File openvpn.spec of Package openvpn.15874

Overview Repositories Revisions Requests Users Attributes Meta

File openvpn.spec of Package openvpn.15874

#
# spec file for package openvpn
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

%if 0%{?suse_version} > 1210
%define with_systemd 1
%else
%define with_systemd 0
%endif
%if ! %{defined _rundir}
%define _rundir %{_localstatedir}/run
%endif

Name:           openvpn
URL:            http://openvpn.net/
%if %{with_systemd}
%{?systemd_requires}
%else
PreReq:         %insserv_prereq %fillup_prereq
%endif
Version:        2.3.8
Release:        0
Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
License:        SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.1-only
Group:          Productivity/Networking/Security
Source:         http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
Source1:        http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz.asc
Source2:        %{name}.init
Source6:        %{name}.sysconfig
Source3:        %{name}.README.SUSE
Source4:        client-netconfig.up
Source5:        client-netconfig.down
Source7:        %{name}.keyring
Source8:        %{name}.service
Source9:        %{name}.target
Source10:       %{name}-tmpfile.conf
Source11:       rc%{name}
Patch1:         %{name}-2.3-plugin-man.dif
Patch5:         %{name}-2.3.0-man-dot.diff
Patch6:         %{name}-fips140-2.3.2.patch
Patch7:         revert-daemonize.patch
Patch8:         openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
# PATCH-FIX-SLE multiple-low-severity-issues bsc#934237
Patch9:         openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
Patch10:        0001-preform-deferred-authentication-in-the-background.patch
Patch11:        0002-openvpn-fips140-AES-cipher-in-config-template.patch
Patch12:        0003-cleanup-merge-packet_id_alloc_outgoing-into-packet_i.patch
Patch13:        0004-Drop-packets-instead-of-assert-out-if-packet-id-roll.patch
Patch14:        0005-Don-t-assert-out-on-receiving-too-large-control-pack.patch
Patch15:        0006-Discourage-using-64-bit-block-ciphers.patch
Patch20:        0001-Fix-remote-triggerable-memory-leaks-CVE-2017-7521.patch
Patch21:        0002-Restrict-x509-alt-username-extension-types.patch
Patch22:        0003-Fix-potential-double-free-in-x509-alt-username-CVE-2.patch
Patch23:        0004-Prevent-two-kinds-of-stack-buffer-OOB-reads-and-a-cr.patch
Patch24:        0005-Fix-remotely-triggerable-ASSERT-on-malformed-IPv6-pa.patch
Patch25:        0025-Fix-bounds-check-in-read_key.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  gpg-offline
BuildRequires:  iproute2
BuildRequires:  lzo-devel
BuildRequires:  openssl-devel
BuildRequires:  pam-devel
%if %{with_systemd}
BuildRequires:  systemd
%endif
BuildRequires:  libselinux-devel
BuildRequires:  pkcs11-helper-devel
Requires:       pkcs11-helper
%if %{with_systemd}
BuildRequires:  systemd-devel
%endif

%description
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
range of configurations, including remote access, site-to-site VPNs,
WiFi security, and enterprise-scale remote access solutions with load
balancing, failover, and fine-grained access-controls.

OpenVPN implements OSI layer 2 or 3 secure network extension using the
industry standard SSL/TLS protocol, supports flexible client
authentication methods based on certificates, smart cards, and/or
2-factor authentication, and allows user or group-specific access
control policies using firewall rules applied to the VPN virtual
interface.

OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD,
NetBSD, Mac OS X, and Solaris.

OpenVPN is not a web application proxy and does not operate through a
web browser.

%package down-root-plugin
Summary:        OpenVPN down-root plugin
Group:          Productivity/Networking/Security
Requires:       %{name} = %{version}

%description down-root-plugin
The OpenVPN down-root plugin allows an OpenVPN configuration to call a
down script with root privileges, even when privileges have been
dropped using --user/--group/--chroot.

This module uses a split privilege execution model which will fork()
before OpenVPN drops root privileges, at the point where the --up
script is usually called.  The plugin will then remain in a wait state
until it receives a message from OpenVPN via pipe to execute the down
script.  Thus, the down script will be run in the same execution
environment as the up script.

%package auth-pam-plugin
Summary:        OpenVPN auth-pam plugin
Group:          Productivity/Networking/Security
Requires:       %{name} = %{version}

%description auth-pam-plugin
The OpenVPN auth-pam plugin implements username/password authentication
via PAM, and essentially allows any authentication method supported by
PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with
OpenVPN.

While PAM supports username/password authentication, this can be
combined with X509 certificates to provide two indepedent levels of
authentication.

This plugin uses a split privilege execution model which will function
even if you drop openvpn daemon privileges using the user, group, or
chroot directives.

%package devel
Summary:        OpenVPN plugin header
Group:          Development/Libraries/C and C++
Requires:       %{name} = %{version}

%description devel
This package provides the header file to build external plugins.

%prep
%gpg_verify %{S:1}
%setup -q -n %{name}-%{version}
%patch1 -p0
%patch5 -p0
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
    -i src/openvpn/options.c
sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \
    -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
    -i doc/openvpn.8

# %%doc items shouldn't be executable.
find contrib sample -type f -exec chmod a-x \{\} \;

%build
export CFLAGS="$RPM_OPT_FLAGS $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing"
export LDFLAGS
%configure \
	--enable-iproute2		\
	--enable-x509-alt-username	\
	--enable-password-save		\
%if %{with_systemd}
	--enable-systemd		\
%endif
	--enable-plugins		\
	--enable-plugin-down-root	\
	--enable-plugin-auth-pam	\
	CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS"	\
	LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins"
make

%install
make DESTDIR=$RPM_BUILD_ROOT install
find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn
mkdir -p $RPM_BUILD_ROOT/%{_rundir}/openvpn
mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn
%if %{with_systemd}
install -D -m 644 $RPM_SOURCE_DIR/%{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target
install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name}
# tmpfiles.d
mkdir -p %{buildroot}%{_libexecdir}/tmpfiles.d
install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
%else
install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/openvpn
ln -sv %{_sysconfdir}/init.d/openvpn $RPM_BUILD_ROOT/%{_sbindir}/rcopenvpn
# the /etc/sysconfig/openvpn template only with sysvinit, no needed with systemd
install -d -m0755 %{buildroot}/var/adm/fillup-templates
install    -m0600 $RPM_SOURCE_DIR/openvpn.sysconfig \
                  %{buildroot}/var/adm/fillup-templates/sysconfig.openvpn
%endif
cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE
install -m 755 $RPM_SOURCE_DIR/client-netconfig.up sample/sample-scripts/client-netconfig.up
install -m 755 $RPM_SOURCE_DIR/client-netconfig.down sample/sample-scripts/client-netconfig.down

# we install docs via spec into _defaultdocdir/name/management-notes.txt
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name}
find sample -name .gitignore | xargs rm -f

%post
%__mkdir_p -m750 %{_rundir}/openvpn
%if %{with_systemd}
%service_add_post %{name}.target
# try to migrate openvpn.service autostart to openvpn@<CONF>.service
if test ${FIRST_ARG:-$1} -ge 1 -a \
	-x /bin/systemctl -a \
	-f /etc/sysconfig/openvpn -a \
	-f /var/adm/fillup-templates/sysconfig.openvpn && \
	/bin/systemctl --quiet is-enabled openvpn.service &>/dev/null ;
then
	. /etc/sysconfig/openvpn
	try_service_cgroup_join()
	{
		local p="/var/run/openvpn/${1}.pid"
		local t="/sys/fs/cgroup/systemd/system/openvpn@.service/${1}"
		/sbin/checkproc -p "$p" "%{_sbindir}/openvpn" &>/dev/null || return 0
		test -d "$t" || mkdir -p "$t" 2>/dev/null || return 1
		cat "$p" > "$t/tasks" 2>/dev/null || return 1
	}
	if test "X$OPENVPN_AUTOSTART" != "X" ; then
		for conf in $OPENVPN_AUTOSTART ; do
			test -f "/etc/openvpn/${conf}.conf" && \
			/bin/systemctl enable "openvpn@${conf}.service" && \
			try_service_cgroup_join "$conf" || continue
		done
	else
		shopt -s nullglob || :
		for conf in /etc/openvpn/*.conf ; do
			conf=${conf##*/}
			conf=${conf%.conf}
			test -f "/etc/openvpn/${conf}.conf" && \
			/bin/systemctl enable "openvpn@${conf}.service" && \
			try_service_cgroup_join "$conf" || continue
		done
	fi
fi
rm -f /etc/sysconfig/openvpn || :
%else
%{?fillup_and_insserv:%fillup_and_insserv}
%endif

%preun
%if %{with_systemd}
%service_del_preun %{name}.target
%else
%{?stop_on_removal:%stop_on_removal openvpn}
%endif

%postun
%if %{with_systemd}
/bin/systemctl --system daemon-reload &>/dev/null || :
%else
%{?insserv_cleanup:%insserv_cleanup}
%endif

%files
%defattr(-,root,root)
%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog PORTS README
%doc src/plugins/{auth-pam/README.auth-pam,down-root/README.down-root}
%doc README.*
%doc contrib
%doc sample/sample-config-files
%doc sample/sample-keys
%doc sample/sample-scripts
%doc doc/management-notes.txt
%doc %{_mandir}/man8/openvpn.8.gz
%config(noreplace) %{_sysconfdir}/openvpn/
%if %{with_systemd}
%{_unitdir}/%{name}@.service
%{_unitdir}/%{name}.target
%{_libexecdir}/tmpfiles.d/%{name}.conf
%else
%config %{_sysconfdir}/init.d/openvpn
/var/adm/fillup-templates/sysconfig.openvpn
%endif
%{_sbindir}/rcopenvpn
%{_sbindir}/openvpn
%attr(0750,root,root) %dir %ghost %{_rundir}/openvpn

%files down-root-plugin
%defattr(-,root,root)
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/%{name}-plugin-down-root.so

%files auth-pam-plugin
%defattr(-,root,root)
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/%{name}-plugin-auth-pam.so

%files devel
%defattr(-,root,root)
%{_includedir}/%{name}-plugin.h

%changelog

Places

File openvpn.spec of Package openvpn.15874

Places