Accepting request 606481 from home:stawidy:branches:network:vpn

- Update to version 0.12.0
  * Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
  * Increased possibilities of allowed combinations of authentication methods.
  * Corrected regression since 0.11.8 with OTP authentication.
  * Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
  * Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
  * Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
  * Corrected crash on certain cases when proxy protocol is in use.
- Update ocserv.config.patch due to upstream changes

OBS-URL: https://build.opensuse.org/request/show/606481
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=18

ocserv-0.11.10.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:52c821dcd234a8f0d61f440ce3c80d0b23051d7fbd74c6d47dc2b884ae25966a
-size 784420

ocserv-0.12.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fdbb7241013341975640bb9851b14ed16c786029466e81b79cdfbce21f7dc89f
+size 679420

ocserv.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri May 11 08:08:54 UTC 2018 - duyizhaozj321@yahoo.com
+
+- Update to version 0.12.0
+  * Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
+  * Increased possibilities of allowed combinations of authentication methods.
+  * Corrected regression since 0.11.8 with OTP authentication.
+  * Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
+  * Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
+  * Correctly handle proxy-protocol’s health commands. That eliminates few connection drops when proxy protocol is in use.
+  * Corrected crash on certain cases when proxy protocol is in use.
+- Update ocserv.config.patch due to upstream changes
+
 -------------------------------------------------------------------
 Tue Feb 27 02:50:33 UTC 2018 - i@marguerite.su
 

ocserv.config.patch

@@ -1,8 +1,8 @@
-Index: ocserv-0.11.10/doc/sample.config
+Index: ocserv-0.12.0/doc/sample.config
 ===================================================================
---- ocserv-0.11.10.orig/doc/sample.config
+--- ocserv-0.12.0.orig/doc/sample.config
-+++ ocserv-0.11.10/doc/sample.config
++++ ocserv-0.12.0/doc/sample.config
-@@ -47,7 +47,7 @@
+@@ -48,7 +48,7 @@
  #auth = "pam"
  #auth = "pam[gid-min=1000]"
  #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
@@ -11,7 +11,7 @@ Index: ocserv-0.11.10/doc/sample.config
  #auth = "certificate"
  #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
  
-@@ -80,8 +80,8 @@ auth = "plain[passwd=./sample.passwd]"
+@@ -83,8 +83,8 @@ auth = "plain[passwd=./sample.passwd]"
  #listen-host-is-dyndns = true
  
  # TCP and UDP port number
@@ -22,27 +22,27 @@ Index: ocserv-0.11.10/doc/sample.config
  
  # Accept connections using a socket file. It accepts HTTP
  # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -124,8 +124,8 @@ socket-file = /var/run/ocserv-socket
+@@ -132,8 +132,8 @@ socket-file = /var/run/ocserv-socket
- #
+ 
- # There may be multiple server-cert and server-key directives,
+ #server-cert = /etc/ocserv/server-cert.pem
- # but each key should correspond to the preceding certificate.
+ #server-key = /etc/ocserv/server-key.pem
 -server-cert = ../tests/certs/server-cert.pem
 -server-key = ../tests/certs/server-key.pem
 +server-cert = /etc/ocserv/certificates/server-cert.pem
 +server-key = /etc/ocserv/certificates/server-key.pem
  
- # Diffie-Hellman parameters. Only needed if you require support
+ # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
- # for the DHE ciphersuites (by default this server supports ECDHE).
+ # versions of GnuTLS for supporting DHE ciphersuites.
-@@ -151,7 +151,7 @@ server-key = ../tests/certs/server-key.p
+@@ -160,7 +160,7 @@ server-key = ../tests/certs/server-key.pem
- # The Certificate Authority that will be used to verify
  # client certificates (public keys) if certificate authentication
  # is set.
+ #ca-cert = /etc/ocserv/ca.pem
 -ca-cert = ../tests/certs/ca.pem
 +ca-cert = /etc/ocserv/certificates/ca-cert.pem
  
  
  ### All configuration options below this line are reloaded on a SIGHUP.
-@@ -171,7 +171,7 @@ ca-cert = ../tests/certs/ca.pem
+@@ -180,7 +180,7 @@ ca-cert = ../tests/certs/ca.pem
  # the isolation was tested at. If you get random failures on worker processes, try
  # disabling that option and report the failures you, along with system and debugging
  # information at: https://gitlab.com/ocserv/ocserv/issues
@@ -51,7 +51,7 @@ Index: ocserv-0.11.10/doc/sample.config
  
  # A banner to be displayed on clients
  #banner = "Welcome"
-@@ -234,7 +234,7 @@ mobile-dpd = 1800
+@@ -243,7 +243,7 @@ mobile-dpd = 1800
  switch-to-tcp-timeout = 25
  
  # MTU discovery (DPD must be enabled)
@@ -60,7 +60,7 @@ Index: ocserv-0.11.10/doc/sample.config
  
  # If you have a certificate from a CA that provides an OCSP
  # service you may provide a fresh OCSP status response within
-@@ -398,8 +398,8 @@ rekey-method = ssl
+@@ -407,8 +407,8 @@ rekey-method = ssl
  # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
  # output from the tun device, and the duration of the session in seconds.
  
@@ -71,7 +71,7 @@ Index: ocserv-0.11.10/doc/sample.config
  
  # UTMP
  # Register the connected clients to utmp. This will allow viewing
-@@ -469,7 +469,8 @@ ipv4-netmask = 255.255.255.0
+@@ -478,7 +478,8 @@ ipv4-netmask = 255.255.255.0
  # The advertized DNS server. Use multiple lines for
  # multiple servers.
  # dns = fc00::4be0
@@ -81,7 +81,7 @@ Index: ocserv-0.11.10/doc/sample.config
  
  # The NBNS server (if any)
  #nbns = 192.168.1.3
-@@ -508,8 +509,8 @@ ping-leases = false
+@@ -517,8 +518,8 @@ ping-leases = false
  # comment out all routes from the server, or use the special keyword
  # 'default'.
  
@@ -92,10 +92,38 @@ Index: ocserv-0.11.10/doc/sample.config
  #route = fef4:db8:1000:1001::/64
  #route = default
  
-Index: ocserv-0.11.10/doc/systemd/socket-activated/ocserv.socket
+@@ -682,18 +683,18 @@ dtls-legacy = true
+ # An example virtual host with different authentication methods serviced
+ # by this server.
+ 
+-[vhost:www.example.com]
+-auth = "certificate"
++#[vhost:www.example.com]
++#auth = "certificate"
+ 
+-ca-cert = ../tests/certs/ca.pem
++#ca-cert = ../tests/certs/ca.pem
+ 
+ # The certificate set here must include a 'dns_name' corresponding to
+ # the virtual host name.
+ 
+-server-cert = ../tests/certs/server-cert-secp521r1.pem
+-server-key = ../tests/certs/server-key-secp521r1.pem
++#server-cert = ../tests/certs/server-cert-secp521r1.pem
++#server-key = ../tests/certs/server-key-secp521r1.pem
+ 
+-ipv4-network = 192.168.2.0
+-ipv4-netmask = 255.255.255.0
++#ipv4-network = 192.168.2.0
++#ipv4-netmask = 255.255.255.0
+ 
+-cert-user-oid = 0.9.2342.19200300.100.1.1
++#cert-user-oid = 0.9.2342.19200300.100.1.1
+ 
+Index: ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
 ===================================================================
---- ocserv-0.11.10.orig/doc/systemd/socket-activated/ocserv.socket
+--- ocserv-0.12.0.orig/doc/systemd/socket-activated/ocserv.socket
-+++ ocserv-0.11.10/doc/systemd/socket-activated/ocserv.socket
++++ ocserv-0.12.0/doc/systemd/socket-activated/ocserv.socket
 @@ -2,8 +2,8 @@
  Description=OpenConnect SSL VPN server Socket
  

ocserv.spec

@@ -17,10 +17,10 @@
 
 
 Name:           ocserv
-Version:        0.11.10
+Version:        0.12.0
 Release:        0
 Summary:        OpenConnect VPN Server
-License:        GPL-2.0
+License:        GPL-2.0-only
 Group:          Productivity/Networking/Security
 Url:            http://www.infradead.org/ocserv
 #Source:         ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
@@ -59,6 +59,7 @@ BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  protobuf-c
 BuildRequires:  readline-devel
+BuildRequires:  ruby2.5-rubygem-ronn
 BuildRequires:  systemd-devel
 # /usr/bin/certtool for generating certificates
 Requires:       gnutls >= 3.1.10
@@ -93,7 +94,6 @@ A management interface allows for viewing and querying logged-in users.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-sed -i "s/\@AUTOGEN\@/autogen/" doc/Makefile.am
 autoreconf -fiv
 
 %build