commit 48d3bdb32b9b7e606f926c531b719ef71a6c9da8 Author: Toshaan Bharvani Date: Wed Jul 20 18:08:33 2022 +0200 initial package creation Signed-off-by: Toshaan Bharvani diff --git a/SOURCES/0001-Allow-running-a-default-configuration-with-TLS-libra.patch b/SOURCES/0001-Allow-running-a-default-configuration-with-TLS-libra.patch new file mode 100644 index 0000000..b9218e6 --- /dev/null +++ b/SOURCES/0001-Allow-running-a-default-configuration-with-TLS-libra.patch @@ -0,0 +1,225 @@ +From cf5864f5922e4f40357d9f75a35cd448e671dddf Mon Sep 17 00:00:00 2001 +From: Arne Schwabe +Date: Fri, 3 Jun 2022 11:52:19 +0200 +Subject: [PATCH] Allow running a default configuration with TLS libraries + without BF-CBC + +Modern TLS libraries might drop Blowfish by default or distributions +might disable Blowfish in OpenSSL/mbed TLS. We still signal OCC +options with BF-CBC compatible strings. To avoid requiring BF-CBC +for this, special this one usage of BF-CBC enough to avoid a hard +requirement on Blowfish in the default configuration. + +This patch is cherry-picked from 79ff3f79 and the missing +ciphername = "none"; has been added in the OCC code. + +Due to uncrustify complains, a few extra whitespace fixes had to be +done to options.c. + +Signed-off-by: Arne Schwabe +Acked-by: Gert Doering +Message-Id: <20220603095219.637361-1-arne@rfc2549.org> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24456.html +Signed-off-by: Gert Doering +--- + src/openvpn/crypto_backend.h | 2 ++ + src/openvpn/init.c | 37 ++++++++++++++++----- + src/openvpn/options.c | 62 ++++++++++++++++++++++++++++-------- + 3 files changed, 80 insertions(+), 21 deletions(-) + +diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h +index a9bb38ed..aebda3d6 100644 +--- a/src/openvpn/crypto_backend.h ++++ b/src/openvpn/crypto_backend.h +@@ -256,6 +256,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername); + * The returned name is normalised to the OpenVPN config name in case the + * name differs from the name used by the crypto library. + * ++ * Returns [null-cipher] in case the cipher_kt is NULL. ++ * + * @param cipher_kt Static cipher parameters + * + * @return a statically allocated string describing the cipher. +diff --git a/src/openvpn/init.c b/src/openvpn/init.c +index da4d60af..b1b7b350 100644 +--- a/src/openvpn/init.c ++++ b/src/openvpn/init.c +@@ -2764,14 +2764,35 @@ do_init_crypto_tls_c1(struct context *c) + #endif /* if P2MP */ + } + +- /* Do not warn if we only have BF-CBC in options->ciphername +- * because it is still the default cipher */ +- bool warn = !streq(options->ciphername, "BF-CBC") +- || options->enable_ncp_fallback; +- /* Get cipher & hash algorithms */ +- init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, +- options->keysize, true, warn); +- ++ /* ++ * BF-CBC is allowed to be used only when explicitly configured ++ * as NCP-fallback or when NCP has been disabled or explicitly ++ * allowed in the in ncp_ciphers list. ++ * In all other cases do not attempt to initialize BF-CBC as it ++ * may not even be supported by the underlying SSL library. ++ * ++ * Therefore, the key structure has to be initialized when: ++ * - any non-BF-CBC cipher was selected; or ++ * - BF-CBC is selected and NCP is disabled (explicit request to ++ * use the BF-CBC cipher); or ++ * - BF-CBC is selected, NCP is enabled and fallback is enabled ++ * (BF-CBC will be the fallback). ++ * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC: ++ * If the negotiated cipher and options->ciphername are the ++ * same we do not reinit the cipher ++ * ++ * Note that BF-CBC will still be part of the OCC string to retain ++ * backwards compatibility with older clients. ++ */ ++ if (!streq(options->ciphername, "BF-CBC") || !options->ncp_enabled ++ || (options->ncp_enabled && tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)) ++ || options->enable_ncp_fallback) ++ { ++ /* Do not warn if the if the cipher is used only in OCC */ ++ bool warn = !options->ncp_enabled || options->enable_ncp_fallback; ++ init_key_type(&c->c1.ks.key_type, options->ciphername, options->authname, ++ options->keysize, true, warn); ++ } + /* Initialize PRNG with config-specified digest */ + prng_init(options->prng_hash, options->prng_nonce_secret_len); + +diff --git a/src/openvpn/options.c b/src/openvpn/options.c +index f6ef02ae..2206d9f4 100644 +--- a/src/openvpn/options.c ++++ b/src/openvpn/options.c +@@ -1135,7 +1135,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren + #ifndef ENABLE_SMALL + + static void +-show_dhcp_option_list(const char *name, const char * const*array, int len) ++show_dhcp_option_list(const char *name, const char *const *array, int len) + { + int i; + for (i = 0; i < len; ++i) +@@ -2288,7 +2288,7 @@ options_postprocess_verify_ce(const struct options *options, + if (options->mode == MODE_SERVER) + { + #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ +- "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" ++ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" + #ifdef TARGET_ANDROID + msg(M_FATAL, "--mode server not supported on Android"); + #endif +@@ -3103,7 +3103,7 @@ options_postprocess_cipher(struct options *o) + if (!o->ncp_enabled) + { + msg(M_USAGE, "--ncp-disable needs an explicit --cipher or " +- "--data-ciphers-fallback config option"); ++ "--data-ciphers-fallback config option"); + } + + msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to " +@@ -3681,9 +3681,30 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) + { + struct frame fake_frame = *frame; + struct key_type fake_kt; +- init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, +- false); ++ + frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); ++ ++ ++ /* o->ciphername might be BF-CBC even though the underlying SSL library ++ * does not support it. For this reason we workaround this corner case ++ * by pretending to have no encryption enabled and by manually adding ++ * the required packet overhead to the MTU computation. ++ */ ++ const char *ciphername = o->ciphername; ++ ++ if (strcmp(o->ciphername, "BF-CBC") == 0) ++ { ++ /* none has no overhead, so use this to later add only --auth ++ * overhead */ ++ ++ /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */ ++ frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8); ++ ciphername = "none"; ++ } ++ ++ init_key_type(&fake_kt, ciphername, o->authname, o->keysize, true, ++ false); ++ + crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay, + cipher_kt_mode_ofb_cfb(fake_kt.cipher)); + frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, +@@ -3853,18 +3874,33 @@ options_string(const struct options *o, + + (TLS_SERVER == true) + <= 1); + +- init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, +- false); ++ /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC ++ * to work here in the default configuration */ ++ const char *ciphername = o->ciphername; ++ int keysize; ++ ++ if (strcmp(o->ciphername, "BF-CBC") == 0) ++ { ++ init_key_type(&kt, "none", o->authname, o->keysize, true, ++ false); ++ keysize = 128; ++ } ++ else ++ { ++ init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, ++ false); ++ ciphername = cipher_kt_name(kt.cipher); ++ keysize = kt.cipher_length * 8; ++ } + /* Only announce the cipher to our peer if we are willing to + * support it */ +- const char *ciphername = cipher_kt_name(kt.cipher); + if (p2p_nopull || !o->ncp_enabled + || tls_item_in_cipher_list(ciphername, o->ncp_ciphers)) + { + buf_printf(&out, ",cipher %s", ciphername); + } + buf_printf(&out, ",auth %s", md_kt_name(kt.digest)); +- buf_printf(&out, ",keysize %d", kt.cipher_length * 8); ++ buf_printf(&out, ",keysize %d", keysize); + if (o->shared_secret_file) + { + buf_printf(&out, ",secret"); +@@ -6168,9 +6204,9 @@ add_option(struct options *options, + } + } + #ifdef TARGET_LINUX +- else if (streq (p[0], "bind-dev") && p[1]) ++ else if (streq(p[0], "bind-dev") && p[1]) + { +- VERIFY_PERMISSION (OPT_P_SOCKFLAGS); ++ VERIFY_PERMISSION(OPT_P_SOCKFLAGS); + options->bind_dev = p[1]; + } + #endif +@@ -6248,7 +6284,7 @@ add_option(struct options *options, + { + int64_t val = atoll(p[2]); + options->inactivity_minimum_bytes = (val < 0) ? 0 : val; +- if ( options->inactivity_minimum_bytes > INT_MAX ) ++ if (options->inactivity_minimum_bytes > INT_MAX) + { + msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value" + " >2 Gbyte was silently ignored in older versions. If " +@@ -8132,7 +8168,7 @@ add_option(struct options *options, + #endif + else if (streq(p[0], "providers") && p[1]) + { +- for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++) ++ for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++) + { + options->providers.names[j] = p[j]; + } +-- +2.31.1 + diff --git a/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch b/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch new file mode 100644 index 0000000..0af7115 --- /dev/null +++ b/SOURCES/0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch @@ -0,0 +1,38 @@ +From: David Sommerseth +Subject: [PATCH] Change the default cipher to AES-256-GCM for server + configurations + +This change makes the server use AES-256-GCM instead of BF-CBC as the default +cipher for the VPN tunnel. To avoid breaking existing running configurations +defaulting to BF-CBC, the Negotiable Crypto Parameters (NCP) list contains +the BF-CBC in addition to AES-CBC. This makes it possible to migrate +existing older client configurations one-by-one to use at least AES-CBC unless +the client is updated to v2.4 (which defaults to upgrade to AES-GCM automatically) + +[Update 2022-06-10] +The BF-CBC reference is now removed as of Fedora 36 and newer. The Blowfish +cipher is no longer available by default in OpenSSL 3.0. It can be enabled +via the legacy provider in OpenSSL 3.0, but BF-CBC is deprecated and should +not be used any more. OpenVPN 2.4 and newer will always negotiate a stronger +cipher by default and older OpenVPN releases are no longer supported upstream. + +--- + distro/systemd/openvpn-server@.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/distro/systemd/openvpn-server@.service.in b/distro/systemd/openvpn-server@.service.in +index 9a8a2c7..0ecda08 100644 +--- a/distro/systemd/openvpn-server@.service.in ++++ b/distro/systemd/openvpn-server@.service.in +@@ -10,7 +10,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO + Type=notify + PrivateTmp=true + WorkingDirectory=/etc/openvpn/server +-ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf ++ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC --config %i.conf + CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE + LimitNPROC=10 + DeviceAllow=/dev/null rw +-- +2.11.0 + diff --git a/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg b/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg new file mode 100644 index 0000000..8114462 Binary files /dev/null and b/SOURCES/gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg differ diff --git a/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch b/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch new file mode 100644 index 0000000..8adb700 --- /dev/null +++ b/SOURCES/openvpn-2.4-change-tmpfiles-permissions.patch @@ -0,0 +1,9 @@ +diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf +index bb79671e..9258f5c6 100644 +--- a/distro/systemd/tmpfiles-openvpn.conf ++++ b/distro/systemd/tmpfiles-openvpn.conf +@@ -1,2 +1,2 @@ +-d /run/openvpn-client 0710 root root - +-d /run/openvpn-server 0710 root root - ++d /run/openvpn-client 0750 root openvpn - ++d /run/openvpn-server 0750 root openvpn - diff --git a/SOURCES/roadwarrior-client.conf b/SOURCES/roadwarrior-client.conf new file mode 100644 index 0000000..dd12fdb --- /dev/null +++ b/SOURCES/roadwarrior-client.conf @@ -0,0 +1,38 @@ +######################################### +# Sample client-side OpenVPN config file +# for connecting to multi-client server. +# +# Adapted from http://openvpn.sourceforge.net/20notes.html +# +# The server can be pinged at 10.8.0.1. +# +# This configuration can be used by multiple +# clients, however each client should have +# its own cert and key files. +# +# tun-style tunnel + +port 1194 +dev tun +remote [my server hostname or IP address] + +# TLS parms + +tls-client +ca sample-keys/tmp-ca.crt +cert sample-keys/client.crt +key sample-keys/client.key + +# This parm is required for connecting +# to a multi-client server. It tells +# the client to accept options which +# the server pushes to us. +pull + +# Scripts can be used to do various +# things (change nameservers, for +# example. +#up scripts/ifup-post +#down scripts/ifdown-post + +verb 4 diff --git a/SOURCES/roadwarrior-server.conf b/SOURCES/roadwarrior-server.conf new file mode 100644 index 0000000..be3db15 --- /dev/null +++ b/SOURCES/roadwarrior-server.conf @@ -0,0 +1,67 @@ +######################################## +# Sample OpenVPN config file for +# 2.0-style multi-client udp server +# +# Adapted from http://openvpn.sourceforge.net/20notes.html +# +# tun-style tunnel + +port 1194 +dev tun + +# Use "local" to set the source address on multi-homed hosts +#local [IP address] + +# TLS parms +tls-server +ca sample-keys/tmp-ca.crt +cert sample-keys/server.crt +key sample-keys/server.key +dh sample-keys/dh1024.pem + +# Tell OpenVPN to be a multi-client udp server +mode server + +# The server's virtual endpoints +ifconfig 10.8.0.1 10.8.0.2 + +# Pool of /30 subnets to be allocated to clients. +# When a client connects, an --ifconfig command +# will be automatically generated and pushed back to +# the client. +ifconfig-pool 10.8.0.4 10.8.0.255 + +# Push route to client to bind it to our local +# virtual endpoint. +push "route 10.8.0.1 255.255.255.255" + +# Push any routes the client needs to get in +# to the local network. +push "route 192.168.0.0 255.255.255.0" + +# Push DHCP options to Windows clients. +push "dhcp-option DOMAIN example.com" +push "dhcp-option DNS 192.168.0.1" +push "dhcp-option WINS 192.168.0.1" + +# Client should attempt reconnection on link +# failure. +keepalive 10 60 + +# Delete client instances after some period +# of inactivity. +inactive 600 + +# Route the --ifconfig pool range into the +# OpenVPN server. +route 10.8.0.0 255.255.255.0 + +# The server doesn't need privileges +user openvpn +group openvpn + +# Keep TUN devices and keys open across restarts. +persist-tun +persist-key + +verb 4 diff --git a/SPECS/openvpn.spec b/SPECS/openvpn.spec new file mode 100644 index 0000000..0f3130d --- /dev/null +++ b/SPECS/openvpn.spec @@ -0,0 +1,377 @@ +%define _hardened_build 1 + +# Build conditionals +# tests_long - Enabled by default, enables long running tests in %%check +%bcond_without tests_long + +Name: openvpn +Version: 2.5.7 +Release: 2%{?dist} +Summary: A full-featured TLS VPN solution +URL: https://community.openvpn.net/ +Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz +Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz.asc +Source2: roadwarrior-server.conf +Source3: roadwarrior-client.conf +# Upstream signing key +Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg +Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch +Patch2: 0001-Allow-running-a-default-configuration-with-TLS-libra.patch +Patch50: openvpn-2.4-change-tmpfiles-permissions.patch +License: GPLv2 +BuildRequires: gnupg2 +BuildRequires: gcc +BuildRequires: automake +BuildRequires: autoconf +BuildRequires: autoconf-archive +BuildRequires: libtool +BuildRequires: gettext +BuildRequires: lzo-devel +BuildRequires: lz4-devel +BuildRequires: make +BuildRequires: openssl-devel +BuildRequires: pkcs11-helper-devel >= 1.11 +BuildRequires: pam-devel +BuildRequires: libselinux-devel +BuildRequires: libcmocka-devel +BuildRequires: systemd +BuildRequires: systemd-devel + +%{?systemd_requires} +Requires(pre): /usr/sbin/useradd + +%if 0%{?rhel} > 7 || 0%{?fedora} > 29 +BuildRequires: python3-docutils +%else +# We cannot use python36-docutils on RHEL-7 as +# the ./configure script does not currently find +# the rst2man-3 executable, it only looks for rst2man +BuildRequires: python-docutils +%endif + +# For the perl_default_filter macro +BuildRequires: perl-macros + +# Filter out the perl(Authen::PAM) dependency. +# No perl dependency is really needed at all. +%{?perl_default_filter} + +%description +OpenVPN is a robust and highly flexible tunneling application that uses all +of the encryption, authentication, and certification features of the +OpenSSL library to securely tunnel IP networks over a single UDP or TCP +port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library +for compression. + +%package devel +Summary: Development headers and examples for OpenVPN plug-ins + +%description devel +OpenVPN can be extended through the --plugin option, which provides +possibilities to add specialized authentication, user accounting, +packet filtering and related features. These plug-ins need to be +written in C and provides a more low-level and information rich access +to similar features as the various script-hooks. + + +%prep +gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0} +%setup -q -n %{name}-%{version} +%patch1 -p1 -b .ch_default_cipher +%patch2 -p1 +%patch50 -p1 + +# %%doc items shouldn't be executable. +find contrib sample -type f -perm /100 \ + -exec chmod a-x {} \; + +%build +%configure \ + --enable-silent-rules \ + --with-crypto-library=openssl \ + --enable-pkcs11 \ + --enable-selinux \ + --enable-systemd \ + --enable-x509-alt-username \ + --enable-async-push \ + --docdir=%{_pkgdocdir} \ + SYSTEMD_UNIT_DIR=%{_unitdir} \ + TMPFILES_DIR=%{_tmpfilesdir} +%{__make} + +%check +# Test Crypto: +./src/openvpn/openvpn --genkey --secret key +./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key +./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key + +%if %{with tests_long} +# Randomize ports for tests to avoid conflicts on the build servers. +cport=$[ 50000 + ($RANDOM % 15534) ] +sport=$[ $cport + 1 ] +sed -e 's/^\(rport\) .*$/\1 '$sport'/' \ + -e 's/^\(lport\) .*$/\1 '$cport'/' \ + < sample/sample-config-files/loopback-client \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client +sed -e 's/^\(rport\) .*$/\1 '$cport'/' \ + -e 's/^\(lport\) .*$/\1 '$sport'/' \ + < sample/sample-config-files/loopback-server \ + > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server + +pushd sample +# Test SSL/TLS negotiations (runs for 2 minutes): +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client & +../src/openvpn/openvpn --config \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +wait +popd + +rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \ + %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server +%endif + +%install +%{__make} install DESTDIR=$RPM_BUILD_ROOT +find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f +mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server +cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/ + +# Create some directories the OpenVPN package should own +mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server} +mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name} + +# Package installs into %%{_pkgdocdir} directly +# Add various additional files +cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir} + +# Remove some files which does not really belong here +rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am} +rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch +rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys + +%pre +getent group openvpn &>/dev/null || groupadd -r openvpn +getent passwd openvpn &>/dev/null || \ + /usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \ + -d /etc/openvpn openvpn + +%post +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_post $srv +done + +%preun +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_preun $srv +done + +%postun +for srv in `systemctl | awk '/openvpn-client@.*\.service/{print $1} /openvpn-server@.*\.service/{print $1}'`; +do + %systemd_postun_with_restart $srv +done + + +%files +%{_pkgdocdir} +%exclude %{_pkgdocdir}/README.IPv6 +%exclude %{_pkgdocdir}/README.mbedtls +%exclude %{_pkgdocdir}/sample/sample-plugins +%{_mandir}/man8/%{name}.8* +%{_mandir}/man5/%{name}-*.5* +%{_sbindir}/%{name} +%{_libdir}/%{name}/ +%{_unitdir}/%{name}-client@.service +%{_unitdir}/%{name}-server@.service +%{_tmpfilesdir}/%{name}.conf +%config %dir %{_sysconfdir}/%{name}/ +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client +%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server +%attr(0750,-,openvpn) %{_rundir}/%{name}-client +%attr(0750,-,openvpn) %{_rundir}/%{name}-server +%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name} + +%files devel +%{_pkgdocdir}/sample/sample-plugins +%{_includedir}/openvpn-plugin.h +%{_includedir}/openvpn-msg.h + + +%changelog +* Tue May 31 2022 David Sommerseth - 2.5.7-2 +- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8) + https://patchwork.openvpn.net/patch/2504/ +- Removed BF-CBC from the --data-ciphers list. This is no longer available by default + in OpenSSL 3.0 + +* Tue May 31 2022 David Sommerseth - 2.5.7-1 +- Update to upstream OpenVPN 2.5.7 + +* Wed Mar 16 2022 David Sommerseth - 2.5.6-1 +- Update to upstream OpenVPN 2.5.6 +- Fixes CVE-2022-0547 + +* Thu Jan 27 2022 David Sommerseth - 2.5.5-4 +- Fix systemd related scriptlet error (#1887984) + +* Thu Jan 20 2022 Fedora Release Engineering - 2.5.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Dec 15 2021 David Sommerseth - 2.5.5-2 +- Rebuild of 2.5.5 + +* Wed Dec 15 2021 David Sommerseth - 2.5.5-1 +- Update to upstream OpenVPN 2.5.5 (#2032844) + +* Tue Oct 5 2021 David Sommerseth - 2.5.4-1 +- Update to upstream OpenVPN 2.5.4 +- Added new man page: openvpn-examples(5) + +* Tue Sep 14 2021 Sahana Prasad - 2.5.3-3 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Jul 22 2021 Fedora Release Engineering - 2.5.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jun 18 2021 David Sommerseth - 2.5.3-1 +- Update to upstream OpenVPN 2.5.3 +- Fixes CVE-2021-3606 + +* Wed Apr 21 2021 David Sommerseth - 2.5.2-1 +- Update to upstream OpenVPN 2.5.2 +- Fixes CVE-2020-15078 +- Replaces --ncp-ciphers with --data-ciphers in the server systemd service unit + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 2.5.1-2 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Wed Feb 24 2021 David Sommerseth - 2.5.1-1 +- Update to upstream OpenVPN 2.5.1 + +* Tue Jan 26 2021 Fedora Release Engineering - 2.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Oct 28 2020 David Sommerseth - 2.5.0-1 +- Update to upstream OpenVPN 2.5.0 + +* Tue Jul 28 2020 Fedora Release Engineering - 2.4.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Sun Apr 19 2020 David Sommerseth - 2.4.9-1 +- Update to upstream OpenVPN 2.4.9 + +* Wed Feb 12 2020 David Sommerseth - 2.4.8-3 +- Rebuilt to be linked against latest lzo (RHBZ#1802299) + +* Wed Jan 29 2020 Fedora Release Engineering - 2.4.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Nov 1 2019 David Sommerseth - 2.4.8-1 +- Updating to upstream OpenVPN 2.4.8 + +* Thu Jul 25 2019 Fedora Release Engineering - 2.4.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Feb 20 2019 David Sommerseth - 2.4.7-1 +- Updating to upstream OpenVPN 2.4.7 + +* Fri Feb 01 2019 Fedora Release Engineering - 2.4.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Oct 6 2018 David Sommerseth - 2.4.6-3 +- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends + +* Fri Jul 13 2018 Fedora Release Engineering - 2.4.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Apr 26 2018 David Sommerseth - 2.4.6-1 +- Updating to upstream, openvpn-2.4.6 + +* Thu Mar 1 2018 David Sommerseth - 2.4.5-1 +- Updating to upstream, openvpn-2.4.5 +- Package upstream ChangeLog, which contains a bit more details than Changes.rst +- Cleaned up spec file further, removed Group: tag, trimmed changelog section, + added gcc to BuildRequires. +- Excluded not relevant file, README.mbedtls +- Package upstream version of README.systemd +- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743) +- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated) +- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn + +* Thu Feb 08 2018 Fedora Release Engineering - 2.4.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 25 2018 Igor Gnatenko - 2.4.4-2 +- Fix systemd executions/requirements + +* Tue Sep 26 2017 David Sommerseth - 2.4.4-1 +- Update to upstream openvpn-2.4.4 +- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166} + +* Fri Aug 4 2017 David Sommerseth - 2.4.3-4 +- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270) + +* Thu Aug 03 2017 Fedora Release Engineering - 2.4.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 2.4.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jun 21 2017 David Sommerseth - 2.4.3-1 +- Updating to upstream openvpn-2.4.3 +- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508} +- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520} +- Fix potential double-free in --x509-alt-username {CVE-2017-7521} +- Fix remote-triggerable memory leaks {CVE-2017-7521} +- Ensure OpenVPN systemd services are restarted upon upgrades +- Verify PGP signature of source tarball as part of package building +- Build against system lz4 library + +* Fri May 12 2017 David Sommerseth - 2.4.2-2 +- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601) +- Install and take ownership of /var/lib/openvpn (rhbz#922786) + +* Thu May 11 2017 David Sommerseth - 2.4.2-1 +- Updating to upstream openvpn-2.4.2 +- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468) +- Re-enabling --enable-x509-alt-username (rhbz#1443942) +- Add --enable-selinux +- Build with lz4 library from Fedora + +* Wed Mar 29 2017 David Sommerseth - 2.4.1-3 +- Splitting out -devel files into a separate package +- Removed several contrib and sample files which makes is not + strictly needed in this package. +- build: Enable tests runs by default, long running tests can + be disabled with "--without tests_long" +- build: Removed defined %%{plugins} macro not in use + +* Fri Mar 24 2017 David Sommerseth - 2.4.1-2 +- Various cleanups +- Use systemd-rpm macros (rhbz #850257) +- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service +- Added README.systemd describing new systemd unit files + +* Thu Mar 23 2017 David Sommerseth - 2.4.1-1 +- Updating to upstream release, v2.4.1 +- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1 + and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile) +- Removed no-functional ./configure options +- Use upstream tmfiles.d/openvpn +- Package newer openvpn-client/server@.service unit files + +* Thu Feb 09 2017 Jon Ciesla 2.4.0-2 +- Move to mbedtls to resolve FTBFS. +- Dropped, re-add once openvpn supports openssl 1.1.x +- --enable-pkcs11 \ +- --enable-x509-alt-username \ + +* Tue Dec 27 2016 Jon Ciesla 2.4.0-1 +- 2.4.0. +