From 8a5c4768e97020d03b317fb92ce36da531a3f496d5196916487d7e9e64934b25 Mon Sep 17 00:00:00 2001
From: Marguerite Su
Date: Sun, 28 Jun 2015 05:23:02 +0000
Subject: [PATCH] Accepting request 314133 from home:MargueriteSu
OBS-URL: https://build.opensuse.org/request/show/314133
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=2
---
 ocserv-0.10.5.tar.xz | 3 ++
 ocserv-0.9.0.1.tar.xz | 3 --
 ocserv-enable-systemd.patch | 10 ++---
 ocserv-str_init.patch | 13 -------
 ocserv.changes | 34 ++++++++++++++++
 ocserv.config.patch | 77 ++++++++++++++++++++++---------------
 ocserv.spec | 7 +---
 7 files changed, 90 insertions(+), 57 deletions(-)
 create mode 100644 ocserv-0.10.5.tar.xz
 delete mode 100644 ocserv-0.9.0.1.tar.xz
 delete mode 100644 ocserv-str_init.patch
diff --git a/ocserv-0.10.5.tar.xz b/ocserv-0.10.5.tar.xz
new file mode 100644
index 0000000..0e6cea3
--- /dev/null
+++ b/ocserv-0.10.5.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62a2b087f21b257a1ea433c12f6937d2a2f5ef30eedbe4739b0407405de474b8
+size 705828
diff --git a/ocserv-0.9.0.1.tar.xz b/ocserv-0.9.0.1.tar.xz
deleted file mode 100644
index 9518d72..0000000
--- a/ocserv-0.9.0.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6428e895b59ea412cd3ef3fff37c107a7d443616384a2fd911810458db80cf56
-size 656716
diff --git a/ocserv-enable-systemd.patch b/ocserv-enable-systemd.patch
index 713df1f..49b6250 100644
--- a/ocserv-enable-systemd.patch
+++ b/ocserv-enable-systemd.patch
@@ -1,12 +1,12 @@ -Index: ocserv-0.9.0/configure.ac +Index: ocserv-0.10.5/configure.ac =================================================================== ---- ocserv-0.9.0.orig/configure.ac -+++ ocserv-0.9.0/configure.ac -@@ -319,11 +319,7 @@ AC_ARG_ENABLE(systemd, +--- ocserv-0.10.5.orig/configure.ac ++++ ocserv-0.10.5/configure.ac +@@ -297,11 +297,7 @@ AC_ARG_ENABLE(systemd, if [ test "$systemd_enabled" = "yes" ];then AC_LIB_HAVE_LINKFLAGS(systemd,, [#include ], [sd_listen_fds(0);]) -- if [ test -z "$LIBSYSTEMD_DAEMON" ];then +- if [ test -z "$LIBSYSTEMD" ];then - systemd_enabled="no" - else systemd_enabled="yes" diff --git a/ocserv-str_init.patch b/ocserv-str_init.patch deleted file mode 100644 index ef15034..0000000 --- a/ocserv-str_init.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: ocserv-0.9.0/src/main-ctl-dbus.c -=================================================================== ---- ocserv-0.9.0.orig/src/main-ctl-dbus.c -+++ ocserv-0.9.0/src/main-ctl-dbus.c -@@ -946,7 +946,7 @@ static void method_introspect(main_serve - - mslog(s, NULL, LOG_DEBUG, "ctl: introspect"); - -- str_init(&buf); -+ str_init(&buf, ctx); - - ret = str_append_data(&buf, XML_HEAD, sizeof(XML_HEAD) - 1); - if (ret < 0) { diff --git a/ocserv.changes b/ocserv.changes index 1604335..a75e322 100644 --- a/ocserv.changes +++ b/ocserv.changes 
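Review bot: The refreshed hunk still deletes the `if [ test -z "$LIBSYSTEMD" ];then` / `systemd_enabled="no"` fallback, so after this patch systemd_enabled is forced to "yes" whether or not AC_LIB_HAVE_LINKFLAGS found libsystemd, and the only thing left guarding the `sd_listen_fds` build is the spec's BuildRequires, which is not in view here. Upstream 0.10.5 now tests `$LIBSYSTEMD`, which is the variable AC_LIB_HAVE_LINKFLAGS(systemd, ...) is expected to set, so the patch's original reason (the old `$LIBSYSTEMD_DAEMON` name not being set on openSUSE) may no longer apply; please check whether the unpatched configure.ac detects systemd on openSUSE and drop the patch if it does. If it is kept, the `#PATCH-FIX-UPSTREAM` comment above `Patch1:` in ocserv.spec (hunk `@@ -27,8 +27,6 @@`) still names `$LIBSYSTEMD_DAEMON` and should name `$LIBSYSTEMD` instead. The patched configure.ac block continues past the end of this hunk.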
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Mon Jun 8 13:51:18 UTC 2015 - i@marguerite.su
+
+- set isolated-workers to false since we didn't build w/ seccomp yet
+- change systemd socket ports as well
+
+-------------------------------------------------------------------
+Sun Jun 7 04:47:47 UTC 2015 - i@marguerite.su
+
+- update version 0.10.5
+ * Added tgt-freshness-time option for gssapi/Kerberos authentication
+ option. That allows to specify the maximum number of seconds after
+ which a reauthentication with Kerberos is required to login to VPN.
+ * main/sec-mod: impose long timeouts on reads from sec-mod. That
+ would prevent issues when reading in a blocked in authentication
+ sec-mod.
+ * radius: When using radius accounting with certificate
+ authentication, properly notify of user session termination.
+ * radius: On definitely terminated sessions contact the radius server
+ as soon as possible. For sessions that can still be resumed the
+ radius server is contacted periodically after the cookies expire.
+ * radius: consider Acct-Interim-Interval when seen by the server.
+ That will be taken into account if groupconfig=true in radius
+ subconfig.
+ * Added configuration options persistent-cookies and session-timeout.
+ * radius: added support for Route-IPv6-Information,
+ Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address,
+ Session-Timeout.
+ * Corrected desync of main and sec-mod by introducing a synchronous
+ communication socket. Reported by Mani Behrouz.
+ * PAM: forward the actual prompt to worker process, and not only
+ informational messages.
+- drop ocserv-str_init.patch, upstream fixed.
+
 -------------------------------------------------------------------
 Fri Feb 13 11:28:14 UTC 2015 - i@marguerite.su
diff --git a/ocserv.config.patch b/ocserv.config.patch
index 9918e15..ef40546 100644
--- a/ocserv.config.patch
+++ b/ocserv.config.patch
@@ -1,17 +1,17 @@ -Index: ocserv-0.9.0/doc/sample.config +Index: ocserv-0.10.5/doc/sample.config =================================================================== ---- ocserv-0.9.0.orig/doc/sample.config -+++ ocserv-0.9.0/doc/sample.config -@@ -34,7 +34,7 @@ - #auth = "certificate[optional]" +--- ocserv-0.10.5.orig/doc/sample.config ++++ ocserv-0.10.5/doc/sample.config +@@ -36,7 +36,7 @@ + #auth = "pam" #auth = "pam[gid-min=1000]" --auth = "plain[./sample.passwd]" -+auth = "plain[/etc/ocserv/ocpasswd]" - #auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]" +-auth = "plain[passwd=./sample.passwd]" ++auth = "plain[passwd=/etc/ocserv/ocpasswd]" + #auth = "certificate" + #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" - # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of -@@ -68,8 +68,8 @@ max-same-clients = 2 +@@ -68,8 +68,8 @@ auth = "plain[passwd=./sample.passwd]" #listen-host-is-dyndns = true # TCP and UDP port number @@ -22,7 +22,16 @@ Index: ocserv-0.9.0/doc/sample.config # Accept connections using a socket file. It accepts HTTP # connections (i.e., without SSL/TLS unlike its TCP counterpart), -@@ -101,7 +101,7 @@ dpd = 90 +@@ -102,7 +102,7 @@ socket-file = /var/run/ocserv-socket + # system calls allowed to a worker process, in order to reduce damage from a + # bug in the worker process. It is available on Linux systems at a performance cost. + # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). +-isolate-workers = true ++isolate-workers = false + + # A banner to be displayed on clients + #banner = "Welcome" +@@ -148,7 +148,7 @@ dpd = 90 mobile-dpd = 1800 # MTU discovery (DPD must be enabled) 
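Review bot: The new inner hunk `@@ -102,7 +102,7 @@` ships `isolate-workers = false` in what is presumably installed as the default ocserv configuration (the same patch points `auth` at /etc/ocserv/ocpasswd), which turns off the seccomp/namespace worker sandbox that the surrounding sample.config text describes as reducing the damage from a bug in the worker process, and does so for every installation rather than only where seccomp support is missing. The ocserv.changes entry in this commit gives the reason as the package not yet being built with seccomp; the smaller change is to build with seccomp support and keep the upstream `isolate-workers = true` default, and no libseccomp BuildRequires is visible in the spec hunks shown here. If it has to stay off for now, keep the reason next to the setting by adding a line above it in the patched sample.config such as `# Disabled because this build lacks seccomp support; re-enable once it is compiled in`, so that an administrator sees why the sandbox is off. The patched sample.config section continues outside this hunk.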
@@ -31,7 +40,7 @@ Index: ocserv-0.9.0/doc/sample.config # The key and the certificates of the server # The key may be a file, or any URL supported by GnuTLS (e.g., -@@ -113,8 +113,8 @@ try-mtu-discovery = false +@@ -160,8 +160,8 @@ try-mtu-discovery = false # # There may be multiple server-cert and server-key directives, # but each key should correspond to the preceding certificate. @@ -42,16 +51,16 @@ Index: ocserv-0.9.0/doc/sample.config # Diffie-Hellman parameters. Only needed if you require support # for the DHE ciphersuites (by default this server supports ECDHE). -@@ -140,7 +140,7 @@ server-key = ../tests/server-key.pem +@@ -187,7 +187,7 @@ server-key = ../tests/server-key.pem # The Certificate Authority that will be used to verify # client certificates (public keys) if certificate authentication # is set. --#ca-cert = /path/to/ca.pem -+#ca-cert = /etc/ocserv/certificates/ca-cert.pem +-ca-cert = ../tests/ca.pem ++ca-cert = /etc/ocserv/certificates/ca-cert.pem # The object identifier that will be used to read the user ID in the client # certificate. The object identifier should be part of the certificate's DN -@@ -236,8 +236,8 @@ rekey-method = ssl +@@ -320,8 +320,8 @@ rekey-method = ssl # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes # output from the tun device, and the duration of the session in seconds. @@ -62,7 +71,7 @@ Index: ocserv-0.9.0/doc/sample.config # UTMP # Register the connected clients to utmp. This will allow viewing -@@ -302,7 +302,7 @@ ipv4-netmask = 255.255.255.0 +@@ -377,7 +377,7 @@ ipv4-netmask = 255.255.255.0 # The advertized DNS server. Use multiple lines for # multiple servers. # dns = fc00::4be0 
@@ -71,23 +80,29 @@ Index: ocserv-0.9.0/doc/sample.config # The NBNS server (if any) #nbns = 192.168.1.3 -@@ -342,8 +342,8 @@ ping-leases = false +@@ -414,8 +414,8 @@ ping-leases = false # comment out all routes from the server, or use the special keyword # 'default'. --route = 192.168.1.0/255.255.255.0 --route = 192.168.5.0/255.255.255.0 -+#route = 192.168.1.0/255.255.255.0 -+#route = 192.168.5.0/255.255.255.0 +-route = 10.10.10.0/255.255.255.0 +-route = 192.168.0.0/255.255.0.0 ++#route = 10.10.10.0/255.255.255.0 ++#route = 192.168.0.0/255.255.0.0 #route = fef4:db8:1000:1001::/64 - # Groups that a client is allowed to select from. -@@ -411,7 +411,7 @@ route = 192.168.5.0/255.255.255.0 - # for clients to present their certificate on every connection. - # That is they may resume a cookie without presenting a certificate - # (when certificate authentication is used). --#cisco-client-compat = true -+cisco-client-compat = true + # Subsets of the routes above that will not be routed by +Index: ocserv-0.10.5/doc/systemd/socket-activated/ocserv.socket +=================================================================== +--- ocserv-0.10.5.orig/doc/systemd/socket-activated/ocserv.socket ++++ ocserv-0.10.5/doc/systemd/socket-activated/ocserv.socket +@@ -2,8 +2,8 @@ + Description=OpenConnect SSL VPN server Socket - # Client profile xml. A sample file exists in doc/profile.xml. - # It is required by some of the CISCO clients. + [Socket] +-ListenStream=443 +-ListenDatagram=443 ++ListenStream=9000 ++ListenDatagram=9001 + BindIPv6Only=default + Accept=false + ReusePort=true diff --git a/ocserv.spec b/ocserv.spec index b569d71..0c09ec0 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -16,7 +16,7 @@ # Name: ocserv -Version: 0.9.0.1 +Version: 0.10.5 Release: 0 License: GPL-2.0+ Summary: OpenConnect VPN Server 
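Review bot: The added ocserv.socket hunk hard-codes `ListenStream=9000` and `ListenDatagram=9001`, and socket activation only works if these agree with the `tcp-port`/`udp-port` values set by the sample.config port hunk (`@@ -68,8 +68,8 @@`) earlier in this patch, whose changed lines are not shown here; please confirm the two stay in step, and consider a line above them in ocserv.socket such as `# Must match tcp-port / udp-port in the installed ocserv configuration` so the coupling is visible to whoever next changes either file. The same outer hunk also drops the override that set `cisco-client-compat = true` and comments out the two default `route =` lines, and neither change is recorded in the ocserv.changes entry of this commit even though both alter what a client is offered by default; a short line in the changelog for each would help. The patched sample.config and ocserv.socket files both continue outside this hunk.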
@@ -27,8 +27,6 @@ Source1: ca.tmpl
 Source2: server.tmpl
 Source3: user.tmpl
 Source99: README.SUSE
-#PATCH-FIX-UPSTREAM marguerite@opensuse.org str_init lacks a parameter
-Patch: %{name}-str_init.patch
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE
 Patch1: %{name}-enable-systemd.patch
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org tweak configuration
@@ -75,8 +73,7 @@ escalation due to any bug on the VPN handling (worker) process.
 A management interface allows for viewing and querying logged-in users.
 %prep
-%setup -q -n %{name}-0.9.0
-%patch -p1
+%setup -q
 %patch1 -p1
 %patch2 -p1
 autoreconf -fiv