Accepting request 314133 from home:MargueriteSu

OBS-URL: https://build.opensuse.org/request/show/314133 OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=2
2015-06-28 05:23:02 +00:00 · 2015-06-28 05:23:02 +00:00 · 8a5c4768e9
commit 8a5c4768e9
parent c5d48392d7
7 changed files with 90 additions and 57 deletions
--- a/ocserv-0.10.5.tar.xz
+++ b/ocserv-0.10.5.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62a2b087f21b257a1ea433c12f6937d2a2f5ef30eedbe4739b0407405de474b8
+size 705828
--- a/ocserv-0.9.0.1.tar.xz
+++ b/ocserv-0.9.0.1.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6428e895b59ea412cd3ef3fff37c107a7d443616384a2fd911810458db80cf56
-size 656716
--- a/ocserv-enable-systemd.patch
+++ b/ocserv-enable-systemd.patch
@ -1,12 +1,12 @@
-Index: ocserv-0.9.0/configure.ac
+Index: ocserv-0.10.5/configure.ac
 ===================================================================
--- ocserv-0.9.0.orig/configure.ac
-+++ ocserv-0.9.0/configure.ac
-@@ -319,11 +319,7 @@ AC_ARG_ENABLE(systemd,
+--- ocserv-0.10.5.orig/configure.ac
+++ ocserv-0.10.5/configure.ac
+@@ -297,11 +297,7 @@ AC_ARG_ENABLE(systemd,
 
 if [ test "$systemd_enabled" = "yes" ];then
 AC_LIB_HAVE_LINKFLAGS(systemd,, [#include <systemd/sd-daemon.h>], [sd_listen_fds(0);])
- if [ test -z "$LIBSYSTEMD_DAEMON" ];then
+- if [ test -z "$LIBSYSTEMD" ];then
 -	systemd_enabled="no"
 - else
 	systemd_enabled="yes"
--- a/ocserv-str_init.patch
+++ b/ocserv-str_init.patch
@ -1,13 +0,0 @@
-Index: ocserv-0.9.0/src/main-ctl-dbus.c
-===================================================================
--- ocserv-0.9.0.orig/src/main-ctl-dbus.c
-+++ ocserv-0.9.0/src/main-ctl-dbus.c
-@@ -946,7 +946,7 @@ static void method_introspect(main_serve
- 
- 	mslog(s, NULL, LOG_DEBUG, "ctl: introspect");
- 
-	str_init(&buf);
-+	str_init(&buf, ctx);
- 
- 	ret = str_append_data(&buf, XML_HEAD, sizeof(XML_HEAD) - 1);
- 	if (ret < 0) {
--- a/ocserv.changes
+++ b/ocserv.changes
@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Mon Jun  8 13:51:18 UTC 2015 - i@marguerite.su
+
+- set isolated-workers to false since we didn't build w/ seccomp yet
+- change systemd socket ports as well
+
+-------------------------------------------------------------------
+Sun Jun  7 04:47:47 UTC 2015 - i@marguerite.su
+
+- update version 0.10.5
+  * Added tgt-freshness-time option for gssapi/Kerberos authentication
+    option. That allows to specify the maximum number of seconds after
+    which a reauthentication with Kerberos is required to login to VPN.
+  * main/sec-mod: impose long timeouts on reads from sec-mod. That 
+    would prevent issues when reading in a blocked in authentication
+    sec-mod.
+  * radius: When using radius accounting with certificate 
+    authentication, properly notify of user session termination.
+  * radius: On definitely terminated sessions contact the radius server
+    as soon as possible. For sessions that can still be resumed the 
+    radius server is contacted periodically after the cookies expire.
+  * radius: consider Acct-Interim-Interval when seen by the server. 
+    That will be taken into account if groupconfig=true in radius 
+    subconfig.
+  * Added configuration options persistent-cookies and session-timeout.
+  * radius: added support for Route-IPv6-Information, 
+    Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address, 
+    Session-Timeout.
+  * Corrected desync of main and sec-mod by introducing a synchronous 
+    communication socket. Reported by Mani Behrouz.
+  * PAM: forward the actual prompt to worker process, and not only 
+    informational messages.
+- drop ocserv-str_init.patch, upstream fixed.
+
 -------------------------------------------------------------------
 Fri Feb 13 11:28:14 UTC 2015 - i@marguerite.su

--- a/ocserv.config.patch
+++ b/ocserv.config.patch
@ -1,17 +1,17 @@
-Index: ocserv-0.9.0/doc/sample.config
+Index: ocserv-0.10.5/doc/sample.config
 ===================================================================
--- ocserv-0.9.0.orig/doc/sample.config
-+++ ocserv-0.9.0/doc/sample.config
-@@ -34,7 +34,7 @@
- #auth = "certificate[optional]"
+--- ocserv-0.10.5.orig/doc/sample.config
+++ ocserv-0.10.5/doc/sample.config
+@@ -36,7 +36,7 @@
+ 
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
-auth = "plain[./sample.passwd]"
-+auth = "plain[/etc/ocserv/ocpasswd]"
- #auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
+-auth = "plain[passwd=./sample.passwd]"
+auth = "plain[passwd=/etc/ocserv/ocpasswd]"
+ #auth = "certificate"
+ #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 
- # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
-@@ -68,8 +68,8 @@ max-same-clients = 2
+@@ -68,8 +68,8 @@ auth = "plain[passwd=./sample.passwd]"
 #listen-host-is-dyndns = true
 
 # TCP and UDP port number
@ -22,7 +22,16 @@ Index: ocserv-0.9.0/doc/sample.config
 
 # Accept connections using a socket file. It accepts HTTP
 # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -101,7 +101,7 @@ dpd = 90
+@@ -102,7 +102,7 @@ socket-file = /var/run/ocserv-socket
+ # system calls allowed to a worker process, in order to reduce damage from a
+ # bug in the worker process. It is available on Linux systems at a performance cost.
+ # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
+-isolate-workers = true
+isolate-workers = false
+ 
+ # A banner to be displayed on clients
+ #banner = "Welcome"
+@@ -148,7 +148,7 @@ dpd = 90
 mobile-dpd = 1800
 
 # MTU discovery (DPD must be enabled)
@ -31,7 +40,7 @@ Index: ocserv-0.9.0/doc/sample.config
 
 # The key and the certificates of the server
 # The key may be a file, or any URL supported by GnuTLS (e.g., 
-@@ -113,8 +113,8 @@ try-mtu-discovery = false
+@@ -160,8 +160,8 @@ try-mtu-discovery = false
 #
 # There may be multiple server-cert and server-key directives,
 # but each key should correspond to the preceding certificate.
@ -42,16 +51,16 @@ Index: ocserv-0.9.0/doc/sample.config
 
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
-@@ -140,7 +140,7 @@ server-key = ../tests/server-key.pem
+@@ -187,7 +187,7 @@ server-key = ../tests/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-#ca-cert = /path/to/ca.pem
-+#ca-cert = /etc/ocserv/certificates/ca-cert.pem
+-ca-cert = ../tests/ca.pem
+ca-cert = /etc/ocserv/certificates/ca-cert.pem
 
 # The object identifier that will be used to read the user ID in the client 
 # certificate. The object identifier should be part of the certificate's DN
-@@ -236,8 +236,8 @@ rekey-method = ssl
+@@ -320,8 +320,8 @@ rekey-method = ssl
 # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
 # output from the tun device, and the duration of the session in seconds.
 
@ -62,7 +71,7 @@ Index: ocserv-0.9.0/doc/sample.config
 
 # UTMP
 # Register the connected clients to utmp. This will allow viewing
-@@ -302,7 +302,7 @@ ipv4-netmask = 255.255.255.0
+@@ -377,7 +377,7 @@ ipv4-netmask = 255.255.255.0
 # The advertized DNS server. Use multiple lines for
 # multiple servers.
 # dns = fc00::4be0
@ -71,23 +80,29 @@ Index: ocserv-0.9.0/doc/sample.config
 
 # The NBNS server (if any)
 #nbns = 192.168.1.3
-@@ -342,8 +342,8 @@ ping-leases = false
+@@ -414,8 +414,8 @@ ping-leases = false
 # comment out all routes from the server, or use the special keyword
 # 'default'.
 
-route = 192.168.1.0/255.255.255.0
-route = 192.168.5.0/255.255.255.0
-+#route = 192.168.1.0/255.255.255.0
-+#route = 192.168.5.0/255.255.255.0
+-route = 10.10.10.0/255.255.255.0
+-route = 192.168.0.0/255.255.0.0
+#route = 10.10.10.0/255.255.255.0
+#route = 192.168.0.0/255.255.0.0
 #route = fef4:db8:1000:1001::/64
 
- # Groups that a client is allowed to select from.
-@@ -411,7 +411,7 @@ route = 192.168.5.0/255.255.255.0
- # for clients to present their certificate on every connection.
- # That is they may resume a cookie without presenting a certificate
- # (when certificate authentication is used).
-#cisco-client-compat = true
-+cisco-client-compat = true
+ # Subsets of the routes above that will not be routed by
+Index: ocserv-0.10.5/doc/systemd/socket-activated/ocserv.socket
+===================================================================
+--- ocserv-0.10.5.orig/doc/systemd/socket-activated/ocserv.socket
+++ ocserv-0.10.5/doc/systemd/socket-activated/ocserv.socket
+@@ -2,8 +2,8 @@
+ Description=OpenConnect SSL VPN server Socket
 
- # Client profile xml. A sample file exists in doc/profile.xml.
- # It is required by some of the CISCO clients.
+ [Socket]
+-ListenStream=443
+-ListenDatagram=443
+ListenStream=9000
+ListenDatagram=9001
+ BindIPv6Only=default
+ Accept=false
+ ReusePort=true
--- a/ocserv.spec
+++ b/ocserv.spec
@ -16,7 +16,7 @@
 #

 Name:           ocserv
-Version:	0.9.0.1
+Version:	0.10.5
 Release:	0
 License:	GPL-2.0+
 Summary:	OpenConnect VPN Server
@ -27,8 +27,6 @@ Source1:	ca.tmpl
 Source2:	server.tmpl
 Source3:	user.tmpl
 Source99:	README.SUSE
-#PATCH-FIX-UPSTREAM marguerite@opensuse.org str_init lacks a parameter
-Patch:	%{name}-str_init.patch
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE
 Patch1:	%{name}-enable-systemd.patch
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org tweak configuration
@ -75,8 +73,7 @@ escalation due to any bug on the VPN handling (worker) process.
 A management interface allows for viewing and querying logged-in users. 

 %prep
-%setup -q -n %{name}-0.9.0
-%patch -p1
+%setup -q
 %patch1 -p1
 %patch2 -p1
 autoreconf -fiv