diff --git a/ocserv-0.10.2-dynamic.patch b/ocserv-0.10.2-dynamic.patch
new file mode 100644
index 0000000..032a2d3
--- /dev/null
+++ b/ocserv-0.10.2-dynamic.patch
@@ -0,0 +1,89 @@
+diff --git a/src/tlslib.c b/src/tlslib.c
+index 86a2413..1aabd9f 100644
+--- a/src/tlslib.c
++++ b/src/tlslib.c
+@@ -828,6 +828,7 @@ unsigned i;
+ return retval;
+ }
+
++
+ size_t tls_get_overhead(gnutls_protocol_t version, gnutls_cipher_algorithm_t cipher, gnutls_mac_algorithm_t mac)
+ {
+ #if GNUTLS_VERSION_NUMBER >= 0x030207
+@@ -840,9 +841,7 @@ unsigned block_size;
+ switch(version) {
+ case GNUTLS_DTLS0_9:
+ case GNUTLS_DTLS1_0:
+-#if GNUTLS_VERSION_NUMBER >= 0x030200
+ case GNUTLS_DTLS1_2:
+-#endif
+ overhead += 13;
+ break;
+ default:
+diff --git a/src/tlslib.h b/src/tlslib.h
+index 7fc71af..8c20150 100644
+--- a/src/tlslib.h
++++ b/src/tlslib.h
+@@ -27,6 +27,10 @@
+ #include
+ #include
+
++# if GNUTLS_VERSION_NUMBER < 0x030200
++# define GNUTLS_DTLS1_2 202
++# endif
++
+ typedef struct
+ {
+ struct htable *ht;
+diff --git a/src/worker-http.c b/src/worker-http.c
+index e7161e2..b8de179 100644
+--- a/src/worker-http.c
++++ b/src/worker-http.c
+@@ -76,7 +76,6 @@ const static struct known_urls_st known_urls[] = {
+ * HTTP headers (WTF), and the compression negotiation.
+ */
+ static const dtls_ciphersuite_st ciphersuites[] = {
+-#if GNUTLS_VERSION_NUMBER >= 0x030207
+ {
+ .oc_name = CS_AES128_GCM,
+ .gnutls_name =
+@@ -84,6 +83,7 @@ static const dtls_ciphersuite_st ciphersuites[] = {
+ .gnutls_version = GNUTLS_DTLS1_2,
+ .gnutls_mac = GNUTLS_MAC_AEAD,
+ .gnutls_cipher = GNUTLS_CIPHER_AES_128_GCM,
++ .txt_version = "3.2.7",
+ .server_prio = 90},
+ {
+ .oc_name = CS_AES256_GCM,
+@@ -93,8 +93,8 @@ static const dtls_ciphersuite_st ciphersuites[] = {
+ .gnutls_mac = GNUTLS_MAC_AEAD,
+ .gnutls_cipher = GNUTLS_CIPHER_AES_256_GCM,
+ .server_prio = 80,
++ .txt_version = "3.2.7",
+ },
+-#endif
+ {
+ .oc_name = "AES128-SHA",
+ .gnutls_name =
+@@ -256,6 +256,9 @@ void header_value_check(struct worker_st *ws, struct http_req_st *req)
+ i < sizeof(ciphersuites) / sizeof(ciphersuites[0]);
+ i++) {
+ if (strcmp(token, ciphersuites[i].oc_name) == 0) {
++ if (ciphersuites[i].txt_version != NULL && gnutls_check_version(ciphersuites[i].txt_version) == NULL)
++ continue; /* not supported */
++
+ if (cand == NULL ||
+ cand->server_prio <
+ ciphersuites[i].server_prio) {
+diff --git a/src/worker.h b/src/worker.h
+index 9584532..d4f31f4 100644
+--- a/src/worker.h
++++ b/src/worker.h
+@@ -102,6 +102,7 @@ typedef struct dtls_ciphersuite_st {
+ unsigned gnutls_cipher;
+ unsigned gnutls_mac;
+ unsigned gnutls_version;
++ const char *txt_version;
+ } dtls_ciphersuite_st;
+
+ #ifdef HAVE_GSSAPI
diff --git a/ocserv.spec b/ocserv.spec
index ab14b01..c0d9620 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -2,7 +2,7 @@
 Name: ocserv
 Version: 0.10.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: OpenConnect SSL VPN server
 # For a breakdown of the licensing, see PACKAGE-LICENSING
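Review bot: The new runtime gate in header_value_check calls gnutls_check_version() for every matching ciphersuite on every header token it parses, re-evaluating a result that cannot change for the lifetime of the process; since this looks like the client-supplied header path, it is better computed once (for example a per-entry "supported" flag filled at startup) than on each request. header_value_check starts and ends outside this hunk. The tlslib.h fallback `# define GNUTLS_DTLS1_2 202` copies a library enum value by hand and should say so, e.g. `/* numeric value of gnutls_protocol_t GNUTLS_DTLS1_2; absent from gnutls headers before 3.2.0 */`, and if that fallback is ever actually needed the GCM entries in worker-http.c still reference GNUTLS_MAC_AEAD and GNUTLS_CIPHER_AES_*_GCM unconditionally, which presumably needs the same treatment against the oldest gnutls the build allows — worth confirming. Minor style: `.txt_version` sits before `.server_prio` in the AES128 entry and after it in the AES256 entry, and the tlslib.c hunk adds a stray second blank line ahead of tls_get_overhead.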
@@ -18,6 +18,7 @@ Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
 Source7: ocserv-genkey
 Source8: ocserv-script
 Patch0: ocserv-0.10.2-libtasn1.patch
+Patch1: ocserv-0.10.2-dynamic.patch
 # Taken from upstream:
 # http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
@@ -86,6 +87,7 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/*.config
 sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/*
 touch src/*.proto
 %patch0 -p1 -b .libtasn1
+%patch1 -p1 -b .dynamic
 %build
 autoreconf -ifv
@@ -158,6 +160,9 @@ rm -rf %{buildroot}
 %{_localstatedir}/lib/ocserv/profile.xml
 %changelog
+* Mon Mar 30 2015 Nikos Mavrogiannopoulos - 0.10.2-2
+- Detection of gnutls capabilities is done dynamically
+
 * Mon Mar 30 2015 Nikos Mavrogiannopoulos - 0.10.2-1
 - new upstream release
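Review bot: The new `Patch1:` line lands directly above the existing `# Taken from upstream:` comment, so a reader can no longer tell whether that comment (and the commit URL under it) describes ocserv-0.10.2-libtasn1.patch or the new dynamic patch; the changelog entry only says what the patch does, not where it came from. A one-line provenance note above Patch1, such as `# Runtime detection of gnutls capabilities; downstream change, see <upstream commit or bug id>`, would keep the origin of each carried patch auditable. The comment's original referent is not visible in this hunk, so which patch it belongs to cannot be confirmed from here.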