From bd1ac08c0b71ae3bd6dff8f465eb0cdd29976401dcc939f1a6c7df58fbc7de2c Mon Sep 17 00:00:00 2001 From: Alexandre Vicenzi Date: Fri, 14 Jun 2024 08:55:43 +0000 Subject: [PATCH 1/2] Accepting request 1174409 from home:bmwiedemann:branches:network:vpn Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305) if libnl >= 3.4 is available now recommends ovpn-dco kmp still needs testing OBS-URL: https://build.opensuse.org/request/show/1174409 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=207 --- .gitattributes | 23 + .gitignore | 1 + client-netconfig.down | 37 + client-netconfig.up | 77 ++ openvpn-2.3-plugin-man.dif | 17 + openvpn-2.6.10.tar.gz | 3 + openvpn-2.6.10.tar.gz.asc | 16 + openvpn-tmpfile.conf | 1 + openvpn.README.SUSE | 28 + openvpn.changes | 1798 ++++++++++++++++++++++++++++++++++++ openvpn.keyring | 496 ++++++++++ openvpn.service | 16 + openvpn.spec | 230 +++++ openvpn.target | 3 + rcopenvpn | 34 + 15 files changed, 2780 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 client-netconfig.down create mode 100644 client-netconfig.up create mode 100644 openvpn-2.3-plugin-man.dif create mode 100644 openvpn-2.6.10.tar.gz create mode 100644 openvpn-2.6.10.tar.gz.asc create mode 100644 openvpn-tmpfile.conf create mode 100644 openvpn.README.SUSE create mode 100644 openvpn.changes create mode 100644 openvpn.keyring create mode 100644 openvpn.service create mode 100644 openvpn.spec create mode 100644 openvpn.target create mode 100644 rcopenvpn diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/client-netconfig.down b/client-netconfig.down
new file mode 100644
index 0000000..29ab6e2
--- /dev/null
+++ b/client-netconfig.down
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright (c) 2010 Andreas Schneider
+# Marius Tomaschewski
+# Licensed under the GPL version 2
+
+# PURPOSE: This script automatically removes the /etc/resolv.conf
+# and another settings applied before via netconfig.
+
+# INSTALL NOTES:
+# Place this file in /etc/openvpn/client.down
+# Then, add the following to your /etc/openvpn/.conf:
+# client
+# pull dhcp-options
+# up /etc/openvpn/client.up
+# down /etc/openvpn/client.down
+# Finally, "chmod +x /etc/openvpn/client.{up,down}"
+
+# disable pathname expansion
+shopt -o -s noglob
+
+# --up/--down patametes are:
+#
+# tun_dev tun_mtu link_mtu ifconfig_local_ip
+# ifconfig_remote_ip [ init | restart ]
+#
+# tap_dev tap_mtu link_mtu ifconfig_local_ip
+# ifconfig_netmask [ init | restart ]
+dev=$1
+
+# skip, when there is no interface parameter or netconfig
+if test -a /sbin/netconfig -a "x${dev}" != x ; then
+ /sbin/netconfig remove -s openvpn -i "${dev}"
+fi
+
+# all done...
+exit 0
diff --git a/client-netconfig.up b/client-netconfig.up
new file mode 100644
index 0000000..7857ad3
--- /dev/null
+++ b/client-netconfig.up
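Review bot: The guard `if test -a /sbin/netconfig -a "x${dev}" != x ; then` uses unary `-a`, which bash treats as the obsolete spelling of `-e` (file exists), while the same token two positions later is the binary AND, so the expression is hard to read and only checks existence, whereas the companion client-netconfig.up script checks executability with `-x`. Bring the two scripts into line and avoid the multi-operand `test`: `if test -x /sbin/netconfig && test "x${dev}" != x ; then`. The `${dev}` argument is `$1`, which the header comment documents as the tun/tap device name supplied by OpenVPN, and it is correctly quoted on the remove call. Minor: `patametes` in the parameter comment should read `parameters`.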
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Copyright (c) 2010 Andreas Schneider
+# Marius Tomaschewski
+# Licensed under the GPL version 2
+
+# PURPOSE: This script sets the proper /etc/resolv.conf and another
+# settings as pulled down from an OpenVPN server using a
+# netconfig modify call.
+
+# INSTALL NOTES:
+# Place this file in /etc/openvpn/client.up
+# Then, add the following to your /etc/openvpn/.conf:
+# client
+# pull dhcp-options
+# up /etc/openvpn/client.up
+# down /etc/openvpn/client.down
+# Finally, "chmod +x /etc/openvpn/client.{up,down}"
+
+# disable pathname expansion
+shopt -o -s noglob
+
+# --up/--down patametes are:
+#
+# tun_dev tun_mtu link_mtu ifconfig_local_ip
+# ifconfig_remote_ip [ init | restart ]
+#
+# tap_dev tap_mtu link_mtu ifconfig_local_ip
+# ifconfig_netmask [ init | restart ]
+dev=$1
+
+# skip, when there is no interface parameter or netconfig
+if test -x /sbin/netconfig -a "x${dev}" != x ; then
+
+ # init variables
+ dns_domain=()
+ dns_server=()
+ ntp_server=()
+ wins_server=()
+ nbdd_server=()
+ nb_typeid=""
+ nb_scopeid=""
+ nb_disable=""
+
+ # collect settings data
+ for fopt in ${!foreign_option_*} ; do
+ test "x${!fopt}" != x || continue
+ data=(${!fopt})
+ test "x${data[0]}" = "xdhcp-option" && \
+ case "${data[1]}" in
+ DOMAIN) dns_domain+=("${data[2]}") ;;
+ DNS) dns_server+=("${data[2]}") ;;
+ NTP) ntp_server+=("${data[2]}") ;;
+ WINS) wins_server+=("${data[2]}") ;;
+ NBDD) nbdd_server+=("${data[2]}") ;;
+ NBT) nb_typeid="${data[2]}" ;;
+ NBS) nb_scopeid="${data[2]}" ;;
+ DISABLE-NBT) nb_disable="yes" ;;
+ esac
+ done
+
+ # call netconfig modify
+ {
+ echo "DNSSEARCH='${dns_domain[*]}'"
+ echo "DNSSERVERS='${dns_server[*]}'"
+ echo "NTPSERVERS='${ntp_server[*]}'"
+ # currently unused / no netconfig module for:
+ echo "NETBIOSNAMESERVER='${wins_server[*]}'"
+ echo "NETBIOSDDSERVER='${nbdd_server[*]}'"
+ echo "NETBIOSNODETYPE='$nb_typeid'"
+ echo "NETBIOSSCOPE='$nb_scopeid'"
+ # nb_disable ?
+ } | /sbin/netconfig modify -s openvpn -i "$dev"
+fi
+
+# all done...
+exit 0
diff --git a/openvpn-2.3-plugin-man.dif b/openvpn-2.3-plugin-man.dif
new file mode 100644
index 0000000..363ff6c
--- /dev/null
+++ b/openvpn-2.3-plugin-man.dif
@@ -0,0 +1,17 @@
+Index: doc/openvpn.8
+===================================================================
+--- doc/openvpn.8.orig
++++ doc/openvpn.8
+@@ -6690,9 +6690,9 @@ For more information and examples on how
+ modules, see the README file in the \fBplugin\fP folder of the OpenVPN
+ source distribution.
+ .sp
+-If you are using an RPM install of OpenVPN, see
+-\fB/usr/share/openvpn/plugin\fP\&. The documentation is in \fBdoc\fP and
+-the actual plugin modules are in \fBlib\fP\&.
++If you are using an RPM install of OpenVPN, the actual plugin modules
++are in \fB@PLUGIN_LIBDIR@\fP\& and the documentation is in
++\fB@PLUGIN_DOCDIR@/README.\fP\&.
+ .sp
+ Multiple plugin modules can be cascaded, and modules can be used in
+ tandem with scripts. The modules will be called by OpenVPN in the order
diff --git a/openvpn-2.6.10.tar.gz b/openvpn-2.6.10.tar.gz
new file mode 100644
index 0000000..87f9d30
--- /dev/null
+++ b/openvpn-2.6.10.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1993bbb7b9edb430626eaa24573f881fd3df642f427fcb824b1aed1fca1bcc9b
+size 1907280
diff --git a/openvpn-2.6.10.tar.gz.asc b/openvpn-2.6.10.tar.gz.asc
new file mode 100644
index 0000000..d2b7f82
--- /dev/null
+++ b/openvpn-2.6.10.tar.gz.asc
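Review bot: The values gathered from `${!foreign_option_*}` are, per the PURPOSE comment, settings pulled down from the OpenVPN server, and they reach `netconfig modify` unvalidated: each is spliced into a single-quoted assignment such as `echo "DNSSEARCH='${dns_domain[*]}'"`, so a pushed DOMAIN or DNS value containing `'` ends the quoted value early, and what netconfig does with the remainder depends on how it parses that stream, which this hunk does not show. `shopt -o -s noglob` prevents pathname expansion and `data=(${!fopt})` word-splits the option, but nothing restricts the characters of `${data[2]}` before it is appended to an array. A conservative filter ahead of the `case "${data[1]}"` dispatch would contain this, e.g. `case "${data[2]}" in *[!A-Za-z0-9._:-]*) continue ;; esac`, and the DNS/NTP/WINS/NBDD entries could further be required to parse as IP addresses. The `{ … } |` group and the surrounding `if` both open earlier in this same hunk.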
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEvlj1OdBZuAYxwSlKQdIJZcLoLccFAmX6sakACgkQQdIJZcLo
+LcemTxAA5fwUDLHWQjE9Mf86NZbRup6aSo5S751pou/bcVYWQVbYqjFJIgdJEY7r
+HS4cKlOmJ74S5SqALwqmD4lqUP1LfGocvHUR1ACXppm/rtebWa3upRRI3/svBhp2
+6IqQjW0gkiDib56mKn2RFkyLkUiWpBOW15gqe/NgRjoVlIaCCQuvZhii8fAHMHzS
+HeJrTmdmbINTyVr6Ag4hZS+rKivVXR3j8z2YTuTwH1NPmCuclyoODRSv7rL3A1tU
+wiol0go/aLaDXx1EEnGtHrPtWjA6Gti1pDbteQBKn4Q9v2svuhFncyeux0R9a2Jk
+FLWXLZGI5JOQOTvuIrRnGBuUCpbhJalHQHtgKgNzhIqfToHfIYgc+2gQYSh4pDYi
+rZVMdws9lNqWctSLAeyCyojpYGiL3YU4tnORGzsqypszzznk/JtlkTb6rjGxrh3w
+Ejg5rE7cwgNstGqEaHihJaHG7mnnazZ9US3J1DFcg9NgpDD2Y7Gate6E2GEtmSFg
+BoLUK1tRRl9GayEc8mKN+ThzcW9U1YOzMdZTIRQX9ToaqHdMdpeOGV1+dwYqMT+e
+dYrmEO1COqvfp5Qxk+Q+fFBvUluMM7PQ1w0ncyTRn7jdlxdDu4XB9CfBP5fvXvwl
+teabifAm0iglOeCEYdUWtgYSkvebu1FaIhh1w3I1uQwrKOF7ZXM=
+=6sO3
+-----END PGP SIGNATURE-----
diff --git a/openvpn-tmpfile.conf b/openvpn-tmpfile.conf
new file mode 100644
index 0000000..e0dc7e6
--- /dev/null
+++ b/openvpn-tmpfile.conf
@@ -0,0 +1 @@
+D /run/openvpn 0750 root root -
diff --git a/openvpn.README.SUSE b/openvpn.README.SUSE
new file mode 100644
index 0000000..86d3b66
--- /dev/null
+++ b/openvpn.README.SUSE
@@ -0,0 +1,28 @@
+
+Notes about the OpenVPN package
+
+In a fresh installation, you will find an empty directory /etc/openvpn.
+The directory is meant to contain *.conf files.
+
+With openSUSE post-12.3 either all enabled instances are handled by
+calling
+
+ 'systemctl openvpn.target'
+
+or each one tunnel/config separately using openvpn service template:
+
+ 'systemctl openvpn@.service'
+
+while is the name of the configuration file /etc/openvpn/.conf.
+
+The OPENVPN_AUTOSTART sysconfig variable, which were specifying the
+list of enabled configs is migrated to systemctl enable on update.
+
+Alternatively, you can also use the rcopenvpn compatiblity wrapper:
+
+ rcopenvpn
+
+or per config/tunnel:
+
+ rcopenvpn
+
diff --git a/openvpn.changes b/openvpn.changes
new file mode 100644
index 0000000..3f65c6f
--- /dev/null
+++ b/openvpn.changes
@@ -0,0 +1,1798 @@ +------------------------------------------------------------------- +Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann + +- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305) + if libnl >= 3.4 is available + +------------------------------------------------------------------- +Thu Mar 21 08:33:45 UTC 2024 - Mohd Saquib + +- update to 2.6.10: + * t_client.sh can now run pre-tests and skip a test block if needed + (e.g. skip NTLM proxy tests if SSL library does not support MD4) + * Compression: minor bugfix in checking option consistency vs. + compiled-in algorithm support + * systemd unit files: remove obsolete syslog.target + +------------------------------------------------------------------- +Mon Feb 26 12:50:07 UTC 2024 - Dominique Leuenberger + +- Use %autosetup macro. Allows to eliminate the usage of deprecated + PatchN. + +------------------------------------------------------------------- +Mon Feb 12 18:00:47 UTC 2024 - Mohd Saquib + +- update to 2.6.9: + * Remove unused function prototype crypto_adjust_frame_parameters + * Log SSL alerts more prominently + * Document tls-exit option mainly as test option + * Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway + * Fix check_session_buf_not_used using wrong index + * Add missing check for nl_socket_alloc failure + * Add check for nice in cmake config + * Remove compat versionhelpers.h and remove cmake/configure check for it + * Extend the error message when TLS 1.0 PRF fails + * Fix unaligned access in macOS, FreeBSD, Solaris hwaddr + * Check PRF availability on initialisation and add --force-tls-key-material-export + * Make it more explicit and visible when pkg-config is not found + * Clarify that the tls-crypt-v2-verify has a very limited env set + * Implement the --tls-export-cert feature + * Remove conditional text for Apache2 linking exception + * Remove --tls-export-cert + * Remove superfluous x509_write_pem() + * sample-keys: renew for the next 10 
years + * GHA: clean up libressl builds with newer libressl + * configure.ac: Remove unused AC_TYPE_SIGNAL macro + * documentation: remove reference to removed option --show-proxy-settings + * unit_tests: remove includes for mock_msg.h + * documentation: improve documentation of --x509-track + * NTLM: add length check to add_security_buffer + * NTLM: increase size of phase 2 response we can handle + * proxy-options.rst: Add proper documentation for --http-proxy-user-pass + * buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0' + * --http-proxy-user-pass: allow to specify in either order with --http-proxy + * README.cmake.md: Document minimum required CMake version for --preset + * documentation: Update and fix documentation for --push-peer-info + * documentation: Fixes for previous fixes to --push-peer-info + * OpenBSD: repair --show-gateway + * get_default_gateway() HWADDR overhaul + * fix uncrustify complaints about previous patch + * preparing release 2.6.9 + * dco-freebsd: dynamically re-allocate buffer if it's too small + * tun.c: don't attempt to delete DNS and WINS servers if they're not set + * vcpkg-ports/pkcs11-helper: bump to version 1.30 + * Add support for mbedtls 3.X.Y + * Update README.mbedtls + * Disable TLS 1.3 support with mbed TLS + * Enable key export with mbed TLS 3.x.y + * protocol_dump: tls-crypt support + * Fix IPv6 route add/delete message log level + * fix(ssl): init peer_id when init tls_multi + +------------------------------------------------------------------- +Mon Nov 20 07:15:13 UTC 2023 - Mohd Saquib + +- update to 2.6.8: + * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF + state - the new sanity check function introduced in 2.6.7 sometimes + tried to use a NULL pointer after an unsuccessful TLS handshake + * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly + use a send buffer after it has been free()d in some circumstances, + causing some free()d memory to be sent to the 
peer. All configurations + using TLS (e.g. not using --secret) are affected by this issue. + * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly + restore --fragment configuration in some circumstances, leading to a + division by zero when --fragment is used. On platforms where division + by zero is fatal, this will cause an OpenVPN crash. + * DCO: warn if DATA_V1 packets are sent by the other side - this a hard + incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 + server, and the only fix is to use --disable-dco. + * Remove OpenSSL Engine method for loading a key. This had to be removed + because the original author did not agree to relicensing the code with + the new linking exception added. This was a somewhat obsolete feature + anyway as it only worked with OpenSSL 1.x, which is end-of-support. + * add warning if p2p NCP client connects to a p2mp server - this is a + combination that used to work without cipher negotiation (pre 2.6 on + both ends), but would fail in non-obvious ways with 2.6 to 2.6. + * add warning to --show-groups that not all supported groups are listed + (this is due the internal enumeration in OpenSSL being a bit weird, + omitting X448 and X25519 curves). + * --dns: remove support for exclude-domains argument (this was a new 2.6 + option, with no backend support implemented yet on any platform, and it + turns out that no platform supported it at all - so remove option again) + * warn user if INFO control message too long, do not forward to management + client (safeguard against protocol-violating server implementations) + * DCO-WIN: get and log driver version (for easier debugging). 
+ * print "peer temporary key details" in TLS handshake + * log OpenSSL errors on failure to set certificate, for example if the + algorithms used are in acceptable to OpenSSL (misleading message would be + printed in cryptoapi / pkcs11 scenarios) + * add CMake build system for MinGW and MSVC builds + * remove old MSVC build system + * improve cmocka unit test building for Windows + +------------------------------------------------------------------- +Wed Aug 16 18:56:40 UTC 2023 - Mohd Saquib + +- update to 2.6.6: + * configure.ac: fix typ0 in LIBCAPNG_CFALGS + * Avoid unused function warning/error on FreeBSD (and potientially others) + * fix warning with gcc 12.2.0 (compiler bug?) + * Fix CR_RESPONSE mangaement message using wrong key_id + * Print a more user-friendly error when tls-crypt-v2 client auth fails + * Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7 + * Revert commit 423ced962d + * Implement using --peer-fingerprint without CA certificates + * show extra info for OpenSSL errors + * dist: add more missing files only used in the MSVC build + * dist: Include all documentation in distribution + * unit_tests: Add missing cert_data.h to source list for unit tests + * test_tls_crypt: Improve mock() usage to be more portable + * Remove old Travis CI related files + * options: Do not hide variables from parent scope + * pkcs11_openssl: Disable unused code + * route: Fix overriding return value of add_route3 + +------------------------------------------------------------------- +Wed Jun 14 06:42:58 UTC 2023 - Mohd Saquib + +- update to 2.6.5: + * apctl (windows): generate driver-specific names (if using tapctl + to create additional tap/wintun/dco devices, and not using + --name) (Github #337) + * interactive service (windows): do not force target desktop for + openvpn.exe - this has no impact for normal use, but enables + running of OpenVPN in a scripted way when no user is logged on + (for example, via task scheduler) (Github 
OpenVPN/openvpn-gui#626) + * fix use-after-free with EVP_CIPHER_free + * fix building with MSVC from release tarball (missing version.m4.in) + * dco-win: repair use of --dev-node to select specific DCO drivers + (Github #336) + * fix missing malloc() return check in dco_freebsd.c + * windows: correctly handle unicode names for "exit event" + * fix memleak in client-connect example plugin + * fix fortify build problem in keying-material-exporter-demo plugin + * fix memleak in dco_linux.c/dco_get_peer_stats_multi() - this will + leak a small amount of memory every 15s on DCO enabled servers, + leading to noticeable memory waste for long-running processes. + * dco_linux.c: properly close dco version file (fd leak) + +------------------------------------------------------------------- +Fri May 12 12:16:54 UTC 2023 - Paolo Stivanin + +- Update to 2.6.4: + * DCO: support kernel-triggered key rotation (avoid IV reuse after + 2^32 packets). This is the userland side, accepting a message + from kernel, and initiating a TLS renegotiation. As of release, + * fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323) + * fix compile error on TARGET_ANDROID + * fix typo in help text + * manpage updates (--topology) + * encoding of non-ASCII windows error messages in log + management fixed +- Update openvpn.keyring + +------------------------------------------------------------------- +Tue Apr 25 14:02:08 UTC 2023 - Mohd Saquib + +- update to 2.6.3: + * For full changelog please refer to: + https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst + * implement byte counter statistics for DCO Linux (p2mp server + and client) + * implement byte counter statistics for DCO Windows (client only) + * '--dns server address ...' 
now permits up to 8 v4 or v6 + addresses + * fix a few cases of possibly undefined behaviour detected by ASAN + * add more unit tests for Windows cryptoapi interface + * Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN + will dynamically create a tls-crypt key that is used for + renegotiation. This ensure that only the previously authenticated + peer can do trigger renegotiation and complete renegotiations. + * Keying Material Exporters (RFC 5705) based key generation + * As part of the cipher negotiation OpenVPN will automatically prefer + the RFC5705 based key material generation to the current custom + OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+. + * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort + has been made to check or implement all the requirements/ + recommendation of FIPS 140-2. This just allows OpenVPN to be run on + a system that be configured OpenSSL in FIPS mode. + * mlock will now check if enough memlock-able memory has been reserved, + and if less than 100MB RAM are available, use setrlimit() to upgrade + the limit. See Trac #1390. Not available on OpenSolaris. + * The --peer-fingerprint option has been introduced to give users an + easy to use alternative to the tls-verify for matching the fingerprint + of the peer. The option takes use a number of allowed SHA256 + certificate fingerprints. + * When --peer-fingerprint is used, the --ca and --capath option become + optional. This allows for small OpenVPN setups without setting up a + PKI with Easy-RSA or similar software. + * The --auth-user-pass-verify script supports now deferred authentication. + * Both auth plugin and script can now signal pending authentication to + the client when using deferred authentication. The new client-crresponse + script option and OPENVPN_PLUGIN_CLIENT_CRRESPONSE plugin function can + be used to parse a client response to a CR_TEXT two factor challenge. 
+ * The modernisation of defaults can impact the compatibility of OpenVPN + 2.6.0 with older peers. The options --compat-mode allows UIs to provide + users with an easy way to still connect to older servers. + * OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user + visible but improve general compatibility with OpenSSL 3.0. + --tls-cert-profile insecure has been added to allow selecting the lowest + OpenSSL security level (not recommended, use only if you must). OpenSSL + 3.0 no longer supports the Blowfish (and other deprecated) algorithm by + default and the new option --providers allows loading the legacy provider + to renable these algorithms. + * Ciphers in --data-ciphers can now be prefixed with a ? to mark those as + optional and only use them if the SSL library supports them. + * The --mssfix and --fragment options now allow an optional mtu parameter to + specify that different overhead for IPv4/IPv6 should taken into account + and the resulting size is specified as the total size of the VPN packets + including IP and UDP headers. + * Instead of allocating a connection for each client on the initial packet + OpenVPN server will now use an HMAC based cookie as its session id. This way + the server can verify it on completing the handshake without keeping state. + This eliminates the amplification and resource exhaustion attacks. + For tls-crypt-v2 clients, this requires OpenVPN 2.6 clients or later because + the client needs to resend its client key on completing the hand shake. + The tls-crypt-v2 option allows controlling if older clients are accepted. +- Removed openvpn-fips140-2.3.2.patch +------------------------------------------------------------------- +Thu Mar 2 07:34:31 UTC 2023 - Mohd Saquib + +- update to 2.5.9: + * Optional ciphers in --data-ciphers Ciphers in --data-ciphers + can now be prefixed with a ? to mark those as optional and only + use them if the SSL library supports them. 
+ * when compiling from a git checkout, put proper branch names into + windows builds + * do not include auth-token in pulled-option digest (interferes + with persist-tun when auth-token is in use, GH #200). + * fix corner case that might lead to leaked file descriptor + * fix parser bug (parse_line()) that can lead to buffer overflows + on malformed command line or server ccd file handling. + Not exploitable. + * pull-filter: ignore leading spaces in option names (work around + server side bug with erroneous extra spaces) + * push: do not add leading spaces to "out of renegotiations" pushed + auth-token fix NULL pointer crash on "openvpn --show-tls" with + mbedtls + +------------------------------------------------------------------- +Mon Feb 13 11:26:45 UTC 2023 - Thorsten Kukuk + +- Remove migration from openvpn.service to openvpn@.service and + depending requires, this is from pre SLE12 times and not supported + anymore. + +------------------------------------------------------------------- +Mon Jan 9 13:29:36 UTC 2023 - Reinhard Max + +- bsc#1123557: --suppress-timestamps isn't needed by default. + +------------------------------------------------------------------- +Fri Nov 18 21:40:05 UTC 2022 - Dirk Müller + +- update to 2.5.8: + * allow running a default configuration with TLS libraries without BF-CBC + (even if TLS cipher negotiation would not actually use BF-CBC, the + long-term compatibility "default cipher BF-CBC" would trigger an error + on such TLS libraries) + * ``--auth-nocache'' was not always correctly clearing username+password + after a renegotiation + * ensure that auth-token received from server is cleared if requested + by the management interface ("forget password" or automatically + via ``--management-forget-disconnect'') + * in a setup without username+password, but with auth-token and + auth-token-username pushed by the server, OpenVPN would start asking + for username+password on token expiry. Fix. 
+ * using ``--auth-token`` together with ``--management-client-auth`` + (on the server) would lead to TLS keys getting out of sync and client + being disconnected. Fix. + * management interface would sometimes get stuck if client and server + try to write something simultaneously. Fix by allowing a limited + level of recursion in virtual_output_callback() + * fix management interface not returning ERROR:/SUCCESS: response + on "signal SIGxxx" commands when in HOLD state + * tls-crypt-v2: abort connection if client-key is too short + * make man page agree with actual code on replay-window backtrag log message + * remove useless empty line from CR_RESPONSE message + +------------------------------------------------------------------- +Mon Sep 12 15:31:52 UTC 2022 - Dirk Müller + +- build with enable-iproute2 again to have root-less mode working (bsc#1202792) + +------------------------------------------------------------------- +Sun Jun 5 00:08:13 UTC 2022 - Dirk Müller + +- update to 2.5.7: + * Limited OpenSSL 3.0 support + * print OpenSSL error stack if decoding PKCS12 file fails + * fix omission of cipher-negotiation.rst in tarballs + * fix errno handling on Windows (Windows has different classes of + error codes, GetLastError() and C runtime errno, these should now + be handled correctly) + * fix PATH_MAX build failure in auth-pam.c + * fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface + * fix overlong path names, leading to missing pkcs11-helper patch + in tarball + +------------------------------------------------------------------- +Wed Mar 23 09:10:31 UTC 2022 - Reinhard Max + +- update to 2.5.6: + * bsc#1197341, CVE-2022-0547: possible authentication bypass in + external authentication plug-in + * Fix "--mtu-disc maybe|yes" on Linux + * Fix $common_name variable passed to scripts when + username-as-common-name is in effect. + * Fix potential memory leaks in add_route() and add_route_ipv6(). 
+ * Apply connect-retry backoff only to one side of the connection + in p2p mode. + * repair "--inactive" handling with a 'bytes' parameter larger + than 2 Gbytes. + * new plugin (sample-plugin/defer/multi-auth.c) to help testing + with multiple parallel plugins that succeed/fail in + direct/deferred mode. + +------------------------------------------------------------------- +Thu Feb 10 13:36:16 UTC 2022 - Reinhard Max + +- Fix license tag in spec file. + +------------------------------------------------------------------- +Wed Dec 15 21:21:35 UTC 2021 - Dirk Müller + +- update to 2.5.5: + * SWEET32/64bit cipher deprecation change was postponed to 2.7 + * improve "make check" to notice if "openvpn --show-cipher" crashes + * improve argv unit tests + * ensure unit tests work with mbedTLS builds without BF-CBC ciphers + * include "--push-remove" in the output of "openvpn --help" + * fix error in iptables syntax in example firewall.sh script + * fix "resolvconf -p" invocation in example "up" script + * fix "common_name" environment for script calls when + "--username-as-common-name" is in effect (Trac #1434) + * move "push-peer-info" documentation from "server options" to "client" + * correct "foreign_option_{n}" typo in manpage + * README.down-root: fix plugin module name + +------------------------------------------------------------------- +Wed Dec 8 14:40:22 UTC 2021 - Reinhard Max + +- Drop 0001-preform-deferred-authentication-in-the-background.patch + Upstream has meanwhile solved this differently and the two + implementations interfere (boo#1193017). +- Obsoleted SLE patches up to this point: + * openvpn-CVE-2020-15078.patch + * openvpn-CVE-2020-11810.patch + * openvpn-CVE-2018-7544.patch + * openvpn-CVE-2018-9336.patch + +------------------------------------------------------------------- +Sat Dec 4 15:52:46 UTC 2021 - Jan Engelhardt + +- Avoid bashisms and use POSIX sh syntax. +- Use more efficient find commands. 
+- Trim marketing filler words from description. + +------------------------------------------------------------------- +Sat Oct 16 10:05:25 UTC 2021 - Dirk Müller + +- update to 2.5.4: + * fix prompting for password on windows console if stderr redirection + is in use - this breaks 2.5.x on Win11/ARM, and might also break + on Win11/adm64 when released. + * fix setting MAC address on TAP adapters (--lladdr) to use sitnl + (was overlooked, and still used "ifconfig" calls) + * various improvements for man page building (rst2man/rst2html etc) + * minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on + at least one platform strictly checking this) + * fix minor memory leak under certain conditions in add_route() and + add_route_ipv6() + * documentation improvements + * copyright updates where needed + * better error reporting when win32 console access fails + +------------------------------------------------------------------- +Thu Aug 5 14:07:14 UTC 2021 - Reinhard Max + +- Update to 2.5.3: + + * Removal of BF-CBC support in default configuration + *** POSSIBLE INCOMPATIBILITY *** + See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8). 
+ + * Connections setup is now much faster + * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel + * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer + * Client-specific tls-crypt keys (--tls-crypt-v2) + * Improved Data channel cipher negotiation + * HMAC based auth-token support for seamless reconnects to + standalone servers or a group of servers + * Asynchronous (deferred) authentication support for auth-pam + plugin + * Asynchronous (deferred) support for client-connect scripts and + plugins + * Support IPv4 configs with /31 netmasks + * 802.1q VLAN support on TAP servers + * Support IPv6-only tunnels + * New option --block-ipv6 to reject all IPv6 packets (ICMPv6) + * Support Virtual Routing and Forwarding (VRF) + * Netlink integration (OpenVPN no longer needs to execute + ifconfig/route or ip commands) + * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch + +- bsc#1062157: The fix for bsc#934237 causes problems with the + crypto self-test of newer openvpn versions. + Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch . + +------------------------------------------------------------------- +Mon May 31 15:29:08 UTC 2021 - Dirk Müller + +- update to 2.4.11 (bsc#1185279): + * CVE-2020-15078 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements + + * This bug allows - under very specific circumstances - to trick a server using + delayed authentication (plugin or management) into returning a PUSH_REPLY + before the AUTH_FAILED message, which can possibly be used to gather + information about a VPN setup. + * In combination with "--auth-gen-token" or an user-specific token auth + solution it can be possible to get access to a VPN with an + otherwise-invalid account. 
+ * Fix potential NULL ptr crash if compiled with DMALLOC +- drop sysv init support, it hasn't build successfully in ages + and is build-disabled in devel project + +------------------------------------------------------------------- +Sun Apr 25 19:24:56 UTC 2021 - Christian Boltz + +- update 'rcopenvpn' to work without /etc/rc.status (boo#1185273) + +------------------------------------------------------------------- +Wed Jan 6 17:15:13 UTC 2021 - Dirk Müller + +- update to 2.4.10: + - OpenVPN client will now announce the acceptable ciphers to the server + (IV_CIPHER=...), so NCP cipher negotiation works better + - Parse static challenge response in auth-pam plugin + - Accept empty password and/or response in auth-pam plugin + - Log serial number of revoked certificate + - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack + - Fix auth-token not being updated if auth-nocache is set + (this should fix all remaining client-side bugs for the combination + "auth-nocache in client-config" + "auth-token in use on the server") + - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() + - Fix error detection / abort in --inetd corner case (#350) + - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) + - Fix handling of 'route remote_host' for IPv6 transport case + (#1247 and #1332) + - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) + - A number of documentation improvements / clarification fixes. 
+ - Fix line number reporting on config file errors after segments + - Fix fatal error at switching remotes (#629) + - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) + - Switch "ks->authenticated" assertion failure to returning false (#1270) + +- refresh 0001-preform-deferred-authentication-in-the-background.patch + openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 + +------------------------------------------------------------------- +Fri Sep 11 11:52:54 UTC 2020 - Dirk Mueller + +- update to 2.4.9 (CVE-2020-11810, bsc#1169925O): + * Allow unicode search string in --cryptoapicert option (Windows) + * Skip expired certificates in Windows certificate store (Windows) (trac #966) + * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file (trac #623) + * fix condition where a client's session could "float" to a new IP address that is not authorized ("fix illegal client float"). + This can be used to disrupt service to a freshly connected client (no session + keys negotiated yet). It can not be used to inject or steal VPN traffic. + CVE-2020-11810). + * fix combination of async push (deferred auth) and NCP (trac #1259) + * Fix OpenSSL 1.1.1 not using auto elliptic curve selection (trac #1228) + * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs + * mbedTLS: Make sure TLS session survives move (trac #880) + * Fix OpenSSL private key passphrase notices + * Fix building with --enable-async-push in FreeBSD (trac #1256) + * Fix broken fragmentation logic when using NCP (trac #1140) + +------------------------------------------------------------------- +Wed Aug 26 17:12:44 UTC 2020 - Franck Bui + +- Modernize openvpn.service + * /var/run has been obsoleted since a long time. + * on reload, send HUP signal directly rather than relying on + killproc to look for the main process. 
+ +------------------------------------------------------------------- +Wed Aug 26 17:00:43 UTC 2020 - Franck Bui + +- Explicitly requires sysvinit-tools as some of the tools shipped by + this package are used in various places regardless of whether + openvpn is built for systemd or non systemd systems. + + For the context: sysvinit-tools was pulled in by systemd since 2014 + but it's no longer the case so better to be safe than sorry. + +------------------------------------------------------------------- +Wed Mar 4 07:30:38 UTC 2020 - Fabian Vogt + +- Fix inconsistency in openvpn.service: + * It uses the unescape instance name as config file basename, + so use that in the description as well + +------------------------------------------------------------------- +Fri Jan 24 11:22:01 UTC 2020 - Dominique Leuenberger + +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut through the -mini flavors. +- Use %systemd_ordering instead of systemd_requires: in fact, + systemd is not a hard requirement for openvpn. But in case a + system is being installed with systemd, we want systemd to be + there before openvpn is being installed. + +------------------------------------------------------------------- +Tue Jan 7 21:28:42 UTC 2020 - Bjørn Lie + +- Update to version 2.4.8: + * mbedtls: fix segfault by calling mbedtls_cipher_free() in + cipher_ctx_free() + * cleanup: Remove RPM openvpn.spec build approach + * docs: Update INSTALL + * build: Package missing mock_msg.h + * Increase listen() backlog queue to 32 + * Force combinationation of --socks-proxy and --proto UDP to use + IPv4. + * Wrong FILETYPE in .rc files + * Do not set pkcs11-helper 'safe fork mode' + * tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex. + * Fix various compiler warnings + * Fix regression, reinstate LibreSSL support. 
+ * man: correct the description of --capath and --crl-verify + regarding CRLs + * Fix typo in NTLM proxy debug message + * Ignore --pull-filter for --mode server + * openssl: Fix compilation without deprecated OpenSSL 1.1 APIs + * Better error message when script fails due to script-security + setting + * Correct the return value of cryptoapi RSA signature callbacks + * Handle PSS padding in cryptoapicert + * cmocka: use relative paths + * Fix documentation of tls-verify script argument + +------------------------------------------------------------------- +Thu Dec 19 15:30:15 UTC 2019 - Dominique Leuenberger + +- BuildRequire pkgconfig(libsystemd) instead of systemd-devel: + Allow OBS to shortcut through the -mini flavors. + +------------------------------------------------------------------- +Wed Sep 18 06:52:56 UTC 2019 - Michal Hrusecky + +- Add p11kit build time dependency for pkcs providers autodetection + +------------------------------------------------------------------- +Mon Jul 29 07:43:00 UTC 2019 - Reinhard Max + +- Clarify in the service file that the reload action doesn't work + when dropping root privileges (boo#1142830). + +------------------------------------------------------------------- +Tue Jun 25 19:15:00 UTC 2019 - Michael Ströder + +- Updated openvpn.keyring with public key downloaded from + https://swupdate.openvpn.net/community/keys/security-key-2019.asc + +------------------------------------------------------------------- +Thu Feb 21 18:26:42 UTC 2019 - Franck Bui + +- Drop use of $FIRST_ARG in openvpn.spec + + The use of $FIRST_ARG was probably required because of the + %service_* rpm macros were playing tricks with the shell positional + parameters. This is bad practice and error prones so let's assume + that no macros should do that anymore and hence it's safe to assume + that positional parameters remains unchanged after any rpm macro + call. 
+ +------------------------------------------------------------------- +Wed Feb 20 21:22:25 UTC 2019 - Michael Ströder + +- Update to 2.4.7: + Adam Ciarcin?ski (1): + * Fix subnet topology on NetBSD (2.4). + Antonio Quartulli (3): + * add support for %lu in argv_printf and prevent ASSERT + * buffer_list: add functions documentation + * ifconfig-ipv6(-push): allow using hostnames + Arne Schwabe (7): + * Properly free tuntap struct on android when emulating persist-tun + * Add OpenSSL compat definition for RSA_meth_set_sign + * Add support for tls-ciphersuites for TLS 1.3 + * Add better support for showing TLS 1.3 ciphersuites in --show-tls + * Use right function to set TLS1.3 restrictions in show-tls + * Add message explaining early TLS client hello failure + * Fallback to password authentication when auth-token fails + Christian Ehrhardt (1): + * systemd: extend CapabilityBoundingSet for auth_pam + David Sommerseth (1): + * plugin: Export base64 encode and decode functions + Gert Doering (3): + * Add %d, %u and %lu tests to test_argv unit tests. + * Fix combination of --dev tap and --topology subnet across multiple platforms. + * Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. + Gert van Dijk (1): + * Minor reliability layer documentation fixes + James Bekkema (1): + * Resolves small IV_GUI_VER typo in the documentation. + Jonathan K. 
Bullard (1): + * Clarify and expand management interface documentation + Lev Stipakov (5): + * Refactor NCP-negotiable options handling + * init.c: refine functions names and description + * interactive.c: fix usage of potentially uninitialized variable + * options.c: fix broken unary minus usage + * Remove extra token after #endif + Richard van den Berg via Openvpn-devel (1): + * Fix error message when using RHEL init script + Samy Mahmoudi (1): + * man: correct a --redirection-gateway option flag + Selva Nair (7): + * Replace M_DEBUG with D_LOW as the former is too verbose + * Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' + * Bump version of openvpn plugin argument structs to 5 + * Move get system directory to a separate function + * Enable dhcp on tap adapter using interactive service + * Pass the hash without the DigestInfo header to NCryptSignHash() + * White-list pull-filter and script-security in interactive service + Simon Rozman (2): + * Add Interactive Service developer documentation + * Detect TAP interfaces with root-enumerated hardware ID + Steffan Karger (7): + * man: add security considerations to --compress section + * mbedtls: print warning if random personalisation fails + * Fix memory leak after sighup + * travis: add OpenSSL 1.1 Windows build + * Fix --disable-crypto build + * Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' + * buffer_list_aggregate_separator(): simplify code + +------------------------------------------------------------------- +Fri Apr 27 12:25:19 UTC 2018 - max@suse.com + +- Update to 2.4.6: + * CVE-2018-9336, bsc#1090839: Fix potential double-free() in + Interactive Service + * Delete the IPv6 route to the "connected" network on tun close + * Management: warn about password only when the option is in use + * Avoid overflow in wakeup time computation + +------------------------------------------------------------------- +Tue Apr 10 14:29:18 UTC 2018 - max@suse.com + +- 
Remove --askpass again, because it was also asking for a password + when none was needed. As a workaround for keys that need a + password, the "askpass" statement should be added to the config + file (bsc#1078026). +- Use Type=notify in openvpn.service to reflect what openvpn is + actually doing. +- Import the new signing key from upstream. +- Remove obsolete configure switch --enable-password-save . + +------------------------------------------------------------------- +Tue Mar 13 01:32:52 UTC 2018 - avindra@opensuse.org + +- Update to 2.4.5 + * New features + + The new option --tls-cert-profile can be used to restrict the + set of allowed crypto algorithms in TLS certificates in mbed + TLS builds. The default profile is 'legacy' for now, which + allows SHA1+, RSA-1024+ and any elliptic curve certificates. + The default will be changed to the 'preferred' profile in the + future, which requires SHA2+, RSA-2048+ and any curve. + + openvpnserv: Add support for multi-instances (to support + multiple parallel OpenVPN installations, like EduVPN and + regular OpenVPN) + + Use P_DATA_V2 for server->client packets too (better packet + alignment) + + improve management interface documentation + (bsc#1085803, CVE-2018-7544) + + rework registry key handling for OpenVPN service, notably + making most registry values optional, falling back to + reasonable defaults + + accept IPv6 address for pushed "dhcp-option DNS ..." (make + OpenVPN 2 option compatible with OpenVPN 3 iOS and Android + clients) + * Bug fixes + + Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ + + Fix lots of compiler warnings (format string, type casts, ...) + + reload HTTP proxy credentials when moving to the next + connection profile + + Fix build with LibreSSL (multiple times) + + Remove non-useful warning on pushed tun-ipv6 option. 
+ + autoconf: Fix engine checks for openssl 1.1 + + lz4: Rebase compat-lz4 against upstream v1.7.5 + + lz4: Fix broken builds when pkg-config is not present but + system library is + + Fix '--bind ipv6only' + + Allow learning iroutes with network made up of all 0s +- Includes 2.4.4 + * Bug fixes + + Fix issues when a pushed cipher via the Negotiable Crypto + Parameters (NCP) is rejected by the remote side + + Ignore --keysize when NCP have resulted in a changed cipher + + Configurations using --auth-nocache and the management + interface to provide user credentials (like NetworkManager) + on client side with servers implementing authentication + tokens (for example, using --auth-gen-token) will now behave + correctly and not query the user for an, to them, unknown + authentication token on renegotiations of the tunnel. + + Invalid or corrupt SOCKS port number when changing the proxy + via the management interface. + + man page should now have proper escaping of hyphen/minus + characters and other minor corrections. + * User-visible Changes + + Linux servers with systemd which use the openvpn-server@.service + unit file for server configurations will now utilize the + automatic restart feature in systemd. If the OpenVPN server + process dies unexpectedly, systemd will ensure the OpenVPN + configuration will be restarted automatically. + * Deprecated + + --no-replay (will be removed in 2.5) + + --keysize (will be removed in 2.6) + * Security + + CVE-2017-12166: Fix bounds check for configurations using + --key-method 1. Before this fix, attackers could send a + malformed packet to trigger a stack overflow. This is + considered to be a low risk issue, as --key-method 2 has + been the default since 2.0 (released on 2005-04-17). This + option is already deprecated in v2.4 and will be completely + removed in v2.5. 
+- Rebase openvpn-fips140-2.3.2.patch +- Drop 0002-Fix-bounds-check-in-read_key.patch + * upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255 +- Partial cleanup with spec-cleaner + +------------------------------------------------------------------- +Tue Feb 13 17:49:09 UTC 2018 - max@suse.com + +- Add --askpass to ExecStart, so that the user name and password + are correctly being queried from the user. + (bsc#1078026, boo#985798, boo#1031748) +- Use %service_add/del macros throughout (bsc#1038406). + +------------------------------------------------------------------- +Thu Nov 23 13:52:15 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Tue Oct 10 14:10:30 CEST 2017 - ndas@suse.de + +- Do bound check in read_key before using values(CVE-2017-12166 bsc#1060877). + [+ 0002-Fix-bounds-check-in-read_key.patch] + +------------------------------------------------------------------- +Fri Aug 11 13:43:39 UTC 2017 - sebix+novell.com@sebix.at + +- Do not package empty /usr/lib64/tmpfiles.d + +------------------------------------------------------------------- +Fri Jun 23 11:47:38 CEST 2017 - ndas@suse.de + +- Update to 2.4.3 (bsc#1045489) + - Ignore auth-nocache for auth-user-pass if auth-token is pushed + - crypto: Enable SHA256 fingerprint checking in --verify-hash + - copyright: Update GPLv2 license texts + - auth-token with auth-nocache fix broke --disable-crypto builds + - OpenSSL: don't use direct access to the internal of X509 + - OpenSSL: don't use direct access to the internal of EVP_PKEY + - OpenSSL: don't use direct access to the internal of RSA + - OpenSSL: don't use direct access to the internal of DSA + - OpenSSL: force meth->name as non-const when we free() it + - OpenSSL: don't use direct access to the internal of EVP_MD_CTX + - OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX + - OpenSSL: 
don't use direct access to the internal of HMAC_CTX + - Fix NCP behaviour on TLS reconnect. + - Remove erroneous limitation on max number of args for --plugin + - Fix edge case with clients failing to set up cipher on empty PUSH_REPLY. + - Fix potential 1-byte overread in TCP option parsing. + - Fix remotely-triggerable ASSERT() on malformed IPv6 packet. + - Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst) + - refactor my_strupr + - Fix 2 memory leaks in proxy authentication routine + - Fix memory leak in add_option() for option 'connection' + - Ensure option array p[] is always NULL-terminated + - Fix a null-pointer dereference in establish_http_proxy_passthru() + - Prevent two kinds of stack buffer OOB reads and a crash for invalid input data + - Fix an unaligned access on OpenBSD/sparc64 + - Missing include for socket-flags TCP_NODELAY on OpenBSD + - Make openvpn-plugin.h self-contained again. + - Pass correct buffer size to GetModuleFileNameW() + - Log the negotiated (NCP) cipher + - Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) + - Skip tls-crypt unit tests if required crypto mode not supported + - openssl: fix overflow check for long --tls-cipher option + - Add a DSA test key/cert pair to sample-keys + - Fix mbedtls fingerprint calculation + - mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522) + - mbedtls: require C-string compatible types for --x509-username-field + - Fix remote-triggerable memory leaks (CVE-2017-7521) + - Restrict --x509-alt-username extension types + - Fix potential double-free in --x509-alt-username (CVE-2017-7521) + - Fix gateway detection with OpenBSD routing domains + +------------------------------------------------------------------- +Wed Jun 14 12:05:14 CEST 2017 - ndas@suse.de + +- use %{_tmpfilesdir} for tmpfiles.d/openvpn.conf (bsc#1044223) + +------------------------------------------------------------------- +Tue Jun 6 14:59:29 CEST 2017 - ndas@suse.de + +- Update to 
2.4.2 + - auth-token: Ensure tokens are always wiped on de-auth + - Make --cipher/--auth none more explicit on the risks + - Use SHA256 for the internal digest, instead of MD5 + - Deprecate --ns-cert-type + - Deprecate --no-iv + - Support --block-outside-dns on multiple tunnels + - Limit --reneg-bytes to 64MB when using small block ciphers + - Fix --tls-version-max in mbed TLS builds + Details changelogs are avilable in + https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 + [*0001-preform-deferred-authentication-in-the-background.patch + *openvpn-2.3.x-fixed-multiple-low-severity-issues.patch + *openvpn-fips140-2.3.2.patch] +- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2 +- cleanup the spec file + +------------------------------------------------------------------- +Fri Apr 21 14:55:09 CEST 2017 - ndas@suse.de + +- Preform deferred authentication in the background to not + cause main daemon processing delays when the underlying pam mechanism (e.g. + ldap) needs longer to response (bsc#959511). + [+ 0001-preform-deferred-authentication-in-the-background.patch] +- Added fix for possible heap overflow on read accessing getaddrinfo + result (bsc#959714). + [+openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch] +- Added a patch to fix multiple low severity issues (bsc#934237). 
+ [+openvpn-2.3.x-fixed-multiple-low-severity-issues.patch] + +------------------------------------------------------------------- +Sun Jan 22 15:21:17 UTC 2017 - mrueckert@suse.de + +- silence warning about %{_rundir}/openvpn + - for non systemd case: just package the %{_rundir}/openvpn in + the package + - for systemd case: call systemd-tmpfiles and own the dir as + %ghost in the filelist + +------------------------------------------------------------------- +Sun Jan 22 14:51:44 UTC 2017 - mrueckert@suse.de + +- refreshed patches to apply cleanly again + openvpn-2.3-plugin-man.dif + openvpn-fips140-2.3.2.patch + +------------------------------------------------------------------- +Sun Jan 22 14:47:39 UTC 2017 - mrueckert@suse.de + +- update to 2.3.14 + - update year in copyright message + - Document the --auth-token option + - Repair topology subnet on FreeBSD 11 + - Repair topology subnet on OpenBSD + - Drop recursively routed packets + - Support --block-outside-dns on multiple tunnels + - When parsing '--setenv opt xx ..' 
make sure a third parameter + is present + - Map restart signals from event loop to SIGTERM during + exit-notification wait + - Correctly state the default dhcp server address in man page + - Clean up format_hex_ex() +- enabled pkcs11 support + +------------------------------------------------------------------- +Sat Dec 3 21:26:52 UTC 2016 - michael@stroeder.com + +- update to 2.3.13 +- removed obsolete patch files openvpn-2.3.0-man-dot.diff and + openvpn-fips140-AES-cipher-in-config-template.patch + +2016.11.02 -- Version 2.3.13 + Arne Schwabe (2): + * Use AES ciphers in our sample configuration files and add a few modern 2.4 examples + * Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer + David Sommerseth (4): + * t_client.sh: Make OpenVPN write PID file to avoid various sudo issues + * t_client.sh: Add support for Kerberos/ksu + * t_client.sh: Improve detection if the OpenVPN process did start during tests + * t_client.sh: Add prepare/cleanup possibilties for each test case + Gert Doering (5): + * Do not abort t_client run if OpenVPN instance does not start. + * Fix t_client runs on OpenSolaris + * make t_client robust against sudoers misconfiguration + * add POSTINIT_CMD_suf to t_client.sh and sample config + * Fix --multihome for IPv6 on 64bit BSD systems. 
+ Ilya Shipitsin (1): + * skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto + Lev Stipakov (2): + * Exclude peer-id from pulled options digest + * Fix compilation in pedantic mode + Samuli Seppänen (1): + * Automatically cache expected IPs for t_client.sh on the first run + Steffan Karger (6): + * Fix unittests for out-of-source builds + * Make gnu89 support explicit + * cleanup: remove code duplication in msg_test() + * Update cipher-related man page text + * Limit --reneg-bytes to 64MB when using small block ciphers + * Add a revoked cert to the sample keys + +2016.08.23 -- Version 2.3.12 + Arne Schwabe (2): + * Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it. + * Move ASSERT so external-key with OpenSSL works again + David Sommerseth (3): + * Only build and run cmocka unit tests if its submodule is initialized + * Another fix related to unit test framework + * Remove NOP function and callers + Dorian Harmans (1): + * Add CHACHA20-POLY1305 ciphersuite IANA name translations. 
+ Ivo Manca (1): + * Plug memory leak in mbedTLS backend + Jeffrey Cutter (1): + * Update contrib/pull-resolv-conf/client.up for no DOMAIN + Jens Neuhalfen (2): + * Add unit testing support via cmocka + * Add a test for auth-pam searchandreplace + Josh Cepek (1): + * Push an IPv6 CIDR mask used by the server, not the pool's size + Leon Klingele (1): + * Add link to bug tracker + Samuli Seppänen (2): + * Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes + * Clarify the fact that build instructions in README are for release tarballs + Selva Nair (4): + * Make error non-fatal while deleting address using netsh + * Make block-outside-dns work with persist-tun + * Ignore SIGUSR1/SIGHUP during exit notification + * Promptly close the netcmd_semaphore handle after use + Steffan Karger (4): + * Fix polarssl / mbedtls builds + * Don't limit max incoming message size based on c2->frame + * Fix '--cipher none --cipher' crash + * Discourage using 64-bit block ciphers + +------------------------------------------------------------------- +Mon Nov 28 16:33:34 UTC 2016 - matwey.kornilov@gmail.com + +- Require iproute2 explicitly. openvpn uses /bin/ip from iproute2, + so it should be installed + +------------------------------------------------------------------- +Thu Sep 8 13:26:16 UTC 2016 - astieger@suse.com + +- Add an example for a FIPS 140-2 approved cipher configuration to + the sample configuration files. 
Fixes bsc#988522 + adding openvpn-fips140-AES-cipher-in-config-template.patch +- remove gpg-offline signature verification, now a source service + +------------------------------------------------------------------- +Tue May 10 16:16:02 UTC 2016 - idonmez@suse.com + +- Update to version 2.3.11 + * Fixed port-share bug with DoS potential + * Fix buffer overflow by user supplied data + * Fix undefined signed shift overflow + * Ensure input read using systemd-ask-password is null terminated + * Support reading the challenge-response from console + * hardening: add safe FD_SET() wrapper openvpn_fd_set() + * Restrict default TLS cipher list +- Add BuildRequires on xz for SLE11 + +------------------------------------------------------------------- +Mon Jan 4 17:22:37 UTC 2016 - idonmez@suse.com + +- Update to version 2.3.10 + * Warn user if their certificate has expired + * Fix regression in setups without a client certificate + +------------------------------------------------------------------- +Wed Dec 16 14:30:49 UTC 2015 - idonmez@suse.com + +- Update to version 2.3.9 + * Show extra-certs in current parameters. + * Do not set the buffer size by default but rely on the operation system default. + * Remove --enable-password-save option + * Detect config lines that are too long and give a warning/error + * Log serial number of revoked certificate + * Avoid partial authentication state when using --disabled in CCD configs + * Replace unaligned 16bit access to TCP MSS value with bytewise access + * Fix possible heap overflow on read accessing getaddrinfo() result. + * Fix isatty() check for good. (obsoletes revert-daemonize.patch) + * Client-side part for server restart notification + * Fix privilege drop if first connection attempt fails + * Support for username-only auth file. 
+ * Increase control channel packet size for faster handshakes + * hardening: add insurance to exit on a failed ASSERT() + * Fix memory leak in auth-pam plugin + * Fix (potential) memory leak in init_route_list() + * Fix unintialized variable in plugin_vlog() + * Add macro to ensure we exit on fatal errors + * Fix memory leak in add_option() by simplifying get_ipv6_addr + * openssl: properly check return value of RAND_bytes() + * Fix rand_bytes return value checking + * Fix "White space before end tags can break the config parser" + +------------------------------------------------------------------- +Thu Dec 3 14:07:17 UTC 2015 - mt@suse.com + +- Adjust /var/run to _rundir macro value in openvpn@.service too. + +------------------------------------------------------------------- +Thu Aug 20 08:43:33 UTC 2015 - mt@suse.com + +- Removed obsolete --with-lzo-headers option, readded LFS_CFLAGS. +- Moved openvpn-plugin.h into a devel package, removed .gitignore + +------------------------------------------------------------------- +Thu Aug 13 08:29:35 UTC 2015 - idonmez@suse.com + +- Add revert-daemonize.patch, looks like under systemd the stdin + and stdout are not TTYs by default. This reverts to previous + behaviour fixing bsc#941569 + +------------------------------------------------------------------- +Wed Aug 5 12:03:33 UTC 2015 - idonmez@suse.com + +- Update to version 2.3.8 + * Report missing endtags of inline files as warnings + * Fix commit e473b7c if an inline file happens to have a + line break exactly at buffer limit + * Produce a meaningful error message if --daemon gets in the way of + asking for passwords. 
+ * Document --daemon changes and consequences (--askpass, --auth-nocache) + * Del ipv6 addr on close of linux tun interface + * Fix --askpass not allowing for password input via stdin + * Write pid file immediately after daemonizing + * Fix regression: query password before becoming daemon + * Fix using management interface to get passwords + * Fix overflow check in openvpn_decrypt() + +------------------------------------------------------------------- +Tue Jun 9 15:51:06 UTC 2015 - idonmez@suse.com + +- Update to version 2.3.7 + * down-root plugin: Replaced system() calls with execve() + * sockets: Remove the limitation of --tcp-nodelay to be server-only + * pkcs11: Load p11-kit-proxy.so module by default + * New approach to handle peer-id related changes to link-mtu + * Fix incorrect use of get_ipv6_addr() for iroute options + * Print helpful error message on --mktun/--rmtun if not available + * Explain effect of --topology subnet on --ifconfig + * Add note about file permissions and --crl-verify to manpage + * Repair --dev null breakage caused by db950be85d37 + * Correct note about DNS randomization in openvpn.8 + * Disallow usage of --server-poll-timeout in --secret key mode + * Slightly enhance documentation about --cipher + * On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo() + * Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo() + * Fix --redirect-private in --dev tap mode + * Updated manpage for --rport and --lport + * Properly escape dashes on the man-page + * Improve documentation in --script-security section of the man-page + * Really fix '--cipher none' regression + * Set tls-version-max to 1.1 if cryptoapicert is used + * Account for peer-id in frame size calculation + * Disable SSL compression + * Fix frame size calculation for non-CBC modes. 
+ * Allow for CN/username of 64 characters (fixes off-by-one) + * Re-enable TLS version negotiation by default + * Remove size limit for files inlined in config + * Improve --tls-cipher and --show-tls man page description + * Re-read auth-user-pass file on (re)connect if required + * Clarify --capath option in manpage + * Call daemon() before initializing crypto library + +------------------------------------------------------------------- +Mon Mar 2 08:26:08 UTC 2015 - mt@suse.de + +- Fixed to use correct sha digest data length and in fips mode, + use aes instead of the disallowed blowfish crypto (boo#914166). +- Fixed to provide actual plugin/doc dirs in openvpn(8) man page. + +------------------------------------------------------------------- +Mon Dec 1 19:37:29 UTC 2014 - mt@suse.de + +- Update to version 2.3.6 fixing a denial-of-service vulnerability + where an authenticated client could stop the server by triggering + a server-side ASSERT (bnc#907764,CVE-2014-8104). + See ChangeLog file for a complete list of changes. + +------------------------------------------------------------------- +Thu Oct 30 12:28:48 UTC 2014 - idonmez@suse.com + +- Update to version 2.3.5 + * See included changelog +- Depend on systemd-devel for the daemon check functionality + +------------------------------------------------------------------- +Mon Aug 25 09:12:08 UTC 2014 - idonmez@suse.com + +- Update to version 2.3.4 + * Add support for client-cert-not-required for PolarSSL. + * Introduce safety check for http proxy options. + +------------------------------------------------------------------- +Mon May 26 15:41:34 UTC 2014 - crrodriguez@opensuse.org + +- Build with large file support in 32 bit systems. 
+ +------------------------------------------------------------------- +Sun May 11 07:58:52 UTC 2014 - coolo@suse.com + +- use %_rundir for %ghost directory - leaving /var/run everywhere + else + +------------------------------------------------------------------- +Tue Jan 14 10:43:19 UTC 2014 - mt@suse.de + +- Updated README.SUSE, documented also the rcopenvpn compatibility + wrapper script (bnc#848070). + +------------------------------------------------------------------- +Thu Jan 9 14:14:19 UTC 2014 - meissner@suse.com + +- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in + some internal checking routines. This allows operation in FIPS 140-2 + mode. + +------------------------------------------------------------------- +Tue Dec 17 15:26:16 UTC 2013 - mt@suse.de + +- Readded rcopenvpn helper script under systemd (bnc#848070) + +------------------------------------------------------------------- +Thu Oct 31 18:45:02 UTC 2013 - mt@suse.de + +- Fixed invalid mode in exec bit removal call from doc files + +------------------------------------------------------------------- +Tue Aug 27 16:28:52 UTC 2013 - lmuelle@suse.com + +- Add a section about how to control all or a named configuration with the + help of systemctl to the README.SUSE file. + +------------------------------------------------------------------- +Mon Jun 3 22:09:09 UTC 2013 - mrdocs@opensuse.org + +- Update to 2.3.2 + +Fixes since 2.3.0 +- Remove dead code path and putenv functionality +- Remove unused function xor +- Move static prototype definition from header into c file +- Remove unused function no_tap_ifconfig +- fix build with automake 1.13(.1) +- Fix corner case in NTLM authentication (trac #172) +- Update README.IPv6 to match what is in 2.3.0 +- Repair "tcp server queue overflow" brokenness, more fallout. +- Permit pool size of /64.../112 for ifconfig-ipv6-pool +- Add MIN() compatibility macro +- Fix directly connected routes for "topology subnet" on Solaris. 
+- close more file descriptors on exec +- Ignore UTF-8 byte order mark +- reintroduce --no-name-remapping option +- make --tls-remote compatible with pre 2.3 configs +- add new option for X.509 name verification +- add man page patch for missing options +- Fix parameter listing in non-debug builds at verb 4 +- (updated) [PATCH] Warn when using verb levels >=7 without debug +- Enable TCP_NODELAY configuration on FreeBSD. +- Updated README +- Cleaned up and updated INSTALL +- PolarSSL-1.2 support +- Improve PolarSSL key_state_read_{cipher, plain}text messages +- Improve verify_callback messages +- Config compatibility patch. Added translate_cipher_name. +- Switch to IANA names for TLS ciphers. +- Fixed autoconf script to properly detect missing pkcs11 with polarssl. +- Use constant time memcmp when comparing HMACs in openvpn_decrypt. + +------------------------------------------------------------------- +Mon May 6 11:13:49 UTC 2013 - mt@suse.de + +- Try to migrate openvpn.service autostart to openvpn@.service + instance enablement. + +------------------------------------------------------------------- +Tue Apr 23 13:20:48 UTC 2013 - mt@suse.de + +- Fixed to enable systemd support in configure +- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group. +- Added openvpn.target file allowing to handle all instances at once. +- Fixed to install the service template correctly as openvpn@.service. + Use "systemctl enable openvpn@foo.service" to enable instance using + /etc/openvpn/foo.conf. +- Disabled systemd variant of restart on update rpm macro, adopted other + macros to use openvpn.target to e.g. stop all instances on uninstall. + +------------------------------------------------------------------- +Tue Mar 26 14:38:48 UTC 2013 - aj@suse.com + +- Remove _unitdir definition, it is provided by systemd. 
+- Install service file without x permissions
+
+-------------------------------------------------------------------
+Mon Mar 25 14:55:35 UTC 2013 - p.drouand@gmail.com
+
+Update to version 2.3.0:
+ * Full IPv6 support
+ * SSL layer modularised, enabling easier implementation for other SSL libraries
+ * PolarSSL support as a drop-in replacement for OpenSSL
+ * New plug-in API providing direct certificate access, improved logging API
+ and easier to extend in the future
+ * Added 'dev_type' environment variable to scripts and plug-ins - which is
+ set to 'TUN' or 'TAP'
+ * New feature: --management-external-key - to provide access to the encryption
+ keys via the management interface
+ * New feature: --x509-track option, more fine grained access to X.509 fields
+ in scripts and plug-ins
+ * New feature: --client-nat support
+ * New feature: --mark which can mark encrypted packets from the tunnel, suitable
+ for more advanced routing and firewalling
+ * New feature: --management-query-proxy - manage proxy settings via the management
+ interface (supercedes --http-proxy-fallback)
+ * New feature: --stale-routes-check, which cleans up the internal routing table
+ * New feature: --x509-username-field, where other X.509v3 fields can be used for
+ the authentication instead of Common Name
+ * Improved client-kill management interface command
+ * Improved UTF-8 support - and added --compat-names to provide backwards compatibility
+ with older scripts/plug-ins
+ * Improved auth-pam with COMMONNAME support, passing the certificate's common
+ name in the PAM conversation
+ * More options can now be used inside blocks
+ * Completely new build system, enabling easier cross-compilation and Windows builds
+ * Much of the code has been better documented
+ * Many documentation updates
+ * Plenty of bug fixes and other code clean-ups
+- Add systemd native support for OpenSUSE > 12.1
+- Adapt patchs to upstream release:
+ * openvpn-2.1-plugin-man.dif > openvpn-2.3-plugin-man.dif
+ * openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff
+- Remove obsolete patchs; fixed or merged on upstream release:
+ * 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch
+ * openvpn-2.1-plugin-build.dif
+ * openvpn-2.1-systemd-passwd.patch
+- Rebase specfile to upstream changes:
+ * easy-rsa is not provided anymore with main package
+ * remove %clean section
+ * autoreconf -fi is no needed
+- Update openvpn.keyring file for upstream release asc key
+
+-------------------------------------------------------------------
+Mon Jan 28 13:59:07 UTC 2013 - mt@suse.com
+
+- Join openvpn.service systemd cgroup in start when needed, e.g.
+ when starting with further parameters. (bnc#781106)
+
+-------------------------------------------------------------------
+Thu Nov 29 18:19:40 CET 2012 - sbrabec@suse.cz
+
+- Verify GPG signature.
+
+-------------------------------------------------------------------
+Fri Sep 21 12:18:32 UTC 2012 - coolo@suse.com
+
+- fix ciaran's previous license entry. the license has a SUSE prefix
+
+-------------------------------------------------------------------
+Thu Sep 20 10:50:23 UTC 2012 - mt@suse.com
+
+- Fixed openvpn init script to not map reopen to reload so the
+ reopen code is without any effect (bnc#781106).
+- Added requested OPENVPN_AUTOSTART variable allowing to provide
+ an optional list of config names started by default (bnc#692440).
+
+-------------------------------------------------------------------
+Wed Aug 22 14:50:39 UTC 2012 - cfarrell@suse.com
+
+- license update: GPL-2.0-with-openssl-exception and LGPL-2.1
+ openssl has an openssl exception (also, it is GPL-2.0 only)
+
+-------------------------------------------------------------------
+Thu Mar 29 09:45:56 UTC 2012 - mt@suse.com
+
+- Fixed SLES build readding Group tags to sub-packages in spec,
+ not require libselinux-devel on SLE-10 and datadir/doc cleanup.
+
+-------------------------------------------------------------------
+Wed Feb 15 15:21:32 UTC 2012 - mt@suse.com
+
+- Updated to openvpn-2.2.2:
+ - Warn once, that IPv6 in tun mode is not supported in OpenVPN 2.2
+ - Pkcs11 support built into the Windows version
+ - Fixed a bug in the Windows TAP-driver
+
+-------------------------------------------------------------------
+Thu Dec 8 08:40:17 UTC 2011 - aj@suse.de
+
+- Fix source URLs.
+
+-------------------------------------------------------------------
+Fri Dec 2 16:24:00 UTC 2011 - coolo@suse.com
+
+- add automake as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Mon Aug 29 18:05:30 UTC 2011 - mt@suse.com
+
+- Marked /var/run/openvpn as ghost (bnc#710270), man page and
+ other rpmlint warning fixes
+
+-------------------------------------------------------------------
+Tue Aug 23 15:41:00 UTC 2011 - crrodriguez@opensuse.org
+
+- BuildRequires libselinux-devel
+- Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent
+ upstream as https://community.openvpn.net/openvpn/ticket/157
+
+-------------------------------------------------------------------
+Mon Aug 22 09:55:44 UTC 2011 - fcrozat@novell.com
+
+- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to
+ support systemd password query (bnc#675406)
+
+-------------------------------------------------------------------
+Mon Jul 11 14:38:45 UTC 2011 - mt@suse.de
+
+- Updated to openvpn-2.2.1, a new version series providing several
+ new features. This version fixes build issues and provides
+ updated easy-rsa for OpenSSL 1.0.0 (fixes Trac ticket #125),
+- Adopted spec file, enabled saving password in a file and to
+ specify an alternative username in x509 cert.
+- Removed X-Interactive from init script again, as systemd isn't
+ able to use it correctly [any more?] (bnc#675406). We will
+ address it later and probably use /bin/systemd-ask-password.
+
+-------------------------------------------------------------------
+Tue Mar 15 21:05:23 UTC 2011 - crrodriguez@opensuse.org
+
+- KVPNC is unable to parse openvpn version [bnc#679153]
+
+-------------------------------------------------------------------
+Thu Feb 17 10:59:23 UTC 2011 - mt@suse.de
+
+- Added X-Interactive: true LSB tag to the init script.
+
+-------------------------------------------------------------------
+Tue Nov 16 09:45:46 UTC 2010 - mt@suse.de
+
+- Updated to openvpn 2.1.4, providing several bug fixes and
+ improvements, such as:
+ * Fix of a problem with special case route targets
+ * Try to ensure, that the tun/tap interface gets closed on
+ non-graceful aborts.
+ * Several AUTH_FAILED reporting fixes causing the connection
+ to fail without any error indication.
+ * Enable exponential backoff in reliability layer retransmits.
+ * Proxy improvements
+ Please review the ChangeLog file for a complete and exact list.
+
+-------------------------------------------------------------------
+Wed Sep 8 16:34:21 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Do not include build date in binaries
+
+-------------------------------------------------------------------
+Tue Jun 15 09:31:56 UTC 2010 - mt@suse.de
+
+- Improved netconfig based client up and down sample scripts.
+
+-------------------------------------------------------------------
+Fri Jun 11 17:07:11 CEST 2010 - anschneider@exsuse.de
+
+- Added netconfig based client up and down scripts to samples.
+
+-------------------------------------------------------------------
+Thu Mar 11 08:51:39 UTC 2010 - mt@suse.de
+
+- Updated to openvpn 2.1.1; linux related changes since 2.1_rc20:
+ * Fixed a couple issues in sample plugins auth-pam.c and
+ down-root.c.
+ (1) Fail gracefully rather than segfault if calloc returns NULL.
+ (2) The openvpn_plugin_abort_v1 function can potentially be
+ called with handle == NULL. Add code to detect this case,
+ and if so, avoid dereferencing pointers derived from handle
+ (Thanks to David Sommerseth for finding this bug).
+ * Documented "multihome" option in the man page.
+ * Added a hard failure when peer provides a certificate chain
+ with depth > 16. Previously, a warning was issued.
+ * Added additional session renegotiation hardening. OpenVPN has
+ always required that mid-session renegotiations build up a new
+ SSL/TLS session from scratch. While the client certificate
+ common name is already locked against changes in mid-session
+ TLS renegotiations, we now extend this locking to the
+ auth-user-pass username as well as all certificate content in
+ the full client certificate chain.
+- Improved openvpn init script adding messages giving a hint about
+ pid write failure and to look into the log messages (bnc#559041).
+- Added -fno-strict-aliasing to compile flags in the spec file.
+
+-------------------------------------------------------------------
+Fri Dec 17 23:00:46 CET 2009 - mt@suse.de
+
+- Updated to openvpn 2.1 2.1_rc20, fixing problems in route and
+ option handling provided by the from server (bnc#552440).
+ For complete list of changes, see ChangeLog file, here just
+ the IMO most important:
+ * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using
+ the redirect-gateway option by itself, without any extra
+ parameters, would cause the option to be ignored.
+ * Optimized PUSH_REQUEST handshake sequence to shave several
+ seconds off of a typical client connection initiation.
+ * The maximum number of "route" directives (specified in the
+ config file or pulled from a server) can now be configured
+ via the new "max-routes" directive.
+ * Eliminated the limitation on the number of options that can
+ be pushed to clients, including routes. Previously, all
+ pushed options needed to fit within a 1024 byte options
+ string.
+ * Added --server-poll-timeout option : when polling possible
+ remote servers to connect to in a round-robin fashion,
+ spend no more than n seconds waiting for a response before
+ trying the next server.
+ * Added the ability for the server to provide a custom reason
+ string when an AUTH_FAILED message is returned to the client.
+ This string can be set by the server-side managment interface
+ and read by the client-side management interface.
+ * client-kill management interface command, when issued on server,
+ will now send a RESTART message to client. This feature is
+ intended to make UDP clients respond the same as TCP clients
+ in the case where the server issues a RESTART message in order
+ to force the client to reconnect and pull a new options/route
+ list.
+
+-------------------------------------------------------------------
+Fri Oct 2 15:14:51 CEST 2009 - mt@suse.de
+
+- Added network-remotefs to init script dependencies (bnc#522279).
+
+-------------------------------------------------------------------
+Wed Jun 10 10:24:06 CEST 2009 - mt@suse.de
+
+- Updated to openvpn 2.1 [2.1_rc18] series (fate#305289).
+- Enabled pkcs11-helper for openSUSE > 10.3 (bnc#487558).
+- Adopted spec file and patches, improved init script.
+- Disabled installation of easy-rsa for Windows.
+
+-------------------------------------------------------------------
+Tue Feb 17 18:22:23 CET 2009 - mt@suse.de
+
+- Improved init script to show config name in action messages
+ and allow to specify a config name in the second argument.
+
+-------------------------------------------------------------------
+Mon Dec 1 10:58:12 CET 2008 - mt@suse.de
+
+- Removed restart_on_update rpm install hook that may break the
+ update process, e.g. when openvpn asks for auth data or the
+ update process is running over the tunnel (bnc#450390).
+
+-------------------------------------------------------------------
+Tue Oct 28 12:13:45 CET 2008 - mt@suse.de
+
+- Fixed init script to handle pid files correctly (bnc#435421).
+
+-------------------------------------------------------------------
+Thu May 29 15:16:03 CEST 2008 - mt@suse.de
+
+- Added $time $named to Should-Start in the init script to avoid
+ time related certificate errors and name resolving problems.
+- Added iproute2 to BuildRequires to avoid openvpn rely on PATH.
+
+-------------------------------------------------------------------
+Mon May 26 07:53:38 CEST 2008 - mt@suse.de
+
+- Reverted init script changes adding startproc, since they break
+ user auth query and multiple tunnels (bnc#394360, bnc#394353).
+
+-------------------------------------------------------------------
+Thu May 22 18:21:59 CEST 2008 - mt@suse.de
+
+- Added -lpam to LDFLAGS of openvpn, because linking the openvpn
+ auth-pam plugin against pam is not sufficient. Many pam modules
+ that are loaded by pam during the authentication process are not
+ linked against pam and contain undefined symbols, causing the
+ authentication to fail (bnc#334773).
+- Replaced patch loading plugins from /usr/%_lib/openvpn/plugin/lib
+ with -rpath linker flags (bnc#334773).
+- Fixed init script to use startproc to return 0 when started twice.
+
+-------------------------------------------------------------------
+Tue Feb 19 11:32:55 CET 2008 - mt@suse.de
+
+- Fixed spec file to not set pie flags when building plugins
+
+-------------------------------------------------------------------
+Thu Jan 17 19:44:41 CET 2008 - mt@suse.de
+
+- Bug #334773: Enabled build of down-root and auth-pam plugins,
+ sub-packaged as openvpn-auth-pam-plugin/down-root-plugin.
+- Added patch to load plugins from /usr/%_lib/openvpn/plugin/lib
+ first, when the plugin name is specified as basename only.
+- Added patch adoptiong plugin path informations in openvpn.8.
+- Added patch to build plugins with RPM_OPT_FLAGS.
+- Fixed init script to use Should-Start/Stop LSB info tags.
+- Bug #343106: Enabled iproute2 support / usage
+
+-------------------------------------------------------------------
+Mon Jun 4 10:14:03 CEST 2007 - mt@suse.de
+
+- fixed easy-rsa installation (no exec in doc directory)
+- improved spec to use configure directory variables and
+ cleaned up macro calls in RPM pre/post scripts.
+- fixed openvpn binary check in the init script.
+
+-------------------------------------------------------------------
+Fri Oct 27 10:40:59 CEST 2006 - mt@suse.de
+
+- upstream 2.0.9, Windows related fixes only
+ * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
+ published vulnerabilities.
+ * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
+ (Henry Nestler). The TAP-Win32 driver has now been
+ upgraded to version 8.4.
+
+-------------------------------------------------------------------
+Wed Sep 27 14:34:48 CEST 2006 - poeml@suse.de
+
+- upstream 2.0.8
+ * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
+ RSA Signature Forgery (CVE-2006-4339).
+ * No changes to OpenVPN source code between 2.0.7 and 2.0.8.
+
+-------------------------------------------------------------------
+Fri Jun 23 11:55:10 CEST 2006 - poeml@suse.de
+
+- upstream 2.0.7, with bug fixes:
+* When deleting routes under Linux, use the route metric
+ as a differentiator to ensure that the route teardown
+ process only deletes the identical route which was originally
+ added via the "route" directive (Roy Marples).
+* Fixed bug where --server directive in --dev tap mode
+ claimed that it would support subnets of /30 or less
+ but actually would only accept /29 or less.
+* Extend byte counters to 64 bits (M. van Cuijk).
+* Better sanity checking of --server and --server-bridge
+ IP pool ranges, so as not to hit the assertion at
+ pool.c:119 (2.0.5).
+* Fixed bug where --daemon and --management-query-passwords
+ used together would cause OpenVPN to block prior to
+ daemonization.
+* Fixed client/server race condition which could occur
+ when --auth-retry interact is set and the initially
+ provided auth-user-pass credentials are incorrect,
+ forcing a username/password re-query.
+* Fixed bug where if --daemon and --management-hold are
+ used together, --user or --group options would be ignored.
+* fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed
+ to clients from the server)
+- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
+
+-------------------------------------------------------------------
+Wed Apr 19 13:10:56 CEST 2006 - poeml@suse.de
+
+- security fix (CVE-2006-1629): disallow "setenv" to be pushed to
+ clients from the server [#165123]
+
+-------------------------------------------------------------------
+Wed Jan 25 21:39:08 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Thu Nov 3 15:25:01 CET 2005 - poeml@suse.de
+
+- update to 2.0.5, with two security fixes -- see below. [#132003]
+ 2005.11.02 -- Version 2.0.5
+ * Fixed bug in Linux get_default_gateway function
+ introduced in 2.0.4, which would cause redirect-gateway
+ on Linux clients to fail.
+ * Restored easy-rsa/2.0 tree (backported from 2.1 beta
+ series) which accidentally disappeared in
+ 2.0.2 -> 2.0.4 transition.
+ 2005.11.01 -- Version 2.0.4
+ * Security fix -- Affects non-Windows OpenVPN clients of
+ version 2.0 or higher which connect to a malicious or
+ compromised server. A format string vulnerability
+ in the foreign_option function in options.c could
+ potentially allow a malicious or compromised server
+ to execute arbitrary code on the client. Only
+ non-Windows clients are affected. The vulnerability
+ only exists if (a) the client's TLS negotiation with
+ the server succeeds, (b) the server is malicious or
+ has been compromised such that it is configured to
+ push a maliciously crafted options string to the client,
+ and (c) the client indicates its willingness to accept
+ pushed options from the server by having "pull" or
+ "client" in its configuration file (Credit: Vade79).
+ CVE-2005-3393
+ * Security fix -- Potential DoS vulnerability on the
+ server in TCP mode. If the TCP server accept() call
+ returns an error status, the resulting exception handler
+ may attempt to indirect through a NULL pointer, causing
+ a segfault. Affects all OpenVPN 2.0 versions.
+ CVE-2005-3409
+ * Fix attempt of assertion at multi.c:1586 (note that
+ this precise line number will vary across different
+ versions of OpenVPN).
+ * Added ".PHONY: plugin" to Makefile.am to work around
+ "make dist" issue.
+ * Fixed double fork issue that occurs when --management-hold
+ is used.
+ * Moved TUN/TAP read/write log messages from --verb 8 to 6.
+ * Warn when multiple clients having the same common name or
+ username usurp each other when --duplicate-cn is not used.
+ * Modified Windows and Linux versions of get_default_gateway
+ to return the route with the smallest metric
+ if multiple 0.0.0.0/0.0.0.0 entries are present.
+ 2005.09.25 -- Version 2.0.3-rc1
+ * openvpn_plugin_abort_v1 function wasn't being properly
+ registered on Windows.
+ * Fixed a bug where --mode server --proto tcp-server --cipher none
+ operation could cause tunnel packet truncation.
+
+-------------------------------------------------------------------
+Tue Aug 30 15:05:08 CEST 2005 - poeml@suse.de
+
+- update to 2.0.2 [#106258] relevant changes:
+ * Fixed bug where "--proto tcp-server --mode p2p --management
+ host port" would cause the management port to not respond until
+ the OpenVPN peer connects.
+ * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
+
+-------------------------------------------------------------------
+Tue Aug 23 13:56:27 CEST 2005 - poeml@suse.de
+
+- update to 2.0.1 [#106258]
+ * Security Fix -- DoS attack against server when run with "verb 0" and
+ without "tls-auth". If a client connection to the server fails
+ certificate verification, the OpenSSL error queue is not properly
+ flushed, which can result in another unrelated client instance on the
+ server seeing the error and responding to it, resulting in disconnection
+ of the unrelated client (CAN-2005-2531).
+ * Security Fix -- DoS attack against server by authenticated client.
+ This bug presents a potential DoS attack vector against the server
+ which can only be initiated by a connected and authenticated client.
+ If the client sends a packet which fails to decrypt on the server,
+ the OpenSSL error queue is not properly flushed, which can result in
+ another unrelated client instance on the server seeing the error and
+ responding to it, resulting in disconnection of the unrelated client
+ (CAN-2005-2532).
+ * Security Fix -- DoS attack against server by authenticated client.
+ A malicious client in "dev tap" ethernet bridging mode could
+ theoretically flood the server with packets appearing to come from
+ hundreds of thousands of different MAC addresses, causing the OpenVPN
+ process to deplete system virtual memory as it expands its internal
+ routing table. A --max-routes-per-client directive has been added
+ (default=256) to limit the maximum number of routes in OpenVPN's
+ internal routing table which can be associated with a given client
+ (CAN-2005-2533).
+ * Security Fix -- DoS attack against server by authenticated client.
+ If two or more client machines try to connect to the server at the
+ same time via TCP, using the same client certificate, and when
+ --duplicate-cn is not enabled on the server, a race condition can
+ crash the server with "Assertion failed at mtcp.c:411"
+ (CAN-2005-2534).
+ * Fixed server bug where under certain circumstances, the client instance
+ object deletion function would try to delete iroutes which had never been
+ added in the first place, triggering "Assertion failed at mroute.c:349".
+ * Added --auth-retry option to prevent auth errors from being fatal
+ on the client side, and to permit username/password requeries in case
+ of error. Also controllable via new "auth-retry" management interface
+ command. See man page for more info.
+ * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
+ * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
+ would fail to build.
+ * Implement "make check" to perform loopback tests (Matthias Andree).
+- drop obsolete patch which fixed finding lzo libraries
+
+-------------------------------------------------------------------
+Tue Jun 28 14:27:17 CEST 2005 - mrueckert@suse.de
+
+- The previous patch didnt work with lzo1 based distros. Fixed.
+
+-------------------------------------------------------------------
+Tue Jun 28 11:25:32 CEST 2005 - cthiel@suse.de
+
+- fixed build with lzo2 (added lzo2.diff)
+
+-------------------------------------------------------------------
+Thu Jun 23 01:48:38 CEST 2005 - ro@suse.de
+
+- build with fPIE/pie
+
+-------------------------------------------------------------------
+Thu Jun 2 18:01:18 CEST 2005 - hvogel@suse.de
+
+- lzo headers are in a subdirectory now
+
+-------------------------------------------------------------------
+Tue Apr 19 10:28:32 CEST 2005 - cthiel@suse.de
+
+- update to 2.0
+
+-------------------------------------------------------------------
+Thu Feb 17 21:57:20 CET 2005 - poeml@suse.de
+
+- update to 2.0_rc14
+- add README.SUSE
+
+-------------------------------------------------------------------
+Fri Jan 28 10:52:55 CET 2005 - poeml@suse.de
+
+- update to 2.0_rc10
+
+-------------------------------------------------------------------
+Wed Dec 29 14:10:20 CET 2004 - poeml@suse.de
+
+- update to 2.0_rc6
+
+-------------------------------------------------------------------
+Wed Dec 29 10:35:28 CET 2004 - poeml@suse.de
+
+- update to 2.0_rc1 (closing #45979)
+ IMPORTANT: OpenVPN's default port number is now 1194, based on an
+ official port number assignment by IANA. OpenVPN 2.0-beta16 and
+ earlier used 5000 as the default port.
+ -> see http://openvpn.net/20notes.html
+- remove lzo sources, which come in a separate package since 9.2
+
+-------------------------------------------------------------------
+Mon Jul 26 15:43:00 CEST 2004 - poeml@suse.de
+
+- update to 1.6_rc4
+- bzip2 sources
+
+-------------------------------------------------------------------
+Sun Jan 11 11:33:35 CET 2004 - adrian@suse.de
+
+- build as user
+
+-------------------------------------------------------------------
+Tue Dec 16 16:07:29 CET 2003 - wengel@suse.de
+
+- update to version 1.5.0
+
+-------------------------------------------------------------------
+Sun Sep 7 18:41:23 CEST 2003 - poeml@suse.de
+
+- add an init script
+- use RPM_OPT_FLAGS
+- add /var/run/openvpn directory for pid files
+
+-------------------------------------------------------------------
+Thu Jul 31 14:24:14 CEST 2003 - wengel@suse.de
+
+- update to new version -> 1.4.2
+
+-------------------------------------------------------------------
+Tue May 27 10:45:35 CEST 2003 - coolo@suse.de
+
+- use BuildRoot
+- package a bit more straightforward
+
+-------------------------------------------------------------------
+Mon May 19 08:41:42 CEST 2003 - wengel@suse.de
+
+- update to version 1.4.1
+
+-------------------------------------------------------------------
+Mon Jan 20 17:05:53 CET 2003 - wengel@suse.de
+
+- initial package
+
diff --git a/openvpn.keyring b/openvpn.keyring
new file mode 100644
index 0000000..05764a9
--- /dev/null
+++ b/openvpn.keyring
@@ -0,0 +1,496 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7 + +xsFNBFicXUkBEAC9j2L+kJxqetXfslRL/UOqZUNpfNGUjpP2yb+j9UYdZbS3dq67 +i0oYINqKRO4fZEg0VLpW611fTUL3qhKADmSlrktY8p26T79I/TYAUuwlijTFKUVw +3RGpMsfuldnk007uhx7Go5Ss6y7fPzwWxhvwuRhNdh8I+vswrsBMp08dQ36sIjnv +5QQ1MekBiIiOnMwQBgUUSG7rsbGtrIlW0mlScO3fOAI2CtT2J4s3uGnktKsGSuoe +s3qmRVrKceLygEJE9nB3vV7JhCfQWR97HCGrORcq6lBzi4dC0l9Mp28npQ/mcEtg +B2oKA4Gs8qyhhhVLC6lBF38z9gfoLVqA+d9dY1l33atTyNfvA6swiA9hjklAzL3P +zUqabmRzKalhVwhNKnua3Zw21OphLUk6vzZPZ6VB/Xddmenu0MCLx8mubKr+H+cj +2YRgn9Np2NR7J6reSWD/WbG12DKa84rTrCw3bpUDR3PvB3IztRfDGlBonDaL1i62 +bav3zvqEia7kQiR6qLd6KMk4dcpE5UAdLii8yGNBF93aU4UPJg4zhTl4hBANp8jf +tCd4LfxB1aurGfqSlwfE3c1wYXOAplzG/CAbvHch0mA1ckKKb9MYvmInYj/cnPxT +ZBhjT5qBq91qiqNbStVquyBwuyEsa3FpeUopTZWxeO6Ik6hz89g3+Mu2awARAQAB +zTZPcGVuVlBOIC0gU2VjdXJpdHkgTWFpbGluZyBMaXN0IDxzZWN1cml0eUBvcGVu +dnBuLm5ldD7CwZIEEwECACUCGwMFCRLMAwACHgECF4AFAlicy64ECwkIBwQVCgkI +BRYCAwEAACEJEBL197QvKwHnFiEE9VSjaHQSz/697+CjEvX3tC8rAecE3A/+LCiw +UH30gbauYFlk6tWL8GfEKmGqjyYVIJAmmkdlHXg/oiP96Xjrg6aOHLm/QNIvNIM2 +Z8u+0i/UxpPcnXp1qxy6YEl2rgbib0njCC2L23ziEVQniPBrZCWvp5wQdMy3BG+1 +cvYV+H84YlW3IZm/P6mqgKNU1U1jY4zpIVe6oF+WhM7ijZGQFOYzaFBK3kZw5TNg +uXiQEdisDZF25zHBcz7aR1WtYsd6Zm/Tfeaoaa8SW23GdhueruDpIEsEAcMrwfsY +nUPTuIQ/NsiQoQWVKHRMxONuJB53o07/1T8C8GPBL3t5xVZZK2Go0XQryUWuW380 +IrT120B+patIpdySOTzBlDeX75nNdM2epY8mBmlR6Jx1RTAAY1ImYD1myv2+kYZY +czfThpN04G2L2LXbnOJ99UmAxGIvabPYawYriEYI1r7+WeQXHoHS8SxZex7tSzuV +kYYE3mxT0YaPD9FGjbcu/79GYF8OqouKUcjFTDOzL3yBZIbJSXlxgXD+AjIOjV54 +F9+xkmT0GAC55QbCPmvgMLhAbl8b+maKw0MORCTqhzpF5jOVPjhT36ZJXpCNCZ4M +A0U1qWY5v/qKKpaP14CXV/rT8VR67MgEBdIMUtRM0uMYQHYvHh2Am3BU/Oee4ns3 +s7OCVhhMeWQ85UEYKQ894fRwOANGNlSPHWw+LvLCwZYEEwECACkFAlicXUkCGwMF +CRLMAwAHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAhCRAS9fe0LysB5xYhBPVU +o2h0Es/+ve/goxL197QvKwHnpygP/j/PVZo7pLoxb0YlQedALTHKbplbcDFz6JFP +YzUWcEERgRld0+1CDp2S4CjOKn9Xsyxi3/TGjRtHRWITxIDndH4Tcpbn/NaV5sAX 
+0T9BkyhtVTdPZ9swMdyRHKtJd+NNadSLgQqtdsLjVrHCJEmKxsUw8Bj1o09IeE8O +9i8oI2+5VgHVw85nSkljN64ZKK/gUZpRgp01A5mGKdUZxx6//6WX+DXJb9jaoWdA ++H/PQsmdPCTg8DGu23qxz4BRejQIUCcZVh/DjZMWo1vbeiw7wgUcQ1JLlShdqQxv +D4Rlh3aAKdSm1FQwssfaZR7FVBoVoh2L2P7OqE5+Bn0xFr06GYLuyr4+jPpLGZDP +pb/9NzPKWleLFEmwryt0hgynvXvJxKFfyY6pJZfncSFzaryRIKivXE6ENe2gGQpg +e5xfff/41LqX1ePJbpEwmDWxXhdK+7oN/D+qdQWP7PTQ3yVBSIzso9ToSE3+Hk97 +IsrGmmSmd2UG4dn1i+mJA2d89GV/A+LWjn03+uE3pd63mRsPl7zI+c1dmVyDBqck +GTAXKuAgqr3OgYPTxN9WFrjiwiyryLL7dDAWnUGCME0W2GXUlhZUemczmeIUjHzt +FpGnkJAlnj499ngH+iKxfg+v1CQSEbGojL/fjM4ae/+TVMMg/BhVdLHTOwpDgZ3G +bEHRBFNtzsFNBFicXUkBEACjthQU6l5IgGHrq+Fs6jmpEgz5PKnlRmhs1iJHocuZ +fyVd56WnKoES2nz7zk3VA7o3dfqQGkQAVKwOS/i5SffAGYC88VssCG03ZC1RPuuY +HRk3IRlPeVsak/R2AczkTHV6XN2r1m519ACeQ32wRo95z7McE03soPBrrfKeQRlG +CYNr72dlyYz0KxVKqTe9RS18JauI+n0MBvK6efywl0MANSjyaDZulvB09lfNdmXC +l5n1dGyvPKiPbpL4TOnv9jpjgoX5tu4EdPgN4hpOhMfSoQNB4X1jwciNeD7BRwup +koNZyQYzeBeyGOXXT924NhCC8+g8dHMnYfxc52RzP4lxx3kFrtb5FFJw2di6fkFL +vGGh41GxaH9IBMZ1Ok/yAMVI0XzQX/tf+TuG3qN4A+3Xly8FEOVKhVIxHYhq/e80 +bXi7xOgXDEFxL+fYG1oL1yhLeO6AOYkgguvysZNb3fdFqz1kj/BRs/Fv72Q2C7x6 +iwGdC3TNo1a2lceRdREo7Ml0PPbPQX1mljNpfFpaRgpz7/8+7AJM30yGbqgVAd0Z +L0jXhToZMnal8QitZqBNdwnaP2CRAGAaEn9vMNBcZn4llFbqu9ZaTF21G0GUYPgM +hxv20k4ouK4mTysLPpN/GuKKhzXwXCB6JFo/Wy4e5onplvBAJvojM5YOEHOl2Lrz +ewARAQABwsGwBCgBAgBDBQJcWKJFPB0BS2V5IGhhcyBiZWVuIHN1cGVyc2VkZWQg +YnkgMHg1QUNGRUFDNiAoUykgLyAweDNGRUE3OERCIChFKQAhCRAS9fe0LysB5xYh +BPVUo2h0Es/+ve/goxL197QvKwHnKicP/ibAW15nJ2Uktuf2+1g1sSmGVfE82CiV +bSQU4vnIvuzbjE3RHgHONEE+30Q3XuKWdX1iiS6MSFw5depgwpO4tT2SedNppkSP +iEZarlZY2rpWxEFm2JNAAP9SxXZlhNs7sO/z+06TXSNlch0DZlZUSMOB+WXoro6Y +FaJ8Hc7qeyAAO7XVlsT32a48E2PutkDbb970n7N8zv0XdX33L0r3MyhDPgmqSWF7 +hx9S2SpTzah0CaT/TT4tmpxNJBIKCg6kQQSJhQUDOi0IebchVr+hSWLGO0RLDuC/ +ClttOsXuDgfvciZGrg4vXCMkiF1hxyrGPim8KUhWvCL95zm13aoGDDQR16Zmb43i +nLAsM6vnbjbfM3/YzmxONMlcyxKKv0QuLBmr6gmGsV5/GcC1DpouyPZWUtvM4nG6 +MBwF57UwVhhrvqQh3utBRW1nT/g3yJTfECTu3UH6awRXMCy2XT0QfWb1OlhBAMhe 
+P+KZqa1ndgsYLuvXywnE3Tiusf+A9kx6zMyzHSjnJIYO5pR9z1pAkZl/OxNIcA7q +5djOLUN6RDTXlmI3OTdkmYCCLFn/BFOIOweGP7l1QpNDs2u6p7g0M1xdhqDUByY4 +uip/lcpWSj4WlOuXfBI1VlD1Q/mGJhjxu2CLgYRhMt6Gt/ZVLOlyrgok20HH+7wJ +mM5YSvX0Dw/4wsF8BBgBAgAPAhsMBQJYo4tEBQkCAr97ACEJEBL197QvKwHnFiEE +9VSjaHQSz/697+CjEvX3tC8rAefqWg/+Jp2z1PSfQvAcTzrDgGfssQQRDhH8p5KP +lbQnjdc54Oz5gF2qvJNBVnGEJqMq8HyuyXaGND5PlptV6NTulxgX2U6d7g667ad6 +aqufO8EAzOj7EUxaONVH/jGcRi95g2LTR4CJ9mzS7M1VZ4oUWfx785uhyyyxHuiu +FRfMq1zZYOucxJ3fI3zIUJMHt6HKzxB14YtwPfyJ5RD/VViaq/Agck9GCaAeDm0d +qZnlQf5yx6R4xuEpfp+9CK9iuaPGXui5KQsYaIqS2xqFakGKQ02JrrhQgHTP7BRI +jzXv4gv94EivN48L5jaoNk1eHKHFD20XMT2honheB/KXCzdYzz4bIlfNossHpcRa +hcqMOAud57AgCmO/X8husUfc38rJUMlrcvsTEMFoWoNXkhKko/hdRdYG0CiAAsRh +CpY+b43NUPgGM549KDyJtHLi8jczBy1FYWd73HK95EgS+suTdWN/JIbzYE2PHNW+ +4CfT2WPBiUxkoV0ZuzAecjmsffYZDKZgT3+WVmewxyVQGNyGmeRQ2iNDxfntkgL4 +DRHJkB/ryDsSlltRmqwOMbI0unMt1j0CQLllzY3TQvWIiYRcMBESFREgxWrv5kJK +ZMze0+BNwCMSiEkwNvm2Jz50EZmOTiNGl5d0SqYgQyw8/i1uxBSs80WA1E60JlI7 +EqTJHT2Dgs7OwU0EYnzLsgEQAK186afsn/tp1ZTJXjf6UuBahBdSgbtZATJxMEvC +cNq7ZEaH0Hb3vF9jNCR9R+HfMQAMaI8FBW1HjROc447atEdBQIcDcOgG6GvvapwY +owWc16tfvA6bENXBfvqQLNWMT4dOMBIfDqI3weSW6Ax/NGwrF/AZ5TbEivtXZLBC +OLL5Pn8mJGvR54onQBgcu/I3ky1tkEqE70BuKyMxwfwrMxKmUKgks200qkb5hudp +tcB+xA9LNiWjaSJv/fRMcdcuW4fdUe//6/e3Mf1L8q1YjRQi46paQsyZkCE4zjbb +m/AyA59ux35TBZVQzjI2MnmkJVZSK2eEZs4jwUaTU51PJ6HskxFaplptWJKH37xy +8n7eftt9njz+Sy80y9X0BbSEVJSzDh1Hbh/rPPLLar0UHKHHMYBYcW0MwIxA11Ew +gSMJa5weceeQIUHzHM2eNA7PLyBxOuZRa0S1ykfqe71jL4w2zDHXzDFMEIMpSFJx +t32Tu65eKTPRKBMMLTdi+AukzpB0aopCKZIU1MsqbvFQ7VHTIwaRda9g7a/VjEXQ +5Pfu2VWaXwZB04rTxhW3++rCMnO/kWTA8YiFKZsIdWC/XNTYFjhupBbITWXUMY3z +tm7FqKS1/2m/PGViJ1J9qWbm2ri2OhOKa0U88mbcav2QPops3QeKoi/pPZEtWoR3 +ym4tABEBAAHCwZoEKAEIAEQWIQT1VKNodBLP/r3v4KMS9fe0LysB5wUCZC3XfCYd +AUNoYW5nZXMgaW4gbWFpbGluZyBsaXN0IGRpc3RyaWJ1dGlvbgAKCRAS9fe0LysB +55IoD/9jARjxM4rtVMOlSq27Og+cIXTRFS/feAkGxBe7e2K6vgbBz94GwTKONFrz +r5P7d+L056QeSc7OPn8RijPlJcwtEcurLYW3nNgvJTlX8x84hHFxKnu58WmJ2VFa 
+8QSAFw+v7WCU4Zy5qyhJAr+ivD98Bx3S61AmnrDl7O/P+JKltOgdtcPkng+2ixeK +iqfHjXg2hnBlaSMx5fI4IiLBS99MmAExU87D667RZcard4qsQZNKmBoF4QUa4Iac +PbQ4zaMr1OxpkADfTFIZ1QYtE8BvHaDmrBdsK7zQ8w4BEQ25s+ZYNz3IZ/efkTBY +siUG9XwCEbP2LzKhxGWmRDYGvvlPpKYF7+d7/A9lydnOv7vmeSQ/bAXLO8ooYN6m +FsE2bxPLZwUmbaiNcSiJjjQkSR3FscMYHKwiWtl1TmHGjF5wltVOjNwHQT1zebjE +5XJW1lrkXdgMxpHF7vFCkLgEpfjqYjKGCx5HHpAV4r5saOcKVXZQqFOpe8Z68kB0 +nvrI/A0sX4rBS2TFUOiu+bs8AqslBoTgsHLxWEKaG3S78qkvfQxqaEd8xAJ2/eTj +JxD7NQ1X8XOiBq0wdd7VAakiJiWNjlppiyd7EdVBO3li9BghpuehHacmLKXdEtjl +0TTxcYQcAy+qBwDs/GhnEdvv95tYMoAn87o1O1uPnz3JFpgHUcLDsgQYAQgAJhYh +BPVUo2h0Es/+ve/goxL197QvKwHnBQJifMuyAhsCBQkB4TOAAkAJEBL197QvKwHn +wXQgBBkBCAAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmJ8y7IACgkQi3QXs+uz +swktUhAAmox4YeLtb6IpRoP8xB5yG/Juu1cL/Xrqm46CNrf73sRoD1gN342T5gIA +gEZZf+T3+8Yq0wKqDX0XnVt8xbaLN99Ir55voOARgvY1Ztz4DrS1Ji1n8aYr2HKC +4op11OCOtjmzUD6B15YMDDuNGwqddjp5zlo2GUcdoZV9ZDhR/mPvaW9wwsg06COs +MILPdoKePxDcGC1X5/RKcZEwr7KD5iuBQJg5Ap1P88CSldRV9Pl9daai1lGny5vt +A1t3/u5DscBLDpEO/6SICkiKxzM4EBqiw5fUS5h5QGmjx1JdOYGZqF4ift+OVNbd +xkXKmxedYmXMOcOFmNjc6zbPN4Jo/qdDXJD1G+wsnR390VLr/GEXnlXu3a49MiV/ +/9tjEp91cBqQuagLph6d+ZuInylFYMHGtaI7RifGR6105BpTFpvezxWcjrSLGFcj +Klq78bwC45zY5uXw802SuwdwspkWkTOTe6htYogDyOAjmTqSGts3JlgIZvrbrzGH +p01yWGe1LnLmPuP98TLCDjBRoBzR8Y3U7mglZiSaErHixSTgyKXOethyeeChXkLS +WqejXqCmpvg6wLIeOevwHzR8gNDzdhuAK0C9OmBk/olA3jq5M1ltVewkCdDNPwuc +xqubLPNjyi1SqskS/0V7tLzdDtHilbDCoZGLh/ZRZ4XzJyoKYiwIIA/+KHpooRtp +XVlY4xCIHSCkEscaFPqQtJkvDjTjwv5uxoi+R6FfIfrkCOojuRIAJa31ol6qSzgK +vP8BFg6VPbVYQ3QWr9mhq0AOrFv413RgmCxUXvxjedv8Legqctz9mdx3vB/uWc6P +cD+QNc9nFd8fsq5c5h9RNo3xTYnYHT9n1j3JCM+gfyGixZhHecq9mC//PpgncqvB +MJcA0e2O97TAsZYHbQWwm5gmNiL0sAKdrS1JM83bCJvruX2cz08jLSa970Q9RNWx +WZ4oGE0B3NlHSiQ/3UNh1YRrlXhiN1L9JVrJn8utyBZ70g2IGKXaKr/ga4wdP7iY +nTunNqnQziUUtwxrI/2cOvGP9GBIT9zocdmP1KD0TF1nM/sG3UMvFpBT2x7HsGvm +YHZjs0ht9nsLGyG/tovSHVTOpzNnUsvo0ancnLHs7pAxNl7eR7hBILq8UXaQw8Il ++5J1DIqz0vp9K/xfuJLy6Zp+LMcBuiRUJH1tkBpiq3k2nt4faX4mXcWWMlhrdQwn 
+K0Y4zbqwX+We1yM0SZFdGaR7W+4g0gVd6+oUlKrAXYr6eftGohyVH+DLHSw4+LD1 +clLgBcXsH5ZHP9wFKYgms58lKL9ku16XtM8CmGR4hbJnU6WdSkO0B9YvROK31VMO +UuO0U9NlktscXC/oOx0KUOlZ9uSbIKqHiuLOwU0EWJxd7gEQAK/OTSfxwn91jNGT +y2D29/pIPAR9Q2aYV+AZ1V8sprXwg5XeFvHgMsc47wCHSihu3oNGZR2XF5O+gXE6 +k4/BZpBgBxdijGtb+P3aYHjr0xUNmMWw1VdJODh6f2t+1r/GLUUF38GUYL6Hjy54 +sTF8CHTu5afm4DugxU1bDwOfH1QXMOYC7tInQ1y9JWoowKItCcRKfG3DvHfgfnB8 +jfbGOdyUcLMNIuxCXcAt9rPh1QRCbK+OBBomS9pNwXVi6AtGbkw4LNemhspk1rm+ +kZOMJALKpz2nOc+VA9Ci+6oHkXaUTJt5rJm9llqD49p0Tt/wtIWPyr0ThJXoTwuu +1aeSiT22vtDO8LoJrognRuxzbDs05pT68W3iwBc8P8F8jNJim5Fzu9U0hkqkJv0w +HP4Ap/MCDGZ36BMSAE8oQXBsTjHydVye/YL28cg3GRckL4C1E8kY1Bn2hmHA9QQb +K3iCNduISBmN8abYX9RDJjqrCkrspRefIkbB5WUo0f6hW+7+UVhQUCD23GA5qPza +6Ue2HjSEW2Y8RPXbcBGk0pgX3ee+yRbp9izNjn5zb/tSYx5GneMaTwDrbDeB0P0p +ow9NoH2ONGs+hkXvsKL+pc7crkuFZqRETAfINOvQDvUF/eto2vfArNW4hxcosrMB +78pUQ8LOgtFxjJBR4EHEC25gwXlJABEBAAHCwbAEKAECAEMFAlxYokY8HQFLZXkg +aGFzIGJlZW4gc3VwZXJzZWRlZCBieSAweDVBQ0ZFQUM2IChTKSAvIDB4M0ZFQTc4 +REIgKEUpACEJEBL197QvKwHnFiEE9VSjaHQSz/697+CjEvX3tC8rAedo8g/9EV/V +JUBMps3Gg6037kSlfTmeZsXjyiNe8wtvAAxJazNyCW2ldEyBfYpOCVNe10vlbRvU +qXsotN4V2VBll26FfudNta51DlSA758cDsP0FtVPQ2vhat2dL6YS7bnQBCWKSxIC +CS/gU+6tuBEiTDaB13hWPbeUAvlvRlcDrR7dUWwqg5fDC1QsobR5Kl3NsMtbUMYU +jEpfQCwCj5Y8CbYyqT2k0XO994T9s3OYLTGKuCp63VoNsfdYnDQZjaBF36WlkXCt +vUiVSlwL0WF1hHTNnCpAFuLkL6oCYFEK0IVaou82yFpSyD0Wsdqge0L4K31lv0g8 +ARScZlzLsizNHKpy5juYlXMtSwfSQHjSFixYTJhU9jeVotz9m+kPly4zG6OdvkrQ +a2Af5vl0cdI8mkeIXF4kpar2ivb3qrlo+rMfkT9sdXO667n7CepQGWVfjEPiASeG +MpwfEQFYzcOwe9NOgaRjG+IIgxOGkAVPrxGfdTillTvpoDKlNWTzy/bDsCCsybBT +LGvFkWLs/W62U0dsDNoEyPmnUI7vW/MDAZpG4vhTWc/Y642/PX9Si5ekhYs9TMvh +5jQ4xJPDJG8Cymd5Ff/PHd7TcJoLFteMsCgJEAeQJzEnKydQGlwBTMKbB1VHUD+B +CCmBiWT0q1zeUmZyk8zpZsV5DUJ9xeusrp7SiGjCw5sEGAECAA8FAlicXe4CGwIF +CQICKQACQAkQEvX3tC8rAefBXSAEGQECAAYFAlicXe4ACgkQ1yrzRIzCsDSaeg/+ +Pr9O9qKYgfmg8nE0M43P5bWO6ootkaf/Uc2LQDuXqiS8WXmzK8S5zIujxnBH9B4z +8nrwCvTZ6JZHUygyhdkvnkDXBtO+MTWPugalxmMWAaGK/V1M2ZXWHdQpwAfK7dqf 
+uAP9Tse1SoQJVsLFjJ7L33lHAygKG24zJhowQCRGHc1N491MvbgsEdCCiaIQByVk +o8itJxLlOa5A7jDJy6I1L5YcoBFY5i5Cm0y/8TRXkfCLhwtslXeltPDpHBqd7iKH +Bc2OYZz9clZNgr1oQFnlntCS9HlnuSPVS50xg4RdidyyNvR7tm8LKx0Ptm4Aj8q6 ++2s1zUVY1yZbyd8vLqZ/QwN7pZhAhiGZXr/e+PrclL5BalQR2FndYrGY77HAcubW +pTkzXC+iGizPSa1nni562rwHdQWXWPt3R5KBmcdJKirNfeF2WiHP77gFnyCg7o9X +zvWsqni7XTm+HGDq+E/RMFYdeSzYJ0wL/kWavpbSkdCN4FBQ4HAc3hypsSHG3Vui +an4kykJ0i5uDtgdeLxJmtgQ9PpNZScSrMC1lGBdE36cRCvAR3wwf7nzD1F1voTfe +5MMx7k7IVdyfs1Ajnjrrm/hlShFifl8hQ2UIyhNM+bQ/YeHvL1OjpDTmIvxuelJc +PmM9+g+gGrV8DYw+ZPrFDOTfEPgRqPze1608JQp1P7EWIQT1VKNodBLP/r3v4KMS +9fe0LysB527MD/9l3qIsMvsSZWXHewmzvnpKSJR9LViP29Ns1FU/8Zf4PuuodAv+ +9EdCVzivGqlAh/9PWOFqepcH40IgbBXj3E7U4OwORJm4mqM9TJbwGmqyRH+X45ds +JrTigLJEGuIy1YVRRDS6q5qB2+17h0SjqALiXvdzPx6ZScHps4oKr9DG+2OhBJr9 +WxauzcPEijBA4JOT15b1g6SnCGtJKeSy6ZhLRX5VDk2mBh6xHugffp3tKHlE0ST3 +u/1P45ByMO09cEPZ8Pl7ufCj5RXSnHTL6kDPN/obCHbQP+Ccgmhs4CAWXm7+XcsZ +phmdS8vjEhopU0fGOV1fwGYeizX7vELSLkkfQh02gIcZcXwGaRPPu30LC4RJl4Wn +q5yy9O0t8uwlbvcTlXXLjJYsTYFq5ymPf5YXBAFUzfXX9faYYxMXoU7uflSIETnZ +2bLvyRITJ+k3B1Mng1umJlp5EW6xYT0nfNU/4ApeXIA2OKX8XvGSBuorfYKsPo4t +38CPKhJB6oG4WTQogRaePwVxGdJkJPLRXmKrH+C4G/L2AfIYezf3FEfhqbJuaf/A +df29Qt0olj1iNV2O0fo6lDD7slz3Efj60iccEH4wStf1DVMJ6D+QA1k8APRoeBSt +trDI0dBC9XLowkN9ZKzHq39IDBQcXqso+I3ed9ZMI3wlBxw+PD5mK74Lwc7BTQRe +T81CARAAuq/RGMoM8mZ5wuLNbmP2/VM2xX3hzWO7R2YyY0NuT3fERhVrZ31j8P0l +2gQRKAgbl7IAJaNcBgzGjPVaGcE7WzE5Lwr5OYiK3sQYv38Nt+533yCecFcVFLN9 +FoQrRvsX+q8/0hz0pZjYbZCh12OK03PsGUPkKIMQRJJhCctKn4tl5b/tIbRBM8Xk +zmLwyYhFxb0zyYf0SvuXG574xJddAd+3Oj56445Spw0sQoDupB0yMNVMTKdbW4fo +aIQwkaxe+LkwjS1dfLAfA+XkcU9dpY4RJ1U7hmZaNODcf5C3GxXOEUXCE/DJMUEb +NV0ff7U8a6wClxmNHG2wOfrdGRWMt/OAbXfsZb9iBbN4vuEOPi0KwtiLogp1ekNt +6DIANz1PleDfhTKYMI75ypuNIw/6p2vjyX6EHB4XMgFlutVmksKIqnePwF0WrosB +CV416tzV52lWCRtpJKPxSFMt3RqHDWAgCAKRNjOF6BvOQmzOp6Dgqrm7qHGh8qDb +c6sTLLO20LNHK1uyZXNfdEqMD6OrfWGdFqU7FVJcJrtmQWzcmwmzuHfhRTXwzM/b +TvYG2N1dS7IBB3cnnMQDpI5clLbEB2I9fr9tEQ0Ga0kOgYWg7XEqV1tmPDAOgz7a 
+h1jzX7McwAsOjymvTX/RsFM5I8Wbw1kupsXSSbj2u/K/5g6LdWsAEQEAAcLDmwQY +AQIADwUCXk/NQgIbAgUJAfJXAAJACRAS9fe0LysB58FdIAQZAQIABgUCXk/NQgAK +CRCWrsQIAF1rtJzPEACxoNF7dIEaqTtETNbo/kdltKwRtWSHXoX3/WFc1B8rN0oF +zH9XuBAG/mzI1EwQalIUAq5yyhRUj4UERTBHgq4DQPtMeNOcfkJLGrLrSGT3enRp +2M0gJJ90deFpHfu3lYAE2XeD1902PKVTpRpJMuflmzd4Zm/F2Omgn7U96UfLSF7f +32NryGj3KN8OOX8HlKD428Um8HhpOPfwtA8jK3MN/hxrxC1ZlwKPtU2Z8cy8fGlJ +yUrLlOpq5O3lhGtHYM3VVkf6NfE4wMx8F+ZgZAk+pce87y6uFgVgf9IZsnUdB1qf ++aeWthqYH6IEdg2eb3pbpdKSFGVu5DSoBFHZpjFG4mwNeQWrL3siFE9qJI37clgY +9GNPuKkzCX4HdXEThgNV99jg1OSFstG3BWzVqYQOIh2klcRMMT/PmcLOeMJbYM7D +ArRNR685L8RNfOszBdNx3fk9y8z8S+LBwP3e1C0p04Aw/97tpB55wm8xJaQgxW3h +jyL+XV6mkEAAtIttzYe4jSO3ZdwPml2KN8GBlOgBPa6oH1s4RCUc0bpZpKeKJjS5 +OF6cXHJW4qMTZdZ7otVTraEBYQDbIIuXPZ1d+FexQu9QCwFmGiIOKcTDR/wdQ4Mc +FJO58yC+G/wo+u0IULcXvCLQUOji2Zi68+fTRRoBXG6MP7W6VVsyfd2KXz2UOBYh +BPVUo2h0Es/+ve/goxL197QvKwHnkfkP/RvkOScmMPcjXVFnwE5LfzKYdEQtKmtJ +230zs6GegJh/s4VkHYG2LKwTYPsWvwtJEncc5HT5ePWC8uK/Iy2FfYcrfHSdzpK4 +tenaQW0Yo94TkGt/+o0QaNrl/idStQQ3kgpTHEe3lqWWahDayXhej/D+9tGLfWDi +YVN09WEMR4iTQiynVGeD47NrVLX/rFtKu8dQnOp68zLfusCguf5GFJjdMCbDaUJ4 +u/AxbjvWqvq2jeT5EhEoR2VGhrQP/9swxD6qMtXYR4gXBaohY3ZNtGyrBRugUupT +Eoh1JnDdNAnyPWdgMfQTMHyCtaZrOEUcX+ZozAhwhBNhyoRsiiw99PrT3bZv45ZR +4EOp6jUymmxEKkVErsMDmW6rcfyI35POWJ0iPPqInnd1H2SAasp9NMf1yzmyfwVR +mwBZr6t0kc/bVx+Yrn9MbxVXzkNL0MOFIqmdhSEXyoyc/fUMvYO4Tmzrl0+vo7aO +lS3hDOIikCqPmvbP9aXO6BOxj3DM42K+B++H7NJP+0BCuv1Y4noFrh95Wq6lp4Ar +lmoAsVBaS1olswtTiE+vhUcemtYvHLoavZe2u795lD/7RV+451kW8+D0rWKXA+Zt +R1p2aSBYVVd8f31vv4/tyA0bujzaI4MTvuwhSSeugov13dJhVJ2AZjr3o6KqKwEu +Xz/dI7pQPhfCzsFNBGQt2iEBEAC7Z/zus4FhpUsFm21j1v/0yo2O9d5uTJRqtv8u +yUFbHG64KbIchgKGNbYZeWVaT/FKvdSxXQDJrauwAZyRe4tPghhFzGCrKBZJjB6z +teBsSQ8s5QDfe5v/vPmNKXLNRjp6zUXNDLEuG7Rg8IiLPKXOOg3rVnBp6PWaiwOU +6/3+VilQTyS0C2ANhMDwg+hV5/iPVG6Rfyu5bWxG0Dln2KKxffgEbLs2i9YPyPzP +3frhkd8FEDFUJ/ylLklAq71uNipQDKdjuFdpY9Kz1o5EvrwXdvT/wyzFF0XPh8xf +q+kjmoz8C5xghSwQsqtu0yrEUMHzf/LHbUhfrPLZoaM+VtzqfoGAxDSuS7mpRPws 
+iU24Tw4MwiaWnUM1rPGeD7jPho23iNFkcwd9NbccxCOPDRyMV8CFMgXgk0fnJvWj +76TcIHu6NiA3+ts0jjkZeTqA+vr0Pb10qdDvjELkemt0fbuAaUGBp5c/kU61PRyl +OVcRpUvPtS+iNjWkcDCio2VtyU4b9SDBzRZELLGVtL4PrEJZQ0eox5P8A+zAMc4c +/r5nwPEdy2EDe/je6M4vlyDiN7m7McWw6DncdXoc5JjPMwBPEzjJFiIlvSzVaO6f +jpuGwYQm+FwXt2Y63mSlcOm4O0iG3Rkx3KScicqEaAp8K+cW6BapxCuQFlTDeIj6 +InQHnQARAQABwsF8BBgBCAAmFiEE9VSjaHQSz/697+CjEvX3tC8rAecFAmQt2iEC +GwwFCQIEOHQACgkQEvX3tC8rAeesxg/6A95acTRP/YC5CG9m8e/TWpRN2QgDLV4p +bsrrtBFmJJ7//GP2J2zym/fPRn5UQ4NplTEPjB8+A7n7iT27lMtYlbJiRy0qdyQb +lZ555K8gROGOJXRuF3DskP3FdCSPnHFirWQYsCTOsQH4NtKRkiK6lUBq77ni0hW8 +flYEBH0gamO8lKLpu8p7WvEORAcMiC6InXPhOtReDAuDa1z/FgaGklSC+QfEpi2G +kmBRXduWGDBLdWm38gQweQ2lBLb3bJ9jMK0jlyfzsxY3ml1UhwBIHGdOBP16pZyr +YsHVTwI6HvTWpwoIZavwsK2m0xWDsExPhJ+0hJqPx29sNJdRYtWIYgfSeTR6EnXF +bykVsfkKPrPx2GqaXRZdz36u9JvVb3W1yBPtloxJQ6u/3UE+Nx6aJlAVmEpoBv4Y +GXjBEWtXPr3w4lHnGGiZ5MTEhwTR/9cZhzXBIC7QJxVlY8YhrF/ks6ZrsoMB58ex +ByeRscxX0rWUzMJXcWxmW1d6WoKvjOY6IkjgKZr3kPAXwOmmyshXldY5l0YQwYmN +pHFTQAy3S+Tz/3+tsmpTOkOLze/rHiYv6Cy6t+sCVbqaedZyHHkbRppRzl3St4+5 +CoNAx6Lf5A+nHCvOGWePKUsPFfTova5SV07vj5Cl/nVmeQXafsNl0uGx+4r8pbet +gp5VZLsork/OwU0EXFiftgEQAL1iLNE+5T9Cdig67S11ERiHkdVXB9Y1iKFIisrz +6jvhW7isuU+QPB2zkHSIAI4LOarhUk2Tf6ihTaHfHJq9SSxHuGSnJR2Bj8o9OWij +OTKtip8PSUEEv8O4KhrjBqIWxV3UpnE/cpMm5EvK7C5SPQjiG8aFYCV5iZEpobg+ +6HiHKKEYG8kC229yMU/HXtC3ucWOiBwpci6GXaduVhzioR/+qN7PP2gpepK3d5rX +SYLCB6UJFIvQ5DvCSVlXEPlMV/8gvhzZV1XygdPW4DybEwvbTr5A2IMieoiAi88v +SDpMDvZuvfp87TWamtiY3ac8+cP2KsTFp4w9gSdgaN86K3R8i3sVazuuGjUKHTUv +sRNY0EfcGF4oNQH1glN2azltbe7oNGN4U0nGcMMFZ5GPb/UH+OK/d6NVDcxtrlDg +4NFa324/yW0cnn2b+yb23ntMOpBurbd+TXpujdSuNHeKTr9Qj2Pkkj680m4eJVSK +R9kEDWcXeuNjVF4v7gvFCb2TvACy+H4xvXHkL7gSkxy7oEV2R+l2LN9YNPpOm53T +NCJQflBG3UTZviwFDkeK1YobD1ReUChCPaXngUXS3cS80Xx48mCDDmtc850DsWdY +RTTlKB01zYtvevlZW07/80kr2C+ZN2R0ZJPET+HZ1UAVcqwoHkcPCYmgOyvu1LD7 +vBWnABEBAAHCw5sEGAECAA8FAlxYn7YCGwIFCQIOBoACQAkQEvX3tC8rAefBXSAE +GQECAAYFAlxYn7YACgkQXcNRgFrP6sb6Iw//TkHK3iG3DARFdGid7fFPDFDo+riW 
+LtpDCx99FIK0UHGwdrU6t/+45SXbc+DlJH2uhiFoANwCvPh81ow5MKZEc01jYfpP +wkniKnHl5+VPka2swMLoHryn65mIPFj/7wa5FDbxu/Y3fbP+GJxYsB6W/6VQFLAQ +4m794VHUtAOkYTvd0AYUPeOcdRI1PabijP3D5WDyn0RrcHgmjlq1tDGYRUqAGGcs +eotB5o5vOsQx/IhKfRpkDcCVLWGc4yw5MquU93/CDd96CIDQVQEs2tfGiNj1CJdp +DiZDUrlhXl14s1rEEFnDusBwRt8HtG7tjdwvwgaP6+vWJG7kArB5tmdPT4uWkGYm +0vckQuSHZKo3KqOhc6MgPVwrMO6lOrmFLflonv6eE46wxWLgvBC+gdnNw0neYrO5 +e06HZdzXw+gNSa2g8JO/MjJzrrf/MczPKCONExoNx/zIm6cqfMAMIkHL+0NMPGS3 +WMz+yqvKWEs9zTkw3pUW8rfI5PSDE6nbdyIsNj/xaG1rlgttxF8zbG1IOdlIXyMs +6Sov/wB1HdxcF0CtcV2FkiAeE3zexXhxE7EBLiLXrbcIm9EXh/1lU78gQMm58ZHB +FPke70I7YNCAinxvBFv5xxYM98/ipBz2GZOpV3ZHSfbxrH3esbj5Nemj3pW/BtcY +jgEcHLgJUKHqblAWIQT1VKNodBLP/r3v4KMS9fe0LysB5/K0D/4gyeCmPYD+G3Q5 +9+diVux3Ykj1Ifvx+dvfsHMSm1H2E2hs8d0FjQNzsZxfZGGq0UAvDf2QTZ3hg0O1 +DDIrmWuU359kYwcggBT70s+7PhKUT/l8srP+eT5kZtDHo7HCAEEJ18iC3TXsYgJn +OjoPmjp7kLDMESsxdJ7JO/pp88i9f4fZT+zUIgs3/OAM/eEkChjVwFvIr0rrW+bM +wZtLo+TCz5sWGglLd1+9jNNfkQXR+w1rCYBugzQYl+gD7yOmFpMKS+EnFgL3osPE +tP+9AJm6qE5icadeUjbL5I4P7NDHFVFPF+JjQd40kXzI9V0GrITdnYO6Txj/fOCQ +4twvxqAfezeF8aH60x6zcNRZ0DeMOPgFgayrFXf5+m9OaFPz2uUTetWhIe8OoW+o +j+ilv4F1yH8IWAYSBNibaCjgzROnEdicMg9CfVZN4acnRH8VMW8Rn6uplI+SAoUS +rMr9Ozr3AmjwYab3rfofqVA3qNaOrq0JzqDmXDcfF3erKm5MxGptP684pFP71VOx +Yfr4NX0GELDLcVCvbTwOEOxpSR1e7aUIUURpycuU6vHl9f62L3CA4zi7hcJKoA6N +sTtn9LjTWomRJSebDioMcvvsj5CxxtYIbvyGNDMYdfcwn4Ev0Upn3nG72P9gyvco +MRm7Uuhfox03XGDvobFJO5qZexFEKs7BTQRifNIPARAAw7R6WTjj0V9yWmmeGxde +uDx2GH5R7EpXgpvU6IkMVBq4ErquEcXp05yVWiJVPUawywQ+/+8BCR2C8+n0scmp +TzQvnHhU7pMSonRWQYkfIGKa6vuH9+xTXqBXZ0ISKbwDa3fqvhfp7KcJSmxcrUzk +3l/5ZSAdFqAj4ezTagfXWXKu3D7lHRyUYoc0UZT/XuhVWcdZtNpK2I8ySyDvNKnI +6ERXtZ/NtTWl5T400GtGNFpqpd1LjS8IyfTLLHdbRJjLGd1uxX4vEZuyucdITniD +zWjCkhsyCA0H/mRfX9q530GcLi2qHQ1OcA2VLSBlGJIZi83UISXPn3OQ4WfniVev +592WAHXO8D9X7LuN3kkPSQEIdOVEtEmijIgZM1dpZzJqHD+E63XabeSNhTRi3Xwk +6s5Hz5cRhJuyS9FlUQNCT/wj22JBX7F4WYV7taolgTB3kv/h8TWBnjgGBzu3HWP7 +5GGMvuIZb8IQwFf58ehQK6FX2DUzM6xVSCT82oEByRhJ6HEay90w1meDZkmCQINY 
+IYAwjWasDt8yHDCq6XlkIxIiEheRTwER1KSsdUdhBlvW9q5+UxjH9q6uVxcZHu08 +CWa9skjuMC2+hWzM+bqNWEqgTI4oOEFWdLLLs1m7E7ALMwpJSfh0A6e5ZVbHh0Fo +g9A6acmPJ4oJCS81bkDUkqUAEQEAAcLBmgQoAQgARBYhBPVUo2h0Es/+ve/goxL1 +97QvKwHnBQJkLdeKJh0BQ2hhbmdlcyBpbiBtYWlsaW5nIGxpc3QgZGlzdHJpYnV0 +aW9uAAoJEBL197QvKwHnrVgQAIeH5QlIDtY76t5KWDh9pBuYiwrDoOZ6AznADWuB +/ahcU0zkTV0aBwsbV7Vo+w/+rd8U6z38ZTxgXAvl8XEptuYRLFLTW4VGuqHCWlGY +yybE2L3DFBChJWggPpK62Mw8P38+WHcPlkAHU0N3cmX8HFC1imYAVt5JuFFcF/2K +kYZ9J4Vq6NsU9gAUcpNdGWoVjbZxGvjSJIgNe7ronQ8NRXvofieNEDFJFG8/V7CE +ETtjkbmT0JDumdib65Khe1+bzxV/36elnCvW6YD7/vFpxyAGWj/uL2dSYdpmijpa +y01Klx2X9dtedpNskAFR5oLLw0HlMBvY6CMdCsQ9WzfJD83WN0iHMzVmM8I7Za6x +dzDl+cW5gpgbXctrvGiF8vgc1eQ5xppf/5GfJCM8OUfTq9gNdLOl72oMJbjuRcnw +7hbJLYJ02R1VxDWF3q07bERCurQwFcKYgv2+HNZsQAvZvvZGq22JwWB3kFhd3tEt +E0FGC+jtOXhANpLbObj4Evuc3q4TnRu7viifXd4xmTUNMpHiGH9fFedfOExvmVER +gFCCVdBxsJu5SBZgZbXJqemEcb6EGDTkdy9/V519iB/wV3rVoj4kOLlWWBPHsoqc +vYzObldx2VpNsiAhiPcx/AmwAUQj2/MV+QNDfd/SUkrN0LcmGsCL37JYhewqsmuZ +LiFOwsF8BBgBCAAmFiEE9VSjaHQSz/697+CjEvX3tC8rAecFAmJ80g8CGwwFCQHh +M4AACgkQEvX3tC8rAedD5g//QeNVOe149IQfyQM/HnCnuYsc6FpYWXCh/qfcrhit +oeJwN2XTzt4Bg3DCcafDLWNrV82dReVdH8m+PlFpLyucGscFWAhnCtz96Gzo2Rzp +0vo6/7uyEuvLb0Lf6ShfiFrfukagJqNCRo+Y8NumWJWKL7KFxVi5GLIA92x+d1kM +00c0++UJcm1Hr7P9VHBHbwn4AV1Xg330vMpzn1Pz+SeDACSnZNHMZsnzXk5y/YFh +ebTktAsyla2GbdByqRZ2FuU04y8/emgLdum/r3VdUYXzvIMTIvMwJTFVkaoaqxFX +JflWtmUrVrs4QlyXpj2dkFmvfuhQ/Va7329EMV4TBR4sFCg7N+rw3p/AnVFLwV4Y +mkAOwzMwcVqPc0Mj6zENG34HL0pGyqVEZKDBSCa778m12KrBL+9E77UY719pLI4c +N8fibvCToT0seVEMuP3WpgbV4TQqS0kJFaNNpf6CvbZL9ufXOz94OLoXNzRGLaD6 +ik+AYyPGCnUUydtNAuQmFDmOWdE2ehXb6OhIqfsiVFeoNTStd3eJvvJe4p3V4woE +p8/zoEK701eeEeSO/DS+mKdGVqKLGDqy2gSd7iq7KY32N9tWAanlrfB3/mWbc7u7 +3yBddsOPHUkHG+BcO4KhrW6YQZkF/YA6woGRTs1NmKEkyd9O7wxrA5HRQ2qPDN49 +sqvOwU0EXFigNgEQAMkjaRJSYy6TqVCs/xzk0j/r7iWY+Ft3g+0XUMyiQtSGKoZX +eihjtyNLdJtMR0OUjft0+442tf+3g5YhHVRZiLziKSVoND9zvXQrdqQap/80i0fB +VBEWv6Ht5q57JFihB1r5nhBSUSPJ0jd2wtF6nSNoohCEfKUMWMOMfOYXvPyHXfQb 
+ktdgYEFjPGdrXycgLknHhiP43FG1QuD4zVnULCJjwgR6rLlM+40ChZ8ZVkZrEmP6 +ijtcynrHBBqOxxy2qnZftrSkq3jyVMdwaTBb4L4Wd/OBiptQfHYRLhnxs5qbWSG0 +gNx1czZdouqoyf9oSVvDbTy96jmxzJRPxS40UvWbAcMmxPj8x6EI6Q/IsTbjHXNo +sXK+LRz8ntj4pdBrh9vpWHLee5IdPzu4LSZrqL8aEkinYsiYnEe5Q6araY0C4jFR +zHOEK0PhFjDvh+638Ti31LdyXj77BAhTjpEYQIh5sE08AWATyCl6LA4C+B7KKyGQ +W1JKL1yCaSm3p5khnQxkmHLb2qcjbVleU6nP1hRRvy6c86mKxzmPWFLrfcZE097l +KQUWmefMoZOs/9vgD6xCqLBb3cwUJ0M/C1UUyKQWRn000fyEpU0bKQ1PbcpITw/L +GVYraizBag9PmbR11L3lqSFMx9bG/Zjv3HkGg4LKGHqvu1f/8/RjDyU9MsvDABEB +AAHCwXwEGAECAA8FAlxYoDYCGwwFCQIOBoAAIQkQEvX3tC8rAecWIQT1VKNodBLP +/r3v4KMS9fe0LysB5yyvD/0S2QBuEeLBrG0wy0ljwSb234OdDEPagRYlGzn5wzbq +X+1AZqJzCJsmGWkCV4sbmSEMgKohXZ4E7tKlkbcwvdUeAAsjTY/rn/+1iE9Sc8M/ +Aav8MOyMxFYzsLh7A8YUwjdFGXM5FXereWxD1Y9JCidCYT3xitCHk/ZepA4teb8w +80k2hAx0JG+7KATsIybHtXEh0sfmmyNZJ7bAGOTW0D/U5SH78UxUM1w8FEbuvhvM +aUzLbOyO29zesYUg4TzIzS30E9o/wNcw18R72binp5yGfUWp/gBcIyaPUvj/gfRr +9MaEC92picv2DvnupDeOT/tS7qc8qynMVMDRcc/RaeqW/epLmpUrNAR2dyyRn8HL +CwcEgjJH4QtDYpsjLQQ7sdGODskeU2u01//h+q1RgN+R9sM8CR7IO7lxdNeSW2DU +bTHEktPrSBb5WrKAPqMy4B3010K1FaMZ7ctCEJlaBl7XPw9N143czxvJ6VZHLpzp +z4PVWeNAR97aa/wjPzEdnW8gVjwFVs6PXFWTPVM6NAAFQJ/+lDSrpPopZiZg9T/B +zURp3zr/zePcCKvOZpfq3SqVAZ+fGNEXoivLFUC+YvqbCyiz1MHciYvpcenQ6B8n +2CUvV6ssuxtBPMyRAJX0SIO6h7hyR3I2FKGqKh6WaFt+aJ7PQAHUDxo1A6Fe+8DS +cs7BTQReT82nARAAyS3ALiLBEkkMYf/BunVBo/2ZERhhnsiJ82LuVno902innUL+ +vGnujHN3pPkptSZq3PlsxbUiVvcZ/58YFTijotuuSeB4bjqj97G7rfzM2EhnnD/x +oCKB8Up5yCME0+qc8iq1AKN51EAY0+dXyZ8/k10JsHCNOPwKZWrb9s3FcGgt6Ojx +KdQ+ugP98G0qHsWzAMzDBRb9JxuI0sqO9JvUS675GpDG2f6zYqk31jxEbmC2G7Yf +GTGKuOYv58wDF4KZY9P0VdwUjgmsuO540npqOyAEOMZ+iOReL5nRaccHyJOCuBVK +cI2Si+KTkLnDRsYycH1Uh4WlcEWxWn7oDBI79MBJviO3GkdOIYIoNX4U+i5VEl50 +ffpDRISvu76RsuhoEy/lmYazcEOymDaC7WDeiCjeEQ71U37DWEjd4BozKB0SkVq6 +EVbuLoeEEndMI3Q6egk8T2V30RH5LXhRQeotpFfg4CC2Hexzgxcf96ldvgJMF8Ax +2tAZNyRFge8yrxGJzkTdEBTY6SYOQKydebyhTK1y5kjhJneWtYm6aVqSOwA3+tHi +tpd13i0aV4ynZwgwNPK8jliDiC/aenmX0LikSPG0HANSHHjvum1xJs7ZD0tdA2Tv 
+3hA5Zjp4+l9R/q7MGxMOVvHxOuQeAgoAmcl4L5E4c028JgF2o6VOqt0e/XEAEQEA +AcLBfAQYAQIADwUCXk/NpwIbDAUJAfJXAAAhCRAS9fe0LysB5xYhBPVUo2h0Es/+ +ve/goxL197QvKwHnjJAP/17/ukw6l1apFUZNknyfdrFiTdGs38fhHUXK3DfPUbOW +w6Sjcsmrplb5ich2QZ6KNE637C6Rd2wjlR4AjahTDt23guZYhciNAE+WTByn94Zj +POwMuc3gKRQSWTEStd8vR9az47b7p1XFHeTvgAdiLRN4NGYzUDx+zgV/ItngoBEQ +EJGzQhDTUgpPylu6LtkiCbg/3Be/WaIeQ8PK43YSj1erg0hJbhOrCifGLJaHssZb +Kvs5iozlQ0+8W5/q6LK9J9lENVRBDAWa4Ht1gcfeS7jshl9XNLgQQgp6u+rWMdsb +XYL0CiPg/0g4ZFbAfIEuA/m7PhXb+HTSO9hztMklcxk6LPu4RoJi7G6UVhah6eMU +PeKWL34EXXL892MlLyDSsiqyVwmiGGuTcF5Lr9zWD0yUwQbnoSHZ3T5ZXozAQfhz +GwaA6+Cc+r3r2vsJlN/VHsEwyC3a6Mh9JwSE1XGtVZt6VKoGs4uyzgLyz8jz2WaE +mcIFZNjorx2dc1zwkXmcbpLmPL1GSLXIcNMW9UytLWSJ28+iLdyodQgsUI4/Mprd +qV83P6EYkx3P3y8xgvgMMKamW3SDvGNrIz4BpG/fe9z44Zwe6UQU7Ap+/NRUAdLe +Cb69dYC2rdR70kOzGMD6RGqCC5En5F2Pwn3TFdWwYN9F4BsRrxENwDhDDYXCVjTG +zsFNBFqgQQcBEADPVquej+jmKwI7TVFgcsNGjJG92IQr27+1soFTzIvK7KceG603 ++LzJAqUi5gCgz9qNwCV3C83iAPMhwJlJEQiNTJpHHOLw06MgD/A1BJEv+IAgNxGJ +EPxMeBmENqzxGJBu27l4F7xfybN7jRRIy1sCyeuO+onaL9Z4ig0YMKYqMJQncA2N +jZk23ABB5PSMmUUxJ5ZimuLGhJ6qOUoZGsEKtMk2D3rgD6otng44ATakOHJ8cTJv +fhPuqdJrIUeE6VslR0B61NW5wy2HfmEGyS4ZyBZZGKwxDHYMuBwIDnBf6ed9/8/V +8z6R5J286vQzMy5DDTp9gRhvogDaX9lp+/RWAylFsZtFJquJ0GFyMkl48fA3CQ59 +HAXjLn5//BWH3WJMQu6oJGOm2it3LwasyYT5OlbxbPyxEG3htWB5aN5iFYHKMUoG +cFkGhxMeIOYUvLYk8Esk5v8FH74R3ar5dd39sXdSbq1ZSoFy9A/kYBTQXc/OjnXl +hzDcEbozSPNwfyxzED52ftFG74ZiJbaKZb2cJSsJlcx+KvWLr+2DEC/VBSmYjUTv +VtSWJ2xBqomspYcHZvTk2J8T5+LUf7HoXCDMTfLQp4nvcFN5Kz7wfbbrAWmjZ4pp +EYzbRWMY4aiNtcPTrFAwhkfSWc2gGEZgETItbncrdfRzVw4cB3EVDBlThwARAQAB +wsF8BBgBAgAPBQJaoEEHAhsMBQkB4TOAACEJEBL197QvKwHnFiEE9VSjaHQSz/69 +7+CjEvX3tC8rAeeicRAAhjqdYz8YSn94R3SCaVxQz0LK/2bk9sBFK6bQIXdfmnPB +udjVySD1kAVRMjaiDvajRIo9SByhS8UXFlZX/7jXx99k/r/NYML2E5mOSAszdHe4 +hUM3wd2MAL/Jt/WBNCkQzQ9+yWwqCqiatcHwvD6irGQrxSTQt73MOxoV1kL+2nMa +dNCi66joH2AdNunAeu01OSQepmHq3v4mH2mGBUHFWDHpPWoo/ifHTHSp8DK/x0BW +ana5TFU7u2wrmlfCNPTXb3ckpNDEt/IkjX/3TJ212x9UmhtTxPZNyKf4Qgy5p/s9 
+9hv7txOQJTzZJr8LZ7u3yStdg3ceTf+3t11F5wlI+bCE6KOvk+64ZB6sXjui9wfd +fLJ5Yrt85KqJfuNLcwgr0do3WKXXwzaplaVPNlDrXgVmH8DAk3i41M7Yx3EdepVK +C+an5AJg2iLJgGXioTbovvZcRUhxfGIwaVfBYlAjr4/Sv4KOEnJj68119rHLgdp0 +PWHXcp+ws1lzj7IqzFd6spmYIMgRP7AV7Vs8WxE0V/AouMH4IIOpOkXiXTdiU/Bn +CyCFpDyD41l+XirJHw1eiyka6/tLuAGmyDohzLTwtTi7KWYUeZUI8lJhdi2ORhFk +zITLwEQ6LBBPZsuZ4+qpFLUY3m7PrK1fjURT1yhU8Jx0F9ZQDGg+g4I8f9426DjO +wU0EWqBA2AEQAM+qCaPgB0yEdqTlhfGWMBi6I3p3Ln7rnctvJap77Mm866jngwVc +YzBWEcVhioNqTAoE3wawIX0MajSMoeosIN9gmBxOV4X09lC2OfmXzQx0Wob/7yL5 +MwOHq+l7Zj28cO7tEJjN3f5ElZSGqMTi636VuCqv+kuM68i2TuJRJHBgCtL8DHid +VG6RBW1S+Wg0obAQIrqevc+Y54p8mJ5nBp6xtsECyu2SpDRCtEHJuleonrWdLO2o +LKoeaZGdQA01bOOYvkBITBqgmzfIy3s2Pj8isp3/Y/SoGmOeRye8Hc0dRPKwfWPa +dyICzs+46fI/6bxDIORUr68Cc7zBRykw5IHGoaTbU5qk9lgCAjIfyNlJ2eVOHMDo +vIjsq6G37kqB0MZxMdgFXMQotcS6x6iRNr4IW8uNlOz7DLoqA05FqGSeIqhAhOml +bSX39uHYa83F5BpbkofOyYZY9fSY08VllQSRQ6+ivgxxACbW7U0501LhUWhAT+bi +NillhtpBqZ1jeorSbuCY+j5UMUH7T/OsFR9ZH88DvPOKggKWQ4n8vE10MpofeI9a +6XSRa74LmrzFbRTpIGP3rcycX5DSXt9HFLdPukzr64qMAdQCgqK12NID3AfsBEJg +gkqiC/6ToHlzsWTDt5JX9uJFX6PmCA3xOtJikY+WPKPQ0mLXFaz4D8hnABEBAAHC +w5sEGAECAA8FAlqgQNgCGwIFCQHhM4ACQAkQEvX3tC8rAefBXSAEGQECAAYFAlqg +QNgACgkQ8TKxy68THK77dg//T0P9d6xoGGc+zfEyPJMcMOKfMnDpd47tbJJ6aVIN +wiwqFutFVtI1G5sxOMHH+OVLhd83RHtKAysvA3PmzxyXiJbTVmWJbH/8h7evJ89S +aGeXqZZdQNLHwE9XDIY0fSeKMGHQLncN+NUfF3QCWX6isuYanuWimAqtl47xYFsr +8cXCf49Nkqv79K5slCyZDnkbnKzhshRWLzB6doj2M12JrTlgFfE83jHEOoFgjNDb +weeSK8fpLrOvtvpLjmCJrzSXv/YJI+6g3B7zWeezanM+KAIqzdoUGwwoFf6SRJGS +0SNvIOyVIbNcKFafChHUi/9eXCFAIVGTsrcwuuqxSh/yr+NaoEMD6VMrmPzVH2nq +h5vsWeH/yo1hwa8SAd+j5lXWKG6yEj1rfzW+5irrpE2GgHB1kmWLCMhHpnVRY/aN +eF/IBxSHFyvI7N0Y9uP4uYqsNcaDjrBeh3nA0AwDSDQliheu4zY7a2mAe0JVb9Hd +FIPTuKm5tUcBbZHAILuaFR+tRk/pYyTKEaw1qzTNxE+32/rphdzQxymKVuHeDWFy +BvkfnlgnJlb0gxUVZmrLd7BsjgMjItCetRb/KGG2WWgF8Rp6cQS+d+hJbKvWjhb3 +SWTcKOMcapDuw8bryXC1LEoJ2sBHr1xv8S1iXmGWWqB6iTvnM5clfoeRIOneAp5q +vVkWIQT1VKNodBLP/r3v4KMS9fe0LysB52bnD/0XSBBprkBEwP+y82RdYG0Mf5bl 
+oF1CXJoqgwzdM5TflawKo3Jlq5CQAgxdYAP6e3APpgtto9RDSS11nTovazb6CcRz +9mXJ3XNxB/1JECc6eSpzb/YHnagBq85Zmoofbkrh/T7pHqefrTCXSWl6tLz3LTPI +hXcvvYr/KHIpAQxnP5og6l4NlQ8qVAsjqggJVaQBqq8VV5HkjVHHlc2hAEIIwvno +V4A7cx4bZIALUyz82q7nwHI7dpGyxXWxC0fBXn6vYxl6AqFn1UFJcSxyD0YdS/td +WOk/QwDBoveJAMVsVJ9aEDd9lED6zfPAnjz6zp4Gd4L/Qixm2NjJf15U9aOnZNtP +RmrsvHcY62iaF6uFkPoR7yUltKkfp/RP2p/2qbyG53VAjs6gU8wqCBuS6nxIixAA +3s+1dWCAmqH2aS+0VuBqGD2yyTJ3z6uj4B7U+UGVU0DvfHWXmcJnpDIcAewkyxkT +qf/yqPxSfYahPKWfjeza3b/ljf8KvXVI5khwxG4U0zTCcHEWnZWuw4XKuBr295Qa +aMtaPg2y7BKA7kN74rxGj1+uHjPSxmJHgSA9M7/y1kKGMAYeZKg8n8Uy3joa+lZb +nhlp9ozRGqPXvUp+KbIinO95XMjnnEj4SdWN1ic+aapFPPD9yqBR8Ls7c8cf/fe1 +xhFPL3FEEpkpnq7/ps7BTQRkLdenARAA58Z1SUPfK99GwuqjYoe1ObvVmbKE2TzR +Uyw0Zxr69kbHN5EWclER3PPaOqP+FgbVTvI9hU7vu9rEwRoi91zbwQKuZlsvQXY+ +iTfGX5b+U4ueETz8tDl2Bd5e1R+RArvDQckZOUaJYfpiykx7BL6NzsfLa3hu7Sda +7wt1WNIIIe3r7pgHWrhTpJr9GCpRlu8ulnQK7FJasjOID5KX0MB1k/P5Wvby4wo3 +X3Txio+L/zefPSvC3jgaB28E1wH7sPLv8N+t+eDEhCqzXTgs2G1KANzg0S7DtWF0 +wJnVMrBpBEQcMDpkEyzLnogah9+LGzrHcZ40BpI2Ha6Po/hGkzdo5H29XrlN9RFA +taDBDTrvh8bwtrAeYwfww/J2xEzTuniCBB57sxPvU/y1vZmuj5yhyCUTX0HHuK/n +4qqS6MD3UoWVKUacdGP6cukJu5IulxybmgDdh+hfagOVfJSf93Js4VuxPR8CF46U +0xMBYM8iMYhURAQfjRODCxCUADyQSJ5XvOYNUefzMDnVDi0YhyrulVf3W/z7SKpA +i6F/y/YkE+xFwDt951PTtEMz7TqjfMtjrStpgafRj9I5MM/Ea8zQOZePbSFeWkjA +158RLHDeon3ZQgsMKbO3x/oZ2Z5+Pvmc7FoyvL8BFKGy/WYdS7qzPUKudY2PaTEv +TKZgQxQnvncAEQEAAcLDsgQYAQgAJhYhBPVUo2h0Es/+ve/goxL197QvKwHnBQJk +LdenAhsCBQkCBDqPAkAJEBL197QvKwHnwXQgBBkBCAAdFiEEvlj1OdBZuAYxwSlK +QdIJZcLoLccFAmQt16cACgkQQdIJZcLoLcf1zw//bkZNmundySuMuwsxQHvtZBcc +y+eht4gCXPzQfbjg84Duv43T8RYIEOaHZuAn7D0jkJsPWLr3wX4d/gTIIT9WLomX +b5QTp358RdmvhV4Uodj6/UyUN+NbmNgHmquDj/N35vWEYcIhEE5Y0qmAEAtvB5VB +oFSTXzHmd9GKgCKT8/J0jTN9x0F6G3dgySK3QfmO20N7/Wzl3gCgIXAUCc6Wm9vA +2SR6scKtkVkGoMRxJC2ZGlxFJZk1YHzuNrHtZz36CHs+GjQN6/B8NzGYbB5txnRs +iiT1/Grq6r+0gZ72b6XsNzURljBrGOtJqfUh6leUlEUs/GNyc7IgFpKVCTlIPsKh +IgIF2HoJRYV+lusMIH/hxk51oOnu1ych4C3XzmdPXJfu7b4f8Q4PP9x9KtlDXhJ9 
+U1/WQ48Vq6Q15BiaQplP9TRoRRn/gRiRZNnrALp0/kxiSGW7AbEsB4QzhtCiAlnq +rR3BAmivnDlFt/cL02GGvAOw3lNL1e9DsuxTFezJ4ohYx9eAK0PaK5caoB5GG8W2 +yzQOWziCoJsUAOfNRCX6+A4hVqjJLjO5bIuNSEitTI0Y10NM3NyhPaYrzHviysFw +rHhNT5mvEMuJP89PClG9BF9QizUEWLxiqw1+6jgZMyIuV/SXHIbRcvoeN8qSaT/8 +byOklOQomtVZfUzO22nY+A//WIJi/yI2SqEqPQKVC0Aft/zVi9QqiuLHKiI3SP2Z +VPohPqFONt5EkmU8AicTzy57T5OySOhI7h/l3orXp+k/eDKQ161Wy/2rJczp8i9s +rQJne2CjVOQzDWTYi4XHJi29VZ4cm/kbzQ/Qv6cicmpJd8vFklWQmPnu3lb7MaMX +Z3Bz0mddw6xUg/rN5TlwkVyPj/jtfZJS18L62aMoERGCiTVY7/uBDWFnJlvm+Ney +JtkHMcdBxvCqrhaLecSzJQ0sVU+9P3kD2zwIqQEZqu9jf5vLi9bAOuzU0SQkqlKg +7xQtO6MojgtO0x9r8p6yx38pxizg/3Z4Ax5t87Gy5VELkOKOsMl80i9LbsPTI0Hy +qj1ecy1E168mojrsjgOsWHIJz7Oy9FXNkFPuR03oCwbM9fQ2/njT6NBwtYYT7aN8 +JXJaRU1vX9s7xvTHfz23YQ2t6WH6VOpfzfkmCHdED4BPPatQNay13+URzhQCWTLa +pou1OHfq+vNuMBWVFaXzN/He0NAXOMdNS9hwpio4zXILfJOCbBE6yuuyUC32amKp +oEf4lBJ68X7PcrKn3IT9w7xQpafHo82SJ/D2kw/PFBlkwqVLOFzGisF45WdwvXXH +0Ej6vJM++ruqe9dFYtnxIeghLGjzs5/Fht34wGlDT9SiYqHgKd9RR+Q4Q/Xwr//u +nb/OwU0EYEY8CAEQAOv+KDiMlmMyIpLv+fmcE0DAM2ilffVggPGXHK1h84xamXtR +16HqjQpadWwFpozj2bk8XrdyxMkGzNZhAT2eWXNUeLHZ5vJ3FMv3LL1i8cdFyQYX +iSVvCmMqc7skIyZqZWHUOw/YEtbp02WDE/CPB9JWqK99Z4rNClJ4zJQ5mrMSROZj +2QrSAZoR1tbXVVeand8gkj0sDlYa4yhNH14ERPdLrcPCUJ9EkcSDa/XI3a0fVgC1 +rfL0pW5RRVrW3EOsQKhDWUuW7+ERWTH7ud1u785X1uKQE+0W8PjA+WsKwWSwzT6H +Etg/qadkDxz1eAM0Jqw04BIiGaoFbXPWeDHotr5xl0cSY38vR67qY3ijsvlBefOn +GM+ZMc4dyw8lExampu6n/1LFEg8NRWiuSHfNJ2kME9z5B4QQ3Zjxidwjbfo7uC/v +Zed9ubrXfdbe19g+i1YIhg0yxK/UwdTWkHHJZuBgWRKd+f/ezAV81xlEmEWx039Z +bdTPUVbvwBqk9iaoXVxUfq5x/dfQpY8D2DM9msYPFUy5vd3Tb2roBoug5HjBtLUn +JbFOpyooDXTyUWLHHkNaxmyRGWDFQpsZpp2gxmoh2scwP71E+kMyry7U5fSRRFmF +ZeLR/PlBRgAq5pgtNgKFypkxwzi9Chd8kGzbI8EtA0d3UmJm1KPRPno7CuWvABEB +AAHCwXwEGAEIACYWIQT1VKNodBLP/r3v4KMS9fe0LysB5wUCYEY8CAIbDAUJAf+G +AAAKCRAS9fe0LysB57WJD/0bt/E4Hz3m3Zyyf81qbYkmub4PbmDNFnuVGVcRzRli +kd7g63wolugC070SXKvHf5qhJwQKw3f8kAghbMs/3REbE9kPXtCOkQCsxm1XAl4F +Nv1s6Wtdz8M5wqAdIa1UoVPgGq6MjXTRU4wlpEdlllNbozW6+VWjgaxkDiXpUT/5 
+s/Dnx2YUadbF21r3I/fJEdhWT7+X0asYWVr6pqjaPWa9czh4DNSyz0qC5DWmZZ5/ +G6iXGfNbrhJsYEPIO0tiTU5gzG9OGsrgCh4uZIBF30v6HVDNq9fq3KTHm9iZ5Fg6 +ISU7wSmyhRIzQifcC6phcOaQjT8mk1zJ0Mt9ODoCfWB1vS0PNSPGJRBvZTKPj17o +2njvIMnYJc3sZOWUqS1/thgOK7z8C/21fEF9aI/H++jr2XSL6CMnOiizt5o+hRhb +gzTPEQPbtGT65Tdo+0G26Vhze3TJICHwsK0LRb7n1YLLKsG8ODjV+ry7ddZxOQD5 +vwnV76LdJCHrbATBiFnuYVuGjyqaKsqq/RJFfZvWyZwvId+fj/ktZTmegIonn61y +pIls34XUeQtPZXgfv3OurbOusaeuyT5xEXYMPc3LxA3+/xpR/HJeX98hsTmH3KtD +HSels7T8VhH5VWCmRAQdAgodQajvsUElOOwhsuRGRrTVzIEAvCgVJPb3JG3gF632 +Rc7BTQRgRjtWARAA9edmud0C3lhpayeYnr8caR/ctAqLHPOgX8EMPzYVDOxLxwis +9eTEZzXp2u85avvCKHP8qo5lUU4+JHtG3Jcv+NYMNIeMJ+QMJnAtTxshAAqaVbq0 +5cScURDOCaTfcpuLFpR87KOKt7xLgRXjtLTbk6Meqbbdlqg97Z5J38RSEBBnDnr8 +7CX7W0BLMHHoL/58k77JFkW6l0tZ2iKEBlbOSDdMBC/qORpsCG+hs5zR3JebLyFG +r2VeWD8wTz/866srYqfOZukJfxIvwn0/PvOXSBmAPIen1YP/ZWb7E84UIuL6rlNE +pLydA1/fG1YJQDD2fxKieJqH+GQ83bjsgxKz4AVJ5qPYsQadWFywOC4OyuKgIW3L +KQ+aRIR1gahU/DQ5BlE+bM0UBbUbU0hz9IJdpskcn8fxylonAIlMKA5nLOTRlZmP +2yZ3PWDcZ7xOW+0aoEeaiuiQxK0R7AKxcmoUQVsuG0SkG3AVZcWGkWc0hRjOowqG +AS7TOfeA8EF09oRkO+IxmOBuyJe4WhpT0RUQ4cEIz72xSO7LT72R6ISj+dMAjLcE +g4LNPVgEnCOBY3jLqi3c6/gHfPrTanFHx02iIwiklL0TS78tN/r43tjjRI/2SXkk +Aphq2C/2hnAUj2b1ur6Cj6d+N/4IX18shulkq92IydfxVeMoKFxTZ0huSpcAEQEA +AcLDsgQYAQgAJhYhBPVUo2h0Es/+ve/goxL197QvKwHnBQJgRjtWAhsCBQkB/4YA +AkAJEBL197QvKwHnwXQgBBkBCAAdFiEE/DZ4Imbv9iQMR50nEco5yCwF7okFAmBG +O1YACgkQEco5yCwF7omsZxAAygmvDIG2gnX4VCoeVpzQRWOzSZf0hmLwmQTrgdnp +PpvfprDTVQj7Ig6FJC+z2C/0DudxSToB7hW6OsHmCwrXYgo81NMByS2HzMK2Ityp +NSP1eHJR6hlLMtMWXrM4zxvSjzowDqmNVivQ7MJaIP2ftqLCMen4GqzBOm76OITV +hSrTMhPZqEql6vgXzKVlEfLO1Jy1TmejU3FBu1j6kC7wv195uSlQll6eztJqd6ov +/aB6QDLrNZen4N0Ow3M7TNOkEniIE6DIVm2pr+n8bqk15yiy6AKuN4amgOL7ZCGw +5eYdyG4TeyexhG/7vuolDikbNKNDdHngJEEQ2lyVGkz6iBMv1c2uzblLvi4FiZkT +S6csTliN3vgYMycKf3IBpcCWwLrGy9DgoerFvy4FvqrqqtVEiIZbXDyfqInPRRkH +Ut+9TAb/x8CbfQO0za41XqV2EAuJMPPM3KIPuR3zOBbHG7pNmxImo5QQYdbVN5f9 +iBEUcSG6bMc9MG8l7hXgSvZPVsZmq8+qh63lk6HUof667iIbZxUpFWMtnUtdUdAY 
+U/mu8IxJVOo988eKkTiI8tBNfKmnVA1fVS5fJXd26Iz+ul6WsTTNt2vpJ6acQOPb +sPUY1ojlTuWgx8uSyVo9TIZnzTVZtl7zpjHaW8x7AcgFOJXokgYImkRNgSBY562x +VTpMHg/9FbcdZ4Lqr30OxmipCITBvddK5sjulLQ8Xq0z2wlonaBA73wiIhwJ5gIb +RTHeY/2aAwmEkIgKzHJLW4vb5mceLuKxLLv1+tmOMjCpK6PKDk311bqgstCZllu8 +0Y1YCJXYznuJzsAY9vXQnEV2VkYvl4492O+D7Wcb94l8UbHhRqpb9vSk4+mXIEcG +CohV4VPB3lnhSj2/SXZCIPyyAt/Nx3wB4qAg9pZepmR+ZNHpNKoOYwiNM1ZUWj62 +j3Ux0LiWG3bQnCetqDdaGrbks6Wn06wb847Ueha4QB3tTrWlR5F+RKIFS4jQU1rv +nGWK5ameYhPRGJm8+e1bbc/q20BDt+0k2k+CkF96cFuJIiwFH4k79zHKmaZbABHq +jUIRILSUXfoAwMFeScRXzVlbuEBgTjMsiJPEKpqOJCWg4rq9FCLzYcZ25WgCuV8d +/dcVqPErTJB/JD2aRul6gfIL57kgjOXCYSdAETv/Y8UXjLRcJH5GUy0D6tprb+Zk +grUoHmoLO4vUpx654ItOXfoYOoJhdpaFnkZX5Cxfy9fIY+XIPDLdyt0BUB8OauD6 +/HLrSlgPCHHt2AHBLyuArWbJ2llKF5/AC2IEZrkQT+nLUou3ymETTSXPIMUgtU4Y +4+u3Y6dbfceoqc0j1CgxYGUVixmO66cvG08Avzjrs0MhvldckGU= +=YkB4 +-----END PGP PUBLIC KEY BLOCK-----
diff --git a/openvpn.service b/openvpn.service
new file mode 100644
index 0000000..45496d2
--- /dev/null
+++ b/openvpn.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenVPN tunneling daemon instance using /etc/openvpn/%i.conf
+After=network.target
+PartOf=openvpn.target
+
+[Service]
+Type=notify
+PrivateTmp=true
+PIDFile=/run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon openvpn@%i --writepid /run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
+# boo#1142830: "reload" does not work if openvpn drops root privileges after startup.
+ExecReload=/usr/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target openvpn.target
+
diff --git a/openvpn.spec b/openvpn.spec
new file mode 100644
index 0000000..80e573c
--- /dev/null
+++ b/openvpn.spec
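Review bot: `[Service]` carries only `PrivateTmp=true`, while the spec deletes upstream's openvpn-client@.service and openvpn-server@.service in `%install`, so the sandboxing those upstream units ship (as far as I recall a capability bounding set, ProtectSystem/ProtectHome and a device allow-list) is lost and this unit becomes the only one installed. Until a `--user`/`--group` directive in the instance config drops privileges the daemon runs as full root, so bounding the capabilities it can ever hold limits what a compromised instance can do. `ProtectSystem=true` rather than `full` keeps /etc writable, which the packaged netconfig up/down scripts need; `ProtectHome=true` is also worth considering but can break configurations that keep keys under /root, so it is left out below. The DeviceAllow lines follow upstream and should be confirmed against the pkcs11 and DCO code paths before merging.
```ini
[Service]
Type=notify
PrivateTmp=true
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
ProtectSystem=true
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
; … unchanged: PIDFile, ExecStart, ExecReload …
```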
@@ -0,0 +1,230 @@
+#
+# spec file for package openvpn
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if ! %{defined _rundir}
+%define _rundir %{_localstatedir}/run
+%endif
+Name: openvpn
+Version: 2.6.10
+Release: 0
+Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
+License: GPL-2.0-only WITH openvpn-openssl-exception
+Group: Productivity/Networking/Security
+URL: https://openvpn.net/
+Source: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
+Source1: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz.asc
+Source3: %{name}.README.SUSE
+Source4: client-netconfig.up
+Source5: client-netconfig.down
+Source7: %{name}.keyring
+Source8: %{name}.service
+Source9: %{name}.target
+Source10: %{name}-tmpfile.conf
+Source11: rc%{name}
+Patch1: %{name}-2.3-plugin-man.dif
+BuildRequires: iproute2
+BuildRequires: libcap-ng-devel
+BuildRequires: liblz4-devel
+BuildRequires: libselinux-devel
+BuildRequires: lz4
+BuildRequires: lzo-devel
+BuildRequires: openssl-devel
+BuildRequires: p11-kit-devel
+BuildRequires: pam-devel
+BuildRequires: pkcs11-helper-devel >= 1.11
+BuildRequires: pkgconfig
+BuildRequires: xz
+BuildRequires: pkgconfig(libnl-genl-3.0)
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(systemd)
+Requires: iproute2
+Requires: pkcs11-helper >= 1.11
+Recommends: ovpn-dco-kmp
+%systemd_ordering
+
+%description
+OpenVPN is an SSL VPN solution which can accommodate a wide
+range of configurations, including remote access, site-to-site VPNs,
+WiFi security, and remote access solutions with load
+balancing, failover, and fine-grained access-controls.
+
+OpenVPN implements OSI layer 2 or 3 secure network extension using the
+SSL/TLS protocol, supports flexible client
+authentication methods based on certificates, smart cards, and/or
+2-factor authentication, and allows user or group-specific access
+control policies using firewall rules applied to the VPN virtual
+interface.
+
+OpenVPN is not a web application proxy and does not operate through a
+web browser.
+
+%package down-root-plugin
+Summary: OpenVPN down-root plugin
+Group: Productivity/Networking/Security
+Requires: %{name} = %{version}
+
+%description down-root-plugin
+The OpenVPN down-root plugin allows an OpenVPN configuration to call a
+down script with root privileges, even when privileges have been
+dropped using --user/--group/--chroot.
+
+This module uses a split privilege execution model which will fork()
+before OpenVPN drops root privileges, at the point where the --up
+script is usually called. The plugin will then remain in a wait state
+until it receives a message from OpenVPN via pipe to execute the down
+script. Thus, the down script will be run in the same execution
+environment as the up script.
+
+%package auth-pam-plugin
+Summary: OpenVPN auth-pam plugin
+Group: Productivity/Networking/Security
+Requires: %{name} = %{version}
+
+%description auth-pam-plugin
+The OpenVPN auth-pam plugin implements username/password authentication
+via PAM, and essentially allows any authentication method supported by
+PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with
+OpenVPN.
+
+While PAM supports username/password authentication, this can be
+combined with X509 certificates to provide two indepedent levels of
+authentication.
+
+This plugin uses a split privilege execution model which will function
+even if you drop openvpn daemon privileges using the user, group, or
+chroot directives.
+
+%package devel
+Summary: OpenVPN plugin header
+Group: Development/Libraries/C and C++
+Requires: %{name} = %{version}
+
+%description devel
+This package provides the header file to build external plugins.
+
+%prep
+%autosetup -p0
+
+sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
+ -i src/openvpn/options.c
+sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \
+ -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
+ -i doc/openvpn.8
+sed -e "s|%{_localstatedir}/run|%{_rundir}|g" < %{SOURCE8} > %{name}.service
+
+# %%doc items shouldn't be executable.
+find contrib sample -type f -exec chmod a-x \{\} +
+
+%build
+export CFLAGS="%{optflags} $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing"
+export LDFLAGS
+%if 0%{?suse_version} >= 1550
+# usrmerge
+export IPROUTE="%{_sbindir}/ip"
+%endif
+libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)
+if [[ $libnlversion == 3.[0-3].* ]] ; then
+ confopt=--enable-iproute2
+else
+ confopt=--enable-dco
+fi
+%configure \
+ $confopt \
+ --enable-x509-alt-username \
+ --enable-pkcs11 \
+ --enable-systemd \
+ --enable-plugins \
+ --enable-plugin-down-root \
+ --enable-plugin-auth-pam \
+ CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS" \
+ LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins"
+%make_build
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -print -exec rm -f {} +
+mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
+mkdir -p %{buildroot}/%{_rundir}/openvpn
+mkdir -p %{buildroot}/%{_datadir}/openvpn
+rm %{buildroot}%{_libdir}/systemd/system/openvpn-client@.service
+rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service
+#use one proveded by suse
+rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf
+install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
+install -D -m 644 %{SOURCE9} %{buildroot}/%{_unitdir}/%{name}.target
+install -D -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/rc%{name}
+# tmpfiles.d
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE10} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+cp -p %{SOURCE3} README.SUSE
+install -m 755 %{SOURCE4} sample/sample-scripts/client-netconfig.up
+install -m 755 %{SOURCE5} sample/sample-scripts/client-netconfig.down
+
+# we install docs via spec into _defaultdocdir/name/management-notes.txt
+rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
+find sample -name .gitignore -exec rm -f {} +
+
+%pre
+%service_add_pre %{name}.target
+
+%post
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+%service_add_post %{name}.target
+
+%preun
+%service_del_preun %{name}.target
+
+%postun
+%service_del_postun %{name}.target
+
+%files
+%license COPYING
+%doc AUTHORS COPYRIGHT.GPL ChangeLog PORTS README
+%doc src/plugins/{auth-pam/README.auth-pam,down-root/README.down-root}
+%doc README.*
+%doc contrib
+%doc sample/sample-config-files
+%doc sample/sample-keys
+%doc sample/sample-scripts
+%doc doc/management-notes.txt
+%{_mandir}/man5/openvpn-examples.5%{?ext_man}
+%{_mandir}/man8/openvpn.8%{?ext_man}
+%config(noreplace) %{_sysconfdir}/openvpn/
+%dir %{_tmpfilesdir}
+%{_unitdir}/%{name}@.service
+%{_unitdir}/%{name}.target
+%{_tmpfilesdir}/%{name}.conf
+%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
+%{_sbindir}/rcopenvpn
+%{_sbindir}/openvpn
+
+%files down-root-plugin
+%dir %{_libdir}/%{name}
+%dir %{_libdir}/%{name}/plugins
+%{_libdir}/%{name}/plugins/%{name}-plugin-down-root.so
+
+%files auth-pam-plugin
+%dir %{_libdir}/%{name}
+%dir %{_libdir}/%{name}/plugins
+%{_libdir}/%{name}/plugins/%{name}-plugin-auth-pam.so
+
+%files devel
+%{_includedir}/%{name}-plugin.h
+%{_includedir}/%{name}-msg.h
+
+%changelog
diff --git a/openvpn.target b/openvpn.target
new file mode 100644
index 0000000..632256d
--- /dev/null
+++ b/openvpn.target
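Review bot: The DCO switch in `%build` keys on a package name the spec never requires: `libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)` while the BuildRequires is `pkgconfig(libnl-genl-3.0)`, so wherever the provider is not literally named libnl3-devel `rpm -q` prints an error instead of a version, the `3.[0-3].*` glob does not match, and the build takes the `--enable-dco` branch regardless of the libnl actually installed. Asking pkg-config, which the build already depends on, about the module that is linked removes the name coupling: `if pkg-config --atleast-version=3.4 libnl-genl-3.0 ; then confopt=--enable-dco ; else confopt=--enable-iproute2 ; fi`. Separately, `$PLUGIN_DEFS` on the `CFLAGS=` line of the `%configure` call is never assigned anywhere in the spec and always expands to nothing, so it should either be set or dropped.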
@@ -0,0 +1,3 @@
+[Unit]
+Description=OpenVPN target allowing to start/stop all openvpn@.service instances at once
+
diff --git a/rcopenvpn b/rcopenvpn
new file mode 100644
index 0000000..04ba070
--- /dev/null
+++ b/rcopenvpn
@@ -0,0 +1,34 @@
+#! /bin/bash
+
+action=$1 ; shift
+config=$1 ; shift
+
+retcode=0
+
+if test -n "$config" ; then
+ systemctl "${action}" "openvpn@${config}.service" || retcode=$?
+else
+ case $action in
+ status)
+ n=0
+ l=`systemctl show -p ConsistsOf openvpn.target 2>/dev/null`
+ for s in ${l#ConsistsOf=} ; do
+ case $s in
+ openvpn@*.service)
+ systemctl status "$s" || retcode=$?
+ ((++n))
+ ;;
+ esac
+ done
+ if test $n -eq 0 ; then
+ echo 'unused' >&2
+ exit 3
+ fi
+ ;;
+ *)
+ systemctl "${action}" "openvpn.target"
+ ;;
+ esac
+fi
+
+exit $retcode
From c1302e0b012b0a2566ecc44b5b9659084a3e5fe32655d9987831fa2e4391f57d Mon Sep 17 00:00:00 2001
From: Rahul Jain
Date: Mon, 28 Oct 2024 14:18:16 +0000
Subject: [PATCH 2/2] bugowner:rjain Patch applied for the submission by rjain
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=208
---
 openvpn-CVE-2024-28882.patch | 87 ++++++++++++++++++++++++++++++++++++
 openvpn.changes | 7 +++
 openvpn.spec | 2 +
 3 files changed, 96 insertions(+)
 create mode 100644 openvpn-CVE-2024-28882.patch
diff --git a/openvpn-CVE-2024-28882.patch b/openvpn-CVE-2024-28882.patch
new file mode 100644
index 0000000..547eb65
--- /dev/null
+++ b/openvpn-CVE-2024-28882.patch
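Review bot: In the `*)` branch of rcopenvpn the exit status of `systemctl "${action}" "openvpn.target"` is discarded, so `rcopenvpn stop` (or start/restart) exits 0 even when systemctl fails, while the per-instance path and the status loop both propagate failures through `retcode`; make it `systemctl "${action}" "openvpn.target" || retcode=$?`. With no arguments `$action` is empty and the same branch runs `systemctl "" openvpn.target`, so a guard near the top such as `test -n "$action" || { echo "usage: rcopenvpn ACTION [CONFIG]" >&2; exit 2; }` would fail with a clearer message and a deliberate exit code. The `exit 3` on the status path follows the LSB "not running/unused" convention, which is worth a one-line comment, `# LSB: 3 = service not running`, so nobody "fixes" it to 1.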
@@ -0,0 +1,87 @@
+diff -Naurp src.orig/openvpn/forward.c src/openvpn/forward.c
+--- src.orig/openvpn/forward.c 2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/forward.c 2024-10-18 08:52:38.695704757 +0200
+@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
+ }
+
+ /*
+- * Schedule a signal n_seconds from now.
++ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
+ */
+-void
+-schedule_exit(struct context *c, const int n_seconds, const int signal)
++bool
++schedule_exit(struct context *c)
+ {
++ const int n_seconds = c->options.scheduled_exit_interval;
++ /* don't reschedule if already scheduled. */
++ if (event_timeout_defined(&c->c2.scheduled_exit))
++ {
++ return false;
++ }
+ tls_set_single_session(c->c2.tls_multi);
+ update_time();
+ reset_coarse_timers(c);
+ event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
+- c->c2.scheduled_exit_signal = signal;
++ c->c2.scheduled_exit_signal = SIGTERM;
+ msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
++ return true;
+ }
+
+ /*
+diff -Naurp src.orig/openvpn/forward.h src/openvpn/forward.h
+--- src.orig/openvpn/forward.h 2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/forward.h 2024-10-18 08:53:26.223161629 +0200
+@@ -302,7 +302,7 @@ void reschedule_multi_process(struct con
+
+ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
+
+-void schedule_exit(struct context *c, const int n_seconds, const int signal);
++bool schedule_exit(struct context *c);
+
+ static inline struct link_socket_info *
+ get_link_socket_info(struct context *c)
+diff -Naurp src.orig/openvpn/push.c src/openvpn/push.c
+--- src.orig/openvpn/push.c 2024-10-17 14:19:53.719827337 +0200
++++ src/openvpn/push.c 2024-10-18 09:18:53.861388522 +0200
+@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
+ * */
+ if (c->options.mode == MODE_SERVER)
+ {
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
++ if(!schedule_exit(c))
++ {
++ /* Return early when we don't need to notify management */
++ return;
++ }
+ }
+ else
+ {
+@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
+ void
+ send_auth_failed(struct context *c, const char *client_reason)
+ {
+- if (event_timeout_defined(&c->c2.scheduled_exit))
++ if (!schedule_exit(c))
+ {
+ msg(D_TLS_DEBUG, "exit already scheduled for context");
+ return;
+@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, cons
+ static const char auth_failed[] = "AUTH_FAILED";
+ size_t len;
+
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+-
+ len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
+ if (len > PUSH_BUNDLE_SIZE)
+ {
+@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_mu
+ void
+ send_restart(struct context *c, const char *kill_msg)
+ {
+- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
++ schedule_exit(c);
+ send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
+ }
+
diff --git a/openvpn.changes b/openvpn.changes
index 3f65c6f..1490952 100644
--- a/openvpn.changes
+++ b/openvpn.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain
+
+- Fix multiple exit notifications from authenticated clients will
+ extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
+ Patchname:openvpn-CVE-2024-28882.patch
+
 -------------------------------------------------------------------
 Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann
 
diff --git a/openvpn.spec b/openvpn.spec
index 80e573c..18956d1 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -37,6 +37,7 @@ Source9: %{name}.target
 Source10: %{name}-tmpfile.conf
 Source11: rc%{name}
 Patch1: %{name}-2.3-plugin-man.dif
+Patch2: openvpn-CVE-2024-28882.patch
 BuildRequires: iproute2
 BuildRequires: libcap-ng-devel
 BuildRequires: liblz4-devel
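Review bot: The security patch carries no provenance header — its first line is already `diff -Naurp src.orig/openvpn/forward.c ...` and nothing in the 87 lines names the upstream commit being backported or the CVE — so a reviewer cannot check this backport against the openvpn.net fix without re-deriving it; prepend a few comment lines before the first `diff` (patch ignores leading text), e.g. `CVE-2024-28882 (bsc#1227546): backport of the upstream OpenVPN fix that stops repeated exit notifications from an authenticated client extending a closing session; upstream commit: <id>`. In push.c, `send_restart` still discards the new bool from `schedule_exit(c)` and always sends the RESTART control message, whereas `receive_exit_message` and `send_auth_failed` now return early when an exit was already scheduled; if that asymmetry is intended, a one-line comment above the call, `/* already-scheduled exit is fine here; the RESTART push is still wanted */`, would keep a later cleanup from "fixing" it. Minor style: `if(!schedule_exit(c))` is missing the space after `if` that the surrounding code uses, `if (!schedule_exit(c))`. The bodies of `receive_exit_message` and `send_auth_failed` extend beyond the inner hunks shown.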
@@ -119,6 +120,7 @@ This package provides the header file to build external plugins. %prep %autosetup -p0 + sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \ -i src/openvpn/options.c