Compare commits

..

No commits in common. 'epel9' and 'i8ce' have entirely different histories.
epel9 ... i8ce

88
.gitignore vendored

@ -1,86 +1,2 @@
openvpn-2.1.1.tar.gz SOURCES/openvpn-2.4.12.tar.xz
openvpn-2.1.1.tar.gz.asc SOURCES/openvpn-2.4.12.tar.xz.asc
openvpn-2.1.2.tar.gz
openvpn-2.1.2.tar.gz.asc
/openvpn-2.1.3.tar.gz
/openvpn-2.1.3.tar.gz.asc
/openvpn-2.1.4.tar.gz
/openvpn-2.1.4.tar.gz.asc
/openvpn-2.2.0.tar.gz
/openvpn-2.2.0.tar.gz.asc
/openvpn-2.2.1.tar.gz
/openvpn-2.2.1.tar.gz.asc
/openvpn-2.2.2.tar.gz
/openvpn-2.2.2.tar.gz.asc
/openvpn-2.3.0.tar.gz
/openvpn-2.3.0.tar.gz.asc
/openvpn-2.3.1.tar.gz
/openvpn-2.3.1.tar.gz.asc
/openvpn-2.3.2.tar.gz
/openvpn-2.3.2.tar.gz.asc
/openvpn-2.3.3.tar.gz
/openvpn-2.3.3.tar.gz.asc
/openvpn-2.3.4.tar.gz
/openvpn-2.3.4.tar.gz.asc
/openvpn-2.3.5.tar.gz
/openvpn-2.3.5.tar.gz.asc
/openvpn-2.3.6.tar.gz
/openvpn-2.3.6.tar.gz.asc
/openvpn-2.3.7.tar.gz
/openvpn-2.3.7.tar.gz.asc
/openvpn-2.3.8.tar.gz
/openvpn-2.3.8.tar.gz.asc
/openvpn-2.3.9.tar.gz
/openvpn-2.3.9.tar.gz.asc
/openvpn-2.3.10.tar.gz
/openvpn-2.3.10.tar.gz.asc
/openvpn-2.3.11.tar.gz
/openvpn-2.3.11.tar.gz.asc
/openvpn-2.3.12.tar.gz
/openvpn-2.3.12.tar.gz.asc
/openvpn-2.3.13.tar.gz
/openvpn-2.3.13.tar.gz.asc
/openvpn-2.3.14.tar.gz
/openvpn-2.3.14.tar.gz.asc
/openvpn-2.4.0.tar.gz
/openvpn-2.4.0.tar.gz.asc
/openvpn-2.4.1.tar.xz
/openvpn-2.4.1.tar.xz.asc
/openvpn-2.4.2.tar.xz
/openvpn-2.4.2.tar.xz.asc
/openvpn-2.4.3.tar.xz.asc
/openvpn-2.4.3.tar.xz
/openvpn-2.4.4.tar.xz
/openvpn-2.4.4.tar.xz.asc
/openvpn-2.4.5.tar.xz
/openvpn-2.4.5.tar.xz.asc
/openvpn-2.4.6.tar.xz
/openvpn-2.4.6.tar.xz.asc
/openvpn-2.4.7.tar.xz
/openvpn-2.4.7.tar.xz.asc
/openvpn-2.4.8.tar.xz
/openvpn-2.4.8.tar.xz.asc
/openvpn-2.4.9.tar.xz
/openvpn-2.4.9.tar.xz.asc
/openvpn-2.5.0.tar.xz
/openvpn-2.5.0.tar.xz.asc
/openvpn-2.5.1.tar.xz
/openvpn-2.5.1.tar.xz.asc
/openvpn-2.5.2.tar.xz
/openvpn-2.5.2.tar.xz.asc
/openvpn-2.5.3.tar.xz
/openvpn-2.5.3.tar.xz.asc
/openvpn-2.5.4.tar.xz
/openvpn-2.5.4.tar.xz.asc
/openvpn-2.5.5.tar.xz
/openvpn-2.5.5.tar.xz.asc
/openvpn-2.5.6.tar.xz
/openvpn-2.5.6.tar.xz.asc
/openvpn-2.5.7.tar.xz
/openvpn-2.5.7.tar.xz.asc
/openvpn-2.5.8.tar.xz
/openvpn-2.5.8.tar.xz.asc
/openvpn-2.5.9.tar.gz
/openvpn-2.5.9.tar.gz.asc
/openvpn-2.5.11.tar.gz
/openvpn-2.5.11.tar.gz.asc

@ -0,0 +1,2 @@
6a2b67d4f56da70ebdfc32340ba554af1f211d67 SOURCES/openvpn-2.4.12.tar.xz
2852ec59f46c9f8c85209062f9c6c1c8372fed6f SOURCES/openvpn-2.4.12.tar.xz.asc

@ -1,225 +0,0 @@
From cf5864f5922e4f40357d9f75a35cd448e671dddf Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Fri, 3 Jun 2022 11:52:19 +0200
Subject: [PATCH] Allow running a default configuration with TLS libraries
without BF-CBC
Modern TLS libraries might drop Blowfish by default or distributions
might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC
options with BF-CBC compatible strings. To avoid requiring BF-CBC
for this, special this one usage of BF-CBC enough to avoid a hard
requirement on Blowfish in the default configuration.
This patch is cherry-picked from 79ff3f79 and the missing
ciphername = "none"; has been added in the OCC code.
Due to uncrustify complains, a few extra whitespace fixes had to be
done to options.c.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220603095219.637361-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/crypto_backend.h | 2 ++
src/openvpn/init.c | 37 ++++++++++++++++-----
src/openvpn/options.c | 62 ++++++++++++++++++++++++++++--------
3 files changed, 80 insertions(+), 21 deletions(-)
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index a9bb38ed..aebda3d6 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -256,6 +256,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername);
* The returned name is normalised to the OpenVPN config name in case the
* name differs from the name used by the crypto library.
*
+ * Returns [null-cipher] in case the cipher_kt is NULL.
+ *
* @param cipher_kt Static cipher parameters
*
* @return a statically allocated string describing the cipher.
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index da4d60af..b1b7b350 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2764,14 +2764,35 @@ do_init_crypto_tls_c1(struct context *c)
#endif /* if P2MP */
}
- /* Do not warn if we only have BF-CBC in options->ciphername
- * because it is still the default cipher */
- bool warn = !streq(options->ciphername, "BF-CBC")
- || options->enable_ncp_fallback;
- /* Get cipher & hash algorithms */
- init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
- options->keysize, true, warn);
-
+ /*
+ * BF-CBC is allowed to be used only when explicitly configured
+ * as NCP-fallback or when NCP has been disabled or explicitly
+ * allowed in the in ncp_ciphers list.
+ * In all other cases do not attempt to initialize BF-CBC as it
+ * may not even be supported by the underlying SSL library.
+ *
+ * Therefore, the key structure has to be initialized when:
+ * - any non-BF-CBC cipher was selected; or
+ * - BF-CBC is selected and NCP is disabled (explicit request to
+ * use the BF-CBC cipher); or
+ * - BF-CBC is selected, NCP is enabled and fallback is enabled
+ * (BF-CBC will be the fallback).
+ * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
+ * If the negotiated cipher and options->ciphername are the
+ * same we do not reinit the cipher
+ *
+ * Note that BF-CBC will still be part of the OCC string to retain
+ * backwards compatibility with older clients.
+ */
+ if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled
+ || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers))
+ || options->enable_ncp_fallback)
+ {
+ /* Do not warn if the if the cipher is used only in OCC */
+ bool warn = !options->ncp_enabled || options->enable_ncp_fallback;
+ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname,
+ options->keysize, true, warn);
+ }
/* Initialize PRNG with config-specified digest */
prng_init(options->prng_hash, options->prng_nonce_secret_len);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f6ef02ae..2206d9f4 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1135,7 +1135,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren
#ifndef ENABLE_SMALL
static void
-show_dhcp_option_list(const char *name, const char * const*array, int len)
+show_dhcp_option_list(const char *name, const char *const *array, int len)
{
int i;
for (i = 0; i < len; ++i)
@@ -2288,7 +2288,7 @@ options_postprocess_verify_ce(const struct options *options,
if (options->mode == MODE_SERVER)
{
#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
- "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
+ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
#ifdef TARGET_ANDROID
msg(M_FATAL, "--mode server not supported on Android");
#endif
@@ -3103,7 +3103,7 @@ options_postprocess_cipher(struct options *o)
if (!o->ncp_enabled)
{
msg(M_USAGE, "--ncp-disable needs an explicit --cipher or "
- "--data-ciphers-fallback config option");
+ "--data-ciphers-fallback config option");
}
msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to "
@@ -3681,9 +3681,30 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
{
struct frame fake_frame = *frame;
struct key_type fake_kt;
- init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
- false);
+
frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead());
+
+
+ /* o->ciphername might be BF-CBC even though the underlying SSL library
+ * does not support it. For this reason we workaround this corner case
+ * by pretending to have no encryption enabled and by manually adding
+ * the required packet overhead to the MTU computation.
+ */
+ const char *ciphername = o->ciphername;
+
+ if (strcmp(o->ciphername, "BF-CBC") == 0)
+ {
+ /* none has no overhead, so use this to later add only --auth
+ * overhead */
+
+ /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
+ frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
+ ciphername = "none";
+ }
+
+ init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true,
+ false);
+
crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
cipher_kt_mode_ofb_cfb(fake_kt.cipher));
frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
@@ -3853,18 +3874,33 @@ options_string(const struct options *o,
+ (TLS_SERVER == true)
<= 1);
- init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
- false);
+ /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
+ * to work here in the default configuration */
+ const char *ciphername = o->ciphername;
+ int keysize;
+
+ if (strcmp(o->ciphername, "BF-CBC") == 0)
+ {
+ init_key_type(&kt, "none", o->authname, o->keysize, true,
+ false);
+ keysize = 128;
+ }
+ else
+ {
+ init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
+ false);
+ ciphername = cipher_kt_name(kt.cipher);
+ keysize = kt.cipher_length * 8;
+ }
/* Only announce the cipher to our peer if we are willing to
* support it */
- const char *ciphername = cipher_kt_name(kt.cipher);
if (p2p_nopull || !o->ncp_enabled
|| tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
{
buf_printf(&out, ",cipher %s", ciphername);
}
buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
- buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
+ buf_printf(&out, ",keysize %d", keysize);
if (o->shared_secret_file)
{
buf_printf(&out, ",secret");
@@ -6168,9 +6204,9 @@ add_option(struct options *options,
}
}
#ifdef TARGET_LINUX
- else if (streq (p[0], "bind-dev") && p[1])
+ else if (streq(p[0], "bind-dev") && p[1])
{
- VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
+ VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
options->bind_dev = p[1];
}
#endif
@@ -6248,7 +6284,7 @@ add_option(struct options *options,
{
int64_t val = atoll(p[2]);
options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
- if ( options->inactivity_minimum_bytes > INT_MAX )
+ if (options->inactivity_minimum_bytes > INT_MAX)
{
msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
" >2 Gbyte was silently ignored in older versions. If "
@@ -8132,7 +8168,7 @@ add_option(struct options *options,
#endif
else if (streq(p[0], "providers") && p[1])
{
- for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++)
+ for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
{
options->providers.names[j] = p[j];
}
--
2.31.1

@ -1,4 +1,6 @@
From b56d52fa409c62720791e189e501efb86df0aff4 Mon Sep 17 00:00:00 2001
From: David Sommerseth <dazo@eurephia.org> From: David Sommerseth <dazo@eurephia.org>
Date: Tue, 4 Jul 2017 16:06:24 +0200
Subject: [PATCH] Change the default cipher to AES-256-GCM for server Subject: [PATCH] Change the default cipher to AES-256-GCM for server
configurations configurations
@ -8,14 +10,6 @@ defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains
the BF-CBC in addition to AES-CBC. This makes it possible to migrate the BF-CBC in addition to AES-CBC. This makes it possible to migrate
existing older client configurations one-by-one to use at least AES-CBC unless existing older client configurations one-by-one to use at least AES-CBC unless
the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically)
[Update 2022-06-10]
The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish
cipher is no longer available by default in OpenSSL 3.0. It can be enabled
via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should
not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger
cipher by default and older OpenVPN releases are no longer supported upstream.
--- ---
distro/systemd/openvpn-server@.service.in | 2 +- distro/systemd/openvpn-server@.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
@ -29,7 +23,7 @@ index 9a8a2c7..0ecda08 100644
PrivateTmp=true PrivateTmp=true
WorkingDirectory=/etc/openvpn/server WorkingDirectory=/etc/openvpn/server
-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10 LimitNPROC=10
DeviceAllow=/dev/null rw DeviceAllow=/dev/null rw

@ -1,56 +1,42 @@
%define _hardened_build 1 %define _hardened_build 1
#define prerelease rc22
# Build conditionals # Build conditionals
# tests_long - Enabled by default, enables long running tests in %%check # tests_long - Enabled by default, enables long running tests in %%check
%bcond_without tests_long %bcond_without tests_long
Name: openvpn Name: openvpn
Version: 2.5.11 Version: 2.4.12
Release: 1%{?dist} Release: 2%{?prerelease:.%{prerelease}}%{?dist}
Summary: A full-featured TLS VPN solution Summary: A full-featured SSL VPN solution
URL: https://community.openvpn.net/ URL: https://community.openvpn.net/
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
Source2: roadwarrior-server.conf Source2: roadwarrior-server.conf
Source3: roadwarrior-client.conf Source3: roadwarrior-client.conf
# Upstream signing key # Upstream signing key
Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
License: GPLv2 License: GPLv2
BuildRequires: gnupg2 BuildRequires: gnupg2
BuildRequires: gcc BuildRequires: gcc
BuildRequires: automake BuildRequires: systemd-devel
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: libtool
BuildRequires: gettext
BuildRequires: lzo-devel BuildRequires: lzo-devel
BuildRequires: lz4-devel BuildRequires: lz4-devel
BuildRequires: make
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: pkcs11-helper-devel >= 1.11 BuildRequires: pkcs11-helper-devel >= 1.11
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: libcmocka-devel # For the perl_default_filter macro
BuildRequires: perl-macros
BuildRequires: systemd BuildRequires: systemd
BuildRequires: systemd-devel
%{?systemd_requires} %{?systemd_requires}
# For /sbin/ip.
BuildRequires: iproute
Requires: iproute
Requires(pre): /usr/sbin/useradd Requires(pre): /usr/sbin/useradd
%if 0%{?rhel} > 7 || 0%{?fedora} > 29
BuildRequires: python3-docutils
%else
# We cannot use python36-docutils on RHEL-7 as
# the ./configure script does not currently find
# the rst2man-3 executable, it only looks for rst2man
BuildRequires: python-docutils
%endif
# For the perl_default_filter macro
BuildRequires: perl-macros
# Filter out the perl(Authen::PAM) dependency. # Filter out the perl(Authen::PAM) dependency.
# No perl dependency is really needed at all. # No perl dependency is really needed at all.
%{?perl_default_filter} %{?perl_default_filter}
@ -74,18 +60,20 @@ to similar features as the various script-hooks.
%prep %prep
gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
%patch1 -p1 -b .ch_default_cipher %patch1 -p1 -b .ch_default_cipher
%patch50 -p1 %patch50 -p1
sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
# %%doc items shouldn't be executable. # %%doc items shouldn't be executable.
find contrib sample -type f -perm /100 \ find contrib sample -type f -perm /100 \
-exec chmod a-x {} \; -exec chmod a-x {} \;
%build %build
%configure \ %configure \
--enable-silent-rules \ --enable-iproute2 \
--with-crypto-library=openssl \ --with-crypto-library=openssl \
--enable-pkcs11 \ --enable-pkcs11 \
--enable-selinux \ --enable-selinux \
@ -94,8 +82,9 @@ find contrib sample -type f -perm /100 \
--enable-async-push \ --enable-async-push \
--docdir=%{_pkgdocdir} \ --docdir=%{_pkgdocdir} \
SYSTEMD_UNIT_DIR=%{_unitdir} \ SYSTEMD_UNIT_DIR=%{_unitdir} \
TMPFILES_DIR=%{_tmpfilesdir} TMPFILES_DIR=%{_tmpfilesdir} \
%{__make} IPROUTE=/sbin/ip
%{__make} %{?_smp_mflags}
%check %check
# Test Crypto: # Test Crypto:
@ -146,7 +135,7 @@ mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir} cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
# Remove some files which does not really belong here # Remove some files which does not really belong here
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am} rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
@ -175,14 +164,12 @@ do
%systemd_postun_with_restart $srv %systemd_postun_with_restart $srv
done done
%files %files
%{_pkgdocdir} %{_pkgdocdir}
%exclude %{_pkgdocdir}/README.IPv6 %exclude %{_pkgdocdir}/README.IPv6
%exclude %{_pkgdocdir}/README.mbedtls %exclude %{_pkgdocdir}/README.mbedtls
%exclude %{_pkgdocdir}/sample/sample-plugins %exclude %{_pkgdocdir}/sample/sample-plugins
%{_mandir}/man8/%{name}.8* %{_mandir}/man8/%{name}.8*
%{_mandir}/man5/%{name}-*.5*
%{_sbindir}/%{name} %{_sbindir}/%{name}
%{_libdir}/%{name}/ %{_libdir}/%{name}/
%{_unitdir}/%{name}-client@.service %{_unitdir}/%{name}-client@.service
@ -202,94 +189,30 @@ done
%changelog %changelog
* Thu Jul 18 2024 Frank Lichtenheld <frank@lichtenheld.com> - 2.5.11-1 * Wed Mar 20 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2.4.12-2
- Update to upstream OpenVPN 2.5.11 - Rebuilt for MSVSphere 8.9
- Fixes CVE-2024-5594
* Thu Nov 9 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-2 * Thu Nov 9 2023 David Sommerseth <davids@openvpn.net> - 2.4.12-2
- Fix false exit status on pre runtime scriptlet (Elkhan Mammadli <elkhan@almalinux.org>, RHBZ#2239722) - Fix false exit status on pre runtime scriptlet (Elkhan Mammadli <elkhan@almalinux.org>, RHBZ#2239722)
- Misbehaving systemctl scriptlet globbing issues (RHBZ#1887984)
* Thu Feb 16 2023 David Sommerseth <davids@openvpn.net> - 2.5.9-1 * Thu Mar 17 2022 David Sommerseth <davids@openvpn.net> - 2.4.12-1
- Update to upstream OpenVPN 2.5.9 - Update to upstream OpenVPN 2.4.12
* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
- Update to upstream OpenVPN 2.5.8
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
https://patchwork.openvpn.net/patch/2504/
- Removed BF-CBC from the --data-ciphers list. This is no longer available by default
in OpenSSL 3.0
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
- Update to upstream OpenVPN 2.5.7
* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
- Update to upstream OpenVPN 2.5.6
- Fixes CVE-2022-0547 - Fixes CVE-2022-0547
* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4 * Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.4.11-1
- Fix systemd related scriptlet error (#1887984) - Update to upstream OpenVPN 2.4.11
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-2
- Rebuild of 2.5.5
* Wed Dec 15 2021 David Sommerseth <davids@openvpn.net> - 2.5.5-1
- Update to upstream OpenVPN 2.5.5 (#2032844)
* Tue Oct 5 2021 David Sommerseth <davids@openvpn.net> - 2.5.4-1
- Update to upstream OpenVPN 2.5.4
- Added new man page: openvpn-examples(5)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.5.3-3
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 18 2021 David Sommerseth <davids@openvpn.net> - 2.5.3-1
- Update to upstream OpenVPN 2.5.3
- Fixes CVE-2021-3606
* Wed Apr 21 2021 David Sommerseth <davids@openvpn.net> - 2.5.2-1
- Update to upstream OpenVPN 2.5.2
- Fixes CVE-2020-15078 - Fixes CVE-2020-15078
- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.5.1-2 * Wed Dec 9 2020 David Sommerseth <dazo@eurephia.org> - 2.4.10-1
- Rebuilt for updated systemd-rpm-macros - Update to upstream OpenVPN 2.4.10
See https://pagure.io/fesco/issue/2583.
* Wed Feb 24 2021 David Sommerseth <dazo@eurephia.org> - 2.5.1-1
- Update to upstream OpenVPN 2.5.1
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Oct 28 2020 David Sommerseth <dazo@eurephia.org> - 2.5.0-1
- Update to upstream OpenVPN 2.5.0
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1 * Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
- Update to upstream OpenVPN 2.4.9 - Update to upstream OpenVPN 2.4.9
* Wed Feb 12 2020 David Sommerseth <dazo@eurephia.org> - 2.4.8-3
- Rebuilt to be linked against latest lzo (RHBZ#1802299)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1 * Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
- Updating to upstream OpenVPN 2.4.8 - Updating to upstream OpenVPN 2.4.8
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1 * Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
- Updating to upstream OpenVPN 2.4.7 - Updating to upstream OpenVPN 2.4.7

@ -1,2 +0,0 @@
SHA512 (openvpn-2.5.11.tar.gz) = 5ef80681e71aa84629d48b067b540c0e8169ee3ff4b1129fc0030a55f0f7e2bb9a9cd568aa627828d8adb1366f5b0cfdd37242fb5cb6cec4a50fea9ffe8805bc
SHA512 (openvpn-2.5.11.tar.gz.asc) = f8796504341539db4a79ccf26706d2cc7e13b9fc511e0e38a0676b5eb94c0c43174b1cc29b07a51eb0e6c8dc7715a9728cc367166bdafae705381338cca3aead

@ -1,14 +0,0 @@
# Tests for openvpn using NM's tests
- hosts: localhost
roles:
- role: standard-test-basic
tags:
- classic
repositories:
- repo: "https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci"
dest: "NetworkManager-ci"
tests:
- sanity-tests:
dir: NetworkManager-ci
run: run/osci/run-tests openvpn
Loading…
Cancel
Save