From 15864e0d949d7663a1c8163045b131ae81e06659 Mon Sep 17 00:00:00 2001
From: basebuilder_pel7x64builder0
Date: Fri, 24 May 2019 15:31:21 +0200
Subject: [PATCH] openvpn update 2.4.7 + new patch
Signed-off-by: basebuilder_pel7x64builder0
---
 ...Re-introduce-tls-remote-for-PowerEL7.patch | 201 ++++++++++++++++++
 SPECS/openvpn.spec | 8 +-
 2 files changed, 206 insertions(+), 3 deletions(-)
 create mode 100644 SOURCES/0001-Re-introduce-tls-remote-for-PowerEL7.patch
diff --git a/SOURCES/0001-Re-introduce-tls-remote-for-PowerEL7.patch b/SOURCES/0001-Re-introduce-tls-remote-for-PowerEL7.patch
new file mode 100644
index 00000000..e84db241
--- /dev/null
+++ b/SOURCES/0001-Re-introduce-tls-remote-for-PowerEL7.patch
@@ -0,0 +1,201 @@ +From 273d10b74973d672317c0c0bd5e58897e49a94f0 Mon Sep 17 00:00:00 2001 +From: David Sommerseth +Date: Thu, 23 Mar 2017 22:50:41 +0100 +Subject: [PATCH] Re-introduce --tls-remote for Fedora EPEL-6 and EPEL-7 only + +This reverts commit 10ce637066f44e8ad9f4af000b8d0c2a4012236d. + +To avoid breaking any existing OpenVPN installations using the +Fedora EPEL repository, this patch re-introduces this DEPRECATED +--tls-remote option for Fedora EPEL-6 and EPEL-7 ONLY. This is +only considered to be an exceptional patch and will not be part +of any upstream OpenVPN releases. + +Signed-off-by: David Sommerseth +--- + Changes.rst | 6 ++++++ + doc/openvpn.8 | 45 +++++++++++++++++++++++++++++++++++++++ + src/openvpn/options.c | 55 +++++++++++++++++++++++++++++++++++++++++++----- + src/openvpn/ssl_verify.h | 2 ++ + 4 files changed, 103 insertions(+), 5 deletions(-) + +diff --git a/Changes.rst b/Changes.rst +index d5e12eb..a536f5b 100644 +--- a/Changes.rst ++++ b/Changes.rst +@@ -179,6 +179,12 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions + non-standard X.509 subject formatting must be updated to the standardized + formatting. See the man page for more information. + ++ NOTE: For PowerEL7 this feature have been re-introduced ++ to maintain a possible upgrade path from v2.3 to v2.4. All users are STRONGLY ++ encouraged to update their configurations to use ``--verify-x509-name`` ASAP. ++ The ``--tls-remote`` option WILL NOT be preserved in newer major PowerEL ++ releases. ++ + - ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5. + + - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 +diff --git a/doc/openvpn.8 b/doc/openvpn.8 +index 0b3e1ad..44f528c 100644 +--- a/doc/openvpn.8 ++++ b/doc/openvpn.8 +@@ -5349,6 +5349,51 @@ prefix will be left as\-is. This automatic upcasing feature + is deprecated and will be removed in a future release. 
+ .\"********************************************************* + .TP ++.B \-\-tls\-remote name (DEPRECATED) ++Accept connections only from a host with X509 name ++or common name equal to ++.B name. ++The remote host must also pass all other tests ++of verification. ++ ++.B NOTE: ++Because tls\-remote may test against a common name prefix, ++only use this option when you are using OpenVPN with a custom CA ++certificate that is under your control. ++Never use this option when your client certificates are signed by ++a third party, such as a commercial web CA. ++ ++Name can also be a common name prefix, for example if you ++want a client to only accept connections to "Server-1", ++"Server-2", etc., you can simply use ++.B \-\-tls\-remote Server ++ ++Using a common name prefix is a useful alternative to managing ++a CRL (Certificate Revocation List) on the client, since it allows the client ++to refuse all certificates except for those associated ++with designated servers. ++ ++.B \-\-tls\-remote ++is a useful replacement for the ++.B \-\-tls\-verify ++option to verify the remote host, because ++.B \-\-tls\-remote ++works in a ++.B \-\-chroot ++environment too. ++ ++.B Please also note: ++This option is DEPRECATED. It has been removed in upstream OpenVPN v2.4.0 ++and have only been re-introduced into PowerEL7 for backwards ++compatibility purposes. It will NOT be provided in any newer major EPEL ++releases. So please make sure you support the new X.509 name formatting ++described with the ++.B \-\-compat\-names ++option as soon as possible by updating your configurations to use ++.B \-\-verify\-x509\-name ++instead. ++.\"********************************************************* ++.TP + .B \-\-verify\-x509\-name name type + Accept connections only if a host's X.509 name is equal to + .B name. 
+diff --git a/src/openvpn/options.c b/src/openvpn/options.c +index 8dee5d1..2f97442 100644 +--- a/src/openvpn/options.c ++++ b/src/openvpn/options.c +@@ -66,7 +66,7 @@ const char title_string[] = + #ifdef CONFIGURE_GIT_REVISION + " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]" + #endif +- " " TARGET_ALIAS ++ " " TARGET_ALIAS " [PowerEL7 patched]" + #ifdef ENABLE_CRYPTO + #if defined(ENABLE_CRYPTO_MBEDTLS) + " [SSL (mbed TLS)]" +@@ -7887,12 +7887,16 @@ add_option(struct options *options, + #endif + { + VERIFY_PERMISSION(OPT_P_GENERAL); +- if (options->verify_x509_type != VERIFY_X509_NONE) ++ if (options->verify_x509_type != VERIFY_X509_NONE ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + { + msg(msglevel, "you cannot use --compat-names with --verify-x509-name"); + goto err; + } +- msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5."); ++ msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your " ++ "configuration. This option is especially preserved for " ++ "PowerEL7 ONLY."); + compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); + #if P2MP_SERVER + if (p[1] && streq(p[1], "no-remapping")) +@@ -7903,16 +7907,57 @@ add_option(struct options *options, + else if (streq(p[0], "no-name-remapping") && !p[1]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); +- if (options->verify_x509_type != VERIFY_X509_NONE) ++ if (options->verify_x509_type != VERIFY_X509_NONE ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) + { + msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name"); + goto err; + } +- msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5."); ++ msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your " ++ "configuration. 
This option is especially preserved for " ++ "PowerEL7 ONLY."); + compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); + compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); + #endif + } ++ else if (streq(p[0], "tls-remote") && p[1] && !p[2]) ++ { ++ VERIFY_PERMISSION(OPT_P_GENERAL); ++ ++ if (options->verify_x509_type != VERIFY_X509_NONE ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_DN ++ && options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX) ++ { ++ msg(msglevel, "you cannot use --tls-remote with --verify-x509-name"); ++ goto err; ++ } ++ msg(M_WARN, "DEPRECATED OPTION: --tls-remote is espectially " ++ "re-introduced in v2.4 for PowerEL7 only. " ++ "Do update your configuration now!"); ++ ++ if (strlen(p[1])) ++ { ++ int is_username = (!strchr(p[1], '=') || !strstr(p[1], ", ")); ++ int type = TLS_REMOTE_SUBJECT_DN; ++ if (p[1][0] != '/' && is_username) ++ { ++ type = TLS_REMOTE_SUBJECT_RDN_PREFIX; ++ } ++ ++ /* ++ * Enable legacy openvpn format for DNs that have not been converted ++ * yet and --x509-username-field (not containing an '=' or ', ') ++ */ ++ if (p[1][0] == '/' || is_username) ++ { ++ compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); ++ } ++ ++ options->verify_x509_type = type; ++ options->verify_x509_name = p[1]; ++ } ++ } + else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3]) + { + int type = VERIFY_X509_SUBJECT_DN; +diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h +index f2d0d6c..e244566 100644 +--- a/src/openvpn/ssl_verify.h ++++ b/src/openvpn/ssl_verify.h +@@ -66,6 +66,8 @@ struct cert_hash_set { + #define VERIFY_X509_SUBJECT_DN 1 + #define VERIFY_X509_SUBJECT_RDN 2 + #define VERIFY_X509_SUBJECT_RDN_PREFIX 3 ++#define TLS_REMOTE_SUBJECT_DN 1 + 0x100 ++#define TLS_REMOTE_SUBJECT_RDN_PREFIX 3 + 0x100 + + #define TLS_AUTHENTICATION_SUCCEEDED 0 + #define TLS_AUTHENTICATION_FAILED 1 +-- +2.13.5 diff --git a/SPECS/openvpn.spec b/SPECS/openvpn.spec index 58d0b1b7..27eabcd1 100644 --- a/SPECS/openvpn.spec 
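Review bot: The two macros added in the ssl_verify.h hunk are unparenthesized expressions, `#define TLS_REMOTE_SUBJECT_DN 1 + 0x100` and `#define TLS_REMOTE_SUBJECT_RDN_PREFIX 3 + 0x100`; the uses in this patch (`!=` comparisons and a plain assignment to `type`) happen to bind correctly, but any later use under a cast, mask or multiplication would silently yield a different value, so write them as `#define TLS_REMOTE_SUBJECT_DN (1 + 0x100)` and `#define TLS_REMOTE_SUBJECT_RDN_PREFIX (3 + 0x100)`. The inner diffstat touches ssl_verify.h but not ssl_verify.c or init.c, so the 0x100-flagged values stored into options->verify_x509_type rely on the flag being masked off before the certificate-verification compare against VERIFY_X509_SUBJECT_*; the 2.3 tree this code came from did that masking elsewhere, and if 2.4.7 no longer does, every --tls-remote connection would fail name verification (fail-closed, but a broken option), which is worth confirming against the tree the patch is applied to. The new M_WARN literal in the tls-remote branch misspells "especially" as `"espectially "` and is logged verbatim; fix the string. The enclosing add_option() function starts and ends outside this hunk.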
+++ b/SPECS/openvpn.spec @@ -6,7 +6,7 @@ %bcond_without tests_long Name: openvpn -Version: 2.4.6 +Version: 2.4.7 Release: 1%{?prerelease:.%{prerelease}}%{?dist} Summary: A full-featured SSL VPN solution URL: https://community.openvpn.net/ @@ -18,7 +18,7 @@ Source3: roadwarrior-client.conf Source5: openvpn@.service # Upstream signing key Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg -Patch0: 0001-Re-introduce-tls-remote-for-Fedora-EPEL-6-and-EPEL-7.patch +Patch0: 0001-Re-introduce-tls-remote-for-PowerEL7.patch Patch50: openvpn-2.4-change-tmpfiles-permissions.patch License: GPLv2 BuildRequires: gnupg2 @@ -67,7 +67,7 @@ to similar features as the various script-hooks. %prep -gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0} +#gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0} %setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}} %patch0 -p1 %patch50 -p1 @@ -86,6 +86,8 @@ find contrib sample -type f -perm /100 \ --enable-selinux \ --enable-systemd \ --enable-x509-alt-username \ + --enable-lzo \ + --enable-lz4 \ --docdir=%{_docdir}/%{name} \ SYSTEMD_UNIT_DIR=%{_unitdir} \ TMPFILES_DIR=%{_tmpfilesdir} \
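Review bot: The %prep hunk disables source verification by commenting out `gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}`, so the 2.4.7 tarball is no longer checked against the upstream signing key carried in Source6 and the build accepts whatever bytes are in the lookaside; Source6 and `BuildRequires: gnupg2` are still kept, which suggests the check was silenced rather than the underlying failure fixed. If it failed because 2.4.7 is signed with a key not in gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg, refresh that keyring (or add the new upstream key) and restore the line as `gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}`; if the detached signature in Source1 was simply not updated for 2.4.7, fetch the matching one. Left commented out, this removes the only integrity check on the upstream source for this and every future version bump of the package.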