%define _hardened_build 1
# LTO needs to be disabled to avoid issues on Fedora 34+ and
# EL-9 when linking the unit-test, which utilizes --wrap in
# the link process
%if 0%{?rhel} > 8 || 0%{?fedora} > 34
%global _lto_cflags %{nil}
%endif
# The DCO feature is only available on EL-8+ or Fedora 34+
%if 0%{?rhel} > 7 || 0%{?fedora} > 34
%bcond_without dco
%else
%bcond_with dco
%endif
# pkcs11-helper on RHEL9 (v1.27.0) comes with a buggy pkcs11.h, so skip it
%if 0%{?rhel} == 9
%bcond_with pkcs11
%else
%bcond_without pkcs11
%endif
# Build conditionals
# tests_long - Enabled by default, enables long running tests in %%check
%bcond_without tests_long
Name: openvpn
Version: 2.6.0
Release: 1%{?dist}
Summary: A full-featured TLS VPN solution (beta release)
URL: https://community.openvpn.net/
Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
Source1: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz.asc
Source2: roadwarrior-server.conf
Source3: roadwarrior-client.conf
# Upstream signing key
Source10: gpgkey-F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7.gpg
Patch1: 0001-Change-the-default-cipher-to-AES-256-GCM-for-server-.patch
Patch2: fedora-crypto-policy-compliance.patch
Patch50: openvpn-2.4-change-tmpfiles-permissions.patch
License: GPLv2
BuildRequires: gnupg2
BuildRequires: gcc
BuildRequires: automake
BuildRequires: autoconf
BuildRequires: autoconf-archive
BuildRequires: libcap-ng-devel
BuildRequires: libtool
BuildRequires: gettext
BuildRequires: lzo-devel
BuildRequires: lz4-devel
BuildRequires: make
BuildRequires: openssl-devel
%if %{with dco}
BuildRequires: libnl3-devel
%endif
%if %{with pkcs11}
BuildRequires: pkcs11-helper-devel >= 1.11
%endif
BuildRequires: pam-devel
BuildRequires: libselinux-devel
BuildRequires: libcmocka-devel
BuildRequires: systemd
BuildRequires: systemd-devel
%{?systemd_requires}
Requires(pre): /usr/sbin/useradd
%if 0%{?rhel} > 7 || 0%{?fedora} > 34
BuildRequires: python3-docutils
%else
# We cannot use python36-docutils on RHEL-7 as
# the ./configure script does not currently find
# the rst2man-3 executable, it only looks for rst2man
BuildRequires: python-docutils
%endif
# For the perl_default_filter macro
BuildRequires: perl-macros
# Filter out the perl(Authen::PAM) dependency.
# No perl dependency is really needed at all.
%{?perl_default_filter}
%description
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.
%package devel
Summary: Development headers and examples for OpenVPN plug-ins
%description devel
OpenVPN can be extended through the --plugin option, which provides
possibilities to add specialized authentication, user accounting,
packet filtering and related features. These plug-ins need to be
written in C and provides a more low-level and information rich access
to similar features as the various script-hooks.
%prep
gpgv2 --quiet --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
%setup -q -n %{name}-%{version}
%patch1 -p1
%if 0%{?rhel} > 7 || 0%{?fedora} > 34
# The crypto-policy patch is only valid on RHEL-8 and newer plus Fedora
%patch2 -p1
%endif
%patch50 -p1
# %%doc items shouldn't be executable.
find contrib sample -type f -perm /100 \
-exec chmod a-x {} \;
%build
%configure \
--enable-silent-rules \
--with-crypto-library=openssl \
%{?with_pkcs11:--enable-pkcs11} \
--enable-selinux \
--enable-systemd \
--enable-x509-alt-username \
--enable-async-push \
%{?with_dco:--enable-dco} \
--docdir=%{_pkgdocdir} \
SYSTEMD_UNIT_DIR=%{_unitdir} \
TMPFILES_DIR=%{_tmpfilesdir}
%{__make} %{?_smp_mflags}
%check
# Test Crypto:
./src/openvpn/openvpn --genkey --secret key
./src/openvpn/openvpn --cipher aes-128-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-cbc --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-128-gcm --test-crypto --secret key
./src/openvpn/openvpn --cipher aes-256-gcm --test-crypto --secret key
# Some of the unit tests does not run on RHEL-7
pushd tests/unit_tests
%{__make} %{?_smp_mflags} check
popd
%if %{with tests_long}
# Randomize ports for tests to avoid conflicts on the build servers.
cport=$[ 50000 + ($RANDOM % 15534) ]
sport=$[ $cport + 1 ]
sed -e 's/^\(rport\) .*$/\1 '$sport'/' \
-e 's/^\(lport\) .*$/\1 '$cport'/' \
< sample/sample-config-files/loopback-client \
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client
sed -e 's/^\(rport\) .*$/\1 '$cport'/' \
-e 's/^\(lport\) .*$/\1 '$sport'/' \
< sample/sample-config-files/loopback-server \
> %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
pushd sample
# Test SSL/TLS negotiations (runs for 2 minutes):
../src/openvpn/openvpn --config \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client &
../src/openvpn/openvpn --config \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
wait
popd
rm -f %{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-client \
%{_tmppath}/%{name}-%{version}-%{release}-%(%{__id_u})-loopback-server
%endif
%install
%{__make} install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
mkdir -p -m 0750 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/client $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/server
cp %{SOURCE2} %{SOURCE3} sample/sample-config-files/
# Create some directories the OpenVPN package should own
mkdir -m 0750 -p $RPM_BUILD_ROOT%{_rundir}/%{name}-{client,server}
mkdir -m 0770 -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
# Package installs into %%{_pkgdocdir} directly
# Add various additional files
cp -a AUTHORS ChangeLog contrib sample distro/systemd/README.systemd $RPM_BUILD_ROOT%{_pkgdocdir}
# Fix incorrect she-bang on a python script
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/#_interpreter_invocation
sed -e "s|^#!/usr/bin/env.*python3$|#!%{python3} -%{py3_shebang_flags}|" \
-i $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/extract-crl/extractcrl.py
# Remove some files which does not really belong here
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/Makefile{,.in,.am}
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/contrib/multilevel-init.patch
rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-keys
# Remove totpauth.py on RHEL-7, as it is not able to process the code
%if 0%{?rhel} == 7
rm -f $RPM_BUILD_ROOT%{_pkgdocdir}/sample/sample-scripts/totpauth.py
%endif
%pre
getent group openvpn &>/dev/null || groupadd -r openvpn
getent passwd openvpn &>/dev/null || \
/usr/sbin/useradd -r -g openvpn -s /sbin/nologin -c OpenVPN \
-d /etc/openvpn openvpn
%post
%systemd_post openvpn-client@\*.service
%systemd_post openvpn-server@\*.service
%preun
%systemd_preun openvpn-client@\*.service
%systemd_preun openvpn-server@\*.service
%postun
%systemd_postun_with_restart openvpn-client@\*.service
%systemd_postun_with_restart openvpn-server@\*.service
%systemd_postun_with_restart openvpn@\*.service
%files
%{_pkgdocdir}
%exclude %{_pkgdocdir}/README.mbedtls
%exclude %{_pkgdocdir}/sample/sample-plugins
%{_mandir}/man8/%{name}.8*
%{_mandir}/man5/%{name}-*.5*
%{_sbindir}/%{name}
%{_libdir}/%{name}/
%{_unitdir}/%{name}-client@.service
%{_unitdir}/%{name}-server@.service
%{_tmpfilesdir}/%{name}.conf
%config %dir %{_sysconfdir}/%{name}/
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/client
%config %dir %attr(-,-,openvpn) %{_sysconfdir}/%{name}/server
%attr(0770,openvpn,openvpn) %{_sharedstatedir}/%{name}
%attr(0750,-,openvpn) %{_rundir}/%{name}-client
%attr(0750,-,openvpn) %{_rundir}/%{name}-server
%files devel
%{_pkgdocdir}/sample/sample-plugins
%{_includedir}/openvpn-plugin.h
%{_includedir}/openvpn-msg.h
%changelog
* Thu Jan 26 2023 David Sommerseth <davids@openvpn.net> - 2.6.0-1
- Packaging of final openvpn-2.6.0 release
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Nov 1 2022 David Sommerseth <davids@openvpn.net> - 2.5.8-1
- Update to upstream OpenVPN 2.5.8
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-2
- Added additional upstream patch resolving BF-CBC issues (to be removed with 2.5.8)
https://patchwork.openvpn.net/patch/2504/
- Removed BF-CBC from the --data-ciphers list. This is no longer available by default
in OpenSSL 3.0
* Tue May 31 2022 David Sommerseth <davids@openvpn.net> - 2.5.7-1
- Update to upstream OpenVPN 2.5.7
* Wed Mar 16 2022 David Sommerseth <davids@openvpn.net> - 2.5.6-1
- Update to upstream OpenVPN 2.5.6
- Fixes CVE-2022-0547
* Thu Jan 27 2022 David Sommerseth <davids@openvpn.net> - 2.5.5-4
- Fix systemd related scriptlet error (#1887984)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.5.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild