Compare commits

1 Commits
main ... 1.1

8 changed files with 26 additions and 438 deletions

BIN
openvpn-2.6.10.tar.gz (Stored with Git LFS)



@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEvlj1OdBZuAYxwSlKQdIJZcLoLccFAmX6sakACgkQQdIJZcLo
LcemTxAA5fwUDLHWQjE9Mf86NZbRup6aSo5S751pou/bcVYWQVbYqjFJIgdJEY7r
HS4cKlOmJ74S5SqALwqmD4lqUP1LfGocvHUR1ACXppm/rtebWa3upRRI3/svBhp2
6IqQjW0gkiDib56mKn2RFkyLkUiWpBOW15gqe/NgRjoVlIaCCQuvZhii8fAHMHzS
HeJrTmdmbINTyVr6Ag4hZS+rKivVXR3j8z2YTuTwH1NPmCuclyoODRSv7rL3A1tU
wiol0go/aLaDXx1EEnGtHrPtWjA6Gti1pDbteQBKn4Q9v2svuhFncyeux0R9a2Jk
FLWXLZGI5JOQOTvuIrRnGBuUCpbhJalHQHtgKgNzhIqfToHfIYgc+2gQYSh4pDYi
rZVMdws9lNqWctSLAeyCyojpYGiL3YU4tnORGzsqypszzznk/JtlkTb6rjGxrh3w
Ejg5rE7cwgNstGqEaHihJaHG7mnnazZ9US3J1DFcg9NgpDD2Y7Gate6E2GEtmSFg
BoLUK1tRRl9GayEc8mKN+ThzcW9U1YOzMdZTIRQX9ToaqHdMdpeOGV1+dwYqMT+e
dYrmEO1COqvfp5Qxk+Q+fFBvUluMM7PQ1w0ncyTRn7jdlxdDu4XB9CfBP5fvXvwl
teabifAm0iglOeCEYdUWtgYSkvebu1FaIhh1w3I1uQwrKOF7ZXM=
=6sO3
-----END PGP SIGNATURE-----

BIN
openvpn-2.6.8.tar.gz (Stored with Git LFS) Normal file


16
openvpn-2.6.8.tar.gz.asc Normal file

@@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=kOZ8
-----END PGP SIGNATURE-----


@@ -1,87 +0,0 @@
diff -Naurp src.orig/openvpn/forward.c src/openvpn/forward.c
--- src.orig/openvpn/forward.c 2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/forward.c 2024-10-18 08:52:38.695704757 +0200
@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
}
/*
- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
*/
-void
-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
{
+ const int n_seconds = c->options.scheduled_exit_interval;
+ /* don't reschedule if already scheduled. */
+ if (event_timeout_defined(&c->c2.scheduled_exit))
+ {
+ return false;
+ }
tls_set_single_session(c->c2.tls_multi);
update_time();
reset_coarse_timers(c);
event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
- c->c2.scheduled_exit_signal = signal;
+ c->c2.scheduled_exit_signal = SIGTERM;
msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+ return true;
}
/*
diff -Naurp src.orig/openvpn/forward.h src/openvpn/forward.h
--- src.orig/openvpn/forward.h 2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/forward.h 2024-10-18 08:53:26.223161629 +0200
@@ -302,7 +302,7 @@ void reschedule_multi_process(struct con
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);
static inline struct link_socket_info *
get_link_socket_info(struct context *c)
diff -Naurp src.orig/openvpn/push.c src/openvpn/push.c
--- src.orig/openvpn/push.c 2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/push.c 2024-10-18 09:18:53.861388522 +0200
@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
* */
if (c->options.mode == MODE_SERVER)
{
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+ if(!schedule_exit(c))
+ {
+ /* Return early when we don't need to notify management */
+ return;
+ }
}
else
{
@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
void
send_auth_failed(struct context *c, const char *client_reason)
{
- if (event_timeout_defined(&c->c2.scheduled_exit))
+ if (!schedule_exit(c))
{
msg(D_TLS_DEBUG, "exit already scheduled for context");
return;
@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, cons
static const char auth_failed[] = "AUTH_FAILED";
size_t len;
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-
len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
if (len > PUSH_BUNDLE_SIZE)
{
@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_mu
void
send_restart(struct context *c, const char *kill_msg)
{
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+ schedule_exit(c);
send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
}


@@ -1,214 +0,0 @@
--- src.orig/openvpn/buffer.c 2025-01-22 09:11:26.945102537 +0100
+++ src/openvpn/buffer.c 2025-01-22 09:15:18.992145494 +0100
@@ -1113,6 +1113,21 @@
return ret;
}
+bool
+string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive)
+{
+ ASSERT(buf);
+ for (int i = 0; i < BLEN(buf); i++)
+ {
+ char c = BSTR(buf)[i];
+ if (!char_inc_exc(c, inclusive, exclusive))
+ {
+ return false;
+ }
+ }
+ return true;
+}
+
const char *
string_mod_const(const char *str,
const unsigned int inclusive,
--- src.orig/openvpn/buffer.h 2025-01-22 09:11:26.945102537 +0100
+++ src/openvpn/buffer.h 2025-01-22 09:16:50.090383898 +0100
@@ -944,6 +944,17 @@
bool string_class(const char *str, const unsigned int inclusive, const unsigned int exclusive);
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace);
+/**
+ * Check a buffer if it only consists of allowed characters.
+ *
+ * @param buf The buffer to be checked.
+ * @param inclusive The character classes that are allowed.
+ * @param exclusive Character classes that are not allowed even if they are also in inclusive.
+ * @return True if the string consists only of allowed characters, false otherwise.
+ */
+bool
+string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive);
+
const char *string_mod_const(const char *str,
const unsigned int inclusive,
--- src.orig/openvpn/forward.c 2025-01-22 09:11:26.948102576 +0100
+++ src/openvpn/forward.c 2025-01-22 09:27:02.718712050 +0100
@@ -230,6 +230,52 @@
}
}
+static void
+parse_incoming_control_channel_command(struct context *c, struct buffer *buf)
+{
+ if (buf_string_match_head_str(buf, "AUTH_FAILED"))
+ {
+ receive_auth_failed(c, buf);
+ }
+ else if (buf_string_match_head_str(buf, "PUSH_"))
+ {
+ incoming_push_message(c, buf);
+ }
+ else if (buf_string_match_head_str(buf, "RESTART"))
+ {
+ server_pushed_signal(c, buf, true, 7);
+ }
+ else if (buf_string_match_head_str(buf, "HALT"))
+ {
+ server_pushed_signal(c, buf, false, 4);
+ }
+ else if (buf_string_match_head_str(buf, "INFO_PRE"))
+ {
+ server_pushed_info(c, buf, 8);
+ }
+ else if (buf_string_match_head_str(buf, "INFO"))
+ {
+ server_pushed_info(c, buf, 4);
+ }
+ else if (buf_string_match_head_str(buf, "CR_RESPONSE"))
+ {
+ receive_cr_response(c, buf);
+ }
+ else if (buf_string_match_head_str(buf, "AUTH_PENDING"))
+ {
+ receive_auth_pending(c, buf);
+ }
+ else if (buf_string_match_head_str(buf, "EXIT"))
+ {
+ receive_exit_message(c);
+ }
+ else
+ {
+ msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf));
+ }
+}
+
+
/*
* Handle incoming configuration
* messages on the control channel.
@@ -245,51 +291,37 @@
struct buffer buf = alloc_buf_gc(len, &gc);
if (tls_rec_payload(c->c2.tls_multi, &buf))
{
- /* force null termination of message */
- buf_null_terminate(&buf);
-
- /* enforce character class restrictions */
- string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0);
-
- if (buf_string_match_head_str(&buf, "AUTH_FAILED"))
- {
- receive_auth_failed(c, &buf);
- }
- else if (buf_string_match_head_str(&buf, "PUSH_"))
- {
- incoming_push_message(c, &buf);
- }
- else if (buf_string_match_head_str(&buf, "RESTART"))
- {
- server_pushed_signal(c, &buf, true, 7);
- }
- else if (buf_string_match_head_str(&buf, "HALT"))
- {
- server_pushed_signal(c, &buf, false, 4);
- }
- else if (buf_string_match_head_str(&buf, "INFO_PRE"))
- {
- server_pushed_info(c, &buf, 8);
- }
- else if (buf_string_match_head_str(&buf, "INFO"))
- {
- server_pushed_info(c, &buf, 4);
- }
- else if (buf_string_match_head_str(&buf, "CR_RESPONSE"))
- {
- receive_cr_response(c, &buf);
- }
- else if (buf_string_match_head_str(&buf, "AUTH_PENDING"))
- {
- receive_auth_pending(c, &buf);
- }
- else if (buf_string_match_head_str(&buf, "EXIT"))
- {
- receive_exit_message(c);
- }
- else
+ while (BLEN(&buf) > 1)
{
- msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf));
+ /* commands on the control channel are seperated by 0x00 bytes.
+ * cmdlen does not include the 0 byte of the string */
+ int cmdlen = (int)strnlen(BSTR(&buf), BLEN(&buf));
+ if (cmdlen < BLEN(&buf))
+ {
+ /* include the NUL byte and ensure NUL termination */
+ int cmdlen = (int)strlen(BSTR(&buf)) + 1;
+ /* Construct a buffer that only holds the current command and
+ * its closing NUL byte */
+ struct buffer cmdbuf = alloc_buf_gc(cmdlen, &gc);
+ buf_write(&cmdbuf, BPTR(&buf), cmdlen);
+ /* check we have only printable characters or null byte in the
+ * command string and no newlines */
+ if (!string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF))
+ {
+ msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s",
+ format_hex(BPTR(&buf), BLEN(&buf), 256, &gc));
+ }
+ else
+ {
+ parse_incoming_control_channel_command(c, &cmdbuf);
+ }
+ }
+ else
+ {
+ msg(D_PUSH_ERRORS, "WARNING: Ignoring control channel "
+ "message command without NUL termination");
+ }
+ buf_advance(&buf, cmdlen);
}
}
else
--- tests.orig/unit_tests/openvpn/test_buffer.c 2025-01-22 09:11:56.003473042 +0100
+++ tests/unit_tests/openvpn/test_buffer.c 2025-01-22 09:30:26.633484093 +0100
@@ -259,6 +259,22 @@
gc_free(&gc);
}
+static void
+test_character_string_mod_buf(void **state)
+{
+ struct gc_arena gc = gc_new();
+ struct buffer buf = alloc_buf_gc(1024, &gc);
+ const char test1[] = "There is a nice 1234\x00 year old tree!";
+ buf_write(&buf, test1, sizeof(test1));
+ /* allow the null bytes and string but not the ! */
+ assert_false(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, 0));
+ /* remove final ! and null byte to pass */
+ buf_inc_len(&buf, -2);
+ assert_true(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, 0));
+ /* Check excluding digits works */
+ assert_false(string_check_buf(&buf, CC_ALNUM | CC_SPACE | CC_NULL, CC_DIGIT));
+ gc_free(&gc);
+}
int
main(void)
@@ -289,6 +305,7 @@
cmocka_unit_test(test_buffer_free_gc_one),
cmocka_unit_test(test_buffer_free_gc_two),
cmocka_unit_test(test_buffer_gc_realloc),
+ cmocka_unit_test(test_character_string_mod_buf)
};
return cmocka_run_group_tests_name("buffer", tests, NULL, NULL);
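Review bot: The 1.1 side of this compare has no counterpart to this patch file (the whole `@@ -1,214 +0,0 @@` section is removed), and the spec section further down loses the `Patch2: openvpn-CVE-2024-28882.patch` and `Patch3: openvpn-CVE-2024-5594.patch` lines while `Version:` goes from 2.6.10 back to 2.6.8 by the hunk counts, so a package built from 1.1 ships without the control-channel hardening this patch carries (the NUL-separated command loop and the `string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF)` character-class check in forward.c/buffer.c) and without the `schedule_exit()` de-duplication in the CVE-2024-28882 patch section above. The changelog section that documents both fixes is dropped on the 1.1 side as well, so nothing in the tree records that they are missing. If 1.1 is meant to be a buildable branch, it needs either the 2.6.10 update with both patches or a backport of them against 2.6.8 before anything is built from it. The removed file itself is history and not re-reviewed here; the point is the resulting state of the 1.1 tree.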


@@ -1,100 +1,3 @@
-------------------------------------------------------------------
Wed Jan 22 16:35:27 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
- Drop rcFOO symlinks for CODE16 (PED-266).
-------------------------------------------------------------------
Wed Jan 22 08:55:44 UTC 2025 - Rahul Jain <rahul.jain@suse.com>
- FIX:VUL-0 CVE-2024-5594: openvpn: properly handle null bytes and
invalid characters in control messages(bsc#1235147 CVE-2024-5594)
Patchname:openvpn-CVE-2024-5594.patch
-------------------------------------------------------------------
Fri Dec 20 08:13:18 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Set %_buildshell because of bashisms in build recipe
- Replace over-the-top `find -exec rm` by just -delete
-------------------------------------------------------------------
Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
- Fix multiple exit notifications from authenticated clients will
extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
Patchname:openvpn-CVE-2024-28882.patch
-------------------------------------------------------------------
Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
if libnl >= 3.4 is available
-------------------------------------------------------------------
Thu Mar 21 08:33:45 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>
- update to 2.6.10:
* t_client.sh can now run pre-tests and skip a test block if needed
(e.g. skip NTLM proxy tests if SSL library does not support MD4)
* Compression: minor bugfix in checking option consistency vs.
compiled-in algorithm support
* systemd unit files: remove obsolete syslog.target
-------------------------------------------------------------------
Mon Feb 26 12:50:07 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %autosetup macro. Allows to eliminate the usage of deprecated
PatchN.
-------------------------------------------------------------------
Mon Feb 12 18:00:47 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>
- update to 2.6.9:
* Remove unused function prototype crypto_adjust_frame_parameters
* Log SSL alerts more prominently
* Document tls-exit option mainly as test option
* Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
* Fix check_session_buf_not_used using wrong index
* Add missing check for nl_socket_alloc failure
* Add check for nice in cmake config
* Remove compat versionhelpers.h and remove cmake/configure check for it
* Extend the error message when TLS 1.0 PRF fails
* Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
* Check PRF availability on initialisation and add --force-tls-key-material-export
* Make it more explicit and visible when pkg-config is not found
* Clarify that the tls-crypt-v2-verify has a very limited env set
* Implement the --tls-export-cert feature
* Remove conditional text for Apache2 linking exception
* Remove --tls-export-cert
* Remove superfluous x509_write_pem()
* sample-keys: renew for the next 10 years
* GHA: clean up libressl builds with newer libressl
* configure.ac: Remove unused AC_TYPE_SIGNAL macro
* documentation: remove reference to removed option --show-proxy-settings
* unit_tests: remove includes for mock_msg.h
* documentation: improve documentation of --x509-track
* NTLM: add length check to add_security_buffer
* NTLM: increase size of phase 2 response we can handle
* proxy-options.rst: Add proper documentation for --http-proxy-user-pass
* buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
* --http-proxy-user-pass: allow to specify in either order with --http-proxy
* README.cmake.md: Document minimum required CMake version for --preset
* documentation: Update and fix documentation for --push-peer-info
* documentation: Fixes for previous fixes to --push-peer-info
* OpenBSD: repair --show-gateway
* get_default_gateway() HWADDR overhaul
* fix uncrustify complaints about previous patch
* preparing release 2.6.9
* dco-freebsd: dynamically re-allocate buffer if it's too small
* tun.c: don't attempt to delete DNS and WINS servers if they're not set
* vcpkg-ports/pkcs11-helper: bump to version 1.30
* Add support for mbedtls 3.X.Y
* Update README.mbedtls
* Disable TLS 1.3 support with mbed TLS
* Enable key export with mbed TLS 3.x.y
* protocol_dump: tls-crypt support
* Fix IPv6 route add/delete message log level
* fix(ssl): init peer_id when init tls_multi
-------------------------------------------------------------------
Mon Nov 20 07:15:13 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>


@@ -1,7 +1,7 @@
#
# spec file for package openvpn
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,12 +16,11 @@
#
%define _buildshell /bin/bash
%if ! %{defined _rundir}
%define _rundir %{_localstatedir}/run
%endif
Name: openvpn
Version: 2.6.10
Version: 2.6.8
Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: GPL-2.0-only WITH openvpn-openssl-exception
@@ -38,8 +37,6 @@ Source9: %{name}.target
Source10: %{name}-tmpfile.conf
Source11: rc%{name}
Patch1: %{name}-2.3-plugin-man.dif
Patch2: openvpn-CVE-2024-28882.patch
Patch3: openvpn-CVE-2024-5594.patch
BuildRequires: iproute2
BuildRequires: libcap-ng-devel
BuildRequires: liblz4-devel
@@ -52,12 +49,10 @@ BuildRequires: pam-devel
BuildRequires: pkcs11-helper-devel >= 1.11
BuildRequires: pkgconfig
BuildRequires: xz
BuildRequires: pkgconfig(libnl-genl-3.0)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(systemd)
Requires: iproute2
Requires: pkcs11-helper >= 1.11
Recommends: ovpn-dco-kmp
%systemd_ordering
%description
@@ -121,7 +116,8 @@ Requires: %{name} = %{version}
This package provides the header file to build external plugins.
%prep
%autosetup -p0
%setup -q
%patch1
sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
-i src/openvpn/options.c
@@ -140,14 +136,8 @@ export LDFLAGS
# usrmerge
export IPROUTE="%{_sbindir}/ip"
%endif
libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)
if [[ $libnlversion == 3.[0-3].* ]] ; then
confopt=--enable-iproute2
else
confopt=--enable-dco
fi
%configure \
$confopt \
--enable-iproute2 \
--enable-x509-alt-username \
--enable-pkcs11 \
--enable-systemd \
@@ -160,7 +150,7 @@ fi
%install
%make_install
find %{buildroot} -type f -name "*.la" -print -delete
find %{buildroot} -type f -name "*.la" -print -exec rm -f {} +
mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
mkdir -p %{buildroot}/%{_rundir}/openvpn
mkdir -p %{buildroot}/%{_datadir}/openvpn
@@ -170,9 +160,7 @@ rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service
rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf
install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 644 %{SOURCE9} %{buildroot}/%{_unitdir}/%{name}.target
%if 0%{?suse_version} < 1600
install -D -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/rc%{name}
%endif
# tmpfiles.d
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %{SOURCE10} %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -182,7 +170,7 @@ install -m 755 %{SOURCE5} sample/sample-scripts/client-netconfig.down
# we install docs via spec into _defaultdocdir/name/management-notes.txt
rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
find sample -name .gitignore -delete
find sample -name .gitignore -exec rm -f {} +
%pre
%service_add_pre %{name}.target
@@ -215,9 +203,7 @@ find sample -name .gitignore -delete
%{_unitdir}/%{name}.target
%{_tmpfilesdir}/%{name}.conf
%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
%if 0%{?suse_version} < 1600
%{_sbindir}/rcopenvpn
%endif
%{_sbindir}/openvpn
%files down-root-plugin