openvpn update 2.4.7 + new patch

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
2019-05-24 15:31:21 +02:00 · 2019-05-24 15:31:21 +02:00 · 15864e0d94
parent 9d71c7c0c3
commit 15864e0d94
2 changed files with 206 additions and 3 deletions
--- a/SOURCES/0001-Re-introduce-tls-remote-for-PowerEL7.patch
+++ b/SOURCES/0001-Re-introduce-tls-remote-for-PowerEL7.patch
@ -0,0 +1,201 @@
+From 273d10b74973d672317c0c0bd5e58897e49a94f0 Mon Sep 17 00:00:00 2001
+From: David Sommerseth <davids@openvpn.net>
+Date: Thu, 23 Mar 2017 22:50:41 +0100
+Subject: [PATCH] Re-introduce --tls-remote for Fedora EPEL-6 and EPEL-7 only
+
+This reverts commit 10ce637066f44e8ad9f4af000b8d0c2a4012236d.
+
+To avoid breaking any existing OpenVPN installations using the
+Fedora EPEL repository, this patch re-introduces this DEPRECATED
+--tls-remote option for Fedora EPEL-6 and EPEL-7 ONLY.  This is
+only considered to be an exceptional patch and will not be part
+of any upstream OpenVPN releases.
+
+Signed-off-by: David Sommerseth <davids@openvpn.net>
+---
+ Changes.rst              |  6 ++++++
+ doc/openvpn.8            | 45 +++++++++++++++++++++++++++++++++++++++
+ src/openvpn/options.c    | 55 +++++++++++++++++++++++++++++++++++++++++++-----
+ src/openvpn/ssl_verify.h |  2 ++
+ 4 files changed, 103 insertions(+), 5 deletions(-)
+
+diff --git a/Changes.rst b/Changes.rst
+index d5e12eb..a536f5b 100644
+--- a/Changes.rst
+++ b/Changes.rst
+@@ -179,6 +179,12 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
+   non-standard X.509 subject formatting must be updated to the standardized
+   formatting.  See the man page for more information.
+
+  NOTE: For PowerEL7 this feature have been re-introduced
+  to maintain a possible upgrade path from v2.3 to v2.4.  All users are STRONGLY
+  encouraged to update their configurations to use ``--verify-x509-name`` ASAP.
+  The ``--tls-remote`` option WILL NOT be preserved in newer major PowerEL
+  releases.
+
+ - ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.
+
+ - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6
+diff --git a/doc/openvpn.8 b/doc/openvpn.8
+index 0b3e1ad..44f528c 100644
+--- a/doc/openvpn.8
+++ b/doc/openvpn.8
+@@ -5349,6 +5349,51 @@ prefix will be left as\-is.  This automatic upcasing feature
+ is deprecated and will be removed in a future release.
+ .\"*********************************************************
+ .TP
+.B \-\-tls\-remote name (DEPRECATED)
+Accept connections only from a host with X509 name
+or common name equal to
+.B name.
+The remote host must also pass all other tests
+of verification.
+
+.B NOTE:
+Because tls\-remote may test against a common name prefix,
+only use this option when you are using OpenVPN with a custom CA
+certificate that is under your control.
+Never use this option when your client certificates are signed by
+a third party, such as a commercial web CA.
+
+Name can also be a common name prefix, for example if you
+want a client to only accept connections to "Server-1",
+"Server-2", etc., you can simply use
+.B \-\-tls\-remote Server
+
+Using a common name prefix is a useful alternative to managing
+a CRL (Certificate Revocation List) on the client, since it allows the client
+to refuse all certificates except for those associated
+with designated servers.
+
+.B \-\-tls\-remote
+is a useful replacement for the
+.B \-\-tls\-verify
+option to verify the remote host, because
+.B \-\-tls\-remote
+works in a
+.B \-\-chroot
+environment too.
+
+.B Please also note:
+This option is DEPRECATED.  It has been removed in upstream OpenVPN v2.4.0
+and have only been re-introduced into PowerEL7 for backwards
+compatibility purposes.  It will NOT be provided in any newer major EPEL
+releases.  So please make sure you support the new X.509 name formatting
+described with the
+.B \-\-compat\-names
+option as soon as possible by updating your configurations to use
+.B \-\-verify\-x509\-name
+instead.
+.\"*********************************************************
+.TP
+ .B \-\-verify\-x509\-name name type
+ Accept connections only if a host's X.509 name is equal to
+ .B name.
+diff --git a/src/openvpn/options.c b/src/openvpn/options.c
+index 8dee5d1..2f97442 100644
+--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
+@@ -66,7 +66,7 @@ const char title_string[] =
+ #ifdef CONFIGURE_GIT_REVISION
+     " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
+ #endif
+-    " " TARGET_ALIAS
+    " " TARGET_ALIAS " [PowerEL7 patched]"
+ #ifdef ENABLE_CRYPTO
+ #if defined(ENABLE_CRYPTO_MBEDTLS)
+     " [SSL (mbed TLS)]"
+@@ -7887,12 +7887,16 @@ add_option(struct options *options,
+ #endif
+     {
+         VERIFY_PERMISSION(OPT_P_GENERAL);
+-        if (options->verify_x509_type != VERIFY_X509_NONE)
+        if (options->verify_x509_type != VERIFY_X509_NONE
+            && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN
+            && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
+         {
+             msg(msglevel, "you cannot use --compat-names with --verify-x509-name");
+             goto err;
+         }
+-        msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.");
+        msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your "
+                    "configuration. This option is especially preserved for "
+                    "PowerEL7 ONLY.");
+         compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
+ #if P2MP_SERVER
+         if (p[1] && streq(p[1], "no-remapping"))
+@@ -7903,16 +7907,57 @@ add_option(struct options *options,
+     else if (streq(p[0], "no-name-remapping") && !p[1])
+     {
+         VERIFY_PERMISSION(OPT_P_GENERAL);
+-        if (options->verify_x509_type != VERIFY_X509_NONE)
+        if (options->verify_x509_type != VERIFY_X509_NONE
+            && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN
+            && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
+         {
+             msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
+             goto err;
+         }
+-        msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5.");
+        msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your "
+                    "configuration. This option is especially preserved for "
+                    "PowerEL7 ONLY.");
+         compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
+         compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
+ #endif
+     }
+    else if (streq(p[0], "tls-remote") && p[1] && !p[2])
+    {
+        VERIFY_PERMISSION(OPT_P_GENERAL);
+
+        if (options->verify_x509_type != VERIFY_X509_NONE
+            && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN
+            && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
+        {
+            msg(msglevel, "you cannot use --tls-remote with --verify-x509-name");
+            goto err;
+        }
+        msg(M_WARN, "DEPRECATED OPTION: --tls-remote is espectially "
+                    "re-introduced in v2.4 for PowerEL7 only.  "
+                    "Do update your configuration now!");
+
+        if (strlen(p[1]))
+        {
+            int is_username = (!strchr(p[1], '=') || !strstr(p[1], ", "));
+            int type = TLS_REMOTE_SUBJECT_DN;
+            if (p[1][0] != '/' && is_username)
+            {
+                type = TLS_REMOTE_SUBJECT_RDN_PREFIX;
+            }
+
+            /*
+             * Enable legacy openvpn format for DNs that have not been converted
+             * yet and --x509-username-field (not containing an '=' or ', ')
+             */
+            if (p[1][0] == '/' || is_username)
+            {
+                compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
+            }
+
+            options->verify_x509_type = type;
+            options->verify_x509_name = p[1];
+        }
+    }
+     else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
+     {
+         int type = VERIFY_X509_SUBJECT_DN;
+diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
+index f2d0d6c..e244566 100644
+--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
+@@ -66,6 +66,8 @@ struct cert_hash_set {
+ #define VERIFY_X509_SUBJECT_DN          1
+ #define VERIFY_X509_SUBJECT_RDN         2
+ #define VERIFY_X509_SUBJECT_RDN_PREFIX  3
+#define TLS_REMOTE_SUBJECT_DN           1 + 0x100
+#define TLS_REMOTE_SUBJECT_RDN_PREFIX   3 + 0x100
+
+ #define TLS_AUTHENTICATION_SUCCEEDED  0
+ #define TLS_AUTHENTICATION_FAILED     1
+--
+2.13.5
--- a/SPECS/openvpn.spec
+++ b/SPECS/openvpn.spec
@ -6,7 +6,7 @@
 %bcond_without tests_long

 Name:              openvpn
-Version:           2.4.6
+Version:           2.4.7
 Release:           1%{?prerelease:.%{prerelease}}%{?dist}
 Summary:           A full-featured SSL VPN solution
 URL:               https://community.openvpn.net/
@ -18,7 +18,7 @@ Source3:           roadwarrior-client.conf
 Source5:           openvpn@.service
 # Upstream signing key
 Source6:           gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
-Patch0:            0001-Re-introduce-tls-remote-for-Fedora-EPEL-6-and-EPEL-7.patch
+Patch0:            0001-Re-introduce-tls-remote-for-PowerEL7.patch
 Patch50:           openvpn-2.4-change-tmpfiles-permissions.patch
 License:           GPLv2
 BuildRequires:     gnupg2
@ -67,7 +67,7 @@ to similar features as the various script-hooks.


 %prep
-gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
+#gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
 %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
 %patch0 -p1
 %patch50 -p1
@ -86,6 +86,8 @@ find contrib sample -type f -perm /100 \
    --enable-selinux \
    --enable-systemd \
    --enable-x509-alt-username \
+    --enable-lzo \
+    --enable-lz4 \
    --docdir=%{_docdir}/%{name} \
    SYSTEMD_UNIT_DIR=%{_unitdir} \
    TMPFILES_DIR=%{_tmpfilesdir} \