File openvpn.spec of Package openvpn
#
# spec file for package openvpn (Version 2.0.9)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: openvpn
Url: http://openvpn.net/
License: GPL v2 or later; LGPL v2.1 or later
Group: Productivity/Networking/Security
AutoReqProv: on
%if 0%{?suse_version}
PreReq: %insserv_prereq %fillup_prereq
%endif
Version: 2.0.9
Release: 143
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
Source: http://openvpn.net/release/openvpn-%{version}.tar.gz
Source1: http://openvpn.net/signatures/openvpn-%{version}.tar.gz.asc
Source2: openvpn.init
Source3: openvpn.README.SUSE
Patch1: %{name}-%{version}-plugin-man.dif
Patch2: %{name}-%{version}-plugin-build.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: lzo-devel openssl-devel
BuildRequires: iproute2 pam-devel
%define plugin_dir %{_libdir}/%{name}/plugin
%define plugin_libdir %{plugin_dir}/lib
%description
OpenVPN is a full-featured SSL VPN solution which can accomodate a wide
range of configurations, including remote access, site-to-site VPNs,
WiFi security, and enterprise-scale remote access solutions with load
balancing, failover, and fine-grained access-controls.
OpenVPN implements OSI layer 2 or 3 secure network extension using the
industry standard SSL/TLS protocol, supports flexible client
authentication methods based on certificates, smart cards, and/or
2-factor authentication, and allows user or group-specific access
control policies using firewall rules applied to the VPN virtual
interface.
OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD,
NetBSD, Mac OS X, and Solaris.
OpenVPN is not a web application proxy and does not operate through a
web browser.
Authors:
--------
James Yonan <jim@yonan.net>
%package down-root-plugin
License: GPL v2 or later; LGPL v2.1 or later
Summary: OpenVPN down-root plugin
Group: Productivity/Networking/Security
AutoReqProv: on
Requires: %{name} = %{version}
%description down-root-plugin
The OpenVPN down-root plugin allows an OpenVPN configuration to call a
down script with root privileges, even when privileges have been
dropped using --user/--group/--chroot.
This module uses a split privilege execution model which will fork()
before OpenVPN drops root privileges, at the point where the --up
script is usually called. The plugin will then remain in a wait state
until it receives a message from OpenVPN via pipe to execute the down
script. Thus, the down script will be run in the same execution
environment as the up script.
Authors:
--------
James Yonan <jim@yonan.net>
%package auth-pam-plugin
License: GPL v2 or later; LGPL v2.1 or later
Summary: OpenVPN auth-pam plugin
Group: Productivity/Networking/Security
AutoReqProv: on
Requires: %{name} = %{version}
%description auth-pam-plugin
The OpenVPN auth-pam plugin implements username/password authentication
via PAM, and essentially allows any authentication method supported by
PAM (such as LDAP, RADIUS, or Linux Shadow passwords) to be used with
OpenVPN.
While PAM supports username/password authentication, this can be
combined with X509 certificates to provide two indepedent levels of
authentication.
This plugin uses a split privilege execution model which will function
even if you drop openvpn daemon privileges using the user, group, or
chroot directives.
Authors:
--------
James Yonan <jim@yonan.net>
%prep
%setup -q
%patch1 -p0
%patch2 -p0
sed -e "s|@PLUGIN_DIR@|%{plugin_dir}|g" \
-e "s|@PLUGIN_LIBDIR@|%{plugin_libdir}|g" \
-e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
-i openvpn.8
%build
autoreconf -fi
export CFLAGS="$RPM_OPT_FLAGS -W -Wall"
export LDFLAGS
%configure \
--enable-pthread --enable-iproute2 \
--with-lzo-headers=%_includedir/lzo \
CFLAGS="$CFLAGS -fPIE $PLUGIN_DEFS" \
LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugin/lib"
make
#
# Build down-root plugin
#
pushd plugin/down-root
make
popd
#
# Build auth-pam plugin
#
pushd plugin/auth-pam
make
popd
%install
make DESTDIR=$RPM_BUILD_ROOT install
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/openvpn
mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn
install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/openvpn
ln -sv %{_sysconfdir}/init.d/openvpn $RPM_BUILD_ROOT/%{_sbindir}/rcopenvpn
cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE
find sample-* suse contrib -type f -exec chmod -x \{\} \;
rm -f easy-rsa/build-key-server.orig easy-rsa/.externals
chmod -x easy-rsa/2.0/vars
chmod -x easy-rsa/2.0/openssl*.cnf
chmod -x easy-rsa/Windows/init-config.bat
chmod +x easy-rsa/revoke-crt
chmod +x easy-rsa/make-crl
chmod +x easy-rsa/list-crl
cp -a easy-rsa $RPM_BUILD_ROOT/%{_datadir}/openvpn/
#
# Install the plugins
#
install -d -m 755 $RPM_BUILD_ROOT%{plugin_libdir}/
mv -f plugin/README README.plugins
for pi in auth-pam down-root; do
mv -f plugin/$pi/README README.$pi
install -m 755 plugin/$pi/openvpn-$pi.so \
$RPM_BUILD_ROOT%{plugin_libdir}/
done
%clean
if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
%post
%{?fillup_and_insserv:%fillup_and_insserv -f}
%preun
%{?stop_on_removal:%stop_on_removal openvpn}
%postun
%{?insserv_cleanup:%insserv_cleanup}
%files
%defattr(-,root,root)
%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog INSTALL NEWS PORTS README
%doc README.*
%doc contrib
%doc management
%doc sample-config-files
%doc sample-keys
%doc sample-scripts
%doc suse
%doc %{_mandir}/man8/openvpn.8.gz
%config(noreplace) %{_sysconfdir}/openvpn/
%config %{_sysconfdir}/init.d/openvpn
%{_sbindir}/openvpn
%{_sbindir}/rcopenvpn
%dir %{_localstatedir}/run/openvpn
%dir %{_datadir}/openvpn
%{_datadir}/openvpn/easy-rsa
%dir %{_libdir}/%{name}
%dir %{plugin_dir}
%dir %{plugin_libdir}
%files down-root-plugin
%defattr(-,root,root)
%{plugin_libdir}/openvpn-down-root.so
%files auth-pam-plugin
%defattr(-,root,root)
%{plugin_libdir}/openvpn-auth-pam.so
%changelog
* Mon Dec 01 2008 mt@suse.de
- Removed restart_on_update rpm install hook that may break the
update process, e.g. when openvpn asks for auth data or the
update process is running over the tunnel (bnc#450390).
* Tue Oct 28 2008 mt@suse.de
- Fixed init script to handle pid files correctly (bnc#435421).
* Thu May 29 2008 mt@suse.de
- Added $time $named to Should-Start in the init script to avoid
time related certificate errors and name resolving problems.
- Added iproute2 to BuildRequires to avoid openvpn rely on PATH.
* Mon May 26 2008 mt@suse.de
- Reverted init script changes adding startproc, since they break
user auth query and multiple tunnels (bnc#394360, bnc#394353).
* Thu May 22 2008 mt@suse.de
- Added -lpam to LDFLAGS of openvpn, because linking the openvpn
auth-pam plugin against pam is not sufficient. Many pam modules
that are loaded by pam during the authentication process are not
linked against pam and contain undefined symbols, causing the
authentication to fail (bnc#334773).
- Replaced patch loading plugins from /usr/%%_lib/openvpn/plugin/lib
with -rpath linker flags (bnc#334773).
- Fixed init script to use startproc to return 0 when started twice.
* Tue Feb 19 2008 mt@suse.de
- Fixed spec file to not set pie flags when building plugins
* Thu Jan 17 2008 mt@suse.de
- Bug #334773: Enabled build of down-root and auth-pam plugins,
sub-packaged as openvpn-auth-pam-plugin/down-root-plugin.
- Added patch to load plugins from /usr/%%_lib/openvpn/plugin/lib
first, when the plugin name is specified as basename only.
- Added patch adoptiong plugin path informations in openvpn.8.
- Added patch to build plugins with RPM_OPT_FLAGS.
- Fixed init script to use Should-Start/Stop LSB info tags.
- Bug #343106: Enabled iproute2 support / usage
* Mon Jun 04 2007 mt@suse.de
- fixed easy-rsa installation (no exec in doc directory)
- improved spec to use configure directory variables and
cleaned up macro calls in RPM pre/post scripts.
- fixed openvpn binary check in the init script.
* Fri Oct 27 2006 mt@suse.de
- upstream 2.0.9, Windows related fixes only
* Windows installer updated with OpenSSL 0.9.7l DLLs to fix
published vulnerabilities.
* Fixed TAP-Win32 bug that caused BSOD on Windows Vista
(Henry Nestler). The TAP-Win32 driver has now been
upgraded to version 8.4.
* Wed Sep 27 2006 poeml@suse.de
- upstream 2.0.8
* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
RSA Signature Forgery (CVE-2006-4339).
* No changes to OpenVPN source code between 2.0.7 and 2.0.8.
* Fri Jun 23 2006 poeml@suse.de
- upstream 2.0.7, with bug fixes:
* When deleting routes under Linux, use the route metric
as a differentiator to ensure that the route teardown
process only deletes the identical route which was originally
added via the "route" directive (Roy Marples).
* Fixed bug where --server directive in --dev tap mode
claimed that it would support subnets of /30 or less
but actually would only accept /29 or less.
* Extend byte counters to 64 bits (M. van Cuijk).
* Better sanity checking of --server and --server-bridge
IP pool ranges, so as not to hit the assertion at
pool.c:119 (2.0.5).
* Fixed bug where --daemon and --management-query-passwords
used together would cause OpenVPN to block prior to
daemonization.
* Fixed client/server race condition which could occur
when --auth-retry interact is set and the initially
provided auth-user-pass credentials are incorrect,
forcing a username/password re-query.
* Fixed bug where if --daemon and --management-hold are
used together, --user or --group options would be ignored.
* fix for CVE-2006-1629 integrated (disallow "setenv" to be pushed
to clients from the server)
- build with fPIE/pie on SUSE 10.0 or newer, or on any other platform
* Wed Apr 19 2006 poeml@suse.de
- security fix (CVE-2006-1629): disallow "setenv" to be pushed to
clients from the server [#165123]
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Thu Nov 03 2005 poeml@suse.de
- update to 2.0.5, with two security fixes -- see below. [#132003]
2005.11.02 -- Version 2.0.5
* Fixed bug in Linux get_default_gateway function
introduced in 2.0.4, which would cause redirect-gateway
on Linux clients to fail.
* Restored easy-rsa/2.0 tree (backported from 2.1 beta
series) which accidentally disappeared in
2.0.2 -> 2.0.4 transition.
2005.11.01 -- Version 2.0.4
* Security fix -- Affects non-Windows OpenVPN clients of
version 2.0 or higher which connect to a malicious or
compromised server. A format string vulnerability
in the foreign_option function in options.c could
potentially allow a malicious or compromised server
to execute arbitrary code on the client. Only
non-Windows clients are affected. The vulnerability
only exists if (a) the client's TLS negotiation with
the server succeeds, (b) the server is malicious or
has been compromised such that it is configured to
push a maliciously crafted options string to the client,
and (c) the client indicates its willingness to accept
pushed options from the server by having "pull" or
"client" in its configuration file (Credit: Vade79).
CVE-2005-3393
* Security fix -- Potential DoS vulnerability on the
server in TCP mode. If the TCP server accept() call
returns an error status, the resulting exception handler
may attempt to indirect through a NULL pointer, causing
a segfault. Affects all OpenVPN 2.0 versions.
CVE-2005-3409
* Fix attempt of assertion at multi.c:1586 (note that
this precise line number will vary across different
versions of OpenVPN).
* Added ".PHONY: plugin" to Makefile.am to work around
"make dist" issue.
* Fixed double fork issue that occurs when --management-hold
is used.
* Moved TUN/TAP read/write log messages from --verb 8 to 6.
* Warn when multiple clients having the same common name or
username usurp each other when --duplicate-cn is not used.
* Modified Windows and Linux versions of get_default_gateway
to return the route with the smallest metric
if multiple 0.0.0.0/0.0.0.0 entries are present.
2005.09.25 -- Version 2.0.3-rc1
* openvpn_plugin_abort_v1 function wasn't being properly
registered on Windows.
* Fixed a bug where --mode server --proto tcp-server --cipher none
operation could cause tunnel packet truncation.
* Tue Aug 30 2005 poeml@suse.de
- update to 2.0.2 [#106258] relevant changes:
* Fixed bug where "--proto tcp-server --mode p2p --management
host port" would cause the management port to not respond until
the OpenVPN peer connects.
* Modified pkitool script to be /bin/sh compatible (Johnny Lam).
* Tue Aug 23 2005 poeml@suse.de
- update to 2.0.1 [#106258]
* Security Fix -- DoS attack against server when run with "verb 0" and
without "tls-auth". If a client connection to the server fails
certificate verification, the OpenSSL error queue is not properly
flushed, which can result in another unrelated client instance on the
server seeing the error and responding to it, resulting in disconnection
of the unrelated client (CAN-2005-2531).
* Security Fix -- DoS attack against server by authenticated client.
This bug presents a potential DoS attack vector against the server
which can only be initiated by a connected and authenticated client.
If the client sends a packet which fails to decrypt on the server,
the OpenSSL error queue is not properly flushed, which can result in
another unrelated client instance on the server seeing the error and
responding to it, resulting in disconnection of the unrelated client
(CAN-2005-2532).
* Security Fix -- DoS attack against server by authenticated client.
A malicious client in "dev tap" ethernet bridging mode could
theoretically flood the server with packets appearing to come from
hundreds of thousands of different MAC addresses, causing the OpenVPN
process to deplete system virtual memory as it expands its internal
routing table. A --max-routes-per-client directive has been added
(default=256) to limit the maximum number of routes in OpenVPN's
internal routing table which can be associated with a given client
(CAN-2005-2533).
* Security Fix -- DoS attack against server by authenticated client.
If two or more client machines try to connect to the server at the
same time via TCP, using the same client certificate, and when
--duplicate-cn is not enabled on the server, a race condition can
crash the server with "Assertion failed at mtcp.c:411"
(CAN-2005-2534).
* Fixed server bug where under certain circumstances, the client instance
object deletion function would try to delete iroutes which had never been
added in the first place, triggering "Assertion failed at mroute.c:349".
* Added --auth-retry option to prevent auth errors from being fatal
on the client side, and to permit username/password requeries in case
of error. Also controllable via new "auth-retry" management interface
command. See man page for more info.
* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
would fail to build.
* Implement "make check" to perform loopback tests (Matthias Andree).
- drop obsolete patch which fixed finding lzo libraries
* Tue Jun 28 2005 mrueckert@suse.de
- The previous patch didnt work with lzo1 based distros. Fixed.
* Tue Jun 28 2005 cthiel@suse.de
- fixed build with lzo2 (added lzo2.diff)
* Thu Jun 23 2005 ro@suse.de
- build with fPIE/pie
* Thu Jun 02 2005 hvogel@suse.de
- lzo headers are in a subdirectory now
* Tue Apr 19 2005 cthiel@suse.de
- update to 2.0
* Thu Feb 17 2005 poeml@suse.de
- update to 2.0_rc14
- add README.SUSE
* Fri Jan 28 2005 poeml@suse.de
- update to 2.0_rc10
* Wed Dec 29 2004 poeml@suse.de
- update to 2.0_rc6
* Wed Dec 29 2004 poeml@suse.de
- update to 2.0_rc1 (closing #45979)
IMPORTANT: OpenVPN's default port number is now 1194, based on an
official port number assignment by IANA. OpenVPN 2.0-beta16 and
earlier used 5000 as the default port.
-> see http://openvpn.net/20notes.html
- remove lzo sources, which come in a separate package since 9.2
* Mon Jul 26 2004 poeml@suse.de
- update to 1.6_rc4
- bzip2 sources
* Sun Jan 11 2004 adrian@suse.de
- build as user
* Tue Dec 16 2003 wengel@suse.de
- update to version 1.5.0
* Sun Sep 07 2003 poeml@suse.de
- add an init script
- use RPM_OPT_FLAGS
- add /var/run/openvpn directory for pid files
* Thu Jul 31 2003 wengel@suse.de
- update to new version -> 1.4.2
* Tue May 27 2003 coolo@suse.de
- use BuildRoot
- package a bit more straightforward
* Mon May 19 2003 wengel@suse.de
- update to version 1.4.1
* Mon Jan 20 2003 wengel@suse.de
- initial package
