Accepting request 80110 from network:vpn

bnc#675406 + ssl memory use improvement, non-ghost-in-var-run

OBS-URL: https://build.opensuse.org/request/show/80110
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=31

0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch

@@ -0,0 +1,31 @@
+From db33132094f4748ccc63aadbfa4b7446bb95b350 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodriguez@opensuse.org>
+Date: Sat, 20 Aug 2011 18:12:28 -0400
+Subject: [PATCH] Use SSL_MODE_RELEASE_BUFFERS if available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+
+Signed-off-by: Cristian Rodríguez <crrodriguez@opensuse.org>
+---
+ ssl.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/ssl.c b/ssl.c
+index ea7b204..459e66c 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -2073,6 +2073,9 @@ init_ssl (const struct options *options)
+     }
+ 
+   /* Set SSL options */
++#ifdef SSL_MODE_RELEASE_BUFFERS
++  SSL_CTX_set_mode (ctx, SSL_MODE_RELEASE_BUFFERS);
++#endif
+   SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF);
+   SSL_CTX_set_options (ctx, SSL_OP_SINGLE_DH_USE);
+ 
+-- 
+1.7.4.1
+

openvpn-2.1-systemd-passwd.patch

@@ -0,0 +1,61 @@
+Index: openvpn-2.2.1/misc.c
+===================================================================
+--- openvpn-2.2.1.orig/misc.c
++++ openvpn-2.2.1/misc.c
+@@ -1333,26 +1333,49 @@ get_console_input (const char *prompt, c
+   ASSERT (input);
+   ASSERT (capacity > 0);
+   input[0] = '\0';
++  bool is_systemd_running;
++  struct stat a, b;
++
++  /* We simply test whether the systemd cgroup hierarchy is
++   * mounted */
++
++  is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
++	  && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
++	  && (a.st_dev != b.st_dev);
+ 
+ #if defined(WIN32)
+   return get_console_input_win32 (prompt, echo, input, capacity);
+ #elif defined(HAVE_GETPASS)
+-  if (echo)
++  if (echo || is_systemd_running)
+     {
+       FILE *fp;
+ 
+-      fp = open_tty (true);
+-      fprintf (fp, "%s", prompt);
+-      fflush (fp);
+-      close_tty (fp);
++      if (is_systemd_running)
++        {
++	 char *cmd;
++
++	 asprintf(&cmd, "/bin/systemd-ask-password \"%s\"", prompt);
++         fp = popen (cmd, "re");
++	 free (cmd);
++        }
++      else
++        {
++          fp = open_tty (true);
++          fprintf (fp, "%s", prompt);
++          fflush (fp);
++          close_tty (fp);
+ 
+-      fp = open_tty (false);
++          fp = open_tty (false);
++        }
+       if (fgets (input, capacity, fp) != NULL)
+ 	{
+ 	  chomp (input);
+ 	  ret = true;
+ 	}
+-      close_tty (fp);
++      if (is_systemd_running)
++	fclose (fp);
++      else
++	close_tty (fp);
+     }
+   else
+     {

openvpn-2.2.1-man-dot.diff

@@ -0,0 +1,18 @@
+--- openvpn.8
++++ openvpn.8	2011/08/29 18:26:40
+@@ -21,13 +21,13 @@
+ .\"  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ .\"
+ .\" Manual page for openvpn
+-.\
++.\"
+ .\" SH section heading
+ .\" SS subsection heading
+ .\" LP paragraph
+ .\" IP indented paragraph
+ .\" TP hanging label
+-.\
++.\"
+ .\" .nf -- no formatting
+ .\" .fi -- resume formatting
+ .\" .ft 3 -- boldface

openvpn.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Aug 29 18:05:30 UTC 2011 - mt@suse.com
+
+- Marked /var/run/openvpn as ghost (bnc#710270), man page and
+  other rpmlint warning fixes
+
+-------------------------------------------------------------------
+Tue Aug 23 15:41:00 UTC 2011 - crrodriguez@opensuse.org
+
+- BuildRequires libselinux-devel
+- Use SSL_MODE_RELEASE_BUFFERS to keep memory usage low, sent 
+  upstream as https://community.openvpn.net/openvpn/ticket/157
+
+-------------------------------------------------------------------
+Mon Aug 22 09:55:44 UTC 2011 - fcrozat@novell.com
+
+- Add openvpn-2.1-systemd-passwd.patch / modify openvpn.init to
+  support systemd password query (bnc#675406)
+
 -------------------------------------------------------------------
 Mon Jul 11 14:38:45 UTC 2011 - mt@suse.de
 

openvpn.spec

@@ -38,9 +38,13 @@ Source4:        client-netconfig.up
 Source5:        client-netconfig.down
 Patch1:         %{name}-2.1-plugin-man.dif
 Patch2:         %{name}-2.1-plugin-build.dif
+Patch3:         openvpn-2.1-systemd-passwd.patch
+Patch4:         0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch
+Patch5:         openvpn-2.2.1-man-dot.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  lzo-devel openssl-devel
 BuildRequires:  iproute2 pam-devel
+BuildRequires:  libselinux-devel
 %if 0%{?suse_version} > 1030
 BuildRequires:  pkcs11-helper-devel
 Requires:       pkcs11-helper
@@ -129,6 +133,9 @@ Authors:
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
+%patch3 -p1
+%patch4 -p1
+%patch5 -p0
 sed -e "s|@PLUGIN_DIR@|%{plugin_dir}|g" \
     -e "s|@PLUGIN_LIBDIR@|%{plugin_libdir}|g" \
     -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
@@ -187,7 +194,7 @@ for pi in auth-pam down-root; do
 	install -m 755 plugin/$pi/openvpn-$pi.so \
 		$RPM_BUILD_ROOT%{plugin_libdir}/
 done
-# we install docs via spec into %{_defaultdocdir}/name/management-notes.txt
+# we install docs via spec into _defaultdocdir/name/management-notes.txt
 rm $RPM_BUILD_ROOT%{_datadir}/doc/%name/management-notes.txt
 rmdir $RPM_BUILD_ROOT%{_datadir}/doc/%name
 
@@ -205,7 +212,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 
 %files
 %defattr(-,root,root)
-%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS PORTS README
+%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog PORTS README
 %doc README.*
 %doc contrib
 %doc sample-config-files
@@ -218,7 +225,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 %config %{_sysconfdir}/init.d/openvpn
 %{_sbindir}/openvpn
 %{_sbindir}/rcopenvpn
-%dir %{_localstatedir}/run/openvpn
+%attr(0755,root,root) %dir %ghost %{_localstatedir}/run/openvpn
 %dir %{_datadir}/openvpn
 %{_datadir}/openvpn/easy-rsa
 %dir %{_libdir}/%{name}