Hello community,

here is the log from the commit of package openvpn.3888 for openSUSE:13.2:Update checked in at 2015-07-13 11:21:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/openvpn.3888 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.openvpn.3888.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openvpn.3888"

Changes:
--------
New Changes file:

--- /dev/null	2015-06-25 09:04:34.320025005 +0200
+++ /work/SRC/openSUSE:13.2:Update/.openvpn.3888.new/openvpn.changes	2015-07-13 11:21:44.000000000 +0200
@@ -0,0 +1,694 @@ +------------------------------------------------------------------- +Thu Jul 2 07:15:16 UTC 2015 - [email protected] + +- Fixed to use correct sha digest data length and in fips mode, + use aes instead of the disallowed blowfish crypto (boo#914166). + [* openvpn-fips140-2.3.2.patch] +- Fixed to mention actual plugin/doc dirs in openvpn(8) man page. +- Depend on systemd-devel for the daemon check functionality, + removed obsolete --with-lzo-headers configure option. + +------------------------------------------------------------------- +Mon Dec 1 13:54:15 UTC 2014 - [email protected] + +- Applied upstream patch fixing a denial-of-service vulnerability + where an authenticated client could stop the server by triggering + a server-side ASSERT (bnc#907764,CVE-2014-8104), + [+ 0007-Drop-too-short-control-channel-packets.CVE-2014-8104.patch] + +------------------------------------------------------------------- +Mon Aug 25 09:12:08 UTC 2014 - [email protected] + +- Update to version 2.3.4 + * Add support for client-cert-not-required for PolarSSL. + * Introduce safety check for http proxy options. + +------------------------------------------------------------------- +Mon May 26 15:41:34 UTC 2014 - [email protected] + +- Build with large file support in 32 bit systems. + +------------------------------------------------------------------- +Sun May 11 07:58:52 UTC 2014 - [email protected] + +- use %_rundir for %ghost directory - leaving /var/run everywhere + else + +------------------------------------------------------------------- +Tue Jan 14 10:43:19 UTC 2014 - [email protected] + +- Updated README.SUSE, documented also the rcopenvpn compatibility + wrapper script (bnc#848070). + +------------------------------------------------------------------- +Thu Jan 9 14:14:19 UTC 2014 - [email protected] + +- openvpn-fips140-2.3.2.patch: Allow usage of SHA1 instead of MD5 in + some internal checking routines. This allows operation in FIPS 140-2 + mode. 
+ +------------------------------------------------------------------- +Tue Dec 17 15:26:16 UTC 2013 - [email protected] + +- Readded rcopenvpn helper script under systemd (bnc#848070) + +------------------------------------------------------------------- +Thu Oct 31 18:45:02 UTC 2013 - [email protected] + +- Fixed invalid mode in exec bit removal call from doc files + +------------------------------------------------------------------- +Tue Aug 27 16:28:52 UTC 2013 - [email protected] + +- Add a section about how to control all or a named configuration with the + help of systemctl to the README.SUSE file. + +------------------------------------------------------------------- +Mon Jun 3 22:09:09 UTC 2013 - [email protected] + +- Update to 2.3.2 + +Fixes since 2.3.0 +- Remove dead code path and putenv functionality +- Remove unused function xor +- Move static prototype definition from header into c file +- Remove unused function no_tap_ifconfig +- fix build with automake 1.13(.1) +- Fix corner case in NTLM authentication (trac #172) +- Update README.IPv6 to match what is in 2.3.0 +- Repair "tcp server queue overflow" brokenness, more <stdbool.h> fallout. +- Permit pool size of /64.../112 for ifconfig-ipv6-pool +- Add MIN() compatibility macro +- Fix directly connected routes for "topology subnet" on Solaris. +- close more file descriptors on exec +- Ignore UTF-8 byte order mark +- reintroduce --no-name-remapping option +- make --tls-remote compatible with pre 2.3 configs +- add new option for X.509 name verification +- add man page patch for missing options +- Fix parameter listing in non-debug builds at verb 4 +- (updated) [PATCH] Warn when using verb levels >=7 without debug +- Enable TCP_NODELAY configuration on FreeBSD. +- Updated README +- Cleaned up and updated INSTALL +- PolarSSL-1.2 support +- Improve PolarSSL key_state_read_{cipher, plain}text messages +- Improve verify_callback messages +- Config compatibility patch. Added translate_cipher_name. 
+- Switch to IANA names for TLS ciphers. +- Fixed autoconf script to properly detect missing pkcs11 with polarssl. +- Use constant time memcmp when comparing HMACs in openvpn_decrypt. + +------------------------------------------------------------------- +Mon May 6 11:13:49 UTC 2013 - [email protected] + +- Try to migrate openvpn.service autostart to openvpn@<CONF>.service + instance enablement. + +------------------------------------------------------------------- +Tue Apr 23 13:20:48 UTC 2013 - [email protected] + +- Fixed to enable systemd support in configure +- Fixed openvpn-tmpfile.conf to use GID root, there is no openvpn group. +- Added openvpn.target file allowing to handle all instances at once. +- Fixed to install the service template correctly as [email protected]. + Use "systemctl enable [email protected]" to enable instance using + /etc/openvpn/foo.conf. +- Disabled systemd variant of restart on update rpm macro, adopted other + macros to use openvpn.target to e.g. stop all instances on uninstall. + +------------------------------------------------------------------- +Tue Mar 26 14:38:48 UTC 2013 - [email protected] + +- Remove _unitdir definition, it is provided by systemd. 
+- Install service file without x permissions + +------------------------------------------------------------------- +Mon Mar 25 14:55:35 UTC 2013 - [email protected] + +Update to version 2.3.0: + * Full IPv6 support + * SSL layer modularised, enabling easier implementation for other SSL libraries + * PolarSSL support as a drop-in replacement for OpenSSL + * New plug-in API providing direct certificate access, improved logging API + and easier to extend in the future + * Added 'dev_type' environment variable to scripts and plug-ins - which is + set to 'TUN' or 'TAP' + * New feature: --management-external-key - to provide access to the encryption + keys via the management interface + * New feature: --x509-track option, more fine grained access to X.509 fields + in scripts and plug-ins + * New feature: --client-nat support + * New feature: --mark which can mark encrypted packets from the tunnel, suitable + for more advanced routing and firewalling + * New feature: --management-query-proxy - manage proxy settings via the management + interface (supercedes --http-proxy-fallback) + * New feature: --stale-routes-check, which cleans up the internal routing table + * New feature: --x509-username-field, where other X.509v3 fields can be used for + the authentication instead of Common Name + * Improved client-kill management interface command + * Improved UTF-8 support - and added --compat-names to provide backwards compatibility + with older scripts/plug-ins + * Improved auth-pam with COMMONNAME support, passing the certificate's common + name in the PAM conversation + * More options can now be used inside <connection> blocks + * Completely new build system, enabling easier cross-compilation and Windows builds + * Much of the code has been better documented + * Many documentation updates + * Plenty of bug fixes and other code clean-ups +- Add systemd native support for OpenSUSE > 12.1 +- Adapt patchs to upstream release: + * openvpn-2.1-plugin-man.dif > 
openvpn-2.3-plugin-man.dif + * openvpn-2.1.0-man-dot.diff > openvpn-2.3.0-man-dot.diff +- Remove obsolete patchs; fixed or merged on upstream release: + * 0001-Use-SSL_MODE_RELEASE_BUFFERS-if-available.patch + * openvpn-2.1-plugin-build.dif + * openvpn-2.1-systemd-passwd.patch +- Rebase specfile to upstream changes: + * easy-rsa is not provided anymore with main package + * remove %clean section + * autoreconf -fi is no needed +- Update openvpn.keyring file for upstream release asc key + +------------------------------------------------------------------- +Mon Jan 28 13:59:07 UTC 2013 - [email protected] + +- Join openvpn.service systemd cgroup in start when needed, e.g. + when starting with further parameters. (bnc#781106) + +------------------------------------------------------------------- +Thu Nov 29 18:19:40 CET 2012 - [email protected] + +- Verify GPG signature. + +------------------------------------------------------------------- +Fri Sep 21 12:18:32 UTC 2012 - [email protected] + +- fix ciaran's previous license entry. the license has a SUSE prefix + +------------------------------------------------------------------- +Thu Sep 20 10:50:23 UTC 2012 - [email protected] + +- Fixed openvpn init script to not map reopen to reload so the + reopen code is without any effect (bnc#781106). +- Added requested OPENVPN_AUTOSTART variable allowing to provide + an optional list of config names started by default (bnc#692440). 
+ +------------------------------------------------------------------- +Wed Aug 22 14:50:39 UTC 2012 - [email protected] ++++ 497 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.openvpn.3888.new/openvpn.changes New: ---- 0007-Drop-too-short-control-channel-packets.CVE-2014-8104.patch client-netconfig.down client-netconfig.up openvpn-2.3-plugin-man.dif openvpn-2.3.0-man-dot.diff openvpn-2.3.4.tar.gz openvpn-2.3.4.tar.gz.asc openvpn-fips140-2.3.2.patch openvpn-tmpfile.conf openvpn.README.SUSE openvpn.changes openvpn.init openvpn.keyring openvpn.service openvpn.spec openvpn.sysconfig openvpn.target rcopenvpn ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvpn.spec ++++++ # # spec file for package openvpn # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %if 0%{?suse_version} > 1210 %define with_systemd 1 %else %define with_systemd 0 %endif %if ! 
%{defined _rundir}
%define _rundir %{_localstatedir}/run
%endif

Name:           openvpn
Url:            http://openvpn.net/
%if %{with_systemd}
%{?systemd_requires}
%else
PreReq:         %insserv_prereq %fillup_prereq
%endif
Version:        2.3.4
Release:        0
Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
License:        SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
Group:          Productivity/Networking/Security
Source:         http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
Source1:        http://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz.asc
Source2:        %{name}.init
Source6:        %{name}.sysconfig
Source3:        %{name}.README.SUSE
Source4:        client-netconfig.up
Source5:        client-netconfig.down
Source7:        %{name}.keyring
Source8:        %{name}.service
Source9:        %{name}.target
Source10:       %{name}-tmpfile.conf
Source11:       rc%{name}
Patch1:         %{name}-2.3-plugin-man.dif
Patch5:         %{name}-2.3.0-man-dot.diff
Patch6:         %{name}-fips140-2.3.2.patch
Patch7:         0007-Drop-too-short-control-channel-packets.CVE-2014-8104.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  gpg-offline
BuildRequires:  iproute2
BuildRequires:  lzo-devel
BuildRequires:  openssl-devel
BuildRequires:  pam-devel
%if %{with_systemd}
BuildRequires:  systemd
%endif
BuildRequires:  libselinux-devel
BuildRequires:  pkcs11-helper-devel
Requires:       pkcs11-helper
%if %{with_systemd}
BuildRequires:  systemd-devel
%endif

%description
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
range of configurations, including remote access, site-to-site VPNs, WiFi
security, and enterprise-scale remote access solutions with load balancing,
failover, and fine-grained access-controls.

OpenVPN implements OSI layer 2 or 3 secure network extension using the
industry standard SSL/TLS protocol, supports flexible client authentication
methods based on certificates, smart cards, and/or 2-factor authentication,
and allows user or group-specific access control policies using firewall
rules applied to the VPN virtual interface.

OpenVPN runs on: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD,
NetBSD, Mac OS X, and Solaris.

OpenVPN is not a web application proxy and does not operate through a web
browser.

%package down-root-plugin
Summary:        OpenVPN down-root plugin
Group:          Productivity/Networking/Security
Requires:       %{name} = %{version}

%description down-root-plugin
The OpenVPN down-root plugin allows an OpenVPN configuration to call a down
script with root privileges, even when privileges have been dropped using
--user/--group/--chroot.

This module uses a split privilege execution model which will fork() before
OpenVPN drops root privileges, at the point where the --up script is usually
called. The plugin will then remain in a wait state until it receives a
message from OpenVPN via pipe to execute the down script. Thus, the down
script will be run in the same execution environment as the up script.

%package auth-pam-plugin
Summary:        OpenVPN auth-pam plugin
Group:          Productivity/Networking/Security
Requires:       %{name} = %{version}

%description auth-pam-plugin
The OpenVPN auth-pam plugin implements username/password authentication via
PAM, and essentially allows any authentication method supported by PAM (such
as LDAP, RADIUS, or Linux Shadow passwords) to be used with OpenVPN. While
PAM supports username/password authentication, this can be combined with
X509 certificates to provide two independent levels of authentication.

This plugin uses a split privilege execution model which will function even
if you drop openvpn daemon privileges using the user, group, or chroot
directives.

%prep
%gpg_verify %{S:1}
%setup -q -n %{name}-%{version}
%patch1 -p0
%patch5 -p0
%patch6 -p1
%patch7 -p1
sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
    -i src/openvpn/options.c
sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \
    -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
    -i doc/openvpn.8
# %%doc items shouldn't be executable.
find contrib sample -type f -exec chmod a-x \{\} \;

%build
export CFLAGS="$RPM_OPT_FLAGS $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing"
export LDFLAGS
%configure \
    --enable-iproute2 \
    --enable-x509-alt-username \
    --enable-password-save \
%if %{with_systemd}
    --enable-systemd \
%endif
    --enable-plugins \
    --enable-plugin-down-root \
    --enable-plugin-auth-pam \
    CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS" \
    LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins"
make

%install
make DESTDIR=$RPM_BUILD_ROOT install
find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn
mkdir -p $RPM_BUILD_ROOT/%{_rundir}/openvpn
mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn
%if %{with_systemd}
install -D -m 644 $RPM_SOURCE_DIR/%{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 644 $RPM_SOURCE_DIR/%{name}.target  %{buildroot}/%{_unitdir}/%{name}.target
install -D -m 755 $RPM_SOURCE_DIR/rc%{name}       %{buildroot}%{_sbindir}/rc%{name}
# tmpfiles.d
mkdir -p %{buildroot}%{_libexecdir}/tmpfiles.d
install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
%else
install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/openvpn
ln -sv %{_sysconfdir}/init.d/openvpn $RPM_BUILD_ROOT/%{_sbindir}/rcopenvpn
# the /etc/sysconfig/openvpn template only with sysvinit, not needed with systemd
install -d -m0755 %{buildroot}/var/adm/fillup-templates
install -m0600 $RPM_SOURCE_DIR/openvpn.sysconfig \
    %{buildroot}/var/adm/fillup-templates/sysconfig.openvpn
%endif
cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE
install -m 755 $RPM_SOURCE_DIR/client-netconfig.up   sample/sample-scripts/client-netconfig.up
install -m 755 $RPM_SOURCE_DIR/client-netconfig.down sample/sample-scripts/client-netconfig.down
# we install docs via spec into _defaultdocdir/name/management-notes.txt
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name}

%post
%__mkdir_p -m750 %{_rundir}/openvpn
%if %{with_systemd}
%service_add_post %{name}.target
# try to migrate openvpn.service autostart to openvpn@<CONF>.service
if test ${FIRST_ARG:-$1} -ge 1 -a \
        -x /bin/systemctl -a \
        -f /etc/sysconfig/openvpn -a \
        -f /var/adm/fillup-templates/sysconfig.openvpn && \
   /bin/systemctl --quiet is-enabled openvpn.service &>/dev/null ; then
	. /etc/sysconfig/openvpn
	try_service_cgroup_join()
	{
		local p="/var/run/openvpn/${1}.pid"
		local t="/sys/fs/cgroup/systemd/system/openvpn@.service/${1}"
		/sbin/checkproc -p "$p" "%{_sbindir}/openvpn" &>/dev/null || return 0
		test -d "$t" || mkdir -p "$t" 2>/dev/null || return 1
		cat "$p" > "$t/tasks" 2>/dev/null || return 1
	}
	if test "X$OPENVPN_AUTOSTART" != "X" ; then
		for conf in $OPENVPN_AUTOSTART ; do
			test -f "/etc/openvpn/${conf}.conf" && \
			/bin/systemctl enable "openvpn@${conf}.service" && \
			try_service_cgroup_join "$conf" || continue
		done
	else
		shopt -s nullglob || :
		for conf in /etc/openvpn/*.conf ; do
			conf=${conf##*/}
			conf=${conf%.conf}
			test -f "/etc/openvpn/${conf}.conf" && \
			/bin/systemctl enable "openvpn@${conf}.service" && \
			try_service_cgroup_join "$conf" || continue
		done
	fi
fi
rm -f /etc/sysconfig/openvpn || :
%else
%{?fillup_and_insserv:%fillup_and_insserv}
%endif

%preun
%if %{with_systemd}
%service_del_preun %{name}.target
%else
%{?stop_on_removal:%stop_on_removal openvpn}
%endif

%postun
%if %{with_systemd}
/bin/systemctl --system daemon-reload &>/dev/null || :
%else
%{?insserv_cleanup:%insserv_cleanup}
%endif

%files
%defattr(-,root,root)
%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog PORTS README
%doc src/plugins/{auth-pam/README.auth-pam,down-root/README.down-root}
%doc README.*
%doc contrib
%doc sample/sample-config-files
%doc sample/sample-keys
%doc sample/sample-scripts
%doc doc/management-notes.txt
%doc %{_mandir}/man8/openvpn.8.gz
%config(noreplace) %{_sysconfdir}/openvpn/
%if %{with_systemd}
%{_unitdir}/%{name}@.service
%{_unitdir}/%{name}.target
%{_libexecdir}/tmpfiles.d/%{name}.conf
%else
%config %{_sysconfdir}/init.d/openvpn
/var/adm/fillup-templates/sysconfig.openvpn
%endif
%{_sbindir}/rcopenvpn
%{_sbindir}/openvpn
%attr(0750,root,root) %dir %ghost %{_rundir}/openvpn
%{_includedir}/%{name}-plugin.h

%files down-root-plugin
%defattr(-,root,root)
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/%{name}-plugin-down-root.so

%files auth-pam-plugin
%defattr(-,root,root)
%dir %{_libdir}/%{name}
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/%{name}-plugin-auth-pam.so

%changelog

++++++ 0007-Drop-too-short-control-channel-packets.CVE-2014-8104.patch ++++++
From c5590a6821e37f3b29735f55eb0c2b9c0924138c Mon Sep 17 00:00:00 2001
From: Steffan Karger <[email protected]>
Date: Thu, 20 Nov 2014 13:43:05 +0100
References: bsc#907764, CVE-2014-8104
Upstream: yes
Subject: [PATCH] Drop too-short control channel packets instead of asserting out.

This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().

OpenVPN would previously ASSERT() that control channel packets have a payload
of at least 4 bytes. An authenticated client could trigger this assert by
sending a too-short control channel packet to the server.

Thanks to Dragana Damjanovic for reporting the issue. This bug has been
assigned CVE-2014-8104.

Signed-off-by: Steffan Karger <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Gert Doering <[email protected]>

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 2adfa26..cdc8eb1 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2002,7 +2002,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi ASSERT (session->opt->key_method == 2); /* discard leading uint32 */ - ASSERT (buf_advance (buf, 4)); + if (!buf_advance (buf, 4)) { + msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", + buf->len); + goto error; + } /* get key method */ key_method_flags = buf_read_u8 (buf); -- 2.1.2 ++++++ client-netconfig.down ++++++ #!/bin/bash # Copyright (c) 2010 Andreas Schneider <[email protected]> # Marius Tomaschewski <[email protected]> # Licensed under the GPL version 2 # PURPOSE: This script automatically removes the /etc/resolv.conf # and another settings applied before via netconfig. # INSTALL NOTES: # Place this file in /etc/openvpn/client.down # Then, add the following to your /etc/openvpn/<clientconfig>.conf: # client # pull dhcp-options # up /etc/openvpn/client.up # down /etc/openvpn/client.down # Finally, "chmod +x /etc/openvpn/client.{up,down}" # disable pathname expansion shopt -o -s noglob # --up/--down patametes are: # # tun_dev tun_mtu link_mtu ifconfig_local_ip # ifconfig_remote_ip [ init | restart ] # # tap_dev tap_mtu link_mtu ifconfig_local_ip # ifconfig_netmask [ init | restart ] dev=$1 # skip, when there is no interface parameter or netconfig if test -a /sbin/netconfig -a "x${dev}" != x ; then /sbin/netconfig remove -s openvpn -i "${dev}" fi # all done... exit 0 ++++++ client-netconfig.up ++++++ #!/bin/bash # Copyright (c) 2010 Andreas Schneider <[email protected]> # Marius Tomaschewski <[email protected]> # Licensed under the GPL version 2 # PURPOSE: This script sets the proper /etc/resolv.conf and another # settings as pulled down from an OpenVPN server using a # netconfig modify call. 
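Review bot: the key_method_2_read hunk correctly turns a client-reachable ASSERT into a logged error path, but the very next read, `key_method_flags = buf_read_u8 (buf);`, is still unchecked in this hunk, so confirm that a packet of exactly 4 bytes (which now passes buf_advance but leaves nothing to read) is also rejected instead of carrying a negative flags value forward. Naming the packet type in the message, e.g. "TLS ERROR: control channel packet too short (%d bytes)", would make the log line easier to find when triaging CVE-2014-8104 reports.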
# INSTALL NOTES:
#   Place this file in /etc/openvpn/client.up
#   Then, add the following to your /etc/openvpn/<clientconfig>.conf:
#       client
#       pull dhcp-options
#       up /etc/openvpn/client.up
#       down /etc/openvpn/client.down
#   Finally, "chmod +x /etc/openvpn/client.{up,down}"

# disable pathname expansion
shopt -o -s noglob

# --up/--down parameters are:
#
# tun_dev tun_mtu link_mtu ifconfig_local_ip
# ifconfig_remote_ip [ init | restart ]
#
# tap_dev tap_mtu link_mtu ifconfig_local_ip
# ifconfig_netmask [ init | restart ]

dev=$1

# skip, when there is no interface parameter or netconfig
if test -x /sbin/netconfig -a "x${dev}" != x ; then
	# init variables
	dns_domain=()
	dns_server=()
	ntp_server=()
	wins_server=()
	nbdd_server=()
	nb_typeid=""
	nb_scopeid=""
	nb_disable=""

	# collect settings data pushed by the server (foreign_option_N env vars)
	for fopt in ${!foreign_option_*} ; do
		test "x${!fopt}" != x || continue
		data=(${!fopt})
		test "x${data[0]}" = "xdhcp-option" && \
		case "${data[1]}" in
		DOMAIN)      dns_domain+=("${data[2]}")  ;;
		DNS)         dns_server+=("${data[2]}")  ;;
		NTP)         ntp_server+=("${data[2]}")  ;;
		WINS)        wins_server+=("${data[2]}") ;;
		NBDD)        nbdd_server+=("${data[2]}") ;;
		NBT)         nb_typeid="${data[2]}"      ;;
		NBS)         nb_scopeid="${data[2]}"     ;;
		DISABLE-NBT) nb_disable="yes"            ;;
		esac
	done

	# call netconfig modify
	{
		echo "DNSSEARCH='${dns_domain[*]}'"
		echo "DNSSERVERS='${dns_server[*]}'"
		echo "NTPSERVERS='${ntp_server[*]}'"
		# currently unused / no netconfig module for:
		echo "NETBIOSNAMESERVER='${wins_server[*]}'"
		echo "NETBIOSDDSERVER='${nbdd_server[*]}'"
		echo "NETBIOSNODETYPE='$nb_typeid'"
		echo "NETBIOSSCOPE='$nb_scopeid'"
		# nb_disable ?
	} | /sbin/netconfig modify -s openvpn -i "$dev"
fi

# all done...
exit 0

++++++ openvpn-2.3-plugin-man.dif ++++++
--- doc/openvpn.8
+++ doc/openvpn.8	2015/03/02 08:58:02
@@ -2569,12 +2569,11 @@ plug-in modules, see the README file in .B plugin folder of the OpenVPN source distribution. -If you are using an RPM install of OpenVPN, see -/usr/share/openvpn/plugin. The documentation is -in -.B doc -and the actual plugin modules are in -.B lib. +If you are using an RPM install of OpenVPN, the actual +plugin modules are in +.B @PLUGIN_LIBDIR@ +and the documentation is in +.B @PLUGIN_DOCDIR@/README.<plugin-name>. Multiple plugin modules can be cascaded, and modules can be used in tandem with scripts. The modules will be called by ++++++ openvpn-2.3.0-man-dot.diff ++++++ --- doc/openvpn.8 +++ doc/openvpn.8 @@ -21,7 +21,7 @@ .\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA .\" .\" Manual page for openvpn -.\ +.\" .\" SH section heading .\" SS subsection heading .\" LP paragraph ++++++ openvpn-fips140-2.3.2.patch ++++++ --- openvpn-2.3.2/src/openvpn/crypto_backend.h +++ openvpn-2.3.2/src/openvpn/crypto_backend.h 2015/02/19 09:15:02 @@ -452,10 +452,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_ * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters + * @param prf_use Intended use for PRF in TLS protocol * */ void hmac_ctx_init (hmac_ctx_t *ctx, const uint8_t *key, int key_length, - const md_kt_t *kt); + const md_kt_t *kt, bool prf_use); /* * Free the given HMAC context. --- openvpn-2.3.2/src/openvpn/crypto.c +++ openvpn-2.3.2/src/openvpn/crypto.c 2015/02/19 09:15:02 @@ -486,7 +486,7 @@ init_key_ctx (struct key_ctx *ctx, struc if (kt->digest && kt->hmac_length > 0) { ALLOC_OBJ(ctx->hmac, hmac_ctx_t); - hmac_ctx_init (ctx->hmac, key->hmac, kt->hmac_length, kt->digest); + hmac_ctx_init (ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0); msg (D_HANDSHAKE, "%s: Using %d bit message hash '%s' for HMAC authentication", 
@@ -1409,61 +1409,61 @@ free_ssl_lib (void) #endif /* ENABLE_SSL */ /* - * md5 functions + * sha1 functions */ const char * -md5sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc) +sha1sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc) { - uint8_t digest[MD5_DIGEST_LENGTH]; - const md_kt_t *md5_kt = md_kt_get("MD5"); + uint8_t digest[SHA_DIGEST_LENGTH]; + const md_kt_t *sha1_kt = md_kt_get("SHA1"); - md_full(md5_kt, buf, len, digest); + md_full(sha1_kt, buf, len, digest); - return format_hex (digest, MD5_DIGEST_LENGTH, n_print_chars, gc); + return format_hex (digest, SHA_DIGEST_LENGTH, n_print_chars, gc); } void -md5_state_init (struct md5_state *s) +sha1_state_init (struct sha1_state *s) { - const md_kt_t *md5_kt = md_kt_get("MD5"); + const md_kt_t *sha1_kt = md_kt_get("SHA1"); - md_ctx_init(&s->ctx, md5_kt); + md_ctx_init(&s->ctx, sha1_kt); } void -md5_state_update (struct md5_state *s, void *data, size_t len) +sha1_state_update (struct sha1_state *s, void *data, size_t len) { md_ctx_update(&s->ctx, data, len); } void -md5_state_final (struct md5_state *s, struct md5_digest *out) +sha1_state_final (struct sha1_state *s, struct sha1_digest *out) { md_ctx_final(&s->ctx, out->digest); md_ctx_cleanup(&s->ctx); } void -md5_digest_clear (struct md5_digest *digest) +sha1_digest_clear (struct sha1_digest *digest) { CLEAR (*digest); } bool -md5_digest_defined (const struct md5_digest *digest) +sha1_digest_defined (const struct sha1_digest *digest) { int i; - for (i = 0; i < MD5_DIGEST_LENGTH; ++i) + for (i = 0; i < SHA_DIGEST_LENGTH; ++i) if (digest->digest[i]) return true; return false; } bool -md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2) +sha1_digest_equal (const struct sha1_digest *d1, const struct sha1_digest *d2) { - return memcmp(d1->digest, d2->digest, MD5_DIGEST_LENGTH) == 0; + return memcmp(d1->digest, d2->digest, SHA_DIGEST_LENGTH) == 0; } #endif /* ENABLE_CRYPTO */ --- 
openvpn-2.3.2/src/openvpn/crypto.h +++ openvpn-2.3.2/src/openvpn/crypto.h 2015/02/19 09:15:02 @@ -364,24 +364,24 @@ void free_ssl_lib (void); #endif /* ENABLE_SSL */ /* - * md5 functions + * sha1 functions */ -struct md5_state { +struct sha1_state { md_ctx_t ctx; }; -struct md5_digest { - uint8_t digest [MD5_DIGEST_LENGTH]; +struct sha1_digest { + uint8_t digest [SHA_DIGEST_LENGTH]; }; -const char *md5sum(uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc); -void md5_state_init (struct md5_state *s); -void md5_state_update (struct md5_state *s, void *data, size_t len); -void md5_state_final (struct md5_state *s, struct md5_digest *out); -void md5_digest_clear (struct md5_digest *digest); -bool md5_digest_defined (const struct md5_digest *digest); -bool md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2); +const char *sha1sum(uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc); +void sha1_state_init (struct sha1_state *s); +void sha1_state_update (struct sha1_state *s, void *data, size_t len); +void sha1_state_final (struct sha1_state *s, struct sha1_digest *out); +void sha1_digest_clear (struct sha1_digest *digest); +bool sha1_digest_defined (const struct sha1_digest *digest); +bool sha1_digest_equal (const struct sha1_digest *d1, const struct sha1_digest *d2); /* * Inline functions --- openvpn-2.3.2/src/openvpn/crypto_openssl.c +++ openvpn-2.3.2/src/openvpn/crypto_openssl.c 2015/02/19 09:15:02 
@@ -719,13 +719,17 @@ md_ctx_final (EVP_MD_CTX *ctx, uint8_t * void hmac_ctx_init (HMAC_CTX *ctx, const uint8_t *key, int key_len, - const EVP_MD *kt) + const EVP_MD *kt, bool prf_use) { ASSERT(NULL != kt && NULL != ctx); CLEAR(*ctx); HMAC_CTX_init (ctx); + /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not + * to be used anywhere else */ + if(kt == EVP_md5() && prf_use) + HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); HMAC_Init_ex (ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ --- openvpn-2.3.2/src/openvpn/crypto_openssl.h +++ openvpn-2.3.2/src/openvpn/crypto_openssl.h 2015/02/19 09:15:02 @@ -33,6 +33,7 @@ #include <openssl/evp.h> #include <openssl/hmac.h> #include <openssl/md5.h> +#include <openssl/sha.h> /** Generic cipher key type %context. */ typedef EVP_CIPHER cipher_kt_t; --- openvpn-2.3.2/src/openvpn/crypto_polarssl.c +++ openvpn-2.3.2/src/openvpn/crypto_polarssl.c 2015/02/19 09:15:02 @@ -608,7 +608,7 @@ md_ctx_final (md_context_t *ctx, uint8_t * TODO: re-enable dmsg for crypto debug */ void -hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt) +hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt, bool prf_use) { ASSERT(NULL != kt && NULL != ctx); --- openvpn-2.3.2/src/openvpn/init.c +++ openvpn-2.3.2/src/openvpn/init.c 2015/02/19 09:15:02 @@ -1352,12 +1352,12 @@ do_route (const struct options *options, */ #if P2MP static void -save_pulled_options_digest (struct context *c, const struct md5_digest *newdigest) +save_pulled_options_digest (struct context *c, const struct sha1_digest *newdigest) { if (newdigest) c->c1.pulled_options_digest_save = *newdigest; else - md5_digest_clear (&c->c1.pulled_options_digest_save); + sha1_digest_clear (&c->c1.pulled_options_digest_save); } #endif 
@@ -1649,8 +1649,8 @@ do_up (struct context *c, bool pulled_op if (!c->c2.did_open_tun && PULL_DEFINED (&c->options) && c->c1.tuntap - && (!md5_digest_defined (&c->c1.pulled_options_digest_save) || !md5_digest_defined (&c->c2.pulled_options_digest) - || !md5_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest))) + && (!sha1_digest_defined (&c->c1.pulled_options_digest_save) || !sha1_digest_defined (&c->c2.pulled_options_digest) + || !sha1_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest))) { /* if so, close tun, delete routes, then reinitialize tun and add routes */ msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); @@ -2697,11 +2697,11 @@ do_compute_occ_strings (struct context * #ifdef ENABLE_CRYPTO msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'", options_string_version (c->c2.options_string_local, &gc), - md5sum ((uint8_t*)c->c2.options_string_local, + sha1sum ((uint8_t*)c->c2.options_string_local, strlen (c->c2.options_string_local), 9, &gc)); msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'", options_string_version (c->c2.options_string_remote, &gc), - md5sum ((uint8_t*)c->c2.options_string_remote, + sha1sum ((uint8_t*)c->c2.options_string_remote, strlen (c->c2.options_string_remote), 9, &gc)); #endif --- openvpn-2.3.2/src/openvpn/ntlm.c +++ openvpn-2.3.2/src/openvpn/ntlm.c 2015/02/19 09:15:02 @@ -90,7 +90,7 @@ gen_hmac_md5 (const char* data, int data hmac_ctx_t hmac_ctx; CLEAR(hmac_ctx); - hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt); + hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt, 0); hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len); hmac_ctx_final(&hmac_ctx, (unsigned char *)result); hmac_ctx_cleanup(&hmac_ctx); --- openvpn-2.3.2/src/openvpn/openvpn.h +++ openvpn-2.3.2/src/openvpn/openvpn.h 2015/02/19 09:15:02 
@@ -206,7 +206,7 @@ struct context_1 #endif /* if client mode, hash of option strings we pulled from server */ - struct md5_digest pulled_options_digest_save; + struct sha1_digest pulled_options_digest_save; /**< Hash of option strings received from the * remote OpenVPN server. Only used in * client-mode. */ @@ -474,9 +474,9 @@ struct context_2 bool did_pre_pull_restore; /* hash of pulled options, so we can compare when options change */ - bool pulled_options_md5_init_done; - struct md5_state pulled_options_state; - struct md5_digest pulled_options_digest; + bool pulled_options_sha1_init_done; + struct sha1_state pulled_options_state; + struct sha1_digest pulled_options_digest; struct event_timeout server_poll_interval; --- openvpn-2.3.2/src/openvpn/options.c +++ openvpn-2.3.2/src/openvpn/options.c 2015/02/19 09:15:10 @@ -828,6 +828,10 @@ init_options (struct options *o, const b #endif #ifdef ENABLE_CRYPTO o->ciphername = "BF-CBC"; +#ifdef OPENSSL_FIPS + if(FIPS_mode()) + o->ciphername = "AES-256-CBC"; +#endif o->ciphername_defined = true; o->authname = "SHA1"; o->authname_defined = true; --- openvpn-2.3.2/src/openvpn/push.c +++ openvpn-2.3.2/src/openvpn/push.c 2015/02/19 09:15:02 @@ -446,10 +446,10 @@ process_incoming_push_msg (struct contex if (ch == ',') { struct buffer buf_orig = buf; - if (!c->c2.pulled_options_md5_init_done) + if (!c->c2.pulled_options_sha1_init_done) { - md5_state_init (&c->c2.pulled_options_state); - c->c2.pulled_options_md5_init_done = true; + sha1_state_init (&c->c2.pulled_options_state); + c->c2.pulled_options_sha1_init_done = true; } if (!c->c2.did_pre_pull_restore) { 
@@ -465,13 +465,13 @@ process_incoming_push_msg (struct contex { case 0: case 1: - md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); - md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); - c->c2.pulled_options_md5_init_done = false; + sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); + sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); + c->c2.pulled_options_sha1_init_done = false; ret = PUSH_MSG_REPLY; break; case 2: - md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); + sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); ret = PUSH_MSG_CONTINUATION; break; } --- openvpn-2.3.2/src/openvpn/ssl.c +++ openvpn-2.3.2/src/openvpn/ssl.c 2015/02/19 09:15:02 
@@ -1342,8 +1342,8 @@ tls1_P_hash(const md_kt_t *md_kt, chunk = md_kt_size(md_kt); A1_len = md_kt_size(md_kt); - hmac_ctx_init(&ctx, sec, sec_len, md_kt); - hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt); + hmac_ctx_init(&ctx, sec, sec_len, md_kt, 1); + hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt, 1); hmac_ctx_update(&ctx,seed,seed_len); hmac_ctx_final(&ctx, A1);
++++++ openvpn-tmpfile.conf ++++++
D /var/run/openvpn 0750 root root -
++++++ openvpn.README.SUSE ++++++
Notes about the OpenVPN package

In a fresh installation, you will find an empty directory /etc/openvpn.
The directory is meant to contain *.conf files.

With openSUSE post-12.3 either all enabled instances are handled by calling

  'systemctl <start|stop|status> openvpn.target'

or each tunnel/config separately using the openvpn service template:

  'systemctl <start|stop|status|enable|disable> openvpn@<name>.service'

where <name> is the name of the configuration file /etc/openvpn/<name>.conf.

The OPENVPN_AUTOSTART sysconfig variable, which specified the list of
enabled configs, is migrated to systemctl enable on update.

Alternatively, you can also use the rcopenvpn compatibility wrapper:

  rcopenvpn <start|stop|status>

or per config/tunnel:

  rcopenvpn <start|stop|status|enable|disable> <name>

++++++ openvpn.init ++++++
#! /bin/sh
# Copyright (c) 2003 SuSE Linux AG
# Copyright (c) 2004-2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
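Review bot: in the crypto_openssl.c hmac_ctx_init hunk the return value of HMAC_Init_ex is still not checked, so when FIPS mode rejects the digest (the case the new comment describes: MD5 with prf_use false) the failure is silent and the caller carries on with a context that was never initialised; wrap it as `ASSERT(HMAC_Init_ex (ctx, key, key_len, kt, NULL));` or fail with msg(M_FATAL, ...) so a disallowed digest stops the process instead of producing wrong MACs. The new parameter is a bool, so call sites should pass true/false rather than the 0/1 literals used in ntlm.c and ssl.c, and the comment should say that the exemption is applied to the HMAC_CTX via HMAC_CTX_set_flags(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW), i.e. only to this one context.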
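Review bot: in the crypto_polarssl.c hmac_ctx_init hunk the prf_use parameter is added to the signature but nothing in the shown lines uses it; state the reason in a comment (`/* prf_use is unused: the PolarSSL backend has no FIPS restriction */`) and add `(void)prf_use;` so -Wunused-parameter builds stay quiet and the two backends' contracts stay visibly in sync.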
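Review bot: the init.c save_pulled_options_digest hunk changes the saved digest type to struct sha1_digest and calls sha1_digest_clear, but neither that struct nor sha1_digest_clear, sha1_digest_defined, sha1_digest_equal, sha1_state_init/update/final, sha1sum or struct sha1_state is defined in any hunk of this patch; the definitions (presumably next to the md5_* helpers) must be part of the patch or the build breaks, and the patch description should list the file that carries them.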
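Review bot: in the do_compute_occ_strings hunk md5sum is replaced by sha1sum with the same truncation argument 9, so the "Local Options hash" and "Expected Remote Options hash" values printed by a patched build differ from those of an unpatched 2.3.2; nothing in the hunk compares these values, they are only logged, but the changelog should say so explicitly so that a mismatch against a peer's log is not read as a configuration error.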
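Review bot: the ntlm.c gen_hmac_md5 hunk passes 0 for prf_use, which by the rule in the crypto_openssl.c comment means HMAC-MD5 for NTLM proxy authentication is no longer permitted in FIPS mode; that is the right policy outcome, but it is a behaviour change for --http-proxy users with NTLM auth and belongs in the changelog, and because hmac_ctx_init does not check HMAC_Init_ex's result the failure would show up as a wrong authentication response rather than a clear error message.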
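Review bot: in the options.c init_options hunk the default cipher becomes AES-256-CBC only on a host where FIPS_mode() is true; nothing in the hunk tells the peer about it, so a FIPS-mode peer and a non-FIPS peer that both rely on the default will end up with BF-CBC on one side and AES-256-CBC on the other. The changelog and README.SUSE should tell administrators to set --cipher explicitly on both ends, and the openvpn(8) default-cipher text needs the same note. The check is compiled only under OPENSSL_FIPS, so the PolarSSL build keeps BF-CBC unchanged; say that in the comment as well.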
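Review bot: in the openvpn.h struct context_2 hunk the field comment "hash of pulled options" should name the digest now that the type is struct sha1_state/sha1_digest, and pulled_options_sha1_init_done should get the same comment treatment; otherwise the rename is consistent with the push.c hunks that set and clear the flag.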
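Review bot: in the ssl.c tls1_P_hash hunk both hmac_ctx_init calls pass the literal 1 for prf_use; use true and add a one-line comment saying why the PRF is the one place MD5 remains permitted (the TLS 1.0 PRF splits the secret across MD5 and SHA-1, which is what the NON_FIPS_ALLOW flag set in crypto_openssl.c exists for), so a later cleanup does not "fix" the argument back to false and break key derivation in FIPS mode.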
#
# Author: Peter Poeml <[email protected]>
#         Marius Tomaschewski <[email protected]>
#
# inspired by the init script contributed to the OpenVPN project by
# Douglas Keller <[email protected]>
#
# /etc/init.d/openvpn
#   and its symbolic link
# /usr/sbin/rcopenvpn
#
### BEGIN INIT INFO
# Provides:          openvpn
# Required-Start:    $local_fs $remote_fs $network
# Should-Start:      $syslog $time $named network-remotefs
# Required-Stop:     $local_fs $remote_fs $network
# Should-Stop:       $syslog $time $named network-remotefs
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: OpenVPN tunnel
# Description:       Start OpenVPN tunnel
### END INIT INFO

test -s /etc/sysconfig/openvpn && \
    . /etc/sysconfig/openvpn

DAEMON="OpenVPN"
openvpn=/usr/sbin/openvpn
confdir=/etc/openvpn
piddir=/var/run/openvpn

test -d $piddir || mkdir $piddir
test -x $openvpn || {
    echo 1>&2 "$openvpn not installed"
    if test "$1" == "stop" ; then exit 0 ; else exit 5 ; fi
}

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num><num>
#      rc_reset         clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status
. /etc/rc.status

# First reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
shopt -s nullglob

action="$1" ; shift
config="$1" ; shift

systemd_cgroup_dir="/sys/fs/cgroup/systemd"
openvpn_cgroup_dir="${systemd_cgroup_dir}/system/openvpn.service"

join_openvpn_service_cgroup()
{
    local pid dummy

    # when the systemd cgroup mountpoint does not exist,
    # assume we run under SysV init -> nothing to do.
    /bin/mountpoint -q "${systemd_cgroup_dir}" || return 0

    # create the openvpn.service cgroup when needed
    if test ! -d "${openvpn_cgroup_dir}" ; then
        /bin/mkdir -p "${openvpn_cgroup_dir}" || return 1
    fi

    # check if the openvpn.service cgroup task list exists
    if test -f "${openvpn_cgroup_dir}/tasks" ; then
        # when we're already a member, all is done
        while read pid dummy ; do
            test "$pid" = "$$" && return 0
        done < "${openvpn_cgroup_dir}/tasks"

        # otherwise join the openvpn.service cgroup
        echo "$$" > "${openvpn_cgroup_dir}/tasks" && return 0
    fi
    return 1
}

autostart_filter()
{
    test "x$config" != "x" && return 0
    test "x$OPENVPN_AUTOSTART" = "x" && return 0
    for n in ${OPENVPN_AUTOSTART} ; do
        test "x$n" = "x$1" && return 0
    done
    return 1
}

case "$action" in
    start)
        join_openvpn_service_cgroup
        /sbin/modprobe tun &>/dev/null

        name=""
        for conf in $confdir/${config:-*}.conf ; do
            test -f "$conf" || continue
            name=$(basename "${conf%%.conf}")
            autostart_filter "$name" || continue
            pidfile="$piddir/${name}.pid"

            echo -n "Starting $DAEMON [$name] "
            if [ -f "$pidfile" ]; then
                killproc -p "$pidfile" -USR2 $openvpn
                ret=$?
                case $ret in
                7)  # not running, remove pid and start
                    echo -n "(removed stale pid file) " ; rm -f "$pidfile"
                    ;;
                0)  # running - not an error, skip start
                    rc_failed 0 ; rc_status -v ; continue
                    ;;
                *)  # another error, set it and continue
                    rc_failed 1 ; rc_status -v ; continue
                    ;;
                esac
            fi

            # openvpn may ask for auth ...
            echo ""
            $openvpn --daemon \
                --writepid "$pidfile" \
                --config "$conf" \
                --cd $confdir || \
            {
                rc_status -v1
                if [ ! -w "$piddir" ]; then
                    # this is one possible reason, but common to
                    # all instances and better than nothing ...
                    echo " Can not write $pidfile"
                    rc_exit
                fi
                echo " See /var/log/messages for the failure reason"
                rc_failed 1
                continue
            }
            # write the status one line up
            rc_status -v1
        done
        test -n "$name" || {
            echo -n "Starting $DAEMON${config:+ [$config]} -- not configured"
            rc_failed 6
            rc_status -v
        }
        ;;
    stop)
        ## Stop daemon with killproc(8) and if this fails
        ## set and echo the return value.
        name=""
        for pidfile in $piddir/${config:-*}.pid; do
            test -f "$pidfile" || continue
            name=$(basename "${pidfile%%.pid}")
            echo -n "Shutting down $DAEMON [$name] "
            killproc -p "$pidfile" $openvpn
            rc_status -v
            rm -f "$pidfile"
        done
        test -n "$name" || {
            echo -n "Shutting down $DAEMON${config:+ [$config]} -- not running"
            rc_status -v
        }
        ;;
    try-restart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        $0 status ${config:+"$config"}
        if test $? = 0; then
            $0 restart ${config:+"$config"}
        else
            rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        # When nothing is running, start the specified config or
        # the default (autostart) set. Otherwise we stop the
        # specified one or all that are currently running.
        # Then start the specified one or all that were running
        # before and have a config. Makes sense? :-)
        name=""
        list=($config)
        for pidfile in $piddir/${config:-*}.pid; do
            test -f "$pidfile" || continue
            name=$(basename "${pidfile%%.pid}")
            $0 stop "$name"
            rc_status
            test "x$name" = "x$config" && continue # in list
            test -f "$confdir/${name}.conf" && list+=("$name")
        done
        test "x$name" = x || sleep 3 # for what was this needed?
        $0 start "${list[@]}"
        # Remember status and be quiet
        rc_status
        ;;
    reload|force-reload)
        for pidfile in $piddir/${config:-*}.pid; do
            test -f "$pidfile" || continue
            name=$(basename "${pidfile%%.pid}")
            echo -n "Reload service $DAEMON [$name] "
            killproc -p "$pidfile" -HUP $openvpn
            rc_status -v
        done
        rc_status
        ;;
    reopen)
        for pidfile in $piddir/${config:-*}.pid; do
            test -f "$pidfile" || continue
            name=$(basename "${pidfile%%.pid}")
            echo -n "Reopen service $DAEMON [$name] "
            killproc -p "$pidfile" -USR1 $openvpn
            rc_status -v
        done
        rc_status
        ;;
    status)
        name=""
        for pidfile in $piddir/${config:-*}.pid; do
            test -f "$pidfile" || continue
            name=$(basename "${pidfile%%.pid}")
            echo -n "Checking for $DAEMON [$name] "
            killproc -p "$pidfile" -USR2 $openvpn
            rc_status -v
        done
        if test -n "$name" ; then
            echo "$DAEMON status written to /var/log/messages"
        else
            echo -n "Checking for $DAEMON "
            rc_failed 3
            rc_status -v
        fi
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)
        result=""
        for conf in $confdir/${config:-*}.conf ; do
            test -f "$conf" || continue
            name=$(basename "${conf%%.conf}")
            autostart_filter "$name" || continue
            pidfile="$piddir/${name}.pid"
            if test ! -f "$pidfile" ; then
                result="restart"
            elif test "$conf" -nt "$pidfile" ; then
                test "$result" = "restart" || \
                result="reload"
            fi
        done
        for pidfile in $piddir/${config:-*}.pid; do
            test -f "$pidfile" || continue
            name=$(basename "${pidfile%%.pid}")
            conf="$confdir/${name}.conf"
            test -f "$conf" && result="restart"
        done
        test -n "$result" && echo "$result"
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|reload|reopen|probe}"
        exit 1
esac
rc_exit
++++++ openvpn.service ++++++
[Unit]
Description=OpenVPN tunneling daemon instance using /etc/openvpn/%I.conf
After=network.target
PartOf=openvpn.target

[Service]
Type=forking
PrivateTmp=true
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --suppress-timestamps --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
ExecReload=/sbin/killproc -p /var/run/openvpn/%i.pid -HUP /usr/sbin/openvpn

[Install]
WantedBy=multi-user.target openvpn.target
++++++ openvpn.sysconfig ++++++
## Type:        list("",)
## Default:     ""
#
# Specifies an optional white-list of config names to start
# in /etc/init.d/openvpn.
#
# Unlisted config names can still be started using the explicit name,
# e.g. "/etc/init.d/openvpn start tun0" will start openvpn for the
# "/etc/openvpn/tun0.conf" config file.
#
# Setting the variable to e.g. "foo bar" will start the
# "/etc/openvpn/foo.conf" and "/etc/openvpn/bar.conf" config files.
# When empty, the init script will start all existing config files.
#
OPENVPN_AUTOSTART=""
++++++ openvpn.target ++++++
[Unit]
Description=OpenVPN target allowing to start/stop all [email protected] instances at once
++++++ rcopenvpn ++++++
#! /bin/bash
SYSTEMD_NO_WRAP=1
. /etc/rc.status
rc_reset

action=$1 ; shift
config=$1 ; shift

if test -n "$config" ; then
    systemctl "${action}" "openvpn@${config}.service"
else
    case $action in
    status)
        n=0
        l=`systemctl show -p ConsistsOf openvpn.target 2>/dev/null`
        for s in ${l#ConsistsOf=} ; do
            case $s in
            openvpn@*.service)
                systemctl status "$s"
                rc_check
                ((++n))
                ;;
            esac
        done
        if test $n -gt 0 ; then
            rc_status
        else
            rc_status -u
        fi
        ;;
    *)
        systemctl "${action}" "openvpn.target"
        ;;
    esac
fi
rc_exit
