From a5336195d4380cd039642542160a9321ed9894f1 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 23 Apr 2018 13:00:38 +0200 Subject: [PATCH] Update to 0.12.0-1 - Update to upstream 0.12.0 release
---
 .gitignore | 11 +++++++
 ocserv-0.12.0-add-missing-test.patch | 46 ++++++++++++++++++++++++++++
 ocserv.conf | 27 +++++++++++-----
 ocserv.spec | 34 +++++++++++---------
 sources | 6 ++--
 5 files changed, 99 insertions(+), 25 deletions(-)
 create mode 100644 ocserv-0.12.0-add-missing-test.patch
diff --git a/.gitignore b/.gitignore
index 3f616bf..fb7efd3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -105,3 +105,14 @@
 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 /ocserv-0.11.11.tar.xz.sig
 /ocserv-0.11.11.tar.xz
+/ocserv.init
+/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
+/ocserv-script
+/ocserv-genkey
+/PACKAGE-LICENSING
+/ocserv-pamd.conf
+/ocserv.service
+/ocserv.conf
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/ocserv-0.12.0.tar.xz.sig
+/ocserv-0.12.0.tar.xz
diff --git a/ocserv-0.12.0-add-missing-test.patch b/ocserv-0.12.0-add-missing-test.patch
new file mode 100644
index 0000000..91e1f6b
--- /dev/null
+++ b/ocserv-0.12.0-add-missing-test.patch
@@ -0,0 +1,46 @@
+diff --git a/tests/server-cert-rsa-pss b/tests/server-cert-rsa-pss
+new file mode 100755
+index 0000000..be3d098
+--- /dev/null
++++ b/tests/server-cert-rsa-pss
+@@ -0,0 +1,40 @@
++#!/bin/sh
++#
++# Copyright (C) 2017 Red Hat, Inc.
++#
++# This file is part of ocserv.
++#
++# ocserv is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at
++# your option) any later version.
++#
++# ocserv is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++SERV="${SERV:-../src/ocserv}"
++srcdir=${srcdir:-.}
++NO_NEED_ROOT=1
++PORT=4444
++
++. `dirname $0`/common.sh
++
++echo "Testing server cert with RSA-PSS... "
++
++update_config test-rsa-pss.config
++launch_sr_server -d 1 -f -c ${CONFIG} & PID=$!
++wait_server $PID
++
++echo "Connecting to obtain cookie... "
++( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT -q $ADDRESS:$PORT -u test --servercert=sha256:7462b697482f771a9a787bc19db00f704a1685ae09ed201b7a126b052a09522e --cookieonly ) ||
++ fail $PID "Could not receive cookie from server"
++
++cleanup
++
++exit 0
diff --git a/ocserv.conf b/ocserv.conf
index 96082b7..63ac7db 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -1,12 +1,19 @@
-# User authentication method. Could be set multiple times and in
-# that case all should succeed. To enable multiple methods use
-# multiple auth directives. Available options: certificate,
-# plain, pam, radius, gssapi.
+### The following directives do not change with server reload.
+#
+# User authentication method. To require multiple methods to be
+# used for the user to login, add multiple auth directives. The values
+# in the 'auth' directive are AND composed (if multiple all must
+# succeed).
+# Available options: certificate, plain, pam, radius, gssapi.
+# Note that authentication methods utilizing passwords cannot be
+# combined (e.g., the plain, pam or radius methods).
 #
-# Note that authentication methods cannot be changed with reload.
-
 # certificate:
 # This indicates that all connecting users must present a certificate.
+# The username and user group will be then extracted from it (see
+# cert-user-oid and cert-group-oid). The certificate to be accepted
+# it must be signed by the CA certificate as specified in 'ca-cert' and
+# it must not be listed in the CRL, as specified by the 'crl' option.
 #
 # pam[gid-min=1000]:
 # This enabled PAM authentication of the user. The gid-min option is used
@@ -44,7 +51,9 @@ auth = "pam"
 # Specify alternative authentication methods that are sufficient
 # for authentication. That is, if set, any of the methods enabled
-# will be sufficient to login.
+# will be sufficient to login, irrespective of the main 'auth' entries.
+# When multiple options are present, they are OR composed (any of them
+# succeeding allows login).
 #enable-auth = "certificate"
 #enable-auth = "gssapi"
 #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
@@ -176,6 +185,10 @@ try-mtu-discovery = false
 #
 # There may be multiple server-cert and server-key directives,
 # but each key should correspond to the preceding certificate.
+# The certificate files will be reloaded when changed allowing for in-place
+# certificate renewal (they are checked and reloaded periodically;
+# a SIGHUP signal to main server will force reload).
+
 server-cert = /etc/pki/ocserv/public/server.crt
 server-key = /etc/pki/ocserv/private/server.key
diff --git a/ocserv.spec b/ocserv.spec
index 7a0069e..3d34685 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,6 +1,7 @@
 # This spec file has been automatically updated
-Version: 0.11.11
+Version: 0.12.0
 Release: 1%{?dist}
+Patch1: ocserv-0.12.0-add-missing-test.patch
 %global _hardened_build 1
 %if 0%{?fedora} || 0%{?rhel} >= 7
@@ -18,11 +19,6 @@ Release: 1%{?dist}
 %endif
 %define use_local_protobuf 0
-%if 0%{?rhel} && 0%{?rhel} == 7
-%ifarch ppc64
-%define use_local_protobuf 1
-%endif
-%endif
 Name: ocserv
 Summary: OpenConnect SSL VPN server
@@ -78,8 +74,6 @@ BuildRequires: GeoIP-devel
 %if %{use_systemd}
 BuildRequires: systemd
 BuildRequires: systemd-devel
-BuildRequires: autogen-libopts-devel
-BuildRequires: autogen
 BuildRequires: liboath-devel
 BuildRequires: uid_wrapper
 BuildRequires: socket_wrapper
@@ -97,6 +91,11 @@ BuildRequires: libseccomp-devel
 %endif #use systemd
+# no rubygem in epel7
+%if 0%{?fedora} || 0%{?rhel} > 7
+BuildRequires: rubygem(ronn)
+%endif
+
 Requires: gnutls-utils
 Requires: iproute
 Requires: pam
@@ -126,7 +125,8 @@ to provide the secure VPN service.
 %if %{have_gpgv2}
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
 %endif
-%setup -q
+
+%autosetup -p1
 rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
 %if (0%{?use_local_protobuf} == 0)
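Review bot: The distro condition `0%{?fedora} || 0%{?rhel} > 7` guarding `BuildRequires: rubygem(ronn)` is repeated verbatim in the %files hunk that wraps the three man pages, and the two copies must stay identical or a build will either lack ronn and fail to generate the pages or list pages that were never built. The file already uses the `%if %{use_systemd}` / `%if %{have_gpgv2}` pattern, so define the condition once, `%global have_ronn 0%{?fedora} || 0%{?rhel} > 7`, next to the other globals and write `%if %{have_ronn}` in both places. The comment `# no rubygem in epel7` would also be more useful as `# ronn (rubygem) builds the man pages; not available in epel7`, which is what the %files condition depends on.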
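Review bot: `%autosetup -p1` is where the new 0.12.0 tarball is unpacked, and the only integrity check before it is the `gpgv2 --keyring %{SOURCE2} … || gpgv2 --keyring %{SOURCE10} …` pair shown as context, which is skipped altogether when `have_gpgv2` is unset. The .gitignore hunk adds a new key file, `gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg`, but no hunk in this diff references it as a Source or hashes it in `sources`, and the SOURCE2/SOURCE10 definitions are outside the diff, so it is not visible here whether the key that signed ocserv-0.12.0.tar.xz.sig is in one of the two keyrings. Please confirm that, and if the key is new, add it as a Source and to `sources` in the same commit so the verification remains effective on the new release. A comment above the `%if %{have_gpgv2}` block such as `# Source0 must verify against one of the upstream release keys (Source2/Source10); add new keys here and to 'sources'` would make that maintenance step explicit.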
@@ -140,14 +140,13 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config
 # GPLv3 in headers is a gnulib bug:
 # http://lists.gnu.org/archive/html/bug-gnulib/2013-11/msg00062.html
 sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/*
-sed -i 's/exit 1/exit 77/g' tests/ocpasswd-test
 %if 0%{?rhel} && 0%{?rhel} <= 6
 echo "int main() { return 77; }" > tests/valid-hostname.c
-%else
-rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h
 %endif
+chmod 755 tests/server-cert-rsa-pss
+
 %build
 %if 0%{?rhel} && 0%{?rhel} <= 6
@@ -165,9 +164,6 @@ autoreconf -fvi
 %else
 --disable-systemd \
 %endif
-%if 0%{?rhel} && 0%{?rhel} <= 6
- --enable-local-libopts \
-%endif
 %if %{use_local_protobuf}
 --without-protobuf \
 %endif
@@ -245,9 +241,14 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name}
 %doc AUTHORS ChangeLog NEWS COPYING LICENSE README.md TODO PACKAGE-LICENSING
 %doc src/ccan/licenses/CC0 src/ccan/licenses/LGPL-2.1 src/ccan/licenses/BSD-MIT
+
+## Temporarily disable when rubygem is not present; there is a bug in 0.12.0 dist
+%if 0%{?fedora} || 0%{?rhel} > 7
 %{_mandir}/man8/ocserv.8*
 %{_mandir}/man8/occtl.8*
 %{_mandir}/man8/ocpasswd.8*
+%endif
+
 %{_bindir}/ocpasswd
 %{_bindir}/occtl
 %{_bindir}/ocserv-fw
@@ -262,6 +263,9 @@ install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name}
 %endif
 %changelog
+* Mon Apr 23 2018 Nikos Mavrogiannopoulos - 0.12.0-1
+- Update to upstream 0.12.0 release
+
 * Mon Mar 05 2018 Nikos Mavrogiannopoulos - 0.11.11-1
 - Update to upstream 0.11.11 release
diff --git a/sources b/sources
index 2f7f48b..db4b5fa 100644
--- a/sources
+++ b/sources
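Review bot: `chmod 755 tests/server-cert-rsa-pss` carries no comment, and its purpose is only discoverable by reading Patch1, whose inner header says `new file mode 100755`; the chmod presumably exists because that mode bit is not applied by patch(1) on every build target, leaving the new test non-executable for the harness. Add `# Patch1 adds tests/server-cert-rsa-pss; restore the executable bit the patch header declares, as patch(1) may not apply it` above the line. The same hunk also drops the `sed -i 's/exit 1/exit 77/g' tests/ocpasswd-test` workaround and the libopts cleanup without a changelog or comment mention; a one-line note that 0.12.0 no longer needs them would spare the next updater from re-deriving it.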
@@ -5,7 +5,7 @@ SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e1
 SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68
 SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a
 SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644
-SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c
+SHA512 (ocserv.conf) = 5b68a3547c6c69bf7c2b322692d6382162a587c47edad97690223c36f30ed98d3869d1ce063c630740d91888a4d70aadd657ddc6052c10e6e26800fca2e9d0c0
 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 3b1989dc6a64d1140f83a2af0773da2adb03c50d97b6da7357cf09525050651aafa21131f1e3180baa540a8af922119a256f5ff5bcd6602996a806e8e1816bad
-SHA512 (ocserv-0.11.11.tar.xz.sig) = 7a1521f94d48d7aafb66e6c544eb2e1c5a08d02441acc5f57876faaa984ad203f0395da37e602ad5539f54aa0ce1ff5da7389254028f6b811a9e01d6f86b1e84
-SHA512 (ocserv-0.11.11.tar.xz) = 1750e4ddd221913f82379ed34cf63f2ce858d73cfda0bcf60670a32bf2e8574a39f267c77abab78d2cf9a563a816d975e1a07b85c5e2412bd6d009850c8c262d
+SHA512 (ocserv-0.12.0.tar.xz.sig) = a746e72ba07bf7d28104385a70ba4c685389353368d02383eb385aece19ccc9d51a86226371338dbe1737046e403b17e351a04ffa2674ca594bf9e467438b534
+SHA512 (ocserv-0.12.0.tar.xz) = 73e39a6073761a42cff7637fdc0748d969dc6ddd80635633487aa2627ae7234af772194cf27fdded9f08637b26d7ca9017555242ccdb6ade03897f9d4ca4de8d