Accepting request 818952 from network:vpn

- Update to version 1.1.0: * Switch from fork to fork/exec model to achieve better scaling and ASLR protection. This introduces an ocserv-worker application which should be installed at the same path as ocserv (#285). * When Linux OOM takes control kill ocserv workers before ocserv-main or ocserv-secmod (#283). * Disable TCP queuing on the TLS port. * Fix leak of GnuTLS session when DTLS connection is re-established (#293). - Verify source with keyring before build. OBS-URL: https://build.opensuse.org/request/show/818952 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ocserv?expand=0&rev=14
2020-07-06 14:33:07 +00:00 · 2020-07-06 14:33:07 +00:00 · 397efc6e95
commit 397efc6e95
parent 1b9ec22872 0da65a902f
9 changed files with 32 additions and 127 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+## Specific LFS patterns
+gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg filter=lfs diff=lfs merge=lfs -text
--- a/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+++ b/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b62b9380d3966fa4c8c676364bb43f94e955b46f5ac5b009ff53dd1a61dca56e
+size 7416
--- a/ocserv-1.0.1.tar.xz
+++ b/ocserv-1.0.1.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:59d9ef7a1aeb95ff6e762e2a0f231b3fae2ea420f68a1cf09d39a26395040f4b
-size 787800
--- a/ocserv-1.0.1.tar.xz.sig
+++ b/ocserv-1.0.1.tar.xz.sig
--- a/ocserv-1.1.0.tar.xz
+++ b/ocserv-1.1.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a3fafe847b08bdec5a9acd72e698dfd77ce9799cb19146677526e6794b94a779
+size 806964
--- a/ocserv-1.1.0.tar.xz.sig
+++ b/ocserv-1.1.0.tar.xz.sig
--- a/ocserv.changes
+++ b/ocserv.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Fri Jul  3 17:34:58 UTC 2020 - Michael Du <duyizhaozj321@yahoo.com>
+
+- Update to version 1.1.0:
+  * Switch from fork to fork/exec model to achieve better scaling 
+    and ASLR protection. This introduces an ocserv-worker application 
+    which should be installed at the same path as ocserv (#285).
+  * When Linux OOM takes control kill ocserv workers before 
+    ocserv-main or ocserv-secmod (#283).
+  * Disable TCP queuing on the TLS port.
+  * Fix leak of GnuTLS session when DTLS connection is 
+    re-established (#293).
+- Verify source with keyring before build.
+
 -------------------------------------------------------------------
 Tue Apr 21 17:20:49 UTC 2020 - Martin Hauke <mardnh@gmx.de>

--- a/ocserv.keyring
+++ b/ocserv.keyring
@ -1,117 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGRBEgd5bQBDCDc8Z7h2Damx3Xm+kMFXMKHqVUdPOqvcFT0c1gnQ9LPw3JiswvB
-dM3SBRb2LxtEAnXt0Bw8WBbcCF9s05h8xjCSLDmBwQ1EBEeTvUN18TgeM6t4rNTZ
-NrXl5wRmvkAzdO+EOHWx2gDRApLbdkkBK21+M6HPhtqRiMWK6zd5bPmiiAKNRv0G
-aC71qUpdNSrWVzB02s8+LUivwH+kUksMX2nXps7b6RPhQyFl6FSv0LsHDd3yxRrB
-JIikUAsSnQbDSPws+Srq1VFLhaARiPF2tg7ag1n4qbbZiK3XOSjK3X+b2XkdZrWY
-7orBke/J1cMv/9XnqtsE1P1EYcuPk34yxjz/E5+0vf8DlzQ86c2DHRCpr81XV3qD
-tNeouQFLDI1kkpG6QTY3S2SPMUht8V8JxhqBzbjWZmKGUf1ISYI2p9FqtXF4rL2D
-u1QLPQGLwqYaUvnGCYFxEMpnDcYheF6zOUtow527WgrJcATDXW/HCzidwi2+o/cU
-bdCeYOiN28IMCOIBJZjLABEBAAG0KU5pa29zIE1hdnJvZ2lhbm5vcG91bG9zIDxu
-bWF2QGdudXRscy5vcmc+iQHYBBMBCAA+FiEEH0JBiQXYIGqnVMzcKe5YuZaGUXEF
-Al4XSloCGwMFCSWYBgAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQKe5YuZaG
-UXFSTwwfQytoBEKigUPJjHmVtmnGto5uqF2oR8x/uFYIn0wX2Pq+eyNQVhHlcWxg
-J1XiifCcBYLlvUujLIBhk5/InEReMwGWUVtnI+EgEosw7Y3VK3u+GAIggDLhvWlN
-vJspD/KTcQDq6psO8SQ30vM2CXK7q0q1TQk+cfiTYx+Pha8+xxaCkUTmDGuwQSvb
-+KinsBJZngT7Wq99MAyPYT86ybd7EQz+WbxgDAwabqgcdmkdcQF6Cg4TJKNB90KQ
-ZW9STisQeIE/+IGJIxt82Dqp6IOKtmCQhfgw+bW0M/Q9RVptoQeCzPtRKCiCk3zM
-hldGWxZoQKiCejp0KzDbcciiPZ3FeW3eHgKTlSWfjlVXgDIoQ/byW7zoo4rm3j0e
-fDJlsfRK6bi29J6yTLq9OyBk9hpCPmJcc6qe0TDvkzUGtrUd9CvbfWKCOiMLl2Ky
-hS5BpKPfSziRDNqUwOZy1DpjNFqk3peHLsDfSgWOYfihVBpHGAqC6awpKi8rda+h
-XiW5RT2KY+yatbQrTmlrb3MgTWF2cm9naWFubm9wb3Vsb3MgPG5tYXZAaHVzaG1h
-aWwuY29tPokB2AQTAQgAPhYhBB9CQYkF2CBqp1TM3CnuWLmWhlFxBQJeF0pcAhsD
-BQklmAYABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJECnuWLmWhlFx7A4MHi/V
-IUQUQEeQprKxxNVuBN+2e87JzAAqyvOBRa1pfYnDpOmVVn2AKq2DTlWoEiAFRXTE
-5tiJjxG4oHPoTiqUuIVxnoJwyVvPBsyaeX1CNRp9y+CxYCXsRAxTRzpzShsX36nk
-Cax87NEIeBhzgun9iyqcKHqc3rRxXLQJgcM/7smC8+5YWXiuVNEILf9psyJJvyci
-H7fexxKleAkCnTN9Nkb9r77Mz9RddaGetZztThSIO5Es3wzfXGoP4w5wrKxNsJ0g
-Hki4xfDxdlPijUxjFsS1HHVABqzy2+J/0CKCafTroEKfaWC31HFYqoqEbpwNSJoE
-38a63hxx0NlHPoVBDzrfQ7IXa9BGNSQ65QbfKNsMGQfexzXpC9r5DMReg7dKBB2Q
-scTNYR83Y8k59domfxypDYUTdIk/pAp0IPiL+hpjX9gN6AOlRYo6X3JTRz893VLh
-kH/kCWVTwQtaoORVCsj5kL3L0S2Dtqn3+9Ztit28f6Zs20nQcBDqQhdRHfvH7ZNU
-4By0N05pa29zIE1hdnJvZ2lhbm5vcG91bG9zIDxuLm1hdnJvZ2lhbm5vcG91bG9z
-QGdtYWlsLmNvbT6JAdgEEwEIAD4WIQQfQkGJBdggaqdUzNwp7li5loZRcQUCXhdK
-XAIbAwUJJZgGAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAp7li5loZRcfyK
-DB0TrmubgZfD38mRtbGBVshrqaD/uWK4xw4GFQI65Iy+gnp0lDAVeC/raz28nRzR
-vcs+46Fr5Eg/eRzA8k4cYrMA5QvuJ0MBIdGT7jdGOMY/YChYayvPlbuPqFXIDkTp
-pQkDLPob0YJbAev2rYxnadlMrKueHfMn+2+zFGXbhWWXzZywJ7lLif8ofXe5YOo8
-UQqbV/Eft3WnVmr7cMo5zzBk5u6dGcdh8/BtyoCnkLMY9KfVdE3aa+VBR2rVNFSk
-9pOBsJaZtsN7ibOnwwUb40ZOuOtpHM+ZDM0n5caWSHt9zc+zrFrug+9B91dTnGVQ
-1mDqjStxU2Gtclwepq95rOpaYJoq8aYePZa/5ymSHA8faMAx47SOfHDvh8Rhuf7K
-pnPRghl0hDs16w9npvdv69uAU4qe2yZrEiY1WMxCdENiPoK+1KR2G+k5bIfnxYp7
-AcDlC/f34Ftidwe2yyC2wunVns/nv/IAFlgAvfGUVXjBiZhb63riocqueomX1Log
-6tBF0RQ1uQENBEgd5i0BCAC/9nfIuUtQnpG3ldqumR6XsaWBYCO/BjSQjv31Nv+q
-/5u82RP9vPD/SdQ29Dl8WPiG3KbiwHs8vo1geGgWaMtqwuXP8HxMCvXai1JCSRPD
-m2wDIJEWTvvlcvTKAsNxXMfMm9EgTw5/Xq5JEjQ7kSjdyJgG8FUgx+OThweVJEQr
-fGN2zLqL9p+D7kheqMY3EindaE4kPgNYFJQDDaS1vcyudeNcHKCJ1S5+uWPJS15Q
-qguOcl+4PN26ezW73uPug6bXxC6JKCfCTWBlJBa5KjJQFz3JBofbvuyeU9n80rdo
-Oik8fknv3m/W55JyBC3Okuv8t7tyoz7iS/fSGrrHtPNLABEBAAGJAsgEGAECAA8F
-Akgd5i4CGwIFCRLMAwABKQkQKe5YuZaGUXHAXSAEGQECAAYFAkgd5i4ACgkQnV6q
-9pATuEIxSAgAhmaI+89sebZC94mF1GtOuEFs8tpCbBw/RJhO6AAAPjlzSvY1m1TW
-HlqCSrCPthJZ+Hb4Tzcf+PNbGd0YnU2kslFML4MY7tX1fjGi+xU8Z2xHFw7jR+E4
-+7QM1fOPVIcGWfXWwQkvTq74hH3WhSBbhYKEQmTbza8oRUcwjD6i9qH44CYDXy7V
-CYPWyy+12lnwur0NEtSbJ5RW6ZuhvvrBsuz0cAuHiXdN7wdpJ9lYa7tgZUW6GWJM
-NcJpTRQffYUslJKffyo2YEsD9VY9SlYzcSZ0+aFCxRm/eie+UNxGuSkOJ90Umkg1
-QlVuXadtVtlbTldm7k80IDviZAQzOk4Tg1RPDB9jXo31FlX0DeogAEksPjx2VUk1
-gQv9vD+x+HVmESsX0tWgh4G2rSkia7d/XclmEmHDws3y+T0YnvymQpPPfsl9iRZA
-CTJCXIXSl1f3GOMRn5XkFQQ4BwQ6Tm7OL+65so1cRrJ9Y1NR4+/OlVrEYwFEIphi
-pzx7MwMwaUinMMKjv3VS5BMkRbbqVUDgyu5i3pH9U2UjzYNjwn9+HJu6lyrT8a4M
-jQakYZ+qDpIofnf6uOqAIOWRR2fyuOMgzF/7UjIIR5N5StpisXwgzfgNAIVTdqWK
-ly/zT38XJqju2cJ1zYnyLIbsHYfE6A47rfUep9ja3RMBMRA8hm+N5ny3cUCTFrVN
-X3S488YbzNRP6X/BRH+8K22oaVdAHoWYrpnblWZB/OzQnL2R89JwdAG0KnilSRAP
-Ez3UeSus2uGlQJ+TwCshisV3sUS4uyFhHHvtzgInfOwCCAeLZuc16crGYQD2h0VX
-sAdjT2RtAj1iVmUBLHPH8F+WPSJmtSaNlS/Fe9qobJKiuQENBEgd5mkBCADHDPwG
-FZSRYZncDpMQfdpr9EYnUqLfN8Nixiut9TdaAIn9GDatlykj08x65r/5LonRxJcb
-vfHwvvBnRfa4q/5kKAzTtY4AUGVIaNP0Dkrq9PBUwD9F3N9ouPStCfg4RoTzUruI
-LQ0rQ2h89sGdpO4Gp4yJqNjj1+SfK6i/mLgGG8ibpA/B1bDdMHsDJVxbE6jT2Rua
-T5FuxrMus4lq4NYSuPhIEUQ1uQsKF/lX3E9DtyOi9LLkCui2+F35XzX/6/JG4MU4
-0Z7jmPe3aqR3GT2Vxk5HnVN2yI/hn2FPqoGtnR2FR6k1lrdMKcFG2StcaJW7ukY2
-Yt0/SHpad5hJP7nJABEBAAGJAakEGAECAA8FAkgd5mkCGwwFCRLMAwAACgkQKe5Y
-uZaGUXF4JAwgrepkeOv9HYK+vr0bloTgJ/kWUeXZvhbFX0eMxCFaktaYIglWE5WP
-qcyf1U3IXa0YxKoFa6t6mYeRzUI7kTTzQLbiG2KjnLXBqDzMHZP/s9T2UUuq3RSB
-nf2aedbfAu9HDpts9VHyv1oJnpkOY2OjM/1OYOlE3s45pE9wBZWxRVnVBbcE3hb4
-2yr5kBKLEzlaDqhcxj2wpZu+ALmoYOs3gmtXout0GVMZlxTWFQldh9FmWXhsd/9E
-Q9p1bczt1hapalhQSKgwzRpkZtsM/8WE9nC3aF4iTmU/DzIt/rCFJ7+saAc3KFQM
-RPWEgpJ/XWx9OZmDes8U3LvfJ/RWzb0JNw7at3axQzoaEOS5Hcyon60VuG2SB8Au
-Iq8L3CGOHwnruKnZLPBCrqo8JavRsBI0r5RIB9Kg7M2QVc2Zs1R/UNxrZ/07vjzD
-EV5TmvSOWDVKug+yLclkeDj6Q1wL39vlvtgGu+KOYsyHHIFLLFg2v5gRlEG+TJvw
-my+mLoYj82eDq0dfoLkBDQRaeUDpAQgAsNl4EliTztpzahvKFW5UGbdFZ0IfumlC
-CyuIKW6Tl8k5IqCmupVab74CgQarThH6I0zLGj+rFWOsl8ioak+VhoTt5HfoTzIv
-eIU5mrLcL+hgSLfmsofNJG/zUNcTDy+oJPFCEMEbFbzArwYTkJbtK7lC9bc0nCVZ
-PVwWkFLjK2FB0gObZlfVzrHMh07O3OZnDEmt4DPHuUxy5jttD2XyOQvc5xZFhQZC
-MuO81dc+wuoDhu37vGuV0pDHEknLNjQdY0JHgzNJYDRdaeI8q6jF5XH1067ftyzF
-uhMoFH2aNe3pm6Ns9IfQo51AYZYvwjYzBfHnK+BA+wRyQoPcA/jMuQARAQABiQL2
-BBgBCAAmFiEEH0JBiQXYIGqnVMzcKe5YuZaGUXEFAlp5QOkCGwIFCRLMAwABQAkQ
-Ke5YuZaGUXHAdCAEGQEIAB0WIQRZ+7Vcp/OoqwxQN3PYHEiH8WeaZQUCWnlA6QAK
-CRDYHEiH8WeaZTZrB/4ofixTAgSc3vlTSDsTu5v9oP3FvHYcJ0KqAr4hS5qxviul
-TXdCkqL4/KhvsqVXgKLj64nD1y+VRuR5soVZ1u7JQTVd9jjERlI1NH4cvpukTq+5
-G5bF/+7iBPAHSGaTcVndZHXxn69Q7bnliz7+rTnkYtuldk5g032W11wnwatCrKC2
-Z+QYqbhC/sMGVbxSGP1tkWqXoCJ5Mh8Bdit8+4qafd+wHbOOLNLHGYUKBoeRUwR0
-7N8YhH7eJxfVV0sBLDLngtO5T06VjQsVeUJuLqhtoU/oz5ellCIvzipRzgRNWyUN
-cuIS5Wi1C6tO+Eatw94+eSbLom5M57EyGyJiRo3t2BUMIIW8xNuGy/YTGRFT7l2c
-71SWHjY50DbNl+JCjyAOitLtEGLtHJJtxv9AmmlHJ+CLDw0Ctm2j3xgk2KbkeHQK
-pai8d8Fee4rzsVU9WanUX8hg7yv3IXEdFpIJaNMKkeedmCrTMPrhz1TthyJSBbLN
-8tKrLdv5IPOvGQIrJdsaVByZFDuxbNSKqonVvVYDxA+xM76E+8AuRlBcYtzyblXI
-wIUa+kkGdhBQGp0hBdAqYKq4iFWRVlqy44M7Xt8RUk1yu9u2+c+BcitOnlqYOImO
-p2THhjNGeLi7GDqtwizGNSEz1p76vOUErvcwR7DNyVcyuYrD/HVV4Qp16Njy0hnH
-A67NB23CB7IN5tyJ8GsRHb/wPd/78tJedeJUJ5LO6FdbvNV2SdFzKYfUVGmWcAPM
-5sgB02UG6/Hphag092gfOnqeArAWg3pk6NWysWC6pBZWRNMvExnRf3kHIAn4j3su
-UohuPhr7nKIEoUtIbB6IorGj9shVi91hIcYiM9mFvkUJ5cp81a+5AQ0EWnlBCgEI
-ALVO9ZzEdre381rsxAr9JLM1uCrb00t1PrYlfrG1uaYCnx1MpRE+kRZsr94WhZcc
-N6hzjdU50LnKx5ZKZkrqQ9oQf9cl+ZzNIasc8+bopJyXy7cVvOMZlojsqxQLHDD/
-w9IZTLnnGtSjpF0jpAg+g9dPimEhG9o9+fhQxxzAzh22aIbqFKW2CwV6NsNbQ5i6
-UmIWWkz+CQ0Me5xJXz7G7EdBtNeGEQ6bi1AthaxW1fMGLqujL6dSS4QVYMOdqXYS
-gnboI6CZJqJgvDYSuQJrmOWtHziUP7cMHQVirePvsnc/vpZ5lNoGml0kMlEsDwwo
-3nPvxQdXNGSezt3rXlq0Ot0AEQEAAYkBwAQYAQgAJhYhBB9CQYkF2CBqp1TM3Cnu
-WLmWhlFxBQJaeUEKAhsMBQkSzAMAAAoJECnuWLmWhlFxRecMHix2Ljo9c4jinJwy
-zWXad5EWbI1pck1I9wrq69HXJiW18O1luWWF+fBOHFWCEh/ucceH0V65ES4G4TdH
-F0R7QRA8jbSJ25KjKhvWghBou6JLYDvRcY/Aogqt57BBnsFlMIxVsT8OiI5zWsW6
-kaDTACVbRTlKWXzcACg68eYVE0oi+Pfdfcmtw0gu6TRDMwFuQ3xHxET+WrxOqmRY
-2DFQ8VRSHpGaAieKQiKLU3mVnLD9zXiY8U7ZgO1MWVKtyVFcxgor0kYBakMihKw0
-5uBg6ubkGj2l1kmmHrfEjakyG7C4BW3JW9XngEbOGb7P1cICe7lOuZw/BQxvYdv/
-Q6w4cKBXAKFFOu2kWPIQ0xdCQt0ENguDS1W721k2MYJs+u4fNjhqMO+SDMEdwwMe
-Ex2FwjqXlukICekdhEE8tEzy/0VhsYT3tP2D9K7XDhmdmM+iKZ7Ql6IIHyk8Kd+W
-3EWGQ2clDsYJWHvC6y7KAH2onmxM2h6VDGm82/j5F/jhskwdrGfOLnE=
-=GCTz
-----END PGP PUBLIC KEY BLOCK-----
--- a/ocserv.spec
+++ b/ocserv.spec
@ -17,21 +17,21 @@


 Name:           ocserv
-Version:        1.0.1
+Version:        1.1.0
 Release:        0
 Summary:        OpenConnect VPN Server
 License:        GPL-2.0-only
 Group:          Productivity/Networking/Security
 URL:            http://www.infradead.org/ocserv
 Source:         ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
-Source100:      ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
-Source101:      %{name}.keyring
-Source1:        ca.tmpl
-Source2:        server.tmpl
-Source3:        user.tmpl
+Source1:        ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
+Source2:        ca.tmpl
+Source3:        server.tmpl
+Source4:        user.tmpl
 Source5:        ocserv.sysctl
 Source6:        ocserv.firewalld.xml
 Source99:       README.SUSE
+Source100:      gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE
 Patch1:         %{name}-enable-systemd.patch
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org tweak configuration
@ -45,6 +45,7 @@ BuildRequires:  firewall-macros
 %endif
 BuildRequires:  freeradius-client-devel
 BuildRequires:  gperf
+BuildRequires:  gpg2
 BuildRequires:  libev-devel
 BuildRequires:  libgnutls-devel >= 3.1.10
 BuildRequires:  libmaxminddb-devel
@ -89,6 +90,7 @@ escalation due to any bug on the VPN handling (worker) process.
 A management interface allows for viewing and querying logged-in users.

 %prep
+gpg --import %{SOURCE100} && gpg --verify %{SOURCE1}
 %setup -q
 %patch1 -p1
 %patch2 -p1
@ -112,9 +114,9 @@ install -D -m 644 %{SOURCE6} %{buildroot}%{_libexecdir}/firewalld/services/ocser
 %endif

 install -d %{buildroot}%{_sysconfdir}/ocserv/certificates
-install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ocserv/certificates
 install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ocserv/certificates
 install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/ocserv/certificates
+install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/ocserv/certificates
 install -m 0644 %{SOURCE99} %{buildroot}%{_sysconfdir}/ocserv/
 install -m 0644 doc/sample.config %{buildroot}%{_sysconfdir}/ocserv/ocserv.conf
 install -m 0644 doc/sample.passwd %{buildroot}%{_sysconfdir}/ocserv/ocpasswd
@ -156,6 +158,7 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd
 %{_bindir}/ocserv-script
 %{_bindir}/ocserv-fw
 %{_sbindir}/ocserv
+%{_sbindir}/ocserv-worker
 %{_unitdir}/ocserv.service
 %{_unitdir}/ocserv.socket
 %{_mandir}/man8/occtl.8%{ext_man}