made detection of gnutls capabilities dynamic

ocserv-0.10.2-dynamic.patch

@@ -0,0 +1,89 @@
+diff --git a/src/tlslib.c b/src/tlslib.c
+index 86a2413..1aabd9f 100644
+--- a/src/tlslib.c
++++ b/src/tlslib.c
+@@ -828,6 +828,7 @@ unsigned i;
+ 	return retval;
+ }
+ 
++
+ size_t tls_get_overhead(gnutls_protocol_t version, gnutls_cipher_algorithm_t cipher, gnutls_mac_algorithm_t mac)
+ {
+ #if GNUTLS_VERSION_NUMBER >= 0x030207
+@@ -840,9 +841,7 @@ unsigned block_size;
+ 	switch(version) {
+ 		case GNUTLS_DTLS0_9:
+ 		case GNUTLS_DTLS1_0:
+-#if GNUTLS_VERSION_NUMBER >= 0x030200
+ 		case GNUTLS_DTLS1_2:
+-#endif
+ 			overhead += 13;
+ 			break;
+ 		default:
+diff --git a/src/tlslib.h b/src/tlslib.h
+index 7fc71af..8c20150 100644
+--- a/src/tlslib.h
++++ b/src/tlslib.h
+@@ -27,6 +27,10 @@
+ #include <ccan/htable/htable.h>
+ #include <errno.h>
+ 
++# if GNUTLS_VERSION_NUMBER < 0x030200
++#  define GNUTLS_DTLS1_2 202
++# endif
++
+ typedef struct 
+ {
+ 	struct htable *ht;
+diff --git a/src/worker-http.c b/src/worker-http.c
+index e7161e2..b8de179 100644
+--- a/src/worker-http.c
++++ b/src/worker-http.c
+@@ -76,7 +76,6 @@ const static struct known_urls_st known_urls[] = {
+  * HTTP headers (WTF), and the compression negotiation.
+  */
+ static const dtls_ciphersuite_st ciphersuites[] = {
+-#if GNUTLS_VERSION_NUMBER >= 0x030207
+ 	{
+ 	 .oc_name = CS_AES128_GCM,
+ 	 .gnutls_name =
+@@ -84,6 +83,7 @@ static const dtls_ciphersuite_st ciphersuites[] = {
+ 	 .gnutls_version = GNUTLS_DTLS1_2,
+ 	 .gnutls_mac = GNUTLS_MAC_AEAD,
+ 	 .gnutls_cipher = GNUTLS_CIPHER_AES_128_GCM,
++	 .txt_version = "3.2.7",
+ 	 .server_prio = 90},
+ 	{
+ 	 .oc_name = CS_AES256_GCM,
+@@ -93,8 +93,8 @@ static const dtls_ciphersuite_st ciphersuites[] = {
+ 	 .gnutls_mac = GNUTLS_MAC_AEAD,
+ 	 .gnutls_cipher = GNUTLS_CIPHER_AES_256_GCM,
+ 	 .server_prio = 80,
++	 .txt_version = "3.2.7",
+ 	 },
+-#endif
+ 	{
+ 	 .oc_name = "AES128-SHA",
+ 	 .gnutls_name =
+@@ -256,6 +256,9 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req)
+ 			     i < sizeof(ciphersuites) / sizeof(ciphersuites[0]);
+ 			     i++) {
+ 				if (strcmp(token, ciphersuites[i].oc_name) == 0) {
++					if (ciphersuites[i].txt_version != NULL && gnutls_check_version(ciphersuites[i].txt_version) == NULL)
++						continue; /* not supported */
++
+ 					if (cand == NULL ||
+ 					    cand->server_prio <
+ 					    ciphersuites[i].server_prio) {
+diff --git a/src/worker.h b/src/worker.h
+index 9584532..d4f31f4 100644
+--- a/src/worker.h
++++ b/src/worker.h
+@@ -102,6 +102,7 @@ typedef struct dtls_ciphersuite_st {
+ 	unsigned gnutls_cipher;
+ 	unsigned gnutls_mac;
+ 	unsigned gnutls_version;
++	const char *txt_version;
+ } dtls_ciphersuite_st;
+ 
+ #ifdef HAVE_GSSAPI

ocserv.spec

@@ -2,7 +2,7 @@
 
 Name:		ocserv
 Version:	0.10.2
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	OpenConnect SSL VPN server
 
 # For a breakdown of the licensing, see PACKAGE-LICENSING 
@@ -18,6 +18,7 @@ Source6:	ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
 Source7:	ocserv-genkey
 Source8:	ocserv-script
 Patch0:		ocserv-0.10.2-libtasn1.patch
+Patch1:		ocserv-0.10.2-dynamic.patch
 
 # Taken from upstream:
 # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
@@ -86,6 +87,7 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config
 sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/*
 touch src/*.proto
 %patch0 -p1 -b .libtasn1
+%patch1 -p1 -b .dynamic
 
 %build
 autoreconf -ifv
@@ -158,6 +160,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 
 %changelog
+* Mon Mar 30 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.2-2
+- Detection of gnutls capabilities is done dynamically
+
 * Mon Mar 30 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.10.2-1
 - new upstream release