Accepting request 447316 from network:vpn

1 OBS-URL: https://build.opensuse.org/request/show/447316 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ocserv?expand=0&rev=2
2017-01-09 09:53:09 +00:00 · 2017-01-09 09:53:09 +00:00 · dcd8d258c4
commit dcd8d258c4
parent 8a24fc7bba f9e09ce079
5 changed files with 101 additions and 72 deletions
--- a/ocserv-0.10.11.tar.xz
+++ b/ocserv-0.10.11.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ba607ecc377d62e66cecaca73154c97e2ef6609e932250aad2906af46c1f785c
-size 730128
--- a/ocserv-0.11.6.tar.xz
+++ b/ocserv-0.11.6.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93203b344644f1a97ae7ca3cf08853c3f9793a1555e85366e16c425b8d65151e
+size 567552
--- a/ocserv.changes
+++ b/ocserv.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Dec 21 10:59:26 UTC 2016 - i@marguerite.su
+
+- update version 0.11.6
+  * cserv: Improved detection of mobile clients
+  * ocserv: Update the worker's ID on Radius accounting messages.
+    That is, even if we initially advertize the ID of the worker
+    handling the client as NAS-Port, the client may eventually end-up
+    being served by another process with different ID. In that case we make
+    sure that the radius server is notified on the next accounting message.
+    If you are using radius see doc/README.radius.md about NAS-Port, since
+    that behavior may cause issues in freeradius installations.
+  * ocserv: Added config option 'switch-to-tcp-timeout'. That allows an
+    automatic switch to TCP in case of no received UDP traffic for
+    certain time
+  * ocserv: Pre-load the OCSP response file; that way worker processes can
+    serve it, even if they have no access to it.
+  * ocserv: When compiled with GnuTLS 3.5.6 automatically set DH
+    parameters from the known set.
+
 -------------------------------------------------------------------
 Fri Feb 12 14:10:54 UTC 2016 - i@marguerite.su

--- a/ocserv.config.patch
+++ b/ocserv.config.patch
@ -1,8 +1,8 @@
-Index: ocserv-0.10.9/doc/sample.config
+Index: b/doc/sample.config
 ===================================================================
--- ocserv-0.10.9.orig/doc/sample.config
-+++ ocserv-0.10.9/doc/sample.config
-@@ -39,7 +39,7 @@
+--- a/doc/sample.config
+++ b/doc/sample.config
+@@ -41,7 +41,7 @@
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
 #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
@ -11,7 +11,7 @@ Index: ocserv-0.10.9/doc/sample.config
 #auth = "certificate"
 #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 
-@@ -72,8 +72,8 @@ auth = "plain[passwd=./sample.passwd]"
+@@ -74,8 +74,8 @@ auth = "plain[passwd=./sample.passwd]"
 #listen-host-is-dyndns = true
 
 # TCP and UDP port number
@ -22,36 +22,36 @@ Index: ocserv-0.10.9/doc/sample.config
 
 # Accept connections using a socket file. It accepts HTTP
 # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -108,8 +108,8 @@ socket-file = /var/run/ocserv-socket
+@@ -110,8 +110,8 @@ socket-file = /var/run/ocserv-socket
 #
 # There may be multiple server-cert and server-key directives,
 # but each key should correspond to the preceding certificate.
-server-cert = ../tests/server-cert.pem
-server-key = ../tests/server-key.pem
+-server-cert = ../tests/certs/server-cert.pem
+-server-key = ../tests/certs/server-key.pem
 +server-cert = /etc/ocserv/certificates/server-cert.pem
 +server-key = /etc/ocserv/certificates/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
-@@ -135,7 +135,7 @@ server-key = ../tests/server-key.pem
+@@ -137,7 +137,7 @@ server-key = ../tests/certs/server-key.p
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-ca-cert = ../tests/ca.pem
+-ca-cert = ../tests/certs/ca.pem
 +ca-cert = /etc/ocserv/certificates/ca-cert.pem
 
 
 ### All configuration options below this line are reloaded on a SIGHUP.
-@@ -145,7 +145,7 @@ ca-cert = ../tests/ca.pem
- # system calls allowed to a worker process, in order to reduce damage from a
- # bug in the worker process. It is available on Linux systems at a performance cost.
- # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
+@@ -157,7 +157,7 @@ ca-cert = ../tests/certs/ca.pem
+ # the isolation was tested at. If you get random failures on worker processes, try
+ # disabling that option and report the failures you, along with system and debugging
+ # information at: https://gitlab.com/ocserv/ocserv/issues
 -isolate-workers = true
 +isolate-workers = false
 
 # A banner to be displayed on clients
 #banner = "Welcome"
-@@ -197,7 +197,7 @@ dpd = 90
+@@ -204,7 +204,7 @@ dpd = 90
 mobile-dpd = 1800
 
 # MTU discovery (DPD must be enabled)
@ -60,7 +60,7 @@ Index: ocserv-0.10.9/doc/sample.config
 
 # If you have a certificate from a CA that provides an OCSP
 # service you may provide a fresh OCSP status response within
-@@ -341,8 +341,8 @@ rekey-method = ssl
+@@ -362,8 +362,8 @@ rekey-method = ssl
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
 # output from the tun device, and the duration of the session in seconds.
 
@ -71,16 +71,17 @@ Index: ocserv-0.10.9/doc/sample.config
 
 # UTMP
 # Register the connected clients to utmp. This will allow viewing
-@@ -401,7 +401,7 @@ ipv4-netmask = 255.255.255.0
+@@ -433,7 +433,8 @@ ipv4-netmask = 255.255.255.0
 # The advertized DNS server. Use multiple lines for
 # multiple servers.
 # dns = fc00::4be0
 -dns = 192.168.1.2
 +dns = 8.8.8.8
+dns = 8.8.4.4
 
 # The NBNS server (if any)
 #nbns = 192.168.1.3
-@@ -438,8 +438,8 @@ ping-leases = false
+@@ -472,8 +473,8 @@ ping-leases = false
 # comment out all routes from the server, or use the special keyword
 # 'default'.
 
@ -89,12 +90,12 @@ Index: ocserv-0.10.9/doc/sample.config
 +#route = 10.10.10.0/255.255.255.0
 +#route = 192.168.0.0/255.255.0.0
 #route = fef4:db8:1000:1001::/64
+ #route = default
 
- # Subsets of the routes above that will not be routed by
-Index: ocserv-0.10.9/doc/systemd/socket-activated/ocserv.socket
+Index: b/doc/systemd/socket-activated/ocserv.socket
 ===================================================================
--- ocserv-0.10.9.orig/doc/systemd/socket-activated/ocserv.socket
-+++ ocserv-0.10.9/doc/systemd/socket-activated/ocserv.socket
+--- a/doc/systemd/socket-activated/ocserv.socket
+++ b/doc/systemd/socket-activated/ocserv.socket
@@ -2,8 +2,8 @@
 Description=OpenConnect SSL VPN server Socket
 
--- a/ocserv.spec
+++ b/ocserv.spec
@ -1,7 +1,7 @@
 #
 # spec file for package ocserv
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -15,82 +15,90 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

+
 Name:           ocserv
-Version:	0.10.11
-Release:	0
-License:	GPL-2.0
-Summary:	OpenConnect VPN Server
-Url:	http://www.infradead.org/ocserv
-Group:	Productivity/Networking/Security
-Source:	ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
-Source1:	ca.tmpl
-Source2:	server.tmpl
-Source3:	user.tmpl
-Source4:	ocserv.SuSEfirewall
-Source5:	ocserv.sysctl
-Source99:	README.SUSE
+Version:        0.11.6
+Release:        0
+Summary:        OpenConnect VPN Server
+License:        GPL-2.0
+Group:          Productivity/Networking/Security
+Url:            http://www.infradead.org/ocserv
+#Source:         ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
+# released tarball has some problem, check out same thing from git
+# git clone https://gitlab.com/ocserv/ocserv
+# git checkout -b fce7610a
+Source:         %{name}-%{version}.tar.xz
+Source1:        ca.tmpl
+Source2:        server.tmpl
+Source3:        user.tmpl
+Source4:        ocserv.SuSEfirewall
+Source5:        ocserv.sysctl
+Source99:       README.SUSE
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE
-Patch1:	%{name}-enable-systemd.patch
+Patch1:         %{name}-enable-systemd.patch
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org tweak configuration
-Patch2:	%{name}.config.patch
-BuildRequires:	autogen
-BuildRequires:	libtool
-BuildRequires:	pkg-config
-BuildRequires:	libgnutls-devel >= 3.1.10
-BuildRequires:	protobuf-devel
-BuildRequires:	libtalloc-devel
-BuildRequires:	libnl3-devel
-BuildRequires:	readline5-devel
-BuildRequires:	pam-devel
-BuildRequires:	freeradius-client-devel
-BuildRequires:	libseccomp-devel
-BuildRequires:	dbus-1-devel
-BuildRequires:	systemd-devel
-%if 0%{?suse_version} > 1310
-BuildRequires:	liblz4-devel
-%endif
+Patch2:         %{name}.config.patch
+BuildRequires:  autogen
+BuildRequires:  dbus-1-devel
+BuildRequires:  freeradius-client-devel
+BuildRequires:  gperf
+BuildRequires:  libev-devel
+BuildRequires:  libgnutls-devel >= 3.1.10
+BuildRequires:  libnl3-devel
+BuildRequires:  libprotobuf-c-devel
+BuildRequires:  libseccomp-devel
+BuildRequires:  libtalloc-devel
+BuildRequires:  libtool
+BuildRequires:  pam-devel
+BuildRequires:  pkgconfig
+BuildRequires:  protobuf-c
+BuildRequires:  readline5-devel
+BuildRequires:  systemd-devel
 # /usr/bin/certtool for generating certificates
-Requires:	gnutls >= 3.1.10
+Requires:       gnutls >= 3.1.10
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{?systemd_requires}
+%if 0%{?suse_version} > 1310
+BuildRequires:  liblz4-devel
+%endif

 %description
-OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to 
+OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to
 be a secure, small, fast and configurable VPN server. It implements
 the OpenConnect SSL VPN protocol, and has also (currently experimental)
-compatibility with clients using the AnyConnect SSL VPN protocol. 
-The OpenConnect protocol provides a dual TCP/UDP VPN channel, and 
+compatibility with clients using the AnyConnect SSL VPN protocol.
+The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
 uses the standard IETF security protocols to secure it. The server
-is implemented primarily for the GNU/Linux platform but its code 
+is implemented primarily for the GNU/Linux platform but its code
 is designed to be portable to other UNIX variants as well.

 Ocserv's main features are security through privilege separation
 and sandboxing, accounting, and resilience due to a combined use
-of TCP and UDP. Authentication occurs in an isolated security 
+of TCP and UDP. Authentication occurs in an isolated security
 module process, and each user is assigned an unprivileged worker
 process, and a networking (tun) device. That not only eases the
-control of the resources of each user or group of users, but also 
+control of the resources of each user or group of users, but also
 prevents data leak (e.g., heartbleed-style attacks), and privilege
 escalation due to any bug on the VPN handling (worker) process.
-A management interface allows for viewing and querying logged-in users. 
+A management interface allows for viewing and querying logged-in users.

 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
+sed -i "s/\@AUTOGEN\@/autogen/" doc/Makefile.am
 autoreconf -fiv

 %build
 %configure --enable-systemd \
 	--enable-seccomp \
-	--enable-linux-namespaces \
 	--disable-rpath \
 	--enable-local-libopts \
-	--enable-libopts-install 	
+	--enable-libopts-install
 make V=1 %{?_smp_mflags}

 %install
-make install DESTDIR=%{buildroot} %{?_smp_mflags}
+make %{?_smp_mflags} DESTDIR=%{buildroot} install

 install -Dm 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/ocserv
 install -Dm 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysctl.d/60-ocserv.conf
@ -123,7 +131,7 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd

 %files
 %defattr(-,root,root)
-%doc AUTHORS ChangeLog LICENSE NEWS README.md COPYING TODO
+%doc AUTHORS LICENSE NEWS README.md COPYING TODO
 %config %{_sysconfdir}/ocserv
 %config(noreplace) %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/ocserv
 %config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf
@ -134,8 +142,8 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd
 %{_sbindir}/ocserv
 %{_unitdir}/ocserv.service
 %{_unitdir}/ocserv.socket
-%{_mandir}/man8/occtl.8.gz
-%{_mandir}/man8/ocpasswd.8.gz
-%{_mandir}/man8/ocserv.8.gz
+%{_mandir}/man8/occtl.8%{ext_man}
+%{_mandir}/man8/ocpasswd.8%{ext_man}
+%{_mandir}/man8/ocserv.8%{ext_man}

 %changelog