Compare commits
1 Commits
Author | SHA1 | Date |
---|---|---|
Arkady L. Shane | 45b32327ed | 3 days ago |
@ -1,86 +1 @@
|
|||||||
openvpn-2.1.1.tar.gz
|
SOURCES/openvpn-baa9192.tar.gz
|
||||||
openvpn-2.1.1.tar.gz.asc
|
|
||||||
openvpn-2.1.2.tar.gz
|
|
||||||
openvpn-2.1.2.tar.gz.asc
|
|
||||||
/openvpn-2.1.3.tar.gz
|
|
||||||
/openvpn-2.1.3.tar.gz.asc
|
|
||||||
/openvpn-2.1.4.tar.gz
|
|
||||||
/openvpn-2.1.4.tar.gz.asc
|
|
||||||
/openvpn-2.2.0.tar.gz
|
|
||||||
/openvpn-2.2.0.tar.gz.asc
|
|
||||||
/openvpn-2.2.1.tar.gz
|
|
||||||
/openvpn-2.2.1.tar.gz.asc
|
|
||||||
/openvpn-2.2.2.tar.gz
|
|
||||||
/openvpn-2.2.2.tar.gz.asc
|
|
||||||
/openvpn-2.3.0.tar.gz
|
|
||||||
/openvpn-2.3.0.tar.gz.asc
|
|
||||||
/openvpn-2.3.1.tar.gz
|
|
||||||
/openvpn-2.3.1.tar.gz.asc
|
|
||||||
/openvpn-2.3.2.tar.gz
|
|
||||||
/openvpn-2.3.2.tar.gz.asc
|
|
||||||
/openvpn-2.3.3.tar.gz
|
|
||||||
/openvpn-2.3.3.tar.gz.asc
|
|
||||||
/openvpn-2.3.4.tar.gz
|
|
||||||
/openvpn-2.3.4.tar.gz.asc
|
|
||||||
/openvpn-2.3.5.tar.gz
|
|
||||||
/openvpn-2.3.5.tar.gz.asc
|
|
||||||
/openvpn-2.3.6.tar.gz
|
|
||||||
/openvpn-2.3.6.tar.gz.asc
|
|
||||||
/openvpn-2.3.7.tar.gz
|
|
||||||
/openvpn-2.3.7.tar.gz.asc
|
|
||||||
/openvpn-2.3.8.tar.gz
|
|
||||||
/openvpn-2.3.8.tar.gz.asc
|
|
||||||
/openvpn-2.3.9.tar.gz
|
|
||||||
/openvpn-2.3.9.tar.gz.asc
|
|
||||||
/openvpn-2.3.10.tar.gz
|
|
||||||
/openvpn-2.3.10.tar.gz.asc
|
|
||||||
/openvpn-2.3.11.tar.gz
|
|
||||||
/openvpn-2.3.11.tar.gz.asc
|
|
||||||
/openvpn-2.3.12.tar.gz
|
|
||||||
/openvpn-2.3.12.tar.gz.asc
|
|
||||||
/openvpn-2.3.13.tar.gz
|
|
||||||
/openvpn-2.3.13.tar.gz.asc
|
|
||||||
/openvpn-2.3.14.tar.gz
|
|
||||||
/openvpn-2.3.14.tar.gz.asc
|
|
||||||
/openvpn-2.4.0.tar.gz
|
|
||||||
/openvpn-2.4.0.tar.gz.asc
|
|
||||||
/openvpn-2.4.1.tar.xz
|
|
||||||
/openvpn-2.4.1.tar.xz.asc
|
|
||||||
/openvpn-2.4.2.tar.xz
|
|
||||||
/openvpn-2.4.2.tar.xz.asc
|
|
||||||
/openvpn-2.4.3.tar.xz.asc
|
|
||||||
/openvpn-2.4.3.tar.xz
|
|
||||||
/openvpn-2.4.4.tar.xz
|
|
||||||
/openvpn-2.4.4.tar.xz.asc
|
|
||||||
/openvpn-2.4.5.tar.xz
|
|
||||||
/openvpn-2.4.5.tar.xz.asc
|
|
||||||
/openvpn-2.4.6.tar.xz
|
|
||||||
/openvpn-2.4.6.tar.xz.asc
|
|
||||||
/openvpn-2.4.7.tar.xz
|
|
||||||
/openvpn-2.4.7.tar.xz.asc
|
|
||||||
/openvpn-2.4.8.tar.xz
|
|
||||||
/openvpn-2.4.8.tar.xz.asc
|
|
||||||
/openvpn-2.4.9.tar.xz
|
|
||||||
/openvpn-2.4.9.tar.xz.asc
|
|
||||||
/openvpn-2.5.0.tar.xz
|
|
||||||
/openvpn-2.5.0.tar.xz.asc
|
|
||||||
/openvpn-2.5.1.tar.xz
|
|
||||||
/openvpn-2.5.1.tar.xz.asc
|
|
||||||
/openvpn-2.5.2.tar.xz
|
|
||||||
/openvpn-2.5.2.tar.xz.asc
|
|
||||||
/openvpn-2.5.3.tar.xz
|
|
||||||
/openvpn-2.5.3.tar.xz.asc
|
|
||||||
/openvpn-2.5.4.tar.xz
|
|
||||||
/openvpn-2.5.4.tar.xz.asc
|
|
||||||
/openvpn-2.5.5.tar.xz
|
|
||||||
/openvpn-2.5.5.tar.xz.asc
|
|
||||||
/openvpn-2.5.6.tar.xz
|
|
||||||
/openvpn-2.5.6.tar.xz.asc
|
|
||||||
/openvpn-2.5.7.tar.xz
|
|
||||||
/openvpn-2.5.7.tar.xz.asc
|
|
||||||
/openvpn-2.5.8.tar.xz
|
|
||||||
/openvpn-2.5.8.tar.xz.asc
|
|
||||||
/openvpn-2.5.9.tar.gz
|
|
||||||
/openvpn-2.5.9.tar.gz.asc
|
|
||||||
/openvpn-2.5.11.tar.gz
|
|
||||||
/openvpn-2.5.11.tar.gz.asc
|
|
||||||
|
@ -0,0 +1 @@
|
|||||||
|
7e9bea43185357756a76383e89354e116cbc457d SOURCES/openvpn-baa9192.tar.gz
|
@ -1,225 +0,0 @@
|
|||||||
From cf5864f5922e4f40357d9f75a35cd448e671dddf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Arne Schwabe <arne@rfc2549.org>
|
|
||||||
Date: Fri, 3 Jun 2022 11:52:19 +0200
|
|
||||||
Subject: [PATCH] Allow running a default configuration with TLS libraries
|
|
||||||
without BF-CBC
|
|
||||||
|
|
||||||
Modern TLS libraries might drop Blowfish by default or distributions
|
|
||||||
might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
|
|
||||||
options with BF-CBC compatible strings. To avoid requiring BF-CBC
|
|
||||||
for this, special this one usage of BF-CBC enough to avoid a hard
|
|
||||||
requirement on Blowfish in the default configuration.
|
|
||||||
|
|
||||||
This patch is cherry-picked from 79ff3f79 and the missing
|
|
||||||
ciphername = "none"; has been added in the OCC code.
|
|
||||||
|
|
||||||
Due to uncrustify complains, a few extra whitespace fixes had to be
|
|
||||||
done to options.c.
|
|
||||||
|
|
||||||
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
|
|
||||||
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
||||||
Message-Id: <20220603095219.637361-1-arne@rfc2549.org>
|
|
||||||
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html
|
|
||||||
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
||||||
---
|
|
||||||
src/openvpn/crypto_backend.h | 2 ++
|
|
||||||
src/openvpn/init.c | 37 ++++++++++++++++-----
|
|
||||||
src/openvpn/options.c | 62 ++++++++++++++++++++++++++++--------
|
|
||||||
3 files changed, 80 insertions(+), 21 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
|
|
||||||
index a9bb38ed..aebda3d6 100644
|
|
||||||
--- a/src/openvpn/crypto_backend.h
|
|
||||||
+++ b/src/openvpn/crypto_backend.h
|
|
||||||
@@ -256,6 +256,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername);
|
|
||||||
* The returned name is normalised to the OpenVPN config name in case the
|
|
||||||
* name differs from the name used by the crypto library.
|
|
||||||
*
|
|
||||||
+ * Returns [null-cipher] in case the cipher_kt is NULL.
|
|
||||||
+ *
|
|
||||||
* @param cipher_kt Static cipher parameters
|
|
||||||
*
|
|
||||||
* @return a statically allocated string describing the cipher.
|
|
||||||
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
|
|
||||||
index da4d60af..b1b7b350 100644
|
|
||||||
--- a/src/openvpn/init.c
|
|
||||||
+++ b/src/openvpn/init.c
|
|
||||||
@@ -2764,14 +2764,35 @@ do_init_crypto_tls_c1(struct context *c)
|
|
||||||
#endif /* if P2MP */
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Do not warn if we only have BF-CBC in options->ciphername
|
|
||||||
- * because it is still the default cipher */
|
|
||||||
- bool warn = !streq(options->ciphername, "BF-CBC")
|
|
||||||
- || options->enable_ncp_fallback;
|
|
||||||
- /* Get cipher & hash algorithms */
|
|
||||||
- init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
|
|
||||||
- options->keysize, true, warn);
|
|
||||||
-
|
|
||||||
+ /*
|
|
||||||
+ * BF-CBC is allowed to be used only when explicitly configured
|
|
||||||
+ * as NCP-fallback or when NCP has been disabled or explicitly
|
|
||||||
+ * allowed in the in ncp_ciphers list.
|
|
||||||
+ * In all other cases do not attempt to initialize BF-CBC as it
|
|
||||||
+ * may not even be supported by the underlying SSL library.
|
|
||||||
+ *
|
|
||||||
+ * Therefore, the key structure has to be initialized when:
|
|
||||||
+ * - any non-BF-CBC cipher was selected; or
|
|
||||||
+ * - BF-CBC is selected and NCP is disabled (explicit request to
|
|
||||||
+ * use the BF-CBC cipher); or
|
|
||||||
+ * - BF-CBC is selected, NCP is enabled and fallback is enabled
|
|
||||||
+ * (BF-CBC will be the fallback).
|
|
||||||
+ * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
|
|
||||||
+ * If the negotiated cipher and options->ciphername are the
|
|
||||||
+ * same we do not reinit the cipher
|
|
||||||
+ *
|
|
||||||
+ * Note that BF-CBC will still be part of the OCC string to retain
|
|
||||||
+ * backwards compatibility with older clients.
|
|
||||||
+ */
|
|
||||||
+ if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
|
|
||||||
+ || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))
|
|
||||||
+ || options->enable_ncp_fallback)
|
|
||||||
+ {
|
|
||||||
+ /* Do not warn if the if the cipher is used only in OCC */
|
|
||||||
+ bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
|
|
||||||
+ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
|
|
||||||
+ options->keysize, true, warn);
|
|
||||||
+ }
|
|
||||||
/* Initialize PRNG with config-specified digest */
|
|
||||||
prng_init(options->prng_hash, options->prng_nonce_secret_len);
|
|
||||||
|
|
||||||
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
|
|
||||||
index f6ef02ae..2206d9f4 100644
|
|
||||||
--- a/src/openvpn/options.c
|
|
||||||
+++ b/src/openvpn/options.c
|
|
||||||
@@ -1135,7 +1135,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren
|
|
||||||
#ifndef ENABLE_SMALL
|
|
||||||
|
|
||||||
static void
|
|
||||||
-show_dhcp_option_list(const char *name, const char * const*array, int len)
|
|
||||||
+show_dhcp_option_list(const char *name, const char *const *array, int len)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
for (i = 0; i < len; ++i)
|
|
||||||
@@ -2288,7 +2288,7 @@ options_postprocess_verify_ce(const struct options *options,
|
|
||||||
if (options->mode == MODE_SERVER)
|
|
||||||
{
|
|
||||||
#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
|
|
||||||
- "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
|
|
||||||
+ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
|
|
||||||
#ifdef TARGET_ANDROID
|
|
||||||
msg(M_FATAL, "--mode server not supported on Android");
|
|
||||||
#endif
|
|
||||||
@@ -3103,7 +3103,7 @@ options_postprocess_cipher(struct options *o)
|
|
||||||
if (!o->ncp_enabled)
|
|
||||||
{
|
|
||||||
msg(M_USAGE, "--ncp-disable needs an explicit --cipher or "
|
|
||||||
- "--data-ciphers-fallback config option");
|
|
||||||
+ "--data-ciphers-fallback config option");
|
|
||||||
}
|
|
||||||
|
|
||||||
msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to "
|
|
||||||
@@ -3681,9 +3681,30 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
|
|
||||||
{
|
|
||||||
struct frame fake_frame = *frame;
|
|
||||||
struct key_type fake_kt;
|
|
||||||
- init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
|
|
||||||
- false);
|
|
||||||
+
|
|
||||||
frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead());
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ /* o->ciphername might be BF-CBC even though the underlying SSL library
|
|
||||||
+ * does not support it. For this reason we workaround this corner case
|
|
||||||
+ * by pretending to have no encryption enabled and by manually adding
|
|
||||||
+ * the required packet overhead to the MTU computation.
|
|
||||||
+ */
|
|
||||||
+ const char *ciphername = o->ciphername;
|
|
||||||
+
|
|
||||||
+ if (strcmp(o->ciphername, "BF-CBC") == 0)
|
|
||||||
+ {
|
|
||||||
+ /* none has no overhead, so use this to later add only --auth
|
|
||||||
+ * overhead */
|
|
||||||
+
|
|
||||||
+ /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
|
|
||||||
+ frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
|
|
||||||
+ ciphername = "none";
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true,
|
|
||||||
+ false);
|
|
||||||
+
|
|
||||||
crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
|
|
||||||
cipher_kt_mode_ofb_cfb(fake_kt.cipher));
|
|
||||||
frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
|
|
||||||
@@ -3853,18 +3874,33 @@ options_string(const struct options *o,
|
|
||||||
+ (TLS_SERVER == true)
|
|
||||||
<= 1);
|
|
||||||
|
|
||||||
- init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
|
|
||||||
- false);
|
|
||||||
+ /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
|
|
||||||
+ * to work here in the default configuration */
|
|
||||||
+ const char *ciphername = o->ciphername;
|
|
||||||
+ int keysize;
|
|
||||||
+
|
|
||||||
+ if (strcmp(o->ciphername, "BF-CBC") == 0)
|
|
||||||
+ {
|
|
||||||
+ init_key_type(&kt, "none", o->authname, o->keysize, true,
|
|
||||||
+ false);
|
|
||||||
+ keysize = 128;
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
|
|
||||||
+ false);
|
|
||||||
+ ciphername = cipher_kt_name(kt.cipher);
|
|
||||||
+ keysize = kt.cipher_length * 8;
|
|
||||||
+ }
|
|
||||||
/* Only announce the cipher to our peer if we are willing to
|
|
||||||
* support it */
|
|
||||||
- const char *ciphername = cipher_kt_name(kt.cipher);
|
|
||||||
if (p2p_nopull || !o->ncp_enabled
|
|
||||||
|| tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
|
|
||||||
{
|
|
||||||
buf_printf(&out, ",cipher %s", ciphername);
|
|
||||||
}
|
|
||||||
buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
|
|
||||||
- buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
|
|
||||||
+ buf_printf(&out, ",keysize %d", keysize);
|
|
||||||
if (o->shared_secret_file)
|
|
||||||
{
|
|
||||||
buf_printf(&out, ",secret");
|
|
||||||
@@ -6168,9 +6204,9 @@ add_option(struct options *options,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#ifdef TARGET_LINUX
|
|
||||||
- else if (streq (p[0], "bind-dev") && p[1])
|
|
||||||
+ else if (streq(p[0], "bind-dev") && p[1])
|
|
||||||
{
|
|
||||||
- VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
|
|
||||||
+ VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
|
|
||||||
options->bind_dev = p[1];
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -6248,7 +6284,7 @@ add_option(struct options *options,
|
|
||||||
{
|
|
||||||
int64_t val = atoll(p[2]);
|
|
||||||
options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
|
|
||||||
- if ( options->inactivity_minimum_bytes > INT_MAX )
|
|
||||||
+ if (options->inactivity_minimum_bytes > INT_MAX)
|
|
||||||
{
|
|
||||||
msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
|
|
||||||
" >2 Gbyte was silently ignored in older versions. If "
|
|
||||||
@@ -8132,7 +8168,7 @@ add_option(struct options *options,
|
|
||||||
#endif
|
|
||||||
else if (streq(p[0], "providers") && p[1])
|
|
||||||
{
|
|
||||||
- for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++)
|
|
||||||
+ for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
|
|
||||||
{
|
|
||||||
options->providers.names[j] = p[j];
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -1,38 +0,0 @@
|
|||||||
From: David Sommerseth <dazo@eurephia.org>
|
|
||||||
Subject: [PATCH] Change the default cipher to AES-256-GCM for server
|
|
||||||
configurations
|
|
||||||
|
|
||||||
This change makes the server use AES-256-GCM instead of BF-CBC as the default
|
|
||||||
cipher for the VPN tunnel. To avoid breaking existing running configurations
|
|
||||||
defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
|
|
||||||
the BF-CBC in addition to AES-CBC. This makes it possible to migrate
|
|
||||||
existing older client configurations one-by-one to use at least AES-CBC unless
|
|
||||||
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
|
|
||||||
|
|
||||||
[Update 2022-06-10]
|
|
||||||
The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish
|
|
||||||
cipher is no longer available by default in OpenSSL 3.0. It can be enabled
|
|
||||||
via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
|
|
||||||
not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger
|
|
||||||
cipher by default and older OpenVPN releases are no longer supported upstream.
|
|
||||||
|
|
||||||
---
|
|
||||||
distro/systemd/openvpn-server@.service.in | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in
|
|
||||||
index 9a8a2c7..0ecda08 100644
|
|
||||||
--- a/distro/systemd/openvpn-server@.service.in
|
|
||||||
+++ b/distro/systemd/openvpn-server@.service.in
|
|
||||||
@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
|
|
||||||
Type=notify
|
|
||||||
PrivateTmp=true
|
|
||||||
WorkingDirectory=/etc/openvpn/server
|
|
||||||
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
|
|
||||||
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf
|
|
||||||
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
|
|
||||||
LimitNPROC=10
|
|
||||||
DeviceAllow=/dev/null rw
|
|
||||||
--
|
|
||||||
2.11.0
|
|
||||||
|
|
@ -0,0 +1,13 @@
|
|||||||
|
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
|
||||||
|
index cd6d842..7c04700 100644
|
||||||
|
--- a/src/openvpn/ssl_openssl.c
|
||||||
|
+++ b/src/openvpn/ssl_openssl.c
|
||||||
|
@@ -441,7 +441,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
|
||||||
|
/* Use sane default TLS cipher list */
|
||||||
|
if (!SSL_CTX_set_cipher_list(ctx->ctx,
|
||||||
|
/* Use openssl's default list as a basis */
|
||||||
|
- "DEFAULT"
|
||||||
|
+ "PROFILE=SYSTEM"
|
||||||
|
/* Disable export ciphers and openssl's 'low' and 'medium' ciphers */
|
||||||
|
":!EXP:!LOW:!MEDIUM"
|
||||||
|
/* Disable static (EC)DH keys (no forward secrecy) */
|
@ -0,0 +1,38 @@
|
|||||||
|
#########################################
|
||||||
|
# Sample client-side OpenVPN config file
|
||||||
|
# for connecting to multi-client server.
|
||||||
|
#
|
||||||
|
# Adapted from http://openvpn.sourceforge.net/20notes.html
|
||||||
|
#
|
||||||
|
# The server can be pinged at 10.8.0.1.
|
||||||
|
#
|
||||||
|
# This configuration can be used by multiple
|
||||||
|
# clients, however each client should have
|
||||||
|
# its own cert and key files.
|
||||||
|
#
|
||||||
|
# tun-style tunnel
|
||||||
|
|
||||||
|
port 1194
|
||||||
|
dev tun
|
||||||
|
remote [my server hostname or IP address]
|
||||||
|
|
||||||
|
# TLS parms
|
||||||
|
|
||||||
|
tls-client
|
||||||
|
ca sample-keys/tmp-ca.crt
|
||||||
|
cert sample-keys/client.crt
|
||||||
|
key sample-keys/client.key
|
||||||
|
|
||||||
|
# This parm is required for connecting
|
||||||
|
# to a multi-client server. It tells
|
||||||
|
# the client to accept options which
|
||||||
|
# the server pushes to us.
|
||||||
|
pull
|
||||||
|
|
||||||
|
# Scripts can be used to do various
|
||||||
|
# things (change nameservers, for
|
||||||
|
# example.
|
||||||
|
#up scripts/ifup-post
|
||||||
|
#down scripts/ifdown-post
|
||||||
|
|
||||||
|
verb 4
|
@ -0,0 +1,67 @@
|
|||||||
|
########################################
|
||||||
|
# Sample OpenVPN config file for
|
||||||
|
# 2.0-style multi-client udp server
|
||||||
|
#
|
||||||
|
# Adapted from http://openvpn.sourceforge.net/20notes.html
|
||||||
|
#
|
||||||
|
# tun-style tunnel
|
||||||
|
|
||||||
|
port 1194
|
||||||
|
dev tun
|
||||||
|
|
||||||
|
# Use "local" to set the source address on multi-homed hosts
|
||||||
|
#local [IP address]
|
||||||
|
|
||||||
|
# TLS parms
|
||||||
|
tls-server
|
||||||
|
ca sample-keys/tmp-ca.crt
|
||||||
|
cert sample-keys/server.crt
|
||||||
|
key sample-keys/server.key
|
||||||
|
dh sample-keys/dh1024.pem
|
||||||
|
|
||||||
|
# Tell OpenVPN to be a multi-client udp server
|
||||||
|
mode server
|
||||||
|
|
||||||
|
# The server's virtual endpoints
|
||||||
|
ifconfig 10.8.0.1 10.8.0.2
|
||||||
|
|
||||||
|
# Pool of /30 subnets to be allocated to clients.
|
||||||
|
# When a client connects, an --ifconfig command
|
||||||
|
# will be automatically generated and pushed back to
|
||||||
|
# the client.
|
||||||
|
ifconfig-pool 10.8.0.4 10.8.0.255
|
||||||
|
|
||||||
|
# Push route to client to bind it to our local
|
||||||
|
# virtual endpoint.
|
||||||
|
push "route 10.8.0.1 255.255.255.255"
|
||||||
|
|
||||||
|
# Push any routes the client needs to get in
|
||||||
|
# to the local network.
|
||||||
|
push "route 192.168.0.0 255.255.255.0"
|
||||||
|
|
||||||
|
# Push DHCP options to Windows clients.
|
||||||
|
push "dhcp-option DOMAIN example.com"
|
||||||
|
push "dhcp-option DNS 192.168.0.1"
|
||||||
|
push "dhcp-option WINS 192.168.0.1"
|
||||||
|
|
||||||
|
# Client should attempt reconnection on link
|
||||||
|
# failure.
|
||||||
|
keepalive 10 60
|
||||||
|
|
||||||
|
# Delete client instances after some period
|
||||||
|
# of inactivity.
|
||||||
|
inactive 600
|
||||||
|
|
||||||
|
# Route the --ifconfig pool range into the
|
||||||
|
# OpenVPN server.
|
||||||
|
route 10.8.0.0 255.255.255.0
|
||||||
|
|
||||||
|
# The server doesn't need privileges
|
||||||
|
user openvpn
|
||||||
|
group openvpn
|
||||||
|
|
||||||
|
# Keep TUN devices and keys open across restarts.
|
||||||
|
persist-tun
|
||||||
|
persist-key
|
||||||
|
|
||||||
|
verb 4
|
@ -0,0 +1,263 @@
|
|||||||
|
%define _hardened_build 1
|
||||||
|
%global snap_tstamp 20241212
|
||||||
|
%global commit baa9192851006e2dbb90b410011e61ecf2e01870
|
||||||
|
%global shortcommit %(c=%{commit}; echo ${c:0:7})
|
||||||
|
|
||||||
|
# LTO needs to be disabled to avoid issues when linking the unit-test,
|
||||||
|
# which utilizes --wrap in the link process
|
||||||
|
%global _lto_cflags %{nil}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Build conditionals
|
||||||
|
#
|
||||||
|
|
||||||
|
# Build with OpenVPN Data Channel Offload (kernel) support?
|
||||||
|
%bcond_without dco
|
||||||
|
|
||||||
|
# Build with PKCS#11/SmartCard support?
|
||||||
|
%bcond_without pkcs11
|
||||||
|
|
||||||
|
# tests_long - Enabled by default, enables long running tests in %%check
|
||||||
|
%bcond_without tests_long
|
||||||
|
|
||||||
|
|
||||||
|
Name: openvpn
|
||||||
|
Version: 2.7
|
||||||
|
Release: 0.%{snap_tstamp}git%{shortcommit}%{?dist}
|
||||||
|
Summary: A full-featured TLS VPN solution
|
||||||
|
URL: https://community.openvpn.net/
|
||||||
|
Source0: https://github.com/OpenVPN/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
|
||||||
|
Source2: roadwarrior-server.conf
|
||||||
|
Source3: roadwarrior-client.conf
|
||||||
|
Patch1: fedora-crypto-policy-compliance.patch
|
||||||
|
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
|
||||||
|
License: GPL-2.0-only
|
||||||
|
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: automake
|
||||||
|
BuildRequires: autoconf
|
||||||
|
BuildRequires: autoconf-archive
|
||||||
|
BuildRequires: libcap-ng-devel
|
||||||
|
BuildRequires: libtool
|
||||||
|
BuildRequires: gettext
|
||||||
|
BuildRequires: lzo-devel
|
||||||
|
BuildRequires: lz4-devel
|
||||||
|
BuildRequires: make
|
||||||
|
BuildRequires: openssl-devel >= 1.1.0
|
||||||
|
%if %{with dco}
|
||||||
|
BuildRequires: libnl3-devel
|
||||||
|
%endif
|
||||||
|
%if %{with pkcs11}
|
||||||
|
BuildRequires: pkcs11-helper-devel >= 1.11
|
||||||
|
%endif
|
||||||
|
BuildRequires: pam-devel
|
||||||
|
BuildRequires: libselinux-devel
|
||||||
|
BuildRequires: libcmocka-devel
|
||||||
|
BuildRequires: systemd
|
||||||
|
BuildRequires: systemd-devel
|
||||||
|
|
||||||
|
%{?systemd_requires}
|
||||||
|
Requires(pre): /usr/sbin/useradd
|
||||||
|
|
||||||
|
%if %{with dco}
|
||||||
|
Recommends: kmod-ovpn-dco >= 0.2
|
||||||
|
%endif
|
||||||
|
|
||||||
|
BuildRequires: python3-docutils
|
||||||
|
|
||||||
|
# For the perl_default_filter macro
|
||||||
|
BuildRequires: perl-macros
|
||||||
|
|
||||||
|
# Filter out the perl(Authen::PAM) dependency.
|
||||||
|
# No perl dependency is really needed at all.
|
||||||
|
%{?perl_default_filter}
|
||||||
|
|
||||||
|
|
||||||
|
%description
|
||||||
|
OpenVPN is a robust and highly flexible tunneling application that uses all
|
||||||
|
of the encryption, authentication, and certification features of the
|
||||||
|
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
|
||||||
|
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
|
||||||
|
for compression.
|
||||||
|
|
||||||
|
NOTE: Until the OpenVPN 2.7 release is completed, EPEL-10 builds will
|
||||||
|
ship with git master development snapshots. These snapshots will
|
||||||
|
contain what will be part of the next v2.7 release.
|
||||||
|
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Development headers and examples for OpenVPN plug-ins
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
OpenVPN can be extended through the --plugin option, which provides
|
||||||
|
possibilities to add specialized authentication, user accounting,
|
||||||
|
packet filtering and related features. These plug-ins need to be
|
||||||
|
written in C and provides a more low-level and information rich access
|
||||||
|
to similar features as the various script-hooks.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%setup -q -n openvpn-%{commit}
|
||||||
|
%autopatch -p1
|
||||||
|
|
||||||
|
# Need to generate this on-the-fly to make autoreconf happy
|
||||||
|
# This build is from a git snapshot, not a release source tarball
|
||||||
|
echo "define([PRODUCT_NAME], [OpenVPN])" > version.m4
|
||||||
|
echo "define([PRODUCT_VERSION], [%{version}-%{release}])" >> version.m4
|
||||||
|
echo "define([PRODUCT_GUIVERSION], [copr:%{version}-%{release}])" >> version.m4
|
||||||
|
echo "define([PRODUCT_TARNAME], [openvpn])" >> version.m4
|
||||||
|
echo "define([PRODUCT_BUGREPORT], [openvpn-devel@lists.sourceforge.net])" >> version.m4
|
||||||
|
echo "define([PRODUCT_VERSION_MAJOR], [2])" >> version.m4
|
||||||
|
echo "define([PRODUCT_VERSION_MINOR], [7])" >> version.m4
|
||||||
|
echo "define([PRODUCT_VERSION_PATCH], [_git%{shortcommit}])" >> version.m4
|
||||||
|
|
||||||
|
autoreconf -vi
|
||||||
|
|
||||||
|
# %%doc items shouldn't be executable.
|
||||||
|
find contrib sample -type f -perm /100 \
|
||||||
|
-exec chmod a-x {} \;
|
||||||
|
|
||||||
|
%build
|
||||||
|
%configure \
|
||||||
|
--enable-silent-rules \
|
||||||
|
--with-crypto-library=openssl \
|
||||||
|
%{?with_pkcs11:--enable-pkcs11} \
|
||||||
|
--enable-selinux \
|
||||||
|
--enable-systemd \
|
||||||
|
--enable-x509-alt-username \
|
||||||
|
--enable-async-push \
|
||||||
|
%{?!with_dco:--disable-dco} \
|
||||||
|
--docdir=%{_pkgdocdir} \
|
||||||
|
SYSTEMD_UNIT_DIR=%{_unitdir} \
|
||||||
|
TMPFILES_DIR=%{_tmpfilesdir}
|
||||||
|
|
||||||
|
%{__make} %{?_smp_mflags}
|
||||||
|
|
||||||
|
|
||||||
|
%check
|
||||||
|
# Test Crypto:
|
||||||
|
./src/openvpn/openvpn --genkey secret key
|
||||||
|
./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key --allow-deprecated-insecure-static-crypto
|
||||||
|
./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key --allow-deprecated-insecure-static-crypto
|
||||||
|
./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key --allow-deprecated-insecure-static-crypto
|
||||||
|
./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key --allow-deprecated-insecure-static-crypto
|
||||||
|
|
||||||
|
# Some of the unit tests does not run on RHEL-7
|
||||||
|
pushd tests/unit_tests
|
||||||
|
%{__make} %{?_smp_mflags} check
|
||||||
|
popd
|
||||||
|
|
||||||
|
%if %{with tests_long}
|
||||||
|
# Randomize ports for tests to avoid conflicts on the build servers.
|
||||||
|
cport=$[ 50000 + ($RANDOM % 15534) ]
|
||||||
|
sport=$[ $cport + 1 ]
|
||||||
|
sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
|
||||||
|
-e 's/^\(lport\) .*$/\1 '$cport'/' \
|
||||||
|
< sample/sample-config-files/loopback-client \
|
||||||
|
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
|
||||||
|
sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
|
||||||
|
-e 's/^\(lport\) .*$/\1 '$sport'/' \
|
||||||
|
< sample/sample-config-files/loopback-server \
|
||||||
|
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
||||||
|
|
||||||
|
pushd sample
|
||||||
|
# Test SSL/TLS negotiations (runs for 2 minutes):
|
||||||
|
../src/openvpn/openvpn --config \
|
||||||
|
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
|
||||||
|
../src/openvpn/openvpn --config \
|
||||||
|
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
||||||
|
wait
|
||||||
|
popd
|
||||||
|
|
||||||
|
rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
|
||||||
|
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%install
|
||||||
|
%{__make} install DESTDIR=%{buildroot}
|
||||||
|
find %{buildroot} -name '*.la' | xargs rm -f
|
||||||
|
mkdir -p -m 0750 %{buildroot}/%{_sysconfdir}/%{name}/client %{buildroot}/%{_sysconfdir}/%{name}/server
|
||||||
|
cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
|
||||||
|
|
||||||
|
# Create some directories the OpenVPN package should own
|
||||||
|
mkdir -m 0750 -p %{buildroot}%{_rundir}/%{name}-{client,server}
|
||||||
|
mkdir -m 0770 -p %{buildroot}%{_sharedstatedir}/%{name}
|
||||||
|
|
||||||
|
# Package installs into %%{_pkgdocdir} directly
|
||||||
|
# Add various additional files
|
||||||
|
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd %{buildroot}%{_pkgdocdir}
|
||||||
|
|
||||||
|
# Fix incorrect she-bang on a python script
|
||||||
|
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_interpreter_invocation
|
||||||
|
sed -e "s|^#!/usr/bin/env.*python3$|#!%{python3} -%{py3_shebang_flags}|" \
|
||||||
|
-i %{buildroot}%{_pkgdocdir}/contrib/extract-crl/extractcrl.py
|
||||||
|
|
||||||
|
# Remove some files which does not really belong here
|
||||||
|
rm -f %{buildroot}%{_pkgdocdir}/sample/Makefile{,.in,.am}
|
||||||
|
rm -f %{buildroot}%{_pkgdocdir}/sample/sample-plugins/Makefile{,.in,.am}
|
||||||
|
rm -rf %{buildroot}%{_pkgdocdir}/sample/sample-keys
|
||||||
|
rm -f %{buildroot}%{_pkgdocdir}/contrib/multilevel-init.patch
|
||||||
|
rm -rf %{buildroot}%{_pkgdocdir}/contrib/vcpkg-*
|
||||||
|
rm -rf %{buildroot}%{_pkgdocdir}/contrib/cmake*
|
||||||
|
|
||||||
|
|
||||||
|
%pre
|
||||||
|
getent group openvpn &>/dev/null || groupadd -r openvpn
|
||||||
|
getent passwd openvpn &>/dev/null || \
|
||||||
|
/usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
|
||||||
|
-d /etc/openvpn openvpn
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
%post
|
||||||
|
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
|
||||||
|
do
|
||||||
|
%systemd_post $srv
|
||||||
|
done
|
||||||
|
|
||||||
|
%preun
|
||||||
|
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
|
||||||
|
do
|
||||||
|
%systemd_preun $srv
|
||||||
|
done
|
||||||
|
|
||||||
|
%postun
|
||||||
|
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
|
||||||
|
do
|
||||||
|
%systemd_postun_with_restart $srv
|
||||||
|
done
|
||||||
|
|
||||||
|
%files
|
||||||
|
%license COPYING COPYRIGHT.GPL
|
||||||
|
%{_pkgdocdir}/
|
||||||
|
%exclude %{_pkgdocdir}/{COPYING,COPYRIGHT.GPL}
|
||||||
|
%exclude %{_pkgdocdir}/README.mbedtls
|
||||||
|
%exclude %{_pkgdocdir}/sample/sample-plugins
|
||||||
|
%{_mandir}/man8/%{name}.8*
|
||||||
|
%{_mandir}/man5/%{name}-*.5*
|
||||||
|
%{_sbindir}/%{name}
|
||||||
|
%{_libdir}/%{name}/
|
||||||
|
%{_unitdir}/%{name}-client@.service
|
||||||
|
%{_unitdir}/%{name}-server@.service
|
||||||
|
%{_tmpfilesdir}/%{name}.conf
|
||||||
|
%config %dir %{_sysconfdir}/%{name}/
|
||||||
|
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
|
||||||
|
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
|
||||||
|
%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
|
||||||
|
%dir %attr(0750,-,openvpn) %{_rundir}/openvpn-client
|
||||||
|
%dir %attr(0750,-,openvpn) %{_rundir}/openvpn-server
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%{_pkgdocdir}/sample/sample-plugins
|
||||||
|
%exclude %{_pkgdocdir}/sample/sample-{config-files,scripts,windows}
|
||||||
|
%{_includedir}/openvpn-plugin.h
|
||||||
|
%{_includedir}/openvpn-msg.h
|
||||||
|
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Tue Dec 24 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 2.7-0.20241212gitbaa9192
|
||||||
|
- Rebuilt for MSVSphere 10
|
||||||
|
|
||||||
|
* Wed Dec 18 2024 David Sommerseth <davids@openvpn.net> - 2.7-20241212gitbaa9192
|
||||||
|
- First packaging attempt for EPEL-10 - OpenVPN 2.7 git master snapshot build
|
||||||
|
- Update to git master baa9192851006e2dbb90b410011e61ecf2e01870
|
||||||
|
|
@ -1,389 +0,0 @@
|
|||||||
%define _hardened_build 1
|
|
||||||
|
|
||||||
# Build conditionals
|
|
||||||
# tests_long - Enabled by default, enables long running tests in %%check
|
|
||||||
%bcond_without tests_long
|
|
||||||
|
|
||||||
Name: openvpn
|
|
||||||
Version: 2.5.11
|
|
||||||
Release: 1%{?dist}
|
|
||||||
Summary: A full-featured TLS VPN solution
|
|
||||||
URL: https://community.openvpn.net/
|
|
||||||
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
|
|
||||||
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
|
|
||||||
Source2: roadwarrior-server.conf
|
|
||||||
Source3: roadwarrior-client.conf
|
|
||||||
# Upstream signing key
|
|
||||||
Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
|
|
||||||
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
|
|
||||||
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
|
|
||||||
License: GPLv2
|
|
||||||
BuildRequires: gnupg2
|
|
||||||
BuildRequires: gcc
|
|
||||||
BuildRequires: automake
|
|
||||||
BuildRequires: autoconf
|
|
||||||
BuildRequires: autoconf-archive
|
|
||||||
BuildRequires: libtool
|
|
||||||
BuildRequires: gettext
|
|
||||||
BuildRequires: lzo-devel
|
|
||||||
BuildRequires: lz4-devel
|
|
||||||
BuildRequires: make
|
|
||||||
BuildRequires: openssl-devel
|
|
||||||
BuildRequires: pkcs11-helper-devel >= 1.11
|
|
||||||
BuildRequires: pam-devel
|
|
||||||
BuildRequires: libselinux-devel
|
|
||||||
BuildRequires: libcmocka-devel
|
|
||||||
BuildRequires: systemd
|
|
||||||
BuildRequires: systemd-devel
|
|
||||||
|
|
||||||
%{?systemd_requires}
|
|
||||||
Requires(pre): /usr/sbin/useradd
|
|
||||||
|
|
||||||
%if 0%{?rhel} > 7 || 0%{?fedora} > 29
|
|
||||||
BuildRequires: python3-docutils
|
|
||||||
%else
|
|
||||||
# We cannot use python36-docutils on RHEL-7 as
|
|
||||||
# the ./configure script does not currently find
|
|
||||||
# the rst2man-3 executable, it only looks for rst2man
|
|
||||||
BuildRequires: python-docutils
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# For the perl_default_filter macro
|
|
||||||
BuildRequires: perl-macros
|
|
||||||
|
|
||||||
# Filter out the perl(Authen::PAM) dependency.
|
|
||||||
# No perl dependency is really needed at all.
|
|
||||||
%{?perl_default_filter}
|
|
||||||
|
|
||||||
%description
|
|
||||||
OpenVPN is a robust and highly flexible tunneling application that uses all
|
|
||||||
of the encryption, authentication, and certification features of the
|
|
||||||
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
|
|
||||||
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
|
|
||||||
for compression.
|
|
||||||
|
|
||||||
%package devel
|
|
||||||
Summary: Development headers and examples for OpenVPN plug-ins
|
|
||||||
|
|
||||||
%description devel
|
|
||||||
OpenVPN can be extended through the --plugin option, which provides
|
|
||||||
possibilities to add specialized authentication, user accounting,
|
|
||||||
packet filtering and related features. These plug-ins need to be
|
|
||||||
written in C and provides a more low-level and information rich access
|
|
||||||
to similar features as the various script-hooks.
|
|
||||||
|
|
||||||
|
|
||||||
%prep
|
|
||||||
gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
|
|
||||||
%setup -q -n %{name}-%{version}
|
|
||||||
%patch1 -p1 -b .ch_default_cipher
|
|
||||||
%patch50 -p1
|
|
||||||
|
|
||||||
# %%doc items shouldn't be executable.
|
|
||||||
find contrib sample -type f -perm /100 \
|
|
||||||
-exec chmod a-x {} \;
|
|
||||||
|
|
||||||
%build
|
|
||||||
%configure \
|
|
||||||
--enable-silent-rules \
|
|
||||||
--with-crypto-library=openssl \
|
|
||||||
--enable-pkcs11 \
|
|
||||||
--enable-selinux \
|
|
||||||
--enable-systemd \
|
|
||||||
--enable-x509-alt-username \
|
|
||||||
--enable-async-push \
|
|
||||||
--docdir=%{_pkgdocdir} \
|
|
||||||
SYSTEMD_UNIT_DIR=%{_unitdir} \
|
|
||||||
TMPFILES_DIR=%{_tmpfilesdir}
|
|
||||||
%{__make}
|
|
||||||
|
|
||||||
%check
|
|
||||||
# Test Crypto:
|
|
||||||
./src/openvpn/openvpn --genkey --secret key
|
|
||||||
./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
|
|
||||||
./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
|
|
||||||
./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
|
|
||||||
./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key
|
|
||||||
|
|
||||||
%if %{with tests_long}
|
|
||||||
# Randomize ports for tests to avoid conflicts on the build servers.
|
|
||||||
cport=$[ 50000 + ($RANDOM % 15534) ]
|
|
||||||
sport=$[ $cport + 1 ]
|
|
||||||
sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
|
|
||||||
-e 's/^\(lport\) .*$/\1 '$cport'/' \
|
|
||||||
< sample/sample-config-files/loopback-client \
|
|
||||||
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
|
|
||||||
sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
|
|
||||||
-e 's/^\(lport\) .*$/\1 '$sport'/' \
|
|
||||||
< sample/sample-config-files/loopback-server \
|
|
||||||
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
|
||||||
|
|
||||||
pushd sample
|
|
||||||
# Test SSL/TLS negotiations (runs for 2 minutes):
|
|
||||||
../src/openvpn/openvpn --config \
|
|
||||||
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
|
|
||||||
../src/openvpn/openvpn --config \
|
|
||||||
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
|
||||||
wait
|
|
||||||
popd
|
|
||||||
|
|
||||||
rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
|
|
||||||
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%install
|
|
||||||
%{__make} install DESTDIR=$RPM_BUILD_ROOT
|
|
||||||
find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
|
|
||||||
mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
|
|
||||||
cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
|
|
||||||
|
|
||||||
# Create some directories the OpenVPN package should own
|
|
||||||
mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
|
|
||||||
mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
|
|
||||||
|
|
||||||
# Package installs into %%{_pkgdocdir} directly
|
|
||||||
# Add various additional files
|
|
||||||
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
|
|
||||||
|
|
||||||
# Remove some files which does not really belong here
|
|
||||||
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
|
|
||||||
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
|
|
||||||
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
|
|
||||||
|
|
||||||
%pre
|
|
||||||
getent group openvpn &>/dev/null || groupadd -r openvpn
|
|
||||||
getent passwd openvpn &>/dev/null || \
|
|
||||||
/usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
|
|
||||||
-d /etc/openvpn openvpn
|
|
||||||
exit 0
|
|
||||||
|
|
||||||
%post
|
|
||||||
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
|
|
||||||
do
|
|
||||||
%systemd_post $srv
|
|
||||||
done
|
|
||||||
|
|
||||||
%preun
|
|
||||||
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
|
|
||||||
do
|
|
||||||
%systemd_preun $srv
|
|
||||||
done
|
|
||||||
|
|
||||||
%postun
|
|
||||||
for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`;
|
|
||||||
do
|
|
||||||
%systemd_postun_with_restart $srv
|
|
||||||
done
|
|
||||||
|
|
||||||
|
|
||||||
%files
|
|
||||||
%{_pkgdocdir}
|
|
||||||
%exclude %{_pkgdocdir}/README.IPv6
|
|
||||||
%exclude %{_pkgdocdir}/README.mbedtls
|
|
||||||
%exclude %{_pkgdocdir}/sample/sample-plugins
|
|
||||||
%{_mandir}/man8/%{name}.8*
|
|
||||||
%{_mandir}/man5/%{name}-*.5*
|
|
||||||
%{_sbindir}/%{name}
|
|
||||||
%{_libdir}/%{name}/
|
|
||||||
%{_unitdir}/%{name}-client@.service
|
|
||||||
%{_unitdir}/%{name}-server@.service
|
|
||||||
%{_tmpfilesdir}/%{name}.conf
|
|
||||||
%config %dir %{_sysconfdir}/%{name}/
|
|
||||||
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
|
|
||||||
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
|
|
||||||
%attr(0750,-,openvpn) %{_rundir}/%{name}-client
|
|
||||||
%attr(0750,-,openvpn) %{_rundir}/%{name}-server
|
|
||||||
%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
|
|
||||||
|
|
||||||
%files devel
|
|
||||||
%{_pkgdocdir}/sample/sample-plugins
|
|
||||||
%{_includedir}/openvpn-plugin.h
|
|
||||||
%{_includedir}/openvpn-msg.h
|
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
|
||||||
* Thu Jul 18 2024 Frank Lichtenheld <frank@lichtenheld.com> - 2.5.11-1
|
|
||||||
- Update to upstream OpenVPN 2.5.11
|
|
||||||
- Fixes CVE-2024-5594
|
|
||||||
|
|
||||||
* Thu Nov 9 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-2
|
|
||||||
- Fix false exit status on pre runtime scriptlet (Elkhan Mammadli <elkhan@almalinux.org>, RHBZ#2239722)
|
|
||||||
|
|
||||||
* Thu Feb 16 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-1
|
|
||||||
- Update to upstream OpenVPN 2.5.9
|
|
||||||
|
|
||||||
* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
|
|
||||||
- Update to upstream OpenVPN 2.5.8
|
|
||||||
|
|
||||||
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
|
|
||||||
- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
|
|
||||||
https://patchwork.openvpn.net/patch/2504/
|
|
||||||
- Removed BF-CBC from the --data-ciphers list. This is no longer available by default
|
|
||||||
in OpenSSL 3.0
|
|
||||||
|
|
||||||
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
|
|
||||||
- Update to upstream OpenVPN 2.5.7
|
|
||||||
|
|
||||||
* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
|
|
||||||
- Update to upstream OpenVPN 2.5.6
|
|
||||||
- Fixes CVE-2022-0547
|
|
||||||
|
|
||||||
* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
|
|
||||||
- Fix systemd related scriptlet error (#1887984)
|
|
||||||
|
|
||||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
|
|
||||||
- Rebuild of 2.5.5
|
|
||||||
|
|
||||||
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
|
|
||||||
- Update to upstream OpenVPN 2.5.5 (#2032844)
|
|
||||||
|
|
||||||
* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
|
|
||||||
- Update to upstream OpenVPN 2.5.4
|
|
||||||
- Added new man page: openvpn-examples(5)
|
|
||||||
|
|
||||||
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
|
|
||||||
- Rebuilt with OpenSSL 3.0.0
|
|
||||||
|
|
||||||
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
|
|
||||||
- Update to upstream OpenVPN 2.5.3
|
|
||||||
- Fixes CVE-2021-3606
|
|
||||||
|
|
||||||
* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
|
|
||||||
- Update to upstream OpenVPN 2.5.2
|
|
||||||
- Fixes CVE-2020-15078
|
|
||||||
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
|
|
||||||
|
|
||||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2
|
|
||||||
- Rebuilt for updated systemd-rpm-macros
|
|
||||||
See https://pagure.io/fesco/issue/2583.
|
|
||||||
|
|
||||||
* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
|
|
||||||
- Update to upstream OpenVPN 2.5.1
|
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
|
|
||||||
- Update to upstream OpenVPN 2.5.0
|
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
|
|
||||||
- Update to upstream OpenVPN 2.4.9
|
|
||||||
|
|
||||||
* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
|
|
||||||
- Rebuilt to be linked against latest lzo (RHBZ#1802299)
|
|
||||||
|
|
||||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
|
|
||||||
- Updating to upstream OpenVPN 2.4.8
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
|
|
||||||
- Updating to upstream OpenVPN 2.4.7
|
|
||||||
|
|
||||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Sat Oct 6 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-3
|
|
||||||
- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends
|
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Apr 26 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-1
|
|
||||||
- Updating to upstream, openvpn-2.4.6
|
|
||||||
|
|
||||||
* Thu Mar 1 2018 David Sommerseth <dazo@eurephia.org> - 2.4.5-1
|
|
||||||
- Updating to upstream, openvpn-2.4.5
|
|
||||||
- Package upstream ChangeLog, which contains a bit more details than Changes.rst
|
|
||||||
- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
|
|
||||||
added gcc to BuildRequires.
|
|
||||||
- Excluded not relevant file, README.mbedtls
|
|
||||||
- Package upstream version of README.systemd
|
|
||||||
- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
|
|
||||||
- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
|
|
||||||
- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
|
|
||||||
|
|
||||||
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.4-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jan 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.4-2
|
|
||||||
- Fix systemd executions/requirements
|
|
||||||
|
|
||||||
* Tue Sep 26 2017 David Sommerseth <dazo@eurephia.org> - 2.4.4-1
|
|
||||||
- Update to upstream openvpn-2.4.4
|
|
||||||
- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166}
|
|
||||||
|
|
||||||
* Fri Aug 4 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-4
|
|
||||||
- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270)
|
|
||||||
|
|
||||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
|
|
||||||
- Updating to upstream openvpn-2.4.3
|
|
||||||
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
|
|
||||||
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
|
|
||||||
- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
|
|
||||||
- Fix remote-triggerable memory leaks {CVE-2017-7521}
|
|
||||||
- Ensure OpenVPN systemd services are restarted upon upgrades
|
|
||||||
- Verify PGP signature of source tarball as part of package building
|
|
||||||
- Build against system lz4 library
|
|
||||||
|
|
||||||
* Fri May 12 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-2
|
|
||||||
- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
|
|
||||||
- Install and take ownership of /var/lib/openvpn (rhbz#922786)
|
|
||||||
|
|
||||||
* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-1
|
|
||||||
- Updating to upstream openvpn-2.4.2
|
|
||||||
- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468)
|
|
||||||
- Re-enabling --enable-x509-alt-username (rhbz#1443942)
|
|
||||||
- Add --enable-selinux
|
|
||||||
- Build with lz4 library from Fedora
|
|
||||||
|
|
||||||
* Wed Mar 29 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-3
|
|
||||||
- Splitting out -devel files into a separate package
|
|
||||||
- Removed several contrib and sample files which makes is not
|
|
||||||
strictly needed in this package.
|
|
||||||
- build: Enable tests runs by default, long running tests can
|
|
||||||
be disabled with "--without tests_long"
|
|
||||||
- build: Removed defined %%{plugins} macro not in use
|
|
||||||
|
|
||||||
* Fri Mar 24 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
|
|
||||||
- Various cleanups
|
|
||||||
- Use systemd-rpm macros (rhbz #850257)
|
|
||||||
- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service
|
|
||||||
- Added README.systemd describing new systemd unit files
|
|
||||||
|
|
||||||
* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
|
|
||||||
- Updating to upstream release, v2.4.1
|
|
||||||
- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
|
|
||||||
and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
|
|
||||||
- Removed no-functional ./configure options
|
|
||||||
- Use upstream tmfiles.d/openvpn
|
|
||||||
- Package newer openvpn-client/server@.service unit files
|
|
||||||
|
|
||||||
* Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-2
|
|
||||||
- Move to mbedtls to resolve FTBFS.
|
|
||||||
- Dropped, re-add once openvpn supports openssl 1.1.x
|
|
||||||
- --enable-pkcs11 \
|
|
||||||
- --enable-x509-alt-username \
|
|
||||||
|
|
||||||
* Tue Dec 27 2016 Jon Ciesla <limburgher@gmail.com> 2.4.0-1
|
|
||||||
- 2.4.0.
|
|
||||||
|
|
@ -1,2 +0,0 @@
|
|||||||
SHA512 (openvpn-2.5.11.tar.gz) = 5ef80681e71aa84629d48b067b540c0e8169ee3ff4b1129fc0030a55f0f7e2bb9a9cd568aa627828d8adb1366f5b0cfdd37242fb5cb6cec4a50fea9ffe8805bc
|
|
||||||
SHA512 (openvpn-2.5.11.tar.gz.asc) = f8796504341539db4a79ccf26706d2cc7e13b9fc511e0e38a0676b5eb94c0c43174b1cc29b07a51eb0e6c8dc7715a9728cc367166bdafae705381338cca3aead
|
|
Loading…
Reference in new issue