Update to 0.11.8-1

- Update to upstream 0.11.8 release
2017-05-03 03:10:13 +02:00 · 2017-05-03 03:10:13 +02:00 · c1e25d54e3
commit c1e25d54e3
parent 80cb8b94e5
8 changed files with 222 additions and 29 deletions
--- a/.gitignore
+++ b/.gitignore
@ -61,3 +61,14 @@
 /gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
 /ocserv-0.11.7.tar.xz.sig
 /ocserv-0.11.7.tar.xz
+/ocserv.init
+/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
+/ocserv-script
+/ocserv-genkey
+/PACKAGE-LICENSING
+/ocserv-pamd.conf
+/ocserv.service
+/ocserv.conf
+/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+/ocserv-0.11.8.tar.xz.sig
+/ocserv-0.11.8.tar.xz
--- a/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+++ b/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
--- a/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
+++ b/gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg
--- a/1
+++ b/1
@ -2,6 +2,7 @@

 #generate CA certificate/key
 if test ! -f /etc/pki/ocserv/private/ca.key;then
+mkdir -p /etc/pki/ocserv/private
 certtool --generate-privkey --outfile /etc/pki/ocserv/private/ca.key >/dev/null 2>&1
 echo "cn=`hostname -f` CA" >/etc/pki/ocserv/ca.tmpl
 echo "expiration_days=-1" >>/etc/pki/ocserv/ca.tmpl
--- a/ocserv.conf
+++ b/ocserv.conf
@ -255,7 +255,8 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
 # difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
 # in your system.

-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
+tls-priorities = "@SYSTEM"

 # More combinations in priority strings are available, check
 # http://gnutls.org/manual/html_node/Priority-Strings.html
--- a/ocserv.init
+++ b/ocserv.init
@ -0,0 +1,141 @@
+#!/bin/sh
+#
+# ocserv        This shell script takes care of starting and stopping
+#               ocserv on RedHat or other chkconfig-based system.
+#
+# chkconfig: - 24 76
+#
+# processname: ocserv
+#              port.
+
+### BEGIN INIT INFO
+# Provides: ocserv
+# Required-Start: $network
+# Required-Stop: $network
+# Short-Description: start and stop ocserv
+# Description: ocserv is a VPN server
+### END INIT INFO
+
+
+# To install:
+#   copy this file to /etc/rc.d/init.d/ocserv
+#   shell> chkconfig --add ocserv
+#   shell> mkdir /etc/ocserv
+#   make .conf or .sh files in /etc/ocserv (see below)
+
+# To uninstall:
+#   run: chkconfig --del ocserv
+
+ocserv=""
+ocserv_locations="/usr/sbin/ocserv /usr/local/sbin/ocserv"
+for location in $ocserv_locations
+do
+  if [ -f "$location" ]
+  then
+    ocserv=$location
+  fi
+done
+
+# PID directory
+piddir="/var/run/ocserv"
+pidf="$piddir/ocserv.pid"
+
+# Our working directory
+work=/etc/ocserv
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+if [ ${NETWORKING} = "no" ]
+then
+  echo "Networking is down"
+  exit 0
+fi
+
+# Check that binary exists
+if ! [ -f  $ocserv ] 
+then
+  echo "ocserv binary not found"
+  exit 0
+fi
+
+# See how we were called.
+case "$1" in
+  start)
+	echo -n $"Starting ocserv: "
+
+	/sbin/modprobe tun >/dev/null 2>&1
+
+	# From a security perspective, I think it makes
+	# sense to remove this, and have users who need
+	# it explictly enable in their --up scripts or
+	# firewall setups.
+
+	#echo 1 > /proc/sys/net/ipv4/ip_forward
+
+	# Run startup script, if defined
+	if [ -x /usr/sbin/ocserv-genkey ]; then
+	    /usr/sbin/ocserv-genkey
+	fi
+
+	if [ ! -d  $piddir ]; then
+	    mkdir $piddir
+	fi
+
+	if [ -s $pidf ]; then
+		kill `cat $pidf` >/dev/null 2>&1
+		sleep 2
+	fi
+	rm -f $pidf
+
+	cd $work
+
+	# Start every .conf in $work and run .sh if exists
+	errors=0
+	$ocserv --pid-file $pidf -c $work/ocserv.conf
+	errors=$?
+	if [ $errors != 0 ]; then
+	    failure; echo
+	else
+	    success; echo
+	fi
+	;;
+  stop)
+	echo -n $"Shutting down ocserv: "
+	if [ -s $pidf ]; then
+		kill `cat $pidf` >/dev/null 2>&1
+	fi
+	rm -f $pidf
+
+	success; echo
+	rm -f $lock
+	;;
+  restart)
+	$0 stop
+	sleep 2
+	$0 start
+	;;
+  reload)
+	/usr/bin/occtl reload
+	exit $?
+	;;
+  reopen)
+	;;
+  condrestart)
+	$0 stop
+	sleep 2
+	$0 start
+	;;
+  status)
+	/usr/bin/occtl show status
+        ;;
+  *)
+	echo "Usage: ocserv {start|stop|restart|condrestart|reload|reopen|status}"
+	exit 1
+	;;
+esac
+exit 0
--- a/ocserv.spec
+++ b/ocserv.spec
@ -1,8 +1,16 @@
 # This spec file has been automatically updated
-Version:	0.11.7
-Release: 3%{?dist}
+Version:	0.11.8
+Release: 1%{?dist}
 %global _hardened_build 1

+%if 0%{?fedora} || 0%{?rhel} >= 7
+%define use_systemd 1
+%define have_gpgv2 1
+%else
+%define use_systemd 0
+%define have_gpgv2 0
+%endif
+
 Name:		ocserv
 Summary:	OpenConnect SSL VPN server

@ -33,21 +41,31 @@ BuildRequires:	gnutls-devel
 %endif
 BuildRequires:	pam-devel
 BuildRequires:	iproute
-BuildRequires:	systemd
-BuildRequires:	systemd-devel
-BuildRequires:	autogen-libopts-devel
+
 BuildRequires:	protobuf-c-devel
 BuildRequires:	libnl3-devel
 BuildRequires:	krb5-devel
 BuildRequires:	libtasn1-devel
-%if 0%{?fedora} || 0%{?rhel} >= 7
+BuildRequires:	gperf
+BuildRequires:	pcllib-devel
+BuildRequires:	libtalloc-devel
+BuildRequires:	libev-devel
+BuildRequires:	http-parser-devel
+BuildRequires:	tcp_wrappers-devel
+BuildRequires:	automake, autoconf
+BuildRequires:	radcli-devel
+BuildRequires:	lz4-devel
+BuildRequires:	readline-devel
+BuildRequires:	GeoIP-devel
+
+%if %{use_systemd}
+BuildRequires:	systemd
+BuildRequires:	systemd-devel
+BuildRequires:	autogen-libopts-devel
+BuildRequires:	autogen
 BuildRequires:	liboath-devel
 BuildRequires:	uid_wrapper
 BuildRequires:	socket_wrapper
-%endif
-BuildRequires:	readline-devel
-BuildRequires:	autogen
-BuildRequires:	gperf

 %if 0%{?rhel} && 0%{?rhel} >= 7
 %ifarch x86_64 %{ix86}
@ -58,23 +76,19 @@ BuildRequires:	libseccomp-devel
 BuildRequires:	libseccomp-devel
 %endif
 %endif
-BuildRequires:	pcllib-devel
-BuildRequires:	libtalloc-devel
-BuildRequires:	libev-devel
-BuildRequires:	http-parser-devel
-BuildRequires:	tcp_wrappers-devel
-BuildRequires:	automake, autoconf
-BuildRequires:	radcli-devel
-BuildRequires:	lz4-devel

+%endif #use systemd

 Requires:		gnutls-utils
 Requires:		iproute
 Requires:		pam
 Requires(pre):		shadow-utils
+%if %{use_systemd}
 Requires(post):		systemd
 Requires(preun):	systemd
 Requires(postun):	systemd
+%endif
+
 #gnulib is bundled. See https://fedorahosted.org/fpc/ticket/174
 Provides:		bundled(gnulib)
 #CCAN is bundled. See https://fedorahosted.org/fpc/ticket/364
@ -91,13 +105,14 @@ uses the standard IETF security protocols such as TLS 1.2, and Datagram TLS
 to provide the secure VPN service. 

 %prep
+%if %{have_gpgv2}
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} || gpgv2 --keyring %{SOURCE10} %{SOURCE1} %{SOURCE0}
+%endif
 %setup -q

 rm -f src/http-parser/http_parser.c src/http-parser/http_parser.h
 rm -rf src/protobuf/protobuf-c/
 rm -rf src/ccan/talloc
-rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h
 rm -f src/pcl/*.c src/pcl/*.h
 sed -i 's|/etc/ocserv.conf|/etc/ocserv/ocserv.conf|g' src/config.c
 sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config
@ -106,10 +121,28 @@ sed -i 's/run-as-group = nogroup/run-as-group = nobody/g' tests/data/*.config
 sed -i 's/either version 3 of the License/either version 2 of the License/g' build-aux/snippet/*
 touch src/*.proto

+%if 0%{?rhel} && 0%{?rhel} <= 6
+echo "int main() { return 77; }" > tests/valid-hostname.c
+%else
+rm -f libopts/*.c libopts/*.h libopts/*/*.c libopts/*/*.h
+%endif
+
 %build

+%if 0%{?rhel} && 0%{?rhel} <= 6
+export PKG_CONFIG_LIBDIR="%{_libdir}/gnutls30/pkgconfig:%{_libdir}/pkgconfig"
+export LIBGNUTLS_CFLAGS="-I/usr/include/gnutls30"
+export LIBGNUTLS_LIBS="-L%{_libdir}/gnutls30/ -lgnutls"
+export CFLAGS="$CFLAGS -I/usr/include/libev -I/usr/include/gnutls30"
+sed -i 's/AM_PROG_AR//g' configure.ac
+autoreconf -fvi
+%configure \
+	--disable-systemd \
+	--enable-local-libopts
+%else
 %configure \
 	--enable-systemd
+%endif

 make #%{?_smp_mflags}

@ -125,6 +158,7 @@ mkdir -p %{_sysconfdir}/pki/ocserv/cacerts
 %check
 make check %{?_smp_mflags}

+%if %{use_systemd}
 %post
 %systemd_post ocserv.service

@ -133,6 +167,7 @@ make check %{?_smp_mflags}

 %postun
 %systemd_postun ocserv.service
+%endif

 %install
 rm -rf %{buildroot}
@ -156,11 +191,12 @@ sed -i 's|isolate-workers = true|isolate-workers = false|' %{buildroot}/%{_sysco
 %endif
 %endif

-%if 0%{?rhel} && 0%{?rhel} <= 6
-install -D -m 0755 %{SOURCE8} %{buildroot}/%{_initrddir}/%{name}
-%else
+%if %{use_systemd}
 mkdir -p %{buildroot}/%{_unitdir}
 install -p -m 644 %{SOURCE4} %{buildroot}/%{_unitdir}
+%else
+mkdir -p %{buildroot}/%{_initrddir}
+install -D -m 0755 %{SOURCE11} %{buildroot}/%{_initrddir}/%{name}
 %endif

 %make_install
@ -189,13 +225,16 @@ rm -rf %{buildroot}
 %{_sbindir}/ocserv
 %{_sbindir}/ocserv-genkey
 %{_localstatedir}/lib/ocserv/profile.xml
-%if 0%{?rhel} && 0%{?rhel} <= 6
-%{_initrddir}/%{name}
-%else
+%if %{use_systemd}
 %{_unitdir}/ocserv.service
+%else
+%{_initrddir}/%{name}
 %endif

 %changelog
+* Wed May 03 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.8-1
+- Update to upstream 0.11.8 release
+
 * Fri Feb 17 2017 Nikos Mavrogiannopoulos <nmav@redhat.com> - 0.11.7-3
 - Included liboath in the build

--- a/6
+++ b/6
@ -1,11 +1,11 @@
 SHA512 (ocserv.init) = 7c3256dd0f7d5882c4e126c95209084e2476f7d8d142af137f46c5987364982eb88044bfa5d587ebc397ebd379edb40f22e5c97c0276764be982a27715a9c601
 SHA512 (gpgkey-56EE7FA9E8173B19FE86268D763712747F343FA7.gpg) = c664fd9999cbf9912eeea88ee3a2c356df3f70813a664bb7a7f592be258c12bdeb9e99e4aa9a368c1f123ee449eb08e288d1dc3dcf81e849a958ece6eab82d67
 SHA512 (ocserv-script) = 6d77ebe95d23469d96b45b1ac8de7a062cb1360febd0f9664b42debf0494891a522e3da8feec53d22b84e39ad349a1824b7ecd6b6b8f0790edf75aed1087e2d0
-SHA512 (ocserv-genkey) = c02a25a5504e2bd514c6e6944651960a3cc9bf2ef0a4509744f99d61421feace1f8e440c4d336652efd7349465d1a707cd3a370ff6102ef5096d709b34099a86
+SHA512 (ocserv-genkey) = e898144fd977e4c57c4a9a5480b38f6a166c0281c41500c3fa9b7e142197c4525d3fb90846a738e38d217116dc33c2ba5c16ec3e11de0dbf4d834e204c598eac
 SHA512 (PACKAGE-LICENSING) = eea2a2a4765c90d874c79bb72d754c8b26b58d5e5b3c3cee10c24754fbba6849fd91f7b28e380b5db9789a456f95fc94b3bd8fe8c160a98c8042f404479ecb68
 SHA512 (ocserv-pamd.conf) = 3a75f19d89ddd164f3faa9c3579c7f675fc58413a194f43ec28eee7ebced6fee3f4ca305fe9b0ddf76ae39cd669e8d3d63b58afbbf19b84e4ca646ae7f42d61a
 SHA512 (ocserv.service) = 264f3389d88aec1f7d2e4683a4dfc0aa67af2325154de822eecf5fb43f8c221aab0d9f0c6a8eedb893e6d69ed4d94c9397b01e5d0d12e88330017a3bfa5f3644
 SHA512 (ocserv.conf) = 0a48d394dba183528c1e92df2a8b844a4d7d419244b1c08883f79c8b48843986e786ea4d48478ed4e8d57fd56626bf962dbcf6c76b5839ba5ab5fac8b089c44c
 SHA512 (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg) = 7eccc70fb763cf8a6525228230c1f537224809cf553efb3ad6bc88ad96f01122c30a5cd9d8328fa3a97b242d59e00bc9966589a24b1e65dd4a27eb71393f097c
-SHA512 (ocserv-0.11.7.tar.xz.sig) = fd4af775842cff6817adaf4a641b180d3be3b55e3b64a026977fd6f328ddc5f7070f4c91cdce7e83eb8c3b078a5c1dc7780cfe40c5322abef61ca7fc408fbb2c
-SHA512 (ocserv-0.11.7.tar.xz) = a563725bd8753186ece80c91a237a2940071047bb32d1990e2ee122a32ad0468b78a7f35d422dcc9b968a8c56358992842d00958dbf9d743632a03623dd2f5cf
+SHA512 (ocserv-0.11.8.tar.xz.sig) = 5551591abc54dfc053125c356095138aaecec6c3255cd125bd38e17350a257bc822094c270d5b3bb329afd4a9e37f355d3d16db16b4db804e15b8c5959321214
+SHA512 (ocserv-0.11.8.tar.xz) = cea5ef084a15de1e16c0d55f418f454f32c77e4303246f3d11e71ddbc7dbea028282b8200b59a49f5509e786970749b0a9795262639209924bbaa1d619c5c25c