \ getent passwd openvpn &>/dev/null || \
/usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \ /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
-d /etc/openvpn openvpn -d /etc/openvpn openvpn
exit 0
%post %post
%systemd_post openvpn-client@\*.service for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
%systemd_post openvpn-server@\*.service do
%systemd_post $srv
done
%preun %preun
%systemd_preun openvpn-client@\*.service for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
%systemd_preun openvpn-server@\*.service do
%systemd_preun $srv
done
%postun %postun
%systemd_postun_with_restart openvpn-client@\*.service for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
%systemd_postun_with_restart openvpn-server@\*.service do
%systemd_postun_with_restart openvpn@\*.service %systemd_postun_with_restart $srv
done
%files %files
%{_pkgdocdir} %{_pkgdocdir}
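Review bot: the %post, %preun and %postun loops enumerate units with a bare `systemctl | awk ...`; with no subcommand systemctl runs list-units, which by default lists only loaded, active units, so an openvpn-server@ or openvpn-client@ instance that is enabled but stopped at upgrade or removal time is never passed to %systemd_preun and stays enabled after the package is gone. The enumeration also needs a running systemd, so in a chroot, container or image build the loop body never executes and the failure is silent. Since the loop replaced the glob form `%systemd_preun openvpn-client@\*.service` to fix the scriptlet error tracked as #1887984 in the changelog, a comment above the loop saying what the glob broke (and why `--all` is not used) would let the next maintainer judge whether the trade-off still holds. The `exit 0` added at the end of %pre is the RHBZ#2239722 fix from the commit list and is fine as the scriptlet's final statement.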
@ -164,6 +182,7 @@ getent passwd openvpn &>/dev/null || \
%exclude %{_pkgdocdir}/README.mbedtls %exclude %{_pkgdocdir}/README.mbedtls
%exclude %{_pkgdocdir}/sample/sample-plugins %exclude %{_pkgdocdir}/sample/sample-plugins
%{_mandir}/man8/%{name}.8* %{_mandir}/man8/%{name}.8*
%{_mandir}/man5/%{name}-*.5*
%{_sbindir}/%{name} %{_sbindir}/%{name}
%{_libdir}/%{name}/ %{_libdir}/%{name}/
%{_unitdir}/%{name}-client@.service %{_unitdir}/%{name}-client@.service
@ -183,6 +202,94 @@ getent passwd openvpn &>/dev/null || \
%changelog %changelog
* Thu Jul 18 2024 Frank Lichtenheld <frank@lichtenheld.com> - 2.5.11-1
- Update to upstream OpenVPN 2.5.11
- Fixes CVE-2024-5594
* Thu Nov 9 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-2
- Fix false exit status on pre runtime scriptlet (Elkhan Mammadli <elkhan@almalinux.org>, RHBZ#2239722)
* Thu Feb 16 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-1
- Update to upstream OpenVPN 2.5.9
* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
- Update to upstream OpenVPN 2.5.8
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
https://patchwork.openvpn.net/patch/2504/
- Removed BF-CBC from the --data-ciphers list. This is no longer available by default
in OpenSSL 3.0
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
- Update to upstream OpenVPN 2.5.7
* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
- Update to upstream OpenVPN 2.5.6
- Fixes CVE-2022-0547
* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
- Fix systemd related scriptlet error (#1887984)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
- Rebuild of 2.5.5
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
- Update to upstream OpenVPN 2.5.5 (#2032844)
* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
- Update to upstream OpenVPN 2.5.4
- Added new man page: openvpn-examples(5)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
- Update to upstream OpenVPN 2.5.3
- Fixes CVE-2021-3606
* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
- Update to upstream OpenVPN 2.5.2
- Fixes CVE-2020-15078
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
- Update to upstream OpenVPN 2.5.1
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
- Update to upstream OpenVPN 2.5.0
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
- Update to upstream OpenVPN 2.4.9
* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
- Rebuilt to be linked against latest lzo (RHBZ#1802299)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
- Updating to upstream OpenVPN 2.4.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1 * Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
- Updating to upstream OpenVPN 2.4.7 - Updating to upstream OpenVPN 2.4.7

@ -1,2 +1,2 @@
SHA512 (openvpn-2.4.7.tar.xz) = 5398084ad0002b3ed34871375888a1ec5d4d0f0dbc7c979ab12fc16b00559613c0654f1760e84bea77d4fe7284bce25e2e9d3d309fe85ffd1060ced10978ff95 SHA512 (openvpn-2.5.11.tar.gz) = 5ef80681e71aa84629d48b067b540c0e8169ee3ff4b1129fc0030a55f0f7e2bb9a9cd568aa627828d8adb1366f5b0cfdd37242fb5cb6cec4a50fea9ffe8805bc
SHA512 (openvpn-2.4.7.tar.xz.asc) = 4d2097291b46bd521f8a8bfcd3bf94fb334cccb13ee1391b434004068a4754d7e55afff99562487b296c02a24d18c495b69854c9e7d4042e04ba0a079c34cc4c SHA512 (openvpn-2.5.11.tar.gz.asc) = f8796504341539db4a79ccf26706d2cc7e13b9fc511e0e38a0676b5eb94c0c43174b1cc29b07a51eb0e6c8dc7715a9728cc367166bdafae705381338cca3aead

@ -0,0 +1,14 @@
# Tests for openvpn using NM's tests
- hosts: localhost
roles:
- role: standard-test-basic
tags:
- classic
repositories:
- repo: "https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci"
dest: "NetworkManager-ci"
tests:
- sanity-tests:
dir: NetworkManager-ci
run: run/osci/run-tests openvpn
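Review bot: the `repo:` entry pulls NetworkManager-ci from gitlab.freedesktop.org with no revision pinned, so every CI run executes whatever the repository's default branch holds at that moment; pin a commit or tag so that an upstream test change cannot start failing, or silently passing, this package's gating without any change in the package itself.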