From 97796423079e5e9ba73b2c2f3b39f0dff278cfaa0113de48894481fb301558be Mon Sep 17 00:00:00 2001
From: Nirmoy Das
Date: Tue, 24 Jan 2017 10:31:30 +0000
Subject: [PATCH] Accepting request 451851 from home:darix:playground - silence warning about %{_rundir}/openvpn - for non systemd case: just package the %{_rundir}/openvpn in the package - for systemd case: call systemd-tmpfiles and own the dir as %ghost in the filelist - refreshed patches to apply cleanly again openvpn-2.3-plugin-man.dif openvpn-fips140-2.3.2.patch - update to 2.3.14 - update year in copyright message - Document the --auth-token option - Repair topology subnet on FreeBSD 11 - Repair topology subnet on OpenBSD - Drop recursively routed packets - Support --block-outside-dns on multiple tunnels - When parsing '--setenv opt xx ..' make sure a third parameter is present - Map restart signals from event loop to SIGTERM during exit-notification wait - Correctly state the default dhcp server address in man page - Clean up format_hex_ex() - enabled pkcs11 support
OBS-URL: https://build.opensuse.org/request/show/451851
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=113
---
 openvpn-2.3-plugin-man.dif | 8 ++-
 openvpn-2.3.13.tar.xz | 3 -
 openvpn-2.3.13.tar.xz.asc | 7 ---
 openvpn-2.3.14.tar.xz | 3 +
 openvpn-2.3.14.tar.xz.asc | 7 +++
 openvpn-fips140-2.3.2.patch | 106 ++++++++++++++++++++++--------------
 openvpn-tmpfile.conf | 2 +-
 openvpn.changes | 34 ++++++++++++
 openvpn.spec | 10 ++--
 9 files changed, 121 insertions(+), 59 deletions(-)
 delete mode 100644 openvpn-2.3.13.tar.xz
 delete mode 100644 openvpn-2.3.13.tar.xz.asc
 create mode 100644 openvpn-2.3.14.tar.xz
 create mode 100644 openvpn-2.3.14.tar.xz.asc
diff --git a/openvpn-2.3-plugin-man.dif b/openvpn-2.3-plugin-man.dif
index 2808bfe..7aa3e49 100644
--- a/openvpn-2.3-plugin-man.dif
+++ b/openvpn-2.3-plugin-man.dif
@@ -1,6 +1,8 @@ ---- doc/openvpn.8 -+++ doc/openvpn.8 2015/03/02 08:58:02 -@@ -2569,12 +2569,11 @@ plug-in modules, see the README file in +Index: doc/openvpn.8 +=================================================================== +--- doc/openvpn.8.orig ++++ doc/openvpn.8 +@@ -2690,12 +2690,11 @@ plug-in modules, see the README file in .B plugin folder of the OpenVPN source distribution. diff --git a/openvpn-2.3.13.tar.xz b/openvpn-2.3.13.tar.xz deleted file mode 100644 index 7f364f2..0000000 --- a/openvpn-2.3.13.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0 -size 829484 diff --git a/openvpn-2.3.13.tar.xz.asc b/openvpn-2.3.13.tar.xz.asc deleted file mode 100644 index ca1369f..0000000 --- a/openvpn-2.3.13.tar.xz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlgbEocACgkQwp2X7RmNIqOSJwCfQVrcS2k/XC71G1H8ABMQpPrS -MvAAn3TdER/TEpi82whq3SLABg8wTNuz -=Zf4E ------END PGP SIGNATURE----- diff --git a/openvpn-2.3.14.tar.xz b/openvpn-2.3.14.tar.xz new file mode 100644 index 0000000..7fe8e77 --- /dev/null +++ b/openvpn-2.3.14.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98 +size 831404 diff --git a/openvpn-2.3.14.tar.xz.asc b/openvpn-2.3.14.tar.xz.asc new file mode 100644 index 0000000..eece48b --- /dev/null +++ b/openvpn-2.3.14.tar.xz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlhH9nkACgkQwp2X7RmNIqOYtQCfbRsvCy0r7RnYXEAZJ3nzsaww +JoMAoIMDSlotKGn/9tey0L+Nj8+8kI+N +=D64i +-----END PGP SIGNATURE----- diff --git a/openvpn-fips140-2.3.2.patch b/openvpn-fips140-2.3.2.patch index ec91607..344d3fd 100644 --- a/openvpn-fips140-2.3.2.patch +++ b/openvpn-fips140-2.3.2.patch 
@@ -1,6 +1,8 @@ ---- openvpn-2.3.2/src/openvpn/crypto_backend.h -+++ openvpn-2.3.2/src/openvpn/crypto_backend.h 2015/02/19 09:15:02 -@@ -452,10 +452,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_ +Index: openvpn-2.3.14/src/openvpn/crypto_backend.h +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto_backend.h ++++ openvpn-2.3.14/src/openvpn/crypto_backend.h +@@ -480,10 +480,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_ * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters @@ -13,9 +15,11 @@ /* * Free the given HMAC context. ---- openvpn-2.3.2/src/openvpn/crypto.c -+++ openvpn-2.3.2/src/openvpn/crypto.c 2015/02/19 09:15:02 -@@ -486,7 +486,7 @@ init_key_ctx (struct key_ctx *ctx, struc +Index: openvpn-2.3.14/src/openvpn/crypto.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto.c ++++ openvpn-2.3.14/src/openvpn/crypto.c +@@ -505,7 +505,7 @@ init_key_ctx (struct key_ctx *ctx, struc if (kt->digest && kt->hmac_length > 0) { ALLOC_OBJ(ctx->hmac, hmac_ctx_t); @@ -24,7 +28,7 @@ msg (D_HANDSHAKE, "%s: Using %d bit message hash '%s' for HMAC authentication", -@@ -1409,61 +1409,61 @@ free_ssl_lib (void) +@@ -1421,61 +1421,61 @@ free_ssl_lib (void) #endif /* ENABLE_SSL */ /* @@ -102,9 +106,11 @@ } #endif /* ENABLE_CRYPTO */ ---- openvpn-2.3.2/src/openvpn/crypto.h -+++ openvpn-2.3.2/src/openvpn/crypto.h 2015/02/19 09:15:02 -@@ -364,24 +364,24 @@ void free_ssl_lib (void); +Index: openvpn-2.3.14/src/openvpn/crypto.h +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto.h ++++ openvpn-2.3.14/src/openvpn/crypto.h +@@ -430,24 +430,24 @@ void free_ssl_lib (void); #endif /* ENABLE_SSL */ /* 
@@ -140,9 +146,11 @@ /* * Inline functions ---- openvpn-2.3.2/src/openvpn/crypto_openssl.c -+++ openvpn-2.3.2/src/openvpn/crypto_openssl.c 2015/02/19 09:15:02 -@@ -719,13 +719,17 @@ md_ctx_final (EVP_MD_CTX *ctx, uint8_t * +Index: openvpn-2.3.14/src/openvpn/crypto_openssl.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto_openssl.c ++++ openvpn-2.3.14/src/openvpn/crypto_openssl.c +@@ -829,13 +829,17 @@ md_ctx_final (EVP_MD_CTX *ctx, uint8_t * void hmac_ctx_init (HMAC_CTX *ctx, const uint8_t *key, int key_len, @@ -161,8 +169,10 @@ HMAC_Init_ex (ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ ---- openvpn-2.3.2/src/openvpn/crypto_openssl.h -+++ openvpn-2.3.2/src/openvpn/crypto_openssl.h 2015/02/19 09:15:02 +Index: openvpn-2.3.14/src/openvpn/crypto_openssl.h +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto_openssl.h ++++ openvpn-2.3.14/src/openvpn/crypto_openssl.h @@ -33,6 +33,7 @@ #include #include @@ -171,9 +181,11 @@ /** Generic cipher key type %context. */ typedef EVP_CIPHER cipher_kt_t; ---- openvpn-2.3.2/src/openvpn/crypto_polarssl.c -+++ openvpn-2.3.2/src/openvpn/crypto_polarssl.c 2015/02/19 09:15:02 -@@ -608,7 +608,7 @@ md_ctx_final (md_context_t *ctx, uint8_t +Index: openvpn-2.3.14/src/openvpn/crypto_polarssl.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto_polarssl.c ++++ openvpn-2.3.14/src/openvpn/crypto_polarssl.c +@@ -695,7 +695,7 @@ md_ctx_final (md_context_t *ctx, uint8_t * TODO: re-enable dmsg for crypto debug */ void 
@@ -182,9 +194,11 @@ { ASSERT(NULL != kt && NULL != ctx); ---- openvpn-2.3.2/src/openvpn/init.c -+++ openvpn-2.3.2/src/openvpn/init.c 2015/02/19 09:15:02 -@@ -1352,12 +1352,12 @@ do_route (const struct options *options, +Index: openvpn-2.3.14/src/openvpn/init.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/init.c ++++ openvpn-2.3.14/src/openvpn/init.c +@@ -1360,12 +1360,12 @@ do_route (const struct options *options, */ #if P2MP static void @@ -199,7 +213,7 @@ } #endif -@@ -1649,8 +1649,8 @@ do_up (struct context *c, bool pulled_op +@@ -1713,8 +1713,8 @@ do_up (struct context *c, bool pulled_op if (!c->c2.did_open_tun && PULL_DEFINED (&c->options) && c->c1.tuntap @@ -210,7 +224,7 @@ { /* if so, close tun, delete routes, then reinitialize tun and add routes */ msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); -@@ -2697,11 +2697,11 @@ do_compute_occ_strings (struct context * +@@ -2792,11 +2792,11 @@ do_compute_occ_strings (struct context * #ifdef ENABLE_CRYPTO msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'", options_string_version (c->c2.options_string_local, &gc), @@ -224,8 +238,10 @@ strlen (c->c2.options_string_remote), 9, &gc)); #endif ---- openvpn-2.3.2/src/openvpn/ntlm.c -+++ openvpn-2.3.2/src/openvpn/ntlm.c 2015/02/19 09:15:02 +Index: openvpn-2.3.14/src/openvpn/ntlm.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/ntlm.c ++++ openvpn-2.3.14/src/openvpn/ntlm.c @@ -90,7 +90,7 @@ gen_hmac_md5 (const char* data, int data hmac_ctx_t hmac_ctx; CLEAR(hmac_ctx); 
@@ -235,9 +251,11 @@ hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len); hmac_ctx_final(&hmac_ctx, (unsigned char *)result); hmac_ctx_cleanup(&hmac_ctx); ---- openvpn-2.3.2/src/openvpn/openvpn.h -+++ openvpn-2.3.2/src/openvpn/openvpn.h 2015/02/19 09:15:02 -@@ -206,7 +206,7 @@ struct context_1 +Index: openvpn-2.3.14/src/openvpn/openvpn.h +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/openvpn.h ++++ openvpn-2.3.14/src/openvpn/openvpn.h +@@ -205,7 +205,7 @@ struct context_1 #endif /* if client mode, hash of option strings we pulled from server */ @@ -246,7 +264,7 @@ /**< Hash of option strings received from the * remote OpenVPN server. Only used in * client-mode. */ -@@ -474,9 +474,9 @@ struct context_2 +@@ -473,9 +473,9 @@ struct context_2 bool did_pre_pull_restore; /* hash of pulled options, so we can compare when options change */ @@ -259,9 +277,11 @@ struct event_timeout server_poll_interval; ---- openvpn-2.3.2/src/openvpn/options.c -+++ openvpn-2.3.2/src/openvpn/options.c 2015/02/19 09:15:10 -@@ -828,6 +828,10 @@ init_options (struct options *o, const b +Index: openvpn-2.3.14/src/openvpn/options.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/options.c ++++ openvpn-2.3.14/src/openvpn/options.c +@@ -835,6 +835,10 @@ init_options (struct options *o, const b #endif #ifdef ENABLE_CRYPTO o->ciphername = "BF-CBC"; @@ -272,9 +292,11 @@ o->ciphername_defined = true; o->authname = "SHA1"; o->authname_defined = true; ---- openvpn-2.3.13.orig/src/openvpn/push.c -+++ openvpn-2.3.13/src/openvpn/push.c 2016-12-03 22:57:58.198398996 +0100 -@@ -408,7 +408,7 @@ +Index: openvpn-2.3.14/src/openvpn/push.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/push.c ++++ openvpn-2.3.14/src/openvpn/push.c +@@ -408,7 +408,7 @@ push_reset (struct options *o) #endif static void 
@@ -283,7 +305,7 @@ { char line[OPTION_PARM_SIZE]; while (buf_parse (buf, ',', line, sizeof (line))) -@@ -416,7 +416,7 @@ +@@ -416,7 +416,7 @@ push_update_digest(struct md5_state *ctx /* peer-id might change on restart and this should not trigger reopening tun */ if (strstr (line, "peer-id ") != line) { @@ -292,7 +314,7 @@ } } } -@@ -472,10 +472,10 @@ +@@ -472,10 +472,10 @@ process_incoming_push_msg (struct contex if (ch == ',') { struct buffer buf_orig = buf; @@ -306,7 +328,7 @@ } if (!c->c2.did_pre_pull_restore) { -@@ -493,8 +493,8 @@ +@@ -493,8 +493,8 @@ process_incoming_push_msg (struct contex { case 0: case 1: @@ -317,9 +339,11 @@ ret = PUSH_MSG_REPLY; break; case 2: ---- openvpn-2.3.2/src/openvpn/ssl.c -+++ openvpn-2.3.2/src/openvpn/ssl.c 2015/02/19 09:15:02 -@@ -1342,8 +1342,8 @@ tls1_P_hash(const md_kt_t *md_kt, +Index: openvpn-2.3.14/src/openvpn/ssl.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/ssl.c ++++ openvpn-2.3.14/src/openvpn/ssl.c +@@ -1396,8 +1396,8 @@ tls1_P_hash(const md_kt_t *md_kt, chunk = md_kt_size(md_kt); A1_len = md_kt_size(md_kt); diff --git a/openvpn-tmpfile.conf b/openvpn-tmpfile.conf index 9416334..e0dc7e6 100644 --- a/openvpn-tmpfile.conf +++ b/openvpn-tmpfile.conf @@ -1 +1 @@ -D /var/run/openvpn 0750 root root - +D /run/openvpn 0750 root root - diff --git a/openvpn.changes b/openvpn.changes index 30b5b64..e0fd8ef 100644 --- a/openvpn.changes +++ b/openvpn.changes 
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Sun Jan 22 15:21:17 UTC 2017 - mrueckert@suse.de
+
+- silence warning about %{_rundir}/openvpn
+ - for non systemd case: just package the %{_rundir}/openvpn in
+ the package
+ - for systemd case: call systemd-tmpfiles and own the dir as
+ %ghost in the filelist
+
+-------------------------------------------------------------------
+Sun Jan 22 14:51:44 UTC 2017 - mrueckert@suse.de
+
+- refreshed patches to apply cleanly again
+ openvpn-2.3-plugin-man.dif
+ openvpn-fips140-2.3.2.patch
+
+-------------------------------------------------------------------
+Sun Jan 22 14:47:39 UTC 2017 - mrueckert@suse.de
+
+- update to 2.3.14
+ - update year in copyright message
+ - Document the --auth-token option
+ - Repair topology subnet on FreeBSD 11
+ - Repair topology subnet on OpenBSD
+ - Drop recursively routed packets
+ - Support --block-outside-dns on multiple tunnels
+ - When parsing '--setenv opt xx ..' make sure a third parameter
+ is present
+ - Map restart signals from event loop to SIGTERM during
+ exit-notification wait
+ - Correctly state the default dhcp server address in man page
+ - Clean up format_hex_ex()
+- enabled pkcs11 support
+
 -------------------------------------------------------------------
 Sat Dec 3 21:26:52 UTC 2016 - michael@stroeder.com
diff --git a/openvpn.spec b/openvpn.spec
index 868ae7f..31b7949 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openvpn
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,7 +32,7 @@ Url: http://openvpn.net/
 %else
 PreReq: %insserv_prereq %fillup_prereq
 %endif
-Version: 2.3.13
+Version: 2.3.14
 Release: 0
 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
 License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
@@ -154,6 +154,7 @@ export LDFLAGS
 --enable-iproute2 \
 --enable-x509-alt-username \
 --enable-password-save \
+ --enable-pkcs11 \
 %if %{with_systemd}
 --enable-systemd \
 %endif
@@ -194,8 +195,8 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name}
 find sample -name .gitignore | xargs rm -f
 %post
-%__mkdir_p -m750 %{_rundir}/openvpn
 %if %{with_systemd}
+systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf ||:
 %service_add_post %{name}.target
 # try to migrate openvpn.service autostart to openvpn@.service
 if test ${FIRST_ARG:-$1} -ge 1 -a \
@@ -265,13 +266,14 @@ rm -f /etc/sysconfig/openvpn || :
 %{_unitdir}/%{name}@.service
 %{_unitdir}/%{name}.target
 %{_libexecdir}/tmpfiles.d/%{name}.conf
+%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
 %else
 %config %{_sysconfdir}/init.d/openvpn
 /var/adm/fillup-templates/sysconfig.openvpn
+%dir %attr(750,root,root) %{_rundir}/openvpn/
 %endif
 %{_sbindir}/rcopenvpn
 %{_sbindir}/openvpn
-%attr(0750,root,root) %dir %ghost %{_rundir}/openvpn
 %files down-root-plugin
 %defattr(-,root,root)
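Review bot: The added `--enable-pkcs11 \` switch makes the build depend on pkcs11-helper, yet none of the spec hunks in this commit adds a matching build dependency, so unless the spec already carries one outside these hunks the dependency stays implicit or configure fails. I would state it explicitly with `BuildRequires:  pkcs11-helper-devel` next to the other build requirements. Enabling the option also lets the configuration name an external PKCS#11 provider module for the daemon to load, which is new attack surface for a process that is normally started as root. A comment above the configure call would record that, for example `# PKCS#11 token support: provider modules are loaded from paths given in the config`. The configure invocation this line belongs to starts and ends outside the hunk.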
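Review bot: The new `%post` line hard-codes `/usr/lib/tmpfiles.d/%{name}.conf`, while the `%files` list of this same spec ships the file as `%{_libexecdir}/tmpfiles.d/%{name}.conf`. If the two ever resolve differently the call fails, `||:` hides the failure, and `%{_rundir}/openvpn` stays missing until the next boot. I would use one spelling in both places, e.g. `systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf ||:`, or the `%tmpfiles_create` macro if the systemd RPM macros on the target distributions provide it. The `%post` scriptlet continues past the end of the hunk.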
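Review bot: In the non-systemd branch `%{_rundir}/openvpn/` is now only a packaged directory, and the `%__mkdir_p -m750` call is removed from `%post` in the preceding hunk. Nothing visible in this commit recreates the directory after a reboot on systems where the run directory is on tmpfs, so the init script (not shown here) would have to create it with mode 0750 before writing pid or status files; please confirm that it does. As a point of style, the two new entries spell the mode differently (`0750` and `750`); using `%dir %attr(0750,root,root) %{_rundir}/openvpn/` in the `%else` branch as well reads more consistently. The `%files` section starts before the hunk.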