OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=3

openvpn-2.0.9-plugin-build.dif

@@ -0,0 +1,39 @@
+--- plugin/auth-pam/Makefile
++++ plugin/auth-pam/Makefile	2008/01/17 14:23:16
+@@ -4,7 +4,7 @@
+ 
+ # If PAM modules are not linked against libpam.so, set DLOPEN_PAM to 1. This
+ # must be done on SUSE 9.1, at least.
+-DLOPEN_PAM=1
++DLOPEN_PAM=0
+ 
+ ifeq ($(DLOPEN_PAM),1)
+ 	LIBPAM=-ldl
+@@ -15,10 +15,10 @@
+ # This directory is where we will look for openvpn-plugin.h
+ INCLUDE=-I../..
+ 
+-CC_FLAGS=-O2 -Wall -DDLOPEN_PAM=$(DLOPEN_PAM)
++CC_FLAGS=$(CFLAGS) -DDLOPEN_PAM=$(DLOPEN_PAM)
+ 
+ openvpn-auth-pam.so : auth-pam.o pamdl.o
+-	gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
++	gcc ${LDFLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM)
+ 
+ auth-pam.o : auth-pam.c pamdl.h
+ 	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} auth-pam.c
+--- plugin/down-root/Makefile
++++ plugin/down-root/Makefile	2008/01/17 14:23:39
+@@ -5,10 +5,10 @@
+ # This directory is where we will look for openvpn-plugin.h
+ INCLUDE=-I../..
+ 
+-CC_FLAGS=-O2 -Wall
++CC_FLAGS=${CFLAGS}
+ 
+ down-root.so : down-root.o
+-	gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
++	gcc ${LDFLAGS} -fPIC -shared -Wl,-soname,openvpn-down-root.so -o openvpn-down-root.so down-root.o -lc
+ 
+ down-root.o : down-root.c
+ 	gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} down-root.c

openvpn-2.0.9-plugin-dir.dif

@@ -0,0 +1,30 @@
+--- plugin.c
++++ plugin.c	2007/11/28 08:58:20
+@@ -182,7 +182,26 @@ plugin_init_item (struct plugin *p, cons
+   p->plugin_type_mask = plugin_supported_types ();
+ 
+ #if defined(USE_LIBDL)
+-  p->handle = dlopen (p->so_pathname, RTLD_NOW);
++  p->handle = NULL;
++#if defined(PLUGIN_LIBDIR)
++  if (!strchr(p->so_pathname, '/'))
++  {
++    char  full[PATH_MAX], *name;
++
++    snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname);
++    p->handle = dlopen (full, RTLD_NOW);
++#if defined(ENABLE_PLUGIN_SEARCH)
++    if (!p->handle)
++    {
++      p->handle = dlopen (p->so_pathname, RTLD_NOW);
++    }
++#endif
++  }
++  else
++#endif
++  {
++    p->handle = dlopen (p->so_pathname, RTLD_NOW);
++  }
+   if (!p->handle)
+     msg (M_ERR, "PLUGIN_INIT: could not load plugin shared object %s: %s", p->so_pathname, dlerror());
+   libdl_resolve_symbol (p->handle, (void*)&p->open,  "openvpn_plugin_open_v1", p->so_pathname, PLUGIN_SYMBOL_REQUIRED);

openvpn-2.0.9-plugin-man.dif

@@ -0,0 +1,18 @@
+--- openvpn.8
++++ openvpn.8	2008/01/17 13:53:02
+@@ -2117,11 +2117,10 @@
+ folder of the OpenVPN source distribution.
+ 
+ If you are using an RPM install of OpenVPN, see
+-/usr/share/openvpn/plugin.  The documentation is
+-in
+-.B doc
+-and the actual plugin modules are in
+-.B lib.
++@PLUGIN_DIR@. The actual plugin modules are in
++.B @PLUGIN_LIBDIR@
++and the documentation is in
++.B @PLUGIN_DOCDIR@.
+ 
+ Multiple plugin modules can be cascaded, and modules can be
+ used in tandem with scripts.  The modules will be called by

openvpn.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Jan 17 19:44:41 CET 2008 - mt@suse.de
+
+- Bug #334773: Enabled build of down-root and auth-pam plugins,
+  sub-packaged as openvpn-auth-pam-plugin/down-root-plugin.
+- Added patch to load plugins from /usr/%_lib/openvpn/plugin/lib
+  first, when the plugin name is specified as basename only.
+- Added patch adoptiong plugin path informations in openvpn.8.
+- Added patch to build plugins with RPM_OPT_FLAGS.
+- Fixed init script to use Should-Start/Stop LSB info tags.
+- Bug #343106: Enabled iproute2 support / usage
+
 -------------------------------------------------------------------
 Mon Jun  4 10:14:03 CEST 2007 - mt@suse.de
 

openvpn.init

@@ -13,9 +13,9 @@
 ### BEGIN INIT INFO
 # Provides:			openvpn
 # Required-Start:		$local_fs $remote_fs $network 
-# X-UnitedLinux-Should-Start:	$syslog
+# Should-Start:			$syslog
 # Required-Stop:		$local_fs $remote_fs $network
-# X-UnitedLinux-Should-Stop:	$syslog 
+# Should-Stop:			$syslog 
 # Default-Start:		3 5
 # Default-Stop:			0 1 2 6
 # Short-Description:		OpenVPN tunnel

openvpn.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openvpn (Version 2.0.9)
 #
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@@ -11,25 +11,97 @@
 # norootforbuild
 
 Name:           openvpn
-BuildRequires:  lzo-devel openssl-devel
-URL:            http://openvpn.sourceforge.net/
-License:        GNU General Public License (GPL), GNU Library General Public License v. 2.0 and 2.1 (LGPL)
+Url:            http://openvpn.net/
+License:        GPL v2 or later; LGPL v2.1 or later
 Group:          Productivity/Networking/Security
-Autoreqprov:    on
+AutoReqProv:    on
 %if 0%{?suse_version}
 PreReq:         %insserv_prereq %fillup_prereq
 %endif
 Version:        2.0.9
-Release:        22
-Summary:        Create VPN over Wireless and Ethernet Networks using a Tun Device
+Release:        61
+Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 Source:         http://openvpn.net/release/openvpn-%{version}.tar.gz
 Source1:        http://openvpn.net/signatures/openvpn-%{version}.tar.gz.asc
 Source2:        openvpn.init
 Source3:        openvpn.README.SUSE
+Patch1:         %{name}-%{version}-plugin-dir.dif
+Patch2:         %{name}-%{version}-plugin-man.dif
+Patch3:         %{name}-%{version}-plugin-build.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildRequires:  lzo-devel openssl-devel
+BuildRequires:  pam-devel
+%define         plugin_dir        %{_libdir}/%{name}/plugin
+%define         plugin_libdir     %{plugin_dir}/lib
 
 %description
-Create VPN over wireless and ethernet networks using a tun device.
+OpenVPN is a full-featured SSL VPN solution which can accomodate a wide
+range of configurations, including remote access, site-to-site VPNs,
+WiFi security, and enterprise-scale remote access solutions with load
+balancing, failover, and fine-grained access-controls.
+
+OpenVPN implements OSI layer 2 or 3 secure network extension using the
+industry standard SSL/TLS protocol, supports flexible client
+authentication methods based on certificates, smart cards, and/or
+2-factor authentication, and allows user or group-specific access
+control policies using firewall rules applied to the VPN virtual
+interface.
+
+OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD,
+NetBSD, Mac OS X, and Solaris.
+
+OpenVPN is not a web application proxy and does not operate through a
+web browser.
+
+
+
+Authors:
+--------
+    James Yonan <jim@yonan.net>
+
+%package down-root-plugin
+Summary:        OpenVPN down-root plugin
+Group:          Productivity/Networking/Security
+AutoReqProv:    on
+Requires:       %{name} = %{version}
+
+%description down-root-plugin
+The OpenVPN down-root plugin allows an OpenVPN configuration to call a
+down script with root privileges, even when privileges have been
+dropped using --user/--group/--chroot.
+
+This module uses a split privilege execution model which will fork()
+before OpenVPN drops root privileges, at the point where the --up
+script is usually called.  The plugin will then remain in a wait state
+until it receives a message from OpenVPN via pipe to execute the down
+script.  Thus, the down script will be run in the same execution
+environment as the up script.
+
+
+
+Authors:
+--------
+    James Yonan <jim@yonan.net>
+
+%package auth-pam-plugin
+Summary:        OpenVPN auth-pam plugin
+Group:          Productivity/Networking/Security
+AutoReqProv:    on
+Requires:       %{name} = %{version}
+
+%description auth-pam-plugin
+The OpenVPN auth-pam plugin implements username/password authentication
+via PAM, and essentially allows any authentication method supported by
+PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with
+OpenVPN.
+
+While PAM supports username/password authentication, this can be
+combined with X509 certificates to provide two indepedent levels of
+authentication.
+
+This plugin uses a split privilege execution model which will function
+even if you drop openvpn daemon privileges using the user, group, or
+chroot directives.
 
 
 
@@ -38,24 +110,43 @@ Authors:
     James Yonan <jim@yonan.net>
 
 %prep
-%setup
+%setup -q
+%patch1 -p0
+%patch2 -p0
+%patch3 -p0
+sed -e "s|@PLUGIN_DIR@|%{plugin_dir}|g" \
+    -e "s|@PLUGIN_LIBDIR@|%{plugin_libdir}|g" \
+    -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
+    -i openvpn.8
 
 %build
 autoreconf -fi
 export CFLAGS="$RPM_OPT_FLAGS -Wall"
-export LDFLAGS=
+export LDFLAGS=""
 # build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
 %if %{?suse_version}%{?!suse_version:99999} > 930
 CFLAGS="$CFLAGS -fPIE"
 LDFLAGS="$LDFLAGS -pie"
 %endif
+CFLAGS="$CFLAGS -DPLUGIN_LIBDIR='\"%{_libdir}/%{name}/plugin/lib\"' -DENABLE_PLUGIN_SEARCH" \
 %configure \
-	--enable-pthread \
+	--enable-pthread --enable-iproute2 \
 	--with-lzo-headers=%_includedir/lzo
 make
+#
+# Build down-root plugin
+#
+pushd plugin/down-root
+make
+popd
+#
+# Build auth-pam plugin
+#
+pushd plugin/auth-pam
+make
+popd
 
 %install
-rm -rf $RPM_BUILD_ROOT
 make DESTDIR=$RPM_BUILD_ROOT install
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn
 mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/openvpn
@@ -72,6 +163,16 @@ chmod +x easy-rsa/revoke-crt
 chmod +x easy-rsa/make-crl
 chmod +x easy-rsa/list-crl
 cp -a easy-rsa $RPM_BUILD_ROOT/%{_datadir}/openvpn/
+#
+# Install the plugins
+#
+install -d -m 755 $RPM_BUILD_ROOT%{plugin_libdir}/
+mv -f plugin/README README.plugins
+for pi in auth-pam down-root; do
+	mv -f plugin/$pi/README README.$pi
+	install -m 755 plugin/$pi/openvpn-$pi.so \
+		$RPM_BUILD_ROOT%{plugin_libdir}/
+done
 
 %clean
 if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
@@ -89,7 +190,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 %files
 %defattr(-,root,root)
 %doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS PORTS README
-%doc README.SUSE
+%doc README.*
 %doc contrib
 %doc management
 %doc sample-config-files
@@ -104,26 +205,46 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 %dir %{_localstatedir}/run/openvpn
 %dir %{_datadir}/openvpn
 %{_datadir}/openvpn/easy-rsa
+%dir %{_libdir}/%{name}
+%dir %{plugin_dir}
+%dir %{plugin_libdir}
+
+%files down-root-plugin
+%defattr(-,root,root)
+%{plugin_libdir}/openvpn-down-root.so
+
+%files auth-pam-plugin
+%defattr(-,root,root)
+%{plugin_libdir}/openvpn-auth-pam.so
 
 %changelog
-* Mon Jun 04 2007 - mt@suse.de
+* Thu Jan 17 2008 mt@suse.de
+- Bug #334773: Enabled build of down-root and auth-pam plugins,
+  sub-packaged as openvpn-auth-pam-plugin/down-root-plugin.
+- Added patch to load plugins from /usr/%%_lib/openvpn/plugin/lib
+  first, when the plugin name is specified as basename only.
+- Added patch adoptiong plugin path informations in openvpn.8.
+- Added patch to build plugins with RPM_OPT_FLAGS.
+- Fixed init script to use Should-Start/Stop LSB info tags.
+- Bug #343106: Enabled iproute2 support / usage
+* Mon Jun 04 2007 mt@suse.de
 - fixed easy-rsa installation (no exec in doc directory)
 - improved spec to use configure directory variables and
   cleaned up macro calls in RPM pre/post scripts.
 - fixed openvpn binary check in the init script.
-* Fri Oct 27 2006 - mt@suse.de
+* Fri Oct 27 2006 mt@suse.de
 - upstream 2.0.9, Windows related fixes only
   * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
   published vulnerabilities.
   * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
   (Henry Nestler).  The TAP-Win32 driver has now been
   upgraded to version 8.4.
-* Wed Sep 27 2006 - poeml@suse.de
+* Wed Sep 27 2006 poeml@suse.de
 - upstream 2.0.8
   * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
   RSA Signature Forgery (CVE-2006-4339).
   * No changes to OpenVPN source code between 2.0.7 and 2.0.8.
-* Fri Jun 23 2006 - poeml@suse.de
+* Fri Jun 23 2006 poeml@suse.de
 - upstream 2.0.7, with bug fixes:
   * When deleting routes under Linux, use the route metric
   as a differentiator to ensure that the route teardown
@@ -148,12 +269,12 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
   * fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed
   to clients from the server)
 - build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
-* Wed Apr 19 2006 - poeml@suse.de
+* Wed Apr 19 2006 poeml@suse.de
 - security fix (CVE-2006-1629): disallow "setenv" to be pushed to
   clients from the server [#165123]
-* Wed Jan 25 2006 - mls@suse.de
+* Wed Jan 25 2006 mls@suse.de
 - converted neededforbuild to BuildRequires
-* Thu Nov 03 2005 - poeml@suse.de
+* Thu Nov 03 2005 poeml@suse.de
 - update to 2.0.5, with two security fixes -- see below. [#132003]
   2005.11.02 -- Version 2.0.5
   * Fixed bug in Linux get_default_gateway function
@@ -202,13 +323,13 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
   registered on Windows.
   * Fixed a bug where --mode server --proto tcp-server --cipher none
   operation could cause tunnel packet truncation.
-* Tue Aug 30 2005 - poeml@suse.de
+* Tue Aug 30 2005 poeml@suse.de
 - update to 2.0.2 [#106258] relevant changes:
   * Fixed bug where "--proto tcp-server --mode p2p --management
   host port" would cause the management port to not respond until
   the OpenVPN peer connects.
   * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
-* Tue Aug 23 2005 - poeml@suse.de
+* Tue Aug 23 2005 poeml@suse.de
 - update to 2.0.1 [#106258]
   * Security Fix -- DoS attack against server when run with "verb 0" and
   without "tls-auth".  If a client connection to the server fails
@@ -251,47 +372,47 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
   would fail to build.
   * Implement "make check" to perform loopback tests (Matthias Andree).
 - drop obsolete patch which fixed finding lzo libraries
-* Tue Jun 28 2005 - mrueckert@suse.de
+* Tue Jun 28 2005 mrueckert@suse.de
 - The previous patch didnt work with lzo1 based distros. Fixed.
-* Tue Jun 28 2005 - cthiel@suse.de
+* Tue Jun 28 2005 cthiel@suse.de
 - fixed build with lzo2 (added lzo2.diff)
-* Thu Jun 23 2005 - ro@suse.de
+* Thu Jun 23 2005 ro@suse.de
 - build with fPIE/pie
-* Thu Jun 02 2005 - hvogel@suse.de
+* Thu Jun 02 2005 hvogel@suse.de
 - lzo headers are in a subdirectory now
-* Tue Apr 19 2005 - cthiel@suse.de
+* Tue Apr 19 2005 cthiel@suse.de
 - update to 2.0
-* Thu Feb 17 2005 - poeml@suse.de
+* Thu Feb 17 2005 poeml@suse.de
 - update to 2.0_rc14
 - add README.SUSE
-* Fri Jan 28 2005 - poeml@suse.de
+* Fri Jan 28 2005 poeml@suse.de
 - update to 2.0_rc10
-* Wed Dec 29 2004 - poeml@suse.de
+* Wed Dec 29 2004 poeml@suse.de
 - update to 2.0_rc6
-* Wed Dec 29 2004 - poeml@suse.de
+* Wed Dec 29 2004 poeml@suse.de
 - update to 2.0_rc1 (closing #45979)
   IMPORTANT: OpenVPN's default port number is now 1194, based on an
   official port number assignment by IANA.  OpenVPN 2.0-beta16 and
   earlier used 5000 as the default port.
   -> see http://openvpn.net/20notes.html
 - remove lzo sources, which come in a separate package since 9.2
-* Mon Jul 26 2004 - poeml@suse.de
+* Mon Jul 26 2004 poeml@suse.de
 - update to 1.6_rc4
 - bzip2 sources
-* Sun Jan 11 2004 - adrian@suse.de
+* Sun Jan 11 2004 adrian@suse.de
 - build as user
-* Tue Dec 16 2003 - wengel@suse.de
+* Tue Dec 16 2003 wengel@suse.de
 - update to version 1.5.0
-* Sun Sep 07 2003 - poeml@suse.de
+* Sun Sep 07 2003 poeml@suse.de
 - add an init script
 - use RPM_OPT_FLAGS
 - add /var/run/openvpn directory for pid files
-* Thu Jul 31 2003 - wengel@suse.de
+* Thu Jul 31 2003 wengel@suse.de
 - update to new version -> 1.4.2
-* Tue May 27 2003 - coolo@suse.de
+* Tue May 27 2003 coolo@suse.de
 - use BuildRoot
 - package a bit more straightforward
-* Mon May 19 2003 - wengel@suse.de
+* Mon May 19 2003 wengel@suse.de
 - update to version 1.4.1
-* Mon Jan 20 2003 - wengel@suse.de
+* Mon Jan 20 2003 wengel@suse.de
 - initial package