From d3986a312f5fbcfd0e78e6b147eef419fb4e5f54 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sat, 15 Aug 2020 21:29:15 +0200 Subject: d/gbp.conf for experimental 2.5 branch --- debian/gbp.conf | 3 +++ 1 file changed, 3 insertions(+) (limited to 'debian') diff --git a/debian/gbp.conf b/debian/gbp.conf index cec628c..1526270 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,2 +1,5 @@ [DEFAULT] pristine-tar = True + +debian-branch = debian/experimental-2.5 +upstream-branch = upstream-2.5 -- cgit v1.2.3 From 0d85c7a4b77d7841435ae1ea6f3c70640f4e974b Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sat, 15 Aug 2020 21:59:32 +0200 Subject: Adjust patches for new major upstream version --- debian/patches/auth-pam_libpam_so_filename.patch | 2 +- .../patches/debian_nogroup_for_sample_files.patch | 26 ----------- debian/patches/fix-openssl-error.patch | 51 --------------------- debian/patches/series | 4 +- debian/patches/spelling_errors.patch | 53 ---------------------- 5 files changed, 2 insertions(+), 134 deletions(-) delete mode 100644 debian/patches/fix-openssl-error.patch delete mode 100644 debian/patches/spelling_errors.patch (limited to 'debian') diff --git a/debian/patches/auth-pam_libpam_so_filename.patch b/debian/patches/auth-pam_libpam_so_filename.patch index 2e7e5c4..336ccd4 100644 --- a/debian/patches/auth-pam_libpam_so_filename.patch +++ b/debian/patches/auth-pam_libpam_so_filename.patch @@ -6,7 +6,7 @@ Index: trunk/src/plugins/auth-pam/auth-pam.c --- trunk.orig/src/plugins/auth-pam/auth-pam.c +++ trunk/src/plugins/auth-pam/auth-pam.c @@ -716,7 +716,7 @@ pam_server(int fd, const char *service, - struct user_pass up; + char ac_file_name[PATH_MAX]; int command; #ifdef USE_PAM_DLOPEN - static const char pam_so[] = "libpam.so"; diff --git a/debian/patches/debian_nogroup_for_sample_files.patch b/debian/patches/debian_nogroup_for_sample_files.patch index f7dcaaa..3660453 100644 --- a/debian/patches/debian_nogroup_for_sample_files.patch 
+++ b/debian/patches/debian_nogroup_for_sample_files.patch @@ -23,32 +23,6 @@ Index: openvpn/sample/sample-config-files/tls-home.conf # for extra security. ; user nobody -; group nobody -+; group nogroup - - # If you built OpenVPN with - # LZO compression, uncomment -Index: openvpn/sample/sample-config-files/static-home.conf -=================================================================== ---- openvpn.orig/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100 -+++ openvpn/sample/sample-config-files/static-home.conf 2016-11-21 09:53:43.608863207 +0100 -@@ -43,7 +43,7 @@ - # "nobody" after initialization - # for extra security. - ; user nobody --; group nobody -+; group nogroup - - # If you built OpenVPN with - # LZO compression, uncomment -Index: openvpn/sample/sample-config-files/static-office.conf -=================================================================== ---- openvpn.orig/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100 -+++ openvpn/sample/sample-config-files/static-office.conf 2016-11-21 09:53:43.608863207 +0100 -@@ -40,7 +40,7 @@ - # "nobody" after initialization - # for extra security. - ; user nobody --; group nobody +; group nogroup # If you built OpenVPN with diff --git a/debian/patches/fix-openssl-error.patch b/debian/patches/fix-openssl-error.patch deleted file mode 100644 index 566d7e6..0000000 --- a/debian/patches/fix-openssl-error.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -In the corner case that the global OpenSSL has an invalid command like - - MinProtocol = TLSv1.0 - -(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct) - -the SSL_ctx_new function leaves the errors for parsing the config file -on the stack. - -OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value - -Since the later functions, especially the one of loading the -certificates expected a clean error this error got reported at the -wrong place. - -Print the warnings with crypto_msg when we detect that we are in this -situation (this also clears the stack). ---- - src/openvpn/ssl_openssl.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c -index 5955c6bd..555cbbdf 100644 ---- a/src/openvpn/ssl_openssl.c -+++ b/src/openvpn/ssl_openssl.c -@@ -115,6 +115,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) - { - crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method"); - } -+ if (ERR_peek_error() != 0) -+ { -+ crypto_msg(M_WARN, "Warning: TLS server context initialisation " -+ "has warnings."); -+ } - } - - void -@@ -128,6 +133,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) - { - crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method"); - } -+ if (ERR_peek_error() != 0) -+ { -+ crypto_msg(M_WARN, "Warning: TLS client context initialisation " -+ "has warnings."); -+ } - } - - void --- -2.26.0 diff --git a/debian/patches/series b/debian/patches/series index 6ef394c..55bae8e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,8 +2,6 @@ move_log_dir.patch auth-pam_libpam_so_filename.patch debian_nogroup_for_sample_files.patch openvpn-pkcs11warn.patch -kfreebsd_support.patch +#kfreebsd_support.patch match-manpage-and-command-help.patch -spelling_errors.patch systemd.patch -fix-openssl-error.patch diff --git a/debian/patches/spelling_errors.patch b/debian/patches/spelling_errors.patch deleted file mode 100644 index cac36d3..0000000 
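Review bot: `#kfreebsd_support.patch` in debian/patches/series disables the patch without recording why, and the patch file itself stays in debian/patches, so a later maintainer cannot tell whether it is waiting for a port to 2.5 or should be deleted. quilt treats series lines beginning with `#` as comments, so the reason fits on the line itself, e.g. `#kfreebsd_support.patch  # disabled for 2.5: <reason>; port or drop before upload`. The two patches deleted in this commit (fix-openssl-error.patch, spelling_errors.patch) are presumably merged upstream; a word to that effect in the commit message would spare the next reader a diff against the 2.5 sources.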
--- a/debian/patches/spelling_errors.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -Description: correct tspelling errors -Author: Jörg Frings-Fürst -Last-Update: 2018-07-29 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: trunk/src/openvpn/buffer.c -=================================================================== ---- trunk.orig/src/openvpn/buffer.c -+++ trunk/src/openvpn/buffer.c -@@ -44,7 +44,7 @@ array_mult_safe(const size_t m1, const s - unsigned long long res = (unsigned long long)m1 * (unsigned long long)m2 + (unsigned long long)extra; - if (unlikely(m1 > limit) || unlikely(m2 > limit) || unlikely(extra > limit) || unlikely(res > (unsigned long long)limit)) - { -- msg(M_FATAL, "attemped allocation of excessively large array"); -+ msg(M_FATAL, "attempted allocation of excessively large array"); - } - return (size_t) res; - } -Index: trunk/src/openvpn/options.c -=================================================================== ---- trunk.orig/src/openvpn/options.c -+++ trunk/src/openvpn/options.c -@@ -448,7 +448,7 @@ static const char usage_message[] = - " user/pass via environment, if method='via-file', pass\n" - " user/pass via temporary file.\n" - "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n" -- " to each client, replacing the password. Usefull when\n" -+ " to each client, replacing the password. Useful when\n" - " OTP based two-factor auth mechanisms are in use and\n" - " --reneg-* options are enabled. Optionally a lifetime in seconds\n" - " for generated tokens can be set.\n" -Index: trunk/doc/openvpn.8 -=================================================================== ---- trunk.orig/doc/openvpn.8 -+++ trunk/doc/openvpn.8 -@@ -2181,7 +2181,7 @@ that - is parsed on the command line even though - the daemonization point occurs later. If one of the - .B \-\-log --options is present, it will supercede syslog -+options is present, it will supersede syslog - redirection. 
- - The optional -@@ -2292,7 +2292,7 @@ If - already exists it will be truncated. - This option takes effect - immediately when it is parsed in the command line --and will supercede syslog output if -+and will supersede syslog output if - .B \-\-daemon - or - .B \-\-inetd -- cgit v1.2.3 From 3b2fa6eda5e27c857eff7f55fd7a5213250c26e0 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sat, 15 Aug 2020 21:59:45 +0200 Subject: Add python3-docutils to build-depends for manpage generation --- debian/control | 1 + 1 file changed, 1 insertion(+) (limited to 'debian') diff --git a/debian/control b/debian/control index 43f6a50..b97a723 100644 --- a/debian/control +++ b/debian/control @@ -16,6 +16,7 @@ Build-Depends: libsystemd-dev [linux-any], net-tools [!linux-any], pkg-config, + python3-docutils, systemd [linux-any] Standards-Version: 4.5.0 Rules-Requires-Root: no -- cgit v1.2.3 From 11d1375916e221780ed3d722e8c5e83bcd575e85 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sat, 15 Aug 2020 22:00:38 +0200 Subject: Changelog for 2.5~beta1-1 --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index ca70c2b..e0afaef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +openvpn (2.5~beta1-1) experimental; urgency=medium + + * d/gbp.conf for experimental 2.5 branch + * New upstream version 2.5~beta1 + * Adjust patches for new major upstream version + * Add python3-docutils to build-depends for manpage generation + + -- Bernhard Schmidt Sat, 15 Aug 2020 21:32:49 +0200 + openvpn (2.4.9-3) unstable; urgency=medium [ Jörg Frings-Fürst ] -- cgit v1.2.3 From 7ba9d08967531199c7644c963b44493f1b67454e Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sun, 16 Aug 2020 10:33:45 +0200 Subject: Set Build-Conflicts: systemctl, see Bug#959828 --- debian/control | 3 +++ 1 file changed, 3 insertions(+) (limited to 'debian') 
diff --git a/debian/control b/debian/control index b97a723..adf3f70 100644 --- a/debian/control +++ b/debian/control @@ -18,6 +18,9 @@ Build-Depends: pkg-config, python3-docutils, systemd [linux-any] +# systemctl from src:docker-systemctl-replacement declaring Provides: systemd +# See Bug#959828 +Build-Conflicts: systemctl Standards-Version: 4.5.0 Rules-Requires-Root: no Homepage: https://openvpn.net/ -- cgit v1.2.3 From 62f9a3c02950839ef9eb5f5fb4cbdd7b7d33ccbc Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sun, 16 Aug 2020 10:39:34 +0200 Subject: Changelog for 2.5~beta1-2 --- debian/changelog | 6 ++++++ debian/control | 1 + 2 files changed, 7 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index e0afaef..dffc4ed 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +openvpn (2.5~beta1-2) experimental; urgency=medium + + * Set Build-Conflicts: systemctl, see Bug#959828 + + -- Bernhard Schmidt Sun, 16 Aug 2020 10:33:47 +0200 + openvpn (2.5~beta1-1) experimental; urgency=medium * d/gbp.conf for experimental 2.5 branch diff --git a/debian/control b/debian/control index adf3f70..ca71b4e 100644 --- a/debian/control +++ b/debian/control @@ -19,6 +19,7 @@ Build-Depends: python3-docutils, systemd [linux-any] # systemctl from src:docker-systemctl-replacement declaring Provides: systemd +# only necessary for experimental with the apscud resolver # See Bug#959828 Build-Conflicts: systemctl Standards-Version: 4.5.0 -- cgit v1.2.3 From 0864551ef69cf1c2c3a0b607b4d0583f6b874dce Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sun, 16 Aug 2020 14:03:32 +0200 Subject: Disable iproute2 support in favour of the new netlink based default Thanks: Fabio Pedretti --- debian/control | 2 +- debian/rules | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/control b/debian/control index ca71b4e..3526094 100644 --- a/debian/control +++ b/debian/control 
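Review bot: The comment added in the second debian/control hunk, `+# only necessary for experimental with the apscud resolver`, most likely means `aspcud`, the external dependency solver used for builds against experimental; "apscud" does not appear to be a Debian tool. It is also inserted between `# systemctl from src:docker-systemctl-replacement …` and its `# See Bug#959828` follow-up, splitting the existing two-line explanation of the Build-Conflicts. Suggest `# only necessary for experimental with the aspcud resolver` placed after the `# See Bug#959828` line.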
@@ -6,7 +6,7 @@ Uploaders: Jörg Frings-Fürst Build-Depends: debhelper-compat (= 13), dpkg-dev (>= 1.16.1), - iproute2 [linux-any], +# iproute2 [linux-any], liblz4-dev, liblzo2-dev, libp11-kit-dev, diff --git a/debian/rules b/debian/rules index f7c3377..a49ff29 100755 --- a/debian/rules +++ b/debian/rules @@ -6,7 +6,7 @@ ENV_VARS := IFCONFIG=/sbin/ifconfig ROUTE=/lib/freebsd/route EXTRA_ARGS := else ENV_VARS := SYSTEMD_ASK_PASSWORD=/bin/systemd-ask-password IFCONFIG=/sbin/ifconfig ROUTE=/sbin/route IPROUTE=/sbin/ip SYSTEMD_UNIT_DIR=/lib/systemd/system TMPFILES_DIR=/usr/lib/tmpfiles.d -EXTRA_ARGS := --enable-systemd --enable-iproute2 +EXTRA_ARGS := --enable-systemd endif #export DH_VERBOSE=1 -- cgit v1.2.3 From 4e5ae294da9429b739ba4dd741d73478429bf4d1 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sun, 16 Aug 2020 14:07:34 +0200 Subject: Changelog for 2.5~beta1-3 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index dffc4ed..2f7724f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openvpn (2.5~beta1-3) experimental; urgency=medium + + * Disable iproute2 support in favour of the new netlink based default. + Thanks to Fabio Pedretti + + -- Bernhard Schmidt Sun, 16 Aug 2020 14:04:11 +0200 + openvpn (2.5~beta1-2) experimental; urgency=medium * Set Build-Conflicts: systemctl, see Bug#959828 -- cgit v1.2.3 From 68cf7e194033449b6c02fde1413875a597861c19 Mon Sep 17 00:00:00 2001 
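Review bot: `IPROUTE=/sbin/ip` stays in the ENV_VARS line directly above the changed `EXTRA_ARGS := --enable-systemd`, but it only tells configure where the iproute binary lives for `--enable-iproute2`, so after this change it is presumably dead configuration. Either drop it from ENV_VARS or say why it is kept, e.g. `# IPROUTE is unused by the default (netlink) build; kept for local --enable-iproute2 rebuilds`. The debian/control hunk in the same commit comments out `iproute2 [linux-any]` rather than removing it; if it is meant to return, a matching one-line comment there would help. The `ifeq`/`else`/`endif` block containing ENV_VARS starts outside the hunk.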
From: Lucas Kanashiro Date: Fri, 8 May 2020 09:19:44 -0300 Subject: Add two DEP-8 test cases for the server side Two scenarios are tested, server setup using: a static key and a CA. --- debian/tests/control | 6 ++ debian/tests/server-setup-with-ca | 91 +++++++++++++++++++++++++++++++ debian/tests/server-setup-with-static-key | 63 +++++++++++++++++++++ 3 files changed, 160 insertions(+) create mode 100644 debian/tests/control create mode 100755 debian/tests/server-setup-with-ca create mode 100755 debian/tests/server-setup-with-static-key (limited to 'debian') diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..9fb6fea --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,6 @@ +Tests: server-setup-with-ca +Depends: openvpn, easy-rsa +Restrictions: needs-root, isolation-machine + +Tests: server-setup-with-static-key +Restrictions: needs-root, isolation-machine diff --git a/debian/tests/server-setup-with-ca b/debian/tests/server-setup-with-ca new file mode 100755 index 0000000..58df2e9 --- /dev/null +++ b/debian/tests/server-setup-with-ca 
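Review bot: Both test scripts call `ip` and `ss` (iproute2) and `pkill` (procps), yet neither stanza in debian/tests/control lists them; the second stanza has no `Depends:` at all, which DEP-8 treats as `@`. If openvpn's runtime Depends ever stops pulling iproute2 in — this same series already comments out the iproute2 build-dependency — the tests would fail on a missing binary rather than on a real regression. Suggest `Depends: openvpn, easy-rsa, iproute2, procps` for the first stanza and `Depends: openvpn, iproute2, procps` for the second.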
@@ -0,0 +1,91 @@ +#!/bin/bash + +# ---------------------------------------------- +# Test an OpenVPN server setup with CA +# ---------------------------------------------- + +set -e + +CONFIG_DIR=/etc/openvpn +CA_DIR=easy-rsa +CA_VARS_FILE=vars +DEVICE=tun1 +IP_NETWORK=10.9.8.0 +NETWORK_MASK=255.255.255.0 +LOG_FILE=$AUTOPKGTEST_TMP/openvpn.log + +# Print information message to stdout +info() { + echo "[I] $1" +} + +info "Create the CA directory inside the config directory" +cd $CONFIG_DIR +make-cadir $CA_DIR +cd $CA_DIR + +info \ +"Add some variables to the $CA_VARS_FILE to build the CA and keys in a non interactive mode" +cat << EOF >> $CA_VARS_FILE +set_var EASYRSA_REQ_COUNTRY "US" +set_var EASYRSA_REQ_PROVINCE "California" +set_var EASYRSA_REQ_CITY "San Francisco" +set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" +set_var EASYRSA_REQ_EMAIL "me@example.net" +set_var EASYRSA_REQ_OU "My Organizational Unit" + +set_var EASYRSA_BATCH "1" +EOF + +info "Setup the CA and the server keys" +./easyrsa init-pki +./easyrsa build-ca nopass 2>/dev/null +./easyrsa build-server-full server nopass 2>/dev/null +./easyrsa gen-dh 2>/dev/null + +info "Create the OpenVPN server config file" +cat << EOF > /etc/openvpn/server.conf +dev $DEVICE +server $IP_NETWORK $NETWORK_MASK + +ca $CONFIG_DIR/$CA_DIR/pki/ca.crt +cert $CONFIG_DIR/$CA_DIR/pki/issued/server.crt +key $CONFIG_DIR/$CA_DIR/pki/private/server.key +dh $CONFIG_DIR/$CA_DIR/pki/dh.pem +EOF + +info "Start an OpenVPN process in background and redirect its output to a file" +openvpn --config $CONFIG_DIR/server.conf --verb 6 > $LOG_FILE & + +info "Give some time to start the process, check if the TUN device is opened" +count=1 +until [ -f $LOG_FILE ] && cat $LOG_FILE | grep "TUN/TAP device $DEVICE opened"; do + [ $count -gt 9 ] && exit 5 + count=$(expr $count + 1) + sleep 1 +done + +info "Check if the $DEVICE was created and if the state is UNKNOWN at this point" +ip address show $DEVICE | grep 'state UNKNOWN' + +info "Check if 
OpenVPN is listening on port 1194 (default port)" +ss -lnptu | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}:1194.*users:\(\(\"openvpn\"' + +info "Check if Diffie-Hellman was initialized" +cat $LOG_FILE | grep 'Diffie-Hellman initialized' + +info "Check if the $DEVICE is linked" +cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up" + +info "Check if the network route was correctly configured" +cat $LOG_FILE | grep "/sbin/ip route add $IP_NETWORK/24" + +info "Check if the Initialization Sequence completed" +cat $LOG_FILE | grep 'Initialization Sequence Completed' + +# Clean up: kill tha OpenVPN process, remove the $DEVICE created and CA dir +cleanup() { + pkill openvpn + rm -rf $CONFIG_DIR/$CA_DIR +} +trap cleanup INT TERM EXIT diff --git a/debian/tests/server-setup-with-static-key b/debian/tests/server-setup-with-static-key new file mode 100755 index 0000000..9ddaecd --- /dev/null +++ b/debian/tests/server-setup-with-static-key 
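Review bot: `trap cleanup INT TERM EXIT` is the last statement of debian/tests/server-setup-with-ca, so with `set -e` any check that fails before it — including the `exit 5` in the readiness loop — ends the script without the trap ever being installed, leaving the background openvpn running and the CA directory under /etc/openvpn for the next test; debian/tests/server-setup-with-static-key has the same ordering. Define `cleanup` and install the trap before the `openvpn … &` line. While there, `pkill openvpn` kills every openvpn process on the machine rather than the one this test started; record `$!` after launching and kill that PID instead. The `server.conf` written to /etc/openvpn is also never removed.
```bash
# … unchanged: variable setup, info(), CA and server config generation …

# Clean up: kill only the OpenVPN process we started, remove server.conf and the CA dir
OPENVPN_PID=
cleanup() {
    if [ -n "$OPENVPN_PID" ]; then
        kill "$OPENVPN_PID" 2>/dev/null || true
    fi
    rm -f "$CONFIG_DIR/server.conf"
    rm -rf "$CONFIG_DIR/$CA_DIR"
}
trap cleanup INT TERM EXIT

info "Start an OpenVPN process in background and redirect its output to a file"
openvpn --config $CONFIG_DIR/server.conf --verb 6 > $LOG_FILE &
OPENVPN_PID=$!

# … unchanged: readiness loop and log checks …
```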
@@ -0,0 +1,63 @@ +#!/bin/bash + +# ---------------------------------------------- +# Test an OpenVPN server setup with a static key +# ---------------------------------------------- + +set -e + +CONFIG_DIR=/etc/openvpn +STATIC_KEY=static.key +DEVICE=tun0 +IP_SERVER=10.9.8.1 +IP_CLIENT=10.9.8.2 +LOG_FILE=$AUTOPKGTEST_TMP/openvpn.log + +# Print information message to stdout +info() { + echo "[I] $1" +} + +info "Generate the static key inside the config directory" +cd $CONFIG_DIR +openvpn --genkey --secret $STATIC_KEY + +info "Create the config file" +cat << EOF > $CONFIG_DIR/$DEVICE.conf +dev $DEVICE +ifconfig $IP_SERVER $IP_CLIENT +secret $CONFIG_DIR/$STATIC_KEY +EOF + +info "Start an OpenVPN process in background and redirect its output to a file" +openvpn --config $CONFIG_DIR/$DEVICE.conf --verb 6 > $LOG_FILE & + +info "Give some time to start the process, check if the TUN device is opened" +count=1 +until [ -f $LOG_FILE ] && cat $LOG_FILE | grep "TUN/TAP device $DEVICE opened"; do + [ $count -gt 9 ] && exit 5 + count=$(expr $count + 1) + sleep 1 +done + +info "Check if the $DEVICE was created and if the state is UNKNOWN at this point" +ip address show $DEVICE | grep 'state UNKNOWN' + +info "Check if OpenVPN is listening on port 1194 (default port)" +ss -lnptu | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}:1194.*users:\(\(\"openvpn\"' + +info "Check if the $STATIC_KEY is used by OpenVPN" +cat $LOG_FILE | grep "shared_secret_file = '$CONFIG_DIR/$STATIC_KEY'" + +info "Check if the $DEVICE is linked" +cat $LOG_FILE | grep "/sbin/ip link set dev $DEVICE up" + +info "Check if the specified IP addresses were configured" +cat $LOG_FILE | grep "/sbin/ip addr add dev tun0 local $IP_SERVER peer $IP_CLIENT" + +# Clean up: kill tha OpenVPN process, remove the $DEVICE created and $STATIC_KEY +cleanup() { + pkill openvpn + rm $CONFIG_DIR/$STATIC_KEY +} +trap cleanup INT TERM EXIT -- cgit v1.2.3 From 69b02b1f7fd609d84ace13ab04697158de2418a9 Mon Sep 17 00:00:00 2001 
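Review bot: The checks `grep "/sbin/ip link set dev $DEVICE up"` and `grep "/sbin/ip addr add dev tun0 local $IP_SERVER peer $IP_CLIENT"` assert on log lines that OpenVPN only emits when it shells out to iproute2; the debian/rules change earlier in this series drops `--enable-iproute2`, so a 2.5 build presumably configures the interface through the netlink backend and these greps will fail on an otherwise healthy server. The same applies to the `/sbin/ip link set` and `/sbin/ip route add` greps in server-setup-with-ca. Assert on the observable interface state instead, e.g. `ip -o link show $DEVICE | grep -qw UP` and `ip -o address show $DEVICE | grep -q "inet $IP_SERVER peer $IP_CLIENT"`, which hold for either backend. Also `dev tun0` in the last grep hard-codes what `$DEVICE` already holds, and `cat $LOG_FILE | grep …` throughout can be `grep … "$LOG_FILE"`.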
From: Lucas Kanashiro Date: Tue, 26 May 2020 16:45:10 -0300 Subject: Drop reload support from systemd unit files (LP: #1868127) The current reload implementation (sending a SIGHUP signal to the process) fails, and the difference between reload and restart is not clear. Systemd does not require an implementation for reload. --- debian/openvpn.service | 1 - debian/openvpn@.service | 2 -- 2 files changed, 3 deletions(-) (limited to 'debian') diff --git a/debian/openvpn.service b/debian/openvpn.service index 0075cc4..a4d1149 100644 --- a/debian/openvpn.service +++ b/debian/openvpn.service @@ -9,7 +9,6 @@ After=network.target Type=oneshot RemainAfterExit=yes ExecStart=/bin/true -ExecReload=/bin/true WorkingDirectory=/etc/openvpn [Install] diff --git a/debian/openvpn@.service b/debian/openvpn@.service index da7adc7..945874b 100644 --- a/debian/openvpn@.service +++ b/debian/openvpn@.service @@ -1,7 +1,6 @@ [Unit] Description=OpenVPN connection to %i PartOf=openvpn.service -ReloadPropagatedFrom=openvpn.service Before=systemd-user-sessions.service After=network-online.target Wants=network-online.target @@ -16,7 +15,6 @@ WorkingDirectory=/etc/openvpn ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid PIDFile=/run/openvpn/%i.pid KillMode=process -ExecReload=/bin/kill -HUP $MAINPID CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE LimitNPROC=100 DeviceAllow=/dev/null rw -- cgit v1.2.3