From 983199849d12238af61b331a125abea5b61aab69 Mon Sep 17 00:00:00 2001
From: David Sommerseth <dazo@eurephia.org>
Date: Mar 23 2017 01:08:49 +0000
Subject: Update to upstream v2.4.1, plus ...


- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
  and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
- Removed no-functional ./configure options
- Use upstream tmfiles.d/openvpn
- Package newer openvpn-client/server@.service unit files

---

diff --git a/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch b/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
new file mode 100644
index 0000000..5b3f24c
--- /dev/null
+++ b/0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
@@ -0,0 +1,50 @@
+From 9e2c742b2d8ffc31db7590cfc4f29d2012dd8de1 Mon Sep 17 00:00:00 2001
+From: David Sommerseth <davids@openvpn.net>
+Date: Thu, 23 Mar 2017 01:34:06 +0100
+Subject: [PATCH] workaround: Allow weaker RSA keys and MD algorithms in Fedora
+
+This patch hard codes an alternative mbed TLS profile to allow
+RSA keys >= 1024 bits as well as SHA1 and RIPEMD160 hashing.
+
+Signed-off-by: David Sommerseth <davids@openvpn.net>
+---
+ src/openvpn/ssl_mbedtls.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
+index ba8dadf..05f8a48 100644
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -932,6 +932,29 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
+                                           MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
+ #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+ 
++    /* Fedora adoption - allow legacy certificates
++     * Taken from the OpenVPN 3 Core code base
++     */
++    const static mbedtls_x509_crt_profile crt_profile_legacy = {
++	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
++	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
++	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
++	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
++	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
++	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
++	-1, /* Any PK alg    */
++	-1, /* Any curve     */
++	1024,      /* Minimum size for RSA keys */
++    };
++    mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &crt_profile_legacy);
++    static bool fedora_mod_info = false;
++    if (!fedora_mod_info) {
++	msg(M_INFO, "[Fedora modification] Switched mbed TLS certificate profile to legacy mode");
++	fedora_mod_info = true;
++    }
++
++    /* End of Fedora adoption */
++
+     /* Initialise authentication information */
+     if (is_server)
+     {
+-- 
+2.11.0
+
diff --git a/openvpn-tmpfile.conf b/openvpn-tmpfile.conf
deleted file mode 100644
index d5fca71..0000000
--- a/openvpn-tmpfile.conf
+++ /dev/null
@@ -1 +0,0 @@
-D /var/run/openvpn 0710 root openvpn -
diff --git a/openvpn.spec b/openvpn.spec
index 12b4983..1ed7d7e 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -4,28 +4,24 @@
 %define plugins down-root auth-pam
 
 Name:              openvpn
-Version:           2.4.0
-Release:           2%{?prerelease:.%{prerelease}}%{?dist}
+Version:           2.4.1
+Release:           1%{?prerelease:.%{prerelease}}%{?dist}
 Summary:           A full-featured SSL VPN solution
-URL:               http://openvpn.net/
-#Source0:           http://openvpn.net/beta/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
-#Source0:           https://secure.openvpn.net/beta/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
-Source0:           http://openvpn.net/release/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz
-#Source1:           https://secure.openvpn.net/beta/signatures/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz.asc
-Source1:           http://openvpn.net/signatures/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.gz.asc
+URL:               https://community.openvpn.net/
+Source0:           https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz
+Source1:           https://swupdate.openvpn.org/community/releases/%{name}-%{version}%{?prerelease:_%{prerelease}}.tar.xz.asc
 # Sample 2.0 config files
 Source2:           roadwarrior-server.conf
 Source3:           roadwarrior-client.conf
-# Systemd service
+# Systemd service  (deprecated)
 Source4:           openvpn@.service
-# Tmpfile.d config
-Source5:           %{name}-tmpfile.conf
 
 # Don't start openvpn by default.
 #Patch0:            openvpn-init.patch
 #Patch1:            openvpn-script-security.patch
 #Patch2:            openvpn-2.1.1-init.patch
 #Patch3:            openvpn-2.1.1-initinfo.patch
+Patch4:             0001-workaround-Allow-weaker-RSA-keys-and-MD-algorithms-i.patch
 License:           GPLv2
 Group:             Applications/Internet
 BuildRequires:     systemd-devel
@@ -64,6 +60,7 @@ for compression.
 #%patch1 -p1
 #%patch2 -p0
 #%patch3 -p0
+%patch4 -p1
 
 sed -i -e 's,%{_datadir}/openvpn/plugin,%{_libdir}/openvpn/plugin,' doc/openvpn.8
 
@@ -80,8 +77,6 @@ find contrib sample -type f -perm /100 \
 #  --with-iproute-path=PATH    Path to iproute tool
 #  --with-route-path=PATH  Path to route tool
 %configure \
-    --enable-pthread \
-    --enable-password-save \
     --enable-iproute2 \
     --with-iproute-path=/sbin/ip \
     --enable-plugins \
@@ -89,7 +84,9 @@ find contrib sample -type f -perm /100 \
     --enable-plugin-auth-pam \
     --with-crypto-library=mbedtls \
     --enable-systemd \
-    --docdir=%{_pkgdocdir}
+    --docdir=%{_pkgdocdir} \
+    SYSTEMD_UNIT_DIR=%{_unitdir} \
+    TMPFILES_DIR=%{_tmpfilesdir}
 %{__make}
 
 #%check
@@ -143,8 +140,6 @@ find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
 cp -a AUTHORS PORTS INSTALL contrib sample $RPM_BUILD_ROOT%{_pkgdocdir}
 
 # tmpfiles.d
-mkdir -p %{buildroot}%{_prefix}/lib/tmpfiles.d
-install -m 0644 %{SOURCE5} %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0710 %{buildroot}%{_localstatedir}/run/%{name}/
 
@@ -196,11 +191,21 @@ fi
 %{_includedir}/openvpn-msg.h
 %{_libdir}/%{name}/
 %{_unitdir}/%{name}@.service
+%{_unitdir}/%{name}-client@.service
+%{_unitdir}/%{name}-server@.service
+%{_tmpfilesdir}/%{name}.conf
 %attr(0710,root,openvpn) %dir %{_localstatedir}/run/%{name}/
-%{_prefix}/lib/tmpfiles.d/%{name}.conf
 %config %dir %{_sysconfdir}/%{name}/
 
 %changelog
+* Thu Mar 23 2017 David Sommerseth <dazo@eurephia.org> - 2.4.1-1
+- Updating to upstream release, v2.4.1
+- Added mbed TLS patch to allow RSA keys down to 1024 bits plus SHA1
+  and RIPE-160 hasing algorithms (based on OpenVPN 3 legacy profile)
+- Removed no-functional ./configure options
+- Use upstream tmfiles.d/openvpn
+- Package newer openvpn-client/server@.service unit files
+
 * Thu Feb 09 2017 Jon Ciesla <limburgher@gmail.com> 2.4.0-2
 - Move to mbedtls to resolve FTBFS.
 - Dropped, re-add once openvpn supports openssl 1.1.x