Accepting request 314133 from home:MargueriteSu

OBS-URL: https://build.opensuse.org/request/show/314133
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=2

ocserv-0.10.5.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:62a2b087f21b257a1ea433c12f6937d2a2f5ef30eedbe4739b0407405de474b8
+size 705828

ocserv-0.9.0.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6428e895b59ea412cd3ef3fff37c107a7d443616384a2fd911810458db80cf56
-size 656716

ocserv-enable-systemd.patch

@@ -1,12 +1,12 @@
-Index: ocserv-0.9.0/configure.ac
+Index: ocserv-0.10.5/configure.ac
 ===================================================================
---- ocserv-0.9.0.orig/configure.ac
+--- ocserv-0.10.5.orig/configure.ac
-+++ ocserv-0.9.0/configure.ac
++++ ocserv-0.10.5/configure.ac
-@@ -319,11 +319,7 @@ AC_ARG_ENABLE(systemd,
+@@ -297,11 +297,7 @@ AC_ARG_ENABLE(systemd,
  
  if [ test "$systemd_enabled" = "yes" ];then
  AC_LIB_HAVE_LINKFLAGS(systemd,, [#include <systemd/sd-daemon.h>], [sd_listen_fds(0);])
-- if [ test -z "$LIBSYSTEMD_DAEMON" ];then
+- if [ test -z "$LIBSYSTEMD" ];then
 -	systemd_enabled="no"
 - else
  	systemd_enabled="yes"

ocserv-str_init.patch

@@ -1,13 +0,0 @@
-Index: ocserv-0.9.0/src/main-ctl-dbus.c
-===================================================================
---- ocserv-0.9.0.orig/src/main-ctl-dbus.c
-+++ ocserv-0.9.0/src/main-ctl-dbus.c
-@@ -946,7 +946,7 @@ static void method_introspect(main_serve
- 
- 	mslog(s, NULL, LOG_DEBUG, "ctl: introspect");
- 
--	str_init(&buf);
-+	str_init(&buf, ctx);
- 
- 	ret = str_append_data(&buf, XML_HEAD, sizeof(XML_HEAD) - 1);
- 	if (ret < 0) {

ocserv.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Mon Jun  8 13:51:18 UTC 2015 - i@marguerite.su
+
+- set isolated-workers to false since we didn't build w/ seccomp yet
+- change systemd socket ports as well
+
+-------------------------------------------------------------------
+Sun Jun  7 04:47:47 UTC 2015 - i@marguerite.su
+
+- update version 0.10.5
+  * Added tgt-freshness-time option for gssapi/Kerberos authentication
+    option. That allows to specify the maximum number of seconds after
+    which a reauthentication with Kerberos is required to login to VPN.
+  * main/sec-mod: impose long timeouts on reads from sec-mod. That 
+    would prevent issues when reading in a blocked in authentication
+    sec-mod.
+  * radius: When using radius accounting with certificate 
+    authentication, properly notify of user session termination.
+  * radius: On definitely terminated sessions contact the radius server
+    as soon as possible. For sessions that can still be resumed the 
+    radius server is contacted periodically after the cookies expire.
+  * radius: consider Acct-Interim-Interval when seen by the server. 
+    That will be taken into account if groupconfig=true in radius 
+    subconfig.
+  * Added configuration options persistent-cookies and session-timeout.
+  * radius: added support for Route-IPv6-Information, 
+    Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address, 
+    Session-Timeout.
+  * Corrected desync of main and sec-mod by introducing a synchronous 
+    communication socket. Reported by Mani Behrouz.
+  * PAM: forward the actual prompt to worker process, and not only 
+    informational messages.
+- drop ocserv-str_init.patch, upstream fixed.
+
 -------------------------------------------------------------------
 Fri Feb 13 11:28:14 UTC 2015 - i@marguerite.su
 

ocserv.config.patch

@@ -1,17 +1,17 @@
-Index: ocserv-0.9.0/doc/sample.config
+Index: ocserv-0.10.5/doc/sample.config
 ===================================================================
---- ocserv-0.9.0.orig/doc/sample.config
+--- ocserv-0.10.5.orig/doc/sample.config
-+++ ocserv-0.9.0/doc/sample.config
++++ ocserv-0.10.5/doc/sample.config
-@@ -34,7 +34,7 @@
+@@ -36,7 +36,7 @@
- #auth = "certificate[optional]"
+ 
  #auth = "pam"
  #auth = "pam[gid-min=1000]"
--auth = "plain[./sample.passwd]"
+-auth = "plain[passwd=./sample.passwd]"
-+auth = "plain[/etc/ocserv/ocpasswd]"
++auth = "plain[passwd=/etc/ocserv/ocpasswd]"
- #auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
+ #auth = "certificate"
+ #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
  
- # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
+@@ -68,8 +68,8 @@ auth = "plain[passwd=./sample.passwd]"
-@@ -68,8 +68,8 @@ max-same-clients = 2
  #listen-host-is-dyndns = true
  
  # TCP and UDP port number
@@ -22,7 +22,16 @@ Index: ocserv-0.9.0/doc/sample.config
  
  # Accept connections using a socket file. It accepts HTTP
  # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -101,7 +101,7 @@ dpd = 90
+@@ -102,7 +102,7 @@ socket-file = /var/run/ocserv-socket
+ # system calls allowed to a worker process, in order to reduce damage from a
+ # bug in the worker process. It is available on Linux systems at a performance cost.
+ # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
+-isolate-workers = true
++isolate-workers = false
+ 
+ # A banner to be displayed on clients
+ #banner = "Welcome"
+@@ -148,7 +148,7 @@ dpd = 90
  mobile-dpd = 1800
  
  # MTU discovery (DPD must be enabled)
@@ -31,7 +40,7 @@ Index: ocserv-0.9.0/doc/sample.config
  
  # The key and the certificates of the server
  # The key may be a file, or any URL supported by GnuTLS (e.g., 
-@@ -113,8 +113,8 @@ try-mtu-discovery = false
+@@ -160,8 +160,8 @@ try-mtu-discovery = false
  #
  # There may be multiple server-cert and server-key directives,
  # but each key should correspond to the preceding certificate.
@@ -42,16 +51,16 @@ Index: ocserv-0.9.0/doc/sample.config
  
  # Diffie-Hellman parameters. Only needed if you require support
  # for the DHE ciphersuites (by default this server supports ECDHE).
-@@ -140,7 +140,7 @@ server-key = ../tests/server-key.pem
+@@ -187,7 +187,7 @@ server-key = ../tests/server-key.pem
  # The Certificate Authority that will be used to verify
  # client certificates (public keys) if certificate authentication
  # is set.
--#ca-cert = /path/to/ca.pem
+-ca-cert = ../tests/ca.pem
-+#ca-cert = /etc/ocserv/certificates/ca-cert.pem
++ca-cert = /etc/ocserv/certificates/ca-cert.pem
  
  # The object identifier that will be used to read the user ID in the client 
  # certificate. The object identifier should be part of the certificate's DN
-@@ -236,8 +236,8 @@ rekey-method = ssl
+@@ -320,8 +320,8 @@ rekey-method = ssl
  # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
  # output from the tun device, and the duration of the session in seconds.
  
@@ -62,7 +71,7 @@ Index: ocserv-0.9.0/doc/sample.config
  
  # UTMP
  # Register the connected clients to utmp. This will allow viewing
-@@ -302,7 +302,7 @@ ipv4-netmask = 255.255.255.0
+@@ -377,7 +377,7 @@ ipv4-netmask = 255.255.255.0
  # The advertized DNS server. Use multiple lines for
  # multiple servers.
  # dns = fc00::4be0
@@ -71,23 +80,29 @@ Index: ocserv-0.9.0/doc/sample.config
  
  # The NBNS server (if any)
  #nbns = 192.168.1.3
-@@ -342,8 +342,8 @@ ping-leases = false
+@@ -414,8 +414,8 @@ ping-leases = false
  # comment out all routes from the server, or use the special keyword
  # 'default'.
  
--route = 192.168.1.0/255.255.255.0
+-route = 10.10.10.0/255.255.255.0
--route = 192.168.5.0/255.255.255.0
+-route = 192.168.0.0/255.255.0.0
-+#route = 192.168.1.0/255.255.255.0
++#route = 10.10.10.0/255.255.255.0
-+#route = 192.168.5.0/255.255.255.0
++#route = 192.168.0.0/255.255.0.0
  #route = fef4:db8:1000:1001::/64
  
- # Groups that a client is allowed to select from.
+ # Subsets of the routes above that will not be routed by
-@@ -411,7 +411,7 @@ route = 192.168.5.0/255.255.255.0
+Index: ocserv-0.10.5/doc/systemd/socket-activated/ocserv.socket
- # for clients to present their certificate on every connection.
+===================================================================
- # That is they may resume a cookie without presenting a certificate
+--- ocserv-0.10.5.orig/doc/systemd/socket-activated/ocserv.socket
- # (when certificate authentication is used).
++++ ocserv-0.10.5/doc/systemd/socket-activated/ocserv.socket
--#cisco-client-compat = true
+@@ -2,8 +2,8 @@
-+cisco-client-compat = true
+ Description=OpenConnect SSL VPN server Socket
  
- # Client profile xml. A sample file exists in doc/profile.xml.
+ [Socket]
- # It is required by some of the CISCO clients.
+-ListenStream=443
+-ListenDatagram=443
++ListenStream=9000
++ListenDatagram=9001
+ BindIPv6Only=default
+ Accept=false
+ ReusePort=true

ocserv.spec

@@ -16,7 +16,7 @@
 #
 
 Name:           ocserv
-Version:	0.9.0.1
+Version:	0.10.5
 Release:	0
 License:	GPL-2.0+
 Summary:	OpenConnect VPN Server
@@ -27,8 +27,6 @@ Source1:	ca.tmpl
 Source2:	server.tmpl
 Source3:	user.tmpl
 Source99:	README.SUSE
-#PATCH-FIX-UPSTREAM marguerite@opensuse.org str_init lacks a parameter
-Patch:	%{name}-str_init.patch
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE
 Patch1:	%{name}-enable-systemd.patch
 #PATCH-FIX-UPSTREAM marguerite@opensuse.org tweak configuration
@@ -75,8 +73,7 @@ escalation due to any bug on the VPN handling (worker) process.
 A management interface allows for viewing and querying logged-in users. 
 
 %prep
-%setup -q -n %{name}-0.9.0
+%setup -q
-%patch -p1
 %patch1 -p1
 %patch2 -p1
 autoreconf -fiv