fc90bfc0a8
- update to 2.6.3:
  * For the full changelog please refer to:
    https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
  * implement byte counter statistics for DCO Linux (p2mp server and client)
  * implement byte counter statistics for DCO Windows (client only)
  * '--dns server <n> address ...' now permits up to 8 v4 or v6 addresses
  * fix a few cases of possibly undefined behaviour detected by ASAN
  * add more unit tests for Windows cryptoapi interface
  * Dynamic TLS Crypt
    When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a
    tls-crypt key that is used for renegotiation. This ensures that only the
    previously authenticated peer can trigger renegotiation and complete
    renegotiations.
  * Keying Material Exporters (RFC 5705) based key generation
  * As part of the cipher negotiation OpenVPN will automatically prefer the
    RFC5705 based key material generation to the current custom OpenVPN PRF.
    This feature requires OpenSSL or mbed TLS 2.18+.
  * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort has been
    made to check or implement all the requirements/recommendations of
    FIPS 140-2. This just allows OpenVPN to be run on a system that has
    OpenSSL configured in FIPS mode.
  * mlock will now check if enough memlock-able memory has been reserved,
    and if less than 100MB RAM are available, use setrlimit() to upgrade the
    limit. See Trac #1390. Not available on OpenSolaris.
  * The --peer-fingerprint option has been introduced to give users an
    easy-to-use alternative to tls-verify for matching the fingerprint of
    the peer. The option takes a number of allowed SHA256 certificate
    fingerprints.
  * When --peer-fingerprint is used, the --ca and --capath option become

OBS-URL: https://build.opensuse.org/request/show/1082779
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=189
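The --peer-fingerprint check mentioned in the changelog above, as an added example that is not OpenVPN's or the openSUSE package's own code: it computes the SHA256 fingerprint OpenVPN compares (a hash of the DER-encoded certificate), applies the allow-list match, and renders the inline <peer-fingerprint> block. SAMPLE_PEM is a constructed stand-in whose body decodes to b"abc", not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a PEM certificate: its base64 body "YWJj" decodes to
# b"abc", not to a real X.509 structure.  The fingerprint logic only hashes the
# DER bytes, which is also all --peer-fingerprint does with a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(pem):
    """SHA256 over the DER bytes, in the AA:BB:... form 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(pem_to_der(pem)).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize(fp):
    """Accept upper/lower case with or without colons; reject anything that is not 32 bytes of hex."""
    hexonly = fp.replace(":", "").strip().upper()
    if len(hexonly) != 64 or any(c not in "0123456789ABCDEF" for c in hexonly):
        raise ValueError(f"not a SHA256 fingerprint: {fp!r}")
    return hexonly


def peer_allowed(pem, allowed):
    """Allow-list check as --peer-fingerprint applies it: exact match against one configured value."""
    presented = normalize(sha256_fingerprint(pem))
    # compare_digest keeps the check free of early-exit timing differences
    return any(hmac.compare_digest(presented, normalize(a)) for a in allowed)


def inline_block(fingerprints):
    """Render the inline <peer-fingerprint> block, one colon-separated fingerprint per line."""
    rows = [":".join(normalize(f)[i:i + 2] for i in range(0, 64, 2)) for f in fingerprints]
    return "<peer-fingerprint>\n" + "\n".join(rows) + "\n</peer-fingerprint>\n"
```

With a real certificate, the value returned by sha256_fingerprint matches the output of `openssl x509 -noout -fingerprint -sha256 -in cert.pem`, which is the value to place in the client or server configuration.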
224 lines
7.4 KiB
RPMSpec
#
# spec file for package openvpn
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


%if ! %{defined _rundir}
%define _rundir %{_localstatedir}/run
%endif
Name:           openvpn
Version:        2.6.3
Release:        0
Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
License:        GPL-2.0-only WITH openvpn-openssl-exception
Group:          Productivity/Networking/Security
URL:            https://openvpn.net/
Source:         https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
Source1:        https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz.asc
Source3:        %{name}.README.SUSE
Source4:        client-netconfig.up
Source5:        client-netconfig.down
Source7:        %{name}.keyring
Source8:        %{name}.service
Source9:        %{name}.target
Source10:       %{name}-tmpfile.conf
Source11:       rc%{name}
Patch1:         %{name}-2.3-plugin-man.dif
BuildRequires:  iproute2
BuildRequires:  libcap-ng-devel
BuildRequires:  liblz4-devel
BuildRequires:  libselinux-devel
BuildRequires:  lz4
BuildRequires:  lzo-devel
BuildRequires:  openssl-devel
BuildRequires:  p11-kit-devel
BuildRequires:  pam-devel
BuildRequires:  pkcs11-helper-devel >= 1.11
BuildRequires:  pkgconfig
BuildRequires:  xz
BuildRequires:  pkgconfig(libsystemd)
BuildRequires:  pkgconfig(systemd)
Requires:       iproute2
Requires:       pkcs11-helper >= 1.11
%systemd_ordering

%description
OpenVPN is an SSL VPN solution which can accommodate a wide
range of configurations, including remote access, site-to-site VPNs,
WiFi security, and remote access solutions with load
balancing, failover, and fine-grained access-controls.

OpenVPN implements OSI layer 2 or 3 secure network extension using the
SSL/TLS protocol, supports flexible client
authentication methods based on certificates, smart cards, and/or
2-factor authentication, and allows user or group-specific access
control policies using firewall rules applied to the VPN virtual
interface.

OpenVPN is not a web application proxy and does not operate through a
web browser.

%package down-root-plugin
Summary:        OpenVPN down-root plugin
Group:          Productivity/Networking/Security
Requires:       %{name} = %{version}

%description down-root-plugin
The OpenVPN down-root plugin allows an OpenVPN configuration to call a
down script with root privileges, even when privileges have been
dropped using --user/--group/--chroot.

This module uses a split privilege execution model which will fork()
before OpenVPN drops root privileges, at the point where the --up
script is usually called. The plugin will then remain in a wait state
until it receives a message from OpenVPN via pipe to execute the down
script. Thus, the down script will be run in the same execution
environment as the up script.

%package auth-pam-plugin
Summary:        OpenVPN auth-pam plugin
Group:          Productivity/Networking/Security
Requires:       %{name} = %{version}

%description auth-pam-plugin
The OpenVPN auth-pam plugin implements username/password authentication
via PAM, and essentially allows any authentication method supported by
PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with
OpenVPN.

While PAM supports username/password authentication, this can be
combined with X509 certificates to provide two independent levels of
authentication.

This plugin uses a split privilege execution model which will function
even if you drop openvpn daemon privileges using the user, group, or
chroot directives.

%package devel
Summary:        OpenVPN plugin header
Group:          Development/Libraries/C and C++
Requires:       %{name} = %{version}

%description devel
This package provides the header file to build external plugins.

%prep
%setup -q
%patch1

sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
    -i src/openvpn/options.c
sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \
    -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
    -i doc/openvpn.8
sed -e "s|%{_localstatedir}/run|%{_rundir}|g" < %{SOURCE8} > %{name}.service

# %%doc items shouldn't be executable.
find contrib sample -type f -exec chmod a-x \{\} +

%build
export CFLAGS="%{optflags} $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing"
export LDFLAGS
%if 0%{?suse_version} >= 1550
# usrmerge
export IPROUTE="%{_sbindir}/ip"
%endif
%configure \
    --enable-iproute2 \
    --enable-x509-alt-username \
    --enable-pkcs11 \
    --enable-systemd \
    --enable-plugins \
    --enable-plugin-down-root \
    --enable-plugin-auth-pam \
    CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS" \
    LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins"
%make_build

%install
%make_install
find %{buildroot} -type f -name "*.la" -print -exec rm -f {} +
mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
mkdir -p %{buildroot}/%{_rundir}/openvpn
mkdir -p %{buildroot}/%{_datadir}/openvpn
rm %{buildroot}%{_libdir}/systemd/system/openvpn-client@.service
rm %{buildroot}%{_libdir}/systemd/system/openvpn-server@.service
# use the one provided by SUSE (Source10) instead of upstream's tmpfiles.d entry
rm %{buildroot}%{_libdir}/tmpfiles.d/openvpn.conf
install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 644 %{SOURCE9} %{buildroot}/%{_unitdir}/%{name}.target
install -D -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/rc%{name}
# tmpfiles.d
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %{SOURCE10} %{buildroot}%{_tmpfilesdir}/%{name}.conf
cp -p %{SOURCE3} README.SUSE
install -m 755 %{SOURCE4} sample/sample-scripts/client-netconfig.up
install -m 755 %{SOURCE5} sample/sample-scripts/client-netconfig.down

# we install docs via spec into _defaultdocdir/name/management-notes.txt
rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
find sample -name .gitignore -exec rm -f {} +

%pre
%service_add_pre %{name}.target

%post
%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
%service_add_post %{name}.target

%preun
%service_del_preun %{name}.target

%postun
%service_del_postun %{name}.target

%files
%license COPYING
%doc AUTHORS COPYRIGHT.GPL ChangeLog PORTS README
%doc src/plugins/{auth-pam/README.auth-pam,down-root/README.down-root}
%doc README.*
%doc contrib
%doc sample/sample-config-files
%doc sample/sample-keys
%doc sample/sample-scripts
%doc doc/management-notes.txt
%{_mandir}/man5/openvpn-examples.5%{?ext_man}
%{_mandir}/man8/openvpn.8%{?ext_man}
%config(noreplace) %{_sysconfdir}/openvpn/
%dir %{_tmpfilesdir}
%{_unitdir}/%{name}@.service
%{_unitdir}/%{name}.target
%{_tmpfilesdir}/%{name}.conf
%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
%{_sbindir}/rcopenvpn
%{_sbindir}/openvpn

%files down-root-plugin
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/%{name}-plugin-down-root.so

%files auth-pam-plugin
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/%{name}-plugin-auth-pam.so

%files devel
%{_includedir}/%{name}-plugin.h
%{_includedir}/%{name}-msg.h

%changelog