|
|
b871210 |
%define _hardened_build 1
|
|
|
b466ea7 |
#define prerelease rc22
|
|
|
38a33b7 |
|
|
|
ba1a3a7 |
# Build conditionals
|
|
|
ba1a3a7 |
# tests_long - Enabled by default, enables long running tests in %%check
|
|
|
ba1a3a7 |
%bcond_without tests_long
|
|
|
5994929 |
|
|
|
5994929 |
Name: openvpn
|
|
|
29b5c37 |
Version: 2.4.9
|
|
|
bdd157e |
Release: 1%{?prerelease:.%{prerelease}}%{?dist}
|
|
|
5994929 |
Summary: A full-featured SSL VPN solution
|
|
|
9831998 |
URL: https://community.openvpn.net/
|
|
|
bdd157e |
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
|
|
|
bdd157e |
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
|
|
|
5994929 |
Source2: roadwarrior-server.conf
|
|
|
5994929 |
Source3: roadwarrior-client.conf
|
|
|
31847e1 |
# Upstream signing key
|
|
|
31847e1 |
Source6: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
|
|
|
b931012 |
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
|
|
|
b97c97b |
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
|
|
|
6fa9826 |
License: GPLv2
|
|
|
2b76cca |
BuildRequires: gnupg2
|
|
|
b97c97b |
BuildRequires: gcc
|
|
|
ef86d1d |
BuildRequires: systemd-devel
|
|
|
5994929 |
BuildRequires: lzo-devel
|
|
|
6d9dbb8 |
BuildRequires: lz4-devel
|
|
|
31847e1 |
BuildRequires: openssl-devel
|
|
|
31847e1 |
BuildRequires: pkcs11-helper-devel >= 1.11
|
|
|
5994929 |
BuildRequires: pam-devel
|
|
|
b97c97b |
BuildRequires: libselinux-devel
|
|
|
58e2bd8 |
# For the perl_default_filter macro
|
|
|
58e2bd8 |
BuildRequires: perl-macros
|
|
|
31847e1 |
BuildRequires: systemd
|
|
|
5fd6cc8 |
%{?systemd_requires}
|
|
|
69624a3 |
# For /sbin/ip.
|
|
|
69624a3 |
BuildRequires: iproute
|
|
|
69624a3 |
Requires: iproute
|
|
|
5994929 |
Requires(pre): /usr/sbin/useradd
|
|
|
5994929 |
|
|
|
5994929 |
# Filter out the perl(Authen::PAM) dependency.
|
|
|
5994929 |
# No perl dependency is really needed at all.
|
|
|
58e2bd8 |
%{?perl_default_filter}
|
|
|
5994929 |
|
|
|
5994929 |
%description
|
|
|
5994929 |
OpenVPN is a robust and highly flexible tunneling application that uses all
|
|
|
5994929 |
of the encryption, authentication, and certification features of the
|
|
|
5994929 |
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
|
|
|
ba1a3a7 |
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
|
|
|
5994929 |
for compression.
|
|
|
5994929 |
|
|
|
ba1a3a7 |
%package devel
|
|
|
ba1a3a7 |
Summary: Development headers and examples for OpenVPN plug-ins
|
|
|
ba1a3a7 |
|
|
|
ba1a3a7 |
%description devel
|
|
|
ba1a3a7 |
OpenVPN can be extended through the --plugin option, which provides
|
|
|
ba1a3a7 |
possibilities to add specialized authentication, user accounting,
|
|
|
ba1a3a7 |
packet filtering and related features. These plug-ins need to be
|
|
|
ba1a3a7 |
written in C and provides a more low-level and information rich access
|
|
|
ba1a3a7 |
to similar features as the various script-hooks.
|
|
|
ba1a3a7 |
|
|
|
ba1a3a7 |
|
|
|
5994929 |
%prep
|
|
|
31847e1 |
gpgv2 --quiet --keyring %{SOURCE6} %{SOURCE1} %{SOURCE0}
|
|
|
38a33b7 |
%setup -q -n %{name}-%{version}%{?prerelease:_%{prerelease}}
|
|
|
b931012 |
%patch1 -p1 -b .ch_default_cipher
|
|
|
b97c97b |
%patch50 -p1
|
|
|
a0543cc |
|
|
|
f3eed52 |
sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
|
|
|
5994929 |
|
|
|
2fc8e30 |
# %%doc items shouldn't be executable.
|
|
|
f0c58f1 |
find contrib sample -type f -perm /100 \
|
|
|
2fc8e30 |
-exec chmod a-x {} \;
|
|
|
2fc8e30 |
|
|
|
5994929 |
%build
|
|
|
fe724ad |
%configure \
|
|
|
fe724ad |
--enable-iproute2 \
|
|
|
6d9dbb8 |
--with-crypto-library=openssl \
|
|
|
6d9dbb8 |
--enable-pkcs11 \
|
|
|
a9b2582 |
--enable-selinux \
|
|
|
035df29 |
--enable-systemd \
|
|
|
6d9dbb8 |
--enable-x509-alt-username \
|
|
|
2bb4f27 |
--enable-async-push \
|
|
|
9831998 |
--docdir=%{_pkgdocdir} \
|
|
|
9831998 |
SYSTEMD_UNIT_DIR=%{_unitdir} \
|
|
|
a9b2582 |
TMPFILES_DIR=%{_tmpfilesdir} \
|
|
|
a9b2582 |
IPROUTE=/sbin/ip
|
|
|
5994929 |
%{__make}
|
|
|
5994929 |
|
|
|
ba1a3a7 |
%check
|
|
|
ba1a3a7 |
# Test Crypto:
|
|
|
ba1a3a7 |
./src/openvpn/openvpn --genkey --secret key
|
|
|
b97c97b |
./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
|
|
|
b97c97b |
./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
|
|
|
b97c97b |
./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
|
|
|
b97c97b |
./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key
|
|
|
ba1a3a7 |
|
|
|
ba1a3a7 |
%if %{with tests_long}
|
|
|
ba1a3a7 |
# Randomize ports for tests to avoid conflicts on the build servers.
|
|
|
ba1a3a7 |
cport=$[ 50000 + ($RANDOM % 15534) ]
|
|
|
ba1a3a7 |
sport=$[ $cport + 1 ]
|
|
|
ba1a3a7 |
sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
|
|
|
ba1a3a7 |
-e 's/^\(lport\) .*$/\1 '$cport'/' \
|
|
|
ba1a3a7 |
< sample/sample-config-files/loopback-client \
|
|
|
ba1a3a7 |
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
|
|
|
ba1a3a7 |
sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
|
|
|
ba1a3a7 |
-e 's/^\(lport\) .*$/\1 '$sport'/' \
|
|
|
ba1a3a7 |
< sample/sample-config-files/loopback-server \
|
|
|
ba1a3a7 |
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
|
|
ba1a3a7 |
|
|
|
ba1a3a7 |
pushd sample
|
|
|
ba1a3a7 |
# Test SSL/TLS negotiations (runs for 2 minutes):
|
|
|
ba1a3a7 |
../src/openvpn/openvpn --config \
|
|
|
ba1a3a7 |
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
|
|
|
ba1a3a7 |
../src/openvpn/openvpn --config \
|
|
|
ba1a3a7 |
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
|
|
ba1a3a7 |
wait
|
|
|
ba1a3a7 |
popd
|
|
|
ba1a3a7 |
|
|
|
ba1a3a7 |
rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
|
|
|
ba1a3a7 |
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
|
|
|
ba1a3a7 |
%endif
|
|
|
7995a20 |
|
|
|
5994929 |
%install
|
|
|
f3eed52 |
%{__make} install DESTDIR=$RPM_BUILD_ROOT
|
|
|
f3eed52 |
find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
|
|
|
a9b2582 |
mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
|
|
|
a9b2582 |
cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
|
|
|
5994929 |
|
|
|
28587b8 |
# Create some directories the OpenVPN package should own
|
|
|
b97c97b |
mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
|
|
|
28587b8 |
mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
|
|
|
28587b8 |
|
|
|
035df29 |
# Package installs into %%{_pkgdocdir} directly
|
|
|
b97c97b |
# Add various additional files
|
|
|
b97c97b |
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
|
|
|
035df29 |
|
|
|
ba1a3a7 |
# Remove some files which does not really belong here
|
|
|
ba1a3a7 |
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
|
|
|
ba1a3a7 |
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
|
|
|
ba1a3a7 |
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
|
|
|
5994929 |
|
|
|
5994929 |
%pre
|
|
|
03e60ef |
getent group openvpn &>/dev/null || groupadd -r openvpn
|
|
|
03e60ef |
getent passwd openvpn &>/dev/null || \
|
|
|
03e60ef |
/usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
|
|
|
03e60ef |
-d /etc/openvpn openvpn
|
|
|
5994929 |
|
|
|
5994929 |
%post
|
|
|
a9b2582 |
%systemd_post openvpn-client@\*.service
|
|
|
a9b2582 |
%systemd_post openvpn-server@\*.service
|
|
|
5994929 |
|
|
|
5994929 |
%preun
|
|
|
a9b2582 |
%systemd_preun openvpn-client@\*.service
|
|
|
a9b2582 |
%systemd_preun openvpn-server@\*.service
|
|
|
5994929 |
|
|
|
5994929 |
%postun
|
|
|
31847e1 |
%systemd_postun_with_restart openvpn-client@\*.service
|
|
|
31847e1 |
%systemd_postun_with_restart openvpn-server@\*.service
|
|
|
31847e1 |
%systemd_postun_with_restart openvpn@\*.service
|
|
|
8b3e151 |
|
|
|
5994929 |
%files
|
|
|
035df29 |
%{_pkgdocdir}
|
|
|
035df29 |
%exclude %{_pkgdocdir}/README.IPv6
|
|
|
b97c97b |
%exclude %{_pkgdocdir}/README.mbedtls
|
|
|
ba1a3a7 |
%exclude %{_pkgdocdir}/sample/sample-plugins
|
|
|
5994929 |
%{_mandir}/man8/%{name}.8*
|
|
|
5994929 |
%{_sbindir}/%{name}
|
|
|
170f728 |
%{_libdir}/%{name}/
|
|
|
9831998 |
%{_unitdir}/%{name}-client@.service
|
|
|
9831998 |
%{_unitdir}/%{name}-server@.service
|
|
|
9831998 |
%{_tmpfilesdir}/%{name}.conf
|
|
|
5994929 |
%config %dir %{_sysconfdir}/%{name}/
|
|
|
b97c97b |
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
|
|
|
b97c97b |
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
|
|
|
b97c97b |
%attr(0750,-,openvpn) %{_rundir}/%{name}-client
|
|
|
b97c97b |
%attr(0750,-,openvpn) %{_rundir}/%{name}-server
|
|
|
28587b8 |
%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
|
|
|
a9b2582 |
|
|
|
ba1a3a7 |
%files devel
|
|
|
ba1a3a7 |
%{_pkgdocdir}/sample/sample-plugins
|
|
|
ba1a3a7 |
%{_includedir}/openvpn-plugin.h
|
|
|
ba1a3a7 |
%{_includedir}/openvpn-msg.h
|
|
|
ba1a3a7 |
|
|
|
5994929 |
|
|
|
5994929 |
%changelog
|
|
|
29b5c37 |
* Sun Apr 19 2020 David Sommerseth <dazo@eurephia.org> - 2.4.9-1
|
|
|
29b5c37 |
- Update to upstream OpenVPN 2.4.9
|
|
|
29b5c37 |
|
|
|
e1fba55 |
* Fri Nov 1 2019 David Sommerseth <dazo@eurephia.org> - 2.4.8-1
|
|
|
e1fba55 |
- Updating to upstream OpenVPN 2.4.8
|
|
|
e1fba55 |
|
|
|
bdd157e |
* Wed Feb 20 2019 David Sommerseth <dazo@eurephia.org> - 2.4.7-1
|
|
|
bdd157e |
- Updating to upstream OpenVPN 2.4.7
|
|
|
bdd157e |
|
|
|
f9b0e35 |
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-4
|
|
|
f9b0e35 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
|
f9b0e35 |
|
|
|
2bb4f27 |
* Sat Oct 6 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-3
|
|
|
2bb4f27 |
- Enable the asynchronous push feature, which can improve connect speeds with slow authentication backends
|
|
|
2bb4f27 |
|
|
|
a312456 |
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.6-2
|
|
|
a312456 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
|
a312456 |
|
|
|
fb44c29 |
* Thu Apr 26 2018 David Sommerseth <dazo@eurephia.org> - 2.4.6-1
|
|
|
fb44c29 |
- Updating to upstream, openvpn-2.4.6
|
|
|
fb44c29 |
|
|
|
2b76cca |
* Thu Mar 1 2018 David Sommerseth <dazo@eurephia.org> - 2.4.5-1
|
|
|
b97c97b |
- Updating to upstream, openvpn-2.4.5
|
|
|
b97c97b |
- Package upstream ChangeLog, which contains a bit more details than Changes.rst
|
|
|
b97c97b |
- Cleaned up spec file further, removed Group: tag, trimmed changelog section,
|
|
|
b97c97b |
added gcc to BuildRequires.
|
|
|
b97c97b |
- Excluded not relevant file, README.mbedtls
|
|
|
b97c97b |
- Package upstream version of README.systemd
|
|
|
b97c97b |
- Fix wrong group owner of /etc/openvpn/{client,server} (rhbz#1526743)
|
|
|
b97c97b |
- Changed crypto self-test to test AES-{128,256}-{CBC,GCM} instead of only BF-CBC (deprecated)
|
|
|
b97c97b |
- Change /run/openvpn-{client,server} permissions to be 0750 instead of 0710, with group set to openvpn
|
|
|
b97c97b |
|
|
|
2fbbe11 |
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.4-3
|
|
|
2fbbe11 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
|
2fbbe11 |
|
|
|
5fd6cc8 |
* Thu Jan 25 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.4-2
|
|
|
5fd6cc8 |
- Fix systemd executions/requirements
|
|
|
5fd6cc8 |
|
|
|
95cb196 |
* Tue Sep 26 2017 David Sommerseth <dazo@eurephia.org> - 2.4.4-1
|
|
|
b97c97b |
- Update to upstream openvpn-2.4.4
|
|
|
95cb196 |
- Includes fix for possible stack overflow if --key-method 1 is used {CVE-2017-12166}
|
|
|
95cb196 |
|
|
|
b931012 |
* Fri Aug 4 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-4
|
|
|
a8edf31 |
- Change to AES-GCM as the default cipher for server configurations (rhbz#1479270)
|
|
|
b931012 |
|
|
|
ab274d2 |
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-3
|
|
|
ab274d2 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
|
|
ab274d2 |
|
|
|
fd5576f |
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
|
|
|
fd5576f |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
|
fd5576f |
|
|
|
31847e1 |
* Wed Jun 21 2017 David Sommerseth <dazo@eurephia.org> - 2.4.3-1
|
|
|
31847e1 |
- Updating to upstream openvpn-2.4.3
|
|
|
31847e1 |
- Fix remotely-triggerable ASSERT() on malformed IPv6 packet {CVE-2017-7508}
|
|
|
b931012 |
- Prevent two kinds of stack buffer OOB reads and a crash for invalid input data {CVE-2017-7520}
|
|
|
31847e1 |
- Fix potential double-free in --x509-alt-username {CVE-2017-7521}
|
|
|
31847e1 |
- Fix remote-triggerable memory leaks {CVE-2017-7521}
|
|
|
31847e1 |
- Ensure OpenVPN systemd services are restarted upon upgrades
|
|
|
31847e1 |
- Verify PGP signature of source tarball as part of package building
|
|
|
31847e1 |
- Build against system lz4 library
|
|
|
31847e1 |
|
|
|
28587b8 |
* Fri May 12 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-2
|
|
|
28587b8 |
- Install and take ownership of /run/openvpn-{client,server} (rhbz#1444601)
|
|
|
28587b8 |
- Install and take ownership of /var/lib/openvpn (rhbz#922786)
|
|
|
28587b8 |
|
|
|
6d9dbb8 |
* Thu May 11 2017 David Sommerseth <dazo@eurephia.org> - 2.4.2-1
|
|
|
b97c97b |
- Updating to upstream openvpn-2.4.2
|
|
|
6d9dbb8 |
- Switching back to OpenSSL, using compat-openssl10 (rhbz#1443749, rhbz#1432125, rhbz#1440468)
|
|
|
6d9dbb8 |
- Re-enabling --enable-x509-alt-username (rhbz#1443942)
|
|
|
6d9dbb8 |
- Add --enable-selinux
|
|
|
6d9dbb8 |
- Build with lz4 library from Fedora
|
|
|
6d9dbb8 |
|
|
|
ba1a3a7 |
* Wed Mar 29 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-3
|
|
|
ba1a3a7 |
- Splitting out -devel files into a separate package
|
|
|
ba1a3a7 |
- Removed several contrib and sample files which makes is not
|
|
|
ba1a3a7 |
strictly needed in this package.
|
|
|
ba1a3a7 |
- build: Enable tests runs by default, long running tests can
|
|
|
ba1a3a7 |
be disabled with "--without tests_long"
|
|
|
ba1a3a7 |
- build: Removed defined %%{plugins} macro not in use
|
|
|
ba1a3a7 |
|
|
|
a9b2582 |
* Fri Mar 24 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-2
|
|
|
a9b2582 |
- Various cleanups
|
|
|
a9b2582 |
- Use systemd-rpm macros (rhbz #850257)
|
|
|
a9b2582 |
- Removed the deprecated openvpn@.service unit. Replaced by openvpn-{client,server}@.service
|
|
|
a9b2582 |
- Added README.systemd describing new systemd unit files
|
|
|
a9b2582 |
|
|
|
9831998 |
* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
|
|
|
9831998 |
- Updating to upstream release, v2.4.1
|
|
|
9831998 |
- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
|
|
|
9831998 |
and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
|
|
|
9831998 |
- Removed no-functional ./configure options
|
|
|
9831998 |
- Use upstream tmfiles.d/openvpn
|
|
|
9831998 |
- Package newer openvpn-client/server@.service unit files
|
|
|
9831998 |
|
|
|
9c007f5 |
* Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-2
|
|
|
9c007f5 |
- Move to mbedtls to resolve FTBFS.
|
|
|
9c007f5 |
- Dropped, re-add once openvpn supports openssl 1.1.x
|
|
|
9c007f5 |
- --enable-pkcs11 \
|
|
|
9c007f5 |
- --enable-x509-alt-username \
|
|
|
9c007f5 |
|
|
|
c58337e |
* Tue Dec 27 2016 Jon Ciesla <limburgher@gmail.com> 2.4.0-1
|
|
|
c58337e |
- 2.4.0.
|
|
|
c58337e |
|