
Contents of /updates/8/openvpn/current/SPECS/openvpn.spec



Revision 1797987 - (show annotations) (download)
Fri Mar 18 09:25:56 2022 UTC (2 years, 1 month ago) by ns80
File size: 7956 byte(s)
- add upstream patch for CVE-2022-0547 (mga#30186)

# Versions of the two side tarballs unpacked next to the main source
# (Source2 and Source7 in the preamble).
%define auth_ldap_version 2.0.3
%define easy_rsa_version 2.2.0_master
# Name of the development subpackage, derived through the mklibname helper.
%define develname %mklibname %{name} -d


# Directory the plugins are installed into.
%define plugindir %{_libdir}/%{name}/plugins
# LDAP authentication plugin: built by default, switched off with
# "--without ldap".
%bcond_without ldap

# Two-minute loopback TLS test in the check section: run by default,
# switched off with "--without tests_long".
%bcond_without tests_long

# There is an issue with gcc, so disable for amd64
# waiting reply/fix
# NOTE(review): bcond_without declares a feature that is ON by default, so
# this branch repeats the declaration above instead of disabling ldap as the
# comment says. If the plugin really has to be skipped on this architecture
# the condition needs reworking - confirm the intent.
%ifarch amd64
%bcond_without ldap
%endif

Summary: A Secure TCP/UDP Tunneling Daemon
Name: openvpn
Version: 2.5.0
%define subrel 2
Release: %mkrel 2
URL: http://openvpn.net/
# NOTE(review): no detached signature or checksum is listed for the upstream
# tarballs and no verification step is visible in the prep section, so the
# integrity of Source0, Source2 and Source7 rests on whatever the
# distribution's source store enforces - confirm. Source2 (and URL above)
# are plain-http locations.
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
Source2: http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-%{auth_ldap_version}.tar.gz
Source3: dhcp.sh
Source4: openvpn-tmpfile.conf
Source5: openvpn@.service
Source6: openvpn.target
Source7: https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-%{easy_rsa_version}.tar.gz
# Patches 2, 4 and 1001 are applied inside the auth-ldap tree (see the prep
# section); 1002 and up are applied to the OpenVPN tree itself.
Patch2: openvpn-auth-ldap-2.0.3-disable-tests.patch
Patch4: auth-ldap-rfc2307.patch
Patch1001: openvpn-auth-ldap-2.0.3-objc.patch
# Security backports on top of 2.5.0. Going by the file names, 1002-1003 are
# prerequisites and 1004-1006 the fix for CVE-2020-15078; 1007 is the fix for
# CVE-2022-0547. Both CVEs are, according to the upstream advisories,
# authentication-bypass issues in the deferred-authentication path, so a
# rebuild is worth a regression check against the auth plugins shipped here.
Patch1002: CVE-2020-15078-pre1.patch
Patch1003: CVE-2020-15078-pre2.patch
Patch1004: CVE-2020-15078-1.patch
Patch1005: CVE-2020-15078-2.patch
Patch1006: CVE-2020-15078-3.patch
Patch1007: CVE-2022-0547.patch

License: GPLv2
Group: Networking/Other
BuildRequires: liblzo-devel
BuildRequires: pkgconfig(openssl)
BuildRequires: pam-devel
BuildRequires: pkgconfig(libpkcs11-helper-1)
BuildRequires: pkgconfig(systemd)
BuildRequires: libcmocka-devel
BuildRequires: python3-docutils
# Toolchain needed only when the auth-ldap plugin is built.
%if %with ldap
BuildRequires: gcc-objc
BuildRequires: openldap-devel
BuildRequires: re2c
%endif
# systemd_required_version is not defined in this file; presumably it comes
# from the distribution's macro set - confirm.
Requires(post): systemd >= %{systemd_required_version}
Requires(post): rpm-helper >= 0.24.8-1
Requires(preun): rpm-helper >= 0.24.8-1

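%description
OpenVPN is a robust and highly flexible tunneling application that uses
all of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP port.

%if %with ldap
This package contains the auth-ldap plugin
%endif


%package -n %{develname}
Summary: Development package for OpenVPN plugins
Group: System/Libraries
Requires: %{name} = %{version}-%{release}
# The auth-ldap plugin is installed under the plugin directory, which the
# main package's file list owns; this subpackage ships only the two plugin
# headers. The sentence announcing the plugin therefore belongs to the main
# description above, not to this one.

%description -n %{develname}
OpenVPN .h files.
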
%prep
%if %with ldap
# Unpack the main tarball plus auth-ldap (Source2) and easy-rsa (Source7).
%setup -q -n openvpn-%{version} -a 2 -a 7
# Rename the plugin README so it does not clash with OpenVPN's own README
# when both are packaged as documentation.
%{__mv} auth-ldap-%{auth_ldap_version}/README auth-ldap-%{auth_ldap_version}/README-openvpn-auth-ldap
# Plugin-only patches, applied from inside the auth-ldap tree.
pushd auth-ldap-%{auth_ldap_version}
%patch1001 -p1
%patch2 -p1
%patch4 -p1
popd
%else
# Without the LDAP plugin only easy-rsa (Source7) is unpacked alongside.
%setup -q -n openvpn-%{version} -a 7
%endif
# Security backports for the OpenVPN tree, in dependency order:
# CVE-2020-15078 prerequisites (1002-1003) and fix (1004-1006),
# then CVE-2022-0547 (1007).
%patch1002 -p1
%patch1003 -p1
%patch1004 -p1
%patch1005 -p1
%patch1006 -p1
%patch1007 -p1

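%build
%serverbuild
# On a configure failure, dump config.log into the build log and stop.
# A bare "cat config.log" after the OR returns success, which hides the
# failure and lets the build run on to the make step.
# NOTE(review): --enable-password-save allows credentials to be read from a
# file and --enable-x509-alt-username allows a certificate field other than
# the CN to act as the user name; confirm that 2.5.0's configure still
# recognises every switch listed here.
%configure \
    --enable-systemd \
    --enable-pthread \
    --enable-pkcs11 \
    --enable-silent-rules \
    --enable-x509-alt-username \
    --enable-async-push \
    --with-crypto-library=openssl \
    --with-lzo-headers=%{_includedir}/lzo \
    --enable-password-save || { cat config.log; exit 1; }

%make_build

# plugins
%make_build -C src/plugins/down-root
%make_build -C src/plugins/auth-pam

%if %with ldap
# auth-ldap is configured against the OpenVPN headers in ../include and
# installs into the plugin directory.
pushd auth-ldap-%{auth_ldap_version}
%configure \
    --with-openvpn=`pwd`/../include \
    --libdir=%{plugindir} \
    --with-objc-runtime=GNU
# workaround parallel build problem with generated header
%make_build -C tools
make -C src TRConfigParser.h
%make_build
popd
%endif

# easy-rsa: regenerate the autotools files, then build with its scripts
# directed to the package's data directory.
pushd easy-rsa-%{easy_rsa_version}
autoreconf -vfi
%configure \
    --with-easyrsadir=%{_datadir}/%{name}/easy-rsa
%make_build
popd
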
%install
# Target directory for the easy-rsa scripts, created before the two
# make_install runs below.
mkdir -p %{buildroot}%{_datadir}/%{name}/easy-rsa

%make_install
%make_install -C easy-rsa-%{easy_rsa_version}

# Configuration directory. NOTE(review): install -d is called without -m, so
# the directory gets install's default mode; key material an administrator
# places here is then protected only by each file's own permissions.
install -d %{buildroot}%{_sysconfdir}/%{name}
# (cg) NB The sample config file is needed for drakvpn
# The brace expansion copies sample-config-files, sample-keys and
# sample-scripts. The upstream sample keys are public test material and must
# never be used for a real deployment.
cp -pr sample/sample-{config-file,key,script}s %{buildroot}%{_datadir}/%{name}

# State directory, also passed as the home of the service account in the pre
# scriptlet.
install -d %{buildroot}%{_localstatedir}/lib/%{name}

# (cg) Nuke sysvinit script
rm -f %{buildroot}%{_datadir}/%{name}/sample-scripts/openvpn.init

# (cg) Add systemd units
install -D -m 644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/openvpn.conf
install -D -m 644 %{SOURCE5} %{buildroot}%{_unitdir}/openvpn@.service
install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/openvpn.target
# and remove wrongly generated ones
%ifarch x86_64 aarch64
rm -f %{buildroot}/%{_libdir}/systemd/system/%{name}*.service
rm -f %{buildroot}/%{_libdir}/tmpfiles.d/%{name}.conf
%endif

#plugins
mkdir -p %{buildroot}%{plugindir}

%if %with ldap
# auth-ldap was configured with the plugin directory as its libdir, so this
# installs the plugin there.
pushd auth-ldap-%{auth_ldap_version}
%make_install
popd
%endif

# dhcp.sh (Source3) is installed executable into the data directory.
install -m755 %{SOURCE3} %{buildroot}%{_datadir}/%{name}

%pre
# Create the dedicated service account before the files are laid down.
# Arguments as passed here: account name, the state directory as home, and
# /bin/true as login shell (no interactive login).
%_pre_useradd %{name} %{_localstatedir}/lib/%{name} /bin/true

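%post
# (cg) This is a templated unit, so we have to manually convert to systemd
# This scriptlet runs as root. File names taken from the configuration and
# unit directories are quoted throughout, so a name containing whitespace or
# glob characters is handled as a single word.
wants=%{_sysconfdir}/systemd/system/%{name}.target.wants
if [ ! -f %{_localstatedir}/lib/rpm-helper/systemd-migration/%{name} ]; then
    # One-time migration from the sysvinit script: every *.conf becomes an
    # instance of the templated unit, wanted by the package's own target.
    if [ -f %{_sysconfdir}/rc3.d/S??%{name} ]; then
        for conf in %{_sysconfdir}/%{name}/*.conf; do
            # An unmatched glob is left as the literal pattern: nothing to do.
            [ "$conf" = "%{_sysconfdir}/%{name}/*.conf" ] && continue
            conf=$(basename "$conf" .conf)
            mkdir -p "$wants"
            # -f: an existing link from an earlier run is replaced rather
            # than making ln fail.
            ln -sf %{_unitdir}/%{name}@.service "$wants/%{name}@$conf.service"
        done
        systemctl --quiet enable %{name}.target
    fi
    # Marker file: the migration above is not repeated on later upgrades.
    mkdir -p %{_localstatedir}/lib/rpm-helper/systemd-migration
    touch %{_localstatedir}/lib/rpm-helper/systemd-migration/%{name}
else
    # (cg) Older versions were not controlled by their own target
    # Units are moved one at a time instead of being collected in an
    # unquoted list, and mkdir -p tolerates a directory that already exists.
    moved=0
    for unit in %{_sysconfdir}/systemd/system/multi-user.target.wants/%{name}@?*.service; do
        [ "$unit" = "%{_sysconfdir}/systemd/system/multi-user.target.wants/%{name}@?*.service" ] && continue
        mkdir -p "$wants"
        mv "$unit" "$wants/"
        moved=1
    done
    if [ "$moved" -eq 1 ]; then
        systemctl --quiet enable %{name}.target
    fi
fi
%_tmpfilescreate %{name}
%_post_service %{name} %{name}.target
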
%preun
# rpm-helper hook for the package's target before uninstall.
%_preun_service %{name} %{name}.target

%postun
# rpm-helper hook that removes the service account created in the pre
# scriptlet.
%_postun_userdel %{name}

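%check
# Test Crypto:
# A throwaway static key is generated in the build directory and used for a
# self-test of each listed cipher.
./src/openvpn/openvpn --genkey --secret key
./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key

%if %{with tests_long}
# Randomize ports for tests to avoid conflicts on the build servers.
cport=$(( 50000 + (RANDOM % 15534) ))
sport=$(( cport + 1 ))

# The rewritten loopback configs go into a private directory created by
# mktemp. Writing through a shell redirection to a predictable name in a
# shared temporary directory would follow a pre-planted symlink, so fixed
# file names are avoided. The trap removes the directory on failure too.
testdir=$(mktemp -d %{_tmppath}/%{name}-%{version}-%{release}-check.XXXXXX)
trap 'rm -rf "$testdir"' EXIT

sed -e 's/^\(rport\) .*$/\1 '"$sport"'/' \
    -e 's/^\(lport\) .*$/\1 '"$cport"'/' \
    < sample/sample-config-files/loopback-client \
    > "$testdir/loopback-client"

sed -e 's/^\(rport\) .*$/\1 '"$cport"'/' \
    -e 's/^\(lport\) .*$/\1 '"$sport"'/' \
    < sample/sample-config-files/loopback-server \
    > "$testdir/loopback-server"

pushd sample
# Test SSL/TLS negotiations (runs for 2 minutes):
# NOTE(review): the client runs in the background and the bare wait below
# does not report its exit status, so only a failure of the server side
# fails the build.
../src/openvpn/openvpn --config "$testdir/loopback-client" &
../src/openvpn/openvpn --config "$testdir/loopback-server"
wait
popd

rm -rf "$testdir"
%endif
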
# File list of the main package: documentation, daemon, data directory,
# systemd units and the plugin directory.
%files
%doc AUTHORS INSTALL PORTS
%doc COPYING COPYRIGHT.GPL README* doc/management-notes.txt Changes.rst
%doc distro/systemd/README.systemd doc/openvpn.8.html
%doc src/plugins/*/README.*

%if %with ldap
%doc auth-ldap-%{auth_ldap_version}/README-openvpn-auth-ldap
%endif
%{_mandir}/man8/%{name}*
%{_sbindir}/%{name}
# Owns the whole data directory, which includes the sample configs, the
# sample keys and dhcp.sh copied there in the install section.
%{_datadir}/%{name}
# NOTE(review): the configuration and state directories are listed without
# an explicit attr, so they keep the mode and ownership they were created
# with in the install section - confirm that is the intended protection for
# a directory that will hold key material.
%dir %{_sysconfdir}/%{name}
#{_datadir}/%%{name}/dhcp.sh
%{_unitdir}/%{name}*.service
%{_unitdir}/%{name}.target
%{_tmpfilesdir}/%{name}.conf
%dir %{_localstatedir}/lib/%{name}
%dir %{plugindir}
%{plugindir}/*
# easy-rsa documentation files left out of the package.
%exclude %{_docdir}/easy-rsa/COPYING
%exclude %{_docdir}/easy-rsa/COPYRIGHT.GPL
%exclude %{_docdir}/easy-rsa/README-2.0

# Development subpackage: the two plugin API headers only.
%files -n %{develname}
%{_includedir}/openvpn-plugin.h
%{_includedir}/openvpn-msg.h
