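# Builds the OpenVPN daemon with its bundled plugins (down-root, auth-pam and,
# when the ldap bcond is on, the out-of-tree auth-ldap plugin), easy-rsa and
# the distro's own systemd units. Versions of the bundled third-party trees:
%define auth_ldap_version 2.0.3
%define easy_rsa_version 2.2.0_master
%define develname %mklibname %{name} -d


# Where plugin .so files are installed (also passed as --libdir to auth-ldap).
%define plugindir %{_libdir}/%{name}/plugins
# --without ldap drops the auth-ldap plugin and its gcc-objc/openldap build deps.
%bcond_without ldap

# --without tests_long skips the ~2 minute TLS loopback test in the check section.
%bcond_without tests_long

# There is an issue with gcc, so disable for amd64
# waiting reply/fix
# NOTE(review): this repeats the enabling form (bcond_without) instead of
# disabling ldap as the comment says, and the install section spells the same
# platform x86_64 in its ifarch, so this block most likely never takes effect.
# Confirm the intent before relying on it.
%ifarch amd64
%bcond_without ldap
%endif

Summary: A Secure TCP/UDP Tunneling Daemon
Name: openvpn
Version: 2.5.0
%define subrel 2
Release: %mkrel 2
URL: http://openvpn.net/
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.xz
# NOTE(review): plain-http googlecode URL and no checksum or signature recorded
# in this spec, so the integrity of this tarball rests entirely on the copy
# kept in the package's source repository.
Source2: http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-%{auth_ldap_version}.tar.gz
Source3: dhcp.sh
Source4: openvpn-tmpfile.conf
Source5: openvpn@.service
Source6: openvpn.target
Source7: https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-%{easy_rsa_version}.tar.gz
# auth-ldap plugin fixes; applied inside the plugin's own tree in the prep section.
Patch2: openvpn-auth-ldap-2.0.3-disable-tests.patch
Patch4: auth-ldap-rfc2307.patch
Patch1001: openvpn-auth-ldap-2.0.3-objc.patch
# Security backports on top of the 2.5.0 base; applied to the openvpn tree.
Patch1002: CVE-2020-15078-pre1.patch
Patch1003: CVE-2020-15078-pre2.patch
Patch1004: CVE-2020-15078-1.patch
Patch1005: CVE-2020-15078-2.patch
Patch1006: CVE-2020-15078-3.patch
Patch1007: CVE-2022-0547.patch

License: GPLv2
Group: Networking/Other
BuildRequires: liblzo-devel
BuildRequires: pkgconfig(openssl)
BuildRequires: pam-devel
BuildRequires: pkgconfig(libpkcs11-helper-1)
BuildRequires: pkgconfig(systemd)
BuildRequires: libcmocka-devel
BuildRequires: python3-docutils
%if %with ldap
BuildRequires: gcc-objc
BuildRequires: openldap-devel
BuildRequires: re2c
%endif
# The post/preun scriptlets use rpm-helper service and user macros and systemctl.
Requires(post): systemd >= %{systemd_required_version}
Requires(post): rpm-helper >= 0.24.8-1
Requires(preun): rpm-helper >= 0.24.8-1

%description
OpenVPN is a robust and highly flexible tunneling application that uses
all of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP port.
%if %with ldap

This package contains the auth-ldap plugin
%endif


%package -n %{develname}
Summary: Development package for OpenVPN plugins
Group: System/Libraries
Requires: %{name} = %{version}-%{release}

# The devel package ships only the two plugin API headers (see its files
# section); the built plugins, including auth-ldap, are in the main package.
%description -n %{develname}
OpenVPN .h files.
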
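%prep
# Unpack openvpn plus easy-rsa (Source7), and the auth-ldap tarball (Source2)
# only when the ldap bcond is on. One setup call is used on purpose: setup
# without -D wipes and re-creates the build directory, so a second call would
# discard and redo the first extraction.
%setup -q -n openvpn-%{version} -a 7 %{?with_ldap:-a 2}
%if %with ldap
# Rename the plugin README so it does not collide with openvpn's own README
# files when both are listed as docs.
%{__mv} auth-ldap-%{auth_ldap_version}/README auth-ldap-%{auth_ldap_version}/README-openvpn-auth-ldap
# Plugin patches are relative to the plugin tree, not the openvpn tree.
pushd auth-ldap-%{auth_ldap_version}
%patch1001 -p1
%patch2 -p1
%patch4 -p1
popd
%endif
# Security backports for the openvpn tree (see the Patch tags in the preamble).
%patch1002 -p1
%patch1003 -p1
%patch1004 -p1
%patch1005 -p1
%patch1006 -p1
%patch1007 -p1
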
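%build
%serverbuild
# On configure failure show config.log in the build log and stop right here,
# instead of letting make fail later with a less useful message.
# NOTE(review): --enable-pthread and --enable-password-save look like options
# from older release lines; an autoconf configure only warns about options it
# does not know, so confirm both are still honoured by this version.
%configure \
    --enable-systemd \
    --enable-pthread \
    --enable-pkcs11 \
    --enable-silent-rules \
    --enable-x509-alt-username \
    --enable-async-push \
    --with-crypto-library=openssl \
    --with-lzo-headers=%{_includedir}/lzo \
    --enable-password-save || { cat config.log; exit 1; }

%make_build

# plugins
# down-root and auth-pam live in the openvpn tree; auth-ldap is built
# out-of-tree below.
%make_build -C src/plugins/down-root
%make_build -C src/plugins/auth-pam

%if %with ldap
pushd auth-ldap-%{auth_ldap_version}
# Build against the unpacked openvpn headers and install straight into plugindir.
%configure \
    --with-openvpn=`pwd`/../include \
    --libdir=%{plugindir} \
    --with-objc-runtime=GNU
# workaround parallel build problem with generated header
# (the header is produced with a plain, serial make before the parallel build)
%make_build -C tools
make -C src TRConfigParser.h
%make_build
popd
%endif

pushd easy-rsa-%{easy_rsa_version}
# The snapshot tarball presumably has no generated configure script, hence
# the autoreconf before configuring.
autoreconf -vfi
%configure \
    --with-easyrsadir=%{_datadir}/%{name}/easy-rsa
%make_build
popd
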
%install
# easy-rsa is installed below this directory (see --with-easyrsadir in build).
mkdir -p %{buildroot}%{_datadir}/%{name}/easy-rsa

%make_install
%make_install -C easy-rsa-%{easy_rsa_version}

install -d %{buildroot}%{_sysconfdir}/%{name}
# (cg) NB The sample config file is needed for drakvpn
# sample-keys are the demo certificates and keys shipped in the public
# upstream tarball; presumably only the loopback test configs use them.
cp -pr sample/sample-{config-file,key,script}s %{buildroot}%{_datadir}/%{name}

# Home directory of the service account created in the pre scriptlet.
install -d %{buildroot}%{_localstatedir}/lib/%{name}

# (cg) Nuke sysvinit script
rm -f %{buildroot}%{_datadir}/%{name}/sample-scripts/openvpn.init

# (cg) Add systemd units
install -D -m 644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/openvpn.conf
install -D -m 644 %{SOURCE5} %{buildroot}%{_unitdir}/openvpn@.service
install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/openvpn.target
# and remove wrongly generated ones
# NOTE(review): this guard spells the platform x86_64 while the preamble
# tests amd64 for what looks like the same case; both cannot be right.
%ifarch x86_64 aarch64
rm -f %{buildroot}/%{_libdir}/systemd/system/%{name}*.service
rm -f %{buildroot}/%{_libdir}/tmpfiles.d/%{name}.conf
%endif

#plugins
mkdir -p %{buildroot}%{plugindir}

%if %with ldap
# auth-ldap was configured with --libdir set to plugindir, so its make
# install lands next to the in-tree plugins.
pushd auth-ldap-%{auth_ldap_version}
%make_install
popd
%endif

# dhcp.sh (Source3) goes into the datadir tree, which the files section lists
# as a whole, so it needs no entry of its own there.
install -m755 %{SOURCE3} %{buildroot}%{_datadir}/%{name}

%pre
# Create the system account for the service with a non-login shell; its home
# is the state directory created in install. The account is removed again in
# postun. (The unit file in Source5 that would use it is not visible here.)
%_pre_useradd %{name} %{_localstatedir}/lib/%{name} /bin/true

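%post
# (cg) This is a templated unit, so we have to manually convert to systemd
# First run only (no migration marker yet): if the old sysvinit script was
# enabled, turn every NAME.conf in the config directory into an enabled
# instance of the templated unit, then record that the migration happened.
if [ ! -f %{_localstatedir}/lib/rpm-helper/systemd-migration/%{name} ]; then
    if [ -f %{_sysconfdir}/rc3.d/S??%{name} ]; then
        for conf in %{_sysconfdir}/%{name}/*.conf; do
            # Unmatched glob: no configs present.
            [ "$conf" = "%{_sysconfdir}/%{name}/*.conf" ] && continue
            conf=$(basename "$conf" .conf)
            mkdir -p %{_sysconfdir}/systemd/system/%{name}.target.wants
            ln -s %{_unitdir}/%{name}@.service %{_sysconfdir}/systemd/system/%{name}.target.wants/%{name}@$conf.service
        done
        systemctl --quiet enable %{name}.target
    fi
    mkdir -p %{_localstatedir}/lib/rpm-helper/systemd-migration
    touch %{_localstatedir}/lib/rpm-helper/systemd-migration/%{name}
else
    # (cg) Older versions were not controlled by their own target
    # Move instances that earlier packages hooked into multi-user.target into
    # this package's own target.
    UNITS=
    for unit in %{_sysconfdir}/systemd/system/multi-user.target.wants/%{name}@?*.service; do
        # Unmatched glob: nothing to migrate.
        [ "$unit" = "%{_sysconfdir}/systemd/system/multi-user.target.wants/%{name}@?*.service" ] && continue
        UNITS="$UNITS $unit"
    done
    if [ -n "$UNITS" ]; then
        # -p: the wants directory may already exist from the first-run branch
        # above; a plain mkdir would then fail and at best leave an error in
        # the install log before the units are moved.
        mkdir -p %{_sysconfdir}/systemd/system/%{name}.target.wants
        # UNITS is deliberately unquoted: it is a space-separated list.
        mv $UNITS %{_sysconfdir}/systemd/system/%{name}.target.wants
        systemctl --quiet enable %{name}.target
    fi
fi
%_tmpfilescreate %{name}
%_post_service %{name} %{name}.target
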
%preun
# Stop and disable the target (and with it the instances hooked into it)
# before the files go away.
%_preun_service %{name} %{name}.target

%postun
# Counterpart of the useradd in pre.
%_postun_userdel %{name}

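%check
# Test Crypto:
# Generate a throwaway static key and run the built-in --test-crypto
# self-test against it for each listed cipher.
./src/openvpn/openvpn --genkey --secret key
./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key

%if %{with tests_long}
# Randomize ports for tests to avoid conflicts on the build servers.
# cport/sport are the client's and server's local ports; each side's rport is
# the other's lport. RANDOM only lowers the chance of a clash between
# concurrent builds, it does not rule one out.
cport=$[ 50000 + ($RANDOM % 15534) ]
sport=$[ $cport + 1 ]
# NOTE(review): the rewritten configs are written to the shared tmppath under
# a fully predictable name (uid included). mktemp, or a path inside the build
# directory, would guarantee a fresh file that nothing else on the host can
# pre-create or collide with.
sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
    -e 's/^\(lport\) .*$/\1 '$cport'/' \
    < sample/sample-config-files/loopback-client \
    > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client

sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
    -e 's/^\(lport\) .*$/\1 '$sport'/' \
    < sample/sample-config-files/loopback-server \
    > %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server

pushd sample
# Test SSL/TLS negotiations (runs for 2 minutes):
# The client runs in the background, the server in the foreground. Waiting on
# the client's pid ($!) makes its exit status count; a bare wait always
# returns 0 and would hide a client-side failure.
../src/openvpn/openvpn --config \
    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
../src/openvpn/openvpn --config \
    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
wait $!
popd

# Cleanup is only reached on success when the shell runs with -e; a failed
# test leaves the two files behind in tmppath.
rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
    %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
%endif
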
%files
%doc AUTHORS INSTALL PORTS
%doc COPYING COPYRIGHT.GPL README* doc/management-notes.txt Changes.rst
%doc distro/systemd/README.systemd doc/openvpn.8.html
%doc src/plugins/*/README.*

%if %with ldap
%doc auth-ldap-%{auth_ldap_version}/README-openvpn-auth-ldap
%endif
%{_mandir}/man8/%{name}*
%{_sbindir}/%{name}
# Whole datadir tree: sample configs, sample scripts, dhcp.sh, easy-rsa and
# the upstream sample-keys (public demo material, not for real deployments).
%{_datadir}/%{name}
# Operator configs live here, typically next to private keys and
# auth-user-pass files.
# NOTE(review): packaged with default directory permissions; consider a
# restrictive attr (e.g. 0750 root:root) so other local users cannot list
# the deployed config names - check the distro's policy first.
%dir %{_sysconfdir}/%{name}
#{_datadir}/%%{name}/dhcp.sh
%{_unitdir}/%{name}*.service
%{_unitdir}/%{name}.target
%{_tmpfilesdir}/%{name}.conf
# Home of the service account created in pre.
%dir %{_localstatedir}/lib/%{name}
# In-tree plugins plus, when built, auth-ldap (installed with --libdir set to
# plugindir).
%dir %{plugindir}
%{plugindir}/*
# easy-rsa's own licence and README copies duplicate the main package docs.
%exclude %{_docdir}/easy-rsa/COPYING
%exclude %{_docdir}/easy-rsa/COPYRIGHT.GPL
%exclude %{_docdir}/easy-rsa/README-2.0

# Plugin API headers only; the built plugin .so files are in the main package.
%files -n %{develname}
%{_includedir}/openvpn-plugin.h
%{_includedir}/openvpn-msg.h